SEC261

SEC261 Secure ABAP Development: One
Bug Is Enough to Put Your Application at Risk
Public
Speakers
Las Vegas, Sept 19 - 23 Bangalore, October 5 - 7 Barcelona, Nov 8 - 10
Juergen Adolf Vaibhav Raina Juergen Adolf

Holger Janz Poornima Chandrashekaraiah Georg Becker
Shinto K Anto
2016 SAP SE or an SAP affiliate company. All rights reserved. Public 2

Disclaimer
The information in this presentation is confidential and proprietary to SAP and may not be disclosed without the permission of
SAP. Except for your obligation to protect confidential information, this presentation is not subject to your license agreement or
any other service or subscription agreement with SAP. SAP has no obligation to pursue any course of business outlined in this
presentation or any related document, or to develop or release any functionality mentioned therein.
This presentation, or any related document and SAP's strategy and possible future developments, products and or platforms
directions and functionality are all subject to change and may be changed by SAP at any time for any reason without notice.
The information in this presentation is not a commitment, promise or legal obligation to deliver any material, code or functionality.
This presentation is provided without a warranty of any kind, either express or implied, including but not limited to, the implied
warranties of merchantability, fitness for a particular purpose, or non-infringement. This presentation is for informational
purposes and may not be incorporated into a contract. SAP assumes no responsibility for errors or omissions in this
presentation, except if such damages were caused by SAPs intentional or gross negligence.
All forward-looking statements are subject to various risks and uncertainties that could cause actual results to differ materially
from expectations. Readers are cautioned not to place undue reliance on these forward-looking statements, which speak only
as of their dates, and they should not be relied upon in making purchasing decisions.

Agenda
Introduction
Why is security a topic?
SAP NetWeaver Application Server, add-on for code vulnerability analysis
Toolset for application protection
Demo
Secure programming
Command injection
Directory traversal
XSS and XSRF
Recommendations

Introduction
Public
Current software security vulnerability situation
Your software is everywhere

How can you be sure that these highly accessible applications are also highly secure?
Today's business applications have a history

Grown over the years Created based on different development paradigms
Complex Optimized for performance
Built on changing requirements Extended but not reinvented

The challenge of security
In order to secure an application, all of its components, functions, infrastructure and

the related threats must be understood.
In order to break an application, only one flaw in any of its components/functions or

the infrastructure may be enough.
The problem:
Each new technology brings with it the risk of new vulnerabilities.
Firewalls, intrusion detection systems, signatures and encryption alone cannot make
an application secure.

Application security testing
Find vulnerabilities in the Find vulnerabilities analyzing

running application the sources
Manual Application Manual Source

Penetration Testing Code Review
Automated Source
Automated Application
Code Analysis
Vulnerability Scanning
DAST SAST
Dynamic Application Security Testing Static Application Security Testing
SAP NetWeaver Application Server, add-on

for code vulnerability analysis
Finding security issues at design time is easier and less
expensive!

SAP NetWeaver Application
Server, add-on for code
vulnerability analysis
Public
SAP security and GRC access governance portfolio
SAP Cloud SAP Cloud Identity

Applications Manage access,
SAP HANA Cloud SAP HANA Cloud Access
users and
compliance in the Platform Identity Platform Identity Governance,
cloud Authentication Provisioning access analysis
service
SAP
S/4HANA
Add-On for Code

SAP Single SAP Identity SAP Access SAP Enterprise
SAP Vulnerability
Sign-On Management Control Threat Detection
Business Analysis
Suite
Ensure corporate Find and correct
Make it simple for users to do Know your users and what Counter possible threats and
compliance to vulnerabilities in customer
what they are allowed to do they can do identify attacks
regulatory requirements code
3rd Party
Systems Make sure that SAP SAP HANA Cloud SAP NetWeaver
Platform SAP HANA
solutions run securely Platform Application Server
Security

Overview of tools
ABAP Test Cockpit (ATC)

Central place for all check tools, exemption handling, result storage
Code Inspector (SCI)

Open framework for customers, partners and SAP to develop code related checks
Extended Program Check (SLIN)

Extended program check, which analyzes the source code
SAP NetWeaver Application Server, add-on for code vulnerability analysis

Code checks for security vulnerabilities. Main focus of the tool is analyzing the data flow and the user input

Architecture overview
ABAP Developer Quality Expert
R R
ABAP Workbench
R ABAP Test Cockpit (ATC) R

ABAP Editors Transport Management
Check
Exemptions
Results
Code Inspector
Checks
ABAP Source
Code R
SLIN Security
Checks

