Disclaimer
This presentation outlines our general product direction and should not be relied on in making a purchase decision. This presentation is not subject to your license agreement or any other agreement with SAP. SAP has no obligation to pursue any course of business outlined in this presentation or to develop or release any functionality mentioned in this presentation. This presentation and SAP's strategy and possible future developments are subject to change and may be changed by SAP at any time for any reason without notice. This document is provided without a warranty of any kind, either express or implied, including but not limited to, the implied warranties of merchantability, fitness for a particular purpose, or non-infringement. SAP assumes no responsibility for errors or omissions in this document, except if such damages were caused by SAP intentionally or grossly negligent.
Learning Objectives
Agenda
1. Security
Why? Security @ SAP
2. Secure ABAP
Secure Programming & Secure User Interface
4. Developer Responsibilities
2011 SAP AG. All rights reserved. / Page 4
Security: Why?
At the heart of the PIL Product Security Standard: Security Requirements
The PIL Security Standard defines a common set of security requirements for all SAP products, belonging to 3 areas:
Legal Compliance
SAP
Requirements of the PIL Product Standard Security are strongly aligned with the requirements and problems identified by the IT security community, e.g.:
Common Weakness Enumeration (CWE): CWE provides a unified, measurable set of software weaknesses that enables more effective discussion, description, selection, and use of software security tools and services that can find these weaknesses in source code and operational systems.
Open Web Application Security Project (OWASP Top 10): The Open Web Application Security Project (OWASP) is a not-for-profit worldwide charitable organization focused on improving the security of application software. "Our mission is to make application security visible, so that people and organizations can make informed decisions about true application security risks." The OWASP Top 10 is a risk-focused list of the Top 10 Most Critical Web Application Security Risks.
Common Vulnerabilities and Exposures (CVE): CVE is a dictionary of publicly known information security vulnerabilities and exposures, i.e., vulnerabilities in shipped software products.
Source http://cwe.mitre.org/top25/
Secure user interface development is possible only when the following security categories are fulfilled:
Cross-Site Scripting (XSS): XSS attacks aim to manipulate HTML pages by injecting malicious script code, or by indirect techniques such as redirection to another server or logical attacks.
SQL Injection: SQL injection attacks arise from direct integration of user input into SQL statements without appropriate validation or filtering.
Input Validation: Make sure that the input is in the expected form, to prevent unexpected data from altering the intended execution of the program.
Canonicalization: The content of input variables is transformed into its simplest and shortest representation, so that filter mechanisms succeed and polymorphic attacks (the same payload in different encodings) are avoided.
Directory Traversal: A URL is manipulated so that the web server reveals the content of a file anywhere on the server, residing outside the web server's root directory. These attacks take advantage of special-character sequences in URL input parameters, cookies, etc.
Cookie Manipulation: A cookie contains information used by web applications to persist and pass variables back and forth between the browser and the web application. The risk of tampering with that data, and even of information disclosure, is very high.
Weakness(es)
- Insufficient input validation
- Missing output filtering or encoding when writing user input back to HTML pages
Potential results
Stealing access credentials, DoS, web page modifications, executing commands on the attacked user's system
Two types of XSS
- Non-persistent / reflected (the most common type): the server receives input data and uses it to build a result HTML page for the same user, without properly sanitizing the input.
- Persistent: input data from a given user is persisted by the server and included later in HTML pages returned to other users, again without proper data sanitization.
Persistent XSS example (forum post, as shown in the slide's diagram):
1. Attacker sends malicious code as part of a forum message (Subject: GET Money for FREE !!!, Body: <script> attack code </script>)
2. Server stores the message
3. User requests the message (GET /forum.jsp?fid=122&mid=2241)
4. Message is delivered by the server to the client, where the attack code runs
BSP example
http://.../bsp/asdf/sample?name=Test
Vulnerable page: the name parameter is written back into the HTML unencoded
<%@page language="abap" %>
<%
  DATA: name TYPE string.
  name = request->get_form_field( 'name' ).
%>
<html><body>
<p>Hello <%= name %></p>
</body></html>
Rendered result when name carries a script payload instead of "Test":
<html> <p>Hello <img src= onerror=alert(document.cookie);> </p><body></body></html>
Automatic output encoding: no manual actions are required in the program code.
BSP extensions (HTMLB, XHTMLB and PHTMLB): the dedicated encoding parameter must be enforced/used explicitly in the HTML page.
ITS BusinessHTML (BHTML): various encoding methods must be used in the HTML page.
http://.../bsp/asdf/sample?name=Test
Fixed page: the user input is HTML-encoded before it is written back
<%@page language="abap" %>
<%
  DATA: input     TYPE string,
        input_enc TYPE string.
  input = request->get_form_field( 'name' ).
  " Encode the input so that '<', '>', '&' and quotes are rendered as text, not markup
  CALL METHOD CL_HTTP_UTILITY=>ESCAPE_HTML
    EXPORTING
      unescaped = input
    IMPORTING
      escaped   = input_enc.
%>
<html><body>
<p>Hello <%= input_enc %></p>
</body></html>
Backdoors
Description: Undocumented personal test hacks that developers leave in the code to gain access without going through the normal authorization mechanisms. After a compromise, an attacker uses this easier access to move around the compromised system and bypass its security mechanisms.
Business Risks: Can potentially lead to a user gaining unauthorized access to privileged data within your SAP database. Backdoors allow malicious developers to secretly access extra functionality by feeding certain triggers to the program. They are very likely to violate regulatory compliance and to increase user privileges.
Best Practices: Avoid the usage of backdoors and hard-coded user names used for developer hacks inside any productive version of an application.
Note: There are also backdoors not based on code but on privileges:
- Secret accounts
- Hacked accounts
- Modified accounts
Weakness
Insufficient user input normalization and validation, so that attacks can bypass security filters by using special-character sequences
Potential result
Unauthorized access (execution, modification, deletion, read) of server or application resources outside of the intended container or directory
Directory Traversal is a threat whenever file paths are processed. Typical scenarios:
- Web application URL parameters
- RFC module input parameters
- Command line parameters
An attacker may provide any other relative path name to access resources outside of the intended directory, e.g., the malicious user input
../../../etc/passwd
is concatenated to
/srv/sapprod/zapp1/../../../etc/passwd
Typical scenarios
1. An application defines a logical file name in code or customizing. This logical file name is later, at runtime, translated into the OS-specific (and customer-specific) physical file name.
2. An application permits a physical file name to be entered in some UI. This physical file name is checked against a logical file name.
3. An application permits a logical file name to be entered in some UI. The set of permitted file names has been configured with aliases, which are again translated.
References
- Note 1497003: Potential directory traversals in applications
- SAP Wiki: Knowledge Base SEC-136 Directory Traversal
After fixing (pa_file is the physical file name supplied by the user, e.g. a selection-screen parameter)
CONSTANTS logical_filename TYPE fileintern VALUE 'EXAMPLE_FIN1'.
[]
* Validate the user-supplied physical file name against the logical file name
CALL FUNCTION 'FILE_VALIDATE_NAME'
  EXPORTING
    logical_filename  = logical_filename
  CHANGING
    physical_filename = pa_file
  EXCEPTIONS
    OTHERS            = 1.
IF sy-subrc <> 0.
  MESSAGE ID sy-msgid TYPE sy-msgty NUMBER sy-msgno
          WITH sy-msgv1 sy-msgv2 sy-msgv3 sy-msgv4.
  RETURN.
ENDIF.
* Open the file only after the validation succeeded
OPEN DATASET pa_file FOR INPUT IN TEXT MODE ENCODING DEFAULT.
IF sy-subrc <> 0.
* handle the open error here
ENDIF.
An attacker may use the following attack patterns to get access to other files on the server, outside of the application's root:
%2F = /
%252F = %2F = /
http://host/zapp1?file=../../../etc/passwd
http://host/zapp1?file=..%2F..%2F..%2Fetc/passwd
http://host/zapp1?file=..%252F..%252F..%252Fetc/passwd
http://host/zapp1?file=..%252F..%252F..%252Fetc/passwd%00.html
Note: ABAP ICM/ICF is not susceptible to double-encoding attacks. This is just an example from the past, used to illustrate the difficulty of proper validation.
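As an added example (not code from the SAP slides), the following Python shows why a decode-once-then-filter check fails against the patterns above and how repeated decoding plus path normalization inside an application root catches all of them. The URLs are the ones from the slide; the root directory, the 'file' parameter handling and the function names are assumptions.

```python
import posixpath
from urllib.parse import unquote, urlsplit

# Application root directory taken from the slide's concatenation example (assumed).
APP_ROOT = "/srv/sapprod/zapp1"


def file_param(url: str) -> str:
    """Return the raw, still percent-encoded value of the 'file' query parameter."""
    for pair in urlsplit(url).query.split("&"):
        key, _, value = pair.partition("=")
        if key == "file":
            return value
    raise ValueError("no file parameter")


def naive_rejects(raw_value: str) -> bool:
    """The kind of filter the slide warns about: decode once, then look for '../'."""
    return "../" in unquote(raw_value)


def canonicalize(value: str, max_rounds: int = 5) -> str:
    """Percent-decode until the value stops changing (so %252F -> %2F -> /),
    then refuse NUL bytes, which C-level file APIs would use to truncate the name."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    else:
        raise ValueError("too many encoding layers")
    if "\x00" in value:
        raise ValueError("NUL byte in file name")
    return value


def resolve_under_root(user_path: str, root: str = APP_ROOT) -> str:
    """Canonicalize, join to the root and collapse '..'; raise if the result leaves root."""
    full = posixpath.normpath(posixpath.join(root, canonicalize(user_path)))
    if full != root and not full.startswith(root + "/"):
        raise ValueError("path escapes application root: " + full)
    return full


def secure_check(url: str) -> str:
    """'ok:<path>' when the file parameter stays inside APP_ROOT, else 'rejected:<reason>'."""
    try:
        return "ok:" + resolve_under_root(file_param(url))
    except ValueError as exc:
        return "rejected:" + str(exc)
```

The double-encoded pattern passes the naive filter but is rejected by secure_check, and the %00 variant is refused before any file API sees it.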
Function NORMALIZE_URL can be used to transform relative URLs into absolute URLs according to the syntax rules of RFC 1808.
DATA: I_UNNORMALIZED TYPE STRING, E_NORMALIZED TYPE STRING.
What about "I'm just using this variable value in my dynamically created code"?
Problem if you fail to carefully validate the variable value: the following two inputs are processed alike
val = '3'
val = '3. DELETE FROM USR02'
FORM read_data USING val TYPE string.
* rep_append: macro appending a source line to the table reptab (assumed to be defined elsewhere in the slide's report)
  rep_append 'REPORT ZREAD_DYNAMIC.'.
  rep_append 'DATA: lv_val TYPE STRING.'.
* The unvalidated value is pasted straight into a generated statement
  CONCATENATE 'lv_val = ' val '.' INTO l_statement.
  rep_append l_statement.
  INSERT REPORT lv_dynamic FROM reptab.
  SUBMIT (lv_dynamic) AND RETURN.
ENDFORM.
Generated report for the second value:
REPORT ZREAD_DYNAMIC.
DATA: lv_val TYPE STRING.
lv_val = 3. DELETE FROM USR02.
Partial mitigation
- Place authorization checks before the injected code
- Use rigorous whitelists that limit which constructs are allowed, i.e.:
  - In case of dynamic calls: create a whitelist of permitted function modules, classes and reports, e.g., with help of utility class CL_ABAP_DYN_PRG; filter all non-alphanumeric characters, e.g., via regular expressions
  - In case of dynamically generated coding: create a whitelist of permitted ABAP commands, e.g., with help of utility class CL_ABAP_DYN_PRG
Developer Responsibilities
- Understand Security: Software Lifecycle Security, SAP Security Solution Map
- Attention while Developing! Follow the Security Plan, adhere to the Secure ABAP Programming Guideline, avoid vulnerabilities listed in Security Advisories
- Evaluate the Application: Security Test Tools (ATC, Code Inspector), Checklist for Secure Programming
Code Inspector
Transaction Code: SCI
Menu Path: Program -> Check -> Code Inspector
This Checklist lists the most important issues that you should pay attention to in order to develop secure applications.
General
- No backdoors
- Safe state in case of errors
Password Security
- No plain-text and hard-coded passwords
Front-End Security / User Interface
- Input validation
- No HTTP GET
- No SQL injection, XSS, path traversal
Access Security
- No revealing of data in error messages and URLs
- Hidden HTML fields for secrecy
ABAP Programmers only
- CALL TRANSACTION with authority check, S_DEVELOP for ABAP command execution
Inaccurate programming
Further Information
SAP Public Web:
- General Info about Security (SDN): https://www.sdn.sap.com/irj/sdn/security
- SAP Security Forum: https://www.sdn.sap.com/irj/sdn/forumID=208
- SAP Security Guides: https://www.service.sap.com/securityguide
- SAP Security Notes: http://service.sap.com/securitynotes
Contact Feedback