A5:2017 - Broken Access Control

Unofficial Content

Insecure direct object reference

Actions by GeneXus

  • GeneXus encrypts the parameters sent in the URL when the developer sets the Encrypt URL parameters property appropriately.
  • GAM verifies the authorization over the web objects.

Actions by Developers

  • Web object parameters must be encrypted.
    • Security Scanner helps to detect this scenario with case codes #100, #105 & #107.
  • Check that every object verifies authorization.
  • Change the parameter encryption key when deploying.

AJAX Requests

Actions by GeneXus

Actions by Developers

  • If GeneXus Evolution 1 is used, check that the Ajax Request Security property is set to High.
  • If GeneXus Evolution 2 is used, check that the Javascript Debug Mode property is set to No.
    • Security Scanner helps to detect this scenario with case code #106.
  • If a custom User Control is used, secure its AJAX requests manually.

Improper Temporary Files Generation and Path Traversal

Actions by GeneXus

Actions by Developers

  • Avoid storing sensitive data in intermediate files. Consider using the HTTPResponse Data Type to write and send the data directly instead. If intermediate files are unavoidable, verify that they are erased from the server after being sent.
  • Configure the application server with the minimum permissions required, and avoid exposing the Temp media directory and/or other temporary directories over HTTP/HTTPS.
  • Generate the files in an external directory and return them through a GeneXus Procedure that never receives a path and that performs an authorization check before retrieving the file. This GeneXus Procedure must receive an identifier that is associated with the file in a table on the server, so that no paths are ever returned to or accepted from the client.
  • Review how files are handled throughout the application.
    • Security Scanner helps to detect this scenario with case codes #111, #112 & #129.
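The file-serving pattern recommended above (client sends an opaque identifier; the server resolves the path from its own table and authorizes the caller before reading the file) is illustrated here in Python. This is an added example, not GeneXus code or part of the original page; the file table, the sample users and the temporary file store are constructed for the demonstration.

```python
import tempfile
from pathlib import Path

# Constructed store outside the web root, populated with two sample files.
BASE_DIR = Path(tempfile.mkdtemp(prefix="report-store-")).resolve()
(BASE_DIR / "a1.pdf").write_bytes(b"%PDF-1.4 report for alice")
(BASE_DIR / "b7.pdf").write_bytes(b"%PDF-1.4 report for bob")

# Constructed server-side table. The client only ever sees the numeric id;
# the path column never leaves the server.
FILE_TABLE = {
    1001: {"owner": "alice", "path": "a1.pdf"},
    1002: {"owner": "bob", "path": "b7.pdf"},
}


class AccessDenied(Exception):
    """Raised for an unknown, malformed or unauthorized file request."""


def parse_file_id(raw):
    """Accept only a plain integer identifier; anything path-like is rejected."""
    if not raw.isdigit():
        raise AccessDenied("malformed id")
    return int(raw)


def fetch_file(file_id, user):
    """Return the bytes of file_id if user is its owner; otherwise raise AccessDenied."""
    row = FILE_TABLE.get(file_id)
    if row is None:
        raise AccessDenied("unknown id")
    if row["owner"] != user:
        raise AccessDenied("not authorized")   # authorization decided before any disk I/O
    target = (BASE_DIR / row["path"]).resolve()
    if BASE_DIR not in target.parents:          # defense in depth against a bad table row
        raise AccessDenied("path outside store")
    return target.read_bytes()


def handle_request(raw_id, user):
    """What the download endpoint would do: parse the id, then fetch with authorization."""
    return fetch_file(parse_file_id(raw_id), user)


def is_allowed(raw_id, user):
    """True if handle_request would succeed for this id and user, False otherwise."""
    try:
        handle_request(raw_id, user)
        return True
    except AccessDenied:
        return False
```

Contrast with an endpoint that accepts a path: here a request like `../etc/passwd` is rejected at the parsing step, and a valid id still yields nothing unless the caller is the recorded owner.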

Leaving functions without access control

Actions by GeneXus

  • GeneXus validates data on the client side and validates it again on the server side.
  • GAM verifies the authorization over the web objects.

Actions by Developers

  • Check that every object verifies authorization, both for the object itself and for each of its events.
  • Check the access control over data that is exposed on the client side.