sci202-secure abap programming

1

SCI202

Secure ABAP Programming

Selvaraj K, Quality Governance & Production

Frank Buchholz, Active Global Support

October 2010

© 2010 SAP AG. All rights reserved. / Page 2

Disclaimer

This presentation outlines our general product direction and should not be relied on in making a

purchase decision. This presentation is not subject to your license agreement or any other

agreement with SAP. SAP has no obligation to pursue any course of business outlined in this

presentation or to develop or release any functionality mentioned in this presentation. This

presentation and SAP's strategy and possible future developments are subject to change and

may be changed by SAP at any time for any reason without notice. This document is provided

without a warranty of any kind, either express or implied, including but not limited to, the implied

warranties of merchantability, fitness for a particular purpose, or non-infringement. SAP

assumes no responsibility for errors or omissions in this document, except if such damages

were caused by SAP intentionally or grossly negligent.

2


Learning Objectives

As a result of this workshop, you will be able to:

Learn common security vulnerabilities in ABAP applications

Understand secure ABAP programming methodologies

Realize the responsibilities of a developer


Agenda

1. Security

Why?

Security @ SAP

2. Secure ABAP

Secure Programming & Secure User Interface

3. Common Vulnerabilities in ABAP Applications

Cross Site Scripting

Backdoors

Path Traversals

Dangerous ABAP Commands

4. Developer Responsibilities

3


Security – Why?

Why security is needed in every software application?

Appropriate security is that which protects the organization from undue operational risks in a

cost-effective manner

Cyber attacks are becoming more stealthy and sophisticated, creating a complex and

dynamic risk environment for IT-based operations

To address these concerns significant efforts are taken to reduce vulnerabilities, improve

resistance to attack, protect integrity, business compliance, intellectual properties and trust

relations with partners

Open standards & networks create new business opportunities, but also new dangers


Security – Law of Weakest Link

Law of Weakest Link

To SECURE an application, all of its components, functions, infrastructure and

the related threats must be understood & implemented!

To BREAK an application, only one flaw in any of its components, functions

or the infrastructure may be enough!

4


Agenda

1. Security

Why?

Security @ SAP

2. Secure ABAP




Backdoors

Path Traversals




Software Security @ SAP

SAP development projects have to adhere to PIL

The Product Innovation Lifecycle (PIL) is the SAP approach to product quality.

PIL consists of process and product standards. The product standards define common

requirements to all SAP products

The PIL Security Standard defines

security requirements targeting:Vulnerability

Prevention

TCO

Reduction

Legal

Compliance

Requirements are

included in the planning phase

fulfilled in development

checked in the test phase

Organization

Standard Owner

Expert Network

– multiplication and reporting over all development units

Production Unit

– enforces compliance of SAP product development

5


Security Solution Map

ComplianceRegulatory

ComplianceAuditing

SAP Solutions for

Governance, Risk

and Compliance

Security Targets

Secure

CollaborationWeb Services Security Content Security Security Interoperability

Identity and

Access

Management

Identity ManagementAuthorization Concepts

and Management

Authentication and Single

Sign-On

Infrastructure

Security

Network and

Communications Security

Operating System and

Database SecurityFront-End Security

Software

Lifecycle

Security

Secure Product

DevelopmentSecure Delivery

Secure

Configuration

Secure Change

Management

Security

Governance


Agenda

1. Security

Why?

Security @ SAP

2. Secure ABAP




Backdoors

Path Traversals



6


Secure ABAP – Secure Programming

Following security categories is mandatory for a secure program development.

Password Security

Passwords as an authentication credential should be protected and never be visible e.g.

by display in plain text, hardcoded in programs, recorded in logs, etc.

Secure Data Storage (ABAP/DB)

Functionality for storing sensitive data such as passwords or credit card numbers that are

stored in encrypted form using crypto algorithms to be safe against data manipulations

Security Logging

Audits and logs are important for monitoring the security of your system and to track

events in case of problems.

SAP Virus Scan Interface

Virus scanning should be performed every time potentially polluted data is imported via

input channels into the SAP system.

