OutSystems Security: Feedback App is extremely vulnerable.
For those of you who don't want to read the entire article and still want to stay safe, I have a question: Is the Feedback App active in your OutSystems application?
If your answer is "YES", disable it right now and your application will be safe. If you want to understand why I disabled the feedback app in OutSystems applications, read the article to the end.
PS: If you are a technical leader or technical manager, you cannot ignore this report.
Start date: August 7, 2024
When you activate the default feedback option in the OutSystems environment and enable this tool to be used in your applications, you will soon notice this small round icon in the corner of the screens, which when clicked allows application users to write feedback about the application, often used to report bugs and other issues.
However, it is possible to send much more than just a feedback text, and we will see this later.
When the user writes feedback, a set of information is sent to the application's back office, such as: the user, the message, the location on the screen where the feedback is attached, the mouse position, the screen dimensions, and others.
This information helps the employee who will analyze the ticket to understand and visualize what the user reported.
But it is precisely these attributes that are extremely vulnerable and can be manipulated to inject arbitrary code by malicious users or hackers during a more specific attack.
And without knowing this, the employee will open the ticket to analyze it and compromise the environment. Look at the image below: if it weren't for the texts, would you be able to tell that these tickets carry malicious payloads?
You know that hacking is illegal, right? So don't be a pig-head and use your knowledge to harm businesses or people. This article is for you, the technical leader, to analyze the situation and make the decision to keep the functionality active in your OutSystems applications.
Hacking is illegal, you can go to jail!
Ok, Lucas, you're messing around and you didn't show exactly how vulnerable we are when using the feedback app...
In the following items, we will only talk about hacking and "SIMPLE" demonstrations of payloads and exploitation of the vulnerability.
Remember at the beginning of the article that I said "when the user writes feedback, a set of parameters are sent..."? So let's start with these parameters:
The image above shows the parameters that are sent when the user clicks "send feedback". Why do I consider the feedback app extremely vulnerable? Because almost all of these fields can be manipulated, which greatly increases the attack surface.
In this image above, we are injecting a simple alert showing the employee's cookies, and when the employee opens this ticket in the back office, the code is executed:
OK, you might be thinking "But Lucas, just showing the cookie isn't a vulnerability." Yes, I agree, but a hacker wouldn't just show the cookie. This "alert" code is just for us to have a visual proof of concept that it's possible to inject JavaScript code, for example. If it's possible to inject an alert in JavaScript, it's possible to inject all other JavaScript code and functions.
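To make the encoding point concrete, here is an added example that is not code from the article or from OutSystems. It shows why a feedback value turns into script when the back office builds an inline script by string concatenation, and the two encoders (JS-string context and HTML-attribute context) that keep the value as data. The function names, the rendering shape and the `SAMPLE_NODE_XPATH` constant (the decoded payload from the article's request) are assumptions for illustration; the article does not show the real back-office markup.

```javascript
// Added example, not code from the article or from OutSystems. Shows why a
// feedback field turns into script when the back office builds an inline
// <script> by concatenation, and the encoders that keep the value as data.

// Constructed sample: the decoded nodeXPath value from the article's request.
const SAMPLE_NODE_XPATH = '";alert(document.cookie);"';

// Anti-pattern (assumed rendering shape): the value is pasted straight into a
// JS string literal. The first quote closes the literal, and what follows the
// semicolon is executed as code when the reviewer opens the ticket.
function buildInlineScriptUnsafe(nodeXPath) {
  return '<script>var nodeXPath = "' + nodeXPath + '";</script>';
}

// JS-context encoder. JSON.stringify yields a valid JS string literal with the
// quotes and backslashes escaped; the extra replacements stop "</script>" or
// U+2028/U+2029 from terminating the script block or the literal.
function toJsStringLiteral(value) {
  return JSON.stringify(String(value))
    .replace(/</g, '\\u003c')
    .replace(/>/g, '\\u003e')
    .replace(/\u2028/g, '\\u2028')
    .replace(/\u2029/g, '\\u2029');
}

function buildInlineScriptSafe(nodeXPath) {
  return '<script>var nodeXPath = ' + toJsStringLiteral(nodeXPath) + ';</script>';
}

// HTML-context encoder for the case where the value is placed in markup.
function escapeHtml(value) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(value).replace(/[&<>"']/g, (c) => map[c]);
}

// Preferred layout: keep user data out of script entirely. The page reads it
// later with element.dataset.nodeXpath and assigns it to textContent, never
// to innerHTML, so no JS-context encoding is needed at all.
function buildDataAttribute(nodeXPath) {
  return '<div id="ticket" data-node-xpath="' + escapeHtml(nodeXPath) + '"></div>';
}
```

The unsafe builder reproduces the breakout the article describes: the value's leading quote ends the literal and `alert(document.cookie)` becomes a statement of its own. With `toJsStringLiteral` the same value round-trips through `JSON.parse` unchanged, and with the data-attribute layout the only encoding needed is the HTML one.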
PS: Don't forget that JS works for both the front-end and back-end, so you can imagine that a hacker would create a much more aggressive payload in a real attack.
Another example of an attack is for a hacker to redirect these cookies to an external server, thus recording the employee's information on a server controlled by the hacker.
But we can go even further and inject a code that will replace the original content of the page, so when the employee opens the ticket he will see whatever the hacker wants:
";var h1 = document.createElement("div");h1.style.zIndex="9999";h1.style.background="red";h1.style.height="100vh";h1.style.width="100vw";h1.style.position="fixed";h1.style.top="0";h1.style.fontSize="28pt";h1.textContent="You have been hacked!";document.body.appendChild(h1);"
Since we are talking about injecting JavaScript, there are countless payloads that could be embedded, leaving a huge door open to attack. And since more than one parameter is vulnerable, several pieces of code introduced through several parameters can be concatenated.
mouseX=1026&mouseY=404&geomW=1667&geomH=849&nodeType=1&nodeId=__feedback_element__&nodePosTop=171.5&nodePosRight=1051&nodePosBottom=677.5&nodePosLeft=616&nodeXPath=%22%3b%61%6c%65%72%74%28%64%6f%63%75%6d%65%6e%74%2e%63%6f%6f%6b%69%65%29%3b%22&
In this code example above we are using only one parameter to inject code, but the others also allow us to do the same.
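The request above names every parameter and shows what each should look like, which is what a back office needs for a schema check before storing a ticket. The following added example (not code from the article or from OutSystems) parses the quoted request, checks each field against its expected shape, and returns the fields that fail, so a ticket can be rejected on submission or flagged for review in a scan of already-stored tickets. The `SCHEMA` and the permitted XPath subset are assumptions derived from the parameter names; `SAMPLE_BODY` is the article's request without the trailing `&`.

```javascript
// Added example, not code from the article or from OutSystems: a schema check
// for the feedback request parameters. Fields that fail are returned so the
// ticket can be rejected, or flagged for review if it was already stored.

// Constructed sample: the request body quoted in the article. nodeXPath carries
// the URL-encoded value of ";alert(document.cookie);".
const SAMPLE_BODY =
  'mouseX=1026&mouseY=404&geomW=1667&geomH=849&nodeType=1&nodeId=__feedback_element__' +
  '&nodePosTop=171.5&nodePosRight=1051&nodePosBottom=677.5&nodePosLeft=616' +
  '&nodeXPath=%22%3b%61%6c%65%72%74%28%64%6f%63%75%6d%65%6e%74%2e%63%6f%6f%6b%69%65%29%3b%22';

// Expected shape of each field (assumed from the parameter names).
const SCHEMA = {
  mouseX: 'number', mouseY: 'number', geomW: 'number', geomH: 'number',
  nodePosTop: 'number', nodePosRight: 'number',
  nodePosBottom: 'number', nodePosLeft: 'number',
  nodeType: 'number',
  nodeId: 'identifier',   // letters, digits, underscore, hyphen
  nodeXPath: 'xpath',     // conservative subset, see PATTERNS.xpath
};

const PATTERNS = {
  number: /^-?\d+(\.\d+)?$/,
  identifier: /^[A-Za-z0-9_-]{1,128}$/,
  // Steps such as /html/body/div[2] or //span[@id='main']. No double quotes,
  // semicolons, angle brackets or parentheses can pass this pattern.
  xpath: /^(\/{1,2}[A-Za-z][\w-]*(\[(\d+|@[\w-]+='[\w -]*')\])?)+$/,
};

// URLSearchParams decodes the %xx sequences, so the check runs on the value
// the back office would actually store and render.
function parseBody(body) {
  return Object.fromEntries(new URLSearchParams(body).entries());
}

// Returns a list of { name, value, reason }; an empty list means every field
// has the expected shape. Unknown fields are reported too.
function validateFeedback(params) {
  const findings = [];
  for (const [name, kind] of Object.entries(SCHEMA)) {
    const value = params[name];
    if (value === undefined) {
      findings.push({ name, value, reason: 'missing' });
    } else if (!PATTERNS[kind].test(value)) {
      findings.push({ name, value, reason: 'not a valid ' + kind });
    }
  }
  for (const name of Object.keys(params)) {
    if (!(name in SCHEMA)) {
      findings.push({ name, value: params[name], reason: 'unexpected field' });
    }
  }
  return findings;
}
```

Run against the article's request, only `nodeXPath` fails, with the decoded payload as its value; replacing it with a plain path such as `/html/body/div[2]` yields no findings. Because the numeric fields are matched against a strict number pattern, the same check also catches code placed in `mouseX` or any of the other coordinate parameters the article lists as manipulable.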
Now you must be thinking... "Ok Lucas, but isn't this executed at the iframe level, and by default doesn't the iframe block some malicious attack actions?" And the answer is "yes", BUT....
Since several parameters are vulnerable, some of them are rendered at the iframe level and others in the main content. So if the attack does not gain privileges because it is executed inside the iframe, just use one of the parameters that render at the main content level.
Summary
The "feedback app" is a wonderful tool for collecting user feedback on our OutSystems applications, but it is extremely vulnerable to attacks, with more than 5 vulnerable parameters in the request, and 5 parameters is a lot.
Since the goal of this security article is to report security breaches so that we can protect our applications and customers, I used basic examples just to show the concept of injecting arbitrary code through the "app feedback" application.
Solution
Before writing the article, I had already notified OutSystems, who are working on the solution, but in the meantime, I recommend disabling the feedback function of the applications and waiting for the component to be updated.
Drama
Imagine that you have one or several applications online with the feedback tool active: how exposed are you?! All it takes is for the hacker to discover just one of the applications, and the attack begins to be elaborated and targeted, with enormous damaging potential.
Conclusion
If you have read the article up to this point, it means that you like to stay safe and informed. If you could write in the comments:
Did you already know about this vulnerability?
Now that you know, have you disabled or kept the feedback tool active in your applications?
If the previous answer is "yes", could you share the reason?
Do you want to talk with me? Visit Soares Corp, I am one of the mentors at OutSystems and I would love to talk to you about security, help with your questions and exchange experiences.
Hug,
Lucas Soares
Here are some other articles where I talk about security in OutSystems:
Other sources I used to create this topic:
#outsystems #soarescorp #lucassoares #vulnerability #xss #htmli #corsmissconfiguration #ethicalhacking #ethical #hacking #security #securityresearch
OutSystems MVP & Hacker | Autodidact.