.tst><svg/onload =alert(document.domain)  > ??? What was this?

Hi,

Did you notice a strange entry in yesterday's OutSystems Community Digest (April 4th)?
And what was that JavaScript in the subject?
Could it be someone hacking the OutSystems website?

Well, OutSystems is indeed working with ethical hackers to further strengthen the security of our web properties. These "good attacks" can create posts like this one, which look strange even when harmless (as was the case here).

If you are still curious or intrigued, let's continue the discussion.

Joao
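For readers who want to see why a title like the one in the subject line is harmless only if it is rendered correctly, here is an added example (not code from the OutSystems site or from the thread's author). It uses the payload from the thread title as a constructed sample post title, shows the difference between concatenating it straight into digest markup and HTML-encoding it for the text context, and adds a simple server-side check that flags titles carrying an inline event handler before they reach a digest. The function names and the regular expression are my own assumptions, not anything the page describes.

```javascript
// Constructed sample titles. The first reproduces the payload seen in the
// thread subject; the second is a benign title that legitimately contains
// angle brackets and must NOT be flagged or mangled.
const SUSPICIOUS_TITLE = '.tst><svg/onload =alert(document.domain)  > ??? What was this?';
const BENIGN_TITLE = 'How do I style the <Input> widget when a > b ?';

// Escape the characters that change meaning in an HTML text or attribute
// context. Everything else passes through untouched.
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// Vulnerable rendering (assumed, for illustration): the stored title is
// concatenated straight into the markup, so a mail client or browser that
// renders it sees a real <svg onload=...> element and runs the handler.
function renderDigestEntryUnsafe(title) {
  return `<li class="digest-item">${title}</li>`;
}

// Hardened rendering: same template, but the title is encoded for the text
// context. The payload survives as visible text and is never parsed as a tag.
function renderDigestEntry(title) {
  return `<li class="digest-item">${escapeHtml(title)}</li>`;
}

// Heuristic detector: a '<', a tag name, then whitespace OR a '/' (the payload
// uses "<svg/onload", where '/' separates tag and attribute), then an on*
// attribute with optional spaces before '='. Useful for quarantining a post
// for review; output encoding above is still the actual fix.
const EVENT_HANDLER_IN_TAG = /<\s*[a-z][\w:-]*[\s/][^>]*\bon[a-z]+\s*=/i;

function looksLikeMarkupInjection(title) {
  return EVENT_HANDLER_IN_TAG.test(title);
}

// Stand-alone demonstration.
for (const t of [SUSPICIOUS_TITLE, BENIGN_TITLE]) {
  console.log('flagged:', looksLikeMarkupInjection(t));
  console.log('unsafe :', renderDigestEntryUnsafe(t));
  console.log('safe   :', renderDigestEntry(t));
}
```

Note that the check is deliberately narrow: it recognises the "tag with an inline event handler" shape of this particular payload, including the slash separator and the spaces around `=`, but a denylist like this is only a tripwire. The property that actually protects the digest is that every title is encoded for the context it is emitted into.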


Don't you guys have a QA environment where you can do this type of stuff?
Hi Joao,

Thank you for the question. Let me elaborate.

Yes, of course we do have a QA environment.

Even though the applications are exactly the same across QA and Prod, the security configurations are not (e.g. QA is not exposed to the internet). Our end goal is to get maximum security of the production environment, and hence it makes sense to do ethical hacking there.

By definition and contract, ethical hacking is non-destructive and should not affect the experience of other users. We have been doing this for a while, and this was the first time that these experiments had a visible impact on other users, even if minor. The post was immediately deleted, but not quickly enough to fool the Community Digest ;-).

Thanks for the reply. I was being evil :)

Glad to know you're investing some time fixing security issues. The platform is getting a lot of attention, and there are always people with bad intentions looking around.