
Penetration testing

Overview

As a subscription customer, you may wish to perform penetration tests or vulnerability scans. This is possible as long as they're limited to your own OutSystems cloud, hybrid, or self-managed infrastructure.

Before you start

To avoid generating false positive findings, make sure you consult the OutSystems Platform Hardening documentation.

To find all the procedure details necessary to perform penetration tests and vulnerability scans in your OutSystems cloud environments, refer to Load and penetration tests on OutSystems cloud.

Reviewing the results

When reviewing penetration test results, keep in mind that each penetration test framework reports findings without their proper context, so the findings must be reviewed to detect false positives. For help understanding the findings in their proper context, contact OutSystems support.

False positives

The following are some examples of false positive findings. Each one includes an explanation of why it is considered a false positive.

jQuery 1.8.3 flagged as a vulnerable library

OutSystems uses jQuery version 1.8.3 which has the following known vulnerabilities:

  • Issue - Selector interpreted as HTML. Vulnerability #11290 relates to a potential Cross-Site Scripting vulnerability in jQuery's selector operator ($). While the jQuery version shipped with OutSystems is based on version 1.8.3, it contains some changes made by OutSystems. In particular, as of OutSystems version 9.1.401.0, the fix was backported and the $ operator is no longer vulnerable to this attack.

  • Issue - Prototype pollution. jQuery version 1.8.3 is vulnerable to Prototype Pollution: the extend function can be tricked into modifying the prototype of Object when the attacker controls part of the structure passed to it, which lets an attacker add or modify a property that will then exist on all objects. While the jQuery version shipped with OutSystems is based on 1.8.3, it doesn't contain any of the patterns described in the vulnerability description, which is why this is considered a false positive.
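The pattern described above is a deep merge that follows attacker-shaped keys into a shared prototype. The following is an added example (not OutSystems' or jQuery's code, and all names are hypothetical) of a deep extend written so that this cannot happen: keys that reach the prototype are skipped and recursion only enters plain objects the target owns.

```javascript
// Keys that would redirect a write from the target object to a prototype
// shared by every object in the page.
var BLOCKED_KEYS = ["__proto__", "constructor", "prototype"];

// A value is safe to recurse into only if it is a plain object literal (or
// a null-prototype object), not an array, Date, function, DOM node, etc.
function isPlainObject(value) {
  if (value === null || typeof value !== "object") return false;
  var proto = Object.getPrototypeOf(value);
  return proto === Object.prototype || proto === null;
}

// Deep-merge `source` into `target`, jQuery.extend(true, ...) style, while
// refusing any key that could turn the merge into a prototype write.
function safeExtend(target, source) {
  Object.keys(source).forEach(function (key) {
    if (BLOCKED_KEYS.indexOf(key) !== -1) return; // drop __proto__ and friends
    var value = source[key];
    if (isPlainObject(value)) {
      // Recurse only into a slot the target owns; never into inherited state.
      var ownSlot = Object.prototype.hasOwnProperty.call(target, key) && isPlainObject(target[key]);
      target[key] = safeExtend(ownSlot ? target[key] : {}, value);
    } else {
      target[key] = value;
    }
  });
  return target;
}
```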

jQuery-ui-dialog flagged as a potentially vulnerable library

Some penetration testing tools may flag OutSystems as having a vulnerable jQuery-ui-dialog library.

OutSystems uses jQuery-ui-dialog version 1.8.24, which has a known vulnerability, CVE-2010-5312. This vulnerability relates to the title() function, which potentially allows unescaped content to be inserted in the title and causes a Cross-Site Scripting problem.

All uses of the affected function by OutSystems properly encode the input parameter. As such, OutSystems isn't vulnerable, even though the vulnerability is still present in jquery-ui-dialog.

For applications developed by your users that make use of this library, you should ensure that you encode the input to the title() function correctly. Alternatively, you can import your own version of jquery-ui-dialog into a different namespace and use that version instead.
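One way to apply the encoding advice above, as an added example rather than OutSystems' or jQuery UI's own code: every untrusted title goes through one HTML-encoding wrapper before it reaches the widget. It assumes jQuery UI 1.8's `.dialog("option", "title", value)` setter and takes the dialog object as a parameter so the helper can be exercised outside a browser; the function names are hypothetical.

```javascript
var HTML_ENTITIES = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };

// Encode the five HTML metacharacters so the string renders as literal text
// even when the widget writes it into the title bar with .html().
function encodeForHtml(text) {
  return String(text).replace(/[&<>"']/g, function (ch) { return HTML_ENTITIES[ch]; });
}

// Single place where application code sets a dialog title. `dialog` is an
// initialised jQuery UI dialog; only the encoded form is handed to the widget.
function setDialogTitle(dialog, untrustedTitle) {
  var safe = encodeForHtml(untrustedTitle);
  dialog.dialog("option", "title", safe);
  return safe;
}

// Review aid for code audits: true when a title string still carries raw
// markup characters or a bare ampersand, i.e. it was never encoded.
function looksUnencoded(title) {
  return /[<>"']|&(?!(?:amp|lt|gt|quot|#39);)/.test(String(title));
}
```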

Support from OutSystems

OutSystems support and security teams are ready to discuss the findings of the penetration tests with you under the following conditions:

  • We expect that you do a preliminary analysis of the report, and report the issues that are caused by the platform and/or cloud infrastructure to OutSystems support.
  • The list of issues reported to OutSystems support should exclude issues that can be fixed by the developers or OutSystems admins by enforcing configurations.

Support's reply may include the following:

  • A reasoned identification of false positives.
  • A reasoned adjustment of severity based on the specifics of the technical environment.
  • An escalation of any product defects to R&D.

Furthermore, the following tables can help you understand the responsibilities and expectations by deployment model:

OutSystems cloud & hybrid

Customer responsibilities
  • Deploy and manage OutSystems on self managed servers
  • Execute the penetration tests

Customer expectations
  • The customer has knowledge of how to configure and manage OutSystems and underlying technologies
  • The customer has knowledge of the tool(s) used to perform penetration tests
  • The customer is responsible for executing the tests, collecting the results, reviewing the results, performing the necessary correction and re-checking

OutSystems responsibilities
  • Maintain and manage OutSystems cloud
  • Help customers set up the Hybrid infrastructure
  • Provide support to customers on issues related to the product and deployment

OutSystems expectations
  • Has expert knowledge on OutSystems cloud
  • Has expert knowledge on OutSystems
  • Is able to help customers with OutSystems related issues (support terms)
  • Is able to reply to customer questions

Self-managed

Customer responsibilities
  • Deploy and manage OutSystems on self managed servers
  • Execute the penetration tests

Customer expectations
  • The customer has knowledge of how to configure and manage OutSystems and underlying technologies
  • The customer has knowledge of the tool(s) used to perform penetration tests
  • The customer is responsible for executing the tests, collecting the results, reviewing the results, performing the necessary correction and re-checking

OutSystems responsibilities
  • Provide support to customers on issues related to the product

OutSystems expectations
  • Has expert knowledge on OutSystems
  • Is able to help customers with OutSystems related issues (support terms)
  • Is able to reply to customer questions