ABAP Test Cockpit (ATC)
What is it?
ATC is an ABAP check framework which allows running static checks and unit tests for
ABAP programs
ATC is fully integrated into the development environment and transport tools, along with
instant navigation, documentation and fix recommendation
What are the benefits?
ATC is the single point of entry for all static code check tools
ATC comprises a 4-eye principle exemption process to handle findings effectively
ATC is fully integrated in the ABAP development workbench with a high usability for
developers and quality experts
ATC is not only a check tool but supports essential QA techniques like
Q-Gates or regression testing in a consolidation system
Example: What does SAP NetWeaver AS, add-on for code
vulnerability analysis show within the ABAP Test Cockpit?
Plus a
detailed
explanation
about the
reason for
the finding
and
suggestions
how to fix the
problem

Example: Whats in a message displayed by SAP NetWeaver AS,
add-on for code vulnerability analysis?

Demo
ABAP Test Cockpit and SAP NetWeaver Application Server, add-on for code vulnerability analysis
Public
SAP NetWeaver Application Server, add-on for code
vulnerability analysis
Developed by the team creating the ABAP language

Tightly integrated into standard testing infrastructure
Already tested and in use for several years
SAP SAP NetWeaver AS, add-on for code vulnerability analysis is available as of:
SAP NetWeaver AS ABAP 7.0 EhP2 Support Package 14
SAP NetWeaver AS ABAP 7.4 Support Package 05 and later
See SAP Note 1921820 for the availability of new checks.

ABAP Test Cockpit
ATC is the standard ABAP check framework at SAP

The ABAP Test Cockpit (ATC) is a tool for doing static and dynamic quality checks
of ABAP code and associated repository objects
ATC is based on Code Inspector Very easy migration:
Just re-use your current global Code Inspector check variant
ATC is available as part of:
SAP NetWeaver AS ABAP 7.3 EhP2 and later

Remote security checks
Central Check System Analyzed System

(SAP_BASIS 7.50) (planned:
SAP_BASIS 7.00)
CVA ABAP
Stub
ATC Repository
Configuration of checks and administration of check runs takes place in the central check system
The stub can be installed through SAP note. No upgrade, no SP prerequisite in analyzed systems (planned)
Recommendation: Use the central check system for CVA only
No dependencies to other software components
You can easily implement support packages and upgrades
Easy consumption of new or enhanced security checks

Demo
Remote scenario
Public
Toolset for application protection
Detection of security vulnerabilities

SAP NetWeaver Application Server, add-on for code vulnerability analysis (CVA)
Change documents, version management, authorization trace, security audit log,
Sanitizations of security vulnerabilities

Input validation, escaping, (e. g. use class CL_ABAP_DYN_PRG or ABAP statements)
Transaction FILE and function modules FILE_VALIDATE_NAME, FILE_GET_NAME, and
FILE_GET_NAME_AND_VALIDATE
Transactions SM69 and function modules SXPG_... (aka SAPXPG mechanism)
Secure Store and Forward (SSF) for encryption & digital signatures (function modules SSF_...)
Virus Scan Interface (class CL_VSI, note 786179 and 817623)
Switchable authorizations (transaction SACF, class CL_SACF, note 1908870 and 1922808)

Sanitization by class CL_ABAP_DYN_PRG
Check methods
Check methods for values

CHECK_[CHAR|STRING]_LITERAL checks input for valid literal syntax
CHECK_INT_VALUE checks input for integer value with optional sign
Check methods for names

CHECK_TABLE_[OR_VIEW_]NAME_[STR|TAB] checks whether the name is a valid table or
view within given packages
CHECK_COLUMN_NAME checks input for valid table column name
CHECK_VARIABLE_NAME checks input for valid ABAP variable name

Escaping methods for ABAP and Open SQL
CL_ABAP_DYN_PRG=>QUOTE( ): Double each of the input and put around that
QUOTE( )
CL_ABAP_DYN_PRG=>QUOTE_STR( ): Double each ` of the input and put ` around that
QUOTE_STR( )
CL_ABAP_DYN_PRG=>ESCAPE_QUOTES( ): Double each of the input
ESCAPE_QUOTES( )
CL_ABAP_DYN_PRG=>ESCAPE_QUOTES_STR( ): Double each ` of the input
ESCAPE_QUOTES_STR( )
Note: The pure escaping (last two boxes) can also be achieved through the REPLACE statement.
Escaping methods for Web techniques (cross-site scripting, XSS)
CL_ABAP_DYN_PRG=>ESCAPE_XSS_XML_HTML( ): Escaping for XML and HTML
ESCAPE_XSS_XML_HTML( )
CL_ABAP_DYN_PRG=>ESCAPE_XSS_JAVASCRIPT( ): Escaping for JavaScript Strings
ESCAPE_XSS_JAVASCRIPT( )
CL_ABAP_DYN_PRG=>ESCAPE_XSS_CSS( ): Escaping for Cascading Style Sheets
ESCAPE_XSS_CSS( )
CL_ABAP_DYN_PRG=>ESCAPE_XSS_URL( ): Escaping for URL Strings
ESCAPE_XSS_URL( )
Note: XSS escaping can also be achieved through the built-in function ESCAPE (SAP_BASIS >= 7.31).
Hints
Please use the following pattern when using check methods of CL_ABAP_DYN_PRG:
Use the returned value to proceed. This ensures that an invalid input cannot be used in a meaningful way.
Most important SAP notes related to CL_ABAP_DYN_PRG :

