• John Commute Tracker Dev
  • Member since 2014
Hi All,
I am trying to include the Survey Force application in our existing app and create a managed package. After submitting the code for Force.com Security Review I received the error messages below:

Frame Spoofing
==============
If a user-supplied value is used to construct a frame within the page, it can lead to an attacker controlling what is rendered into the page. By modifying the URL value to a malicious site, an attacker can successfully launch a phishing scam to attempt to steal user credentials. Given that the base domain is from an application they trust, users are more likely to believe the request is legitimate and provide the details requested.

Demonstrative Examples:
======================
In the example below, the developer is taking input from the user from the querystring and using that to load into an iframe on the page:

<apex:iframe src="{!$CurrentPage.parameters.iframesrc}"></apex:iframe>

With input provided by an attacker, the iframe will be rendered into the page with a host of the attacker's choosing, such as the link below.

<iframe src="http://www.badguy.com/stealcreds.php" >

Potential Mitigations
=====================
Frame spoofing can be mitigated by strongly validating the user input provided to your application. In the case where user input is needed to construct the parameters used in a frame, the developer should control the domain loaded through a constant or white list if possible. The example below shows a very simplistic method:

<apex:iframe src="http://domainofchoice.com/page?{!$CurrentPage.parameters.iframesrc}"></apex:iframe>

===================================================================================================================
Issue in Classes

42. get //viewsharesurveycomponentcontroller.cls      
...
48. String urlPrefix = setupUrlPrefix(surveySite);

163. private String setupUrlPrefix(String site) //viewsharesurveycomponentcontroller.cls       
...

167. return site+'/';

42. get //viewsharesurveycomponentcontroller.cls

48. String urlPrefix = setupUrlPrefix(surveySite);
...

50. String urlToSave= domain+'/'+urlPrefix+'TakeSurvey?';
...
55. return urlToSave;
41. <apex:iframe src="{!surveyURLBase + surveyURL}" scrolling="True" /> //viewsharesurveycomponent.component

63. public viewShareSurveyComponentController() //viewsharesurveycomponentcontroller.cls      
...
66. urlType.add(new SelectOption('Email Link w/ Contact Merge',System.Label.LABS_SF_Email_Link_w_Contact_Merge));
41. <apex:iframe src="{!surveyURLBase + surveyURL}" scrolling="True" /> //viewsharesurveycomponent.component
42. get //viewsharesurveycomponentcontroller.cls      
...
48. String urlPrefix = setupUrlPrefix(surveySite);
163. private String setupUrlPrefix(String site) //viewsharesurveycomponentcontroller.cls      
167. return site+'/';
...
42. get //viewsharesurveycomponentcontroller.cls
...
48. String urlPrefix = setupUrlPrefix(surveySite);      
...
50. String urlToSave= domain+'/'+urlPrefix+'TakeSurvey?';
...
55. return urlToSave;

41. <apex:iframe src="{!surveyURLBase + surveyURL}" scrolling="True" /> //viewsharesurveycomponent.component

Any Idea ??
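The traces the reviewer lists all end at the same sink: `surveySite` flows through `setupUrlPrefix` into `urlToSave` and then into the `src` of the `<apex:iframe>`, so whatever controls that value controls the framed origin. The following is an added example, not Survey Force code and not Salesforce's own fix; it shows the pattern the mitigation text describes (a constant allow list of origins, with the caller only selecting among them) written as a hypothetical controller, component markup and test. Class names, the `site`/`id` parameter names and the allow-listed hosts are all assumptions for illustration. Note that the reviewer's "simplistic" mitigation, which appends the raw query string to a fixed host, still lets the caller inject arbitrary query parameters; this example instead rebuilds the frame URL from an allow-listed origin and a validated record ID and URL-encodes the one caller-derived piece.

```apex
// Added example (hypothetical, not Survey Force code): frame only origins on
// a fixed allow list, so a ?site= parameter can no longer point the
// <apex:iframe> at an attacker-chosen host.
public with sharing class SafeSurveyFrameController {

    // Hypothetical allow list. In a real package this would come from the
    // org's configured Sites or a protected custom setting, never from the
    // request.
    @TestVisible
    private static final Set<String> ALLOWED_ORIGINS = new Set<String>{
        'https://surveys.example.force.com',
        'https://surveys.example.secure.force.com'
    };

    // Base URL the component frames; null when the request is rejected.
    public String surveyURLBase { get; private set; }
    public String surveyId { get; private set; }

    public SafeSurveyFrameController() {
        Map<String, String> params = ApexPages.currentPage().getParameters();
        surveyURLBase = resolveBase(params.get('site'));
        surveyId = sanitizeId(params.get('id'));
    }

    // Accept only an absolute https URL whose scheme://host[:port] is on the
    // allow list. Any path, query or fragment supplied by the caller is
    // discarded, so "https://surveys.example.force.com.badguy.com/" and
    // "https://surveys.example.force.com@badguy.com/" both fail the host check.
    @TestVisible
    private static String resolveBase(String candidate) {
        if (String.isBlank(candidate)) {
            return null;
        }
        Url parsed;
        try {
            parsed = new Url(candidate.trim());
        } catch (Exception e) {
            return null;   // relative ("//badguy.com"), scheme-less or malformed
        }
        if (parsed.getProtocol() != 'https' || String.isBlank(parsed.getHost())) {
            return null;   // rejects http:, javascript:, data: and friends
        }
        String origin = 'https://' + parsed.getHost().toLowerCase();
        if (parsed.getPort() != -1) {
            origin += ':' + parsed.getPort();
        }
        return ALLOWED_ORIGINS.contains(origin) ? origin + '/' : null;
    }

    // Survey IDs are Salesforce record IDs; anything else is dropped rather
    // than concatenated into the frame URL.
    @TestVisible
    private static String sanitizeId(String candidate) {
        if (String.isBlank(candidate)) {
            return null;
        }
        try {
            return String.valueOf(Id.valueOf(candidate));
        } catch (Exception e) {
            return null;
        }
    }

    // Full frame target. The only caller-influenced pieces are an allow-listed
    // origin and a validated record ID, and the ID is URL-encoded.
    public String getSurveyURL() {
        if (surveyURLBase == null || surveyId == null) {
            return null;
        }
        return surveyURLBase + 'TakeSurvey?id=' + EncodingUtil.urlEncode(surveyId, 'UTF-8');
    }
}

// Hypothetical component markup (separate .component file). The frame is not
// rendered at all when validation failed, instead of framing an empty or
// attacker-supplied URL:
//
// <apex:iframe src="{!surveyURL}" scrolling="true"
//              rendered="{!NOT(ISBLANK(surveyURL))}" />

// Separate test class file; the inputs are constructed for this example.
@IsTest
private class SafeSurveyFrameControllerTest {
    @IsTest
    static void rejectsForeignAndMalformedOriginsAndKeepsAllowListed() {
        System.assertEquals(null, SafeSurveyFrameController.resolveBase('http://www.badguy.com/stealcreds.php'));
        System.assertEquals(null, SafeSurveyFrameController.resolveBase('https://surveys.example.force.com.badguy.com/'));
        System.assertEquals(null, SafeSurveyFrameController.resolveBase('https://surveys.example.force.com@badguy.com/'));
        System.assertEquals(null, SafeSurveyFrameController.resolveBase('//badguy.com/stealcreds.php'));
        System.assertEquals(null, SafeSurveyFrameController.resolveBase('javascript:alert(1)'));
        System.assertEquals('https://surveys.example.force.com/',
            SafeSurveyFrameController.resolveBase('https://Surveys.Example.force.com/anything?x=1#frag'));
        System.assertEquals(null, SafeSurveyFrameController.sanitizeId('../../TakeSurvey?x'));
    }
}
```

The point for the security review is that the framed origin is chosen by the package, not by the request: the `site` parameter can only select an entry that already exists in `ALLOWED_ORIGINS`, and a value that does not match exactly (after scheme, host and port normalisation) yields no frame at all. If the package must support arbitrary customer Sites, populate the allow list from the org's Site records at install or from a protected custom setting, and keep the comparison on the full origin rather than a prefix match.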
Hi All,

I am using the Survey Force application by Salesforce Labs. Inside the SurveySitesUtil class, the code below is returning false; however, when I run the same code from the Developer Console it returns true. I am also seeing that the code running from the class is not pulling all the objects, including 'Site'.

Schema.getGlobalDescribe().keySet().contains('site')

Looking forward to assistance on this issue.

Thanks.