
RE: [WEB SECURITY] Cross-Site Scripting PCI Question



I would be inclined to say yes, as the existence of those vulnerabilities
implies deficiencies in their development processes and/or their
vulnerability management processes.  You are certifying the operation of
the company as a whole and not just the details of one URL in
particular.  I believe it is requirement 6.5 that states all web
applications have to be developed in a manner that is consistent with
secure coding best practices.


Geoff


From: Joe Hargrove [mailto:ae31337@gmail.com]
Sent: Wednesday, March 04, 2009 2:50 PM
To: websecurity@webappsec.org
Subject: [WEB SECURITY] Cross-Site Scripting PCI Question


Let's say that we have a website that consists of many different
subdomains, like this:


http://www.example.com

http://blogs.example.com

http://shopping.example.com

https://payment.example.com


All of the pages that take credit card information as input are hosted
under the payment.example.com subdomain.  Would XSS vulnerabilities on
pages within the first 3 subdomains be issues that would/should cause
the company to fail a PCI compliance audit?


Brought to you by http://www.webappsec.org