In OutSystems 10 we introduced security warnings. They are shown in Service Studio as TrueChange warnings and in the deployment log when an eSpace is published through Service Center.
These warnings appear when the platform detects insecure application patterns that can introduce vulnerabilities. Most of these vulnerabilities can be avoided or mitigated with OutSystems built-in tools. In this document, we map each platform warning to the insecure pattern it identifies and to the solution for that vulnerability.
Warning: "Please enclose input parameters with a ReplaceURLDomain() function from HttpRequestHandler to avoid open redirect vulnerabilities."
Pattern: Having screen input parameters that represent URLs and are used in redirection nodes. If the input is not validated, it can carry the URL of a malicious website, so a link that appears to point at your application ends up sending the user elsewhere.
Solution: As the warning suggests, enclose the input parameter in the ReplaceURLDomain() function, which replaces whatever domain the URL names with your own domain. The result is guaranteed to point inside your domain (even if that location doesn't exist). If you really need to allow redirections to external domains, keep a whitelist of valid domains and develop your own logic to check whether a URL belongs to one of them. Compare the parsed host of the URL exactly against the list; checking whether the whitelisted name merely appears in the URL, or whether the URL starts with it, is bypassed by values such as a subdomain of an attacker's site that contains your domain name, or a user-info prefix placed before the real host.
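The two approaches above, as an added example that is not OutSystems code or the real ReplaceURLDomain() implementation: force_own_domain() approximates the behaviour the text describes (any host becomes your own), and is_safe_redirect() is the whitelist check for the case where external targets must be allowed. The host list, own-domain name and sample URLs are constructed for the example; naive_is_safe() is included only to show why substring matching is not enough.

```python
"""Open-redirect checks for a redirect target taken from a screen input parameter.

Added illustration in Python; not the platform's own code. ALLOWED_HOSTS and
OWN_HOST are hypothetical values for this example.
"""
from urllib.parse import urlsplit, urlunsplit

# Constructed allow list: the only hosts this application may redirect to.
ALLOWED_HOSTS = {"www.example.com", "partner.example.org"}
OWN_HOST = "www.example.com"  # hypothetical own domain


def force_own_domain(url: str, own_host: str = OWN_HOST) -> str:
    """Approximation of what the text says ReplaceURLDomain() does:
    whatever host the URL names, the result points at own_host.
    Path, query and fragment are kept; the scheme is forced to https."""
    parts = urlsplit(url.strip())
    # urlunsplit inserts the leading "/" when a netloc is present and the
    # path does not start with one, so "evil.com/x" becomes "/evil.com/x".
    return urlunsplit(("https", own_host, parts.path, parts.query, parts.fragment))


def naive_is_safe(target: str, allowed_hosts: set) -> bool:
    """The check a practitioner must NOT write: substring matching."""
    return any(host in target for host in allowed_hosts)


def is_safe_redirect(target: str, allowed_hosts: set) -> bool:
    """Allow same-site paths and absolute URLs whose parsed host is listed."""
    target = target.strip()
    if "\\" in target:
        # Browsers treat "/\evil.com" like "//evil.com"; reject outright.
        return False
    parts = urlsplit(target)
    if parts.scheme not in ("", "http", "https"):
        return False  # javascript:, data:, and friends
    if parts.netloc == "":
        # Relative target: a scheme with no authority ("https:evil.com") is
        # rewritten by browsers into an absolute URL, so require no scheme
        # and a path that starts with a single "/".
        return parts.scheme == "" and target.startswith("/") and not target.startswith("//")
    # hostname is lower-cased and has user-info and port stripped, so
    # "https://www.example.com@evil.com/" yields "evil.com".
    return parts.hostname in allowed_hosts


def safe_redirect_target(target: str, allowed_hosts: set = ALLOWED_HOSTS, fallback: str = "/") -> str:
    """Return the target if it passes the check, otherwise a fixed fallback."""
    return target if is_safe_redirect(target, allowed_hosts) else fallback


if __name__ == "__main__":
    # Constructed attacker inputs that defeat substring matching.
    for candidate in ("https://www.example.com.evil.com/", "https://www.example.com@evil.com/",
                      "//evil.com/?next=www.example.com", "/\\evil.com", "javascript:alert(1)",
                      "/account/settings", "https://partner.example.org/cb"):
        print(f"{candidate!r:45} naive={naive_is_safe(candidate, ALLOWED_HOSTS)!s:5} "
              f"strict={is_safe_redirect(candidate, ALLOWED_HOSTS)!s:5} "
              f"forced={force_own_domain(candidate)}")
```

The strict check accepts only two shapes: a path on the current site, or an absolute http(s) URL whose parsed hostname is in the list. Everything that relies on how a browser normalises an odd-looking string (backslashes, missing authority, user-info before the host, protocol-relative URLs) is rejected rather than interpreted.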
Warning: "Please ensure your argument is correctly encoded to avoid SQL injection security flaws."
Pattern: Having screen input parameters whose value is expanded inline into the SQL text of an Advanced Query (a query parameter with Expand Inline set to Yes), without being encoded or escaped. Parameters that are not expanded inline, and Aggregate filters, are passed to the database as bound values and do not trigger this warning.
Solution: Enclose the input parameter in the EncodeSQL() function, which escapes the characters that would let the value terminate a string literal and continue as SQL. Two caveats: only use Expand Inline when the query genuinely needs it, since a bound parameter cannot be injected at all; and EncodeSQL() only protects string literals, so an expanded value used as an identifier (a column name in ORDER BY, a table name) or as a keyword must instead be checked against a fixed list of allowed values.
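The difference between the three ways of passing the value, as an added example that is not OutSystems code. It uses Python's sqlite3 to stand in for the platform's database access: find_user_expand_inline() is the flagged pattern, find_user_encoded() applies an encode_sql() helper written here to approximate what an EncodeSQL-style function does to a string literal (it is not the platform function), find_user_param() is the bound-parameter form, and list_users_sorted() shows the identifier case where only an allow list works. The table, rows and attacker payload are constructed for the example.

```python
"""SQL injection via inline expansion, and the three ways to handle the input.

Added illustration in Python/sqlite3; not the platform's own code.
"""
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed sample data; insertion order deliberately differs from Email order."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE Users (Id INTEGER, Name TEXT, Email TEXT)")
    con.executemany("INSERT INTO Users VALUES (?, ?, ?)", [
        (1, "carol", "carol@example.com"),
        (2, "alice", "alice@example.com"),
        (3, "o'neil", "oneil@example.com"),
    ])
    return con


def encode_sql(value: str) -> str:
    """Approximation of an EncodeSql-style function for string literals:
    double every single quote so the literal cannot be terminated early.
    Our own helper, not the platform function."""
    return value.replace("'", "''")


def find_user_expand_inline(con: sqlite3.Connection, name: str) -> list:
    """The flagged pattern: the input is pasted straight into the SQL text."""
    sql = f"SELECT Name FROM Users WHERE Name = '{name}'"
    return [row[0] for row in con.execute(sql)]


def find_user_encoded(con: sqlite3.Connection, name: str) -> list:
    """Still expanded inline, but the literal is escaped first."""
    sql = f"SELECT Name FROM Users WHERE Name = '{encode_sql(name)}'"
    return [row[0] for row in con.execute(sql)]


def find_user_param(con: sqlite3.Connection, name: str) -> list:
    """Bound parameter: the value never becomes part of the SQL text."""
    return [row[0] for row in con.execute("SELECT Name FROM Users WHERE Name = ?", (name,))]


# Identifiers cannot be bound and escaping does not help, so the only safe
# source for an expanded column name is a fixed allow list.
SORTABLE_COLUMNS = {"Id", "Name", "Email"}


def list_users_sorted(con: sqlite3.Connection, order_by: str) -> list:
    if order_by not in SORTABLE_COLUMNS:
        raise ValueError(f"unsupported sort column: {order_by!r}")
    return [row[0] for row in con.execute(f"SELECT Name FROM Users ORDER BY {order_by}")]


def list_users_sorted_encoded(con: sqlite3.Connection, order_by: str) -> list:
    """What happens if you 'encode' an identifier: quoting turns the column
    name into a constant string, so ORDER BY silently sorts by nothing."""
    return [row[0] for row in con.execute(f"SELECT Name FROM Users ORDER BY '{encode_sql(order_by)}'")]


if __name__ == "__main__":
    db = make_db()
    payload = "x' OR '1'='1"  # constructed attacker input
    print("expand inline:", find_user_expand_inline(db, payload))   # every row
    print("encoded:      ", find_user_encoded(db, payload))         # no rows
    print("bound param:  ", find_user_param(db, payload))           # no rows
    print("sort by Email:", list_users_sorted(db, "Email"))
    print("sort, encoded:", list_users_sorted_encoded(db, "Email"))  # insertion order
```

The encoded and bound forms give identical results for the payload, but the bound form also handles a legitimate name containing a quote (o'neil) without any escaping, which is why it is the default to reach for. The last two functions show the limit of encoding: applied to a column name it does not inject, it just stops sorting.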
Cross-Site Scripting (XSS)
More information about XSS attacks and the consequences of having this vulnerability.
Information on how the OutSystems platform offers tools to overcome XSS vulnerabilities.