So people were in a good mood, and the SDN networking meeting went very well with Thomas Jung leading the discussions. One of the hot topics in the meeting was the future of Business Server Pages (BSP) development at SAP. Even though WebDynpro is the successor of BSP, Thomas presented a few new things he developed in BSP.
BSP indeed is a nice way to develop Web applications with SAP technology. However, when it comes to security, a BSP developer has to actively do certain things to secure the Web application: input validation and output encoding must be done manually. If the developer misses those measures in even one place, the Web application may be vulnerable.
I got some feedback on my comments about BSP security during the SDN networking meeting. Some suggested including real ABAP code examples in my talk, which I did. Here is the source code of a very simple example of a BSP Web page:
<%@page language="abap"%>
<html>
<body>
<% data: x type string.
x = request->get_form_field( 'x' ).
%>
<a href="<%=x%>">Next</a>
</body>
</html>
As the Web page prints user input directly into an HTML page without any input validation or output encoding, the Web page contains a Cross Site Scripting (XSS) security vulnerability. Actually, I found this code online as an example of BSP coding.
To mitigate this security threat, you need to filter the user input by passing it to the ABAP function cl_http_utility=>escape_url. This is the only way to fix the XSS vulnerability without breaking the functionality of the code.
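The same page with output encoding applied, as an added example written for this post rather than the code I found online. It assumes that cl_http_utility=>escape_url and cl_http_utility=>escape_html take the raw value via the parameter unescaped and return the encoded string; the escape_html part goes beyond the href case discussed above and shows the matching encoding for plain page text.

```abap
<%@page language="abap"%>
<html>
<body>
<% data: x type string.
   data: x_url type string.
   data: x_text type string.
   " Read the raw form field exactly as the original page does.
   x = request->get_form_field( 'x' ).
   " Encode once per output context. URL encoding for the href attribute
   " is the fix described in the post; it keeps the link working while
   " preventing the value from breaking out of the attribute.
   x_url = cl_http_utility=>escape_url( unescaped = x ).
   " When the same value is shown as page text, HTML encoding is the
   " matching encoding for that context (added here; not covered above).
   x_text = cl_http_utility=>escape_html( unescaped = x ).
%>
<a href="<%=x_url%>">Next</a>
<p>You entered: <%=x_text%></p>
</body>
</html>
```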
As the above coding renders user input into a hyperlink, the page also has a Cross Site Request Forgery (XSRF) vulnerability, which allows attackers to trick victims into making arbitrary (potentially malicious) requests to other Web pages. But that's a different story.
So are those SAP vulnerabilities? No, they aren't. BSP works similarly to Java Server Pages (JSP) or PHP, and all of these technologies suffer from the same quirks. If you want to stick to BSP, you have to do a lot of security homework to keep up with the hackers. Note that by using WebDynpro you have a lot less to worry about, but you still have to worry. ... but that's a different story.