Question
Direct Web Access Security
We are currently developing an application which utilises the OOTB Direct Web Access functionality. From a security perspective I understand that a once only identifier is generated and this is authenticated and also the external assignment must be static page. However is there any online documentation providing information regarding built in security validation of the form to avoid SQL injection attacks or other similar malicious activities?
Hi
Apart from the above two articles you can check this one also which talks about the known limitations of DWA
As long as you use Report Definitions to run your queries, you don't have to worry about SQL injection in Pega7 because it uses prepared statements for the filter criteria.
You might want to be careful about any custom SQL functions that you use with report definitions (not the OOTB ones) for SQL injections.
The unique id is the hash of the URL sent from the server and if any modification to the URL happens, DWA request is rejected.
Since the URL is fixed, there is no chance of injecting into SQL by tampering the parameter values.
You are right about static web pages. This is true as of 7.2.2.
The features that provide protection for your application against SQLi attacks protect DWA as well. There is nothing special about DWA that make it more vulnerable to SQLi attacks than non-DWA browser users.
I hope you must have found some of the articles related to DWA over PDN. But with regards to security validation of the form to avoid SQL injection attacks or other similar malicious activities, we will look into this and come back.
DWA Reference:
https://pdn.pega.com/how-customize-directed-web-access
https://pdn.pega.com/how-implement-directed-web-access