How to prevent Directory Traversal attack in Outsystems

Hi,

A pen test security issue, Directory Traversal, was logged for the application I am working on.

How can we fix the Directory Traversal vulnerability in OutSystems? Is there any example of the implementation? Does applying ReplaceURLDomain() to the parameter serve the purpose?


For example: URL = GetEntryURL("BooksCommunication", "BooksUI", "BooksID", BooksId, "BooksChatKey", BooksChatKey) + "#Chat"


Thanks and Regards,

Ramya S

What's the specific concern here? Is your fear that you are constructing a URL from user input (such as BooksId or BooksChatKey) and they could be using that to manipulate the URL? If so, use URLEncode on those parameters.

J.Ja

Hi Justin,

The OutSystems warning message for the URL is "Enclose the input parameter with a ReplaceURLDomain() function from HttpRequestHandler to avoid open redirect vulnerabilities".

Should I include both URLEncode and ReplaceURLDomain(), or is URLEncode alone sufficient?


Thanks and Regards,

Ramya S

Solution

You could do both.

Or, better yet, take the input from the user, run queries to verify that those IDs exist, and then use the results from the queries there. That will guarantee that 1) the input you received is valid and not a hacking attempt 2) you have clean data for your URL.

J.Ja

Solution

Hi Justin,

Thank you for clearing my doubts.

So if my URL is URL = GetEntryURL("BooksCommunication", "BooksUI", "BooksID", BooksId, "BooksChatKey", BooksChatKey) + "#Chat"

and if I am including

a) EncodeURL: my code will be URL = GetEntryURL("BooksCommunication", "BooksUI", "BooksID", EncodeURL(BooksId), "BooksChatKey", EncodeURL(BooksChatKey)) + "#Chat"

b) ReplaceURLDomain: my code will be URL = GetEntryURL("BooksCommunication", "BooksUI", "BooksID", ReplaceURLDomain(BooksId), "BooksChatKey", ReplaceURLDomain(BooksChatKey)) + "#Chat"

or

ReplaceURLDomain(GetEntryURL("BooksCommunication", "BooksUI", "BooksID", BooksId, "BooksChatKey", BooksChatKey) + "#Chat") ?

In other words, is the ReplaceURLDomain() function applied to the whole URL or only to the input parameter?


Thanks and Regards,

Ramya S


Hi Ramya S,

Using EncodeURL only (would be my initial choice): 

GetEntryURL("BooksCommunication", "BooksUI", "BooksID", EncodeURL(BooksId), "BooksChatKey", EncodeURL(BooksChatKey)) + "#Chat"

Using ReplaceURLDomain only (not advisable, as you could potentially still have user-tampered values in the inputs part of the URL):

ReplaceURLDomain(GetEntryURL("BooksCommunication", "BooksUI", "BooksID", BooksId, "BooksChatKey", BooksChatKey) + "#Chat")

Using both EncodeURL and ReplaceURLDomain (it doesn't make much sense to me to use ReplaceURLDomain here, as the URL is being generated by the platform function GetEntryURL(), which is always relative to your domain):

ReplaceURLDomain(GetEntryURL("BooksCommunication", "BooksUI", "BooksID", EncodeURL(BooksId), "BooksChatKey", EncodeURL(BooksChatKey)) + "#Chat")


But I'd likely just follow Justin's suggestion:

Or, better yet, take the input from the user, run queries to verify that those IDs exist, and then use the results from the queries there. That will guarantee that 1) the input you received is valid and not a hacking attempt 2) you have clean data for your URL.

Checking that the inputs you received are valid before building the URL seems a sound way of guaranteeing that the URL will be valid and of avoiding the security warnings, as all data used to generate the URL is then provided by the platform itself.

Hope this helps!
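To make the three options in this thread concrete (encoding the parameters as Justin suggests, replacing the domain as the platform warning suggests, and validating the IDs against the database before building the URL), here is an added example in plain Python. It is not OutSystems code and not from the original thread: the relative path `/BooksCommunication/BooksUI.aspx?...` stands in for what GetEntryURL() returns, the `books.example.test` origin and the `KNOWN_BOOKS` records are constructed sample data, and `encoded_entry_url`, `replace_url_domain` and `validated_entry_url` are hypothetical names for the EncodeURL, ReplaceURLDomain and "look it up first" approaches.

```python
"""Added example modelling the URL-building defences discussed in the thread.

Not OutSystems code: the URL shape, domain and records below are constructed
assumptions used only to show how each defence changes the resulting URL.
"""
from typing import Optional
from urllib.parse import urlencode, urlsplit, urlunsplit

# Constructed stand-in for the Books / BooksChat entities (assumption).
KNOWN_BOOKS = {
    17: {"chat_key": "k-8f3a"},
    42: {"chat_key": "k-01cd"},
}

# Assumed origin of the application; ReplaceURLDomain() uses the current
# request's domain instead of a constant.
APP_SCHEME = "https"
APP_HOST = "books.example.test"


def encoded_entry_url(books_id: str, chat_key: str) -> str:
    """Analogue of GetEntryURL(..., EncodeURL(BooksId), ..., EncodeURL(BooksChatKey)) + "#Chat".

    Each user-supplied value is percent-encoded, so '/', '&', '=' or '#' inside
    it cannot alter the path, add query parameters or change the fragment.
    """
    query = urlencode({"BooksID": books_id, "BooksChatKey": chat_key})
    return f"/BooksCommunication/BooksUI.aspx?{query}#Chat"


def replace_url_domain(url: str) -> str:
    """Analogue of ReplaceURLDomain(): force the application's own scheme and host.

    A relative URL gains the origin; an absolute or protocol-relative URL pointing
    at another host has that host replaced, which is what closes an open redirect.
    Path, query and fragment are kept as given, so tampered parameter values survive.
    """
    parts = urlsplit(url)
    return urlunsplit((APP_SCHEME, APP_HOST, parts.path, parts.query, parts.fragment))


def validated_entry_url(raw_books_id: str, raw_chat_key: str) -> Optional[str]:
    """Justin's suggestion: confirm the IDs exist, then build the URL from stored values.

    Returns None when the book is unknown or the chat key does not match, so the
    caller can show an error instead of emitting a URL built from request data.
    """
    try:
        books_id = int(raw_books_id)
    except ValueError:
        return None
    record = KNOWN_BOOKS.get(books_id)
    if record is None or record["chat_key"] != raw_chat_key:
        return None
    # Only values that came back from the lookup reach the URL builder.
    return encoded_entry_url(str(books_id), record["chat_key"])


if __name__ == "__main__":
    print(encoded_entry_url("17", "k-8f3a"))
    print(encoded_entry_url("../other", "x&Other=1#frag"))   # special chars end up encoded
    print(replace_url_domain("https://other.example/BooksUI.aspx?BooksID=17"))
    print(validated_entry_url("42", "k-01cd"))
    print(validated_entry_url("99", "k-01cd"))               # unknown ID -> None
```

Running the script shows why the last answer calls validation the sound option: `replace_url_domain` protects only the host part, `encoded_entry_url` keeps user text from escaping its parameter, and `validated_entry_url` never lets request data into the URL at all, which is what removes the warning rather than just neutralising it.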