Professional Documents
Culture Documents
SEC261 Exercises
SEC261 Exercises
SEC261 Exercises
Exercises / Solutions
Jrgen Adolf, Shinto K Anto, Georg Becker, Poornima C,
Holger Janz, Vaibhav Raina / SAP SE
SEC261 - SECURE ABAP DEVELOPMENT: ONE BUG IS ENOUGH TO PUT YOUR
APPLICATION AT RISK
TABLE OF CONTENTS
2.3 Exercise 1.3 Inspect the coding and find the security bug ..............................................................10
2.5 Exercise 1.5 Fix the program by using the external commands .....................................................20
3.2 Exercise 2.2 Fix the check function modules by using the logical file names .................................32
4.1 Exercise 3.1 Get acquainted with the BSP application ...................................................................38
2
SEC261 - SECURE ABAP DEVELOPMENT: ONE BUG IS ENOUGH TO PUT YOUR
APPLICATION AT RISK
Due to time constraints during the hands-on session, it is recommended that you take a look
at all the different exercises and then decide which ones you want to work through first.
This is a session on intermediate level. We expect that you know the basic handling of the
tools of the ABAP Development Workbench like the ABAP Editor (transaction SE38),
the Data Browser (transaction SE16), the ABAP Dictionary (transaction SE11) and the
Object Navigator (SE80).
In the exercises you will learn about some typical security breaches in ABAP programs and
BSP applications, and how to avoid or fix them.
System access
You can find our system TDI in the SAP Logon system overview. We use a system based on
SAP NetWeaver 7.50 SP 03. Please log into client 001 with your user name SEC261 and
language EN. The password is welcome.
Tool usage
In this document we use the classic SAP GUI-based development tools (transactions SE38,
SE80, SE16 and the like). If you are familiar with the Eclipse-based ABAP Development
Tools (ADT) and prefer to use them, feel free to do so:
Click Start -> All Programs -> SAP -> SAP NetWeaver -> ABAP Development Tools
Choose our workspace ABAP in Eclipse - SEC261
Open the project TDI_001_sec261_en. In your Favorite Packages you find the
exercises in subpackages of package TEST_SEC261.
3
SEC261 - SECURE ABAP DEVELOPMENT: ONE BUG IS ENOUGH TO PUT YOUR
APPLICATION AT RISK
Overview
Estimated time: 15 minutes
Objective
In the presentation we showed you what an OS command injection is and how it works. In
this exercise you will learn how to avoid this kind of attack.
Exercise Description
In this part of the exercise you execute the program, inspect one of the invoices and accept it
with a change of the filename.
Whenever you run out of invoices in this exercise 1 and exercise 2 you can restore the
original state by executing program Z_SEC261_SETUP_FILES.
4
SEC261 - SECURE ABAP DEVELOPMENT: ONE BUG IS ENOUGH TO PUT YOUR
APPLICATION AT RISK
Explanation Screenshot
1. Click
Student (local)
and navigate to folder
D:\Files\Session\SEC261.
Step 2
Step 3
2. Double-click
in your
SAPGUI window.
Step 4
3. Navigate to package
TEST_SEC261 Subpackage
TEST_SEC261_INJECTIONS
Program
Z_SEC261_INJECTION and
press F8 to execute it.
Step 5
5
SEC261 - SECURE ABAP DEVELOPMENT: ONE BUG IS ENOUGH TO PUT YOUR
APPLICATION AT RISK
Explanation Screenshot
Step 6
5. Click .
Step 7
6. Change the filename to
D:\Files\Session\SEC261\Acce
pt\Invoice1954.txt, i.e. remove
the leading zeroes before
1954.
7. Click to move the file into
Step 8
the Accept directory.
Step 9
6
SEC261 - SECURE ABAP DEVELOPMENT: ONE BUG IS ENOUGH TO PUT YOUR
APPLICATION AT RISK
Explanation Screenshot
Step 10
Step 11
7
SEC261 - SECURE ABAP DEVELOPMENT: ONE BUG IS ENOUGH TO PUT YOUR
APPLICATION AT RISK
Explanation Screenshot
1. Double-click
on to see
the invoice.
Step 2
Step 3
3. Add " | echo Hello!"
behind the filename (without
the double quotes).
4. Click .
Step 4
8
SEC261 - SECURE ABAP DEVELOPMENT: ONE BUG IS ENOUGH TO PUT YOUR
APPLICATION AT RISK
Explanation Screenshot
An echo command is of course
not a very dangerous command.
We are sure that you can think of
very dangerous commands at this
point. It might be tempting, but
please do not try such commands
here.
5. Press ESC to close the
popup window.
