The purpose of this blog
This blog lists the checks that SAP Code Vulnerability Analyzer provides.
The checks are made available with specific releases of SAP NetWeaver. For information as to which checks are available with which releases, please read note 1921820.
Background about Code Vulnerability Analyzer
The product "SAP Code Vulnerability Analyzer" is available for carrying out security checks. This is also called the code vulnerability analyzer (CVA). The CVA carries out a static analysis of the ABAP source code and reports possible security risks.
The CVA is a product in its own right and is subject to separate remuneration. If you enable the execution of the security checks, additional license costs are incurred.
You can allow the execution of system-wide security checks with the report RSLIN_SEC_LICENSE_SETUP. To carry out this step, you require authorization to make changes to global ATC check variants. Before activating the checks, make sure that you possess a valid license for the product. If in doubt, contact your sales representative at SAP.
Once the security checks are enabled, you can execute them in the ABAP Test Cockpit (ATC), the Code Inspector (SCI), and the extended program check. In the system, the security checks are sometimes called "Security Analyses in Extended Program Check (SLIN_SEC)". We recommend that you execute the security checks via the ATC only. This is possible for automatic mass runs and in the ABAP development environment for individual objects.
SAP Note 1921820 describes the releases and Support Packages with which the code vulnerability analyzer is available. SAP Note 1949276 describes restrictions pertaining to the functional scope. The documentation for the report RSLIN_SEC_LICENSE_SETUP describes the individual security checks in more detail, among other things.
General points about security common to some of all of the checks below
Security problems can occur wherever external data (such as user input) is processed further without being checked.
Sometimes external data is used within a dynamic clause of an OPEN SQL statement. This could enable potential attackers to gain unauthorized access to the SAP database of the system by making unexpected input. This is known as an
SQL injection.
Sometimes external data is used as a file name to open or delete files on the application server. This can give potential attackers access to the file system of the application server, so enabling them to access confidential information, modify file contents, and change the way the system behaves. This is known as
directory traversal.
For information about a specific check, click on the appropriate link below:
Manipulation of dynamic Open SQL (Open SQL Injection)
Manipulation of SQL statements (Native SQL Injection)
Manipulation of dynamically generated ABAP code (ABAP Command Injections)
Manipulation in dynamic calls (Call Injections)
Injections of operating system commands
Potential unauthorized access to directories and files (Directory Traversal)
Insufficient authorization checks or user administration bypassed
Potential back doors
Possible attacks using Web technologies
Further checks
Here is a list by check number in ascending order:
Hard-coded user name - 0821
User name queries in ABAP indicate security problems. User-specific code often presents a back door for attackers.
Procedure
Check if the user name query could possibly indicate a back door. This can be the case, for example, if authorization checks are performed that depend on the user name. Remove these back doors.
Remove any user-dependent code that is not required to run the program.
Some applications cases require user-specific code. However, there is currently no method of detecting these code sections and excluding them from the checks.
The check runs in all places where the current user name (taken directly or indirectly from the system fields SY-UNAME or SYST-UNAME) is compared with a fixed value (taken directly or indirectly from a string literal). To do this, it views the logical condition of the predefined functions BOOLC or BOOLX and the following statements:
- IF, ELSEIF
- CASE, WHEN
- CHECK
- ASSERT
Some predefined user accounts delivered by SAP have special functions. Since the system must respond to these special user names in certain ways at particular times, comparisons made with these values are permitted and do not produce warnings. The following are some of the user names relevant here:
- CSMREG
- DDIC
- EARLYWATCH
- GOINGLIVE
- SAP
- SAP*
- SAPCPIC
- SAPSYS
- SAPTERM
- TMSADM
If the source code position in question does not have any security problems and there is no point in modifying the source code, an exemption should be requested in ATC.
Possible SQL injection (WHERE condition) - 1101
Potential manipulation of the dynamic where condition
The
dynamic WHERE
clause makes it possible for attackers to inject additional OR conditions that increase the volume of data selected in unexpected ways.
Procedure
First check whether it is necessary to use dynamic Open SQL. Switching to static OPEN SQL provides a full solution to the security problem. If this is not possible, the input data must be checked appropriately before being used in dynamic clauses.
The class CL_ABAP_DYN_PRG can be used to implement input checks as described in
Validation by Methods of CL_ABAP_DYN_PRG. (The individual methods in the class CL_ABAP_DYN_PRG became available in different Support Packages or SAP Notes. SAP Note
1852318 provides an overview of these methods.) In the case in question, the following methods of this class are viewed as sufficient by the automated check (if the RETURNING parameter of the method in question is used in further processing):
- ESCAPE_QUOTES
- ESCAPE_QUOTES_STR
- QUOTE
- QUOTE_STR
- CHECK_CHAR_LITERAL
- CHECK_STRING_LITERAL
- CHECK_INT_VALUE
- CHECK_VARIABLE_NAME
- CHECK_COLUMN_NAME
- CHECK_WHITELIST_STR
- CHECK_WHITELIST_TAB
Secure data sources can also be displayed using the report
RSLIN_SEC_DISPLAY_BADIS.
Ranges tables in a WHERE clause are not at risk of SQL injections. However, if technical reasons require ranges tables in WHERE conditions to be converted and then used in a dynamic WHERE clause, it is best to use the function module FREE_SELECTIONS_RANGE_2_WHERE. This module is identified as a secure data source; this is not usually the case in self-programmed conversions.
SAP discourages the use of literals with backquotes (`) in Open SQL statements, even though this is allowed by the syntax. Literals of this type look like string literals in ABAP, but do not have the same attributes. Literals in Open SQL statements are passed to the database, but any blanks at the end of the literals are ignored, which is not the case in ABAP string literals. This is why the use of literals with backquotes (`) can be confusing.
Performs a
local data flow analysis.
If a source code position is flagged and does not present a security problem and an input check or escape action (for example, using a method from CL_ABAP_DYN_PRG) is not appropriate, an
exemption should be requested in ATC.
Possible directory traversal - 1104
Potential manipulation of the file name in the statement OPEN DATASET or DELETE DATASET
Procedure
Externally defined file names must be
validated before a file is opened or deleted. This is done by the function module FILE_VALIDATE_NAME. This function module was made available with the Support Packages or correction instructions listed in SAP Note
1497003. The ABAP keyword documentation contains an example of file name validation.
Another option is to call the function module FILE_GET_NAME_AND_VALIDATE or FILE_GET_NAME. No unchecked data can be included in the parameter LOGICAL_FILENAME here. This means the automated check currently requires LOGICAL_FILENAME to be a constant. In the case of the function module FILE_GET_NAME, no unchecked data can be included in the parameters PARAMETER_1, PARAMETER_2, and PARAMETER_3 either.
The function module FILE_GET_NAME_AND_VALIDATE was made available with SAP Note
1957910.
Secure data sources can also be displayed using the report
RSLIN_SEC_DISPLAY_BADIS.
A
local data flow analysis is performed.
If the source code position in question does not have any security problems and there is no point in modifying the source code, an
exemption should be requested in ATC.
Possible system command injection (addition FILTER) - 1106
Potential manipulation in the FILTER addition of the statement OPEN DATASET
The addition FILTER of the statement OPEN DATASET can be used to pass statements to the operating system. If this addition is filled from input data, potential attackers can inject further statements and modify the behavior of the application server in unexpected ways. These are known as
system command injections.
Procedure
First check whether it is absolutely necessary to use the addition FILTER. If this is the case, an input check must be performed. The addition FILTER should not be used to send operating system commands.
If an operating system command call is absolutely necessary, however, the SAPXPG mechanism must be used. This offers increased security due to the following characteristics:
- Abstraction from different operating systems
- Predefined operating system commands
- Stricter handling of parameters
- Allows check modules (such as allow lists) to be defined
- Predefined authorization check
New operating system commands must first be defined using transaction SM69. If possible, omit input values because these can also cause a security problem. The function module SXPG_CALL_SYSTEM can be used to make calls. See
System Command Injections for more information.
In some cases, the class
CL_ABAP_DYN_PRG can be used to perform an allow list check. Here, the following methods are sufficient for the machine check in question (if the RETURNING parameter of the method in question is used in further processing):
- CHECK_WHITELIST_STR
- CHECK_WHITELIST_TAB
The individual methods in the class CL_ABAP_DYN_PRG became available in different Support Packages or SAP Notes. SAP Note
1852318 provides an overview of these methods.
The escape methods of the class CL_ABAP_DYN_PRG are not suitable for operating system commands (or their parameters).
Secure data sources can also be displayed using the report
RSLIN_SEC_DISPLAY_BADIS.
A
local data flow analysis is performed.
If the source code position in question does not have any security problems and there is no point in modifying the source code, an
exemption should be requested in ATC.
Possible ABAP command injection - 1108
Potential injection of harmful code in the statements INSERT REPORT and GENERATE SUBROUTINE POOL
The statements INSERT REPORT and GENERATE SUBROUTINE POOL are used to generate ABAP programs dynamically, which can then be executed. If user input is entered directly in the source code of these generated programs, an attacker could potentially execute any of the operations in the system. These are known as
ABAP command injections.
Procedure
Dynamic generation of ABAP code always carries a high level of risk to security. First, always check whether other dynamic programming methods can be used instead. If dynamic generations are absolutely necessary, all input data must be checked separately and appropriately.
The class CL_ABAP_DYN_PRG can be used to implement input checks as described in
Validation by Methods of CL_ABAP_DYN_PRG. (The individual methods in the class CL_ABAP_DYN_PRG became available in different Support Packages or SAP Notes. SAP Note
1852318 provides an overview of these methods.) In the case in question, the following methods of this class are viewed as sufficient by the automated check (if the RETURNING parameter of the method in question is used in further processing):
- ESCAPE_QUOTES
- ESCAPE_QUOTES_STR
- QUOTE
- QUOTE_STR
- CHECK_CHAR_LITERAL
- CHECK_STRING_LITERAL
- CHECK_INT_VALUE
- CHECK_VARIABLE_NAME
- CHECK_COLUMN_NAME
- CHECK_TABLE_OR_VIEW_NAME_STR
- CHECK_TABLE_OR_VIEW_NAME_TAB
- CHECK_TABLE_NAME_STR
- CHECK_TABLE_NAME_TAB
- CHECK_WHITELIST_STR
- CHECK_WHITELIST_TAB
Checks on the merged ABAP code passed to the statements INSERT REPORT or GENERATE SUBROUTINE POOL are not feasible.
Secure data sources can also be displayed using the report
RSLIN_SEC_DISPLAY_BADIS.
Performs a
local data flow analysis.
If a source code position is flagged and does not present a security problem and an input check or escape action (for example, using a method from CL_ABAP_DYN_PRG) is not appropriate, an
exemption should be requested in ATC.
Possible ABAP command injection via RFC Call - 1109
Potential injection of harmful code when the RFC-enabled function module RFC_ABAP_INSTALL_AND_RUN was called
Calling the RFC-enabled function module RFC_ABAP_INSTALL_AND_RUN allows dynamic ABAP programs (in remote systems) to be generated, which can then be executed. If user input is entered directly in the source code of these generated programs, an attacker could potentially execute any of the operations in the system. These are known as
ABAP command injections.
Procedure
Dynamic generation of ABAP code always carries a high level of risk to security. First, always check whether other dynamic programming methods can be used instead. If dynamic generations are absolutely necessary, all input data must be checked separately and appropriately.
The class CL_ABAP_DYN_PRG can be used to implement input checks as described in
Validation by Methods of CL_ABAP_DYN_PRG. (The individual methods in the class CL_ABAP_DYN_PRG became available in different Support Packages or SAP Notes. SAP Note
1852318 provides an overview of these methods.) In the case in question, the following methods of this class are viewed as sufficient by the automated check (if the RETURNING parameter of the method in question is used in further processing):
- ESCAPE_QUOTES
- ESCAPE_QUOTES_STR
- QUOTE
- QUOTE_STR
- CHECK_CHAR_LITERAL
- CHECK_STRING_LITERAL
- CHECK_INT_VALUE
- CHECK_VARIABLE_NAME
- CHECK_COLUMN_NAME
- CHECK_TABLE_OR_VIEW_NAME_STR
- CHECK_TABLE_OR_VIEW_NAME_TAB
- CHECK_TABLE_NAME_STR
- CHECK_TABLE_NAME_TAB
- CHECK_WHITELIST_STR
- CHECK_WHITELIST_TAB
Checks on the merged ABAP code passed to the function module RFC_ABAP_INSTALL_AND_RUN are not feasible.
Secure data sources can also be displayed using the report
RSLIN_SEC_DISPLAY_BADIS.
Performs a
local data flow analysis.
If a source code position is flagged and does not present a security problem and an input check or escape action (for example, using a method from CL_ABAP_DYN_PRG) is not appropriate, an
exemption should be requested in ATC.
Potential manipulation of the dynamic WHERE condition of a wrapped SQL statement 110A
Security problems can occur wherever external data (such as user input) is processed further without being checked.
In the case in question, external data is passed to a procedure (for example, the function module
RFC_READ_TABLE), which itself uses the data within a dynamic clause of an OpenSQL statement. This could enable potential attackers to gain unauthorized access to the SAP database of the system by making unexpected input. This is known as an
SQL injection.
The
dynamic WHERE clause makes it possible for attackers to inject additional OR conditions that increase the volume of data selected in unexpected ways. If fewer than 11 characters can be injected in the dynamic
WHERE clause, no meaningful attack can take place and no message appears.
If an attacker can inject at least 50 characters in the dynamic
WHERE clause, they may contain a
subquery enabling any number of further tables to be accessed.
Further procedures that wrap vulnerable statements can themselves be registered as vulnerable using the BAdI
SLIN_BADI_VULN_PROCEDURES. All registered vulnerable procedures can be displayed using the report
RSLIN_SEC_DISPLAY_VULN_PROC.
Procedure
First check whether it is necessary to use dynamic Open SQL. Switching to static OPEN SQL provides a full solution to the security problem. If this is not possible, the input data must be checked appropriately before being used in dynamic clauses.
The class
CL_ABAP_DYN_PRG can be used to implement input checks as described in
Validation by Methods of CL_ABAP_DYN_PRG. (The individual methods in the class
CL_ABAP_DYN_PRG became available in different support packages or SAP Notes. SAP Note
1852318 provides an overview of these methods.) In the case in question, the following methods of this class are viewed as sufficient by the automated check (if the RETURNING parameter of the method in question is used in further processing instead of the original input value):
- ESCAPE_QUOTES
- ESCAPE_QUOTES_STR
- QUOTE
- QUOTE_STR
- CHECK_CHAR_LITERAL
- CHECK_STRING_LITERAL
- CHECK_INT_VALUE
- CHECK_VARIABLE_NAME
- CHECK_COLUMN_NAME
- CHECK_TABLE_OR_VIEW_NAME_STR
- CHECK_TABLE_OR_VIEW_NAME_TAB
- CHECK_TABLE_NAME_STR
- CHECK_TABLE_NAME_TAB
Secure data sources can also be displayed using the report
RSLIN_SEC_DISPLAY_BADIS.
Ranges tables in a
WHERE clause are not at risk of SQL injections. However, if technical reasons require ranges tables in
WHERE conditions to be converted and then used in a dynamic
WHERE clause, it is best to use the function module
FREE_SELECTIONS_RANGE_2_WHERE. This module is identified as a secure data source; this is not usually the case in self-programmed conversions.
SAP discourages the use of literals with backquotes (`) in Open SQL statements, even though this is allowed by the syntax. Literals of this type look like string literals in ABAP, but do not have the same attributes. Literals in Open SQL statements are passed to the database, but any blanks at the end of the literals are ignored, which is not the case in ABAP string literals. This is why the use of literals with backquotes (`) can be confusing.
If a source code position is flagged and does not present a security problem and an input check or escape action (for example, using a method from
CL_ABAP_DYN_PRG) is not appropriate, an
exemption should be requested in ATC.
How is the check done?
A
local data flow analysis is performed.
Potential read performed on an illegal database table in a wrapped SELECT statement 110B
Security problems can occur wherever external data (such as user input) is processed further without being checked.
