Jump to content

Security Vulnerabilities / CSRF / XSS


vbdavie
 Share

Recommended Posts

I will presume that uniGUI utilizes AJAX to do it's communication to the server. I have a concern about vulnerabilities with the framework. There are many types of vulnerabilities. Can anyone please comment on whether or not uniGUI is vulnerable to the CSRF or XSS attacks?  And if so, how to mitigate them?

 

As far as sql injection is concerned, that is more of a programmer carefully crafting their sql statements, so no worries there. IE: Check for ' and replace with '' .... replace apostrophe with two apostrophes.

 

Thanks

Davie

  • Upvote 1
Link to comment
Share on other sites

  • 10 months later...

uniGUI uses Ext.js. As far as I know, ExtJS is vulnerable to all sorts of injection and XSS attacks, unless the programmer is very careful. See:

 

https://www.sencha.com/forum/showthread.php?296844-HTML-injection-attack-against-the-grid-row-s-TR-id-and-dataRecordId-attributes

 

 

Ext.js doesn't do any HTML escaping by default, not just in the table row...

 

HOW UNFORTUNATE, SENCHA

 

That said, uniGUI does a better job at protecting the server from those attacks, at least some vulnerabilities have been fixed throughout the years

 

http://forums.unigui.com/index.php?/topic/3979-javascript-injection-problem-on-form-show

 

But some issues are still open...

 

http://forums.unigui.com/index.php?/topic/6907-unidbgrid-and-form-title-html-injection

http://forums.unigui.com/index.php?/topic/5252-unicode-support-issue-unprintable-chars

 

depending on what kind of software you are developing there are probably workarounds (browse the forums and you will find plenty).
Happy bugging/debugging!

Link to comment
Share on other sites

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

 Share

×
×
  • Create New...