Managing OWASP Top 10 2017 in GeneXus Applications
A8:2017 - Insecure Deserialization
This documentation is valid for:
OWASP Documentation
Actions by GeneXus
GeneXus provides secure serialization/deserialization mechanisms: FromJSON, ToJSON, FromXML and ToXML.
When the SDT's ToXML or ToJSON functions are used, GeneXus encodes the entries.
When the XML is read or written manually, the XMLWriter and XMLReader functions encode/decode the entries and values accordingly.
Actions by Developers
- Sanitize user entries if they are concatenated into an XML string that is then loaded using the FromXML function. Security Scanner helps to detect this scenario with case code #126. The use of System.Security.SecurityElement.Escape from the .NET Framework or org.owasp.esapi.Encoder.encodeForXML from ESAPI for Java is advised.
- If the WriteRawText function of XMLWriter is used, the developer must sanitize user entries, since raw text is written without encoding. Security Scanner helps to detect this scenario with case code #128. The use of System.Security.SecurityElement.Escape from the .NET Framework or org.owasp.esapi.Encoder.encodeForXML from ESAPI for Java is advised.
- Use the ValidationType property to validate the XML format. Security Scanner helps to detect this scenario with case code #113.
- Sanitize user entries if they are concatenated into a JSON string that is then loaded using the FromJSON function. Security Scanner helps to detect this scenario with case code #127. The use of System.Web.Serialization.JavaScriptSerializer.Serialize from the .NET Framework or org.owasp.esapi.Encoder.encodeForJavascript from ESAPI for Java is advised.
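The XML (#126, #128) and JSON (#127) items above share one root cause: user text spliced into a serialized document by string concatenation becomes part of the document's structure, so the values that FromXML/FromJSON read back are no longer the values the developer intended. The following is an added illustration, not GeneXus code and not the page's own example: Python's standard library (xml.sax.saxutils.escape, json.dumps, ElementTree and json.loads) stands in for SecurityElement.Escape / ESAPI encodeForXML, JavaScriptSerializer.Serialize / encodeForJavascript, and the SDT FromXml/FromJson loaders. The SDT member names User, Role and Name and the sample payloads are constructed for the example.

```python
"""Escaping user input before it is concatenated into XML or JSON text.

Added illustration, not GeneXus code: the SDT, FromXml/FromJson and the
.NET/ESAPI escapers named on the page are stood in for by Python's
standard library (xml.sax.saxutils.escape, json.dumps, ElementTree).
"""
import json
from xml.sax.saxutils import escape
import xml.etree.ElementTree as ET

# Constructed sample payloads: a "name" field that carries markup for the
# surrounding format. Member names User/Role/Name are hypothetical.
XML_PAYLOAD = "guest</Name><Role>admin</Role><Name>x"
JSON_PAYLOAD = 'guest", "role": "admin", "x": "'


def build_xml(name: str, role: str = "user", sanitize: bool = True) -> str:
    """Build the XML that would be handed to FromXml, with or without escaping."""
    if sanitize:
        # escape() plays the role of SecurityElement.Escape / encodeForXML here.
        name, role = escape(name), escape(role)
    return f"<User><Role>{role}</Role><Name>{name}</Name></User>"


def build_json(name: str, role: str = "user", sanitize: bool = True) -> str:
    """Build the JSON that would be handed to FromJson."""
    if sanitize:
        # json.dumps serializes the value (quoting and escaping it) instead of
        # splicing raw text between quote characters.
        name_lit, role_lit = json.dumps(name), json.dumps(role)
    else:
        name_lit, role_lit = f'"{name}"', f'"{role}"'
    return f'{{"role": {role_lit}, "name": {name_lit}}}'


def load_user_xml(doc: str) -> dict:
    """Stand-in for SDT.FromXml: the last occurrence of each member wins."""
    root = ET.fromstring(doc)
    return {tag: root.findall(tag)[-1].text for tag in ("Role", "Name")}


def load_user_json(doc: str) -> dict:
    """Stand-in for SDT.FromJson (json.loads keeps the last duplicate key)."""
    data = json.loads(doc)
    return {"Role": data["role"], "Name": data["name"]}


def roles_after_roundtrip() -> dict:
    """Role read back from each variant; only the sanitized ones stay 'user'."""
    return {
        "xml_unsafe": load_user_xml(build_xml(XML_PAYLOAD, sanitize=False))["Role"],
        "xml_safe": load_user_xml(build_xml(XML_PAYLOAD))["Role"],
        "json_unsafe": load_user_json(build_json(JSON_PAYLOAD, sanitize=False))["Role"],
        "json_safe": load_user_json(build_json(JSON_PAYLOAD))["Role"],
    }


if __name__ == "__main__":
    for variant, role in roles_after_roundtrip().items():
        print(f"{variant:12s} role={role}")
```

In the sanitized variants the Name member round-trips to exactly the string the user typed (markup included, as text), while Role keeps the developer-assigned value; in the unsanitized variants the loader sees an extra Role member and returns the user-controlled one. The same escaping must be applied to text passed to WriteRawText, since that function writes it without encoding.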
Security Scanner - Detections:
SDT.FromXml() pattern usage (#126), SDT.FromJson() pattern usage (#127), SDT.FromXmlFile() pattern usage (#134), SDT.FromJsonFile() pattern usage (#135).
Created: 6 July 2018 - Last update: 4 March 2021 by sgrampone