A callback URL is present in certain workflows within the application, allowing operation status and other data to be delivered back to the calling program via that URL (for example, publishing a dashboard from one server to another server). If an attacker changes that URL, the server can be induced to deliver the data to a destination of the attacker's choosing. This is a form of Server-side request forgery (SSRF) attack.
A Server-side request forgery (SSRF) attack misuses server-side functionality to access or modify resources. By modifying the URL in a request, the attacker induces the server-side application to make requests to an unintended destination, such as an internal service or an attacker-controlled host.
This attack can be mitigated by configuring known domains in Bold BI through the known domains JSON file.
Go to the UMS Administration page in Bold BI and click the Configuration tab. The list of known domains is maintained as a JSON file, known_domains.json, and the allowed and denied domain lists can be configured in that file on this page.
To configure known domains in Bold BI, you must first set the Enabled node to true.
Add the domains to be denied to the Deny node. To allow or deny all external domains, use the wildcard * in the corresponding node of the known domain JSON. A wildcard can also be used in the subdomain position to match all subdomains of a domain.
Add the domains to be allowed to the Allow node. Separate multiple domains with commas.
Important: Internal Bold BI domains, i.e. the domains of the Bold BI sites themselves, are allowed by default.
Once configured, click the Save button to update the known domain JSON file.
Note: If the same domain is configured in both Allow and Deny, the domain will be denied, because the Deny list takes priority.
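The following is an added example, not Bold BI's own code, showing how the rules described above (Enabled node, comma-separated Allow and Deny lists, the * wildcard, subdomain wildcards, internal domains allowed by default, and Deny taking priority over Allow) combine when the host of a callback URL is checked. The JSON shape of the constructed known_domains.json content, the *.example.com syntax for a subdomain wildcard, the INTERNAL_DOMAINS list, the behaviour when Enabled is false (no filtering), and the refusal of external hosts that match neither list are assumptions made for the example.

```python
"""Evaluate a callback URL against a known-domains allow/deny configuration.

Added example, not Bold BI's implementation. It follows the rules on the
page: Enabled must be true, Allow and Deny hold comma-separated domains,
'*' matches every external domain, a wildcard may match subdomains,
internal domains are allowed by default, and Deny wins over Allow.
Assumptions (not from the page): the JSON shape below, the '*.example.com'
subdomain syntax, that a disabled configuration applies no filtering, and
that an external host matching neither list is refused.
"""
import json
from urllib.parse import urlsplit

# Constructed sample content for known_domains.json (assumed shape).
KNOWN_DOMAINS_JSON = """
{
  "Enabled": true,
  "Allow": "reports.example.com, *.partner.example",
  "Deny": "*.partner.example, evil.example"
}
"""

# Constructed variant that admits every external domain with the '*' wildcard.
ALLOW_ALL_JSON = '{"Enabled": true, "Allow": "*", "Deny": "evil.example"}'

# Assumed list of the application's own site domains (allowed by default).
INTERNAL_DOMAINS = ("boldbi.internal.example",)


def parse_domain_list(value):
    """Split a comma-separated domain list into lowercase patterns."""
    return [d.strip().lower() for d in value.split(",") if d.strip()]


def load_known_domains(text):
    """Parse the JSON file into a dict with enabled/allow/deny keys."""
    cfg = json.loads(text)
    return {
        "enabled": bool(cfg.get("Enabled", False)),
        "allow": parse_domain_list(cfg.get("Allow", "")),
        "deny": parse_domain_list(cfg.get("Deny", "")),
    }


def host_matches(host, pattern):
    """Match a hostname against one configured pattern.

    '*'              matches any host
    '*.example.com'  matches any subdomain of example.com, not example.com
    anything else    must match exactly
    """
    if pattern == "*":
        return True
    if pattern.startswith("*."):
        return host.endswith(pattern[1:])
    return host == pattern


def callback_host_allowed(url, config, internal=INTERNAL_DOMAINS):
    """Return (allowed, reason) for the host of a callback URL.

    Deny is evaluated first, so a domain present in both lists is denied.
    Only http(s) URLs that carry a hostname are considered at all.
    """
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    if parts.scheme not in ("http", "https") or not host:
        return False, "unsupported scheme or missing host"
    if not config["enabled"]:
        return True, "known-domain check disabled"  # assumption
    for pattern in config["deny"]:
        if host_matches(host, pattern):
            return False, "denied by " + pattern
    if host in internal:
        return True, "internal domain allowed by default"
    for pattern in config["allow"]:
        if host_matches(host, pattern):
            return True, "allowed by " + pattern
    return False, "not in Allow list"  # assumption: default refuse


if __name__ == "__main__":
    cfg = load_known_domains(KNOWN_DOMAINS_JSON)
    for u in ("https://reports.example.com/cb",
              "https://api.partner.example/cb",
              "https://partner.example/cb",
              "https://boldbi.internal.example/status",
              "ftp://reports.example.com/cb"):
        print(u, callback_host_allowed(u, cfg))
```

Note that the check is applied to the parsed hostname, not to the raw URL string, so a port, path or query string appended by the attacker does not change the result, and that a domain listed in both nodes (api.partner.example above) is refused because the Deny loop runs before the Allow loop.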