Hello,
Our web-security team told us that adding Marketo forms to other websites via scripts (embed code) is not secure and advised us to use the Marketo API.
While researching the Marketo API I ran into one problem I really hope you can help me with:
As I understood from this post, Trigger Marketo Flow using REST API, when you push lead info from another form to Marketo using the API, the status in the User Activity Log will be "Person is Pushed".
1. Can we change this log message somehow, or at least track from which page the user was added to Marketo (needed for Marketo triggers)?
2. Does anyone have security issues with adding Marketo forms as embed code?
Thanks in advance.
"Not secure" is meaningless without details.
In fact, simply switching to REST API push instead of forms immediately opens a Denial of Service vulnerability.
So they have it backwards.
"Not secure" means that in the embed code Marketo shows the Marketo user ID without any "masking":
<script src="//00000.marketo.com/js/forms2/js/forms2.min.js"></script>
<form id="mktoForm_1039"></form>
<script>MktoForms2.loadForm("//000000.marketo.com", "000-000-000", 1039);</script>
Haha, what?
You can see that same public information in the Munchkin embed code (without which you can't do any web tracking).
That's like saying people can see your GTM ID in view-source. You have to be able to see information that is used in embed codes on public websites, whether for GA, Facebook, Twitter, any tracking pixel.
I got it, thanks ))
And what about changing the activity log from "Person is Pushed" to something specific? Is it possible?
Or do we need to create some new field in Marketo to add the info about page / form type (subscription, event, etc.) from a hidden field inside the non-Marketo form?
And what about changing the activity log from "Person is Pushed" to something specific? Is it possible?
No, it is not possible.
I haven't heard an informed justification for not using forms, so you should be using an embedded Marketo form to post, period.
When non-knowledgeable people make security suggestions, usually they lower the real security and reliability of a system.
I haven't heard an informed justification for not using forms, so you should be using an embedded Marketo form to post, period.
Hi Sanford, here are some approved examples of Marketo forms abuse:
Lack of input sanitization in Marketo form leads to execution of HTML in lead emails
Stealing contact form data using Marketo Forms XSS with postMessage frame-jumping and jQuery-JSONP
The first is equally true of an API-based update without separate sanitization. Also, sanitization should be part of the output pipeline, not input; in Marketo, it's done via the HTML encode tokens checkbox (for LPs) or Velocity (for emails). For validation (input filtering) on Marketo forms, you can use proxy fields and/or sign prevalidated requests.
The second one is fixed, so I hardly see that as current justification. You could find any number of outdated vulnerabilities for any product!
Anyway, neither has any bearing on "exposing your Munchkin ID" as a vulnerability, and I was asking about sounder justifications from the original team.
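As an added illustration of the point about encoding at output rather than at input (the "execution of HTML in lead emails" issue and the "HTML encode tokens" remedy discussed above), here is a small stand-alone model, not code from this thread or from Marketo: the {{lead.Field}} token syntax and the renderEmail()/escapeHtml() helpers are assumptions standing in for Marketo's token rendering and its HTML-encode option, and the lead record is constructed.

```javascript
// Added example: why encoding belongs in the output pipeline (the email
// template), not at form input. The {{lead.Field}} token syntax and the
// helpers below are assumptions standing in for Marketo's token rendering
// and its "HTML encode tokens" option; they are not Marketo's API.

// Minimal HTML escaping for text that lands inside an HTML email body.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// Replace {{lead.Field}} tokens with lead values. encodeTokens=false mimics
// the unsafe behaviour the thread warns about (lead HTML renders as markup);
// encodeTokens=true mimics enabling HTML encoding of tokens.
function renderEmail(template, lead, encodeTokens) {
  return template.replace(/\{\{lead\.(\w+)\}\}/g, (_, field) => {
    const raw = lead[field] ?? "";
    return encodeTokens ? escapeHtml(raw) : raw;
  });
}

// Defender-side check: list lead fields whose value contains markup. This is
// the kind of validation rule one would put on a proxy field before the value
// is accepted, regardless of whether it arrived via form post or API push.
function fieldsWithMarkup(lead) {
  return Object.keys(lead).filter((f) => /<[a-zA-Z!/]/.test(String(lead[f])));
}

// Constructed sample lead: FirstName was submitted with HTML in it.
const sampleLead = {
  FirstName: '<a href="https://example.invalid">Click here</a>',
  Company: "Acme & Co",
};
const template = "<p>Hi {{lead.FirstName}} from {{lead.Company}},</p>";

const unsafe = renderEmail(template, sampleLead, false); // link renders live
const safe = renderEmail(template, sampleLead, true);    // shown as text
```

The same lead value is dangerous or harmless depending only on the output step, which is why sanitizing at the form (or at the API) alone does not close the issue.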
For #1, I believe you can use this: HTML Encode Tokens in Emails - Marketo Docs - Product Documentation
Right, there's a whole blog post on HTML encoding tokens for security.