TSU-05: Insecure Consumed Integrations

TSU-05: Insecure consumption of integrations

TSU-05 concerns security issues that arise when microflows invoke external systems (APIs) over SOAP, REST, or OData. In Mendix, such external services are often used to process user data or data about users, and that data is transmitted either in the URL or in the body of the HTTP request.

Consequences of insecure user input

Vulnerabilities arise when user input is used in an insecure way to construct such a URL or request. This can lead to:

  • Unauthorized access to backend API functionality
  • Manipulation or abuse of data through injection (for example via path traversal)
  • Attacks in which the application itself accesses other systems, such as in Server-Side Request Forgery (SSRF)

Best practices for secure API integrations in Mendix microflows

When a microflow invokes an external web service, you must properly secure both the construction of the URL and the content of the request. Ensure that the involved microflow or the back-end system verifies whether the user is authorized to use the selected web service.

These best practices help with that:

1. Secure construction of URLs and paths

  • Do not use user-modifiable attributes for the hostname of a URL (up to and including the first / in the path).
    → Use fixed values, such as Mendix constants.
  • Avoid constructing backend URL paths using user input.
  • If a user-specific value must be included in the URL (e.g. a user ID):
    • ensure that the user cannot modify this attribute themselves
    • do not generate the attribute based on user input
  • Always use urlEncode() when attributes are part of a URL (path or query) to prevent path traversal and parameter injection

2. Handling user-supplied URLs (e.g. webhooks)

  • If you must accept user-supplied URLs:
    • ensure that the request does not contain passwords or other sensitive data
    • do not expose HTTP responses or error messages directly to the user

3. Protection against Server-Side Request Forgery (SSRF)

  • If you want to block traffic to internal services (e.g. via a whitelist or blacklist):
    • take into account that the Mendix REST client automatically follows redirects
    • consider using a different HTTP client in which redirects are explicitly disabled

4. Secure construction of request bodies

  • Never construct JSON or XML requests using string concatenation
    • REST → always use Export Mappings
    • SOAP → use Export Mappings or Simple Expressions
  • For form-encoded request bodies (a=b&c=d):
    • ensure that every value is properly encoded (e.g. using urlEncode())

5. Authentication and authorization

  • If the backend API supports it:
    • use authentication on the backend API so that the backend itself can restrict access to only the permissions of the end user
  • If that is not possible:
    • implement explicit authorization checks in the microflow (for example, to prevent Insecure Direct Object References)

Vulnerabilities within TSU-05

The following vulnerabilities commonly occur within this category:

  • Manipulation of API calls via path traversal
  • Manipulation through parameter injection
  • XML injection
  • JSON injection
  • Unauthorized access to data via Insecure Direct Object Reference
  • Unintended leakage of sensitive data via Server-Side Request Forgery
  • Unauthorized access to internal systems via Server-Side Request Forgery

Train your Mendix security skills

Want to recognize and prevent vulnerabilities in Mendix at an early stage? Explore our updated Mendix security trainings based on The S-Unit Top 10.

Integrate The S-Unit Top 10 into your CI/CD pipeline.

Want to know how your Mendix application scores against The S-Unit Top 10? In collaboration with Omnext, we have developed a Mendix-specific SAST solution that continuously and automatically scans for vulnerabilities. By integrating The S-Unit Top 10 into the CI/CD pipeline, risks are identified early and made immediately visible. Learn more about our collaboration with Omnext and the Mendix-specific SAST module.