Solved

How to fix - The remote web server is prone to cross-site scripting attacks

Posted on 2009-07-02
2
2,044 Views
Last Modified: 2013-12-04
I am running a website on a Windows Server 2008. My client ran a PCI Audit and Failed.

This is the failing point:

Error:  TCP, port 80, http
Synopsis : The remote web server is prone to cross-site scripting attacks. Description : The remote host is running a web server that fails to adequately sanitize request strings of malicious JavaScript. By leveraging this issue, an attacker may be able to cause arbitrary HTML and script code to be executed in a user's browser within the security context of the affected site. See also : http://en.wikipedia.org/wiki/Cross-site_ scripting Solution: Contact the vendor for a patch or upgrade. Risk Factor: Medium  / CVSS Base Score : 4.3 (CVSS2#AV:N/AC:M/Au:N/C:N/I:P/A:N) CVE : CVE-2002-1060, CVE-2003-1543, CVE-2005-2453, CVE-2006-1681 BID : 5305, 7344, 7353, 8037, 14473, 17408 Other references : OSVDB:4989, OSVDB:18525, OSVDB:24469, OSVDB:42314 [More]

I have not been able to fix the issue. The website is Build with DotNetNuke 5.

Server Specs:
Windows Server 2008 Standard (32-bit)
Service Pack 1

How can i fix the problem so I can pass the PCI Audit?
0
Comment
Question by:Benjamin_
2 Comments
 
LVL 5

Expert Comment

by:iUsername
ID: 24768386
XSS (cross site scripting) is a web application vulnerability, and to fix this vulnerability you simply need to VALIDATE THE INPUT.
0
 
LVL 12

Accepted Solution

by:
jahboite earned 250 total points
ID: 24771874
In order to fix this problem. you'll need to review the code for areas where the application accepts input from an untrusted source (user input, third party data...) and then displays that input back to the user.  You're looking for cases where the input is not validated and the corresponding output is not properly escaped.

I suggest the following page as an excellent jump-off point for understanding XSS and there also you'll find further references to help you understand and prevent XSS in your applications:

http://www.owasp.org/index.php/Cross_site_scripting
0

Featured Post

Courses: Start Training Online With Pros, Today

Brush up on the basics or master the advanced techniques required to earn essential industry certifications, with Courses. Enroll in a course and start learning today. Training topics range from Android App Dev to the Xen Virtualization Platform.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Provide an easy one stop to quickly get the relevant information on common asked question on Ransomware in Expert Exchange.
Ransomware continues to be a growing problem for both personal and business users alike and Antivirus companies are still struggling to find a reliable way to protect you from this dangerous threat.
This tutorial will walk an individual through the steps necessary to configure their installation of BackupExec 2012 to use network shared disk space. Verify that the path to the shared storage is valid and that data can be written to that location:…
This tutorial will walk an individual through the steps necessary to join and promote the first Windows Server 2012 domain controller into an Active Directory environment running on Windows Server 2008. Determine the location of the FSMO roles by lo…

776 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question