
This article describes some injection flaws that applications may have. Below you can find a guide on how to prevent them.

Read more at: 

OWASP Injection Documentation
OWASP Injection Prevention Cheat Sheet

SQL injection

SQL Injection Prevention Cheat Sheet

Actions by GeneXus

Actions by Developers

XML injection

XML Security Cheat Sheet

Actions by GeneXus

  • When the SDT's ToXML function is used, GeneXus encodes the entries for XML.

  • When the XML is manually read/written, XMLWriter and XMLReader functions encode/decode the entries and values accordingly.

Actions by Developers

  • Sanitize user entries if they are concatenated into an XML document that is then loaded using the FromXML function.

    • Security Scanner helps to detect this scenario with case code #126.

    • The use of System.Security.SecurityElement.Escape from .NET Framework, and org.owasp.esapi.Encoder.encodeForXML from ESAPI or org.apache.commons.text.StringEscapeUtils.escapeXml10 for Java is advised.

  • If the WriteRawText function of XMLWriter is used, the developer must sanitize user entries.

    • Security Scanner helps to detect this scenario with case code #128.

    • The use of System.Security.SecurityElement.Escape from .NET Framework, and org.owasp.esapi.Encoder.encodeForXML from ESAPI or org.apache.commons.text.StringEscapeUtils.escapeXml10 for Java is advised.

    • Use the ValidationType property to validate the XML format.

      • Security Scanner helps to detect this scenario with case code #113.

JSON injection

AJAX Security Cheat Sheet

Actions by GeneXus

  • When the SDT's ToJson function is used, GeneXus encodes the entries.

Actions by Developers

  • Sanitize user entries if they are concatenated into a JSON document that is then loaded using the FromJson function.

    • Security Scanner helps to detect this scenario with case code #127.

    • The use of System.Web.Script.Serialization.JavaScriptSerializer.Serialize from .NET Framework or org.owasp.esapi.Encoder.encodeForJavaScript from ESAPI for Java is advised.
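The following added example (not GeneXus code, and not from this page) illustrates both the XML and the JSON scenario above: a user value concatenated raw into a document changes its structure when FromXML/FromJson parses it, while the same value passed through an encoder becomes inert. It uses Python's standard-library equivalents of the encoders the page recommends; the document layouts and the sample inputs are constructed for the demonstration.

```python
import json
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape

# Constructed inputs: values a user might submit that, concatenated raw, would change
# the structure of the document that FromXML / FromJson later parses.
CONSTRUCTED_XML_INPUT = "x</name><role>admin</role><name>"
CONSTRUCTED_JSON_INPUT = 'x", "role": "admin'


def build_user_xml(name: str, sanitize: bool) -> str:
    """Build the document by string concatenation, as the page's scenario does.
    escape() is the standard-library counterpart of SecurityElement.Escape /
    encodeForXML / escapeXml10 for text content (quotes covered for attribute reuse)."""
    value = escape(name, {'"': "&quot;", "'": "&apos;"}) if sanitize else name
    return f"<user><name>{value}</name><role>reader</role></user>"


def parsed_xml_roles(xml_text: str) -> list:
    """Parse as FromXML would and return every <role> the document now carries."""
    return [r.text for r in ET.fromstring(xml_text).findall("role")]


def parsed_xml_name(xml_text: str) -> str:
    return ET.fromstring(xml_text).find("name").text


def build_user_json(name: str, sanitize: bool) -> str:
    """json.dumps() emits a correctly escaped JSON string literal, the same job the
    page assigns to JavaScriptSerializer.Serialize / encodeForJavaScript."""
    value = json.dumps(name) if sanitize else f'"{name}"'
    return f'{{"role": "reader", "name": {value}}}'


def parsed_json_role(json_text: str) -> str:
    # json.loads keeps the last duplicate key, so an injected "role" wins if unescaped.
    return json.loads(json_text)["role"]


def parsed_json_name(json_text: str) -> str:
    return json.loads(json_text)["name"]


if __name__ == "__main__":
    for sanitize in (False, True):
        print("sanitize =", sanitize,
              "| XML roles:", parsed_xml_roles(build_user_xml(CONSTRUCTED_XML_INPUT, sanitize)),
              "| JSON role:", parsed_json_role(build_user_json(CONSTRUCTED_JSON_INPUT, sanitize)))
```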

LDAP injection

LDAP Injection Prevention Cheat Sheet

Actions by GeneXus

  • GeneXus sanitizes the characters used in the User and Password fields when it gets the attributes from the LDAPClient data type.

  • The attributes of the LDAPClient data type are structured, which prevents injections and complex queries.

Actions by Developers

  • The developer does not have to take any actions, but deployment over a secure channel is advised.

OS injection

OS Command Injection Defense Cheat Sheet

Actions by GeneXus

  • GeneXus does not take any specific actions.

Actions by Developers

  • If the Shell function is used, user entries must be sanitized using regular expressions, or by using strict data types other than string-based ones. Wrapping parameters in double quotes and/or encoding special characters improves the defense; however, escaping a specific set of characters may miss others, and the correct way to do it varies from interpreter to interpreter (e.g., CMD, PowerShell, bash). Be cautious if using the latter approach.

    • Security Scanner helps to detect this scenario with case code #114.

  • Configuring minimum privileges for the application server is also recommended.
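As an added example (not GeneXus code), the parameter handling below applies the two layers the Shell bullet describes: strict typing and allow-list regular expressions as the primary defense, with shell quoting only as a secondary, POSIX-specific layer. The command name, parameter names and accepted formats are assumptions made for the example.

```python
import re
import shlex

# Allow-list rules for the only string parameters the command accepts.
# Names and formats are assumptions for this example, not GeneXus definitions.
REPORT_NAME = re.compile(r"[A-Za-z0-9_-]{1,40}")
FORMATS = {"pdf", "csv"}


def validated_report_id(raw: str) -> int:
    """Primary defense: a strict non-string type. Only plain decimal digits are
    accepted, so no shell metacharacter can survive the conversion."""
    if not re.fullmatch(r"[0-9]{1,9}", raw):
        raise ValueError(f"invalid report id: {raw!r}")
    return int(raw)


def validated_report_name(raw: str) -> str:
    if not REPORT_NAME.fullmatch(raw):
        raise ValueError("report name must be 1-40 characters of [A-Za-z0-9_-]")
    return raw


def validated_format(raw: str) -> str:
    if raw not in FORMATS:
        raise ValueError("format must be one of " + ", ".join(sorted(FORMATS)))
    return raw


def build_export_command(report_id: str, name: str, fmt: str) -> str:
    """Return the command string that would be handed to Shell (assumed tool
    'export_report'). Validation above is the defense; shlex.quote adds POSIX-shell
    quoting as a second layer and, as the page notes, that layer is interpreter
    specific (it is not correct for CMD or PowerShell)."""
    args = [
        "export_report",
        "--id", str(validated_report_id(report_id)),
        "--name", validated_report_name(name),
        "--format", validated_format(fmt),
    ]
    return " ".join(shlex.quote(a) for a in args)


def is_accepted(report_id: str, name: str, fmt: str) -> bool:
    """True when every parameter passes validation, False when any is rejected."""
    try:
        build_export_command(report_id, name, fmt)
        return True
    except ValueError:
        return False
```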

SMTP injection

Testing for IMAP SMTP Injection

Actions by GeneXus

Actions by Developers

  • The developer does not have to take any actions, but adequate server hardening and a periodic log review are recommended.

Code injection

Code Injection

Actions by GeneXus

  • GeneXus validates the inputs for dynamic class loading.

Actions by Developers

  • Validate Blob and BlobFile extensions using a whitelist.

    • Security Scanner helps to detect the Blob scenario with case code #129.

  • Use dynamic class loading only if necessary. Inputs must also be validated before execution.

    • Security Scanner helps to detect this scenario with case code #108.

Log injection

Log Injection

Actions by GeneXus

  • GeneXus allows developers to modify the log through an external object. See Log external object. Valid for GeneXus 16 or higher.

  • GeneXus allows generating application activity logs that include user input; see JDBC Log, Log file property, Log level property, Log output property.

  • Another way to add information to the application activity logs is the Msg command. This command also writes to the stdout log file in Java applications running on Tomcat.

Actions by Developers

  • Avoid using unsanitized user input with the Msg command or the Log external object. The latter is preferred for logging.

  • The developers must not alter the application flow using log information as input at runtime.

  • The developer must configure the log file, its size, and backups on the server when logging is used, and take monitoring actions accordingly.
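The added example below (not GeneXus code) shows what "sanitizing" a user value means before it reaches Msg or the Log external object: line breaks and other control characters are the mechanism by which a single value can masquerade as extra log entries, so they are made visible instead of written raw. The log line format and the sample value are constructed for the example; the Unicode line separators are included because many log viewers also break lines on them.

```python
import re

# Characters that let one user value masquerade as several log entries: ASCII
# control characters (CR, LF, ESC, NUL, ...) plus the Unicode line separators that
# many log viewers, and Python's splitlines(), also treat as line breaks.
_LINE_BREAKERS = re.compile("[\x00-\x1f\x7f\x85\u2028\u2029]")


def sanitize_for_log(value: str, max_len: int = 200) -> str:
    """Replace each control / line-separator character with a visible escape and
    bound the length, so the value stays on one line while its original bytes
    remain recoverable for a reviewer."""
    def visible(m):
        code = ord(m.group())
        return "\\x%02x" % code if code < 0x100 else "\\u%04x" % code
    cleaned = _LINE_BREAKERS.sub(visible, value)
    return cleaned if len(cleaned) <= max_len else cleaned[:max_len] + "...[truncated]"


def log_entry(user_value: str, sanitize: bool = True) -> str:
    """One activity-log line in an assumed format; user_value stands for what an
    application would pass to Msg or to the Log external object."""
    shown = sanitize_for_log(user_value) if sanitize else user_value
    return f"[INFO] login attempt user={shown} result=failed"


def entry_count(log_text: str) -> int:
    """How many entries a reviewer reading the log line by line would count."""
    return sum(1 for line in log_text.splitlines() if line.strip())


# Constructed input: a login name carrying a line break followed by a fake entry.
CONSTRUCTED_USER_VALUE = "alice\n[INFO] login attempt user=admin result=ok"

if __name__ == "__main__":
    for sanitize in (False, True):
        line = log_entry(CONSTRUCTED_USER_VALUE, sanitize)
        print(f"sanitize={sanitize}: {entry_count(line)} entr(y/ies)\n{line}\n")
```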

Cross-Site Scripting (XSS)

Cross Site Scripting (XSS)

Actions by GeneXus

  • GeneXus validates attribute and variable types and length.

  • It lets the developer specify regular expressions to validate custom entries.

  • GeneXus encodes every data entry on the generated Web Pages according to its context (JavaScript, JSON, etc.).

Actions by Developers

  • Validate rich-text (e.g., HTML) entries. Whitelisting is advised.

  • If a User control or custom HTML code is used, the developer must sanitize the user's entries properly.

    • Security Scanner helps to detect this scenario with case codes #101, #109, #117, #118, #121 and #124.

  • The use of the OWASP XSS Prevention Cheat Sheet is advised.

  • Set the Content Security Policy for browsers properly.

  • Set session cookies as HttpOnly.

    • Security Scanner helps to detect this scenario with case code #124.

  • Security Scanner detections:

    • Check HTML usage (#101)

    • Check for variables of HttpResponse type (#109)

    • Check HeaderRawHtml method in source code (#117)

    • Check JScriptSrc method in source code (#118)

    • Check external objects use (#120)

    • Check external user controls use (#121)

    • Check use of JSEvent in source code (#130)

Availability

Since GeneXus 18 upgrade 1.

Last update: April 2024 | © GeneXus. All rights reserved.