Common security vulnerabilities found in Pega during a security scan:
Every application goes through security scanning at some point, and most of the warnings it raises are the two messages below, which are usually rated as low severity:
1) Error Message:
Session Cookie Does Not Contain the "Secure" Attribute
If the session cookie is set without the Secure attribute, the browser will also send it over unencrypted HTTP, where it is exposed to script-based or network-level injection and can be stolen; adding this attribute is therefore recommended.
Resolution:
Perform the following local change:
Add the Dynamic System Setting (DSS) below in Pega PRPC; it then applies to all servers/nodes that Pega is connected to.
prconfig/HTTP/SetSecureCookie/default
value = "true"
Owning ruleset - Pega-Engine
If it needs to apply only to a particular node, set it in that node's config file instead:
<env name="HTTP/SetSecureCookie" value="true" />
=======================
2) Error Message:
Cookie Does Not Contain The "HTTPOnly" Attribute
If the session cookie is set without the HttpOnly attribute, client-side JavaScript can read it, so a script injection (XSS) can steal the session cookie; adding this attribute is therefore recommended.
Resolution:
Perform the following local change:
Add the Dynamic System Setting (DSS) below in Pega PRPC; it then applies to all servers/nodes that Pega is connected to.
DSS purpose - prconfig/cookie/HttpOnly/default (the trailing "default" can vary based on node classification)
Ruleset - Pega-Engine
Value - true
Restart the server after setting this DSS for the change to take effect.
If it needs to apply only to a particular node, set it in that node's config file instead (the env name is the DSS purpose without the prconfig/ prefix and /default suffix, exactly as with the Secure setting above):
<env name="cookie/HttpOnly" value="true" />
=======================
Note: if you come across other common issues like these, let me know and we can add them to this post so that it helps all of us.
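After applying either setting, the quickest way to confirm the scanner will stop flagging the cookie is to read the Set-Cookie headers the server actually returns. The checker below is an added example, not Pega's own code: it reports exactly the two findings above (missing Secure, missing HttpOnly) for each cookie, and the sample headers and cookie names are constructed placeholders.

```python
"""Audit Set-Cookie headers for the Secure and HttpOnly attributes.

Added example; the sample headers below are constructed and stand in for what a
server returns before and after the DSS / prconfig change. Cookie names are
placeholders, not Pega's real cookie names.
"""
from dataclasses import dataclass
from typing import List, Tuple
from urllib.request import Request, urlopen


@dataclass(frozen=True)
class CookieFinding:
    name: str
    missing: Tuple[str, ...]  # attributes a scanner would flag, e.g. ("Secure",)


def cookie_attributes(set_cookie: str) -> List[str]:
    """Return the attribute names (lower-cased) carried by one Set-Cookie value."""
    parts = [p.strip() for p in set_cookie.split(";")]
    # parts[0] is name=value; the rest are attributes such as Secure, HttpOnly, Path=/
    return [p.split("=", 1)[0].strip().lower() for p in parts[1:] if p]


def audit_set_cookie(headers: List[str]) -> List[CookieFinding]:
    """For each cookie, list which of Secure / HttpOnly are absent (case-insensitive)."""
    findings = []
    for h in headers:
        name = h.split(";", 1)[0].split("=", 1)[0].strip()
        attrs = cookie_attributes(h)
        missing = tuple(a for a in ("Secure", "HttpOnly") if a.lower() not in attrs)
        if missing:
            findings.append(CookieFinding(name, missing))
    return findings


def audit_url(url: str) -> List[CookieFinding]:
    """Fetch a URL (e.g. the application's login page) and audit every Set-Cookie it returns."""
    with urlopen(Request(url, method="GET")) as resp:
        return audit_set_cookie(resp.headers.get_all("Set-Cookie") or [])


# Constructed samples: headers as seen before the change and after it.
BEFORE = ["APPSESSION=abc123; Path=/prweb",
          "JSESSIONID=XYZ; Path=/prweb; HttpOnly"]
AFTER = ["APPSESSION=abc123; Path=/prweb; Secure; HttpOnly",
         "JSESSIONID=XYZ; Path=/prweb; Secure; HttpOnly"]

if __name__ == "__main__":
    for label, hdrs in (("before", BEFORE), ("after", AFTER)):
        print(label, audit_set_cookie(hdrs) or "no findings")
```

Run audit_url against the live application over HTTPS after the restart; an empty list means both scan messages should clear.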