+ Start a Discussion
Vladimir MedvedevVladimir Medvedev 

XSS (Cross-Site Scripting)

Hello everyone,
Who faced a XSS (Cross-Site Scripting)?
How can emulate attack XSS in the application?
Or XSS applies only to external web pages?
Richard TuttleRichard Tuttle
XSS isn't unique to external web pages.  There is a definite risk with custom built apps internally used.  An easy example is a persistent XSS attack where your users are opening a VisualForce page or component that uses a sobject field in javascript without scrubbing it:
 
<script>
 var poorCode = '{!Case.poor_code__c}';
</script>

If I were able to manipulate that data field in any other place as another user I can create a persistent XSS attack for the next person to open the affected Page/Component by inserting some javascript that breaks out of the containment.  Basic example data in the field that breaks behavior:
 
';alert('whoops

Depending on how clever I get with the amount of text space I have on that field, I could side-load more javascript from a remote host that executes and steals your session Id.  Now I have access to your user's session (there are other controls that can prevent that in Session settings, particularly the session lock settings).

The simple fix to the example is to wrap your variables in VF/components with JSENCODE to scrub (escape) the variable when using it in javascript:
 
<script>
 var saferCode = '{!JSENCODE(Case.poor_code__c)}';
</script>

For a rundown of the different attack vectors I recommend reading up on OWASP (owasp.org) as a resource for developing secure code.  There are various tools for testing like x5s (a plugin to Fiddler HTTP proxy) and static analysis tools like Checkmarx.  The latter is provided free by Salesforce for scanning Salesforce orgs with under 750k lines of code.  For orgs exceeding that you can purchase licenses with Checkmarx directly.  There are a few other tools, but I haven't tried them so I can't speak to them.  If you do your own testing be sure to follow the penetration testing guidelines here (not as bad for XSS only tools, but more thorough penetration testing tools you for sure should follow this process):  https://help.salesforce.com/apex/HTViewSolution?id=000206497&language=en_US

http://security.force.com/security/tools/forcecom/scanner
Shephali SwarnkarShephali Swarnkar
Hi Richard,
    
                   I have got Reflected XSS Vulnerabilities for my App. 

Reproduction steps:
1.Login to the native application
2.Navigate to the respective tab
3.Select user from drop down list,Intercept the request
4.Apply attack value in mention parameter name.
                           I am unable to find out that where and what needs to be changed.

Note : In the above mentioned page we used to select the user from drop down list and get the details of task assigned to that user.

                 
Have any idea that how to mitigate this XSS issue.

Thnaks