Penetration Testing Guide for Mendix Applications
1. Introduction to Mendix
Mendix is a low-code application development platform that allows you to build web and mobile applications visually, with minimal manual coding. Since Mendix does not require users to have a technical background to build web apps, developers often:
- Do not prioritize security
- Place false security assumptions on the framework
- Implement security measures without consideration for bypasses
Mendix automatically mitigates key security risks: the client protects against JavaScript threats like XSS, while the runtime blocks server-side attacks such as SQL injection and code execution by treating all client requests as untrusted. Mendix app developers do not need to take these technical security aspects into consideration; however, authorization and access rights do need to be configured by the developers. As stated in the official Mendix documentation: “To provide full security for a Mendix application, you need to explicitly give access to forms, entities, and microflows to a user role.” Naturally, this is the area we should focus on, as it leaves room for developer mistakes.
2. Key Components
2.1. Entities
Entities represent real-world objects, such as customers or invoices. An instance of an entity is called an object. To return an array of objects describing all entities and attributes available to the current user, you can use the following console command:
mx.session.sessionData.metadata
Additionally, you can inspect the response of the get_session_data XAS action, which is called right after login to retrieve the session metadata needed on the client side.
2.2 Microflows and Nanoflows
- Microflows: Execution of server-side logic, including handling complex business processes and database operations.
- Nanoflows: Lightweight flows that execute logic locally on the client.
Use the following console command to list the microflows that are exposed and callable from the client for the current session:
mx.session.sessionData.microflows
2.3 User Roles and Permissions
User roles in Mendix are combinations of module roles, which are specific sets of access rights. Proper configuration of these roles is crucial for security.
2.4 Server APIs for direct interaction
- CRUD: instantiate, commit, etc.
- Search: retrieve_by_xpath, retrieve_by_ids
- Metadata: get_session_id, metamodel.json
The retrieve_by_xpath action allows users to specify XPath expressions to query entities:
POST /xas/ HTTP/2
.
.
.
{
  "action":"retrieve_by_xpath",
  "params":{
    "xpath":"//<NAME_OF_THE_ENTITY>",
    "schema":{
      "offset":0,
      "amount":20
    },
    "count":true
  }
}
The retrieve_by_ids action allows users to retrieve objects by providing a valid GUID:
POST /xas/ HTTP/2
.
.
.
{
  "action":"retrieve_by_ids",
  "params":{
    "ids":[
      "<OBJECT_GUID>"
    ],
    "schema":{
    }
  }
}
For microflow execution you can use the following client-side API call:
mx.data.action({
  params: { actionname: "<NAME_OF_THE_MICROFLOW>" },
  callback: console.log,
});
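As an added example (not code from the original guide or from Mendix), the following Python audits captured POST /xas/ request bodies in the format shown above against a per-role entity allowlist, which is the check a reviewer would run over reverse-proxy captures when validating entity access rules. The roles, entity names, allowlist, bulk threshold and sample requests are constructed assumptions; the `//Module.Entity` prefix of an XPath expression is the Mendix naming convention.

```python
import json
import re

# Constructed per-role allowlist: entities each role may read through the client API.
# In a real review this is derived from the app's module-role access rules.
ENTITY_ALLOWLIST = {
    "Employee": {"HR.LeaveRequest", "HR.Announcement"},
    "HRManager": {"HR.LeaveRequest", "HR.Announcement", "HR.EmployeeRecord"},
}

# A retrieve_by_xpath expression starts with the entity path, e.g. //HR.EmployeeRecord[...]
ENTITY_RE = re.compile(r"^//([A-Za-z0-9_]+\.[A-Za-z0-9_]+)")
# Assumed threshold: more GUIDs per retrieve_by_ids call than one data-grid page needs.
BULK_ID_THRESHOLD = 20


def audit_xas_request(role, body):
    """Return a finding for one captured POST /xas/ body, or None if it looks legitimate."""
    try:
        req = json.loads(body)
    except ValueError:
        return "malformed request body"
    action = req.get("action")
    params = req.get("params") or {}
    if action == "retrieve_by_xpath":
        match = ENTITY_RE.match(params.get("xpath", ""))
        if not match:
            return "retrieve_by_xpath with an xpath that does not start with an entity"
        entity = match.group(1)
        if entity not in ENTITY_ALLOWLIST.get(role, set()):
            return f"role {role} queried entity {entity} outside its allowlist"
    elif action == "retrieve_by_ids":
        # Only GUIDs are sent, so the entity cannot be resolved here; flag bulk retrieval.
        ids = params.get("ids") or []
        if len(ids) > BULK_ID_THRESHOLD:
            return f"role {role} requested {len(ids)} objects by GUID in one call"
    return None


def audit_requests(requests):
    """Run the audit over (role, body) pairs and return the non-empty findings."""
    findings = [audit_xas_request(role, body) for role, body in requests]
    return [f for f in findings if f]


# Constructed sample traffic: an Employee session reads its own leave requests, then
# queries the HR.EmployeeRecord entity that only HRManager should be able to read.
SAMPLE_REQUESTS = [
    ("Employee", '{"action":"retrieve_by_xpath","params":{"xpath":"//HR.LeaveRequest[Owner=\'[%CurrentUser%]\']","schema":{"offset":0,"amount":20},"count":true}}'),
    ("Employee", '{"action":"retrieve_by_xpath","params":{"xpath":"//HR.EmployeeRecord","schema":{"offset":0,"amount":20},"count":true}}'),
    ("HRManager", '{"action":"retrieve_by_xpath","params":{"xpath":"//HR.EmployeeRecord","schema":{"offset":0,"amount":20},"count":true}}'),
    ("Employee", '{"action":"retrieve_by_ids","params":{"ids":["281475015950001"],"schema":{}}}'),
]
```

Running audit_requests(SAMPLE_REQUESTS) yields a single finding for the Employee query against HR.EmployeeRecord.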
3. Common Vulnerabilities - Attack Surface
- Insecure access controls on entities/attributes – Ensure fine-grained access controls are correctly configured to avoid unauthorized access.
- Insecure access controls on microflows – Access controls on microflows must be properly set to prevent execution of insecure logic.
- Microflows with insecure functionality
- Insecure AppStore/Custom components – Custom Java components are especially prone to contain security flaws.
4. Real-World Examples
4.1. Sensitive information stored in session metadata
In this particular case, the application required additional authorization to access the admin panel via the Administrators GUI. However, it was discovered that the admin key used for this authorization was present in plain text in the session metadata. Essentially, anyone with access to an administrator session could use the mx.session.sessionData.metadata console command to retrieve this key and gain access to critical functionality inside the admin panel.
4.2. Insecure access controls on entities
This is a common finding in Mendix applications. Misconfigured access controls allow low-privileged users to query entities which should be accessible only to higher-privileged users. In one of the applications I encountered, the low-privileged users could retrieve personal records for 5000 employees, even though none of these records were displayed in the GUI for these types of users.
4.3. IDOR vulnerability at /file endpoint
The /file endpoint is an inherent part of Mendix applications. Mendix uses it to serve files stored in FileDocument-based entities. Always check whether the application fails to properly enforce access controls on the /file?guid=<id> endpoint, allowing unauthorized users to access other users’ files. These file GUIDs may appear to be random numbers, but when comparing multiple GUIDs, certain patterns may become noticeable. In one of the applications I encountered, it was possible to brute-force the last 4 digits of a valid GUID, which resulted in access to additional files.
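From the defender's side, the GUID probing described above leaves a recognizable trace: one client touching many distinct /file GUIDs that differ only in their trailing digits, most of them refused. The following Python is an added detection example (not from the original guide) that runs over constructed reverse-proxy access-log lines in common log format; the thresholds, client addresses and GUID values are assumptions.

```python
import os
import re
from collections import defaultdict

# Constructed access-log lines from a reverse proxy in front of the Mendix runtime.
# 10.0.0.5 walks a run of GUIDs that differ only in the last digit and is mostly refused;
# 10.0.0.9 opens two documents it is entitled to.
SAMPLE_LOG = """\
10.0.0.5 - - [10/Mar/2025:10:00:01 +0000] "GET /file?guid=281475015950001 HTTP/1.1" 200 5120
10.0.0.5 - - [10/Mar/2025:10:00:02 +0000] "GET /file?guid=281475015950002 HTTP/1.1" 403 0
10.0.0.5 - - [10/Mar/2025:10:00:03 +0000] "GET /file?guid=281475015950003 HTTP/1.1" 403 0
10.0.0.5 - - [10/Mar/2025:10:00:04 +0000] "GET /file?guid=281475015950004 HTTP/1.1" 404 0
10.0.0.5 - - [10/Mar/2025:10:00:05 +0000] "GET /file?guid=281475015950005 HTTP/1.1" 200 2048
10.0.0.5 - - [10/Mar/2025:10:00:06 +0000] "GET /file?guid=281475015950006 HTTP/1.1" 403 0
10.0.0.9 - - [10/Mar/2025:10:00:07 +0000] "GET /file?guid=281475015950001 HTTP/1.1" 200 5120
10.0.0.9 - - [10/Mar/2025:10:00:08 +0000] "POST /xas/ HTTP/1.1" 200 311
10.0.0.9 - - [10/Mar/2025:10:00:09 +0000] "GET /file?guid=281475015951337 HTTP/1.1" 200 900
"""

LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[[^\]]+\] "GET /file\?guid=(?P<guid>\d+)[^"]*" (?P<status>\d{3})'
)


def detect_file_guid_probing(log_text, min_distinct=5, min_failures=3):
    """Flag clients that request many distinct /file GUIDs and are refused repeatedly.

    Thresholds are assumptions to tune per application: a real user opens a handful of
    documents and is rarely refused, while probing produces long runs of 403/404."""
    per_client = defaultdict(lambda: {"guids": set(), "failures": 0})
    for line in log_text.splitlines():
        match = LOG_RE.match(line)
        if not match:
            continue  # not a /file request
        rec = per_client[match["client"]]
        rec["guids"].add(match["guid"])
        if match["status"] in ("403", "404"):
            rec["failures"] += 1
    findings = []
    for client, rec in sorted(per_client.items()):
        if len(rec["guids"]) >= min_distinct and rec["failures"] >= min_failures:
            # A long shared prefix across the probed GUIDs is the "only the last digits
            # change" pattern described above.
            prefix = os.path.commonprefix(sorted(rec["guids"]))
            findings.append({
                "client": client,
                "distinct_guids": len(rec["guids"]),
                "failures": rec["failures"],
                "shared_prefix_len": len(prefix),
            })
    return findings
```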
4.4. Unrestricted access to API documentation endpoints
A Mendix app offers various endpoints that can be used to obtain information about the services it exposes. The paths of the documentation endpoints end in -doc. Check whether any of these endpoints are publicly accessible:
/api/
/api-doc/
/debugger/
/rest/
/rest-doc/
/ws/
/ws-doc/
/odata-doc/
4.5. Insecure Content Security Policy
Content Security Policy (CSP) is a security mechanism designed to mitigate cross-site scripting attacks by disabling dangerous behaviors such as untrusted JavaScript execution. The CSP header is often misconfigured, allowing untrusted scripts and styles to be executed. Specifically, the use of unsafe-inline and unsafe-eval weakens the security model of CSP and makes the application susceptible to cross-site scripting and code injection attacks. Mendix provides an updated guide (2025) on how to configure a stricter, more secure CSP (https://docs.mendix.com/howto/security/csp/).
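A quick way to triage the CSP weaknesses named above is to parse the header value and report the effective script-src and style-src sources, taking the default-src fallback into account. The following Python checker is an added example (not from the original guide or from Mendix); the sample header values are constructed. It also records one caveat worth knowing when reading results: when a nonce- or hash- source is present, CSP2+ browsers ignore 'unsafe-inline' in that directive, so its presence is then a legacy fallback rather than an active weakness.

```python
UNSAFE_KEYWORDS = ("'unsafe-inline'", "'unsafe-eval'")
NONCE_OR_HASH = ("'nonce-", "'sha256-", "'sha384-", "'sha512-")


def parse_csp(header):
    """Split a Content-Security-Policy header value into {directive: [sources]}."""
    policy = {}
    for part in header.split(";"):
        tokens = part.strip().split()
        if tokens:
            policy[tokens[0].lower()] = [t.lower() for t in tokens[1:]]
    return policy


def csp_findings(header):
    """Return human-readable findings for the script-src and style-src directives."""
    policy = parse_csp(header)
    findings = []
    for directive in ("script-src", "style-src"):
        if directive in policy:
            srcs, where = policy[directive], directive
        elif "default-src" in policy:
            # Without an explicit directive the browser falls back to default-src.
            srcs, where = policy["default-src"], f"{directive} (via default-src)"
        else:
            findings.append(f"{directive}: not set and no default-src, any source allowed")
            continue
        has_nonce_or_hash = any(s.startswith(NONCE_OR_HASH) for s in srcs)
        for keyword in UNSAFE_KEYWORDS:
            if keyword not in srcs:
                continue
            if keyword == "'unsafe-inline'" and has_nonce_or_hash:
                findings.append(f"{where} lists {keyword} but a nonce/hash is present, so CSP2+ browsers ignore it")
            else:
                findings.append(f"{where} allows {keyword}")
        if "*" in srcs or any(s.startswith("http:") for s in srcs):
            findings.append(f"{where} allows wildcard or plain-http sources")
    return findings


# Constructed header values: a typical weak policy and a strict nonce-based one.
WEAK_CSP = "default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval'; style-src 'self' 'unsafe-inline'"
STRICT_CSP = "default-src 'self'; script-src 'self' 'nonce-r4nd0m'; style-src 'self'; object-src 'none'"
```

csp_findings(WEAK_CSP) reports three findings (unsafe-inline and unsafe-eval on script-src, unsafe-inline on style-src) while csp_findings(STRICT_CSP) reports none.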
5. References
- Mendix Documentation (https://docs.mendix.com/)
- Runtime Security (https://www.mendix.com/evaluation-guide/security/runtime-security/)
- Best Security Practices (https://docs.mendix.com/howto8/security/best-practices-security/)
- Security Findings FAQ (https://docs.mendix.com/support/security-findings-faq/)
- Uncovering Dark Security & Hacking Secrets in the Mendix Platform (https://www.youtube.com/watch?v=p0HXudOLagE)
- CTF Writeups:
