Please tell me how to fix the findings from a web vulnerability check [answer accepted]
We are trying to connect our server to the university's domain name server.
They say they checked it with the Acunetix vulnerability scanner, and
because 1 High and 6 Medium findings came up, they say they cannot connect it...
If anyone at an institution or school has passed a web vulnerability check, please explain.
Cross site scripting (1 finding)
Severity: High
Reported by module: Scripting (XSS.script)
Description Cross-site Scripting (XSS) refers to client-side code injection attack wherein an attacker can execute malicious scripts into a legitimate website or web application. XSS occurs when a web application makes use of unvalidated or unencoded user input within the output it generates.
Impact Malicious JavaScript has access to all the same objects as the rest of the web page, including access to cookies and local storage, which are often used to store session tokens. If an attacker can obtain a user's session cookie, they can then impersonate that user. Furthermore, JavaScript can read and make arbitrary modifications to the contents of a page being displayed to a user. Therefore, XSS in conjunction with some clever social engineering opens up a lot of possibilities for an attacker.
Recommendation Apply context-dependent encoding and/or validation to user input rendered on a page
References
- Cross-site Scripting (XSS) Attack - Acunetix (https://www.acunetix.com/websitesecurity/cross-site-scripting/)
- Types of XSS - Acunetix (https://www.acunetix.com/websitesecurity/xss/)
- Cross-site Scripting - OWASP (http://www.owasp.org/index.php/Cross_Site_Scripting)
- XSS Filter Evasion Cheat Sheet (https://www.owasp.org/index.php/XSS_Filter_Evasion_Cheat_Sheet)
- Excess XSS, a comprehensive tutorial on cross-site scripting (https://excess-xss.com/)
- Cross site scripting (http://en.wikipedia.org/wiki/Cross-site_scripting)
Affected items
/bbs/board.php
Details: URL encoded GET input sca was set to 1'"()&%
HTML form without CSRF protection (4 findings in total)
/bbs/login.php (1)
/bbs/new.php (1)
/bbs/password_lost.php (1)
/bbs/register.php (1)
User credentials are sent in clear text (2 findings in total)
/bbs/login.php (1)
/bbs/register_form.php (1)
5 answers
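As an added example (not code from the question or from the board software), the "context-dependent encoding and/or validation" the report recommends, applied to the sca GET parameter of /bbs/board.php; the helper names and the allowed category list are assumptions:

```php
<?php
// Added example, not the site's own code: validate the `sca` GET parameter
// against a known list, then encode it separately for each output context.
declare(strict_types=1);

// HTML body context: encode every character that could start markup.
function esc_html(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// HTML attribute context (value="..."): same encoding, attribute always quoted.
function esc_attr(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// URL query context: percent-encode so the value cannot break out of the query string.
function esc_url_param(string $value): string
{
    return rawurlencode($value);
}

// Validation: a category selector only has a known set of values, so anything
// else is rejected before it reaches the output. Returns '' when not allowed.
function validate_sca(?string $sca, array $allowed): string
{
    if ($sca === null || $sca === '') {
        return '';
    }
    return in_array($sca, $allowed, true) ? $sca : '';
}

$allowedCategories = ['notice', 'free', 'qna']; // assumed category list

// Falls back to the probe value from the scanner report (1'"()&%) when run from the CLI.
$input = $_GET['sca'] ?? '1\'"()&%';
$sca   = validate_sca($input, $allowedCategories);

// Pattern the scanner flags: the raw parameter echoed straight into the page.
// echo '<input name="sca" value="' . $_GET['sca'] . '">';

// Hardened rendering: validated value, encoded for the context it lands in.
if ($sca === '') {
    // The rejected input is still encoded, so the probe renders as text, not markup.
    echo '<p>Unknown category: ' . esc_html($input) . "</p>\n";
}
echo '<input type="hidden" name="sca" value="' . esc_attr($sca) . "\">\n";
echo '<a href="/bbs/board.php?sca=' . esc_url_param($sca) . "\">same category</a>\n";
```

The same per-context rule applies to every other reflected parameter on the affected page; a single global filter at input time does not replace encoding at output time.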