Getting cross site forgery attack error
Hi,
We are facing cross site forgery attack for one of the user when the user is trying to open the assignment link from the email. When opened the link from the email, portal is not getting launched. observed "Cross Site Request Forgery attack detected and was blocked" exception in security logs.
Can anyone please help us how to proceed further in fixing this issue.
Thanks.
Pegasystems Inc.
GB
SECU0008
Cross-Site Request Forgery (CSRF) is a type of attack that occurs when a malicious Web site, email, blog, instant message, or program causes a user's Web browser to perform an unwanted action on a trusted site for which the user is currently authenticated.
See the available documentation:
https://docs.pega.com/pega-customer-service-implementation-guide/85/cross-site-request-forgery-csrf
https://docs.pega.com/security/85/enabling-and-configuring-cross-site-request-forgery-settings
https://collaborate.pega.com/question/understanding-secu0008-alert
What is the exact content of the message? It's usually straightforward to map it to the Content Security Policy item to analyze.
--> You may want to check the URL you are using within the Email to check that the CSS, activities etc are all allowed.
When you are using "OpenAssignment" in pyMobileSnapStart, you must pass these 2 parameters correctly in the URL -
- InsHandle - This is the pzInsKey of the assignment (Starts with something like ASSIGN-WORKLIST XYZ_FLOW)
- InsClass - The class of the assignment (Starts with Assign-)
Construct these 2 parameters correctly and test.
See this discussion
SECU0008
Cross-Site Request Forgery (CSRF) is a type of attack that occurs when a malicious Web site, email, blog, instant message, or program causes a user's Web browser to perform an unwanted action on a trusted site for which the user is currently authenticated.
See the available documentation:
https://docs.pega.com/pega-customer-service-implementation-guide/85/cross-site-request-forgery-csrf
https://docs.pega.com/security/85/enabling-and-configuring-cross-site-request-forgery-settings
https://collaborate.pega.com/question/understanding-secu0008-alert
What is the exact content of the message? It's usually straightforward to map it to the Content Security Policy item to analyze.
--> You may want to check the URL you are using within the Email to check that the CSS, activities etc are all allowed.
When you are using "OpenAssignment" in pyMobileSnapStart, you must pass these 2 parameters correctly in the URL -
- InsHandle - This is the pzInsKey of the assignment (Starts with something like ASSIGN-WORKLIST XYZ_FLOW)
- InsClass - The class of the assignment (Starts with Assign-)
Construct these 2 parameters correctly and test.
See this discussion
https://collaborate.pega.com/question/open-case-url-email-body
https://collaborate.pega.com/question/how-address-security-alerts
https://collaborate.pega.com/question/user-should-be-able-launch-assignment-email