John Commute Tracker Dev
Force.com Security Scanner Results - Frame Spoofing for Survey force application
Hi All,
I am trying to include the Survey Force application with our existing app and create a managed package. After submitting the code for Force.com Security Review I received the error messages below:
Frame Spoofing
==============
If a user supplied value is used to construct a frame within the page, it can lead to an attacker controlling what is rendered into the page. By modifying the URL value to a malicious site, an attacker can successfully launch a phishing scam to attempt to steal user credentials. Given the base domain is from an application they trust, they are more likely to believe the request as legitimate and provide the details requested.
Demonstrative Examples:
======================
In the example below, the developer is taking input from the user from the querystring and using that to load into an iframe on the page:
<apex:iframe src="{!$CurrentPage.parameters.iframesrc}"></apex:iframe>
With input provided from an attacker, the iframe will be rendered into the page with the host of the attacker's choosing, such as the link below.
<iframe src="http://www.badguy.com/stealcreds.php" >
Potential Mitigations
=====================
Frame spoofing can be mitigated by strongly validating the user input provided to your application. In the case where user input is needed to construct the parameters used in a frame, the developer should control the domain loaded through a constant or white list if possible. The example below shows a very simplistic method:
<apex:iframe src="http://domainofchoice.com/page?{!$CurrentPage.parameters.iframesrc}"></apex:iframe>
===================================================================================================================
Issue in Classes
42. get //viewsharesurveycomponentcontroller.cls
...
48. String urlPrefix = setupUrlPrefix(surveySite);
163. private String setupUrlPrefix(String site) //viewsharesurveycomponentcontroller.cls
...
167. return site+'/';
42. get //viewsharesurveycomponentcontroller.cls
48. String urlPrefix = setupUrlPrefix(surveySite);
...
50. String urlToSave= domain+'/'+urlPrefix+'TakeSurvey?';
...
55. return urlToSave;
41. <apex:iframe src="!surveyURLBase + surveyURL}" scrolling="True" /> //viewsharesurveycomponent.component
63. public viewShareSurveyComponentController() //viewsharesurveycomponentcontroller.cls
...
66. urlType.add(new SelectOption('Email Link w/ Contact Merge',System.Label.LABS_SF_Email_Link_w_Contact_Merge));
41. <apex:iframe src="!surveyURLBase + surveyURL}" scrolling="True" /> //viewsharesurveycomponent.component
42. get //viewsharesurveycomponentcontroller.cls
...
48. String urlPrefix = setupUrlPrefix(surveySite);
163. private String setupUrlPrefix(String site) //viewsharesurveycomponentcontroller.cls
167. return site+'/';
...
42. get //viewsharesurveycomponentcontroller.cls
...
48. String urlPrefix = setupUrlPrefix(surveySite);
...
50. String urlToSave= domain+'/'+urlPrefix+'TakeSurvey?';
...
55. return urlToSave;
41. <apex:iframe src="!surveyURLBase + surveyURL}" scrolling="True" /> //viewsharesurveycomponent.component
Any idea?
// Return no prefix when no site is supplied; otherwise append a trailing slash.
private String setupUrlPrefix(String site)
{
    if (site == null || site == 'EMPTY')
        return '';
    else
        return site + '/';
}
Thanks for your code; however, I believe both methods would give the same result, i.e. return ' ' if site is blank, otherwise site + '/'. As I understand it, we are getting the issue because we are generating the whole src of the apex:iframe dynamically. As per the point below in the security scanner doc:
Potential Mitigations
=====================
Frame spoofing can be mitigated by strongly validating the user input provided to your application. In the case where user input is needed to construct the parameters used in a frame, the developer should control the domain loaded through a constant or white list if possible. The example below shows a very simplistic method:
<apex:iframe src="http://domainofchoice.com/page?{!$CurrentPage.parameters.iframesrc}"></apex:iframe>
----------------------------
They are suggesting that we hardcode the domain or whitelist it if possible. But in our case we cannot hardcode the domain, since it's a managed package.
1. Make your domain a "Custom Label" and store the domain name in it.
2. Change your iFrame as
Hope this helps!
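The following is an added example, not code from the Survey Force project or from anyone in this thread. It combines the scanner's mitigation (a controlled domain plus an allowlist for the user-influenced part) with the custom-label suggestion above, so that the iframe src is assembled entirely from controller state and no request parameter can change the host. The label name Survey_Base_Domain, the allowlist values, the 'site' parameter name and the class name are assumptions.

```apex
// Added example (assumed names throughout): the controller owns the domain and
// the allowlist; the Visualforce component only concatenates controller fields.
public with sharing class SafeSurveyFrameController {

    // Hypothetical custom label holding the trusted base domain, e.g.
    // 'https://surveys.example.com'. Subscribers of the managed package set
    // the value per org, so nothing is hardcoded in the package itself.
    private static final String TRUSTED_DOMAIN = System.Label.Survey_Base_Domain;

    // Only these site prefixes may be spliced into the URL path (assumed values).
    private static final Set<String> ALLOWED_SITES = new Set<String>{ 'survey', 'labs' };

    public String surveyURLBase { get; private set; }

    public SafeSurveyFrameController() {
        // The request parameter is consulted, but it can only select an
        // allowlisted prefix; it is never copied into the URL verbatim.
        String site = ApexPages.currentPage().getParameters().get('site');
        surveyURLBase = buildUrlBase(site);
    }

    // Builds TRUSTED_DOMAIN + '/' + prefix + 'TakeSurvey?'. Unknown or blank
    // site values fall back to the empty prefix instead of being echoed.
    @TestVisible
    private static String buildUrlBase(String site) {
        String prefix = setupUrlPrefix(site);
        String base = TRUSTED_DOMAIN.removeEnd('/') + '/' + prefix + 'TakeSurvey?';

        // Defence in depth: whatever was concatenated, the resulting URL must
        // still resolve to the trusted host before it reaches the frame.
        Url parsed = new Url(base);
        Url trusted = new Url(TRUSTED_DOMAIN);
        if (parsed.getHost() != trusted.getHost()) {
            throw new SurveyFrameException('Frame target host is not the trusted domain');
        }
        return base;
    }

    // Allowlisted prefix or nothing. Encoding is applied even though the value
    // is allowlisted, so a future allowlist entry cannot smuggle '/' or '?'.
    @TestVisible
    private static String setupUrlPrefix(String site) {
        if (String.isBlank(site) || site == 'EMPTY' || !ALLOWED_SITES.contains(site)) {
            return '';
        }
        return EncodingUtil.urlEncode(site, 'UTF-8') + '/';
    }

    public class SurveyFrameException extends Exception {}
}

// In the component the src is then built only from controller fields, with the
// same expression shape as the flagged line (surveyURL being the remaining,
// separately validated query portion):
//
//   <apex:iframe src="{!surveyURLBase + surveyURL}" scrolling="true" />
```

The point the scanner is making is not about the trailing slash in setupUrlPrefix, but about where the host of the src comes from. With this layout the host is fixed by the label, the only user-influenced segment is chosen from a closed set, and the final host check would catch a regression even if someone later loosened the allowlist.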