9
SEC261 - SECURE ABAP DEVELOPMENT: ONE BUG IS ENOUGH TO PUT YOUR
APPLICATION AT RISK
Explanation Screenshot
Step 3
Step 4
Step 5
Step 6
10
SEC261 - SECURE ABAP DEVELOPMENT: ONE BUG IS ENOUGH TO PUT YOUR
APPLICATION AT RISK
Explanation Screenshot
1. Click on
with the
right mouse button, navigate to
Check and then to ABAP Test
Cockpit (ATC). This will invoke
the Code Vulnerability Analyzer
(CVA) under the control of the
ABAP Test Cockpit.
Step 7
Step 9
4. After browsing through this
list click to close the
Performance Assistant window.
Step 10
11
SEC261 - SECURE ABAP DEVELOPMENT: ONE BUG IS ENOUGH TO PUT YOUR
APPLICATION AT RISK
Explanation Screenshot
5. Click
Step 11
6. Click .
Step 12
Step 13
Step 14
12
SEC261 - SECURE ABAP DEVELOPMENT: ONE BUG IS ENOUGH TO PUT YOUR
APPLICATION AT RISK
You might wonder why we are not creating one generic external command for moving files.
Here's the reason: Moving a file can be a dangerous operation. If such dangerous operations
are generic then they are even more dangerous. Therefore we create two specialized
external commands. This way the probability that they can be used for an attack is
significantly reduced.
Explanation Screenshot
1. Double-click
Step 2
Step 3
13
SEC261 - SECURE ABAP DEVELOPMENT: ONE BUG IS ENOUGH TO PUT YOUR
APPLICATION AT RISK
Explanation Screenshot
3. Enter Z_MOVE_FILE_ACC
in the Command Name field.
4. Enter cmd /c move in the
Operating System
Command field.
There is no single "move"
command in Windows (in the
sense of a single program that
does the move). This
functionality is part of the
command shell cmd. This is
why we must involve a
shell here. The /c specifies that
the move shall be executed
and that the the shell shall
terminate after that.
5. Enter
Z_SEC261_CHECK_PARAMS
_ACC in the Check
Module field.
This is the name of a function
module that is called when the
external command shall be
executed. In this function
module you can check the
parameters that are about to be
passed to the external
command.
6. Click to save your
specification of the external Step 4
command.
7. Click .
Step 5
14
SEC261 - SECURE ABAP DEVELOPMENT: ONE BUG IS ENOUGH TO PUT YOUR
APPLICATION AT RISK
Explanation Screenshot
9. Enter Z_MOVE_FILE_REJ
in the Command Name field.
10. Enter cmd /c move in the
Operating System
Command field.
11. Enter Z_SEC261_CHECK_
PARAMS_REJ in the Check
Module field.
12. Click .
13. Click .
Step 6
14. Click .
Step 7
15. Double-click
Step 8
15
SEC261 - SECURE ABAP DEVELOPMENT: ONE BUG IS ENOUGH TO PUT YOUR
APPLICATION AT RISK
Explanation Screenshot
16. Enter SXPG_DUMMY_CO
MMAND_CHECK in the
Function Module field.
17. Click to copy this
function module.
Step 9
18. Enter Z_SEC261_CHECK_
PARAMS_ACC in the To
Function module field.
19. Enter Z_SEC261 in the
Function group field.
20. Click .
Step 10
21. Click .
Step 11
22. Remove the marked
comments. We don't need
them any more. They originate
from the copied function
module
SXPG_DUMMY_COMMAND_
CHECK.
Step 12
16
SEC261 - SECURE ABAP DEVELOPMENT: ONE BUG IS ENOUGH TO PUT YOUR
APPLICATION AT RISK
Explanation Screenshot
23. Enter the following source
code:
Step 14
17
SEC261 - SECURE ABAP DEVELOPMENT: ONE BUG IS ENOUGH TO PUT YOUR
APPLICATION AT RISK
Explanation Screenshot
26. Enter SXPG_DUMMY_CO
MMAND_CHECK in the
Function Module field.
27. Click to copy it.
Step 15
28. Enter Z_SEC261_CHECK_
PARAMS_REJ in the To
Function Module field.
29. Enter Z_SEC261 in the
Function Group field.
30. Click .
Step 16
31. Click .
Step 17
32. Remove the marked
comments. We don't need
them any more. They originate
from the copied function
module
SXPG_DUMMY_COMMAND_
CHECK.
Step 18
18
SEC261 - SECURE ABAP DEVELOPMENT: ONE BUG IS ENOUGH TO PUT YOUR
APPLICATION AT RISK
Explanation Screenshot
33. Enter the following source
code:
Step 20
36. Click .
Step 21
19
SEC261 - SECURE ABAP DEVELOPMENT: ONE BUG IS ENOUGH TO PUT YOUR
APPLICATION AT RISK
Explanation Screenshot
1. Click .
Step 2
2. Enter
Z_SEC261_INJECTION in the
Program field.
3. Click Change.
Step 3
4. Scroll to the form routine
move_file (about line 150).
Step 4
5. Add ucomm TYPE sy-
ucomm as the first parameter.
