Posted

Hello Dear uniGUI users;


I wanted to share my experience with penetration testing with uniGUI users.

A project I developed for the defense industry with uniGUI was subjected to a 5-day penetration test by a professional company that performs penetration testing. The test was done both with different tools and manually.

A total of 3 findings were found.
- Finding 1: For example, when a file's extension is changed from .exe to .pdf, it allows this type of file to be uploaded.
- Solution 1: Checking the content of the PDF file.

function TfrmEkler.IsDangerousFile(const AStream: TFileStream): Boolean;
const
  DangerousSignatures: array[0..11] of string = (
    '<script', '<%=', '<%@', 'eval(', 'base64_decode', 'system(',
    'iframe', 'onerror=', 'exec(', 'cmd.exe', '/JS', '/JavaScript'
  );
var
  Buffer: TBytes;
  FileContent: string;
  i: Integer;
begin
  Result := False;

  // 1 If the file is large, check only the first 10 KB
  //   (Min comes from the Math unit, which must be in the uses clause)
  SetLength(Buffer, Min(AStream.Size, 10240));
  if Length(Buffer) = 0 then
    Exit; // empty file: nothing to scan, and Buffer[0] would be out of range
  AStream.Position := 0;
  AStream.Read(Buffer[0], Length(Buffer));

  // 2 Convert the binary content to a string and search it for malicious code.
  //   Content and signatures are both lowercased: '/JS' and '/JavaScript'
  //   could otherwise never match the lowercased content.
  FileContent := LowerCase(TEncoding.ANSI.GetString(Buffer));

  for i := 0 to High(DangerousSignatures) do
  begin
    if Pos(LowerCase(DangerousSignatures[i]), FileContent) > 0 then
    begin
      Result := True;
      ShowMessage('Zararlı içerik tespit edildi! Yükleme reddedildi.');
      Exit;
    end;
  end;
end;

procedure TfrmEkler.UploadCompleted(Sender: TObject; AStream: TFileStream);
var
  FileExt, DestName, DestFolder: string;
  MagicBytes: array[0..3] of Byte;
  DestStream: TFileStream;
begin
  // 1 Check the file extension
  FileExt := LowerCase(ExtractFileExt(Upload.Filename));

  // Check whether the extension is .pdf
  if FileExt <> '.pdf' then
  begin
    ShowMessage('Sadece PDF dosyaları yükleyebilirsiniz!');
    Exit;
  end;

  // 2 Check the first 4 bytes of the file (magic bytes)
  if AStream.Size < 4 then
  begin
    ShowMessage('Geçersiz veya bozulmuş dosya!');
    Exit;
  end;

  AStream.Position := 0;  // read from the start
  AStream.Read(MagicBytes, 4);

  // The first 4 bytes of a PDF file must be %PDF (25 50 44 46)
  if not ((MagicBytes[0] = $25) and (MagicBytes[1] = $50) and
         (MagicBytes[2] = $44) and (MagicBytes[3] = $46)) then
  begin
    ShowMessage('Bu bir PDF dosyası değil! Güvenlik nedeniyle reddedildi.');
    Exit;
  end;

  // 3 Check whether the file content is malicious
  if IsDangerousFile(AStream) then
  begin
    ShowMessage('Dosyada zararlı içerik tespit edildi! Yükleme iptal edildi.');
    Exit;
  end;

  // 4 Save the file to a safe folder
  DestFolder := UniServerModule.StartPath + 'FILES\LOQ\';
  DestName := DestFolder + AdayKodu + '_' + ExtractFileName(Upload.Filename);

  try
    DestStream := TFileStream.Create(DestName, fmCreate);
    try
      AStream.Position := 0; // read the file from the start
      DestStream.CopyFrom(AStream, AStream.Size);
    finally
      DestStream.Free;
    end;

    dtIletisim.Edit;
    dtIletisimFileName.AsString := AdayKodu + '_' + Upload.Filename;
    dtIletisim.Post;

    ShowMessage('Dosya başarıyla yüklendi.');
  except
    on E: Exception do
    begin
      ShowMessage('DİKKAT! Yükleme işlemi başarısız oldu. Lütfen tekrar deneyiniz. Hata: ' + E.Message);
      dtIletisimFileName.Clear;
    end;
  end;
end;

- Finding 2: When HTML code such as <h1>loQsoft</h1> or <iframe id="if1" src="https://www.google.com"></iframe> is entered in the fields, it accepts this data.
- Solution 2: Preventing the entry of characters used in HTML code (<, /, >, etc.).

procedure TMainForm.UniFormCreate(Sender: TObject);
begin
  // Inject a browser-side keypress handler that blocks typing of
  // HTML-significant characters: < > & " and '
  UniSession.AddJS(
    'document.addEventListener("keypress", function(e) { ' +
    '  var forbiddenChars = ["<", ">", "&", String.fromCharCode(34), String.fromCharCode(39)]; ' +
    '  if (forbiddenChars.includes(String.fromCharCode(e.which))) { ' +
    '    e.preventDefault(); ' +
    '  } ' +
    '}, true);'
  );
end;

- Finding 3: Using protocols such as TLS 1.0 and SSL v3.0.
- Solution 3: Setting the UniServerModule.SSL.SSLVersion parameters.

In summary, I wanted to share that all the findings are completely related to coding, and no findings were detected that were caused by the uniGUI Framework.

 

Best Regards,

 

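The keypress handler in Finding 2 only sees keys typed in the browser, so the same check has to be enforced on the server, and the data still has to be escaped wherever it is written back into a page. The following is an added example (not uniGUI code and not the poster's code) that puts the server-side twin of that filter beside output encoding; the field values are constructed from the two payloads in the finding plus one legitimate name.

```python
import html

# The characters the client-side keypress handler in Finding 2 blocks.
FORBIDDEN = set('<>&"\'')

def input_is_clean(value: str) -> bool:
    """Server-side twin of the keypress filter. The browser handler only
    sees typed keys; text arriving by paste, autofill or a request sent
    without the browser never triggers it, so the check must also run here."""
    return not (FORBIDDEN & set(value))

def render_text(value: str) -> str:
    """Output encoding: escape at the point the value is written into HTML.
    This keeps legitimate input such as apostrophes and ampersands, while
    <h1> or <iframe> render as inert text rather than as markup."""
    return html.escape(value, quote=True)

def check_field(value: str) -> dict:
    """Show both strategies side by side for one field value."""
    return {"passes_filter": input_is_clean(value), "rendered": render_text(value)}

# Constructed inputs: the two payloads from Finding 2 plus a legitimate name
# that a character block-list wrongly rejects.
SAMPLES = [
    "<h1>loQsoft</h1>",
    '<iframe id="if1" src="https://www.google.com"></iframe>',
    "O'Brien & Sons",
]
```

Run `check_field(s)` over `SAMPLES` to see that the filter rejects all three, while escaping stores the name unchanged and still neutralises the two tags.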
Posted
On 2/19/2025 at 5:25 PM, loQsoft said:

In Windows, all executables start with the 'MZ' characters. It shouldn't take too much time to check that.

Maybe check that first and afterwards do the rest of the tests.

Anyway, very interesting.

Posted

Since I have a DMS (Data Management System) and it is all about files and documents, I have a Pascal unit just for that.
Anyone who will use it can do with it what they want + I don't take any responsibility for any use of this unit.

Add the unit to the uses clause.

Call:

if IsFileTypeAsClaim('c:\aa\a1.mkv' {full file name and path}) then
    showmessage('file is ok.')
else
    showmessage('The file is not of the declared type.');

uCheckFileType.pas

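Finding 1, the 'MZ' reply and the IsFileTypeAsClaim call above all come down to one check: do the bytes match the type the filename claims? The block below is an added example (not the attached uCheckFileType.pas unit, not uniGUI code) of such a check; the signature table, the rejection reasons and the sample files are constructed here. It goes a little beyond the thread by also refusing PDFs that carry script or launch actions anywhere in the file, since the 10 KB cap in the first post can miss an object placed later.

```python
import os
from typing import Optional, Tuple

# Constructed allow-list: claimed extension -> accepted leading byte patterns.
MAGIC = {
    ".pdf": [b"%PDF"],
    ".png": [b"\x89PNG\r\n\x1a\n"],
    ".jpg": [b"\xff\xd8\xff"],
}
# Native executable headers, rejected whatever the extension claims
# ('MZ' is the DOS/PE header mentioned in the reply above).
EXECUTABLE_MAGIC = [b"MZ", b"\x7fELF"]
# PDF name objects that carry scripts or launch actions.
PDF_ACTIVE = [b"/JavaScript", b"/JS", b"/Launch", b"/OpenAction"]

def detect_type(head: bytes) -> Optional[str]:
    """Return the extension whose signature matches the leading bytes, or None."""
    for ext, sigs in MAGIC.items():
        if any(head.startswith(s) for s in sigs):
            return ext
    return None

def is_file_type_as_claimed(filename: str, data: bytes) -> Tuple[bool, str]:
    """Return (accepted, reason). Cheap header checks run first and the
    content scan last, as the reply above suggests."""
    ext = os.path.splitext(filename)[1].lower()
    if ext not in MAGIC:
        return False, f"extension {ext!r} is not allowed"
    if len(data) < 4:  # too short to carry any of the signatures
        return False, "file too short to contain a valid header"
    if any(data.startswith(m) for m in EXECUTABLE_MAGIC):
        return False, "executable header detected"
    actual = detect_type(data[:16])
    if actual != ext:
        return False, f"content is {actual or 'unrecognised'}, claimed {ext}"
    # Scan the whole file, not only the first 10 KB: the PDF object holding
    # /JavaScript or /OpenAction can sit anywhere, including near the end.
    if ext == ".pdf" and any(name in data for name in PDF_ACTIVE):
        return False, "PDF carries JavaScript or launch actions"
    return True, "ok"

# Constructed samples: a renamed executable, a plain PDF, a scripted PDF.
RENAMED_EXE = b"MZ\x90\x00" + b"\x00" * 60
PLAIN_PDF = b"%PDF-1.4\n1 0 obj\n<< /Type /Catalog >>\nendobj\n%%EOF\n"
SCRIPTED_PDF = (b"%PDF-1.7\n1 0 obj\n<< /OpenAction << /S /JavaScript /JS (x) >> >>\n"
                b"endobj\n%%EOF\n")
```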