Web Server Cross Site Scripting


  • Web Server Cross Site Scripting

    I scan my server regularly with the ScanMyServer service from Beyond Security. Recently I got the following result:

    The remote web server seems to be vulnerable to the Cross Site Scripting vulnerability.
    The vulnerability is caused when the result returned to the user when a non-existing file is requested contains the original URL (e.g. the result contains the JavaScript provided in the request).
    The vulnerability would allow an attacker to make the server present the user with the attacker's JavaScript/HTML code.
    Since the content is presented by the server, the user will give it the trust level of the server (for example, the trust level of banks, shopping centers, etc. would usually be high).
    Code:
    Sample URL: https://www.mydomain.com:443/index.php?param=">alert(document.cookie)< /script>.php
    Sample Request:
    ===
    GET /index.php?param=">alert(document.cookie)</script>.php HTTP/1.1
    Connection: Close
    Host: www.mydomain.com
    Pragma: no-cache
    User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.7.8)
    Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, image/png, */*
    Accept-Language: en
    Accept-Charset: iso-8859-1,*,utf-8
    How can I change the setting to protect the server?

    My virtual server:
    Ubuntu 16.04.4 LTS
    Plesk Onyx 17.8.11

  • #2
    After my research I had to realize that this is not a Plesk or OS issue. I have adapted the htaccess file and will wait for the result of the next security scan.


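One way to re-check the scanner's finding before the next scan, as an added example that is not part of the original thread: a Python check that reports which request values come back in a response body without HTML encoding. The probe string, the `error_page` stand-in for the server and all function names are constructed for illustration.

```python
import html
from urllib.parse import urlsplit, parse_qsl, unquote

# Characters that change HTML structure when echoed without encoding.
HTML_SPECIALS = "<>\"'"

# Constructed probe modelled on the scanner's sample URL, with a harmless marker tag.
PROBE_URL = 'https://www.mydomain.com/index.php?param="><probe>.php'


def candidates(request_url):
    """Request parts (raw and percent-decoded) that contain HTML-significant characters."""
    parts = urlsplit(request_url)
    raw = [parts.path, parts.query]
    raw += [value for _, value in parse_qsl(parts.query, keep_blank_values=True)]
    raw += [unquote(item) for item in raw]
    return {c for c in raw if any(ch in c for ch in HTML_SPECIALS)}


def reflected_unescaped(request_url, body):
    """Return the request parts that appear verbatim (not HTML-encoded) in the body."""
    return sorted(c for c in candidates(request_url) if c in body)


def error_page(request_url, escape):
    """Constructed stand-in for the page that echoes the requested URL.

    escape=False models the behaviour the scanner reported;
    escape=True models the same page with output encoding applied.
    """
    shown = unquote(request_url)
    if escape:
        shown = html.escape(shown, quote=True)
    return f"<html><body><p>Not found: {shown}</p></body></html>"


if __name__ == "__main__":
    for escape in (False, True):
        hits = reflected_unescaped(PROBE_URL, error_page(PROBE_URL, escape))
        print("escaped output" if escape else "raw echo", "->", hits or "no raw reflection")
```

Against a real server, pass the fetched response body to `reflected_unescaped` in place of the `error_page` output; an empty list means the probe was not reflected verbatim.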

    • #3
      After my research, I had to realize Hp DL 380 security bezel actually I have this server. This is good server security.