In the case in question, external data is passed to a procedure (for example, the function module RFC_READ_TABLE), which itself uses the data within a dynamic clause of an OpenSQL statement. This could enable potential attackers to gain unauthorized access to the SAP database of the system by making unexpected input. This is known as an
SQL injection.
Potential attackers can
specify tables dynamically and by doing this run operations on database tables other than those intended.
Further procedures that wrap vulnerable statements can themselves be registered as vulnerable using the BAdI
SLIN_BADI_VULN_PROCEDURES. All registered vulnerable procedures can be displayed using the report
RSLIN_SEC_DISPLAY_VULN_PROC.
Procedure
First check whether it is necessary to use dynamic Open SQL. Switching to static OPEN SQL provides a full solution to the security problem. If this is not possible, the input data must be checked appropriately before being used in dynamic clauses.
The class CL_ABAP_DYN_PRG can be used to implement input checks as described in
Validation by Methods of CL_ABAP_DYN_PRG. (The individual methods in the class CL_ABAP_DYN_PRG became available in different support packages or SAP Notes. SAP Note
1852318 provides an overview of these methods.) In the case in question, the following methods of this class are viewed as sufficient by the automated check (if the RETURNING parameter of the method in question is used in further processing instead of the original input value):
- CHECK_TABLE_OR_VIEW_NAME_STR
- CHECK_TABLE_OR_VIEW_NAME_TAB
- CHECK_TABLE_NAME_STR
- CHECK_TABLE_NAME_TAB
- CHECK_WHITELIST_STR
- CHECK_WHITELIST_TAB
Secure data sources can also be displayed using the report
RSLIN_SEC_DISPLAY_BADIS.
If the source code position in question does not have any security problems and there is no point in modifying the source code, an
exemption should be requested in ATC.
How is the check done?
A
local data flow analysis is performed.
FILTER addition of the statement OPEN DATASET used 1107
The addition
FILTER of the statement
OPEN DATASET can be used to pass commands to the operating system. For security reasons, this addition can no longer be used.
Procedure
Do not use the addition
FILTER.
If an operating system command call is absolutely necessary, however, the
SAPXPG mechanism must be used. This offers increased security due to the following characteristics:
- Abstraction from different operating systems
- Predefined operating system commands
- Stricter handling of parameters
- Permits the definition of check modules, for example for checking for valid values
- Predefined authorization check
New operating system commands must first be defined using transaction SM69. If possible, omit input values because these can also cause a security problem. The function module
SXPG_CALL_SYSTEM can be used to make calls. See System Command Injections for more information.
If the source code position in question does not have any security problems and there is no point in modifying the source code, an exemption should be requested in ATC.
How is the check done?
All uses of the addition
FILTER of the statement
OPEN DATASET are reported.
Potentially important reports deleted from the ABAP repository 1110
Potentially important reports deleted from the ABAP repository
Security problems can occur wherever external data (such as user input) is processed further without being checked.
The statement
DELETE REPORT or the function module
RS_DELETE_PROGRAM and various other procedures can be used to delete or overwrite programs from the ABAP repository. If the name of the deleted or overwritten program is derived from user input, an attacker can potentially delete or overwrite ABAP programs required by the application or the system and hence impair system functions.
Procedure
If at all possible, the names of deleted or overwritten programs should not be derived from user input for security reasons. If this is absolutely necessary, the input data must be checked first accordingly.
The class
CL_ABAP_DYN_PRG can be used to implement input checks as described in
Validation by Methods of CL_ABAP_DYN_PRG. (The individual methods in the class
CL_ABAP_DYN_PRG became available in different Support Packages or SAP Notes. SAP Note
1852318 provides an overview of these methods.) In the case in question, the following methods of this class are viewed as sufficient by the automated check (if the RETURNING parameter of the method in question is used in further processing):
- 1. CHECK_WHITELIST_STR
- 2. CHECK_WHITELIST_TAB
Secure data sources can also be displayed using the report
RSLIN_SEC_DISPLAY_BADIS.
Performs a local data flow analysis.
If a source code position is flagged and does not present a security problem and an input check or escape action (for example, using a method from
CL_ABAP_DYN_PRG) is not appropriate, an exemption should be requested in ATC.
How is the check done?
All those
DELETE REPORT statements are checked where it is not possible to know statically that only the inactive version of a program is deleted using the addition
STATE = 'I'. Furthermore, calls of the function module
RS_DELETE_PROGRAM are checked, plus a range of other procedures that delete or overwrite programs.
A local data flow analysis is performed.
Replacement of potentially important reports deleted from the ABAP repository by the statement INSERT REPORT 1111
Security problems can occur wherever external data (such as user input) is processed further without being checked.
The statement
INSERT REPORT can be used to overwrite programs from the ABAP repository. If the name of the overwritten program is derived from user input, an attacker can potentially overwrite ABAP programs required by the application or the system and hence impair system functions.
Procedure
If at all possible, the names of overwritten programs should not be derived from user input for security reasons. If this is absolutely necessary, the input data must be verified using suitable checks first.
The class
CL_ABAP_DYN_PRG can be used to implement input checks as described in
Validation by Methods of CL_ABAP_DYN_PRG. (The individual methods in the class
CL_ABAP_DYN_PRG became available in different support packages or SAP Notes. SAP Note
1852318 provides an overview of these methods.) In the case in question, the following methods of this class are viewed as sufficient by the automated check (if the RETURNING parameter of the method in question is used in further processing instead of the original input value):
- 1. CHECK_WHITELIST_STR
- 2. CHECK_WHITELIST_TAB
Secure data sources can also be displayed using the report
RSLIN_SEC_DISPLAY_BADIS.
Performs a local data flow analysis.
If the source code position in question does not have any security problems and there is no point in modifying the source code, an exemption should be requested in ATC.
How is the check done?
For all
INSERT REPORT statements, the system checks whether the specified program name contains dynamic parts that are taken from external data without being checked.
A local data flow analysis is performed.
Possible SQL injection (SET clause) 1112
Potential manipulation of the SET clause in the statement UPDATE
Potential attackers can use the
dynamic SET clause to inject additional modifying expressions into the statement UPDATE, and so make unexpected database changes.
Procedure
First check whether it is necessary to use dynamic Open SQL. Switching to static OPEN SQL provides a full solution to the security problem. If this is not possible, the input data must be checked appropriately before being used in dynamic clauses.
The class CL_ABAP_DYN_PRG can be used to implement input checks as described in
Validation by Methods of CL_ABAP_DYN_PRG. (The individual methods in the class CL_ABAP_DYN_PRG became available in different Support Packages or SAP Notes. SAP Note
1852318 provides an overview of these methods.) In the case in question, the following methods of this class are viewed as sufficient by the automated check (if the RETURNING parameter of the method in question is used in further processing):
- ESCAPE_QUOTES
- ESCAPE_QUOTES_STR
- QUOTE
- QUOTE_STR
- CHECK_CHAR_LITERAL
- CHECK_STRING_LITERAL
- CHECK_INT_VALUE
- CHECK_VARIABLE_NAME
- CHECK_COLUMN_NAME
- CHECK_WHITELIST_STR
- CHECK_WHITELIST_TAB
Secure data sources can also be displayed using the report
RSLIN_SEC_DISPLAY_BADIS.
SAP discourages the use of literals with backquotes (`) in Open SQL statements, even though this is allowed by the syntax. Literals of this type look like string literals in ABAP, but do not have the same attributes. Literals in Open SQL statements are passed to the database, but any blanks at the end of the literals are ignored, which is not the case in ABAP string literals. This is why the use of literals with backquotes (`) can be confusing.
Performs a
local data flow analysis.
If a source code position is flagged and does not present a security problem and an input check or escape action (for example, using a method from CL_ABAP_DYN_PRG) is not appropriate, an
exemption should be requested in ATC.
Possible SQL injection (column names) 1114
Potential read performed on invalid table columns
An attacker may be able to access forbidden columns by
specifying the selected columns dynamically. Furthermore, in certain contexts (in INTO CORRESPONDING FIELDS) the attacker could attempt to manipulate the application by renaming columns ("COL1 AS COL2").
Procedure
First check whether it is necessary to use dynamic Open SQL. Switching to static OPEN SQL provides a full solution to the security problem. If this is not possible, the input data must be checked appropriately before being used in dynamic clauses.
If table columns exist that must not be read in the context in question, an allow list check is a good idea (see below). In other case, this message is a false alarm.
The class CL_ABAP_DYN_PRG can be used to implement input checks as described in
Validation by Methods of CL_ABAP_DYN_PRG. (The individual methods in the class CL_ABAP_DYN_PRG became available in different Support Packages or SAP Notes. SAP Note
1852318 provides an overview of these methods.) In the case in question, the following methods of this class are viewed as sufficient by the automated check (if the RETURNING parameter of the method in question is used in further processing):
- CHECK_WHITELIST_STR
- CHECK_WHITELIST_TAB
Secure data sources can also be displayed using the report
RSLIN_SEC_DISPLAY_BADIS.
Performs a
local data flow analysis.
If a source code position is flagged and does not present a security problem and an input check or escape action (for example, using a method from CL_ABAP_DYN_PRG) is not appropriate, an
exemption should be requested in ATC.
Dynamic CALL TRANSACTION without authorization check 1114E
What is checked?
When a transaction is started from the user interface or by executing the ABAP statement
LEAVE TO TRANSACTION, an authorization check is performed automatically. The check is always made using the authorization object
S_TCODE. In the transaction code editor (transaction SE93), developers can specify an authorization object with authorization values. If an entry of this type is found, the authorization specified there is checked.
These authorization checks are not usually made when the ABAP statement
CALL TRANSACTION is executed. The developer of the program in question must decide whether the transaction start authorization is checked.
In the dynamic
CALL TRANSACTION in question, none of the authorization checks above were found in the source code. This could present a security risk.
A check on valid transaction names restricts the set of potential transactions called, which means that the security risk is already reduced. Depending on the context, this restriction may be enough.
Procedure
If the authorization checks are missing by accident, they can implemented in full by simply calling the function module
AUTHORITY_CHECK_TCODE . From
SAP_BASIS 7.40 SP 02, the addition
WITH AUTHORITY-CHECK in
CALL TRANSACTION can also be used to do this. It works in the same way as the function module call. Both methods check the authorization object
S_TCODE and the authorization from the transaction editor (SE93). However, it should be noted that the table
TCDCOUPLES is respected for the function module
AUTHORITY_CHECK_TCODE.
In a few situations, it is intentional that no authorizations are checked in
CALL TRANSACTION (or only the authorization for the authorization
S_TCODE). In these cases, the addition
WITHOUT AUTHORITY-CHECK can be used in
CALL TRANSACTION from SAP_BASIS 7.40 SP 02. In systems with older releases, the message must be suppressed using an exemption. In dynamic
CALL TRANSACTIONS, it is only acceptable to skip the authorization check if the set of callable transactions is restricted (usually by using a check on valid values).
SAP recommends that the entries in the table
TCDCOUPLES (transaction SE97) are no longer used to control the behavior.
If the source code position in question does not have any security problems and there is no point in modifying the source code, an exemption should be requested in ATC.
How is the check done?
For each dynamic
CALL TRANSACTION, a search is made for the a suitable call of the function module
AUTHORITY_CHECK_TCODE within the same procedure (event, method, function, form routine). In called procedures, a search is also performed for these authorization checks up to a restricted nesting depth. The message is displayed if none of the authorization checks above are found.
Dynamic CALL TRANSACTION without authorization check and without check on valid transaction names 1114F
What is checked?
Security problems can occur wherever external data (such as user input) is processed further without being checked.
In the case in question, external data is used within a dynamic transaction call. This enables potential attackers to call unexpected transactions by making unexpected input, and thereby illegally modify the running of the program.
When a transaction is started from the user interface or by executing the ABAP statement
LEAVE TO TRANSACTION, an authorization check is performed automatically. The check is always made using the authorization object
S_TCODE. In the transaction code editor (transaction SE93), developers can specify an authorization object with authorization values. If an entry of this type is found, the authorization specified there is checked.
These authorization checks are not usually made when the ABAP statement
CALL TRANSACTION is executed. The developer of the program in question must decide whether the transaction start authorization is checked.
In this dynamic
CALL TRANSACTION, the potential influence of the user input on the called transaction was identified and, additionally, none of the authorization checks mentioned above were found in the source code. This could present a security risk.
Procedure
Both the authorization check aspect and the aspect of dynamics in the name of the called transaction must be considered. In most situations, an authorization check is the best choice for removing the security problem.
Authorization Check
If the authorization checks are missing by accident, they can implemented in full by simply calling the function module
AUTHORITY_CHECK_TCODE . From
SAP_BASIS 7.40 SP 02, the addition
WITH AUTHORITY-CHECK in
CALL TRANSACTION can also be used to do this. It works in the same way as the function module call. Both methods check the authorization object
S_TCODE and the authorization from the transaction editor (SE93). However, it should be noted that the table
TCDCOUPLES is respected for the function module
AUTHORITY_CHECK_TCODE.
In a few situations, it is intentional that no authorizations are checked in
CALL TRANSACTION (or only the authorization for the authorization
S_TCODE). In these cases, the addition
WITHOUT AUTHORITY-CHECK can be used in
CALL TRANSACTION from
SAP_BASIS 7.40 SP 02. In systems with older releases, the message must be suppressed using an exemption. In dynamic
CALL TRANSACTIONS, it is only acceptable to skip the authorization check if the set of callable transactions is restricted (usually by using a check on valid values).
SAP recommends that the entries in the table
TCDCOUPLES (transaction SE97) are no longer used to control the behavior.
Possible SQL injection (GROUP BY clause) 1116
Potential use of illegal columns in a dynamic GROUP BY clause
Potential attackers can use the dynamic GROUP BY clause to modify the selection in unexpected ways.
Procedure
First check whether it is necessary to use dynamic Open SQL. Switching to static OPEN SQL provides a full solution to the security problem. If this is not possible, the input data must be checked appropriately before being used in dynamic clauses.
The class CL_ABAP_DYN_PRG can be used to implement input checks as described in
Validation by Methods of CL_ABAP_DYN_PRG. (The individual methods in the class CL_ABAP_DYN_PRG became available in different Support Packages or SAP Notes. SAP Note
1852318 provides an overview of these methods.) In the case in question, the following methods of this class are viewed as sufficient by the automated check (if the RETURNING parameter of the method in question is used in further processing):
- CHECK_COLUMN_NAME
- CHECK_WHITELIST_STR
- CHECK_WHITELIST_TAB
Secure data sources can also be displayed using the report
RSLIN_SEC_DISPLAY_BADIS.
Performs a
local data flow analysis.
If a source code position is flagged and does not present a security problem and an input check or escape action (for example, using a method from CL_ABAP_DYN_PRG) is not appropriate, an
exemption should be requested in ATC.
Possible SQL injection (HAVING clause) - 1117
Potential use of illegal columns in a dynamic HAVING clause
Potential attackers can use the dynamic HAVING clause to modify the selection in unexpected ways.
Procedure
First check whether it is necessary to use dynamic Open SQL. Switching to static OPEN SQL provides a full solution to the security problem. If this is not possible, the input data must be checked appropriately before being used in dynamic clauses.
The class CL_ABAP_DYN_PRG can be used to implement input checks as described in
Validation by Methods of CL_ABAP_DYN_PRG. (The individual methods in the class CL_ABAP_DYN_PRG became available in different Support Packages or SAP Notes. SAP Note
1852318 provides an overview of these methods.) In the case in question, the following methods of this class are viewed as sufficient by the automated check (if the RETURNING parameter of the method in question is used in further processing):
- ESCAPE_QUOTES
- ESCAPE_QUOTES_STR
- QUOTE
- QUOTE_STR
- CHECK_CHAR_LITERAL
- CHECK_STRING_LITERAL
- CHECK_INT_VALUE
- CHECK_VARIABLE_NAME
- CHECK_COLUMN_NAME
- CHECK_WHITELIST_STR
- CHECK_WHITELIST_TAB
Secure data sources can also be displayed using the report
RSLIN_SEC_DISPLAY_BADIS.
