Spencer Mac

Security Scanner Issue - XSS and Spoofing with Survey Force - False Positives?

I recently submitted a package for review through the security scanner that includes Survey Force from Force Labs. I got results back that identified potential vulnerabilities with XSS (Cross site scripting) and Frame Spoofing. Does anyone know if these are false positives?

Some excerpts from the scanner results:

Reviewing For False Positives

The following conditions may lead to false positives in the output of the report:
- Under certain conditions user input may pass into an apex:iframe and be incorrectly labeled as a bug. If the attacker does not control the beginning of the string being passed into the iframe's source, it is not a vulnerability.
- Validation may be performed on user input in a mechanism that the source code scanner does not recognize.

References: n/a
Path 1:
Query Name - Frame_Spoofing
Severity - Serious
42. get //viewsharesurveycomponentcontroller.cls
...
48. String urlPrefix = setupUrlPrefix(surveySite);
163. private String setupUrlPrefix(String site) //viewsharesurveycomponentcontroller.cls
...
167. return site+'/';
42. get //viewsharesurveycomponentcontroller.cls
...
48. String urlPrefix = setupUrlPrefix(surveySite);
...
50. String urlToSave= domain+'/'+urlPrefix+'TakeSurvey?';
...
55. return urlToSave;
41. <apex:iframe src="{!surveyURLBase + surveyURL}" scrolling="True" /> //viewsharesurveycomponent.component
Path 2:
Query Name - Frame_Spoofing
Severity - Serious
63. public viewShareSurveyComponentController() //viewsharesurveycomponentcontroller.cls
...
66. urlType.add(new SelectOption('Email Link w/ Contact Merge',System.Label.LABS_SF_Email_Link_w_Contact_Merge));
41. <apex:iframe src="{!surveyURLBase + surveyURL}" scrolling="True" /> //viewsharesurveycomponent.component
42. get //viewsharesurveycomponentcontroller.cls
...
48. String urlPrefix = setupUrlPrefix(surveySite);
163. private String setupUrlPrefix(String site) //viewsharesurveycomponentcontroller.cls
...
167. return site+'/';
42. get //viewsharesurveycomponentcontroller.cls
...
48. String urlPrefix = setupUrlPrefix(surveySite);
...
50. String urlToSave= domain+'/'+urlPrefix+'TakeSurvey?';
...
55. return urlToSave;
41. <apex:iframe src="{!surveyURLBase + surveyURL}" scrolling="True" /> //viewsharesurveycomponent.component
Path 3:
Query Name - Frame_Spoofing
Severity - Serious
63. public viewShareSurveyComponentController() //viewsharesurveycomponentcontroller.cls
...
67. urlType.add(new SelectOption('Email Link w/ Contact & Case Merge',System.Label.LABS_SF_Email_Link_w_Contact_Case_Merge));
41. <apex:iframe src="{!surveyURLBase + surveyURL}" scrolling="True" /> //viewsharesurveycomponent.component
42. get //viewsharesurveycomponentcontroller.cls
...
48. String urlPrefix = setupUrlPrefix(surveySite);
163. private String setupUrlPrefix(String site) //viewsharesurveycomponentcontroller.cls
...
167. return site+'/';
42. get //viewsharesurveycomponentcontroller.cls
...
48. String urlPrefix = setupUrlPrefix(surveySite);
...
50. String urlToSave= domain+'/'+urlPrefix+'TakeSurvey?';
...
55. return urlToSave;
41. <apex:iframe src="{!surveyURLBase + surveyURL}" scrolling="True" /> //viewsharesurveycomponent.component
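The scanner's own false-positive note gives the test: the finding is real only if an attacker can control the beginning of the string that ends up in the iframe's src. The traced path above (surveySite -> setupUrlPrefix -> urlPrefix -> urlToSave -> apex:iframe src) does not show any validation of the site value before it is concatenated, which is why every path is reported. The following class is an added example, not Survey Force's code and not the fix Salesforce shipped; it mirrors the same flow but pins the scheme and host to a trusted origin before anything else is appended. The class name, property names and the allow-list entries are assumptions for illustration.

```apex
// Added example for illustration; not code from Survey Force or its fix.
// Names (SafeSurveyUrlController, surveySite, surveyId, the allow-list entries)
// are assumptions. It mirrors the flagged flow site -> urlPrefix -> iframe src,
// but the scheme and host are chosen by the controller, not by the caller.
public with sharing class SafeSurveyUrlController {

    // Constructed allow-list of origins the survey may be framed from. A real
    // deployment would derive this from Site records or Custom Metadata.
    private static final Set<String> ALLOWED_ORIGINS = new Set<String>{
        'https://example.my.site.com',
        'https://example.secure.force.com'
    };

    // Caller-influenced values (page parameters, component attributes, etc.).
    public String surveySite { get; set; }
    public String surveyId   { get; set; }

    // Hardened counterpart of setupUrlPrefix(): the returned prefix always starts
    // with an allow-listed origin or the org's own domain, never raw caller input.
    // The comparison is on the whole origin, so a lookalike such as
    // https://example.my.site.com.attacker.example does not pass.
    public static String setupUrlPrefix(String site) {
        String origin = Url.getOrgDomainUrl().toExternalForm();
        if (site != null) {
            String candidate = site.trim().toLowerCase();
            if (ALLOWED_ORIGINS.contains(candidate)) {
                origin = candidate;
            }
        }
        return origin.removeEnd('/') + '/';
    }

    // Bound by the Visualforce markup as
    //   <apex:iframe src="{!surveyURLBase + surveyURL}" scrolling="true"/>
    // The beginning of the src string is now fixed by the controller, which is
    // exactly the condition the scanner's false-positive note describes.
    public String getSurveyURLBase() {
        return setupUrlPrefix(surveySite) + 'TakeSurvey?';
    }

    // Only the query string carries caller input, and it is URL-encoded so it
    // cannot terminate the parameter or smuggle in a new scheme or host.
    public String getSurveyURL() {
        String id = surveyId == null ? '' : surveyId;
        return 'id=' + EncodingUtil.urlEncode(id, 'UTF-8');
    }
}
```

Two points worth checking before treating a Frame_Spoofing hit as a false positive: the comparison must be against the full origin rather than a startsWith or contains check, otherwise a host that merely begins with the trusted name passes; and the validation has to happen in code the scanner can trace, since the second bullet in the report is explicitly about checks the tool does not recognize, in which case you document the mechanism in the false-positive justification instead of changing the code.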

bjames87

Thank you for bringing this to our attention. This app was originally designed to be used just by administrators and we did not have a check in place for other users.

We have made an update to the application for a more secure experience within the confines of the original design and this should no longer be an issue.

Please let me know if you have any further questions.

Regards,

Benjamin James
Salesforce.com

 

Spencer Mac

Thanks for the reply Benjamin, how can I get the update pushed to my instance? I tried to reinstall and it failed saying it's already installed.

bjames87

Since this is an unmanaged package you will need to uninstall the package and reinstall.