Solved

How to fix - The remote web server is prone to cross-site scripting attacks

Posted on 2009-07-02
2
2,076 Views
Last Modified: 2013-12-04
I am running a website on a Windows Server 2008. My client ran a PCI Audit and Failed.

This is the failing point:

Error:  TCP, port 80, http
Synopsis : The remote web server is prone to cross-site scripting attacks. Description : The remote host is running a web server that fails to adequately sanitize request strings of malicious JavaScript. By leveraging this issue, an attacker may be able to cause arbitrary HTML and script code to be executed in a user's browser within the security context of the affected site. See also : http://en.wikipedia.org/wiki/Cross-site_ scripting Solution: Contact the vendor for a patch or upgrade. Risk Factor: Medium  / CVSS Base Score : 4.3 (CVSS2#AV:N/AC:M/Au:N/C:N/I:P/A:N) CVE : CVE-2002-1060, CVE-2003-1543, CVE-2005-2453, CVE-2006-1681 BID : 5305, 7344, 7353, 8037, 14473, 17408 Other references : OSVDB:4989, OSVDB:18525, OSVDB:24469, OSVDB:42314 [More]

I have not been able to fix the issue. The website is Build with DotNetNuke 5.

Server Specs:
Windows Server 2008 Standard (32-bit)
Service Pack 1

How can i fix the problem so I can pass the PCI Audit?
0
Comment
Question by:Benjamin_
2 Comments
 
LVL 5

Expert Comment

by:iUsername
ID: 24768386
XSS (cross site scripting) is a web application vulnerability, and to fix this vulnerability you simply need to VALIDATE THE INPUT.
0
 
LVL 12

Accepted Solution

by:
jahboite earned 250 total points
ID: 24771874
In order to fix this problem. you'll need to review the code for areas where the application accepts input from an untrusted source (user input, third party data...) and then displays that input back to the user.  You're looking for cases where the input is not validated and the corresponding output is not properly escaped.

I suggest the following page as an excellent jump-off point for understanding XSS and there also you'll find further references to help you understand and prevent XSS in your applications:

http://www.owasp.org/index.php/Cross_site_scripting
0

Featured Post

Microsoft Certification Exam 74-409

Veeam® is happy to provide the Microsoft community with a study guide prepared by MVP and MCT, Orin Thomas. This guide will take you through each of the exam objectives, helping you to prepare for and pass the examination.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Provide an easy one stop to quickly get the relevant information on common asked question on Ransomware in Expert Exchange.
OfficeMate Freezes on login or does not load after login credentials are input.
This tutorial will show how to push an installation of Backup Exec to an additional server in both 2012 and 2014 versions of the software. Click on the Backup Exec button in the upper left corner. From here, select Installation and Licensing, then I…
This tutorial will give a short introduction and overview of Backup Exec 2012 and how to navigate and perform basic functions. Click on the Backup Exec button in the upper left corner. From here, are global settings for the application such as conne…

685 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question