Today’s post is the last in the series of articles about XSS vulnerabilities in SAP systems. The previous parts describe how to prevent XSS in SAP NetWeaver ABAP and SAP NetWeaver J2EE.

XSS is one of the most popular vulnerabilities and its effect can range from a petty nuisance to a significant cybersecurity risk, depending on the sensitivity of the data. In SAP products, 628 XSS vulnerabilities were discovered that is almost 22% of all vulnerabilities found in SAP in 12 years.

From the developer’s perspective

There are several rules of protecting SAP HANA using SAP UI5 framework.

  • Validation of typed control properties – SAPUI5 core validates the value of properties set by the application against the type of the property. This guarantees that an int is always an int, and a sap.ui.core/CSSSize is a string representing a CSS size and does not contain a script tag. This also applies to enumerations and control IDs. The control renderer can rely on this check when writing the HTML.
  • Escaping – use helper methods to escape the value of a string property that is written to the HTML:
    • Use writeEscaped(oControl.getSomeStringProperty()) instead of just write(…) for writing plainly to the HTML.
    • Use writeAttributeEscaped(“someHtmlProperty”, oControl.getSomeStringProperty()) instead of just writeAttribute(…) for writing attributes.
    • Use for string properties where none of the other two options is possible to escape the string and then process it further.

From the administrator’s perspective

The administrator has to set the following parameters to improve security:

  • sessiontimeout = 900. Enable session timeout to minimize potential attack window.
  • HttpOnly cookie is enabled by Default.

From incident response perspective

To be able to identify the real attack happened because of the XSS vulnerability and also from some other web-based vulnerabilities, it is recommended to configure the following parameters.

  • To monitor all HTTP(s) requests processed in an SAP HANA system, you can set up the internal Web Dispatcher to write a standardized HTTP log for each request. To configure the Web Dispatcher to log all HTTP(s) requests, you add the property icm/http/logging _ 0:
    • set LOGFILE value to path_to_file Securing SAP Systems from XSS Vulnerabilities
    • Sеt PREFIX value to “/”. If URL prefix=”/” (root directory), or empty which means that all HTTP requests will be logged. If prefix value equal “/Directory”, the server will log only requests which call “/Directory” directory and subsequent.
    • Set FILEWRAP value to off. Old log files will be saved for future analysis.
  • global _ auditing _ state = true. The following configuration parameter for auditing is stored in global.ini, in the section auditing configuration. This can help you to log additional information such as logon’s logoffs and database requests which can be relevant for investigating XSS Attacks. You can find this configuration in SAP HANA Administration Console –> Security HDB –> Auditing Status menu.