Apex is an on-demand language that extends the Force.com platform by providing the ability to write applications that run on salesforce.com servers. Unlike general-purpose languages such as C# or Java, which can be used to build many different types of applications, Apex is narrower in scope and focused on building business applications. When building an Apex application, or performing a security code review of one, there are some considerations specific to Apex and the Force.com platform that are worth knowing.
SOQL Injection

Concatenating user input directly into a query string, as in the following dynamic SOQL, lets an attacker-controlled value alter the structure of the query. (SOQL has no select-all wildcard; the field list here is the original's illustrative shorthand.)

// Vulnerable: username and password are spliced straight into the query text.
String query = 'select * from users where username = \'' + username + '\' and password = \'' + password + '\'';

Using bind variables instead passes each value to the platform separately from the query text, so a quote or keyword in the input cannot change the query's logic:

// Safe: the values are bound, never interpreted as part of the query.
List<SObject> results = [select * from users where username = :username and password = :password];
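The same distinction carried through to a runnable Apex class, as an added example that is not part of the original post. It assumes the standard Contact object and its LastName field, and that callers pass raw user input as the search term; it also goes beyond the post by covering the case where the query must be assembled at runtime.

```apex
// Added example (not from the original post). Assumes the standard Contact object
// and a caller that forwards raw user input as `term`.
public with sharing class ContactSearch {

    // Vulnerable: the search term is spliced into the query text, so a single quote
    // in the input terminates the literal and the remainder is parsed as SOQL.
    public static List<Contact> searchUnsafe(String term) {
        String q = 'SELECT Id, LastName FROM Contact WHERE LastName LIKE \'' + term + '%\'';
        return Database.query(q);
    }

    // Preferred: static SOQL with a bind variable. The value travels separately from
    // the query text, so quotes in the input cannot alter the query's structure.
    public static List<Contact> searchStatic(String term) {
        String pattern = term + '%';
        return [SELECT Id, LastName FROM Contact WHERE LastName LIKE :pattern];
    }

    // When the query must be assembled at runtime (here the sort order varies), keep
    // the user value bound: Database.queryWithBinds (API 57.0 and later) resolves
    // :pattern from the bind map rather than from the query text.
    public static List<Contact> searchDynamic(String term, Boolean newestFirst) {
        String q = 'SELECT Id, LastName FROM Contact WHERE LastName LIKE :pattern'
                 + ' ORDER BY CreatedDate ' + (newestFirst ? 'DESC' : 'ASC');
        Map<String, Object> binds = new Map<String, Object>{ 'pattern' => term + '%' };
        // USER_MODE additionally enforces the running user's object and field access.
        return Database.queryWithBinds(q, binds, AccessLevel.USER_MODE);
    }

    // Last resort when a value genuinely cannot be bound: escape single quotes before
    // concatenating. This neutralises quote characters only; LIKE wildcards (% and _)
    // still pass through, so the result set can be broader than intended.
    public static String buildEscaped(String term) {
        return 'SELECT Id, LastName FROM Contact WHERE LastName LIKE \''
             + String.escapeSingleQuotes(term) + '%\'';
    }
}
```

In a code review, any Database.query call whose argument is built from request data without a bind variable or String.escapeSingleQuotes is the pattern to flag.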
Cross-Site Scripting (XSS)

Visualforce HTML-encodes merge-field output by default. Setting escape="false" on an output component turns that encoding off, so any user-controlled value rendered through it is written to the page verbatim and can introduce cross-site scripting:

<apex:outputText escape="false">
Cross-Site Request Forgery (CSRF)
Finally, Apex applications hosted on the Force.com platform have the Secure flag set for all sensitive cookies by default. Apex applications can also use "Custom Settings" to store sensitive data such as encryption keys and passwords on the server. When configured correctly, this data will only be available programmatically to the Apex code within the package.
Copyright © 2024 Trustwave Holdings, Inc. All rights reserved.