Is /.well-known/acme-challenge/ an XSS risk?
Posted: Thu Aug 02, 2018 12:00 pm
Hi,
I use https://detectify.com to scan for any possible vulnerabilities; the site tells me that /.well-known/acme-challenge/ is an XSS risk and that an attacker can inject JavaScript into the victim's browser, which will execute under the vulnerable domain.
Is that real?
And if that is real, why is it allowed to be accessed by everyone?
Can I remove it, or deny access to it?
I think Let's Encrypt reads the file only once, and then it does not need it.
Please help me make this clearer to me and others too.