-
Titolo
Cross Site Scripting Vulnerability (XSS) found in security scan -
Descrizione
Cross Site Scripting Vulnerability (XSS) found in security scan.
The Web application is vulnerable to cross-site scripting (XSS), which allows attackers to take advantage of Web server scripts to inject JavaScript or HTML code that is executed on the client-side browser. This vulnerability is often caused by server-side scripts written in languages such as PHP, ASP, .NET, Perl or Java, which do not adequately filter data sent along with page requests or by vulnerable HTTP servers.
The report description includes the HTTP request and response with the message "Invalid character found in the request target ..."; for example:
Invalid character found in the request target [/<script>xss</script>.asp ]. The valid characters are defined in RFC 7230 and RFC 3986
-
Risoluzione
This is considered to be a false positive; the server is replying with a HTTP/1.1 400 status code for an invalid request (400 Bad Request), but some tools may find a match because they see the injected text that is included as part of the error message in the response.
STATUSThis issue has been logged as defect Id. FOG-8564 to prevent false positives from security scans. Waiting for a fix in a future release of Foglight.
-
ID difetto
FOG-8564