As part of the process to be PCI compliant, one of our eBusiness
customers recently underwent a security scan by their processor's
PCI audit vendor. The results of the initial scan of their
eCommerce website were less than I'd expected - a failure.
Failure?!? How? Why?
1. "The remote service accepts connections encrypted using SSL 2.0."
2. "Possible cross site scripting"
#1 was simple enough to resolve... make a quick registry change,
reboot the server, and you're done (see here for Microsoft's instructions). Why did we
need to do this? SSL 2.0 is open to "man in the middle"
attacks: its handshake is not integrity-protected, so someone sitting in the
path could intercept the data transmission, tamper with the negotiation, and
essentially control the transmission, unbeknownst to those at either end.
For any eBusiness using an SSL Certificate on their eCommerce
website, and thinking they are providing safe commerce to their
customers - beware, you may be vulnerable.
#2, in my opinion, was crap. Here's the situation - we have a
textbox on the webpage that takes user input and appends it to the
querystring while redirecting to the search results page. This
search results page takes the search criteria from the querystring
and passes it to a stored procedure that scrubs it for SQL
injection and returns the results. One additional thing the page
does is display the search criteria in a label. Sounds pretty
straightforward, right? Apparently since we weren't scrubbing the
search criteria before displaying it on the page, we were
"vulnerable" to cross-site scripting.
I do not agree - the definition (thanks Wikipedia!) of
cross-site scripting is "a type of computer security vulnerability
typically found in web applications which enable malicious
attackers to inject client-side script into web pages viewed by
other users." The key here is "other users." Sure, the page ran
whatever script was entered into the Search textbox, but it
would've only been for that user session... these results would not
appear for others. Congratulations, Mr. Hacker! You just fell
victim to your own script! So I sucked up my pride and added code
to scrub the search criteria before passing it to the next page -
you win this round, PCI Compliance...
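What that scrubbing amounts to, as an added example that is not the site's own code: a minimal model of the search results page described above, which reads the search criteria from the querystring and writes it into a label. The first renderer drops the criteria in verbatim, the second HTML-encodes it at the point it is written into the page, so the post's own payload shows up as text instead of running. The parameter name `q`, the page name and the label id are assumptions; the post does not give them.

```javascript
// Added example (not the original site's code): a model of the search results
// page that reflects the querystring into a label, before and after encoding.

// HTML-entity encode the characters that can break out of text or attribute
// context. This is the "scrub" step, applied at output time.
function htmlEncode(s) {
  return String(s)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// Pull the search criteria out of the request URL the way the results page does.
// The parameter name "q" is an assumption; the post does not name it.
function searchCriteriaFrom(requestUrl) {
  return new URL(requestUrl).searchParams.get("q") || "";
}

// Before: the criteria is dropped into the label verbatim.
function renderResultsVulnerable(requestUrl) {
  const criteria = searchCriteriaFrom(requestUrl);
  return `<span id="lblCriteria">Results for: ${criteria}</span>`;
}

// After: the criteria is HTML-encoded where it is written into the page.
function renderResultsFixed(requestUrl) {
  const criteria = searchCriteriaFrom(requestUrl);
  return `<span id="lblCriteria">Results for: ${htmlEncode(criteria)}</span>`;
}

// Does the rendered markup contain a live <script> element?
function containsScriptTag(html) {
  return /<script\b/i.test(html);
}

// Constructed request: the post's own payload, URL-encoded into the querystring
// the way the search textbox's redirect would append it. Host and page name are
// made up for the example.
const payload = "<script>You're an awesome guy!</script>";
const request =
  "https://shop.example/search-results.aspx?q=" + encodeURIComponent(payload);

console.log(renderResultsVulnerable(request)); // raw <script> lands in the page
console.log(renderResultsFixed(request));      // &lt;script&gt;... shows as text
```

The encoding is done in the results page rather than in the redirect from the textbox because, as the post describes, the results page takes its criteria straight from the querystring; any request carrying that parameter reaches the label, whether or not it came through the textbox.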
So after implementing both "fixes," the eCommerce website passed
and is now PCI Compliant. I'm sad, though, that I can no longer
search for <script>You're an awesome guy!</script> and
have the browser give me a little pat on the back for doing a good
job.