Code Vulnerability Analyzer Checks

peterbarker · ‎01-19-2017

The purpose of this blog

This blog lists the checks that SAP Code Vulnerability Analyzer provides.
The checks are made available with specific releases of SAP NetWeaver. For information as to which checks are available with which releases, please read note 1921820.

Background about Code Vulnerability Analyzer

The product "SAP Code Vulnerability Analyzer" is available for carrying out security checks. This is also called the code vulnerability analyzer (CVA). The CVA carries out a static analysis of the ABAP source code and reports possible security risks.
The CVA is a product in its own right and is subject to separate remuneration. If you enable the execution of the security checks, additional license costs are incurred.
You can allow the execution of system-wide security checks with the report RSLIN_SEC_LICENSE_SETUP. To carry out this step, you require authorization to make changes to global ATC check variants. Before activating the checks, make sure that you possess a valid license for the product. If in doubt, contact your sales representative at SAP.

Once the security checks are enabled, you can execute them in the ABAP Test Cockpit (ATC), the Code Inspector (SCI), and the extended program check. In the system, the security checks are sometimes called "Security Analyses in Extended Program Check (SLIN_SEC)". We recommend that you execute the security checks via the ATC only. This is possible for automatic mass runs and in the ABAP development environment for individual objects.
SAP Note 1921820 describes the releases and Support Packages with which the code vulnerability analyzer is available. SAP Note 1949276 describes restrictions pertaining to the functional scope. The documentation for the report RSLIN_SEC_LICENSE_SETUP describes the individual security checks in more detail, among other things.

General points about security common to some of all of the checks below

Security problems can occur wherever external data (such as user input) is processed further without being checked.

Sometimes external data is used within a dynamic clause of an OPEN SQL statement. This could enable potential attackers to gain unauthorized access to the SAP database of the system by making unexpected input. This is known as an SQL injection.

Sometimes external data is used as a file name to open or delete files on the application server. This can give potential attackers access to the file system of the application server, so enabling them to access confidential information, modify file contents, and change the way the system behaves. This is known as directory traversal.

For information about a specific check, click on the appropriate link below:

Manipulation of dynamic Open SQL (Open SQL Injection)

Potential manipulation of the dynamic WHERE condition - 1101

Potential manipulation of the dynamic WHERE condition of a wrapped SQL statement - 110A

Potential read performed on an illegal database table in a wrapped SELECT statement - 110B

Potential manipulation of the SET clause in the statement UPDATE - 1112

Potential read performed on invalid table columns - 1114

Potential use of illegal columns in a dynamic GROUP BY clause - 1116

Potential use of illegal columns in a dynamic HAVING clause - 1117

Potential read performed on an illegal database table in a SELECT statement - 1118

Potential read performed on an illegal database table in a modifying OpenSQL statement- 1120

Potential read performed using an invalid secondary database connection in an Open SQL statement - 1...

Potential manipulation of a dynamic WHERE condition using the parameter I_FILTER of the object servi...

Manipulation of SQL statements (Native SQL Injection)

Potential injection of harmful SQL statements or clauses in execution of DDL statements in ADBC - 11...

Potential injection of harmful SQL statements or clauses in execution of DML statements in ADBC - 1...

Potential injection of malicious SQL statements or clauses when calling an appropriate API - 11D1

Manipulation of dynamically generated ABAP code (ABAP Command Injections)

Potential injection of harmful code in the statements INSERT REPORT and GENERATE SUBROUTINE POOL - 1...

Potential injection of harmful code when the RFC-enabled function module RFC_ABAP_INSTALL_AND_RUN w...

Potential manipulation of the dynamic WHERE condition in an internal table - 1190

Potentially important programs deleted from the ABAP Repository - 1110

Replacement of potentially important programs from the ABAP Repository by the statement INSERT REPOR...

Manipulation in dynamic calls (Call Injections)

User-controlled dynamic CALL FUNCTION via RFC - 1140

User-controlled dynamic program unit call - 1141

User-controlled dynamic CALL TRANSACTION - 1142

Dynamic CALL TRANSACTION without authorization check - 114E

Dynamic CALL TRANSACTION without authorization check and without check on valid transaction names - ...

Dynamic CALL TRANSACTION without potentially incomplete authorization check - 114G

Dynamic CALL TRANSACTION without authorization check - 114H

Dynamic CALL TRANSACTION without potentially incomplete authorization check - 114I

User-controlled dynamic LEAVE TO TRANSACTION - 1143

Dynamic function module call controllable from UI or via RFC - 1144

System function call with potential user input on FIELD - 1171

Injections of operating system commands

Potential manipulation in the FILTER addition of the statement OPEN DATASET - 1106

FILTER addition of the statement OPEN DATASET used - 1107

Statement CALL “SYSTEM” used - 1170

Potential unauthorized access to directories and files (Directory Traversal)

Potential manipulation of the file name in the statement OPEN DATASET or DELETE DATASET - 1104

Potential manipulation of the file name in the method CREATE_UTF8_FILE_WITH_BOM of the class CL_ABAP...

Non-secure parameter of the function module FILE_GET_NAME used - 1126

Insufficient authorization checks or user administration bypassed

User-controlled dynamic CALL TRANSACTION - 1142

Static CALL TRANSACTION without check on authorization from the transaction editor - 114A

Static CALL TRANSACTION without check on authorization object S_TCODE - 114B

Static CALL TRANSACTION without authorization check - 114C

Static CALL TRANSACTION without authorization check in the case of restricted functions - 114D

Dynamic CALL TRANSACTION without authorization check - 114E

Dynamic CALL TRANSACTION with data flow and without authorization check - 114F

Dynamic CALL TRANSACTION with data flow, authorization check of S_TCODE - 114G

SY-SUBRC not evaluated after the statement AUTHORITY-CHECK - 1160

Return value (for example, SY-SUBRC) not evaluated after a security-relevant method was called - 11...

Return value (for example, SY-SUBRC) not evaluated after a security-relevant subroutine was called -...

Potentially security-relevant procedure without registration - 1163

Return value (for example, SY-SUBRC) not evaluated after a security-relevant local procedure was cal...

Return value (for example, SY-SUBRC) not evaluated after a security-relevant function was called - 1...

AUTHORITY-CHECK with explicitly specified user name - 1180

AUTHORITY-CHECK for SY-UNAME - 1181

Potentially missing authorization check in a report - 11A1

Potentially missing authorization check in an RFC function module - 11A2

Potentially missing authorization check in a BOR object - 11A3

The BSP application is not protected against XSRF - 11RF

Potential back doors

Hard-coded user name possibly from undeleted test code or an indication of a back door- 0821

Procedure call with hard-coded password - 11K1

Field with hard-coded password - 11K2

Field with Base64-encoded password - 11K3

Hard-coded host name sy-host, possibly from undeleted test code or an indication of a back door- 11S...

Hard-coded system ID sy-sysid, possibly from undeleted test code or an indication of a back door - 1...

Hard-coded client sy-mandt, possibly from undeleted test code or an indication of a back door- 11S3

System variable sy- compared with a hard-coded value from forgotten test code or that could indicate...

Potential back doors - 11SP

Possible attacks using Web technologies

Potential risk of cross-site scripting - 1132

Potential reflected cross-site scripting - 1134

Potentially manipulated HTML page in HTML control - 1135

Obsolete escape method - 1150

forceEncode="not specified" for htmlb:content - 1151

In tag htmlb:content an obsolete design is specified or none at all - 1152

Missing Content Check During HTTP Upload - 11F1

Potential reverse tabnabbing - 11R1

Potential unvalidated URL redirect - 11P1

The BSP application is not protected against XSRF - 11RF

Further checks

Potentially important reports deleted from the ABAP repository - 1110

Statement COMMUNICATION used - 11C1

Read performed on sensitive database table - 11G0

Write performed on sensitive database table - 11G1

Potential invalid validation using the class CL_ABAP_DYN_PRG - 11N1

Potential invalid validation (tautological value check) with class CL_ABAP_DYN_PRG - 11N3

Here is a list by check number in ascending order:

Hard-coded user name - 0821

Possible SQL injection (WHERE condition) - 1101

Possible directory traversal - 1104

Possible system command injection (addition FILTER) - 1106

Possible ABAP command injection - 1108

Possible ABAP command injection via RFC call - 1109

Potential manipulation of the dynamic WHERE condition of a wrapped SQL statement - 110A

Potential read performed on an illegal database table in a wrapped SELECT statement - 110B

Potentially important reports deleted from the ABAP repository - 1110

Replacement of potentially important programs from the ABAP Repository by the statement INSERT REPOR...

Possible SQL injection (SET clause) - 1112

Possible SQL injection (column names) - 1114

Dynamic CALL TRANSACTION without authorization check - 1114E

Possible SQL injection (GROUP BY clause) - 1116

Possible SQL injection (HAVING clause) - 1117

Possible SQL injection (table name when reading) - 1118

Possible SQL injection (table name when writing) - 1120

Potential read performed using an invalid secondary database connection in an Open SQL statement - 1...

Possible SQL injection via object services - 1122

Possible Directory Traversal via file utilities class - 1124

Potential directory traversal due to insecure parameters - 1126

Possible SQL injection via ADBC (DDL) - 1128

Possible SQL injection via ADBC (DML) - 1130

Possible cross-site scripting - 1132

Potential reflected cross-site scripting - 1134

Potentially manipulated HTML page in HTML control - 1135

User-controlled dynamic CALL FUNCTION via RFC - 1140

User-controlled dynamic program unit call - 1141

User-controlled dynamic CALL TRANSACTION - 1142

User-controlled dynamic LEAVE TO TRANSACTION - 1143

Dynamic function module call controllable from UI or via RFC - 1144

Static CALL TRANSACTION without check of authorization object from SE93 - 114A

Static CALL TRANSACTION without check of authorization object S_TCODE - 114B

Static CALL TRANSACTION without authorization check - 114C

Static CALL TRANSACTION without authorization check (restricted function) - 114D

Dynamic CALL TRANSACTION without authorization check - 114E

Dynamic CALL TRANSACTION with data flow and without authorization check - 114F

Dynamic CALL TRANSACTION with data flow, authorization check of S_TCODE - 114G

Dynamic CALL TRANSACTION without authorization check - 114H

Usage of an obsolete escaping method - 1150

forceEncode="not specified" for htmlb:content - 1151

In tag htmlb:content an obsolete design is specified or none at all - 1152

AUTHORITY-CHECK without processing or sy-subrc - 1160

Call of a security-relevant method without handling the return value - 1161

Return value (for example, SY-SUBRC) not evaluated after a security-relevant subroutine was called -...

Potentially security-relevant procedure without registration - 1163

Return value (for example, SY-SUBRC) not evaluated after a security-relevant local procedure was cal...

Call of a security-relevant function without processing sy-subrc - 1165

Call of system function CALL "SYSTEM" - 1170

System function call with potential user input on FIELD - 1171

AUTHORITY-CHECK for specified user - 1180

AUTHORITY-CHECK for SY-UNAME - 1181

The dynamic WHERE condition allows a potential code injection - 1190

Potentially missing authorization check in a Report - 11A1

Potentially missing authorization check in an RFC function module - 11A2

Use of command COMMUNICATION - 11C1

Potential SQL injection - 11D1

Missing Content Check During HTTP Upload - 11F1

Direct read access to critical database tables - 11G0

Write access to sensitive database tables - 11G1

Hard-coded password - 11K1

Field with hard-coded password - 11K2

Field with Base64-encoded password - 11K3

Invalid validation with class CL_ABAP_DYN_PRG - 11N1

Invalid validation (tautological value check) with class CL_ABAP_DYN_PRG - 11N3

Open URL redirect - 11P1

The BSP application is not protected against XSRF - 11RF

Hard-coded host name - 11S1

Hard-coded system ID - 11S2

Hard-coded client - 11S3

Comparison of a specific registered system variable with a fixed value - 11S4

Potential back doors - 11SP

Hard-coded user name - 0821

User name queries in ABAP indicate security problems. User-specific code often presents a back door for attackers.

Procedure

Check if the user name query could possibly indicate a back door. This can be the case, for example, if authorization checks are performed that depend on the user name. Remove these back doors.
Remove any user-dependent code that is not required to run the program.
Some applications cases require user-specific code. However, there is currently no method of detecting these code sections and excluding them from the checks.
The check runs in all places where the current user name (taken directly or indirectly from the system fields SY-UNAME or SYST-UNAME) is compared with a fixed value (taken directly or indirectly from a string literal). To do this, it views the logical condition of the predefined functions BOOLC or BOOLX and the following statements:

IF, ELSEIF

CASE, WHEN

CHECK

ASSERT

Some predefined user accounts delivered by SAP have special functions. Since the system must respond to these special user names in certain ways at particular times, comparisons made with these values are permitted and do not produce warnings. The following are some of the user names relevant here:

CSMREG

DDIC

EARLYWATCH

GOINGLIVE

SAP

SAP*

SAPCPIC

SAPSYS

SAPTERM

TMSADM

If the source code position in question does not have any security problems and there is no point in modifying the source code, an exemption should be requested in ATC.

Possible SQL injection (WHERE condition) - 1101

Potential manipulation of the dynamic where condition

The dynamic WHERE clause makes it possible for attackers to inject additional OR conditions that increase the volume of data selected in unexpected ways.

Procedure

First check whether it is necessary to use dynamic Open SQL. Switching to static OPEN SQL provides a full solution to the security problem. If this is not possible, the input data must be checked appropriately before being used in dynamic clauses.

The class CL_ABAP_DYN_PRG can be used to implement input checks as described in Validation by Methods of CL_ABAP_DYN_PRG. (The individual methods in the class CL_ABAP_DYN_PRG became available in different Support Packages or SAP Notes. SAP Note 1852318 provides an overview of these methods.) In the case in question, the following methods of this class are viewed as sufficient by the automated check (if the RETURNING parameter of the method in question is used in further processing):

ESCAPE_QUOTES

ESCAPE_QUOTES_STR

QUOTE

QUOTE_STR

CHECK_CHAR_LITERAL

CHECK_STRING_LITERAL

CHECK_INT_VALUE

CHECK_VARIABLE_NAME

CHECK_COLUMN_NAME

CHECK_WHITELIST_STR

CHECK_WHITELIST_TAB

Secure data sources can also be displayed using the report RSLIN_SEC_DISPLAY_BADIS.

Ranges tables in a WHERE clause are not at risk of SQL injections. However, if technical reasons require ranges tables in WHERE conditions to be converted and then used in a dynamic WHERE clause, it is best to use the function module FREE_SELECTIONS_RANGE_2_WHERE. This module is identified as a secure data source; this is not usually the case in self-programmed conversions.

SAP discourages the use of literals with backquotes (`) in Open SQL statements, even though this is allowed by the syntax. Literals of this type look like string literals in ABAP, but do not have the same attributes. Literals in Open SQL statements are passed to the database, but any blanks at the end of the literals are ignored, which is not the case in ABAP string literals. This is why the use of literals with backquotes (`) can be confusing.

Performs a local data flow analysis.

If a source code position is flagged and does not present a security problem and an input check or escape action (for example, using a method from CL_ABAP_DYN_PRG) is not appropriate, an exemption should be requested in ATC.

Possible directory traversal - 1104

Potential manipulation of the file name in the statement OPEN DATASET or DELETE DATASET

Procedure

Externally defined file names must be validated before a file is opened or deleted. This is done by the function module FILE_VALIDATE_NAME. This function module was made available with the Support Packages or correction instructions listed in SAP Note 1497003. The ABAP keyword documentation contains an example of file name validation.

Another option is to call the function module FILE_GET_NAME_AND_VALIDATE or FILE_GET_NAME. No unchecked data can be included in the parameter LOGICAL_FILENAME here. This means the automated check currently requires LOGICAL_FILENAME to be a constant. In the case of the function module FILE_GET_NAME, no unchecked data can be included in the parameters PARAMETER_1, PARAMETER_2, and PARAMETER_3 either.

The function module FILE_GET_NAME_AND_VALIDATE was made available with SAP Note 1957910.

Secure data sources can also be displayed using the report RSLIN_SEC_DISPLAY_BADIS.

A local data flow analysis is performed.

If the source code position in question does not have any security problems and there is no point in modifying the source code, an exemption should be requested in ATC.

Possible system command injection (addition FILTER) - 1106

Potential manipulation in the FILTER addition of the statement OPEN DATASET

The addition FILTER of the statement OPEN DATASET can be used to pass statements to the operating system. If this addition is filled from input data, potential attackers can inject further statements and modify the behavior of the application server in unexpected ways. These are known as system command injections.

Procedure

First check whether it is absolutely necessary to use the addition FILTER. If this is the case, an input check must be performed. The addition FILTER should not be used to send operating system commands.

If an operating system command call is absolutely necessary, however, the SAPXPG mechanism must be used. This offers increased security due to the following characteristics:

Abstraction from different operating systems

Predefined operating system commands

Stricter handling of parameters

Allows check modules (such as allow lists) to be defined

Predefined authorization check

New operating system commands must first be defined using transaction SM69. If possible, omit input values because these can also cause a security problem. The function module SXPG_CALL_SYSTEM can be used to make calls. See System Command Injections for more information.

