+ Start a Discussion
marc_romeumarc_romeu 

Security issue - apex:selectlist value tampering

I have recently performed a Cross-site scripting (XSS) security test in a customer portal and I have received a concerning issue regarding picklists. The results are:

 

The following changes were applied to the original request:

- Set the value of the parameter 'formName:dropDown' to
'%3E%22%27%3E%3Cscript%3Ealert%2876%29%3C%2Fscript%3E'

 

Risk(s): It is possible to steal or manipulate customer session and cookies, which might be used to impersonate a legitimate user,
allowing the hacker to view or alter user records, and to perform transactions as that user

 

The code for generating the dropdown is:

<apex:selectList id="dropDown" value="{!recordName}" size="1" >
    <apex:selectOptions value="{!listOptions}" />
</apex:selectList>

 

I have tried to manually modify the value ot the picklist options in the HTML generated and I have not been able to submit them.

My doubts are: Can the dropdown values actually be tampered? Should I check that the submitted values correspond to the available options?

 

Do not hesitate in contact me for any related queries.

 

Thanks!