    #27537

    Hi,

    My site scanner says that my site is vulnerable to XSS attacks. This is the message I get:

    Using the POST HTTP method, Site Scanner found that:

    + The following resources may be vulnerable to cross-site scripting (quick test):

    + The 'avia_e-mail' parameter of the /contact-us/ CGI:

    /contact-us/ [avia_e-mail=--><script>alert(112)</script>]

    output

    <h2></h2>
    <p>or</p>
    […] "avia_e-mail" value="--><script>alert(112)</script>"/><label for="avia_e […]
    </div>

    Every time the site scanner does a scan I get a WHOLE BUNCH of blank contact form emails.

    #134337

    Hi Frankmaione,

    What version of Replete do you have installed?

    Regards,

    Devin

    #134338

    Hi Devin

    I have version 1.5.

    thanks

    Frank

    #134339

    Hey!

    Since I have not had any reports lately, and a security expert also checked the site for XSS vectors some time ago, I would say that this is a false alarm. Trying to enter any form of script tag to produce an XSS output didn't work for me yet. I am going to do a few more tests though, just to make sure ;)

    Cheers!
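
Whether the reflection in the scanner report is exploitable depends on where the value lands. The output quoted in the first post shows the submitted value echoed inside a double-quoted value="..." attribute, and the scanner's own payload contains no double quote, so that payload never leaves the attribute; the question is what happens when a probe does contain one. The script below is an added example for this thread, not the theme's code and not something posted by any participant: it reconstructs a hypothetical unescaped template and an escaped one, then uses Python's HTML tokenizer to check whether each probe actually produces a script element or an on* event attribute. The field name avia_e-mail and the alert(112) payload are taken from the scanner output; the second and third probes and both render functions are constructed for the example.

```python
import html
from html.parser import HTMLParser

# Payload quoted in the scanner report on this thread (contains no double quote).
SCANNER_PAYLOAD = '--><script>alert(112)</script>'

# Probes a tester would try against an attribute context (constructed for this example).
PROBES = {
    "scanner": SCANNER_PAYLOAD,
    "attr_breakout": '"><script>alert(112)</script>',
    "event_handler": '" onfocus="alert(112)" autofocus="',
}


def render_unescaped(value: str) -> str:
    """Hypothetical template that echoes the field back without encoding.
    A reconstruction of what the scanner output suggests, not the theme's code."""
    return ('<label for="avia_e-mail">E-Mail</label>'
            f'<input type="text" name="avia_e-mail" value="{value}"/>')


def render_escaped(value: str) -> str:
    """Same field with the value encoded for an attribute context.
    quote=True turns '"' into &quot;, which is what keeps the value inside the attribute."""
    return ('<label for="avia_e-mail">E-Mail</label>'
            f'<input type="text" name="avia_e-mail" value="{html.escape(value, quote=True)}"/>')


class InjectionAudit(HTMLParser):
    """Tokenizes the rendered page roughly the way a browser would and records
    whether a real <script> element or an on* attribute came out of it."""

    def __init__(self) -> None:
        super().__init__()
        self.script_tags = 0
        self.event_attrs: list[str] = []

    def handle_starttag(self, tag, attrs):
        # HTMLParser routes self-closing tags (<input .../>) through here as well.
        if tag == "script":
            self.script_tags += 1
        for name, _value in attrs:
            if name.startswith("on"):
                self.event_attrs.append(name)


def is_exploitable(rendered: str) -> bool:
    """True when the payload changed the document structure instead of staying data."""
    audit = InjectionAudit()
    audit.feed(rendered)
    audit.close()
    return audit.script_tags > 0 or bool(audit.event_attrs)


def probe(render) -> dict[str, bool]:
    """Run every probe through one render function; True means it escaped the attribute."""
    return {name: is_exploitable(render(payload)) for name, payload in PROBES.items()}


if __name__ == "__main__":
    for label, renderer in (("unescaped", render_unescaped), ("escaped", render_escaped)):
        print(label, probe(renderer))
```

Against the unescaped template only the two probes carrying a double quote break out, so a scanner verdict based on alert(112) echoing back inside the attribute is not proof on its own; a manual retest with a quote-bearing probe, as the post above describes doing, is the check that settles it. With the attribute-encoded template every probe stays inert.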

    #134340

    Hi..

    OK.. there must be a vulnerability though, because of all the blank contact emails I get, despite there being a captcha or the agree-to-T&C box checked...

    #134341

    That doesn't necessarily indicate an XSS vulnerability. I don't know what tool you are using to scan your site, but there are a multitude of scanning tools that are able to fill in forms correctly even with simple captchas :)
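
The blank emails are consistent with what the scanner report shows: a POST to /contact-us/ that sets avia_e-mail and nothing else. A checkbox or captcha rendered in the browser does nothing against a tool that sends the request directly, so the check that stops the mailer has to run server-side on the submitted fields. The following is an added example for this thread, not the theme's code: a validation step that refuses to send when required fields are empty, the address does not look like an address, or the terms flag is missing. Only avia_e-mail is named on the page; avia_name, avia_message and avia_terms are hypothetical stand-ins for the form's other inputs, and both request dictionaries are constructed.

```python
import re

# Field names assumed for this example: the thread only names avia_e-mail,
# the others are hypothetical stand-ins for the form's other inputs.
REQUIRED_FIELDS = ("avia_name", "avia_e-mail", "avia_message")
TERMS_FIELD = "avia_terms"

# Deliberately loose: enough to reject script markup or header-injection
# characters as an address without refusing unusual but valid mailboxes.
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")


def validation_errors(form: dict[str, str]) -> list[str]:
    """Return every reason the submission must not be mailed; empty means accept."""
    errors: list[str] = []
    for field in REQUIRED_FIELDS:
        if not form.get(field, "").strip():
            errors.append(f"{field}: required field is empty")
    email = form.get("avia_e-mail", "").strip()
    if email and not EMAIL_RE.match(email):
        errors.append("avia_e-mail: not a valid address")
    # The terms checkbox is only meaningful if the server insists on it;
    # a direct POST simply omits the field.
    if form.get(TERMS_FIELD) != "1":
        errors.append(f"{TERMS_FIELD}: terms not accepted")
    return errors


def should_send(form: dict[str, str]) -> bool:
    """True only for a complete submission; the mailer is never reached otherwise."""
    return not validation_errors(form)


# Constructed: the scanner's request from the report as the server sees it.
SCANNER_REQUEST = {"avia_e-mail": "--><script>alert(112)</script>"}

# Constructed: a complete human submission.
HUMAN_REQUEST = {
    "avia_name": "Frank",
    "avia_e-mail": "frank@example.com",
    "avia_message": "Hello, I have a question about the theme.",
    "avia_terms": "1",
}

if __name__ == "__main__":
    print("scanner:", validation_errors(SCANNER_REQUEST))
    print("human:", "send" if should_send(HUMAN_REQUEST) else "reject")
```

The scanner request fails four checks (two empty required fields, a malformed address, no terms flag) and produces no email; the complete submission passes. The same validation belongs in front of any captcha verification, since a solved captcha on an otherwise empty form is still not a message worth delivering.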


The topic ‘Vulnerable to Cross site scripting’ is closed to new replies.