Solved

I scan my website with acunetix web vulnerability scanner and I got this report, Please brief me the major risks or changes I should made

Posted on 2014-02-11
6
774 Views
Last Modified: 2014-02-14
I purchase acunetix web vulnerability scanner , and I scan my website and I attach the report,
Please advise me about this report.
Thanks in advance

[file deleted by slightwv ZA]
0
Comment
Question by:Ihab
  • 3
  • 3
6 Comments
 
LVL 19

Expert Comment

by:Patricksr1972
Comment Utility
Hi

Two advises, get this report offline a.s.a.p. because your website is now known and prown to attacks. (happy to see it appears not to be vulnerable to SQLi attacks)

You purchase Acunetix without knowing how to fix XSS? Please explain... are you learning pentesting and have big budgets?

Next to understand XSS scripting. It is about executing a script from user input, this is not good but can be easily avoided if you install MS URLSCAN.
I see you are using IIS 7 so this tool will work perfectly.

Click here to download.
0
 

Author Comment

by:Ihab
Comment Utility
Mr. Patrick
I will submit this report to the management, and they will hire someone  or they will assign someone to fix this errors.
I will remove the report once I got some advices and support
Thanks Mr. Patrick
0
 
LVL 19

Expert Comment

by:Patricksr1972
Comment Utility
Please know Acunetix uses pretty 'safe' Cross Side (java) Scripts to test your website, if a 'blackhat' visitor catches this report before you fix the issues he can create BIG DAMAGE to your website. (deface it, upload other content etc etc)

Simplest advise i can give you is install URLSCAN from Microsoft like advised.

If you really want to show this report to more people please take it offsite and anonymise it.
0
Maximize Your Threat Intelligence Reporting

Reporting is one of the most important and least talked about aspects of a world-class threat intelligence program. Here’s how to do it right.

 

Author Comment

by:Ihab
Comment Utility
0
 

Author Comment

by:Ihab
Comment Utility
Mr. Patrick
I uploaded the edited version of the report, can you help me?
0
 
LVL 19

Accepted Solution

by:
Patricksr1972 earned 500 total points
Comment Utility
Yes of course.

First URLSCAN is a tool made by Microsoft which prevents users to input dangerous characters like < % ' etc. This is the most easiest way to protect against XSS.

If not desired (which i can understand if e.g. you only have one production server so you cannot test it) you should filter your scripts.
Acunetix has this page for you or your developers to read. LINK

Last thing i could recommend it installing ACUSENSOR in your project. This gives you an even better pentest results and will advise on how to improve your source code. For the latter you need .NET3.5 installed on the IIS server.

i had a quick look at your website and found some very dangerous flaws which should be fixed right away.
0

Featured Post

IT, Stop Being Called Into Every Meeting

Highfive is so simple that setting up every meeting room takes just minutes and every employee will be able to start or join a call from any room with ease. Never be called into a meeting just to get it started again. This is how video conferencing should work!

Join & Write a Comment

Introduction A frequently used term in Object-Oriented design is "SOLID" which is a mnemonic acronym that covers five principles of OO design.  These principles do not stand alone; there is interplay among them.  And they are not laws, merely princ…
International Data Corporation (IDC) prognosticates that before the current the year gets over disbursing on IT framework products to be sent in cloud environs will be $37.1B.
Learn how to set-up custom confirmation messages to users who complete your Wufoo form. Include inputs from fields in your form, webpage redirects, and more with Wufoo’s confirmation options.
This Micro Tutorial will demonstrate how nuggets on the Web are formatted by using Chrome Developer Tools. These tools would not only view the site's CSS but it can also modify it and save the CSS to use on your own site.

744 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

20 Experts available now in Live!

Get 1:1 Help Now