Monitor the platform health: _ping.aspx or _status.aspx

When I took the Support Engineer course, we discussed these two options for the health check of the platform. From what I recall, one is very simple and could be used to check the internet connectivity; the other made at least a connection to the database to check if the database is also working.


Can someone clarify the difference between them?


@Outsystems - any recommendation on each, and when we should?



Don't know what the difference is, but we have been checking _ping.aspx for years now.

We also check if the OutSystems Windows services are running.

Hi Carlos.

There are the _ping.html and _ping.aspx.

The _ping.html is a static file, so a valid response only tells you that the application server is correctly serving static files (network ok, application deployment ok). You need to be careful with browser caching when testing for this file. Another caveat is that _ping.html includes a hash of the deployed application in its source code. You can check that a new version was deployed by watching changes to this hash.

The _ping.aspx is dynamic content, and is used to test if the dynamic runtime on the application server is working (ASP.NET/JSF ok). I think it also tests the database connection, but can't confirm right now.

Hi Carlos,

You should use the Ping url. 

The _status.aspx endpoint is used to monitor end user status (visits/sessions) and not platform health.

best regards,

Hélio

Hi Helio,

Do we have any documentation regarding the above? _status.aspx and ping.aspx were caught as Cacheable HTTPS responses in a security scan.

In order to provide the justification, do we have any documentation for the above?

We are using the OutSystems 10.0.902.0 platform.

Regards,

Manish Jawla

Hi,


None of those pages contain sensitive information so there is no related security concern with them.


Also giving some extra information about any of the pages, they are purposely undocumented as they are meant for internal purposes only.
Any solution that takes advantage of them may break in platform upgrades following the existing disclaimer on download pages:

"OutSystems does not give support to any undesirable behavior you may experience due to the use or manipulation of undocumented components of the OutSystems platform, such as, internal JavaScript, RuntimePlatform library, database system meta-model, components in installation directories, etc."


Regards,
João Rosado

Hi Joao,

I completely agree with you that we should not change any undocumented components of the OutSystems platform, but when you execute the security scan for vulnerability issues, those pages will get caught because they consist of Cacheable HTTPS responses. That is my concern, and it's hard to convince people without any documentation/evidence.

At least at the platform level we should have some sort of documentation stating that these things are not vulnerable.

 

Regards,

Manish Jawla

Hello Manish, 


Even I am facing the same issue as yours. Did anyone manage to get documented proof that marks this as non-vulnerable, or is there a configuration to get rid of this file?


Thanks 

Atul 

Atul, as João Rosado said:

None of those pages contain sensitive information so there is no related security concern with them.


There's no configuration to get rid of the file.

Hi Leonardo, 


Ok. Can I have documentation which states that this is not at all vulnerable, so I can put it forward to my client?


Thanks and Regards 

Atul Patel 

Atul, this is the content of the _ping.aspx:

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN" >
<html>
<head>
<title>ping</title>
</head>
<body>

<p>OutSystems Platform Server is running</p>
</body>
</html>


Being a cacheable response means that the browser may store a copy of this page for an indeterminate amount of time, and an attacker could read such a copy from the browser cache. As you can see by the content, there's no relevant information that an attacker would gain from reading that file.
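
A triage sketch for the "Cacheable HTTPS response" finding discussed in this thread, added here as an example; it is not part of any post and not OutSystems code. It assumes the scanner flags any response without a `no-store` directive, and the function names and sample headers are constructed for illustration.

```python
import re

# Visible text and markup of _ping.aspx as quoted in the thread above.
PING_TEXT = "OutSystems Platform Server is running"
PING_BODY = """<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN" >
<html>
<head>
<title>ping</title>
</head>
<body>

<p>OutSystems Platform Server is running</p>
</body>
</html>
"""

def cache_directives(headers):
    """Parse Cache-Control (header name matched case-insensitively) into a dict."""
    out = {}
    for name, value in headers.items():
        if name.lower() == "cache-control":
            for part in value.split(","):
                key, _, val = part.strip().partition("=")
                if key:
                    out[key.lower()] = val.strip('"')
    return out

def is_storable(headers):
    """Assumption: a scanner flags the response unless no-store is present."""
    return "no-store" not in cache_directives(headers)

def visible_text(html):
    """Drop the <title> and all tags, collapse whitespace."""
    html = re.sub(r"<title>.*?</title>", " ", html, flags=re.I | re.S)
    return " ".join(re.sub(r"<[^>]+>", " ", html).split())

def triage(headers, body):
    """Classify a health-page response for the scan write-up."""
    if not is_storable(headers):
        return "not-cacheable"
    if visible_text(body) == PING_TEXT:
        return "cacheable-static-banner"  # cached copy holds only the fixed status line
    return "cacheable-review-body"        # cached copy holds other content: inspect it

if __name__ == "__main__":
    # Constructed sample headers, not captured from a real server.
    for hdrs in ({"Cache-Control": "private"}, {"Cache-Control": "no-cache, no-store"}):
        print(hdrs, "->", triage(hdrs, PING_BODY))
```

A result of `cacheable-static-banner` records that the cached copy contains only the fixed status line, which is the evidence the posters were asking for; `cacheable-review-body` means the body differs from the quoted page and should be read before the finding is closed.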