
Protecting OutSystems apps from code injection / Cross Site Scripting attacks

Code Injection

Code injection happens when untrusted data is sent to a code interpreter and treated as code rather than as data. The most common scenarios are SQL injection and XML injection.

The following example from the OWASP documentation illustrates how an SQL injection attack can be used to fetch all accounts from a database:

(Image: Example of SQL Injection Attack)

Cross Site Scripting

Cross Site Scripting (XSS) occurs when untrusted data is sent to the web browser (renderer) and is interpreted as script or markup. It is one of the most common web application vulnerabilities. The following example from the OWASP documentation illustrates how an XSS attack can be used to hijack a user session and impersonate that user:

(Image: Example of XSS Attack)

The following use cases list the action to take in each one.

Use case: Escape string literals provided by the end-user and used in expressions
Actions:
  - Use the EncodeHtml() built-in function to replace special characters in a string so that you can use it in HTML literals.
  - Use the EncodeJavascript() built-in function to replace special characters in a string so that you can use it in JavaScript literals.

Use case: Escape HTML content provided by the end-user
Action: Use the SanitizeHtml() function from the Sanitization API to ensure that the value entered by the end-user does not contain any malicious content.

Use case: Expand inline parameters in advanced queries
Action: Follow the guidelines in Building dynamic SQL statements the right way.

Use case: Manually build URLs in redirects with dynamic URLs
Action: Use the EncodeURL() function to replace all non-alphanumeric characters in a string so that you can safely use it in URL parameter values.

Use case: Whitelist allowed external sites
Action: Apply a Content Security Policy as a way to prevent and mitigate the impact of XSS attacks.
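The use cases above pair each output context with its own encoder. The following JavaScript is an added example, not OutSystems code: encodeHtml(), encodeJavascript() and encodeUrl() are stand-ins for the EncodeHtml(), EncodeJavascript() and EncodeURL() built-ins (their exact escaping rules are assumed), and renderProfile() places one constructed untrusted value into an HTML literal, a JavaScript string literal and a URL parameter value, each with the matching encoder.

```javascript
// Added example, not OutSystems code: one encoder per output context.
// encodeHtml/encodeJavascript/encodeUrl are plain-JavaScript stand-ins for
// the EncodeHtml(), EncodeJavascript() and EncodeURL() built-ins; their
// exact escaping rules are an assumption made for this example.

// HTML literal context: the five characters that can open a tag or an
// entity, or close an attribute value, are replaced by entities.
function encodeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// JavaScript string literal context: every non-alphanumeric character
// becomes \xHH or \uHHHH, so quotes, backslashes, line breaks and the
// sequence "</script>" can never terminate the literal or the script.
function encodeJavascript(s) {
  return String(s).replace(/[^A-Za-z0-9]/g, (c) => {
    const code = c.charCodeAt(0);
    return code < 256
      ? '\\x' + code.toString(16).padStart(2, '0')
      : '\\u' + code.toString(16).padStart(4, '0');
  });
}

// URL parameter value context: percent-encode everything that is not
// alphanumeric, including the characters encodeURIComponent leaves alone.
function encodeUrl(s) {
  return encodeURIComponent(String(s)).replace(/[!'()*]/g,
    (c) => '%' + c.charCodeAt(0).toString(16).toUpperCase());
}

// The same untrusted value placed in three contexts, each with its own encoder.
function renderProfile(displayName) {
  return [
    `<span class="name">${encodeHtml(displayName)}</span>`,
    `<script>var name = '${encodeJavascript(displayName)}';</script>`,
    `<a href="/search?q=${encodeUrl(displayName)}">Search</a>`,
  ].join('\n');
}

// Check that the encoded JavaScript literal still evaluates to the original value.
function jsLiteralRoundTrips(s) {
  return new Function(`return '${encodeJavascript(s)}';`)() === s;
}

// Constructed untrusted input mixing the delimiters of all three contexts.
const UNTRUSTED = `Ann "O'Neil" <b>&amp; co</b> </script>?x=1`;
```

Swapping encoders between contexts is the usual mistake: an HTML-encoded value inside a JavaScript literal still leaves quotes and backslashes unescaped, while a JavaScript-encoded value inside HTML is displayed as literal escape sequences.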

Service Studio will issue design-time warnings about the patterns that can lead to code injection attacks.