Security Scanner extension user manual

Unofficial Content

Security Scanner extension scans/check objects within a Knowledge Base looking for potential security issues following the OWASP Top 10 Security Risks.

For Xev1 is available extension version 2.0.0.0 to validate OWASP 2010 Top 10 Security Risks. For Xev2 use the extension version 2.1.0.0 (or higher) to validate with OWASP 2013 Top 10 Security Risks.

Using the tool is very easy and this document explains how to use it. In addition, you can check the extension source code here

Once the extension is installed a new toolbar is added to the IDE:

security scanner option

You can run the extension for all the Knowledge Base objects using the following Window

GXScan

or apply it to a list of objects using the "Security Scanner" contextual Menu.

SecurityScannerContextualMenu

Scan configuration

In the first area of the Security Scanner window you can configure which Knowledge Base elements will be scanned.

  • Environment (rules #100 and #105)
  • Web Panels
  • Transactions
  • Procedures
  • Attributes
  • Domains

Rules configuration

Within this area you configure which rules will be executed when an object is scanned.

Parameter encryption #100

Security Scanner analyzes the KB environment and objects in order to check if its parameters are encrypted, that means if its Encrypt URL parameters property is set to "Session key" or "Site key".
If an <Parameter encryption> issue is found, Security Scanner will show the following message:

error: #100 in WebPanel1 >> Object parameters not encrypted

HTML format #101

Security Scanner analyzes attributes, variables and textblocks checking if its Format property? has been set to "HTML" or "Raw HTML".
If an <HTML format> issue is found, Security Scanner will show a message like this:

error: #101 in WWCountry >> Variable CountryName allows HTML

Authorization #102

Security Scanner analyzes Web Panels and Transactions into the KB checking if they call an Authorization program (procedure). This rule does not apply for: Master Pages and Web Components.
If an <Authorization> issue is found, Security Scanner will show a message like this:

error: #102 in WebPanel1 >> No authorization call found

When using Xev2, the Integrated Security Level property is checked (GeneXus Access Manager usage).

SQL Command #103

Security Scanner analyzes KB objects looking for SQL commands.
If an <SQL Command> issue is found, Security Scanner will show a message like this:

error: #103 in Command >> SQL Command found in source

i.e.: SQL UPDATE UserInfo SET UserWelcomeMessage='[!&UserWelcomeMessage!]' WHERE UserId=[!&UserId!]

Link Command #104

Security Scanner analyzes KB objects in order to check if there is a dynamic command link without parameters.
If an <Link command> issue is found, Security Scanner will show a message like this:

error: #104 in WWCountry >> Parameterless LINK commnad found

i.e.: Link(&SomeWebPanel)

Http Protocol #105

Security Scanner analyzes KB environment and Web Panels checking if HTTPS protocol has been specified. This means checking if Protocol specification propertyhas been set to “Secure (HTTPS)
If an <Http protocol> issue is found, Security Scanner will show a message like this:

error: #105 in WebPanel1 >> Http protocol is not Secure

Ajax Request Security #106 in Xev1

Security Scanner analyzes KB environment and objects checking if security for ajax calls has been set to High. This means checking if Ajax requests security property has been set to “High”.
If an <Ajax request security> issue is found, Security Scanner will show a message like this:

error: #106 in WebPanel1 >> Ajax request security is not High

Javascript Debug Mode #106 in Xev2

Security Scanner analyzes the Javascript debug mode property at generator level; when enabled the following message will be displayed:

error: #106 in Generator >> Javascript Debug Mode is enabled

Web Components URL Access #107

Security Scanner analyzes KB objects set as Web Components checking if URL Access for them has been enabled. This means checking if URL Access property has been set to “Yes
If an <WC URL Access> issue is found, Security Scanner will show a message like this:

error: #107 in WebPanel1 >> Web Components with URL Access enabled

C#, Java, Ruby native code usage #108

Security Scanner analyzes KB objects source section checking for the java or csharp command.
The following message is displayed:

error: #108 in NativeCodeObjectSample >> Native Code usage found in source

HttpResponse data type usage #109

Security Scanner analyzes KB objects variables section checking for HttpResponse data type usage.
The following message is displayed:

error: #109 in WebPanelSample >> HttpResponse Data Type usage in variables
#109: Name 'response' Type 'HttpResponse'

