A01:2021 - Broken access control

This documentation is valid for:
GeneXus 18 Help

This article focuses on providing guidance in the event of the failure of access control mechanisms. This guidance is based on OWASP (Open Web Application Security Project).

Insecure Direct Object Reference

Insecure Direct Object Reference Prevention Cheat Sheet

Actions by GeneXus

GeneXus ciphers the parameters sent over the URL if the Encrypt URL parameters property is properly set by the developer.
GeneXus Access Manager (GAM) verifies the authorization over the web objects.

Actions by Developers

Web object parameters must be ciphered.
- Security Scanner helps to detect this scenario with case codes #100, #105 & #107.
Check that every object verifies authorization.
Change the default parameter cipher key on deployment.

AJAX requests

AJAX Security Cheat Sheet

Actions by GeneXus

Suggests and Dynamic Combo Box can be invoked by AJAX Requests. GeneXus prevents this if the Ajax requests security property (for GeneXus Evolution 1) or the Javascript Debug Mode (for GeneXus Evolution 2 and above) property is properly set by the developer.

Actions by Developers

If GeneXus Evolution 1 is used, check the Ajax Request Security property is set to High.
If GeneXus Evolution 2 is used, check the Javascript Debug Mode property is set to No.
- Security Scanner helps to detect this scenario with case code #106.
If a custom User Control is used, secure the AJAX requests manually.

Improper temporary files generation and path traversal

Path Traversal

Actions by GeneXus

GeneXus manages temporary files by separating private and public files through the Temp media directory and Blob local storage directory properties.

Actions by Developers

Avoid storing sensitive data in intermediate files. Consider using HttpResponse data type to write and send the data directly instead. If it is unavoidable, then verify that those files are erased from the server after being sent.
Configure the application server with the minimum permission required and avoid exposing the Temp media directory and/or other temp directories by HTTP/HTTPS.
Generate the files over an external directory, and return them via a GeneXus Procedure avoiding paths and executing an authorization check before retrieving the file. This Procedure must receive an identifier to associate with the file over a table on the server to avoid returning paths.
Verify the file management over the application.
- Security Scanner helps to detect this scenario with case codes #104, #109, #111, #112, #129 & #132.

Leaving functions without access control

Actions by GeneXus

GeneXus validates data on the client side and validates the data again on the server side.
GAM verifies the authorization over the web objects.

Actions by Developers

Check every object verifies authorization over the object and over each event.
- Security Scanner helps to detect this scenario with case code #102 over Web Panel objects and Transaction objects.
- Security Scanner helps to detect this scenario with case code #107 over Web Component objects with the URL access property set to False.
Check the access control over data on the client side.

Availability

Since GeneXus 18 upgrade 1.

Page Id

—

Created: 3 March 2022 - Last update: 6 January 2023 by rp

Backlinks