190 Views | 5 Comments | Solved
How to prevent Directory Traversal attack in Outsystems
Question

Hi,

A pen test security issue, Directory Traversal, was logged for the application I am working on.

How can we fix the Directory Traversal vulnerability in OutSystems? Is there any example of the implementation? Does applying ReplaceURLDomain() to the parameter serve the purpose?


For example: URL = GetEntryURL("BooksCommunication", "BooksUI", "BooksID", BooksId, "BooksChatKey", BooksChatKey) + "#Chat"


Thanks and Regards,

Ramya S

2019-11-12 17-31-26
Justin James
 
MVP

What's the specific concern here? Is your fear that you are constructing a URL from user input (such as BooksId or BooksChatKey) and they could be using that to manipulate the URL? If so, use URLEncode on those parameters.

J.Ja

Ramya Somashekaraiah

Hi Justin,

The outsystems warning message for URL is "Enclose the input parameter with a ReplaceURLDOmain() function from HttpRequestHandler to avoid open redirect vulnerabilities".

Should I include both URLencode and ReplaceUrlDomain() or just URLencode is sufficient?


Thanks and Regards,

Ramya S

2019-11-12 17-31-26
Justin James
 
MVP
Solution

You could do both.

Or, better yet, take the input from the user, run queries to verify that those IDs exist, and then use the results from the queries there. That will guarantee that 1) the input you received is valid and not a hacking attempt 2) you have clean data for your URL.

J.Ja

2019-09-24 18-41-25
Jorge Martins
 
MVP

Hi Ramya S,

Using EncodeURL only (would be my initial choice): 

GetEntryURL("BooksCommunication", "BooksUI", "BooksID", EncodeURL(BooksId), "BooksChatKey", EncodeURL(BooksChatKey)) + "#Chat"

Using ReplaceURLDomain only (not advisable, as you potentially could still have user-tampered URLs on the inputs part):

ReplaceURLDomain(GetEntryURL("BooksCommunication", "BooksUI", "BooksID", BooksId, "BooksChatKey", BooksChatKey) + "#Chat")

Using both EncodeURL and ReplaceURLDomain (doesn't make much sense to me to use ReplaceURLDomain here as the URL is being generated by the platform function GetEntryURL() that is always relative to your domain):

ReplaceURLDomain(GetEntryURL("BooksCommunication", "BooksUI", "BooksID", EncodeURL(BooksId), "BooksChatKey", EncodeURL(BooksChatKey)) + "#Chat")


But I'd likely just follow Justin's suggestion:

Or, better yet, take the input from the user, run queries to verify that those IDs exist, and then use the results from the queries there. That will guarantee that 1) the input you received is valid and not a hacking attempt 2) you have clean data for your URL.

Checking if the inputs you received are valid before building the URL seems a sound way of guaranteeing that the URL will be valid and of avoiding the security warnings, as all data used to generate the URL is provided by the platform itself.

Hope this helps!
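To make the difference between the three options concrete outside of Service Studio, here is an added Python analogue (not OutSystems code, and not from either of the posters). It assumes the shape of the URL that GetEntryURL produces (a relative path with a query string), a constructed application domain `books.example.com`, and a constructed dictionary standing in for the database lookup Justin suggests. It shows why encoding each parameter (EncodeURL) stops a parameter from smuggling in extra query parameters, what forcing the domain (ReplaceURLDomain) does to an absolute URL, and how validating the IDs first means only platform-provided values ever reach the URL:

```python
from urllib.parse import quote, urlsplit, urlunsplit, parse_qs

# Constructed value standing in for the application's own domain.
APP_DOMAIN = "books.example.com"

# Constructed stand-in for "run queries to verify that those IDs exist":
# maps a known BooksId to the chat key stored for it.
KNOWN_BOOKS = {"42": "chat-key-42", "7": "chat-key-7"}

# Assumed shape of the URL GetEntryURL("BooksCommunication", "BooksUI", ...) returns.
ENTRY_PATH = "/BooksUI/BooksCommunication.aspx"


def get_entry_url_raw(books_id: str, chat_key: str) -> str:
    """Analogue of GetEntryURL(..., BooksId, ..., BooksChatKey) + "#Chat" with
    the parameters concatenated exactly as received."""
    return f"{ENTRY_PATH}?BooksID={books_id}&BooksChatKey={chat_key}#Chat"


def get_entry_url_encoded(books_id: str, chat_key: str) -> str:
    """Analogue of wrapping each parameter in EncodeURL() first: '&', '=', '/'
    and friends become percent-escapes, so each value stays a single parameter."""
    return (f"{ENTRY_PATH}?BooksID={quote(books_id, safe='')}"
            f"&BooksChatKey={quote(chat_key, safe='')}#Chat")


def replace_url_domain(url: str, domain: str = APP_DOMAIN) -> str:
    """Analogue of ReplaceURLDomain(): whatever scheme and host the input carries
    (including none, for a relative URL) are replaced by the application's own;
    path, query and fragment are kept. This is the open-redirect mitigation."""
    parts = urlsplit(url)
    return urlunsplit(("https", domain, parts.path or "/", parts.query, parts.fragment))


def build_url_validated(books_id: str, chat_key: str):
    """Justin's approach: look the IDs up first and build the URL only from the
    values the lookup returned. Returns None when the input does not match a
    record, which the caller should treat as a bad request, not as a URL."""
    stored_key = KNOWN_BOOKS.get(books_id)
    if stored_key is None or stored_key != chat_key:
        return None
    # Only values that came back from the lookup are used below.
    return replace_url_domain(get_entry_url_encoded(books_id, stored_key))


def query_params(url: str) -> dict:
    """Parse the query string the way a receiving page would see it."""
    return parse_qs(urlsplit(url).query)


if __name__ == "__main__":
    tampered = "1&BooksChatKey=injected"          # constructed tampered BooksId
    print(query_params(get_entry_url_raw(tampered, "k")))      # two BooksChatKey values
    print(query_params(get_entry_url_encoded(tampered, "k")))  # one, as intended
    print(replace_url_domain("https://evil.example/login?next=x#f"))
    print(build_url_validated("42", "chat-key-42"))
    print(build_url_validated("42", "wrong-key"))
```

The first two prints show the effect of EncodeURL: without it the tampered BooksId splits into two `BooksChatKey` parameters, with it the whole value is read back as a single BooksID. The third shows that ReplaceURLDomain-style rewriting cannot clean up the query string; it only pins the host, which is why Jorge calls using it alone "not advisable". The validated builder never reaches the URL-building step unless both inputs match a stored record.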

Ramya Somashekaraiah

Hi Justin,

Thank you for clearing my doubts.

So if my URL is URL = GetEntryURL("BooksCommunication", "BooksUI", "BooksID", BooksId, "BooksChatKey", BooksChatKey) + "#Chat"

and if I am including

a) EncodeURL: my code will be URL = GetEntryURL("BooksCommunication", "BooksUI", "BooksID", EncodeURL(BooksId), "BooksChatKey", EncodeURL(BooksChatKey)) + "#Chat"

b) ReplaceURLDomain: my code will be URL = GetEntryURL("BooksCommunication", "BooksUI", "BooksID", ReplaceURLDomain(BooksId), "BooksChatKey", ReplaceURLDomain(BooksChatKey)) + "#Chat"

or

ReplaceURLDomain(GetEntryURL("BooksCommunication", "BooksUI", "BooksID", BooksId, "BooksChatKey", BooksChatKey) + "#Chat") ?

In other words, is the ReplaceURLDomain() function applied to the whole URL or only to the input parameter?


Thanks and Regards,

Ramya S

