Your Achievements
Level 1
0% to
Level 2
Next /
to gain points, level up, and earn exciting badges like the new Applaud 5 BadgeLearn more!
View All BadgesSign in to view all badges
Open Alert Bar
SOLVED

Security questions about the Marketo forms we embedded on our WP website

Go to solution
Eve_Yu
Level 2
Level 2
‎11-20-2023 07:32 PM
‎11-20-2023 07:32 PM

Security questions about the Marketo forms we embedded on our WP website

We just scanned our WP website to check the security issues, and we found two issues related to Marketo forms. Do you have any solutions to resolve them? 

  1. Script Src Integrity Check: app-ab24.marketo.com/js/forms2/js/forms2.min.js can't generate SRI Hash, so, we can't pass this check.  FYI, the description of this check: The remote host may be vulnerable to payment entry data exfiltration due to javascript included from potentially untrusted and unverified third parties script src.
  2. CGI Generic Cross-Site Request Forgery Detection: it is also related to Marketo forms, the problem shows that on the pages we used Marketo forms. CGIs are not protected by a random token. 

Any solutions?  

0 Likes
858
Reply
2 ACCEPTED SOLUTIONS

Accepted Solutions
SanfordWhiteman
Level 10 - Community Moderator
Level 10 - Community Moderator
‎11-20-2023 07:44 PM
‎11-20-2023 07:44 PM

Re: Security questions about the Marketo forms we embedded on our WP website

  1. Script Src Integrity Check: app-ab24.marketo.com/js/forms2/js/forms2.min.js can't generate SRI Hash, so, we can't pass this check.  FYI, the description of this check: 

There’s no reason you can’t generate an SRI hash for that file. Of course if the file changes (i.e. is updated by Marketo, as naturally happens) your hash will become invalid, which is exactly what should happen.

 

Your choice is either (a) to monitor the file for changes and change the hash immediately or (b) make a copy of the file, upload it to Design Studio, and use that static copy — which of course means you will miss updates.

 

 

View solution in original post

0 Likes
850
Reply
SanfordWhiteman
Level 10 - Community Moderator
Level 10 - Community Moderator
‎11-20-2023 08:10 PM
‎11-20-2023 08:10 PM

Re: Security questions about the Marketo forms we embedded on our WP website

CGI Generic Cross-Site Request Forgery Detection: it is also related to Marketo forms, the problem shows that on the pages we used Marketo forms. CGIs are not protected by a random token.

There’s no “CGI” (as in cgi-bin) involved here. Sounds like a generic form check.

 

It’s true that Marketo forms don’t use a CSRF token/nonce. This is true of the overwhelming majority of embedded marketing forms from any vendor, though. Such forms are by their nature anonymously submitted and are not considered to pose the danger of, say, an actual web app. (I’m not passing judgment on whether that assessment is correct, but it’s near-universal.) If an attacker wished to submit a Marketo form to your instance, they wouldn’t need to hit the form endpoint directly, they could just embed the form itself!

View solution in original post

0 Likes
846
Reply
2 REPLIES 2
SanfordWhiteman
Level 10 - Community Moderator
Level 10 - Community Moderator
‎11-20-2023 07:44 PM
‎11-20-2023 07:44 PM

Re: Security questions about the Marketo forms we embedded on our WP website

  1. Script Src Integrity Check: app-ab24.marketo.com/js/forms2/js/forms2.min.js can't generate SRI Hash, so, we can't pass this check.  FYI, the description of this check: 

There’s no reason you can’t generate an SRI hash for that file. Of course if the file changes (i.e. is updated by Marketo, as naturally happens) your hash will become invalid, which is exactly what should happen.

 

Your choice is either (a) to monitor the file for changes and change the hash immediately or (b) make a copy of the file, upload it to Design Studio, and use that static copy — which of course means you will miss updates.

 

 

0 Likes
851
Reply
SanfordWhiteman
Level 10 - Community Moderator
Level 10 - Community Moderator
‎11-20-2023 08:10 PM
‎11-20-2023 08:10 PM

Re: Security questions about the Marketo forms we embedded on our WP website

CGI Generic Cross-Site Request Forgery Detection: it is also related to Marketo forms, the problem shows that on the pages we used Marketo forms. CGIs are not protected by a random token.

There’s no “CGI” (as in cgi-bin) involved here. Sounds like a generic form check.

 

It’s true that Marketo forms don’t use a CSRF token/nonce. This is true of the overwhelming majority of embedded marketing forms from any vendor, though. Such forms are by their nature anonymously submitted and are not considered to pose the danger of, say, an actual web app. (I’m not passing judgment on whether that assessment is correct, but it’s near-universal.) If an attacker wished to submit a Marketo form to your instance, they wouldn’t need to hit the form endpoint directly, they could just embed the form itself!

0 Likes
847
Reply
Home