OWASP Top 10 2013 for Outsystems 9

Based on this forum post, I created an initial overview of the OWASP Top 10 (2013) of security risks and solutions in Outsystems 9.

Let's start a discussion on the suggested solutions and see if we can create a complete and correct overview.

OWASP Top 10 (2013): https://www.owasp.org/index.php/Top_10_2013-Top_10

A1: Injection

Parameters in SQL Elements which have Expand Inline set to 'Yes' must be escaped in the application.
From the manual: When using this technique you should take special measures to prevent malicious SQL statements from running on your database (SQL injection). To avoid such scenarios you should use the 'EncodeSql' built-in function on the arguments that will be expanded inline in the query.

A2: Broken Authentication and Session Management

Credentials are always protected, the session ID is not exposed in the URL, sessions time out, users can log out at any time, etc. All of this is built into the platform and nothing needs to be done.

A3: Cross-Site Scripting (XSS)

Working with un-escaped expressions without encoding untrusted variables (e.g. user input) compromises end-user security by allowing JavaScript injection as well as cross-site scripting. To avoid these risks, you need to encode the un-escaped values using 'EncodeJavascript' or 'EncodeHtml'.

A4: Insecure Direct Object References

Access control must be managed at the application level. Capabilities to do this are built into the Outsystems Platform through Roles. You can apply roles to web screens.

A5: Security Misconfiguration

There are notifications of Outsystems software upgrades and checklists to update them to ensure there is no misconfiguration at the application level.
The web server configuration needs to be checked separately for any misconfiguration at the server level.

A6: Sensitive Data Exposure

Support for SSL is built into the Outsystems Platform and should be turned on for every environment.
Cryptography must be managed at the application level for all sensitive data.
The headers mentioned in this URL can be used to protect sensitive data provided by/sent to the browser.

A7: Missing Function Level Access Control

Access control must be managed at the application level. Capabilities to do this are built into the Outsystems Platform through Roles. You can apply Roles to Web Screens.
Disable the Registered access on all Web Screens and explicitly grant access for specific roles.

A8: Cross-Site Request Forgery (CSRF)

This is managed by the OS Platform by enabling the ViewState by default.

A9: Using Known Vulnerable Components

This is partly managed by the OS Platform. When a different version of jQuery is used in a component than the default of the platform, the platform will show a warning related to the out-of-date version in the component. For other 3rd party components the developer should create a list with the version used and regularly check the 3rd party for updates / security vulnerabilities.
When adding the components to the platform, try adding them with a wrapper that only exposes the necessary functionality and not all functionality by default.

A10: Unvalidated Redirects and Forwards

When redirects are needed, they must be managed at the application level by the developer.

Avoid using user parameters in the URL redirect and, if necessary, use mapped values (using static lookups) to validate the user input. The authorization is handled by the platform.

Thanks to Joao Santos I've an update to A8: Cross-Site Request Forgery (CSRF):
  • Use CryptoAPI.GenerateAESKey (with at least 128 bits) to create a token on session start, and assign it to a session variable;
  • Add a hidden field to a common web block with the value of the session variable;
  • Validate the hidden field against the session variable in OnBeginWebRequest. To avoid having different logic for the first session page (and make the code slightly more efficient), I run the validation only for POST requests.
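The synchronizer-token check described in the update above, as an added Python example that is not part of this post or of the Outsystems platform. The Session class, the session variable name CsrfToken, the hidden field name and the three handler functions are assumptions standing in for the platform's session, common web block and OnBeginWebRequest.

```python
import hmac
import html
import secrets

TOKEN_BYTES = 16  # 128-bit random token, the minimum the update recommends


class Session:
    """Hypothetical stand-in for the platform session: a dict of session variables."""

    def __init__(self):
        self.vars = {}


def on_session_start(session):
    """Generate the token once per session and keep it in a session variable."""
    session.vars["CsrfToken"] = secrets.token_hex(TOKEN_BYTES)
    return session.vars["CsrfToken"]


def render_hidden_field(session):
    """Hidden input the common web block emits on every page (value HTML-encoded)."""
    value = html.escape(session.vars.get("CsrfToken", ""), quote=True)
    return f'<input type="hidden" name="CsrfToken" value="{value}">'


def on_begin_web_request(session, method, form):
    """Return True if the request may proceed.

    Only POST requests are validated, so the first GET of a session (before
    any form carrying the token exists) passes unchanged. A POST with a
    missing, stale or foreign token is rejected.
    """
    if method != "POST":
        return True
    expected = session.vars.get("CsrfToken")
    submitted = form.get("CsrfToken", "")
    if not expected or not isinstance(submitted, str):
        return False
    # Constant-time comparison so the token cannot be recovered via timing.
    return hmac.compare_digest(expected.encode(), submitted.encode())
```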
FYI, based on an internal brownbag about securing your applications (largely inspired by OWASP Top 10), the following content was produced, which also teaches how to address OWASP Top 10 vulnerabilities. Check it out!