OutSystems Security: Do you have files in the service studio resources folder?
A single piece of technical debt was enough for a developer to unintentionally expose sensitive data publicly on the internet when deploying the application to production.
In large projects we often come across the familiar Excel spreadsheets containing data that needs to be imported or even made available for download.
So far, so good; there is no problem with that. But when we decide to use the "Resources" folder with the "Deploy Action" property active, we may be letting anyone who knows the file's URL download it.
But Lucas, how would anyone know this URL? The Resources folder is only accessible through Service Studio, so to know what is there, that person would first need access to the client's environment... WRONG!
Some developers have the false feeling that certain things can only be seen through the IDE (Service Studio), such as test screens, default values in variables and others.
And with this false sense of security they end up placing files containing sensitive data in the application's Resources folder. I have seen several uses: leaving a documentation PDF there to link to later, storing Excel files that were used to update data, and others.
But enough talk; let's discuss how this technical debt allowed an attacker to access these files and, as a consequence, authenticate to the application.
Time to talk about hacking... No, that's bullshit; this time we're going to talk about OSINT.
Hacking is illegal, you can go to jail!
OSINT, in short, is a set of methods for collecting public (or private) information about your target. In a real attack, the footprinting stage is one of the first phases, and its aim is to collect as much information as possible about the target.
And this is where the OS-Scan tool comes in.
With this tool it is possible to collect information about OutSystems applications by running a single command, and one of the checks it performs on the application structure is to look at the application's Resources folder for potentially interesting files.
But of course, we are talking about the developer's technical debt and not a vulnerability, since OutSystems' own best-practice documentation (in this link) already identifies this as a mistake.
So if your application is storing files in the Resources folder incorrectly, an attacker could gain access to them.
Notice in the yellow highlight that, when analyzing this OutSystems application, the tool already identifies potentially interesting files stored incorrectly in the Resources folder.
In the example above, the attacker simply had to open, for example, a link to the file "Users_Legacy.xlsx" to potentially obtain data on some users.
Lucas, so should I stop using the resources folder?
No, of course not. OutSystems is designed to minimize security impact as much as possible, so by default, when you upload a file to Resources, its Deploy Action is disabled, which prevents the file from being viewed publicly.
However, if the developer changes the property to "Deploy to Target Directory", the file becomes publicly accessible to anyone.
The OS-Scan (OSINT OutSystems Scan) tool was designed by me for OutSystems professionals who want a quick, superficial analysis of their applications for technical debt.
The aim is that we, as OutSystems developers, design safer applications for our customers.
So the final question is: did you know it was so easy for someone to discover the public files in your Resources folder, just by having the link to your application?
Do you want to talk with me? Visit Soares Corp; I am one of the mentors at OutSystems and would love to talk to you about security, help with your questions and exchange experiences.
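As an added example (not part of this article or of the OS-Scan tool), here is a small pre-deploy audit a team can run against its own module: it reads a resource inventory and flags every resource set to "Deploy to Target Directory" whose file type or name suggests it carries data. The CSV inventory shape, the sample rows and the public URL layout https://<host>/<Module>/<resource> are assumptions, not something the article documents.

```python
"""Pre-deploy audit of an OutSystems module's Resources folder.

Added example; not the article's or OS-Scan's code. Assumptions: the
inventory is a CSV of (name, deploy action) constructed here, and a
deployed resource is served from the module's public path
https://<host>/<Module>/<resource>.
"""
import csv
import io
import re
from urllib.parse import quote

DEPLOYED = "Deploy to Target Directory"  # the setting the article warns about
DEFAULT = "Do Not Deploy"                # Service Studio default for a new resource

# File types and name fragments that should never sit in a public folder.
RISKY_EXT = re.compile(r"\.(xlsx?|csv|sql|bak|pdf|docx?|json|env|config)$", re.I)
RISKY_WORD = re.compile(r"(user|legacy|password|secret|credential|client|backup)", re.I)

# Constructed sample inventory for the demo (not a real export).
SAMPLE_INVENTORY = """name,deploy_action
logo.png,Deploy to Target Directory
Users_Legacy.xlsx,Deploy to Target Directory
Manual.pdf,Deploy to Target Directory
import_clients.csv,Do Not Deploy
"""

def public_url(env_host, module, resource):
    """Expected public URL of a deployed resource (path layout is an assumption)."""
    return f"https://{env_host}/{module}/{quote(resource)}"

def audit(inventory_csv, env_host, module):
    """Return one finding per resource that is deployed AND looks sensitive."""
    findings = []
    for row in csv.DictReader(io.StringIO(inventory_csv)):
        name, action = row["name"].strip(), row["deploy_action"].strip()
        if action != DEPLOYED:
            continue  # "Do Not Deploy": never written to the web directory
        reasons = []
        if RISKY_EXT.search(name):
            reasons.append("data-bearing file type")
        if RISKY_WORD.search(name):
            reasons.append("sensitive name")
        if reasons:
            findings.append({"resource": name, "reasons": reasons,
                             "url": public_url(env_host, module, name)})
    return findings

if __name__ == "__main__":
    for f in audit(SAMPLE_INVENTORY, "env.example.com", "HRPortal"):
        print(f"[!] {f['resource']}: {', '.join(f['reasons'])} -> {f['url']}")
```

Each reported URL is the address a reviewer should open in a private browser session before release; if the file downloads, switch the resource back to "Do Not Deploy" or move the data behind an authenticated download action.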
Hug,
Lucas Soares
Here are some other articles where I talk about security in OutSystems:
Other sources I used to create this topic: