Gregor Wolf

Cross-Site-Scripting (XSS) in SAP Web Application Server

Just read this German article about an XSS vulnerability in SAP Web Application Server (Web AS) and put the links to the relevant OSS Notes together.


Security Advisories


Security Advisory by Cybsec regarding HTTP Response Splitting

Security Advisory by Cybsec regarding possible phishing attacks

Security Advisory by Cybsec regarding several Cross-Site Scripting holes

Whitepaper about HTTP Response Splitting by Packetstorm


OSS Notes


853878: HTTP WhiteList Check (security)

887322: Whitelist checks of sap-exit URL

887164: BSP Test Applications in Production Systems

887168: BSP Page Directive <%@page forceEncode="html"%> & <%html=.%> (http://service.sap.com/~form/handler?_APP=01100107900000000342&_EVENT=REDIR&_NNUM=887168)

2 Comments
Former Member

Thanks Gregor, I talked with my colleague during lunch about the heise article but I did not have the time to get in touch with our administrators (it is not critical in our situation). But I know which link I will send them, tomorrow 😉

Regards,
Thomas
Mark Finnern

Hi Gregor,

Thanks a million. You really helped out here. I hate to delete an SDN comment, but I did this morning because it only pointed to the article without mentioning that there are SAP notes that solve these problems.

Andreas Wiegenstein's post "A short story about Cross Site Scripting" also gives some great background to Cross Site Scripting and how to protect against it.

Thanks again, Mark.