开发者

Could this have caused an XSS vulnerability?

I have had a scan performed on my website looking for vulnerabilities, etc. The report was returned saying there was a risk of an XSS attack, I have looked in to my website code and the only iss开发者_运维问答ue I can find (which is causing a W3C validation error) is that I have accidentally added 'language="javascript"' to my script tag...could this have thrown the error which they have reported? I don't have any form inputs and it is not connected to a database.

Many thanks, in advance.


No, using language="javascript" on your script tags won't make an XSS vulnerability, even though it's bad practice. I can't discern what your possible XSS vulnerability comes from without any relevant code, unfortunately.


Any reputable consultant should make it clear in their report exactly what the risk is and how it is reproduced. I'd expect to see documented methodology, findings and conclusions.

If they can't demonstrate a risk then they can't say they have found one.

UPDATE:

Based on your comment I've found the following, which identifies this as a general vulnerability with the Apache webserver rather than your particular code. You should ask whoever manages your webhosting to comment.

A flaw in the handling of invalid Expect headers. If an attacker can influence the Expect header that a victim sends to a target site they could perform a cross-site scripting attack. It is known that some versions of Flash can set an arbitrary Expect header which can trigger this flaw. Not marked as a security issue for 2.0 or 2.2 as the cross-site scripting is only returned to the victim after the server times out a connection.

  • see: http://www.rapid7.com/vulndb/lookup/http-apache-expect-header-xss
  • also: http://www.iss.net/security_center/reference/vuln/HTTP_Apache_Expect_XSS.htm

UPDATE 2:

The following is a description of the vulnerability (link). Ask your hosting people to check their servers are properly patched.

In May 2006 a reporter found a bug in Apache where an invalid Expect header sent to the server (Apache 1.3.3 onwards) would be returned to the user in an error message, unescaped. This could allow a cross-site scripting attack only if a victim can tricked into connecting to a site and sending such a carefully crafted Expect header. Whist browsers do not provide this functionality, it was recently discovered that Flash allows you to make a connection with arbitrary headers. The attack mechanism is therefore:

  1. User is tricked into visiting a malicious web site with a flash-enabled browser
  2. Malicious web site uses a flash movie to make a connection to the target site with custom Expect header
  3. This results in cross-site scripting (attacker could steal your cookies from the third party site, or inject content etc)


If you're sure that no user input can ever make its way to be served on your pages, then there can't be any XSS.

0

上一篇:

下一篇:

精彩评论

暂无评论...
验证码 换一张
取 消

最新问答

问答排行榜