On 2015-Aug-11 19:57, Ellen Shull wrote:
On Tue, Aug 11, 2015 at 4:46 AM, Proxy One proxy-one@mail.ru wrote:
I haven't used <Location /perl-status> but Trustwave still finds me vulnerable.
[...]
Response: HTTP/1.1 404 Not Found
You clearly aren't serving perl-status; that's a red herring here.
Indeed, I don't have mod_proxy installed.
[...]
Body: contains '"><script>alert('xss')</script>'
That's your problem; they're flagging you for an XSS "vulnerability". I'm guessing you have a custom 404 page that naively echoes the entire request URL as part of the page? You need to be using htmlspecialchars() or HTML::Entities or whatever your language/environment has to escape strings for safe inclusion in HTML content.
There is a PHP-generated 404 page. I'll check that with the web developer. What's strange, I'm trying to reproduce this and I don't see that string. Trustwave support suggested I use Burp Suite and its Repeater tool. I found a Windows machine, installed it and all I see inside the body is "Unable to resolve the request "perl-status/APR::SockAddr::port"".
Is there a way to use curl for testing? I'm getting a new line because of the single quote inside the string and escaping it with a backslash gives me bash: syntax error near unexpected token `<'
There is of course more to it than that (sigh), try for starters: https://www.owasp.org/index.php/XSS_%28Cross_Site_Scripting%29_Prevention_Ch...
Very nice reading, thanks!
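
The curl test asked about above, as an added example that is not part of the original thread: it shows one way to quote the flagged string in bash and to check whether a 404 body echoes it raw or HTML-escaped. The function names, the example.com URL, appending the payload to the path, and the sample bodies are assumptions constructed for illustration; use the exact request from the scan report.

```shell
#!/bin/sh
# Added example. Names, URL layout and sample bodies are assumptions.

# Inside double quotes the single quotes are literal; only the leading
# double quote needs a backslash. No newline prompt, no "<" syntax error.
payload="\"><script>alert('xss')</script>"

# Request base URL + payload. curl does not percent-encode the path for you,
# so the string goes out as typed. -g turns off curl's URL globbing.
fetch_with_payload() {
    curl -s -g -- "$1$payload"
}

# Read a response body on stdin and report how the payload comes back:
#   reflected-raw  payload appears verbatim (what the scanner flagged)
#   escaped        entity-encoded form appears (htmlspecialchars-style output)
#   absent         neither form is present
classify_body() (
    body=$(cat)
    escaped='&quot;&gt;&lt;script&gt;'
    if printf '%s' "$body" | grep -qF -- "$payload"; then
        echo reflected-raw
    elif printf '%s' "$body" | grep -qF -- "$escaped"; then
        echo escaped
    else
        echo absent
    fi
)

# Constructed sample bodies so the check can be exercised offline.
raw_sample="<p>Unable to resolve the request ${payload}</p>"
escaped_sample='<p>Unable to resolve the request &quot;&gt;&lt;script&gt;alert(&#039;xss&#039;)&lt;/script&gt;</p>'
clean_sample='Unable to resolve the request "perl-status/APR::SockAddr::port".'

# Against your own server (hypothetical URL):
#   fetch_with_payload 'https://www.example.com/perl-status/APR::SockAddr::port/' | classify_body
```

A result of `escaped` or `absent` on the same request the scanner sent means the 404 page is no longer echoing the string unescaped.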