.tst><svg/onload =alert(document.domain)  > ??? What was this?
Hi,

Did you notice a strange entry in yesterday's OutSystems Community Digest (April 4th)?
And what was that JavaScript in the subject?
Could it be someone hacking the OutSystems website?

Well, OutSystems is indeed working with ethical hackers to further strengthen the security of our web properties. These "good attacks" can create posts like this, which look strange even when harmless (as was the case here).

If you are still curious or intrigued, let's continue the discussion.

Joao
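The digest entry shows a post title that was copied into an e-mail subject without being encoded, so the `<svg/onload=...>` fragment survived as markup. The following Python is an added example (not OutSystems code) of the two defensive steps a digest builder would take: flag titles that carry an inline `on*` event handler for moderation, and HTML-escape every user-controlled title before embedding it. Only the first sample title comes from this thread; the rest are constructed.

```python
import html
import re

# Post title from the thread above, as it appeared in the digest.
DIGEST_TITLE = ".tst><svg/onload =alert(document.domain)  > ??? What was this?"

# Constructed sample titles for the walkthrough; only the first is from the page.
SAMPLE_TITLES = [
    DIGEST_TITLE,
    "How do I configure SMTP in Service Center?",
    '<img src=x onerror="alert(1)">',
    "Use <b>bold</b> in a rich text widget?",
]

# Matches an on<event> attribute inside a tag, tolerating the whitespace
# before "=" that the digest entry showed ("onload =alert(...)").
EVENT_HANDLER_RE = re.compile(r"<[^>]*\bon[a-z]+\s*=", re.IGNORECASE)


def has_inline_event_handler(text: str) -> bool:
    """Flag titles carrying a tag with an inline on* handler (a stored-XSS test marker)."""
    return EVENT_HANDLER_RE.search(text) is not None


def render_digest_line(title: str) -> str:
    """Output-encode a user-controlled title before embedding it in digest HTML.

    html.escape converts <, >, &, " and ' so the browser (or mail client)
    renders the payload as literal text instead of parsing <svg onload=...>.
    """
    return f"<li>{html.escape(title, quote=True)}</li>"


def triage_titles(titles):
    """Return (title, flagged, rendered) per title: every title is encoded,
    and flagged ones would additionally be routed to a moderation queue."""
    return [(t, has_inline_event_handler(t), render_digest_line(t)) for t in titles]


if __name__ == "__main__":
    for title, flagged, rendered in triage_titles(SAMPLE_TITLES):
        print(f"{'FLAG' if flagged else 'ok  '} {rendered}")
```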


2018-05-16 11-16-36
João Heleno
MVP
Don't you guys have a QA environment where you can do this type of stuff?
2015-05-05 17-20-51
João Santos
Hi Joao,

Thank you for the question. Let me elaborate.

Yes, of course we do have a QA environment.

Even though the applications are exactly the same across QA and Prod, the security configurations are not (e.g. QA is not exposed to the internet). Our end goal is maximum security for the production environment, and hence it makes sense to do ethical hacking there.

By definition and contract, ethical hacking is non-destructive and should not affect the experience of other users. We have been doing this for a while, and this was the first time that these experiments had a visible impact on other users, even if minor. The post was immediately deleted, but not quickly enough to fool the Community Digest ;-).

2018-05-16 11-16-36
João Heleno
MVP
Thanks for the reply. I was being evil :)

Glad to know you're investing some time fixing security issues. The platform is getting a lot of attention, and there are always people with bad intentions looking around.


