Back Forward How to detect when a Thread name in a URL contains invalid characters (SECU0005 alert)

If PRPC encounters a Thread name in the URL of an HTTP request that does not already exist in the requestor and whose name contains invalid characters, the system generates this security alert. This alert helps prevent malicious scripts inserted into the Thread name portion of the URL from being executed on the client web browser.

Alert log message

The alert identifies the HTTP request and the invalid Thread name it contains.

2010-03-25 15:53:14,273 GMT*6*SECU0005*0*0*f146b299c9a4c06c90ce0655b1540299*NA*NA*NA*NA*NA*?*-1*13*http-8080-1*NA*com.pega.pegarules.session.internal.
engineinterface.service. HttpAPI*sernsg2k8|fe80:0:0:0:86b:4a66:5fcc:
d5b3*NA*NA*NA*NA*NA*NA* NA*NA*NA*NA*NA*Invalid thread name detected: Application - Import &amp*

Modifying the alert settings

You can modify the default settings in the alerts section of the prconfig.xml file, as follows:

  1. Open the prconfig.xml file and update these alerts sections:
ErrorOnInvalidThreadName

<env name = “initialization/ErrorOnInvalidThreadName" value="false" />

The ErrorOnInvalidThreadName value is a boolean. This default value is "false". When set to "true", processing for that request stops and an error message is returned. Otherwise, processing continues normally and there is no error message.
AdditionalValidCharactersInThreadNames

<env name = “initialization/AdditionalValidCharactersInThreadNames" value="{comma-delimited list of characters}" />

Upper case and lower case letters, numbers, spaces (" "), underscores ("_"), forward slashes ("/"), ampersands ("&"), dashes ("-"), dollar signs ("$"), and URL-encoded spaces ("%20") are allowed by default.

Use this setting to include additional characters as valid. The setting value is a semi-colon separated list of characters. It treats ";;;" as adding semicolon itself. Each value is either a single character or 3 characters representing a URL encoded value, for example: %20.

  1. Stop and restart the server.

As an alternative to the prconfig.xml file, you can use Dynamic System Settings to configure your application.
See How to create or update a prconfig setting.

Next steps

Do either of the following:

Related PDN article

Consult the PDN article Best practices to avoid cross-site scripting (XSS) vulnerabilities.

Definitions prconfig.xml file, stream rule types, stream processing, thread
Related topics Understanding alerts
Show-HTML method
JavaServer Page tag — url
About the Clipboard tool
About the Rule Security Analyzer
Understanding page names and reserved pages

UpSysAdmin category

Help System home page Help Home