bmajor67
Level: Power Up

PowerApps Vulnerabilities found during IT Security Scan

We are new to PowerApps. Our company would be using PowerApps at the enterprise level. However, during the proof of concept stage, an IT security audit was done. There are two (2) high-level vulnerabilities found.

I have done extensive research and have been unable to find a resolution or something I could give to IT Security to address these issues.

Can anyone assist me on this or have a resolution for these:
1.  Session token in URL
Sensitive information within URLs may be logged in various locations, including the user's browser, the web server, and any forward or reverse proxy servers between the two endpoints. URLs may also be displayed on-screen, bookmarked or emailed around by users. They may be disclosed to third parties via the Referer header when any off-site links are followed. Placing session tokens into the URL increases the risk that they will be captured by an attacker.
Risk Level: Medium
Likelihood: Low
Risk: High

Findings
Security discovered the URL in the request appears to contain a session token within the query string.
Port/Protocol: 443/TCP
Path:
/autherror
/bundles
/sdkpreload
/webplayer/app

 

2.  Insecure Java Deserialization
Serialization is a process used by Java to convert an object into raw binary for storage or transmission. In the latter case, the serialized object is then transmitted to a listening host, de-serialized, and then executed. If the listening host does not perform proper validation on the serialized data it receives, a malicious user can exploit this behavior to execute code on the vulnerable system.
Risk Level: High
Likelihood: Medium
Risk: High

Findings
Security inserted a time-based payload into the HTTP request that would trigger a time delay if it were insecurely deserialized using the Jackson library/API. The base HTTP request took 2029ms to execute, whereas the request containing the payload took 83591ms, indicating that the application is deserializing arbitrary objects using the Jackson library/API and is vulnerable to arbitrary code execution.
Path: /bundles/App
Parameter: PowerAppsSessionId=
Library:
Jackson
Json.NET

 

Any assistance is greatly appreciated.

 

Thanks...
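The two findings quoted in the post describe things a defender can look for in their own request logs: a session token travelling in a URL query string, and JSON bodies carrying the polymorphic type-hint keys that Jackson (`@class`, `@type`) and Json.NET (`$type`) use to decide which class to instantiate. The script below is an added example, not PowerApps code and not the scanner's code; its log-line format, the list of session-parameter names (only `PowerAppsSessionId` comes from the report) and the sample lines are all constructed. It also shows the usual remediation for the first finding, moving the token into a cookie with `Secure`, `HttpOnly` and `SameSite` attributes, which keeps it out of Referer headers, bookmarks and proxy URL logs.

```python
"""Audit HTTP request log lines for two classes of finding: session tokens in
the URL query string, and JSON bodies carrying polymorphic type-hint keys.
Added example; the log format and sample lines are constructed."""
import json
import re
from urllib.parse import parse_qsl, urlsplit

# Query parameters treated as session tokens. PowerAppsSessionId is the name
# from the scan report; the rest are generic assumptions for illustration.
SESSION_PARAMS = {"powerappssessionid", "sessionid", "session_token", "sid", "jsessionid"}

# Keys a polymorphic deserializer reads to choose a type: "@class"/"@type" for
# Jackson default typing, "$type" for Json.NET TypeNameHandling.
TYPE_HINT_KEYS = {"@class", "@type", "$type"}

# Constructed log format: METHOD TARGET STATUS BODY ("-" when there is no body).
LOG_RE = re.compile(r"^(?P<method>[A-Z]+) (?P<target>\S+) (?P<status>\d{3}) (?P<body>.*)$")


def tokens_in_url(target):
    """Return [(param, redacted_value)] for session-token parameters in the query."""
    found = []
    for name, value in parse_qsl(urlsplit(target).query, keep_blank_values=True):
        if name.lower() in SESSION_PARAMS:
            redacted = (value[:4] + "...") if len(value) > 4 else value
            found.append((name, redacted))
    return found


def type_hints_in_json(doc):
    """Walk a parsed JSON document and return the JSON paths of type-hint keys."""
    hits = []

    def walk(node, path):
        if isinstance(node, dict):
            for key, value in node.items():
                if key in TYPE_HINT_KEYS:
                    hits.append(f"{path}/{key}")
                walk(value, f"{path}/{key}")
        elif isinstance(node, list):
            for i, value in enumerate(node):
                walk(value, f"{path}[{i}]")

    walk(doc, "")
    return hits


def audit_line(line):
    """Return a list of (finding, path, detail) tuples for one log line."""
    m = LOG_RE.match(line)
    if not m:
        return []  # not in the expected format; nothing to say about it
    findings = []
    path = urlsplit(m["target"]).path
    for name, redacted in tokens_in_url(m["target"]):
        findings.append(("session-token-in-url", path, f"{name}={redacted}"))
    body = m["body"].strip()
    if body and body != "-":
        try:
            doc = json.loads(body)
        except ValueError:
            return findings  # non-JSON body: deserializer type hints do not apply
        for hit in type_hints_in_json(doc):
            findings.append(("type-hint-in-json", path, hit))
    return findings


def audit_log(lines):
    return [finding for line in lines for finding in audit_line(line)]


def session_cookie_header(token):
    """Remediation for finding 1: carry the token in a cookie the browser will not
    place in Referer headers, bookmarks or proxy URL logs, and scripts cannot read."""
    return f"Set-Cookie: PowerAppsSessionId={token}; Secure; HttpOnly; SameSite=Lax; Path=/"


# Constructed sample log lines (not captured from any real system).
SAMPLE_LOG = [
    "GET /webplayer/app?PowerAppsSessionId=abcd1234efgh 200 -",
    "GET /bundles/main.js 200 -",
    'POST /bundles/App 200 {"name":"x","payload":{"@class":"some.Type","v":1}}',
    'POST /api/items 200 {"items":[{"$type":"Some.Type, Assembly"}]}',
    "POST /api/ping 200 not json",
]

if __name__ == "__main__":
    for finding in audit_log(SAMPLE_LOG):
        print(finding)
    print(session_cookie_header("<token placeholder>"))
```

Run against the constructed log, the script reports the token on `/webplayer/app` (value redacted, since the audit output is itself a log that should not carry the secret) and the type-hint keys in the two JSON bodies; the non-JSON body and the plain bundle fetch produce nothing. The same rule shape can be dropped into a SIEM query over real proxy logs, which is also how to confirm or refute the scanner's first finding from the server side.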

2 ACCEPTED SOLUTIONS

Community Support Team

Re: PowerApps Vulnerabilities found during IT Security Scan

Hi @bmajor67 ,

 

Could you please reference security-model

If you still have some confusion about it, please see

https://powerapps.microsoft.com/en-us/support/

 

Hope this could be helpful.

 

Best Regards.

Yumia


PowerApps Staff Chris

Re: PowerApps Vulnerabilities found during IT Security Scan

Hi bmajor67,

 

As a standard routine, we perform security and penetration testing on our products and there are no known vulnerabilities.  We would need more information to investigate your claims.  Could you please share a session trace of the scenarios (Fiddler or other intercepting proxy) or the security audit document via our support channel (https://powerapps.microsoft.com -> Create a support ticket) or our support email alias (pamobsup at microsoft.com)?

 

Thank you,

Chris

 


3 REPLIES

Moderator

Re: PowerApps Vulnerabilities found during IT Security Scan

Thank you for reporting this. I've requested internally for the teams that seem to be affected by this to take a look and confirm/validate the issue.

 

I will let you know if there is anything else required from your side.

