Intro
This document is intended for Information Security Officers who are planning to use, or are already using, SAP NetWeaver platforms for extending their SAPUI5 applications. It covers the most common vulnerability classes described in the OWASP Top Ten (2017) list.
A1:2017 – Injection
- The SAP application API is built on the OData protocol (originally defined by Microsoft), which specifies the structures used within HTTP requests. Unmapped information that was not defined in SEGW (the Gateway Service Builder) or the data mapping tools is not processed by the SAP NetWeaver platform / SAP Gateway Foundation components.
- SAP NetWeaver Gateway uses an XML parser engine that rejects incorrect or inconsistent structures, i.e. server-side whitelist validation.
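As an added illustration (not SAP's own code), the following Python script shows what server-side whitelist validation against the OData model means in practice: it reads a constructed $metadata (EDMX) fragment for a hypothetical entity type ZDEMO_SRV.SalesOrder and rejects any request body that carries undeclared properties, lacks a key property, or holds values that do not fit the declared EDM types. The metadata, entity name and request bodies are constructed for this example; in an SAP system the equivalent check happens inside the Gateway framework before the back end sees the data.

```python
import json
import re
import xml.etree.ElementTree as ET

# Constructed $metadata (EDMX) fragment for a hypothetical entity type; a real
# SEGW-generated document is larger but declares properties the same way.
METADATA = """<edmx:Edmx xmlns:edmx="http://schemas.microsoft.com/ado/2007/06/edmx" Version="1.0">
  <edmx:DataServices>
    <Schema xmlns="http://schemas.microsoft.com/ado/2008/09/edm" Namespace="ZDEMO_SRV">
      <EntityType Name="SalesOrder">
        <Key><PropertyRef Name="OrderId"/></Key>
        <Property Name="OrderId" Type="Edm.String" Nullable="false" MaxLength="10"/>
        <Property Name="Amount" Type="Edm.Decimal" Precision="15" Scale="2"/>
        <Property Name="Items" Type="Edm.Int32"/>
      </EntityType>
    </Schema>
  </edmx:DataServices>
</edmx:Edmx>"""

EDM = "{http://schemas.microsoft.com/ado/2008/09/edm}"


def load_entity_types(edmx_text):
    """Build {entity_name: {"keys": [...], "properties": {name: spec}}} from $metadata."""
    root = ET.fromstring(edmx_text)
    model = {}
    for entity in root.iter(EDM + "EntityType"):
        props = {}
        for prop in entity.findall(EDM + "Property"):
            props[prop.get("Name")] = {
                "type": prop.get("Type"),
                "nullable": prop.get("Nullable", "true") == "true",
                "maxlength": int(prop.get("MaxLength")) if prop.get("MaxLength") else None,
                "scale": int(prop.get("Scale")) if prop.get("Scale") else None,
            }
        keys = [k.get("Name") for k in entity.findall(EDM + "Key/" + EDM + "PropertyRef")]
        model[entity.get("Name")] = {"keys": keys, "properties": props}
    return model


def _check_value(name, value, spec):
    """Return an error string if value does not fit the declared EDM type, else None."""
    edm_type = spec["type"]
    if value is None:
        return None if spec["nullable"] else f"{name}: null not allowed"
    if edm_type == "Edm.String":
        if not isinstance(value, str):
            return f"{name}: expected a string"
        if spec["maxlength"] is not None and len(value) > spec["maxlength"]:
            return f"{name}: longer than MaxLength {spec['maxlength']}"
    elif edm_type == "Edm.Int32":
        if isinstance(value, bool) or not isinstance(value, int):
            return f"{name}: expected an integer"
        if not -2**31 <= value < 2**31:
            return f"{name}: outside Int32 range"
    elif edm_type == "Edm.Decimal":
        # OData V2 JSON carries Edm.Decimal as a string such as "1234.50".
        if not isinstance(value, str) or not re.fullmatch(r"-?\d+(\.\d+)?", value):
            return f"{name}: expected a decimal string"
        scale = len(value.split(".")[1]) if "." in value else 0
        if spec["scale"] is not None and scale > spec["scale"]:
            return f"{name}: more than Scale {spec['scale']} decimal places"
    else:
        return f"{name}: type {edm_type} not handled by this example"
    return None


def validate_payload(body_text, entity_name, model):
    """Whitelist-validate a JSON request body against one entity type.

    Returns (accepted, errors): accepted is the cleaned dict on success, None otherwise.
    Properties absent from the model are rejected rather than passed on to the back end."""
    entity = model[entity_name]
    try:
        body = json.loads(body_text)
    except json.JSONDecodeError as exc:
        return None, [f"malformed JSON: {exc.msg}"]
    if not isinstance(body, dict):
        return None, ["request body must be a JSON object"]
    # "__metadata" is framework bookkeeping in OData V2 payloads, not an entity property.
    body = {k: v for k, v in body.items() if k != "__metadata"}
    errors = [f"{n}: not a property of {entity_name}"
              for n in sorted(set(body) - set(entity["properties"]))]
    errors += [f"{k}: key property missing" for k in entity["keys"] if k not in body]
    for name, value in body.items():
        if name in entity["properties"]:
            err = _check_value(name, value, entity["properties"][name])
            if err:
                errors.append(err)
    return (body, []) if not errors else (None, errors)


MODEL = load_entity_types(METADATA)

if __name__ == "__main__":
    # Constructed request bodies: one conforming, one carrying an undeclared property.
    for sample in ('{"OrderId": "4500001", "Amount": "1234.50", "Items": 3}',
                   '{"OrderId": "4500001", "Amount": "1234.505", "Items": "3", "Extra": "x"}'):
        print(validate_payload(sample, "SalesOrder", MODEL))
```

The design point is that the model, not the request, decides what is accepted: anything outside the declared property set is an error, so an extra field can never reach a back-end function module by accident.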
A2:2017 – Broken Authentication
- The recommended architecture includes a Web Application Firewall (F5) with built-in session management, multi-factor authentication, SSO to SAP Portal and SSO to SAP NetWeaver Gateway, which is connected to the SAP ECC back-end system through trust-enabled RFC connections.
- User credentials are not passed through non-standard authentication layers.
- Password length, complexity and logoff policies are managed on the WAF (F5) side.
- SAP NetWeaver Gateway uses the standard SAP session management mechanisms.
A3:2017 – Sensitive Data Exposure
- All data access authorization is managed by the standard SAP ECC authorizations.
- The web application itself does not store any data on the client side; once the user session is closed, the data is discarded on the browser side.
- All data in transit is encrypted with SSL/TLS.
- Authentication data (such as passwords) is stored in the SAP systems and encrypted with the standard SAP mechanisms.
A4:2017 – XML External Entities (XXE)
The XML parser embedded in SAP NetWeaver Gateway does not process referenced (external) entities passed within the API calls made by UI5 applications.
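As an added example, not the Gateway's own parser code, the Python function below shows what "not processing external entities" has to mean for a parser that accepts API payloads: it hooks the standard-library expat parser so that an external DTD reference, any entity declaration and any external entity reference are refused before anything is resolved, and it returns a plain tree only for documents that pass. The sample documents, the file path and the DTD URL are constructed placeholders.

```python
import xml.parsers.expat as expat


class UnsafeXML(ValueError):
    """Raised when a document uses DTD features that could enable XXE or entity expansion."""


def parse_untrusted_xml(text):
    """Parse XML from an API caller without resolving any entity.

    Returns the root element as {"tag", "attrs", "text", "children"}.
    Three expat hooks refuse the dangerous constructs before anything is resolved:
    an external DTD subset, any <!ENTITY> declaration, and any external entity reference."""
    parser = expat.ParserCreate()
    # Never expand parameter entities (this also keeps external DTDs from being loaded).
    parser.SetParamEntityParsing(expat.XML_PARAM_ENTITY_PARSING_NEVER)

    def start_doctype(name, sysid, pubid, has_internal_subset):
        if sysid is not None or pubid is not None:
            raise UnsafeXML(f"DOCTYPE {name!r} references an external DTD ({sysid!r})")

    def entity_decl(name, is_param, value, base, sysid, pubid, notation):
        # Internal entities are refused too: nested expansions are a denial-of-service vector.
        raise UnsafeXML(f"entity declaration {name!r} is not accepted in API payloads")

    def external_ref(context, base, sysid, pubid):
        raise UnsafeXML(f"external entity reference {sysid!r} refused")

    root = {"tag": None, "attrs": {}, "text": "", "children": []}
    stack = [root]

    def start_element(name, attrs):
        node = {"tag": name, "attrs": attrs, "text": "", "children": []}
        stack[-1]["children"].append(node)
        stack.append(node)

    def end_element(name):
        stack.pop()

    def character_data(data):
        stack[-1]["text"] += data

    parser.StartDoctypeDeclHandler = start_doctype
    parser.EntityDeclHandler = entity_decl
    parser.ExternalEntityRefHandler = external_ref
    parser.StartElementHandler = start_element
    parser.EndElementHandler = end_element
    parser.CharacterDataHandler = character_data
    parser.Parse(text, True)
    return root["children"][0]


# Constructed samples: one ordinary payload and three that a hardened parser must refuse.
SAMPLES = {
    "plain": '<Order Id="4500001"><Customer>C001</Customer></Order>',
    "external_entity": '<!DOCTYPE Order [<!ENTITY ext SYSTEM "file:///example/secret.txt">]>'
                       '<Order><Customer>&ext;</Customer></Order>',
    "external_dtd": '<!DOCTYPE Order SYSTEM "http://example.invalid/order.dtd"><Order/>',
    "expansion": '<!DOCTYPE Order [<!ENTITY a "aaaa"><!ENTITY b "&a;&a;&a;&a;">]>'
                 '<Order>&b;</Order>',
}


def check_samples(samples=SAMPLES):
    """Return {name: "accepted" | "rejected: <reason>"} for each sample document."""
    results = {}
    for name, doc in samples.items():
        try:
            parse_untrusted_xml(doc)
            results[name] = "accepted"
        except UnsafeXML as exc:
            results[name] = f"rejected: {exc}"
        except expat.ExpatError as exc:
            results[name] = f"rejected: malformed ({exc})"
    return results


if __name__ == "__main__":
    for name, outcome in check_samples().items():
        print(f"{name:17s} {outcome}")
```

Refusing at declaration time, rather than at the point of reference, is the safer order: the parser never gets as far as deciding whether to fetch anything, and an internal-entity expansion bomb is caught by the same hook.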
A5:2017 – Broken Access Control
Access control is managed on multiple layers:
- WAF (F5) URL whitelist and profiling
- SAP SICF access list (node enablement)
- File system access is disabled through SAP NetWeaver Gateway