[ic] PCI scan suddenly failing?
richard at endpoint.com
Thu Jun 27 19:02:07 UTC 2013
On Thu, Jun 27, 2013 at 01:46:20PM -0500, Steve Graham wrote:
> Hi - today I'm seeing a number of problems with a PCI compliance scan
> which previously had not been an issue. They're all similar to:
> A reflected cross-site scripting vulnerability was identified in this
> web application. Reflected cross-site scripting is when HTML or
> then displayed (aka: reflected) back to the user and rendered or
> interpreted by their browser.
> Paramter: id
> Request: GET /index.html?id=%3Cscript%3Ealert('TK00000008')%3C/script%3E
> Accept: */*
> Even my index.html page now has such an error, so I'd think many other
> IC users would see the same thing. Does anyone have any idea what the
> scanner is complaining about, or how to correct it?
The issue is when you have a malformed id in your query string Interchange actually prints out something along the lines of "Invalid session ID: 3Cscript%3Ealert('TK00000008')%3C/script%3E. Logged". Well the security scanner sees the fact that it printed the alert on the page and determines that you have an cross-site scripting vulnerability. I've had to challenge their finding and have them run it by hand to show them that it's not actually running the alert. I think for another client we modified that part of Interchange so it didn't print out the invalid id.
More information about the interchange-users