Defenses against common vulnerabilities

The Automation 360 platform provides some defenses against common attacks on applications.

The list below contains several examples of these attacks and the security controls in place to prevent them.

SQL Injection (SQLi)

SQL injection is a high-risk vulnerability that can seriously impact the confidentiality, integrity, and availability of a database. It enables an attacker to execute SQL of their choosing inside the database, allowing them to read sensitive data, modify or insert data, and execute various other operations.

The Control Room prevents SQL injection by using parameterized queries provided by the Hibernate framework, so that user-supplied values are bound as data rather than spliced into the statement text.

Cross Site Scripting (XSS)

Cross-site scripting is a high-risk vulnerability that can seriously impact the confidentiality, integrity, and availability of any user web session. It enables an attacker to execute any JavaScript inside the victim's browser, allowing them to spy on the user's input/output or take unauthorized actions on behalf of the user. They could also redirect the user offsite to a malicious malware download or a credential phishing page.

The Control Room prevents cross-site scripting by using the automatic output encoding provided by the ReactJS framework, which entity-encodes data before it is rendered into the page.
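As an added illustration of what output encoding does (this is example code written for this page, not Automation 360's code or React's implementation), the snippet below renders an untrusted display name into an HTML fragment both with and without entity encoding. Python's standard `html.escape` is used as a stand-in for React's escaping of text content; the template and function names are assumptions for the example.

```python
import html


def encode_html(value: str) -> str:
    """Entity-encode the characters that can change HTML structure: & < > " '.

    This is safe for HTML text content and quoted attribute values. It is NOT
    sufficient on its own for values placed inside a <script> block, a URL,
    or an event-handler attribute; those contexts need their own encoders.
    """
    return html.escape(value, quote=True)


def render_unsafe(display_name: str) -> str:
    """Vulnerable pattern: untrusted text is concatenated straight into markup."""
    return "<p>Welcome, " + display_name + "</p>"


def render_safe(display_name: str) -> str:
    """Encoded output: the browser shows the characters instead of parsing them."""
    return "<p>Welcome, " + encode_html(display_name) + "</p>"


def introduces_markup(fragment: str, untrusted: str) -> bool:
    """Defender's check: does the rendered fragment contain a raw tag that came
    from the untrusted value rather than from the template itself?"""
    template_only = render_safe("")  # "<p>Welcome, </p>" has exactly two tags
    return fragment.count("<") > template_only.count("<") and "<" in untrusted


if __name__ == "__main__":
    # Constructed hostile input in the form the text above describes.
    name = "<script>alert(1)</script>"
    print(render_unsafe(name))  # script tag lands in the DOM as live markup
    print(render_safe(name))    # &lt;script&gt;...&lt;/script&gt; is inert text
    print(introduces_markup(render_unsafe(name), name))  # True
    print(introduces_markup(render_safe(name), name))    # False
```

The caveat worth remembering is that React's automatic encoding covers values rendered as text or attributes through JSX; code paths that bypass it (raw HTML insertion, building URLs or inline scripts from user data) fall outside that control and must be reviewed separately.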

OWASP Top 10

Automation Anywhere provides the following controls to protect against the OWASP Top 10:
Risk                                              Control
A1: Injection                                     All input is escaped before commands or queries are executed.
A2: Broken authentication and session management  See the identification and authentication section.
A3: Cross-site scripting                          All output is encoded before being returned.
A4: Insecure direct object references             Centralized authorization via Spring Security.
A5: Security misconfiguration                     No default passwords, stack traces hidden, secure server configuration.
A6: Sensitive data exposure                       See the Security at rest and Security in motion sections.
A7: Missing function level access control         Centralized authorization via Spring Security.
A8: Cross-site request forgery                    Using the authorization HTTP header.
A9: Using components with known vulnerabilities   Black Duck software composition analysis tool.
A10: Unvalidated redirects and forwards           N/A - no redirect functionality present.