CRM 2011: Should I use AntiXss Security Run-time Engine to secure CRM web site?

  • Question

  • Hi all,
    When doing a penetration test, our team member found that the following URL is vulnerable to Cross Site Scripting.
    /CRMORG/tools/systemcustomization/entities/manageentity.aspx

    We are advised to apply AntiXSS Security Runtime engine available from http://wpl.codeplex.com/
    However, it seems that modification in web.config is required. CRM application page is black box to us and we do not know what would happen if antiXSS SRE is applied to CRM production.

    Can anyone let me know what is the proper way to prevent XSS, or should we just escalate the vulnerability to MS Support?
    Friday, September 21, 2012 3:36 AM

Answers

  • Technically I think making a change to the web.config would be considered an unsupported modification - so if you believe there is an issue you should probably speak with MS Support. 

    Jason Lattimer

    Saturday, September 22, 2012 2:17 PM
    Moderator