SECU0005 alert: A thread name in a URL contains invalid characters

The SECU0005 alert is generated when PRPC or the Pega 7 Platform encounters a thread name in the URL of an HTTP request that does not already exist in the requestor and whose name contains invalid characters.

This alert allows you to identify potentially malicious scripts that have been inserted into the thread name portion of the URL so that you can research and correct the thread name or other issues as appropriate.

Example message text

The alert identifies the HTTP request and the invalid thread name that it contains.

2010-03-25 15:53:14,273 GMT*6*SECU0005*0*0*f146b299c9a4c06c90ce0655b1540299*NA*NA*NA*NA*NA*?*-1*13*http-8080-1*NA*com.pega.pegarules.session.internal.engineinterface.service.HttpAPI*sernsg2k8|fe80:0:0:0:86b:4a66:5fcc:d5b3*NA*NA*NA*NA*NA*NA*NA*NA*NA*NA*NA*Invalid thread name detected: Application - Import &amp*

Default prconfig.xml settings

You can modify the default settings in the alerts section of the prconfig.xml file as follows:

<env name="initialization/ErrorOnInvalidThreadName" value="false" />

The ErrorOnInvalidThreadName value is a Boolean value. The default value is false. When set to true, processing for that request stops and an error message is returned. Otherwise, processing continues normally.

<env name="initialization/AdditionalValidCharactersInThreadNames" value="{semicolon-delimited list of characters}" />

Uppercase and lowercase letters, numbers, spaces, underscores (_), forward slashes (/), ampersands (&), dashes (-), dollar signs ($), and URL-encoded spaces (%20) are allowed by default. Use this setting to include additional characters as valid. The setting value is a semicolon-separated list of characters. The value ";;;" adds a semicolon. Each value is either a single character or three characters that represent a URL-encoded value, for example: %20.

Restart the server after you have changed the settings.

Reason for the alert

The URL of an HTTP request contains a thread name that does not already exist in the requestor and whose name contains invalid characters. You can take the following actions:

  • Modify your application to avoid creating thread names with invalid characters.
  • Verify that the invalid character is safe to use from a security standpoint and that it does not make your application vulnerable to cross-site scripting attacks. Add the character to the AdditionalValidCharactersInThreadNames setting.
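
An added example (not Pega code): a Python sketch for triaging SECU0005 alerts offline. It extracts the thread name from an alert line and lists the characters that fall outside the default allow list described above, optionally extended by an AdditionalValidCharactersInThreadNames value. The function names, the constructed sample line, and the reading of ";;;" as a single semicolon entry are assumptions; the platform's own validation may differ.

```python
import re
import string

# Allowed by default per this page; "%20" is the only encoded value allowed.
DEFAULT_CHARS = set(string.ascii_letters + string.digits + " _/&-$")
DEFAULT_ENCODED = {"%20"}
PCT = re.compile(r"%[0-9A-Fa-f]{2}")

def parse_additional(value):
    """Split the setting value into entries (single characters or %XX)."""
    entries, i = set(), 0
    while i < len(value):
        if value.startswith(";;;", i):  # assumption: one entry, a literal semicolon
            entries.add(";")
            i += 3
        else:
            j = value.find(";", i) if ";" in value[i:] else len(value)
            entry = value[i:j]
            if entry and not (len(entry) == 1 or PCT.fullmatch(entry)):
                raise ValueError(f"not a single character or %XX: {entry!r}")
            if entry:
                entries.add(entry)
            i = j
        if i < len(value) and value[i] == ";":
            i += 1  # skip the delimiter that follows an entry
    return entries

def invalid_parts(thread_name, additional=frozenset()):
    """Return, in order, each character or %XX sequence not on the allow list."""
    singles = DEFAULT_CHARS | {e for e in additional if len(e) == 1}
    encoded = {e.upper() for e in DEFAULT_ENCODED | set(additional) if len(e) == 3}
    bad, i = [], 0
    while i < len(thread_name):
        tok = thread_name[i:i + 3]
        is_pct = PCT.fullmatch(tok) is not None
        part = tok if is_pct else thread_name[i]
        allowed = part.upper() in encoded if is_pct else part in singles
        if not allowed and part not in bad:
            bad.append(part)
        i += len(part)
    return bad

def thread_name_from_alert(line):
    """Extract the thread name from a SECU0005 alert line, else None."""
    m = re.search(r"\*SECU0005\*.*Invalid thread name detected: (.*?)\*?$", line)
    return m.group(1) if m else None

# Constructed alert line (abbreviated; not taken from a real system).
SAMPLE = "2024-01-01 00:00:00,000 GMT*6*SECU0005*NA*Invalid thread name detected: Import<script>*"
```

Running invalid_parts over the names pulled from the alert log shows which characters an AdditionalValidCharactersInThreadNames change would have to admit, so markup characters such as < and > can be recognized before they are added to the allow list.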