Activity logs and Marketo API

Level 1

Hello,

Our web-security team told us that adding Marketo forms to other websites via scripts (embed code) is not secure and advised us to use the Marketo API.

While researching the Marketo API I ran into one problem that I hope you can help me with:

As I understood from the post Trigger Marketo Flow using REST API, when you push lead info from another form to Marketo using the API, the status in the User Activity Log will be "Person is Pushed".

1. Can we change this log message somehow, or at least track from what page the user was added to Marketo (needed for Marketo triggers)?

2. Does anyone have security issues with adding Marketo forms as embed code?

Thanks in advance.

Level 10 - Community Moderator

Re: Activity logs and Marketo API

"Not secure" is meaningless without details.

In fact, simply switching to REST API push instead of forms immediately opens a Denial of Service vulnerability.

So they have it backwards.

Level 1

Re: Activity logs and Marketo API

"Not secure" means that in the embed code Marketo shows the Marketo user ID without any "masking":

<script src="//00000.marketo.com/js/forms2/js/forms2.min.js"></script>

<form id="mktoForm_1039"></form>

<script>MktoForms2.loadForm("//000000.marketo.com", "000-000-000", 1039);</script>

Level 10 - Community Moderator

Re: Activity logs and Marketo API

Haha, what?

You can see that same public information in the Munchkin embed code (without which you can't do any web tracking).

That's like saying people can see your GTM ID in view-source. You have to be able to see information that is used in embed codes on public websites, whether for GA, Facebook, Twitter, any tracking pixel.

Level 1

Re: Activity logs and Marketo API

I got it, thanks ))

And what about changing the activity log from "Person is Pushed" to something specific? Is it possible?

Or do we need to create some new field in Marketo to hold the info about the page / form type (subscription, event, etc.) from a hidden field inside the non-Marketo form?

Level 10 - Community Moderator

Re: Activity logs and Marketo API

And what about changing the activity log from "Person is Pushed" to something specific? Is it possible?

No, it is not possible.

I haven't heard an informed justification for not using forms, so you should be using an embedded Marketo form to post, period.

When non-knowledgeable people make security suggestions, usually they lower the real security and reliability of a system.


Re: Activity logs and Marketo API

I haven't heard an informed justification for not using forms, so you should be using an embedded Marketo form to post, period.

Hi Sanford, here are some approved examples of Marketo forms abuse:

Lack of input sanitization in Marketo form leads to execution of HTML in lead emails

Stealing contact form data using Marketo Forms XSS with postMessage frame-jumping and jQuery-JSONP

Level 10 - Community Moderator

Re: Activity logs and Marketo API

The first is equally true of an API-based update without separate sanitization. Also, sanitization should be part of the output pipeline, not input; in Marketo, it's done via the HTML encode tokens checkbox (for LPs) or Velocity (for emails). For validation (input filtering) on Marketo forms, you can use proxy fields and/or sign prevalidated requests.

The second one is fixed, so I hardly see that as current justification. You could find any number of outdated vulnerabilities for any product!

Anyway, neither has any bearing on "exposing your Munchkin ID" as a vulnerability, and I was asking about sounder justifications from the original team.

Level 7

Re: Activity logs and Marketo API

Level 10 - Community Moderator

Re: Activity logs and Marketo API

Right, there's a whole blog post on HTML encoding tokens for security.