This article provides guidance for preventing failures of access control mechanisms in a GeneXus application. The guidance is based on the OWASP (Open Web Application Security Project) cheat sheets named below.
Insecure Direct Object Reference Prevention Cheat Sheet
- Web object parameters must be ciphered, so that identifiers passed in URLs cannot be read or tampered with by the client.
- Check that every object verifies authorization. A ciphered parameter only proves that the application generated the link; it does not prove that the current user is entitled to the record it references, so each object must check that before acting on it.
- Change the default parameter cipher key on deployment. A key shared by every installation lets anyone who knows the default forge valid parameters.
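The two layers described above, as an added example that is not GeneXus code and not from the original page: GeneXus ciphers web object parameters with the site key, while this Python block uses a keyed MAC from the standard library instead, so the identifier stays readable but cannot be altered. The point it demonstrates is the same: a forged parameter is stopped by the key, and a valid parameter borrowed from another user is stopped only by the object's own authorization check. ORDERS, the user names, DEFAULT_SITE_KEY and the parameter name OrderId are assumptions constructed for the example.

```python
"""Tamper-proof web object parameters plus per-object authorization.

Added example, not GeneXus code. HMAC-SHA256 stands in for GeneXus's
parameter cipher; ORDERS, the users and DEFAULT_SITE_KEY are constructed.
"""
import base64
import hashlib
import hmac
import json

# Key shipped with the application build; an assumed placeholder value that
# must be replaced on every deployment.
DEFAULT_SITE_KEY = b"default-site-key-change-on-deploy"

# Sample table of orders: record id -> owner and amount (constructed data).
ORDERS = {
    1001: {"owner": "alice", "total": 50},
    1002: {"owner": "bob", "total": 75},
}

TAG_LEN = hashlib.sha256().digest_size  # 32 bytes appended to each token


def check_site_key(key: bytes) -> bytes:
    """Refuse to run with the default key: every install would share it."""
    if not key or key == DEFAULT_SITE_KEY:
        raise RuntimeError("site cipher key must be changed on deployment")
    return key


def protect_params(params: dict, key: bytes) -> str:
    """Serialize the parameters and append a keyed MAC, URL-safe encoded."""
    payload = json.dumps(params, sort_keys=True, separators=(",", ":")).encode()
    tag = hmac.new(key, payload, hashlib.sha256).digest()
    return base64.urlsafe_b64encode(payload + tag).decode("ascii")


def unprotect_params(token: str, key: bytes) -> dict:
    """Verify the MAC in constant time before trusting any parameter value."""
    raw = base64.urlsafe_b64decode(token.encode("ascii"))
    if len(raw) <= TAG_LEN:
        raise ValueError("malformed parameter token")
    payload, tag = raw[:-TAG_LEN], raw[-TAG_LEN:]
    expected = hmac.new(key, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("parameter token tampered or made with another key")
    return json.loads(payload)


def view_order(token: str, current_user: str, key: bytes) -> dict:
    """Web object entry point. Layer 1 rejects forged parameters; layer 2
    rejects genuine parameters the current user is not entitled to, which is
    what a shared or captured link looks like on the server."""
    params = unprotect_params(token, key)
    order = ORDERS.get(params.get("OrderId"))
    if order is None or order["owner"] != current_user:
        raise PermissionError("current user may not view this order")
    return order


if __name__ == "__main__":
    key = check_site_key(b"per-deployment-secret")
    link = protect_params({"OrderId": 1001}, key)
    print(view_order(link, "alice", key))  # alice opening her own order
    attempts = (
        lambda: view_order(link, "bob", key),  # bob reusing alice's link
        lambda: view_order(protect_params({"OrderId": 1002}, b"x"), "alice", key),  # forged
    )
    for attempt in attempts:
        try:
            attempt()
        except (PermissionError, ValueError) as err:
            print("rejected:", err)
```

Note that the borrowed link passes the MAC check: only the authorization inside view_order stops it, which is why the cheat sheet requires both measures rather than relying on ciphered parameters alone.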
AJAX Security Cheat Sheet
- If GeneXus Evolution 1 is used, check that the Ajax Request Security property is set to High.
- If GeneXus Evolution 2 is used, check that the Javascript Debug Mode property is set to No.
- If a custom User Control is used, secure its AJAX requests manually.
Path Traversal
- Avoid storing sensitive data in intermediate files. Consider using the HttpResponse data type to write and send the data directly instead. If an intermediate file is unavoidable, verify that it is erased from the server after being sent.
- Configure the application server with the minimum permissions required, and do not expose the Temp media directory or other temporary directories over HTTP/HTTPS.
- Generate the files in a directory outside the web-exposed ones, and return them through a GeneXus Procedure that never accepts or returns paths. The Procedure receives an identifier, looks it up in a server-side table that associates the identifier with the stored file, performs an authorization check, and only then retrieves the file.
- Review every place in the application that reads, writes or serves files.
- Security Scanner helps to detect this scenario with case codes #104, #109, #111, #112, #129 & #132.
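The identifier-based download described above, shown in plain Python as an added example that is not GeneXus code and not from the original page. It places the vulnerable path-based download beside the hardened one: the hardened version looks the identifier up in a server-side table, checks that the current user owns the record, confirms the resolved path is still inside the storage directory, and optionally erases the intermediate file once sent. The storage directory, the FILE_TABLE rows, the user names and the file contents are assumptions constructed for the example.

```python
"""Serving generated files by identifier instead of by path.

Added example, not GeneXus code. The storage layout, FILE_TABLE rows, users
and file contents are constructed so the block runs offline.
"""
import tempfile
from pathlib import Path

# Base directory outside the web root. Generated files go in files/; the
# sibling secret.txt stands in for anything else on the server (constructed).
BASE_DIR = Path(tempfile.mkdtemp(prefix="gx-files-"))
STORAGE_ROOT = BASE_DIR / "files"

# Server-side table: opaque identifier -> owner and stored file name.
FILE_TABLE = {
    "f1": {"owner": "alice", "name": "report-alice.pdf"},
    "f2": {"owner": "bob", "name": "report-bob.pdf"},
}


def _seed_storage() -> None:
    """Create the sample files the two download functions operate on."""
    STORAGE_ROOT.mkdir()
    for row in FILE_TABLE.values():
        content = b"%PDF-1.4 report for " + row["owner"].encode()
        (STORAGE_ROOT / row["name"]).write_bytes(content)
    (BASE_DIR / "secret.txt").write_bytes(b"not meant to be served")


_seed_storage()


def download_by_path(requested: str) -> bytes:
    """Vulnerable pattern: the client names the file, so '../' walks out of
    STORAGE_ROOT and no authorization question is ever asked."""
    return (STORAGE_ROOT / requested).read_bytes()


def download_by_id(file_id: str, current_user: str, delete_after: bool = False) -> bytes:
    """Hardened pattern: resolve the identifier server-side, check that the
    current user owns the record, then confirm the resolved path is still
    inside STORAGE_ROOT before reading it."""
    row = FILE_TABLE.get(file_id)
    if row is None or row["owner"] != current_user:
        raise PermissionError("no such file for the current user")
    path = (STORAGE_ROOT / row["name"]).resolve()
    if STORAGE_ROOT.resolve() not in path.parents:
        # Defense in depth: a poisoned table row must not reach other directories.
        raise ValueError("stored file name escapes the storage directory")
    data = path.read_bytes()
    if delete_after:
        # Intermediate files holding sensitive data are removed once sent.
        path.unlink()
    return data


if __name__ == "__main__":
    print(download_by_path("../secret.txt"))  # traversal succeeds
    print(download_by_id("f1", "alice"))       # own file, by identifier
    for file_id, user in (("f1", "bob"), ("../secret.txt", "alice")):
        try:
            download_by_id(file_id, user)
        except PermissionError as err:
            print("rejected:", err)
```

The identifier is meaningless outside the table, so a client cannot turn it into a path; the containment check on the resolved path is there only for the case where the table itself is corrupted, and the optional deletion covers the "erase after sending" advice for files that had to be written.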
Since: GeneXus 18 upgrade 1.