There are good blogs regarding Cross Site Scripting ( XSS ) topic in SAP Community:
- XSS (Cross-Site Scripting) – Overview and Contexts
- XSS (Cross-Site Scripting) – Methodology and Solutions
In this blog, I just show how to build a simple XSS example in Java and then try to implement the same in ABAP as well.
I have a github repository where a simple Java Servlet is developed.
Simply clone it locally and run as Server via url: http://localhost:8080/jerrytest, and it will print out the user gent field of the current http request.
Now append the parameter ?id=Jerry,Wang to the url, and this parameter will be echoed in the output as well.
What happens if I append an executable Script tag in the parameter place?
Then I tried with this fragment below. To my surprise, I never saw the expected alert popup. The error message in Chrome development tool tells the truth.
Since I am using Tomcat as my local test server and I found from this blog Cross-site Scripting (XSS) Prevention in Apache Tomcat 7 that Cross Site Scripting protection is by default turned on.
As a result in my Servlet implementation I deactivate this protection temporarily by adding a new header field to http response.
And after restart of Tomcat, I see the expected popup in the end.
And now I try to simulate the same in ABAP.
I create a new ICF node and its handler class in tcode SICF:
The implementation of this handler class simply display the passed-in parameter with name "ID".
In normal case it works fine:
Now try XSS access:
Error message:
Go to tcode SMICM, set trace level to 3:
And repeat the XSS access, and then display trace file in tcode SMICM:
From trace file, I get to know the passed-in url "id=<script>console.log("hello");</script>" matches the filter pattern configured in ICM, so this request is filtered out and has no chance to be executed at all.
This test result just shows the fact that ABAP Netweaver acting as a Web server has its own built-in XSS protection as well.
Here below are some document about filter configuration in ICM.
Further reading
I have written a series of blogs which compare the language feature among ABAP, JavaScript and Java. You can find a list of them below:
- Lazy Loading, Singleton and Bridge design pattern in JavaScript and in ABAP
- Fibonacci Sequence in ES5, ES6 and ABAP
- Java byte code and ABAP Load
- How to write a correct program rejected by compiler: Exception handling in Java and in ABAP
- An small example to learn Garbage collection in Java and in ABAP
- String Template in ABAP, ES6, Angular and React
- Try to access static private attribute via ABAP RTTI and Java Reflection
- Local class in ABAP, Java and JavaScript
- Integer in ABAP, Java and JavaScript
- Covariance in Java and simulation in ABAP
- Various Proxy Design Pattern implementation variants in Java and ABAP
- Tag(Marker) Interface in ABAP and Java
- Bitwise operation ( OR, AND, XOR ) on ABAP Integer
- ABAP ICF handler and Java Servlet
- ADBC and JDBC
- CL_ABAP_CORRESPONDING, CL_JAVA_CORRESPONDING and CL_JS_CORRESPONDING
- Build an Cross Site Scripting example in Java and ABAP
- Play around with JSONP in nodeJS server and ABAP server
- SAP Managed Tags:
1 Comment