1487337 - Downport CL_ABAP_DYN_PRG (initial release of the class)
1852318 - Overview on the availability of the class CL_ABAP_DYN_PRG
Secure programming:
Command injection
Public
Operating system command injection
What is an OS command injection?
Context
Software invokes OS commands
Part of the OS command invocation contains external, user-provided input, e.g. dir user input
Attack / entry point
Attacker supplies malicious data in order to call:
Other, unintended OS commands (OS command injection)
The same command with manipulated parameters (OS command manipulation)
Typically aims at command chaining, i.e. the use of special OS-specific characters to execute additional
commands right after the execution of the intended command, e.g. dir foobar | format c:
Potential result
Injection and execution of unexpected, dangerous commands directly on the operating system (e.g., to
allow OS remote logons, change authorizations or configurations, etc.)

OS command injection
How to call OS commands in ABAP
CALL 'SYSTEM' ID 'COMMAND' FIELD <command>

OPEN DATASET...FILTER <command>
Specifying a filter will lead the application server to start an external program to pre-process (reading) or post-
process (writing) the data
Typical use case is to compress/decompress files before writing/reading
SAPXPG mechanism
Can be used to call OS commands on the application server
Enables customers to adapt commands to their needs
Abstracts differences between operating systems
Allows customers to define check modules per OS command, e.g., to implement a character whitelist
Comes with an authorization check

SAPXPG command definition
Transaction SM69 to maintain and execute external OS commands
Function modules SXPG_... to call the defined OS commands in applications

SAPXPG command execution
Code snippet using the SAPXPG-defined OS command LIST_DB2DUMP :

* Get directory to display from Web request
userinput = request->get_form_field( 'dir' ).
* Call Win OS command 'dir' on backend system

CALL FUNCTION 'SXPG_CALL_SYSTEM'
EXPORTING
commandname = LIST_DB2DUMP'
ADDITIONAL_PARAMETERS = userinput
Expected and malicious user input
c:\SAP\dir1 dir c:\SAP\dir1
ADDITIONAL_PARAMETERS = userinput
foobar | cmd /c telnet dir foobar | cmd /c telnet

SAPXPG check module
Writing check modules for additional parameters using template module
FUNCTION SXPG_DUMMY_COMMAND_CHECK.
*"----------------------------------------------------------------------
*"*"Lokale Schnittstelle:
*" IMPORTING
*" VALUE(PROGRAMNAME) LIKE SXPGCOLIST-OPCOMMAND
*" VALUE(PARAMETERS) LIKE SXPGCOLIST-PARAMETERS
*" VALUE(LONG_PARAMS) TYPE CHAR1024 OPTIONAL
*" EXCEPTIONS
*" NO_PERMISSION
*"----------------------------------------------------------------------

RAISE NO_PERMISSION.

ENDFUNCTION.

Mechanisms for Avoiding OS Command Injection
Avoid the use of OS commands!

If, however, it is absolutely necessary
Use existing ABAP functionality
If there is no such functionality, only use SAPXPG to call OS commands
Where possible, build the OS command statically, i.e., without user input
Do not use shells to call commands
If user input is passed to the called command perform a whitelist check using a check module
o Copy template function module SXPG_DUMMY_COMMAND_CHECK
o Escape or filter all characters that do not pass a strict whitelist
Use class CL_ABAP_DYN_PRG
Where not possible, regular expressions are powerful tool, e.g.
FIND REGEX '[^A-Za-z]' IN userinput MATCH COUNT mcnt.
o Do not use a blacklist approach

Secure programming:
Command injection
Exercise
Command injection Your system: TDI

Your client: 001
Expected time frame: 15 min. Your user: SEC261
Your password: welcome
Optional exercises: Authorization checks
Public
Secure programming:
Directory traversal
Public
Directory traversal attack
What is the risk?
Directory traversal attacks ( also called path traversal attacks ) try to abuse insufficient sanitization and
validation when taking user input as (part of) file names.
Depending on the operation, this could lead to
Disclosure of sensitive data or
Overwriting critical files
Usual countermeasures include using FILE_GET_NAME to safely construct the file name and
FILE_VALIDATE_NAME to verify the file name.

