Siim

Cross Site Reference Forgery error for Visualforce pages

Hello,

I have the following VF page

<apex:page standardController="Call__c" recordSetVar="call" extensions="CallSetExt" action="{!removeAndRedirect}"></apex:page>

and the controller as follows

public with sharing class CallSetExt {

    private ApexPages.StandardSetController con;
    public CallSetExt(ApexPages.StandardSetController controller) {
        con = controller;
    }
    public PageReference removeAndRedirect()
    {
        delete con.getSelected();
        return new PageReference(ApexPages.currentPage().getParameters().get('retURL'));
    }
    public PageReference callPlanRedirect()
    {
        return (new PageReference('/apex/CallPlanning'));
    }
    public PageReference callReDirect()
    {
        return (new PageReference('/apex/CallPage1'));
    }

}


When I try scanning my code for the security review, I get a Cross Site Reference Forgery error for the above page.

Can anyone please help on how I should enforce Cross Site Reference Forgery protection in the above VF page? I saw the examples Salesforce gave but I couldn't apply it to my case.

Thanks in advance,

Siim

Best Answer chosen by Admin (Salesforce Developers) 
Shashikant Sharma

Read this:

Here again, the developer might bypass the built-in defenses without realizing the risk. For example, suppose you have a custom controller where you take the object ID as an input parameter, then use that input parameter in an SOQL call. Consider the following code snippet.

<apex:page controller="myClass" action="{!init}"></apex:page>

public class myClass {
    public void init() {
        // The id comes straight from the request and the page-load action runs on a plain GET,
        // so no anti-CSRF token is ever sent or checked before the delete.
        Id id = ApexPages.currentPage().getParameters().get('id');
        Account obj = [SELECT Id, Name FROM Account WHERE Id = :id];
        delete obj;
        return;
    }
}

In this case, the developer has unknowingly bypassed the anti-CSRF controls by developing their own action method. The id parameter is read and used in the code. The anti-CSRF token is never read or validated. An attacker Web page might have sent the user to this page using a CSRF attack and provided any value they wish for the id parameter.

There are no built-in defenses for situations like this and developers should be cautious about writing pages that take action based upon a user-supplied parameter like the id variable in the preceding example. A possible work-around is to insert an intermediate confirmation page before taking the action, to make sure the user intended to call the page. Other suggestions include shortening the idle session timeout for the organization and educating users to log out of their active session and not use their browser to visit other sites while authenticated.
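One way to apply the intermediate-confirmation work-around to Siim's page, as an added example that is not code from this thread (the page name CallDeleteConfirm, the class name CallSetConfirmExt and the selectedCount property are assumed): the delete is taken out of the page's action attribute and moved behind a commandButton inside an apex:form, so it only runs on the form POST that carries Visualforce's own anti-CSRF token, never on a plain GET of the page.

```apex
/* Visualforce page "CallDeleteConfirm" (assumed name). The delete is not
 * wired to the page's action attribute; it runs only from the commandButton
 * inside <apex:form>, so the POST carries Visualforce's own anti-CSRF token.
 * <apex:page standardController="Call__c" recordSetVar="calls"
 *            extensions="CallSetConfirmExt">
 *   <apex:form>
 *     <apex:pageBlock title="Confirm deletion">
 *       <apex:pageMessages/>
 *       <apex:outputText value="{!selectedCount} call(s) will be deleted."/>
 *       <apex:pageBlockButtons>
 *         <apex:commandButton value="Delete" action="{!removeAndRedirect}"/>
 *         <apex:commandButton value="Cancel" action="{!cancel}" immediate="true"/>
 *       </apex:pageBlockButtons>
 *     </apex:pageBlock>
 *   </apex:form>
 * </apex:page>
 */
public with sharing class CallSetConfirmExt {
    private final ApexPages.StandardSetController con;
    public CallSetConfirmExt(ApexPages.StandardSetController controller) {
        con = controller;
    }
    // Rendered on the confirmation page so the user sees what a click will delete.
    public Integer getSelectedCount() {
        return con.getSelected().size();
    }
    // Reached only through the form POST above, never by simply loading the page.
    public PageReference removeAndRedirect() {
        List<SObject> selected = con.getSelected();
        if (selected.isEmpty()) {
            ApexPages.addMessage(new ApexPages.Message(ApexPages.Severity.WARNING, 'No calls were selected.'));
            return null;
        }
        delete selected;
        return back();
    }
    public PageReference cancel() {
        return back();
    }
    // Same retURL handling as the original controller, with the list view as fallback.
    private PageReference back() {
        String retUrl = ApexPages.currentPage().getParameters().get('retURL');
        PageReference pr = String.isBlank(retUrl) ? con.cancel() : new PageReference(retUrl);
        pr.setRedirect(true);
        return pr;
    }
}
```

The page is still launched from a list view button with records selected, as before; the only user-visible change is one extra click on "Delete".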

All Answers

Siim

Thank you for your quick reply. I know where the error is but I cannot find a solution for it. It would be nice if someone could provide a solution where I only need the logic in the action of the apex:page tag and resolve the issue of Cross Site Reference Forgery, where I do not need any other button (save etc.) on my page.

Sridhar Bonagiri

Hi Siim,

Were you able to find any solution to the mentioned problem? We are also facing the same problem when we run our code through the security scanner.

Regards,

Sridhar Bonagiri.

Siim

Hi Sridhar,

Since we didn't have time, we changed the functionality and didn't use the button.

You can consider Shashikant's reply!

Thanks Shashikant!

Hope it helps!
Siim