20
SEC261 - SECURE ABAP DEVELOPMENT: ONE BUG IS ENOUGH TO PUT YOUR
APPLICATION AT RISK
Explanation Screenshot
6. Remove the type definition
of result_line.
commandname TYPE
sxpgcolist-name,
params TYPE btcxpgpar,
IF ucomm = 'ACCEPT'.
commandname =
'Z_MOVE_FILE_ACCEPT'.
ELSE.
commandname =
'Z_MOVE_FILE_REJECT'.
ENDIF.
Step 7
* Do the move.
21
SEC261 - SECURE ABAP DEVELOPMENT: ONE BUG IS ENOUGH TO PUT YOUR
APPLICATION AT RISK
Explanation Screenshot
8. But how do we do the move?
How do we use our external
commands? Here's the answer:
Step 8
9. In the popup enter
SXPG_CALL_SYSTEM in the
field after CALL FUNCTION.
Step 9
10. Click .
Step 10
11. For the sake of simplicity in
this exercise change the
function call such that it looks
like this:
CALL FUNCTION
'SXPG_CALL_SYSTEM'
EXPORTING
commandname =
commandname
additional_parameters =
params
TABLES
exec_protocol =
result
EXCEPTIONS
no_permission = 1
OTHERS = 2.
22
SEC261 - SECURE ABAP DEVELOPMENT: ONE BUG IS ENOUGH TO PUT YOUR
APPLICATION AT RISK
Explanation Screenshot
12. Add the following code for a
minimum error handling:
CASE sy-subrc.
WHEN 0.
* Fine! Nothing to
do. Continue below.
WHEN 1.
MESSAGE 'No
permission to move the
file.' TYPE 'E'.
WHEN OTHERS.
MESSAGE
'Unspecified error when
moving the file.' TYPE
'E'.
ENDCASE. Step 12
Step 14
23
SEC261 - SECURE ABAP DEVELOPMENT: ONE BUG IS ENOUGH TO PUT YOUR
APPLICATION AT RISK
Remember: in case you run out of invoice files you can reset the files by running report
Z_SEC261_SETUP_FILES.
Explanation Screenshot
Step 2
2. Double-click
(or any
other file name).
Step 3
3. Click .
Step 4
4. Enter | echo Hello! behind
the filename.
5. Click .
Step 5
24
SEC261 - SECURE ABAP DEVELOPMENT: ONE BUG IS ENOUGH TO PUT YOUR
APPLICATION AT RISK
Explanation Screenshot
6. Click .
Step 7
7. Append && echo Hello! to
the file name.
8. Click .
Step 8
Step 10
10. Change from the suggested
Accept folder to the Reject
folder.
11. Click .
Step 11
Step 12
Summary
You have completed the exercise!
25
SEC261 - SECURE ABAP DEVELOPMENT: ONE BUG IS ENOUGH TO PUT YOUR
APPLICATION AT RISK
Overview
Estimated time: 15 minutes
Objective
In the previous exercise on command injection you saw how to get rid of the possibility to
have the system execute arbitrary OS commands. In the end of that exercise we saw that it
is still possible to move invoice files to arbitrary directories. In this exercise we will take care
of this directory traversal problem.
Exercise Description
Explanation Screenshot
1. Click
Step 2
2. Click to acknowlegde
this.
Step 3
26
SEC261 - SECURE ABAP DEVELOPMENT: ONE BUG IS ENOUGH TO PUT YOUR
APPLICATION AT RISK
Explanation Screenshot
Step 4
5. Enter
Z_SEC261_NEW_INVOICES
in the Logical File Path field.
6. Enter New Invoices in the
Name field.
Step 5
7. Enter
Z_SEC261_ACC_INVOICES in
the Logical File Path field.
8. Enter Accepted Invoices in
the Name field.
Step 6
9. Enter
Z_SEC261_REJ_INVOICES in
the Logical File Path field.
10. Enter Rejected Invoices in
the Name field.
11. Click to save the logical
file path definitions.
Step 7
Step 8
27
SEC261 - SECURE ABAP DEVELOPMENT: ONE BUG IS ENOUGH TO PUT YOUR
APPLICATION AT RISK
Explanation Screenshot
13. Mark the first entry
(Z_SEC261_NEW_INVOICES).
14. Click
to assign the physical path.
Step 9
15. Click .
Step 10
16. Click for a value help on
the Syntax group.
Step 11
17. Click since
our application server is
running on a Windows
machine.
Step 12
18. Enter D:\Files\Session\SE
C261\<FILENAME> in
the Physical path field.
19. Click several times until
you get back to the Overview of
Added Entries.
Step 13
20. Mark the second entry
(Z_SEC261_ACC_INVOICES).
21. Click
.
Step 14
28
SEC261 - SECURE ABAP DEVELOPMENT: ONE BUG IS ENOUGH TO PUT YOUR
APPLICATION AT RISK
Explanation Screenshot
22. Click .
Step 15
23. Select WINDOWS NT
again for the Syntax group.
