Today we failed the Secure Metrics PCI compliance test because of: cross site scripting

Posted on 2009-04-30
Last Modified: 2012-05-06
This is the result from Secure Metric's site:

Possible cross site scripting on
Use the following commands to verify this:
wp --inject " ATEGORY=Chrome+Accessories%22%3E%3Cscript% 3Ealert%28123%29%3C%2Fscript%3E"
curl -L " ATEGORY=Chrome+Accessories%22%3E%3Cscript% 3Ealert%28123%29%3C%2Fscript%3E"| grep "123"
This website may have other injection related vulnerabilities.

How do I address this so that we pass the test?
Question by:jbovalley
    LVL 7

    Expert Comment

    XSS, or cross site scripting, is doable because of not "sanitizing" the URL or other sections of the code.

    I don't know ASP code, but I know security.

    Read up on this and test if some of these examples work on your site.

    Have you tested if that "exploit" works on your site? It says only "Possible", which can mean that "maybe" it can be done.

    Good Luck

    Author Comment

    The exploit does work on the site... when I run the script it gives me a dialog box with 123.
    LVL 7

    Expert Comment

    It looks like it works then, because the "exploit" tries to grep "123" and if it returns 123 it will work. An attacker could change this string into something like "<script>alert('XSS')</script>" to run a JavaScript function instead of 123 like in the example Secure Metric has given you.

    Author Comment

    OK... I am not sure how to repair this. Is this something that the web developer has to fix? Is it a script on the site that is easy to be accessed and manipulated?
    LVL 7

    Accepted Solution

    Yeah, the web developer needs to look at this issue; possibly the web developer knows what Cross Site Scripting is and knows how to protect your site against it.

    Yeah, you can "run" different code on your site to do other things. An attacker can "attach" different code to provide information about the site and even your servers.
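What the web developer actually has to change, as an added example that is not part of this thread and not the asker's ASP code: the CATEGORY parameter from the scan report is reflected into the page unencoded, and the fix is to HTML-encode it on output. The example below is Python (the ASP site itself is not on the page); the equivalent call in classic ASP is Server.HTMLEncode. The query string, the input element the parameter lands in, and the function names are constructed for illustration. It also shows why the scanner's `curl ... | grep "123"` check is a weak verifier: a correctly fixed page still contains the digits 123, just with the surrounding markup encoded.

```python
import html
from urllib.parse import parse_qs

# Constructed sample query string using the payload from the scan report in the
# question: the %22 (") closes the attribute, %3E (>) closes the tag, and a
# script element follows. The host and path from the report are not on the page.
SCAN_QUERY = "CATEGORY=Chrome+Accessories%22%3E%3Cscript%3Ealert%28123%29%3C%2Fscript%3E"
INJECTED_MARKUP = "<script>alert(123)</script>"


def category_from_query(query_string: str) -> str:
    """Parse the CATEGORY parameter the way the server sees it (URL-decoded)."""
    return parse_qs(query_string).get("CATEGORY", [""])[0]


def render_vulnerable(category: str) -> str:
    """The defect the scan found: the parameter is written into HTML verbatim."""
    return f'<input type="text" name="CATEGORY" value="{category}">'


def render_fixed(category: str) -> str:
    """HTML-encode on output (classic ASP equivalent: Server.HTMLEncode).

    quote=True also encodes " and ', so the value cannot close the attribute
    it is placed in, which is exactly what the scan payload relies on.
    """
    return f'<input type="text" name="CATEGORY" value="{html.escape(category, quote=True)}">'


def page_is_vulnerable(page_html: str) -> bool:
    """Stricter version of the scanner's `grep "123"`: only count a hit if the
    injected markup survives unencoded. The digits 123 alone still appear in a
    correctly fixed page (inside an encoded attribute), so grepping for them
    reports a false positive after the fix."""
    return INJECTED_MARKUP in page_html


if __name__ == "__main__":
    value = category_from_query(SCAN_QUERY)
    print("decoded parameter:", value)
    for name, render in (("vulnerable", render_vulnerable), ("fixed", render_fixed)):
        page = render(value)
        print(f"{name}: {page}")
        print(f"  injected script present: {page_is_vulnerable(page)}")
        print(f"  naive grep for 123 matches: {'123' in page}")
```

The same rule applies to every place user-controlled data is written into a page, not just this one parameter: encode for the context the value lands in (HTML body, attribute, JavaScript, URL), and do it at output time rather than trying to strip "bad" characters on input. When re-testing before the next scan, look for the raw `<script>` tag in the response rather than for the digits the scanner greps.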
