page input parameter security

i have many pages with input parameters and they are visible in the browser url, is there any security concern? can someone hack it? SQL injection for example, since it is used in the aggregate? other?

any option to hide it, session variable, any other option

 

Hi Linguo,

I also don't have much experience with outsystems but you can use session variable if you doe's want to show this variables into url. But if you use more session variable then it will increase server memory.

Input variables are same like query string in asp.net. As I know their is no security problem with input variables.

While using input variables you just need to make sure that you are not passing sensitive data like password, user id, etc.

The variables passed around are mostly transaction ids

In response to an earlier suggestion: don't use session variables. That might work in "normal" circumstances, but users don't behave like you wan't them to. They'll open multiple tabs, opening the same page multiple times and that would cause problems when you rely on session variables.

security-concerns is your own.

you have to validate the parameters if you don't trust them.

by default, those parameters are "safe" for normal aggregates, but if you use adv. sql, you have to take care of it yourself.


Otherwise you have to use encryption, 

This forge-component helps you with it. https://www.outsystems.com/forge/component/632/urlencryption/

It will be encrypted by IIS and as a developer you don't have to worry about it in your code.



Hello Linguo You,

We should always avoid using a lot of information in the URL. IsEdit input parameter in pages without any validation is an example of a common mistake by a lot of developers. A lot of times, that information should be determined by some status or conditions in the database.

One thing that we always have to make sure in more complexe applications, is to validate in the server side if the user, with the right role, can have access to that specific data. 

SQL Injection for aggregates are secured and you can also use the built-in functions from service studio easily.

Thank you for bringing this topic. It's an important one in my opinion.


Hi Linguo,

One alternative that you have is to use an HTTP POST instead of a GET. This way, the information is not sent in the URL, where it can be tampered with. To do that, simply change the "Method" of your link from "Navigate" to "Submit".

Here is the full guide to understanding this topic: https://medium.com/@jmjames/hiding-ids-in-outsystems-urls-7eea5b5c9ed7


J.Ja

Aurelio Santos wrote:

Hi Linguo,

One alternative that you have is to use an HTTP POST instead of a GET. This way, the information is not sent in the URL, where it can be tampered with. To do that, simply change the "Method" of your link from "Navigate" to "Submit".

This is not secure at all. It can still be tampered with through your browser's developer tools or any little application that can POST HTTP.

J.Ja

Justin James wrote:

Aurelio Santos wrote:

Hi Linguo,

One alternative that you have is to use an HTTP POST instead of a GET. This way, the information is not sent in the URL, where it can be tampered with. To do that, simply change the "Method" of your link from "Navigate" to "Submit".

This is not secure at all. It can still be tampered with through your browser's developer tools or any little application that can POST HTTP.

J.Ja

Hi Justin,

Can you provide an example on how to access/tamper with the parameters values that are sent in the body of a post?


Try hitting the F12 button on your browser to bring up Developer Tools, and do whatever you want.

Or just write some code in the language of your choice to make an HTTP POST.

J.Ja

Use a token as an extra parameter to the query string that is validated in the preparation of the page

1) Build a function that receives the inputs and return a token based in the hash of the concat of the inputs and a private key

2) Pass the token as an extra input

3) Build a function that receives the inputs and the token of step 1 and repeat the step 1) to generate a second token

4) The 2 tokens must be equal to make it a valid request


Worked for me

Linguo You wrote:

i have many pages with input parameters and they are visible in the browser url, is there any security concern? can someone hack it? SQL injection for example, since it is used in the aggregate? other?

any option to hide it, session variable, any other option

 

Hi,

You can encrypt and decrypt the parameters use the following steps:


1. Add BinaryData dependency in the application module:


2. In the receiving page, create an Input Parameter. This will hold the obfuscated string.


3. In the preparation of the receiving page, You need to decode this information. First you should create a structure of the data that you expect:



4. The data that is sent in query string is a Base64 encoded string, so the flow would be to convert Base64ToBinary -> BinaryDataToText -> JSONdecode -> HelloWorld local variable. Here is what the preparation looks like:

5. Now on the request side, I need to wrap all the information into a single query string.



6. To do that, the button would call a screen action, that would collect all the information and run JSONserialize -> TextToBinaryData -> BinaryToBase64:


7. User is then redirected to the page with QueryStringPayload as the parameter.


The above method won't hide the string but will encrypt it so user who uses the application can't change the input parameters or tamper with them.


I hope you will achieve this if any question do reply.


Regards,

Manthan Shah.