Skip to main content

This content is closed to future replies and is no longer being maintained or updated.
Links may no longer function. If you have a similar request, please write a new post.

Question

 Nandhinee Karunanithi (NandhineeK)
Inautix Technologies

Inautix Technologies
IN
NandhineeK Member since 2013 3 posts
Inautix Technologies
Posted: Mar 26, 2021
Last activity: Mar 31, 2021
Posted: 26 Mar 2021 2:00 EDT
Last activity: 31 Mar 2021 5:27 EDT
Closed

Cross-Site Request Forgery

Can someone guide me how to fix Cross-Site Request Forgery (CSRF) vulnarablity in pega 7.4. Is

To see attachments, please log in.
Pega Platform 7.4
Security
Consumer Services
System/Cloud Ops Administrator

Posted: 3 years ago
Posted: 27 Mar 2021 5:59 EDT
Hoyath Ali (Hoyath Ali)
Bluevoir
Principle Engineer
Bluevoir
IN

@NandhineeK

I guess 7.4 doesn't have a landing page for configuring csrf

You can make use of the following DSS(RS: Pega-Engine). (Requires server restart to take effect)

security/csrf/securedActivities – comma separated list; The format for list of activities would be Data-Admin-Operator-ID.AddNewOperator, PegaAccel-Task-GenerateApp.CreateAllOperatorIds, Data-Admin-.pzCreateOperator  

security/csrf/securedStreams - comma separated list; The format for the list of streams would be @baseclass.ActionPreviousOperator, @baseclass.Operator-MenuPassword

security/csrf/validreferers - comma separated host names. This setting specifies the valid referers the incoming requests can have. sample value: http://wrupaaw7,http://wrupaaw7:8080

security/csrf/mitigation - the switch used to toggle the "CSRF mitigation using referer validation" feature on or off. The default value is FALSE sample value: TRUE

security/csrf/secureall - Indicates that all activities and streams are secured – no exceptions.

Note: There might be changes(addition of new ones) in DSS over the versions. Please do check as per the version. 

To see attachments, please log in.
Posted: 3 years ago
Posted: 31 Mar 2021 5:27 EDT
Nandhinee Karunanithi (NandhineeK)
Inautix Technologies

Inautix Technologies
IN

@Hoyath yes  below change resolved the issue

 

Solution type: Local Change - Pega Rule Solution description: Requested user to correct the DSS as mentioned below. security/csrf/secureall = true security/urlaccessmode = allow security/csrf/mitigation = true  

To see attachments, please log in.

We'd prefer it if you saw us at our best.

Pega Collaboration Center has detected you are using a browser which may prevent you from experiencing the site as intended. To improve your experience, please update your browser.

Close Deprecation Notice