Since the browser is sending an alert with "xss", do you know if it is running any code in the process class?
Is the code getting to you username name testing? Otherwise, I don't see how you can trap it.
Jim
Security Metrics notified me that my site was not passing a new compliance test that they added. The guy told me the exact reason I am failing is because my web site will return a response with this entered into my email address login: "><script>alert('XSS')</script>
The server will respond XSS. They told me that my server can not respond to this type of request because it is a security weakness. (cross site scripting)
We tried to setup an "email trap" for the phrase: "><script>alert('XSS')</script> and issue a 404 response. It is not working because IIS will process the request.
Here is the code I am using to try and "trap" this request:
IF ATC(["><script>alert('XSS')</script>],pcUsername) > 0 .OR. ATC([>],pcUsername) > 0 && ><script>alert('XSS' </script> we send a 404 response
oHeader = CREATE("wwHTTPHeader",Response)
oHeader.setprotocol([HTTP/1.1 404 Not Found])
oHeader.CompleteHeader()
If i enter this: "><script>alert('XSS')</script> the webserver responds with XSS
How can I prevent this request from being processed and make my site PCI compliant again?
Here is a article i found about this known issue: http://www.ibm.com/developerworks/tivoli/library/s-csscript/
Thanks!