Question
TATA CONSULTANCY SERVICES
IN
Last activity: 4 Oct 2018 11:08 EDT
Understanding the SECU0008 Alert
Hi,
- When does the system generate the SECU0008 alert?
- What actions need to be taken whenever we observe this alert? Or, put differently: "How do we address this alert?"
- Will there be any functional/UI impact due to this alert, or is it raised purely for security reasons?
Thanks
Hari Kumar Alampuru
**Moderation Team has archived post**
This post has been archived for educational purposes. Contents and links will no longer be updated. If you have the same/similar question, please write a new post.
Accepted Solution
Try dynamic system setting Pega-Engine.prconfig/security/urlaccessmode/default
See SR-A11177 - waiting to see impact of this setting on a very large CPM system
I believe the notes in the SR (from my email, not gcssupport) are ...
ROOT CAUSE
Pegasystems
IN
SECU0008
Cross-Site Request Forgery (CSRF) is a type of attack that occurs when a malicious Web site, email, blog, instant message, or program causes a user's Web browser to perform an unwanted action on a trusted site for which the user is currently authenticated.
Updated: 27 Nov 2015 4:26 EST
Pegasystems Inc.
IN
Below are the prconfig settings; depending on the PRPC version, availability may vary.
- security/csrf/referervalidation: the switch used to toggle the "CSRF mitigation using referer validation" feature on or off. Default value is FALSE; sample value: TRUE
- security/csrf/validreferers: comma separated host names. This setting specifies the valid referers the incoming requests can have. Sample value: http://wrupaaw7,http://wrupaaw7:8080
- security/csrf/mode: flag to decide how to respond to probable CSRF attacks. Valid values are deny/warn:
  deny - all requests suspected to be CSRF are rejected and also logged to the console. An AES alert SECU0008 is also thrown.
  warn - all requests suspected to be CSRF are processed as usual, but an error message is logged to the console and an alert with code SECU0008 is raised.
- security/csrf/exceptionalActivities: comma separated list of activities that are exempted from CSRF validation. Sample value: Code-Security.LogOff,@baseclass.WBGetRuleXmlWithKeys
- security/csrf/exceptionalStreams: comma separated list of streams that are exempted from CSRF validation. Sample value: CloseAllRules,ShowAllDirtyRules,WebWB_MyFavorites
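To make the deny/warn semantics and the exception lists concrete, here is an added Python model of the settings listed in the reply above. This is example code written for this page, not Pega's implementation. The thread does not say how Pega matches the Referer against validreferers, so the example assumes an exact scheme://host[:port] origin comparison (which is what stops http://wrupaaw7.evil.example from matching http://wrupaaw7 by prefix) and treats a missing Referer header as a suspect request; both are this example's assumptions.

```python
# Added example (not Pega code): a model of the security/csrf/* prconfig
# settings. Assumptions not stated in the thread: the Referer is compared as
# an exact scheme://host[:port] origin, and a missing Referer is suspect.
from dataclasses import dataclass
from typing import Optional, Set
from urllib.parse import urlsplit


def origin_of(url: Optional[str]) -> Optional[str]:
    """Reduce an absolute URL to scheme://host[:port], lower-cased, with the
    scheme's default port dropped. Returns None for relative or empty values."""
    if not url:
        return None
    parts = urlsplit(url.strip())
    if not parts.scheme or not parts.hostname:
        return None
    scheme, host = parts.scheme.lower(), parts.hostname.lower()
    try:
        port = parts.port
    except ValueError:  # e.g. "http://host:abc"
        return None
    if port is None or port == {"http": 80, "https": 443}.get(scheme):
        return f"{scheme}://{host}"
    return f"{scheme}://{host}:{port}"


def _csv(value: str) -> Set[str]:
    """Split a comma separated setting value, ignoring blanks and spaces."""
    return {item.strip() for item in value.split(",") if item.strip()}


@dataclass
class CsrfRefererPolicy:
    referervalidation: bool = False   # security/csrf/referervalidation
    validreferers: str = ""           # security/csrf/validreferers
    mode: str = "warn"                # security/csrf/mode: deny | warn
    exceptionalActivities: str = ""   # security/csrf/exceptionalActivities
    exceptionalStreams: str = ""      # security/csrf/exceptionalStreams

    def __post_init__(self) -> None:
        if self.mode not in ("deny", "warn"):
            raise ValueError("security/csrf/mode must be 'deny' or 'warn'")
        # Normalise the allow-list once so "http://wrupaaw7" and
        # "http://wrupaaw7:80/" compare equal while a longer host name such as
        # "http://wrupaaw7.evil.example" cannot match by prefix.
        self._origins = {o for o in map(origin_of, _csv(self.validreferers)) if o}

    def evaluate(self, referer: Optional[str], activity: Optional[str] = None,
                 stream: Optional[str] = None) -> dict:
        """Decide what happens to one request.
        Returns {'process': bool, 'secu0008': bool, 'reason': str}."""
        if not self.referervalidation:
            return {"process": True, "secu0008": False, "reason": "validation off"}
        if activity in _csv(self.exceptionalActivities) or stream in _csv(self.exceptionalStreams):
            return {"process": True, "secu0008": False, "reason": "on exception list"}
        if origin_of(referer) in self._origins:
            return {"process": True, "secu0008": False, "reason": "referer trusted"}
        reason = "missing referer" if not referer else f"untrusted referer {referer}"
        # Suspected CSRF: both modes raise SECU0008; only deny rejects the request.
        return {"process": self.mode == "warn", "secu0008": True, "reason": reason}


if __name__ == "__main__":
    # Sample values taken from the settings listed in the reply above.
    policy = CsrfRefererPolicy(
        referervalidation=True,
        validreferers="http://wrupaaw7,http://wrupaaw7:8080",
        mode="deny",
        exceptionalActivities="Code-Security.LogOff,@baseclass.WBGetRuleXmlWithKeys",
        exceptionalStreams="CloseAllRules,ShowAllDirtyRules,WebWB_MyFavorites",
    )
    for ref, act in [("http://wrupaaw7:8080/prweb/PRServlet", None),
                     ("http://wrupaaw7.evil.example/prweb/", None),
                     (None, "Code-Security.LogOff"),
                     (None, "@baseclass.pzUpdateClipboardModels")]:
        print(ref, act, "->", policy.evaluate(ref, activity=act))
```

The last case in the demo is the one that produces the alert volume discussed later in this thread: a request with no usable Referer for an activity that is not on the exception list is flagged on every call, and in warn mode it is still processed, so the only visible effect is the SECU0008 alert and the console message.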
TATA CONSULTANCY SERVICES
IN
Thank you both Arvind Malav Rajiv Nistala !!
But I see two Support Articles which say that the CSRFAttack is due to a new parameter introduced as part of the Pega 7.X upgrade, etc. Can someone advise whether this is a Pega bug? Sorry to mix up these two issues. In our customer application we are observing many WARN logs of the kind mentioned in both Support Articles: CSRFAttack Invalid harness ID and CSRFAttack Missing harness ID.
SA-12895
https://community.pega.com/support/support-articles/csrfattack-observed-logs
2015-07-02 08:02:47,851 | WARN | WebContainer : 2 | mgmt.util.URLAccessContext | Msg: URLAccessModeWarn:URLAccessPermitted URLAccessDetail CSRFAttack Invalid harness ID HID821A4B556A3FBBA95E79DE6B1188E97E :From @baseclass.pzUpdateClipboardModels
ROOT CAUSE:
The root cause of this problem is a backward compatibility defect in Pegasystems’ code/rules. A new parameter was added to RedirectAndRun that should be specified in any custom code.
SA-10754
2015-05-28 07:35:56,801 [ WebContainer : 7] [WorkThread] [ SvcDsktp:01.01.44] ( mgmt.util.URLAccessContext) WARN modl-sd.xxxrp.xxxxxx.com|172.xx.43.xxx - URLAccessModeWarn:URLAccessPermitted URLAccessDetail CSRFAttack Missing harness ID :From @baseclass.doUIAction display :CVG 1 0 0 0 0 :MQD className=PegaCA-Portal&CPMAction=ShowCompositeTab&action=display&pyActivity=%40baseclass.doUIAction&harnessName=ContractCompositeHarness&PreDisplayActivity=RefreshComposite
ROOT CAUSE:
The root cause of this problem is defect/misconfiguration in the operating environment.
The reported behavior occurs during negative testing: the user clicks on two links very rapidly, so the AJAX response of the first is not completed before the second is executed, and a transaction mismatch happens.
Thanks
Hari Kumar Alampuru
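Before deciding whether to whitelist or switch the check off, it helps to know which activities and harnesses produce the warnings. The following added Python script (example code for this page, not Pega or AES code) parses the `CSRFAttack <detail> [HID...] :From <activity>` fragment and the optional `:MQD <query>` tail of the URLAccessContext WARN lines quoted above and counts warnings per (detail, activity, harness). The regexes are inferred from only the two lines in this thread and are an assumption about the message layout; the sample input reuses those two lines plus constructed lines of the same shape.

```python
# Added example (not Pega/AES code): triage of URLAccessContext CSRFAttack WARN
# lines. The regexes are an assumption about the message layout, inferred from
# the two log lines quoted in the thread.
import re
from collections import Counter
from typing import Iterable, List, Optional
from urllib.parse import parse_qs

CSRF_RE = re.compile(
    r"URLAccessMode(?P<mode>\w+):\S+ URLAccessDetail CSRFAttack "
    r"(?P<detail>.*?)"                  # 'Invalid harness ID' / 'Missing harness ID'
    r"(?: (?P<hid>HID[0-9A-F]+))?"      # harness ID, present only for the Invalid case
    r" :From (?P<activity>\S+)"         # activity that was being run
)
MQD_RE = re.compile(r":MQD (?P<query>\S+)")  # request query string (second log style only)

# Sample input: the two lines quoted in the thread, followed by constructed
# lines of the same shape (marked) so that the aggregation has something to show.
SAMPLE_LINES = [
    "2015-07-02 08:02:47,851 | WARN | WebContainer : 2 | mgmt.util.URLAccessContext | Msg: URLAccessModeWarn:URLAccessPermitted URLAccessDetail CSRFAttack Invalid harness ID HID821A4B556A3FBBA95E79DE6B1188E97E :From @baseclass.pzUpdateClipboardModels",
    "2015-05-28 07:35:56,801 [ WebContainer : 7] [WorkThread] [ SvcDsktp:01.01.44] ( mgmt.util.URLAccessContext) WARN modl-sd.xxxrp.xxxxxx.com|172.xx.43.xxx - URLAccessModeWarn:URLAccessPermitted URLAccessDetail CSRFAttack Missing harness ID :From @baseclass.doUIAction display :CVG 1 0 0 0 0 :MQD className=PegaCA-Portal&CPMAction=ShowCompositeTab&action=display&pyActivity=%40baseclass.doUIAction&harnessName=ContractCompositeHarness&PreDisplayActivity=RefreshComposite",
    # constructed lines below (not from the thread)
    "2015-07-02 08:02:48,102 | WARN | WebContainer : 3 | mgmt.util.URLAccessContext | Msg: URLAccessModeWarn:URLAccessPermitted URLAccessDetail CSRFAttack Invalid harness ID HID0000000000000000000000000000AB :From @baseclass.pzUpdateClipboardModels",
    "2015-07-02 08:02:49,417 | WARN | WebContainer : 2 | mgmt.util.URLAccessContext | Msg: URLAccessModeWarn:URLAccessPermitted URLAccessDetail CSRFAttack Missing harness ID :From @baseclass.doUIAction display :CVG 1 0 0 0 0 :MQD pyActivity=%40baseclass.doUIAction&harnessName=AccountCompositeHarness",
    "2015-07-02 08:02:50,000 | INFO | WebContainer : 2 | internal.mgmt.Executable | Some unrelated log line (constructed)",
]


def parse_csrf_warning(line: str) -> Optional[dict]:
    """Extract mode, detail, harness ID, activity and (when a :MQD query is
    present) the requested harnessName/pyActivity. None for other lines."""
    m = CSRF_RE.search(line)
    if m is None:
        return None
    record = {"mode": m.group("mode"), "detail": m.group("detail"),
              "hid": m.group("hid"), "activity": m.group("activity"),
              "harness": None, "requested_activity": None}
    q = MQD_RE.search(line)
    if q is not None:
        params = parse_qs(q.group("query"))  # decodes %40 -> '@'
        record["harness"] = params.get("harnessName", [None])[0]
        record["requested_activity"] = params.get("pyActivity", [None])[0]
    return record


def summarize(lines: Iterable[str]) -> Counter:
    """Count warnings per (detail, activity, harness) so the noisiest sources
    surface first; these are the rules to resave, whitelist or investigate."""
    counts: Counter = Counter()
    for line in lines:
        rec = parse_csrf_warning(line)
        if rec is not None:
            counts[(rec["detail"], rec["activity"], rec["harness"])] += 1
    return counts


def report(lines: Iterable[str], top: int = 10) -> List[str]:
    """Human-readable lines, most frequent source first."""
    return [f"{n:6d}  {detail:20s} {activity}  harness={harness}"
            for (detail, activity, harness), n in summarize(lines).most_common(top)]


if __name__ == "__main__":
    print("\n".join(report(SAMPLE_LINES)))
```

On a production log the input would be the file rather than SAMPLE_LINES; the (detail, activity, harness) keys map directly onto the securedActivities/exceptionalActivities lists discussed later in the thread, and a source that shows up thousands of times for ordinary portal navigation is the false-positive pattern the later replies describe.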
TATA CONSULTANCY SERVICES
IN
Does anyone know how to either suppress or resolve these SECU0008 ALERT/WARN messages? We are observing both the WARN and the ALERT messages in huge numbers in the production environment.
Application running on CPM 7.1.3 on Pega 7.1.7
Pegasystems Inc.
US
Hari,
You can change the prconfig settings that Arvind describes above. I would recommend, in a non-production environment, looking into why you are getting the warnings in the first place; in my experience, resaving or updating the old rules that are tripping the warning not only makes the warning go away but also helps eliminate potential security holes. We (SpyVsSpy) did this with PMF a few months back.
Matt
TATA CONSULTANCY SERVICES
IN
Thanks Matthew Morency for the reply. I did verify this setting but was not able to find the configuration in prconfig or in DSS. It looks like this setting is not defined in our application, but we still see these WARN and ALERT messages. Can you please advise further?
Also, I am not sure why we are seeing these messages only after the Pega 7 uplift. Any clue?
Pegasystems Inc.
US
Hari,
I will look more into your first question today and provide an answer.
As for the second question, the CSRF checks and the associated SECU0008 warnings came into Pega 7 only recently.
Matt
Updated: 1 Dec 2015 12:03 EST
Pegasystems Inc.
US
Hari,
I have pasted the documentation on the settings below, you may need to restart to have them take effect:
The following dynamic system settings have been introduced to address the CSRF issue:
- security/csrf/securedActivities - comma separated list; the format for the list of activities would be Data-Admin-Operator-ID.AddNewOperator, PegaAccel-Task-GenerateApp.CreateAllOperatorIds, Data-Admin-.pzCreateOperator
- security/csrf/securedStreams - comma separated list; the format for the list of streams would be @baseclass.ActionPreviousOperator, @baseclass.Operator-MenuPassword
(It is better to avoid the class names, which only means more coverage.)
- security/csrf/validreferers - comma separated host names. This setting specifies the valid referers the incoming requests can have. sample value: http://wrupaaw7,http://wrupaaw7:8080
- security/csrf/mitigation - the switch used to toggle the "CSRF mitigation using referer validation" feature on or off. Default value is FALSE sample value: TRUE
- security/csrf/secureall - Indicates that all activities and streams are secured – no exceptions.
- An AES alert with code SECU0008 would be raised for the CSRF attack suspects.
Sample settings:
- security/csrf/securedActivities: Data-Admin-Operator-ID.AddNewOperator, PegaAccel-Task-GenerateApp.CreateAllOperatorIds, Data-Admin-.pzCreateOperator, ReloadSection,GetLocationInFlow,PegaAccel-Task-DocumentApp.pzDocumentNow,@baseclass.WBGetRuleXmlWithKeys,getCorrInsert,PegaAccel-Task-DocumentApp.pzDocumentNow,@baseclass.WBGetRuleXmlWithKeys,
- security/csrf/securedStreams: @baseclass.ActionPreviousOperator, @baseclass.Operator-MenuPassword, Operator-Profile-ChangePassword
- security/csrf/validreferers: http://wrupaaw7,http://wrupaaw7:8080,https://mail.google.com/mail/?shva=1#inbox,https://mail.google.com,
- DSS security/csrf/mitigation: false
Using security/csrf/secureall=true is too restrictive. For the list of secured activities, it is recommended to use the SQL below to identify those needing to be added to the setting. Primarily, though, you need to secure activities that can be triggered by a user or have 'May Start' checked. Depending on the number of activities in the system this could be a large entry in the DSS. To determine which activities qualify you can run a query similar to this:
- SELECT DISTINCT pyrulename FROM rulesschema.pr4_rule WHERE pxobjclass = 'Rule-Obj-Activity' AND pyruleavailable IN ('Yes', 'Final') AND pyinputmaystart = 'true'
The cross site scripting alerts in 717 are a huge problem when running CPM. Frankly, it does not work: we generate thousands of false positive SECU0008 warnings. Unless someone takes the time and effort to do a full regression test on Pega applications to develop the 'whitelist', it is better to disable the SECU0008 alerts at customer sites, especially since we have no information on PDN about what to do with a SECU0008 and AES does not provide any advice. As of 719 and AES 717, SECU0008 alerts are at best a huge distraction.
Niels Uijttewaal
TATA CONSULTANCY SERVICES
IN
Hi Andrew Werden, thanks for commenting in this discussion.
In case we need to whitelist the streams and activities that need to be secured, it will be a huge number (definitely in the thousands) for big financial institutions using Pega/CPM (just like our customer).
Yes, Andrew's point is correct! Most of them would be false alerts too. CCPs log into our application and use the portal in a most secure way (SSO), but we still see these alerts/WARN messages as they navigate to different screens in the portal. Across all production nodes, we are observing 153,000 SECU0008 alerts on a peak business day, which we want to either get rid of, eliminate, or fix.
As I mentioned earlier, I am not able to find any security configurations defined in either DSS or prconfig. Not sure how this can be TURNED OFF?
TATA CONSULTANCY SERVICES
IN
Thanks so much Andrew Werden. I have informed our internal team to turn off this alert.
Verizon
IN
Hi AndrewWerden,
It's not working for me. I tried the DSS below to stop logging the SECU0008 alert, but it is not working for me.
Pega-Engine.prconfig/security/urlaccessmode with value allow
Can you please help? Am I missing anything here?
Thanks!
-Rajasri
Verizon
IN
Working fine. Need to restart the server for this change to take effect.