How can we prevent the application from executing requests that include an XSS vulnerability?
Hello,
During security test processes, we have faced an XSS vulnerability issue. When a payload is added to the GET request of the DeleteAttachment activity, it becomes executable. You can see the screenshots in the attachments. We received the screenshots from a security consultant company.
While we were researching security articles on Pega, we reached the link below.
https://community.pega.com/knowledgebase/articles/security-settings-prconfigxml-file
There are some categories named SubmitObfuscatedURL, Urlencryption and ErrorOnInvalidThreadName. The article says that all 3 of these categories must be applied before production. And I guess ErrorOnInvalidThreadName is related to our case. (It rejects requests that contain invalid characters in the thread name of the URL that can potentially be malicious, for example symbol characters.) Or are there other techniques to prevent XSS requests?
If I apply these settings, how will the applications in production be affected? And in order to test these settings on the test system, how can I create a request that contains a simple JavaScript function?
Thanks.
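The post describes two ideas worth seeing side by side: rejecting a URL thread name that contains symbol characters (the behaviour the linked article attributes to ErrorOnInvalidThreadName) and the more general defence of HTML-encoding any request value before it is reflected into a page. The following is an added illustration, not code from the post or from Pega; the `thread` query parameter, the allow-list rule and the sample requests are constructed assumptions.

```python
"""Two layers against reflected XSS in a GET request: reject a malformed thread
name up front, and HTML-encode anything that is echoed back. The parameter
name 'thread', the allow-list and the sample URLs are assumptions, not Pega's
real implementation."""
import html
import re
from urllib.parse import urlsplit, parse_qs

# Assumed allow-list for a thread name: letters, digits, underscore, 1-64 chars.
# Any symbol character (<, >, ", ', &, ...) fails the match.
THREAD_NAME_RE = re.compile(r"[A-Za-z0-9_]{1,64}")


def is_valid_thread_name(name: str) -> bool:
    """True only if the thread name contains no symbol characters."""
    return THREAD_NAME_RE.fullmatch(name) is not None


def render_status(thread_name: str) -> str:
    """Reflect a value into HTML safely: encode on output, never trust input."""
    return f"<p>Thread {html.escape(thread_name, quote=True)} not found</p>"


def handle_request(url: str) -> tuple:
    """Return (HTTP status, response body) for a GET URL with a 'thread' parameter."""
    params = parse_qs(urlsplit(url).query)
    thread = params.get("thread", [""])[0]
    if not is_valid_thread_name(thread):
        # Rejected before the value reaches any activity or the response body,
        # which is the effect the post expects from ErrorOnInvalidThreadName.
        return 400, "<p>Invalid thread name</p>"
    # Even a valid-looking value is encoded when reflected (second layer).
    return 200, render_status(thread)


# Constructed sample requests (not the consultant's screenshots from the post).
BENIGN = "https://example.invalid/prweb?pyActivity=DeleteAttachment&thread=STANDARD"
MARKUP = "https://example.invalid/prweb?pyActivity=DeleteAttachment&thread=<b>x</b>"

if __name__ == "__main__":
    print(handle_request(BENIGN))   # (200, '<p>Thread STANDARD not found</p>')
    print(handle_request(MARKUP))   # (400, '<p>Invalid thread name</p>')
    print(render_status("<b>x</b>"))  # markup arrives encoded, never as a tag
```

Running the block against the constructed URLs shows the markup request stopped at the validation layer and, via `render_status`, how the same value would be neutralised by output encoding if validation were switched off.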