Preventing XSS | Community
Tamir_Belzer
Level 2
January 1, 2020
Question

Hi, one of our security people noted that the Visualforce Marketo window within Salesforce (the Marketo Sales Insights) is a security threat, especially for XSS attacks, meaning people trying to inject a script into a Marketo form and hack the system.

Is that true? If so, is there something we can do? He said that using captcha or reCAPTCHA will not help in these cases and the fix should be on the server side.

Does anyone have any information about that? 

SanfordWhiteman
Level 10
January 1, 2020

This has the distinctive ring of FUD. (Hint: if someone tries to scare you by mentioning only an acronym like "XSS", but won't even provide a glancing example of the exploit, it's probably FUD.)

Exactly what field, when you inject an HTML <script> tag into it using an end user exposed function -- be that a form post, web activity, or anything you can do without authentication -- is not HTML-escaped in the MSI frame?

Can you show an alert() popping up from the MSI frame based on untrusted data/activities in Marketo?

Tamir_Belzer
Level 2
January 2, 2020

Hi Sanford,

We did get examples, and maybe my explanation was not complete because I didn't understand our security guy's explanation fully, but we are concerned about it.

What more information do I need to write here or ask our security guy? 

Thank you. 

SanfordWhiteman
Level 10
January 2, 2020

What more information do I need to write here or ask our security guy?

How, acting as a public end user (not an authenticated Marketo user) are you getting script content into Marketo fields or activities and having it be executed, instead of escaped, in MSI?

For one counterexample, if someone's Last Name contains an HTML script tag, it is escaped as text content (i.e. the "source code" is displayed) in MSI -- not executed.

An XSS vulnerability means there's a way of getting unfiltered script content into Marketo, such that it is not HTML-escaped when output into MSI.

It's possible that there is such a vulnerability, using some creative encoding on the way into Marketo -- bugs always happen, that's the nature of software -- but merely saying so doesn't prove it.
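The distinction the reply draws, between a field value that is HTML-escaped at output time (the script tag is displayed as source) and one that is not, as an added example that is not Marketo's, Salesforce's or the poster's code. The `renderFieldRow` / `renderFieldRowUnsafe` names and the sample lead values are constructed for illustration.

```javascript
// Added example (not Marketo's or Salesforce's code): render an untrusted
// lead field, such as Last Name, as HTML text content, and check whether a
// script tag ends up displayed as text or left as an executable element.
const ESCAPES = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };

// Escape every character that can change HTML structure in text content.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => ESCAPES[ch]);
}

// Hardened renderer: field label and value are both untrusted and escaped
// at the point of output, which is the "fix on the server side" being asked about.
function renderFieldRow(field, value) {
  return `<tr><td>${escapeHtml(field)}</td><td>${escapeHtml(value)}</td></tr>`;
}

// The pattern an XSS finding would have to demonstrate: stored value
// concatenated into markup without escaping. Shown only for contrast.
function renderFieldRowUnsafe(field, value) {
  return `<tr><td>${field}</td><td>${value}</td></tr>`;
}

// Defensive check on a rendered fragment: is there still a script element
// (case-insensitive, tolerating whitespace after the bracket)?
function containsScriptElement(html) {
  return /<\s*script\b/i.test(html);
}

// Constructed sample lead values, including the Last Name case from the reply.
const SAMPLE_LEADS = [
  { field: "Last Name", value: "O'Brien" },
  { field: "Last Name", value: "<script>alert(1)</script>" },
  { field: "Company", value: 'Acme "Widgets" & Co' },
];

// Render each sample through the hardened path and flag anything executable.
function auditRendering(leads) {
  return leads.map(({ field, value }) => {
    const html = renderFieldRow(field, value);
    return { field, value, html, executable: containsScriptElement(html) };
  });
}

if (typeof require !== "undefined" && require.main === module) {
  for (const row of auditRendering(SAMPLE_LEADS)) {
    console.log(row.executable ? "EXECUTABLE" : "escaped   ", row.html);
  }
}
```

Running the same samples through `renderFieldRowUnsafe` is what a real finding would need to show: `containsScriptElement` returning true for output built from data a public end user can submit.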