How to save a Pega application from Cross-Site Scripting (XSS) attacks

The end user’s browser has no way to know that the script should not be trusted, and will run the script. Because the malicious script runs from a trusted source it is granted unauthorised access to sensitive information retained by the browser and used with that site.

  1. Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’)

  2. Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS).

We have identified that our application is vulnerable to reflected XSS attacks. What steps can be taken to remediate these attacks?

@Ashutosh Panda, to answer this question, there are various resources available to you on the Pega sites.

Did you first go through the available documentation on docs and the articles on the PSC?

To remediate Cross-site Scripting (XSS) attacks in your Pega application, follow these best practices:

  1. Maintain guardrail compliance.
  2. Filter all inputs.
  3. Filter HTML and XML outputs.
  4. Use PublicAPI methods for XSS filtering.

These practices are important regardless of your application’s user base, network security, physical environment, or use of autogenerated stream rules. Pega Platform includes features and facilities that prevent many security vulnerabilities. However, security is an ongoing challenge due to the many software layers in use. Therefore, it’s crucial to regularly test for and analyze potential security issues.

Warning: This is a GenAI-powered tool. All generated answers require validation against the provided references.

Understanding cross-site scripting > Suggested approach

Filtering HTML and XML outputs
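The following Java class is an added illustration of practices 2 to 4 in the answer above (filter inputs, filter HTML and XML outputs, use the PublicAPI filter); it is not Pega's own code, nor taken from this thread. It entity-encodes user-supplied values at the point they are written into markup, which is the step that the Pega PublicAPI method `tools.getStringUtils().crossScriptingFilter(value)` performs inside an activity or stream rule (that method name is quoted from the PublicAPI, not from this page).

```java
/**
 * Output filtering for HTML and XML contexts, added as an example. A script tag
 * reflected from a request parameter is rendered as literal text instead of being
 * executed, which is what "filter HTML and XML outputs" means in practice.
 */
public final class XssOutputFilter {

    /** Encode for HTML text and quoted-attribute context. */
    public static String filterHtml(String value) {
        return encode(value, "&#39;");
    }

    /** Encode for XML element and attribute content; XML defines the &apos; entity. */
    public static String filterXml(String value) {
        return encode(value, "&apos;");
    }

    private static String encode(String value, String apostrophe) {
        if (value == null) {
            return "";
        }
        StringBuilder out = new StringBuilder(value.length() + 16);
        for (int i = 0; i < value.length(); i++) {
            char c = value.charAt(i);
            switch (c) {
                case '&':  out.append("&amp;");    break;  // a bare ampersand would start an entity
                case '<':  out.append("&lt;");     break;  // cannot open a new tag any more
                case '>':  out.append("&gt;");     break;
                case '"':  out.append("&quot;");   break;  // cannot break out of a quoted attribute
                case '\'': out.append(apostrophe); break;
                default:   out.append(c);
            }
        }
        return out.toString();
    }

    /** Reflect a request parameter into markup; 'filtered' selects the remediated form. */
    public static String renderGreeting(String userName, boolean filtered) {
        String shown = filtered ? filterHtml(userName) : userName;
        return "<p>Welcome, " + shown + "</p>";
    }

    public static void main(String[] args) {
        // Constructed test value of the kind a scanner reports for reflected XSS; not real user data.
        String tainted = "<script>alert('xss')</script>";
        System.out.println(renderGreeting(tainted, false)); // vulnerable: the tag reaches the browser intact
        System.out.println(renderGreeting(tainted, true));  // remediated: &lt;script&gt;...&lt;/script&gt;
    }
}
```

Entity encoding is correct only for HTML text and quoted attributes and for XML content; a value placed inside a JavaScript block or a URL needs the encoding for that context, so filtering must happen where the value is emitted, not once at input time.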