Cross-site scripting (XSS) filters in browsers check whether the URL contains potentially harmful XSS payloads
and whether those payloads are reflected in the response page. If such a condition is recognized, the injected
code is altered so that it is no longer executed, preventing a successful XSS attack. The downside of
these filters is that the browser has no way to distinguish between code fragments that
were reflected by a vulnerable web application during an XSS attack and those that are legitimately part of
the attacked web page. Sometimes the XSS filters themselves are vulnerable, so that web applications
which were properly protected against XSS attacks become vulnerable under certain conditions.
In the SB2BI application it was noted that no XSS filter headers are being set.
The web application should be configured to send the "X-XSS-Protection" header on every page:
X-XSS-Protection: 1; mode=block
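The following is an added example, not code from the report or the SB2BI application, showing both sides of this recommendation: a checker that classifies a response's X-XSS-Protection header (missing, as in the finding; explicitly disabled; enabled without mode=block; or matching the recommended value), and a WSGI middleware that adds the recommended header to any response that lacks it. The response headers and the demo application are constructed for the example. Note that the distinction between "1" and "1; mode=block" matters: without mode=block the browser sanitises the page rather than refusing to render it, which is the filter behaviour the text above describes as abusable.

```python
"""Check for, and enforce, the X-XSS-Protection response header.

Added example for this report finding; the header values and the
tiny WSGI app below are constructed test fixtures, not real traffic.
"""
from typing import Callable, Dict, List, Tuple

HEADER = "X-XSS-Protection"
RECOMMENDED = "1; mode=block"   # value recommended in the finding


def check_xss_protection(headers: Dict[str, str]) -> Tuple[str, str]:
    """Classify the X-XSS-Protection header of one HTTP response.

    Returns (status, detail) where status is one of:
      'missing'  - header absent (the condition reported for SB2BI)
      'disabled' - header explicitly turns the filter off ("0")
      'weak'     - filter on, but without mode=block (page is sanitised,
                   not blocked, which leaves filter-abuse tricks possible)
      'invalid'  - first directive is neither "0" nor "1"
      'ok'       - matches the recommended "1; mode=block"
    """
    # HTTP header names are case-insensitive, so match accordingly.
    value = None
    for name, raw in headers.items():
        if name.lower() == HEADER.lower():
            value = raw.strip()
            break
    if value is None:
        return "missing", f"no {HEADER} header in response"

    # Split directives: "1; mode=block" -> ["1", "mode=block"]
    parts = [p.strip().lower() for p in value.split(";") if p.strip()]
    if not parts or parts[0] == "0":
        return "disabled", f"filter explicitly disabled: {value!r}"
    if parts[0] != "1":
        return "invalid", f"unrecognised directive: {value!r}"
    if "mode=block" in parts[1:]:
        return "ok", f"header set to recommended value: {value!r}"
    return "weak", f"filter enabled but mode=block missing: {value!r}"


def add_xss_protection(app: Callable) -> Callable:
    """WSGI middleware: add the recommended header if the app did not set it.

    Wraps start_response so the header list is patched before it reaches
    the server; an explicit value set by the application is left alone.
    """
    def middleware(environ, start_response):
        def patched_start_response(status, headers: List[Tuple[str, str]], exc_info=None):
            present = {name.lower() for name, _ in headers}
            if HEADER.lower() not in present:
                headers.append((HEADER, RECOMMENDED))
            return start_response(status, headers, exc_info)
        return app(environ, patched_start_response)
    return middleware


def demo_app(environ, start_response):
    """Constructed application that, like the finding, sets no XSS header."""
    start_response("200 OK", [("Content-Type", "text/html; charset=utf-8")])
    return [b"<html><body>hello</body></html>"]


def wsgi_response_headers(app: Callable) -> Dict[str, str]:
    """Drive a WSGI app with a constructed GET request and collect its headers."""
    captured: Dict[str, str] = {}

    def start_response(status, headers, exc_info=None):
        captured.update(headers)
        return lambda data: None

    environ = {"REQUEST_METHOD": "GET", "PATH_INFO": "/", "SERVER_NAME": "example.invalid"}
    list(app(environ, start_response))   # consume the body iterable
    return captured


if __name__ == "__main__":
    # Before: the unprotected app reproduces the finding.
    print(check_xss_protection(wsgi_response_headers(demo_app)))
    # After: the middleware supplies the recommended header.
    print(check_xss_protection(wsgi_response_headers(add_xss_protection(demo_app))))
```

The checker can be run over headers collected from each page of the application to confirm the fix is applied everywhere, not only on the landing page. Newer browser versions have retired the built-in XSS auditor, so this header is a defence-in-depth setting for older clients; output encoding and a Content-Security-Policy remain the primary controls against reflected XSS.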