Post on 17-Oct-2015


  • Secure ABAP Programming

    Peter McNulty, SAP NetWeaver Solution Management

    May 2011

  • 2011 SAP AG. All rights reserved. / Page 2

    Disclaimer

    This presentation outlines our general product direction and should not be relied on in making a purchase decision. This presentation is not subject to your license agreement or any other agreement with SAP. SAP has no obligation to pursue any course of business outlined in this presentation or to develop or release any functionality mentioned in this presentation. This presentation and SAP's strategy and possible future developments are subject to change and may be changed by SAP at any time for any reason without notice. This document is provided without a warranty of any kind, either express or implied, including but not limited to, the implied warranties of merchantability, fitness for a particular purpose, or non-infringement. SAP assumes no responsibility for errors or omissions in this document, except if such damages were caused by SAP intentionally or grossly negligent.

  • 2011 SAP AG. All rights reserved. / Page 3

    Learning Objectives

    As a result of this workshop, you will be able to:

    Learn common security vulnerabilities in ABAP applications
    Understand secure ABAP programming methodologies
    Realize the responsibilities of a developer

  • 2011 SAP AG. All rights reserved. / Page 4

    Agenda

    1. Security: Why? / Security @ SAP

    2. Secure ABAP: Secure Programming & Secure User Interface

    3. Common Vulnerabilities in ABAP Applications: Cross Site Scripting, Backdoors, Path Traversals, Dangerous ABAP Commands

    4. Developer Responsibilities

  • 2011 SAP AG. All rights reserved. / Page 5

    Security: Why?

    Why is security needed in every software application?

    Appropriate security is that which protects the organization from undue operational risks in a cost-effective manner

    Cyber attacks are becoming more stealthy and sophisticated, creating a complex and dynamic risk environment for IT-based operations

    To address these concerns significant efforts are taken to reduce vulnerabilities, improve resistance to attack, protect integrity, business compliance, intellectual properties and trust relations with partners

    Open standards & networks create new business opportunities, but also new dangers

  • 2011 SAP AG. All rights reserved. / Page 6

    Security: Law of Weakest Link

    Law of Weakest Link

    To SECURE an application, all of its components, functions, infrastructure and the related threats must be understood & implemented!

    To BREAK an application, only one flaw in any of its components, functions or the infrastructure may be enough!


  • 2011 SAP AG. All rights reserved. / Page 8

    At the heart of the PIL Product Security Standard: Security Requirements

    The PIL Security Standard defines a common set of security requirements for all SAP products, belonging to 3 areas:

    Vulnerability Prevention

    TCO/TCD Reduction

    Legal Compliance

    5 of these requirements are corporate requirements. They are all typical, well-known vulnerabilities related to secure programming. Deviations or non-compliance MUST be explicitly approved by the CEO.

    SEC-102 SQL INJECTION vulnerabilities shall be avoided.
    SEC-111 BUFFER OVERFLOW vulnerabilities shall be prevented.
    SEC-133 CROSS-SITE SCRIPTING vulnerabilities shall be prevented.
    SEC-136 DIRECTORY TRAVERSAL vulnerabilities shall be prevented.
    SEC-139 SAP applications shall be free of BACKDOORS.

  • 2011 SAP AG. All rights reserved. / Page 9

    SAP Security Standard vs. Industry Standards

    Requirements of the PIL Product Standard Security are strongly aligned with the requirements and problems identified by the IT security community, e.g.,

    Common Weaknesses Enumeration (CWE)

    CWE provides a unified, measurable set of software weaknesses that is enabling more effective discussion, description, selection, and use of software security tools and services that can find these weaknesses in source code and operational systems

    Open Web Application Security Project (OWASP Top10)

    The Open Web Application Security Project (OWASP) is a not-for-profit worldwide charitable organization focused on improving the security of application software. Our mission is to make application security visible, so that people and organizations can make informed decisions about true application security risks.

    The OWASP Top 10 is a risk focused list of the Top 10 Most Critical Web Application Security Risks.

    Common Vulnerabilities and Exposures (CVE)

    CVE is a dictionary of publicly known information security vulnerabilities and exposures, i.e., vulnerabilities in shipped software products

  • 2011 SAP AG. All rights reserved. / Page 10

    SAP Security Standard vs. Industry Standards

    Common Weakness Enumeration 2010 (Top 25; source http://cwe.mitre.org/top25/)

    Rank  Score  ID       Name
    [1]   346    CWE-79   Failure to Preserve Web Page Structure ('Cross-site Scripting')
    [2]   330    CWE-89   Improper Sanitization of Special Elements used in an SQL Command ('SQL Injection')
    [3]   273    CWE-120  Buffer Copy without Checking Size of Input ('Classic Buffer Overflow')
    [4]   261    CWE-352  Cross-Site Request Forgery (CSRF)
    [5]   219    CWE-285  Improper Access Control (Authorization)
    [6]   202    CWE-807  Reliance on Untrusted Inputs in a Security Decision
    [7]   197    CWE-22   Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
    [8]   194    CWE-434  Unrestricted Upload of File with Dangerous Type
    [9]   188    CWE-78   Improper Sanitization of Special Elements used in an OS Command ('OS Command Injection')
    [10]  188    CWE-311  Missing Encryption of Sensitive Data
    [11]  176    CWE-798  Use of Hard-coded Credentials
    [12]  158    CWE-805  Buffer Access with Incorrect Length Value
    [13]  157    CWE-98   Improper Control of Filename for Include/Require Statement in PHP Program ('PHP File Inclusion')
    [14]  156    CWE-129  Improper Validation of Array Index
    [15]  155    CWE-754  Improper Check for Unusual or Exceptional Conditions
    [16]  154    CWE-209  Information Exposure Through an Error Message
    [17]  154    CWE-190  Integer Overflow or Wraparound
    [18]  153    CWE-131  Incorrect Calculation of Buffer Size
    [19]  147    CWE-306  Missing Authentication for Critical Function
    [20]  146    CWE-494  Download of Code Without Integrity Check
    [21]  145    CWE-732  Incorrect Permission Assignment for Critical Resource
    [22]  145    CWE-770  Allocation of Resources Without Limits or Throttling
    [23]  142    CWE-601  URL Redirection to Untrusted Site ('Open Redirect')
    [24]  141    CWE-327  Use of a Broken or Risky Cryptographic Algorithm
    [25]  138    CWE-362  Race Condition

  • 2011 SAP AG. All rights reserved. / Page 11

    SAP Security Standard vs. Industry Standards

    Common Weakness Enumeration 2010 (Top 25; source http://cwe.mitre.org/top25/), mapped to the SAP PIL security requirements covering each weakness (a dash means no dedicated requirement is listed)

    Rank  Score  SAP requirement   Name
    [1]   346    SEC-133           Failure to Preserve Web Page Structure ('Cross-site Scripting')
    [2]   330    SEC-102           Improper Sanitization of Special Elements used in an SQL Command ('SQL Injection')
    [3]   273    SEC-111           Buffer Copy without Checking Size of Input ('Classic Buffer Overflow')
    [4]   261    SEC-207           Cross-Site Request Forgery (CSRF)
    [5]   219    SEC-39, SEC-40    Improper Access Control (Authorization)
    [6]   202    e.g. SEC-70       Reliance on Untrusted Inputs in a Security Decision
    [7]   197    SEC-136           Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
    [8]   194    SEC-27            Unrestricted Upload of File with Dangerous Type
    [9]   188    SEC-108           Improper Sanitization of Special Elements used in an OS Command ('OS Command Injection')
    [10]  188    SEC-97            Missing Encryption of Sensitive Data
    [11]  176    SEC-76            Use of Hard-coded Credentials
    [12]  158    SEC-111           Buffer Access with Incorrect Length Value
    [13]  157    -                 Improper Control of Filename for Include/Require Statement in PHP Program ('PHP File Inclusion')
    [14]  156    SEC-111           Improper Validation of Array Index
    [15]  155    -                 Improper Check for Unusual or Exceptional Conditions
    [16]  154    SEC-69, SEC-123   Information Exposure Through an Error Message
    [17]  154    SEC-112           Integer Overflow or Wraparound
    [18]  153    SEC-111           Incorrect Calculation of Buffer Size
    [19]  147    SEC-39            Missing Authentication for Critical Function
    [20]  146    e.g. SEC-155      Download of Code Without Integrity Check
    [21]  145    SEC-47            Incorrect Permission Assignment for Critical Resource
    [22]  145    -                 Allocation of Resources Without Limits or Throttling
    [23]  142    SEC-199           URL Redirection to Untrusted Site ('Open Redirect')
    [24]  141    SEC-143           Use of a Broken or Risky Cryptographic Algorithm
    [25]  138    -                 Race Condition

  • 2011 SAP AG. All rights reserved. / Page 12

    Information disclosure: Error messages

    Displaying too much information in error messages is security critical
    Attacker provokes such errors to gather internal information about program structure
    Displaying the erroneous SQL statement allows tailored attacks

    Some real life examples:

    Recommendation
    Create an individual error message for your web application (via transaction SICF)
    Remove all debug information
    Allow the adoption of error messages


  • 2011 SAP AG. All rights reserved. / Page 14

    Secure ABAP: Secure Programming

    The following security categories are mandatory for secure program development.

    Password Security
    Passwords as an authentication credential should be protected and never be visible, e.g. by display in plain text, hardcoded in programs, recorded in logs, etc.

    Secure Data Storage (ABAP/DB)
    Functionality for storing sensitive data such as passwords or credit card numbers in encrypted form, using crypto algorithms, to be safe against data manipulation

    Security Logging
    Audits and logs are important for monitoring the security of your system and for tracking events in case of problems.

    SAP Virus Scan Interface
    Virus scanning should be performed every time potentially polluted data is imported via input channels into the SAP system.

    Secure Store and Forward Mechanism (SSF)
    SSF functions "wrap" data and digital documents in secure formats using digital signatures and encryption before they are saved on data carriers or transmitted over (potentially) insecure communication lines.

  • 2011 SAP AG. All rights reserved. / Page 15

    Secure ABAP: Secure User Interface

    Secure user interface development is possible only when the following security categories are fulfilled

    Cross-Site Scripting (XSS)
    XSS attacks set out to manipulate HTML pages by injection of malicious script code or by other indirect techniques, such as redirection to another server or logical attacks.

    SQL Injection
    SQL injection attacks arise from direct integration of user input into SQL statements without appropriate validation or filtering.

    Input Validation
    Make sure that the input is in the expected form, to prevent unexpected data from altering the intended execution of the program.

    Canonicalization
    Input variable content is transformed into its simplest and shortest representation before filtering, so that filter mechanisms succeed and polymorphic attacks (the same input in alternative encodings) are avoided.

  • 2011 SAP AG. All rights reserved. / Page 16

    Secure ABAP: Secure User Interface

    Directory Traversal
    The URL is manipulated such that the web server reveals the content of a file anywhere on the server, residing outside the web server's root directory. These attacks take advantage of special-character sequences in URL input parameters, cookies, etc.

    Cookie Manipulation
    The cookie contains information used by web applications to persist and pass variables back and forth between the browser and the web application. The risk of tampering with data and even information disclosure is very high.


  • 2011 SAP AG. All rights reserved. / Page 18

    SEC-133 Cross-Site Scripting: Introduction

    Context
    Web applications accept user input, which is used to create dynamic content in HTML pages

    Weakness(es)
    Insufficient input validation
    Missing output filtering or encoding when writing user input back to HTML pages

    Attack / entry point
    An attacker supplies malicious data to inject client-side JavaScript into web pages viewed by other users and, as such, attacks other clients

    Potential results
    Stealing access credentials, DoS, web page modifications, executing commands on the attacked user's system

    2 Types of XSS
    Non-persistent / reflected (the most common type): The server receives input data and uses it to build a result HTML page for the same user, without properly sanitizing the input
    Persistent: Input data from a given user is persisted by the server, and is included later on in HTML pages returned to other users, again without proper data sanitization

  • 2011 SAP AG. All rights reserved. / Page 19

    SEC-133 Cross-Site Scripting: Example (stored XSS)

    Diagram: Attacker, Web Server and Client. The attacker posts a forum message (Subject: GET Money for FREE !!!, Body: attack code) among ordinary threads such as "Error message on startup", "Can anybody help?" and "I found a solution!"

    1. Attacker sends malicious code as part of message
    2. Server stores message
    3. User requests message (GET /forum.jsp?fid=122&mid=2241)
    4. Message is delivered by server
    5. Browser executes script in message (= mixture of data and code)

    The following is an example of all kinds of applications that accept, store and echo user input, a feature that is part of thousands of web pages (think of SDN, news pages, bookstores, etc.)

  • 2011 SAP AG. All rights reserved. / Page 20

    SEC-133 Cross-Site Scripting: Susceptibility of different ABAP technologies

    ABAP code can also be vulnerable to Cross-Site Scripting:
    Plain HTML pages produced from ABAP and BSP (Business Server Pages)
    Pages with HTMLB taglib
    Pages produced with ITS BusinessHTML

    BSP example (the page reads the form field and writes it back into the HTML unencoded):

    <% input = request->get_form_field( 'name' ). %>
    Hello <%= input %>

    http://.../bsp/asdf/sample?name=Test renders: Hello Test

    http://.../bsp/asdf/sample?name= with script markup as the value renders: Hello, and the browser executes the injected script

  • 2011 SAP AG. All rights reserved. / Page 21

    SEC-133 Cross-Site Scripting: Overview of ABAP output encoding technologies

    Basic technology: SAP Output Encoding Framework for ABAP
    To be used for non-BSP extensions and whenever plain ABAP produces HTML
    Dedicated encoding methods must be called in the ABAP program code
    Internally also used by the following web frontend frameworks

    Web frontend frameworks

    Web Dynpro ABAP
    Does not require developers to develop HTML themselves; the framework generates the output HTML code
    Automatic output encoding; no manual actions are required in the program code

    BSP extensions (HTMLB, XHTMLB and PHTMLB)
    Dedicated encoding parameter must be enforced/used explicitly in the HTML page

    ITS BusinessHTML (BHTML)
    Various encoding methods must be used in the HTML page

  • 2011 SAP AG. All rights reserved. / Page 22

    SEC-133 Cross-Site Scripting: Recommendation for non-BSP extensions

    Previous example fixed by using CL_HTTP_UTILITY for output between HTML tags

    <% input = request->get_form_field( 'name' ).
       CALL METHOD CL_HTTP_UTILITY=>ESCAPE_HTML
         EXPORTING unescaped = input
         RECEIVING escaped   = input_enc. %>
    Hello <%= input_enc %>

    http://.../bsp/asdf/sample?name=Test renders: Hello Test

    http://.../bsp/asdf/sample?name= with script markup as the value renders: Hello, with the encoded value shown as text rather than executed
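As an added example (this is not code from the SAP deck), the same fix carried over to plain ABAP that assembles HTML itself, the case for which the overview slide says dedicated encoding methods must be called in the program code: cl_http_utility=>escape_html, named on the slide, handles text between tags, while the built-in escape( ) with cl_abap_format constants (assumed available, ABAP 7.02 or later) handles the attribute and JavaScript contexts, which need their own escaping rules; the class name, input value and cl_demo_output call are constructed for the demonstration.

```abap
*&---------------------------------------------------------------------*
*& Added example (not from the SAP deck): context-aware output encoding
*& for plain ABAP that assembles HTML itself (the "non-BSP" case).
*& Assumed: the built-in escape( ) with cl_abap_format constants
*& (ABAP 7.02 or later); lcl_greeting and the input are constructed.
*&---------------------------------------------------------------------*
CLASS lcl_greeting DEFINITION.
  PUBLIC SECTION.
    " Builds an HTML fragment that places the untrusted NAME in three
    " contexts: element text, attribute value and a JavaScript literal.
    METHODS render
      IMPORTING iv_name        TYPE string
      RETURNING VALUE(rv_html) TYPE string.
ENDCLASS.

CLASS lcl_greeting IMPLEMENTATION.
  METHOD render.
    DATA: lv_text TYPE string,
          lv_attr TYPE string,
          lv_js   TYPE string.

    " 1. Text between tags: the method the deck recommends
    lv_text = cl_http_utility=>escape_html( unescaped = iv_name ).

    " 2. Attribute value: quotes must be encoded as well, otherwise the
    "    value could close the attribute and add further attributes
    lv_attr = escape( val    = iv_name
                      format = cl_abap_format=>e_html_attr ).

    " 3. JavaScript string inside a script block: string delimiters and
    "    the closing </script> sequence must be neutralised
    lv_js = escape( val    = iv_name
                    format = cl_abap_format=>e_html_js ).

    rv_html = |<p title="{ lv_attr }">Hello { lv_text }</p>|
           && |<script>var user = '{ lv_js }';</script>|.
  ENDMETHOD.
ENDCLASS.

START-OF-SELECTION.
  DATA lo_page  TYPE REF TO lcl_greeting.
  DATA lv_input TYPE string.

  " Constructed input containing a quote, an attribute and a tag, so each
  " encoding step has something to neutralise
  lv_input = `Test" title="x" <b>bold</b>`.

  CREATE OBJECT lo_page.
  cl_demo_output=>display( lo_page->render( lv_input ) ).
```

Placing the same value in a third context, such as a URL parameter, would need cl_abap_format=>e_url rather than either of the encodings above.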