Welcome to the Question2Answer Q&A. There's also a demo if you just want to try it out.
0 votes
486 views
in Q2A Core by

We've recently signed up for SiteLock on our web server and it's reporting an XSS in the login page:


URL:http://q2a.our-site.com/login?=LogIn&code=0-1441040883-7ad6946dd99e52fbef6d480fb07ff889b9381c19&dologin=Login&emailhandle=1&password=1&remember=1&to=

Cross site scripting vulnerability found in args: ,code,dologin,emailhandle,password,remember,to

Is this a false-positive? I can see that any args sent are reproduced in the 'qa-part-form' but they seem to be correctly escaped and I can't see how to abuse this.

1 Answer

0 votes
by
edited by

I am sure everyone knows, but just in case, XSS relates to inputing <script> tag which would then be executed and do bad things.

I tried to put in this script as username:

<script>alert('hello');</script>

It did not execute but left that code intact in the html.  I think that is why vulnerability is reported.

So agreed, looks like false positive.

Same for search box...

I think as soon as input is received, it should be stripped of html tags, and such tags would never be shown in any form. That is easy to do.  Such tags make no sense for user input or search input.

asked Sep 8, 2015 in Q2A Core by Text being cut off
...