All you wanted to know about protection from XSS in SAP

Introduction

We haven’t published anything about SAP for a long time, and today we’ll look at a vulnerability that affects any SAP solution from the old R / 3 to the new-fangled HANA. The name of this vulnerability is cross-site scripting (XSS). This article, contrary to our usual narrative about the search and exploitation of vulnerabilities, will be largely devoted to protection from this vulnerability.

Crossite scripting is one of the most common vulnerabilities in general, and in SAP products in particular. Thus, over 12 years, 628 XSS vulnerabilities were discovered in SAP, which makes up 22% of all vulnerabilities in SAP. Only ERPScan researchers found 52 XSS vulnerabilities in SAP, and this was because more time was spent writing Advisory and bureaucratic issues than direct search for vulnerabilities. More detailed information on all vulnerabilities can be studied in our study " Analysis of 3000 vulnerabilities in SAP ", and we come to the main part.

')

Ten most common vulnerabilities in SAP products

Attack description

The danger of cross-site scripting is that this vulnerability allows an attacker to execute arbitrary JavaScript code within a user session. This code can help get access to cookies, session tokens, and other critical information stored by the browser. An attacker can gain access to a user session and get important business information, and in the worst case, gain complete control over the system. With the help of XSS, you can also illegally replace the data displayed on the site, and conduct a phishing attack, etc. and etc. I think you already know about XSS enough, but you cannot do without an introductory one.
XSS is usually possible in the following cases:

The server does not escape special characters entered by the user - '"& <>;
The server allows you to send dangerous parameters as a value, which in turn allows you to execute JavaScript code from other sources.

Traditionally, the following types of cross-site scripting are distinguished:

Stored crossite scripting

In this type of malicious code should be stored on the server. For example, an attacker can embed a code by changing the name of an object on the server (for example, the name of a file in the workflow system). If the attack is successful, then when a legitimate user requests information about the file list, his browser will launch malicious code downloaded by the attacker.

Once, a long time ago, we conducted a similar attack during one of the work on SAP security analysis. In this organization, SAP SRM was used for bidding, so each supplier could post their documentation with information about services and pricing. The system was vulnerable to stored cross-site scripting, so we were able to inject JavaScript code in the file name field. When an employee from a purchasing department opened a folder with a list of files to see recently uploaded documents, the malicious code automatically started and the attacker got access to the employee’s account. Using this account, he could get access to the tender documentation of competitors and get information about their services and prices, which allowed them to win the bid by adjusting their prices. The vulnerability has been closed by SAP (SAP Security Note 1284360).

Another example of stored cross-site scripting in SAP is the acclaimed XSS vulnerability in the SAP Afaria system with a very interesting way of exploitation. Vulnerability such as stored cross-site scripting is extremely dangerous and easy to operate, but is much less common than the reflected cross-site scripting, which is described below.

Mirrored Crossite Scripting

This type of vulnerability is more common. In this case, the malicious code is not stored on the server, but is executed by the user at the moment when he opens a link of the following form:

example.com/search.php?q=

To exploit the vulnerability, you need to send a link to the user. This type of XSS is less powerful because it requires user interaction, but more popular than stored cross-site scripting, and there are hundreds of such vulnerabilities.

As an example of a critically dangerous attack, you can embed JavaScript code and not only steal user session information stored in a cookie, but also exploit the ActiveX component installed on the victim’s computer. Thus, it will be possible to get full access to his computer through one of the vulnerabilities in ActiveX. As a result, you will get access to the corporate intranet and will be one step closer to the SAP server with all corporate data.

DOM-XSS

In this case, the attacker changes the DOM (Document Object Model) environment of the browser page so that one of the scripts on the page executes malicious JavaScript code.

Consider this type in more detail using the example of a closed SAP Security Note 1788080 vulnerability. The bug exists because user input in the JSP script 'error_msg.jsp' is not filtered, which allows an attacker to embed JavaScript code into the page.

An example of a page that is vulnerable to cross-site scripting

As we can see, an attacker can use the 'id' variable in order to inject code (line 15), because the value of the 'id' variable will be displayed to the user without changes (line 28).
The exploit for this vulnerability is the following query:

example1234567.com/dir/start/error_msg.jsp?id=1111 ">

General protective measures

To avoid such vulnerabilities, you should always screen / filter user input. In our DOM XSS example, the variable 'ID' must be re-stored in the 'URLEncoder.encode ()' method, because its value is used as an HTTP request parameter.

Actions required to close a vulnerability

As a result, let's present some more tips on how to prevent the possibility of cross-site scripting at the development stage:

Never enter data from unverified sources (including any user input) into an HTML page;
screen HTML snippets from unreliable sources before pasting them into HTML Element Content;
escape HTML attributes from unreliable sources before pasting them into HTML Element Content;
escape JavaScript code from unreliable sources before inserting JavaScript Data Values;
screen JSON from unreliable sources before embedding it in HTML Element Content or using it in JSON.parse;
Shield CSS snippets from unreliable sources before pasting them into HTML Style Property Values;
screen URLs from unreliable sources before inserting them into the HTML URL Parameter Values;
protect the system against the DOM XSS.

Also in browsers there are several mechanisms that can significantly reduce the risk of XSS attacks:

Use the 'HTTPOnly' flag for cookies - this security measure will prevent users from obtaining session data from cookies through JavaScript;
set content security policy - this security measure will prohibit the use of javascript inside the domain;
HTTPS Cookies Protection - Protect cookies when using the HTTPS protocol.

Now let's take a closer look at how to protect various SAP platforms from XSS attacks from the developer, administrator, and incident investigation specialist.

SAP NetWeaver ABAP Security

From a developer’s point of view

For all Web applications where parameter entry is allowed, the encoding methods provided by the ICF handler should be used. The implementation is available as an API in two versions:

Built-in function in ABAP ESCAPE (available in SAP_BASIS> = 731);
Deployment class in CL_ABAP_DYN_PRG.

In SAP NetWeaver version 7.0 enhancement package 3 and above (SAP_BASIS> = 731), use the ABAP built-in ESCAPE () function. More information is available in the ABAP keyword documentation for the ESCAPE () function.

HTML / XML	out = escape (val = val format = cl_abap_format => e_xss_ml)
Javascript	out = escape (val = val format = cl_abap_format => e_xss_js)
URL	out = escape (val = val format = cl_abap_format => e_xss_url)
CSS	out = escape (val = val format = cl_abap_format => e_xss_css)

For versions SAP_BASIS 702, 720 and below, there is an implementation of ABAP OO in the class CL_ABAP_DYN_PRG.

Context	Method
HTML / XML	out = CL_ABAP_DYN_PRG => ESCAPE_XSS_XML_HTML (val)
Javascript	out = CL_ABAP_DYN_PRG => ESCAPE_XSS_JAVASCRIPT (val)
URL	out = CL_ABAP_DYN_PRG => ESCAPE_XSS_URL (val)
CSS	out = CL_ABAP_DYN_PRG => ESCAPE_XSS_CSS (val)

Detailed information about these extensions in SAP Security Note 1582870. Now consider the features of protection against XSS with specific SAP-technologies.

For WebDynpro ABAP

For WebDynpro, ABAP does not need to worry about cross-site scripting. Security is provided by the platform itself.

For Business Server Pages (BSP)

For BSP, page directives should be used. For more information, refer to SAP Security Note 1600317 and SAP Security Note 1638779. The advantage of these BSP page attributes is that the BSP architecture ensures that the safest version of encoding is used.

For BSP, use page directives: <% page language = "abap" forceEncode = "html | url | javascript | css"%>
After installing SAP Security Note 1600317, the existing page directives also use the updated BSP compiler, which supports HTML encoding of all the expressions entered on the page.

In the following example, all input expressions use HTML encoding. It affects only printed expressions on BSP pages and does nothing with the tag parameters.

For example:

<%@page language="abap" forceEncode="html"%>
<% data: inputvalue type string.
inputvalue = request->get_form_field( 'x' ).
%>
</html>


. , ( ):

<%html=...%>: HTML <%url=...%>: URL URL <%javascript=...%>: JavaScript <%css=…%> : CSS <%raw=...%> ( , , , )

BSP

BSP HTMLB forceEncode <htmlb:content> ENABLED , ( ). ENABLED , , :<htmlb:content forceEncode="ENABLED|BACKWARDS_COMPATIBLE">

ENABLED: . , ; BACKWARDS_COMPATIBLE: . , .

, htmlb:content , . : CLASSIC, DESIGN2002, DESIGN2003, DESIGN2008, , (+). CLASSIC DESIGN2002 (, ) .

<htmlb:content forceEncode="ENABLED" design="DESIGN2003+DESIGN2008">


, design=CLASSIC. .

Mixed BSP- HTML HTMLB

forceEncode BSP page forceEncode HTMLB . , – HTMLB. , , HTML BSP,

Internet Transaction Server (ITS) HTML Business

Internet Transaction Server (ITS) HTML Business, :

xss_url_escape() xss_html_escape() xss_wml_escape() xss_css_escape() xss_js_escape()
HTML Business

, HTML-: , (`) , :
~auto_html_escaping=1: , ~new_xss_functions=1: XSS.
~html_escaping_off=1/0, .
, , SAP_BASIS:
ITS ( <= 6.40), Internet Service SE80. ITS ( >= 6.40), GUI SICF :

7.20, ~new_xss_functions, XSS- .

, , , . ~html_escaping_off=”X”, . , . SAP Security Note 1488500.

Business HTML (BHTML)

HTMLBusiness Template Library (, SAP_TemplateNonEditableField()) . , . SAP Security Note 916255.



, . , .



, XSS-:

http/security_session_timeout = 900; - , . icf/set_HTTPonly_flag_on_cookies = 0; HttpOnly , - , , . HTTPOnly, Logon tickets XSS-.

, RZ10, ( Profile) (, DEFAULT.PFL, SAP-). , , , Extended maintenance . , Copy.



, , - , - -, :
icm/HTTP/logging_0 icm/security_log ,

SAP NetWeaver J2EE

SAP NetWeaver J2EE



AS Java tc_sec_csi.jar. , HTML/XML, JavaScript, CSS URL. StringUtils (com.sap.security.core.server.csi.util.StringUtils):

. Securing SAP from XSS vulnerabilities
escapeScriptEndTag(String pStr) - , javascript ; escapeToHTML(String input) – (. 1) escapeToJS(String input) – JS declaration ( . 5) escapeToURL(String input) – , URL ( 3). , 'disableScriptSignatures'. escapeToURL(StringBuffer sb, String input, int maxLength) - , URL ( 3). , 'disableScriptSignatures'. escapeToURL(String input, int maxLength) - , URL (. 3). , 'disableScriptSignatures'. urlEncode(String s) – URLEncoder.encode

, .

1 ( )

[CASE1]

Username [CASE1]



2 ( , – URL)


Click here


3 ( - URL)




4 ( SCRIPT', – )



5 ( – declaration )



XSSEncoder.
- XSSEncoder ( : com.sap.security.core.server.csi.XSSEncoder).

:
HTML / XML out = XSSEncoder.encodeHTML( in ) and XSSEncoder.encodeXML( val ); JavaScript out = XSSEncoder.encodeJavaScript( val ); URL out = XSSEncoder.encodeURL( val ); CSS out = XSSEncoder.encodeCSS( val );

, . SAP Security Note 1590008.
WebDynpro Java
WebDynpro Java, XSS. .
SAP UI Development Kit for HTML5
SAP UI Development Kit HTML5, jQuery /_core/src/main/js/jquery.sap.encoder.js.
:
HTML / XML jQuery.sap.encodeHTML(sValue) and jQuery.sap.encodeXML(sValue) JavaScript jQuery.sap.encodeJS(sValue) URL jQuery.sap.encodeURL(sValue) CSS jQuery.sap.encodeCSS(sValue)
:

, :
Global_app_config/session_config/sessionTimeout = 900. - , . SystemCookiesDataProtection = true. HttpOnly , - , , . HTTPOnly, Logon tickets XSS-. ume.logon.httponlycookie= True. Logon tickets , Single Sign-On J2EE Engine. “True” , HTTP document.cookie ( XSS-) . SessionIPProtectionEnabled = True. , IP . True, HTTP- IP. IP, .


, , - XSS-, - -, .
LogCLF = TRUE http.properties logging CEF. ArchiveOldLogFiles = ON. Log Configurator . . , . , . . HttpTrace= Enable. HTTP- , ConfigTool. HTTP Provider Service, , HttpTrace.
SAP HANA XS

, XSS- – SAP HANA.


SAP HANA SAPUI5.
- SAPUI5 , . , int int, sap.ui.core . – , HTML:

, :
sessiontimeout = 900. - , . HttpOnly .



, , - XSS-, - -, .

HTTP (S) , SAP HANA, -. - HTTP (S) , icm/http/logging _ 0: global _ auditing _ state = true. global.ini, . , , XSS-. SAP HANA Administration Console –> Security HDB –> Auditing Status menu.



- , XSS. , , - SAP . XSS- – SAP. SAP XSS-. XSS SAP.

, ( chipik ) .


Logging additional information ABAP protection SAP Encoding Functions for AS ABAP Java protection SAP Encoding Functions for AS Java and JavaScript Prevention of Cross-site Scripting SAP HANA protection Protecting SAP® Applications Based on Java and ABAP™ Against Common Attacks

<%@page language="abap" forceEncode="html"%> <% data: inputvalue type string. inputvalue = request->get_form_field( 'x' ). %> </html> . , ( ): <%html=...%>: HTML <%url=...%>: URL URL <%javascript=...%>: JavaScript <%css=…%> : CSS <%raw=...%> ( , , , ) BSP BSP HTMLB forceEncode <htmlb:content> ENABLED , ( ). ENABLED , , :<htmlb:content forceEncode="ENABLED|BACKWARDS_COMPATIBLE"> ENABLED: . , ; BACKWARDS_COMPATIBLE: . , . , htmlb:content , . : CLASSIC, DESIGN2002, DESIGN2003, DESIGN2008, , (+). CLASSIC DESIGN2002 (, ) . <htmlb:content forceEncode="ENABLED" design="DESIGN2003+DESIGN2008"> , design=CLASSIC. . Mixed BSP- HTML HTMLB forceEncode BSP page forceEncode HTMLB . , – HTMLB. , , HTML BSP, Internet Transaction Server (ITS) HTML Business Internet Transaction Server (ITS) HTML Business, : xss_url_escape() xss_html_escape() xss_wml_escape() xss_css_escape() xss_js_escape() HTML Business , HTML-: , (`) , : ~auto_html_escaping=1: , ~new_xss_functions=1: XSS. ~html_escaping_off=1/0, . , , SAP_BASIS: ITS ( <= 6.40), Internet Service SE80. ITS ( >= 6.40), GUI SICF : 7.20, ~new_xss_functions, XSS- . , , , . ~html_escaping_off=”X”, . , . SAP Security Note 1488500. Business HTML (BHTML) HTMLBusiness Template Library (, SAP_TemplateNonEditableField()) . , . SAP Security Note 916255. , . , . , XSS-: http/security_session_timeout = 900; - , . icf/set_HTTPonly_flag_on_cookies = 0; HttpOnly , - , , . HTTPOnly, Logon tickets XSS-. , RZ10, ( Profile) (, DEFAULT.PFL, SAP-). , , , Extended maintenance . , Copy. , , - , - -, : icm/HTTP/logging_0 icm/security_log , SAP NetWeaver J2EE SAP NetWeaver J2EE AS Java tc_sec_csi.jar. , HTML/XML, JavaScript, CSS URL. StringUtils (com.sap.security.core.server.csi.util.StringUtils): . Securing SAP from XSS vulnerabilities escapeScriptEndTag(String pStr) - , javascript ; escapeToHTML(String input) – (. 1) escapeToJS(String input) – JS declaration ( . 5) escapeToURL(String input) – , URL ( 3). , 'disableScriptSignatures'. escapeToURL(StringBuffer sb, String input, int maxLength) - , URL ( 3). , 'disableScriptSignatures'. escapeToURL(String input, int maxLength) - , URL (. 3). , 'disableScriptSignatures'. urlEncode(String s) – URLEncoder.encode , . 1 ( ) [CASE1] Username [CASE1] 2 ( , – URL) Click here 3 ( - URL) 4 ( SCRIPT', – ) 5 ( – declaration ) XSSEncoder. - XSSEncoder ( : com.sap.security.core.server.csi.XSSEncoder). : HTML / XML out = XSSEncoder.encodeHTML( in ) and XSSEncoder.encodeXML( val ); JavaScript out = XSSEncoder.encodeJavaScript( val ); URL out = XSSEncoder.encodeURL( val ); CSS out = XSSEncoder.encodeCSS( val ); , . SAP Security Note 1590008. WebDynpro Java WebDynpro Java, XSS. . SAP UI Development Kit for HTML5 SAP UI Development Kit HTML5, jQuery /_core/src/main/js/jquery.sap.encoder.js. : HTML / XML jQuery.sap.encodeHTML(sValue) and jQuery.sap.encodeXML(sValue) JavaScript jQuery.sap.encodeJS(sValue) URL jQuery.sap.encodeURL(sValue) CSS jQuery.sap.encodeCSS(sValue) : , : Global_app_config/session_config/sessionTimeout = 900. - , . SystemCookiesDataProtection = true. HttpOnly , - , , . HTTPOnly, Logon tickets XSS-. ume.logon.httponlycookie= True. Logon tickets , Single Sign-On J2EE Engine. “True” , HTTP document.cookie ( XSS-) . SessionIPProtectionEnabled = True. , IP . True, HTTP- IP. IP, . , , - XSS-, - -, . LogCLF = TRUE http.properties logging CEF. ArchiveOldLogFiles = ON. Log Configurator . . , . , . . HttpTrace= Enable. HTTP- , ConfigTool. HTTP Provider Service, , HttpTrace. SAP HANA XS , XSS- – SAP HANA. SAP HANA SAPUI5. - SAPUI5 , . , int int, sap.ui.core . – , HTML: , : sessiontimeout = 900. - , . HttpOnly . , , - XSS-, - -, . HTTP (S) , SAP HANA, -. - HTTP (S) , icm/http/logging _ 0: global _ auditing _ state = true. global.ini, . , , XSS-. SAP HANA Administration Console –> Security HDB –> Auditing Status menu. - , XSS. , , - SAP . XSS- – SAP. SAP XSS-. XSS SAP. , ( chipik ) . Logging additional information ABAP protection SAP Encoding Functions for AS ABAP Java protection SAP Encoding Functions for AS Java and JavaScript Prevention of Cross-site Scripting SAP HANA protection Protecting SAP® Applications Based on Java and ABAP™ Against Common Attacks
<%@page language="abap" forceEncode="html"%> <% data: inputvalue type string. inputvalue = request->get_form_field( 'x' ). %> </html> . , ( ): <%html=...%>: HTML <%url=...%>: URL URL <%javascript=...%>: JavaScript <%css=…%> : CSS <%raw=...%> ( , , , ) BSP BSP HTMLB forceEncode <htmlb:content> ENABLED , ( ). ENABLED , , :<htmlb:content forceEncode="ENABLED|BACKWARDS_COMPATIBLE"> ENABLED: . , ; BACKWARDS_COMPATIBLE: . , . , htmlb:content , . : CLASSIC, DESIGN2002, DESIGN2003, DESIGN2008, , (+). CLASSIC DESIGN2002 (, ) . <htmlb:content forceEncode="ENABLED" design="DESIGN2003+DESIGN2008"> , design=CLASSIC. . Mixed BSP- HTML HTMLB forceEncode BSP page forceEncode HTMLB . , – HTMLB. , , HTML BSP, Internet Transaction Server (ITS) HTML Business Internet Transaction Server (ITS) HTML Business, : xss_url_escape() xss_html_escape() xss_wml_escape() xss_css_escape() xss_js_escape() HTML Business , HTML-: , (`) , : ~auto_html_escaping=1: , ~new_xss_functions=1: XSS. ~html_escaping_off=1/0, . , , SAP_BASIS: ITS ( <= 6.40), Internet Service SE80. ITS ( >= 6.40), GUI SICF : 7.20, ~new_xss_functions, XSS- . , , , . ~html_escaping_off=”X”, . , . SAP Security Note 1488500. Business HTML (BHTML) HTMLBusiness Template Library (, SAP_TemplateNonEditableField()) . , . SAP Security Note 916255. , . , . , XSS-: http/security_session_timeout = 900; - , . icf/set_HTTPonly_flag_on_cookies = 0; HttpOnly , - , , . HTTPOnly, Logon tickets XSS-. , RZ10, ( Profile) (, DEFAULT.PFL, SAP-). , , , Extended maintenance . , Copy. , , - , - -, : icm/HTTP/logging_0 icm/security_log , SAP NetWeaver J2EE SAP NetWeaver J2EE AS Java tc_sec_csi.jar. , HTML/XML, JavaScript, CSS URL. StringUtils (com.sap.security.core.server.csi.util.StringUtils): . Securing SAP from XSS vulnerabilities escapeScriptEndTag(String pStr) - , javascript ; escapeToHTML(String input) – (. 1) escapeToJS(String input) – JS declaration ( . 5) escapeToURL(String input) – , URL ( 3). , 'disableScriptSignatures'. escapeToURL(StringBuffer sb, String input, int maxLength) - , URL ( 3). , 'disableScriptSignatures'. escapeToURL(String input, int maxLength) - , URL (. 3). , 'disableScriptSignatures'. urlEncode(String s) – URLEncoder.encode , . 1 ( ) [CASE1] Username [CASE1] 2 ( , – URL) Click here 3 ( - URL) 4 ( SCRIPT', – ) 5 ( – declaration ) XSSEncoder. - XSSEncoder ( : com.sap.security.core.server.csi.XSSEncoder). : HTML / XML out = XSSEncoder.encodeHTML( in ) and XSSEncoder.encodeXML( val ); JavaScript out = XSSEncoder.encodeJavaScript( val ); URL out = XSSEncoder.encodeURL( val ); CSS out = XSSEncoder.encodeCSS( val ); , . SAP Security Note 1590008. WebDynpro Java WebDynpro Java, XSS. . SAP UI Development Kit for HTML5 SAP UI Development Kit HTML5, jQuery /_core/src/main/js/jquery.sap.encoder.js. : HTML / XML jQuery.sap.encodeHTML(sValue) and jQuery.sap.encodeXML(sValue) JavaScript jQuery.sap.encodeJS(sValue) URL jQuery.sap.encodeURL(sValue) CSS jQuery.sap.encodeCSS(sValue) : , : Global_app_config/session_config/sessionTimeout = 900. - , . SystemCookiesDataProtection = true. HttpOnly , - , , . HTTPOnly, Logon tickets XSS-. ume.logon.httponlycookie= True. Logon tickets , Single Sign-On J2EE Engine. “True” , HTTP document.cookie ( XSS-) . SessionIPProtectionEnabled = True. , IP . True, HTTP- IP. IP, . , , - XSS-, - -, . LogCLF = TRUE http.properties logging CEF. ArchiveOldLogFiles = ON. Log Configurator . . , . , . . HttpTrace= Enable. HTTP- , ConfigTool. HTTP Provider Service, , HttpTrace. SAP HANA XS , XSS- – SAP HANA. SAP HANA SAPUI5. - SAPUI5 , . , int int, sap.ui.core . – , HTML: , : sessiontimeout = 900. - , . HttpOnly . , , - XSS-, - -, . HTTP (S) , SAP HANA, -. - HTTP (S) , icm/http/logging _ 0: global _ auditing _ state = true. global.ini, . , , XSS-. SAP HANA Administration Console –> Security HDB –> Auditing Status menu. - , XSS. , , - SAP . XSS- – SAP. SAP XSS-. XSS SAP. , ( chipik ) . Logging additional information ABAP protection SAP Encoding Functions for AS ABAP Java protection SAP Encoding Functions for AS Java and JavaScript Prevention of Cross-site Scripting SAP HANA protection Protecting SAP® Applications Based on Java and ABAP™ Against Common Attacks
<%@page language="abap" forceEncode="html"%> <% data: inputvalue type string. inputvalue = request->get_form_field( 'x' ). %> </html> . , ( ): <%html=...%>: HTML <%url=...%>: URL URL <%javascript=...%>: JavaScript <%css=…%> : CSS <%raw=...%> ( , , , ) BSP BSP HTMLB forceEncode <htmlb:content> ENABLED , ( ). ENABLED , , :<htmlb:content forceEncode="ENABLED|BACKWARDS_COMPATIBLE"> ENABLED: . , ; BACKWARDS_COMPATIBLE: . , . , htmlb:content , . : CLASSIC, DESIGN2002, DESIGN2003, DESIGN2008, , (+). CLASSIC DESIGN2002 (, ) . <htmlb:content forceEncode="ENABLED" design="DESIGN2003+DESIGN2008"> , design=CLASSIC. . Mixed BSP- HTML HTMLB forceEncode BSP page forceEncode HTMLB . , – HTMLB. , , HTML BSP, Internet Transaction Server (ITS) HTML Business Internet Transaction Server (ITS) HTML Business, : xss_url_escape() xss_html_escape() xss_wml_escape() xss_css_escape() xss_js_escape() HTML Business , HTML-: , (`) , : ~auto_html_escaping=1: , ~new_xss_functions=1: XSS. ~html_escaping_off=1/0, . , , SAP_BASIS: ITS ( <= 6.40), Internet Service SE80. ITS ( >= 6.40), GUI SICF : 7.20, ~new_xss_functions, XSS- . , , , . ~html_escaping_off=”X”, . , . SAP Security Note 1488500. Business HTML (BHTML) HTMLBusiness Template Library (, SAP_TemplateNonEditableField()) . , . SAP Security Note 916255. , . , . , XSS-: http/security_session_timeout = 900; - , . icf/set_HTTPonly_flag_on_cookies = 0; HttpOnly , - , , . HTTPOnly, Logon tickets XSS-. , RZ10, ( Profile) (, DEFAULT.PFL, SAP-). , , , Extended maintenance . , Copy. , , - , - -, : icm/HTTP/logging_0 icm/security_log , SAP NetWeaver J2EE SAP NetWeaver J2EE AS Java tc_sec_csi.jar. , HTML/XML, JavaScript, CSS URL. StringUtils (com.sap.security.core.server.csi.util.StringUtils): . Securing SAP from XSS vulnerabilities escapeScriptEndTag(String pStr) - , javascript ; escapeToHTML(String input) – (. 1) escapeToJS(String input) – JS declaration ( . 5) escapeToURL(String input) – , URL ( 3). , 'disableScriptSignatures'. escapeToURL(StringBuffer sb, String input, int maxLength) - , URL ( 3). , 'disableScriptSignatures'. escapeToURL(String input, int maxLength) - , URL (. 3). , 'disableScriptSignatures'. urlEncode(String s) – URLEncoder.encode , . 1 ( ) [CASE1] Username [CASE1] 2 ( , – URL) Click here 3 ( - URL) 4 ( SCRIPT', – ) 5 ( – declaration ) XSSEncoder. - XSSEncoder ( : com.sap.security.core.server.csi.XSSEncoder). : HTML / XML out = XSSEncoder.encodeHTML( in ) and XSSEncoder.encodeXML( val ); JavaScript out = XSSEncoder.encodeJavaScript( val ); URL out = XSSEncoder.encodeURL( val ); CSS out = XSSEncoder.encodeCSS( val ); , . SAP Security Note 1590008. WebDynpro Java WebDynpro Java, XSS. . SAP UI Development Kit for HTML5 SAP UI Development Kit HTML5, jQuery /_core/src/main/js/jquery.sap.encoder.js. : HTML / XML jQuery.sap.encodeHTML(sValue) and jQuery.sap.encodeXML(sValue) JavaScript jQuery.sap.encodeJS(sValue) URL jQuery.sap.encodeURL(sValue) CSS jQuery.sap.encodeCSS(sValue) : , : Global_app_config/session_config/sessionTimeout = 900. - , . SystemCookiesDataProtection = true. HttpOnly , - , , . HTTPOnly, Logon tickets XSS-. ume.logon.httponlycookie= True. Logon tickets , Single Sign-On J2EE Engine. “True” , HTTP document.cookie ( XSS-) . SessionIPProtectionEnabled = True. , IP . True, HTTP- IP. IP, . , , - XSS-, - -, . LogCLF = TRUE http.properties logging CEF. ArchiveOldLogFiles = ON. Log Configurator . . , . , . . HttpTrace= Enable. HTTP- , ConfigTool. HTTP Provider Service, , HttpTrace. SAP HANA XS , XSS- – SAP HANA. SAP HANA SAPUI5. - SAPUI5 , . , int int, sap.ui.core . – , HTML: , : sessiontimeout = 900. - , . HttpOnly . , , - XSS-, - -, . HTTP (S) , SAP HANA, -. - HTTP (S) , icm/http/logging _ 0: global _ auditing _ state = true. global.ini, . , , XSS-. SAP HANA Administration Console –> Security HDB –> Auditing Status menu. - , XSS. , , - SAP . XSS- – SAP. SAP XSS-. XSS SAP. , ( chipik ) . Logging additional information ABAP protection SAP Encoding Functions for AS ABAP Java protection SAP Encoding Functions for AS Java and JavaScript Prevention of Cross-site Scripting SAP HANA protection Protecting SAP® Applications Based on Java and ABAP™ Against Common Attacks
<%@page language="abap" forceEncode="html"%> <% data: inputvalue type string. inputvalue = request->get_form_field( 'x' ). %> </html> . , ( ): <%html=...%>: HTML <%url=...%>: URL URL <%javascript=...%>: JavaScript <%css=…%> : CSS <%raw=...%> ( , , , ) BSP BSP HTMLB forceEncode <htmlb:content> ENABLED , ( ). ENABLED , , :<htmlb:content forceEncode="ENABLED|BACKWARDS_COMPATIBLE"> ENABLED: . , ; BACKWARDS_COMPATIBLE: . , . , htmlb:content , . : CLASSIC, DESIGN2002, DESIGN2003, DESIGN2008, , (+). CLASSIC DESIGN2002 (, ) . <htmlb:content forceEncode="ENABLED" design="DESIGN2003+DESIGN2008"> , design=CLASSIC. . Mixed BSP- HTML HTMLB forceEncode BSP page forceEncode HTMLB . , – HTMLB. , , HTML BSP, Internet Transaction Server (ITS) HTML Business Internet Transaction Server (ITS) HTML Business, : xss_url_escape() xss_html_escape() xss_wml_escape() xss_css_escape() xss_js_escape() HTML Business , HTML-: , (`) , : ~auto_html_escaping=1: , ~new_xss_functions=1: XSS. ~html_escaping_off=1/0, . , , SAP_BASIS: ITS ( <= 6.40), Internet Service SE80. ITS ( >= 6.40), GUI SICF : 7.20, ~new_xss_functions, XSS- . , , , . ~html_escaping_off=”X”, . , . SAP Security Note 1488500. Business HTML (BHTML) HTMLBusiness Template Library (, SAP_TemplateNonEditableField()) . , . SAP Security Note 916255. , . , . , XSS-: http/security_session_timeout = 900; - , . icf/set_HTTPonly_flag_on_cookies = 0; HttpOnly , - , , . HTTPOnly, Logon tickets XSS-. , RZ10, ( Profile) (, DEFAULT.PFL, SAP-). , , , Extended maintenance . , Copy. , , - , - -, : icm/HTTP/logging_0 icm/security_log , SAP NetWeaver J2EE SAP NetWeaver J2EE AS Java tc_sec_csi.jar. , HTML/XML, JavaScript, CSS URL. StringUtils (com.sap.security.core.server.csi.util.StringUtils): . Securing SAP from XSS vulnerabilities escapeScriptEndTag(String pStr) - , javascript ; escapeToHTML(String input) – (. 1) escapeToJS(String input) – JS declaration ( . 5) escapeToURL(String input) – , URL ( 3). , 'disableScriptSignatures'. escapeToURL(StringBuffer sb, String input, int maxLength) - , URL ( 3). , 'disableScriptSignatures'. escapeToURL(String input, int maxLength) - , URL (. 3). , 'disableScriptSignatures'. urlEncode(String s) – URLEncoder.encode , . 1 ( ) [CASE1] Username [CASE1] 2 ( , – URL) Click here 3 ( - URL) 4 ( SCRIPT', – ) 5 ( – declaration ) XSSEncoder. - XSSEncoder ( : com.sap.security.core.server.csi.XSSEncoder). : HTML / XML out = XSSEncoder.encodeHTML( in ) and XSSEncoder.encodeXML( val ); JavaScript out = XSSEncoder.encodeJavaScript( val ); URL out = XSSEncoder.encodeURL( val ); CSS out = XSSEncoder.encodeCSS( val ); , . SAP Security Note 1590008. WebDynpro Java WebDynpro Java, XSS. . SAP UI Development Kit for HTML5 SAP UI Development Kit HTML5, jQuery /_core/src/main/js/jquery.sap.encoder.js. : HTML / XML jQuery.sap.encodeHTML(sValue) and jQuery.sap.encodeXML(sValue) JavaScript jQuery.sap.encodeJS(sValue) URL jQuery.sap.encodeURL(sValue) CSS jQuery.sap.encodeCSS(sValue) : , : Global_app_config/session_config/sessionTimeout = 900. - , . SystemCookiesDataProtection = true. HttpOnly , - , , . HTTPOnly, Logon tickets XSS-. ume.logon.httponlycookie= True. Logon tickets , Single Sign-On J2EE Engine. “True” , HTTP document.cookie ( XSS-) . SessionIPProtectionEnabled = True. , IP . True, HTTP- IP. IP, . , , - XSS-, - -, . LogCLF = TRUE http.properties logging CEF. ArchiveOldLogFiles = ON. Log Configurator . . , . , . . HttpTrace= Enable. HTTP- , ConfigTool. HTTP Provider Service, , HttpTrace. SAP HANA XS , XSS- – SAP HANA. SAP HANA SAPUI5. - SAPUI5 , . , int int, sap.ui.core . – , HTML: , : sessiontimeout = 900. - , . HttpOnly . , , - XSS-, - -, . HTTP (S) , SAP HANA, -. - HTTP (S) , icm/http/logging _ 0: global _ auditing _ state = true. global.ini, . , , XSS-. SAP HANA Administration Console –> Security HDB –> Auditing Status menu. - , XSS. , , - SAP . XSS- – SAP. SAP XSS-. XSS SAP. , ( chipik ) . Logging additional information ABAP protection SAP Encoding Functions for AS ABAP Java protection SAP Encoding Functions for AS Java and JavaScript Prevention of Cross-site Scripting SAP HANA protection Protecting SAP® Applications Based on Java and ABAP™ Against Common Attacks
<%@page language="abap" forceEncode="html"%> <% data: inputvalue type string. inputvalue = request->get_form_field( 'x' ). %> </html> . , ( ): <%html=...%>: HTML <%url=...%>: URL URL <%javascript=...%>: JavaScript <%css=…%> : CSS <%raw=...%> ( , , , ) BSP BSP HTMLB forceEncode <htmlb:content> ENABLED , ( ). ENABLED , , :<htmlb:content forceEncode="ENABLED|BACKWARDS_COMPATIBLE"> ENABLED: . , ; BACKWARDS_COMPATIBLE: . , . , htmlb:content , . : CLASSIC, DESIGN2002, DESIGN2003, DESIGN2008, , (+). CLASSIC DESIGN2002 (, ) . <htmlb:content forceEncode="ENABLED" design="DESIGN2003+DESIGN2008"> , design=CLASSIC. . Mixed BSP- HTML HTMLB forceEncode BSP page forceEncode HTMLB . , – HTMLB. , , HTML BSP, Internet Transaction Server (ITS) HTML Business Internet Transaction Server (ITS) HTML Business, : xss_url_escape() xss_html_escape() xss_wml_escape() xss_css_escape() xss_js_escape() HTML Business , HTML-: , (`) , : ~auto_html_escaping=1: , ~new_xss_functions=1: XSS. ~html_escaping_off=1/0, . , , SAP_BASIS: ITS ( <= 6.40), Internet Service SE80. ITS ( >= 6.40), GUI SICF : 7.20, ~new_xss_functions, XSS- . , , , . ~html_escaping_off=”X”, . , . SAP Security Note 1488500. Business HTML (BHTML) HTMLBusiness Template Library (, SAP_TemplateNonEditableField()) . , . SAP Security Note 916255. , . , . , XSS-: http/security_session_timeout = 900; - , . icf/set_HTTPonly_flag_on_cookies = 0; HttpOnly , - , , . HTTPOnly, Logon tickets XSS-. , RZ10, ( Profile) (, DEFAULT.PFL, SAP-). , , , Extended maintenance . , Copy. , , - , - -, : icm/HTTP/logging_0 icm/security_log , SAP NetWeaver J2EE SAP NetWeaver J2EE AS Java tc_sec_csi.jar. , HTML/XML, JavaScript, CSS URL. StringUtils (com.sap.security.core.server.csi.util.StringUtils): . Securing SAP from XSS vulnerabilities escapeScriptEndTag(String pStr) - , javascript ; escapeToHTML(String input) – (. 1) escapeToJS(String input) – JS declaration ( . 5) escapeToURL(String input) – , URL ( 3). , 'disableScriptSignatures'. escapeToURL(StringBuffer sb, String input, int maxLength) - , URL ( 3). , 'disableScriptSignatures'. escapeToURL(String input, int maxLength) - , URL (. 3). , 'disableScriptSignatures'. urlEncode(String s) – URLEncoder.encode , . 1 ( ) [CASE1] Username [CASE1] 2 ( , – URL) Click here 3 ( - URL) 4 ( SCRIPT', – ) 5 ( – declaration ) XSSEncoder. - XSSEncoder ( : com.sap.security.core.server.csi.XSSEncoder). : HTML / XML out = XSSEncoder.encodeHTML( in ) and XSSEncoder.encodeXML( val ); JavaScript out = XSSEncoder.encodeJavaScript( val ); URL out = XSSEncoder.encodeURL( val ); CSS out = XSSEncoder.encodeCSS( val ); , . SAP Security Note 1590008. WebDynpro Java WebDynpro Java, XSS. . SAP UI Development Kit for HTML5 SAP UI Development Kit HTML5, jQuery /_core/src/main/js/jquery.sap.encoder.js. : HTML / XML jQuery.sap.encodeHTML(sValue) and jQuery.sap.encodeXML(sValue) JavaScript jQuery.sap.encodeJS(sValue) URL jQuery.sap.encodeURL(sValue) CSS jQuery.sap.encodeCSS(sValue) : , : Global_app_config/session_config/sessionTimeout = 900. - , . SystemCookiesDataProtection = true. HttpOnly , - , , . HTTPOnly, Logon tickets XSS-. ume.logon.httponlycookie= True. Logon tickets , Single Sign-On J2EE Engine. “True” , HTTP document.cookie ( XSS-) . SessionIPProtectionEnabled = True. , IP . True, HTTP- IP. IP, . , , - XSS-, - -, . LogCLF = TRUE http.properties logging CEF. ArchiveOldLogFiles = ON. Log Configurator . . , . , . . HttpTrace= Enable. HTTP- , ConfigTool. HTTP Provider Service, , HttpTrace. SAP HANA XS , XSS- – SAP HANA. SAP HANA SAPUI5. - SAPUI5 , . , int int, sap.ui.core . – , HTML: , : sessiontimeout = 900. - , . HttpOnly . , , - XSS-, - -, . HTTP (S) , SAP HANA, -. - HTTP (S) , icm/http/logging _ 0: global _ auditing _ state = true. global.ini, . , , XSS-. SAP HANA Administration Console –> Security HDB –> Auditing Status menu. - , XSS. , , - SAP . XSS- – SAP. SAP XSS-. XSS SAP. , ( chipik ) . Logging additional information ABAP protection SAP Encoding Functions for AS ABAP Java protection SAP Encoding Functions for AS Java and JavaScript Prevention of Cross-site Scripting SAP HANA protection Protecting SAP® Applications Based on Java and ABAP™ Against Common Attacks

<%@page language="abap" forceEncode="html"%>
<% data: inputvalue type string.
inputvalue = request->get_form_field( 'x' ).
%>
</html>


. , ( ):

<%html=...%>: HTML <%url=...%>: URL URL <%javascript=...%>: JavaScript <%css=…%> : CSS <%raw=...%> ( , , , )

BSP

BSP HTMLB forceEncode <htmlb:content> ENABLED , ( ). ENABLED , , :<htmlb:content forceEncode="ENABLED|BACKWARDS_COMPATIBLE">

ENABLED: . , ; BACKWARDS_COMPATIBLE: . , .

, htmlb:content , . : CLASSIC, DESIGN2002, DESIGN2003, DESIGN2008, , (+). CLASSIC DESIGN2002 (, ) .

<htmlb:content forceEncode="ENABLED" design="DESIGN2003+DESIGN2008">


, design=CLASSIC. .

Mixed BSP- HTML HTMLB

forceEncode BSP page forceEncode HTMLB . , – HTMLB. , , HTML BSP,

Internet Transaction Server (ITS) HTML Business

Internet Transaction Server (ITS) HTML Business, :

xss_url_escape() xss_html_escape() xss_wml_escape() xss_css_escape() xss_js_escape()
HTML Business

, HTML-: , (`) , :
~auto_html_escaping=1: , ~new_xss_functions=1: XSS.
~html_escaping_off=1/0, .
, , SAP_BASIS:
ITS ( <= 6.40), Internet Service SE80. ITS ( >= 6.40), GUI SICF :

7.20, ~new_xss_functions, XSS- .

, , , . ~html_escaping_off=”X”, . , . SAP Security Note 1488500.

Business HTML (BHTML)

HTMLBusiness Template Library (, SAP_TemplateNonEditableField()) . , . SAP Security Note 916255.



, . , .



, XSS-:

http/security_session_timeout = 900; - , . icf/set_HTTPonly_flag_on_cookies = 0; HttpOnly , - , , . HTTPOnly, Logon tickets XSS-.

, RZ10, ( Profile) (, DEFAULT.PFL, SAP-). , , , Extended maintenance . , Copy.



, , - , - -, :
icm/HTTP/logging_0 icm/security_log ,

SAP NetWeaver J2EE

SAP NetWeaver J2EE



AS Java tc_sec_csi.jar. , HTML/XML, JavaScript, CSS URL. StringUtils (com.sap.security.core.server.csi.util.StringUtils):

. Securing SAP from XSS vulnerabilities
escapeScriptEndTag(String pStr) - , javascript ; escapeToHTML(String input) – (. 1) escapeToJS(String input) – JS declaration ( . 5) escapeToURL(String input) – , URL ( 3). , 'disableScriptSignatures'. escapeToURL(StringBuffer sb, String input, int maxLength) - , URL ( 3). , 'disableScriptSignatures'. escapeToURL(String input, int maxLength) - , URL (. 3). , 'disableScriptSignatures'. urlEncode(String s) – URLEncoder.encode

, .

1 ( )

[CASE1]

Username [CASE1]



2 ( , – URL)


Click here


3 ( - URL)




4 ( SCRIPT', – )



5 ( – declaration )



XSSEncoder.
- XSSEncoder ( : com.sap.security.core.server.csi.XSSEncoder).

:
HTML / XML out = XSSEncoder.encodeHTML( in ) and XSSEncoder.encodeXML( val ); JavaScript out = XSSEncoder.encodeJavaScript( val ); URL out = XSSEncoder.encodeURL( val ); CSS out = XSSEncoder.encodeCSS( val );

, . SAP Security Note 1590008.
WebDynpro Java
WebDynpro Java, XSS. .
SAP UI Development Kit for HTML5
SAP UI Development Kit HTML5, jQuery /_core/src/main/js/jquery.sap.encoder.js.
:
HTML / XML jQuery.sap.encodeHTML(sValue) and jQuery.sap.encodeXML(sValue) JavaScript jQuery.sap.encodeJS(sValue) URL jQuery.sap.encodeURL(sValue) CSS jQuery.sap.encodeCSS(sValue)
:

, :
Global_app_config/session_config/sessionTimeout = 900. - , . SystemCookiesDataProtection = true. HttpOnly , - , , . HTTPOnly, Logon tickets XSS-. ume.logon.httponlycookie= True. Logon tickets , Single Sign-On J2EE Engine. “True” , HTTP document.cookie ( XSS-) . SessionIPProtectionEnabled = True. , IP . True, HTTP- IP. IP, .


, , - XSS-, - -, .
LogCLF = TRUE http.properties logging CEF. ArchiveOldLogFiles = ON. Log Configurator . . , . , . . HttpTrace= Enable. HTTP- , ConfigTool. HTTP Provider Service, , HttpTrace.
SAP HANA XS

, XSS- – SAP HANA.


SAP HANA SAPUI5.
- SAPUI5 , . , int int, sap.ui.core . – , HTML:

, :
sessiontimeout = 900. - , . HttpOnly .



, , - XSS-, - -, .

HTTP (S) , SAP HANA, -. - HTTP (S) , icm/http/logging _ 0: global _ auditing _ state = true. global.ini, . , , XSS-. SAP HANA Administration Console –> Security HDB –> Auditing Status menu.



- , XSS. , , - SAP . XSS- – SAP. SAP XSS-. XSS SAP.

, ( chipik ) .


Logging additional information ABAP protection SAP Encoding Functions for AS ABAP Java protection SAP Encoding Functions for AS Java and JavaScript Prevention of Cross-site Scripting SAP HANA protection Protecting SAP® Applications Based on Java and ABAP™ Against Common Attacks

<%@page language="abap" forceEncode="html"%> <% data: inputvalue type string. inputvalue = request->get_form_field( 'x' ). %> </html> . , ( ): <%html=...%>: HTML <%url=...%>: URL URL <%javascript=...%>: JavaScript <%css=…%> : CSS <%raw=...%> ( , , , ) BSP BSP HTMLB forceEncode <htmlb:content> ENABLED , ( ). ENABLED , , :<htmlb:content forceEncode="ENABLED|BACKWARDS_COMPATIBLE"> ENABLED: . , ; BACKWARDS_COMPATIBLE: . , . , htmlb:content , . : CLASSIC, DESIGN2002, DESIGN2003, DESIGN2008, , (+). CLASSIC DESIGN2002 (, ) . <htmlb:content forceEncode="ENABLED" design="DESIGN2003+DESIGN2008"> , design=CLASSIC. . Mixed BSP- HTML HTMLB forceEncode BSP page forceEncode HTMLB . , – HTMLB. , , HTML BSP, Internet Transaction Server (ITS) HTML Business Internet Transaction Server (ITS) HTML Business, : xss_url_escape() xss_html_escape() xss_wml_escape() xss_css_escape() xss_js_escape() HTML Business , HTML-: , (`) , : ~auto_html_escaping=1: , ~new_xss_functions=1: XSS. ~html_escaping_off=1/0, . , , SAP_BASIS: ITS ( <= 6.40), Internet Service SE80. ITS ( >= 6.40), GUI SICF : 7.20, ~new_xss_functions, XSS- . , , , . ~html_escaping_off=”X”, . , . SAP Security Note 1488500. Business HTML (BHTML) HTMLBusiness Template Library (, SAP_TemplateNonEditableField()) . , . SAP Security Note 916255. , . , . , XSS-: http/security_session_timeout = 900; - , . icf/set_HTTPonly_flag_on_cookies = 0; HttpOnly , - , , . HTTPOnly, Logon tickets XSS-. , RZ10, ( Profile) (, DEFAULT.PFL, SAP-). , , , Extended maintenance . , Copy. , , - , - -, : icm/HTTP/logging_0 icm/security_log , SAP NetWeaver J2EE SAP NetWeaver J2EE AS Java tc_sec_csi.jar. , HTML/XML, JavaScript, CSS URL. StringUtils (com.sap.security.core.server.csi.util.StringUtils): . Securing SAP from XSS vulnerabilities escapeScriptEndTag(String pStr) - , javascript ; escapeToHTML(String input) – (. 1) escapeToJS(String input) – JS declaration ( . 5) escapeToURL(String input) – , URL ( 3). , 'disableScriptSignatures'. escapeToURL(StringBuffer sb, String input, int maxLength) - , URL ( 3). , 'disableScriptSignatures'. escapeToURL(String input, int maxLength) - , URL (. 3). , 'disableScriptSignatures'. urlEncode(String s) – URLEncoder.encode , . 1 ( ) [CASE1] Username [CASE1] 2 ( , – URL) Click here 3 ( - URL) 4 ( SCRIPT', – ) 5 ( – declaration ) XSSEncoder. - XSSEncoder ( : com.sap.security.core.server.csi.XSSEncoder). : HTML / XML out = XSSEncoder.encodeHTML( in ) and XSSEncoder.encodeXML( val ); JavaScript out = XSSEncoder.encodeJavaScript( val ); URL out = XSSEncoder.encodeURL( val ); CSS out = XSSEncoder.encodeCSS( val ); , . SAP Security Note 1590008. WebDynpro Java WebDynpro Java, XSS. . SAP UI Development Kit for HTML5 SAP UI Development Kit HTML5, jQuery /_core/src/main/js/jquery.sap.encoder.js. : HTML / XML jQuery.sap.encodeHTML(sValue) and jQuery.sap.encodeXML(sValue) JavaScript jQuery.sap.encodeJS(sValue) URL jQuery.sap.encodeURL(sValue) CSS jQuery.sap.encodeCSS(sValue) : , : Global_app_config/session_config/sessionTimeout = 900. - , . SystemCookiesDataProtection = true. HttpOnly , - , , . HTTPOnly, Logon tickets XSS-. ume.logon.httponlycookie= True. Logon tickets , Single Sign-On J2EE Engine. “True” , HTTP document.cookie ( XSS-) . SessionIPProtectionEnabled = True. , IP . True, HTTP- IP. IP, . , , - XSS-, - -, . LogCLF = TRUE http.properties logging CEF. ArchiveOldLogFiles = ON. Log Configurator . . , . , . . HttpTrace= Enable. HTTP- , ConfigTool. HTTP Provider Service, , HttpTrace. SAP HANA XS , XSS- – SAP HANA. SAP HANA SAPUI5. - SAPUI5 , . , int int, sap.ui.core . – , HTML: , : sessiontimeout = 900. - , . HttpOnly . , , - XSS-, - -, . HTTP (S) , SAP HANA, -. - HTTP (S) , icm/http/logging _ 0: global _ auditing _ state = true. global.ini, . , , XSS-. SAP HANA Administration Console –> Security HDB –> Auditing Status menu. - , XSS. , , - SAP . XSS- – SAP. SAP XSS-. XSS SAP. , ( chipik ) . Logging additional information ABAP protection SAP Encoding Functions for AS ABAP Java protection SAP Encoding Functions for AS Java and JavaScript Prevention of Cross-site Scripting SAP HANA protection Protecting SAP® Applications Based on Java and ABAP™ Against Common Attacks

<%@page language="abap" forceEncode="html"%>
<% data: inputvalue type string.
inputvalue = request->get_form_field( 'x' ).
%>
</html>


. , ( ):

<%html=...%>: HTML <%url=...%>: URL URL <%javascript=...%>: JavaScript <%css=…%> : CSS <%raw=...%> ( , , , )

BSP

BSP HTMLB forceEncode <htmlb:content> ENABLED , ( ). ENABLED , , :<htmlb:content forceEncode="ENABLED|BACKWARDS_COMPATIBLE">

ENABLED: . , ; BACKWARDS_COMPATIBLE: . , .

, htmlb:content , . : CLASSIC, DESIGN2002, DESIGN2003, DESIGN2008, , (+). CLASSIC DESIGN2002 (, ) .

<htmlb:content forceEncode="ENABLED" design="DESIGN2003+DESIGN2008">


, design=CLASSIC. .

Mixed BSP- HTML HTMLB

forceEncode BSP page forceEncode HTMLB . , – HTMLB. , , HTML BSP,

Internet Transaction Server (ITS) HTML Business

Internet Transaction Server (ITS) HTML Business, :

xss_url_escape() xss_html_escape() xss_wml_escape() xss_css_escape() xss_js_escape()
HTML Business

, HTML-: , (`) , :
~auto_html_escaping=1: , ~new_xss_functions=1: XSS.
~html_escaping_off=1/0, .
, , SAP_BASIS:
ITS ( <= 6.40), Internet Service SE80. ITS ( >= 6.40), GUI SICF :

7.20, ~new_xss_functions, XSS- .

, , , . ~html_escaping_off=”X”, . , . SAP Security Note 1488500.

Business HTML (BHTML)

HTMLBusiness Template Library (, SAP_TemplateNonEditableField()) . , . SAP Security Note 916255.



, . , .



, XSS-:

http/security_session_timeout = 900; - , . icf/set_HTTPonly_flag_on_cookies = 0; HttpOnly , - , , . HTTPOnly, Logon tickets XSS-.

, RZ10, ( Profile) (, DEFAULT.PFL, SAP-). , , , Extended maintenance . , Copy.



, , - , - -, :
icm/HTTP/logging_0 icm/security_log ,

SAP NetWeaver J2EE

SAP NetWeaver J2EE



AS Java tc_sec_csi.jar. , HTML/XML, JavaScript, CSS URL. StringUtils (com.sap.security.core.server.csi.util.StringUtils):

. Securing SAP from XSS vulnerabilities
escapeScriptEndTag(String pStr) - , javascript ; escapeToHTML(String input) – (. 1) escapeToJS(String input) – JS declaration ( . 5) escapeToURL(String input) – , URL ( 3). , 'disableScriptSignatures'. escapeToURL(StringBuffer sb, String input, int maxLength) - , URL ( 3). , 'disableScriptSignatures'. escapeToURL(String input, int maxLength) - , URL (. 3). , 'disableScriptSignatures'. urlEncode(String s) – URLEncoder.encode

, .

1 ( )

[CASE1]

Username [CASE1]



2 ( , – URL)


Click here


3 ( - URL)




4 ( SCRIPT', – )



5 ( – declaration )



XSSEncoder.
- XSSEncoder ( : com.sap.security.core.server.csi.XSSEncoder).

:
HTML / XML out = XSSEncoder.encodeHTML( in ) and XSSEncoder.encodeXML( val ); JavaScript out = XSSEncoder.encodeJavaScript( val ); URL out = XSSEncoder.encodeURL( val ); CSS out = XSSEncoder.encodeCSS( val );

, . SAP Security Note 1590008.
WebDynpro Java
WebDynpro Java, XSS. .
SAP UI Development Kit for HTML5
SAP UI Development Kit HTML5, jQuery /_core/src/main/js/jquery.sap.encoder.js.
:
HTML / XML jQuery.sap.encodeHTML(sValue) and jQuery.sap.encodeXML(sValue) JavaScript jQuery.sap.encodeJS(sValue) URL jQuery.sap.encodeURL(sValue) CSS jQuery.sap.encodeCSS(sValue)
:

, :
Global_app_config/session_config/sessionTimeout = 900. - , . SystemCookiesDataProtection = true. HttpOnly , - , , . HTTPOnly, Logon tickets XSS-. ume.logon.httponlycookie= True. Logon tickets , Single Sign-On J2EE Engine. “True” , HTTP document.cookie ( XSS-) . SessionIPProtectionEnabled = True. , IP . True, HTTP- IP. IP, .


, , - XSS-, - -, .
LogCLF = TRUE http.properties logging CEF. ArchiveOldLogFiles = ON. Log Configurator . . , . , . . HttpTrace= Enable. HTTP- , ConfigTool. HTTP Provider Service, , HttpTrace.
SAP HANA XS

, XSS- – SAP HANA.


SAP HANA SAPUI5.
- SAPUI5 , . , int int, sap.ui.core . – , HTML:

, :
sessiontimeout = 900. - , . HttpOnly .



, , - XSS-, - -, .

HTTP (S) , SAP HANA, -. - HTTP (S) , icm/http/logging _ 0: global _ auditing _ state = true. global.ini, . , , XSS-. SAP HANA Administration Console –> Security HDB –> Auditing Status menu.



- , XSS. , , - SAP . XSS- – SAP. SAP XSS-. XSS SAP.

, ( chipik ) .


