
This document describes software and data integrity failures in applications and how to prevent them.

This category covers code and infrastructure that do not protect against integrity violations. It also covers assumptions made about, among other things, software updates, critical data, and continuous integration/deployment (CI/CD) pipelines without verifying their integrity.

Read more at: Software and Data Integrity Failures - OWASP Documentation

The following are general prevention scenarios:

  • Code review: Ensuring that there is a review process for code and configuration changes minimizes the possibility of malicious code or configurations being introduced into the development and deployment process.

  • Malicious downloads: It is vital to verify the source of any resource downloaded from the Internet. In the case of GeneXus and its components (User Controls, extensions), always make sure that they come from the official GeneXus channels (Download Center, Marketplace, wiki).

  • Trusted dependencies: The previous item also applies to the libraries and dependencies you use. For Java/.NET External Objects, always check that they come from reliable sources and publishers (Maven Central, NuGet).

  • CI/CD security: If continuous integration/deployment pipelines are used, secrets and access control must be properly configured to ensure code integrity during the build and deployment process.
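The "malicious downloads" and "trusted dependencies" items both come down to one check: compare the artifact you actually received against a digest obtained from the publisher over a trusted channel, before it is installed or added to the build. The following Java program is an added example (not GeneXus code) showing that check with only the JDK: it hashes the file with SHA-256 and compares the result to the pinned value using MessageDigest.isEqual, which runs in constant time. The pinned digest here is the well-known SHA-256 of the three bytes "abc", and the temporary file is constructed by the program so it runs offline; in practice the expected value is the one published next to the download. HexFormat requires Java 17 or later.

```java
import java.io.IOException;
import java.io.InputStream;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Path;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.util.HexFormat;

public class ArtifactIntegrityCheck {

    // Streams the file through SHA-256 so large downloads are not loaded into memory at once.
    static byte[] sha256(Path file) throws IOException, NoSuchAlgorithmException {
        MessageDigest md = MessageDigest.getInstance("SHA-256");
        try (InputStream in = Files.newInputStream(file)) {
            byte[] buf = new byte[8192];
            int n;
            while ((n = in.read(buf)) != -1) {
                md.update(buf, 0, n);
            }
        }
        return md.digest();
    }

    // Compares the computed digest with the one published by the source.
    // MessageDigest.isEqual is constant-time, so the comparison does not leak how many bytes matched.
    static boolean matchesPinnedDigest(Path file, String expectedHex)
            throws IOException, NoSuchAlgorithmException {
        byte[] expected = HexFormat.of().parseHex(expectedHex);
        return MessageDigest.isEqual(sha256(file), expected);
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample: a file whose content is "abc". Its SHA-256 is a fixed, well-known value.
        String pinned = "ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad";
        Path download = Files.createTempFile("artifact", ".bin");
        try {
            Files.write(download, "abc".getBytes(StandardCharsets.US_ASCII));
            System.out.println("intact download verifies: " + matchesPinnedDigest(download, pinned));   // true

            // Simulate a tampered or corrupted download: a single byte differs.
            Files.write(download, "abd".getBytes(StandardCharsets.US_ASCII));
            System.out.println("tampered download verifies: " + matchesPinnedDigest(download, pinned)); // false
        } finally {
            Files.delete(download);
        }
    }
}
```

The check only has value if the expected digest itself is trustworthy: take it from the official channel (or from a signature the publisher made over the artifact), never from the same unverified location the file came from. For build dependencies, package managers such as Maven and NuGet perform the same comparison when checksums or signatures are enabled in their configuration.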

Insecure deserialization

Deserialization Cheat Sheet

Actions by GeneXus

  • GeneXus provides secure serialization/deserialization mechanisms such as FromJson, ToJson, FromXml & ToXml.

  • When the SDT's ToXml or ToJson functions are used, GeneXus encodes the entries for the corresponding context.

  • When the XML is read/written manually, the XMLWriter and XMLReader functions encode/decode the entries and values accordingly.

Actions by Developers

  • Sanitize user entries if they are concatenated into an XML and loaded using the FromXml function.

    • Security Scanner helps to detect this scenario with case code #126.

    • The use of System.Security.SecurityElement.Escape from .NET Framework, and org.owasp.esapi.Encoder.encodeForXML from ESAPI or org.apache.commons.text.StringEscapeUtils.escapeXml10 for Java is advised.

  • If the WriteRawText function of XMLWriter is used, the developer must sanitize user entries.

    • Security Scanner helps to detect this scenario with case code #128.

    • The use of System.Security.SecurityElement.Escape from .NET Framework, and org.owasp.esapi.Encoder.encodeForXML from ESAPI or org.apache.commons.text.StringEscapeUtils.escapeXml10 for Java is advised.

    • Use the ValidationType property to validate the XML format.

      • Security Scanner helps to detect this scenario with case code #113.

  • Sanitize user entries if they are concatenated into a JSON and loaded using the FromJson function.

    • Security Scanner helps to detect this scenario with case code #127.

    • The use of System.Web.Script.Serialization.JavaScriptSerializer.Serialize from .NET Framework or org.owasp.esapi.Encoder.encodeForJavaScript from ESAPI for Java is advised.

  • Security Scanner - Detections:

    • Checking use of the SDT.FromXml() method (#126), the SDT.FromJson() method (#127), the SDT.FromXmlFile() method (#134) and the SDT.FromJsonFile() method (#135).
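The three "sanitize user entries" items above describe the same defect: a raw user value is concatenated into XML or JSON text that is then deserialized, so the value can change the structure of the document instead of staying a piece of text. The Java program below is an added example, not GeneXus code, that puts the concatenating version next to the escaped version for a hypothetical SDT with a single Name field; it uses org.apache.commons.text.StringEscapeUtils, which the page recommends for Java, and assumes Apache Commons Text is on the classpath. The user entries are constructed for the demonstration. The XML side is parsed with a DocumentBuilder hardened against DTD processing so that the number of Name elements the parser actually produces can be compared.

```java
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import org.apache.commons.text.StringEscapeUtils;
import org.w3c.dom.Document;

public class SdtInputEscaping {

    // Vulnerable pattern: the raw entry is concatenated into the XML (what Security Scanner #126/#128 flags).
    static String customerXmlUnsafe(String name) {
        return "<Customer><Name>" + name + "</Name></Customer>";
    }

    // Hardened pattern: the entry is escaped first, so '<', '>', '&' and quotes can only be character data.
    static String customerXmlSafe(String name) {
        return "<Customer><Name>" + StringEscapeUtils.escapeXml10(name) + "</Name></Customer>";
    }

    // Vulnerable pattern for JSON (Security Scanner #127): the entry is pasted inside a string literal.
    static String customerJsonUnsafe(String name) {
        return "{\"Name\":\"" + name + "\"}";
    }

    // Hardened pattern: escapeJson turns '"' into '\"' and control characters into \uXXXX escapes.
    static String customerJsonSafe(String name) {
        return "{\"Name\":\"" + StringEscapeUtils.escapeJson(name) + "\"}";
    }

    // Parses the XML with DTDs and XInclude disabled and reports how many <Name> elements resulted.
    static int countNameElements(String xml) throws Exception {
        DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
        factory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        factory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        factory.setXIncludeAware(false);
        factory.setExpandEntityReferences(false);
        DocumentBuilder builder = factory.newDocumentBuilder();
        Document doc = builder.parse(new ByteArrayInputStream(xml.getBytes(StandardCharsets.UTF_8)));
        return doc.getElementsByTagName("Name").getLength();
    }

    public static void main(String[] args) throws Exception {
        // Constructed entry that closes the Name element and opens a second one.
        String hostileXmlEntry = "Alice</Name><Name>Mallory";
        System.out.println("unescaped XML, Name elements: " + countNameElements(customerXmlUnsafe(hostileXmlEntry))); // 2
        System.out.println("escaped XML, Name elements:   " + countNameElements(customerXmlSafe(hostileXmlEntry)));   // 1

        // Constructed entry that terminates the string literal and appends an extra key.
        String hostileJsonEntry = "Alice\",\"IsAdmin\":true,\"X\":\"";
        System.out.println("unescaped JSON: " + customerJsonUnsafe(hostileJsonEntry)); // extra IsAdmin key appears
        System.out.println("escaped JSON:   " + customerJsonSafe(hostileJsonEntry));   // whole entry stays one string
    }
}
```

The escaped variants are what the recommended .NET and ESAPI functions achieve as well; the essential point is that escaping happens at the moment the value is placed into the XML or JSON text, before FromXml, FromJson or WriteRawText ever sees it. Where the XML is read back through XMLReader, the ValidationType property adds a second, independent check that the document matches the expected schema.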

Availability

Since GeneXus 18 Upgrade 1.

Last update: April 2024 | © GeneXus. All rights reserved.