A1: 2017 - Injection

Unofficial Content


SQL Injection

Actions by GeneXus

Actions by Developers

XML Injection

Actions by GeneXus

  • When the SDT's ToXML function is used, GeneXus encodes the entries.
  • When the XML is read or written manually, the XMLWriter and XMLReader functions encode/decode the entries and values accordingly.

Actions by Developers

JSON Injection

Actions by GeneXus

  • When the SDT's ToJSON function is used, GeneXus encodes the entries.

Actions by Developers

LDAP Injection

Actions by GeneXus

  • GeneXus sanitizes the characters used in the User and Password fields when it obtains the attributes from the LDAP Data Type.
  • The attributes of the GetAttribute function are structured so as to prevent injections and complex queries.

Actions by Developers

  • The developer doesn't have to take any action, but deploying over a secure channel is advised.

OS Injection

Actions by GeneXus

  • GeneXus doesn't take any specific actions.

Actions by Developers

  • If the Shell function is used, user entries must be sanitized by validating them with regular expressions, wrapping parameters in quotes (" ") and/or encoding special characters.
    • Security Scanner helps to detect this scenario with case code #114.
  • Configuring minimum privileges for the application server is also recommended.

SMTP Injection

Actions by GeneXus

  • GeneXus implements all the data types needed to send e-mail messages in the SMTP Data Type.

Actions by Developers

  • The developer doesn't have to take any action, but adequate server hardening and periodic log review are recommended.

Code Injection

Actions by GeneXus

  • GeneXus validates the inputs for dynamic class loading.

Actions by Developers

  • Validate Blob extensions by whitelisting.
    • Security Scanner helps to detect this scenario with case code #129.
  • Use dynamic class loading only when needed, and validate the inputs before execution.
    • Security Scanner helps to detect this scenario with case code #108.

Log Injection

Actions by GeneXus

  • GeneXus doesn't provide log functionalities.

Actions by Developers

  • If the developer uses a database table to store logs, or the msg function to add information to the Java server's logs, user entries must be sanitized first.
  • If a timestamp is used, take it from the server; avoid using dates entered by the user.
  • The use of an autonumbered log is recommended.
  • Avoid granting the server permissions to erase previous log records.
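As an added illustration of the developer actions above (sanitize user entries, server-side timestamp, autonumbered records), here is a small Python example written for this page; it is not GeneXus or GeneXus-generated code, and the `sanitize_log_entry` and `LogWriter` names and the sample entries are constructed for the example. The same logic maps onto a table-based log or the values passed to msg in the generated Java/.NET code.

```python
import re
import itertools
from datetime import datetime, timezone
from typing import List, Optional

# Constructed sample user entries: the second one tries to forge an extra
# log line by embedding CR/LF, the third carries a user-supplied date.
SAMPLE_ENTRIES: List[str] = [
    "login ok for user alice",
    "login failed for user bob\r\n2017-01-01 00:00:00 [1] login ok for user admin",
    "2099-12-31 login ok for user eve",
]

# Characters that can break a line or alter how a log viewer renders text:
# CR, LF, the other C0 control characters and DEL.
_CONTROL_CHARS = re.compile(r"[\x00-\x1f\x7f]")

def sanitize_log_entry(user_text: str, max_len: int = 200) -> str:
    """Neutralize user-controlled text before it is written to a log.

    Control characters (including CR/LF) are replaced by an escaped hex
    form so a value can never start a new log line, and the value is
    truncated so one entry cannot flood the log.
    """
    escaped = _CONTROL_CHARS.sub(lambda m: "\\x%02x" % ord(m.group()), user_text)
    return escaped[:max_len]

class LogWriter:
    """Appends records with a server-side timestamp and an auto-incremented id.

    The id and the timestamp come from the application, never from the
    request, so a date typed by the user stays inside the message text.
    """
    def __init__(self) -> None:
        self._seq = itertools.count(1)
        self.records: List[str] = []  # append-only; nothing here deletes earlier records

    def write(self, user_text: str, now: Optional[datetime] = None) -> str:
        stamp = (now or datetime.now(timezone.utc)).strftime("%Y-%m-%d %H:%M:%S")
        record = "%s [%d] %s" % (stamp, next(self._seq), sanitize_log_entry(user_text))
        self.records.append(record)
        return record

if __name__ == "__main__":
    log = LogWriter()
    for entry in SAMPLE_ENTRIES:
        print(log.write(entry))
```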