In some cases, the class CL_ABAP_DYN_PRG can be used to perform an allow list check. Here, the following methods are sufficient for the machine check in question (if the RETURNING parameter of the method in question is used in further processing):

CHECK_WHITELIST_STR

CHECK_WHITELIST_TAB

The individual methods in the class CL_ABAP_DYN_PRG became available in different Support Packages or SAP Notes. SAP Note 1852318 provides an overview of these methods.

The escape methods of the class CL_ABAP_DYN_PRG are not suitable for operating system commands (or their parameters).

Secure data sources can also be displayed using the report RSLIN_SEC_DISPLAY_BADIS.

A local data flow analysis is performed.

If the source code position in question does not have any security problems and there is no point in modifying the source code, an exemption should be requested in ATC.

Possible ABAP command injection - 1108

Potential injection of harmful code in the statements INSERT REPORT and GENERATE SUBROUTINE POOL

The statements INSERT REPORT and GENERATE SUBROUTINE POOL are used to generate ABAP programs dynamically, which can then be executed. If user input is entered directly in the source code of these generated programs, an attacker could potentially execute any of the operations in the system. These are known as ABAP command injections.

Procedure

Dynamic generation of ABAP code always carries a high level of risk to security. First, always check whether other dynamic programming methods can be used instead. If dynamic generations are absolutely necessary, all input data must be checked separately and appropriately.

The class CL_ABAP_DYN_PRG can be used to implement input checks as described in Validation by Methods of CL_ABAP_DYN_PRG. (The individual methods in the class CL_ABAP_DYN_PRG became available in different Support Packages or SAP Notes. SAP Note 1852318 provides an overview of these methods.) In the case in question, the following methods of this class are viewed as sufficient by the automated check (if the RETURNING parameter of the method in question is used in further processing):

ESCAPE_QUOTES

ESCAPE_QUOTES_STR

QUOTE

QUOTE_STR

CHECK_CHAR_LITERAL

CHECK_STRING_LITERAL

CHECK_INT_VALUE

CHECK_VARIABLE_NAME

CHECK_COLUMN_NAME

CHECK_TABLE_OR_VIEW_NAME_STR

CHECK_TABLE_OR_VIEW_NAME_TAB

CHECK_TABLE_NAME_STR

CHECK_TABLE_NAME_TAB

CHECK_WHITELIST_STR

CHECK_WHITELIST_TAB

Checks on the merged ABAP code passed to the statements INSERT REPORT or GENERATE SUBROUTINE POOL are not feasible.

Secure data sources can also be displayed using the report RSLIN_SEC_DISPLAY_BADIS.

Performs a local data flow analysis.

If a source code position is flagged and does not present a security problem and an input check or escape action (for example, using a method from CL_ABAP_DYN_PRG) is not appropriate, an exemption should be requested in ATC.

Possible ABAP command injection via RFC Call - 1109

Potential injection of harmful code when the RFC-enabled function module RFC_ABAP_INSTALL_AND_RUN was called

Calling the RFC-enabled function module RFC_ABAP_INSTALL_AND_RUN allows dynamic ABAP programs (in remote systems) to be generated, which can then be executed. If user input is entered directly in the source code of these generated programs, an attacker could potentially execute any of the operations in the system. These are known as ABAP command injections.

Procedure

Dynamic generation of ABAP code always carries a high level of risk to security. First, always check whether other dynamic programming methods can be used instead. If dynamic generations are absolutely necessary, all input data must be checked separately and appropriately.

The class CL_ABAP_DYN_PRG can be used to implement input checks as described in Validation by Methods of CL_ABAP_DYN_PRG. (The individual methods in the class CL_ABAP_DYN_PRG became available in different Support Packages or SAP Notes. SAP Note 1852318 provides an overview of these methods.) In the case in question, the following methods of this class are viewed as sufficient by the automated check (if the RETURNING parameter of the method in question is used in further processing):

1. 1. 1. ESCAPE_QUOTES
    2. ESCAPE_QUOTES_STR
    3. QUOTE
    4. QUOTE_STR
    5. CHECK_CHAR_LITERAL
    6. CHECK_STRING_LITERAL
    7. CHECK_INT_VALUE
    8. CHECK_VARIABLE_NAME
    9. CHECK_COLUMN_NAME
    10. CHECK_TABLE_OR_VIEW_NAME_STR
    11. CHECK_TABLE_OR_VIEW_NAME_TAB
    12. CHECK_TABLE_NAME_STR
    13. CHECK_TABLE_NAME_TAB
    14. CHECK_WHITELIST_STR
    15. CHECK_WHITELIST_TAB

Checks on the merged ABAP code passed to the function module RFC_ABAP_INSTALL_AND_RUN are not feasible.

Secure data sources can also be displayed using the report RSLIN_SEC_DISPLAY_BADIS.

Performs a local data flow analysis.

If a source code position is flagged and does not present a security problem and an input check or escape action (for example, using a method from CL_ABAP_DYN_PRG) is not appropriate, an exemption should be requested in ATC.

Potential manipulation of the dynamic WHERE condition of a wrapped SQL statement 110A

Security problems can occur wherever external data (such as user input) is processed further without being checked.

In the case in question, external data is passed to a procedure (for example, the function module RFC_READ_TABLE), which itself uses the data within a dynamic clause of an OpenSQL statement. This could enable potential attackers to gain unauthorized access to the SAP database of the system by making unexpected input. This is known as an SQL injection.

The dynamic WHERE clause makes it possible for attackers to inject additional OR conditions that increase the volume of data selected in unexpected ways. If fewer than 11 characters can be injected in the dynamic WHERE clause, no meaningful attack can take place and no message appears.

If an attacker can inject at least 50 characters in the dynamic WHERE clause, they may contain a subquery enabling any number of further tables to be accessed.

Further procedures that wrap vulnerable statements can themselves be registered as vulnerable using the BAdI SLIN_BADI_VULN_PROCEDURES. All registered vulnerable procedures can be displayed using the report RSLIN_SEC_DISPLAY_VULN_PROC.

Procedure

First check whether it is necessary to use dynamic Open SQL. Switching to static OPEN SQL provides a full solution to the security problem. If this is not possible, the input data must be checked appropriately before being used in dynamic clauses.

The class CL_ABAP_DYN_PRG can be used to implement input checks as described in Validation by Methods of CL_ABAP_DYN_PRG. (The individual methods in the class CL_ABAP_DYN_PRG became available in different support packages or SAP Notes. SAP Note 1852318 provides an overview of these methods.) In the case in question, the following methods of this class are viewed as sufficient by the automated check (if the RETURNING parameter of the method in question is used in further processing instead of the original input value):

ESCAPE_QUOTES

ESCAPE_QUOTES_STR

QUOTE

QUOTE_STR

CHECK_CHAR_LITERAL

CHECK_STRING_LITERAL

CHECK_INT_VALUE

CHECK_VARIABLE_NAME

CHECK_COLUMN_NAME

CHECK_TABLE_OR_VIEW_NAME_STR

CHECK_TABLE_OR_VIEW_NAME_TAB

CHECK_TABLE_NAME_STR

CHECK_TABLE_NAME_TAB

Secure data sources can also be displayed using the report RSLIN_SEC_DISPLAY_BADIS.

Ranges tables in a WHERE clause are not at risk of SQL injections. However, if technical reasons require ranges tables in WHERE conditions to be converted and then used in a dynamic WHERE clause, it is best to use the function module FREE_SELECTIONS_RANGE_2_WHERE. This module is identified as a secure data source; this is not usually the case in self-programmed conversions.

SAP discourages the use of literals with backquotes (`) in Open SQL statements, even though this is allowed by the syntax. Literals of this type look like string literals in ABAP, but do not have the same attributes. Literals in Open SQL statements are passed to the database, but any blanks at the end of the literals are ignored, which is not the case in ABAP string literals. This is why the use of literals with backquotes (`) can be confusing.

If a source code position is flagged and does not present a security problem and an input check or escape action (for example, using a method from CL_ABAP_DYN_PRG) is not appropriate, an exemption should be requested in ATC.

How is the check done?

A local data flow analysis is performed.

Potential read performed on an illegal database table in a wrapped SELECT statement 110B

Security problems can occur wherever external data (such as user input) is processed further without being checked.

In the case in question, external data is passed to a procedure (for example, the function module RFC_READ_TABLE), which itself uses the data within a dynamic clause of an OpenSQL statement. This could enable potential attackers to gain unauthorized access to the SAP database of the system by making unexpected input. This is known as an SQL injection.

Potential attackers can specify tables dynamically and by doing this run operations on database tables other than those intended.

Further procedures that wrap vulnerable statements can themselves be registered as vulnerable using the BAdI SLIN_BADI_VULN_PROCEDURES. All registered vulnerable procedures can be displayed using the report RSLIN_SEC_DISPLAY_VULN_PROC.

Procedure

First check whether it is necessary to use dynamic Open SQL. Switching to static OPEN SQL provides a full solution to the security problem. If this is not possible, the input data must be checked appropriately before being used in dynamic clauses.

The class CL_ABAP_DYN_PRG can be used to implement input checks as described in Validation by Methods of CL_ABAP_DYN_PRG. (The individual methods in the class CL_ABAP_DYN_PRG became available in different support packages or SAP Notes. SAP Note 1852318 provides an overview of these methods.) In the case in question, the following methods of this class are viewed as sufficient by the automated check (if the RETURNING parameter of the method in question is used in further processing instead of the original input value):

CHECK_TABLE_OR_VIEW_NAME_STR

CHECK_TABLE_OR_VIEW_NAME_TAB

CHECK_TABLE_NAME_STR

CHECK_TABLE_NAME_TAB

CHECK_WHITELIST_STR

CHECK_WHITELIST_TAB

Secure data sources can also be displayed using the report RSLIN_SEC_DISPLAY_BADIS.

If the source code position in question does not have any security problems and there is no point in modifying the source code, an exemption should be requested in ATC.

How is the check done?

A local data flow analysis is performed.

FILTER addition of the statement OPEN DATASET used 1107

The addition FILTER of the statement OPEN DATASET can be used to pass commands to the operating system. For security reasons, this addition can no longer be used.

Procedure

Do not use the addition FILTER.
If an operating system command call is absolutely necessary, however, the SAPXPG mechanism must be used. This offers increased security due to the following characteristics:

Abstraction from different operating systems

Predefined operating system commands

Stricter handling of parameters

Permits the definition of check modules, for example for checking for valid values

Predefined authorization check

New operating system commands must first be defined using transaction SM69. If possible, omit input values because these can also cause a security problem. The function module SXPG_CALL_SYSTEM can be used to make calls. See System Command Injections for more information.
If the source code position in question does not have any security problems and there is no point in modifying the source code, an exemption should be requested in ATC.

How is the check done?

All uses of the addition FILTER of the statement OPEN DATASET are reported.

Potentially important reports deleted from the ABAP repository 1110

Potentially important reports deleted from the ABAP repository

Security problems can occur wherever external data (such as user input) is processed further without being checked.
The statement DELETE REPORT or the function module RS_DELETE_PROGRAM and various other procedures can be used to delete or overwrite programs from the ABAP repository. If the name of the deleted or overwritten program is derived from user input, an attacker can potentially delete or overwrite ABAP programs required by the application or the system and hence impair system functions.

Procedure

If at all possible, the names of deleted or overwritten programs should not be derived from user input for security reasons. If this is absolutely necessary, the input data must be checked first accordingly.
The class CL_ABAP_DYN_PRG can be used to implement input checks as described in Validation by Methods of CL_ABAP_DYN_PRG. (The individual methods in the class CL_ABAP_DYN_PRG became available in different Support Packages or SAP Notes. SAP Note 1852318 provides an overview of these methods.) In the case in question, the following methods of this class are viewed as sufficient by the automated check (if the RETURNING parameter of the method in question is used in further processing):

1. CHECK_WHITELIST_STR

2. CHECK_WHITELIST_TAB

Secure data sources can also be displayed using the report RSLIN_SEC_DISPLAY_BADIS.
Performs a local data flow analysis.
If a source code position is flagged and does not present a security problem and an input check or escape action (for example, using a method from CL_ABAP_DYN_PRG) is not appropriate, an exemption should be requested in ATC.

How is the check done?

All those DELETE REPORT statements are checked where it is not possible to know statically that only the inactive version of a program is deleted using the addition STATE = 'I'. Furthermore, calls of the function module RS_DELETE_PROGRAM are checked, plus a range of other procedures that delete or overwrite programs.
A local data flow analysis is performed.

Replacement of potentially important reports deleted from the ABAP repository by the statement INSERT REPORT 1111

Security problems can occur wherever external data (such as user input) is processed further without being checked.
The statement INSERT REPORT can be used to overwrite programs from the ABAP repository. If the name of the overwritten program is derived from user input, an attacker can potentially overwrite ABAP programs required by the application or the system and hence impair system functions.

Procedure

If at all possible, the names of overwritten programs should not be derived from user input for security reasons. If this is absolutely necessary, the input data must be verified using suitable checks first.
The class CL_ABAP_DYN_PRG can be used to implement input checks as described in Validation by Methods of CL_ABAP_DYN_PRG. (The individual methods in the class CL_ABAP_DYN_PRG became available in different support packages or SAP Notes. SAP Note 1852318 provides an overview of these methods.) In the case in question, the following methods of this class are viewed as sufficient by the automated check (if the RETURNING parameter of the method in question is used in further processing instead of the original input value):

1. CHECK_WHITELIST_STR

2. CHECK_WHITELIST_TAB

Secure data sources can also be displayed using the report RSLIN_SEC_DISPLAY_BADIS.
Performs a local data flow analysis.
If the source code position in question does not have any security problems and there is no point in modifying the source code, an exemption should be requested in ATC.

How is the check done?

For all INSERT REPORT statements, the system checks whether the specified program name contains dynamic parts that are taken from external data without being checked.
A local data flow analysis is performed.

Possible SQL injection (SET clause) 1112

Potential manipulation of the SET clause in the statement UPDATE

Potential attackers can use the dynamic SET clause to inject additional modifying expressions into the statement UPDATE, and so make unexpected database changes.

Procedure

First check whether it is necessary to use dynamic Open SQL. Switching to static OPEN SQL provides a full solution to the security problem. If this is not possible, the input data must be checked appropriately before being used in dynamic clauses.

The class CL_ABAP_DYN_PRG can be used to implement input checks as described in Validation by Methods of CL_ABAP_DYN_PRG. (The individual methods in the class CL_ABAP_DYN_PRG became available in different Support Packages or SAP Notes. SAP Note 1852318 provides an overview of these methods.) In the case in question, the following methods of this class are viewed as sufficient by the automated check (if the RETURNING parameter of the method in question is used in further processing):

1. 1. 1. ESCAPE_QUOTES
    2. ESCAPE_QUOTES_STR
    3. QUOTE
    4. QUOTE_STR
    5. CHECK_CHAR_LITERAL
    6. CHECK_STRING_LITERAL
    7. CHECK_INT_VALUE
    8. CHECK_VARIABLE_NAME
    9. CHECK_COLUMN_NAME
    10. CHECK_WHITELIST_STR
    11. CHECK_WHITELIST_TAB

Secure data sources can also be displayed using the report RSLIN_SEC_DISPLAY_BADIS.

SAP discourages the use of literals with backquotes (`) in Open SQL statements, even though this is allowed by the syntax. Literals of this type look like string literals in ABAP, but do not have the same attributes. Literals in Open SQL statements are passed to the database, but any blanks at the end of the literals are ignored, which is not the case in ABAP string literals. This is why the use of literals with backquotes (`) can be confusing.

Performs a local data flow analysis.

If a source code position is flagged and does not present a security problem and an input check or escape action (for example, using a method from CL_ABAP_DYN_PRG) is not appropriate, an exemption should be requested in ATC.

Possible SQL injection (column names) 1114

Potential read performed on invalid table columns

An attacker may be able to access forbidden columns by specifying the selected columns dynamically. Furthermore, in certain contexts (in INTO CORRESPONDING FIELDS) the attacker could attempt to manipulate the application by renaming columns ("COL1 AS COL2").

Procedure

First check whether it is necessary to use dynamic Open SQL. Switching to static OPEN SQL provides a full solution to the security problem. If this is not possible, the input data must be checked appropriately before being used in dynamic clauses.

If table columns exist that must not be read in the context in question, an allow list check is a good idea (see below). In other case, this message is a false alarm.

The class CL_ABAP_DYN_PRG can be used to implement input checks as described in Validation by Methods of CL_ABAP_DYN_PRG. (The individual methods in the class CL_ABAP_DYN_PRG became available in different Support Packages or SAP Notes. SAP Note 1852318 provides an overview of these methods.) In the case in question, the following methods of this class are viewed as sufficient by the automated check (if the RETURNING parameter of the method in question is used in further processing):

1. 1. 1. CHECK_WHITELIST_STR
    2. CHECK_WHITELIST_TAB

Secure data sources can also be displayed using the report RSLIN_SEC_DISPLAY_BADIS.

Performs a local data flow analysis.

If a source code position is flagged and does not present a security problem and an input check or escape action (for example, using a method from CL_ABAP_DYN_PRG) is not appropriate, an exemption should be requested in ATC.

