We are trying to fix the following PCI vulnerability:
Microsoft ASP.NET ValidateRequest Filters Bypass Cross-Site Scripting Vulnerability
The current workaround for this issue is as follows:
In web.config, in the <system.web> section, add:
<httpRuntime enableVersionHeader="false" />
However, the external website does not contain the system.web section. If we add it there, the site breaks.
Two questions:
1. What is the best way to fix this vulnerability? Can we add this header somewhere else?
2. Can we update the application pool in IIS to ASP.NET 4 from 2.0? According to our security team, that will fix the problem as well.
Any help is greatly appreciated. Thank you.