98% of all Salesforce development takes place outside of AppExchange packages. That code is rarely reviewed, much less reviewed for security issues like XSS (Cross Site Scripting). Even great Salesforce developers rarely need to know about XSS issues that may be introduced by the architecture of their Visualforce pages. Heck, even amazing product development groups like CodeScience did not have to worry about these issues until relatively recent history (C.E. 2013).
So what is XSS and why in the world do I have to worry about it in my Visualforce code?
Salesforce provides a great overview of XSS and preventing it with their toolset here. To save you a 5 minute read, I’ll just say that XSS is the ability to inject scripts into another site’s code. In Visualforce, the main vulnerability is around the tags that developers use to collect information from the user. As the article mentioned, these tags are usually escaped so that most use cases are accounted for and handled. Frequently though, developers create advanced UI’s using javascript and css that may bypass the built in protections. In those scenarios, XSS is a very likely vulnerability and should be prevented. Like most problems though, prevention begins with understanding your problem. To do that, I’ll introduce a new player in the Salesforce security world, “ZAP”.
Detecting XSS issues before Security Review
ZAP is the new BURP. Both are endpoint and web application vulnerability scanners that the Salesforce security team uses and recommends for detecting issues in web applications. ZAP is a recent replacement for BURP. You can read more and even download the tool here. ZAP has a relatively straightforward install and configuration experience. Because of that it is easy to setup and use immediately to scan the wonderful Visualforce pages that you have written. More advanced development groups may even want to incorporate the scan into their automated commit and QA processes. However, one of the first results of doing this scan, is that you can now find some great new issues to resolve in your Visualforce code.
Fixing issues with Visualforce and Apex
After using ZAP to discover your Visualforce issues, the next question is usually, “how should the issues be resolved?” The simple answer is “input validation” and “output encoding.” Input validation is the strategy of checking or controlling user supplied values to verify that they are “valid” for the field. Output encoding describes the technique of properly parsing any dynamic values to make sure that they don’t provide an avenue for scripting to make it into your page. As mentioned above, this is one place where malicious code injection should be prevented. In addition to the techniques outlined in the article above, another good strategy for handling input validation and output encoding is a security library or framework that provides these features. CodeScience has a private framework that we’ve developed for use in our projects, however, the Salesforce security also provides a framework for this. It is available here .
Go forth and scan
Now it is time to execute. A couple of quick tips… scan specific pages, not the entire Salesforce.com application. Also, don’t forget to use the Salesforce.com source scanner (checkmarx) to scan your code directly first. So grab the ZAP scanner from the link above, fire it up, and scan some pages. You may be surprised by what you find.
