
Security issue - apex:selectlist value tampering

I have recently performed a Cross-site scripting (XSS) security test in a customer portal and I have received a concerning issue regarding picklists. The results are:


The following changes were applied to the original request:

- Set the value of the parameter 'formName:dropDown' to


Risk(s): It is possible to steal or manipulate customer session and cookies, which might be used to impersonate a legitimate user, allowing the hacker to view or alter user records, and to perform transactions as that user.


The code for generating the dropdown is:

<apex:selectList id="dropDown" value="{!recordName}" size="1" >
    <apex:selectOptions value="{!listOptions}" />
</apex:selectList>


I have tried to manually modify the value of the picklist options in the HTML generated and I have not been able to submit them.

My doubts are: Can the dropdown values actually be tampered with? Should I check that the submitted values correspond to the available options?


Do not hesitate to contact me for any related queries.
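Added example (not code from the original post): a hypothetical Apex controller behind the markup above, showing the server-side check the question asks about. The browser only posts a string for the `formName:dropDown` parameter, so the scanner can substitute any value regardless of what the rendered `<option>` list contained; the controller therefore rebuilds the allowed set and rejects anything outside it. Only `listOptions` and `recordName` come from the original markup; the class name, the `submit` action, the error message and the use of Account names as the option source are assumptions.

```apex
// Hypothetical controller for the apex:selectList shown in the post.
// Names other than listOptions / recordName are assumed for this example.
public with sharing class DropDownController {

    // Bound to value="{!recordName}"; holds whatever string the client posted.
    public String recordName { get; set; }

    // Bound to value="{!listOptions}"; the set the server considers valid.
    // Assumed data source: Account names (constructed for this example).
    public List<SelectOption> getListOptions() {
        List<SelectOption> options = new List<SelectOption>();
        for (Account a : [SELECT Name FROM Account ORDER BY Name LIMIT 100]) {
            options.add(new SelectOption(a.Name, a.Name));
        }
        return options;
    }

    // Returns true only when the posted value is one the server itself offered.
    public Boolean isAllowedSelection(String submitted) {
        if (submitted == null) {
            return false;
        }
        Set<String> allowed = new Set<String>();
        for (SelectOption o : getListOptions()) {
            allowed.add(o.getValue());
        }
        return allowed.contains(submitted);
    }

    // Action method (assumed name). Re-validates the submission before
    // doing anything with it, so a tampered parameter cannot reach the
    // record lookup or any output that renders the value.
    public PageReference submit() {
        if (!isAllowedSelection(recordName)) {
            ApexPages.addMessage(new ApexPages.Message(
                ApexPages.Severity.ERROR, 'The selected value is not valid.'));
            return null;
        }
        // Safe to proceed with recordName here.
        return null;
    }
}
```

Visualforce HTML-escapes `{!}` expressions by default, so the injected string is only rendered as markup if the page later outputs it with escaping disabled (for example `escape="false"`); the validation above keeps such a value out of the controller's data flow in the first place.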