24. Enter
D:\Files\Session\SEC261\Acc
ept\<FILENAME> in the
Physical path field.
25. Click several times until
you get back to the Overview of
Added Entries.
Step 16
26. Mark the third entry
(Z_SEC261_REJ_INVOICES).
27. Click
.
Step 17
28. Click .
Step 18
29. Select WINDOWS NT
again for the Syntax group.
30. Enter
D:\Files\Session\SEC261\Rej
ect\<FILENAME> in
the Physical path field.
31. Click .
Step 19
29
SEC261 - SECURE ABAP DEVELOPMENT: ONE BUG IS ENOUGH TO PUT YOUR
APPLICATION AT RISK
Explanation Screenshot
Step 21
34. Enter
Z_SEC261_NEW_INVOICES
in the Log. File field.
35. Enter New Invoices in
the Name field.
36. Enter DIR in the Data
format field.
37. Enter BC in
the Applicat.area field.
38. Enter
Z_SEC261_NEW_INVOICES
Step 22
in the Logical path field.
39. Click .
Step 23
40. Click .
Step 24
41. Enter
Z_SEC261_ACC_INVOICES in
the Log. File field.
42. Enter Accepted Invoices
in the Name field.
43. Enter DIR in the Data
format field.
44. Enter BC in
the Applicat.area field.
45. Enter
Z_SEC261_ACC_INVOICES in
the Logical path field. Step 25
46. Click .
Step 26
30
SEC261 - SECURE ABAP DEVELOPMENT: ONE BUG IS ENOUGH TO PUT YOUR
APPLICATION AT RISK
Explanation Screenshot
47. Click .
Step 27
48. Enter
Z_SEC261_REJ_INVOICES in
the Log. File field.
49. Enter Rejected Invoices in
the Name field.
50. Enter DIR in the text field.
51. Enter BC in the text field.
52. Enter
Z_SEC261_REJ_INVOICES in Step 28
the text field.
53. Click .
54. Click .
Step 29
31
SEC261 - SECURE ABAP DEVELOPMENT: ONE BUG IS ENOUGH TO PUT YOUR
APPLICATION AT RISK
Explanation Screenshot
1. Click
.
Step 2
2. Enter
Z_SEC261_CHECK_PARAMS
_ACC in the Function Module
field.
3. Click .
Step 3
4. Insert the following code
after the SPLIT command:
logical_filename_not_fo
und = 1
validation_failed = 2
OTHERS = 3.
IF sy-subrc <> 0.
RAISE
no_permission.
ENDIF.
32
SEC261 - SECURE ABAP DEVELOPMENT: ONE BUG IS ENOUGH TO PUT YOUR
APPLICATION AT RISK
Explanation Screenshot
5. Insert another call of
FILE_VALIDATE_NAME after
the first IF/ENDIF statement
that checks for
allowed_characters:
logical_filename_not_fo
und = 1
validation_failed
= 2
OTHERS = 3.
IF sy-subrc <> 0.
RAISE
no_permission.
ENDIF. Step 5
Step 6
8. Enter Z_SEC261_CHECK_P
ARAMS_REJ in the Function
Module field.
9. Click .
Step 7
33
SEC261 - SECURE ABAP DEVELOPMENT: ONE BUG IS ENOUGH TO PUT YOUR
APPLICATION AT RISK
Explanation Screenshot
10. Insert the following code
after the SPLIT command:
logical_filename_not_foun
d = 1
validation_failed =
2
OTHERS = 3.
IF sy-subrc <> 0.
RAISE no_permission.
ENDIF.
Step 8
11. Insert another call of
FILE_VALIDATE_NAME after
the first IF/ENDIF statement
that checks for
allowed_characters:
logical_filename_not_foun
d = 1
validation_failed =
2
OTHERS = 3.
IF sy-subrc <> 0.
RAISE no_permission.
ENDIF.
Step 9
34
SEC261 - SECURE ABAP DEVELOPMENT: ONE BUG IS ENOUGH TO PUT YOUR
APPLICATION AT RISK
Explanation Screenshot
Step 10
Explanation Screenshot
1. Double-click
.
Step 2
2. Enter Z_SEC261_INJECTIO
N in the Program field.
3. Click .
Step 3
4. Double-click
(or any
other invoice file name).
Step 4
35
SEC261 - SECURE ABAP DEVELOPMENT: ONE BUG IS ENOUGH TO PUT YOUR
APPLICATION AT RISK
Explanation Screenshot
5. Click .
Step 5
6. Change the filename from
D:\Files\Session\SEC261\Acce
pt\Invoice002381.txt to
D:\Files\Session\SEC261\Reje
ct\Invoice002381.txt, thus
trying a directory traversal
attack. Step 6
7. Click .
8. Click .
Step 8
9. Change the filename:
remove the leading zeroes from
the number in the filename.
