Solved
Severity of Open Redirect Attacks in Blocks
Application Type: Reactive

Hi,

I have a block that has a URL input parameter, which is used directly inside a link of that block, as shown in the screenshot below:

This current implementation raises the following warning in Service Studio:

"Open Redirect: Redirecting to a URL coming from a screen input parameter makes your application vulnerable to open redirect attacks."

I am aware of the severity of this issue in the case of Screens (where inputs to that screen can be manipulated directly from the URL), which is not the case for Blocks.

It is possible to manipulate the inputs of the block from Dev Tools (overriding their values from the respective script), but as far as I know, this is not something that needs to be accounted for from a security standpoint.

P.S.: I cannot use the ReplaceURLDomain() server action in my case (as per the following article: Open Redirect Warning - Outsystems), as the link's domain is not static but dynamic.

What is the severity of this warning in the case of Blocks? Can I simply ignore it in this case? I could not find any relevant information on this topic.

Any help is highly appreciated, thanks in advance :)

Best regards,

Abed

2024-07-05 14-16-55
Daniël Kuhlmann
 
MVP
Solution

Hi Abed,

You wrote "It is possible to manipulate the inputs of the block from Dev Tools (overriding their values from the respective script), but as far as I know, this is not something that needs to be accounted for from a security standpoint."

I do think it is a potential security risk that you need to evaluate and decide upon: leave it as is, or implement measures to have a more secure solution.

Client-side manipulation through browser Dev Tools is a significant security concern. Developers cannot trust any client-side inputs or code, because they can be modified by malicious users. A fundamental security principle is "Never trust the client." Server-side validation, authorization checks, and proper sanitization are critical even if you perform client-side validations.

You could try and do what Siya suggested; you can also leave the code as is. You can still publish, it is just a warning. The warning is there so you can make a conscious decision on what to do.

Regards,

Daniel

2019-01-07 16-04-16
Siya
 
MVP

In my opinion, this is only a problem if you are directly passing the screen input parameter (which is a URL) to the block input. Instead of doing that, you could raise an event. The event handler can do the redirection since the parent already has the URL to redirect to. This is safer and avoids problems. 

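Both replies above come down to the same rule: the URL that ends up in the link must be checked somewhere the user cannot tamper with, against something the server controls. Since Abed's domain is dynamic, a fixed ReplaceURLDomain() call does not fit, but an allow-list of permitted hosts does. The following is an added example, not code from the thread or from the OutSystems platform: a redirect-target validator written in plain JavaScript (the same logic can be ported to a server action). The application origin, the allow-list contents and the fallback path are assumptions for illustration; the allow-list stands in for whatever the server would load from configuration or a database.

```javascript
// Added example (not from the thread or OutSystems): validate a client-supplied
// redirect target against a server-held allow-list of hosts.
// Assumed values for illustration only:
const APP_ORIGIN = 'https://app.example.com';                              // assumed app origin
const DEFAULT_ALLOWED_HOSTS = ['app.example.com', 'partner.example.org'];  // assumed allow-list
const FALLBACK = '/';                                                      // where rejected targets go

/**
 * Returns a normalised, safe href for `candidate`, or `fallback` when the
 * target cannot be shown to land on an allowed host over http(s).
 *
 * The check is on the parsed host, never on a string prefix, so the usual
 * open-redirect tricks fail: "https://app.example.com.evil.net",
 * "//evil.net/x", "https://app.example.com@evil.net", "https:\\evil.net"
 * and "javascript:alert(1)" all return the fallback.
 */
function safeRedirectTarget(candidate, allowedHosts = DEFAULT_ALLOWED_HOSTS, fallback = FALLBACK) {
  if (typeof candidate !== 'string' || candidate.length === 0 || candidate.length > 2048) {
    return fallback;
  }

  let url;
  try {
    // Relative paths resolve against our own origin; absolute and
    // protocol-relative inputs keep their own host, which is then checked.
    url = new URL(candidate, APP_ORIGIN);
  } catch {
    return fallback; // unparseable input
  }

  // Only web schemes may be linked; this removes javascript:, data:, file: ...
  if (url.protocol !== 'https:' && url.protocol !== 'http:') {
    return fallback;
  }

  // `host` includes a non-default port, so "app.example.com:8443" is only
  // accepted if the allow-list names it explicitly. The URL parser already
  // lower-cases the host, so comparison is exact.
  const allowed = new Set(allowedHosts.map((h) => h.toLowerCase()));
  if (!allowed.has(url.host)) {
    return fallback;
  }

  // Never let "user:pass@" survive into a rendered link.
  url.username = '';
  url.password = '';
  return url.href;
}

/** Builds the anchor markup the block would render; the href is validated first. */
function renderLink(candidate, text) {
  const href = safeRedirectTarget(candidate);
  return `<a href="${href}">${text}</a>`;
}

module.exports = { safeRedirectTarget, renderLink };
```

If the allow-list is loaded server-side (the approach Abed settled on, fetching the URLs from the server, makes the list unnecessary because the client never supplies the target at all), the candidate should be validated there and only the resulting href handed to the block, so that overriding the block input in Dev Tools cannot widen the set of reachable destinations.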

2024-01-04 15-15-51
Abed Al Banna

Hi Daniël and Siya,


After reading through your replies and giving it further consideration, I decided to go with another approach that doesn't require the URLs to be passed as inputs to that block; they are instead fetched directly from the server.

Thanks for your replies, hoping to see you at the ONE conference next week!


Best,

Abed

2019-01-07 16-04-16
Siya
 
MVP

Hello @Abed Al Banna. Thank you for sharing the update. See you next week @ ONE
