Starr Duskk asked:

Cross-site Scripting Vulnerability

We had trustkeeper scan our server for vulnerabilities. We use IIS5. (I thought we had IIS6, but it says below it is IIS5. Hmmm.)

They said we have a medium risk on our Contact Us page:

Cross-Site Scripting (XSS)
Cross-site scripting is a term used to describe problems which arise
when maliciously crafted user data causes a web application to redirect
an unsuspecting web browser to an undesired site. It was
possible to send strings with special HTML characters ( < > " ' )
to your web application, and see them rendered in the response.
Since these characters were not encoded by the web application,
it may be possible to inject HTML scripting code into the rendered
page. The injections can occur in your HTML body, Title, Scripting,
or even commented out portions of the document. Note: Due to the
potential negative impact on this web server's resources that could
result from attacking a large number of cross-site scripting attack
vectors, TrustKeeper abandons this test after it has found at least three
instances where user input is not being properly sanitized. Therefore,
it is possible that the reported findings associated with this vulnerability
are only a subset of all possible attack vectors.
Note: All Cross-Site Scripting vulnerabilities are considered noncompliant
by PCI.
Service: (80) Microsoft-IIS/5.0
Evidence:
- Date: 2009-11-30 15:02:15.905
- HTTP Request Mode: POST
- HTTP Status Code: 200


The remediation action says to do this:

This is a generic warning based on a test that indicates that your web
application may not validate user-provided input, such as that provided
by a form. Review your web application to ensure that user data is
checked on the server side of the application (NOT in the web browser)
for proper length and character content. It is recommended that a
white-list of acceptable characters be used, with all other characters
being HTML encoded prior to being sent in response to the client.
Review the "Cross-Site Scripting", "Data Validation", and "Review
Code for Cross-site scripting" pages on OWASP.org (see the reference
links in this finding).

Specifically, what should we do? Please don't send me to the owasp.org page. I can read that instruction. Checked it, and it doesn't have any specifics.

The report says:

- Test Input String: %3CScRipT%20%3Ealert%28%27test%27%29%3B%3C%2FScRipT%20%3E
- Search Pattern: <ScRipT >alert('test');</ScRipT >
- Pattern Match: <ScRipT >alert('test');</ScRipT >
- Referrer Page: contactus.asp
- Vulnerable Parameter: FROM_ADDRESS
- Vulnerable Parameter: SUBJECT

Service: (80) Microsoft-IIS/5.0
Evidence:
- Date: 2009-11-30 15:02:17.502
- Vulnerable Page: contactus.asp
- HTTP Request Mode: POST
- HTTP Status Code: 200
- Test Input String: %22%3E%27%3E%3CIfRaME%3E
- Search Pattern: (?i)">'><IfRaME>
- Pattern Match: ">'><IfRaME>
- Vulnerable Parameter: FROM_ADDRESS
- Vulnerable Parameter: SUBJECT
- Vulnerable Parameter: FROM_NAME

Service: (80) Microsoft-IIS/5.0
Evidence:
- Date: 2009-11-30 15:06:26.38
- Vulnerable Page: forgotPassword.asp
- HTTP Request Mode: POST
- HTTP Status Code: 200
- Test Input String: %3CScRipT%20%3Ealert%28%27test%27%29%3B%3C%2FScRipT%20%3E
- Search Pattern: <ScRipT >alert('test');</ScRipT >
- Pattern Match: <ScRipT >alert('test');</ScRipT >
- Vulnerable Parameter: LostEmail
- Vulnerable Parameter: FROM_NAME

Reference: http://www.cert.org/advisories/CA-2000-02.html
Reference: http://www.owasp.org/index.php/Cross-site_scripting
Reference: http://www.owasp.org/index.php/Data_Validation
Reference: http://www.owasp.org/index.php/Review_Code_for_Cross-site_scripting
CVSSv2: AV:N/AC:M/Au:N/C:N/I:P/A:N (Base Score:4.30)

thanks!
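As an added example (not code from this thread, from TrustKeeper's report, or from the asker's site), this is what the report's remediation text looks like in a classic ASP page such as contactus.asp: server-side whitelist validation of the address field, a length limit, and HTML encoding of every value echoed back. The function names IsSafeEmail and SafeText, the field lengths and the form layout are assumptions.

```asp
<%
Option Explicit
' Added example: server-side handling for the parameters the scan flagged
' (FROM_ADDRESS, FROM_NAME, SUBJECT). Assumes the page previously wrote
' Request.Form values straight into the HTML, which is what let
' <ScRipT >alert('test');</ScRipT > come back unchanged.

' Whitelist check for an e-mail address: letters, digits and a few
' punctuation characters only, so < > " ' can never pass.
Function IsSafeEmail(s)
    Dim re
    Set re = New RegExp
    re.Pattern = "^[A-Za-z0-9._%+\-]+@[A-Za-z0-9.\-]+\.[A-Za-z][A-Za-z]+$"
    re.IgnoreCase = True
    IsSafeEmail = (Len(s) <= 254) And re.Test(s)
End Function

' Length limit plus HTML encoding for free-text fields. Server.HTMLEncode
' turns < > & " into &lt; &gt; &amp; &quot;; it leaves the single quote
' alone, so it is replaced here as well to cover the ">'><IfRaME> probe
' in single-quoted attributes.
Function SafeText(s, maxLen)
    If Len(s) > maxLen Then s = Left(s, maxLen)
    SafeText = Replace(Server.HTMLEncode(s), "'", "&#39;")
End Function

Dim fromAddress, fromName, subject
fromAddress = Trim(Request.Form("FROM_ADDRESS"))
fromName    = Trim(Request.Form("FROM_NAME"))
subject     = Trim(Request.Form("SUBJECT"))

If Not IsSafeEmail(fromAddress) Then
    ' Reject without echoing the bad value back to the browser.
    Response.Write "<p>Please enter a valid e-mail address.</p>"
    Response.End
End If
%>
<!-- Before (vulnerable): value="<%= Request.Form("FROM_NAME") %>" -->
<!-- After: every echoed value goes through SafeText -->
<form method="post" action="contactus.asp">
  <input name="FROM_ADDRESS" value="<%= SafeText(fromAddress, 254) %>">
  <input name="FROM_NAME" value="<%= SafeText(fromName, 100) %>">
  <input name="SUBJECT" value="<%= SafeText(subject, 200) %>">
</form>
```

The same two functions apply to LostEmail and FROM_NAME on forgotPassword.asp; the check is that resubmitting the report's test input strings no longer produces the listed search patterns in the response.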
Rovastar:

You have IIS 5 if you use Windows 2000 (or IIS 5.1 if XP 32-bit).

IIS 6 will stop most of these.

Use the URLScan ISAPI plugin to stop these attacks by banning the <> characters, etc.

http://www.microsoft.com/downloads/details.aspx?FamilyId=EE41818F-3363-4E24-9940-321603531989&displaylang=en
Starr Duskk (asker):

I downloaded that and tried to install it, but it says that the URL Scan filter setup wizard ended prematurely. No error or anything.

Rovastar:

That version is for IIS 5.1 and upwards; that might be your problem. I am not sure what version of IIS you have.

Try this older one.

http://www.microsoft.com/downloads/details.aspx?displaylang=en&FamilyID=f4c5a724-cafa-4e88-8c37-c9d5abed1863

Starr Duskk (asker):

Running that executable gives me this error:

Update cancelled: No existing installation of URLscan as a global filter was found on this computer.

Do you know how I can tell what version I have? If I go to the help file and the page that says how to install IIS, it says Installing IIS 5.0. But I don't know where to find the exact version for certain.

Rovastar:

Are you installing IIS?

What OS do you have? IIS is a Windows component and is fixed to your OS.

http://en.wikipedia.org/wiki/Internet_Information_Services

Starr Duskk (asker):

No, I'm not installing IIS. I'm only clicking on the .exe to the file in the link you sent to me.
I'm using the Windows 2000 operating system.
What I'm saying is that in the Help file, under the Installation notes, it discusses how to install IIS 5.0 as opposed to some other version.

ASKER CERTIFIED SOLUTION
Rovastar:

And see here about how to use it:
http://support.microsoft.com/kb/307608
Starr Duskk (asker):

Can you please help me with how to fill this form out to resolve this issue? I filled it out and I'm still getting rejected. I don't know what setting I need to stop the cross-site scripting.
I started a new ticket:
https://www.experts-exchange.com/questions/24996024/IIS-5-and-URLScan-with-ASP-web-pages-cross-site-scrpting-fix.html