What are the sanitization methods?
The best approach is to not allow the user to define a file name but let the administrator decide. They
know their system best! If the user needs to be able to specify a complete file name including the path,
you need to make sure that the file ends up somewhere where it is supposed to be:
Use the function module FILE_GET_NAME to retrieve the definition from the administrator.
In case it is required to request the file name from the user validate the file name using the function
module FILE_VALIDATE_NAME.
Do not try to only rely on authorizations! You can circumvent these in some cases.

How to use FILE_GET_NAME to retrieve file names
Retrieving a file name with FILE_GET_NAME without validation can enable the user to control
the file name!
CALL FUNCTION 'FILE_GET_NAME'

EXPORTING
logical_filename = logical_file_name
PARAMETER_1 = param_1
INCLUDING_DIR = 'X'
IMPORTING
FILE_NAME = physical_file_name
EXCEPTIONS
FILE_NOT_FOUND = 1
OTHERS = 4.

How to use FILE_VALIDATE_NAME to validate file names
Validating a file name with FILE_VALIDATE_NAME:
CALL FUNCTION 'FILE_VALIDATE_NAME'

EXPORTING
LOGICAL_FILENAME = logical_file_name
CHANGING
PHYSICAL_FILENAME = physical_file_name
EXCEPTIONS
VALIDATION_FAILED = 1
OTHERS = 4.
IF SY-SUBRC <> 0.
IF SY-SUBRC > 1.
MESSAGE ID sy-msgid TYPE 'A' NUMBER sy-msgno
WITH sy-msgv1 sy-msgv2 sy-msgv3 sy-msgv4.
ELSE.
MESSAGE 'The filename >' && pv_fname && '< is not valid, please try again.' TYPE 'E'.
ENDIF.
ENDIF.

Transaction FILE
The transaction FILE is being used to define properties related to file system operations when
using functions like FILE_GET_NAME and FILE_GET_NAME_AND_VALIDATE.
With this transaction you can define:

Logical File Paths
Logical File Names
Variables used in the generation of file names
Syntax groups for the file name handling
Assign an OS to such a syntax group

Logical path
Logical paths allow to create platform independent path definitions. This is achieved as one
physical path per platform can be mapped to a logical path.
A logical path can be used in the definitions of logical file names to enable programs to retrieve
physical file names valid for the operating system, the application server is running on. The
definition contains:
The name to refer to the logical path
A description
One directory definition per syntax group

Logical file name
Logical file names are patterns defined in transaction FILE. These patterns are used to create
or verify file names for file system access. The definition of a logical file name includes
information about
The name to refer to the logical file name in the coding
The pattern for the file name
Optional: Data format (ASCII, Binary, Directory, ) for the file
Optional: Application area
Optional: Logical path required for validation!
The file name portion defined can be absolute

(start from a root) or relative.
File name patterns may include predefined patterns like date, time, OS or patterns based on
profile parameters and more.
Constructing the file name I
FILE_GET_NAME will take the information from the logical path, append the contents from the
logical file name and replace variable values by their actuals:
Logical Path: D:\Files\orders-out\<PARAM_1>\<FILENAME>

Logical Filename: <PARAM_2>_<DATE>-<TIME>.txt
EXPORTING
PARAMETER_1 = 'AMER'
PARAMETER_2 = 'Exton'
INCLUDING_DIR = 'X'
...
Result: D:\Files\orders-out\AMER\Exton_20161013-122409.txt

Constructing the file name II
FILE_GET_NAME will take the information from the logical path, append the contents from the
logical file name and replace variable values by their actuals:
Logical Path: D:\Files\orders-out\<PARAM_1>\<FILENAME>

Logical Filename: <PARAM_2>_<DATE>-<TIME>.txt
EXPORTING
PARAMETER_1 = '..\orders-in\EMEA'
PARAMETER_2 = 'Exton'
INCLUDING_DIR = 'X'
...
Result: D:\Files\orders-in\EMEA\Exton_20161013-122409.txt
However it will NOT validate the input!
How to use FILE_GET_NAME_AND_VALIDATE to retrieve file names
Use FILE_GET_NAME_AND_VALIDATE instead of FILE_GET_NAME to avoid directory

traversals:
CALL FUNCTION 'FILE_GET_NAME_AND_VALIDATE'

EXPORTING
logical_filename = logical_file_name_from_tx_file
INCLUDING_DIR = 'X'
IMPORTING
EMERGENCY_FLAG1 = e_flag
FILE_NAME = physical_file_name
EXCEPTIONS
VALIDATION_FAILED = 1
FILE_NOT_FOUND = 2
OTHERS = 4.
Requires note 1957910 to be implemented!

