Monday, 14 March 2011

Salesforce applications with security: SOQL Injection


I am here again to share something that you may already know, but I would still like to go over it :).
So please be ready for one more of my boring (I don't think so) topics: "Salesforce applications with security: SOQL Injection".

This time it's SOQL injection. So SOQL is a type of vaccine for the human body, injected when you are really feeling weak (sorry :), no more jokes).

SOQL injection is a code injection technique that exploits a weakness in how an application builds a query from user input.
To be more specific: suppose you have a search form, and instead of typing a valid search value the user types crafted text. If that text is spliced into the SOQL query as-is, it changes the meaning of the query and returns (or, worse, deletes) records the user was never meant to reach.
This situation occurs when user input is concatenated into the query text without escaping the single quotes that delimit string literals.
Let's have a pictorial look:

It's a SQL example, but it describes SOQL injection just as well.
Here you can see that once the user puts a crafted value in the User ID field, it travels to the controller, which builds a query that no longer behaves as the intended login check.

The worst scenario is when the records returned by such a query are then deleted.
Let's have one more quick example of this:

I have a case where I want to delete Accounts based on the name entered in an input field on the page.
The implementation could look like this:

// Vulnerable: nameField is taken from the page and concatenated straight into the query text
List<Account> listAccount = Database.query('Select Id from Account where Name = \'' + nameField + '\' ');

delete listAccount;

It works great with a valid value.
Now it gets ugly if the value of nameField is provided like this (the raw text typed into the field):

nameField = ' OR Id != null OR Type != '

Once the action is performed, this text is concatenated into the query, and the resulting statement looks like this (as an Apex string literal, so each quote inside the query is written \'):

List<Account> listAccount = Database.query('Select Id from Account where Name = \'\' OR Id != null OR Type != \'\' ');

delete listAccount;

The leading quote in the input closes the Name literal, and the rest of the input becomes query syntax: Id != null is true for every record, so the query returns every Account.
So hopefully you can see the monster here. It will delete every Account record in the org.

Salesforce provides escaping to get rid of SOQL injection.
The solution can be one of the following:
  1. Use static queries with bind variables as much as possible. A bind variable (:nameField) is passed to the query engine as data, so its contents are never parsed as query text and no escaping is needed.
  2. If a dynamic query is needed, then every user-supplied value placed inside a string literal must go through String.escapeSingleQuotes():
    List<Account> listAccount = Database.query('Select Id from Account where Name = \'' + String.escapeSingleQuotes(nameField) + '\' ');
The String.escapeSingleQuotes method adds the escape character (\) in front of every single quotation mark in the string passed in by the user. This ensures that all single quotation marks are treated as part of the enclosed string instead of as query syntax. Note that it only protects values that sit between quotes; input used as a field name, a sort column or a LIMIT value is not a string literal, so it has to be validated against an allow-list or cast to the expected type instead.
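Below is an added example (not code from the original post) that puts the delete-by-name action from above into an Apex class and shows the vulnerable version next to the bind-variable fix, the escapeSingleQuotes() fix, and the allow-list/type-cast handling for input that lands outside a string literal. The class name, method names and the allowed sort fields are assumptions made for the illustration.

```apex
// Added example, not from the original post: the delete-by-name lookup written several ways.
// Class and method names are assumed for illustration.
public with sharing class AccountCleanup {

    // VULNERABLE: the user's text is spliced into the query, so a quote in it ends the literal
    // and everything after it becomes query syntax.
    // nameField = ' OR Id != null OR Type != '   ->   ... WHERE Name = '' OR Id != null OR Type != ''
    public static List<Account> findUnsafe(String nameField) {
        return Database.query('SELECT Id FROM Account WHERE Name = \'' + nameField + '\'');
    }

    // FIX 1 (preferred): static SOQL with a bind variable. The runtime passes nameField as data,
    // so its contents are never parsed as query text; the payload above simply matches no account.
    public static List<Account> findWithBind(String nameField) {
        return [SELECT Id FROM Account WHERE Name = :nameField];
    }

    // FIX 2: dynamic SOQL is sometimes unavoidable (query shape decided at runtime). A bind
    // variable still works inside Database.query() as long as the variable is in scope ...
    public static List<Account> findDynamicWithBind(String nameField) {
        return Database.query('SELECT Id FROM Account WHERE Name = :nameField');
    }

    // ... and where the value really has to be concatenated, String.escapeSingleQuotes() prefixes
    // every quote with a backslash so it stays inside the literal:
    //   WHERE Name = '\' OR Id != null OR Type != \''
    public static List<Account> findWithEscape(String nameField) {
        String safeName = String.escapeSingleQuotes(nameField);
        return Database.query('SELECT Id FROM Account WHERE Name = \'' + safeName + '\'');
    }

    // CAVEAT: escapeSingleQuotes() only protects text that sits between quotes. Input placed
    // elsewhere in the query (a field name after ORDER BY, a number after LIMIT) is not a string
    // literal, so it needs an allow-list or a type cast instead. The allowed fields are assumed.
    private static final Set<String> ALLOWED_SORT_FIELDS = new Set<String>{ 'Name', 'CreatedDate' };

    public static List<Account> findSorted(String nameField, String sortField, String limitText) {
        if (!ALLOWED_SORT_FIELDS.contains(sortField)) {
            throw new IllegalArgumentException('Unsupported sort field: ' + sortField);
        }
        Integer rowLimit = Integer.valueOf(limitText); // throws TypeException on non-numeric input
        return Database.query('SELECT Id FROM Account WHERE Name = \''
            + String.escapeSingleQuotes(nameField)
            + '\' ORDER BY ' + sortField + ' LIMIT ' + rowLimit);
    }

    // The delete action from the post, built on the safe lookup.
    public static void deleteByName(String nameField) {
        List<Account> matches = findWithBind(nameField);
        if (!matches.isEmpty()) {
            delete matches;
        }
    }
}
```

Calling AccountCleanup.deleteByName('\' OR Id != null OR Type != \'') deletes nothing, because the bind variable is compared as a literal name; calling findUnsafe() with the same text returns every Account the running user can see. The `with sharing` keyword additionally keeps record-level sharing in force, so even a successful injection could not reach records the user is not shared on.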

I hope this post helps you get a basic understanding of SOQL injection.

Now I am going to finish this, because if I don't, you guys will fall asleep.
So the topic ends, party time ....................

Will be back very soon with something new :).


Tuesday, 1 March 2011

Salesforce applications with security : Stored XSS

Continuing from my previous post, this time I would like to share some knowledge on the Stored XSS part.
Stored XSS is cross-site scripting where an attacker can inject his code into data the server keeps permanently, and that script then runs whenever the page that renders the data is used.

In other words :
"Stored attacks are those where the injected code is permanently stored on the target servers, such as in a database, in a message forum, visitor log, comment field, etc. The victim then retrieves the malicious script from the server when it requests the stored information."

Let's have an example. A Visualforce page puts the Account name into a JavaScript string literal:

<script>
    function crossXSS() {
        // Vulnerable: the raw merge field is rendered inside the string literal
        var xssExample = '{!Account.Name}';
    }
</script>
<apex:commandLink value="Click me" onclick="crossXSS();" />

Now suppose the stored Account Name is (in the request it would be URL-encoded, with + as %2B and the space as %20):

testName';document.location=''+document.cookie;var foo=

This account name will be rendered into the script block every time the page loads, and whenever the commandLink is clicked "crossXSS" will run with the following body:

var xssExample = 'testName';document.location=''+document.cookie;var foo='';

The first quote in the name closes the literal, the attacker's statement follows, and the trailing var foo=' soaks up the closing quote the page supplies, so the script stays syntactically valid.

So again you can see that the page now runs the attacker's statement: the browser navigates to a URL built from document.cookie. With the attacker's host prepended to that URL, every cookie readable by script is delivered to the attacker each time the link is clicked, by any user who views this account.

What I suggested in the previous blog applies here too, so I am repeating it :).

To prevent this, Salesforce provides encoding functions that are available on Visualforce pages; which one to use depends on where the value is placed.

The code explained above can be updated as:
var xssExample = '{!JSENCODE(Account.Name)}';

The stored value is now encoded before it lands in the script, so a quote in the Account name becomes \' and can no longer terminate the literal.
JSENCODE: for values placed inside a JavaScript string literal (escapes quotes, backslashes and line breaks).
HTMLENCODE: for values rendered as HTML content or attribute text (turns <, >, & and quotes into entities).
JSINHTMLENCODE: for values placed in a JavaScript string inside an HTML attribute such as onclick, where the text passes through the HTML parser first and the JavaScript parser second.
URLENCODE: for values placed in a URL you are building on the page.
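The following added Visualforce fragment (not code from the original post) places the same Account.Name in each of the four contexts listed above, with the encoder that fits that context. The page name, the search URL and the console.log call are assumptions made for the illustration.

```html
<!-- Added example, not from the original post: one merge field, four output contexts,
     each paired with the Visualforce encoder for that context. -->
<apex:page standardController="Account">

    <script>
        // 1) Inside a JavaScript string literal: JSENCODE escapes ' " \ and line breaks,
        //    so the stored payload stays one harmless string.
        function crossXSS() {
            var xssExample = '{!JSENCODE(Account.Name)}';
            console.log(xssExample);
        }
    </script>

    <!-- 2) As HTML body text: HTMLENCODE turns < > & and quotes into entities,
            so a name like <script>...</script> is displayed, not executed. -->
    <p>Account: {!HTMLENCODE(Account.Name)}</p>

    <!-- 3) A JavaScript string inside an HTML event attribute: the value is decoded by the
            HTML parser first and then read by the JavaScript parser, so both layers must be
            encoded. JSINHTMLENCODE does that; JSENCODE alone would leave the attribute breakable. -->
    <apex:commandLink value="Click me"
                      onclick="crossXSS(); alert('{!JSINHTMLENCODE(Account.Name)}');" />

    <!-- 4) A value placed in a URL query string: URLENCODE percent-encodes it, so characters
            such as & or # cannot add parameters or truncate the URL. Target page is assumed. -->
    <a href="/apex/AccountSearch?name={!URLENCODE(Account.Name)}">Find similar accounts</a>

</apex:page>
```

A quick check for each context: save an Account whose name is the payload from above, load the page, and view the rendered source. The quote inside the script block should appear as \', the angle brackets in the paragraph as &lt; and &gt;, and the + and spaces in the link as %2B and %20.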

Please feel free to ask the questions/doubts. Suggestions are appreciated.