Here's the thing. I'm trying to protect my server from XSS Attacks (And so far with no trouble at all, changing HTTP response Headers and other things) But a Generic vulnerability is still going on, and it happens because in the URL some javascript code can be inserted
(i.e. http://myhost.com/thisfile.jsp?<script>alert("hello")</script> )
when I type this, the response is HTTP 202 OK Status (It redirects to my 404 page). But I need to do one of these actions:
- throw another HTTP Status (405, 500, Or any status giving an error)
- Throw an error.
What can I do? Is there any way to strip the tags or recognize them via web.config file to throw an error?... I've been trying with the rewrite module and the request filtering with no success at all.
Thank you so much in advance, regards.
Thank you... I solved it and it was so easy (I can't believe i didn't try that first).
I went to IIS manager and then click on request filtering.
Then, on the "Rules" tab I added a "Filtering Rule". Applying to all file extensions and in the field "Deny Query String" I added
<script>,<scr+ipt>, etc. So when the URL comes with a tag like that the connection is closed without showing 404 or any error page.It worked and now the vulnerability scanner doesn't show any risk.