Shephali Swarnkar

Got CRUD and XSS Security failure for Managed package

Hi All,

I have a little idea of the CRUD/FLS Enforcement Vulnerability; I found the following approach to overcome it.

eg:
<!-- This would normally bypass automatic FLS enforcement for accessibility-->
<apex:outputText value="{!contactName}" 
             rendered="{!$ObjectType.Contact.fields.Name.Accessible}" />
 
public with sharing class LeadDeleteExtension {
    private Lead l;
    public LeadDeleteExtension(ApexPages.StandardController ctr) {
      l = [SELECT Id FROM Lead WHERE Id=:ctr.getRecord().Id];
    }
    
    public PageReference deleteLead() {
      // Check if the user has delete access on the Lead object
      if (!Lead.sObjectType.getDescribe().isDeletable()){
        ApexPages.addMessage(new ApexPages.Message(ApexPages.Severity.FATAL,
                                                    'Insufficient access')); 
        return null;
      }
      
      delete l;
      return null;
    }

}
Questions:
     1. Do I need to write such code for each field of every object I have used in my App, or is there any other way so that I can rectify it in one go?
     2. I am unable to identify what an XSS (cross-site scripting) security failure is and how to solve such issues in the App.
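For the first question, one way to check many fields and the object-level CRUD permission in a single place rather than one `rendered="..."` attribute per field. This is an added example written for this thread, not code from the original post or from Salesforce; the class name `TaskAccessChecker`, the `Task` field list and the method names are assumptions, and `Security.stripInaccessible` requires API version 48 or later.

```apex
// Added example: centralised CRUD/FLS checks for a whole field list at once.
// TaskAccessChecker and the field names below are assumed for illustration.
public with sharing class TaskAccessChecker {

    // Returns the subset of fieldNames the running user cannot read on objType.
    // The describe map is fetched once, so one call covers any number of fields.
    public static Set<String> inaccessibleFields(Schema.SObjectType objType,
                                                 Set<String> fieldNames) {
        Map<String, Schema.SObjectField> fieldMap = objType.getDescribe().fields.getMap();
        Set<String> blocked = new Set<String>();
        for (String f : fieldNames) {
            // fields.getMap() keys are lower-case API names
            Schema.SObjectField token = fieldMap.get(f.toLowerCase());
            if (token == null || !token.getDescribe().isAccessible()) {
                blocked.add(f);
            }
        }
        return blocked;
    }

    // Object-level CRUD check that fails closed before any DML runs.
    public static void requireDeletable(Schema.SObjectType objType) {
        if (!objType.getDescribe().isDeletable()) {
            throw new System.NoAccessException();
        }
    }

    // Platform-enforced FLS: the fields the user may not read are removed from
    // the returned records instead of being checked one by one in code.
    public static List<Task> readableTasks(Id ownerId) {
        List<Task> tasks = [SELECT Id, Subject, Status, Description
                            FROM Task
                            WHERE OwnerId = :ownerId];
        SObjectAccessDecision decision =
            Security.stripInaccessible(AccessType.READABLE, tasks);
        // decision.getRemovedFields() reports what was stripped, useful for logging
        return (List<Task>) decision.getRecords();
    }

    // Example caller: delete only after the object-level check passes.
    public static void deleteLead(Id leadId) {
        requireDeletable(Lead.SObjectType);
        delete [SELECT Id FROM Lead WHERE Id = :leadId];
    }
}
```

Where a query must fail rather than silently drop fields, `WITH SECURITY_ENFORCED` on the SOQL statement throws a `QueryException` if any selected field or object is not accessible; do not combine it with `stripInaccessible` on the same query, since the exception is raised before the records are returned.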
 
Prolay
Shephali Swarnkar
Thank you Prolay For your quick response.
Shephali Swarnkar

Hi Prolay,
I have got Reflected XSS Vulnerabilities for my App. The lines mentioned in the report are:

Reproduction steps:
1. Login to the native application
2. Navigate to the respective tab
3. Select a user from the drop-down list, intercept the request
4. Apply the attack value in the mentioned parameter name.

I am unable to find out where and what needs to be changed.
Note: In the above-mentioned page we select the user from a drop-down list and get the details of the tasks assigned to that user.
--------------------------------------------------------------------------

Up to my understanding, I may have got this XSS issue because I have used the following Apex code to get the details of the user's task list:

<apex:pageBlock title="Details" id="block1">
    <apex:detail subject="{!$CurrentPage.parameters.UserInput}" relatedList="false"/>
</apex:pageBlock>

But at the same time, when I browse this link https://developer.salesforce.com/page/Secure_Coding_Cross_Site_Scripting#Apex_and_Visualforce_Applications

I found
<apex:outputText>
  {!$CurrentPage.parameters.userInput} <!-- safe (auto HTML Encoded) -->
</apex:outputText>


Question: If this is not vulnerable to XSS, then why did I get this reflected XSS for my App?

Need help to find out the exact vulnerable code and the solution for that.

Thanks
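A way to take the raw `UserInput` page parameter out of the Visualforce markup altogether: a controller reads the parameter once, accepts it only if it is a well-formed Id of a User record, and the page binds `subject="{!selectedUserId}"` to the validated value instead of to `$CurrentPage.parameters`. This is an added example written for this thread, not code from the original post or from the Salesforce guide; `UserTaskController`, `selectedUserId` and the Task fields queried are assumptions.

```apex
// Added example: validate the reflected page parameter in the controller so
// the page never binds the untrusted string directly. Names are assumed.
public with sharing class UserTaskController {

    // The page binds <apex:detail subject="{!selectedUserId}" .../> to this value,
    // so only a validated User Id ever reaches the markup.
    public Id selectedUserId { get; private set; }

    // Static message text only; the rejected input is never echoed back.
    public String errorMessage { get; private set; }

    public UserTaskController() {
        String raw = ApexPages.currentPage().getParameters().get('UserInput');
        selectedUserId = parseUserId(raw);
        if (selectedUserId == null && String.isNotBlank(raw)) {
            errorMessage = 'Invalid user selected.';
        }
    }

    // Accepts only a syntactically valid Id whose key prefix belongs to User;
    // any other string (including script or markup) is rejected as null.
    @TestVisible
    private static Id parseUserId(String raw) {
        if (String.isBlank(raw)) {
            return null;
        }
        Id candidate;
        try {
            candidate = Id.valueOf(raw.trim());   // throws StringException on bad input
        } catch (System.StringException e) {
            return null;
        }
        return candidate.getSobjectType() == User.SObjectType ? candidate : null;
    }

    // Tasks for the validated user; WITH SECURITY_ENFORCED adds the FLS/CRUD check
    // the first post in this thread was asking about.
    public List<Task> getTasks() {
        if (selectedUserId == null) {
            return new List<Task>();
        }
        return [SELECT Id, Subject, Status
                FROM Task
                WHERE OwnerId = :selectedUserId
                WITH SECURITY_ENFORCED];
    }
}
```

If the page still needs to show the user's own input anywhere (for instance in a message), render it through `<apex:outputText value="{!...}"/>` with the default `escape="true"`, or apply `String.escapeHtml4()` in the controller; the check above is what removes the scanner finding, because the parameter no longer flows into an attribute unvalidated.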