OutSystems based Web Application having Security Vulnerabilities (OS10)
Question

Hi Guys,

Recently there was a security audit for all the IT applications in my firm. They identified around 5 vulnerabilities out of which I am not able to fix below 3 of them. For few of them, I was able to fix by using the Factory Configuration (like enabling Secure Cookies), whereas for the below vulnerabilities, I'm stuck in the middle and don't know how to resolve them. Can someone help me on this please. We are using OutSystems 10 Java Stack and only Web Applications. The Vulnerabilities are as follows:

--------------------------------------------

Body Parameters Accepted in Query

It is possible to gather sensitive information about the web application such as usernames, passwords, machine name and/or sensitive file locations. It is possible to persuade a naive user to supply sensitive information such as user name, password, credit card number, social security number and so on.

Exploit Summary:

  • Make any request in application and capture the request with burp suite.
  • Change the request method to GET and forward the request.
  • The response will be the same for both types of request.

Recommendation:

  • Do not accept body parameters that are sent in the query string.
  • All Confidential information must be transmitted as body parameters using a POST request over encrypted protocols.

Reference: https://www.cgisecurity.com/owasp/html/ch11s04.html

--------------------------------------------

Options method enabled

HTTP OPTIONS method is enabled on this web server. The OPTIONS method provides a list of the methods that are supported by the web server; it represents a request for information about the communication options available on the request/response chain identified by the Request-URI.

Exploit Summary:

  • Open a browser session
  • Go to the application webpage
  • Capture the request on burp suite
  • Change the method to OPTIONS
  • The response lists the allowed WebDAV methods in the Allow response header

Recommendation: Disable OPTIONS webDAV if not used.

Reference: https://www.owasp.org/index.php/Test_HTTP_Methods_(OTG-CONFIG-006

--------------------------------------------

Host header injection to open redirection

The application relies on the host header for redirecting to the application. The web server uses the value of this header to dispatch the request to the specified website or web application. This host header is controllable by the user. On injecting a custom domain into the host header, the application redirects to the specified location.

Exploit Summary:

  • Open the application
  • Intercept the request with burp suite
  • Modify the host header with custom URL such as attacker.com
  • On response, the location header will be set to attacker.com

Recommendation:

  • Do not rely on the header parameter for application navigation
  • Whitelist the trusted domains for host header

Reference: https://www.owasp.org/index.php/Unvalidated_Redirects_and_Forwards_Cheat_SheetI

--------------------------------------------

Could the experts help me resolve the above-identified vulnerabilities in the OutSystems applications? Thanks in advance!!
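One way the three recommendations in the report can be enforced together, as an added example for this thread rather than OutSystems code or anything from the audit: a servlet filter registered in the container ahead of the generated application. It assumes a Servlet 3.x container (the OutSystems Java stack runs on one), and the class name, host names and path prefixes are placeholders to be replaced with the real environment values.

```java
import java.io.IOException;
import java.util.Arrays;
import java.util.Collections;
import java.util.HashSet;
import java.util.List;
import java.util.Locale;
import java.util.Set;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.annotation.WebFilter;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/**
 * Illustrative filter (hypothetical, not OutSystems code) that rejects the three
 * request shapes from the audit before the application sees them.
 */
@WebFilter("/*")
public class AuditHardeningFilter implements Filter {

    // Placeholder allowlist of the public host names this deployment answers to,
    // in lower case and with the port exactly as browsers send it. Any other
    // value is refused, so a forged Host never reaches redirect-building code.
    private static final Set<String> ALLOWED_HOSTS = Collections.unmodifiableSet(
            new HashSet<>(Arrays.asList("app.example.com", "app.example.com:443")));

    // Only the verbs the application needs. OPTIONS, TRACE and the WebDAV verbs
    // (PROPFIND, MKCOL, ...) are absent and therefore answered with 405.
    private static final Set<String> ALLOWED_METHODS = Collections.unmodifiableSet(
            new HashSet<>(Arrays.asList("GET", "HEAD", "POST")));

    // Placeholder path prefixes of form-submission endpoints that must only be
    // reached with POST, so a replay with the method switched to GET is rejected
    // instead of being served the same response.
    private static final List<String> POST_ONLY_PREFIXES = Arrays.asList(
            "/MyApp/LoginSubmit", "/MyApp/ChangePasswordSubmit");

    @Override
    public void init(FilterConfig filterConfig) { /* nothing to configure */ }

    @Override
    public void destroy() { }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        // Finding 3 (host header injection): validate Host against the allowlist.
        if (!isAllowedHost(request.getHeader("Host"))) {
            response.sendError(HttpServletResponse.SC_BAD_REQUEST, "Unrecognised Host header");
            return;
        }

        // Finding 2 (OPTIONS / WebDAV enabled): unsupported verbs get 405 and an
        // Allow header that advertises only what the application supports.
        String method = request.getMethod().toUpperCase(Locale.ROOT);
        if (!ALLOWED_METHODS.contains(method)) {
            response.setHeader("Allow", "GET, HEAD, POST");
            response.sendError(HttpServletResponse.SC_METHOD_NOT_ALLOWED);
            return;
        }

        // Finding 1 (body parameters accepted in the query): form handlers are
        // POST-only, so parameters for them cannot be supplied via a GET query string.
        if (!"POST".equals(method) && isPostOnlyPath(request.getRequestURI())) {
            response.setHeader("Allow", "POST");
            response.sendError(HttpServletResponse.SC_METHOD_NOT_ALLOWED);
            return;
        }

        chain.doFilter(req, res);
    }

    static boolean isAllowedHost(String hostHeader) {
        if (hostHeader == null || hostHeader.trim().isEmpty()) {
            return false; // HTTP/1.1 requires Host; a request without one is refused
        }
        return ALLOWED_HOSTS.contains(hostHeader.trim().toLowerCase(Locale.ROOT));
    }

    static boolean isPostOnlyPath(String requestUri) {
        for (String prefix : POST_ONLY_PREFIXES) {
            if (requestUri.startsWith(prefix)) {
                return true;
            }
        }
        return false;
    }
}
```

If the application sits behind a reverse proxy or load balancer, the proxy is the better place to enforce the Host allowlist and method restriction, and any forwarded-host header it adds (X-Forwarded-Host) needs the same allowlist check; otherwise redirect code that builds absolute URLs from that header is still reachable. Re-running the three Burp replays from the report against a deployment with this filter should yield 400 for the forged Host and 405 for the OPTIONS and GET replays, which is the evidence the auditors will want.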

Body Parameters accepted in the Query: Try to use the POST method in the API and avoid manipulation of the method from POST to GET during the API development stage itself, so that this vulnerability can be fixed.

Options method enabled: You can google and find some sample configurations which need to be added to the IIS web.config file. Thus it will be resolved.

Host header Injection to Open Redirection: I didn't actually get a solution to this vulnerability. The workaround is to whitelist trusted domains in your IIS, so this can be avoided.

Hope this helps you @Pankaj Jain!

Regards,

Somesh


Hey Somesh,

Have you opened a support ticket with OutSystems for this?

I am not very familiar with the Java stack for OutSystems, but what application server and version are you using? There might be some option to change the base configuration, especially for the OPTIONS webDAV issue.

Hi Somesh,

Have you found any solution to this issue?

Thanks.