Logging additional information ABAP protection SAP Encoding Functions for AS ABAP Java protection SAP Encoding Functions for AS Java and JavaScript Prevention of Cross-site Scripting SAP HANA protection Protecting SAP® Applications Based on Java and ABAP™ Against Common Attacks

<%@page language="abap" forceEncode="html"%> <% data: inputvalue type string. inputvalue = request->get_form_field( 'x' ). %> </html> . , ( ): <%html=...%>: HTML <%url=...%>: URL URL <%javascript=...%>: JavaScript <%css=…%> : CSS <%raw=...%> ( , , , ) BSP BSP HTMLB forceEncode <htmlb:content> ENABLED , ( ). ENABLED , , :<htmlb:content forceEncode="ENABLED|BACKWARDS_COMPATIBLE"> ENABLED: . , ; BACKWARDS_COMPATIBLE: . , . , htmlb:content , . : CLASSIC, DESIGN2002, DESIGN2003, DESIGN2008, , (+). CLASSIC DESIGN2002 (, ) . <htmlb:content forceEncode="ENABLED" design="DESIGN2003+DESIGN2008"> , design=CLASSIC. . Mixed BSP- HTML HTMLB forceEncode BSP page forceEncode HTMLB . , – HTMLB. , , HTML BSP, Internet Transaction Server (ITS) HTML Business Internet Transaction Server (ITS) HTML Business, : xss_url_escape() xss_html_escape() xss_wml_escape() xss_css_escape() xss_js_escape() HTML Business , HTML-: , (`) , : ~auto_html_escaping=1: , ~new_xss_functions=1: XSS. ~html_escaping_off=1/0, . , , SAP_BASIS: ITS ( <= 6.40), Internet Service SE80. ITS ( >= 6.40), GUI SICF : 7.20, ~new_xss_functions, XSS- . , , , . ~html_escaping_off=”X”, . , . SAP Security Note 1488500. Business HTML (BHTML) HTMLBusiness Template Library (, SAP_TemplateNonEditableField()) . , . SAP Security Note 916255. , . , . , XSS-: http/security_session_timeout = 900; - , . icf/set_HTTPonly_flag_on_cookies = 0; HttpOnly , - , , . HTTPOnly, Logon tickets XSS-. , RZ10, ( Profile) (, DEFAULT.PFL, SAP-). , , , Extended maintenance . , Copy. , , - , - -, : icm/HTTP/logging_0 icm/security_log , SAP NetWeaver J2EE SAP NetWeaver J2EE AS Java tc_sec_csi.jar. , HTML/XML, JavaScript, CSS URL. StringUtils (com.sap.security.core.server.csi.util.StringUtils): . Securing SAP from XSS vulnerabilities escapeScriptEndTag(String pStr) - , javascript ; escapeToHTML(String input) – (. 1) escapeToJS(String input) – JS declaration ( . 5) escapeToURL(String input) – , URL ( 3). , 'disableScriptSignatures'. escapeToURL(StringBuffer sb, String input, int maxLength) - , URL ( 3). , 'disableScriptSignatures'. escapeToURL(String input, int maxLength) - , URL (. 3). , 'disableScriptSignatures'. urlEncode(String s) – URLEncoder.encode , . 1 ( ) [CASE1] Username [CASE1] 2 ( , – URL) Click here 3 ( - URL) 4 ( SCRIPT', – ) 5 ( – declaration ) XSSEncoder. - XSSEncoder ( : com.sap.security.core.server.csi.XSSEncoder). : HTML / XML out = XSSEncoder.encodeHTML( in ) and XSSEncoder.encodeXML( val ); JavaScript out = XSSEncoder.encodeJavaScript( val ); URL out = XSSEncoder.encodeURL( val ); CSS out = XSSEncoder.encodeCSS( val ); , . SAP Security Note 1590008. WebDynpro Java WebDynpro Java, XSS. . SAP UI Development Kit for HTML5 SAP UI Development Kit HTML5, jQuery /_core/src/main/js/jquery.sap.encoder.js. : HTML / XML jQuery.sap.encodeHTML(sValue) and jQuery.sap.encodeXML(sValue) JavaScript jQuery.sap.encodeJS(sValue) URL jQuery.sap.encodeURL(sValue) CSS jQuery.sap.encodeCSS(sValue) : , : Global_app_config/session_config/sessionTimeout = 900. - , . SystemCookiesDataProtection = true. HttpOnly , - , , . HTTPOnly, Logon tickets XSS-. ume.logon.httponlycookie= True. Logon tickets , Single Sign-On J2EE Engine. “True” , HTTP document.cookie ( XSS-) . SessionIPProtectionEnabled = True. , IP . True, HTTP- IP. IP, . , , - XSS-, - -, . LogCLF = TRUE http.properties logging CEF. ArchiveOldLogFiles = ON. Log Configurator . . , . , . . HttpTrace= Enable. HTTP- , ConfigTool. HTTP Provider Service, , HttpTrace. SAP HANA XS , XSS- – SAP HANA. SAP HANA SAPUI5. - SAPUI5 , . , int int, sap.ui.core . – , HTML: , : sessiontimeout = 900. - , . HttpOnly . , , - XSS-, - -, . HTTP (S) , SAP HANA, -. - HTTP (S) , icm/http/logging _ 0: global _ auditing _ state = true. global.ini, . , , XSS-. SAP HANA Administration Console –> Security HDB –> Auditing Status menu. - , XSS. , , - SAP . XSS- – SAP. SAP XSS-. XSS SAP. , ( chipik ) . Logging additional information ABAP protection SAP Encoding Functions for AS ABAP Java protection SAP Encoding Functions for AS Java and JavaScript Prevention of Cross-site Scripting SAP HANA protection Protecting SAP® Applications Based on Java and ABAP™ Against Common Attacks
<%@page language="abap" forceEncode="html"%> <% data: inputvalue type string. inputvalue = request->get_form_field( 'x' ). %> </html> . , ( ): <%html=...%>: HTML <%url=...%>: URL URL <%javascript=...%>: JavaScript <%css=…%> : CSS <%raw=...%> ( , , , ) BSP BSP HTMLB forceEncode <htmlb:content> ENABLED , ( ). ENABLED , , :<htmlb:content forceEncode="ENABLED|BACKWARDS_COMPATIBLE"> ENABLED: . , ; BACKWARDS_COMPATIBLE: . , . , htmlb:content , . : CLASSIC, DESIGN2002, DESIGN2003, DESIGN2008, , (+). CLASSIC DESIGN2002 (, ) . <htmlb:content forceEncode="ENABLED" design="DESIGN2003+DESIGN2008"> , design=CLASSIC. . Mixed BSP- HTML HTMLB forceEncode BSP page forceEncode HTMLB . , – HTMLB. , , HTML BSP, Internet Transaction Server (ITS) HTML Business Internet Transaction Server (ITS) HTML Business, : xss_url_escape() xss_html_escape() xss_wml_escape() xss_css_escape() xss_js_escape() HTML Business , HTML-: , (`) , : ~auto_html_escaping=1: , ~new_xss_functions=1: XSS. ~html_escaping_off=1/0, . , , SAP_BASIS: ITS ( <= 6.40), Internet Service SE80. ITS ( >= 6.40), GUI SICF : 7.20, ~new_xss_functions, XSS- . , , , . ~html_escaping_off=”X”, . , . SAP Security Note 1488500. Business HTML (BHTML) HTMLBusiness Template Library (, SAP_TemplateNonEditableField()) . , . SAP Security Note 916255. , . , . , XSS-: http/security_session_timeout = 900; - , . icf/set_HTTPonly_flag_on_cookies = 0; HttpOnly , - , , . HTTPOnly, Logon tickets XSS-. , RZ10, ( Profile) (, DEFAULT.PFL, SAP-). , , , Extended maintenance . , Copy. , , - , - -, : icm/HTTP/logging_0 icm/security_log , SAP NetWeaver J2EE SAP NetWeaver J2EE AS Java tc_sec_csi.jar. , HTML/XML, JavaScript, CSS URL. StringUtils (com.sap.security.core.server.csi.util.StringUtils): . Securing SAP from XSS vulnerabilities escapeScriptEndTag(String pStr) - , javascript ; escapeToHTML(String input) – (. 1) escapeToJS(String input) – JS declaration ( . 5) escapeToURL(String input) – , URL ( 3). , 'disableScriptSignatures'. escapeToURL(StringBuffer sb, String input, int maxLength) - , URL ( 3). , 'disableScriptSignatures'. escapeToURL(String input, int maxLength) - , URL (. 3). , 'disableScriptSignatures'. urlEncode(String s) – URLEncoder.encode , . 1 ( ) [CASE1] Username [CASE1] 2 ( , – URL) Click here 3 ( - URL) 4 ( SCRIPT', – ) 5 ( – declaration ) XSSEncoder. - XSSEncoder ( : com.sap.security.core.server.csi.XSSEncoder). : HTML / XML out = XSSEncoder.encodeHTML( in ) and XSSEncoder.encodeXML( val ); JavaScript out = XSSEncoder.encodeJavaScript( val ); URL out = XSSEncoder.encodeURL( val ); CSS out = XSSEncoder.encodeCSS( val ); , . SAP Security Note 1590008. WebDynpro Java WebDynpro Java, XSS. . SAP UI Development Kit for HTML5 SAP UI Development Kit HTML5, jQuery /_core/src/main/js/jquery.sap.encoder.js. : HTML / XML jQuery.sap.encodeHTML(sValue) and jQuery.sap.encodeXML(sValue) JavaScript jQuery.sap.encodeJS(sValue) URL jQuery.sap.encodeURL(sValue) CSS jQuery.sap.encodeCSS(sValue) : , : Global_app_config/session_config/sessionTimeout = 900. - , . SystemCookiesDataProtection = true. HttpOnly , - , , . HTTPOnly, Logon tickets XSS-. ume.logon.httponlycookie= True. Logon tickets , Single Sign-On J2EE Engine. “True” , HTTP document.cookie ( XSS-) . SessionIPProtectionEnabled = True. , IP . True, HTTP- IP. IP, . , , - XSS-, - -, . LogCLF = TRUE http.properties logging CEF. ArchiveOldLogFiles = ON. Log Configurator . . , . , . . HttpTrace= Enable. HTTP- , ConfigTool. HTTP Provider Service, , HttpTrace. SAP HANA XS , XSS- – SAP HANA. SAP HANA SAPUI5. - SAPUI5 , . , int int, sap.ui.core . – , HTML: , : sessiontimeout = 900. - , . HttpOnly . , , - XSS-, - -, . HTTP (S) , SAP HANA, -. - HTTP (S) , icm/http/logging _ 0: global _ auditing _ state = true. global.ini, . , , XSS-. SAP HANA Administration Console –> Security HDB –> Auditing Status menu. - , XSS. , , - SAP . XSS- – SAP. SAP XSS-. XSS SAP. , ( chipik ) . Logging additional information ABAP protection SAP Encoding Functions for AS ABAP Java protection SAP Encoding Functions for AS Java and JavaScript Prevention of Cross-site Scripting SAP HANA protection Protecting SAP® Applications Based on Java and ABAP™ Against Common Attacks

<%@page language="abap" forceEncode="html"%>
<% data: inputvalue type string.
inputvalue = request->get_form_field( 'x' ).
%>
</html>


. , ( ):

<%html=...%>: HTML <%url=...%>: URL URL <%javascript=...%>: JavaScript <%css=…%> : CSS <%raw=...%> ( , , , )

BSP

BSP HTMLB forceEncode <htmlb:content> ENABLED , ( ). ENABLED , , :<htmlb:content forceEncode="ENABLED|BACKWARDS_COMPATIBLE">

ENABLED: . , ; BACKWARDS_COMPATIBLE: . , .

, htmlb:content , . : CLASSIC, DESIGN2002, DESIGN2003, DESIGN2008, , (+). CLASSIC DESIGN2002 (, ) .

<htmlb:content forceEncode="ENABLED" design="DESIGN2003+DESIGN2008">


, design=CLASSIC. .

Mixed BSP- HTML HTMLB

forceEncode BSP page forceEncode HTMLB . , – HTMLB. , , HTML BSP,

Internet Transaction Server (ITS) HTML Business

Internet Transaction Server (ITS) HTML Business, :

xss_url_escape() xss_html_escape() xss_wml_escape() xss_css_escape() xss_js_escape()
HTML Business

, HTML-: , (`) , :
~auto_html_escaping=1: , ~new_xss_functions=1: XSS.
~html_escaping_off=1/0, .
, , SAP_BASIS:
ITS ( <= 6.40), Internet Service SE80. ITS ( >= 6.40), GUI SICF :

7.20, ~new_xss_functions, XSS- .

, , , . ~html_escaping_off=”X”, . , . SAP Security Note 1488500.

Business HTML (BHTML)

HTMLBusiness Template Library (, SAP_TemplateNonEditableField()) . , . SAP Security Note 916255.



, . , .



, XSS-:

http/security_session_timeout = 900; - , . icf/set_HTTPonly_flag_on_cookies = 0; HttpOnly , - , , . HTTPOnly, Logon tickets XSS-.

, RZ10, ( Profile) (, DEFAULT.PFL, SAP-). , , , Extended maintenance . , Copy.



, , - , - -, :
icm/HTTP/logging_0 icm/security_log ,

SAP NetWeaver J2EE

SAP NetWeaver J2EE



AS Java tc_sec_csi.jar. , HTML/XML, JavaScript, CSS URL. StringUtils (com.sap.security.core.server.csi.util.StringUtils):

. Securing SAP from XSS vulnerabilities
escapeScriptEndTag(String pStr) - , javascript ; escapeToHTML(String input) – (. 1) escapeToJS(String input) – JS declaration ( . 5) escapeToURL(String input) – , URL ( 3). , 'disableScriptSignatures'. escapeToURL(StringBuffer sb, String input, int maxLength) - , URL ( 3). , 'disableScriptSignatures'. escapeToURL(String input, int maxLength) - , URL (. 3). , 'disableScriptSignatures'. urlEncode(String s) – URLEncoder.encode

, .

1 ( )

[CASE1]

Username [CASE1]



2 ( , – URL)


Click here


3 ( - URL)




4 ( SCRIPT', – )



5 ( – declaration )



XSSEncoder.
- XSSEncoder ( : com.sap.security.core.server.csi.XSSEncoder).

:
HTML / XML out = XSSEncoder.encodeHTML( in ) and XSSEncoder.encodeXML( val ); JavaScript out = XSSEncoder.encodeJavaScript( val ); URL out = XSSEncoder.encodeURL( val ); CSS out = XSSEncoder.encodeCSS( val );

, . SAP Security Note 1590008.
WebDynpro Java
WebDynpro Java, XSS. .
SAP UI Development Kit for HTML5
SAP UI Development Kit HTML5, jQuery /_core/src/main/js/jquery.sap.encoder.js.
:
HTML / XML jQuery.sap.encodeHTML(sValue) and jQuery.sap.encodeXML(sValue) JavaScript jQuery.sap.encodeJS(sValue) URL jQuery.sap.encodeURL(sValue) CSS jQuery.sap.encodeCSS(sValue)
:

, :
Global_app_config/session_config/sessionTimeout = 900. - , . SystemCookiesDataProtection = true. HttpOnly , - , , . HTTPOnly, Logon tickets XSS-. ume.logon.httponlycookie= True. Logon tickets , Single Sign-On J2EE Engine. “True” , HTTP document.cookie ( XSS-) . SessionIPProtectionEnabled = True. , IP . True, HTTP- IP. IP, .


, , - XSS-, - -, .
LogCLF = TRUE http.properties logging CEF. ArchiveOldLogFiles = ON. Log Configurator . . , . , . . HttpTrace= Enable. HTTP- , ConfigTool. HTTP Provider Service, , HttpTrace.
SAP HANA XS

, XSS- – SAP HANA.


SAP HANA SAPUI5.
- SAPUI5 , . , int int, sap.ui.core . – , HTML:

, :
sessiontimeout = 900. - , . HttpOnly .



, , - XSS-, - -, .

HTTP (S) , SAP HANA, -. - HTTP (S) , icm/http/logging _ 0: global _ auditing _ state = true. global.ini, . , , XSS-. SAP HANA Administration Console –> Security HDB –> Auditing Status menu.



- , XSS. , , - SAP . XSS- – SAP. SAP XSS-. XSS SAP.

, ( chipik ) .


Logging additional information ABAP protection SAP Encoding Functions for AS ABAP Java protection SAP Encoding Functions for AS Java and JavaScript Prevention of Cross-site Scripting SAP HANA protection Protecting SAP® Applications Based on Java and ABAP™ Against Common Attacks

<%@page language="abap" forceEncode="html"%> <% data: inputvalue type string. inputvalue = request->get_form_field( 'x' ). %> </html> . , ( ): <%html=...%>: HTML <%url=...%>: URL URL <%javascript=...%>: JavaScript <%css=…%> : CSS <%raw=...%> ( , , , ) BSP BSP HTMLB forceEncode <htmlb:content> ENABLED , ( ). ENABLED , , :<htmlb:content forceEncode="ENABLED|BACKWARDS_COMPATIBLE"> ENABLED: . , ; BACKWARDS_COMPATIBLE: . , . , htmlb:content , . : CLASSIC, DESIGN2002, DESIGN2003, DESIGN2008, , (+). CLASSIC DESIGN2002 (, ) . <htmlb:content forceEncode="ENABLED" design="DESIGN2003+DESIGN2008"> , design=CLASSIC. . Mixed BSP- HTML HTMLB forceEncode BSP page forceEncode HTMLB . , – HTMLB. , , HTML BSP, Internet Transaction Server (ITS) HTML Business Internet Transaction Server (ITS) HTML Business, : xss_url_escape() xss_html_escape() xss_wml_escape() xss_css_escape() xss_js_escape() HTML Business , HTML-: , (`) , : ~auto_html_escaping=1: , ~new_xss_functions=1: XSS. ~html_escaping_off=1/0, . , , SAP_BASIS: ITS ( <= 6.40), Internet Service SE80. ITS ( >= 6.40), GUI SICF : 7.20, ~new_xss_functions, XSS- . , , , . ~html_escaping_off=”X”, . , . SAP Security Note 1488500. Business HTML (BHTML) HTMLBusiness Template Library (, SAP_TemplateNonEditableField()) . , . SAP Security Note 916255. , . , . , XSS-: http/security_session_timeout = 900; - , . icf/set_HTTPonly_flag_on_cookies = 0; HttpOnly , - , , . HTTPOnly, Logon tickets XSS-. , RZ10, ( Profile) (, DEFAULT.PFL, SAP-). , , , Extended maintenance . , Copy. , , - , - -, : icm/HTTP/logging_0 icm/security_log , SAP NetWeaver J2EE SAP NetWeaver J2EE AS Java tc_sec_csi.jar. , HTML/XML, JavaScript, CSS URL. StringUtils (com.sap.security.core.server.csi.util.StringUtils): . Securing SAP from XSS vulnerabilities escapeScriptEndTag(String pStr) - , javascript ; escapeToHTML(String input) – (. 1) escapeToJS(String input) – JS declaration ( . 5) escapeToURL(String input) – , URL ( 3). , 'disableScriptSignatures'. escapeToURL(StringBuffer sb, String input, int maxLength) - , URL ( 3). , 'disableScriptSignatures'. escapeToURL(String input, int maxLength) - , URL (. 3). , 'disableScriptSignatures'. urlEncode(String s) – URLEncoder.encode , . 1 ( ) [CASE1] Username [CASE1] 2 ( , – URL) Click here 3 ( - URL) 4 ( SCRIPT', – ) 5 ( – declaration ) XSSEncoder. - XSSEncoder ( : com.sap.security.core.server.csi.XSSEncoder). : HTML / XML out = XSSEncoder.encodeHTML( in ) and XSSEncoder.encodeXML( val ); JavaScript out = XSSEncoder.encodeJavaScript( val ); URL out = XSSEncoder.encodeURL( val ); CSS out = XSSEncoder.encodeCSS( val ); , . SAP Security Note 1590008. WebDynpro Java WebDynpro Java, XSS. . SAP UI Development Kit for HTML5 SAP UI Development Kit HTML5, jQuery /_core/src/main/js/jquery.sap.encoder.js. : HTML / XML jQuery.sap.encodeHTML(sValue) and jQuery.sap.encodeXML(sValue) JavaScript jQuery.sap.encodeJS(sValue) URL jQuery.sap.encodeURL(sValue) CSS jQuery.sap.encodeCSS(sValue) : , : Global_app_config/session_config/sessionTimeout = 900. - , . SystemCookiesDataProtection = true. HttpOnly , - , , . HTTPOnly, Logon tickets XSS-. ume.logon.httponlycookie= True. Logon tickets , Single Sign-On J2EE Engine. “True” , HTTP document.cookie ( XSS-) . SessionIPProtectionEnabled = True. , IP . True, HTTP- IP. IP, . , , - XSS-, - -, . LogCLF = TRUE http.properties logging CEF. ArchiveOldLogFiles = ON. Log Configurator . . , . , . . HttpTrace= Enable. HTTP- , ConfigTool. HTTP Provider Service, , HttpTrace. SAP HANA XS , XSS- – SAP HANA. SAP HANA SAPUI5. - SAPUI5 , . , int int, sap.ui.core . – , HTML: , : sessiontimeout = 900. - , . HttpOnly . , , - XSS-, - -, . HTTP (S) , SAP HANA, -. - HTTP (S) , icm/http/logging _ 0: global _ auditing _ state = true. global.ini, . , , XSS-. SAP HANA Administration Console –> Security HDB –> Auditing Status menu. - , XSS. , , - SAP . XSS- – SAP. SAP XSS-. XSS SAP. , ( chipik ) . Logging additional information ABAP protection SAP Encoding Functions for AS ABAP Java protection SAP Encoding Functions for AS Java and JavaScript Prevention of Cross-site Scripting SAP HANA protection Protecting SAP® Applications Based on Java and ABAP™ Against Common Attacks

<%@page language="abap" forceEncode="html"%>
<% data: inputvalue type string.
inputvalue = request->get_form_field( 'x' ).
%>
</html>


. , ( ):

<%html=...%>: HTML <%url=...%>: URL URL <%javascript=...%>: JavaScript <%css=…%> : CSS <%raw=...%> ( , , , )

BSP

BSP HTMLB forceEncode <htmlb:content> ENABLED , ( ). ENABLED , , :<htmlb:content forceEncode="ENABLED|BACKWARDS_COMPATIBLE">

ENABLED: . , ; BACKWARDS_COMPATIBLE: . , .

, htmlb:content , . : CLASSIC, DESIGN2002, DESIGN2003, DESIGN2008, , (+). CLASSIC DESIGN2002 (, ) .

<htmlb:content forceEncode="ENABLED" design="DESIGN2003+DESIGN2008">


, design=CLASSIC. .

Mixed BSP- HTML HTMLB

forceEncode BSP page forceEncode HTMLB . , – HTMLB. , , HTML BSP,

Internet Transaction Server (ITS) HTML Business

Internet Transaction Server (ITS) HTML Business, :

xss_url_escape() xss_html_escape() xss_wml_escape() xss_css_escape() xss_js_escape()
HTML Business

, HTML-: , (`) , :
~auto_html_escaping=1: , ~new_xss_functions=1: XSS.
~html_escaping_off=1/0, .
, , SAP_BASIS:
ITS ( <= 6.40), Internet Service SE80. ITS ( >= 6.40), GUI SICF :

7.20, ~new_xss_functions, XSS- .

, , , . ~html_escaping_off=”X”, . , . SAP Security Note 1488500.

Business HTML (BHTML)

HTMLBusiness Template Library (, SAP_TemplateNonEditableField()) . , . SAP Security Note 916255.



, . , .



, XSS-:

http/security_session_timeout = 900; - , . icf/set_HTTPonly_flag_on_cookies = 0; HttpOnly , - , , . HTTPOnly, Logon tickets XSS-.

, RZ10, ( Profile) (, DEFAULT.PFL, SAP-). , , , Extended maintenance . , Copy.



, , - , - -, :
icm/HTTP/logging_0 icm/security_log ,

SAP NetWeaver J2EE

SAP NetWeaver J2EE



AS Java tc_sec_csi.jar. , HTML/XML, JavaScript, CSS URL. StringUtils (com.sap.security.core.server.csi.util.StringUtils):

. Securing SAP from XSS vulnerabilities
escapeScriptEndTag(String pStr) - , javascript ; escapeToHTML(String input) – (. 1) escapeToJS(String input) – JS declaration ( . 5) escapeToURL(String input) – , URL ( 3). , 'disableScriptSignatures'. escapeToURL(StringBuffer sb, String input, int maxLength) - , URL ( 3). , 'disableScriptSignatures'. escapeToURL(String input, int maxLength) - , URL (. 3). , 'disableScriptSignatures'. urlEncode(String s) – URLEncoder.encode

, .

1 ( )

[CASE1]

Username [CASE1]



2 ( , – URL)


Click here


3 ( - URL)




4 ( SCRIPT', – )



5 ( – declaration )



XSSEncoder.
- XSSEncoder ( : com.sap.security.core.server.csi.XSSEncoder).

:
HTML / XML out = XSSEncoder.encodeHTML( in ) and XSSEncoder.encodeXML( val ); JavaScript out = XSSEncoder.encodeJavaScript( val ); URL out = XSSEncoder.encodeURL( val ); CSS out = XSSEncoder.encodeCSS( val );

, . SAP Security Note 1590008.
WebDynpro Java
WebDynpro Java, XSS. .
SAP UI Development Kit for HTML5
SAP UI Development Kit HTML5, jQuery /_core/src/main/js/jquery.sap.encoder.js.
:
HTML / XML jQuery.sap.encodeHTML(sValue) and jQuery.sap.encodeXML(sValue) JavaScript jQuery.sap.encodeJS(sValue) URL jQuery.sap.encodeURL(sValue) CSS jQuery.sap.encodeCSS(sValue)
:

, :
Global_app_config/session_config/sessionTimeout = 900. - , . SystemCookiesDataProtection = true. HttpOnly , - , , . HTTPOnly, Logon tickets XSS-. ume.logon.httponlycookie= True. Logon tickets , Single Sign-On J2EE Engine. “True” , HTTP document.cookie ( XSS-) . SessionIPProtectionEnabled = True. , IP . True, HTTP- IP. IP, .


, , - XSS-, - -, .
LogCLF = TRUE http.properties logging CEF. ArchiveOldLogFiles = ON. Log Configurator . . , . , . . HttpTrace= Enable. HTTP- , ConfigTool. HTTP Provider Service, , HttpTrace.
SAP HANA XS

, XSS- – SAP HANA.


SAP HANA SAPUI5.
- SAPUI5 , . , int int, sap.ui.core . – , HTML:

, :
sessiontimeout = 900. - , . HttpOnly .



, , - XSS-, - -, .

HTTP (S) , SAP HANA, -. - HTTP (S) , icm/http/logging _ 0: global _ auditing _ state = true. global.ini, . , , XSS-. SAP HANA Administration Console –> Security HDB –> Auditing Status menu.



- , XSS. , , - SAP . XSS- – SAP. SAP XSS-. XSS SAP.

, ( chipik ) .


Logging additional information ABAP protection SAP Encoding Functions for AS ABAP Java protection SAP Encoding Functions for AS Java and JavaScript Prevention of Cross-site Scripting SAP HANA protection Protecting SAP® Applications Based on Java and ABAP™ Against Common Attacks

<%@page language="abap" forceEncode="html"%> <% data: inputvalue type string. inputvalue = request->get_form_field( 'x' ). %> </html> . , ( ): <%html=...%>: HTML <%url=...%>: URL URL <%javascript=...%>: JavaScript <%css=…%> : CSS <%raw=...%> ( , , , ) BSP BSP HTMLB forceEncode <htmlb:content> ENABLED , ( ). ENABLED , , :<htmlb:content forceEncode="ENABLED|BACKWARDS_COMPATIBLE"> ENABLED: . , ; BACKWARDS_COMPATIBLE: . , . , htmlb:content , . : CLASSIC, DESIGN2002, DESIGN2003, DESIGN2008, , (+). CLASSIC DESIGN2002 (, ) . <htmlb:content forceEncode="ENABLED" design="DESIGN2003+DESIGN2008"> , design=CLASSIC. . Mixed BSP- HTML HTMLB forceEncode BSP page forceEncode HTMLB . , – HTMLB. , , HTML BSP, Internet Transaction Server (ITS) HTML Business Internet Transaction Server (ITS) HTML Business, : xss_url_escape() xss_html_escape() xss_wml_escape() xss_css_escape() xss_js_escape() HTML Business , HTML-: , (`) , : ~auto_html_escaping=1: , ~new_xss_functions=1: XSS. ~html_escaping_off=1/0, . , , SAP_BASIS: ITS ( <= 6.40), Internet Service SE80. ITS ( >= 6.40), GUI SICF : 7.20, ~new_xss_functions, XSS- . , , , . ~html_escaping_off=”X”, . , . SAP Security Note 1488500. Business HTML (BHTML) HTMLBusiness Template Library (, SAP_TemplateNonEditableField()) . , . SAP Security Note 916255. , . , . , XSS-: http/security_session_timeout = 900; - , . icf/set_HTTPonly_flag_on_cookies = 0; HttpOnly , - , , . HTTPOnly, Logon tickets XSS-. , RZ10, ( Profile) (, DEFAULT.PFL, SAP-). , , , Extended maintenance . , Copy. , , - , - -, : icm/HTTP/logging_0 icm/security_log , SAP NetWeaver J2EE SAP NetWeaver J2EE AS Java tc_sec_csi.jar. , HTML/XML, JavaScript, CSS URL. StringUtils (com.sap.security.core.server.csi.util.StringUtils): . Securing SAP from XSS vulnerabilities escapeScriptEndTag(String pStr) - , javascript ; escapeToHTML(String input) – (. 1) escapeToJS(String input) – JS declaration ( . 5) escapeToURL(String input) – , URL ( 3). , 'disableScriptSignatures'. escapeToURL(StringBuffer sb, String input, int maxLength) - , URL ( 3). , 'disableScriptSignatures'. escapeToURL(String input, int maxLength) - , URL (. 3). , 'disableScriptSignatures'. urlEncode(String s) – URLEncoder.encode , . 1 ( ) [CASE1] Username [CASE1] 2 ( , – URL) Click here 3 ( - URL) 4 ( SCRIPT', – ) 5 ( – declaration ) XSSEncoder. - XSSEncoder ( : com.sap.security.core.server.csi.XSSEncoder). : HTML / XML out = XSSEncoder.encodeHTML( in ) and XSSEncoder.encodeXML( val ); JavaScript out = XSSEncoder.encodeJavaScript( val ); URL out = XSSEncoder.encodeURL( val ); CSS out = XSSEncoder.encodeCSS( val ); , . SAP Security Note 1590008. WebDynpro Java WebDynpro Java, XSS. . SAP UI Development Kit for HTML5 SAP UI Development Kit HTML5, jQuery /_core/src/main/js/jquery.sap.encoder.js. : HTML / XML jQuery.sap.encodeHTML(sValue) and jQuery.sap.encodeXML(sValue) JavaScript jQuery.sap.encodeJS(sValue) URL jQuery.sap.encodeURL(sValue) CSS jQuery.sap.encodeCSS(sValue) : , : Global_app_config/session_config/sessionTimeout = 900. - , . SystemCookiesDataProtection = true. HttpOnly , - , , . HTTPOnly, Logon tickets XSS-. ume.logon.httponlycookie= True. Logon tickets , Single Sign-On J2EE Engine. “True” , HTTP document.cookie ( XSS-) . SessionIPProtectionEnabled = True. , IP . True, HTTP- IP. IP, . , , - XSS-, - -, . LogCLF = TRUE http.properties logging CEF. ArchiveOldLogFiles = ON. Log Configurator . . , . , . . HttpTrace= Enable. HTTP- , ConfigTool. HTTP Provider Service, , HttpTrace. SAP HANA XS , XSS- – SAP HANA. SAP HANA SAPUI5. - SAPUI5 , . , int int, sap.ui.core . – , HTML: , : sessiontimeout = 900. - , . HttpOnly . , , - XSS-, - -, . HTTP (S) , SAP HANA, -. - HTTP (S) , icm/http/logging _ 0: global _ auditing _ state = true. global.ini, . , , XSS-. SAP HANA Administration Console –> Security HDB –> Auditing Status menu. - , XSS. , , - SAP . XSS- – SAP. SAP XSS-. XSS SAP. , ( chipik ) . Logging additional information ABAP protection SAP Encoding Functions for AS ABAP Java protection SAP Encoding Functions for AS Java and JavaScript Prevention of Cross-site Scripting SAP HANA protection Protecting SAP® Applications Based on Java and ABAP™ Against Common Attacks

<%@page language="abap" forceEncode="html"%>
<% data: inputvalue type string.
inputvalue = request->get_form_field( 'x' ).
%>
</html>


. , ( ):

<%html=...%>: HTML <%url=...%>: URL URL <%javascript=...%>: JavaScript <%css=…%> : CSS <%raw=...%> ( , , , )

BSP

BSP HTMLB forceEncode <htmlb:content> ENABLED , ( ). ENABLED , , :<htmlb:content forceEncode="ENABLED|BACKWARDS_COMPATIBLE">

ENABLED: . , ; BACKWARDS_COMPATIBLE: . , .

, htmlb:content , . : CLASSIC, DESIGN2002, DESIGN2003, DESIGN2008, , (+). CLASSIC DESIGN2002 (, ) .

<htmlb:content forceEncode="ENABLED" design="DESIGN2003+DESIGN2008">


, design=CLASSIC. .

Mixed BSP- HTML HTMLB

forceEncode BSP page forceEncode HTMLB . , – HTMLB. , , HTML BSP,

Internet Transaction Server (ITS) HTML Business

Internet Transaction Server (ITS) HTML Business, :

xss_url_escape() xss_html_escape() xss_wml_escape() xss_css_escape() xss_js_escape()
HTML Business

, HTML-: , (`) , :
~auto_html_escaping=1: , ~new_xss_functions=1: XSS.
~html_escaping_off=1/0, .
, , SAP_BASIS:
ITS ( <= 6.40), Internet Service SE80. ITS ( >= 6.40), GUI SICF :

7.20, ~new_xss_functions, XSS- .

, , , . ~html_escaping_off=”X”, . , . SAP Security Note 1488500.

Business HTML (BHTML)

HTMLBusiness Template Library (, SAP_TemplateNonEditableField()) . , . SAP Security Note 916255.



, . , .



, XSS-:

http/security_session_timeout = 900; - , . icf/set_HTTPonly_flag_on_cookies = 0; HttpOnly , - , , . HTTPOnly, Logon tickets XSS-.

, RZ10, ( Profile) (, DEFAULT.PFL, SAP-). , , , Extended maintenance . , Copy.



, , - , - -, :
icm/HTTP/logging_0 icm/security_log ,

SAP NetWeaver J2EE

SAP NetWeaver J2EE



AS Java tc_sec_csi.jar. , HTML/XML, JavaScript, CSS URL. StringUtils (com.sap.security.core.server.csi.util.StringUtils):

. Securing SAP from XSS vulnerabilities
escapeScriptEndTag(String pStr) - , javascript ; escapeToHTML(String input) – (. 1) escapeToJS(String input) – JS declaration ( . 5) escapeToURL(String input) – , URL ( 3). , 'disableScriptSignatures'. escapeToURL(StringBuffer sb, String input, int maxLength) - , URL ( 3). , 'disableScriptSignatures'. escapeToURL(String input, int maxLength) - , URL (. 3). , 'disableScriptSignatures'. urlEncode(String s) – URLEncoder.encode

, .

1 ( )

[CASE1]

Username [CASE1]



2 ( , – URL)


Click here


3 ( - URL)




4 ( SCRIPT', – )



5 ( – declaration )



XSSEncoder.
- XSSEncoder ( : com.sap.security.core.server.csi.XSSEncoder).

:
HTML / XML out = XSSEncoder.encodeHTML( in ) and XSSEncoder.encodeXML( val ); JavaScript out = XSSEncoder.encodeJavaScript( val ); URL out = XSSEncoder.encodeURL( val ); CSS out = XSSEncoder.encodeCSS( val );

, . SAP Security Note 1590008.
WebDynpro Java
WebDynpro Java, XSS. .
SAP UI Development Kit for HTML5
SAP UI Development Kit HTML5, jQuery /_core/src/main/js/jquery.sap.encoder.js.
:
HTML / XML jQuery.sap.encodeHTML(sValue) and jQuery.sap.encodeXML(sValue) JavaScript jQuery.sap.encodeJS(sValue) URL jQuery.sap.encodeURL(sValue) CSS jQuery.sap.encodeCSS(sValue)
:

, :
Global_app_config/session_config/sessionTimeout = 900. - , . SystemCookiesDataProtection = true. HttpOnly , - , , . HTTPOnly, Logon tickets XSS-. ume.logon.httponlycookie= True. Logon tickets , Single Sign-On J2EE Engine. “True” , HTTP document.cookie ( XSS-) . SessionIPProtectionEnabled = True. , IP . True, HTTP- IP. IP, .


, , - XSS-, - -, .
LogCLF = TRUE http.properties logging CEF. ArchiveOldLogFiles = ON. Log Configurator . . , . , . . HttpTrace= Enable. HTTP- , ConfigTool. HTTP Provider Service, , HttpTrace.
SAP HANA XS

, XSS- – SAP HANA.


SAP HANA SAPUI5.
- SAPUI5 , . , int int, sap.ui.core . – , HTML:

, :
sessiontimeout = 900. - , . HttpOnly .



, , - XSS-, - -, .

HTTP (S) , SAP HANA, -. - HTTP (S) , icm/http/logging _ 0: global _ auditing _ state = true. global.ini, . , , XSS-. SAP HANA Administration Console –> Security HDB –> Auditing Status menu.



- , XSS. , , - SAP . XSS- – SAP. SAP XSS-. XSS SAP.

, ( chipik ) .


Logging additional information ABAP protection SAP Encoding Functions for AS ABAP Java protection SAP Encoding Functions for AS Java and JavaScript Prevention of Cross-site Scripting SAP HANA protection Protecting SAP® Applications Based on Java and ABAP™ Against Common Attacks

<%@page language="abap" forceEncode="html"%> <% data: inputvalue type string. inputvalue = request->get_form_field( 'x' ). %> </html> . , ( ): <%html=...%>: HTML <%url=...%>: URL URL <%javascript=...%>: JavaScript <%css=…%> : CSS <%raw=...%> ( , , , ) BSP BSP HTMLB forceEncode <htmlb:content> ENABLED , ( ). ENABLED , , :<htmlb:content forceEncode="ENABLED|BACKWARDS_COMPATIBLE"> ENABLED: . , ; BACKWARDS_COMPATIBLE: . , . , htmlb:content , . : CLASSIC, DESIGN2002, DESIGN2003, DESIGN2008, , (+). CLASSIC DESIGN2002 (, ) . <htmlb:content forceEncode="ENABLED" design="DESIGN2003+DESIGN2008"> , design=CLASSIC. . Mixed BSP- HTML HTMLB forceEncode BSP page forceEncode HTMLB . , – HTMLB. , , HTML BSP, Internet Transaction Server (ITS) HTML Business Internet Transaction Server (ITS) HTML Business, : xss_url_escape() xss_html_escape() xss_wml_escape() xss_css_escape() xss_js_escape() HTML Business , HTML-: , (`) , : ~auto_html_escaping=1: , ~new_xss_functions=1: XSS. ~html_escaping_off=1/0, . , , SAP_BASIS: ITS ( <= 6.40), Internet Service SE80. ITS ( >= 6.40), GUI SICF : 7.20, ~new_xss_functions, XSS- . , , , . ~html_escaping_off=”X”, . , . SAP Security Note 1488500. Business HTML (BHTML) HTMLBusiness Template Library (, SAP_TemplateNonEditableField()) . , . SAP Security Note 916255. , . , . , XSS-: http/security_session_timeout = 900; - , . icf/set_HTTPonly_flag_on_cookies = 0; HttpOnly , - , , . HTTPOnly, Logon tickets XSS-. , RZ10, ( Profile) (, DEFAULT.PFL, SAP-). , , , Extended maintenance . , Copy. , , - , - -, : icm/HTTP/logging_0 icm/security_log , SAP NetWeaver J2EE SAP NetWeaver J2EE AS Java tc_sec_csi.jar. , HTML/XML, JavaScript, CSS URL. StringUtils (com.sap.security.core.server.csi.util.StringUtils): . Securing SAP from XSS vulnerabilities escapeScriptEndTag(String pStr) - , javascript ; escapeToHTML(String input) – (. 1) escapeToJS(String input) – JS declaration ( . 5) escapeToURL(String input) – , URL ( 3). , 'disableScriptSignatures'. escapeToURL(StringBuffer sb, String input, int maxLength) - , URL ( 3). , 'disableScriptSignatures'. escapeToURL(String input, int maxLength) - , URL (. 3). , 'disableScriptSignatures'. urlEncode(String s) – URLEncoder.encode , . 1 ( ) [CASE1] Username [CASE1] 2 ( , – URL) Click here 3 ( - URL) 4 ( SCRIPT', – ) 5 ( – declaration ) XSSEncoder. - XSSEncoder ( : com.sap.security.core.server.csi.XSSEncoder). : HTML / XML out = XSSEncoder.encodeHTML( in ) and XSSEncoder.encodeXML( val ); JavaScript out = XSSEncoder.encodeJavaScript( val ); URL out = XSSEncoder.encodeURL( val ); CSS out = XSSEncoder.encodeCSS( val ); , . SAP Security Note 1590008. WebDynpro Java WebDynpro Java, XSS. . SAP UI Development Kit for HTML5 SAP UI Development Kit HTML5, jQuery /_core/src/main/js/jquery.sap.encoder.js. : HTML / XML jQuery.sap.encodeHTML(sValue) and jQuery.sap.encodeXML(sValue) JavaScript jQuery.sap.encodeJS(sValue) URL jQuery.sap.encodeURL(sValue) CSS jQuery.sap.encodeCSS(sValue) : , : Global_app_config/session_config/sessionTimeout = 900. - , . SystemCookiesDataProtection = true. HttpOnly , - , , . HTTPOnly, Logon tickets XSS-. ume.logon.httponlycookie= True. Logon tickets , Single Sign-On J2EE Engine. “True” , HTTP document.cookie ( XSS-) . SessionIPProtectionEnabled = True. , IP . True, HTTP- IP. IP, . , , - XSS-, - -, . LogCLF = TRUE http.properties logging CEF. ArchiveOldLogFiles = ON. Log Configurator . . , . , . . HttpTrace= Enable. HTTP- , ConfigTool. HTTP Provider Service, , HttpTrace. SAP HANA XS , XSS- – SAP HANA. SAP HANA SAPUI5. - SAPUI5 , . , int int, sap.ui.core . – , HTML: , : sessiontimeout = 900. - , . HttpOnly . , , - XSS-, - -, . HTTP (S) , SAP HANA, -. - HTTP (S) , icm/http/logging _ 0: global _ auditing _ state = true. global.ini, . , , XSS-. SAP HANA Administration Console –> Security HDB –> Auditing Status menu. - , XSS. , , - SAP . XSS- – SAP. SAP XSS-. XSS SAP. , ( chipik ) . Logging additional information ABAP protection SAP Encoding Functions for AS ABAP Java protection SAP Encoding Functions for AS Java and JavaScript Prevention of Cross-site Scripting SAP HANA protection Protecting SAP® Applications Based on Java and ABAP™ Against Common Attacks
<%@page language="abap" forceEncode="html"%> <% data: inputvalue type string. inputvalue = request->get_form_field( 'x' ). %> </html> . , ( ): <%html=...%>: HTML <%url=...%>: URL URL <%javascript=...%>: JavaScript <%css=…%> : CSS <%raw=...%> ( , , , ) BSP BSP HTMLB forceEncode <htmlb:content> ENABLED , ( ). ENABLED , , :<htmlb:content forceEncode="ENABLED|BACKWARDS_COMPATIBLE"> ENABLED: . , ; BACKWARDS_COMPATIBLE: . , . , htmlb:content , . : CLASSIC, DESIGN2002, DESIGN2003, DESIGN2008, , (+). CLASSIC DESIGN2002 (, ) . <htmlb:content forceEncode="ENABLED" design="DESIGN2003+DESIGN2008"> , design=CLASSIC. . Mixed BSP- HTML HTMLB forceEncode BSP page forceEncode HTMLB . , – HTMLB. , , HTML BSP, Internet Transaction Server (ITS) HTML Business Internet Transaction Server (ITS) HTML Business, : xss_url_escape() xss_html_escape() xss_wml_escape() xss_css_escape() xss_js_escape() HTML Business , HTML-: , (`) , : ~auto_html_escaping=1: , ~new_xss_functions=1: XSS. ~html_escaping_off=1/0, . , , SAP_BASIS: ITS ( <= 6.40), Internet Service SE80. ITS ( >= 6.40), GUI SICF : 7.20, ~new_xss_functions, XSS- . , , , . ~html_escaping_off=”X”, . , . SAP Security Note 1488500. Business HTML (BHTML) HTMLBusiness Template Library (, SAP_TemplateNonEditableField()) . , . SAP Security Note 916255. , . , . , XSS-: http/security_session_timeout = 900; - , . icf/set_HTTPonly_flag_on_cookies = 0; HttpOnly , - , , . HTTPOnly, Logon tickets XSS-. , RZ10, ( Profile) (, DEFAULT.PFL, SAP-). , , , Extended maintenance . , Copy. , , - , - -, : icm/HTTP/logging_0 icm/security_log , SAP NetWeaver J2EE SAP NetWeaver J2EE AS Java tc_sec_csi.jar. , HTML/XML, JavaScript, CSS URL. StringUtils (com.sap.security.core.server.csi.util.StringUtils): . Securing SAP from XSS vulnerabilities escapeScriptEndTag(String pStr) - , javascript ; escapeToHTML(String input) – (. 1) escapeToJS(String input) – JS declaration ( . 5) escapeToURL(String input) – , URL ( 3). , 'disableScriptSignatures'. escapeToURL(StringBuffer sb, String input, int maxLength) - , URL ( 3). , 'disableScriptSignatures'. escapeToURL(String input, int maxLength) - , URL (. 3). , 'disableScriptSignatures'. urlEncode(String s) – URLEncoder.encode , . 1 ( ) [CASE1] Username [CASE1] 2 ( , – URL) Click here 3 ( - URL) 4 ( SCRIPT', – ) 5 ( – declaration ) XSSEncoder. - XSSEncoder ( : com.sap.security.core.server.csi.XSSEncoder). : HTML / XML out = XSSEncoder.encodeHTML( in ) and XSSEncoder.encodeXML( val ); JavaScript out = XSSEncoder.encodeJavaScript( val ); URL out = XSSEncoder.encodeURL( val ); CSS out = XSSEncoder.encodeCSS( val ); , . SAP Security Note 1590008. WebDynpro Java WebDynpro Java, XSS. . SAP UI Development Kit for HTML5 SAP UI Development Kit HTML5, jQuery /_core/src/main/js/jquery.sap.encoder.js. : HTML / XML jQuery.sap.encodeHTML(sValue) and jQuery.sap.encodeXML(sValue) JavaScript jQuery.sap.encodeJS(sValue) URL jQuery.sap.encodeURL(sValue) CSS jQuery.sap.encodeCSS(sValue) : , : Global_app_config/session_config/sessionTimeout = 900. - , . SystemCookiesDataProtection = true. HttpOnly , - , , . HTTPOnly, Logon tickets XSS-. ume.logon.httponlycookie= True. Logon tickets , Single Sign-On J2EE Engine. “True” , HTTP document.cookie ( XSS-) . SessionIPProtectionEnabled = True. , IP . True, HTTP- IP. IP, . , , - XSS-, - -, . LogCLF = TRUE http.properties logging CEF. ArchiveOldLogFiles = ON. Log Configurator . . , . , . . HttpTrace= Enable. HTTP- , ConfigTool. HTTP Provider Service, , HttpTrace. SAP HANA XS , XSS- – SAP HANA. SAP HANA SAPUI5. - SAPUI5 , . , int int, sap.ui.core . – , HTML: , : sessiontimeout = 900. - , . HttpOnly . , , - XSS-, - -, . HTTP (S) , SAP HANA, -. - HTTP (S) , icm/http/logging _ 0: global _ auditing _ state = true. global.ini, . , , XSS-. SAP HANA Administration Console –> Security HDB –> Auditing Status menu. - , XSS. , , - SAP . XSS- – SAP. SAP XSS-. XSS SAP. , ( chipik ) . Logging additional information ABAP protection SAP Encoding Functions for AS ABAP Java protection SAP Encoding Functions for AS Java and JavaScript Prevention of Cross-site Scripting SAP HANA protection Protecting SAP® Applications Based on Java and ABAP™ Against Common Attacks
<%@page language="abap" forceEncode="html"%> <% data: inputvalue type string. inputvalue = request->get_form_field( 'x' ). %> </html> . , ( ): <%html=...%>: HTML <%url=...%>: URL URL <%javascript=...%>: JavaScript <%css=…%> : CSS <%raw=...%> ( , , , ) BSP BSP HTMLB forceEncode <htmlb:content> ENABLED , ( ). ENABLED , , :<htmlb:content forceEncode="ENABLED|BACKWARDS_COMPATIBLE"> ENABLED: . , ; BACKWARDS_COMPATIBLE: . , . , htmlb:content , . : CLASSIC, DESIGN2002, DESIGN2003, DESIGN2008, , (+). CLASSIC DESIGN2002 (, ) . <htmlb:content forceEncode="ENABLED" design="DESIGN2003+DESIGN2008"> , design=CLASSIC. . Mixed BSP- HTML HTMLB forceEncode BSP page forceEncode HTMLB . , – HTMLB. , , HTML BSP, Internet Transaction Server (ITS) HTML Business Internet Transaction Server (ITS) HTML Business, : xss_url_escape() xss_html_escape() xss_wml_escape() xss_css_escape() xss_js_escape() HTML Business , HTML-: , (`) , : ~auto_html_escaping=1: , ~new_xss_functions=1: XSS. ~html_escaping_off=1/0, . , , SAP_BASIS: ITS ( <= 6.40), Internet Service SE80. ITS ( >= 6.40), GUI SICF : 7.20, ~new_xss_functions, XSS- . , , , . ~html_escaping_off=”X”, . , . SAP Security Note 1488500. Business HTML (BHTML) HTMLBusiness Template Library (, SAP_TemplateNonEditableField()) . , . SAP Security Note 916255. , . , . , XSS-: http/security_session_timeout = 900; - , . icf/set_HTTPonly_flag_on_cookies = 0; HttpOnly , - , , . HTTPOnly, Logon tickets XSS-. , RZ10, ( Profile) (, DEFAULT.PFL, SAP-). , , , Extended maintenance . , Copy. , , - , - -, : icm/HTTP/logging_0 icm/security_log , SAP NetWeaver J2EE SAP NetWeaver J2EE AS Java tc_sec_csi.jar. , HTML/XML, JavaScript, CSS URL. StringUtils (com.sap.security.core.server.csi.util.StringUtils): . Securing SAP from XSS vulnerabilities escapeScriptEndTag(String pStr) - , javascript ; escapeToHTML(String input) – (. 1) escapeToJS(String input) – JS declaration ( . 5) escapeToURL(String input) – , URL ( 3). , 'disableScriptSignatures'. escapeToURL(StringBuffer sb, String input, int maxLength) - , URL ( 3). , 'disableScriptSignatures'. escapeToURL(String input, int maxLength) - , URL (. 3). , 'disableScriptSignatures'. urlEncode(String s) – URLEncoder.encode , . 1 ( ) [CASE1] Username [CASE1] 2 ( , – URL) Click here 3 ( - URL) 4 ( SCRIPT', – ) 5 ( – declaration ) XSSEncoder. - XSSEncoder ( : com.sap.security.core.server.csi.XSSEncoder). : HTML / XML out = XSSEncoder.encodeHTML( in ) and XSSEncoder.encodeXML( val ); JavaScript out = XSSEncoder.encodeJavaScript( val ); URL out = XSSEncoder.encodeURL( val ); CSS out = XSSEncoder.encodeCSS( val ); , . SAP Security Note 1590008. WebDynpro Java WebDynpro Java, XSS. . SAP UI Development Kit for HTML5 SAP UI Development Kit HTML5, jQuery /_core/src/main/js/jquery.sap.encoder.js. : HTML / XML jQuery.sap.encodeHTML(sValue) and jQuery.sap.encodeXML(sValue) JavaScript jQuery.sap.encodeJS(sValue) URL jQuery.sap.encodeURL(sValue) CSS jQuery.sap.encodeCSS(sValue) : , : Global_app_config/session_config/sessionTimeout = 900. - , . SystemCookiesDataProtection = true. HttpOnly , - , , . HTTPOnly, Logon tickets XSS-. ume.logon.httponlycookie= True. Logon tickets , Single Sign-On J2EE Engine. “True” , HTTP document.cookie ( XSS-) . SessionIPProtectionEnabled = True. , IP . True, HTTP- IP. IP, . , , - XSS-, - -, . LogCLF = TRUE http.properties logging CEF. ArchiveOldLogFiles = ON. Log Configurator . . , . , . . HttpTrace= Enable. HTTP- , ConfigTool. HTTP Provider Service, , HttpTrace. SAP HANA XS , XSS- – SAP HANA. SAP HANA SAPUI5. - SAPUI5 , . , int int, sap.ui.core . – , HTML: , : sessiontimeout = 900. - , . HttpOnly . , , - XSS-, - -, . HTTP (S) , SAP HANA, -. - HTTP (S) , icm/http/logging _ 0: global _ auditing _ state = true. global.ini, . , , XSS-. SAP HANA Administration Console –> Security HDB –> Auditing Status menu. - , XSS. , , - SAP . XSS- – SAP. SAP XSS-. XSS SAP. , ( chipik ) . Logging additional information ABAP protection SAP Encoding Functions for AS ABAP Java protection SAP Encoding Functions for AS Java and JavaScript Prevention of Cross-site Scripting SAP HANA protection Protecting SAP® Applications Based on Java and ABAP™ Against Common Attacks
<%@page language="abap" forceEncode="html"%> <% data: inputvalue type string. inputvalue = request->get_form_field( 'x' ). %> </html> . , ( ): <%html=...%>: HTML <%url=...%>: URL URL <%javascript=...%>: JavaScript <%css=…%> : CSS <%raw=...%> ( , , , ) BSP BSP HTMLB forceEncode <htmlb:content> ENABLED , ( ). ENABLED , , :<htmlb:content forceEncode="ENABLED|BACKWARDS_COMPATIBLE"> ENABLED: . , ; BACKWARDS_COMPATIBLE: . , . , htmlb:content , . : CLASSIC, DESIGN2002, DESIGN2003, DESIGN2008, , (+). CLASSIC DESIGN2002 (, ) . <htmlb:content forceEncode="ENABLED" design="DESIGN2003+DESIGN2008"> , design=CLASSIC. . Mixed BSP- HTML HTMLB forceEncode BSP page forceEncode HTMLB . , – HTMLB. , , HTML BSP, Internet Transaction Server (ITS) HTML Business Internet Transaction Server (ITS) HTML Business, : xss_url_escape() xss_html_escape() xss_wml_escape() xss_css_escape() xss_js_escape() HTML Business , HTML-: , (`) , : ~auto_html_escaping=1: , ~new_xss_functions=1: XSS. ~html_escaping_off=1/0, . , , SAP_BASIS: ITS ( <= 6.40), Internet Service SE80. ITS ( >= 6.40), GUI SICF : 7.20, ~new_xss_functions, XSS- . , , , . ~html_escaping_off=”X”, . , . SAP Security Note 1488500. Business HTML (BHTML) HTMLBusiness Template Library (, SAP_TemplateNonEditableField()) . , . SAP Security Note 916255. , . , . , XSS-: http/security_session_timeout = 900; - , . icf/set_HTTPonly_flag_on_cookies = 0; HttpOnly , - , , . HTTPOnly, Logon tickets XSS-. , RZ10, ( Profile) (, DEFAULT.PFL, SAP-). , , , Extended maintenance . , Copy. , , - , - -, : icm/HTTP/logging_0 icm/security_log , SAP NetWeaver J2EE SAP NetWeaver J2EE AS Java tc_sec_csi.jar. , HTML/XML, JavaScript, CSS URL. StringUtils (com.sap.security.core.server.csi.util.StringUtils): . Securing SAP from XSS vulnerabilities escapeScriptEndTag(String pStr) - , javascript ; escapeToHTML(String input) – (. 1) escapeToJS(String input) – JS declaration ( . 5) escapeToURL(String input) – , URL ( 3). , 'disableScriptSignatures'. escapeToURL(StringBuffer sb, String input, int maxLength) - , URL ( 3). , 'disableScriptSignatures'. escapeToURL(String input, int maxLength) - , URL (. 3). , 'disableScriptSignatures'. urlEncode(String s) – URLEncoder.encode , . 1 ( ) [CASE1] Username [CASE1] 2 ( , – URL) Click here 3 ( - URL) 4 ( SCRIPT', – ) 5 ( – declaration ) XSSEncoder. - XSSEncoder ( : com.sap.security.core.server.csi.XSSEncoder). : HTML / XML out = XSSEncoder.encodeHTML( in ) and XSSEncoder.encodeXML( val ); JavaScript out = XSSEncoder.encodeJavaScript( val ); URL out = XSSEncoder.encodeURL( val ); CSS out = XSSEncoder.encodeCSS( val ); , . SAP Security Note 1590008. WebDynpro Java WebDynpro Java, XSS. . SAP UI Development Kit for HTML5 SAP UI Development Kit HTML5, jQuery /_core/src/main/js/jquery.sap.encoder.js. : HTML / XML jQuery.sap.encodeHTML(sValue) and jQuery.sap.encodeXML(sValue) JavaScript jQuery.sap.encodeJS(sValue) URL jQuery.sap.encodeURL(sValue) CSS jQuery.sap.encodeCSS(sValue) : , : Global_app_config/session_config/sessionTimeout = 900. - , . SystemCookiesDataProtection = true. HttpOnly , - , , . HTTPOnly, Logon tickets XSS-. ume.logon.httponlycookie= True. Logon tickets , Single Sign-On J2EE Engine. “True” , HTTP document.cookie ( XSS-) . SessionIPProtectionEnabled = True. , IP . True, HTTP- IP. IP, . , , - XSS-, - -, . LogCLF = TRUE http.properties logging CEF. ArchiveOldLogFiles = ON. Log Configurator . . , . , . . HttpTrace= Enable. HTTP- , ConfigTool. HTTP Provider Service, , HttpTrace. SAP HANA XS , XSS- – SAP HANA. SAP HANA SAPUI5. - SAPUI5 , . , int int, sap.ui.core . – , HTML: , : sessiontimeout = 900. - , . HttpOnly . , , - XSS-, - -, . HTTP (S) , SAP HANA, -. - HTTP (S) , icm/http/logging _ 0: global _ auditing _ state = true. global.ini, . , , XSS-. SAP HANA Administration Console –> Security HDB –> Auditing Status menu. - , XSS. , , - SAP . XSS- – SAP. SAP XSS-. XSS SAP. , ( chipik ) . Logging additional information ABAP protection SAP Encoding Functions for AS ABAP Java protection SAP Encoding Functions for AS Java and JavaScript Prevention of Cross-site Scripting SAP HANA protection Protecting SAP® Applications Based on Java and ABAP™ Against Common Attacks
<%@page language="abap" forceEncode="html"%> <% data: inputvalue type string. inputvalue = request->get_form_field( 'x' ). %> </html> . , ( ): <%html=...%>: HTML <%url=...%>: URL URL <%javascript=...%>: JavaScript <%css=…%> : CSS <%raw=...%> ( , , , ) BSP BSP HTMLB forceEncode <htmlb:content> ENABLED , ( ). ENABLED , , :<htmlb:content forceEncode="ENABLED|BACKWARDS_COMPATIBLE"> ENABLED: . , ; BACKWARDS_COMPATIBLE: . , . , htmlb:content , . : CLASSIC, DESIGN2002, DESIGN2003, DESIGN2008, , (+). CLASSIC DESIGN2002 (, ) . <htmlb:content forceEncode="ENABLED" design="DESIGN2003+DESIGN2008"> , design=CLASSIC. . Mixed BSP- HTML HTMLB forceEncode BSP page forceEncode HTMLB . , – HTMLB. , , HTML BSP, Internet Transaction Server (ITS) HTML Business Internet Transaction Server (ITS) HTML Business, : xss_url_escape() xss_html_escape() xss_wml_escape() xss_css_escape() xss_js_escape() HTML Business , HTML-: , (`) , : ~auto_html_escaping=1: , ~new_xss_functions=1: XSS. ~html_escaping_off=1/0, . , , SAP_BASIS: ITS ( <= 6.40), Internet Service SE80. ITS ( >= 6.40), GUI SICF : 7.20, ~new_xss_functions, XSS- . , , , . ~html_escaping_off=”X”, . , . SAP Security Note 1488500. Business HTML (BHTML) HTMLBusiness Template Library (, SAP_TemplateNonEditableField()) . , . SAP Security Note 916255. , . , . , XSS-: http/security_session_timeout = 900; - , . icf/set_HTTPonly_flag_on_cookies = 0; HttpOnly , - , , . HTTPOnly, Logon tickets XSS-. , RZ10, ( Profile) (, DEFAULT.PFL, SAP-). , , , Extended maintenance . , Copy. , , - , - -, : icm/HTTP/logging_0 icm/security_log , SAP NetWeaver J2EE SAP NetWeaver J2EE AS Java tc_sec_csi.jar. , HTML/XML, JavaScript, CSS URL. StringUtils (com.sap.security.core.server.csi.util.StringUtils): . Securing SAP from XSS vulnerabilities escapeScriptEndTag(String pStr) - , javascript ; escapeToHTML(String input) – (. 1) escapeToJS(String input) – JS declaration ( . 5) escapeToURL(String input) – , URL ( 3). , 'disableScriptSignatures'. escapeToURL(StringBuffer sb, String input, int maxLength) - , URL ( 3). , 'disableScriptSignatures'. escapeToURL(String input, int maxLength) - , URL (. 3). , 'disableScriptSignatures'. urlEncode(String s) – URLEncoder.encode , . 1 ( ) [CASE1] Username [CASE1] 2 ( , – URL) Click here 3 ( - URL) 4 ( SCRIPT', – ) 5 ( – declaration ) XSSEncoder. - XSSEncoder ( : com.sap.security.core.server.csi.XSSEncoder). : HTML / XML out = XSSEncoder.encodeHTML( in ) and XSSEncoder.encodeXML( val ); JavaScript out = XSSEncoder.encodeJavaScript( val ); URL out = XSSEncoder.encodeURL( val ); CSS out = XSSEncoder.encodeCSS( val ); , . SAP Security Note 1590008. WebDynpro Java WebDynpro Java, XSS. . SAP UI Development Kit for HTML5 SAP UI Development Kit HTML5, jQuery /_core/src/main/js/jquery.sap.encoder.js. : HTML / XML jQuery.sap.encodeHTML(sValue) and jQuery.sap.encodeXML(sValue) JavaScript jQuery.sap.encodeJS(sValue) URL jQuery.sap.encodeURL(sValue) CSS jQuery.sap.encodeCSS(sValue) : , : Global_app_config/session_config/sessionTimeout = 900. - , . SystemCookiesDataProtection = true. HttpOnly , - , , . HTTPOnly, Logon tickets XSS-. ume.logon.httponlycookie= True. Logon tickets , Single Sign-On J2EE Engine. “True” , HTTP document.cookie ( XSS-) . SessionIPProtectionEnabled = True. , IP . True, HTTP- IP. IP, . , , - XSS-, - -, . LogCLF = TRUE http.properties logging CEF. ArchiveOldLogFiles = ON. Log Configurator . . , . , . . HttpTrace= Enable. HTTP- , ConfigTool. HTTP Provider Service, , HttpTrace. SAP HANA XS , XSS- – SAP HANA. SAP HANA SAPUI5. - SAPUI5 , . , int int, sap.ui.core . – , HTML: , : sessiontimeout = 900. - , . HttpOnly . , , - XSS-, - -, . HTTP (S) , SAP HANA, -. - HTTP (S) , icm/http/logging _ 0: global _ auditing _ state = true. global.ini, . , , XSS-. SAP HANA Administration Console –> Security HDB –> Auditing Status menu. - , XSS. , , - SAP . XSS- – SAP. SAP XSS-. XSS SAP. , ( chipik ) . Logging additional information ABAP protection SAP Encoding Functions for AS ABAP Java protection SAP Encoding Functions for AS Java and JavaScript Prevention of Cross-site Scripting SAP HANA protection Protecting SAP® Applications Based on Java and ABAP™ Against Common Attacks

<%@page language="abap" forceEncode="html"%>
<% data: inputvalue type string.
inputvalue = request->get_form_field( 'x' ).
%>
</html>


. , ( ):

<%html=...%>: HTML <%url=...%>: URL URL <%javascript=...%>: JavaScript <%css=…%> : CSS <%raw=...%> ( , , , )

BSP

BSP HTMLB forceEncode <htmlb:content> ENABLED , ( ). ENABLED , , :<htmlb:content forceEncode="ENABLED|BACKWARDS_COMPATIBLE">

ENABLED: . , ; BACKWARDS_COMPATIBLE: . , .

