Web block can be accessed directly with proxy tool
Application Type
Reactive

If I had not seen it, I would not have believed it. I saw a pen test that directly (via URL) accessed the action of a web block and changed a parameter value. This change caused a database error, and the web block disclosed the complete error, with database name, etc. I previously believed that no one could directly access a web block. Web blocks don't appear to have security settings like role checks. How can this be prevented?

Solution

These Technical Preview features prevent that. If you cannot use them, consider using Data Actions instead of FDfoS; this way you shield much more by processing data server side.

Again don't expect client side processing to be secure. Implement best practices.


Hello Joseph,

Anything client-side in Reactive (and Mobile, for that matter) is not 100% secure and can always be tampered with via a proxy tool or the browser developer tools. Most likely the tampering was only possible having already authenticated in the app. What your application is lacking is server-side authorization of any action executed on the server based on a client action.

Please consider learning about OutSystems Reactive Web Security Best practices.

Regards,

Daniel
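To make Daniel's advice concrete, here is an added example that is not OutSystems code and not from anyone in this thread: a generic server-side handler written in Python. It shows the two things the pen test exposed side by side: a "leaky" action that trusts the client and returns the raw database error, and a hardened action that decides authorization from the server-side session on every call and returns only a generic message to the client, keeping the database detail in the server log. `SESSION_ROLES`, `FakeDb`, `DbError`, `update_record_leaky` and `update_record` are all constructed for this illustration.

```python
import logging

log = logging.getLogger("server-action")

# Constructed sample session store: session id -> roles granted server side.
# In a real application this comes from the authenticated session, never from
# a parameter the client can edit in a proxy tool.
SESSION_ROLES = {
    "sess-admin": {"Admin"},
    "sess-user": {"User"},
}


class DbError(Exception):
    """Stand-in for a database driver error that carries schema details."""


class FakeDb:
    """Constructed stand-in for a database with one table and its columns."""

    def __init__(self):
        self.rows = {1: {"Name": "alpha"}}
        self.columns = {"Name"}

    def update(self, record_id, column, value):
        # Real drivers raise messages like these; they must never reach the client.
        if column not in self.columns:
            raise DbError(f"column '{column}' does not exist in table 'appdb.dbo.Item'")
        if record_id not in self.rows:
            raise DbError(f"row {record_id} not found in 'appdb.dbo.Item'")
        self.rows[record_id][column] = value


def update_record_leaky(db, session_id, record_id, column, value):
    """The pattern the pen test hit: no server-side role check, and the raw
    database error is handed straight back to the client.
    Returns (status, message); the message is everything the client sees."""
    try:
        db.update(record_id, column, value)
    except DbError as exc:
        return 500, str(exc)  # leaks database, table and column names
    return 200, "OK"


def update_record(db, session_id, record_id, column, value):
    """Hardened server action: authorization is decided from the session on
    every call, and the client only ever receives a generic error message."""
    roles = SESSION_ROLES.get(session_id, set())
    # Authorization check lives on the server, so editing the request cannot bypass it.
    if "Admin" not in roles:
        return 403, "Not allowed"
    try:
        db.update(record_id, column, value)
    except DbError as exc:
        # Operators keep the detail in the log; the client gets nothing useful.
        log.error("update_record failed for session %s: %s", session_id, exc)
        return 500, "The request could not be processed"
    return 200, "OK"


if __name__ == "__main__":
    db = FakeDb()
    print(update_record_leaky(db, "sess-user", 1, "Nme", "x"))   # raw DbError text
    print(update_record(db, "sess-user", 1, "Name", "x"))        # (403, 'Not allowed')
    print(update_record(db, "sess-admin", 1, "Nme", "x"))        # generic 500 message
```

The role check runs before the database is touched, so a tampered request from a lower-privileged session is rejected without producing any error at all, and the only path that can raise a database error is one an authorized caller took, with the message still replaced before it leaves the server.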



Thanks, Daniel. I’ll definitely dig into those. The even bigger concern was that the page then exposed the database name, along with table and field names. 


A little more detail: The pen testers were authenticated, so this would be a risk for internal hacking, or if someone gained physical access to an authenticated computer. And again, the larger issue was that the error message exposed the database details. I’ll recommend switching on the technical preview and retesting.

Sorry, but what does FDfoS stand for in your post? 


FDfoS = Fetch Data from other Source


I assume you have reported the pentest findings to OutSystems, especially the one regarding the database details that were exposed.

One further comment about web blocks. Since the direct path to web blocks is exposed to browsers, should we be concerned that you cannot secure web blocks with roles, like ordinary pages?