SAP discourages the use of literals with backquotes (`) in Open SQL statements, even though this is allowed by the syntax. Literals of this type look like string literals in ABAP, but do not have the same attributes. Literals in Open SQL statements are passed to the database, but any blanks at the end of the literals are ignored, which is not the case in ABAP string literals. This is why the use of literals with backquotes (`) can be confusing.
Performs a
local data flow analysis.
If a source code position is flagged and does not present a security problem and an input check or escape action (for example, using a method from CL_ABAP_DYN_PRG) is not appropriate, an
exemption should be requested in ATC.
Possible SQL injection (table name when reading) - 1118
Potential read performed on an illegal database table in a SELECT statement
Potential attackers can
specify tables dynamically and by doing this run operations on database tables other than those intended.
Procedure
First check whether it is necessary to use dynamic Open SQL. Switching to static OPEN SQL provides a full solution to the security problem. If this is not possible, the input data must be checked appropriately before being used in dynamic clauses.
The class CL_ABAP_DYN_PRG can be used to implement input checks as described in
Validation by Methods of CL_ABAP_DYN_PRG. (The individual methods in the class CL_ABAP_DYN_PRG became available in different Support Packages or SAP Notes. SAP Note
1852318 provides an overview of these methods.) In the case in question, the following methods of this class are viewed as sufficient by the automated check (if the RETURNING parameter of the method in question is used in further processing):
- CHECK_TABLE_OR_VIEW_NAME_STR
- CHECK_TABLE_OR_VIEW_NAME_TAB
- CHECK_TABLE_NAME_STR
- CHECK_TABLE_NAME_TAB
- CHECK_WHITELIST_STR
- CHECK_WHITELIST_TAB
Secure data sources can also be displayed using the report
RSLIN_SEC_DISPLAY_BADIS.
Performs a
local data flow analysis.
If a source code position is flagged and does not present a security problem and an input check or escape action (for example, using a method from CL_ABAP_DYN_PRG) is not appropriate, an
exemption should be requested in ATC.
Possible SQL injection (table name when writing) - 1120
Potential read performed on an illegal database table in a modifying OpenSQL statement
Potential attackers can
specify tables dynamically and by doing this run operations on database tables other than those intended.
Procedure
First check whether it is necessary to use dynamic Open SQL. Switching to static OPEN SQL provides a full solution to the security problem. If this is not possible, the input data must be checked appropriately before being used in dynamic clauses.
The class CL_ABAP_DYN_PRG can be used to implement input checks as described in
Validation by Methods of CL_ABAP_DYN_PRG. (The individual methods in the class CL_ABAP_DYN_PRG became available in different Support Packages or SAP Notes. SAP Note
1852318 provides an overview of these methods.) In the case in question, the following methods of this class are viewed as sufficient by the automated check (if the RETURNING parameter of the method in question is used in further processing):
- CHECK_TABLE_OR_VIEW_NAME_STR
- CHECK_TABLE_OR_VIEW_NAME_TAB
- CHECK_TABLE_NAME_STR
- CHECK_TABLE_NAME_TAB
- CHECK_WHITELIST_STR
- CHECK_WHITELIST_TAB
Secure data sources can also be displayed using the report
RSLIN_SEC_DISPLAY_BADIS.
Performs a
local data flow analysis.
If a source code position is flagged and does not present a security problem and an input check or escape action (for example, using a method from CL_ABAP_DYN_PRG) is not appropriate, an
exemption should be requested in ATC.
Potential read performed using an invalid secondary database connection in an Open SQL statement - 1121
Security problems can occur wherever external data (such as user input) is processed further without being checked.
Here, external data is used within a dynamic clause of an OPEN SQL statement. This could enable potential attackers to gain unauthorized access to the SAP database of the system by making unexpected input. This is known as an SQL injection.
Attackers can potentially use dynamically specified connections to execute operations using a secondary database connection.
Procedure
First check whether it is necessary to use dynamic Open SQL. Switching to static OPEN SQL provides a full solution to the security problem. If this is not possible, the input data must be checked appropriately before being used in dynamic clauses.
- CHECK_WHITELIST_STR
- CHECK_WHITELIST_TAB
Secure data sources can also be displayed using the report
RSLIN_SEC_DISPLAY_BADIS.
If the source code position in question does not have any security problems and there is no point in modifying the source code, an exemption should be requested in ATC.
A local data flow analysis is performed.
Possible SQL injection via object services - 1122
Potential manipulation of a dynamic
WHERE condition using the parameter
I_FILTER of the object services method
CREATE_QUERY
In the present case, external data is passed to the method
CREATE_QUERY of an object services class. This class handles the data like a dynamic
WHERE clause. This makes it possible for attackers to inject additional OR conditions that increase the volume of data selected in unexpected ways. This is known as an
SQL injection.
Procedure
The input values for the parameter
I_FILTER of the object services method
CREATE_QUERY must be made subject to an input check.
The class
CL_ABAP_DYN_PRG can be used to implement input checks as described in
Validation by Methods of CL_ABAP_DYN_PRG. (The individual methods in the class
CL_ABAP_DYN_PRG became available in different Support Packages or SAP Notes. SAP Note
1852318 provides an overview of these methods.) In the case in question, the following methods of this class are viewed as sufficient by the automated check (if the RETURNING parameter of the method in question is used in further processing):
- ESCAPE_QUOTES
- ESCAPE_QUOTES_STR
- QUOTE
- QUOTE_STR
- CHECK_CHAR_LITERAL
- CHECK_STRING_LITERAL
- CHECK_INT_VALUE
- CHECK_VARIABLE_NAME
- CHECK_COLUMN_NAME
- CHECK_WHITELIST_STR
- CHECK_WHITELIST_TAB
Furthermore, the function module
FREE_SELECTIONS_RANGE_2_WHERE is also accepted as a suitable input check.
Secure data sources can also be displayed using the report
RSLIN_SEC_DISPLAY_BADIS.
SAP discourages the use of literals with backquotes (`) in Open SQL statements, even though this is allowed by the syntax. Literals of this type look like string literals in ABAP, but do not have the same attributes. Literals in Open SQL statements are passed to the database, but any blanks at the end of the literals are ignored, which is not the case in ABAP string literals. This is why the use of literals with backquotes (`) can be confusing.
Performs a
local data flow analysis.
If a source code position is flagged and does not present a security problem and an input check or escape action (for example, using a method from
CL_ABAP_DYN_PRG) is not appropriate, an
exemption should be requested in ATC.
Possible Directory Traversal via file utilities class - 1124
Potential manipulation of the file name in the method
CREATE_UTF8_FILE_WITH_BOM of the class
CL_ABAP_FILE_UTILITIES
Procedure
Externally defined file names must be
validated before a file is opened or deleted. This is done by the function module
FILE_VALIDATE_NAME. This function module was made available with the Support Packages or correction instructions listed in SAP Note
1497003. The ABAP keyword documentation contains an
example of file name validation.
Another option is to call the function module
FILE_GET_NAME_AND_VALIDATE or
FILE_GET_NAME. No unchecked data can be included in the parameter
LOGICAL_FILENAME here. This means the automated check currently requires
LOGICAL_FILENAME to be a constant. In the case of the function module
FILE_GET_NAME, no unchecked data can be included in the parameters
PARAMETER_1,
PARAMETER_2, and
PARAMETER_3 either.
The function module
FILE_GET_NAME_AND_VALIDATE was made available with SAP Note
1957910.
Secure data sources can also be displayed using the report
RSLIN_SEC_DISPLAY_BADIS.
A
local data flow analysis is performed.
If the source code position in question does not have any security problems and there is no point in modifying the source code, an
exemption should be requested in ATC.
Potential directory traversal due to insecure parameters - 1126
Non-secure parameter of the function module
FILE_GET_NAME used
In this case, the external data is passed to the non-secure parameters of function module
FILE_GET_NAME. If this data is part of the file name, users might be able to access data for which they have no authorization and read or even overwrite this data. This is also known as
directory traversal.
Procedure
It is advisable to use the function module
FILE_GET_NAME_AND_VALIDATE. This function module was made available with SAP Note
1957910.
If the function module
FILE_GET_NAME still needs to be used:
In some cases, the class
CL_ABAP_DYN_PRG can be used to perform an allow list check. Here, the following methods are sufficient for the machine check in question (if the RETURNING parameter of the method in question is used in further processing):
- CHECK_WHITELIST_STR
- CHECK_WHITELIST_TAB
The individual methods in the class
CL_ABAP_DYN_PRG became available in different Support Packages or SAP Notes. SAP Note
1852318 provides an overview of these methods.
Secure data sources can also be displayed using the report
RSLIN_SEC_DISPLAY_BADIS.
A
local data flow analysis is performed. Here the parameters
PARAMETER_1, PARAMETER_2, PARAMETER_3 of the function module
FILE_GET_NAME are regarded as critical.
If the source code position in question does not have any security problems and there is no point in modifying the source code, an
exemption should be requested in ATC.
Possible SQL injection via ADBC (DDL) - 1128
Potential injection of harmful SQL statements or clauses in execution of DDL statements in
ADBC
In the present case, external data is injected into an SQL statement that is passed for execution by the
ADBC API of the database. This could enable potential attackers to gain unauthorized access to the SAP database of the system by making unexpected input. This is known as an
SQL injection.
Unlike using Open SQL with dynamic clauses,
ADBC is used to specify complete SQL statements. This increases the level of risk.
Procedure
First check whether it is necessary to use dynamic
ADBC. Switching to static OPEN SQL provides a full solution to the security problem. If this is not possible, consider a switch to dynamic Open SQL. This reduces the opportunities for attacks considerably.
If it is absolutely essential that you use
ADBC, make sure that no user input is entered directly into the SQL statement. Use ? placeholders for dynamic components of the statement. The relevant ABAP data objects can then be connected to these placeholders by using the method
SET_PARAM of class
CL_SQL_STATEMENT.
In exceptional cases, it may still be necessary to create the SQL statement based on user entries. These entries must be thoroughly checked beforehand.
The class
CL_ABAP_DYN_PRG can be used to implement input checks as described in
Validation by Methods of CL_ABAP_DYN_PRG. (The individual methods in the class
CL_ABAP_DYN_PRG became available in different Support Packages or SAP Notes. SAP Note
1852318 provides an overview of these methods.) In the case in question, the following methods of this class are viewed as sufficient by the automated check (if the RETURNING parameter of the method in question is used in further processing):
- CHECK_WHITELIST_STR
- CHECK_WHITELIST_TAB
Secure data sources can also be displayed using the report
RSLIN_SEC_DISPLAY_BADIS.
Performs a
local data flow analysis.
If a source code position is flagged and does not present a security problem and an input check or escape action (for example, using a method from CL_ABAP_DYN_PRG) is not appropriate, an
exemption should be requested in ATC.
Possible SQL injection via ADBC (DML) - 1130
Potential injection of harmful SQL statements of clauses in execution of DML statements in ADBC
In the present case, external data is injected into an SQL statement that is passed for execution by the ADBC API of the database. This could enable potential attackers to gain unauthorized access to the SAP database of the system by making unexpected input. This is known as an
SQL injection.
Unlike using Open SQL with dynamic clauses, ADBC is used to specify complete SQL statements. This increases the level of risk.
Procedure
First check whether it is necessary to use dynamic ADBC. Switching to static OPEN SQL provides a full solution to the security problem. If this is not possible, consider a switch to dynamic Open SQL. This reduces the opportunities for attacks considerably.
If it is absolutely essential that you use ADBC, make sure that no user input is entered directly into the SQL statement. Use ? placeholders for dynamic components of the statement. The relevant ABAP data objects can then be connected to these placeholders by using the method SET_PARAM of class CL_SQL_STATEMENT.
In exceptional cases, it may still be necessary to create the SQL statement based on user entries. These entries must be thoroughly checked beforehand.
The class CL_ABAP_DYN_PRG can be used to implement input checks as described in
Validation by Methods of CL_ABAP_DYN_PRG. (The individual methods in the class CL_ABAP_DYN_PRG became available in different Support Packages or SAP Notes. SAP Note
1852318 provides an overview of these methods.) In the case in question, the following methods of this class are viewed as sufficient by the automated check (if the RETURNING parameter of the method in question is used in further processing):
- ESCAPE_QUOTES
- QUOTE
- CHECK_CHAR_LITERAL
- CHECK_INT_VALUE
- CHECK_VARIABLE_NAME
- CHECK_COLUMN_NAME
- CHECK_TABLE_OR_VIEW_NAME_STR
- CHECK_TABLE_OR_VIEW_NAME_TAB
- CHECK_TABLE_NAME_STR
- CHECK_TABLE_NAME_TAB
- CHECK_WHITELIST_STR
- CHECK_WHITELIST_TAB
Secure data sources can also be displayed using the report
RSLIN_SEC_DISPLAY_BADIS.
Performs a
local data flow analysis.
If a source code position is flagged and does not present a security problem and an input check or escape action (for example, using a method from CL_ABAP_DYN_PRG) is not appropriate, an
exemption should be requested in ATC.
Possible cross-site scripting - 1132
Potential risk of cross-site scripting
In the case in question, external data is used without encoding to generate a dynamic HTML page and then forwarded to the browser. This makes it possible for an attacker to send unwanted scripts to the browser of the victim (using unwanted input) and execute malicious code there. In this case, this is known as reflected
cross-site scripting (XSS).
Procedure
The first check should verify whether modern Web frameworks can be used with automatic XSS protection, for example Web Dynpro or BSP with HTMLB extension, where encoding is activated globally (using the attribute forceEncode="ENABLED" of the HTMLB:CONTENT tag). If this is not possible, the external data must be encoded before being used in the dynamic HTML page.
For BSP pages, global encoding can be set using the global page attribute forceEncode:
<%@page language="abap" forceEncode="html|url|javascript|css"%>
If necessary, global encoding can be overwritten by local encoding:
- <%html=.........%> - HTML encoding
- <%url=..........%> - URL encoding for parameter names or parameter values of URLs
- <%javascript=...%> - JavaScript encoding
- <%css=..........%> - CSS encoding
- <%raw=..........%> - No encoding
More information can be found in SAP Note
887168.
An encoding API should be used for generic Web applications. From Release SAP_BASIS 731, the built-in function ESCAPE:
- out = escape(val = val format = cl_abap_format=>e_xss_ml)
- out = escape(val = val format = cl_abap_format=>e_xss_js)
- out = escape(val = val format = cl_abap_format=>e_xss_url)
- out = escape(val = val format = cl_abap_format=>e_xss_css)
In lower releases, methods of the class CL_ABAP_DYN_PRG:
- CL_ABAP_DYN_PRG=>ESCAPE_XSS_XML_HTML
- CL_ABAP_DYN_PRG=>ESCAPE_XSS_JAVASCRIPT
- CL_ABAP_DYN_PRG=>ESCAPE_XSS_CSS
- CL_ABAP_DYN_PRG=>ESCAPE_XSS_URL
The individual methods in the class CL_ABAP_DYN_PRG became available in different Support Packages or SAP Notes. SAP Note
1852318 provides an overview of these methods.
For more information, see "XSS Secure Programming Guide". SAP Note
1714836.
Secure data sources can also be displayed using the report
RSLIN_SEC_DISPLAY_BADIS.
Performs a
local data flow analysis.
If a source code position is flagged and does not present a security problem and an input check or escape action (for example, using a method from CL_ABAP_DYN_PRG) is not appropriate, an
exemption should be requested in ATC.
Potential reflected cross-site scripting - 1134
Potential reflected cross-site scripting
In the case in question, external data from a HTTP request (such as URL parameters and HTML form fields) are used without encoding to generate a dynamic HTML page and then forwarded to the browser. This makes it possible for an attacker to send unwanted scripts to the browser of the victim (using unwanted input) and execute malicious code there. In this case, this is known as reflected
cross-site scripting (XSS).
Procedure
The first check should verify whether modern Web frameworks can be used with automatic XSS protection, for example Web Dynpro or BSP with HTMLB extension, where encoding is activated globally (using the attribute forceEncode="ENABLED" of the HTMLB:CONTENT tag). If this is not possible, the external data must be encoded before being used in the dynamic HTML page.
