Security : Server side validation / SQL injection / XSS

Anonymous
Not applicable

Re: Security : Server side validation / SQL injection / XSS

What we first tried was to create a filter that dropped all leads with a name beginning with a number. Problem was the spammer was using hexadecimal, so that only reached some of the bad leads. The available filter tools were a bit limited, so we switched to manually finding and deleting them. We were lucky in that there were two fairly reliable fields we could search for that would return a list of 90%+ spammed addresses, so we searched, then manually deleted all the bad records from the returned list. Took quite a while, but we brought it down significantly. I added some JavaScript and attached it to the form submit on our end, to prevent the form from being submitted through us with bad data, and that effected a reduction, but not complete elimination. It's not an ultimate solution; I expect it will be just a matter of time before that measure falls as well.

Since then we've been evaluating the idea of presenting and handling the form ourselves, so we can write and enforce our own spam-filter rules, then using an API to insert them into Marketo. No reports available from that effort, yet; we're still evaluating the Marketo APIs for usability and fitness for that purpose.

Anonymous
Not applicable

Re: Security : Server side validation / SQL injection / XSS

You can also add code to do your own custom validation right in Marketo. Just look up the form.onValidate examples. We wrote a validation routine and put it in a snippet that we drag onto the landing pages that need the validation.
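The form.onValidate hook mentioned above, as an added example that is not part of the original post and not Marketo's own code. It assumes the Forms 2.0 embed (`MktoForms2`) is loaded on the landing page and that the form uses Marketo's default `FirstName` / `LastName` field names; both are assumptions. The rule it enforces is the one from the earlier post in this thread (reject a name that begins with a number), extended to decode the hex-encoded variants that post says slipped past the simple filter.

```javascript
// Added example (not from the thread or Marketo's own code): a Forms 2.0
// form.onValidate hook that rejects lead names starting with a digit, including
// hex-encoded forms of that digit. Assumes MktoForms2 is loaded and that the
// field names "FirstName" / "LastName" (Marketo defaults) are in use.

// Decode the encodings a submitted value may carry before checking it:
// HTML numeric entities (&#x33; / &#51;), JS-style \x33 / \u0033, and
// percent-encoding (%33). Out-of-range code points are left untouched.
function decodeHex(value) {
  let s = String(value);
  const fromHex = (h) => {
    const cp = parseInt(h, 16);
    return cp <= 0x10ffff ? String.fromCodePoint(cp) : '';
  };
  s = s.replace(/&#x([0-9a-f]+);?/gi, (m, h) => fromHex(h) || m);
  s = s.replace(/&#(\d+);?/g, (m, d) => {
    const cp = parseInt(d, 10);
    return cp <= 0x10ffff ? String.fromCodePoint(cp) : m;
  });
  s = s.replace(/\\x([0-9a-f]{2})/gi, (m, h) => fromHex(h));
  s = s.replace(/\\u([0-9a-f]{4})/gi, (m, h) => fromHex(h));
  // A malformed percent sequence must not throw inside the validator.
  try { s = decodeURIComponent(s); } catch (e) { /* keep s as-is */ }
  return s;
}

// True when the decoded, trimmed name starts with a digit.
function isSuspiciousName(value) {
  return /^[0-9]/.test(decodeHex(value).trim());
}

// Register the rule on a Forms 2.0 form object. form.vals(), form.submittable(),
// form.showErrorMessage() and form.getFormElem() are documented Forms 2.0 methods.
function attachNameFilter(form, fields = ['FirstName', 'LastName']) {
  form.onValidate(function () {
    const vals = form.vals();
    for (const field of fields) {
      if (field in vals && isSuspiciousName(vals[field])) {
        form.submittable(false);
        form.showErrorMessage(
          'Please enter a valid name.',
          form.getFormElem().find('[name="' + field + '"]')
        );
        return;
      }
    }
    form.submittable(true);
  });
}

// Hook into the form when the Marketo embed is present on the page.
if (typeof MktoForms2 !== 'undefined') {
  MktoForms2.whenReady(function (form) { attachNameFilter(form); });
}
```

This runs only when a submission goes through the form's own JavaScript; a client that posts directly to the form endpoint never executes it, so treat it as a filter for low-effort spam rather than as a security control.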

Level 10 - Community Moderator

Re: Security : Server side validation / SQL injection / XSS

While we've done some very elegant things with the Forms 2.0 API, that's still client-side validation. Client-side validation is all bypassed by bots (or any noscript environment). If bots are a direct problem, that's not the solution.


Re: Security : Server side validation / SQL injection / XSS

Am I understanding correctly:

- Bot spammers often bypass client-side validation on Marketo forms (including default Marketo validation and any custom JS/CSS I've added) so that's useless against anything but the most basic spam bots,

- Marketo has no server-side validation measures in place so there's no protection offered there,

- Marketo has known about this vulnerability for 4 years now and hasn't done anything to fix it?

Level 1

Re: Security : Server side validation / SQL injection / XSS

Do we know if this critical security flaw has been resolved? Or has it been 6+ years and Marketo has made no progress?

Level 10 - Community Moderator

Re: Security : Server side validation / SQL injection / XSS

Escape your output. That's how you deal with untrusted input (always).

Exactly what vulnerability exists when you properly escape output?

(And all user-supplied input should be considered untrusted, regardless of whether it's said to be "sanitized".)
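Output escaping as the post above describes it, as an added example that is not part of the thread and not Marketo's code. It assumes lead records are rendered by the integrator's own page (not inside Marketo) and uses a constructed sample lead; the field names are assumptions. The point it demonstrates is that the escaping is chosen per output context (HTML text or attribute versus a JavaScript string literal) and is applied to every field at render time, whatever an upstream step claimed about sanitizing.

```javascript
// Added example (not from the thread): escape untrusted lead data at the point
// of output, for the context it is written into. SAMPLE_LEAD is constructed data.

const HTML_ESCAPES = {
  '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#x27;', '/': '&#x2F;',
};

// HTML element-content and double-quoted-attribute context.
function escapeHtml(value) {
  return String(value).replace(/[&<>"'/]/g, (ch) => HTML_ESCAPES[ch]);
}

// JavaScript string-literal context (value embedded in an inline <script>):
// every character outside [A-Za-z0-9] becomes \xHH or \uHHHH, so no quote,
// backslash or "</script>" sequence can close the literal or the script tag.
function escapeJsString(value) {
  return String(value).replace(/[^A-Za-z0-9]/g, (ch) => {
    const code = ch.charCodeAt(0);
    return code < 256
      ? '\\x' + code.toString(16).padStart(2, '0')
      : '\\u' + code.toString(16).padStart(4, '0');
  });
}

// Render one lead as a table row; each field is escaped for where it lands.
function renderLeadRow(lead) {
  return '<tr data-email="' + escapeHtml(lead.email) + '">' +
    '<td>' + escapeHtml(lead.firstName) + '</td>' +
    '<td>' + escapeHtml(lead.lastName) + '</td></tr>';
}

// Render the same value into an inline script as a JS string literal.
function renderLeadScript(lead) {
  return '<script>var leadName = "' + escapeJsString(lead.firstName) + '";</script>';
}

// Constructed sample record standing in for a stored spam lead.
const SAMPLE_LEAD = {
  firstName: '<script>alert(1)</script>',
  lastName: 'x" onmouseover="alert(2)',
  email: 'spam@example.com',
};

if (typeof require !== 'undefined' && require.main === module) {
  console.log(renderLeadRow(SAMPLE_LEAD));
  console.log(renderLeadScript(SAMPLE_LEAD));
}
```

Escaping belongs at the output boundary because the same stored value may be written into several contexts; a "sanitized" flag set on the way in says nothing about which of those contexts the value is safe for.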