xss, sql-injection, pci-dss

Vulnerability reports from PCI-DSS scan


We have had a PCI scan on one of our websites passed on to us by one of our clients. There are a number of reports of vulnerabilities that look something like this:

Network service: 80/443 Application URL: http://www.oursite.com/signup.php The response contains SQL Server errors. This suggests that the hazardous characters inserted by the test penetrated the application and reached the SQL query itself (i.e. that the application is vulnerable to SQL Injection).

Summary test information: header: header X-Forwarded-For=%2527

I'm not sure how they are saying they have injected code here?

Another example they provide for a different URL with supposedly the same issue has this as the exploit:

Summary test information: header: header X-Forwarded-For='

EDIT
I've had a look into this header and it seems it's only set by proxies or load balancers (which we don't use anyway). Either way, I've spoofed it myself and there is no vulnerability at our end at all, so I'm not sure what they are highlighting. Since we make no use of this header, I'm not sure what the supposed point of attack would be anyway?

Another example we have of a so-called vulnerability is this:

Network service: 80/443 Application URL: http://www.oursite.com/products/product-na-here/370 The test successfully embedded a script in the response, and it will be executed once the page is loaded in the user's browser. This means the application is vulnerable to Cross-Site Scripting.

Summary test information:

path: path /products/product-na-here/370 -> /products/product-na-here/370,parameter: header >'">alert(957652)

Again, I'm not sure what is being flagged here at all?

Thanks.


Solution

  • The scans are automated and can generate false positives. It is to alert you to possibilities of vulnerabilities, and you need to either explain how you aren't vulnerable or close the vulnerabilities. (Assuming you're doing this for a PCI compliance audit... if not, then you just try to justify/close them internally.)

    The scans are based on the OWASP top 10 vulnerabilities (http://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project) as mandated by PCI DSS. Take a look there; there are a lot of nice examples and really in-depth explanations of the vulnerabilities.
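As an added illustration (not part of the question or the answer above), the Python below models both findings so you can see what the scanner is checking for and what a fix looks like. The sign-up handler, the `signups` table, the product renderer and the probe strings are all constructed for this example; the one real detail taken from the report is that the scanner sends the header both as `%2527` and as a bare `'`, which is a check for stacks that URL-decode twice. A sign-up page that records the visitor's address is one common way a header the developers "don't use" still reaches a query, since such code often prefers X-Forwarded-For over the socket address.

```python
import html
import sqlite3
from urllib.parse import unquote

# In-memory table standing in for the site's sign-up log (constructed for this example).
conn = sqlite3.connect(":memory:")
conn.execute("CREATE TABLE signups (email TEXT, client_ip TEXT)")


def decode_probe(value: str) -> str:
    """Decode a probe the way a stack that URL-decodes twice would.

    %2527 -> %27 after the first pass -> ' after the second, which is why the
    report lists both %2527 and a bare ' against the same header.
    """
    return unquote(unquote(value))


def log_signup_vulnerable(email: str, xff_header: str) -> None:
    """Hypothetical sign-up handler that stores the X-Forwarded-For value by
    string concatenation. A quote in the header breaks the statement and the
    database error ends up in the response, which is what the scan reports."""
    query = f"INSERT INTO signups (email, client_ip) VALUES ('{email}', '{xff_header}')"
    conn.execute(query)  # raises sqlite3.OperationalError on an unbalanced quote


def log_signup_safe(email: str, xff_header: str) -> None:
    """Same handler with a parameterized query: the header is data, never SQL."""
    conn.execute("INSERT INTO signups (email, client_ip) VALUES (?, ?)", (email, xff_header))


def probe_sql_error(handler, xff_header: str) -> bool:
    """Mimic the scanner's test: does the header value trigger a database error?"""
    try:
        handler("user@example.com", xff_header)
        return False
    except sqlite3.OperationalError:
        return True


def render_product_vulnerable(product_name: str) -> str:
    """Hypothetical product page that reflects a request value into HTML unescaped."""
    return f"<h1>{product_name}</h1>"


def render_product_safe(product_name: str) -> str:
    """Escaped before insertion, so markup in the input renders as plain text."""
    return f"<h1>{html.escape(product_name, quote=True)}</h1>"


def reflects_markup(renderer, probe: str) -> bool:
    """Mimic the XSS test: does the probe come back verbatim in the response body?"""
    return probe in renderer(probe)


if __name__ == "__main__":
    for raw in ("%2527", "'"):
        payload = decode_probe(raw)
        print(f"{raw} -> {payload!r}: "
              f"concatenated handler errors={probe_sql_error(log_signup_vulnerable, payload)}, "
              f"parameterized handler errors={probe_sql_error(log_signup_safe, payload)}")
    xss_probe = ">'\"><b>probe</b>"  # constructed marker, not the scanner's payload
    print("unescaped page reflects probe:", reflects_markup(render_product_vulnerable, xss_probe))
    print("escaped page reflects probe:", reflects_markup(render_product_safe, xss_probe))
```

Run it as a script and the concatenated handler errors on the decoded `'` while the parameterized one stores it as an ordinary string; the escaped product page no longer returns the probe verbatim. The same two checks (a database error in the response, and the probe reflected unchanged) are what the scanner's "SQL Server errors" and "successfully embedded a script" findings rest on, so reproducing them this way is a reasonable basis for either fixing the handler or documenting why the finding does not apply.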