Security Vulnerabilities

In the realm of Salesforce, where data integrity and security are paramount, it is imperative to address and fortify against common vulnerabilities. This post explores prevalent security risks such as SOQL injection, Cross-Site Scripting (XSS) and Cross-Site Request Forgery (CSRF) that can compromise applications built on the Salesforce platform, and the protections the platform offers against them.

SOQL Injection

SOQL injection is a technique that is used to inject values to manipulate the construction and outcome of a dynamic SOQL query.

SOQL injection can potentially occur when user-supplied input is used to construct a dynamic SOQL statement.

The user input can modify the intended SOQL statement and result in unintended or harmful results.

Techniques to Prevent SOQL Injection

  • Bind Variables => An input can be enforced to be treated as a variable and not an executable part of the query.
  • Typecast Variables => Typecasting is where variables are cast according to their respective data types, so that an exception is intentionally thrown when an unexpected data type is encountered.
  • Escape Single Quotes => An escape character can be added to all single quotation characters using String.escapeSingleQuotes() to ensure that the strings are not treated as commands.

// A string literal that itself contains single quotes (escaped with a backslash in Apex)
String exampleString = '\' Hello World\'';
System.debug(exampleString);

// escapeSingleQuotes() prefixes every single quote with a backslash, so the value
// can no longer terminate a string literal inside a dynamic SOQL statement
String escapedStr = String.escapeSingleQuotes(exampleString);
System.debug(escapedStr);

[Screenshot: execution log in Developer Console]

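As an added example (not code from the original post), the three defences above applied to a search over Account; the class and method names are assumed:

```apex
// Added example; class and method names are assumed.
public with sharing class AccountSearch {

    // VULNERABLE: the input is concatenated into the query string, so a value
    // containing a single quote can end the literal and alter the WHERE clause.
    public static List<Account> findUnsafe(String nameFragment) {
        String soql = 'SELECT Id, Name FROM Account WHERE Name LIKE \'%'
                    + nameFragment + '%\'';
        return Database.query(soql);
    }

    // Bind variable: the value is passed as a parameter and never parsed as SOQL.
    public static List<Account> findWithBind(String nameFragment) {
        String pattern = '%' + nameFragment + '%';
        return [SELECT Id, Name FROM Account WHERE Name LIKE :pattern];
    }

    // Escape single quotes: only adequate when the input lands inside a quoted
    // string literal, as here; it does nothing for field names or numeric values.
    public static List<Account> findWithEscape(String nameFragment) {
        String safeFragment = String.escapeSingleQuotes(nameFragment);
        String soql = 'SELECT Id, Name FROM Account WHERE Name LIKE \'%'
                    + safeFragment + '%\'';
        return Database.query(soql);
    }

    // Typecast: non-numeric input throws a System.TypeException before any query
    // runs, so an unquoted numeric comparison cannot be turned into extra SOQL.
    public static List<Account> findByMinEmployees(String minEmployeesInput) {
        Integer minEmployees = Integer.valueOf(minEmployeesInput);
        String soql = 'SELECT Id, Name FROM Account WHERE NumberOfEmployees >= '
                    + minEmployees;
        return Database.query(soql);
    }
}
```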

Cross-Site Request Forgery

Cross-site request forgery (CSRF) performs an action via a URL that takes advantage of the active session of an authenticated user.

An attacker includes a URL on their site that performs an action on a second site.

If the user is still authenticated to the second site and no protection is in place, the action may succeed.

Considerations regarding protection from CSRF

  • Built-in Protection => Salesforce has default protection built in that validates a token.
  • Action Types => Possible action types are create a record, send email, log a call, custom Visualforce, update a record, Lightning component, and flow.
  • Avoid State Changes => Developers can ensure the built-in protection is used by avoiding state-changing operations.

Salesforce implements built-in anti-CSRF tokens in all its standard controllers and methods, but custom controllers can become vulnerable to CSRF attacks.

Cross-Site Request Forgery Example


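An added example (not code from the original post) of a custom Visualforce controller that bypasses the built-in token check by changing state on page load, beside a version that keeps the protection; class, page and parameter names are assumed:

```apex
// File: DeleteAccountUnsafeController.cls (assumed name).
// VULNERABLE: the delete runs in the constructor, i.e. on page load. A page
// load is a plain GET request that carries no anti-CSRF token, so opening
// the page URL with an id parameter performs the delete in the current session.
public with sharing class DeleteAccountUnsafeController {
    public DeleteAccountUnsafeController() {
        String accountId = ApexPages.currentPage().getParameters().get('id');
        delete [SELECT Id FROM Account WHERE Id = :accountId];
    }
}

// File: DeleteAccountController.cls (assumed name).
// SAFER: the page only reads data on load. The state change lives in an action
// method bound to a form submission, and Salesforce validates the anti-CSRF
// token of that POST before the method is allowed to run.
public with sharing class DeleteAccountController {
    public Account acct { get; private set; }

    public DeleteAccountController() {
        String accountId = ApexPages.currentPage().getParameters().get('id');
        // Read-only on load; 'with sharing' also limits what is visible.
        List<Account> found = [SELECT Id, Name FROM Account WHERE Id = :accountId LIMIT 1];
        acct = found.isEmpty() ? null : found[0];
    }

    // Invoked from the page by
    //   <apex:form><apex:commandButton action="{!deleteAccount}" value="Delete"/></apex:form>
    // The form post carries the platform's anti-CSRF token.
    public PageReference deleteAccount() {
        if (acct != null) {
            delete acct;
        }
        // Back to the Account home tab (key prefix looked up, not hard-coded)
        return new PageReference('/' + Account.SObjectType.getDescribe().getKeyPrefix());
    }
}
```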

Cross-Site Scripting

Cross-site scripting is when malicious content such as JavaScript / VBScript / HTML is inserted into a web page and executed.

The script can take advantage of the user's session and use it to submit transactions, read data, or alter the page using HTML / CSS.

Considerations regarding protection from XSS

  • APEX Tags => All standard Visualforce components, which start with <apex> have anti-XSS filters in place.
  • Input Filters => Check user input against defined values. Note that labels of <apex:inputField> tags are automatically escaped for security.
  • Output Filters => Salesforce has implemented filters that screen out harmful characters in most output methods as one of the anti-XSS defenses.

Controlling Data Access

An Apex class executes in system mode by default and may expose sensitive data to unintended users.

Using the 'with sharing' keyword ensures that the permissions of the currently logged in user are used.

The 'inherited sharing' keyword can be specified on an Apex class to allow the class to run in the sharing mode of the class that called it.

The Apex class that uses the 'inherited sharing' keyword runs as 'with sharing' when used as a Visualforce page controller, Apex REST service, or an entry point to an Apex transaction.

@AuraEnabled Apex classes used by Aura components or Lightning web components that do not specify "with sharing" or "without sharing" will default to "with sharing" to ensure that Lightning components are secure by default.

The WITH SECURITY_ENFORCED clause, which enforces field- and object-level security permissions, can be added to a SOQL statement. The query then throws a System.QueryException if the current user does not have access to any field or object referenced in the statement.
The Security.stripInaccessible Apex method can be used to remove fields from SOQL query results that the current user does not have access to and avoid exceptions when a DML operation is performed.
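As an added example (not code from the original post), a service class that combines the sharing keyword, WITH SECURITY_ENFORCED and Security.stripInaccessible described above; the class and method names are assumed:

```apex
// Added example; class and method names are assumed.
public inherited sharing class ContactService {

    // Sharing rules follow the caller ('inherited sharing'); field- and object-level
    // permissions are enforced by WITH SECURITY_ENFORCED. If the running user lacks
    // read access to Contact or to Email/Phone, a System.QueryException is thrown
    // and no rows are returned.
    public static List<Contact> readContactDetails() {
        try {
            return [SELECT Id, Email, Phone FROM Contact WITH SECURITY_ENFORCED];
        } catch (System.QueryException e) {
            // Fail closed: log the reason, return nothing to the caller.
            System.debug(LoggingLevel.WARN, 'Field-level check failed: ' + e.getMessage());
            return new List<Contact>();
        }
    }

    // Before a DML update, drop the fields the running user is not allowed to edit
    // instead of letting the whole update fail. Returns the names of the fields
    // that were stripped so the caller can report them.
    public static Set<String> updateContacts(List<Contact> contacts) {
        SObjectAccessDecision decision =
            Security.stripInaccessible(AccessType.UPDATABLE, contacts);

        Set<String> stripped = new Set<String>();
        Map<String, Set<String>> removedByObject = decision.getRemovedFields();
        if (removedByObject.containsKey('Contact')) {
            stripped.addAll(removedByObject.get('Contact'));
        }

        // getRecords() returns copies with the inaccessible fields removed;
        // Id is always kept, so the update still targets the same rows.
        update decision.getRecords();
        return stripped;
    }
}
```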

Enforcing Object and Field Permissions

Object-level and field-level permissions can be enforced through code by explicitly using sObject and field describe result methods.

The following describes some of these methods:

OBJECT-LEVEL

  • isAccessible() - returns true if the current user can access the object.
  • isCreateable() - returns true if the current user can create records of the object.
  • isUpdateable() - returns true if the current user can update records of the object.
  • isDeletable() - returns true if the current user can delete records of the object.

FIELD-LEVEL

  • isAccessible() - returns true if the current user can access the field of a record.
  • isCreateable() - returns true if the current user can set the value of the field for an existing record.
  • isUpdateable() - returns true if the current user can update the value of the field for an existing record.
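An added example (not code from the original post) showing the object-level and field-level describe checks above applied before a read and before an insert; the class, method and field lists are assumed:

```apex
// Added example; class and method names are assumed.
public with sharing class OpportunityAccessGuard {

    private static final List<String> READ_FIELDS =
        new List<String>{ 'Amount', 'StageName', 'CloseDate' };

    // Object-level check first, then a field-level check for every field that
    // will be read. Returns false rather than throwing so callers can fail closed.
    public static Boolean canReadOpportunityDetails() {
        Schema.DescribeSObjectResult objDescribe = Opportunity.SObjectType.getDescribe();
        if (!objDescribe.isAccessible()) {
            return false;
        }
        // Keys of the field map are lower-case field API names
        Map<String, Schema.SObjectField> fieldMap = objDescribe.fields.getMap();
        for (String fieldName : READ_FIELDS) {
            Schema.SObjectField token = fieldMap.get(fieldName.toLowerCase());
            if (token == null || !token.getDescribe().isAccessible()) {
                return false;
            }
        }
        return true;
    }

    // Guard an insert: the object must be createable and so must every field
    // being populated. Throw rather than silently inserting a partial record.
    public static Opportunity createOpportunity(String name, Decimal amount, Date closeDate) {
        if (!Schema.SObjectType.Opportunity.isCreateable()
            || !Schema.SObjectType.Opportunity.fields.Name.isCreateable()
            || !Schema.SObjectType.Opportunity.fields.Amount.isCreateable()
            || !Schema.SObjectType.Opportunity.fields.CloseDate.isCreateable()
            || !Schema.SObjectType.Opportunity.fields.StageName.isCreateable()) {
            throw new System.NoAccessException();
        }
        Opportunity opp = new Opportunity(
            Name = name, Amount = amount, CloseDate = closeDate, StageName = 'Prospecting');
        insert opp;
        return opp;
    }
}
```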


Secure Retrieval and Display of Third-Party Content

Visualforce provides methods to safely display third-party content on the page.

  • Image Content => When a Visualforce page loads a third-party image outside the org's server, it can initiate a malicious authentication request meant to steal Salesforce usernames and passwords.
  • IMAGEPROXYURL Function => The IMAGEPROXYURL function can be used to securely retrieve images and protect users from unauthorized requests.
  • Using IMAGEPROXYURL => The IMAGEPROXYURL function can be included on the 'src' attribute of a <img> tag or the 'value' attribute of an <apex:image> object.
  • HTML Content => HTML static resources can be isolated on a separate domain using iframes to protect Visualforce content from untrusted sources.
  • $IFRAMERESOURCE => A static HTML file can be referenced on a separate domain by using $IFrameResource.<resource_name> as a merge field, where 'resource_name' is the name of the uploaded static resource.

Visualforce pages can be displayed on trusted external domains using iframes by allowing it in Session Settings in Setup.

System/User Mode Operations

Salesforce allows explicitly specifying the running context when performing a SOQL query.

SOQL USER MODE

To explicitly perform a SOQL query in the context of the current user, the WITH USER_MODE clause is used. The field-level security settings, object permissions, and sharing rules are applied. For example:

List<Account> accs = [SELECT Id FROM Account WITH USER_MODE];

SOQL SYSTEM MODE

To explicitly perform a SOQL query in system context, the WITH SYSTEM_MODE clause is used. In this case, the field-level security settings and object permissions are ignored, and the sharing keyword defined on the Apex class determines whether sharing rules are applied. For example:

List<Account> allAccounts = [SELECT Id FROM Account WITH SYSTEM_MODE];

Salesforce also allows explicitly specifying the running context when performing a DML operation.

STATIC DML USER MODE

To explicitly execute a static DML statement in user mode, the “as user” keywords can be added to the statement. For example:

Account myAccount = new Account(Name='ACME');
insert as user myAccount;

STATIC DML SYSTEM MODE

To explicitly execute a static DML statement in system mode, the “as system” keywords can be added to the statement. For example:

List<Account> allAccounts = [SELECT Id FROM Account WITH SYSTEM_MODE];
update as system allAccounts;
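As an added example that goes beyond the static forms above (not code from the original post), the same user-mode and system-mode enforcement applied to dynamic SOQL and DML through the Database methods that take a System.AccessLevel; the class and method names are assumed, and these overloads need API version 57.0 or later:

```apex
// Added example; class and method names are assumed. The AccessLevel overloads
// used here require API version 57.0 or later.
public with sharing class AccountUserModeService {

    // Dynamic SOQL in user mode with a bind map: the input is bound rather than
    // concatenated (no injection), and FLS, object permissions and sharing rules
    // are enforced for the running user. Referencing an inaccessible field
    // raises a System.QueryException.
    public static List<Account> searchByName(String nameFragment) {
        String soql = 'SELECT Id, Name, Industry FROM Account WHERE Name LIKE :pattern';
        Map<String, Object> binds = new Map<String, Object>{
            'pattern' => '%' + nameFragment + '%'
        };
        return Database.queryWithBinds(soql, binds, AccessLevel.USER_MODE);
    }

    // Dynamic DML in user mode. allOrNone=false means rows the user may not create
    // are reported as failures in the SaveResult list instead of aborting the batch.
    public static List<Database.SaveResult> createAccounts(List<Account> accounts) {
        return Database.insert(accounts, false, AccessLevel.USER_MODE);
    }

    // Deliberate system-mode read, e.g. for a housekeeping job that must see every
    // field; because the class is 'with sharing', sharing rules still apply.
    public static Integer countVisibleAccounts() {
        List<Account> accounts =
            Database.query('SELECT Id FROM Account', AccessLevel.SYSTEM_MODE);
        return accounts.size();
    }
}
```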

More articles by Anita Brandic