OutSystems Security: How did the user bypass my form validations?
This article will be divided into 2 parts:
You must be wondering: "How crazy is this, Lucas? You said front end twice. Is there a way to do two validations just on the front end?"
Yes, my friend, there is. Imagine that your application has a form with mandatory fields that the user must fill in.
Note that the first 3 fields have a red asterisk, indicating that the fields are mandatory.
In the studio I configured it as follows:
To recap: on the screen, in my form, I set the mandatory inputs to "true", and in the action that saves the information I kept the IF that validates the form.
As it stands, if the user tries to pass in blank information, this is what happens:
See, Lucas, it worked! Yes, my friend, it worked.
It was expected that it would work, but you opened this article to see how the user managed to bypass this form verification mechanism.
These steps that we configure are described and in accordance with the OutSystems documentation.
And every project with mandatory forms and fields must be configured this way. But do you remember the title? "Don't trust the front end."
The front end runs in the user's browser, which allows the user to make changes before clicking submit, such as removing the "required" attributes from the HTML or manipulating a field's value, among other tricks.
You might think: "So, in addition to these settings, in the client action I will check variable by variable, creating a double check."
Now we have:
We have hardened the validations on the client side (front-end), but the user INTERCEPTS THE REQUEST TO THE SERVER :(
At this point, the validations we carried out on the client (front-end) are not worth much: the request was intercepted while it was being sent to the server, and the user can manipulate the data being sent.
When the user has finished manipulating the data, they simply let the request continue and send whatever data they want to the server.
The "server action" that persists the data in the entity does not check whether the parameters are blank, because IT ONLY TRUSTED THE FRONT-END.
That's why it's always important to follow OutSystems' best practices and recommendations: your application must carry out validations on the client side (front-end) and also on the server side (back-end).
This guarantees the integrity of the data received. In the scenario described, the developer was only concerned with the front-end, creating the validations there and not protecting the server with the same validations.
Note: Whenever there is a field where the user can enter data, it is important that you carry out the necessary validations on the client side (front-end) and also on the server side (back-end).
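The server-side half of that rule, as an added example that is not OutSystems code (a server action is built visually in Service Studio): a plain Python save handler that decides for itself which fields are mandatory, so blank, whitespace-only, null or removed fields injected into the request after the client checks are still rejected. The form's field names and the "SaveContact" action name are assumed.

```python
# Added example: server-side re-validation of mandatory fields. The handler
# never looks at anything the browser claims about "required"; it applies its
# own list, which the user cannot edit from the browser or from a proxy.

REQUIRED_FIELDS = ("Name", "Email", "Phone")  # assumed names of the form's mandatory inputs


def is_blank(value):
    """True for a missing key, a null, or a string that is only whitespace."""
    return value is None or (isinstance(value, str) and value.strip() == "")


def validate_mandatory(payload, required=REQUIRED_FIELDS):
    """Return the names of the mandatory fields that arrived blank, in form order."""
    return [field for field in required if is_blank(payload.get(field))]


def save_contact(payload, required=REQUIRED_FIELDS):
    """Stand-in for a 'SaveContact' server action: validate first, persist only if clean."""
    errors = validate_mandatory(payload, required)
    if errors:
        # Nothing is written to the entity; the caller gets the failing fields back.
        return {"saved": False, "errors": [f"{field} is mandatory" for field in errors]}
    record = {field: payload[field].strip() for field in required}
    return {"saved": True, "record": record}


# Constructed request bodies, shaped the way an intercepting proxy would let a
# user send them once the browser-side checks have already passed.
HONEST_REQUEST = {"Name": "Ana", "Email": "ana@example.com", "Phone": "+351000000000"}
TAMPERED_BLANK = {"Name": "", "Email": "   ", "Phone": "+351000000000"}  # values emptied
TAMPERED_MISSING = {"Name": "Ana"}                                        # keys removed
TAMPERED_NULL = {"Name": "Ana", "Email": None, "Phone": None}             # nulls injected

if __name__ == "__main__":
    for label, body in (("honest", HONEST_REQUEST), ("blank", TAMPERED_BLANK),
                        ("missing", TAMPERED_MISSING), ("null", TAMPERED_NULL)):
        print(label, save_contact(body))
```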
So, are your applications protected?
Regards
Lucas Soares
Here are some other articles where I talk about security in OutSystems:
Other sources I used to create this topic: