Trying to pass PCI compliance but have a cross-site scripting problem

I am currently trying to pass PCI compliance for one of my client's sites, but the testing company is reporting a vulnerability that I do not understand!

Details from the testing company (site names removed) are as follows:

The problem here is a cross-site scripting vulnerability, which is usually associated with e-commerce applications. One of the tests attached a harmless script to a GET request at the end of your site URL. It is marked as a cross-site scripting vulnerability because the same script that the user (our scanner) entered was returned by the server, unparsed, in the header. In this case the script was returned in the header, so our scanner noted the vulnerability.

Here is a test that I ran on my own to duplicate this:

    GET /?osCsid=%22%3E%3Ciframe%20src=foo%3E%3C/iframe%3E HTTP/1.0
    Host: (removed)

    HTTP/1.1 302 Found
    Connection: close
    Date: Tue, 11 Jan 2011 23:33:19 GMT
    Server: Microsoft-IIS/6.0
    X-Powered-By: ASP.NET
    X-AspNet-Version: 2.0.50727
    Location: http://www.(removed).co.uk/index.aspx?osCsid="><iframe src=foo></iframe>
    Set-Cookie: ASP.NET_SessionId=bc3wq445qgovuk45ox5qdh55; path=/; HttpOnly
    Cache-Control: private
    Content-Type: text/html; charset=utf-8
    Content-Length: 203

    <html><head><title>Object moved</title></head><body>
    <h2>Object moved to <a href="http://www.(removed).co.uk/index.aspx?osCsid=&quot;>&lt;iframe src=foo>&lt;/iframe>">here</a>.</h2>
    </body></html>

The solution to this problem is to sanitize the data entered in these types of requests, verifying that characters that can run executable scripts are not returned in the header or the page.

Firstly, I can't get the result that the tester did; it only ever returns a 200 header, which does not include the Location, and will not return the "Object moved" page. Secondly, I'm not sure how (on IIS 6) to stop it returning a header with the query string in it! Finally, why does the code in the header matter? Surely browsers will not actually execute code from an HTTP header?

+4
2 answers

It turned out that I had a Response.Redirect for any pages accessed over https that do not need to be secure, and this returned the location as part of the redirect. I changed this to:

    // Send a permanent redirect to the http:// version of the current URL
    // ourselves, instead of calling Response.Redirect.
    Response.Status = "301 Moved Permanently";
    Response.AddHeader("Location", Request.Url.AbsoluteUri.Replace("https:", "http:"));
    Response.End();

That fixed the problem.

0

Request:

    GET /?osCsid=%22%3E%3Ciframe%20src=foo%3E%3C/iframe%3E HTTP/1.0
    Host: (removed)

Here's the problem: <iframe src=foo></iframe>.

Response body:

    <html><head><title>Object moved</title></head><body>
    <h2>Object moved to <a href="http://www.(removed).co.uk/index.aspx?osCsid=&quot;>&lt;iframe src=foo>&lt;/iframe>">here</a>.</h2>
    </body></html>

Response link:

  http://www.(removed).co.uk/index.aspx?osCsid=&quot;>&lt;iframe src=foo>&lt;/iframe> 

Which contains the content from the query string.

Basically, someone can send someone else a link where your osCsid contains text that makes the page display differently. You must make sure that osCsid is sanitized, or filtered for things like that. For example, I could supply a string that lets me load any JavaScript I want, or make the page render completely differently.


As a side note, it tries to redirect your browser to a page that doesn't exist.

+2
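To tie the two answers together, here is an added example (not code from the thread, and not the scanner's own implementation) that reproduces the scanner's check offline against the response quoted in the question and then shows the encoding that stops the reflection. The response text is re-typed from the question with the redacted host replaced by the assumed placeholder www.example.co.uk; the check itself is my reading of the scanner's logic (the raw payload appearing in any header value or in the body), and `safe_redirect` is an illustrative builder rather than an ASP.NET API.

```python
"""Reproduce the PCI scanner's reflected-XSS check and show a safe redirect.

Added example; the response below is constructed from the one quoted in the
question, with the redacted host replaced by the assumed www.example.co.uk.
"""
import html
import urllib.parse

# The scanner's harmless marker, URL-decoded: "><iframe src=foo></iframe>
PAYLOAD = '"><iframe src=foo></iframe>'

# Constructed raw response, re-typed from the question (most headers omitted).
VULNERABLE_RESPONSE = (
    "HTTP/1.1 302 Found\r\n"
    'Location: http://www.example.co.uk/index.aspx?osCsid="><iframe src=foo></iframe>\r\n'
    "Content-Type: text/html; charset=utf-8\r\n"
    "\r\n"
    "<html><head><title>Object moved</title></head><body>"
    '<h2>Object moved to <a href="http://www.example.co.uk/index.aspx?osCsid=&quot;>'
    '&lt;iframe src=foo>&lt;/iframe>">here</a>.</h2></body></html>'
)


def parse_response(raw):
    """Split a raw HTTP/1.x response into (status line, headers dict, body)."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers, body


def scanner_findings(raw, payload=PAYLOAD):
    """Return where the payload is reflected unencoded, as the scanner flagged it.

    A finding of 'header:location' means the raw '"><iframe ...' string came
    back in the Location header; 'body' means it came back raw in the HTML.
    The quoted response only triggers the header finding: the body already
    has the quote and '<' entity-encoded inside the href attribute.
    """
    _, headers, body = parse_response(raw)
    findings = [f"header:{name}" for name, value in headers.items() if payload in value]
    if payload in body:
        findings.append("body")
    return findings


def safe_redirect(scheme, host, path, query_params):
    """Build a redirect whose query values are percent-encoded.

    urlencode turns '"', '<', '>' and '/' into %22, %3C, %3E and %2F, so no
    HTML metacharacter can reach the Location header or the body raw; the
    body additionally HTML-escapes the URL before placing it in an attribute.
    """
    query = urllib.parse.urlencode(query_params)
    location = urllib.parse.urlunsplit((scheme, host, path, query, ""))
    body = (
        "<html><head><title>Object moved</title></head><body>"
        f'<h2>Object moved to <a href="{html.escape(location, quote=True)}">here</a>.</h2>'
        "</body></html>"
    )
    return (
        "HTTP/1.1 301 Moved Permanently\r\n"
        f"Location: {location}\r\n"
        "Content-Type: text/html; charset=utf-8\r\n"
        "\r\n" + body
    )


def location_params(raw):
    """Decode the query string of the Location header back into its parameters,
    to show that encoding preserves the osCsid value rather than stripping it."""
    _, headers, _ = parse_response(raw)
    return urllib.parse.parse_qs(urllib.parse.urlsplit(headers["location"]).query)


if __name__ == "__main__":
    print("vulnerable:", scanner_findings(VULNERABLE_RESPONSE))
    fixed = safe_redirect("http", "www.example.co.uk", "/index.aspx", {"osCsid": PAYLOAD})
    print("fixed:", scanner_findings(fixed))
    print("osCsid round-trips:", location_params(fixed)["osCsid"] == [PAYLOAD])
```

Running it reports a single finding (`header:location`) for the quoted response and none for the encoded redirect, while the session id still decodes to the original value on the far side of the redirect. That is the point of both answers: the value does not need to be rejected, only encoded for the context it is emitted into, and the scanner is satisfied once the raw metacharacters no longer appear in the header.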

Source: https://habr.com/ru/post/1335275/

