Friday, August 14, 2015

Cross-site scripting vulnerability uncovered in Salesforce cloud

Researchers at cloud application security vendor Elastica have published details of a Cross-Site Scripting (XSS) vulnerability within a Salesforce subdomain that gave attackers the potential to use a trusted Salesforce application as a platform for end-user credential gathering attacks. Disclosed in early July, the vulnerability was finally patched by Salesforce on Monday, just two days before Elastica went public with the disclosure.

Admittedly, XSS vulnerabilities are not the most exciting of attack vectors, but that doesn't mean they are not dangerous. Nor does it mean that organisations shouldn't know better when it comes to detecting them. Heck, the Salesforce developer pages themselves even have a section dedicated to preventing XSS attacks which states "Most applications that display dynamic Web pages without properly validating the data are likely to be vulnerable. Attacks against the website are especially easy if input from one user is intended to be displayed to another user. Some obvious possibilities include bulletin board or user comment-style websites, news, or email archives." Oh the irony.

XSS is becoming both more frequent and more dangerous as an attack vector year on year. Frequent because XSS vulnerabilities are pretty easy to spot (oh the irony again), and dangerous because they are also easy to exploit, with outcomes similar to those of SQL injection attacks, for example. The bad guys would rather take the easiest route on offer, and for many that appears to be XSS right now.