Dynamic CALL TRANSACTION without authorization check 1114E

What is checked?

When a transaction is started from the user interface or by executing the ABAP statement LEAVE TO TRANSACTION, an authorization check is performed automatically. The check is always made using the authorization object S_TCODE. In the transaction code editor (transaction SE93), developers can specify an authorization object with authorization values. If an entry of this type is found, the authorization specified there is checked.
These authorization checks are not usually made when the ABAP statement CALL TRANSACTION is executed. The developer of the program in question must decide whether the transaction start authorization is checked.
In the dynamic CALL TRANSACTION in question, none of the authorization checks above were found in the source code. This could present a security risk.
A check on valid transaction names restricts the set of potential transactions called, which means that the security risk is already reduced. Depending on the context, this restriction may be enough.

Procedure

If the authorization checks are missing by accident, they can implemented in full by simply calling the function module AUTHORITY_CHECK_TCODE . From SAP_BASIS 7.40 SP 02, the addition WITH AUTHORITY-CHECK in CALL TRANSACTION can also be used to do this. It works in the same way as the function module call. Both methods check the authorization object S_TCODE and the authorization from the transaction editor (SE93). However, it should be noted that the table TCDCOUPLES is respected for the function module AUTHORITY_CHECK_TCODE.
In a few situations, it is intentional that no authorizations are checked in CALL TRANSACTION (or only the authorization for the authorization S_TCODE). In these cases, the addition WITHOUT AUTHORITY-CHECK can be used in CALL TRANSACTION from SAP_BASIS 7.40 SP 02. In systems with older releases, the message must be suppressed using an exemption. In dynamic CALL TRANSACTIONS, it is only acceptable to skip the authorization check if the set of callable transactions is restricted (usually by using a check on valid values).
SAP recommends that the entries in the table TCDCOUPLES (transaction SE97) are no longer used to control the behavior.
If the source code position in question does not have any security problems and there is no point in modifying the source code, an exemption should be requested in ATC.

How is the check done?

For each dynamic CALL TRANSACTION, a search is made for the a suitable call of the function module AUTHORITY_CHECK_TCODE within the same procedure (event, method, function, form routine). In called procedures, a search is also performed for these authorization checks up to a restricted nesting depth. The message is displayed if none of the authorization checks above are found.

Dynamic CALL TRANSACTION without authorization check and without check on valid transaction names 1114F

What is checked?

Security problems can occur wherever external data (such as user input) is processed further without being checked.
In the case in question, external data is used within a dynamic transaction call. This enables potential attackers to call unexpected transactions by making unexpected input, and thereby illegally modify the running of the program.
When a transaction is started from the user interface or by executing the ABAP statement LEAVE TO TRANSACTION, an authorization check is performed automatically. The check is always made using the authorization object S_TCODE. In the transaction code editor (transaction SE93), developers can specify an authorization object with authorization values. If an entry of this type is found, the authorization specified there is checked.
These authorization checks are not usually made when the ABAP statement CALL TRANSACTION is executed. The developer of the program in question must decide whether the transaction start authorization is checked.
In this dynamic CALL TRANSACTION, the potential influence of the user input on the called transaction was identified and, additionally, none of the authorization checks mentioned above were found in the source code. This could present a security risk.

Procedure

Both the authorization check aspect and the aspect of dynamics in the name of the called transaction must be considered. In most situations, an authorization check is the best choice for removing the security problem.
Authorization Check
If the authorization checks are missing by accident, they can implemented in full by simply calling the function module AUTHORITY_CHECK_TCODE . From SAP_BASIS 7.40 SP 02, the addition WITH AUTHORITY-CHECK in CALL TRANSACTION can also be used to do this. It works in the same way as the function module call. Both methods check the authorization object S_TCODE and the authorization from the transaction editor (SE93). However, it should be noted that the table TCDCOUPLES is respected for the function module AUTHORITY_CHECK_TCODE.
In a few situations, it is intentional that no authorizations are checked in CALL TRANSACTION (or only the authorization for the authorization S_TCODE). In these cases, the addition WITHOUT AUTHORITY-CHECK can be used in CALL TRANSACTION from SAP_BASIS 7.40 SP 02. In systems with older releases, the message must be suppressed using an exemption. In dynamic CALL TRANSACTIONS, it is only acceptable to skip the authorization check if the set of callable transactions is restricted (usually by using a check on valid values).
SAP recommends that the entries in the table TCDCOUPLES (transaction SE97) are no longer used to control the behavior.

Possible SQL injection (GROUP BY clause) 1116

Potential use of illegal columns in a dynamic GROUP BY clause

Potential attackers can use the dynamic GROUP BY clause to modify the selection in unexpected ways.

Procedure

First check whether it is necessary to use dynamic Open SQL. Switching to static OPEN SQL provides a full solution to the security problem. If this is not possible, the input data must be checked appropriately before being used in dynamic clauses.

The class CL_ABAP_DYN_PRG can be used to implement input checks as described in Validation by Methods of CL_ABAP_DYN_PRG. (The individual methods in the class CL_ABAP_DYN_PRG became available in different Support Packages or SAP Notes. SAP Note 1852318 provides an overview of these methods.) In the case in question, the following methods of this class are viewed as sufficient by the automated check (if the RETURNING parameter of the method in question is used in further processing):

1. 1. 1. CHECK_COLUMN_NAME
    2. CHECK_WHITELIST_STR
    3. CHECK_WHITELIST_TAB

Secure data sources can also be displayed using the report RSLIN_SEC_DISPLAY_BADIS.

Performs a local data flow analysis.

If a source code position is flagged and does not present a security problem and an input check or escape action (for example, using a method from CL_ABAP_DYN_PRG) is not appropriate, an exemption should be requested in ATC.

Possible SQL injection (HAVING clause) - 1117

Potential use of illegal columns in a dynamic HAVING clause

Potential attackers can use the dynamic HAVING clause to modify the selection in unexpected ways.

Procedure

First check whether it is necessary to use dynamic Open SQL. Switching to static OPEN SQL provides a full solution to the security problem. If this is not possible, the input data must be checked appropriately before being used in dynamic clauses.

The class CL_ABAP_DYN_PRG can be used to implement input checks as described in Validation by Methods of CL_ABAP_DYN_PRG. (The individual methods in the class CL_ABAP_DYN_PRG became available in different Support Packages or SAP Notes. SAP Note 1852318 provides an overview of these methods.) In the case in question, the following methods of this class are viewed as sufficient by the automated check (if the RETURNING parameter of the method in question is used in further processing):

1. 1. 1. ESCAPE_QUOTES
    2. ESCAPE_QUOTES_STR
    3. QUOTE
    4. QUOTE_STR
    5. CHECK_CHAR_LITERAL
    6. CHECK_STRING_LITERAL
    7. CHECK_INT_VALUE
    8. CHECK_VARIABLE_NAME
    9. CHECK_COLUMN_NAME
    10. CHECK_WHITELIST_STR
    11. CHECK_WHITELIST_TAB

Secure data sources can also be displayed using the report RSLIN_SEC_DISPLAY_BADIS.

SAP discourages the use of literals with backquotes (`) in Open SQL statements, even though this is allowed by the syntax. Literals of this type look like string literals in ABAP, but do not have the same attributes. Literals in Open SQL statements are passed to the database, but any blanks at the end of the literals are ignored, which is not the case in ABAP string literals. This is why the use of literals with backquotes (`) can be confusing.

Performs a local data flow analysis.

If a source code position is flagged and does not present a security problem and an input check or escape action (for example, using a method from CL_ABAP_DYN_PRG) is not appropriate, an exemption should be requested in ATC.

Possible SQL injection (table name when reading) - 1118

Potential read performed on an illegal database table in a SELECT statement

Potential attackers can specify tables dynamically and by doing this run operations on database tables other than those intended.

Procedure

First check whether it is necessary to use dynamic Open SQL. Switching to static OPEN SQL provides a full solution to the security problem. If this is not possible, the input data must be checked appropriately before being used in dynamic clauses.

The class CL_ABAP_DYN_PRG can be used to implement input checks as described in Validation by Methods of CL_ABAP_DYN_PRG. (The individual methods in the class CL_ABAP_DYN_PRG became available in different Support Packages or SAP Notes. SAP Note 1852318 provides an overview of these methods.) In the case in question, the following methods of this class are viewed as sufficient by the automated check (if the RETURNING parameter of the method in question is used in further processing):

1. 1. 1. CHECK_TABLE_OR_VIEW_NAME_STR
    2. CHECK_TABLE_OR_VIEW_NAME_TAB
    3. CHECK_TABLE_NAME_STR
    4. CHECK_TABLE_NAME_TAB
    5. CHECK_WHITELIST_STR
    6. CHECK_WHITELIST_TAB

Secure data sources can also be displayed using the report RSLIN_SEC_DISPLAY_BADIS.

Performs a local data flow analysis.

If a source code position is flagged and does not present a security problem and an input check or escape action (for example, using a method from CL_ABAP_DYN_PRG) is not appropriate, an exemption should be requested in ATC.

Possible SQL injection (table name when writing) - 1120

Potential read performed on an illegal database table in a modifying OpenSQL statement

Potential attackers can specify tables dynamically and by doing this run operations on database tables other than those intended.

Procedure

First check whether it is necessary to use dynamic Open SQL. Switching to static OPEN SQL provides a full solution to the security problem. If this is not possible, the input data must be checked appropriately before being used in dynamic clauses.

The class CL_ABAP_DYN_PRG can be used to implement input checks as described in Validation by Methods of CL_ABAP_DYN_PRG. (The individual methods in the class CL_ABAP_DYN_PRG became available in different Support Packages or SAP Notes. SAP Note 1852318 provides an overview of these methods.) In the case in question, the following methods of this class are viewed as sufficient by the automated check (if the RETURNING parameter of the method in question is used in further processing):

1. 1. 1. CHECK_TABLE_OR_VIEW_NAME_STR
    2. CHECK_TABLE_OR_VIEW_NAME_TAB
    3. CHECK_TABLE_NAME_STR
    4. CHECK_TABLE_NAME_TAB
    5. CHECK_WHITELIST_STR
    6. CHECK_WHITELIST_TAB

Secure data sources can also be displayed using the report RSLIN_SEC_DISPLAY_BADIS.

Performs a local data flow analysis.

If a source code position is flagged and does not present a security problem and an input check or escape action (for example, using a method from CL_ABAP_DYN_PRG) is not appropriate, an exemption should be requested in ATC.

Potential read performed using an invalid secondary database connection in an Open SQL statement - 1121

Security problems can occur wherever external data (such as user input) is processed further without being checked.
Here, external data is used within a dynamic clause of an OPEN SQL statement. This could enable potential attackers to gain unauthorized access to the SAP database of the system by making unexpected input. This is known as an SQL injection.
Attackers can potentially use dynamically specified connections to execute operations using a secondary database connection.

Procedure

First check whether it is necessary to use dynamic Open SQL. Switching to static OPEN SQL provides a full solution to the security problem. If this is not possible, the input data must be checked appropriately before being used in dynamic clauses.

CHECK_WHITELIST_STR

CHECK_WHITELIST_TAB

Secure data sources can also be displayed using the report RSLIN_SEC_DISPLAY_BADIS.
If the source code position in question does not have any security problems and there is no point in modifying the source code, an exemption should be requested in ATC.
A local data flow analysis is performed.

Possible SQL injection via object services - 1122

Potential manipulation of a dynamic WHERE condition using the parameter I_FILTER of the object services method CREATE_QUERY

In the present case, external data is passed to the method CREATE_QUERY of an object services class. This class handles the data like a dynamic WHERE clause. This makes it possible for attackers to inject additional OR conditions that increase the volume of data selected in unexpected ways. This is known as an SQL injection.

Procedure

The input values for the parameter I_FILTER of the object services method CREATE_QUERY must be made subject to an input check.

The class CL_ABAP_DYN_PRG can be used to implement input checks as described in Validation by Methods of CL_ABAP_DYN_PRG. (The individual methods in the class CL_ABAP_DYN_PRG became available in different Support Packages or SAP Notes. SAP Note 1852318 provides an overview of these methods.) In the case in question, the following methods of this class are viewed as sufficient by the automated check (if the RETURNING parameter of the method in question is used in further processing):

1. 1. 1. ESCAPE_QUOTES
    2. ESCAPE_QUOTES_STR
    3. QUOTE
    4. QUOTE_STR
    5. CHECK_CHAR_LITERAL
    6. CHECK_STRING_LITERAL
    7. CHECK_INT_VALUE
    8. CHECK_VARIABLE_NAME
    9. CHECK_COLUMN_NAME
    10. CHECK_WHITELIST_STR
    11. CHECK_WHITELIST_TAB

Furthermore, the function module FREE_SELECTIONS_RANGE_2_WHERE is also accepted as a suitable input check.

Secure data sources can also be displayed using the report RSLIN_SEC_DISPLAY_BADIS.

SAP discourages the use of literals with backquotes (`) in Open SQL statements, even though this is allowed by the syntax. Literals of this type look like string literals in ABAP, but do not have the same attributes. Literals in Open SQL statements are passed to the database, but any blanks at the end of the literals are ignored, which is not the case in ABAP string literals. This is why the use of literals with backquotes (`) can be confusing.

Performs a local data flow analysis.

If a source code position is flagged and does not present a security problem and an input check or escape action (for example, using a method from CL_ABAP_DYN_PRG) is not appropriate, an exemption should be requested in ATC.

Possible Directory Traversal via file utilities class - 1124

Potential manipulation of the file name in the method CREATE_UTF8_FILE_WITH_BOM of the class CL_ABAP_FILE_UTILITIES

Procedure

Externally defined file names must be validated before a file is opened or deleted. This is done by the function module FILE_VALIDATE_NAME. This function module was made available with the Support Packages or correction instructions listed in SAP Note 1497003. The ABAP keyword documentation contains an example of file name validation.

Another option is to call the function module FILE_GET_NAME_AND_VALIDATE or FILE_GET_NAME. No unchecked data can be included in the parameter LOGICAL_FILENAME here. This means the automated check currently requires LOGICAL_FILENAME to be a constant. In the case of the function module FILE_GET_NAME, no unchecked data can be included in the parameters PARAMETER_1, PARAMETER_2, and PARAMETER_3 either.

The function module FILE_GET_NAME_AND_VALIDATE was made available with SAP Note 1957910.

Secure data sources can also be displayed using the report RSLIN_SEC_DISPLAY_BADIS.

A local data flow analysis is performed.

If the source code position in question does not have any security problems and there is no point in modifying the source code, an exemption should be requested in ATC.

Potential directory traversal due to insecure parameters - 1126

Non-secure parameter of the function module FILE_GET_NAME used

In this case, the external data is passed to the non-secure parameters of function module FILE_GET_NAME. If this data is part of the file name, users might be able to access data for which they have no authorization and read or even overwrite this data. This is also known as directory traversal.

Procedure

It is advisable to use the function module FILE_GET_NAME_AND_VALIDATE. This function module was made available with SAP Note 1957910.

If the function module FILE_GET_NAME still needs to be used:

In some cases, the class CL_ABAP_DYN_PRG can be used to perform an allow list check. Here, the following methods are sufficient for the machine check in question (if the RETURNING parameter of the method in question is used in further processing):

1. 1. 1. CHECK_WHITELIST_STR
    2. CHECK_WHITELIST_TAB

The individual methods in the class CL_ABAP_DYN_PRG became available in different Support Packages or SAP Notes. SAP Note 1852318 provides an overview of these methods.

Secure data sources can also be displayed using the report RSLIN_SEC_DISPLAY_BADIS.

A local data flow analysis is performed. Here the parameters PARAMETER_1, PARAMETER_2, PARAMETER_3 of the function module FILE_GET_NAME are regarded as critical.

If the source code position in question does not have any security problems and there is no point in modifying the source code, an exemption should be requested in ATC.

Possible SQL injection via ADBC (DDL) - 1128

Potential injection of harmful SQL statements or clauses in execution of DDL statements in ADBC

In the present case, external data is injected into an SQL statement that is passed for execution by the ADBC API of the database. This could enable potential attackers to gain unauthorized access to the SAP database of the system by making unexpected input. This is known as an SQL injection.

Unlike using Open SQL with dynamic clauses, ADBC is used to specify complete SQL statements. This increases the level of risk.

Procedure

First check whether it is necessary to use dynamic ADBC. Switching to static OPEN SQL provides a full solution to the security problem. If this is not possible, consider a switch to dynamic Open SQL. This reduces the opportunities for attacks considerably.

If it is absolutely essential that you use ADBC, make sure that no user input is entered directly into the SQL statement. Use ? placeholders for dynamic components of the statement. The relevant ABAP data objects can then be connected to these placeholders by using the method SET_PARAM of class CL_SQL_STATEMENT.

In exceptional cases, it may still be necessary to create the SQL statement based on user entries. These entries must be thoroughly checked beforehand.

