Question
Bradesco Seguros
BR
Last activity: 13 Mar 2025 10:18 EDT
To address vulnerabilities related to the OWASP A3_2017-Sensitive_Data_ directive
Hello All, hope you're all doing well.
We are currently facing an issue that still isn't very clear on how to resolve, even after raising a support ticket with Pega.
According to our security team, the Pega applications have a vulnerability gap related to the OWASP A3_2017-Sensitive_Data_ directive.
A test was conducted using the Pentest tool, and it was identified that when filling out a form in one of our applications, the information becomes visible. By using browser debugging tools, we can see, as shown in the attached image, in the Network tab, the content of the form request payload in plain text.
According to our security team, this information must be encrypted or masked. We understand that applying the Data Encryption configuration within the platform will be sufficient for addressing the issue of data storage in the database. However, regarding this point of the web form and communication with the backend for processing, it doesn't seem feasible—or am I mistaken? I need an idea, some guidance, to help resolve this issue
Regards.
Accepted Solution
Updated: 13 Mar 2025 10:24 EDT
Pegasystems Inc.
GB
@GuiValino1984 please can you confirm the support ticket you raised for this issue?
Ticket INC-C11560 (To address vulnerabilities related to the OWASP A3_2017-Sensitiv) is still open and you were given the following update:
- The data captured from the browser network trace is in plain text.
- This data is transmitted via HTTPS and is encrypted using a public certificate key.
- Only the server possessing the private certificate key can decrypt this data.
Pentest tools typically employ what is known as a man-in-the-middle attack, such as Burp Suite.
This tool establishes a proxy and launches a browser that connects to this proxy. When the browser accesses a website, the proxy can read the data in plain text by substituting the actual certificate with its own.
For more information on man-in-the-middle attacks, please refer to this article: What Is a Man-in-the-Middle (MITM) Attack? | IBM
Additionally, please review this article from Pega: Fortifying Pega Cloud Applications: A Comprehensive Security Guide | Support Center
From a Pega-perspective, please familiarize with our documentation:
@GuiValino1984 please can you confirm the support ticket you raised for this issue?
Ticket INC-C11560 (To address vulnerabilities related to the OWASP A3_2017-Sensitiv) is still open and you were given the following update:
- The data captured from the browser network trace is in plain text.
- This data is transmitted via HTTPS and is encrypted using a public certificate key.
- Only the server possessing the private certificate key can decrypt this data.
Pentest tools typically employ what is known as a man-in-the-middle attack, such as Burp Suite.
This tool establishes a proxy and launches a browser that connects to this proxy. When the browser accesses a website, the proxy can read the data in plain text by substituting the actual certificate with its own.
For more information on man-in-the-middle attacks, please refer to this article: What Is a Man-in-the-Middle (MITM) Attack? | IBM
Additionally, please review this article from Pega: Fortifying Pega Cloud Applications: A Comprehensive Security Guide | Support Center
From a Pega-perspective, please familiarize with our documentation:
Mitigating common security vulnerabilities
Pegasystems Inc.
US
An answer has already been provided in INC-C11560. If you have further questions, please update the INC.
Thank you.
- Michael