As a subscription customer, you may wish to perform penetration tests or vulnerability scans. This is possible as long as they're limited to your own OutSystems Cloud, hybrid, or self-managed infrastructure. For OutSystems Cloud, the tests are limited to the assets under the responsability of the Customer as described under the OutSystems shared responsability model.
Before you start
To avoid generating false positive findings, make sure you consult the OutSystems Platform Hardening documentation.
To find all the procedure details necessary to perform penetration tests and vulnerability scans in your OutSystems cloud environments, refer to Load and penetration tests on Outsystems Cloud.
Reviewing the results
When reviewing penetration test results, it's important to keep in mind that each penetration test framework reports on findings without a proper context. To detect false positives, these findings must be reviewed. For more information on understanding the findings in their proper context, you can contact OutSystems support here.
The following are some examples of false positive findings. In each one, there's a description of why they're considered as such.
jQuery 1.8.3 flagged as a potentially vulnerable library
OutSystems uses jQuery version 1.8.3 which has the following known vulnerabilities:
Issue - Selector interpreted as HTML. CVE-2012-6708 relates to a potential Cross-Site Scripting vulnerability in jQuery's selector operator ( $ ). While the jQuery version we ship with OutSystems is based on version 1.8.3, it contains some changes made by OutSystems. In particular, as of OutSystems version 9.1.401.0, the fix was backported and the $ operator is no longer vulnerable to this attack.
Issue - Prototype pollution. The jQuery version 1.8.3 is vulnerable to Prototype Pollution, CVE-2019-11358. The extend function can be tricked into modifying the prototype of Object when the attacker controls part of the structure passed to this function. This can let an attacker add or modify an existing property that will then exist on all objects. You can find more information on the vulnerability here. While the jQuery version we ship with OutSystems is based on 1.8.3, it doesn't contain any of the patterns described in the vulnerability description, for which this is considered a false positive.
Issue - Passing HTML from untrusted sources to one of jQuery's DOM manipulation methods. The jQuery versions 1.0.3 to 3.5.0 are vulnerable to the possible execution of untrusted code (CVE-2020-11022 and CVE-2020-11023). While the jQuery version we ship with OutSystems is based on 1.8.3, the Platform Server doesn't generate code that passes HTML from untrusted sources to the JQuery DOM manipulation methods, for which this is considered a false positive.
jQuery-ui-dialog flagged as a potentially vulnerable library
Some penetration testing tools may flag OutSystems as having a vulnerable jQuery-ui-dialog library.
OutSystems uses jQuery-ui-dialog version 1.8.24 which has a vulnerability known to this version - CVE-2010-5312. This vulnerability relates to the title() function, potentially allowing for unescaped content to be inserted in the title and causing a Cross Site Scripting problem.
All uses of the affected function by OutSystems properly encode the input parameter. As such, OutSystems isn't vulnerable despite this vulnerability still being present in jquery-ui-dialog.
As for applications developed by your users which make use of this library, you should ensure that you encode the input to the title() function correctly. Alternatively, you can import your own version of jquery-ui-dialog into a different namespace and use that version instead.
Support from OutSystems
OutSystems support and security teams are ready to discuss the findings of the penetration tests with you under the following conditions:
- We expect that you do a preliminary analysis of the report, and report the issues that are caused by the platform and/or cloud infrastructure to OutSystems support.
- The list of issues reported to OutSystems support should exclude issues that can be fixed by the developers or OutSystems admins by enforcing configurations.
Support's reply may include the following:
- A reasoned identification of false positives.
- A reasoned adjustment of severity based on the specifics of the technical environment.
- An escalation of eventual product defects to
Furthermore, the following tables can help you understand the responsibilities and expectations by deployment model:
OutSystems cloud & hybrid