Question

141 Views

Bala G (BKrishna)
e-Pragati, IN
Member since 2018, 27 posts

Posted: July 18, 2020
Last activity: July 20, 2020

How to fix the HTTP request smuggling security issue in a Pega application?

https://portswigger.net/web-security/request-smuggling

Please find the attached Word document, which contains detailed screenshots.

Step 1: Access the URL and capture the request. https://preprod-myXX.XXXXXX.in/prweb/sso1/ex7EeZQhwqVsPcJXG37rCQ%5B%5B*/!STANDARD

Step 2: Add the duplicate headers and forward the request.

Step 3: The attacker causes part of their front-end request to be interpreted by the back-end server as the start of the next request. It is effectively prepended to the next request, and so can interfere with the way the application processes that request. This is a request smuggling attack, and it can have devastating results. Now forward the request twice or multiple times in order to observe the error message with “status-501, GPOST Method not implemented”.

Any help greatly appreciated.

Thanks,

***Edited by Moderator: Pallavi to update platform capability tags***

Pega Platform 7.3.1, Low-Code App Development, System Administration, Security, Technology Services, Senior System Architect
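The fix for this class of issue is to make request framing unambiguous before a request reaches the back end: the front end (load balancer, reverse proxy, or WAF) must reject or normalise heads that carry both `Content-Length` and `Transfer-Encoding`, duplicate or conflicting `Content-Length` values, obfuscated `Transfer-Encoding` values, or obsolete line folding. The following Python check is an added example, not code from the original post, from Pega, or from PortSwigger; it shows exactly those conditions on a raw request head. The sample requests are constructed and `example.invalid` is a placeholder host.

```python
import re

# Header field-name is an RFC 7230 token; value has optional surrounding whitespace.
_HEADER_RE = re.compile(rb"^([!#$%&'*+\-.^_`|~0-9A-Za-z]+):[ \t]*(.*?)[ \t]*$")


def parse_head(raw: bytes):
    """Split a raw HTTP/1.1 request head (up to the blank line) into the request line
    and a list of (lower-cased name, value) pairs. Raises ValueError on lines that a
    strict parser must not accept, since lenient parsing is what enables a desync."""
    head = raw.split(b"\r\n\r\n", 1)[0]
    lines = head.split(b"\r\n")
    request_line, headers = lines[0], []
    for line in lines[1:]:
        if line.startswith((b" ", b"\t")):
            raise ValueError("obsolete line folding")  # obs-fold: reject, do not unfold
        m = _HEADER_RE.match(line)
        if not m:
            raise ValueError("malformed header line: %r" % line)
        headers.append((m.group(1).lower(), m.group(2)))
    return request_line, headers


def smuggling_findings(raw: bytes) -> list:
    """Return the reasons this request head could be framed differently by two HTTP
    parsers (front end vs. back end). An empty list means the framing is unambiguous."""
    try:
        _, headers = parse_head(raw)
    except ValueError as e:
        return [str(e)]
    findings = []
    cl = [v for n, v in headers if n == b"content-length"]
    te = [v for n, v in headers if n == b"transfer-encoding"]
    if len(cl) > 1:
        findings.append(("conflicting " if len(set(cl)) > 1 else "")
                        + "duplicate Content-Length headers")
    for v in cl:
        if not re.fullmatch(rb"[0-9]+", v):
            findings.append("non-numeric Content-Length: %r" % v)
    if cl and te:
        findings.append("both Content-Length and Transfer-Encoding present (CL.TE / TE.CL ambiguity)")
    if len(te) > 1:
        findings.append("duplicate Transfer-Encoding headers")
    for v in te:
        # Stricter than the RFC on purpose: anything but the exact token "chunked"
        # (e.g. "xchunked", "chunked\x0b", " chunked,identity") is treated as obfuscation.
        if v != b"chunked":
            findings.append("Transfer-Encoding is not exactly 'chunked': %r" % v)
    return findings


# Constructed sample heads: one unambiguous, one carrying both framing headers.
CLEAN = b"POST /prweb/sso1 HTTP/1.1\r\nHost: example.invalid\r\nContent-Length: 4\r\n\r\nabcd"
AMBIGUOUS = (b"POST /prweb/sso1 HTTP/1.1\r\nHost: example.invalid\r\n"
             b"Content-Length: 6\r\nTransfer-Encoding: chunked\r\n\r\n")
```

A front end that drops or 400s any request with a non-empty findings list cannot be used to desynchronise the back end, whichever of the two headers each side would otherwise prefer.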