A PCI scan has failed my site due to a Path-Based Cross-Site Scripting (XSS) vulnerability. Microsoft IIS resolved this problem years ago by enabling "Validate Request = true" in the Pages and Control under your site. If I do this on my site it disables the ability to edit pages on the site from the admin. It might also disable other features and the customer shopping experience. Your default web.config file has validate request = false. What do you recommend to resolve this PCI failure? Can you provide a letter or statement I can send to my scanning company to get past this failure?
Running 2008 R2 Server with newest Gold build 12 SP1 (something like that).
Path-Based Cross-Site Scripting (XSS) Failure
- mseachrist
- Lieutenant, Jr. Grade (LT JG)
- Posts: 33
- Joined: Wed Apr 05, 2006 10:42 am
- Shopping Cart Admin
- AbleCommerce Admin
- Posts: 3055
- Joined: Mon Dec 01, 2003 8:41 pm
- Location: Vancouver, WA
- Contact:
Re: Path-Based Cross-Site Scripting (XSS) Failure
Hello,
We have sites being scanned by a half dozen+ different vendors and have never seen that issue. Please open up a support ticket and attach the .pdf results of the scan.
https://www.ablecommerce.com/helpdesk.aspx
-
- Commander (CMDR)
- Posts: 129
- Joined: Thu Oct 19, 2006 5:33 pm
Re: Path-Based Cross-Site Scripting (XSS) Failure
Similar issue here with a Qualys web application scan. I've just submitted a support ticket to the helpdesk.