Engincan Yildiz (EngincanY)
Posted: April 4, 2019

How can we prevent the application from executing requests that include an XSS vulnerability?

Hello,

During security testing, we have faced an XSS vulnerability issue. When a payload is added to the GET request of the DeleteAttachment activity, it becomes executable. You can see the screenshots in the attachments. We received the screenshots from the security consultant company.

While researching security articles on Pega, we found the link below.

https://community.pega.com/knowledgebase/articles/security-settings-prconfigxml-file

There are some categories named SubmitObfuscatedURL, Urlencryption and ErrorOnInvalidThreadName. The article says that all three of these categories must be applied before production. I guess ErrorOnInvalidThreadName is related to our case (it rejects requests that contain invalid characters in the threadname of the URL that could potentially be malicious, for example, symbol characters). Or are there other techniques to prevent XSS requests?

If I apply these settings, how will the applications in production be affected? And in order to test these settings on the test system, how can I create a request that contains a simple JavaScript function?

Thanks.

***Edited by Moderator Marissa to update platform capability tags***

***Moderator Edit-Vidyaranjan: Updated SR details***
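The two defences the question weighs, rejecting a request whose thread name contains symbol characters (the behaviour the post attributes to ErrorOnInvalidThreadName) and encoding a reflected parameter on output, modelled side by side in an added Python example. This is illustration code, not Pega's implementation; the threadName and attachmentId parameter names, the allowed character set and the sample URLs are assumptions.

```python
import re
from html import escape
from urllib.parse import urlparse, parse_qs

# Allowed thread-name alphabet. The post says the setting rejects "symbol
# characters"; the exact set below is an assumption for this example.
THREAD_NAME_RE = re.compile(r"[A-Za-z0-9_.-]{1,64}")


def thread_name_is_valid(name: str) -> bool:
    """Reject-on-input model: only letters, digits, '_', '.' and '-' pass."""
    return THREAD_NAME_RE.fullmatch(name) is not None


def render_message(value: str) -> str:
    """Encode-on-output model: HTML-escape a parameter before reflecting it."""
    return "<p>Deleting attachment: " + escape(value, quote=True) + "</p>"


def handle_request(url: str) -> dict:
    """Parse a GET URL carrying hypothetical 'threadName' and 'attachmentId'
    parameters and report whether it is accepted and what would be rendered."""
    params = parse_qs(urlparse(url).query, keep_blank_values=True)
    thread = params.get("threadName", [""])[0]
    attachment = params.get("attachmentId", [""])[0]
    if not thread_name_is_valid(thread):
        # Mirrors "error on invalid thread name": the request is refused outright.
        return {"accepted": False, "status": 400, "body": "invalid thread name"}
    # Thread name is clean; the attachment id is still untrusted, so encode it.
    return {"accepted": True, "status": 200, "body": render_message(attachment)}


if __name__ == "__main__":
    # Constructed sample URLs, not taken from the original post.
    samples = (
        "https://example.invalid/app?threadName=STANDARD&attachmentId=A-17",
        "https://example.invalid/app?threadName=%3Cb%3Ex&attachmentId=A-17",
        "https://example.invalid/app?threadName=STANDARD&attachmentId=%3Cimg%20src%3Dx%3E",
    )
    for u in samples:
        print(handle_request(u))
```

The first URL is accepted and rendered as plain text, the second is rejected because its thread name contains markup characters, and the third is accepted but the markup in attachmentId is rendered inert by the output encoding.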
