Posted: 19 Oct 2016 15:31 EDT Last activity: 10 Nov 2016 5:20 EST
How to limit the Activities that can be run from a Pega Mashup screen
I couldn't find any documentation on PDN with regard to how to limit the activities that can be run from a Pega Mashup screen. I vaguely recall seeing some old documentation related to some configuration in prConfig.xml, but I couldn't find it on PDN anymore.
Our Pega screen is embedded in a WebSphere portal page which is exposed to the internet, so the page is subject to simple hacks such as updating the iframe URL to call another activity.
***Updated by Moderator: Vidyaranjan| Included categories***
You can have a CSRF setting enabled (we have DSS) to fix your issue.
The following dynamic system settings have been introduced to address the CSRF issue:
security/csrf/securedActivities – comma-separated list. The format for the list of activities would be Data-Admin-Operator-ID.AddNewOperator, PegaAccel-Task-GenerateApp.CreateAllOperatorIds, Data-Admin-.pzCreateOperator
security/csrf/securedStreams – comma-separated list. The format for the list of streams would be @baseclass.ActionPreviousOperator, @baseclass.Operator-MenuPassword
(It is better to avoid the class names, which only means more coverage.)
security/csrf/validreferers – comma-separated host names. This setting specifies the valid referers the incoming requests can have. Sample value: http://wrupaaw7,http://wrupaaw7:8080
security/csrf/mitigation – the switch used to toggle the "CSRF mitigation using referer validation" feature on or off. Default value is FALSE. Sample value: TRUE
security/csrf/secureall – indicates that all activities and streams are secured; no exceptions.
An AES alert with code SECU0008 would be raised for CSRF attack suspects.
Using security/csrf/secureall=true is too restrictive.
For the list of secured activities, it is recommended to use the SQL below to identify those needing to be added to the setting. Primarily, though, you need to secure activities that can be triggered by a user or have 'May Start' checked. Depending on the number of activities in the system this could be a large entry in the DSS.
To determine which activities qualify you can run a query similar to this:
SELECT DISTINCT(pyrulename) FROM rulesschema.pr4_rule WHERE pxobjclass = 'Rule-Obj-Activity' AND PYRULEAVAILABLE IN ('Yes','Final') AND PYINPUTMAYSTART = 'true'
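The referer-validation logic the settings above describe, as an added example that is not Pega's code and not from this thread: a small Python model that reads the DSS keys listed in the answer and decides whether a request for an activity or stream is allowed, or should be treated as a SECU0008 suspect. The matching rules (an entry without a class name covers every class; referers compared as scheme, host and port rather than as a string prefix) and the sample requests are assumptions made for the example.

```python
# Model of the CSRF referer-validation settings described in the answer above.
# Constructed example: it is not Pega's implementation, only the decision logic
# the DSS keys imply. Matching rules and sample values are assumptions.
from urllib.parse import urlsplit

ALERT_CSRF_SUSPECT = "SECU0008"   # alert code the answer says AES raises

# Constructed DSS values, using the keys and sample values from the answer.
SETTINGS = {
    "security/csrf/mitigation": "TRUE",
    "security/csrf/secureall": "FALSE",
    "security/csrf/securedActivities":
        "Data-Admin-Operator-ID.AddNewOperator,"
        "PegaAccel-Task-GenerateApp.CreateAllOperatorIds,"
        "Data-Admin-.pzCreateOperator",
    "security/csrf/securedStreams":
        "@baseclass.ActionPreviousOperator,@baseclass.Operator-MenuPassword",
    "security/csrf/validreferers": "http://wrupaaw7,http://wrupaaw7:8080",
}


def _csv(value):
    """Split a comma-separated DSS value into a set of trimmed entries."""
    return {item.strip() for item in value.split(",") if item.strip()}


def _enabled(settings, key):
    return settings.get(key, "FALSE").strip().upper() == "TRUE"


def _origin(url):
    """(scheme, host, port) of a URL, or None if it cannot be parsed.

    Comparing origins exactly is the point: a prefix match on
    'http://wrupaaw7' would also accept 'http://wrupaaw7.attacker.example'.
    """
    try:
        parts = urlsplit(url)
        if not parts.scheme or not parts.hostname:
            return None
        port = parts.port or {"http": 80, "https": 443}.get(parts.scheme.lower())
        return (parts.scheme.lower(), parts.hostname.lower(), port)
    except ValueError:          # e.g. a non-numeric port in the header
        return None


def is_secured(settings, kind, class_name, rule_name):
    """True if the activity ('activity') or stream ('stream') needs referer validation."""
    if _enabled(settings, "security/csrf/secureall"):
        return True
    key = ("security/csrf/securedActivities" if kind == "activity"
           else "security/csrf/securedStreams")
    for entry in _csv(settings.get(key, "")):
        cls, _, name = entry.rpartition(".")
        # Assumption: an entry with no class name applies to every class,
        # which is the "more coverage" the answer mentions.
        if name == rule_name and cls in ("", class_name):
            return True
    return False


def check_request(settings, kind, class_name, rule_name, referer):
    """Return (allowed, alert_code) for one incoming request."""
    if not _enabled(settings, "security/csrf/mitigation"):
        return True, None                      # feature switched off
    if not is_secured(settings, kind, class_name, rule_name):
        return True, None                      # not in the secured lists
    valid = {_origin(u) for u in _csv(settings.get("security/csrf/validreferers", ""))}
    valid.discard(None)
    if referer and _origin(referer) in valid:
        return True, None
    return False, ALERT_CSRF_SUSPECT           # missing or foreign referer


if __name__ == "__main__":
    requests = [  # constructed requests: (kind, class, rule, Referer header)
        ("activity", "Data-Admin-Operator-ID", "AddNewOperator", "http://wrupaaw7:8080/prweb/IAC"),
        ("activity", "Data-Admin-Operator-ID", "AddNewOperator", "http://wrupaaw7.attacker.example/"),
        ("activity", "Data-Admin-Operator-ID", "AddNewOperator", None),
        ("stream", "@baseclass", "Operator-MenuPassword", "https://wrupaaw7/"),
        ("activity", "Work-", "ShowCaseSummary", None),
    ]
    for kind, cls, rule, ref in requests:
        print(kind, f"{cls}.{rule}", ref, "->", check_request(SETTINGS, kind, cls, rule, ref))
```

Two things the model makes visible. First, the referer list has to be matched on the full origin (scheme, host and port): the sample value http://wrupaaw7 must not accept https://wrupaaw7 or http://wrupaaw7.attacker.example, which a naive prefix comparison would. Second, a Referer header can be absent (browser privacy settings, some proxies) or forged by any non-browser client, so this check only establishes that a browser request came from one of your own pages; it is a CSRF mitigation, not a substitute for the access-group, role and privilege controls that decide what an unauthenticated mashup user may run.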
From what I understood, this is a CSRF mitigation solution, but my scenario is different: rather than guarding the authenticated user from third-party attacks, this screen is open to any unauthenticated user on the internet, so I want to create some kind of whitelist of activities that can be executed, and any attempt to execute any other activity will be prohibited.
Securing applications (including activities) in Pega 7 is done using the core platform security features including the Pega Access Manager, operator access groups (including rule security mode configuration), roles and privileges. There are no Pega Web Mashup (formerly known as IAC) specific features for application security along the lines of what I believe you're asking about. Lastly, the Pega 7 Platform is secure by default from XSS, CSRF and other common attacks when applications are built in a guardrails compliant manner.