OutSystems version details leakage in generated JavaScript
Application Type
Traditional Web

We had our OutSystems application scanned by vulnerability assessment team and we got one vulnerability reported where the OutSystems platform version is being displayed in the generated JavaScript out of the comments section. Their remark is to remove the platform specific details as any attacker can use platform specific open vulnerabilities to exploit the application. Since the JavaScript is generated automatically and we don't have control over the content in the JavaScript, is there any alternate way to fix/remove this? Our development team believes that the information in comments section is not necessary as we are already aware of the platform version being used and it is an extra information (which needs to be restricted according to the security team).

This javascript was available in /_osjs.js page under the url of the web application.

Rank: #2

Hi Somesh,

I'll ask OutSystems to take a look. Personally, I think this is a bogus vulnerability. If there's an actual vulnerability in the script, an attacker could also easily scan for that vulnerability instead of the version string.

Rank: #258

While I agree it is not a vulnerability on itself, giving out information like that serves no purpose. As Somesh said, the developers already know what version the server has. It only adds extra clutter, sent over the wire each time. All that js is minimized, just to remove some spaces. Then don't bother putting that comment there either.

That information is only useful for someone who's going to abuse it. And it's a general security best practice not to expose version info of any system of software.