Re: PCI Security and cross-site scripting issues

Subject: Re: PCI Security and cross-site scripting issues
Posted by:  Andy Dingley (dingb…
Date: Mon, 18 Feb 2008

On 18 Feb, 08:31, MarkB <reelm.…> wrote:
> Hey, I have a question regarding your experiences and expertise with
> PCI(Payment Card Industry; Visa,MC) security. I am writing this
> because I have been, as of late, struggling to get a web site
> certified recently

There is no real "PCI certification" or official compliance checking.
If only there was! We'd have a few less problems from some of the
gross errors that are indeed out there.

Also the CISP standards talk very little about "web apps" as such and
are focussed far more on back-end DB issues. This is understandable
given their legacy and their core competencies, but it doesn't mean
the web server aspect can be ignored. Where they do state
requirements, it's in broad terms such as "Card numbers must be
encrypted", "Card numbers shouldn't be stored at all, unless needed
for repeat billing", "Repeat billing setup should be clearly flagged
to the customer" and "Don't even think about storing the CVV2". They
don't even specify algorithms or standards for encryption, or indicate
the benefits of PK for this rather than a symmetric key algorithm.

> our site started failing security
> scans and the error message was threefold: Citrix, ClearTrust Server,
> & ASP Portal are vulnerable to cross-site scripting.

You're going to have to ask the scanner what they're looking for and
what they've found. The implementation details of a scan just aren't
specified in this level of detail by the PCI people.

You may actually have a problem. You might even be in a state where
you really ought to be working rapidly to fix it and downing the site
in the meantime - that bad! I rather doubt though if you have a
problem that even flickers onto PCI's radar - just very few of them do.

> many of which were filtered out by default such as "<" and ">".

I've never seen a site that filtered these characters _out_ and yet
_wasn't_ open to injection attacks. Don't filter the bad stuff out,
filter the good stuff in! Otherwise you're just forever playing
catch-up character by character through the Unicode set.

Without knowing just what is running on there, I couldn't comment in
any detail. However if you even have a Citrix directory accessible to
a web server, I'd be worried. If you have one that you didn't know
about, I'd regard the site as insecure simply because you no longer
know just what is running on your site.


In response to: PCI Security and cross-site scripting issues, posted by MarkB on Mon, 18 Feb 2008
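The point Andy makes about filtering "the good stuff in" rather than "the bad stuff out" is easy to see with a small worked example. The following Python is an added illustration, not code from the thread or from the site under discussion; the field name "cardholder", the name pattern and the test payloads are constructed assumptions. It shows a denylist that strips "<" and ">" being bypassed by an attribute-context payload that never uses angle brackets, and by full-width Unicode brackets that a later NFKC normalisation turns back into real ones, while an allowlist plus contextual output encoding handles both.

```python
import html
import re
import unicodedata

# The denylist approach described in the thread: remove '<' and '>' and
# assume what is left cannot be dangerous.
def strip_angle_brackets(value: str) -> str:
    return value.replace("<", "").replace(">", "")

# The allowlist approach: state what a cardholder name MAY contain and
# reject anything else. This pattern is an illustrative assumption for the
# example, not a rule from any PCI document.
NAME_RE = re.compile(r"^[A-Za-z][A-Za-z '\-.]{0,59}$")

def validate_allowlist(value: str):
    """Return the value if it matches the allowlist, else None (reject)."""
    return value if NAME_RE.fullmatch(value) else None

# Constructed output context: the value is reflected into an HTML attribute.
TEMPLATE = '<input name="cardholder" value="{}">'

def render_denylist(value: str) -> str:
    """Vulnerable: strip brackets, then drop the value straight into the attribute."""
    return TEMPLATE.format(strip_angle_brackets(value))

def render_allowlist(value: str):
    """Hardened: allowlist-validate, then still encode for the attribute context."""
    accepted = validate_allowlist(value)
    if accepted is None:
        return None
    return TEMPLATE.format(html.escape(accepted, quote=True))

def render_escaped(value: str) -> str:
    """Output encoding alone: neutralises the attribute break-out without validation."""
    return TEMPLATE.format(html.escape(value, quote=True))

# Constructed payloads. The first breaks out of value="..." using only a
# double quote, so a filter that hunts for '<' and '>' never sees it.
ATTR_PAYLOAD = '" onfocus="alert(1)'
# The second uses U+FF1C / U+FF1E (full-width brackets), which the denylist
# ignores and which NFKC normalisation later maps to plain '<' and '>'.
FULLWIDTH_PAYLOAD = "\uff1cscript\uff1e"

def normalise_after_filter(value: str) -> str:
    """Models a downstream component that NFKC-normalises already 'filtered' input."""
    return unicodedata.normalize("NFKC", strip_angle_brackets(value))

def demo() -> dict:
    return {
        "denylist_attr": render_denylist(ATTR_PAYLOAD),
        "allowlist_attr": render_allowlist(ATTR_PAYLOAD),
        "escaped_attr": render_escaped(ATTR_PAYLOAD),
        "denylist_then_nfkc": normalise_after_filter(FULLWIDTH_PAYLOAD),
        "allowlist_fullwidth": render_allowlist(FULLWIDTH_PAYLOAD),
        "allowlist_good_name": render_allowlist("Mary O'Brien-Smith"),
    }

if __name__ == "__main__":
    for label, result in demo().items():
        print(f"{label}: {result!r}")
```

Running it shows the denylist version emitting `<input name="cardholder" value="" onfocus="alert(1)">`, an injected event handler with no angle bracket in the input, and the full-width payload coming out of the filter untouched and then normalising to `<script>`. The allowlist rejects both outright, and the escaped version turns the quote into `&quot;` so the attribute cannot be closed early. In practice you want both layers: validate on the way in against what the field is allowed to be, and encode on the way out for the context it lands in.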