How to fix VAPT finding for "GET /EPA_Taskbox/API_GetActivityCount.aspx?UserId=12345"
Application Type: Traditional Web
Service Studio Version: 11.14.11 (Build 59394)

We received a VAPT finding which has the below details:

Comprehensive Technical Findings: Unauthenticated Access to Application Resources

Overview: Endpoints in the application may be accessed without the need to have prior authentication with the application. This may result in unauthorized access to the affected endpoints.

Details: 

The finding was discovered on the following URL:

● GET /EPA_Taskbox/API_GetActivityCount.aspx?UserId=25852

Recommendation: Implement token-based session authentication which may be used to limit access to resources on the application to only authorized users.


Issue: I can't seem to find where the API is. I tried searching some forums related to this one, but it seems it's on the built-in side of OutSystems (correct me if I'm wrong). Any suggestions on this VAPT finding would be helpful.

Dear Kim,
Greetings of the day

Can you please let us know the following?
- Where are you getting these errors / warnings? In Service Center or somewhere else?
- How is this impacting your applications? That is, is it giving an error to end users?
- Are you able to authenticate users before checking their tasks? That is, by checking their role?

You can get more details from the link below; it might be helpful regarding the API finding.
https://success.outsystems.com/Documentation/11/Reference/OutSystems_APIs/EPA_Taskbox_API


Let us know if this helps.

Regards,
Palak Patel
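A small re-test script for the finding reported in the question, added here as an example (it is not code from the original post, from OutSystems, or from the VAPT team). It also speaks to the reply's question about authenticating users before serving their tasks: it requests the flagged path once anonymously and once with a session cookie, and reports whether the finding is still OPEN, FIXED, or whether the fix also locked legitimate users out (BROKEN). The host app.example.com, the cookie string, the login path /Users/Login.aspx and the "served" heuristic are assumptions; the in-memory fake servers are constructed so the logic runs offline, and the live fetch is only called from the commented-out line at the bottom.

```python
"""
Re-test for "unauthenticated access to /EPA_Taskbox/API_GetActivityCount.aspx".
Added example, not code from the original post or from OutSystems. Host name,
cookie value, login path and the served/protected heuristic are assumptions.
"""
import urllib.error
import urllib.request
from dataclasses import dataclass
from typing import Callable, Optional

BASE_URL = "https://app.example.com"                                   # assumed placeholder host
FLAGGED_PATH = "/EPA_Taskbox/API_GetActivityCount.aspx?UserId=25852"   # path from the report
SESSION = "SessionId=deadbeef"   # assumed cookie; copy a real one from your own logged-in browser


@dataclass
class Reply:
    status: int
    location: Optional[str]   # Location header when the server redirected
    body: str


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    """Stop urllib from following redirects, so a bounce to the login page stays visible."""
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def http_get(url: str, cookie: Optional[str]) -> Reply:
    """Live fetch. Pass cookie=None for the anonymous request."""
    req = urllib.request.Request(url, headers={"Cookie": cookie} if cookie else {})
    opener = urllib.request.build_opener(_NoRedirect)
    try:
        with opener.open(req, timeout=10) as resp:
            return Reply(resp.status, resp.headers.get("Location"),
                         resp.read().decode("utf-8", "replace"))
    except urllib.error.HTTPError as err:   # with _NoRedirect, 3xx/4xx/5xx all land here
        return Reply(err.code, err.headers.get("Location"),
                     err.read().decode("utf-8", "replace"))


def is_served(reply: Reply) -> bool:
    """Heuristic: the endpoint counts as served only on 200 with a body that is not a login page.
    401/403 and any 3xx (typically a redirect to login) count as protected."""
    if reply.status != 200:
        return False
    low = reply.body.lower()
    return "login" not in low and "<form" not in low


def verdict(fetch: Callable[[str, Optional[str]], Reply], session_cookie: str,
            url: str = BASE_URL + FLAGGED_PATH) -> str:
    """
    OPEN   - anonymous request is served: the finding still stands
    FIXED  - anonymous request refused, authenticated request served
    BROKEN - nobody is served: the fix locked legitimate users out as well
    """
    anon = is_served(fetch(url, None))
    authed = is_served(fetch(url, session_cookie))
    if anon:
        return "OPEN"
    return "FIXED" if authed else "BROKEN"


# Constructed stand-ins for the server, so the script can be exercised offline.
def before_fix(url: str, cookie: Optional[str]) -> Reply:
    return Reply(200, None, '{"ActivityCount": 3}')        # answers everyone


def after_fix(url: str, cookie: Optional[str]) -> Reply:
    if cookie == SESSION:
        return Reply(200, None, '{"ActivityCount": 3}')
    return Reply(302, "/Users/Login.aspx", "")              # anonymous bounced to (assumed) login page


def lockout(url: str, cookie: Optional[str]) -> Reply:
    return Reply(302, "/Users/Login.aspx", "")              # fix too strict: bounces everyone


if __name__ == "__main__":
    for name, server in (("before", before_fix), ("after", after_fix), ("lockout", lockout)):
        print(name, verdict(server, SESSION))
    # Live re-test against the real application (needs network and a valid session cookie):
    # print(verdict(http_get, SESSION))
```

Run it once before the change and once after. A result of FIXED is the only one that closes the finding: OPEN means the anonymous GET still returns the count, and BROKEN means the authenticated session is also refused, so the taskbox itself has probably stopped working for real users. The "login"/"<form" check is crude; adjust it to whatever your application's login page actually returns.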
