Skip to main content

This content is closed to future replies and is no longer being maintained or updated.
Links may no longer function. If you have a similar request, please write a new post.

Question

 Robert Stephens (RobertS16860954)

US
RobertS16860954 Member since 2023 1 post
Posted: Jan 13, 2020
Last activity: Jan 14, 2020
Posted: 13 Jan 2020 13:09 EST
Last activity: 14 Jan 2020 2:55 EST
Closed

Pega Websocket Security Configuration

Hi Pega Community!

I have done some searching without much luck on this topic: How to secure the websocket traffic that is being used by OOTB PRPushServlet (Platform v8.2.2) - this websocket connection is used in conjunction with the Notification Channels.

A security scan of our application with 3rd party tools alerted us to a Cross Site Websocket Hijacking vector.

It seems the most basic Websocket security steps are not taken by the platform by default (Like white-listing the origin(s) of websocket connection request coming into the server). This can be simply tested here: http://websocket.org/echo.html - URL = ws(s)://<host>:<port>/<root>/PRPushServlet - it connects with no problem.

Is it possible to implement this origin check and any further Websocket security considerations?

Thanks!

***Moderator Edit-Vidyaranjan: Updated SR details***

To see attachments, please log in.
Security
System Administration
Support Case Created

Posted: 4 years ago
Posted: 13 Jan 2020 14:04 EST
Brad Tainter (Br@dTainter_GCS)
PEGA
Fellow, Technical Support, Platform Service
Pegasystems Inc.
US

Hi Rob,

I would suggest opening an SR to have this looked at.  Please provide the vulnerability report on the SR.  Once the SR is created, please reply here with the SR number.

To see attachments, please log in.

We'd prefer it if you saw us at our best.

Pega Collaboration Center has detected you are using a browser which may prevent you from experiencing the site as intended. To improve your experience, please update your browser.

Close Deprecation Notice