Security Metrics is a company that we use to test for PCI security compliance. Occasionally they add new tests to their battery, and they’re not always tested very well. Today I received notice that we did not pass due to XSS (cross-site scripting) testing. That testing was a complete and utter failure on their part to write a valid test.

It turns out that what they were complaining about was that the script was returned in the query they performed against several pages, such as “;}alert(9823);function%20x(){v%20=%22”. Those queries were returning 301s, as we redirect all http queries to https. The standard 301 response from Apache produces HTML that echoes the injected query string back in its body:

<title>301 Moved Permanently</title>
<h1>Moved Permanently</h1>
<p>The document has moved <a href=";}alert(9823);function%20x(){v%20=%22">here</a>.</p>

Since the response was a 301 with a “Location” header, a browser follows the redirect and never renders that body, so they should have ignored any body. (The payload is also still percent-encoded in the href, so the %22 never closes the attribute.)
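As an added illustration (not the author's code and not Security Metrics' scanner), this is the triage a scanner should apply before flagging a reflected payload; the response dicts are constructed to mirror the Apache 301 page above, and the hostname is a placeholder.

```python
"""Decide whether a reflected scanner payload can actually execute in a browser.
Added example; the responses below are constructed, not captured traffic."""
import html
from urllib.parse import unquote

REDIRECT_CODES = {301, 302, 303, 307, 308}

# The query string the scanner appended, exactly as it appeared in the post.
PAYLOAD = ';}alert(9823);function%20x(){v%20=%22'

# Constructed: Apache's default 301 page, Location pointing at a placeholder host.
CASE_301_REDIRECT = {
    "status": 301,
    "headers": {"Location": "https://example.invalid/?" + PAYLOAD},
    "body": (
        "<title>301 Moved Permanently</title>\n"
        "<h1>Moved Permanently</h1>\n"
        '<p>The document has moved <a href="' + PAYLOAD + '">here</a>.</p>\n'
    ),
}
# Constructed: same body but served as a rendered 200 page.
CASE_200_ENCODED = dict(CASE_301_REDIRECT, status=200, headers={})
# Constructed: a 200 page that echoes the payload URL-decoded, verbatim.
CASE_200_RAW = {"status": 200, "headers": {}, "body": "<p>" + unquote(PAYLOAD) + "</p>"}


def classify_reflection(response, payload):
    """Return one of:
    'not-rendered'  - redirect with Location: the browser follows it and never
                      renders the body, so nothing in the body can run
    'encoded'       - payload present only percent- or HTML-encoded, so it stays
                      inert text inside the attribute or element
    'reflected-raw' - decoded payload appears verbatim; worth a human look
    'absent'        - payload not present at all
    """
    headers = {k.lower(): v for k, v in response["headers"].items()}
    if response["status"] in REDIRECT_CODES and "location" in headers:
        return "not-rendered"
    body = response["body"]
    raw = unquote(payload)  # what the payload decodes to if the server unescaped it
    if raw in body:
        return "reflected-raw"
    if payload in body or html.escape(raw, quote=True) in body:
        return "encoded"
    return "absent"


if __name__ == "__main__":
    for name, case in [("301", CASE_301_REDIRECT), ("200 encoded", CASE_200_ENCODED),
                       ("200 raw", CASE_200_RAW)]:
        print(name, "->", classify_reflection(case, PAYLOAD))
```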

Rather than acknowledge that and fix their problem, they started by demanding that I waste my time proving that we sanitize the output from all our scripts.

That’s not going to happen. They need to fix their flawed testing procedures.