Skip to main content

This content is closed to future replies and is no longer being maintained or updated.
Links may no longer function. If you have a similar request, please write a new post.

Question

 Sowmya Patllola (SowmyaP37)
Amazon.com Inc

Amazon.com Inc
IN
SowmyaP37 Member since 2021 5 posts
Amazon.com Inc
Posted: Jan 24, 2022
Last activity: Jan 24, 2022
Posted: 24 Jan 2022 8:14 EST
Last activity: 24 Jan 2022 9:34 EST
Closed

Getting cross site forgery attack error

Hi, 

We are facing cross site forgery attack for one of the user when the user is trying to open the assignment link from the email. When opened the link from the email, portal is not getting launched. observed "Cross Site Request Forgery attack detected and was blocked" exception in security logs.

Can anyone please help us how to proceed further in fixing this issue.

Thanks.

 

***Edited by Moderator Marije to change type from General to Product, added Product details and Capability tags****
To see attachments, please log in.
Pega Platform
User Experience
Security
Case Management
Other Industry

Posted: 3 years ago
Posted: 24 Jan 2022 9:34 EST
Marije Schillern (MarijeSchillern)
MOD
Senior Knowledge Management Specialist
Pegasystems Inc.
GB

@SowmyaP37 

SECU0008

Cross-Site Request Forgery (CSRF) is a type of attack that occurs when a malicious Web site, email, blog, instant message, or program causes a user's Web browser to perform an unwanted action on a trusted site for which the user is currently authenticated.

See the available documentation:

https://docs-previous.pega.com/pega-customer-service-implementation-guide/85/cross-site-request-forgery-csrf

https://docs-previous.pega.com/security/85/enabling-and-configuring-cross-site-request-forgery-settings

https://collaborate.pega.com/question/understanding-secu0008-alert

What is the exact content of the message? It's usually straightforward to map it to the Content Security Policy item to analyze.

--> You may want to check the URL you are using within the Email to check that the CSS, activities etc are all allowed. 

 When you are using "OpenAssignment" in pyMobileSnapStart, you must pass these 2 parameters correctly in the URL -

  • InsHandle - This is the pzInsKey of the assignment (Starts with something like ASSIGN-WORKLIST XYZ_FLOW)
  • InsClass - The class of the assignment (Starts with Assign-)

Construct these 2 parameters correctly and test.

See this discussion

Show More

@SowmyaP37 

SECU0008

Cross-Site Request Forgery (CSRF) is a type of attack that occurs when a malicious Web site, email, blog, instant message, or program causes a user's Web browser to perform an unwanted action on a trusted site for which the user is currently authenticated.

See the available documentation:

https://docs-previous.pega.com/pega-customer-service-implementation-guide/85/cross-site-request-forgery-csrf

https://docs-previous.pega.com/security/85/enabling-and-configuring-cross-site-request-forgery-settings

https://collaborate.pega.com/question/understanding-secu0008-alert

What is the exact content of the message? It's usually straightforward to map it to the Content Security Policy item to analyze.

--> You may want to check the URL you are using within the Email to check that the CSS, activities etc are all allowed. 

 When you are using "OpenAssignment" in pyMobileSnapStart, you must pass these 2 parameters correctly in the URL -

  • InsHandle - This is the pzInsKey of the assignment (Starts with something like ASSIGN-WORKLIST XYZ_FLOW)
  • InsClass - The class of the assignment (Starts with Assign-)

Construct these 2 parameters correctly and test.

See this discussion

https://collaborate.pega.com/question/open-case-url-email-body

https://collaborate.pega.com/question/how-address-security-alerts

https://collaborate.pega.com/question/user-should-be-able-launch-assignment-email

 

 

Show Less
To see attachments, please log in.

Related content:

Related content has not currently been identified for this post.

We'd prefer it if you saw us at our best.

Pega Collaboration Center has detected you are using a browser which may prevent you from experiencing the site as intended. To improve your experience, please update your browser.

Close Deprecation Notice