The class CL_ABAP_DYN_PRG can be used to implement input checks as described in Validation by Methods of CL_ABAP_DYN_PRG. (The individual methods in the class CL_ABAP_DYN_PRG became available in different Support Packages or SAP Notes. SAP Note 1852318 provides an overview of these methods.) In the case in question, the following methods of this class are viewed as sufficient by the automated check (if the RETURNING parameter of the method in question is used in further processing):

1. 1. 1. CHECK_WHITELIST_STR
    2. CHECK_WHITELIST_TAB

Secure data sources can also be displayed using the report RSLIN_SEC_DISPLAY_BADIS.

Performs a local data flow analysis.

If a source code position is flagged and does not present a security problem and an input check or escape action (for example, using a method from CL_ABAP_DYN_PRG) is not appropriate, an exemption should be requested in ATC.

Possible SQL injection via ADBC (DML) - 1130

Potential injection of harmful SQL statements of clauses in execution of DML statements in ADBC

In the present case, external data is injected into an SQL statement that is passed for execution by the ADBC API of the database. This could enable potential attackers to gain unauthorized access to the SAP database of the system by making unexpected input. This is known as an SQL injection.

Unlike using Open SQL with dynamic clauses, ADBC is used to specify complete SQL statements. This increases the level of risk.

Procedure

First check whether it is necessary to use dynamic ADBC. Switching to static OPEN SQL provides a full solution to the security problem. If this is not possible, consider a switch to dynamic Open SQL. This reduces the opportunities for attacks considerably.

If it is absolutely essential that you use ADBC, make sure that no user input is entered directly into the SQL statement. Use ? placeholders for dynamic components of the statement. The relevant ABAP data objects can then be connected to these placeholders by using the method SET_PARAM of class CL_SQL_STATEMENT.

In exceptional cases, it may still be necessary to create the SQL statement based on user entries. These entries must be thoroughly checked beforehand.

The class CL_ABAP_DYN_PRG can be used to implement input checks as described in Validation by Methods of CL_ABAP_DYN_PRG. (The individual methods in the class CL_ABAP_DYN_PRG became available in different Support Packages or SAP Notes. SAP Note 1852318 provides an overview of these methods.) In the case in question, the following methods of this class are viewed as sufficient by the automated check (if the RETURNING parameter of the method in question is used in further processing):

1. 1. 1. ESCAPE_QUOTES
    2. QUOTE
    3. CHECK_CHAR_LITERAL
    4. CHECK_INT_VALUE
    5. CHECK_VARIABLE_NAME
    6. CHECK_COLUMN_NAME
    7. CHECK_TABLE_OR_VIEW_NAME_STR
    8. CHECK_TABLE_OR_VIEW_NAME_TAB
    9. CHECK_TABLE_NAME_STR
    10. CHECK_TABLE_NAME_TAB
    11. CHECK_WHITELIST_STR
    12. CHECK_WHITELIST_TAB

Secure data sources can also be displayed using the report RSLIN_SEC_DISPLAY_BADIS.

Performs a local data flow analysis.

If a source code position is flagged and does not present a security problem and an input check or escape action (for example, using a method from CL_ABAP_DYN_PRG) is not appropriate, an exemption should be requested in ATC.

Possible cross-site scripting - 1132

Potential risk of cross-site scripting

In the case in question, external data is used without encoding to generate a dynamic HTML page and then forwarded to the browser. This makes it possible for an attacker to send unwanted scripts to the browser of the victim (using unwanted input) and execute malicious code there. In this case, this is known as reflected cross-site scripting (XSS).

Procedure

The first check should verify whether modern Web frameworks can be used with automatic XSS protection, for example Web Dynpro or BSP with HTMLB extension, where encoding is activated globally (using the attribute forceEncode="ENABLED" of the HTMLB:CONTENT tag). If this is not possible, the external data must be encoded before being used in the dynamic HTML page.

For BSP pages, global encoding can be set using the global page attribute forceEncode:

<%@page language="abap" forceEncode="html|url|javascript|css"%>

If necessary, global encoding can be overwritten by local encoding:

1. 1. - <%html=.........%> - HTML encoding
    - <%url=..........%> - URL encoding for parameter names or parameter values of URLs
    - <%javascript=...%> - JavaScript encoding
    - <%css=..........%> - CSS encoding
    - <%raw=..........%> - No encoding

More information can be found in SAP Note 887168.

An encoding API should be used for generic Web applications. From Release SAP_BASIS 731, the built-in function ESCAPE:

1. 1. - out = escape(val = val format = cl_abap_format=>e_xss_ml)
    - out = escape(val = val format = cl_abap_format=>e_xss_js)
    - out = escape(val = val format = cl_abap_format=>e_xss_url)
    - out = escape(val = val format = cl_abap_format=>e_xss_css)

In lower releases, methods of the class CL_ABAP_DYN_PRG:

1. 1. - CL_ABAP_DYN_PRG=>ESCAPE_XSS_XML_HTML
    - CL_ABAP_DYN_PRG=>ESCAPE_XSS_JAVASCRIPT
    - CL_ABAP_DYN_PRG=>ESCAPE_XSS_CSS
    - CL_ABAP_DYN_PRG=>ESCAPE_XSS_URL

The individual methods in the class CL_ABAP_DYN_PRG became available in different Support Packages or SAP Notes. SAP Note 1852318 provides an overview of these methods.

For more information, see "XSS Secure Programming Guide". SAP Note 1714836.

Secure data sources can also be displayed using the report RSLIN_SEC_DISPLAY_BADIS.

Performs a local data flow analysis.

If a source code position is flagged and does not present a security problem and an input check or escape action (for example, using a method from CL_ABAP_DYN_PRG) is not appropriate, an exemption should be requested in ATC.

Potential reflected cross-site scripting - 1134

Potential reflected cross-site scripting

In the case in question, external data from a HTTP request (such as URL parameters and HTML form fields) are used without encoding to generate a dynamic HTML page and then forwarded to the browser. This makes it possible for an attacker to send unwanted scripts to the browser of the victim (using unwanted input) and execute malicious code there. In this case, this is known as reflected cross-site scripting (XSS).

Procedure

The first check should verify whether modern Web frameworks can be used with automatic XSS protection, for example Web Dynpro or BSP with HTMLB extension, where encoding is activated globally (using the attribute forceEncode="ENABLED" of the HTMLB:CONTENT tag). If this is not possible, the external data must be encoded before being used in the dynamic HTML page.

For BSP pages, global encoding can be set using the global page attribute forceEncode:

<%@page language="abap" forceEncode="html|url|javascript|css"%>

If necessary, global encoding can be overwritten by local encoding:

1. 1. - <%html=.........%> - HTML encoding
    - <%url=..........%> - URL encoding for parameter names or parameter values of URLs
    - <%javascript=...%> - JavaScript encoding
    - <%css=..........%> - CSS encoding
    - <%raw=..........%> - No encoding

More information can be found in SAP Note 887168.

An encoding API should be used for generic Web applications. From Release SAP_BASIS 731, the built-in function ESCAPE:

1. 1. - out = escape(val = val format = cl_abap_format=>e_xss_ml)
    - out = escape(val = val format = cl_abap_format=>e_xss_js)
    - out = escape(val = val format = cl_abap_format=>e_xss_url)
    - out = escape(val = val format = cl_abap_format=>e_xss_css)

In lower releases, methods of the class CL_ABAP_DYN_PRG:

1. 1. - CL_ABAP_DYN_PRG=>ESCAPE_XSS_XML_HTML
    - CL_ABAP_DYN_PRG=>ESCAPE_XSS_JAVASCRIPT
    - CL_ABAP_DYN_PRG=>ESCAPE_XSS_CSS
    - CL_ABAP_DYN_PRG=>ESCAPE_XSS_URL

The individual methods in the class CL_ABAP_DYN_PRG became available in different Support Packages or SAP Notes. SAP Note 1852318 provides an overview of these methods.

For more information, see "XSS Secure Programming Guide". SAP Note 1714836.

Secure data sources can also be displayed using the report RSLIN_SEC_DISPLAY_BADIS.

Performs a local data flow analysis.

If a source code position is flagged and does not present a security problem and an input check or escape action (for example, using a method from CL_ABAP_DYN_PRG) is not appropriate, an exemption should be requested in ATC.

Potentially manipulated HTML page in HTML control - 1135

Security problems can occur wherever external data (such as user input) is processed further without being checked.
In some cases, external data is used without encoding to generate a dynamic HTML page and then sent to the front end (browser). This makes it possible for an attacker to send unwanted scripts to the front end (browser) of the victim (using unwanted input) and execute malicious code there. In this case, this is known as cross-site scripting (XSS).
In the case in question, it is possible that a manipulated HTML page was sent to a HTML control (CL_GUI_HTML_VIEWER).

Procedure

The first check should verify whether modern Web frameworks can be used with automatic XSS protection, for example Web Dynpro or BSP with HTMLB extension, where encoding is activated globally (using the attribute forceEncode="ENABLED" of the HTMLB:CONTENT tag). If this is not possible, the external data must be encoded before being used in the dynamic HTML page.
For BSP pages, global encoding can be set using the global page attribute forceEncode:

<%@page language="abap" forceEncode="html|url|javascript|css"%>

If necessary, global encoding can be overwritten by local encoding:

<%html=.........%> - HTML encoding

<%url=..........%> - URL encoding for parameter names or parameter values of URLs

<%javascript=...%> - JavaScript encoding

<%css=..........%> - CSS encoding

<%raw=..........%> - No encoding

More information can be found in SAP Note 887168.

An encoding API should be used for generic Web applications. From Release SAP_BASIS 731, the built-in function ESCAPE:

out = escape(val = val format = cl_abap_format=>e_xss_ml)

out = escape(val = val format = cl_abap_format=>e_xss_js)

out = escape(val = val format = cl_abap_format=>e_xss_url)

out = escape(val = val format = cl_abap_format=>e_xss_css)

In lower releases, methods of the class CL_ABAP_DYN_PRG:

CL_ABAP_DYN_PRG=>ESCAPE_XSS_XML_HTML

CL_ABAP_DYN_PRG=>ESCAPE_XSS_JAVASCRIPT

CL_ABAP_DYN_PRG=>ESCAPE_XSS_CSS

CL_ABAP_DYN_PRG=>ESCAPE_XSS_URL

The individual methods in the class CL_ABAP_DYN_PRG became available in different support packages or SAP Notes. SAP Note 1852318 provides an overview of these methods.

For more information, see "XSS Secure Programming Guide", SAP Note 1714836.

Internal SAP link: https://wiki.wdf.sap.corp/wiki/display/NWCUIAMSIM/XSS+Secure+Programming+Guide

Secure data sources can also be displayed using the report RSLIN_SEC_DISPLAY_BADIS.

If the source code position in question does not have any security problems and there is no point in modifying the source code, an exemption should be requested in ATC.

How is the check done?

INCLUDE CHAPBC_SLINSEC_DATAFLOW OBJECT DOKU ID HY

User-controlled dynamic CALL FUNCTION via RFC - 1140

Potential call of invalid function module using RFC

In the case in question, external data is used as the name of a function modules that is called using RFC. An attacker might be able to call forbidden function modules in other systems by entering unexpected data in this location. The problem is made worse because function parameters with incorrect names at runtime are ignored in this case and character-like parameters with incorrect lengths are truncated if necessary. This is also the case if 'NONE' was specified as DESTINATION.

Procedure

First check whether it is necessary to use dynamic procedure calls. Switching to static calls provides a full solution to the security problem presented here. If this is not possible, the input data must be checked accordingly before being used as function module names.

The class CL_ABAP_DYN_PRG can be used to implement input checks as described in Validation by Methods of CL_ABAP_DYN_PRG. (The individual methods in the class CL_ABAP_DYN_PRG became available in different Support Packages or SAP Notes. SAP Note 1852318 provides an overview of these methods.) In the case in question, the following methods of this class are viewed as sufficient by the automated check (if the RETURNING parameter of the method in question is used in further processing):

1. 1. 1. CHECK_WHITELIST_STR
    2. CHECK_WHITELIST_TAB

Secure data sources can also be displayed using the report RSLIN_SEC_DISPLAY_BADIS.

Performs a local data flow analysis.

If a source code position is flagged and does not present a security problem and an input check or escape action (for example, using a method from CL_ABAP_DYN_PRG) is not appropriate, an exemption should be requested in ATC.

Note

The message in questions is only produced for RFC calls, i.e. calls with the addition DESTINATION. In other dynamic function module calls, SLIN_SEC 1144 is produced if necessary.

User-controlled dynamic program unit call - 1141

Potential call of an illegal program using the statement SUBMIT

In the case in question, external data is used within a dynamic program call (meaning a dynamic call of a report or transaction). This enables potential attackers to call unexpected program units by making unexpected input, and thereby illegally modify the running of the program.

Procedure

First check whether it is necessary to use dynamic program calls. Switching to static calls provides a full solution to the security problem presented here. If this is not possible, the input data must be checked accordingly before being used as report names or transaction names.

The class CL_ABAP_DYN_PRG can be used to implement input checks as described in Validation by Methods of CL_ABAP_DYN_PRG. (The individual methods in the class CL_ABAP_DYN_PRG became available in different Support Packages or SAP Notes. SAP Note 1852318 provides an overview of these methods.) In the case in question, the following methods of this class are viewed as sufficient by the automated check (if the RETURNING parameter of the method in question is used in further processing):

1. 1. 1. CHECK_WHITELIST_STR
    2. CHECK_WHITELIST_TAB

Secure data sources can also be displayed using the report RSLIN_SEC_DISPLAY_BADIS.

Performs a local data flow analysis.

If a source code position is flagged and does not present a security problem and an input check or escape action (for example, using a method from CL_ABAP_DYN_PRG) is not appropriate, an exemption should be requested in ATC.

User-controlled dynamic CALL TRANSACTION - 1142

Dynamic CALL TRANSACTION without allow list check

When a transaction is started from the user interface or by executing the ABAP command LEAVE TO TRANSACTION, an authorization check is performed automatically. The check is always made using the authorization object S_TCODE . In the transaction code editor (transaction SE93), developers can specify an authorization object with authorization values. If an entry of this type is found, the authorization specified there is checked.

These authorization checks are not usually made when the ABAP command CALL TRANSACTION is executed. The developer of the program in question must decide whether the transaction start authorization is checked.

A corresponding authorization check was found in the dynamic CALL TRANSACTION in question. This authorization check is usually enough to secure the dynamic CALL TRANSACTION statement in question. In special cases, it may be appropriate to have an additional allow list check (see the following explanation).

In the case in question, external data is used within a dynamic program call (meaning a dynamic call of a report or transaction). This enables potential attackers to call unexpected program units by making unexpected input, and thereby illegally modify the running of the program.

Procedure

First check whether it is necessary to use dynamic program calls. Switching to static calls provides a full solution to the security problem presented here. If this is not possible, the input data must be checked accordingly before being used as report names or transaction names.

The class CL_ABAP_DYN_PRG can be used to implement input checks as described in Validation by Methods of CL_ABAP_DYN_PRG. (The individual methods in the class CL_ABAP_DYN_PRG became available in different Support Packages or SAP Notes. SAP Note 1852318 provides an overview of these methods.) In the case in question, the following methods of this class are viewed as sufficient by the automated check (if the RETURNING parameter of the method in question is used in further processing):

1. 1. 1. CHECK_WHITELIST_STR
    2. CHECK_WHITELIST_TAB

Secure data sources can also be displayed using the report RSLIN_SEC_DISPLAY_BADIS.

Performs a local data flow analysis.

If a source code position is flagged and does not present a security problem and an input check or escape action (for example, using a method from CL_ABAP_DYN_PRG) is not appropriate, an exemption should be requested in ATC.

User-controlled dynamic LEAVE TO TRANSACTION - 1143

Potential call of an unwanted transaction using the statement LEAVE TO TRANSACTION

In the case in question, external data is used within a dynamic program call (meaning a dynamic call of a report or transaction). This enables potential attackers to call unexpected program units by making unexpected input, and thereby illegally modify the running of the program.

Procedure

First check whether it is necessary to use dynamic program calls. Switching to static calls provides a full solution to the security problem presented here. If this is not possible, the input data must be checked accordingly before being used as report names or transaction names.

The class CL_ABAP_DYN_PRG can be used to implement input checks as described in Validation by Methods of CL_ABAP_DYN_PRG. (The individual methods in the class CL_ABAP_DYN_PRG became available in different Support Packages or SAP Notes. SAP Note 1852318 provides an overview of these methods.) In the case in question, the following methods of this class are viewed as sufficient by the automated check (if the RETURNING parameter of the method in question is used in further processing):

1. 1. 1. CHECK_WHITELIST_STR
    2. CHECK_WHITELIST_TAB

Secure data sources can also be displayed using the report RSLIN_SEC_DISPLAY_BADIS.

Performs a local data flow analysis.

If a source code position is flagged and does not present a security problem and an input check or escape action (for example, using a method from CL_ABAP_DYN_PRG) is not appropriate, an exemption should be requested in ATC.

Dynamic function module call controllable from UI or via RFC - 1144

UI-driven or RFC-driven dynamic call of a function module

Here, the name of a called function module can be controlled using either the user interface or a parameter of an RFC-enabled function module.

An attacker might be able to call forbidden function modules by entering unexpected data in this location.

