This forum has been moved here:
Helicon Tech Community Forum

ISAPI_Rewrite 2.x (Forum Locked)
Subject Topic: Block XSS attacks
beastie050
Newbie


Joined: 19 November 2010
Location: United States
Posts: 2
Posted: 19 November 2010 at 4:32pm

One of our sites is failing a PCI scan because of an XSS scripting attack. Is it possible to restrict the allowed characters in a GET request?

Here is an example of what I would like to deny:

?bcd=%22%27%3e%3cqqs%20%60%3b!--%3d%26%7b()%7d%3e&sc=300002

Lexey
Moderator Group


Joined: 15 August 2002
Location: Russian Federation
Posts: 8119
Posted: 20 November 2010 at 10:44am

Show your rules, please.
beastie050
Newbie


Joined: 19 November 2010
Location: United States
Posts: 2
Posted: 22 November 2010 at 12:35pm

They don't exist yet; I want to create them.
Lexey
Moderator Group


Joined: 15 August 2002
Location: Russian Federation
Posts: 8119
Posted: 25 November 2010 at 6:33am

For example, the following rule could be used to deny requests having < or > inside a query string:

RewriteRule [^?]*\?.*(?:<|>|%3C|%3E).* . [I,F]

But it would be much better to update your web application to disallow such things instead of relying on an "external" protection.
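As an added illustration (not part of the thread, and not Helicon's code), the Python below reproduces the matching logic of the moderator's rule with the `re` module, runs it against the query string quoted in the first post, and puts it next to the application-side fix the moderator recommends: HTML-encoding the parameter on output. The page that echoes `?bcd=` into an attribute is hypothetical; it assumes, as ISAPI_Rewrite 2.x does, that the rule is applied to the URL including the query string.

```python
import re
from html import escape
from typing import Tuple
from urllib.parse import parse_qs, urlsplit

# Pattern from the forum rule; the [I] flag becomes re.IGNORECASE, so
# %3c and %3e are matched as well as %3C and %3E. Everything after the
# first '?' is inspected for a raw or %-encoded angle bracket.
BLOCK_RE = re.compile(r"[^?]*\?.*(?:<|>|%3C|%3E).*", re.IGNORECASE)

# Query string from the failing PCI scan, as quoted in the first post.
SCAN_QUERY = "?bcd=%22%27%3e%3cqqs%20%60%3b!--%3d%26%7b()%7d%3e&sc=300002"


def rule_fires(url: str) -> bool:
    """True when the [F] flag would apply, i.e. the request gets a 403."""
    return BLOCK_RE.search(url) is not None


def render_unsafe(bcd: str) -> str:
    """Echo the parameter verbatim: the kind of page that fails the scan."""
    return f'<input name="bcd" value="{bcd}">'


def render_safe(bcd: str) -> str:
    """The fix in the application: encode on output, so the browser never
    interprets the parameter as markup or as the end of the attribute."""
    return f'<input name="bcd" value="{escape(bcd, quote=True)}">'


def handle(url: str, use_rewrite_rule: bool = True,
           encode_output: bool = True) -> Tuple[int, str]:
    """Model both layers: the ISAPI_Rewrite filter in front of IIS, then a
    hypothetical page that writes ?bcd= into an HTML attribute."""
    if use_rewrite_rule and rule_fires(url):
        return 403, ""
    params = parse_qs(urlsplit(url).query, keep_blank_values=True)
    bcd = params.get("bcd", [""])[0]  # parse_qs already %-decodes the value
    body = render_safe(bcd) if encode_output else render_unsafe(bcd)
    return 200, body
```

With the rule alone a harmless search such as `?q=a<b` is also refused, which is the false-positive cost of filtering at the edge; with output encoding the scanner's string is rendered as inert text whether or not the rule is in place.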