Tony
Hi,
I've searched high and low looking for information on reflected or
non-persistent cross site scripting. An automated scan shows that my
website is vulnerable to such attacks, but everything I find when
searching just talks about validating inputs, which I do.
The information is appended to the URL, but they're not querystring
elements that I'm processing and I don't know why the stuff is being
embedded into the page.
This is an example of what's appended to the URL:
?>"></title></iframe></script></form><sCriPt>alert("XSS_DETECTED")</sCriPt>
though it would be encoded thus:
?%3E%22%3E%3C%2Ftitle%3E%3C%2Fiframe%3E%3C%2Fscript%3E%3C%2Fform%3E%3CsCriPt%3Ealert%28%22XSS+DETECTED%22%29%3C%2FsCriPt%3E=1
The site is running ASP.NET 2 and the server is IIS7.
Any help would be greatly appreciated.
Tony
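Decoding the scanner's query string shows that the markup sits in the parameter name (its value is just `1`), so validation applied to the parameters a page reads never sees it. The following is an added example, not part of the original post: it parses the quoted string and checks a page body for the decoded text appearing unencoded. The path `/page.aspx`, the two render functions and the premise that the page writes the decoded request URL into its markup are assumptions made for illustration.

```python
import html
from urllib.parse import parse_qsl, unquote_plus

# Encoded query string exactly as quoted in the post (leading "?" dropped).
SCANNER_QUERY = (
    "%3E%22%3E%3C%2Ftitle%3E%3C%2Fiframe%3E%3C%2Fscript%3E%3C%2Fform%3E"
    "%3CsCriPt%3Ealert%28%22XSS+DETECTED%22%29%3C%2FsCriPt%3E=1"
)

# Constructed request URL; "/page.aspx" is a placeholder path.
DECODED_URL = "/page.aspx?" + unquote_plus(SCANNER_QUERY)


def split_probe(query):
    """Return decoded (name, value) pairs from a raw query string."""
    return parse_qsl(query, keep_blank_values=True)


def render_unsafe(url):
    """Hypothetical page that writes the decoded request URL into an attribute as-is."""
    return '<form method="post" action="%s"></form>' % url


def render_encoded(url):
    """Same hypothetical page, HTML-encoding the URL before it is written out."""
    return '<form method="post" action="%s"></form>' % html.escape(url, quote=True)


def reflects_unencoded(body, query):
    """True if a decoded name or value containing markup characters
    appears verbatim (not HTML-encoded) in the response body."""
    for name, value in split_probe(query):
        for part in (name, value):
            if any(ch in part for ch in '<>"') and part in body:
                return True
    return False


if __name__ == "__main__":
    for name, value in split_probe(SCANNER_QUERY):
        print("name :", name)
        print("value:", value)
    print("unsafe page reflects :", reflects_unencoded(render_unsafe(DECODED_URL), SCANNER_QUERY))
    print("encoded page reflects:", reflects_unencoded(render_encoded(DECODED_URL), SCANNER_QUERY))
```

The same check can be run against a saved copy of the flagged page's HTML to find which element carries the reflected text.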