, htmlb:content , . : CLASSIC, DESIGN2002, DESIGN2003, DESIGN2008, , (+). CLASSIC DESIGN2002 (, ) .

<htmlb:content forceEncode="ENABLED" design="DESIGN2003+DESIGN2008">


, design=CLASSIC. .

Mixed BSP- HTML HTMLB

forceEncode BSP page forceEncode HTMLB . , – HTMLB. , , HTML BSP,

Internet Transaction Server (ITS) HTML Business

Internet Transaction Server (ITS) HTML Business, :

xss_url_escape() xss_html_escape() xss_wml_escape() xss_css_escape() xss_js_escape()
HTML Business

, HTML-: , (`) , :
~auto_html_escaping=1: , ~new_xss_functions=1: XSS.
~html_escaping_off=1/0, .
, , SAP_BASIS:
ITS ( <= 6.40), Internet Service SE80. ITS ( >= 6.40), GUI SICF :

7.20, ~new_xss_functions, XSS- .

, , , . ~html_escaping_off=”X”, . , . SAP Security Note 1488500.

Business HTML (BHTML)

HTMLBusiness Template Library (, SAP_TemplateNonEditableField()) . , . SAP Security Note 916255.



, . , .



, XSS-:

http/security_session_timeout = 900; - , . icf/set_HTTPonly_flag_on_cookies = 0; HttpOnly , - , , . HTTPOnly, Logon tickets XSS-.

, RZ10, ( Profile) (, DEFAULT.PFL, SAP-). , , , Extended maintenance . , Copy.



, , - , - -, :
icm/HTTP/logging_0 icm/security_log ,

SAP NetWeaver J2EE

SAP NetWeaver J2EE



AS Java tc_sec_csi.jar. , HTML/XML, JavaScript, CSS URL. StringUtils (com.sap.security.core.server.csi.util.StringUtils):

. Securing SAP from XSS vulnerabilities
escapeScriptEndTag(String pStr) - , javascript ; escapeToHTML(String input) – (. 1) escapeToJS(String input) – JS declaration ( . 5) escapeToURL(String input) – , URL ( 3). , 'disableScriptSignatures'. escapeToURL(StringBuffer sb, String input, int maxLength) - , URL ( 3). , 'disableScriptSignatures'. escapeToURL(String input, int maxLength) - , URL (. 3). , 'disableScriptSignatures'. urlEncode(String s) – URLEncoder.encode

, .

1 ( )

[CASE1]

Username [CASE1]



2 ( , – URL)


Click here


3 ( - URL)




4 ( SCRIPT', – )



5 ( – declaration )



XSSEncoder.
- XSSEncoder ( : com.sap.security.core.server.csi.XSSEncoder).

:
HTML / XML out = XSSEncoder.encodeHTML( in ) and XSSEncoder.encodeXML( val ); JavaScript out = XSSEncoder.encodeJavaScript( val ); URL out = XSSEncoder.encodeURL( val ); CSS out = XSSEncoder.encodeCSS( val );

, . SAP Security Note 1590008.
WebDynpro Java
WebDynpro Java, XSS. .
SAP UI Development Kit for HTML5
SAP UI Development Kit HTML5, jQuery /_core/src/main/js/jquery.sap.encoder.js.
:
HTML / XML jQuery.sap.encodeHTML(sValue) and jQuery.sap.encodeXML(sValue) JavaScript jQuery.sap.encodeJS(sValue) URL jQuery.sap.encodeURL(sValue) CSS jQuery.sap.encodeCSS(sValue)
:

, :
Global_app_config/session_config/sessionTimeout = 900. - , . SystemCookiesDataProtection = true. HttpOnly , - , , . HTTPOnly, Logon tickets XSS-. ume.logon.httponlycookie= True. Logon tickets , Single Sign-On J2EE Engine. “True” , HTTP document.cookie ( XSS-) . SessionIPProtectionEnabled = True. , IP . True, HTTP- IP. IP, .


, , - XSS-, - -, .
LogCLF = TRUE http.properties logging CEF. ArchiveOldLogFiles = ON. Log Configurator . . , . , . . HttpTrace= Enable. HTTP- , ConfigTool. HTTP Provider Service, , HttpTrace.
SAP HANA XS

, XSS- – SAP HANA.


SAP HANA SAPUI5.
- SAPUI5 , . , int int, sap.ui.core . – , HTML:

, :
sessiontimeout = 900. - , . HttpOnly .



, , - XSS-, - -, .

HTTP (S) , SAP HANA, -. - HTTP (S) , icm/http/logging _ 0: global _ auditing _ state = true. global.ini, . , , XSS-. SAP HANA Administration Console –> Security HDB –> Auditing Status menu.



- , XSS. , , - SAP . XSS- – SAP. SAP XSS-. XSS SAP.

, ( chipik ) .


Logging additional information ABAP protection SAP Encoding Functions for AS ABAP Java protection SAP Encoding Functions for AS Java and JavaScript Prevention of Cross-site Scripting SAP HANA protection Protecting SAP® Applications Based on Java and ABAP™ Against Common Attacks

<%@page language="abap" forceEncode="html"%> <% data: inputvalue type string. inputvalue = request->get_form_field( 'x' ). %> </html> . , ( ): <%html=...%>: HTML <%url=...%>: URL URL <%javascript=...%>: JavaScript <%css=…%> : CSS <%raw=...%> ( , , , ) BSP BSP HTMLB forceEncode <htmlb:content> ENABLED , ( ). ENABLED , , :<htmlb:content forceEncode="ENABLED|BACKWARDS_COMPATIBLE"> ENABLED: . , ; BACKWARDS_COMPATIBLE: . , . , htmlb:content , . : CLASSIC, DESIGN2002, DESIGN2003, DESIGN2008, , (+). CLASSIC DESIGN2002 (, ) . <htmlb:content forceEncode="ENABLED" design="DESIGN2003+DESIGN2008"> , design=CLASSIC. . Mixed BSP- HTML HTMLB forceEncode BSP page forceEncode HTMLB . , – HTMLB. , , HTML BSP, Internet Transaction Server (ITS) HTML Business Internet Transaction Server (ITS) HTML Business, : xss_url_escape() xss_html_escape() xss_wml_escape() xss_css_escape() xss_js_escape() HTML Business , HTML-: , (`) , : ~auto_html_escaping=1: , ~new_xss_functions=1: XSS. ~html_escaping_off=1/0, . , , SAP_BASIS: ITS ( <= 6.40), Internet Service SE80. ITS ( >= 6.40), GUI SICF : 7.20, ~new_xss_functions, XSS- . , , , . ~html_escaping_off=”X”, . , . SAP Security Note 1488500. Business HTML (BHTML) HTMLBusiness Template Library (, SAP_TemplateNonEditableField()) . , . SAP Security Note 916255. , . , . , XSS-: http/security_session_timeout = 900; - , . icf/set_HTTPonly_flag_on_cookies = 0; HttpOnly , - , , . HTTPOnly, Logon tickets XSS-. , RZ10, ( Profile) (, DEFAULT.PFL, SAP-). , , , Extended maintenance . , Copy. , , - , - -, : icm/HTTP/logging_0 icm/security_log , SAP NetWeaver J2EE SAP NetWeaver J2EE AS Java tc_sec_csi.jar. , HTML/XML, JavaScript, CSS URL. StringUtils (com.sap.security.core.server.csi.util.StringUtils): . Securing SAP from XSS vulnerabilities escapeScriptEndTag(String pStr) - , javascript ; escapeToHTML(String input) – (. 1) escapeToJS(String input) – JS declaration ( . 5) escapeToURL(String input) – , URL ( 3). , 'disableScriptSignatures'. escapeToURL(StringBuffer sb, String input, int maxLength) - , URL ( 3). , 'disableScriptSignatures'. escapeToURL(String input, int maxLength) - , URL (. 3). , 'disableScriptSignatures'. urlEncode(String s) – URLEncoder.encode , . 1 ( ) [CASE1] Username [CASE1] 2 ( , – URL) Click here 3 ( - URL) 4 ( SCRIPT', – ) 5 ( – declaration ) XSSEncoder. - XSSEncoder ( : com.sap.security.core.server.csi.XSSEncoder). : HTML / XML out = XSSEncoder.encodeHTML( in ) and XSSEncoder.encodeXML( val ); JavaScript out = XSSEncoder.encodeJavaScript( val ); URL out = XSSEncoder.encodeURL( val ); CSS out = XSSEncoder.encodeCSS( val ); , . SAP Security Note 1590008. WebDynpro Java WebDynpro Java, XSS. . SAP UI Development Kit for HTML5 SAP UI Development Kit HTML5, jQuery /_core/src/main/js/jquery.sap.encoder.js. : HTML / XML jQuery.sap.encodeHTML(sValue) and jQuery.sap.encodeXML(sValue) JavaScript jQuery.sap.encodeJS(sValue) URL jQuery.sap.encodeURL(sValue) CSS jQuery.sap.encodeCSS(sValue) : , : Global_app_config/session_config/sessionTimeout = 900. - , . SystemCookiesDataProtection = true. HttpOnly , - , , . HTTPOnly, Logon tickets XSS-. ume.logon.httponlycookie= True. Logon tickets , Single Sign-On J2EE Engine. “True” , HTTP document.cookie ( XSS-) . SessionIPProtectionEnabled = True. , IP . True, HTTP- IP. IP, . , , - XSS-, - -, . LogCLF = TRUE http.properties logging CEF. ArchiveOldLogFiles = ON. Log Configurator . . , . , . . HttpTrace= Enable. HTTP- , ConfigTool. HTTP Provider Service, , HttpTrace. SAP HANA XS , XSS- – SAP HANA. SAP HANA SAPUI5. - SAPUI5 , . , int int, sap.ui.core . – , HTML: , : sessiontimeout = 900. - , . HttpOnly . , , - XSS-, - -, . HTTP (S) , SAP HANA, -. - HTTP (S) , icm/http/logging _ 0: global _ auditing _ state = true. global.ini, . , , XSS-. SAP HANA Administration Console –> Security HDB –> Auditing Status menu. - , XSS. , , - SAP . XSS- – SAP. SAP XSS-. XSS SAP. , ( chipik ) . Logging additional information ABAP protection SAP Encoding Functions for AS ABAP Java protection SAP Encoding Functions for AS Java and JavaScript Prevention of Cross-site Scripting SAP HANA protection Protecting SAP® Applications Based on Java and ABAP™ Against Common Attacks

<%@page language="abap" forceEncode="html"%>
<% data: inputvalue type string.
inputvalue = request->get_form_field( 'x' ).
%>
</html>


. , ( ):

<%html=...%>: HTML <%url=...%>: URL URL <%javascript=...%>: JavaScript <%css=…%> : CSS <%raw=...%> ( , , , )

BSP

BSP HTMLB forceEncode <htmlb:content> ENABLED , ( ). ENABLED , , :<htmlb:content forceEncode="ENABLED|BACKWARDS_COMPATIBLE">

ENABLED: . , ; BACKWARDS_COMPATIBLE: . , .

, htmlb:content , . : CLASSIC, DESIGN2002, DESIGN2003, DESIGN2008, , (+). CLASSIC DESIGN2002 (, ) .

<htmlb:content forceEncode="ENABLED" design="DESIGN2003+DESIGN2008">


, design=CLASSIC. .

Mixed BSP- HTML HTMLB

forceEncode BSP page forceEncode HTMLB . , – HTMLB. , , HTML BSP,

Internet Transaction Server (ITS) HTML Business

Internet Transaction Server (ITS) HTML Business, :

xss_url_escape() xss_html_escape() xss_wml_escape() xss_css_escape() xss_js_escape()
HTML Business

, HTML-: , (`) , :
~auto_html_escaping=1: , ~new_xss_functions=1: XSS.
~html_escaping_off=1/0, .
, , SAP_BASIS:
ITS ( <= 6.40), Internet Service SE80. ITS ( >= 6.40), GUI SICF :

7.20, ~new_xss_functions, XSS- .

, , , . ~html_escaping_off=”X”, . , . SAP Security Note 1488500.

Business HTML (BHTML)

HTMLBusiness Template Library (, SAP_TemplateNonEditableField()) . , . SAP Security Note 916255.



, . , .



, XSS-:

http/security_session_timeout = 900; - , . icf/set_HTTPonly_flag_on_cookies = 0; HttpOnly , - , , . HTTPOnly, Logon tickets XSS-.

, RZ10, ( Profile) (, DEFAULT.PFL, SAP-). , , , Extended maintenance . , Copy.



, , - , - -, :
icm/HTTP/logging_0 icm/security_log ,

SAP NetWeaver J2EE

SAP NetWeaver J2EE



AS Java tc_sec_csi.jar. , HTML/XML, JavaScript, CSS URL. StringUtils (com.sap.security.core.server.csi.util.StringUtils):

. Securing SAP from XSS vulnerabilities
escapeScriptEndTag(String pStr) - , javascript ; escapeToHTML(String input) – (. 1) escapeToJS(String input) – JS declaration ( . 5) escapeToURL(String input) – , URL ( 3). , 'disableScriptSignatures'. escapeToURL(StringBuffer sb, String input, int maxLength) - , URL ( 3). , 'disableScriptSignatures'. escapeToURL(String input, int maxLength) - , URL (. 3). , 'disableScriptSignatures'. urlEncode(String s) – URLEncoder.encode

, .

1 ( )

[CASE1]

Username [CASE1]



2 ( , – URL)


Click here


3 ( - URL)




4 ( SCRIPT', – )



5 ( – declaration )



XSSEncoder.
- XSSEncoder ( : com.sap.security.core.server.csi.XSSEncoder).

:
HTML / XML out = XSSEncoder.encodeHTML( in ) and XSSEncoder.encodeXML( val ); JavaScript out = XSSEncoder.encodeJavaScript( val ); URL out = XSSEncoder.encodeURL( val ); CSS out = XSSEncoder.encodeCSS( val );

, . SAP Security Note 1590008.
WebDynpro Java
WebDynpro Java, XSS. .
SAP UI Development Kit for HTML5
SAP UI Development Kit HTML5, jQuery /_core/src/main/js/jquery.sap.encoder.js.
:
HTML / XML jQuery.sap.encodeHTML(sValue) and jQuery.sap.encodeXML(sValue) JavaScript jQuery.sap.encodeJS(sValue) URL jQuery.sap.encodeURL(sValue) CSS jQuery.sap.encodeCSS(sValue)
:

, :
Global_app_config/session_config/sessionTimeout = 900. - , . SystemCookiesDataProtection = true. HttpOnly , - , , . HTTPOnly, Logon tickets XSS-. ume.logon.httponlycookie= True. Logon tickets , Single Sign-On J2EE Engine. “True” , HTTP document.cookie ( XSS-) . SessionIPProtectionEnabled = True. , IP . True, HTTP- IP. IP, .


, , - XSS-, - -, .
LogCLF = TRUE http.properties logging CEF. ArchiveOldLogFiles = ON. Log Configurator . . , . , . . HttpTrace= Enable. HTTP- , ConfigTool. HTTP Provider Service, , HttpTrace.
SAP HANA XS

, XSS- – SAP HANA.


SAP HANA SAPUI5.
- SAPUI5 , . , int int, sap.ui.core . – , HTML:

, :
sessiontimeout = 900. - , . HttpOnly .



, , - XSS-, - -, .

HTTP (S) , SAP HANA, -. - HTTP (S) , icm/http/logging _ 0: global _ auditing _ state = true. global.ini, . , , XSS-. SAP HANA Administration Console –> Security HDB –> Auditing Status menu.



- , XSS. , , - SAP . XSS- – SAP. SAP XSS-. XSS SAP.

, ( chipik ) .


Logging additional information ABAP protection SAP Encoding Functions for AS ABAP Java protection SAP Encoding Functions for AS Java and JavaScript Prevention of Cross-site Scripting SAP HANA protection Protecting SAP® Applications Based on Java and ABAP™ Against Common Attacks

<%@page language="abap" forceEncode="html"%> <% data: inputvalue type string. inputvalue = request->get_form_field( 'x' ). %> </html> . , ( ): <%html=...%>: HTML <%url=...%>: URL URL <%javascript=...%>: JavaScript <%css=…%> : CSS <%raw=...%> ( , , , ) BSP BSP HTMLB forceEncode <htmlb:content> ENABLED , ( ). ENABLED , , :<htmlb:content forceEncode="ENABLED|BACKWARDS_COMPATIBLE"> ENABLED: . , ; BACKWARDS_COMPATIBLE: . , . , htmlb:content , . : CLASSIC, DESIGN2002, DESIGN2003, DESIGN2008, , (+). CLASSIC DESIGN2002 (, ) . <htmlb:content forceEncode="ENABLED" design="DESIGN2003+DESIGN2008"> , design=CLASSIC. . Mixed BSP- HTML HTMLB forceEncode BSP page forceEncode HTMLB . , – HTMLB. , , HTML BSP, Internet Transaction Server (ITS) HTML Business Internet Transaction Server (ITS) HTML Business, : xss_url_escape() xss_html_escape() xss_wml_escape() xss_css_escape() xss_js_escape() HTML Business , HTML-: , (`) , : ~auto_html_escaping=1: , ~new_xss_functions=1: XSS. ~html_escaping_off=1/0, . , , SAP_BASIS: ITS ( <= 6.40), Internet Service SE80. ITS ( >= 6.40), GUI SICF : 7.20, ~new_xss_functions, XSS- . , , , . ~html_escaping_off=”X”, . , . SAP Security Note 1488500. Business HTML (BHTML) HTMLBusiness Template Library (, SAP_TemplateNonEditableField()) . , . SAP Security Note 916255. , . , . , XSS-: http/security_session_timeout = 900; - , . icf/set_HTTPonly_flag_on_cookies = 0; HttpOnly , - , , . HTTPOnly, Logon tickets XSS-. , RZ10, ( Profile) (, DEFAULT.PFL, SAP-). , , , Extended maintenance . , Copy. , , - , - -, : icm/HTTP/logging_0 icm/security_log , SAP NetWeaver J2EE SAP NetWeaver J2EE AS Java tc_sec_csi.jar. , HTML/XML, JavaScript, CSS URL. StringUtils (com.sap.security.core.server.csi.util.StringUtils): . Securing SAP from XSS vulnerabilities escapeScriptEndTag(String pStr) - , javascript ; escapeToHTML(String input) – (. 1) escapeToJS(String input) – JS declaration ( . 5) escapeToURL(String input) – , URL ( 3). , 'disableScriptSignatures'. escapeToURL(StringBuffer sb, String input, int maxLength) - , URL ( 3). , 'disableScriptSignatures'. escapeToURL(String input, int maxLength) - , URL (. 3). , 'disableScriptSignatures'. urlEncode(String s) – URLEncoder.encode , . 1 ( ) [CASE1] Username [CASE1] 2 ( , – URL) Click here 3 ( - URL) 4 ( SCRIPT', – ) 5 ( – declaration ) XSSEncoder. - XSSEncoder ( : com.sap.security.core.server.csi.XSSEncoder). : HTML / XML out = XSSEncoder.encodeHTML( in ) and XSSEncoder.encodeXML( val ); JavaScript out = XSSEncoder.encodeJavaScript( val ); URL out = XSSEncoder.encodeURL( val ); CSS out = XSSEncoder.encodeCSS( val ); , . SAP Security Note 1590008. WebDynpro Java WebDynpro Java, XSS. . SAP UI Development Kit for HTML5 SAP UI Development Kit HTML5, jQuery /_core/src/main/js/jquery.sap.encoder.js. : HTML / XML jQuery.sap.encodeHTML(sValue) and jQuery.sap.encodeXML(sValue) JavaScript jQuery.sap.encodeJS(sValue) URL jQuery.sap.encodeURL(sValue) CSS jQuery.sap.encodeCSS(sValue) : , : Global_app_config/session_config/sessionTimeout = 900. - , . SystemCookiesDataProtection = true. HttpOnly , - , , . HTTPOnly, Logon tickets XSS-. ume.logon.httponlycookie= True. Logon tickets , Single Sign-On J2EE Engine. “True” , HTTP document.cookie ( XSS-) . SessionIPProtectionEnabled = True. , IP . True, HTTP- IP. IP, . , , - XSS-, - -, . LogCLF = TRUE http.properties logging CEF. ArchiveOldLogFiles = ON. Log Configurator . . , . , . . HttpTrace= Enable. HTTP- , ConfigTool. HTTP Provider Service, , HttpTrace. SAP HANA XS , XSS- – SAP HANA. SAP HANA SAPUI5. - SAPUI5 , . , int int, sap.ui.core . – , HTML: , : sessiontimeout = 900. - , . HttpOnly . , , - XSS-, - -, . HTTP (S) , SAP HANA, -. - HTTP (S) , icm/http/logging _ 0: global _ auditing _ state = true. global.ini, . , , XSS-. SAP HANA Administration Console –> Security HDB –> Auditing Status menu. - , XSS. , , - SAP . XSS- – SAP. SAP XSS-. XSS SAP. , ( chipik ) . Logging additional information ABAP protection SAP Encoding Functions for AS ABAP Java protection SAP Encoding Functions for AS Java and JavaScript Prevention of Cross-site Scripting SAP HANA protection Protecting SAP® Applications Based on Java and ABAP™ Against Common Attacks
<%@page language="abap" forceEncode="html"%> <% data: inputvalue type string. inputvalue = request->get_form_field( 'x' ). %> </html> . , ( ): <%html=...%>: HTML <%url=...%>: URL URL <%javascript=...%>: JavaScript <%css=…%> : CSS <%raw=...%> ( , , , ) BSP BSP HTMLB forceEncode <htmlb:content> ENABLED , ( ). ENABLED , , :<htmlb:content forceEncode="ENABLED|BACKWARDS_COMPATIBLE"> ENABLED: . , ; BACKWARDS_COMPATIBLE: . , . , htmlb:content , . : CLASSIC, DESIGN2002, DESIGN2003, DESIGN2008, , (+). CLASSIC DESIGN2002 (, ) . <htmlb:content forceEncode="ENABLED" design="DESIGN2003+DESIGN2008"> , design=CLASSIC. . Mixed BSP- HTML HTMLB forceEncode BSP page forceEncode HTMLB . , – HTMLB. , , HTML BSP, Internet Transaction Server (ITS) HTML Business Internet Transaction Server (ITS) HTML Business, : xss_url_escape() xss_html_escape() xss_wml_escape() xss_css_escape() xss_js_escape() HTML Business , HTML-: , (`) , : ~auto_html_escaping=1: , ~new_xss_functions=1: XSS. ~html_escaping_off=1/0, . , , SAP_BASIS: ITS ( <= 6.40), Internet Service SE80. ITS ( >= 6.40), GUI SICF : 7.20, ~new_xss_functions, XSS- . , , , . ~html_escaping_off=”X”, . , . SAP Security Note 1488500. Business HTML (BHTML) HTMLBusiness Template Library (, SAP_TemplateNonEditableField()) . , . SAP Security Note 916255. , . , . , XSS-: http/security_session_timeout = 900; - , . icf/set_HTTPonly_flag_on_cookies = 0; HttpOnly , - , , . HTTPOnly, Logon tickets XSS-. , RZ10, ( Profile) (, DEFAULT.PFL, SAP-). , , , Extended maintenance . , Copy. , , - , - -, : icm/HTTP/logging_0 icm/security_log , SAP NetWeaver J2EE SAP NetWeaver J2EE AS Java tc_sec_csi.jar. , HTML/XML, JavaScript, CSS URL. StringUtils (com.sap.security.core.server.csi.util.StringUtils): . Securing SAP from XSS vulnerabilities escapeScriptEndTag(String pStr) - , javascript ; escapeToHTML(String input) – (. 1) escapeToJS(String input) – JS declaration ( . 5) escapeToURL(String input) – , URL ( 3). , 'disableScriptSignatures'. escapeToURL(StringBuffer sb, String input, int maxLength) - , URL ( 3). , 'disableScriptSignatures'. escapeToURL(String input, int maxLength) - , URL (. 3). , 'disableScriptSignatures'. urlEncode(String s) – URLEncoder.encode , . 1 ( ) [CASE1] Username [CASE1] 2 ( , – URL) Click here 3 ( - URL) 4 ( SCRIPT', – ) 5 ( – declaration ) XSSEncoder. - XSSEncoder ( : com.sap.security.core.server.csi.XSSEncoder). : HTML / XML out = XSSEncoder.encodeHTML( in ) and XSSEncoder.encodeXML( val ); JavaScript out = XSSEncoder.encodeJavaScript( val ); URL out = XSSEncoder.encodeURL( val ); CSS out = XSSEncoder.encodeCSS( val ); , . SAP Security Note 1590008. WebDynpro Java WebDynpro Java, XSS. . SAP UI Development Kit for HTML5 SAP UI Development Kit HTML5, jQuery /_core/src/main/js/jquery.sap.encoder.js. : HTML / XML jQuery.sap.encodeHTML(sValue) and jQuery.sap.encodeXML(sValue) JavaScript jQuery.sap.encodeJS(sValue) URL jQuery.sap.encodeURL(sValue) CSS jQuery.sap.encodeCSS(sValue) : , : Global_app_config/session_config/sessionTimeout = 900. - , . SystemCookiesDataProtection = true. HttpOnly , - , , . HTTPOnly, Logon tickets XSS-. ume.logon.httponlycookie= True. Logon tickets , Single Sign-On J2EE Engine. “True” , HTTP document.cookie ( XSS-) . SessionIPProtectionEnabled = True. , IP . True, HTTP- IP. IP, . , , - XSS-, - -, . LogCLF = TRUE http.properties logging CEF. ArchiveOldLogFiles = ON. Log Configurator . . , . , . . HttpTrace= Enable. HTTP- , ConfigTool. HTTP Provider Service, , HttpTrace. SAP HANA XS , XSS- – SAP HANA. SAP HANA SAPUI5. - SAPUI5 , . , int int, sap.ui.core . – , HTML: , : sessiontimeout = 900. - , . HttpOnly . , , - XSS-, - -, . HTTP (S) , SAP HANA, -. - HTTP (S) , icm/http/logging _ 0: global _ auditing _ state = true. global.ini, . , , XSS-. SAP HANA Administration Console –> Security HDB –> Auditing Status menu. - , XSS. , , - SAP . XSS- – SAP. SAP XSS-. XSS SAP. , ( chipik ) . Logging additional information ABAP protection SAP Encoding Functions for AS ABAP Java protection SAP Encoding Functions for AS Java and JavaScript Prevention of Cross-site Scripting SAP HANA protection Protecting SAP® Applications Based on Java and ABAP™ Against Common Attacks

<%@page language="abap" forceEncode="html"%>
<% data: inputvalue type string.
inputvalue = request->get_form_field( 'x' ).
%>
</html>


. , ( ):

<%html=...%>: HTML <%url=...%>: URL URL <%javascript=...%>: JavaScript <%css=…%> : CSS <%raw=...%> ( , , , )

BSP

BSP HTMLB forceEncode <htmlb:content> ENABLED , ( ). ENABLED , , :<htmlb:content forceEncode="ENABLED|BACKWARDS_COMPATIBLE">

ENABLED: . , ; BACKWARDS_COMPATIBLE: . , .

, htmlb:content , . : CLASSIC, DESIGN2002, DESIGN2003, DESIGN2008, , (+). CLASSIC DESIGN2002 (, ) .

<htmlb:content forceEncode="ENABLED" design="DESIGN2003+DESIGN2008">


, design=CLASSIC. .

Mixed BSP- HTML HTMLB

forceEncode BSP page forceEncode HTMLB . , – HTMLB. , , HTML BSP,

Internet Transaction Server (ITS) HTML Business

Internet Transaction Server (ITS) HTML Business, :

xss_url_escape() xss_html_escape() xss_wml_escape() xss_css_escape() xss_js_escape()
HTML Business

, HTML-: , (`) , :
~auto_html_escaping=1: , ~new_xss_functions=1: XSS.
~html_escaping_off=1/0, .
, , SAP_BASIS:
ITS ( <= 6.40), Internet Service SE80. ITS ( >= 6.40), GUI SICF :

7.20, ~new_xss_functions, XSS- .

, , , . ~html_escaping_off=”X”, . , . SAP Security Note 1488500.

Business HTML (BHTML)

HTMLBusiness Template Library (, SAP_TemplateNonEditableField()) . , . SAP Security Note 916255.



, . , .



, XSS-:

http/security_session_timeout = 900; - , . icf/set_HTTPonly_flag_on_cookies = 0; HttpOnly , - , , . HTTPOnly, Logon tickets XSS-.

, RZ10, ( Profile) (, DEFAULT.PFL, SAP-). , , , Extended maintenance . , Copy.



, , - , - -, :
icm/HTTP/logging_0 icm/security_log ,

SAP NetWeaver J2EE

SAP NetWeaver J2EE



AS Java tc_sec_csi.jar. , HTML/XML, JavaScript, CSS URL. StringUtils (com.sap.security.core.server.csi.util.StringUtils):

. Securing SAP from XSS vulnerabilities
escapeScriptEndTag(String pStr) - , javascript ; escapeToHTML(String input) – (. 1) escapeToJS(String input) – JS declaration ( . 5) escapeToURL(String input) – , URL ( 3). , 'disableScriptSignatures'. escapeToURL(StringBuffer sb, String input, int maxLength) - , URL ( 3). , 'disableScriptSignatures'. escapeToURL(String input, int maxLength) - , URL (. 3). , 'disableScriptSignatures'. urlEncode(String s) – URLEncoder.encode

, .

1 ( )

[CASE1]

Username [CASE1]



2 ( , – URL)


Click here


3 ( - URL)




4 ( SCRIPT', – )



5 ( – declaration )



XSSEncoder.
- XSSEncoder ( : com.sap.security.core.server.csi.XSSEncoder).

:
HTML / XML out = XSSEncoder.encodeHTML( in ) and XSSEncoder.encodeXML( val ); JavaScript out = XSSEncoder.encodeJavaScript( val ); URL out = XSSEncoder.encodeURL( val ); CSS out = XSSEncoder.encodeCSS( val );

, . SAP Security Note 1590008.
WebDynpro Java
WebDynpro Java, XSS. .
SAP UI Development Kit for HTML5
SAP UI Development Kit HTML5, jQuery /_core/src/main/js/jquery.sap.encoder.js.
:
HTML / XML jQuery.sap.encodeHTML(sValue) and jQuery.sap.encodeXML(sValue) JavaScript jQuery.sap.encodeJS(sValue) URL jQuery.sap.encodeURL(sValue) CSS jQuery.sap.encodeCSS(sValue)
:

, :
Global_app_config/session_config/sessionTimeout = 900. - , . SystemCookiesDataProtection = true. HttpOnly , - , , . HTTPOnly, Logon tickets XSS-. ume.logon.httponlycookie= True. Logon tickets , Single Sign-On J2EE Engine. “True” , HTTP document.cookie ( XSS-) . SessionIPProtectionEnabled = True. , IP . True, HTTP- IP. IP, .


, , - XSS-, - -, .
LogCLF = TRUE http.properties logging CEF. ArchiveOldLogFiles = ON. Log Configurator . . , . , . . HttpTrace= Enable. HTTP- , ConfigTool. HTTP Provider Service, , HttpTrace.
SAP HANA XS

, XSS- – SAP HANA.


SAP HANA SAPUI5.
- SAPUI5 , . , int int, sap.ui.core . – , HTML:

, :
sessiontimeout = 900. - , . HttpOnly .



, , - XSS-, - -, .

HTTP (S) , SAP HANA, -. - HTTP (S) , icm/http/logging _ 0: global _ auditing _ state = true. global.ini, . , , XSS-. SAP HANA Administration Console –> Security HDB –> Auditing Status menu.



- , XSS. , , - SAP . XSS- – SAP. SAP XSS-. XSS SAP.

, ( chipik ) .


Logging additional information ABAP protection SAP Encoding Functions for AS ABAP Java protection SAP Encoding Functions for AS Java and JavaScript Prevention of Cross-site Scripting SAP HANA protection Protecting SAP® Applications Based on Java and ABAP™ Against Common Attacks

<%@page language="abap" forceEncode="html"%> <% data: inputvalue type string. inputvalue = request->get_form_field( 'x' ). %> </html> . , ( ): <%html=...%>: HTML <%url=...%>: URL URL <%javascript=...%>: JavaScript <%css=…%> : CSS <%raw=...%> ( , , , ) BSP BSP HTMLB forceEncode <htmlb:content> ENABLED , ( ). ENABLED , , :<htmlb:content forceEncode="ENABLED|BACKWARDS_COMPATIBLE"> ENABLED: . , ; BACKWARDS_COMPATIBLE: . , . , htmlb:content , . : CLASSIC, DESIGN2002, DESIGN2003, DESIGN2008, , (+). CLASSIC DESIGN2002 (, ) . <htmlb:content forceEncode="ENABLED" design="DESIGN2003+DESIGN2008"> , design=CLASSIC. . Mixed BSP- HTML HTMLB forceEncode BSP page forceEncode HTMLB . , – HTMLB. , , HTML BSP, Internet Transaction Server (ITS) HTML Business Internet Transaction Server (ITS) HTML Business, : xss_url_escape() xss_html_escape() xss_wml_escape() xss_css_escape() xss_js_escape() HTML Business , HTML-: , (`) , : ~auto_html_escaping=1: , ~new_xss_functions=1: XSS. ~html_escaping_off=1/0, . , , SAP_BASIS: ITS ( <= 6.40), Internet Service SE80. ITS ( >= 6.40), GUI SICF : 7.20, ~new_xss_functions, XSS- . , , , . ~html_escaping_off=”X”, . , . SAP Security Note 1488500. Business HTML (BHTML) HTMLBusiness Template Library (, SAP_TemplateNonEditableField()) . , . SAP Security Note 916255. , . , . , XSS-: http/security_session_timeout = 900; - , . icf/set_HTTPonly_flag_on_cookies = 0; HttpOnly , - , , . HTTPOnly, Logon tickets XSS-. , RZ10, ( Profile) (, DEFAULT.PFL, SAP-). , , , Extended maintenance . , Copy. , , - , - -, : icm/HTTP/logging_0 icm/security_log , SAP NetWeaver J2EE SAP NetWeaver J2EE AS Java tc_sec_csi.jar. , HTML/XML, JavaScript, CSS URL. StringUtils (com.sap.security.core.server.csi.util.StringUtils): . Securing SAP from XSS vulnerabilities escapeScriptEndTag(String pStr) - , javascript ; escapeToHTML(String input) – (. 1) escapeToJS(String input) – JS declaration ( . 5) escapeToURL(String input) – , URL ( 3). , 'disableScriptSignatures'. escapeToURL(StringBuffer sb, String input, int maxLength) - , URL ( 3). , 'disableScriptSignatures'. escapeToURL(String input, int maxLength) - , URL (. 3). , 'disableScriptSignatures'. urlEncode(String s) – URLEncoder.encode , . 1 ( ) [CASE1] Username [CASE1] 2 ( , – URL) Click here 3 ( - URL) 4 ( SCRIPT', – ) 5 ( – declaration ) XSSEncoder. - XSSEncoder ( : com.sap.security.core.server.csi.XSSEncoder). : HTML / XML out = XSSEncoder.encodeHTML( in ) and XSSEncoder.encodeXML( val ); JavaScript out = XSSEncoder.encodeJavaScript( val ); URL out = XSSEncoder.encodeURL( val ); CSS out = XSSEncoder.encodeCSS( val ); , . SAP Security Note 1590008. WebDynpro Java WebDynpro Java, XSS. . SAP UI Development Kit for HTML5 SAP UI Development Kit HTML5, jQuery /_core/src/main/js/jquery.sap.encoder.js. : HTML / XML jQuery.sap.encodeHTML(sValue) and jQuery.sap.encodeXML(sValue) JavaScript jQuery.sap.encodeJS(sValue) URL jQuery.sap.encodeURL(sValue) CSS jQuery.sap.encodeCSS(sValue) : , : Global_app_config/session_config/sessionTimeout = 900. - , . SystemCookiesDataProtection = true. HttpOnly , - , , . HTTPOnly, Logon tickets XSS-. ume.logon.httponlycookie= True. Logon tickets , Single Sign-On J2EE Engine. “True” , HTTP document.cookie ( XSS-) . SessionIPProtectionEnabled = True. , IP . True, HTTP- IP. IP, . , , - XSS-, - -, . LogCLF = TRUE http.properties logging CEF. ArchiveOldLogFiles = ON. Log Configurator . . , . , . . HttpTrace= Enable. HTTP- , ConfigTool. HTTP Provider Service, , HttpTrace. SAP HANA XS , XSS- – SAP HANA. SAP HANA SAPUI5. - SAPUI5 , . , int int, sap.ui.core . – , HTML: , : sessiontimeout = 900. - , . HttpOnly . , , - XSS-, - -, . HTTP (S) , SAP HANA, -. - HTTP (S) , icm/http/logging _ 0: global _ auditing _ state = true. global.ini, . , , XSS-. SAP HANA Administration Console –> Security HDB –> Auditing Status menu. - , XSS. , , - SAP . XSS- – SAP. SAP XSS-. XSS SAP. , ( chipik ) . Logging additional information ABAP protection SAP Encoding Functions for AS ABAP Java protection SAP Encoding Functions for AS Java and JavaScript Prevention of Cross-site Scripting SAP HANA protection Protecting SAP® Applications Based on Java and ABAP™ Against Common Attacks
<%@page language="abap" forceEncode="html"%> <% data: inputvalue type string. inputvalue = request->get_form_field( 'x' ). %> </html> . , ( ): <%html=...%>: HTML <%url=...%>: URL URL <%javascript=...%>: JavaScript <%css=…%> : CSS <%raw=...%> ( , , , ) BSP BSP HTMLB forceEncode <htmlb:content> ENABLED , ( ). ENABLED , , :<htmlb:content forceEncode="ENABLED|BACKWARDS_COMPATIBLE"> ENABLED: . , ; BACKWARDS_COMPATIBLE: . , . , htmlb:content , . : CLASSIC, DESIGN2002, DESIGN2003, DESIGN2008, , (+). CLASSIC DESIGN2002 (, ) . <htmlb:content forceEncode="ENABLED" design="DESIGN2003+DESIGN2008"> , design=CLASSIC. . Mixed BSP- HTML HTMLB forceEncode BSP page forceEncode HTMLB . , – HTMLB. , , HTML BSP, Internet Transaction Server (ITS) HTML Business Internet Transaction Server (ITS) HTML Business, : xss_url_escape() xss_html_escape() xss_wml_escape() xss_css_escape() xss_js_escape() HTML Business , HTML-: , (`) , : ~auto_html_escaping=1: , ~new_xss_functions=1: XSS. ~html_escaping_off=1/0, . , , SAP_BASIS: ITS ( <= 6.40), Internet Service SE80. ITS ( >= 6.40), GUI SICF : 7.20, ~new_xss_functions, XSS- . , , , . ~html_escaping_off=”X”, . , . SAP Security Note 1488500. Business HTML (BHTML) HTMLBusiness Template Library (, SAP_TemplateNonEditableField()) . , . SAP Security Note 916255. , . , . , XSS-: http/security_session_timeout = 900; - , . icf/set_HTTPonly_flag_on_cookies = 0; HttpOnly , - , , . HTTPOnly, Logon tickets XSS-. , RZ10, ( Profile) (, DEFAULT.PFL, SAP-). , , , Extended maintenance . , Copy. , , - , - -, : icm/HTTP/logging_0 icm/security_log , SAP NetWeaver J2EE SAP NetWeaver J2EE AS Java tc_sec_csi.jar. , HTML/XML, JavaScript, CSS URL. StringUtils (com.sap.security.core.server.csi.util.StringUtils): . Securing SAP from XSS vulnerabilities escapeScriptEndTag(String pStr) - , javascript ; escapeToHTML(String input) – (. 1) escapeToJS(String input) – JS declaration ( . 5) escapeToURL(String input) – , URL ( 3). , 'disableScriptSignatures'. escapeToURL(StringBuffer sb, String input, int maxLength) - , URL ( 3). , 'disableScriptSignatures'. escapeToURL(String input, int maxLength) - , URL (. 3). , 'disableScriptSignatures'. urlEncode(String s) – URLEncoder.encode , . 1 ( ) [CASE1] Username [CASE1] 2 ( , – URL) Click here 3 ( - URL) 4 ( SCRIPT', – ) 5 ( – declaration ) XSSEncoder. - XSSEncoder ( : com.sap.security.core.server.csi.XSSEncoder). : HTML / XML out = XSSEncoder.encodeHTML( in ) and XSSEncoder.encodeXML( val ); JavaScript out = XSSEncoder.encodeJavaScript( val ); URL out = XSSEncoder.encodeURL( val ); CSS out = XSSEncoder.encodeCSS( val ); , . SAP Security Note 1590008. WebDynpro Java WebDynpro Java, XSS. . SAP UI Development Kit for HTML5 SAP UI Development Kit HTML5, jQuery /_core/src/main/js/jquery.sap.encoder.js. : HTML / XML jQuery.sap.encodeHTML(sValue) and jQuery.sap.encodeXML(sValue) JavaScript jQuery.sap.encodeJS(sValue) URL jQuery.sap.encodeURL(sValue) CSS jQuery.sap.encodeCSS(sValue) : , : Global_app_config/session_config/sessionTimeout = 900. - , . SystemCookiesDataProtection = true. HttpOnly , - , , . HTTPOnly, Logon tickets XSS-. ume.logon.httponlycookie= True. Logon tickets , Single Sign-On J2EE Engine. “True” , HTTP document.cookie ( XSS-) . SessionIPProtectionEnabled = True. , IP . True, HTTP- IP. IP, . , , - XSS-, - -, . LogCLF = TRUE http.properties logging CEF. ArchiveOldLogFiles = ON. Log Configurator . . , . , . . HttpTrace= Enable. HTTP- , ConfigTool. HTTP Provider Service, , HttpTrace. SAP HANA XS , XSS- – SAP HANA. SAP HANA SAPUI5. - SAPUI5 , . , int int, sap.ui.core . – , HTML: , : sessiontimeout = 900. - , . HttpOnly . , , - XSS-, - -, . HTTP (S) , SAP HANA, -. - HTTP (S) , icm/http/logging _ 0: global _ auditing _ state = true. global.ini, . , , XSS-. SAP HANA Administration Console –> Security HDB –> Auditing Status menu. - , XSS. , , - SAP . XSS- – SAP. SAP XSS-. XSS SAP. , ( chipik ) . Logging additional information ABAP protection SAP Encoding Functions for AS ABAP Java protection SAP Encoding Functions for AS Java and JavaScript Prevention of Cross-site Scripting SAP HANA protection Protecting SAP® Applications Based on Java and ABAP™ Against Common Attacks

<%@page language="abap" forceEncode="html"%>
<% data: inputvalue type string.
inputvalue = request->get_form_field( 'x' ).
%>
</html>


. , ( ):

<%html=...%>: HTML <%url=...%>: URL URL <%javascript=...%>: JavaScript <%css=…%> : CSS <%raw=...%> ( , , , )

BSP

BSP HTMLB forceEncode <htmlb:content> ENABLED , ( ). ENABLED , , :<htmlb:content forceEncode="ENABLED|BACKWARDS_COMPATIBLE">

ENABLED: . , ; BACKWARDS_COMPATIBLE: . , .

, htmlb:content , . : CLASSIC, DESIGN2002, DESIGN2003, DESIGN2008, , (+). CLASSIC DESIGN2002 (, ) .

<htmlb:content forceEncode="ENABLED" design="DESIGN2003+DESIGN2008">


, design=CLASSIC. .

Mixed BSP- HTML HTMLB

forceEncode BSP page forceEncode HTMLB . , – HTMLB. , , HTML BSP,

Internet Transaction Server (ITS) HTML Business

Internet Transaction Server (ITS) HTML Business, :

xss_url_escape() xss_html_escape() xss_wml_escape() xss_css_escape() xss_js_escape()
HTML Business

, HTML-: , (`) , :
~auto_html_escaping=1: , ~new_xss_functions=1: XSS.
~html_escaping_off=1/0, .
, , SAP_BASIS:
ITS ( <= 6.40), Internet Service SE80. ITS ( >= 6.40), GUI SICF :

7.20, ~new_xss_functions, XSS- .

, , , . ~html_escaping_off=”X”, . , . SAP Security Note 1488500.

Business HTML (BHTML)

HTMLBusiness Template Library (, SAP_TemplateNonEditableField()) . , . SAP Security Note 916255.



, . , .



, XSS-:

http/security_session_timeout = 900; - , . icf/set_HTTPonly_flag_on_cookies = 0; HttpOnly , - , , . HTTPOnly, Logon tickets XSS-.

, RZ10, ( Profile) (, DEFAULT.PFL, SAP-). , , , Extended maintenance . , Copy.



, , - , - -, :
icm/HTTP/logging_0 icm/security_log ,

SAP NetWeaver J2EE

SAP NetWeaver J2EE



AS Java tc_sec_csi.jar. , HTML/XML, JavaScript, CSS URL. StringUtils (com.sap.security.core.server.csi.util.StringUtils):

. Securing SAP from XSS vulnerabilities
escapeScriptEndTag(String pStr) - , javascript ; escapeToHTML(String input) – (. 1) escapeToJS(String input) – JS declaration ( . 5) escapeToURL(String input) – , URL ( 3). , 'disableScriptSignatures'. escapeToURL(StringBuffer sb, String input, int maxLength) - , URL ( 3). , 'disableScriptSignatures'. escapeToURL(String input, int maxLength) - , URL (. 3). , 'disableScriptSignatures'. urlEncode(String s) – URLEncoder.encode

, .

1 ( )

[CASE1]

Username [CASE1]



2 ( , – URL)


Click here


3 ( - URL)




4 ( SCRIPT', – )



5 ( – declaration )



XSSEncoder.
- XSSEncoder ( : com.sap.security.core.server.csi.XSSEncoder).

:
HTML / XML out = XSSEncoder.encodeHTML( in ) and XSSEncoder.encodeXML( val ); JavaScript out = XSSEncoder.encodeJavaScript( val ); URL out = XSSEncoder.encodeURL( val ); CSS out = XSSEncoder.encodeCSS( val );

, . SAP Security Note 1590008.
WebDynpro Java
WebDynpro Java, XSS. .
SAP UI Development Kit for HTML5
SAP UI Development Kit HTML5, jQuery /_core/src/main/js/jquery.sap.encoder.js.
:
HTML / XML jQuery.sap.encodeHTML(sValue) and jQuery.sap.encodeXML(sValue) JavaScript jQuery.sap.encodeJS(sValue) URL jQuery.sap.encodeURL(sValue) CSS jQuery.sap.encodeCSS(sValue)
:

, :
Global_app_config/session_config/sessionTimeout = 900. - , . SystemCookiesDataProtection = true. HttpOnly , - , , . HTTPOnly, Logon tickets XSS-. ume.logon.httponlycookie= True. Logon tickets , Single Sign-On J2EE Engine. “True” , HTTP document.cookie ( XSS-) . SessionIPProtectionEnabled = True. , IP . True, HTTP- IP. IP, .


, , - XSS-, - -, .
LogCLF = TRUE http.properties logging CEF. ArchiveOldLogFiles = ON. Log Configurator . . , . , . . HttpTrace= Enable. HTTP- , ConfigTool. HTTP Provider Service, , HttpTrace.
SAP HANA XS

, XSS- – SAP HANA.


SAP HANA SAPUI5.
- SAPUI5 , . , int int, sap.ui.core . – , HTML:

, :
sessiontimeout = 900. - , . HttpOnly .



, , - XSS-, - -, .

HTTP (S) , SAP HANA, -. - HTTP (S) , icm/http/logging _ 0: global _ auditing _ state = true. global.ini, . , , XSS-. SAP HANA Administration Console –> Security HDB –> Auditing Status menu.



- , XSS. , , - SAP . XSS- – SAP. SAP XSS-. XSS SAP.

, ( chipik ) .


