EP: Portal – ESS/MSS Applications & Cross Site Forgery Vulnerabilities
In the modern world of computing, IT security is one of the most important aspects of sound business practice and of conformance to business requirements. Without the necessary security measures and protection mechanisms the consequences can be severe in every walk of life, and the Enterprise Portal is no different.
In my experience with the Enterprise Portal I’ve dealt with many different scenarios in which customers have performed security scans and updates in a bid to identify vulnerabilities and take corrective measures where necessary.
The Enterprise Portal, as we know, serves as a central conduit through which we access essential information, business applications and all associated business data. Within an organization the Portal environment is built upon the NW (NetWeaver) platform and is used by large end-user bases, meaning that system load can on occasion be heavy and process-complex.
Applications & Security Breaches
As mentioned above, the Portal itself serves as a centralized means of access to a multitude of application types. In the past, external security audits of the applications themselves have revealed possible security threats and vulnerabilities.
- Application Example: Let us imagine a scenario in which you are utilizing the Portal in your organization and have integrated it alongside an ECC setup for ESS or MSS (Self-Service) scenarios. A working example of this may be an organizational setup for additional payments or leave requests, e.g. CATS. Security testing or external auditing software may reveal potential causes for concern in such applications.
CSS (Cross-Site-Forgery) is often a highlighted finding in some audit reports.
- “Cross-site scripting (XSS) is a type of computer security vulnerability typically found in web applications. XSS enables attackers to inject client-side scripts into web pages viewed by other users”.
I’ve identified a CSS vulnerability, what should I do?
Firstly, in terms of the NW Java setup and the Enterprise Portal, the core points of reference for security setup and deterring threats are the documents outlined below. Both offer insight and guidance on the correct property setup in terms of security:
- Portal Security Guide: https://help.sap.com/saphelp_nw70ehp1/helpdata/en/5c/429f00a14aa54195b1c63ae1512d10/frameset.htm
- Portal Security Guide (2): http://www.sdn.sap.com/irj/scn/go/portal/prtroot/docs/library/uuid/d0a3e93c-7f16-2a10-7781-dcf70b83d1f3?overridelayout=true
Secondly, in terms of specifics surrounding cross-site forgery findings: the documentation below covers cross-site framing issues and identified weaknesses alongside a comprehensive overview of protection measures and configurations:
A few lines on cross site scripting issues: http://scn.sap.com/community/enterprise-portal/blog/2014/10/07/an-approach-to-web-security-issues-on-customized-portal-applications
More Information About Preventing Cross-Site Scripting: http://help.sap.com/saphelp_nw73ehp1/helpdata/en/4f/99e4d0269a4b21e10000000a42189b/content.htm?frameset=/en/25/cf8df3ae17450fb903c49f38b9901b/frameset.htm
Cross-Site Scripting (XSS): http://help.sap.com/saphelp_nw73ehp1/helpdata/en/e8/5ccb6270f145faaecc7a163da16d5a/content.htm
Lastly, just a few additional points of reference to keep in mind. If you are using self-developed or custom ITS services I would recommend ensuring that they are XSRF-protected. For more details about XSRF protection please read the attached SAP Note carefully: #1481392 (Cross Site Request Forgery Protection for ITS), especially the sections “How to enable the XSRF protection?” and “How does the XSRF protection works?”.
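To make concrete what "XSRF-protected" means for a self-developed self-service handler, here is an added illustration (my own example, not SAP's ITS implementation or any code from the note above): a constructed leave-request handler that binds a random token to the session, embeds it in the form, and refuses any state-changing request that does not carry the matching token. The session store, the `/leave` form and the `days`/`reason` fields are all assumptions made up for the example; the same block also HTML-escapes an echoed field, which is the corresponding XSS measure.

```python
"""Synchronizer-token XSRF check for a constructed leave-request handler."""
import hmac
import html
import secrets

# Constructed in-memory session store: session_id -> session data.
SESSIONS = {}


def new_session():
    """Create a session whose XSRF token is generated server-side and never sent cross-site."""
    sid = secrets.token_urlsafe(16)
    SESSIONS[sid] = {"xsrf_token": secrets.token_urlsafe(32), "leave_requests": []}
    return sid


def render_leave_form(sid, reason=""):
    """Embed the session-bound token as a hidden field; echo user input only after escaping."""
    token = SESSIONS[sid]["xsrf_token"]
    return (
        '<form method="POST" action="/leave">'
        f'<input type="hidden" name="xsrf_token" value="{token}">'
        f'<input name="reason" value="{html.escape(reason, quote=True)}">'
        "</form>"
    )


def submit_leave_request(sid, method, form):
    """Return (status, message).

    A forged cross-site request arrives with the victim's session cookie (sid) but
    cannot know the token inside the victim's page, so it is rejected with 403.
    """
    session = SESSIONS.get(sid)
    if session is None:
        return 401, "no session"
    if method != "POST":
        return 405, "state change requires POST"
    supplied = form.get("xsrf_token", "")
    # Constant-time comparison on bytes; avoids timing leaks and non-ASCII TypeError.
    if not hmac.compare_digest(supplied.encode(), session["xsrf_token"].encode()):
        return 403, "XSRF token missing or invalid"
    session["leave_requests"].append(form.get("days", "0"))
    return 200, "leave request recorded"
```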
Additionally, one way to ensure all protection enhancements are in place is to ensure that you are operating on the latest SP and patch level release.
In terms of the Employee Self Service application specifically, if this is the sole area affected then you will need to follow the documentation below in accordance with the reporting:
- SAP Note: 2191528 – Third-party report showing security vulnerabilities.