OutSystems Security: How did a demo user gain access to the backoffice?

Lucas Soares

Published in ITNEXT

4 min read · May 7, 2024


Imagine the following situation: someone accessed the backoffice application and made harmful changes to its settings. Then support started receiving several calls from customers and users reporting problems and incorrect data in their accounts.

Just from this introduction, do you already know what happened?

Well, if you develop client applications that share the same user provider (Users) and protect their screens with only the “Registered” role, this could happen to you.

This is a session misconfiguration, classified as “A01: Broken Access Control” in the OWASP Top 10. This wrong configuration allows any user authenticated in one of your applications, demo user or not, to access every other application on your site that shares the same session and the same role.

Hacking is illegal, you can go to jail!

One question, do you have these applications in your environment?

If the answer is yes, a hacker could use them to bypass your application’s authentication whenever the developer built that application using only the “Registered” role.

This happens because these two template modules have a login screen, which in turn allows authentication as a demo user:

So now imagine that the hacker is trying to access an application but has no user to authenticate with, which naturally means that he cannot get past the login screen, even if he knows the names of the screens in your application.


However, after logging in with the demo user (“Continue as Andrea McKenzie”), he is authenticated, and all he needs to do is go back to the target application and view the content that was previously blocked.

Remember, exploiting this vulnerability is only possible because the developer did not create any specific role when building the application, keeping the default role, which is automatically shared with all registered users.

But Lucas, so how can you protect yourself from this?

When building your application in OutSystems, create specific roles to access the pages, don’t just use the “registered” role.

This way, even if the hacker uses a demo user, he will not be able to access the target application’s pages, because the authenticated user will not have the role required to access them.
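The following is an added Python example, not OutSystems code and not from the original post, that models the access check described above: a shared user provider where “Registered” is granted implicitly to every authenticated user, while a specific role (the constructed name “BackofficeAdmin”) must be granted explicitly. Session ids, user names and role names are constructed for illustration.

```python
# Added example: models the Registered-only misconfiguration and its fix.
# Not OutSystems code; every identifier here is constructed for illustration.
from dataclasses import dataclass, field

REGISTERED = "Registered"  # granted implicitly to every authenticated user


@dataclass
class User:
    name: str
    roles: set = field(default_factory=set)  # explicitly granted roles only


class UserProvider:
    """Shared user provider: a session is valid in every app that uses it."""

    def __init__(self):
        self.sessions = {}  # session_id -> User

    def login(self, user: User) -> str:
        session_id = f"sess-{user.name}"  # constructed; real ids are random
        self.sessions[session_id] = user
        return session_id

    def has_role(self, session_id, role: str) -> bool:
        user = self.sessions.get(session_id)
        if user is None:
            return False  # anonymous: fails every role check
        if role == REGISTERED:
            return True  # any authenticated user passes the Registered check
        return role in user.roles  # specific roles must be granted explicitly


def can_open_screen(provider: UserProvider, session_id, required_role: str) -> bool:
    """Screen-level check: the session must carry the role the screen requires."""
    return provider.has_role(session_id, required_role)


provider = UserProvider()
demo_session = provider.login(User("Andrea McKenzie"))  # template demo user
admin_session = provider.login(User("ops.admin", {"BackofficeAdmin"}))

# Backoffice screen protected only with Registered: the demo user gets in.
weak_result = can_open_screen(provider, demo_session, REGISTERED)
# Same screen protected with a specific role: the demo user is blocked,
# while a user who was explicitly granted the role still gets in.
fixed_demo = can_open_screen(provider, demo_session, "BackofficeAdmin")
fixed_admin = can_open_screen(provider, admin_session, "BackofficeAdmin")
anonymous = can_open_screen(provider, None, REGISTERED)
```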

The OutSystems Scan tool will help you find this and other security flaws in your OutSystems applications.


In the coming weeks I will include this and other scanning and exploit features in the OutSystems Scan security tool, which you can download here.

OutSystems Scan

Don’t play with the security of your application: this vulnerability is number 1 on the OWASP Top 10 list.

Do you want to talk with me? Visit Soares Corp, I am one of the mentors at OutSystems and I would love to talk to you about security, help with your questions and exchange experiences.

https://soarescorp.com/

Hug,

Lucas Soares

Other sources I used to create this topic:

https://soarescorp.com/
