salesforce_security_impl_guide
salesforce_security_impl_guide
salesforce_security_impl_guide
Create successful ePaper yourself
Turn your PDF publications into a flip-book with our unique Google optimized e-Paper software.
Security Tips for Apex and Visualforce Development<br />
Cross-Site Request Forgery (CSRF)<br />
requires that the double quote character be escaped with its URL encoded equivalent of %22 instead of the HTML escaped ", since it is<br />
probably going to be used in a link. Otherwise, the request:<br />
http://example.com/demo/redirect.htmlretURL= foo%22%3Balert('xss')%3B%2F%2F<br />
results in:<br />
var ret = "foo";alert('xss');//";<br />
Additionally, the ret variable might need additional client-side escaping later in the page if it is used in a way which can cause included<br />
HTML control characters to be interpreted.<br />
Formula tags can also be used to include platform object data. Although the data is taken directly from the user's organization, it must<br />
still be escaped before use to prevent users from executing code in the context of other users (potentially those with higher privilege<br />
levels). While these types of attacks must be performed by users within the same organization, they undermine the organization's user<br />
roles and reduce the integrity of auditing records. Additionally, many organizations contain data which has been imported from external<br />
sources and might not have been screened for malicious content.<br />
Cross-Site Request Forgery (CSRF)<br />
Cross-Site Request Forgery (CSRF) flaws are less of a programming mistake as they are a lack of a defense. The easiest way to describe<br />
CSRF is to provide a very s<strong>impl</strong>e example. An attacker has a Web page at www.attacker.com . This could be any Web page, including<br />
one that provides valuable services or information that drives traffic to that site. Somewhere on the attacker's page is an HTML tag that<br />
looks like this:<br />
<br />
In other words, the attacker's page contains a URL that performs an action on your website. If the user is still logged into your Web page<br />
when they visit the attacker's Web page, the URL is retrieved and the actions performed. This attack succeeds because the user is still<br />
authenticated to your Web page. This is a very s<strong>impl</strong>e example and the attacker can get more creative by using scripts to generate the<br />
callback request or even use CSRF attacks against your AJAX methods.<br />
For more information and traditional defenses, see the following articles:<br />
• http://www.owasp.org/index.php/Cross-Site_Request_Forgery<br />
• http://www.cgi<strong>security</strong>.com/csrf-faq.html<br />
• http://shiflett.org/articles/cross-site-request-forgeries<br />
Within the Force.com platform, <strong>salesforce</strong>.com has <strong>impl</strong>emented an anti-CSRF token to prevent this attack. Every page includes a random<br />
string of characters as a hidden form field. Upon the next page load, the application checks the validity of this string of characters and<br />
does not execute the command unless the value matches the expected value. This feature protects you when using all of the standard<br />
controllers and methods.<br />
Here again, the developer might bypass the built-in defenses without realizing the risk. For example, suppose you have a custom controller<br />
where you take the object ID as an input parameter, then use that input parameter in an SOQL call. Consider the following code snippet.<br />