EP: Portal – ESS/MSS Applications & Cross Site Forgery Vulnerabilities
In the modern world of computing, IT Security is perhaps one of the important aspects of assured business practices and conformance to business practices. Without necessary security measures and protection mechanisms as we know the consequences can be consequential in all walks of life and the Enterprise Portal is no different.
In my experience with the Enterprise Portal I’ve dealt with many different scenarios in which customers have been performed security scans and updates in a bid to identify vulnerabilities and make correction measures were necessary
The Enterprise Portal as we know serves as a central conduit channel through which we can access essential information, business applications and all associated business data. Within an organizational environment a Portal environment is built upon the NW platform which in turn is utilized by large end-users bases meaning system flow can on occasion be heavy & process-complex.
Applications & Security Breaches
Now as we mentioned above the Portal in itself serves as a centralized means of access to a multitude of application types. In terms of the applications themselves in the past external security audits have revealed possible security threats and vulnerabilities.
- Application Example: Let us imagine that we have a scenario in which you are utilizing the Portal in your organization and have integrated alongside an ECC Setup for ESS or MSS (Self-Service) scenarios. A working example of this may be an organizational setup for additional payments or leave requests e.g. CATS. Security testing or external auditing software may reveal potential causes for concerns in terms of concern.
CSS (Cross-Site-Forgery) is often a highlighted finding in some audit reports.
- “Cross-site scripting (XSS) is a type of computer security vulnerability typically found in web applications. XSS enables attackers to inject client-side scripts into web pages viewed by other users”.
I’ve identified a CSS vulnerability, what should I do?
Firstly in terms of the NW Java Setup & the Enterprise Portal the core points of reference in terms of security setup and deterring threats is the documentation outlined below: Both documents below offer insight and guidance surrounding the correct property setup (in terms of security)
- Portal Security Guide: https://help.sap.com/saphelp_nw70ehp1/helpdata/en/5c/429f00a14aa54195b1c63ae1512d10/frameset.htm
- Portal Security Guide (2): http://www.sdn.sap.com/irj/scn/go/portal/prtroot/docs/library/uuid/d0a3e93c-7f16-2a10-7781-dcf70b83d1f3?overridelayout=true
Secondly in terms of specifics surrounding Cross-Site Forgery highlights. You will see in the documentation below cross-site framing issues and identified weaknesses alongside a comprehensive overview on protection measures and configurations:
A few lines on cross site scripting issues: http://scn.sap.com/community/enterprise-portal/blog/2014/10/07/an-approach-to-web-security-issues-on-customized-portal-applications
More Information About Preventing Cross-Site Scripting: http://help.sap.com/saphelp_nw73ehp1/helpdata/en/4f/99e4d0269a4b21e10000000a42189b/content.htm?frameset=/en/25/cf8df3ae17450fb903c49 f38b9901b/frameset.htm
Cross-Site Scripting (XSS): http://help.sap.com/saphelp_nw73ehp1/helpdata/en/e8/5ccb6270f145faaecc7a163da16d5a/content.htm
Lastly just a few additional points of reference here to keep in mind. If you are using self-developed or custom ITS Services I would recommend ensuring that it is XSRF protected. For more details about XSRF protection please read the attached SAP Note carefully: #1481392 (Cross Site Request Forgery Protection for ITS). Especially the section “How to enable the XSRF protection?” and “How does the XSRF protection works?”.
Additionally one way to ensure all protection enhancements are in place is to ensure that you are operating on the latest SP & Patch Level Release.
In terms of the Employee Self Service Application specifically and if this is the sole area affected then you will need to follow the documentation below in accordance to the reporting:
- SAP Note: 2191528 – Third-party report showing security vulnerabilities.
Thanks for pointing this out in a blog.
Made me feel a bit nostalgic about XSS experience in my early days as portal consultant some 8 years back for a major FMCG client in India. Just weeks before go-live E&Y audit team had found several vernabilities in portal related to KM folders. And, we had not touched upon any KM related things as we did not have any KM related work in the project (Webdynpro Java applications). It is much later I found out that SAP ships some default folder with anonymous access. These KM folders posed the threats. We had to change the security settings for KM folders for compliance.
Many thanks for the response and I hope you are keeping well.
In relation to you're feedback, many thanks and indeed it is truly my pleasure. I believe it is indeed of vital importance to cover security topics from both the standpoint of the Portal and integrated application setups. As newer versioning continues to be rolled out there are bound to be underlying functional changes and as a result of this different "security highlights" may come under the limelight with customers. I will continue to cover these topics in the hope that it provides some insight for our customers.
Once again I would like to thank you very much for your feedback as it is greatly appreciated. If you ever have any queries or seek blog content on a particular Portal topic, please reach out to me as I would be more than happy to help out.
Many thanks again and have a fantastic day.
Troy - Enterprise Portal Support Engineer