User data visible by XAS JSON

We have recently had a pen test performed by an external company for one of our applications, and one of the advisories received was:

"More than 411 user emails, SAML requests and responses and SSO configuration were retrieved during the test by altering the XPath query in the request to the XAS API endpoint."

Does anyone know of security measures that I can put in place to prevent this, or in which area I should be looking to amend the configuration?
2 answers

Hi Talhah,


Security is often overlooked by developers. Everyone should know that access rules should be carefully applied to all entities. Although overview pages may not exist, one can access any record in the database if not restricted correctly, as revealed by the pentest. In that way, you can still do all the actions the testers did, but only have access to records you are allowed to access.


So, what to do?

  1. Close your app for anonymous users if possible, to limit the exposure of future mistakes.
  2. Check the access rules for every entity in every module: the union of applicable rules will be applied.
  3. Check if the module roles are correctly linked to user roles (not granted too many module roles).
  4. Check if user roles are correctly linked to users (not granted too many roles).

If you have any further questions or concerns, let me know!

Good luck! Johan


This sounds like you've not configured your application security properly. 


Security is a big topic, but an obvious thing to check is that individual users have XPath Constraints applied to their role that limit access to data only to that specific user. You can give admin users more powerful roles that have the ability to access other's details if necessary.


I suggest refreshing yourself with Access Rules in the Mendix documentation as it covers how to do this.


You may also want to look at the Configure Advanced Security learning path in the Mendix Academy as it covers this topic in greater depth.


Good luck!
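Both answers above make the same point: the XPath a client sends to the XAS endpoint is not what decides which records come back; the entity's access rules do, and the result is the union of every rule that applies to the user's roles, ANDed with the client's own filter. The following is an added example (not Mendix code, not from either answer) that models that evaluation in Python so the effect of an unconstrained rule versus an `[owner = '[%CurrentUser%]']` constraint can be seen on sample data. The entity `Account`, its records, the user-to-role map and the one-clause XPath grammar it parses are all constructed for illustration; only the `[%CurrentUser%]` token and the "union of applicable rules" behaviour come from the Mendix documentation.

```python
"""Added example, not Mendix code: a small model of how a runtime should
evaluate a client-supplied XPath retrieve against entity access rules.
Entity, records, roles and the one-clause XPath grammar are constructed
for illustration; only the [%CurrentUser%] token and the "union of
applicable rules" behaviour come from the Mendix docs."""
import re
from dataclasses import dataclass

# Constructed sample data: three Account records and a user -> roles map.
RECORDS = [
    {"id": "1", "owner": "alice", "email": "alice@example.com"},
    {"id": "2", "owner": "bob",   "email": "bob@example.com"},
    {"id": "3", "owner": "carol", "email": "carol@example.com"},
]
USER_ROLES = {"anonymous": ["Anonymous"], "bob": ["User"], "admin": ["Administrator"]}

# Tiny XPath subset (assumption): one clause [attr = 'value'] or [attr != 'value'].
CLAUSE_RE = re.compile(r"^\[\s*(\w+)\s*(!=|=)\s*'([^']*)'\s*\]$")
QUERY_RE = re.compile(r"^//(\w+)(\[.*\])?$")   # //Entity or //Entity[clause]

def compile_clause(xpath):
    """Turn a constraint string into a predicate (record, user) -> bool.
    An empty string means 'no constraint', as in an unconstrained access rule."""
    if not xpath:
        return lambda rec, user: True
    m = CLAUSE_RE.match(xpath.strip())
    if not m:
        raise ValueError(f"unsupported XPath clause: {xpath!r}")
    attr, op, value = m.groups()
    def pred(rec, user):
        # [%CurrentUser%] is substituted with the logged-in user at evaluation time
        wanted = user if value == "[%CurrentUser%]" else value
        return (rec.get(attr) == wanted) == (op == "=")
    return pred

@dataclass
class AccessRule:
    module_role: str
    xpath_constraint: str = ""   # "" = the rule admits every record

# Weak model: Anonymous and User both read every Account, no constraint.
WEAK_RULES = {"Account": [AccessRule("Anonymous"), AccessRule("User")]}

# Hardened model: no Anonymous rule at all; a User sees only records they own;
# only Administrator is unconstrained.
HARDENED_RULES = {"Account": [
    AccessRule("User", "[owner = '[%CurrentUser%]']"),
    AccessRule("Administrator"),
]}

def retrieve(rules, user, xpath_query):
    """Evaluate a client retrieve. The client's clause is ANDed with the
    union of the user's applicable access rules, so no change to the query
    on the client side can widen the result beyond what the rules allow."""
    m = QUERY_RE.match(xpath_query.strip())
    if not m:
        raise ValueError(f"bad query: {xpath_query!r}")
    entity, client_clause = m.group(1), m.group(2) or ""
    roles = USER_ROLES.get(user, ["Anonymous"])
    applicable = [r for r in rules.get(entity, []) if r.module_role in roles]
    if not applicable:
        return []      # no rule for any of the user's roles: entity is invisible
    rule_preds = [compile_clause(r.xpath_constraint) for r in applicable]
    client_pred = compile_clause(client_clause)
    return [rec for rec in RECORDS
            if any(p(rec, user) for p in rule_preds)   # union of the rules
            and client_pred(rec, user)]                 # then the client filter

def visible_ids(rules, user, xpath_query):
    """Ids of the records a given user gets back for a given query."""
    return [rec["id"] for rec in retrieve(rules, user, xpath_query)]

if __name__ == "__main__":
    dump = "//Account[email != '']"   # an "altered" query meant to match everything
    print(visible_ids(WEAK_RULES, "anonymous", dump))      # ['1', '2', '3']
    print(visible_ids(HARDENED_RULES, "anonymous", dump))  # []
    print(visible_ids(HARDENED_RULES, "bob", dump))        # ['2']
    print(visible_ids(HARDENED_RULES, "admin", dump))      # ['1', '2', '3']
```

The weak model is the situation the pentest describes: an unconstrained rule on a role the anonymous user holds means any query, however it is altered, returns every record. Under the hardened model the same query returns nothing for an anonymous user, only the caller's own record for a normal user, and everything only for the administrator role, which is the outcome the checklist in Johan's answer is meant to produce.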