We have had a PCI scan on one of our websites passed on to us by one of our clients. There are a number of reports of vulnerabilities that look something like this:

Network service: 80/443 Application URL: http://www.oursite.com/signup.php The response contains SQL Server errors. This suggests that the hazardous characters inserted by the test penetrated the application and reached the SQL query itself (i.e. that the application is vulnerable to SQL Injection).

Summary test information: header: header X-Forwarded-For=%2527

I'm not sure how they are saying they have injected code here?

Another example they provide for a different URL with supposedly the same issue has this as the exploit:

Summary test information: header: header X-Forwarded-For='

EDIT
I've had a look into this header and it seems it's only set by proxies or load balancers (which we don't use anyway). Either way, I've spoofed it myself and there is no vulnerability at our end at all, so I'm not sure what they are highlighting. Since we make no use of this header, I'm not sure what the supposed point of attack would be anyway?

Another example we have of a so-called vulnerability is this:

Network service: 80/443 Application URL: http://www.oursite.com/products/product-na-here/370 The test successfully embedded a script in the response, and it will be executed once the page is loaded in the user's browser. This means the application is vulnerable to Cross-Site Scripting.

Summary test information:

path: path /products/product-na-here/370 -> /products/product-na-here/370,parameter: header >'">alert(957652)

Again, i'm not sure what is being flagged here at all?

Thanks.
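To show what the two findings in the question are actually probing for, here is an added example (not code from the question or from the scanner vendor). It uses an in-memory SQLite table as a stand-in for the SQL Server database, and the handler, page and function names (`signup_vulnerable`, `product_page_fixed`, etc.) are hypothetical. It models an application that records the client IP from `X-Forwarded-For` into an audit table by string concatenation, and a product page that reflects the requested path into HTML unencoded, beside the parameterised and entity-encoded forms, plus the response checks a scanner (or your own regression test) would apply. The `%2527` variant is covered too: it becomes a quote only after two rounds of percent-decoding.

```python
import html
import re
import sqlite3
from urllib.parse import unquote

# Constructed inputs mirroring the two scanner findings in the question.
SQLI_HEADER_PAYLOAD = "'"
XSS_PATH_PAYLOAD = "/products/product-na-here/370>'\">alert(957652)"


def double_decoded(value):
    """Return value after two rounds of percent-decoding.

    Scanners send %2527 as well as a bare quote because an application
    (or a proxy in front of it) that decodes twice turns %2527 -> %27 -> '."""
    return unquote(unquote(value))


def fresh_audit_db():
    """In-memory SQLite table standing in for a SQL Server audit table (assumption)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE signup_audit (client_ip TEXT)")
    return conn


def client_ip(headers):
    # Code that trusts X-Forwarded-For for the "real" client address makes the
    # header attacker-controlled input even when no proxy or load balancer sets it.
    return headers.get("X-Forwarded-For", headers.get("REMOTE_ADDR", "0.0.0.0"))


def signup_vulnerable(headers, conn):
    """Hypothetical signup handler that concatenates the header value into SQL."""
    ip = client_ip(headers)
    try:
        conn.execute("INSERT INTO signup_audit (client_ip) VALUES ('" + ip + "')")
        return "200 OK: thanks for signing up"
    except sqlite3.Error as exc:
        # Echoing the driver error is what produces "the response contains SQL errors".
        return "500 Internal Server Error: database error: " + str(exc)


def signup_fixed(headers, conn):
    """Same handler with a bound parameter: the quote is stored as data, not parsed."""
    ip = client_ip(headers)
    conn.execute("INSERT INTO signup_audit (client_ip) VALUES (?)", (ip,))
    return "200 OK: thanks for signing up"


# Error strings a scanner (or your own test) looks for in response bodies.
SQL_ERROR_SIGNATURES = re.compile(
    r"unclosed quotation mark|incorrect syntax near|unrecognized token|"
    r"syntax error|database error",
    re.IGNORECASE,
)


def response_leaks_sql_error(body):
    return SQL_ERROR_SIGNATURES.search(body) is not None


def product_page_vulnerable(path):
    """Reflects the requested path into the HTML body unencoded."""
    return "<html><body><p>You requested " + path + "</p></body></html>"


def product_page_fixed(path):
    """Same page with entity encoding, so >, ' and \" cannot break out of the text node."""
    return ("<html><body><p>You requested "
            + html.escape(path, quote=True)
            + "</p></body></html>")


def payload_reflected_unencoded(body, payload):
    """True when the probe string comes back byte-for-byte, i.e. it was not encoded."""
    return payload in body


if __name__ == "__main__":
    hdrs = {"X-Forwarded-For": SQLI_HEADER_PAYLOAD}
    print("double-decoded %2527 ->", double_decoded("%2527"))
    print("vulnerable signup:", signup_vulnerable(hdrs, fresh_audit_db()))
    print("fixed signup:     ", signup_fixed(hdrs, fresh_audit_db()))
    print("vulnerable page reflects probe:",
          payload_reflected_unencoded(product_page_vulnerable(XSS_PATH_PAYLOAD), XSS_PATH_PAYLOAD))
    print("fixed page reflects probe:     ",
          payload_reflected_unencoded(product_page_fixed(XSS_PATH_PAYLOAD), XSS_PATH_PAYLOAD))
```

Running `signup_vulnerable` with the header set to a single quote yields a 500 with the driver's parse error in the body, which is exactly the signature the first finding reports; the bound-parameter version stores the quote as a literal value and returns 200. For the second finding, the encoded page no longer contains the probe string, so a scanner comparing request and response would not flag it. If your handlers never touch `X-Forwarded-For` and already encode path data, these same checks run against the real site are the evidence to hand back to the ASV.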

+1  A: 

The scans are automated and can generate false positives. It is to alert you to possibilities of vulnerabilities, and you need to either explain how you aren't vulnerable or close the vulnerabilities. (Assuming you're doing this for a PCI compliance audit... if not, then you just try to justify/close them internally.)

The scans are based on the OWASP top 10 vulnerabilities (http://www.owasp.org/index.php/Category%3AOWASP%5FTop%5FTen%5FProject) as mandated by PCI DSS. Take a look there; there are a lot of nice examples and really in-depth explanations of the vulnerabilities.

Nathan
A: 

As mentioned by another user, most PCI scan results seem to flag either false positives or changing practices. I saw one once recommending that we didn't use bind and that allowing FTP access was a major security hole. I would suggest you challenge their findings where you see fit.

seengee
+1  A: 

Another option is to use an ASV that does not provide solely automated results. There are some good ASVs around that take a blended approach to security results. They manually vet to confirm or deny each and every automatically found vulnerability, as well as providing manual testing to find things that only a human reliably can, such as SQL injection, cross-site scripting and sensitive information leakage, amongst many others, always providing clear examples of the attack vectors required.

Full disclosure: I work for an ASV that provides a service similar to what I describe.

Cheekysoft