We recently performed a pen test on the AES server and found a couple of issues related to XSS. Please find the descriptions below.
Issue 1: Cross-site scripting (reflected)
Mitigation step: Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Issue 2: Cross-site scripting (reflected)
Mitigation step: In most situations where user-controllable data is copied into application responses, cross-site scripting attacks can be prevented using two layers of defenses.
We scanned the results in Hotfix Manager and found HFix-36540 was 'critical missing'. Kindly advise if HFix-36540 will solve both of the above-mentioned issues.
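As an added illustration of what the two mitigation descriptions in the post above refer to (this is not code from the original post, the pentest report, or the Pega/AES application): a constructed page fragment that echoes a user-supplied name into a JavaScript string literal, beside the same fragment with the two layers of defence the second finding mentions, an allow-list validation of the input and context-aware output encoding for the script context. The function names `renderVulnerable`, `validateName`, `jsStringLiteral`, the attacker payload and the name-format rule are assumptions made for the example.

```javascript
// Added example (not Pega/AES code): reflected XSS in a <script> context and
// the two-layer defence of input validation plus context-aware output encoding.

// Constructed attacker input: closes the JS string literal and the <script>
// block, then opens a new script block of its own.
const ATTACKER_INPUT = '";</script><script>alert(1)//';

// Vulnerable: user data is echoed verbatim into a JavaScript string literal.
// This is the "echoing user-controllable data within a script context" case.
function renderVulnerable(name) {
  return `<script>var user = "${name}";</script>`;
}

// Layer 1: input validation. Assumed rule for this example: a display name is
// at most 64 characters from a small allow-list. Anything else is rejected.
function validateName(name) {
  if (typeof name !== 'string' || name.length === 0 || name.length > 64) return null;
  return /^[A-Za-z0-9 _.-]+$/.test(name) ? name : null;
}

// Layer 2: output encoding for the JavaScript-string context. JSON.stringify
// quotes and escapes the value; the extra replacements turn <, >, & and the
// JS line terminators U+2028/U+2029 into \uXXXX escapes, so the HTML parser
// can never see a premature "</script>" inside the literal.
function jsStringLiteral(value) {
  return JSON.stringify(String(value))
    .replace(/</g, '\\u003c')
    .replace(/>/g, '\\u003e')
    .replace(/&/g, '\\u0026')
    .replace(/\u2028/g, '\\u2028')
    .replace(/\u2029/g, '\\u2029');
}

// Encoding alone: stops the break-out, but still echoes attacker-chosen text.
function renderEncodedOnly(name) {
  return `<script>var user = ${jsStringLiteral(name)};</script>`;
}

// Both layers: reject what does not match the expected format, and encode
// what is accepted for the exact context it lands in.
function renderHardened(name) {
  const safeName = validateName(name);
  if (safeName === null) {
    return '<p>Invalid name.</p>'; // reject rather than echo
  }
  return `<script>var user = ${jsStringLiteral(safeName)};</script>`;
}

// Check used by the demo: the template contains exactly one "</script";
// any additional occurrence means the input broke out of the script block.
function breaksOutOfScript(html) {
  return (html.match(/<\/script/gi) || []).length > 1;
}

function demo() {
  const vuln = renderVulnerable(ATTACKER_INPUT);
  const enc = renderEncodedOnly(ATTACKER_INPUT);
  const hard = renderHardened(ATTACKER_INPUT);
  console.log('vulnerable  :', vuln, '-> breaks out:', breaksOutOfScript(vuln));
  console.log('encoded only:', enc, '-> breaks out:', breaksOutOfScript(enc));
  console.log('both layers :', hard, '-> breaks out:', breaksOutOfScript(hard));
  console.log('benign input:', renderHardened('Alice'));
}

demo();
```

The point of showing the encoding-only variant separately is that the second finding's "two layers" is not redundancy for its own sake: the encoding is what makes the script context safe, while the validation keeps attacker-chosen strings out of the response entirely, which also covers places where the encoding was forgotten.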
The hotfix you have referenced is specific to Pega 73 and provides protection against unauthorized execution of rule export, file download and the schema modification wizard. It is not a general purpose hotfix for any XSS issues, nor is it specific to or related to the AES application. If you have specific issues from a vulnerability assessment I suggest you upload findings to Pega support for review and discussion.
Please do let us know the SR# in case you end up creating an SR with Pega Support to have this discussed in detail. We will track the SR through this post and update it once a resolution is agreed upon.
Thanks! I see that the SR provided you with HFix-36540, as you had requested only that one hotfix. However, in the reply above, Andy mentioned that "this hotfix is not a general purpose hotfix for any XSS issues, nor is it specific to or related to the AES application. If you have specific issues from a vulnerability assessment I suggest you upload findings to Pega support for review and discussion."
Do you have a specific issue? If yes, do you plan to create an SR for it as suggested? Or did HFix-36540 serve your purpose?
Point 1: The reason I raised SR-C2442 is that I found some 'critical missing' hotfixes related to XSS in the hotfix scan results. I requested it and received the file, but I haven't imported the hotfix yet (I could not access the file at the specified path; I have reopened the ticket to get the file again). Kindly advise if you could help with this.
Point 2: After installation, we did a pen test on the AES server and found 2 issues related to XSS, which I described in detail earlier. Kindly advise whether I can use HFix-36540 to resolve either of the 2 issues, or whether I need separate SRs for both pen test issues.
Thank you for the clarification. You are going the right way on the SR! From Andy's response above, I'm thinking you would have to create a new SR for the issues related to XSS. However, I'd advise you to complete applying the hotfix and see how your system responds before raising new SRs.