• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 956

I scanned my website with the Acunetix web vulnerability scanner and got this report. Please brief me on the major risks or the changes I should make.

I purchased the Acunetix web vulnerability scanner, scanned my website and attached the report.
Please advise me about this report.
Thanks in advance

[file deleted by slightwv ZA]
0
Asked: Ihab
1 Solution
 
Patrick Bogers, Datacenter platform engineer, Lindows, commented:
Hi

Two pieces of advice: get this report offline a.s.a.p., because your website is now known and prone to attacks. (Happy to see it appears not to be vulnerable to SQLi attacks.)

You purchased Acunetix without knowing how to fix XSS? Please explain... are you learning pentesting and have a big budget?

Next, understand XSS scripting. It is about executing a script from user input; this is not good, but it can be easily avoided if you install MS URLSCAN.
I see you are using IIS 7 so this tool will work perfectly.

Click here to download.
0
 
Ihab (Author) commented:
Mr. Patrick,
I will submit this report to the management, and they will hire someone or assign someone to fix these errors.
I will remove the report once I have got some advice and support.
Thanks, Mr. Patrick
0
 
Patrick Bogers, Datacenter platform engineer, Lindows, commented:
Please know that Acunetix uses pretty 'safe' Cross-Site (Java) Scripts to test your website; if a 'blackhat' visitor catches this report before you fix the issues, he can do BIG DAMAGE to your website (deface it, upload other content, etc.).

The simplest advice I can give you is to install URLSCAN from Microsoft, as advised.

If you really want to show this report to more people, please take it offsite and anonymise it.
0

 
Ihab (Author) commented:
0
 
Ihab (Author) commented:
Mr. Patrick,
I uploaded the edited version of the report; can you help me?
0
 
Patrick Bogers, Datacenter platform engineer, Lindows, commented:
Yes of course.

First, URLSCAN is a tool made by Microsoft which prevents users from inputting dangerous characters like < % ' etc. This is the easiest way to protect against XSS.

If that is not desired (which I can understand if, e.g., you only have one production server, so you cannot test it), you should filter your scripts.
Acunetix has this page for you or your developers to read. LINK

The last thing I could recommend is installing ACUSENSOR in your project. This gives you even better pentest results and will advise on how to improve your source code. For the latter you need .NET 3.5 installed on the IIS server.

I had a quick look at your website and found some very dangerous flaws which should be fixed right away.
0
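Added example, not from this thread and not Microsoft's or Acunetix's own code: it shows the two layers Patrick describes side by side, a blunt request filter that rejects query strings carrying dangerous sequences (the idea behind URLScan's deny lists; the list here is constructed for illustration, not URLScan's real configuration) and the application-level fix, HTML entity encoding of user input at the point where it is written into the page. All function names, the deny list and the sample inputs are assumptions made for this example.

```javascript
// Two complementary defences against reflected XSS on a search-style page.
// 1) queryStringAllowed: a request filter in the spirit of URLScan's deny
//    lists (the sequence list is constructed for this example).
// 2) htmlEncode / renderFixed: the fix the application itself should carry,
//    so that markup submitted by a user is shown as text, never executed.

// Sequences the request filter rejects. Constructed for this example.
const DENIED_QUERY_SEQUENCES = ['<', '>', '%3C', '%3E', 'javascript:'];

// Returns true when the raw query string contains none of the denied
// sequences. Both the raw and the percent-decoded forms are checked, so an
// encoded '<' does not slip past a literal-only match.
function queryStringAllowed(rawQuery) {
  let decoded;
  try {
    decoded = decodeURIComponent(rawQuery);
  } catch (e) {
    return false; // malformed percent-encoding is rejected outright
  }
  const forms = [rawQuery, decoded].map((s) => s.toLowerCase());
  return !DENIED_QUERY_SEQUENCES.some((seq) =>
    forms.some((s) => s.includes(seq.toLowerCase())));
}

// Encode the five characters that matter in an HTML text or attribute context.
function htmlEncode(value) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(value).replace(/[&<>"']/g, (ch) => map[ch]);
}

// The vulnerable pattern: raw concatenation of user input into HTML.
function renderVulnerable(term) {
  return '<h2>Results for ' + term + '</h2>';
}

// The fixed pattern: the same page, with the input encoded on output.
function renderFixed(term) {
  return '<h2>Results for ' + htmlEncode(term) + '</h2>';
}

// Constructed sample inputs: a benign search and a tag-bearing one of the
// kind a scanner submits to probe for reflected XSS.
const BENIGN_QUERY = 'q=iis+hardening';
const PROBE_QUERY = 'q=%3Cscript%3Ealert(1)%3C%2Fscript%3E';

// Run both inputs through the filter and show what the fixed page emits.
function demo() {
  const probeTerm = decodeURIComponent(PROBE_QUERY.slice('q='.length));
  return {
    benignAllowed: queryStringAllowed(BENIGN_QUERY), // true
    probeAllowed: queryStringAllowed(PROBE_QUERY),   // false
    vulnerableOutput: renderVulnerable(probeTerm),   // script tag lands in the page
    fixedOutput: renderFixed(probeTerm),             // script tag shown as text
  };
}

console.log(demo());
```

The request filter is the quick win Patrick is pointing at, but note its cost: it also rejects legitimate input that happens to contain `<` or `>`, and it does nothing for data that reaches the page by another route (a form body, a database field). Output encoding has neither gap, which is why the application fix is the one to keep even after URLScan is in place.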