10. Click .
Step 9
36
SEC261 - SECURE ABAP DEVELOPMENT: ONE BUG IS ENOUGH TO PUT YOUR
APPLICATION AT RISK
Explanation Screenshot
Step 11
13. Click .
Step 12
14. Change the file name from
D:\Files\Session\SEC261\Reje
ct\Invoice006911.txt to
D:\Files\Session\SEC261\Acce
pt\Invoice006911.txt
15. Click . Step 13
Summary
You have completed the exercise!
37
SEC261 - SECURE ABAP DEVELOPMENT: ONE BUG IS ENOUGH TO PUT YOUR
APPLICATION AT RISK
Overview
Estimated time: 20 minutes
Objective
In this exercise we will deal with the BSP application which you saw in the demo. There is an
XSRF (Cross site request forgery) and an XSS (Cross site scripting) problem in it.
Exercise Description
Explanation Screenshot
1. Click
.
Step 2
2. Navigate: Package
TEST_SEC261 Subpackage
TEST_SEC261_BSP BSP
Application Z_SEC261_DEMO
Page demo.htm . Double-
click .
38
SEC261 - SECURE ABAP DEVELOPMENT: ONE BUG IS ENOUGH TO PUT YOUR
APPLICATION AT RISK
Explanation Screenshot
Step 4
Step 5
5. Enter sec261 aus your user
name and welcome as your
password. Then click
.
Step 6
39
SEC261 - SECURE ABAP DEVELOPMENT: ONE BUG IS ENOUGH TO PUT YOUR
APPLICATION AT RISK
Explanation Screenshot
7. Since this is a new
application the system asks
you to login again. Use sec261
as your user name and
welcome as your password
again. Step 8
8. Click to inspect
invoice number 001954.
Step 9
Step 10
Step 11
10. Click .
Step 12
40
SEC261 - SECURE ABAP DEVELOPMENT: ONE BUG IS ENOUGH TO PUT YOUR
APPLICATION AT RISK
Explanation Screenshot
Step 13
12. Click .
Step 14
Step 15
Step 17
41
SEC261 - SECURE ABAP DEVELOPMENT: ONE BUG IS ENOUGH TO PUT YOUR
APPLICATION AT RISK
Explanation Screenshot
16. Don't enter any selection
criteria. Just click to see all
the records. (Don't worry.
There are only five records in
the table.)
Step 18
42
SEC261 - SECURE ABAP DEVELOPMENT: ONE BUG IS ENOUGH TO PUT YOUR
APPLICATION AT RISK
Explanation Screenshot
1. In your browser window click
43
SEC261 - SECURE ABAP DEVELOPMENT: ONE BUG IS ENOUGH TO PUT YOUR
APPLICATION AT RISK
Explanation Screenshot
Step 5
4. Click without entering any
selection criteria.
Step 6
44
SEC261 - SECURE ABAP DEVELOPMENT: ONE BUG IS ENOUGH TO PUT YOUR
APPLICATION AT RISK
Explanation Screenshot
Step 2
2. Click
. That's the URL below the text
"You can also add HTML
coding to the URL ...". It ends
with
input=006911<script>ale
rt('Hello
Step 3
World!')</script> .
3. Click .
Step 4
4. Now click the URL below
"Got a 403 error? ...". It is
essentially the same URL as
the last one, except that Step 5
sap_params with the base64-
encoded value is used.
45
SEC261 - SECURE ABAP DEVELOPMENT: ONE BUG IS ENOUGH TO PUT YOUR
APPLICATION AT RISK
Explanation Screenshot
Do you remember the OS
command injection in exercise 1?
There we also did a harmless
operation with the echo
command. And we asked you not
to try more dangerous operations.
The same applies here: With
Javascript you can do nasty
things. Please only use your
imagination, but please don't try
them here.
5. Click .
6. Click .
Step 7
46
SEC261 - SECURE ABAP DEVELOPMENT: ONE BUG IS ENOUGH TO PUT YOUR
APPLICATION AT RISK
Explanation Screenshot
1. Click on
with the right mouse button and
navigate to Check and then to
ABAP Test Cockpit (ATC).
2. Click
to
launch CVA. Step 2
entry.
Step 3
Step 4
47
SEC261 - SECURE ABAP DEVELOPMENT: ONE BUG IS ENOUGH TO PUT YOUR
APPLICATION AT RISK
Explanation Screenshot
5. This is the place where the
XSS attack is possible. The
"unfiltered" contents of the BSP
parameter input is written into
the HTML page at this point. If
an attacker includes some
Javascript code in the contents
of the parameter input then
this code is executed at
runtime.
