Managing OWASP Top 10 2017 in GeneXus Applications
A1: 2017 - Injection
OWASP Documentation
Injection Prevention Cheat Sheet (OWASP)
SQL Injection
OWASP Documentation
Actions by GeneXus
GeneXus generates parameterized SQL queries.
Actions by Developers
Avoid the use of the SQL Command. Security Scanner helps to detect this scenario with case code #103.
Use an External Object with a Stored Procedure instead of the SQL Command.
Use DBRet to generate a Data View object for adding tables to the model.
If the use of the SQL Command is unavoidable, the use of OWASP ESAPI to sanitize end users' entries is recommended as a last resort; keeping user input out of the SQL text altogether (parameters) remains the effective control.
In case of using an External Object, the developer will need to review its source code manually. Security Scanner helps to detect this scenario with case code #120.
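The difference between the query GeneXus generates and a concatenated SQL Command, as an added example that is not GeneXus code or code from this page. GeneXus emits Java or .NET, so this standalone Python script (in-memory SQLite, constructed sample rows) illustrates the technique rather than GeneXus syntax; the table, the user names and the payload are all assumptions made for the demo.

```python
"""Added example (not GeneXus code): a concatenated SQL Command versus a
parameterized query, run against an in-memory SQLite database."""
import sqlite3


def make_db() -> sqlite3.Connection:
    # Constructed sample data for the demo.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "admin"), ("bob", "user"), ("carol", "user")],
    )
    return conn


def lookup_concatenated(conn: sqlite3.Connection, name: str) -> list[str]:
    """Vulnerable: the user-controlled value becomes part of the SQL text,
    which is what a hand-built SQL Command does."""
    sql = "SELECT name FROM users WHERE name = '" + name + "'"
    return [row[0] for row in conn.execute(sql)]


def lookup_parameterized(conn: sqlite3.Connection, name: str) -> list[str]:
    """Hardened: the value travels as a bound parameter and is never parsed
    as SQL, which is what GeneXus-generated data access does."""
    sql = "SELECT name FROM users WHERE name = ?"
    return [row[0] for row in conn.execute(sql, (name,))]


# Constructed attacker input: closes the string literal and appends a
# tautology so the WHERE clause matches every row.
PAYLOAD = "x' OR '1'='1"

if __name__ == "__main__":
    db = make_db()
    print("concatenated :", lookup_concatenated(db, PAYLOAD))   # all three users leak
    print("parameterized:", lookup_parameterized(db, PAYLOAD))  # no row is named that
```

The parameterized version needs no sanitizing at all: the driver sends the payload as data, so `'` and `OR` have no meaning. Escaping the value (the ESAPI fallback mentioned above) only approximates this and is easy to get wrong for numeric or identifier positions.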
XML Injection
OWASP Documentation
Actions by GeneXus
When the SDT's ToXML function is used, GeneXus encodes the entries.
When XML is read or written manually, the XMLWriter and XMLReader functions encode and decode the entries and values accordingly.
Actions by Developers
Sanitize users' entries if they are concatenated into an XML document that is then loaded with the FromXML function. Security Scanner helps to detect this scenario with case code #126.
If the WriteRawText function of XMLWriter is used, the developer must sanitize users' entries, since WriteRawText writes them as markup rather than as text. Security Scanner helps to detect this scenario with case code #128.
In both cases the use of System.Security.SecurityElement.Escape from the .NET Framework or org.owasp.esapi.Encoder.encodeForXML from ESAPI for Java is advised.
Use the ValidationType property to validate the XML format. Security Scanner helps to detect this scenario with case code #113.
JSON Injection
OWASP Documentation
Actions by GeneXus
When the SDT's ToJSON function is used, GeneXus encodes the entries.
Actions by Developers
Sanitize users' entries if they are concatenated into a JSON document that is then loaded with the FromJSON function. Security Scanner helps to detect this scenario with case code #127.
The use of System.Web.Script.Serialization.JavaScriptSerializer.Serialize from the .NET Framework or org.owasp.esapi.Encoder.encodeForJavaScript from ESAPI for Java is advised.
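What goes wrong when user input is concatenated into XML (the FromXML and WriteRawText cases above) and into JSON (the FromJSON case), and what the encoder-based fix changes, as one added example covering both sections. This is not GeneXus code or code from this page: the .NET and ESAPI encoders named above are not available in a standalone script, so the Python standard library's `xml.sax.saxutils.escape` and `json.dumps` stand in for them; the Customer structure and both payloads are constructed for the demo.

```python
"""Added example (not GeneXus code): XML and JSON injection through string
concatenation, beside the encoder-based fix, with a consumer's view of each
document so the effect is visible."""
import json
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape


# ---- XML ---------------------------------------------------------------
def customer_xml_concat(name: str) -> str:
    """Vulnerable: raw input becomes markup (what WriteRawText does)."""
    return "<Customer><Name>" + name + "</Name><Role>user</Role></Customer>"


def customer_xml_escaped(name: str) -> str:
    """Hardened: &, < and > are escaped, so the value can only ever be text."""
    return "<Customer><Name>" + escape(name) + "</Name><Role>user</Role></Customer>"


def roles_in(xml_doc: str) -> list[str]:
    """What a consumer such as FromXML sees: every <Role> element, in order."""
    return [r.text for r in ET.fromstring(xml_doc).iter("Role")]


# ---- JSON --------------------------------------------------------------
def customer_json_concat(name: str) -> str:
    """Vulnerable: raw input is pasted inside a JSON string literal."""
    return '{"role": "user", "name": "' + name + '"}'


def customer_json_encoded(name: str) -> str:
    """Hardened: the value is serialized, so quotes and braces are escaped."""
    return json.dumps({"role": "user", "name": name})


def json_view(json_doc: str) -> dict:
    """What a consumer such as FromJSON sees after parsing."""
    return json.loads(json_doc)


# Constructed attacker inputs. Each closes the current value and injects
# a second, attacker-controlled Role field.
XML_PAYLOAD = "eve</Name><Role>admin</Role><Name>"
JSON_PAYLOAD = 'eve", "role": "admin'

if __name__ == "__main__":
    print(roles_in(customer_xml_concat(XML_PAYLOAD)))          # ['admin', 'user']
    print(roles_in(customer_xml_escaped(XML_PAYLOAD)))         # ['user']
    print(json_view(customer_json_concat(JSON_PAYLOAD))["role"])   # admin
    print(json_view(customer_json_encoded(JSON_PAYLOAD))["role"])  # user
```

Two caveats a practitioner will hit: `escape` covers element text only, so a value placed in an attribute also needs `"` escaped (`escape(value, {'"': "&quot;"})`); and the JSON case works because this parser keeps the last duplicate key, which other parsers may not, so the forged document's meaning depends on which component reads it. Serializing the whole object removes both questions.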
LDAP Injection
OWASP Documentation
Actions by GeneXus
GeneXus sanitizes the characters used in the User and Password fields when it gets the attributes from the LDAP Data Type.
The attributes of the GetAttribute function are structured to prevent injections and complex queries.
Actions by Developers
The developer doesn't have to take any action, but deploying over a secure channel is advised.
OS Injection
OWASP Documentation
Actions by GeneXus
GeneXus doesn't take any specific action.
Actions by Developers
If the Shell function is used, users' entries must be sanitized: validate them against a regular expression that allows only the expected characters, wrap parameters in quotes, and/or encode special characters. Of these, the allowlist is the control to rely on; quoting alone fails as soon as the input can contain the quote character. Security Scanner helps to detect this scenario with case code #114.
Configuring minimum privileges for the account the application server runs under is also recommended, so that a successful injection is limited in what it can do.
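The three defenses listed above for the Shell function, shown side by side against one payload, as an added example that is not GeneXus code or code from this page. `subprocess` stands in for the Shell function; the `printf` command, the file-name alphabet and the payload are constructed for the demo, and the script assumes a POSIX shell is available.

```python
"""Added example (not GeneXus code): an OS command built from user input,
in a vulnerable form and in the three hardened forms the page lists."""
import re
import shlex
import subprocess

# Allowlist: a file-name argument may only look like this (no leading dot,
# so ".." and hidden files are rejected; no slash, so no path traversal).
SAFE_NAME = re.compile(r"^[A-Za-z0-9_][A-Za-z0-9_.-]{0,63}$")


def shell_command_vulnerable(filename: str) -> str:
    """Vulnerable: the value is spliced into a string that /bin/sh parses."""
    return "printf '%s\\n' " + filename


def shell_command_quoted(filename: str) -> str:
    """Hardened (quoting): shlex.quote makes the shell see exactly one word."""
    return "printf '%s\\n' " + shlex.quote(filename)


def is_safe_name(filename: str) -> bool:
    """Hardened (allowlist): accept only the expected alphabet and length."""
    return SAFE_NAME.fullmatch(filename) is not None


def run_via_shell(command: str) -> str:
    """Runs a command string through the shell, like a Shell function call."""
    return subprocess.run(command, shell=True, capture_output=True, text=True).stdout


def run_without_shell(filename: str) -> str:
    """Hardened (no shell): an argv list, so nothing is parsed as shell syntax."""
    return subprocess.run(["printf", "%s\n", filename],
                          capture_output=True, text=True).stdout


PAYLOAD = "report.txt; echo INJECTED"   # constructed attacker input

if __name__ == "__main__":
    print(run_via_shell(shell_command_vulnerable(PAYLOAD)), end="")  # runs echo too
    print(run_via_shell(shell_command_quoted(PAYLOAD)), end="")      # prints the payload
    print(run_without_shell(PAYLOAD), end="")                        # prints the payload
    print(is_safe_name("report.txt"), is_safe_name(PAYLOAD))         # True False
```

Where the platform offers it, the argv form is the strongest of the three because there is no shell to inject into; the allowlist is still worth keeping in front of it, since it also stops arguments that the invoked program itself would misinterpret (for example a value starting with `-`).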
SMTP Injection
OWASP Documentation
Actions by GeneXus
GeneXus implements all the Data Types needed to send e-mail messages in the SMTP Data Type.
Actions by Developers
The developer doesn't have to take any action, but adequate server hardening and a periodic log review are recommended.
Code Injection
OWASP Documentation
Actions by GeneXus
GeneXus validates the inputs for dynamic class loading.
Actions by Developers
Validate Blob extensions by whitelisting. Security Scanner helps to detect this scenario with case code #129.
Use dynamic class loading only if needed, and validate the inputs before execution. Security Scanner helps to detect this scenario with case code #108.
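An extension allowlist for uploaded Blobs that survives the usual bypasses, as an added example that is not GeneXus code or code from this page. Standalone Python; the allowed set and the sample names are constructed for the demo, and the server-side renaming step is one common design choice, not something the page prescribes.

```python
"""Added example (not GeneXus code): allowlist validation of an uploaded
file's extension, plus a server-chosen stored name so that no part of the
client-supplied name reaches the filesystem or a URL."""
import os
import unicodedata
import uuid
from typing import Optional

ALLOWED_EXTENSIONS = frozenset({"png", "jpg", "jpeg", "pdf"})   # constructed


def safe_extension(filename: str) -> Optional[str]:
    """Return the lower-case extension if the name passes the allowlist, else None.

    Handles the bypasses that defeat a naive endswith() check: a NUL byte
    that truncates the name in a C-based consumer ("shell.jsp\\0.png"),
    directory components, a trailing dot or space that Windows strips,
    mixed case, and Unicode look-alike characters.
    """
    if not filename or "\x00" in filename:
        return None
    base = os.path.basename(filename.replace("\\", "/"))   # client-claimed name only
    base = unicodedata.normalize("NFKC", base).rstrip(". ")
    root, ext = os.path.splitext(base)
    if not root or not ext:                 # ".png" or "passwd" are rejected
        return None
    ext = ext[1:].lower()
    return ext if ext in ALLOWED_EXTENSIONS else None


def stored_name(filename: str) -> Optional[str]:
    """Random stem plus the validated extension. Because the original stem is
    discarded, a double extension such as "shell.php.jpg" cannot survive as
    anything but <random>.jpg on disk."""
    ext = safe_extension(filename)
    return None if ext is None else f"{uuid.uuid4().hex}.{ext}"


if __name__ == "__main__":
    for name in ["photo.PNG", "my.report.pdf", "report.pdf.", "shell.jsp\x00.png",
                 "shell.jsp", "../../etc/passwd", ".png", "C:\\uploads\\evil.exe"]:
        print(f"{name!r:28} -> {stored_name(name)}")
```

Extension checks decide where a file may be stored, not what it is: a consumer that sniffs content (an image library, a browser) can still treat a `.jpg` as something else, so in a real upload handler this sits alongside a content-type check and storage outside any executable or web-served directory.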
Log Injection
OWASP Documentation
Actions by GeneXus
GeneXus allows developers to write to the log through an external object; see Log external object. Valid for GeneXus 16 or upper.
GeneXus allows generating application activity logs that contain user input; see JDBC Log, Log file property, Log level property and Log output property.
Another way to add information to the application activity logs is the Msg command. This command also writes to the stdout log file on Java applications running on Tomcat.
Actions by Developers
It is recommended to avoid writing unsanitized user input when the Msg command or the Log external object is used; in particular, line breaks in the input let an attacker forge complete log records.
Developers must not alter the application flow using log information as input at runtime.
The developer must configure the log file, its size and its backups on the server when logging is used, and take monitoring actions accordingly.
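How an unsanitized value forges a log record, and a neutralizer to apply to user-controlled text before handing it to the Msg command or the Log external object, as an added example that is not GeneXus code or code from this page. Standalone Python; the record format and the payload are constructed for the demo.

```python
"""Added example (not GeneXus code): log injection through a user name
containing a line break, and a neutralizer that keeps one input inside one
log record."""
import re

# C0 and C1 control characters (CR, LF, ESC, TAB, NUL, DEL, ...) plus the
# Unicode line and paragraph separators that some viewers treat as newlines.
_CONTROL = re.compile(r"[\x00-\x1f\x7f-\x9f\u2028\u2029]")


def neutralize(value: str, max_len: int = 200) -> str:
    """Replace control characters with a visible \\xNN escape and cap the length.

    CR/LF are what lets an attacker start a fake record; ESC lets them plant
    terminal escape sequences for whoever tails the log. The cap keeps one
    request from filling the file the page says must be size-managed.
    """
    def esc(m: re.Match) -> str:
        return "\\x{:02x}".format(ord(m.group(0)))
    out = _CONTROL.sub(esc, value)
    return out if len(out) <= max_len else out[:max_len] + "...[truncated]"


def login_line(user: str, ok: bool) -> str:
    """Vulnerable writer: the user name is dropped in as received."""
    return f"LOGIN result={'OK' if ok else 'FAIL'} user={user}"


def login_line_safe(user: str, ok: bool) -> str:
    """Hardened writer: the same record, with the input neutralized first."""
    return f"LOGIN result={'OK' if ok else 'FAIL'} user={neutralize(user)}"


def records(lines: list[str]) -> list[str]:
    """What a line-oriented consumer (tail, a SIEM) sees: one record per line."""
    return "\n".join(lines).split("\n")


# Constructed attacker input: a failed login whose user name contains a
# complete, successful-looking admin login on its own line.
PAYLOAD = "guest\nLOGIN result=OK user=admin"

if __name__ == "__main__":
    print(records([login_line(PAYLOAD, False)]))        # two records, one forged
    print(records([login_line_safe(PAYLOAD, False)]))   # one record, break visible
```

Neutralizing is the complement of the rule above about not feeding log content back into the application: it keeps the record honest for the people and tools reading it, while the rule keeps the log from becoming an input channel.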
Created: 5 July 2018 - Last update: 4 March 2021 by manuelrod