Security : Server side validation / SQL injection / XSS

Anonymous

Hi,

Our security scan on Marketo form is now revealing that Marketo form accepts invalid inputs such as HTML code etc.
For example, <script>Alert(‘Hacked’);

This flaw may cause several security issues, such as SQL Injection, Cross site scripting (XSS), etc.

I did a lot of research on the Marketo community and found no articles talking about how Marketo handles such invalid inputs/SQL injection/XSS on Marketo forms.

Does Marketo have server side validation or any security mechanisms to validate invalid inputs and mitigate risks such as SQL injection, Cross site scripting (XSS), etc.? Any suggestion to overcome this security flaw is appreciated.

Thank you in advance for all comments.
Regards,
Taworn D.
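As an added example (not Marketo's code and not part of the original post), here is what server-side handling of a submission like the one described looks like when it is done correctly: allowlist validation of each field, HTML encoding at the point of output, and a parameterized insert so field values never become part of the SQL text. The field names, rules, sample submissions and the `leads` table are assumptions constructed for illustration; the query builder only shows the statement shape and does not talk to a database.

```javascript
// Added example, not Marketo code. Field names, validation rules and the
// sample submissions below are assumptions constructed for illustration.

// Allowlist per field: describe what the field SHOULD contain rather than
// trying to enumerate dangerous strings. Names allow letters (any script),
// combining marks, spaces, apostrophes, periods and hyphens; no '<', '>' or digits.
const RULES = {
  firstName: { re: /^[\p{L}\p{M}' .-]{1,64}$/u, label: "first name" },
  lastName:  { re: /^[\p{L}\p{M}' .-]{1,64}$/u, label: "last name" },
  email:     { re: /^[^\s@]{1,64}@[^\s@]{1,255}$/, label: "email" },
  phone:     { re: /^\+?[0-9 ()-]{7,20}$/, label: "phone" },
};

// Validate a submitted field map. Returns the list of errors and a cleaned
// copy containing only known fields that passed their rule.
function validateSubmission(fields) {
  const errors = [];
  const cleaned = {};
  for (const [name, rule] of Object.entries(RULES)) {
    const raw = fields[name];
    if (typeof raw !== "string") {
      errors.push(`${rule.label}: missing`);
      continue;
    }
    const value = raw.trim();
    if (!rule.re.test(value)) {
      errors.push(`${rule.label}: invalid characters or length`);
      continue;
    }
    cleaned[name] = value;
  }
  // Unknown fields are rejected rather than silently stored.
  for (const name of Object.keys(fields)) {
    if (!(name in RULES)) errors.push(`${name}: unexpected field`);
  }
  return { ok: errors.length === 0, errors, cleaned };
}

// Output encoding: whatever ends up stored, encode it when rendering into
// HTML. This is what actually prevents XSS; input validation is defence in depth.
function escapeHtml(s) {
  return String(s).replace(/[&<>"']/g, (c) => ({
    "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;",
  }[c]));
}

function renderGreeting(firstName) {
  return `<p>Hello, ${escapeHtml(firstName)}!</p>`;
}

// Parameterized insert: column names come from RULES (server-controlled),
// values are passed separately as bind parameters, so a value such as
// O'Brien never alters the SQL text. The `leads` table is assumed.
function buildInsert(cleaned) {
  const cols = Object.keys(cleaned);
  const placeholders = cols.map((_, i) => `$${i + 1}`);
  return {
    text: `INSERT INTO leads (${cols.join(", ")}) VALUES (${placeholders.join(", ")})`,
    values: cols.map((c) => cleaned[c]),
  };
}

// Constructed sample submissions: one hostile, one legitimate but awkward.
const ATTEMPTS = [
  { firstName: "<script>Alert('Hacked');", lastName: "Doe", email: "a@b.example", phone: "+1 555 0100" },
  { firstName: "Siobhán", lastName: "O'Brien-Smith", email: "s.obrien@example.org", phone: "(020) 7946 0000" },
];

for (const attempt of ATTEMPTS) {
  const result = validateSubmission(attempt);
  if (!result.ok) {
    console.log("rejected:", result.errors.join("; "));
  } else {
    console.log("accepted:", renderGreeting(result.cleaned.firstName), buildInsert(result.cleaned));
  }
}
```

The second sample shows why validation must be an allowlist of expected characters rather than a blocklist of "dangerous" ones: an apostrophe and a hyphen are legitimate in a surname and must be accepted, and the parameterized insert and output encoding are what keep them harmless.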

Anonymous

Re: Security : Server side validation / SQL injection / XSS

to follow the discussion
Anonymous

Re: Security : Server side validation / SQL injection / XSS

I have the same concern.
Can we disable form fields from allowing html?
Anonymous

Re: Security : Server side validation / SQL injection / XSS

An old issue, but I have seen the same problem. Any response from Marketo?
Marketo Employee

Re: Security : Server side validation / SQL injection / XSS

Hi Domenic,

Could you please log a support ticket demonstrating your concerns with regard to any potential XSS vulnerabilities?

Re: Security : Server side validation / SQL injection / XSS

It's an old thread, but did anything come of this? How does Marketo account for SQL/HTML injection?

Marketo Employee

Re: Security : Server side validation / SQL injection / XSS

I don't recall if anything came from this specific thread, but we take security seriously and employ modern security practices to combat XSS and SQL injection, in addition to many other attack vectors. You can read more here: TRUST - Security and Customer Data Protection - Marketo

Anonymous

Re: Security : Server side validation / SQL injection / XSS

Well, we don't have that particular concern...in our case we have someone reading the form fields, then auto-submitting a few thousand per day with a 13-digit hex number in the name field. It's easy enough to filter that out of a smart list, but I want to keep it from getting into the db in the first place. Marketo just lets it in, no apparent way to insert some server-side filter that just drops the record.

Level 10 - Community Moderator

Re: Security : Server side validation / SQL injection / XSS

Approach your forms workflow from a different angle. Require a valid reCAPTCHA response or delete the lead immediately. Bot-generated posts will not pass reCAPTCHA.
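The gating the moderator describes, as an added example that is not part of the original post and not Marketo's own code: the server verifies the submitted reCAPTCHA token with Google's siteverify endpoint and keeps the record only on success, discarding it otherwise. The `siteverify` URL, its `secret`/`response`/`remoteip` parameters and the `success`/`hostname`/`error-codes` fields of its JSON reply are the documented reCAPTCHA API; the allowed hostname, the `store` interface, the field layout of a submission and the constructed responses are assumptions. The verifier is injectable so the decision logic can be exercised offline.

```javascript
// Added example, not Marketo code. Gate a form submission on a server-side
// reCAPTCHA verification and drop the lead when verification fails.
// Requires a runtime with global fetch (Node 18+ or a browser-like server).

const SITEVERIFY_URL = "https://www.google.com/recaptcha/api/siteverify";

// Real verifier: POST secret + token (+ optional client IP) to Google and
// return the parsed JSON reply, e.g. { success, challenge_ts, hostname, "error-codes" }.
async function verifyWithGoogle(secret, token, remoteIp) {
  const body = new URLSearchParams({ secret, response: token });
  if (remoteIp) body.set("remoteip", remoteIp);
  const res = await fetch(SITEVERIFY_URL, { method: "POST", body });
  return res.json();
}

// Hostnames on which the widget is legitimately served (assumed list). A token
// solved on a copy of the form hosted elsewhere is rejected even if valid.
const ALLOWED_HOSTNAMES = new Set(["forms.example.com"]);

// Pure decision logic over the siteverify reply, so it can be tested offline.
function decide(verifyResult) {
  if (!verifyResult || verifyResult.success !== true) {
    const codes = (verifyResult && verifyResult["error-codes"]) || [];
    return { keep: false, reason: `captcha failed${codes.length ? ": " + codes.join(",") : ""}` };
  }
  if (!ALLOWED_HOSTNAMES.has(verifyResult.hostname)) {
    return { keep: false, reason: `wrong hostname: ${verifyResult.hostname}` };
  }
  return { keep: true, reason: "ok" };
}

// submission: { fields: {...}, "g-recaptcha-response": token, remoteIp }
// store: object with async save(fields) and discard(fields, reason); assumed interface.
// verify/secret default to the real Google call and an environment variable.
async function handleSubmission(submission, store, verify = verifyWithGoogle, secret = process.env.RECAPTCHA_SECRET) {
  const token = submission["g-recaptcha-response"];
  if (typeof token !== "string" || token.length === 0) {
    const decision = { keep: false, reason: "no captcha token" };
    await store.discard(submission.fields, decision.reason);
    return decision;
  }
  let result;
  try {
    result = await verify(secret, token, submission.remoteIp);
  } catch (err) {
    // Treat a verifier outage as a failure: fail closed rather than let bots in.
    result = { success: false, "error-codes": ["verify-unreachable"] };
  }
  const decision = decide(result);
  if (decision.keep) await store.save(submission.fields);
  else await store.discard(submission.fields, decision.reason);
  return decision;
}

// Constructed sample replies, showing the two failure shapes the logic handles.
const SAMPLE_REPLIES = [
  { success: true, hostname: "forms.example.com" },
  { success: false, "error-codes": ["invalid-input-response"] },
  { success: true, hostname: "attacker.example" },
];
for (const reply of SAMPLE_REPLIES) console.log(decide(reply));
```

Note that the token is single-use on Google's side, so the check must run exactly once per submission, on the server, before the record is written; a client-side-only check is what a scripted submitter simply skips.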

Anonymous

Re: Security : Server side validation / SQL injection / XSS

Might work, if your form design tool was able to create a form that looked like it belonged in the 21st century. We stopped using your form designs years ago because it was nigh unto impossible to make them look and act the way modern forms should. But that's a different topic entirely.