Pega Customer Service enhancements to prevent Broken Access Control
Broken Access control (BAC) refers to all access control issues in web applications that allow end users to gain unauthorized access to privileged data and functionality. Open Web Application Security Project (OWASP) identifies BAC as one of the top 10 security vulnerabilities. BAC usually occurs when users can bypass access control checks by leveraging vulnerabilities such as uniform resource locator (URL)-based requests that do not verify user privileges.
For more information about the Pega Platform enhancements to prevent Broken Access Control (BAC), see Protecting the application layer.
In the 8.3 release, Pega Customer Service has modified the rules that call secured activities in the Pega Platform. The query strings and parameters in the calls are registered so that they cannot be tampered with by the end users.
The following list shows the modified rules for Pega Customer Service. If you have overridden any of these rules in your Pega Customer Service for Insurance implementation layer, you need to update them with the changed rules. Run the Pre-Upgrade Checker to identify which of these changed rules are overridden in your implementation layer. For information about the Pre-Upgrade Checker, see the Pega Customer Service and Pega Sales Automation Upgrade Guide on the Pega Customer Service product page.
| # | Rule | Rule name | Class name | Available |
|---|---|---|---|---|
| 1 | Rule-HTML-Section | ChatToasterPop | ChannelServices-Interaction-Chat | Yes |
| 2 | Rule-HTML-Section | CSShowOffers | Int-PegaCDH-Container-Offer | Yes |
| 3 | Rule-HTML-Section | CPMAccountDetails | PegaCA-Interface-Contact | Yes |
| 4 | Rule-HTML-Section | CSOffer | Int-PegaCDH-Container-Offer | Yes |
| 5 | Rule-HTML-Section | CSShowNextBestAction | Int-PegaCDH-Container-Action | Yes |
| 6 | Rule-HTML-Section | CustomerAcceptedRequest | PegaCA-Work-CobrowsingSession | Yes |
| 7 | Rule-HTML-Property | SlotPicker | NA | Yes |
| 8 | Rule-HTML-Section | CPMIPSearchResults | CPM-Portal | Yes |
| 9 | Rule-HTML-Section | CPMAutoLauchServiceProcess | PegaCA-Work | Yes |
| 10 | Rule-HTML-Section | CPMFavoritesListDisplay | CPM-Portal | Yes |
| 11 | Rule-Navigation | CPMSearchResultMenu | CPM-Search-Result | Yes |
| 12 | Rule-Navigation | CPMProspectSearchResultMenu | PegaCRM-Entity-Contact | Yes |
| 13 | Rule-HTML-Section | CaseLockLostInfo | PegaCA-Work-Interaction | Yes |
| 14 | Rule-HTML-Section | CACollectSessionCode_FA | PegaCA-Work-CobrowsingSession | Yes |
| 15 | Rule-HTML-Section | CPMConfirmIncludes | Work- | Yes |
| 16 | Rule-HTML-Section | CPMINTERACTIONPORTALHEADER | CPM-PORTAL | Yes |
| 17 | RULE-HTML-FRAGMENT | SCREENPOPINTERACTIONSTARTER | NA | Yes |
| 18 | Rule-HTML-Section | AutoClose | Work- | Yes |
In addition to the above changes, several Pega Customer Service activities that do not need to be started from a client in the form of an AJAX call or any other UI request have also been modified. The Allow direct invocation from the client or service check box is cleared for these activity rules. To see the list of modified activity rules, download the CSH-List-of-Activity-Rules-URL-Tampering.xlsx file.
Previous topic Rules that have been finalized to prevent overrides Next topic Pega Customer Service Hotfixes, version 7.x