OutSystems based Web Application having Security Vulnerabilities (OS10)

Hi Guys,

Recently there was a security audit of all the IT applications in my firm. They identified around five vulnerabilities, three of which (listed below) I am not able to fix. A few of them I was able to fix using the Factory Configuration (like enabling Secure Cookies), whereas for the vulnerabilities below I'm stuck in the middle and don't know how to resolve them. Can someone help me with this, please? We are using OutSystems 10 Java Stack and only Web Applications. The vulnerabilities are as follows:

--------------------------------------------

Body Parameters Accepted in Query

It is possible to gather sensitive information about the web application such as usernames, passwords, machine name and/or sensitive file locations. It is possible to persuade a naive user to supply sensitive information such as user name, password, credit card number, social security number and so on.

Exploit Summary:

  • Make any request in application and capture the request with burp suite.
  • Change the request method to GET and forward the request.
  • The response will be the same for both types of request.

Recommendation:

  • Do not accept body parameters that are sent in the query string.
  • All Confidential information must be transmitted as body parameters using a POST request over encrypted protocols.

Reference: https://www.cgisecurity.com/owasp/html/ch11s04.html

--------------------------------------------

Options method enabled

HTTP OPTIONS method is enabled on this web server. The OPTIONS method provides a list of the methods that are supported by the web server; it represents a request for information about the communication options available on the request/response chain identified by the Request-URI.

Exploit Summary:

  • Open a browser session
  • Go to the application webpage
  • Capture the request on burp suite
  • Change the method to OPTIONS
  • In the response we get the list of allowed WebDAV methods in the Allow response header

Recommendation: Disable OPTIONS / WebDAV if not used.

Reference: https://www.owasp.org/index.php/Test_HTTP_Methods_(OTG-CONFIG-006)

--------------------------------------------

Host header injection to open redirection

The application relies on the Host header for redirecting to the application. The web server uses the value of this header to dispatch the request to the specified website or web application. This Host header is controllable by the user. On injecting a custom domain into the Host header, the application redirects to the specified location.

Exploit Summary:

  • Open the application
  • Intercept the request with burp suite
  • Modify the Host header with a custom URL such as attacker.com
  • In the response, the Location header will be set to attacker.com

Recommendation:

  • Do not rely on the Host header for application navigation
  • Whitelist the trusted domains for the Host header

Reference: https://www.owasp.org/index.php/Unvalidated_Redirects_and_Forwards_Cheat_Sheet

--------------------------------------------

Could the experts help me in resolving the above identified vulnerabilities in the OutSystems applications? Thanks in advance!!
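As an added illustration (not OutSystems platform code and not part of the original post), the following Python models the request filter that closes the three findings above: refusing verbs the application does not serve (finding 2, with an Allow header that no longer advertises WebDAV), validating the Host and X-Forwarded-Host headers against a whitelist and building redirects from configuration instead of from Host (finding 3), and refusing credential fields in the query string or a flipped verb on POST-only endpoints (finding 1). On the Java stack the same logic would sit in a servlet filter or in the reverse proxy in front of the application server; the host names, paths and the `Request` structure here are assumptions chosen for the example.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple
from urllib.parse import parse_qs, urlsplit

# Assumed deployment values: placeholders, not real hosts or real OutSystems paths.
TRUSTED_HOSTS = {"app.example.com"}
CANONICAL_ORIGIN = "https://app.example.com"
ALLOWED_METHODS = ("GET", "HEAD", "POST")
POST_ONLY_PATHS = {"/Login", "/ChangePassword"}   # hypothetical endpoints that carry credentials

Rejection = Tuple[int, Dict[str, str]]            # (status code, response headers)


@dataclass
class Request:
    """Minimal model of an incoming HTTP request (constructed for this example)."""
    method: str
    target: str                                    # request-target, e.g. "/Login?User=x"
    headers: Dict[str, str] = field(default_factory=dict)
    body_params: Dict[str, List[str]] = field(default_factory=dict)

    def header(self, name: str) -> Optional[str]:
        for key, value in self.headers.items():
            if key.lower() == name.lower():
                return value
        return None


def normalize_host(value: str) -> str:
    """Lower-case the host and drop a default port so 'App.Example.com:443' still matches."""
    host = value.strip().lower()
    name, sep, port = host.rpartition(":")
    if sep and port.isdigit() and port in ("80", "443"):
        host = name
    return host


def filter_request(req: Request) -> Optional[Rejection]:
    """Return a rejection (status, headers) or None to let the request through."""
    method = req.method.upper()

    # Finding 2: OPTIONS, TRACE, PROPFIND and friends are refused; the Allow header
    # only lists the verbs the application actually serves.
    if method not in ALLOWED_METHODS:
        return 405, {"Allow": ", ".join(ALLOWED_METHODS)}

    # Finding 3: Host (and a proxy-supplied X-Forwarded-Host) must be one of ours,
    # otherwise anything derived from it (redirects, absolute links) can be poisoned.
    if req.header("Host") is None:
        return 400, {"Content-Type": "text/plain"}
    for name in ("Host", "X-Forwarded-Host"):
        value = req.header(name)
        if value is not None and normalize_host(value) not in TRUSTED_HOSTS:
            return 400, {"Content-Type": "text/plain"}

    # Finding 1: credential-bearing endpoints only take their fields in a POST body.
    # A verb flipped to GET, or the same fields in the query string, is refused.
    parts = urlsplit(req.target)
    if parts.path in POST_ONLY_PATHS:
        if method != "POST":
            return 405, {"Allow": "POST"}
        if parse_qs(parts.query, keep_blank_values=True):
            return 400, {"Content-Type": "text/plain"}
    return None


def build_redirect(path: str) -> str:
    """Location for an internal redirect, built from configuration and never from Host."""
    if not path.startswith("/") or path.startswith("//"):
        raise ValueError("internal redirects take a site-relative path")
    return CANONICAL_ORIGIN + path


if __name__ == "__main__":
    # The three audit probes, replayed against the filter (constructed sample requests).
    probes = [
        Request("OPTIONS", "/", {"Host": "app.example.com"}),
        Request("GET", "/", {"Host": "attacker.com"}),
        Request("GET", "/Login?User=a&Password=b", {"Host": "App.Example.com:443"}),
        Request("POST", "/Login", {"Host": "app.example.com"}, {"User": ["a"], "Password": ["b"]}),
    ]
    for probe in probes:
        print(probe.method, probe.target, "->", filter_request(probe) or "pass")
    print("redirect ->", build_redirect("/Home"))
```

The order of the checks matters: the verb check runs first so that an OPTIONS probe never reaches application code, and the Host check runs before any redirect is built so that `build_redirect` can safely ignore the header entirely.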

Hey Somesh,

Have you opened a support ticket with OutSystems for this?

I am not very familiar with the Java stack for OutSystems, but what application server and version are you using? There might be some option to change the base configuration, especially for the OPTIONS / WebDAV issue.