The S-Unit Top 10

TSU-09: Insecure UI components

TSU-09 concerns security issues in Mendix components that are rendered or executed in the user’s (mobile) browser. Mendix uses various types of UI components that run in the browser; anything they contain can be read by the user, so they can expose sensitive data or be used to deliver malicious content. This includes, among others:

  • Pages and snippets
  • Nanoflows
  • JavaScript widgets
  • JavaScript actions
  • Constants with Expose to Client set to Yes

Mendix UI components: a treasure trove for attackers

The Mendix platform does not technically restrict access to pages; it only controls their visibility. This means that all pages and UI components are readable by attackers, even if they are not visible to regular users.

As a result, for example:

  • internal information or procedures may become visible on admin pages
  • hard-coded API keys or secrets may be leaked via nanoflows


Standard Mendix widgets automatically protect against the injection of HTML or JavaScript via user input.
This protection does not automatically apply to:

  • third-party widgets
  • custom JavaScript
  • widgets or code that explicitly render HTML

This can lead to Cross-Site Scripting (XSS) and the hijacking of user sessions.

Best practices for secure UI components

When designing pages, nanoflows, and other UI components, ensure that no sensitive information is hard-coded. If you use Marketplace or custom UI components to display user data, they must actively prevent HTML and JavaScript injection.

Follow these best practices:

1. Secure storage of sensitive information

  • If sensitive information needs to be available to specific users or pages/nanoflows, store this data in a persistent entity with strict access rules.
  • If sensitive information is only required in backend components (such as microflows), use a Mendix constant with Expose to client = No or store the data in a persistent entity without access rules.
  • If sensitive data is required in a nanoflow but must not be visible to users, convert the nanoflow (or the relevant part) into a microflow.

2. Secure use of Marketplace widgets

  • When using Marketplace widgets:
    • verify that the widget is actively maintained
    • check whether the widget has undergone security testing

3. Preventing HTML and JavaScript injection

  • Avoid rendering user input as HTML. If this is unavoidable, use a specialized widget that prevents unwanted JavaScript execution, such as the HTML Element widget.

4. Secure development of custom widgets and JavaScript actions

  • Are you developing a custom widget or JavaScript action that adds or modifies HTML? Do not build HTML through string manipulation. Also, avoid unsafe methods such as document.write or innerHTML; instead, use the secure HTML mechanisms provided by the JavaScript library in use (Dojo/Dijit or React).

5. Secure use of Dojo/Dijit and React

  • Do you use Dojo/Dijit or React? Avoid functionality that allows arbitrary HTML, such as dangerouslySetInnerHTML. Also avoid dynamically setting HTML attributes that can carry JavaScript, such as href on <a> tags and event-handler attributes.
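As an added illustration of points 4 and 5 (not code from this page or from Mendix), the JavaScript below places a user-profile link built by string concatenation next to the same link built through the DOM API, with a scheme allowlist applied to the user-supplied URL before it is written to href. The `fakeDocument` stub, the function names and the example URLs are constructed here so the snippet runs outside a browser; a real widget would pass the browser's `document`.

```javascript
// URL schemes a user-supplied link may use; javascript:, data:, vbscript: etc.
// are rejected before they ever reach an href attribute.
const SAFE_PROTOCOLS = new Set(["http:", "https:", "mailto:"]);

// True only if `value` parses as a URL whose scheme is allowlisted. Relative
// paths are resolved against `base` (assumed app origin), so "/account" passes.
function isSafeHref(value, base = "https://app.example.invalid/") {
  let url;
  try {
    url = new URL(String(value).trim(), base);
  } catch (err) {
    return false; // unparseable input is never written to href
  }
  return SAFE_PROTOCOLS.has(url.protocol); // protocol is already lower-cased
}

// VULNERABLE: HTML assembled by string manipulation. Markup in displayName or
// a javascript: URL in profileUrl runs as code once this lands in innerHTML.
function renderUserLinkUnsafe(displayName, profileUrl) {
  return '<a href="' + profileUrl + '">' + displayName + "</a>";
}

// HARDENED: build the node through the DOM API. textContent never parses
// markup; href is only set after the scheme check, otherwise neutralised and marked.
function renderUserLinkSafe(doc, displayName, profileUrl) {
  const a = doc.createElement("a");
  a.textContent = displayName;
  if (isSafeHref(profileUrl)) {
    a.setAttribute("href", profileUrl);
  } else {
    a.setAttribute("href", "#");
    a.setAttribute("data-href-rejected", "true");
  }
  return a;
}

// Constructed stand-in for `document` so this runs outside a browser; a real
// widget passes the browser's `document` (or lets React own the DOM).
function fakeDocument() {
  return {
    createElement(tagName) {
      return {
        tagName, textContent: "", attrs: {},
        setAttribute(name, v) { this.attrs[name] = String(v); },
        getAttribute(name) { return name in this.attrs ? this.attrs[name] : null; },
      };
    },
  };
}
```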

Vulnerabilities within TSU-09

These are the most common risks associated with insecure UI components.

  • Exposure of credentials as static values on admin pages
  • Exposure of credentials as hard-coded values in nanoflows
  • Exposure of secret keys as hard-coded values in nanoflows
  • Cross-Site Scripting due to rendering of modifiable user attributes
  • Cross-Site Scripting due to dynamic HTML construction
  • Cross-Site Scripting due to missing validation of user-supplied URLs
  • Exposure of application secrets via client-exposed constants

Train your Mendix security skills

Want to identify and prevent vulnerabilities in Mendix at an early stage? Take a look at our renewed Mendix security trainings based on The S-Unit Top 10.

Integrate The S-Unit Top 10 into your CI/CD pipeline.

Want to know how your Mendix application scores against The S-Unit Top 10? In collaboration with Omnext, we have developed a Mendix-specific SAST solution that continuously and automatically scans for vulnerabilities. By integrating The S-Unit Top 10 into the CI/CD pipeline, risks are identified early and made immediately visible. Learn more about our collaboration with Omnext and the Mendix-specific SAST module.