Hi Everyone,

Please tell me if I've posted this at the wrong place and I will fix it ASAP.

Currently I have a team of developers creating applications via Outsystems. Our current network topology requires us to have a Web Application Firewall (WAF) in front of the Outsystems server.

However, we have two problems with this configuration.

1. Every time we try to edit the database through the application, the WAF will flag this as SQL Injection and block the website

2. We created a button so that when we click said button, pictures that have been uploaded get zipped and downloaded. However, every time we click the button, the browser shows "Uploading" and the WAF blocks the site with the error: "Malformed Request"

Does anyone know what we might be doing wrong and how to fix it?

Thanks in advance.

In (1), you say "edit the database through the application". Are you referring to your web application? Or to Service Studio? If you mean your web application, why would you "edit the database" through the application? As opposed to adding or updating data, which should not trigger any sort of SQL Injection warning.

I'm assuming from the information you've provided that you are running in a self-managed (i.e. on-prem) OutSystems infrastructure...is that correct?

For (2), you may need to provide more information on exactly what you're trying to do, and how you've implemented it, as well as any error messages from the server side. There's really not enough information in what you've posted so far to give you a useful answer.

If you have not already, I would also recommend getting permission to briefly deactivate the WAF so you can verify if both issues are resolved when the WAF is not active.

Hi Andrew,

Thank you for your reply, and apologies for my late reply.


For (1) this is what my dev said, what they are trying to do seems to be changing the configuration to access the database from the Service Center. I'm guessing they are not trying to change the actual DB.


For (2), we have a system where we require users to upload a few photos of themselves with some documents as a means of verification. We are trying to download these photos in the "zip" format. My devs are using the "ZIP" plugin from Outsystems. This is where this gets weird. My dev tells me that the behavior of the zip plugin is

a. Download the photos to the local computer cache

b. ZIP the photos in the local computer by calling a function

c. Upload the said zip file to the server

d. Re-download the files as zip compressed file.

I've told them that this sounds ridiculous but they're saying that this is the fault of the plugin. I'm guessing the problem comes when they are trying to upload a file to the server... do you have any idea?


Please tell me if you need any further information and I will try to get them from my dev.


Thank you very much for your help.

I really appreciate it.


Alex

Hi Alexander,

Regarding (1) above,

  • From Service Center, you can define database configurations, but I don't see how changing hostname, credentials or connection screen would be flagged as SQL injection by a WAF;
  • From Service Studio, your developers can create and delete Entities, or add/modify/remove their attributes. Entities are mapped to database tables, and attributes to database table columns, so when you publish a module their new definition will cause the platform server to alter the structure of the tables that were changed. Again this should not be seen as SQL injection by a WAF;
  • Finally, your developers may be trying to execute SQL on the applications they are developing to alter the structure of the database tables. The platform actually blocks this, so I'm not sure how it would reach a situation where the WAF would get involved.
  • If the applications developed in OutSystems are adding/updating/deleting data, that would generate SQL to be executed. It would be possible to perform explicit SQL Injection if you are using the SQL tool, but you need to explicitly activate that option on the input parameters you don't want encoded/sanitised. Do you think this might be the case? Otherwise the platform takes measures to ensure there is no SQL injection.

You need to give us more information on what they are trying to do, what kind of errors they are getting and which system is generating them; otherwise I don't think we can be of much help.

As for (2), there is no Zip "plugin" from OutSystems, but there is an extension that comes with the platform. All extensions run only server-side, so the sequence they are describing doesn't make much sense. We'd need to understand what the button is actually submitting in order to maybe guess what the WAF is doing. Could it be it is removing the file binaries from the upload? 
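The point in the reply above about the SQL tool, that an input parameter only becomes an injection risk once you switch off encoding for it and expand it inline into the statement, is easiest to see side by side. The following is an added example written for this thread, not code from OutSystems or from anyone in the discussion; it uses Python's sqlite3 module with a constructed "users" table to contrast a bound parameter (treated as data by the driver) with the same value expanded inline into the SQL text:

```python
"""Added example (not from the thread or from OutSystems): why a query
parameter that is bound as data cannot alter the statement, while the
same value expanded inline into the SQL text can. The table, rows and
inputs below are constructed for the demonstration."""
import sqlite3


def make_db() -> sqlite3.Connection:
    # Constructed sample data: a small in-memory "users" table.
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, active INTEGER)"
    )
    conn.executemany(
        "INSERT INTO users (name, active) VALUES (?, ?)",
        [("alice", 1), ("bob", 1), ("carol", 0), ("O'Brien", 1)],
    )
    return conn


def find_user_bound(conn: sqlite3.Connection, name: str) -> list:
    """Parameter bound as data: the driver never parses `name` as SQL."""
    rows = conn.execute(
        "SELECT name FROM users WHERE name = ? AND active = 1 ORDER BY name",
        (name,),
    )
    return [r[0] for r in rows]


def find_user_inline(conn: sqlite3.Connection, name: str) -> list:
    """Parameter expanded inline into the statement text: the pattern that
    corresponds to switching encoding off for an input of the SQL tool."""
    sql = f"SELECT name FROM users WHERE name = '{name}' AND active = 1 ORDER BY name"
    rows = conn.execute(sql)
    return [r[0] for r in rows]


def compare(name: str) -> dict:
    """Run both forms on the same input and report what each returns."""
    conn = make_db()
    try:
        inline = find_user_inline(conn, name)
    except sqlite3.Error as exc:
        # An apostrophe in ordinary data already breaks the inline form.
        inline = f"error: {exc}"
    return {"bound": find_user_bound(conn, name), "inline": inline}


if __name__ == "__main__":
    # Ordinary input: both forms agree.
    print(compare("alice"))
    # Legitimate name with an apostrophe: bound works, inline is a syntax error.
    print(compare("O'Brien"))
    # Constructed input with a quote and a comment marker: the bound form looks
    # for a user literally named that and finds nothing; the inline form has
    # its WHERE clause rewritten and returns every row, inactive ones included.
    print(compare("x' OR 1=1 --"))
```

The third call is the case the reply warns about: the platform's default encoding is what keeps the input on the "data" side of that line, so the option to disable it should be reserved for parameters whose value the application itself builds, never for user-supplied text.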

Hi Jorge,


Thank you very much for your help and comments.

Apologies for my very late reply.

It took me a while to communicate with my Devs.


For (1)

According to them, 

"From Service Center, you can define database configurations, but I don't see how changing hostname, credentials or connection screen would be flagged as SQL injection by a WAF;"

is the only thing that they are trying to do. 

I have a very amateur question if you don't mind: is the Service Center supposed to be accessed from the user side, or is it supposed to be a development/maintenance tool? Or is there a parameter or something that needs to be set in the WAF to stop this flagging by the WAF?


For (2)

Seems like what they are using came from the OutSystems Forge, specifically this URL:

forge/component-overview/72/file-compressor-zip

Although that URL stated that it's not compatible with Outsystems 6 and beyond, alas I have no idea which version is currently being used by the Dev. I will update when I get more information from them.


Thank you very much for your kind help.

Really really appreciate it.


Alex

With respect to Service Center, it's a web-based administration tool that is specific to each environment (i.e. dev, test, prod) within an OutSystems infrastructure. It's used by whoever is responsible for managing those environments, and (among other things) is used to create and manage connection strings to external databases used by the applications running in those environments.

Alex,

As is clearly stated by the component you linked to, it comes pre-installed with the platform since 2011 (meaning your developers shouldn't be using it, unless they are developing in the 9-year-old OutSystems Agile Platform 5 or earlier) and, regardless, by itself will not have the behaviour you quoted, so more detail is required as to how they are using it.

As for the Database Connection creation/change via ServiceCenter, can you please find out what is the actual problem reported by WAF? (exact message/log would be helpful to better understand where/why the WAF is blocking it)

Hi Andrew,

Thank you very much for your explanation.


Hi Jorge,

I've attached the Attack Log from the WAF with this reply. The WAF that is being used in the environment is from Fortinet. 

Regarding the ZIP problem, I'm also still waiting for further explanation from the Dev so that I can post it here.


Thank you very much for all your help.

Really sorry that this is a slow moving conversation.


Alex


Hi Alexander, 

It seems the WAF flagged a web request to DatabaseConnections_list.aspx as a potential SQL injection. It seems that this alert has nothing to do with the purpose of the page. The page happens to deal with database connections, but I suppose the alert would still be raised if this page was related to color schemes, for instance.

WAFs are not perfect, and thus have false positives. In other words, not all alerts are real, because the heuristics used by WAFs are not 100% accurate.


So, what happens now?

- You need to work with your WAF vendor to confirm if the alert is accurate or not. If it is accurate, and you can demonstrate that there is in fact a SQL injection vulnerability in the page, please open a ticket with those details in our Support and we will review and fix if appropriate.


Alternatively, and assuming that you deployed the WAF mostly concerned with attacks from the application end-users, you may change network and WAF configuration to make the WAF ignore the traffic to Service Center, and block users outside of the network where your developers work from accessing Service Center.
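The two changes suggested in the reply above (stop enforcing injection signatures on Service Center traffic, and only let the developers' network reach Service Center at all) can be modelled in a few lines. The following is an added example written for this thread, not Fortinet or OutSystems code and not a real WAF rule syntax: it runs a deliberately naive SQL-injection signature over constructed request lines, showing how a harmless search term on DatabaseConnections_List.aspx trips it, and then applies the path-plus-source-network policy. The developer CIDR, the "/ServiceCenter/" path prefix and the log format are assumptions made for the example:

```python
"""Added example, not from the thread: a toy model of the policy the last
reply suggests. Exempt the administration console from injection
signatures, and allow that path only from the developers' network.
Request lines, CIDR, prefix and signatures are constructed."""
import ipaddress
import re
from urllib.parse import unquote_plus, urlsplit

# Assumed developer network (placeholder, not from the thread).
DEV_NETWORK = ipaddress.ip_network("10.20.0.0/16")
# Assumed path prefix of the administration console.
ADMIN_PREFIX = "/ServiceCenter/"

# A deliberately naive signature set of the kind that yields false positives.
SQLI_SIGNATURES = [
    re.compile(r"\b(select|union|insert|delete|drop)\b", re.I),
    re.compile(r"--|;|'"),
]

# Constructed access log, one request per line: "client_ip METHOD request_target"
SAMPLE_LOG = """\
10.20.5.17 GET /ServiceCenter/DatabaseConnections_List.aspx?Search=select+server
203.0.113.9 GET /ServiceCenter/DatabaseConnections_List.aspx
203.0.113.9 GET /MyApp/Photos.aspx?Name=O'Brien
203.0.113.9 GET /MyApp/Photos.aspx?Id=1'+union+select+name
10.20.5.17 GET /MyApp/Photos.aspx?UserId=42
"""


def signature_hits(target: str) -> list:
    """Return the patterns that match the decoded query string of a request."""
    query = unquote_plus(urlsplit(target).query)
    return [sig.pattern for sig in SQLI_SIGNATURES if sig.search(query)]


def decide(client_ip: str, target: str) -> str:
    """Return 'allow', 'allow:log-only' or 'block:<reason>' for one request."""
    ip = ipaddress.ip_address(client_ip)
    path = urlsplit(target).path
    hits = signature_hits(target)

    if path.startswith(ADMIN_PREFIX):
        # The console is reachable only from the developer network at all.
        if ip not in DEV_NETWORK:
            return "block:admin-path-from-outside-dev-network"
        # From inside it, signature matches are recorded but not enforced,
        # so the legitimate search term on the connections page goes through.
        return "allow:log-only" if hits else "allow"
    # End-user application traffic: signatures are enforced for everyone.
    return f"block:signature:{hits[0]}" if hits else "allow"


def process_log(log: str) -> list:
    """Apply decide() to every constructed log line."""
    decisions = []
    for line in log.splitlines():
        ip, _method, target = line.split()
        decisions.append((ip, urlsplit(target).path, decide(ip, target)))
    return decisions


if __name__ == "__main__":
    for ip, path, verdict in process_log(SAMPLE_LOG):
        print(f"{ip:<14} {path:<50} {verdict}")
```

The third sample line is worth noticing: a surname with an apostrophe is blocked by the same naive signature, which is the "heuristics are not 100% accurate" point from the reply. The policy model only removes that noise for the console path; tuning the signature for the public application is still a conversation to have with the WAF vendor, as the reply says.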