
Unbreakable ABAP by Markus Schumacher - Troopers PDF

41 Pages·2010·0.58 MB·English

Preview Unbreakable ABAP by Markus Schumacher - Troopers

Slide 1: Unbreakable ABAP? Vulnerabilities in custom ABAP code
Markus Schumacher, Co-Founder, Virtual Forge GmbH
10 to 12 March 2010, Print Media Academy, Heidelberg

Slide 2: Virtual Forge GmbH - http://virtualforge.de
- "GmbH" since 1 January 2006, headquarters in Heidelberg
- Many years of consulting experience
- Application security, with a focus on SAP from day one
- Code Profiler, http://www.codeprofilers.com
- SAP audits and code reviews
- Book: "Sichere ABAP-Programmierung", http://sap-press.de/2037
- Training
(Footer on every slide: Unbreakable ABAP - Markus Schumacher - Virtual Forge GmbH)

Slide 3: Agenda
- ABAP development: risks in web applications (example)
- ABAP/BSP vs. OWASP Top 10
- Examples of vulnerabilities in custom coding
  - Business Server Pages: inline ABAP in HTML, HTMLB tag library
  - Open SQL: dynamic Open SQL, SQL injection
- Conclusion

Slide 4: ABAP in a Nutshell
- Has existed for about 30 years
- COBOL-like syntax
- A "grown" language: several programming paradigms at the same time, very context-sensitive, no reserved keywords
- Database-independent SQL dialect built in
- Code is stored in the database
- Development environment is itself written in ABAP
  - Code stored on the server
  - Access via transaction SE80
  - Transport management

Slide 5: ABAP and Open Source (but not free!)
- Source code is completely available in an SAP installation: "SAP standard" code plus custom coding
- Customers can change code
  - Copy, rename and modify code
  - Change SAP standard code ("modification")
- ABAP allows several development frameworks
  - Customers write their own code to adapt the standard to their needs ("customizing")
  - Custom development for non-standard business processes
  - Third-party add-ons

Slide 6: Frontend Technologies
- Dynpro
  - Written in ABAP
  - Requires a proprietary UI (SAP GUI)
  - Similar to the X11 paradigm
- Internet Transaction Server (ITS)
  - SAP's first web technology
  - Development has almost stopped, but it is widely used

Slide 7: Frontend Technologies
- Business Server Pages (BSP)
  - HTML with embedded ABAP (similar to JSP)
  - Several programming paradigms, including MVC
  - Widely used; customers still build new applications
- Web Dynpro (ABAP | Java)
  - UI-independent framework, "point & click" programming for UI design
  - Developers can't embed their own HTML/JavaScript
  - Developers can't cause a vulnerability, but they also can't avoid them

Slide 8: Frontend Technologies
- Web GUI
  - HTML version of regular Dynpros (SAP GUI)
  - Earlier version ran on top of the Internet Transaction Server
  - Today a plugin of the SAP Web Application Server
- ... external systems (via JCo or RFC), Adobe Flash, Microsoft Silverlight, PHP, Python, etc.

Slide 9: Further Technologies
- File access
- Database access (Open SQL, Native SQL)
- Remote access: HTTP, FTP, email, ...
- Messaging (PI/XI)
- Web Services (SOAP)
- RFC (Remote Function Call)
- Whatever you need, SAP has it, but be aware of the little differences

Slide 10: SAP Web Technology
SAP NetWeaver Web Application Server (Web AS):
- Supports Single Sign-On (SSO)
  - SSO ticket stored in a cookie (MYSAPSSO2)
  - By default issued for path / and domain.tld
  - By default neither httpOnly nor secure
- Development of your own HTTP handler is possible
  - BSP, Web Dynpro and WebGUI are HTTP handlers
- Configuration via profile parameters (report RZ11) and transaction SICF
- Blacklist implementation filters <script, %00 and other patterns
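Slide 10 states that the SSO ticket cookie is, by default, scoped to path / and the whole domain and carries neither the httpOnly nor the secure flag. The following Python script is an added example, not part of the slide deck, that audits Set-Cookie header lines for exactly those four weaknesses. The header lines, the domain name and the hardened variant are constructed for illustration; the attribute names (HttpOnly, Secure, Path, Domain) are standard cookie attributes.

```python
"""Audit Set-Cookie headers for the SAP SSO ticket cookie (MYSAPSSO2).

Added example: the header lines below are constructed, not captured from a
real system. The checks mirror the defaults listed on the slide: path=/,
a site-wide domain, and the absence of the HttpOnly and Secure flags.
"""

# Constructed sample Set-Cookie values (the part after "Set-Cookie: ").
SAMPLE_HEADERS = [
    # As the slide describes the default: site-wide, no flags.
    "MYSAPSSO2=AjQxMDAwMDAxMDAwMDAwMDA=; path=/; domain=example.tld",
    # A hardened variant for comparison (hypothetical path and host).
    "MYSAPSSO2=AjQxMDAwMDAxMDAwMDAwMDA=; path=/sap/bc/bsp; "
    "domain=portal.example.tld; HttpOnly; Secure",
    # An unrelated cookie that the audit must leave alone.
    "sap-usercontext=sap-client=100; path=/; HttpOnly",
]


def parse_set_cookie(header):
    """Split a Set-Cookie value into (name, value, attributes).

    Attribute names are lower-cased; flag attributes without a value
    (HttpOnly, Secure) map to True.
    """
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip() if val else True
    return name.strip(), value, attrs


def audit_sso_cookie(header, sso_name="MYSAPSSO2"):
    """Return a list of findings for the SSO cookie, or None if the
    header sets some other cookie.
    """
    name, _value, attrs = parse_set_cookie(header)
    if name != sso_name:
        return None
    findings = []
    if attrs.get("httponly") is not True:
        findings.append("missing HttpOnly: script-readable ticket")
    if attrs.get("secure") is not True:
        findings.append("missing Secure: ticket also sent over plain HTTP")
    if attrs.get("path", "/") == "/":
        findings.append("path=/: ticket sent to every handler on the host")
    domain = attrs.get("domain")
    # Heuristic: a domain with at most one dot (example.tld) is the whole
    # site, so every subdomain receives the ticket. This does not handle
    # multi-part public suffixes such as co.uk.
    if domain and domain.lstrip(".").count(".") <= 1:
        findings.append(f"domain={domain}: ticket shared with all subdomains")
    return findings


def audit_all(headers):
    """Map each SSO Set-Cookie header to its findings, skipping other cookies."""
    results = {}
    for header in headers:
        findings = audit_sso_cookie(header)
        if findings is not None:
            results[header] = findings
    return results


if __name__ == "__main__":
    for header, findings in audit_all(SAMPLE_HEADERS).items():
        print(header)
        for finding in findings or ["no findings"]:
            print("  -", finding)
```

Run it against the Set-Cookie lines captured from a logon response (for example with a browser's developer tools) and every non-empty finding list points at a setting to review in the Web AS profile parameters the slide mentions.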