For BSP pages, global encoding can be set using the global page attribute forceEncode:
<%@page language="abap" forceEncode="html|url|javascript|css"%>
If necessary, global encoding can be overwritten by local encoding:
- <%html=.........%> - HTML encoding
- <%url=..........%> - URL encoding for parameter names or parameter values of URLs
- <%javascript=...%> - JavaScript encoding
- <%css=..........%> - CSS encoding
- <%raw=..........%> - No encoding
More information can be found in SAP Note
887168.
An encoding API should be used for generic Web applications. From Release SAP_BASIS 731, the built-in function ESCAPE:
- out = escape(val = val format = cl_abap_format=>e_xss_ml)
- out = escape(val = val format = cl_abap_format=>e_xss_js)
- out = escape(val = val format = cl_abap_format=>e_xss_url)
- out = escape(val = val format = cl_abap_format=>e_xss_css)
In lower releases, methods of the class CL_ABAP_DYN_PRG:
- CL_ABAP_DYN_PRG=>ESCAPE_XSS_XML_HTML
- CL_ABAP_DYN_PRG=>ESCAPE_XSS_JAVASCRIPT
- CL_ABAP_DYN_PRG=>ESCAPE_XSS_CSS
- CL_ABAP_DYN_PRG=>ESCAPE_XSS_URL
The individual methods in the class CL_ABAP_DYN_PRG became available in different Support Packages or SAP Notes. SAP Note
1852318 provides an overview of these methods.
For more information, see "XSS Secure Programming Guide". SAP Note
1714836.
Secure data sources can also be displayed using the report
RSLIN_SEC_DISPLAY_BADIS.
Performs a
local data flow analysis.
If a source code position is flagged and does not present a security problem and an input check or escape action (for example, using a method from CL_ABAP_DYN_PRG) is not appropriate, an
exemption should be requested in ATC.
Potentially manipulated HTML page in HTML control - 1135
Security problems can occur wherever external data (such as user input) is processed further without being checked.
In some cases, external data is used without encoding to generate a dynamic HTML page and then sent to the front end (browser). This makes it possible for an attacker to send unwanted scripts to the front end (browser) of the victim (using unwanted input) and execute malicious code there. In this case, this is known as cross-site scripting (XSS).
In the case in question, it is possible that a manipulated HTML page was sent to a HTML control (
CL_GUI_HTML_VIEWER).
Procedure
The first check should verify whether modern Web frameworks can be used with automatic XSS protection, for example Web Dynpro or BSP with HTMLB extension, where encoding is activated globally (using the attribute
forceEncode="ENABLED" of the HTMLB:CONTENT tag). If this is not possible, the external data must be encoded before being used in the dynamic HTML page.
For BSP pages, global encoding can be set using the global page attribute
forceEncode:
<%@page language="abap" forceEncode="html|url|javascript|css"%>
If necessary, global encoding can be overwritten by local encoding:
- <%html=.........%> - HTML encoding
- <%url=..........%> - URL encoding for parameter names or parameter values of URLs
- <%javascript=...%> - JavaScript encoding
- <%css=..........%> - CSS encoding
- <%raw=..........%> - No encoding
More information can be found in SAP Note
887168.
An encoding API should be used for generic Web applications. From Release SAP_BASIS 731, the built-in function
ESCAPE:
- out = escape(val = val format = cl_abap_format=>e_xss_ml)
- out = escape(val = val format = cl_abap_format=>e_xss_js)
- out = escape(val = val format = cl_abap_format=>e_xss_url)
- out = escape(val = val format = cl_abap_format=>e_xss_css)
In lower releases, methods of the class
CL_ABAP_DYN_PRG:
- CL_ABAP_DYN_PRG=>ESCAPE_XSS_XML_HTML
- CL_ABAP_DYN_PRG=>ESCAPE_XSS_JAVASCRIPT
- CL_ABAP_DYN_PRG=>ESCAPE_XSS_CSS
- CL_ABAP_DYN_PRG=>ESCAPE_XSS_URL
The individual methods in the class
CL_ABAP_DYN_PRG became available in different support packages or SAP Notes. SAP Note
1852318 provides an overview of these methods.
For more information, see "XSS Secure Programming Guide", SAP Note
1714836.
Internal SAP link: https://wiki.wdf.sap.corp/wiki/display/NWCUIAMSIM/XSS+Secure+Programming+Guide
Secure data sources can also be displayed using the report
RSLIN_SEC_DISPLAY_BADIS.
If the source code position in question does not have any security problems and there is no point in modifying the source code, an
exemption should be requested in ATC.
How is the check done?
INCLUDE CHAPBC_SLINSEC_DATAFLOW OBJECT DOKU ID HY
User-controlled dynamic CALL FUNCTION via RFC - 1140
Potential call of invalid function module using RFC
In the case in question, external data is used as the name of a function modules that is called using RFC. An attacker might be able to call forbidden function modules in other systems by entering unexpected data in this location. The problem is made worse because function parameters with incorrect names at runtime are ignored in this case and character-like parameters with incorrect lengths are truncated if necessary. This is also the case if 'NONE' was specified as DESTINATION.
Procedure
First check whether it is necessary to use
dynamic procedure calls. Switching to static calls provides a full solution to the security problem presented here. If this is not possible, the input data must be checked accordingly before being used as function module names.
The class CL_ABAP_DYN_PRG can be used to implement input checks as described in
Validation by Methods of CL_ABAP_DYN_PRG. (The individual methods in the class CL_ABAP_DYN_PRG became available in different Support Packages or SAP Notes. SAP Note
1852318 provides an overview of these methods.) In the case in question, the following methods of this class are viewed as sufficient by the automated check (if the RETURNING parameter of the method in question is used in further processing):
- CHECK_WHITELIST_STR
- CHECK_WHITELIST_TAB
Secure data sources can also be displayed using the report
RSLIN_SEC_DISPLAY_BADIS.
Performs a
local data flow analysis.
If a source code position is flagged and does not present a security problem and an input check or escape action (for example, using a method from CL_ABAP_DYN_PRG) is not appropriate, an
exemption should be requested in ATC.
Note
The message in questions is only produced for RFC calls, i.e. calls with the addition DESTINATION. In other
dynamic function module calls,
SLIN_SEC 1144 is produced if necessary.
User-controlled dynamic program unit call - 1141
Potential call of an illegal program using the statement SUBMIT
In the case in question, external data is used within a dynamic program call (meaning a
dynamic call of a report or transaction). This enables potential attackers to call unexpected program units by making unexpected input, and thereby illegally modify the running of the program.
Procedure
First check whether it is necessary to use dynamic program calls. Switching to static calls provides a full solution to the security problem presented here. If this is not possible, the input data must be checked accordingly before being used as report names or transaction names.
The class CL_ABAP_DYN_PRG can be used to implement input checks as described in
Validation by Methods of CL_ABAP_DYN_PRG. (The individual methods in the class CL_ABAP_DYN_PRG became available in different Support Packages or SAP Notes. SAP Note
1852318 provides an overview of these methods.) In the case in question, the following methods of this class are viewed as sufficient by the automated check (if the RETURNING parameter of the method in question is used in further processing):
- CHECK_WHITELIST_STR
- CHECK_WHITELIST_TAB
Secure data sources can also be displayed using the report
RSLIN_SEC_DISPLAY_BADIS.
Performs a
local data flow analysis.
If a source code position is flagged and does not present a security problem and an input check or escape action (for example, using a method from CL_ABAP_DYN_PRG) is not appropriate, an
exemption should be requested in ATC.
User-controlled dynamic CALL TRANSACTION - 1142
Dynamic CALL TRANSACTION without allow list check
When a transaction is started from the user interface or by executing the ABAP command LEAVE TO TRANSACTION, an authorization check is performed automatically. The check is always made using the authorization object S_TCODE . In the transaction code editor (transaction SE93), developers can specify an authorization object with authorization values. If an entry of this type is found, the authorization specified there is checked.
These authorization checks are not usually made when the ABAP command CALL TRANSACTION is executed. The developer of the program in question must decide whether the transaction start authorization is checked.
A corresponding authorization check was found in the dynamic CALL TRANSACTION in question. This authorization check is usually enough to secure the dynamic CALL TRANSACTION statement in question. In special cases, it may be appropriate to have an additional allow list check (see the following explanation).
In the case in question, external data is used within a dynamic program call (meaning a
dynamic call of a report or transaction). This enables potential attackers to call unexpected program units by making unexpected input, and thereby illegally modify the running of the program.
Procedure
First check whether it is necessary to use dynamic program calls. Switching to static calls provides a full solution to the security problem presented here. If this is not possible, the input data must be checked accordingly before being used as report names or transaction names.
The class CL_ABAP_DYN_PRG can be used to implement input checks as described in
Validation by Methods of CL_ABAP_DYN_PRG. (The individual methods in the class CL_ABAP_DYN_PRG became available in different Support Packages or SAP Notes. SAP Note
1852318 provides an overview of these methods.) In the case in question, the following methods of this class are viewed as sufficient by the automated check (if the RETURNING parameter of the method in question is used in further processing):
- CHECK_WHITELIST_STR
- CHECK_WHITELIST_TAB
Secure data sources can also be displayed using the report
RSLIN_SEC_DISPLAY_BADIS.
Performs a
local data flow analysis.
If a source code position is flagged and does not present a security problem and an input check or escape action (for example, using a method from CL_ABAP_DYN_PRG) is not appropriate, an
exemption should be requested in ATC.
User-controlled dynamic LEAVE TO TRANSACTION - 1143
Potential call of an unwanted transaction using the statement LEAVE TO TRANSACTION
In the case in question, external data is used within a dynamic program call (meaning a
dynamic call of a report or transaction). This enables potential attackers to call unexpected program units by making unexpected input, and thereby illegally modify the running of the program.
Procedure
First check whether it is necessary to use dynamic program calls. Switching to static calls provides a full solution to the security problem presented here. If this is not possible, the input data must be checked accordingly before being used as report names or transaction names.
The class CL_ABAP_DYN_PRG can be used to implement input checks as described in
Validation by Methods of CL_ABAP_DYN_PRG. (The individual methods in the class CL_ABAP_DYN_PRG became available in different Support Packages or SAP Notes. SAP Note
1852318 provides an overview of these methods.) In the case in question, the following methods of this class are viewed as sufficient by the automated check (if the RETURNING parameter of the method in question is used in further processing):
- CHECK_WHITELIST_STR
- CHECK_WHITELIST_TAB
Secure data sources can also be displayed using the report
RSLIN_SEC_DISPLAY_BADIS.
Performs a
local data flow analysis.
If a source code position is flagged and does not present a security problem and an input check or escape action (for example, using a method from CL_ABAP_DYN_PRG) is not appropriate, an
exemption should be requested in ATC.
Dynamic function module call controllable from UI or via RFC - 1144
UI-driven or RFC-driven dynamic call of a function module
Here, the name of a called function module can be controlled using either the user interface or a parameter of an RFC-enabled function module.
An attacker might be able to call forbidden function modules by entering unexpected data in this location.
Procedure
First check whether it is necessary to use dynamic function module calls. Switching to static calls provides a full solution to the security problem presented here. If this is not possible, the input data must be checked accordingly before being used as function module names.
The class CL_ABAP_DYN_PRG can be used to implement input checks as described in
Validation by Methods of CL_ABAP_DYN_PRG. (The individual methods in the class CL_ABAP_DYN_PRG became available in different Support Packages or SAP Notes. SAP Note
1852318 provides an overview of these methods.) In the case in question, the following methods of this class are viewed as sufficient by the automated check (if the RETURNING parameter of the method in question is used in further processing):
- CHECK_WHITELIST_STR
- CHECK_WHITELIST_TAB
Secure data sources can also be displayed using the report
RSLIN_SEC_DISPLAY_BADIS.
Dynamic function module calls are frequent, which means that only those calls are registered here for which some or all of the function module name can be controlled meaningfully using the user interface or RFC. To do this, a local data flow analysis is performed.
If a source code position is flagged and does not present a security problem and an input check (for example, using a method from CL_ABAP_DYN_PRG) is not appropriate, an
exemption should be requested in ATC.
Note:
- This message (SLIN_SEC 1144) is not raised for dynamic function module calls that represent an RFC call. In dynamic RFC calls like this, SLIN_SEC 1140 is produced if necessary. For this reason, the checks SLIN_SEC 1140 and 1144
- must always be performed together (neither of the checks should be suppressed using its priority) or
- must always be suppressed together using their priorities.
- A local data flow analysis is performed, which means that exactly those occurrences are registered in which the function module name can be controlled using the user interface of the wrapper program or in which dynamic calls within a function group can be controlled using the parameter of an RFC-enabled function module of this function group.
Static CALL TRANSACTION without check of authorization object from SE93 – 114A
Static
CALL TRANSACTION without check on authorization from the transaction editor
When a transaction is started from the user interface or by executing the ABAP command
LEAVE TO TRANSACTION, an authorization check is performed automatically. The check is always made using the authorization object
S_TCODE . In the transaction code editor (transaction SE93), developers can specify an authorization object with authorization values. If an entry of this type is found, the authorization specified there is checked.
These authorization checks are not usually made when the ABAP command
CALL TRANSACTION is executed. The developer of the program in question must decide whether the transaction start authorization is checked.
Here, a check on the authorization object
S_TCODE was found. The additional check was specified in the transaction editor, but no check on this authorization was found in the code. This could present a security risk.
Procedure
If the authorization check is missing by accident, it can implemented in full by simply calling the function module
AUTHORITY_CHECK_TCODE . From SAP_BASIS 7.40 SP 02, the addition
WITH AUTHORITY-CHECK in CALL TRANSACTION can also be used to do this. It works in the same way as the function module call. Both methods check the authorization object
S_TCODE. It may be a good idea to remove the explicit
AUTHORITY-CHECK on S_TCODE.
If the check on the authorization object from the transaction editor in
CALL TRANSACTION was skipped intentionally, the addition
WITHOUT AUTHORITY-CHECK in CALL TRANSACTION can be used from SAP_BASIS 7.40 SP 02. In systems with older releases, the message must be suppressed using an exemption.
For each
CALL TRANSACTION, a search is made for the
AUTHORITY-CHECKs or a suitable call of the function module
AUTHORITY_CHECK_TCODE within the same procedure (event, method, function, form routine). In called procedures, a search is also performed for these authorization checks up to a nesting depth of five. If an
AUTHORITY-CHECK on the authorization object
S_TCODE is found, but no
AUTHORITY-CHECK that matches the entry from the transaction editor, the message is displayed.
Static CALL TRANSACTION without check of authorization object S_TCODE – 114B
Static
CALL TRANSACTION without check on authorization object
S_TCODE.
When a transaction is started from the user interface or by executing the ABAP command
LEAVE TO TRANSACTION, an authorization check is performed automatically. The check is always made using the authorization object
S_TCODE . In the transaction code editor (transaction SE93), developers can specify an authorization object with authorization values. If an entry of this type is found, the authorization specified there is checked.
These authorization checks are not usually made when the ABAP command
CALL TRANSACTION is executed. The developer of the program in question must decide whether the transaction start authorization is checked.
Here, a check on the authorization object from the transaction editor (SE93) was found. The code, however, did not contain a check on the authorization object
S_TCODE for the called transaction. This could present a security risk.
Procedure
If the authorization check is missing by accident, it can implemented in full by simply calling the function module
AUTHORITY_CHECK_TCODE . From SAP_BASIS 7.40 SP 02, the addition
WITH AUTHORITY-CHECK in
CALL TRANSACTION can also be used to do this. It works in the same way as the function module call. Both methods check the authorization from the transaction editor (SE93) and the authorization object
S_TCODE. It may be a good idea to remove the explicit
AUTHORITY-CHECK on the authorization from the transaction editor (SE93).
If the check on the authorization object
S_TCODE in CALL TRANSACTION was skipped intentionally, the addition
WITHOUT AUTHORITY-CHECK in CALL TRANSACTION can be used from SAP_BASIS 7.40 SP 02. In systems with older releases, the message must be suppressed using an exemption.