Secure programming:
Directory traversal
Exercise
Directory traversal Your system: TDI

Your client: 001
Public
Secure programming:
XSS and XSRF
Public
XSS Cross-site scripting
Introduction
Context: Web applications accept user input, which is used to create dynamic content in HTML pages
Weakness(es)
Insufficient input validation
Missing output filtering or encoding, when writing user input to HTML pages

An attacker supplies malicious data to inject client-side JavaScript into web pages viewed by other users and, as such, attacks
other clients
Potential results
Stealing access credentials, DoS, Web page modifications, executing commands on the attacked users system
Types of XSS:
1. Reflected (the most common type): The server receives input data and uses it to build a result HTML page for the same
user, without properly sanitizing the input
2. Persistent: Input data from a given user is persisted by a server, and is included later in HTML pages returned to other
users, again without proper data sanitization
Reflected XSS
Problem
Web applications accept user input, which is displayed on subsequent HTML pages (either immediately or some time after)
If user input is not parsed, malicious JavaScript can be injected into HTML pages (which are a mix of data and code)
Example
The search page echoes the search
string on the result page
Corresponding HTML fragment

<span class="urTxtStd" ct="TV">
Business Suite
</span>
If input is not validated, something like the

following would be possible
<span class="urTxtStd" ct="TV">
</span><script type="text/javascript">some code</script><span>
</span>

Persistent XSS
The following is an example for all kinds of applications that accept, store and echo user input, a feature being part of
thousands of web pages (think of SDN, guest books, forums, etc.)
Attacker Web Server

Post Forum Message: Did you know this?
Subject: GET Money for FREE !!! GET Money for FREE !!!
.....
Body: <script> attack code </script>
Re: Error message on startup
<script> attack code </script>
I found a solution!
.....
Can anybody help?
.....
Error message on startup
.....
Get /forum.jsp?fid=122&mid=2241
.....
1. Attacker sends malicious code as part of message GET Money for FREE !!!
<script> attack code </script>
2. Server stores message
3. User requests message Client

4. Message is delivered by server !!! attack code !!!
5. Browser executes script in message (= mixture of data and code)

Impact
Access to authentication credentials Denial-of-Service
Cookies, username and password Crash users` browsers, pop-up-flooding, redirection
Normal users Access to users` machines

Access to personal data (credit card, bank account) Use ActiveX objects to control machine (install botnet client,
Access to business data (bid details, construction details) keylogger, etc.)
Misuse account (order expensive goods) Upload local data to attacker`s machine
High privileged users Spoil public image of company

Control over Web application Load main frame content from other locations
Control/access: Web server machine Redirect to dialer download
Control/access: backend / database systems

Demo
XSS with BSP
Public
Countermeasures
General idea
Prevent the injection of executable code in the web page, i.e., address the problem that HTML pages
are a mixture of code and data
Find a harmless representation of user input
The following, general countermeasures exist

Constrain input
Filter unwanted input
Validate external input
Ensure that provided input matches to what the application expects
Encode output
Prevent input from being executable in the HTML page

Overview ABAP output encoding technologies
BSP extensions (HTMLB, XHTMLB and PHTMLB) (see next slides)

Dedicated encoding parameter must be enforced/used explicitly in the HTML page
Web Dynpro ABAP

Does not require developers to develop HTML themselves
Framework generates output HTML code
Automatic output encoding
No manual actions are required in the program code
ITS BusinessHTML (BHTML)

Various encoding methods must be used in the HTML page

Recommendation for BSP
For BSP, use the encode attribute forceEncode at the page level with the following directive:
<%@page language="abap" forceEncode="html" %>
Following encoding schemas can be used with this attribute:

html
url
javascript
Page directive ensures encoding of any print statement (<% variable %>) on the page according to
the specified value
If another encoding must be used, because user input will be included in an HTML tag attribute for
URLs or JavaScript coding, use the following constructs:
<a href=<%url = input %>>link</a>

<a onClick=<%javascript = input %>>link</a>

Recommendation for BSP extensions
In BSP extensions (HTMLB, XHTMLB and PHTMLB), you may also use specific encode attribute
forceEncode on the HTMLB content-tag
Limitation: Protects HTMLB tags only
Set the attribute forceEncode to ENABLED
<%@page language="abap" %>

<%@extension name="htmlb" prefix="htmlb" %>
<% DATA: name TYPE string.
name = request->get_form_field( 'name' ). %>
<htmlb:content design="design2003" forceEncode="ENABLED"
>
<htmlb:page title = "HTMLB mit forceEncode">
<htmlb:form>
<htmlb:textView text = "Hello <%= name %> />
</htmlb:form> </htmlb:page> </htmlb:content>

