Security issues in our UniGui applications


fabiotj
I decided to open this post because for the first time I am making an application that will need a higher level of security, and after reading the post http://forums.unigui.com/index.php?/topic/16334-can-we-apply -some-protection-against-different-attacks/#comment-89591 I found it necessary to research a little more on the topic.

I found a tool that does basic testing for free and I submitted my site and would like other more experienced users or even the support team to comment or give security tips. The tool used was: https://pentest-tools.com/website-vulnerability-scanning/website-scanner 

Attached is the report of the results. If you have tips on other tools, I would also appreciate it. At some point I plan to take up a paid subscription to have access to a full scanner.

PentestTools-WebsiteScanner-report - public.pdf



Hello,

For the first 2 issues, you can change the code on your end.

Open UniGUIApplication.pas and change Line 1946 to

    if (not FServerMonitor) and (TUGS(FUniServerInstance).ServerLimits.SessionRestrict in [srOnePerPC]) then
    begin
      FUniGUIApplication.Cookies.SetCookie(UniSessionIDCookie,  //ACookieName
                                           SessionID,           //AValue
                                           0,                   //AExpires
                                           SSL,                 //ASecure
                                           True                 //AHTTPOnly
                                           );
    end;


And you can also add custom headers, like the code below:

procedure TUniServerModule.UniGUIServerModuleHTTPCommand(
  ARequestInfo: TIdHTTPRequestInfo; AResponseInfo: TIdHTTPResponseInfo;
  var Handled: Boolean);
begin
  AResponseInfo.CustomHeaders.AddValue('X-Content-Type-Options', 'nosniff');
  AResponseInfo.CustomHeaders.AddValue('X-Frame-Options', 'SAMEORIGIN');
  AResponseInfo.CustomHeaders.AddValue('X-XSS-Protection', '1; mode=block');
end;


Hayri, will this change later be incorporated into the UniGUI source, or is it something I'll need to do every time? It's not a complaint, just so I know, and to leave a note for when you change the version of UniGUI.


6 hours ago, Hayri ASLAN said:

For the first 2 issues.

Hello, can you test this code in UniGUIServerModuleHTTPCommand:

  if ARequestInfo.Cookies.GetCookieIndex('UNI_GUI_SESSION_ID') > -1 then
  begin
    ARequestInfo.Cookies.BeginUpdate;

    // Option 1: emit a Set-Cookie header that carries the flags.
    // Set-Cookie is a response header, so it belongs on AResponseInfo.
    AResponseInfo.CustomHeaders.AddValue('Set-Cookie',
      'UNI_GUI_SESSION_ID=' + ARequestInfo.Cookies.Cookie['UNI_GUI_SESSION_ID', ''].Value +
      '; Secure; HttpOnly;');

OR 

    // Option 2: re-issue the cookie through uniGUI's own cookie API
    UniGUIApplication.UniApplication.Cookies.SetCookie('UNI_GUI_SESSION_ID',
      ARequestInfo.Cookies.Cookie['UNI_GUI_SESSION_ID', ''].Value,
      0,      // AExpires
      True,   // ASecure
      True,   // AHTTPOnly
      '/');   // APath

OR 

    // Option 3: set the flags on the cookie object looked up by name
    ARequestInfo.Cookies.Cookie['UNI_GUI_SESSION_ID', ''].Secure := True;
    ARequestInfo.Cookies.Cookie['UNI_GUI_SESSION_ID', ''].HttpOnly := True;
    ARequestInfo.Cookies.Cookie['UNI_GUI_SESSION_ID', ''].Path := '/';

OR

    // Option 4: the same flags, on the cookie object looked up by index
    ARequestInfo.Cookies.Cookies[ARequestInfo.Cookies.GetCookieIndex('UNI_GUI_SESSION_ID')].Secure := True;
    ARequestInfo.Cookies.Cookies[ARequestInfo.Cookies.GetCookieIndex('UNI_GUI_SESSION_ID')].HttpOnly := True;

    ARequestInfo.Cookies.EndUpdate;
  end;

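As an added example (not code from this thread or from uniGUI), here is a small offline check of the two fixes the thread discusses: the Secure/HttpOnly flags on the UNI_GUI_SESSION_ID cookie, and the three custom headers from Hayri's UniGUIServerModuleHTTPCommand reply. The two sample responses are constructed, not captured from a real server; the header values come from the thread.

```python
from typing import Dict, List, Tuple

SESSION_COOKIE = "UNI_GUI_SESSION_ID"   # cookie name used in the thread
REQUIRED_HEADERS = {                    # headers added in UniGUIServerModuleHTTPCommand
    "x-content-type-options": "nosniff",
    "x-frame-options": "sameorigin",
    "x-xss-protection": "1; mode=block",
}

def parse_set_cookie(value: str) -> Tuple[str, Dict[str, str]]:
    """Split 'NAME=val; Secure; HttpOnly; Path=/' into the cookie name and an
    attribute map. Attribute names are lower-cased; flag attributes map to ''."""
    parts = [p.strip() for p in value.split(";") if p.strip()]
    name = parts[0].split("=", 1)[0].strip()
    attrs: Dict[str, str] = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return name, attrs

def audit(headers: List[Tuple[str, str]]) -> List[str]:
    """Return the findings a scanner would report for one response's headers."""
    findings: List[str] = []
    seen: Dict[str, str] = {}
    for key, val in headers:
        if key.lower() == "set-cookie":
            name, attrs = parse_set_cookie(val)
            if name == SESSION_COOKIE:
                if "secure" not in attrs:
                    findings.append("session cookie without Secure flag")
                if "httponly" not in attrs:
                    findings.append("session cookie without HttpOnly flag")
        else:
            seen[key.lower()] = val.strip().lower()
    for header, expected in REQUIRED_HEADERS.items():
        if header not in seen:
            findings.append(f"missing {header} header")
        elif seen[header] != expected:
            findings.append(f"{header} is '{seen[header]}', expected '{expected}'")
    return findings

# Constructed sample responses: before and after the changes from the thread.
BEFORE = [("Content-Type", "text/html"),
          ("Set-Cookie", "UNI_GUI_SESSION_ID=abc123; Path=/")]
AFTER = [("Content-Type", "text/html"),
         ("Set-Cookie", "UNI_GUI_SESSION_ID=abc123; Path=/; Secure; HttpOnly"),
         ("X-Content-Type-Options", "nosniff"),
         ("X-Frame-Options", "SAMEORIGIN"),
         ("X-XSS-Protection", "1; mode=block")]

if __name__ == "__main__":
    for label, hdrs in (("before", BEFORE), ("after", AFTER)):
        print(label, audit(hdrs) or ["no findings"])
```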

Hello,

Yes, we will work on this and add all required headers in one of the next builds.
