Microsoft ASP.NET Validate Request Filter Bypass



CVE-2008-3843  


 MS07-040


First, you should know what cross-site scripting (XSS) is.


Cross-site scripting (also known as XSS) is a web security vulnerability that allows an attacker to compromise the interactions that users have with a vulnerable application. It allows an attacker to circumvent the same origin policy, which is designed to segregate different websites from each other. Cross-site scripting vulnerabilities normally allow an attacker to masquerade as a victim user, to carry out any actions that the user is able to perform, and to access any of the user's data. If the victim user has privileged access within the application, then the attacker might be able to gain full control over all of the application's functionality and data.



I don't want to waste your time, so I will show you how to close this vulnerability.




Solution:


This is before the remediation 









Go to the IIS web server where the website is hosted and add the values below to mitigate both vulnerabilities.




The entries below are added under HTTP Response Headers.








Name                         Value
Strict-Transport-Security    max-age=31536000; includeSubDomains;preload
X-Content-Type-Options       nosniff
X-Frame-Options              SAMEORIGIN
X-XSS-Protection             1;mode=block









It will look as below











Now ask your QSA/ASV to re-run the scan, and he can confirm that the vulnerability is gone.
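
Before requesting the re-scan, the headers can be checked locally. The following is an added example, not part of the original post: it compares a saved HTTP response against the four values in the table above, ignoring header-name case and spacing around `;`. The sample response is constructed, and the function names are hypothetical.

```python
# Expected values, taken from the table on this page.
EXPECTED = {
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains;preload",
    "X-Content-Type-Options": "nosniff",
    "X-Frame-Options": "SAMEORIGIN",
    "X-XSS-Protection": "1;mode=block",
}

def directives(value):
    """Split a header value on ';' into a set of lower-cased, trimmed directives."""
    return {d.strip().lower() for d in value.split(";") if d.strip()}

def parse_headers(raw_response):
    """Return {lower-cased name: [values]} from the header section of a raw response."""
    head = raw_response.replace("\r\n", "\n").split("\n\n", 1)[0]
    headers = {}
    for line in head.split("\n")[1:]:  # skip the status line
        name, sep, value = line.partition(":")
        if sep:
            headers.setdefault(name.strip().lower(), []).append(value.strip())
    return headers

def audit(raw_response):
    """Map each expected header to 'ok', 'missing', 'duplicate' or 'mismatch'."""
    seen = parse_headers(raw_response)
    report = {}
    for name, expected in EXPECTED.items():
        values = seen.get(name.lower(), [])
        if not values:
            report[name] = "missing"
        elif len(values) > 1:
            report[name] = "duplicate"  # e.g. added at both server and site level
        elif directives(values[0]) == directives(expected):
            report[name] = "ok"
        else:
            report[name] = "mismatch"
    return report

# Constructed sample response (not captured from a real server).
SAMPLE = (
    "HTTP/1.1 200 OK\r\n"
    "strict-transport-security: max-age=31536000; includeSubDomains; preload\r\n"
    "X-Content-Type-Options: nosniff\r\n"
    "X-Frame-Options: DENY\r\n"
    "\r\n<html></html>"
)

if __name__ == "__main__":
    print(audit(SAMPLE))
```

A `duplicate` result usually means the same header was added at more than one level of the IIS hierarchy; remove one copy so the response carries a single value.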





Posted By : Kamlesh Gaur





