alterno logo 2024_Negative (1)


This document is intended for use by Information Security Officers that are planning to use \ using SAP NetWeaver platforms for extending their SAPUI5 applications. It covers the most popular vulnerabilities described in OWASP Top Ten (2017) manifest.

A1:2017 – Injection

  • SAP application API is built upon Microsoft-based ODATA protocol, which defines the structures used within HTTP requests. Adding unmapped information that was not defined within SEGW / data mapping tools will not be processed by SAP NetWeaver platform / SAP Gateway Foundation components.
  • SAP NetWeaver Gateway utilises XML parser engine that is blocking incorrect / inconsistent structures – server-site whitelist validation.


A2:2017 – Broken Authentication

  • Recommended architecture includes Web Application Firewall (F5) built-in session management, multi-factor authentication, SSO to SAP Portal and SSO to SAP NetWeaver Gateway, which is connected to SAP ECC back end system with trust-enabled RFC connections.
  • User credentials are not passed through non-standard authentication layers.
  • Password length, complexity and logoff policies are managed on WAF (F5) side.
  • SAP NetWeaver Gateway utilizes standard SAP-based session management mechanisms.


A3:2017 – Sensitive Data Exposure

  • All data access authorization is managed by SAP ECC standard authorizations.
  • The web app itself is not storing any data on client side. Once user session is closed data is destroyed on browser side.
  • All data is encrypted with SSL.
  • Authentication data (such as passwords) is stored in SAP systems and encrypted with SAP standard mechanisms.


A4:2017 – XML External Entities (XXE)

XML parser embedded within SAP NetWeaver Gateway is not processing referenced (external) entities passed within the API calls performed by UI5 applications.


A5:2017 – Broken Access Control

Access control is managed on multiple layers:


  • WAF (F5) URL whitelist & profiling
  • SAP SICF access list (node enablement)
  • File system access is disabled through SAP NetWeaver Gateway

We hope material above will help you coping with information security officers while you aim to expose your UI5 application to the outer world.

Contact us for further questions.

See you in next part of this article.

Any questions?

Just write us a message!

Fill out the form and we will be in touch as soon as possible!