Securing SAP Systems from XSS vulnerabilities Part 4: Defense for SAP HANA XS

Today’s post is the last in the series of articles about XSS vulnerabilities in SAP systems. The previous parts describe how to prevent XSS in SAP NetWeaver ABAP and SAP NetWeaver J2EE.

XSS is one of the most popular vulnerabilities and its effect can range from a petty nuisance to a significant security risk, depending on the sensitivity of the data. In SAP products, 628 XSS vulnerabilities were discovered that is almost 22% of all vulnerabilities found in SAP in 12 years.

From the developer’s perspective

There are several rules of protecting SAP HANA using SAP UI5 framework.

  • Validation of typed control properties - SAPUI5 core validates the value of properties set by the application against the type of the property. This guarantees that an int is always an int, and a sap.ui.core/CSSSize is a string representing a CSS size and does not contain a script tag. This also applies to enumerations and control IDs. The control renderer can rely on this check when writing the HTML.
  • Escaping - use helper methods to escape the value of a string property that is written to the HTML:
    • Use writeEscaped(oControl.getSomeStringProperty()) instead of just write(...) for writing plainly to the HTML.
    • Use writeAttributeEscaped(“someHtmlProperty”, oControl.getSomeStringProperty()) instead of just writeAttribute(...) for writing attributes.
    • Use for string properties where none of the other two options is possible to escape the string and then process it further.

From the administrator’s perspective

The administrator has to set the following parameters to improve security:

  • sessiontimeout = 900. Enable session timeout to minimize potential attack window.
  • HttpOnly cookie is enabled by Default.

From incident response perspective

To be able to identify the real attack happened because of the XSS vulnerability and also from some other web-based vulnerabilities, it is recommended to configure the following parameters.

  • To monitor all HTTP(s) requests processed in a SAP HANA system, you can set up the internal Web Dispatcher to write a standardized HTTP log for each request. To configure the Web Dispatcher to log all HTTP(s) requests, you add the property icm/http/logging _ 0:
    • set LOGFILE value to path_to_file Securing SAP Systems from XSS Vulnerabilities
    • Sеt PREFIX value to “/”. If URL prefix=”/” (root directory), or empty which means that all HTTP requests will be logged. If prefix value equal “/Directory”, the server will log only requests which call “/Directory” directory and subsequent.
    • Set FILEWRAP value to off. Old log files will be saved for future analysis.
  • global _ auditing _ state = true. The following configuration parameter for auditing is stored in global.ini, in the section auditing configuration. This can help you to log additional information such as logon’s logoffs and database requests which can be relevant for investigating XSS Attacks. You can find this configuration in SAP HANA Administration Console –> Security HDB –> Auditing Status menu.

Views: 308

Join the Discussion ...

You need to be a member of CISO Platform to join the discussion!

Join CISO Platform



CISO as an enabler

Started by Maheshkumar Vagadiya Jul 30. 0 Replies

Share the instances where you were able to convince the Executive management /board that CISO function is enabler rather then a hindrance.Thanks youMaheshContinue

Has Anyone Evaluated Digital Signature (like Docusign)?

Started by CISO Platform. Last reply by SACHIN BP SHETTY Apr 24. 1 Reply

(question posted on behalf of a CISO member)Has anyone evaluated digital signature (like Docusign), any specific risk/ security areas to be looked into while finalising a vendor? Any and all inputs will be very much appreciated.Continue

What are your strategies for using Zoom in your organization after recent vulnerabilities in news about Zoom platform?

Started by CISO Platform. Last reply by ANAND SHRIMALI May 20. 4 Replies

(question posted on behalf of a CISO member)What are your strategies for using Zoom in your organization after recent vulnerabilities in news about Zoom platform?Related Question: …Continue

[Please Suggest] Corona Virus: Security advisory for work from home

Started by CISO Platform. Last reply by Bhushan Deo Mar 20. 12 Replies

(question posted on behalf of a CISO member)Due to CORONA virus most of the organizations are allowing their employees to work form home.Has any one issued security advisory for work from home ?Continue

Tags: #COVID19

Follow us

Contact Us


Mobile: +91 99002 62585

InfoSec Media Private Limited,First Floor,# 48,Dr DV Gundappa Road, Basavanagudi,Bangalore,Karnataka - 560004

© 2020   Created by CISO Platform.   Powered by

Badges  |  Report an Issue  |  Privacy Policy  |  Terms of Service