Procedure

First check whether it is necessary to use dynamic function module calls. Switching to static calls provides a full solution to the security problem presented here. If this is not possible, the input data must be checked accordingly before being used as function module names.

The class CL_ABAP_DYN_PRG can be used to implement input checks as described in Validation by Methods of CL_ABAP_DYN_PRG. (The individual methods in the class CL_ABAP_DYN_PRG became available in different Support Packages or SAP Notes. SAP Note 1852318 provides an overview of these methods.) In the case in question, the following methods of this class are viewed as sufficient by the automated check (if the RETURNING parameter of the method in question is used in further processing):

1. 1. 1. CHECK_WHITELIST_STR
    2. CHECK_WHITELIST_TAB

Secure data sources can also be displayed using the report RSLIN_SEC_DISPLAY_BADIS.

Dynamic function module calls are frequent, which means that only those calls are registered here for which some or all of the function module name can be controlled meaningfully using the user interface or RFC. To do this, a local data flow analysis is performed.

If a source code position is flagged and does not present a security problem and an input check (for example, using a method from CL_ABAP_DYN_PRG) is not appropriate, an exemption should be requested in ATC.

Note:

1. 1. - This message (SLIN_SEC 1144) is not raised for dynamic function module calls that represent an RFC call. In dynamic RFC calls like this, SLIN_SEC 1140 is produced if necessary. For this reason, the checks SLIN_SEC 1140 and 1144
    - must always be performed together (neither of the checks should be suppressed using its priority) or
    - must always be suppressed together using their priorities.
    - A local data flow analysis is performed, which means that exactly those occurrences are registered in which the function module name can be controlled using the user interface of the wrapper program or in which dynamic calls within a function group can be controlled using the parameter of an RFC-enabled function module of this function group.

Static CALL TRANSACTION without check of authorization object from SE93 – 114A

Static CALL TRANSACTION without check on authorization from the transaction editor

When a transaction is started from the user interface or by executing the ABAP command LEAVE TO TRANSACTION, an authorization check is performed automatically. The check is always made using the authorization object S_TCODE . In the transaction code editor (transaction SE93), developers can specify an authorization object with authorization values. If an entry of this type is found, the authorization specified there is checked.

These authorization checks are not usually made when the ABAP command CALL TRANSACTION is executed. The developer of the program in question must decide whether the transaction start authorization is checked.

Here, a check on the authorization object S_TCODE was found. The additional check was specified in the transaction editor, but no check on this authorization was found in the code. This could present a security risk.

Procedure

If the authorization check is missing by accident, it can implemented in full by simply calling the function module AUTHORITY_CHECK_TCODE . From SAP_BASIS 7.40 SP 02, the addition WITH AUTHORITY-CHECK in CALL TRANSACTION can also be used to do this. It works in the same way as the function module call. Both methods check the authorization object S_TCODE. It may be a good idea to remove the explicit AUTHORITY-CHECK on S_TCODE.

If the check on the authorization object from the transaction editor in CALL TRANSACTION was skipped intentionally, the addition WITHOUT AUTHORITY-CHECK in CALL TRANSACTION can be used from SAP_BASIS 7.40 SP 02. In systems with older releases, the message must be suppressed using an exemption.

For each CALL TRANSACTION, a search is made for the AUTHORITY-CHECKs or a suitable call of the function module AUTHORITY_CHECK_TCODE within the same procedure (event, method, function, form routine). In called procedures, a search is also performed for these authorization checks up to a nesting depth of five. If an AUTHORITY-CHECK on the authorization object S_TCODE is found, but no AUTHORITY-CHECK that matches the entry from the transaction editor, the message is displayed.

Static CALL TRANSACTION without check of authorization object S_TCODE – 114B

Static CALL TRANSACTION without check on authorization object S_TCODE.

When a transaction is started from the user interface or by executing the ABAP command LEAVE TO TRANSACTION, an authorization check is performed automatically. The check is always made using the authorization object S_TCODE . In the transaction code editor (transaction SE93), developers can specify an authorization object with authorization values. If an entry of this type is found, the authorization specified there is checked.

These authorization checks are not usually made when the ABAP command CALL TRANSACTION is executed. The developer of the program in question must decide whether the transaction start authorization is checked.

Here, a check on the authorization object from the transaction editor (SE93) was found. The code, however, did not contain a check on the authorization object S_TCODE for the called transaction. This could present a security risk.

Procedure

If the authorization check is missing by accident, it can implemented in full by simply calling the function module AUTHORITY_CHECK_TCODE . From SAP_BASIS 7.40 SP 02, the addition WITH AUTHORITY-CHECK in CALL TRANSACTION can also be used to do this. It works in the same way as the function module call. Both methods check the authorization from the transaction editor (SE93) and the authorization object S_TCODE. It may be a good idea to remove the explicit AUTHORITY-CHECK on the authorization from the transaction editor (SE93).

If the check on the authorization object S_TCODE in CALL TRANSACTION was skipped intentionally, the addition WITHOUT AUTHORITY-CHECK in CALL TRANSACTION can be used from SAP_BASIS 7.40 SP 02. In systems with older releases, the message must be suppressed using an exemption.

For each CALL TRANSACTION, a search is made for the AUTHORITY-CHECKs or a suitable call of the function module AUTHORITY_CHECK_TCODE within the same procedure (event, method, function, form routine). In called procedures, a search is also performed for these authorization checks up to a nesting depth of five. If an AUTHORITY-CHECK on the authorization from the transaction editor (SE93) is found, but no AUTHORITY-CHECK on S_TCODE, the message is displayed.

Static CALL TRANSACTION without authorization check – 114C

Static CALL TRANSACTION without authorization check

When a transaction is started from the user interface or by executing the ABAP command LEAVE TO TRANSACTION, an authorization check is performed automatically. The check is always made using the authorization object S_TCODE . In the transaction code editor (transaction SE93), developers can specify an authorization object with authorization values. If an entry of this type is found, the authorization specified there is checked.

These authorization checks are not usually made when the ABAP command CALL TRANSACTION is executed. The developer of the program in question must decide whether the transaction start authorization is checked.

Here, none of the authorization checks above were found in the code. This could present a security risk.

Procedure

If the authorization checks are missing by accident, they can implemented in full by simply calling the function module AUTHORITY_CHECK_TCODE . From SAP_BASIS 7.40 SP 02, the addition WITH AUTHORITY-CHECK in CALL TRANSACTION can also be used to do this. It works in the same way as the function module call. Both methods check the authorization object S_TCODE and the authorization from the transaction editor (SE93). However, you should note that table TCDCOUPLES is taken into account for function module AUTHORITY_CHECK_TCODE.

In a few situations, it is intentional that no authorizations are checked in CALL TRANSACTION (or only the authorization for the authorization S_TCODE). In these cases, the addition WITHOUT AUTHORITY-CHECK can be used in CALL TRANSACTION from SAP_BASIS 7.40 SP 02. In systems with older releases, the message must be suppressed using an exemption. In dynamic CALL TRANSACTIONS, it is only acceptable to skip the authorization check if the set of callable transactions is restricted (usually by using a allow list check).

SAP recommends that the entries in table TCDCOUPLES (transaction SE97) are no longer used to control the behavior.

For each CALL TRANSACTION, a search is made for the AUTHORITY-CHECKs or a suitable call of the function module AUTHORITY_CHECK_TCODE within the same procedure (event, method, function, form routine). In called procedures, a search is also performed for these authorization checks up to a restricted nesting depth. The message is displayed if none of the authorization checks above are found.

Static CALL TRANSACTION without authorization check (restricted function) – 114D

Static CALL TRANSACTION without authorization check in the case of restricted functions

When a transaction is started from the user interface or by executing the ABAP command LEAVE TO TRANSACTION, an authorization check is performed automatically. The check is always made using the authorization object S_TCODE . In the transaction code editor (transaction SE93), developers can specify an authorization object with authorization values. If an entry of this type is found, the authorization specified there is checked.

These authorization checks are not usually made when the ABAP command CALL TRANSACTION is executed. The developer of the program in question must decide whether the transaction start authorization is checked.

Here, none of the authorization checks above were found in the code. This could present a security risk. The security risk becomes slightly less severe because a restriction to a specific context (AND SKIP FIRST SCREEN or USING bdc_tab) was found in the statement CALL TRANSACTION .

Procedure

If the authorization checks are missing by accident, they can implemented in full by simply calling the function module AUTHORITY_CHECK_TCODE . From SAP_BASIS 7.40 SP 02, the addition WITH AUTHORITY-CHECK in CALL TRANSACTION can also be used to do this. It works in the same way as the function module call. Both methods check the authorization object S_TCODE and the authorization from the transaction editor (SE93). However, you should note that table TCDCOUPLES is taken into account for function module AUTHORITY_CHECK_TCODE.

In a few situations, it is intentional that no authorizations are checked in CALL TRANSACTION (or only the authorization for the authorization S_TCODE). In these cases, the addition WITHOUT AUTHORITY-CHECK can be used in CALL TRANSACTION from SAP_BASIS 7.40 SP 02. In systems with older releases, the message must be suppressed using an exemption. In dynamic CALL TRANSACTIONS, it is only acceptable to skip the authorization check if the set of callable transactions is restricted (usually by using an allow list check).

SAP recommends that the entries in table TCDCOUPLES (transaction SE97) are no longer used to control the behavior.

For each CALL TRANSACTION, a search is made for the AUTHORITY-CHECKs or a suitable call of the function module AUTHORITY_CHECK_TCODE within the same procedure (event, method, function, form routine). In called procedures, a search is also performed for these authorization checks up to a restricted nesting depth. The message is displayed if none of the authorization checks above are found.

Dynamic CALL TRANSACTION without authorization check - 114E

Dynamic CALL TRANSACTION without authorization check

When a transaction is started from the user interface or by executing the ABAP command LEAVE TO TRANSACTION, an authorization check is performed automatically. The check is always made using the authorization object S_TCODE . In the transaction code editor (transaction SE93), developers can specify an authorization object with authorization values. If an entry of this type is found, the authorization specified there is checked.

These authorization checks are not usually made when the ABAP command CALL TRANSACTION is executed. The developer of the program in question must decide whether the transaction start authorization is checked.

In the dynamic CALL TRANSACTION in question, none of the authorization checks above were found in the code. This could present a security risk.

An allow list check restricts the set of potential transactions called, which means that the security risk is already reduced. Depending on the context, this restriction may be enough.

Procedure

If the authorization checks are missing by accident, they can implemented in full by simply calling the function module AUTHORITY_CHECK_TCODE . From SAP_BASIS 7.40 SP 02, the addition WITH AUTHORITY-CHECK in CALL TRANSACTION can also be used to do this. It works in the same way as the function module call. Both methods check the authorization object S_TCODE and the authorization from the transaction editor (SE93). However, you should note that table TCDCOUPLES is taken into account for function module AUTHORITY_CHECK_TCODE.

In a few situations, it is intentional that no authorizations are checked in CALL TRANSACTION (or only the authorization for the authorization S_TCODE). In these cases, the addition WITHOUT AUTHORITY-CHECK can be used in CALL TRANSACTION from SAP_BASIS 7.40 SP 02. In systems with older releases, the message must be suppressed using an exemption. In dynamic CALL TRANSACTIONS, it is only acceptable to skip the authorization check if the set of callable transactions is restricted (usually by using an allow list check).

SAP recommends that the entries in table TCDCOUPLES (transaction SE97) are no longer used to control the behavior.

For each dynamic CALL TRANSACTION, a search is made for the a suitable call of the function module AUTHORITY_CHECK_TCODE within the same procedure (event, method, function, form routine). In called procedures, a search is also performed for these authorization checks up to a restricted nesting depth. The message is displayed if none of the authorization checks above are found.

Dynamic CALL TRANSACTION without authorization check and without check on valid transaction names – 114F

What is checked

Dynamic CALL TRANSACTION without authorization check and without an allow list check

In the case in question, external data is used within a dynamic transaction call. This enables potential attackers to call unexpected transactions by making unexpected input, and thereby illegally modify the running of the program.

When a transaction is started from the user interface or by executing the ABAP command LEAVE TO TRANSACTION, an authorization check is performed automatically. The check is always made using the authorization object S_TCODE . In the transaction code editor (transaction SE93), developers can specify an authorization object with authorization values. If an entry of this type is found, the authorization specified there is checked.

These authorization checks are not usually made when the ABAP command CALL TRANSACTION is executed. The developer of the program in question must decide whether the transaction start authorization is checked.

In this dynamic CALL TRANSACTION, the potential influence of the user input on the called transaction was identified and, additionally, none of the authorization checks mentioned above were found in the source code. This could present a security risk.

Procedure

Both the authorization check aspect and the aspect of dynamics in the name of the called transaction must be considered. In most situations, an authorization check is the best choice for removing the security problem.

Authorization check

If the authorization checks are missing by accident, they can implemented in full by simply calling the function module AUTHORITY_CHECK_TCODE . From SAP_BASIS 7.40 SP 02, the addition WITH AUTHORITY-CHECK in CALL TRANSACTION can also be used to do this. It works in the same way as the function module call. Both methods check the authorization object S_TCODE and the authorization from the transaction editor (SE93). However, you should note that table TCDCOUPLES is taken into account for function module AUTHORITY_CHECK_TCODE.

In a few situations, it is intentional that no authorizations are checked in CALL TRANSACTION (or only the authorization for the authorization S_TCODE). In these cases, the addition WITHOUT AUTHORITY-CHECK can be used in CALL TRANSACTION from SAP_BASIS 7.40 SP 02. In systems with older releases, the message must be suppressed using an exemption. In dynamic CALL TRANSACTIONS, it is only acceptable to skip the authorization check if the set of callable transactions is restricted (usually by using an allow list check).

SAP recommends that the entries in table TCDCOUPLES (transaction SE97) are no longer used to control the behavior.

Dynamics in the name of the called transaction

First check whether it is necessary to use dynamic transaction calls. Switching to static calls provides a solution to the security problem presented here at least. If this is not possible, the input data must be checked accordingly before being used as transaction names.

The class CL_ABAP_DYN_PRG can be used to implement input checks as described in Validation by Methods of CL_ABAP_DYN_PRG. (The individual methods in the class CL_ABAP_DYN_PRG became available in different Support Packages or SAP Notes. SAP Note 1852318 provides an overview of these methods.) In the case in question, the following methods of this class are viewed as sufficient by the automated check (if the RETURNING parameter of the method in question is used in further processing):

1. 1. 1. CHECK_WHITELIST_STR
    2. CHECK_WHITELIST_TAB

Secure data sources can also be displayed using the report RSLIN_SEC_DISPLAY_BADIS.

If an authorization check is not predefined, an error message stating that the authorization check is missing might be raised the next time the program is checked.

A local data flow analysis is performed.

For each dynamic CALL TRANSACTION, a search is made for the a suitable call of the function module AUTHORITY_CHECK_TCODE within the same procedure (event, method, function, form routine). In called procedures, a search is also performed for these authorization checks up to a restricted nesting depth. The message is displayed if none of the authorization checks above are found.

Dynamic CALL TRANSACTION with potentially incomplete authorization check – 114G

What is checked?

Security problems can occur wherever external data (such as user input) is processed further without being checked.
In the case in question, external data is used within a dynamic transaction call. This enables potential attackers to call unexpected transactions by making unexpected input, and thereby illegally modify the running of the program.
When a transaction is started from the user interface or by executing the ABAP statement LEAVE TO TRANSACTION, an authorization check is performed automatically. The check is always made using the authorization object S_TCODE. In the transaction code editor (transaction SE93), developers can specify an authorization object with authorization values. If an entry of this type is found, the authorization specified there is checked.
These authorization checks are not usually made when the ABAP statement CALL TRANSACTION is executed. The developer of the program in question must decide whether the transaction start authorization is checked.
In this dynamic CALL TRANSACTION, the potential influence of the user input on the called transaction was identified and, additionally, only one authorization check on the authorization object S_TCODE was found in the source code. The authorization check might be incomplete, since the system analysis cannot decide whether a check was made on the authorization from the transaction editor (transaction SE93). This could present a security risk.

Procedure

Both the authorization check aspect and the aspect of dynamics in the name of the called transaction must be considered. In most situations, an authorization check is the best choice for removing the security problem.

Authorization Check

If the authorization checks are missing by accident, they can implemented in full by simply calling the function module AUTHORITY_CHECK_TCODE . From SAP_BASIS 7.40 SP 02, the addition WITH AUTHORITY-CHECK in CALL TRANSACTION can also be used to do this. It works in the same way as the function module call. Both methods check the authorization object S_TCODE and the authorization from the transaction editor (SE93). However, it should be noted that the table TCDCOUPLES is respected for the function module AUTHORITY_CHECK_TCODE.
In a few situations, it is intentional that no authorizations are checked in CALL TRANSACTION (or only the authorization for the authorization S_TCODE). In these cases, the addition WITHOUT AUTHORITY-CHECK can be used in CALL TRANSACTION from SAP_BASIS 7.40 SP 02. In systems with older releases, the message must be suppressed using an exemption. In dynamic CALL TRANSACTIONS, it is only acceptable to skip the authorization check if the set of callable transactions is restricted (usually by using a check on valid values).
SAP recommends that the entries in the table TCDCOUPLES (transaction SE97) are no longer used to control the behavior.