6. Click .
Step 5
Step 6
Step 8
48
SEC261 - SECURE ABAP DEVELOPMENT: ONE BUG IS ENOUGH TO PUT YOUR
APPLICATION AT RISK
The solution for this is escaping. That means that a couple of characters that have a special
meaning in HTML must be treated in a special way. The most obvious character here is
the < character. In cases in which it shall not have a special meaning it must be escaped, i.
e. it must be coded as < (the "lt" stands for "less than") or in one of a few other alternative
ways. For an HTML parser (which is part of a browser) this means that the character < shall
be displayed on the screen (or printed into a hardcopy). It shall not have the special meaning
"introduction of an HTML tag". If such escaping is done for the data from the outside (in our
case a parameter in the URL) this will not result in an XSS vulnerability.
In most cases this is very easy. Each BSP page has an introductory directive which starts
with <%@page . Just add an attribute forceEncode="html" to this directive. Then -
whenever text from an ABAP variable shall be written to the page - this text will be escaped
automacially. This is very easy to implement and covers the requirements in most cases.
In some cases you explicitly don't want this automatic escaping, e. g. when the data that
shall be displayed has already been escaped at some place for some reason. Then the
forceEncode attribute can't be used because multiple escaping leads to unwanted results.
Without the forceEncode attribute for each variable whose content shall be written to the
HTML page the developer must decide whether the content shall be escaped or not. If it shall
be escaped then there are various ways to it. You will see them in the next part of the
exercise.
Explanation Screenshot
1. Click
.
Step 2
2. Navigate: Package
TEST_SEC261 Subpackage
TEST_SEC261_BSP BSP
Application
Z_SEC261_Approv
. Double-click
. Step 3
Step 4
49
SEC261 - SECURE ABAP DEVELOPMENT: ONE BUG IS ENOUGH TO PUT YOUR
APPLICATION AT RISK
Explanation Screenshot
4. Add forceEncode="html"
to the page directive. Since this
is hard to read on the right
side, here is the whole resulting
directive:
<%@page language="abap"
forceEncode="html"%> Step 5
5. Activate your change: Click
.
Step 6
6. Let's try the escaping in a
different way now. Click
.
Step 7
7. On this page we want to
treat writing of the input
parameter to the page by
changing the tag from <%= to
<%html= . Do this here...
8. ... and here ...
9. ... and here.
Step 8
10. This is the fourth place a
few lines before the end of the
coding. Do the change here,
too.
Step 9
50
SEC261 - SECURE ABAP DEVELOPMENT: ONE BUG IS ENOUGH TO PUT YOUR
APPLICATION AT RISK
Explanation Screenshot
11. Activate your corrections by
a click on .
Step 10
12. Switch to
page .
Step 11
13. On this page we want to
use method
cl_abap_dyn_prg=>escape
_xss_xml_html( ).
Use it here...
14. ... and here...
15. ...and finally here.
Step 12
16. Activate the page.
Step 13
51
SEC261 - SECURE ABAP DEVELOPMENT: ONE BUG IS ENOUGH TO PUT YOUR
APPLICATION AT RISK
Explanation Screenshot
17. Now switch to page
.
Step 14
18. The last way of escaping
for this exercise is the ABAP
built-in function escape( val
= input format =
cl_abap_format=>e_xss_m
l ).
Use it here...
19. ... and here ...
20. ... and finally here.
Step 15
Step 16
52
SEC261 - SECURE ABAP DEVELOPMENT: ONE BUG IS ENOUGH TO PUT YOUR
APPLICATION AT RISK
Explanation Screenshot
1. Go to the demo application
again. Double-click
.
Step 2
2. Launch it by clicking .
Step 3
Step 4
4. As before: enter sec261 as
the user name if you are asked
to logon again.
5. Enter welcome as the
password.
6. Click to logon.
Step 5
7. Click the very first link (the
one that ends with init.htm)
to restore all invoices to their
initial state.
Step 6
53
SEC261 - SECURE ABAP DEVELOPMENT: ONE BUG IS ENOUGH TO PUT YOUR
APPLICATION AT RISK
Explanation Screenshot
8. If requested logon
to the z_sec261_Approv
application with user name
sec261 and password
welcome, then click
.
Step 7
Step 8
10. Click the link below "Got a
403 error? ..." again.
54
SEC261 - SECURE ABAP DEVELOPMENT: ONE BUG IS ENOUGH TO PUT YOUR
APPLICATION AT RISK
Explanation Screenshot
parameter, e. g. check for the
maximum length of 6 characters
plus check whether all characters
are numeric. But let's stop this
example at this point. There's
some more work to do.
11. Click .
55
SEC261 - SECURE ABAP DEVELOPMENT: ONE BUG IS ENOUGH TO PUT YOUR
APPLICATION AT RISK
It is important to make sure that BSP pages which cause changes on the database can only
be reached from pages which make you aware of this fact, e.g. by offering you pushbuttons
"Accept" or "Reject". (You will see how to do this in this part of the exercise. It's easy!)
By the way, this problem is not limited to BSPs. Other technologies (be it SAP technologies,
be it technologies of other vendors) can have such problems, too.
Explanation Screenshot
1. Click
.