Secure Store and Forward Mechanism (SSF)

SSF functions "wrap" data and digital documents in secure formats using digital

signatures and encryption before they are saved on data carriers or transmitted over

(potentially) insecure communication lines.


Secure ABAP – Secure User Interface

Secure user interface development is possible only when the following security

categories are fulfilled

Cross-Site Scripting (XSS)

XSS attacks are set out to manipulate HTML pages by injection of malicious script code or

by other indirect techniques, such as redirection to another server, logical attacks.

SQL Injection

SQL injection attacks arise from direct integration of user input into SQL statements

without appropriate validation or filtering.

Input Validation

Make sure that the input is in expected form to prevent unexpected data from altering the

intended execution of the program.

Canonicalization

Input variable’s content is transformed into its simplest and shortest representation for

successful filter mechanisms to avoid polymorph attacks.

7


Secure ABAP – Secure User Interface

Directory Traversal

URL is manipulated such that the web server reveals the content of a file anywhere on

the server, residing outside web server's root directory. These attacks take advantage of

special-character sequences in URL input parameters, cookies, etc.

Cookie Manipulation

The cookie contains information used by web applications to persist and pass variables

back and forth between the browser and the web application. The risk of tampering with

data and even information disclosure is very high.


Agenda

1. Security

Why?

Security @ SAP

2. Secure ABAP




Backdoors

Path Traversals



8


Common Vulnerabilities in ABAP Applications


Description

The unfiltered / invalidated user input provided as a markup to generate dynamic content

in an application for redirection of servers and logical attacks.

A Cross Site Scripting (XSS) vulnerability exists, if a web application displays user input

without filtering HTML tags appropriately.

Business Risks

Allows the attacker to steal the form input & user session (Identity theft)

Remotely access client file system through embedded ActiveX controls and also perform

key logging.

Best Practices

Validate or filter the user input for special command sequences and ensure that output

returned to the end user is properly encoded.

Escape undesired tags from the dynamically generated pages.


ABAP Vulnerabilities

Cross Site Scripting (XSS)

ABAP Code with XSS vulnerability

DATA: request TYPE REF TO IF_HTTP_REQUEST.

DATA: html TYPE STRING.

DATA: out TYPE REF TO if_bsp_writer.

out = me->get_previous_out( ).

html = request->get_form_field( 'user_input' ).

out->print_string( `<input type="text" name="data" value="` ).

out->print_string( html ).

out->print_string( `">` ).

9



Cross Site Scripting (XSS)

Safe ABAP Code

DATA: request TYPE REF TO IF_HTTP_REQUEST.

DATA: html TYPE STRING.

DATA: out TYPE REF TO if_bsp_writer.

out = me->get_previous_out( ).

html = request->get_form_field( 'user_input' ).

* Removal of HTML Tags

html = cl_http_utility=>escape_html ( html ).


Agenda

1. Security

Why?

Security @ SAP

2. Secure ABAP




Backdoors

Path Traversals



10



Backdoors

Description

The undocumented personal test hacks used by the developers for gaining unauthorized

access. After a compromise the attacker will use the easier access to get around the

compromised system for any security mechanisms.

Business Risks

Can potentially lead to a user gaining unauthorized access to privileged data within your

SAP database.

They allow malicious developers to secretly access extra-functionality by feeding certain

triggers to the program.

Very likely to violate regulatory compliance and Increase user privileges.

Best Practices

Avoid the usage of backdoors/hard coded usernames used for developer hacks inside any

productive version of an application.



Hardcoded User Names (Backdoor)

ABAP Code with Backdoor vulnerability

IF sy-uname = 'JOHNDOE'.

* perform restricted / special actions

ENDIF.

IF sy-uname = 'JOHNDOE'.

* Enable debugger

BREAK-POINT.

ENDIF.

Check SY-UNAME eq ‘JOHNDOE’.

* Code to perform Special Functions

11



Command Injection (Backdoor)

ABAP Code with Backdoor vulnerability

DATA: itab TYPE STANDARD TABLE OF string.

