Preview In Devices XSS Vulnerabilities (test server)


Hi all,

Our client scans for vulnerability issues per page and found out on test that

http://test-sampleurl.com.ph/PreviewInDevices/Preview.aspx

is vulnerable to:

Cross-site Scripting (XSS)

Unencrypted communications

What should I do to prevent the PreviewInDevices vulnerability issue before/after deploying to the live server?

BTW, PreviewInDevices was an OutSystems built-in page.

I think PreviewInDevices is not built for use in Production.

It's just for development and debugging.

Harlin Setiadarma wrote:

I think PreviewInDevices is not built for use in Production.

It's just for development and debugging.


Hi Harlin,

I recently tried to rename the URL used by Preview in Devices from test to our live server, and it's accessible

from

https://test-sampleurl.com/PreviewInDevices/?DeviceName=Smartphone&URL=/samplehome/Home.aspx?

to

https://live-sampleurl.com/PreviewInDevices/?DeviceName=Smartphone&URL=/samplehome/Home.aspx?

I can access the Preview in Devices using the production URL,

so it was deployed on the production server and I assume, if our client scans in production, more likely there will be a vulnerability issue again.


Can the Preview in Devices be deleted in production?

Hi Sherwin,


Is your Production environment "Running Mode" set to "Production"? You can check this configuration in Service Center -> Administration -> Environment Configuration.


If the running mode is set to Production and yet preview in devices is available, it is because the site property "AvailableInProductionMode" is set as "True" in PreviewInDevices eSpace. Change its value to false if you want to make it unavailable.


IG  

Ivo Gonçalves wrote:

Hi Sherwin,


Is your Production environment "Running Mode" set to "Production"? You can check this configuration in Service Center -> Administration -> Environment Configuration.


If the running mode is set to Production and yet preview in devices is available, it is because the site property "AvailableInProductionMode" is set as "True" in PreviewInDevices eSpace. Change its value to false if you want to make it unavailable.


IG  

Hi Sir Ivo,


We've checked on production but didn't find any 'AvailableInProductionMode' site property.


Hi Sherwin,


I've looked at the change log and "PreviewInDevices" is disabled by default in production environments starting with version 10.0.408.0. As far as I can understand, you are still running an older version (10.0.405.0).

https://success.outsystems.com/Support/Release_Notes/Platform_Server/Platform_Server_10.0.408.0 


If you want to leverage this new improvement you need to update your platform server. My recommendation is that you reach out to OutSystems support to get an official answer.


IG