Dynamics in the name of the called transaction

First check whether it is necessary to use dynamic transaction calls. Switching to static calls provides a solution to the security problem presented here. If this is not possible, the input data must be checked appropriately before being used as transaction names.
The class CL_ABAP_DYN_PRG can be used to implement input checks as described in Validation by Methods of CL_ABAP_DYN_PRG. (The individual methods in the class CL_ABAP_DYN_PRG became available in different support packages or SAP Notes. SAP Note 1852318 provides an overview of these methods.) In the case in question, the following methods of this class are viewed as sufficient by the automated check (if the RETURNING parameter of the method in question is used in further processing instead of the original input value):
1. CHECK_WHITELIST_STR
2. CHECK_WHITELIST_TAB
Secure data sources can also be displayed using the report RSLIN_SEC_DISPLAY_BADIS.
If the source code position in question does not have any security problems and there is no point in modifying the source code, an exemption should be requested in ATC.

How is the check done

A local data flow analysis is performed.
For each dynamic CALL TRANSACTION, a search is made for the a suitable call of the function module AUTHORITY_CHECK_TCODE within the same procedure (event, method, function, form routine). In called procedures, a search is also performed for these authorization checks up to a restricted nesting depth. The message is displayed if none of the authorization checks above are found.

Dynamic CALL TRANSACTION without authorization check – 114H

What is checked?

When a transaction is started from the user interface or by executing the ABAP statement LEAVE TO TRANSACTION, an authorization check is performed automatically. The check is always made using the authorization object S_TCODE. In the transaction code editor (transaction SE93), developers can specify an authorization object with authorization values. If an entry of this type is found, the authorization specified there is checked.
These authorization checks are not usually made when the ABAP statement CALL TRANSACTION is executed. The developer of the program in question must decide whether the transaction start authorization is checked.
In the dynamic CALL TRANSACTION in question, none of the authorization checks above were found in the source code. This could present a security risk.
No vulnerable data source was found for the transaction name. This means that the name of the called transaction most probably cannot be manipulated from outside.

Procedure

If the authorization checks are missing by accident, they can implemented in full by simply calling the function module AUTHORITY_CHECK_TCODE. From SAP_BASIS 7.40 SP 02, the addition WITH AUTHORITY-CHECK in CALL TRANSACTION can also be used to do this. It works in the same way as the function module call. Both methods check the authorization object S_TCODE and the authorization from the transaction editor (SE93). However, it should be noted that the table TCDCOUPLES is respected for the function module AUTHORITY_CHECK_TCODE.
In a few situations, it is intentional that no authorizations are checked in CALL TRANSACTION (or only the authorization for the authorization S_TCODE). In these cases, the addition WITHOUT AUTHORITY-CHECK can be used in CALL TRANSACTION from SAP_BASIS 7.40 SP 02. In systems with older releases, the message must be suppressed using an exemption. In dynamic CALL TRANSACTIONS, it is only acceptable to skip the authorization check if the set of callable transactions is restricted (usually by using a check on valid values).
SAP recommends that the entries in the table TCDCOUPLES (transaction SE97) are no longer used to control the behavior.
If the source code position in question does not have any security problems and there is no point in modifying the source code, an exemption should be requested in ATC.

How is the check done

For each dynamic CALL TRANSACTION, a search is made for the a suitable call of the function module AUTHORITY_CHECK_TCODE within the same procedure (event, method, function, form routine). In called procedures, a search is also performed for these authorization checks up to a restricted nesting depth. The message is displayed if none of the authorization checks above are found.

Dynamic CALL TRANSACTION without authorization check – 114I

What is checked?

When a transaction is started from the user interface or by executing the ABAP statement LEAVE TO TRANSACTION, an authorization check is performed automatically. The check is always made using the authorization object S_TCODE. In the transaction code editor (transaction SE93), developers can specify an authorization object with authorization values. If an entry of this type is found, the authorization specified there is checked.
These authorization checks are not usually made when the ABAP statement CALL TRANSACTION is executed. The developer of the program in question must decide whether the transaction start authorization is checked.
In the dynamic CALL TRANSACTION in question, none of the authorization checks above were found in the source code. This could present a security risk.
No vulnerable data source was found for the transaction name. This means that the name of the called transaction most probably cannot be manipulated from outside.

Procedure

If the authorization checks are missing by accident, they can implemented in full by simply calling the function module AUTHORITY_CHECK_TCODE. From SAP_BASIS 7.40 SP 02, the addition WITH AUTHORITY-CHECK in CALL TRANSACTION can also be used to do this. It works in the same way as the function module call. Both methods check the authorization object S_TCODE and the authorization from the transaction editor (SE93). However, it should be noted that the table TCDCOUPLES is respected for the function module AUTHORITY_CHECK_TCODE.
In a few situations, it is intentional that no authorizations are checked in CALL TRANSACTION (or only the authorization for the authorization S_TCODE). In these cases, the addition WITHOUT AUTHORITY-CHECK can be used in CALL TRANSACTION from SAP_BASIS 7.40 SP 02. In systems with older releases, the message must be suppressed using an exemption. In dynamic CALL TRANSACTIONS, it is only acceptable to skip the authorization check if the set of callable transactions is restricted (usually by using a check on valid values).
SAP recommends that the entries in the table TCDCOUPLES (transaction SE97) are no longer used to control the behavior.
If the source code position in question does not have any security problems and there is no point in modifying the source code, an exemption should be requested in ATC.

How is the check done

For each dynamic CALL TRANSACTION, a search is made for the a suitable call of the function module AUTHORITY_CHECK_TCODE within the same procedure (event, method, function, form routine). In called procedures, a search is also performed for these authorization checks up to a restricted nesting depth. The message is displayed if none of the authorization checks above are found.

Usage of an obsolete escaping method - 1150

Obsolete escape method used

The ESCAPE methods of classes CL_HTTP_UTILITY, CL_HTTP_SERVER and CL_HTTP_CLIENT are obsolete and do not fulfill the current OWASP recommendations. They have been replaced by the predefined function ESCAPE( ).

Procedure

Calls of the obsolete escape methods must be replaced by calls of the predefined function ESCAPE( ), appropriate for the context in question. Valid formats are the values E_XSS_* from the class CL_ABAP_FORMAT. More information is available in the ABAP keyword documentation.

The specified formats are not available for the predefined function ESCAPE( ) in releases older than SAP_BASIS 731. Instead, you need to use the ESCAPE_XSS_* methods from class CL_ABAP_DYN_PRG. The individual methods in the class CL_ABAP_DYN_PRG became available in different Support Packages or SAP Notes. SAP Note 1852318 provides an overview of these methods.

All calls of the obsolete methods are reported. This relates to the following methods:

1. 1. - CL_HTTP_UTILITY=>ESCAPE_JAVASCRIPT
    - CL_HTTP_UTILITY=>ESCAPE_HTML
    - CL_HTTP_UTILITY=>ESCAPE_URL
    - CL_HTTP_UTILITY=>ESCAPE_WML
    - CL_HTTP_UTILITY=>ESCAPE_XML_CHAR_DATA
    - CL_HTTP_UTILITY=>ESCAPE_XML_ATTR_VALUE
    - CL_HTTP_SERVER=>ESCAPE_HTML
    - CL_HTTP_SERVER=>ESCAPE_URL
    - CL_HTTP_CLIENT=>ESCAPE_HTML
    - CL_HTTP_CLIENT=>ESCAPE_URL

forceEncode="enabled" not specified for htmlb:content - 1151

On BSP pages that use htmlb, the values of the attributes of the htmlb tags are encoded only if the attribute forceEncode in htmlb:content has the value 'enabled'. This is the only way to ensure that the encoding matches the context in which an attribute value is used in the finished HTML document.

Procedure

The attribute forceEncode of the htmlb tag htmlb:content is set to the value 'enabled'.

For more information, see "XSS Secure Programming Guide". SAP Note 1714836.

If the position in question does not have any security problems and there is no point in modifying the BSP page, an exemption should be requested in ATC.

In tag htmlb:content an obsolete design is specified or none at all - 1152

Obsolete design or no design specified for htmlb:content

Message number 1152

The designs CLASSIC and DESIGN2002 are no longer supported. This means that any XSS weaknesses in the associated BSP extensions htmlb, xhtmlb, and so on are no longer corrected.

Only the designs DESIGNS2003 and DESIGN2008 (and any later designs) encode all attributes in full and are secure with respect to cross site scripting (XSS).

Procedure

Obsolete designs can no longer be used. A design must be specified explicitly, since otherwise the obsolete design CLASSIC is used.

For more information, see "XSS Secure Programming Guide". SAP Note 1714836.

AUTHORITY-CHECK without processing of sy-subrc - 1160

SY-SUBRC not evaluated after the statement AUTHORITY-CHECK

After the statement AUTHORITY-CHECK, sy-subrc needs to be read. If SY-SUBRC is not equal to 0, the authorization check was not successful.

The check confirms whether a read is performed on SY-SUBRC directly after AUTHORITY-CHECK. Statements such as ENDIF, simple assignments (that do not modify SY-SUBRC), or comments are permitted before reads. Some declarative statements, such as DATA, are also valid. Many ABAP statements (such as REFRESH) set SY-SUBRC and are not allowed. If there is an empty IF/ENDIF block after AUTHORITY-CHECK, a problem is detected.

Procedure

Insert a sy-subrc query with a valid response (for example, cancel).

If the source code position in question does not have any security problems and there is no point in modifying the source code, an exemption should be requested in ATC.

Call of a security-relevant method without handling the return value - 1161

Return value (for example, SY-SUBRC) not evaluated after a security-relevant method was called

It is necessary to evaluate the return value (for example, SY-SUBRC) after a security-relevant method such as CL_SACF=>AUTH_CHECK_SPEC( ) has been called.

From the perspective of this check, the following methods are security-relevant:

1. 1. - CL_SACF=>AUTH_CHECK_SPEC( )
    - CL_SACF=>AUTH_CHECK_SPEC_USER( )

Further procedures can be registered as security-relevant using the BAdI SLIN_BADI_SEC_PROCEDURES. All registered security-relevant function modules and methods can be displayed using the report RSLIN_SEC_DISPLAY_SECREL_PROC.

This check checks whether the return value (for example, SY-SUBRC) is read immediately after the procedure call. Statements such as ENDIF, simple assignments (that do not modify the return value), or comments are permitted before reads. Some declarative statements, such as DATA, are also valid. If there is an empty IF/ENDIF block after the method call, a problem is registered.

Procedure

Insert an evaluation of the return value (for example, SY-SUBRC) with an appropriate response (for example, error message or cancel).

If the message is caused by an inconsistent BAdI implementation, contact the person responsible for the BAdI implementation classes specified in the message details.

If the source code position in question does not have any security problems and there is no point in modifying the source code, an exemption should be requested in ATC.

Return value (for example, SY-SUBRC) not evaluated after a security-relevant subroutine was called. - 1162

Return value (for example, SY-SUBRC) not evaluated after a security-relevant subroutine was called.

Once the security-relevant subroutine (FORM routine) has been called, a check must be run to verify that execution was successful. In general this is an evaluation of the corresponding output parameter or a check of system field SY-SUBRC, if the subroutine uses this as an implicit output parameter.

Procedure

Insert an evaluation of the return value (for example, SY-SUBRC) with an appropriate response (for example, error message or cancel).

If the source code position in question does not have any security problems and there is no point in modifying the source code, an exemption should be requested in ATC.

A check is run to verify if an evaluation is performed after an external security-relevant subroutine is called.

The check can be expanded by using a BAdI.

Further procedures can be registered as security-relevant using the BAdI SLIN_BADI_SEC_PROCEDURES. All registered security-relevant procedures can be displayed using the report RSLIN_SEC_DISPLAY_SECREL_PROC.

This check checks whether the return value (for example, SY-SUBRC) is read immediately after the procedure call or AUTHORITY-CHECK. Statements such as ENDIF, simple assignments (that do not modify the return value), or comments are permitted before reads. If there is an empty IF/ENDIF block after the procedure call, a problem is registered.

Potentially security-relevant procedure without registration - 1163

Potentially security-relevant procedure without registration

Directly after the call of an authorization check using the statement AUTHORITY-CHECK or after the call of a similar procedure, the result of the call in question must be checked. To do this after the statement AUTHORITY-CHECK, the system field SY-SUBRC must be queried. After a procedure is called, the corresponding output parameter must be queried.

In some cases, the authorization check is made in a procedure A and the value of SY-SUBRC (or a corresponding output parameter) returned to its own caller B. This delegates the job of responding appropriately to a failed authorization check to the the caller B. The procedure A becomes a security-relevant procedure and it must now be ensured that all callers of the procedure A check the returned result (in exactly the way they would if they had called the statement AUTHORITY-CHECK themselves).

In this case, we know that a globally visible procedure delegates the evaluation of the result of an authorization check to its calling programs. Therefore the procedure should be registered as security-relevant in CVA, so that all its calling programs can be checked, to verify that they evaluate the returned result.

Example

The function module is a global procedure, which wraps statement AUTHORITY-CHECK. The successful execution check is delegated to the calling program.
FUNCTION Z_AUTHORITY_CHECK.
...
*" EXCEPTIONS
*" NO_AUTHORITY

...

AUTHORITY-CHECK OBJECT 'S_TCODE'
ID 'TCD' FIELD I_TCODE.

IF SY-SUBRC 0.
MESSAGE eXXX(XX) RAISING NO_AUTHORITY.
ENDIF.

ENDFUNCTION.

Procedure

First check whether it is necessary to use the global procedure. Switching to a local procedure (for example, from a public to a private method) means that 1163 messages are no longer displayed.

If it is not possible to switch, you should register the procedure as security-relevant using BAdl SLIN_BADI_SEC_PROCEDURES. Once the procedure has been registered as security-relevant, 1163 messages are no longer displayed. Instead, new security messages can now be displayed in all programs that use the registered
If it is not possible to switch, you should register the procedure as security-relevant using BAdl SLIN_BADI_SEC_PROCEDURES. Once the procedure has been registered as security-relevant, 1163 messages are no longer displayed. Instead, new security messages can now be displayed in all programs that use the registered procedure.

If the source code position in question does not have any security problems and there is no point in modifying the source code, an exemption should be requested in ATC.

This check verifies whether the return value (for example, SY-SUBRC) is read immediately after the procedure call or AUTHORITY-CHECK. In the case in question, this return is either reused as the return code of the current procedure or a classic exception is raised dependent on the return code (which creates a new return code). This means that the handling of the value is delegated to the caller of the current procedure.

Return value (for example, SY-SUBRC) not evaluated after a security-relevant local procedure was called - 1164

Return value (for example, SY-SUBRC) not evaluated after a security-relevant local procedure was called

Directly after the call of an authorization check using the statement AUTHORITY-CHECK or after the call of a similar procedure, the result of the call in question must be checked. To do this after the statement AUTHORITY-CHECK, the system field SY-SUBRC must be queried. After a procedure is called, the corresponding output parameter must be queried.

In some cases, the authorization check is made in a procedure A and the value of SY-SUBRC (or a corresponding output parameter) returned to its own caller B. This delegates the job of responding appropriately to a failed authorization check to the the caller B. The procedure A becomes a security-relevant procedure and it must now be ensured that all callers of the procedure A check the returned result (in exactly the way they would if they had called the statement AUTHORITY-CHECK themselves).

Procedure

After the procedure call, run the evaluation of the return value with an appropriate response (for example, error message or cancel).

If the source code position in question does not have any security problems and there is no point in modifying the source code, an exemption should be requested in ATC.

This check verifies whether the return value (for example, SY-SUBRC) is read immediately after the procedure call or AUTHORITY-CHECK. In the case in question, this return is either reused as the return code of the current procedure or a classic exception is raised dependent on the return code (which creates a new return code). This means that the handling of the value is delegated to the caller of the current procedure.

Call of a security-relevant function without processing sy-subrc - 1165

After a security-relevant function module such as AUTHORITY_CHECK_TCODE or AUTHORITY_CHECK is called, the return value (for example, SY-SUBRC) must be evaluated.

From the perspective of this check, the following function modules are security-relevant:

1. 1. - AUTHORITY_CHECK
    - AUTHORITY_CHECK_TCODE
    - SU_RAUTH_CHECK_FOR_USER
    - VIEW_AUTHORITY_CHECK
    - FILE_VALIDATE_NAME
    - AUTHORITY_CHECK_DATASET
    - AUTHORITY_CHECK_RFC

Further procedures can be registered as security-relevant using the BAdI SLIN_BADI_SEC_PROCEDURES. All registered security-relevant function modules and methods can be displayed using the report RSLIN_SEC_DISPLAY_SECREL_PROC.

This check checks whether the return value (for example, SY-SUBRC) is read immediately after the procedure call. Statements such as ENDIF, simple assignments (that do not modify the return value), or comments are permitted before reads. Some declarative statements, such as DATA, are also valid. If there is an empty IF/ENDIF block after the method call, a problem is registered.

Procedure

Insert an evaluation of the return value (for example, SY-SUBRC) with an appropriate response (for example, error message or cancel).

