Security risks

Questions and answers on designing your Servoy solutions, database modelling and other 'how do I do this' that don't fit in any of the other categories

Security risks

Postby aly813 » Fri Jan 08, 2021 5:10 pm

After security risk scan i got 2 threats.
1- 150120 Session Cookie (Authentication Related) Does Not Contain The "secure" Attribute.
2- 150124 Clickjacking - Framable Page.
What can cause this and how to work around it?
Thanks
aly813
 
Posts: 4
Joined: Thu Jun 28, 2018 9:32 pm

Re: Security risks

Postby jcompagner » Fri Jan 08, 2021 5:21 pm

the session cookie needs to be configured in by the container (so tomcat: https://geekflare.com/secure-cookie-flag-in-tomcat/)

the other one i think can also be solved in the container, tomcat has a filer for that

https://support.ptc.com/help/thingworx/ ... omcat.html
Johan Compagner
Servoy
User avatar
jcompagner
 
Posts: 8460
Joined: Tue May 27, 2003 7:26 pm
Location: The Internet

Re: Security risks

Postby aly813 » Mon Feb 01, 2021 7:52 pm

I made the change for cookies but still, The Chrome cookie viewer does not show secure

<session-config>
<session-timeout>30</session-timeout>
<cookie-config>
<http-only>true</http-only>
<secure>true</secure>
</cookie-config>
</session-config>
Last edited by aly813 on Mon Feb 01, 2021 8:32 pm, edited 1 time in total.
aly813
 
Posts: 4
Joined: Thu Jun 28, 2018 9:32 pm

Re: Security risks

Postby jcompagner » Mon Feb 01, 2021 8:13 pm

and you access it through https ?
If you do that you need to check it your self and look correctly at the tomcat/war configurating because the last time i checked this it worked fine
Johan Compagner
Servoy
User avatar
jcompagner
 
Posts: 8460
Joined: Tue May 27, 2003 7:26 pm
Location: The Internet

Re: Security risks

Postby aly813 » Thu Feb 18, 2021 5:21 pm

It seems that the change we made took care of the Cookies problem, however, the new scan report shows this error "150162 Use of JavaScript Library with Known
Vulnerability", it suggests upgrading the jQuery library and TinyMCE the question here Which version we should use for both of them and how we can upgrade.
Keep in mind that we are using Servoy version 2020.3.0.3562.
Thanks
aly813
 
Posts: 4
Joined: Thu Jun 28, 2018 9:32 pm

Re: Security risks

Postby jcompagner » Thu Feb 18, 2021 5:33 pm

those can't be upgraded by a user (not with hacking)
Those updates needs to be done by Servoy, problem is that TinyMCE will for NG1 very likely not be updated anymore.
Johan Compagner
Servoy
User avatar
jcompagner
 
Posts: 8460
Joined: Tue May 27, 2003 7:26 pm
Location: The Internet

Re: Security risks

Postby pbdavis » Thu Feb 18, 2021 7:50 pm

Johan do you have a version of Servoy that does have the security vulnerabilities? They claim you must be at least at 3.5.0 for jQuery and 5.4 for TinyMCE.
Will Servoy fix these vulnerabilities in their LTS version?
Paul Davis
Belcan Engineering Group, LLC
pbdavis
 
Posts: 60
Joined: Thu Nov 30, 2017 5:40 pm
Location: Florida, USA

Re: Security risks

Postby jcompagner » Fri Feb 19, 2021 3:20 pm

i will have a look for 2021.03 to upgrade our libs. (angular,jquery and will also have a look if TinyMCE is possible)

one problem is that i think that the claim "do use jquery 3.5 or later"
can potentially break a lot of components and custom html in an servoy solution. So we need to restore that legacy behavior: https://jquery.com/upgrade-guide/3.5/#d ... the-change
by default for now.
Johan Compagner
Servoy
User avatar
jcompagner
 
