Managing OWASP Top 10 2017 in GeneXus Applications
A3:2017 - Sensitive Data Exposure
OWASP Documentation
Actions by GeneXus
GeneXus does not cipher sensitive data by itself.
Actions by Developers
If a shared secret is needed, it must be hashed before being saved to a file or database.
Store a salted hash of the sensitive value rather than the value itself.
Use a secure hash function; SHA-2 (SHA-256 or SHA-512) is recommended.
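The following is an added example, not code from the GeneXus wiki or the GeneXus product. It shows the salted-hash pattern the three points above describe in Go (chosen because its standard library carries the primitives; a GeneXus application would do the same through its generated Java or .NET code): a 128-bit random salt per secret, SHA-256 over salt and secret, and a constant-time comparison when the secret is presented again. The secret value and the "salt:digest" record layout are constructed for the example.

```go
package main

import (
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"encoding/hex"
	"fmt"
	"strings"
)

// saltLen is the size of the random salt prepended to each secret (128 bits).
const saltLen = 16

// hashWithSalt returns the stored form "salt:digest", both hex encoded, where
// digest = SHA-256(salt || secret).
func hashWithSalt(salt []byte, secret string) string {
	h := sha256.New()
	h.Write(salt)
	h.Write([]byte(secret))
	return hex.EncodeToString(salt) + ":" + hex.EncodeToString(h.Sum(nil))
}

// HashSecret generates a fresh random salt and returns the record to persist.
// Because the salt is new on every call, two equal secrets produce different
// records, which defeats precomputed (rainbow table) lookups.
func HashSecret(secret string) (string, error) {
	salt := make([]byte, saltLen)
	if _, err := rand.Read(salt); err != nil {
		return "", err
	}
	return hashWithSalt(salt, secret), nil
}

// VerifySecret recomputes the digest from the salt in the stored record and
// compares in constant time, so response timing does not reveal how many
// leading bytes of the digest matched.
func VerifySecret(stored, candidate string) bool {
	parts := strings.SplitN(stored, ":", 2)
	if len(parts) != 2 {
		return false
	}
	salt, err := hex.DecodeString(parts[0])
	if err != nil || len(salt) != saltLen {
		return false
	}
	recomputed := hashWithSalt(salt, candidate)
	return subtle.ConstantTimeCompare([]byte(recomputed), []byte(stored)) == 1
}

func main() {
	secret := "s3cret-api-key" // constructed sample; never log the real value
	record, err := HashSecret(secret)
	if err != nil {
		panic(err)
	}
	fmt.Println("record to store:", record)
	fmt.Println("correct secret accepted:", VerifySecret(record, secret))
	fmt.Println("wrong secret accepted:  ", VerifySecret(record, "guess"))
}
```

For secrets that users choose themselves (passwords), a deliberately slow, iterated construction such as PBKDF2 or bcrypt on top of the same salting discipline raises the cost of offline guessing further than a single SHA-256 pass.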
Cipher the data at the application layer.
Cipher the cipher key as well; the GeneXus Site Key can be used for this purpose. AES with 128- or 256-bit keys is recommended.
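An added example of the two previous points, again in Go and not code from GeneXus or the wiki: each record is encrypted under its own random AES-256 data key, and that data key is itself encrypted ("wrapped") under a site-wide key, so the stored row holds no usable key material. The `siteKey` variable stands in for the GeneXus Site Key the text refers to; the record layout, the associated-data labels and the sample card number are all constructed for this example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// EncryptedRecord is what gets persisted. Neither field is useful without the
// site key: WrappedKey is the per-record data key encrypted under the site key,
// Ciphertext is the data encrypted under that data key.
type EncryptedRecord struct {
	WrappedKey []byte // nonce || AES-GCM(siteKey, dataKey)
	Ciphertext []byte // nonce || AES-GCM(dataKey, plaintext)
}

// sealGCM encrypts with AES-GCM and returns nonce || ciphertext || tag.
func sealGCM(key, plaintext, aad []byte) ([]byte, error) {
	block, err := aes.NewCipher(key) // a 32-byte key selects AES-256
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, aad), nil
}

// openGCM reverses sealGCM; any modification of the blob fails authentication.
func openGCM(key, blob, aad []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(blob) < gcm.NonceSize() {
		return nil, errors.New("ciphertext too short")
	}
	return gcm.Open(nil, blob[:gcm.NonceSize()], blob[gcm.NonceSize():], aad)
}

// Encrypt draws a fresh 256-bit data key per record, encrypts the data under
// it, then wraps the data key under siteKey. The plaintext data key exists
// only in memory for the duration of the call.
func Encrypt(siteKey, plaintext []byte) (EncryptedRecord, error) {
	dataKey := make([]byte, 32)
	if _, err := rand.Read(dataKey); err != nil {
		return EncryptedRecord{}, err
	}
	ct, err := sealGCM(dataKey, plaintext, []byte("record-v1"))
	if err != nil {
		return EncryptedRecord{}, err
	}
	wrapped, err := sealGCM(siteKey, dataKey, []byte("data-key-v1"))
	if err != nil {
		return EncryptedRecord{}, err
	}
	return EncryptedRecord{WrappedKey: wrapped, Ciphertext: ct}, nil
}

// Decrypt unwraps the data key with the site key and then opens the data.
func Decrypt(siteKey []byte, rec EncryptedRecord) ([]byte, error) {
	dataKey, err := openGCM(siteKey, rec.WrappedKey, []byte("data-key-v1"))
	if err != nil {
		return nil, fmt.Errorf("unwrap data key: %w", err)
	}
	return openGCM(dataKey, rec.Ciphertext, []byte("record-v1"))
}

func main() {
	// Stand-in for the GeneXus Site Key; in a deployment it comes from the
	// application's key configuration, never from source code.
	siteKey := make([]byte, 32)
	if _, err := rand.Read(siteKey); err != nil {
		panic(err)
	}
	rec, err := Encrypt(siteKey, []byte("4111 1111 1111 1111")) // constructed sample
	if err != nil {
		panic(err)
	}
	back, err := Decrypt(siteKey, rec)
	fmt.Printf("wrapped key %d bytes, ciphertext %d bytes, roundtrip=%q err=%v\n",
		len(rec.WrappedKey), len(rec.Ciphertext), back, err)
}
```

Rotating the site key then means re-wrapping the small data keys, not re-encrypting every record, and a leaked database backup without the site key yields neither the data nor the keys.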
Avoid storing sensitive data in logs. If it is unavoidable, the sensitive data must be masked.
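An added example of the masking the point above requires, written in Go and not taken from the wiki or from GeneXus: lines are passed through a redaction step before they are written, so password-like fields, card-number-like digit runs and e-mail addresses never reach the log in clear. The field names, the patterns and the sample log lines are constructed for the example and should be extended with the application's own vocabulary.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// Patterns for values that must never reach a log in clear. The field names
// are constructed for this example; extend them with the application's own.
var (
	// key=value or key: value where the key names a secret; the value is dropped.
	secretField = regexp.MustCompile(`(?i)\b(password|passwd|pwd|token|secret|apikey|api_key)(\s*[=:]\s*)([^\s,;&]+)`)
	// Runs of 13 to 19 digits look like card numbers; keep the last four for correlation.
	cardLike = regexp.MustCompile(`\b\d{13,19}\b`)
	// E-mail addresses: keep the first character and the domain.
	emailAddr = regexp.MustCompile(`\b([A-Za-z0-9._%+-])[A-Za-z0-9._%+-]*@([A-Za-z0-9.-]+\.[A-Za-z]{2,})\b`)
)

// MaskLine redacts the sensitive parts of one log line and leaves the rest
// untouched, so the line stays useful for troubleshooting.
func MaskLine(line string) string {
	line = secretField.ReplaceAllString(line, "$1$2[REDACTED]")
	line = cardLike.ReplaceAllStringFunc(line, func(s string) string {
		return strings.Repeat("*", len(s)-4) + s[len(s)-4:]
	})
	line = emailAddr.ReplaceAllString(line, "$1***@$2")
	return line
}

// MaskLines applies MaskLine to every line, e.g. before flushing a log buffer.
func MaskLines(lines []string) []string {
	out := make([]string, len(lines))
	for i, l := range lines {
		out[i] = MaskLine(l)
	}
	return out
}

func main() {
	// Constructed sample log lines, not output of any real system.
	sample := []string{
		"2021-03-04 10:15:01 login user=alice@example.com password=Hunter2 ok",
		"2021-03-04 10:15:09 charge card=4111111111111111 amount=10.00",
		"2021-03-04 10:15:12 refresh token: eyJhbGciOi.payload.sig; ttl=3600",
	}
	for _, l := range MaskLines(sample) {
		fmt.Println(l)
	}
}
```

The masking runs on every line unconditionally; a filter that only masks lines it already expects to be sensitive will miss the stack trace or debug dump that prints a whole request object.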
Avoid storing sensitive data in intermediate files. Consider using the HTTPResponse data type to write and send the data directly instead. If it is unavoidable, verify that those files are erased from the server after being sent.
Configure the application server with the minimum permissions required, and avoid exposing the Temp media directory and/or other temp directories over HTTP/HTTPS.
Use secure channels:
Use strict HTTPS, even for static content.
Security Scanner helps to detect this scenario with case code #105.
Use LDAPS instead of LDAP.
Use TLS or WS-Security for server-to-server communication or other shared resources.
Use valid certificates.
Avoid weak cipher algorithms.
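As an added example for the "secure channels" points (valid certificates, no weak cipher algorithms), and not code from the wiki or from GeneXus, the Go block below places a weak TLS configuration beside a hardened one and runs a small audit over both. Go's `crypto/tls` is used because its settings map directly onto the properties in question (minimum protocol version, cipher suites, certificate verification); the same settings exist, under other names, in the Java and .NET servers GeneXus applications run on. The audit rules are constructed for this example.

```go
package main

import (
	"crypto/tls"
	"fmt"
	"strings"
)

// WeakTLSConfig is the "before": it admits TLS 1.0 and static RSA key
// exchange with CBC/3DES suites. Included only for comparison and audit.
func WeakTLSConfig() *tls.Config {
	return &tls.Config{
		MinVersion: tls.VersionTLS10,
		CipherSuites: []uint16{
			tls.TLS_RSA_WITH_3DES_EDE_CBC_SHA,
			tls.TLS_RSA_WITH_AES_128_CBC_SHA,
		},
	}
}

// HardenedTLSConfig requires TLS 1.2 or later and only AEAD suites with
// ephemeral (ECDHE) key exchange. TLS 1.3 suites are fixed by Go and not
// configurable, so they need no entry here.
func HardenedTLSConfig() *tls.Config {
	return &tls.Config{
		MinVersion:       tls.VersionTLS12,
		CurvePreferences: []tls.CurveID{tls.X25519, tls.CurveP256},
		CipherSuites: []uint16{
			tls.TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
			tls.TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
			tls.TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,
			tls.TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,
			tls.TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
			tls.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
		},
	}
}

// AuditTLSConfig lists what the guidance would object to in a config: a
// minimum version below 1.2 (zero selects Go's version-dependent default, so
// an explicit value is required to pass), suites without forward secrecy or
// with legacy ciphers, and certificate verification switched off on a client.
func AuditTLSConfig(c *tls.Config) []string {
	var findings []string
	if c.MinVersion < tls.VersionTLS12 {
		findings = append(findings, "minimum TLS version below 1.2")
	}
	for _, id := range c.CipherSuites {
		name := tls.CipherSuiteName(id)
		switch {
		case !strings.Contains(name, "ECDHE"):
			findings = append(findings, name+": no forward secrecy (static RSA key exchange)")
		case strings.Contains(name, "3DES"), strings.Contains(name, "RC4"), strings.Contains(name, "CBC"):
			findings = append(findings, name+": legacy cipher or CBC mode")
		}
	}
	if c.InsecureSkipVerify {
		findings = append(findings, "InsecureSkipVerify set: server certificate is not validated")
	}
	return findings
}

func main() {
	configs := []struct {
		name string
		c    *tls.Config
	}{
		{"weak", WeakTLSConfig()},
		{"hardened", HardenedTLSConfig()},
	}
	for _, cfg := range configs {
		findings := AuditTLSConfig(cfg.c)
		fmt.Printf("%s: %d finding(s)\n", cfg.name, len(findings))
		for _, f := range findings {
			fmt.Println("  -", f)
		}
	}
}
```

The `InsecureSkipVerify` check is the "use valid certificates" point seen from the client side of a server-to-server call: an expired or self-signed certificate is usually "fixed" in a hurry by disabling verification, which is the setting the audit is there to catch.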
Avoid sending sensitive data to the browser if it isn't needed. Avoid hidden form fields that carry sensitive data. Select on the server side only the information that is needed.
Security Scanner - Detections:
Shared secrets: IsPassword property (#119).
Intermediate files: LINK Command (#104), HttpResponse data type usage (#109), Directory data type usage (#111), File data type usage (#112), PathToUrl usage (#132).
Intermediate and browser cache
Actions by GeneXus
GeneXus adds HTTP headers to all web pages and automatically generated static content that indicate what can and cannot be cached.
Actions by Developers
If the HTTPResponse data type is used to create a custom web page, the developer must specify whether the response is public, whether it can be cached, and for how long.
Security Scanner helps to detect this scenario with case code #109.
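The following is an added example, not code from the wiki or the GeneXus product, of the decision a custom response has to make explicit. It is written against Go's `net/http` rather than the HTTPResponse data type, so the header names and values are the transferable part: a per-user document is sent with `Cache-Control: no-store, private`, a public asset with `public, max-age=...`, and a helper reads the resulting headers back through an in-memory recorder so the behaviour can be checked in a test. The handler bodies and sample content are constructed for the example.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
	"strings"
)

// WriteSensitive sends content that belongs to one user (a statement, a
// generated PDF). Neither the browser nor an intermediate proxy may keep a copy.
func WriteSensitive(w http.ResponseWriter, contentType string, body []byte) {
	h := w.Header()
	h.Set("Cache-Control", "no-store, private")
	h.Set("Pragma", "no-cache") // understood by HTTP/1.0 intermediaries
	h.Set("Expires", "0")
	h.Set("Content-Type", contentType)
	w.WriteHeader(http.StatusOK)
	w.Write(body)
}

// WritePublic sends content identical for every caller; caching it for
// maxAge seconds is explicitly allowed, including by shared caches.
func WritePublic(w http.ResponseWriter, contentType string, body []byte, maxAge int) {
	h := w.Header()
	h.Set("Cache-Control", fmt.Sprintf("public, max-age=%d", maxAge))
	h.Set("Content-Type", contentType)
	w.WriteHeader(http.StatusOK)
	w.Write(body)
}

// CacheHeaders runs a handler against an in-memory recorder and returns the
// headers that govern caching, which is what to review whenever the scanner
// flags a custom HttpResponse (#109).
func CacheHeaders(handler http.HandlerFunc) map[string]string {
	rec := httptest.NewRecorder()
	handler(rec, httptest.NewRequest(http.MethodGet, "/", nil))
	res := rec.Result()
	out := map[string]string{}
	for _, k := range []string{"Cache-Control", "Pragma", "Expires"} {
		out[k] = res.Header.Get(k)
	}
	return out
}

// IsNoStore reports whether a handler's response forbids storage, the
// property a sensitive custom page must have.
func IsNoStore(handler http.HandlerFunc) bool {
	return strings.Contains(CacheHeaders(handler)["Cache-Control"], "no-store")
}

func main() {
	statement := func(w http.ResponseWriter, r *http.Request) {
		WriteSensitive(w, "application/pdf", []byte("%PDF-1.4 constructed sample"))
	}
	logo := func(w http.ResponseWriter, r *http.Request) {
		WritePublic(w, "image/png", []byte("constructed sample"), 86400)
	}
	fmt.Println("statement:", CacheHeaders(statement), "no-store:", IsNoStore(statement))
	fmt.Println("logo:     ", CacheHeaders(logo), "no-store:", IsNoStore(logo))
}
```

A response that sets neither form leaves the decision to heuristics in the browser and in any proxy on the path, which is exactly the situation the guidance above tells the developer to rule out.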
Created: 5 July 2018 - Last update: 4 March 2021 by sgrampone