XSRF Cross-site request forgery
Introduction
Context
Browsers automatically append valid (= not expired) authentication cookies to each request
Thus, each request after the initial authentication is automatically authenticated, without any required user interaction
URLs are easily guessable by attackers

Attacker crafts a malicious URL and tricks the user into requesting this URL
Result
Victim executes an action on behalf of the attacker, using an already authenticated session
Simply visiting a URL may have bad consequences

Demo
XSRF with BSP
Public
Countermeasures
General idea
Ensure that URLs (requests) are not guessable by the attacker by including a random element (token)
in the request
However, an attacker can always trick users into starting an application
Recommendations
Applications must use the available anti-XSRF mechanism
For ABAP, in general, no manual efforts are required on code level
Mechanism can be enabled via checkbox in BSP/ITS
Mechanism is automatically used in WebDynpro ABAP
Developers must avoid sensitive actions (= state changes) at application start and in all automatically
reachable pages (= pages reachable without user interaction)
All other pages are protected by the anti-XSRF mechanism

Recommendations
Framework solutions are developed for the following technologies
ABAP technologies: BSP, WebDynpro, ITS
For BSP applications

Activate the XSRF protection mechanism in the BSP
properties
Mark start BSP pages
To be reachable without the anti XSRF-token
Which must not result in any state-change
A token-generating JavaScript is added automatically into
every page, manipulating the DOM tree during the
onLoad event
You notice immediately if your application breaks when
activating the anti XSRF-token

Web-based attacks: Recommendations
Validate input
The entire (!) HTTP request must be considered as input, including HTTP headers, cookies, web forms
Client-side checks cannot be trusted; always (!) re-do the check on the server side
Follow advice given in the section on injection attacks (whitelist vs. blacklist, etc.)
Encode output
User input must not become executable; use the existing mechanisms for output encoding
Use strong session management

Use the session management provided by the SAP NetWeaver platform, and do NOT build your own session
management
Short sessions (achieved through cookie expires)
Use server-side cookies (instead of client-side cookies)

Ensure that no state changes are done at applications start (= on start pages), other pages are
protected by the anti-XSRF mechanism

Secure programming:
XSS and XSRF
Exercise
XSS and XSRF Your system: TDI

Your client: 001
Public
Recommendations
Public
Recommendations
Always have security in mind when developing software!

Its best practice to build good software in the first place. Repairing later is far more expensive.
And after all: you dont want to put insecure software into productive use.
Move sanitizations as close as possible to the critical statement!
The critical statement and the sanitization often depends on the deployed technology.
Moreover, the sanitization is automatically reused when the code is reused.
Use a static code analyzer. Use it every time you change your code!
Using a static code analyzer is a quick win. Many security problems can be detected just after
the code has been written.
Dont forget dynamic security tests!
It might be tempting, but you cant rely on static checks alone. There are security issues which
a static code checker cannot find, e. g. missing encryption or virus check.
Train your developers!
If they dont know of the possible security problems they cant avoid them. The ABAP keyword
documentation can serve as a starting point, and has been enhanced for critical statements.

SAP NetWeaver AS, add-on for code vulnerability analysis
Overview of available Checks
SQL Injection
(Open SQL)
Web SQL Injection

Exploitability (ADBC)
Backdoors & Code Injection

Authorizations Security Checks (ABAP)
Directory
Call Injection
Traversal
OS Command
Injection

Overview of the available checks
SQL injection (Open SQL)
Manipulation of dynamic Open SQL

Potential manipulation of the dynamic WHERE condition (1101)
Potential manipulation of a dynamic WHERE condition using the parameter I_FILTER of the object services
method CREATE_QUERY (1122)
Potential manipulation of the SET clause in the statement UPDATE (1112)
Potential read performed on an illegal database table in a SELECT statement (1118)
Potential read performed on an illegal database table in a modifying OpenSQL statement (1120)
Potential read performed on invalid table columns (1114)
Potential use of illegal columns in a dynamic GROUP BY clause (1116)
Potential use of illegal columns in a dynamic HAVING clause (1117)

SQL injection (ADBC)
Manipulation of SQL statements

Potential injection of harmful SQL statements of clauses in execution of DDL statements in ADBC (1128)
Potential injection of harmful SQL statements of clauses in execution of DML statements in ADBC (1130)
Read performed on sensitive database table (11G0)
Write performed on sensitive database table (11G1)

Code injection (ABAP)
Manipulation of ABAP code created dynamically

Potential injection of harmful code in the statements INSERT REPORT and GENERATE SUBROUTINE POOL
(1108)
Potential manipulation of the dynamic WHERE condition in an internal table (1190)
Potential injection of harmful code when the RFC-enabled function module RFC_ABAP_INSTALL_AND_RUN
was called (1109)

