GeneXus Community Wiki
Image
Search
TBWelcome
Sign up
Login
Settings
Change Password
Logout
Login
Sign in
Text Block
Logout
Managing OWASP Top 10 2017 in GeneXus Applications
Table of contents
Page Id
39915
A1: 2017 - Injection
A2:2017 - Broken Authentication
A3:2017 - Sensitive Data Exposure
A4:2017 - XML External Entities (XXE)
A5:2017 - Broken Access Control
A6:2017 - Security Misconfiguration
A7:2017 - Cross-Site Scripting (XSS)
A8:2017 - Insecure Deserialization
A9:2017 - Using Components with Known Vulnerabilities
A10:2017 - Insufficient Logging and Monitoring
Security Scanner built-in tool
GeneXus Security Scanner extension
GeneXus Security Scanner extension - Advanced Configurations
OWASP Top 10 2017 Security Scanner extension - Reference Table
Page Tools
Add a category
Add a group
Page Info
Also seen in
Other document versions
i
Text Block
Recents:
A2:2017 - Broken Authentication
This documentation is valid for:
OWASP Documentation
Authentication
OWASP Documentation
Actions by GeneXus
GeneXus provides a security module called
GeneXus Access Manager (GAM)
. This module implements different
Authentication Scenarios
and
Authentication Types
.
Actions by Developers
Use GAM or implement a security module.
Password Strength Controls
OWASP Documentation
Actions by GeneXus
GAM provides the developer with the tools to implement an adequate password control policy.
See the documentation here
.
Actions by Developers
Configure GAM or the external security module to implement the selected password control properly.
Password Recovery Mechanism
OWASP Documentation
Actions by GeneXus
GAM provides the developer with an implementation for the.
Password Recovery Mechanism
Actions by Developers
Adapt the GAM reference implementation to the company's security policy or configure properly the security module chosen. The use of the
OWASP guidelines
is recommended.
Authentication and error messages
OWASP Documentation
Actions by GeneXus
GAM provides the developer with an implementation for the
Password Recovery Mechanism
and
Login
.
Actions by Developers
The error messages must be generic, avoiding providing an attacker with any user's information.
Session Management
OWASP Documentation
Actions by GeneXus
GeneXus uses the session management mechanisms provided by the base language. Also, provides cipher mechanisms to
encrypt URL parameters
for the objects exposed and implements cipher mechanisms for the
AJAX querys and responses
.
The session with the AJAX authentication key expires on a configurable time lapse.
Actions by Developers
Verify that all objects accessible by HTTP/HTTPS receive ciphered parameters.
Security Scanner helps to detect this scenario with case codes #100, #105 & #107.
If GeneXus Evolution 1 is used, check the
Ajax Request Security
property is configured on High.
If GeneXus Evolution 2 is used, check the
Javascript Debug Mode
property is configured on No.
Security Scanner helps to detect this scenario with case code #106.
Configure properly the
On session Timeout
property.
Implement some re-authentication mechanism to use before sensitive operations.
Avoid the default names of the
cookies
utilized for session identifiers.
Security Scanner helps to detect this scenario with case code #116.
Avoid short session identifiers.
Use
cookies
that have configured the properties Secure, HTTP-Only, Domain and Path.
Security Scanner helps to detect this scenario with case code #116.
Destroy
the web session within the logout process.
Set the expiration time for the web session on the application server.
Page Id
39918
Anchor
Edit
—
Created: 5 July 2018 -
Last update: 10 August 2023
by
vdeambrosi
Next:
NextNode
Was this page helpful?
Your feedback about this content is important. Let us know what you think.
Sure!
No
Additional feedback?
comment
Thank you for your feedback!
Backlinks
See all
More from vdeambrosi
See all
Last update: February 2024 | © GeneXus. All rights reserved. GeneXus Powered by Globant
Ask here!