fabiotj, Posted January 7, 2023

I decided to open this post because for the first time I am making an application that will need a higher level of security, and after reading the post http://forums.unigui.com/index.php?/topic/16334-can-we-apply-some-protection-against-different-attacks/#comment-89591 I found it necessary to research a little more on the topic. I found a tool that does basic testing for free and I submitted my site, and would like other more experienced users or even the support team to comment or give security tips.

The tool used was: https://pentest-tools.com/website-vulnerability-scanning/website-scanner

Attached report of the results. If you have tips on other tools, I would also appreciate it. At some point I plan to take up a paid subscription to have access to a full scanner.

Attachment: PentestTools-WebsiteScanner-report - public.pdf
Hayri ASLAN, Posted January 7, 2023

fabiotj said: [...] I found a tool that does basic testing for free and I submitted my site, and would like other more experienced users or even the support team to comment or give security tips. [...]

Hello,

For the first 2 issues, you can change the code on your end. Open UniGUIApplication.pas and change Line 1946 to:

    if (not FServerMonitor) and
       (TUGS(FUniServerInstance).ServerLimits.SessionRestrict in [srOnePerPC]) then
    begin
      FUniGUIApplication.Cookies.SetCookie(UniSessionIDCookie, // ACookieName
                                           SessionID,          // AValue
                                           0,                  // AExpires
                                           SSL,                // ASecure
                                           True                // AHTTPOnly
                                           );
    end;
Hayri ASLAN, Posted January 7, 2023

And you can also add custom headers like the below code:

    procedure TUniServerModule.UniGUIServerModuleHTTPCommand(
      ARequestInfo: TIdHTTPRequestInfo; AResponseInfo: TIdHTTPResponseInfo;
      var Handled: Boolean);
    begin
      AResponseInfo.CustomHeaders.AddValue('X-Content-Type-Options', 'nosniff');
      AResponseInfo.CustomHeaders.AddValue('X-Frame-Options', 'SAMEORIGIN');
      AResponseInfo.CustomHeaders.AddValue('X-XSS-Protection', '1; mode=block');
    end;
fabiotj, Posted January 7, 2023

Thanks a lot Hayri, I'll do that, and later on when I take the full test (paid), if I have any questions related to UniGui I'll post here again.
fabiotj, Posted January 7, 2023

Hayri ASLAN said: Hello, For the first 2 issues, you can change the code on your end. Open UniGUIApplication.pas and change Line 1946 to [...]

Hayri, will this change later be incorporated into the uniGUI source, or is it something I'll need to do every time? It's not a complaint, just to know and to leave a note for when you change the version of UniGui.
irigsoft, Posted January 7, 2023

Hayri ASLAN said: For the first 2 issues.

Hello,

Can you test this code in UniGUIServerModuleHTTPCommand:

    if ARequestInfo.Cookies.GetCookieIndex('UNI_GUI_SESSION_ID') > -1 then
    begin
      ARequestInfo.Cookies.BeginUpdate;

      // Option 1: emit a Set-Cookie header with the flags appended
      ARequestInfo.CustomHeaders.AddValue('Set-Cookie',
        'UNI_GUI_SESSION_ID=' +
        ARequestInfo.Cookies.Cookie['UNI_GUI_SESSION_ID', ''].Value +
        ';Secure; HttpOnly;');

      // OR Option 2: re-set the cookie through the uniGUI application object
      // (Expires = 0, Secure = True, HttpOnly = True, Path = '/')
      UniGUIApplication.UniApplication.Cookies.SetCookie('UNI_GUI_SESSION_ID',
        ARequestInfo.Cookies.Cookie['UNI_GUI_SESSION_ID', ''].Value,
        0, True, True, '/');

      // OR Option 3: set the attributes on the parsed cookie object by name
      ARequestInfo.Cookies.Cookie['UNI_GUI_SESSION_ID', ''].Secure := True;
      ARequestInfo.Cookies.Cookie['UNI_GUI_SESSION_ID', ''].HttpOnly := True;
      ARequestInfo.Cookies.Cookie['UNI_GUI_SESSION_ID', ''].Path := '/';

      // OR Option 4: the same, addressing the cookie by index
      ARequestInfo.Cookies.Cookies[ARequestInfo.Cookies.GetCookieIndex('UNI_GUI_SESSION_ID')].Secure := True;
      ARequestInfo.Cookies.Cookies[ARequestInfo.Cookies.GetCookieIndex('UNI_GUI_SESSION_ID')].HttpOnly := True;

      ARequestInfo.Cookies.EndUpdate;
    end;
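The two scanner findings this thread fixes (session cookie without Secure/HttpOnly, and the three missing response headers from Hayri's handler) can be re-checked offline before paying for a full scan. The following is an added example written for this page, not uniGUI code and not the pentest-tools scanner: it parses a raw HTTP response head, checks the UNI_GUI_SESSION_ID Set-Cookie line for the Secure and HttpOnly attributes, and checks that the three headers Hayri adds are present with the values from his post. The two responses at the bottom are constructed by hand to resemble a uniGUI reply before and after the change; no server is contacted.

```python
"""Offline header/cookie checker for the uniGUI findings discussed in this thread.

Added example (not uniGUI's or pentest-tools' code). The sample responses are
constructed; the cookie name and header values come from the posts above.
"""
from __future__ import annotations

SESSION_COOKIE = "UNI_GUI_SESSION_ID"  # cookie name used in irigsoft's post

# Headers Hayri's UniGUIServerModuleHTTPCommand adds, with his values.
REQUIRED_HEADERS = {
    "x-content-type-options": "nosniff",
    "x-frame-options": "SAMEORIGIN",
    "x-xss-protection": "1; mode=block",
}


def parse_response_headers(raw: str) -> tuple[str, list[tuple[str, str]]]:
    """Split a raw HTTP/1.1 response head into (status line, [(name, value), ...]).

    Names are lower-cased. Repeated headers (several Set-Cookie lines) are kept
    as separate entries, which is why a list of pairs is returned, not a dict.
    """
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    headers: list[tuple[str, str]] = []
    for line in lines[1:]:
        if not line:
            continue
        name, _, value = line.partition(":")
        headers.append((name.strip().lower(), value.strip()))
    return lines[0], headers


def parse_set_cookie(value: str) -> dict:
    """Parse one Set-Cookie value into name, value and lower-cased attributes.

    Flag attributes such as Secure or HttpOnly map to None; valued attributes
    such as Path=/ map to their string value.
    """
    parts = [p.strip() for p in value.split(";")]
    name, _, val = parts[0].partition("=")
    attrs: dict[str, str | None] = {}
    for part in parts[1:]:
        if not part:
            continue
        key, sep, attr_val = part.partition("=")
        attrs[key.strip().lower()] = attr_val.strip() if sep else None
    return {"name": name.strip(), "value": val, "attrs": attrs}


def check_response(raw: str) -> list[str]:
    """Return the findings for one response; an empty list means both checks pass."""
    findings: list[str] = []
    _, headers = parse_response_headers(raw)
    present: dict[str, str] = {}
    for name, value in headers:
        if name == "set-cookie":
            cookie = parse_set_cookie(value)
            if cookie["name"] != SESSION_COOKIE:
                continue
            for flag in ("secure", "httponly"):
                if flag not in cookie["attrs"]:
                    findings.append(f"{SESSION_COOKIE} cookie lacks the {flag} attribute")
        else:
            present.setdefault(name, value)
    for name, expected in REQUIRED_HEADERS.items():
        if name not in present:
            findings.append(f"missing header {name}")
        elif present[name].lower() != expected.lower():
            findings.append(f"header {name} is {present[name]!r}, expected {expected!r}")
    return findings


# Constructed sample: what the scanner flagged (cookie without flags, no headers).
BEFORE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html\r\n"
    "Set-Cookie: UNI_GUI_SESSION_ID=abc123; Path=/\r\n"
    "\r\n<html></html>"
)

# Constructed sample: the same response after applying both of Hayri's changes.
AFTER = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html\r\n"
    "Set-Cookie: UNI_GUI_SESSION_ID=abc123; Path=/; Secure; HttpOnly\r\n"
    "X-Content-Type-Options: nosniff\r\n"
    "X-Frame-Options: SAMEORIGIN\r\n"
    "X-XSS-Protection: 1; mode=block\r\n"
    "\r\n<html></html>"
)

if __name__ == "__main__":
    for label, raw in (("before", BEFORE), ("after", AFTER)):
        print(label, check_response(raw) or ["ok"])
```

Against a live deployment, replace the constructed strings with the head of a real response (for instance from curl -i over HTTPS) and run check_response on it. One caveat worth knowing before the paid scan: X-XSS-Protection is an obsolete header that current browsers ignore, so a scanner may still report its absence as informational, but a Content-Security-Policy is what actually provides that protection today.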
Hayri ASLAN, Posted January 8, 2023

fabiotj said: Hayri, will this change later be incorporated into the uniGUI source, or is it something I'll need to do every time? [...]

Hello,

Yes, we will work on this and we will add all required headers in one of the next builds.
fraxzi, Posted January 9, 2023

Hi,

I tried the pentest-tool and got this:

How to update the jQuery of uniGUI, or is it possible?

Thanks,
Frances
irigsoft, Posted January 9, 2023

fraxzi said: How to update the jQuery of uniGUI, or is it possible?

Look here, there is a solution with editing of the uniGUI system .pas files: http://forums.unigui.com/index.php?/search/&q=jQuery&quick=1

@Hayri ASLAN will help here!

In my practice I disable jQuery because I don't use it.

Edited January 9, 2023 by irigsoft
irigsoft, Posted January 9, 2023

fraxzi said: How to update the jQuery of uniGUI, or is it possible?

If you found a solution, please share it.