Pentesting an OutSystems-based web application follows many of the same methodologies as traditional web pentesting. Common vulnerabilities can still be found, so manual testing is still essential.
However, I noticed that many patterns are present in these systems, making some basic automation possible. This tool assists pentesters in performing OutSystems-specific tasks.
The script provides the following functionalities:
- Recursively scan for module references
- Check modules for application definitions and language resources
- Identify modules with `Default.aspx` default entry point
- Check for module service endpoints
- Inspect module assets for screen service endpoints
- Generate an OpenAPI specification from screen service endpoints

There are many TODOs: check the Issues, share ideas, and, if possible, help make them a reality.