Web Connection
Re: Cross-site scripting & PCI Compliance
07/03/2009
07:23:49 AM
2OV0FUTU7 Show this entire thread in new window
Gratar Image based on email address
From:
Steve W
To:
Aaron G 
Attachments:
None
Hi Aaron,

We recently went through the whole PCI Compliance issue and also used Security Metrics.

I'm not sure if this will help or not, but if ISA Server is involved anywhere along the route then this link might help: http://www.microsoft.com/technet/security/bulletin/ms09-016.mspx

Steve W

Security Metrics notified me that my site was not passing a new compliance test that they added. The guy told me the exact reason I am failing is because my web site will return a response with this entered into my email address login: "><script>alert('XSS')</script>

The server will respond XSS. They told me that my server can not respond to this type of request because it is a security weakness. (cross site scripting)

We tried to setup an "email trap" for the phrase: "><script>alert('XSS')</script> and issue a 404 response. It is not working because IIS will process the request.

Here is the code I am using to try and "trap" this request:

IF ATC(["><script>alert('XSS')</script>],pcUsername) > 0 .OR. ATC([>],pcUsername) > 0 && ><script>alert('XSS' </script> we send a 404 response
oHeader = CREATE("wwHTTPHeader",Response)
oHeader.setprotocol([HTTP/1.1 404 Not Found])
oHeader.CompleteHeader()

If i enter this: "><script>alert('XSS')</script> the webserver responds with XSS

How can I prevent this request from being processed and make my site PCI compliant again?

Here is a article i found about this known issue: http://www.ibm.com/developerworks/tivoli/library/s-csscript/

Thanks!