Logging additional information ABAP protection SAP Encoding Functions for AS ABAP Java protection SAP Encoding Functions for AS Java and JavaScript Prevention of Cross-site Scripting SAP HANA protection Protecting SAP® Applications Based on Java and ABAP™ Against Common Attacks

<%@page language="abap" forceEncode="html"%> <% data: inputvalue type string. inputvalue = request->get_form_field( 'x' ). %> </html> . , ( ): <%html=...%>: HTML <%url=...%>: URL URL <%javascript=...%>: JavaScript <%css=…%> : CSS <%raw=...%> ( , , , ) BSP BSP HTMLB forceEncode <htmlb:content> ENABLED , ( ). ENABLED , , :<htmlb:content forceEncode="ENABLED|BACKWARDS_COMPATIBLE"> ENABLED: . , ; BACKWARDS_COMPATIBLE: . , . , htmlb:content , . : CLASSIC, DESIGN2002, DESIGN2003, DESIGN2008, , (+). CLASSIC DESIGN2002 (, ) . <htmlb:content forceEncode="ENABLED" design="DESIGN2003+DESIGN2008"> , design=CLASSIC. . Mixed BSP- HTML HTMLB forceEncode BSP page forceEncode HTMLB . , – HTMLB. , , HTML BSP, Internet Transaction Server (ITS) HTML Business Internet Transaction Server (ITS) HTML Business, : xss_url_escape() xss_html_escape() xss_wml_escape() xss_css_escape() xss_js_escape() HTML Business , HTML-: , (`) , : ~auto_html_escaping=1: , ~new_xss_functions=1: XSS. ~html_escaping_off=1/0, . , , SAP_BASIS: ITS ( <= 6.40), Internet Service SE80. ITS ( >= 6.40), GUI SICF : 7.20, ~new_xss_functions, XSS- . , , , . ~html_escaping_off=”X”, . , . SAP Security Note 1488500. Business HTML (BHTML) HTMLBusiness Template Library (, SAP_TemplateNonEditableField()) . , . SAP Security Note 916255. , . , . , XSS-: http/security_session_timeout = 900; - , . icf/set_HTTPonly_flag_on_cookies = 0; HttpOnly , - , , . HTTPOnly, Logon tickets XSS-. , RZ10, ( Profile) (, DEFAULT.PFL, SAP-). , , , Extended maintenance . , Copy. , , - , - -, : icm/HTTP/logging_0 icm/security_log , SAP NetWeaver J2EE SAP NetWeaver J2EE AS Java tc_sec_csi.jar. , HTML/XML, JavaScript, CSS URL. StringUtils (com.sap.security.core.server.csi.util.StringUtils): . Securing SAP from XSS vulnerabilities escapeScriptEndTag(String pStr) - , javascript ; escapeToHTML(String input) – (. 1) escapeToJS(String input) – JS declaration ( . 5) escapeToURL(String input) – , URL ( 3). , 'disableScriptSignatures'. escapeToURL(StringBuffer sb, String input, int maxLength) - , URL ( 3). , 'disableScriptSignatures'. escapeToURL(String input, int maxLength) - , URL (. 3). , 'disableScriptSignatures'. urlEncode(String s) – URLEncoder.encode , . 1 ( ) [CASE1] Username [CASE1] 2 ( , – URL) Click here 3 ( - URL) 4 ( SCRIPT', – ) 5 ( – declaration ) XSSEncoder. - XSSEncoder ( : com.sap.security.core.server.csi.XSSEncoder). : HTML / XML out = XSSEncoder.encodeHTML( in ) and XSSEncoder.encodeXML( val ); JavaScript out = XSSEncoder.encodeJavaScript( val ); URL out = XSSEncoder.encodeURL( val ); CSS out = XSSEncoder.encodeCSS( val ); , . SAP Security Note 1590008. WebDynpro Java WebDynpro Java, XSS. . SAP UI Development Kit for HTML5 SAP UI Development Kit HTML5, jQuery /_core/src/main/js/jquery.sap.encoder.js. : HTML / XML jQuery.sap.encodeHTML(sValue) and jQuery.sap.encodeXML(sValue) JavaScript jQuery.sap.encodeJS(sValue) URL jQuery.sap.encodeURL(sValue) CSS jQuery.sap.encodeCSS(sValue) : , : Global_app_config/session_config/sessionTimeout = 900. - , . SystemCookiesDataProtection = true. HttpOnly , - , , . HTTPOnly, Logon tickets XSS-. ume.logon.httponlycookie= True. Logon tickets , Single Sign-On J2EE Engine. “True” , HTTP document.cookie ( XSS-) . SessionIPProtectionEnabled = True. , IP . True, HTTP- IP. IP, . , , - XSS-, - -, . LogCLF = TRUE http.properties logging CEF. ArchiveOldLogFiles = ON. Log Configurator . . , . , . . HttpTrace= Enable. HTTP- , ConfigTool. HTTP Provider Service, , HttpTrace. SAP HANA XS , XSS- – SAP HANA. SAP HANA SAPUI5. - SAPUI5 , . , int int, sap.ui.core . – , HTML: , : sessiontimeout = 900. - , . HttpOnly . , , - XSS-, - -, . HTTP (S) , SAP HANA, -. - HTTP (S) , icm/http/logging _ 0: global _ auditing _ state = true. global.ini, . , , XSS-. SAP HANA Administration Console –> Security HDB –> Auditing Status menu. - , XSS. , , - SAP . XSS- – SAP. SAP XSS-. XSS SAP. , ( chipik ) . Logging additional information ABAP protection SAP Encoding Functions for AS ABAP Java protection SAP Encoding Functions for AS Java and JavaScript Prevention of Cross-site Scripting SAP HANA protection Protecting SAP® Applications Based on Java and ABAP™ Against Common Attacks

<%@page language="abap" forceEncode="html"%>
<% data: inputvalue type string.
inputvalue = request->get_form_field( 'x' ).
%>
</html>


. , ( ):

<%html=...%>: HTML <%url=...%>: URL URL <%javascript=...%>: JavaScript <%css=…%> : CSS <%raw=...%> ( , , , )

BSP

BSP HTMLB forceEncode <htmlb:content> ENABLED , ( ). ENABLED , , :<htmlb:content forceEncode="ENABLED|BACKWARDS_COMPATIBLE">

ENABLED: . , ; BACKWARDS_COMPATIBLE: . , .

, htmlb:content , . : CLASSIC, DESIGN2002, DESIGN2003, DESIGN2008, , (+). CLASSIC DESIGN2002 (, ) .

<htmlb:content forceEncode="ENABLED" design="DESIGN2003+DESIGN2008">


, design=CLASSIC. .

Mixed BSP- HTML HTMLB

forceEncode BSP page forceEncode HTMLB . , – HTMLB. , , HTML BSP,

Internet Transaction Server (ITS) HTML Business

Internet Transaction Server (ITS) HTML Business, :

xss_url_escape() xss_html_escape() xss_wml_escape() xss_css_escape() xss_js_escape()
HTML Business

, HTML-: , (`) , :
~auto_html_escaping=1: , ~new_xss_functions=1: XSS.
~html_escaping_off=1/0, .
, , SAP_BASIS:
ITS ( <= 6.40), Internet Service SE80. ITS ( >= 6.40), GUI SICF :

7.20, ~new_xss_functions, XSS- .

, , , . ~html_escaping_off=”X”, . , . SAP Security Note 1488500.

Business HTML (BHTML)

HTMLBusiness Template Library (, SAP_TemplateNonEditableField()) . , . SAP Security Note 916255.



, . , .



, XSS-:

http/security_session_timeout = 900; - , . icf/set_HTTPonly_flag_on_cookies = 0; HttpOnly , - , , . HTTPOnly, Logon tickets XSS-.

, RZ10, ( Profile) (, DEFAULT.PFL, SAP-). , , , Extended maintenance . , Copy.



, , - , - -, :
icm/HTTP/logging_0 icm/security_log ,

SAP NetWeaver J2EE

SAP NetWeaver J2EE



AS Java tc_sec_csi.jar. , HTML/XML, JavaScript, CSS URL. StringUtils (com.sap.security.core.server.csi.util.StringUtils):

. Securing SAP from XSS vulnerabilities
escapeScriptEndTag(String pStr) - , javascript ; escapeToHTML(String input) – (. 1) escapeToJS(String input) – JS declaration ( . 5) escapeToURL(String input) – , URL ( 3). , 'disableScriptSignatures'. escapeToURL(StringBuffer sb, String input, int maxLength) - , URL ( 3). , 'disableScriptSignatures'. escapeToURL(String input, int maxLength) - , URL (. 3). , 'disableScriptSignatures'. urlEncode(String s) – URLEncoder.encode

, .

1 ( )

[CASE1]

Username [CASE1]



2 ( , – URL)


Click here


3 ( - URL)




4 ( SCRIPT', – )



5 ( – declaration )



XSSEncoder.
- XSSEncoder ( : com.sap.security.core.server.csi.XSSEncoder).

:
HTML / XML out = XSSEncoder.encodeHTML( in ) and XSSEncoder.encodeXML( val ); JavaScript out = XSSEncoder.encodeJavaScript( val ); URL out = XSSEncoder.encodeURL( val ); CSS out = XSSEncoder.encodeCSS( val );

, . SAP Security Note 1590008.
WebDynpro Java
WebDynpro Java, XSS. .
SAP UI Development Kit for HTML5
SAP UI Development Kit HTML5, jQuery /_core/src/main/js/jquery.sap.encoder.js.
:
HTML / XML jQuery.sap.encodeHTML(sValue) and jQuery.sap.encodeXML(sValue) JavaScript jQuery.sap.encodeJS(sValue) URL jQuery.sap.encodeURL(sValue) CSS jQuery.sap.encodeCSS(sValue)
:

, :
Global_app_config/session_config/sessionTimeout = 900. - , . SystemCookiesDataProtection = true. HttpOnly , - , , . HTTPOnly, Logon tickets XSS-. ume.logon.httponlycookie= True. Logon tickets , Single Sign-On J2EE Engine. “True” , HTTP document.cookie ( XSS-) . SessionIPProtectionEnabled = True. , IP . True, HTTP- IP. IP, .


, , - XSS-, - -, .
LogCLF = TRUE http.properties logging CEF. ArchiveOldLogFiles = ON. Log Configurator . . , . , . . HttpTrace= Enable. HTTP- , ConfigTool. HTTP Provider Service, , HttpTrace.
SAP HANA XS

, XSS- – SAP HANA.


SAP HANA SAPUI5.
- SAPUI5 , . , int int, sap.ui.core . – , HTML:

, :
sessiontimeout = 900. - , . HttpOnly .



, , - XSS-, - -, .

HTTP (S) , SAP HANA, -. - HTTP (S) , icm/http/logging _ 0: global _ auditing _ state = true. global.ini, . , , XSS-. SAP HANA Administration Console –> Security HDB –> Auditing Status menu.



- , XSS. , , - SAP . XSS- – SAP. SAP XSS-. XSS SAP.

, ( chipik ) .


Logging additional information ABAP protection SAP Encoding Functions for AS ABAP Java protection SAP Encoding Functions for AS Java and JavaScript Prevention of Cross-site Scripting SAP HANA protection Protecting SAP® Applications Based on Java and ABAP™ Against Common Attacks

<%@page language="abap" forceEncode="html"%> <% data: inputvalue type string. inputvalue = request->get_form_field( 'x' ). %> </html> . , ( ): <%html=...%>: HTML <%url=...%>: URL URL <%javascript=...%>: JavaScript <%css=…%> : CSS <%raw=...%> ( , , , ) BSP BSP HTMLB forceEncode <htmlb:content> ENABLED , ( ). ENABLED , , :<htmlb:content forceEncode="ENABLED|BACKWARDS_COMPATIBLE"> ENABLED: . , ; BACKWARDS_COMPATIBLE: . , . , htmlb:content , . : CLASSIC, DESIGN2002, DESIGN2003, DESIGN2008, , (+). CLASSIC DESIGN2002 (, ) . <htmlb:content forceEncode="ENABLED" design="DESIGN2003+DESIGN2008"> , design=CLASSIC. . Mixed BSP- HTML HTMLB forceEncode BSP page forceEncode HTMLB . , – HTMLB. , , HTML BSP, Internet Transaction Server (ITS) HTML Business Internet Transaction Server (ITS) HTML Business, : xss_url_escape() xss_html_escape() xss_wml_escape() xss_css_escape() xss_js_escape() HTML Business , HTML-: , (`) , : ~auto_html_escaping=1: , ~new_xss_functions=1: XSS. ~html_escaping_off=1/0, . , , SAP_BASIS: ITS ( <= 6.40), Internet Service SE80. ITS ( >= 6.40), GUI SICF : 7.20, ~new_xss_functions, XSS- . , , , . ~html_escaping_off=”X”, . , . SAP Security Note 1488500. Business HTML (BHTML) HTMLBusiness Template Library (, SAP_TemplateNonEditableField()) . , . SAP Security Note 916255. , . , . , XSS-: http/security_session_timeout = 900; - , . icf/set_HTTPonly_flag_on_cookies = 0; HttpOnly , - , , . HTTPOnly, Logon tickets XSS-. , RZ10, ( Profile) (, DEFAULT.PFL, SAP-). , , , Extended maintenance . , Copy. , , - , - -, : icm/HTTP/logging_0 icm/security_log , SAP NetWeaver J2EE SAP NetWeaver J2EE AS Java tc_sec_csi.jar. , HTML/XML, JavaScript, CSS URL. StringUtils (com.sap.security.core.server.csi.util.StringUtils): . Securing SAP from XSS vulnerabilities escapeScriptEndTag(String pStr) - , javascript ; escapeToHTML(String input) – (. 1) escapeToJS(String input) – JS declaration ( . 5) escapeToURL(String input) – , URL ( 3). , 'disableScriptSignatures'. escapeToURL(StringBuffer sb, String input, int maxLength) - , URL ( 3). , 'disableScriptSignatures'. escapeToURL(String input, int maxLength) - , URL (. 3). , 'disableScriptSignatures'. urlEncode(String s) – URLEncoder.encode , . 1 ( ) [CASE1] Username [CASE1] 2 ( , – URL) Click here 3 ( - URL) 4 ( SCRIPT', – ) 5 ( – declaration ) XSSEncoder. - XSSEncoder ( : com.sap.security.core.server.csi.XSSEncoder). : HTML / XML out = XSSEncoder.encodeHTML( in ) and XSSEncoder.encodeXML( val ); JavaScript out = XSSEncoder.encodeJavaScript( val ); URL out = XSSEncoder.encodeURL( val ); CSS out = XSSEncoder.encodeCSS( val ); , . SAP Security Note 1590008. WebDynpro Java WebDynpro Java, XSS. . SAP UI Development Kit for HTML5 SAP UI Development Kit HTML5, jQuery /_core/src/main/js/jquery.sap.encoder.js. : HTML / XML jQuery.sap.encodeHTML(sValue) and jQuery.sap.encodeXML(sValue) JavaScript jQuery.sap.encodeJS(sValue) URL jQuery.sap.encodeURL(sValue) CSS jQuery.sap.encodeCSS(sValue) : , : Global_app_config/session_config/sessionTimeout = 900. - , . SystemCookiesDataProtection = true. HttpOnly , - , , . HTTPOnly, Logon tickets XSS-. ume.logon.httponlycookie= True. Logon tickets , Single Sign-On J2EE Engine. “True” , HTTP document.cookie ( XSS-) . SessionIPProtectionEnabled = True. , IP . True, HTTP- IP. IP, . , , - XSS-, - -, . LogCLF = TRUE http.properties logging CEF. ArchiveOldLogFiles = ON. Log Configurator . . , . , . . HttpTrace= Enable. HTTP- , ConfigTool. HTTP Provider Service, , HttpTrace. SAP HANA XS , XSS- – SAP HANA. SAP HANA SAPUI5. - SAPUI5 , . , int int, sap.ui.core . – , HTML: , : sessiontimeout = 900. - , . HttpOnly . , , - XSS-, - -, . HTTP (S) , SAP HANA, -. - HTTP (S) , icm/http/logging _ 0: global _ auditing _ state = true. global.ini, . , , XSS-. SAP HANA Administration Console –> Security HDB –> Auditing Status menu. - , XSS. , , - SAP . XSS- – SAP. SAP XSS-. XSS SAP. , ( chipik ) . Logging additional information ABAP protection SAP Encoding Functions for AS ABAP Java protection SAP Encoding Functions for AS Java and JavaScript Prevention of Cross-site Scripting SAP HANA protection Protecting SAP® Applications Based on Java and ABAP™ Against Common Attacks

<%@page language="abap" forceEncode="html"%>
<% data: inputvalue type string.
inputvalue = request->get_form_field( 'x' ).
%>
</html>


. , ( ):

<%html=...%>: HTML <%url=...%>: URL URL <%javascript=...%>: JavaScript <%css=…%> : CSS <%raw=...%> ( , , , )

BSP

BSP HTMLB forceEncode <htmlb:content> ENABLED , ( ). ENABLED , , :<htmlb:content forceEncode="ENABLED|BACKWARDS_COMPATIBLE">

ENABLED: . , ; BACKWARDS_COMPATIBLE: . , .

, htmlb:content , . : CLASSIC, DESIGN2002, DESIGN2003, DESIGN2008, , (+). CLASSIC DESIGN2002 (, ) .

<htmlb:content forceEncode="ENABLED" design="DESIGN2003+DESIGN2008">


, design=CLASSIC. .

Mixed BSP- HTML HTMLB

forceEncode BSP page forceEncode HTMLB . , – HTMLB. , , HTML BSP,

Internet Transaction Server (ITS) HTML Business

Internet Transaction Server (ITS) HTML Business, :

xss_url_escape() xss_html_escape() xss_wml_escape() xss_css_escape() xss_js_escape()
HTML Business

, HTML-: , (`) , :
~auto_html_escaping=1: , ~new_xss_functions=1: XSS.
~html_escaping_off=1/0, .
, , SAP_BASIS:
ITS ( <= 6.40), Internet Service SE80. ITS ( >= 6.40), GUI SICF :

7.20, ~new_xss_functions, XSS- .

, , , . ~html_escaping_off=”X”, . , . SAP Security Note 1488500.

Business HTML (BHTML)

HTMLBusiness Template Library (, SAP_TemplateNonEditableField()) . , . SAP Security Note 916255.



, . , .



, XSS-:

http/security_session_timeout = 900; - , . icf/set_HTTPonly_flag_on_cookies = 0; HttpOnly , - , , . HTTPOnly, Logon tickets XSS-.

, RZ10, ( Profile) (, DEFAULT.PFL, SAP-). , , , Extended maintenance . , Copy.



, , - , - -, :
icm/HTTP/logging_0 icm/security_log ,

SAP NetWeaver J2EE

SAP NetWeaver J2EE



AS Java tc_sec_csi.jar. , HTML/XML, JavaScript, CSS URL. StringUtils (com.sap.security.core.server.csi.util.StringUtils):

. Securing SAP from XSS vulnerabilities
escapeScriptEndTag(String pStr) - , javascript ; escapeToHTML(String input) – (. 1) escapeToJS(String input) – JS declaration ( . 5) escapeToURL(String input) – , URL ( 3). , 'disableScriptSignatures'. escapeToURL(StringBuffer sb, String input, int maxLength) - , URL ( 3). , 'disableScriptSignatures'. escapeToURL(String input, int maxLength) - , URL (. 3). , 'disableScriptSignatures'. urlEncode(String s) – URLEncoder.encode

, .

1 ( )

[CASE1]

Username [CASE1]



2 ( , – URL)


Click here


3 ( - URL)




4 ( SCRIPT', – )



5 ( – declaration )



XSSEncoder.
- XSSEncoder ( : com.sap.security.core.server.csi.XSSEncoder).

:
HTML / XML out = XSSEncoder.encodeHTML( in ) and XSSEncoder.encodeXML( val ); JavaScript out = XSSEncoder.encodeJavaScript( val ); URL out = XSSEncoder.encodeURL( val ); CSS out = XSSEncoder.encodeCSS( val );

, . SAP Security Note 1590008.
WebDynpro Java
WebDynpro Java, XSS. .
SAP UI Development Kit for HTML5
SAP UI Development Kit HTML5, jQuery /_core/src/main/js/jquery.sap.encoder.js.
:
HTML / XML jQuery.sap.encodeHTML(sValue) and jQuery.sap.encodeXML(sValue) JavaScript jQuery.sap.encodeJS(sValue) URL jQuery.sap.encodeURL(sValue) CSS jQuery.sap.encodeCSS(sValue)
:

, :
Global_app_config/session_config/sessionTimeout = 900. - , . SystemCookiesDataProtection = true. HttpOnly , - , , . HTTPOnly, Logon tickets XSS-. ume.logon.httponlycookie= True. Logon tickets , Single Sign-On J2EE Engine. “True” , HTTP document.cookie ( XSS-) . SessionIPProtectionEnabled = True. , IP . True, HTTP- IP. IP, .


, , - XSS-, - -, .
LogCLF = TRUE http.properties logging CEF. ArchiveOldLogFiles = ON. Log Configurator . . , . , . . HttpTrace= Enable. HTTP- , ConfigTool. HTTP Provider Service, , HttpTrace.
SAP HANA XS

, XSS- – SAP HANA.


SAP HANA SAPUI5.
- SAPUI5 , . , int int, sap.ui.core . – , HTML:

, :
sessiontimeout = 900. - , . HttpOnly .



, , - XSS-, - -, .

HTTP (S) , SAP HANA, -. - HTTP (S) , icm/http/logging _ 0: global _ auditing _ state = true. global.ini, . , , XSS-. SAP HANA Administration Console –> Security HDB –> Auditing Status menu.



- , XSS. , , - SAP . XSS- – SAP. SAP XSS-. XSS SAP.

, ( chipik ) .


Logging additional information ABAP protection SAP Encoding Functions for AS ABAP Java protection SAP Encoding Functions for AS Java and JavaScript Prevention of Cross-site Scripting SAP HANA protection Protecting SAP® Applications Based on Java and ABAP™ Against Common Attacks

<%@page language="abap" forceEncode="html"%> <% data: inputvalue type string. inputvalue = request->get_form_field( 'x' ). %> </html> . , ( ): <%html=...%>: HTML <%url=...%>: URL URL <%javascript=...%>: JavaScript <%css=…%> : CSS <%raw=...%> ( , , , ) BSP BSP HTMLB forceEncode <htmlb:content> ENABLED , ( ). ENABLED , , :<htmlb:content forceEncode="ENABLED|BACKWARDS_COMPATIBLE"> ENABLED: . , ; BACKWARDS_COMPATIBLE: . , . , htmlb:content , . : CLASSIC, DESIGN2002, DESIGN2003, DESIGN2008, , (+). CLASSIC DESIGN2002 (, ) . <htmlb:content forceEncode="ENABLED" design="DESIGN2003+DESIGN2008"> , design=CLASSIC. . Mixed BSP- HTML HTMLB forceEncode BSP page forceEncode HTMLB . , – HTMLB. , , HTML BSP, Internet Transaction Server (ITS) HTML Business Internet Transaction Server (ITS) HTML Business, : xss_url_escape() xss_html_escape() xss_wml_escape() xss_css_escape() xss_js_escape() HTML Business , HTML-: , (`) , : ~auto_html_escaping=1: , ~new_xss_functions=1: XSS. ~html_escaping_off=1/0, . , , SAP_BASIS: ITS ( <= 6.40), Internet Service SE80. ITS ( >= 6.40), GUI SICF : 7.20, ~new_xss_functions, XSS- . , , , . ~html_escaping_off=”X”, . , . SAP Security Note 1488500. Business HTML (BHTML) HTMLBusiness Template Library (, SAP_TemplateNonEditableField()) . , . SAP Security Note 916255. , . , . , XSS-: http/security_session_timeout = 900; - , . icf/set_HTTPonly_flag_on_cookies = 0; HttpOnly , - , , . HTTPOnly, Logon tickets XSS-. , RZ10, ( Profile) (, DEFAULT.PFL, SAP-). , , , Extended maintenance . , Copy. , , - , - -, : icm/HTTP/logging_0 icm/security_log , SAP NetWeaver J2EE SAP NetWeaver J2EE AS Java tc_sec_csi.jar. , HTML/XML, JavaScript, CSS URL. StringUtils (com.sap.security.core.server.csi.util.StringUtils): . Securing SAP from XSS vulnerabilities escapeScriptEndTag(String pStr) - , javascript ; escapeToHTML(String input) – (. 1) escapeToJS(String input) – JS declaration ( . 5) escapeToURL(String input) – , URL ( 3). , 'disableScriptSignatures'. escapeToURL(StringBuffer sb, String input, int maxLength) - , URL ( 3). , 'disableScriptSignatures'. escapeToURL(String input, int maxLength) - , URL (. 3). , 'disableScriptSignatures'. urlEncode(String s) – URLEncoder.encode , . 1 ( ) [CASE1] Username [CASE1] 2 ( , – URL) Click here 3 ( - URL) 4 ( SCRIPT', – ) 5 ( – declaration ) XSSEncoder. - XSSEncoder ( : com.sap.security.core.server.csi.XSSEncoder). : HTML / XML out = XSSEncoder.encodeHTML( in ) and XSSEncoder.encodeXML( val ); JavaScript out = XSSEncoder.encodeJavaScript( val ); URL out = XSSEncoder.encodeURL( val ); CSS out = XSSEncoder.encodeCSS( val ); , . SAP Security Note 1590008. WebDynpro Java WebDynpro Java, XSS. . SAP UI Development Kit for HTML5 SAP UI Development Kit HTML5, jQuery /_core/src/main/js/jquery.sap.encoder.js. : HTML / XML jQuery.sap.encodeHTML(sValue) and jQuery.sap.encodeXML(sValue) JavaScript jQuery.sap.encodeJS(sValue) URL jQuery.sap.encodeURL(sValue) CSS jQuery.sap.encodeCSS(sValue) : , : Global_app_config/session_config/sessionTimeout = 900. - , . SystemCookiesDataProtection = true. HttpOnly , - , , . HTTPOnly, Logon tickets XSS-. ume.logon.httponlycookie= True. Logon tickets , Single Sign-On J2EE Engine. “True” , HTTP document.cookie ( XSS-) . SessionIPProtectionEnabled = True. , IP . True, HTTP- IP. IP, . , , - XSS-, - -, . LogCLF = TRUE http.properties logging CEF. ArchiveOldLogFiles = ON. Log Configurator . . , . , . . HttpTrace= Enable. HTTP- , ConfigTool. HTTP Provider Service, , HttpTrace. SAP HANA XS , XSS- – SAP HANA. SAP HANA SAPUI5. - SAPUI5 , . , int int, sap.ui.core . – , HTML: , : sessiontimeout = 900. - , . HttpOnly . , , - XSS-, - -, . HTTP (S) , SAP HANA, -. - HTTP (S) , icm/http/logging _ 0: global _ auditing _ state = true. global.ini, . , , XSS-. SAP HANA Administration Console –> Security HDB –> Auditing Status menu. - , XSS. , , - SAP . XSS- – SAP. SAP XSS-. XSS SAP. , ( chipik ) . Logging additional information ABAP protection SAP Encoding Functions for AS ABAP Java protection SAP Encoding Functions for AS Java and JavaScript Prevention of Cross-site Scripting SAP HANA protection Protecting SAP® Applications Based on Java and ABAP™ Against Common Attacks
<%@page language="abap" forceEncode="html"%> <% data: inputvalue type string. inputvalue = request->get_form_field( 'x' ). %> </html> . , ( ): <%html=...%>: HTML <%url=...%>: URL URL <%javascript=...%>: JavaScript <%css=…%> : CSS <%raw=...%> ( , , , ) BSP BSP HTMLB forceEncode <htmlb:content> ENABLED , ( ). ENABLED , , :<htmlb:content forceEncode="ENABLED|BACKWARDS_COMPATIBLE"> ENABLED: . , ; BACKWARDS_COMPATIBLE: . , . , htmlb:content , . : CLASSIC, DESIGN2002, DESIGN2003, DESIGN2008, , (+). CLASSIC DESIGN2002 (, ) . <htmlb:content forceEncode="ENABLED" design="DESIGN2003+DESIGN2008"> , design=CLASSIC. . Mixed BSP- HTML HTMLB forceEncode BSP page forceEncode HTMLB . , – HTMLB. , , HTML BSP, Internet Transaction Server (ITS) HTML Business Internet Transaction Server (ITS) HTML Business, : xss_url_escape() xss_html_escape() xss_wml_escape() xss_css_escape() xss_js_escape() HTML Business , HTML-: , (`) , : ~auto_html_escaping=1: , ~new_xss_functions=1: XSS. ~html_escaping_off=1/0, . , , SAP_BASIS: ITS ( <= 6.40), Internet Service SE80. ITS ( >= 6.40), GUI SICF : 7.20, ~new_xss_functions, XSS- . , , , . ~html_escaping_off=”X”, . , . SAP Security Note 1488500. Business HTML (BHTML) HTMLBusiness Template Library (, SAP_TemplateNonEditableField()) . , . SAP Security Note 916255. , . , . , XSS-: http/security_session_timeout = 900; - , . icf/set_HTTPonly_flag_on_cookies = 0; HttpOnly , - , , . HTTPOnly, Logon tickets XSS-. , RZ10, ( Profile) (, DEFAULT.PFL, SAP-). , , , Extended maintenance . , Copy. , , - , - -, : icm/HTTP/logging_0 icm/security_log , SAP NetWeaver J2EE SAP NetWeaver J2EE AS Java tc_sec_csi.jar. , HTML/XML, JavaScript, CSS URL. StringUtils (com.sap.security.core.server.csi.util.StringUtils): . Securing SAP from XSS vulnerabilities escapeScriptEndTag(String pStr) - , javascript ; escapeToHTML(String input) – (. 1) escapeToJS(String input) – JS declaration ( . 5) escapeToURL(String input) – , URL ( 3). , 'disableScriptSignatures'. escapeToURL(StringBuffer sb, String input, int maxLength) - , URL ( 3). , 'disableScriptSignatures'. escapeToURL(String input, int maxLength) - , URL (. 3). , 'disableScriptSignatures'. urlEncode(String s) – URLEncoder.encode , . 1 ( ) [CASE1] Username [CASE1] 2 ( , – URL) Click here 3 ( - URL) 4 ( SCRIPT', – ) 5 ( – declaration ) XSSEncoder. - XSSEncoder ( : com.sap.security.core.server.csi.XSSEncoder). : HTML / XML out = XSSEncoder.encodeHTML( in ) and XSSEncoder.encodeXML( val ); JavaScript out = XSSEncoder.encodeJavaScript( val ); URL out = XSSEncoder.encodeURL( val ); CSS out = XSSEncoder.encodeCSS( val ); , . SAP Security Note 1590008. WebDynpro Java WebDynpro Java, XSS. . SAP UI Development Kit for HTML5 SAP UI Development Kit HTML5, jQuery /_core/src/main/js/jquery.sap.encoder.js. : HTML / XML jQuery.sap.encodeHTML(sValue) and jQuery.sap.encodeXML(sValue) JavaScript jQuery.sap.encodeJS(sValue) URL jQuery.sap.encodeURL(sValue) CSS jQuery.sap.encodeCSS(sValue) : , : Global_app_config/session_config/sessionTimeout = 900. - , . SystemCookiesDataProtection = true. HttpOnly , - , , . HTTPOnly, Logon tickets XSS-. ume.logon.httponlycookie= True. Logon tickets , Single Sign-On J2EE Engine. “True” , HTTP document.cookie ( XSS-) . SessionIPProtectionEnabled = True. , IP . True, HTTP- IP. IP, . , , - XSS-, - -, . LogCLF = TRUE http.properties logging CEF. ArchiveOldLogFiles = ON. Log Configurator . . , . , . . HttpTrace= Enable. HTTP- , ConfigTool. HTTP Provider Service, , HttpTrace. SAP HANA XS , XSS- – SAP HANA. SAP HANA SAPUI5. - SAPUI5 , . , int int, sap.ui.core . – , HTML: , : sessiontimeout = 900. - , . HttpOnly . , , - XSS-, - -, . HTTP (S) , SAP HANA, -. - HTTP (S) , icm/http/logging _ 0: global _ auditing _ state = true. global.ini, . , , XSS-. SAP HANA Administration Console –> Security HDB –> Auditing Status menu. - , XSS. , , - SAP . XSS- – SAP. SAP XSS-. XSS SAP. , ( chipik ) . Logging additional information ABAP protection SAP Encoding Functions for AS ABAP Java protection SAP Encoding Functions for AS Java and JavaScript Prevention of Cross-site Scripting SAP HANA protection Protecting SAP® Applications Based on Java and ABAP™ Against Common Attacks

<%@page language="abap" forceEncode="html"%>
<% data: inputvalue type string.
inputvalue = request->get_form_field( 'x' ).
%>
</html>


. , ( ):

<%html=...%>: HTML <%url=...%>: URL URL <%javascript=...%>: JavaScript <%css=…%> : CSS <%raw=...%> ( , , , )

BSP

BSP HTMLB forceEncode <htmlb:content> ENABLED , ( ). ENABLED , , :<htmlb:content forceEncode="ENABLED|BACKWARDS_COMPATIBLE">

ENABLED: . , ; BACKWARDS_COMPATIBLE: . , .

, htmlb:content , . : CLASSIC, DESIGN2002, DESIGN2003, DESIGN2008, , (+). CLASSIC DESIGN2002 (, ) .

<htmlb:content forceEncode="ENABLED" design="DESIGN2003+DESIGN2008">


, design=CLASSIC. .

Mixed BSP- HTML HTMLB

forceEncode BSP page forceEncode HTMLB . , – HTMLB. , , HTML BSP,

Internet Transaction Server (ITS) HTML Business

Internet Transaction Server (ITS) HTML Business, :

xss_url_escape() xss_html_escape() xss_wml_escape() xss_css_escape() xss_js_escape()
HTML Business

, HTML-: , (`) , :
~auto_html_escaping=1: , ~new_xss_functions=1: XSS.
~html_escaping_off=1/0, .
, , SAP_BASIS:
ITS ( <= 6.40), Internet Service SE80. ITS ( >= 6.40), GUI SICF :

7.20, ~new_xss_functions, XSS- .

, , , . ~html_escaping_off=”X”, . , . SAP Security Note 1488500.

Business HTML (BHTML)

HTMLBusiness Template Library (, SAP_TemplateNonEditableField()) . , . SAP Security Note 916255.



, . , .



, XSS-:

http/security_session_timeout = 900; - , . icf/set_HTTPonly_flag_on_cookies = 0; HttpOnly , - , , . HTTPOnly, Logon tickets XSS-.

, RZ10, ( Profile) (, DEFAULT.PFL, SAP-). , , , Extended maintenance . , Copy.



, , - , - -, :
icm/HTTP/logging_0 icm/security_log ,

SAP NetWeaver J2EE

SAP NetWeaver J2EE



AS Java tc_sec_csi.jar. , HTML/XML, JavaScript, CSS URL. StringUtils (com.sap.security.core.server.csi.util.StringUtils):

. Securing SAP from XSS vulnerabilities
escapeScriptEndTag(String pStr) - , javascript ; escapeToHTML(String input) – (. 1) escapeToJS(String input) – JS declaration ( . 5) escapeToURL(String input) – , URL ( 3). , 'disableScriptSignatures'. escapeToURL(StringBuffer sb, String input, int maxLength) - , URL ( 3). , 'disableScriptSignatures'. escapeToURL(String input, int maxLength) - , URL (. 3). , 'disableScriptSignatures'. urlEncode(String s) – URLEncoder.encode

, .

1 ( )

[CASE1]

Username [CASE1]



2 ( , – URL)


Click here


3 ( - URL)




4 ( SCRIPT', – )



5 ( – declaration )



XSSEncoder.
- XSSEncoder ( : com.sap.security.core.server.csi.XSSEncoder).

:
HTML / XML out = XSSEncoder.encodeHTML( in ) and XSSEncoder.encodeXML( val ); JavaScript out = XSSEncoder.encodeJavaScript( val ); URL out = XSSEncoder.encodeURL( val ); CSS out = XSSEncoder.encodeCSS( val );

, . SAP Security Note 1590008.
WebDynpro Java
WebDynpro Java, XSS. .
SAP UI Development Kit for HTML5
SAP UI Development Kit HTML5, jQuery /_core/src/main/js/jquery.sap.encoder.js.
:
HTML / XML jQuery.sap.encodeHTML(sValue) and jQuery.sap.encodeXML(sValue) JavaScript jQuery.sap.encodeJS(sValue) URL jQuery.sap.encodeURL(sValue) CSS jQuery.sap.encodeCSS(sValue)
:

, :
Global_app_config/session_config/sessionTimeout = 900. - , . SystemCookiesDataProtection = true. HttpOnly , - , , . HTTPOnly, Logon tickets XSS-. ume.logon.httponlycookie= True. Logon tickets , Single Sign-On J2EE Engine. “True” , HTTP document.cookie ( XSS-) . SessionIPProtectionEnabled = True. , IP . True, HTTP- IP. IP, .


, , - XSS-, - -, .
LogCLF = TRUE http.properties logging CEF. ArchiveOldLogFiles = ON. Log Configurator . . , . , . . HttpTrace= Enable. HTTP- , ConfigTool. HTTP Provider Service, , HttpTrace.
SAP HANA XS

, XSS- – SAP HANA.


SAP HANA SAPUI5.
- SAPUI5 , . , int int, sap.ui.core . – , HTML:

, :
sessiontimeout = 900. - , . HttpOnly .



, , - XSS-, - -, .

HTTP (S) , SAP HANA, -. - HTTP (S) , icm/http/logging _ 0: global _ auditing _ state = true. global.ini, . , , XSS-. SAP HANA Administration Console –> Security HDB –> Auditing Status menu.



- , XSS. , , - SAP . XSS- – SAP. SAP XSS-. XSS SAP.

, ( chipik ) .


Logging additional information ABAP protection SAP Encoding Functions for AS ABAP Java protection SAP Encoding Functions for AS Java and JavaScript Prevention of Cross-site Scripting SAP HANA protection Protecting SAP® Applications Based on Java and ABAP™ Against Common Attacks

<%@page language="abap" forceEncode="html"%> <% data: inputvalue type string. inputvalue = request->get_form_field( 'x' ). %> </html> . , ( ): <%html=...%>: HTML <%url=...%>: URL URL <%javascript=...%>: JavaScript <%css=…%> : CSS <%raw=...%> ( , , , ) BSP BSP HTMLB forceEncode <htmlb:content> ENABLED , ( ). ENABLED , , :<htmlb:content forceEncode="ENABLED|BACKWARDS_COMPATIBLE"> ENABLED: . , ; BACKWARDS_COMPATIBLE: . , . , htmlb:content , . : CLASSIC, DESIGN2002, DESIGN2003, DESIGN2008, , (+). CLASSIC DESIGN2002 (, ) . <htmlb:content forceEncode="ENABLED" design="DESIGN2003+DESIGN2008"> , design=CLASSIC. . Mixed BSP- HTML HTMLB forceEncode BSP page forceEncode HTMLB . , – HTMLB. , , HTML BSP, Internet Transaction Server (ITS) HTML Business Internet Transaction Server (ITS) HTML Business, : xss_url_escape() xss_html_escape() xss_wml_escape() xss_css_escape() xss_js_escape() HTML Business , HTML-: , (`) , : ~auto_html_escaping=1: , ~new_xss_functions=1: XSS. ~html_escaping_off=1/0, . , , SAP_BASIS: ITS ( <= 6.40), Internet Service SE80. ITS ( >= 6.40), GUI SICF : 7.20, ~new_xss_functions, XSS- . , , , . ~html_escaping_off=”X”, . , . SAP Security Note 1488500. Business HTML (BHTML) HTMLBusiness Template Library (, SAP_TemplateNonEditableField()) . , . SAP Security Note 916255. , . , . , XSS-: http/security_session_timeout = 900; - , . icf/set_HTTPonly_flag_on_cookies = 0; HttpOnly , - , , . HTTPOnly, Logon tickets XSS-. , RZ10, ( Profile) (, DEFAULT.PFL, SAP-). , , , Extended maintenance . , Copy. , , - , - -, : icm/HTTP/logging_0 icm/security_log , SAP NetWeaver J2EE SAP NetWeaver J2EE AS Java tc_sec_csi.jar. , HTML/XML, JavaScript, CSS URL. StringUtils (com.sap.security.core.server.csi.util.StringUtils): . Securing SAP from XSS vulnerabilities escapeScriptEndTag(String pStr) - , javascript ; escapeToHTML(String input) – (. 1) escapeToJS(String input) – JS declaration ( . 5) escapeToURL(String input) – , URL ( 3). , 'disableScriptSignatures'. escapeToURL(StringBuffer sb, String input, int maxLength) - , URL ( 3). , 'disableScriptSignatures'. escapeToURL(String input, int maxLength) - , URL (. 3). , 'disableScriptSignatures'. urlEncode(String s) – URLEncoder.encode , . 1 ( ) [CASE1] Username [CASE1] 2 ( , – URL) Click here 3 ( - URL) 4 ( SCRIPT', – ) 5 ( – declaration ) XSSEncoder. - XSSEncoder ( : com.sap.security.core.server.csi.XSSEncoder). : HTML / XML out = XSSEncoder.encodeHTML( in ) and XSSEncoder.encodeXML( val ); JavaScript out = XSSEncoder.encodeJavaScript( val ); URL out = XSSEncoder.encodeURL( val ); CSS out = XSSEncoder.encodeCSS( val ); , . SAP Security Note 1590008. WebDynpro Java WebDynpro Java, XSS. . SAP UI Development Kit for HTML5 SAP UI Development Kit HTML5, jQuery /_core/src/main/js/jquery.sap.encoder.js. : HTML / XML jQuery.sap.encodeHTML(sValue) and jQuery.sap.encodeXML(sValue) JavaScript jQuery.sap.encodeJS(sValue) URL jQuery.sap.encodeURL(sValue) CSS jQuery.sap.encodeCSS(sValue) : , : Global_app_config/session_config/sessionTimeout = 900. - , . SystemCookiesDataProtection = true. HttpOnly , - , , . HTTPOnly, Logon tickets XSS-. ume.logon.httponlycookie= True. Logon tickets , Single Sign-On J2EE Engine. “True” , HTTP document.cookie ( XSS-) . SessionIPProtectionEnabled = True. , IP . True, HTTP- IP. IP, . , , - XSS-, - -, . LogCLF = TRUE http.properties logging CEF. ArchiveOldLogFiles = ON. Log Configurator . . , . , . . HttpTrace= Enable. HTTP- , ConfigTool. HTTP Provider Service, , HttpTrace. SAP HANA XS , XSS- – SAP HANA. SAP HANA SAPUI5. - SAPUI5 , . , int int, sap.ui.core . – , HTML: , : sessiontimeout = 900. - , . HttpOnly . , , - XSS-, - -, . HTTP (S) , SAP HANA, -. - HTTP (S) , icm/http/logging _ 0: global _ auditing _ state = true. global.ini, . , , XSS-. SAP HANA Administration Console –> Security HDB –> Auditing Status menu. - , XSS. , , - SAP . XSS- – SAP. SAP XSS-. XSS SAP. , ( chipik ) . Logging additional information ABAP protection SAP Encoding Functions for AS ABAP Java protection SAP Encoding Functions for AS Java and JavaScript Prevention of Cross-site Scripting SAP HANA protection Protecting SAP® Applications Based on Java and ABAP™ Against Common Attacks

<%@page language="abap" forceEncode="html"%>
<% data: inputvalue type string.
inputvalue = request->get_form_field( 'x' ).
%>
</html>


. , ( ):

<%html=...%>: HTML <%url=...%>: URL URL <%javascript=...%>: JavaScript <%css=…%> : CSS <%raw=...%> ( , , , )

BSP

BSP HTMLB forceEncode <htmlb:content> ENABLED , ( ). ENABLED , , :<htmlb:content forceEncode="ENABLED|BACKWARDS_COMPATIBLE">

ENABLED: . , ; BACKWARDS_COMPATIBLE: . , .

, htmlb:content , . : CLASSIC, DESIGN2002, DESIGN2003, DESIGN2008, , (+). CLASSIC DESIGN2002 (, ) .

<htmlb:content forceEncode="ENABLED" design="DESIGN2003+DESIGN2008">


, design=CLASSIC. .

Mixed BSP- HTML HTMLB

forceEncode BSP page forceEncode HTMLB . , – HTMLB. , , HTML BSP,

Internet Transaction Server (ITS) HTML Business

Internet Transaction Server (ITS) HTML Business, :

xss_url_escape() xss_html_escape() xss_wml_escape() xss_css_escape() xss_js_escape()
HTML Business

, HTML-: , (`) , :
~auto_html_escaping=1: , ~new_xss_functions=1: XSS.
~html_escaping_off=1/0, .
, , SAP_BASIS:
ITS ( <= 6.40), Internet Service SE80. ITS ( >= 6.40), GUI SICF :

7.20, ~new_xss_functions, XSS- .

, , , . ~html_escaping_off=”X”, . , . SAP Security Note 1488500.

Business HTML (BHTML)

HTMLBusiness Template Library (, SAP_TemplateNonEditableField()) . , . SAP Security Note 916255.



, . , .



, XSS-:

http/security_session_timeout = 900; - , . icf/set_HTTPonly_flag_on_cookies = 0; HttpOnly , - , , . HTTPOnly, Logon tickets XSS-.

, RZ10, ( Profile) (, DEFAULT.PFL, SAP-). , , , Extended maintenance . , Copy.



, , - , - -, :
icm/HTTP/logging_0 icm/security_log ,

SAP NetWeaver J2EE

SAP NetWeaver J2EE



AS Java tc_sec_csi.jar. , HTML/XML, JavaScript, CSS URL. StringUtils (com.sap.security.core.server.csi.util.StringUtils):

. Securing SAP from XSS vulnerabilities
escapeScriptEndTag(String pStr) - , javascript ; escapeToHTML(String input) – (. 1) escapeToJS(String input) – JS declaration ( . 5) escapeToURL(String input) – , URL ( 3). , 'disableScriptSignatures'. escapeToURL(StringBuffer sb, String input, int maxLength) - , URL ( 3). , 'disableScriptSignatures'. escapeToURL(String input, int maxLength) - , URL (. 3). , 'disableScriptSignatures'. urlEncode(String s) – URLEncoder.encode

, .

1 ( )

[CASE1]

Username [CASE1]



2 ( , – URL)


Click here


3 ( - URL)




4 ( SCRIPT', – )



5 ( – declaration )



XSSEncoder.
- XSSEncoder ( : com.sap.security.core.server.csi.XSSEncoder).

:
HTML / XML out = XSSEncoder.encodeHTML( in ) and XSSEncoder.encodeXML( val ); JavaScript out = XSSEncoder.encodeJavaScript( val ); URL out = XSSEncoder.encodeURL( val ); CSS out = XSSEncoder.encodeCSS( val );

, . SAP Security Note 1590008.
WebDynpro Java
WebDynpro Java, XSS. .
SAP UI Development Kit for HTML5
SAP UI Development Kit HTML5, jQuery /_core/src/main/js/jquery.sap.encoder.js.
:
HTML / XML jQuery.sap.encodeHTML(sValue) and jQuery.sap.encodeXML(sValue) JavaScript jQuery.sap.encodeJS(sValue) URL jQuery.sap.encodeURL(sValue) CSS jQuery.sap.encodeCSS(sValue)
:

, :
Global_app_config/session_config/sessionTimeout = 900. - , . SystemCookiesDataProtection = true. HttpOnly , - , , . HTTPOnly, Logon tickets XSS-. ume.logon.httponlycookie= True. Logon tickets , Single Sign-On J2EE Engine. “True” , HTTP document.cookie ( XSS-) . SessionIPProtectionEnabled = True. , IP . True, HTTP- IP. IP, .


, , - XSS-, - -, .
LogCLF = TRUE http.properties logging CEF. ArchiveOldLogFiles = ON. Log Configurator . . , . , . . HttpTrace= Enable. HTTP- , ConfigTool. HTTP Provider Service, , HttpTrace.
SAP HANA XS

, XSS- – SAP HANA.


SAP HANA SAPUI5.
- SAPUI5 , . , int int, sap.ui.core . – , HTML:

, :
sessiontimeout = 900. - , . HttpOnly .



, , - XSS-, - -, .

HTTP (S) , SAP HANA, -. - HTTP (S) , icm/http/logging _ 0: global _ auditing _ state = true. global.ini, . , , XSS-. SAP HANA Administration Console –> Security HDB –> Auditing Status menu.



- , XSS. , , - SAP . XSS- – SAP. SAP XSS-. XSS SAP.

, ( chipik ) .


Logging additional information ABAP protection SAP Encoding Functions for AS ABAP Java protection SAP Encoding Functions for AS Java and JavaScript Prevention of Cross-site Scripting SAP HANA protection Protecting SAP® Applications Based on Java and ABAP™ Against Common Attacks

<%@page language="abap" forceEncode="html"%> <% data: inputvalue type string. inputvalue = request->get_form_field( 'x' ). %> </html> . , ( ): <%html=...%>: HTML <%url=...%>: URL URL <%javascript=...%>: JavaScript <%css=…%> : CSS <%raw=...%> ( , , , ) BSP BSP HTMLB forceEncode <htmlb:content> ENABLED , ( ). ENABLED , , :<htmlb:content forceEncode="ENABLED|BACKWARDS_COMPATIBLE"> ENABLED: . , ; BACKWARDS_COMPATIBLE: . , . , htmlb:content , . : CLASSIC, DESIGN2002, DESIGN2003, DESIGN2008, , (+). CLASSIC DESIGN2002 (, ) . <htmlb:content forceEncode="ENABLED" design="DESIGN2003+DESIGN2008"> , design=CLASSIC. . Mixed BSP- HTML HTMLB forceEncode BSP page forceEncode HTMLB . , – HTMLB. , , HTML BSP, Internet Transaction Server (ITS) HTML Business Internet Transaction Server (ITS) HTML Business, : xss_url_escape() xss_html_escape() xss_wml_escape() xss_css_escape() xss_js_escape() HTML Business , HTML-: , (`) , : ~auto_html_escaping=1: , ~new_xss_functions=1: XSS. ~html_escaping_off=1/0, . , , SAP_BASIS: ITS ( <= 6.40), Internet Service SE80. ITS ( >= 6.40), GUI SICF : 7.20, ~new_xss_functions, XSS- . , , , . ~html_escaping_off=”X”, . , . SAP Security Note 1488500. Business HTML (BHTML) HTMLBusiness Template Library (, SAP_TemplateNonEditableField()) . , . SAP Security Note 916255. , . , . , XSS-: http/security_session_timeout = 900; - , . icf/set_HTTPonly_flag_on_cookies = 0; HttpOnly , - , , . HTTPOnly, Logon tickets XSS-. , RZ10, ( Profile) (, DEFAULT.PFL, SAP-). , , , Extended maintenance . , Copy. , , - , - -, : icm/HTTP/logging_0 icm/security_log , SAP NetWeaver J2EE SAP NetWeaver J2EE AS Java tc_sec_csi.jar. , HTML/XML, JavaScript, CSS URL. StringUtils (com.sap.security.core.server.csi.util.StringUtils): . Securing SAP from XSS vulnerabilities escapeScriptEndTag(String pStr) - , javascript ; escapeToHTML(String input) – (. 1) escapeToJS(String input) – JS declaration ( . 5) escapeToURL(String input) – , URL ( 3). , 'disableScriptSignatures'. escapeToURL(StringBuffer sb, String input, int maxLength) - , URL ( 3). , 'disableScriptSignatures'. escapeToURL(String input, int maxLength) - , URL (. 3). , 'disableScriptSignatures'. urlEncode(String s) – URLEncoder.encode , . 1 ( ) [CASE1] Username [CASE1] 2 ( , – URL) Click here 3 ( - URL) 4 ( SCRIPT', – ) 5 ( – declaration ) XSSEncoder. - XSSEncoder ( : com.sap.security.core.server.csi.XSSEncoder). : HTML / XML out = XSSEncoder.encodeHTML( in ) and XSSEncoder.encodeXML( val ); JavaScript out = XSSEncoder.encodeJavaScript( val ); URL out = XSSEncoder.encodeURL( val ); CSS out = XSSEncoder.encodeCSS( val ); , . SAP Security Note 1590008. WebDynpro Java WebDynpro Java, XSS. . SAP UI Development Kit for HTML5 SAP UI Development Kit HTML5, jQuery /_core/src/main/js/jquery.sap.encoder.js. : HTML / XML jQuery.sap.encodeHTML(sValue) and jQuery.sap.encodeXML(sValue) JavaScript jQuery.sap.encodeJS(sValue) URL jQuery.sap.encodeURL(sValue) CSS jQuery.sap.encodeCSS(sValue) : , : Global_app_config/session_config/sessionTimeout = 900. - , . SystemCookiesDataProtection = true. HttpOnly , - , , . HTTPOnly, Logon tickets XSS-. ume.logon.httponlycookie= True. Logon tickets , Single Sign-On J2EE Engine. “True” , HTTP document.cookie ( XSS-) . SessionIPProtectionEnabled = True. , IP . True, HTTP- IP. IP, . , , - XSS-, - -, . LogCLF = TRUE http.properties logging CEF. ArchiveOldLogFiles = ON. Log Configurator . . , . , . . HttpTrace= Enable. HTTP- , ConfigTool. HTTP Provider Service, , HttpTrace. SAP HANA XS , XSS- – SAP HANA. SAP HANA SAPUI5. - SAPUI5 , . , int int, sap.ui.core . – , HTML: , : sessiontimeout = 900. - , . HttpOnly . , , - XSS-, - -, . HTTP (S) , SAP HANA, -. - HTTP (S) , icm/http/logging _ 0: global _ auditing _ state = true. global.ini, . , , XSS-. SAP HANA Administration Console –> Security HDB –> Auditing Status menu. - , XSS. , , - SAP . XSS- – SAP. SAP XSS-. XSS SAP. , ( chipik ) . Logging additional information ABAP protection SAP Encoding Functions for AS ABAP Java protection SAP Encoding Functions for AS Java and JavaScript Prevention of Cross-site Scripting SAP HANA protection Protecting SAP® Applications Based on Java and ABAP™ Against Common Attacks
<%@page language="abap" forceEncode="html"%> <% data: inputvalue type string. inputvalue = request->get_form_field( 'x' ). %> </html> . , ( ): <%html=...%>: HTML <%url=...%>: URL URL <%javascript=...%>: JavaScript <%css=…%> : CSS <%raw=...%> ( , , , ) BSP BSP HTMLB forceEncode <htmlb:content> ENABLED , ( ). ENABLED , , :<htmlb:content forceEncode="ENABLED|BACKWARDS_COMPATIBLE"> ENABLED: . , ; BACKWARDS_COMPATIBLE: . , . , htmlb:content , . : CLASSIC, DESIGN2002, DESIGN2003, DESIGN2008, , (+). CLASSIC DESIGN2002 (, ) . <htmlb:content forceEncode="ENABLED" design="DESIGN2003+DESIGN2008"> , design=CLASSIC. . Mixed BSP- HTML HTMLB forceEncode BSP page forceEncode HTMLB . , – HTMLB. , , HTML BSP, Internet Transaction Server (ITS) HTML Business Internet Transaction Server (ITS) HTML Business, : xss_url_escape() xss_html_escape() xss_wml_escape() xss_css_escape() xss_js_escape() HTML Business , HTML-: , (`) , : ~auto_html_escaping=1: , ~new_xss_functions=1: XSS. ~html_escaping_off=1/0, . , , SAP_BASIS: ITS ( <= 6.40), Internet Service SE80. ITS ( >= 6.40), GUI SICF : 7.20, ~new_xss_functions, XSS- . , , , . ~html_escaping_off=”X”, . , . SAP Security Note 1488500. Business HTML (BHTML) HTMLBusiness Template Library (, SAP_TemplateNonEditableField()) . , . SAP Security Note 916255. , . , . , XSS-: http/security_session_timeout = 900; - , . icf/set_HTTPonly_flag_on_cookies = 0; HttpOnly , - , , . HTTPOnly, Logon tickets XSS-. , RZ10, ( Profile) (, DEFAULT.PFL, SAP-). , , , Extended maintenance . , Copy. , , - , - -, : icm/HTTP/logging_0 icm/security_log , SAP NetWeaver J2EE SAP NetWeaver J2EE AS Java tc_sec_csi.jar. , HTML/XML, JavaScript, CSS URL. StringUtils (com.sap.security.core.server.csi.util.StringUtils): . Securing SAP from XSS vulnerabilities escapeScriptEndTag(String pStr) - , javascript ; escapeToHTML(String input) – (. 1) escapeToJS(String input) – JS declaration ( . 5) escapeToURL(String input) – , URL ( 3). , 'disableScriptSignatures'. escapeToURL(StringBuffer sb, String input, int maxLength) - , URL ( 3). , 'disableScriptSignatures'. escapeToURL(String input, int maxLength) - , URL (. 3). , 'disableScriptSignatures'. urlEncode(String s) – URLEncoder.encode , . 1 ( ) [CASE1] Username [CASE1] 2 ( , – URL) Click here 3 ( - URL) 4 ( SCRIPT', – ) 5 ( – declaration ) XSSEncoder. - XSSEncoder ( : com.sap.security.core.server.csi.XSSEncoder). : HTML / XML out = XSSEncoder.encodeHTML( in ) and XSSEncoder.encodeXML( val ); JavaScript out = XSSEncoder.encodeJavaScript( val ); URL out = XSSEncoder.encodeURL( val ); CSS out = XSSEncoder.encodeCSS( val ); , . SAP Security Note 1590008. WebDynpro Java WebDynpro Java, XSS. . SAP UI Development Kit for HTML5 SAP UI Development Kit HTML5, jQuery /_core/src/main/js/jquery.sap.encoder.js. : HTML / XML jQuery.sap.encodeHTML(sValue) and jQuery.sap.encodeXML(sValue) JavaScript jQuery.sap.encodeJS(sValue) URL jQuery.sap.encodeURL(sValue) CSS jQuery.sap.encodeCSS(sValue) : , : Global_app_config/session_config/sessionTimeout = 900. - , . SystemCookiesDataProtection = true. HttpOnly , - , , . HTTPOnly, Logon tickets XSS-. ume.logon.httponlycookie= True. Logon tickets , Single Sign-On J2EE Engine. “True” , HTTP document.cookie ( XSS-) . SessionIPProtectionEnabled = True. , IP . True, HTTP- IP. IP, . , , - XSS-, - -, . LogCLF = TRUE http.properties logging CEF. ArchiveOldLogFiles = ON. Log Configurator . . , . , . . HttpTrace= Enable. HTTP- , ConfigTool. HTTP Provider Service, , HttpTrace. SAP HANA XS , XSS- – SAP HANA. SAP HANA SAPUI5. - SAPUI5 , . , int int, sap.ui.core . – , HTML: , : sessiontimeout = 900. - , . HttpOnly . , , - XSS-, - -, . HTTP (S) , SAP HANA, -. - HTTP (S) , icm/http/logging _ 0: global _ auditing _ state = true. global.ini, . , , XSS-. SAP HANA Administration Console –> Security HDB –> Auditing Status menu. - , XSS. , , - SAP . XSS- – SAP. SAP XSS-. XSS SAP. , ( chipik ) . Logging additional information ABAP protection SAP Encoding Functions for AS ABAP Java protection SAP Encoding Functions for AS Java and JavaScript Prevention of Cross-site Scripting SAP HANA protection Protecting SAP® Applications Based on Java and ABAP™ Against Common Attacks

<%@page language="abap" forceEncode="html"%>
<% data: inputvalue type string.
inputvalue = request->get_form_field( 'x' ).
%>
</html>


. , ( ):

<%html=...%>: HTML <%url=...%>: URL URL <%javascript=...%>: JavaScript <%css=…%> : CSS <%raw=...%> ( , , , )

BSP

BSP HTMLB forceEncode <htmlb:content> ENABLED , ( ). ENABLED , , :<htmlb:content forceEncode="ENABLED|BACKWARDS_COMPATIBLE">

ENABLED: . , ; BACKWARDS_COMPATIBLE: . , .