If the message is caused by an inconsistent BAdI implementation, contact the person responsible for the BAdI implementation classes specified in the message details.

If the source code position in question does not have any security problems and there is no point in modifying the source code, an exemption should be requested in ATC.

Call of system function CALL “SYSTEM” - 1170

Statement CALL “SYSTEM” used

The system function call CALL 'SYSTEM' can be used to execute operating system commands. However, calling operating system commands can be a potential security problem. This is a particular risk in cases where end users can modify or manipulate the parameters of an operating system command.

Usually all system function calls (CALL cfunc) are only allowed to be used in system programs and are not allowed to be used in application programs.

Procedure

Operating system commands should not be called from ABAP.

If an operating system command call is absolutely necessary, however, the SAPXPG mechanism must be used. This offers increased security due to the following characteristics:

1. 1. - Abstraction from different operating systems
    - Predefined operating system commands
    - Stricter handling of parameters
    - Allows check modules (such as allow lists) to be defined
    - Predefined authorization check

New operating system commands must first be defined using transaction SM69. If possible, omit input values because these can also cause a security problem. The function module SXPG_CALL_SYSTEM can be used to make calls. See System Command Injections for more information.

All uses of the system function call CALL 'SYSTEM' are registered.

If the source code position in question does not have any security problems and there is no point in modifying the source code, an exemption should be requested in ATC.

System function call with potential user input on FIELD - 1171

C function call with names as potential user input

The ABAP command CALL cfunc can be used to execute specific C functions in the kernel. However, calling C functions can be a potential security problem.

Potential attackers can call unwanted kernel functions by making unexpected input, and thereby illegally modify the running of the program.

Procedure

If possible, avoid calling C functions from ABAP. You can do this by using official APIs (such as function modules and methods).

If this is not possible, check whether it is really necessary to use dynamic calls of C functions. One solution is to switch to using static calls. If this is not possible either, the input data must be checked accordingly before being used as names of C functions.

The class CL_ABAP_DYN_PRG can be used to implement input checks as described in Validation by Methods of CL_ABAP_DYN_PRG. (The individual methods in the class CL_ABAP_DYN_PRG became available in different Support Packages or SAP Notes. SAP Note 1852318 provides an overview of these methods.) In the case in question, the following methods of this class are viewed as sufficient by the automated check (if the RETURNING parameter of the method in question is used in further processing instead of the original input value):

1. 1. 1. CHECK_WHITELIST_STR
    2. CHECK_WHITELIST_TAB

Secure data sources can also be displayed using the report RSLIN_SEC_DISPLAY_BADIS.

If the source code position in question does not have any security problems and there is no point in modifying the source code, an exemption should be requested in ATC.

How is the check done?

If user input is incorporated in the names cfunc, the CALL statement is reported. To do this, a local data flow analysis is performed.

AUTHORITY-CHECK for specified User - 1180

AUTHORITY-CHECK with explicit user name

The statement AUTHORITY-CHECK is used together with the addition FOR USER to check the authorization of the user specified by FOR USER (and not for the logged on user). This is often a very sensible requirement.

Example: Data needs to be processed using a specific user in a background job. Before the job is scheduled, AUTHORITY-CHECK FOR USER checks whether the user has the required authorization. In the background job itself, however, the current user should check the authorization again.

If the user name specified using FOR USER has an external source (such as GUI input, an RFC interface, or a file), an attack can manipulate the user name in certain circumstances. In this way, this variant of the statement AUTHORITY-CHECK can be misused to gain additional authorizations that the logged on user is not allowed to have. The addition FOR USER can be used to specify a predefined/delivered user (such as DDDIC or SAP*), which can then be used in certain circumstances to gain administrative rights.

The function modules AUTHORITY_CHECK and SU_RAUTH_CHECK_FOR_USER offer similar options and can also be viewed as a potential source of hazards.

Procedure

Try to avoid using the addition FOR USER with the statement AUTHORITY-CHECK . The addition FOR USER sy-uname or FOR USER syst-uname in particular is usually not required. Instead, use the statement AUTHORITY-CHECK without the addition FOR USER. The same applies to the function modules AUTHORITY_CHECK and SU_RAUTH_CHECK_FOR_USER.

If an authorization check needs to be run for a user other than the logged on user, it is important to ensure that the user name specified for the addition FOR USER cannot be manipulated externally (by making entries on the user interface, for example). Checks against an allow list can be a good way of verifying user names entered from outside. Request an exemption for cases where the addition FOR USER is essential and not just useful.

In the example above (authorization check before scheduling a background job for the user name to be used to run the job), it is important that you perform an authorization check yourself in the background job.

If you want to query the authorization for the user currently logged on locally in RFC calls of the function modules AUTHORITY_CHECK and SU_RAUTH_CHECK_FOR_USER, you should obtain the user name using a call of the method cl_abap_syst=>get_user_name( ) and pass it to the function module. This method, however, still produces a security message (such as "Querying an authorization for a user presents a security risk."). Request an exemption in this case.

All uses of the statement AUTHORITY-CHECK with the addition FOR USER are reported. Here, the source of the user name is not checked. Any allow list checks are ignored.

The local use of the function modules AUTHORITY_CHECK and SU_RAUTH_CHECK_FOR_USER is handled in a similar way, since they offer mainly the same functions.

AUTHORITY-CHECK for SY-UNAME - 1181

AUTHORITY-CHECK with addition FOR USER sy-uname

The statement AUTHORITY-CHECK is used together with the addition FOR USER to check the authorization of the user specified by FOR USER (and not for the logged on user). This is often a very sensible requirement.

It does not make any sense, however, to specify FOR USER sy-uname or FOR USER syst-uname.

If the function modules AUTHORITY_CHECK and SU_RAUTH_CHECK_FOR_USER are called, the situation is different. Local calls of these function modules are not a good idea, since the statement AUTHORITY-CHECK is far quicker and produces the same result. In RFC calls of these functions, it is often a requirement to check the authorization for the same user ID as the logged on user in the local system. Here it is advisable to obtain the name of the user logged on locally using the method cl_abap_syst=>get_user_name( ).

Procedure

Do not use the additions FOR USER sy-uname or FOR USER syst-uname in the statement AUTHORITY-CHECK.

Replace the local calls of the function modules AUTHORITY_CHECK and SU_RAUTH_CHECK_FOR_USER by the statement AUTHORITY-CHECK without the clause FOR USER.

If you want to pass the user name of the user logged on locally for RFC calls of these function modules, use the method cl_abap_syst=>get_user_name( ) to obtain the user name. However, you should note that this user name might be assigned to a different person in the called system.

The additions FOR USER sy-uname and FOR USER syst-uname are registered in the statement AUTHORITY-CHECK.

Local calls of the function modules AUTHORITY_CHECK and SU_RAUTH_CHECK_FOR_USER produce a message when the user name sy-uname or syst-uname is specified.

The dynamic WHERE condition allows a potential code injection - 1190

Potential manipulation of the dynamic WHERE condition in an internal table

The dynamic WHERE clause makes it possible for attackers to inject additional conditions, joined using OR or AND, that modify the volume of data selected in unexpected ways. These conditions can also contain functional ABAP method calls.

Procedure

First check whether it is necessary to use the dynamic WHERE clause. Switching to a static WHERE clause provides a full solution to the security problem. If this is not possible, the input data must be checked appropriately before being used in the dynamic clause.

The documentation of the class CL_ABAP_DYN_PRG explains how input data needs to be handled when constructing a dynamic WHERE clause.

The class CL_ABAP_DYN_PRG can be used to implement input checks as described in Validation by Methods of CL_ABAP_DYN_PRG. (The individual methods in the class CL_ABAP_DYN_PRG became available in different Support Packages or SAP Notes. SAP Note 1852318 provides an overview of these methods.) In the case in question, the following methods of this class are viewed as sufficient by the automated check (if the RETURNING parameter of the method in question is used in further processing):

1. 1. 1. ESCAPE_QUOTES
    2. ESCAPE_QUOTES_STR
    3. QUOTE
    4. QUOTE_STR
    5. CHECK_CHAR_LITERAL
    6. CHECK_STRING_LITERAL
    7. CHECK_INT_VALUE
    8. CHECK_VARIABLE_NAME
    9. CHECK_COLUMN_NAME
    10. CHECK_WHITELIST_STR
    11. CHECK_WHITELIST_TAB

Secure data sources can also be displayed using the report RSLIN_SEC_DISPLAY_BADIS.

Performs a local data flow analysis.

If a source code position is flagged and does not present a security problem and an input check or escape action (for example, using a method from CL_ABAP_DYN_PRG) is not appropriate, an exemption should be requested in ATC.

Potentially missing authorization check in a report– 11A1

Authorization checks should be used to secure reports against being called by unauthorized users.

Procedure

Check whether an authorization check exists for this report and, if necessary, add a check at the start of the report. If the report is already being used or has been delivered, a switchable authorization check should be integrated using the method call CL_SACF=>AUTH_CHECK_SPEC( ).

It is also possible to assign an authorization group to the report, in which case an authorization check does not need to be integrated and no message is displayed (if the group is entered in database table TPGP and hence valid). The authorization group can be entered in the attributes of the report.
If the source code position in question does not have any security problems and there is no point in modifying the source code, an exemption should be requested in ATC.

How is the check done?

The report is scanned for certain authorization checks and risky statements (see below), which entails the report code (including form routines, dynpro modules, functions calls, and method calls) being scanned.
These calls are traced recursively up to a maximum search depth of 10 compilation units. (This means that calls within a compilation unit are ignored.) Any authorization checks at a greater depth are not found.
If a program or a procedure, which does not belong to SAP_BASIS, calls a procedure from SAP_BASIS, then this call is not traced. (Reason: From a semantic perspective, authorization checks in SAP_BASIS have nothing to do with the required authorization check in the application.)

The following authorization checks are found:

ABAP command: AUTHORITY-CHECK (without the addition FOR USER)

Function call: CALL FUNCTION 'AUTHORITY_CHECK'

Function call: CALL FUNCTION 'AUTHORITY_CHECK_TCODE'

Function call: CALL FUNCTION 'AUTH_CHECK_TCODE'

Function call CALL FUNCTION 'VIEW_AUTHORITY_CHECK'

Method call: CALL METHOD CL_SACF=>AUTH_CHECK_SPEC

Authorization checks against authorization object B_BUP_PCPT are ignored.

The system also searches for potentially dangerous statements. These include database access and file access in particular. If a statement like this is found before an authorization check, a message is displayed.

The following statements are classified as dangerous:

DELETE from a database table (Open SQL), DELETE DATASET, DELETE DYNPRO, DELETE REPORT, DELETE TEXTPOOL, DELETE FROM DATABASE, DELETE FROM SHARED MEMORY, DELETE FROM SHARED BUFFER

EXPORT TO DATABASE, EXPORT TO DATASET, EXPORT TO SHARED MEMORY, EXPORT TO SHARED BUFFER

GENERATE SUBROUTINE POOL

INSERT in a database table (Open SQL), INSERT REPORT, INSERT TEXTPOOL

MODIFY in a database table (Open SQL), MODIFY LINE, MODIFY SCREEN

SELECT from a database table not in the delivery class C, E, G, S, or W (Open SQL)

TRANSFER

TRUNCATE

UPDATE

WITH: Reads from a database table not in the delivery class C, E, G, S, or W (Open SQL)

Potentially missing authorization check in an RFC function module – 11A2

Authorization checks should be used to secure RFC function modules against being called by unauthorized users.

Procedure

Check whether an authorization check exists for this RFC function module and, if necessary, add a check at the start of the RFC function module. If the RFC function module is already being used or has been delivered, a switchable authorization check should be integrated using the method call CL_SACF=>AUTH_CHECK_SPEC( ).

If the source code position in question does not have any security problems and there is no point in modifying the source code, an exemption should be requested in ATC.

How is the check done?

The RFC function module is scanned for certain authorization checks and risky statements (see below), which entails the function code (including form routines, dynpro modules, functions calls, and method calls) being scanned.
These calls are traced recursively up to a maximum search depth of 10 compilation units. (This means that calls within a compilation unit are ignored.) Any authorization checks at a greater depth are not found.
If a program or a procedure, which does not belong to SAP_BASIS, calls a procedure from SAP_BASIS, then this call is not traced. (Reason: From a semantic perspective, authorization checks in SAP_BASIS have nothing to do with the required authorization check in the application.)
The following authorization checks are found:

ABAP command: AUTHORITY-CHECK without the addition FOR USER

Function call: CALL FUNCTION 'AUTHORITY_CHECK'

Function call: CALL FUNCTION 'AUTHORITY_CHECK_TCODE'

Function call: CALL FUNCTION 'AUTH_CHECK_TCODE'

Function call: CALL FUNCTION 'VIEW AUTHORITY CHECK'

Method call: CALL METHOD CL_SACF=>AUTH_CHECK_SPEC

Authorization checks against authorization object S_RFC are not accepted here since this authorization object is checked automatically against every RFC call.
Authorization checks against authorization object B_BUP_PCPT are also not accepted.

The system also searches for potentially dangerous statements. These include database access and file access in particular. If a statement like this is found before an authorization check, a message is displayed.
The following statements are classified as dangerous:

DELETE from a database table (Open SQL), DELETE DATASET, DELETE DYNPRO, DELETE REPORT, DELETE TEXTPOOL, DELETE FROM DATABASE, DELETE FROM SHARED MEMORY, DELETE FROM SHARED BUFFER

EXPORT TO DATABASE, EXPORT TO DATASET, EXPORT TO SHARED MEMORY, EXPORT TO SHARED BUFFER

GENERATE SUBROUTINE POOL

INSERT in a database table (Open SQL), INSERT REPORT, INSERT TEXTPOOL

MODIFY in a database table (Open SQL), MODIFY LINE, MODIFY SCREEN

SELECT from a database table not in the delivery class C, E, G, S, or W (Open SQL)

TRANSFER

TRUNCATE

UPDATE

WITH: Reads from a database table not in the delivery class C, E, G, S, or W (Open SQL)

If the source code position in question does not have any security problems and there is no point in modifying the source code, an exemption should be requested in ATC.

Potentially missing authorization check in a BOR object – 11A3

Authorization checks should be used to secure BOR objects (Business Object Repository) against being called by unauthorized users.

Procedure

Check whether an authorization check exists for this BOR object and, if necessary, add a check at the start of the method. If the BOR object is already being used or has been delivered, a switchable authorization check should be integrated using the method call CL_SACF=>AUTH_CHECK_SPEC( ).

If the source code position in question does not have any security problems and there is no point in modifying the source code, an exemption should be requested in ATC.

How is the check done?

Non-active BOR objects are not analyzed.
The ExistenceCheck method of the BOR object is scanned for specific authorization checks, including the code of the method and its form routines, dynpro modules, function calls, and method calls.
These calls are traced recursively up to a maximum search depth of 10 compilation units. (This means that calls within a compilation unit are ignored.) Any authorization checks at a greater depth are not found.
If a program or a procedure, which does not belong to SAP_BASIS, calls a procedure from SAP_BASIS, then this call is not traced. (Reason: From a semantic perspective, authorization checks in SAP_BASIS have nothing to do with the required authorization check in the application.)

The following authorization checks are found:

ABAP command: AUTHORITY-CHECK without the addition FOR USER

Function call: CALL FUNCTION 'AUTHORITY_CHECK'

Function call: CALL FUNCTION 'AUTHORITY_CHECK_TCODE'

Function call: CALL FUNCTION 'AUTH_CHECK_TCODE'

Function call: CALL FUNCTION 'VIEW AUTHORITY CHECK'

Method call: CALL METHOD CL_SACF=>AUTH_CHECK_SPEC

Authorization checks against authorization object B_BUP_PCPT are not accepted.

Unlike other checks for missing authorization checks (for example, in reports or RFC function modules) dangerous statements are not covered by this check. This means that missing authorization checks are also registered if no dangerous statement is found.

Use of command COMMUNICATION – 11C1

Statement COMMUNICATION used

The statement COMMUNICATION is based on a non-secure communication protocol. Neither this protocol nor the statement COMMUNICATION should be used any longer.

Procedure

Use a different communication protocol, such as RFC, instead of the existing code.

All places where the statement COMMUNICATION is used are detected.

If the source code position in question does not have any security problems and there is no point in modifying the source code, an exemption should be requested in ATC.

Potential SQL injection – 11D1

Potential injection of malicious SQL statements or clauses

In the case in question, external data is injected into an SQL statement that is passed for execution by the database. This could enable potential attackers to gain unauthorized access to the SAP database of the system by making unexpected input. This is known as an SQL injection.

Procedure

It is important that user input is not injected directly into the SQL statement. If it is necessary to create the SQL statement based on user input regardless of this, this input must be thoroughly checked beforehand.

