alterno logo 2024_Negative (1)

Securing SAPUI5 applications – Part 2


Dear followers, this articles continues to cover Information Security aspects for your plans to use SAP NetWeaver platforms to expose your SAPUI5 applications. It covers the most popular vulnerabilities described in OWASP Top Ten (2017) manifest.

A6:2017 – Security Misconfiguration

SAP environments are maintained by SAP BASIS team, which is constantly implementing security notes & patches to ensure the hardening of SAP environments. Security notes are implemented from time to time to make sure systems are secured.

A7:2017 – Cross-Site Scripting (XSS)

Cross-site scripting is protected by CSRF token (built-in SAP standard mechanism to support HTTP request validations). Read more…

A8:2017 – Insecure Deserialization

  • The only safe architectural pattern is not to accept serialized objects from untrusted sources or to use serialization mediums that only permit primitive data types.
  • Back end API is structured with primitive data defined by ODATA consortium (EDM types)
  • API calls are accepted only from trusted sources managed by the F5 appliance

A9:2017 – Using Components with Known Vulnerabilities

Front end application utilizes several components:

  • SAP-delivered UI libraries (SAPUI5)
  • GIS-delivered map JS libraries


SAPUI5 framework version is being upgraded from time to time to ensure activation of latest security features, and is controlled internally by BASIS team.

A10:2017 – Insufficient Logging & Monitoring

SAP NetWeaver Gateway provides monitoring capabilities on multiple layers:

  • Incoming HTTP traffic logging on ICM level
  • API call logging on SAP NetWeaver Gateway
  • SAP System logs on SAP NetWeaver Gateway
  • SAP System logs on SAP ECC

We hope material above will help you coping with information security officers while you aim to expose your UI5 application to the outer world.

Contact us for further questions.

Any questions?

Just write us a message!

Fill out the form and we will be in touch as soon as possible!