Home/ Questions/Q 4007304
In Process

The Archive Base Latest Questions

Editorial Team
  • 0
Asked: 2026-05-20T08:37:00+00:00

I have had a scan performed on my website looking for vulnerabilities, etc. The

  • 0

I have had a scan performed on my website looking for vulnerabilities, etc. The report was returned saying there was a risk of an XSS attack, I have looked in to my website code and the only issue I can find (which is causing a W3C validation error) is that I have accidentally added ‘language=”javascript”‘ to my script tag…could this have thrown the error which they have reported? I don’t have any form inputs and it is not connected to a database.

Many thanks, in advance.

Share

Leave an answer

You must login to add an answer.

Need An Account,

1 Answer

  1. Editorial Team

    Any reputable consultant should make it clear in their report exactly what the risk is and how it is reproduced. I’d expect to see documented methodology, findings and conclusions.

    If they can’t demonstrate a risk then they can’t say they have found one.

    UPDATE:

    Based on your comment I’ve found the following, which identifies this as a general vulnerability with the Apache webserver rather than your particular code. You should ask whoever manages your webhosting to comment.

    A flaw in the handling of invalid Expect headers. If an attacker can influence the Expect header that a victim sends to a target site they could perform a cross-site scripting attack. It is known that some versions of Flash can set an arbitrary Expect header which can trigger this flaw. Not marked as a security issue for 2.0 or 2.2 as the cross-site scripting is only returned to the victim after the server times out a connection.

    UPDATE 2:

    The following is a description of the vulnerability (link). Ask your hosting people to check their servers are properly patched.

    In May 2006 a reporter found a bug in Apache where an invalid Expect header sent
    to the server (Apache 1.3.3 onwards) would be returned to the user in an error
    message, unescaped. This could allow a cross-site scripting attack only if a
    victim can tricked into connecting to a site and sending such a carefully
    crafted Expect header. Whist browsers do not provide this functionality, it was
    recently discovered that Flash allows you to make a connection with arbitrary
    headers. The attack mechanism is therefore:

    1. User is tricked into visiting a malicious web site with a flash-enabled browser
    2. Malicious web site uses a flash movie to make a connection to the target site
      with custom Expect header
    3. This results in cross-site scripting (attacker could steal your cookies from
      the third party site, or inject content etc)
    • 0