LDAPClient GetAttribute method usage #110

Security Scanner analyzes KB objects source section checking for LDAPClient Data Type GetAttribute method usage.
The following message is displayed:

error: #110 in ProcedureSample >> LDAPClient GetAttribute method used in source

Directory data type usage #111

Security Scanner analyzes KB objects variables section checking for Directory data type usage.
The following message is displayed:

error: #111 in WebPanelSample >> Directory Data Type usage in variables
#111: Name 'd01' Type 'Directory'

File data type usage #112

Security Scanner analyzes KB objects variables section checking for File data type usage.
The following message is displayed:

error: #112 in WebPanelSample >> File Data Type usage in variables
#112: Name 'f01' Type 'File'

XMLReader ValidationType property usage #113

Security Scanner analyzes KB objects source section checking for XMLReader Data Type ValidationType property usage.
The following message is displayed:

error: #113 in ProcedureSample >> XMLReader ValidationType property not used in source

Shell function #114

Security Scanner analyzes KB objects source section checking for Shell Function usage.
The following message is displayed:

error: #114 in ProcedureSample >> Shell function found in source

Random function #115

Security Scanner analyzes KB objects source section checking for Random function usage.
The following message is displayed:

error: #115 in ProcedureSample >> Random function found in source

SetCookie function #116

Security Scanner analyzes KB objects source section checking for SetCookie function usage.
The following message is displayed:

error: #116 in ProcedureSample >> SetCookie function found in source

Whenever possible use the Cookie data type and enable the HttpOnly property.

Form.HeaderRawHTML property #117

Security Scanner analyzes WebPanels and Transactions source section checking for Form.HeaderRawHTML property usage.
The following message is displayed:

error: #117 in WebPanelSample >> Form.HeaderRawHTML property found in source

Form.JScriptSrc property #118

Security Scanner analyzes WebPanels and Transactions source section checking for Form.JScriptSrc property usage.
The following message is displayed:

error: #118 in WebPanelSample >> Form.JScriptSrc property found in source

IsPassword property #119

Security Scanner analyzes WebPanels and Transactions source section checking for IsPassword property usage.
The following message is displayed:

error: #119 in WebPanelSample >> IsPassword Property enabled in WebForm
error: #119 in WebPanelSample >> IsPassword property found in source 
error: #119 in WebPanelSample >> IsPassword property found in rules

External Object usage #120

Security Scanner analyzes KB objects source section checking for External object usage.
The following message is displayed:

error: #120 in ProcedureSample >> External Object usage in variables
#120: Name 'myMD5' Type 'md5'

For Xev2; GAM and GXflow External Objects are excluded.

User Control usage #121

Security Scanner analyzes WebPanels and Transactions WebForm section for User Controls usage.
The following message is displayed:

error: #121 in WebPanelSample >> UserControl detected in WebForm
#121: Name 'HistoryManager' Type 'HistoryManager'

SDT.ToXml() pattern usage #122

Security Scanner analyzes KB objects source section checking for the SDT.ToXml() pattern usage.
The following message is displayed:

error: #122 in ProcedureSample >> SDT.ToXml() pattern detected in source

SDT.ToJson() pattern usage #123

Security Scanner analyzes KB objects source section checking for the SDT.ToJson() pattern usage.
The following message is displayed:

error: #123 in ProcedureSample >> SDT.ToJson() pattern detected in source

Cookie data type usage #124

Security Scanner analyzes KB objects variables section checking for Cookie data type usage.
The following message is displayed:

error: #124 in ObjectSample >> Cookie Data Type usage in variables

Whenever possible enable the HttpOnly property.

XmlWriter WriteRawText method usage #125

Security Scanner analyzes KB objects source section checking for the XMLWriter WriteRawText Method usage.
The following message is displayed:

error: #125 in ProcedureSample >> XMLWriter WriteRawText method used in source

Output Configuration

Only output objects with warning messages

The Extension output will only display information when any of the selected objects matches the rules applied.

Do not show errors when using Environment value

Use the “Do not show errors when using Environment value” check option to avoid warning messages when scanning an object with a possible problem caused by taking a property value from the Environment (applies for rules #100 and #105)

For example: if the Encrypt Parameter Environment property is set as No, a warning message will be displayed for the environment:

error: #100 in WebPanel1 >> Object parameters not encrypted

And for those objects (web panels and transactions) which have Encrypt Parameters = Use environment value:

  • If “Do not show errors …” checkbox is checked nothing is displayed.
  • If “Do not show errors …” checkbox is not checked error: #100 in WebPanel1 >> Object parameters not encrypted (using Environment value) is displayed.

Excel file

Generates an Excel file with the Extension output execution.