CustomDataIntegrations

Help with CSRF Vulnerability

I have the following code that has a CSRF Vulnerability and has improper use of user credentials being passed back to the page.  How can I automatically submit a form with the following info and still pass the Salesforce Security checks?

<apex:page showHeader="false" sidebar="false" standardstylesheets="false" controller="PageController">
<html>
<!-- The form is submitted automatically as soon as the page loads -->
<body onLoad='document.forms[0].submit();'>
<form action='https://www.somesite/Incoming.aspx' method='POST'>

<input type='hidden' name='destinationpage' value='../summary.aspx'/>
<input type='hidden' name='useraction' value='transfer'/>
<!-- Controller values are merged into the hidden fields without escaping -->
<input type='hidden' name='username' value='{!inpLoginValue}'/>
<input type='hidden' name='password' value='{!inpPasswordValue}'/>
<input type='hidden' name='subclientname' value=''/>
<input type='hidden' name='userdatabaseid' value='8d5e1c5f-9a8b-473e-a608-012be1c665d8'/>
<input type='hidden' name='channelid' value='03fccd9b-6d40-4cf8-b10e-20e65bb778ea'/>
<input type='hidden' name='productid' value='b51e6d12-6fbc-4e08-bcb1-a0ac528a94f3'/>

</form>
</body>
</html>
</apex:page>

sfdcfox
You won't pass review because of the automated form submit anyways, so the rest is moot. Why do you need to pass those values, and what is the point of a security review for you? Can you not offer a more secure approach?
CustomDataIntegrations

The receiving page is expecting these parameters to be posted. Is there a way to post to this page from behind a button click instead that would be more secure?

sfdcfox

Actually, thinking about it, I think they may simply be warning you that the page is insecure because you're not properly escaping your values. You should change {!inpLoginValue} to {!HTMLESCAPE(inpLoginValue)}, and likewise for the password. This makes sure that someone won't input a value that could compromise the form's security.

As far as passing an explicit username/password pair, I don't think they'll actually complain about the automated action so much as making sure that, at minimum, the password is encrypted at the database level for protection against other users borrowing passwords (if applicable).

Even better, if the receiving page can log in using multiple means, perhaps an OAuth login would be ideal, as this precludes the need to store a username or password in salesforce.com at all (but you still need to encrypt the refresh token). There are just a lot of considerations when it comes to storing sensitive data.

Check out the following page:

http://wiki.developerforce.com/page/Secure_Coding_Storing_Secrets
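To make the escaping point from the answer above concrete, here is an added example in Python (not code from this thread or from Salesforce): it renders the same kind of hidden-input form with and without attribute escaping, parses the markup back, and checks whether each field value survives intact. The field values, including a username containing a single quote, are constructed for the demonstration.

```python
import html
from html.parser import HTMLParser

# Constructed stand-ins for the merge fields ({!inpLoginValue} etc.) on the page.
# The username deliberately contains characters that end an unescaped attribute.
FIELDS = {
    "destinationpage": "../summary.aspx",
    "useraction": "transfer",
    "username": "o'brien & co",
}


def render_hidden_input(name, value, escape=True):
    """Render one hidden input; escape=False mirrors the unescaped merge field."""
    v = html.escape(value, quote=True) if escape else value
    return f"<input type='hidden' name='{name}' value='{v}'/>"


def render_form(fields, escape=True):
    """Build the auto-submitted POST form from a dict of field values."""
    body = "\n".join(render_hidden_input(n, v, escape) for n, v in fields.items())
    return f"<form action='https://www.somesite/Incoming.aspx' method='POST'>\n{body}\n</form>"


class InputCollector(HTMLParser):
    """Collects the attributes of every <input> the browser-like parser sees."""

    def __init__(self):
        super().__init__()
        self.inputs = []

    def handle_starttag(self, tag, attrs):
        if tag == "input":
            self.inputs.append(dict(attrs))


def parsed_values(fields, escape=True):
    """Render, parse back, and return {name: value} as a browser would submit it."""
    collector = InputCollector()
    collector.feed(render_form(fields, escape))
    return {i.get("name"): i.get("value") for i in collector.inputs}


if __name__ == "__main__":
    # With escaping every value round-trips; without it the quote truncates the
    # username and the remainder of the string becomes stray attributes.
    print("escaped round-trips:  ", parsed_values(FIELDS, escape=True) == FIELDS)
    print("unescaped round-trips:", parsed_values(FIELDS, escape=False) == FIELDS)
```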