Topic: XSS Vulnerability
lostapachepilot
Joined: 28 Apr 2017 Posts: 1
Posted: Sun 30 Apr '17 17:07 Post subject: XSS Vulnerability
Hello All,
Looking for some help to determine if I can configure Apache 2.0.59 to address a couple of Cross Site Scripting (XSS) vulnerabilities. I'm not able to upgrade to a later version, so I'm trying to understand if there is functionality within this version to address the XSS issue.
I have 2 specific issues:
1. Validating input (whitelisting acceptable characters)
2. Sanitizing or encoding output (For instance, the character < could be encoded as &lt; which would be displayed by the browser as the "less-than" character instead of being interpreted as the start of an HTML tag.)
I am not an experienced Apache administrator, so any help would be most appreciated.
Thanks.
glsmith Moderator
Joined: 16 Oct 2007 Posts: 2268 Location: Sun Diego, USA
Posted: Wed 03 May '17 0:55 Post subject:
No, other than adding the XSS header to your config.
Header always set X-Xss-Protection "1; mode=block"
Both 1 & 2 are tragically the responsibility of what is accepting user input, like WordPress, forum software, etc.
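The two controls the original poster listed (whitelist validation and output encoding) belong in the application that accepts the input, as the reply above says. Here is an added example of what that looks like application-side, not code from this thread or from httpd; it uses Python's standard-library `html.escape`, and the field names, patterns and the rendered snippet are constructed for illustration.

```python
# Added example (not from the thread): application-side input whitelisting
# and context-aware output encoding, the two items the original post asks
# about. Field names, patterns and the HTML fragment are constructed.
import html
import re

# 1. Input validation: each field gets an anchored whitelist pattern that
#    either matches the entire value or rejects it.
ALLOWED = {
    "username": re.compile(r"[A-Za-z0-9_.-]{1,32}"),
    "comment":  re.compile(r"[\w\s.,!?'()-]{1,500}"),
}

def validate(field: str, value: str) -> bool:
    """True only if `value` consists solely of whitelisted characters."""
    pattern = ALLOWED.get(field)
    return pattern is not None and pattern.fullmatch(value) is not None

# 2. Output encoding: escape on the way out, according to where the value lands.
def encode_text(value: str) -> str:
    """Text between tags: & < > become entities, so the browser displays the
    literal characters rather than parsing a tag."""
    return html.escape(value, quote=False)

def encode_attr(value: str) -> str:
    """Double-quoted attribute value: quotes are encoded too, so the value
    cannot terminate the attribute early."""
    return html.escape(value, quote=True)

def render_comment(author: str, comment: str) -> str:
    """Build the fragment a page would emit for one comment; every
    user-controlled value passes through the encoder for its context."""
    return (f'<div class="comment" data-author="{encode_attr(author)}">'
            f'<p>{encode_text(comment)}</p></div>')

if __name__ == "__main__":
    # Constructed untrusted input: markup survives only as literal text.
    bad = "<script>alert(1)</script>"
    print(validate("comment", bad))            # False: < and > are not whitelisted
    print(render_comment('x" onclick="y', bad))
```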
C0nw0nk
Joined: 07 Oct 2013 Posts: 241 Location: United Kingdom, London
Posted: Thu 04 May '17 21:35 Post subject:
I think you should look at a WAF (Web Application Firewall).
Insert some rules to prevent XSS attacks.
ModSecurity, I think, is decent for Apache in this.
https://www.owasp.org/index.php/Category:OWASP_ModSecurity_Core_Rule_Set_Project
While I think you should update and fix your web application itself to fix the known XSS exploits that you are aware of (if any).
The decent alternative for any potential XSS attacks, or people trying to test to find them, is to get a WAF, since it covers you against the exploits that may crop up in the future and unknown ones.
Better to be safe than sorry. Just because an exploit does not exist today does not mean tomorrow you will be so lucky. Plan ahead and protect yourself from what could happen to your site later on.