For each
CALL TRANSACTION, a search is made for the
AUTHORITY-CHECKs or a suitable call of the function module
AUTHORITY_CHECK_TCODE within the same procedure (event, method, function, form routine). In called procedures, a search is also performed for these authorization checks up to a nesting depth of five. If an
AUTHORITY-CHECK on the authorization from the transaction editor (SE93) is found, but no
AUTHORITY-CHECK on S_TCODE, the message is displayed.
Static CALL TRANSACTION without authorization check – 114C
Static
CALL TRANSACTION without authorization check
When a transaction is started from the user interface or by executing the ABAP command
LEAVE TO TRANSACTION, an authorization check is performed automatically. The check is always made using the authorization object
S_TCODE . In the transaction code editor (transaction SE93), developers can specify an authorization object with authorization values. If an entry of this type is found, the authorization specified there is checked.
These authorization checks are not usually made when the ABAP command
CALL TRANSACTION is executed. The developer of the program in question must decide whether the transaction start authorization is checked.
Here, none of the authorization checks above were found in the code. This could present a security risk.
Procedure
If the authorization checks are missing by accident, they can implemented in full by simply calling the function module
AUTHORITY_CHECK_TCODE . From SAP_BASIS 7.40 SP 02, the addition
WITH AUTHORITY-CHECK in CALL TRANSACTION can also be used to do this. It works in the same way as the function module call. Both methods check the authorization object
S_TCODE and the authorization from the transaction editor (SE93). However, you should note that table
TCDCOUPLES is taken into account for function module
AUTHORITY_CHECK_TCODE.
In a few situations, it is intentional that no authorizations are checked in
CALL TRANSACTION (or only the authorization for the authorization
S_TCODE). In these cases, the addition
WITHOUT AUTHORITY-CHECK can be used in
CALL TRANSACTION from SAP_BASIS 7.40 SP 02. In systems with older releases, the message must be suppressed using an exemption. In dynamic
CALL TRANSACTIONS, it is only acceptable to skip the authorization check if the set of callable transactions is restricted (usually by using a allow list check).
SAP recommends that the entries in table
TCDCOUPLES (transaction SE97) are no longer used to control the behavior.
For each
CALL TRANSACTION, a search is made for the
AUTHORITY-CHECKs or a suitable call of the function module
AUTHORITY_CHECK_TCODE within the same procedure (event, method, function, form routine). In called procedures, a search is also performed for these authorization checks up to a restricted nesting depth. The message is displayed if none of the authorization checks above are found.
Static CALL TRANSACTION without authorization check (restricted function) – 114D
Static
CALL TRANSACTION without authorization check in the case of restricted functions
When a transaction is started from the user interface or by executing the ABAP command
LEAVE TO TRANSACTION, an authorization check is performed automatically. The check is always made using the authorization object
S_TCODE . In the transaction code editor (transaction SE93), developers can specify an authorization object with authorization values. If an entry of this type is found, the authorization specified there is checked.
These authorization checks are not usually made when the ABAP command
CALL TRANSACTION is executed. The developer of the program in question must decide whether the transaction start authorization is checked.
Here, none of the authorization checks above were found in the code. This could present a security risk. The security risk becomes slightly less severe because a restriction to a specific context (
AND SKIP FIRST SCREEN or USING bdc_tab) was found in the statement
CALL TRANSACTION .
Procedure
If the authorization checks are missing by accident, they can implemented in full by simply calling the function module
AUTHORITY_CHECK_TCODE . From SAP_BASIS 7.40 SP 02, the addition
WITH AUTHORITY-CHECK in
CALL TRANSACTION can also be used to do this. It works in the same way as the function module call. Both methods check the authorization object
S_TCODE and the authorization from the transaction editor (SE93). However, you should note that table
TCDCOUPLES is taken into account for function module
AUTHORITY_CHECK_TCODE.
In a few situations, it is intentional that no authorizations are checked in
CALL TRANSACTION (or only the authorization for the authorization
S_TCODE). In these cases, the addition
WITHOUT AUTHORITY-CHECK can be used in
CALL TRANSACTION from SAP_BASIS 7.40 SP 02. In systems with older releases, the message must be suppressed using an exemption. In dynamic
CALL TRANSACTIONS, it is only acceptable to skip the authorization check if the set of callable transactions is restricted (usually by using an allow list check).
SAP recommends that the entries in table
TCDCOUPLES (transaction SE97) are no longer used to control the behavior.
For each
CALL TRANSACTION, a search is made for the
AUTHORITY-CHECKs or a suitable call of the function module
AUTHORITY_CHECK_TCODE within the same procedure (event, method, function, form routine). In called procedures, a search is also performed for these authorization checks up to a restricted nesting depth. The message is displayed if none of the authorization checks above are found.
Dynamic CALL TRANSACTION without authorization check - 114E
Dynamic
CALL TRANSACTION without authorization check
When a transaction is started from the user interface or by executing the ABAP command
LEAVE TO TRANSACTION, an authorization check is performed automatically. The check is always made using the authorization object
S_TCODE . In the transaction code editor (transaction SE93), developers can specify an authorization object with authorization values. If an entry of this type is found, the authorization specified there is checked.
These authorization checks are not usually made when the ABAP command
CALL TRANSACTION is executed. The developer of the program in question must decide whether the transaction start authorization is checked.
In the dynamic
CALL TRANSACTION in question, none of the authorization checks above were found in the code. This could present a security risk.
An allow list check restricts the set of potential transactions called, which means that the security risk is already reduced. Depending on the context, this restriction may be enough.
Procedure
If the authorization checks are missing by accident, they can implemented in full by simply calling the function module
AUTHORITY_CHECK_TCODE . From SAP_BASIS 7.40 SP 02, the addition
WITH AUTHORITY-CHECK in
CALL TRANSACTION can also be used to do this. It works in the same way as the function module call. Both methods check the authorization object
S_TCODE and the authorization from the transaction editor (SE93). However, you should note that table
TCDCOUPLES is taken into account for function module
AUTHORITY_CHECK_TCODE.
In a few situations, it is intentional that no authorizations are checked in
CALL TRANSACTION (or only the authorization for the authorization
S_TCODE). In these cases, the addition
WITHOUT AUTHORITY-CHECK can be used in
CALL TRANSACTION from SAP_BASIS 7.40 SP 02. In systems with older releases, the message must be suppressed using an exemption. In dynamic
CALL TRANSACTIONS, it is only acceptable to skip the authorization check if the set of callable transactions is restricted (usually by using an allow list check).
SAP recommends that the entries in table
TCDCOUPLES (transaction SE97) are no longer used to control the behavior.
For each dynamic
CALL TRANSACTION, a search is made for the a suitable call of the function module
AUTHORITY_CHECK_TCODE within the same procedure (event, method, function, form routine). In called procedures, a search is also performed for these authorization checks up to a restricted nesting depth. The message is displayed if none of the authorization checks above are found.
Dynamic CALL TRANSACTION without authorization check and without check on valid transaction names – 114F
What is checked
Dynamic
CALL TRANSACTION without authorization check and without an allow list check
In the case in question, external data is used within a
dynamic transaction call. This enables potential attackers to call unexpected transactions by making unexpected input, and thereby illegally modify the running of the program.
When a transaction is started from the user interface or by executing the ABAP command
LEAVE TO TRANSACTION, an authorization check is performed automatically. The check is always made using the authorization object
S_TCODE . In the transaction code editor (transaction SE93), developers can specify an authorization object with authorization values. If an entry of this type is found, the authorization specified there is checked.
These authorization checks are not usually made when the ABAP command
CALL TRANSACTION is executed. The developer of the program in question must decide whether the transaction start authorization is checked.
In this dynamic
CALL TRANSACTION, the potential influence of the user input on the called transaction was identified and, additionally, none of the authorization checks mentioned above were found in the source code. This could present a security risk.
Procedure
Both the authorization check aspect and the aspect of dynamics in the name of the called transaction must be considered. In most situations, an authorization check is the best choice for removing the security problem.
Authorization check
If the authorization checks are missing by accident, they can implemented in full by simply calling the function module
AUTHORITY_CHECK_TCODE . From SAP_BASIS 7.40 SP 02, the addition
WITH AUTHORITY-CHECK in
CALL TRANSACTION can also be used to do this. It works in the same way as the function module call. Both methods check the authorization object
S_TCODE and the authorization from the transaction editor (SE93). However, you should note that table
TCDCOUPLES is taken into account for function module
AUTHORITY_CHECK_TCODE.
In a few situations, it is intentional that no authorizations are checked in
CALL TRANSACTION (or only the authorization for the authorization
S_TCODE). In these cases, the addition
WITHOUT AUTHORITY-CHECK can be used in
CALL TRANSACTION from SAP_BASIS 7.40 SP 02. In systems with older releases, the message must be suppressed using an exemption. In dynamic
CALL TRANSACTIONS, it is only acceptable to skip the authorization check if the set of callable transactions is restricted (usually by using an allow list check).
SAP recommends that the entries in table
TCDCOUPLES (transaction SE97) are no longer used to control the behavior.
Dynamics in the name of the called transaction
First check whether it is necessary to use dynamic transaction calls. Switching to static calls provides a solution to the security problem presented here at least. If this is not possible, the input data must be checked accordingly before being used as transaction names.
The class
CL_ABAP_DYN_PRG can be used to implement input checks as described in
Validation by Methods of CL_ABAP_DYN_PRG. (The individual methods in the class
CL_ABAP_DYN_PRG became available in different Support Packages or SAP Notes. SAP Note
1852318 provides an overview of these methods.) In the case in question, the following methods of this class are viewed as sufficient by the automated check (if the RETURNING parameter of the method in question is used in further processing):
- CHECK_WHITELIST_STR
- CHECK_WHITELIST_TAB
Secure data sources can also be displayed using the report
RSLIN_SEC_DISPLAY_BADIS.
If an authorization check is not predefined, an error message stating that the authorization check is missing might be raised the next time the program is checked.
A
local data flow analysis is performed.
For each dynamic
CALL TRANSACTION, a search is made for the a suitable call of the function module
AUTHORITY_CHECK_TCODE within the same procedure (event, method, function, form routine). In called procedures, a search is also performed for these authorization checks up to a restricted nesting depth. The message is displayed if none of the authorization checks above are found.
Dynamic CALL TRANSACTION with potentially incomplete authorization check – 114G
What is checked?
Security problems can occur wherever external data (such as user input) is processed further without being checked.
In the case in question, external data is used within a dynamic transaction call. This enables potential attackers to call unexpected transactions by making unexpected input, and thereby illegally modify the running of the program.
When a transaction is started from the user interface or by executing the ABAP statement
LEAVE TO TRANSACTION, an authorization check is performed automatically. The check is always made using the authorization object
S_TCODE. In the transaction code editor (transaction SE93), developers can specify an authorization object with authorization values. If an entry of this type is found, the authorization specified there is checked.
These authorization checks are not usually made when the ABAP statement
CALL TRANSACTION is executed. The developer of the program in question must decide whether the transaction start authorization is checked.
In this dynamic
CALL TRANSACTION, the potential influence of the user input on the called transaction was identified and, additionally, only one authorization check on the authorization object
S_TCODE was found in the source code. The authorization check might be incomplete, since the system analysis cannot decide whether a check was made on the authorization from the transaction editor (transaction SE93). This could present a security risk.
Procedure
Both the authorization check aspect and the aspect of dynamics in the name of the called transaction must be considered. In most situations, an authorization check is the best choice for removing the security problem.
Authorization Check
If the authorization checks are missing by accident, they can implemented in full by simply calling the function module
AUTHORITY_CHECK_TCODE . From SAP_BASIS 7.40 SP 02, the addition
WITH AUTHORITY-CHECK in
CALL TRANSACTION can also be used to do this. It works in the same way as the function module call. Both methods check the authorization object
S_TCODE and the authorization from the transaction editor (SE93). However, it should be noted that the table
TCDCOUPLES is respected for the function module
AUTHORITY_CHECK_TCODE.
In a few situations, it is intentional that no authorizations are checked in
CALL TRANSACTION (or only the authorization for the authorization
S_TCODE). In these cases, the addition
WITHOUT AUTHORITY-CHECK can be used in
CALL TRANSACTION from SAP_BASIS 7.40 SP 02. In systems with older releases, the message must be suppressed using an exemption. In dynamic
CALL TRANSACTIONS, it is only acceptable to skip the authorization check if the set of callable transactions is restricted (usually by using a check on valid values).
SAP recommends that the entries in the table
TCDCOUPLES (transaction SE97) are no longer used to control the behavior.
Dynamics in the name of the called transaction
First check whether it is necessary to use dynamic transaction calls. Switching to static calls provides a solution to the security problem presented here. If this is not possible, the input data must be checked appropriately before being used as transaction names.
The class
CL_ABAP_DYN_PRG can be used to implement input checks as described in Validation by Methods of
CL_ABAP_DYN_PRG. (The individual methods in the class
CL_ABAP_DYN_PRG became available in different support packages or SAP Notes. SAP Note
1852318 provides an overview of these methods.) In the case in question, the following methods of this class are viewed as sufficient by the automated check (if the RETURNING parameter of the method in question is used in further processing instead of the original input value):
1. CHECK_WHITELIST_STR
2. CHECK_WHITELIST_TAB
Secure data sources can also be displayed using the report
RSLIN_SEC_DISPLAY_BADIS.
If the source code position in question does not have any security problems and there is no point in modifying the source code, an exemption should be requested in ATC.
How is the check done
A local data flow analysis is performed.
For each dynamic
CALL TRANSACTION, a search is made for the a suitable call of the function module
AUTHORITY_CHECK_TCODE within the same procedure (event, method, function, form routine). In called procedures, a search is also performed for these authorization checks up to a restricted nesting depth. The message is displayed if none of the authorization checks above are found.
Dynamic CALL TRANSACTION without authorization check – 114H
What is checked?
When a transaction is started from the user interface or by executing the ABAP statement
LEAVE TO TRANSACTION, an authorization check is performed automatically. The check is always made using the authorization object
S_TCODE. In the transaction code editor (transaction SE93), developers can specify an authorization object with authorization values. If an entry of this type is found, the authorization specified there is checked.
These authorization checks are not usually made when the ABAP statement
CALL TRANSACTION is executed. The developer of the program in question must decide whether the transaction start authorization is checked.
In the dynamic
CALL TRANSACTION in question, none of the authorization checks above were found in the source code. This could present a security risk.
No vulnerable data source was found for the transaction name. This means that the name of the called transaction most probably cannot be manipulated from outside.
Procedure
If the authorization checks are missing by accident, they can implemented in full by simply calling the function module
AUTHORITY_CHECK_TCODE. From SAP_BASIS 7.40 SP 02, the addition
WITH AUTHORITY-CHECK in
CALL TRANSACTION can also be used to do this. It works in the same way as the function module call. Both methods check the authorization object
S_TCODE and the authorization from the transaction editor (SE93). However, it should be noted that the table
TCDCOUPLES is respected for the function module
AUTHORITY_CHECK_TCODE.
In a few situations, it is intentional that no authorizations are checked in
CALL TRANSACTION (or only the authorization for the authorization S_TCODE). In these cases, the addition
WITHOUT AUTHORITY-CHECK can be used in
CALL TRANSACTION from SAP_BASIS 7.40 SP 02. In systems with older releases, the message must be suppressed using an exemption. In dynamic
CALL TRANSACTIONS, it is only acceptable to skip the authorization check if the set of callable transactions is restricted (usually by using a check on valid values).
SAP recommends that the entries in the table
TCDCOUPLES (transaction SE97) are no longer used to control the behavior.
If the source code position in question does not have any security problems and there is no point in modifying the source code, an exemption should be requested in ATC.
How is the check done
For each dynamic
CALL TRANSACTION, a search is made for the a suitable call of the function module
AUTHORITY_CHECK_TCODE within the same procedure (event, method, function, form routine). In called procedures, a search is also performed for these authorization checks up to a restricted nesting depth. The message is displayed if none of the authorization checks above are found.
Dynamic CALL TRANSACTION without authorization check – 114I
What is checked?
