
Resources/services for PCI compliance? Fix for "Cross-site scripting vulnerability in category parameter" vulnerability?

An auditing firm said we are not PCI compliant, but provided unhelpful instructions on how to resolve the issues. They are clearly hoping we will engage their consulting unit.

What resources/services have you used to plug gaps after receiving a PCI compliance audit alert?

Are there web sites that provide helpful resources on resolving PCI compliance issues?

For instance, here is one of the cryptic failure messages we were flagged on:

"Description: Cross-site scripting vulnerability in category parameter to URL X"

But there is no clear guidance on how to close this vulnerability.

Thanks.


Did they say which URL is causing the vulnerability, or was it literally an "X"?

Check to make sure that no user input, or input that is being grabbed from the URL, is being displayed anywhere on the page (or being used in your javascript) without being properly sanitized.

If you post the URL I'm sure people here would be happy to look for the vulnerability.

[Edit after you posted the URL:]

Here is a link to a malformed request displaying the vulnerability:

http://www.cengraving.com/s/category?category=Outdoor+signs+'-'alert("Cross%20Site%20Scripting%20Vulnerability%20Here");

A way to prevent this attack would be to validate all user input.

Client side you can remove any suspicious characters like <>'"-

Server side you should use regex to whitelist valid queries before entering them into your database.

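One way to close this kind of finding on the server side, added here as an example and not code from the question or the answer above: the page's category value is first checked against an allowlist and then HTML-encoded when it is written into the page, so a value like the one in the request above can neither pass validation nor break out of the markup. The host name, the allowlist pattern and the handler shape are assumptions.

```python
import html
import re
from typing import Optional, Tuple
from urllib.parse import parse_qs, urlsplit

# Assumed allowlist for a catalogue category name: letters, digits, spaces,
# ampersand, apostrophe and hyphen, at most 64 characters. Adjust to the real
# category data; anything outside it is rejected before it reaches the
# database or the page.
CATEGORY_RE = re.compile(r"^[A-Za-z0-9 &'\-]{1,64}$")


def category_from_url(url: str) -> Optional[str]:
    """Return the raw 'category' query value from a request URL, or None."""
    values = parse_qs(urlsplit(url).query).get("category")
    return values[0] if values else None


def validate_category(raw: str) -> bool:
    """Server-side allowlist check: does this look like a category name?"""
    return bool(CATEGORY_RE.fullmatch(raw))


def render_heading(raw: str) -> str:
    """Write the value into HTML with output encoding.

    quote=True also encodes ' and ", so the result is safe inside attribute
    values as well as element text. Encoding happens even for values that
    passed validation, as a second layer of defence.
    """
    return f"<h1>Products in: {html.escape(raw, quote=True)}</h1>"


def handle_request(url: str) -> Tuple[int, str]:
    """Controller-style flow: reject bad input, encode everything that is shown."""
    raw = category_from_url(url)
    if raw is None or not validate_category(raw):
        return 400, "<h1>Unknown category</h1>"
    return 200, render_heading(raw)


if __name__ == "__main__":
    # Constructed sample requests on a placeholder host.
    for sample in (
        "http://shop.example/s/category?category=Outdoor+signs",
        "http://shop.example/s/category?category=Outdoor+signs+'-'alert(1)",
    ):
        print(handle_request(sample))
```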