+ Start a Discussion
John Commute Tracker DevJohn Commute Tracker Dev 

Force.com Security Scanner Results - Frame Spoofing for Survey force application

Hi All,
I am trying to include survey force application with our existing app and creating a manage package. After submitting the code for Force.com Security review I have received below error messages:

Frame Spoofing
==============
If a user supplied value is used to construct a frame within the page, it can lead to an attacker controlling what is rendered into the page.  By modifying the URL value to a malicious site, an attacker can successfully launch a phishing scam to attempt to steal user credentials.  Given the base domain is from an application they trust, they are more likely to believe the request as legitimate and provide the details requested.

Demonstrative Examples:
======================
In the example below, the developer is taking input from the user from the querystring and using that to load into an iframe on the page:

<apex:iframe src="{!$CurrentPage.parameters.iframesrc}"></apex:iframe>

With input provided from an attacker, the iframe will be rendered into the page with the host of the attackers choosing, such as the link below.

<iframe src="http://www.badguy.com/stealcreds.php" >

Potential Mitigations  
=====================
Frame spoofing can be mitigated by strongly validating the user input provided to your application.  In the case where

user input is needed to construct the parameters used in a frame, the developer should control the domain loaded

through a constant or white list if possible.  The example below shows a very simplistic method

<apex:iframe src="http://domainofchoice.com/page?{!$CurrentPage.parameters.iframesrc}"></apex:iframe>

===================================================================================================================
Issue in Classes

42. get //viewsharesurveycomponentcontroller.cls      
...
48. String urlPrefix = setupUrlPrefix(surveySite);

163. private String setupUrlPrefix(String site) //viewsharesurveycomponentcontroller.cls       
...

167. return site+'/';

42. get //viewsharesurveycomponentcontroller.cls

48. String urlPrefix = setupUrlPrefix(surveySite);
...

50. String urlToSave= domain+'/'+urlPrefix+'TakeSurvey?';
...
55. return urlToSave;
41. <apex:iframe src="!surveyURLBase + surveyURL}" scrolling="True" /> //viewsharesurveycomponent.component

63. public viewShareSurveyComponentController() //viewsharesurveycomponentcontroller.cls      
...
66. urlType.add(new SelectOption('Email Link w/ Contact Merge',System.Label.LABS_SF_Email_Link_w_Contact_Merge));
41. <apex:iframe src="!surveyURLBase + surveyURL}" scrolling="True" /> //viewsharesurveycomponent.component      
42. get //viewsharesurveycomponentcontroller.cls      
...
48. String urlPrefix = setupUrlPrefix(surveySite);
163. private String setupUrlPrefix(String site) //viewsharesurveycomponentcontroller.cls      
167. return site+'/';
...
42. get //viewsharesurveycomponentcontroller.cls
...
48. String urlPrefix = setupUrlPrefix(surveySite);      
...
50. String urlToSave= domain+'/'+urlPrefix+'TakeSurvey?';
...
55. return urlToSave;

41. <apex:iframe src="!surveyURLBase + surveyURL}" scrolling="True" /> //viewsharesurveycomponent.component

Any Idea ??
Sumitkumar_ShingaviSumitkumar_Shingavi
All isssues sound to be in your setupUrlPrefix() method. So, can you publish code inside it.
John Commute Tracker DevJohn Commute Tracker Dev
Sure please find the code below:
private String setupUrlPrefix(String site)
{    
 if(site == null || site=='EMPTY')      
return '';    
else     
return site+'/';   
}
Sumitkumar_ShingaviSumitkumar_Shingavi
I think, you are over-complicating it and your code should be
private String setupUrlPrefix(String site) {    
    if(!String.isBlank(site)) { 
        return site+'/';   
    } else {
        return '';
    }
}
Finally, you might put that slash directly in URL. Your issue is more around parameters in URL which you creating so you have to use syntax like
PageReference pref = Page.MyPage;
pref.getParameters().put('pname', 'pvalue');
//Add additional parameters here like above line
pref.setRedirect(true);
return pref;
if this solves your problem then mark it as solution so it will help others.
John Commute Tracker DevJohn Commute Tracker Dev
@Sumit
Thanks for your code, however, I believe both the methods would provide same result i.e. return ' ' if site is blank otherwise return site + '/' . As I understand we are getting issue since we are generating whole src of apex:iframe dynamically. As per the below point in security scanner doc:

Potential Mitigations  
=====================
Frame spoofing can be mitigated by strongly validating the user input provided to your application.  In the case where user input is needed to construct the parameters used in a frame, the developer should control the domain loaded through a constant or white list if possible.  The example below shows a very simplistic method

<apex:iframe src="http://domainofchoice.com/page?{!$CurrentPage.parameters.iframesrc}"></apex:iframe>

----------------------------
They are suggesting us to hardcode the domain or white list of possible. But in our case we can not hardcode the domain since its a manage package.
 
Sumitkumar_ShingaviSumitkumar_Shingavi
Oh! I think, I got why you facing this!
1. Make your domain as "Custom Label" and store domain name in that.
2. Change your iFrame as
<apex:iframe src="{!Label.DomainName}/page?{!$CurrentPage.parameters.iframesrc}"></apex:iframe>

Hope this helps!