Go Premium for a chance to win a PS4. Enter to Win

x
  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 935
  • Last Modified:

I scan my website with acunetix web vulnerability scanner and I got this report, Please brief me the major risks or changes I should made

I purchase acunetix web vulnerability scanner , and I scan my website and I attach the report,
Please advise me about this report.
Thanks in advance

[file deleted by slightwv ZA]
0
Ihab
Asked:
Ihab
  • 3
  • 3
1 Solution
 
Patrick BogersDatacenter platform engineer LindowsCommented:
Hi

Two advises, get this report offline a.s.a.p. because your website is now known and prown to attacks. (happy to see it appears not to be vulnerable to SQLi attacks)

You purchase Acunetix without knowing how to fix XSS? Please explain... are you learning pentesting and have big budgets?

Next to understand XSS scripting. It is about executing a script from user input, this is not good but can be easily avoided if you install MS URLSCAN.
I see you are using IIS 7 so this tool will work perfectly.

Click here to download.
0
 
IhabAuthor Commented:
Mr. Patrick
I will submit this report to the management, and they will hire someone  or they will assign someone to fix this errors.
I will remove the report once I got some advices and support
Thanks Mr. Patrick
0
 
Patrick BogersDatacenter platform engineer LindowsCommented:
Please know Acunetix uses pretty 'safe' Cross Side (java) Scripts to test your website, if a 'blackhat' visitor catches this report before you fix the issues he can create BIG DAMAGE to your website. (deface it, upload other content etc etc)

Simplest advise i can give you is install URLSCAN from Microsoft like advised.

If you really want to show this report to more people please take it offsite and anonymise it.
0
Vote for the Most Valuable Expert

It’s time to recognize experts that go above and beyond with helpful solutions and engagement on site. Choose from the top experts in the Hall of Fame or on the right rail of your favorite topic page. Look for the blue “Nominate” button on their profile to vote.

 
IhabAuthor Commented:
0
 
IhabAuthor Commented:
Mr. Patrick
I uploaded the edited version of the report, can you help me?
0
 
Patrick BogersDatacenter platform engineer LindowsCommented:
Yes of course.

First URLSCAN is a tool made by Microsoft which prevents users to input dangerous characters like < % ' etc. This is the most easiest way to protect against XSS.

If not desired (which i can understand if e.g. you only have one production server so you cannot test it) you should filter your scripts.
Acunetix has this page for you or your developers to read. LINK

Last thing i could recommend it installing ACUSENSOR in your project. This gives you an even better pentest results and will advise on how to improve your source code. For the latter you need .NET3.5 installed on the IIS server.

i had a quick look at your website and found some very dangerous flaws which should be fixed right away.
0

Featured Post

Keep up with what's happening at Experts Exchange!

Sign up to receive Decoded, a new monthly digest with product updates, feature release info, continuing education opportunities, and more.

  • 3
  • 3
Tackle projects and never again get stuck behind a technical roadblock.
Join Now