Managing OWASP Top 10 2017 in GeneXus Applications
A5:2017 - Broken Access Control
Insecure direct object reference
OWASP Documentation
Actions by GeneXus
GeneXus encrypts the parameters sent in the URL when the developer sets the Encrypt URL parameters property appropriately.
GeneXus Access Manager (GAM) verifies authorization for web objects.
Actions by Developers
Web object parameters must be encrypted. Security Scanner helps detect this scenario with case codes #100, #105 and #107.
Check that every object verifies authorization. Encrypting a parameter hides it and protects it from tampering, but it does not by itself prove that the caller is allowed to access the referenced record.
Change the parameter encryption key at deploy time, so that production does not run with the key generated during development.
AJAX Requests
OWASP Documentation
Actions by GeneXus
Suggest and Dynamic Combo Box can be invoked through AJAX requests. GeneXus prevents abuse of these requests if the developer sets the Ajax Request Security property (GeneXus Evolution 1) or the JavaScript Debug Mode property (GeneXus Evolution 2 and above) appropriately.
Actions by Developers
If GeneXus Evolution 1 is used, check that the Ajax Request Security property is set to High.
If GeneXus Evolution 2 or above is used, check that the JavaScript Debug Mode property is set to No.
Security Scanner helps detect this scenario with case code #106.
If a custom User Control is used, secure its AJAX requests manually.
Improper Temporary Files Generation and Path Traversal
OWASP Documentation
Actions by GeneXus
GeneXus manages temporary files, separating private from public files through the Temp media directory and Blob Local Storage Directory properties.
Actions by Developers
Avoid storing sensitive data in intermediate files. Consider using the HTTPResponse data type to write and send the data directly instead. If an intermediate file is unavoidable, verify that it is erased from the server after it has been sent.
Configure the application server with the minimum permissions required, and do not expose the Temp media directory or any other temporary directory over HTTP/HTTPS.
Generate the files in an external directory that is not served over HTTP, and return them through a GeneXus Procedure that performs an authorization check before retrieving the file. The Procedure must receive an identifier rather than a path; the identifier is mapped to the file through a table on the server, so no path is ever accepted from or returned to the client.
Verify how files are handled throughout the application.
Security Scanner helps detect this scenario with case codes #104, #109, #111, #112, #129 and #132.
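The indirection described above, as an added example written in Python rather than GeneXus (it is not GeneXus or GAM code): the handler receives only an opaque identifier, resolves it through a server-side table, authorizes the caller, confirms the resolved path still lies inside the private storage directory, and erases the temporary file once served. All names (FILE_TABLE, serve_file, register_generated_file) and the sample data are hypothetical.

```python
"""Serving generated files by opaque identifier instead of by path.

Added example (not GeneXus code). The client never supplies a path: it
supplies an identifier, which is looked up in a server-side table. The
handler then authorizes the caller, checks path containment as defense in
depth, serves the bytes and deletes the temporary file.
"""
import tempfile
import uuid
from pathlib import Path

# Private storage directory outside the web root (constructed for the example).
STORAGE_DIR = Path(tempfile.mkdtemp(prefix="private-"))

# Server-side table: identifier -> (owner, file name). In a real application
# this is a database table; here it is an in-memory dict (hypothetical).
FILE_TABLE: dict[str, tuple[str, str]] = {}


class AccessDenied(Exception):
    pass


def register_generated_file(owner: str, content: bytes) -> str:
    """Write a generated file to the private directory and return an opaque id."""
    file_id = uuid.uuid4().hex           # unguessable and carries no path
    name = f"{file_id}.bin"
    (STORAGE_DIR / name).write_bytes(content)
    FILE_TABLE[file_id] = (owner, name)
    return file_id


def serve_file(file_id: str, requesting_user: str, delete_after: bool = True) -> bytes:
    """Resolve id -> path on the server, authorize, contain, serve, erase."""
    # 1. Accept only a bare identifier: 32 lowercase hex characters, no separators.
    if len(file_id) != 32 or any(c not in "0123456789abcdef" for c in file_id):
        raise AccessDenied("malformed identifier")

    # 2. Look the file up; an unknown id is treated like a forbidden one.
    entry = FILE_TABLE.get(file_id)
    if entry is None:
        raise AccessDenied("no such file")
    owner, name = entry

    # 3. Authorization check before the file system is touched.
    if owner != requesting_user:
        raise AccessDenied("not the owner")

    # 4. Defense in depth: the resolved path must stay inside STORAGE_DIR.
    path = (STORAGE_DIR / name).resolve()
    if STORAGE_DIR.resolve() not in path.parents:
        raise AccessDenied("path escapes storage directory")

    data = path.read_bytes()

    # 5. Do not leave the intermediate file on the server after sending it.
    if delete_after:
        path.unlink()
        del FILE_TABLE[file_id]
    return data


def demo() -> dict:
    """Exercise the handler with constructed data and collect the outcomes."""
    fid = register_generated_file("alice", b"alice's payroll report")
    results: dict = {}
    attempts = [
        ("traversal", "../../etc/passwd", "alice"),   # path instead of id
        ("other_user", fid, "mallory"),               # valid id, wrong user
        ("owner", fid, "alice"),                      # legitimate download
        ("replay", fid, "alice"),                     # file already erased
    ]
    for label, fid_try, user in attempts:
        try:
            results[label] = serve_file(fid_try, user)
        except AccessDenied as exc:
            results[label] = f"denied: {exc}"
    results["file_left_on_disk"] = any(STORAGE_DIR.iterdir())
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value!r}")
```

The identifier check in step 1 is deliberately a whitelist (exactly 32 hex characters) rather than a search for ".." or "/": the table lookup in step 2 is what actually prevents traversal, and step 4 only catches a bug in the table itself, such as a stored name that contains a separator.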
Leaving functions without access control
Actions by GeneXus
GeneXus validates data on the client side and validates it again on the server side.
GAM verifies authorization for web objects.
Actions by Developers
Check that every object verifies authorization, both for the object itself and for each of its events.
Security Scanner helps detect this scenario with case code #102 for Web Panel objects and Transaction objects.
Security Scanner helps detect this scenario with case code #107 for Web Components whose URL Access property is set to False.
Check the access control applied to data on the client side, and make sure the same control is enforced on the server.
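The two points made in the Insecure direct object reference section and in this one (encrypt parameters, but still authorize every object and every event) can be seen together in the following added example. It is written in Python and is not GeneXus or GAM code: an HMAC tag stands in for the encrypted URL parameter, every event is registered through a decorator that runs an authorization callback, and an audit function lists the events that were registered without one. All names (EVENTS, event, dispatch, audit_unprotected, the invoice data) are hypothetical.

```python
"""Tamper-evident parameters plus per-event authorization.

Added example (not GeneXus or GAM code). The parameter tag proves that the
parameters were issued by this application and not modified; it does not
prove that the current user may act on the referenced record. That is the
job of the authorization callback attached to each event.
"""
import hashlib
import hmac
import json
from typing import Callable, Dict, Optional, Tuple

# Per-deployment key: must be replaced at deploy time (hypothetical value).
PARAM_KEY = b"replace-this-key-on-deploy"

# Constructed data store: invoice id -> owner.
INVOICES = {"1001": "alice", "1002": "bob"}


def encode_params(params: dict, key: bytes = PARAM_KEY) -> str:
    """Serialize the parameters and append an HMAC tag (stand-in for encryption)."""
    body = json.dumps(params, sort_keys=True)
    tag = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    return f"{body}|{tag}"


def decode_params(blob: str, key: bytes = PARAM_KEY) -> Optional[dict]:
    """Return the parameters if the tag verifies, otherwise None."""
    body, _, tag = blob.rpartition("|")
    expected = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(tag, expected):
        return None
    return json.loads(body)


class Denied(Exception):
    pass


# Registry of events: name -> (guarded handler, authorization callback or None).
EVENTS: Dict[str, Tuple[Callable, Optional[Callable]]] = {}


def event(name: str, authorize: Optional[Callable[[str, dict], bool]] = None):
    """Register an event; the handler runs only if the authorization check passes."""
    def wrap(fn):
        def guarded(user: str, params: dict):
            if authorize is not None and not authorize(user, params):
                raise Denied(f"{name}: not authorized for {user}")
            return fn(user, params)
        EVENTS[name] = (guarded, authorize)
        return guarded
    return wrap


def owns_invoice(user: str, params: dict) -> bool:
    return INVOICES.get(str(params.get("id"))) == user


@event("Invoice.View", authorize=owns_invoice)
def view_invoice(user: str, params: dict) -> str:
    return f"invoice {params['id']} for {user}"


@event("Invoice.Delete")              # registered without a check: the audit must flag it
def delete_invoice(user: str, params: dict) -> str:
    return f"deleted {params['id']}"


def dispatch(name: str, user: str, blob: str):
    """Verify parameter integrity, then run the event's guarded handler."""
    params = decode_params(blob)
    if params is None:
        raise Denied("parameter integrity check failed")
    handler, _ = EVENTS[name]
    return handler(user, params)


def audit_unprotected() -> list:
    """Events registered with no authorization callback, for review."""
    return sorted(name for name, (_, auth) in EVENTS.items() if auth is None)


def demo() -> dict:
    results: dict = {}
    alices_link = encode_params({"id": "1001"})
    tampered = alices_link.replace('"1001"', '"1002"')   # id changed, old tag kept
    bobs_link = encode_params({"id": "1002"})           # legitimately issued to bob
    attempts = [
        ("owner_view", "alice", alices_link, "Invoice.View"),
        ("tampered", "alice", tampered, "Invoice.View"),
        ("valid_but_not_owner", "alice", bobs_link, "Invoice.View"),
        ("unprotected_event", "mallory", bobs_link, "Invoice.Delete"),
    ]
    for label, user, blob, name in attempts:
        try:
            results[label] = dispatch(name, user, blob)
        except Denied as exc:
            results[label] = f"denied: {exc}"
    results["unprotected_events"] = audit_unprotected()
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value!r}")
```

The "valid_but_not_owner" and "unprotected_event" cases are the ones the scanner case codes above are aimed at: the tag is intact in both, so the parameter protection is satisfied, yet only the event with an authorization callback refuses the request.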
Created: 5 July 2018 - Last update: 10 October 2023 by lsilvestre