Solved

I scanned my website with Acunetix Web Vulnerability Scanner and got this report. Please brief me on the major risks or changes I should make.

Posted on 2014-02-11
794 Views
Last Modified: 2014-02-14
I purchased Acunetix Web Vulnerability Scanner, scanned my website and attached the report.
Please advise me about this report.
Thanks in advance.

[file deleted by slightwv ZA]
Question by:Ihab
6 Comments
 
LVL 19

Expert Comment

by:Patricksr1972
ID: 39851353
Hi

Two pieces of advice: get this report offline a.s.a.p., because your website is now known and prone to attacks. (Happy to see it appears not to be vulnerable to SQLi attacks.)

You purchased Acunetix without knowing how to fix XSS? Please explain... are you learning pentesting and have big budgets?

Next, to understand XSS (cross-site scripting): it is about executing a script from user input. This is not good, but can be easily avoided if you install MS URLScan.
I see you are using IIS 7, so this tool will work perfectly.

Click here to download.
 

Author Comment

by:Ihab
ID: 39851370
Mr. Patrick
I will submit this report to the management, and they will hire someone or assign someone to fix these errors.
I will remove the report once I get some advice and support.
Thanks, Mr. Patrick.
 
LVL 19

Expert Comment

by:Patricksr1972
ID: 39851395
Please know Acunetix uses pretty 'safe' cross-site (Java) scripts to test your website; if a 'blackhat' visitor catches this report before you fix the issues he can create BIG DAMAGE to your website (deface it, upload other content, etc.).

The simplest advice I can give you is to install URLScan from Microsoft, as advised.

If you really want to show this report to more people, please take it offsite and anonymise it.
 

Author Comment

by:Ihab
ID: 39851482
 

Author Comment

by:Ihab
ID: 39852399
Mr. Patrick,
I uploaded the edited version of the report. Can you help me?
 
LVL 19

Accepted Solution

by: Patricksr1972 (earned 500 total points)
ID: 39854170
Yes, of course.

First, URLScan is a tool made by Microsoft which prevents users from inputting dangerous characters like < % ' etc. This is the easiest way to protect against XSS.

If not desired (which I can understand if e.g. you only have one production server, so you cannot test it), you should filter your scripts.
Acunetix has this page for you or your developers to read. LINK

The last thing I could recommend is installing AcuSensor in your project. This gives you even better pentest results and will advise on how to improve your source code. For the latter you need .NET 3.5 installed on the IIS server.

I had a quick look at your website and found some very dangerous flaws which should be fixed right away.
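As an added illustration (not code from this thread, from Acunetix or from Microsoft), the two defences the accepted answer describes modelled in plain Node.js: a URLScan-style deny-sequence check on the request URL, and HTML output encoding of the reflected value, which is the "filter your scripts" fix that survives even where a blanket character block is unacceptable. The sequence list, the `/hello.aspx` URL and the probe string are constructed for the example.

```javascript
// Layer 1: request-level block-list, in the spirit of URLScan's [DenyUrlSequences].
// The shipped urlscan.ini rejects '..', '\', ':', '%' and '&' among others (from
// memory; check your own urlscan.ini). '<' and "'" are added here to match the
// characters named in the answer. This is an illustration, not URLScan itself.
const DENY_SEQUENCES = ['..', './', '\\', '%', '<', "'"];

// Returns the first denied sequence found in the raw or percent-decoded URL,
// or null if the request would be allowed through to the application.
function findDeniedSequence(rawUrl, deny = DENY_SEQUENCES) {
  const forms = [rawUrl];
  try {
    forms.push(decodeURIComponent(rawUrl));
  } catch (e) {
    // Malformed escape sequence: the raw form is still checked below.
  }
  for (const form of forms) {
    const hit = deny.find((seq) => form.includes(seq));
    if (hit !== undefined) return hit;
  }
  return null;
}
// Caveat shown by the tests: denying '%' also rejects every legitimately
// URL-encoded value, which is why the answer offers output filtering instead.

// Layer 2: encode user input for the HTML body context at the point of output.
const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
function htmlEncode(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Unsafe: reflects the query value verbatim, the pattern a scanner reports as XSS.
function renderGreetingUnsafe(name) {
  return `<p>Hello, ${name}!</p>`;
}
// Safe: the same page with the value encoded before interpolation.
function renderGreeting(name) {
  return `<p>Hello, ${htmlEncode(name)}!</p>`;
}

// Constructed scanner-style probe (not taken from the report).
const PROBE = '<script>alert(1)</script>';
console.log('URLScan-style verdict:', findDeniedSequence('/hello.aspx?name=' + PROBE));
console.log('Unsafe render:', renderGreetingUnsafe(PROBE));
console.log('Encoded render:', renderGreeting(PROBE));
```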
