Using the built-in escape function:

| Context | Method |
| --- | --- |
| HTML / XML | out = escape( val = val format = cl_abap_format=>e_xss_ml ) |
| JavaScript | out = escape( val = val format = cl_abap_format=>e_xss_js ) |
| URL | out = escape( val = val format = cl_abap_format=>e_xss_url ) |
| CSS | out = escape( val = val format = cl_abap_format=>e_xss_css ) |

Using the methods of class CL_ABAP_DYN_PRG:

| Context | Method |
| --- | --- |
| HTML / XML | out = CL_ABAP_DYN_PRG=>ESCAPE_XSS_XML_HTML( val ) |
| JavaScript | out = CL_ABAP_DYN_PRG=>ESCAPE_XSS_JAVASCRIPT( val ) |
| URL | out = CL_ABAP_DYN_PRG=>ESCAPE_XSS_URL( val ) |
| CSS | out = CL_ABAP_DYN_PRG=>ESCAPE_XSS_CSS( val ) |
```html
<%@page language="abap" forceEncode="html"%>
<html>
<% data: inputvalue type string.
   inputvalue = request->get_form_field( 'x' ).
%>
<%= inputvalue %>
</html>
```

With forceEncode="html" in the page directive, every value written with <%= ... %> (here the request parameter x) is HTML-encoded automatically. Instead of encoding the whole page with one rule, the encoding can also be chosen per output, according to the context into which the value is written:

- <%html=...%>: HTML encoding
- <%url=...%>: URL encoding, for values inserted into a URL
- <%javascript=...%>: JavaScript encoding
- <%css=...%>: CSS encoding
- <%raw=...%>: no encoding at all; the value is written as-is and must therefore be used only for data that is already safe for the context
BSP with HTMLB

In BSP pages that use the HTMLB extension, forced encoding is controlled by the forceEncode attribute of the <htmlb:content> tag, which should be set to ENABLED. The attribute takes one of two values:

<htmlb:content forceEncode="ENABLED|BACKWARDS_COMPATIBLE">

- ENABLED: all attribute values of the HTMLB tags are encoded before they are written into the page.
- BACKWARDS_COMPATIBLE: the earlier behaviour is kept and encoding is not forced.

The design attribute of htmlb:content also matters. Possible values are CLASSIC, DESIGN2002, DESIGN2003 and DESIGN2008, and several designs can be combined with a plus sign (+). CLASSIC and DESIGN2002 (the older designs) do not support forced encoding, so a newer design has to be requested explicitly:

<htmlb:content forceEncode="ENABLED" design="DESIGN2003+DESIGN2008">

If the attribute is omitted, design=CLASSIC is used, and forced encoding does not take effect.

Mixed BSP pages with plain HTML and HTMLB

The forceEncode attribute of the BSP page and the forceEncode attribute of <htmlb:content> are independent of each other: the HTMLB setting applies only to HTMLB tags. On pages that mix plain HTML output with HTMLB tags, both attributes therefore have to be set.
Internet Transaction Server (ITS) and HTML Business

For the Internet Transaction Server (ITS) and HTML Business templates, the following escaping functions are available:

xss_url_escape(), xss_html_escape(), xss_wml_escape(), xss_css_escape(), xss_js_escape()

HTML Business

In addition, values that are substituted into HTML Business templates through backtick (`) expressions can be escaped automatically, controlled by these service parameters:

- ~auto_html_escaping=1: automatic HTML escaping of substituted values
- ~new_xss_functions=1: enables the newer XSS escaping functions
- ~html_escaping_off=1/0: switches the automatic escaping off (1) or on (0) where the global setting has to be overridden

Where the parameters are set depends on the ITS and SAP_BASIS release: for the standalone ITS (releases up to 6.40) they are maintained in the Internet Service in transaction SE80; for the integrated ITS (6.40 and later) in the GUI configuration of the service in transaction SICF. As of release 7.20, ~new_xss_functions is active by default, so the XSS escaping functions are used without further configuration.

Check that ~html_escaping_off="X" is not set in any service where it is not strictly required, since it disables the protection for that service. Details: SAP Security Note 1488500.
Business HTML (BHTML)

The functions of the HTMLBusiness Template Library (for example SAP_TemplateNonEditableField()) also write values into the page and must escape them; they are covered by SAP Security Note 916255, which has to be applied.
In addition, the following profile parameters reduce the impact of an XSS attack:

- http/security_session_timeout = 900: the security session is terminated after this number of seconds of inactivity, so a hijacked session is usable only for a limited time.
- icf/set_HTTPonly_flag_on_cookies = 0: the HttpOnly flag is set on the cookies issued by the server, so that script running in the page cannot read them; in browsers that support HttpOnly this protects the logon ticket from being stolen through XSS.

The parameters are maintained in transaction RZ10: select the profile (for example DEFAULT.PFL, which applies to all instances of the SAP system), choose Extended maintenance and Change, add or change the parameter, then save and activate the profile with Copy.

To be able to detect and investigate attacks, web requests should be logged; the HTTP access log and the ICM security log are configured with these parameters:

icm/HTTP/logging_0, icm/security_log
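As an added check (not from the original article), the following script audits a constructed DEFAULT.PFL fragment against the recommendations above: the 900-second timeout, the HttpOnly flag value 0, and the presence of icm/HTTP/logging_0 and icm/security_log. It assumes the profile is a plain "name = value" file with # comments; the sample values and the CHECKS table are constructed for the demo.

```javascript
// Added example (not code from the original article): audit an AS ABAP profile
// fragment for the XSS-related parameters discussed in the text.

// Constructed DEFAULT.PFL fragment; sample data, not from a real system.
const SAMPLE_PROFILE = `
# constructed DEFAULT.PFL fragment (sample data, not from a real system)
SAPSYSTEMNAME = XSS
login/password_expiration_time = 90
http/security_session_timeout = 3600
icf/set_HTTPonly_flag_on_cookies = 1
icm/HTTP/logging_0 = PREFIX=/, LOGFILE=http_access.log
`;

// Parse "name = value" lines, skipping comments and blank lines.
// Profile parameter names are case-insensitive, so they are lower-cased for lookup.
function parseProfile(text) {
  const params = new Map();
  for (const raw of text.split(/\r?\n/)) {
    const line = raw.trim();
    if (line === "" || line.startsWith("#")) continue;
    const eq = line.indexOf("=");
    if (eq < 0) continue; // not a parameter line
    params.set(line.slice(0, eq).trim().toLowerCase(), line.slice(eq + 1).trim());
  }
  return params;
}

// Recommendations from the text (assumption: this table is constructed here).
// maxSeconds: upper bound; mustBe: exact value; present: only checks it is configured.
const CHECKS = [
  { param: "http/security_session_timeout", maxSeconds: 900 },
  { param: "icf/set_HTTPonly_flag_on_cookies", mustBe: "0" },
  { param: "icm/HTTP/logging_0", present: true },
  { param: "icm/security_log", present: true },
];

// Evaluate one check against the value found in the profile (undefined = not set).
function checkOne(check, actual) {
  if (actual === undefined) {
    // Missing means the kernel default applies; flag it so someone verifies the default.
    return { param: check.param, actual: null, ok: false,
             reason: "not set in profile (kernel default applies)" };
  }
  if (check.present) {
    return { param: check.param, actual, ok: true, reason: "configured" };
  }
  if (check.mustBe !== undefined) {
    const ok = actual === check.mustBe;
    return { param: check.param, actual, ok,
             reason: ok ? "as recommended" : "expected " + check.mustBe };
  }
  const seconds = Number(actual);
  const ok = Number.isInteger(seconds) && seconds > 0 && seconds <= check.maxSeconds;
  return { param: check.param, actual, ok,
           reason: ok ? "as recommended" : "expected at most " + check.maxSeconds + " seconds" };
}

// Run every check; returns one result object per entry in CHECKS.
function auditProfile(text) {
  const params = parseProfile(text);
  return CHECKS.map(c => checkOne(c, params.get(c.param.toLowerCase())));
}

// Only the checks that failed.
function findings(text) {
  return auditProfile(text).filter(f => !f.ok);
}

if (typeof require !== "undefined" && require.main === module) {
  for (const f of findings(SAMPLE_PROFILE)) {
    console.log(`${f.param}: ${f.actual === null ? "<missing>" : f.actual} (${f.reason})`);
  }
}
```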
SAP NetWeaver J2EE

On AS Java the encoding functions are shipped in tc_sec_csi.jar and cover the HTML/XML, JavaScript, CSS and URL contexts. The class StringUtils (com.sap.security.core.server.csi.util.StringUtils) provides the following methods:

[Figure: Securing SAP from XSS vulnerabilities]

- escapeScriptEndTag(String pStr): escapes the closing script tag so that a value inside a JavaScript block cannot terminate it
- escapeToHTML(String input): escaping for output into HTML (Case 1)
- escapeToJS(String input): escaping for output into a JavaScript declaration (Case 5)
- escapeToURL(String input): escaping for values placed in a URL (Case 3); see also the 'disableScriptSignatures' option
- escapeToURL(StringBuffer sb, String input, int maxLength): as above, writing the result into the given StringBuffer and limited to maxLength characters; see also the 'disableScriptSignatures' option
- escapeToURL(String input, int maxLength): as above, limited to maxLength characters; see also the 'disableScriptSignatures' option
- urlEncode(String s): wrapper around URLEncoder.encode

The output cases referred to above are:
- Case 1 (value written as plain HTML text or as a field value): [CASE1], for example a form field labelled Username whose value is [CASE1]
- Case 2 (value written into an attribute that holds a URL): the target of a "Click here" link
- Case 3 (value written as a parameter inside a URL)
- Case 4 (value written inside a SCRIPT block, within quotes)
- Case 5 (value written as a JavaScript variable declaration)
The recommended way is to use XSSEncoder.

The XSSEncoder class (full name: com.sap.security.core.server.csi.XSSEncoder) provides one method per output context:

| Context | Method |
| --- | --- |
| HTML / XML | out = XSSEncoder.encodeHTML( val ); and out = XSSEncoder.encodeXML( val ); |
| JavaScript | out = XSSEncoder.encodeJavaScript( val ); |
| URL | out = XSSEncoder.encodeURL( val ); |
| CSS | out = XSSEncoder.encodeCSS( val ); |

Details on its use are in SAP Security Note 1590008.
WebDynpro Java

WebDynpro Java handles output encoding itself, so applications built on it are protected against XSS by the framework.
SAP UI Development Kit for HTML5

In the SAP UI Development Kit for HTML5 (SAPUI5), the encoding functions are provided as jQuery extensions in /_core/src/main/js/jquery.sap.encoder.js:

| Context | Method |
| --- | --- |
| HTML / XML | jQuery.sap.encodeHTML(sValue) and jQuery.sap.encodeXML(sValue) |
| JavaScript | jQuery.sap.encodeJS(sValue) |
| URL | jQuery.sap.encodeURL(sValue) |
| CSS | jQuery.sap.encodeCSS(sValue) |
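As an added example (not the article's code and not SAPUI5's implementation), the following JavaScript shows the approach behind the context-specific encoder sets above (StringUtils and XSSEncoder on AS Java, jquery.sap.encoder in SAPUI5): one encoder per output context, chosen explicitly by the code that writes the value, with no silent pass-through. The safe-character sets, escape forms and the renderUserLink helper are assumptions for this demo.

```javascript
// Added example (not code from the original article or from SAPUI5): a
// context-aware output encoder modelled on the approach of jquery.sap.encoder.js.
// Safe-character sets and escape forms are assumptions for this demo.

// Characters passed through unchanged in each context; everything else is escaped.
const SAFE_HTML = /^[A-Za-z0-9 ,.\-_]$/;   // no < > & " ' / and no control characters
const SAFE_JS   = /^[A-Za-z0-9 ,._]$/;     // no quotes, backslash, < >, line terminators
const SAFE_CSS  = /^[A-Za-z0-9 ,._\-]$/;   // no ( ) " ' \ ; { } etc.

function hex(code, width) {
  return code.toString(16).toUpperCase().padStart(width, "0");
}

// HTML/XML text and attribute values: numeric character references (&#xHH;).
function encodeHTML(value) {
  let out = "";
  for (const ch of String(value)) {
    out += SAFE_HTML.test(ch) ? ch : "&#x" + hex(ch.codePointAt(0), 2) + ";";
  }
  return out;
}

// JavaScript string literals: \xHH for Latin-1, \uHHHH per UTF-16 unit above that,
// so the value can neither close the quote nor the enclosing <script> element.
function encodeJS(value) {
  let out = "";
  for (const ch of String(value)) {
    if (SAFE_JS.test(ch)) { out += ch; continue; }
    const cp = ch.codePointAt(0);
    if (cp < 0x100) {
      out += "\\x" + hex(cp, 2);
    } else {
      for (let i = 0; i < ch.length; i++) out += "\\u" + hex(ch.charCodeAt(i), 4);
    }
  }
  return out;
}

// URL parameter values: percent-encoding of the UTF-8 bytes. encodeURIComponent
// leaves !'()* alone, so they are encoded in a second pass.
function encodeURL(value) {
  return encodeURIComponent(String(value))
    .replace(/[!'()*]/g, c => "%" + hex(c.charCodeAt(0), 2));
}

// CSS string and identifier values: \HH followed by a space (the space ends the escape).
function encodeCSS(value) {
  let out = "";
  for (const ch of String(value)) {
    out += SAFE_CSS.test(ch) ? ch : "\\" + hex(ch.codePointAt(0), 2) + " ";
  }
  return out;
}

// Pick the encoder by output context; an unknown context is an error rather than
// a silent pass-through (the equivalent of <%raw=...%> must be an explicit choice).
function encodeFor(context, value) {
  switch (context) {
    case "html": case "xml": return encodeHTML(value);
    case "js":  return encodeJS(value);
    case "url": return encodeURL(value);
    case "css": return encodeCSS(value);
    default: throw new Error("no encoder for output context: " + context);
  }
}

// One untrusted value written into three different contexts of the same fragment
// (hypothetical helper, constructed for the demo).
function renderUserLink(user) {
  return '<a href="/profile?user=' + encodeFor("url", user) + '" title="' +
         encodeFor("html", user) + '">' + encodeFor("html", user) + '</a>' +
         '<script>var currentUser = "' + encodeFor("js", user) + '";</script>';
}

if (typeof require !== "undefined" && require.main === module) {
  console.log(renderUserLink("O'Neil <1>"));   // constructed sample input
}
```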
On the J2EE Engine, the following settings reduce the impact of an XSS attack:

- Global_app_config/session_config/sessionTimeout = 900: the session is terminated after this number of seconds of inactivity.
- SystemCookiesDataProtection = true: sets the HttpOnly flag on the system cookies so that script running in the page cannot read them; in browsers that support HttpOnly this protects the logon ticket from being stolen through XSS.
- ume.logon.httponlycookie = True: logon tickets are used for Single Sign-On on the J2EE Engine; with "True" the ticket cookie is marked HttpOnly and is not exposed through document.cookie (and thus not to script injected by XSS) in browsers that honour the flag.
- SessionIPProtectionEnabled = True: binds the session to the client's IP address; with True, HTTP requests that present the session from a different IP address are rejected. Note that legitimate sessions whose client IP changes are dropped as well.

To be able to detect and investigate XSS attacks, web requests should be logged; the relevant settings are:

- LogCLF = TRUE in http.properties: writes the HTTP log in CLF (Common Log Format).
- ArchiveOldLogFiles = ON: archives old log files instead of overwriting them (set in the Log Configurator).
- HttpTrace = Enable: enables the HTTP trace; it is set in the ConfigTool under the HTTP Provider Service.
SAP HANA XS

The last platform that needs protection against XSS is SAP HANA.

SAP HANA XS applications are built with SAPUI5, so the encoding functions listed above apply here as well.

SAPUI5 controls also validate the types of their properties (a property declared as int accepts only int values), and the sap.ui.core rendering encodes values written into HTML.

The following settings reduce the impact of an XSS attack:

- sessiontimeout = 900: the session is terminated after this number of seconds of inactivity.
- The session cookie should carry the HttpOnly flag.

To be able to detect and investigate XSS attacks, HTTP(S) requests to SAP HANA should be logged. Logging of HTTP(S) requests is configured with icm/http/logging_0; auditing is switched on with global_auditing_state = true in global.ini, or in the SAP HANA Administration Console under Security (for the HDB system) -> Auditing Status.
These measures do not cover every possible protection against XSS, but they are the mechanisms SAP provides for its own platforms: the encoding function must match both the SAP component and the context into which the value is written.

Author credit: chipik.

Additional information:

- Logging: additional information
- ABAP protection: SAP Encoding Functions for AS ABAP
- Java protection: SAP Encoding Functions for AS Java and JavaScript; Prevention of Cross-site Scripting
- SAP HANA protection
- Protecting SAP® Applications Based on Java and ABAP™ Against Common Attacks
<%@page language="abap" forceEncode="html"%>
<% data: inputvalue type string.
inputvalue = request->get_form_field( 'x' ).
%>
</html>
. , ( ):
<%html=...%>: HTML <%url=...%>: URL URL <%javascript=...%>: JavaScript <%css=…%> : CSS <%raw=...%> ( , , , )
BSP
BSP HTMLB forceEncode <htmlb:content> ENABLED , ( ). ENABLED , , :<htmlb:content forceEncode="ENABLED|BACKWARDS_COMPATIBLE">
ENABLED: . , ; BACKWARDS_COMPATIBLE: . , .
, htmlb:content , . : CLASSIC, DESIGN2002, DESIGN2003, DESIGN2008, , (+). CLASSIC DESIGN2002 (, ) .
<htmlb:content forceEncode="ENABLED" design="DESIGN2003+DESIGN2008">
, design=CLASSIC. .
Mixed BSP- HTML HTMLB
forceEncode BSP page forceEncode HTMLB . , – HTMLB. , , HTML BSP,
Internet Transaction Server (ITS) HTML Business
Internet Transaction Server (ITS) HTML Business, :
xss_url_escape() xss_html_escape() xss_wml_escape() xss_css_escape() xss_js_escape()
HTML Business
, HTML-: , (`) , :
~auto_html_escaping=1: , ~new_xss_functions=1: XSS.
~html_escaping_off=1/0, .
, , SAP_BASIS:
ITS ( <= 6.40), Internet Service SE80. ITS ( >= 6.40), GUI SICF :
7.20, ~new_xss_functions, XSS- .
, , , . ~html_escaping_off=”X”, . , . SAP Security Note 1488500.
Business HTML (BHTML)
HTMLBusiness Template Library (, SAP_TemplateNonEditableField()) . , . SAP Security Note 916255.
, . , .
, XSS-:
http/security_session_timeout = 900; - , . icf/set_HTTPonly_flag_on_cookies = 0; HttpOnly , - , , . HTTPOnly, Logon tickets XSS-.
, RZ10, ( Profile) (, DEFAULT.PFL, SAP-). , , , Extended maintenance . , Copy.
, , - , - -, :
icm/HTTP/logging_0 icm/security_log ,
SAP NetWeaver J2EE
SAP NetWeaver J2EE
AS Java tc_sec_csi.jar. , HTML/XML, JavaScript, CSS URL. StringUtils (com.sap.security.core.server.csi.util.StringUtils):
. Securing SAP from XSS vulnerabilities
escapeScriptEndTag(String pStr) - , javascript ; escapeToHTML(String input) – (. 1) escapeToJS(String input) – JS declaration ( . 5) escapeToURL(String input) – , URL ( 3). , 'disableScriptSignatures'. escapeToURL(StringBuffer sb, String input, int maxLength) - , URL ( 3). , 'disableScriptSignatures'. escapeToURL(String input, int maxLength) - , URL (. 3). , 'disableScriptSignatures'. urlEncode(String s) – URLEncoder.encode
, .
1 ( )
[CASE1]
Username [CASE1]
2 ( , – URL)
Click here
3 ( - URL)
4 ( SCRIPT', – )
5 ( – declaration )
XSSEncoder.
- XSSEncoder ( : com.sap.security.core.server.csi.XSSEncoder).
:
HTML / XML out = XSSEncoder.encodeHTML( in ) and XSSEncoder.encodeXML( val ); JavaScript out = XSSEncoder.encodeJavaScript( val ); URL out = XSSEncoder.encodeURL( val ); CSS out = XSSEncoder.encodeCSS( val );
, . SAP Security Note 1590008.
WebDynpro Java
WebDynpro Java, XSS. .
SAP UI Development Kit for HTML5
SAP UI Development Kit HTML5, jQuery /_core/src/main/js/jquery.sap.encoder.js.
:
HTML / XML jQuery.sap.encodeHTML(sValue) and jQuery.sap.encodeXML(sValue) JavaScript jQuery.sap.encodeJS(sValue) URL jQuery.sap.encodeURL(sValue) CSS jQuery.sap.encodeCSS(sValue)
:
, :
Global_app_config/session_config/sessionTimeout = 900. - , . SystemCookiesDataProtection = true. HttpOnly , - , , . HTTPOnly, Logon tickets XSS-. ume.logon.httponlycookie= True. Logon tickets , Single Sign-On J2EE Engine. “True” , HTTP document.cookie ( XSS-) . SessionIPProtectionEnabled = True. , IP . True, HTTP- IP. IP, .
, , - XSS-, - -, .
LogCLF = TRUE http.properties logging CEF. ArchiveOldLogFiles = ON. Log Configurator . . , . , . . HttpTrace= Enable. HTTP- , ConfigTool. HTTP Provider Service, , HttpTrace.
SAP HANA XS
, XSS- – SAP HANA.
SAP HANA SAPUI5.
- SAPUI5 , . , int int, sap.ui.core . – , HTML:
, :
sessiontimeout = 900. - , . HttpOnly .
, , - XSS-, - -, .
HTTP (S) , SAP HANA, -. - HTTP (S) , icm/http/logging _ 0: global _ auditing _ state = true. global.ini, . , , XSS-. SAP HANA Administration Console –> Security HDB –> Auditing Status menu.
- , XSS. , , - SAP . XSS- – SAP. SAP XSS-. XSS SAP.
, ( chipik ) .
Logging additional information ABAP protection SAP Encoding Functions for AS ABAP Java protection SAP Encoding Functions for AS Java and JavaScript Prevention of Cross-site Scripting SAP HANA protection Protecting SAP® Applications Based on Java and ABAP™ Against Common Attacks
<%@page language="abap" forceEncode="html"%>
<% data: inputvalue type string.
inputvalue = request->get_form_field( 'x' ).
%>
</html>
. , ( ):
<%html=...%>: HTML <%url=...%>: URL URL <%javascript=...%>: JavaScript <%css=…%> : CSS <%raw=...%> ( , , , )
BSP
BSP HTMLB forceEncode <htmlb:content> ENABLED , ( ). ENABLED , , :<htmlb:content forceEncode="ENABLED|BACKWARDS_COMPATIBLE">
ENABLED: . , ; BACKWARDS_COMPATIBLE: . , .
, htmlb:content , . : CLASSIC, DESIGN2002, DESIGN2003, DESIGN2008, , (+). CLASSIC DESIGN2002 (, ) .
<htmlb:content forceEncode="ENABLED" design="DESIGN2003+DESIGN2008">
, design=CLASSIC. .
Mixed BSP- HTML HTMLB
forceEncode BSP page forceEncode HTMLB . , – HTMLB. , , HTML BSP,
Internet Transaction Server (ITS) HTML Business
Internet Transaction Server (ITS) HTML Business, :
xss_url_escape() xss_html_escape() xss_wml_escape() xss_css_escape() xss_js_escape()
HTML Business
, HTML-: , (`) , :
~auto_html_escaping=1: , ~new_xss_functions=1: XSS.
~html_escaping_off=1/0, .
, , SAP_BASIS:
ITS ( <= 6.40), Internet Service SE80. ITS ( >= 6.40), GUI SICF :
7.20, ~new_xss_functions, XSS- .
, , , . ~html_escaping_off=”X”, . , . SAP Security Note 1488500.
Business HTML (BHTML)
HTMLBusiness Template Library (, SAP_TemplateNonEditableField()) . , . SAP Security Note 916255.
, . , .
, XSS-:
http/security_session_timeout = 900; - , . icf/set_HTTPonly_flag_on_cookies = 0; HttpOnly , - , , . HTTPOnly, Logon tickets XSS-.
, RZ10, ( Profile) (, DEFAULT.PFL, SAP-). , , , Extended maintenance . , Copy.
, , - , - -, :
icm/HTTP/logging_0 icm/security_log ,
SAP NetWeaver J2EE
SAP NetWeaver J2EE
AS Java tc_sec_csi.jar. , HTML/XML, JavaScript, CSS URL. StringUtils (com.sap.security.core.server.csi.util.StringUtils):
. Securing SAP from XSS vulnerabilities
escapeScriptEndTag(String pStr) - , javascript ; escapeToHTML(String input) – (. 1) escapeToJS(String input) – JS declaration ( . 5) escapeToURL(String input) – , URL ( 3). , 'disableScriptSignatures'. escapeToURL(StringBuffer sb, String input, int maxLength) - , URL ( 3). , 'disableScriptSignatures'. escapeToURL(String input, int maxLength) - , URL (. 3). , 'disableScriptSignatures'. urlEncode(String s) – URLEncoder.encode
, .
1 ( )
[CASE1]
Username [CASE1]
2 ( , – URL)
Click here
3 ( - URL)
4 ( SCRIPT', – )
5 ( – declaration )
XSSEncoder.
- XSSEncoder ( : com.sap.security.core.server.csi.XSSEncoder).
:
HTML / XML out = XSSEncoder.encodeHTML( in ) and XSSEncoder.encodeXML( val ); JavaScript out = XSSEncoder.encodeJavaScript( val ); URL out = XSSEncoder.encodeURL( val ); CSS out = XSSEncoder.encodeCSS( val );
, . SAP Security Note 1590008.
WebDynpro Java
WebDynpro Java, XSS. .
SAP UI Development Kit for HTML5
SAP UI Development Kit HTML5, jQuery /_core/src/main/js/jquery.sap.encoder.js.
:
HTML / XML jQuery.sap.encodeHTML(sValue) and jQuery.sap.encodeXML(sValue) JavaScript jQuery.sap.encodeJS(sValue) URL jQuery.sap.encodeURL(sValue) CSS jQuery.sap.encodeCSS(sValue)
:
, :
Global_app_config/session_config/sessionTimeout = 900. - , . SystemCookiesDataProtection = true. HttpOnly , - , , . HTTPOnly, Logon tickets XSS-. ume.logon.httponlycookie= True. Logon tickets , Single Sign-On J2EE Engine. “True” , HTTP document.cookie ( XSS-) . SessionIPProtectionEnabled = True. , IP . True, HTTP- IP. IP, .
, , - XSS-, - -, .
LogCLF = TRUE http.properties logging CEF. ArchiveOldLogFiles = ON. Log Configurator . . , . , . . HttpTrace= Enable. HTTP- , ConfigTool. HTTP Provider Service, , HttpTrace.
SAP HANA XS
, XSS- – SAP HANA.
SAP HANA SAPUI5.
- SAPUI5 , . , int int, sap.ui.core . – , HTML:
, :
sessiontimeout = 900. - , . HttpOnly .
, , - XSS-, - -, .
HTTP (S) , SAP HANA, -. - HTTP (S) , icm/http/logging _ 0: global _ auditing _ state = true. global.ini, . , , XSS-. SAP HANA Administration Console –> Security HDB –> Auditing Status menu.
- , XSS. , , - SAP . XSS- – SAP. SAP XSS-. XSS SAP.
, ( chipik ) .
Logging additional information ABAP protection SAP Encoding Functions for AS ABAP Java protection SAP Encoding Functions for AS Java and JavaScript Prevention of Cross-site Scripting SAP HANA protection Protecting SAP® Applications Based on Java and ABAP™ Against Common Attacks
<%@page language="abap" forceEncode="html"%>
<% data: inputvalue type string.
inputvalue = request->get_form_field( 'x' ).
%>
</html>
. , ( ):
<%html=...%>: HTML <%url=...%>: URL URL <%javascript=...%>: JavaScript <%css=…%> : CSS <%raw=...%> ( , , , )
BSP
BSP HTMLB forceEncode <htmlb:content> ENABLED , ( ). ENABLED , , :<htmlb:content forceEncode="ENABLED|BACKWARDS_COMPATIBLE">
ENABLED: . , ; BACKWARDS_COMPATIBLE: . , .
, htmlb:content , . : CLASSIC, DESIGN2002, DESIGN2003, DESIGN2008, , (+). CLASSIC DESIGN2002 (, ) .
<htmlb:content forceEncode="ENABLED" design="DESIGN2003+DESIGN2008">
, design=CLASSIC. .
Mixed BSP- HTML HTMLB
forceEncode BSP page forceEncode HTMLB . , – HTMLB. , , HTML BSP,
Internet Transaction Server (ITS) HTML Business
Internet Transaction Server (ITS) HTML Business, :
xss_url_escape() xss_html_escape() xss_wml_escape() xss_css_escape() xss_js_escape()
HTML Business
, HTML-: , (`) , :
~auto_html_escaping=1: , ~new_xss_functions=1: XSS.
~html_escaping_off=1/0, .
, , SAP_BASIS:
ITS ( <= 6.40), Internet Service SE80. ITS ( >= 6.40), GUI SICF :
7.20, ~new_xss_functions, XSS- .
, , , . ~html_escaping_off=”X”, . , . SAP Security Note 1488500.
Business HTML (BHTML)
HTMLBusiness Template Library (, SAP_TemplateNonEditableField()) . , . SAP Security Note 916255.
, . , .
, XSS-:
http/security_session_timeout = 900; - , . icf/set_HTTPonly_flag_on_cookies = 0; HttpOnly , - , , . HTTPOnly, Logon tickets XSS-.
, RZ10, ( Profile) (, DEFAULT.PFL, SAP-). , , , Extended maintenance . , Copy.
, , - , - -, :
icm/HTTP/logging_0 icm/security_log ,
SAP NetWeaver J2EE
SAP NetWeaver J2EE
AS Java tc_sec_csi.jar. , HTML/XML, JavaScript, CSS URL. StringUtils (com.sap.security.core.server.csi.util.StringUtils):
. Securing SAP from XSS vulnerabilities
escapeScriptEndTag(String pStr) - , javascript ; escapeToHTML(String input) – (. 1) escapeToJS(String input) – JS declaration ( . 5) escapeToURL(String input) – , URL ( 3). , 'disableScriptSignatures'. escapeToURL(StringBuffer sb, String input, int maxLength) - , URL ( 3). , 'disableScriptSignatures'. escapeToURL(String input, int maxLength) - , URL (. 3). , 'disableScriptSignatures'. urlEncode(String s) – URLEncoder.encode
, .
1 ( )
[CASE1]
Username [CASE1]
2 ( , – URL)
Click here
3 ( - URL)
4 ( SCRIPT', – )
5 ( – declaration )
XSSEncoder.
- XSSEncoder ( : com.sap.security.core.server.csi.XSSEncoder).
:
HTML / XML out = XSSEncoder.encodeHTML( in ) and XSSEncoder.encodeXML( val ); JavaScript out = XSSEncoder.encodeJavaScript( val ); URL out = XSSEncoder.encodeURL( val ); CSS out = XSSEncoder.encodeCSS( val );
, . SAP Security Note 1590008.
WebDynpro Java
WebDynpro Java, XSS. .
SAP UI Development Kit for HTML5
SAP UI Development Kit HTML5, jQuery /_core/src/main/js/jquery.sap.encoder.js.
:
HTML / XML jQuery.sap.encodeHTML(sValue) and jQuery.sap.encodeXML(sValue) JavaScript jQuery.sap.encodeJS(sValue) URL jQuery.sap.encodeURL(sValue) CSS jQuery.sap.encodeCSS(sValue)
:
, :
Global_app_config/session_config/sessionTimeout = 900. - , . SystemCookiesDataProtection = true. HttpOnly , - , , . HTTPOnly, Logon tickets XSS-. ume.logon.httponlycookie= True. Logon tickets , Single Sign-On J2EE Engine. “True” , HTTP document.cookie ( XSS-) . SessionIPProtectionEnabled = True. , IP . True, HTTP- IP. IP, .
, , - XSS-, - -, .
LogCLF = TRUE http.properties logging CEF. ArchiveOldLogFiles = ON. Log Configurator . . , . , . . HttpTrace= Enable. HTTP- , ConfigTool. HTTP Provider Service, , HttpTrace.
SAP HANA XS
, XSS- – SAP HANA.
SAP HANA SAPUI5.
- SAPUI5 , . , int int, sap.ui.core . – , HTML:
, :
sessiontimeout = 900. - , . HttpOnly .
, , - XSS-, - -, .
HTTP (S) , SAP HANA, -. - HTTP (S) , icm/http/logging _ 0: global _ auditing _ state = true. global.ini, . , , XSS-. SAP HANA Administration Console –> Security HDB –> Auditing Status menu.
- , XSS. , , - SAP . XSS- – SAP. SAP XSS-. XSS SAP.
, ( chipik ) .
Logging additional information ABAP protection SAP Encoding Functions for AS ABAP Java protection SAP Encoding Functions for AS Java and JavaScript Prevention of Cross-site Scripting SAP HANA protection Protecting SAP® Applications Based on Java and ABAP™ Against Common Attacks
<%@page language="abap" forceEncode="html"%>
<% data: inputvalue type string.
inputvalue = request->get_form_field( 'x' ).
%>
</html>
. , ( ):
<%html=...%>: HTML <%url=...%>: URL URL <%javascript=...%>: JavaScript <%css=…%> : CSS <%raw=...%> ( , , , )
BSP
BSP HTMLB forceEncode <htmlb:content> ENABLED , ( ). ENABLED , , :<htmlb:content forceEncode="ENABLED|BACKWARDS_COMPATIBLE">
ENABLED: . , ; BACKWARDS_COMPATIBLE: . , .
, htmlb:content , . : CLASSIC, DESIGN2002, DESIGN2003, DESIGN2008, , (+). CLASSIC DESIGN2002 (, ) .
<htmlb:content forceEncode="ENABLED" design="DESIGN2003+DESIGN2008">
, design=CLASSIC. .
Mixed BSP- HTML HTMLB
forceEncode BSP page forceEncode HTMLB . , – HTMLB. , , HTML BSP,
Internet Transaction Server (ITS) HTML Business
Internet Transaction Server (ITS) HTML Business, :
xss_url_escape() xss_html_escape() xss_wml_escape() xss_css_escape() xss_js_escape()
HTML Business
, HTML-: , (`) , :
~auto_html_escaping=1: , ~new_xss_functions=1: XSS.
~html_escaping_off=1/0, .
, , SAP_BASIS:
ITS ( <= 6.40), Internet Service SE80. ITS ( >= 6.40), GUI SICF :
7.20, ~new_xss_functions, XSS- .
, , , . ~html_escaping_off=”X”, . , . SAP Security Note 1488500.
Business HTML (BHTML)
HTMLBusiness Template Library (, SAP_TemplateNonEditableField()) . , . SAP Security Note 916255.
, . , .
, XSS-:
http/security_session_timeout = 900; - , . icf/set_HTTPonly_flag_on_cookies = 0; HttpOnly , - , , . HTTPOnly, Logon tickets XSS-.
, RZ10, ( Profile) (, DEFAULT.PFL, SAP-). , , , Extended maintenance . , Copy.
, , - , - -, :
icm/HTTP/logging_0 icm/security_log ,
SAP NetWeaver J2EE
SAP NetWeaver J2EE
AS Java tc_sec_csi.jar. , HTML/XML, JavaScript, CSS URL. StringUtils (com.sap.security.core.server.csi.util.StringUtils):
. Securing SAP from XSS vulnerabilities
escapeScriptEndTag(String pStr) - , javascript ; escapeToHTML(String input) – (. 1) escapeToJS(String input) – JS declaration ( . 5) escapeToURL(String input) – , URL ( 3). , 'disableScriptSignatures'. escapeToURL(StringBuffer sb, String input, int maxLength) - , URL ( 3). , 'disableScriptSignatures'. escapeToURL(String input, int maxLength) - , URL (. 3). , 'disableScriptSignatures'. urlEncode(String s) – URLEncoder.encode
, .
1 ( )
[CASE1]
Username [CASE1]
2 ( , – URL)
Click here
3 ( - URL)
4 ( SCRIPT', – )
5 ( – declaration )
XSSEncoder.
- XSSEncoder ( : com.sap.security.core.server.csi.XSSEncoder).
:
HTML / XML out = XSSEncoder.encodeHTML( in ) and XSSEncoder.encodeXML( val ); JavaScript out = XSSEncoder.encodeJavaScript( val ); URL out = XSSEncoder.encodeURL( val ); CSS out = XSSEncoder.encodeCSS( val );
, . SAP Security Note 1590008.
WebDynpro Java
WebDynpro Java, XSS. .
SAP UI Development Kit for HTML5
SAP UI Development Kit HTML5, jQuery /_core/src/main/js/jquery.sap.encoder.js.
:
HTML / XML jQuery.sap.encodeHTML(sValue) and jQuery.sap.encodeXML(sValue) JavaScript jQuery.sap.encodeJS(sValue) URL jQuery.sap.encodeURL(sValue) CSS jQuery.sap.encodeCSS(sValue)
:
, :
Global_app_config/session_config/sessionTimeout = 900. - , . SystemCookiesDataProtection = true. HttpOnly , - , , . HTTPOnly, Logon tickets XSS-. ume.logon.httponlycookie= True. Logon tickets , Single Sign-On J2EE Engine. “True” , HTTP document.cookie ( XSS-) . SessionIPProtectionEnabled = True. , IP . True, HTTP- IP. IP, .
, , - XSS-, - -, .
LogCLF = TRUE http.properties logging CEF. ArchiveOldLogFiles = ON. Log Configurator . . , . , . . HttpTrace= Enable. HTTP- , ConfigTool. HTTP Provider Service, , HttpTrace.
SAP HANA XS
, XSS- – SAP HANA.
SAP HANA SAPUI5.
- SAPUI5 , . , int int, sap.ui.core . – , HTML:
, :
sessiontimeout = 900. - , . HttpOnly .
, , - XSS-, - -, .
HTTP (S) , SAP HANA, -. - HTTP (S) , icm/http/logging _ 0: global _ auditing _ state = true. global.ini, . , , XSS-. SAP HANA Administration Console –> Security HDB –> Auditing Status menu.
- , XSS. , , - SAP . XSS- – SAP. SAP XSS-. XSS SAP.
, ( chipik ) .
Logging additional information ABAP protection SAP Encoding Functions for AS ABAP Java protection SAP Encoding Functions for AS Java and JavaScript Prevention of Cross-site Scripting SAP HANA protection Protecting SAP® Applications Based on Java and ABAP™ Against Common Attacks
<%@page language="abap" forceEncode="html"%>
<% data: inputvalue type string.
inputvalue = request->get_form_field( 'x' ).
%>
</html>
. , ( ):
<%html=...%>: HTML <%url=...%>: URL URL <%javascript=...%>: JavaScript <%css=…%> : CSS <%raw=...%> ( , , , )
BSP
BSP HTMLB forceEncode <htmlb:content> ENABLED , ( ). ENABLED , , :<htmlb:content forceEncode="ENABLED|BACKWARDS_COMPATIBLE">
ENABLED: . , ; BACKWARDS_COMPATIBLE: . , .
, htmlb:content , . : CLASSIC, DESIGN2002, DESIGN2003, DESIGN2008, , (+). CLASSIC DESIGN2002 (, ) .
<htmlb:content forceEncode="ENABLED" design="DESIGN2003+DESIGN2008">
, design=CLASSIC. .
Mixed BSP- HTML HTMLB
forceEncode BSP page forceEncode HTMLB . , – HTMLB. , , HTML BSP,
Internet Transaction Server (ITS) HTML Business
Internet Transaction Server (ITS) HTML Business, :
xss_url_escape() xss_html_escape() xss_wml_escape() xss_css_escape() xss_js_escape()
HTML Business
, HTML-: , (`) , :
~auto_html_escaping=1: , ~new_xss_functions=1: XSS.
~html_escaping_off=1/0, .
, , SAP_BASIS:
ITS ( <= 6.40), Internet Service SE80. ITS ( >= 6.40), GUI SICF :
7.20, ~new_xss_functions, XSS- .
, , , . ~html_escaping_off=”X”, . , . SAP Security Note 1488500.
Business HTML (BHTML)
HTMLBusiness Template Library (, SAP_TemplateNonEditableField()) . , . SAP Security Note 916255.
, . , .
, XSS-:
http/security_session_timeout = 900; - , . icf/set_HTTPonly_flag_on_cookies = 0; HttpOnly , - , , . HTTPOnly, Logon tickets XSS-.
, RZ10, ( Profile) (, DEFAULT.PFL, SAP-). , , , Extended maintenance . , Copy.
, , - , - -, :
icm/HTTP/logging_0 icm/security_log ,
SAP NetWeaver J2EE
SAP NetWeaver J2EE
AS Java tc_sec_csi.jar. , HTML/XML, JavaScript, CSS URL. StringUtils (com.sap.security.core.server.csi.util.StringUtils):
. Securing SAP from XSS vulnerabilities
escapeScriptEndTag(String pStr) - , javascript ; escapeToHTML(String input) – (. 1) escapeToJS(String input) – JS declaration ( . 5) escapeToURL(String input) – , URL ( 3). , 'disableScriptSignatures'. escapeToURL(StringBuffer sb, String input, int maxLength) - , URL ( 3). , 'disableScriptSignatures'. escapeToURL(String input, int maxLength) - , URL (. 3). , 'disableScriptSignatures'. urlEncode(String s) – URLEncoder.encode
, .
1 ( )
[CASE1]
Username [CASE1]
2 ( , – URL)
Click here
3 ( - URL)
4 ( SCRIPT', – )
5 ( – declaration )
XSSEncoder.
- XSSEncoder ( : com.sap.security.core.server.csi.XSSEncoder).
:
HTML / XML out = XSSEncoder.encodeHTML( in ) and XSSEncoder.encodeXML( val ); JavaScript out = XSSEncoder.encodeJavaScript( val ); URL out = XSSEncoder.encodeURL( val ); CSS out = XSSEncoder.encodeCSS( val );
, . SAP Security Note 1590008.
WebDynpro Java
WebDynpro Java, XSS. .
SAP UI Development Kit for HTML5
SAP UI Development Kit HTML5, jQuery /_core/src/main/js/jquery.sap.encoder.js.
:
HTML / XML jQuery.sap.encodeHTML(sValue) and jQuery.sap.encodeXML(sValue) JavaScript jQuery.sap.encodeJS(sValue) URL jQuery.sap.encodeURL(sValue) CSS jQuery.sap.encodeCSS(sValue)
:
, :
Global_app_config/session_config/sessionTimeout = 900. - , . SystemCookiesDataProtection = true. HttpOnly , - , , . HTTPOnly, Logon tickets XSS-. ume.logon.httponlycookie= True. Logon tickets , Single Sign-On J2EE Engine. “True” , HTTP document.cookie ( XSS-) . SessionIPProtectionEnabled = True. , IP . True, HTTP- IP. IP, .
, , - XSS-, - -, .
LogCLF = TRUE http.properties logging CEF. ArchiveOldLogFiles = ON. Log Configurator . . , . , . . HttpTrace= Enable. HTTP- , ConfigTool. HTTP Provider Service, , HttpTrace.
SAP HANA XS
, XSS- – SAP HANA.
SAP HANA SAPUI5.
- SAPUI5 , . , int int, sap.ui.core . – , HTML:
, :
sessiontimeout = 900. - , . HttpOnly .
, , - XSS-, - -, .
HTTP (S) , SAP HANA, -. - HTTP (S) , icm/http/logging _ 0: global _ auditing _ state = true. global.ini, . , , XSS-. SAP HANA Administration Console –> Security HDB –> Auditing Status menu.
- , XSS. , , - SAP . XSS- – SAP. SAP XSS-. XSS SAP.
, ( chipik ) .
Logging additional information ABAP protection SAP Encoding Functions for AS ABAP Java protection SAP Encoding Functions for AS Java and JavaScript Prevention of Cross-site Scripting SAP HANA protection Protecting SAP® Applications Based on Java and ABAP™ Against Common Attacks
<%@page language="abap" forceEncode="html"%>
<% data: inputvalue type string.
inputvalue = request->get_form_field( 'x' ).
%>
</html>
. , ( ):
<%html=...%>: HTML <%url=...%>: URL URL <%javascript=...%>: JavaScript <%css=…%> : CSS <%raw=...%> ( , , , )
BSP
BSP HTMLB forceEncode <htmlb:content> ENABLED , ( ). ENABLED , , :<htmlb:content forceEncode="ENABLED|BACKWARDS_COMPATIBLE">
ENABLED: . , ; BACKWARDS_COMPATIBLE: . , .
, htmlb:content , . : CLASSIC, DESIGN2002, DESIGN2003, DESIGN2008, , (+). CLASSIC DESIGN2002 (, ) .
<htmlb:content forceEncode="ENABLED" design="DESIGN2003+DESIGN2008">
, design=CLASSIC. .
Mixed BSP- HTML HTMLB
forceEncode BSP page forceEncode HTMLB . , – HTMLB. , , HTML BSP,
Internet Transaction Server (ITS) HTML Business
Internet Transaction Server (ITS) HTML Business, :
xss_url_escape() xss_html_escape() xss_wml_escape() xss_css_escape() xss_js_escape()
HTML Business
, HTML-: , (`) , :
~auto_html_escaping=1: , ~new_xss_functions=1: XSS.
~html_escaping_off=1/0, .
, , SAP_BASIS:
ITS ( <= 6.40), Internet Service SE80. ITS ( >= 6.40), GUI SICF :
7.20, ~new_xss_functions, XSS- .
, , , . ~html_escaping_off=”X”, . , . SAP Security Note 1488500.
Business HTML (BHTML)
HTMLBusiness Template Library (, SAP_TemplateNonEditableField()) . , . SAP Security Note 916255.
, . , .
, XSS-:
http/security_session_timeout = 900; - , . icf/set_HTTPonly_flag_on_cookies = 0; HttpOnly , - , , . HTTPOnly, Logon tickets XSS-.
, RZ10, ( Profile) (, DEFAULT.PFL, SAP-). , , , Extended maintenance . , Copy.
, , - , - -, :
icm/HTTP/logging_0 icm/security_log ,
SAP NetWeaver J2EE
SAP NetWeaver J2EE
AS Java tc_sec_csi.jar. , HTML/XML, JavaScript, CSS URL. StringUtils (com.sap.security.core.server.csi.util.StringUtils):
. Securing SAP from XSS vulnerabilities
escapeScriptEndTag(String pStr) - , javascript ; escapeToHTML(String input) – (. 1) escapeToJS(String input) – JS declaration ( . 5) escapeToURL(String input) – , URL ( 3). , 'disableScriptSignatures'. escapeToURL(StringBuffer sb, String input, int maxLength) - , URL ( 3). , 'disableScriptSignatures'. escapeToURL(String input, int maxLength) - , URL (. 3). , 'disableScriptSignatures'. urlEncode(String s) – URLEncoder.encode
, .
1 ( )
[CASE1]
Username [CASE1]
2 ( , – URL)
Click here
3 ( - URL)
4 ( SCRIPT', – )
5 ( – declaration )
XSSEncoder.
- XSSEncoder ( : com.sap.security.core.server.csi.XSSEncoder).
:
HTML / XML out = XSSEncoder.encodeHTML( in ) and XSSEncoder.encodeXML( val ); JavaScript out = XSSEncoder.encodeJavaScript( val ); URL out = XSSEncoder.encodeURL( val ); CSS out = XSSEncoder.encodeCSS( val );
, . SAP Security Note 1590008.
WebDynpro Java
WebDynpro Java, XSS. .
SAP UI Development Kit for HTML5
SAP UI Development Kit HTML5, jQuery /_core/src/main/js/jquery.sap.encoder.js.
:
HTML / XML jQuery.sap.encodeHTML(sValue) and jQuery.sap.encodeXML(sValue) JavaScript jQuery.sap.encodeJS(sValue) URL jQuery.sap.encodeURL(sValue) CSS jQuery.sap.encodeCSS(sValue)
:
, :
Global_app_config/session_config/sessionTimeout = 900. - , . SystemCookiesDataProtection = true. HttpOnly , - , , . HTTPOnly, Logon tickets XSS-. ume.logon.httponlycookie= True. Logon tickets , Single Sign-On J2EE Engine. “True” , HTTP document.cookie ( XSS-) . SessionIPProtectionEnabled = True. , IP . True, HTTP- IP. IP, .
, , - XSS-, - -, .
LogCLF = TRUE http.properties logging CEF. ArchiveOldLogFiles = ON. Log Configurator . . , . , . . HttpTrace= Enable. HTTP- , ConfigTool. HTTP Provider Service, , HttpTrace.
SAP HANA XS
, XSS- – SAP HANA.
SAP HANA SAPUI5.
- SAPUI5 , . , int int, sap.ui.core . – , HTML:
, :
sessiontimeout = 900. - , . HttpOnly .
, , - XSS-, - -, .
HTTP (S) , SAP HANA, -. - HTTP (S) , icm/http/logging _ 0: global _ auditing _ state = true. global.ini, . , , XSS-. SAP HANA Administration Console –> Security HDB –> Auditing Status menu.
- , XSS. , , - SAP . XSS- – SAP. SAP XSS-. XSS SAP.
, ( chipik ) .
Logging additional information ABAP protection SAP Encoding Functions for AS ABAP Java protection SAP Encoding Functions for AS Java and JavaScript Prevention of Cross-site Scripting SAP HANA protection Protecting SAP® Applications Based on Java and ABAP™ Against Common Attacks
<%@page language="abap" forceEncode="html"%>
<% data: inputvalue type string.
inputvalue = request->get_form_field( 'x' ).
%>
</html>
. , ( ):
<%html=...%>: HTML <%url=...%>: URL URL <%javascript=...%>: JavaScript <%css=…%> : CSS <%raw=...%> ( , , , )
BSP
BSP HTMLB forceEncode <htmlb:content> ENABLED , ( ). ENABLED , , :<htmlb:content forceEncode="ENABLED|BACKWARDS_COMPATIBLE">
ENABLED: . , ; BACKWARDS_COMPATIBLE: . , .
, htmlb:content , . : CLASSIC, DESIGN2002, DESIGN2003, DESIGN2008, , (+). CLASSIC DESIGN2002 (, ) .
<htmlb:content forceEncode="ENABLED" design="DESIGN2003+DESIGN2008">
, design=CLASSIC. .
Mixed BSP- HTML HTMLB
forceEncode BSP page forceEncode HTMLB . , – HTMLB. , , HTML BSP,
Internet Transaction Server (ITS) HTML Business
Internet Transaction Server (ITS) HTML Business, :
xss_url_escape() xss_html_escape() xss_wml_escape() xss_css_escape() xss_js_escape()
HTML Business
, HTML-: , (`) , :
~auto_html_escaping=1: , ~new_xss_functions=1: XSS.
~html_escaping_off=1/0, .
, , SAP_BASIS:
ITS ( <= 6.40), Internet Service SE80. ITS ( >= 6.40), GUI SICF :
7.20, ~new_xss_functions, XSS- .
, , , . ~html_escaping_off=”X”, . , . SAP Security Note 1488500.
Business HTML (BHTML)
HTMLBusiness Template Library (, SAP_TemplateNonEditableField()) . , . SAP Security Note 916255.
, . , .
, XSS-:
http/security_session_timeout = 900; - , . icf/set_HTTPonly_flag_on_cookies = 0; HttpOnly , - , , . HTTPOnly, Logon tickets XSS-.
, RZ10, ( Profile) (, DEFAULT.PFL, SAP-). , , , Extended maintenance . , Copy.
, , - , - -, :
icm/HTTP/logging_0 icm/security_log ,
SAP NetWeaver J2EE
SAP NetWeaver J2EE
AS Java tc_sec_csi.jar. , HTML/XML, JavaScript, CSS URL. StringUtils (com.sap.security.core.server.csi.util.StringUtils):
. Securing SAP from XSS vulnerabilities
escapeScriptEndTag(String pStr) - , javascript ; escapeToHTML(String input) – (. 1) escapeToJS(String input) – JS declaration ( . 5) escapeToURL(String input) – , URL ( 3). , 'disableScriptSignatures'. escapeToURL(StringBuffer sb, String input, int maxLength) - , URL ( 3). , 'disableScriptSignatures'. escapeToURL(String input, int maxLength) - , URL (. 3). , 'disableScriptSignatures'. urlEncode(String s) – URLEncoder.encode
The cases referred to above are the output contexts in which an untrusted value can end up:
Case 1 (value output as HTML content)
[CASE1]
Username [CASE1]
Case 2 (value used as a complete URL, for example the target of a link)
Click here
Case 3 (value used as a URL parameter)
Case 4 (value inside a SCRIPT block, as a quoted string)
Case 5 (value used in a JavaScript declaration)
XSSEncoder
Alternatively, the XSSEncoder class (com.sap.security.core.server.csi.XSSEncoder) can be used. Its methods:
Context | Method |
HTML / XML | out = XSSEncoder.encodeHTML( in ) and XSSEncoder.encodeXML( val ); |
JavaScript | out = XSSEncoder.encodeJavaScript( val ); |
URL | out = XSSEncoder.encodeURL( val ); |
CSS | out = XSSEncoder.encodeCSS( val ); |
For details see SAP Security Note 1590008.
WebDynpro Java
In WebDynpro Java, protection against XSS is handled by the framework itself, which encodes the output it renders. No additional encoding is required in application code.
SAP UI Development Kit for HTML5
In the SAP UI Development Kit for HTML5 (SAPUI5) the encoding functions are provided as jQuery extensions in /_core/src/main/js/jquery.sap.encoder.js.
Methods:
Context | Method |
HTML / XML | jQuery.sap.encodeHTML(sValue) and jQuery.sap.encodeXML(sValue) |
JavaScript | jQuery.sap.encodeJS(sValue) |
URL | jQuery.sap.encodeURL(sValue) |
CSS | jQuery.sap.encodeCSS(sValue) |
Configuration. The following settings limit the impact of an XSS vulnerability on AS Java:
Global_app_config/session_config/sessionTimeout = 900: limits the lifetime of an inactive session, and with it the window in which a stolen session can be used.
SystemCookiesDataProtection = true: sets the HttpOnly flag on the system cookies, so that they, including the logon tickets, are not readable by script and cannot be stolen through XSS.
ume.logon.httponlycookie = True: logon tickets are used for Single Sign-On on the J2EE Engine. With "True" the ticket cookie is transported only in HTTP and is not accessible through document.cookie (for example from an injected script).
SessionIPProtectionEnabled = True: binds the session to the client IP address. With True, HTTP requests that carry the session from a different IP address are rejected.
Logging. To detect XSS attempts on AS Java, enable the following:
LogCLF = TRUE in http.properties enables HTTP access logging in CEF format.
ArchiveOldLogFiles = ON (Log Configurator): old log files are archived instead of being overwritten, so that the entries needed for an investigation are not lost.
HttpTrace = Enable: enables the HTTP trace. It is set in the ConfigTool, in the HttpTrace property of the HTTP Provider Service.
SAP HANA XS
Finally, protection against XSS in SAP HANA.
SAP HANA XS applications are built with SAPUI5, so the jQuery.sap.encode* functions above apply here as well.
SAPUI5 controls also type-check their properties: a property declared as int only accepts an int, and the types of the sap.ui.core library restrict the accepted values further. The exception is content that is rendered as raw HTML, which must be encoded explicitly.
Configuration:
sessiontimeout = 900: limits the lifetime of an inactive session. The HttpOnly flag should likewise be set on the session cookies.
Logging. To detect XSS attempts against SAP HANA, enable the following:
HTTP(S) requests to SAP HANA pass through the built-in Web Dispatcher, so HTTP(S) access logging is configured with the parameter icm/http/logging_0. Auditing is enabled with global_auditing_state = true in global.ini; the audit trail makes it possible to trace the actions performed after a successful XSS attack. The current status can also be seen in SAP HANA Administration Console –> Security HDB –> Auditing Status menu.
In summary, the main defence against XSS is correct, context-specific output encoding, and SAP provides encoding functions for each of its platforms. XSS vulnerabilities are also regularly found in SAP's own components and fixed by SAP in security notes, so keeping the system patched is part of the protection against XSS in SAP.
With thanks to chipik.
Additional information
Logging: additional information
ABAP protection: SAP Encoding Functions for AS ABAP
Java protection: SAP Encoding Functions for AS Java and JavaScript; Prevention of Cross-site Scripting
SAP HANA protection: Protecting SAP® Applications Based on Java and ABAP™ Against Common Attacks
:
, :
Global_app_config/session_config/sessionTimeout = 900. - , . SystemCookiesDataProtection = true. HttpOnly , - , , . HTTPOnly, Logon tickets XSS-. ume.logon.httponlycookie= True. Logon tickets , Single Sign-On J2EE Engine. “True” , HTTP document.cookie ( XSS-) . SessionIPProtectionEnabled = True. , IP . True, HTTP- IP. IP, .
, , - XSS-, - -, .
LogCLF = TRUE http.properties logging CEF. ArchiveOldLogFiles = ON. Log Configurator . . , . , . . HttpTrace= Enable. HTTP- , ConfigTool. HTTP Provider Service, , HttpTrace.
SAP HANA XS
, XSS- – SAP HANA.
SAP HANA SAPUI5.
- SAPUI5 , . , int int, sap.ui.core . – , HTML:
, :
sessiontimeout = 900. - , . HttpOnly .
, , - XSS-, - -, .
HTTP (S) , SAP HANA, -. - HTTP (S) , icm/http/logging _ 0: global _ auditing _ state = true. global.ini, . , , XSS-. SAP HANA Administration Console –> Security HDB –> Auditing Status menu.
- , XSS. , , - SAP . XSS- – SAP. SAP XSS-. XSS SAP.
, ( chipik ) .
Logging additional information ABAP protection SAP Encoding Functions for AS ABAP Java protection SAP Encoding Functions for AS Java and JavaScript Prevention of Cross-site Scripting SAP HANA protection Protecting SAP® Applications Based on Java and ABAP™ Against Common Attacks
<%@page language="abap" forceEncode="html"%>
<% data: inputvalue type string.
inputvalue = request->get_form_field( 'x' ).
%>
</html>
. , ( ):
<%html=...%>: HTML <%url=...%>: URL URL <%javascript=...%>: JavaScript <%css=…%> : CSS <%raw=...%> ( , , , )
BSP
BSP HTMLB forceEncode <htmlb:content> ENABLED , ( ). ENABLED , , :<htmlb:content forceEncode="ENABLED|BACKWARDS_COMPATIBLE">
ENABLED: . , ; BACKWARDS_COMPATIBLE: . , .
, htmlb:content , . : CLASSIC, DESIGN2002, DESIGN2003, DESIGN2008, , (+). CLASSIC DESIGN2002 (, ) .
<htmlb:content forceEncode="ENABLED" design="DESIGN2003+DESIGN2008">
, design=CLASSIC. .
Mixed BSP- HTML HTMLB
forceEncode BSP page forceEncode HTMLB . , – HTMLB. , , HTML BSP,
Internet Transaction Server (ITS) HTML Business
Internet Transaction Server (ITS) HTML Business, :
xss_url_escape() xss_html_escape() xss_wml_escape() xss_css_escape() xss_js_escape()
HTML Business
, HTML-: , (`) , :
~auto_html_escaping=1: , ~new_xss_functions=1: XSS.
~html_escaping_off=1/0, .
, , SAP_BASIS:
ITS ( <= 6.40), Internet Service SE80. ITS ( >= 6.40), GUI SICF :
7.20, ~new_xss_functions, XSS- .
, , , . ~html_escaping_off=”X”, . , . SAP Security Note 1488500.
Business HTML (BHTML)
HTMLBusiness Template Library (, SAP_TemplateNonEditableField()) . , . SAP Security Note 916255.
, . , .
, XSS-:
http/security_session_timeout = 900; - , . icf/set_HTTPonly_flag_on_cookies = 0; HttpOnly , - , , . HTTPOnly, Logon tickets XSS-.
, RZ10, ( Profile) (, DEFAULT.PFL, SAP-). , , , Extended maintenance . , Copy.
, , - , - -, :
icm/HTTP/logging_0 icm/security_log ,
SAP NetWeaver J2EE
SAP NetWeaver J2EE
AS Java tc_sec_csi.jar. , HTML/XML, JavaScript, CSS URL. StringUtils (com.sap.security.core.server.csi.util.StringUtils):
. Securing SAP from XSS vulnerabilities
escapeScriptEndTag(String pStr) - , javascript ; escapeToHTML(String input) – (. 1) escapeToJS(String input) – JS declaration ( . 5) escapeToURL(String input) – , URL ( 3). , 'disableScriptSignatures'. escapeToURL(StringBuffer sb, String input, int maxLength) - , URL ( 3). , 'disableScriptSignatures'. escapeToURL(String input, int maxLength) - , URL (. 3). , 'disableScriptSignatures'. urlEncode(String s) – URLEncoder.encode
, .
1 ( )
[CASE1]
Username [CASE1]
2 ( , – URL)
Click here
3 ( - URL)
4 ( SCRIPT', – )
5 ( – declaration )
XSSEncoder.
- XSSEncoder ( : com.sap.security.core.server.csi.XSSEncoder).
:
HTML / XML out = XSSEncoder.encodeHTML( in ) and XSSEncoder.encodeXML( val ); JavaScript out = XSSEncoder.encodeJavaScript( val ); URL out = XSSEncoder.encodeURL( val ); CSS out = XSSEncoder.encodeCSS( val );
, . SAP Security Note 1590008.
WebDynpro Java
WebDynpro Java, XSS. .
SAP UI Development Kit for HTML5
SAP UI Development Kit HTML5, jQuery /_core/src/main/js/jquery.sap.encoder.js.
:
HTML / XML jQuery.sap.encodeHTML(sValue) and jQuery.sap.encodeXML(sValue) JavaScript jQuery.sap.encodeJS(sValue) URL jQuery.sap.encodeURL(sValue) CSS jQuery.sap.encodeCSS(sValue)
:
, :
Global_app_config/session_config/sessionTimeout = 900. - , . SystemCookiesDataProtection = true. HttpOnly , - , , . HTTPOnly, Logon tickets XSS-. ume.logon.httponlycookie= True. Logon tickets , Single Sign-On J2EE Engine. “True” , HTTP document.cookie ( XSS-) . SessionIPProtectionEnabled = True. , IP . True, HTTP- IP. IP, .
, , - XSS-, - -, .
LogCLF = TRUE http.properties logging CEF. ArchiveOldLogFiles = ON. Log Configurator . . , . , . . HttpTrace= Enable. HTTP- , ConfigTool. HTTP Provider Service, , HttpTrace.
SAP HANA XS
, XSS- – SAP HANA.
SAP HANA SAPUI5.
- SAPUI5 , . , int int, sap.ui.core . – , HTML:
, :
sessiontimeout = 900. - , . HttpOnly .
, , - XSS-, - -, .
HTTP (S) , SAP HANA, -. - HTTP (S) , icm/http/logging _ 0: global _ auditing _ state = true. global.ini, . , , XSS-. SAP HANA Administration Console –> Security HDB –> Auditing Status menu.
- , XSS. , , - SAP . XSS- – SAP. SAP XSS-. XSS SAP.
, ( chipik ) .
Logging additional information ABAP protection SAP Encoding Functions for AS ABAP Java protection SAP Encoding Functions for AS Java and JavaScript Prevention of Cross-site Scripting SAP HANA protection Protecting SAP® Applications Based on Java and ABAP™ Against Common Attacks
<%@page language="abap" forceEncode="html"%>
<% data: inputvalue type string.
inputvalue = request->get_form_field( 'x' ).
%>
</html>
. , ( ):
<%html=...%>: HTML <%url=...%>: URL URL <%javascript=...%>: JavaScript <%css=…%> : CSS <%raw=...%> ( , , , )
BSP
BSP HTMLB forceEncode <htmlb:content> ENABLED , ( ). ENABLED , , :<htmlb:content forceEncode="ENABLED|BACKWARDS_COMPATIBLE">
ENABLED: . , ; BACKWARDS_COMPATIBLE: . , .
, htmlb:content , . : CLASSIC, DESIGN2002, DESIGN2003, DESIGN2008, , (+). CLASSIC DESIGN2002 (, ) .
<htmlb:content forceEncode="ENABLED" design="DESIGN2003+DESIGN2008">
, design=CLASSIC. .
Mixed BSP- HTML HTMLB
forceEncode BSP page forceEncode HTMLB . , – HTMLB. , , HTML BSP,
Internet Transaction Server (ITS) HTML Business
Internet Transaction Server (ITS) HTML Business, :
xss_url_escape() xss_html_escape() xss_wml_escape() xss_css_escape() xss_js_escape()
HTML Business
, HTML-: , (`) , :
~auto_html_escaping=1: , ~new_xss_functions=1: XSS.
~html_escaping_off=1/0, .
, , SAP_BASIS:
ITS ( <= 6.40), Internet Service SE80. ITS ( >= 6.40), GUI SICF :
7.20, ~new_xss_functions, XSS- .
, , , . ~html_escaping_off=”X”, . , . SAP Security Note 1488500.
Business HTML (BHTML)
HTMLBusiness Template Library (, SAP_TemplateNonEditableField()) . , . SAP Security Note 916255.
, . , .
, XSS-:
http/security_session_timeout = 900; - , . icf/set_HTTPonly_flag_on_cookies = 0; HttpOnly , - , , . HTTPOnly, Logon tickets XSS-.
, RZ10, ( Profile) (, DEFAULT.PFL, SAP-). , , , Extended maintenance . , Copy.
, , - , - -, :
icm/HTTP/logging_0 icm/security_log ,
SAP NetWeaver J2EE
SAP NetWeaver J2EE
AS Java tc_sec_csi.jar. , HTML/XML, JavaScript, CSS URL. StringUtils (com.sap.security.core.server.csi.util.StringUtils):
. Securing SAP from XSS vulnerabilities
escapeScriptEndTag(String pStr) - , javascript ; escapeToHTML(String input) – (. 1) escapeToJS(String input) – JS declaration ( . 5) escapeToURL(String input) – , URL ( 3). , 'disableScriptSignatures'. escapeToURL(StringBuffer sb, String input, int maxLength) - , URL ( 3). , 'disableScriptSignatures'. escapeToURL(String input, int maxLength) - , URL (. 3). , 'disableScriptSignatures'. urlEncode(String s) – URLEncoder.encode
, .
1 ( )
[CASE1]
Username [CASE1]
2 ( , – URL)
Click here
3 ( - URL)
4 ( SCRIPT', – )
5 ( – declaration )
XSSEncoder.
- XSSEncoder ( : com.sap.security.core.server.csi.XSSEncoder).
:
HTML / XML out = XSSEncoder.encodeHTML( in ) and XSSEncoder.encodeXML( val ); JavaScript out = XSSEncoder.encodeJavaScript( val ); URL out = XSSEncoder.encodeURL( val ); CSS out = XSSEncoder.encodeCSS( val );
, . SAP Security Note 1590008.
WebDynpro Java
WebDynpro Java, XSS. .
SAP UI Development Kit for HTML5
SAP UI Development Kit HTML5, jQuery /_core/src/main/js/jquery.sap.encoder.js.
:
HTML / XML jQuery.sap.encodeHTML(sValue) and jQuery.sap.encodeXML(sValue) JavaScript jQuery.sap.encodeJS(sValue) URL jQuery.sap.encodeURL(sValue) CSS jQuery.sap.encodeCSS(sValue)
:
, :
Global_app_config/session_config/sessionTimeout = 900. - , . SystemCookiesDataProtection = true. HttpOnly , - , , . HTTPOnly, Logon tickets XSS-. ume.logon.httponlycookie= True. Logon tickets , Single Sign-On J2EE Engine. “True” , HTTP document.cookie ( XSS-) . SessionIPProtectionEnabled = True. , IP . True, HTTP- IP. IP, .
, , - XSS-, - -, .
LogCLF = TRUE http.properties logging CEF. ArchiveOldLogFiles = ON. Log Configurator . . , . , . . HttpTrace= Enable. HTTP- , ConfigTool. HTTP Provider Service, , HttpTrace.
SAP HANA XS
, XSS- – SAP HANA.
SAP HANA SAPUI5.
- SAPUI5 , . , int int, sap.ui.core . – , HTML:
, :
sessiontimeout = 900. - , . HttpOnly .
, , - XSS-, - -, .
HTTP (S) , SAP HANA, -. - HTTP (S) , icm/http/logging _ 0: global _ auditing _ state = true. global.ini, . , , XSS-. SAP HANA Administration Console –> Security HDB –> Auditing Status menu.
- , XSS. , , - SAP . XSS- – SAP. SAP XSS-. XSS SAP.
, ( chipik ) .
Logging additional information ABAP protection SAP Encoding Functions for AS ABAP Java protection SAP Encoding Functions for AS Java and JavaScript Prevention of Cross-site Scripting SAP HANA protection Protecting SAP® Applications Based on Java and ABAP™ Against Common Attacks
<%@page language="abap" forceEncode="html"%>
<% data: inputvalue type string.
inputvalue = request->get_form_field( 'x' ).
%>
</html>
. , ( ):
<%html=...%>: HTML <%url=...%>: URL URL <%javascript=...%>: JavaScript <%css=…%> : CSS <%raw=...%> ( , , , )
BSP
BSP HTMLB forceEncode <htmlb:content> ENABLED , ( ). ENABLED , , :<htmlb:content forceEncode="ENABLED|BACKWARDS_COMPATIBLE">
ENABLED: . , ; BACKWARDS_COMPATIBLE: . , .
, htmlb:content , . : CLASSIC, DESIGN2002, DESIGN2003, DESIGN2008, , (+). CLASSIC DESIGN2002 (, ) .
<htmlb:content forceEncode="ENABLED" design="DESIGN2003+DESIGN2008">
, design=CLASSIC. .
Mixed BSP- HTML HTMLB
forceEncode BSP page forceEncode HTMLB . , – HTMLB. , , HTML BSP,
Internet Transaction Server (ITS) HTML Business
Internet Transaction Server (ITS) HTML Business, :
xss_url_escape() xss_html_escape() xss_wml_escape() xss_css_escape() xss_js_escape()
HTML Business
, HTML-: , (`) , :
~auto_html_escaping=1: , ~new_xss_functions=1: XSS.
~html_escaping_off=1/0, .
, , SAP_BASIS:
ITS ( <= 6.40), Internet Service SE80. ITS ( >= 6.40), GUI SICF :
7.20, ~new_xss_functions, XSS- .
, , , . ~html_escaping_off=”X”, . , . SAP Security Note 1488500.
Business HTML (BHTML)
HTMLBusiness Template Library (, SAP_TemplateNonEditableField()) . , . SAP Security Note 916255.
, . , .
, XSS-:
http/security_session_timeout = 900; - , . icf/set_HTTPonly_flag_on_cookies = 0; HttpOnly , - , , . HTTPOnly, Logon tickets XSS-.
, RZ10, ( Profile) (, DEFAULT.PFL, SAP-). , , , Extended maintenance . , Copy.
, , - , - -, :
icm/HTTP/logging_0 icm/security_log ,
SAP NetWeaver J2EE
SAP NetWeaver J2EE
AS Java tc_sec_csi.jar. , HTML/XML, JavaScript, CSS URL. StringUtils (com.sap.security.core.server.csi.util.StringUtils):
. Securing SAP from XSS vulnerabilities
escapeScriptEndTag(String pStr) - , javascript ; escapeToHTML(String input) – (. 1) escapeToJS(String input) – JS declaration ( . 5) escapeToURL(String input) – , URL ( 3). , 'disableScriptSignatures'. escapeToURL(StringBuffer sb, String input, int maxLength) - , URL ( 3). , 'disableScriptSignatures'. escapeToURL(String input, int maxLength) - , URL (. 3). , 'disableScriptSignatures'. urlEncode(String s) – URLEncoder.encode
, .
1 ( )
[CASE1]
Username [CASE1]
2 ( , – URL)
Click here
3 ( - URL)
4 ( SCRIPT', – )
5 ( – declaration )
XSSEncoder.
- XSSEncoder ( : com.sap.security.core.server.csi.XSSEncoder).
:
HTML / XML out = XSSEncoder.encodeHTML( in ) and XSSEncoder.encodeXML( val ); JavaScript out = XSSEncoder.encodeJavaScript( val ); URL out = XSSEncoder.encodeURL( val ); CSS out = XSSEncoder.encodeCSS( val );
, . SAP Security Note 1590008.
WebDynpro Java
WebDynpro Java, XSS. .
SAP UI Development Kit for HTML5
SAP UI Development Kit HTML5, jQuery /_core/src/main/js/jquery.sap.encoder.js.
:
HTML / XML jQuery.sap.encodeHTML(sValue) and jQuery.sap.encodeXML(sValue) JavaScript jQuery.sap.encodeJS(sValue) URL jQuery.sap.encodeURL(sValue) CSS jQuery.sap.encodeCSS(sValue)
:
, :
Global_app_config/session_config/sessionTimeout = 900. - , . SystemCookiesDataProtection = true. HttpOnly , - , , . HTTPOnly, Logon tickets XSS-. ume.logon.httponlycookie= True. Logon tickets , Single Sign-On J2EE Engine. “True” , HTTP document.cookie ( XSS-) . SessionIPProtectionEnabled = True. , IP . True, HTTP- IP. IP, .
, , - XSS-, - -, .
LogCLF = TRUE http.properties logging CEF. ArchiveOldLogFiles = ON. Log Configurator . . , . , . . HttpTrace= Enable. HTTP- , ConfigTool. HTTP Provider Service, , HttpTrace.
SAP HANA XS
, XSS- – SAP HANA.
SAP HANA SAPUI5.
- SAPUI5 , . , int int, sap.ui.core . – , HTML:
, :
sessiontimeout = 900. - , . HttpOnly .
, , - XSS-, - -, .
HTTP (S) , SAP HANA, -. - HTTP (S) , icm/http/logging _ 0: global _ auditing _ state = true. global.ini, . , , XSS-. SAP HANA Administration Console –> Security HDB –> Auditing Status menu.
- , XSS. , , - SAP . XSS- – SAP. SAP XSS-. XSS SAP.
, ( chipik ) .
Logging additional information ABAP protection SAP Encoding Functions for AS ABAP Java protection SAP Encoding Functions for AS Java and JavaScript Prevention of Cross-site Scripting SAP HANA protection Protecting SAP® Applications Based on Java and ABAP™ Against Common Attacks
<%@page language="abap" forceEncode="html"%>
<% data: inputvalue type string.
inputvalue = request->get_form_field( 'x' ).
%>
</html>
. , ( ):
<%html=...%>: HTML <%url=...%>: URL URL <%javascript=...%>: JavaScript <%css=…%> : CSS <%raw=...%> ( , , , )
BSP
BSP HTMLB forceEncode <htmlb:content> ENABLED , ( ). ENABLED , , :<htmlb:content forceEncode="ENABLED|BACKWARDS_COMPATIBLE">
ENABLED: . , ; BACKWARDS_COMPATIBLE: . , .
, htmlb:content , . : CLASSIC, DESIGN2002, DESIGN2003, DESIGN2008, , (+). CLASSIC DESIGN2002 (, ) .
<htmlb:content forceEncode="ENABLED" design="DESIGN2003+DESIGN2008">
, design=CLASSIC. .
Mixed BSP- HTML HTMLB
forceEncode BSP page forceEncode HTMLB . , – HTMLB. , , HTML BSP,
Internet Transaction Server (ITS) HTML Business
Internet Transaction Server (ITS) HTML Business, :
xss_url_escape() xss_html_escape() xss_wml_escape() xss_css_escape() xss_js_escape()
HTML Business
, HTML-: , (`) , :
~auto_html_escaping=1: , ~new_xss_functions=1: XSS.
~html_escaping_off=1/0, .
, , SAP_BASIS:
ITS ( <= 6.40), Internet Service SE80. ITS ( >= 6.40), GUI SICF :
7.20, ~new_xss_functions, XSS- .
, , , . ~html_escaping_off=”X”, . , . SAP Security Note 1488500.
Business HTML (BHTML)
HTMLBusiness Template Library (, SAP_TemplateNonEditableField()) . , . SAP Security Note 916255.
, . , .
, XSS-:
http/security_session_timeout = 900; - , . icf/set_HTTPonly_flag_on_cookies = 0; HttpOnly , - , , . HTTPOnly, Logon tickets XSS-.
, RZ10, ( Profile) (, DEFAULT.PFL, SAP-). , , , Extended maintenance . , Copy.
, , - , - -, :
icm/HTTP/logging_0 icm/security_log ,
SAP NetWeaver J2EE
SAP NetWeaver J2EE
AS Java tc_sec_csi.jar. , HTML/XML, JavaScript, CSS URL. StringUtils (com.sap.security.core.server.csi.util.StringUtils):
. Securing SAP from XSS vulnerabilities
escapeScriptEndTag(String pStr) - , javascript ; escapeToHTML(String input) – (. 1) escapeToJS(String input) – JS declaration ( . 5) escapeToURL(String input) – , URL ( 3). , 'disableScriptSignatures'. escapeToURL(StringBuffer sb, String input, int maxLength) - , URL ( 3). , 'disableScriptSignatures'. escapeToURL(String input, int maxLength) - , URL (. 3). , 'disableScriptSignatures'. urlEncode(String s) – URLEncoder.encode
, .
1 ( )
[CASE1]
Username [CASE1]
2 ( , – URL)
Click here
3 ( - URL)
4 ( SCRIPT', – )
5 ( – declaration )
XSSEncoder.
- XSSEncoder ( : com.sap.security.core.server.csi.XSSEncoder).
:
HTML / XML out = XSSEncoder.encodeHTML( in ) and XSSEncoder.encodeXML( val ); JavaScript out = XSSEncoder.encodeJavaScript( val ); URL out = XSSEncoder.encodeURL( val ); CSS out = XSSEncoder.encodeCSS( val );
, . SAP Security Note 1590008.
WebDynpro Java
WebDynpro Java, XSS. .
SAP UI Development Kit for HTML5
SAP UI Development Kit HTML5, jQuery /_core/src/main/js/jquery.sap.encoder.js.
:
HTML / XML jQuery.sap.encodeHTML(sValue) and jQuery.sap.encodeXML(sValue) JavaScript jQuery.sap.encodeJS(sValue) URL jQuery.sap.encodeURL(sValue) CSS jQuery.sap.encodeCSS(sValue)
:
, :
Global_app_config/session_config/sessionTimeout = 900. - , . SystemCookiesDataProtection = true. HttpOnly , - , , . HTTPOnly, Logon tickets XSS-. ume.logon.httponlycookie= True. Logon tickets , Single Sign-On J2EE Engine. “True” , HTTP document.cookie ( XSS-) . SessionIPProtectionEnabled = True. , IP . True, HTTP- IP. IP, .
, , - XSS-, - -, .
LogCLF = TRUE http.properties logging CEF. ArchiveOldLogFiles = ON. Log Configurator . . , . , . . HttpTrace= Enable. HTTP- , ConfigTool. HTTP Provider Service, , HttpTrace.
SAP HANA XS
, XSS- – SAP HANA.
SAP HANA SAPUI5.
- SAPUI5 , . , int int, sap.ui.core . – , HTML:
, :
sessiontimeout = 900. - , . HttpOnly .
, , - XSS-, - -, .
HTTP (S) , SAP HANA, -. - HTTP (S) , icm/http/logging _ 0: global _ auditing _ state = true. global.ini, . , , XSS-. SAP HANA Administration Console –> Security HDB –> Auditing Status menu.
- , XSS. , , - SAP . XSS- – SAP. SAP XSS-. XSS SAP.
, ( chipik ) .
Logging additional information ABAP protection SAP Encoding Functions for AS ABAP Java protection SAP Encoding Functions for AS Java and JavaScript Prevention of Cross-site Scripting SAP HANA protection Protecting SAP® Applications Based on Java and ABAP™ Against Common Attacks
<%@page language="abap" forceEncode="html"%>
<% data: inputvalue type string.
inputvalue = request->get_form_field( 'x' ).
%>
</html>
. , ( ):
<%html=...%>: HTML <%url=...%>: URL URL <%javascript=...%>: JavaScript <%css=…%> : CSS <%raw=...%> ( , , , )
BSP
BSP HTMLB forceEncode <htmlb:content> ENABLED , ( ). ENABLED , , :<htmlb:content forceEncode="ENABLED|BACKWARDS_COMPATIBLE">
ENABLED: . , ; BACKWARDS_COMPATIBLE: . , .
, htmlb:content , . : CLASSIC, DESIGN2002, DESIGN2003, DESIGN2008, , (+). CLASSIC DESIGN2002 (, ) .
<htmlb:content forceEncode="ENABLED" design="DESIGN2003+DESIGN2008">
, design=CLASSIC. .
Mixed BSP- HTML HTMLB
forceEncode BSP page forceEncode HTMLB . , – HTMLB. , , HTML BSP,
Internet Transaction Server (ITS) HTML Business
Internet Transaction Server (ITS) HTML Business, :
xss_url_escape() xss_html_escape() xss_wml_escape() xss_css_escape() xss_js_escape()
HTML Business
, HTML-: , (`) , :
~auto_html_escaping=1: , ~new_xss_functions=1: XSS.
~html_escaping_off=1/0, .
, , SAP_BASIS:
ITS ( <= 6.40), Internet Service SE80. ITS ( >= 6.40), GUI SICF :
7.20, ~new_xss_functions, XSS- .
, , , . ~html_escaping_off=”X”, . , . SAP Security Note 1488500.
Business HTML (BHTML)
HTMLBusiness Template Library (, SAP_TemplateNonEditableField()) . , . SAP Security Note 916255.
, . , .
, XSS-:
http/security_session_timeout = 900; - , . icf/set_HTTPonly_flag_on_cookies = 0; HttpOnly , - , , . HTTPOnly, Logon tickets XSS-.
, RZ10, ( Profile) (, DEFAULT.PFL, SAP-). , , , Extended maintenance . , Copy.
, , - , - -, :
icm/HTTP/logging_0 icm/security_log ,
SAP NetWeaver J2EE
SAP NetWeaver J2EE
AS Java tc_sec_csi.jar. , HTML/XML, JavaScript, CSS URL. StringUtils (com.sap.security.core.server.csi.util.StringUtils):
. Securing SAP from XSS vulnerabilities
escapeScriptEndTag(String pStr) - , javascript ; escapeToHTML(String input) – (. 1) escapeToJS(String input) – JS declaration ( . 5) escapeToURL(String input) – , URL ( 3). , 'disableScriptSignatures'. escapeToURL(StringBuffer sb, String input, int maxLength) - , URL ( 3). , 'disableScriptSignatures'. escapeToURL(String input, int maxLength) - , URL (. 3). , 'disableScriptSignatures'. urlEncode(String s) – URLEncoder.encode
, .
1 ( )
[CASE1]
Username [CASE1]
2 ( , – URL)
Click here
3 ( - URL)
4 ( SCRIPT', – )
5 ( – declaration )
XSSEncoder.
- XSSEncoder ( : com.sap.security.core.server.csi.XSSEncoder).
:
HTML / XML out = XSSEncoder.encodeHTML( in ) and XSSEncoder.encodeXML( val ); JavaScript out = XSSEncoder.encodeJavaScript( val ); URL out = XSSEncoder.encodeURL( val ); CSS out = XSSEncoder.encodeCSS( val );
, . SAP Security Note 1590008.
WebDynpro Java
WebDynpro Java, XSS. .
SAP UI Development Kit for HTML5
SAP UI Development Kit HTML5, jQuery /_core/src/main/js/jquery.sap.encoder.js.
:
HTML / XML jQuery.sap.encodeHTML(sValue) and jQuery.sap.encodeXML(sValue) JavaScript jQuery.sap.encodeJS(sValue) URL jQuery.sap.encodeURL(sValue) CSS jQuery.sap.encodeCSS(sValue)
:
, :
Global_app_config/session_config/sessionTimeout = 900. - , . SystemCookiesDataProtection = true. HttpOnly , - , , . HTTPOnly, Logon tickets XSS-. ume.logon.httponlycookie= True. Logon tickets , Single Sign-On J2EE Engine. “True” , HTTP document.cookie ( XSS-) . SessionIPProtectionEnabled = True. , IP . True, HTTP- IP. IP, .
, , - XSS-, - -, .
LogCLF = TRUE http.properties logging CEF. ArchiveOldLogFiles = ON. Log Configurator . . , . , . . HttpTrace= Enable. HTTP- , ConfigTool. HTTP Provider Service, , HttpTrace.
SAP HANA XS
, XSS- – SAP HANA.
SAP HANA SAPUI5.
- SAPUI5 , . , int int, sap.ui.core . – , HTML:
, :
sessiontimeout = 900. - , . HttpOnly .
, , - XSS-, - -, .
HTTP (S) , SAP HANA, -. - HTTP (S) , icm/http/logging _ 0: global _ auditing _ state = true. global.ini, . , , XSS-. SAP HANA Administration Console –> Security HDB –> Auditing Status menu.
- , XSS. , , - SAP . XSS- – SAP. SAP XSS-. XSS SAP.
, ( chipik ) .
Logging additional information ABAP protection SAP Encoding Functions for AS ABAP Java protection SAP Encoding Functions for AS Java and JavaScript Prevention of Cross-site Scripting SAP HANA protection Protecting SAP® Applications Based on Java and ABAP™ Against Common Attacks
<%@page language="abap" forceEncode="html"%>
<% data: inputvalue type string.
inputvalue = request->get_form_field( 'x' ).
%>
</html>
. , ( ):
<%html=...%>: HTML <%url=...%>: URL URL <%javascript=...%>: JavaScript <%css=…%> : CSS <%raw=...%> ( , , , )
BSP
BSP HTMLB forceEncode <htmlb:content> ENABLED , ( ). ENABLED , , :<htmlb:content forceEncode="ENABLED|BACKWARDS_COMPATIBLE">
ENABLED: . , ; BACKWARDS_COMPATIBLE: . , .
, htmlb:content , . : CLASSIC, DESIGN2002, DESIGN2003, DESIGN2008, , (+). CLASSIC DESIGN2002 (, ) .
<htmlb:content forceEncode="ENABLED" design="DESIGN2003+DESIGN2008">
, design=CLASSIC. .
Mixed BSP- HTML HTMLB
forceEncode BSP page forceEncode HTMLB . , – HTMLB. , , HTML BSP,
Internet Transaction Server (ITS) HTML Business
Internet Transaction Server (ITS) HTML Business, :
xss_url_escape() xss_html_escape() xss_wml_escape() xss_css_escape() xss_js_escape()
HTML Business
, HTML-: , (`) , :
~auto_html_escaping=1: , ~new_xss_functions=1: XSS.
~html_escaping_off=1/0, .
, , SAP_BASIS:
ITS ( <= 6.40), Internet Service SE80. ITS ( >= 6.40), GUI SICF :
7.20, ~new_xss_functions, XSS- .
, , , . ~html_escaping_off=”X”, . , . SAP Security Note 1488500.
Business HTML (BHTML)
HTMLBusiness Template Library (, SAP_TemplateNonEditableField()) . , . SAP Security Note 916255.
, . , .
, XSS-:
http/security_session_timeout = 900; - , . icf/set_HTTPonly_flag_on_cookies = 0; HttpOnly , - , , . HTTPOnly, Logon tickets XSS-.
, RZ10, ( Profile) (, DEFAULT.PFL, SAP-). , , , Extended maintenance . , Copy.
, , - , - -, :
icm/HTTP/logging_0 icm/security_log ,
SAP NetWeaver J2EE
SAP NetWeaver J2EE
AS Java tc_sec_csi.jar. , HTML/XML, JavaScript, CSS URL. StringUtils (com.sap.security.core.server.csi.util.StringUtils):
. Securing SAP from XSS vulnerabilities
escapeScriptEndTag(String pStr) - , javascript ; escapeToHTML(String input) – (. 1) escapeToJS(String input) – JS declaration ( . 5) escapeToURL(String input) – , URL ( 3). , 'disableScriptSignatures'. escapeToURL(StringBuffer sb, String input, int maxLength) - , URL ( 3). , 'disableScriptSignatures'. escapeToURL(String input, int maxLength) - , URL (. 3). , 'disableScriptSignatures'. urlEncode(String s) – URLEncoder.encode
, .
1 ( )
[CASE1]
Username [CASE1]
2 ( , – URL)
Click here
3 ( - URL)
4 ( SCRIPT', – )
5 ( – declaration )
XSSEncoder.
- XSSEncoder ( : com.sap.security.core.server.csi.XSSEncoder).
:
HTML / XML out = XSSEncoder.encodeHTML( in ) and XSSEncoder.encodeXML( val ); JavaScript out = XSSEncoder.encodeJavaScript( val ); URL out = XSSEncoder.encodeURL( val ); CSS out = XSSEncoder.encodeCSS( val );
, . SAP Security Note 1590008.
WebDynpro Java
WebDynpro Java, XSS. .
SAP UI Development Kit for HTML5
SAP UI Development Kit HTML5, jQuery /_core/src/main/js/jquery.sap.encoder.js.
:
HTML / XML jQuery.sap.encodeHTML(sValue) and jQuery.sap.encodeXML(sValue) JavaScript jQuery.sap.encodeJS(sValue) URL jQuery.sap.encodeURL(sValue) CSS jQuery.sap.encodeCSS(sValue)
:
, :
Global_app_config/session_config/sessionTimeout = 900. - , . SystemCookiesDataProtection = true. HttpOnly , - , , . HTTPOnly, Logon tickets XSS-. ume.logon.httponlycookie= True. Logon tickets , Single Sign-On J2EE Engine. “True” , HTTP document.cookie ( XSS-) . SessionIPProtectionEnabled = True. , IP . True, HTTP- IP. IP, .
, , - XSS-, - -, .
LogCLF = TRUE http.properties logging CEF. ArchiveOldLogFiles = ON. Log Configurator . . , . , . . HttpTrace= Enable. HTTP- , ConfigTool. HTTP Provider Service, , HttpTrace.
SAP HANA XS
, XSS- – SAP HANA.
SAP HANA SAPUI5.
- SAPUI5 , . , int int, sap.ui.core . – , HTML:
, :
sessiontimeout = 900. - , . HttpOnly .
, , - XSS-, - -, .
HTTP (S) , SAP HANA, -. - HTTP (S) , icm/http/logging _ 0: global _ auditing _ state = true. global.ini, . , , XSS-. SAP HANA Administration Console –> Security HDB –> Auditing Status menu.
- , XSS. , , - SAP . XSS- – SAP. SAP XSS-. XSS SAP.
, ( chipik ) .
Logging additional information ABAP protection SAP Encoding Functions for AS ABAP Java protection SAP Encoding Functions for AS Java and JavaScript Prevention of Cross-site Scripting SAP HANA protection Protecting SAP® Applications Based on Java and ABAP™ Against Common Attacks
<%@page language="abap" forceEncode="html"%>
<% data: inputvalue type string.
inputvalue = request->get_form_field( 'x' ).
%>
</html>
. , ( ):
<%html=...%>: HTML <%url=...%>: URL URL <%javascript=...%>: JavaScript <%css=…%> : CSS <%raw=...%> ( , , , )
BSP
BSP HTMLB forceEncode <htmlb:content> ENABLED , ( ). ENABLED , , :<htmlb:content forceEncode="ENABLED|BACKWARDS_COMPATIBLE">
ENABLED: . , ; BACKWARDS_COMPATIBLE: . , .
, htmlb:content , . : CLASSIC, DESIGN2002, DESIGN2003, DESIGN2008, , (+). CLASSIC DESIGN2002 (, ) .
<htmlb:content forceEncode="ENABLED" design="DESIGN2003+DESIGN2008">
, design=CLASSIC. .
Mixed BSP- HTML HTMLB
forceEncode BSP page forceEncode HTMLB . , – HTMLB. , , HTML BSP,
Internet Transaction Server (ITS) HTML Business
Internet Transaction Server (ITS) HTML Business, :
xss_url_escape() xss_html_escape() xss_wml_escape() xss_css_escape() xss_js_escape()
HTML Business
, HTML-: , (`) , :
~auto_html_escaping=1: , ~new_xss_functions=1: XSS.
~html_escaping_off=1/0, .
, , SAP_BASIS:
ITS ( <= 6.40), Internet Service SE80. ITS ( >= 6.40), GUI SICF :
7.20, ~new_xss_functions, XSS- .
, , , . ~html_escaping_off=”X”, . , . SAP Security Note 1488500.
Business HTML (BHTML)
HTMLBusiness Template Library (, SAP_TemplateNonEditableField()) . , . SAP Security Note 916255.
, . , .
, XSS-:
http/security_session_timeout = 900; - , . icf/set_HTTPonly_flag_on_cookies = 0; HttpOnly , - , , . HTTPOnly, Logon tickets XSS-.
, RZ10, ( Profile) (, DEFAULT.PFL, SAP-). , , , Extended maintenance . , Copy.
, , - , - -, :
icm/HTTP/logging_0 icm/security_log ,
SAP NetWeaver J2EE
SAP NetWeaver J2EE
AS Java tc_sec_csi.jar. , HTML/XML, JavaScript, CSS URL. StringUtils (com.sap.security.core.server.csi.util.StringUtils):
. Securing SAP from XSS vulnerabilities
escapeScriptEndTag(String pStr) - , javascript ; escapeToHTML(String input) – (. 1) escapeToJS(String input) – JS declaration ( . 5) escapeToURL(String input) – , URL ( 3). , 'disableScriptSignatures'. escapeToURL(StringBuffer sb, String input, int maxLength) - , URL ( 3). , 'disableScriptSignatures'. escapeToURL(String input, int maxLength) - , URL (. 3). , 'disableScriptSignatures'. urlEncode(String s) – URLEncoder.encode
, .
1 ( )
[CASE1]
Username [CASE1]
2 ( , – URL)
Click here
3 ( - URL)
4 ( SCRIPT', – )
5 ( – declaration )
XSSEncoder.
- XSSEncoder ( : com.sap.security.core.server.csi.XSSEncoder).
:
HTML / XML out = XSSEncoder.encodeHTML( in ) and XSSEncoder.encodeXML( val ); JavaScript out = XSSEncoder.encodeJavaScript( val ); URL out = XSSEncoder.encodeURL( val ); CSS out = XSSEncoder.encodeCSS( val );
, . SAP Security Note 1590008.
WebDynpro Java
WebDynpro Java, XSS. .
SAP UI Development Kit for HTML5
SAP UI Development Kit HTML5, jQuery /_core/src/main/js/jquery.sap.encoder.js.
:
HTML / XML jQuery.sap.encodeHTML(sValue) and jQuery.sap.encodeXML(sValue) JavaScript jQuery.sap.encodeJS(sValue) URL jQuery.sap.encodeURL(sValue) CSS jQuery.sap.encodeCSS(sValue)
:
, :
Global_app_config/session_config/sessionTimeout = 900. - , . SystemCookiesDataProtection = true. HttpOnly , - , , . HTTPOnly, Logon tickets XSS-. ume.logon.httponlycookie= True. Logon tickets , Single Sign-On J2EE Engine. “True” , HTTP document.cookie ( XSS-) . SessionIPProtectionEnabled = True. , IP . True, HTTP- IP. IP, .
, , - XSS-, - -, .
LogCLF = TRUE http.properties logging CEF. ArchiveOldLogFiles = ON. Log Configurator . . , . , . . HttpTrace= Enable. HTTP- , ConfigTool. HTTP Provider Service, , HttpTrace.
SAP HANA XS
The last platform to consider for XSS protection is SAP HANA.
Web applications on SAP HANA are built with SAPUI5.
SAPUI5 controls are type-safe: a property declared as int accepts only an int, and sap.ui.core validates the values it renders. Output is therefore encoded automatically; the one exception is output of raw HTML, which the developer must encode explicitly.
In addition, the following parameters apply:
sessiontimeout = 900. The session timeout in seconds; 15 minutes limits the window in which a hijacked session can be used. The HttpOnly flag is set on the session cookie by default.
Logging does not stop an XSS attack, but it makes it possible to detect attack attempts, analyse them and carry out forensics afterwards.
HTTP(S) requests to SAP HANA are handled by the ICM, as on the other platforms. Logging of HTTP(S) requests is enabled with icm/http/logging_0; auditing is enabled with global_auditing_state = true in global.ini. Audit policies can then be defined for the events of interest, including XSS attempts. The audit status is shown in SAP HANA Administration Console -> Security (HDB) -> Auditing Status.
XSS is one of the most common vulnerability classes in SAP applications. As this article shows, every SAP platform provides the means to protect against it; they only have to be used. Protecting SAP applications from XSS is the developer's responsibility, and SAP supplies the encoding functions for each platform to do it.
Author: chipik.
Links:
Logging additional information
ABAP protection: SAP Encoding Functions for AS ABAP
Java protection: SAP Encoding Functions for AS Java and JavaScript; Prevention of Cross-site Scripting
SAP HANA protection
Protecting SAP® Applications Based on Java and ABAP™ Against Common Attacks
<%@page language="abap" forceEncode="html"%>
<% data: inputvalue type string.
inputvalue = request->get_form_field( 'x' ).
%>
</html>
. , ( ):
<%html=...%>: HTML <%url=...%>: URL URL <%javascript=...%>: JavaScript <%css=…%> : CSS <%raw=...%> ( , , , )
BSP
BSP HTMLB forceEncode <htmlb:content> ENABLED , ( ). ENABLED , , :<htmlb:content forceEncode="ENABLED|BACKWARDS_COMPATIBLE">
ENABLED: . , ; BACKWARDS_COMPATIBLE: . , .
, htmlb:content , . : CLASSIC, DESIGN2002, DESIGN2003, DESIGN2008, , (+). CLASSIC DESIGN2002 (, ) .
<htmlb:content forceEncode="ENABLED" design="DESIGN2003+DESIGN2008">
, design=CLASSIC. .
Mixed BSP- HTML HTMLB
forceEncode BSP page forceEncode HTMLB . , – HTMLB. , , HTML BSP,
Internet Transaction Server (ITS) HTML Business
Internet Transaction Server (ITS) HTML Business, :
xss_url_escape() xss_html_escape() xss_wml_escape() xss_css_escape() xss_js_escape()
HTML Business
, HTML-: , (`) , :
~auto_html_escaping=1: , ~new_xss_functions=1: XSS.
~html_escaping_off=1/0, .
, , SAP_BASIS:
ITS ( <= 6.40), Internet Service SE80. ITS ( >= 6.40), GUI SICF :
7.20, ~new_xss_functions, XSS- .
, , , . ~html_escaping_off=”X”, . , . SAP Security Note 1488500.
Business HTML (BHTML)
HTMLBusiness Template Library (, SAP_TemplateNonEditableField()) . , . SAP Security Note 916255.
, . , .
, XSS-:
http/security_session_timeout = 900; - , . icf/set_HTTPonly_flag_on_cookies = 0; HttpOnly , - , , . HTTPOnly, Logon tickets XSS-.
, RZ10, ( Profile) (, DEFAULT.PFL, SAP-). , , , Extended maintenance . , Copy.
, , - , - -, :
icm/HTTP/logging_0 icm/security_log ,
SAP NetWeaver J2EE
SAP NetWeaver J2EE
AS Java tc_sec_csi.jar. , HTML/XML, JavaScript, CSS URL. StringUtils (com.sap.security.core.server.csi.util.StringUtils):
. Securing SAP from XSS vulnerabilities
escapeScriptEndTag(String pStr) - , javascript ; escapeToHTML(String input) – (. 1) escapeToJS(String input) – JS declaration ( . 5) escapeToURL(String input) – , URL ( 3). , 'disableScriptSignatures'. escapeToURL(StringBuffer sb, String input, int maxLength) - , URL ( 3). , 'disableScriptSignatures'. escapeToURL(String input, int maxLength) - , URL (. 3). , 'disableScriptSignatures'. urlEncode(String s) – URLEncoder.encode
, .
1 ( )
[CASE1]
Username [CASE1]
2 ( , – URL)
Click here
3 ( - URL)
4 ( SCRIPT', – )
5 ( – declaration )
XSSEncoder.
- XSSEncoder ( : com.sap.security.core.server.csi.XSSEncoder).
:
HTML / XML out = XSSEncoder.encodeHTML( in ) and XSSEncoder.encodeXML( val ); JavaScript out = XSSEncoder.encodeJavaScript( val ); URL out = XSSEncoder.encodeURL( val ); CSS out = XSSEncoder.encodeCSS( val );
, . SAP Security Note 1590008.
WebDynpro Java
WebDynpro Java, XSS. .
SAP UI Development Kit for HTML5
SAP UI Development Kit HTML5, jQuery /_core/src/main/js/jquery.sap.encoder.js.
:
HTML / XML jQuery.sap.encodeHTML(sValue) and jQuery.sap.encodeXML(sValue) JavaScript jQuery.sap.encodeJS(sValue) URL jQuery.sap.encodeURL(sValue) CSS jQuery.sap.encodeCSS(sValue)
:
, :
Global_app_config/session_config/sessionTimeout = 900. - , . SystemCookiesDataProtection = true. HttpOnly , - , , . HTTPOnly, Logon tickets XSS-. ume.logon.httponlycookie= True. Logon tickets , Single Sign-On J2EE Engine. “True” , HTTP document.cookie ( XSS-) . SessionIPProtectionEnabled = True. , IP . True, HTTP- IP. IP, .
, , - XSS-, - -, .
LogCLF = TRUE http.properties logging CEF. ArchiveOldLogFiles = ON. Log Configurator . . , . , . . HttpTrace= Enable. HTTP- , ConfigTool. HTTP Provider Service, , HttpTrace.
SAP HANA XS
, XSS- – SAP HANA.
SAP HANA SAPUI5.
- SAPUI5 , . , int int, sap.ui.core . – , HTML:
, :
sessiontimeout = 900. - , . HttpOnly .
, , - XSS-, - -, .
HTTP (S) , SAP HANA, -. - HTTP (S) , icm/http/logging _ 0: global _ auditing _ state = true. global.ini, . , , XSS-. SAP HANA Administration Console –> Security HDB –> Auditing Status menu.
- , XSS. , , - SAP . XSS- – SAP. SAP XSS-. XSS SAP.
, ( chipik ) .
Logging additional information ABAP protection SAP Encoding Functions for AS ABAP Java protection SAP Encoding Functions for AS Java and JavaScript Prevention of Cross-site Scripting SAP HANA protection Protecting SAP® Applications Based on Java and ABAP™ Against Common Attacks
<%@page language="abap" forceEncode="html"%>
<% data: inputvalue type string.
inputvalue = request->get_form_field( 'x' ).
%>
</html>
. , ( ):
<%html=...%>: HTML <%url=...%>: URL URL <%javascript=...%>: JavaScript <%css=…%> : CSS <%raw=...%> ( , , , )
BSP
BSP HTMLB forceEncode <htmlb:content> ENABLED , ( ). ENABLED , , :<htmlb:content forceEncode="ENABLED|BACKWARDS_COMPATIBLE">
ENABLED: . , ; BACKWARDS_COMPATIBLE: . , .
, htmlb:content , . : CLASSIC, DESIGN2002, DESIGN2003, DESIGN2008, , (+). CLASSIC DESIGN2002 (, ) .
<htmlb:content forceEncode="ENABLED" design="DESIGN2003+DESIGN2008">
, design=CLASSIC. .
Mixed BSP- HTML HTMLB
forceEncode BSP page forceEncode HTMLB . , – HTMLB. , , HTML BSP,
Internet Transaction Server (ITS) HTML Business
Internet Transaction Server (ITS) HTML Business, :
xss_url_escape() xss_html_escape() xss_wml_escape() xss_css_escape() xss_js_escape()
HTML Business
, HTML-: , (`) , :
~auto_html_escaping=1: , ~new_xss_functions=1: XSS.
~html_escaping_off=1/0, .
, , SAP_BASIS:
ITS ( <= 6.40), Internet Service SE80. ITS ( >= 6.40), GUI SICF :
7.20, ~new_xss_functions, XSS- .
, , , . ~html_escaping_off=”X”, . , . SAP Security Note 1488500.
Business HTML (BHTML)
HTMLBusiness Template Library (, SAP_TemplateNonEditableField()) . , . SAP Security Note 916255.
, . , .
, XSS-:
http/security_session_timeout = 900; - , . icf/set_HTTPonly_flag_on_cookies = 0; HttpOnly , - , , . HTTPOnly, Logon tickets XSS-.
, RZ10, ( Profile) (, DEFAULT.PFL, SAP-). , , , Extended maintenance . , Copy.
, , - , - -, :
icm/HTTP/logging_0 icm/security_log ,
SAP NetWeaver J2EE
SAP NetWeaver J2EE
AS Java tc_sec_csi.jar. , HTML/XML, JavaScript, CSS URL. StringUtils (com.sap.security.core.server.csi.util.StringUtils):
. Securing SAP from XSS vulnerabilities
escapeScriptEndTag(String pStr) - , javascript ; escapeToHTML(String input) – (. 1) escapeToJS(String input) – JS declaration ( . 5) escapeToURL(String input) – , URL ( 3). , 'disableScriptSignatures'. escapeToURL(StringBuffer sb, String input, int maxLength) - , URL ( 3). , 'disableScriptSignatures'. escapeToURL(String input, int maxLength) - , URL (. 3). , 'disableScriptSignatures'. urlEncode(String s) – URLEncoder.encode
, .
1 ( )
[CASE1]
Username [CASE1]
2 ( , – URL)
Click here
3 ( - URL)
4 ( SCRIPT', – )
5 ( – declaration )
XSSEncoder.
- XSSEncoder ( : com.sap.security.core.server.csi.XSSEncoder).
:
HTML / XML out = XSSEncoder.encodeHTML( in ) and XSSEncoder.encodeXML( val ); JavaScript out = XSSEncoder.encodeJavaScript( val ); URL out = XSSEncoder.encodeURL( val ); CSS out = XSSEncoder.encodeCSS( val );
, . SAP Security Note 1590008.
WebDynpro Java
WebDynpro Java, XSS. .
SAP UI Development Kit for HTML5
SAP UI Development Kit HTML5, jQuery /_core/src/main/js/jquery.sap.encoder.js.
:
HTML / XML jQuery.sap.encodeHTML(sValue) and jQuery.sap.encodeXML(sValue) JavaScript jQuery.sap.encodeJS(sValue) URL jQuery.sap.encodeURL(sValue) CSS jQuery.sap.encodeCSS(sValue)
:
, :
Global_app_config/session_config/sessionTimeout = 900. - , . SystemCookiesDataProtection = true. HttpOnly , - , , . HTTPOnly, Logon tickets XSS-. ume.logon.httponlycookie= True. Logon tickets , Single Sign-On J2EE Engine. “True” , HTTP document.cookie ( XSS-) . SessionIPProtectionEnabled = True. , IP . True, HTTP- IP. IP, .
, , - XSS-, - -, .
LogCLF = TRUE http.properties logging CEF. ArchiveOldLogFiles = ON. Log Configurator . . , . , . . HttpTrace= Enable. HTTP- , ConfigTool. HTTP Provider Service, , HttpTrace.
SAP HANA XS
, XSS- – SAP HANA.
SAP HANA SAPUI5.
- SAPUI5 , . , int int, sap.ui.core . – , HTML:
, :
sessiontimeout = 900. - , . HttpOnly .
, , - XSS-, - -, .
HTTP (S) , SAP HANA, -. - HTTP (S) , icm/http/logging _ 0: global _ auditing _ state = true. global.ini, . , , XSS-. SAP HANA Administration Console –> Security HDB –> Auditing Status menu.
- , XSS. , , - SAP . XSS- – SAP. SAP XSS-. XSS SAP.
, ( chipik ) .
Logging additional information ABAP protection SAP Encoding Functions for AS ABAP Java protection SAP Encoding Functions for AS Java and JavaScript Prevention of Cross-site Scripting SAP HANA protection Protecting SAP® Applications Based on Java and ABAP™ Against Common Attacks
<%@page language="abap" forceEncode="html"%>
<% data: inputvalue type string.
inputvalue = request->get_form_field( 'x' ).
%>
</html>
. , ( ):
<%html=...%>: HTML <%url=...%>: URL URL <%javascript=...%>: JavaScript <%css=…%> : CSS <%raw=...%> ( , , , )
BSP
BSP HTMLB forceEncode <htmlb:content> ENABLED , ( ). ENABLED , , :<htmlb:content forceEncode="ENABLED|BACKWARDS_COMPATIBLE">
ENABLED: . , ; BACKWARDS_COMPATIBLE: . , .
, htmlb:content , . : CLASSIC, DESIGN2002, DESIGN2003, DESIGN2008, , (+). CLASSIC DESIGN2002 (, ) .
<htmlb:content forceEncode="ENABLED" design="DESIGN2003+DESIGN2008">
, design=CLASSIC. .
Mixed BSP- HTML HTMLB
forceEncode BSP page forceEncode HTMLB . , – HTMLB. , , HTML BSP,
Internet Transaction Server (ITS) HTML Business
Internet Transaction Server (ITS) HTML Business, :
xss_url_escape() xss_html_escape() xss_wml_escape() xss_css_escape() xss_js_escape()
HTML Business
, HTML-: , (`) , :
~auto_html_escaping=1: , ~new_xss_functions=1: XSS.
~html_escaping_off=1/0, .
, , SAP_BASIS:
ITS ( <= 6.40), Internet Service SE80. ITS ( >= 6.40), GUI SICF :
7.20, ~new_xss_functions, XSS- .
, , , . ~html_escaping_off=”X”, . , . SAP Security Note 1488500.
Business HTML (BHTML)
HTMLBusiness Template Library (, SAP_TemplateNonEditableField()) . , . SAP Security Note 916255.
, . , .
, XSS-:
http/security_session_timeout = 900; - , . icf/set_HTTPonly_flag_on_cookies = 0; HttpOnly , - , , . HTTPOnly, Logon tickets XSS-.
, RZ10, ( Profile) (, DEFAULT.PFL, SAP-). , , , Extended maintenance . , Copy.
, , - , - -, :
icm/HTTP/logging_0 icm/security_log ,
SAP NetWeaver J2EE
SAP NetWeaver J2EE
AS Java tc_sec_csi.jar. , HTML/XML, JavaScript, CSS URL. StringUtils (com.sap.security.core.server.csi.util.StringUtils):
. Securing SAP from XSS vulnerabilities
escapeScriptEndTag(String pStr) - , javascript ; escapeToHTML(String input) – (. 1) escapeToJS(String input) – JS declaration ( . 5) escapeToURL(String input) – , URL ( 3). , 'disableScriptSignatures'. escapeToURL(StringBuffer sb, String input, int maxLength) - , URL ( 3). , 'disableScriptSignatures'. escapeToURL(String input, int maxLength) - , URL (. 3). , 'disableScriptSignatures'. urlEncode(String s) – URLEncoder.encode
, .
1 ( )
[CASE1]
Username [CASE1]
2 ( , – URL)
Click here
3 ( - URL)
4 ( SCRIPT', – )
5 ( – declaration )
XSSEncoder.
- XSSEncoder ( : com.sap.security.core.server.csi.XSSEncoder).
:
HTML / XML out = XSSEncoder.encodeHTML( in ) and XSSEncoder.encodeXML( val ); JavaScript out = XSSEncoder.encodeJavaScript( val ); URL out = XSSEncoder.encodeURL( val ); CSS out = XSSEncoder.encodeCSS( val );
, . SAP Security Note 1590008.
WebDynpro Java
WebDynpro Java, XSS. .
SAP UI Development Kit for HTML5
SAP UI Development Kit HTML5, jQuery /_core/src/main/js/jquery.sap.encoder.js.
:
HTML / XML jQuery.sap.encodeHTML(sValue) and jQuery.sap.encodeXML(sValue) JavaScript jQuery.sap.encodeJS(sValue) URL jQuery.sap.encodeURL(sValue) CSS jQuery.sap.encodeCSS(sValue)
:
, :
Global_app_config/session_config/sessionTimeout = 900. - , . SystemCookiesDataProtection = true. HttpOnly , - , , . HTTPOnly, Logon tickets XSS-. ume.logon.httponlycookie= True. Logon tickets , Single Sign-On J2EE Engine. “True” , HTTP document.cookie ( XSS-) . SessionIPProtectionEnabled = True. , IP . True, HTTP- IP. IP, .
, , - XSS-, - -, .
LogCLF = TRUE http.properties logging CEF. ArchiveOldLogFiles = ON. Log Configurator . . , . , . . HttpTrace= Enable. HTTP- , ConfigTool. HTTP Provider Service, , HttpTrace.
SAP HANA XS
, XSS- – SAP HANA.
SAP HANA SAPUI5.
- SAPUI5 , . , int int, sap.ui.core . – , HTML:
, :
sessiontimeout = 900. - , . HttpOnly .
, , - XSS-, - -, .
HTTP (S) , SAP HANA, -. - HTTP (S) , icm/http/logging _ 0: global _ auditing _ state = true. global.ini, . , , XSS-. SAP HANA Administration Console –> Security HDB –> Auditing Status menu.
- , XSS. , , - SAP . XSS- – SAP. SAP XSS-. XSS SAP.
, ( chipik ) .
Logging additional information ABAP protection SAP Encoding Functions for AS ABAP Java protection SAP Encoding Functions for AS Java and JavaScript Prevention of Cross-site Scripting SAP HANA protection Protecting SAP® Applications Based on Java and ABAP™ Against Common Attacks
<%@page language="abap" forceEncode="html"%>
<% data: inputvalue type string.
inputvalue = request->get_form_field( 'x' ).
%>
</html>
. , ( ):
<%html=...%>: HTML <%url=...%>: URL URL <%javascript=...%>: JavaScript <%css=…%> : CSS <%raw=...%> ( , , , )
BSP
BSP HTMLB forceEncode <htmlb:content> ENABLED , ( ). ENABLED , , :<htmlb:content forceEncode="ENABLED|BACKWARDS_COMPATIBLE">
ENABLED: . , ; BACKWARDS_COMPATIBLE: . , .
, htmlb:content , . : CLASSIC, DESIGN2002, DESIGN2003, DESIGN2008, , (+). CLASSIC DESIGN2002 (, ) .
<htmlb:content forceEncode="ENABLED" design="DESIGN2003+DESIGN2008">
, design=CLASSIC. .
Mixed BSP- HTML HTMLB
forceEncode BSP page forceEncode HTMLB . , – HTMLB. , , HTML BSP,
Internet Transaction Server (ITS) HTML Business
Internet Transaction Server (ITS) HTML Business, :
xss_url_escape() xss_html_escape() xss_wml_escape() xss_css_escape() xss_js_escape()
HTML Business
, HTML-: , (`) , :
~auto_html_escaping=1: , ~new_xss_functions=1: XSS.
~html_escaping_off=1/0, .
, , SAP_BASIS:
ITS ( <= 6.40), Internet Service SE80. ITS ( >= 6.40), GUI SICF :
7.20, ~new_xss_functions, XSS- .
, , , . ~html_escaping_off=”X”, . , . SAP Security Note 1488500.
Business HTML (BHTML)
HTMLBusiness Template Library (, SAP_TemplateNonEditableField()) . , . SAP Security Note 916255.
, . , .
, XSS-:
http/security_session_timeout = 900; - , . icf/set_HTTPonly_flag_on_cookies = 0; HttpOnly , - , , . HTTPOnly, Logon tickets XSS-.
, RZ10, ( Profile) (, DEFAULT.PFL, SAP-). , , , Extended maintenance . , Copy.
, , - , - -, :
icm/HTTP/logging_0 icm/security_log ,
SAP NetWeaver J2EE
SAP NetWeaver J2EE
AS Java tc_sec_csi.jar. , HTML/XML, JavaScript, CSS URL. StringUtils (com.sap.security.core.server.csi.util.StringUtils):
. Securing SAP from XSS vulnerabilities
escapeScriptEndTag(String pStr) - , javascript ; escapeToHTML(String input) – (. 1) escapeToJS(String input) – JS declaration ( . 5) escapeToURL(String input) – , URL ( 3). , 'disableScriptSignatures'. escapeToURL(StringBuffer sb, String input, int maxLength) - , URL ( 3). , 'disableScriptSignatures'. escapeToURL(String input, int maxLength) - , URL (. 3). , 'disableScriptSignatures'. urlEncode(String s) – URLEncoder.encode
, .
1 ( )
[CASE1]
Username [CASE1]
2 ( , – URL)
Click here
3 ( - URL)
4 ( SCRIPT', – )
5 ( – declaration )
XSSEncoder.
- XSSEncoder ( : com.sap.security.core.server.csi.XSSEncoder).
:
HTML / XML out = XSSEncoder.encodeHTML( in ) and XSSEncoder.encodeXML( val ); JavaScript out = XSSEncoder.encodeJavaScript( val ); URL out = XSSEncoder.encodeURL( val ); CSS out = XSSEncoder.encodeCSS( val );
, . SAP Security Note 1590008.
WebDynpro Java
WebDynpro Java, XSS. .
SAP UI Development Kit for HTML5
SAP UI Development Kit HTML5, jQuery /_core/src/main/js/jquery.sap.encoder.js.
:
HTML / XML jQuery.sap.encodeHTML(sValue) and jQuery.sap.encodeXML(sValue) JavaScript jQuery.sap.encodeJS(sValue) URL jQuery.sap.encodeURL(sValue) CSS jQuery.sap.encodeCSS(sValue)
:
, :
Global_app_config/session_config/sessionTimeout = 900. - , . SystemCookiesDataProtection = true. HttpOnly , - , , . HTTPOnly, Logon tickets XSS-. ume.logon.httponlycookie= True. Logon tickets , Single Sign-On J2EE Engine. “True” , HTTP document.cookie ( XSS-) . SessionIPProtectionEnabled = True. , IP . True, HTTP- IP. IP, .
, , - XSS-, - -, .
LogCLF = TRUE http.properties logging CEF. ArchiveOldLogFiles = ON. Log Configurator . . , . , . . HttpTrace= Enable. HTTP- , ConfigTool. HTTP Provider Service, , HttpTrace.
SAP HANA XS
, XSS- – SAP HANA.
SAP HANA SAPUI5.
- SAPUI5 , . , int int, sap.ui.core . – , HTML:
, :
sessiontimeout = 900. - , . HttpOnly .
, , - XSS-, - -, .
HTTP (S) , SAP HANA, -. - HTTP (S) , icm/http/logging _ 0: global _ auditing _ state = true. global.ini, . , , XSS-. SAP HANA Administration Console –> Security HDB –> Auditing Status menu.
- , XSS. , , - SAP . XSS- – SAP. SAP XSS-. XSS SAP.
, ( chipik ) .
Logging additional information ABAP protection SAP Encoding Functions for AS ABAP Java protection SAP Encoding Functions for AS Java and JavaScript Prevention of Cross-site Scripting SAP HANA protection Protecting SAP® Applications Based on Java and ABAP™ Against Common Attacks
<%@page language="abap" forceEncode="html"%>
<% data: inputvalue type string.
inputvalue = request->get_form_field( 'x' ).
%>
</html>
. , ( ):
<%html=...%>: HTML <%url=...%>: URL URL <%javascript=...%>: JavaScript <%css=…%> : CSS <%raw=...%> ( , , , )
BSP
BSP HTMLB forceEncode <htmlb:content> ENABLED , ( ). ENABLED , , :<htmlb:content forceEncode="ENABLED|BACKWARDS_COMPATIBLE">
ENABLED: . , ; BACKWARDS_COMPATIBLE: . , .
, htmlb:content , . : CLASSIC, DESIGN2002, DESIGN2003, DESIGN2008, , (+). CLASSIC DESIGN2002 (, ) .
<htmlb:content forceEncode="ENABLED" design="DESIGN2003+DESIGN2008">
, design=CLASSIC. .
Mixed BSP- HTML HTMLB
forceEncode BSP page forceEncode HTMLB . , – HTMLB. , , HTML BSP,
Internet Transaction Server (ITS) HTML Business
Internet Transaction Server (ITS) HTML Business, :
xss_url_escape() xss_html_escape() xss_wml_escape() xss_css_escape() xss_js_escape()
HTML Business
, HTML-: , (`) , :
~auto_html_escaping=1: , ~new_xss_functions=1: XSS.
~html_escaping_off=1/0, .
, , SAP_BASIS:
ITS ( <= 6.40), Internet Service SE80. ITS ( >= 6.40), GUI SICF :
7.20, ~new_xss_functions, XSS- .
, , , . ~html_escaping_off=”X”, . , . SAP Security Note 1488500.
Business HTML (BHTML)
HTMLBusiness Template Library (, SAP_TemplateNonEditableField()) . , . SAP Security Note 916255.
, . , .
, XSS-:
http/security_session_timeout = 900; - , . icf/set_HTTPonly_flag_on_cookies = 0; HttpOnly , - , , . HTTPOnly, Logon tickets XSS-.
, RZ10, ( Profile) (, DEFAULT.PFL, SAP-). , , , Extended maintenance . , Copy.
, , - , - -, :
icm/HTTP/logging_0 icm/security_log ,
SAP NetWeaver J2EE
SAP NetWeaver J2EE
AS Java tc_sec_csi.jar. , HTML/XML, JavaScript, CSS URL. StringUtils (com.sap.security.core.server.csi.util.StringUtils):
. Securing SAP from XSS vulnerabilities
escapeScriptEndTag(String pStr) - , javascript ; escapeToHTML(String input) – (. 1) escapeToJS(String input) – JS declaration ( . 5) escapeToURL(String input) – , URL ( 3). , 'disableScriptSignatures'. escapeToURL(StringBuffer sb, String input, int maxLength) - , URL ( 3). , 'disableScriptSignatures'. escapeToURL(String input, int maxLength) - , URL (. 3). , 'disableScriptSignatures'. urlEncode(String s) – URLEncoder.encode
, .
1 ( )
[CASE1]
Username [CASE1]
2 ( , – URL)
Click here
3 ( - URL)
4 ( SCRIPT', – )
5 ( – declaration )
XSSEncoder.
- XSSEncoder ( : com.sap.security.core.server.csi.XSSEncoder).
:
HTML / XML out = XSSEncoder.encodeHTML( in ) and XSSEncoder.encodeXML( val ); JavaScript out = XSSEncoder.encodeJavaScript( val ); URL out = XSSEncoder.encodeURL( val ); CSS out = XSSEncoder.encodeCSS( val );
, . SAP Security Note 1590008.
WebDynpro Java
WebDynpro Java, XSS. .
SAP UI Development Kit for HTML5
SAP UI Development Kit HTML5, jQuery /_core/src/main/js/jquery.sap.encoder.js.
:
HTML / XML jQuery.sap.encodeHTML(sValue) and jQuery.sap.encodeXML(sValue) JavaScript jQuery.sap.encodeJS(sValue) URL jQuery.sap.encodeURL(sValue) CSS jQuery.sap.encodeCSS(sValue)
:
, :
Global_app_config/session_config/sessionTimeout = 900. - , . SystemCookiesDataProtection = true. HttpOnly , - , , . HTTPOnly, Logon tickets XSS-. ume.logon.httponlycookie= True. Logon tickets , Single Sign-On J2EE Engine. “True” , HTTP document.cookie ( XSS-) . SessionIPProtectionEnabled = True. , IP . True, HTTP- IP. IP, .
, , - XSS-, - -, .
LogCLF = TRUE http.properties logging CEF. ArchiveOldLogFiles = ON. Log Configurator . . , . , . . HttpTrace= Enable. HTTP- , ConfigTool. HTTP Provider Service, , HttpTrace.
SAP HANA XS
, XSS- – SAP HANA.
SAP HANA SAPUI5.
- SAPUI5 , . , int int, sap.ui.core . – , HTML:
, :
sessiontimeout = 900. - , . HttpOnly .
, , - XSS-, - -, .
HTTP (S) , SAP HANA, -. - HTTP (S) , icm/http/logging _ 0: global _ auditing _ state = true. global.ini, . , , XSS-. SAP HANA Administration Console –> Security HDB –> Auditing Status menu.
- , XSS. , , - SAP . XSS- – SAP. SAP XSS-. XSS SAP.
, ( chipik ) .
Logging additional information ABAP protection SAP Encoding Functions for AS ABAP Java protection SAP Encoding Functions for AS Java and JavaScript Prevention of Cross-site Scripting SAP HANA protection Protecting SAP® Applications Based on Java and ABAP™ Against Common Attacks
<%@page language="abap" forceEncode="html"%>
<% data: inputvalue type string.
inputvalue = request->get_form_field( 'x' ).
%>
</html>
. , ( ):
<%html=...%>: HTML <%url=...%>: URL URL <%javascript=...%>: JavaScript <%css=…%> : CSS <%raw=...%> ( , , , )
BSP
BSP HTMLB forceEncode <htmlb:content> ENABLED , ( ). ENABLED , , :<htmlb:content forceEncode="ENABLED|BACKWARDS_COMPATIBLE">
ENABLED: . , ; BACKWARDS_COMPATIBLE: . , .
, htmlb:content , . : CLASSIC, DESIGN2002, DESIGN2003, DESIGN2008, , (+). CLASSIC DESIGN2002 (, ) .
<htmlb:content forceEncode="ENABLED" design="DESIGN2003+DESIGN2008">
, design=CLASSIC. .
Mixed BSP- HTML HTMLB
forceEncode BSP page forceEncode HTMLB . , – HTMLB. , , HTML BSP,
Internet Transaction Server (ITS) HTML Business
Internet Transaction Server (ITS) HTML Business, :
xss_url_escape() xss_html_escape() xss_wml_escape() xss_css_escape() xss_js_escape()
HTML Business
, HTML-: , (`) , :
~auto_html_escaping=1: , ~new_xss_functions=1: XSS.
~html_escaping_off=1/0, .
, , SAP_BASIS:
ITS ( <= 6.40), Internet Service SE80. ITS ( >= 6.40), GUI SICF :
7.20, ~new_xss_functions, XSS- .
, , , . ~html_escaping_off=”X”, . , . SAP Security Note 1488500.
Business HTML (BHTML)
HTMLBusiness Template Library (, SAP_TemplateNonEditableField()) . , . SAP Security Note 916255.
, . , .
, XSS-:
http/security_session_timeout = 900; - , . icf/set_HTTPonly_flag_on_cookies = 0; HttpOnly , - , , . HTTPOnly, Logon tickets XSS-.
, RZ10, ( Profile) (, DEFAULT.PFL, SAP-). , , , Extended maintenance . , Copy.
, , - , - -, :
icm/HTTP/logging_0 icm/security_log ,
SAP NetWeaver J2EE
SAP NetWeaver J2EE
AS Java tc_sec_csi.jar. , HTML/XML, JavaScript, CSS URL. StringUtils (com.sap.security.core.server.csi.util.StringUtils):
. Securing SAP from XSS vulnerabilities
escapeScriptEndTag(String pStr) - , javascript ; escapeToHTML(String input) – (. 1) escapeToJS(String input) – JS declaration ( . 5) escapeToURL(String input) – , URL ( 3). , 'disableScriptSignatures'. escapeToURL(StringBuffer sb, String input, int maxLength) - , URL ( 3). , 'disableScriptSignatures'. escapeToURL(String input, int maxLength) - , URL (. 3). , 'disableScriptSignatures'. urlEncode(String s) – URLEncoder.encode
, .
1 ( )
[CASE1]
Username [CASE1]
2 ( , – URL)
Click here
3 ( - URL)
4 ( SCRIPT', – )
5 ( – declaration )
XSSEncoder.
- XSSEncoder ( : com.sap.security.core.server.csi.XSSEncoder).
:
HTML / XML out = XSSEncoder.encodeHTML( in ) and XSSEncoder.encodeXML( val ); JavaScript out = XSSEncoder.encodeJavaScript( val ); URL out = XSSEncoder.encodeURL( val ); CSS out = XSSEncoder.encodeCSS( val );
, . SAP Security Note 1590008.
WebDynpro Java
WebDynpro Java, XSS. .
SAP UI Development Kit for HTML5
SAP UI Development Kit HTML5, jQuery /_core/src/main/js/jquery.sap.encoder.js.
:
HTML / XML jQuery.sap.encodeHTML(sValue) and jQuery.sap.encodeXML(sValue) JavaScript jQuery.sap.encodeJS(sValue) URL jQuery.sap.encodeURL(sValue) CSS jQuery.sap.encodeCSS(sValue)
:
, :
Global_app_config/session_config/sessionTimeout = 900. - , . SystemCookiesDataProtection = true. HttpOnly , - , , . HTTPOnly, Logon tickets XSS-. ume.logon.httponlycookie= True. Logon tickets , Single Sign-On J2EE Engine. “True” , HTTP document.cookie ( XSS-) . SessionIPProtectionEnabled = True. , IP . True, HTTP- IP. IP, .
, , - XSS-, - -, .
LogCLF = TRUE http.properties logging CEF. ArchiveOldLogFiles = ON. Log Configurator . . , . , . . HttpTrace= Enable. HTTP- , ConfigTool. HTTP Provider Service, , HttpTrace.
SAP HANA XS
, XSS- – SAP HANA.
SAP HANA SAPUI5.
- SAPUI5 , . , int int, sap.ui.core . – , HTML:
, :
sessiontimeout = 900. - , . HttpOnly .
, , - XSS-, - -, .
HTTP (S) , SAP HANA, -. - HTTP (S) , icm/http/logging _ 0: global _ auditing _ state = true. global.ini, . , , XSS-. SAP HANA Administration Console –> Security HDB –> Auditing Status menu.
- , XSS. , , - SAP . XSS- – SAP. SAP XSS-. XSS SAP.
, ( chipik ) .
Logging additional information ABAP protection SAP Encoding Functions for AS ABAP Java protection SAP Encoding Functions for AS Java and JavaScript Prevention of Cross-site Scripting SAP HANA protection Protecting SAP® Applications Based on Java and ABAP™ Against Common Attacks
<%@page language="abap" forceEncode="html"%>
<% data: inputvalue type string.
inputvalue = request->get_form_field( 'x' ).
%>
</html>
. , ( ):
<%html=...%>: HTML <%url=...%>: URL URL <%javascript=...%>: JavaScript <%css=…%> : CSS <%raw=...%> ( , , , )
BSP
BSP HTMLB forceEncode <htmlb:content> ENABLED , ( ). ENABLED , , :<htmlb:content forceEncode="ENABLED|BACKWARDS_COMPATIBLE">
ENABLED: . , ; BACKWARDS_COMPATIBLE: . , .
, htmlb:content , . : CLASSIC, DESIGN2002, DESIGN2003, DESIGN2008, , (+). CLASSIC DESIGN2002 (, ) .
<htmlb:content forceEncode="ENABLED" design="DESIGN2003+DESIGN2008">
, design=CLASSIC. .
Mixed BSP- HTML HTMLB
forceEncode BSP page forceEncode HTMLB . , – HTMLB. , , HTML BSP,
Internet Transaction Server (ITS) HTML Business
Internet Transaction Server (ITS) HTML Business, :
xss_url_escape() xss_html_escape() xss_wml_escape() xss_css_escape() xss_js_escape()
HTML Business
, HTML-: , (`) , :
~auto_html_escaping=1: , ~new_xss_functions=1: XSS.
~html_escaping_off=1/0, .
, , SAP_BASIS:
ITS ( <= 6.40), Internet Service SE80. ITS ( >= 6.40), GUI SICF :
7.20, ~new_xss_functions, XSS- .
, , , . ~html_escaping_off=”X”, . , . SAP Security Note 1488500.
Business HTML (BHTML)
HTMLBusiness Template Library (, SAP_TemplateNonEditableField()) . , . SAP Security Note 916255.
, . , .
, XSS-:
http/security_session_timeout = 900; - , . icf/set_HTTPonly_flag_on_cookies = 0; HttpOnly , - , , . HTTPOnly, Logon tickets XSS-.
, RZ10, ( Profile) (, DEFAULT.PFL, SAP-). , , , Extended maintenance . , Copy.
, , - , - -, :
icm/HTTP/logging_0 icm/security_log ,
SAP NetWeaver J2EE
SAP NetWeaver J2EE
AS Java tc_sec_csi.jar. , HTML/XML, JavaScript, CSS URL. StringUtils (com.sap.security.core.server.csi.util.StringUtils):
. Securing SAP from XSS vulnerabilities
escapeScriptEndTag(String pStr) - , javascript ; escapeToHTML(String input) – (. 1) escapeToJS(String input) – JS declaration ( . 5) escapeToURL(String input) – , URL ( 3). , 'disableScriptSignatures'. escapeToURL(StringBuffer sb, String input, int maxLength) - , URL ( 3). , 'disableScriptSignatures'. escapeToURL(String input, int maxLength) - , URL (. 3). , 'disableScriptSignatures'. urlEncode(String s) – URLEncoder.encode
, .
1 ( )
[CASE1]
Username [CASE1]
2 ( , – URL)
Click here
3 ( - URL)
4 ( SCRIPT', – )
5 ( – declaration )
XSSEncoder.
- XSSEncoder ( : com.sap.security.core.server.csi.XSSEncoder).
:
HTML / XML out = XSSEncoder.encodeHTML( in ) and XSSEncoder.encodeXML( val ); JavaScript out = XSSEncoder.encodeJavaScript( val ); URL out = XSSEncoder.encodeURL( val ); CSS out = XSSEncoder.encodeCSS( val );
, . SAP Security Note 1590008.
WebDynpro Java
WebDynpro Java, XSS. .
SAP UI Development Kit for HTML5
SAP UI Development Kit HTML5, jQuery /_core/src/main/js/jquery.sap.encoder.js.
:
HTML / XML jQuery.sap.encodeHTML(sValue) and jQuery.sap.encodeXML(sValue) JavaScript jQuery.sap.encodeJS(sValue) URL jQuery.sap.encodeURL(sValue) CSS jQuery.sap.encodeCSS(sValue)
:
, :
Global_app_config/session_config/sessionTimeout = 900. - , . SystemCookiesDataProtection = true. HttpOnly , - , , . HTTPOnly, Logon tickets XSS-. ume.logon.httponlycookie= True. Logon tickets , Single Sign-On J2EE Engine. “True” , HTTP document.cookie ( XSS-) . SessionIPProtectionEnabled = True. , IP . True, HTTP- IP. IP, .
, , - XSS-, - -, .
LogCLF = TRUE http.properties logging CEF. ArchiveOldLogFiles = ON. Log Configurator . . , . , . . HttpTrace= Enable. HTTP- , ConfigTool. HTTP Provider Service, , HttpTrace.
SAP HANA XS
, XSS- – SAP HANA.
SAP HANA SAPUI5.
- SAPUI5 , . , int int, sap.ui.core . – , HTML:
, :
sessiontimeout = 900. - , . HttpOnly .
, , - XSS-, - -, .
HTTP (S) , SAP HANA, -. - HTTP (S) , icm/http/logging _ 0: global _ auditing _ state = true. global.ini, . , , XSS-. SAP HANA Administration Console –> Security HDB –> Auditing Status menu.
- , XSS. , , - SAP . XSS- – SAP. SAP XSS-. XSS SAP.
, ( chipik ) .
Logging additional information ABAP protection SAP Encoding Functions for AS ABAP Java protection SAP Encoding Functions for AS Java and JavaScript Prevention of Cross-site Scripting SAP HANA protection Protecting SAP® Applications Based on Java and ABAP™ Against Common Attacks
<%@page language="abap" forceEncode="html"%>
<% data: inputvalue type string.
inputvalue = request->get_form_field( 'x' ).
%>
</html>
. , ( ):
<%html=...%>: HTML <%url=...%>: URL URL <%javascript=...%>: JavaScript <%css=…%> : CSS <%raw=...%> ( , , , )
BSP
BSP HTMLB forceEncode <htmlb:content> ENABLED , ( ). ENABLED , , :<htmlb:content forceEncode="ENABLED|BACKWARDS_COMPATIBLE">
ENABLED: . , ; BACKWARDS_COMPATIBLE: . , .
, htmlb:content , . : CLASSIC, DESIGN2002, DESIGN2003, DESIGN2008, , (+). CLASSIC DESIGN2002 (, ) .
<htmlb:content forceEncode="ENABLED" design="DESIGN2003+DESIGN2008">
, design=CLASSIC. .
Mixed BSP- HTML HTMLB
forceEncode BSP page forceEncode HTMLB . , – HTMLB. , , HTML BSP,
Internet Transaction Server (ITS) HTML Business
Internet Transaction Server (ITS) HTML Business, :
xss_url_escape() xss_html_escape() xss_wml_escape() xss_css_escape() xss_js_escape()
HTML Business
, HTML-: , (`) , :
~auto_html_escaping=1: , ~new_xss_functions=1: XSS.
~html_escaping_off=1/0, .
, , SAP_BASIS:
ITS ( <= 6.40), Internet Service SE80. ITS ( >= 6.40), GUI SICF :
7.20, ~new_xss_functions, XSS- .
, , , . ~html_escaping_off=”X”, . , . SAP Security Note 1488500.
Business HTML (BHTML)
HTMLBusiness Template Library (, SAP_TemplateNonEditableField()) . , . SAP Security Note 916255.
, . , .
, XSS-:
http/security_session_timeout = 900; - , . icf/set_HTTPonly_flag_on_cookies = 0; HttpOnly , - , , . HTTPOnly, Logon tickets XSS-.
, RZ10, ( Profile) (, DEFAULT.PFL, SAP-). , , , Extended maintenance . , Copy.
, , - , - -, :
icm/HTTP/logging_0 icm/security_log ,
SAP NetWeaver J2EE
SAP NetWeaver J2EE
AS Java tc_sec_csi.jar. , HTML/XML, JavaScript, CSS URL. StringUtils (com.sap.security.core.server.csi.util.StringUtils):
. Securing SAP from XSS vulnerabilities
escapeScriptEndTag(String pStr) - , javascript ; escapeToHTML(String input) – (. 1) escapeToJS(String input) – JS declaration ( . 5) escapeToURL(String input) – , URL ( 3). , 'disableScriptSignatures'. escapeToURL(StringBuffer sb, String input, int maxLength) - , URL ( 3). , 'disableScriptSignatures'. escapeToURL(String input, int maxLength) - , URL (. 3). , 'disableScriptSignatures'. urlEncode(String s) – URLEncoder.encode
, .
1 ( )
[CASE1]
Username [CASE1]
2 ( , – URL)
Click here
3 ( - URL)
4 ( SCRIPT', – )
5 ( – declaration )
XSSEncoder.
- XSSEncoder ( : com.sap.security.core.server.csi.XSSEncoder).
:
HTML / XML out = XSSEncoder.encodeHTML( in ) and XSSEncoder.encodeXML( val ); JavaScript out = XSSEncoder.encodeJavaScript( val ); URL out = XSSEncoder.encodeURL( val ); CSS out = XSSEncoder.encodeCSS( val );
, . SAP Security Note 1590008.
WebDynpro Java
WebDynpro Java, XSS. .
SAP UI Development Kit for HTML5
SAP UI Development Kit HTML5, jQuery /_core/src/main/js/jquery.sap.encoder.js.
:
Context | Method |
HTML / XML | jQuery.sap.encodeHTML(sValue) and jQuery.sap.encodeXML(sValue) |
JavaScript | jQuery.sap.encodeJS(sValue) |
URL | jQuery.sap.encodeURL(sValue) |
CSS | jQuery.sap.encodeCSS(sValue) |
:
, :
Global_app_config/session_config/sessionTimeout = 900. - , .
SystemCookiesDataProtection = true. HttpOnly , - , , . HTTPOnly, Logon tickets XSS-.
ume.logon.httponlycookie = True. Logon tickets , Single Sign-On J2EE Engine. "True" , HTTP document.cookie ( XSS-) .
SessionIPProtectionEnabled = True. , IP . True, HTTP- IP. IP, .
, , - XSS-, - -, .
LogCLF = TRUE http.properties logging CEF.
ArchiveOldLogFiles = ON. Log Configurator . . , . , . .
HttpTrace = Enable. HTTP- , ConfigTool. HTTP Provider Service, , HttpTrace.
SAP HANA XS
, XSS- – SAP HANA.
SAP HANA SAPUI5.
- SAPUI5 , . , int int, sap.ui.core . – , HTML:
, :
sessiontimeout = 900. - , . HttpOnly .
, , - XSS-, - -, .
HTTP(S) , SAP HANA, -. - HTTP(S) , icm/http/logging_0: global_auditing_state = true. global.ini, . , , XSS-. SAP HANA Administration Console -> Security HDB -> Auditing Status menu.
- , XSS. , , - SAP . XSS- – SAP. SAP XSS-. XSS SAP.
, ( chipik ) .
Logging additional information
ABAP protection: SAP Encoding Functions for AS ABAP
Java protection: SAP Encoding Functions for AS Java and JavaScript
Prevention of Cross-site Scripting
SAP HANA protection
Protecting SAP® Applications Based on Java and ABAP™ Against Common Attacks
<%@page language="abap" forceEncode="html"%>
<% data: inputvalue type string.
inputvalue = request->get_form_field( 'x' ).
%>
</html>
. , ( ):
<%html=...%>: HTML <%url=...%>: URL URL <%javascript=...%>: JavaScript <%css=…%> : CSS <%raw=...%> ( , , , )
BSP
BSP HTMLB forceEncode <htmlb:content> ENABLED , ( ). ENABLED , , :<htmlb:content forceEncode="ENABLED|BACKWARDS_COMPATIBLE">
ENABLED: . , ; BACKWARDS_COMPATIBLE: . , .
, htmlb:content , . : CLASSIC, DESIGN2002, DESIGN2003, DESIGN2008, , (+). CLASSIC DESIGN2002 (, ) .
<htmlb:content forceEncode="ENABLED" design="DESIGN2003+DESIGN2008">
, design=CLASSIC. .
Mixed BSP- HTML HTMLB
forceEncode BSP page forceEncode HTMLB . , – HTMLB. , , HTML BSP,
Internet Transaction Server (ITS) HTML Business
Internet Transaction Server (ITS) HTML Business, :
xss_url_escape() xss_html_escape() xss_wml_escape() xss_css_escape() xss_js_escape()
HTML Business
, HTML-: , (`) , :
~auto_html_escaping=1: , ~new_xss_functions=1: XSS.
~html_escaping_off=1/0, .
, , SAP_BASIS:
ITS ( <= 6.40), Internet Service SE80. ITS ( >= 6.40), GUI SICF :
7.20, ~new_xss_functions, XSS- .
, , , . ~html_escaping_off=”X”, . , . SAP Security Note 1488500.
Business HTML (BHTML)
HTMLBusiness Template Library (, SAP_TemplateNonEditableField()) . , . SAP Security Note 916255.
, . , .
, XSS-:
http/security_session_timeout = 900; - , . icf/set_HTTPonly_flag_on_cookies = 0; HttpOnly , - , , . HTTPOnly, Logon tickets XSS-.
, RZ10, ( Profile) (, DEFAULT.PFL, SAP-). , , , Extended maintenance . , Copy.
, , - , - -, :
icm/HTTP/logging_0 icm/security_log ,
SAP NetWeaver J2EE
SAP NetWeaver J2EE
AS Java tc_sec_csi.jar. , HTML/XML, JavaScript, CSS URL. StringUtils (com.sap.security.core.server.csi.util.StringUtils):
. Securing SAP from XSS vulnerabilities
escapeScriptEndTag(String pStr) - , javascript ; escapeToHTML(String input) – (. 1) escapeToJS(String input) – JS declaration ( . 5) escapeToURL(String input) – , URL ( 3). , 'disableScriptSignatures'. escapeToURL(StringBuffer sb, String input, int maxLength) - , URL ( 3). , 'disableScriptSignatures'. escapeToURL(String input, int maxLength) - , URL (. 3). , 'disableScriptSignatures'. urlEncode(String s) – URLEncoder.encode
, .
1 ( )
[CASE1]
Username [CASE1]
2 ( , – URL)
Click here
3 ( - URL)
4 ( SCRIPT', – )
5 ( – declaration )
XSSEncoder.
- XSSEncoder ( : com.sap.security.core.server.csi.XSSEncoder).
:
HTML / XML out = XSSEncoder.encodeHTML( in ) and XSSEncoder.encodeXML( val ); JavaScript out = XSSEncoder.encodeJavaScript( val ); URL out = XSSEncoder.encodeURL( val ); CSS out = XSSEncoder.encodeCSS( val );
, . SAP Security Note 1590008.
WebDynpro Java
WebDynpro Java, XSS. .
SAP UI Development Kit for HTML5
SAP UI Development Kit HTML5, jQuery /_core/src/main/js/jquery.sap.encoder.js.
:
HTML / XML jQuery.sap.encodeHTML(sValue) and jQuery.sap.encodeXML(sValue) JavaScript jQuery.sap.encodeJS(sValue) URL jQuery.sap.encodeURL(sValue) CSS jQuery.sap.encodeCSS(sValue)
:
, :
Global_app_config/session_config/sessionTimeout = 900. - , . SystemCookiesDataProtection = true. HttpOnly , - , , . HTTPOnly, Logon tickets XSS-. ume.logon.httponlycookie= True. Logon tickets , Single Sign-On J2EE Engine. “True” , HTTP document.cookie ( XSS-) . SessionIPProtectionEnabled = True. , IP . True, HTTP- IP. IP, .
, , - XSS-, - -, .
LogCLF = TRUE http.properties logging CEF. ArchiveOldLogFiles = ON. Log Configurator . . , . , . . HttpTrace= Enable. HTTP- , ConfigTool. HTTP Provider Service, , HttpTrace.
SAP HANA XS
, XSS- – SAP HANA.
SAP HANA SAPUI5.
- SAPUI5 , . , int int, sap.ui.core . – , HTML:
, :
sessiontimeout = 900. - , . HttpOnly .
, , - XSS-, - -, .
HTTP (S) , SAP HANA, -. - HTTP (S) , icm/http/logging _ 0: global _ auditing _ state = true. global.ini, . , , XSS-. SAP HANA Administration Console –> Security HDB –> Auditing Status menu.
- , XSS. , , - SAP . XSS- – SAP. SAP XSS-. XSS SAP.
, ( chipik ) .
Logging additional information ABAP protection SAP Encoding Functions for AS ABAP Java protection SAP Encoding Functions for AS Java and JavaScript Prevention of Cross-site Scripting SAP HANA protection Protecting SAP® Applications Based on Java and ABAP™ Against Common Attacks
<%@page language="abap" forceEncode="html"%>
<% data: inputvalue type string.
inputvalue = request->get_form_field( 'x' ).
%>
</html>
. , ( ):
<%html=...%>: HTML <%url=...%>: URL URL <%javascript=...%>: JavaScript <%css=…%> : CSS <%raw=...%> ( , , , )
BSP
BSP HTMLB forceEncode <htmlb:content> ENABLED , ( ). ENABLED , , :<htmlb:content forceEncode="ENABLED|BACKWARDS_COMPATIBLE">
ENABLED: . , ; BACKWARDS_COMPATIBLE: . , .
, htmlb:content , . : CLASSIC, DESIGN2002, DESIGN2003, DESIGN2008, , (+). CLASSIC DESIGN2002 (, ) .
<htmlb:content forceEncode="ENABLED" design="DESIGN2003+DESIGN2008">
, design=CLASSIC. .
Mixed BSP- HTML HTMLB
forceEncode BSP page forceEncode HTMLB . , – HTMLB. , , HTML BSP,
Internet Transaction Server (ITS) HTML Business
Internet Transaction Server (ITS) HTML Business, :
xss_url_escape() xss_html_escape() xss_wml_escape() xss_css_escape() xss_js_escape()
HTML Business
, HTML-: , (`) , :
~auto_html_escaping=1: , ~new_xss_functions=1: XSS.
~html_escaping_off=1/0, .
, , SAP_BASIS:
ITS ( <= 6.40), Internet Service SE80. ITS ( >= 6.40), GUI SICF :
7.20, ~new_xss_functions, XSS- .
, , , . ~html_escaping_off=”X”, . , . SAP Security Note 1488500.
Business HTML (BHTML)
HTMLBusiness Template Library (, SAP_TemplateNonEditableField()) . , . SAP Security Note 916255.
, . , .
, XSS-:
http/security_session_timeout = 900; - , . icf/set_HTTPonly_flag_on_cookies = 0; HttpOnly , - , , . HTTPOnly, Logon tickets XSS-.
, RZ10, ( Profile) (, DEFAULT.PFL, SAP-). , , , Extended maintenance . , Copy.
, , - , - -, :
icm/HTTP/logging_0 icm/security_log ,
SAP NetWeaver J2EE
SAP NetWeaver J2EE
AS Java tc_sec_csi.jar. , HTML/XML, JavaScript, CSS URL. StringUtils (com.sap.security.core.server.csi.util.StringUtils):
. Securing SAP from XSS vulnerabilities
escapeScriptEndTag(String pStr) - , javascript ; escapeToHTML(String input) – (. 1) escapeToJS(String input) – JS declaration ( . 5) escapeToURL(String input) – , URL ( 3). , 'disableScriptSignatures'. escapeToURL(StringBuffer sb, String input, int maxLength) - , URL ( 3). , 'disableScriptSignatures'. escapeToURL(String input, int maxLength) - , URL (. 3). , 'disableScriptSignatures'. urlEncode(String s) – URLEncoder.encode
, .
1 ( )
[CASE1]
Username [CASE1]
2 ( , – URL)
Click here
3 ( - URL)
4 ( SCRIPT', – )
5 ( – declaration )
XSSEncoder.
- XSSEncoder ( : com.sap.security.core.server.csi.XSSEncoder).
:
HTML / XML out = XSSEncoder.encodeHTML( in ) and XSSEncoder.encodeXML( val ); JavaScript out = XSSEncoder.encodeJavaScript( val ); URL out = XSSEncoder.encodeURL( val ); CSS out = XSSEncoder.encodeCSS( val );
, . SAP Security Note 1590008.
WebDynpro Java
WebDynpro Java, XSS. .
SAP UI Development Kit for HTML5
SAP UI Development Kit HTML5, jQuery /_core/src/main/js/jquery.sap.encoder.js.
:
HTML / XML jQuery.sap.encodeHTML(sValue) and jQuery.sap.encodeXML(sValue) JavaScript jQuery.sap.encodeJS(sValue) URL jQuery.sap.encodeURL(sValue) CSS jQuery.sap.encodeCSS(sValue)
:
, :
Global_app_config/session_config/sessionTimeout = 900. - , . SystemCookiesDataProtection = true. HttpOnly , - , , . HTTPOnly, Logon tickets XSS-. ume.logon.httponlycookie= True. Logon tickets , Single Sign-On J2EE Engine. “True” , HTTP document.cookie ( XSS-) . SessionIPProtectionEnabled = True. , IP . True, HTTP- IP. IP, .
, , - XSS-, - -, .
LogCLF = TRUE http.properties logging CEF. ArchiveOldLogFiles = ON. Log Configurator . . , . , . . HttpTrace= Enable. HTTP- , ConfigTool. HTTP Provider Service, , HttpTrace.
SAP HANA XS
, XSS- – SAP HANA.
SAP HANA SAPUI5.
- SAPUI5 , . , int int, sap.ui.core . – , HTML:
, :
sessiontimeout = 900. - , . HttpOnly .
, , - XSS-, - -, .
HTTP (S) , SAP HANA, -. - HTTP (S) , icm/http/logging _ 0: global _ auditing _ state = true. global.ini, . , , XSS-. SAP HANA Administration Console –> Security HDB –> Auditing Status menu.
- , XSS. , , - SAP . XSS- – SAP. SAP XSS-. XSS SAP.
, ( chipik ) .
Logging additional information ABAP protection SAP Encoding Functions for AS ABAP Java protection SAP Encoding Functions for AS Java and JavaScript Prevention of Cross-site Scripting SAP HANA protection Protecting SAP® Applications Based on Java and ABAP™ Against Common Attacks
<%@page language="abap" forceEncode="html"%>
<% data: inputvalue type string.
inputvalue = request->get_form_field( 'x' ).
%>
</html>
. , ( ):
<%html=...%>: HTML <%url=...%>: URL URL <%javascript=...%>: JavaScript <%css=…%> : CSS <%raw=...%> ( , , , )
BSP
BSP HTMLB forceEncode <htmlb:content> ENABLED , ( ). ENABLED , , :<htmlb:content forceEncode="ENABLED|BACKWARDS_COMPATIBLE">
ENABLED: . , ; BACKWARDS_COMPATIBLE: . , .
, htmlb:content , . : CLASSIC, DESIGN2002, DESIGN2003, DESIGN2008, , (+). CLASSIC DESIGN2002 (, ) .
<htmlb:content forceEncode="ENABLED" design="DESIGN2003+DESIGN2008">
, design=CLASSIC. .
Mixed BSP- HTML HTMLB
forceEncode BSP page forceEncode HTMLB . , – HTMLB. , , HTML BSP,
Internet Transaction Server (ITS) HTML Business
Internet Transaction Server (ITS) HTML Business, :
xss_url_escape() xss_html_escape() xss_wml_escape() xss_css_escape() xss_js_escape()
HTML Business
, HTML-: , (`) , :
~auto_html_escaping=1: , ~new_xss_functions=1: XSS.
~html_escaping_off=1/0, .
, , SAP_BASIS:
ITS ( <= 6.40), Internet Service SE80. ITS ( >= 6.40), GUI SICF :
7.20, ~new_xss_functions, XSS- .
, , , . ~html_escaping_off=”X”, . , . SAP Security Note 1488500.
Business HTML (BHTML)
HTMLBusiness Template Library (, SAP_TemplateNonEditableField()) . , . SAP Security Note 916255.
, . , .
, XSS-:
http/security_session_timeout = 900; - , . icf/set_HTTPonly_flag_on_cookies = 0; HttpOnly , - , , . HTTPOnly, Logon tickets XSS-.
, RZ10, ( Profile) (, DEFAULT.PFL, SAP-). , , , Extended maintenance . , Copy.
, , - , - -, :
icm/HTTP/logging_0 icm/security_log ,
SAP NetWeaver J2EE
SAP NetWeaver J2EE
AS Java tc_sec_csi.jar. , HTML/XML, JavaScript, CSS URL. StringUtils (com.sap.security.core.server.csi.util.StringUtils):
. Securing SAP from XSS vulnerabilities
escapeScriptEndTag(String pStr) - , javascript ; escapeToHTML(String input) – (. 1) escapeToJS(String input) – JS declaration ( . 5) escapeToURL(String input) – , URL ( 3). , 'disableScriptSignatures'. escapeToURL(StringBuffer sb, String input, int maxLength) - , URL ( 3). , 'disableScriptSignatures'. escapeToURL(String input, int maxLength) - , URL (. 3). , 'disableScriptSignatures'. urlEncode(String s) – URLEncoder.encode
, .
1 ( )
[CASE1]
Username [CASE1]
2 ( , – URL)
Click here
3 ( - URL)
4 ( SCRIPT', – )
5 ( – declaration )
XSSEncoder.
- XSSEncoder ( : com.sap.security.core.server.csi.XSSEncoder).
:
HTML / XML out = XSSEncoder.encodeHTML( in ) and XSSEncoder.encodeXML( val ); JavaScript out = XSSEncoder.encodeJavaScript( val ); URL out = XSSEncoder.encodeURL( val ); CSS out = XSSEncoder.encodeCSS( val );
, . SAP Security Note 1590008.
WebDynpro Java
WebDynpro Java, XSS. .
SAP UI Development Kit for HTML5
SAP UI Development Kit HTML5, jQuery /_core/src/main/js/jquery.sap.encoder.js.
:
HTML / XML jQuery.sap.encodeHTML(sValue) and jQuery.sap.encodeXML(sValue) JavaScript jQuery.sap.encodeJS(sValue) URL jQuery.sap.encodeURL(sValue) CSS jQuery.sap.encodeCSS(sValue)
:
, :
Global_app_config/session_config/sessionTimeout = 900. - , . SystemCookiesDataProtection = true. HttpOnly , - , , . HTTPOnly, Logon tickets XSS-. ume.logon.httponlycookie= True. Logon tickets , Single Sign-On J2EE Engine. “True” , HTTP document.cookie ( XSS-) . SessionIPProtectionEnabled = True. , IP . True, HTTP- IP. IP, .
, , - XSS-, - -, .
LogCLF = TRUE http.properties logging CEF. ArchiveOldLogFiles = ON. Log Configurator . . , . , . . HttpTrace= Enable. HTTP- , ConfigTool. HTTP Provider Service, , HttpTrace.
SAP HANA XS
, XSS- – SAP HANA.
SAP HANA SAPUI5.
- SAPUI5 , . , int int, sap.ui.core . – , HTML:
, :
sessiontimeout = 900. - , . HttpOnly .
, , - XSS-, - -, .
HTTP (S) , SAP HANA, -. - HTTP (S) , icm/http/logging _ 0: global _ auditing _ state = true. global.ini, . , , XSS-. SAP HANA Administration Console –> Security HDB –> Auditing Status menu.
- , XSS. , , - SAP . XSS- – SAP. SAP XSS-. XSS SAP.
, ( chipik ) .
Logging additional information ABAP protection SAP Encoding Functions for AS ABAP Java protection SAP Encoding Functions for AS Java and JavaScript Prevention of Cross-site Scripting SAP HANA protection Protecting SAP® Applications Based on Java and ABAP™ Against Common Attacks
<%@page language="abap" forceEncode="html"%>
<% data: inputvalue type string.
inputvalue = request->get_form_field( 'x' ).
%>
</html>
. , ( ):
<%html=...%>: HTML <%url=...%>: URL URL <%javascript=...%>: JavaScript <%css=…%> : CSS <%raw=...%> ( , , , )
BSP
BSP HTMLB forceEncode <htmlb:content> ENABLED , ( ). ENABLED , , :<htmlb:content forceEncode="ENABLED|BACKWARDS_COMPATIBLE">
ENABLED: . , ; BACKWARDS_COMPATIBLE: . , .
, htmlb:content , . : CLASSIC, DESIGN2002, DESIGN2003, DESIGN2008, , (+). CLASSIC DESIGN2002 (, ) .
<htmlb:content forceEncode="ENABLED" design="DESIGN2003+DESIGN2008">
, design=CLASSIC. .
Mixed BSP- HTML HTMLB
forceEncode BSP page forceEncode HTMLB . , – HTMLB. , , HTML BSP,
Internet Transaction Server (ITS) HTML Business
Internet Transaction Server (ITS) HTML Business, :
xss_url_escape() xss_html_escape() xss_wml_escape() xss_css_escape() xss_js_escape()
HTML Business
, HTML-: , (`) , :
~auto_html_escaping=1: , ~new_xss_functions=1: XSS.
~html_escaping_off=1/0, .
, , SAP_BASIS:
ITS ( <= 6.40), Internet Service SE80. ITS ( >= 6.40), GUI SICF :
7.20, ~new_xss_functions, XSS- .
, , , . ~html_escaping_off=”X”, . , . SAP Security Note 1488500.
Business HTML (BHTML)
HTMLBusiness Template Library (, SAP_TemplateNonEditableField()) . , . SAP Security Note 916255.
, . , .
, XSS-:
http/security_session_timeout = 900; - , . icf/set_HTTPonly_flag_on_cookies = 0; HttpOnly , - , , . HTTPOnly, Logon tickets XSS-.
, RZ10, ( Profile) (, DEFAULT.PFL, SAP-). , , , Extended maintenance . , Copy.
, , - , - -, :
icm/HTTP/logging_0 icm/security_log ,
SAP NetWeaver J2EE
SAP NetWeaver J2EE
AS Java tc_sec_csi.jar. , HTML/XML, JavaScript, CSS URL. StringUtils (com.sap.security.core.server.csi.util.StringUtils):
. Securing SAP from XSS vulnerabilities
escapeScriptEndTag(String pStr) - , javascript ; escapeToHTML(String input) – (. 1) escapeToJS(String input) – JS declaration ( . 5) escapeToURL(String input) – , URL ( 3). , 'disableScriptSignatures'. escapeToURL(StringBuffer sb, String input, int maxLength) - , URL ( 3). , 'disableScriptSignatures'. escapeToURL(String input, int maxLength) - , URL (. 3). , 'disableScriptSignatures'. urlEncode(String s) – URLEncoder.encode
, .
1 ( )
[CASE1]
Username [CASE1]
2 ( , – URL)
Click here
3 ( - URL)
4 ( SCRIPT', – )
5 ( – declaration )
XSSEncoder.
- XSSEncoder ( : com.sap.security.core.server.csi.XSSEncoder).
:
HTML / XML out = XSSEncoder.encodeHTML( in ) and XSSEncoder.encodeXML( val ); JavaScript out = XSSEncoder.encodeJavaScript( val ); URL out = XSSEncoder.encodeURL( val ); CSS out = XSSEncoder.encodeCSS( val );
, . SAP Security Note 1590008.
WebDynpro Java
WebDynpro Java, XSS. .
SAP UI Development Kit for HTML5
SAP UI Development Kit HTML5, jQuery /_core/src/main/js/jquery.sap.encoder.js.
:
HTML / XML jQuery.sap.encodeHTML(sValue) and jQuery.sap.encodeXML(sValue) JavaScript jQuery.sap.encodeJS(sValue) URL jQuery.sap.encodeURL(sValue) CSS jQuery.sap.encodeCSS(sValue)
:
, :
Global_app_config/session_config/sessionTimeout = 900. - , . SystemCookiesDataProtection = true. HttpOnly , - , , . HTTPOnly, Logon tickets XSS-. ume.logon.httponlycookie= True. Logon tickets , Single Sign-On J2EE Engine. “True” , HTTP document.cookie ( XSS-) . SessionIPProtectionEnabled = True. , IP . True, HTTP- IP. IP, .
, , - XSS-, - -, .
LogCLF = TRUE http.properties logging CEF. ArchiveOldLogFiles = ON. Log Configurator . . , . , . . HttpTrace= Enable. HTTP- , ConfigTool. HTTP Provider Service, , HttpTrace.
SAP HANA XS
, XSS- – SAP HANA.
SAP HANA SAPUI5.
- SAPUI5 , . , int int, sap.ui.core . – , HTML:
, :
sessiontimeout = 900. - , . HttpOnly .
, , - XSS-, - -, .
HTTP (S) , SAP HANA, -. - HTTP (S) , icm/http/logging _ 0: global _ auditing _ state = true. global.ini, . , , XSS-. SAP HANA Administration Console –> Security HDB –> Auditing Status menu.
- , XSS. , , - SAP . XSS- – SAP. SAP XSS-. XSS SAP.
, ( chipik ) .
Logging additional information ABAP protection SAP Encoding Functions for AS ABAP Java protection SAP Encoding Functions for AS Java and JavaScript Prevention of Cross-site Scripting SAP HANA protection Protecting SAP® Applications Based on Java and ABAP™ Against Common Attacks
<%@page language="abap" forceEncode="html"%>
<% data: inputvalue type string.
inputvalue = request->get_form_field( 'x' ).
%>
</html>
. , ( ):
<%html=...%>: HTML <%url=...%>: URL URL <%javascript=...%>: JavaScript <%css=…%> : CSS <%raw=...%> ( , , , )
BSP
BSP HTMLB forceEncode <htmlb:content> ENABLED , ( ). ENABLED , , :<htmlb:content forceEncode="ENABLED|BACKWARDS_COMPATIBLE">
ENABLED: . , ; BACKWARDS_COMPATIBLE: . , .
, htmlb:content , . : CLASSIC, DESIGN2002, DESIGN2003, DESIGN2008, , (+). CLASSIC DESIGN2002 (, ) .
<htmlb:content forceEncode="ENABLED" design="DESIGN2003+DESIGN2008">
, design=CLASSIC. .
Mixed BSP- HTML HTMLB
forceEncode BSP page forceEncode HTMLB . , – HTMLB. , , HTML BSP,
Internet Transaction Server (ITS) HTML Business
Internet Transaction Server (ITS) HTML Business, :
xss_url_escape() xss_html_escape() xss_wml_escape() xss_css_escape() xss_js_escape()
HTML Business
, HTML-: , (`) , :
~auto_html_escaping=1: , ~new_xss_functions=1: XSS.
~html_escaping_off=1/0, .
, , SAP_BASIS:
ITS ( <= 6.40), Internet Service SE80. ITS ( >= 6.40), GUI SICF :
7.20, ~new_xss_functions, XSS- .
, , , . ~html_escaping_off=”X”, . , . SAP Security Note 1488500.
Business HTML (BHTML)
HTMLBusiness Template Library (, SAP_TemplateNonEditableField()) . , . SAP Security Note 916255.
, . , .
, XSS-:
http/security_session_timeout = 900; - , . icf/set_HTTPonly_flag_on_cookies = 0; HttpOnly , - , , . HTTPOnly, Logon tickets XSS-.
, RZ10, ( Profile) (, DEFAULT.PFL, SAP-). , , , Extended maintenance . , Copy.
, , - , - -, :
icm/HTTP/logging_0 icm/security_log ,
SAP NetWeaver J2EE
SAP NetWeaver J2EE
AS Java tc_sec_csi.jar. , HTML/XML, JavaScript, CSS URL. StringUtils (com.sap.security.core.server.csi.util.StringUtils):
. Securing SAP from XSS vulnerabilities
escapeScriptEndTag(String pStr) - , javascript ; escapeToHTML(String input) – (. 1) escapeToJS(String input) – JS declaration ( . 5) escapeToURL(String input) – , URL ( 3). , 'disableScriptSignatures'. escapeToURL(StringBuffer sb, String input, int maxLength) - , URL ( 3). , 'disableScriptSignatures'. escapeToURL(String input, int maxLength) - , URL (. 3). , 'disableScriptSignatures'. urlEncode(String s) – URLEncoder.encode
, .
1 ( )
[CASE1]
Username [CASE1]
2 ( , – URL)
Click here
3 ( - URL)
4 ( SCRIPT', – )
5 ( – declaration )
XSSEncoder.
- XSSEncoder ( : com.sap.security.core.server.csi.XSSEncoder).
:
HTML / XML out = XSSEncoder.encodeHTML( in ) and XSSEncoder.encodeXML( val ); JavaScript out = XSSEncoder.encodeJavaScript( val ); URL out = XSSEncoder.encodeURL( val ); CSS out = XSSEncoder.encodeCSS( val );
, . SAP Security Note 1590008.
WebDynpro Java
WebDynpro Java, XSS. .
SAP UI Development Kit for HTML5
SAP UI Development Kit HTML5, jQuery /_core/src/main/js/jquery.sap.encoder.js.
:
HTML / XML jQuery.sap.encodeHTML(sValue) and jQuery.sap.encodeXML(sValue) JavaScript jQuery.sap.encodeJS(sValue) URL jQuery.sap.encodeURL(sValue) CSS jQuery.sap.encodeCSS(sValue)
:
, :
Global_app_config/session_config/sessionTimeout = 900. - , . SystemCookiesDataProtection = true. HttpOnly , - , , . HTTPOnly, Logon tickets XSS-. ume.logon.httponlycookie= True. Logon tickets , Single Sign-On J2EE Engine. “True” , HTTP document.cookie ( XSS-) . SessionIPProtectionEnabled = True. , IP . True, HTTP- IP. IP, .
, , - XSS-, - -, .
LogCLF = TRUE http.properties logging CEF. ArchiveOldLogFiles = ON. Log Configurator . . , . , . . HttpTrace= Enable. HTTP- , ConfigTool. HTTP Provider Service, , HttpTrace.
SAP HANA XS
, XSS- – SAP HANA.
SAP HANA SAPUI5.
- SAPUI5 , . , int int, sap.ui.core . – , HTML:
, :
sessiontimeout = 900. - , . HttpOnly .
, , - XSS-, - -, .
HTTP (S) , SAP HANA, -. - HTTP (S) , icm/http/logging _ 0: global _ auditing _ state = true. global.ini, . , , XSS-. SAP HANA Administration Console –> Security HDB –> Auditing Status menu.
- , XSS. , , - SAP . XSS- – SAP. SAP XSS-. XSS SAP.
, ( chipik ) .
Logging additional information ABAP protection SAP Encoding Functions for AS ABAP Java protection SAP Encoding Functions for AS Java and JavaScript Prevention of Cross-site Scripting SAP HANA protection Protecting SAP® Applications Based on Java and ABAP™ Against Common Attacks
<%@page language="abap" forceEncode="html"%>
<% data: inputvalue type string.
inputvalue = request->get_form_field( 'x' ).
%>
</html>
. , ( ):
<%html=...%>: HTML <%url=...%>: URL URL <%javascript=...%>: JavaScript <%css=…%> : CSS <%raw=...%> ( , , , )
BSP
BSP HTMLB forceEncode <htmlb:content> ENABLED , ( ). ENABLED , , :<htmlb:content forceEncode="ENABLED|BACKWARDS_COMPATIBLE">
ENABLED: . , ; BACKWARDS_COMPATIBLE: . , .
, htmlb:content , . : CLASSIC, DESIGN2002, DESIGN2003, DESIGN2008, , (+). CLASSIC DESIGN2002 (, ) .
<htmlb:content forceEncode="ENABLED" design="DESIGN2003+DESIGN2008">
, design=CLASSIC. .
Mixed BSP- HTML HTMLB
forceEncode BSP page forceEncode HTMLB . , – HTMLB. , , HTML BSP,
Internet Transaction Server (ITS) HTML Business
Internet Transaction Server (ITS) HTML Business, :
xss_url_escape() xss_html_escape() xss_wml_escape() xss_css_escape() xss_js_escape()
HTML Business
, HTML-: , (`) , :
~auto_html_escaping=1: , ~new_xss_functions=1: XSS.
~html_escaping_off=1/0, .
, , SAP_BASIS:
ITS ( <= 6.40), Internet Service SE80. ITS ( >= 6.40), GUI SICF :
7.20, ~new_xss_functions, XSS- .
, , , . ~html_escaping_off=”X”, . , . SAP Security Note 1488500.
Business HTML (BHTML)
HTMLBusiness Template Library (, SAP_TemplateNonEditableField()) . , . SAP Security Note 916255.
, . , .
, XSS-:
http/security_session_timeout = 900; - , . icf/set_HTTPonly_flag_on_cookies = 0; HttpOnly , - , , . HTTPOnly, Logon tickets XSS-.
, RZ10, ( Profile) (, DEFAULT.PFL, SAP-). , , , Extended maintenance . , Copy.
, , - , - -, :
icm/HTTP/logging_0 icm/security_log ,
SAP NetWeaver J2EE
SAP NetWeaver J2EE
AS Java tc_sec_csi.jar. , HTML/XML, JavaScript, CSS URL. StringUtils (com.sap.security.core.server.csi.util.StringUtils):
. Securing SAP from XSS vulnerabilities
escapeScriptEndTag(String pStr) - , javascript ; escapeToHTML(String input) – (. 1) escapeToJS(String input) – JS declaration ( . 5) escapeToURL(String input) – , URL ( 3). , 'disableScriptSignatures'. escapeToURL(StringBuffer sb, String input, int maxLength) - , URL ( 3). , 'disableScriptSignatures'. escapeToURL(String input, int maxLength) - , URL (. 3). , 'disableScriptSignatures'. urlEncode(String s) – URLEncoder.encode
, .
1 ( )
[CASE1]
Username [CASE1]
2 ( , – URL)
Click here
3 ( - URL)
4 ( SCRIPT', – )
5 ( – declaration )
XSSEncoder.
- XSSEncoder ( : com.sap.security.core.server.csi.XSSEncoder).
:
HTML / XML out = XSSEncoder.encodeHTML( in ) and XSSEncoder.encodeXML( val ); JavaScript out = XSSEncoder.encodeJavaScript( val ); URL out = XSSEncoder.encodeURL( val ); CSS out = XSSEncoder.encodeCSS( val );
, . SAP Security Note 1590008.
WebDynpro Java
WebDynpro Java, XSS. .
SAP UI Development Kit for HTML5
SAP UI Development Kit HTML5, jQuery /_core/src/main/js/jquery.sap.encoder.js.
:
HTML / XML jQuery.sap.encodeHTML(sValue) and jQuery.sap.encodeXML(sValue) JavaScript jQuery.sap.encodeJS(sValue) URL jQuery.sap.encodeURL(sValue) CSS jQuery.sap.encodeCSS(sValue)
:
, :
Global_app_config/session_config/sessionTimeout = 900. - , . SystemCookiesDataProtection = true. HttpOnly , - , , . HTTPOnly, Logon tickets XSS-. ume.logon.httponlycookie= True. Logon tickets , Single Sign-On J2EE Engine. “True” , HTTP document.cookie ( XSS-) . SessionIPProtectionEnabled = True. , IP . True, HTTP- IP. IP, .
, , - XSS-, - -, .
LogCLF = TRUE http.properties logging CEF. ArchiveOldLogFiles = ON. Log Configurator . . , . , . . HttpTrace= Enable. HTTP- , ConfigTool. HTTP Provider Service, , HttpTrace.
SAP HANA XS
, XSS- – SAP HANA.
SAP HANA SAPUI5.
- SAPUI5 , . , int int, sap.ui.core . – , HTML:
, :
sessiontimeout = 900. - , . HttpOnly .
, , - XSS-, - -, .
HTTP (S) , SAP HANA, -. - HTTP (S) , icm/http/logging _ 0: global _ auditing _ state = true. global.ini, . , , XSS-. SAP HANA Administration Console –> Security HDB –> Auditing Status menu.
- , XSS. , , - SAP . XSS- – SAP. SAP XSS-. XSS SAP.
, ( chipik ) .
Logging additional information ABAP protection SAP Encoding Functions for AS ABAP Java protection SAP Encoding Functions for AS Java and JavaScript Prevention of Cross-site Scripting SAP HANA protection Protecting SAP® Applications Based on Java and ABAP™ Against Common Attacks
<%@page language="abap" forceEncode="html"%>
<% data: inputvalue type string.
inputvalue = request->get_form_field( 'x' ).
%>
</html>
. , ( ):
<%html=...%>: HTML <%url=...%>: URL URL <%javascript=...%>: JavaScript <%css=…%> : CSS <%raw=...%> ( , , , )
BSP
BSP HTMLB forceEncode <htmlb:content> ENABLED , ( ). ENABLED , , :<htmlb:content forceEncode="ENABLED|BACKWARDS_COMPATIBLE">
ENABLED: . , ; BACKWARDS_COMPATIBLE: . , .
, htmlb:content , . : CLASSIC, DESIGN2002, DESIGN2003, DESIGN2008, , (+). CLASSIC DESIGN2002 (, ) .
<htmlb:content forceEncode="ENABLED" design="DESIGN2003+DESIGN2008">
, design=CLASSIC. .
Mixed BSP- HTML HTMLB
forceEncode BSP page forceEncode HTMLB . , – HTMLB. , , HTML BSP,
Internet Transaction Server (ITS) HTML Business
Internet Transaction Server (ITS) HTML Business, :
xss_url_escape() xss_html_escape() xss_wml_escape() xss_css_escape() xss_js_escape()
HTML Business
, HTML-: , (`) , :
~auto_html_escaping=1: , ~new_xss_functions=1: XSS.
~html_escaping_off=1/0, .
, , SAP_BASIS:
ITS ( <= 6.40), Internet Service SE80. ITS ( >= 6.40), GUI SICF :
7.20, ~new_xss_functions, XSS- .
, , , . ~html_escaping_off=”X”, . , . SAP Security Note 1488500.
Business HTML (BHTML)
HTMLBusiness Template Library (, SAP_TemplateNonEditableField()) . , . SAP Security Note 916255.
, . , .
, XSS-:
http/security_session_timeout = 900; - , . icf/set_HTTPonly_flag_on_cookies = 0; HttpOnly , - , , . HTTPOnly, Logon tickets XSS-.
, RZ10, ( Profile) (, DEFAULT.PFL, SAP-). , , , Extended maintenance . , Copy.
, , - , - -, :
icm/HTTP/logging_0 icm/security_log ,
SAP NetWeaver J2EE
SAP NetWeaver J2EE
AS Java tc_sec_csi.jar. , HTML/XML, JavaScript, CSS URL. StringUtils (com.sap.security.core.server.csi.util.StringUtils):
. Securing SAP from XSS vulnerabilities
escapeScriptEndTag(String pStr) - , javascript ; escapeToHTML(String input) – (. 1) escapeToJS(String input) – JS declaration ( . 5) escapeToURL(String input) – , URL ( 3). , 'disableScriptSignatures'. escapeToURL(StringBuffer sb, String input, int maxLength) - , URL ( 3). , 'disableScriptSignatures'. escapeToURL(String input, int maxLength) - , URL (. 3). , 'disableScriptSignatures'. urlEncode(String s) – URLEncoder.encode
, .
1 ( )
[CASE1]
Username [CASE1]
2 ( , – URL)
Click here
3 ( - URL)
4 ( SCRIPT', – )
5 ( – declaration )
XSSEncoder.
- XSSEncoder ( : com.sap.security.core.server.csi.XSSEncoder).
:
HTML / XML out = XSSEncoder.encodeHTML( in ) and XSSEncoder.encodeXML( val ); JavaScript out = XSSEncoder.encodeJavaScript( val ); URL out = XSSEncoder.encodeURL( val ); CSS out = XSSEncoder.encodeCSS( val );
, . SAP Security Note 1590008.
WebDynpro Java
WebDynpro Java, XSS. .
SAP UI Development Kit for HTML5
SAP UI Development Kit HTML5, jQuery /_core/src/main/js/jquery.sap.encoder.js.
:
HTML / XML jQuery.sap.encodeHTML(sValue) and jQuery.sap.encodeXML(sValue) JavaScript jQuery.sap.encodeJS(sValue) URL jQuery.sap.encodeURL(sValue) CSS jQuery.sap.encodeCSS(sValue)
:
, :
Global_app_config/session_config/sessionTimeout = 900. - , . SystemCookiesDataProtection = true. HttpOnly , - , , . HTTPOnly, Logon tickets XSS-. ume.logon.httponlycookie= True. Logon tickets , Single Sign-On J2EE Engine. “True” , HTTP document.cookie ( XSS-) . SessionIPProtectionEnabled = True. , IP . True, HTTP- IP. IP, .
, , - XSS-, - -, .
LogCLF = TRUE http.properties logging CEF. ArchiveOldLogFiles = ON. Log Configurator . . , . , . . HttpTrace= Enable. HTTP- , ConfigTool. HTTP Provider Service, , HttpTrace.
SAP HANA XS
, XSS- – SAP HANA.
SAP HANA SAPUI5.
- SAPUI5 , . , int int, sap.ui.core . – , HTML:
, :
sessiontimeout = 900. - , . HttpOnly .
, , - XSS-, - -, .
HTTP (S) , SAP HANA, -. - HTTP (S) , icm/http/logging _ 0: global _ auditing _ state = true. global.ini, . , , XSS-. SAP HANA Administration Console –> Security HDB –> Auditing Status menu.
- , XSS. , , - SAP . XSS- – SAP. SAP XSS-. XSS SAP.
, ( chipik ) .
Logging additional information ABAP protection SAP Encoding Functions for AS ABAP Java protection SAP Encoding Functions for AS Java and JavaScript Prevention of Cross-site Scripting SAP HANA protection Protecting SAP® Applications Based on Java and ABAP™ Against Common Attacks
, , - , - -, :
icm/HTTP/logging_0 icm/security_log ,
SAP NetWeaver J2EE
AS Java tc_sec_csi.jar. , HTML/XML, JavaScript, CSS URL. StringUtils (com.sap.security.core.server.csi.util.StringUtils):
. Securing SAP from XSS vulnerabilities
escapeScriptEndTag(String pStr) - , javascript ;
escapeToHTML(String input) – (. 1)
escapeToJS(String input) – JS declaration ( . 5)
escapeToURL(String input) – , URL ( 3). , 'disableScriptSignatures'.
escapeToURL(StringBuffer sb, String input, int maxLength) - , URL ( 3). , 'disableScriptSignatures'.
escapeToURL(String input, int maxLength) - , URL (. 3). , 'disableScriptSignatures'.
urlEncode(String s) – URLEncoder.encode
, .
1 ( )
[CASE1]
Username [CASE1]
2 ( , – URL)
Click here
3 ( - URL)
4 ( SCRIPT', – )
5 ( – declaration )
XSSEncoder.
- XSSEncoder ( : com.sap.security.core.server.csi.XSSEncoder).
:
Context | Method |
HTML / XML | out = XSSEncoder.encodeHTML( in ) and XSSEncoder.encodeXML( val ); |
JavaScript | out = XSSEncoder.encodeJavaScript( val ); |
URL | out = XSSEncoder.encodeURL( val ); |
CSS | out = XSSEncoder.encodeCSS( val ); |
, . SAP Security Note 1590008.
WebDynpro Java
WebDynpro Java, XSS. .
SAP UI Development Kit for HTML5
SAP UI Development Kit HTML5, jQuery /_core/src/main/js/jquery.sap.encoder.js.
:
Context | Method |
HTML / XML | jQuery.sap.encodeHTML(sValue) and jQuery.sap.encodeXML(sValue) |
JavaScript | jQuery.sap.encodeJS(sValue) |
URL | jQuery.sap.encodeURL(sValue) |
CSS | jQuery.sap.encodeCSS(sValue) |
:
, :
Global_app_config/session_config/sessionTimeout = 900. - , .
SystemCookiesDataProtection = true. HttpOnly , - , , . HTTPOnly, Logon tickets XSS-.
ume.logon.httponlycookie= True. Logon tickets , Single Sign-On J2EE Engine. “True” , HTTP document.cookie ( XSS-) .
SessionIPProtectionEnabled = True. , IP . True, HTTP- IP. IP, .
, , - XSS-, - -, .
LogCLF = TRUE http.properties logging CEF. ArchiveOldLogFiles = ON. Log Configurator . . , . , . . HttpTrace= Enable. HTTP- , ConfigTool. HTTP Provider Service, , HttpTrace.
SAP HANA XS
, XSS- – SAP HANA.
SAP HANA SAPUI5.
- SAPUI5 , . , int int, sap.ui.core . – , HTML:
, :
sessiontimeout = 900. - , . HttpOnly .
, , - XSS-, - -, .
HTTP (S) , SAP HANA, -. - HTTP (S) , icm/http/logging _ 0: global _ auditing _ state = true. global.ini, . , , XSS-. SAP HANA Administration Console –> Security HDB –> Auditing Status menu.
- , XSS. , , - SAP . XSS- – SAP. SAP XSS-. XSS SAP.
, ( chipik ) .
Logging additional information ABAP protection SAP Encoding Functions for AS ABAP Java protection SAP Encoding Functions for AS Java and JavaScript Prevention of Cross-site Scripting SAP HANA protection Protecting SAP® Applications Based on Java and ABAP™ Against Common Attacks
<%@page language="abap" forceEncode="html"%>
<% data: inputvalue type string.
inputvalue = request->get_form_field( 'x' ).
%>
</html>
. , ( ):
<%html=...%>: HTML <%url=...%>: URL URL <%javascript=...%>: JavaScript <%css=…%> : CSS <%raw=...%> ( , , , )
BSP
BSP HTMLB forceEncode <htmlb:content> ENABLED , ( ). ENABLED , , :<htmlb:content forceEncode="ENABLED|BACKWARDS_COMPATIBLE">
ENABLED: . , ; BACKWARDS_COMPATIBLE: . , .
, htmlb:content , . : CLASSIC, DESIGN2002, DESIGN2003, DESIGN2008, , (+). CLASSIC DESIGN2002 (, ) .
<htmlb:content forceEncode="ENABLED" design="DESIGN2003+DESIGN2008">
, design=CLASSIC. .
Mixed BSP- HTML HTMLB
forceEncode BSP page forceEncode HTMLB . , – HTMLB. , , HTML BSP,
Internet Transaction Server (ITS) HTML Business
Internet Transaction Server (ITS) HTML Business, :
xss_url_escape() xss_html_escape() xss_wml_escape() xss_css_escape() xss_js_escape()
HTML Business
, HTML-: , (`) , :
~auto_html_escaping=1: , ~new_xss_functions=1: XSS.
~html_escaping_off=1/0, .
, , SAP_BASIS:
ITS ( <= 6.40), Internet Service SE80. ITS ( >= 6.40), GUI SICF :
7.20, ~new_xss_functions, XSS- .
, , , . ~html_escaping_off=”X”, . , . SAP Security Note 1488500.
Business HTML (BHTML)
HTMLBusiness Template Library (, SAP_TemplateNonEditableField()) . , . SAP Security Note 916255.
, . , .
, XSS-:
http/security_session_timeout = 900; - , . icf/set_HTTPonly_flag_on_cookies = 0; HttpOnly , - , , . HTTPOnly, Logon tickets XSS-.
, RZ10, ( Profile) (, DEFAULT.PFL, SAP-). , , , Extended maintenance . , Copy.
, , - , - -, :
icm/HTTP/logging_0 icm/security_log ,
SAP NetWeaver J2EE
SAP NetWeaver J2EE
AS Java tc_sec_csi.jar. , HTML/XML, JavaScript, CSS URL. StringUtils (com.sap.security.core.server.csi.util.StringUtils):
. Securing SAP from XSS vulnerabilities
escapeScriptEndTag(String pStr) - , javascript ; escapeToHTML(String input) – (. 1) escapeToJS(String input) – JS declaration ( . 5) escapeToURL(String input) – , URL ( 3). , 'disableScriptSignatures'. escapeToURL(StringBuffer sb, String input, int maxLength) - , URL ( 3). , 'disableScriptSignatures'. escapeToURL(String input, int maxLength) - , URL (. 3). , 'disableScriptSignatures'. urlEncode(String s) – URLEncoder.encode
, .
1 ( )
[CASE1]
Username [CASE1]
2 ( , – URL)
Click here
3 ( - URL)
4 ( SCRIPT', – )
5 ( – declaration )
XSSEncoder.
- XSSEncoder ( : com.sap.security.core.server.csi.XSSEncoder).
:
HTML / XML out = XSSEncoder.encodeHTML( in ) and XSSEncoder.encodeXML( val ); JavaScript out = XSSEncoder.encodeJavaScript( val ); URL out = XSSEncoder.encodeURL( val ); CSS out = XSSEncoder.encodeCSS( val );
, . SAP Security Note 1590008.
WebDynpro Java
WebDynpro Java, XSS. .
SAP UI Development Kit for HTML5
SAP UI Development Kit HTML5, jQuery /_core/src/main/js/jquery.sap.encoder.js.
:
HTML / XML jQuery.sap.encodeHTML(sValue) and jQuery.sap.encodeXML(sValue) JavaScript jQuery.sap.encodeJS(sValue) URL jQuery.sap.encodeURL(sValue) CSS jQuery.sap.encodeCSS(sValue)
:
, :
Global_app_config/session_config/sessionTimeout = 900. - , . SystemCookiesDataProtection = true. HttpOnly , - , , . HTTPOnly, Logon tickets XSS-. ume.logon.httponlycookie= True. Logon tickets , Single Sign-On J2EE Engine. “True” , HTTP document.cookie ( XSS-) . SessionIPProtectionEnabled = True. , IP . True, HTTP- IP. IP, .
, , - XSS-, - -, .
LogCLF = TRUE http.properties logging CEF. ArchiveOldLogFiles = ON. Log Configurator . . , . , . . HttpTrace= Enable. HTTP- , ConfigTool. HTTP Provider Service, , HttpTrace.
SAP HANA XS
, XSS- – SAP HANA.
SAP HANA SAPUI5.
- SAPUI5 , . , int int, sap.ui.core . – , HTML:
, :
sessiontimeout = 900. - , . HttpOnly .
, , - XSS-, - -, .
HTTP (S) , SAP HANA, -. - HTTP (S) , icm/http/logging _ 0: global _ auditing _ state = true. global.ini, . , , XSS-. SAP HANA Administration Console –> Security HDB –> Auditing Status menu.
- , XSS. , , - SAP . XSS- – SAP. SAP XSS-. XSS SAP.
, ( chipik ) .
Logging additional information ABAP protection SAP Encoding Functions for AS ABAP Java protection SAP Encoding Functions for AS Java and JavaScript Prevention of Cross-site Scripting SAP HANA protection Protecting SAP® Applications Based on Java and ABAP™ Against Common Attacks
<%@page language="abap" forceEncode="html"%>
<% data: inputvalue type string.
inputvalue = request->get_form_field( 'x' ).
%>
</html>
. , ( ):
<%html=...%>: HTML <%url=...%>: URL URL <%javascript=...%>: JavaScript <%css=…%> : CSS <%raw=...%> ( , , , )
BSP
BSP HTMLB forceEncode <htmlb:content> ENABLED , ( ). ENABLED , , :<htmlb:content forceEncode="ENABLED|BACKWARDS_COMPATIBLE">
ENABLED: . , ; BACKWARDS_COMPATIBLE: . , .
, htmlb:content , . : CLASSIC, DESIGN2002, DESIGN2003, DESIGN2008, , (+). CLASSIC DESIGN2002 (, ) .
<htmlb:content forceEncode="ENABLED" design="DESIGN2003+DESIGN2008">
, design=CLASSIC. .
Mixed BSP- HTML HTMLB
forceEncode BSP page forceEncode HTMLB . , – HTMLB. , , HTML BSP,
Internet Transaction Server (ITS) HTML Business
Internet Transaction Server (ITS) HTML Business, :
xss_url_escape() xss_html_escape() xss_wml_escape() xss_css_escape() xss_js_escape()
HTML Business
, HTML-: , (`) , :
~auto_html_escaping=1: , ~new_xss_functions=1: XSS.
~html_escaping_off=1/0, .
, , SAP_BASIS:
ITS ( <= 6.40), Internet Service SE80. ITS ( >= 6.40), GUI SICF :
7.20, ~new_xss_functions, XSS- .
, , , . ~html_escaping_off=”X”, . , . SAP Security Note 1488500.
Business HTML (BHTML)
HTMLBusiness Template Library (, SAP_TemplateNonEditableField()) . , . SAP Security Note 916255.
, . , .
, XSS-:
http/security_session_timeout = 900; - , . icf/set_HTTPonly_flag_on_cookies = 0; HttpOnly , - , , . HTTPOnly, Logon tickets XSS-.
, RZ10, ( Profile) (, DEFAULT.PFL, SAP-). , , , Extended maintenance . , Copy.
, , - , - -, :
icm/HTTP/logging_0 icm/security_log ,
SAP NetWeaver J2EE
SAP NetWeaver J2EE
AS Java tc_sec_csi.jar. , HTML/XML, JavaScript, CSS URL. StringUtils (com.sap.security.core.server.csi.util.StringUtils):
. Securing SAP from XSS vulnerabilities
escapeScriptEndTag(String pStr) - , javascript ; escapeToHTML(String input) – (. 1) escapeToJS(String input) – JS declaration ( . 5) escapeToURL(String input) – , URL ( 3). , 'disableScriptSignatures'. escapeToURL(StringBuffer sb, String input, int maxLength) - , URL ( 3). , 'disableScriptSignatures'. escapeToURL(String input, int maxLength) - , URL (. 3). , 'disableScriptSignatures'. urlEncode(String s) – URLEncoder.encode
, .
1 ( )
[CASE1]
Username [CASE1]
2 ( , – URL)
Click here
3 ( - URL)
4 ( SCRIPT', – )
5 ( – declaration )
XSSEncoder.
- XSSEncoder ( : com.sap.security.core.server.csi.XSSEncoder).
:
HTML / XML out = XSSEncoder.encodeHTML( in ) and XSSEncoder.encodeXML( val ); JavaScript out = XSSEncoder.encodeJavaScript( val ); URL out = XSSEncoder.encodeURL( val ); CSS out = XSSEncoder.encodeCSS( val );
, . SAP Security Note 1590008.
WebDynpro Java
WebDynpro Java, XSS. .
SAP UI Development Kit for HTML5
SAP UI Development Kit HTML5, jQuery /_core/src/main/js/jquery.sap.encoder.js.
:
HTML / XML jQuery.sap.encodeHTML(sValue) and jQuery.sap.encodeXML(sValue) JavaScript jQuery.sap.encodeJS(sValue) URL jQuery.sap.encodeURL(sValue) CSS jQuery.sap.encodeCSS(sValue)
:
, :
Global_app_config/session_config/sessionTimeout = 900. - , . SystemCookiesDataProtection = true. HttpOnly , - , , . HTTPOnly, Logon tickets XSS-. ume.logon.httponlycookie= True. Logon tickets , Single Sign-On J2EE Engine. “True” , HTTP document.cookie ( XSS-) . SessionIPProtectionEnabled = True. , IP . True, HTTP- IP. IP, .
, , - XSS-, - -, .
LogCLF = TRUE http.properties logging CEF. ArchiveOldLogFiles = ON. Log Configurator . . , . , . . HttpTrace= Enable. HTTP- , ConfigTool. HTTP Provider Service, , HttpTrace.
SAP HANA XS
, XSS- – SAP HANA.
SAP HANA SAPUI5.
- SAPUI5 , . , int int, sap.ui.core . – , HTML:
, :
sessiontimeout = 900. - , . HttpOnly .
, , - XSS-, - -, .
HTTP (S) , SAP HANA, -. - HTTP (S) , icm/http/logging _ 0: global _ auditing _ state = true. global.ini, . , , XSS-. SAP HANA Administration Console –> Security HDB –> Auditing Status menu.
- , XSS. , , - SAP . XSS- – SAP. SAP XSS-. XSS SAP.
, ( chipik ) .
Logging additional information ABAP protection SAP Encoding Functions for AS ABAP Java protection SAP Encoding Functions for AS Java and JavaScript Prevention of Cross-site Scripting SAP HANA protection Protecting SAP® Applications Based on Java and ABAP™ Against Common Attacks
<%@page language="abap" forceEncode="html"%>
<% data: inputvalue type string.
inputvalue = request->get_form_field( 'x' ).
%>
</html>
. , ( ):
<%html=...%>: HTML <%url=...%>: URL URL <%javascript=...%>: JavaScript <%css=…%> : CSS <%raw=...%> ( , , , )
BSP
BSP HTMLB forceEncode <htmlb:content> ENABLED , ( ). ENABLED , , :<htmlb:content forceEncode="ENABLED|BACKWARDS_COMPATIBLE">
ENABLED: . , ; BACKWARDS_COMPATIBLE: . , .
, htmlb:content , . : CLASSIC, DESIGN2002, DESIGN2003, DESIGN2008, , (+). CLASSIC DESIGN2002 (, ) .
<htmlb:content forceEncode="ENABLED" design="DESIGN2003+DESIGN2008">
, design=CLASSIC. .
Mixed BSP- HTML HTMLB
forceEncode BSP page forceEncode HTMLB . , – HTMLB. , , HTML BSP,
Internet Transaction Server (ITS) HTML Business
Internet Transaction Server (ITS) HTML Business, :
xss_url_escape() xss_html_escape() xss_wml_escape() xss_css_escape() xss_js_escape()
HTML Business
, HTML-: , (`) , :
~auto_html_escaping=1: , ~new_xss_functions=1: XSS.
~html_escaping_off=1/0, .
, , SAP_BASIS:
ITS ( <= 6.40), Internet Service SE80. ITS ( >= 6.40), GUI SICF :
7.20, ~new_xss_functions, XSS- .
, , , . ~html_escaping_off=”X”, . , . SAP Security Note 1488500.
Business HTML (BHTML)
HTMLBusiness Template Library (, SAP_TemplateNonEditableField()) . , . SAP Security Note 916255.
, . , .
, XSS-:
http/security_session_timeout = 900; - , . icf/set_HTTPonly_flag_on_cookies = 0; HttpOnly , - , , . HTTPOnly, Logon tickets XSS-.
, RZ10, ( Profile) (, DEFAULT.PFL, SAP-). , , , Extended maintenance . , Copy.
, , - , - -, :
icm/HTTP/logging_0 icm/security_log ,
SAP NetWeaver J2EE
SAP NetWeaver J2EE
AS Java tc_sec_csi.jar. , HTML/XML, JavaScript, CSS URL. StringUtils (com.sap.security.core.server.csi.util.StringUtils):
. Securing SAP from XSS vulnerabilities
escapeScriptEndTag(String pStr) - , javascript ; escapeToHTML(String input) – (. 1) escapeToJS(String input) – JS declaration ( . 5) escapeToURL(String input) – , URL ( 3). , 'disableScriptSignatures'. escapeToURL(StringBuffer sb, String input, int maxLength) - , URL ( 3). , 'disableScriptSignatures'. escapeToURL(String input, int maxLength) - , URL (. 3). , 'disableScriptSignatures'. urlEncode(String s) – URLEncoder.encode
, .
1 ( )
[CASE1]
Username [CASE1]
2 ( , – URL)
Click here
3 ( - URL)
4 ( SCRIPT', – )
5 ( – declaration )
XSSEncoder.
- XSSEncoder ( : com.sap.security.core.server.csi.XSSEncoder).
:
HTML / XML out = XSSEncoder.encodeHTML( in ) and XSSEncoder.encodeXML( val ); JavaScript out = XSSEncoder.encodeJavaScript( val ); URL out = XSSEncoder.encodeURL( val ); CSS out = XSSEncoder.encodeCSS( val );
, . SAP Security Note 1590008.
WebDynpro Java
WebDynpro Java, XSS. .
SAP UI Development Kit for HTML5
SAP UI Development Kit HTML5, jQuery /_core/src/main/js/jquery.sap.encoder.js.
:
HTML / XML jQuery.sap.encodeHTML(sValue) and jQuery.sap.encodeXML(sValue) JavaScript jQuery.sap.encodeJS(sValue) URL jQuery.sap.encodeURL(sValue) CSS jQuery.sap.encodeCSS(sValue)
:
, :
Global_app_config/session_config/sessionTimeout = 900. - , . SystemCookiesDataProtection = true. HttpOnly , - , , . HTTPOnly, Logon tickets XSS-. ume.logon.httponlycookie= True. Logon tickets , Single Sign-On J2EE Engine. “True” , HTTP document.cookie ( XSS-) . SessionIPProtectionEnabled = True. , IP . True, HTTP- IP. IP, .
, , - XSS-, - -, .
LogCLF = TRUE http.properties logging CEF. ArchiveOldLogFiles = ON. Log Configurator . . , . , . . HttpTrace= Enable. HTTP- , ConfigTool. HTTP Provider Service, , HttpTrace.
SAP HANA XS
, XSS- – SAP HANA.
SAP HANA SAPUI5.
- SAPUI5 , . , int int, sap.ui.core . – , HTML:
, :
sessiontimeout = 900. - , . HttpOnly .
, , - XSS-, - -, .
HTTP (S) , SAP HANA, -. - HTTP (S) , icm/http/logging _ 0: global _ auditing _ state = true. global.ini, . , , XSS-. SAP HANA Administration Console –> Security HDB –> Auditing Status menu.
- , XSS. , , - SAP . XSS- – SAP. SAP XSS-. XSS SAP.
, ( chipik ) .
Logging additional information ABAP protection SAP Encoding Functions for AS ABAP Java protection SAP Encoding Functions for AS Java and JavaScript Prevention of Cross-site Scripting SAP HANA protection Protecting SAP® Applications Based on Java and ABAP™ Against Common Attacks
<%@page language="abap" forceEncode="html"%>
<% data: inputvalue type string.
inputvalue = request->get_form_field( 'x' ).
%>
</html>
. , ( ):
<%html=...%>: HTML <%url=...%>: URL URL <%javascript=...%>: JavaScript <%css=…%> : CSS <%raw=...%> ( , , , )
BSP
BSP HTMLB forceEncode <htmlb:content> ENABLED , ( ). ENABLED , , :<htmlb:content forceEncode="ENABLED|BACKWARDS_COMPATIBLE">
ENABLED: . , ; BACKWARDS_COMPATIBLE: . , .
, htmlb:content , . : CLASSIC, DESIGN2002, DESIGN2003, DESIGN2008, , (+). CLASSIC DESIGN2002 (, ) .
<htmlb:content forceEncode="ENABLED" design="DESIGN2003+DESIGN2008">
, design=CLASSIC. .
Mixed BSP- HTML HTMLB
forceEncode BSP page forceEncode HTMLB . , – HTMLB. , , HTML BSP,
Internet Transaction Server (ITS) HTML Business
Internet Transaction Server (ITS) HTML Business, :
xss_url_escape() xss_html_escape() xss_wml_escape() xss_css_escape() xss_js_escape()
HTML Business
, HTML-: , (`) , :
~auto_html_escaping=1: , ~new_xss_functions=1: XSS.
~html_escaping_off=1/0, .
, , SAP_BASIS:
ITS ( <= 6.40), Internet Service SE80. ITS ( >= 6.40), GUI SICF :
7.20, ~new_xss_functions, XSS- .
, , , . ~html_escaping_off=”X”, . , . SAP Security Note 1488500.
Business HTML (BHTML)
HTMLBusiness Template Library (, SAP_TemplateNonEditableField()) . , . SAP Security Note 916255.
, . , .
, XSS-:
http/security_session_timeout = 900; - , . icf/set_HTTPonly_flag_on_cookies = 0; HttpOnly , - , , . HTTPOnly, Logon tickets XSS-.
, RZ10, ( Profile) (, DEFAULT.PFL, SAP-). , , , Extended maintenance . , Copy.
, , - , - -, :
icm/HTTP/logging_0 icm/security_log ,
SAP NetWeaver J2EE
SAP NetWeaver J2EE
AS Java tc_sec_csi.jar. , HTML/XML, JavaScript, CSS URL. StringUtils (com.sap.security.core.server.csi.util.StringUtils):
. Securing SAP from XSS vulnerabilities
escapeScriptEndTag(String pStr) - , javascript ; escapeToHTML(String input) – (. 1) escapeToJS(String input) – JS declaration ( . 5) escapeToURL(String input) – , URL ( 3). , 'disableScriptSignatures'. escapeToURL(StringBuffer sb, String input, int maxLength) - , URL ( 3). , 'disableScriptSignatures'. escapeToURL(String input, int maxLength) - , URL (. 3). , 'disableScriptSignatures'. urlEncode(String s) – URLEncoder.encode
, .
1 ( )
[CASE1]
Username [CASE1]
2 ( , – URL)
Click here
3 ( - URL)
4 ( SCRIPT', – )
5 ( – declaration )
XSSEncoder.
- XSSEncoder ( : com.sap.security.core.server.csi.XSSEncoder).
:
HTML / XML out = XSSEncoder.encodeHTML( in ) and XSSEncoder.encodeXML( val ); JavaScript out = XSSEncoder.encodeJavaScript( val ); URL out = XSSEncoder.encodeURL( val ); CSS out = XSSEncoder.encodeCSS( val );
, . SAP Security Note 1590008.
WebDynpro Java
WebDynpro Java, XSS. .
SAP UI Development Kit for HTML5
SAP UI Development Kit HTML5, jQuery /_core/src/main/js/jquery.sap.encoder.js.
:
HTML / XML jQuery.sap.encodeHTML(sValue) and jQuery.sap.encodeXML(sValue) JavaScript jQuery.sap.encodeJS(sValue) URL jQuery.sap.encodeURL(sValue) CSS jQuery.sap.encodeCSS(sValue)
:
, :
Global_app_config/session_config/sessionTimeout = 900. - , . SystemCookiesDataProtection = true. HttpOnly , - , , . HTTPOnly, Logon tickets XSS-. ume.logon.httponlycookie= True. Logon tickets , Single Sign-On J2EE Engine. “True” , HTTP document.cookie ( XSS-) . SessionIPProtectionEnabled = True. , IP . True, HTTP- IP. IP, .
, , - XSS-, - -, .
LogCLF = TRUE http.properties logging CEF. ArchiveOldLogFiles = ON. Log Configurator . . , . , . . HttpTrace= Enable. HTTP- , ConfigTool. HTTP Provider Service, , HttpTrace.
SAP HANA XS
, XSS- – SAP HANA.
SAP HANA SAPUI5.
- SAPUI5 , . , int int, sap.ui.core . – , HTML:
, :
sessiontimeout = 900. - , . HttpOnly .
, , - XSS-, - -, .
HTTP (S) , SAP HANA, -. - HTTP (S) , icm/http/logging _ 0: global _ auditing _ state = true. global.ini, . , , XSS-. SAP HANA Administration Console –> Security HDB –> Auditing Status menu.
- , XSS. , , - SAP . XSS- – SAP. SAP XSS-. XSS SAP.
, ( chipik ) .
Logging additional information ABAP protection SAP Encoding Functions for AS ABAP Java protection SAP Encoding Functions for AS Java and JavaScript Prevention of Cross-site Scripting SAP HANA protection Protecting SAP® Applications Based on Java and ABAP™ Against Common Attacks
<%@page language="abap" forceEncode="html"%>
<% data: inputvalue type string.
inputvalue = request->get_form_field( 'x' ).
%>
</html>
. , ( ):
<%html=...%>: HTML <%url=...%>: URL URL <%javascript=...%>: JavaScript <%css=…%> : CSS <%raw=...%> ( , , , )
BSP
BSP HTMLB forceEncode <htmlb:content> ENABLED , ( ). ENABLED , , :<htmlb:content forceEncode="ENABLED|BACKWARDS_COMPATIBLE">
ENABLED: . , ; BACKWARDS_COMPATIBLE: . , .
, htmlb:content , . : CLASSIC, DESIGN2002, DESIGN2003, DESIGN2008, , (+). CLASSIC DESIGN2002 (, ) .
<htmlb:content forceEncode="ENABLED" design="DESIGN2003+DESIGN2008">
, design=CLASSIC. .
Mixed BSP- HTML HTMLB
forceEncode BSP page forceEncode HTMLB . , – HTMLB. , , HTML BSP,
Internet Transaction Server (ITS) HTML Business
Internet Transaction Server (ITS) HTML Business, :
xss_url_escape() xss_html_escape() xss_wml_escape() xss_css_escape() xss_js_escape()
HTML Business
, HTML-: , (`) , :
~auto_html_escaping=1: , ~new_xss_functions=1: XSS.
~html_escaping_off=1/0, .
, , SAP_BASIS:
ITS ( <= 6.40), Internet Service SE80. ITS ( >= 6.40), GUI SICF :
7.20, ~new_xss_functions, XSS- .
, , , . ~html_escaping_off=”X”, . , . SAP Security Note 1488500.
Business HTML (BHTML)
HTMLBusiness Template Library (, SAP_TemplateNonEditableField()) . , . SAP Security Note 916255.
, . , .
, XSS-:
http/security_session_timeout = 900; - , . icf/set_HTTPonly_flag_on_cookies = 0; HttpOnly , - , , . HTTPOnly, Logon tickets XSS-.
, RZ10, ( Profile) (, DEFAULT.PFL, SAP-). , , , Extended maintenance . , Copy.
, , - , - -, :
icm/HTTP/logging_0 icm/security_log ,
SAP NetWeaver J2EE
SAP NetWeaver J2EE
AS Java tc_sec_csi.jar. , HTML/XML, JavaScript, CSS URL. StringUtils (com.sap.security.core.server.csi.util.StringUtils):
. Securing SAP from XSS vulnerabilities
escapeScriptEndTag(String pStr) - , javascript ; escapeToHTML(String input) – (. 1) escapeToJS(String input) – JS declaration ( . 5) escapeToURL(String input) – , URL ( 3). , 'disableScriptSignatures'. escapeToURL(StringBuffer sb, String input, int maxLength) - , URL ( 3). , 'disableScriptSignatures'. escapeToURL(String input, int maxLength) - , URL (. 3). , 'disableScriptSignatures'. urlEncode(String s) – URLEncoder.encode
, .
1 ( )
[CASE1]
Username [CASE1]
2 ( , – URL)
Click here
3 ( - URL)
4 ( SCRIPT', – )
5 ( – declaration )
XSSEncoder.
- XSSEncoder ( : com.sap.security.core.server.csi.XSSEncoder).
:
HTML / XML out = XSSEncoder.encodeHTML( in ) and XSSEncoder.encodeXML( val ); JavaScript out = XSSEncoder.encodeJavaScript( val ); URL out = XSSEncoder.encodeURL( val ); CSS out = XSSEncoder.encodeCSS( val );
, . SAP Security Note 1590008.
WebDynpro Java
WebDynpro Java, XSS. .
SAP UI Development Kit for HTML5
SAP UI Development Kit HTML5, jQuery /_core/src/main/js/jquery.sap.encoder.js.
:
HTML / XML jQuery.sap.encodeHTML(sValue) and jQuery.sap.encodeXML(sValue) JavaScript jQuery.sap.encodeJS(sValue) URL jQuery.sap.encodeURL(sValue) CSS jQuery.sap.encodeCSS(sValue)
:
, :
Global_app_config/session_config/sessionTimeout = 900. - , . SystemCookiesDataProtection = true. HttpOnly , - , , . HTTPOnly, Logon tickets XSS-. ume.logon.httponlycookie= True. Logon tickets , Single Sign-On J2EE Engine. “True” , HTTP document.cookie ( XSS-) . SessionIPProtectionEnabled = True. , IP . True, HTTP- IP. IP, .
, , - XSS-, - -, .
LogCLF = TRUE http.properties logging CEF. ArchiveOldLogFiles = ON. Log Configurator . . , . , . . HttpTrace= Enable. HTTP- , ConfigTool. HTTP Provider Service, , HttpTrace.
SAP HANA XS
, XSS- – SAP HANA.
SAP HANA SAPUI5.
- SAPUI5 , . , int int, sap.ui.core . – , HTML:
, :
sessiontimeout = 900. - , . HttpOnly .
, , - XSS-, - -, .
HTTP (S) , SAP HANA, -. - HTTP (S) , icm/http/logging _ 0: global _ auditing _ state = true. global.ini, . , , XSS-. SAP HANA Administration Console –> Security HDB –> Auditing Status menu.
- , XSS. , , - SAP . XSS- – SAP. SAP XSS-. XSS SAP.
, ( chipik ) .
Logging additional information ABAP protection SAP Encoding Functions for AS ABAP Java protection SAP Encoding Functions for AS Java and JavaScript Prevention of Cross-site Scripting SAP HANA protection Protecting SAP® Applications Based on Java and ABAP™ Against Common Attacks
<%@page language="abap" forceEncode="html"%>
<% data: inputvalue type string.
inputvalue = request->get_form_field( 'x' ).
%>
</html>
. , ( ):
<%html=...%>: HTML <%url=...%>: URL URL <%javascript=...%>: JavaScript <%css=…%> : CSS <%raw=...%> ( , , , )
BSP
BSP HTMLB forceEncode <htmlb:content> ENABLED , ( ). ENABLED , , :<htmlb:content forceEncode="ENABLED|BACKWARDS_COMPATIBLE">
ENABLED: . , ; BACKWARDS_COMPATIBLE: . , .
, htmlb:content , . : CLASSIC, DESIGN2002, DESIGN2003, DESIGN2008, , (+). CLASSIC DESIGN2002 (, ) .
<htmlb:content forceEncode="ENABLED" design="DESIGN2003+DESIGN2008">
, design=CLASSIC. .
Mixed BSP- HTML HTMLB
forceEncode BSP page forceEncode HTMLB . , – HTMLB. , , HTML BSP,
Internet Transaction Server (ITS) HTML Business
Internet Transaction Server (ITS) HTML Business, :
xss_url_escape() xss_html_escape() xss_wml_escape() xss_css_escape() xss_js_escape()
HTML Business
, HTML-: , (`) , :
~auto_html_escaping=1: , ~new_xss_functions=1: XSS.
~html_escaping_off=1/0, .
, , SAP_BASIS:
ITS ( <= 6.40), Internet Service SE80. ITS ( >= 6.40), GUI SICF :
7.20, ~new_xss_functions, XSS- .
, , , . ~html_escaping_off=”X”, . , . SAP Security Note 1488500.
Business HTML (BHTML)
HTMLBusiness Template Library (, SAP_TemplateNonEditableField()) . , . SAP Security Note 916255.
, . , .
, XSS-:
http/security_session_timeout = 900; - , . icf/set_HTTPonly_flag_on_cookies = 0; HttpOnly , - , , . HTTPOnly, Logon tickets XSS-.
, RZ10, ( Profile) (, DEFAULT.PFL, SAP-). , , , Extended maintenance . , Copy.
, , - , - -, :
icm/HTTP/logging_0 icm/security_log ,
SAP NetWeaver J2EE
SAP NetWeaver J2EE
AS Java tc_sec_csi.jar. , HTML/XML, JavaScript, CSS URL. StringUtils (com.sap.security.core.server.csi.util.StringUtils):
. Securing SAP from XSS vulnerabilities
escapeScriptEndTag(String pStr) - , javascript ; escapeToHTML(String input) – (. 1) escapeToJS(String input) – JS declaration ( . 5) escapeToURL(String input) – , URL ( 3). , 'disableScriptSignatures'. escapeToURL(StringBuffer sb, String input, int maxLength) - , URL ( 3). , 'disableScriptSignatures'. escapeToURL(String input, int maxLength) - , URL (. 3). , 'disableScriptSignatures'. urlEncode(String s) – URLEncoder.encode
, .
1 ( )
[CASE1]
Username [CASE1]
2 ( , – URL)
Click here
3 ( - URL)
4 ( SCRIPT', – )
5 ( – declaration )
XSSEncoder.
- XSSEncoder ( : com.sap.security.core.server.csi.XSSEncoder).
:
HTML / XML out = XSSEncoder.encodeHTML( in ) and XSSEncoder.encodeXML( val ); JavaScript out = XSSEncoder.encodeJavaScript( val ); URL out = XSSEncoder.encodeURL( val ); CSS out = XSSEncoder.encodeCSS( val );
, . SAP Security Note 1590008.
WebDynpro Java
WebDynpro Java, XSS. .
SAP UI Development Kit for HTML5
SAP UI Development Kit HTML5, jQuery /_core/src/main/js/jquery.sap.encoder.js.
:
HTML / XML jQuery.sap.encodeHTML(sValue) and jQuery.sap.encodeXML(sValue) JavaScript jQuery.sap.encodeJS(sValue) URL jQuery.sap.encodeURL(sValue) CSS jQuery.sap.encodeCSS(sValue)
:
, :
Global_app_config/session_config/sessionTimeout = 900. - , . SystemCookiesDataProtection = true. HttpOnly , - , , . HTTPOnly, Logon tickets XSS-. ume.logon.httponlycookie= True. Logon tickets , Single Sign-On J2EE Engine. “True” , HTTP document.cookie ( XSS-) . SessionIPProtectionEnabled = True. , IP . True, HTTP- IP. IP, .
, , - XSS-, - -, .
LogCLF = TRUE http.properties logging CEF. ArchiveOldLogFiles = ON. Log Configurator . . , . , . . HttpTrace= Enable. HTTP- , ConfigTool. HTTP Provider Service, , HttpTrace.
SAP HANA XS
, XSS- – SAP HANA.
SAP HANA SAPUI5.
- SAPUI5 , . , int int, sap.ui.core . – , HTML:
, :
sessiontimeout = 900. - , . HttpOnly .
, , - XSS-, - -, .
HTTP (S) , SAP HANA, -. - HTTP (S) , icm/http/logging _ 0: global _ auditing _ state = true. global.ini, . , , XSS-. SAP HANA Administration Console –> Security HDB –> Auditing Status menu.
- , XSS. , , - SAP . XSS- – SAP. SAP XSS-. XSS SAP.
, ( chipik ) .
Logging additional information ABAP protection SAP Encoding Functions for AS ABAP Java protection SAP Encoding Functions for AS Java and JavaScript Prevention of Cross-site Scripting SAP HANA protection Protecting SAP® Applications Based on Java and ABAP™ Against Common Attacks
<%@page language="abap" forceEncode="html"%>
<% data: inputvalue type string.
inputvalue = request->get_form_field( 'x' ).
%>
</html>
. , ( ):
<%html=...%>: HTML <%url=...%>: URL URL <%javascript=...%>: JavaScript <%css=…%> : CSS <%raw=...%> ( , , , )
BSP
BSP HTMLB forceEncode <htmlb:content> ENABLED , ( ). ENABLED , , :<htmlb:content forceEncode="ENABLED|BACKWARDS_COMPATIBLE">
ENABLED: . , ; BACKWARDS_COMPATIBLE: . , .
, htmlb:content , . : CLASSIC, DESIGN2002, DESIGN2003, DESIGN2008, , (+). CLASSIC DESIGN2002 (, ) .
<htmlb:content forceEncode="ENABLED" design="DESIGN2003+DESIGN2008">
, design=CLASSIC. .
Mixed BSP- HTML HTMLB
forceEncode BSP page forceEncode HTMLB . , – HTMLB. , , HTML BSP,
Internet Transaction Server (ITS) HTML Business
Internet Transaction Server (ITS) HTML Business, :
xss_url_escape() xss_html_escape() xss_wml_escape() xss_css_escape() xss_js_escape()
HTML Business
, HTML-: , (`) , :
~auto_html_escaping=1: , ~new_xss_functions=1: XSS.
~html_escaping_off=1/0, .
, , SAP_BASIS:
ITS ( <= 6.40), Internet Service SE80. ITS ( >= 6.40), GUI SICF :
7.20, ~new_xss_functions, XSS- .
, , , . ~html_escaping_off=”X”, . , . SAP Security Note 1488500.
Business HTML (BHTML)
HTMLBusiness Template Library (, SAP_TemplateNonEditableField()) . , . SAP Security Note 916255.
, . , .
, XSS-:
http/security_session_timeout = 900; - , . icf/set_HTTPonly_flag_on_cookies = 0; HttpOnly , - , , . HTTPOnly, Logon tickets XSS-.
, RZ10, ( Profile) (, DEFAULT.PFL, SAP-). , , , Extended maintenance . , Copy.
, , - , - -, :
icm/HTTP/logging_0 icm/security_log ,
SAP NetWeaver J2EE
SAP NetWeaver J2EE
AS Java tc_sec_csi.jar. , HTML/XML, JavaScript, CSS URL. StringUtils (com.sap.security.core.server.csi.util.StringUtils):
. Securing SAP from XSS vulnerabilities
To be able to reconstruct an attack afterwards, enable logging of HTTP requests and security events on AS ABAP. The relevant profile parameters are:
icm/HTTP/logging_0 – the ICM HTTP access log (one entry per request, including the query string in which a reflected XSS payload usually travels);
icm/security_log – the ICM security log.
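The following is an added example, not code from the original article or from SAP: a small audit script that parses an ABAP instance profile and checks the XSS-related parameters named in this section and the previous one (session timeout, HttpOnly flag, ICM HTTP and security logs) against the recommended values. The two profile texts are constructed for the example; the parameter names are the real SAP ones, the log file values are illustrative.

```javascript
// Added example (not SAP's code): audit XSS-related AS ABAP profile parameters.
// Expected values follow the article's recommendations:
//   http/security_session_timeout  <= 900 seconds
//   icf/set_HTTPonly_flag_on_cookies = 0 (HttpOnly set; any other value is reported)
//   icm/HTTP/logging_0 and icm/security_log present (logging switched on)
const EXPECTED = {
  'http/security_session_timeout':    (v) => Number(v) > 0 && Number(v) <= 900,
  'icf/set_HTTPonly_flag_on_cookies': (v) => v === '0',
  'icm/HTTP/logging_0':               (v) => v.length > 0,
  'icm/security_log':                 (v) => v.length > 0,
};

// Parse "name = value" lines of a profile file; '#' starts a comment.
// Only the first '=' separates name and value, because ICM log settings
// themselves contain '=' (e.g. LOGFILE=...).
function parseProfile(text) {
  const params = {};
  for (const raw of text.split(/\r?\n/)) {
    const line = raw.trim();
    if (!line || line.startsWith('#')) continue;
    const eq = line.indexOf('=');
    if (eq < 0) continue;
    params[line.slice(0, eq).trim()] = line.slice(eq + 1).trim();
  }
  return params;
}

// One finding per expected parameter: 'ok', 'weak' (wrong value) or 'missing'.
function auditProfile(text) {
  const params = parseProfile(text);
  return Object.entries(EXPECTED).map(([name, check]) => {
    const value = params[name];
    if (value === undefined) return { name, value: null, status: 'missing' };
    return { name, value, status: check(value) ? 'ok' : 'weak' };
  });
}

// Constructed sample 1: a weak profile (long timeout, HttpOnly not set,
// HTTP log configured but no security log).
const WEAK_PROFILE = `
# DEFAULT.PFL (constructed sample)
SAPSYSTEMNAME = XSS
http/security_session_timeout = 3600
icf/set_HTTPonly_flag_on_cookies = 3
icm/HTTP/logging_0 = PREFIX=/,LOGFILE=$(DIR_LOGGING)/http.log
`;

// Constructed sample 2: the same profile after applying the recommendations.
const HARDENED_PROFILE = `
# DEFAULT.PFL (constructed sample, hardened)
SAPSYSTEMNAME = XSS
http/security_session_timeout = 900
icf/set_HTTPonly_flag_on_cookies = 0
icm/HTTP/logging_0 = PREFIX=/,LOGFILE=$(DIR_LOGGING)/http.log
icm/security_log = LOGFILE=$(DIR_LOGGING)/dev_icm_sec,LEVEL=2
`;

// Human-readable report, e.g. for a quick check before a pentest or audit.
function report(text) {
  return auditProfile(text)
    .map((f) => `${f.status.padEnd(7)} ${f.name} = ${f.value === null ? '(not set)' : f.value}`)
    .join('\n');
}

console.log('--- weak profile ---\n' + report(WEAK_PROFILE));
console.log('--- hardened profile ---\n' + report(HARDENED_PROFILE));
```

Run it with Node; in practice feed it the text of DEFAULT.PFL and the instance profile from RZ10 (or the file system), remembering that an instance profile overrides DEFAULT.PFL for the same parameter.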
SAP NetWeaver J2EE
On AS Java the encoding functions are delivered in tc_sec_csi.jar. They cover the HTML/XML, JavaScript, CSS and URL output contexts. The older API is the StringUtils class (com.sap.security.core.server.csi.util.StringUtils):
escapeScriptEndTag(String pStr) – escapes the closing script tag, so that a value embedded in JavaScript cannot terminate the script block;
escapeToHTML(String input) – encoding for the HTML context (see case 1);
escapeToJS(String input) – encoding for a JavaScript declaration (see case 5);
escapeToURL(String input) – encoding for a value placed in a URL (see case 3), subject to the 'disableScriptSignatures' option;
escapeToURL(StringBuffer sb, String input, int maxLength) – the same, writing into a StringBuffer with a maximum length, subject to the 'disableScriptSignatures' option;
escapeToURL(String input, int maxLength) – the same with a maximum length, subject to the 'disableScriptSignatures' option;
urlEncode(String s) – a wrapper around java.net.URLEncoder.encode.
The output contexts referred to as cases are:
Case 1 (value written into HTML content or an HTML attribute; the placeholder [CASE1] marks the user-controlled value, for example the Username field of a form)
Case 2 (value that forms a link, i.e. the URL behind a "Click here" anchor)
Case 3 (value inside a URL parameter)
Case 4 (value inside a SCRIPT block, enclosed in quotes)
Case 5 (value in a JavaScript declaration)
XSSEncoder
The newer API is the XSSEncoder class (full name: com.sap.security.core.server.csi.XSSEncoder). Its methods by output context:
Context | Method |
HTML / XML | out = XSSEncoder.encodeHTML( val ) and XSSEncoder.encodeXML( val ) |
JavaScript | out = XSSEncoder.encodeJavaScript( val ) |
URL | out = XSSEncoder.encodeURL( val ) |
CSS | out = XSSEncoder.encodeCSS( val ) |
For details see SAP Security Note 1590008.
WebDynpro Java
In WebDynpro Java, protection against XSS is built into the framework: output rendered through its UI elements is encoded automatically, so developers normally need no explicit encoding calls. HTML that a developer assembles by hand outside the UI elements is not covered and must be encoded with the functions above.
SAP UI Development Kit for HTML5
In the SAP UI Development Kit for HTML5 (SAPUI5) the encoding functions are provided by the jQuery plugin /_core/src/main/js/jquery.sap.encoder.js. Functions by output context:
Context | Method |
HTML / XML | jQuery.sap.encodeHTML(sValue) and jQuery.sap.encodeXML(sValue) |
JavaScript | jQuery.sap.encodeJS(sValue) |
URL | jQuery.sap.encodeURL(sValue) |
CSS | jQuery.sap.encodeCSS(sValue) |
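The following is an added example and not SAP's code: it re-implements, in plain JavaScript with no dependency on SAPUI5, the four context-specific encoders that the StringUtils/XSSEncoder section and the jQuery.sap.encode* table above describe, and then renders the page's cases 1 to 5 with the right encoder for each sink. The function names (encodeHTML, encodeJS, encodeURL, encodeCSS, renderProfile) and the escaping rules are the example's own, modelled on the documented behaviour of such encoders; the inputs are constructed attack strings.

```javascript
// Added example (not SAP's code): context-sensitive output encoding.
// Each encoder is tied to ONE sink; using encodeHTML for a value that lands
// inside a <script> string or a URL is the classic mistake these APIs prevent.

// HTML / XML text and attribute context: neutralise the six characters that
// can open a tag, close an attribute, or start an entity.
function encodeHTML(value) {
  return String(value).replace(/[&<>"'\/]/g, (c) => ({
    '&': '&amp;', '<': '&lt;', '>': '&gt;',
    '"': '&quot;', "'": '&#x27;', '/': '&#x2F;',
  })[c]);
}

// JavaScript string-literal context: \xHH for every non-alphanumeric ASCII
// character and \uHHHH above it, so neither a quote nor "</script>" can
// leave the literal (this also covers escapeScriptEndTag's job).
function encodeJS(value) {
  return String(value).replace(/[^A-Za-z0-9]/g, (c) => {
    const code = c.charCodeAt(0);
    return code < 0x100
      ? '\\x' + code.toString(16).padStart(2, '0')
      : '\\u' + code.toString(16).padStart(4, '0');
  });
}

// URL parameter context: percent-encode everything except unreserved
// characters, including the few that encodeURIComponent leaves alone.
function encodeURL(value) {
  return encodeURIComponent(String(value)).replace(/[!'()*]/g,
    (c) => '%' + c.charCodeAt(0).toString(16).toUpperCase());
}

// CSS value context: six-digit hex escapes for every non-alphanumeric
// character, so "expression(" , "url(" or a closing quote cannot be injected.
function encodeCSS(value) {
  return String(value).replace(/[^A-Za-z0-9]/g,
    (c) => '\\' + c.charCodeAt(0).toString(16).padStart(6, '0'));
}

// The page's cases, each rendered through the encoder for its sink.
function renderProfile(username, returnUrl, colour) {
  return [
    // Case 1: value in HTML content / attribute
    `<p>Username: ${encodeHTML(username)}</p>`,
    `<input name="Username" value="${encodeHTML(username)}">`,
    // Cases 2 and 3: value in a URL parameter that sits inside an href
    // attribute: URL-encode first, then HTML-encode for the attribute.
    `<a href="/logout?next=${encodeHTML(encodeURL(returnUrl))}">Click here</a>`,
    // Cases 4 and 5: value in a quoted string inside a SCRIPT block
    `<script>var user = "${encodeJS(username)}";</script>`,
    // CSS value in a style attribute
    `<div style="color:${encodeCSS(colour)}">`,
  ].join('\n');
}

// Constructed attack inputs: a script break-out, a javascript: URL, a CSS break-out.
console.log(renderProfile(
  '</script><script>alert(1)</script>',
  'javascript:alert(1)',
  'red;background:url(x)',
));
```

The rendered output contains exactly one real `<script>` tag, the one the template itself emits; the injected copies survive only as entities or hex escapes. Note the ordering in the href case: encode for the innermost context first (URL), then for the context it is embedded in (HTML attribute), which is the same layering SAP's encoders expect when contexts nest.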
Additional settings
On AS Java the following settings limit the damage an XSS flaw can do:
Global_app_config/session_config/sessionTimeout = 900 – session timeout in seconds; a stolen session is only useful to an attacker while it is still alive.
SystemCookiesDataProtection = true – sets the HttpOnly flag on the system cookies, so a script injected through XSS cannot read them; with HttpOnly, logon tickets cannot be stolen by an XSS payload.
ume.logon.httponlycookie = True – the same for the logon ticket, the cookie used for Single Sign-On to the J2EE Engine. With the value "True" the ticket is not readable from HTTP responses via document.cookie (the usual way an XSS payload exfiltrates it).
SessionIPProtectionEnabled = True – binds the session to the client's IP address: an HTTP request that presents a session cookie from a different IP address is rejected. Keep in mind that clients behind a proxy or NAT share an IP address, so this is a complement to, not a replacement for, HttpOnly.
Logging: to be able to reconstruct an XSS attack after the fact, enable logging of HTTP requests:
LogCLF = TRUE in http.properties – switches on HTTP access logging in CLF (Common Log Format).
ArchiveOldLogFiles = ON – set in the Log Configurator service; old log files are archived instead of being overwritten, so evidence of an earlier attack is not lost.
HttpTrace = Enable – switches on HTTP tracing; it is set in the ConfigTool under the HTTP Provider Service.
SAP HANA XS
Finally, XSS protection for SAP HANA.
The application layer of SAP HANA XS is built on SAPUI5, so the encoding functions from the SAPUI5 section apply. SAPUI5 controls type-check their properties (an int property only accepts an int, and the types in sap.ui.core validate their values), so the remaining risk is concentrated where a developer assembles HTML by hand instead of using controls; there the encoders must be called explicitly.
Additional settings:
sessiontimeout = 900 – session timeout in seconds. Make sure the HttpOnly flag is set on the session cookie.
Logging: to be able to reconstruct an XSS attack, enable logging of HTTP(S) requests to SAP HANA. The HTTP(S) access log is configured with icm/HTTP/logging_0; auditing is switched on with global_auditing_state = true in global.ini. The same auditing switch is available in the SAP HANA Administration Console –> Security (HDB) –> Auditing Status.
Conclusion
Developers who follow these recommendations when writing SAP applications will avoid the most common XSS mistakes. SAP provides the encoding functions and the configuration options for every platform discussed here; what remains is to use the right encoder for the right output context, keep the cookie and session settings tight, and log enough to investigate an incident. With thanks to chipik.
Further reading:
Logging: additional information
ABAP protection: SAP Encoding Functions for AS ABAP
Java protection: SAP Encoding Functions for AS Java and JavaScript; Prevention of Cross-site Scripting
SAP HANA protection: Protecting SAP® Applications Based on Java and ABAP™ Against Common Attacks
<%@page language="abap" forceEncode="html"%>
<% data: inputvalue type string.
inputvalue = request->get_form_field( 'x' ).
%>
</html>
. , ( ):
<%html=...%>: HTML <%url=...%>: URL URL <%javascript=...%>: JavaScript <%css=…%> : CSS <%raw=...%> ( , , , )
BSP
BSP HTMLB forceEncode <htmlb:content> ENABLED , ( ). ENABLED , , :<htmlb:content forceEncode="ENABLED|BACKWARDS_COMPATIBLE">
ENABLED: . , ; BACKWARDS_COMPATIBLE: . , .
, htmlb:content , . : CLASSIC, DESIGN2002, DESIGN2003, DESIGN2008, , (+). CLASSIC DESIGN2002 (, ) .
<htmlb:content forceEncode="ENABLED" design="DESIGN2003+DESIGN2008">
, design=CLASSIC. .
Mixed BSP- HTML HTMLB
forceEncode BSP page forceEncode HTMLB . , – HTMLB. , , HTML BSP,
Internet Transaction Server (ITS) HTML Business
Internet Transaction Server (ITS) HTML Business, :
xss_url_escape() xss_html_escape() xss_wml_escape() xss_css_escape() xss_js_escape()
HTML Business
, HTML-: , (`) , :
~auto_html_escaping=1: , ~new_xss_functions=1: XSS.
~html_escaping_off=1/0, .
, , SAP_BASIS:
ITS ( <= 6.40), Internet Service SE80. ITS ( >= 6.40), GUI SICF :
7.20, ~new_xss_functions, XSS- .
, , , . ~html_escaping_off=”X”, . , . SAP Security Note 1488500.
Business HTML (BHTML)
HTMLBusiness Template Library (, SAP_TemplateNonEditableField()) . , . SAP Security Note 916255.
, . , .
, XSS-:
http/security_session_timeout = 900; - , . icf/set_HTTPonly_flag_on_cookies = 0; HttpOnly , - , , . HTTPOnly, Logon tickets XSS-.
, RZ10, ( Profile) (, DEFAULT.PFL, SAP-). , , , Extended maintenance . , Copy.
, , - , - -, :
icm/HTTP/logging_0 icm/security_log ,
SAP NetWeaver J2EE
SAP NetWeaver J2EE
AS Java tc_sec_csi.jar. , HTML/XML, JavaScript, CSS URL. StringUtils (com.sap.security.core.server.csi.util.StringUtils):
. Securing SAP from XSS vulnerabilities
escapeScriptEndTag(String pStr) - , javascript ; escapeToHTML(String input) – (. 1) escapeToJS(String input) – JS declaration ( . 5) escapeToURL(String input) – , URL ( 3). , 'disableScriptSignatures'. escapeToURL(StringBuffer sb, String input, int maxLength) - , URL ( 3). , 'disableScriptSignatures'. escapeToURL(String input, int maxLength) - , URL (. 3). , 'disableScriptSignatures'. urlEncode(String s) – URLEncoder.encode
, .
1 ( )
[CASE1]
Username [CASE1]
2 ( , – URL)
Click here
3 ( - URL)
4 ( SCRIPT', – )
5 ( – declaration )
XSSEncoder.
- XSSEncoder ( : com.sap.security.core.server.csi.XSSEncoder).
:
HTML / XML out = XSSEncoder.encodeHTML( in ) and XSSEncoder.encodeXML( val ); JavaScript out = XSSEncoder.encodeJavaScript( val ); URL out = XSSEncoder.encodeURL( val ); CSS out = XSSEncoder.encodeCSS( val );
, . SAP Security Note 1590008.
WebDynpro Java
WebDynpro Java, XSS. .
SAP UI Development Kit for HTML5
SAP UI Development Kit HTML5, jQuery /_core/src/main/js/jquery.sap.encoder.js.
:
HTML / XML jQuery.sap.encodeHTML(sValue) and jQuery.sap.encodeXML(sValue) JavaScript jQuery.sap.encodeJS(sValue) URL jQuery.sap.encodeURL(sValue) CSS jQuery.sap.encodeCSS(sValue)
:
, :
Global_app_config/session_config/sessionTimeout = 900. - , . SystemCookiesDataProtection = true. HttpOnly , - , , . HTTPOnly, Logon tickets XSS-. ume.logon.httponlycookie= True. Logon tickets , Single Sign-On J2EE Engine. “True” , HTTP document.cookie ( XSS-) . SessionIPProtectionEnabled = True. , IP . True, HTTP- IP. IP, .
, , - XSS-, - -, .
LogCLF = TRUE http.properties logging CEF. ArchiveOldLogFiles = ON. Log Configurator . . , . , . . HttpTrace= Enable. HTTP- , ConfigTool. HTTP Provider Service, , HttpTrace.
SAP HANA XS
, XSS- – SAP HANA.
SAP HANA SAPUI5.
- SAPUI5 , . , int int, sap.ui.core . – , HTML:
, :
sessiontimeout = 900. - , . HttpOnly .
, , - XSS-, - -, .
HTTP (S) , SAP HANA, -. - HTTP (S) , icm/http/logging _ 0: global _ auditing _ state = true. global.ini, . , , XSS-. SAP HANA Administration Console –> Security HDB –> Auditing Status menu.
- , XSS. , , - SAP . XSS- – SAP. SAP XSS-. XSS SAP.
, ( chipik ) .
Logging additional information ABAP protection SAP Encoding Functions for AS ABAP Java protection SAP Encoding Functions for AS Java and JavaScript Prevention of Cross-site Scripting SAP HANA protection Protecting SAP® Applications Based on Java and ABAP™ Against Common Attacks
<%@page language="abap" forceEncode="html"%>
<% data: inputvalue type string.
inputvalue = request->get_form_field( 'x' ).
%>
</html>
. , ( ):
<%html=...%>: HTML <%url=...%>: URL URL <%javascript=...%>: JavaScript <%css=…%> : CSS <%raw=...%> ( , , , )
BSP
BSP HTMLB forceEncode <htmlb:content> ENABLED , ( ). ENABLED , , :<htmlb:content forceEncode="ENABLED|BACKWARDS_COMPATIBLE">
ENABLED: . , ; BACKWARDS_COMPATIBLE: . , .
, htmlb:content , . : CLASSIC, DESIGN2002, DESIGN2003, DESIGN2008, , (+). CLASSIC DESIGN2002 (, ) .
<htmlb:content forceEncode="ENABLED" design="DESIGN2003+DESIGN2008">
, design=CLASSIC. .
Mixed BSP- HTML HTMLB
forceEncode BSP page forceEncode HTMLB . , – HTMLB. , , HTML BSP,
Internet Transaction Server (ITS) HTML Business
Internet Transaction Server (ITS) HTML Business, :
xss_url_escape() xss_html_escape() xss_wml_escape() xss_css_escape() xss_js_escape()
HTML Business
, HTML-: , (`) , :
~auto_html_escaping=1: , ~new_xss_functions=1: XSS.
~html_escaping_off=1/0, .
, , SAP_BASIS:
ITS ( <= 6.40), Internet Service SE80. ITS ( >= 6.40), GUI SICF :
7.20, ~new_xss_functions, XSS- .
, , , . ~html_escaping_off=”X”, . , . SAP Security Note 1488500.
Business HTML (BHTML)
HTMLBusiness Template Library (, SAP_TemplateNonEditableField()) . , . SAP Security Note 916255.
, . , .
, XSS-:
http/security_session_timeout = 900; - , . icf/set_HTTPonly_flag_on_cookies = 0; HttpOnly , - , , . HTTPOnly, Logon tickets XSS-.
, RZ10, ( Profile) (, DEFAULT.PFL, SAP-). , , , Extended maintenance . , Copy.
, , - , - -, :
icm/HTTP/logging_0 icm/security_log ,
SAP NetWeaver J2EE
SAP NetWeaver J2EE
AS Java tc_sec_csi.jar. , HTML/XML, JavaScript, CSS URL. StringUtils (com.sap.security.core.server.csi.util.StringUtils):
. Securing SAP from XSS vulnerabilities
escapeScriptEndTag(String pStr) - , javascript ; escapeToHTML(String input) – (. 1) escapeToJS(String input) – JS declaration ( . 5) escapeToURL(String input) – , URL ( 3). , 'disableScriptSignatures'. escapeToURL(StringBuffer sb, String input, int maxLength) - , URL ( 3). , 'disableScriptSignatures'. escapeToURL(String input, int maxLength) - , URL (. 3). , 'disableScriptSignatures'. urlEncode(String s) – URLEncoder.encode
, .
1 ( )
[CASE1]
Username [CASE1]
2 ( , – URL)
Click here
3 ( - URL)
4 ( SCRIPT', – )
5 ( – declaration )
XSSEncoder.
- XSSEncoder ( : com.sap.security.core.server.csi.XSSEncoder).
:
HTML / XML out = XSSEncoder.encodeHTML( in ) and XSSEncoder.encodeXML( val ); JavaScript out = XSSEncoder.encodeJavaScript( val ); URL out = XSSEncoder.encodeURL( val ); CSS out = XSSEncoder.encodeCSS( val );
, . SAP Security Note 1590008.
WebDynpro Java
WebDynpro Java, XSS. .
SAP UI Development Kit for HTML5
SAP UI Development Kit HTML5, jQuery /_core/src/main/js/jquery.sap.encoder.js.
:
HTML / XML jQuery.sap.encodeHTML(sValue) and jQuery.sap.encodeXML(sValue) JavaScript jQuery.sap.encodeJS(sValue) URL jQuery.sap.encodeURL(sValue) CSS jQuery.sap.encodeCSS(sValue)
:
, :
Global_app_config/session_config/sessionTimeout = 900. - , . SystemCookiesDataProtection = true. HttpOnly , - , , . HTTPOnly, Logon tickets XSS-. ume.logon.httponlycookie= True. Logon tickets , Single Sign-On J2EE Engine. “True” , HTTP document.cookie ( XSS-) . SessionIPProtectionEnabled = True. , IP . True, HTTP- IP. IP, .
, , - XSS-, - -, .
LogCLF = TRUE http.properties logging CEF. ArchiveOldLogFiles = ON. Log Configurator . . , . , . . HttpTrace= Enable. HTTP- , ConfigTool. HTTP Provider Service, , HttpTrace.
SAP HANA XS
, XSS- – SAP HANA.
SAP HANA SAPUI5.
- SAPUI5 , . , int int, sap.ui.core . – , HTML:
, :
sessiontimeout = 900. - , . HttpOnly .
, , - XSS-, - -, .
HTTP (S) , SAP HANA, -. - HTTP (S) , icm/http/logging _ 0: global _ auditing _ state = true. global.ini, . , , XSS-. SAP HANA Administration Console –> Security HDB –> Auditing Status menu.
- , XSS. , , - SAP . XSS- – SAP. SAP XSS-. XSS SAP.
, ( chipik ) .
Logging additional information ABAP protection SAP Encoding Functions for AS ABAP Java protection SAP Encoding Functions for AS Java and JavaScript Prevention of Cross-site Scripting SAP HANA protection Protecting SAP® Applications Based on Java and ABAP™ Against Common Attacks
<%@page language="abap" forceEncode="html"%>
<% data: inputvalue type string.
inputvalue = request->get_form_field( 'x' ).
%>
</html>
. , ( ):
<%html=...%>: HTML <%url=...%>: URL URL <%javascript=...%>: JavaScript <%css=…%> : CSS <%raw=...%> ( , , , )
BSP
BSP HTMLB forceEncode <htmlb:content> ENABLED , ( ). ENABLED , , :<htmlb:content forceEncode="ENABLED|BACKWARDS_COMPATIBLE">
ENABLED: . , ; BACKWARDS_COMPATIBLE: . , .
, htmlb:content , . : CLASSIC, DESIGN2002, DESIGN2003, DESIGN2008, , (+). CLASSIC DESIGN2002 (, ) .
<htmlb:content forceEncode="ENABLED" design="DESIGN2003+DESIGN2008">
, design=CLASSIC. .
Mixed BSP- HTML HTMLB
forceEncode BSP page forceEncode HTMLB . , – HTMLB. , , HTML BSP,
Internet Transaction Server (ITS) HTML Business
Internet Transaction Server (ITS) HTML Business, :
xss_url_escape() xss_html_escape() xss_wml_escape() xss_css_escape() xss_js_escape()
HTML Business
, HTML-: , (`) , :
~auto_html_escaping=1: , ~new_xss_functions=1: XSS.
~html_escaping_off=1/0, .
, , SAP_BASIS:
ITS ( <= 6.40), Internet Service SE80. ITS ( >= 6.40), GUI SICF :
7.20, ~new_xss_functions, XSS- .
, , , . ~html_escaping_off=”X”, . , . SAP Security Note 1488500.
Business HTML (BHTML)
HTMLBusiness Template Library (, SAP_TemplateNonEditableField()) . , . SAP Security Note 916255.
, . , .
, XSS-:
http/security_session_timeout = 900; - , . icf/set_HTTPonly_flag_on_cookies = 0; HttpOnly , - , , . HTTPOnly, Logon tickets XSS-.
, RZ10, ( Profile) (, DEFAULT.PFL, SAP-). , , , Extended maintenance . , Copy.
, , - , - -, :
icm/HTTP/logging_0 icm/security_log ,
SAP NetWeaver J2EE
SAP NetWeaver J2EE
AS Java tc_sec_csi.jar. , HTML/XML, JavaScript, CSS URL. StringUtils (com.sap.security.core.server.csi.util.StringUtils):
. Securing SAP from XSS vulnerabilities
escapeScriptEndTag(String pStr) - , javascript ; escapeToHTML(String input) – (. 1) escapeToJS(String input) – JS declaration ( . 5) escapeToURL(String input) – , URL ( 3). , 'disableScriptSignatures'. escapeToURL(StringBuffer sb, String input, int maxLength) - , URL ( 3). , 'disableScriptSignatures'. escapeToURL(String input, int maxLength) - , URL (. 3). , 'disableScriptSignatures'. urlEncode(String s) – URLEncoder.encode
, .
1 ( )
[CASE1]
Username [CASE1]
2 ( , – URL)
Click here
3 ( - URL)
4 ( SCRIPT', – )
5 ( – declaration )
XSSEncoder.
- XSSEncoder ( : com.sap.security.core.server.csi.XSSEncoder).
:
HTML / XML out = XSSEncoder.encodeHTML( in ) and XSSEncoder.encodeXML( val ); JavaScript out = XSSEncoder.encodeJavaScript( val ); URL out = XSSEncoder.encodeURL( val ); CSS out = XSSEncoder.encodeCSS( val );
, . SAP Security Note 1590008.
WebDynpro Java
WebDynpro Java, XSS. .
SAP UI Development Kit for HTML5
SAP UI Development Kit HTML5, jQuery /_core/src/main/js/jquery.sap.encoder.js.
:
HTML / XML jQuery.sap.encodeHTML(sValue) and jQuery.sap.encodeXML(sValue) JavaScript jQuery.sap.encodeJS(sValue) URL jQuery.sap.encodeURL(sValue) CSS jQuery.sap.encodeCSS(sValue)
:
, :
Global_app_config/session_config/sessionTimeout = 900. - , . SystemCookiesDataProtection = true. HttpOnly , - , , . HTTPOnly, Logon tickets XSS-. ume.logon.httponlycookie= True. Logon tickets , Single Sign-On J2EE Engine. “True” , HTTP document.cookie ( XSS-) . SessionIPProtectionEnabled = True. , IP . True, HTTP- IP. IP, .
, , - XSS-, - -, .
LogCLF = TRUE http.properties logging CEF. ArchiveOldLogFiles = ON. Log Configurator . . , . , . . HttpTrace= Enable. HTTP- , ConfigTool. HTTP Provider Service, , HttpTrace.
SAP HANA XS
, XSS- – SAP HANA.
SAP HANA SAPUI5.
- SAPUI5 , . , int int, sap.ui.core . – , HTML:
, :
sessiontimeout = 900. - , . HttpOnly .
, , - XSS-, - -, .
HTTP (S) , SAP HANA, -. - HTTP (S) , icm/http/logging _ 0: global _ auditing _ state = true. global.ini, . , , XSS-. SAP HANA Administration Console –> Security HDB –> Auditing Status menu.
- , XSS. , , - SAP . XSS- – SAP. SAP XSS-. XSS SAP.
, ( chipik ) .
Logging additional information ABAP protection SAP Encoding Functions for AS ABAP Java protection SAP Encoding Functions for AS Java and JavaScript Prevention of Cross-site Scripting SAP HANA protection Protecting SAP® Applications Based on Java and ABAP™ Against Common Attacks
<%@page language="abap" forceEncode="html"%>
<% data: inputvalue type string.
inputvalue = request->get_form_field( 'x' ).
%>
</html>
. , ( ):
<%html=...%>: HTML <%url=...%>: URL URL <%javascript=...%>: JavaScript <%css=…%> : CSS <%raw=...%> ( , , , )
BSP
BSP HTMLB forceEncode <htmlb:content> ENABLED , ( ). ENABLED , , :<htmlb:content forceEncode="ENABLED|BACKWARDS_COMPATIBLE">
ENABLED: . , ; BACKWARDS_COMPATIBLE: . , .
, htmlb:content , . : CLASSIC, DESIGN2002, DESIGN2003, DESIGN2008, , (+). CLASSIC DESIGN2002 (, ) .
<htmlb:content forceEncode="ENABLED" design="DESIGN2003+DESIGN2008">
, design=CLASSIC. .
Mixed BSP- HTML HTMLB
forceEncode BSP page forceEncode HTMLB . , – HTMLB. , , HTML BSP,
Internet Transaction Server (ITS) HTML Business
Internet Transaction Server (ITS) HTML Business, :
xss_url_escape() xss_html_escape() xss_wml_escape() xss_css_escape() xss_js_escape()
HTML Business
, HTML-: , (`) , :
~auto_html_escaping=1: , ~new_xss_functions=1: XSS.
~html_escaping_off=1/0, .
, , SAP_BASIS:
ITS ( <= 6.40), Internet Service SE80. ITS ( >= 6.40), GUI SICF :
7.20, ~new_xss_functions, XSS- .
, , , . ~html_escaping_off=”X”, . , . SAP Security Note 1488500.
Business HTML (BHTML)
HTMLBusiness Template Library (, SAP_TemplateNonEditableField()) . , . SAP Security Note 916255.
, . , .
, XSS-:
http/security_session_timeout = 900; - , . icf/set_HTTPonly_flag_on_cookies = 0; HttpOnly , - , , . HTTPOnly, Logon tickets XSS-.
, RZ10, ( Profile) (, DEFAULT.PFL, SAP-). , , , Extended maintenance . , Copy.
, , - , - -, :
icm/HTTP/logging_0 icm/security_log ,
SAP NetWeaver J2EE
SAP NetWeaver J2EE
AS Java tc_sec_csi.jar. , HTML/XML, JavaScript, CSS URL. StringUtils (com.sap.security.core.server.csi.util.StringUtils):
. Securing SAP from XSS vulnerabilities
escapeScriptEndTag(String pStr) - , javascript ; escapeToHTML(String input) – (. 1) escapeToJS(String input) – JS declaration ( . 5) escapeToURL(String input) – , URL ( 3). , 'disableScriptSignatures'. escapeToURL(StringBuffer sb, String input, int maxLength) - , URL ( 3). , 'disableScriptSignatures'. escapeToURL(String input, int maxLength) - , URL (. 3). , 'disableScriptSignatures'. urlEncode(String s) – URLEncoder.encode
, .
1 ( )
[CASE1]
Username [CASE1]
2 ( , – URL)
Click here
3 ( - URL)
4 ( SCRIPT', – )
5 ( – declaration )
XSSEncoder.
- XSSEncoder ( : com.sap.security.core.server.csi.XSSEncoder).
:
HTML / XML out = XSSEncoder.encodeHTML( in ) and XSSEncoder.encodeXML( val ); JavaScript out = XSSEncoder.encodeJavaScript( val ); URL out = XSSEncoder.encodeURL( val ); CSS out = XSSEncoder.encodeCSS( val );
, . SAP Security Note 1590008.
WebDynpro Java
WebDynpro Java, XSS. .
SAP UI Development Kit for HTML5
SAP UI Development Kit HTML5, jQuery /_core/src/main/js/jquery.sap.encoder.js.
:
HTML / XML jQuery.sap.encodeHTML(sValue) and jQuery.sap.encodeXML(sValue) JavaScript jQuery.sap.encodeJS(sValue) URL jQuery.sap.encodeURL(sValue) CSS jQuery.sap.encodeCSS(sValue)
:
, :
Global_app_config/session_config/sessionTimeout = 900. - , . SystemCookiesDataProtection = true. HttpOnly , - , , . HTTPOnly, Logon tickets XSS-. ume.logon.httponlycookie= True. Logon tickets , Single Sign-On J2EE Engine. “True” , HTTP document.cookie ( XSS-) . SessionIPProtectionEnabled = True. , IP . True, HTTP- IP. IP, .
, , - XSS-, - -, .
LogCLF = TRUE http.properties logging CEF. ArchiveOldLogFiles = ON. Log Configurator . . , . , . . HttpTrace= Enable. HTTP- , ConfigTool. HTTP Provider Service, , HttpTrace.
SAP HANA XS
, XSS- – SAP HANA.
SAP HANA SAPUI5.
- SAPUI5 , . , int int, sap.ui.core . – , HTML:
, :
sessiontimeout = 900. - , . HttpOnly .
, , - XSS-, - -, .
HTTP (S) , SAP HANA, -. - HTTP (S) , icm/http/logging _ 0: global _ auditing _ state = true. global.ini, . , , XSS-. SAP HANA Administration Console –> Security HDB –> Auditing Status menu.
- , XSS. , , - SAP . XSS- – SAP. SAP XSS-. XSS SAP.
, ( chipik ) .
Logging additional information ABAP protection SAP Encoding Functions for AS ABAP Java protection SAP Encoding Functions for AS Java and JavaScript Prevention of Cross-site Scripting SAP HANA protection Protecting SAP® Applications Based on Java and ABAP™ Against Common Attacks
<%@page language="abap" forceEncode="html"%>
<% data: inputvalue type string.
inputvalue = request->get_form_field( 'x' ).
%>
</html>
. , ( ):
<%html=...%>: HTML <%url=...%>: URL URL <%javascript=...%>: JavaScript <%css=…%> : CSS <%raw=...%> ( , , , )
BSP
BSP HTMLB forceEncode <htmlb:content> ENABLED , ( ). ENABLED , , :<htmlb:content forceEncode="ENABLED|BACKWARDS_COMPATIBLE">
ENABLED: . , ; BACKWARDS_COMPATIBLE: . , .
, htmlb:content , . : CLASSIC, DESIGN2002, DESIGN2003, DESIGN2008, , (+). CLASSIC DESIGN2002 (, ) .
<htmlb:content forceEncode="ENABLED" design="DESIGN2003+DESIGN2008">
, design=CLASSIC. .
Mixed BSP- HTML HTMLB
forceEncode BSP page forceEncode HTMLB . , – HTMLB. , , HTML BSP,
Internet Transaction Server (ITS) HTML Business
Internet Transaction Server (ITS) HTML Business, :
xss_url_escape() xss_html_escape() xss_wml_escape() xss_css_escape() xss_js_escape()
HTML Business
, HTML-: , (`) , :
~auto_html_escaping=1: , ~new_xss_functions=1: XSS.
~html_escaping_off=1/0, .
, , SAP_BASIS:
ITS ( <= 6.40), Internet Service SE80. ITS ( >= 6.40), GUI SICF :
7.20, ~new_xss_functions, XSS- .
, , , . ~html_escaping_off=”X”, . , . SAP Security Note 1488500.
Business HTML (BHTML)
HTMLBusiness Template Library (, SAP_TemplateNonEditableField()) . , . SAP Security Note 916255.
, . , .
, XSS-:
http/security_session_timeout = 900; - , . icf/set_HTTPonly_flag_on_cookies = 0; HttpOnly , - , , . HTTPOnly, Logon tickets XSS-.
, RZ10, ( Profile) (, DEFAULT.PFL, SAP-). , , , Extended maintenance . , Copy.
, , - , - -, :
icm/HTTP/logging_0 icm/security_log ,
SAP NetWeaver J2EE
SAP NetWeaver J2EE
AS Java tc_sec_csi.jar. , HTML/XML, JavaScript, CSS URL. StringUtils (com.sap.security.core.server.csi.util.StringUtils):
. Securing SAP from XSS vulnerabilities
escapeScriptEndTag(String pStr) - , javascript ; escapeToHTML(String input) – (. 1) escapeToJS(String input) – JS declaration ( . 5) escapeToURL(String input) – , URL ( 3). , 'disableScriptSignatures'. escapeToURL(StringBuffer sb, String input, int maxLength) - , URL ( 3). , 'disableScriptSignatures'. escapeToURL(String input, int maxLength) - , URL (. 3). , 'disableScriptSignatures'. urlEncode(String s) – URLEncoder.encode
, .
1 ( )
[CASE1]
Username [CASE1]
2 ( , – URL)
Click here
3 ( - URL)
4 ( SCRIPT', – )
5 ( – declaration )
XSSEncoder.
- XSSEncoder ( : com.sap.security.core.server.csi.XSSEncoder).
:
HTML / XML out = XSSEncoder.encodeHTML( in ) and XSSEncoder.encodeXML( val ); JavaScript out = XSSEncoder.encodeJavaScript( val ); URL out = XSSEncoder.encodeURL( val ); CSS out = XSSEncoder.encodeCSS( val );
, . SAP Security Note 1590008.
WebDynpro Java
WebDynpro Java, XSS. .
SAP UI Development Kit for HTML5
SAP UI Development Kit HTML5, jQuery /_core/src/main/js/jquery.sap.encoder.js.
:
HTML / XML jQuery.sap.encodeHTML(sValue) and jQuery.sap.encodeXML(sValue) JavaScript jQuery.sap.encodeJS(sValue) URL jQuery.sap.encodeURL(sValue) CSS jQuery.sap.encodeCSS(sValue)
:
, :
Global_app_config/session_config/sessionTimeout = 900. - , . SystemCookiesDataProtection = true. HttpOnly , - , , . HTTPOnly, Logon tickets XSS-. ume.logon.httponlycookie= True. Logon tickets , Single Sign-On J2EE Engine. “True” , HTTP document.cookie ( XSS-) . SessionIPProtectionEnabled = True. , IP . True, HTTP- IP. IP, .
, , - XSS-, - -, .
LogCLF = TRUE http.properties logging CEF. ArchiveOldLogFiles = ON. Log Configurator . . , . , . . HttpTrace= Enable. HTTP- , ConfigTool. HTTP Provider Service, , HttpTrace.
SAP HANA XS
, XSS- – SAP HANA.
SAP HANA SAPUI5.
- SAPUI5 , . , int int, sap.ui.core . – , HTML:
, :
sessiontimeout = 900. - , . HttpOnly .
, , - XSS-, - -, .
HTTP (S) , SAP HANA, -. - HTTP (S) , icm/http/logging _ 0: global _ auditing _ state = true. global.ini, . , , XSS-. SAP HANA Administration Console –> Security HDB –> Auditing Status menu.
- , XSS. , , - SAP . XSS- – SAP. SAP XSS-. XSS SAP.
, ( chipik ) .
Logging additional information ABAP protection SAP Encoding Functions for AS ABAP Java protection SAP Encoding Functions for AS Java and JavaScript Prevention of Cross-site Scripting SAP HANA protection Protecting SAP® Applications Based on Java and ABAP™ Against Common Attacks
<%@page language="abap" forceEncode="html"%>
<% data: inputvalue type string.
inputvalue = request->get_form_field( 'x' ).
%>
</html>
. , ( ):
<%html=...%>: HTML <%url=...%>: URL URL <%javascript=...%>: JavaScript <%css=…%> : CSS <%raw=...%> ( , , , )
BSP
BSP HTMLB forceEncode <htmlb:content> ENABLED , ( ). ENABLED , , :<htmlb:content forceEncode="ENABLED|BACKWARDS_COMPATIBLE">
ENABLED: . , ; BACKWARDS_COMPATIBLE: . , .
, htmlb:content , . : CLASSIC, DESIGN2002, DESIGN2003, DESIGN2008, , (+). CLASSIC DESIGN2002 (, ) .
<htmlb:content forceEncode="ENABLED" design="DESIGN2003+DESIGN2008">
, design=CLASSIC. .
Mixed BSP- HTML HTMLB
forceEncode BSP page forceEncode HTMLB . , – HTMLB. , , HTML BSP,
Internet Transaction Server (ITS) HTML Business
Internet Transaction Server (ITS) HTML Business, :
xss_url_escape() xss_html_escape() xss_wml_escape() xss_css_escape() xss_js_escape()
HTML Business
, HTML-: , (`) , :
~auto_html_escaping=1: , ~new_xss_functions=1: XSS.
~html_escaping_off=1/0, .
, , SAP_BASIS:
ITS ( <= 6.40), Internet Service SE80. ITS ( >= 6.40), GUI SICF :
7.20, ~new_xss_functions, XSS- .
, , , . ~html_escaping_off=”X”, . , . SAP Security Note 1488500.
Business HTML (BHTML)
HTMLBusiness Template Library (, SAP_TemplateNonEditableField()) . , . SAP Security Note 916255.
, . , .
, XSS-:
http/security_session_timeout = 900; - , . icf/set_HTTPonly_flag_on_cookies = 0; HttpOnly , - , , . HTTPOnly, Logon tickets XSS-.
, RZ10, ( Profile) (, DEFAULT.PFL, SAP-). , , , Extended maintenance . , Copy.
, , - , - -, :
icm/HTTP/logging_0 icm/security_log ,
SAP NetWeaver J2EE
SAP NetWeaver J2EE
AS Java tc_sec_csi.jar. , HTML/XML, JavaScript, CSS URL. StringUtils (com.sap.security.core.server.csi.util.StringUtils):
. Securing SAP from XSS vulnerabilities
escapeScriptEndTag(String pStr) - , javascript ; escapeToHTML(String input) – (. 1) escapeToJS(String input) – JS declaration ( . 5) escapeToURL(String input) – , URL ( 3). , 'disableScriptSignatures'. escapeToURL(StringBuffer sb, String input, int maxLength) - , URL ( 3). , 'disableScriptSignatures'. escapeToURL(String input, int maxLength) - , URL (. 3). , 'disableScriptSignatures'. urlEncode(String s) – URLEncoder.encode
, .
1 ( )
[CASE1]
Username [CASE1]
2 ( , – URL)
Click here
3 ( - URL)
4 ( SCRIPT', – )
5 ( – declaration )
XSSEncoder.
- XSSEncoder ( : com.sap.security.core.server.csi.XSSEncoder).
:
HTML / XML out = XSSEncoder.encodeHTML( in ) and XSSEncoder.encodeXML( val ); JavaScript out = XSSEncoder.encodeJavaScript( val ); URL out = XSSEncoder.encodeURL( val ); CSS out = XSSEncoder.encodeCSS( val );
, . SAP Security Note 1590008.
WebDynpro Java
WebDynpro Java, XSS. .
SAP UI Development Kit for HTML5
SAP UI Development Kit HTML5, jQuery /_core/src/main/js/jquery.sap.encoder.js.
:
HTML / XML jQuery.sap.encodeHTML(sValue) and jQuery.sap.encodeXML(sValue) JavaScript jQuery.sap.encodeJS(sValue) URL jQuery.sap.encodeURL(sValue) CSS jQuery.sap.encodeCSS(sValue)
:
, :
Global_app_config/session_config/sessionTimeout = 900. - , . SystemCookiesDataProtection = true. HttpOnly , - , , . HTTPOnly, Logon tickets XSS-. ume.logon.httponlycookie= True. Logon tickets , Single Sign-On J2EE Engine. “True” , HTTP document.cookie ( XSS-) . SessionIPProtectionEnabled = True. , IP . True, HTTP- IP. IP, .
, , - XSS-, - -, .
LogCLF = TRUE http.properties logging CEF. ArchiveOldLogFiles = ON. Log Configurator . . , . , . . HttpTrace= Enable. HTTP- , ConfigTool. HTTP Provider Service, , HttpTrace.
SAP HANA XS
, XSS- – SAP HANA.
SAP HANA SAPUI5.
- SAPUI5 , . , int int, sap.ui.core . – , HTML:
, :
sessiontimeout = 900. - , . HttpOnly .
, , - XSS-, - -, .
HTTP (S) , SAP HANA, -. - HTTP (S) , icm/http/logging _ 0: global _ auditing _ state = true. global.ini, . , , XSS-. SAP HANA Administration Console –> Security HDB –> Auditing Status menu.
- , XSS. , , - SAP . XSS- – SAP. SAP XSS-. XSS SAP.
, ( chipik ) .
Logging additional information ABAP protection SAP Encoding Functions for AS ABAP Java protection SAP Encoding Functions for AS Java and JavaScript Prevention of Cross-site Scripting SAP HANA protection Protecting SAP® Applications Based on Java and ABAP™ Against Common Attacks
<%@page language="abap" forceEncode="html"%>
<% data: inputvalue type string.
inputvalue = request->get_form_field( 'x' ).
%>
</html>
. , ( ):
<%html=...%>: HTML <%url=...%>: URL URL <%javascript=...%>: JavaScript <%css=…%> : CSS <%raw=...%> ( , , , )
BSP
BSP HTMLB forceEncode <htmlb:content> ENABLED , ( ). ENABLED , , :<htmlb:content forceEncode="ENABLED|BACKWARDS_COMPATIBLE">
ENABLED: . , ; BACKWARDS_COMPATIBLE: . , .
, htmlb:content , . : CLASSIC, DESIGN2002, DESIGN2003, DESIGN2008, , (+). CLASSIC DESIGN2002 (, ) .
<htmlb:content forceEncode="ENABLED" design="DESIGN2003+DESIGN2008">
, design=CLASSIC. .
Mixed BSP- HTML HTMLB
forceEncode BSP page forceEncode HTMLB . , – HTMLB. , , HTML BSP,
Internet Transaction Server (ITS) HTML Business
Internet Transaction Server (ITS) HTML Business, :
xss_url_escape() xss_html_escape() xss_wml_escape() xss_css_escape() xss_js_escape()
HTML Business
, HTML-: , (`) , :
~auto_html_escaping=1: , ~new_xss_functions=1: XSS.
~html_escaping_off=1/0, .
, , SAP_BASIS:
ITS ( <= 6.40), Internet Service SE80. ITS ( >= 6.40), GUI SICF :
7.20, ~new_xss_functions, XSS- .
, , , . ~html_escaping_off=”X”, . , . SAP Security Note 1488500.
Business HTML (BHTML)
HTMLBusiness Template Library (, SAP_TemplateNonEditableField()) . , . SAP Security Note 916255.
, . , .
, XSS-:
http/security_session_timeout = 900; - , . icf/set_HTTPonly_flag_on_cookies = 0; HttpOnly , - , , . HTTPOnly, Logon tickets XSS-.
, RZ10, ( Profile) (, DEFAULT.PFL, SAP-). , , , Extended maintenance . , Copy.
, , - , - -, :
icm/HTTP/logging_0 icm/security_log ,
SAP NetWeaver J2EE
SAP NetWeaver J2EE
AS Java tc_sec_csi.jar. , HTML/XML, JavaScript, CSS URL. StringUtils (com.sap.security.core.server.csi.util.StringUtils):
. Securing SAP from XSS vulnerabilities
escapeScriptEndTag(String pStr) - , javascript ; escapeToHTML(String input) – (. 1) escapeToJS(String input) – JS declaration ( . 5) escapeToURL(String input) – , URL ( 3). , 'disableScriptSignatures'. escapeToURL(StringBuffer sb, String input, int maxLength) - , URL ( 3). , 'disableScriptSignatures'. escapeToURL(String input, int maxLength) - , URL (. 3). , 'disableScriptSignatures'. urlEncode(String s) – URLEncoder.encode
, .
1 ( )
[CASE1]
Username [CASE1]
2 ( , – URL)
Click here
3 ( - URL)
4 ( SCRIPT', – )
5 ( – declaration )
XSSEncoder.
- XSSEncoder ( : com.sap.security.core.server.csi.XSSEncoder).
:
HTML / XML out = XSSEncoder.encodeHTML( in ) and XSSEncoder.encodeXML( val ); JavaScript out = XSSEncoder.encodeJavaScript( val ); URL out = XSSEncoder.encodeURL( val ); CSS out = XSSEncoder.encodeCSS( val );
, . SAP Security Note 1590008.
WebDynpro Java
WebDynpro Java, XSS. .
SAP UI Development Kit for HTML5
SAP UI Development Kit HTML5, jQuery /_core/src/main/js/jquery.sap.encoder.js.
:
HTML / XML jQuery.sap.encodeHTML(sValue) and jQuery.sap.encodeXML(sValue) JavaScript jQuery.sap.encodeJS(sValue) URL jQuery.sap.encodeURL(sValue) CSS jQuery.sap.encodeCSS(sValue)
Global_app_config/session_config/sessionTimeout = 900.
SystemCookiesDataProtection = true (HttpOnly; Logon tickets, XSS).
ume.logon.httponlycookie = True (Logon tickets, Single Sign-On, J2EE Engine; "True": HTTP, document.cookie, XSS).
SessionIPProtectionEnabled = True (IP; HTTP, IP).
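The cookie parameters above (icf/set_HTTPonly_flag_on_cookies on AS ABAP, SystemCookiesDataProtection and ume.logon.httponlycookie on AS Java) are only useful if the flags actually reach the browser, so the check a practitioner wants is on the HTTP response itself. The following is an added example, not code from the article: it extracts Set-Cookie headers from a constructed response and reports cookies that lack HttpOnly (and Secure over HTTPS). The cookie values are placeholders; MYSAPSSO2 is the logon-ticket cookie name, the other names and the function names are the example's own.

```javascript
// Added example, not SAP code: verify on the wire what the cookie-hardening
// parameters above are meant to produce. Every cookie, the MYSAPSSO2 logon
// ticket above all, should carry HttpOnly so document.cookie cannot read it,
// and Secure when the system is served over HTTPS.

// Pull the Set-Cookie header values out of a raw HTTP response.
function extractSetCookieHeaders(rawResponse) {
  const head = rawResponse.split(/\r?\n\r?\n/)[0];
  return head
    .split(/\r?\n/)
    .filter((line) => /^set-cookie:/i.test(line))
    .map((line) => line.slice(line.indexOf(":") + 1).trim());
}

// Parse one Set-Cookie value into the cookie name and its attribute flags.
// Attribute names are case-insensitive, so they are lower-cased first.
function parseSetCookie(header) {
  const [pair, ...attrs] = header.split(";").map((s) => s.trim());
  const eq = pair.indexOf("=");
  const name = eq === -1 ? pair : pair.slice(0, eq).trim();
  const flags = new Set(attrs.map((a) => a.split("=")[0].trim().toLowerCase()));
  return { name, httpOnly: flags.has("httponly"), secure: flags.has("secure") };
}

// Report cookies missing HttpOnly, and Secure when the response came over HTTPS.
function findWeakCookies(setCookieHeaders, overHttps) {
  const findings = [];
  for (const header of setCookieHeaders) {
    const cookie = parseSetCookie(header);
    const missing = [];
    if (!cookie.httpOnly) missing.push("HttpOnly");
    if (overHttps && !cookie.secure) missing.push("Secure");
    if (missing.length > 0) findings.push({ cookie: cookie.name, missing });
  }
  return findings;
}

// Constructed sample response (placeholder values, not real tickets): the
// logon ticket is hardened, the Java session cookie lacks Secure, and a
// user-context cookie carries no flags at all.
const SAMPLE_RESPONSE = [
  "HTTP/1.1 200 OK",
  "Content-Type: text/html; charset=utf-8",
  "Set-Cookie: MYSAPSSO2=TICKET_PLACEHOLDER; path=/; domain=.example.test; HttpOnly; Secure",
  "Set-Cookie: JSESSIONID=SESSION_PLACEHOLDER; Path=/; HttpOnly",
  "Set-Cookie: sap-usercontext=sap-client=100; path=/",
  "",
  "<html><body>constructed sample body</body></html>",
].join("\r\n");

for (const f of findWeakCookies(extractSetCookieHeaders(SAMPLE_RESPONSE), true)) {
  console.log(`cookie ${f.cookie} is missing: ${f.missing.join(", ")}`);
}
```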
XSS:
LogCLF = TRUE (http.properties, logging, CEF).
ArchiveOldLogFiles = ON (Log Configurator).
HttpTrace = Enable (HTTP, ConfigTool, HTTP Provider Service, HttpTrace).
SAP HANA XS
XSS: SAP HANA.
SAP HANA: SAPUI5.
SAPUI5 (int, sap.ui.core); HTML:
sessiontimeout = 900. HttpOnly.
XSS:
HTTP(S), SAP HANA: icm/http/logging_0; global_auditing_state = true (global.ini). XSS. SAP HANA Administration Console –> Security HDB –> Auditing Status menu.
XSS in SAP.
chipik.
Logging additional information
ABAP protection: SAP Encoding Functions for AS ABAP
Java protection: SAP Encoding Functions for AS Java and JavaScript
Prevention of Cross-site Scripting
SAP HANA protection
Protecting SAP® Applications Based on Java and ABAP™ Against Common Attacks
|
|
<%@page language="abap" forceEncode="html"%>
<% data: inputvalue type string.
inputvalue = request->get_form_field( 'x' ).
%>
</html>
. , ( ):
<%html=...%>: HTML <%url=...%>: URL URL <%javascript=...%>: JavaScript <%css=…%> : CSS <%raw=...%> ( , , , )
BSP
BSP HTMLB forceEncode <htmlb:content> ENABLED , ( ). ENABLED , , :<htmlb:content forceEncode="ENABLED|BACKWARDS_COMPATIBLE">
ENABLED: . , ; BACKWARDS_COMPATIBLE: . , .
, htmlb:content , . : CLASSIC, DESIGN2002, DESIGN2003, DESIGN2008, , (+). CLASSIC DESIGN2002 (, ) .
<htmlb:content forceEncode="ENABLED" design="DESIGN2003+DESIGN2008">
, design=CLASSIC. .
Mixed BSP- HTML HTMLB
forceEncode BSP page forceEncode HTMLB . , – HTMLB. , , HTML BSP,
Internet Transaction Server (ITS) HTML Business
Internet Transaction Server (ITS) HTML Business, :
xss_url_escape() xss_html_escape() xss_wml_escape() xss_css_escape() xss_js_escape()
HTML Business
, HTML-: , (`) , :
~auto_html_escaping=1: , ~new_xss_functions=1: XSS.
~html_escaping_off=1/0, .
, , SAP_BASIS:
ITS ( <= 6.40), Internet Service SE80. ITS ( >= 6.40), GUI SICF :
7.20, ~new_xss_functions, XSS- .
, , , . ~html_escaping_off=”X”, . , . SAP Security Note 1488500.
Business HTML (BHTML)
HTMLBusiness Template Library (, SAP_TemplateNonEditableField()) . , . SAP Security Note 916255.
, . , .
, XSS-:
http/security_session_timeout = 900; - , . icf/set_HTTPonly_flag_on_cookies = 0; HttpOnly , - , , . HTTPOnly, Logon tickets XSS-.
, RZ10, ( Profile) (, DEFAULT.PFL, SAP-). , , , Extended maintenance . , Copy.
, , - , - -, :
icm/HTTP/logging_0 icm/security_log ,
SAP NetWeaver J2EE
SAP NetWeaver J2EE
AS Java tc_sec_csi.jar. , HTML/XML, JavaScript, CSS URL. StringUtils (com.sap.security.core.server.csi.util.StringUtils):
. Securing SAP from XSS vulnerabilities
escapeScriptEndTag(String pStr) - , javascript ; escapeToHTML(String input) – (. 1) escapeToJS(String input) – JS declaration ( . 5) escapeToURL(String input) – , URL ( 3). , 'disableScriptSignatures'. escapeToURL(StringBuffer sb, String input, int maxLength) - , URL ( 3). , 'disableScriptSignatures'. escapeToURL(String input, int maxLength) - , URL (. 3). , 'disableScriptSignatures'. urlEncode(String s) – URLEncoder.encode
, .
1 ( )
[CASE1]
Username [CASE1]
2 ( , – URL)
Click here
3 ( - URL)
4 ( SCRIPT', – )
5 ( – declaration )
XSSEncoder.
- XSSEncoder ( : com.sap.security.core.server.csi.XSSEncoder).
:
HTML / XML out = XSSEncoder.encodeHTML( in ) and XSSEncoder.encodeXML( val ); JavaScript out = XSSEncoder.encodeJavaScript( val ); URL out = XSSEncoder.encodeURL( val ); CSS out = XSSEncoder.encodeCSS( val );
, . SAP Security Note 1590008.
WebDynpro Java
WebDynpro Java, XSS. .
SAP UI Development Kit for HTML5
SAP UI Development Kit HTML5, jQuery /_core/src/main/js/jquery.sap.encoder.js.
:
HTML / XML jQuery.sap.encodeHTML(sValue) and jQuery.sap.encodeXML(sValue) JavaScript jQuery.sap.encodeJS(sValue) URL jQuery.sap.encodeURL(sValue) CSS jQuery.sap.encodeCSS(sValue)
:
, :
Global_app_config/session_config/sessionTimeout = 900. - , . SystemCookiesDataProtection = true. HttpOnly , - , , . HTTPOnly, Logon tickets XSS-. ume.logon.httponlycookie= True. Logon tickets , Single Sign-On J2EE Engine. “True” , HTTP document.cookie ( XSS-) . SessionIPProtectionEnabled = True. , IP . True, HTTP- IP. IP, .
, , - XSS-, - -, .
LogCLF = TRUE http.properties logging CEF. ArchiveOldLogFiles = ON. Log Configurator . . , . , . . HttpTrace= Enable. HTTP- , ConfigTool. HTTP Provider Service, , HttpTrace.
SAP HANA XS
, XSS- – SAP HANA.
SAP HANA SAPUI5.
- SAPUI5 , . , int int, sap.ui.core . – , HTML:
, :
sessiontimeout = 900. - , . HttpOnly .
, , - XSS-, - -, .
HTTP (S) , SAP HANA, -. - HTTP (S) , icm/http/logging _ 0: global _ auditing _ state = true. global.ini, . , , XSS-. SAP HANA Administration Console –> Security HDB –> Auditing Status menu.
- , XSS. , , - SAP . XSS- – SAP. SAP XSS-. XSS SAP.
, ( chipik ) .
Logging additional information ABAP protection SAP Encoding Functions for AS ABAP Java protection SAP Encoding Functions for AS Java and JavaScript Prevention of Cross-site Scripting SAP HANA protection Protecting SAP® Applications Based on Java and ABAP™ Against Common Attacks
|
|
|
|
|
|
|
|
|
|
<%@page language="abap" forceEncode="html"%>
<% data: inputvalue type string.
inputvalue = request->get_form_field( 'x' ).
%>
</html>
. , ( ):
<%html=...%>: HTML <%url=...%>: URL URL <%javascript=...%>: JavaScript <%css=…%> : CSS <%raw=...%> ( , , , )
BSP
BSP HTMLB forceEncode <htmlb:content> ENABLED , ( ). ENABLED , , :<htmlb:content forceEncode="ENABLED|BACKWARDS_COMPATIBLE">
ENABLED: . , ; BACKWARDS_COMPATIBLE: . , .
, htmlb:content , . : CLASSIC, DESIGN2002, DESIGN2003, DESIGN2008, , (+). CLASSIC DESIGN2002 (, ) .
<htmlb:content forceEncode="ENABLED" design="DESIGN2003+DESIGN2008">
, design=CLASSIC. .
Mixed BSP- HTML HTMLB
forceEncode BSP page forceEncode HTMLB . , – HTMLB. , , HTML BSP,
Internet Transaction Server (ITS) HTML Business
Internet Transaction Server (ITS) HTML Business, :
xss_url_escape() xss_html_escape() xss_wml_escape() xss_css_escape() xss_js_escape()
HTML Business
, HTML-: , (`) , :
~auto_html_escaping=1: , ~new_xss_functions=1: XSS.
~html_escaping_off=1/0, .
, , SAP_BASIS:
ITS ( <= 6.40), Internet Service SE80. ITS ( >= 6.40), GUI SICF :
7.20, ~new_xss_functions, XSS- .
, , , . ~html_escaping_off=”X”, . , . SAP Security Note 1488500.
Business HTML (BHTML)
HTMLBusiness Template Library (, SAP_TemplateNonEditableField()) . , . SAP Security Note 916255.
, . , .
, XSS-:
http/security_session_timeout = 900; - , . icf/set_HTTPonly_flag_on_cookies = 0; HttpOnly , - , , . HTTPOnly, Logon tickets XSS-.
, RZ10, ( Profile) (, DEFAULT.PFL, SAP-). , , , Extended maintenance . , Copy.
, , - , - -, :
icm/HTTP/logging_0 icm/security_log ,
SAP NetWeaver J2EE
SAP NetWeaver J2EE
AS Java tc_sec_csi.jar. , HTML/XML, JavaScript, CSS URL. StringUtils (com.sap.security.core.server.csi.util.StringUtils):
. Securing SAP from XSS vulnerabilities
escapeScriptEndTag(String pStr) - , javascript ; escapeToHTML(String input) – (. 1) escapeToJS(String input) – JS declaration ( . 5) escapeToURL(String input) – , URL ( 3). , 'disableScriptSignatures'. escapeToURL(StringBuffer sb, String input, int maxLength) - , URL ( 3). , 'disableScriptSignatures'. escapeToURL(String input, int maxLength) - , URL (. 3). , 'disableScriptSignatures'. urlEncode(String s) – URLEncoder.encode
, .
1 ( )
[CASE1]
Username [CASE1]
2 ( , – URL)
Click here
3 ( - URL)
4 ( SCRIPT', – )
5 ( – declaration )
XSSEncoder.
- XSSEncoder ( : com.sap.security.core.server.csi.XSSEncoder).
:
HTML / XML out = XSSEncoder.encodeHTML( in ) and XSSEncoder.encodeXML( val ); JavaScript out = XSSEncoder.encodeJavaScript( val ); URL out = XSSEncoder.encodeURL( val ); CSS out = XSSEncoder.encodeCSS( val );
, . SAP Security Note 1590008.
WebDynpro Java
WebDynpro Java, XSS. .
SAP UI Development Kit for HTML5
SAP UI Development Kit HTML5, jQuery /_core/src/main/js/jquery.sap.encoder.js.
:
HTML / XML jQuery.sap.encodeHTML(sValue) and jQuery.sap.encodeXML(sValue) JavaScript jQuery.sap.encodeJS(sValue) URL jQuery.sap.encodeURL(sValue) CSS jQuery.sap.encodeCSS(sValue)
:
, :
Global_app_config/session_config/sessionTimeout = 900. - , . SystemCookiesDataProtection = true. HttpOnly , - , , . HTTPOnly, Logon tickets XSS-. ume.logon.httponlycookie= True. Logon tickets , Single Sign-On J2EE Engine. “True” , HTTP document.cookie ( XSS-) . SessionIPProtectionEnabled = True. , IP . True, HTTP- IP. IP, .
, , - XSS-, - -, .
LogCLF = TRUE http.properties logging CEF. ArchiveOldLogFiles = ON. Log Configurator . . , . , . . HttpTrace= Enable. HTTP- , ConfigTool. HTTP Provider Service, , HttpTrace.
SAP HANA XS
, XSS- – SAP HANA.
SAP HANA SAPUI5.
- SAPUI5 , . , int int, sap.ui.core . – , HTML:
, :
sessiontimeout = 900. - , . HttpOnly .
, , - XSS-, - -, .
HTTP (S) , SAP HANA, -. - HTTP (S) , icm/http/logging _ 0: global _ auditing _ state = true. global.ini, . , , XSS-. SAP HANA Administration Console –> Security HDB –> Auditing Status menu.
- , XSS. , , - SAP . XSS- – SAP. SAP XSS-. XSS SAP.
, ( chipik ) .
Logging additional information ABAP protection SAP Encoding Functions for AS ABAP Java protection SAP Encoding Functions for AS Java and JavaScript Prevention of Cross-site Scripting SAP HANA protection Protecting SAP® Applications Based on Java and ABAP™ Against Common Attacks
|
|
|
|
|
|
|
|
|
|
<%@page language="abap" forceEncode="html"%>
<% data: inputvalue type string.
inputvalue = request->get_form_field( 'x' ).
%>
</html>
. , ( ):
<%html=...%>: HTML <%url=...%>: URL URL <%javascript=...%>: JavaScript <%css=…%> : CSS <%raw=...%> ( , , , )
BSP
BSP HTMLB forceEncode <htmlb:content> ENABLED , ( ). ENABLED , , :<htmlb:content forceEncode="ENABLED|BACKWARDS_COMPATIBLE">
ENABLED: . , ; BACKWARDS_COMPATIBLE: . , .
, htmlb:content , . : CLASSIC, DESIGN2002, DESIGN2003, DESIGN2008, , (+). CLASSIC DESIGN2002 (, ) .
<htmlb:content forceEncode="ENABLED" design="DESIGN2003+DESIGN2008">
, design=CLASSIC. .
Mixed BSP- HTML HTMLB
forceEncode BSP page forceEncode HTMLB . , – HTMLB. , , HTML BSP,
Internet Transaction Server (ITS) HTML Business
Internet Transaction Server (ITS) HTML Business, :
xss_url_escape() xss_html_escape() xss_wml_escape() xss_css_escape() xss_js_escape()
HTML Business
, HTML-: , (`) , :
~auto_html_escaping=1: , ~new_xss_functions=1: XSS.
~html_escaping_off=1/0, .
, , SAP_BASIS:
ITS ( <= 6.40), Internet Service SE80. ITS ( >= 6.40), GUI SICF :
7.20, ~new_xss_functions, XSS- .
, , , . ~html_escaping_off=”X”, . , . SAP Security Note 1488500.
Business HTML (BHTML)
HTMLBusiness Template Library (, SAP_TemplateNonEditableField()) . , . SAP Security Note 916255.
, . , .
, XSS-:
http/security_session_timeout = 900; - , . icf/set_HTTPonly_flag_on_cookies = 0; HttpOnly , - , , . HTTPOnly, Logon tickets XSS-.
, RZ10, ( Profile) (, DEFAULT.PFL, SAP-). , , , Extended maintenance . , Copy.
, , - , - -, :
icm/HTTP/logging_0 icm/security_log ,
SAP NetWeaver J2EE
SAP NetWeaver J2EE
AS Java tc_sec_csi.jar. , HTML/XML, JavaScript, CSS URL. StringUtils (com.sap.security.core.server.csi.util.StringUtils):
. Securing SAP from XSS vulnerabilities
escapeScriptEndTag(String pStr) - , javascript ; escapeToHTML(String input) – (. 1) escapeToJS(String input) – JS declaration ( . 5) escapeToURL(String input) – , URL ( 3). , 'disableScriptSignatures'. escapeToURL(StringBuffer sb, String input, int maxLength) - , URL ( 3). , 'disableScriptSignatures'. escapeToURL(String input, int maxLength) - , URL (. 3). , 'disableScriptSignatures'. urlEncode(String s) – URLEncoder.encode
, .
1 ( )
[CASE1]
Username [CASE1]
2 ( , – URL)
Click here
3 ( - URL)
4 ( SCRIPT', – )
5 ( – declaration )
XSSEncoder.
- XSSEncoder ( : com.sap.security.core.server.csi.XSSEncoder).
:
HTML / XML out = XSSEncoder.encodeHTML( in ) and XSSEncoder.encodeXML( val ); JavaScript out = XSSEncoder.encodeJavaScript( val ); URL out = XSSEncoder.encodeURL( val ); CSS out = XSSEncoder.encodeCSS( val );
, . SAP Security Note 1590008.
WebDynpro Java
WebDynpro Java, XSS. .
SAP UI Development Kit for HTML5
SAP UI Development Kit HTML5, jQuery /_core/src/main/js/jquery.sap.encoder.js.
:
HTML / XML jQuery.sap.encodeHTML(sValue) and jQuery.sap.encodeXML(sValue) JavaScript jQuery.sap.encodeJS(sValue) URL jQuery.sap.encodeURL(sValue) CSS jQuery.sap.encodeCSS(sValue)
:
, :
Global_app_config/session_config/sessionTimeout = 900. - , . SystemCookiesDataProtection = true. HttpOnly , - , , . HTTPOnly, Logon tickets XSS-. ume.logon.httponlycookie= True. Logon tickets , Single Sign-On J2EE Engine. “True” , HTTP document.cookie ( XSS-) . SessionIPProtectionEnabled = True. , IP . True, HTTP- IP. IP, .
, , - XSS-, - -, .
LogCLF = TRUE http.properties logging CEF. ArchiveOldLogFiles = ON. Log Configurator . . , . , . . HttpTrace= Enable. HTTP- , ConfigTool. HTTP Provider Service, , HttpTrace.
SAP HANA XS
, XSS- – SAP HANA.
SAP HANA SAPUI5.
- SAPUI5 , . , int int, sap.ui.core . – , HTML:
, :
sessiontimeout = 900. - , . HttpOnly .
, , - XSS-, - -, .
HTTP (S) , SAP HANA, -. - HTTP (S) , icm/http/logging _ 0: global _ auditing _ state = true. global.ini, . , , XSS-. SAP HANA Administration Console –> Security HDB –> Auditing Status menu.
- , XSS. , , - SAP . XSS- – SAP. SAP XSS-. XSS SAP.
, ( chipik ) .
Logging additional information ABAP protection SAP Encoding Functions for AS ABAP Java protection SAP Encoding Functions for AS Java and JavaScript Prevention of Cross-site Scripting SAP HANA protection Protecting SAP® Applications Based on Java and ABAP™ Against Common Attacks
<%@page language="abap" forceEncode="html"%>
<% data: inputvalue type string.
inputvalue = request->get_form_field( 'x' ).
%>
</html>
. , ( ):
<%html=...%>: HTML <%url=...%>: URL URL <%javascript=...%>: JavaScript <%css=…%> : CSS <%raw=...%> ( , , , )
BSP
BSP HTMLB forceEncode <htmlb:content> ENABLED , ( ). ENABLED , , :<htmlb:content forceEncode="ENABLED|BACKWARDS_COMPATIBLE">
ENABLED: . , ; BACKWARDS_COMPATIBLE: . , .
, htmlb:content , . : CLASSIC, DESIGN2002, DESIGN2003, DESIGN2008, , (+). CLASSIC DESIGN2002 (, ) .
<htmlb:content forceEncode="ENABLED" design="DESIGN2003+DESIGN2008">
, design=CLASSIC. .
Mixed BSP- HTML HTMLB
forceEncode BSP page forceEncode HTMLB . , – HTMLB. , , HTML BSP,
Internet Transaction Server (ITS) HTML Business
Internet Transaction Server (ITS) HTML Business, :
xss_url_escape() xss_html_escape() xss_wml_escape() xss_css_escape() xss_js_escape()
HTML Business
, HTML-: , (`) , :
~auto_html_escaping=1: , ~new_xss_functions=1: XSS.
~html_escaping_off=1/0, .
, , SAP_BASIS:
ITS ( <= 6.40), Internet Service SE80. ITS ( >= 6.40), GUI SICF :
7.20, ~new_xss_functions, XSS- .
, , , . ~html_escaping_off=”X”, . , . SAP Security Note 1488500.
Business HTML (BHTML)
HTMLBusiness Template Library (, SAP_TemplateNonEditableField()) . , . SAP Security Note 916255.
, . , .
, XSS-:
http/security_session_timeout = 900; - , . icf/set_HTTPonly_flag_on_cookies = 0; HttpOnly , - , , . HTTPOnly, Logon tickets XSS-.
, RZ10, ( Profile) (, DEFAULT.PFL, SAP-). , , , Extended maintenance . , Copy.
, , - , - -, :
icm/HTTP/logging_0 icm/security_log ,
SAP NetWeaver J2EE
SAP NetWeaver J2EE
AS Java tc_sec_csi.jar. , HTML/XML, JavaScript, CSS URL. StringUtils (com.sap.security.core.server.csi.util.StringUtils):
. Securing SAP from XSS vulnerabilities
escapeScriptEndTag(String pStr) - , javascript ; escapeToHTML(String input) – (. 1) escapeToJS(String input) – JS declaration ( . 5) escapeToURL(String input) – , URL ( 3). , 'disableScriptSignatures'. escapeToURL(StringBuffer sb, String input, int maxLength) - , URL ( 3). , 'disableScriptSignatures'. escapeToURL(String input, int maxLength) - , URL (. 3). , 'disableScriptSignatures'. urlEncode(String s) – URLEncoder.encode
, .
1 ( )
[CASE1]
Username [CASE1]
2 ( , – URL)
Click here
3 ( - URL)
4 ( SCRIPT', – )
5 ( – declaration )
XSSEncoder.
- XSSEncoder ( : com.sap.security.core.server.csi.XSSEncoder).
:
HTML / XML out = XSSEncoder.encodeHTML( in ) and XSSEncoder.encodeXML( val ); JavaScript out = XSSEncoder.encodeJavaScript( val ); URL out = XSSEncoder.encodeURL( val ); CSS out = XSSEncoder.encodeCSS( val );
, . SAP Security Note 1590008.
WebDynpro Java
WebDynpro Java, XSS. .
SAP UI Development Kit for HTML5
SAP UI Development Kit HTML5, jQuery /_core/src/main/js/jquery.sap.encoder.js.
:
HTML / XML jQuery.sap.encodeHTML(sValue) and jQuery.sap.encodeXML(sValue) JavaScript jQuery.sap.encodeJS(sValue) URL jQuery.sap.encodeURL(sValue) CSS jQuery.sap.encodeCSS(sValue)
:
, :
Global_app_config/session_config/sessionTimeout = 900. - , . SystemCookiesDataProtection = true. HttpOnly , - , , . HTTPOnly, Logon tickets XSS-. ume.logon.httponlycookie= True. Logon tickets , Single Sign-On J2EE Engine. “True” , HTTP document.cookie ( XSS-) . SessionIPProtectionEnabled = True. , IP . True, HTTP- IP. IP, .
, , - XSS-, - -, .
LogCLF = TRUE http.properties logging CEF. ArchiveOldLogFiles = ON. Log Configurator . . , . , . . HttpTrace= Enable. HTTP- , ConfigTool. HTTP Provider Service, , HttpTrace.
SAP HANA XS
, XSS- – SAP HANA.
SAP HANA SAPUI5.
- SAPUI5 , . , int int, sap.ui.core . – , HTML:
, :
sessiontimeout = 900. - , . HttpOnly .
, , - XSS-, - -, .
HTTP (S) , SAP HANA, -. - HTTP (S) , icm/http/logging _ 0: global _ auditing _ state = true. global.ini, . , , XSS-. SAP HANA Administration Console –> Security HDB –> Auditing Status menu.
- , XSS. , , - SAP . XSS- – SAP. SAP XSS-. XSS SAP.
, ( chipik ) .
Logging additional information ABAP protection SAP Encoding Functions for AS ABAP Java protection SAP Encoding Functions for AS Java and JavaScript Prevention of Cross-site Scripting SAP HANA protection Protecting SAP® Applications Based on Java and ABAP™ Against Common Attacks
<%@page language="abap" forceEncode="html"%>
<% data: inputvalue type string.
inputvalue = request->get_form_field( 'x' ).
%>
</html>
. , ( ):
<%html=...%>: HTML <%url=...%>: URL URL <%javascript=...%>: JavaScript <%css=…%> : CSS <%raw=...%> ( , , , )
BSP
BSP HTMLB forceEncode <htmlb:content> ENABLED , ( ). ENABLED , , :<htmlb:content forceEncode="ENABLED|BACKWARDS_COMPATIBLE">
ENABLED: . , ; BACKWARDS_COMPATIBLE: . , .
, htmlb:content , . : CLASSIC, DESIGN2002, DESIGN2003, DESIGN2008, , (+). CLASSIC DESIGN2002 (, ) .
<htmlb:content forceEncode="ENABLED" design="DESIGN2003+DESIGN2008">
, design=CLASSIC. .
Mixed BSP- HTML HTMLB
forceEncode BSP page forceEncode HTMLB . , – HTMLB. , , HTML BSP,
Internet Transaction Server (ITS) HTML Business
Internet Transaction Server (ITS) HTML Business, :
xss_url_escape() xss_html_escape() xss_wml_escape() xss_css_escape() xss_js_escape()
HTML Business
, HTML-: , (`) , :
~auto_html_escaping=1: , ~new_xss_functions=1: XSS.
~html_escaping_off=1/0, .
, , SAP_BASIS:
ITS ( <= 6.40), Internet Service SE80. ITS ( >= 6.40), GUI SICF :
7.20, ~new_xss_functions, XSS- .
, , , . ~html_escaping_off=”X”, . , . SAP Security Note 1488500.
Business HTML (BHTML)
HTMLBusiness Template Library (, SAP_TemplateNonEditableField()) . , . SAP Security Note 916255.
, . , .
, XSS-:
http/security_session_timeout = 900; - , . icf/set_HTTPonly_flag_on_cookies = 0; HttpOnly , - , , . HTTPOnly, Logon tickets XSS-.
, RZ10, ( Profile) (, DEFAULT.PFL, SAP-). , , , Extended maintenance . , Copy.
, , - , - -, :
icm/HTTP/logging_0 icm/security_log ,
SAP NetWeaver J2EE
SAP NetWeaver J2EE
AS Java tc_sec_csi.jar. , HTML/XML, JavaScript, CSS URL. StringUtils (com.sap.security.core.server.csi.util.StringUtils):
. Securing SAP from XSS vulnerabilities
escapeScriptEndTag(String pStr) - , javascript ; escapeToHTML(String input) – (. 1) escapeToJS(String input) – JS declaration ( . 5) escapeToURL(String input) – , URL ( 3). , 'disableScriptSignatures'. escapeToURL(StringBuffer sb, String input, int maxLength) - , URL ( 3). , 'disableScriptSignatures'. escapeToURL(String input, int maxLength) - , URL (. 3). , 'disableScriptSignatures'. urlEncode(String s) – URLEncoder.encode
, .
1 ( )
[CASE1]
Username [CASE1]
2 ( , – URL)
Click here
3 ( - URL)
4 ( SCRIPT', – )
5 ( – declaration )
XSSEncoder.
- XSSEncoder ( : com.sap.security.core.server.csi.XSSEncoder).
:
HTML / XML out = XSSEncoder.encodeHTML( in ) and XSSEncoder.encodeXML( val ); JavaScript out = XSSEncoder.encodeJavaScript( val ); URL out = XSSEncoder.encodeURL( val ); CSS out = XSSEncoder.encodeCSS( val );
, . SAP Security Note 1590008.
WebDynpro Java
WebDynpro Java, XSS. .
SAP UI Development Kit for HTML5
SAP UI Development Kit HTML5, jQuery /_core/src/main/js/jquery.sap.encoder.js.
:
HTML / XML jQuery.sap.encodeHTML(sValue) and jQuery.sap.encodeXML(sValue) JavaScript jQuery.sap.encodeJS(sValue) URL jQuery.sap.encodeURL(sValue) CSS jQuery.sap.encodeCSS(sValue)
:
, :
Global_app_config/session_config/sessionTimeout = 900. - , . SystemCookiesDataProtection = true. HttpOnly , - , , . HTTPOnly, Logon tickets XSS-. ume.logon.httponlycookie= True. Logon tickets , Single Sign-On J2EE Engine. “True” , HTTP document.cookie ( XSS-) . SessionIPProtectionEnabled = True. , IP . True, HTTP- IP. IP, .
, , - XSS-, - -, .
LogCLF = TRUE http.properties logging CEF. ArchiveOldLogFiles = ON. Log Configurator . . , . , . . HttpTrace= Enable. HTTP- , ConfigTool. HTTP Provider Service, , HttpTrace.
SAP HANA XS
, XSS- – SAP HANA.
SAP HANA SAPUI5.
- SAPUI5 , . , int int, sap.ui.core . – , HTML:
, :
sessiontimeout = 900. - , . HttpOnly .
, , - XSS-, - -, .
HTTP (S) , SAP HANA, -. - HTTP (S) , icm/http/logging _ 0: global _ auditing _ state = true. global.ini, . , , XSS-. SAP HANA Administration Console –> Security HDB –> Auditing Status menu.
- , XSS. , , - SAP . XSS- – SAP. SAP XSS-. XSS SAP.
, ( chipik ) .
Logging additional information ABAP protection SAP Encoding Functions for AS ABAP Java protection SAP Encoding Functions for AS Java and JavaScript Prevention of Cross-site Scripting SAP HANA protection Protecting SAP® Applications Based on Java and ABAP™ Against Common Attacks
<%@page language="abap" forceEncode="html"%>
<% data: inputvalue type string.
inputvalue = request->get_form_field( 'x' ).
%>
</html>
. , ( ):
<%html=...%>: HTML <%url=...%>: URL URL <%javascript=...%>: JavaScript <%css=…%> : CSS <%raw=...%> ( , , , )
BSP
BSP HTMLB forceEncode <htmlb:content> ENABLED , ( ). ENABLED , , :<htmlb:content forceEncode="ENABLED|BACKWARDS_COMPATIBLE">
ENABLED: . , ; BACKWARDS_COMPATIBLE: . , .
, htmlb:content , . : CLASSIC, DESIGN2002, DESIGN2003, DESIGN2008, , (+). CLASSIC DESIGN2002 (, ) .
<htmlb:content forceEncode="ENABLED" design="DESIGN2003+DESIGN2008">
, design=CLASSIC. .
Mixed BSP- HTML HTMLB
forceEncode BSP page forceEncode HTMLB . , – HTMLB. , , HTML BSP,
Internet Transaction Server (ITS) HTML Business
Internet Transaction Server (ITS) HTML Business, :
xss_url_escape() xss_html_escape() xss_wml_escape() xss_css_escape() xss_js_escape()
HTML Business
, HTML-: , (`) , :
~auto_html_escaping=1: , ~new_xss_functions=1: XSS.
~html_escaping_off=1/0, .
, , SAP_BASIS:
ITS ( <= 6.40), Internet Service SE80. ITS ( >= 6.40), GUI SICF :
7.20, ~new_xss_functions, XSS- .
, , , . ~html_escaping_off=”X”, . , . SAP Security Note 1488500.
Business HTML (BHTML)
HTMLBusiness Template Library (, SAP_TemplateNonEditableField()) . , . SAP Security Note 916255.
, . , .
, XSS-:
http/security_session_timeout = 900; - , . icf/set_HTTPonly_flag_on_cookies = 0; HttpOnly , - , , . HTTPOnly, Logon tickets XSS-.
, RZ10, ( Profile) (, DEFAULT.PFL, SAP-). , , , Extended maintenance . , Copy.
, , - , - -, :
icm/HTTP/logging_0 icm/security_log ,
SAP NetWeaver J2EE
SAP NetWeaver J2EE
AS Java tc_sec_csi.jar. , HTML/XML, JavaScript, CSS URL. StringUtils (com.sap.security.core.server.csi.util.StringUtils):
. Securing SAP from XSS vulnerabilities
escapeScriptEndTag(String pStr) - , javascript ; escapeToHTML(String input) – (. 1) escapeToJS(String input) – JS declaration ( . 5) escapeToURL(String input) – , URL ( 3). , 'disableScriptSignatures'. escapeToURL(StringBuffer sb, String input, int maxLength) - , URL ( 3). , 'disableScriptSignatures'. escapeToURL(String input, int maxLength) - , URL (. 3). , 'disableScriptSignatures'. urlEncode(String s) – URLEncoder.encode
, .
1 ( )
[CASE1]
Username [CASE1]
2 ( , – URL)
Click here
3 ( - URL)
4 ( SCRIPT', – )
5 ( – declaration )
XSSEncoder.
- XSSEncoder ( : com.sap.security.core.server.csi.XSSEncoder).
:
HTML / XML out = XSSEncoder.encodeHTML( in ) and XSSEncoder.encodeXML( val ); JavaScript out = XSSEncoder.encodeJavaScript( val ); URL out = XSSEncoder.encodeURL( val ); CSS out = XSSEncoder.encodeCSS( val );
, . SAP Security Note 1590008.
WebDynpro Java
WebDynpro Java, XSS. .
SAP UI Development Kit for HTML5
SAP UI Development Kit HTML5, jQuery /_core/src/main/js/jquery.sap.encoder.js.
:
HTML / XML jQuery.sap.encodeHTML(sValue) and jQuery.sap.encodeXML(sValue) JavaScript jQuery.sap.encodeJS(sValue) URL jQuery.sap.encodeURL(sValue) CSS jQuery.sap.encodeCSS(sValue)
:
, :
Global_app_config/session_config/sessionTimeout = 900. - , . SystemCookiesDataProtection = true. HttpOnly , - , , . HTTPOnly, Logon tickets XSS-. ume.logon.httponlycookie= True. Logon tickets , Single Sign-On J2EE Engine. “True” , HTTP document.cookie ( XSS-) . SessionIPProtectionEnabled = True. , IP . True, HTTP- IP. IP, .
, , - XSS-, - -, .
LogCLF = TRUE http.properties logging CEF. ArchiveOldLogFiles = ON. Log Configurator . . , . , . . HttpTrace= Enable. HTTP- , ConfigTool. HTTP Provider Service, , HttpTrace.
SAP HANA XS
, XSS- – SAP HANA.
SAP HANA SAPUI5.
- SAPUI5 , . , int int, sap.ui.core . – , HTML:
, :
sessiontimeout = 900. - , . HttpOnly .
, , - XSS-, - -, .
HTTP (S) , SAP HANA, -. - HTTP (S) , icm/http/logging _ 0: global _ auditing _ state = true. global.ini, . , , XSS-. SAP HANA Administration Console –> Security HDB –> Auditing Status menu.
- , XSS. , , - SAP . XSS- – SAP. SAP XSS-. XSS SAP.
, ( chipik ) .
Logging additional information ABAP protection SAP Encoding Functions for AS ABAP Java protection SAP Encoding Functions for AS Java and JavaScript Prevention of Cross-site Scripting SAP HANA protection Protecting SAP® Applications Based on Java and ABAP™ Against Common Attacks
<%@page language="abap" forceEncode="html"%>
<% data: inputvalue type string.
inputvalue = request->get_form_field( 'x' ).
%>
</html>
. , ( ):
<%html=...%>: HTML <%url=...%>: URL URL <%javascript=...%>: JavaScript <%css=…%> : CSS <%raw=...%> ( , , , )
BSP
BSP HTMLB forceEncode <htmlb:content> ENABLED , ( ). ENABLED , , :<htmlb:content forceEncode="ENABLED|BACKWARDS_COMPATIBLE">
ENABLED: . , ; BACKWARDS_COMPATIBLE: . , .
, htmlb:content , . : CLASSIC, DESIGN2002, DESIGN2003, DESIGN2008, , (+). CLASSIC DESIGN2002 (, ) .
<htmlb:content forceEncode="ENABLED" design="DESIGN2003+DESIGN2008">
, design=CLASSIC. .
Mixed BSP- HTML HTMLB
forceEncode BSP page forceEncode HTMLB . , – HTMLB. , , HTML BSP,
Internet Transaction Server (ITS) HTML Business
Internet Transaction Server (ITS) HTML Business, :
xss_url_escape() xss_html_escape() xss_wml_escape() xss_css_escape() xss_js_escape()
HTML Business
, HTML-: , (`) , :
~auto_html_escaping=1: , ~new_xss_functions=1: XSS.
~html_escaping_off=1/0, .
, , SAP_BASIS:
ITS ( <= 6.40), Internet Service SE80. ITS ( >= 6.40), GUI SICF :
7.20, ~new_xss_functions, XSS- .
, , , . ~html_escaping_off=”X”, . , . SAP Security Note 1488500.
Business HTML (BHTML)
HTMLBusiness Template Library (, SAP_TemplateNonEditableField()) . , . SAP Security Note 916255.
, . , .
, XSS-:
http/security_session_timeout = 900; - , . icf/set_HTTPonly_flag_on_cookies = 0; HttpOnly , - , , . HTTPOnly, Logon tickets XSS-.
, RZ10, ( Profile) (, DEFAULT.PFL, SAP-). , , , Extended maintenance . , Copy.
, , - , - -, :
icm/HTTP/logging_0 icm/security_log ,
SAP NetWeaver J2EE
SAP NetWeaver J2EE
AS Java tc_sec_csi.jar. , HTML/XML, JavaScript, CSS URL. StringUtils (com.sap.security.core.server.csi.util.StringUtils):
. Securing SAP from XSS vulnerabilities
escapeScriptEndTag(String pStr) - , javascript ; escapeToHTML(String input) – (. 1) escapeToJS(String input) – JS declaration ( . 5) escapeToURL(String input) – , URL ( 3). , 'disableScriptSignatures'. escapeToURL(StringBuffer sb, String input, int maxLength) - , URL ( 3). , 'disableScriptSignatures'. escapeToURL(String input, int maxLength) - , URL (. 3). , 'disableScriptSignatures'. urlEncode(String s) – URLEncoder.encode
, .
1 ( )
[CASE1]
Username [CASE1]
2 ( , – URL)
Click here
3 ( - URL)
4 ( SCRIPT', – )
5 ( – declaration )
XSSEncoder.
- XSSEncoder ( : com.sap.security.core.server.csi.XSSEncoder).
:
HTML / XML out = XSSEncoder.encodeHTML( in ) and XSSEncoder.encodeXML( val ); JavaScript out = XSSEncoder.encodeJavaScript( val ); URL out = XSSEncoder.encodeURL( val ); CSS out = XSSEncoder.encodeCSS( val );
, . SAP Security Note 1590008.
WebDynpro Java
WebDynpro Java, XSS. .
SAP UI Development Kit for HTML5
SAP UI Development Kit HTML5, jQuery /_core/src/main/js/jquery.sap.encoder.js.
:
HTML / XML jQuery.sap.encodeHTML(sValue) and jQuery.sap.encodeXML(sValue) JavaScript jQuery.sap.encodeJS(sValue) URL jQuery.sap.encodeURL(sValue) CSS jQuery.sap.encodeCSS(sValue)
:
, :
Global_app_config/session_config/sessionTimeout = 900. - , . SystemCookiesDataProtection = true. HttpOnly , - , , . HTTPOnly, Logon tickets XSS-. ume.logon.httponlycookie= True. Logon tickets , Single Sign-On J2EE Engine. “True” , HTTP document.cookie ( XSS-) . SessionIPProtectionEnabled = True. , IP . True, HTTP- IP. IP, .
, , - XSS-, - -, .
LogCLF = TRUE http.properties logging CEF. ArchiveOldLogFiles = ON. Log Configurator . . , . , . . HttpTrace= Enable. HTTP- , ConfigTool. HTTP Provider Service, , HttpTrace.
SAP HANA XS
, XSS- – SAP HANA.
SAP HANA SAPUI5.
- SAPUI5 , . , int int, sap.ui.core . – , HTML:
, :
sessiontimeout = 900. - , . HttpOnly .
, , - XSS-, - -, .
HTTP (S) , SAP HANA, -. - HTTP (S) , icm/http/logging _ 0: global _ auditing _ state = true. global.ini, . , , XSS-. SAP HANA Administration Console –> Security HDB –> Auditing Status menu.
- , XSS. , , - SAP . XSS- – SAP. SAP XSS-. XSS SAP.
, ( chipik ) .
Logging additional information ABAP protection SAP Encoding Functions for AS ABAP Java protection SAP Encoding Functions for AS Java and JavaScript Prevention of Cross-site Scripting SAP HANA protection Protecting SAP® Applications Based on Java and ABAP™ Against Common Attacks
<%@page language="abap" forceEncode="html"%>
<% data: inputvalue type string.
inputvalue = request->get_form_field( 'x' ).
%>
</html>
. , ( ):
<%html=...%>: HTML <%url=...%>: URL URL <%javascript=...%>: JavaScript <%css=…%> : CSS <%raw=...%> ( , , , )
BSP
BSP HTMLB forceEncode <htmlb:content> ENABLED , ( ). ENABLED , , :<htmlb:content forceEncode="ENABLED|BACKWARDS_COMPATIBLE">
ENABLED: . , ; BACKWARDS_COMPATIBLE: . , .
, htmlb:content , . : CLASSIC, DESIGN2002, DESIGN2003, DESIGN2008, , (+). CLASSIC DESIGN2002 (, ) .
<htmlb:content forceEncode="ENABLED" design="DESIGN2003+DESIGN2008">
, design=CLASSIC. .
Mixed BSP- HTML HTMLB
forceEncode BSP page forceEncode HTMLB . , – HTMLB. , , HTML BSP,
Internet Transaction Server (ITS) HTML Business
Internet Transaction Server (ITS) HTML Business, :
xss_url_escape() xss_html_escape() xss_wml_escape() xss_css_escape() xss_js_escape()
HTML Business
, HTML-: , (`) , :
~auto_html_escaping=1: , ~new_xss_functions=1: XSS.
~html_escaping_off=1/0, .
, , SAP_BASIS:
ITS ( <= 6.40), Internet Service SE80. ITS ( >= 6.40), GUI SICF :
7.20, ~new_xss_functions, XSS- .
, , , . ~html_escaping_off=”X”, . , . SAP Security Note 1488500.
Business HTML (BHTML)
HTMLBusiness Template Library (, SAP_TemplateNonEditableField()) . , . SAP Security Note 916255.
, . , .
, XSS-:
http/security_session_timeout = 900; - , . icf/set_HTTPonly_flag_on_cookies = 0; HttpOnly , - , , . HTTPOnly, Logon tickets XSS-.
, RZ10, ( Profile) (, DEFAULT.PFL, SAP-). , , , Extended maintenance . , Copy.
, , - , - -, :
icm/HTTP/logging_0
icm/security_log
SAP NetWeaver J2EE
AS Java tc_sec_csi.jar. , HTML/XML, JavaScript, CSS URL. StringUtils (com.sap.security.core.server.csi.util.StringUtils):
. Securing SAP from XSS vulnerabilities
escapeScriptEndTag(String pStr) - , javascript ;
escapeToHTML(String input) – (see case 1)
escapeToJS(String input) – JS declaration (see case 5)
escapeToURL(String input) – URL (see case 3). 'disableScriptSignatures'.
escapeToURL(StringBuffer sb, String input, int maxLength) - URL (see case 3). 'disableScriptSignatures'.
escapeToURL(String input, int maxLength) - URL (see case 3). 'disableScriptSignatures'.
urlEncode(String s) – URLEncoder.encode
, .
1 ( )
[CASE1]
Username [CASE1]
2 ( , – URL)
Click here
3 ( - URL)
4 ( SCRIPT', – )
5 ( – declaration )
XSSEncoder.
- XSSEncoder ( : com.sap.security.core.server.csi.XSSEncoder).
:
Context | Method |
HTML / XML | out = XSSEncoder.encodeHTML( val ) and XSSEncoder.encodeXML( val ); |
JavaScript | out = XSSEncoder.encodeJavaScript( val ); |
URL | out = XSSEncoder.encodeURL( val ); |
CSS | out = XSSEncoder.encodeCSS( val ); |
, . SAP Security Note 1590008.
WebDynpro Java
WebDynpro Java, XSS. .
SAP UI Development Kit for HTML5
SAP UI Development Kit HTML5, jQuery /_core/src/main/js/jquery.sap.encoder.js.
:
Context | Method |
HTML / XML | jQuery.sap.encodeHTML(sValue) and jQuery.sap.encodeXML(sValue) |
JavaScript | jQuery.sap.encodeJS(sValue) |
URL | jQuery.sap.encodeURL(sValue) |
CSS | jQuery.sap.encodeCSS(sValue) |
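To show why each of the four output contexts in the StringUtils, XSSEncoder and jQuery.sap.encoder tables above needs its own encoder, here is an added example that is not SAP's code: minimal encoders for the HTML/XML, JavaScript, URL and CSS contexts (the function names and the sample value are this example's own), with a check for the page's case 5, a value inside a JavaScript declaration, where HTML encoding leaves the literal broken while JS encoding round-trips the value.

```javascript
// Added example (not SAP's StringUtils, XSSEncoder or jQuery.sap.encoder code):
// minimal encoders for the four output contexts in the tables above, plus a
// check that an encoder for one context does not make a value safe in another.

// HTML/XML text and attribute context: encode the five structural characters.
function encodeHTML(s) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#x27;" };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// JavaScript string-literal context: \xHH / \uHHHH-escape every non-alphanumeric
// character, so quotes, backslashes, line terminators and "</script>" can neither
// end the literal nor the enclosing <script> block.
function encodeJS(s) {
  return String(s).replace(/[^A-Za-z0-9]/g, (c) => {
    const code = c.charCodeAt(0);
    return code < 256
      ? "\\x" + code.toString(16).padStart(2, "0")
      : "\\u" + code.toString(16).padStart(4, "0");
  });
}

// URL parameter-value context: percent-encode everything outside the unreserved
// set, including the characters encodeURIComponent leaves alone.
function encodeURL(s) {
  return encodeURIComponent(String(s)).replace(/[!'()*]/g,
    (c) => "%" + c.charCodeAt(0).toString(16).toUpperCase());
}

// CSS value context: \HH escape (terminated by a space) for every non-alphanumeric.
function encodeCSS(s) {
  return String(s).replace(/[^A-Za-z0-9]/g,
    (c) => "\\" + c.charCodeAt(0).toString(16) + " ");
}

// Context -> encoder, grouped the same way as the tables above.
const ENCODERS = { html: encodeHTML, xml: encodeHTML, js: encodeJS, url: encodeURL, css: encodeCSS };

function encodeFor(context, value) {
  const enc = ENCODERS[context];
  if (!enc) throw new Error("unknown output context: " + context);
  return enc(value);
}

// Place an already-encoded value inside a JavaScript string literal (the page's
// case 5, a value in a JS declaration) and evaluate it. Returns the string the
// script would see, or null when the literal is syntactically broken, which is the
// point at which the surrounding script is no longer under the author's control.
function embedInJsLiteral(encoded) {
  try {
    return new Function('return "' + encoded + '";')();
  } catch (e) {
    return null;
  }
}

// Constructed sample value: a name with both quote kinds, a line break and a backslash.
const SAMPLE = 'O\'Neil "Bob"\n\\admin';

// Run stand-alone: print each context's encoding of the sample and the case-5 check.
for (const ctx of ["html", "js", "url", "css"]) console.log(ctx, encodeFor(ctx, SAMPLE));
// HTML encoding does not touch the line break or the backslash, so the JS literal
// breaks (null); JS encoding round-trips the value unchanged.
console.log("html-encoded in JS literal:", embedInJsLiteral(encodeHTML(SAMPLE)));
console.log("js-encoded in JS literal:", embedInJsLiteral(encodeJS(SAMPLE)));
```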
:
, :
Global_app_config/session_config/sessionTimeout = 900. - , .
SystemCookiesDataProtection = true. HttpOnly , - , , . HTTPOnly, Logon tickets XSS-.
ume.logon.httponlycookie = True. Logon tickets , Single Sign-On J2EE Engine. “True” , HTTP document.cookie ( XSS-) .
SessionIPProtectionEnabled = True. , IP . True, HTTP- IP. IP, .
, , - XSS-, - -, .
LogCLF = TRUE http.properties logging CEF.
ArchiveOldLogFiles = ON. Log Configurator . . , . , . .
HttpTrace = Enable. HTTP- , ConfigTool. HTTP Provider Service, , HttpTrace.
SAP HANA XS
, XSS- – SAP HANA.
SAP HANA SAPUI5.
- SAPUI5 , . , int int, sap.ui.core . – , HTML:
, :
sessiontimeout = 900. - , . HttpOnly .
, , - XSS-, - -, .
HTTP (S) , SAP HANA, -. - HTTP (S) , icm/http/logging _ 0: global _ auditing _ state = true. global.ini, . , , XSS-. SAP HANA Administration Console –> Security HDB –> Auditing Status menu.
- , XSS. , , - SAP . XSS- – SAP. SAP XSS-. XSS SAP.
, ( chipik ) .
Logging additional information
ABAP protection
SAP Encoding Functions for AS ABAP
Java protection
SAP Encoding Functions for AS Java and JavaScript
Prevention of Cross-site Scripting
SAP HANA protection
Protecting SAP® Applications Based on Java and ABAP™ Against Common Attacks
<%@page language="abap" forceEncode="html"%>
<% data: inputvalue type string.
inputvalue = request->get_form_field( 'x' ).
%>
</html>
. , ( ):
<%html=...%>: HTML <%url=...%>: URL URL <%javascript=...%>: JavaScript <%css=…%> : CSS <%raw=...%> ( , , , )
BSP
BSP HTMLB forceEncode <htmlb:content> ENABLED , ( ). ENABLED , , :<htmlb:content forceEncode="ENABLED|BACKWARDS_COMPATIBLE">
ENABLED: . , ; BACKWARDS_COMPATIBLE: . , .
, htmlb:content , . : CLASSIC, DESIGN2002, DESIGN2003, DESIGN2008, , (+). CLASSIC DESIGN2002 (, ) .
<htmlb:content forceEncode="ENABLED" design="DESIGN2003+DESIGN2008">
, design=CLASSIC. .
Mixed BSP- HTML HTMLB
forceEncode BSP page forceEncode HTMLB . , – HTMLB. , , HTML BSP,
Internet Transaction Server (ITS) HTML Business
Internet Transaction Server (ITS) HTML Business, :
xss_url_escape() xss_html_escape() xss_wml_escape() xss_css_escape() xss_js_escape()
HTML Business
, HTML-: , (`) , :
~auto_html_escaping=1: , ~new_xss_functions=1: XSS.
~html_escaping_off=1/0, .
, , SAP_BASIS:
ITS ( <= 6.40), Internet Service SE80. ITS ( >= 6.40), GUI SICF :
7.20, ~new_xss_functions, XSS- .
, , , . ~html_escaping_off=”X”, . , . SAP Security Note 1488500.
Business HTML (BHTML)
HTMLBusiness Template Library (, SAP_TemplateNonEditableField()) . , . SAP Security Note 916255.
, . , .
, XSS-:
http/security_session_timeout = 900; - , . icf/set_HTTPonly_flag_on_cookies = 0; HttpOnly , - , , . HTTPOnly, Logon tickets XSS-.
, RZ10, ( Profile) (, DEFAULT.PFL, SAP-). , , , Extended maintenance . , Copy.
, , - , - -, :
icm/HTTP/logging_0 icm/security_log ,
SAP NetWeaver J2EE
SAP NetWeaver J2EE
AS Java tc_sec_csi.jar. , HTML/XML, JavaScript, CSS URL. StringUtils (com.sap.security.core.server.csi.util.StringUtils):
. Securing SAP from XSS vulnerabilities
escapeScriptEndTag(String pStr) - , javascript ; escapeToHTML(String input) – (. 1) escapeToJS(String input) – JS declaration ( . 5) escapeToURL(String input) – , URL ( 3). , 'disableScriptSignatures'. escapeToURL(StringBuffer sb, String input, int maxLength) - , URL ( 3). , 'disableScriptSignatures'. escapeToURL(String input, int maxLength) - , URL (. 3). , 'disableScriptSignatures'. urlEncode(String s) – URLEncoder.encode
, .
1 ( )
[CASE1]
Username [CASE1]
2 ( , – URL)
Click here
3 ( - URL)
4 ( SCRIPT', – )
5 ( – declaration )
XSSEncoder.
- XSSEncoder ( : com.sap.security.core.server.csi.XSSEncoder).
:
HTML / XML out = XSSEncoder.encodeHTML( in ) and XSSEncoder.encodeXML( val ); JavaScript out = XSSEncoder.encodeJavaScript( val ); URL out = XSSEncoder.encodeURL( val ); CSS out = XSSEncoder.encodeCSS( val );
, . SAP Security Note 1590008.
WebDynpro Java
WebDynpro Java, XSS. .
SAP UI Development Kit for HTML5
SAP UI Development Kit HTML5, jQuery /_core/src/main/js/jquery.sap.encoder.js.
:
HTML / XML jQuery.sap.encodeHTML(sValue) and jQuery.sap.encodeXML(sValue) JavaScript jQuery.sap.encodeJS(sValue) URL jQuery.sap.encodeURL(sValue) CSS jQuery.sap.encodeCSS(sValue)
:
, :
Global_app_config/session_config/sessionTimeout = 900. - , . SystemCookiesDataProtection = true. HttpOnly , - , , . HTTPOnly, Logon tickets XSS-. ume.logon.httponlycookie= True. Logon tickets , Single Sign-On J2EE Engine. “True” , HTTP document.cookie ( XSS-) . SessionIPProtectionEnabled = True. , IP . True, HTTP- IP. IP, .
, , - XSS-, - -, .
LogCLF = TRUE http.properties logging CEF. ArchiveOldLogFiles = ON. Log Configurator . . , . , . . HttpTrace= Enable. HTTP- , ConfigTool. HTTP Provider Service, , HttpTrace.
SAP HANA XS
, XSS- – SAP HANA.
SAP HANA SAPUI5.
- SAPUI5 , . , int int, sap.ui.core . – , HTML:
, :
sessiontimeout = 900. - , . HttpOnly .
, , - XSS-, - -, .
HTTP (S) , SAP HANA, -. - HTTP (S) , icm/http/logging _ 0: global _ auditing _ state = true. global.ini, . , , XSS-. SAP HANA Administration Console –> Security HDB –> Auditing Status menu.
- , XSS. , , - SAP . XSS- – SAP. SAP XSS-. XSS SAP.
, ( chipik ) .
Logging additional information ABAP protection SAP Encoding Functions for AS ABAP Java protection SAP Encoding Functions for AS Java and JavaScript Prevention of Cross-site Scripting SAP HANA protection Protecting SAP® Applications Based on Java and ABAP™ Against Common Attacks
<%@page language="abap" forceEncode="html"%>
<% data: inputvalue type string.
inputvalue = request->get_form_field( 'x' ).
%>
</html>
. , ( ):
<%html=...%>: HTML <%url=...%>: URL URL <%javascript=...%>: JavaScript <%css=…%> : CSS <%raw=...%> ( , , , )
BSP
BSP HTMLB forceEncode <htmlb:content> ENABLED , ( ). ENABLED , , :<htmlb:content forceEncode="ENABLED|BACKWARDS_COMPATIBLE">
ENABLED: . , ; BACKWARDS_COMPATIBLE: . , .
, htmlb:content , . : CLASSIC, DESIGN2002, DESIGN2003, DESIGN2008, , (+). CLASSIC DESIGN2002 (, ) .
<htmlb:content forceEncode="ENABLED" design="DESIGN2003+DESIGN2008">
, design=CLASSIC. .
Mixed BSP- HTML HTMLB
forceEncode BSP page forceEncode HTMLB . , – HTMLB. , , HTML BSP,
Internet Transaction Server (ITS) HTML Business
Internet Transaction Server (ITS) HTML Business, :
xss_url_escape() xss_html_escape() xss_wml_escape() xss_css_escape() xss_js_escape()
HTML Business
, HTML-: , (`) , :
~auto_html_escaping=1: , ~new_xss_functions=1: XSS.
~html_escaping_off=1/0, .
, , SAP_BASIS:
ITS ( <= 6.40), Internet Service SE80. ITS ( >= 6.40), GUI SICF :
7.20, ~new_xss_functions, XSS- .
, , , . ~html_escaping_off=”X”, . , . SAP Security Note 1488500.
Business HTML (BHTML)
HTMLBusiness Template Library (, SAP_TemplateNonEditableField()) . , . SAP Security Note 916255.
, . , .
, XSS-:
http/security_session_timeout = 900; - , . icf/set_HTTPonly_flag_on_cookies = 0; HttpOnly , - , , . HTTPOnly, Logon tickets XSS-.
, RZ10, ( Profile) (, DEFAULT.PFL, SAP-). , , , Extended maintenance . , Copy.
, , - , - -, :
icm/HTTP/logging_0 icm/security_log ,
SAP NetWeaver J2EE
SAP NetWeaver J2EE
AS Java tc_sec_csi.jar. , HTML/XML, JavaScript, CSS URL. StringUtils (com.sap.security.core.server.csi.util.StringUtils):
. Securing SAP from XSS vulnerabilities
escapeScriptEndTag(String pStr) - , javascript ; escapeToHTML(String input) – (. 1) escapeToJS(String input) – JS declaration ( . 5) escapeToURL(String input) – , URL ( 3). , 'disableScriptSignatures'. escapeToURL(StringBuffer sb, String input, int maxLength) - , URL ( 3). , 'disableScriptSignatures'. escapeToURL(String input, int maxLength) - , URL (. 3). , 'disableScriptSignatures'. urlEncode(String s) – URLEncoder.encode
, .
1 ( )
[CASE1]
Username [CASE1]
2 ( , – URL)
Click here
3 ( - URL)
4 ( SCRIPT', – )
5 ( – declaration )
XSSEncoder.
- XSSEncoder ( : com.sap.security.core.server.csi.XSSEncoder).
:
HTML / XML out = XSSEncoder.encodeHTML( in ) and XSSEncoder.encodeXML( val ); JavaScript out = XSSEncoder.encodeJavaScript( val ); URL out = XSSEncoder.encodeURL( val ); CSS out = XSSEncoder.encodeCSS( val );
, . SAP Security Note 1590008.
WebDynpro Java
WebDynpro Java, XSS. .
SAP UI Development Kit for HTML5
SAP UI Development Kit HTML5, jQuery /_core/src/main/js/jquery.sap.encoder.js.
:
HTML / XML jQuery.sap.encodeHTML(sValue) and jQuery.sap.encodeXML(sValue) JavaScript jQuery.sap.encodeJS(sValue) URL jQuery.sap.encodeURL(sValue) CSS jQuery.sap.encodeCSS(sValue)
:
, :
Global_app_config/session_config/sessionTimeout = 900. - , . SystemCookiesDataProtection = true. HttpOnly , - , , . HTTPOnly, Logon tickets XSS-. ume.logon.httponlycookie= True. Logon tickets , Single Sign-On J2EE Engine. “True” , HTTP document.cookie ( XSS-) . SessionIPProtectionEnabled = True. , IP . True, HTTP- IP. IP, .
, , - XSS-, - -, .
LogCLF = TRUE http.properties logging CEF. ArchiveOldLogFiles = ON. Log Configurator . . , . , . . HttpTrace= Enable. HTTP- , ConfigTool. HTTP Provider Service, , HttpTrace.
SAP HANA XS
, XSS- – SAP HANA.
SAP HANA SAPUI5.
- SAPUI5 , . , int int, sap.ui.core . – , HTML:
, :
sessiontimeout = 900. - , . HttpOnly .
, , - XSS-, - -, .
HTTP (S) , SAP HANA, -. - HTTP (S) , icm/http/logging _ 0: global _ auditing _ state = true. global.ini, . , , XSS-. SAP HANA Administration Console –> Security HDB –> Auditing Status menu.
- , XSS. , , - SAP . XSS- – SAP. SAP XSS-. XSS SAP.
, ( chipik ) .
Logging additional information ABAP protection SAP Encoding Functions for AS ABAP Java protection SAP Encoding Functions for AS Java and JavaScript Prevention of Cross-site Scripting SAP HANA protection Protecting SAP® Applications Based on Java and ABAP™ Against Common Attacks
<%@page language="abap" forceEncode="html"%>
<% data: inputvalue type string.
inputvalue = request->get_form_field( 'x' ).
%>
</html>
. , ( ):
<%html=...%>: HTML <%url=...%>: URL URL <%javascript=...%>: JavaScript <%css=…%> : CSS <%raw=...%> ( , , , )
BSP
BSP HTMLB forceEncode <htmlb:content> ENABLED , ( ). ENABLED , , :<htmlb:content forceEncode="ENABLED|BACKWARDS_COMPATIBLE">
ENABLED: . , ; BACKWARDS_COMPATIBLE: . , .
, htmlb:content , . : CLASSIC, DESIGN2002, DESIGN2003, DESIGN2008, , (+). CLASSIC DESIGN2002 (, ) .
<htmlb:content forceEncode="ENABLED" design="DESIGN2003+DESIGN2008">
, design=CLASSIC. .
Mixed BSP- HTML HTMLB
forceEncode BSP page forceEncode HTMLB . , – HTMLB. , , HTML BSP,
Internet Transaction Server (ITS) HTML Business
Internet Transaction Server (ITS) HTML Business, :
xss_url_escape() xss_html_escape() xss_wml_escape() xss_css_escape() xss_js_escape()
HTML Business
, HTML-: , (`) , :
~auto_html_escaping=1: , ~new_xss_functions=1: XSS.
~html_escaping_off=1/0, .
, , SAP_BASIS:
ITS ( <= 6.40), Internet Service SE80. ITS ( >= 6.40), GUI SICF :
7.20, ~new_xss_functions, XSS- .
, , , . ~html_escaping_off=”X”, . , . SAP Security Note 1488500.
Business HTML (BHTML)
HTMLBusiness Template Library (, SAP_TemplateNonEditableField()) . , . SAP Security Note 916255.
, . , .
, XSS-:
http/security_session_timeout = 900; - , . icf/set_HTTPonly_flag_on_cookies = 0; HttpOnly , - , , . HTTPOnly, Logon tickets XSS-.
, RZ10, ( Profile) (, DEFAULT.PFL, SAP-). , , , Extended maintenance . , Copy.
, , - , - -, :
icm/HTTP/logging_0 icm/security_log ,
SAP NetWeaver J2EE
SAP NetWeaver J2EE
AS Java tc_sec_csi.jar. , HTML/XML, JavaScript, CSS URL. StringUtils (com.sap.security.core.server.csi.util.StringUtils):
. Securing SAP from XSS vulnerabilities
escapeScriptEndTag(String pStr) - , javascript ; escapeToHTML(String input) – (. 1) escapeToJS(String input) – JS declaration ( . 5) escapeToURL(String input) – , URL ( 3). , 'disableScriptSignatures'. escapeToURL(StringBuffer sb, String input, int maxLength) - , URL ( 3). , 'disableScriptSignatures'. escapeToURL(String input, int maxLength) - , URL (. 3). , 'disableScriptSignatures'. urlEncode(String s) – URLEncoder.encode
, .
1 ( )
[CASE1]
Username [CASE1]
2 ( , – URL)
Click here
3 ( - URL)
4 ( SCRIPT', – )
5 ( – declaration )
XSSEncoder.
- XSSEncoder ( : com.sap.security.core.server.csi.XSSEncoder).
:
HTML / XML out = XSSEncoder.encodeHTML( in ) and XSSEncoder.encodeXML( val ); JavaScript out = XSSEncoder.encodeJavaScript( val ); URL out = XSSEncoder.encodeURL( val ); CSS out = XSSEncoder.encodeCSS( val );
, . SAP Security Note 1590008.
WebDynpro Java
WebDynpro Java, XSS. .
SAP UI Development Kit for HTML5
SAP UI Development Kit HTML5, jQuery /_core/src/main/js/jquery.sap.encoder.js.
:
HTML / XML jQuery.sap.encodeHTML(sValue) and jQuery.sap.encodeXML(sValue) JavaScript jQuery.sap.encodeJS(sValue) URL jQuery.sap.encodeURL(sValue) CSS jQuery.sap.encodeCSS(sValue)
:
, :
Global_app_config/session_config/sessionTimeout = 900. - , . SystemCookiesDataProtection = true. HttpOnly , - , , . HTTPOnly, Logon tickets XSS-. ume.logon.httponlycookie= True. Logon tickets , Single Sign-On J2EE Engine. “True” , HTTP document.cookie ( XSS-) . SessionIPProtectionEnabled = True. , IP . True, HTTP- IP. IP, .
, , - XSS-, - -, .
LogCLF = TRUE http.properties logging CEF. ArchiveOldLogFiles = ON. Log Configurator . . , . , . . HttpTrace= Enable. HTTP- , ConfigTool. HTTP Provider Service, , HttpTrace.
SAP HANA XS
, XSS- – SAP HANA.
SAP HANA SAPUI5.
- SAPUI5 , . , int int, sap.ui.core . – , HTML:
, :
sessiontimeout = 900. - , . HttpOnly .
, , - XSS-, - -, .
HTTP (S) , SAP HANA, -. - HTTP (S) , icm/http/logging _ 0: global _ auditing _ state = true. global.ini, . , , XSS-. SAP HANA Administration Console –> Security HDB –> Auditing Status menu.
- , XSS. , , - SAP . XSS- – SAP. SAP XSS-. XSS SAP.
, ( chipik ) .
Logging additional information ABAP protection SAP Encoding Functions for AS ABAP Java protection SAP Encoding Functions for AS Java and JavaScript Prevention of Cross-site Scripting SAP HANA protection Protecting SAP® Applications Based on Java and ABAP™ Against Common Attacks
<%@page language="abap" forceEncode="html"%>
<% data: inputvalue type string.
inputvalue = request->get_form_field( 'x' ).
%>
</html>
. , ( ):
<%html=...%>: HTML <%url=...%>: URL URL <%javascript=...%>: JavaScript <%css=…%> : CSS <%raw=...%> ( , , , )
BSP
BSP HTMLB forceEncode <htmlb:content> ENABLED , ( ). ENABLED , , :<htmlb:content forceEncode="ENABLED|BACKWARDS_COMPATIBLE">
ENABLED: . , ; BACKWARDS_COMPATIBLE: . , .
, htmlb:content , . : CLASSIC, DESIGN2002, DESIGN2003, DESIGN2008, , (+). CLASSIC DESIGN2002 (, ) .
<htmlb:content forceEncode="ENABLED" design="DESIGN2003+DESIGN2008">
, design=CLASSIC. .
Mixed BSP- HTML HTMLB
forceEncode BSP page forceEncode HTMLB . , – HTMLB. , , HTML BSP,
Internet Transaction Server (ITS) HTML Business
Internet Transaction Server (ITS) HTML Business, :
xss_url_escape() xss_html_escape() xss_wml_escape() xss_css_escape() xss_js_escape()
HTML Business
, HTML-: , (`) , :
~auto_html_escaping=1: , ~new_xss_functions=1: XSS.
~html_escaping_off=1/0, .
, , SAP_BASIS:
ITS ( <= 6.40), Internet Service SE80. ITS ( >= 6.40), GUI SICF :
7.20, ~new_xss_functions, XSS- .
, , , . ~html_escaping_off=”X”, . , . SAP Security Note 1488500.
Business HTML (BHTML)
HTMLBusiness Template Library (, SAP_TemplateNonEditableField()) . , . SAP Security Note 916255.
, . , .
, XSS-:
http/security_session_timeout = 900; - , . icf/set_HTTPonly_flag_on_cookies = 0; HttpOnly , - , , . HTTPOnly, Logon tickets XSS-.
, RZ10, ( Profile) (, DEFAULT.PFL, SAP-). , , , Extended maintenance . , Copy.
, , - , - -, :
icm/HTTP/logging_0 icm/security_log ,
SAP NetWeaver J2EE
SAP NetWeaver J2EE
AS Java tc_sec_csi.jar. , HTML/XML, JavaScript, CSS URL. StringUtils (com.sap.security.core.server.csi.util.StringUtils):
. Securing SAP from XSS vulnerabilities
escapeScriptEndTag(String pStr) - , javascript ; escapeToHTML(String input) – (. 1) escapeToJS(String input) – JS declaration ( . 5) escapeToURL(String input) – , URL ( 3). , 'disableScriptSignatures'. escapeToURL(StringBuffer sb, String input, int maxLength) - , URL ( 3). , 'disableScriptSignatures'. escapeToURL(String input, int maxLength) - , URL (. 3). , 'disableScriptSignatures'. urlEncode(String s) – URLEncoder.encode
, .
1 ( )
[CASE1]
Username [CASE1]
2 ( , – URL)
Click here
3 ( - URL)
4 ( SCRIPT', – )
5 ( – declaration )
XSSEncoder.
- XSSEncoder ( : com.sap.security.core.server.csi.XSSEncoder).
:
HTML / XML out = XSSEncoder.encodeHTML( in ) and XSSEncoder.encodeXML( val ); JavaScript out = XSSEncoder.encodeJavaScript( val ); URL out = XSSEncoder.encodeURL( val ); CSS out = XSSEncoder.encodeCSS( val );
, . SAP Security Note 1590008.
WebDynpro Java
WebDynpro Java, XSS. .
SAP UI Development Kit for HTML5
SAP UI Development Kit HTML5, jQuery /_core/src/main/js/jquery.sap.encoder.js.
:
HTML / XML jQuery.sap.encodeHTML(sValue) and jQuery.sap.encodeXML(sValue) JavaScript jQuery.sap.encodeJS(sValue) URL jQuery.sap.encodeURL(sValue) CSS jQuery.sap.encodeCSS(sValue)
:
, :
Global_app_config/session_config/sessionTimeout = 900. - , . SystemCookiesDataProtection = true. HttpOnly , - , , . HTTPOnly, Logon tickets XSS-. ume.logon.httponlycookie= True. Logon tickets , Single Sign-On J2EE Engine. “True” , HTTP document.cookie ( XSS-) . SessionIPProtectionEnabled = True. , IP . True, HTTP- IP. IP, .
, , - XSS-, - -, .
LogCLF = TRUE http.properties logging CEF. ArchiveOldLogFiles = ON. Log Configurator . . , . , . . HttpTrace= Enable. HTTP- , ConfigTool. HTTP Provider Service, , HttpTrace.
SAP HANA XS
, XSS- – SAP HANA.
SAP HANA SAPUI5.
- SAPUI5 , . , int int, sap.ui.core . – , HTML:
, :
sessiontimeout = 900. - , . HttpOnly .
, , - XSS-, - -, .
HTTP (S) , SAP HANA, -. - HTTP (S) , icm/http/logging _ 0: global _ auditing _ state = true. global.ini, . , , XSS-. SAP HANA Administration Console –> Security HDB –> Auditing Status menu.
- , XSS. , , - SAP . XSS- – SAP. SAP XSS-. XSS SAP.
, ( chipik ) .
Logging additional information ABAP protection SAP Encoding Functions for AS ABAP Java protection SAP Encoding Functions for AS Java and JavaScript Prevention of Cross-site Scripting SAP HANA protection Protecting SAP® Applications Based on Java and ABAP™ Against Common Attacks
<%@page language="abap" forceEncode="html"%>
<% data: inputvalue type string.
inputvalue = request->get_form_field( 'x' ).
%>
</html>
. , ( ):
<%html=...%>: HTML <%url=...%>: URL URL <%javascript=...%>: JavaScript <%css=…%> : CSS <%raw=...%> ( , , , )
BSP
BSP HTMLB forceEncode <htmlb:content> ENABLED , ( ). ENABLED , , :<htmlb:content forceEncode="ENABLED|BACKWARDS_COMPATIBLE">
ENABLED: . , ; BACKWARDS_COMPATIBLE: . , .
, htmlb:content , . : CLASSIC, DESIGN2002, DESIGN2003, DESIGN2008, , (+). CLASSIC DESIGN2002 (, ) .
<htmlb:content forceEncode="ENABLED" design="DESIGN2003+DESIGN2008">
, design=CLASSIC. .
Mixed BSP- HTML HTMLB
forceEncode BSP page forceEncode HTMLB . , – HTMLB. , , HTML BSP,
Internet Transaction Server (ITS) HTML Business
Internet Transaction Server (ITS) HTML Business, :
xss_url_escape() xss_html_escape() xss_wml_escape() xss_css_escape() xss_js_escape()
HTML Business
, HTML-: , (`) , :
~auto_html_escaping=1: , ~new_xss_functions=1: XSS.
~html_escaping_off=1/0, .
, , SAP_BASIS:
ITS ( <= 6.40), Internet Service SE80. ITS ( >= 6.40), GUI SICF :
7.20, ~new_xss_functions, XSS- .
, , , . ~html_escaping_off=”X”, . , . SAP Security Note 1488500.
Business HTML (BHTML)
HTMLBusiness Template Library (, SAP_TemplateNonEditableField()) . , . SAP Security Note 916255.
, . , .
, XSS-:
http/security_session_timeout = 900; - , . icf/set_HTTPonly_flag_on_cookies = 0; HttpOnly , - , , . HTTPOnly, Logon tickets XSS-.
, RZ10, ( Profile) (, DEFAULT.PFL, SAP-). , , , Extended maintenance . , Copy.
, , - , - -, :
icm/HTTP/logging_0 icm/security_log ,
SAP NetWeaver J2EE
SAP NetWeaver J2EE
AS Java tc_sec_csi.jar. , HTML/XML, JavaScript, CSS URL. StringUtils (com.sap.security.core.server.csi.util.StringUtils):
. Securing SAP from XSS vulnerabilities
escapeScriptEndTag(String pStr) - , javascript ; escapeToHTML(String input) – (. 1) escapeToJS(String input) – JS declaration ( . 5) escapeToURL(String input) – , URL ( 3). , 'disableScriptSignatures'. escapeToURL(StringBuffer sb, String input, int maxLength) - , URL ( 3). , 'disableScriptSignatures'. escapeToURL(String input, int maxLength) - , URL (. 3). , 'disableScriptSignatures'. urlEncode(String s) – URLEncoder.encode
, .
1 ( )
[CASE1]
Username [CASE1]
2 ( , – URL)
Click here
3 ( - URL)
4 ( SCRIPT', – )
5 ( – declaration )
XSSEncoder.
- XSSEncoder ( : com.sap.security.core.server.csi.XSSEncoder).
:
HTML / XML out = XSSEncoder.encodeHTML( in ) and XSSEncoder.encodeXML( val ); JavaScript out = XSSEncoder.encodeJavaScript( val ); URL out = XSSEncoder.encodeURL( val ); CSS out = XSSEncoder.encodeCSS( val );
, . SAP Security Note 1590008.
WebDynpro Java
WebDynpro Java, XSS. .
SAP UI Development Kit for HTML5
SAP UI Development Kit HTML5, jQuery /_core/src/main/js/jquery.sap.encoder.js.
:
HTML / XML jQuery.sap.encodeHTML(sValue) and jQuery.sap.encodeXML(sValue) JavaScript jQuery.sap.encodeJS(sValue) URL jQuery.sap.encodeURL(sValue) CSS jQuery.sap.encodeCSS(sValue)
:
, :
Global_app_config/session_config/sessionTimeout = 900. - , . SystemCookiesDataProtection = true. HttpOnly , - , , . HTTPOnly, Logon tickets XSS-. ume.logon.httponlycookie= True. Logon tickets , Single Sign-On J2EE Engine. “True” , HTTP document.cookie ( XSS-) . SessionIPProtectionEnabled = True. , IP . True, HTTP- IP. IP, .
, , - XSS-, - -, .
LogCLF = TRUE http.properties logging CEF. ArchiveOldLogFiles = ON. Log Configurator . . , . , . . HttpTrace= Enable. HTTP- , ConfigTool. HTTP Provider Service, , HttpTrace.
SAP HANA XS
, XSS- – SAP HANA.
SAP HANA SAPUI5.
- SAPUI5 , . , int int, sap.ui.core . – , HTML:
, :
sessiontimeout = 900. - , . HttpOnly .
, , - XSS-, - -, .
HTTP (S) , SAP HANA, -. - HTTP (S) , icm/http/logging _ 0: global _ auditing _ state = true. global.ini, . , , XSS-. SAP HANA Administration Console –> Security HDB –> Auditing Status menu.
- , XSS. , , - SAP . XSS- – SAP. SAP XSS-. XSS SAP.
, ( chipik ) .
Logging additional information ABAP protection SAP Encoding Functions for AS ABAP Java protection SAP Encoding Functions for AS Java and JavaScript Prevention of Cross-site Scripting SAP HANA protection Protecting SAP® Applications Based on Java and ABAP™ Against Common Attacks
<%@page language="abap" forceEncode="html"%>
<% data: inputvalue type string.
inputvalue = request->get_form_field( 'x' ).
%>
</html>
. , ( ):
<%html=...%>: HTML <%url=...%>: URL URL <%javascript=...%>: JavaScript <%css=…%> : CSS <%raw=...%> ( , , , )
BSP
BSP HTMLB forceEncode <htmlb:content> ENABLED , ( ). ENABLED , , :<htmlb:content forceEncode="ENABLED|BACKWARDS_COMPATIBLE">
ENABLED: . , ; BACKWARDS_COMPATIBLE: . , .
, htmlb:content , . : CLASSIC, DESIGN2002, DESIGN2003, DESIGN2008, , (+). CLASSIC DESIGN2002 (, ) .
<htmlb:content forceEncode="ENABLED" design="DESIGN2003+DESIGN2008">
, design=CLASSIC. .
Mixed BSP- HTML HTMLB
forceEncode BSP page forceEncode HTMLB . , – HTMLB. , , HTML BSP,
Internet Transaction Server (ITS) HTML Business
Internet Transaction Server (ITS) HTML Business, :
xss_url_escape() xss_html_escape() xss_wml_escape() xss_css_escape() xss_js_escape()
HTML Business
, HTML-: , (`) , :
~auto_html_escaping=1: , ~new_xss_functions=1: XSS.
~html_escaping_off=1/0, .
, , SAP_BASIS:
ITS ( <= 6.40), Internet Service SE80. ITS ( >= 6.40), GUI SICF :
7.20, ~new_xss_functions, XSS- .
, , , . ~html_escaping_off=”X”, . , . SAP Security Note 1488500.
Business HTML (BHTML)
HTMLBusiness Template Library (, SAP_TemplateNonEditableField()) . , . SAP Security Note 916255.
, . , .
, XSS-:
http/security_session_timeout = 900; - , . icf/set_HTTPonly_flag_on_cookies = 0; HttpOnly , - , , . HTTPOnly, Logon tickets XSS-.
, RZ10, ( Profile) (, DEFAULT.PFL, SAP-). , , , Extended maintenance . , Copy.
, , - , - -, :
icm/HTTP/logging_0 icm/security_log ,
SAP NetWeaver J2EE
SAP NetWeaver J2EE
AS Java tc_sec_csi.jar. , HTML/XML, JavaScript, CSS URL. StringUtils (com.sap.security.core.server.csi.util.StringUtils):
. Securing SAP from XSS vulnerabilities
escapeScriptEndTag(String pStr) - , javascript ; escapeToHTML(String input) – (. 1) escapeToJS(String input) – JS declaration ( . 5) escapeToURL(String input) – , URL ( 3). , 'disableScriptSignatures'. escapeToURL(StringBuffer sb, String input, int maxLength) - , URL ( 3). , 'disableScriptSignatures'. escapeToURL(String input, int maxLength) - , URL (. 3). , 'disableScriptSignatures'. urlEncode(String s) – URLEncoder.encode
, .
1 ( )
[CASE1]
Username [CASE1]
2 ( , – URL)
Click here
3 ( - URL)
4 ( SCRIPT', – )
5 ( – declaration )
XSSEncoder.
- XSSEncoder ( : com.sap.security.core.server.csi.XSSEncoder).
:
HTML / XML out = XSSEncoder.encodeHTML( in ) and XSSEncoder.encodeXML( val ); JavaScript out = XSSEncoder.encodeJavaScript( val ); URL out = XSSEncoder.encodeURL( val ); CSS out = XSSEncoder.encodeCSS( val );
, . SAP Security Note 1590008.
WebDynpro Java
WebDynpro Java, XSS. .
SAP UI Development Kit for HTML5
SAP UI Development Kit HTML5, jQuery /_core/src/main/js/jquery.sap.encoder.js.
:
HTML / XML jQuery.sap.encodeHTML(sValue) and jQuery.sap.encodeXML(sValue) JavaScript jQuery.sap.encodeJS(sValue) URL jQuery.sap.encodeURL(sValue) CSS jQuery.sap.encodeCSS(sValue)
:
, :
Global_app_config/session_config/sessionTimeout = 900. - , . SystemCookiesDataProtection = true. HttpOnly , - , , . HTTPOnly, Logon tickets XSS-. ume.logon.httponlycookie= True. Logon tickets , Single Sign-On J2EE Engine. “True” , HTTP document.cookie ( XSS-) . SessionIPProtectionEnabled = True. , IP . True, HTTP- IP. IP, .
, , - XSS-, - -, .
LogCLF = TRUE http.properties logging CEF. ArchiveOldLogFiles = ON. Log Configurator . . , . , . . HttpTrace= Enable. HTTP- , ConfigTool. HTTP Provider Service, , HttpTrace.
SAP HANA XS
, XSS- – SAP HANA.
SAP HANA SAPUI5.
- SAPUI5 , . , int int, sap.ui.core . – , HTML:
, :
sessiontimeout = 900. - , . HttpOnly .
, , - XSS-, - -, .
HTTP (S) , SAP HANA, -. - HTTP (S) , icm/http/logging _ 0: global _ auditing _ state = true. global.ini, . , , XSS-. SAP HANA Administration Console –> Security HDB –> Auditing Status menu.
- , XSS. , , - SAP . XSS- – SAP. SAP XSS-. XSS SAP.
, ( chipik ) .
Logging additional information ABAP protection SAP Encoding Functions for AS ABAP Java protection SAP Encoding Functions for AS Java and JavaScript Prevention of Cross-site Scripting SAP HANA protection Protecting SAP® Applications Based on Java and ABAP™ Against Common Attacks
<%@page language="abap" forceEncode="html"%>
<% data: inputvalue type string.
inputvalue = request->get_form_field( 'x' ).
%>
</html>
. , ( ):
<%html=...%>: HTML <%url=...%>: URL URL <%javascript=...%>: JavaScript <%css=…%> : CSS <%raw=...%> ( , , , )
BSP
BSP HTMLB forceEncode <htmlb:content> ENABLED , ( ). ENABLED , , :<htmlb:content forceEncode="ENABLED|BACKWARDS_COMPATIBLE">
ENABLED: . , ; BACKWARDS_COMPATIBLE: . , .
, htmlb:content , . : CLASSIC, DESIGN2002, DESIGN2003, DESIGN2008, , (+). CLASSIC DESIGN2002 (, ) .
<htmlb:content forceEncode="ENABLED" design="DESIGN2003+DESIGN2008">
, design=CLASSIC. .
Mixed BSP- HTML HTMLB
forceEncode BSP page forceEncode HTMLB . , – HTMLB. , , HTML BSP,
Internet Transaction Server (ITS) HTML Business
Internet Transaction Server (ITS) HTML Business, :
xss_url_escape() xss_html_escape() xss_wml_escape() xss_css_escape() xss_js_escape()
HTML Business
, HTML-: , (`) , :
~auto_html_escaping=1: , ~new_xss_functions=1: XSS.
~html_escaping_off=1/0, .
, , SAP_BASIS:
ITS ( <= 6.40), Internet Service SE80. ITS ( >= 6.40), GUI SICF :
7.20, ~new_xss_functions, XSS- .
, , , . ~html_escaping_off=”X”, . , . SAP Security Note 1488500.
Business HTML (BHTML)
HTMLBusiness Template Library (, SAP_TemplateNonEditableField()) . , . SAP Security Note 916255.
, . , .
, XSS-:
http/security_session_timeout = 900; - , . icf/set_HTTPonly_flag_on_cookies = 0; HttpOnly , - , , . HTTPOnly, Logon tickets XSS-.
, RZ10, ( Profile) (, DEFAULT.PFL, SAP-). , , , Extended maintenance . , Copy.
, , - , - -, :
icm/HTTP/logging_0 icm/security_log ,
SAP NetWeaver J2EE
SAP NetWeaver J2EE
AS Java tc_sec_csi.jar. , HTML/XML, JavaScript, CSS URL. StringUtils (com.sap.security.core.server.csi.util.StringUtils):
. Securing SAP from XSS vulnerabilities
escapeScriptEndTag(String pStr) - , javascript ; escapeToHTML(String input) – (. 1) escapeToJS(String input) – JS declaration ( . 5) escapeToURL(String input) – , URL ( 3). , 'disableScriptSignatures'. escapeToURL(StringBuffer sb, String input, int maxLength) - , URL ( 3). , 'disableScriptSignatures'. escapeToURL(String input, int maxLength) - , URL (. 3). , 'disableScriptSignatures'. urlEncode(String s) – URLEncoder.encode
, .
1 ( )
[CASE1]
Username [CASE1]
2 ( , – URL)
Click here
3 ( - URL)
4 ( SCRIPT', – )
5 ( – declaration )
XSSEncoder.
- XSSEncoder ( : com.sap.security.core.server.csi.XSSEncoder).
:
HTML / XML out = XSSEncoder.encodeHTML( in ) and XSSEncoder.encodeXML( val ); JavaScript out = XSSEncoder.encodeJavaScript( val ); URL out = XSSEncoder.encodeURL( val ); CSS out = XSSEncoder.encodeCSS( val );
, . SAP Security Note 1590008.
WebDynpro Java
WebDynpro Java, XSS. .
SAP UI Development Kit for HTML5
SAP UI Development Kit HTML5, jQuery /_core/src/main/js/jquery.sap.encoder.js.
:
HTML / XML jQuery.sap.encodeHTML(sValue) and jQuery.sap.encodeXML(sValue) JavaScript jQuery.sap.encodeJS(sValue) URL jQuery.sap.encodeURL(sValue) CSS jQuery.sap.encodeCSS(sValue)
:
, :
Global_app_config/session_config/sessionTimeout = 900. - , . SystemCookiesDataProtection = true. HttpOnly , - , , . HTTPOnly, Logon tickets XSS-. ume.logon.httponlycookie= True. Logon tickets , Single Sign-On J2EE Engine. “True” , HTTP document.cookie ( XSS-) . SessionIPProtectionEnabled = True. , IP . True, HTTP- IP. IP, .
, , - XSS-, - -, .
LogCLF = TRUE http.properties logging CEF. ArchiveOldLogFiles = ON. Log Configurator . . , . , . . HttpTrace= Enable. HTTP- , ConfigTool. HTTP Provider Service, , HttpTrace.
SAP HANA XS
, XSS- – SAP HANA.
SAP HANA SAPUI5.
- SAPUI5 , . , int int, sap.ui.core . – , HTML:
, :
sessiontimeout = 900. - , . HttpOnly .
, , - XSS-, - -, .
HTTP (S) , SAP HANA, -. - HTTP (S) , icm/http/logging _ 0: global _ auditing _ state = true. global.ini, . , , XSS-. SAP HANA Administration Console –> Security HDB –> Auditing Status menu.
- , XSS. , , - SAP . XSS- – SAP. SAP XSS-. XSS SAP.
, ( chipik ) .
Logging additional information ABAP protection SAP Encoding Functions for AS ABAP Java protection SAP Encoding Functions for AS Java and JavaScript Prevention of Cross-site Scripting SAP HANA protection Protecting SAP® Applications Based on Java and ABAP™ Against Common Attacks
<%@page language="abap" forceEncode="html"%>
<% data: inputvalue type string.
inputvalue = request->get_form_field( 'x' ).
%>
</html>
The BSP output tags encode for a specific context:
<%html=...%>: HTML context
<%url=...%>: URL context
<%javascript=...%>: JavaScript context
<%css=...%>: CSS context
<%raw=...%>: no encoding (raw output)
BSP
In BSP HTMLB, encoding is controlled by the forceEncode attribute of the <htmlb:content> tag; set it to ENABLED to switch encoding on:
<htmlb:content forceEncode="ENABLED|BACKWARDS_COMPATIBLE">
ENABLED: encoding switched on. BACKWARDS_COMPATIBLE: the backwards-compatible behaviour of earlier releases.
The design attribute of htmlb:content selects the rendering design: CLASSIC, DESIGN2002, DESIGN2003, DESIGN2008, or several of them combined with (+). CLASSIC and DESIGN2002 are the older designs.
<htmlb:content forceEncode="ENABLED" design="DESIGN2003+DESIGN2008">
If the attribute is omitted, design=CLASSIC.
Mixed BSP pages with HTML and HTMLB
The forceEncode of the BSP page directive and the forceEncode of HTMLB are independent settings: the HTMLB attribute applies only to HTMLB tags, while plain HTML written directly in the BSP page is governed by the page directive.
Internet Transaction Server (ITS) HTML Business
The Internet Transaction Server (ITS) HTML Business provides these escaping functions:
xss_url_escape()
xss_html_escape()
xss_wml_escape()
xss_css_escape()
xss_js_escape()
HTML Business
In HTML Business templates, HTML escaping of values inserted via (`) expressions is controlled by these parameters:
~auto_html_escaping=1: automatic HTML escaping switched on.
~new_xss_functions=1: activates the new XSS escaping functions.
~html_escaping_off=1/0: switches HTML escaping off (1) or on (0).
Where these parameters are set depends on the SAP_BASIS release:
ITS with SAP_BASIS <= 6.40: in the Internet Service in SE80. ITS with SAP_BASIS >= 6.40: in the GUI parameters of the service in SICF.
As of 7.20, ~new_xss_functions activates the new XSS functions.
Check the templates for ~html_escaping_off="X", which switches escaping off. See SAP Security Note 1488500.
Business HTML (BHTML)
For the functions of the HTMLBusiness Template Library (for example SAP_TemplateNonEditableField()), see SAP Security Note 916255.
Profile parameters relevant to XSS:
http/security_session_timeout = 900: session timeout in seconds.
icf/set_HTTPonly_flag_on_cookies = 0: sets the HttpOnly flag on cookies, so that logon tickets cannot be read by script (XSS).
The parameters are maintained in transaction RZ10: select the profile (for example DEFAULT.PFL), choose Extended maintenance, add or change the parameter and confirm with Copy.
Logging parameters: icm/HTTP/logging_0 and icm/security_log.
SAP NetWeaver J2EE
In AS Java the encoding functions are in tc_sec_csi.jar and cover the HTML/XML, JavaScript, CSS and URL contexts. The class StringUtils (com.sap.security.core.server.csi.util.StringUtils) provides:
Securing SAP from XSS vulnerabilities
escapeScriptEndTag(String pStr): escapes the script end tag in JavaScript content.
escapeToHTML(String input): escaping for the HTML context (see case 1).
escapeToJS(String input): escaping for a JS declaration (see case 5).
escapeToURL(String input): escaping for the URL context (case 3); see also the 'disableScriptSignatures' option.
escapeToURL(StringBuffer sb, String input, int maxLength): escaping for the URL context (case 3), written into a StringBuffer with a length limit; see also 'disableScriptSignatures'.
escapeToURL(String input, int maxLength): escaping for the URL context (case 3) with a length limit; see also 'disableScriptSignatures'.
urlEncode(String s): wrapper around URLEncoder.encode.
Case 1 (HTML): [CASE1]
Username [CASE1]
Case 2 (URL in a link): Click here
Case 3 (URL)
Case 4 (inside 'SCRIPT')
Case 5 (JS declaration)
XSSEncoder
The class XSSEncoder (com.sap.security.core.server.csi.XSSEncoder) provides:
Context | Method |
HTML / XML | out = XSSEncoder.encodeHTML( in ) and XSSEncoder.encodeXML( val ) |
JavaScript | out = XSSEncoder.encodeJavaScript( val ) |
URL | out = XSSEncoder.encodeURL( val ) |
CSS | out = XSSEncoder.encodeCSS( val ) |
See SAP Security Note 1590008.
WebDynpro Java
WebDynpro Java, XSS.
SAP UI Development Kit for HTML5
In the SAP UI Development Kit for HTML5, the jQuery encoder functions are in /_core/src/main/js/jquery.sap.encoder.js:
Context | Method |
HTML / XML | jQuery.sap.encodeHTML(sValue) and jQuery.sap.encodeXML(sValue) |
JavaScript | jQuery.sap.encodeJS(sValue) |
URL | jQuery.sap.encodeURL(sValue) |
CSS | jQuery.sap.encodeCSS(sValue) |
Configuration parameters:
Global_app_config/session_config/sessionTimeout = 900: session timeout.
SystemCookiesDataProtection = true: sets the HttpOnly flag on system cookies, so that logon tickets cannot be read by script (XSS).
ume.logon.httponlycookie = True: HttpOnly for the logon ticket cookie used for Single Sign-On on the J2EE Engine; with True the cookie is not readable through document.cookie (for example by injected script).
SessionIPProtectionEnabled = True: binds the session to the client IP address; with True, HTTP requests for the session from another IP address are rejected.
Logging parameters:
LogCLF = TRUE in http.properties: logging in CEF format.
ArchiveOldLogFiles = ON (in the Log Configurator).
HttpTrace = Enable: HTTP tracing; set in the ConfigTool under the HTTP Provider Service.
SAP HANA XS
XSS protection in SAP HANA.
SAP HANA applications use SAPUI5.
SAPUI5 control properties are typed (an int property accepts only an int; the check is in sap.ui.core), and output is encoded for HTML.
Configuration parameters:
sessiontimeout = 900: session timeout.
HttpOnly flag on cookies.
Logging: HTTP(S) request logging in SAP HANA is configured with icm/http/logging_0; auditing is switched on with global_auditing_state = true in global.ini, and its status is shown under SAP HANA Administration Console -> Security HDB -> Auditing Status.
(chipik)
Additional information:
Logging
ABAP protection: SAP Encoding Functions for AS ABAP
Java protection: SAP Encoding Functions for AS Java and JavaScript, Prevention of Cross-site Scripting
SAP HANA protection
Protecting SAP® Applications Based on Java and ABAP™ Against Common Attacks
<%@page language="abap" forceEncode="html"%>
<% data: inputvalue type string.
inputvalue = request->get_form_field( 'x' ).
%>
</html>
. , ( ):
<%html=...%>: HTML <%url=...%>: URL URL <%javascript=...%>: JavaScript <%css=…%> : CSS <%raw=...%> ( , , , )
BSP
BSP HTMLB forceEncode <htmlb:content> ENABLED , ( ). ENABLED , , :<htmlb:content forceEncode="ENABLED|BACKWARDS_COMPATIBLE">
ENABLED: . , ; BACKWARDS_COMPATIBLE: . , .
, htmlb:content , . : CLASSIC, DESIGN2002, DESIGN2003, DESIGN2008, , (+). CLASSIC DESIGN2002 (, ) .
<htmlb:content forceEncode="ENABLED" design="DESIGN2003+DESIGN2008">
, design=CLASSIC. .
Mixed BSP- HTML HTMLB
forceEncode BSP page forceEncode HTMLB . , – HTMLB. , , HTML BSP,
Internet Transaction Server (ITS) HTML Business
Internet Transaction Server (ITS) HTML Business, :
xss_url_escape() xss_html_escape() xss_wml_escape() xss_css_escape() xss_js_escape()
HTML Business
, HTML-: , (`) , :
~auto_html_escaping=1: , ~new_xss_functions=1: XSS.
~html_escaping_off=1/0, .
, , SAP_BASIS:
ITS ( <= 6.40), Internet Service SE80. ITS ( >= 6.40), GUI SICF :
7.20, ~new_xss_functions, XSS- .
, , , . ~html_escaping_off=”X”, . , . SAP Security Note 1488500.
Business HTML (BHTML)
HTMLBusiness Template Library (, SAP_TemplateNonEditableField()) . , . SAP Security Note 916255.
, . , .
, XSS-:
http/security_session_timeout = 900; - , . icf/set_HTTPonly_flag_on_cookies = 0; HttpOnly , - , , . HTTPOnly, Logon tickets XSS-.
, RZ10, ( Profile) (, DEFAULT.PFL, SAP-). , , , Extended maintenance . , Copy.
, , - , - -, :
icm/HTTP/logging_0 icm/security_log ,
SAP NetWeaver J2EE
SAP NetWeaver J2EE
AS Java tc_sec_csi.jar. , HTML/XML, JavaScript, CSS URL. StringUtils (com.sap.security.core.server.csi.util.StringUtils):
. Securing SAP from XSS vulnerabilities
escapeScriptEndTag(String pStr) - , javascript ; escapeToHTML(String input) – (. 1) escapeToJS(String input) – JS declaration ( . 5) escapeToURL(String input) – , URL ( 3). , 'disableScriptSignatures'. escapeToURL(StringBuffer sb, String input, int maxLength) - , URL ( 3). , 'disableScriptSignatures'. escapeToURL(String input, int maxLength) - , URL (. 3). , 'disableScriptSignatures'. urlEncode(String s) – URLEncoder.encode
, .
1 ( )
[CASE1]
Username [CASE1]
2 ( , – URL)
Click here
3 ( - URL)
4 ( SCRIPT', – )
5 ( – declaration )
XSSEncoder.
- XSSEncoder ( : com.sap.security.core.server.csi.XSSEncoder).
:
HTML / XML out = XSSEncoder.encodeHTML( in ) and XSSEncoder.encodeXML( val ); JavaScript out = XSSEncoder.encodeJavaScript( val ); URL out = XSSEncoder.encodeURL( val ); CSS out = XSSEncoder.encodeCSS( val );
, . SAP Security Note 1590008.
WebDynpro Java
WebDynpro Java, XSS. .
SAP UI Development Kit for HTML5
SAP UI Development Kit HTML5, jQuery /_core/src/main/js/jquery.sap.encoder.js.
:
HTML / XML jQuery.sap.encodeHTML(sValue) and jQuery.sap.encodeXML(sValue) JavaScript jQuery.sap.encodeJS(sValue) URL jQuery.sap.encodeURL(sValue) CSS jQuery.sap.encodeCSS(sValue)
:
, :
Global_app_config/session_config/sessionTimeout = 900. - , . SystemCookiesDataProtection = true. HttpOnly , - , , . HTTPOnly, Logon tickets XSS-. ume.logon.httponlycookie= True. Logon tickets , Single Sign-On J2EE Engine. “True” , HTTP document.cookie ( XSS-) . SessionIPProtectionEnabled = True. , IP . True, HTTP- IP. IP, .
, , - XSS-, - -, .
LogCLF = TRUE http.properties logging CEF. ArchiveOldLogFiles = ON. Log Configurator . . , . , . . HttpTrace= Enable. HTTP- , ConfigTool. HTTP Provider Service, , HttpTrace.
SAP HANA XS
, XSS- – SAP HANA.
SAP HANA SAPUI5.
- SAPUI5 , . , int int, sap.ui.core . – , HTML:
, :
sessiontimeout = 900. - , . HttpOnly .
, , - XSS-, - -, .
HTTP (S) , SAP HANA, -. - HTTP (S) , icm/http/logging _ 0: global _ auditing _ state = true. global.ini, . , , XSS-. SAP HANA Administration Console –> Security HDB –> Auditing Status menu.
- , XSS. , , - SAP . XSS- – SAP. SAP XSS-. XSS SAP.
, ( chipik ) .
Logging additional information ABAP protection SAP Encoding Functions for AS ABAP Java protection SAP Encoding Functions for AS Java and JavaScript Prevention of Cross-site Scripting SAP HANA protection Protecting SAP® Applications Based on Java and ABAP™ Against Common Attacks
<%@page language="abap" forceEncode="html"%>
<% data: inputvalue type string.
inputvalue = request->get_form_field( 'x' ).
%>
</html>
. , ( ):
<%html=...%>: HTML <%url=...%>: URL URL <%javascript=...%>: JavaScript <%css=…%> : CSS <%raw=...%> ( , , , )
BSP
BSP HTMLB forceEncode <htmlb:content> ENABLED , ( ). ENABLED , , :<htmlb:content forceEncode="ENABLED|BACKWARDS_COMPATIBLE">
ENABLED: . , ; BACKWARDS_COMPATIBLE: . , .
, htmlb:content , . : CLASSIC, DESIGN2002, DESIGN2003, DESIGN2008, , (+). CLASSIC DESIGN2002 (, ) .
<htmlb:content forceEncode="ENABLED" design="DESIGN2003+DESIGN2008">
, design=CLASSIC. .
Mixed BSP- HTML HTMLB
forceEncode BSP page forceEncode HTMLB . , – HTMLB. , , HTML BSP,
Internet Transaction Server (ITS) HTML Business
Internet Transaction Server (ITS) HTML Business, :
xss_url_escape() xss_html_escape() xss_wml_escape() xss_css_escape() xss_js_escape()
HTML Business
, HTML-: , (`) , :
~auto_html_escaping=1: , ~new_xss_functions=1: XSS.
~html_escaping_off=1/0, .
, , SAP_BASIS:
ITS ( <= 6.40), Internet Service SE80. ITS ( >= 6.40), GUI SICF :
7.20, ~new_xss_functions, XSS- .
, , , . ~html_escaping_off=”X”, . , . SAP Security Note 1488500.
Business HTML (BHTML)
HTMLBusiness Template Library (, SAP_TemplateNonEditableField()) . , . SAP Security Note 916255.
, . , .
, XSS-:
http/security_session_timeout = 900; - , . icf/set_HTTPonly_flag_on_cookies = 0; HttpOnly , - , , . HTTPOnly, Logon tickets XSS-.
, RZ10, ( Profile) (, DEFAULT.PFL, SAP-). , , , Extended maintenance . , Copy.
, , - , - -, :
icm/HTTP/logging_0 icm/security_log ,
SAP NetWeaver J2EE
SAP NetWeaver J2EE
AS Java tc_sec_csi.jar. , HTML/XML, JavaScript, CSS URL. StringUtils (com.sap.security.core.server.csi.util.StringUtils):
. Securing SAP from XSS vulnerabilities
escapeScriptEndTag(String pStr) - , javascript ; escapeToHTML(String input) – (. 1) escapeToJS(String input) – JS declaration ( . 5) escapeToURL(String input) – , URL ( 3). , 'disableScriptSignatures'. escapeToURL(StringBuffer sb, String input, int maxLength) - , URL ( 3). , 'disableScriptSignatures'. escapeToURL(String input, int maxLength) - , URL (. 3). , 'disableScriptSignatures'. urlEncode(String s) – URLEncoder.encode
, .
1 ( )
[CASE1]
Username [CASE1]
2 ( , – URL)
Click here
3 ( - URL)
4 ( SCRIPT', – )
5 ( – declaration )
XSSEncoder.
- XSSEncoder ( : com.sap.security.core.server.csi.XSSEncoder).
:
HTML / XML out = XSSEncoder.encodeHTML( in ) and XSSEncoder.encodeXML( val ); JavaScript out = XSSEncoder.encodeJavaScript( val ); URL out = XSSEncoder.encodeURL( val ); CSS out = XSSEncoder.encodeCSS( val );
, . SAP Security Note 1590008.
WebDynpro Java
WebDynpro Java, XSS. .
SAP UI Development Kit for HTML5
SAP UI Development Kit HTML5, jQuery /_core/src/main/js/jquery.sap.encoder.js.
:
HTML / XML jQuery.sap.encodeHTML(sValue) and jQuery.sap.encodeXML(sValue) JavaScript jQuery.sap.encodeJS(sValue) URL jQuery.sap.encodeURL(sValue) CSS jQuery.sap.encodeCSS(sValue)
:
, :
Global_app_config/session_config/sessionTimeout = 900. - , . SystemCookiesDataProtection = true. HttpOnly , - , , . HTTPOnly, Logon tickets XSS-. ume.logon.httponlycookie= True. Logon tickets , Single Sign-On J2EE Engine. “True” , HTTP document.cookie ( XSS-) . SessionIPProtectionEnabled = True. , IP . True, HTTP- IP. IP, .
, , - XSS-, - -, .
LogCLF = TRUE http.properties logging CEF. ArchiveOldLogFiles = ON. Log Configurator . . , . , . . HttpTrace= Enable. HTTP- , ConfigTool. HTTP Provider Service, , HttpTrace.
SAP HANA XS
, XSS- – SAP HANA.
SAP HANA SAPUI5.
- SAPUI5 , . , int int, sap.ui.core . – , HTML:
, :
sessiontimeout = 900. - , . HttpOnly .
, , - XSS-, - -, .
HTTP (S) , SAP HANA, -. - HTTP (S) , icm/http/logging _ 0: global _ auditing _ state = true. global.ini, . , , XSS-. SAP HANA Administration Console –> Security HDB –> Auditing Status menu.
- , XSS. , , - SAP . XSS- – SAP. SAP XSS-. XSS SAP.
, ( chipik ) .
Logging additional information ABAP protection SAP Encoding Functions for AS ABAP Java protection SAP Encoding Functions for AS Java and JavaScript Prevention of Cross-site Scripting SAP HANA protection Protecting SAP® Applications Based on Java and ABAP™ Against Common Attacks
<%@page language="abap" forceEncode="html"%>
<% data: inputvalue type string.
inputvalue = request->get_form_field( 'x' ).
%>
</html>
. , ( ):
<%html=...%>: HTML <%url=...%>: URL URL <%javascript=...%>: JavaScript <%css=…%> : CSS <%raw=...%> ( , , , )
BSP
BSP HTMLB forceEncode <htmlb:content> ENABLED , ( ). ENABLED , , :<htmlb:content forceEncode="ENABLED|BACKWARDS_COMPATIBLE">
ENABLED: . , ; BACKWARDS_COMPATIBLE: . , .
, htmlb:content , . : CLASSIC, DESIGN2002, DESIGN2003, DESIGN2008, , (+). CLASSIC DESIGN2002 (, ) .
<htmlb:content forceEncode="ENABLED" design="DESIGN2003+DESIGN2008">
, design=CLASSIC. .
Mixed BSP- HTML HTMLB
forceEncode BSP page forceEncode HTMLB . , – HTMLB. , , HTML BSP,
Internet Transaction Server (ITS) HTML Business
Internet Transaction Server (ITS) HTML Business, :
xss_url_escape() xss_html_escape() xss_wml_escape() xss_css_escape() xss_js_escape()
HTML Business
, HTML-: , (`) , :
~auto_html_escaping=1: , ~new_xss_functions=1: XSS.
~html_escaping_off=1/0, .
, , SAP_BASIS:
ITS ( <= 6.40), Internet Service SE80. ITS ( >= 6.40), GUI SICF :
7.20, ~new_xss_functions, XSS- .
, , , . ~html_escaping_off=”X”, . , . SAP Security Note 1488500.
Business HTML (BHTML)
HTMLBusiness Template Library (, SAP_TemplateNonEditableField()) . , . SAP Security Note 916255.
, . , .
, XSS-:
http/security_session_timeout = 900; - , . icf/set_HTTPonly_flag_on_cookies = 0; HttpOnly , - , , . HTTPOnly, Logon tickets XSS-.
, RZ10, ( Profile) (, DEFAULT.PFL, SAP-). , , , Extended maintenance . , Copy.
, , - , - -, :
icm/HTTP/logging_0 icm/security_log ,
SAP NetWeaver J2EE
SAP NetWeaver J2EE
AS Java tc_sec_csi.jar. , HTML/XML, JavaScript, CSS URL. StringUtils (com.sap.security.core.server.csi.util.StringUtils):
. Securing SAP from XSS vulnerabilities
escapeScriptEndTag(String pStr) - , javascript ; escapeToHTML(String input) – (. 1) escapeToJS(String input) – JS declaration ( . 5) escapeToURL(String input) – , URL ( 3). , 'disableScriptSignatures'. escapeToURL(StringBuffer sb, String input, int maxLength) - , URL ( 3). , 'disableScriptSignatures'. escapeToURL(String input, int maxLength) - , URL (. 3). , 'disableScriptSignatures'. urlEncode(String s) – URLEncoder.encode
, .
1 ( )
[CASE1]
Username [CASE1]
2 ( , – URL)
Click here
3 ( - URL)
4 ( SCRIPT', – )
5 ( – declaration )
XSSEncoder.
- XSSEncoder ( : com.sap.security.core.server.csi.XSSEncoder).
:
HTML / XML out = XSSEncoder.encodeHTML( in ) and XSSEncoder.encodeXML( val ); JavaScript out = XSSEncoder.encodeJavaScript( val ); URL out = XSSEncoder.encodeURL( val ); CSS out = XSSEncoder.encodeCSS( val );
, . SAP Security Note 1590008.
WebDynpro Java
WebDynpro Java, XSS. .
SAP UI Development Kit for HTML5
SAP UI Development Kit HTML5, jQuery /_core/src/main/js/jquery.sap.encoder.js.
:
HTML / XML jQuery.sap.encodeHTML(sValue) and jQuery.sap.encodeXML(sValue) JavaScript jQuery.sap.encodeJS(sValue) URL jQuery.sap.encodeURL(sValue) CSS jQuery.sap.encodeCSS(sValue)
:
, :
Global_app_config/session_config/sessionTimeout = 900. - , . SystemCookiesDataProtection = true. HttpOnly , - , , . HTTPOnly, Logon tickets XSS-. ume.logon.httponlycookie= True. Logon tickets , Single Sign-On J2EE Engine. “True” , HTTP document.cookie ( XSS-) . SessionIPProtectionEnabled = True. , IP . True, HTTP- IP. IP, .
, , - XSS-, - -, .
LogCLF = TRUE http.properties logging CEF. ArchiveOldLogFiles = ON. Log Configurator . . , . , . . HttpTrace= Enable. HTTP- , ConfigTool. HTTP Provider Service, , HttpTrace.
SAP HANA XS
, XSS- – SAP HANA.
SAP HANA SAPUI5.
- SAPUI5 , . , int int, sap.ui.core . – , HTML:
, :
sessiontimeout = 900. - , . HttpOnly .
, , - XSS-, - -, .
HTTP (S) , SAP HANA, -. - HTTP (S) , icm/http/logging _ 0: global _ auditing _ state = true. global.ini, . , , XSS-. SAP HANA Administration Console –> Security HDB –> Auditing Status menu.
- , XSS. , , - SAP . XSS- – SAP. SAP XSS-. XSS SAP.
, ( chipik ) .
Logging additional information ABAP protection SAP Encoding Functions for AS ABAP Java protection SAP Encoding Functions for AS Java and JavaScript Prevention of Cross-site Scripting SAP HANA protection Protecting SAP® Applications Based on Java and ABAP™ Against Common Attacks
<%@page language="abap" forceEncode="html"%>
<% data: inputvalue type string.
inputvalue = request->get_form_field( 'x' ).
%>
</html>
. , ( ):
<%html=...%>: HTML <%url=...%>: URL URL <%javascript=...%>: JavaScript <%css=…%> : CSS <%raw=...%> ( , , , )
BSP
BSP HTMLB forceEncode <htmlb:content> ENABLED , ( ). ENABLED , , :<htmlb:content forceEncode="ENABLED|BACKWARDS_COMPATIBLE">
ENABLED: . , ; BACKWARDS_COMPATIBLE: . , .
, htmlb:content , . : CLASSIC, DESIGN2002, DESIGN2003, DESIGN2008, , (+). CLASSIC DESIGN2002 (, ) .
<htmlb:content forceEncode="ENABLED" design="DESIGN2003+DESIGN2008">
, design=CLASSIC. .
Mixed BSP- HTML HTMLB
forceEncode BSP page forceEncode HTMLB . , – HTMLB. , , HTML BSP,
Internet Transaction Server (ITS) HTML Business
Internet Transaction Server (ITS) HTML Business, :
xss_url_escape() xss_html_escape() xss_wml_escape() xss_css_escape() xss_js_escape()
HTML Business
, HTML-: , (`) , :
~auto_html_escaping=1: , ~new_xss_functions=1: XSS.
~html_escaping_off=1/0, .
, , SAP_BASIS:
ITS ( <= 6.40), Internet Service SE80. ITS ( >= 6.40), GUI SICF :
7.20, ~new_xss_functions, XSS- .
, , , . ~html_escaping_off=”X”, . , . SAP Security Note 1488500.
Business HTML (BHTML)
HTMLBusiness Template Library (, SAP_TemplateNonEditableField()) . , . SAP Security Note 916255.
, . , .
, XSS-:
http/security_session_timeout = 900; - , . icf/set_HTTPonly_flag_on_cookies = 0; HttpOnly , - , , . HTTPOnly, Logon tickets XSS-.
, RZ10, ( Profile) (, DEFAULT.PFL, SAP-). , , , Extended maintenance . , Copy.
, , - , - -, :
icm/HTTP/logging_0 icm/security_log ,
SAP NetWeaver J2EE
SAP NetWeaver J2EE
AS Java tc_sec_csi.jar. , HTML/XML, JavaScript, CSS URL. StringUtils (com.sap.security.core.server.csi.util.StringUtils):
. Securing SAP from XSS vulnerabilities
escapeScriptEndTag(String pStr) - , javascript ; escapeToHTML(String input) – (. 1) escapeToJS(String input) – JS declaration ( . 5) escapeToURL(String input) – , URL ( 3). , 'disableScriptSignatures'. escapeToURL(StringBuffer sb, String input, int maxLength) - , URL ( 3). , 'disableScriptSignatures'. escapeToURL(String input, int maxLength) - , URL (. 3). , 'disableScriptSignatures'. urlEncode(String s) – URLEncoder.encode
, .
1 ( )
[CASE1]
Username [CASE1]
2 ( , – URL)
Click here
3 ( - URL)
4 ( SCRIPT', – )
5 ( – declaration )
XSSEncoder.
- XSSEncoder ( : com.sap.security.core.server.csi.XSSEncoder).
:
HTML / XML out = XSSEncoder.encodeHTML( in ) and XSSEncoder.encodeXML( val ); JavaScript out = XSSEncoder.encodeJavaScript( val ); URL out = XSSEncoder.encodeURL( val ); CSS out = XSSEncoder.encodeCSS( val );
, . SAP Security Note 1590008.
WebDynpro Java
WebDynpro Java, XSS. .
SAP UI Development Kit for HTML5
SAP UI Development Kit HTML5, jQuery /_core/src/main/js/jquery.sap.encoder.js.
:
HTML / XML jQuery.sap.encodeHTML(sValue) and jQuery.sap.encodeXML(sValue) JavaScript jQuery.sap.encodeJS(sValue) URL jQuery.sap.encodeURL(sValue) CSS jQuery.sap.encodeCSS(sValue)
:
, :
Global_app_config/session_config/sessionTimeout = 900. - , . SystemCookiesDataProtection = true. HttpOnly , - , , . HTTPOnly, Logon tickets XSS-. ume.logon.httponlycookie= True. Logon tickets , Single Sign-On J2EE Engine. “True” , HTTP document.cookie ( XSS-) . SessionIPProtectionEnabled = True. , IP . True, HTTP- IP. IP, .
, , - XSS-, - -, .
LogCLF = TRUE http.properties logging CEF. ArchiveOldLogFiles = ON. Log Configurator . . , . , . . HttpTrace= Enable. HTTP- , ConfigTool. HTTP Provider Service, , HttpTrace.
SAP HANA XS
, XSS- – SAP HANA.
SAP HANA SAPUI5.
- SAPUI5 , . , int int, sap.ui.core . – , HTML:
, :
sessiontimeout = 900. - , . HttpOnly .
, , - XSS-, - -, .
HTTP (S) , SAP HANA, -. - HTTP (S) , icm/http/logging _ 0: global _ auditing _ state = true. global.ini, . , , XSS-. SAP HANA Administration Console –> Security HDB –> Auditing Status menu.
- , XSS. , , - SAP . XSS- – SAP. SAP XSS-. XSS SAP.
, ( chipik ) .
Logging additional information ABAP protection SAP Encoding Functions for AS ABAP Java protection SAP Encoding Functions for AS Java and JavaScript Prevention of Cross-site Scripting SAP HANA protection Protecting SAP® Applications Based on Java and ABAP™ Against Common Attacks
<%@page language="abap" forceEncode="html"%>
<% data: inputvalue type string.
inputvalue = request->get_form_field( 'x' ).
%>
</html>
. , ( ):
<%html=...%>: HTML <%url=...%>: URL URL <%javascript=...%>: JavaScript <%css=…%> : CSS <%raw=...%> ( , , , )
BSP
BSP HTMLB forceEncode <htmlb:content> ENABLED , ( ). ENABLED , , :<htmlb:content forceEncode="ENABLED|BACKWARDS_COMPATIBLE">
ENABLED: . , ; BACKWARDS_COMPATIBLE: . , .
, htmlb:content , . : CLASSIC, DESIGN2002, DESIGN2003, DESIGN2008, , (+). CLASSIC DESIGN2002 (, ) .
<htmlb:content forceEncode="ENABLED" design="DESIGN2003+DESIGN2008">
, design=CLASSIC. .
Mixed BSP- HTML HTMLB
forceEncode BSP page forceEncode HTMLB . , – HTMLB. , , HTML BSP,
Internet Transaction Server (ITS) HTML Business
Internet Transaction Server (ITS) HTML Business, :
xss_url_escape() xss_html_escape() xss_wml_escape() xss_css_escape() xss_js_escape()
HTML Business
, HTML-: , (`) , :
~auto_html_escaping=1: , ~new_xss_functions=1: XSS.
~html_escaping_off=1/0, .
, , SAP_BASIS:
ITS ( <= 6.40), Internet Service SE80. ITS ( >= 6.40), GUI SICF :
7.20, ~new_xss_functions, XSS- .
, , , . ~html_escaping_off=”X”, . , . SAP Security Note 1488500.
Business HTML (BHTML)
HTMLBusiness Template Library (, SAP_TemplateNonEditableField()) . , . SAP Security Note 916255.
, . , .
, XSS-:
http/security_session_timeout = 900; - , . icf/set_HTTPonly_flag_on_cookies = 0; HttpOnly , - , , . HTTPOnly, Logon tickets XSS-.
, RZ10, ( Profile) (, DEFAULT.PFL, SAP-). , , , Extended maintenance . , Copy.
, , - , - -, :
icm/HTTP/logging_0 icm/security_log ,
SAP NetWeaver J2EE
SAP NetWeaver J2EE
AS Java tc_sec_csi.jar. , HTML/XML, JavaScript, CSS URL. StringUtils (com.sap.security.core.server.csi.util.StringUtils):
. Securing SAP from XSS vulnerabilities
escapeScriptEndTag(String pStr) - , javascript ; escapeToHTML(String input) – (. 1) escapeToJS(String input) – JS declaration ( . 5) escapeToURL(String input) – , URL ( 3). , 'disableScriptSignatures'. escapeToURL(StringBuffer sb, String input, int maxLength) - , URL ( 3). , 'disableScriptSignatures'. escapeToURL(String input, int maxLength) - , URL (. 3). , 'disableScriptSignatures'. urlEncode(String s) – URLEncoder.encode
, .
1 ( )
[CASE1]
Username [CASE1]
2 ( , – URL)
Click here
3 ( - URL)
4 ( SCRIPT', – )
5 ( – declaration )
XSSEncoder.
- XSSEncoder ( : com.sap.security.core.server.csi.XSSEncoder).
:
HTML / XML out = XSSEncoder.encodeHTML( in ) and XSSEncoder.encodeXML( val ); JavaScript out = XSSEncoder.encodeJavaScript( val ); URL out = XSSEncoder.encodeURL( val ); CSS out = XSSEncoder.encodeCSS( val );
, . SAP Security Note 1590008.
WebDynpro Java
WebDynpro Java, XSS. .
SAP UI Development Kit for HTML5
SAP UI Development Kit HTML5, jQuery /_core/src/main/js/jquery.sap.encoder.js.
:
HTML / XML jQuery.sap.encodeHTML(sValue) and jQuery.sap.encodeXML(sValue) JavaScript jQuery.sap.encodeJS(sValue) URL jQuery.sap.encodeURL(sValue) CSS jQuery.sap.encodeCSS(sValue)
:
, :
Global_app_config/session_config/sessionTimeout = 900. - , . SystemCookiesDataProtection = true. HttpOnly , - , , . HTTPOnly, Logon tickets XSS-. ume.logon.httponlycookie= True. Logon tickets , Single Sign-On J2EE Engine. “True” , HTTP document.cookie ( XSS-) . SessionIPProtectionEnabled = True. , IP . True, HTTP- IP. IP, .
, , - XSS-, - -, .
LogCLF = TRUE http.properties logging CEF. ArchiveOldLogFiles = ON. Log Configurator . . , . , . . HttpTrace= Enable. HTTP- , ConfigTool. HTTP Provider Service, , HttpTrace.
SAP HANA XS
, XSS- – SAP HANA.
SAP HANA SAPUI5.
- SAPUI5 , . , int int, sap.ui.core . – , HTML:
, :
sessiontimeout = 900. - , . HttpOnly .
, , - XSS-, - -, .
HTTP (S) , SAP HANA, -. - HTTP (S) , icm/http/logging _ 0: global _ auditing _ state = true. global.ini, . , , XSS-. SAP HANA Administration Console –> Security HDB –> Auditing Status menu.
- , XSS. , , - SAP . XSS- – SAP. SAP XSS-. XSS SAP.
, ( chipik ) .
Logging additional information ABAP protection SAP Encoding Functions for AS ABAP Java protection SAP Encoding Functions for AS Java and JavaScript Prevention of Cross-site Scripting SAP HANA protection Protecting SAP® Applications Based on Java and ABAP™ Against Common Attacks
<%@page language="abap" forceEncode="html"%>
<% data: inputvalue type string.
inputvalue = request->get_form_field( 'x' ).
%>
</html>
. , ( ):
<%html=...%>: HTML <%url=...%>: URL URL <%javascript=...%>: JavaScript <%css=…%> : CSS <%raw=...%> ( , , , )
BSP
BSP HTMLB forceEncode <htmlb:content> ENABLED , ( ). ENABLED , , :<htmlb:content forceEncode="ENABLED|BACKWARDS_COMPATIBLE">
ENABLED: . , ; BACKWARDS_COMPATIBLE: . , .
, htmlb:content , . : CLASSIC, DESIGN2002, DESIGN2003, DESIGN2008, , (+). CLASSIC DESIGN2002 (, ) .
<htmlb:content forceEncode="ENABLED" design="DESIGN2003+DESIGN2008">
, design=CLASSIC. .
Mixed BSP- HTML HTMLB
forceEncode BSP page forceEncode HTMLB . , – HTMLB. , , HTML BSP,
Internet Transaction Server (ITS) HTML Business
Internet Transaction Server (ITS) HTML Business, :
xss_url_escape() xss_html_escape() xss_wml_escape() xss_css_escape() xss_js_escape()
HTML Business
, HTML-: , (`) , :
~auto_html_escaping=1: , ~new_xss_functions=1: XSS.
~html_escaping_off=1/0, .
, , SAP_BASIS:
ITS ( <= 6.40), Internet Service SE80. ITS ( >= 6.40), GUI SICF :
7.20, ~new_xss_functions, XSS- .
, , , . ~html_escaping_off=”X”, . , . SAP Security Note 1488500.
Business HTML (BHTML)
HTMLBusiness Template Library (, SAP_TemplateNonEditableField()) . , . SAP Security Note 916255.
, . , .
, XSS-:
http/security_session_timeout = 900; - , . icf/set_HTTPonly_flag_on_cookies = 0; HttpOnly , - , , . HTTPOnly, Logon tickets XSS-.
, RZ10, ( Profile) (, DEFAULT.PFL, SAP-). , , , Extended maintenance . , Copy.
, , - , - -, :
icm/HTTP/logging_0 icm/security_log ,
SAP NetWeaver J2EE
SAP NetWeaver J2EE
AS Java tc_sec_csi.jar. , HTML/XML, JavaScript, CSS URL. StringUtils (com.sap.security.core.server.csi.util.StringUtils):
. Securing SAP from XSS vulnerabilities
escapeScriptEndTag(String pStr) - , javascript ; escapeToHTML(String input) – (. 1) escapeToJS(String input) – JS declaration ( . 5) escapeToURL(String input) – , URL ( 3). , 'disableScriptSignatures'. escapeToURL(StringBuffer sb, String input, int maxLength) - , URL ( 3). , 'disableScriptSignatures'. escapeToURL(String input, int maxLength) - , URL (. 3). , 'disableScriptSignatures'. urlEncode(String s) – URLEncoder.encode
, .
1 ( )
[CASE1]
Username [CASE1]
2 ( , – URL)
Click here
3 ( - URL)
4 ( SCRIPT', – )
5 ( – declaration )
XSSEncoder.
- XSSEncoder ( : com.sap.security.core.server.csi.XSSEncoder).
:
HTML / XML out = XSSEncoder.encodeHTML( in ) and XSSEncoder.encodeXML( val ); JavaScript out = XSSEncoder.encodeJavaScript( val ); URL out = XSSEncoder.encodeURL( val ); CSS out = XSSEncoder.encodeCSS( val );
, . SAP Security Note 1590008.
WebDynpro Java
WebDynpro Java, XSS. .
SAP UI Development Kit for HTML5
SAP UI Development Kit HTML5, jQuery /_core/src/main/js/jquery.sap.encoder.js.
:
HTML / XML jQuery.sap.encodeHTML(sValue) and jQuery.sap.encodeXML(sValue) JavaScript jQuery.sap.encodeJS(sValue) URL jQuery.sap.encodeURL(sValue) CSS jQuery.sap.encodeCSS(sValue)
:
, :
Global_app_config/session_config/sessionTimeout = 900. - , . SystemCookiesDataProtection = true. HttpOnly , - , , . HTTPOnly, Logon tickets XSS-. ume.logon.httponlycookie= True. Logon tickets , Single Sign-On J2EE Engine. “True” , HTTP document.cookie ( XSS-) . SessionIPProtectionEnabled = True. , IP . True, HTTP- IP. IP, .
, , - XSS-, - -, .
LogCLF = TRUE http.properties logging CEF. ArchiveOldLogFiles = ON. Log Configurator . . , . , . . HttpTrace= Enable. HTTP- , ConfigTool. HTTP Provider Service, , HttpTrace.
SAP HANA XS
, XSS- – SAP HANA.
SAP HANA SAPUI5.
- SAPUI5 , . , int int, sap.ui.core . – , HTML:
, :
sessiontimeout = 900. - , . HttpOnly .
, , - XSS-, - -, .
HTTP (S) , SAP HANA, -. - HTTP (S) , icm/http/logging _ 0: global _ auditing _ state = true. global.ini, . , , XSS-. SAP HANA Administration Console –> Security HDB –> Auditing Status menu.
- , XSS. , , - SAP . XSS- – SAP. SAP XSS-. XSS SAP.
, ( chipik ) .
Logging additional information ABAP protection SAP Encoding Functions for AS ABAP Java protection SAP Encoding Functions for AS Java and JavaScript Prevention of Cross-site Scripting SAP HANA protection Protecting SAP® Applications Based on Java and ABAP™ Against Common Attacks
<%@page language="abap" forceEncode="html"%>
<% data: inputvalue type string.
inputvalue = request->get_form_field( 'x' ).
%>
</html>
. , ( ):
<%html=...%>: HTML <%url=...%>: URL URL <%javascript=...%>: JavaScript <%css=…%> : CSS <%raw=...%> ( , , , )
BSP
BSP HTMLB forceEncode <htmlb:content> ENABLED , ( ). ENABLED , , :<htmlb:content forceEncode="ENABLED|BACKWARDS_COMPATIBLE">
ENABLED: . , ; BACKWARDS_COMPATIBLE: . , .
, htmlb:content , . : CLASSIC, DESIGN2002, DESIGN2003, DESIGN2008, , (+). CLASSIC DESIGN2002 (, ) .
<htmlb:content forceEncode="ENABLED" design="DESIGN2003+DESIGN2008">
, design=CLASSIC. .
Mixed BSP- HTML HTMLB
forceEncode BSP page forceEncode HTMLB . , – HTMLB. , , HTML BSP,
Internet Transaction Server (ITS) HTML Business
Internet Transaction Server (ITS) HTML Business, :
xss_url_escape() xss_html_escape() xss_wml_escape() xss_css_escape() xss_js_escape()
HTML Business
, HTML-: , (`) , :
~auto_html_escaping=1: , ~new_xss_functions=1: XSS.
~html_escaping_off=1/0, .
, , SAP_BASIS:
ITS ( <= 6.40), Internet Service SE80. ITS ( >= 6.40), GUI SICF :
7.20, ~new_xss_functions, XSS- .
, , , . ~html_escaping_off=”X”, . , . SAP Security Note 1488500.
Business HTML (BHTML)
HTMLBusiness Template Library (, SAP_TemplateNonEditableField()) . , . SAP Security Note 916255.
, . , .
, XSS-:
http/security_session_timeout = 900; - , . icf/set_HTTPonly_flag_on_cookies = 0; HttpOnly , - , , . HTTPOnly, Logon tickets XSS-.
, RZ10, ( Profile) (, DEFAULT.PFL, SAP-). , , , Extended maintenance . , Copy.
, , - , - -, :
icm/HTTP/logging_0 icm/security_log ,
SAP NetWeaver J2EE
SAP NetWeaver J2EE
AS Java tc_sec_csi.jar. , HTML/XML, JavaScript, CSS URL. StringUtils (com.sap.security.core.server.csi.util.StringUtils):
. Securing SAP from XSS vulnerabilities
escapeScriptEndTag(String pStr) - , javascript ; escapeToHTML(String input) – (. 1) escapeToJS(String input) – JS declaration ( . 5) escapeToURL(String input) – , URL ( 3). , 'disableScriptSignatures'. escapeToURL(StringBuffer sb, String input, int maxLength) - , URL ( 3). , 'disableScriptSignatures'. escapeToURL(String input, int maxLength) - , URL (. 3). , 'disableScriptSignatures'. urlEncode(String s) – URLEncoder.encode
, .
1 ( )
[CASE1]
Username [CASE1]
2 ( , – URL)
Click here
3 ( - URL)
4 ( SCRIPT', – )
5 ( – declaration )
XSSEncoder.
- XSSEncoder ( : com.sap.security.core.server.csi.XSSEncoder).
:
HTML / XML out = XSSEncoder.encodeHTML( in ) and XSSEncoder.encodeXML( val ); JavaScript out = XSSEncoder.encodeJavaScript( val ); URL out = XSSEncoder.encodeURL( val ); CSS out = XSSEncoder.encodeCSS( val );
, . SAP Security Note 1590008.
WebDynpro Java
WebDynpro Java, XSS. .
SAP UI Development Kit for HTML5
SAP UI Development Kit HTML5, jQuery /_core/src/main/js/jquery.sap.encoder.js.
:
HTML / XML jQuery.sap.encodeHTML(sValue) and jQuery.sap.encodeXML(sValue) JavaScript jQuery.sap.encodeJS(sValue) URL jQuery.sap.encodeURL(sValue) CSS jQuery.sap.encodeCSS(sValue)
:
, :
Global_app_config/session_config/sessionTimeout = 900. - , .
SystemCookiesDataProtection = true. HttpOnly , - , , . HTTPOnly, Logon tickets XSS-.
ume.logon.httponlycookie = True. Logon tickets , Single Sign-On J2EE Engine. “True” , HTTP document.cookie ( XSS-) .
SessionIPProtectionEnabled = True. , IP . True, HTTP- IP. IP, .
, , - XSS-, - -, .
LogCLF = TRUE. http.properties logging CEF.
ArchiveOldLogFiles = ON. Log Configurator . . , . , . .
HttpTrace = Enable. HTTP- , ConfigTool. HTTP Provider Service, , HttpTrace.
SAP HANA XS
, XSS- – SAP HANA.
SAP HANA SAPUI5.
- SAPUI5 , . , int int, sap.ui.core . – , HTML:
, :
sessiontimeout = 900. - , . HttpOnly .
, , - XSS-, - -, .
HTTP (S) , SAP HANA, -. - HTTP (S) , icm/http/logging _ 0: global _ auditing _ state = true. global.ini, . , , XSS-. SAP HANA Administration Console –> Security HDB –> Auditing Status menu.
- , XSS. , , - SAP . XSS- – SAP. SAP XSS-. XSS SAP.
, ( chipik ) .
Logging additional information
ABAP protection: SAP Encoding Functions for AS ABAP
Java protection: SAP Encoding Functions for AS Java and JavaScript
Prevention of Cross-site Scripting
SAP HANA protection
Protecting SAP® Applications Based on Java and ABAP™ Against Common Attacks
<%@page language="abap" forceEncode="html"%>
<% data: inputvalue type string.
inputvalue = request->get_form_field( 'x' ).
%>
</html>
. , ( ):
<%html=...%>: HTML <%url=...%>: URL URL <%javascript=...%>: JavaScript <%css=…%> : CSS <%raw=...%> ( , , , )
BSP
BSP HTMLB forceEncode <htmlb:content> ENABLED , ( ). ENABLED , , :<htmlb:content forceEncode="ENABLED|BACKWARDS_COMPATIBLE">
ENABLED: . , ; BACKWARDS_COMPATIBLE: . , .
, htmlb:content , . : CLASSIC, DESIGN2002, DESIGN2003, DESIGN2008, , (+). CLASSIC DESIGN2002 (, ) .
<htmlb:content forceEncode="ENABLED" design="DESIGN2003+DESIGN2008">
, design=CLASSIC. .
Mixed BSP- HTML HTMLB
forceEncode BSP page forceEncode HTMLB . , – HTMLB. , , HTML BSP,
Internet Transaction Server (ITS) HTML Business
Internet Transaction Server (ITS) HTML Business, :
xss_url_escape() xss_html_escape() xss_wml_escape() xss_css_escape() xss_js_escape()
HTML Business
, HTML-: , (`) , :
~auto_html_escaping=1: , ~new_xss_functions=1: XSS.
~html_escaping_off=1/0, .
, , SAP_BASIS:
ITS ( <= 6.40), Internet Service SE80. ITS ( >= 6.40), GUI SICF :
7.20, ~new_xss_functions, XSS- .
, , , . ~html_escaping_off=”X”, . , . SAP Security Note 1488500.
Business HTML (BHTML)
HTMLBusiness Template Library (, SAP_TemplateNonEditableField()) . , . SAP Security Note 916255.
, . , .
, XSS-:
http/security_session_timeout = 900; - , . icf/set_HTTPonly_flag_on_cookies = 0; HttpOnly , - , , . HTTPOnly, Logon tickets XSS-.
, RZ10, ( Profile) (, DEFAULT.PFL, SAP-). , , , Extended maintenance . , Copy.
, , - , - -, :
icm/HTTP/logging_0 icm/security_log ,
SAP NetWeaver J2EE
SAP NetWeaver J2EE
AS Java tc_sec_csi.jar. , HTML/XML, JavaScript, CSS URL. StringUtils (com.sap.security.core.server.csi.util.StringUtils):
. Securing SAP from XSS vulnerabilities
escapeScriptEndTag(String pStr) - , javascript ; escapeToHTML(String input) – (. 1) escapeToJS(String input) – JS declaration ( . 5) escapeToURL(String input) – , URL ( 3). , 'disableScriptSignatures'. escapeToURL(StringBuffer sb, String input, int maxLength) - , URL ( 3). , 'disableScriptSignatures'. escapeToURL(String input, int maxLength) - , URL (. 3). , 'disableScriptSignatures'. urlEncode(String s) – URLEncoder.encode
, .
1 ( )
[CASE1]
Username [CASE1]
2 ( , – URL)
Click here
3 ( - URL)
4 ( SCRIPT', – )
5 ( – declaration )
XSSEncoder.
- XSSEncoder ( : com.sap.security.core.server.csi.XSSEncoder).
:
HTML / XML out = XSSEncoder.encodeHTML( in ) and XSSEncoder.encodeXML( val ); JavaScript out = XSSEncoder.encodeJavaScript( val ); URL out = XSSEncoder.encodeURL( val ); CSS out = XSSEncoder.encodeCSS( val );
, . SAP Security Note 1590008.
WebDynpro Java
WebDynpro Java, XSS. .
SAP UI Development Kit for HTML5
SAP UI Development Kit HTML5, jQuery /_core/src/main/js/jquery.sap.encoder.js.
:
HTML / XML jQuery.sap.encodeHTML(sValue) and jQuery.sap.encodeXML(sValue) JavaScript jQuery.sap.encodeJS(sValue) URL jQuery.sap.encodeURL(sValue) CSS jQuery.sap.encodeCSS(sValue)
:
, :
Global_app_config/session_config/sessionTimeout = 900. - , . SystemCookiesDataProtection = true. HttpOnly , - , , . HTTPOnly, Logon tickets XSS-. ume.logon.httponlycookie= True. Logon tickets , Single Sign-On J2EE Engine. “True” , HTTP document.cookie ( XSS-) . SessionIPProtectionEnabled = True. , IP . True, HTTP- IP. IP, .
, , - XSS-, - -, .
LogCLF = TRUE http.properties logging CEF. ArchiveOldLogFiles = ON. Log Configurator . . , . , . . HttpTrace= Enable. HTTP- , ConfigTool. HTTP Provider Service, , HttpTrace.
SAP HANA XS
, XSS- – SAP HANA.
SAP HANA SAPUI5.
- SAPUI5 , . , int int, sap.ui.core . – , HTML:
, :
sessiontimeout = 900. - , . HttpOnly .
, , - XSS-, - -, .
HTTP (S) , SAP HANA, -. - HTTP (S) , icm/http/logging _ 0: global _ auditing _ state = true. global.ini, . , , XSS-. SAP HANA Administration Console –> Security HDB –> Auditing Status menu.
- , XSS. , , - SAP . XSS- – SAP. SAP XSS-. XSS SAP.
, ( chipik ) .
Logging additional information ABAP protection SAP Encoding Functions for AS ABAP Java protection SAP Encoding Functions for AS Java and JavaScript Prevention of Cross-site Scripting SAP HANA protection Protecting SAP® Applications Based on Java and ABAP™ Against Common Attacks
<%@page language="abap" forceEncode="html"%>
<% data: inputvalue type string.
inputvalue = request->get_form_field( 'x' ).
%>
</html>
. , ( ):
<%html=...%>: HTML <%url=...%>: URL URL <%javascript=...%>: JavaScript <%css=…%> : CSS <%raw=...%> ( , , , )
BSP
BSP HTMLB forceEncode <htmlb:content> ENABLED , ( ). ENABLED , , :<htmlb:content forceEncode="ENABLED|BACKWARDS_COMPATIBLE">
ENABLED: . , ; BACKWARDS_COMPATIBLE: . , .
, htmlb:content , . : CLASSIC, DESIGN2002, DESIGN2003, DESIGN2008, , (+). CLASSIC DESIGN2002 (, ) .
<htmlb:content forceEncode="ENABLED" design="DESIGN2003+DESIGN2008">
, design=CLASSIC. .
Mixed BSP- HTML HTMLB
forceEncode BSP page forceEncode HTMLB . , – HTMLB. , , HTML BSP,
Internet Transaction Server (ITS) HTML Business
Internet Transaction Server (ITS) HTML Business, :
xss_url_escape() xss_html_escape() xss_wml_escape() xss_css_escape() xss_js_escape()
HTML Business
, HTML-: , (`) , :
~auto_html_escaping=1: , ~new_xss_functions=1: XSS.
~html_escaping_off=1/0, .
, , SAP_BASIS:
ITS ( <= 6.40), Internet Service SE80. ITS ( >= 6.40), GUI SICF :
7.20, ~new_xss_functions, XSS- .
, , , . ~html_escaping_off=”X”, . , . SAP Security Note 1488500.
Business HTML (BHTML)
HTMLBusiness Template Library (, SAP_TemplateNonEditableField()) . , . SAP Security Note 916255.
, . , .
, XSS-:
http/security_session_timeout = 900; - , . icf/set_HTTPonly_flag_on_cookies = 0; HttpOnly , - , , . HTTPOnly, Logon tickets XSS-.
, RZ10, ( Profile) (, DEFAULT.PFL, SAP-). , , , Extended maintenance . , Copy.
, , - , - -, :
icm/HTTP/logging_0 icm/security_log ,
SAP NetWeaver J2EE
SAP NetWeaver J2EE
AS Java tc_sec_csi.jar. , HTML/XML, JavaScript, CSS URL. StringUtils (com.sap.security.core.server.csi.util.StringUtils):
. Securing SAP from XSS vulnerabilities
escapeScriptEndTag(String pStr) - , javascript ; escapeToHTML(String input) – (. 1) escapeToJS(String input) – JS declaration ( . 5) escapeToURL(String input) – , URL ( 3). , 'disableScriptSignatures'. escapeToURL(StringBuffer sb, String input, int maxLength) - , URL ( 3). , 'disableScriptSignatures'. escapeToURL(String input, int maxLength) - , URL (. 3). , 'disableScriptSignatures'. urlEncode(String s) – URLEncoder.encode
, .
1 ( )
[CASE1]
Username [CASE1]
2 ( , – URL)
Click here
3 ( - URL)
4 ( SCRIPT', – )
5 ( – declaration )
XSSEncoder.
- XSSEncoder ( : com.sap.security.core.server.csi.XSSEncoder).
:
HTML / XML out = XSSEncoder.encodeHTML( in ) and XSSEncoder.encodeXML( val ); JavaScript out = XSSEncoder.encodeJavaScript( val ); URL out = XSSEncoder.encodeURL( val ); CSS out = XSSEncoder.encodeCSS( val );
, . SAP Security Note 1590008.
WebDynpro Java
WebDynpro Java, XSS. .
SAP UI Development Kit for HTML5
SAP UI Development Kit HTML5, jQuery /_core/src/main/js/jquery.sap.encoder.js.
:
HTML / XML jQuery.sap.encodeHTML(sValue) and jQuery.sap.encodeXML(sValue) JavaScript jQuery.sap.encodeJS(sValue) URL jQuery.sap.encodeURL(sValue) CSS jQuery.sap.encodeCSS(sValue)
:
, :
Global_app_config/session_config/sessionTimeout = 900. - , . SystemCookiesDataProtection = true. HttpOnly , - , , . HTTPOnly, Logon tickets XSS-. ume.logon.httponlycookie= True. Logon tickets , Single Sign-On J2EE Engine. “True” , HTTP document.cookie ( XSS-) . SessionIPProtectionEnabled = True. , IP . True, HTTP- IP. IP, .
, , - XSS-, - -, .
LogCLF = TRUE http.properties logging CEF. ArchiveOldLogFiles = ON. Log Configurator . . , . , . . HttpTrace= Enable. HTTP- , ConfigTool. HTTP Provider Service, , HttpTrace.
SAP HANA XS
, XSS- – SAP HANA.
SAP HANA SAPUI5.
- SAPUI5 , . , int int, sap.ui.core . – , HTML:
, :
sessiontimeout = 900. - , . HttpOnly .
, , - XSS-, - -, .
HTTP (S) , SAP HANA, -. - HTTP (S) , icm/http/logging _ 0: global _ auditing _ state = true. global.ini, . , , XSS-. SAP HANA Administration Console –> Security HDB –> Auditing Status menu.
- , XSS. , , - SAP . XSS- – SAP. SAP XSS-. XSS SAP.
, ( chipik ) .
Logging additional information ABAP protection SAP Encoding Functions for AS ABAP Java protection SAP Encoding Functions for AS Java and JavaScript Prevention of Cross-site Scripting SAP HANA protection Protecting SAP® Applications Based on Java and ABAP™ Against Common Attacks
<%@page language="abap" forceEncode="html"%>
<% data: inputvalue type string.
inputvalue = request->get_form_field( 'x' ).
%>
</html>
. , ( ):
<%html=...%>: HTML <%url=...%>: URL URL <%javascript=...%>: JavaScript <%css=…%> : CSS <%raw=...%> ( , , , )
BSP
BSP HTMLB forceEncode <htmlb:content> ENABLED , ( ). ENABLED , , :<htmlb:content forceEncode="ENABLED|BACKWARDS_COMPATIBLE">
ENABLED: . , ; BACKWARDS_COMPATIBLE: . , .
, htmlb:content , . : CLASSIC, DESIGN2002, DESIGN2003, DESIGN2008, , (+). CLASSIC DESIGN2002 (, ) .
<htmlb:content forceEncode="ENABLED" design="DESIGN2003+DESIGN2008">
, design=CLASSIC. .
Mixed BSP- HTML HTMLB
forceEncode BSP page forceEncode HTMLB . , – HTMLB. , , HTML BSP,
Internet Transaction Server (ITS) HTML Business
Internet Transaction Server (ITS) HTML Business, :
xss_url_escape() xss_html_escape() xss_wml_escape() xss_css_escape() xss_js_escape()
HTML Business
, HTML-: , (`) , :
~auto_html_escaping=1: , ~new_xss_functions=1: XSS.
~html_escaping_off=1/0, .
, , SAP_BASIS:
ITS ( <= 6.40), Internet Service SE80. ITS ( >= 6.40), GUI SICF :
7.20, ~new_xss_functions, XSS- .
, , , . ~html_escaping_off=”X”, . , . SAP Security Note 1488500.
Business HTML (BHTML)
HTMLBusiness Template Library (, SAP_TemplateNonEditableField()) . , . SAP Security Note 916255.
, . , .
, XSS-:
http/security_session_timeout = 900; - , . icf/set_HTTPonly_flag_on_cookies = 0; HttpOnly , - , , . HTTPOnly, Logon tickets XSS-.
, RZ10, ( Profile) (, DEFAULT.PFL, SAP-). , , , Extended maintenance . , Copy.
, , - , - -, :
icm/HTTP/logging_0 icm/security_log ,
SAP NetWeaver J2EE
SAP NetWeaver J2EE
AS Java tc_sec_csi.jar. , HTML/XML, JavaScript, CSS URL. StringUtils (com.sap.security.core.server.csi.util.StringUtils):
. Securing SAP from XSS vulnerabilities
escapeScriptEndTag(String pStr) - , javascript ; escapeToHTML(String input) – (. 1) escapeToJS(String input) – JS declaration ( . 5) escapeToURL(String input) – , URL ( 3). , 'disableScriptSignatures'. escapeToURL(StringBuffer sb, String input, int maxLength) - , URL ( 3). , 'disableScriptSignatures'. escapeToURL(String input, int maxLength) - , URL (. 3). , 'disableScriptSignatures'. urlEncode(String s) – URLEncoder.encode
, .
1 ( )
[CASE1]
Username [CASE1]
2 ( , – URL)
Click here
3 ( - URL)
4 ( SCRIPT', – )
5 ( – declaration )
XSSEncoder.
- XSSEncoder ( : com.sap.security.core.server.csi.XSSEncoder).
:
HTML / XML out = XSSEncoder.encodeHTML( in ) and XSSEncoder.encodeXML( val ); JavaScript out = XSSEncoder.encodeJavaScript( val ); URL out = XSSEncoder.encodeURL( val ); CSS out = XSSEncoder.encodeCSS( val );
, . SAP Security Note 1590008.
WebDynpro Java
WebDynpro Java, XSS. .
SAP UI Development Kit for HTML5
SAP UI Development Kit HTML5, jQuery /_core/src/main/js/jquery.sap.encoder.js.
:
HTML / XML jQuery.sap.encodeHTML(sValue) and jQuery.sap.encodeXML(sValue) JavaScript jQuery.sap.encodeJS(sValue) URL jQuery.sap.encodeURL(sValue) CSS jQuery.sap.encodeCSS(sValue)
:
, :
Global_app_config/session_config/sessionTimeout = 900. - , . SystemCookiesDataProtection = true. HttpOnly , - , , . HTTPOnly, Logon tickets XSS-. ume.logon.httponlycookie= True. Logon tickets , Single Sign-On J2EE Engine. “True” , HTTP document.cookie ( XSS-) . SessionIPProtectionEnabled = True. , IP . True, HTTP- IP. IP, .
, , - XSS-, - -, .
LogCLF = TRUE http.properties logging CEF. ArchiveOldLogFiles = ON. Log Configurator . . , . , . . HttpTrace= Enable. HTTP- , ConfigTool. HTTP Provider Service, , HttpTrace.
SAP HANA XS
, XSS- – SAP HANA.
SAP HANA SAPUI5.
- SAPUI5 , . , int int, sap.ui.core . – , HTML:
, :
sessiontimeout = 900. - , . HttpOnly .
, , - XSS-, - -, .
HTTP (S) , SAP HANA, -. - HTTP (S) , icm/http/logging _ 0: global _ auditing _ state = true. global.ini, . , , XSS-. SAP HANA Administration Console –> Security HDB –> Auditing Status menu.
- , XSS. , , - SAP . XSS- – SAP. SAP XSS-. XSS SAP.
, ( chipik ) .
Logging additional information ABAP protection SAP Encoding Functions for AS ABAP Java protection SAP Encoding Functions for AS Java and JavaScript Prevention of Cross-site Scripting SAP HANA protection Protecting SAP® Applications Based on Java and ABAP™ Against Common Attacks
<%@page language="abap" forceEncode="html"%>
<% data: inputvalue type string.
inputvalue = request->get_form_field( 'x' ).
%>
</html>
. , ( ):
<%html=...%>: HTML <%url=...%>: URL URL <%javascript=...%>: JavaScript <%css=…%> : CSS <%raw=...%> ( , , , )
BSP
BSP HTMLB forceEncode <htmlb:content> ENABLED , ( ). ENABLED , , :<htmlb:content forceEncode="ENABLED|BACKWARDS_COMPATIBLE">
ENABLED: . , ; BACKWARDS_COMPATIBLE: . , .
, htmlb:content , . : CLASSIC, DESIGN2002, DESIGN2003, DESIGN2008, , (+). CLASSIC DESIGN2002 (, ) .
<htmlb:content forceEncode="ENABLED" design="DESIGN2003+DESIGN2008">
, design=CLASSIC. .
Mixed BSP- HTML HTMLB
forceEncode BSP page forceEncode HTMLB . , – HTMLB. , , HTML BSP,
Internet Transaction Server (ITS) HTML Business
Internet Transaction Server (ITS) HTML Business, :
xss_url_escape() xss_html_escape() xss_wml_escape() xss_css_escape() xss_js_escape()
HTML Business
, HTML-: , (`) , :
~auto_html_escaping=1: , ~new_xss_functions=1: XSS.
~html_escaping_off=1/0, .
, , SAP_BASIS:
ITS ( <= 6.40), Internet Service SE80. ITS ( >= 6.40), GUI SICF :
7.20, ~new_xss_functions, XSS- .
, , , . ~html_escaping_off=”X”, . , . SAP Security Note 1488500.
Business HTML (BHTML)
HTMLBusiness Template Library (, SAP_TemplateNonEditableField()) . , . SAP Security Note 916255.
, . , .
, XSS-:
http/security_session_timeout = 900; - , . icf/set_HTTPonly_flag_on_cookies = 0; HttpOnly , - , , . HTTPOnly, Logon tickets XSS-.
, RZ10, ( Profile) (, DEFAULT.PFL, SAP-). , , , Extended maintenance . , Copy.
, , - , - -, :
icm/HTTP/logging_0 icm/security_log ,
SAP NetWeaver J2EE
SAP NetWeaver J2EE
AS Java tc_sec_csi.jar. , HTML/XML, JavaScript, CSS URL. StringUtils (com.sap.security.core.server.csi.util.StringUtils):
. Securing SAP from XSS vulnerabilities
escapeScriptEndTag(String pStr) - , javascript ; escapeToHTML(String input) – (. 1) escapeToJS(String input) – JS declaration ( . 5) escapeToURL(String input) – , URL ( 3). , 'disableScriptSignatures'. escapeToURL(StringBuffer sb, String input, int maxLength) - , URL ( 3). , 'disableScriptSignatures'. escapeToURL(String input, int maxLength) - , URL (. 3). , 'disableScriptSignatures'. urlEncode(String s) – URLEncoder.encode
, .
1 ( )
[CASE1]
Username [CASE1]
2 ( , – URL)
Click here
3 ( - URL)
4 ( SCRIPT', – )
5 ( – declaration )
XSSEncoder.
- XSSEncoder ( : com.sap.security.core.server.csi.XSSEncoder).
:
HTML / XML out = XSSEncoder.encodeHTML( in ) and XSSEncoder.encodeXML( val ); JavaScript out = XSSEncoder.encodeJavaScript( val ); URL out = XSSEncoder.encodeURL( val ); CSS out = XSSEncoder.encodeCSS( val );
, . SAP Security Note 1590008.
WebDynpro Java
WebDynpro Java, XSS. .
SAP UI Development Kit for HTML5
SAP UI Development Kit HTML5, jQuery /_core/src/main/js/jquery.sap.encoder.js.
:
HTML / XML jQuery.sap.encodeHTML(sValue) and jQuery.sap.encodeXML(sValue) JavaScript jQuery.sap.encodeJS(sValue) URL jQuery.sap.encodeURL(sValue) CSS jQuery.sap.encodeCSS(sValue)
:
, :
Global_app_config/session_config/sessionTimeout = 900. - , . SystemCookiesDataProtection = true. HttpOnly , - , , . HTTPOnly, Logon tickets XSS-. ume.logon.httponlycookie= True. Logon tickets , Single Sign-On J2EE Engine. “True” , HTTP document.cookie ( XSS-) . SessionIPProtectionEnabled = True. , IP . True, HTTP- IP. IP, .
, , - XSS-, - -, .
LogCLF = TRUE http.properties logging CEF. ArchiveOldLogFiles = ON. Log Configurator . . , . , . . HttpTrace= Enable. HTTP- , ConfigTool. HTTP Provider Service, , HttpTrace.
SAP HANA XS
, XSS- – SAP HANA.
SAP HANA SAPUI5.
- SAPUI5 , . , int int, sap.ui.core . – , HTML:
, :
sessiontimeout = 900. - , . HttpOnly .
, , - XSS-, - -, .
HTTP (S) , SAP HANA, -. - HTTP (S) , icm/http/logging _ 0: global _ auditing _ state = true. global.ini, . , , XSS-. SAP HANA Administration Console –> Security HDB –> Auditing Status menu.
- , XSS. , , - SAP . XSS- – SAP. SAP XSS-. XSS SAP.
, ( chipik ) .
Logging additional information ABAP protection SAP Encoding Functions for AS ABAP Java protection SAP Encoding Functions for AS Java and JavaScript Prevention of Cross-site Scripting SAP HANA protection Protecting SAP® Applications Based on Java and ABAP™ Against Common Attacks
<%@page language="abap" forceEncode="html"%>
<% data: inputvalue type string.
inputvalue = request->get_form_field( 'x' ).
%>
</html>
. , ( ):
<%html=...%>: HTML <%url=...%>: URL URL <%javascript=...%>: JavaScript <%css=…%> : CSS <%raw=...%> ( , , , )
BSP
BSP HTMLB forceEncode <htmlb:content> ENABLED , ( ). ENABLED , , :<htmlb:content forceEncode="ENABLED|BACKWARDS_COMPATIBLE">
ENABLED: . , ; BACKWARDS_COMPATIBLE: . , .
, htmlb:content , . : CLASSIC, DESIGN2002, DESIGN2003, DESIGN2008, , (+). CLASSIC DESIGN2002 (, ) .
<htmlb:content forceEncode="ENABLED" design="DESIGN2003+DESIGN2008">
, design=CLASSIC. .
Mixed BSP- HTML HTMLB
forceEncode BSP page forceEncode HTMLB . , – HTMLB. , , HTML BSP,
Internet Transaction Server (ITS) HTML Business
Internet Transaction Server (ITS) HTML Business, :
xss_url_escape() xss_html_escape() xss_wml_escape() xss_css_escape() xss_js_escape()
HTML Business
, HTML-: , (`) , :
~auto_html_escaping=1: , ~new_xss_functions=1: XSS.
~html_escaping_off=1/0, .
, , SAP_BASIS:
ITS ( <= 6.40), Internet Service SE80. ITS ( >= 6.40), GUI SICF :
7.20, ~new_xss_functions, XSS- .
, , , . ~html_escaping_off=”X”, . , . SAP Security Note 1488500.
Business HTML (BHTML)
HTMLBusiness Template Library (, SAP_TemplateNonEditableField()) . , . SAP Security Note 916255.
, . , .
, XSS-:
http/security_session_timeout = 900; - , . icf/set_HTTPonly_flag_on_cookies = 0; HttpOnly , - , , . HTTPOnly, Logon tickets XSS-.
, RZ10, ( Profile) (, DEFAULT.PFL, SAP-). , , , Extended maintenance . , Copy.
, , - , - -, :
icm/HTTP/logging_0 icm/security_log ,
SAP NetWeaver J2EE
SAP NetWeaver J2EE
AS Java tc_sec_csi.jar. , HTML/XML, JavaScript, CSS URL. StringUtils (com.sap.security.core.server.csi.util.StringUtils):
. Securing SAP from XSS vulnerabilities
escapeScriptEndTag(String pStr) - , javascript ; escapeToHTML(String input) – (. 1) escapeToJS(String input) – JS declaration ( . 5) escapeToURL(String input) – , URL ( 3). , 'disableScriptSignatures'. escapeToURL(StringBuffer sb, String input, int maxLength) - , URL ( 3). , 'disableScriptSignatures'. escapeToURL(String input, int maxLength) - , URL (. 3). , 'disableScriptSignatures'. urlEncode(String s) – URLEncoder.encode
, .
1 ( )
[CASE1]
Username [CASE1]
2 ( , – URL)
Click here
3 ( - URL)
4 ( SCRIPT', – )
5 ( – declaration )
XSSEncoder.
- XSSEncoder ( : com.sap.security.core.server.csi.XSSEncoder).
:
HTML / XML out = XSSEncoder.encodeHTML( in ) and XSSEncoder.encodeXML( val ); JavaScript out = XSSEncoder.encodeJavaScript( val ); URL out = XSSEncoder.encodeURL( val ); CSS out = XSSEncoder.encodeCSS( val );
, . SAP Security Note 1590008.
WebDynpro Java
WebDynpro Java, XSS. .
SAP UI Development Kit for HTML5
SAP UI Development Kit HTML5, jQuery /_core/src/main/js/jquery.sap.encoder.js.
:
HTML / XML jQuery.sap.encodeHTML(sValue) and jQuery.sap.encodeXML(sValue) JavaScript jQuery.sap.encodeJS(sValue) URL jQuery.sap.encodeURL(sValue) CSS jQuery.sap.encodeCSS(sValue)
:
, :
Global_app_config/session_config/sessionTimeout = 900. - , . SystemCookiesDataProtection = true. HttpOnly , - , , . HTTPOnly, Logon tickets XSS-. ume.logon.httponlycookie= True. Logon tickets , Single Sign-On J2EE Engine. “True” , HTTP document.cookie ( XSS-) . SessionIPProtectionEnabled = True. , IP . True, HTTP- IP. IP, .
, , - XSS-, - -, .
LogCLF = TRUE http.properties logging CEF. ArchiveOldLogFiles = ON. Log Configurator . . , . , . . HttpTrace= Enable. HTTP- , ConfigTool. HTTP Provider Service, , HttpTrace.
SAP HANA XS
, XSS- – SAP HANA.
SAP HANA SAPUI5.
- SAPUI5 , . , int int, sap.ui.core . – , HTML:
, :
sessiontimeout = 900. - , . HttpOnly .
, , - XSS-, - -, .
HTTP (S) , SAP HANA, -. - HTTP (S) , icm/http/logging _ 0: global _ auditing _ state = true. global.ini, . , , XSS-. SAP HANA Administration Console –> Security HDB –> Auditing Status menu.
- , XSS. , , - SAP . XSS- – SAP. SAP XSS-. XSS SAP.
, ( chipik ) .
Logging additional information ABAP protection SAP Encoding Functions for AS ABAP Java protection SAP Encoding Functions for AS Java and JavaScript Prevention of Cross-site Scripting SAP HANA protection Protecting SAP® Applications Based on Java and ABAP™ Against Common Attacks
<%@page language="abap" forceEncode="html"%>
<% data: inputvalue type string.
inputvalue = request->get_form_field( 'x' ).
%>
</html>
. , ( ):
<%html=...%>: HTML <%url=...%>: URL URL <%javascript=...%>: JavaScript <%css=…%> : CSS <%raw=...%> ( , , , )
BSP
BSP HTMLB forceEncode <htmlb:content> ENABLED , ( ). ENABLED , , :<htmlb:content forceEncode="ENABLED|BACKWARDS_COMPATIBLE">
ENABLED: . , ; BACKWARDS_COMPATIBLE: . , .
, htmlb:content , . : CLASSIC, DESIGN2002, DESIGN2003, DESIGN2008, , (+). CLASSIC DESIGN2002 (, ) .
<htmlb:content forceEncode="ENABLED" design="DESIGN2003+DESIGN2008">
, design=CLASSIC. .
Mixed BSP- HTML HTMLB
forceEncode BSP page forceEncode HTMLB . , – HTMLB. , , HTML BSP,
Internet Transaction Server (ITS) HTML Business
Internet Transaction Server (ITS) HTML Business, :
xss_url_escape() xss_html_escape() xss_wml_escape() xss_css_escape() xss_js_escape()
HTML Business
, HTML-: , (`) , :
~auto_html_escaping=1: , ~new_xss_functions=1: XSS.
~html_escaping_off=1/0, .
, , SAP_BASIS:
ITS ( <= 6.40), Internet Service SE80. ITS ( >= 6.40), GUI SICF :
7.20, ~new_xss_functions, XSS- .
, , , . ~html_escaping_off=”X”, . , . SAP Security Note 1488500.
Business HTML (BHTML)
HTMLBusiness Template Library (, SAP_TemplateNonEditableField()) . , . SAP Security Note 916255.
, . , .
, XSS-:
http/security_session_timeout = 900; - , . icf/set_HTTPonly_flag_on_cookies = 0; HttpOnly , - , , . HTTPOnly, Logon tickets XSS-.
, RZ10, ( Profile) (, DEFAULT.PFL, SAP-). , , , Extended maintenance . , Copy.
, , - , - -, :
icm/HTTP/logging_0 icm/security_log ,
SAP NetWeaver J2EE
SAP NetWeaver J2EE
AS Java tc_sec_csi.jar. , HTML/XML, JavaScript, CSS URL. StringUtils (com.sap.security.core.server.csi.util.StringUtils):
. Securing SAP from XSS vulnerabilities
escapeScriptEndTag(String pStr) - , javascript ; escapeToHTML(String input) – (. 1) escapeToJS(String input) – JS declaration ( . 5) escapeToURL(String input) – , URL ( 3). , 'disableScriptSignatures'. escapeToURL(StringBuffer sb, String input, int maxLength) - , URL ( 3). , 'disableScriptSignatures'. escapeToURL(String input, int maxLength) - , URL (. 3). , 'disableScriptSignatures'. urlEncode(String s) – URLEncoder.encode
, .
1 ( )
[CASE1]
Username [CASE1]
2 ( , – URL)
Click here
3 ( - URL)
4 ( SCRIPT', – )
5 ( – declaration )
XSSEncoder.
- XSSEncoder ( : com.sap.security.core.server.csi.XSSEncoder).
:
HTML / XML out = XSSEncoder.encodeHTML( in ) and XSSEncoder.encodeXML( val ); JavaScript out = XSSEncoder.encodeJavaScript( val ); URL out = XSSEncoder.encodeURL( val ); CSS out = XSSEncoder.encodeCSS( val );
, . SAP Security Note 1590008.
WebDynpro Java
WebDynpro Java, XSS. .
SAP UI Development Kit for HTML5
SAP UI Development Kit HTML5, jQuery /_core/src/main/js/jquery.sap.encoder.js.
:
HTML / XML jQuery.sap.encodeHTML(sValue) and jQuery.sap.encodeXML(sValue) JavaScript jQuery.sap.encodeJS(sValue) URL jQuery.sap.encodeURL(sValue) CSS jQuery.sap.encodeCSS(sValue)
:
, :
Global_app_config/session_config/sessionTimeout = 900. - , . SystemCookiesDataProtection = true. HttpOnly , - , , . HTTPOnly, Logon tickets XSS-. ume.logon.httponlycookie= True. Logon tickets , Single Sign-On J2EE Engine. “True” , HTTP document.cookie ( XSS-) . SessionIPProtectionEnabled = True. , IP . True, HTTP- IP. IP, .
, , - XSS-, - -, .
LogCLF = TRUE http.properties logging CEF. ArchiveOldLogFiles = ON. Log Configurator . . , . , . . HttpTrace= Enable. HTTP- , ConfigTool. HTTP Provider Service, , HttpTrace.
SAP HANA XS
, XSS- – SAP HANA.
SAP HANA SAPUI5.
- SAPUI5 , . , int int, sap.ui.core . – , HTML:
, :
sessiontimeout = 900. - , . HttpOnly .
, , - XSS-, - -, .
HTTP (S) , SAP HANA, -. - HTTP (S) , icm/http/logging _ 0: global _ auditing _ state = true. global.ini, . , , XSS-. SAP HANA Administration Console –> Security HDB –> Auditing Status menu.
- , XSS. , , - SAP . XSS- – SAP. SAP XSS-. XSS SAP.
, ( chipik ) .
Logging additional information ABAP protection SAP Encoding Functions for AS ABAP Java protection SAP Encoding Functions for AS Java and JavaScript Prevention of Cross-site Scripting SAP HANA protection Protecting SAP® Applications Based on Java and ABAP™ Against Common Attacks
<%@page language="abap" forceEncode="html"%>
<% data: inputvalue type string.
inputvalue = request->get_form_field( 'x' ).
%>
</html>
. , ( ):
<%html=...%>: HTML <%url=...%>: URL URL <%javascript=...%>: JavaScript <%css=…%> : CSS <%raw=...%> ( , , , )
BSP
BSP HTMLB forceEncode <htmlb:content> ENABLED , ( ). ENABLED , , :<htmlb:content forceEncode="ENABLED|BACKWARDS_COMPATIBLE">
ENABLED: . , ; BACKWARDS_COMPATIBLE: . , .
, htmlb:content , . : CLASSIC, DESIGN2002, DESIGN2003, DESIGN2008, , (+). CLASSIC DESIGN2002 (, ) .
<htmlb:content forceEncode="ENABLED" design="DESIGN2003+DESIGN2008">
, design=CLASSIC. .
Mixed BSP- HTML HTMLB
forceEncode BSP page forceEncode HTMLB . , – HTMLB. , , HTML BSP,
Internet Transaction Server (ITS) HTML Business
Internet Transaction Server (ITS) HTML Business, :
xss_url_escape() xss_html_escape() xss_wml_escape() xss_css_escape() xss_js_escape()
HTML Business
, HTML-: , (`) , :
~auto_html_escaping=1: , ~new_xss_functions=1: XSS.
~html_escaping_off=1/0, .
, , SAP_BASIS:
ITS ( <= 6.40), Internet Service SE80. ITS ( >= 6.40), GUI SICF :
7.20, ~new_xss_functions, XSS- .
, , , . ~html_escaping_off=”X”, . , . SAP Security Note 1488500.
Business HTML (BHTML)
HTMLBusiness Template Library (, SAP_TemplateNonEditableField()) . , . SAP Security Note 916255.
, . , .
, XSS-:
http/security_session_timeout = 900; - , . icf/set_HTTPonly_flag_on_cookies = 0; HttpOnly , - , , . HTTPOnly, Logon tickets XSS-.
, RZ10, ( Profile) (, DEFAULT.PFL, SAP-). , , , Extended maintenance . , Copy.
, , - , - -, :
icm/HTTP/logging_0 icm/security_log ,
SAP NetWeaver J2EE
SAP NetWeaver J2EE
AS Java tc_sec_csi.jar. , HTML/XML, JavaScript, CSS URL. StringUtils (com.sap.security.core.server.csi.util.StringUtils):
. Securing SAP from XSS vulnerabilities
escapeScriptEndTag(String pStr) - , javascript ; escapeToHTML(String input) – (. 1) escapeToJS(String input) – JS declaration ( . 5) escapeToURL(String input) – , URL ( 3). , 'disableScriptSignatures'. escapeToURL(StringBuffer sb, String input, int maxLength) - , URL ( 3). , 'disableScriptSignatures'. escapeToURL(String input, int maxLength) - , URL (. 3). , 'disableScriptSignatures'. urlEncode(String s) – URLEncoder.encode
, .
1 ( )
[CASE1]
Username [CASE1]
2 ( , – URL)
Click here
3 ( - URL)
4 ( SCRIPT', – )
5 ( – declaration )
XSSEncoder.
- XSSEncoder ( : com.sap.security.core.server.csi.XSSEncoder).
:
HTML / XML out = XSSEncoder.encodeHTML( in ) and XSSEncoder.encodeXML( val ); JavaScript out = XSSEncoder.encodeJavaScript( val ); URL out = XSSEncoder.encodeURL( val ); CSS out = XSSEncoder.encodeCSS( val );
, . SAP Security Note 1590008.
WebDynpro Java
WebDynpro Java, XSS. .
SAP UI Development Kit for HTML5
SAP UI Development Kit HTML5, jQuery /_core/src/main/js/jquery.sap.encoder.js.
:
HTML / XML jQuery.sap.encodeHTML(sValue) and jQuery.sap.encodeXML(sValue) JavaScript jQuery.sap.encodeJS(sValue) URL jQuery.sap.encodeURL(sValue) CSS jQuery.sap.encodeCSS(sValue)
:
, :
Global_app_config/session_config/sessionTimeout = 900. - , . SystemCookiesDataProtection = true. HttpOnly , - , , . HTTPOnly, Logon tickets XSS-. ume.logon.httponlycookie= True. Logon tickets , Single Sign-On J2EE Engine. “True” , HTTP document.cookie ( XSS-) . SessionIPProtectionEnabled = True. , IP . True, HTTP- IP. IP, .
, , - XSS-, - -, .
LogCLF = TRUE http.properties logging CEF. ArchiveOldLogFiles = ON. Log Configurator . . , . , . . HttpTrace= Enable. HTTP- , ConfigTool. HTTP Provider Service, , HttpTrace.
SAP HANA XS
, XSS- – SAP HANA.
SAP HANA SAPUI5.
- SAPUI5 , . , int int, sap.ui.core . – , HTML:
, :
sessiontimeout = 900. - , . HttpOnly .
, , - XSS-, - -, .
HTTP (S) , SAP HANA, -. - HTTP (S) , icm/http/logging _ 0: global _ auditing _ state = true. global.ini, . , , XSS-. SAP HANA Administration Console –> Security HDB –> Auditing Status menu.
- , XSS. , , - SAP . XSS- – SAP. SAP XSS-. XSS SAP.
, ( chipik ) .
Logging additional information ABAP protection SAP Encoding Functions for AS ABAP Java protection SAP Encoding Functions for AS Java and JavaScript Prevention of Cross-site Scripting SAP HANA protection Protecting SAP® Applications Based on Java and ABAP™ Against Common Attacks
<%@page language="abap" forceEncode="html"%>
<% data: inputvalue type string.
inputvalue = request->get_form_field( 'x' ).
%>
</html>
. , ( ):
<%html=...%>: HTML <%url=...%>: URL URL <%javascript=...%>: JavaScript <%css=…%> : CSS <%raw=...%> ( , , , )
BSP
BSP HTMLB forceEncode <htmlb:content> ENABLED , ( ). ENABLED , , :<htmlb:content forceEncode="ENABLED|BACKWARDS_COMPATIBLE">
ENABLED: . , ; BACKWARDS_COMPATIBLE: . , .
, htmlb:content , . : CLASSIC, DESIGN2002, DESIGN2003, DESIGN2008, , (+). CLASSIC DESIGN2002 (, ) .
<htmlb:content forceEncode="ENABLED" design="DESIGN2003+DESIGN2008">
, design=CLASSIC. .
Mixed BSP- HTML HTMLB
forceEncode BSP page forceEncode HTMLB . , – HTMLB. , , HTML BSP,
Internet Transaction Server (ITS) HTML Business
Internet Transaction Server (ITS) HTML Business, :
xss_url_escape() xss_html_escape() xss_wml_escape() xss_css_escape() xss_js_escape()
HTML Business
, HTML-: , (`) , :
~auto_html_escaping=1: , ~new_xss_functions=1: XSS.
~html_escaping_off=1/0, .
, , SAP_BASIS:
ITS ( <= 6.40), Internet Service SE80. ITS ( >= 6.40), GUI SICF :
7.20, ~new_xss_functions, XSS- .
, , , . ~html_escaping_off=”X”, . , . SAP Security Note 1488500.
Business HTML (BHTML)
HTMLBusiness Template Library (, SAP_TemplateNonEditableField()) . , . SAP Security Note 916255.
, . , .
, XSS-:
http/security_session_timeout = 900; - , . icf/set_HTTPonly_flag_on_cookies = 0; HttpOnly , - , , . HTTPOnly, Logon tickets XSS-.
, RZ10, ( Profile) (, DEFAULT.PFL, SAP-). , , , Extended maintenance . , Copy.
, , - , - -, :
icm/HTTP/logging_0 icm/security_log ,
SAP NetWeaver J2EE
AS Java tc_sec_csi.jar: HTML/XML, JavaScript, CSS, URL. StringUtils (com.sap.security.core.server.csi.util.StringUtils):
Securing SAP from XSS vulnerabilities
escapeScriptEndTag(String pStr): javascript
escapeToHTML(String input): (case 1)
escapeToJS(String input): JS declaration (case 5)
escapeToURL(String input): URL (case 3); 'disableScriptSignatures'
escapeToURL(StringBuffer sb, String input, int maxLength): URL (case 3); 'disableScriptSignatures'
escapeToURL(String input, int maxLength): URL (case 3); 'disableScriptSignatures'
urlEncode(String s): URLEncoder.encode
Case 1:
[CASE1]
Username [CASE1]
Case 2 (URL):
Click here
Case 3 (URL):
Case 4 (SCRIPT'):
Case 5 (declaration):
XSSEncoder
XSSEncoder (com.sap.security.core.server.csi.XSSEncoder):
HTML / XML: out = XSSEncoder.encodeHTML( val ) and XSSEncoder.encodeXML( val );
JavaScript: out = XSSEncoder.encodeJavaScript( val );
URL: out = XSSEncoder.encodeURL( val );
CSS: out = XSSEncoder.encodeCSS( val );
SAP Security Note 1590008.
WebDynpro Java
WebDynpro Java, XSS.
SAP UI Development Kit for HTML5
SAP UI Development Kit for HTML5: jQuery, /_core/src/main/js/jquery.sap.encoder.js.
HTML / XML: jQuery.sap.encodeHTML(sValue) and jQuery.sap.encodeXML(sValue)
JavaScript: jQuery.sap.encodeJS(sValue)
URL: jQuery.sap.encodeURL(sValue)
CSS: jQuery.sap.encodeCSS(sValue)
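The four output contexts that the ABAP escape methods, XSSEncoder and jquery.sap.encoder.js lists above all distinguish, as an added example that is not SAP's code: stand-alone encoders for HTML/XML, JavaScript string literals, URL parameters and CSS strings, plus a check showing why the HTML encoder cannot stand in for the JavaScript one. Function names and the sample input are my own, not SAP APIs.

```javascript
// Added example (not SAP's code): one encoder per output context, modelled
// on the four contexts in the SAP encoder tables. Names are my own.

// HTML/XML context: element text and quoted attribute values. Entity-encode
// the five characters that can start markup or close an attribute value.
const HTML_ENTITIES = {
  "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#x27;",
};
function encodeHTML(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ENTITIES[ch]);
}

// JavaScript string-literal context: \xHH (or \uHHHH) for everything outside
// [A-Za-z0-9]. Quotes, backslash, line terminators and "<" are all covered,
// so neither the literal nor the enclosing <script> block can be closed early.
function encodeJS(value) {
  return String(value).replace(/[^A-Za-z0-9]/g, (ch) => {
    const code = ch.charCodeAt(0); // surrogate halves are escaped one by one
    return code < 0x100
      ? "\\x" + code.toString(16).padStart(2, "0")
      : "\\u" + code.toString(16).padStart(4, "0");
  });
}

// URL query-parameter context: UTF-8 percent-encoding. encodeURIComponent
// leaves ! ' ( ) * untouched, so those are encoded on top of it.
function encodeURL(value) {
  return encodeURIComponent(String(value)).replace(/[!'()*]/g,
    (ch) => "%" + ch.charCodeAt(0).toString(16).toUpperCase());
}

// CSS string context: \HHHHHH with six hex digits for everything outside
// [A-Za-z0-9]; six digits means no terminating space is needed.
function encodeCSS(value) {
  return String(value).replace(/[^A-Za-z0-9]/gu,
    (ch) => "\\" + ch.codePointAt(0).toString(16).padStart(6, "0"));
}

// True when a string can sit inside a JS string literal in a <script> block:
// after removing well-formed \xHH / \uHHHH escapes, nothing remains that can
// close the literal, escape the closing quote, break the line or open a tag.
function jsLiteralSafe(encoded) {
  const withoutEscapes = encoded.replace(/\\x[0-9a-f]{2}|\\u[0-9a-f]{4}/g, "");
  return !/['"\\<\n\r\u2028\u2029]/.test(withoutEscapes);
}

// Renders one untrusted value into all four sinks, each through its own
// encoder, and returns the markup so it can be inspected or asserted on.
function renderSnippet(untrusted) {
  return [
    `<span title="${encodeHTML(untrusted)}">${encodeHTML(untrusted)}</span>`,
    `<a href="/search?q=${encodeURL(untrusted)}">search</a>`,
    `<script>var userName = '${encodeJS(untrusted)}';</script>`,
    `<style>.user::before { content: '${encodeCSS(untrusted)}'; }</style>`,
  ].join("\n");
}

// Constructed sample input: characters that are significant in each context.
const SAMPLE_INPUT = "O'Brien </script> & \"x\" \\";

console.log(renderSnippet(SAMPLE_INPUT));
```

The jsLiteralSafe check is the page's point in one line: HTML entity encoding leaves backslash and newline untouched, so a value that is safe in element text is not safe inside a script literal.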
Global_app_config/session_config/sessionTimeout = 900
SystemCookiesDataProtection = true: HttpOnly. HTTPOnly, Logon tickets, XSS.
ume.logon.httponlycookie = True: Logon tickets, Single Sign-On, J2EE Engine. "True": HTTP, document.cookie (XSS).
SessionIPProtectionEnabled = True: IP. True: HTTP, IP. IP.
, , - XSS-, - -, .
LogCLF = TRUE (http.properties): logging CEF.
ArchiveOldLogFiles = ON: Log Configurator.
HttpTrace = Enable: HTTP, ConfigTool. HTTP Provider Service, HttpTrace.
SAP HANA XS
, XSS- – SAP HANA.
SAP HANA SAPUI5.
SAPUI5: int, sap.ui.core. HTML:
sessiontimeout = 900. HttpOnly.
, , - XSS-, - -, .
HTTP(S), SAP HANA. HTTP(S): icm/http/logging_0; global_auditing_state = true (global.ini). XSS. SAP HANA Administration Console -> Security HDB -> Auditing Status menu.
- , XSS. , , - SAP . XSS- – SAP. SAP XSS-. XSS SAP.
, ( chipik ) .
Logging additional information
ABAP protection: SAP Encoding Functions for AS ABAP
Java protection: SAP Encoding Functions for AS Java and JavaScript
Prevention of Cross-site Scripting
SAP HANA protection
Protecting SAP® Applications Based on Java and ABAP™ Against Common Attacks
<%@page language="abap" forceEncode="html"%>
<% data: inputvalue type string.
inputvalue = request->get_form_field( 'x' ).
%>
</html>
. , ( ):
<%html=...%>: HTML <%url=...%>: URL URL <%javascript=...%>: JavaScript <%css=…%> : CSS <%raw=...%> ( , , , )
BSP
BSP HTMLB forceEncode <htmlb:content> ENABLED , ( ). ENABLED , , :<htmlb:content forceEncode="ENABLED|BACKWARDS_COMPATIBLE">
ENABLED: . , ; BACKWARDS_COMPATIBLE: . , .
, htmlb:content , . : CLASSIC, DESIGN2002, DESIGN2003, DESIGN2008, , (+). CLASSIC DESIGN2002 (, ) .
<htmlb:content forceEncode="ENABLED" design="DESIGN2003+DESIGN2008">
, design=CLASSIC. .
Mixed BSP- HTML HTMLB
forceEncode BSP page forceEncode HTMLB . , – HTMLB. , , HTML BSP,
Internet Transaction Server (ITS) HTML Business
Internet Transaction Server (ITS) HTML Business, :
xss_url_escape() xss_html_escape() xss_wml_escape() xss_css_escape() xss_js_escape()
HTML Business
, HTML-: , (`) , :
~auto_html_escaping=1: , ~new_xss_functions=1: XSS.
~html_escaping_off=1/0, .
, , SAP_BASIS:
ITS ( <= 6.40), Internet Service SE80. ITS ( >= 6.40), GUI SICF :
7.20, ~new_xss_functions, XSS- .
, , , . ~html_escaping_off=”X”, . , . SAP Security Note 1488500.
Business HTML (BHTML)
HTMLBusiness Template Library (, SAP_TemplateNonEditableField()) . , . SAP Security Note 916255.
, . , .
, XSS-:
http/security_session_timeout = 900; - , . icf/set_HTTPonly_flag_on_cookies = 0; HttpOnly , - , , . HTTPOnly, Logon tickets XSS-.
, RZ10, ( Profile) (, DEFAULT.PFL, SAP-). , , , Extended maintenance . , Copy.
, , - , - -, :
icm/HTTP/logging_0 icm/security_log ,
SAP NetWeaver J2EE
SAP NetWeaver J2EE
AS Java tc_sec_csi.jar. , HTML/XML, JavaScript, CSS URL. StringUtils (com.sap.security.core.server.csi.util.StringUtils):
. Securing SAP from XSS vulnerabilities
escapeScriptEndTag(String pStr) - , javascript ; escapeToHTML(String input) – (. 1) escapeToJS(String input) – JS declaration ( . 5) escapeToURL(String input) – , URL ( 3). , 'disableScriptSignatures'. escapeToURL(StringBuffer sb, String input, int maxLength) - , URL ( 3). , 'disableScriptSignatures'. escapeToURL(String input, int maxLength) - , URL (. 3). , 'disableScriptSignatures'. urlEncode(String s) – URLEncoder.encode
, .
1 ( )
[CASE1]
Username [CASE1]
2 ( , – URL)
Click here
3 ( - URL)
4 ( SCRIPT', – )
5 ( – declaration )
XSSEncoder.
- XSSEncoder ( : com.sap.security.core.server.csi.XSSEncoder).
:
HTML / XML out = XSSEncoder.encodeHTML( in ) and XSSEncoder.encodeXML( val ); JavaScript out = XSSEncoder.encodeJavaScript( val ); URL out = XSSEncoder.encodeURL( val ); CSS out = XSSEncoder.encodeCSS( val );
, . SAP Security Note 1590008.
WebDynpro Java
WebDynpro Java, XSS. .
SAP UI Development Kit for HTML5
SAP UI Development Kit HTML5, jQuery /_core/src/main/js/jquery.sap.encoder.js.
:
HTML / XML jQuery.sap.encodeHTML(sValue) and jQuery.sap.encodeXML(sValue) JavaScript jQuery.sap.encodeJS(sValue) URL jQuery.sap.encodeURL(sValue) CSS jQuery.sap.encodeCSS(sValue)
:
, :
Global_app_config/session_config/sessionTimeout = 900. - , . SystemCookiesDataProtection = true. HttpOnly , - , , . HTTPOnly, Logon tickets XSS-. ume.logon.httponlycookie= True. Logon tickets , Single Sign-On J2EE Engine. “True” , HTTP document.cookie ( XSS-) . SessionIPProtectionEnabled = True. , IP . True, HTTP- IP. IP, .
, , - XSS-, - -, .
LogCLF = TRUE http.properties logging CEF. ArchiveOldLogFiles = ON. Log Configurator . . , . , . . HttpTrace= Enable. HTTP- , ConfigTool. HTTP Provider Service, , HttpTrace.
SAP HANA XS
, XSS- – SAP HANA.
SAP HANA SAPUI5.
- SAPUI5 , . , int int, sap.ui.core . – , HTML:
, :
sessiontimeout = 900. - , . HttpOnly .
, , - XSS-, - -, .
HTTP (S) , SAP HANA, -. - HTTP (S) , icm/http/logging _ 0: global _ auditing _ state = true. global.ini, . , , XSS-. SAP HANA Administration Console –> Security HDB –> Auditing Status menu.
- , XSS. , , - SAP . XSS- – SAP. SAP XSS-. XSS SAP.
, ( chipik ) .
Logging additional information ABAP protection SAP Encoding Functions for AS ABAP Java protection SAP Encoding Functions for AS Java and JavaScript Prevention of Cross-site Scripting SAP HANA protection Protecting SAP® Applications Based on Java and ABAP™ Against Common Attacks
<%@page language="abap" forceEncode="html"%>
<% data: inputvalue type string.
inputvalue = request->get_form_field( 'x' ).
%>
</html>
. , ( ):
<%html=...%>: HTML <%url=...%>: URL URL <%javascript=...%>: JavaScript <%css=…%> : CSS <%raw=...%> ( , , , )
BSP
BSP HTMLB forceEncode <htmlb:content> ENABLED , ( ). ENABLED , , :<htmlb:content forceEncode="ENABLED|BACKWARDS_COMPATIBLE">
ENABLED: . , ; BACKWARDS_COMPATIBLE: . , .
, htmlb:content , . : CLASSIC, DESIGN2002, DESIGN2003, DESIGN2008, , (+). CLASSIC DESIGN2002 (, ) .
<htmlb:content forceEncode="ENABLED" design="DESIGN2003+DESIGN2008">
, design=CLASSIC. .
Mixed BSP- HTML HTMLB
forceEncode BSP page forceEncode HTMLB . , – HTMLB. , , HTML BSP,
Internet Transaction Server (ITS) HTML Business
Internet Transaction Server (ITS) HTML Business, :
xss_url_escape() xss_html_escape() xss_wml_escape() xss_css_escape() xss_js_escape()
HTML Business
, HTML-: , (`) , :
~auto_html_escaping=1: , ~new_xss_functions=1: XSS.
~html_escaping_off=1/0, .
, , SAP_BASIS:
ITS ( <= 6.40), Internet Service SE80. ITS ( >= 6.40), GUI SICF :
7.20, ~new_xss_functions, XSS- .
, , , . ~html_escaping_off=”X”, . , . SAP Security Note 1488500.
Business HTML (BHTML)
HTMLBusiness Template Library (, SAP_TemplateNonEditableField()) . , . SAP Security Note 916255.
, . , .
, XSS-:
http/security_session_timeout = 900; - , . icf/set_HTTPonly_flag_on_cookies = 0; HttpOnly , - , , . HTTPOnly, Logon tickets XSS-.
, RZ10, ( Profile) (, DEFAULT.PFL, SAP-). , , , Extended maintenance . , Copy.
, , - , - -, :
icm/HTTP/logging_0 icm/security_log ,
SAP NetWeaver J2EE
SAP NetWeaver J2EE
AS Java tc_sec_csi.jar. , HTML/XML, JavaScript, CSS URL. StringUtils (com.sap.security.core.server.csi.util.StringUtils):
. Securing SAP from XSS vulnerabilities
escapeScriptEndTag(String pStr) - , javascript ; escapeToHTML(String input) – (. 1) escapeToJS(String input) – JS declaration ( . 5) escapeToURL(String input) – , URL ( 3). , 'disableScriptSignatures'. escapeToURL(StringBuffer sb, String input, int maxLength) - , URL ( 3). , 'disableScriptSignatures'. escapeToURL(String input, int maxLength) - , URL (. 3). , 'disableScriptSignatures'. urlEncode(String s) – URLEncoder.encode
, .
1 ( )
[CASE1]
Username [CASE1]
2 ( , – URL)
Click here
3 ( - URL)
4 ( SCRIPT', – )
5 ( – declaration )
XSSEncoder.
- XSSEncoder ( : com.sap.security.core.server.csi.XSSEncoder).
:
HTML / XML out = XSSEncoder.encodeHTML( in ) and XSSEncoder.encodeXML( val ); JavaScript out = XSSEncoder.encodeJavaScript( val ); URL out = XSSEncoder.encodeURL( val ); CSS out = XSSEncoder.encodeCSS( val );
, . SAP Security Note 1590008.
WebDynpro Java
WebDynpro Java, XSS. .
SAP UI Development Kit for HTML5
SAP UI Development Kit HTML5, jQuery /_core/src/main/js/jquery.sap.encoder.js.
:
HTML / XML jQuery.sap.encodeHTML(sValue) and jQuery.sap.encodeXML(sValue) JavaScript jQuery.sap.encodeJS(sValue) URL jQuery.sap.encodeURL(sValue) CSS jQuery.sap.encodeCSS(sValue)
:
, :
Global_app_config/session_config/sessionTimeout = 900. - , . SystemCookiesDataProtection = true. HttpOnly , - , , . HTTPOnly, Logon tickets XSS-. ume.logon.httponlycookie= True. Logon tickets , Single Sign-On J2EE Engine. “True” , HTTP document.cookie ( XSS-) . SessionIPProtectionEnabled = True. , IP . True, HTTP- IP. IP, .
, , - XSS-, - -, .
LogCLF = TRUE http.properties logging CEF. ArchiveOldLogFiles = ON. Log Configurator . . , . , . . HttpTrace= Enable. HTTP- , ConfigTool. HTTP Provider Service, , HttpTrace.
SAP HANA XS
, XSS- – SAP HANA.
SAP HANA SAPUI5.
- SAPUI5 , . , int int, sap.ui.core . – , HTML:
, :
sessiontimeout = 900. - , . HttpOnly .
, , - XSS-, - -, .
HTTP (S) , SAP HANA, -. - HTTP (S) , icm/http/logging _ 0: global _ auditing _ state = true. global.ini, . , , XSS-. SAP HANA Administration Console –> Security HDB –> Auditing Status menu.
- , XSS. , , - SAP . XSS- – SAP. SAP XSS-. XSS SAP.
, ( chipik ) .
Logging additional information ABAP protection SAP Encoding Functions for AS ABAP Java protection SAP Encoding Functions for AS Java and JavaScript Prevention of Cross-site Scripting SAP HANA protection Protecting SAP® Applications Based on Java and ABAP™ Against Common Attacks
<%@page language="abap" forceEncode="html"%>
<% data: inputvalue type string.
inputvalue = request->get_form_field( 'x' ).
%>
</html>
. , ( ):
<%html=...%>: HTML <%url=...%>: URL URL <%javascript=...%>: JavaScript <%css=…%> : CSS <%raw=...%> ( , , , )
BSP
BSP HTMLB forceEncode <htmlb:content> ENABLED , ( ). ENABLED , , :<htmlb:content forceEncode="ENABLED|BACKWARDS_COMPATIBLE">
ENABLED: . , ; BACKWARDS_COMPATIBLE: . , .
, htmlb:content , . : CLASSIC, DESIGN2002, DESIGN2003, DESIGN2008, , (+). CLASSIC DESIGN2002 (, ) .
<htmlb:content forceEncode="ENABLED" design="DESIGN2003+DESIGN2008">
, design=CLASSIC. .
Mixed BSP- HTML HTMLB
forceEncode BSP page forceEncode HTMLB . , – HTMLB. , , HTML BSP,
Internet Transaction Server (ITS) HTML Business
Internet Transaction Server (ITS) HTML Business, :
xss_url_escape() xss_html_escape() xss_wml_escape() xss_css_escape() xss_js_escape()
HTML Business
, HTML-: , (`) , :
~auto_html_escaping=1: , ~new_xss_functions=1: XSS.
~html_escaping_off=1/0, .
, , SAP_BASIS:
ITS ( <= 6.40), Internet Service SE80. ITS ( >= 6.40), GUI SICF :
7.20, ~new_xss_functions, XSS- .
, , , . ~html_escaping_off=”X”, . , . SAP Security Note 1488500.
Business HTML (BHTML)
HTMLBusiness Template Library (, SAP_TemplateNonEditableField()) . , . SAP Security Note 916255.
, . , .
, XSS-:
http/security_session_timeout = 900; - , . icf/set_HTTPonly_flag_on_cookies = 0; HttpOnly , - , , . HTTPOnly, Logon tickets XSS-.
, RZ10, ( Profile) (, DEFAULT.PFL, SAP-). , , , Extended maintenance . , Copy.
, , - , - -, :
icm/HTTP/logging_0 icm/security_log ,
SAP NetWeaver J2EE
SAP NetWeaver J2EE
AS Java tc_sec_csi.jar. , HTML/XML, JavaScript, CSS URL. StringUtils (com.sap.security.core.server.csi.util.StringUtils):
. Securing SAP from XSS vulnerabilities
escapeScriptEndTag(String pStr) - , javascript ; escapeToHTML(String input) – (. 1) escapeToJS(String input) – JS declaration ( . 5) escapeToURL(String input) – , URL ( 3). , 'disableScriptSignatures'. escapeToURL(StringBuffer sb, String input, int maxLength) - , URL ( 3). , 'disableScriptSignatures'. escapeToURL(String input, int maxLength) - , URL (. 3). , 'disableScriptSignatures'. urlEncode(String s) – URLEncoder.encode
, .
1 ( )
[CASE1]
Username [CASE1]
2 ( , – URL)
Click here
3 ( - URL)
4 ( SCRIPT', – )
5 ( – declaration )
XSSEncoder.
- XSSEncoder ( : com.sap.security.core.server.csi.XSSEncoder).
:
HTML / XML out = XSSEncoder.encodeHTML( in ) and XSSEncoder.encodeXML( val ); JavaScript out = XSSEncoder.encodeJavaScript( val ); URL out = XSSEncoder.encodeURL( val ); CSS out = XSSEncoder.encodeCSS( val );
, . SAP Security Note 1590008.
WebDynpro Java
WebDynpro Java, XSS. .
SAP UI Development Kit for HTML5
SAP UI Development Kit HTML5, jQuery /_core/src/main/js/jquery.sap.encoder.js.
:
HTML / XML jQuery.sap.encodeHTML(sValue) and jQuery.sap.encodeXML(sValue) JavaScript jQuery.sap.encodeJS(sValue) URL jQuery.sap.encodeURL(sValue) CSS jQuery.sap.encodeCSS(sValue)
:
, :
Global_app_config/session_config/sessionTimeout = 900. - , . SystemCookiesDataProtection = true. HttpOnly , - , , . HTTPOnly, Logon tickets XSS-. ume.logon.httponlycookie= True. Logon tickets , Single Sign-On J2EE Engine. “True” , HTTP document.cookie ( XSS-) . SessionIPProtectionEnabled = True. , IP . True, HTTP- IP. IP, .
, , - XSS-, - -, .
LogCLF = TRUE http.properties logging CEF. ArchiveOldLogFiles = ON. Log Configurator . . , . , . . HttpTrace= Enable. HTTP- , ConfigTool. HTTP Provider Service, , HttpTrace.
SAP HANA XS
, XSS- – SAP HANA.
SAP HANA SAPUI5.
- SAPUI5 , . , int int, sap.ui.core . – , HTML:
, :
sessiontimeout = 900. - , . HttpOnly .
, , - XSS-, - -, .
HTTP (S) , SAP HANA, -. - HTTP (S) , icm/http/logging _ 0: global _ auditing _ state = true. global.ini, . , , XSS-. SAP HANA Administration Console –> Security HDB –> Auditing Status menu.
- , XSS. , , - SAP . XSS- – SAP. SAP XSS-. XSS SAP.
, ( chipik ) .
Logging additional information ABAP protection SAP Encoding Functions for AS ABAP Java protection SAP Encoding Functions for AS Java and JavaScript Prevention of Cross-site Scripting SAP HANA protection Protecting SAP® Applications Based on Java and ABAP™ Against Common Attacks
<%@page language="abap" forceEncode="html"%>
<% data: inputvalue type string.
inputvalue = request->get_form_field( 'x' ).
%>
</html>
. , ( ):
<%html=...%>: HTML <%url=...%>: URL URL <%javascript=...%>: JavaScript <%css=…%> : CSS <%raw=...%> ( , , , )
BSP
BSP HTMLB forceEncode <htmlb:content> ENABLED , ( ). ENABLED , , :<htmlb:content forceEncode="ENABLED|BACKWARDS_COMPATIBLE">
ENABLED: . , ; BACKWARDS_COMPATIBLE: . , .
, htmlb:content , . : CLASSIC, DESIGN2002, DESIGN2003, DESIGN2008, , (+). CLASSIC DESIGN2002 (, ) .
<htmlb:content forceEncode="ENABLED" design="DESIGN2003+DESIGN2008">
, design=CLASSIC. .
Mixed BSP- HTML HTMLB
forceEncode BSP page forceEncode HTMLB . , – HTMLB. , , HTML BSP,
Internet Transaction Server (ITS) HTML Business
Internet Transaction Server (ITS) HTML Business, :
xss_url_escape() xss_html_escape() xss_wml_escape() xss_css_escape() xss_js_escape()
HTML Business
, HTML-: , (`) , :
~auto_html_escaping=1: , ~new_xss_functions=1: XSS.
~html_escaping_off=1/0, .
, , SAP_BASIS:
ITS ( <= 6.40), Internet Service SE80. ITS ( >= 6.40), GUI SICF :
7.20, ~new_xss_functions, XSS- .
, , , . ~html_escaping_off=”X”, . , . SAP Security Note 1488500.
Business HTML (BHTML)
HTMLBusiness Template Library (, SAP_TemplateNonEditableField()) . , . SAP Security Note 916255.
, . , .
, XSS-:
http/security_session_timeout = 900; - , . icf/set_HTTPonly_flag_on_cookies = 0; HttpOnly , - , , . HTTPOnly, Logon tickets XSS-.
, RZ10, ( Profile) (, DEFAULT.PFL, SAP-). , , , Extended maintenance . , Copy.
, , - , - -, :
icm/HTTP/logging_0 icm/security_log ,
SAP NetWeaver J2EE
SAP NetWeaver J2EE
AS Java tc_sec_csi.jar. , HTML/XML, JavaScript, CSS URL. StringUtils (com.sap.security.core.server.csi.util.StringUtils):
. Securing SAP from XSS vulnerabilities
escapeScriptEndTag(String pStr) - , javascript ; escapeToHTML(String input) – (. 1) escapeToJS(String input) – JS declaration ( . 5) escapeToURL(String input) – , URL ( 3). , 'disableScriptSignatures'. escapeToURL(StringBuffer sb, String input, int maxLength) - , URL ( 3). , 'disableScriptSignatures'. escapeToURL(String input, int maxLength) - , URL (. 3). , 'disableScriptSignatures'. urlEncode(String s) – URLEncoder.encode
, .
1 ( )
[CASE1]
Username [CASE1]
2 ( , – URL)
Click here
3 ( - URL)
4 ( SCRIPT', – )
5 ( – declaration )
XSSEncoder.
- XSSEncoder ( : com.sap.security.core.server.csi.XSSEncoder).
:
HTML / XML out = XSSEncoder.encodeHTML( in ) and XSSEncoder.encodeXML( val ); JavaScript out = XSSEncoder.encodeJavaScript( val ); URL out = XSSEncoder.encodeURL( val ); CSS out = XSSEncoder.encodeCSS( val );
, . SAP Security Note 1590008.
WebDynpro Java
WebDynpro Java, XSS. .
SAP UI Development Kit for HTML5
SAP UI Development Kit HTML5, jQuery /_core/src/main/js/jquery.sap.encoder.js.
:
HTML / XML jQuery.sap.encodeHTML(sValue) and jQuery.sap.encodeXML(sValue) JavaScript jQuery.sap.encodeJS(sValue) URL jQuery.sap.encodeURL(sValue) CSS jQuery.sap.encodeCSS(sValue)
:
, :
Global_app_config/session_config/sessionTimeout = 900. - , . SystemCookiesDataProtection = true. HttpOnly , - , , . HTTPOnly, Logon tickets XSS-. ume.logon.httponlycookie= True. Logon tickets , Single Sign-On J2EE Engine. “True” , HTTP document.cookie ( XSS-) . SessionIPProtectionEnabled = True. , IP . True, HTTP- IP. IP, .
, , - XSS-, - -, .
LogCLF = TRUE http.properties logging CEF. ArchiveOldLogFiles = ON. Log Configurator . . , . , . . HttpTrace= Enable. HTTP- , ConfigTool. HTTP Provider Service, , HttpTrace.
SAP HANA XS
, XSS- – SAP HANA.
SAP HANA SAPUI5.
- SAPUI5 , . , int int, sap.ui.core . – , HTML:
, :
sessiontimeout = 900. - , . HttpOnly .
, , - XSS-, - -, .
HTTP (S) , SAP HANA, -. - HTTP (S) , icm/http/logging _ 0: global _ auditing _ state = true. global.ini, . , , XSS-. SAP HANA Administration Console –> Security HDB –> Auditing Status menu.
- , XSS. , , - SAP . XSS- – SAP. SAP XSS-. XSS SAP.
, ( chipik ) .
Logging additional information ABAP protection SAP Encoding Functions for AS ABAP Java protection SAP Encoding Functions for AS Java and JavaScript Prevention of Cross-site Scripting SAP HANA protection Protecting SAP® Applications Based on Java and ABAP™ Against Common Attacks
<%@page language="abap" forceEncode="html"%>
<% data: inputvalue type string.
inputvalue = request->get_form_field( 'x' ).
%>
</html>
. , ( ):
<%html=...%>: HTML <%url=...%>: URL URL <%javascript=...%>: JavaScript <%css=…%> : CSS <%raw=...%> ( , , , )
BSP
BSP HTMLB forceEncode <htmlb:content> ENABLED , ( ). ENABLED , , :<htmlb:content forceEncode="ENABLED|BACKWARDS_COMPATIBLE">
ENABLED: . , ; BACKWARDS_COMPATIBLE: . , .
, htmlb:content , . : CLASSIC, DESIGN2002, DESIGN2003, DESIGN2008, , (+). CLASSIC DESIGN2002 (, ) .
<htmlb:content forceEncode="ENABLED" design="DESIGN2003+DESIGN2008">
, design=CLASSIC. .
Mixed BSP- HTML HTMLB
forceEncode BSP page forceEncode HTMLB . , – HTMLB. , , HTML BSP,
Internet Transaction Server (ITS) HTML Business
Internet Transaction Server (ITS) HTML Business, :
xss_url_escape() xss_html_escape() xss_wml_escape() xss_css_escape() xss_js_escape()
HTML Business
, HTML-: , (`) , :
~auto_html_escaping=1: , ~new_xss_functions=1: XSS.
~html_escaping_off=1/0, .
, , SAP_BASIS:
ITS ( <= 6.40), Internet Service SE80. ITS ( >= 6.40), GUI SICF :
7.20, ~new_xss_functions, XSS- .
, , , . ~html_escaping_off=”X”, . , . SAP Security Note 1488500.
Business HTML (BHTML)
HTMLBusiness Template Library (, SAP_TemplateNonEditableField()) . , . SAP Security Note 916255.
, . , .
, XSS-:
http/security_session_timeout = 900; - , . icf/set_HTTPonly_flag_on_cookies = 0; HttpOnly , - , , . HTTPOnly, Logon tickets XSS-.
, RZ10, ( Profile) (, DEFAULT.PFL, SAP-). , , , Extended maintenance . , Copy.
, , - , - -, :
icm/HTTP/logging_0 icm/security_log ,
SAP NetWeaver J2EE
SAP NetWeaver J2EE
AS Java tc_sec_csi.jar. , HTML/XML, JavaScript, CSS URL. StringUtils (com.sap.security.core.server.csi.util.StringUtils):
. Securing SAP from XSS vulnerabilities
escapeScriptEndTag(String pStr) - , javascript ; escapeToHTML(String input) – (. 1) escapeToJS(String input) – JS declaration ( . 5) escapeToURL(String input) – , URL ( 3). , 'disableScriptSignatures'. escapeToURL(StringBuffer sb, String input, int maxLength) - , URL ( 3). , 'disableScriptSignatures'. escapeToURL(String input, int maxLength) - , URL (. 3). , 'disableScriptSignatures'. urlEncode(String s) – URLEncoder.encode
, .
1 ( )
[CASE1]
Username [CASE1]
2 ( , – URL)
Click here
3 ( - URL)
4 ( SCRIPT', – )
5 ( – declaration )
XSSEncoder.
- XSSEncoder ( : com.sap.security.core.server.csi.XSSEncoder).
:
HTML / XML out = XSSEncoder.encodeHTML( in ) and XSSEncoder.encodeXML( val ); JavaScript out = XSSEncoder.encodeJavaScript( val ); URL out = XSSEncoder.encodeURL( val ); CSS out = XSSEncoder.encodeCSS( val );
, . SAP Security Note 1590008.
WebDynpro Java
WebDynpro Java, XSS. .
SAP UI Development Kit for HTML5
SAP UI Development Kit HTML5, jQuery /_core/src/main/js/jquery.sap.encoder.js.
:
HTML / XML jQuery.sap.encodeHTML(sValue) and jQuery.sap.encodeXML(sValue) JavaScript jQuery.sap.encodeJS(sValue) URL jQuery.sap.encodeURL(sValue) CSS jQuery.sap.encodeCSS(sValue)
:
, :
Global_app_config/session_config/sessionTimeout = 900. - , . SystemCookiesDataProtection = true. HttpOnly , - , , . HTTPOnly, Logon tickets XSS-. ume.logon.httponlycookie= True. Logon tickets , Single Sign-On J2EE Engine. “True” , HTTP document.cookie ( XSS-) . SessionIPProtectionEnabled = True. , IP . True, HTTP- IP. IP, .
, , - XSS-, - -, .
LogCLF = TRUE http.properties logging CEF. ArchiveOldLogFiles = ON. Log Configurator . . , . , . . HttpTrace= Enable. HTTP- , ConfigTool. HTTP Provider Service, , HttpTrace.
SAP HANA XS
, XSS- – SAP HANA.
SAP HANA SAPUI5.
- SAPUI5 , . , int int, sap.ui.core . – , HTML:
, :
sessiontimeout = 900. - , . HttpOnly .
, , - XSS-, - -, .
HTTP (S) , SAP HANA, -. - HTTP (S) , icm/http/logging _ 0: global _ auditing _ state = true. global.ini, . , , XSS-. SAP HANA Administration Console –> Security HDB –> Auditing Status menu.
- , XSS. , , - SAP . XSS- – SAP. SAP XSS-. XSS SAP.
, ( chipik ) .
Logging additional information ABAP protection SAP Encoding Functions for AS ABAP Java protection SAP Encoding Functions for AS Java and JavaScript Prevention of Cross-site Scripting SAP HANA protection Protecting SAP® Applications Based on Java and ABAP™ Against Common Attacks
<%@page language="abap" forceEncode="html"%>
<% data: inputvalue type string.
inputvalue = request->get_form_field( 'x' ).
%>
</html>
. , ( ):
<%html=...%>: HTML <%url=...%>: URL URL <%javascript=...%>: JavaScript <%css=…%> : CSS <%raw=...%> ( , , , )
BSP
BSP HTMLB forceEncode <htmlb:content> ENABLED , ( ). ENABLED , , :<htmlb:content forceEncode="ENABLED|BACKWARDS_COMPATIBLE">
ENABLED: . , ; BACKWARDS_COMPATIBLE: . , .
, htmlb:content , . : CLASSIC, DESIGN2002, DESIGN2003, DESIGN2008, , (+). CLASSIC DESIGN2002 (, ) .
<htmlb:content forceEncode="ENABLED" design="DESIGN2003+DESIGN2008">
, design=CLASSIC. .
Mixed BSP- HTML HTMLB
forceEncode BSP page forceEncode HTMLB . , – HTMLB. , , HTML BSP,
Internet Transaction Server (ITS) HTML Business
Internet Transaction Server (ITS) HTML Business, :
xss_url_escape() xss_html_escape() xss_wml_escape() xss_css_escape() xss_js_escape()
HTML Business
, HTML-: , (`) , :
~auto_html_escaping=1: , ~new_xss_functions=1: XSS.
~html_escaping_off=1/0, .
, , SAP_BASIS:
ITS ( <= 6.40), Internet Service SE80. ITS ( >= 6.40), GUI SICF :
7.20, ~new_xss_functions, XSS- .
, , , . ~html_escaping_off=”X”, . , . SAP Security Note 1488500.
Business HTML (BHTML)
HTMLBusiness Template Library (, SAP_TemplateNonEditableField()) . , . SAP Security Note 916255.
, . , .
, XSS-:
http/security_session_timeout = 900; - , . icf/set_HTTPonly_flag_on_cookies = 0; HttpOnly , - , , . HTTPOnly, Logon tickets XSS-.
, RZ10, ( Profile) (, DEFAULT.PFL, SAP-). , , , Extended maintenance . , Copy.
, , - , - -, :
icm/HTTP/logging_0 icm/security_log ,
SAP NetWeaver J2EE
SAP NetWeaver J2EE
AS Java tc_sec_csi.jar. , HTML/XML, JavaScript, CSS URL. StringUtils (com.sap.security.core.server.csi.util.StringUtils):
. Securing SAP from XSS vulnerabilities
escapeScriptEndTag(String pStr) - , javascript ; escapeToHTML(String input) – (. 1) escapeToJS(String input) – JS declaration ( . 5) escapeToURL(String input) – , URL ( 3). , 'disableScriptSignatures'. escapeToURL(StringBuffer sb, String input, int maxLength) - , URL ( 3). , 'disableScriptSignatures'. escapeToURL(String input, int maxLength) - , URL (. 3). , 'disableScriptSignatures'. urlEncode(String s) – URLEncoder.encode
, .
1 ( )
[CASE1]
Username [CASE1]
2 ( , – URL)
Click here
3 ( - URL)
4 ( SCRIPT', – )
5 ( – declaration )
XSSEncoder.
- XSSEncoder ( : com.sap.security.core.server.csi.XSSEncoder).
:
HTML / XML out = XSSEncoder.encodeHTML( in ) and XSSEncoder.encodeXML( val ); JavaScript out = XSSEncoder.encodeJavaScript( val ); URL out = XSSEncoder.encodeURL( val ); CSS out = XSSEncoder.encodeCSS( val );
, . SAP Security Note 1590008.
WebDynpro Java
WebDynpro Java, XSS. .
SAP UI Development Kit for HTML5
SAP UI Development Kit HTML5, jQuery /_core/src/main/js/jquery.sap.encoder.js.
:
HTML / XML jQuery.sap.encodeHTML(sValue) and jQuery.sap.encodeXML(sValue) JavaScript jQuery.sap.encodeJS(sValue) URL jQuery.sap.encodeURL(sValue) CSS jQuery.sap.encodeCSS(sValue)
:
, :
Global_app_config/session_config/sessionTimeout = 900. - , . SystemCookiesDataProtection = true. HttpOnly , - , , . HTTPOnly, Logon tickets XSS-. ume.logon.httponlycookie= True. Logon tickets , Single Sign-On J2EE Engine. “True” , HTTP document.cookie ( XSS-) . SessionIPProtectionEnabled = True. , IP . True, HTTP- IP. IP, .
, , - XSS-, - -, .
LogCLF = TRUE http.properties logging CEF. ArchiveOldLogFiles = ON. Log Configurator . . , . , . . HttpTrace= Enable. HTTP- , ConfigTool. HTTP Provider Service, , HttpTrace.
SAP HANA XS
, XSS- – SAP HANA.
SAP HANA SAPUI5.
- SAPUI5 , . , int int, sap.ui.core . – , HTML:
, :
sessiontimeout = 900. - , . HttpOnly .
, , - XSS-, - -, .
HTTP (S) , SAP HANA, -. - HTTP (S) , icm/http/logging _ 0: global _ auditing _ state = true. global.ini, . , , XSS-. SAP HANA Administration Console –> Security HDB –> Auditing Status menu.
- , XSS. , , - SAP . XSS- – SAP. SAP XSS-. XSS SAP.
, ( chipik ) .
Logging additional information ABAP protection SAP Encoding Functions for AS ABAP Java protection SAP Encoding Functions for AS Java and JavaScript Prevention of Cross-site Scripting SAP HANA protection Protecting SAP® Applications Based on Java and ABAP™ Against Common Attacks
<%@page language="abap" forceEncode="html"%>
<% data: inputvalue type string.
inputvalue = request->get_form_field( 'x' ).
%>
</html>
. , ( ):
<%html=...%>: HTML <%url=...%>: URL URL <%javascript=...%>: JavaScript <%css=…%> : CSS <%raw=...%> ( , , , )
BSP
BSP HTMLB forceEncode <htmlb:content> ENABLED , ( ). ENABLED , , :<htmlb:content forceEncode="ENABLED|BACKWARDS_COMPATIBLE">
ENABLED: . , ; BACKWARDS_COMPATIBLE: . , .
, htmlb:content , . : CLASSIC, DESIGN2002, DESIGN2003, DESIGN2008, , (+). CLASSIC DESIGN2002 (, ) .
<htmlb:content forceEncode="ENABLED" design="DESIGN2003+DESIGN2008">
, design=CLASSIC. .
Mixed BSP- HTML HTMLB
forceEncode BSP page forceEncode HTMLB . , – HTMLB. , , HTML BSP,
Internet Transaction Server (ITS) HTML Business
Internet Transaction Server (ITS) HTML Business, :
xss_url_escape() xss_html_escape() xss_wml_escape() xss_css_escape() xss_js_escape()
HTML Business
, HTML-: , (`) , :
~auto_html_escaping=1: , ~new_xss_functions=1: XSS.
~html_escaping_off=1/0, .
, , SAP_BASIS:
ITS ( <= 6.40), Internet Service SE80. ITS ( >= 6.40), GUI SICF :
7.20, ~new_xss_functions, XSS- .
, , , . ~html_escaping_off=”X”, . , . SAP Security Note 1488500.
Business HTML (BHTML)
HTMLBusiness Template Library (, SAP_TemplateNonEditableField()) . , . SAP Security Note 916255.
, . , .
, XSS-:
http/security_session_timeout = 900; - , . icf/set_HTTPonly_flag_on_cookies = 0; HttpOnly , - , , . HTTPOnly, Logon tickets XSS-.
, RZ10, ( Profile) (, DEFAULT.PFL, SAP-). , , , Extended maintenance . , Copy.
, , - , - -, :
icm/HTTP/logging_0 icm/security_log ,
SAP NetWeaver J2EE
SAP NetWeaver J2EE
AS Java tc_sec_csi.jar. , HTML/XML, JavaScript, CSS URL. StringUtils (com.sap.security.core.server.csi.util.StringUtils):
. Securing SAP from XSS vulnerabilities
escapeScriptEndTag(String pStr) - , javascript ; escapeToHTML(String input) – (. 1) escapeToJS(String input) – JS declaration ( . 5) escapeToURL(String input) – , URL ( 3). , 'disableScriptSignatures'. escapeToURL(StringBuffer sb, String input, int maxLength) - , URL ( 3). , 'disableScriptSignatures'. escapeToURL(String input, int maxLength) - , URL (. 3). , 'disableScriptSignatures'. urlEncode(String s) – URLEncoder.encode
, .
1 ( )
[CASE1]
Username [CASE1]
2 ( , – URL)
Click here
3 ( - URL)
4 ( SCRIPT', – )
5 ( – declaration )
XSSEncoder.
- XSSEncoder ( : com.sap.security.core.server.csi.XSSEncoder).
:
HTML / XML out = XSSEncoder.encodeHTML( in ) and XSSEncoder.encodeXML( val ); JavaScript out = XSSEncoder.encodeJavaScript( val ); URL out = XSSEncoder.encodeURL( val ); CSS out = XSSEncoder.encodeCSS( val );
, . SAP Security Note 1590008.
WebDynpro Java
WebDynpro Java, XSS. .
SAP UI Development Kit for HTML5
SAP UI Development Kit HTML5, jQuery /_core/src/main/js/jquery.sap.encoder.js.
:
HTML / XML jQuery.sap.encodeHTML(sValue) and jQuery.sap.encodeXML(sValue) JavaScript jQuery.sap.encodeJS(sValue) URL jQuery.sap.encodeURL(sValue) CSS jQuery.sap.encodeCSS(sValue)
:
, :
Global_app_config/session_config/sessionTimeout = 900. - , . SystemCookiesDataProtection = true. HttpOnly , - , , . HTTPOnly, Logon tickets XSS-. ume.logon.httponlycookie= True. Logon tickets , Single Sign-On J2EE Engine. “True” , HTTP document.cookie ( XSS-) . SessionIPProtectionEnabled = True. , IP . True, HTTP- IP. IP, .
, , - XSS-, - -, .
LogCLF = TRUE http.properties logging CEF. ArchiveOldLogFiles = ON. Log Configurator . . , . , . . HttpTrace= Enable. HTTP- , ConfigTool. HTTP Provider Service, , HttpTrace.
SAP HANA XS
, XSS- – SAP HANA.
SAP HANA SAPUI5.
- SAPUI5 , . , int int, sap.ui.core . – , HTML:
, :
sessiontimeout = 900. - , . HttpOnly .
, , - XSS-, - -, .
HTTP (S) , SAP HANA, -. - HTTP (S) , icm/http/logging _ 0: global _ auditing _ state = true. global.ini, . , , XSS-. SAP HANA Administration Console –> Security HDB –> Auditing Status menu.
- , XSS. , , - SAP . XSS- – SAP. SAP XSS-. XSS SAP.
, ( chipik ) .
Logging additional information ABAP protection SAP Encoding Functions for AS ABAP Java protection SAP Encoding Functions for AS Java and JavaScript Prevention of Cross-site Scripting SAP HANA protection Protecting SAP® Applications Based on Java and ABAP™ Against Common Attacks
Source: https://habr.com/ru/post/275719/