Path-Based Cross-Site Scripting (XSS) Failure

Posted: Fri Jan 20, 2017 3:54 am
by mseachrist
A PCI scan has failed my site due to a Path-Based Cross-Site Scripting (XSS) vulnerability. Microsoft IIS resolved this problem years ago by enabling "Validate Request = true" in Pages and Controls under your site. If I do this on my site it disables the ability to edit pages on the site from the admin. It might also disable other features and the customer shopping experience. Your default web.config file has validate request = false. What do you recommend to resolve this PCI failure? Can you provide a letter or statement I can send to my scanning company to get past this failure?

Running 2008 R2 Server with newest Gold build 12 SP1 (something like that).

Re: Path-Based Cross-Site Scripting (XSS) Failure

Posted: Sun Jan 22, 2017 12:35 pm
by Shopping Cart Admin
Hello,

We have sites being scanned by a half dozen+ different vendors and have never seen that issue. Please open up a support ticket and attach the .pdf results of the scan.

https://www.ablecommerce.com/helpdesk.aspx

Re: Path-Based Cross-Site Scripting (XSS) Failure

Posted: Thu Feb 16, 2017 5:32 am
by gdelorey@mitcs.com
Similar issue here with a Qualys web application scan. I've just submitted a support ticket to the helpdesk.