Hi,

We had a security assessment for an application built by my team. The security vulnerability encountered is unencrypted form data:


The request shows a (partially) used viewstate generated by Outsystems as well as the remaining fields which are still able to be viewed as well as manipulated. It was reported that this behavior has been observed throughout the application and all pages which use a viewstate.

What is the best way to overcome these types of issues?


Thanks in advance.

Hi Ricardo,

As far as I know, you don't have to worry about that, as the platform itself already handles view state encryption. Unless you are on a version of the platform that still does not do this automatically, because I think only from version 9.1.501.0 does the OutSystems Platform encrypt and sign the view state of applications by default.


You have already viewed this document and the safety tips:

You also have this component that encrypts a few things:

Cheers,

Nuno Verdasca

Hi Nuno,

Thanks for the feedback. I'm no security guru myself but as you can see the values in red are actual data being sent to the server. I was also under the impression that they would be encrypted. In this case it might not be super critical but imagine if the form was sending bank information.

I will read the links you provided and try to understand how we can secure this data prior to sending it to the server as to avoid any 'middle man' data interceptions.

Hi Ricardo,

Yes, then leave me feedback on whether the documents I showed you solved your problem. Anyway, I leave you here a document I read yesterday, which talks about Secure Cookies: How to enable secure session cookies and set application cookies as secure.

Cheers,
Nuno Verdasca
Hi Ricardo,

If you turn on these 2 settings in LifeTime, it will be almost impossible to do the man-in-the-middle attack.

You can read on how to do it here. Also you can read about the theory behind it here.

Regards,

Marcelo
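The two replies above point at the same controls: cookies flagged Secure (and HttpOnly) and HTTPS enforced so browsers never send form data in clear text. The script below is an added example, not code from this thread or from OutSystems, that audits a captured HTTP response for exactly those settings. The response text and the cookie names in it are constructed for illustration; substitute a real response captured from your own environment.

```python
"""Audit a raw HTTP response for the transport-security settings discussed
in the thread: Secure/HttpOnly on every Set-Cookie, plus an HSTS header
that keeps browsers on HTTPS.

Added example, not OutSystems code. Both responses below are constructed;
the cookie names 'AppSession' and 'UserPref' are stand-ins for whatever
session/application cookies your application actually sets.
"""
from dataclasses import dataclass


@dataclass
class CookieFinding:
    name: str          # cookie name as it appears in Set-Cookie
    missing: list      # attributes that should be present but are not


def parse_headers(raw_response: str):
    """Split a raw HTTP response into (status line, [(name, value), ...]).

    Header names are lower-cased so lookups are case-insensitive, as they
    are on the wire.
    """
    head, _, _body = raw_response.partition("\r\n\r\n")
    lines = head.split("\r\n")
    headers = []
    for line in lines[1:]:
        if ":" in line:
            name, value = line.split(":", 1)
            headers.append((name.strip().lower(), value.strip()))
    return lines[0], headers


def audit_cookies(headers):
    """Return one CookieFinding per Set-Cookie that lacks Secure or HttpOnly."""
    findings = []
    for name, value in headers:
        if name != "set-cookie":
            continue
        parts = [p.strip() for p in value.split(";")]
        cookie_name = parts[0].split("=", 1)[0]
        # Attribute names only; values such as Path=/ are irrelevant here.
        attrs = {p.split("=", 1)[0].lower() for p in parts[1:]}
        missing = [a for a in ("secure", "httponly") if a not in attrs]
        if missing:
            findings.append(CookieFinding(cookie_name, missing))
    return findings


def has_hsts(headers):
    """True if the response carries a Strict-Transport-Security header."""
    return any(n == "strict-transport-security" for n, _ in headers)


def audit_response(raw_response: str):
    """Summarise the cookie and HSTS checks for one response."""
    _status, headers = parse_headers(raw_response)
    return {
        "cookies_missing_flags": audit_cookies(headers),
        "hsts": has_hsts(headers),
    }


# Constructed sample: the kind of response that fails the assessment.
WEAK_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html\r\n"
    "Set-Cookie: AppSession=abc123; Path=/; HttpOnly\r\n"
    "Set-Cookie: UserPref=dark; Path=/\r\n"
    "\r\n"
    "<html><body>...</body></html>"
)

# Constructed sample: the same response after enabling the controls.
HARDENED_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html\r\n"
    "Strict-Transport-Security: max-age=31536000; includeSubDomains\r\n"
    "Set-Cookie: AppSession=abc123; Path=/; Secure; HttpOnly\r\n"
    "Set-Cookie: UserPref=dark; Path=/; Secure; HttpOnly\r\n"
    "\r\n"
    "<html><body>...</body></html>"
)


if __name__ == "__main__":
    for label, raw in (("weak", WEAK_RESPONSE), ("hardened", HARDENED_RESPONSE)):
        result = audit_response(raw)
        print(f"[{label}] HSTS present: {result['hsts']}")
        for f in result["cookies_missing_flags"]:
            print(f"[{label}] cookie {f.name!r} missing: {', '.join(f.missing)}")
```

Run it against a response saved from the browser's network tab or a proxy; an empty findings list and `hsts: True` is what you want to see after applying the settings the replies describe. Note that these flags only protect cookies and force the transport to HTTPS; the form field values themselves are readable by anyone who can see the plaintext request, which is why HTTPS, not view state encryption, is the control for the finding in the original post.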