
SQL Injection

Actions by GeneXus

Actions by Developers

XML Injection

Actions by GeneXus

  • When the SDT's ToXML function is used, GeneXus encodes the entries.
  • When the XML is read/written manually, the XMLWriter and XMLReader functions encode/decode the entries and values accordingly.

Actions by Developers

JSON Injection

Actions by GeneXus

  • When the SDT's ToJSON function is used, GeneXus encodes the entries.

Actions by Developers

LDAP Injection

Actions by GeneXus

  • GeneXus sanitizes the characters used in the User and Password fields when it retrieves attributes through the LDAP Data Type.
  • The parameters of the GetAttribute function are structured so as to prevent injection and complex queries.

Actions by Developers

  • The developer doesn't have to take any action, but deploying over a secure channel is advised.

OS Injection

Actions by GeneXus

  • GeneXus doesn't take any specific actions.

Actions by Developers

  • If the Shell function is used, user input must be sanitized by using regular expressions, wrapping parameters in double quotes (" "), and/or encoding special characters.
    • Security Scanner helps to detect this scenario with case code #114.
  • Configuring minimum privileges for the application server is also recommended.

SMTP Injection

Actions by GeneXus

  • GeneXus implements all the Data Types needed to send e-mail messages in the SMTP Data Type.

Actions by Developers

  • The developer doesn't have to take any action, but adequate server hardening and a periodic log review are recommended.

Code Injection

Actions by GeneXus

  • GeneXus validates the inputs for dynamic class loading.

Actions by Developers

  • Validate Blob extensions against a whitelist.
    • Security Scanner helps to detect this scenario with case code #129.
  • Use dynamic class loading only when needed, and validate its inputs before execution.
    • Security Scanner helps to detect this scenario with case code #108.

Log Injection

Actions by GeneXus

  • GeneXus allows developers to modify the log through an external object. See Log external object. Valid for GeneXus 16 or later.
  • GeneXus allows generating application activity logs that contain user input information; see JDBC Log, Log file property, Log level property, and Log output property.
  • Another way to add information to the application activity logs is the Msg command. This command also writes to the stdout log file in Java applications running on Tomcat.

Actions by Developers

  • Avoid using unsanitized user input with the Msg command or the Log external object.
  • Developers must not alter the application flow at runtime using log information as input.
  • When the log is used, the developer must configure the log file, its size, and its backups on the server, and monitor it accordingly.
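As an added example (not GeneXus code), a small Java helper for a generated Java application that neutralizes line breaks and control characters in user input before the value is written with the Msg command or the Log external object; the class name, the length limit and the sample input are assumptions.

```java
import java.util.logging.Logger;

/**
 * Hypothetical helper (not part of GeneXus): call sanitize() on every
 * user-supplied value before it is passed to Msg or the Log external object,
 * so an attacker cannot forge extra log lines or hide entries.
 */
public final class LogSanitizer {
    private static final Logger LOG = Logger.getLogger(LogSanitizer.class.getName());
    private static final int MAX_LEN = 200; // assumed limit; stops oversized input from flooding the log

    /** Returns a single-line, printable version of input; null becomes the marker "<null>". */
    public static String sanitize(String input) {
        if (input == null) {
            return "<null>";
        }
        StringBuilder out = new StringBuilder(Math.min(input.length(), MAX_LEN));
        for (int i = 0; i < input.length() && out.length() < MAX_LEN; i++) {
            char c = input.charAt(i);
            if (c == '\r' || c == '\n') {
                out.append(' ');   // line breaks are what allow a forged "second" log line
            } else if (c < 0x20 || c == 0x7f) {
                out.append('?');   // other control chars (tab, ESC sequences) are masked
            } else {
                out.append(c);
            }
        }
        if (out.length() < input.length()) {
            out.append("...[truncated]");
        }
        return out.toString();
    }

    public static void main(String[] args) {
        // Constructed sample: a user name carrying an embedded CR/LF pair,
        // the pattern a log-injection attempt relies on.
        String userName = "alice\r\nINFO login succeeded for user admin";
        LOG.info("login failed for user " + sanitize(userName));
        // Written as one line: login failed for user alice  INFO login succeeded for user admin
    }
}
```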
Last update: April 2024 | © GeneXus. All rights reserved. GeneXus Powered by Globant