Can anyone provide me an error free report of Secure Code scanner report and web scanner report at mohammedatifuddin3@gmail.com

The system we have created needs to be able to display HTML from stored data. I understand that using outputText with escape set to false, poses as a security risk.

So what I managed to do was create a method that manages all the security risks and then output that value to the page. This method will do the following:

• Removes all script and iframe tags
• Removes any images from an external source
• Removes any CSS expressions
• Removes all javascript attributes (anything prefixed with "on")
• Removes javascript from links
• Removes any retrieving a source (apart from internal images sources)
• Removes all link tags to external sources.

Is it alright to do something like this and how would this come across to a security review?

If this is sounds ok to do, are there any missing vulnerabilities in that list that I may have forgotten?

Hi,

we are using javascript in our VF page which accesses the value of controller varible using merge fileds as below

var temp = {!itemList};

To avoid XSS problem we want to use it as 

var temp = '{!JSENCODE(itemList)}'

but as the controller variable  "itemList" is of type  List we are getting an error while saving. but for primitive varibles we are not getting any error. 

list declaration in Controller  :

List<string> itemList{get;set}

please can anyone suggest what should be done for arrays.

thank you

We have developed a Force.com application. This is completely on Force.com with no integration with other applications. We are using vf pages, java script and Jquery for developing a different UI. When we run the checkmarx scanner we did not have any errors but during security review SFDC team responded to us with few FLS errors.

Our team has fixed this but does anybody know how to identify these errors by using a specific scanner or otherwise so that we can check if there are any more FLS errors.

Thanks. Looking forward to your reply.

Can anyone provide me an error free report of Secure Code scanner report and web scanner report at mohammedatifuddin3@gmail.com

HI,

The requirement is authentication between webservice and salesforce. 

I have created webservice in .net which is import and export data in excel sheet.

i have built one page which has list of salesforce user in .net, it will display in salesforce(for that i used web tab).

if administrator select one of user from the list and save it.it will save userId,Username and new generated security token in sql server and update that security token in according user record in salesforce. 

when salesforce user request the webservice it will check with username and token.whether this user has permission or not and preceed further.

I am getting this issue, when i request webservice from salesforce.

Insecure Storage of Sensitive Data Vulnerability

If your application copies and stores sensitive data that originated at salesforce.com, you should take extra precaution. Salesforce.com takes threats to data that originated at their site very seriously, and a data breach or loss could jeopardize your relationship with salesforce.com if you are a partner.

If you must store passwords (including non-Salesforce passwords), note that storing them in plaintext or hashed (such as with the MD5 function) makes your application vulnerable to mass user exploitation if an attacker can get access (even just read-only access) to your database (such as through stealing a backup tape or SQL injection). Although a successful SQL injection or data exposure attack is a huge problem in itself, if the attacker can recover passwords from the data, they cantransparently compromise user accounts on a mass scale.

My question is,

if i convert username and token before saving into the sql server, it will solve my problem..?

i would like to inform that, i am using lead data in webservice..

This data also i want to convert it into the mdf before import or export in excel sheet..?

Please help me, to solved this issue.

Thanks & Regards,

Nilesh Badrakiya

Does salesforce support the use of AES instead of RC4 https encrpyion for the web front ends? How easy is it to switch?

Submitted code to checkmarx including the XMLDom.cls, and XmlDomTest.cls from the source:

http://code.google.com/p/visualforce-components/source/browse/trunk/XmlDom/src/unpackaged/classes/

Problem: Test Method with no Asserts.

Hi all,

I'm wondering how the ESAPI, SFDCAccessController could be used to enforce object level security. For an example, Is there a way to get a list of accessible objects to a paticular user (According to that users' profile).  

Thanks in advance.

We are looking to amend our current sharing to be more restrictive. Within certain teams, we want to change so that the only Accounts that users can see in full are the ones they own themselves.

However, it doesn't make sense to simply hide all other Accounts from them. Instead, it would make sense for them to be able to see Accounts they don't own, but not in their entirety.

For example, on a Account record I don't own, I would be able to see the Account Owner and Account Name, but nothing else - that way I know who to contact internally about it.

How could this be achieved?

In preparation for the Force.com AppExchange Security Review (see e.g. Requirements Checklist) I have been trying to write unit tests for my application's CRUD security and FLS logic.

The two tests below demonstrate the problem that I have got stuck on. System.runAs can have an impact on the describe call result as isUpdateable is false in the first test class and true in the second. But the first obtained describe data remains cached both within a test method and across the whole test class.

I'm looking for suggestions on how to write CRUD security and FLS tests given this unexpected behavior.

Thanks, Keith

@isTest
private class DescribeFalseTest {

    @isTest
    static void testOne() {
    
        // Observed bizarre behavior: if first call is false rest will be false
        System.runAs(readOnlyUser()) {
            System.assertEquals(false, Account.SObjectType.getDescribe().isUpdateable());
        }

        System.assertEquals(false, Account.SObjectType.getDescribe().isUpdateable());
    }

    @isTest
    static void testTwo() {

        System.assertEquals(false, Account.SObjectType.getDescribe().isUpdateable());
        
        System.runAs(readOnlyUser()) {
            System.assertEquals(false, Account.SObjectType.getDescribe().isUpdateable());
        }
    }
    
    private static User readOnlyUser() {

        Profile p = [select Id, Name from Profile where Name = 'Read Only'];
        User u = new User(
            UserName = 'test-user@test-company.com',
            FirstName = 'Test-First-Name',
            LastName = 'Test-Last-Name',
            Alias = 'test',
            Email = 'test-user@test-company.com',
            EmailEncodingKey = 'UTF-8',
            LanguageLocaleKey = 'en_US',
            LocalesIdKey = 'en_US',
            TimezonesIdKey = 'America/Los_Angeles',
            ProfileId = p.Id
            );
        insert u;
        return u;
    }
}

@isTest
private class DescribeTrueTest {

    @isTest
    static void testOne() {
    
        // Observed bizarre behavior: if first call is true rest will be true
        System.assertEquals(true, Account.SObjectType.getDescribe().isUpdateable());
        
        System.runAs(readOnlyUser()) {
            System.assertEquals(true, Account.SObjectType.getDescribe().isUpdateable());
        }
    }

    @isTest
    static void testTwo() {

        System.runAs(readOnlyUser()) {
            System.assertEquals(true, Account.SObjectType.getDescribe().isUpdateable());
        }

        System.assertEquals(true, Account.SObjectType.getDescribe().isUpdateable());
    }
    
    private static User readOnlyUser() {

        Profile p = [select Id, Name from Profile where Name = 'Read Only'];
        User u = new User(
            UserName = 'test-user@test-company.com',
            FirstName = 'Test-First-Name',
            LastName = 'Test-Last-Name',
            Alias = 'test',
            Email = 'test-user@test-company.com',
            EmailEncodingKey = 'UTF-8',
            LanguageLocaleKey = 'en_US',
            LocalesIdKey = 'en_US',
            TimezonesIdKey = 'America/Los_Angeles',
            ProfileId = p.Id
            );
        insert u;
        return u;
    }
}