
In our vulnerability report there is one vulnerability which I have mentioned below.

"It was found that the Microsoft ASP.NET validate Request filters could allow a remote attacker to bypass its filters and conduct cross-site scripting attacks using a less-than slash and less-than tilde slash (<~/) sequence. These vulnerabilities are described in CVE-2008-3842 and CVE-2008-3843."

We are using Windows Server 2008 R2 Service Pack 1 Enterprise Edition. Our current .NET Framework is 4.0.30319, and for creating the application pool we are using .NET Framework 2.0.50727 because this is the developers' requirement.

Please suggest your opinion to resolve this issue.

Ratheesh

1 Answer


Microsoft has yet to actually confirm this issue, it seems, as far as I know, but it's best to filter data yourself. They're just saying that if you rely on native built-in XSS protection, you may be disappointed.

As for how to protect against XSS:

OWASP covers XSS well here, even with a prevention sheet, but the rule of thumb is to just not trust user input to any real degree and to implement checks and filtering to ensure that whatever they enter is what they're supposed to enter (e.g. %s and

tl;dr: best practices in your code mean this vulnerability is of minimum impact to you. Poor practices mean you may have an XSS vector on your hands. Whoever is running the site should just be aware of how to avoid XSS vectors.

Michael Bailey
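As an added illustration of the answer's point (example code, not from the question, the answer or Microsoft): Request Validation is a deny-list on the way in, whereas the OWASP approach encodes each value for the context it is emitted into. The snippet below works on the .NET 2.0 application pool mentioned in the question, since `HttpUtility` lives in `System.Web.dll` there; the page markup and the sample inputs are constructed for the demo.

```csharp
using System;
using System.Web;   // System.Web.HttpUtility, available in .NET 2.0 and 4.0

class XssEncodingDemo
{
    // Vulnerable pattern: user text is concatenated straight into markup, so
    // anything that passes (or bypasses) ValidateRequest is rendered as HTML.
    static string RenderUnsafe(string name, string site)
    {
        return "<p>Hello, " + name + "! Your page: "
             + "<a href=\"/profile?u=" + site + "\" title=\"" + site + "\">link</a></p>";
    }

    // Hardened pattern: the input is not "cleaned"; it is encoded for the
    // exact context it lands in (element body, URL query value, attribute
    // value). Angle brackets, quotes and ampersands become inert text.
    static string RenderSafe(string name, string site)
    {
        return "<p>Hello, " + HttpUtility.HtmlEncode(name) + "! Your page: "
             + "<a href=\"/profile?u=" + HttpUtility.UrlEncode(site) + "\" title=\""
             + HttpUtility.HtmlAttributeEncode(site) + "\">link</a></p>";
    }

    static void Main()
    {
        // Constructed inputs: a benign pair and a pair carrying the characters
        // that matter for HTML injection (<, >, ", &).
        string[,] inputs =
        {
            { "Ratheesh", "ratheesh" },
            { "<b>not bold</b>", "x\" onmouseover=\"alert(1)&z=<~/" }
        };

        for (int i = 0; i < inputs.GetLength(0); i++)
        {
            string name = inputs[i, 0], site = inputs[i, 1];
            Console.WriteLine("unsafe: " + RenderUnsafe(name, site));
            Console.WriteLine("safe:   " + RenderSafe(name, site));
            Console.WriteLine();
        }
    }
}
```

Compile against System.Web.dll (for example `csc /r:System.Web.dll XssEncodingDemo.cs`); the second pair shows the attribute-breaking quote and the angle brackets surviving in the unsafe line and being encoded in the safe one.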