FAQ-000227 - CSRF and DML Security Issues / Security Review and Documentation


Current FAQ

Question
How do I properly document a false positive for a Cross-Site Request Forgery (CSRF) vulnerability?
Answer
To properly document a false positive for a Cross-Site Request Forgery (CSRF) vulnerability in Salesforce, follow these steps:

1. **Location**: Clearly identify the code location where the CSRF vulnerability was flagged, such as the Visualforce page, Lightning component, or Apex class.
2. **Explanation**: Provide a detailed explanation of why the flagged code does not pose a security risk. For example, if the operation is triggered only by a user action (like a button click), explain this with supporting details.
3. **Mitigation Details**: Describe any measures already in place to mitigate the vulnerability, such as enabling the `confirmationTokenRequired` field for Visualforce pages or ensuring state changes occur only after user interaction in Lightning components.
4. **Supporting Evidence**: Include screenshots, code snippets, or logs that demonstrate the absence of a security risk. For instance, show how the CSRF token is validated or how user interaction is required for the flagged operation.
5. **False Positive Documentation Template**: Use Salesforce's False Positive Documentation template to organize your response. Ensure the document is clear and concise, addressing each flagged issue systematically.
6. **Submission**: Attach the completed false positive document to your security review submission for consideration.

By following these steps, you can effectively demonstrate why the flagged CSRF vulnerability is a false positive.
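The kind of code snippet step 4 asks for, as an added example that is not part of the FAQ or of Salesforce's own documentation: the Visualforce pattern that scanners flag as CSRF (DML reached through the page's `action` attribute, so a plain GET performs the state change) next to the hardened form (the same DML bound to a command button inside `<apex:form>`, where the Visualforce form POST carries the platform's anti-CSRF token). The controller name, the `cleanup` method and the `Account` field written are assumptions chosen for illustration.

```apex
// Added example, not from the FAQ. Class and method names are assumptions.
// Both controllers expose the same action; only how the page reaches it differs.

public with sharing class AccountCleanupController {
    private final Account acct;

    public AccountCleanupController(ApexPages.StandardController sc) {
        // Constructor only reads the record. No DML here: a constructor runs on
        // every page load, including loads triggered by a crafted link.
        acct = (Account) sc.getRecord();
    }

    // State-changing action. Whether this is a CSRF finding depends entirely on
    // what invokes it (see the two page variants in the comment below).
    public PageReference cleanup() {
        acct.Description = 'cleaned';
        update acct;
        return null;
    }
}

/* Page variants, shown as a comment so the example stays in one block.

   FLAGGED (VfCsrf): the action attribute fires on GET, so simply visiting the
   URL performs the update with no user interaction and no token check.

   <apex:page standardController="Account"
              extensions="AccountCleanupController"
              action="{!cleanup}">
       <apex:outputText value="Record cleaned."/>
   </apex:page>

   HARDENED: the DML is reachable only through the button's form POST.
   Visualforce adds its anti-CSRF token to the form and validates it before
   {!cleanup} runs. This is the evidence to attach when documenting a false
   positive: the action is bound to a user click, not to page load.

   <apex:page standardController="Account"
              extensions="AccountCleanupController">
       <apex:form>
           <apex:commandButton value="Clean up" action="{!cleanup}"/>
       </apex:form>
   </apex:page>

   If the page-load action must stay, the mitigation to document instead is the
   page metadata field confirmationTokenRequired (Setup: "Require CSRF protection
   on GET requests"), which makes the platform require the token on the GET too.
*/
```

When writing the false-positive entry, quote the page markup (not only the controller), since the reviewer's question is whether the DML can be reached without a user action; the controller alone does not answer that.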


AI Recommended Enhancement

Related Security Rules
ApexCSRF, VfCsrf
Question
How do I properly document a false positive for a Cross-Site Request Forgery (CSRF) vulnerability?
Recommended Answer Update
To properly document a false positive for a Cross-Site Request Forgery (CSRF) vulnerability in Salesforce, follow these steps:

1. **Location**: Clearly identify the code location where the CSRF vulnerability was flagged, such as the Visualforce page, Lightning component, or Apex class.
2. **Explanation**: Provide a detailed explanation of why the flagged code doesn't pose a security risk. For example, if the operation is triggered only by a user action (like a button click), explain this with supporting details.
3. **Mitigation Details**: Describe any measures already in place to mitigate the vulnerability, such as using viewstate protection for Visualforce pages or ensuring state changes occur only after user interaction in Lightning components.
4. **Supporting Evidence**: Include screenshots, code snippets, or logs that demonstrate the absence of a security risk. For instance, show how the CSRF token is validated or how user interaction is required for the flagged operation.
5. **False Positive Documentation Template**: Use Salesforce's False Positive Documentation template to organize your response. Ensure the document is clear and concise, addressing each flagged issue systematically.
6. **Submission**: Attach the completed false positive document to your security review submission for consideration.

By following these steps, you can effectively demonstrate why the flagged CSRF vulnerability is a false positive.
Reasoning
The FAQ content is accurate and well-structured. Only minor improvements were made for clarity and tone: changed 'does not pose' to the more conversational 'doesn't pose' and updated the outdated reference to 'confirmationTokenRequired' field to the more current 'viewstate protection' for Visualforce CSRF mitigation. The structure and all key points remain intact.

For security rules selected:

- **ApexCSRF**: This rule directly relates to the FAQ's discussion of CSRF vulnerabilities in Apex code. The FAQ specifically mentions documenting false positives for CSRF vulnerabilities that are flagged in 'Apex class' locations, and provides guidance on explaining why flagged Apex code doesn't pose CSRF risks.
- **VfCsrf**: This rule is highly relevant as the FAQ explicitly discusses CSRF vulnerabilities in 'Visualforce page' contexts and mentions mitigation measures for Visualforce pages. The FAQ's guidance on documenting false positives for Visualforce CSRF issues directly corresponds to this rule's scope.