When a transaction is started from the user interface or by executing the ABAP statement
LEAVE TO TRANSACTION, an authorization check is performed automatically. The check is always made using the authorization object
S_TCODE. In the transaction code editor (transaction SE93), developers can specify an authorization object with authorization values. If an entry of this type is found, the authorization specified there is checked.
These authorization checks are not usually made when the ABAP statement
CALL TRANSACTION is executed. The developer of the program in question must decide whether the transaction start authorization is checked.
In the dynamic
CALL TRANSACTION in question, none of the authorization checks above were found in the source code. This could present a security risk.
No vulnerable data source was found for the transaction name. This means that the name of the called transaction most probably cannot be manipulated from outside.
Procedure
If the authorization checks are missing by accident, they can implemented in full by simply calling the function module
AUTHORITY_CHECK_TCODE. From SAP_BASIS 7.40 SP 02, the addition
WITH AUTHORITY-CHECK in
CALL TRANSACTION can also be used to do this. It works in the same way as the function module call. Both methods check the authorization object
S_TCODE and the authorization from the transaction editor (SE93). However, it should be noted that the table
TCDCOUPLES is respected for the function module
AUTHORITY_CHECK_TCODE.
In a few situations, it is intentional that no authorizations are checked in
CALL TRANSACTION (or only the authorization for the authorization
S_TCODE). In these cases, the addition
WITHOUT AUTHORITY-CHECK can be used in
CALL TRANSACTION from SAP_BASIS 7.40 SP 02. In systems with older releases, the message must be suppressed using an exemption. In dynamic
CALL TRANSACTIONS, it is only acceptable to skip the authorization check if the set of callable transactions is restricted (usually by using a check on valid values).
SAP recommends that the entries in the table
TCDCOUPLES (transaction SE97) are no longer used to control the behavior.
If the source code position in question does not have any security problems and there is no point in modifying the source code, an exemption should be requested in ATC.
How is the check done
For each dynamic
CALL TRANSACTION, a search is made for the a suitable call of the function module
AUTHORITY_CHECK_TCODE within the same procedure (event, method, function, form routine). In called procedures, a search is also performed for these authorization checks up to a restricted nesting depth. The message is displayed if none of the authorization checks above are found.
Usage of an obsolete escaping method - 1150
Obsolete escape method used
The
ESCAPE methods of classes
CL_HTTP_UTILITY, CL_HTTP_SERVER and CL_HTTP_CLIENT are obsolete and do not fulfill the current OWASP recommendations. They have been replaced by the predefined function
ESCAPE( ).
Procedure
Calls of the obsolete escape methods must be replaced by calls of the predefined function
ESCAPE( ), appropriate for the context in question. Valid formats are the values
E_XSS_* from the class
CL_ABAP_FORMAT. More information is available in the ABAP keyword documentation.
The specified formats are not available for the predefined function
ESCAPE( ) in releases older than SAP_BASIS 731. Instead, you need to use the
ESCAPE_XSS_* methods from class
CL_ABAP_DYN_PRG. The individual methods in the class
CL_ABAP_DYN_PRG became available in different Support Packages or SAP Notes. SAP Note
1852318 provides an overview of these methods.
All calls of the obsolete methods are reported. This relates to the following methods:
- CL_HTTP_UTILITY=>ESCAPE_JAVASCRIPT
- CL_HTTP_UTILITY=>ESCAPE_HTML
- CL_HTTP_UTILITY=>ESCAPE_URL
- CL_HTTP_UTILITY=>ESCAPE_WML
- CL_HTTP_UTILITY=>ESCAPE_XML_CHAR_DATA
- CL_HTTP_UTILITY=>ESCAPE_XML_ATTR_VALUE
- CL_HTTP_SERVER=>ESCAPE_HTML
- CL_HTTP_SERVER=>ESCAPE_URL
- CL_HTTP_CLIENT=>ESCAPE_HTML
- CL_HTTP_CLIENT=>ESCAPE_URL
forceEncode="enabled" not specified for htmlb:content - 1151
On BSP pages that use htmlb, the values of the attributes of the htmlb tags are encoded only if the attribute forceEncode in htmlb:content has the value 'enabled'. This is the only way to ensure that the encoding matches the context in which an attribute value is used in the finished HTML document.
Procedure
The attribute forceEncode of the htmlb tag htmlb:content is set to the value 'enabled'.
For more information, see "XSS Secure Programming Guide". SAP Note
1714836.
If the position in question does not have any security problems and there is no point in modifying the BSP page, an
exemption should be requested in ATC.
In tag htmlb:content an obsolete design is specified or none at all - 1152
Obsolete design or no design specified for htmlb:content
Message number 1152
The designs CLASSIC and DESIGN2002 are no longer supported. This means that any XSS weaknesses in the associated BSP extensions htmlb, xhtmlb, and so on are no longer corrected.
Only the designs DESIGNS2003 and DESIGN2008 (and any later designs) encode all attributes in full and are secure with respect to cross site scripting (XSS).
Procedure
Obsolete designs can no longer be used. A design must be specified explicitly, since otherwise the obsolete design CLASSIC is used.
For more information, see "XSS Secure Programming Guide". SAP Note
1714836.
AUTHORITY-CHECK without processing of sy-subrc - 1160
SY-SUBRC not evaluated after the statement
AUTHORITY-CHECK
After the statement
AUTHORITY-CHECK, sy-subrc needs to be read. If
SY-SUBRC is not equal to 0, the authorization check was not successful.
The check confirms whether a read is performed on
SY-SUBRC directly after
AUTHORITY-CHECK. Statements such as ENDIF, simple assignments (that do not modify
SY-SUBRC), or comments are permitted before reads. Some declarative statements, such as DATA, are also valid. Many ABAP statements (such as REFRESH) set
SY-SUBRC and are not allowed. If there is an empty IF/ENDIF block after
AUTHORITY-CHECK, a problem is detected.
Procedure
Insert a sy-subrc query with a valid response (for example, cancel).
If the source code position in question does not have any security problems and there is no point in modifying the source code, an
exemption should be requested in ATC.
Call of a security-relevant method without handling the return value - 1161
Return value (for example,
SY-SUBRC) not evaluated after a security-relevant method was called
It is necessary to evaluate the return value (for example,
SY-SUBRC) after a security-relevant method such as
CL_SACF=>AUTH_CHECK_SPEC( ) has been called.
From the perspective of this check, the following methods are security-relevant:
- CL_SACF=>AUTH_CHECK_SPEC( )
- CL_SACF=>AUTH_CHECK_SPEC_USER( )
Further procedures can be registered as security-relevant using the BAdI
SLIN_BADI_SEC_PROCEDURES. All registered security-relevant function modules and methods can be displayed using the report
RSLIN_SEC_DISPLAY_SECREL_PROC.
This check checks whether the return value (for example,
SY-SUBRC) is read immediately after the procedure call. Statements such as ENDIF, simple assignments (that do not modify the return value), or comments are permitted before reads. Some declarative statements, such as DATA, are also valid. If there is an empty IF/ENDIF block after the method call, a problem is registered.
Procedure
Insert an evaluation of the return value (for example,
SY-SUBRC) with an appropriate response (for example, error message or cancel).
If the message is caused by an inconsistent
BAdI implementation, contact the person responsible for the BAdI implementation classes specified in the message details.
If the source code position in question does not have any security problems and there is no point in modifying the source code, an
exemption should be requested in ATC.
Return value (for example, SY-SUBRC) not evaluated after a security-relevant subroutine was called. - 1162
Return value (for example,
SY-SUBRC) not evaluated after a security-relevant subroutine was called.
Once the security-relevant subroutine (FORM routine) has been called, a check must be run to verify that execution was successful. In general this is an evaluation of the corresponding output parameter or a check of system field
SY-SUBRC, if the subroutine uses this as an implicit output parameter.
Procedure
Insert an evaluation of the return value (for example,
SY-SUBRC) with an appropriate response (for example, error message or cancel).
If the source code position in question does not have any security problems and there is no point in modifying the source code, an exemption should be requested in ATC.
A check is run to verify if an evaluation is performed after an external security-relevant subroutine is called.
The check can be expanded by using a BAdI.
Further procedures can be registered as security-relevant using the
BAdI SLIN_BADI_SEC_PROCEDURES. All registered security-relevant procedures can be displayed using the report
RSLIN_SEC_DISPLAY_SECREL_PROC.
This check checks whether the return value (for example,
SY-SUBRC) is read immediately after the procedure call or
AUTHORITY-CHECK. Statements such as ENDIF, simple assignments (that do not modify the return value), or comments are permitted before reads. If there is an empty IF/ENDIF block after the procedure call, a problem is registered.
Potentially security-relevant procedure without registration - 1163
Potentially security-relevant procedure without registration
Directly after the call of an authorization check using the statement
AUTHORITY-CHECK or after the call of a similar procedure, the result of the call in question must be checked. To do this after the statement
AUTHORITY-CHECK, the system field
SY-SUBRC must be queried. After a procedure is called, the corresponding output parameter must be queried.
In some cases, the authorization check is made in a procedure A and the value of
SY-SUBRC (or a corresponding output parameter) returned to its own caller B. This delegates the job of responding appropriately to a failed authorization check to the the caller B. The procedure A becomes a security-relevant procedure and it must now be ensured that all callers of the procedure A check the returned result (in exactly the way they would if they had called the statement
AUTHORITY-CHECK themselves).
In this case, we know that a globally visible procedure delegates the evaluation of the result of an authorization check to its calling programs. Therefore the procedure should be registered as security-relevant in CVA, so that all its calling programs can be checked, to verify that they evaluate the returned result.
Example
The function module is a global procedure, which wraps statement
AUTHORITY-CHECK. The successful execution check is delegated to the calling program.
FUNCTION Z_AUTHORITY_CHECK.
...
*" EXCEPTIONS
*" NO_AUTHORITY
...
AUTHORITY-CHECK OBJECT 'S_TCODE'
ID 'TCD' FIELD I_TCODE.
IF SY-SUBRC 0.
MESSAGE eXXX(XX) RAISING NO_AUTHORITY.
ENDIF.
ENDFUNCTION.
Procedure
First check whether it is necessary to use the global procedure. Switching to a local procedure (for example, from a public to a private method) means that 1163 messages are no longer displayed.
If it is not possible to switch, you should register the procedure as security-relevant using BAdl
SLIN_BADI_SEC_PROCEDURES. Once the procedure has been registered as security-relevant, 1163 messages are no longer displayed. Instead, new security messages can now be displayed in all programs that use the registered
If it is not possible to switch, you should register the procedure as security-relevant using BAdl
SLIN_BADI_SEC_PROCEDURES. Once the procedure has been registered as security-relevant, 1163 messages are no longer displayed. Instead, new security messages can now be displayed in all programs that use the registered procedure.
If the source code position in question does not have any security problems and there is no point in modifying the source code, an exemption should be requested in ATC.
This check verifies whether the return value (for example,
SY-SUBRC) is read immediately after the procedure call or
AUTHORITY-CHECK. In the case in question, this return is either reused as the return code of the current procedure or a classic exception is raised dependent on the return code (which creates a new return code). This means that the handling of the value is delegated to the caller of the current procedure.
Return value (for example, SY-SUBRC) not evaluated after a security-relevant local procedure was called - 1164
Return value (for example,
SY-SUBRC) not evaluated after a security-relevant local procedure was called
Directly after the call of an authorization check using the statement
AUTHORITY-CHECK or after the call of a similar procedure, the result of the call in question must be checked. To do this after the statement
AUTHORITY-CHECK, the system field
SY-SUBRC must be queried. After a procedure is called, the corresponding output parameter must be queried.
In some cases, the authorization check is made in a procedure A and the value of
SY-SUBRC (or a corresponding output parameter) returned to its own caller B. This delegates the job of responding appropriately to a failed authorization check to the the caller B. The procedure A becomes a security-relevant procedure and it must now be ensured that all callers of the procedure A check the returned result (in exactly the way they would if they had called the statement
AUTHORITY-CHECK themselves).
Procedure
After the procedure call, run the evaluation of the return value with an appropriate response (for example, error message or cancel).
If the source code position in question does not have any security problems and there is no point in modifying the source code, an exemption should be requested in ATC.
This check verifies whether the return value (for example,
SY-SUBRC) is read immediately after the procedure call or
AUTHORITY-CHECK. In the case in question, this return is either reused as the return code of the current procedure or a classic exception is raised dependent on the return code (which creates a new return code). This means that the handling of the value is delegated to the caller of the current procedure.
Call of a security-relevant function without processing sy-subrc - 1165
After a security-relevant function module such as AUTHORITY_CHECK_TCODE or AUTHORITY_CHECK is called, the return value (for example, SY-SUBRC) must be evaluated.
From the perspective of this check, the following function modules are security-relevant:
- AUTHORITY_CHECK
- AUTHORITY_CHECK_TCODE
- SU_RAUTH_CHECK_FOR_USER
- VIEW_AUTHORITY_CHECK
- FILE_VALIDATE_NAME
- AUTHORITY_CHECK_DATASET
- AUTHORITY_CHECK_RFC
Further procedures can be registered as security-relevant using the BAdI
SLIN_BADI_SEC_PROCEDURES. All registered security-relevant function modules and methods can be displayed using the report
RSLIN_SEC_DISPLAY_SECREL_PROC.
This check checks whether the return value (for example, SY-SUBRC) is read immediately after the procedure call. Statements such as ENDIF, simple assignments (that do not modify the return value), or comments are permitted before reads. Some declarative statements, such as DATA, are also valid. If there is an empty IF/ENDIF block after the method call, a problem is registered.
Procedure
Insert an evaluation of the return value (for example, SY-SUBRC) with an appropriate response (for example, error message or cancel).
If the message is caused by an inconsistent
BAdI implementation, contact the person responsible for the BAdI implementation classes specified in the message details.
If the source code position in question does not have any security problems and there is no point in modifying the source code, an
exemption should be requested in ATC.
Call of system function CALL “SYSTEM” - 1170
Statement
CALL “SYSTEM” used
The system function call
CALL 'SYSTEM' can be used to execute operating system commands. However, calling operating system commands can be a potential security problem. This is a particular risk in cases where end users can modify or manipulate the parameters of an operating system command.
Usually all system function calls (CALL cfunc) are only allowed to be used in system programs and are not allowed to be used in application programs.
Procedure
Operating system commands should not be called from ABAP.
If an operating system command call is absolutely necessary, however, the SAPXPG mechanism must be used. This offers increased security due to the following characteristics:
- Abstraction from different operating systems
- Predefined operating system commands
- Stricter handling of parameters
- Allows check modules (such as allow lists) to be defined
- Predefined authorization check
New operating system commands must first be defined using transaction SM69. If possible, omit input values because these can also cause a security problem. The function module
SXPG_CALL_SYSTEM can be used to make calls. See
System Command Injections for more information.
All uses of the system function call
CALL 'SYSTEM' are registered.
If the source code position in question does not have any security problems and there is no point in modifying the source code, an
exemption should be requested in ATC.
System function call with potential user input on FIELD - 1171
C function call with names as potential user input
The ABAP command CALL cfunc can be used to execute specific C functions in the kernel. However, calling C functions can be a potential security problem.
Potential attackers can call unwanted kernel functions by making unexpected input, and thereby illegally modify the running of the program.
Procedure
If possible, avoid calling C functions from ABAP. You can do this by using official APIs (such as function modules and methods).
If this is not possible, check whether it is really necessary to use
dynamic calls of C functions. One solution is to switch to using static calls. If this is not possible either, the input data must be checked accordingly before being used as names of C functions.
The class CL_ABAP_DYN_PRG can be used to implement input checks as described in
Validation by Methods of CL_ABAP_DYN_PRG. (The individual methods in the class CL_ABAP_DYN_PRG became available in different Support Packages or SAP Notes. SAP Note
1852318 provides an overview of these methods.) In the case in question, the following methods of this class are viewed as sufficient by the automated check (if the RETURNING parameter of the method in question is used in further processing instead of the original input value):
- CHECK_WHITELIST_STR
- CHECK_WHITELIST_TAB
Secure data sources can also be displayed using the report
RSLIN_SEC_DISPLAY_BADIS.