Posts: 8460
Joined: Tue May 27, 2003 7:26 pm
Location: The Internet

Re: Security risks

Postby pbdavis » Thu Mar 04, 2021 7:59 pm

After making the suggested changes for Session Cookie and Clickjacking, the Media Field (IMAGE_MEDIA) element stopped working. We can no longer upload images. When you click on the load media folder a pop-up appears with a sad face "website.com refused to connect".
Can anyone help fix the Media Field element?
Paul Davis
Belcan Engineering Group, LLC
pbdavis
 
Posts: 60
Joined: Thu Nov 30, 2017 5:40 pm
Location: Florida, USA

Re: Security risks

Postby jcompagner » Thu Mar 04, 2021 9:11 pm

what is exactly the request you see in the chrome dev tools when you do an upload?
what is the response and request exactly?
Johan Compagner
Servoy
User avatar
jcompagner
 
Posts: 8460
Joined: Tue May 27, 2003 7:26 pm
Location: The Internet

Re: Security risks

Postby pbdavis » Thu Mar 04, 2021 11:06 pm

I'm not sure where to find what you want in the dev tools. Here is the error in the console:
Refused to display 'https://xyz.com/servoy-webclient/?x=68j1QO31odfVcx*YVy9AubrAgt5C49Cm' in a frame because it set 'X-Frame-Options' to 'deny'.
Paul Davis
Belcan Engineering Group, LLC
pbdavis
 
Posts: 60
Joined: Thu Nov 30, 2017 5:40 pm
Location: Florida, USA

Re: Security risks

Postby jcompagner » Thu Mar 04, 2021 11:19 pm

ok then that is only fixable by using X-Frame-Options: SAMEORIGIN
because you need to allow iframes to the same host.
Johan Compagner
Servoy
User avatar
jcompagner
 
Posts: 8460
Joined: Tue May 27, 2003 7:26 pm
Location: The Internet

Re: Security risks

Postby pbdavis » Fri Mar 05, 2021 4:37 pm

Sorry for my ignorance, but could you provide details on what I need to change?
Thanks.
Paul Davis
Belcan Engineering Group, LLC
pbdavis
 
Posts: 60
Joined: Thu Nov 30, 2017 5:40 pm
Location: Florida, USA

Re: Security risks

Postby jcompagner » Fri Mar 05, 2021 5:59 pm

you did change something that did set this:

X-Frame-Options' to 'deny'

and that can't be the change can only be

X-Frame-Options' to 'sameorigin'
Johan Compagner
Servoy
User avatar
jcompagner
 
Posts: 8460
Joined: Tue May 27, 2003 7:26 pm
Location: The Internet

Re: Security risks

Postby pbdavis » Fri Mar 05, 2021 8:06 pm

I don't see anything like that in what I changed. I added the following to the file D:\Servoy_V9.1\application_server\server\webapps\ROOT\WEB-INF\web.xml
Code: Select all
<session-config>
<session-timeout>30</session-timeout>
            <cookie-config>
                        <http-only>true</http-only>
                        <secure>true</secure>
            </cookie-config>   
</session-config>

    <filter>
        <filter-name>httpHeaderSecurity</filter-name>
        <filter-class>org.apache.catalina.filters.HttpHeaderSecurityFilter</filter-class>
        <async-supported>true</async-supported>
        <init-param>
            <param-name>hstsEnabled</param-name>
            <param-value>true</param-value>
        </init-param>
        <init-param>
            <param-name>hstsMaxAgeSeconds</param-name>
            <param-value>31536000</param-value>
        </init-param>
        <init-param>
            <param-name>hstsIncludeSubDomains</param-name>
            <param-value>true</param-value>
        </init-param>
    </filter>
   
    <filter-mapping>
        <filter-name>httpHeaderSecurity</filter-name>
        <url-pattern>/*</url-pattern>
        <dispatcher>REQUEST</dispatcher>
    </filter-mapping>
Paul Davis
Belcan Engineering Group, LLC
pbdavis
 
Posts: 60
Joined: Thu Nov 30, 2017 5:40 pm
Location: Florida, USA

Next

Return to Programming with Servoy

Who is online

Users browsing this forum: Google [Bot] and 10 guests