hi,
I have a full ASP Classic website and it has some cross site scripting bugs.
I scanned it and it found some errors like this:

Severity: High
Affects: /search.asp
Details: The GET variable yider has been set to %3C/xss/*-*/style=xss:e/**/xpression(alert(294762585))%3E.
Type: Validation
Description: This script is possibly vulnerable to Cross Site Scripting (XSS) attacks.

Cross site scripting (also referred to as XSS) is a vulnerability that allows an attacker to send malicious code (usually in the form of Javascript) to another user. Because a browser cannot know if the script should be trusted or not, it will execute the script in the user context allowing the attacker to access any cookies or session tokens retained by the browser.

Impact: Malicious users may inject JavaScript, VBScript, ActiveX, HTML or Flash into a vulnerable application to fool a user in order to gather data from them. An attacker can steal the session cookie and take over the account, impersonating the user. It is also possible to modify the content of the page presented to the user.

Recommendation: Your script should filter metacharacters from user input.
Reported by module: Parameter manipulation

References:
Acunetix Cross Site Scripting Attack: http://www.acunetix.com/websitesecurity/cross-site-scripting.htm
Security Focus - Penetration Testing for Web Applications (Part Two): http://www.securityfocus.com/infocus/1709
The Cross Site Scripting Faq: http://www.cgisecurity.com/articles/xss-faq.shtml
OWASP Cross Site Scripting: http://www.owasp.org/index.php/Cross_Site_Scripting
XSS Annihilation: http://ha.ckers.org/blog/20060602/xss-annihilation/
XSS cheat sheet: http://ha.ckers.org/xss.html
PHP XSS (cross site scripting) filter function: http://quickwired.com/kallahar/smallprojects/php_xss_filter_function.php
Cross site scripting: http://en.wikipedia.org/wiki/Cross-site_scripting
OWASP PHP Top 5: http://www.owasp.org/index.php/PHP_Top_5

Request:
GET /search.asp?yider=%3C/xss/*-*/style=xss:e/**/xpression(alert(294762585))%3E&btnsearch=%D8%AC%D8%B3%D8%AA%D8%AC%D9%88%20%D8%AF%D8%B1%20%D9%BE%D8%A7%D9%8A%DA%AF%D8%A7%D9%87 HTTP/1.0
Accept: */*
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0; .NET CLR 1.1.4322)
Host: www.mysite.com
Cookie: ASPSESSIONIDSCASQTQB=CCIBHAOAGBLNHBNPIAGANGCM;Poll=PollID=2;ASP.NET_SessionId=2vn5ue45dygerf550seakc55;__utma=177195445.991742699.1180354728.1180354728.1180354728.1;path=/;expires=Tue, 27 Nov 2007 00:19:34 UTC;domain=acunetix.com;;__utmb=177195445;__utmc=177195445;__utmz=177195445.1180354775.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none)
Connection: Close
Pragma: no-cache

Response:
HTTP/1.1 200 OK
Connection: close
Date: Mon, 28 May 2007 12:40:01 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Content-Length: 23900
Content-Type: text/html; Charset=utf-8
Cache-control: private
Now, how can I fix them?
Thanks,
M.H.H
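The scanner flagged the yider parameter being reflected into search.asp without encoding. The following is an added example of the fix, not code from the original post or the poster's site: it assumes search.asp echoes the search term inside a paragraph and a quoted input value attribute, and the helper names SafeHtml and NormalizeTerm are illustrative.

```vbscript
<%
Option Explicit
' Added example: a hardened search.asp that echoes the "yider" query
' parameter back to the browser. The element and helper names are
' assumptions for illustration, not taken from the original site.

' Declare the charset explicitly so the browser does not guess one that
' could change how the encoded bytes are interpreted.
Response.Charset = "utf-8"

' Server.HTMLEncode turns <, >, & and " into entities, so anything that
' arrives in the query string renders as visible text, never as markup.
Function SafeHtml(ByVal s)
    If IsNull(s) Or IsEmpty(s) Then
        SafeHtml = ""
    Else
        SafeHtml = Server.HTMLEncode(CStr(s))
    End If
End Function

' Input validation on top of output encoding: trim and cap the length so
' the value is reasonable to search on and to log.
Function NormalizeTerm(ByVal s)
    Dim t
    t = Trim(CStr(s))
    If Len(t) > 100 Then t = Left(t, 100)
    NormalizeTerm = t
End Function

Dim term
term = NormalizeTerm(Request.QueryString("yider"))

' Vulnerable pattern (what the scanner reported): writing the raw value.
'   Response.Write "<p>Results for: " & Request.QueryString("yider") & "</p>"

' Fixed pattern: every reflection passes through SafeHtml, including the
' value attribute of the search box, which must stay double-quoted.
%>
<p>Results for: <%= SafeHtml(term) %></p>
<form method="get" action="search.asp">
  <input type="text" name="yider" value="<%= SafeHtml(term) %>">
  <input type="submit" name="btnsearch" value="Search">
</form>
```

Server.HTMLEncode is the right encoder for HTML body text and quoted attribute values; a value placed inside a script block, a URL or a style attribute needs the encoding for that context instead.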