OutSystems Security: Have you heard of “OutSystems Drive”?

Lucas Soares
Published in ITNEXT
7 min read · Apr 23, 2024


Do you know Google Drive? What about iCloud Drive? Or OneDrive?

But I’m sure you didn’t know about OutSystems Drive!

Before we begin, it is important to state that this vulnerability was reported to the component developer, then to OutSystems' internal development team at the beginning of (in my last email I also described how the fix should be made), and finally reported again on 4/4/2024, in a detailed report with a POC, to OutSystems' private hacking program (which closed the report stating that it is not a vulnerability).

If you want a more immersive read, I recommend playing the soundtrack: https://youtu.be/_tUBCmGBO3A?feature=shared&t=4572

After all, is an attacker being able to store por.n!#$!&# or any other file in your application's database without you knowing, without needing authentication, and with a URL to share it, a vulnerability or just informational?

Hacking is illegal, you can go to jail!

I know, the title is meant to draw your attention; after all, the vulnerability was in the CKEditor Forge component and NOT IN OUTSYSTEMS itself, but with 4,600+ downloads it means that many projects may be vulnerable right now.

Now let’s talk about Hacking…

Imagine that you are working normally and notice that the environment has become extremely slow; the infrastructure team opens LifeTime to understand what happened, and this is what they see:

100GB USED of 100GB available!!!

That's right, something is consuming all the database space you have available; somehow someone discovered that it is possible to store any file in the database through a highly exposed API: without authentication, without validation, without any layer of security.

Yes, you are under a severe attack, one that can cause instability or total unavailability of the environment because of the volume of data arriving with each passing minute.

But Lucas, I have this version (1.0.10) of the component installed in my production environment; what risks am I running?

In the next paragraphs we will look at at least 3 possible attack vectors using the unprotected upload API.

Unauthorized uploading of any file extension.

What would your reaction be on learning that someone, without authentication, can store anything in your environment, from malware to porn#$@#!%#, without any authorization or permission from you, and with nothing recorded that would let you trace who did it?

Social engineering through a trusted URL.

After storing the malware, the attacker receives a link on your own domain (e.g. https://yourdomain.com/file=1234567). That URL can then be used in emails to employees of the target company: an employee who trusts the domain clicks the link and downloads the malware onto a computer connected to the company's network, compromising it from the inside.

THE MOST SEVERE OF ALL: CAUSING INSTABILITY OR TOTAL UNAVAILABILITY OF THE ENVIRONMENT.

In the previous items we saw that the API does not require authentication, does not validate file extensions or content, and has no protection against automated, repeated requests (brute force).

With this, the attacker can build an automation that sends a batch of binary files every X minutes, as in the example below:

The automation above is the POC of the severe attack: it sends 10 binary files of roughly 127MB each, once every minute.

That adds up to about 1GB of new data for every minute that passes, until the target environment begins to show signs of instability:

At that point applications slow down, error messages start being shown to users who are browsing, and eventually the environment becomes completely unavailable:
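The flood pattern described above (a batch of ~127MB files, roughly 1GB per minute from a single client) is also easy to spot in web-server access logs if you watch bytes per source IP inside a sliding window rather than request counts alone. The following Python is an added example, not code from this article or from the component; its log format, the endpoint path /upload and the alert threshold are assumptions, and the log lines are constructed to mirror the attack next to a normal editor user.

```python
"""Spotting the upload flood described above from access-log lines: an
added illustration, not from the original article.

The log format (ISO-8601 time, client IP, method, path, status, request
bytes), the endpoint path /upload and the alert threshold are assumptions;
the sample lines are constructed. One client posting ~127 MiB every few
seconds trips the per-IP byte budget, a normal editor user does not.
"""
from collections import defaultdict, deque
from datetime import datetime

WINDOW_SECONDS = 60
BYTES_PER_WINDOW = 500 * 1024 * 1024   # assumed: 500 MiB per IP per minute
UPLOAD_PATH = "/upload"                # assumed endpoint path

MB127 = 127 * 1024 * 1024              # 133169152 bytes, the payload size in the article
SAMPLE_LOG = f"""\
2024-04-16T10:00:00Z 192.0.2.10 POST /upload 201 245760
2024-04-16T10:00:02Z 192.0.2.10 GET /home 200 0
2024-04-16T10:00:03Z 198.51.100.7 POST /upload 201 {MB127}
2024-04-16T10:00:09Z 198.51.100.7 POST /upload 201 {MB127}
2024-04-16T10:00:15Z 198.51.100.7 POST /upload 201 {MB127}
2024-04-16T10:00:21Z 198.51.100.7 POST /upload 201 {MB127}
2024-04-16T10:00:27Z 198.51.100.7 POST /upload 201 {MB127}
2024-04-16T10:00:30Z 192.0.2.10 POST /upload 201 81920
2024-04-16T10:00:33Z 198.51.100.7 POST /upload 201 {MB127}
"""


def parse_line(line):
    """Split one constructed access-log line into a dict."""
    ts, ip, method, path, status, size = line.split()
    return {
        "ts": datetime.fromisoformat(ts.replace("Z", "+00:00")),
        "ip": ip, "method": method, "path": path,
        "status": int(status), "bytes": int(size),
    }


def find_upload_floods(lines):
    """Return {ip: (time_of_first_alert, bytes_in_window_at_that_moment)}.

    Keeps a sliding window of (timestamp, bytes) per IP for successful
    POSTs to the upload path and raises one alert per IP the moment the
    window total exceeds BYTES_PER_WINDOW.
    """
    window = defaultdict(deque)   # ip -> deque of (timestamp, bytes)
    in_window = defaultdict(int)  # ip -> running byte total of that deque
    alerts = {}
    for raw in lines:
        raw = raw.strip()
        if not raw:
            continue
        ev = parse_line(raw)
        if ev["method"] != "POST" or ev["path"] != UPLOAD_PATH or ev["status"] >= 400:
            continue
        q = window[ev["ip"]]
        q.append((ev["ts"], ev["bytes"]))
        in_window[ev["ip"]] += ev["bytes"]
        # Evict uploads older than the window before judging the total.
        while (ev["ts"] - q[0][0]).total_seconds() > WINDOW_SECONDS:
            _, old = q.popleft()
            in_window[ev["ip"]] -= old
        if in_window[ev["ip"]] > BYTES_PER_WINDOW and ev["ip"] not in alerts:
            alerts[ev["ip"]] = (ev["ts"], in_window[ev["ip"]])
    return alerts


if __name__ == "__main__":
    for ip, (when, total) in find_upload_floods(SAMPLE_LOG.splitlines()).items():
        print(f"{when.isoformat()} upload flood from {ip}: "
              f"{total / 2**20:.0f} MiB in {WINDOW_SECONDS}s")
```

On the constructed sample the attacker trips the 500 MiB budget on its fourth upload (at 10:00:21), while the legitimate user, who uploads a few hundred kilobytes, never comes close. A byte-based budget catches this attack even when the attacker keeps the request rate modest; pair it with a request-count rule if you also want to catch many small files.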

Summary

As a security researcher (ethical hacker) passionate about OutSystems, I think it is important to write this article so that you, technical leader or OS developer, become aware of the exposure of this API and can guide your client or project in the best way. Even though the security report was closed as "informational", I consider it a vulnerability with severe consequences for projects in production environments that expose this API.

Security Report Submission Scope

03/04/2024 — Discovery of vulnerability

03/06/2024 — First message sent to the component developer.

03/19/2024 — First message sent to the OutSystems internal development team.

03/27/2024 — E-mail with a suggestion to correct the vulnerability sent to OutSystems’ internal development team (no response until 04/22).

04/04/2024 — Submission of security report to OutSystems private hacking program.

04/15/2024 — First response / triage (report not considered a vulnerability, "just a simple file upload API").

04/16/2024 — Submission of a POC with a more severe attack vector (same as described in this article).

04/18/2024 — Report closed by H1 (HackerOne) as informational only, not a vulnerability.

04/21/2024 — Writing of this article, so that OS professionals become aware of the exposure and decide for themselves whether it is informational or a vulnerability.

04/22/2024 — Contact from the OutSystems internal development team informing me of the correction and update of the component.

Lucas, how do I know if my environment is exposed to this vulnerability?

Basically there are 2 ways: scanning the application with the OutSystems Scan tool, available on GitHub by clicking here;

or checking whether the component installed from Forge is version 1.0.10, which is the vulnerable one.

Why is this a vulnerability and not informative?

OWASP Web Application Security Risks

The OWASP® Foundation works to improve the security of software through its community-led open source software projects, hundreds of chapters worldwide, tens of thousands of members, and by hosting local and global conferences.

A01 — Broken Access Control

The API endpoint gives access to the upload system without any authentication or permission check.

A03 — Injection

The API lets anyone upload a file of any extension and any content, with no restriction, into the target environment, and that attacker-controlled content is then served back from the application's own domain. (Strictly speaking, OWASP catalogues unrestricted file upload, CWE-434, under A04 Insecure Design rather than Injection; the practical impact is the same.)

A07 — Identification and Authentication Failures

There is no authentication and no protection against automated or brute-force submissions, which makes it possible to script the uploads and cause denial of service in the target environment.

How to protect your environment from this exposure?

OutSystems' internal development team informed me (today, 22/04) that they are already publishing the corrected version on Forge, but if you want to build the security layer yourself, I recommend:

  1. If the text editor is only used on private screens (where the user must be authenticated), change the API to accept requests only from authenticated users.
  2. Add fields to the file tables such as the uploader's IP address, user ID, timestamps and any other audit information you consider necessary; this is what lets you identify the attacker in the scenario above.
  3. Add an anti-brute-force (rate-limiting) mechanism keyed on the request IP, preventing a client from automating the process and sending many files in a short interval.
  4. The API was designed to receive image files from CKEditor, so validate the uploaded content by its real MIME type (the file's magic bytes) in the upload flow, not by the .jpeg extension, which is trivial to spoof.
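Taken together, the four points above describe one hardened upload handler. The following Python is an added example of what that handler looks like; it is not the Forge component's own code and is not how OutSystems implements REST APIs, and its request shape, image allow-list and rate-limit numbers are assumptions chosen for the example. It also adds a per-file size cap, which the list above does not mention: the same flood still works against an authenticated endpoint if every accepted request may carry 127MB.

```python
"""Hardened image-upload handler: an added illustration, not the Forge
component's own code.

It models the four controls recommended above for a CKEditor-style upload
endpoint: (1) authenticated caller only, (2) audit fields persisted with the
file, (3) per-IP rate limiting, (4) content validation by magic bytes rather
than by file extension. Request and response shapes (plain dicts and
(status, detail) tuples), the size cap and the rate-limit numbers are all
assumptions chosen for the example.
"""
import time
from collections import defaultdict, deque

# Allow-list of image signatures CKEditor is expected to send (assumed).
IMAGE_SIGNATURES = {
    b"\xff\xd8\xff": "image/jpeg",
    b"\x89PNG\r\n\x1a\n": "image/png",
    b"GIF87a": "image/gif",
    b"GIF89a": "image/gif",
}
MAX_BYTES = 5 * 1024 * 1024   # assumed per-file cap; no more 127 MB uploads
RATE_LIMIT = 5                # assumed: attempts per source IP per window
RATE_WINDOW_SECONDS = 60


def sniff_image_type(data):
    """MIME type implied by the leading bytes, or None if not an allowed image."""
    for signature, mime in IMAGE_SIGNATURES.items():
        if data.startswith(signature):
            return mime
    return None


class UploadService:
    def __init__(self, clock=time.monotonic):
        self._clock = clock                 # injectable so tests can control time
        self._hits = defaultdict(deque)     # ip -> timestamps of recent attempts
        self.files = []                     # what the file table would store
        self.audit = []                     # one row per attempt, accepted or not

    def _rate_limited(self, ip):
        now = self._clock()
        recent = self._hits[ip]
        while recent and now - recent[0] > RATE_WINDOW_SECONDS:
            recent.popleft()                # drop attempts outside the window
        if len(recent) >= RATE_LIMIT:
            return True
        recent.append(now)                  # rejected attempts count too
        return False

    def _log(self, ip, user_id, filename, status, reason):
        self.audit.append({"ts": self._clock(), "ip": ip, "user_id": user_id,
                           "filename": filename, "status": status, "reason": reason})

    def upload(self, request):
        """request = {'ip', 'user_id' (None if anonymous), 'filename', 'body': bytes}.
        Returns (http_status, detail); detail is the new file id on success."""
        ip, user_id = request["ip"], request.get("user_id")
        filename, body = request["filename"], request["body"]

        if user_id is None:                                   # control 1
            self._log(ip, None, filename, 401, "unauthenticated")
            return 401, "authentication required"
        if self._rate_limited(ip):                            # control 3
            self._log(ip, user_id, filename, 429, "rate limited")
            return 429, "too many uploads from this address"
        if len(body) > MAX_BYTES:
            self._log(ip, user_id, filename, 413, "too large")
            return 413, "file too large"
        mime = sniff_image_type(body)                         # control 4
        if mime is None:
            self._log(ip, user_id, filename, 415, "content is not an allowed image")
            return 415, "unsupported media type"

        file_id = len(self.files) + 1                         # control 2
        self.files.append({"id": file_id, "owner": user_id, "ip": ip,
                           "mime": mime, "size": len(body), "ts": self._clock()})
        self._log(ip, user_id, filename, 201, mime)
        return 201, file_id


if __name__ == "__main__":
    svc = UploadService()
    png = b"\x89PNG\r\n\x1a\n" + b"\x00" * 16      # constructed PNG header
    exe_as_jpeg = b"MZ" + b"\x00" * 32                # PE header renamed to .jpeg
    print(svc.upload({"ip": "203.0.113.5", "user_id": None, "filename": "a.png", "body": png}))
    print(svc.upload({"ip": "203.0.113.5", "user_id": 7, "filename": "a.jpeg", "body": exe_as_jpeg}))
    print(svc.upload({"ip": "203.0.113.5", "user_id": 7, "filename": "a.png", "body": png}))
```

Two design choices worth copying: rejected attempts are counted against the rate limit, so an attacker probing with bad content is throttled just like one sending valid images; and every attempt, accepted or not, leaves an audit row with the source IP and user, which is exactly the information the article says the original component never recorded.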

Do you want to talk with me? Visit Soares Corp; I am one of the mentors at OutSystems and I would love to talk to you about security, help with your questions and exchange experiences, because together we build safer applications and a more prepared community.

https://soarescorp.com/

Hug,

Lucas Soares
