Want to see the attack videos in good resolution? https://nokodsecurity.com/resources/owasp-global-appsec-2024-us/

This session presents a new attack technique called “OData Injection” that affects many API-based environments and in particular Microsoft Power Automate, part of the Microsoft Power Platform. The technique can be used by attackers to extract sensitive data and bypass access controls. Furthermore, we show that if you think “No Code” = “No Vulnerabilities”, you are in for a BIG surprise. Not only are applications and automations written by citizen developers vulnerable to good ol’ injection attacks, but these can be exploited by external attackers. We prove our points using demos of the attacks and vulnerabilities that simulate our findings in the field.
Low Code / No Code (LCNC) development and Robotic Process Automation (RPA, automations) are a rapidly growing trend within enterprises going through a digital transformation process. These tools and environments allow business users (called citizen developers), who are not software engineers, to quickly build enterprise applications by dragging and dropping objects within the platform’s UI. These applications typically automate their daily tasks and accelerate digital transformation within the organization - all this without writing a single line of code. Leading LCNC platforms include Microsoft Power Platform and UiPath Automation Cloud.
It is widely believed by organizations that, since no code is involved in the development process, it is safe to assume the resulting applications are not vulnerable to traditional security issues. Think again! Our research, backed by the analysis of tens of thousands of applications and flows in large enterprises, shows that automations and applications perceived as “internal applications” are in fact exposed to external attackers. For the first time at OWASP Global AppSec, we will show how applications and automations built in the Microsoft Power Platform and UiPath Automation Cloud environments are also vulnerable to SQL Injection, OS Command Injection and more.
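As an added illustration (not the presenters' code or demo), this shows the shape of the concatenation bug behind an OData injection next to a builder that neutralises it, plus a small check a reviewer could run over filter expressions a flow emits. The `Title`/`Status`/`Owner` field names and the assumption that a user-supplied value lands in a connector's filter expression are constructed for the example.

```python
# Added example, not code from the talk or from any LCNC platform.
# OData string literals use single quotes; a quote inside a literal is
# written as two quotes (''). Concatenating raw input lets a quote close
# the literal early and append extra clauses to the query.

ALLOWED_FIELDS = {"Title", "Owner", "Status"}  # assumed list schema (constructed)


def naive_filter(field: str, value: str) -> str:
    """Vulnerable: the user value is pasted straight into the expression."""
    return f"{field} eq '{value}'"


def safe_filter(field: str, value: str) -> str:
    """Hardened: allowlist the field name and escape the string literal."""
    if field not in ALLOWED_FIELDS:
        raise ValueError(f"field not allowed: {field!r}")
    escaped = value.replace("'", "''")
    return f"{field} eq '{escaped}'"


def outside_literals(expr: str) -> str:
    """Return the parts of an OData expression that lie outside quoted literals."""
    out, i, in_lit = [], 0, False
    while i < len(expr):
        c = expr[i]
        if in_lit:
            if c == "'":
                if i + 1 < len(expr) and expr[i + 1] == "'":
                    i += 2  # escaped quote, still inside the literal
                    continue
                in_lit = False
        elif c == "'":
            in_lit = True
        else:
            out.append(c)
        i += 1
    return "".join(out)


def injects_extra_clause(expr: str) -> bool:
    """Review/logging check: a boolean operator outside any literal means the
    value was able to add a clause the flow author never wrote."""
    text = f" {outside_literals(expr)} ".lower()
    return " or " in text or " and " in text


if __name__ == "__main__":
    tainted = "x' or Status eq 'Secret"  # constructed sample input
    print(naive_filter("Title", tainted), injects_extra_clause(naive_filter("Title", tainted)))
    print(safe_filter("Title", tainted), injects_extra_clause(safe_filter("Title", tainted)))
```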