OutSystems Scan — See if your OS app is vulnerable.

Lucas Soares · Published in ITNEXT · 6 min read · Apr 28, 2024

How I created the first public tool for security analysis in OutSystems applications.

Do you know the security articles on OutSystems that I write to help professionals and companies develop safer OS projects?

So… part of that written content is based on the results of this tool, OutSystems Scan: a simple tool that scans reactive and mobile applications for technical debt or known vulnerabilities.

But stay with me, I’ll tell you how you can also check the security of your application using OutSystems Scan.

Hacking is illegal, you can go to jail!

The beginning, Ethical Hacking vs 10 years of OutSystems

When I started to direct my security studies towards my knowledge of OutSystems, I ran into a real difficulty: if you look or search in the OS communities, people don’t talk much about security or ethical hacking, so materials and answers were almost non-existent.

So, I started writing small Python scripts to perform specific analyses in environments where I had permission to test security; each script had a single job, for example:

  1. One script checked whether there were test screens in production.
  2. Another checked the installed modules (references).
  3. One checked whether client or local variables had exposed default values.

Etc, etc….

Stop messing around Lucas, talk about the tool!

Calm down, you need some context. After all, with 10 years of experience in OutSystems, most of the OutSystems consultants I talked to about security didn’t know intermediate things, didn’t understand how a security hole in an OS app could be exploited, and so on.

So I thought: “hey, if most consultants don’t talk about security, this means they could be UNKNOWINGLY leaving a lot of technical debt in projects that will consequently become exposed vulnerabilities”, such as the CKEditor project, Froala, API Documentation, IDORs and others that you can read about in the articles I publish on security.

The birth of a new security tool to exploit OutSystems applications.

OK, now you get to the cool part, right?

Hacking is illegal, you can go to jail!

Tired of running the several snippets of Python code I had created separately to look for technical debt or vulnerabilities, I had the idea of bringing all this code together in one place.

But I still had a problem, I needed a name to call the tool in the console.

Here comes OutSystems Exploit (yes, that was the name, but I later changed it to OS-Scan).

From then on you could feel like a “hacker”: open a traditional code editor, run the tool in a black terminal and get some information out of the application.

I understand, but what does this tool do?

I originally created the OutSystems Scan tool to automate the search for technical debt or vulnerabilities, for use by an OutSystems professional who wants to design safer applications for their clients.

So, of course I’m going to say: only run it in environments where you have permission to run tests. After all, don’t be a troublemaker who only thinks about causing harm.

Generally, hackers develop their own tools, payloads and exploits, as they have the knowledge to create something that makes their work easier and gets straight to the point.

So I was excited, because now, with the tool in the pilot phase, I could make it public so that any professional passionate about OutSystems could use OS-Scan to analyze reactive and mobile projects in search of technical debt or vulnerabilities, so that they could correct them.

What can you do with OutSystems Scan?

1- Search for basic information about the application.

2- Check whether there are mobile devices using the application.

3- Return all screens that exist in the application.

And of course, if it finds test screens, it will highlight them so you can analyze them in more detail.

4- List all references (dependencies) the application uses.

5- Explore (known) vulnerabilities in some components that the project is using.

The functionality of sending payloads and exploiting vulnerabilities in components was only added recently, because it was necessary to wait for OutSystems to fix the components first, so that, ethically, if you find a vulnerable component in your application, you can update it from the Forge.

6- Search for misconfigured files in the project’s resources folder.

Well, if you leave a technical debt in the resources folder exposed, we will find out lol.

7- Return all of the application’s client variables.

8- If any client variable has a sensitive default value filled in, boom!
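Two of the checks in the list above, test screens left in the application and client variables that ship a sensitive default value, can also be done offline against your own inventory. The following Python script is an example added here; it is not OutSystems Scan’s code and it does not talk to any environment. It assumes you have exported your app’s screen names and client variables into a small dictionary (the format and the sample values below are constructed for this example, not the tool’s real input). It flags screens by recognised test/debug name tokens rather than by substring, so a screen called “Contest” is not reported as a test screen, and it only reports a client variable when its name looks sensitive and its default is non-empty, since an empty default exposes nothing.

```python
import json
import re

# Constructed sample inventory (NOT OutSystems Scan's input format): screen
# names and client variables with the default values you would see in the IDE.
SAMPLE_APP = {
    "screens": ["Home", "Login", "TestScreen1", "Debug_Users", "OrdersList", "Contest"],
    "client_variables": [
        {"name": "Theme", "default": "light"},
        {"name": "ApiToken", "default": "tok_CONSTRUCTED_EXAMPLE"},
        {"name": "ApiKey", "default": ""},
        {"name": "SessionSecret", "default": "changeme"},
        {"name": "UserId", "default": "0"},
    ],
}

# Name tokens that usually mark a screen that should not reach production.
TEST_TOKENS = {"test", "tests", "debug", "poc", "sandbox", "tmp", "temp", "demo"}
# Name tokens that suggest the variable's value should never be a shipped default,
# because a client variable's default travels with the app to the user's device.
SENSITIVE_TOKENS = {"token", "secret", "password", "passwd", "pwd", "key",
                    "credential", "credentials"}

# Splits CamelCase, snake_case and digits into word tokens: "Debug_Users" ->
# ["Debug", "Users"], "TestScreen1" -> ["Test", "Screen", "1"].
_TOKEN_RE = re.compile(r"[A-Z]+(?=[A-Z][a-z])|[A-Z]?[a-z]+|[A-Z]+|\d+")


def tokenize(name: str) -> list[str]:
    """Lower-cased word tokens of an OutSystems identifier."""
    return [t.lower() for t in _TOKEN_RE.findall(name)]


def find_test_screens(app: dict) -> list[str]:
    """Screens whose name contains a whole test/debug-style token."""
    return [s for s in app["screens"] if TEST_TOKENS & set(tokenize(s))]


def mask(value: str) -> str:
    """Keep only a short prefix so a report never re-exposes the full value."""
    return value[:3] + "*" * max(len(value) - 3, 0)


def find_sensitive_defaults(app: dict) -> list[dict]:
    """Client variables that look sensitive by name AND carry a non-empty default."""
    hits = []
    for var in app["client_variables"]:
        default = (var.get("default") or "").strip()
        if default and SENSITIVE_TOKENS & set(tokenize(var["name"])):
            hits.append({"name": var["name"], "default": mask(default)})
    return hits


def scan(app: dict) -> dict:
    """Run both checks and return a report suitable for a review ticket."""
    return {
        "test_screens": find_test_screens(app),
        "sensitive_defaults": find_sensitive_defaults(app),
    }


if __name__ == "__main__":
    print(json.dumps(scan(SAMPLE_APP), indent=2))
```

Against the constructed sample the report lists TestScreen1 and Debug_Users as test screens and ApiToken and SessionSecret as client variables with a sensitive default, while ApiKey (empty default), Theme and UserId are left alone. The token lists are a starting point; extend them with the naming conventions your own team uses.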

Where to download OutSystems Scan?

You can download it at the url: https://github.com/5O4R3S/OutSystems-Scan/ or https://soarescorp.com/

What system does it run on?

Windows / Mac / Linux / Android / Etc…

It is a tool written in Python, so any system with Python 3 installed can run it.

What application frameworks does it support?

Reactive and Mobile (not all)

What is the purpose of the tool?

It lets OutSystems professionals without much technical knowledge of security run automated tests on their own applications, or on applications their customers have authorised, in search of technical debt or vulnerabilities. Be aware that you should not run the tool against just anyone’s environment (especially because you are not anonymous).

Laziness

I don’t commit to updating the tool every day, as this is a personal side project, so in my free time I improve it and include new analyses that I discover through the security reports I send to OutSystems. But if you want, it’s a public tool, so you can contribute :)

The security of our data and applications is a serious matter, and, just like me, there are several people who are also ethical hackers and help companies improve their products. So when you find a flaw or vulnerability, be honest and report it to the product owner, and help us create an OutSystems community that is safer every day.

Do you want to talk with me? Visit Soares Corp, I am one of the mentors at OutSystems and I would love to talk to you about security, help with your questions and exchange experiences.

https://soarescorp.com/

Hug,

Lucas Soares

Other sources I used to create this topic:

https://soarescorp.com/