, htmlb:content , . : CLASSIC, DESIGN2002, DESIGN2003, DESIGN2008, , (+). CLASSIC DESIGN2002 (, ) .

<htmlb:content forceEncode="ENABLED" design="DESIGN2003+DESIGN2008">


, design=CLASSIC. .

Mixed BSP- HTML HTMLB

forceEncode BSP page forceEncode HTMLB . , – HTMLB. , , HTML BSP,

Internet Transaction Server (ITS) HTML Business

Internet Transaction Server (ITS) HTML Business, :

xss_url_escape() xss_html_escape() xss_wml_escape() xss_css_escape() xss_js_escape()
HTML Business

, HTML-: , (`) , :
~auto_html_escaping=1: , ~new_xss_functions=1: XSS.
~html_escaping_off=1/0, .
, , SAP_BASIS:
ITS ( <= 6.40), Internet Service SE80. ITS ( >= 6.40), GUI SICF :

7.20, ~new_xss_functions, XSS- .

, , , . ~html_escaping_off=”X”, . , . SAP Security Note 1488500.

Business HTML (BHTML)

HTMLBusiness Template Library (, SAP_TemplateNonEditableField()) . , . SAP Security Note 916255.



, . , .



, XSS-:

http/security_session_timeout = 900; - , . icf/set_HTTPonly_flag_on_cookies = 0; HttpOnly , - , , . HTTPOnly, Logon tickets XSS-.

, RZ10, ( Profile) (, DEFAULT.PFL, SAP-). , , , Extended maintenance . , Copy.



, , - , - -, :
icm/HTTP/logging_0 icm/security_log ,

SAP NetWeaver J2EE

SAP NetWeaver J2EE



AS Java tc_sec_csi.jar. , HTML/XML, JavaScript, CSS URL. StringUtils (com.sap.security.core.server.csi.util.StringUtils):

. Securing SAP from XSS vulnerabilities
escapeScriptEndTag(String pStr) - , javascript ; escapeToHTML(String input) – (. 1) escapeToJS(String input) – JS declaration ( . 5) escapeToURL(String input) – , URL ( 3). , 'disableScriptSignatures'. escapeToURL(StringBuffer sb, String input, int maxLength) - , URL ( 3). , 'disableScriptSignatures'. escapeToURL(String input, int maxLength) - , URL (. 3). , 'disableScriptSignatures'. urlEncode(String s) – URLEncoder.encode

, .

1 ( )

[CASE1]

Username [CASE1]



2 ( , – URL)


Click here


3 ( - URL)




4 ( SCRIPT', – )



5 ( – declaration )



XSSEncoder.
- XSSEncoder ( : com.sap.security.core.server.csi.XSSEncoder).

:
HTML / XML out = XSSEncoder.encodeHTML( in ) and XSSEncoder.encodeXML( val ); JavaScript out = XSSEncoder.encodeJavaScript( val ); URL out = XSSEncoder.encodeURL( val ); CSS out = XSSEncoder.encodeCSS( val );

, . SAP Security Note 1590008.
WebDynpro Java
WebDynpro Java, XSS. .
SAP UI Development Kit for HTML5
SAP UI Development Kit HTML5, jQuery /_core/src/main/js/jquery.sap.encoder.js.
:
HTML / XML jQuery.sap.encodeHTML(sValue) and jQuery.sap.encodeXML(sValue) JavaScript jQuery.sap.encodeJS(sValue) URL jQuery.sap.encodeURL(sValue) CSS jQuery.sap.encodeCSS(sValue)
:

, :
Global_app_config/session_config/sessionTimeout = 900. - , . SystemCookiesDataProtection = true. HttpOnly , - , , . HTTPOnly, Logon tickets XSS-. ume.logon.httponlycookie= True. Logon tickets , Single Sign-On J2EE Engine. “True” , HTTP document.cookie ( XSS-) . SessionIPProtectionEnabled = True. , IP . True, HTTP- IP. IP, .


, , - XSS-, - -, .
LogCLF = TRUE http.properties logging CEF. ArchiveOldLogFiles = ON. Log Configurator . . , . , . . HttpTrace= Enable. HTTP- , ConfigTool. HTTP Provider Service, , HttpTrace.
SAP HANA XS

, XSS- – SAP HANA.


SAP HANA SAPUI5.
- SAPUI5 , . , int int, sap.ui.core . – , HTML:

, :
sessiontimeout = 900. - , . HttpOnly .



, , - XSS-, - -, .

HTTP (S) , SAP HANA, -. - HTTP (S) , icm/http/logging _ 0: global _ auditing _ state = true. global.ini, . , , XSS-. SAP HANA Administration Console –> Security HDB –> Auditing Status menu.



- , XSS. , , - SAP . XSS- – SAP. SAP XSS-. XSS SAP.

, ( chipik ) .


Logging additional information ABAP protection SAP Encoding Functions for AS ABAP Java protection SAP Encoding Functions for AS Java and JavaScript Prevention of Cross-site Scripting SAP HANA protection Protecting SAP® Applications Based on Java and ABAP™ Against Common Attacks

<%@page language="abap" forceEncode="html"%> <% data: inputvalue type string. inputvalue = request->get_form_field( 'x' ). %> </html> . , ( ): <%html=...%>: HTML <%url=...%>: URL URL <%javascript=...%>: JavaScript <%css=…%> : CSS <%raw=...%> ( , , , ) BSP BSP HTMLB forceEncode <htmlb:content> ENABLED , ( ). ENABLED , , :<htmlb:content forceEncode="ENABLED|BACKWARDS_COMPATIBLE"> ENABLED: . , ; BACKWARDS_COMPATIBLE: . , . , htmlb:content , . : CLASSIC, DESIGN2002, DESIGN2003, DESIGN2008, , (+). CLASSIC DESIGN2002 (, ) . <htmlb:content forceEncode="ENABLED" design="DESIGN2003+DESIGN2008"> , design=CLASSIC. . Mixed BSP- HTML HTMLB forceEncode BSP page forceEncode HTMLB . , – HTMLB. , , HTML BSP, Internet Transaction Server (ITS) HTML Business Internet Transaction Server (ITS) HTML Business, : xss_url_escape() xss_html_escape() xss_wml_escape() xss_css_escape() xss_js_escape() HTML Business , HTML-: , (`) , : ~auto_html_escaping=1: , ~new_xss_functions=1: XSS. ~html_escaping_off=1/0, . , , SAP_BASIS: ITS ( <= 6.40), Internet Service SE80. ITS ( >= 6.40), GUI SICF : 7.20, ~new_xss_functions, XSS- . , , , . ~html_escaping_off=”X”, . , . SAP Security Note 1488500. Business HTML (BHTML) HTMLBusiness Template Library (, SAP_TemplateNonEditableField()) . , . SAP Security Note 916255. , . , . , XSS-: http/security_session_timeout = 900; - , . icf/set_HTTPonly_flag_on_cookies = 0; HttpOnly , - , , . HTTPOnly, Logon tickets XSS-. , RZ10, ( Profile) (, DEFAULT.PFL, SAP-). , , , Extended maintenance . , Copy. , , - , - -, : icm/HTTP/logging_0 icm/security_log , SAP NetWeaver J2EE SAP NetWeaver J2EE AS Java tc_sec_csi.jar. , HTML/XML, JavaScript, CSS URL. StringUtils (com.sap.security.core.server.csi.util.StringUtils): . Securing SAP from XSS vulnerabilities escapeScriptEndTag(String pStr) - , javascript ; escapeToHTML(String input) – (. 1) escapeToJS(String input) – JS declaration ( . 5) escapeToURL(String input) – , URL ( 3). , 'disableScriptSignatures'. escapeToURL(StringBuffer sb, String input, int maxLength) - , URL ( 3). , 'disableScriptSignatures'. escapeToURL(String input, int maxLength) - , URL (. 3). , 'disableScriptSignatures'. urlEncode(String s) – URLEncoder.encode , . 1 ( ) [CASE1] Username [CASE1] 2 ( , – URL) Click here 3 ( - URL) 4 ( SCRIPT', – ) 5 ( – declaration ) XSSEncoder. - XSSEncoder ( : com.sap.security.core.server.csi.XSSEncoder). : HTML / XML out = XSSEncoder.encodeHTML( in ) and XSSEncoder.encodeXML( val ); JavaScript out = XSSEncoder.encodeJavaScript( val ); URL out = XSSEncoder.encodeURL( val ); CSS out = XSSEncoder.encodeCSS( val ); , . SAP Security Note 1590008. WebDynpro Java WebDynpro Java, XSS. . SAP UI Development Kit for HTML5 SAP UI Development Kit HTML5, jQuery /_core/src/main/js/jquery.sap.encoder.js. : HTML / XML jQuery.sap.encodeHTML(sValue) and jQuery.sap.encodeXML(sValue) JavaScript jQuery.sap.encodeJS(sValue) URL jQuery.sap.encodeURL(sValue) CSS jQuery.sap.encodeCSS(sValue) : , : Global_app_config/session_config/sessionTimeout = 900. - , . SystemCookiesDataProtection = true. HttpOnly , - , , . HTTPOnly, Logon tickets XSS-. ume.logon.httponlycookie= True. Logon tickets , Single Sign-On J2EE Engine. “True” , HTTP document.cookie ( XSS-) . SessionIPProtectionEnabled = True. , IP . True, HTTP- IP. IP, . , , - XSS-, - -, . LogCLF = TRUE http.properties logging CEF. ArchiveOldLogFiles = ON. Log Configurator . . , . , . . HttpTrace= Enable. HTTP- , ConfigTool. HTTP Provider Service, , HttpTrace. SAP HANA XS , XSS- – SAP HANA. SAP HANA SAPUI5. - SAPUI5 , . , int int, sap.ui.core . – , HTML: , : sessiontimeout = 900. - , . HttpOnly . , , - XSS-, - -, . HTTP (S) , SAP HANA, -. - HTTP (S) , icm/http/logging _ 0: global _ auditing _ state = true. global.ini, . , , XSS-. SAP HANA Administration Console –> Security HDB –> Auditing Status menu. - , XSS. , , - SAP . XSS- – SAP. SAP XSS-. XSS SAP. , ( chipik ) . Logging additional information ABAP protection SAP Encoding Functions for AS ABAP Java protection SAP Encoding Functions for AS Java and JavaScript Prevention of Cross-site Scripting SAP HANA protection Protecting SAP® Applications Based on Java and ABAP™ Against Common Attacks

<%@page language="abap" forceEncode="html"%>
<% data: inputvalue type string.
inputvalue = request->get_form_field( 'x' ).
%>
</html>


. , ( ):

<%html=...%>: HTML <%url=...%>: URL URL <%javascript=...%>: JavaScript <%css=…%> : CSS <%raw=...%> ( , , , )

BSP

BSP HTMLB forceEncode <htmlb:content> ENABLED , ( ). ENABLED , , :<htmlb:content forceEncode="ENABLED|BACKWARDS_COMPATIBLE">

ENABLED: . , ; BACKWARDS_COMPATIBLE: . , .

, htmlb:content , . : CLASSIC, DESIGN2002, DESIGN2003, DESIGN2008, , (+). CLASSIC DESIGN2002 (, ) .

<htmlb:content forceEncode="ENABLED" design="DESIGN2003+DESIGN2008">


, design=CLASSIC. .

Mixed BSP- HTML HTMLB

forceEncode BSP page forceEncode HTMLB . , – HTMLB. , , HTML BSP,

Internet Transaction Server (ITS) HTML Business

Internet Transaction Server (ITS) HTML Business, :

xss_url_escape() xss_html_escape() xss_wml_escape() xss_css_escape() xss_js_escape()
HTML Business

, HTML-: , (`) , :
~auto_html_escaping=1: , ~new_xss_functions=1: XSS.
~html_escaping_off=1/0, .
, , SAP_BASIS:
ITS ( <= 6.40), Internet Service SE80. ITS ( >= 6.40), GUI SICF :

7.20, ~new_xss_functions, XSS- .

, , , . ~html_escaping_off=”X”, . , . SAP Security Note 1488500.

Business HTML (BHTML)

HTMLBusiness Template Library (, SAP_TemplateNonEditableField()) . , . SAP Security Note 916255.



, . , .



, XSS-:

http/security_session_timeout = 900; - , . icf/set_HTTPonly_flag_on_cookies = 0; HttpOnly , - , , . HTTPOnly, Logon tickets XSS-.

, RZ10, ( Profile) (, DEFAULT.PFL, SAP-). , , , Extended maintenance . , Copy.



, , - , - -, :
icm/HTTP/logging_0 icm/security_log ,

SAP NetWeaver J2EE

SAP NetWeaver J2EE



AS Java tc_sec_csi.jar. , HTML/XML, JavaScript, CSS URL. StringUtils (com.sap.security.core.server.csi.util.StringUtils):

. Securing SAP from XSS vulnerabilities
escapeScriptEndTag(String pStr) - , javascript ; escapeToHTML(String input) – (. 1) escapeToJS(String input) – JS declaration ( . 5) escapeToURL(String input) – , URL ( 3). , 'disableScriptSignatures'. escapeToURL(StringBuffer sb, String input, int maxLength) - , URL ( 3). , 'disableScriptSignatures'. escapeToURL(String input, int maxLength) - , URL (. 3). , 'disableScriptSignatures'. urlEncode(String s) – URLEncoder.encode

, .

1 ( )

[CASE1]

Username [CASE1]



2 ( , – URL)


Click here


3 ( - URL)




4 ( SCRIPT', – )



5 ( – declaration )



XSSEncoder.
- XSSEncoder ( : com.sap.security.core.server.csi.XSSEncoder).

:
HTML / XML out = XSSEncoder.encodeHTML( in ) and XSSEncoder.encodeXML( val ); JavaScript out = XSSEncoder.encodeJavaScript( val ); URL out = XSSEncoder.encodeURL( val ); CSS out = XSSEncoder.encodeCSS( val );

, . SAP Security Note 1590008.
WebDynpro Java
WebDynpro Java, XSS. .
SAP UI Development Kit for HTML5
SAP UI Development Kit HTML5, jQuery /_core/src/main/js/jquery.sap.encoder.js.
:
HTML / XML jQuery.sap.encodeHTML(sValue) and jQuery.sap.encodeXML(sValue) JavaScript jQuery.sap.encodeJS(sValue) URL jQuery.sap.encodeURL(sValue) CSS jQuery.sap.encodeCSS(sValue)
:

, :
Global_app_config/session_config/sessionTimeout = 900. - , . SystemCookiesDataProtection = true. HttpOnly , - , , . HTTPOnly, Logon tickets XSS-. ume.logon.httponlycookie= True. Logon tickets , Single Sign-On J2EE Engine. “True” , HTTP document.cookie ( XSS-) . SessionIPProtectionEnabled = True. , IP . True, HTTP- IP. IP, .


, , - XSS-, - -, .
LogCLF = TRUE http.properties logging CEF. ArchiveOldLogFiles = ON. Log Configurator . . , . , . . HttpTrace= Enable. HTTP- , ConfigTool. HTTP Provider Service, , HttpTrace.
SAP HANA XS

, XSS- – SAP HANA.


SAP HANA SAPUI5.
- SAPUI5 , . , int int, sap.ui.core . – , HTML:

, :
sessiontimeout = 900. - , . HttpOnly .



, , - XSS-, - -, .

HTTP (S) , SAP HANA, -. - HTTP (S) , icm/http/logging _ 0: global _ auditing _ state = true. global.ini, . , , XSS-. SAP HANA Administration Console –> Security HDB –> Auditing Status menu.



- , XSS. , , - SAP . XSS- – SAP. SAP XSS-. XSS SAP.

, ( chipik ) .


Logging additional information ABAP protection SAP Encoding Functions for AS ABAP Java protection SAP Encoding Functions for AS Java and JavaScript Prevention of Cross-site Scripting SAP HANA protection Protecting SAP® Applications Based on Java and ABAP™ Against Common Attacks

<%@page language="abap" forceEncode="html"%> <% data: inputvalue type string. inputvalue = request->get_form_field( 'x' ). %> </html> . , ( ): <%html=...%>: HTML <%url=...%>: URL URL <%javascript=...%>: JavaScript <%css=…%> : CSS <%raw=...%> ( , , , ) BSP BSP HTMLB forceEncode <htmlb:content> ENABLED , ( ). ENABLED , , :<htmlb:content forceEncode="ENABLED|BACKWARDS_COMPATIBLE"> ENABLED: . , ; BACKWARDS_COMPATIBLE: . , . , htmlb:content , . : CLASSIC, DESIGN2002, DESIGN2003, DESIGN2008, , (+). CLASSIC DESIGN2002 (, ) . <htmlb:content forceEncode="ENABLED" design="DESIGN2003+DESIGN2008"> , design=CLASSIC. . Mixed BSP- HTML HTMLB forceEncode BSP page forceEncode HTMLB . , – HTMLB. , , HTML BSP, Internet Transaction Server (ITS) HTML Business Internet Transaction Server (ITS) HTML Business, : xss_url_escape() xss_html_escape() xss_wml_escape() xss_css_escape() xss_js_escape() HTML Business , HTML-: , (`) , : ~auto_html_escaping=1: , ~new_xss_functions=1: XSS. ~html_escaping_off=1/0, . , , SAP_BASIS: ITS ( <= 6.40), Internet Service SE80. ITS ( >= 6.40), GUI SICF : 7.20, ~new_xss_functions, XSS- . , , , . ~html_escaping_off=”X”, . , . SAP Security Note 1488500. Business HTML (BHTML) HTMLBusiness Template Library (, SAP_TemplateNonEditableField()) . , . SAP Security Note 916255. , . , . , XSS-: http/security_session_timeout = 900; - , . icf/set_HTTPonly_flag_on_cookies = 0; HttpOnly , - , , . HTTPOnly, Logon tickets XSS-. , RZ10, ( Profile) (, DEFAULT.PFL, SAP-). , , , Extended maintenance . , Copy. , , - , - -, : icm/HTTP/logging_0 icm/security_log , SAP NetWeaver J2EE SAP NetWeaver J2EE AS Java tc_sec_csi.jar. , HTML/XML, JavaScript, CSS URL. StringUtils (com.sap.security.core.server.csi.util.StringUtils): . Securing SAP from XSS vulnerabilities escapeScriptEndTag(String pStr) - , javascript ; escapeToHTML(String input) – (. 1) escapeToJS(String input) – JS declaration ( . 5) escapeToURL(String input) – , URL ( 3). , 'disableScriptSignatures'. escapeToURL(StringBuffer sb, String input, int maxLength) - , URL ( 3). , 'disableScriptSignatures'. escapeToURL(String input, int maxLength) - , URL (. 3). , 'disableScriptSignatures'. urlEncode(String s) – URLEncoder.encode , . 1 ( ) [CASE1] Username [CASE1] 2 ( , – URL) Click here 3 ( - URL) 4 ( SCRIPT', – ) 5 ( – declaration ) XSSEncoder. - XSSEncoder ( : com.sap.security.core.server.csi.XSSEncoder). : HTML / XML out = XSSEncoder.encodeHTML( in ) and XSSEncoder.encodeXML( val ); JavaScript out = XSSEncoder.encodeJavaScript( val ); URL out = XSSEncoder.encodeURL( val ); CSS out = XSSEncoder.encodeCSS( val ); , . SAP Security Note 1590008. WebDynpro Java WebDynpro Java, XSS. . SAP UI Development Kit for HTML5 SAP UI Development Kit HTML5, jQuery /_core/src/main/js/jquery.sap.encoder.js. : HTML / XML jQuery.sap.encodeHTML(sValue) and jQuery.sap.encodeXML(sValue) JavaScript jQuery.sap.encodeJS(sValue) URL jQuery.sap.encodeURL(sValue) CSS jQuery.sap.encodeCSS(sValue) : , : Global_app_config/session_config/sessionTimeout = 900. - , . SystemCookiesDataProtection = true. HttpOnly , - , , . HTTPOnly, Logon tickets XSS-. ume.logon.httponlycookie= True. Logon tickets , Single Sign-On J2EE Engine. “True” , HTTP document.cookie ( XSS-) . SessionIPProtectionEnabled = True. , IP . True, HTTP- IP. IP, . , , - XSS-, - -, . LogCLF = TRUE http.properties logging CEF. ArchiveOldLogFiles = ON. Log Configurator . . , . , . . HttpTrace= Enable. HTTP- , ConfigTool. HTTP Provider Service, , HttpTrace. SAP HANA XS , XSS- – SAP HANA. SAP HANA SAPUI5. - SAPUI5 , . , int int, sap.ui.core . – , HTML: , : sessiontimeout = 900. - , . HttpOnly . , , - XSS-, - -, . HTTP (S) , SAP HANA, -. - HTTP (S) , icm/http/logging _ 0: global _ auditing _ state = true. global.ini, . , , XSS-. SAP HANA Administration Console –> Security HDB –> Auditing Status menu. - , XSS. , , - SAP . XSS- – SAP. SAP XSS-. XSS SAP. , ( chipik ) . Logging additional information ABAP protection SAP Encoding Functions for AS ABAP Java protection SAP Encoding Functions for AS Java and JavaScript Prevention of Cross-site Scripting SAP HANA protection Protecting SAP® Applications Based on Java and ABAP™ Against Common Attacks

<%@page language="abap" forceEncode="html"%>
<% data: inputvalue type string.
inputvalue = request->get_form_field( 'x' ).
%>
</html>


. , ( ):

<%html=...%>: HTML <%url=...%>: URL URL <%javascript=...%>: JavaScript <%css=…%> : CSS <%raw=...%> ( , , , )

BSP

BSP HTMLB forceEncode <htmlb:content> ENABLED , ( ). ENABLED , , :<htmlb:content forceEncode="ENABLED|BACKWARDS_COMPATIBLE">

ENABLED: . , ; BACKWARDS_COMPATIBLE: . , .

, htmlb:content , . : CLASSIC, DESIGN2002, DESIGN2003, DESIGN2008, , (+). CLASSIC DESIGN2002 (, ) .

<htmlb:content forceEncode="ENABLED" design="DESIGN2003+DESIGN2008">


, design=CLASSIC. .

Mixed BSP- HTML HTMLB

forceEncode BSP page forceEncode HTMLB . , – HTMLB. , , HTML BSP,

Internet Transaction Server (ITS) HTML Business

Internet Transaction Server (ITS) HTML Business, :

xss_url_escape() xss_html_escape() xss_wml_escape() xss_css_escape() xss_js_escape()
HTML Business

, HTML-: , (`) , :
~auto_html_escaping=1: , ~new_xss_functions=1: XSS.
~html_escaping_off=1/0, .
, , SAP_BASIS:
ITS ( <= 6.40), Internet Service SE80. ITS ( >= 6.40), GUI SICF :

7.20, ~new_xss_functions, XSS- .

, , , . ~html_escaping_off=”X”, . , . SAP Security Note 1488500.

Business HTML (BHTML)

HTMLBusiness Template Library (, SAP_TemplateNonEditableField()) . , . SAP Security Note 916255.



, . , .



, XSS-:

http/security_session_timeout = 900; - , . icf/set_HTTPonly_flag_on_cookies = 0; HttpOnly , - , , . HTTPOnly, Logon tickets XSS-.

, RZ10, ( Profile) (, DEFAULT.PFL, SAP-). , , , Extended maintenance . , Copy.



, , - , - -, :
icm/HTTP/logging_0 icm/security_log ,

SAP NetWeaver J2EE

SAP NetWeaver J2EE



AS Java tc_sec_csi.jar. , HTML/XML, JavaScript, CSS URL. StringUtils (com.sap.security.core.server.csi.util.StringUtils):

. Securing SAP from XSS vulnerabilities
escapeScriptEndTag(String pStr) - , javascript ; escapeToHTML(String input) – (. 1) escapeToJS(String input) – JS declaration ( . 5) escapeToURL(String input) – , URL ( 3). , 'disableScriptSignatures'. escapeToURL(StringBuffer sb, String input, int maxLength) - , URL ( 3). , 'disableScriptSignatures'. escapeToURL(String input, int maxLength) - , URL (. 3). , 'disableScriptSignatures'. urlEncode(String s) – URLEncoder.encode

, .

1 ( )

[CASE1]

Username [CASE1]



2 ( , – URL)


Click here


3 ( - URL)




4 ( SCRIPT', – )



5 ( – declaration )



XSSEncoder.
- XSSEncoder ( : com.sap.security.core.server.csi.XSSEncoder).

:
HTML / XML out = XSSEncoder.encodeHTML( in ) and XSSEncoder.encodeXML( val ); JavaScript out = XSSEncoder.encodeJavaScript( val ); URL out = XSSEncoder.encodeURL( val ); CSS out = XSSEncoder.encodeCSS( val );

, . SAP Security Note 1590008.
WebDynpro Java
WebDynpro Java, XSS. .
SAP UI Development Kit for HTML5
SAP UI Development Kit HTML5, jQuery /_core/src/main/js/jquery.sap.encoder.js.
:
HTML / XML jQuery.sap.encodeHTML(sValue) and jQuery.sap.encodeXML(sValue) JavaScript jQuery.sap.encodeJS(sValue) URL jQuery.sap.encodeURL(sValue) CSS jQuery.sap.encodeCSS(sValue)
:

, :
Global_app_config/session_config/sessionTimeout = 900. - , . SystemCookiesDataProtection = true. HttpOnly , - , , . HTTPOnly, Logon tickets XSS-. ume.logon.httponlycookie= True. Logon tickets , Single Sign-On J2EE Engine. “True” , HTTP document.cookie ( XSS-) . SessionIPProtectionEnabled = True. , IP . True, HTTP- IP. IP, .


, , - XSS-, - -, .
LogCLF = TRUE http.properties logging CEF. ArchiveOldLogFiles = ON. Log Configurator . . , . , . . HttpTrace= Enable. HTTP- , ConfigTool. HTTP Provider Service, , HttpTrace.
SAP HANA XS

, XSS- – SAP HANA.


SAP HANA SAPUI5.
- SAPUI5 , . , int int, sap.ui.core . – , HTML:

, :
sessiontimeout = 900. - , . HttpOnly .



, , - XSS-, - -, .

HTTP (S) , SAP HANA, -. - HTTP (S) , icm/http/logging _ 0: global _ auditing _ state = true. global.ini, . , , XSS-. SAP HANA Administration Console –> Security HDB –> Auditing Status menu.



- , XSS. , , - SAP . XSS- – SAP. SAP XSS-. XSS SAP.

, ( chipik ) .


Logging additional information ABAP protection SAP Encoding Functions for AS ABAP Java protection SAP Encoding Functions for AS Java and JavaScript Prevention of Cross-site Scripting SAP HANA protection Protecting SAP® Applications Based on Java and ABAP™ Against Common Attacks

<%@page language="abap" forceEncode="html"%> <% data: inputvalue type string. inputvalue = request->get_form_field( 'x' ). %> </html> . , ( ): <%html=...%>: HTML <%url=...%>: URL URL <%javascript=...%>: JavaScript <%css=…%> : CSS <%raw=...%> ( , , , ) BSP BSP HTMLB forceEncode <htmlb:content> ENABLED , ( ). ENABLED , , :<htmlb:content forceEncode="ENABLED|BACKWARDS_COMPATIBLE"> ENABLED: . , ; BACKWARDS_COMPATIBLE: . , . , htmlb:content , . : CLASSIC, DESIGN2002, DESIGN2003, DESIGN2008, , (+). CLASSIC DESIGN2002 (, ) . <htmlb:content forceEncode="ENABLED" design="DESIGN2003+DESIGN2008"> , design=CLASSIC. . Mixed BSP- HTML HTMLB forceEncode BSP page forceEncode HTMLB . , – HTMLB. , , HTML BSP, Internet Transaction Server (ITS) HTML Business Internet Transaction Server (ITS) HTML Business, : xss_url_escape() xss_html_escape() xss_wml_escape() xss_css_escape() xss_js_escape() HTML Business , HTML-: , (`) , : ~auto_html_escaping=1: , ~new_xss_functions=1: XSS. ~html_escaping_off=1/0, . , , SAP_BASIS: ITS ( <= 6.40), Internet Service SE80. ITS ( >= 6.40), GUI SICF : 7.20, ~new_xss_functions, XSS- . , , , . ~html_escaping_off=”X”, . , . SAP Security Note 1488500. Business HTML (BHTML) HTMLBusiness Template Library (, SAP_TemplateNonEditableField()) . , . SAP Security Note 916255. , . , . , XSS-: http/security_session_timeout = 900; - , . icf/set_HTTPonly_flag_on_cookies = 0; HttpOnly , - , , . HTTPOnly, Logon tickets XSS-. , RZ10, ( Profile) (, DEFAULT.PFL, SAP-). , , , Extended maintenance . , Copy. , , - , - -, : icm/HTTP/logging_0 icm/security_log , SAP NetWeaver J2EE SAP NetWeaver J2EE AS Java tc_sec_csi.jar. , HTML/XML, JavaScript, CSS URL. StringUtils (com.sap.security.core.server.csi.util.StringUtils): . Securing SAP from XSS vulnerabilities escapeScriptEndTag(String pStr) - , javascript ; escapeToHTML(String input) – (. 1) escapeToJS(String input) – JS declaration ( . 5) escapeToURL(String input) – , URL ( 3). , 'disableScriptSignatures'. escapeToURL(StringBuffer sb, String input, int maxLength) - , URL ( 3). , 'disableScriptSignatures'. escapeToURL(String input, int maxLength) - , URL (. 3). , 'disableScriptSignatures'. urlEncode(String s) – URLEncoder.encode , . 1 ( ) [CASE1] Username [CASE1] 2 ( , – URL) Click here 3 ( - URL) 4 ( SCRIPT', – ) 5 ( – declaration ) XSSEncoder. - XSSEncoder ( : com.sap.security.core.server.csi.XSSEncoder). : HTML / XML out = XSSEncoder.encodeHTML( in ) and XSSEncoder.encodeXML( val ); JavaScript out = XSSEncoder.encodeJavaScript( val ); URL out = XSSEncoder.encodeURL( val ); CSS out = XSSEncoder.encodeCSS( val ); , . SAP Security Note 1590008. WebDynpro Java WebDynpro Java, XSS. . SAP UI Development Kit for HTML5 SAP UI Development Kit HTML5, jQuery /_core/src/main/js/jquery.sap.encoder.js. : HTML / XML jQuery.sap.encodeHTML(sValue) and jQuery.sap.encodeXML(sValue) JavaScript jQuery.sap.encodeJS(sValue) URL jQuery.sap.encodeURL(sValue) CSS jQuery.sap.encodeCSS(sValue) : , : Global_app_config/session_config/sessionTimeout = 900. - , . SystemCookiesDataProtection = true. HttpOnly , - , , . HTTPOnly, Logon tickets XSS-. ume.logon.httponlycookie= True. Logon tickets , Single Sign-On J2EE Engine. “True” , HTTP document.cookie ( XSS-) . SessionIPProtectionEnabled = True. , IP . True, HTTP- IP. IP, . , , - XSS-, - -, . LogCLF = TRUE http.properties logging CEF. ArchiveOldLogFiles = ON. Log Configurator . . , . , . . HttpTrace= Enable. HTTP- , ConfigTool. HTTP Provider Service, , HttpTrace. SAP HANA XS , XSS- – SAP HANA. SAP HANA SAPUI5. - SAPUI5 , . , int int, sap.ui.core . – , HTML: , : sessiontimeout = 900. - , . HttpOnly . , , - XSS-, - -, . HTTP (S) , SAP HANA, -. - HTTP (S) , icm/http/logging _ 0: global _ auditing _ state = true. global.ini, . , , XSS-. SAP HANA Administration Console –> Security HDB –> Auditing Status menu. - , XSS. , , - SAP . XSS- – SAP. SAP XSS-. XSS SAP. , ( chipik ) . Logging additional information ABAP protection SAP Encoding Functions for AS ABAP Java protection SAP Encoding Functions for AS Java and JavaScript Prevention of Cross-site Scripting SAP HANA protection Protecting SAP® Applications Based on Java and ABAP™ Against Common Attacks
<%@page language="abap" forceEncode="html"%> <% data: inputvalue type string. inputvalue = request->get_form_field( 'x' ). %> </html> . , ( ): <%html=...%>: HTML <%url=...%>: URL URL <%javascript=...%>: JavaScript <%css=…%> : CSS <%raw=...%> ( , , , ) BSP BSP HTMLB forceEncode <htmlb:content> ENABLED , ( ). ENABLED , , :<htmlb:content forceEncode="ENABLED|BACKWARDS_COMPATIBLE"> ENABLED: . , ; BACKWARDS_COMPATIBLE: . , . , htmlb:content , . : CLASSIC, DESIGN2002, DESIGN2003, DESIGN2008, , (+). CLASSIC DESIGN2002 (, ) . <htmlb:content forceEncode="ENABLED" design="DESIGN2003+DESIGN2008"> , design=CLASSIC. . Mixed BSP- HTML HTMLB forceEncode BSP page forceEncode HTMLB . , – HTMLB. , , HTML BSP, Internet Transaction Server (ITS) HTML Business Internet Transaction Server (ITS) HTML Business, : xss_url_escape() xss_html_escape() xss_wml_escape() xss_css_escape() xss_js_escape() HTML Business , HTML-: , (`) , : ~auto_html_escaping=1: , ~new_xss_functions=1: XSS. ~html_escaping_off=1/0, . , , SAP_BASIS: ITS ( <= 6.40), Internet Service SE80. ITS ( >= 6.40), GUI SICF : 7.20, ~new_xss_functions, XSS- . , , , . ~html_escaping_off=”X”, . , . SAP Security Note 1488500. Business HTML (BHTML) HTMLBusiness Template Library (, SAP_TemplateNonEditableField()) . , . SAP Security Note 916255. , . , . , XSS-: http/security_session_timeout = 900; - , . icf/set_HTTPonly_flag_on_cookies = 0; HttpOnly , - , , . HTTPOnly, Logon tickets XSS-. , RZ10, ( Profile) (, DEFAULT.PFL, SAP-). , , , Extended maintenance . , Copy. , , - , - -, : icm/HTTP/logging_0 icm/security_log , SAP NetWeaver J2EE SAP NetWeaver J2EE AS Java tc_sec_csi.jar. , HTML/XML, JavaScript, CSS URL. StringUtils (com.sap.security.core.server.csi.util.StringUtils): . Securing SAP from XSS vulnerabilities escapeScriptEndTag(String pStr) - , javascript ; escapeToHTML(String input) – (. 1) escapeToJS(String input) – JS declaration ( . 5) escapeToURL(String input) – , URL ( 3). , 'disableScriptSignatures'. escapeToURL(StringBuffer sb, String input, int maxLength) - , URL ( 3). , 'disableScriptSignatures'. escapeToURL(String input, int maxLength) - , URL (. 3). , 'disableScriptSignatures'. urlEncode(String s) – URLEncoder.encode , . 1 ( ) [CASE1] Username [CASE1] 2 ( , – URL) Click here 3 ( - URL) 4 ( SCRIPT', – ) 5 ( – declaration ) XSSEncoder. - XSSEncoder ( : com.sap.security.core.server.csi.XSSEncoder). : HTML / XML out = XSSEncoder.encodeHTML( in ) and XSSEncoder.encodeXML( val ); JavaScript out = XSSEncoder.encodeJavaScript( val ); URL out = XSSEncoder.encodeURL( val ); CSS out = XSSEncoder.encodeCSS( val ); , . SAP Security Note 1590008. WebDynpro Java WebDynpro Java, XSS. . SAP UI Development Kit for HTML5 SAP UI Development Kit HTML5, jQuery /_core/src/main/js/jquery.sap.encoder.js. : HTML / XML jQuery.sap.encodeHTML(sValue) and jQuery.sap.encodeXML(sValue) JavaScript jQuery.sap.encodeJS(sValue) URL jQuery.sap.encodeURL(sValue) CSS jQuery.sap.encodeCSS(sValue) : , : Global_app_config/session_config/sessionTimeout = 900. - , . SystemCookiesDataProtection = true. HttpOnly , - , , . HTTPOnly, Logon tickets XSS-. ume.logon.httponlycookie= True. Logon tickets , Single Sign-On J2EE Engine. “True” , HTTP document.cookie ( XSS-) . SessionIPProtectionEnabled = True. , IP . True, HTTP- IP. IP, . , , - XSS-, - -, . LogCLF = TRUE http.properties logging CEF. ArchiveOldLogFiles = ON. Log Configurator . . , . , . . HttpTrace= Enable. HTTP- , ConfigTool. HTTP Provider Service, , HttpTrace. SAP HANA XS , XSS- – SAP HANA. SAP HANA SAPUI5. - SAPUI5 , . , int int, sap.ui.core . – , HTML: , : sessiontimeout = 900. - , . HttpOnly . , , - XSS-, - -, . HTTP (S) , SAP HANA, -. - HTTP (S) , icm/http/logging _ 0: global _ auditing _ state = true. global.ini, . , , XSS-. SAP HANA Administration Console –> Security HDB –> Auditing Status menu. - , XSS. , , - SAP . XSS- – SAP. SAP XSS-. XSS SAP. , ( chipik ) . Logging additional information ABAP protection SAP Encoding Functions for AS ABAP Java protection SAP Encoding Functions for AS Java and JavaScript Prevention of Cross-site Scripting SAP HANA protection Protecting SAP® Applications Based on Java and ABAP™ Against Common Attacks
<%@page language="abap" forceEncode="html"%> <% data: inputvalue type string. inputvalue = request->get_form_field( 'x' ). %> </html> . , ( ): <%html=...%>: HTML <%url=...%>: URL URL <%javascript=...%>: JavaScript <%css=…%> : CSS <%raw=...%> ( , , , ) BSP BSP HTMLB forceEncode <htmlb:content> ENABLED , ( ). ENABLED , , :<htmlb:content forceEncode="ENABLED|BACKWARDS_COMPATIBLE"> ENABLED: . , ; BACKWARDS_COMPATIBLE: . , . , htmlb:content , . : CLASSIC, DESIGN2002, DESIGN2003, DESIGN2008, , (+). CLASSIC DESIGN2002 (, ) . <htmlb:content forceEncode="ENABLED" design="DESIGN2003+DESIGN2008"> , design=CLASSIC. . Mixed BSP- HTML HTMLB forceEncode BSP page forceEncode HTMLB . , – HTMLB. , , HTML BSP, Internet Transaction Server (ITS) HTML Business Internet Transaction Server (ITS) HTML Business, : xss_url_escape() xss_html_escape() xss_wml_escape() xss_css_escape() xss_js_escape() HTML Business , HTML-: , (`) , : ~auto_html_escaping=1: , ~new_xss_functions=1: XSS. ~html_escaping_off=1/0, . , , SAP_BASIS: ITS ( <= 6.40), Internet Service SE80. ITS ( >= 6.40), GUI SICF : 7.20, ~new_xss_functions, XSS- . , , , . ~html_escaping_off=”X”, . , . SAP Security Note 1488500. Business HTML (BHTML) HTMLBusiness Template Library (, SAP_TemplateNonEditableField()) . , . SAP Security Note 916255. , . , . , XSS-: http/security_session_timeout = 900; - , . icf/set_HTTPonly_flag_on_cookies = 0; HttpOnly , - , , . HTTPOnly, Logon tickets XSS-. , RZ10, ( Profile) (, DEFAULT.PFL, SAP-). , , , Extended maintenance . , Copy. , , - , - -, : icm/HTTP/logging_0 icm/security_log , SAP NetWeaver J2EE SAP NetWeaver J2EE AS Java tc_sec_csi.jar. , HTML/XML, JavaScript, CSS URL. StringUtils (com.sap.security.core.server.csi.util.StringUtils): . Securing SAP from XSS vulnerabilities escapeScriptEndTag(String pStr) - , javascript ; escapeToHTML(String input) – (. 1) escapeToJS(String input) – JS declaration ( . 5) escapeToURL(String input) – , URL ( 3). , 'disableScriptSignatures'. escapeToURL(StringBuffer sb, String input, int maxLength) - , URL ( 3). , 'disableScriptSignatures'. escapeToURL(String input, int maxLength) - , URL (. 3). , 'disableScriptSignatures'. urlEncode(String s) – URLEncoder.encode , . 1 ( ) [CASE1] Username [CASE1] 2 ( , – URL) Click here 3 ( - URL) 4 ( SCRIPT', – ) 5 ( – declaration ) XSSEncoder. - XSSEncoder ( : com.sap.security.core.server.csi.XSSEncoder). : HTML / XML out = XSSEncoder.encodeHTML( in ) and XSSEncoder.encodeXML( val ); JavaScript out = XSSEncoder.encodeJavaScript( val ); URL out = XSSEncoder.encodeURL( val ); CSS out = XSSEncoder.encodeCSS( val ); , . SAP Security Note 1590008. WebDynpro Java WebDynpro Java, XSS. . SAP UI Development Kit for HTML5 SAP UI Development Kit HTML5, jQuery /_core/src/main/js/jquery.sap.encoder.js. : HTML / XML jQuery.sap.encodeHTML(sValue) and jQuery.sap.encodeXML(sValue) JavaScript jQuery.sap.encodeJS(sValue) URL jQuery.sap.encodeURL(sValue) CSS jQuery.sap.encodeCSS(sValue) : , : Global_app_config/session_config/sessionTimeout = 900. - , . SystemCookiesDataProtection = true. HttpOnly , - , , . HTTPOnly, Logon tickets XSS-. ume.logon.httponlycookie= True. Logon tickets , Single Sign-On J2EE Engine. “True” , HTTP document.cookie ( XSS-) . SessionIPProtectionEnabled = True. , IP . True, HTTP- IP. IP, . , , - XSS-, - -, . LogCLF = TRUE http.properties logging CEF. ArchiveOldLogFiles = ON. Log Configurator . . , . , . . HttpTrace= Enable. HTTP- , ConfigTool. HTTP Provider Service, , HttpTrace. SAP HANA XS , XSS- – SAP HANA. SAP HANA SAPUI5. - SAPUI5 , . , int int, sap.ui.core . – , HTML: , : sessiontimeout = 900. - , . HttpOnly . , , - XSS-, - -, . HTTP (S) , SAP HANA, -. - HTTP (S) , icm/http/logging _ 0: global _ auditing _ state = true. global.ini, . , , XSS-. SAP HANA Administration Console –> Security HDB –> Auditing Status menu. - , XSS. , , - SAP . XSS- – SAP. SAP XSS-. XSS SAP. , ( chipik ) . Logging additional information ABAP protection SAP Encoding Functions for AS ABAP Java protection SAP Encoding Functions for AS Java and JavaScript Prevention of Cross-site Scripting SAP HANA protection Protecting SAP® Applications Based on Java and ABAP™ Against Common Attacks
<%@page language="abap" forceEncode="html"%> <% data: inputvalue type string. inputvalue = request->get_form_field( 'x' ). %> </html> . , ( ): <%html=...%>: HTML <%url=...%>: URL URL <%javascript=...%>: JavaScript <%css=…%> : CSS <%raw=...%> ( , , , ) BSP BSP HTMLB forceEncode <htmlb:content> ENABLED , ( ). ENABLED , , :<htmlb:content forceEncode="ENABLED|BACKWARDS_COMPATIBLE"> ENABLED: . , ; BACKWARDS_COMPATIBLE: . , . , htmlb:content , . : CLASSIC, DESIGN2002, DESIGN2003, DESIGN2008, , (+). CLASSIC DESIGN2002 (, ) . <htmlb:content forceEncode="ENABLED" design="DESIGN2003+DESIGN2008"> , design=CLASSIC. . Mixed BSP- HTML HTMLB forceEncode BSP page forceEncode HTMLB . , – HTMLB. , , HTML BSP, Internet Transaction Server (ITS) HTML Business Internet Transaction Server (ITS) HTML Business, : xss_url_escape() xss_html_escape() xss_wml_escape() xss_css_escape() xss_js_escape() HTML Business , HTML-: , (`) , : ~auto_html_escaping=1: , ~new_xss_functions=1: XSS. ~html_escaping_off=1/0, . , , SAP_BASIS: ITS ( <= 6.40), Internet Service SE80. ITS ( >= 6.40), GUI SICF : 7.20, ~new_xss_functions, XSS- . , , , . ~html_escaping_off=”X”, . , . SAP Security Note 1488500. Business HTML (BHTML) HTMLBusiness Template Library (, SAP_TemplateNonEditableField()) . , . SAP Security Note 916255. , . , . , XSS-: http/security_session_timeout = 900; - , . icf/set_HTTPonly_flag_on_cookies = 0; HttpOnly , - , , . HTTPOnly, Logon tickets XSS-. , RZ10, ( Profile) (, DEFAULT.PFL, SAP-). , , , Extended maintenance . , Copy. , , - , - -, : icm/HTTP/logging_0 icm/security_log , SAP NetWeaver J2EE SAP NetWeaver J2EE AS Java tc_sec_csi.jar. , HTML/XML, JavaScript, CSS URL. StringUtils (com.sap.security.core.server.csi.util.StringUtils): . Securing SAP from XSS vulnerabilities escapeScriptEndTag(String pStr) - , javascript ; escapeToHTML(String input) – (. 1) escapeToJS(String input) – JS declaration ( . 5) escapeToURL(String input) – , URL ( 3). , 'disableScriptSignatures'. escapeToURL(StringBuffer sb, String input, int maxLength) - , URL ( 3). , 'disableScriptSignatures'. escapeToURL(String input, int maxLength) - , URL (. 3). , 'disableScriptSignatures'. urlEncode(String s) – URLEncoder.encode , . 1 ( ) [CASE1] Username [CASE1] 2 ( , – URL) Click here 3 ( - URL) 4 ( SCRIPT', – ) 5 ( – declaration ) XSSEncoder. - XSSEncoder ( : com.sap.security.core.server.csi.XSSEncoder). : HTML / XML out = XSSEncoder.encodeHTML( in ) and XSSEncoder.encodeXML( val ); JavaScript out = XSSEncoder.encodeJavaScript( val ); URL out = XSSEncoder.encodeURL( val ); CSS out = XSSEncoder.encodeCSS( val ); , . SAP Security Note 1590008. WebDynpro Java WebDynpro Java, XSS. . SAP UI Development Kit for HTML5 SAP UI Development Kit HTML5, jQuery /_core/src/main/js/jquery.sap.encoder.js. : HTML / XML jQuery.sap.encodeHTML(sValue) and jQuery.sap.encodeXML(sValue) JavaScript jQuery.sap.encodeJS(sValue) URL jQuery.sap.encodeURL(sValue) CSS jQuery.sap.encodeCSS(sValue) : , : Global_app_config/session_config/sessionTimeout = 900. - , . SystemCookiesDataProtection = true. HttpOnly , - , , . HTTPOnly, Logon tickets XSS-. ume.logon.httponlycookie= True. Logon tickets , Single Sign-On J2EE Engine. “True” , HTTP document.cookie ( XSS-) . SessionIPProtectionEnabled = True. , IP . True, HTTP- IP. IP, . , , - XSS-, - -, . LogCLF = TRUE http.properties logging CEF. ArchiveOldLogFiles = ON. Log Configurator . . , . , . . HttpTrace= Enable. HTTP- , ConfigTool. HTTP Provider Service, , HttpTrace. SAP HANA XS , XSS- – SAP HANA. SAP HANA SAPUI5. - SAPUI5 , . , int int, sap.ui.core . – , HTML: , : sessiontimeout = 900. - , . HttpOnly . , , - XSS-, - -, . HTTP (S) , SAP HANA, -. - HTTP (S) , icm/http/logging _ 0: global _ auditing _ state = true. global.ini, . , , XSS-. SAP HANA Administration Console –> Security HDB –> Auditing Status menu. - , XSS. , , - SAP . XSS- – SAP. SAP XSS-. XSS SAP. , ( chipik ) . Logging additional information ABAP protection SAP Encoding Functions for AS ABAP Java protection SAP Encoding Functions for AS Java and JavaScript Prevention of Cross-site Scripting SAP HANA protection Protecting SAP® Applications Based on Java and ABAP™ Against Common Attacks
<%@page language="abap" forceEncode="html"%> <% data: inputvalue type string. inputvalue = request->get_form_field( 'x' ). %> </html> . , ( ): <%html=...%>: HTML <%url=...%>: URL URL <%javascript=...%>: JavaScript <%css=…%> : CSS <%raw=...%> ( , , , ) BSP BSP HTMLB forceEncode <htmlb:content> ENABLED , ( ). ENABLED , , :<htmlb:content forceEncode="ENABLED|BACKWARDS_COMPATIBLE"> ENABLED: . , ; BACKWARDS_COMPATIBLE: . , . , htmlb:content , . : CLASSIC, DESIGN2002, DESIGN2003, DESIGN2008, , (+). CLASSIC DESIGN2002 (, ) . <htmlb:content forceEncode="ENABLED" design="DESIGN2003+DESIGN2008"> , design=CLASSIC. . Mixed BSP- HTML HTMLB forceEncode BSP page forceEncode HTMLB . , – HTMLB. , , HTML BSP, Internet Transaction Server (ITS) HTML Business Internet Transaction Server (ITS) HTML Business, : xss_url_escape() xss_html_escape() xss_wml_escape() xss_css_escape() xss_js_escape() HTML Business , HTML-: , (`) , : ~auto_html_escaping=1: , ~new_xss_functions=1: XSS. ~html_escaping_off=1/0, . , , SAP_BASIS: ITS ( <= 6.40), Internet Service SE80. ITS ( >= 6.40), GUI SICF : 7.20, ~new_xss_functions, XSS- . , , , . ~html_escaping_off=”X”, . , . SAP Security Note 1488500. Business HTML (BHTML) HTMLBusiness Template Library (, SAP_TemplateNonEditableField()) . , . SAP Security Note 916255. , . , . , XSS-: http/security_session_timeout = 900; - , . icf/set_HTTPonly_flag_on_cookies = 0; HttpOnly , - , , . HTTPOnly, Logon tickets XSS-. , RZ10, ( Profile) (, DEFAULT.PFL, SAP-). , , , Extended maintenance . , Copy. , , - , - -, : icm/HTTP/logging_0 icm/security_log , SAP NetWeaver J2EE SAP NetWeaver J2EE AS Java tc_sec_csi.jar. , HTML/XML, JavaScript, CSS URL. StringUtils (com.sap.security.core.server.csi.util.StringUtils): . Securing SAP from XSS vulnerabilities escapeScriptEndTag(String pStr) - , javascript ; escapeToHTML(String input) – (. 1) escapeToJS(String input) – JS declaration ( . 5) escapeToURL(String input) – , URL ( 3). , 'disableScriptSignatures'. escapeToURL(StringBuffer sb, String input, int maxLength) - , URL ( 3). , 'disableScriptSignatures'. escapeToURL(String input, int maxLength) - , URL (. 3). , 'disableScriptSignatures'. urlEncode(String s) – URLEncoder.encode , . 1 ( ) [CASE1] Username [CASE1] 2 ( , – URL) Click here 3 ( - URL) 4 ( SCRIPT', – ) 5 ( – declaration ) XSSEncoder. - XSSEncoder ( : com.sap.security.core.server.csi.XSSEncoder). : HTML / XML out = XSSEncoder.encodeHTML( in ) and XSSEncoder.encodeXML( val ); JavaScript out = XSSEncoder.encodeJavaScript( val ); URL out = XSSEncoder.encodeURL( val ); CSS out = XSSEncoder.encodeCSS( val ); , . SAP Security Note 1590008. WebDynpro Java WebDynpro Java, XSS. . SAP UI Development Kit for HTML5 SAP UI Development Kit HTML5, jQuery /_core/src/main/js/jquery.sap.encoder.js. : HTML / XML jQuery.sap.encodeHTML(sValue) and jQuery.sap.encodeXML(sValue) JavaScript jQuery.sap.encodeJS(sValue) URL jQuery.sap.encodeURL(sValue) CSS jQuery.sap.encodeCSS(sValue) : , : Global_app_config/session_config/sessionTimeout = 900. - , . SystemCookiesDataProtection = true. HttpOnly , - , , . HTTPOnly, Logon tickets XSS-. ume.logon.httponlycookie= True. Logon tickets , Single Sign-On J2EE Engine. “True” , HTTP document.cookie ( XSS-) . SessionIPProtectionEnabled = True. , IP . True, HTTP- IP. IP, . , , - XSS-, - -, . LogCLF = TRUE http.properties logging CEF. ArchiveOldLogFiles = ON. Log Configurator . . , . , . . HttpTrace= Enable. HTTP- , ConfigTool. HTTP Provider Service, , HttpTrace. SAP HANA XS , XSS- – SAP HANA. SAP HANA SAPUI5. - SAPUI5 , . , int int, sap.ui.core . – , HTML: , : sessiontimeout = 900. - , . HttpOnly . , , - XSS-, - -, . HTTP (S) , SAP HANA, -. - HTTP (S) , icm/http/logging _ 0: global _ auditing _ state = true. global.ini, . , , XSS-. SAP HANA Administration Console –> Security HDB –> Auditing Status menu. - , XSS. , , - SAP . XSS- – SAP. SAP XSS-. XSS SAP. , ( chipik ) . Logging additional information ABAP protection SAP Encoding Functions for AS ABAP Java protection SAP Encoding Functions for AS Java and JavaScript Prevention of Cross-site Scripting SAP HANA protection Protecting SAP® Applications Based on Java and ABAP™ Against Common Attacks
<%@page language="abap" forceEncode="html"%> <% data: inputvalue type string. inputvalue = request->get_form_field( 'x' ). %> </html> . , ( ): <%html=...%>: HTML <%url=...%>: URL URL <%javascript=...%>: JavaScript <%css=…%> : CSS <%raw=...%> ( , , , ) BSP BSP HTMLB forceEncode <htmlb:content> ENABLED , ( ). ENABLED , , :<htmlb:content forceEncode="ENABLED|BACKWARDS_COMPATIBLE"> ENABLED: . , ; BACKWARDS_COMPATIBLE: . , . , htmlb:content , . : CLASSIC, DESIGN2002, DESIGN2003, DESIGN2008, , (+). CLASSIC DESIGN2002 (, ) . <htmlb:content forceEncode="ENABLED" design="DESIGN2003+DESIGN2008"> , design=CLASSIC. . Mixed BSP- HTML HTMLB forceEncode BSP page forceEncode HTMLB . , – HTMLB. , , HTML BSP, Internet Transaction Server (ITS) HTML Business Internet Transaction Server (ITS) HTML Business, : xss_url_escape() xss_html_escape() xss_wml_escape() xss_css_escape() xss_js_escape() HTML Business , HTML-: , (`) , : ~auto_html_escaping=1: , ~new_xss_functions=1: XSS. ~html_escaping_off=1/0, . , , SAP_BASIS: ITS ( <= 6.40), Internet Service SE80. ITS ( >= 6.40), GUI SICF : 7.20, ~new_xss_functions, XSS- . , , , . ~html_escaping_off=”X”, . , . SAP Security Note 1488500. Business HTML (BHTML) HTMLBusiness Template Library (, SAP_TemplateNonEditableField()) . , . SAP Security Note 916255. , . , . , XSS-: http/security_session_timeout = 900; - , . icf/set_HTTPonly_flag_on_cookies = 0; HttpOnly , - , , . HTTPOnly, Logon tickets XSS-. , RZ10, ( Profile) (, DEFAULT.PFL, SAP-). , , , Extended maintenance . , Copy. , , - , - -, : icm/HTTP/logging_0 icm/security_log , SAP NetWeaver J2EE SAP NetWeaver J2EE AS Java tc_sec_csi.jar. , HTML/XML, JavaScript, CSS URL. StringUtils (com.sap.security.core.server.csi.util.StringUtils): . Securing SAP from XSS vulnerabilities escapeScriptEndTag(String pStr) - , javascript ; escapeToHTML(String input) – (. 1) escapeToJS(String input) – JS declaration ( . 5) escapeToURL(String input) – , URL ( 3). , 'disableScriptSignatures'. escapeToURL(StringBuffer sb, String input, int maxLength) - , URL ( 3). , 'disableScriptSignatures'. escapeToURL(String input, int maxLength) - , URL (. 3). , 'disableScriptSignatures'. urlEncode(String s) – URLEncoder.encode , . 1 ( ) [CASE1] Username [CASE1] 2 ( , – URL) Click here 3 ( - URL) 4 ( SCRIPT', – ) 5 ( – declaration ) XSSEncoder. - XSSEncoder ( : com.sap.security.core.server.csi.XSSEncoder). : HTML / XML out = XSSEncoder.encodeHTML( in ) and XSSEncoder.encodeXML( val ); JavaScript out = XSSEncoder.encodeJavaScript( val ); URL out = XSSEncoder.encodeURL( val ); CSS out = XSSEncoder.encodeCSS( val ); , . SAP Security Note 1590008. WebDynpro Java WebDynpro Java, XSS. . SAP UI Development Kit for HTML5 SAP UI Development Kit HTML5, jQuery /_core/src/main/js/jquery.sap.encoder.js. : HTML / XML jQuery.sap.encodeHTML(sValue) and jQuery.sap.encodeXML(sValue) JavaScript jQuery.sap.encodeJS(sValue) URL jQuery.sap.encodeURL(sValue) CSS jQuery.sap.encodeCSS(sValue) : , : Global_app_config/session_config/sessionTimeout = 900. - , . SystemCookiesDataProtection = true. HttpOnly , - , , . HTTPOnly, Logon tickets XSS-. ume.logon.httponlycookie= True. Logon tickets , Single Sign-On J2EE Engine. “True” , HTTP document.cookie ( XSS-) . SessionIPProtectionEnabled = True. , IP . True, HTTP- IP. IP, . , , - XSS-, - -, . LogCLF = TRUE http.properties logging CEF. ArchiveOldLogFiles = ON. Log Configurator . . , . , . . HttpTrace= Enable. HTTP- , ConfigTool. HTTP Provider Service, , HttpTrace. SAP HANA XS , XSS- – SAP HANA. SAP HANA SAPUI5. - SAPUI5 , . , int int, sap.ui.core . – , HTML: , : sessiontimeout = 900. - , . HttpOnly . , , - XSS-, - -, . HTTP (S) , SAP HANA, -. - HTTP (S) , icm/http/logging _ 0: global _ auditing _ state = true. global.ini, . , , XSS-. SAP HANA Administration Console –> Security HDB –> Auditing Status menu. - , XSS. , , - SAP . XSS- – SAP. SAP XSS-. XSS SAP. , ( chipik ) . Logging additional information ABAP protection SAP Encoding Functions for AS ABAP Java protection SAP Encoding Functions for AS Java and JavaScript Prevention of Cross-site Scripting SAP HANA protection Protecting SAP® Applications Based on Java and ABAP™ Against Common Attacks
<%@page language="abap" forceEncode="html"%> <% data: inputvalue type string. inputvalue = request->get_form_field( 'x' ). %> </html> . , ( ): <%html=...%>: HTML <%url=...%>: URL URL <%javascript=...%>: JavaScript <%css=…%> : CSS <%raw=...%> ( , , , ) BSP BSP HTMLB forceEncode <htmlb:content> ENABLED , ( ). ENABLED , , :<htmlb:content forceEncode="ENABLED|BACKWARDS_COMPATIBLE"> ENABLED: . , ; BACKWARDS_COMPATIBLE: . , . , htmlb:content , . : CLASSIC, DESIGN2002, DESIGN2003, DESIGN2008, , (+). CLASSIC DESIGN2002 (, ) . <htmlb:content forceEncode="ENABLED" design="DESIGN2003+DESIGN2008"> , design=CLASSIC. . Mixed BSP- HTML HTMLB forceEncode BSP page forceEncode HTMLB . , – HTMLB. , , HTML BSP, Internet Transaction Server (ITS) HTML Business Internet Transaction Server (ITS) HTML Business, : xss_url_escape() xss_html_escape() xss_wml_escape() xss_css_escape() xss_js_escape() HTML Business , HTML-: , (`) , : ~auto_html_escaping=1: , ~new_xss_functions=1: XSS. ~html_escaping_off=1/0, . , , SAP_BASIS: ITS ( <= 6.40), Internet Service SE80. ITS ( >= 6.40), GUI SICF : 7.20, ~new_xss_functions, XSS- . , , , . ~html_escaping_off=”X”, . , . SAP Security Note 1488500. Business HTML (BHTML) HTMLBusiness Template Library (, SAP_TemplateNonEditableField()) . , . SAP Security Note 916255. , . , . , XSS-: http/security_session_timeout = 900; - , . icf/set_HTTPonly_flag_on_cookies = 0; HttpOnly , - , , . HTTPOnly, Logon tickets XSS-. , RZ10, ( Profile) (, DEFAULT.PFL, SAP-). , , , Extended maintenance . , Copy. , , - , - -, : icm/HTTP/logging_0 icm/security_log , SAP NetWeaver J2EE SAP NetWeaver J2EE AS Java tc_sec_csi.jar. , HTML/XML, JavaScript, CSS URL. StringUtils (com.sap.security.core.server.csi.util.StringUtils): . Securing SAP from XSS vulnerabilities escapeScriptEndTag(String pStr) - , javascript ; escapeToHTML(String input) – (. 1) escapeToJS(String input) – JS declaration ( . 5) escapeToURL(String input) – , URL ( 3). , 'disableScriptSignatures'. escapeToURL(StringBuffer sb, String input, int maxLength) - , URL ( 3). , 'disableScriptSignatures'. escapeToURL(String input, int maxLength) - , URL (. 3). , 'disableScriptSignatures'. urlEncode(String s) – URLEncoder.encode , . 1 ( ) [CASE1] Username [CASE1] 2 ( , – URL) Click here 3 ( - URL) 4 ( SCRIPT', – ) 5 ( – declaration ) XSSEncoder. - XSSEncoder ( : com.sap.security.core.server.csi.XSSEncoder). : HTML / XML out = XSSEncoder.encodeHTML( in ) and XSSEncoder.encodeXML( val ); JavaScript out = XSSEncoder.encodeJavaScript( val ); URL out = XSSEncoder.encodeURL( val ); CSS out = XSSEncoder.encodeCSS( val ); , . SAP Security Note 1590008. WebDynpro Java WebDynpro Java, XSS. . SAP UI Development Kit for HTML5 SAP UI Development Kit HTML5, jQuery /_core/src/main/js/jquery.sap.encoder.js. : HTML / XML jQuery.sap.encodeHTML(sValue) and jQuery.sap.encodeXML(sValue) JavaScript jQuery.sap.encodeJS(sValue) URL jQuery.sap.encodeURL(sValue) CSS jQuery.sap.encodeCSS(sValue) : , : Global_app_config/session_config/sessionTimeout = 900. - , . SystemCookiesDataProtection = true. HttpOnly , - , , . HTTPOnly, Logon tickets XSS-. ume.logon.httponlycookie= True. Logon tickets , Single Sign-On J2EE Engine. “True” , HTTP document.cookie ( XSS-) . SessionIPProtectionEnabled = True. , IP . True, HTTP- IP. IP, . , , - XSS-, - -, . LogCLF = TRUE http.properties logging CEF. ArchiveOldLogFiles = ON. Log Configurator . . , . , . . HttpTrace= Enable. HTTP- , ConfigTool. HTTP Provider Service, , HttpTrace. SAP HANA XS , XSS- – SAP HANA. SAP HANA SAPUI5. - SAPUI5 , . , int int, sap.ui.core . – , HTML: , : sessiontimeout = 900. - , . HttpOnly . , , - XSS-, - -, . HTTP (S) , SAP HANA, -. - HTTP (S) , icm/http/logging _ 0: global _ auditing _ state = true. global.ini, . , , XSS-. SAP HANA Administration Console –> Security HDB –> Auditing Status menu. - , XSS. , , - SAP . XSS- – SAP. SAP XSS-. XSS SAP. , ( chipik ) . Logging additional information ABAP protection SAP Encoding Functions for AS ABAP Java protection SAP Encoding Functions for AS Java and JavaScript Prevention of Cross-site Scripting SAP HANA protection Protecting SAP® Applications Based on Java and ABAP™ Against Common Attacks

