Re: Security : Server side validation / SQL injection / XSS

Anonymous
Not applicable

Security : Server side validation / SQL injection / XSS

Hi,

Our security scan on Marketo form is now revealing that Marketo form accepts invalid inputs such as HTML code etc.
For example, <script>Alert(‘Hacked’);

This flaw may cause several security issues, such as SQL Injection, Cross site scripting (XSS), etc.

I have done a lot of research on the Marketo community and found no articles discussing how Marketo handles such invalid inputs/SQL injection/XSS on Marketo forms.

Does Marketo have server side validation or any security mechanisms to validate invalid inputs and mitigate risks such as SQL injection, Cross site scripting (XSS), etc.? Any suggestion to overcome this security flaw is appreciated.

Thank you in advance for all comments.
Regards,
Taworn D.

27 REPLIES
Anonymous
Not applicable

Re: Security : Server side validation / SQL injection / XSS

To follow the discussion.
Anonymous
Not applicable

Re: Security : Server side validation / SQL injection / XSS

I have the same concern.
Can we disable form fields from allowing html?
Anonymous
Not applicable

Re: Security : Server side validation / SQL injection / XSS

An old issue, but I have seen the same problem. Any response from Marketo?
Kenny_Elkington
Marketo Employee

Re: Security : Server side validation / SQL injection / XSS

Hi Domenic,

Could you please log a support ticket demonstrating your concerns with regard to any potential XSS vulnerabilities?
Jonathan_Marzin
Level 2

Re: Security : Server side validation / SQL injection / XSS

It's an old thread, but did anything come of this? How does Marketo account for SQL/HTML injection?

Kenny_Elkington
Marketo Employee

Re: Security : Server side validation / SQL injection / XSS

I don't recall if anything came from this specific thread, but we take security seriously and employ modern security practices to combat XSS and SQL injection, in addition to many other attack vectors. You can read more here: TRUST - Security and Customer Data Protection - Marketo

Anonymous
Not applicable

Re: Security : Server side validation / SQL injection / XSS

Well, we don't have that particular concern...in our case we have someone reading the form fields, then auto-submitting a few thousand per day with a 13-digit hex number in the name field. It's easy enough to filter that out of a smart list, but I want to keep it from getting into the db in the first place. Marketo just lets it in, no apparent way to insert some server-side filter that just drops the record.
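
The kind of server-side filter this post asks for, written as an added example (not Marketo code and not part of the thread): it drops submissions whose name field is exactly the 13-digit hex pattern described above, rejects fields carrying HTML markup like the `<script>` sample from the original question, and returns HTML-escaped copies of every value so nothing stored can be echoed back unescaped. Field names, patterns and sample posts are constructed for the example.

```python
import html
import re
from dataclasses import dataclass, field

# Constructed patterns: the "13-digit hex number" bot signature from the post,
# and any HTML tag inside a free-text field.
HEX13_RE = re.compile(r"^[0-9a-fA-F]{13}$")
HTML_TAG_RE = re.compile(r"<[^>]*>")

# Fields where a bare hex token is never a legitimate value (assumption).
NAME_FIELDS = ("FirstName", "LastName")


@dataclass
class Decision:
    drop: bool                                   # True -> do not store the record
    reasons: list = field(default_factory=list)  # why it was dropped
    clean: dict = field(default_factory=dict)    # HTML-escaped values, safe to render


def validate_submission(fields: dict) -> Decision:
    """Run on the server before a form post is written to the database.

    Rules (assumptions for this example, not Marketo's own validation):
      * a name field that is exactly 13 hex digits is treated as bot traffic
      * a field containing markup is rejected instead of being stored silently
      * every value is HTML-escaped so it can be echoed into a page safely
    """
    decision = Decision(drop=False)
    for name, value in fields.items():
        value = value.strip()
        if name in NAME_FIELDS and HEX13_RE.match(value):
            decision.drop = True
            decision.reasons.append(f"{name}: 13-digit hex value (bot pattern)")
        if HTML_TAG_RE.search(value):
            decision.drop = True
            decision.reasons.append(f"{name}: contains HTML markup")
        # Escape unconditionally: storing raw markup is what creates the XSS risk.
        decision.clean[name] = html.escape(value, quote=True)
    return decision


if __name__ == "__main__":
    # Constructed sample posts
    samples = {
        "bot": {"FirstName": "1a2b3c4d5e6f0", "LastName": "Smith"},
        "xss": {"FirstName": "<script>Alert('Hacked');", "LastName": "Doe"},
        "ok":  {"FirstName": "Taworn", "LastName": "D."},
    }
    for label, post in samples.items():
        d = validate_submission(post)
        print(label, "DROP" if d.drop else "ACCEPT", d.reasons)
```

The regexes are deliberately narrow; widen `NAME_FIELDS` and the tag pattern to match the fields your own form actually exposes.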

SanfordWhiteman
Level 10 - Community Moderator

Re: Security : Server side validation / SQL injection / XSS

Approach your forms workflow from a different angle. Require a valid reCAPTCHA response or delete the lead immediately. Bot-generated posts will not pass reCAPTCHA.

Anonymous
Not applicable

Re: Security : Server side validation / SQL injection / XSS

Might work, if your form design tool was able to create a form that looked like it belonged in the 21st century. We stopped using your form designs years ago because it was nigh unto impossible to make them look and act the way modern forms should. But that's a different topic entirely.