Step 2
2. Navigate: Package
TEST_SEC261 Subpackage
TEST_SEC261_BSP BSP
Application
Z_SEC261_Approv. Double-
click .
Step 3
3. Switch to the
tab.
Step 4
Step 5
56
SEC261 - SECURE ABAP DEVELOPMENT: ONE BUG IS ENOUGH TO PUT YOUR
APPLICATION AT RISK
Explanation Screenshot
5. Mark the XSRF Protection
checkbox.
Step 6
6. Click .
Step 7
57
SEC261 - SECURE ABAP DEVELOPMENT: ONE BUG IS ENOUGH TO PUT YOUR
APPLICATION AT RISK
Explanation Screenshot
8. Switch to the
tab.
Step 9
9. Mark the Start BSP
checkbox. This means that this
page can be called without an
XSRF token. This makes sense
because it is the initial page of
this BSP application.
Step 10
Step 11
11. Navigate to the
page.
Step 12
12. Mark the Start BSP
checkbox. Thus, this page can
be called without an XSRF
token, too.
Step 13
Step 14
58
SEC261 - SECURE ABAP DEVELOPMENT: ONE BUG IS ENOUGH TO PUT YOUR
APPLICATION AT RISK
Explanation Screenshot
59
SEC261 - SECURE ABAP DEVELOPMENT: ONE BUG IS ENOUGH TO PUT YOUR
APPLICATION AT RISK
Explanation Screenshot
1. Navigate to the demo
application again. Double-click
.
Step 2
Step 3
3. If this popup comes click
.
Step 4
4. If you are requested to logon
use sec261 as your uer name
and welcome as your
password. Click to
logon to the demo application.
Step 5
5. Just to make sure we have
enough invoices and to check
whether the init page is not
XSRF protected click the very
first link again (the URL ends
with init.htm .). Step 6
60
SEC261 - SECURE ABAP DEVELOPMENT: ONE BUG IS ENOUGH TO PUT YOUR
APPLICATION AT RISK
Explanation Screenshot
6. If you have to logon use
sec261 as your user name and
welcome as your password,
then click to logon to
the z_sec261_Approv
application.
Step 7
7. Click .
Step 8
8. Locate the fourth link. It ends
with
approved.htm?input=0087
26 . Should it work? No,
because the approved.htm
page is not one of our start
pages. Now click on the link. Step 9
Step 10
61
SEC261 - SECURE ABAP DEVELOPMENT: ONE BUG IS ENOUGH TO PUT YOUR
APPLICATION AT RISK
Explanation Screenshot
9. As a last step let's see
whether CVA "likes" our
application now. In your
SAPGUI window click on
with the right
mouse button and navigate to
Check and then ABAP Test
Cockpit (ATC).
10. Click
Step 11
.
Step 12
Summary
You have completed the exercise!
62
SEC261 - SECURE ABAP DEVELOPMENT: ONE BUG IS ENOUGH TO PUT YOUR
APPLICATION AT RISK
Overview
Estimated time: 15 minutes
Objective
This exercise deals with a special characteristic of the CALL TRANSACTION statement.
When a CALL TRANSACTION is executed the ABAP runtime automatically checks the
authorizations for starting the specific transaction only in some special cases. In other cases
it is not automatically checked. The behaviour depends on settings in DB table TCDCOUPLES
and profile parameters.
SAP recommends not to rely on these complex rules any more. The developer who is
responsible for the calling program (i. e. the program in which the CALL TRANSACTION is
coded) should determine whether or not an authorization check takes place and this decision
should be visible in the coding.
Please note that it sometimes is perfectly correct not to check the transaction start
authorizations in conjunction with a CALL TRANSACTION statement. It depends upon the
context of the calling program.
We will not try to attack any transactions or programs here. We will just have a close look
at several CALL TRANSACTION statements including their environments and see what CVA
reports.
Exercise Description
63
SEC261 - SECURE ABAP DEVELOPMENT: ONE BUG IS ENOUGH TO PUT YOUR
APPLICATION AT RISK
Explanation Screenshot
1. First we want to make you
aware of possible authorization
checks that are associated with
a transaction. - In this part of
the exercise we are always
calling transaction SE38.
Let's have a look at the
definition of this transaction.
Step 3
64
SEC261 - SECURE ABAP DEVELOPMENT: ONE BUG IS ENOUGH TO PUT YOUR
APPLICATION AT RISK
Explanation Screenshot
5. Click .
Step 5
Step 7
8. Navigate: Package
TEST_SEC261 Subpackage
TEST_SEC261_CALL_TA
Program
Z_SEC261_CALL_TA_STAT.
Double-click
.
Step 8
9. Click on
65
SEC261 - SECURE ABAP DEVELOPMENT: ONE BUG IS ENOUGH TO PUT YOUR
APPLICATION AT RISK
Explanation Screenshot
11. Okay, four findings! Double-
click on the first
finding:
.
