Security issues in our UniGui applications

[fabiotj]

I decided to open this post because for the first time I am making an application that will need a higher level of security, and after reading the post http://forums.unigui.com/index.php?/topic/16334-can-we-apply -some-protection-against-different-attacks/#comment-89591 I found it necessary to research a little more on the topic.

I found a tool that does basic testing for free and I submitted my site and would like other more experienced users or even the support team to comment or give security tips. The tool used was: https://pentest-tools.com/website-vulnerability-scanning/website-scanner 

Attached report of the results. If you have tips on other tools, I would also appreciate it. At some point I plan to take up a paid subscription to have access to a full scanner.

 

 

PentestTools-WebsiteScanner-report - public.pdf

[Hayri ASLAN]

24 minutes ago, fabiotj said:

I decided to open this post because for the first time I am making an application that will need a higher level of security, and after reading the post http://forums.unigui.com/index.php?/topic/16334-can-we-apply -some-protection-against-different-attacks/#comment-89591 I found it necessary to research a little more on the topic.

I found a tool that does basic testing for free and I submitted my site and would like other more experienced users or even the support team to comment or give security tips. The tool used was: https://pentest-tools.com/website-vulnerability-scanning/website-scanner 

Attached report of the results. If you have tips on other tools, I would also appreciate it. At some point I plan to take up a paid subscription to have access to a full scanner.

 

 

PentestTools-WebsiteScanner-report - public.pdf 301.14 kB · 6 downloads

Hello,

 

For the first 2 issue, you can change the code in your end.

Open UniGUIApplication.pas and change Line 1946 to

    if (not FServerMonitor) and (TUGS(FUniServerInstance).ServerLimits.SessionRestrict in [srOnePerPC]) then
    begin
      FUniGUIApplication.Cookies.SetCookie(UniSessionIDCookie,  //ACookieName
                                           SessionID,           //AValue
                                           0,                   //AExpires
                                           SSL,                 //ASecure
                                           True                 //AHTTPOnly
                                           );
    end;

 

[Hayri ASLAN]

And you can also add custom headers like the below code:

 

procedure TUniServerModule.UniGUIServerModuleHTTPCommand(
  ARequestInfo: TIdHTTPRequestInfo; AResponseInfo: TIdHTTPResponseInfo;
  var Handled: Boolean);
begin
  AResponseInfo.CustomHeaders.AddValue('X-Content-Type-Options', 'nosniff');
  AResponseInfo.CustomHeaders.AddValue('X-Frame-Options', 'SAMEORIGIN');
  AResponseInfo.CustomHeaders.AddValue('X-XSS-Protection', '1; mode=block');
end;

 

[fabiotj]

Thanks a lot Hayri, I'll do that, and later on when I take the full test (paid) if I have any questions related to UniGui I'll post here again.

[fabiotj]

2 hours ago, Hayri ASLAN said:

Hello,

 

For the first 2 issue, you can change the code in your end.

Open UniGUIApplication.pas and change Line 1946 to

    if (not FServerMonitor) and (TUGS(FUniServerInstance).ServerLimits.SessionRestrict in [srOnePerPC]) then
    begin
      FUniGUIApplication.Cookies.SetCookie(UniSessionIDCookie,  //ACookieName
                                           SessionID,           //AValue
                                           0,                   //AExpires
                                           SSL,                 //ASecure
                                           True                 //AHTTPOnly
                                           );
    end;

 

Hayri, will this change later be incorporated into the unigui source or is it something I'll need to do every time? It's not a complaint, but just to know and already leave a note for when you change the version of UniGui.

[irigsoft]

6 hours ago, Hayri ASLAN said:

For the first 2 issue.

Hello, Can You test this code in UniGUIServerModuleHTTPCommand:

  if ARequestInfo.Cookies.GetCookieIndex ('UNI_GUI_SESSION_ID') > -1 then begin
      ARequestInfo.Cookies.BeginUpdate;
      ARequestInfo.CustomHeaders.AddValue('Set-Cookie', 'UNI_GUI_SESSION_ID=' + ARequestInfo.Cookies.Cookie ['UNI_GUI_SESSION_ID',''].Value + ';Secure; HttpOnly;');

OR 

    UniGUIApplication.UniApplication.Cookies.SetCookie('UNI_GUI_SESSION_ID',ARequestInfo.Cookies.Cookie ['UNI_GUI_SESSION_ID',''].Value,0,True,True,'/');

OR 

     ARequestInfo.Cookies.Cookie ['UNI_GUI_SESSION_ID',''].Secure := True;
      ARequestInfo.Cookies.Cookie ['UNI_GUI_SESSION_ID',''].HttpOnly := True;
      ARequestInfo.Cookies.Cookie ['UNI_GUI_SESSION_ID',''].Path := '/';

OR

      ARequestInfo.Cookies.Cookies [ARequestInfo.Cookies.GetCookieIndex ('UNI_GUI_SESSION_ID')].Secure := True;
      ARequestInfo.Cookies.Cookies [ARequestInfo.Cookies.GetCookieIndex ('UNI_GUI_SESSION_ID')].HttpOnly := True;
      ARequestInfo.Cookies.EndUpdate;
  end;
 

[Hayri ASLAN]

6 hours ago, fabiotj said:

Hayri, will this change later be incorporated into the unigui source or is it something I'll need to do every time? It's not a complaint, but just to know and already leave a note for when you change the version of UniGui.

Hello,

Yes we will work on this and we will add all required headers in the one of the next build

[fraxzi]

Hi,

I tried the pentest-tool and got this:

 

How to update the jQuery of uniGUI or is it possible?

 

Thanks,

Frances

 

 

[irigsoft]

1 hour ago, fraxzi said:

How to update the jQuery of uniGUI or is it possible?

Look here there a solution with edit of uniGui system .pas files : http://forums.unigui.com/index.php?/search/&q=jQuery&quick=1

@Hayri ASLAN will help here !

In my practice I disable jQuery because i don't use it.

Edited January 9, 2023 by irigsoft

[irigsoft]

5 hours ago, fraxzi said:

How to update the jQuery of uniGUI or is it possible?

 

 

If you found a solution, please share it