On Tue, Aug 11, 2015 at 4:46 AM, Proxy One <proxy-one at mail.ru> wrote: > I haven't used <Location /perl-status> but Trustwave still finds me > vulnerable. > [...] > Response: HTTP/1.1 404 Not Found You clearly aren't serving perl-status; that's a red herring here. [...] > Body: contains '"><script>alert('xss')</script>' That's your problem; they're flagging you for an XSS "vulnerability". I'm guessing you have a custom 404 page that naively echoes the entire request URL as part of the page? You need to be using htmlspecialchars() or HTML::Entities or whatever your language/environment has to escape strings for safe inclusion in HTML content. There is of course more to it than that (sigh), try for starters: https://www.owasp.org/index.php/XSS_%28Cross_Site_Scripting%29_Prevention_Cheat_Sheet --ln