Security questions about the Marketo forms we embedded on our WP website | Community
Skip to main content
Eve_Yu
Eve_Yu
New Participant
November 21, 2023
Solved

Security questions about the Marketo forms we embedded on our WP website

  • November 21, 2023
  • 2 replies
  • 1934 views

We just scanned our WP website to check the security issues, and we found two issues related to Marketo forms. Do you have any solutions to resolve them? 

  1. Script Src Integrity Check: app-ab24.marketo.com/js/forms2/js/forms2.min.js can't generate SRI Hash, so, we can't pass this check.  FYI, the description of this check: The remote host may be vulnerable to payment entry data exfiltration due to javascript included from potentially untrusted and unverified third parties script src.
  2. CGI Generic Cross-Site Request Forgery Detection: it is also related to Marketo forms, the problem shows that on the pages we used Marketo forms. CGIs are not protected by a random token. 

Any solutions?  

This post is no longer active and is closed to new replies. Need help? Start a new post to ask your question.
Best answer by SanfordWhiteman
  1. Script Src Integrity Check: app-ab24.marketo.com/js/forms2/js/forms2.min.js can't generate SRI Hash, so, we can't pass this check.  FYI, the description of this check: 

There’s no reason you can’t generate an SRI hash for that file. Of course if the file changes (i.e. is updated by Marketo, as naturally happens) your hash will become invalid, which is exactly what should happen.

 

Your choice is either (a) to monitor the file for changes and change the hash immediately or (b) make a copy of the file, upload it to Design Studio, and use that static copy — which of course means you will miss updates.

 

 

2 replies

SanfordWhiteman
SanfordWhiteman
New Participant
November 21, 2023
CGI Generic Cross-Site Request Forgery Detection: it is also related to Marketo forms, the problem shows that on the pages we used Marketo forms. CGIs are not protected by a random token.

There’s no “CGI” (as in cgi-bin) involved here. Sounds like a generic form check.

 

It’s true that Marketo forms don’t use a CSRF token/nonce. This is true of the overwhelming majority of embedded marketing forms from any vendor, though. Such forms are by their nature anonymously submitted and are not considered to pose the danger of, say, an actual web app. (I’m not passing judgment on whether that assessment is correct, but it’s near-universal.) If an attacker wished to submit a Marketo form to your instance, they wouldn’t need to hit the form endpoint directly, they could just embed the form itself!

SanfordWhiteman
SanfordWhitemanAccepted solution
New Participant
November 21, 2023
  1. Script Src Integrity Check: app-ab24.marketo.com/js/forms2/js/forms2.min.js can't generate SRI Hash, so, we can't pass this check.  FYI, the description of this check: 

There’s no reason you can’t generate an SRI hash for that file. Of course if the file changes (i.e. is updated by Marketo, as naturally happens) your hash will become invalid, which is exactly what should happen.

 

Your choice is either (a) to monitor the file for changes and change the hash immediately or (b) make a copy of the file, upload it to Design Studio, and use that static copy — which of course means you will miss updates.

 

 

Terms & ConditionsAccessibility statement

Loading footer...