GeneXus Security Scanner Documentation

Unofficial Content

The Security Scanner extension scans and checks objects within a Knowledge Base, looking for potential security issues according to the OWASP Top 10 Security Risks.

For Xev1, extension version 2.0.0.0 is available to validate against the OWASP 2010 Top 10 Security Risks. For Xev2, use extension version 2.1.0.0 (or higher) to validate against the OWASP 2013 Top 10 Security Risks. You can find the documentation for previous versions here.

For v15, use extension version 3.5.0.0 (or higher) to validate against the OWASP Top 10 2017 Security Risks.

Using the tool is very easy, and this document explains how. You can also check the extension source code here.

Once the extension is installed, a new toolbar is added to the IDE:

[Image: security scanner option]

You can run the extension for all the Knowledge Base objects using the following window:

[Image: SecurityScannerScreenshot2018_v37]

or apply it to a list of objects using the "Security Scanner" Contextual Menu.

[Image: SecurityScannerContextualMenu]

Scan configuration

In the first area of the Security Scanner window, you can configure which Knowledge Base elements will be scanned.

  • Environment (rules #100 and #105)
  • Web Panels
  • Transactions
  • Procedures
  • Attributes
  • Domains

Rules configuration

Within this area, you configure which rules will be executed when an object is scanned.

Parameter encryption #100

Security Scanner analyzes the KB environment and objects to check whether their parameters are encrypted, that is, whether the Encrypt URL parameters property is set to "Session key" or "Site key".
If a <Parameter encryption> issue is found, Security Scanner shows the following message:

error: #100 in WebPanel1 >> Object parameters not encrypted

HTML format #101

Security Scanner analyzes attributes, variables and text blocks, checking whether their Format property has been set to "HTML" or "Raw HTML".
If an <HTML format> issue is found, Security Scanner shows a message like this:

error: #101 in WWCountry >> Variable CountryName allows HTML

Authorization #102

Security Scanner analyzes Web Panels and Transactions in the KB, checking whether they call an Authorization program (procedure). This rule does not apply to Master Pages and Web Components.
If an <Authorization> issue is found, Security Scanner shows a message like this:

error: #102 in WebPanel1 >> No authorization call found

When using Xev2, the Integrated Security Level property is checked instead (GeneXus Access Manager usage).

SQL Command #103

Security Scanner analyzes KB objects looking for SQL commands in their source.
If an <SQL Command> issue is found, Security Scanner shows a message like this:

error: #103 in Command >> SQL Command found in source

e.g.: SQL UPDATE UserInfo SET UserWelcomeMessage='[!&UserWelcomeMessage!]' WHERE UserId=[!&UserId!]

Link Command #104

Security Scanner analyzes KB objects to check whether there is a dynamic Link command without parameters.
If a <Link command> issue is found, Security Scanner shows a message like this:

error: #104 in WWCountry >> Parameterless LINK command found

e.g.: Link(&SomeWebPanel)

Http Protocol #105

Security Scanner analyzes the KB environment and Web Panels, checking whether the HTTPS protocol has been specified. This means checking whether the Protocol specification property has been set to "Secure (HTTPS)".
If an <Http protocol> issue is found, Security Scanner shows a message like this:

error: #105 in WebPanel1 >> Http protocol is not Secure

If a <Do not specify> issue is found, Security Scanner shows a message like this:

warning: #105 in WebPanel1 >> Protocol specification property is set to 'Do not specify.' HTTP protocol is not Secure

Ajax Request Security #106 in Xev1

Security Scanner analyzes the KB environment and objects, checking whether security for Ajax calls has been set to High. This means checking whether the Ajax requests security property has been set to "High".
If an <Ajax request security> issue is found, Security Scanner shows a message like this:

error: #106 in WebPanel1 >> Ajax request security is not High

Javascript Debug Mode #106 in Xev2

Security Scanner analyzes the Javascript debug mode property at generator level; when it is enabled, the following message is displayed:

error: #106 in Generator >> Javascript Debug Mode is enabled

Web Components URL Access #107

Security Scanner analyzes KB objects set as Web Components, checking whether URL Access has been enabled for them. This means checking whether the URL Access property has been set to "Yes".
If a <WC URL Access> issue is found, Security Scanner shows a message like this:

error: #107 in WebPanel1 >> Web Components with URL Access enabled

C#, Java, Ruby native code usage #108

Security Scanner analyzes the source section of KB objects, checking for the java or csharp command.
The following message is displayed:

error: #108 in NativeCodeObjectSample >> Native Code usage found in source

HttpResponse data type usage #109

Security Scanner analyzes the variables section of KB objects, checking for HttpResponse data type usage.
The following message is displayed:

error: #109 in WebPanelSample >> HttpResponse Data Type usage in variables
#109: Name 'response' Type 'HttpResponse'

LDAPClient GetAttribute method usage #110

Security Scanner analyzes the source section of KB objects, checking for usage of the LDAPClient data type's GetAttribute method.
The following message is displayed:

error: #110 in ProcedureSample >> LDAPClient GetAttribute method used in source

Directory data type usage #111

Security Scanner analyzes the variables section of KB objects, checking for Directory data type usage.
The following message is displayed:

error: #111 in WebPanelSample >> Directory Data Type usage in variables
#111: Name 'd01' Type 'Directory'

File data type usage #112

Security Scanner analyzes the variables section of KB objects, checking for File data type usage.
The following message is displayed:

error: #112 in WebPanelSample >> File Data Type usage in variables
#112: Name 'f01' Type 'File'

XMLReader ValidationType property usage #113

Security Scanner analyzes the source section of KB objects, checking whether the XMLReader data type's ValidationType property is used; when it is not, the following message is displayed:

error: #113 in ProcedureSample >> XMLReader ValidationType property not used in source

Shell function #114

Security Scanner analyzes the source section of KB objects, checking for Shell function usage.
The following message is displayed:

error: #114 in ProcedureSample >> Shell function found in source

Random function #115

Security Scanner analyzes the source section of KB objects, checking for Random function usage.
The following message is displayed:

error: #115 in ProcedureSample >> Random function found in source

SetCookie function #116

Security Scanner analyzes the source section of KB objects, checking for SetCookie function usage.
The following message is displayed:

error: #116 in ProcedureSample >> SetCookie function found in source

Whenever possible, use the Cookie data type and enable its HttpOnly property.

Form.HeaderRawHTML property #117

Security Scanner analyzes the source section of Web Panels and Transactions, checking for Form.HeaderRawHTML property usage.
The following message is displayed:

error: #117 in WebPanelSample >> Form.HeaderRawHTML property found in source

Form.JScriptSrc property #118

Security Scanner analyzes the source section of Web Panels and Transactions, checking for Form.JScriptSrc property usage.
The following message is displayed:

error: #118 in WebPanelSample >> Form.JScriptSrc property found in source

IsPassword property #119

Security Scanner analyzes the Web Form, source and rules sections of Web Panels and Transactions, checking for IsPassword property usage.
The following message is displayed:

error: #119 in WebPanelSample >> IsPassword Property enabled in WebForm
error: #119 in WebPanelSample >> IsPassword property found in source
error: #119 in WebPanelSample >> IsPassword property found in rules

External Object usage #120

Security Scanner analyzes the variables section of KB objects, checking for External Object usage.
The following message is displayed:

error: #120 in ProcedureSample >> External Object usage in variables
#120: Name 'myMD5' Type 'md5'

For Xev2, GAM and GXflow External Objects are excluded.

User Control usage #121

Security Scanner analyzes the Web Form section of Web Panels and Transactions, checking for User Control usage.
The following message is displayed:

error: #121 in WebPanelSample >> UserControl detected in WebForm
#121: Name 'HistoryManager' Type 'HistoryManager'

Cookie data type usage #124

Security Scanner analyzes the variables section of KB objects, checking for Cookie data type usage.
The following message is displayed:

error: #124 in ObjectSample >> Cookie Data Type usage in variables

Whenever possible, enable the cookie's HttpOnly property.

XmlWriter WriteRawText method usage #125

Security Scanner analyzes the source section of KB objects, checking for usage of the XMLWriter WriteRawText method.
The following message is displayed:

error: #125 in ProcedureSample >> XMLWriter WriteRawText method used in source

SDT.FromXml() pattern usage (#126)

Security Scanner analyzes the source section of KB objects, checking for usage of the FromXml method.
The following message is displayed:

error: #126 in WebPanel1 >> SDT.FromXml() pattern detected in source

SDT.FromJson() pattern usage (#127)

Security Scanner analyzes the source section of KB objects, checking for usage of the FromJson method.
The following message is displayed:

error: #127 in WebPanel1 >> SDT.FromJson() pattern detected in source

XMLReader ReadRawXML method usage (#128)

Security Scanner analyzes the source section of KB objects, checking for usage of the XMLReader data type's ReadRawXML method.
The following message is displayed:

error: #128 in WebPanel1 >> XMLReader ReadRawXML method used in source

Blob usage (#129)

Security Scanner analyzes the variables section of KB objects, checking for Blob data type usage.
The following message is displayed:

error: #129 in WebPanel1 >> Blob usage detected in object WebPanel1

JSEvent usage (#130)

Security Scanner analyzes the source section of KB objects, checking for usage of the JSEvent method.
The following message is displayed:

error: #130 in WebPanel1 >> JSEvent usage found in source

SoapHeaderRaw (#131)

Security Scanner analyzes the source section of KB objects, checking for usage of the nonstandard SoapHeaderRaw function.
The following message is displayed:

error: #131 in WebPanel1 >> soapHeaderRaw usage found in source

PathToURL usage (#132)

Security Scanner analyzes the source section of KB objects, checking for usage of the PathToURL function.
The following message is displayed:

error: #132 in WebPanel1 >> pathToUrl usage found in source

XMLReader ReadExternalEntities (#133)

Security Scanner analyzes the source section of KB objects, checking for usage of the XMLReader data type's ReadExternalEntities property.
The following message is displayed:

error: #133 >> XMLReader ReadExternalEntities property is used in source

SDT.FromXmlFile() pattern usage (#134)

Security Scanner analyzes the source section of KB objects, checking for usage of the FromXmlFile method.
The following message is displayed:

error: #134 in WebPanel1 >> SDT.FromXmlFile() pattern detected in source

SDT.FromJsonFile() pattern usage (#135)

Security Scanner analyzes the source section of KB objects, checking for usage of the FromJsonFile method.
The following message is displayed:

error: #135 in WebPanel1 >> SDT.FromJsonFile() pattern detected in source
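The source-section rules above (#103, #104, #114, #115, #116 and #126) are all pattern matches over an object's source text that produce messages in the "error: #<rule> in <object> >> <message>" format shown on this page. The following is an added illustration of that detection logic over constructed GeneXus-style source lines; it is not the extension's own code, and the sample object names and lines are made up.

```python
import re

# Constructed sample: object name -> source lines (not from a real Knowledge Base).
SAMPLE_SOURCE = {
    "Command": [
        "SQL UPDATE UserInfo SET UserWelcomeMessage='[!&UserWelcomeMessage!]' WHERE UserId=[!&UserId!]",
    ],
    "WWCountry": [
        "Link(&SomeWebPanel)",              # dynamic Link without parameters -> #104
        "Link(&SomeWebPanel, &CountryId)",  # has a parameter -> not reported
    ],
    "ProcedureSample": [
        "Shell('ls -la')",                  # #114
        "&Token = Random()",                # #115: not a CSPRNG, unsuitable for tokens
        "SetCookie('session', &SessionId)", # #116: prefer the Cookie data type with HttpOnly
    ],
    "WebPanel1": [
        "&Customer.FromXml(&RawXml)",       # #126: XML taken from an untrusted source
    ],
}

# Rule table: (rule id, compiled pattern, message text as printed by the extension).
SOURCE_RULES = [
    (103, re.compile(r"^\s*SQL\b", re.IGNORECASE), "SQL Command found in source"),
    (104, re.compile(r"\bLink\(\s*&\w+\s*\)", re.IGNORECASE), "Parameterless LINK command found"),
    (114, re.compile(r"\bShell\(", re.IGNORECASE), "Shell function found in source"),
    (115, re.compile(r"\bRandom\(", re.IGNORECASE), "Random function found in source"),
    (116, re.compile(r"\bSetCookie\(", re.IGNORECASE), "SetCookie function found in source"),
    (126, re.compile(r"\.FromXml\(", re.IGNORECASE), "SDT.FromXml() pattern detected in source"),
]


def scan_source(objects):
    """Run every source rule over every line of every object.

    Returns the findings as strings in the extension's output format.
    """
    findings = []
    for name, lines in objects.items():
        for line in lines:
            for rule_id, pattern, message in SOURCE_RULES:
                if pattern.search(line):
                    findings.append(f"error: #{rule_id} in {name} >> {message}")
    return findings


if __name__ == "__main__":
    for finding in scan_source(SAMPLE_SOURCE):
        print(finding)
```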

Output Configuration

Only output objects with warning messages

The extension output only displays information when one of the selected objects matches one of the applied rules.

Do not show errors when using Environment value

Use the "Do not show errors when using Environment value" check option to avoid messages when scanning an object whose possible problem is caused by taking a property value from the Environment (applies to rules #100 and #105).

For example, if the Encrypt Parameters Environment property is set to No, the following message is displayed for the environment:

error: #100 in WebPanel1 >> Object parameters not encrypted

And for those objects (web panels and transactions) whose Encrypt Parameters property is set to Use environment value:

  • If the "Do not show errors …" checkbox is checked, nothing is displayed.
  • If the "Do not show errors …" checkbox is not checked, the following is displayed: error: #100 in WebPanel1 >> Object parameters not encrypted (using Environment value)
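Rules #100 and #105 differ from the source rules in that an object's property can inherit its value from the Environment, and the checkbox above decides whether inherited problems are reported. The following added example (not the extension's own code) models that resolution for both rules; the "Environment" object name used for the environment-level message and the treatment of an inherited "Do not specify" value as a warning are assumptions, and the sample objects are constructed.

```python
USE_ENV = "Use environment value"

# Rule table (constructed): rule id -> (secure values, error text, warning value, warning text).
ENV_RULES = {
    100: ({"Session key", "Site key"}, "Object parameters not encrypted", None, None),
    105: ({"Secure (HTTPS)"}, "Http protocol is not Secure", "Do not specify",
          "Protocol specification property is set to 'Do not specify.' HTTP protocol is not Secure"),
}

# Constructed sample objects: name -> value of the object's own property.
SAMPLE_OBJECTS = {
    "WebPanel1": USE_ENV,       # inherits from the Environment
    "WebPanel2": "Site key",    # secure on its own
    "Transaction1": "No",       # insecure regardless of the Environment
}


def classify(rule_id, value):
    """Return (severity, message) for a resolved property value, or None if it is secure."""
    secure, error_text, warning_value, warning_text = ENV_RULES[rule_id]
    if value in secure:
        return None
    if warning_value is not None and value == warning_value:
        return ("warning", warning_text)
    return ("error", error_text)


def scan_env_rule(rule_id, env_value, objects, hide_env_errors=False):
    """Check the Environment value, then each object after resolving inheritance.

    hide_env_errors mirrors the "Do not show errors when using Environment value" option:
    objects whose problem comes only from the inherited Environment value are skipped.
    """
    findings = []
    env_result = classify(rule_id, env_value)
    if env_result:
        findings.append(f"{env_result[0]}: #{rule_id} in Environment >> {env_result[1]}")
    for name, value in objects.items():
        inherited = value == USE_ENV
        result = classify(rule_id, env_value if inherited else value)
        if result is None or (inherited and hide_env_errors):
            continue
        suffix = " (using Environment value)" if inherited else ""
        findings.append(f"{result[0]}: #{rule_id} in {name} >> {result[1]}{suffix}")
    return findings
```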

Output checksum information

Calculates a checksum of each object so that a later scan can verify whether the object changed.

Output last scan information

Compares the checksums and indicates whether each object changed since the last scan.

Excel file

Generates an Excel file with the output of the extension run.