CustomDataIntegrations
Help with CSRF Vulnerability
I have the following code that has a CSRF Vulnerability and has improper use of user credentials being passed back to the page. How can I automatically submit a form with the following info and still pass the Salesforce Security checks?
```html
<apex:page showHeader="false" sidebar="false" standardstylesheets="false" controller="PageController">
  <html>
    <body onLoad='javascript: document.forms[0].submit();'>
      <form action='https://www.somesite/Incoming.aspx' method='POST'>
        <input type='hidden' name='destinationpage' value='../summary.aspx'/>
        <input type='hidden' name='useraction' value='transfer'/>
        <input type='hidden' name='username' value='{!inpLoginValue }'/>
        <input type='hidden' name='password' value='{!inpPasswordValue }'/>
        <input type='hidden' name='subclientname' value=''/>
        <input type='hidden' name='userdatabaseid' value='8d5e1c5f-9a8b-473e-a608-012be1c665d8'/>
        <input type='hidden' name='channelid' value='03fccd9b-6d40-4cf8-b10e-20e65bb778ea'/>
        <input type='hidden' name='productid' value='b51e6d12-6fbc-4e08-bcb1-a0ac528a94f3'/>
      </form>
    </body>
  </html>
</apex:page>
```
The receiving page is expecting these parameters to be posted. Is there a way to post to this page from behind a button click instead that would be more secure?
Actually, thinking about it, I think they may simply be warning you that the page is insecure because you're not properly escaping your values. You should change {!inpLoginValue} to {!HTMLESCAPE(inpLoginValue)}, and likewise for the password. This makes sure that someone won't input a value that could compromise the form's security.
As far as passing an explicit username/password pair goes, I don't think they'll actually complain about the automated action so much as make sure that, at minimum, the password is encrypted at the database level for protection against other users borrowing passwords (if applicable).
Even better, if the receiving page can log in using multiple means, perhaps an OAuth login would be ideal, as this precludes the need to store a username or password in salesforce.com at all (but you still need to encrypt the refresh token). There are just a lot of considerations when it comes to storing sensitive data.
Check out the following page:
http://wiki.developerforce.com/page/Secure_Coding_Storing_Secrets
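To make the escaping point above concrete, here is an added example (not code from the question or the answer) that mimics the hidden form in the question and shows what an unencoded merge field lets a hostile login value do. The form template is a constructed copy of the question's form with the constant GUID inputs dropped; `html.escape(quote=True)` from the Python standard library stands in for the Visualforce encoding function, and the `HOSTILE_LOGIN` value is a constructed payload. The `HTMLParser` subclass decodes entity references in attribute values the way a browser would, so the field list it returns is what the receiving site would actually be POSTed.

```python
import html
from html.parser import HTMLParser

# Constructed stand-in for the hidden form in the question. {login} and {password}
# play the role of the {!inpLoginValue} / {!inpPasswordValue} merge fields; the
# constant GUID inputs are dropped because no user input reaches them.
FORM_TEMPLATE = (
    "<form action='https://www.somesite/Incoming.aspx' method='POST'>"
    "<input type='hidden' name='destinationpage' value='../summary.aspx'/>"
    "<input type='hidden' name='useraction' value='transfer'/>"
    "<input type='hidden' name='username' value='{login}'/>"
    "<input type='hidden' name='password' value='{password}'/>"
    "</form>"
)


def render_form(login, password, encode=True):
    """Render the form as the page would.

    encode=False mirrors dropping the controller values straight into the
    attribute, as the original page does.  encode=True mirrors wrapping each
    merge field in an HTML-encoding function; Python's html.escape(quote=True)
    stands in for it here.  It encodes ' and " as well as & < >, which matters
    because the attributes in this form are single-quoted.
    """
    if encode:
        login = html.escape(login, quote=True)
        password = html.escape(password, quote=True)
    return FORM_TEMPLATE.format(login=login, password=password)


class _InputCollector(HTMLParser):
    """Collects every <input> start tag; HTMLParser decodes attribute entities."""

    def __init__(self):
        super().__init__()
        self.inputs = []

    def handle_starttag(self, tag, attrs):
        if tag == "input":
            self.inputs.append(dict(attrs))


def submitted_fields(markup):
    """Return the (name, value) pairs a browser would POST from the rendered form."""
    collector = _InputCollector()
    collector.feed(markup)
    return [(attrs.get("name"), attrs.get("value")) for attrs in collector.inputs]


def duplicated_fields(fields):
    """Names that occur more than once: a sign that injected markup added inputs."""
    names = [name for name, _ in fields]
    return sorted({n for n in names if names.count(n) > 1})


# Constructed hostile login value: closes the username attribute, adds a second
# destinationpage input pointing at an attacker-controlled host, then opens a
# dummy attribute so the tail of the original tag still parses cleanly.
HOSTILE_LOGIN = (
    "' /><input type='hidden' name='destinationpage' "
    "value='https://attacker.example/steal.aspx'/><input type='hidden' name='x' value='"
)

if __name__ == "__main__":
    for encode in (False, True):
        fields = submitted_fields(render_form(HOSTILE_LOGIN, "hunter2", encode=encode))
        print("encode=%s duplicates=%s" % (encode, duplicated_fields(fields)))
        for name, value in fields:
            print("  %s=%r" % (name, value))
```

Run unencoded, the parsed form carries two `destinationpage` fields, the second pointing at the attacker host, plus a stray `x` field; the username the site receives is empty. Run encoded, the form has exactly the four intended fields and the username round-trips byte-for-byte, because the browser decodes the entities only after the attribute boundaries are fixed. This covers the markup-injection finding only; in Visualforce the platform function that performs this encoding is HTMLENCODE(), and it does nothing about the separate question of whether credentials should be posted to a third party from a page at all.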