When detecting cross-site scripting, Vex checks whether the HTML special characters (&, <, >, ", ') and the JavaScript special characters (\, ", ', /, <, >, 0x0D (CR), 0x0A (LF)) contained in the payloads it inserts during the scan have been properly escaped in the response, regardless of whether an alert box pops up.
Consequently, depending on where in the response the payload is output (for example inside an HTML attribute value or a JavaScript string literal), no alert box may appear in the screen capture or in the HTML view of the scan result that detected the vulnerability.
To rule out a false positive, therefore, check whether the special characters are properly escaped in the response shown in the scan result, not whether an alert box appeared. If any of the characters above is reflected unescaped in a context where it has meaning (a raw < in HTML text, a raw " or ' in an attribute value, a raw " or \ inside a JavaScript string), the finding is real even though no alert fired.
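The check described above, as an added example that is not Vex's own code: a small JavaScript routine that locates the scan payload in a response by a unique marker and reports which of its special characters were reflected unescaped. The marker (vxq7m), the escape tables, and the sample responses are constructed for this demonstration and are not taken from a real scan.

```javascript
// Added example (not Vex code): triage a reflected-XSS finding by checking
// whether the payload's special characters came back escaped, rather than by
// looking for an alert box. Marker, escape tables and sample responses are
// constructed for this demonstration.

const HTML_PAYLOAD = ['&', '<', '>', '"', "'"];
const JS_PAYLOAD = ['\\', '"', "'", '/', '<', '>', '\r', '\n'];

// Encodings accepted as "properly escaped" in an HTML text/attribute context.
const HTML_ESCAPES = {
  '&': ['&amp;', '&#38;', '&#x26;'],
  '<': ['&lt;', '&#60;', '&#x3c;', '&#x3C;'],
  '>': ['&gt;', '&#62;', '&#x3e;', '&#x3E;'],
  '"': ['&quot;', '&#34;', '&#x22;'],
  "'": ['&#39;', '&#039;', '&#x27;', '&apos;'],
};

// Encodings accepted as "properly escaped" inside a JavaScript string literal.
const JS_ESCAPES = {
  '\\': ['\\\\'],
  '"': ['\\"', '\\x22', '\\u0022'],
  "'": ["\\'", '\\x27', '\\u0027'],
  '/': ['\\/', '\\x2f', '\\x2F', '\\u002f', '\\u002F'],
  '<': ['\\x3c', '\\x3C', '\\u003c', '\\u003C'],
  '>': ['\\x3e', '\\x3E', '\\u003e', '\\u003E'],
  '\r': ['\\r', '\\x0d', '\\x0D', '\\u000d', '\\u000D'],
  '\n': ['\\n', '\\x0a', '\\x0A', '\\u000a', '\\u000A'],
};

// Walk the reflected payload character by character, starting right after the
// unique marker. Returns null if the payload is not reflected at all, otherwise
// the list of payload characters that came back raw. An empty list means every
// character was escaped (or stripped), which is what a false positive looks like.
function rawSpecials(body, marker, payloadChars, escapes) {
  const start = body.indexOf(marker);
  if (start < 0) return null;
  let pos = start + marker.length;
  const raw = [];
  for (const ch of payloadChars) {
    const enc = (escapes[ch] || []).find((e) => body.startsWith(e, pos));
    if (enc !== undefined) {          // escaped form found at this position
      pos += enc.length;
    } else if (body[pos] === ch) {    // character reflected as-is
      raw.push(ch);
      pos += 1;
    }
    // Otherwise the application dropped the character; nothing to advance.
  }
  return raw;
}

// One-line verdict for a scan result in the given output context ('html' or 'js').
function verdict(body, marker, context) {
  const [chars, table] =
    context === 'js' ? [JS_PAYLOAD, JS_ESCAPES] : [HTML_PAYLOAD, HTML_ESCAPES];
  const raw = rawSpecials(body, marker, chars, table);
  if (raw === null) return 'not reflected';
  return raw.length === 0 ? 'escaped' : `unescaped: ${JSON.stringify(raw)}`;
}

// Constructed sample responses. The marker is a unique token so the reflection
// point can be located even when nothing visible changes in the page.
const MARKER = 'vxq7m';
const SAMPLES = {
  htmlEscaped: '<p>Search: vxq7m&amp;&lt;&gt;&quot;&#39;</p>',
  htmlRaw:     '<p>Search: vxq7m&<>"\'</p>',
  // Only & < > were escaped: harmless in text, exploitable inside an attribute.
  htmlPartial: '<input value="vxq7m&amp;&lt;&gt;"\'">',
  jsEscaped:   String.raw`<script>var q = "vxq7m\\\"\'\/\x3c\x3e\r\n";</script>`,
  // Here the \" is the payload's own backslash followed by a raw quote, so the
  // string literal is still broken; the walker reports both characters as raw.
  jsRaw:       '<script>var q = "vxq7m\\"\'/<>\r\n";</script>',
  missing:     '<p>Search: </p>',
};

for (const [name, body] of Object.entries(SAMPLES)) {
  const ctx = name.startsWith('js') ? 'js' : 'html';
  console.log(`${name.padEnd(12)} ${verdict(body, MARKER, ctx)}`);
}
```

The escape table has to match the output context of the reflection point: `&lt;` is a correct escape in HTML text but does nothing inside a `<script>` string, and `\"` is correct inside a JavaScript string but leaves the quote live in an attribute value. Walking the payload in order also catches the case where the application escapes the quote but not the backslash, which a simple "does `\"` appear" search would miss.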
For details of the countermeasures for this vulnerability, see the signature information and the end of the report (Word) that can be output from Vex.
[Related articles] "How to verify scan results"