DATA: request TYPE REF TO if_http_request.

DATA: prog TYPE string. DATA: mymsg TYPE string.

DATA: mytext TYPE string. DATA: myline TYPE string.

mytext = request->get_form_field( 'mytext' ).

CONCATENATE `WRITE '` mytext `'.` INTO myline.

APPEND 'PROGRAM mypool.' TO itab.

APPEND `FORM myform.` TO itab.

APPEND myline TO itab.

APPEND `ENDFORM.` TO itab.

GENERATE SUBROUTINE POOL itab NAME prog

MESSAGE mymsg.

IF sy-subrc = 0.

PERFORM ('MYFORM') IN PROGRAM (prog) IF FOUND.

ENDIF.


Agenda

1. Security

Why?

Security @ SAP

2. Secure ABAP




Backdoors

Path Traversals



12



Path Traversals

Description

Path traversal attacks work by manipulating file name or path information by feeding

special characters into a string that represents a file locator.

When such a string is used to access a file, an application can be tricked into opening files

the user should have no access to.

Business Risks

Violation of regulatory compliance, as this vulnerability allows for unprivileged access to

critical business data.

Denial of service.

Information disclosure.

Best Practices

Use a white list filter for file extensions, use fixed path i.e., profile parameters and check

for typical authorization based on application context.

Also restrict the usage of the generic file access characters like .., \\, // during the dataset

operations.



Directory Traversals

ABAP Code with Path Traversal Vulnerability

FUNCTION DEL_DBA_FILE_SDB.

*”----------------------------------------------------

*” IMPORTING

*” VALUE(dset) TYPE SADA_NAM.

*” EXCEPTIONS

*” DEL_DATASET_ERROR

*”----------------------------------------------------

IF dset CP ‘*.exe’ or dset CP ‘*.err’.

* perform deletion of dataset

DELETE DATASET dset.

IF SY-SUBRC <> 0.

RAISE DEL_DATASET_ERROR.

ENDIF>

ENDFUNCTION.

13



Directory Traversals

Safe ABAP Code

FUNCTION DEL_DBA_FILE_SDB.

*”----------------------------------------------------

*” IMPORTING

*” VALUE(dset) TYPE SADA_NAM.

*”----------------------------------------------------

* Provide white list filter for File Extensions

* User input should be validated for escape characters like .., //

REPLACE ALL OCCURRENCES OF '..' IN dset WITH ''.

* Perform Authority check

AUTHORITY-CHECK OBJECT 'S_DATASET'

ID 'PROGRAM' FIELD SY-REPID

ID 'ACTVT' FIELD ’33'

ID 'FILENAME' FIELD ’DSET'.

IF SY-SUBRC EQ 0.

DELETE DATASET dset.

ENDIF.


Agenda

1. Security

Why?

Security @ SAP

2. Secure ABAP




Backdoors

Path Traversals



14




Description

ABAP commands which are used to generate dynamic source code are classified as

dangerous and thus forbidden for developers.

Business Risks

Read and write access to all data in the database.

Violation of regulatory compliance as execution of arbitrary business logic is possible.

Best Practices

Implement the right authorization checks for the above ABAP commands.

Use proper input validations / filters and right options such that the dynamic code is

restricted for minimal usage by developers.




ABAP Code with Dangerous / Forbidden ABAP commands

REPORT ZTECH_1.

DATA: CODE(72) OCCURS 10.

* Appending source code

APPEND 'REPORT ZDYN_1.' TO CODE.

APPEND 'WRITE / ''Hello, I am dynamically created!''. ' TO CODE.

APPEND 'DELETE * FROM ZTAB‘ TO CODE.

* Dynamic Report program creation

INSERT REPORT 'ZDYN_1' FROM CODE.

* Execution of Dynamically created report program

SUBMIT ZDYN_1 AND RETURN.

15




Safe ABAP Code

REPORT ZTECH_1.

DATA: CODE(72) OCCURS 10.

