Re: Security : Server side validation / SQL injection / XSS

Anonymous
Not applicable

Re: Security : Server side validation / SQL injection / XSS

What we first tried was to create a filter that dropped all leads with a name beginning with a number. Problem was the spammer was using hexadecimal, so that only reached some of the bad leads. The available filter tools were a bit limited, so we switched to manually finding and deleting them. We were lucky in that there were two fairly reliable fields we could search for that would return a list of 90%+ spammed addresses, so we searched, then manually deleted all the bad records from the returned list. Took quite a while, but we brought it down significantly. I added some javascript and attached it to the form submit on our end, to prevent the form from being submitted through us with bad data, and that effected a reduction, but not complete elimination. It's not an ultimate solution; I expect it will be just a matter of time before that measure falls as well.

Since then we've been evaluating the idea of presenting and handling the form ourselves, so we can write and enforce our own spam-filter rules, then using an API to insert them into Marketo. No reports available from that effort, yet; we're still evaluating the Marketo APIs for usability and fitness for that purpose.

Anonymous
Not applicable

Re: Security : Server side validation / SQL injection / XSS

You can also add code to do your own custom validation right in Marketo. Just look up the form.onValidate examples. We wrote a validation routine and put it in a snippet that we drag onto the landing pages that need the validation.

SanfordWhiteman
Level 10 - Community Moderator

Re: Security : Server side validation / SQL injection / XSS

While we've done some very elegant things with the Forms 2.0 API, that's still client-side validation. Client-side validation is all bypassed by bots (or any noscript environment). If bots are a direct problem, that's not the solution.

Erin_Van_Leer
Level 1

Re: Security : Server side validation / SQL injection / XSS

Am I understanding correctly:

- Bot spammers often bypass client-side validation on Marketo forms (including default Marketo validation and any custom JS/CSS I've added) so that's useless against anything but the most basic spam bots,

- Marketo has no server-side validation measures in place so there's no protection offered there,

- Marketo has known about this vulnerability for 4 years now and hasn't done anything to fix it?

Tim_Tran5
Level 1

Re: Security : Server side validation / SQL injection / XSS

Do we know if this critical security flaw has been resolved? Or has it been 6+ years with Marketo making no progress?

SanfordWhiteman
Level 10 - Community Moderator

Re: Security : Server side validation / SQL injection / XSS

Escape your output. That's how you deal with untrusted input (always).

Exactly what vulnerability exists when you properly escape output?

(And all user-supplied input should be considered untrusted, regardless of whether it's said to be "sanitized".)

tware
Level 1

Re: Security : Server side validation / SQL injection / XSS

Hi Tim, MKTO hasn't done anything about this. We currently have an open Support Ticket, and they have acknowledged that a hacker can bypass the form and inject malicious values into MKTO; however, they do not consider it a vulnerability to the MKTO database and deem it harmless.

Since this has been going on for some years, I'm curious what others have been able to do on the client side to remedy this?

SanfordWhiteman
Level 10 - Community Moderator

Re: Security : Server side validation / SQL injection / XSS

You can’t do anything on the client input side, by definition.

On the client output side, make sure everything is HTML-escaped. Marketo does this automatically with LPs and allows manual control with emails.

Have yet to hear what actual vulnerability is being described here. The correct practice is always to escape output.
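To make the two points argued in this thread concrete (a rule wired to the form's JavaScript, e.g. via onValidate, only runs in a browser, so a bot posting straight to the endpoint never executes it; the defense that holds regardless is HTML-escaping every stored value at output), here is an added JavaScript example. It is not Marketo's code and not any poster's code. The lead store, the browser and bot submit paths, and the sample submissions are constructed stand-ins for illustration; no Marketo API or endpoint is used.

```javascript
// Added example, not Marketo's own code. Models the thread's point: a rule wired
// to the client (e.g. via Forms 2.0 onValidate) runs only in the browser, so a
// bot that POSTs the field values directly never executes it. The durable defense
// is HTML-escaping every stored value when it is output. The lead store, submit
// paths and sample submissions below are all constructed for illustration.

// Client-side rule of the kind described in the thread: reject names that start
// with a digit or contain markup. A browser-driven submit runs this; nothing else does.
function clientSideNameIsValid(name) {
  return !/^\d/.test(name) && !/[<>]/.test(name);
}

// Constructed stand-in for the server-side form endpoint: it stores whatever it
// receives. Nothing here consults clientSideNameIsValid, which is the point.
function createLeadStore() {
  const leads = [];
  return {
    accept(fields) { leads.push({ ...fields }); return leads.length; },
    all() { return leads.slice(); },
  };
}

// Browser path: the client-side validator gates the submit.
function submitViaBrowser(store, fields) {
  if (!clientSideNameIsValid(fields.firstName)) return null;
  return store.accept(fields);
}

// Bot path: an HTTP client posting straight to the endpoint; no page JavaScript runs.
function submitViaBot(store, fields) {
  return store.accept(fields);
}

// Output escaping for HTML text and double-quoted attribute values. Covers the
// five characters that can break out of either of those two contexts.
const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Render a stored lead as an HTML table row, escaping every untrusted field at
// the point of output regardless of what was (or was not) validated on input.
function renderLeadRow(lead) {
  return `<tr><td title="${escapeHtml(lead.email)}">${escapeHtml(lead.firstName)}</td>` +
         `<td>${escapeHtml(lead.email)}</td></tr>`;
}

// Constructed sample submissions: one from a real visitor, two from a bot that
// bypasses the form's JavaScript entirely (the second carries markup payloads).
const SAMPLE_SUBMISSIONS = [
  { via: 'browser', fields: { firstName: 'Alice', email: 'alice@example.com' } },
  { via: 'bot',     fields: { firstName: '1abc', email: 'x@example.net' } },
  { via: 'bot',     fields: { firstName: '<script>alert(1)</script>',
                              email: '" onmouseover="alert(1)' } },
];

// Run all submissions through the store, then render, and report whether raw
// markup reached the store (it does) and whether it reached the output (it does not).
function runScenario() {
  const store = createLeadStore();
  for (const s of SAMPLE_SUBMISSIONS) {
    (s.via === 'browser' ? submitViaBrowser : submitViaBot)(store, s.fields);
  }
  const stored = store.all();
  const rendered = stored.map(renderLeadRow);
  return {
    storedCount: stored.length,
    rawMarkupStored: stored.some((l) => /<script>/.test(l.firstName)),
    rawMarkupRendered: rendered.some((r) => /<script>/.test(r) || /" onmouseover=/.test(r)),
    rendered,
  };
}

if (typeof require !== 'undefined' && require.main === module) {
  const r = runScenario();
  console.log(`stored ${r.storedCount} leads; raw markup in store: ${r.rawMarkupStored}; ` +
              `raw markup in output: ${r.rawMarkupRendered}`);
  r.rendered.forEach((row) => console.log(row));
}
```

Running it shows all three leads stored (the client-side rule only stopped nothing, because the bot never ran it) and the rendered rows containing `&lt;script&gt;` and `&quot; onmouseover=` rather than live markup. The escaping here is correct only for HTML text and double-quoted attribute values; a field placed into a JavaScript string, a URL, or CSS needs the encoding for that context instead.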