The PCI company told me that my server cannot respond to any type of request like this. It is a "cross-scripting" attack vulnerability. Pretty much, I need to somehow make it where my web server will not process any request where the email field contains <script>. I had some code put in place to catch it, but it appears IIS is processing the request before it gets to the wwstore software if it contains the word Script.
I need to somehow stop this before they penalize me for not being PCI Compliant.
Any help is appreciated!
Thanks
Hi Aaron,
I might be missing the point but is the problem that you are returning the result to the browser that the script is executed?
I cannot believe they would fail you on the fact the server did not reject script. As it's a login request, I cannot see any reason to check for script?? All I make sure I do is that if I'm ever returning output from input, it is sanitized. You should also call HTMLEncode() to encode strings before output to the browser. There should be no issue from this kind of XSS on the server, as XSS is a client-side vulnerability. The issue is only caused by bad server output, not input.
In theory you have no need to block script in this scenario; even storing it has no harm as long as it never gets executed in a client browser. This test seems pointless unless the script is actually executing in the browser.
If this is what they expect then you're in for a headache. The biggest problem you have is there are so many ways to inject script. If you need some tags accepted, you're better off with a white list than a black list. If you do not need any tags, you should use a regular expression to block all HTML or script related tags. The problem you have is you have no way of making sure it's foolproof. Changes in the HTML specification can always get in the way. Blocking all HTML content in this respect is the only sure way to do the job. Unfortunately I have no regex examples, but googling for it should turn up plenty of results.
HTH
Regards
Richard
Security Metrics notified me that my site was not passing a new compliance test that they added. The guy told me the exact reason I am failing is because my web site will return a response with this entered into my email address login: "><script>alert('XSS')</script>
The server will respond XSS. They told me that my server cannot respond to this type of request because it is a security weakness (cross-site scripting).
We tried to set up an "email trap" for the phrase: "><script>alert('XSS')</script> and issue a 404 response. It is not working because IIS will process the request.
Here is the code I am using to try and "trap" this request:
* Reject the login if the username/email field carries the XSS probe or any '>'
IF ATC(["><script>alert('XSS')</script>], pcUsername) > 0 .OR. ATC([>], pcUsername) > 0
   oHeader = CREATE("wwHTTPHeader", Response)
   oHeader.SetProtocol([HTTP/1.1 404 Not Found])   && send a 404 response instead of processing the login
   oHeader.CompleteHeader()
   RETURN
ENDIF
If I enter this: "><script>alert('XSS')</script> the webserver responds with XSS
How can I prevent this request from being processed and make my site PCI compliant again?
Here is an article I found about this known issue: http://www.ibm.com/developerworks/tivoli/library/s-csscript/
Thanks!
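The two fixes Richard describes (HTML-encode anything echoed back to the browser, and validate the e-mail field against a white list instead of hunting for script tags) are shown together below, next to the verbatim-reflection pattern the scanner flagged. This is an added example written for this thread, not code from either poster or from Web Connection; the function names, the e-mail regex and the probe string as a test value are assumptions, and the same idea carries over to the FoxPro handler (HTMLEncode the value before writing it, and reject the login when the field is not a well-formed address).

```python
import html
import re

# Constructed test value: the exact string the PCI scanner submits in the e-mail field.
PROBE = '"><script>alert(\'XSS\')</script>'

# White list for the login field: only characters that can appear in an address.
# '<', '>', quotes and spaces are never part of a valid address, so the probe is
# rejected without maintaining a black list of tag names (assumed pattern, not a
# full RFC 5322 validator).
EMAIL_RE = re.compile(r"^[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}$")


def is_valid_email(value: str) -> bool:
    """Accept only strings that look like an e-mail address."""
    return EMAIL_RE.fullmatch(value) is not None


def encode_for_html(value: str) -> str:
    """Output encoding: the browser renders the result as text, never as markup."""
    return html.escape(value, quote=True)


def reflect_unsafe(email: str) -> str:
    """The behaviour the scanner flagged: input copied verbatim into the page."""
    return f"<p>Unknown account: {email}</p>"


def login_response(email: str) -> tuple[int, str]:
    """Hardened handler: returns (status, body).

    Invalid input is refused up front, and anything that is echoed back is
    encoded, so even a value that slips past validation cannot become script.
    """
    if not is_valid_email(email):
        return 400, "<p>Invalid e-mail address.</p>"
    return 200, f"<p>Unknown account: {encode_for_html(email)}</p>"


if __name__ == "__main__":
    print("unsafe :", reflect_unsafe(PROBE))
    print("encoded:", encode_for_html(PROBE))
    print("hardened:", login_response(PROBE))
    print("hardened:", login_response("user@example.com"))
```

Validation alone is the weaker of the two controls: it protects this one field, while encoding on output protects every page that might echo user data, which is why the example does both rather than relying on the 404 trap.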