Call injection
Manipulation in dynamic calls

Potential call of an illegal transaction using the statement CALL TRANSACTION (1142, 114F, 114G)
Potential call of an unwanted transaction using the statement LEAVE TO TRANSACTION (1143)
Potential call of an illegal program using the statement SUBMIT (1141)
Potential call of invalid function module using RFC (1140)
UI-driven or RFC-driven dynamic call of a function module (1144)
C function call with names as potential user input (1171)
Statement COMMUNICATION used (11C1)

Injections of operating system commands

Statement CALL 'SYSTEM' used (1170)
Potential manipulation in the FILTER addition of the statement OPEN DATASET (1106)
FILTER addition of the statement OPEN DATASET used (1107)

Directory traversal
Access to illegal directories and files

Potential manipulation of the file name in the statement OPEN DATASET or DELETE DATASET (1104)
Potential manipulation of the file name in the method CREATE_UTF8_FILE_WITH_BOM of the class
CL_ABAP_FILE_UTILITIES (1124)
Non-secure parameter of the function module FILE_GET_NAME or FILE_VALIDATE_NAME used (1126)

Backdoors & authorizations
Weak authorization checks or user administration bypassed

Hard-coded user name, possibly from undeleted test code or an indication of a back door (0821)
Hard-coded host name sy-host, possibly from undeleted test code or an indication of a back door (11S1)
Hard-coded system ID sy-sysid, possibly from undeleted test code or an indication of a back door (11S2)
Hard-coded client sy-mandt, possibly from undeleted test code or an indication of a back door (11S3)
System variable sy-xxxx compared with a hard-coded value from forgotten test code or that could indicate a back door (11S4).
SY-SUBRC not evaluated after the statement AUTHORITY-CHECK (1160)
SY-SUBRC not evaluated after switchable authorization check (1161)
AUTHORITY-CHECK with explicit user name (1180)
AUTHORITY-CHECK with explicitly specified user name sy-uname (1181)
SY-SUBRC not handled after a security-relevant function was called (1165)
CALL TRANSACTION without or with possibly insufficient authorization
check (1142, 114A, 114B, 114C, 114D, 114E, 114F, 114G)
Potentially missing authorization check in a report (11A1)
Potentially missing authorization check in an RFC function module (11A2)

Web exploitability
Possible attacks using Web technologies

Obsolete escape method used (1150)
Potential reflected cross-site scripting (1134)
Potential invalidated URL redirect (11P1)
Potential risk of cross-site scripting (1132)
forceEncode="enabled" not specified for htmlb:content (1151)
Obsolete design or no design specified for htmlb:content (1152)
BSP application is not protected against XSRF (11RF)

SAP TechEd Online
Continue your SAP TechEd

education after the event!
Access replays of
Keynotes
Demo Jam
SAP TechEd live interviews
Select lecture sessions
Hands-on sessions


Further information
Related SAP TechEd sessions:

SEC600 - Find and Fix Security Vulnerabilities in ABAP Coding Using ATC and CVA
DEV265 - ABAP Today
DEV266 - Code Better with ABAP in Eclipse
DEV267 - Building Applications with ABAP Using Code Pushdown to the Database
DEV268 - Building an End-to-End SAP Fiori App Based on SAP S/4HANA and ABAP
SAP Public Web

scn.sap.com
www.sap.com
SAP Education and Certification Opportunities

www.sap.com/education
Watch SAP TechEd Online

www.sapteched.com/online

Feedback
Contact information:
Please complete your
Juergen Adolf
session evaluation for Product Manager
Email: juergen.adolf@sap.com
SEC261.

2016 SAP SE or an SAP affiliate company. All rights reserved.
No part of this publication may be reproduced or transmitted in any form or for any purpose without the express permission of SAP SE or an SAP affiliate company.
SAP and other SAP products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of SAP SE (or an SAP affiliate
company) in Germany and other countries. Please see http://www.sap.com/corporate-en/about/legal/copyright/index.html for additional trademark information and notices.
Some software products marketed by SAP SE and its distributors contain proprietary software components of other software vendors.
National product specifications may vary.
These materials are provided by SAP SE or an SAP affiliate company for informational purposes only, without representation or warranty of any kind, and SAP SE or its
affiliated companies shall not be liable for errors or omissions with respect to the materials. The only warranties for SAP SE or SAP affiliate company products and
services are those that are set forth in the express warranty statements accompanying such products and services, if any. Nothing herein should be construed as
constituting an additional warranty.
In particular, SAP SE or its affiliated companies have no obligation to pursue any course of business outlined in this document or any related presentation, or to develop
or release any functionality mentioned therein. This document, or any related presentation, and SAP SEs or its affiliated companies strategy and possible future
developments, products, and/or platform directions and functionality are all subject to change and may be changed by SAP SE or its affiliated companies at any time
for any reason without notice. The information in this document is not a commitment, promise, or legal obligation to deliver any material, code, or functionality. All forward-
looking statements are subject to various risks and uncertainties that could cause actual results to differ materially from expectations. Readers are cautioned not to place
undue reliance on these forward-looking statements, which speak only as of their dates, and they should not be relied upon in making purchasing decisions.

