How to address the security alerts
Daily plenty of security alerts (SECU0001 & SECU0008) are getting logged in alert logs.
SECU0001:-
>> Unexpected properties received in HTTP request : URLAccessDetail ActionTampered Unknown reason
>Unexpected properties received in HTTP request : The following unexpected properties were received in an HTTP request for Thread TABTHREAD1: Declare_pyDisplay.pyDCDisplayState.pyActiveDocumentType
SECU0008:-
Cross Site Request Forgery attack detected and was blocked : URLAccessDetail CSRFAttack Invalid harness ID HID20EAE61BC66F56A8370E25C0CFE498FD.
Any pattern to find the cause of them ? How to address them ?
Thanks,
Brahmesh.
Pegasystems Inc.
US
Brahmesh
You may want to check out the discussion at https://pdn.pega.com/community/pega-product-support/question/understanding-secu0008-alert for more information on the alerts. This discussion includes how to turn off the checking which causes the alerts and why you may not to do so.
Matt
PEG
IN
SECU0001's are often called by systems that replay HTTP traffic. The alert is telling you that the post data and the harness don't match input field properly.
Capgemini
SE
Thanks Mathew for sharing the thread .
The issue is being occurred in 7.1.8 ,so to suppress SECU0008 alert in 7.1.8 ,Can we apply the resolution changes that are mentioned on thread ?
Disable this defense (and the messages) using prconfig or DASS:
DASS: Pega-Engine * security/urlaccessmode with a value of "allow"
prconfig: <env name="security/urlaccessmode" value="allow" />
Pegasystems Inc.
IN
I would suggest you to be very careful with the setting 'security/urlaccessmode' there was a side effect of this setting that I faced in 7.1.7 as below. you will get an error on browser saying No enum constant com.pega.pegarules.session.internal.mgmt.util.URLAccessUtil.ModeSetting."ALLOW"
Not sure about 7.1.8, however I would still suggest you not to configure above setting in DSS, try to use prconfig. In case if you have applied this setting in DSS and faced the same issue then configure the same setting in prconfig.xml file as <env name="security/urlaccessmode" value="warn" /> which will allow you access designer studio and you can change the DSS setting value to Warn.
If you are concerned about CSRF vulnerability, you can use below DSS to prevent the attacks.
security/csrf/secureall and security/csrf/mitigation set to true (in lower case and without any quotes). For more information on CSRF protection please refer to https://pdn.pega.com/configuring-csrf-protection/configuring-csrf-protection
Capgemini
SE
Thanks Arvind ,
- What actions need to be taken whenever we observe this SECU0001 alert ? - "How to address this Alert ?"
- Will there be any functional/UI Impact due to this Alert ? or Is it just for some security reasons ?
- Any sample use case to arise this alert?
Pegasystems Inc.
IN
I think below PDN link will help you answere your queries regarding SECU0001.
https://pdn.pega.com/understanding-secu0001-alert-unexpected-properties-received-http-request
Dont think there will be any impact on functionality as System is not reading these unexpected properties coming in URL and giving alert to inform you that URL is being tempered somehow.