Thursday, June 27 • 11:30am - 12:15pm
Back to the Future: Old Tricks Invading a New Attack Surface


Based on our recent research, this talk explores security risks in leading Low-Code/No-Code (LCNC) application development platforms. It highlights the possibility of spreading malware and stealing data using injection and supply chain attacks.


Low-Code/No-Code application platforms (LCAP) are rapidly emerging as the preferred technology for creating enterprise applications. However, we argue that attackers currently hold an unfair advantage. Time-tested application layer tricks are experiencing a revival when used against applications built on these platforms.

First, our attention turns to Robotic Process Automation (RPA), which is becoming increasingly popular across organizations of all sizes. It is a perilous misconception that RPA bots built with LCNC technologies are immune to “classic” application layer attacks. Moreover, most organizations treat these as “internal facing” applications and assume they are out of an external attacker's reach. Our research reveals a different reality: LCNC applications are, in fact, vulnerable to SQL injection, authorization flaws, and OS command injection. Additionally, we show how these vulnerabilities can be exploited in practice by external attackers.


Next, we delve into some intriguing supply chain attacks. As the adoption of LCAPs gains momentum, a common thread emerges - the integration of code reuse and sharing mechanisms via marketplaces. Whether it’s Forge for OutSystems, AppSource for Microsoft Power Platform, or the UiPath Marketplace, these platforms embrace the concept of empowering app developers by leveraging content created and openly shared by their peers. It’s a double-edged sword - a shortcut to innovation but also a potential gateway for attackers.


Our session aims to discuss and demonstrate the security risks associated with LCNC app development and robotic process automation (RPA). As security professionals still struggle to apply adequate security practices to the LCNC app development life cycle, we confront a harsh reality: the current security stack falls short in shielding businesses from these threats. The absence of effective tools to detect and mitigate SQL injection, or to govern the use of third-party components within the various LCAPs, intensifies the risk and leaves these environments particularly exposed.


Speakers

Uriya Elkayam

Security Researcher, Nokod Security
Uriya Elkayam is a security researcher at Nokod Security. His research focuses on application security aspects of low-code/no-code platforms such as MS Power Platform, UiPath, and OutSystems. He has a passion for both finding vulnerabilities and developing new mitigation techniques. In his previous...


Thursday June 27, 2024 11:30am - 12:15pm WEST