SEC261

Uploaded by

Copyright:

Available Formats

SEC261

Uploaded by

Document Information

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

SEC261

Uploaded by

Copyright:

Available Formats

What are the main security risks that applications face?

What are the main security risks that applications face?

What are some techniques that can be used to analyze applications for security vulnerabilities?

What are some techniques that can be used to analyze applications for security vulnerabilities?

SEC261 Secure ABAP Development: One

Bug Is Enough to Put Your Application at Risk

Las Vegas, Sept 19 - 23 Bangalore, October 5 - 7 Barcelona, Nov 8 - 10

Juergen Adolf Vaibhav Raina Juergen Adolf

2016 SAP SE or an SAP affiliate company. All rights reserved. Public 2

2016 SAP SE or an SAP affiliate company. All rights reserved. Public 3

2016 SAP SE or an SAP affiliate company. All rights reserved. Public 4

Your software is everywhere

Today's business applications have a history

2016 SAP SE or an SAP affiliate company. All rights reserved. Public 6

In order to secure an application, all of its components, functions, infrastructure and

In order to break an application, only one flaw in any of its components/functions or

2016 SAP SE or an SAP affiliate company. All rights reserved. Public 7

Find vulnerabilities in the Find vulnerabilities analyzing

Manual Application Manual Source

SAP NetWeaver Application Server, add-on

2016 SAP SE or an SAP affiliate company. All rights reserved. Public 8

SAP Cloud SAP Cloud Identity

Add-On for Code

2016 SAP SE or an SAP affiliate company. All rights reserved. Public 10

ABAP Test Cockpit (ATC)

Code Inspector (SCI)

Extended Program Check (SLIN)

SAP NetWeaver Application Server, add-on for code vulnerability analysis

2016 SAP SE or an SAP affiliate company. All rights reserved. Public 11

ABAP Developer Quality Expert

R ABAP Test Cockpit (ATC) R

2016 SAP SE or an SAP affiliate company. All rights reserved. Public 12

What are the benefits?

ATC comprises a 4-eye principle exemption process to handle findings effectively

2016 SAP SE or an SAP affiliate company. All rights reserved. Public 14

2016 SAP SE or an SAP affiliate company. All rights reserved. Public 15

Developed by the team creating the ABAP language

2016 SAP SE or an SAP affiliate company. All rights reserved. Public 17

ATC is the standard ABAP check framework at SAP

2016 SAP SE or an SAP affiliate company. All rights reserved. Public 18

Central Check System Analyzed System

2016 SAP SE or an SAP affiliate company. All rights reserved. Public 19

Detection of security vulnerabilities

Sanitizations of security vulnerabilities

2016 SAP SE or an SAP affiliate company. All rights reserved. Public 21

Check methods for values

Check methods for names

2016 SAP SE or an SAP affiliate company. All rights reserved. Public 22

CL_ABAP_DYN_PRG=>QUOTE( ): Double each of the input and put around that

CL_ABAP_DYN_PRG=>QUOTE_STR( ): Double each ` of the input and put ` around that

CL_ABAP_DYN_PRG=>ESCAPE_QUOTES( ): Double each of the input

CL_ABAP_DYN_PRG=>ESCAPE_QUOTES_STR( ): Double each ` of the input

CL_ABAP_DYN_PRG=>ESCAPE_XSS_XML_HTML( ): Escaping for XML and HTML

CL_ABAP_DYN_PRG=>ESCAPE_XSS_JAVASCRIPT( ): Escaping for JavaScript Strings

CL_ABAP_DYN_PRG=>ESCAPE_XSS_CSS( ): Escaping for Cascading Style Sheets

CL_ABAP_DYN_PRG=>ESCAPE_XSS_URL( ): Escaping for URL Strings

Most important SAP notes related to CL_ABAP_DYN_PRG :

2016 SAP SE or an SAP affiliate company. All rights reserved. Public 27

CALL 'SYSTEM' ID 'COMMAND' FIELD <command>

2016 SAP SE or an SAP affiliate company. All rights reserved. Public 28