Jun 1, 2024

Stuck on the Salesforce Security Review Process?


For each finding below, the vulnerable code that a reviewer would cite as evidence is shown together with the attack vector it exposes, followed by the remediation.

1. Stored XSS Vulnerability –

Cross-Site Scripting (XSS) is an injection flaw in which attacker-controlled script is delivered to other users through a trusted web site. In a stored XSS the payload is persisted, here in a Salesforce record field, and executes in the browser of every user who later views a page that renders that field without encoding.

<script type="text/javascript">
function popupwindow4(){
    window.open('/apex/cancelSubscriptionPage?id={!Opportunity.Id}&subdomain={!Opportunity.SubDomain__c}',
        'Popup1','height=400,width=500,left=400,top=200,scrollbars=yes,toolbar=no,status=no');
}
</script>

Visualforce does not escape merge fields rendered inside a <script> block, so every value placed there must be encoded for the JavaScript context. In the example above the raw value of Opportunity.SubDomain__c is written unescaped into the single-quoted string passed to window.open (it is a record field, not a JSON response, which is why the finding is a stored XSS). A user who can edit that field can store a value containing a single quote, which terminates the string literal; whatever follows it runs as script in the browser of every user who opens the page for that Opportunity.

Fix:

window.open('/apex/cancelSubscriptionPage?id={!Opportunity.Id}&subdomain={!JSENCODE(Opportunity.SubDomain__c)}',
    'Popup1','height=400,width=500,left=400,top=200,scrollbars=yes,toolbar=no,status=no');

JSENCODE escapes the quote, backslash and line-break characters that would otherwise end the JavaScript string literal. Because the value is also a query-string parameter, it should be encoded for both contexts, inner layer first: {!JSENCODE(URLENCODE(Opportunity.SubDomain__c))}. Apply the matching encoding function to every merge field inside a script block, not only the one the reviewer flagged; Opportunity.Id is safe here only because Salesforce Ids are alphanumeric and cannot contain a quote.

2. Sensitive Information in Debug Vulnerability –

Information revealed in debug statements can hand an attacker the details needed to plan an attack. Debug statements are invaluable for diagnosing problems in an application, but they must not disclose sensitive or overly detailed information: passwords, API keys, tokens, stack traces surfaced as error messages, and whole records that contain confidential fields.

OpportunityOj = [select id, name, specific__c from Opportunity where id = :tempId];
system.debug('*******OpportunityOj' + OpportunityOj);

Fix: Remove the System.debug() calls from the code, or at the very least every call that logs a whole record, a credential or an exception's stack trace. Debug logs are not private to the developer: anyone who can enable and read logs for a user sees their contents, so treat log output as a disclosure channel.

3. CRUD/FLS Enforcement Vulnerability –

Object-level (CRUD) and field-level security (FLS) are configured on profiles and permission sets and restrict which object types and individual fields a user may read, create, edit or delete. Apex runs in system context and does not enforce these settings on its own, so Force.com developers must design all their applications to enforce the organization's CRUD and FLS settings explicitly and to degrade gracefully when a user's access has been restricted.

OpportunityOj =[select id,name, Coupon_Code__c from Opportunity where id =:tempId ];
update OpportunityOj;

A CRUD/FLS check must precede every SOQL query and every DML statement. Review all class files and add the appropriate check before querying data with a select statement and again before each DML operation.

Use isAccessible() before reading data (for example before running a query), isCreateable() before inserting, isUpdateable() before updating and isDeletable() before deleting. All four exist on the object describe (Schema.sObjectType.Opportunity) for CRUD; the first three also exist on each field describe (Schema.sObjectType.Opportunity.fields.Coupon_Code__c) for FLS. Both levels need checking, since a user may be allowed to edit Opportunities but not the specific field being written.

Fix:-

// Object- and field-level read permission, checked before the query runs
if (!Schema.sObjectType.Opportunity.isAccessible() || !Schema.sObjectType.Opportunity.fields.Coupon_Code__c.isAccessible()) {
    ApexPages.addMessage(new ApexPages.Message(ApexPages.Severity.FATAL, 'Insufficient access'));
    return null;
}
OpportunityOj = [select id, name, Coupon_Code__c from Opportunity where id = :tempId];

// Object- and field-level update permission, checked before the DML runs
if (!Schema.sObjectType.Opportunity.isUpdateable() || !Schema.sObjectType.Opportunity.fields.Coupon_Code__c.isUpdateable()) {
    ApexPages.addMessage(new ApexPages.Message(ApexPages.Severity.FATAL, 'Insufficient access'));
    return null;
}
update OpportunityOj;

4. Sharing Violation Vulnerability –

The Force.com platform makes extensive use of record sharing rules: each object has sharing settings that decide which users can see and edit which records, alongside the profile permissions that decide who can read, create, edit and delete the object at all. Standard controllers enforce all of these. A custom Apex class, by contrast, runs in system context: unless it is declared with sharing, the organization's sharing rules are ignored during execution, and profile and field-level permissions are never enforced automatically by Apex (see item 3 for the explicit checks).

public class CreateProductThroughSFDC {
}

Declare classes with the with sharing keyword so that the running user's record sharing rules are applied to every query and DML inside them. A class declared without any sharing keyword (as below) inherits the sharing context of its caller and, when it is the entry point such as a page controller, runs without sharing; for utility classes called from both contexts, inherited sharing makes that behaviour explicit. Note that with sharing only governs record visibility; it does not perform the CRUD/FLS checks from item 3.

Fix:

public with sharing class CreateProductThroughSFDC {
}
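The following is an added example, not code from the original post, showing how the fixes from items 3 and 4 fit together in one Visualforce controller: the class runs with sharing so record visibility follows the user's sharing rules, CRUD and FLS are checked explicitly on both the read and the write path, and the newer platform features WITH SECURITY_ENFORCED and Security.stripInaccessible are used alongside the describe checks. The class name CouponController, the method applyCoupon and the field Coupon_Code__c are assumptions for illustration.

```apex
// Added example (not from the original post). Names are illustrative:
// CouponController, applyCoupon and Coupon_Code__c are assumed, not taken from the page.
public with sharing class CouponController {          // record-level sharing rules enforced
    public Opportunity opp { get; private set; }
    private final Id oppId;

    public CouponController(ApexPages.StandardController stdCtrl) {
        oppId = Id.valueOf(stdCtrl.getId());
        opp = loadOpportunity(oppId);
    }

    // Read path: object- and field-level read permission checked before SOQL runs.
    // WITH SECURITY_ENFORCED makes the query itself throw a QueryException if the
    // running user lacks read access to any field in the SELECT list, so the
    // describe checks above it are the belt and the clause is the braces.
    private Opportunity loadOpportunity(Id recordId) {
        if (!Schema.sObjectType.Opportunity.isAccessible()
                || !Schema.sObjectType.Opportunity.fields.Coupon_Code__c.isAccessible()) {
            ApexPages.addMessage(new ApexPages.Message(ApexPages.Severity.FATAL, 'Insufficient access'));
            return null;
        }
        // Because the class is "with sharing", a record the user is not shared with
        // simply returns no rows here instead of leaking.
        List<Opportunity> rows = [SELECT Id, Name, Coupon_Code__c
                                  FROM Opportunity
                                  WHERE Id = :recordId
                                  WITH SECURITY_ENFORCED
                                  LIMIT 1];
        return rows.isEmpty() ? null : rows[0];
    }

    // Write path: CRUD check on the object, then FLS check on every field written.
    // Security.stripInaccessible removes fields the user may not update rather than
    // failing the whole DML; the check on getRemovedFields() turns a silently dropped
    // field into a visible error instead of a half-applied update.
    public PageReference applyCoupon() {
        if (opp == null) {
            return null;
        }
        if (!Schema.sObjectType.Opportunity.isUpdateable()) {
            ApexPages.addMessage(new ApexPages.Message(ApexPages.Severity.FATAL, 'Insufficient access'));
            return null;
        }
        SObjectAccessDecision decision = Security.stripInaccessible(
            AccessType.UPDATABLE, new List<Opportunity>{ opp });
        Map<String, Set<String>> removed = decision.getRemovedFields();
        if (removed.containsKey('Opportunity') && removed.get('Opportunity').contains('Coupon_Code__c')) {
            ApexPages.addMessage(new ApexPages.Message(ApexPages.Severity.FATAL,
                'You do not have permission to change Coupon_Code__c'));
            return null;
        }
        // No System.debug of the record here (item 2): it would write the coupon code to the log.
        update decision.getRecords();
        return null;
    }
}
```

Wire it up with <apex:page standardController="Opportunity" extensions="CouponController"> and a commandButton bound to {!applyCoupon}. The describe checks and WITH SECURITY_ENFORCED overlap deliberately: the describe checks let the page show a friendly message, while the SOQL clause guarantees that a field added to the query later cannot be read without permission even if someone forgets to extend the check.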

5. External Resources in VF Page Vulnerability –

A Visualforce page that loads script from a third-party host runs whatever that host serves:

<script src="https://code.jquery.com/jquery-1.10.2.js"></script>

All resources for the VF page should be bundled inside the package and not referenced from an external source. The reviewer cannot assess code that lives outside the package, and a compromise or change at the external host (or of the path between the user and it) becomes arbitrary script execution in every org that installed the package. The file should therefore be stored in the package and loaded from a package-controlled path rather than from https://code.jquery.com/jquery-1.10.2.js.

Fix:

Upload the library as a Static Resource and reference it through the $Resource global variable, for example <apex:includeScript value="{!$Resource.jquery}"/> (or {!URLFOR($Resource.jquery, 'jquery-1.10.2.js')} for a file inside a zipped resource), rather than by external URL. Since the copy is now frozen in the package, bundle a currently supported library version so the package does not ship code the vendor no longer patches.

6. Unused Code Vulnerability –

/*
JSONGenerator gen = JSON.createGenerator(true);
gen.writeStartObject();
gen.writeFieldName('charge');
gen.writeStartObject();
gen.writeNumberField('amount', Amount);
gen.writeStringField('memo', memo);
gen.writeEndObject();
gen.writeEndObject();
String generate = gen.getAsString();
*/

Remove unused code from the solution. Commented-out blocks and unreferenced methods still have to be read by the reviewer, can hide secrets or previously flagged logic, and can be re-enabled by a later change without a fresh review; version control, not comments, is the place to keep old code.

Image Reference:

http://image.slidesharecdn.com/tipstopasssalesforcesecurityreview-150430062035-conversion-gate02/95/tips-to-pass-salesforce-security-review-1-638.jpg?cb=1430374941

Ramya Singh
https://thestarbiznews.com
