Our security scan on the Marketo form is now revealing that the Marketo form accepts invalid inputs such as HTML code, etc. For example, <script>Alert('Hacked');
This flaw may cause several security issues, such as SQL Injection, Cross site scripting (XSS), etc.
I did a lot of research on the Marketo community and found no articles talking about how Marketo handles such invalid inputs/SQL injection/XSS on Marketo forms.
Does Marketo have server-side validation or any security mechanisms to validate invalid inputs and mitigate risks such as SQL injection, cross-site scripting (XSS), etc.? Any suggestion to overcome this security flaw is appreciated.
Thank you in advance for all comments.
It's an old thread, but did anything come of this? How does Marketo account for SQL/HTML injection?
I don't recall if anything came from this specific thread, but we take security seriously and employ modern security practices to combat XSS and SQL injection, in addition to many other attack vectors. You can read more here: TRUST - Security and Customer Data Protection - Marketo
Well, we don't have that particular concern... in our case we have someone reading the form fields, then auto-submitting a few thousand per day with a 13-digit hex number in the name field. It's easy enough to filter that out of a smart list, but I want to keep it from getting into the DB in the first place. Marketo just lets it in, with no apparent way to insert some server-side filter that just drops the record.
Approach your forms workflow from a different angle. Require a valid reCAPTCHA response or delete the lead immediately. Bot-generated posts will not pass reCAPTCHA.
Might work, if your form design tool was able to create a form that looked like it belonged in the 21st century. We stopped using your form designs years ago because it was nigh unto impossible to make them look and act the way modern forms should. But that's a different topic entirely.
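The server-side gate asked for above, written as an added example (not Marketo's code and not from any participant in this thread): it screens a lead-capture post for HTML markup in inputs and for the 13-hex-digit token the bot submissions carry, and treats a missing or failed CAPTCHA check as the drop trigger the other reply suggests. The field names, the `verifyCaptcha` callback and the sample posts are assumptions constructed for the example.

```javascript
// Added example: a pre-filter in front of a lead-capture endpoint that
// decides whether a form post is forwarded to the marketing DB or dropped.
// Field names (firstName, lastName, captchaToken) are assumed, not a real
// Marketo schema. The checks mirror the thread's two complaints: HTML or
// script fragments in inputs, and bot posts with a 13-hex-digit name.

const HTML_TAG = /<\s*\/?\s*[a-z][^>]*>/i;      // <script>, </b>, <img ...>
const HEX_BLOB = /\b[0-9a-f]{13}\b/i;           // the bot signature described above
const NAME_OK  = /^[\p{L}\p{M}'\-. ]{1,80}$/u;  // letters, combining marks, ' - . space

/** Return the reasons a single name-like field is unacceptable (empty = fine). */
function checkNameField(label, value) {
  if (typeof value !== 'string') return [`${label}: not a string`];
  const reasons = [];
  const v = value.trim();
  if (HTML_TAG.test(v)) reasons.push(`${label}: contains HTML markup`);
  if (HEX_BLOB.test(v)) reasons.push(`${label}: 13-hex-digit token`);
  if (!NAME_OK.test(v)) reasons.push(`${label}: characters outside name set`);
  return reasons;
}

/**
 * Decide on one submission. `verifyCaptcha(token) -> boolean` is injected
 * (assumed interface) so the call to the CAPTCHA provider's verify endpoint
 * can be stubbed offline; in production that call is an HTTP request.
 * Returns { accept, reasons } so the caller can log why a post was dropped.
 */
function screenSubmission(form, verifyCaptcha) {
  const reasons = [
    ...checkNameField('firstName', form.firstName),
    ...checkNameField('lastName', form.lastName),
  ];
  if (!form.captchaToken || !verifyCaptcha(form.captchaToken)) {
    reasons.push('captcha: missing or failed verification');
  }
  return { accept: reasons.length === 0, reasons };
}

// Constructed sample posts: one plausible human, one shaped like the bot traffic.
const SAMPLES = [
  { firstName: 'Ana', lastName: "O'Neil", captchaToken: 'token-from-widget' },
  { firstName: '1a2b3c4d5e6f7', lastName: '<script>alert(1)</script>', captchaToken: '' },
];
```

Wire `screenSubmission` into the handler that receives the post and only forward records where `accept` is true; the `reasons` array gives a per-field audit trail for the dropped ones.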