<-- Back

Modified client requests can update form data

Issue

A user with a standard role can intercept and modify a request from the Mendix client, for example, using Burp Suite, and submit a different email address when updating their profile. The Mendix Runtime accepts the request and returns the updated value without a validation error.

This may raise concerns that manipulated requests could bypass security controls or enable privilege escalation.

Environment

  • Free app
  • Applications hosted in Mendix Cloud

Cause

This behavior is expected when the authenticated user has write access to the relevant entity attribute. A browser client must always be treated as untrusted: anything a user can submit through the UI can also be altered before it reaches the server.

Burp Suite does not bypass Mendix Runtime security. The Runtime still evaluates the request using the active user session and the app’s entity access rules. However, entity access rules authorize whether a user may write an attribute; they do not determine whether the submitted value is valid, safe, or appropriate for a particular business process.

For example, if a user is permitted to edit their email address, changing the email value in a captured request is still an authorized write unless the application includes additional server-side rules that reject it.

Solution / Workaround

Implement server-side validation and business authorization for every value that must meet additional requirements:

  • Use a microflow to validate, normalize, and, where applicable, sanitize user input before committing it.

  • Keep system-controlled or security-sensitive attributes such as roles, approval status, ownership, or entitlement flags non-writable for standard users.

  • Ensure entity access rules restrict each role to the objects and attributes it is intended to read or modify. Do not rely on page or widget visibility as a security control.

  • For values requiring proof beyond format validation, use a trusted external verification mechanism. For example, validating an IBAN’s structure does not prove that it belongs to the current user; use the relevant bank or payment-provider verification service where required.

  • Review the application’s security configuration in Studio Pro and consider enabling Strict Mode as an additional safeguard against unintended access.

Mendix-native queries are parameterized, and client-displayed values are HTML-escaped, which protects standard native usage from SQL injection. Input used in custom Java, JavaScript, external interfaces, custom database queries, or rendered HTML must still be handled securely. See Implement Best Practices for App Security, especially the sections on access rules and avoiding injection.

Internal information related

  • 282936
  • G01EQTEP83G/p1783932931743799

Additional information

Not Applicable

Have more questions? Submit a request

0 Comments

Article is closed for comments.

To provide feedback, please open a ticket here. Don't forget to include the article's URL along with the feedback you would like to provide.