Force.com Security Review....
Hi Guys,
Please, I need some help regarding the force.com security review.
We have an application which we sent for security review. The application is completely based on force.com and does not have any other integration.
We did run the Checkmarx report and it did not receive any vulnerability messages and was clean.
Now we have received the feedback and have 3 major problems; could you please help me with the same?
Below are the 3 problems. How can I overcome them?
1. DOM based XSS Vulnerability
Code
if (desc.length > 0){
    tdesc = "<span class='desc'>" + unescape(desc) + "</span>";
}
if (cmt.length > 0){
    tcmt = "<span class='h'>Comment</span><span class='cmt'>" + unescape(cmt) + "</span>";
}
title = tdesc + tcmt;
return title;
File
Winscope_MVPs.page
Notes
Data from custom object is written into the DOM and then placed, via js, into an html execution context.
How can I overcome the above problem in the page?
2. FLS Create Vulnerability
Code
    edit = true;

    ap = new Action_Plan__c(Opportunity__c=oppId, From__c=fromModule, Who__c=UserInfo.getUserId(), Related_Record_ID__c=recId);
    if (recId==null) ap.Winscope_Page__c = WinscopePage; //Action added from respective module page
}//End of WS_AddActionCon

public void saveAction() {
What can be done to pass the review in the above case?
3. URL Redirection Attack Vulnerability
Code
}

public pageReference backToAction(){
    String PageName = apexPages.currentPage().getParameters().get('pageName');
    PageReference pg = new pageReference(PageName);
    pg.setRedirect(true);
    return pg;
Please, guys, I am looking into it, but if you could, please let me know what the vulnerability is and how it can be fixed.
Awaiting your reply, guys. Thanks.
Hi Atul,
Now I am doing the development of an app and have started working on the security review process, and I have cleared all the bugs which came up from the Checkmarx secure code scanner.
I am very much worried even though my app is only on the force.com platform without any other integration. I am facing some problems in manual testing of the app for XSS attacks; can you tell me the major problems which would arise in clearing the security review process?
Thanks,
Atif
I don't think there are quick code-fixes to these problems. The fix is the application design.
For (1), why are "desc" and "cmt" unescaped? If users need to format the field, perhaps the fields should be broken down so that the system can do the formatting instead.
For (2) and (3), why is navigation determined by a dynamic parameter? Are there any alternative options? Sometimes Custom Settings can be used in place of session scope, so one page could set a value for a user, and another page could retrieve it, without exposing the parameter to HTTP.
-Ted.
Ready Set Prep!
* http://appexchange.salesforce.com/listingDetail?listingId=a0N30000009h4laEAA
If it's a native application, two things to avoid are unescaping output and using unchecked input. Force.com already has a lot of built-in protection against XSS, it's just a matter of making sure your application doesn't defeat the built-in safeguards.
Here are two key points about XSS:
* In order to prevent XSS attacks, does your application escape all queried data, page elements, and request parameters by replacing the characters < ' > & " with their HTML-safe counterparts before use in any rendering operations (e.g. element.innerHTML=…)?
* If your application dynamically creates API queries, does it escape all included page elements, request parameters, or queried data by replacing the characters ' and \ with \' and \\ before their inclusion in API query strings?
These questions come up after the review is submitted. I don't know why they are not asked sooner, since they drive the point home.
-Ted.
Ready Set Prep!
* http://appexchange.salesforce.com/listingDetail?listingId=a0N30000009h4laEAA
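As an added example (not code from this thread or from the Winscope app), here is the title builder from finding (1) beside a hardened version that applies the escaping Ted lists, plus the ' and \ escaping from his second point; the function names and the sample field value are assumed/constructed.

```javascript
// Added example, not from the thread. Field values are constructed sample
// data, not records from the application under review.

// Vulnerable form, as quoted in the review finding: unescape() undoes any
// encoding applied upstream, so tags in a description land in the DOM as markup.
function buildTitleUnsafe(desc, cmt) {
  var tdesc = "", tcmt = "";
  if (desc.length > 0) {
    tdesc = "<span class='desc'>" + unescape(desc) + "</span>";
  }
  if (cmt.length > 0) {
    tcmt = "<span class='h'>Comment</span><span class='cmt'>" + unescape(cmt) + "</span>";
  }
  return tdesc + tcmt;
}

// Replace the five characters named in the review questionnaire (< ' > & ")
// with their entity forms so they are rendered as text, not parsed as HTML.
function escapeHtml(s) {
  var map = { "<": "&lt;", ">": "&gt;", "&": "&amp;", '"': "&quot;", "'": "&#39;" };
  return String(s).replace(/[<>&"']/g, function (ch) { return map[ch]; });
}

// Hardened form: same markup and same classes, but field data is escaped
// instead of unescaped before the string is assigned to innerHTML.
function buildTitleSafe(desc, cmt) {
  var tdesc = "", tcmt = "";
  if (desc.length > 0) {
    tdesc = "<span class='desc'>" + escapeHtml(desc) + "</span>";
  }
  if (cmt.length > 0) {
    tcmt = "<span class='h'>Comment</span><span class='cmt'>" + escapeHtml(cmt) + "</span>";
  }
  return tdesc + tcmt;
}

// Second point from the same reply: before a value is spliced into an API
// query string, escape backslashes first, then single quotes.
function escapeSoqlString(s) {
  return String(s).replace(/\\/g, "\\\\").replace(/'/g, "\\'");
}

// Constructed sample value, the kind of text a description field could hold.
var SAMPLE_DESC = "Q3 pipeline <b>review</b> & \"notes\"";
```

The unsafe builder passes the `<b>` tag through to the DOM as markup; the hardened one turns it into `&lt;b&gt;`, which the browser displays as text.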
Hi Atul,
Did you find any solution to your security review issues? If yes, please share those with me, as I also got the same issues list from Checkmarx; even though we fixed them, the Checkmarx tool is still showing them as not resolved.
Thanks in advance.
Regards,
Sridhar Bonagiri