APPEND 'DELETE * FROM ZTAB‘ TO CODE.

* Check for ABAP Statements inside internal table

REPLACE ALL OCCURRENCES OF REGEX '\b(DELETE)\b'

IN TABLE itab WITH ‘*DELETE‘ IGNORING CASE.

* Authority check for S_DEVELOP

AUTHORITY-CHECK OBJECT 'S_DEVELOP'

ID 'OBJTYPE' FIELD 'PROG'

ID 'OBJNAME' FIELD 'ZDYN_1' ID 'ACTVT' FIELD ‘01‘.

IF SY-SUBRC EQ 0.

INSERT REPORT 'ZDYN_1' FROM CODE.

SUBMIT ZDYN_1 AND RETURN.

ENDIF.




ABAP Code with Dangerous / Forbidden ABAP commands

REPORT ZTECH_ABA_1.

DATA: SCODE(72) OCCURS 10.

* Modification of Existing report during runtime

EDITOR-CALL FOR REPORT ZTECH_1.

16




Safe ABAP Code

REPORT ZTECH_ABA_1.

DATA: SCODE(72) OCCURS 10.

* Authority Check for Editing an existing report

AUTHORITY-CHECK OBJECT 'S_DEVELOP'

ID 'OBJTYPE' FIELD 'PROG'

ID 'OBJNAME' FIELD ‘ZTECH_ABA_1'

ID 'ACTVT' FIELD ‘03‘.

IF SY-SUBRC EQ 0.

* Editor call (only Display mode) of Existing report during runtime

EDITOR-CALL FOR REPORT ZTECH_1 DISPLAY MODE.

ENDIF.


Agenda

1. Security

Why?

Security @ SAP

2. Secure ABAP




Backdoors

Path Traversals



17


Developer Responsibilities

A MUST for Secure Development:

Security should not be an afterthought

Security is not optional

Security is not a trade-off for Functionality/Performance

Deploy only tested code

Protect your credentials

Don’t Blindly Assume Others Will Do it for You!

Application security is part of everybody's responsibility!


Get Ready for Secure ABAP Programming!

Understand Security

Software Lifecycle Security

SAP Security Solution Map

Attention while Developing!

Follow the Security Plan

Adhere to Secure ABAP Programming Guideline

Avoid Vulnerabilities listed in Security Advisories

Evaluate the Application

Security Test Tools ( ATC, Code Inspector )

Checklist for Secure Programming

18


Security Test Tools

ATC (ABAP Test Cockpit)

Menu Path: Program ->

Check -> ABAP Test

Cockpit

Code Inspector

Transaction Code: SCI

Menu Path: Program ->

Check -> Code Inspector


Secure Programming Checklist

This Checklist lists the most important issues that you should pay attention to

in order to develop secure applications.

General

No Backdoors

Safe state in case of errors

Password Security

No plain text & hardcoded password

Front-End Security/User Interface

Input Validation

No HTTP GET

No SQL Injection, XSS, Path Traversal

Access Security

No revealing of data in error messages and URLs

Hidden HTML Fields for Secrecy

ABAP Programmers only

Call Transaction with Authority Check, S_DEVELOP for ABAP command execution

19


Further Information

SAP Public Web:

General Info about Security SDN: https://www.sdn.sap.com/irj/sdn/security

SAP Security Forum: https://www.sdn.sap.com/irj/sdn/forumID=208

SAP Security Guides: https://www.service.sap.com/securityguide

SAP Security Notes: http://service.sap.com/securitynotes

Related SAP Education and Certification Opportunities

http://www.sap.com/education/

Related Workshops/Lectures at SAP TechEd 2010

SCI100, SAP Security Overview Presentation, Lecture

SCI260, The Journey from Security Optimization Service to Security

Configuration Validation, Hands-on

SCI200, Best Practices for Implementing SAP NetWeaver Identity Management,

Lecture

ContactFeedback

Please complete your session evaluation.

