Solved

How to fix - The remote web server is prone to cross-site scripting attacks

Posted on 2009-07-02
2
1,998 Views
Last Modified: 2013-12-04
I am running a website on a Windows Server 2008 machine. My client ran a PCI audit and failed.

This is the failing point:

Error: TCP, port 80, http
Synopsis : The remote web server is prone to cross-site scripting attacks.
Description : The remote host is running a web server that fails to adequately sanitize request strings of malicious JavaScript. By leveraging this issue, an attacker may be able to cause arbitrary HTML and script code to be executed in a user's browser within the security context of the affected site.
See also : http://en.wikipedia.org/wiki/Cross-site_scripting
Solution: Contact the vendor for a patch or upgrade.
Risk Factor: Medium / CVSS Base Score : 4.3 (CVSS2#AV:N/AC:M/Au:N/C:N/I:P/A:N)
CVE : CVE-2002-1060, CVE-2003-1543, CVE-2005-2453, CVE-2006-1681
BID : 5305, 7344, 7353, 8037, 14473, 17408
Other references : OSVDB:4989, OSVDB:18525, OSVDB:24469, OSVDB:42314

I have not been able to fix the issue. The website is built with DotNetNuke 5.

Server Specs:
Windows Server 2008 Standard (32-bit)
Service Pack 1

How can I fix the problem so I can pass the PCI audit?
Question by:Benjamin_
2 Comments
 
LVL 5

Expert Comment

by:iUsername
XSS (cross-site scripting) is a web application vulnerability, and to fix this vulnerability you simply need to VALIDATE THE INPUT.
 
LVL 12

Accepted Solution

by:
jahboite earned 250 total points
In order to fix this problem, you'll need to review the code for areas where the application accepts input from an untrusted source (user input, third-party data, ...) and then displays that input back to the user. You're looking for cases where the input is not validated and the corresponding output is not properly escaped.

I suggest the following page as an excellent jumping-off point for understanding XSS; there you'll also find further references to help you understand and prevent XSS in your applications:

http://www.owasp.org/index.php/Cross_site_scripting
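The two answers above (validate the input; escape the output where it is echoed back) are the whole fix. The following is an added illustration, not code from the question's DotNetNuke site or from either expert: a minimal Python model of a page that echoes a name back into HTML, first as the scanner would find it and then hardened. The `SAMPLE_PAYLOAD`, the `NAME_RE` allow-list and the function names are constructed for the example; the escaping calls are the standard-library `html.escape` and `urllib.parse.quote`.

```python
import html
import re
from urllib.parse import quote

# Constructed sample value of the kind a scanner sends to a parameter that
# is reflected into the page (a greeting, a search term, a "back" link).
SAMPLE_PAYLOAD = '"><script>alert(1)</script>'


def render_vulnerable(name: str) -> str:
    """'Before' version: unvalidated input concatenated straight into HTML.

    The value lands in two contexts (element text and an attribute value);
    the closing quote in the payload breaks out of the attribute.
    """
    return '<p>Hello, ' + name + '</p><input value="' + name + '">'


# Allow-list validation (hypothetical rule for this example): a display
# name may contain letters, digits, spaces, apostrophes and hyphens only,
# and is capped at 40 characters.
NAME_RE = re.compile(r"[A-Za-z0-9 '\-]{1,40}")


def validate_name(name: str) -> bool:
    """True if the whole string matches the allow-list, else False."""
    return NAME_RE.fullmatch(name) is not None


def render_escaped_only(name: str) -> str:
    """Output encoding alone: every echoed value is HTML-escaped for the
    context it lands in. quote=True also escapes both quote characters,
    which is what keeps the attribute value from being broken out of."""
    safe = html.escape(name, quote=True)
    return '<p>Hello, ' + safe + '</p><input value="' + safe + '">'


def render_hardened(name: str) -> str:
    """Validation and output encoding together (defence in depth).

    Input that fails the allow-list is replaced by a fixed fallback rather
    than echoed in an error message, and the value is still escaped on
    output, because an apostrophe passes the allow-list yet must not be
    emitted raw inside a quoted attribute.
    """
    if not validate_name(name):
        name = "guest"
    return render_escaped_only(name)


def render_link(target: str) -> str:
    """Value placed in a URL context: URL-encode it for the query string,
    then HTML-escape the result because it sits in an href attribute."""
    encoded = quote(target, safe="")
    return '<a href="/search?q=' + html.escape(encoded, quote=True) + '">search</a>'


def contains_script_tag(markup: str) -> bool:
    """Check usable from a unit test or a response-scanning hook: does a
    raw <script tag appear in the rendered output?"""
    return re.search(r"<script\b", markup, re.IGNORECASE) is not None


if __name__ == "__main__":
    print("vulnerable:", render_vulnerable(SAMPLE_PAYLOAD))
    print("escaped   :", render_escaped_only(SAMPLE_PAYLOAD))
    print("hardened  :", render_hardened(SAMPLE_PAYLOAD))
    print("link      :", render_link(SAMPLE_PAYLOAD))
```

Running the block shows the raw `<script>` tag in the vulnerable output and only entity-encoded text in the other two. The same review applies to a DotNetNuke module in C#: find every place a request value reaches the response and make sure it passes through the framework's HTML or URL encoder for that context, with allow-list validation in front of it where the field has a known shape.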