Tags: security, iis-6, xss, pci-compliance

Trying to pass PCI compliance but have a cross-site scripting issue


I'm currently trying to pass PCI compliance for one of my client's sites but the testing company are flagging up a vulnerability that I don't understand!

The (site removed) details from the testing company are as follows:

The issue here is a cross-site scripting vulnerability that is commonly associated with e-commerce applications. One of the tests appended a harmless script in a GET request on the end of your site URL. It flagged as a cross-site scripting vulnerability because this same script that was entered by the user (our scanner) was returned by the server unsanitized in the header. In this case, the script was returned in the header so our scanner flagged the vulnerability.

Here is the test I ran from my terminal to duplicate this:

GET /?osCsid=%22%3E%3Ciframe%20src=foo%3E%3C/iframe%3E HTTP/1.0
Host: (removed)

HTTP/1.1 302 Found
Connection: close
Date: Tue, 11 Jan 2011 23:33:19 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Location: http://www.(removed).co.uk/index.aspx?osCsid="><iframe src=foo></iframe>
Set-Cookie: ASP.NET_SessionId=bc3wq445qgovuk45ox5qdh55; path=/; HttpOnly
Cache-Control: private
Content-Type: text/html; charset=utf-8
Content-Length: 203

<html><head><title>Object moved</title></head><body>
<h2>Object moved to <a href="http://www.(removed).co.uk/index.aspx?osCsid=&quot;>&lt;iframe src=foo>&lt;/iframe>">here</a>.</h2>
</body></html>

The solution to this issue is to sanitize user input on these types of requests, making sure characters that could trigger executable scripts are not returned on the header or page.

Firstly, I can't get the result that the tester did; it only ever returns a 200 header which doesn't include the location, nor will it return the object moved page. Secondly, I'm not sure how (on IIS 6) to stop it returning a header with the query string in it! Lastly, why does code in the header matter? Surely browsers wouldn't actually execute code from the HTTP header?


Solution

  • It turned out that I have a Response.Redirect for any pages which are accessed by https which don't need to be secure, and this was returning the location as part of the redirect. Changing this to:

    // Permanent redirect to the plain-http form of the current URL
    Response.Status = "301 Moved Permanently";
    // Request.Url is a System.Uri; AbsoluteUri is its escaped form, so reserved
    // characters in the query string are emitted percent-encoded, not raw
    Response.AddHeader("Location", Request.Url.AbsoluteUri.Replace("https:", "http:"));
    Response.End();

    Fixed the issue.
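As an added illustration (not code from the question or the answer), this Python script parses the tester's 302 response quoted above, reports which characters the Location header reflects raw, and re-encodes the query string so those characters come back percent-escaped, which is the effect I take the accepted fix to get from Request.Url.AbsoluteUri (the page itself does not say why the fix works). The hostname www.example.co.uk stands in for the removed one.

```python
from urllib.parse import parse_qsl, quote, urlencode, urlsplit, urlunsplit

# Constructed from the tester's transcript in the question; hostname is a placeholder.
RAW_RESPONSE = (
    "HTTP/1.1 302 Found\r\n"
    "Server: Microsoft-IIS/6.0\r\n"
    'Location: http://www.example.co.uk/index.aspx?osCsid="><iframe src=foo></iframe>\r\n'
    "Content-Type: text/html; charset=utf-8\r\n"
    "\r\n"
    "<html><head><title>Object moved</title></head><body></body></html>"
)

# Characters that must never be reflected raw into a Location value: quote and angle
# brackets break out of an attribute wherever the URL is echoed into HTML, and CR/LF
# would split the header.
UNSAFE = set('"<>\r\n ')


def parse_response(raw):
    """Split a raw HTTP/1.x response into (status line, header dict, body)."""
    head, _, body = raw.partition("\r\n\r\n")
    status, *lines = head.split("\r\n")
    headers = {}
    for line in lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return status, headers, body


def unsafe_chars_in_location(headers):
    """Return the set of unsafe characters present raw in the Location header (empty = clean)."""
    return {c for c in headers.get("location", "") if c in UNSAFE}


def harden_location(url):
    """Percent-encode every query-string key and value, leaving the rest of the URL intact.
    Assumed here to match what Request.Url.AbsoluteUri produces in the poster's fix."""
    parts = urlsplit(url)
    pairs = parse_qsl(parts.query, keep_blank_values=True)
    return urlunsplit(parts._replace(query=urlencode(pairs, quote_via=quote)))


if __name__ == "__main__":
    status, headers, _ = parse_response(RAW_RESPONSE)
    bad = unsafe_chars_in_location(headers)
    print(status, "reflects raw:", sorted(bad) or "nothing")
    print("hardened:", harden_location(headers["location"]))
```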