I scan my website with acunetix web vulnerability scanner and I got this report, Please brief me the major risks or changes I should made

Posted on 2014-02-11
Last Modified: 2014-02-14
I purchase acunetix web vulnerability scanner , and I scan my website and I attach the report,
Please advise me about this report.
Thanks in advance

[file deleted by slightwv ZA]
Question by:Ihab
  • 3
  • 3
LVL 20

Expert Comment

by:Patrick Bogers
ID: 39851353

Two advises, get this report offline a.s.a.p. because your website is now known and prown to attacks. (happy to see it appears not to be vulnerable to SQLi attacks)

You purchase Acunetix without knowing how to fix XSS? Please explain... are you learning pentesting and have big budgets?

Next to understand XSS scripting. It is about executing a script from user input, this is not good but can be easily avoided if you install MS URLSCAN.
I see you are using IIS 7 so this tool will work perfectly.

Click here to download.

Author Comment

ID: 39851370
Mr. Patrick
I will submit this report to the management, and they will hire someone  or they will assign someone to fix this errors.
I will remove the report once I got some advices and support
Thanks Mr. Patrick
LVL 20

Expert Comment

by:Patrick Bogers
ID: 39851395
Please know Acunetix uses pretty 'safe' Cross Side (java) Scripts to test your website, if a 'blackhat' visitor catches this report before you fix the issues he can create BIG DAMAGE to your website. (deface it, upload other content etc etc)

Simplest advise i can give you is install URLSCAN from Microsoft like advised.

If you really want to show this report to more people please take it offsite and anonymise it.
PRTG Network Monitor: Intuitive Network Monitoring

Network Monitoring is essential to ensure that computer systems and network devices are running. Use PRTG to monitor LANs, servers, websites, applications and devices, bandwidth, virtual environments, remote systems, IoT, and many more. PRTG is easy to set up & use.


Author Comment

ID: 39851482

Author Comment

ID: 39852399
Mr. Patrick
I uploaded the edited version of the report, can you help me?
LVL 20

Accepted Solution

Patrick Bogers earned 500 total points
ID: 39854170
Yes of course.

First URLSCAN is a tool made by Microsoft which prevents users to input dangerous characters like < % ' etc. This is the most easiest way to protect against XSS.

If not desired (which i can understand if e.g. you only have one production server so you cannot test it) you should filter your scripts.
Acunetix has this page for you or your developers to read. LINK

Last thing i could recommend it installing ACUSENSOR in your project. This gives you an even better pentest results and will advise on how to improve your source code. For the latter you need .NET3.5 installed on the IIS server.

i had a quick look at your website and found some very dangerous flaws which should be fixed right away.

Featured Post

Ransomware-A Revenue Bonanza for Service Providers

Ransomware – malware that gets on your customers’ computers, encrypts their data, and extorts a hefty ransom for the decryption keys – is a surging new threat.  The purpose of this eBook is to educate the reader about ransomware attacks.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

SSL stands for “Secure Sockets Layer” and an SSL certificate is a critical component to keeping your website safe, secured, and compliant. Any ecommerce website must have an SSL certificate to ensure the safe handling of sensitive information like…
International Data Corporation (IDC) prognosticates that before the current the year gets over disbursing on IT framework products to be sent in cloud environs will be $37.1B.
This video teaches viewers how to create their own website using cPanel and Wordpress. Tutorial walks users through how to set up their own domain name from tools like Domain Registrar, Hosting Account, and Wordpress. More specifically, the order in…
This Micro Tutorial will demonstrate how to add subdomains to your content reports. This can be very importing in having a site with multiple subdomains.

820 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question