Cross Site Scripting - Newbie Question

Guys,

I've been informed today that one of my websites (at work) is allowing CSS. Apart from Sp'ing and HF'ing the server, is there an IIS security tool I can install on Server 2003 that will prevent all known forms of attacks on the box, such as the security roll-up tool that used to exist for Server 2000?

In anticipation,

---------
We don't stop playing because we get old
We get old because we stop playing


Steve Ray wrote:
> I've been informed today that one of my websites (at work) is
> allowing CSS. Apart from Sp'ing and HF'ing the server, is there an IIS
> security tool I can install on Server 2003 that will prevent all
> known forms of attacks on the box, such as the security roll-up tool
> that used to exist for Server 2000?

Why are they allowing Cross Site Scripting? If you are the server admin then put your foot down! Otherwise, ASP.NET has a default block for any form values that have anything looking like JavaScript. Try exploiting the site yourself and see if you can do it. If you can, then you can send them a very stiff email with a demo saying that you will terminate their account unless they fix the problem.


Hi,

Steve Ray wrote:
> I've been informed today that one of my websites (at work) is allowing
> CSS. Apart from Sp'ing and HF'ing the server, is there an IIS security tool
> I can install on Server 2003 ...

One doesn't fix cross-site scripting vulnerabilities (the preferred acronym is XSS, as CSS stands for something else) by doing something to the server. Instead, one fixes it in the coding of the affected page(s). XSS potential is created through lousy server-side code (ASP[.NET], PHP, Perl, whatever), which can be manipulated to inject HTML in your page. The risk exists in any web page that takes a POST or GET variable and somehow includes its content in the response (confirmation, link target, etc.).

For more information, read: http://www.cgisecurity.com/articles/xss-faq.shtml

As Leon pointed out, ASP.NET attempts to block the potential by default. This protection may be turned off by setting ValidateRequest to false in the application's web.config file. If your site contains any ASP.NET, you may want to check your web.config files -- however, be aware many applications require request validation off for intended functionality. Having validation turned off doesn't necessarily make the application exploitable -- only responsible for doing its own checking.

What you really need to do is identify the pages that are exploitable and get them fixed. If they are part of a third-party web application (e.g. forums, shopping carts), check for a newer version or contact the author.

--
Chris Priede
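The reflected case Chris describes (a GET value copied straight into the response), the page-level fix, Leon's "try exploiting it yourself" check, and Chris's web.config check, as one added example. This is not code from the thread, from ASP.NET or from IIS: the two page functions are a hypothetical stand-in for an ASP/ASP.NET handler written in Python so it runs anywhere, and `PROBE`, the `WEB_CONFIG_*` strings and all function names are constructed for the demo.

```python
"""Reflected XSS, the page-level fix, and a web.config request-validation check.

Added example for this thread, not code from the original posts or from
ASP.NET. The two page functions are a hypothetical stand-in for an
ASP/ASP.NET handler; the config strings are constructed samples.
"""
import html
import xml.etree.ElementTree as ET
from urllib.parse import parse_qs, quote

# Constructed probe: harmless on its own, dangerous only if echoed back raw.
PROBE = "<script>alert(1)</script>"


def _param(query_string: str, name: str) -> str:
    """Return the first value of a GET parameter, or '' when absent."""
    return parse_qs(query_string).get(name, [""])[0]


def vulnerable_search_page(query_string: str) -> str:
    """Deliberately vulnerable: the 'q' value is copied straight into the HTML."""
    return f"<html><body>Results for: {_param(query_string, 'q')}</body></html>"


def fixed_search_page(query_string: str) -> str:
    """Same page, fixed where Chris says it must be fixed: in the page code.
    The untrusted value is HTML-encoded at output time."""
    safe = html.escape(_param(query_string, "q"), quote=True)
    return f"<html><body>Results for: {safe}</body></html>"


def reflects_unencoded(page, param: str = "q", probe: str = PROBE) -> bool:
    """Leon's suggestion, automated: send the probe as a GET parameter and
    report whether it comes back verbatim (i.e. unencoded) in the response."""
    body = page(f"{param}={quote(probe)}")
    return probe in body


def request_validation_disabled(web_config_xml: str) -> bool:
    """True if <system.web><pages validateRequest="false"/> is set.

    Chris's caveat applies: 'false' means the application has taken on the
    checking itself, not that it is exploitable. Per-page
    <%@ Page ValidateRequest="false" %> directives are not covered here.
    """
    root = ET.fromstring(web_config_xml)
    # Some web.config files carry a default xmlns; match it if present.
    ns = root.tag[1:].split("}")[0] if root.tag.startswith("{") else ""
    p = f"{{{ns}}}" if ns else ""
    pages = root.find(f"{p}system.web/{p}pages")
    if pages is None:
        return False  # attribute absent: ASP.NET's default (validation on) applies
    return pages.get("validateRequest", "true").strip().lower() == "false"


# Constructed web.config samples (not from any real site).
WEB_CONFIG_OFF = """<configuration>
  <system.web>
    <pages validateRequest="false" />
  </system.web>
</configuration>"""

WEB_CONFIG_DEFAULT = """<configuration>
  <system.web>
    <compilation debug="false" />
  </system.web>
</configuration>"""

WEB_CONFIG_OFF_NS = """<configuration xmlns="http://example.invalid/constructed-namespace">
  <system.web>
    <pages validateRequest="false" />
  </system.web>
</configuration>"""


if __name__ == "__main__":
    for name, page in (("vulnerable", vulnerable_search_page), ("fixed", fixed_search_page)):
        print(f"{name} page: reflects probe unencoded = {reflects_unencoded(page)}")
    for name, cfg in (("off", WEB_CONFIG_OFF), ("default", WEB_CONFIG_DEFAULT), ("off+xmlns", WEB_CONFIG_OFF_NS)):
        print(f"web.config {name}: request validation disabled = {request_validation_disabled(cfg)}")
```

`reflects_unencoded` only proves the page echoes input raw; a real test on the live site needs the page function replaced by an HTTP fetch of the suspect URL. `request_validation_disabled` reads one file, so run it over every web.config in the site tree, and remember it reports configuration, not exploitability.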