I am using the latest web server (any), which is by default enabled with X-XSS-Protection: 1; mode=block to block possible XSS attacks.
So I tried to assess my server by injecting a script into a GET request, which was rejected by the server due to the above filter being enabled. My request looks like https://localhost:431/report/api/createlist.ams?subscriberID=%3Cscript%3Ealert(1)%3C/script%3E&_=1490175834029 ==> Rejected by the server because the source code of a script was found within the request. The server sent an 'X-XSS-Protection' header requesting this behavior.
I have some GET requests via AJAX which are still not blocked by the server. The server is treating a normal GET request and an AJAX GET request differently. How could I reject an XSS attack in the case of an AJAX request as mentioned below?
https://localhost:43261/tabular/reports-data/items.json?startDate=2017-03-01&endDate=2017-03-22&Type=All&bound=Inbound&dataGrouping=%3C%2Ftitle%3E%3Cscript%3Ealert%281%29%3B%3C%2Fscript%3E%3Ctitle%3E&=1490244895514
OR
https://localhost:43261/tabular/reports-data/items.json?startDate=2017-03-01&endDate=2017-03-22&Type=All&bound=Inbound&dataGrouping=%alert(1)%&=1490244895514
Thanks
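An added example, not part of the question above: the X-XSS-Protection header only asks the browser's own filter to act when it renders a page, so data fetched via AJAX is not covered and the server has to validate the request and encode the response itself. The code below checks the dataGrouping parameter of the two sample URLs against an allow-list (the accepted grouping values are assumed) and serialises the JSON so that a reflected value can never become markup.

```python
import json
import re
from urllib.parse import urlsplit, parse_qs

# Assumed allow-list for "dataGrouping"; the real API's values are not given
# in the question, so these are constructed for the example.
ALLOWED_GROUPINGS = {"daily", "weekly", "monthly"}

# Tag-like markup, javascript: URLs and inline event handlers have no
# business in a reporting query string.
MARKUP_RE = re.compile(r"<\s*/?\s*[a-z!]|javascript:|on\w+\s*=", re.IGNORECASE)


def check_query(url):
    """Validate a report request URL server-side, independent of the browser.

    Returns {"ok": True, "params": {...}} for a clean request or
    {"ok": False, "reason": ...} for one to answer with HTTP 400.
    """
    params = {k: v[0] for k, v in parse_qs(urlsplit(url).query).items()}
    grouping = params.get("dataGrouping", "")
    # A denylist catches the obvious <script> payload ...
    if MARKUP_RE.search(grouping):
        return {"ok": False, "reason": "markup in dataGrouping"}
    # ... but only the allow-list catches values like "%alert(1)%" that
    # carry no tag at all and would otherwise be passed through.
    if grouping not in ALLOWED_GROUPINGS:
        return {"ok": False, "reason": "unknown dataGrouping"}
    return {"ok": True, "params": params}


def json_body(payload):
    """Serialise a JSON response so reflected input is inert in the browser.

    <, > and & are written as \\uXXXX escapes (still valid JSON), and the
    headers stop the body from being rendered or sniffed as HTML.
    """
    text = json.dumps(payload)
    text = (text.replace("<", "\\u003c")
                .replace(">", "\\u003e")
                .replace("&", "\\u0026"))
    headers = {
        "Content-Type": "application/json; charset=utf-8",
        "X-Content-Type-Options": "nosniff",
    }
    return text.encode("utf-8"), headers
```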