TSPlus and Cross Site Scripting Attacks

[dcipher]

Hi

As I have mentioned previously our server fails PCI compliance because the web server is prone to cross site scripting attacks. The only web server on this particular server is TSPlus ver 8.30 Is there anyway to fix this issue? I have shown the results of the cross site scripting test below.

Description: Web Server Generic XSS

Synopsis: The remote web server is prone to cross-site scripting
attacks.

Impact: The remote host is running a web server that fails to adequately
sanitize request strings of malicious JavaScript. By leveraging this
issue, an attacker may be able to cause arbitrary HTML and script code
to be executed in a user's browser within the security context of the
affected site.

See also :
en.wikipedia.org/wiki/Cross- site_scripting

Data Received: The request string used to detect this flaw was :

/<script>cross_site_scripting plugin</script>.asp

The output was :
HTTP/1.1 404 Not Found\r Content-Type: text/plain; charset=UTF-8\r \r

Failure: 404 Not Found 1 /<script>cross_site_scripting
plugin</script>.asp

Note that this XSS attack may only work against web browsers that have
"content sniffing" enabled.

Thanks,
Simon

[juwagn]

Hello,

if output contains the < and > content will not be shown, will come with next version..

However for my knowledge, how this can be exploited? I mean, ok, you can inject into this wrong path message some own script and execute in your own browser and make requests in the refferer of attacked server, but only refferer, everything gets executed only by attacker locally in his own browser and he is quasi attackimg him self. It will not help you to reroute traffic, so no way to hide IP on this way. And if somebody really would like to set own referrer to any requested domain he can do that much easier with any http requesting tool.
So how can be that exploited? I mean, show me please real use case where you can attack somebody else except your self.

Even when some attacker would like to attack some domain and prepare such page to steal his cookies, the attacker will not get much useful data, it is just not stored in cookies. The webserver as self does not support php/mysql etc, so you will not be able to reuse it for own services. But you can replace the webserver by your own like Apache..

[dcipher]

Hi

I understand your comments and I do not know of a practical outcome for this issue but unfortunately PCI standards are required in the Credit Card business whether they are sensible or not. My only concern is that I can find a way to pass the PCI standards while maintaining the use of TSPlus.

Thanks,
Simon

[Robert]

Simon,
I am using TSplus HTML5 client on the web which has passed the PCI scan. However I am not using the TSplus built in web server. I have configured TSplus to an alternate web server. Our web server is a custom build designed for other web application besides TSplus. Thus I suspect the issue is in the TSplus web server. You may wish to try using IIS as an alternate web server. Also if you have not upgraded the Java on the server to version to 8, you should upgrade first.
I hope this helps.
Rob

[dcipher]

Hi

I am using Java 8 and the TSPlus builtin web server. I will have to experiment with IIS8 and see how to configure it with TSPlus.

Thanks,
Simon