The class CL_ABAP_DYN_PRG can be used to implement input checks as described in Validation by Methods of CL_ABAP_DYN_PRG. (The individual methods in the class CL_ABAP_DYN_PRG became available in different Support Packages or SAP Notes. SAP Note 1852318 provides an overview of these methods.) In the case in question, the following methods of this class are viewed as sufficient by the automated check (if the RETURNING parameter of the method in question is used in further processing):

1. 1. 1. ESCAPE_QUOTES
    2. QUOTE
    3. CHECK_CHAR_LITERAL
    4. CHECK_INT_VALUE
    5. CHECK_VARIABLE_NAME
    6. CHECK_COLUMN_NAME
    7. CHECK_TABLE_OR_VIEW_NAME_STR
    8. CHECK_TABLE_OR_VIEW_NAME_TAB
    9. CHECK_TABLE_NAME_STR
    10. CHECK_TABLE_NAME_TAB
    11. CHECK_WHITELIST_STR
    12. CHECK_WHITELIST_TAB

Secure data sources can also be displayed using the report RSLIN_SEC_DISPLAY_BADIS.

Performs a local data flow analysis.

If a source code position is flagged and does not present a security problem and an input check or escape action (for example, using a method from CL_ABAP_DYN_PRG) is not appropriate, an exemption should be requested in ATC.

Missing content check during HTTP upload -11F1

Method IF_HTTP_REQUEST~GET_DATA( ) was called without parameter VSCAN_SCAN_ALWAYS.

In certain cases, this could lead to Cross-Site-Scripting (XSS) via file upload (MIME sniffing). For more information, see the "SAP NetWeaver Security Guide" ("Network Services" -> "Preventing Cross-Site Scripting From Uploads").

Procedure

Method IF_HTTP_REQUEST~GET_DATA( ) should be called with parameter VSCAN_SCAN_ALWAYS set (see Note 1883929).

If the source code position in question does not have any security problems and there is no point in modifying the source code, an exemption should be requested in ATC.

Calls of methods IF_HTTP_REQUEST~GET_DATA( ) and IF_HTTP_ENTITY~GET_DATA( ) without parameter VSCAN_SCAN_ALWAYS are reported.

Direct read access to critical database tables – 11G0

Read on sensitive database tables

A sensitive database table was read in a customer system.

These can be SAP tables (if not in the list of database tables registered as harmless).

These can also be all database tables registered as sensitive tables in the list.

Database tables can be registered as sensitive or harmless using the BAdI SLIN_BADI_DBTAB_ACCESS (see the documentation).

Procedure

These database tables must not be accessed.

Write access to sensitive database tables – 11G1

Write on sensitive database tables

A write was performed on a sensitive database table in a customer system.

These can be SAP tables (if not in the list of database tables registered as harmless).

These can also be all database tables registered as sensitive tables in the list.

Database tables can be registered as sensitive or harmless using the BAdI SLIN_BADI_DBTAB_ACCESS (see the documentation).

Procedure

These database tables must not be accessed.

Hard-coded password – 11K1

A method or function was called with a hard coded password. This is a possible indication, for example, that a user or an RFC destination exists in the system with logon data from the source code.

Example

CALL FUNCTION 'BAPI_USER_CREATE1' EXPORTING USERNAME = 'USER1' PASSWORD = 'Abcd1234' ...

Procedure

Verify that the hard coded password is necessary and, if possible, stop using the hard coded value.

The check does not return a message in the following cases:

1. 1. - The password comes from user input.
    - The password is from the database.
    - The password was generated, for example using the function SUSR_GENERATE_PASSWORD. Some APIs, such as BAPI_USER_CREATE1, return a generated password when a user is created.

All method calls and function calls are logged in which a password-relevant IMPORTING CHANGING parameter has a hard coded value. A parameter is password-relevant if it follows a particular naming convention.

If the source code position in question does not have any security problems and there is no point in modifying the source code, an exemption should be requested in ATC.

Field with hard coded password - 11K2

A variable or constant with a hard coded password exists. This is a possible indication, for example, that a user or an RFC destination exists in the system with logon data from the source code.

Example

FUNCTION 'GET_USER_PASSWORD'
*"--------------------------------------
*"*"Local Interface:
*" EXPORTING
*" VALUE(EV_PASSWORD) TYPE STRING
*"---------------------------------------

EV_PASSWORD = 'Abcd1234'

ENDFUNCTION.

Procedure

Verify that the hard coded password is necessary and, if possible, stop using the hard coded value.

The check does not return a message in the following cases:
•The password comes from user input.
•The password is from the database.
•The password was generated, for example using the function SUSR_GENERATE_PASSWORD.

If the source code position in question does not have any security problems and there is no point in modifying the source code, an exemption should be requested in ATC.

All password-relevant fields that have a hard-coded value are reported. A field is a password-relevant field if it follows a specific naming convention or has a specific type.

Field with Base64-encoded password - 11K3

There is a variable with a Base64-encoded password. This can be an indication that the password was not sent or saved securely.

Example

L_ENCRYPTED_PASSWORD = CL_HTTP_UTILITY=>ENCODE_BASE64( I_PASSWORD ).

Procedure

Do not use Base64 as the encryption algorithm. Base64 encodes and does not encrypt. If possible, use the default methods for authentication and saving passwords.

If the source code position in question does not have any security problems and there is no point in modifying the source code, an exemption should be requested in ATC.

All Base64-encoded password-relevant fields are highlighted. A field is a password-relevant field if it follows a specific naming convention or has a specific type.

The following Base64 encoding APIs are analyzed:

CL_HTTP_UTILITY=>ENCODE_BASE64

CL_HTTP_UTILITY=>ENCODE_X_BASE64

SSFC_BASE64_ENCODE

Potential valid invalidation using the class CL_ABAP_DYN_PRG - 11N1

The class CL_ABAP_DYN_PRG can be used to implement input checks as described in Validation by Methods of CL_ABAP_DYN_PRG. In this case, the validation may have no effect and may therefore be invalid.

Example

" - Incorrect validation
TRY.
tab_name =
cl_abap_dyn_prg=>check_table_or_view_name_str(
val = tab_name
packages = 'SABAPDEMOS' ).
CATCH cx_abap_not_a_table cx_abap_not_in_package.
"TODO...
ENDTRY.

SELECT SINGLE name FROM (tab_name) INTO lv_custname
WHERE id = '22'.

Procedure

Note the following notes for the selected elements:

React appropriately to validation errors by handling the corresponding exception.

Do not use the same variable as an argument for EXPORTING and RETURNING parameters. Only use the RETURNING value in further processing. This ensures that an unchecked entry cannot be processed further.

Example

TRY.
" - Correct validation
tab_name_checked
= cl_abap_dyn_prg=>check_table_or_view_name_str(
val = tab_name
packages = 'SABAPDEMOS' ).
CATCH cx_abap_not_a_table.
MESSAGE 'Table is not allowed' TYPE 'E'.
CATCH cx_abap_not_in_package.
MESSAGE 'Table is not in package' TYPE 'E'.
ENDTRY.

SELECT SINGLE name FROM (tab_name_checked) INTO lv_custname
WHERE id = '22'.

If the source code position in question does not have any security problems and there is no point in modifying the source code, an exemption should be requested in ATC.

How is the check done?

All method calls of CL_ABAP_DYN_PRG are analyzed and any suspicious calls are reported.

Potential valid invalidation (tautological value check) with class CL_ABAP_DYN_PRG - 11N3

The class CL_ABAP_DYN_PRG can be used to implement input checks as described in Validation by Methods of CL_ABAP_DYN_PRG. The following methods can be used to check the input value against a list of allowed values:

CHECK_WHITELIST_STR

CHECK_WHITELIST_TAB

MASS_CHECK_WHITELIST_TAB

MASS_CHECK_WHITELIST_STR

In this case, the validation may have no effect and may therefore be invalid because the list of permitted values was probably derived from the value to be checked or is empty.

Example

" Incorrect validation (Tautological AllowList)

allow_list = tab_name.

tab_name =
cl_abap_dyn_prg=>check_whitelist_str( val = tab_name
whitelist = allow_list ).

SELECT SINGLE name FROM (tab_name) INTO lv_custname
WHERE id = '22'.

Procedure

Note the following notes for the selected elements:

The list of allowed values must not be derived from the value to be checked (tautological case).

If possible, use other validation methods from the class CL_ABAP_DYN_PRG instead of the methods CHECK_WHITELIST_STR, CHECK_WHITELIST_TAB, MASS_CHECK_WHITELIST_TAB and MASS_CHECK_WHITELIST_STR.

React appropriately to validation errors by handling the corresponding exception.

Do not use the same variable as an argument for EXPORTING and RETURNING parameters. Only use the RETURNING value in further processing. This ensures that an unchecked entry cannot be processed further. If exception handling is missing at the same time, an entry could otherwise be processed further even if the value to be checked is not contained in the list of permitted values.

Example

TRY.
" Correct validation with CHECK_WHITELIST_STR

allow_list = cl_some_class=>get_allowed_tables( ).

tab_name_checked =
cl_abap_dyn_prg=>check_whitelist_str( val = tab_name
whitelist = allow_list ).
CATCH cx_abap_not_in_whitelist.
MESSAGE 'Table not allowed' TYPE 'E'.
ENDTRY.

" Or Correct validation with another method
TRY.

tab_name_checked
= cl_abap_dyn_prg=>check_table_or_view_name_str(
val = tab_name
packages = 'SABAPDEMOS' ).

CATCH cx_abap_not_a_table.
MESSAGE 'Table is not allowed' TYPE 'E'.
CATCH cx_abap_not_in_package.
MESSAGE 'Table is not in package' TYPE 'E'.
ENDTRY.

SELECT SINGLE name FROM (tab_name_checked) INTO lv_custname
WHERE id = '22'.

If the source code position in question does not have any security problems and there is no point in modifying the source code, an exemption should be requested in ATC.

How is the check done?

All method calls of CL_ABAP_DYN_PRG are analyzed and any suspicious calls are reported.

Open URL redirect – 11P1

Potential Unvalidated URL Redirect

In the case in question, external data from an HTTP request (such as URL parameters or HTML form fields) is used as a source for URL redirect, or the data is used to create an HTTP Header with dynamic field names. This makes it possible for attackers to redirect victims to other websites. These cases are known as unvalidated URL redirects.

Example

It is important to differentiate between the following two cases:

1. URL redirect API call

DATA RESPONSE TYPE REF TO IF_HTTP_RESPONSE. ... RESPONSE->REDIRECT( LV_URL ). RESPONSE->SET_HEADER_FIELD( NAME = 'LOCATION' VALUE = LV_URL ). RESPONSE->SET_HEADER_FIELD( NAME = 'REFRESH' VALUE = LV_URL ).

2. Call of IF_HTTP_RESPONSE~SET_HEADER_FIELDS or SET_HEADER_FIELD with dynamic HTTP Header field names

RESPONSE->SET_HEADER_FIELD( NAME = LV_NAME VALUE = LV_URL ). RESPONSE->SET_HEADER_FIELDS( FIELDS = LT_HTTPNVP_TAB ).

Procedure

URL redirect API call

It is first necessary to check whether URL redirects by URL destination can be avoided by user input. If this is not possible, the input data should be checked via an allow list before being used in HTTP redirects.

In this case, the automated check views the allow list method CL_HTTP_UTILITY=>CHECK_HTTP_WHITELIST, with a corresponding ENTRY_TYPE (for example, 99 – Generic Redirect), as sufficient, if the RETURNING parameter of the method is used for further processing.

This method is provided in support packages or correction instructions (see SAP Note 2189853).

SET_HEADER_FIELDS or SET_HEADER_FIELD with dynamic HTTP Header field names

In this case, the automatic check cannot estimate whether the call with dynamic field names will result in a URL redirect. Therefore, you should check whether SET_HEADER_FIELDS or SET_HEADER_FIELD with dynamic fields can be avoided. If this is not possible, you should apply for an exemption in ATC.

A local data flow analysis is performed.

If the source code position in question does not have any security problems and there is no point in modifying the source code, an exemption should be requested in ATC.

Potential Reverse Tabnabbing – 11R1

Reverse tabnabbing indicates attacks in which a linked page can overwrite the original page, for example, by replacing it with a phishing page. The user saw the correct page which means that he or she may not noticed that the page was switched. If the user enters confidential data on the switched page, they are sent to the phishing page and not to the original page.

See https://owasp.org/www-community/attacks/Reverse_Tabnabbing

Example

Code on vulnerable page:

<a href="https://bad_evil.com" target="_blank">HTML Link </ a>

<button onclick="window.open('https://bad_evil.com')">
Vulnerable target using javascript
</button>

Code on malicious page:

Procedure

In the case of HTML links, add the attribute rel = "noopener noreferrer" to each link.

In the case of JavaScript, use the function window.open with 'noopener, noreferrer'

If the source code position in question does not have any security problems and there is no point in modifying the source code, an exemption should be requested in ATC.

How is the check done?

The check analyzes character literals in the ABAP source code that contain 'TARGET="_BLANK"' or 'WINDOW.OPEN'. An error occurs if 'NOOPENER NOREFERRER' is not found in the same statement.

The BSP application is not protected against XSRF - 11RF

The BSP application is not protected against cross-site request forgeries (XSRF).

Procedure

Select the "XSRF protection" checkbox for the BSP application.

If the place in question is not a security risk (Public BSP, has its own XSRF protection), apply for an exemption in ATC.

Hard-coded host name – 11S1

Hard-coded host name, possibly from forgotten test code or an indication of a back door

Host name queries in ABAP indicate security problems. Host-specific code often presents a back door for attackers.

Procedure

Check whether the host name query could possibly indicate a back door. Remove these back doors.

Remove any host-specific code that is not required to run the program.

Some applications cases require host-specific code. However, there is currently no method of detecting these code sections and excluding them from the checks.

Check whether suitable customizing or a suitable API could help to apply distinct behavior to individual hosts in these cases.

All occurrences are reported in which the current host name from the system fields SY-HOST and SYST-HOST or from the call of CL_ABAP_SYST=>GET_HOST_NAME( ) is compared with a fixed value. To do this, it views the logical condition of the predefined functions BOOLC or BOOLX and the following statements:

1. 1. 1. IF, ELSEIF
    2. CASE, WHEN
    3. CHECK
    4. ASSERT

If the source code position in question does not have any security problems and there is no point in modifying the source code, an exemption should be requested in ATC.

Hard-coded system ID – 11S2

Hard-coded system ID, possibly from forgotten test code or an indication of a back door

System ID queries in ABAP indicate security problems. System-specific code often presents a back door for attackers.

Procedure

Check whether the system ID query could possibly indicate a back door. Remove these back doors.

Remove any system-specific code that is not required to run the program.

Some applications cases require system-specific code. However, there is currently no method of detecting these code sections and excluding them from the checks.

Check whether suitable customizing or a suitable API could help to apply distinct behavior to individual systems in these cases.

All occurrences are reported in which the current system ID from the system fields SY-SYSID and SYST-SYSID are compared with a fixed value. To do this, it views the logical condition of the predefined functions BOOLC or BOOLX and the following statements:

IF, ELSEIF

CASE, WHEN

CHECK

ASSERT

If the source code position in question does not have any security problems and there is no point in modifying the source code, an exemption should be requested in ATC.

Hard-coded client – 11S3

Hard-coded client from forgotten test Code or that could indicate a back door.

Client queries in ABAP indicate security problems. Client-specific code often presents a back door for attackers.

Procedure

Check whether the client number query could possibly indicate a back door. Remove any back doors.

Remove any client-dependent code that is not required to run the program.

Some applications cases require client-specific code. However, there is currently no method of detecting these code sections and excluding them from the checks.

Check whether suitable customizing or a suitable API could help to apply distinct behavior to individual clients in these cases.

All occurrences are reported in which the current client from the system fields SY-MANDT and SYST-MANDT or from the call of

CL_ABAP_SYST=>GET_CLIENT( ) is compared with a fixed value. To do this, it views the logical condition of the predefined functions BOOLC or BOOLX and the following statements:

IF, ELSEIF

CASE, WHEN

CHECK

ASSERT

If the source code position in question does not have any security problems and there is no point in modifying the source code, an exemption should be requested in ATC.

Comparison of a specific registered system variable with a fixed value – 11S4

System variable compared with a hard-coded value from forgotten test code or that could indicate a back door

A comparison between one or more registered system variables and a hard-coded value indicates a security problem, since the code dependent on these system variables could be a back door.

Procedure

Check whether the system variable query could possibly indicate a back door. Remove these back doors.

Remove any code dependent on these system variables that is not required to run the program.

Some application cases require code dependent on these system variables. However, there is currently no method of detecting these code sections and excluding them from the checks.

Check whether suitable customizing or a suitable API could help to apply distinct behavior in these cases, depending on the registered system variables.

The system variables in question were registered using the BAdI SLIN_BADI_SEC_BACKDOOR as described in the documentation.

All occurrences are reported in which the registered system variables from the system structures SY and SYST are compared with a fixed value. To do this, it views the logical condition of the predefined functions BOOLC or BOOLX and the following statements:

IF, ELSEIF

CASE, WHEN

CHECK

ASSERT

If the source code position in question does not have any security problems and there is no point in modifying the source code, an exemption should be requested in ATC.

Undocumented profile parameter used – 11SP

Using undocumented profile parameters indicates a security problem, a potential back door.

Procedure

Use only documented profile parameters.

How is the check done?

All usages of profile parameters for which there is no documentation in transaction RZ11 are reported.