<%@page language="abap" forceEncode="html"%>
<% data: inputvalue type string.
inputvalue = request->get_form_field( 'x' ).
%>
</html>


. , ( ):

<%html=...%>: HTML <%url=...%>: URL URL <%javascript=...%>: JavaScript <%css=…%> : CSS <%raw=...%> ( , , , )

BSP

BSP HTMLB forceEncode <htmlb:content> ENABLED , ( ). ENABLED , , :<htmlb:content forceEncode="ENABLED|BACKWARDS_COMPATIBLE">

ENABLED: . , ; BACKWARDS_COMPATIBLE: . , .

, htmlb:content , . : CLASSIC, DESIGN2002, DESIGN2003, DESIGN2008, , (+). CLASSIC DESIGN2002 (, ) .

<htmlb:content forceEncode="ENABLED" design="DESIGN2003+DESIGN2008">


, design=CLASSIC. .

Mixed BSP- HTML HTMLB

forceEncode BSP page forceEncode HTMLB . , – HTMLB. , , HTML BSP,

Internet Transaction Server (ITS) HTML Business

Internet Transaction Server (ITS) HTML Business, :

xss_url_escape() xss_html_escape() xss_wml_escape() xss_css_escape() xss_js_escape()
HTML Business

, HTML-: , (`) , :
~auto_html_escaping=1: , ~new_xss_functions=1: XSS.
~html_escaping_off=1/0, .
, , SAP_BASIS:
ITS ( <= 6.40), Internet Service SE80. ITS ( >= 6.40), GUI SICF :

7.20, ~new_xss_functions, XSS- .

, , , . ~html_escaping_off=”X”, . , . SAP Security Note 1488500.

Business HTML (BHTML)

HTMLBusiness Template Library (, SAP_TemplateNonEditableField()) . , . SAP Security Note 916255.



, . , .



, XSS-:

http/security_session_timeout = 900; - , . icf/set_HTTPonly_flag_on_cookies = 0; HttpOnly , - , , . HTTPOnly, Logon tickets XSS-.

, RZ10, ( Profile) (, DEFAULT.PFL, SAP-). , , , Extended maintenance . , Copy.



, , - , - -, :
icm/HTTP/logging_0 icm/security_log ,

SAP NetWeaver J2EE

SAP NetWeaver J2EE



AS Java tc_sec_csi.jar. , HTML/XML, JavaScript, CSS URL. StringUtils (com.sap.security.core.server.csi.util.StringUtils):

. Securing SAP from XSS vulnerabilities
escapeScriptEndTag(String pStr) - , javascript ; escapeToHTML(String input) – (. 1) escapeToJS(String input) – JS declaration ( . 5) escapeToURL(String input) – , URL ( 3). , 'disableScriptSignatures'. escapeToURL(StringBuffer sb, String input, int maxLength) - , URL ( 3). , 'disableScriptSignatures'. escapeToURL(String input, int maxLength) - , URL (. 3). , 'disableScriptSignatures'. urlEncode(String s) – URLEncoder.encode

, .

1 ( )

[CASE1]

Username [CASE1]



2 ( , – URL)


Click here


3 ( - URL)




4 ( SCRIPT', – )



5 ( – declaration )



XSSEncoder.
- XSSEncoder ( : com.sap.security.core.server.csi.XSSEncoder).

:
HTML / XML out = XSSEncoder.encodeHTML( in ) and XSSEncoder.encodeXML( val ); JavaScript out = XSSEncoder.encodeJavaScript( val ); URL out = XSSEncoder.encodeURL( val ); CSS out = XSSEncoder.encodeCSS( val );

, . SAP Security Note 1590008.
WebDynpro Java
WebDynpro Java, XSS. .
SAP UI Development Kit for HTML5
SAP UI Development Kit HTML5, jQuery /_core/src/main/js/jquery.sap.encoder.js.
:
HTML / XML jQuery.sap.encodeHTML(sValue) and jQuery.sap.encodeXML(sValue) JavaScript jQuery.sap.encodeJS(sValue) URL jQuery.sap.encodeURL(sValue) CSS jQuery.sap.encodeCSS(sValue)
:

, :
Global_app_config/session_config/sessionTimeout = 900. - , . SystemCookiesDataProtection = true. HttpOnly , - , , . HTTPOnly, Logon tickets XSS-. ume.logon.httponlycookie= True. Logon tickets , Single Sign-On J2EE Engine. “True” , HTTP document.cookie ( XSS-) . SessionIPProtectionEnabled = True. , IP . True, HTTP- IP. IP, .


, , - XSS-, - -, .
LogCLF = TRUE http.properties logging CEF. ArchiveOldLogFiles = ON. Log Configurator . . , . , . . HttpTrace= Enable. HTTP- , ConfigTool. HTTP Provider Service, , HttpTrace.
SAP HANA XS

, XSS- – SAP HANA.


SAP HANA SAPUI5.
- SAPUI5 , . , int int, sap.ui.core . – , HTML:

, :
sessiontimeout = 900. - , . HttpOnly .



, , - XSS-, - -, .

HTTP (S) , SAP HANA, -. - HTTP (S) , icm/http/logging _ 0: global _ auditing _ state = true. global.ini, . , , XSS-. SAP HANA Administration Console –> Security HDB –> Auditing Status menu.



- , XSS. , , - SAP . XSS- – SAP. SAP XSS-. XSS SAP.

, ( chipik ) .


Logging additional information ABAP protection SAP Encoding Functions for AS ABAP Java protection SAP Encoding Functions for AS Java and JavaScript Prevention of Cross-site Scripting SAP HANA protection Protecting SAP® Applications Based on Java and ABAP™ Against Common Attacks

<%@page language="abap" forceEncode="html"%> <% data: inputvalue type string. inputvalue = request->get_form_field( 'x' ). %> </html> . , ( ): <%html=...%>: HTML <%url=...%>: URL URL <%javascript=...%>: JavaScript <%css=…%> : CSS <%raw=...%> ( , , , ) BSP BSP HTMLB forceEncode <htmlb:content> ENABLED , ( ). ENABLED , , :<htmlb:content forceEncode="ENABLED|BACKWARDS_COMPATIBLE"> ENABLED: . , ; BACKWARDS_COMPATIBLE: . , . , htmlb:content , . : CLASSIC, DESIGN2002, DESIGN2003, DESIGN2008, , (+). CLASSIC DESIGN2002 (, ) . <htmlb:content forceEncode="ENABLED" design="DESIGN2003+DESIGN2008"> , design=CLASSIC. . Mixed BSP- HTML HTMLB forceEncode BSP page forceEncode HTMLB . , – HTMLB. , , HTML BSP, Internet Transaction Server (ITS) HTML Business Internet Transaction Server (ITS) HTML Business, : xss_url_escape() xss_html_escape() xss_wml_escape() xss_css_escape() xss_js_escape() HTML Business , HTML-: , (`) , : ~auto_html_escaping=1: , ~new_xss_functions=1: XSS. ~html_escaping_off=1/0, . , , SAP_BASIS: ITS ( <= 6.40), Internet Service SE80. ITS ( >= 6.40), GUI SICF : 7.20, ~new_xss_functions, XSS- . , , , . ~html_escaping_off=”X”, . , . SAP Security Note 1488500. Business HTML (BHTML) HTMLBusiness Template Library (, SAP_TemplateNonEditableField()) . , . SAP Security Note 916255. , . , . , XSS-: http/security_session_timeout = 900; - , . icf/set_HTTPonly_flag_on_cookies = 0; HttpOnly , - , , . HTTPOnly, Logon tickets XSS-. , RZ10, ( Profile) (, DEFAULT.PFL, SAP-). , , , Extended maintenance . , Copy. , , - , - -, : icm/HTTP/logging_0 icm/security_log , SAP NetWeaver J2EE SAP NetWeaver J2EE AS Java tc_sec_csi.jar. , HTML/XML, JavaScript, CSS URL. StringUtils (com.sap.security.core.server.csi.util.StringUtils): . Securing SAP from XSS vulnerabilities escapeScriptEndTag(String pStr) - , javascript ; escapeToHTML(String input) – (. 1) escapeToJS(String input) – JS declaration ( . 5) escapeToURL(String input) – , URL ( 3). , 'disableScriptSignatures'. escapeToURL(StringBuffer sb, String input, int maxLength) - , URL ( 3). , 'disableScriptSignatures'. escapeToURL(String input, int maxLength) - , URL (. 3). , 'disableScriptSignatures'. urlEncode(String s) – URLEncoder.encode , . 1 ( ) [CASE1] Username [CASE1] 2 ( , – URL) Click here 3 ( - URL) 4 ( SCRIPT', – ) 5 ( – declaration ) XSSEncoder. - XSSEncoder ( : com.sap.security.core.server.csi.XSSEncoder). : HTML / XML out = XSSEncoder.encodeHTML( in ) and XSSEncoder.encodeXML( val ); JavaScript out = XSSEncoder.encodeJavaScript( val ); URL out = XSSEncoder.encodeURL( val ); CSS out = XSSEncoder.encodeCSS( val ); , . SAP Security Note 1590008. WebDynpro Java WebDynpro Java, XSS. . SAP UI Development Kit for HTML5 SAP UI Development Kit HTML5, jQuery /_core/src/main/js/jquery.sap.encoder.js. : HTML / XML jQuery.sap.encodeHTML(sValue) and jQuery.sap.encodeXML(sValue) JavaScript jQuery.sap.encodeJS(sValue) URL jQuery.sap.encodeURL(sValue) CSS jQuery.sap.encodeCSS(sValue) : , : Global_app_config/session_config/sessionTimeout = 900. - , . SystemCookiesDataProtection = true. HttpOnly , - , , . HTTPOnly, Logon tickets XSS-. ume.logon.httponlycookie= True. Logon tickets , Single Sign-On J2EE Engine. “True” , HTTP document.cookie ( XSS-) . SessionIPProtectionEnabled = True. , IP . True, HTTP- IP. IP, . , , - XSS-, - -, . LogCLF = TRUE http.properties logging CEF. ArchiveOldLogFiles = ON. Log Configurator . . , . , . . HttpTrace= Enable. HTTP- , ConfigTool. HTTP Provider Service, , HttpTrace. SAP HANA XS , XSS- – SAP HANA. SAP HANA SAPUI5. - SAPUI5 , . , int int, sap.ui.core . – , HTML: , : sessiontimeout = 900. - , . HttpOnly . , , - XSS-, - -, . HTTP (S) , SAP HANA, -. - HTTP (S) , icm/http/logging _ 0: global _ auditing _ state = true. global.ini, . , , XSS-. SAP HANA Administration Console –> Security HDB –> Auditing Status menu. - , XSS. , , - SAP . XSS- – SAP. SAP XSS-. XSS SAP. , ( chipik ) . Logging additional information ABAP protection SAP Encoding Functions for AS ABAP Java protection SAP Encoding Functions for AS Java and JavaScript Prevention of Cross-site Scripting SAP HANA protection Protecting SAP® Applications Based on Java and ABAP™ Against Common Attacks <%@page language="abap" forceEncode="html"%> <% data: inputvalue type string. inputvalue = request->get_form_field( 'x' ). %> </html> . , ( ): <%html=...%>: HTML <%url=...%>: URL URL <%javascript=...%>: JavaScript <%css=…%> : CSS <%raw=...%> ( , , , ) BSP BSP HTMLB forceEncode <htmlb:content> ENABLED , ( ). ENABLED , , :<htmlb:content forceEncode="ENABLED|BACKWARDS_COMPATIBLE"> ENABLED: . , ; BACKWARDS_COMPATIBLE: . , . , htmlb:content , . : CLASSIC, DESIGN2002, DESIGN2003, DESIGN2008, , (+). CLASSIC DESIGN2002 (, ) . <htmlb:content forceEncode="ENABLED" design="DESIGN2003+DESIGN2008"> , design=CLASSIC. . Mixed BSP- HTML HTMLB forceEncode BSP page forceEncode HTMLB . , – HTMLB. , , HTML BSP, Internet Transaction Server (ITS) HTML Business Internet Transaction Server (ITS) HTML Business, : xss_url_escape() xss_html_escape() xss_wml_escape() xss_css_escape() xss_js_escape() HTML Business , HTML-: , (`) , : ~auto_html_escaping=1: , ~new_xss_functions=1: XSS. ~html_escaping_off=1/0, . , , SAP_BASIS: ITS ( <= 6.40), Internet Service SE80. ITS ( >= 6.40), GUI SICF : 7.20, ~new_xss_functions, XSS- . , , , . ~html_escaping_off=”X”, . , . SAP Security Note 1488500. Business HTML (BHTML) HTMLBusiness Template Library (, SAP_TemplateNonEditableField()) . , . SAP Security Note 916255. , . , . , XSS-: http/security_session_timeout = 900; - , . icf/set_HTTPonly_flag_on_cookies = 0; HttpOnly , - , , . HTTPOnly, Logon tickets XSS-. , RZ10, ( Profile) (, DEFAULT.PFL, SAP-). , , , Extended maintenance . , Copy. , , - , - -, : icm/HTTP/logging_0 icm/security_log , SAP NetWeaver J2EE SAP NetWeaver J2EE AS Java tc_sec_csi.jar. , HTML/XML, JavaScript, CSS URL. StringUtils (com.sap.security.core.server.csi.util.StringUtils): . Securing SAP from XSS vulnerabilities escapeScriptEndTag(String pStr) - , javascript ; escapeToHTML(String input) – (. 1) escapeToJS(String input) – JS declaration ( . 5) escapeToURL(String input) – , URL ( 3). , 'disableScriptSignatures'. escapeToURL(StringBuffer sb, String input, int maxLength) - , URL ( 3). , 'disableScriptSignatures'. escapeToURL(String input, int maxLength) - , URL (. 3). , 'disableScriptSignatures'. urlEncode(String s) – URLEncoder.encode , . 1 ( ) [CASE1] Username [CASE1] 2 ( , – URL) Click here 3 ( - URL) 4 ( SCRIPT', – ) 5 ( – declaration ) XSSEncoder. - XSSEncoder ( : com.sap.security.core.server.csi.XSSEncoder). : HTML / XML out = XSSEncoder.encodeHTML( in ) and XSSEncoder.encodeXML( val ); JavaScript out = XSSEncoder.encodeJavaScript( val ); URL out = XSSEncoder.encodeURL( val ); CSS out = XSSEncoder.encodeCSS( val ); , . SAP Security Note 1590008. WebDynpro Java WebDynpro Java, XSS. . SAP UI Development Kit for HTML5 SAP UI Development Kit HTML5, jQuery /_core/src/main/js/jquery.sap.encoder.js. : HTML / XML jQuery.sap.encodeHTML(sValue) and jQuery.sap.encodeXML(sValue) JavaScript jQuery.sap.encodeJS(sValue) URL jQuery.sap.encodeURL(sValue) CSS jQuery.sap.encodeCSS(sValue) : , : Global_app_config/session_config/sessionTimeout = 900. - , . SystemCookiesDataProtection = true. HttpOnly , - , , . HTTPOnly, Logon tickets XSS-. ume.logon.httponlycookie= True. Logon tickets , Single Sign-On J2EE Engine. “True” , HTTP document.cookie ( XSS-) . SessionIPProtectionEnabled = True. , IP . True, HTTP- IP. IP, . , , - XSS-, - -, . LogCLF = TRUE http.properties logging CEF. ArchiveOldLogFiles = ON. Log Configurator . . , . , . . HttpTrace= Enable. HTTP- , ConfigTool. HTTP Provider Service, , HttpTrace. SAP HANA XS , XSS- – SAP HANA. SAP HANA SAPUI5. - SAPUI5 , . , int int, sap.ui.core . – , HTML: , : sessiontimeout = 900. - , . HttpOnly . , , - XSS-, - -, . HTTP (S) , SAP HANA, -. - HTTP (S) , icm/http/logging _ 0: global _ auditing _ state = true. global.ini, . , , XSS-. SAP HANA Administration Console –> Security HDB –> Auditing Status menu. - , XSS. , , - SAP . XSS- – SAP. SAP XSS-. XSS SAP. , ( chipik ) . Logging additional information ABAP protection SAP Encoding Functions for AS ABAP Java protection SAP Encoding Functions for AS Java and JavaScript Prevention of Cross-site Scripting SAP HANA protection Protecting SAP® Applications Based on Java and ABAP™ Against Common Attacks

<%@page language="abap" forceEncode="html"%>
<% data: inputvalue type string.
inputvalue = request->get_form_field( 'x' ).
%>
</html>


. , ( ):

<%html=...%>: HTML <%url=...%>: URL URL <%javascript=...%>: JavaScript <%css=…%> : CSS <%raw=...%> ( , , , )

BSP

BSP HTMLB forceEncode <htmlb:content> ENABLED , ( ). ENABLED , , :<htmlb:content forceEncode="ENABLED|BACKWARDS_COMPATIBLE">

ENABLED: . , ; BACKWARDS_COMPATIBLE: . , .

, htmlb:content , . : CLASSIC, DESIGN2002, DESIGN2003, DESIGN2008, , (+). CLASSIC DESIGN2002 (, ) .

<htmlb:content forceEncode="ENABLED" design="DESIGN2003+DESIGN2008">


, design=CLASSIC. .

Mixed BSP- HTML HTMLB

forceEncode BSP page forceEncode HTMLB . , – HTMLB. , , HTML BSP,

Internet Transaction Server (ITS) HTML Business

Internet Transaction Server (ITS) HTML Business, :

xss_url_escape() xss_html_escape() xss_wml_escape() xss_css_escape() xss_js_escape()
HTML Business

, HTML-: , (`) , :
~auto_html_escaping=1: , ~new_xss_functions=1: XSS.
~html_escaping_off=1/0, .
, , SAP_BASIS:
ITS ( <= 6.40), Internet Service SE80. ITS ( >= 6.40), GUI SICF :

7.20, ~new_xss_functions, XSS- .

, , , . ~html_escaping_off=”X”, . , . SAP Security Note 1488500.

Business HTML (BHTML)

HTMLBusiness Template Library (, SAP_TemplateNonEditableField()) . , . SAP Security Note 916255.



, . , .



, XSS-:

http/security_session_timeout = 900; - , . icf/set_HTTPonly_flag_on_cookies = 0; HttpOnly , - , , . HTTPOnly, Logon tickets XSS-.

, RZ10, ( Profile) (, DEFAULT.PFL, SAP-). , , , Extended maintenance . , Copy.



, , - , - -, :
icm/HTTP/logging_0 icm/security_log ,

SAP NetWeaver J2EE

SAP NetWeaver J2EE



AS Java tc_sec_csi.jar. , HTML/XML, JavaScript, CSS URL. StringUtils (com.sap.security.core.server.csi.util.StringUtils):

. Securing SAP from XSS vulnerabilities
escapeScriptEndTag(String pStr) - , javascript ; escapeToHTML(String input) – (. 1) escapeToJS(String input) – JS declaration ( . 5) escapeToURL(String input) – , URL ( 3). , 'disableScriptSignatures'. escapeToURL(StringBuffer sb, String input, int maxLength) - , URL ( 3). , 'disableScriptSignatures'. escapeToURL(String input, int maxLength) - , URL (. 3). , 'disableScriptSignatures'. urlEncode(String s) – URLEncoder.encode

, .

1 ( )

[CASE1]

Username [CASE1]



2 ( , – URL)


Click here


3 ( - URL)




4 ( SCRIPT', – )



5 ( – declaration )



XSSEncoder.
- XSSEncoder ( : com.sap.security.core.server.csi.XSSEncoder).

:
HTML / XML out = XSSEncoder.encodeHTML( in ) and XSSEncoder.encodeXML( val ); JavaScript out = XSSEncoder.encodeJavaScript( val ); URL out = XSSEncoder.encodeURL( val ); CSS out = XSSEncoder.encodeCSS( val );

, . SAP Security Note 1590008.
WebDynpro Java
WebDynpro Java, XSS. .
SAP UI Development Kit for HTML5
SAP UI Development Kit HTML5, jQuery /_core/src/main/js/jquery.sap.encoder.js.
:
HTML / XML jQuery.sap.encodeHTML(sValue) and jQuery.sap.encodeXML(sValue) JavaScript jQuery.sap.encodeJS(sValue) URL jQuery.sap.encodeURL(sValue) CSS jQuery.sap.encodeCSS(sValue)
:

, :
Global_app_config/session_config/sessionTimeout = 900. - , . SystemCookiesDataProtection = true. HttpOnly , - , , . HTTPOnly, Logon tickets XSS-. ume.logon.httponlycookie= True. Logon tickets , Single Sign-On J2EE Engine. “True” , HTTP document.cookie ( XSS-) . SessionIPProtectionEnabled = True. , IP . True, HTTP- IP. IP, .


, , - XSS-, - -, .
LogCLF = TRUE http.properties logging CEF. ArchiveOldLogFiles = ON. Log Configurator . . , . , . . HttpTrace= Enable. HTTP- , ConfigTool. HTTP Provider Service, , HttpTrace.
SAP HANA XS

, XSS- – SAP HANA.


SAP HANA SAPUI5.
- SAPUI5 , . , int int, sap.ui.core . – , HTML:

, :
sessiontimeout = 900. - , . HttpOnly .



, , - XSS-, - -, .

HTTP (S) , SAP HANA, -. - HTTP (S) , icm/http/logging _ 0: global _ auditing _ state = true. global.ini, . , , XSS-. SAP HANA Administration Console –> Security HDB –> Auditing Status menu.



- , XSS. , , - SAP . XSS- – SAP. SAP XSS-. XSS SAP.

, ( chipik ) .


Logging additional information ABAP protection SAP Encoding Functions for AS ABAP Java protection SAP Encoding Functions for AS Java and JavaScript Prevention of Cross-site Scripting SAP HANA protection Protecting SAP® Applications Based on Java and ABAP™ Against Common Attacks