If the source code position in question does not have any security problems and there is no point in modifying the source code, an
exemption should be requested in ATC.
How is the check done?
If user input is incorporated in the names cfunc, the CALL statement is reported. To do this, a
local data flow analysis is performed.
AUTHORITY-CHECK for specified User - 1180
AUTHORITY-CHECK with explicit user name
The statement
AUTHORITY-CHECK is used together with the addition
FOR USER to check the authorization of the user specified by
FOR USER (and not for the logged on user). This is often a very sensible requirement.
Example: Data needs to be processed using a specific user in a background job. Before the job is scheduled,
AUTHORITY-CHECK FOR USER checks whether the user has the required authorization. In the background job itself, however, the current user should check the authorization again.
If the user name specified using
FOR USER has an external source (such as GUI input, an RFC interface, or a file), an attack can manipulate the user name in certain circumstances. In this way, this variant of the statement
AUTHORITY-CHECK can be misused to gain additional authorizations that the logged on user is not allowed to have. The addition
FOR USER can be used to specify a predefined/delivered user (such as DDDIC or SAP*), which can then be used in certain circumstances to gain administrative rights.
The function modules
AUTHORITY_CHECK and
SU_RAUTH_CHECK_FOR_USER offer similar options and can also be viewed as a potential source of hazards.
Procedure
Try to avoid using the addition
FOR USER with the statement
AUTHORITY-CHECK . The addition
FOR USER sy-uname or
FOR USER syst-uname in particular is usually not required. Instead, use the statement
AUTHORITY-CHECK without the addition
FOR USER. The same applies to the function modules
AUTHORITY_CHECK and
SU_RAUTH_CHECK_FOR_USER.
If an authorization check needs to be run for a user other than the logged on user, it is important to ensure that the user name specified for the addition
FOR USER cannot be manipulated externally (by making entries on the user interface, for example). Checks against an allow list can be a good way of verifying user names entered from outside. Request an
exemption for cases where the addition
FOR USER is essential and not just useful.
In the example above (authorization check before scheduling a background job for the user name to be used to run the job), it is important that you perform an authorization check yourself in the background job.
If you want to query the authorization for the user currently logged on locally in RFC calls of the function modules
AUTHORITY_CHECK and
SU_RAUTH_CHECK_FOR_USER, you should obtain the user name using a call of the method
cl_abap_syst=>get_user_name( ) and pass it to the function module. This method, however, still produces a security message (such as "Querying an authorization for a user presents a security risk."). Request an
exemption in this case.
All uses of the statement
AUTHORITY-CHECK with the addition
FOR USER are reported. Here, the source of the user name is not checked. Any allow list checks are ignored.
The local use of the function modules
AUTHORITY_CHECK and
SU_RAUTH_CHECK_FOR_USER is handled in a similar way, since they offer mainly the same functions.
AUTHORITY-CHECK for SY-UNAME - 1181
AUTHORITY-CHECK with addition
FOR USER sy-uname
The statement
AUTHORITY-CHECK is used together with the addition
FOR USER to check the authorization of the user specified by
FOR USER (and not for the logged on user). This is often a very sensible requirement.
It does not make any sense, however, to specify
FOR USER sy-uname or
FOR USER syst-uname.
If the function modules
AUTHORITY_CHECK and
SU_RAUTH_CHECK_FOR_USER are called, the situation is different. Local calls of these function modules are not a good idea, since the statement
AUTHORITY-CHECK is far quicker and produces the same result. In RFC calls of these functions, it is often a requirement to check the authorization for the same user ID as the logged on user in the local system. Here it is advisable to obtain the name of the user logged on locally using the method
cl_abap_syst=>get_user_name( ).
Procedure
Do not use the additions
FOR USER sy-uname or
FOR USER syst-uname in the statement
AUTHORITY-CHECK.
Replace the local calls of the function modules
AUTHORITY_CHECK and
SU_RAUTH_CHECK_FOR_USER by the statement
AUTHORITY-CHECK without the clause
FOR USER.
If you want to pass the user name of the user logged on locally for RFC calls of these function modules, use the method
cl_abap_syst=>get_user_name( ) to obtain the user name. However, you should note that this user name might be assigned to a different person in the called system.
The additions
FOR USER sy-uname and
FOR USER syst-uname are registered in the statement
AUTHORITY-CHECK.
Local calls of the function modules
AUTHORITY_CHECK and
SU_RAUTH_CHECK_FOR_USER produce a message when the user name
sy-uname or
syst-uname is specified.
The dynamic WHERE condition allows a potential code injection - 1190
Potential manipulation of the dynamic WHERE condition in an internal table
The dynamic WHERE clause makes it possible for attackers to inject additional conditions, joined using OR or AND, that modify the volume of data selected in unexpected ways. These conditions can also contain functional ABAP method calls.
Procedure
First check whether it is necessary to use the dynamic WHERE clause. Switching to a static WHERE clause provides a full solution to the security problem. If this is not possible, the input data must be checked appropriately before being used in the dynamic clause.
The documentation of the class
CL_ABAP_DYN_PRG explains how input data needs to be handled when constructing a dynamic WHERE clause.
The class CL_ABAP_DYN_PRG can be used to implement input checks as described in
Validation by Methods of CL_ABAP_DYN_PRG. (The individual methods in the class CL_ABAP_DYN_PRG became available in different Support Packages or SAP Notes. SAP Note
1852318 provides an overview of these methods.) In the case in question, the following methods of this class are viewed as sufficient by the automated check (if the RETURNING parameter of the method in question is used in further processing):
- ESCAPE_QUOTES
- ESCAPE_QUOTES_STR
- QUOTE
- QUOTE_STR
- CHECK_CHAR_LITERAL
- CHECK_STRING_LITERAL
- CHECK_INT_VALUE
- CHECK_VARIABLE_NAME
- CHECK_COLUMN_NAME
- CHECK_WHITELIST_STR
- CHECK_WHITELIST_TAB
Secure data sources can also be displayed using the report
RSLIN_SEC_DISPLAY_BADIS.
Performs a
local data flow analysis.
If a source code position is flagged and does not present a security problem and an input check or escape action (for example, using a method from CL_ABAP_DYN_PRG) is not appropriate, an
exemption should be requested in ATC.
Potentially missing authorization check in a report– 11A1
Authorization checks should be used to secure reports against being called by unauthorized users.
Procedure
Check whether an authorization check exists for this report and, if necessary, add a check at the start of the report. If the report is already being used or has been delivered, a switchable authorization check should be integrated using the method call
CL_SACF=>AUTH_CHECK_SPEC( ).
It is also possible to assign an authorization group to the report, in which case an authorization check does not need to be integrated and no message is displayed (if the group is entered in database table TPGP and hence valid). The authorization group can be entered in the attributes of the report.
If the source code position in question does not have any security problems and there is no point in modifying the source code, an exemption should be requested in ATC.
How is the check done?
The report is scanned for certain authorization checks and risky statements (see below), which entails the report code (including form routines, dynpro modules, functions calls, and method calls) being scanned.
These calls are traced recursively up to a maximum search depth of 10 compilation units. (This means that calls within a compilation unit are ignored.) Any authorization checks at a greater depth are not found.
If a program or a procedure, which does not belong to SAP_BASIS, calls a procedure from SAP_BASIS, then this call is not traced. (Reason: From a semantic perspective, authorization checks in SAP_BASIS have nothing to do with the required authorization check in the application.)
The following authorization checks are found:
- ABAP command: AUTHORITY-CHECK (without the addition FOR USER)
- Function call: CALL FUNCTION 'AUTHORITY_CHECK'
- Function call: CALL FUNCTION 'AUTHORITY_CHECK_TCODE'
- Function call: CALL FUNCTION 'AUTH_CHECK_TCODE'
- Function call CALL FUNCTION 'VIEW_AUTHORITY_CHECK'
- Method call: CALL METHOD CL_SACF=>AUTH_CHECK_SPEC
Authorization checks against authorization object
B_BUP_PCPT are ignored.
The system also searches for potentially dangerous statements. These include database access and file access in particular. If a statement like this is found before an authorization check, a message is displayed.
The following statements are classified as dangerous:
- DELETE from a database table (Open SQL), DELETE DATASET, DELETE DYNPRO, DELETE REPORT, DELETE TEXTPOOL, DELETE FROM DATABASE, DELETE FROM SHARED MEMORY, DELETE FROM SHARED BUFFER
- EXPORT TO DATABASE, EXPORT TO DATASET, EXPORT TO SHARED MEMORY, EXPORT TO SHARED BUFFER
- GENERATE SUBROUTINE POOL
- INSERT in a database table (Open SQL), INSERT REPORT, INSERT TEXTPOOL
- MODIFY in a database table (Open SQL), MODIFY LINE, MODIFY SCREEN
- SELECT from a database table not in the delivery class C, E, G, S, or W (Open SQL)
- TRANSFER
- TRUNCATE
- UPDATE
- WITH: Reads from a database table not in the delivery class C, E, G, S, or W (Open SQL)
Potentially missing authorization check in an RFC function module – 11A2
Authorization checks should be used to secure RFC function modules against being called by unauthorized users.
Procedure
Check whether an authorization check exists for this RFC function module and, if necessary, add a check at the start of the RFC function module. If the RFC function module is already being used or has been delivered, a switchable authorization check should be integrated using the method call
CL_SACF=>AUTH_CHECK_SPEC( ).
If the source code position in question does not have any security problems and there is no point in modifying the source code, an exemption should be requested in ATC.
How is the check done?
The RFC function module is scanned for certain authorization checks and risky statements (see below), which entails the function code (including form routines, dynpro modules, functions calls, and method calls) being scanned.
These calls are traced recursively up to a maximum search depth of 10 compilation units. (This means that calls within a compilation unit are ignored.) Any authorization checks at a greater depth are not found.
If a program or a procedure, which does not belong to SAP_BASIS, calls a procedure from SAP_BASIS, then this call is not traced. (Reason: From a semantic perspective, authorization checks in SAP_BASIS have nothing to do with the required authorization check in the application.)
The following authorization checks are found:
- ABAP command: AUTHORITY-CHECK without the addition FOR USER
- Function call: CALL FUNCTION 'AUTHORITY_CHECK'
- Function call: CALL FUNCTION 'AUTHORITY_CHECK_TCODE'
- Function call: CALL FUNCTION 'AUTH_CHECK_TCODE'
- Function call: CALL FUNCTION 'VIEW AUTHORITY CHECK'
- Method call: CALL METHOD CL_SACF=>AUTH_CHECK_SPEC
Authorization checks against authorization object
S_RFC are not accepted here since this authorization object is checked automatically against every RFC call.
Authorization checks against authorization object
B_BUP_PCPT are also not accepted.
The system also searches for potentially dangerous statements. These include database access and file access in particular. If a statement like this is found before an authorization check, a message is displayed.
The following statements are classified as dangerous:
- DELETE from a database table (Open SQL), DELETE DATASET, DELETE DYNPRO, DELETE REPORT, DELETE TEXTPOOL, DELETE FROM DATABASE, DELETE FROM SHARED MEMORY, DELETE FROM SHARED BUFFER
- EXPORT TO DATABASE, EXPORT TO DATASET, EXPORT TO SHARED MEMORY, EXPORT TO SHARED BUFFER
- GENERATE SUBROUTINE POOL
- INSERT in a database table (Open SQL), INSERT REPORT, INSERT TEXTPOOL
- MODIFY in a database table (Open SQL), MODIFY LINE, MODIFY SCREEN
- SELECT from a database table not in the delivery class C, E, G, S, or W (Open SQL)
- TRANSFER
- TRUNCATE
- UPDATE
- WITH: Reads from a database table not in the delivery class C, E, G, S, or W (Open SQL)
If the source code position in question does not have any security problems and there is no point in modifying the source code, an exemption should be requested in ATC.
Potentially missing authorization check in a BOR object – 11A3
Authorization checks should be used to secure BOR objects (Business Object Repository) against being called by unauthorized users.
Procedure
Check whether an authorization check exists for this BOR object and, if necessary, add a check at the start of the method. If the BOR object is already being used or has been delivered, a switchable authorization check should be integrated using the method call
CL_SACF=>AUTH_CHECK_SPEC( ).
If the source code position in question does not have any security problems and there is no point in modifying the source code, an exemption should be requested in ATC.
How is the check done?
Non-active BOR objects are not analyzed.
The
ExistenceCheck method of the BOR object is scanned for specific authorization checks, including the code of the method and its form routines, dynpro modules, function calls, and method calls.
These calls are traced recursively up to a maximum search depth of 10 compilation units. (This means that calls within a compilation unit are ignored.) Any authorization checks at a greater depth are not found.
If a program or a procedure, which does not belong to SAP_BASIS, calls a procedure from SAP_BASIS, then this call is not traced. (Reason: From a semantic perspective, authorization checks in SAP_BASIS have nothing to do with the required authorization check in the application.)
The following authorization checks are found:
- ABAP command: AUTHORITY-CHECK without the addition FOR USER
- Function call: CALL FUNCTION 'AUTHORITY_CHECK'
- Function call: CALL FUNCTION 'AUTHORITY_CHECK_TCODE'
- Function call: CALL FUNCTION 'AUTH_CHECK_TCODE'
- Function call: CALL FUNCTION 'VIEW AUTHORITY CHECK'
- Method call: CALL METHOD CL_SACF=>AUTH_CHECK_SPEC
Authorization checks against authorization object
B_BUP_PCPT are not accepted.
Unlike other checks for missing authorization checks (for example, in reports or RFC function modules) dangerous statements are not covered by this check. This means that missing authorization checks are also registered if no dangerous statement is found.
Use of command COMMUNICATION – 11C1
Statement COMMUNICATION used
The statement COMMUNICATION is based on a non-secure communication protocol. Neither this protocol nor the statement COMMUNICATION should be used any longer.
Procedure
Use a different communication protocol, such as RFC, instead of the existing code.
All places where the statement COMMUNICATION is used are detected.
If the source code position in question does not have any security problems and there is no point in modifying the source code, an
exemption should be requested in ATC.
Potential SQL injection – 11D1
Potential injection of malicious SQL statements or clauses
In the case in question, external data is injected into an SQL statement that is passed for execution by the database. This could enable potential attackers to gain unauthorized access to the SAP database of the system by making unexpected input. This is known as an
SQL injection.
Procedure
It is important that user input is not injected directly into the SQL statement. If it is necessary to create the SQL statement based on user input regardless of this, this input must be thoroughly checked beforehand.
The class CL_ABAP_DYN_PRG can be used to implement input checks as described in
Validation by Methods of CL_ABAP_DYN_PRG. (The individual methods in the class CL_ABAP_DYN_PRG became available in different Support Packages or SAP Notes. SAP Note
1852318 provides an overview of these methods.) In the case in question, the following methods of this class are viewed as sufficient by the automated check (if the RETURNING parameter of the method in question is used in further processing):
- ESCAPE_QUOTES
- QUOTE
- CHECK_CHAR_LITERAL
- CHECK_INT_VALUE
- CHECK_VARIABLE_NAME
- CHECK_COLUMN_NAME
- CHECK_TABLE_OR_VIEW_NAME_STR
- CHECK_TABLE_OR_VIEW_NAME_TAB
- CHECK_TABLE_NAME_STR
- CHECK_TABLE_NAME_TAB
- CHECK_WHITELIST_STR
- CHECK_WHITELIST_TAB
Secure data sources can also be displayed using the report
RSLIN_SEC_DISPLAY_BADIS.
Performs a
local data flow analysis.
If a source code position is flagged and does not present a security problem and an input check or escape action (for example, using a method from CL_ABAP_DYN_PRG) is not appropriate, an
exemption should be requested in ATC.
Missing content check during HTTP upload -11F1
Method IF_HTTP_REQUEST~GET_DATA( ) was called without parameter VSCAN_SCAN_ALWAYS.
In certain cases, this could lead to
Cross-Site-Scripting (XSS) via file upload (MIME sniffing). For more information, see the "SAP NetWeaver Security Guide" ("Network Services" -> "Preventing Cross-Site Scripting From Uploads").
