Security Enhancements in Zoho CRM API Framework
A heads-up to Zoho CRM API users.
Zoho CRM will be making a few security enhancements to its API framework on April 8, 2017. This enhancement requires API users to encode certain characters in parameter values. The detailed list of characters is given further below. These characters, when used unencoded in parameter values, will no longer be deemed safe after this update.
Therefore, we strongly recommend that you examine your API calls and encode any unsafe characters before APRIL 8, 2017. Failure to do so may result in the breakage of existing API calls.
Why encoding is required
When you use unsafe characters in your API calls, you risk exposing yourself to security issues. Here is a brief description of the vulnerability you are exposed to when unsafe characters are used:
The code that parses the HTTP request line permits invalid characters. This could be exploited, in conjunction with a proxy that may also permit the invalid characters but with a different interpretation, in order to inject data into the HTTP response. By manipulating the HTTP response, an attacker could poison a web-cache, perform an XSS attack, and/or obtain sensitive information from requests other than their own.
For this reason, we are making these security enhancements next month. Hence, you are encouraged to encode unsafe characters in your API calls before April 8, 2017.
Characters to be encoded
Following is a list of safe and unsafe characters. The unsafe ones need to be encoded.
Safe characters that do not need encoding:
- Alphanumerics: [0-9 a-z A-Z]
- Special characters: $ - _ . + ! * ' ( ) ,
- Reserved characters when used for their reserved purposes (e.g. / ? : = &)
Unsafe characters that need encoding:
- ASCII control characters: ISO-8859-1 (ISO-Latin) character ranges 00-1F hex (0-31 decimal) and 7F (127 decimal)
- Non-ASCII characters: the entire "top half" of the ISO-Latin set, 80-FF hex (128-255 decimal)
- Unsafe characters: blank/empty space and " < > # % { } | \ ^ ~ [ ] `
- Reserved characters when NOT USED for their reserved or defined purposes
For example, consider the following URL:
Incorrect URL:
As per the list above, the { in Amelia{Burrows) is an unsafe character. If you do not encode this character, the call will result in an error after the security enhancement.
Instead, it has to be encoded as %7B.
Correct URL:
The incorrect parameter value has been encoded, so the correct URL is as follows:
Refer to the list above to recognize the unsafe characters and encode the ones in your URLs appropriately before April 8, 2017.
How to encode
The following table shows how to encode a parameter value in different languages.
| Language | Script |
| --- | --- |
| Java | URLEncoder.encode("(Last Name:Amelia{Burrows)", "UTF-8"); |
| Ruby | URI::encode("(Last Name:Amelia{Burrows)") |
| PHP | urlencode("(Last Name:Amelia{Burrows)") |
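As an added illustration (not Zoho's code), here is a small Python encoder that follows the safe/unsafe list above exactly, together with an audit helper for checking the query strings of existing API calls before the cut-over date; the host and path in it are constructed placeholders, not a real Zoho CRM endpoint.

```python
import re

# Safe set exactly as listed in the announcement: alphanumerics plus
# $ - _ . + ! * ' ( ) ,  Reserved characters (/ ? : = &) are safe only when
# used for their reserved purpose, so inside a parameter value they are
# encoded like any other unsafe byte.
SAFE = frozenset("0123456789abcdefghijklmnopqrstuvwxyz"
                 "ABCDEFGHIJKLMNOPQRSTUVWXYZ$-_.+!*'(),")
ESCAPE_RE = re.compile(r"%[0-9A-Fa-f]{2}")   # an already-encoded byte


def encode_param(value: str) -> str:
    """Percent-encode every byte of a parameter value outside the safe set.

    Control characters (00-1F, 7F) become one %XX each; non-ASCII text is
    converted to UTF-8 first, so each byte of the ISO-Latin "top half"
    (80-FF) becomes its own escape.
    """
    out = []
    for ch in value:
        if ch in SAFE:
            out.append(ch)
        else:
            out.extend("%%%02X" % b for b in ch.encode("utf-8"))
    return "".join(out)


def find_unsafe(url: str) -> dict:
    """Audit an existing API call: map each query parameter to the unsafe
    characters still appearing unencoded in its raw value.

    An empty dict means the call is already compliant.  The raw query is
    taken with partition() rather than urlsplit() so that an unencoded '#'
    is reported instead of being treated as a fragment marker, and valid
    %XX escapes are stripped first so they are not decoded back into
    unsafe characters.
    """
    problems = {}
    for pair in url.partition("?")[2].split("&"):
        name, _, raw = pair.partition("=")
        remaining = ESCAPE_RE.sub("", raw)   # drop already-encoded bytes
        bad = sorted({c for c in remaining if c not in SAFE})
        if bad:
            problems[name] = bad
    return problems


if __name__ == "__main__":
    # Constructed example call; host and path are placeholders only.
    call = ("https://example.invalid/api/searchRecords"
            "?authtoken=TOKEN&criteria=(Last Name:Amelia{Burrows)")
    print(find_unsafe(call))                  # {'criteria': [' ', ':', '{']}
    print(encode_param("(Last Name:Amelia{Burrows)"))
```

Note that the library calls in the table do not all encode the same set: Java's URLEncoder and PHP's urlencode also encode ( ) and : and turn a space into +, while Ruby's URI::encode leaves ( ) and : alone and was removed in Ruby 3.0 (use CGI.escape or ERB::Util.url_encode there). All of them encode { as %7B, which is what this change requires.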
If you have any questions, please send us an email at support@zohocrm.com