The Security Scanner extension scans the objects within a Knowledge Base looking for potential security issues, following the OWASP Top 10 Security Risks.
For Xev1, extension version 2.0.0.0 is available to validate against the OWASP 2010 Top 10 Security Risks. For Xev2, use extension version 2.1.0.0 (or higher) to validate against the OWASP 2013 Top 10 Security Risks.
For v15, use extension version 3.5.0.0 (or higher) to validate against the OWASP 2017 Top 10 Security Risks.
The tool is easy to use, and this document explains how.
Once the extension is installed a new toolbar is added to the IDE:
You can run the extension for all the Knowledge Base objects using the Security Scanner window, or apply it to a list of objects using the "Security Scanner" contextual menu.
In the first area of the Security Scanner window, you can configure which Knowledge Base elements will be scanned.
- Environment (rules #100 and #105)
- Web Panels
- Transactions
- Procedures
- Attributes
- Domains
Within this area, you configure which rules will be executed when an object is scanned.
Security Scanner analyzes the KB environment and objects to check whether their parameters are encrypted, that is, whether the Encrypt URL parameters property is set to "Session key" or "Site key".
If a <Parameter encryption> issue is found, Security Scanner will show the following message:
error: #100 in WebPanel1 >> Object parameters not encrypted
Security Scanner analyzes attributes, variables and textblocks, checking whether their Format property (for Web) has been set to "HTML" or "Raw HTML".
If an <HTML format> issue is found, Security Scanner will show a message like this:
error: #101 in WWCountry >> Variable CountryName allows HTML
Security Scanner analyzes the Web Panels and Transactions in the KB, checking whether they call an authorization program (procedure). This rule does not apply to Master Pages and Web Components.
If an <Authorization> issue is found, Security Scanner will show a message like this:
error: #102 in WebPanel1 >> No authorization call found
When using Xev2, the Integrated Security Level property is checked instead (that is, GeneXus Access Manager (GAM) usage).
Security Scanner analyzes KB objects by looking for SQL commands.
If an <SQL Command> issue is found, Security Scanner will show a message like this:
error: #103 in Command >> SQL Command found in source
For example: SQL UPDATE UserInfo SET UserWelcomeMessage='[!&UserWelcomeMessage!]' WHERE UserId=[!&UserId!]
Security Scanner analyzes KB objects, checking for a dynamic Link command called without parameters.
If a <Link command> issue is found, Security Scanner will show a message like this:
error: #104 in WWCountry >> Parameterless LINK command found
For example: Link(&SomeWebPanel)
Security Scanner analyzes the KB environment and Web Panels, checking whether the HTTPS protocol has been specified. This means checking whether the Protocol specification property has been set to "Secure (HTTPS)".
If an <Http protocol> issue is found, Security Scanner will show a message like this:
error: #105 in WebPanel1 >> Http protocol is not Secure
If a <Do not specify> issue is found, Security Scanner will show a message like this:
warning: #105 in WebPanel1 >> Protocol specification property is set to 'Do not specify.' HTTP protocol is not Secure
Security Scanner analyzes the KB environment and objects, checking whether security for Ajax calls has been set to High. This means checking whether the Ajax requests security property has been set to "High".
If an <Ajax request security> issue is found, Security Scanner will show a message like this:
error: #106 in WebPanel1 >> Ajax request security is not High
Security Scanner also analyzes the Javascript debug mode property at generator level; when it is enabled, the following message is displayed:
error: #106 in Generator >> Javascript Debug Mode is enabled
Security Scanner analyzes the KB objects set as Web Components, checking whether URL Access has been enabled for them. This means checking whether the URL Access property has been set to "Yes".
If a <WC URL Access> issue is found, Security Scanner will show a message like this:
error: #107 in WebPanel1 >> Web Components with URL Access enabled
Security Scanner analyzes KB objects source section checking for the java or csharp command.
The following message is displayed:
error: #108 in NativeCodeObjectSample >> Native Code usage found in source
Security Scanner analyzes KB objects variables section checking for HttpResponse data type usage.
The following message is displayed:
error: #109 in WebPanelSample >> HttpResponse Data Type usage in variables
#109: Name 'response' Type 'HttpResponse'
Security Scanner analyzes KB objects source section checking for LDAPClient Data Type GetAttribute method usage.
The following message is displayed:
error: #110 in ProcedureSample >> LDAPClient GetAttribute method used in source
Security Scanner analyzes KB objects variables section checking for Directory data type usage.
The following message is displayed:
error: #111 in WebPanelSample >> Directory Data Type usage in variables
#111: Name 'd01' Type 'Directory'
Security Scanner analyzes KB objects variables section checking for File data type usage.
The following message is displayed:
error: #112 in WebPanelSample >> File Data Type usage in variables
#112: Name 'f01' Type 'File'
Security Scanner analyzes KB objects source section checking whether the XMLReader Data Type ValidationType property is used.
The following message is displayed:
error: #113 in ProcedureSample >> XMLReader ValidationType property not used in source
Security Scanner analyzes KB objects source section checking for Shell function usage.
The following message is displayed:
error: #114 in ProcedureSample >> Shell function found in source
Security Scanner analyzes KB objects source section checking for Random function usage.
The following message is displayed:
error: #115 in ProcedureSample >> Random function found in source
Security Scanner analyzes KB objects source section checking for SetCookie function usage.
The following message is displayed:
error: #116 in ProcedureSample >> SetCookie function found in source
Whenever possible use the Cookie data type and enable the HttpOnly property.
Security Scanner analyzes WebPanels and Transactions source section checking for Form.HeaderRawHTML property usage.
The following message is displayed:
error: #117 in WebPanelSample >> Form.HeaderRawHTML property found in source
Security Scanner analyzes WebPanels and Transactions source section checking for Form.JScriptSrc property usage.
The following message is displayed:
error: #118 in WebPanelSample >> Form.JScriptSrc property found in source
Security Scanner analyzes WebPanels and Transactions source section checking for IsPassword property usage.
The following message is displayed:
error: #119 in WebPanelSample >> IsPassword Property enabled in WebForm
error: #119 in WebPanelSample >> IsPassword property found in source
error: #119 in WebPanelSample >> IsPassword property found in rules
Security Scanner analyzes KB objects source section checking for External Object usage.
The following message is displayed:
error: #120 in ProcedureSample >> External Object usage in variables
#120: Name 'myMD5' Type 'md5'
For Xev2, GAM and GXflow External Objects are excluded.
Security Scanner analyzes WebPanels and Transactions WebForm section for User Control usage.
The following message is displayed:
error: #121 in WebPanelSample >> UserControl detected in WebForm
#121: Name 'HistoryManager' Type 'HistoryManager'
Security Scanner analyzes KB objects variables section checking for Cookie data type usage.
The following message is displayed:
error: #124 in ObjectSample >> Cookie Data Type usage in variables
Whenever possible enable the HttpOnly property.
Security Scanner analyzes KB objects source section checking for the XMLWriter WriteRawText method usage.
The following message is displayed:
error: #125 in ProcedureSample >> XMLWriter WriteRawText method used in source
Security Scanner analyzes KB objects source section checking for the SDT FromXml method usage.
The following message is displayed:
error: #126 in WebPanel1 >> SDT.FromXml() pattern detected in source
Security Scanner analyzes KB objects source section checking for the FromJson method usage.
The following message is displayed:
error: #127 in WebPanel1 >> SDT.FromJson() pattern detected in source
Security Scanner analyzes KB objects source section checking for the XMLReader Data Type's ReadRawXML method usage.
The following message is displayed:
error: #128 in WebPanel1 >> XMLReader ReadRawXML method used in source
Security Scanner analyzes KB objects variables section checking for Blob data type usage.
The following message is displayed:
error: #129 in WebPanel1 >> Blob usage detected in object WebPanel1
Security Scanner analyzes KB objects source section checking for the JSEvent method usage.
The following message is displayed:
error: #130 in WebPanel1 >> JSEvent usage found in source
Security Scanner analyzes KB objects source section checking for the SoapHeaderRaw nonstandard function usage.
The following message is displayed:
error: #131 in WebPanel1 >> soapHeaderRaw usage found in source
Security Scanner analyzes KB objects source section checking for the PathToURL function usage.
The following message is displayed:
error: #132 in WebPanel1 >> pathToUrl usage found in source
Security Scanner analyzes KB objects source section checking for the XMLReader Data Type ReadExternalEntities Property usage.
The following message is displayed:
error: #133 >> XMLReader ReadExternalEntities property is used in source
Security Scanner analyzes KB objects source section checking for the FromXmlFile method usage.
The following message is displayed:
error: #134 in WebPanel1 >> SDT.FromXmlFile() pattern detected in source
Security Scanner analyzes KB objects source section checking for the FromJsonFile method usage.
The following message is displayed:
error: #135 in WebPanel1 >> SDT.FromJsonFile() pattern detected in source
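As an added illustration of the source-section rules above (not the extension's own code, whose matching logic is not public), the following Python scanner applies approximate patterns for rules #103, #104, #108, #114, #115, #116, #117, #118, #125, #128, #131 and #132 to a constructed GeneXus-style source section and prints findings in the same "error: #rule in object >> message" format this page uses. The regexes and the sample source are assumptions of this example.

```python
import re

# Rule table constructed for this example: (rule id, pattern over one source line, message).
SOURCE_RULES = [
    (103, re.compile(r"^\s*sql\b", re.I), "SQL Command found in source"),
    (104, re.compile(r"(?<![\w.])link\s*\(\s*&?\w+\s*\)", re.I), "Parameterless LINK command found"),
    (108, re.compile(r"^\s*(java|csharp)\b", re.I), "Native Code usage found in source"),
    (114, re.compile(r"(?<![\w.])shell\s*\(", re.I), "Shell function found in source"),
    (115, re.compile(r"(?<![\w.])random\s*\(", re.I), "Random function found in source"),
    (116, re.compile(r"(?<![\w.])setcookie\s*\(", re.I), "SetCookie function found in source"),
    (117, re.compile(r"\bform\.headerrawhtml\b", re.I), "Form.HeaderRawHTML property found in source"),
    (118, re.compile(r"\bform\.jscriptsrc\b", re.I), "Form.JScriptSrc property found in source"),
    (125, re.compile(r"\.writerawtext\s*\(", re.I), "XMLWriter WriteRawText method used in source"),
    (128, re.compile(r"\.readrawxml\s*\(", re.I), "XMLReader ReadRawXML method used in source"),
    (131, re.compile(r"\bsoapheaderraw\b", re.I), "soapHeaderRaw usage found in source"),
    (132, re.compile(r"(?<![\w.])pathtourl\s*\(", re.I), "pathToUrl usage found in source"),
]
MESSAGES = {rule_id: message for rule_id, _, message in SOURCE_RULES}
LINE_COMMENT = re.compile(r"//.*$")  # strip GeneXus line comments so commented-out code is not flagged


def scan_source(object_name, source):
    """Return one 'error: #<rule> in <object> >> <message>' line per matching rule.

    A rule is reported at most once per object, like the messages shown on this page,
    and results are sorted by rule number so the output is deterministic."""
    found = set()
    for line in source.splitlines():
        code = LINE_COMMENT.sub("", line)
        for rule_id, pattern, _ in SOURCE_RULES:
            if pattern.search(code):
                found.add(rule_id)
    return ["error: #%d in %s >> %s" % (r, object_name, MESSAGES[r]) for r in sorted(found)]


# Constructed sample of a GeneXus-style source section; it is not a real KB object.
SAMPLE_SOURCE = """\
&UserId = Random()
SQL UPDATE UserInfo SET UserWelcomeMessage='[!&UserWelcomeMessage!]' WHERE UserId=[!&UserId!]
Link(&SomeWebPanel)
Link(&Other, &UserId)
// Shell('notepad.exe')  commented out, must not be reported
SetCookie('session', &UserId)
"""

if __name__ == "__main__":
    for message in scan_source("ProcedureSample", SAMPLE_SOURCE):
        print(message)
```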
The extension output only displays information when one of the selected objects matches an applied rule.
Use the "Do not show errors when using Environment value" check option to avoid warning messages when scanning an object whose possible problem is caused by a property value taken from the Environment (applies to rules #100 and #105).
For example: if the Encrypt Parameters Environment property is set to No, a warning message is displayed for the environment:
error: #100 in WebPanel1 >> Object parameters not encrypted
And for those objects (web panels and transactions) which have Encrypt Parameters = Use environment value:
- If the "Do not show errors …" checkbox is checked, nothing is displayed.
- If the "Do not show errors …" checkbox is not checked, the message error: #100 in WebPanel1 >> Object parameters not encrypted (using Environment value) is displayed.
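The environment-inheritance behaviour described above, as an added Python example that is not part of the extension: an object whose property is "Use environment value" takes the environment's value, findings caused by inheritance carry the "(using Environment value)" suffix, and the checkbox suppresses them. Reporting the environment under the name "Environment", and applying the same suffix to rule #105, are assumptions of this example.

```python
ENCRYPTED = ("Session key", "Site key")   # accepted values of 'Encrypt URL parameters'
SECURE = "Secure (HTTPS)"                 # accepted value of 'Protocol specification'
INHERIT = "Use environment value"


def resolve(env, objects):
    """Yield (name, effective value, inherited) for the environment and each object.
    Reporting the environment as 'Environment' is an assumption of this example."""
    yield "Environment", env, False
    for name, value in objects.items():
        inherited = value == INHERIT
        yield name, (env if inherited else value), inherited


def scan_parameter_encryption(env, objects, hide_env_errors=False):
    """Rule #100. hide_env_errors mirrors the 'Do not show errors when using
    Environment value' checkbox: findings caused by inheritance are suppressed."""
    msgs = []
    for name, value, inherited in resolve(env, objects):
        if value in ENCRYPTED or (inherited and hide_env_errors):
            continue
        suffix = " (using Environment value)" if inherited else ""
        msgs.append("error: #100 in %s >> Object parameters not encrypted%s" % (name, suffix))
    return msgs


def scan_protocol(env, objects, hide_env_errors=False):
    """Rule #105. 'Do not specify' is a warning; any other non-HTTPS value is an error."""
    msgs = []
    for name, value, inherited in resolve(env, objects):
        if value == SECURE or (inherited and hide_env_errors):
            continue
        suffix = " (using Environment value)" if inherited else ""
        if value == "Do not specify":
            msgs.append("warning: #105 in %s >> Protocol specification property is set to "
                        "'Do not specify.' HTTP protocol is not Secure%s" % (name, suffix))
        else:
            msgs.append("error: #105 in %s >> Http protocol is not Secure%s" % (name, suffix))
    return msgs


# Constructed sample: the environment does not encrypt, WebPanel1 inherits, Trn1 overrides.
SAMPLE_OBJECTS = {"WebPanel1": INHERIT, "Trn1": "Session key", "WebPanel2": "No"}

if __name__ == "__main__":
    for checked in (False, True):
        print("checkbox checked:", checked)
        for message in scan_parameter_encryption("No", SAMPLE_OBJECTS, checked):
            print(" ", message)
```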
Calculates the checksum of the object so that, later on, it can be verified whether anything in the object has changed.
Checks the checksums and indicates whether the object has changed since the last scan.
Generates an Excel file with the output of the extension's execution.