Hi Folks,

I am new to the security aspects of Outsystems development. Recently during an audit it was discovered that certain parameters are being passed from one screen to another via URL parameters.

There are a few areas where I can disable URL passing by simply changing the method type from Navigate to Submit. But this does not work in the case of pop-ups. So I have situations where in the view source I can see the pop-up as "https:// env details/AppName/abc.aspx?ID=1234", and that can lead to copy and change in the browser. Can you please provide a fail-safe way of using that parameter without causing any issues in terms of security?


Thanks


Solution

Anna Marie wrote:

Hi Folks,

I am new to the security aspects of Outsystems development. Recently during an audit it was discovered that certain parameters are being passed from one screen to another via URL parameters.

There are a few areas where I can disable URL passing by simply changing the method type from Navigate to Submit. But this does not work in the case of pop-ups. So I have situations where in the view source I can see the pop-up as "https:// env details/AppName/abc.aspx?ID=1234", and that can lead to copy and change in the browser. Can you please provide a fail-safe way of using that parameter without causing any issues in terms of security?


Thanks


Hi Anna Marie,

I believe this can be achieved in more than one way.

1. Instead of passing the parameters directly in the URL you could try setting this in a Session variable before you redirect the pop-up to launch the page that you want. This effectively means that it's stored and retrieved from the server rather than the URL.


2. A more robust way would be to use the Crypto API. There is a Forge component for Crypto APIs which you can install. That API has a lot of ways to encrypt and decrypt values. I specifically use AES Encrypt to encrypt the URL parameter being passed and I do an AES Decrypt in the Preparation for the pop-up launch. If I am not mistaken the encryption and decryption need a binary API key to be passed. So you might want to use the Binary API which comes by default in OutSystems. In simple words you need to do something like this:

a. AES_Encrypt(The value you want to encrypt, TextToBinary("some text"))

b. In the Preparation of the pop-up: AES_Decrypt(Encrypted value, TextToBinary("some text"))

"some text" is the same key which you have to use at the encryption and decryption end.
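The answer above wraps the ID in an encrypted value so that an edited parameter cannot be decrypted back to a valid ID. The following is an added example, not code from the thread or from the OutSystems Crypto/Binary APIs: it uses an HMAC-signed, expiring token from the Python standard library as a stand-in for AES_Encrypt/AES_Decrypt, because the standard library ships no AES. A signed token makes the parameter tamper-evident (changing 1234 to 1235 fails verification) but, unlike AES, does not hide the ID; the key, TTL and record ID are constructed values. Note the key is generated randomly rather than derived from a fixed phrase like TextToBinary("some text"), since anyone who knows the key can mint parameters.

```python
import base64
import hashlib
import hmac
import secrets
import time
from typing import Optional

# Constructed example key: generated once at process start. In a real app this
# lives in a secret store shared by the screen that builds the popup URL and
# the popup's Preparation, never as a literal in the module.
KEY = secrets.token_bytes(32)
TAG_LEN = hashlib.sha256().digest_size  # 32-byte HMAC-SHA256 tag


def seal_param(record_id: int, key: bytes = KEY, ttl_s: int = 600,
               now: Optional[int] = None) -> str:
    """Turn a record ID into a URL-safe, tamper-evident, expiring parameter."""
    now = int(time.time()) if now is None else now
    payload = f"{record_id}|{now + ttl_s}".encode()
    tag = hmac.new(key, payload, hashlib.sha256).digest()
    # base64url without padding keeps the value safe inside ?ID=...
    return base64.urlsafe_b64encode(payload + tag).decode().rstrip("=")


def open_param(token: str, key: bytes = KEY,
               now: Optional[int] = None) -> Optional[int]:
    """Return the record ID only if the tag verifies and the token is unexpired.

    This is what the popup's Preparation would call instead of reading ?ID= as-is.
    """
    now = int(time.time()) if now is None else now
    try:
        raw = base64.urlsafe_b64decode(token + "=" * (-len(token) % 4))
    except ValueError:          # binascii.Error is a ValueError subclass
        return None
    if len(raw) <= TAG_LEN:
        return None
    payload, tag = raw[:-TAG_LEN], raw[-TAG_LEN:]
    expected = hmac.new(key, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):  # constant-time comparison
        return None
    try:
        id_text, expiry_text = payload.decode().split("|")
        record_id, expiry = int(id_text), int(expiry_text)
    except ValueError:
        return None
    if now > expiry:
        return None
    return record_id


def self_check() -> dict:
    """Exercise the cases a reviewer would ask about: valid, edited ID, wrong key, expired."""
    token = seal_param(1234, now=1000)
    raw = base64.urlsafe_b64decode(token + "=" * (-len(token) % 4))
    # Re-encode with the ID changed but the original tag: the edit the question describes.
    edited = base64.urlsafe_b64encode(raw.replace(b"1234|", b"1235|", 1)).decode().rstrip("=")
    other_key_token = seal_param(1234, key=b"k" * 32, now=1000)
    return {
        "valid": open_param(token, now=1100),                      # 1234
        "edited_rejected": open_param(edited, now=1100) is None,   # True
        "wrong_key_rejected": open_param(other_key_token, now=1100) is None,
        "expired_rejected": open_param(token, now=1700) is None,   # 1000 + 600 < 1700
        "garbage_rejected": open_param("not-a-token", now=1100) is None,
    }


if __name__ == "__main__":
    print(self_check())
```

The token still has to be checked against the current user's permissions after it opens; signing or encrypting a parameter only stops the client from choosing a value the server never issued to it.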


Solution

What exactly in this do you find a security risk? Does it count for all URL parameters or just a few? And why do you find it a security risk?

Is it the primary identifier of a record and do you think people can get into other records by changing the parameter? If so, a practical method is by adding a GUID property to the entity and using that GUID as reference. Good luck on finding another record by guessing.

An alternative could also be using a staging table where you combine the username with a record id. Before opening the popup you store the needed identifier in the table and in the preparation phase you retrieve the record identifier from that staging table and display it.

But there are probably lots of other possibilities to prevent this. I'm looking forward to other suggestions.
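The reply above proposes two options: a random GUID as the public reference to a record, and a staging table keyed on the username that holds the ID server-side so the popup URL carries nothing. The following is an added example, not code from the thread or from OutSystems; the record store, users and IDs are constructed, with dicts standing in for the entity, its GUID index and the staging table. It also includes an explicit ownership check in the lookup, which the thread does not spell out: an unguessable reference makes enumeration impractical, but the server must still confirm that the resolved record belongs to the requesting user.

```python
import uuid
from typing import Optional

# Constructed sample data standing in for an OutSystems entity: sequential
# integer IDs, each record owned by exactly one user.
RECORDS = {
    1234: {"owner": "anna", "body": "anna's order"},
    1235: {"owner": "bob", "body": "bob's order"},
}
GUID_INDEX: dict = {}   # guid -> integer ID (the index the follow-up reply recommends)
STAGING: dict = {}      # username -> integer ID (the staging table)


def lookup_unchecked(record_id: int) -> Optional[dict]:
    """The pattern from the question: whatever ?ID= names is returned."""
    return RECORDS.get(record_id)


def lookup_owned(record_id: int, current_user: str) -> Optional[dict]:
    """Server-side ownership check; both options below still go through this."""
    rec = RECORDS.get(record_id)
    if rec is None or rec["owner"] != current_user:
        return None
    return rec


def assign_guids() -> None:
    """Option 1: add a random GUID attribute to every record and index it."""
    for record_id, rec in RECORDS.items():
        guid = str(uuid.uuid4())   # 122 random bits; a neighbour's GUID reveals nothing
        rec["guid"] = guid
        GUID_INDEX[guid] = record_id


def lookup_by_guid(guid: str, current_user: str) -> Optional[dict]:
    """Screen/popup receives the GUID in the URL, resolves it via the index, then checks ownership."""
    record_id = GUID_INDEX.get(guid)
    if record_id is None:
        return None
    return lookup_owned(record_id, current_user)


def stage_for_popup(current_user: str, record_id: int) -> bool:
    """Option 2: before opening the popup, park the ID server-side under the user.

    Returns False (and stages nothing) if the user may not see that record.
    """
    if lookup_owned(record_id, current_user) is None:
        return False
    STAGING[current_user] = record_id
    return True


def popup_preparation(current_user: str) -> Optional[dict]:
    """In the popup's Preparation: read the staged ID instead of a URL parameter."""
    record_id = STAGING.pop(current_user, None)   # one-shot, so a reloaded popup gets nothing
    if record_id is None:
        return None
    return lookup_owned(record_id, current_user)


if __name__ == "__main__":
    assign_guids()
    print("unchecked ID 1235 ->", lookup_unchecked(1235)["owner"])   # bob: the audit finding
    print("anna via GUID ->", lookup_by_guid(RECORDS[1234]["guid"], "anna")["body"])
    print("anna staging ->", stage_for_popup("anna", 1234), popup_preparation("anna")["body"])
```

The staging table is keyed only by username here, so two popups opened concurrently by the same user would overwrite each other; adding a per-open handle to the key avoids that, at the cost of passing that handle in the URL. The one-shot pop also means a stale or bookmarked popup URL resolves to nothing, which is the behaviour the question is after.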

Vincent Koning wrote:

What exactly in this do you find a security risk? Does it count for all URL parameters or just a few? And why do you find it a security risk?

Is it the primary identifier of a record and do you think people can get into other records by changing the parameter? If so, a practical method is by adding a GUID property to the entity and using that GUID as reference. Good luck on finding another record by guessing.

An alternative could also be using a staging table where you combine the username with a record id. Before opening the popup you store the needed identifier in the table and in the preparation phase you retrieve the record identifier from that staging table and display it.

But there are probably lots of other possibilities to prevent this. I'm looking forward to other suggestions.


Hi Vincent,

I found that a security risk because in the view source of the page I can see the identifier value. I could simply paste the URL string in another tab and keep changing the ID value, and see data which does not inherently belong to me, simply by increasing that value by 1.

Hi Anna,

Then the preferred method would be to use the GUID example. This comes from the Best Practices from OutSystems of their (now old) Advanced Bootcamp. It's easy to implement, just don't forget to add an index on this field for performance reasons. 

Hi Anna,

Justin James, one of the OutSystems MVPs, has written a great article, "Hiding IDs in OutSystems URLs", that can help you.

Regards,

Daniel