Be courteous — deposit your trash,

and do not take the handouts for the following session.

https://www.sdn.sap.com/irj/sdn/security

https://www.sdn.sap.com/irj/sdn/forumID=208

https://www.service.sap.com/securityguide

mailto:[email protected]

https://www.service.sap.com/securityguide

http://www.sap.com/education/

20


No part of this publication may be reproduced or transmitted in any form or for any purpose without the express permission of SAP AG. The information contained herein may be changed without prior notice.

Some software products marketed by SAP AG and its distributors contain proprietary software components of other software vendors.

Microsoft, Windows, Excel, Outlook, and PowerPoint are registered trademarks of Microsoft Corporation.

IBM, DB2, DB2 Universal Database, System i, System i5, System p, System p5, System x, System z, System z10, System z9, z10, z9, iSeries, pSeries, xSeries, zSeries, eServer, z/VM, z/OS, i5/OS, S/390, OS/390, OS/400, AS/400, S/390 Parallel Enterprise Server, PowerVM, Power Architecture, POWER6+, POWER6, POWER5+, POWER5, POWER, OpenPower, PowerPC, BatchPipes, BladeCenter, System Storage, GPFS, HACMP, RETAIN, DB2 Connect, RACF, Redbooks, OS/2, Parallel Sysplex, MVS/ESA, AIX, Intelligent Miner, WebSphere, Netfinity, Tivoli and Informix are trademarks or registered trademarks of IBM Corporation.

Linux is the registered trademark of Linus Torvalds in the U.S. and other countries.

Adobe, the Adobe logo, Acrobat, PostScript, and Reader are either trademarks or registered trademarks of Adobe Systems Incorporated in the United States and/or other countries.

Oracle is a registered trademark of Oracle Corporation.

UNIX, X/Open, OSF/1, and Motif are registered trademarks of the Open Group.

Citrix, ICA, Program Neighborhood, MetaFrame, WinFrame, VideoFrame, and MultiWin are trademarks or registered trademarks of Citrix Systems, Inc.

HTML, XML, XHTML and W3C are trademarks or registered trademarks of W3C®, World Wide Web Consortium, Massachusetts Institute of Technology.

Java is a registered trademark of Sun Microsystems, Inc.

JavaScript is a registered trademark of Sun Microsystems, Inc., used under license for technology invented and implemented by Netscape.

SAP, R/3, SAP NetWeaver, Duet, PartnerEdge, ByDesign, SAP BusinessObjects Explorer and other SAP products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of SAP AG in Germany and other countries.

Business Objects and the Business Objects logo, BusinessObjects, Crystal Reports, Crystal Decisions, Web Intelligence, Xcelsius, and other Business Objects products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of Business Objects Software Ltd. in the United States and in other countries.

All other product and service names mentioned are the trademarks of their respective companies. Data contained in this document serves informational purposes only. National product specifications may vary.

The information in this document is proprietary to SAP. No part of this document may be reproduced, copied, or transmitted in any form or for any purpose without the express prior written permission of SAP AG.

This document is a preliminary version and not subject to your license agreement or any other agreement with SAP. This document contains only intended strategies, developments, and functionalities of the SAP® product and is not intended to be binding upon SAP to any particular course of business, product strategy, and/or development. Please note that this document is subject to change and may be changed by SAP at any time without notice.

SAP assumes no responsibility for errors or omissions in this document. SAP does not warrant the accuracy or completeness of the information, text, graphics, links, or other items contained within this material. This document is provided without a warranty of any kind, either express or implied, including but not limited to the implied warranties of merchantability, fitness for a particular purpose, or non-infringement.

SAP shall have no liability for damages of any kind including without limitation direct, special, indirect, or consequential damages that may result from the use of these materials. This limitation shall not apply in cases of intent or gross negligence.

The statutory liability for personal injury and defective products is not affected. SAP has no control over the information that you may access through the use of hot links contained in these materials and does not endorse your use of third-party Web pages nor provide any warranty whatsoever relating to third-party Web pages.

© 2010 SAP AG. All Rights Reserved

sci202-secure abap programming

Documents