Cross Site Scripting


#3215
    AITpro Admin
    Keymaster

    Email Question:

    hi there, I am struggling with something, I run BPS on my website, but found that someone got through. See below :-

    Cross Site Scripting
    URL: http: //new.example.com/portfolios/media/?cpt_item=liberty-professionals
    Affected Parameter: yit_contact[email]
    Vector Used: ">
    Pattern found: ">
    Complete Attack:

    http: //new.example.com/portfolios/media?cpt_item=liberty-professionals [yit_contact[name]= &yit_contact[email]="> &yit_contact[message]= &yit_bot= &yit_action=sendemail &yit_referer=http: //new.example.com/portfolios/media/?cpt_item=liberty-professionals &id_form=228 &yit_sendemail=Say Hello]

    I would like to have the htaccess filter out < > characters and stop cross browser, is this something PRO would be better at? Thanks.

    #3216
    AITpro Admin
    Keymaster

    I ran some tests and BPS did block this attack string successfully. There are several security filters in BPS that block the angle brackets.

    >>>>>>>>>>> 403 GET or Other Request Error Logged - March 19, 2013 - 9:42 am <<<<<<<<<<<
    REMOTE_ADDR: 108.213.94.121
    Host Name: xxxxx
    HTTP_CLIENT_IP:
    HTTP_FORWARDED:
    HTTP_X_FORWARDED_FOR:
    HTTP_X_CLUSTER_CLIENT_IP:
    REQUEST_METHOD: GET
    HTTP_REFERER:
    REQUEST_URI: /aitpro-blog/?src=liberty-professionals%20yit_contactname=%20&yit_contactemail=%22%3E
    QUERY_STRING:
    HTTP_USER_AGENT: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.22 (KHTML, like Gecko) Chrome/25.0.1364.172 Safari/537.22 AlexaToolbar/alxg-3.1
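    As an added illustration (this is not BPS's own filter code and not part of the original reply), the check below does in Python what an angle-bracket request filter of the kind discussed here does: it URL-decodes the path and query string and refuses the request if "<" or ">" shows up at any decoding step, so the percent-encoded %22%3E seen in the log entry above is caught the same way a raw ">" would be. The sample requests are constructed from the strings quoted in this thread; the decode-round limit, the generic mod_rewrite lines in the comment and the benign address are assumptions.

```python
# Added example: an angle-bracket request filter like the one this thread
# discusses. Not BPS's code; the request samples are constructed from the
# strings quoted in the thread, everything else is assumed.
from urllib.parse import unquote, urlsplit

# A generic Apache mod_rewrite form of the same check (assumed, not BPS's rule):
#   RewriteCond %{QUERY_STRING} (<|>|%3C|%3E) [NC]
#   RewriteRule .* - [F]

MAX_DECODE_ROUNDS = 3  # assumption: enough rounds to expose double/triple encoding


def has_angle_brackets(raw: str) -> bool:
    """True if '<' or '>' appears in the string at any URL-decoding step.

    Decoding repeatedly matters: a pattern that only matches '%3E' misses
    '%253E', which a later decoder would turn into '%3E' and then '>'.
    """
    decoded = raw
    for _ in range(MAX_DECODE_ROUNDS):
        if "<" in decoded or ">" in decoded:
            return True
        nxt = unquote(decoded)
        if nxt == decoded:  # nothing left to decode
            break
        decoded = nxt
    return "<" in decoded or ">" in decoded


def filter_request(request_uri: str) -> int:
    """Return the HTTP status the filter would produce: 403 to block, 200 to pass."""
    parts = urlsplit(request_uri)
    # Check both path and query: the scanner put the payload in the query,
    # but a path-based variant must not slip through either.
    if has_angle_brackets(parts.path) or has_angle_brackets(parts.query):
        return 403
    return 200


# Constructed sample requests, built from the strings quoted in the thread.
SAMPLE_REQUESTS = {
    # REQUEST_URI from the 403 log entry in the reply above
    "logged": "/aitpro-blog/?src=liberty-professionals%20yit_contactname=%20&yit_contactemail=%22%3E",
    # the scanner's payload in the email parameter, as a browser would encode it
    "scanner": "/portfolios/media/?cpt_item=liberty-professionals&yit_contact%5Bemail%5D=%22%3E",
    # the same payload double-encoded, to show the decode loop still sees it
    "double": "/portfolios/media/?yit_contact%5Bemail%5D=%2522%253E",
    # an ordinary contact-form submission (assumed address) that must pass
    "benign": "/portfolios/media/?cpt_item=liberty-professionals&yit_contact%5Bemail%5D=bob%40example.com",
}


def run_samples() -> dict:
    """Map each sample name to the status the filter returns for it."""
    return {name: filter_request(uri) for name, uri in SAMPLE_REQUESTS.items()}


if __name__ == "__main__":
    for name, status in run_samples().items():
        print(f"{name:8s} -> {status}")
```

    Running it prints 403 for the logged request, the scanner payload and its double-encoded form, and 200 for the ordinary submission. A filter like this is a defense-in-depth layer in front of the form: the contact-form plugin itself still has to escape yit_contact[email] before echoing it back, which is what the scanner was testing for.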

