Question

3
Replies
266
Views
EngincanY Member since 2018 68 posts
Tekfen Holding
Posted: April 4, 2019
Last activity: October 2, 2019
Closed

How can we prevent application execute requests include XSS vulnerability ?

Hello,

On security test processes, we have faced XSS vulnerability issue. When a payload added to GET request of DeleteAttachment activity, it becomes executable. You can see the screenshots on attachments. We received screenshots from security consultant company.

While we are researching security articles on Pega, we reached the link below.

https://community.pega.com/knowledgebase/articles/security-settings-prconfigxml-file

There are some categories named SubmitObfuscatedURL, Urlencryption and ErrorOnInvalidThreadName. Article says that all of these 3 categories must be applied before production. And I guess ErrorOnInvalidThreadName is related to our case. (Rejects requests that contain invalid characters in the threadname of the URL that potentially can be malicious, for example, symbol characters.) Or are there other techniques to prevent XSS requests ?

If I apply these settings, how will the applications on production be affected ? And in order to test these settings on test system, how can I create a request that contains a simple javascript function ?

Thanks.

***Edited by Moderator Marissa to update platform capability tags****

***Moderator Edit-Vidyaranjan: Updated SR details***

Pega Platform Security System Administration SR Exists
Moderation Team has archived post
Share this page LinkedIn