Monday, 11 June 2012
Software Security and ABAP ?
« Q2 Update from HP Software Security Research | Main | PCI DSS 2.0 Support Handles Change from Best Practices to Requirement »I have recently been spending some time researching and expanding our existing support for ABAP.
What is immediately evident is that even today most of the time and money spent in securing SAP systems revolves around authorization checks, single sign-on, SSL, segregation of duties and other security features. As important as these components are, it only tells half the story. Very little is being said and done about securing these systems at the application level.
Initially, this was not as big a concern, as most of the SAP systems were internal to the enterprise. But with other software systems, as they established an online presence, ABAP applications were found to be vulnerable to the same attacks that have plagued Java and other web applications for years.
In this blog post, we will look at how some ABAP vulnerabilities parallel common Java vulnerabilities.
Cross-Site Scripting
A simple example of a cross-site scripting attack in Java would look like:
<%String eid=request.getParameter("eid");%>
...
Employee ID : <%eid%>
An equivalent cross-site scripting attack in ABAP would be for the form:
eid = request->get_form_field('eid').
...
response->append_cdata('Employee ID:').
response->append_cdata('eid').
In both these cases unvalidated input, from the web or web related sources, that could contain malicious code is reflected back to the user and will be executed by the web browser as it displays the HTTP content.
The following two vulnerabilities similarly occur when tainted data from the web or web related sources finds its way to vulnerable ABAP APIs.
Command Injection
Just as java.lang.Runtime.getRuntime().exec(cmd) is vulnerable to tainted data resulting in command injection vulnerability so is the following ABAP command.
CALL 'SYSTEM' ID 'COMMAND' FIELD cmd.
The above is a system call to the ABAP kernel to execute an operating system command. Attack vectors containing tainted data that can find dataflow path to the cmd parameter can now compromise the SAP system.Path Manipulation
An equivalent to Java's file system calls, such as java.io.File(), that are vulnerable to Path Manipulation attacks, in ABAP is:
OPEN DATASET <dsn> FOR OUTPUT.
Unvalidated input that makes it way to the <dsn> parameter allows an attacker access to modify or delete system files.
These simple examples show that SAP systems are not inherently any more secure then other web applications. And as SAP systems hosting business critical applications move online, SAP applications should be held to the same software security reviews and standards as other web applications.
