SCI202
Secure ABAP Programming
Selvaraj K, Quality Governance & Production
Frank Buchholz, Active Global Support
October 2010
© 2010 SAP AG. All rights reserved. / Page 2
Disclaimer
This presentation outlines our general product direction and should not be relied on in making a
purchase decision. This presentation is not subject to your license agreement or any other
agreement with SAP. SAP has no obligation to pursue any course of business outlined in this
presentation or to develop or release any functionality mentioned in this presentation. This
presentation and SAP's strategy and possible future developments are subject to change and
may be changed by SAP at any time for any reason without notice. This document is provided
without a warranty of any kind, either express or implied, including but not limited to, the implied
warranties of merchantability, fitness for a particular purpose, or non-infringement. SAP
assumes no responsibility for errors or omissions in this document, except if such damages
were caused by SAP intentionally or grossly negligent.
Learning Objectives
As a result of this workshop, you will be able to:
Recognize common security vulnerabilities in ABAP applications
Apply secure ABAP programming methods
Understand the developer's responsibilities for application security
Agenda
1. Security
Why?
Security @ SAP
2. Secure ABAP
Secure Programming & Secure User Interface
3. Common Vulnerabilities in ABAP Applications
Cross Site Scripting
Backdoors
Path Traversals
Dangerous ABAP Commands
4. Developer Responsibilities
Security – Why?
Why is security needed in every software application?
Appropriate security protects the organization from undue operational risk in a cost-effective manner.
Cyber attacks are becoming more stealthy and sophisticated, creating a complex and dynamic risk environment for IT-based operations.
To address this, significant effort goes into reducing vulnerabilities, improving resistance to attack, and protecting data integrity, regulatory compliance, intellectual property and trust relationships with partners.
Open standards and open networks create new business opportunities, but also new exposures.
Security – Law of Weakest Link
Law of Weakest Link
To SECURE an application, all of its components, functions and infrastructure, and the threats against each of them, must be understood and addressed.
To BREAK an application, a single flaw in any one component, function or piece of infrastructure may be enough.
Software Security @ SAP
SAP development projects have to adhere to PIL.
The Product Innovation Lifecycle (PIL) is the SAP approach to product quality. PIL consists of process standards and product standards. The product standards define requirements common to all SAP products.
The PIL Security Standard defines security requirements targeting:
Vulnerability prevention
TCO reduction
Legal compliance
Requirements are
included in the planning phase
fulfilled in development
checked in the test phase
Organization
Standard Owner
Expert Network – multiplication and reporting over all development units
Production Unit – enforces compliance of SAP product development
Security Solution Map
Layers of the map and the security targets in each:
Regulatory Compliance: Compliance Auditing (SAP Solutions for Governance, Risk and Compliance)
Secure Collaboration: Web Services Security, Content Security, Security Interoperability
Identity and Access Management: Identity Management, Authorization Concepts and Management, Authentication and Single Sign-On
Infrastructure Security: Network and Communications Security, Operating System and Database Security, Front-End Security
Software Lifecycle Security: Secure Product Development, Secure Delivery, Secure Configuration, Secure Change Management
Security Governance
Secure ABAP – Secure Programming
The following security categories are mandatory for secure program development.
Password Security
Passwords are authentication credentials and must never be exposed: not displayed in plain text, not hardcoded in programs, not written to logs or traces.
Secure Data Storage (ABAP/DB)
Sensitive data such as passwords or credit card numbers must be stored in encrypted form, using standard cryptographic algorithms, so that it is protected against disclosure and tampering by anyone with access to the database or file system.
Security Logging
Audit logs are essential for monitoring the security of your system and for reconstructing events when a problem or incident occurs.
SAP Virus Scan Interface
Virus scanning must be performed every time potentially contaminated data enters the SAP system through an input channel (file upload, document import, etc.).
Secure Store and Forward Mechanism (SSF)
SSF functions "wrap" data and digital documents in secure formats, using digital signatures and encryption, before they are saved on data carriers or transmitted over (potentially) insecure communication lines.
Secure ABAP – Secure User Interface
Secure user interface development is possible only when the following security categories are addressed.
Cross-Site Scripting (XSS)
XSS attacks manipulate HTML pages by injecting malicious script code, or use indirect techniques such as redirecting the user to another server or manipulating application logic.
SQL Injection
SQL injection arises when user input is embedded directly into SQL statements (in ABAP: dynamic WHERE clauses, dynamic table or column names) without appropriate validation or escaping.
Input Validation
Make sure that input has the expected form (type, length, character set, value range) so that unexpected data cannot alter the intended execution of the program.
Canonicalization
Transform an input value into its simplest and shortest representation (decode URL encoding, resolve "." and ".." in paths) before validating it; otherwise a filter can be bypassed by encoded or otherwise polymorphic forms of the same attack.
Secure ABAP – Secure User Interface (continued)
Directory Traversal
The URL (or another input) is manipulated so that the web server reveals the content of a file anywhere on the server, outside the web server's root directory. These attacks use special character sequences such as "../" in URL parameters, cookies, etc.
Cookie Manipulation
Cookies carry information that web applications use to persist state and pass variables back and forth between the browser and the server. Because the client fully controls them, the risk of tampering and of information disclosure is high: a cookie must never be trusted as an authorization decision and must not carry secrets in the clear.
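The SQL injection, input validation and canonicalization points above in working ABAP, as an added example that is not code from the SCI202 deck: a dynamic WHERE clause built from user input, first spliced in as-is and then protected with CL_ABAP_DYN_PRG (available in newer ABAP releases; on a system without it the quotes have to be doubled by hand). It assumes the SAP flight demo table SCARR exists; the class and variable names and the attacker strings are the example's own.

```abap
REPORT zsqli_demo.

CLASS lcl_carrier DEFINITION.
  PUBLIC SECTION.
    TYPES ty_carriers TYPE STANDARD TABLE OF scarr WITH DEFAULT KEY.

    " Vulnerable: the user input is spliced into the WHERE condition.
    CLASS-METHODS find_unsafe
      IMPORTING iv_name            TYPE string
      RETURNING VALUE(rt_carriers) TYPE ty_carriers.

    " Hardened: column name checked against an allow list, value quoted
    " so that it stays a literal whatever characters it contains.
    CLASS-METHODS find_safe
      IMPORTING iv_column          TYPE string
                iv_name            TYPE string
      RETURNING VALUE(rt_carriers) TYPE ty_carriers
      RAISING   cx_abap_not_in_whitelist.
ENDCLASS.

CLASS lcl_carrier IMPLEMENTATION.
  METHOD find_unsafe.
    DATA lv_where TYPE string.
    " Input   ' OR CARRID <> '   gives   CARRNAME = '' OR CARRID <> ''
    " and returns every row; a legitimate name such as O'Hare Air breaks
    " the statement instead (runtime error).
    CONCATENATE `CARRNAME = '` iv_name `'` INTO lv_where.
    SELECT * FROM scarr INTO TABLE rt_carriers WHERE (lv_where).
  ENDMETHOD.

  METHOD find_safe.
    DATA: lv_where  TYPE string,
          lv_column TYPE string,
          lt_allow  TYPE string_table.

    " 1) The column name is code, not data: only listed names pass,
    "    anything else raises CX_ABAP_NOT_IN_WHITELIST before any SQL runs.
    APPEND `CARRNAME` TO lt_allow.
    APPEND `CARRID`   TO lt_allow.
    lv_column = cl_abap_dyn_prg=>check_whitelist_tab(
                  val       = iv_column
                  whitelist = lt_allow ).

    " 2) The value is data: quote( ) wraps it in single quotes and doubles
    "    every quote inside, so  ' OR CARRID <> '  becomes the literal
    "    ''' OR CARRID <> '''  and simply matches no carrier.
    lv_where = lv_column && ` = ` && cl_abap_dyn_prg=>quote( iv_name ).
    SELECT * FROM scarr INTO TABLE rt_carriers WHERE (lv_where).
  ENDMETHOD.
ENDCLASS.

START-OF-SELECTION.
  DATA: lt_result TYPE lcl_carrier=>ty_carriers,
        lv_attack TYPE string,
        lv_count  TYPE i.

  " Constructed attacker input (not real request data)
  lv_attack = `' OR CARRID <> '`.

  lt_result = lcl_carrier=>find_unsafe( lv_attack ).
  lv_count  = lines( lt_result ).
  WRITE: / 'unsafe, attacker input, rows:', lv_count.   " every carrier

  TRY.
      lt_result = lcl_carrier=>find_safe( iv_column = `CARRNAME`
                                          iv_name   = lv_attack ).
      lv_count  = lines( lt_result ).
      WRITE: / 'safe, attacker input, rows:', lv_count.  " 0
      " A column name outside the allow list is refused, not executed
      lt_result = lcl_carrier=>find_safe( iv_column = `CARRNAME) OR (1 = 1`
                                          iv_name   = `Lufthansa` ).
    CATCH cx_abap_not_in_whitelist.
      WRITE: / 'column name rejected'.
  ENDTRY.
```

The split in find_safe is the general rule for every dynamic token in Open SQL: anything that is syntax (table name, column name, operator, ORDER BY field) is validated against a fixed list, anything that is a value is quoted or, better still, bound through a host variable in a static statement.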
Common Vulnerabilities in ABAP Applications
Cross Site Scripting
Description
Unfiltered, unvalidated user input is used as markup when generating dynamic content; the injected markup can run script in the victim's browser, redirect to an attacker's server or manipulate application logic.
A Cross Site Scripting (XSS) vulnerability exists whenever a web application outputs user input without encoding it appropriately for the HTML context in which it appears.
Business Risks
Allows the attacker to steal form input and the user's session (identity theft).
Can remotely access the client file system through embedded ActiveX controls and perform key logging.
Best Practices
Validate or filter user input for special character sequences, and make sure that all output returned to the end user is properly encoded for its context (HTML text, attribute value, JavaScript, URL).
Escape undesired tags in dynamically generated pages instead of printing them verbatim.
ABAP Vulnerabilities
Cross Site Scripting (XSS)
ABAP Code with XSS vulnerability
DATA: request TYPE REF TO if_http_request.
DATA: html    TYPE string.
DATA: out     TYPE REF TO if_bsp_writer.
out  = me->get_previous_out( ).
html = request->get_form_field( 'user_input' ).
* The form field is written into an attribute value without encoding.
* Input such as  "><script>alert(document.cookie)</script>  closes the
* attribute and the tag and injects a script block into the page.
out->print_string( `<input type="text" name="data" value="` ).
out->print_string( html ).
out->print_string( `">` ).
ABAP Vulnerabilities
Cross Site Scripting (XSS)
Safe ABAP Code
DATA: request TYPE REF TO if_http_request.
DATA: html    TYPE string.
DATA: out     TYPE REF TO if_bsp_writer.
out  = me->get_previous_out( ).
html = request->get_form_field( 'user_input' ).
* HTML-encode the input before it is written into the page: the tags are
* not removed, they are turned into character entities and rendered as
* text. Because the value lands inside a double-quoted attribute, the
* encoder used must encode the quote character as well; otherwise use
* attribute-specific escaping for this spot.
html = cl_http_utility=>escape_html( html ).
out->print_string( `<input type="text" name="data" value="` ).
out->print_string( html ).
out->print_string( `">` ).
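Context-specific output encoding, as an added example that is not code from the SCI202 deck: the slide's fix applies one encoder wherever the value may land, while a browser decodes text nodes, attribute values and URL parameters by different rules. This report, the example's own, uses the ESCAPE built-in with CL_ABAP_FORMAT formats (ABAP 7.02 and later); it writes the encoded strings to a list instead of a BSP page so it can be run from SE38. The class name and the attacker string are constructed for the example.

```abap
REPORT zxss_contexts.

CLASS lcl_html_out DEFINITION.
  PUBLIC SECTION.
    " Value between tags: <p>...</p>
    CLASS-METHODS text_node
      IMPORTING iv_value       TYPE string
      RETURNING VALUE(rv_html) TYPE string.
    " Value inside a double-quoted attribute: <input value="...">
    CLASS-METHODS input_field
      IMPORTING iv_name        TYPE string
                iv_value       TYPE string
      RETURNING VALUE(rv_html) TYPE string.
    " Value used as one URL query parameter
    CLASS-METHODS search_link
      IMPORTING iv_value       TYPE string
      RETURNING VALUE(rv_html) TYPE string.
ENDCLASS.

CLASS lcl_html_out IMPLEMENTATION.
  METHOD text_node.
    " e_html_text: < > & become entities, so no tag can be opened
    rv_html = `<p>`
           && escape( val = iv_value format = cl_abap_format=>e_html_text )
           && `</p>`.
  ENDMETHOD.

  METHOD input_field.
    " e_html_attr is the variant for attribute values: the quote
    " characters are encoded too, so the value can neither close the
    " attribute nor append  onmouseover="..."  to the tag
    rv_html = `<input type="text" name="`
           && escape( val = iv_name  format = cl_abap_format=>e_html_attr )
           && `" value="`
           && escape( val = iv_value format = cl_abap_format=>e_html_attr )
           && `">`.
  ENDMETHOD.

  METHOD search_link.
    " e_url percent-encodes the parameter value; the whole URL is then
    " placed in an attribute, so attribute encoding is applied on top.
    " (If the user could supply the entire href, the scheme would also
    " have to be checked: javascript: is a valid URL.)
    DATA lv_url TYPE string.
    lv_url  = `/sap/bc/bsp/sap/zdemo/search.htm?q=`
           && escape( val = iv_value format = cl_abap_format=>e_url ).
    rv_html = `<a href="`
           && escape( val = lv_url format = cl_abap_format=>e_html_attr )
           && `">search</a>`.
  ENDMETHOD.
ENDCLASS.

START-OF-SELECTION.
  DATA: lv_payload TYPE string,
        lv_out     TYPE string.

  " Constructed attacker input: closes an attribute, then a tag
  lv_payload = `"><script>alert(document.cookie)</script>`.

  lv_out = lcl_html_out=>text_node( lv_payload ).
  WRITE / lv_out.
  lv_out = lcl_html_out=>input_field( iv_name = `data` iv_value = lv_payload ).
  WRITE / lv_out.
  lv_out = lcl_html_out=>search_link( lv_payload ).
  WRITE / lv_out.
```

Encode at the point of output, for the context of that output; encoding once on input cannot be right for every place a stored value is later shown.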
Common Vulnerabilities in ABAP Applications
Backdoors
Description
Undocumented shortcuts that developers leave in the code for their own testing (hardcoded user names, user-specific breakpoints, hidden triggers) and that grant privileged access outside the normal authorization concept. After a compromise, an attacker uses such a shortcut to move around the system while bypassing its security mechanisms.
Business Risks
Can lead to a user gaining unauthorized access to privileged data within your SAP database.
They allow malicious developers to secretly reach extra functionality by feeding certain triggers to the program.
Very likely to violate regulatory compliance (segregation of duties) and to escalate user privileges.
Best Practices
Never ship backdoors or hardcoded user names used for developer testing in any productive version of an application; base every access decision on AUTHORITY-CHECK, never on SY-UNAME.
ABAP Vulnerabilities
Hardcoded User Names (Backdoor)
ABAP Code with Backdoor vulnerability
* Privileged branch for one named user, bypassing the authorization concept
IF sy-uname = 'JOHNDOE'.
* perform restricted / special actions
ENDIF.
* Breakpoint that only triggers for this user; left in productive code it
* opens the debugger, and with it the program's data, to that user
IF sy-uname = 'JOHNDOE'.
  BREAK-POINT.
ENDIF.
* Same pattern as a CHECK: everything after it runs only for JOHNDOE
CHECK sy-uname EQ 'JOHNDOE'.
* Code to perform Special Functions
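Finding the patterns above in an existing code base, as an added example that is not code from the SCI202 deck: the report below reads program sources with READ REPORT and flags SY-UNAME comparisons with a literal and user-specific BREAK statements. The program name range, the two regular expressions and the constructed sample lines are the example's own choices; a maintained Code Inspector or ATC check is the production-grade way to run this kind of scan.

```abap
REPORT zscan_backdoors.

TYPES: BEGIN OF ty_hit,
         progname TYPE progname,
         line     TYPE i,
         source   TYPE string,
       END OF ty_hit,
       ty_hits TYPE STANDARD TABLE OF ty_hit WITH DEFAULT KEY.

" Name range of programs to scan (SQL LIKE pattern)
PARAMETERS p_range TYPE progname DEFAULT 'Z%'.

CLASS lcl_scanner DEFINITION.
  PUBLIC SECTION.
    " Flags source lines that compare SY-UNAME with a literal
    " (IF / CHECK / WHEN ... 'USER') or set a user-specific breakpoint
    " (BREAK USER.). Comment lines (* in column 1) are ignored.
    CLASS-METHODS scan_lines
      IMPORTING iv_prog        TYPE progname
                it_code        TYPE string_table
      RETURNING VALUE(rt_hits) TYPE ty_hits.
    " Reads the active source of iv_prog and scans it
    CLASS-METHODS scan_program
      IMPORTING iv_prog        TYPE progname
      RETURNING VALUE(rt_hits) TYPE ty_hits.
ENDCLASS.

CLASS lcl_scanner IMPLEMENTATION.
  METHOD scan_lines.
    DATA: lt_result TYPE match_result_tab,
          ls_hit    TYPE ty_hit.
    FIELD-SYMBOLS: <ls_match> TYPE match_result,
                   <lv_line>  TYPE string.

    FIND ALL OCCURRENCES OF REGEX
      `(\bSY-UNAME\s*(=|EQ|<>|NE)\s*')|(^\s*BREAK\s+[A-Z0-9_]+\s*\.)`
      IN TABLE it_code IGNORING CASE RESULTS lt_result.

    LOOP AT lt_result ASSIGNING <ls_match>.
      READ TABLE it_code INDEX <ls_match>-line ASSIGNING <lv_line>.
      CHECK <lv_line>(1) <> '*'.
      ls_hit-progname = iv_prog.
      ls_hit-line     = <ls_match>-line.
      ls_hit-source   = <lv_line>.
      APPEND ls_hit TO rt_hits.
    ENDLOOP.
  ENDMETHOD.

  METHOD scan_program.
    DATA lt_code TYPE string_table.
    READ REPORT iv_prog INTO lt_code.
    IF sy-subrc = 0.
      rt_hits = scan_lines( iv_prog = iv_prog it_code = lt_code ).
    ENDIF.
  ENDMETHOD.
ENDCLASS.

START-OF-SELECTION.
  DATA: lt_sample TYPE string_table,
        lt_progs  TYPE STANDARD TABLE OF progname,
        lt_hits   TYPE ty_hits.
  FIELD-SYMBOLS: <lv_prog> TYPE progname,
                 <ls_hit>  TYPE ty_hit.

  " Constructed sample: lines 2, 5 and 7 are reported, line 1 (comment),
  " line 3 (plain BREAK-POINT) and line 6 (AUTHORITY-CHECK) are not
  APPEND `* IF sy-uname = 'JOHNDOE'.  (comment, ignored)`            TO lt_sample.
  APPEND `IF sy-uname = 'JOHNDOE'.`                                  TO lt_sample.
  APPEND `  BREAK-POINT.`                                            TO lt_sample.
  APPEND `ENDIF.`                                                    TO lt_sample.
  APPEND `CHECK sy-uname EQ 'JOHNDOE'.`                              TO lt_sample.
  APPEND `AUTHORITY-CHECK OBJECT 'S_TCODE' ID 'TCD' FIELD 'SE38'.`   TO lt_sample.
  APPEND `BREAK johndoe.`                                            TO lt_sample.
  lt_hits = lcl_scanner=>scan_lines( iv_prog = 'ZSAMPLE' it_code = lt_sample ).
  LOOP AT lt_hits ASSIGNING <ls_hit>.
    WRITE: / <ls_hit>-progname, <ls_hit>-line, <ls_hit>-source.
  ENDLOOP.

  " Real scan: executable programs (SUBC '1') in the chosen name range
  SELECT name FROM trdir INTO TABLE lt_progs
    WHERE name LIKE p_range AND subc = '1'.
  LOOP AT lt_progs ASSIGNING <lv_prog>.
    lt_hits = lcl_scanner=>scan_program( <lv_prog> ).
    LOOP AT lt_hits ASSIGNING <ls_hit>.
      WRITE: / <ls_hit>-progname, <ls_hit>-line, <ls_hit>-source.
    ENDLOOP.
  ENDLOOP.
```

Every hit needs a human decision: a SY-UNAME comparison in a test report may be harmless, the same line in a productive transaction is a backdoor. The scan only narrows the search to the places worth reading.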
ABAP Vulnerabilities
Command Injection (Backdoor)
ABAP Code with Backdoor vulnerability
DATA: itab    TYPE STANDARD TABLE OF string.
DATA: request TYPE REF TO if_http_request.
DATA: prog    TYPE string.
DATA: mymsg   TYPE string.
DATA: mytext  TYPE string.
DATA: myline  TYPE string.
mytext = request->get_form_field( 'mytext' ).
* The request parameter becomes part of the generated source. Input of
*   '. DELETE FROM ztab. WRITE '
* turns the one WRITE statement into three statements, the middle one
* arbitrary ABAP running with the authorizations of the current user.
CONCATENATE `WRITE '` mytext `'.` INTO myline.
APPEND `PROGRAM mypool.` TO itab.
APPEND `FORM myform.`    TO itab.
APPEND myline            TO itab.
APPEND `ENDFORM.`        TO itab.
GENERATE SUBROUTINE POOL itab NAME prog MESSAGE mymsg.
IF sy-subrc = 0.
  PERFORM ('MYFORM') IN PROGRAM (prog) IF FOUND.
ENDIF.
Common Vulnerabilities in ABAP Applications
Path Traversals
Description
Path traversal attacks manipulate file name or path information by feeding special character sequences (such as "../") into a string that represents a file locator.
When such a string is used to access a file, the application can be tricked into opening, overwriting or deleting files the user should have no access to.
Business Risks
Violation of regulatory compliance, as this vulnerability allows unprivileged access to critical business data.
Denial of service (for example by deleting files the system depends on).
Information disclosure.
Best Practices
Use a white list for file extensions and names, take the directory from a fixed source (logical file names or profile parameters) rather than from the caller, and perform an authorization check (S_DATASET, plus the application's own authorization objects) with the resolved path.
Reject, rather than strip, file access sequences such as .., \\ and // before any dataset operation, and decode URL or other encodings first so that encoded variants cannot slip past the check.
ABAP Vulnerabilities
Directory Traversals
ABAP Code with Path Traversal Vulnerability
FUNCTION del_dba_file_sdb.
*"----------------------------------------------------------------------
*"*"Local Interface:
*"  IMPORTING
*"     VALUE(dset) TYPE sada_nam
*"  EXCEPTIONS
*"     DEL_DATASET_ERROR
*"----------------------------------------------------------------------
* Only the extension is checked. The caller controls the whole path, so
* a value like  ../../../<other directory>/x.err  passes the check and
* deletes a file outside the intended directory.
  IF dset CP '*.exe' OR dset CP '*.err'.
*   perform deletion of dataset
    DELETE DATASET dset.
    IF sy-subrc <> 0.
      RAISE del_dataset_error.
    ENDIF.
  ENDIF.
ENDFUNCTION.
ABAP Vulnerabilities
Directory Traversals
Safe ABAP Code
FUNCTION del_dba_file_sdb.
*"----------------------------------------------------------------------
*"*"Local Interface:
*"  IMPORTING
*"     VALUE(dset) TYPE sada_nam
*"  EXCEPTIONS
*"     DEL_DATASET_ERROR
*"----------------------------------------------------------------------
* White list for the file extension (and, ideally, for the whole name)
  IF NOT ( dset CP '*.exe' OR dset CP '*.err' ).
    RAISE del_dataset_error.
  ENDIF.
* Reject traversal sequences instead of stripping them: removing '..'
* silently turns a rejected request into a different file name and
* does nothing about encoded forms (%2e%2e) that are decoded later.
  IF dset CS '..' OR dset CS '//' OR dset CS '\\'.
    RAISE del_dataset_error.
  ENDIF.
* Authority check with the actual file name (not the literal 'DSET')
* and activity 06 = delete
  AUTHORITY-CHECK OBJECT 'S_DATASET'
    ID 'PROGRAM'  FIELD sy-repid
    ID 'ACTVT'    FIELD '06'
    ID 'FILENAME' FIELD dset.
  IF sy-subrc <> 0.
    RAISE del_dataset_error.
  ENDIF.
  DELETE DATASET dset.
  IF sy-subrc <> 0.
    RAISE del_dataset_error.
  ENDIF.
ENDFUNCTION.
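The best practices above (white list, fixed directory, authorization check on the resolved path) carried through in one place, as an added example that is not code from the SCI202 deck. The caller supplies only a bare file name; the directory comes from a logical file name resolved with FILE_GET_NAME. The logical file name ZDBA_LOGDIR is an assumption of the example (it would be maintained in transaction FILE with a physical path that ends in a separator), as are the class name and the constructed inputs.

```abap
REPORT zdel_file_safe.

CLASS lcl_file DEFINITION.
  PUBLIC SECTION.
    " Deletes <base dir>/<iv_name>. Returns an empty string on success,
    " otherwise the reason the request was refused.
    CLASS-METHODS delete_log
      IMPORTING iv_name          TYPE string
      RETURNING VALUE(rv_reason) TYPE string.
ENDCLASS.

CLASS lcl_file IMPLEMENTATION.
  METHOD delete_log.
    DATA: lv_logical  TYPE fileintern VALUE 'ZDBA_LOGDIR',
          lv_dir      TYPE filename-fileextern,
          lv_physical TYPE string,
          lv_auth     TYPE c LENGTH 250.

    " 1) White list, not black list: a plain name of 1..40 word characters
    "    plus one of two extensions. Separators, '..', drive letters and
    "    %-encoded variants never get past this line.
    FIND REGEX `^[A-Za-z0-9_]{1,40}\.(err|exe)$` IN iv_name.
    IF sy-subrc <> 0.
      rv_reason = `file name rejected by white list`.
      RETURN.
    ENDIF.

    " 2) The directory never comes from the caller. It is resolved from
    "    the logical file name ZDBA_LOGDIR (assumed, see lead-in).
    CALL FUNCTION 'FILE_GET_NAME'
      EXPORTING
        logical_filename = lv_logical
      IMPORTING
        file_name        = lv_dir
      EXCEPTIONS
        file_not_found   = 1
        OTHERS           = 2.
    IF sy-subrc <> 0.
      rv_reason = `logical file name not configured`.
      RETURN.
    ENDIF.
    CONCATENATE lv_dir iv_name INTO lv_physical.

    " 3) S_DATASET with the resolved path (not a literal) and activity 06
    "    (delete), checked before anything touches the file system.
    lv_auth = lv_physical.
    AUTHORITY-CHECK OBJECT 'S_DATASET'
      ID 'PROGRAM'  FIELD sy-repid
      ID 'ACTVT'    FIELD '06'
      ID 'FILENAME' FIELD lv_auth.
    IF sy-subrc <> 0.
      rv_reason = `no S_DATASET authorization for this file`.
      RETURN.
    ENDIF.

    DELETE DATASET lv_physical.
    IF sy-subrc <> 0.
      rv_reason = `DELETE DATASET failed`.
    ENDIF.
  ENDMETHOD.
ENDCLASS.

START-OF-SELECTION.
  DATA lv_reason TYPE string.
  " Constructed inputs: a legitimate name, then two traversal attempts
  lv_reason = lcl_file=>delete_log( `backup_20101031.err` ).
  WRITE / lv_reason.
  lv_reason = lcl_file=>delete_log( `../../../etc/passwd.err` ).
  WRITE / lv_reason.                  " file name rejected by white list
  lv_reason = lcl_file=>delete_log( `%2e%2e%2fprofile.err` ).
  WRITE / lv_reason.                  " file name rejected by white list
```

Where the user must be allowed to name a directory as well, SAP's function module FILE_VALIDATE_NAME, which validates a physical name against the path of a logical file name, is the intended building block; the white list here is deliberately stricter than that because the use case does not need more.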
Common Vulnerabilities in ABAP Applications
Dangerous ABAP Commands
Description
ABAP statements that generate, modify or execute source code at runtime (INSERT REPORT, GENERATE SUBROUTINE POOL, EDITOR-CALL and similar) are classified as dangerous and are forbidden in application code. Whatever ends up in such code runs with the full authorizations of the current user, outside any check the system could make in advance.
Business Risks
Read and write access to all data in the database.
Violation of regulatory compliance, as execution of arbitrary business logic is possible.
Best Practices
Do not use these commands in application code at all. Where their use cannot be avoided, perform the right authorization checks (S_DEVELOP) before them.
Use strict input validation and white-list filters so that no user-controlled data can ever become part of generated code, and keep dynamic code to the minimum developers really need.
ABAP Vulnerabilities
Dangerous ABAP Commands
ABAP Code with Dangerous / Forbidden ABAP commands
REPORT ztech_1.
DATA: code(72) OCCURS 10.
* Appending source code
APPEND 'REPORT ZDYN_1.' TO code.
APPEND 'WRITE / ''Hello, I am dynamically created!''.' TO code.
APPEND 'DELETE FROM ZTAB.' TO code.
* Dynamic report program creation: the generated program is stored in
* the system like any other report, without transport or code review
INSERT REPORT 'ZDYN_1' FROM code.
* Execution of the dynamically created report program
SUBMIT zdyn_1 AND RETURN.
ABAP Vulnerabilities
Dangerous ABAP Commands
Safe ABAP Code
REPORT ztech_1.
DATA: code(72) OCCURS 10.
APPEND 'REPORT ZDYN_1.' TO code.
APPEND 'DELETE FROM ZTAB.' TO code.
* Neutralise forbidden statements in the generated source: the ABAP
* comment sign " turns the rest of the line into a comment.
* (A black list like this is a last line of defence only; generated
* code must never contain user-controlled text in the first place.)
REPLACE ALL OCCURRENCES OF REGEX '\bDELETE\b'
  IN TABLE code WITH '" DELETE' IGNORING CASE.
* Authority check for S_DEVELOP: activity 01 (create) on the program
AUTHORITY-CHECK OBJECT 'S_DEVELOP'
  ID 'OBJTYPE' FIELD 'PROG'
  ID 'OBJNAME' FIELD 'ZDYN_1'
  ID 'ACTVT'   FIELD '01'.
IF sy-subrc EQ 0.
  INSERT REPORT 'ZDYN_1' FROM code.
  SUBMIT zdyn_1 AND RETURN.
ENDIF.
ABAP Vulnerabilities
Dangerous ABAP Commands
ABAP Code with Dangerous / Forbidden ABAP commands
REPORT ztech_aba_1.
* Modification of an existing report at runtime: opens the ABAP editor
* on ZTECH_1 in change mode for whoever runs this report, without any
* authorization check of its own
EDITOR-CALL FOR REPORT ztech_1.
ABAP Vulnerabilities
Dangerous ABAP Commands
Safe ABAP Code
REPORT ztech_aba_1.
* Authority check before the editor is opened: the checked object is the
* report that is opened (ZTECH_1), activity 03 = display, matching the
* DISPLAY-MODE used below
AUTHORITY-CHECK OBJECT 'S_DEVELOP'
  ID 'OBJTYPE' FIELD 'PROG'
  ID 'OBJNAME' FIELD 'ZTECH_1'
  ID 'ACTVT'   FIELD '03'.
IF sy-subrc EQ 0.
* Editor call in display mode only
  EDITOR-CALL FOR REPORT ztech_1 DISPLAY-MODE.
ENDIF.
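The two dynamic-code cases in this section, GENERATE SUBROUTINE POOL with request data spliced into the source (Command Injection slide) and INSERT REPORT of a generated program (Dangerous ABAP Commands slides), share one root cause: user data becoming code. The report below, an added example that is not code from the SCI202 deck, shows the pattern that removes that root cause when dynamic code cannot be avoided: the generated source is a constant, and the input is handed to it as a parameter. The class name, the attacker string and the table ZTAB named in the comments are the example's own.

```abap
REPORT zgen_pool_safe.

TYPE-POOLS abap.

CLASS lcl_dyn DEFINITION.
  PUBLIC SECTION.
    " Generates a subroutine pool whose source is constant and passes the
    " input to the generated FORM as a USING parameter, so that whatever
    " the input contains it can only ever be data.
    CLASS-METHODS run_with_input
      IMPORTING iv_text      TYPE string
      RETURNING VALUE(rv_ok) TYPE abap_bool.
ENDCLASS.

CLASS lcl_dyn IMPLEMENTATION.
  METHOD run_with_input.
    DATA: lt_src  TYPE string_table,
          lv_prog TYPE string,
          lv_msg  TYPE string.

    " GENERATE SUBROUTINE POOL is still a dangerous statement: the
    " S_DEVELOP check from the slides applies in addition to this pattern.
    " Nothing from the request is in these four lines.
    APPEND `PROGRAM mypool.`                       TO lt_src.
    APPEND `FORM myform USING p_text TYPE string.` TO lt_src.
    APPEND `  WRITE / p_text.`                     TO lt_src.
    APPEND `ENDFORM.`                              TO lt_src.

    GENERATE SUBROUTINE POOL lt_src NAME lv_prog MESSAGE lv_msg.
    IF sy-subrc <> 0.
      rv_ok = abap_false.
      RETURN.
    ENDIF.

    " The input travels as a value: WRITE prints it verbatim.
    PERFORM ('MYFORM') IN PROGRAM (lv_prog) IF FOUND USING iv_text.
    rv_ok = abap_true.
  ENDMETHOD.
ENDCLASS.

START-OF-SELECTION.
  DATA lv_attack TYPE string.
  " Constructed attacker input. Spliced into  WRITE '<input>'.  as on the
  " Command Injection slide, the generated line would read
  "   WRITE ''. DELETE FROM ztab. WRITE ''.
  " three statements, the middle one deleting every row of ZTAB with the
  " authorizations of whoever sent the request.
  lv_attack = `'. DELETE FROM ztab. WRITE '`.

  " Here the same string is printed as text and nothing else happens.
  lcl_dyn=>run_with_input( lv_attack ).
```

If the input must influence what the generated code does (which statement, which table), validate it against a closed list of permitted values before generation; concatenating it into the source is never acceptable, whatever escaping is applied.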
Developer Responsibilities
A MUST for Secure Development:
Security should not be an afterthought
Security is not optional
Security is not a trade-off for Functionality/Performance
Deploy only tested code
Protect your credentials
Don’t Blindly Assume Others Will Do it for You!
Application security is part of everybody's responsibility!
Get Ready for Secure ABAP Programming!
Understand Security
Software Lifecycle Security
SAP Security Solution Map
Attention while Developing!
Follow the Security Plan
Adhere to Secure ABAP Programming Guideline
Avoid Vulnerabilities listed in Security Advisories
Evaluate the Application
Security Test Tools ( ATC, Code Inspector )
Checklist for Secure Programming
Security Test Tools
ATC (ABAP Test Cockpit): menu path Program -> Check -> ABAP Test Cockpit
Code Inspector: transaction code SCI; menu path Program -> Check -> Code Inspector
Secure Programming Checklist
This checklist lists the most important issues that you should pay attention to in order to develop secure applications.
General
No backdoors
Safe state in case of errors
Password Security
No plain-text or hardcoded passwords
Front-End Security / User Interface
Input validation
No sensitive data in HTTP GET parameters (they end up in URLs, browser history and server logs)
No SQL injection, XSS, path traversal
Access Security
No revealing of data in error messages and URLs
No hidden HTML fields relied on for secrecy (the client can read and change them)
ABAP Programmers only
CALL TRANSACTION only together with an authority check; S_DEVELOP check before any dynamic ABAP command execution
Further Information
SAP Public Web:
General Info about Security SDN: https://www.sdn.sap.com/irj/sdn/security
SAP Security Forum: https://www.sdn.sap.com/irj/sdn/forumID=208
SAP Security Guides: https://www.service.sap.com/securityguide
SAP Security Notes: http://service.sap.com/securitynotes
Related SAP Education and Certification Opportunities
http://www.sap.com/education/
Related Workshops/Lectures at SAP TechEd 2010
SCI100, SAP Security Overview Presentation, Lecture
SCI260, The Journey from Security Optimization Service to Security
Configuration Validation, Hands-on
SCI200, Best Practices for Implementing SAP NetWeaver Identity Management,
Lecture