Addressing SAP’s SQL Injection Attacks and Directory Traversal Vulnerabilities


SAP platforms, used by 99 of the Fortune 100 companies and with over 280 million cloud subscribers worldwide, are among the most reliable business applications. As SAP administrators, your role in maintaining the security of these platforms is crucial. However, the platform’s popularity makes it a prime target for hackers to exploit Structured Query Language (SQL) injections and directory traversal vulnerabilities, which are only two specific risks in a much larger group. By understanding these risks and proactively applying security measures, you play a vital part in safeguarding SAP environments. This article will detail how to reduce SQL injection and Directory Traversal Vulnerability attack vectors.

SQL Injection Attacks

SQL injection, a common vulnerability found in many software programs, including those written in SAP's Advanced Business Application Programming language (ABAP/4), can have severe consequences. A SQL injection attack leverages malicious SQL code to exploit weaknesses in an application's handling of user-supplied data. The application becomes vulnerable to SQL injection if that user input is not correctly validated and sanitized. The attacker can then supply malicious input that the database executes as part of a SQL statement, potentially leading to data breaches and other security incidents.

Imagine a simple ABAP/4 program that allows an end user to search for customer records by last name. The program takes the user input, concatenates it into the SQL statement, and executes the query. The following is an example of an application that takes user input and uses it in an SQL statement without sanitizing it:

DATA: lv_last_name TYPE string,
      lv_where     TYPE string,
      lt_customers TYPE TABLE OF customers.

* get user input for last name
lv_last_name = request->get_form_field( 'last_name' ).

* build the SQL statement: the raw input is concatenated into a dynamic
* WHERE clause, so whatever the user typed becomes part of the statement text
lv_where = |last_name = '{ lv_last_name }'|.

* execute the query (the SELECT runs it directly; there is no separate execute step)
SELECT * FROM customers INTO TABLE lt_customers
  WHERE (lv_where).

However, the program does not validate or sanitize the user input, so an attacker can inject malicious code into the SQL statement, for example by supplying the following input for the last name:

' OR 1=1

This would modify the SQL statement to the following:

SELECT * FROM customers INTO TABLE lt_customers
  WHERE last_name = '' OR 1=1.

This modified statement would return all the records in the customers table, since the condition 1=1 is always true, allowing the attacker to access sensitive information.

Finding vulnerabilities in the code is a challenge. SAP provides the ABAP Test Cockpit (ATC), which supports ABAP/4, but it lacks the functionality to scan for SQL injection vulnerabilities. Once a vulnerability has been identified, correcting it requires proper input validation, sanitization, prepared statements, and database-level access control. For the SAP standard codebase, the manufacturer is responsible for the correction. Detection and correction require SAP software and SAP security patches, which must be kept up to date to address known vulnerabilities.
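The remediation described above, as an added example that is not part of the original article: the concatenating search from the earlier snippet sits beside two hardened versions, one using an Open SQL host variable (the ABAP equivalent of a prepared statement, where the value is passed as a parameter rather than as statement text) and one for cases where the WHERE clause must stay dynamic, where the literal is quoted and escaped with CL_ABAP_DYN_PRG. The CUSTOMERS table and its LAST_NAME field are the article's; the report and class names are hypothetical, and the code assumes ABAP 7.40 or later syntax.

```abap
REPORT zdemo_customer_search.

" Assumed (taken from the article's example, not a standard SAP table):
" a transparent table CUSTOMERS with a character field LAST_NAME.
CLASS lcl_customer_search DEFINITION FINAL.
  PUBLIC SECTION.
    TYPES tt_customers TYPE STANDARD TABLE OF customers WITH DEFAULT KEY.

    " Vulnerable: raw input is concatenated into a dynamic WHERE clause.
    METHODS search_unsafe
      IMPORTING iv_last_name        TYPE string
      RETURNING VALUE(rt_customers) TYPE tt_customers.

    " Hardened: the value travels as a host variable, never as statement text.
    METHODS search_safe
      IMPORTING iv_last_name        TYPE string
      RETURNING VALUE(rt_customers) TYPE tt_customers.

    " Hardened for the case where the clause must be dynamic:
    " the literal is escaped and quoted by CL_ABAP_DYN_PRG.
    METHODS search_dynamic_safe
      IMPORTING iv_last_name        TYPE string
      RETURNING VALUE(rt_customers) TYPE tt_customers.
ENDCLASS.

CLASS lcl_customer_search IMPLEMENTATION.
  METHOD search_unsafe.
    " Concatenation means the input is parsed as statement text, so any
    " quote or operator the user types changes the meaning of the condition.
    DATA(lv_where) = |last_name = '{ iv_last_name }'|.
    SELECT * FROM customers INTO TABLE @rt_customers WHERE (lv_where).
  ENDMETHOD.

  METHOD search_safe.
    " Open SQL host variable: the database receives the value as a parameter,
    " so quotes or operators in the input can only ever be compared as a name.
    SELECT * FROM customers INTO TABLE @rt_customers
      WHERE last_name = @iv_last_name.
  ENDMETHOD.

  METHOD search_dynamic_safe.
    " quote( ) doubles embedded single quotes and wraps the value in quotes,
    " so the whole input is always parsed as one string literal.
    DATA(lv_where) = |last_name = { cl_abap_dyn_prg=>quote( iv_last_name ) }|.
    SELECT * FROM customers INTO TABLE @rt_customers WHERE (lv_where).
  ENDMETHOD.
ENDCLASS.

START-OF-SELECTION.
  DATA(lo_search) = NEW lcl_customer_search( ).
  " Constructed input: the attacker-style value shown in the article.
  DATA(lv_input) = |' OR 1=1|.

  " The concatenating version either returns unrelated rows or fails at
  " runtime with a dynamic Open SQL error, depending on the exact input.
  TRY.
      DATA(lt_unsafe) = lo_search->search_unsafe( lv_input ).
      DATA(lv_unsafe_count) = lines( lt_unsafe ).
      WRITE: / 'unsafe query returned rows:', lv_unsafe_count.
    CATCH cx_sy_dynamic_osql_error INTO DATA(lx_osql).
      WRITE: / 'unsafe query failed:', lx_osql->get_text( ).
  ENDTRY.

  " Both hardened versions only ever match a customer whose last name is
  " literally the string ' OR 1=1, which is normally zero rows.
  DATA(lv_safe_count) = lines( lo_search->search_safe( lv_input ) ).
  WRITE: / 'host-variable query returned rows:', lv_safe_count.

  DATA(lv_dyn_count) = lines( lo_search->search_dynamic_safe( lv_input ) ).
  WRITE: / 'quoted dynamic query returned rows:', lv_dyn_count.
```

The host-variable form is the one to prefer; the quoted dynamic form exists only for clauses whose shape genuinely has to be assembled at runtime, and even then the column and operator parts should come from a fixed allow-list, with only the value passing through quote( ).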

The problem inherent in the SAP ATC, which runs automatically, is that it detects only some security-related code vulnerabilities, not all of them. SAP offers a commercial product to address this gap, but it does not integrate with threat detection or vulnerability and risk assessment tools. Third-party solutions offer code vulnerability scanning that extends the ATC checks with additional security checks.

Directory Traversal Vulnerability

Like SQL injection, directory traversal vulnerabilities arise when user input or URL parameters containing file path information are manipulated. Once the path is compromised, attackers can modify, delete, or steal financial information, employee records, and other customer details. The following is an example of a vulnerable function in SAP ABAP:

METHOD read_file.
  DATA: filename TYPE string,
        filepath TYPE string,
        filedata TYPE STANDARD TABLE OF string,
        len      TYPE i.

  " the file name comes straight from the request and is never validated
  filename = request->get_form_field( 'filename' ).
  " the fixed directory is simply prefixed, so "../" in the name walks out of it
  filepath = '/var/www/uploads/' && filename.

  CALL FUNCTION 'GUI_UPLOAD'
    EXPORTING
      filename   = filepath
    IMPORTING
      filelength = len
    TABLES
      data_tab   = filedata.

  " the file content is returned to the caller line by line
  response->set_cdata( concat_lines_of( table = filedata
                                        sep   = cl_abap_char_utilities=>newline ) ).
ENDMETHOD.

In the example above, exploiting the directory traversal vulnerability involves manipulating the input parameters. The function reads a file from the directory based on the filename parameter supplied by the user. An attacker can manipulate the filename parameter to access files outside the "uploads" directory by injecting path traversal sequences such as "../" into the input. Thus, the attacker can traverse the file system and access files outside the web server's document root.

User input validation is crucial to preventing the attack. If the vulnerable function takes a filename as input and appends it to a fixed path without validating it, the attacker gains access to any file they desire.
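The validation the two paragraphs above call for, as an added example that is not part of the original article: the file name is checked against a positive allow-list (a plain base name with at most one extension) before it is appended to the fixed directory, so separators and ".." sequences are rejected before any file access happens, and the file is read from the application server with OPEN DATASET. The /var/www/uploads/ directory is the article's; the class, method and exception names are hypothetical, and the code assumes ABAP 7.40 or later syntax.

```abap
REPORT zdemo_safe_file_read.

" Raised when a request supplies a file name that fails validation.
CLASS lcx_rejected_filename DEFINITION INHERITING FROM cx_static_check FINAL.
ENDCLASS.

CLASS lcl_file_reader DEFINITION FINAL.
  PUBLIC SECTION.
    " Assumed fixed upload directory, taken from the article's example.
    CONSTANTS gc_upload_dir TYPE string VALUE '/var/www/uploads/'.

    " TRUE only for a plain base name: letters, digits, '_' and '-',
    " optionally followed by one short extension. '/', '\', '..' and
    " leading dots cannot pass, so the name cannot leave gc_upload_dir.
    CLASS-METHODS is_safe_basename
      IMPORTING iv_filename    TYPE string
      RETURNING VALUE(rv_safe) TYPE abap_bool.

    " Reads a validated file from the upload directory on the application server.
    METHODS read_file
      IMPORTING iv_filename       TYPE string
      RETURNING VALUE(rv_content) TYPE string
      RAISING   lcx_rejected_filename.
ENDCLASS.

CLASS lcl_file_reader IMPLEMENTATION.
  METHOD is_safe_basename.
    " matches( ) requires the whole text to match the pattern (positive allow-list),
    " which is more robust than trying to strip or block individual bad sequences.
    rv_safe = cl_abap_matcher=>matches(
                pattern = '[A-Za-z0-9_-]{1,64}(\.[A-Za-z0-9]{1,10})?'
                text    = iv_filename ).
  ENDMETHOD.

  METHOD read_file.
    DATA lv_line TYPE string.

    " Validate before the name touches any path or file API.
    IF is_safe_basename( iv_filename ) = abap_false.
      RAISE EXCEPTION TYPE lcx_rejected_filename.
    ENDIF.
    DATA(lv_path) = gc_upload_dir && iv_filename.

    " Application-server file access; a missing or unreadable file yields sy-subrc <> 0.
    OPEN DATASET lv_path FOR INPUT IN TEXT MODE ENCODING DEFAULT.
    IF sy-subrc <> 0.
      RAISE EXCEPTION TYPE lcx_rejected_filename.
    ENDIF.
    DO.
      READ DATASET lv_path INTO lv_line.
      IF sy-subrc <> 0.
        EXIT.
      ENDIF.
      rv_content = rv_content && lv_line && cl_abap_char_utilities=>newline.
    ENDDO.
    CLOSE DATASET lv_path.
  ENDMETHOD.
ENDCLASS.

START-OF-SELECTION.
  DATA(lo_reader) = NEW lcl_file_reader( ).

  " Constructed inputs: a legitimate name and a traversal attempt of the kind
  " the article describes; only the first one reaches OPEN DATASET.
  LOOP AT VALUE string_table( ( `report.txt` ) ( `../outside.txt` ) ) INTO DATA(lv_name).
    TRY.
        DATA(lv_content) = lo_reader->read_file( lv_name ).
        DATA(lv_length) = strlen( lv_content ).
        WRITE: / lv_name, 'read,', lv_length, 'characters'.
      CATCH lcx_rejected_filename.
        WRITE: / lv_name, 'rejected'.
    ENDTRY.
  ENDLOOP.
```

A second, independent layer is the S_DATASET authorization object: calling the standard function module AUTHORITY_CHECK_DATASET for the resolved path before OPEN DATASET means that even a validation bypass still has to pass the server's authorization check, and a failed check shows up in the security audit log.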

Third-Party Software to the Rescue

Fortunately, third-party software is available to spot vulnerable code within SAP applications. These tools use code analysis to identify potential security risks by examining the code's structure and content for known patterns and irregularities. This should give you the confidence to mitigate these risks and protect SAP systems.

Checking for potential problems, such as SQL injections and directory traversal vulnerabilities, is best accomplished with a view of security risks and vulnerabilities across multiple SAP systems. Real-time alerting software with statistical risk assessment is crucial so that vulnerabilities do not go undetected.

Conclusion

Code vulnerabilities can be difficult to detect and usually require manual code walk-throughs and peer reviews, which are time-consuming, consume resources, and leave the process susceptible to human error. Third-party SAP cybersecurity solutions that include code vulnerability analysis can identify bad actors and spot malicious code before damage is done. For best results, the software must run automatically and frictionlessly and offer real-time analysis, providing accuracy and efficiency that manual processes cannot match.

SAP helps businesses run efficiently by centralizing data. However, all that data is a sitting duck for attackers looking for code vulnerabilities if SAP is not bolstered by suitable cybersecurity protection. As SAP administrators, it is your responsibility to ensure that additional software not native to SAP is used to detect SQL injection and directory traversal vulnerabilities. Otherwise, all that data can be scooped up and used to inhibit business success. The potential consequences of not addressing these vulnerabilities are significant, underscoring the urgency of your role in this process.