
This content has been archived and is no longer being updated.


Authentication and Security Risks

Updated on September 13, 2021

This presentation is part of the Authentication Overview Self-Study Course.

Transcript

I want to focus on two very common attacks that we have run across in the past.

Replay Attack

A replay attack is carried out by an adversary who is either the originator of the request or a malicious party who has managed to intercept the link between the application that authenticates the user and the application server hosting PegaRULES.
In a replay attack the adversary records the data and plays it back at a later time to gain access to the system. A replay attack can be prevented by hardening the link between the two systems, for example by connecting them through a private network interface, or it can be avoided through the use of security tokens, as discussed earlier.
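As an added example, not part of the original presentation and not Pega's own code, the following sketches the security-token approach the transcript refers to. The authenticating application issues a short-lived, HMAC-signed token that carries a one-time nonce; the receiving server rejects any token whose signature fails, whose age exceeds the TTL, or whose nonce it has already accepted, so a recorded token cannot be played back. The shared secret, the TTL, and the two roles are constructed assumptions for the demonstration.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time

# Constructed demo values: in practice the secret is provisioned out of band
# to both the authenticating application and the application server.
SHARED_SECRET = b"constructed-demo-secret-not-for-real-use"
TOKEN_TTL_SECONDS = 60


def issue_token(user_id, now=None, secret=SHARED_SECRET):
    """Authenticating side: mint a signed token bound to a fresh one-time nonce.
    'iat' is the issue time, so the verifier can expire old captures."""
    issued_at = int(time.time() if now is None else now)
    payload = {"sub": user_id, "iat": issued_at, "nonce": secrets.token_hex(16)}
    body = base64.urlsafe_b64encode(
        json.dumps(payload, sort_keys=True).encode()).decode()
    sig = hmac.new(secret, body.encode(), hashlib.sha256).hexdigest()
    return f"{body}.{sig}"


class TokenVerifier:
    """Receiving side (the application server): accepts each token at most once."""

    def __init__(self, secret=SHARED_SECRET, ttl=TOKEN_TTL_SECONDS):
        self.secret = secret
        self.ttl = ttl
        self.seen_nonces = {}  # nonce -> time after which it can be forgotten

    def verify(self, token, now=None):
        """Return (True, user_id) on success or (False, reason) on rejection."""
        now = time.time() if now is None else now
        # Forget nonces whose tokens have expired anyway; a replay of those
        # is caught by the TTL check, so the cache stays bounded.
        self.seen_nonces = {n: exp for n, exp in self.seen_nonces.items() if exp > now}
        try:
            body, sig = token.split(".")
        except ValueError:
            return False, "malformed"
        expected = hmac.new(self.secret, body.encode(), hashlib.sha256).hexdigest()
        # Constant-time comparison so the check itself leaks nothing.
        if not hmac.compare_digest(expected, sig):
            return False, "bad signature"
        try:
            payload = json.loads(base64.urlsafe_b64decode(body))
        except ValueError:
            return False, "malformed"
        if now - payload["iat"] > self.ttl:
            return False, "expired"
        if payload["nonce"] in self.seen_nonces:
            # The same valid token presented a second time: a replay.
            return False, "replayed"
        self.seen_nonces[payload["nonce"]] = payload["iat"] + self.ttl
        return True, payload["sub"]


if __name__ == "__main__":
    verifier = TokenVerifier()
    tok = issue_token("alice", now=1000)
    print(verifier.verify(tok, now=1010))   # accepted on first use
    print(verifier.verify(tok, now=1020))   # rejected as a replay
```

The nonce cache is what turns a signed token into a one-time token: the signature alone proves who minted it, not that it has not been seen before. In a deployment with several application server nodes the cache has to be shared, or the replay window has to be short enough that a node-local cache is acceptable.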

Cross Site Scripting Attack

In this exploit, an attacker injects a malicious script into the URL parameters; the script then executes in the context of the end user's browser. The script can run commands with the privileges the end user has on their own computer, steal cookies, or mount so-called phishing attacks. A cross-site scripting vulnerability is easy to prevent by filtering suspicious characters such as angle brackets (<>) from the input parameters. Avoid displaying the content of URL parameters when you display an authentication failure: when you "display" the unfiltered URL parameter, you cause the possibly malicious script to execute.

It is also best practice from a security standpoint not to display the parameters that caused the failure, as this may give the attacker clues about how to get into the system more quickly.
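As an added example, not part of the original presentation and not Pega's own code, the following shows the authentication-failure page rendered four ways: the vulnerable form that echoes the raw URL parameter, the character-filtering approach the transcript describes, HTML output encoding, and the generic message that echoes nothing. The `user` query parameter, the login URL, and the probe payload are constructed for the demonstration.

```python
import html
import re
from urllib.parse import parse_qs, urlsplit

# Characters the transcript singles out as suspicious (angle brackets), plus
# the quote and ampersand characters that also matter once a value lands in HTML.
SUSPICIOUS = re.compile(r"[<>\"'&]")


def user_param(url):
    """Pull the hypothetical 'user' query parameter out of a login URL."""
    params = parse_qs(urlsplit(url).query)
    return params.get("user", [""])[0]


def render_failure_vulnerable(url):
    """The anti-pattern: the raw parameter is echoed into the failure page,
    so any markup the attacker put in the URL is rendered by the browser."""
    return f"<p>Authentication failed for user {user_param(url)}</p>"


def strip_suspicious(value):
    """The filtering approach the transcript describes: drop the characters
    that would let the value break out of its text context."""
    return SUSPICIOUS.sub("", value)


def render_failure_filtered(url):
    """Failure page built from the filtered parameter value."""
    return f"<p>Authentication failed for user {strip_suspicious(user_param(url))}</p>"


def render_failure_encoded(url):
    """Output encoding: the value is kept intact for the reader but every HTML
    metacharacter becomes an entity, so the browser treats it as plain text."""
    return f"<p>Authentication failed for user {html.escape(user_param(url))}</p>"


def render_failure_generic(url):
    """The transcript's strongest advice: do not echo the parameter at all,
    which also denies an attacker feedback about which inputs were tried."""
    return "<p>Authentication failed. Check your credentials and try again.</p>"


def contains_active_markup(rendered):
    """Crude check used by the demo: does the rendered page still carry a script tag?"""
    return re.search(r"<\s*script", rendered, re.IGNORECASE) is not None


# Constructed sample request carrying the classic harmless probe payload,
# percent-encoded as a browser would send it.
SAMPLE_URL = "https://login.example.test/auth?user=%3Cscript%3Ealert(1)%3C%2Fscript%3E"

if __name__ == "__main__":
    for render in (render_failure_vulnerable, render_failure_filtered,
                   render_failure_encoded, render_failure_generic):
        page = render(SAMPLE_URL)
        print(f"{render.__name__:28} active markup: {contains_active_markup(page)}")
```

Stripping characters works for this case but changes the value and has to be kept in step with every context the value is written into; output encoding at the point of display (the `html.escape` variant) is the more general defence, and the generic message is the safest of all because nothing attacker-controlled reaches the page.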
