Preventing XSS

Tamir_Belzer
Level 3


Hi, one of our security people noted that the Visualforce Marketo window within Salesforce (the Marketo Sales Insight) is a security threat, especially for XSS attacks, meaning people trying to inject a script into a Marketo form and hack the system.

Is that true? If so, is there something we can do? He said that using CAPTCHA or reCAPTCHA will not help in these cases and the fix should be on the server side.

Does anyone have any information about that? 

SanfordWhiteman
Level 10 - Community Moderator

Re: Preventing XSS

This has the distinctive ring of FUD. (Hint: if someone tries to scare you by mentioning only an acronym like "XSS", but won't even provide a glancing example of the exploit, it's probably FUD.)

Exactly what field, when you inject an HTML <script> tag into it using an end user exposed function -- be that a form post, web activity, or anything you can do without authentication -- is not HTML-escaped in the MSI frame?

Can you show an alert() popping up from the MSI frame based on untrusted data/activities in Marketo?

Tamir_Belzer
Level 3

Re: Preventing XSS

Hi Sanford,

We did get examples, and maybe my explanation was not complete because I didn't fully understand our security guy's explanation, but we are concerned about it.

What more information do I need to write here or ask our security guy? 

Thank you. 

SanfordWhiteman
Level 10 - Community Moderator

Re: Preventing XSS

What more information do I need to write here or ask our security guy?

How, acting as a public end user (not an authenticated Marketo user) are you getting script content into Marketo fields or activities and having it be executed, instead of escaped, in MSI?

For one counterexample, if someone's Last Name contains an HTML script tag, it is escaped as text content (i.e. the "source code" is displayed) in MSI -- not executed.

An XSS vulnerability means there's a way of getting unfiltered script content into Marketo, such that it is not HTML-escaped when output into MSI.

It's possible that there is such a vulnerability, using some creative encoding on the way into Marketo -- bugs always happen, that's the nature of software -- but merely saying so doesn't prove it.

Tamir_Belzer
Level 3

Re: Preventing XSS

Hi Sanford, our security guy just told me that the SFDC plugin executes the script. If it showed it escaped, as it should, we would not be having this conversation.

SanfordWhiteman
Level 10 - Community Moderator

Re: Preventing XSS

What script and what field and how are you getting it into the field?

This is still vague information.

It's only XSS if the script content is injected into Marketo by an unauthenticated user (viz. a Munchkin activity, a form fillout, a clicked link).

Tamir_Belzer
Level 3

Re: Preventing XSS

Hi Sanford, it was by a form fill-out, and he insists that he saw that the script was executed and not escaped. Unfortunately I can't send you the exact example, as it was deleted from our systems.

Is there anything we can do? 

SanfordWhiteman
Level 10 - Community Moderator

Re: Preventing XSS

You have to reproduce it.

It's irresponsible for your guy to make an accusation like this (that would rise to the level of a private/public disclosure if true) without repro. 

I'm interested in the repro but not gonna say there's a problem at all until it's made available.

My_Nguyen
Level 2

Re: Preventing XSS

Is the script code automatically escaped as text or do we have to do something to make that happen?

SanfordWhiteman
Level 10 - Community Moderator

Re: Preventing XSS

This was fixed long ago. You don't have to do anything.