This article describes some injection flaws that applications may have. Below you can find a guide on how to prevent them.
Read more at:
OWASP Injection Documentation
OWASP Injection Prevention Cheat Sheet
SQL Injection Prevention Cheat Sheet
XML Security Cheat Sheet
- When the SDT's ToXML function is used, GeneXus encodes the entries for XML.
- When the XML is manually read/written, the XMLWriter and XMLReader functions encode/decode the entries and values accordingly.
- Sanitize user entries if they are concatenated into an XML document and loaded using the FromXML function.
  - Security Scanner helps to detect this scenario with case code #126.
  - The use of System.Security.SecurityElement.Escape from .NET Framework, and org.owasp.esapi.Encoder.encodeForXML from ESAPI or org.apache.commons.text.StringEscapeUtils.encodeXml10 for Java is advised.
- If the WriteRawText function of XMLWriter is used, the developer must sanitize user entries.
  - Security Scanner helps to detect this scenario with case code #128.
  - The use of System.Security.SecurityElement.Escape from .NET Framework, and org.owasp.esapi.Encoder.encodeForXML from ESAPI or org.apache.commons.text.StringEscapeUtils.encodeXml10 for Java is advised.
- Use the ValidationType property to validate the XML format.
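The risk behind the "concatenated and loaded with FromXML" item above, as an added example that is not GeneXus code: xml.sax.saxutils.escape/quoteattr stand in for the .NET and Java escape functions named in the list, and the <User> SDT layout and the FromXML-like loader are constructed assumptions.

```python
"""Added example (not GeneXus code): user input concatenated into XML that
is later loaded (FromXML-style) must be escaped first. xml.sax.saxutils
stands in for SecurityElement.Escape / the Java encoders; the <User> SDT
layout and the loader below are constructed for illustration."""
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape, quoteattr

# Constructed user input: a display name carrying an XML fragment. Once
# concatenated unescaped, the fragment becomes real elements.
MALICIOUS_NAME = "mallory</Name><Role>admin</Role><Name>x"


def build_unsafe(name: str) -> str:
    """Vulnerable: raw concatenation, the pattern the list warns about."""
    return f"<User><Name>{name}</Name><Role>guest</Role></User>"


def build_safe(name: str) -> str:
    """Hardened: escape() turns &, < and > into entities in text content."""
    return f"<User><Name>{escape(name)}</Name><Role>guest</Role></User>"


def build_safe_attr(name: str) -> str:
    """Attribute context needs quoteattr(): it adds the surrounding quotes
    and escapes quote characters inside the value as well."""
    return f"<User name={quoteattr(name)}><Role>guest</Role></User>"


def load_user(xml_text: str) -> dict:
    """Stand-in for FromXML: parse and read the fields the app relies on.
    Like a naive loader, it takes the first matching element it finds."""
    root = ET.fromstring(xml_text)
    return {
        "name": root.findtext("Name") or root.get("name"),
        "role": root.findtext("Role"),
    }


if __name__ == "__main__":
    # The unescaped document now carries an injected <Role>admin</Role>;
    # the escaped one keeps the whole input as the Name text and Role guest.
    print("unsafe:", load_user(build_unsafe(MALICIOUS_NAME)))
    print("safe:  ", load_user(build_safe(MALICIOUS_NAME)))
```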
AJAX Security Cheat Sheet
Actions by GeneXus
Actions by Developers
LDAP Injection Prevention Cheat Sheet
Actions by GeneXus
- GeneXus sanitizes the characters used in the User and Password fields when it gets the attributes from the LDAPClient data type.
- The attributes of the LDAPClient data type functions are structured, preventing injections and complex queries.
Actions by Developers
OS Command Injection Defense Cheat Sheet
Actions by GeneXus
Actions by Developers
- If the Shell function is used, user entries must be sanitized using regular expressions or by using strict data types other than string-based types. Wrapping parameters in quotes and/or encoding special characters improves the defense; however, handling some specific characters may miss others, and how to do this varies from interpreter to interpreter (e.g., CMD, PowerShell, bash). Be cautious if using the latter approach.
- Configuring minimum privileges for the application server is also recommended.
Testing for IMAP SMTP Injection
Actions by GeneXus
Actions by Developers
Code Injection
Actions by GeneXus
Actions by Developers
- Validate Blob and BlobFile extensions by whitelisting.
- Use dynamic class loading only if necessary. Also, the inputs must be validated before execution.
Log Injection
Actions by GeneXus
- GeneXus allows developers to modify the log through an external object. See Log external object. Valid for GeneXus 16 or higher.
- GeneXus allows generating application activity logs that contain user input information; see JDBC Log, Log file property, Log level property, Log output property.
- Another way to add log information to the application activity logs is using the Msg command. This function also adds information to the stdout log file on Java applications running on Tomcat.
Actions by Developers
- It is recommended to avoid the use of unsanitized user inputs when the Msg function or the Log external object is used. The latter is preferred for logging.
- Developers must not alter the application flow using log information as input at runtime.
- The developer must configure the log file, size, and backups on the server when it is used and take monitoring actions accordingly.
Cross Site Scripting (XSS)
Actions by GeneXus
- GeneXus validates attribute and variable types and lengths.
- It gives the developer the possibility to specify regular expressions to validate custom entries.
- GeneXus encodes every data entry on generated Web Pages considering its context (JavaScript, JSON, etc.).
Actions by Developers
- Validate enriched text (like HTML) format entries. Whitelisting is advised.
- If a User control or custom HTML code is used, the developer must sanitize the user's entries properly.
  - Security Scanner helps to detect this scenario with case codes #101, #109, #117, #118, #121 & #124.
  - The use of the OWASP XSS Prevention Cheat Sheet is advised.
- Set the Content Security Policy for browsers properly.
- Set session cookies as HTTP-Only.
- Security Scanner - Detections: since GeneXus 18 upgrade 1.