Table of Contents

Pega Customer Service enhancements to prevent Broken Access Control

Broken Access control (BAC) refers to all access control issues in web applications that allow end users to gain unauthorized access to privileged data and functionality. Open Web Application Security Project (OWASP) identifies BAC as one of the top 10 security vulnerabilities. BAC usually occurs when users can bypass access control checks by leveraging vulnerabilities such as uniform resource locator (URL)-based requests that do not verify user privileges.

For more information about the Pega Platform enhancements to prevent Broken Access Control (BAC), see Protecting the application layer.

In the 8.3 release, Pega Customer Service has modified the rules that call secured activities in the Pega Platform. The query strings and parameters in the calls are registered so that they cannot be tampered with by the end users.

The following list shows the modified rules for Pega Customer Service. If you have overridden any of these rules in your Pega Customer Service for Insurance implementation layer, you need to update them with the changed rules. Run the Pre-Upgrade Checker to identify which of these changed rules are overridden in your implementation layer. For information about the Pre-Upgrade Checker, see the Pega Customer Service and Pega Sales Automation Upgrade Guide on the Pega Customer Service product page.

# Rule Rule name Class name Available
1 Rule-HTML-Section ChatToasterPop ChannelServices-Interaction-Chat Yes
2 Rule-HTML-Section CSShowOffers Int-PegaCDH-Container-Offer Yes
3 Rule-HTML-Section CPMAccountDetails PegaCA-Interface-Contact Yes
4 Rule-HTML-Section CSOffer Int-PegaCDH-Container-Offer Yes
5 Rule-HTML-Section CSShowNextBestAction Int-PegaCDH-Container-Action Yes
6 Rule-HTML-Section CustomerAcceptedRequest PegaCA-Work-CobrowsingSession Yes
7 Rule-HTML-Property SlotPicker NA Yes
8 Rule-HTML-Section CPMIPSearchResults CPM-Portal Yes
9 Rule-HTML-Section CPMAutoLauchServiceProcess PegaCA-Work Yes
10 Rule-HTML-Section CPMFavoritesListDisplay CPM-Portal Yes
11 Rule-Navigation CPMSearchResultMenu CPM-Search-Result Yes
12 Rule-Navigation CPMProspectSearchResultMenu PegaCRM-Entity-Contact Yes
13 Rule-HTML-Section CaseLockLostInfo PegaCA-Work-Interaction Yes
14 Rule-HTML-Section CACollectSessionCode_FA PegaCA-Work-CobrowsingSession Yes
15 Rule-HTML-Section CPMConfirmIncludes Work- Yes
16 Rule-HTML-Section CPMINTERACTIONPORTALHEADER CPM-PORTAL Yes
17 RULE-HTML-FRAGMENT SCREENPOPINTERACTIONSTARTER NA Yes
18 Rule-HTML-Section AutoClose Work- Yes

    In addition to the above changes, several Pega Customer Service activities that do not need to be started from a client in the form of an AJAX call or any other UI request have also been modified. The Allow direct invocation from the client or service check box is cleared for these activity rules. To see the list of modified activity rules, download the CSH-List-of-Activity-Rules-URL-Tampering.xlsx file.

    Suggest Edit

    Have a question? Get answers now.

    Visit the Pega Support Community to ask questions, engage in discussions, and help others.