If Process Commander encounters a Thread name in the URL of an HTTP request that does not already exist in the requestor and that contains invalid characters, the system generates this security alert (SECU0005). The alert helps prevent malicious scripts inserted into the Thread name portion of the URL from being executed in the client web browser.
The alert identifies the HTTP request and the invalid Thread name it contains, for example:
2010-03-25 15:53:14,273 GMT*6*SECU0005*0*0*f146b299c9a4c06c90ce0655b1540299*NA*NA*NA*NA*NA*?*-1*13*http-8080-1*NA*com.pega.pegarules.session.internal.engineinterface.service.HttpAPI*sernsg2k8|fe80:0:0:0:86b:4a66:5fcc:d5b3*NA*NA*NA*NA*NA*NA*NA*NA*NA*NA*NA*Invalid thread name detected: Application - Import &*
You can modify the default settings in the alerts section of the prconfig.xml file. Open the prconfig.xml file and update these two settings:
ErrorOnInvalidThreadName
<env name="initialization/ErrorOnInvalidThreadName" value="false" />
The ErrorOnInvalidThreadName value is a boolean. The default value is "false". When set to "true", processing for that request stops and an error message is returned. Otherwise, processing continues normally and no error message is returned. Note that with the default of "false" the alert is still logged but the request is still processed; set the value to "true" if you want requests with invalid Thread names rejected.
AdditionalValidCharactersInThreadNames
<env name="initialization/AdditionalValidCharactersInThreadNames" value="{semicolon-separated list of characters}" />
Upper case and lower case letters, numbers, spaces (" "), underscores ("_"), forward slashes ("/"), ampersands ("&"), dashes ("-"), dollar signs ("$"), and URL-encoded spaces ("%20") are allowed by default.
Use this setting to accept additional characters as valid. The setting value is a semicolon-separated list of characters, and the sequence ";;;" adds the semicolon character itself. Each item is either a single character or a three-character URL-encoded value, for example %20.
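The following Python model of the two settings is an added example; it is not Pega code and does not reproduce Process Commander's actual validator. It builds the allowed character set from the defaults listed above plus an AdditionalValidCharactersInThreadNames value (including the ";;;" rule and %XX tokens), reports which characters of a Thread name would be rejected, applies the ErrorOnInvalidThreadName policy, and pulls the alert ID and message out of a constructed alert line in the same "*"-separated shape as the sample above. The function names, the ValueError for malformed items, and the sample alert line are assumptions made here for illustration.

```python
import re

# Characters allowed in a Thread name by default, as listed on this page:
# letters, digits, space, underscore, forward slash, ampersand, dash and
# dollar sign, plus the URL-encoded space "%20" as a three-character token.
DEFAULT_CHARS = set(
    "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789 _/&-$"
)
DEFAULT_TOKENS = {"%20"}

_ENCODED = re.compile(r"^%[0-9A-Fa-f]{2}$")

# Constructed alert line (not a real log record) in the same '*'-separated
# shape as the page's sample, carrying a script tag in the Thread name.
SAMPLE_ALERT = (
    "2010-03-25 15:53:14,273 GMT*6*SECU0005*0*0*NA*NA*NA*NA*NA*NA*?*-1*13"
    "*http-8080-1*NA*com.pega.pegarules.session.internal.engineinterface.service.HttpAPI"
    "*host|::1*NA*NA*NA*NA*NA*NA*NA*NA*NA*NA*NA"
    "*Invalid thread name detected: Work<script>x</script>*"
)


def parse_additional_chars(setting):
    """Parse an AdditionalValidCharactersInThreadNames value.

    Items are separated by ';'; each is a single character or a three-character
    URL-encoded value such as %2B, and the sequence ';;;' adds the semicolon
    itself. Malformed items raise ValueError (an assumption of this example;
    the page does not say how Process Commander treats them).
    """
    marker = "\x00"  # stand-in for a literal semicolon while splitting
    chars, tokens = set(), set()
    for item in setting.replace(";;;", ";" + marker + ";").split(";"):
        if item == "":
            continue  # empty slot between separators
        if item == marker:
            chars.add(";")
        elif len(item) == 1:
            chars.add(item)
        elif len(item) == 3 and _ENCODED.match(item):
            tokens.add(item)
        else:
            raise ValueError("bad AdditionalValidCharactersInThreadNames item: %r" % item)
    return chars, tokens


def invalid_characters(thread_name, extra_chars=frozenset(), extra_tokens=frozenset()):
    """Return the characters of thread_name the policy rejects, in order."""
    chars = DEFAULT_CHARS | set(extra_chars)
    tokens = DEFAULT_TOKENS | set(extra_tokens)
    bad, i = [], 0
    while i < len(thread_name):
        if thread_name[i:i + 3] in tokens:  # an allowed URL-encoded value
            i += 3
        elif thread_name[i] in chars:
            i += 1
        else:
            bad.append(thread_name[i])
            i += 1
    return bad


def handle_thread_name(thread_name, error_on_invalid=False, setting=""):
    """Model both prconfig.xml settings for one incoming request.

    Returns (alert_text_or_None, rejected). With ErrorOnInvalidThreadName=false
    (the documented default) the alert is raised but the request continues.
    """
    extra_chars, extra_tokens = parse_additional_chars(setting)
    if not invalid_characters(thread_name, extra_chars, extra_tokens):
        return None, False
    return "Invalid thread name detected: " + thread_name, error_on_invalid


def alert_fields(line):
    """Return (alert ID, message) from a '*'-separated PRPC alert line."""
    fields = line.split("*")
    message = next(f for f in reversed(fields) if f)  # skip the trailing empty field
    return fields[2], message


if __name__ == "__main__":
    alert_id, message = alert_fields(SAMPLE_ALERT)
    name = message.split(": ", 1)[1]
    print(alert_id, "->", invalid_characters(name))
    print(handle_thread_name(name, error_on_invalid=True))
    print(handle_thread_name("a+b%2Bc", setting="+;;;;%2B"))
```

Run against a real alert log, the alert_fields helper only needs the "*" separator and the position of the alert ID to match what the page's sample shows; the remaining field positions are not interpreted here.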
For related guidance, consult the Pega Developer Network article PRKB-25868: Best practices to avoid cross-site scripting (XSS) vulnerabilities.