As I thought. Then all he needs to do is sanitize his output using HTMLEncode(). After my suggestion he stated that this company was adamant that he block the request on the server end. As far as I am concerned that is ludicrous, as it presents no threat to the server per se, since the script is never executed server-side.
As far as I know XSS relies on unsanitized script executing within the browser, allowing for unauthorised execution of code within another's domain. You are able to retrieve all sorts of client-based information such as cookies and client-side input. I'm not sure how critical it is under these circumstances, but unofficial script sent by the server should be considered a big no-no within a web app.
Regards
Richard
I think the security company's request is reasonable. Look at Aaron's original post:
Security Metrics notified me that my site was not passing a new compliance test that they added. The guy told me the exact reason I am failing is because my web site will return a response with this entered into my email address login: "><script>alert('XSS')</script> The server will respond XSS.
That tells me that Aaron's application is getting the results from the login field and echoing it back as output without sanitizing it. They aren't concerned that he's accepting the injected script but that his page is allowing it to be executed. That is a security hole that needs to be fixed, either by filtering the input or by ensuring that all output is encoded, per your earlier suggestion.
--stein
I know you cannot argue with the compliance people, and maybe they know something I don't, but it seems a bit over the top to block the request at the level you're suggesting. I mean, I don't think there is a way to get IIS to block this; it would have to be at some handler level. This would be the store application or some other ISAPI application, likely to be an ISAPI filter.
In all fairness it makes more sense to do this in your application, but it's going to add overhead. As I said, using a regex should do it, and you can then throw an HTTP error code to block the request when it is detected. I haven't any code to hand, but this is hot stuff on the net so I'm sure you can dig it up.
Regards
Richard
Hi Richard,
The PCI company told me that my server cannot respond to any type of request like this. It is a "cross-scripting" attack vulnerability. Pretty much, I need to somehow make it so that my web server will not process any request where the email field contains <script>. I had some code put in place to catch it, but it appears IIS is processing the request before it gets to the wwstore software if it contains the word Script.
I need to somehow stop this before they penalize me for not being PCI Compliant.
Any help is appreciated!
Thanks
Hi Aaron,
I might be missing the point, but is the problem that, because you are returning the result to the browser, the script is executed?
I cannot believe they would fail you on the fact that the server did not reject script. As it's a login request I cannot see any reason to check for script? All I make sure I do is, if I'm ever returning output from input, that it is sanitized. You should also call HTMLEncode() to encode strings before output to the browser. There should be no issue from this kind of XSS on the server, as XSS is a client-side vulnerability. The issue is only caused by bad server output, not input.
In theory you have no need to block script in this scenario; even storing it does no harm as long as it never gets executed in a client browser. This test seems pointless unless the script is actually executing in the browser.
If this is what they expect then you're in for a headache. The biggest problem you have is that there are so many ways to inject script. If you need some tags accepted you're better off with a whitelist than a blacklist. If you do not need any tags you should use a regular expression to block all HTML or script-related tags. The problem you have is that you have no way of making sure it's foolproof. Changes in the HTML specification can always get in the way. Blocking all HTML content in this respect is the only sure way to do the job. Unfortunately I have no regex examples, but googling for it should turn up plenty of results.
HTH
Regards
Richard
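To make the point in this post (encode on output rather than hunt for script on input) and the "email trap" approach in Aaron's original post concrete, here is an added example that is not code from the thread, from wwstore or from Web Connection. It is written in Python, with html.escape() standing in for the HTMLEncode() call mentioned above, a constructed stand-in for the login page that echoes the e-mail field, the scanner's exact probe, and three constructed payloads that carry no literal "<script>" token. The stdlib HTML parser plays the role of the browser: a rendering is counted as exploitable when anything other than the single input element with its three expected attributes comes out of it.

```python
"""Added example (not from the original thread): reflected XSS in a login
form that echoes the submitted e-mail address, rendered three ways:
the vulnerable echo, a '<script>' blacklist like the ATC() trap in the
thread, and output encoding (html.escape, standing in for HTMLEncode()).
The page template and the payloads are constructed for this example."""

import html
from html.parser import HTMLParser

# Constructed stand-in for the login page: the submitted address is
# echoed back inside the value attribute of the e-mail field.
TEMPLATE = '<input type="text" name="email" value="{email}">'

# The probe quoted from the compliance scan, plus constructed variants
# that do not contain the literal token "<script>".
SCANNER_PROBE = "\"><script>alert('XSS')</script>"
BYPASS_PAYLOADS = [
    "\"><ScRiPt>alert('XSS')</ScRiPt>",            # case variation
    "\"><img src=x onerror=alert('XSS')>",         # no script element at all
    "\" onmouseover=alert('XSS') autofocus x=\"",  # never leaves the input tag
]


def render_vulnerable(email):
    """Echo the input unchanged: this is what the scanner observed."""
    return TEMPLATE.format(email=email)


def render_with_blacklist(email):
    """Reject only requests containing the literal '<script>' token.
    Returns None to signal the 404 the thread's trap sends; anything that
    gets past the check is echoed just as unsafely as before."""
    if "<script>" in email:
        return None
    return TEMPLATE.format(email=email)


def render_encoded(email):
    """Encode on output: '<', '>', '&', '"' and "'" become entities, so the
    browser keeps the whole value inside the quoted attribute as text."""
    return TEMPLATE.format(email=html.escape(email, quote=True))


class _TagCollector(HTMLParser):
    """Records every start tag and its attribute names, in document order."""

    def __init__(self):
        super().__init__()
        self.tags = []

    def handle_starttag(self, tag, attrs):
        self.tags.append((tag, [name for name, _ in attrs]))


EXPECTED_STRUCTURE = [("input", ["type", "name", "value"])]


def is_exploitable(page):
    """True when the input escaped the value attribute: the parsed page has
    extra elements (script, img) or extra attributes (onmouseover) beyond
    the one input element the template defines. None means the request
    was rejected, so there is nothing for a browser to run."""
    if page is None:
        return False
    parser = _TagCollector()
    parser.feed(page)
    parser.close()
    return parser.tags != EXPECTED_STRUCTURE


def compare(payload):
    """Which of the three renderings still hands the browser executable markup."""
    return {
        "vulnerable": is_exploitable(render_vulnerable(payload)),
        "blacklist": is_exploitable(render_with_blacklist(payload)),
        "encoded": is_exploitable(render_encoded(payload)),
    }


if __name__ == "__main__":
    for payload in [SCANNER_PROBE] + BYPASS_PAYLOADS:
        print(repr(payload), compare(payload))
```

The blacklist stops exactly one thing, the scanner's own probe, and lets every variant through; the encoded rendering is clean for all four because the quote is escaped and the value can never close the attribute. That is the difference between filtering input and encoding output that the post above is getting at.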
Security Metrics notified me that my site was not passing a new compliance test that they added. The guy told me the exact reason I am failing is because my web site will return a response with this entered into my email address login: "><script>alert('XSS')</script>
The server will respond XSS. They told me that my server cannot respond to this type of request because it is a security weakness (cross-site scripting).
We tried to set up an "email trap" for the phrase "><script>alert('XSS')</script> and issue a 404 response. It is not working because IIS will process the request.
Here is the code I am using to try and "trap" this request:
    * Trap the scanner's probe (or any ">" in the username) and answer 404.
    * In VFP "&&" starts a comment, so the trailing text on the IF line is a note, not code.
    IF ATC(["><script>alert('XSS')</script>], pcUsername) > 0 .OR. ATC([>], pcUsername) > 0   && "><script>alert('XSS')</script> : we send a 404 response
       * CREATEOBJECT() is VFP's object constructor (CREATE is the table command)
       oHeader = CREATEOBJECT("wwHTTPHeader", Response)
       oHeader.SetProtocol([HTTP/1.1 404 Not Found])
       oHeader.CompleteHeader()
       RETURN   && stop here so the rest of the login handler never echoes the input
    ENDIF
If I enter this: "><script>alert('XSS')</script> the web server responds with XSS.
How can I prevent this request from being processed and make my site PCI compliant again?
Here is an article I found about this known issue: http://www.ibm.com/developerworks/tivoli/library/s-csscript/
Thanks!