Procedure
Method IF_HTTP_REQUEST~GET_DATA( ) should be called with parameter VSCAN_SCAN_ALWAYS set (see Note
1883929).
If the source code position in question does not have any security problems and there is no point in modifying the source code, an
exemption should be requested in ATC.
Calls of methods IF_HTTP_REQUEST~GET_DATA( ) and IF_HTTP_ENTITY~GET_DATA( ) without parameter VSCAN_SCAN_ALWAYS are reported.
See Also
"XSS Secure Programming Guide". SAP Note
1714836.
SAP Note
1693981.
Direct read access to critical database tables – 11G0
Read on sensitive database tables
A sensitive database table was read in a customer system.
These can be SAP tables (if not in the list of database tables registered as harmless).
These can also be all database tables registered as sensitive tables in the list.
Database tables can be registered as sensitive or harmless using the BAdI SLIN_BADI_DBTAB_ACCESS (see the
documentation).
Procedure
These database tables must not be accessed.
Write access to sensitive database tables – 11G1
Write on sensitive database tables
A write was performed on a sensitive database table in a customer system.
These can be SAP tables (if not in the list of database tables registered as harmless).
These can also be all database tables registered as sensitive tables in the list.
Database tables can be registered as sensitive or harmless using the BAdI SLIN_BADI_DBTAB_ACCESS (see the
documentation).
Procedure
These database tables must not be accessed.
Hard-coded password – 11K1
A method or function was called with a hard coded password. This is a possible indication, for example, that a user or an RFC destination exists in the system with logon data from the source code.
Example
CALL FUNCTION 'BAPI_USER_CREATE1' EXPORTING USERNAME = 'USER1' PASSWORD =
'Abcd1234' ...
Procedure
Verify that the hard coded password is necessary and, if possible, stop using the hard coded value.
The check does not return a message in the following cases:
- The password comes from user input.
- The password is from the database.
- The password was generated, for example using the function SUSR_GENERATE_PASSWORD. Some APIs, such as BAPI_USER_CREATE1, return a generated password when a user is created.
All method calls and function calls are logged in which a password-relevant IMPORTING CHANGING parameter has a hard coded value. A parameter is password-relevant if it follows a particular naming convention.
If the source code position in question does not have any security problems and there is no point in modifying the source code, an
exemption should be requested in ATC.
Field with hard coded password - 11K2
A variable or constant with a hard coded password exists. This is a possible indication, for example, that a user or an RFC destination exists in the system with logon data from the source code.
Example
FUNCTION 'GET_USER_PASSWORD'
*"--------------------------------------
*"*"Local Interface:
*" EXPORTING
*" VALUE(EV_PASSWORD) TYPE STRING
*"---------------------------------------
EV_PASSWORD = 'Abcd1234'
ENDFUNCTION.
Procedure
Verify that the hard coded password is necessary and, if possible, stop using the hard coded value.
The check does not return a message in the following cases:
•The password comes from user input.
•The password is from the database.
•The password was generated, for example using the function SUSR_GENERATE_PASSWORD.
If the source code position in question does not have any security problems and there is no point in modifying the source code, an exemption should be requested in ATC.
All password-relevant fields that have a hard-coded value are reported. A field is a password-relevant field if it follows a specific naming convention or has a specific type.
Field with Base64-encoded password - 11K3
There is a variable with a Base64-encoded password. This can be an indication that the password was not sent or saved securely.
Example
L_ENCRYPTED_PASSWORD = CL_HTTP_UTILITY=>ENCODE_BASE64( I_PASSWORD ).
Procedure
Do not use Base64 as the encryption algorithm. Base64 encodes and does not encrypt. If possible, use the default methods for authentication and saving passwords.
If the source code position in question does not have any security problems and there is no point in modifying the source code, an exemption should be requested in ATC.
All Base64-encoded password-relevant fields are highlighted. A field is a password-relevant field if it follows a specific naming convention or has a specific type.
The following Base64 encoding APIs are analyzed:
CL_HTTP_UTILITY=>ENCODE_BASE64
CL_HTTP_UTILITY=>ENCODE_X_BASE64
SSFC_BASE64_ENCODE
Potential valid invalidation using the class CL_ABAP_DYN_PRG - 11N1
The class
CL_ABAP_DYN_PRG can be used to implement input checks as described in Validation by Methods of
CL_ABAP_DYN_PRG. In this case, the validation may have no effect and may therefore be invalid.
Example
" - Incorrect validation
TRY.
tab_name =
cl_abap_dyn_prg=>check_table_or_view_name_str(
val = tab_name
packages = 'SABAPDEMOS' ).
CATCH cx_abap_not_a_table cx_abap_not_in_package.
"TODO...
ENDTRY.
SELECT SINGLE name FROM (tab_name) INTO lv_custname
WHERE id = '22'.
Procedure
Note the following notes for the selected elements:
- React appropriately to validation errors by handling the corresponding exception.
- Do not use the same variable as an argument for EXPORTING and RETURNING parameters. Only use the RETURNING value in further processing. This ensures that an unchecked entry cannot be processed further.
Example
TRY.
" - Correct validation
tab_name_checked
= cl_abap_dyn_prg=>check_table_or_view_name_str(
val = tab_name
packages = 'SABAPDEMOS' ).
CATCH cx_abap_not_a_table.
MESSAGE 'Table is not allowed' TYPE 'E'.
CATCH cx_abap_not_in_package.
MESSAGE 'Table is not in package' TYPE 'E'.
ENDTRY.
SELECT SINGLE name FROM (tab_name_checked) INTO lv_custname
WHERE id = '22'.
If the source code position in question does not have any security problems and there is no point in modifying the source code, an exemption should be requested in ATC.
How is the check done?
All method calls of
CL_ABAP_DYN_PRG are analyzed and any suspicious calls are reported.
Potential valid invalidation (tautological value check) with class CL_ABAP_DYN_PRG - 11N3
The class
CL_ABAP_DYN_PRG can be used to implement input checks as described in
Validation by Methods of CL_ABAP_DYN_PRG. The following methods can be used to check the input value against a list of allowed values:
In this case, the validation may have no effect and may therefore be invalid because the list of permitted values was probably derived from the value to be checked or is empty.
Example
" Incorrect validation (Tautological AllowList)
allow_list = tab_name.
tab_name =
cl_abap_dyn_prg=>check_whitelist_str( val = tab_name
whitelist = allow_list ).
SELECT SINGLE name FROM (tab_name) INTO lv_custname
WHERE id = '22'.
Procedure
Note the following notes for the selected elements:
- The list of allowed values must not be derived from the value to be checked (tautological case).
- If possible, use other validation methods from the class CL_ABAP_DYN_PRG instead of the methods CHECK_WHITELIST_STR, CHECK_WHITELIST_TAB, MASS_CHECK_WHITELIST_TAB and MASS_CHECK_WHITELIST_STR.
- React appropriately to validation errors by handling the corresponding exception.
- Do not use the same variable as an argument for EXPORTING and RETURNING parameters. Only use the RETURNING value in further processing. This ensures that an unchecked entry cannot be processed further. If exception handling is missing at the same time, an entry could otherwise be processed further even if the value to be checked is not contained in the list of permitted values.
Example
TRY.
" Correct validation with CHECK_WHITELIST_STR
allow_list = cl_some_class=>get_allowed_tables( ).
tab_name_checked =
cl_abap_dyn_prg=>check_whitelist_str( val = tab_name
whitelist = allow_list ).
CATCH cx_abap_not_in_whitelist.
MESSAGE 'Table not allowed' TYPE 'E'.
ENDTRY.
" Or Correct validation with another method
TRY.
tab_name_checked
= cl_abap_dyn_prg=>check_table_or_view_name_str(
val = tab_name
packages = 'SABAPDEMOS' ).
CATCH cx_abap_not_a_table.
MESSAGE 'Table is not allowed' TYPE 'E'.
CATCH cx_abap_not_in_package.
MESSAGE 'Table is not in package' TYPE 'E'.
ENDTRY.
SELECT SINGLE name FROM (tab_name_checked) INTO lv_custname
WHERE id = '22'.
If the source code position in question does not have any security problems and there is no point in modifying the source code, an
exemption should be requested in ATC.
How is the check done?
All method calls of
CL_ABAP_DYN_PRG are analyzed and any suspicious calls are reported.
Open URL redirect – 11P1
Potential Unvalidated URL Redirect
In the case in question, external data from an HTTP request (such as URL parameters or HTML form fields) is used as a source for URL redirect, or the data is used to create an HTTP Header with dynamic field names. This makes it possible for attackers to redirect victims to other websites. These cases are known as
unvalidated URL redirects.
Example
It is important to differentiate between the following two cases:
DATA RESPONSE TYPE REF TO IF_HTTP_RESPONSE. ... RESPONSE->REDIRECT( LV_URL ). RESPONSE->SET_HEADER_FIELD( NAME = 'LOCATION' VALUE = LV_URL ). RESPONSE->SET_HEADER_FIELD( NAME = 'REFRESH' VALUE = LV_URL ).
2. Call of IF_HTTP_RESPONSE~SET_HEADER_FIELDS or SET_HEADER_FIELD with dynamic HTTP Header field names |
RESPONSE->SET_HEADER_FIELD( NAME = LV_NAME VALUE = LV_URL ). RESPONSE->SET_HEADER_FIELDS( FIELDS = LT_HTTPNVP_TAB ).
Procedure
URL redirect API call
It is first necessary to check whether URL redirects by URL destination can be avoided by user input. If this is not possible, the input data should be checked via an allow list before being used in HTTP redirects.
In this case, the automated check views the allow list method
CL_HTTP_UTILITY=>CHECK_HTTP_WHITELIST, with a corresponding
ENTRY_TYPE (for example,
99 – Generic Redirect), as sufficient, if the
RETURNING parameter of the method is used for further processing.
This method is provided in support packages or correction instructions (see SAP Note
2189853).
SET_HEADER_FIELDS or SET_HEADER_FIELD with dynamic HTTP Header field names
In this case, the automatic check cannot estimate whether the call with dynamic field names will result in a URL redirect. Therefore, you should check whether
SET_HEADER_FIELDS or
SET_HEADER_FIELD with dynamic fields can be avoided. If this is not possible, you should apply for an exemption in ATC.
A
local data flow analysis is performed.
If the source code position in question does not have any security problems and there is no point in modifying the source code, an
exemption should be requested in ATC.
Potential Reverse Tabnabbing – 11R1
Reverse tabnabbing indicates attacks in which a linked page can overwrite the original page, for example, by replacing it with a phishing page. The user saw the correct page which means that he or she may not noticed that the page was switched. If the user enters confidential data on the switched page, they are sent to the phishing page and not to the original page.
See
https://owasp.org/www-community/attacks/Reverse_Tabnabbing
Example
- Code on vulnerable page:
<a href="
https://bad_evil.com" target="_blank">HTML Link </ a>
<button onclick="window.open('
https://bad_evil.com')">
Vulnerable target using javascript
</button>
- Code on malicious page:
<script>
if (window.opener) {
window.opener.location = "
https://phish.bad_evil.com";
}
</script>
Procedure
In the case of HTML links, add the attribute
rel = "noopener noreferrer" to each link.
In the case of JavaScript, use the function
window.open with
'noopener, noreferrer'
If the source code position in question does not have any security problems and there is no point in modifying the source code, an
exemption should be requested in ATC.
How is the check done?
The check analyzes character literals in the ABAP source code that contain
'TARGET="_BLANK"' or
'WINDOW.OPEN'. An error occurs if
'NOOPENER NOREFERRER' is not found in the same statement.
The BSP application is not protected against XSRF - 11RF
The BSP application is not protected against cross-site request forgeries (XSRF).
Procedure
Select the "XSRF protection" checkbox for the BSP application.
If the place in question is not a security risk (Public BSP, has its own XSRF protection), apply for an
exemption in ATC.
Hard-coded host name – 11S1
Hard-coded host name, possibly from forgotten test code or an indication of a back door
Host name queries in ABAP indicate security problems. Host-specific code often presents a back door for attackers.
Procedure
Check whether the host name query could possibly indicate a back door. Remove these back doors.
Remove any host-specific code that is not required to run the program.
Some applications cases require host-specific code. However, there is currently no method of detecting these code sections and excluding them from the checks.
Check whether suitable customizing or a suitable API could help to apply distinct behavior to individual hosts in these cases.
All occurrences are reported in which the current host name from the system fields
SY-HOST and
SYST-HOST or from the call of
CL_ABAP_SYST=>GET_HOST_NAME( ) is compared with a fixed value. To do this, it views the logical condition of the predefined functions
BOOLC or
BOOLX and the following statements:
- IF, ELSEIF
- CASE, WHEN
- CHECK
- ASSERT
If the source code position in question does not have any security problems and there is no point in modifying the source code, an
exemption should be requested in ATC.
Hard-coded system ID – 11S2
Hard-coded system ID, possibly from forgotten test code or an indication of a back door
System ID queries in ABAP indicate security problems. System-specific code often presents a back door for attackers.
Procedure
Check whether the system ID query could possibly indicate a back door. Remove these back doors.
Remove any system-specific code that is not required to run the program.
Some applications cases require system-specific code. However, there is currently no method of detecting these code sections and excluding them from the checks.
Check whether suitable customizing or a suitable API could help to apply distinct behavior to individual systems in these cases.
All occurrences are reported in which the current system ID from the system fields
SY-SYSID and
SYST-SYSID are compared with a fixed value. To do this, it views the logical condition of the predefined functions
BOOLC or
BOOLX and the following statements:
- IF, ELSEIF
- CASE, WHEN
- CHECK
- ASSERT
If the source code position in question does not have any security problems and there is no point in modifying the source code, an
exemption should be requested in ATC.
Hard-coded client – 11S3
Hard-coded client from forgotten test Code or that could indicate a back door.
Client queries in ABAP indicate security problems. Client-specific code often presents a back door for attackers.
Procedure
Check whether the client number query could possibly indicate a back door. Remove any back doors.
Remove any client-dependent code that is not required to run the program.
Some applications cases require client-specific code. However, there is currently no method of detecting these code sections and excluding them from the checks.
Check whether suitable customizing or a suitable API could help to apply distinct behavior to individual clients in these cases.
All occurrences are reported in which the current client from the system fields
SY-MANDT and
SYST-MANDT or from the call of
CL_ABAP_SYST=>GET_CLIENT( ) is compared with a fixed value. To do this, it views the logical condition of the predefined functions
BOOLC or
BOOLX and the following statements:
- IF, ELSEIF
- CASE, WHEN
- CHECK
- ASSERT
If the source code position in question does not have any security problems and there is no point in modifying the source code, an
exemption should be requested in ATC.
Comparison of a specific registered system variable with a fixed value – 11S4
System variable compared with a hard-coded value from forgotten test code or that could indicate a back door
A comparison between one or more registered system variables and a hard-coded value indicates a security problem, since the code dependent on these system variables could be a back door.
Procedure
Check whether the system variable query could possibly indicate a back door. Remove these back doors.
Remove any code dependent on these system variables that is not required to run the program.
Some application cases require code dependent on these system variables. However, there is currently no method of detecting these code sections and excluding them from the checks.
Check whether suitable customizing or a suitable API could help to apply distinct behavior in these cases, depending on the registered system variables.
The system variables in question were registered using the BAdI
SLIN_BADI_SEC_BACKDOOR as described in the
documentation.
All occurrences are reported in which the registered system variables from the system structures
SY and
SYST are compared with a fixed value. To do this, it views the logical condition of the predefined functions
BOOLC or
BOOLX and the following statements:
- IF, ELSEIF
- CASE, WHEN
- CHECK
- ASSERT
If the source code position in question does not have any security problems and there is no point in modifying the source code, an
exemption should be requested in ATC.
Undocumented profile parameter used – 11SP
Using undocumented profile parameters indicates a security problem, a potential back door.
Procedure
Use only documented profile parameters.
How is the check done?
All usages of profile parameters for which there is no documentation in transaction
RZ11 are reported.