[WEB SECURITY] Cross-Site Scripting PCI Question
- From: Joe Hargrove <ae31337@xxxxxxxxx>
- Subject: [WEB SECURITY] Cross-Site Scripting PCI Question
- Date: Wed, 4 Mar 2009 14:50:15 -0500
Let's say that we have a website that consists of many different subdomains,
like this:
http://www.example.com
http://blogs.example.com
http://shopping.example.com
https://payment.example.com
All of the pages that take credit card information as input are hosted under
the payment.example.com subdomain. Would XSS vulnerabilities on pages
within the first 3 subdomains be issues that would/should cause the company
to fail a PCI compliance audit?
Brought to you by http://www.webappsec.org