Cross Site Scripting - Newbie Question
on 16.03.2006 20:04:56 by Steve Ray
Guys
I've been informed today that one of my websites (at work) is allowing CSS.
Apart from Sp'ing and HF'ing the server, is there an IIS security tool I can
install on Server 2003 that will prevent all known forms of attacks on the
box, such as a security roll-up tool that used to exist for Server 2000?
In anticipation
---------
We don't stop playing because we get old
We get old because we stop playing
Re: Cross Site Scripting - Newbie Question
on 16.03.2006 22:41:02 by DFS
Steve Ray wrote:
> I've been informed today that one of my websites (at work) is
> allowing CSS. Apart from Sp'ing and HF'ing the server, is there an IIS
> security tool I can install on Server 2003 that will prevent all
> known forms of attacks on the box, such as a security roll-up tool
> that used to exist for Server 2000?
Why are they allowing Cross Site Scripting? If you are the server admin then
put your foot down!
Otherwise ASP.NET has a default block for any form values that have anything
looking like javascript. Try exploiting the site yourself and see if you can
do it. If you can then you can send them a very stiff email with a demo
saying that you will terminate their account unless they fix the problem.
Re: Cross Site Scripting - Newbie Question
on 17.03.2006 23:27:49 by Chris Priede
Hi,
Steve Ray wrote:
> I've been informed today that one of my websites (at work) is allowing
> CSS. Apart from Sp'ing and HF'ing the server, is there an IIS security tool
> I can install on Server 2003 ...
One doesn't fix cross-site scripting vulnerabilities (the preferred acronym
is XSS, as CSS stands for something else) by doing something to the server.
Instead, one fixes it in the coding of the affected page(s).
XSS potential is created through lousy server-side code (ASP[.NET], PHP,
Perl, whatever), which can be manipulated to inject HTML in your page. The
risk exists in any web page that takes a POST or GET variable and somehow
includes its content in the response (confirmation, link target, etc.). For
more information, read:
http://www.cgisecurity.com/articles/xss-faq.shtml
As Leon pointed out, ASP.NET attempts to block the potential by default.
This protection may be turned off by setting ValidateRequest to false in the
application's web.config file. If your site contains any ASP.NET, you may
want to check your web.config files -- however, be aware many applications
require request validation off for intended functionality. Having
validation turned off doesn't necessarily make the application
exploitable -- only responsible for doing its own checking.
What you really need to do is identify the pages that are exploitable and
get them fixed. If they are part of a third party web application (e.g.
forums, shopping carts), check for a newer version or contact the author.
--
Chris Priede
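An added example illustrating Chris Priede's point that XSS is fixed in the page code, not by a server tool (this is not code from the thread or from any product mentioned in it). A hypothetical confirmation page echoes the `name` GET variable back into its response; the first renderer interpolates the raw value, the second HTML-encodes it, and a small check shows the difference on a constructed request.

```python
"""Reflected XSS: the same confirmation page rendered unsafely and safely.

Hypothetical page and constructed requests; the fix is output encoding
in the page code, which is what the thread recommends over server tools.
"""
import html
from urllib.parse import parse_qs, urlsplit

# Hypothetical page template: a GET variable is included in the response.
TEMPLATE = "<html><body><p>Thanks, {name}! Your order is confirmed.</p></body></html>"

# Constructed requests: a normal one and one carrying HTML in the variable.
GOOD_REQUEST = "/confirm?name=Steve"
BAD_REQUEST = "/confirm?name=%3Cscript%3Ealert(1)%3C%2Fscript%3E"


def _name_from(request_line: str) -> str:
    """Pull the (percent-decoded) 'name' GET variable out of a request path."""
    params = parse_qs(urlsplit(request_line).query)
    return params.get("name", [""])[0]


def render_vulnerable(request_line: str) -> str:
    """Vulnerable: the GET variable lands in the HTML exactly as supplied."""
    return TEMPLATE.format(name=_name_from(request_line))


def render_fixed(request_line: str) -> str:
    """Fixed: the value is HTML-encoded for the element-body context it is
    placed in. Other contexts (attribute values, link targets, script blocks)
    need their own encoding rules; html.escape alone is not enough there."""
    return TEMPLATE.format(name=html.escape(_name_from(request_line), quote=True))


def echoes_markup_verbatim(response: str, untrusted: str) -> bool:
    """Crude check a reviewer can run over a page: does untrusted input that
    contains a tag appear unchanged in the response? True means exploitable."""
    return "<" in untrusted and untrusted in response


if __name__ == "__main__":
    injected = _name_from(BAD_REQUEST)
    for label, render in (("vulnerable", render_vulnerable), ("fixed", render_fixed)):
        body = render(BAD_REQUEST)
        print(f"{label}: echoes markup verbatim = {echoes_markup_verbatim(body, injected)}")
        print("   ", body)
```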