
In workshop SIS261 at this year's TechEd you will learn about possible vulnerabilities in ABAP code, and you will also learn a new way of finding and fixing them.

ABAP and Security

Security issues in ABAP? Isn't that handled by SAP, so there is nothing to worry about as an ABAP developer? Unfortunately, this is not the case. As pointed out in a blog, and in more detail in the documentation, code injections and insufficient authority checks can become serious security risks in ABAP programs too. The following code snippet shows a prominent example:

DATA customers TYPE TABLE OF scustom WITH EMPTY KEY.

DATA name TYPE string.
" The value of name is taken from user input without any check
cl_demo_input=>request( CHANGING field = name ).

" The raw input is concatenated into the dynamic WHERE condition
DATA(cond) = `country = 'DE' AND name = '` && name && `'`.

TRY.
    SELECT * FROM scustom
             INTO TABLE customers
             WHERE (cond).
    cl_demo_output=>display( customers ).
  CATCH cx_sy_dynamic_osql_syntax.
    " Only syntactically invalid conditions end up here
    cl_demo_output=>display( 'Wrong input' ).
ENDTRY.

A value (name) supplied from outside the program is concatenated directly into a dynamic token of Open SQL. The vulnerability is a potential SQL injection: the input does not stay a value that is compared with the column, it becomes part of the WHERE clause itself. If x' OR name <> ' is entered for name, the condition becomes country = 'DE' AND name = 'x' OR name <> '', and all the data from the SCUSTOM table is displayed, regardless of country.

Fixing Programs

The workshop will show you ways to fix your programs. In the above example you can replace

DATA(cond) = `country = 'DE' AND name = '` && name && `'`.

with

DATA(cond) = `country = 'DE' AND name = '` &&
             cl_abap_dyn_prg=>escape_quotes( name ) && `'`.  " single quotes in name are doubled

to prevent a potential SQL injection. Every single quote in the input is doubled, so the input can no longer terminate the quoted literal and add its own condition. Note that escaping only protects values placed inside quoted literals; if user input is to become a column name or another token of the condition, it must instead be validated against an allow list (the check_* methods of the same class serve this purpose).
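To make the mechanics concrete, here is an added example that is not code from the original post and not SAP's implementation: it replays the same string concatenation in Python against an in-memory SQLite table filled with a few constructed customer rows. The escape_quotes function re-implements the documented behaviour of cl_abap_dyn_prg=>escape_quotes (doubling every single quote); the table layout, the sample rows and the helper names are assumptions made for the demo. It runs the vulnerable and the fixed condition for an ordinary name, for the x' OR name <> ' payload, and for a legitimate name containing an apostrophe, which the unescaped version rejects as "Wrong input" while the fixed version handles correctly.

```python
import sqlite3

# Constructed demo rows standing in for a few SCUSTOM customers
# (id, name, country); not data from the real table.
SAMPLE_CUSTOMERS = [
    (1, "Miller", "DE"),
    (2, "Schmidt", "DE"),
    (3, "Dupont", "FR"),
    (4, "Smith", "US"),
    (5, "O'Brien", "DE"),
]


def escape_quotes(value: str) -> str:
    """Re-implementation of what cl_abap_dyn_prg=>escape_quotes does:
    every single quote is doubled, so the value can no longer close the
    quoted literal it is placed into."""
    return value.replace("'", "''")


def build_cond(name: str, escape: bool = False) -> str:
    """Mirror of the ABAP concatenation
        `country = 'DE' AND name = '` && name && `'`
    without (escape=False) or with (escape=True) the escape_quotes fix."""
    if escape:
        name = escape_quotes(name)
    return "country = 'DE' AND name = '" + name + "'"


def select_customers(cond: str):
    """SELECT * FROM scustom WHERE (cond) against an in-memory table.
    Returns the matching rows, or None if the condition is not valid SQL
    (the counterpart of catching cx_sy_dynamic_osql_syntax)."""
    conn = sqlite3.connect(":memory:")
    try:
        conn.execute("CREATE TABLE scustom (id INTEGER, name TEXT, country TEXT)")
        conn.executemany("INSERT INTO scustom VALUES (?, ?, ?)", SAMPLE_CUSTOMERS)
        return conn.execute(
            "SELECT id, name, country FROM scustom WHERE " + cond
        ).fetchall()
    except sqlite3.OperationalError:
        return None
    finally:
        conn.close()


def row_count(cond: str):
    """Number of rows the condition selects, or None for a syntax error."""
    rows = select_customers(cond)
    return None if rows is None else len(rows)


def demo(name: str) -> dict:
    """Condition text and hit count for the vulnerable and the fixed variant."""
    vulnerable = build_cond(name)
    fixed = build_cond(name, escape=True)
    return {
        "vulnerable_cond": vulnerable,
        "vulnerable_rows": row_count(vulnerable),
        "fixed_cond": fixed,
        "fixed_rows": row_count(fixed),
    }


if __name__ == "__main__":
    for user_input in ("Miller", "x' OR name <> '", "O'Brien"):
        print(f"input: {user_input!r}")
        for key, value in demo(user_input).items():
            print(f"  {key}: {value}")
```

Running the script shows the payload selecting all five rows through the unescaped condition and zero rows once the quotes are doubled, while the name O'Brien produces a syntax error in the unescaped variant (what the ABAP program would report as "Wrong input") and a correct single hit in the fixed one. The same doubling is what the database interface expects for string literals, which is why the escaped input stays a plain value.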

But how to find potential security risks?

Scanning and Analyzing programs


With Release 7.0 EhP2 SP14, Release 7.3 EhP1 SP09 and Release 7.40 SP05, SAP plans to deliver the SAP NetWeaver Application Server, add-on for code vulnerability analysis, which can be purchased as a separate product. This tool will be embedded in the well-known Extended Program Check (SLIN) and thus in the ABAP Test Cockpit (ATC), so that it also becomes available to customers.

/wp-content/uploads/2013/07/slin_sec_254636.jpg

These security tests carry out a static data flow analysis: they follow a value from its source (here, the input request) to the place where it is used (the dynamic WHERE clause) and report an unprotected use, so they will find vulnerabilities such as the one shown above.

The integration into ATC looks as follows:

/wp-content/uploads/2013/07/slin_sec_254636.jpg


Checks can be carried out during development, and the findings can be analyzed by the developer. Each message is accompanied by a long text with further information on how to fix the problem.

You can set up your system so that transports cannot be released as long as security risks are found in the programs to be transported.

Want to learn more?  Hope to see you at TechEd in workshop SIS261!


5 Comments


  1. Shreya Tagra

    Hi Horst,

    Thanks for sharing. It is pretty interesting.

    6 years in ABAP, but honestly never thought on this perspective. I am not attending teched but would follow your blogs regarding this. Thanks again!

    Cheers,

    Shreya

  2. Steven King

    Greetings.

    We are on 7.31 EHP6 SP5 yet we do not appear to have these new security checks in the ATC.  To what level must we be in order to have them?

    Thanks.

    1. Horst Keller Post author

      See SAP Notes 1865277 and 1855773.

      The security checks are available in the following Support Packages:

      • SAP_BASIS 702 Support Package 14
      • SAP_BASIS 731 Support Package 09
      • SAP_BASIS 740 Support Package 05