Defenses against common vulnerabilities

The Automation 360 platform provides some defenses against common attacks on applications.

The list below contains several examples of these attacks and the security controls in place to prevent them.

SQL Injection (SQLi)

SQL injection is a high-risk vulnerability that can seriously impact the confidentiality, integrity, and availability of a database. It enables an attacker to execute any SQL of his or her choosing inside the DB, thus allowing them to read sensitive data, modify/insert data, and execute various operations.

The Control Room prevents SQL injection using query provided by the Hibernate framework.

Cross Site Scripting (XSS)

Cross-site scripting is a high-risk vulnerability that can seriously impact the confidentiality, integrity, and availability of any user web session. It enables an attacker to execute any JavaScript inside the victim's browser, allowing them to spy on the user's input/output or take unauthorized actions on behalf of the user. They could also redirect the user offsite to a malicious malware download or a credential phishing page.

The Control Room prevents cross-site scripting using automatic output encoding provided by the ReactJS framework.

OWASP Top 10

Automation Anywhere provides the following controls to protect against the OWASP Top 10:


Risk	Control
A1: Injection	All input is escaped before commands or queries are executed.
A2: Broken authentication and session management	See the identification and authentication section.
A3: Cross-site scripting	All output is encoded before being returned.
A4: Insecure direct object references	Centralized authorization via Spring Security.
A5: Security misconfiguration	No default passwords, stack traces hidden, secure server configuration
A6: Sensitive data exposure	See the Security at rest and Security in motion sections
A7: Missing function level access control	Centralized authorization via Spring Security
A8: Cross-site request forgery	Using authorization HTTP header
A9: Using components with known vulnerabilities	Black Duck software composition analysis tool
A10: Unvalidated redirects and forwards	N/A - No redirect functionality present