<%@page language="abap" forceEncode="html"%> <% data: inputvalue type string. inputvalue = request->get_form_field( 'x' ). %> </html> . , ( ): <%html=...%>: HTML <%url=...%>: URL URL <%javascript=...%>: JavaScript <%css=…%> : CSS <%raw=...%> ( , , , ) BSP BSP HTMLB forceEncode <htmlb:content> ENABLED , ( ). ENABLED , , :<htmlb:content forceEncode="ENABLED\|BACKWARDS_COMPATIBLE"> ENABLED: . , ; BACKWARDS_COMPATIBLE: . , . , htmlb:content , . : CLASSIC, DESIGN2002, DESIGN2003, DESIGN2008, , (+). CLASSIC DESIGN2002 (, ) . <htmlb:content forceEncode="ENABLED" design="DESIGN2003+DESIGN2008"> , design=CLASSIC. . Mixed BSP- HTML HTMLB forceEncode BSP page forceEncode HTMLB . , – HTMLB. , , HTML BSP, Internet Transaction Server (ITS) HTML Business Internet Transaction Server (ITS) HTML Business, : xss_url_escape() xss_html_escape() xss_wml_escape() xss_css_escape() xss_js_escape() HTML Business , HTML-: , (`) , : ~auto_html_escaping=1: , ~new_xss_functions=1: XSS. ~html_escaping_off=1/0, . , , SAP_BASIS: ITS ( <= 6.40), Internet Service SE80. ITS ( >= 6.40), GUI SICF : 7.20, ~new_xss_functions, XSS- . , , , . ~html_escaping_off=”X”, . , . SAP Security Note 1488500. Business HTML (BHTML) HTMLBusiness Template Library (, SAP_TemplateNonEditableField()) . , . SAP Security Note 916255. , . , . , XSS-: http/security_session_timeout = 900; - , . icf/set_HTTPonly_flag_on_cookies = 0; HttpOnly , - , , . HTTPOnly, Logon tickets XSS-. , RZ10, ( Profile) (, DEFAULT.PFL, SAP-). , , , Extended maintenance . , Copy. , , - , - -, : icm/HTTP/logging_0 icm/security_log , SAP NetWeaver J2EE SAP NetWeaver J2EE AS Java tc_sec_csi.jar. , HTML/XML, JavaScript, CSS URL. StringUtils (com.sap.security.core.server.csi.util.StringUtils): . Securing SAP from XSS vulnerabilities escapeScriptEndTag(String pStr) - , javascript ; escapeToHTML(String input) – (. 1) escapeToJS(String input) – JS declaration ( . 5) escapeToURL(String input) – , URL ( 3). , 'disableScriptSignatures'. escapeToURL(StringBuffer sb, String input, int maxLength) - , URL ( 3). , 'disableScriptSignatures'. escapeToURL(String input, int maxLength) - , URL (. 3). , 'disableScriptSignatures'. urlEncode(String s) – URLEncoder.encode , . 1 ( ) [CASE1] Username [CASE1] 2 ( , – URL) Click here 3 ( - URL) 4 ( SCRIPT', – ) 5 ( – declaration ) XSSEncoder. - XSSEncoder ( : com.sap.security.core.server.csi.XSSEncoder). : HTML / XML out = XSSEncoder.encodeHTML( in ) and XSSEncoder.encodeXML( val ); JavaScript out = XSSEncoder.encodeJavaScript( val ); URL out = XSSEncoder.encodeURL( val ); CSS out = XSSEncoder.encodeCSS( val ); , . SAP Security Note 1590008. WebDynpro Java WebDynpro Java, XSS. . SAP UI Development Kit for HTML5 SAP UI Development Kit HTML5, jQuery /_core/src/main/js/jquery.sap.encoder.js. : HTML / XML jQuery.sap.encodeHTML(sValue) and jQuery.sap.encodeXML(sValue) JavaScript jQuery.sap.encodeJS(sValue) URL jQuery.sap.encodeURL(sValue) CSS jQuery.sap.encodeCSS(sValue) : , : Global_app_config/session_config/sessionTimeout = 900. - , . SystemCookiesDataProtection = true. HttpOnly , - , , . HTTPOnly, Logon tickets XSS-. ume.logon.httponlycookie= True. Logon tickets , Single Sign-On J2EE Engine. “True” , HTTP document.cookie ( XSS-) . SessionIPProtectionEnabled = True. , IP . True, HTTP- IP. IP, . , , - XSS-, - -, . LogCLF = TRUE http.properties logging CEF. ArchiveOldLogFiles = ON. Log Configurator . . , . , . . HttpTrace= Enable. HTTP- , ConfigTool. HTTP Provider Service, , HttpTrace. SAP HANA XS , XSS- – SAP HANA. SAP HANA SAPUI5. - SAPUI5 , . , int int, sap.ui.core . – , HTML: , : sessiontimeout = 900. - , . HttpOnly . , , - XSS-, - -, . HTTP (S) , SAP HANA, -. - HTTP (S) , icm/http/logging _ 0: global _ auditing _ state = true. global.ini, . , , XSS-. SAP HANA Administration Console –> Security HDB –> Auditing Status menu. - , XSS. , , - SAP . XSS- – SAP. SAP XSS-. XSS SAP. , ( chipik ) . Logging additional information ABAP protection SAP Encoding Functions for AS ABAP Java protection SAP Encoding Functions for AS Java and JavaScript Prevention of Cross-site Scripting SAP HANA protection Protecting SAP® Applications Based on Java and ABAP™ Against Common Attacks	<%@page language="abap" forceEncode="html"%> <% data: inputvalue type string. inputvalue = request->get_form_field( 'x' ). %> </html> . , ( ): <%html=...%>: HTML <%url=...%>: URL URL <%javascript=...%>: JavaScript <%css=…%> : CSS <%raw=...%> ( , , , ) BSP BSP HTMLB forceEncode <htmlb:content> ENABLED , ( ). ENABLED , , :<htmlb:content forceEncode="ENABLED\|BACKWARDS_COMPATIBLE"> ENABLED: . , ; BACKWARDS_COMPATIBLE: . , . , htmlb:content , . : CLASSIC, DESIGN2002, DESIGN2003, DESIGN2008, , (+). CLASSIC DESIGN2002 (, ) . <htmlb:content forceEncode="ENABLED" design="DESIGN2003+DESIGN2008"> , design=CLASSIC. . Mixed BSP- HTML HTMLB forceEncode BSP page forceEncode HTMLB . , – HTMLB. , , HTML BSP, Internet Transaction Server (ITS) HTML Business Internet Transaction Server (ITS) HTML Business, : xss_url_escape() xss_html_escape() xss_wml_escape() xss_css_escape() xss_js_escape() HTML Business , HTML-: , (`) , : ~auto_html_escaping=1: , ~new_xss_functions=1: XSS. ~html_escaping_off=1/0, . , , SAP_BASIS: ITS ( <= 6.40), Internet Service SE80. ITS ( >= 6.40), GUI SICF : 7.20, ~new_xss_functions, XSS- . , , , . ~html_escaping_off=”X”, . , . SAP Security Note 1488500. Business HTML (BHTML) HTMLBusiness Template Library (, SAP_TemplateNonEditableField()) . , . SAP Security Note 916255. , . , . , XSS-: http/security_session_timeout = 900; - , . icf/set_HTTPonly_flag_on_cookies = 0; HttpOnly , - , , . HTTPOnly, Logon tickets XSS-. , RZ10, ( Profile) (, DEFAULT.PFL, SAP-). , , , Extended maintenance . , Copy. , , - , - -, : icm/HTTP/logging_0 icm/security_log , SAP NetWeaver J2EE SAP NetWeaver J2EE AS Java tc_sec_csi.jar. , HTML/XML, JavaScript, CSS URL. StringUtils (com.sap.security.core.server.csi.util.StringUtils): . Securing SAP from XSS vulnerabilities escapeScriptEndTag(String pStr) - , javascript ; escapeToHTML(String input) – (. 1) escapeToJS(String input) – JS declaration ( . 5) escapeToURL(String input) – , URL ( 3). , 'disableScriptSignatures'. escapeToURL(StringBuffer sb, String input, int maxLength) - , URL ( 3). , 'disableScriptSignatures'. escapeToURL(String input, int maxLength) - , URL (. 3). , 'disableScriptSignatures'. urlEncode(String s) – URLEncoder.encode , . 1 ( ) [CASE1] Username [CASE1] 2 ( , – URL) Click here 3 ( - URL) 4 ( SCRIPT', – ) 5 ( – declaration ) XSSEncoder. - XSSEncoder ( : com.sap.security.core.server.csi.XSSEncoder). : HTML / XML out = XSSEncoder.encodeHTML( in ) and XSSEncoder.encodeXML( val ); JavaScript out = XSSEncoder.encodeJavaScript( val ); URL out = XSSEncoder.encodeURL( val ); CSS out = XSSEncoder.encodeCSS( val ); , . SAP Security Note 1590008. WebDynpro Java WebDynpro Java, XSS. . SAP UI Development Kit for HTML5 SAP UI Development Kit HTML5, jQuery /_core/src/main/js/jquery.sap.encoder.js. : HTML / XML jQuery.sap.encodeHTML(sValue) and jQuery.sap.encodeXML(sValue) JavaScript jQuery.sap.encodeJS(sValue) URL jQuery.sap.encodeURL(sValue) CSS jQuery.sap.encodeCSS(sValue) : , : Global_app_config/session_config/sessionTimeout = 900. - , . SystemCookiesDataProtection = true. HttpOnly , - , , . HTTPOnly, Logon tickets XSS-. ume.logon.httponlycookie= True. Logon tickets , Single Sign-On J2EE Engine. “True” , HTTP document.cookie ( XSS-) . SessionIPProtectionEnabled = True. , IP . True, HTTP- IP. IP, . , , - XSS-, - -, . LogCLF = TRUE http.properties logging CEF. ArchiveOldLogFiles = ON. Log Configurator . . , . , . . HttpTrace= Enable. HTTP- , ConfigTool. HTTP Provider Service, , HttpTrace. SAP HANA XS , XSS- – SAP HANA. SAP HANA SAPUI5. - SAPUI5 , . , int int, sap.ui.core . – , HTML: , : sessiontimeout = 900. - , . HttpOnly . , , - XSS-, - -, . HTTP (S) , SAP HANA, -. - HTTP (S) , icm/http/logging _ 0: global _ auditing _ state = true. global.ini, . , , XSS-. SAP HANA Administration Console –> Security HDB –> Auditing Status menu. - , XSS. , , - SAP . XSS- – SAP. SAP XSS-. XSS SAP. , ( chipik ) . Logging additional information ABAP protection SAP Encoding Functions for AS ABAP Java protection SAP Encoding Functions for AS Java and JavaScript Prevention of Cross-site Scripting SAP HANA protection Protecting SAP® Applications Based on Java and ABAP™ Against Common Attacks
<%@page language="abap" forceEncode="html"%> <% data: inputvalue type string. inputvalue = request->get_form_field( 'x' ). %> </html> . , ( ): <%html=...%>: HTML <%url=...%>: URL URL <%javascript=...%>: JavaScript <%css=…%> : CSS <%raw=...%> ( , , , ) BSP BSP HTMLB forceEncode <htmlb:content> ENABLED , ( ). ENABLED , , :<htmlb:content forceEncode="ENABLED\|BACKWARDS_COMPATIBLE"> ENABLED: . , ; BACKWARDS_COMPATIBLE: . , . , htmlb:content , . : CLASSIC, DESIGN2002, DESIGN2003, DESIGN2008, , (+). CLASSIC DESIGN2002 (, ) . <htmlb:content forceEncode="ENABLED" design="DESIGN2003+DESIGN2008"> , design=CLASSIC. . Mixed BSP- HTML HTMLB forceEncode BSP page forceEncode HTMLB . , – HTMLB. , , HTML BSP, Internet Transaction Server (ITS) HTML Business Internet Transaction Server (ITS) HTML Business, : xss_url_escape() xss_html_escape() xss_wml_escape() xss_css_escape() xss_js_escape() HTML Business , HTML-: , (`) , : ~auto_html_escaping=1: , ~new_xss_functions=1: XSS. ~html_escaping_off=1/0, . , , SAP_BASIS: ITS ( <= 6.40), Internet Service SE80. ITS ( >= 6.40), GUI SICF : 7.20, ~new_xss_functions, XSS- . , , , . ~html_escaping_off=”X”, . , . SAP Security Note 1488500. Business HTML (BHTML) HTMLBusiness Template Library (, SAP_TemplateNonEditableField()) . , . SAP Security Note 916255. , . , . , XSS-: http/security_session_timeout = 900; - , . icf/set_HTTPonly_flag_on_cookies = 0; HttpOnly , - , , . HTTPOnly, Logon tickets XSS-. , RZ10, ( Profile) (, DEFAULT.PFL, SAP-). , , , Extended maintenance . , Copy. , , - , - -, : icm/HTTP/logging_0 icm/security_log , SAP NetWeaver J2EE SAP NetWeaver J2EE AS Java tc_sec_csi.jar. , HTML/XML, JavaScript, CSS URL. StringUtils (com.sap.security.core.server.csi.util.StringUtils): . Securing SAP from XSS vulnerabilities escapeScriptEndTag(String pStr) - , javascript ; escapeToHTML(String input) – (. 1) escapeToJS(String input) – JS declaration ( . 5) escapeToURL(String input) – , URL ( 3). , 'disableScriptSignatures'. escapeToURL(StringBuffer sb, String input, int maxLength) - , URL ( 3). , 'disableScriptSignatures'. escapeToURL(String input, int maxLength) - , URL (. 3). , 'disableScriptSignatures'. urlEncode(String s) – URLEncoder.encode , . 1 ( ) [CASE1] Username [CASE1] 2 ( , – URL) Click here 3 ( - URL) 4 ( SCRIPT', – ) 5 ( – declaration ) XSSEncoder. - XSSEncoder ( : com.sap.security.core.server.csi.XSSEncoder). : HTML / XML out = XSSEncoder.encodeHTML( in ) and XSSEncoder.encodeXML( val ); JavaScript out = XSSEncoder.encodeJavaScript( val ); URL out = XSSEncoder.encodeURL( val ); CSS out = XSSEncoder.encodeCSS( val ); , . SAP Security Note 1590008. WebDynpro Java WebDynpro Java, XSS. . SAP UI Development Kit for HTML5 SAP UI Development Kit HTML5, jQuery /_core/src/main/js/jquery.sap.encoder.js. : HTML / XML jQuery.sap.encodeHTML(sValue) and jQuery.sap.encodeXML(sValue) JavaScript jQuery.sap.encodeJS(sValue) URL jQuery.sap.encodeURL(sValue) CSS jQuery.sap.encodeCSS(sValue) : , : Global_app_config/session_config/sessionTimeout = 900. - , . SystemCookiesDataProtection = true. HttpOnly , - , , . HTTPOnly, Logon tickets XSS-. ume.logon.httponlycookie= True. Logon tickets , Single Sign-On J2EE Engine. “True” , HTTP document.cookie ( XSS-) . SessionIPProtectionEnabled = True. , IP . True, HTTP- IP. IP, . , , - XSS-, - -, . LogCLF = TRUE http.properties logging CEF. ArchiveOldLogFiles = ON. Log Configurator . . , . , . . HttpTrace= Enable. HTTP- , ConfigTool. HTTP Provider Service, , HttpTrace. SAP HANA XS , XSS- – SAP HANA. SAP HANA SAPUI5. - SAPUI5 , . , int int, sap.ui.core . – , HTML: , : sessiontimeout = 900. - , . HttpOnly . , , - XSS-, - -, . HTTP (S) , SAP HANA, -. - HTTP (S) , icm/http/logging _ 0: global _ auditing _ state = true. global.ini, . , , XSS-. SAP HANA Administration Console –> Security HDB –> Auditing Status menu. - , XSS. , , - SAP . XSS- – SAP. SAP XSS-. XSS SAP. , ( chipik ) . Logging additional information ABAP protection SAP Encoding Functions for AS ABAP Java protection SAP Encoding Functions for AS Java and JavaScript Prevention of Cross-site Scripting SAP HANA protection Protecting SAP® Applications Based on Java and ABAP™ Against Common Attacks	<%@page language="abap" forceEncode="html"%> <% data: inputvalue type string. inputvalue = request->get_form_field( 'x' ). %> </html> . , ( ): <%html=...%>: HTML <%url=...%>: URL URL <%javascript=...%>: JavaScript <%css=…%> : CSS <%raw=...%> ( , , , ) BSP BSP HTMLB forceEncode <htmlb:content> ENABLED , ( ). ENABLED , , :<htmlb:content forceEncode="ENABLED\|BACKWARDS_COMPATIBLE"> ENABLED: . , ; BACKWARDS_COMPATIBLE: . , . , htmlb:content , . : CLASSIC, DESIGN2002, DESIGN2003, DESIGN2008, , (+). CLASSIC DESIGN2002 (, ) . <htmlb:content forceEncode="ENABLED" design="DESIGN2003+DESIGN2008"> , design=CLASSIC. . Mixed BSP- HTML HTMLB forceEncode BSP page forceEncode HTMLB . , – HTMLB. , , HTML BSP, Internet Transaction Server (ITS) HTML Business Internet Transaction Server (ITS) HTML Business, : xss_url_escape() xss_html_escape() xss_wml_escape() xss_css_escape() xss_js_escape() HTML Business , HTML-: , (`) , : ~auto_html_escaping=1: , ~new_xss_functions=1: XSS. ~html_escaping_off=1/0, . , , SAP_BASIS: ITS ( <= 6.40), Internet Service SE80. ITS ( >= 6.40), GUI SICF : 7.20, ~new_xss_functions, XSS- . , , , . ~html_escaping_off=”X”, . , . SAP Security Note 1488500. Business HTML (BHTML) HTMLBusiness Template Library (, SAP_TemplateNonEditableField()) . , . SAP Security Note 916255. , . , . , XSS-: http/security_session_timeout = 900; - , . icf/set_HTTPonly_flag_on_cookies = 0; HttpOnly , - , , . HTTPOnly, Logon tickets XSS-. , RZ10, ( Profile) (, DEFAULT.PFL, SAP-). , , , Extended maintenance . , Copy. , , - , - -, : icm/HTTP/logging_0 icm/security_log , SAP NetWeaver J2EE SAP NetWeaver J2EE AS Java tc_sec_csi.jar. , HTML/XML, JavaScript, CSS URL. StringUtils (com.sap.security.core.server.csi.util.StringUtils): . Securing SAP from XSS vulnerabilities escapeScriptEndTag(String pStr) - , javascript ; escapeToHTML(String input) – (. 1) escapeToJS(String input) – JS declaration ( . 5) escapeToURL(String input) – , URL ( 3). , 'disableScriptSignatures'. escapeToURL(StringBuffer sb, String input, int maxLength) - , URL ( 3). , 'disableScriptSignatures'. escapeToURL(String input, int maxLength) - , URL (. 3). , 'disableScriptSignatures'. urlEncode(String s) – URLEncoder.encode , . 1 ( ) [CASE1] Username [CASE1] 2 ( , – URL) Click here 3 ( - URL) 4 ( SCRIPT', – ) 5 ( – declaration ) XSSEncoder. - XSSEncoder ( : com.sap.security.core.server.csi.XSSEncoder). : HTML / XML out = XSSEncoder.encodeHTML( in ) and XSSEncoder.encodeXML( val ); JavaScript out = XSSEncoder.encodeJavaScript( val ); URL out = XSSEncoder.encodeURL( val ); CSS out = XSSEncoder.encodeCSS( val ); , . SAP Security Note 1590008. WebDynpro Java WebDynpro Java, XSS. . SAP UI Development Kit for HTML5 SAP UI Development Kit HTML5, jQuery /_core/src/main/js/jquery.sap.encoder.js. : HTML / XML jQuery.sap.encodeHTML(sValue) and jQuery.sap.encodeXML(sValue) JavaScript jQuery.sap.encodeJS(sValue) URL jQuery.sap.encodeURL(sValue) CSS jQuery.sap.encodeCSS(sValue) : , : Global_app_config/session_config/sessionTimeout = 900. - , . SystemCookiesDataProtection = true. HttpOnly , - , , . HTTPOnly, Logon tickets XSS-. ume.logon.httponlycookie= True. Logon tickets , Single Sign-On J2EE Engine. “True” , HTTP document.cookie ( XSS-) . SessionIPProtectionEnabled = True. , IP . True, HTTP- IP. IP, . , , - XSS-, - -, . LogCLF = TRUE http.properties logging CEF. ArchiveOldLogFiles = ON. Log Configurator . . , . , . . HttpTrace= Enable. HTTP- , ConfigTool. HTTP Provider Service, , HttpTrace. SAP HANA XS , XSS- – SAP HANA. SAP HANA SAPUI5. - SAPUI5 , . , int int, sap.ui.core . – , HTML: , : sessiontimeout = 900. - , . HttpOnly . , , - XSS-, - -, . HTTP (S) , SAP HANA, -. - HTTP (S) , icm/http/logging _ 0: global _ auditing _ state = true. global.ini, . , , XSS-. SAP HANA Administration Console –> Security HDB –> Auditing Status menu. - , XSS. , , - SAP . XSS- – SAP. SAP XSS-. XSS SAP. , ( chipik ) . Logging additional information ABAP protection SAP Encoding Functions for AS ABAP Java protection SAP Encoding Functions for AS Java and JavaScript Prevention of Cross-site Scripting SAP HANA protection Protecting SAP® Applications Based on Java and ABAP™ Against Common Attacks
<%@page language="abap" forceEncode="html"%> <% data: inputvalue type string. inputvalue = request->get_form_field( 'x' ). %> </html> . , ( ): <%html=...%>: HTML <%url=...%>: URL URL <%javascript=...%>: JavaScript <%css=…%> : CSS <%raw=...%> ( , , , ) BSP BSP HTMLB forceEncode <htmlb:content> ENABLED , ( ). ENABLED , , :<htmlb:content forceEncode="ENABLED\|BACKWARDS_COMPATIBLE"> ENABLED: . , ; BACKWARDS_COMPATIBLE: . , . , htmlb:content , . : CLASSIC, DESIGN2002, DESIGN2003, DESIGN2008, , (+). CLASSIC DESIGN2002 (, ) . <htmlb:content forceEncode="ENABLED" design="DESIGN2003+DESIGN2008"> , design=CLASSIC. . Mixed BSP- HTML HTMLB forceEncode BSP page forceEncode HTMLB . , – HTMLB. , , HTML BSP, Internet Transaction Server (ITS) HTML Business Internet Transaction Server (ITS) HTML Business, : xss_url_escape() xss_html_escape() xss_wml_escape() xss_css_escape() xss_js_escape() HTML Business , HTML-: , (`) , : ~auto_html_escaping=1: , ~new_xss_functions=1: XSS. ~html_escaping_off=1/0, . , , SAP_BASIS: ITS ( <= 6.40), Internet Service SE80. ITS ( >= 6.40), GUI SICF : 7.20, ~new_xss_functions, XSS- . , , , . ~html_escaping_off=”X”, . , . SAP Security Note 1488500. Business HTML (BHTML) HTMLBusiness Template Library (, SAP_TemplateNonEditableField()) . , . SAP Security Note 916255. , . , . , XSS-: http/security_session_timeout = 900; - , . icf/set_HTTPonly_flag_on_cookies = 0; HttpOnly , - , , . HTTPOnly, Logon tickets XSS-. , RZ10, ( Profile) (, DEFAULT.PFL, SAP-). , , , Extended maintenance . , Copy. , , - , - -, : icm/HTTP/logging_0 icm/security_log , SAP NetWeaver J2EE SAP NetWeaver J2EE AS Java tc_sec_csi.jar. , HTML/XML, JavaScript, CSS URL. StringUtils (com.sap.security.core.server.csi.util.StringUtils): . Securing SAP from XSS vulnerabilities escapeScriptEndTag(String pStr) - , javascript ; escapeToHTML(String input) – (. 1) escapeToJS(String input) – JS declaration ( . 5) escapeToURL(String input) – , URL ( 3). , 'disableScriptSignatures'. escapeToURL(StringBuffer sb, String input, int maxLength) - , URL ( 3). , 'disableScriptSignatures'. escapeToURL(String input, int maxLength) - , URL (. 3). , 'disableScriptSignatures'. urlEncode(String s) – URLEncoder.encode , . 1 ( ) [CASE1] Username [CASE1] 2 ( , – URL) Click here 3 ( - URL) 4 ( SCRIPT', – ) 5 ( – declaration ) XSSEncoder. - XSSEncoder ( : com.sap.security.core.server.csi.XSSEncoder). : HTML / XML out = XSSEncoder.encodeHTML( in ) and XSSEncoder.encodeXML( val ); JavaScript out = XSSEncoder.encodeJavaScript( val ); URL out = XSSEncoder.encodeURL( val ); CSS out = XSSEncoder.encodeCSS( val ); , . SAP Security Note 1590008. WebDynpro Java WebDynpro Java, XSS. . SAP UI Development Kit for HTML5 SAP UI Development Kit HTML5, jQuery /_core/src/main/js/jquery.sap.encoder.js. : HTML / XML jQuery.sap.encodeHTML(sValue) and jQuery.sap.encodeXML(sValue) JavaScript jQuery.sap.encodeJS(sValue) URL jQuery.sap.encodeURL(sValue) CSS jQuery.sap.encodeCSS(sValue) : , : Global_app_config/session_config/sessionTimeout = 900. - , . SystemCookiesDataProtection = true. HttpOnly , - , , . HTTPOnly, Logon tickets XSS-. ume.logon.httponlycookie= True. Logon tickets , Single Sign-On J2EE Engine. “True” , HTTP document.cookie ( XSS-) . SessionIPProtectionEnabled = True. , IP . True, HTTP- IP. IP, . , , - XSS-, - -, . LogCLF = TRUE http.properties logging CEF. ArchiveOldLogFiles = ON. Log Configurator . . , . , . . HttpTrace= Enable. HTTP- , ConfigTool. HTTP Provider Service, , HttpTrace. SAP HANA XS , XSS- – SAP HANA. SAP HANA SAPUI5. - SAPUI5 , . , int int, sap.ui.core . – , HTML: , : sessiontimeout = 900. - , . HttpOnly . , , - XSS-, - -, . HTTP (S) , SAP HANA, -. - HTTP (S) , icm/http/logging _ 0: global _ auditing _ state = true. global.ini, . , , XSS-. SAP HANA Administration Console –> Security HDB –> Auditing Status menu. - , XSS. , , - SAP . XSS- – SAP. SAP XSS-. XSS SAP. , ( chipik ) . Logging additional information ABAP protection SAP Encoding Functions for AS ABAP Java protection SAP Encoding Functions for AS Java and JavaScript Prevention of Cross-site Scripting SAP HANA protection Protecting SAP® Applications Based on Java and ABAP™ Against Common Attacks	<%@page language="abap" forceEncode="html"%> <% data: inputvalue type string. inputvalue = request->get_form_field( 'x' ). %> </html> . , ( ): <%html=...%>: HTML <%url=...%>: URL URL <%javascript=...%>: JavaScript <%css=…%> : CSS <%raw=...%> ( , , , ) BSP BSP HTMLB forceEncode <htmlb:content> ENABLED , ( ). ENABLED , , :<htmlb:content forceEncode="ENABLED\|BACKWARDS_COMPATIBLE"> ENABLED: . , ; BACKWARDS_COMPATIBLE: . , . , htmlb:content , . : CLASSIC, DESIGN2002, DESIGN2003, DESIGN2008, , (+). CLASSIC DESIGN2002 (, ) . <htmlb:content forceEncode="ENABLED" design="DESIGN2003+DESIGN2008"> , design=CLASSIC. . Mixed BSP- HTML HTMLB forceEncode BSP page forceEncode HTMLB . , – HTMLB. , , HTML BSP, Internet Transaction Server (ITS) HTML Business Internet Transaction Server (ITS) HTML Business, : xss_url_escape() xss_html_escape() xss_wml_escape() xss_css_escape() xss_js_escape() HTML Business , HTML-: , (`) , : ~auto_html_escaping=1: , ~new_xss_functions=1: XSS. ~html_escaping_off=1/0, . , , SAP_BASIS: ITS ( <= 6.40), Internet Service SE80. ITS ( >= 6.40), GUI SICF : 7.20, ~new_xss_functions, XSS- . , , , . ~html_escaping_off=”X”, . , . SAP Security Note 1488500. Business HTML (BHTML) HTMLBusiness Template Library (, SAP_TemplateNonEditableField()) . , . SAP Security Note 916255. , . , . , XSS-: http/security_session_timeout = 900; - , . icf/set_HTTPonly_flag_on_cookies = 0; HttpOnly , - , , . HTTPOnly, Logon tickets XSS-. , RZ10, ( Profile) (, DEFAULT.PFL, SAP-). , , , Extended maintenance . , Copy. , , - , - -, : icm/HTTP/logging_0 icm/security_log , SAP NetWeaver J2EE SAP NetWeaver J2EE AS Java tc_sec_csi.jar. , HTML/XML, JavaScript, CSS URL. StringUtils (com.sap.security.core.server.csi.util.StringUtils): . Securing SAP from XSS vulnerabilities escapeScriptEndTag(String pStr) - , javascript ; escapeToHTML(String input) – (. 1) escapeToJS(String input) – JS declaration ( . 5) escapeToURL(String input) – , URL ( 3). , 'disableScriptSignatures'. escapeToURL(StringBuffer sb, String input, int maxLength) - , URL ( 3). , 'disableScriptSignatures'. escapeToURL(String input, int maxLength) - , URL (. 3). , 'disableScriptSignatures'. urlEncode(String s) – URLEncoder.encode , . 1 ( ) [CASE1] Username [CASE1] 2 ( , – URL) Click here 3 ( - URL) 4 ( SCRIPT', – ) 5 ( – declaration ) XSSEncoder. - XSSEncoder ( : com.sap.security.core.server.csi.XSSEncoder). : HTML / XML out = XSSEncoder.encodeHTML( in ) and XSSEncoder.encodeXML( val ); JavaScript out = XSSEncoder.encodeJavaScript( val ); URL out = XSSEncoder.encodeURL( val ); CSS out = XSSEncoder.encodeCSS( val ); , . SAP Security Note 1590008. WebDynpro Java WebDynpro Java, XSS. . SAP UI Development Kit for HTML5 SAP UI Development Kit HTML5, jQuery /_core/src/main/js/jquery.sap.encoder.js. : HTML / XML jQuery.sap.encodeHTML(sValue) and jQuery.sap.encodeXML(sValue) JavaScript jQuery.sap.encodeJS(sValue) URL jQuery.sap.encodeURL(sValue) CSS jQuery.sap.encodeCSS(sValue) : , : Global_app_config/session_config/sessionTimeout = 900. - , . SystemCookiesDataProtection = true. HttpOnly , - , , . HTTPOnly, Logon tickets XSS-. ume.logon.httponlycookie= True. Logon tickets , Single Sign-On J2EE Engine. “True” , HTTP document.cookie ( XSS-) . SessionIPProtectionEnabled = True. , IP . True, HTTP- IP. IP, . , , - XSS-, - -, . LogCLF = TRUE http.properties logging CEF. ArchiveOldLogFiles = ON. Log Configurator . . , . , . . HttpTrace= Enable. HTTP- , ConfigTool. HTTP Provider Service, , HttpTrace. SAP HANA XS , XSS- – SAP HANA. SAP HANA SAPUI5. - SAPUI5 , . , int int, sap.ui.core . – , HTML: , : sessiontimeout = 900. - , . HttpOnly . , , - XSS-, - -, . HTTP (S) , SAP HANA, -. - HTTP (S) , icm/http/logging _ 0: global _ auditing _ state = true. global.ini, . , , XSS-. SAP HANA Administration Console –> Security HDB –> Auditing Status menu. - , XSS. , , - SAP . XSS- – SAP. SAP XSS-. XSS SAP. , ( chipik ) . Logging additional information ABAP protection SAP Encoding Functions for AS ABAP Java protection SAP Encoding Functions for AS Java and JavaScript Prevention of Cross-site Scripting SAP HANA protection Protecting SAP® Applications Based on Java and ABAP™ Against Common Attacks
<%@page language="abap" forceEncode="html"%> <% data: inputvalue type string. inputvalue = request->get_form_field( 'x' ). %> </html> . , ( ): <%html=...%>: HTML <%url=...%>: URL URL <%javascript=...%>: JavaScript <%css=…%> : CSS <%raw=...%> ( , , , ) BSP BSP HTMLB forceEncode <htmlb:content> ENABLED , ( ). ENABLED , , :<htmlb:content forceEncode="ENABLED\|BACKWARDS_COMPATIBLE"> ENABLED: . , ; BACKWARDS_COMPATIBLE: . , . , htmlb:content , . : CLASSIC, DESIGN2002, DESIGN2003, DESIGN2008, , (+). CLASSIC DESIGN2002 (, ) . <htmlb:content forceEncode="ENABLED" design="DESIGN2003+DESIGN2008"> , design=CLASSIC. . Mixed BSP- HTML HTMLB forceEncode BSP page forceEncode HTMLB . , – HTMLB. , , HTML BSP, Internet Transaction Server (ITS) HTML Business Internet Transaction Server (ITS) HTML Business, : xss_url_escape() xss_html_escape() xss_wml_escape() xss_css_escape() xss_js_escape() HTML Business , HTML-: , (`) , : ~auto_html_escaping=1: , ~new_xss_functions=1: XSS. ~html_escaping_off=1/0, . , , SAP_BASIS: ITS ( <= 6.40), Internet Service SE80. ITS ( >= 6.40), GUI SICF : 7.20, ~new_xss_functions, XSS- . , , , . ~html_escaping_off=”X”, . , . SAP Security Note 1488500. Business HTML (BHTML) HTMLBusiness Template Library (, SAP_TemplateNonEditableField()) . , . SAP Security Note 916255. , . , . , XSS-: http/security_session_timeout = 900; - , . icf/set_HTTPonly_flag_on_cookies = 0; HttpOnly , - , , . HTTPOnly, Logon tickets XSS-. , RZ10, ( Profile) (, DEFAULT.PFL, SAP-). , , , Extended maintenance . , Copy. , , - , - -, : icm/HTTP/logging_0 icm/security_log , SAP NetWeaver J2EE SAP NetWeaver J2EE AS Java tc_sec_csi.jar. , HTML/XML, JavaScript, CSS URL. StringUtils (com.sap.security.core.server.csi.util.StringUtils): . Securing SAP from XSS vulnerabilities escapeScriptEndTag(String pStr) - , javascript ; escapeToHTML(String input) – (. 1) escapeToJS(String input) – JS declaration ( . 5) escapeToURL(String input) – , URL ( 3). , 'disableScriptSignatures'. escapeToURL(StringBuffer sb, String input, int maxLength) - , URL ( 3). , 'disableScriptSignatures'. escapeToURL(String input, int maxLength) - , URL (. 3). , 'disableScriptSignatures'. urlEncode(String s) – URLEncoder.encode , . 1 ( ) [CASE1] Username [CASE1] 2 ( , – URL) Click here 3 ( - URL) 4 ( SCRIPT', – ) 5 ( – declaration ) XSSEncoder. - XSSEncoder ( : com.sap.security.core.server.csi.XSSEncoder). : HTML / XML out = XSSEncoder.encodeHTML( in ) and XSSEncoder.encodeXML( val ); JavaScript out = XSSEncoder.encodeJavaScript( val ); URL out = XSSEncoder.encodeURL( val ); CSS out = XSSEncoder.encodeCSS( val ); , . SAP Security Note 1590008. WebDynpro Java WebDynpro Java, XSS. . SAP UI Development Kit for HTML5 SAP UI Development Kit HTML5, jQuery /_core/src/main/js/jquery.sap.encoder.js. : HTML / XML jQuery.sap.encodeHTML(sValue) and jQuery.sap.encodeXML(sValue) JavaScript jQuery.sap.encodeJS(sValue) URL jQuery.sap.encodeURL(sValue) CSS jQuery.sap.encodeCSS(sValue) : , : Global_app_config/session_config/sessionTimeout = 900. - , . SystemCookiesDataProtection = true. HttpOnly , - , , . HTTPOnly, Logon tickets XSS-. ume.logon.httponlycookie= True. Logon tickets , Single Sign-On J2EE Engine. “True” , HTTP document.cookie ( XSS-) . SessionIPProtectionEnabled = True. , IP . True, HTTP- IP. IP, . , , - XSS-, - -, . LogCLF = TRUE http.properties logging CEF. ArchiveOldLogFiles = ON. Log Configurator . . , . , . . HttpTrace= Enable. HTTP- , ConfigTool. HTTP Provider Service, , HttpTrace. SAP HANA XS , XSS- – SAP HANA. SAP HANA SAPUI5. - SAPUI5 , . , int int, sap.ui.core . – , HTML: , : sessiontimeout = 900. - , . HttpOnly . , , - XSS-, - -, . HTTP (S) , SAP HANA, -. - HTTP (S) , icm/http/logging _ 0: global _ auditing _ state = true. global.ini, . , , XSS-. SAP HANA Administration Console –> Security HDB –> Auditing Status menu. - , XSS. , , - SAP . XSS- – SAP. SAP XSS-. XSS SAP. , ( chipik ) . Logging additional information ABAP protection SAP Encoding Functions for AS ABAP Java protection SAP Encoding Functions for AS Java and JavaScript Prevention of Cross-site Scripting SAP HANA protection Protecting SAP® Applications Based on Java and ABAP™ Against Common Attacks	<%@page language="abap" forceEncode="html"%> <% data: inputvalue type string. inputvalue = request->get_form_field( 'x' ). %> </html> . , ( ): <%html=...%>: HTML <%url=...%>: URL URL <%javascript=...%>: JavaScript <%css=…%> : CSS <%raw=...%> ( , , , ) BSP BSP HTMLB forceEncode <htmlb:content> ENABLED , ( ). ENABLED , , :<htmlb:content forceEncode="ENABLED\|BACKWARDS_COMPATIBLE"> ENABLED: . , ; BACKWARDS_COMPATIBLE: . , . , htmlb:content , . : CLASSIC, DESIGN2002, DESIGN2003, DESIGN2008, , (+). CLASSIC DESIGN2002 (, ) . <htmlb:content forceEncode="ENABLED" design="DESIGN2003+DESIGN2008"> , design=CLASSIC. . Mixed BSP- HTML HTMLB forceEncode BSP page forceEncode HTMLB . , – HTMLB. , , HTML BSP, Internet Transaction Server (ITS) HTML Business Internet Transaction Server (ITS) HTML Business, : xss_url_escape() xss_html_escape() xss_wml_escape() xss_css_escape() xss_js_escape() HTML Business , HTML-: , (`) , : ~auto_html_escaping=1: , ~new_xss_functions=1: XSS. ~html_escaping_off=1/0, . , , SAP_BASIS: ITS ( <= 6.40), Internet Service SE80. ITS ( >= 6.40), GUI SICF : 7.20, ~new_xss_functions, XSS- . , , , . ~html_escaping_off=”X”, . , . SAP Security Note 1488500. Business HTML (BHTML) HTMLBusiness Template Library (, SAP_TemplateNonEditableField()) . , . SAP Security Note 916255. , . , . , XSS-: http/security_session_timeout = 900; - , . icf/set_HTTPonly_flag_on_cookies = 0; HttpOnly , - , , . HTTPOnly, Logon tickets XSS-. , RZ10, ( Profile) (, DEFAULT.PFL, SAP-). , , , Extended maintenance . , Copy. , , - , - -, : icm/HTTP/logging_0 icm/security_log , SAP NetWeaver J2EE SAP NetWeaver J2EE AS Java tc_sec_csi.jar. , HTML/XML, JavaScript, CSS URL. StringUtils (com.sap.security.core.server.csi.util.StringUtils): . Securing SAP from XSS vulnerabilities escapeScriptEndTag(String pStr) - , javascript ; escapeToHTML(String input) – (. 1) escapeToJS(String input) – JS declaration ( . 5) escapeToURL(String input) – , URL ( 3). , 'disableScriptSignatures'. escapeToURL(StringBuffer sb, String input, int maxLength) - , URL ( 3). , 'disableScriptSignatures'. escapeToURL(String input, int maxLength) - , URL (. 3). , 'disableScriptSignatures'. urlEncode(String s) – URLEncoder.encode , . 1 ( ) [CASE1] Username [CASE1] 2 ( , – URL) Click here 3 ( - URL) 4 ( SCRIPT', – ) 5 ( – declaration ) XSSEncoder. - XSSEncoder ( : com.sap.security.core.server.csi.XSSEncoder). : HTML / XML out = XSSEncoder.encodeHTML( in ) and XSSEncoder.encodeXML( val ); JavaScript out = XSSEncoder.encodeJavaScript( val ); URL out = XSSEncoder.encodeURL( val ); CSS out = XSSEncoder.encodeCSS( val ); , . SAP Security Note 1590008. WebDynpro Java WebDynpro Java, XSS. . SAP UI Development Kit for HTML5 SAP UI Development Kit HTML5, jQuery /_core/src/main/js/jquery.sap.encoder.js. : HTML / XML jQuery.sap.encodeHTML(sValue) and jQuery.sap.encodeXML(sValue) JavaScript jQuery.sap.encodeJS(sValue) URL jQuery.sap.encodeURL(sValue) CSS jQuery.sap.encodeCSS(sValue) : , : Global_app_config/session_config/sessionTimeout = 900. - , . SystemCookiesDataProtection = true. HttpOnly , - , , . HTTPOnly, Logon tickets XSS-. ume.logon.httponlycookie= True. Logon tickets , Single Sign-On J2EE Engine. “True” , HTTP document.cookie ( XSS-) . SessionIPProtectionEnabled = True. , IP . True, HTTP- IP. IP, . , , - XSS-, - -, . LogCLF = TRUE http.properties logging CEF. ArchiveOldLogFiles = ON. Log Configurator . . , . , . . HttpTrace= Enable. HTTP- , ConfigTool. HTTP Provider Service, , HttpTrace. SAP HANA XS , XSS- – SAP HANA. SAP HANA SAPUI5. - SAPUI5 , . , int int, sap.ui.core . – , HTML: , : sessiontimeout = 900. - , . HttpOnly . , , - XSS-, - -, . HTTP (S) , SAP HANA, -. - HTTP (S) , icm/http/logging _ 0: global _ auditing _ state = true. global.ini, . , , XSS-. SAP HANA Administration Console –> Security HDB –> Auditing Status menu. - , XSS. , , - SAP . XSS- – SAP. SAP XSS-. XSS SAP. , ( chipik ) . Logging additional information ABAP protection SAP Encoding Functions for AS ABAP Java protection SAP Encoding Functions for AS Java and JavaScript Prevention of Cross-site Scripting SAP HANA protection Protecting SAP® Applications Based on Java and ABAP™ Against Common Attacks
<%@page language="abap" forceEncode="html"%> <% data: inputvalue type string. inputvalue = request->get_form_field( 'x' ). %> </html> . , ( ): <%html=...%>: HTML <%url=...%>: URL URL <%javascript=...%>: JavaScript <%css=…%> : CSS <%raw=...%> ( , , , ) BSP BSP HTMLB forceEncode <htmlb:content> ENABLED , ( ). ENABLED , , :<htmlb:content forceEncode="ENABLED\|BACKWARDS_COMPATIBLE"> ENABLED: . , ; BACKWARDS_COMPATIBLE: . , . , htmlb:content , . : CLASSIC, DESIGN2002, DESIGN2003, DESIGN2008, , (+). CLASSIC DESIGN2002 (, ) . <htmlb:content forceEncode="ENABLED" design="DESIGN2003+DESIGN2008"> , design=CLASSIC. . Mixed BSP- HTML HTMLB forceEncode BSP page forceEncode HTMLB . , – HTMLB. , , HTML BSP, Internet Transaction Server (ITS) HTML Business Internet Transaction Server (ITS) HTML Business, : xss_url_escape() xss_html_escape() xss_wml_escape() xss_css_escape() xss_js_escape() HTML Business , HTML-: , (`) , : ~auto_html_escaping=1: , ~new_xss_functions=1: XSS. ~html_escaping_off=1/0, . , , SAP_BASIS: ITS ( <= 6.40), Internet Service SE80. ITS ( >= 6.40), GUI SICF : 7.20, ~new_xss_functions, XSS- . , , , . ~html_escaping_off=”X”, . , . SAP Security Note 1488500. Business HTML (BHTML) HTMLBusiness Template Library (, SAP_TemplateNonEditableField()) . , . SAP Security Note 916255. , . , . , XSS-: http/security_session_timeout = 900; - , . icf/set_HTTPonly_flag_on_cookies = 0; HttpOnly , - , , . HTTPOnly, Logon tickets XSS-. , RZ10, ( Profile) (, DEFAULT.PFL, SAP-). , , , Extended maintenance . , Copy. , , - , - -, : icm/HTTP/logging_0 icm/security_log , SAP NetWeaver J2EE SAP NetWeaver J2EE AS Java tc_sec_csi.jar. , HTML/XML, JavaScript, CSS URL. StringUtils (com.sap.security.core.server.csi.util.StringUtils): . Securing SAP from XSS vulnerabilities escapeScriptEndTag(String pStr) - , javascript ; escapeToHTML(String input) – (. 1) escapeToJS(String input) – JS declaration ( . 5) escapeToURL(String input) – , URL ( 3). , 'disableScriptSignatures'. escapeToURL(StringBuffer sb, String input, int maxLength) - , URL ( 3). , 'disableScriptSignatures'. escapeToURL(String input, int maxLength) - , URL (. 3). , 'disableScriptSignatures'. urlEncode(String s) – URLEncoder.encode , . 1 ( ) [CASE1] Username [CASE1] 2 ( , – URL) Click here 3 ( - URL) 4 ( SCRIPT', – ) 5 ( – declaration ) XSSEncoder. - XSSEncoder ( : com.sap.security.core.server.csi.XSSEncoder). : HTML / XML out = XSSEncoder.encodeHTML( in ) and XSSEncoder.encodeXML( val ); JavaScript out = XSSEncoder.encodeJavaScript( val ); URL out = XSSEncoder.encodeURL( val ); CSS out = XSSEncoder.encodeCSS( val ); , . SAP Security Note 1590008. WebDynpro Java WebDynpro Java, XSS. . SAP UI Development Kit for HTML5 SAP UI Development Kit HTML5, jQuery /_core/src/main/js/jquery.sap.encoder.js. : HTML / XML jQuery.sap.encodeHTML(sValue) and jQuery.sap.encodeXML(sValue) JavaScript jQuery.sap.encodeJS(sValue) URL jQuery.sap.encodeURL(sValue) CSS jQuery.sap.encodeCSS(sValue) : , : Global_app_config/session_config/sessionTimeout = 900. - , . SystemCookiesDataProtection = true. HttpOnly , - , , . HTTPOnly, Logon tickets XSS-. ume.logon.httponlycookie= True. Logon tickets , Single Sign-On J2EE Engine. “True” , HTTP document.cookie ( XSS-) . SessionIPProtectionEnabled = True. , IP . True, HTTP- IP. IP, . , , - XSS-, - -, . LogCLF = TRUE http.properties logging CEF. ArchiveOldLogFiles = ON. Log Configurator . . , . , . . HttpTrace= Enable. HTTP- , ConfigTool. HTTP Provider Service, , HttpTrace. SAP HANA XS , XSS- – SAP HANA. SAP HANA SAPUI5. - SAPUI5 , . , int int, sap.ui.core . – , HTML: , : sessiontimeout = 900. - , . HttpOnly . , , - XSS-, - -, . HTTP (S) , SAP HANA, -. - HTTP (S) , icm/http/logging _ 0: global _ auditing _ state = true. global.ini, . , , XSS-. SAP HANA Administration Console –> Security HDB –> Auditing Status menu. - , XSS. , , - SAP . XSS- – SAP. SAP XSS-. XSS SAP. , ( chipik ) . Logging additional information ABAP protection SAP Encoding Functions for AS ABAP Java protection SAP Encoding Functions for AS Java and JavaScript Prevention of Cross-site Scripting SAP HANA protection Protecting SAP® Applications Based on Java and ABAP™ Against Common Attacks	<%@page language="abap" forceEncode="html"%> <% data: inputvalue type string. inputvalue = request->get_form_field( 'x' ). %> </html> . , ( ): <%html=...%>: HTML <%url=...%>: URL URL <%javascript=...%>: JavaScript <%css=…%> : CSS <%raw=...%> ( , , , ) BSP BSP HTMLB forceEncode <htmlb:content> ENABLED , ( ). ENABLED , , :<htmlb:content forceEncode="ENABLED\|BACKWARDS_COMPATIBLE"> ENABLED: . , ; BACKWARDS_COMPATIBLE: . , . , htmlb:content , . : CLASSIC, DESIGN2002, DESIGN2003, DESIGN2008, , (+). CLASSIC DESIGN2002 (, ) . <htmlb:content forceEncode="ENABLED" design="DESIGN2003+DESIGN2008"> , design=CLASSIC. . Mixed BSP- HTML HTMLB forceEncode BSP page forceEncode HTMLB . , – HTMLB. , , HTML BSP, Internet Transaction Server (ITS) HTML Business Internet Transaction Server (ITS) HTML Business, : xss_url_escape() xss_html_escape() xss_wml_escape() xss_css_escape() xss_js_escape() HTML Business , HTML-: , (`) , : ~auto_html_escaping=1: , ~new_xss_functions=1: XSS. ~html_escaping_off=1/0, . , , SAP_BASIS: ITS ( <= 6.40), Internet Service SE80. ITS ( >= 6.40), GUI SICF : 7.20, ~new_xss_functions, XSS- . , , , . ~html_escaping_off=”X”, . , . SAP Security Note 1488500. Business HTML (BHTML) HTMLBusiness Template Library (, SAP_TemplateNonEditableField()) . , . SAP Security Note 916255. , . , . , XSS-: http/security_session_timeout = 900; - , . icf/set_HTTPonly_flag_on_cookies = 0; HttpOnly , - , , . HTTPOnly, Logon tickets XSS-. , RZ10, ( Profile) (, DEFAULT.PFL, SAP-). , , , Extended maintenance . , Copy. , , - , - -, : icm/HTTP/logging_0 icm/security_log , SAP NetWeaver J2EE SAP NetWeaver J2EE AS Java tc_sec_csi.jar. , HTML/XML, JavaScript, CSS URL. StringUtils (com.sap.security.core.server.csi.util.StringUtils): . Securing SAP from XSS vulnerabilities escapeScriptEndTag(String pStr) - , javascript ; escapeToHTML(String input) – (. 1) escapeToJS(String input) – JS declaration ( . 5) escapeToURL(String input) – , URL ( 3). , 'disableScriptSignatures'. escapeToURL(StringBuffer sb, String input, int maxLength) - , URL ( 3). , 'disableScriptSignatures'. escapeToURL(String input, int maxLength) - , URL (. 3). , 'disableScriptSignatures'. urlEncode(String s) – URLEncoder.encode , . 1 ( ) [CASE1] Username [CASE1] 2 ( , – URL) Click here 3 ( - URL) 4 ( SCRIPT', – ) 5 ( – declaration ) XSSEncoder. - XSSEncoder ( : com.sap.security.core.server.csi.XSSEncoder). : HTML / XML out = XSSEncoder.encodeHTML( in ) and XSSEncoder.encodeXML( val ); JavaScript out = XSSEncoder.encodeJavaScript( val ); URL out = XSSEncoder.encodeURL( val ); CSS out = XSSEncoder.encodeCSS( val ); , . SAP Security Note 1590008. WebDynpro Java WebDynpro Java, XSS. . SAP UI Development Kit for HTML5 SAP UI Development Kit HTML5, jQuery /_core/src/main/js/jquery.sap.encoder.js. : HTML / XML jQuery.sap.encodeHTML(sValue) and jQuery.sap.encodeXML(sValue) JavaScript jQuery.sap.encodeJS(sValue) URL jQuery.sap.encodeURL(sValue) CSS jQuery.sap.encodeCSS(sValue) : , : Global_app_config/session_config/sessionTimeout = 900. - , . SystemCookiesDataProtection = true. HttpOnly , - , , . HTTPOnly, Logon tickets XSS-. ume.logon.httponlycookie= True. Logon tickets , Single Sign-On J2EE Engine. “True” , HTTP document.cookie ( XSS-) . SessionIPProtectionEnabled = True. , IP . True, HTTP- IP. IP, . , , - XSS-, - -, . LogCLF = TRUE http.properties logging CEF. ArchiveOldLogFiles = ON. Log Configurator . . , . , . . HttpTrace= Enable. HTTP- , ConfigTool. HTTP Provider Service, , HttpTrace. SAP HANA XS , XSS- – SAP HANA. SAP HANA SAPUI5. - SAPUI5 , . , int int, sap.ui.core . – , HTML: , : sessiontimeout = 900. - , . HttpOnly . , , - XSS-, - -, . HTTP (S) , SAP HANA, -. - HTTP (S) , icm/http/logging _ 0: global _ auditing _ state = true. global.ini, . , , XSS-. SAP HANA Administration Console –> Security HDB –> Auditing Status menu. - , XSS. , , - SAP . XSS- – SAP. SAP XSS-. XSS SAP. , ( chipik ) . Logging additional information ABAP protection SAP Encoding Functions for AS ABAP Java protection SAP Encoding Functions for AS Java and JavaScript Prevention of Cross-site Scripting SAP HANA protection Protecting SAP® Applications Based on Java and ABAP™ Against Common Attacks

<%@page language="abap" forceEncode="html"%>
<% data: inputvalue type string.
inputvalue = request->get_form_field( 'x' ).
%>
</html>


. , ( ):

<%html=...%>: HTML <%url=...%>: URL URL <%javascript=...%>: JavaScript <%css=…%> : CSS <%raw=...%> ( , , , )

BSP

BSP HTMLB forceEncode <htmlb:content> ENABLED , ( ). ENABLED , , :<htmlb:content forceEncode="ENABLED|BACKWARDS_COMPATIBLE">

ENABLED: . , ; BACKWARDS_COMPATIBLE: . , .

, htmlb:content , . : CLASSIC, DESIGN2002, DESIGN2003, DESIGN2008, , (+). CLASSIC DESIGN2002 (, ) .

<htmlb:content forceEncode="ENABLED" design="DESIGN2003+DESIGN2008">


, design=CLASSIC. .

Mixed BSP- HTML HTMLB

forceEncode BSP page forceEncode HTMLB . , – HTMLB. , , HTML BSP,

Internet Transaction Server (ITS) HTML Business

Internet Transaction Server (ITS) HTML Business, :

xss_url_escape() xss_html_escape() xss_wml_escape() xss_css_escape() xss_js_escape()
HTML Business

, HTML-: , (`) , :
~auto_html_escaping=1: , ~new_xss_functions=1: XSS.
~html_escaping_off=1/0, .
, , SAP_BASIS:
ITS ( <= 6.40), Internet Service SE80. ITS ( >= 6.40), GUI SICF :

7.20, ~new_xss_functions, XSS- .

, , , . ~html_escaping_off=”X”, . , . SAP Security Note 1488500.

Business HTML (BHTML)

HTMLBusiness Template Library (, SAP_TemplateNonEditableField()) . , . SAP Security Note 916255.



, . , .



, XSS-:

http/security_session_timeout = 900; - , . icf/set_HTTPonly_flag_on_cookies = 0; HttpOnly , - , , . HTTPOnly, Logon tickets XSS-.

, RZ10, ( Profile) (, DEFAULT.PFL, SAP-). , , , Extended maintenance . , Copy.



, , - , - -, :
icm/HTTP/logging_0 icm/security_log ,

SAP NetWeaver J2EE

SAP NetWeaver J2EE



AS Java tc_sec_csi.jar. , HTML/XML, JavaScript, CSS URL. StringUtils (com.sap.security.core.server.csi.util.StringUtils):

. Securing SAP from XSS vulnerabilities
escapeScriptEndTag(String pStr) - , javascript ; escapeToHTML(String input) – (. 1) escapeToJS(String input) – JS declaration ( . 5) escapeToURL(String input) – , URL ( 3). , 'disableScriptSignatures'. escapeToURL(StringBuffer sb, String input, int maxLength) - , URL ( 3). , 'disableScriptSignatures'. escapeToURL(String input, int maxLength) - , URL (. 3). , 'disableScriptSignatures'. urlEncode(String s) – URLEncoder.encode

, .

1 ( )

[CASE1]

Username [CASE1]



2 ( , – URL)


Click here


3 ( - URL)




4 ( SCRIPT', – )



5 ( – declaration )



XSSEncoder.
- XSSEncoder ( : com.sap.security.core.server.csi.XSSEncoder).

:
HTML / XML out = XSSEncoder.encodeHTML( in ) and XSSEncoder.encodeXML( val ); JavaScript out = XSSEncoder.encodeJavaScript( val ); URL out = XSSEncoder.encodeURL( val ); CSS out = XSSEncoder.encodeCSS( val );

, . SAP Security Note 1590008.
WebDynpro Java
WebDynpro Java, XSS. .
SAP UI Development Kit for HTML5
SAP UI Development Kit HTML5, jQuery /_core/src/main/js/jquery.sap.encoder.js.
:
HTML / XML jQuery.sap.encodeHTML(sValue) and jQuery.sap.encodeXML(sValue) JavaScript jQuery.sap.encodeJS(sValue) URL jQuery.sap.encodeURL(sValue) CSS jQuery.sap.encodeCSS(sValue)
:

, :
Global_app_config/session_config/sessionTimeout = 900. - , . SystemCookiesDataProtection = true. HttpOnly , - , , . HTTPOnly, Logon tickets XSS-. ume.logon.httponlycookie= True. Logon tickets , Single Sign-On J2EE Engine. “True” , HTTP document.cookie ( XSS-) . SessionIPProtectionEnabled = True. , IP . True, HTTP- IP. IP, .


, , - XSS-, - -, .
LogCLF = TRUE http.properties logging CEF. ArchiveOldLogFiles = ON. Log Configurator . . , . , . . HttpTrace= Enable. HTTP- , ConfigTool. HTTP Provider Service, , HttpTrace.
SAP HANA XS

, XSS- – SAP HANA.


SAP HANA SAPUI5.
- SAPUI5 , . , int int, sap.ui.core . – , HTML:

, :
sessiontimeout = 900. - , . HttpOnly .



, , - XSS-, - -, .

HTTP (S) , SAP HANA, -. - HTTP (S) , icm/http/logging _ 0: global _ auditing _ state = true. global.ini, . , , XSS-. SAP HANA Administration Console –> Security HDB –> Auditing Status menu.



- , XSS. , , - SAP . XSS- – SAP. SAP XSS-. XSS SAP.

, ( chipik ) .


Logging additional information ABAP protection SAP Encoding Functions for AS ABAP Java protection SAP Encoding Functions for AS Java and JavaScript Prevention of Cross-site Scripting SAP HANA protection Protecting SAP® Applications Based on Java and ABAP™ Against Common Attacks