Step 10
12. In the details you can see
what it says: "The authorization
for S_TCODE is not checked
and neither is the authorization
object S_DEVELOP in
thetransaction code editor
(SE93)."
Click
Step 12
14. Click .
Step 13
15. Click .
Step 15
66
SEC261 - SECURE ABAP DEVELOPMENT: ONE BUG IS ENOUGH TO PUT YOUR
APPLICATION AT RISK
Explanation Screenshot
16. Double-click on the second
finding: .
Step 16
17. It says: "The authorization
for the authorization object
S_DEVELOP in the transaction
code editor (SE93) is
notchecked." If you want to you
can have a look at the help
text.
18. Click .
Step 19
19. Now double-click on the
third
finding: .
Step 20
20. The message is: "The
authorization for the
authorization object S_TCODE
is not checked." You might
want to look at the help text to
see the details.
67
SEC261 - SECURE ABAP DEVELOPMENT: ONE BUG IS ENOUGH TO PUT YOUR
APPLICATION AT RISK
Explanation Screenshot
Step 22
21. Click .
Step 23
22. Now let's have a look at the
last finding. This demonstrates
a special situation. Double-click
.
Step 24
23. It reads "The authorization
for S_TCODE is not checked
and neither is the authorization
object S_DEVELOP in
thetransaction code editor
(SE93).This case is not so
critical since the functions of
the transaction are restricted by
inputparameters." (Sorry about
all those missing blanks...) How
about that second sentence?
68
SEC261 - SECURE ABAP DEVELOPMENT: ONE BUG IS ENOUGH TO PUT YOUR
APPLICATION AT RISK
Explanation Screenshot
(USING and AND SKIP FIRST
SCREEN).
24. Click .
Step 27
25. In this exercise we look at
the fixed version of the program
right away. We'll present
several ways of getting rid of
the CVA messages. Click
Step 28
69
SEC261 - SECURE ABAP DEVELOPMENT: ONE BUG IS ENOUGH TO PUT YOUR
APPLICATION AT RISK
Explanation Screenshot
you want a complete authorization
check! Just use the clause WITH
AUTHORITY-CHECK. This ABAP
feature is available as of
SAP_BASIS 740 SP 02 and it is
the recommended way. In earlier
releases we recommend the use
of the function module
AUTHORITY_CHECK_TCODE.
70
SEC261 - SECURE ABAP DEVELOPMENT: ONE BUG IS ENOUGH TO PUT YOUR
APPLICATION AT RISK
Explanation Screenshot
1. Click
.
Step 2
2. Navigate: Package
TEST_SEC261 Subpackage
TEST_SEC261_CALL_TA
Program
Z_SEC261_CALL_TA_STAT.
Double-Click on
.
3. Click on
with
the right mouse button and
navigate to Check, then ABAP
Test Cockpit (ATC).
4. Click .
Step 4
71
SEC261 - SECURE ABAP DEVELOPMENT: ONE BUG IS ENOUGH TO PUT YOUR
APPLICATION AT RISK
Explanation Screenshot
5. CVA found four problems
again. Let's have a look at each
of them.
Double-click on the first
.
Step 5
Step 7
7. Click .
Step 8
8. Click to see the
CALL TRANSACTION
statement.
Step 9
72
SEC261 - SECURE ABAP DEVELOPMENT: ONE BUG IS ENOUGH TO PUT YOUR
APPLICATION AT RISK
Explanation Screenshot
9. Click .
Step 11
10. Double-click the second
finding .
Step 12
Step 13
73
SEC261 - SECURE ABAP DEVELOPMENT: ONE BUG IS ENOUGH TO PUT YOUR
APPLICATION AT RISK
Explanation Screenshot
SE93? That's why the description
of CVA says something about
"Potentially incomplete
authorization check". We just don't
know because by looking at the
source code we can't tell which
transaction will be called at
runtime.
12. Click .
Step 15
13. Double-click the
third to
see the third finding.
Step 16
Step 17
74
SEC261 - SECURE ABAP DEVELOPMENT: ONE BUG IS ENOUGH TO PUT YOUR
APPLICATION AT RISK
Explanation Screenshot
transaction over the Okcode field,
too. Yes, that's true. This check is
for those who just want to make
very, very sure. After all, the
priority is low. And you don't have
to use the check if you think this is
too strict.
15. Click .
Step 19
16. Double-click on the
fourth .
Step 20
75
SEC261 - SECURE ABAP DEVELOPMENT: ONE BUG IS ENOUGH TO PUT YOUR
APPLICATION AT RISK
Explanation Screenshot
18. Click .
Step 23
19. Let's look at the fixed
version of the program. Double-
click
.
Step 24
Step 25
Step 27
76
SEC261 - SECURE ABAP DEVELOPMENT: ONE BUG IS ENOUGH TO PUT YOUR
APPLICATION AT RISK
Explanation Screenshot
Summary
You have completed the exercise!
77