
This article describes inappropriate configurations that can impact the security of an application. Below you can find guidance on how to solve them.

Read more at: Security Misconfiguration - OWASP Documentation

Actions by GeneXus

  • GeneXus does not take any actions in the production environment.

Actions by Developers

  • Some GeneXus properties can disable controls. Inspect the property values manually before deploying.

  • Set the Javascript Debug Mode property to No.     

    • Security Scanner helps to detect this scenario with case code #106.    

  • Keep the server software up to date.

  • Avoid installing unnecessary functionalities on the server.

  • Set proper permissions on the application web directories. Check the permissions granted on the application Temp directories (see the Temp media directory and Blob local storage directory properties).

  • Grant the database user only the minimum permissions it needs.

  • Application server and framework hardening are recommended. Some secure deployment configurations can be found in: Configuration for secure deployment using GAM.

  • Change the default cipher keys. Random key generation is advised. 

  • Use different cipher keys for each application.

  • Do not leave any development or test credentials in the production environment.

  • Security Scanner - Detections:     

    • Communication: Check Http Protocol (#105), checking for variables of HttpResponse type (#109).    
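
One way to check the directory permissions item above before deploying to a POSIX server, as an added example that is not GeneXus code: it walks the web directory and the Temp directories and reports world-writable entries and executable files under a Temp directory. The two rules, the function names and the sample directory name are assumptions of this example; pass the paths your deployment actually uses.

```python
import os
import stat
import tempfile
from pathlib import Path


def iter_tree(root):
    """Yield root and everything below it, without following symlinked dirs."""
    yield root
    for current, dirs, files in os.walk(root):
        for name in dirs + files:
            yield Path(current, name)


def audit_permissions(web_root, temp_dirs=()):
    """Return sorted (path, finding) pairs for risky POSIX permission bits.

    web_root and temp_dirs are assumed inputs: the deployed web directory and
    the paths configured for the application's Temp directories.
    """
    temp_roots = [Path(d).resolve() for d in temp_dirs]
    findings = set()
    for root in [Path(web_root).resolve(), *temp_roots]:
        for path in iter_tree(root):
            mode = path.lstat().st_mode
            if stat.S_ISLNK(mode):
                continue  # a link's own mode bits say nothing about access
            if mode & stat.S_IWOTH:
                findings.add((str(path), "world-writable"))
            in_temp = any(t == path or t in path.parents for t in temp_roots)
            if in_temp and stat.S_ISREG(mode) and mode & 0o111:
                findings.add((str(path), "executable file in temp directory"))
    return sorted(findings)


if __name__ == "__main__":
    # Constructed sample tree; a real run would pass the deployment's paths.
    with tempfile.TemporaryDirectory() as base:
        web = Path(base, "webapp")
        temp = web / "temp_media"  # hypothetical Temp directory name
        temp.mkdir(parents=True)
        (temp / "upload.bin").write_bytes(b"constructed")
        (temp / "upload.bin").chmod(0o755)
        temp.chmod(0o777)
        for path, finding in audit_permissions(web, [temp]):
            print(f"{finding}: {path}")
```

An empty result means neither rule matched; it does not show that ownership or the web server's own account permissions are correct.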

XML External Entities (XXE)

XML External Entity Prevention Cheat Sheet

Actions by GeneXus

Actions by Developers

Security Scanner helps to detect this scenario with case code #133.    

Availability

Since GeneXus 18 upgrade 1.

Last update: February 2024