How to fix VAPT finding for "GET /EPA_Taskbox/API_GetActivityCount.aspx?UserId=12345"

Back to Forums

Kim Allan Castillo

How to fix VAPT finding for "GET /EPA_Taskbox/API_GetActivityCount.aspx?UserId=12345"

Question

API

Traditional Web

Application Type

Traditional Web

Service Studio Version

11.14.11 (Build 59394)

We received a VAPT finding which has the below details:

Comprehensive Technical Findings: Unauthenticated Access to Application Resources

Overview: Endpoints in the application may be accessed without the need to have prior authentication with the application. This may result in unauthorized access to the affected endpoints.

Details:

The finding was discovered on the following URL:

● GET /EPA_Taskbox/API_GetActivityCount.aspx?UserId=25852

Recommendation: Implement token-based session authentication which may be used to limit access to resources on the application to only authorized users.

Issue: I can't seem to find where the API is. I tried searching for some forums related to this one but it seems it's on the built-in side of OutSystems (correct me if i'm wrong). Any suggestions on this VAPT finding would be helpful.

29 Mar

Palak Patel

Dear Kim,
Greetings of the day

Can you please let us know the following ?
-You are getting this errors / warnings where ? In Service Center or somewhere else ?
- How is this impacting your applications ? Means is it giving error at end user ?

- Are your able to authenticate users before checking their tasks ? Means checking their role ?

You can get more details about this from below link. This might be helpful to you related to API findings.
https://success.outsystems.com/Documentation/11/Reference/OutSystems_APIs/EPA_Taskbox_API

Let us know if this helps.

Regards,
Palak Patel

05 Apr

Community GuidelinesBe kind and respectful, give credit to the original source of content, and search for duplicates before posting.

See the full guidelines