page input parameter security

I have many pages with input parameters, and they are visible in the browser URL. Is there any security concern? Can someone hack it? SQL injection, for example, since it is used in the aggregate? Other?

Any option to hide it? A session variable, or any other option?

Hi Linguo,

I also don't have much experience with OutSystems, but you can use a session variable if you don't want to show these variables in the URL. But if you use more session variables, it will increase server memory.

Input variables are the same as the query string in ASP.NET. As far as I know, there is no security problem with input variables.

While using input variables, you just need to make sure that you are not passing sensitive data like passwords, user IDs, etc.

The variables passed around are mostly transaction IDs.

In response to an earlier suggestion: don't use session variables. That might work in "normal" circumstances, but users don't behave like you want them to. They'll open multiple tabs, opening the same page multiple times, and that would cause problems when you rely on session variables.

Security concerns are your own.

You have to validate the parameters if you don't trust them.

By default, those parameters are "safe" for normal aggregates, but if you use Advanced SQL, you have to take care of it yourself.


Otherwise you have to use encryption.

This Forge component helps you with it: https://www.outsystems.com/forge/component/632/urlencryption/

It will be encrypted by IIS, and as a developer you don't have to worry about it in your code.



Hello Linguo You,

We should always avoid putting a lot of information in the URL. An IsEdit input parameter in pages without any validation is an example of a common mistake made by a lot of developers. A lot of times, that information should be determined by some status or conditions in the database.

One thing that we always have to make sure of in more complex applications is to validate on the server side that the user, with the right role, can have access to that specific data.

SQL injection for aggregates is secured, and you can also use the built-in functions from Service Studio easily.

Thank you for bringing up this topic. It's an important one, in my opinion.


Hi Linguo,

One alternative that you have is to use an HTTP POST instead of a GET. This way, the information is not sent in the URL, where it can be tampered with. To do that, simply change the "Method" of your link from "Navigate" to "Submit".

Here is the full guide to understanding this topic: https://medium.com/@jmjames/hiding-ids-in-outsystems-urls-7eea5b5c9ed7


J.Ja

Aurelio Santos wrote:

Hi Linguo,

One alternative that you have is to use an HTTP POST instead of a GET. This way, the information is not sent in the URL, where it can be tampered with. To do that, simply change the "Method" of your link from "Navigate" to "Submit".

This is not secure at all. It can still be tampered with through your browser's developer tools or any little application that can POST HTTP.

J.Ja

Justin James wrote:

Aurelio Santos wrote:

Hi Linguo,

One alternative that you have is to use an HTTP POST instead of a GET. This way, the information is not sent in the URL, where it can be tampered with. To do that, simply change the "Method" of your link from "Navigate" to "Submit".

This is not secure at all. It can still be tampered with through your browser's developer tools or any little application that can POST HTTP.

J.Ja

Hi Justin,

Can you provide an example of how to access/tamper with the parameter values that are sent in the body of a POST?


Try hitting the F12 key in your browser to bring up Developer Tools, and do whatever you want.

Or just write some code in the language of your choice to make an HTTP POST.

J.Ja
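Pulling together the three points made in this thread (validate parameters you don't trust, parameterise anything that reaches Advanced SQL, and decide access and IsEdit on the server from the record and the user's role rather than from the request), here is an added Python example of a server-side handler for a TransactionId page parameter. It is not OutSystems code; the table, the users and the "Admin"/"Customer" roles are constructed for the demo, and SQLite stands in for the database. Because the handler takes a plain dict of request parameters, it makes no difference whether the id arrived in the query string ("Navigate") or the request body ("Submit"): both were chosen by the client and get the same checks.

```python
"""Server-side handling of a page input parameter (added example).

Whether the id comes from the query string or the POST body, the server
(1) validates its shape, (2) looks it up with a parameterised query and
(3) derives visibility and edit permission from the stored record and the
user's role, ignoring any client-supplied IsEdit flag.
"""
import re
import sqlite3
from dataclasses import dataclass

_ID_PATTERN = re.compile(r"[0-9]{1,9}")  # ASCII digits only, length capped


@dataclass
class User:
    user_id: int
    role: str  # constructed roles: "Admin" or "Customer"


class InvalidParameter(ValueError):
    """Parameter does not have the expected shape (answered with 400)."""


class AccessDenied(Exception):
    """Record missing or not visible to this user (answered with 404)."""


def parse_transaction_id(raw) -> int:
    """Accept only a positive integer written as plain digits."""
    if not isinstance(raw, str) or not _ID_PATTERN.fullmatch(raw.strip()):
        raise InvalidParameter("TransactionId must be a positive integer")
    value = int(raw.strip())
    if value == 0:
        raise InvalidParameter("TransactionId must be a positive integer")
    return value


def build_demo_db() -> sqlite3.Connection:
    """In-memory table standing in for a Transaction entity (constructed)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE Txn (Id INTEGER PRIMARY KEY, OwnerId INTEGER,"
                 " Status TEXT, Amount REAL)")
    conn.executemany(
        "INSERT INTO Txn VALUES (?, ?, ?, ?)",
        [(1, 100, "Draft", 10.0), (2, 100, "Posted", 20.0), (3, 200, "Draft", 30.0)],
    )
    return conn


def load_transaction(conn: sqlite3.Connection, user: User, params: dict) -> dict:
    """params is the merged GET/POST parameter dict (all values are strings)."""
    txn_id = parse_transaction_id(params.get("TransactionId"))
    # Bound parameter: the value is never concatenated into the SQL text.
    row = conn.execute(
        "SELECT Id, OwnerId, Status, Amount FROM Txn WHERE Id = ?", (txn_id,)
    ).fetchone()
    if row is None:
        raise AccessDenied("not found")
    txn_id, owner_id, status, amount = row
    # Authorisation comes from the record and the role, not from the request.
    if user.role != "Admin" and owner_id != user.user_id:
        raise AccessDenied("not found")  # same answer as a missing record
    # Edit permission is derived from the stored status; params["IsEdit"] is ignored.
    return {"Id": txn_id, "Status": status, "Amount": amount,
            "IsEdit": status == "Draft"}


def handle_request(conn: sqlite3.Connection, user: User, params: dict) -> dict:
    """Map outcomes to HTTP-style status codes for the page to act on."""
    try:
        return {"status": 200, "body": load_transaction(conn, user, params)}
    except InvalidParameter as exc:
        return {"status": 400, "body": str(exc)}
    except AccessDenied:
        return {"status": 404, "body": "not found"}


if __name__ == "__main__":
    db = build_demo_db()
    customer = User(user_id=100, role="Customer")
    print(handle_request(db, customer, {"TransactionId": "1"}))
    print(handle_request(db, customer, {"TransactionId": "3", "IsEdit": "True"}))
    print(handle_request(db, customer, {"TransactionId": "1abc"}))
```

Two design choices worth noting: a record the user may not see gets the same 404 as a record that does not exist, so the response does not reveal which ids are valid; and the shape check happens before the database is touched, so malformed input is rejected with a 400 and never becomes part of a query.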