On Tue, Aug 11, 2015 at 4:46 AM, Proxy One proxy-one@mail.ru wrote:
> I haven't used <Location /perl-status> but Trustwave still finds me vulnerable.
[...]
> Response: HTTP/1.1 404 Not Found
You clearly aren't serving perl-status; that's a red herring here.
[...]
> Body: contains '"><script>alert('xss')</script>'
That's your problem; they're flagging you for an XSS "vulnerability". I'm guessing you have a custom 404 page that naively echoes the entire request URL as part of the page? You need to be using htmlspecialchars() or HTML::Entities or whatever your language/environment has to escape strings for safe inclusion in HTML content.
There is of course more to it than that (sigh), try for starters: https://www.owasp.org/index.php/XSS_%28Cross_Site_Scripting%29_Prevention_Ch...
--ln
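
The escaping fix suggested in the reply above, as an added example that is not code from the thread or from either poster: a 404 body that echoes the request URL unchanged, next to one that passes it through HTML::Entities first. The function names and the request path are assumptions made up for this illustration, and the script assumes HTML::Entities is installed.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use HTML::Entities qw(encode_entities);

# Hypothetical 404 body builders; the names are assumptions for this example.

# Naive version: the requested URL goes into an attribute and into text unchanged.
sub not_found_naive {
    my ($url) = @_;
    return qq{<p>Not found: <a href="$url">$url</a></p>};
}

# Escaped version: <, >, &, " and ' become entities, so the URL cannot close
# the href attribute or open a new tag.
sub not_found_escaped {
    my ($url) = @_;
    my $safe = encode_entities($url, q{<>&"'});
    return qq{<p>Not found: <a href="$safe">$safe</a></p>};
}

# Constructed request path carrying the string quoted from the scan report.
my $probe = q{/perl-status/"><script>alert('xss')</script>};

for my $case ( [ naive   => not_found_naive($probe) ],
               [ escaped => not_found_escaped($probe) ] ) {
    my ($name, $body) = @$case;
    # The scanner's check amounts to: does the raw string come back in the body?
    my $echoed = index($body, q{"><script>}) >= 0 ? 'yes' : 'no';
    print "$name: probe echoed unescaped: $echoed\n$body\n\n";
}
```

The double quote matters as much as the angle brackets here: the probe begins with `">` so that it also works when the URL is echoed inside an attribute value.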