atul_Bharmal

Force.com Security Review....

Hi Guys,

Please, I need some help regarding the Force.com security review.

We have an application which we sent for security review. The application is completely based on Force.com and does not have any other integration.

We did run the Checkmarx report and it did not receive any vulnerability messages and was clean.

Now we have received the feedback and have 3 major problems. Could you please help me with the same?

Below are the 3 problems; how can I overcome them?

1. DOM based XSS Vulnerability

Code

           if (desc.length > 0){
                tdesc = "<span class='desc'>" + unescape(desc) + "</span>"; 
           }
           if (cmt.length > 0){
                tcmt = "<span class='h'>Comment</span><span class='cmt'>" + unescape(cmt) + "</span>"; 
           }
           title = tdesc + tcmt;
           return title;

File

Winscope_MVPs.page

Notes

Data from a custom object is written into the DOM and then placed, via JS, into an HTML execution context.

How can I overcome the above problem in the page?

2. FLS Create Vulnerability

Code

        edit = true;

        ap = new Action_Plan__c(Opportunity__c=oppId, From__c=fromModule, Who__c=UserInfo.getUserId(),Related_Record_ID__c=recId);
        if (recId==null) ap.Winscope_Page__c = WinscopePage; //Action added from respective module page
    }//End of WS_AddActionCon

    public void saveAction() {

What can be done to pass the review in the above case?

 

3. URL Redirection Attack Vulnerability

 

Code

    }

    public pageReference backToAction(){
        String PageName = apexPages.currentPage().getParameters().get('pageName');
        PageReference pg = new pageReference(PageName);
        pg.setRedirect(true);
        return pg;

Please, guys, I am looking into it, but if you could, please let me know what the vulnerability is and how it can be fixed.

Awaiting your reply, guys. Thanks.
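For findings 2 and 3, here is a hardened version of the two controller fragments quoted above. This is an added example, not code from the thread or from the Winscope application: the class name, the request parameter names, the custom exception and the allowed page list are assumptions, while Action_Plan__c, its fields and the Winscope_MVPs page are taken from the post. The constructor checks object- and field-level create access before it populates the record from request data, and backToAction() only redirects to a page name that is an exact member of an allow-list instead of handing the raw parameter to PageReference.

```apex
// Added example (not the thread's original code): hardened controller for
// findings 2 (FLS create) and 3 (URL redirection). Names marked "assumed"
// are not from the post.
public with sharing class WS_AddActionCon_Hardened {

    public class AccessException extends Exception {}

    public Action_Plan__c ap { get; private set; }
    public Boolean edit { get; private set; }

    // Finding 3: the only Visualforce pages this controller may send the user
    // back to. A pageName parameter that is not in this set is ignored, so the
    // parameter can never produce a redirect off the org. (Assumed list.)
    private static final Set<String> ALLOWED_PAGES = new Set<String>{ 'Winscope_MVPs' };
    private static final String DEFAULT_PAGE = 'Winscope_MVPs';

    // Finding 2: every field the constructor populates must be createable for
    // the running user. Sharing rules do not cover this; it has to be explicit.
    private static final List<Schema.SObjectField> CREATE_FIELDS = new List<Schema.SObjectField>{
        Action_Plan__c.Opportunity__c,
        Action_Plan__c.From__c,
        Action_Plan__c.Who__c,
        Action_Plan__c.Related_Record_ID__c,
        Action_Plan__c.Winscope_Page__c
    };

    public WS_AddActionCon_Hardened() {
        Map<String, String> params = ApexPages.currentPage().getParameters();
        Id oppId = params.get('oppId');            // assumed parameter names
        String fromModule = params.get('from');
        Id recId = params.get('recId');
        String winscopePage = params.get('page');

        enforceCreateAccess();

        edit = true;
        ap = new Action_Plan__c(
            Opportunity__c = oppId,
            From__c = fromModule,
            Who__c = UserInfo.getUserId(),
            Related_Record_ID__c = recId);
        if (recId == null) ap.Winscope_Page__c = winscopePage; // action added from the module page
    }

    // Object-level and field-level create checks, done before any field is set.
    private static void enforceCreateAccess() {
        if (!Action_Plan__c.sObjectType.getDescribe().isCreateable()) {
            throw new AccessException('No create access to Action_Plan__c');
        }
        for (Schema.SObjectField f : CREATE_FIELDS) {
            Schema.DescribeFieldResult d = f.getDescribe();
            if (!d.isCreateable()) {
                throw new AccessException('No create access to Action_Plan__c.' + d.getName());
            }
        }
    }

    public void saveAction() {
        // The describe checks ran in the constructor; DML alone would only
        // apply sharing, not field-level security.
        insert ap;
    }

    public PageReference backToAction() {
        String pageName = ApexPages.currentPage().getParameters().get('pageName');
        // Validate by exact membership; fall back to a fixed page otherwise.
        if (pageName == null || !ALLOWED_PAGES.contains(pageName)) {
            pageName = DEFAULT_PAGE;
        }
        PageReference pg = new PageReference('/apex/' + pageName);
        pg.setRedirect(true);
        return pg;
    }
}
```

Finding 1 is a client-side issue and is not addressed by this class: the JavaScript in Winscope_MVPs.page should stop calling unescape() on the field values and should set them with textContent (or build the span with document.createElement and set its textContent) rather than concatenating them into an innerHTML string; on the Visualforce side the value can be emitted with the HTMLENCODE() and JSENCODE() functions instead of raw.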

Atif Mohammed

Hi Atul,

Now I am working on the development of the app, and have started working on the security review process, and I have cleared all the bugs which came up from the Checkmarx secure code scanner.

I am very much worried, even if my app is only on the Force.com platform without any other integration. I am facing some problems in manually testing the app for XSS attacks. Can you tell me the major problems which would arise in clearing the security review process?

Thanks,

Atif

Nimble Ted

I don't think there are quick code fixes to these problems. The fix is the application design.

For (1), why are "desc" and "cmt" unescaped? If users need to format the field, perhaps the fields should be broken down so that the system can do the formatting instead.

For (2) and (3), why is navigation determined by a dynamic parameter? Are there any alternative options? Sometimes Custom Settings can be used in place of session scope, so one page could set a value for a user, and another page could retrieve it, without exposing the parameter to HTTP.

-Ted.

 

Ready Set Prep!

* http://appexchange.salesforce.com/listingDetail?listingId=a0N30000009h4laEAA

Nimble Ted

If it's a native application, two things to avoid are unescaping output and using unchecked input. Force.com already has a lot of built-in protection against XSS; it's just a matter of making sure your application doesn't defeat the built-in safeguards.

Here are two key points about XSS:

* In order to prevent XSS attacks, does your application escape all queried data, page elements, and request parameters by replacing the characters < ' > & " with their HTML-safe counterparts before use in any rendering operations (e.g. element.innerHTML=…)?

* If your application dynamically creates API queries, does it escape all included page elements, request parameters, or queried data by replacing the characters ' and \ with \' and \\ before their inclusion in API query strings?

These questions come up after the review is submitted. I don't know why they are not asked sooner, since they drive the point home.

-Ted.

 

Ready Set Prep!

http://appexchange.salesforce.com/listingDetail?listingId=a0N30000009h4laEAA
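The two checklist items above translate directly into two small encoders. The following is an added example, not code from the thread or from any Salesforce library: SafeOutput, htmlEncode, soqlEscape and the two query methods are assumed names, while Action_Plan__c and From__c come from the original post. The HTML encoder replaces exactly the five characters the first item names, the SOQL escaper does the backslash and single-quote replacement the second item names, and the two query methods show the escaped dynamic query next to the bind-variable form that needs no escaping at all.

```apex
// Added example (not from the thread): encoders matching the two review
// checklist items, plus the safer bind-variable alternative.
public with sharing class SafeOutput {

    // Checklist item 1: replace < ' > & " before the value reaches a rendering
    // context such as element.innerHTML. '&' is replaced first so the entities
    // produced by the later replacements are not encoded a second time.
    public static String htmlEncode(String raw) {
        if (raw == null) return '';
        return raw.replace('&', '&amp;')
                  .replace('<', '&lt;')
                  .replace('>', '&gt;')
                  .replace('"', '&quot;')
                  .replace('\'', '&#39;');
    }

    // Checklist item 2: replace \ with \\ and ' with \' before the value is
    // concatenated into a query string. Backslash goes first for the same
    // double-encoding reason.
    public static String soqlEscape(String raw) {
        if (raw == null) return '';
        return raw.replace('\\', '\\\\').replace('\'', '\\\'');
    }

    // Preferred form: a bind variable is never part of the query text, so the
    // value cannot change the query's structure and needs no escaping.
    public static List<Action_Plan__c> findByModule(String fromModule) {
        return [SELECT Id, From__c FROM Action_Plan__c WHERE From__c = :fromModule];
    }

    // When the query genuinely has to be assembled as a string, escape the
    // untrusted part first so a stray quote stays inside the literal.
    public static List<Action_Plan__c> findByModuleDynamic(String fromModule) {
        String soql = 'SELECT Id, From__c FROM Action_Plan__c WHERE From__c = \''
                    + soqlEscape(fromModule) + '\'';
        return Database.query(soql);
    }
}
```

The platform already ships equivalents: String.escapeSingleQuotes() in Apex for the second item, and the HTMLENCODE() and JSENCODE() functions in Visualforce for the first, which is the right tool for the desc and cmt values in finding (1) once the JavaScript stops calling unescape() on them.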

Sridhar Bonagiri

Hi Atul,

Did you find any solution to your security review issues? If yes, please share those with me, as I also got the same issues list from Checkmarx; even though we fixed them, the Checkmarx tool is still showing them as not resolved.

Thanks in advance.

Regards,

Sridhar Bonagiri