CSRF Protection
Our cybersecurity team scanned our PEGA 7.2.2 Dev environment. The results show a medium vulnerability for ‘HTML form without CSRF protection’. After reading the PDN article, PEGA recommends implementing the following settings.
- security/csrf/secureall
- security/csrf/mitigation
- XML/AllowDocTypes
After adding these settings and restarting server, our cybersecurity team performed another scan. However, the results were the same. Can anyone help us understand how to remedy the issue…
PEGA Articles:
- https://community.pega.com/knowledgebase/articles/security/configuring-csrf-protection
- https://community.pega.com/knowledgebase/articles/security/dynamic-system-settings-application-security
***Moderator Edit-Vidyaranjan: Updated SR details***
Pegasystems Inc.
US
Hi Henry,
Please open up a support request and include the vulnerability report. A GCS support engineer will be better able to assist as to what is going on with those details. Once you open the support request, please reply here with the SR #.
BPM Company
NL
After enabling CSRF protection in Pega, can you see a CSRF token in any URL of your application?
If no, something went wrong with your configuration.
If yes, then your security team's script is not valid. (don't blame all the time Pega, sometimes other technologies could be wrong :))
Pegasystems Inc.
US
Hi Henry,
The link here has an example of the token: https://community.pega.com/knowledgebase/articles/security/configuring-csrf-protection
http://wpegaw7:8080/prweb/PRServlet/TAHJBMlezN2PlS_vY7_FYDZ_YYZfLifF*/!@ae520a0ced4965ca3b79b12289f8676b!STANDARD?...
ae520a0ced4965ca3b79b12289f8676b – The token, which is checked by the Pega 7 Platform for validation.
Hi Henry,
The link here has an example of the token: https://community.pega.com/knowledgebase/articles/security/configuring-csrf-protection
http://wpegaw7:8080/prweb/PRServlet/TAHJBMlezN2PlS_vY7_FYDZ_YYZfLifF*/!@ae520a0ced4965ca3b79b12289f8676b!STANDARD?...
ae520a0ced4965ca3b79b12289f8676b – The token, which is checked by the Pega 7 Platform for validation.
The reason for having you open an SR is so that your security details are not added to the posting and it can be reviewed for what the issue truly is.
Veteran Careers First
US
After looking at this example it appears our URL in our dev environment has the token. I also compared our Dev environment with our QA environment. The QA does not because CSRF was not implemented so that makes sense...so far. Our Dev does appear to have token so maybe it's not a PEGA issue. But I will look deeper to confirm my understanding of the issue.