Mitigating XSS in BSP Apps
Cross Site Scripting (XSS) is still one of the most common vulnerabilities in web applications. Unfortunately, the BSP apps do not have a good reputation. Just checking monthly security notes released by SAP will convince anyone that the BSP apps suffer from XSS. The problem is that you only forget to validate one input and you have a problem.
What can we do to mitigate risk of XSS? One solution is to use a framework that validates all inputs automatically. In ABAP world it means to use web dynpro for ABAP. You can also educate your developers about XSS and other security issues in web applications. I would suggest doing this regardless of having BSP apps. A penetration testing of your systems is also a good idea. But what if you have a legacy BSP app and you don’t want to spend money on rewriting it into web dynpro app. Could your web browser help to mitigate risk of XSS?
CSP Comes to Rescue
Content Security Policy (CSP) is a simple solution developed by Mozilla that can mitigate certain types of attacks. XSS is one of them. How does it work? It defines and uses new HTTP header field X-Content-Security-Policy. Basically, a web server can send a policy to web browser that defines allowed domains for various resources such as images or scripts. The nice thing about using HTTP header field is that it’s backward compatible. If browser does not recognize CSP header field then it will simply ignore it. Hence the users with browser without CSP support won’t be protected but it won’t break an app for them.
The simplest policy is that you allow resources only from your domain (even excluding sub-domains).
X-Content-Security-Policy: default-src ‘self’
The browser with support for CSP won’t load any resource (image or script) that does not come from same domain as web page.
More complex example could be that you want to be able to load images from separate domain images.domain.com. You can define your policy as
X-Content-Security-Policy: allow ‘self’; img-src ‘self’ images.localhost.localdomain
What do we need to do to implement CSP? Two things: a web server that returns the new HTTP header field and a browser that supports CSP. The good news is that ABAP AS can set any HTTP header field. The bad news is that not all browsers support CSP but I assume that all major browser vendors will catch up. Firefox supports CSP since version 4 (as I mentioned above CSP was developed by Mozilla). IE 10 has partial implementation and it might be back-ported to older releases. Web kit has implemented this feature as well.
Back to Your Legacy BSP App
Disclaimer: I haven’t tested this solution properly so don’t come back to me crying if it breaks your BSP applications
How can we activate CSP for BSP applications? Every BSP application uses HTTP handler implemented in class CL_HTTP_EXT_BSP. It uses class CL_BSP_RUNTIME to execute BSP app. This class has a method called ON_REQUEST_LEAVE that could be used to set HTTP header field X-Content-Security-Policy. I haven’t tested it properly but it seems like it’s called right after every request. You can easily enhance this or any other method using implicit enhancement points. Here is a simple example how to extend this method. It’s possible that you might need to extend some other methods.
method ON_REQUEST_LEAVE .
ENHANCEMENT 1 ZBC_CSP. “active version
* CSP implementation
c_response->set_header_field( name = ‘X-Content-Security-Policy’
value = ‘default-src ”self”’ ).
Other approach could be to stack multiple HTTP handlers. You could add a custom HTTP handler that would just set HTTP header field and pass execution to standard BSP handler.
Yet another approach could be to do not touch ABAP AS and put reverse proxy in front of it and set CSP header field there.
Will CSP Work for Web Dynpro?
First, I just said that web dynpro framework does input validation for developers. Then why bother with implementing CSP for web dynpro app? What if there is a bug in web dynpro framework? CSP could provide another layer of security.
What do we need to implement CSP. Again, two things: CSP enabled web server and web browser. I believe a similar trick could be used for a HTTP handler for web dynpro. For a web browser we have a problem. Most of SAP customers use IE and this feature is not available in released versions yet (I don’t have any official numbers but I haven’t seen customer using anything else than IE yet).
What Can SAP Do with CSP?
It could implement it in ABAP AS and Java AS. I think with relatively small investment (it took me 15 minutes to implement my proof of concept but I hope SAP do more rigorous testing than I do 🙂 ) it would bring additional layer of security for SAP customers.
Excellent blog, I learned the existence of the browser CSP by reading it.