11/4/2014

SAP Incident Wizard

JSON Hijacking Possible ( 0001008352/2014 )

Classification

Message: 1008352 / 2014, created 17.10.2014 - 06:20:50 CET
Reporter: Anabatic Anabatic
Customer: PT Bank Tabungan Pensiunan Nasional (1269577)
Partner: PT Anabatic Technologies
Last change: 04.11.2014 - 02:31:21 CET by Anabatic Anabatic
Status: Customer Action (automatic closing of message on 25.11.2014)
Language: English
Component: MOB-ONP-CIS
Priority: High (business operations are seriously threatened and urgent tasks cannot be executed)

Affected System

System ID / Name: SMP / SMP as BTPN MEAP
Installation No. / Name: 0020841000 / SYBASE installation
System Type: Production system
Product Version: SAP MOBILE PLATFORM 3.0
Operating System:
Database:
Technical Usage Type: No technical usage types available
Changed on: 02.10.2014 by Richard Gideon Wibisono (S0012002528)
Connection Status: Connection Closed

Problem Details: JSON Hijacking Possible
Short Text
JSON Hijacking Possible
Long Text
JSON Hijacking is an advanced attack that is similar to Cross-Site
Request Forgery; however, unlike CSRF, a malicious site is able to obtain
information from the target site. This interception ("hijacking") of
confidential data occurs when the response to an HTTP GET request is
returned in JSON format. JSON Hijacking works by overloading the Array or
Object constructors of the browser's scripting language with constructors
that intercept the data. This allows the malicious site to monitor JSON
messages and possibly steal sensitive data.
This policy states that any area of the website or web application that
contains sensitive information can be accessed
Page:
https://apptbouat02.dev.corp.btpn.co.id:8083/sapui5/resources/sap/ui/commons/library-preload.json
https://apptbouat02.dev.corp.btpn.co.id:8083/sapui5/resources/sap/ui/layout/library-preload.json
https://apptbouat02.dev.corp.btpn.co.id:8083/sapui5/resources/sap/ui/ux3/library-preload.json
https://apptbouat02.dev.corp.btpn.co.id:8083/sapui5/resources/sap/ui/table/library-preload.json
https://apptbouat02.dev.corp.btpn.co.id:8083/sapui5/resources/sap/viz/library-preload.json
https://apptbouat02.dev.corp.btpn.co.id:8083/sapui5/resources/sap/ui/layout/themes/sap_goldreflection/libraryparameters.json
https://apptbouat02.dev.corp.btpn.co.id:8083/sapui5/resources/sap/ui/commons/themes/sap_goldreflection/libraryparameters.json
https://apptbouat02.dev.corp.btpn.co.id:8083/sapui5/resources/sap/ui/core/themes/sap_goldreflection/libraryparameters.json
https://apptbouat02.dev.corp.btpn.co.id:8083/sapui5/resources/sap/ui/ux3/themes/sap_goldreflection/libraryparameters.json
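The following JavaScript is an added illustration; it is not part of the incident text, the scanner output or SAP Mobile Platform. It shows what a practitioner would check before accepting a "JSON Hijacking" finding: (a) which response bodies can be pulled in at all by a cross-origin script include, the precondition for the attack described above (a top-level array or primitive parses as a script, a top-level object does not); (b) that the Array-constructor and Object-setter overriding the description refers to captures nothing in ES5 and later engines, because array and object literals no longer call the overridable constructor or invoke prototype setters; and (c) two server-side mitigations, an anti-hijacking prefix and a custom-header requirement. The sample response bodies, the cookie value and the request object shape are constructed for the example and are not data from the SMP server named in the incident.

```javascript
'use strict';
// Added example, not part of the SAP incident or of SAP Mobile Platform.
// Shows the precondition for JSON hijacking, why the constructor/setter
// override described in the finding captures nothing in ES5+ engines, and
// two server-side mitigations. Runs under Node.js; all data is constructed.

// 1. A cross-origin page can only load the JSON with <script src=...>, so the
//    body must parse as a JavaScript program. A top-level array or primitive
//    is a valid expression statement; a top-level object literal is parsed as
//    a block statement and fails at the first ':' so it cannot be loaded.
function isExecutableAsScript(body) {
  try {
    new Function(body); // parse only; the function is never invoked
    return true;
  } catch (e) {
    return false;
  }
}

// 2. The legacy capture vector: replace the global Array constructor and put
//    a setter for an expected key on Object.prototype, then evaluate the body
//    as a <script> include would. Since ES5, array and object literals use the
//    intrinsic constructor and define own data properties directly, so both
//    hooks stay silent; the returned list is empty in any current engine.
function legacyConstructorOverrideCapture(body, key) {
  const captured = [];
  const RealArray = globalThis.Array;
  globalThis.Array = function HijackedArray() {
    captured.push('Array constructor called');
    return new RealArray();
  };
  Object.defineProperty(Object.prototype, key, {
    set(value) { captured.push(value); },
    configurable: true,
  });
  try {
    new Function(body)();
  } finally {
    globalThis.Array = RealArray;
    delete Object.prototype[key];
  }
  return captured;
}

// 3a. Anti-hijacking prefix: a token that is a JavaScript syntax error. The
//     same-origin client fetched the body with XMLHttpRequest/fetch and strips
//     the prefix before JSON.parse; a <script> include fails to parse.
const ANTI_HIJACK_PREFIX = ")]}',\n";

function protectJsonBody(value) {
  return ANTI_HIJACK_PREFIX + JSON.stringify(value);
}

function parseProtectedJson(body) {
  if (!body.startsWith(ANTI_HIJACK_PREFIX)) {
    throw new Error('missing anti-hijacking prefix; refusing to parse');
  }
  return JSON.parse(body.slice(ANTI_HIJACK_PREFIX.length));
}

// 3b. Serve JSON only to requests a <script> tag cannot produce. The browser
//     attaches the victim's cookies to a script-tag GET, but the attacker's
//     page cannot add a custom header to it or change the method. `req` is a
//     plain {method, headers} object (assumed shape, not an SMP server API).
function shouldServeJson(req) {
  if (req.method !== 'GET') return true;
  const headers = {};
  for (const [name, value] of Object.entries(req.headers || {})) {
    headers[name.toLowerCase()] = value;
  }
  return headers['x-requested-with'] === 'XMLHttpRequest';
}

// Constructed sample bodies; not responses from the SMP server in the incident.
const ARRAY_BODY = JSON.stringify([{ user: 'alice', token: 'tok-1' }]);
const OBJECT_BODY = JSON.stringify({ users: [{ user: 'alice', token: 'tok-1' }] });

function demo() {
  return {
    arrayLoadsAsScript: isExecutableAsScript(ARRAY_BODY),                 // true
    objectLoadsAsScript: isExecutableAsScript(OBJECT_BODY),               // false
    prefixedLoadsAsScript: isExecutableAsScript(protectJsonBody([1])),    // false
    legacyCaptured: legacyConstructorOverrideCapture(ARRAY_BODY, 'user'), // []
    roundTrip: parseProtectedJson(protectJsonBody({ ok: true })),         // { ok: true }
    scriptTagGet: shouldServeJson({ method: 'GET', headers: { Cookie: 'JSESSIONID=abc' } }), // false
    xhrGet: shouldServeJson({ method: 'GET',
      headers: { Cookie: 'JSESSIONID=abc', 'X-Requested-With': 'XMLHttpRequest' } }),   // true
  };
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log(demo());
}
```

Run with `node` to print the table of results. The first check is the one to apply to the flagged URLs: a body whose top-level value is an object cannot be loaded by a script tag regardless of what it contains, while an array or primitive can, so that is where the anti-hijacking prefix or the header check earns its place.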
Steps for Reconstruction
Request:
GET /sapui5/resources/sap/ui/commons/library-preload.json HTTP/1.1
Referer:
https://apptbouat02.dev.corp.btpn.co.id:8083/sapui5/resources/sap/ui/commons/library-preload.json
Accept: */*
Pragma: no-cache
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:22.0) Gecko/20100101 Firefox/22.0
Host: apptbouat02.dev.corp.btpn.co.id:8083
Connection: Keep-Alive
X-WIPP: AscVersion=10.20.666.10
X-Scan-Memo: Category="Audit.Attack";
SID="600180472B70852AEAC21CD71615AF6D";
PSID="40DE4CBC47287605971637895DE40131"; SessionType="AuditAttack";
CrawlType="None"; AttackType="None"; OriginatingEngineID="65cee7d3-561f40dc-b5eb-c0b8c2383fcb"; AttackSequence="0"; AttackParamDesc="";
AttackParamIndex="0"; AttackParamSubIndex="0"; CheckId="10733";
Engine="Request+Modify"; Retry="False";
SmartMode="NonServerSpecificOnly"; ThreadId="45";
ThreadType="StateRequestorPool";
X-RequestManager-Memo: StateID="263"; sc="1";
ID="39bc9453-b708-456d-abbf-7453aa7c3de7";
X-Request-Memo: ID="9419bb08-4b61-4344-ade8-140280751c26"; ThreadId="46";
Cookie: CustomCookie=WebInspect97364ZX53FBD2725A6843CA966459A8E8D2AEB6Y6E55

https://websmp130.sap-ag.de/sap(bD1lbiZjPTAwMQ==)/bc/bsp/spn/smp_custmsg/main.do?event=LOAD&pointer=002007974700010083522014&sid=MjAxN…

Communication

04.11.2014 - 02:31:17 CET - Info for SAP by Sumarto Santosa Sumarto
Dear AGS Product Support,
After applying SSL using a CA and re-running the Vulnerability Assessment test, I've still found the JSON hijacking issue. The issue about the SSL certificate hostname discrepancy also occurs in the Vulnerability Assessment test. Could you check the attachment on this incident? As you described:
"Reply by SAP - Dear customer, RESTful API is easy to access and then its result is also very easy to understand. If those JSON files can be accessed by anonymous and there is no encryption for it, it will be a critical problem on your side. So, you need to make authentication to forbid unauthorized users, or certification which will make encryption possible. My document is what can be possible on the SMP side. But you may need to figure out how to control security on the backend side also. I hope it would be helpful to you. Thanks and best regards, AGS Product Support hakwoo KIM"

31.10.2014 - Info for Customer by SAP
Hello Sumarto,
I have picked up this incident from my APJ colleagues to review further the findings. From having had a brief read through of the information previously in this incident and the appendixes of the vulnerability report, I will forward this to engineering. While the JSON libraries do appear to have been exposed, the data which is retrieved from the SMP server still requires login details and session IDs, which neither in this case would provide data from the backend; however, I will forward this to engineering to review and look further into this.
Geoff Poolman
SAP Active Global Support

28.10.2014 - Reply by SAP
Dear customer,
If you find out any problem or issue, please feel free to let me know that.
Thanks and best regards,
AGS Product Support hakwoo KIM

27.10.2014 - Info for SAP by Anabatic Anabatic
Dear AGS Product Support,
Thank you for your support on this issue. Could you check the attachment on this incident? As you described, right now the SMP Server on our machine hasn't been configured with any SSL certification, including a CA. I will inform you after applying the SSL configuration on this machine regarding this issue.
Best Regards

27.10.2014 - Info for SAP by Anabatic Anabatic
Dear AGS Product Support,
I've uploaded the Vulnerability Assessment Test result in this link: https://drive.google.com/file/d/0BxowzwlSdkyxZjZGd1FuYVhUTXc/view?usp=sharing
Please check regarding the issue.
Thanks

22.10.2014 - Reply by SAP
Dear customer,
Could you let me know what is your executed test to check vulnerability? An authorized user can access the following URL, but I am not sure whether it will also be accessible to an unauthorized user:
https://appsmpuat01.dev.corp.btpn.co.id:8083/Admin/
Thanks and best regards,
AGS Product Support hakwoo KIM

21.10.2014 - Info for SAP by Anabatic Anabatic
Dear AGS Product Support,
Thanks for your reply. All of the URLs containing JSON files are based on the management cockpit URL https://appsmpuat01.dev.corp.btpn.co.id:8083/Admin/. In our client policy, this kind of file should not have its content exposed.
Thank you

17.10.2014 - 08:13:05 CET - Reply by SAP
Dear customer,
RESTful API is easy to access and then its result is also very easy to understand. If those JSON files can be accessed by anonymous and there is no encryption for it, it will be a critical problem on your side. So, you need to make authentication to forbid unauthorized users, or certification which will make encryption possible. My document is what can be possible on the SMP side. But you may need to figure out how to control security on the backend side also. I hope it would be helpful to you.
Thanks and best regards,
AGS Product Support hakwoo KIM

17.10.2014 - 06:41:07 CET - Info for Customer by SAP
Dear Customer,
I have got this message. I will contact you soon after I analyze this issue. If I can get any solution or W/A for this message, I will send it to you. I will let you know what you have to send as further logs or information. I hope you write down or attach every detailed piece of information related to this issue; this message will contain everything about this issue.
Thanks and Best regards,
AGS Product Support

Contacts & Notifications

Reporter
Name: Anabatic Anabatic
Phone Number: +62 25567000
Mobile Telephone:
E-Mail: v-wiwit.rahmanto@btpn.com
Notification (By SMS / By e-mail): Opening, System, Other

SAP Notes

0000000012 Individual solution without a specific SAP Note

Attachments

Description: Please check this document
File Name: Planning Your Security Landscape.docx
Created from: SAP
Date / Time: 17.10.2014 08:13