They’ve done it again. @SecurityMetrics has irritated me with their insufficiently tested scan scripts and poor customer service. Is there someone else we should be using for PCI testing?
https://www.edwyse.com/homeapplication.php) has hidden fields that are reporting as vulnerable to cross-site scripting. This is probably why it would be more difficult to have this vulnerability appear via a browser.
Once you feel you have removed the cross-site scripting issues a new scan should be run as it will clarify that the issue has been resolved.
Well duh! Like I thought they had minions clicking through every page of every website of every customer looking for vulnerabilities by hand. Any CSS vulnerability check should, IMHO, filter out the places where scripts cannot be executed. Form input value fields are one of them.
My expectation, for the company that we pay to be the professionals in security, is that they not only implement the tests but understand them. They should know how these potential vulnerabilities could be a problem and be able to communicate that effectively. They should NOT be insisting that their testing techniques are correct simply for lack of prior feedback. This is especially false as I, personally, have provided feedback that has pointed out false-positives in the past that have resulted in changes to the tests.
Is there a better PCI compliance company that we should be using?
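An added example, not part of the original post and not code from SecurityMetrics or from the site mentioned above: a small Python triage check for a scanner finding of the kind described, where a request parameter is reflected into a hidden form field. The two stand-in page renderers and the probe payload are assumptions constructed for illustration. The check separates a reflection that stays inside the quoted value attribute (the browser only sees it as the field's value text) from one that closes the attribute and introduces a new element or an event-handler attribute, which is the case to rule out before closing such a finding as a false positive.

```python
import html
from html.parser import HTMLParser

# Constructed stand-ins for a PHP page that echoes a request parameter into a
# hidden input. Illustrative only; not the application named in the post.


def render_hidden_unescaped(value: str) -> str:
    """Vulnerable variant: the parameter is dropped into the attribute verbatim."""
    return f'<form><input type="hidden" name="ref" value="{value}"></form>'


def render_hidden_escaped(value: str) -> str:
    """Hardened variant: html.escape(quote=True) encodes & < > " and ' so the
    value can never terminate the attribute or open a new tag."""
    return (
        '<form><input type="hidden" name="ref" '
        f'value="{html.escape(value, quote=True)}"></form>'
    )


class _TagCollector(HTMLParser):
    """Records every start tag and attribute the parser sees."""

    def __init__(self) -> None:
        super().__init__()
        self.tags: list[str] = []
        self.attrs: list[tuple[str, str | None]] = []

    def handle_starttag(self, tag, attrs):
        self.tags.append(tag)
        self.attrs.extend(attrs)


def reflection_escapes_attribute(page: str, marker_tag: str = "script") -> bool:
    """Return True if the reflected payload produced a new element (marker_tag)
    or an on* event-handler attribute, i.e. the reflection left the attribute
    value and is exploitable. Return False if it stayed inside the value."""
    collector = _TagCollector()
    collector.feed(page)
    has_marker = marker_tag in collector.tags
    has_handler = any(name.startswith("on") for name, _ in collector.attrs)
    return has_marker or has_handler


# Constructed probe: closes the value attribute and the input tag, injects a
# script element, then opens a new hidden input so the page's trailing
# quote and bracket still parse cleanly.
PAYLOAD = '"><script>alert(1)</script><input type="hidden" value="'


def triage(render) -> bool:
    """Feed the probe through a renderer and report whether it broke out."""
    return reflection_escapes_attribute(render(PAYLOAD))


if __name__ == "__main__":
    for name, renderer in (("unescaped", render_hidden_unescaped),
                           ("escaped", render_hidden_escaped)):
        verdict = "exploitable" if triage(renderer) else "stays in attribute"
        print(f"{name}: {verdict}")
```

The same probe can be sent against a live page and its response run through `reflection_escapes_attribute`; a reflection that the parser still reports as nothing more than the hidden field's value is the situation in which the finding is worth pushing back on, while a break-out means the field's being hidden does not matter.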