Server Response showing Data Fields

0
Hi Mendix Community,

Recently, we had a security audit on our existing application servers. This has to do with the HTTP request from the client system to the Mendix Server (Mendix Server Console). Once the request is submitted, the response string shows all the fields and values of the request object. Can we change some security settings in Mendix to avoid the data being visible in the response action?

Please find the request and response contents:

----------------------------------------------------------------------------------------------------------------------
Request
----------------------------------------------------------------------------------------------------------------------
POST /xas/ HTTP/1.1
Host: citiclosing.digitalrisk.com
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.12; rv:57.0) Gecko/20100101 Firefox/57.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: https://citiclosing.digitalrisk.com/index3.html
X-Mx-ReqToken: 219e4602d6092e0
X-Csrf-Token: 28d28097-9685-4315-a3e2-6009122052b6
Content-Type: application/json
X-Requested-With: XMLHttpRequest
Content-Length: 162
Cookie: AlteonP=AC27BJsBEKx3feQBvRfYTg$$; AlteonP=AO23RJsBEKyH+aBmhKqUAg$$; XASSESSIONID=6d2027a8-a679-4883-89a9-0db00bfcceb3; xasid=0.43089efc-c188-423c-ac0cdd19e7c55ead; DeviceType=Desktop; Hybrid=false; originURI=/
DNT: 1
Connection: close

{"action":"retrieve_by_xpath","params":{"xpath":"//System.User","schema":{},"count":false,"aggregates":false},"context":[],"profiledata":{"219e4601fd29d40":2196}}

----------------------------------------------------------------------------------------------------------------------
Response
----------------------------------------------------------------------------------------------------------------------
objectType" : Administration.Account,
"guid" : 30117822508040195,
"attributes" : {
  "LoanFilterFlag" : { "value" : false },
  "EmailSignature" : { "value" : },
  "WebServiceUser" : { "value" : false, "readonly" : true },
  "Review_Type_CM" : { "value" : },
  "Name" : { "value" : varcher },
  "Refresh" : { "value" : 0 },
  "AltContactPhone" : { "value" : },
  "HRActive" : { "value" : true },
  "HireDate" : { "value" : 1245542400000 },
  "QcReviewView" : { "value" : false },
  "FilterFlag" : { "value" : false },
  "QCRate" : { "value" : 0.2 },
  "DoNotUpdateWave" : { "value" : false },
  "NewPassword" : { "value" : },
  "homedepartment" : { "value" : FNMA PL },
  "FirstName" : { "value" : Vicki },
  "Title" : { "value" : Senior Loan Review Analyst },
  "NewMessages" : { "value" : true },
  "OldPassword" : { "value" : },
  "AltContactEmail" : { "value" : },
  "ConfirmPassword" : { "value" : },
  "IsManager" : { "value" : false },
  "HRInactiveDate" : { "value" : },
  "Active" : { "value" : true },
  "FullName" : { "value" : Vicki Archer },
  "LastLogin" : { "value" : , "readonly" : true },
  "IsAnonymous" : { "value" : false, "readonly" : true },
  "LastName" : { "value" : Archer },
  "EmployeeID" : { "value" : 1005 },
  "Blocked" : { "value" : false },
  "Administration.Account_SelectedUserRole" : { "value" : },
  "Administration.Account_Selection" : { "value" : },
  "Administration.Account_Entity" : { "value" : 35465847065542657 },
  "Administration.Account_Manager" : { "value" : 30117822508040299 },
  "Administration.Account_SelectedTasks" : { "value" : },
  "System.User_Language" : { "value" : },
  "Administration.Account_SelectedClient" : { "value" : },
  "Administration.Underwriter_Lead1" : { "value" : },
  "Loan.Loan_EligibleAccount" : { "value" : },
  "Administration.Account_Branch" : { "value" : 64739244643451082 },
  "Administration.CurrentPipeline_Account" : { "value" : 6473924464345089 },
  "Administration.Account_Client" : { "value" : },
  "Administration.Message_Account" : { "value" : },
  "Administration.Account_DefaultUserRole" : { "value" : },
  "Administration.Account_StateCertifications" : { "value" : },
  "Administration.Account_Language" : { "value" : },
  "Administration.Account_GeneralCapacityConfig" : { "value" : },
  "Administration.Account_TeamLead" : { "value" : },
  "QualityControl.Level_Account" : { "value" : },
  "Administration.Account_SelectionQueue1" : { "value" : },
  "System.User_TimeZone" : { "value" : },
  "Administration.PredefinedRole_Account" : { "value" : },
  "EmployeeData.EmployeeStats_Account" : { "value" : },
  "System.UserRoles" : { "value" : },
  "Administration.Account_PredefinedRoleSelected" : { "value" : },
  "Administration.Account_SingleWorkingTask" : { "value" : },
  "Administration.Account_LicenseSupervisor" : { "value" : 30117822508040299 },
  "EmployeeData.EmployeeData_Account" : { "value" : },
  "Administration.Account_LoanType" : { "value" : },
  "Loan.QueueSelection_Account" : { "value" : },
  "Administration.Account_DefaultClient" : { "value" : }
asked
2 answers
3

The response does not show all values, but at most those values to which a user has access according to the configured entity access. As long as you configure your entity access correctly (i.e. disable read rights to attributes to which a role should not have access) there is no security issue.

answered
1

As for security in Mendix you always MUST set entity access for all your entities properly.

If a user has read access on a persistent object/attribute he can ALWAYS access these attributes, even if you don't build any pages that show these objects.

answered
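Both answers say the same thing: the runtime returns every attribute the current role has read access to, and pages play no part. A way to verify that claim during an audit is to parse what /xas/ actually returns and diff it against the attributes a role is meant to see. The script below is an added example, not code from the forum or from Mendix; the deny list is constructed from the attribute names in the question, and the wrapper key of the retrieve response (`objects` or `mxobjects`, varying by Mendix version) is an assumption, so both are accepted.

```python
import json
from collections import defaultdict

# Attributes an ordinary role should not be able to read. Constructed for this
# example from the names in the forum post; replace with the project's own policy.
DENY_BY_TYPE = {
    "Administration.Account": {
        "NewPassword", "OldPassword", "ConfirmPassword",
        "HireDate", "HRActive", "HRInactiveDate", "EmployeeID", "QCRate",
    },
}

def parse_xas_objects(response_text):
    """Parse a retrieve response body into (objectType, guid, {attr: value}) tuples.

    Assumption: the body is either {"objects": [...]}, {"mxobjects": [...]}
    or a single object dict shaped like the one pasted in the question.
    """
    data = json.loads(response_text)
    objects = data.get("objects") or data.get("mxobjects")
    if objects is None:
        objects = [data]
    parsed = []
    for obj in objects:
        attrs = {name: meta.get("value")
                 for name, meta in obj.get("attributes", {}).items()}
        parsed.append((obj.get("objectType"), obj.get("guid"), attrs))
    return parsed

def find_overexposed(response_text, deny_by_type=DENY_BY_TYPE):
    """Return {objectType: sorted denied attributes the runtime returned}.

    An empty dict means entity access hides everything on the deny list
    for the role whose session produced the response.
    """
    leaks = defaultdict(set)
    for obj_type, _guid, attrs in parse_xas_objects(response_text):
        denied = deny_by_type.get(obj_type, set())
        leaks[obj_type].update(a for a in attrs if a in denied)
    return {t: sorted(a) for t, a in leaks.items() if a}

# Constructed sample modelled on the response in the question (shortened).
SAMPLE_RESPONSE = json.dumps({"objects": [{
    "objectType": "Administration.Account",
    "guid": "30117822508040195",
    "attributes": {
        "FullName": {"value": "Example User"},
        "NewPassword": {"value": ""},
        "HireDate": {"value": 1245542400000},
        "IsAnonymous": {"value": False, "readonly": True},
    }}]})

if __name__ == "__main__":
    print(find_overexposed(SAMPLE_RESPONSE))
```

Run it against a response captured from a session logged in as each role; any non-empty result names attributes whose entity access still grants that role read rights.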