PDIH – Salesforce XSS: No big deal? Really?

Last week Adobe, Microsoft and Oracle all tripped over their proverbial patches. But the real news was the Salesforce.com cross-site scripting flaw that was revealed. Don’t worry… Salesforce patched the flaw two days before the security vendor released the information to the public.

The real problem, compared to other cross-site scripting flaws, is that “it existed in a real Salesforce subdomain ‘admin.salesforce.com’; the chances are pretty high that any end user on the receiving end of a phishing email from that URL would not identify it as malicious, nor would it have been detected by anti-phishing filters as being bogus.”

What does this mean to you and me?

In a regular environment that we own, we can do penetration testing. Even basic vulnerability scanning is allowed, because we give ourselves permission to do it.

What about your contract for salesforce?

You do not have the right to do a penetration test. In fact your contract expressly forbids it.

What are you supposed to do?

This announces the arrival of software-as-a-service full disclosure tracking. Organizations that sell us software as a service are not subject to the same requirements as vendors of locally installed, on-premise software. We’ve outsourced the risk, we have no visibility into the process, and we must rely on the vendor and their incident response process to inform us of the vulnerability. It becomes our responsibility to pay attention to the news: I guess it’s our job to create Google alerts for every piece of software as a service that we have a contract on.

If you’d like to talk about this more, come join us Wednesday evening at 6 PM Central. Don’t forget, this counts as one CPE.




… with Freedom Responsibility and Security for All.

Dean Bushmiller


CISSP orientation is in 2 weeks. https://store.expandingsecurity.com/product?catalog=CISSP-lol

RISK orientation is in 2 weeks. https://store.expandingsecurity.com/product?catalog=WOL-OG-RISK-101-M39