<%@page language="abap" forceEncode="html"%> <% data: inputvalue type string. inputvalue = request->get_form_field( 'x' ). %> </html> . , ( ): <%html=...%>: HTML <%url=...%>: URL URL <%javascript=...%>: JavaScript <%css=…%> : CSS <%raw=...%> ( , , , ) BSP BSP HTMLB forceEncode <htmlb:content> ENABLED , ( ). ENABLED , , :<htmlb:content forceEncode="ENABLED\|BACKWARDS_COMPATIBLE"> ENABLED: . , ; BACKWARDS_COMPATIBLE: . , . , htmlb:content , . : CLASSIC, DESIGN2002, DESIGN2003, DESIGN2008, , (+). CLASSIC DESIGN2002 (, ) . <htmlb:content forceEncode="ENABLED" design="DESIGN2003+DESIGN2008"> , design=CLASSIC. . Mixed BSP- HTML HTMLB forceEncode BSP page forceEncode HTMLB . , – HTMLB. , , HTML BSP, Internet Transaction Server (ITS) HTML Business Internet Transaction Server (ITS) HTML Business, : xss_url_escape() xss_html_escape() xss_wml_escape() xss_css_escape() xss_js_escape() HTML Business , HTML-: , (`) , : ~auto_html_escaping=1: , ~new_xss_functions=1: XSS. ~html_escaping_off=1/0, . , , SAP_BASIS: ITS ( <= 6.40), Internet Service SE80. ITS ( >= 6.40), GUI SICF : 7.20, ~new_xss_functions, XSS- . , , , . ~html_escaping_off=”X”, . , . SAP Security Note 1488500. Business HTML (BHTML) HTMLBusiness Template Library (, SAP_TemplateNonEditableField()) . , . SAP Security Note 916255. , . , . , XSS-: http/security_session_timeout = 900; - , . icf/set_HTTPonly_flag_on_cookies = 0; HttpOnly , - , , . HTTPOnly, Logon tickets XSS-. , RZ10, ( Profile) (, DEFAULT.PFL, SAP-). , , , Extended maintenance . , Copy. , , - , - -, : icm/HTTP/logging_0 icm/security_log , SAP NetWeaver J2EE SAP NetWeaver J2EE AS Java tc_sec_csi.jar. , HTML/XML, JavaScript, CSS URL. StringUtils (com.sap.security.core.server.csi.util.StringUtils): . Securing SAP from XSS vulnerabilities escapeScriptEndTag(String pStr) - , javascript ; escapeToHTML(String input) – (. 1) escapeToJS(String input) – JS declaration ( . 5) escapeToURL(String input) – , URL ( 3). , 'disableScriptSignatures'. escapeToURL(StringBuffer sb, String input, int maxLength) - , URL ( 3). , 'disableScriptSignatures'. escapeToURL(String input, int maxLength) - , URL (. 3). , 'disableScriptSignatures'. urlEncode(String s) – URLEncoder.encode , . 1 ( ) [CASE1] Username [CASE1] 2 ( , – URL) Click here 3 ( - URL) 4 ( SCRIPT', – ) 5 ( – declaration ) XSSEncoder. - XSSEncoder ( : com.sap.security.core.server.csi.XSSEncoder). : HTML / XML out = XSSEncoder.encodeHTML( in ) and XSSEncoder.encodeXML( val ); JavaScript out = XSSEncoder.encodeJavaScript( val ); URL out = XSSEncoder.encodeURL( val ); CSS out = XSSEncoder.encodeCSS( val ); , . SAP Security Note 1590008. WebDynpro Java WebDynpro Java, XSS. . SAP UI Development Kit for HTML5 SAP UI Development Kit HTML5, jQuery /_core/src/main/js/jquery.sap.encoder.js. : HTML / XML jQuery.sap.encodeHTML(sValue) and jQuery.sap.encodeXML(sValue) JavaScript jQuery.sap.encodeJS(sValue) URL jQuery.sap.encodeURL(sValue) CSS jQuery.sap.encodeCSS(sValue) : , : Global_app_config/session_config/sessionTimeout = 900. - , . SystemCookiesDataProtection = true. HttpOnly , - , , . HTTPOnly, Logon tickets XSS-. ume.logon.httponlycookie= True. Logon tickets , Single Sign-On J2EE Engine. “True” , HTTP document.cookie ( XSS-) . SessionIPProtectionEnabled = True. , IP . True, HTTP- IP. IP, . , , - XSS-, - -, . LogCLF = TRUE http.properties logging CEF. ArchiveOldLogFiles = ON. Log Configurator . . , . , . . HttpTrace= Enable. HTTP- , ConfigTool. HTTP Provider Service, , HttpTrace. SAP HANA XS , XSS- – SAP HANA. SAP HANA SAPUI5. - SAPUI5 , . , int int, sap.ui.core . – , HTML: , : sessiontimeout = 900. - , . HttpOnly . , , - XSS-, - -, . HTTP (S) , SAP HANA, -. - HTTP (S) , icm/http/logging _ 0: global _ auditing _ state = true. global.ini, . , , XSS-. SAP HANA Administration Console –> Security HDB –> Auditing Status menu. - , XSS. , , - SAP . XSS- – SAP. SAP XSS-. XSS SAP. , ( chipik ) . Logging additional information ABAP protection SAP Encoding Functions for AS ABAP Java protection SAP Encoding Functions for AS Java and JavaScript Prevention of Cross-site Scripting SAP HANA protection Protecting SAP® Applications Based on Java and ABAP™ Against Common Attacks	<%@page language="abap" forceEncode="html"%> <% data: inputvalue type string. inputvalue = request->get_form_field( 'x' ). %> </html> . , ( ): <%html=...%>: HTML <%url=...%>: URL URL <%javascript=...%>: JavaScript <%css=…%> : CSS <%raw=...%> ( , , , ) BSP BSP HTMLB forceEncode <htmlb:content> ENABLED , ( ). ENABLED , , :<htmlb:content forceEncode="ENABLED\|BACKWARDS_COMPATIBLE"> ENABLED: . , ; BACKWARDS_COMPATIBLE: . , . , htmlb:content , . : CLASSIC, DESIGN2002, DESIGN2003, DESIGN2008, , (+). CLASSIC DESIGN2002 (, ) . <htmlb:content forceEncode="ENABLED" design="DESIGN2003+DESIGN2008"> , design=CLASSIC. . Mixed BSP- HTML HTMLB forceEncode BSP page forceEncode HTMLB . , – HTMLB. , , HTML BSP, Internet Transaction Server (ITS) HTML Business Internet Transaction Server (ITS) HTML Business, : xss_url_escape() xss_html_escape() xss_wml_escape() xss_css_escape() xss_js_escape() HTML Business , HTML-: , (`) , : ~auto_html_escaping=1: , ~new_xss_functions=1: XSS. ~html_escaping_off=1/0, . , , SAP_BASIS: ITS ( <= 6.40), Internet Service SE80. ITS ( >= 6.40), GUI SICF : 7.20, ~new_xss_functions, XSS- . , , , . ~html_escaping_off=”X”, . , . SAP Security Note 1488500. Business HTML (BHTML) HTMLBusiness Template Library (, SAP_TemplateNonEditableField()) . , . SAP Security Note 916255. , . , . , XSS-: http/security_session_timeout = 900; - , . icf/set_HTTPonly_flag_on_cookies = 0; HttpOnly , - , , . HTTPOnly, Logon tickets XSS-. , RZ10, ( Profile) (, DEFAULT.PFL, SAP-). , , , Extended maintenance . , Copy. , , - , - -, : icm/HTTP/logging_0 icm/security_log , SAP NetWeaver J2EE SAP NetWeaver J2EE AS Java tc_sec_csi.jar. , HTML/XML, JavaScript, CSS URL. StringUtils (com.sap.security.core.server.csi.util.StringUtils): . Securing SAP from XSS vulnerabilities escapeScriptEndTag(String pStr) - , javascript ; escapeToHTML(String input) – (. 1) escapeToJS(String input) – JS declaration ( . 5) escapeToURL(String input) – , URL ( 3). , 'disableScriptSignatures'. escapeToURL(StringBuffer sb, String input, int maxLength) - , URL ( 3). , 'disableScriptSignatures'. escapeToURL(String input, int maxLength) - , URL (. 3). , 'disableScriptSignatures'. urlEncode(String s) – URLEncoder.encode , . 1 ( ) [CASE1] Username [CASE1] 2 ( , – URL) Click here 3 ( - URL) 4 ( SCRIPT', – ) 5 ( – declaration ) XSSEncoder. - XSSEncoder ( : com.sap.security.core.server.csi.XSSEncoder). : HTML / XML out = XSSEncoder.encodeHTML( in ) and XSSEncoder.encodeXML( val ); JavaScript out = XSSEncoder.encodeJavaScript( val ); URL out = XSSEncoder.encodeURL( val ); CSS out = XSSEncoder.encodeCSS( val ); , . SAP Security Note 1590008. WebDynpro Java WebDynpro Java, XSS. . SAP UI Development Kit for HTML5 SAP UI Development Kit HTML5, jQuery /_core/src/main/js/jquery.sap.encoder.js. : HTML / XML jQuery.sap.encodeHTML(sValue) and jQuery.sap.encodeXML(sValue) JavaScript jQuery.sap.encodeJS(sValue) URL jQuery.sap.encodeURL(sValue) CSS jQuery.sap.encodeCSS(sValue) : , : Global_app_config/session_config/sessionTimeout = 900. - , . SystemCookiesDataProtection = true. HttpOnly , - , , . HTTPOnly, Logon tickets XSS-. ume.logon.httponlycookie= True. Logon tickets , Single Sign-On J2EE Engine. “True” , HTTP document.cookie ( XSS-) . SessionIPProtectionEnabled = True. , IP . True, HTTP- IP. IP, . , , - XSS-, - -, . LogCLF = TRUE http.properties logging CEF. ArchiveOldLogFiles = ON. Log Configurator . . , . , . . HttpTrace= Enable. HTTP- , ConfigTool. HTTP Provider Service, , HttpTrace. SAP HANA XS , XSS- – SAP HANA. SAP HANA SAPUI5. - SAPUI5 , . , int int, sap.ui.core . – , HTML: , : sessiontimeout = 900. - , . HttpOnly . , , - XSS-, - -, . HTTP (S) , SAP HANA, -. - HTTP (S) , icm/http/logging _ 0: global _ auditing _ state = true. global.ini, . , , XSS-. SAP HANA Administration Console –> Security HDB –> Auditing Status menu. - , XSS. , , - SAP . XSS- – SAP. SAP XSS-. XSS SAP. , ( chipik ) . Logging additional information ABAP protection SAP Encoding Functions for AS ABAP Java protection SAP Encoding Functions for AS Java and JavaScript Prevention of Cross-site Scripting SAP HANA protection Protecting SAP® Applications Based on Java and ABAP™ Against Common Attacks
<%@page language="abap" forceEncode="html"%> <% data: inputvalue type string. inputvalue = request->get_form_field( 'x' ). %> </html> . , ( ): <%html=...%>: HTML <%url=...%>: URL URL <%javascript=...%>: JavaScript <%css=…%> : CSS <%raw=...%> ( , , , ) BSP BSP HTMLB forceEncode <htmlb:content> ENABLED , ( ). ENABLED , , :<htmlb:content forceEncode="ENABLED\|BACKWARDS_COMPATIBLE"> ENABLED: . , ; BACKWARDS_COMPATIBLE: . , . , htmlb:content , . : CLASSIC, DESIGN2002, DESIGN2003, DESIGN2008, , (+). CLASSIC DESIGN2002 (, ) . <htmlb:content forceEncode="ENABLED" design="DESIGN2003+DESIGN2008"> , design=CLASSIC. . Mixed BSP- HTML HTMLB forceEncode BSP page forceEncode HTMLB . , – HTMLB. , , HTML BSP, Internet Transaction Server (ITS) HTML Business Internet Transaction Server (ITS) HTML Business, : xss_url_escape() xss_html_escape() xss_wml_escape() xss_css_escape() xss_js_escape() HTML Business , HTML-: , (`) , : ~auto_html_escaping=1: , ~new_xss_functions=1: XSS. ~html_escaping_off=1/0, . , , SAP_BASIS: ITS ( <= 6.40), Internet Service SE80. ITS ( >= 6.40), GUI SICF : 7.20, ~new_xss_functions, XSS- . , , , . ~html_escaping_off=”X”, . , . SAP Security Note 1488500. Business HTML (BHTML) HTMLBusiness Template Library (, SAP_TemplateNonEditableField()) . , . SAP Security Note 916255. , . , . , XSS-: http/security_session_timeout = 900; - , . icf/set_HTTPonly_flag_on_cookies = 0; HttpOnly , - , , . HTTPOnly, Logon tickets XSS-. , RZ10, ( Profile) (, DEFAULT.PFL, SAP-). , , , Extended maintenance . , Copy. , , - , - -, : icm/HTTP/logging_0 icm/security_log , SAP NetWeaver J2EE SAP NetWeaver J2EE AS Java tc_sec_csi.jar. , HTML/XML, JavaScript, CSS URL. StringUtils (com.sap.security.core.server.csi.util.StringUtils): . Securing SAP from XSS vulnerabilities escapeScriptEndTag(String pStr) - , javascript ; escapeToHTML(String input) – (. 1) escapeToJS(String input) – JS declaration ( . 5) escapeToURL(String input) – , URL ( 3). , 'disableScriptSignatures'. escapeToURL(StringBuffer sb, String input, int maxLength) - , URL ( 3). , 'disableScriptSignatures'. escapeToURL(String input, int maxLength) - , URL (. 3). , 'disableScriptSignatures'. urlEncode(String s) – URLEncoder.encode , . 1 ( ) [CASE1] Username [CASE1] 2 ( , – URL) Click here 3 ( - URL) 4 ( SCRIPT', – ) 5 ( – declaration ) XSSEncoder. - XSSEncoder ( : com.sap.security.core.server.csi.XSSEncoder). : HTML / XML out = XSSEncoder.encodeHTML( in ) and XSSEncoder.encodeXML( val ); JavaScript out = XSSEncoder.encodeJavaScript( val ); URL out = XSSEncoder.encodeURL( val ); CSS out = XSSEncoder.encodeCSS( val ); , . SAP Security Note 1590008. WebDynpro Java WebDynpro Java, XSS. . SAP UI Development Kit for HTML5 SAP UI Development Kit HTML5, jQuery /_core/src/main/js/jquery.sap.encoder.js. : HTML / XML jQuery.sap.encodeHTML(sValue) and jQuery.sap.encodeXML(sValue) JavaScript jQuery.sap.encodeJS(sValue) URL jQuery.sap.encodeURL(sValue) CSS jQuery.sap.encodeCSS(sValue) : , : Global_app_config/session_config/sessionTimeout = 900. - , . SystemCookiesDataProtection = true. HttpOnly , - , , . HTTPOnly, Logon tickets XSS-. ume.logon.httponlycookie= True. Logon tickets , Single Sign-On J2EE Engine. “True” , HTTP document.cookie ( XSS-) . SessionIPProtectionEnabled = True. , IP . True, HTTP- IP. IP, . , , - XSS-, - -, . LogCLF = TRUE http.properties logging CEF. ArchiveOldLogFiles = ON. Log Configurator . . , . , . . HttpTrace= Enable. HTTP- , ConfigTool. HTTP Provider Service, , HttpTrace. SAP HANA XS , XSS- – SAP HANA. SAP HANA SAPUI5. - SAPUI5 , . , int int, sap.ui.core . – , HTML: , : sessiontimeout = 900. - , . HttpOnly . , , - XSS-, - -, . HTTP (S) , SAP HANA, -. - HTTP (S) , icm/http/logging _ 0: global _ auditing _ state = true. global.ini, . , , XSS-. SAP HANA Administration Console –> Security HDB –> Auditing Status menu. - , XSS. , , - SAP . XSS- – SAP. SAP XSS-. XSS SAP. , ( chipik ) . Logging additional information ABAP protection SAP Encoding Functions for AS ABAP Java protection SAP Encoding Functions for AS Java and JavaScript Prevention of Cross-site Scripting SAP HANA protection Protecting SAP® Applications Based on Java and ABAP™ Against Common Attacks	<%@page language="abap" forceEncode="html"%> <% data: inputvalue type string. inputvalue = request->get_form_field( 'x' ). %> </html> . , ( ): <%html=...%>: HTML <%url=...%>: URL URL <%javascript=...%>: JavaScript <%css=…%> : CSS <%raw=...%> ( , , , ) BSP BSP HTMLB forceEncode <htmlb:content> ENABLED , ( ). ENABLED , , :<htmlb:content forceEncode="ENABLED\|BACKWARDS_COMPATIBLE"> ENABLED: . , ; BACKWARDS_COMPATIBLE: . , . , htmlb:content , . : CLASSIC, DESIGN2002, DESIGN2003, DESIGN2008, , (+). CLASSIC DESIGN2002 (, ) . <htmlb:content forceEncode="ENABLED" design="DESIGN2003+DESIGN2008"> , design=CLASSIC. . Mixed BSP- HTML HTMLB forceEncode BSP page forceEncode HTMLB . , – HTMLB. , , HTML BSP, Internet Transaction Server (ITS) HTML Business Internet Transaction Server (ITS) HTML Business, : xss_url_escape() xss_html_escape() xss_wml_escape() xss_css_escape() xss_js_escape() HTML Business , HTML-: , (`) , : ~auto_html_escaping=1: , ~new_xss_functions=1: XSS. ~html_escaping_off=1/0, . , , SAP_BASIS: ITS ( <= 6.40), Internet Service SE80. ITS ( >= 6.40), GUI SICF : 7.20, ~new_xss_functions, XSS- . , , , . ~html_escaping_off=”X”, . , . SAP Security Note 1488500. Business HTML (BHTML) HTMLBusiness Template Library (, SAP_TemplateNonEditableField()) . , . SAP Security Note 916255. , . , . , XSS-: http/security_session_timeout = 900; - , . icf/set_HTTPonly_flag_on_cookies = 0; HttpOnly , - , , . HTTPOnly, Logon tickets XSS-. , RZ10, ( Profile) (, DEFAULT.PFL, SAP-). , , , Extended maintenance . , Copy. , , - , - -, : icm/HTTP/logging_0 icm/security_log , SAP NetWeaver J2EE SAP NetWeaver J2EE AS Java tc_sec_csi.jar. , HTML/XML, JavaScript, CSS URL. StringUtils (com.sap.security.core.server.csi.util.StringUtils): . Securing SAP from XSS vulnerabilities escapeScriptEndTag(String pStr) - , javascript ; escapeToHTML(String input) – (. 1) escapeToJS(String input) – JS declaration ( . 5) escapeToURL(String input) – , URL ( 3). , 'disableScriptSignatures'. escapeToURL(StringBuffer sb, String input, int maxLength) - , URL ( 3). , 'disableScriptSignatures'. escapeToURL(String input, int maxLength) - , URL (. 3). , 'disableScriptSignatures'. urlEncode(String s) – URLEncoder.encode , . 1 ( ) [CASE1] Username [CASE1] 2 ( , – URL) Click here 3 ( - URL) 4 ( SCRIPT', – ) 5 ( – declaration ) XSSEncoder. - XSSEncoder ( : com.sap.security.core.server.csi.XSSEncoder). : HTML / XML out = XSSEncoder.encodeHTML( in ) and XSSEncoder.encodeXML( val ); JavaScript out = XSSEncoder.encodeJavaScript( val ); URL out = XSSEncoder.encodeURL( val ); CSS out = XSSEncoder.encodeCSS( val ); , . SAP Security Note 1590008. WebDynpro Java WebDynpro Java, XSS. . SAP UI Development Kit for HTML5 SAP UI Development Kit HTML5, jQuery /_core/src/main/js/jquery.sap.encoder.js. : HTML / XML jQuery.sap.encodeHTML(sValue) and jQuery.sap.encodeXML(sValue) JavaScript jQuery.sap.encodeJS(sValue) URL jQuery.sap.encodeURL(sValue) CSS jQuery.sap.encodeCSS(sValue) : , : Global_app_config/session_config/sessionTimeout = 900. - , . SystemCookiesDataProtection = true. HttpOnly , - , , . HTTPOnly, Logon tickets XSS-. ume.logon.httponlycookie= True. Logon tickets , Single Sign-On J2EE Engine. “True” , HTTP document.cookie ( XSS-) . SessionIPProtectionEnabled = True. , IP . True, HTTP- IP. IP, . , , - XSS-, - -, . LogCLF = TRUE http.properties logging CEF. ArchiveOldLogFiles = ON. Log Configurator . . , . , . . HttpTrace= Enable. HTTP- , ConfigTool. HTTP Provider Service, , HttpTrace. SAP HANA XS , XSS- – SAP HANA. SAP HANA SAPUI5. - SAPUI5 , . , int int, sap.ui.core . – , HTML: , : sessiontimeout = 900. - , . HttpOnly . , , - XSS-, - -, . HTTP (S) , SAP HANA, -. - HTTP (S) , icm/http/logging _ 0: global _ auditing _ state = true. global.ini, . , , XSS-. SAP HANA Administration Console –> Security HDB –> Auditing Status menu. - , XSS. , , - SAP . XSS- – SAP. SAP XSS-. XSS SAP. , ( chipik ) . Logging additional information ABAP protection SAP Encoding Functions for AS ABAP Java protection SAP Encoding Functions for AS Java and JavaScript Prevention of Cross-site Scripting SAP HANA protection Protecting SAP® Applications Based on Java and ABAP™ Against Common Attacks
<%@page language="abap" forceEncode="html"%> <% data: inputvalue type string. inputvalue = request->get_form_field( 'x' ). %> </html> . , ( ): <%html=...%>: HTML <%url=...%>: URL URL <%javascript=...%>: JavaScript <%css=…%> : CSS <%raw=...%> ( , , , ) BSP BSP HTMLB forceEncode <htmlb:content> ENABLED , ( ). ENABLED , , :<htmlb:content forceEncode="ENABLED\|BACKWARDS_COMPATIBLE"> ENABLED: . , ; BACKWARDS_COMPATIBLE: . , . , htmlb:content , . : CLASSIC, DESIGN2002, DESIGN2003, DESIGN2008, , (+). CLASSIC DESIGN2002 (, ) . <htmlb:content forceEncode="ENABLED" design="DESIGN2003+DESIGN2008"> , design=CLASSIC. . Mixed BSP- HTML HTMLB forceEncode BSP page forceEncode HTMLB . , – HTMLB. , , HTML BSP, Internet Transaction Server (ITS) HTML Business Internet Transaction Server (ITS) HTML Business, : xss_url_escape() xss_html_escape() xss_wml_escape() xss_css_escape() xss_js_escape() HTML Business , HTML-: , (`) , : ~auto_html_escaping=1: , ~new_xss_functions=1: XSS. ~html_escaping_off=1/0, . , , SAP_BASIS: ITS ( <= 6.40), Internet Service SE80. ITS ( >= 6.40), GUI SICF : 7.20, ~new_xss_functions, XSS- . , , , . ~html_escaping_off=”X”, . , . SAP Security Note 1488500. Business HTML (BHTML) HTMLBusiness Template Library (, SAP_TemplateNonEditableField()) . , . SAP Security Note 916255. , . , . , XSS-: http/security_session_timeout = 900; - , . icf/set_HTTPonly_flag_on_cookies = 0; HttpOnly , - , , . HTTPOnly, Logon tickets XSS-. , RZ10, ( Profile) (, DEFAULT.PFL, SAP-). , , , Extended maintenance . , Copy. , , - , - -, : icm/HTTP/logging_0 icm/security_log , SAP NetWeaver J2EE SAP NetWeaver J2EE AS Java tc_sec_csi.jar. , HTML/XML, JavaScript, CSS URL. StringUtils (com.sap.security.core.server.csi.util.StringUtils): . Securing SAP from XSS vulnerabilities escapeScriptEndTag(String pStr) - , javascript ; escapeToHTML(String input) – (. 1) escapeToJS(String input) – JS declaration ( . 5) escapeToURL(String input) – , URL ( 3). , 'disableScriptSignatures'. escapeToURL(StringBuffer sb, String input, int maxLength) - , URL ( 3). , 'disableScriptSignatures'. escapeToURL(String input, int maxLength) - , URL (. 3). , 'disableScriptSignatures'. urlEncode(String s) – URLEncoder.encode , . 1 ( ) [CASE1] Username [CASE1] 2 ( , – URL) Click here 3 ( - URL) 4 ( SCRIPT', – ) 5 ( – declaration ) XSSEncoder. - XSSEncoder ( : com.sap.security.core.server.csi.XSSEncoder). : HTML / XML out = XSSEncoder.encodeHTML( in ) and XSSEncoder.encodeXML( val ); JavaScript out = XSSEncoder.encodeJavaScript( val ); URL out = XSSEncoder.encodeURL( val ); CSS out = XSSEncoder.encodeCSS( val ); , . SAP Security Note 1590008. WebDynpro Java WebDynpro Java, XSS. . SAP UI Development Kit for HTML5 SAP UI Development Kit HTML5, jQuery /_core/src/main/js/jquery.sap.encoder.js. : HTML / XML jQuery.sap.encodeHTML(sValue) and jQuery.sap.encodeXML(sValue) JavaScript jQuery.sap.encodeJS(sValue) URL jQuery.sap.encodeURL(sValue) CSS jQuery.sap.encodeCSS(sValue) : , : Global_app_config/session_config/sessionTimeout = 900. - , . SystemCookiesDataProtection = true. HttpOnly , - , , . HTTPOnly, Logon tickets XSS-. ume.logon.httponlycookie= True. Logon tickets , Single Sign-On J2EE Engine. “True” , HTTP document.cookie ( XSS-) . SessionIPProtectionEnabled = True. , IP . True, HTTP- IP. IP, . , , - XSS-, - -, . LogCLF = TRUE http.properties logging CEF. ArchiveOldLogFiles = ON. Log Configurator . . , . , . . HttpTrace= Enable. HTTP- , ConfigTool. HTTP Provider Service, , HttpTrace. SAP HANA XS , XSS- – SAP HANA. SAP HANA SAPUI5. - SAPUI5 , . , int int, sap.ui.core . – , HTML: , : sessiontimeout = 900. - , . HttpOnly . , , - XSS-, - -, . HTTP (S) , SAP HANA, -. - HTTP (S) , icm/http/logging _ 0: global _ auditing _ state = true. global.ini, . , , XSS-. SAP HANA Administration Console –> Security HDB –> Auditing Status menu. - , XSS. , , - SAP . XSS- – SAP. SAP XSS-. XSS SAP. , ( chipik ) . Logging additional information ABAP protection SAP Encoding Functions for AS ABAP Java protection SAP Encoding Functions for AS Java and JavaScript Prevention of Cross-site Scripting SAP HANA protection Protecting SAP® Applications Based on Java and ABAP™ Against Common Attacks	<%@page language="abap" forceEncode="html"%> <% data: inputvalue type string. inputvalue = request->get_form_field( 'x' ). %> </html> . , ( ): <%html=...%>: HTML <%url=...%>: URL URL <%javascript=...%>: JavaScript <%css=…%> : CSS <%raw=...%> ( , , , ) BSP BSP HTMLB forceEncode <htmlb:content> ENABLED , ( ). ENABLED , , :<htmlb:content forceEncode="ENABLED\|BACKWARDS_COMPATIBLE"> ENABLED: . , ; BACKWARDS_COMPATIBLE: . , . , htmlb:content , . : CLASSIC, DESIGN2002, DESIGN2003, DESIGN2008, , (+). CLASSIC DESIGN2002 (, ) . <htmlb:content forceEncode="ENABLED" design="DESIGN2003+DESIGN2008"> , design=CLASSIC. . Mixed BSP- HTML HTMLB forceEncode BSP page forceEncode HTMLB . , – HTMLB. , , HTML BSP, Internet Transaction Server (ITS) HTML Business Internet Transaction Server (ITS) HTML Business, : xss_url_escape() xss_html_escape() xss_wml_escape() xss_css_escape() xss_js_escape() HTML Business , HTML-: , (`) , : ~auto_html_escaping=1: , ~new_xss_functions=1: XSS. ~html_escaping_off=1/0, . , , SAP_BASIS: ITS ( <= 6.40), Internet Service SE80. ITS ( >= 6.40), GUI SICF : 7.20, ~new_xss_functions, XSS- . , , , . ~html_escaping_off=”X”, . , . SAP Security Note 1488500. Business HTML (BHTML) HTMLBusiness Template Library (, SAP_TemplateNonEditableField()) . , . SAP Security Note 916255. , . , . , XSS-: http/security_session_timeout = 900; - , . icf/set_HTTPonly_flag_on_cookies = 0; HttpOnly , - , , . HTTPOnly, Logon tickets XSS-. , RZ10, ( Profile) (, DEFAULT.PFL, SAP-). , , , Extended maintenance . , Copy. , , - , - -, : icm/HTTP/logging_0 icm/security_log , SAP NetWeaver J2EE SAP NetWeaver J2EE AS Java tc_sec_csi.jar. , HTML/XML, JavaScript, CSS URL. StringUtils (com.sap.security.core.server.csi.util.StringUtils): . Securing SAP from XSS vulnerabilities escapeScriptEndTag(String pStr) - , javascript ; escapeToHTML(String input) – (. 1) escapeToJS(String input) – JS declaration ( . 5) escapeToURL(String input) – , URL ( 3). , 'disableScriptSignatures'. escapeToURL(StringBuffer sb, String input, int maxLength) - , URL ( 3). , 'disableScriptSignatures'. escapeToURL(String input, int maxLength) - , URL (. 3). , 'disableScriptSignatures'. urlEncode(String s) – URLEncoder.encode , . 1 ( ) [CASE1] Username [CASE1] 2 ( , – URL) Click here 3 ( - URL) 4 ( SCRIPT', – ) 5 ( – declaration ) XSSEncoder. - XSSEncoder ( : com.sap.security.core.server.csi.XSSEncoder). : HTML / XML out = XSSEncoder.encodeHTML( in ) and XSSEncoder.encodeXML( val ); JavaScript out = XSSEncoder.encodeJavaScript( val ); URL out = XSSEncoder.encodeURL( val ); CSS out = XSSEncoder.encodeCSS( val ); , . SAP Security Note 1590008. WebDynpro Java WebDynpro Java, XSS. . SAP UI Development Kit for HTML5 SAP UI Development Kit HTML5, jQuery /_core/src/main/js/jquery.sap.encoder.js. : HTML / XML jQuery.sap.encodeHTML(sValue) and jQuery.sap.encodeXML(sValue) JavaScript jQuery.sap.encodeJS(sValue) URL jQuery.sap.encodeURL(sValue) CSS jQuery.sap.encodeCSS(sValue) : , : Global_app_config/session_config/sessionTimeout = 900. - , . SystemCookiesDataProtection = true. HttpOnly , - , , . HTTPOnly, Logon tickets XSS-. ume.logon.httponlycookie= True. Logon tickets , Single Sign-On J2EE Engine. “True” , HTTP document.cookie ( XSS-) . SessionIPProtectionEnabled = True. , IP . True, HTTP- IP. IP, . , , - XSS-, - -, . LogCLF = TRUE http.properties logging CEF. ArchiveOldLogFiles = ON. Log Configurator . . , . , . . HttpTrace= Enable. HTTP- , ConfigTool. HTTP Provider Service, , HttpTrace. SAP HANA XS , XSS- – SAP HANA. SAP HANA SAPUI5. - SAPUI5 , . , int int, sap.ui.core . – , HTML: , : sessiontimeout = 900. - , . HttpOnly . , , - XSS-, - -, . HTTP (S) , SAP HANA, -. - HTTP (S) , icm/http/logging _ 0: global _ auditing _ state = true. global.ini, . , , XSS-. SAP HANA Administration Console –> Security HDB –> Auditing Status menu. - , XSS. , , - SAP . XSS- – SAP. SAP XSS-. XSS SAP. , ( chipik ) . Logging additional information ABAP protection SAP Encoding Functions for AS ABAP Java protection SAP Encoding Functions for AS Java and JavaScript Prevention of Cross-site Scripting SAP HANA protection Protecting SAP® Applications Based on Java and ABAP™ Against Common Attacks
<%@page language="abap" forceEncode="html"%> <% data: inputvalue type string. inputvalue = request->get_form_field( 'x' ). %> </html> . , ( ): <%html=...%>: HTML <%url=...%>: URL URL <%javascript=...%>: JavaScript <%css=…%> : CSS <%raw=...%> ( , , , ) BSP BSP HTMLB forceEncode <htmlb:content> ENABLED , ( ). ENABLED , , :<htmlb:content forceEncode="ENABLED\|BACKWARDS_COMPATIBLE"> ENABLED: . , ; BACKWARDS_COMPATIBLE: . , . , htmlb:content , . : CLASSIC, DESIGN2002, DESIGN2003, DESIGN2008, , (+). CLASSIC DESIGN2002 (, ) . <htmlb:content forceEncode="ENABLED" design="DESIGN2003+DESIGN2008"> , design=CLASSIC. . Mixed BSP- HTML HTMLB forceEncode BSP page forceEncode HTMLB . , – HTMLB. , , HTML BSP, Internet Transaction Server (ITS) HTML Business Internet Transaction Server (ITS) HTML Business, : xss_url_escape() xss_html_escape() xss_wml_escape() xss_css_escape() xss_js_escape() HTML Business , HTML-: , (`) , : ~auto_html_escaping=1: , ~new_xss_functions=1: XSS. ~html_escaping_off=1/0, . , , SAP_BASIS: ITS ( <= 6.40), Internet Service SE80. ITS ( >= 6.40), GUI SICF : 7.20, ~new_xss_functions, XSS- . , , , . ~html_escaping_off=”X”, . , . SAP Security Note 1488500. Business HTML (BHTML) HTMLBusiness Template Library (, SAP_TemplateNonEditableField()) . , . SAP Security Note 916255. , . , . , XSS-: http/security_session_timeout = 900; - , . icf/set_HTTPonly_flag_on_cookies = 0; HttpOnly , - , , . HTTPOnly, Logon tickets XSS-. , RZ10, ( Profile) (, DEFAULT.PFL, SAP-). , , , Extended maintenance . , Copy. , , - , - -, : icm/HTTP/logging_0 icm/security_log , SAP NetWeaver J2EE SAP NetWeaver J2EE AS Java tc_sec_csi.jar. , HTML/XML, JavaScript, CSS URL. StringUtils (com.sap.security.core.server.csi.util.StringUtils): . Securing SAP from XSS vulnerabilities escapeScriptEndTag(String pStr) - , javascript ; escapeToHTML(String input) – (. 1) escapeToJS(String input) – JS declaration ( . 5) escapeToURL(String input) – , URL ( 3). , 'disableScriptSignatures'. escapeToURL(StringBuffer sb, String input, int maxLength) - , URL ( 3). , 'disableScriptSignatures'. escapeToURL(String input, int maxLength) - , URL (. 3). , 'disableScriptSignatures'. urlEncode(String s) – URLEncoder.encode , . 1 ( ) [CASE1] Username [CASE1] 2 ( , – URL) Click here 3 ( - URL) 4 ( SCRIPT', – ) 5 ( – declaration ) XSSEncoder. - XSSEncoder ( : com.sap.security.core.server.csi.XSSEncoder). : HTML / XML out = XSSEncoder.encodeHTML( in ) and XSSEncoder.encodeXML( val ); JavaScript out = XSSEncoder.encodeJavaScript( val ); URL out = XSSEncoder.encodeURL( val ); CSS out = XSSEncoder.encodeCSS( val ); , . SAP Security Note 1590008. WebDynpro Java WebDynpro Java, XSS. . SAP UI Development Kit for HTML5 SAP UI Development Kit HTML5, jQuery /_core/src/main/js/jquery.sap.encoder.js. : HTML / XML jQuery.sap.encodeHTML(sValue) and jQuery.sap.encodeXML(sValue) JavaScript jQuery.sap.encodeJS(sValue) URL jQuery.sap.encodeURL(sValue) CSS jQuery.sap.encodeCSS(sValue) : , : Global_app_config/session_config/sessionTimeout = 900. - , . SystemCookiesDataProtection = true. HttpOnly , - , , . HTTPOnly, Logon tickets XSS-. ume.logon.httponlycookie= True. Logon tickets , Single Sign-On J2EE Engine. “True” , HTTP document.cookie ( XSS-) . SessionIPProtectionEnabled = True. , IP . True, HTTP- IP. IP, . , , - XSS-, - -, . LogCLF = TRUE http.properties logging CEF. ArchiveOldLogFiles = ON. Log Configurator . . , . , . . HttpTrace= Enable. HTTP- , ConfigTool. HTTP Provider Service, , HttpTrace. SAP HANA XS , XSS- – SAP HANA. SAP HANA SAPUI5. - SAPUI5 , . , int int, sap.ui.core . – , HTML: , : sessiontimeout = 900. - , . HttpOnly . , , - XSS-, - -, . HTTP (S) , SAP HANA, -. - HTTP (S) , icm/http/logging _ 0: global _ auditing _ state = true. global.ini, . , , XSS-. SAP HANA Administration Console –> Security HDB –> Auditing Status menu. - , XSS. , , - SAP . XSS- – SAP. SAP XSS-. XSS SAP. , ( chipik ) . Logging additional information ABAP protection SAP Encoding Functions for AS ABAP Java protection SAP Encoding Functions for AS Java and JavaScript Prevention of Cross-site Scripting SAP HANA protection Protecting SAP® Applications Based on Java and ABAP™ Against Common Attacks	<%@page language="abap" forceEncode="html"%> <% data: inputvalue type string. inputvalue = request->get_form_field( 'x' ). %> </html> . , ( ): <%html=...%>: HTML <%url=...%>: URL URL <%javascript=...%>: JavaScript <%css=…%> : CSS <%raw=...%> ( , , , ) BSP BSP HTMLB forceEncode <htmlb:content> ENABLED , ( ). ENABLED , , :<htmlb:content forceEncode="ENABLED\|BACKWARDS_COMPATIBLE"> ENABLED: . , ; BACKWARDS_COMPATIBLE: . , . , htmlb:content , . : CLASSIC, DESIGN2002, DESIGN2003, DESIGN2008, , (+). CLASSIC DESIGN2002 (, ) . <htmlb:content forceEncode="ENABLED" design="DESIGN2003+DESIGN2008"> , design=CLASSIC. . Mixed BSP- HTML HTMLB forceEncode BSP page forceEncode HTMLB . , – HTMLB. , , HTML BSP, Internet Transaction Server (ITS) HTML Business Internet Transaction Server (ITS) HTML Business, : xss_url_escape() xss_html_escape() xss_wml_escape() xss_css_escape() xss_js_escape() HTML Business , HTML-: , (`) , : ~auto_html_escaping=1: , ~new_xss_functions=1: XSS. ~html_escaping_off=1/0, . , , SAP_BASIS: ITS ( <= 6.40), Internet Service SE80. ITS ( >= 6.40), GUI SICF : 7.20, ~new_xss_functions, XSS- . , , , . ~html_escaping_off=”X”, . , . SAP Security Note 1488500. Business HTML (BHTML) HTMLBusiness Template Library (, SAP_TemplateNonEditableField()) . , . SAP Security Note 916255. , . , . , XSS-: http/security_session_timeout = 900; - , . icf/set_HTTPonly_flag_on_cookies = 0; HttpOnly , - , , . HTTPOnly, Logon tickets XSS-. , RZ10, ( Profile) (, DEFAULT.PFL, SAP-). , , , Extended maintenance . , Copy. , , - , - -, : icm/HTTP/logging_0 icm/security_log , SAP NetWeaver J2EE SAP NetWeaver J2EE AS Java tc_sec_csi.jar. , HTML/XML, JavaScript, CSS URL. StringUtils (com.sap.security.core.server.csi.util.StringUtils): . Securing SAP from XSS vulnerabilities escapeScriptEndTag(String pStr) - , javascript ; escapeToHTML(String input) – (. 1) escapeToJS(String input) – JS declaration ( . 5) escapeToURL(String input) – , URL ( 3). , 'disableScriptSignatures'. escapeToURL(StringBuffer sb, String input, int maxLength) - , URL ( 3). , 'disableScriptSignatures'. escapeToURL(String input, int maxLength) - , URL (. 3). , 'disableScriptSignatures'. urlEncode(String s) – URLEncoder.encode , . 1 ( ) [CASE1] Username [CASE1] 2 ( , – URL) Click here 3 ( - URL) 4 ( SCRIPT', – ) 5 ( – declaration ) XSSEncoder. - XSSEncoder ( : com.sap.security.core.server.csi.XSSEncoder). : HTML / XML out = XSSEncoder.encodeHTML( in ) and XSSEncoder.encodeXML( val ); JavaScript out = XSSEncoder.encodeJavaScript( val ); URL out = XSSEncoder.encodeURL( val ); CSS out = XSSEncoder.encodeCSS( val ); , . SAP Security Note 1590008. WebDynpro Java WebDynpro Java, XSS. . SAP UI Development Kit for HTML5 SAP UI Development Kit HTML5, jQuery /_core/src/main/js/jquery.sap.encoder.js. : HTML / XML jQuery.sap.encodeHTML(sValue) and jQuery.sap.encodeXML(sValue) JavaScript jQuery.sap.encodeJS(sValue) URL jQuery.sap.encodeURL(sValue) CSS jQuery.sap.encodeCSS(sValue) : , : Global_app_config/session_config/sessionTimeout = 900. - , . SystemCookiesDataProtection = true. HttpOnly , - , , . HTTPOnly, Logon tickets XSS-. ume.logon.httponlycookie= True. Logon tickets , Single Sign-On J2EE Engine. “True” , HTTP document.cookie ( XSS-) . SessionIPProtectionEnabled = True. , IP . True, HTTP- IP. IP, . , , - XSS-, - -, . LogCLF = TRUE http.properties logging CEF. ArchiveOldLogFiles = ON. Log Configurator . . , . , . . HttpTrace= Enable. HTTP- , ConfigTool. HTTP Provider Service, , HttpTrace. SAP HANA XS , XSS- – SAP HANA. SAP HANA SAPUI5. - SAPUI5 , . , int int, sap.ui.core . – , HTML: , : sessiontimeout = 900. - , . HttpOnly . , , - XSS-, - -, . HTTP (S) , SAP HANA, -. - HTTP (S) , icm/http/logging _ 0: global _ auditing _ state = true. global.ini, . , , XSS-. SAP HANA Administration Console –> Security HDB –> Auditing Status menu. - , XSS. , , - SAP . XSS- – SAP. SAP XSS-. XSS SAP. , ( chipik ) . Logging additional information ABAP protection SAP Encoding Functions for AS ABAP Java protection SAP Encoding Functions for AS Java and JavaScript Prevention of Cross-site Scripting SAP HANA protection Protecting SAP® Applications Based on Java and ABAP™ Against Common Attacks
<%@page language="abap" forceEncode="html"%> <% data: inputvalue type string. inputvalue = request->get_form_field( 'x' ). %> </html> . , ( ): <%html=...%>: HTML <%url=...%>: URL URL <%javascript=...%>: JavaScript <%css=…%> : CSS <%raw=...%> ( , , , ) BSP BSP HTMLB forceEncode <htmlb:content> ENABLED , ( ). ENABLED , , :<htmlb:content forceEncode="ENABLED\|BACKWARDS_COMPATIBLE"> ENABLED: . , ; BACKWARDS_COMPATIBLE: . , . , htmlb:content , . : CLASSIC, DESIGN2002, DESIGN2003, DESIGN2008, , (+). CLASSIC DESIGN2002 (, ) . <htmlb:content forceEncode="ENABLED" design="DESIGN2003+DESIGN2008"> , design=CLASSIC. . Mixed BSP- HTML HTMLB forceEncode BSP page forceEncode HTMLB . , – HTMLB. , , HTML BSP, Internet Transaction Server (ITS) HTML Business Internet Transaction Server (ITS) HTML Business, : xss_url_escape() xss_html_escape() xss_wml_escape() xss_css_escape() xss_js_escape() HTML Business , HTML-: , (`) , : ~auto_html_escaping=1: , ~new_xss_functions=1: XSS. ~html_escaping_off=1/0, . , , SAP_BASIS: ITS ( <= 6.40), Internet Service SE80. ITS ( >= 6.40), GUI SICF : 7.20, ~new_xss_functions, XSS- . , , , . ~html_escaping_off=”X”, . , . SAP Security Note 1488500. Business HTML (BHTML) HTMLBusiness Template Library (, SAP_TemplateNonEditableField()) . , . SAP Security Note 916255. , . , . , XSS-: http/security_session_timeout = 900; - , . icf/set_HTTPonly_flag_on_cookies = 0; HttpOnly , - , , . HTTPOnly, Logon tickets XSS-. , RZ10, ( Profile) (, DEFAULT.PFL, SAP-). , , , Extended maintenance . , Copy. , , - , - -, : icm/HTTP/logging_0 icm/security_log , SAP NetWeaver J2EE SAP NetWeaver J2EE AS Java tc_sec_csi.jar. , HTML/XML, JavaScript, CSS URL. StringUtils (com.sap.security.core.server.csi.util.StringUtils): . Securing SAP from XSS vulnerabilities escapeScriptEndTag(String pStr) - , javascript ; escapeToHTML(String input) – (. 1) escapeToJS(String input) – JS declaration ( . 5) escapeToURL(String input) – , URL ( 3). , 'disableScriptSignatures'. escapeToURL(StringBuffer sb, String input, int maxLength) - , URL ( 3). , 'disableScriptSignatures'. escapeToURL(String input, int maxLength) - , URL (. 3). , 'disableScriptSignatures'. urlEncode(String s) – URLEncoder.encode , . 1 ( ) [CASE1] Username [CASE1] 2 ( , – URL) Click here 3 ( - URL) 4 ( SCRIPT', – ) 5 ( – declaration ) XSSEncoder. - XSSEncoder ( : com.sap.security.core.server.csi.XSSEncoder). : HTML / XML out = XSSEncoder.encodeHTML( in ) and XSSEncoder.encodeXML( val ); JavaScript out = XSSEncoder.encodeJavaScript( val ); URL out = XSSEncoder.encodeURL( val ); CSS out = XSSEncoder.encodeCSS( val ); , . SAP Security Note 1590008. WebDynpro Java WebDynpro Java, XSS. . SAP UI Development Kit for HTML5 SAP UI Development Kit HTML5, jQuery /_core/src/main/js/jquery.sap.encoder.js. : HTML / XML jQuery.sap.encodeHTML(sValue) and jQuery.sap.encodeXML(sValue) JavaScript jQuery.sap.encodeJS(sValue) URL jQuery.sap.encodeURL(sValue) CSS jQuery.sap.encodeCSS(sValue) : , : Global_app_config/session_config/sessionTimeout = 900. - , . SystemCookiesDataProtection = true. HttpOnly , - , , . HTTPOnly, Logon tickets XSS-. ume.logon.httponlycookie= True. Logon tickets , Single Sign-On J2EE Engine. “True” , HTTP document.cookie ( XSS-) . SessionIPProtectionEnabled = True. , IP . True, HTTP- IP. IP, . , , - XSS-, - -, . LogCLF = TRUE http.properties logging CEF. ArchiveOldLogFiles = ON. Log Configurator . . , . , . . HttpTrace= Enable. HTTP- , ConfigTool. HTTP Provider Service, , HttpTrace. SAP HANA XS , XSS- – SAP HANA. SAP HANA SAPUI5. - SAPUI5 , . , int int, sap.ui.core . – , HTML: , : sessiontimeout = 900. - , . HttpOnly . , , - XSS-, - -, . HTTP (S) , SAP HANA, -. - HTTP (S) , icm/http/logging _ 0: global _ auditing _ state = true. global.ini, . , , XSS-. SAP HANA Administration Console –> Security HDB –> Auditing Status menu. - , XSS. , , - SAP . XSS- – SAP. SAP XSS-. XSS SAP. , ( chipik ) . Logging additional information ABAP protection SAP Encoding Functions for AS ABAP Java protection SAP Encoding Functions for AS Java and JavaScript Prevention of Cross-site Scripting SAP HANA protection Protecting SAP® Applications Based on Java and ABAP™ Against Common Attacks	<%@page language="abap" forceEncode="html"%> <% data: inputvalue type string. inputvalue = request->get_form_field( 'x' ). %> </html> . , ( ): <%html=...%>: HTML <%url=...%>: URL URL <%javascript=...%>: JavaScript <%css=…%> : CSS <%raw=...%> ( , , , ) BSP BSP HTMLB forceEncode <htmlb:content> ENABLED , ( ). ENABLED , , :<htmlb:content forceEncode="ENABLED\|BACKWARDS_COMPATIBLE"> ENABLED: . , ; BACKWARDS_COMPATIBLE: . , . , htmlb:content , . : CLASSIC, DESIGN2002, DESIGN2003, DESIGN2008, , (+). CLASSIC DESIGN2002 (, ) . <htmlb:content forceEncode="ENABLED" design="DESIGN2003+DESIGN2008"> , design=CLASSIC. . Mixed BSP- HTML HTMLB forceEncode BSP page forceEncode HTMLB . , – HTMLB. , , HTML BSP, Internet Transaction Server (ITS) HTML Business Internet Transaction Server (ITS) HTML Business, : xss_url_escape() xss_html_escape() xss_wml_escape() xss_css_escape() xss_js_escape() HTML Business , HTML-: , (`) , : ~auto_html_escaping=1: , ~new_xss_functions=1: XSS. ~html_escaping_off=1/0, . , , SAP_BASIS: ITS ( <= 6.40), Internet Service SE80. ITS ( >= 6.40), GUI SICF : 7.20, ~new_xss_functions, XSS- . , , , . ~html_escaping_off=”X”, . , . SAP Security Note 1488500. Business HTML (BHTML) HTMLBusiness Template Library (, SAP_TemplateNonEditableField()) . , . SAP Security Note 916255. , . , . , XSS-: http/security_session_timeout = 900; - , . icf/set_HTTPonly_flag_on_cookies = 0; HttpOnly , - , , . HTTPOnly, Logon tickets XSS-. , RZ10, ( Profile) (, DEFAULT.PFL, SAP-). , , , Extended maintenance . , Copy. , , - , - -, : icm/HTTP/logging_0 icm/security_log , SAP NetWeaver J2EE SAP NetWeaver J2EE AS Java tc_sec_csi.jar. , HTML/XML, JavaScript, CSS URL. StringUtils (com.sap.security.core.server.csi.util.StringUtils): . Securing SAP from XSS vulnerabilities escapeScriptEndTag(String pStr) - , javascript ; escapeToHTML(String input) – (. 1) escapeToJS(String input) – JS declaration ( . 5) escapeToURL(String input) – , URL ( 3). , 'disableScriptSignatures'. escapeToURL(StringBuffer sb, String input, int maxLength) - , URL ( 3). , 'disableScriptSignatures'. escapeToURL(String input, int maxLength) - , URL (. 3). , 'disableScriptSignatures'. urlEncode(String s) – URLEncoder.encode , . 1 ( ) [CASE1] Username [CASE1] 2 ( , – URL) Click here 3 ( - URL) 4 ( SCRIPT', – ) 5 ( – declaration ) XSSEncoder. - XSSEncoder ( : com.sap.security.core.server.csi.XSSEncoder). : HTML / XML out = XSSEncoder.encodeHTML( in ) and XSSEncoder.encodeXML( val ); JavaScript out = XSSEncoder.encodeJavaScript( val ); URL out = XSSEncoder.encodeURL( val ); CSS out = XSSEncoder.encodeCSS( val ); , . SAP Security Note 1590008. WebDynpro Java WebDynpro Java, XSS. . SAP UI Development Kit for HTML5 SAP UI Development Kit HTML5, jQuery /_core/src/main/js/jquery.sap.encoder.js. : HTML / XML jQuery.sap.encodeHTML(sValue) and jQuery.sap.encodeXML(sValue) JavaScript jQuery.sap.encodeJS(sValue) URL jQuery.sap.encodeURL(sValue) CSS jQuery.sap.encodeCSS(sValue) : , : Global_app_config/session_config/sessionTimeout = 900. - , . SystemCookiesDataProtection = true. HttpOnly , - , , . HTTPOnly, Logon tickets XSS-. ume.logon.httponlycookie= True. Logon tickets , Single Sign-On J2EE Engine. “True” , HTTP document.cookie ( XSS-) . SessionIPProtectionEnabled = True. , IP . True, HTTP- IP. IP, . , , - XSS-, - -, . LogCLF = TRUE http.properties logging CEF. ArchiveOldLogFiles = ON. Log Configurator . . , . , . . HttpTrace= Enable. HTTP- , ConfigTool. HTTP Provider Service, , HttpTrace. SAP HANA XS , XSS- – SAP HANA. SAP HANA SAPUI5. - SAPUI5 , . , int int, sap.ui.core . – , HTML: , : sessiontimeout = 900. - , . HttpOnly . , , - XSS-, - -, . HTTP (S) , SAP HANA, -. - HTTP (S) , icm/http/logging _ 0: global _ auditing _ state = true. global.ini, . , , XSS-. SAP HANA Administration Console –> Security HDB –> Auditing Status menu. - , XSS. , , - SAP . XSS- – SAP. SAP XSS-. XSS SAP. , ( chipik ) . Logging additional information ABAP protection SAP Encoding Functions for AS ABAP Java protection SAP Encoding Functions for AS Java and JavaScript Prevention of Cross-site Scripting SAP HANA protection Protecting SAP® Applications Based on Java and ABAP™ Against Common Attacks

<%@page language="abap" forceEncode="html"%>
<% data: inputvalue type string.
inputvalue = request->get_form_field( 'x' ).
%>
</html>


. , ( ):

<%html=...%>: HTML <%url=...%>: URL URL <%javascript=...%>: JavaScript <%css=…%> : CSS <%raw=...%> ( , , , )

BSP

BSP HTMLB forceEncode <htmlb:content> ENABLED , ( ). ENABLED , , :<htmlb:content forceEncode="ENABLED|BACKWARDS_COMPATIBLE">

ENABLED: . , ; BACKWARDS_COMPATIBLE: . , .

, htmlb:content , . : CLASSIC, DESIGN2002, DESIGN2003, DESIGN2008, , (+). CLASSIC DESIGN2002 (, ) .

<htmlb:content forceEncode="ENABLED" design="DESIGN2003+DESIGN2008">


, design=CLASSIC. .

Mixed BSP- HTML HTMLB

forceEncode BSP page forceEncode HTMLB . , – HTMLB. , , HTML BSP,

Internet Transaction Server (ITS) HTML Business

Internet Transaction Server (ITS) HTML Business, :

xss_url_escape() xss_html_escape() xss_wml_escape() xss_css_escape() xss_js_escape()
HTML Business

, HTML-: , (`) , :
~auto_html_escaping=1: , ~new_xss_functions=1: XSS.
~html_escaping_off=1/0, .
, , SAP_BASIS:
ITS ( <= 6.40), Internet Service SE80. ITS ( >= 6.40), GUI SICF :

7.20, ~new_xss_functions, XSS- .

, , , . ~html_escaping_off=”X”, . , . SAP Security Note 1488500.

Business HTML (BHTML)

HTMLBusiness Template Library (, SAP_TemplateNonEditableField()) . , . SAP Security Note 916255.



, . , .



, XSS-:

http/security_session_timeout = 900; - , . icf/set_HTTPonly_flag_on_cookies = 0; HttpOnly , - , , . HTTPOnly, Logon tickets XSS-.

, RZ10, ( Profile) (, DEFAULT.PFL, SAP-). , , , Extended maintenance . , Copy.



, , - , - -, :
icm/HTTP/logging_0 icm/security_log ,

SAP NetWeaver J2EE

SAP NetWeaver J2EE



AS Java tc_sec_csi.jar. , HTML/XML, JavaScript, CSS URL. StringUtils (com.sap.security.core.server.csi.util.StringUtils):

. Securing SAP from XSS vulnerabilities
escapeScriptEndTag(String pStr) - , javascript ; escapeToHTML(String input) – (. 1) escapeToJS(String input) – JS declaration ( . 5) escapeToURL(String input) – , URL ( 3). , 'disableScriptSignatures'. escapeToURL(StringBuffer sb, String input, int maxLength) - , URL ( 3). , 'disableScriptSignatures'. escapeToURL(String input, int maxLength) - , URL (. 3). , 'disableScriptSignatures'. urlEncode(String s) – URLEncoder.encode

, .

1 ( )

[CASE1]

Username [CASE1]



2 ( , – URL)


Click here


3 ( - URL)




4 ( SCRIPT', – )



5 ( – declaration )



XSSEncoder.
- XSSEncoder ( : com.sap.security.core.server.csi.XSSEncoder).

:
HTML / XML out = XSSEncoder.encodeHTML( in ) and XSSEncoder.encodeXML( val ); JavaScript out = XSSEncoder.encodeJavaScript( val ); URL out = XSSEncoder.encodeURL( val ); CSS out = XSSEncoder.encodeCSS( val );

, . SAP Security Note 1590008.
WebDynpro Java
WebDynpro Java, XSS. .
SAP UI Development Kit for HTML5
SAP UI Development Kit HTML5, jQuery /_core/src/main/js/jquery.sap.encoder.js.
:
HTML / XML jQuery.sap.encodeHTML(sValue) and jQuery.sap.encodeXML(sValue) JavaScript jQuery.sap.encodeJS(sValue) URL jQuery.sap.encodeURL(sValue) CSS jQuery.sap.encodeCSS(sValue)
:

, :
Global_app_config/session_config/sessionTimeout = 900. - , . SystemCookiesDataProtection = true. HttpOnly , - , , . HTTPOnly, Logon tickets XSS-. ume.logon.httponlycookie= True. Logon tickets , Single Sign-On J2EE Engine. “True” , HTTP document.cookie ( XSS-) . SessionIPProtectionEnabled = True. , IP . True, HTTP- IP. IP, .


, , - XSS-, - -, .
LogCLF = TRUE http.properties logging CEF. ArchiveOldLogFiles = ON. Log Configurator . . , . , . . HttpTrace= Enable. HTTP- , ConfigTool. HTTP Provider Service, , HttpTrace.
SAP HANA XS

, XSS- – SAP HANA.


SAP HANA SAPUI5.
- SAPUI5 , . , int int, sap.ui.core . – , HTML:

, :
sessiontimeout = 900. - , . HttpOnly .



, , - XSS-, - -, .

HTTP (S) , SAP HANA, -. - HTTP (S) , icm/http/logging _ 0: global _ auditing _ state = true. global.ini, . , , XSS-. SAP HANA Administration Console –> Security HDB –> Auditing Status menu.



- , XSS. , , - SAP . XSS- – SAP. SAP XSS-. XSS SAP.

, ( chipik ) .


Logging additional information ABAP protection SAP Encoding Functions for AS ABAP Java protection SAP Encoding Functions for AS Java and JavaScript Prevention of Cross-site Scripting SAP HANA protection Protecting SAP® Applications Based on Java and ABAP™ Against Common Attacks

<%@page language="abap" forceEncode="html"%> <% data: inputvalue type string. inputvalue = request->get_form_field( 'x' ). %> </html> . , ( ): <%html=...%>: HTML <%url=...%>: URL URL <%javascript=...%>: JavaScript <%css=…%> : CSS <%raw=...%> ( , , , ) BSP BSP HTMLB forceEncode <htmlb:content> ENABLED , ( ). ENABLED , , :<htmlb:content forceEncode="ENABLED|BACKWARDS_COMPATIBLE"> ENABLED: . , ; BACKWARDS_COMPATIBLE: . , . , htmlb:content , . : CLASSIC, DESIGN2002, DESIGN2003, DESIGN2008, , (+). CLASSIC DESIGN2002 (, ) . <htmlb:content forceEncode="ENABLED" design="DESIGN2003+DESIGN2008"> , design=CLASSIC. . Mixed BSP- HTML HTMLB forceEncode BSP page forceEncode HTMLB . , – HTMLB. , , HTML BSP, Internet Transaction Server (ITS) HTML Business Internet Transaction Server (ITS) HTML Business, : xss_url_escape() xss_html_escape() xss_wml_escape() xss_css_escape() xss_js_escape() HTML Business , HTML-: , (`) , : ~auto_html_escaping=1: , ~new_xss_functions=1: XSS. ~html_escaping_off=1/0, . , , SAP_BASIS: ITS ( <= 6.40), Internet Service SE80. ITS ( >= 6.40), GUI SICF : 7.20, ~new_xss_functions, XSS- . , , , . ~html_escaping_off=”X”, . , . SAP Security Note 1488500. Business HTML (BHTML) HTMLBusiness Template Library (, SAP_TemplateNonEditableField()) . , . SAP Security Note 916255. , . , . , XSS-: http/security_session_timeout = 900; - , . icf/set_HTTPonly_flag_on_cookies = 0; HttpOnly , - , , . HTTPOnly, Logon tickets XSS-. , RZ10, ( Profile) (, DEFAULT.PFL, SAP-). , , , Extended maintenance . , Copy. , , - , - -, : icm/HTTP/logging_0 icm/security_log , SAP NetWeaver J2EE SAP NetWeaver J2EE AS Java tc_sec_csi.jar. , HTML/XML, JavaScript, CSS URL. StringUtils (com.sap.security.core.server.csi.util.StringUtils): . Securing SAP from XSS vulnerabilities escapeScriptEndTag(String pStr) - , javascript ; escapeToHTML(String input) – (. 1) escapeToJS(String input) – JS declaration ( . 5) escapeToURL(String input) – , URL ( 3). , 'disableScriptSignatures'. escapeToURL(StringBuffer sb, String input, int maxLength) - , URL ( 3). , 'disableScriptSignatures'. escapeToURL(String input, int maxLength) - , URL (. 3). , 'disableScriptSignatures'. urlEncode(String s) – URLEncoder.encode , . 1 ( ) [CASE1] Username [CASE1] 2 ( , – URL) Click here 3 ( - URL) 4 ( SCRIPT', – ) 5 ( – declaration ) XSSEncoder. - XSSEncoder ( : com.sap.security.core.server.csi.XSSEncoder). : HTML / XML out = XSSEncoder.encodeHTML( in ) and XSSEncoder.encodeXML( val ); JavaScript out = XSSEncoder.encodeJavaScript( val ); URL out = XSSEncoder.encodeURL( val ); CSS out = XSSEncoder.encodeCSS( val ); , . SAP Security Note 1590008. WebDynpro Java WebDynpro Java, XSS. . SAP UI Development Kit for HTML5 SAP UI Development Kit HTML5, jQuery /_core/src/main/js/jquery.sap.encoder.js. : HTML / XML jQuery.sap.encodeHTML(sValue) and jQuery.sap.encodeXML(sValue) JavaScript jQuery.sap.encodeJS(sValue) URL jQuery.sap.encodeURL(sValue) CSS jQuery.sap.encodeCSS(sValue) : , : Global_app_config/session_config/sessionTimeout = 900. - , . SystemCookiesDataProtection = true. HttpOnly , - , , . HTTPOnly, Logon tickets XSS-. ume.logon.httponlycookie= True. Logon tickets , Single Sign-On J2EE Engine. “True” , HTTP document.cookie ( XSS-) . SessionIPProtectionEnabled = True. , IP . True, HTTP- IP. IP, . , , - XSS-, - -, . LogCLF = TRUE http.properties logging CEF. ArchiveOldLogFiles = ON. Log Configurator . . , . , . . HttpTrace= Enable. HTTP- , ConfigTool. HTTP Provider Service, , HttpTrace. SAP HANA XS , XSS- – SAP HANA. SAP HANA SAPUI5. - SAPUI5 , . , int int, sap.ui.core . – , HTML: , : sessiontimeout = 900. - , . HttpOnly . , , - XSS-, - -, . HTTP (S) , SAP HANA, -. - HTTP (S) , icm/http/logging _ 0: global _ auditing _ state = true. global.ini, . , , XSS-. SAP HANA Administration Console –> Security HDB –> Auditing Status menu. - , XSS. , , - SAP . XSS- – SAP. SAP XSS-. XSS SAP. , ( chipik ) . Logging additional information ABAP protection SAP Encoding Functions for AS ABAP Java protection SAP Encoding Functions for AS Java and JavaScript Prevention of Cross-site Scripting SAP HANA protection Protecting SAP® Applications Based on Java and ABAP™ Against Common Attacks

<%@page language="abap" forceEncode="html"%>
<% data: inputvalue type string.
inputvalue = request->get_form_field( 'x' ).
%>
</html>


. , ( ):

<%html=...%>: HTML <%url=...%>: URL URL <%javascript=...%>: JavaScript <%css=…%> : CSS <%raw=...%> ( , , , )

BSP

BSP HTMLB forceEncode <htmlb:content> ENABLED , ( ). ENABLED , , :<htmlb:content forceEncode="ENABLED|BACKWARDS_COMPATIBLE">

ENABLED: . , ; BACKWARDS_COMPATIBLE: . , .

, htmlb:content , . : CLASSIC, DESIGN2002, DESIGN2003, DESIGN2008, , (+). CLASSIC DESIGN2002 (, ) .

<htmlb:content forceEncode="ENABLED" design="DESIGN2003+DESIGN2008">


, design=CLASSIC. .

Mixed BSP- HTML HTMLB

forceEncode BSP page forceEncode HTMLB . , – HTMLB. , , HTML BSP,

Internet Transaction Server (ITS) HTML Business

Internet Transaction Server (ITS) HTML Business, :

xss_url_escape() xss_html_escape() xss_wml_escape() xss_css_escape() xss_js_escape()
HTML Business

, HTML-: , (`) , :
~auto_html_escaping=1: , ~new_xss_functions=1: XSS.
~html_escaping_off=1/0, .
, , SAP_BASIS:
ITS ( <= 6.40), Internet Service SE80. ITS ( >= 6.40), GUI SICF :

7.20, ~new_xss_functions, XSS- .

, , , . ~html_escaping_off=”X”, . , . SAP Security Note 1488500.

Business HTML (BHTML)

HTMLBusiness Template Library (, SAP_TemplateNonEditableField()) . , . SAP Security Note 916255.



, . , .



, XSS-:

http/security_session_timeout = 900; - , . icf/set_HTTPonly_flag_on_cookies = 0; HttpOnly , - , , . HTTPOnly, Logon tickets XSS-.

, RZ10, ( Profile) (, DEFAULT.PFL, SAP-). , , , Extended maintenance . , Copy.



, , - , - -, :
icm/HTTP/logging_0 icm/security_log ,

SAP NetWeaver J2EE

SAP NetWeaver J2EE



AS Java tc_sec_csi.jar. , HTML/XML, JavaScript, CSS URL. StringUtils (com.sap.security.core.server.csi.util.StringUtils):

. Securing SAP from XSS vulnerabilities
escapeScriptEndTag(String pStr) - , javascript ; escapeToHTML(String input) – (. 1) escapeToJS(String input) – JS declaration ( . 5) escapeToURL(String input) – , URL ( 3). , 'disableScriptSignatures'. escapeToURL(StringBuffer sb, String input, int maxLength) - , URL ( 3). , 'disableScriptSignatures'. escapeToURL(String input, int maxLength) - , URL (. 3). , 'disableScriptSignatures'. urlEncode(String s) – URLEncoder.encode

, .

1 ( )

[CASE1]

Username [CASE1]



2 ( , – URL)


Click here


3 ( - URL)




4 ( SCRIPT', – )



5 ( – declaration )



XSSEncoder.
- XSSEncoder ( : com.sap.security.core.server.csi.XSSEncoder).

:
HTML / XML out = XSSEncoder.encodeHTML( in ) and XSSEncoder.encodeXML( val ); JavaScript out = XSSEncoder.encodeJavaScript( val ); URL out = XSSEncoder.encodeURL( val ); CSS out = XSSEncoder.encodeCSS( val );

, . SAP Security Note 1590008.
WebDynpro Java
WebDynpro Java, XSS. .
SAP UI Development Kit for HTML5
SAP UI Development Kit HTML5, jQuery /_core/src/main/js/jquery.sap.encoder.js.
:
HTML / XML jQuery.sap.encodeHTML(sValue) and jQuery.sap.encodeXML(sValue) JavaScript jQuery.sap.encodeJS(sValue) URL jQuery.sap.encodeURL(sValue) CSS jQuery.sap.encodeCSS(sValue)
:

, :
Global_app_config/session_config/sessionTimeout = 900. - , . SystemCookiesDataProtection = true. HttpOnly , - , , . HTTPOnly, Logon tickets XSS-. ume.logon.httponlycookie= True. Logon tickets , Single Sign-On J2EE Engine. “True” , HTTP document.cookie ( XSS-) . SessionIPProtectionEnabled = True. , IP . True, HTTP- IP. IP, .


, , - XSS-, - -, .
LogCLF = TRUE http.properties logging CEF. ArchiveOldLogFiles = ON. Log Configurator . . , . , . . HttpTrace= Enable. HTTP- , ConfigTool. HTTP Provider Service, , HttpTrace.
SAP HANA XS

, XSS- – SAP HANA.


SAP HANA SAPUI5.
- SAPUI5 , . , int int, sap.ui.core . – , HTML:

, :
sessiontimeout = 900. - , . HttpOnly .



, , - XSS-, - -, .

HTTP (S) , SAP HANA, -. - HTTP (S) , icm/http/logging _ 0: global _ auditing _ state = true. global.ini, . , , XSS-. SAP HANA Administration Console –> Security HDB –> Auditing Status menu.



- , XSS. , , - SAP . XSS- – SAP. SAP XSS-. XSS SAP.

, ( chipik ) .


Logging additional information ABAP protection SAP Encoding Functions for AS ABAP Java protection SAP Encoding Functions for AS Java and JavaScript Prevention of Cross-site Scripting SAP HANA protection Protecting SAP® Applications Based on Java and ABAP™ Against Common Attacks

<%@page language="abap" forceEncode="html"%> <% data: inputvalue type string. inputvalue = request->get_form_field( 'x' ). %> </html> . , ( ): <%html=...%>: HTML <%url=...%>: URL URL <%javascript=...%>: JavaScript <%css=…%> : CSS <%raw=...%> ( , , , ) BSP BSP HTMLB forceEncode <htmlb:content> ENABLED , ( ). ENABLED , , :<htmlb:content forceEncode="ENABLED|BACKWARDS_COMPATIBLE"> ENABLED: . , ; BACKWARDS_COMPATIBLE: . , . , htmlb:content , . : CLASSIC, DESIGN2002, DESIGN2003, DESIGN2008, , (+). CLASSIC DESIGN2002 (, ) . <htmlb:content forceEncode="ENABLED" design="DESIGN2003+DESIGN2008"> , design=CLASSIC. . Mixed BSP- HTML HTMLB forceEncode BSP page forceEncode HTMLB . , – HTMLB. , , HTML BSP, Internet Transaction Server (ITS) HTML Business Internet Transaction Server (ITS) HTML Business, : xss_url_escape() xss_html_escape() xss_wml_escape() xss_css_escape() xss_js_escape() HTML Business , HTML-: , (`) , : ~auto_html_escaping=1: , ~new_xss_functions=1: XSS. ~html_escaping_off=1/0, . , , SAP_BASIS: ITS ( <= 6.40), Internet Service SE80. ITS ( >= 6.40), GUI SICF : 7.20, ~new_xss_functions, XSS- . , , , . ~html_escaping_off=”X”, . , . SAP Security Note 1488500. Business HTML (BHTML) HTMLBusiness Template Library (, SAP_TemplateNonEditableField()) . , . SAP Security Note 916255. , . , . , XSS-: http/security_session_timeout = 900; - , . icf/set_HTTPonly_flag_on_cookies = 0; HttpOnly , - , , . HTTPOnly, Logon tickets XSS-. , RZ10, ( Profile) (, DEFAULT.PFL, SAP-). , , , Extended maintenance . , Copy. , , - , - -, : icm/HTTP/logging_0 icm/security_log , SAP NetWeaver J2EE SAP NetWeaver J2EE AS Java tc_sec_csi.jar. , HTML/XML, JavaScript, CSS URL. StringUtils (com.sap.security.core.server.csi.util.StringUtils): . Securing SAP from XSS vulnerabilities escapeScriptEndTag(String pStr) - , javascript ; escapeToHTML(String input) – (. 1) escapeToJS(String input) – JS declaration ( . 5) escapeToURL(String input) – , URL ( 3). , 'disableScriptSignatures'. escapeToURL(StringBuffer sb, String input, int maxLength) - , URL ( 3). , 'disableScriptSignatures'. escapeToURL(String input, int maxLength) - , URL (. 3). , 'disableScriptSignatures'. urlEncode(String s) – URLEncoder.encode , . 1 ( ) [CASE1] Username [CASE1] 2 ( , – URL) Click here 3 ( - URL) 4 ( SCRIPT', – ) 5 ( – declaration ) XSSEncoder. - XSSEncoder ( : com.sap.security.core.server.csi.XSSEncoder). : HTML / XML out = XSSEncoder.encodeHTML( in ) and XSSEncoder.encodeXML( val ); JavaScript out = XSSEncoder.encodeJavaScript( val ); URL out = XSSEncoder.encodeURL( val ); CSS out = XSSEncoder.encodeCSS( val ); , . SAP Security Note 1590008. WebDynpro Java WebDynpro Java, XSS. . SAP UI Development Kit for HTML5 SAP UI Development Kit HTML5, jQuery /_core/src/main/js/jquery.sap.encoder.js. : HTML / XML jQuery.sap.encodeHTML(sValue) and jQuery.sap.encodeXML(sValue) JavaScript jQuery.sap.encodeJS(sValue) URL jQuery.sap.encodeURL(sValue) CSS jQuery.sap.encodeCSS(sValue) : , : Global_app_config/session_config/sessionTimeout = 900. - , . SystemCookiesDataProtection = true. HttpOnly , - , , . HTTPOnly, Logon tickets XSS-. ume.logon.httponlycookie= True. Logon tickets , Single Sign-On J2EE Engine. “True” , HTTP document.cookie ( XSS-) . SessionIPProtectionEnabled = True. , IP . True, HTTP- IP. IP, . , , - XSS-, - -, . LogCLF = TRUE http.properties logging CEF. ArchiveOldLogFiles = ON. Log Configurator . . , . , . . HttpTrace= Enable. HTTP- , ConfigTool. HTTP Provider Service, , HttpTrace. SAP HANA XS , XSS- – SAP HANA. SAP HANA SAPUI5. - SAPUI5 , . , int int, sap.ui.core . – , HTML: , : sessiontimeout = 900. - , . HttpOnly . , , - XSS-, - -, . HTTP (S) , SAP HANA, -. - HTTP (S) , icm/http/logging _ 0: global _ auditing _ state = true. global.ini, . , , XSS-. SAP HANA Administration Console –> Security HDB –> Auditing Status menu. - , XSS. , , - SAP . XSS- – SAP. SAP XSS-. XSS SAP. , ( chipik ) . Logging additional information ABAP protection SAP Encoding Functions for AS ABAP Java protection SAP Encoding Functions for AS Java and JavaScript Prevention of Cross-site Scripting SAP HANA protection Protecting SAP® Applications Based on Java and ABAP™ Against Common Attacks
<%@page language="abap" forceEncode="html"%> <% data: inputvalue type string. inputvalue = request->get_form_field( 'x' ). %> </html> . , ( ): <%html=...%>: HTML <%url=...%>: URL URL <%javascript=...%>: JavaScript <%css=…%> : CSS <%raw=...%> ( , , , ) BSP BSP HTMLB forceEncode <htmlb:content> ENABLED , ( ). ENABLED , , :<htmlb:content forceEncode="ENABLED|BACKWARDS_COMPATIBLE"> ENABLED: . , ; BACKWARDS_COMPATIBLE: . , . , htmlb:content , . : CLASSIC, DESIGN2002, DESIGN2003, DESIGN2008, , (+). CLASSIC DESIGN2002 (, ) . <htmlb:content forceEncode="ENABLED" design="DESIGN2003+DESIGN2008"> , design=CLASSIC. . Mixed BSP- HTML HTMLB forceEncode BSP page forceEncode HTMLB . , – HTMLB. , , HTML BSP, Internet Transaction Server (ITS) HTML Business Internet Transaction Server (ITS) HTML Business, : xss_url_escape() xss_html_escape() xss_wml_escape() xss_css_escape() xss_js_escape() HTML Business , HTML-: , (`) , : ~auto_html_escaping=1: , ~new_xss_functions=1: XSS. ~html_escaping_off=1/0, . , , SAP_BASIS: ITS ( <= 6.40), Internet Service SE80. ITS ( >= 6.40), GUI SICF : 7.20, ~new_xss_functions, XSS- . , , , . ~html_escaping_off=”X”, . , . SAP Security Note 1488500. Business HTML (BHTML) HTMLBusiness Template Library (, SAP_TemplateNonEditableField()) . , . SAP Security Note 916255. , . , . , XSS-: http/security_session_timeout = 900; - , . icf/set_HTTPonly_flag_on_cookies = 0; HttpOnly , - , , . HTTPOnly, Logon tickets XSS-. , RZ10, ( Profile) (, DEFAULT.PFL, SAP-). , , , Extended maintenance . , Copy. , , - , - -, : icm/HTTP/logging_0 icm/security_log , SAP NetWeaver J2EE SAP NetWeaver J2EE AS Java tc_sec_csi.jar. , HTML/XML, JavaScript, CSS URL. StringUtils (com.sap.security.core.server.csi.util.StringUtils): . Securing SAP from XSS vulnerabilities escapeScriptEndTag(String pStr) - , javascript ; escapeToHTML(String input) – (. 1) escapeToJS(String input) – JS declaration ( . 5) escapeToURL(String input) – , URL ( 3). , 'disableScriptSignatures'. escapeToURL(StringBuffer sb, String input, int maxLength) - , URL ( 3). , 'disableScriptSignatures'. escapeToURL(String input, int maxLength) - , URL (. 3). , 'disableScriptSignatures'. urlEncode(String s) – URLEncoder.encode , . 1 ( ) [CASE1] Username [CASE1] 2 ( , – URL) Click here 3 ( - URL) 4 ( SCRIPT', – ) 5 ( – declaration ) XSSEncoder. - XSSEncoder ( : com.sap.security.core.server.csi.XSSEncoder). : HTML / XML out = XSSEncoder.encodeHTML( in ) and XSSEncoder.encodeXML( val ); JavaScript out = XSSEncoder.encodeJavaScript( val ); URL out = XSSEncoder.encodeURL( val ); CSS out = XSSEncoder.encodeCSS( val ); , . SAP Security Note 1590008. WebDynpro Java WebDynpro Java, XSS. . SAP UI Development Kit for HTML5 SAP UI Development Kit HTML5, jQuery /_core/src/main/js/jquery.sap.encoder.js. : HTML / XML jQuery.sap.encodeHTML(sValue) and jQuery.sap.encodeXML(sValue) JavaScript jQuery.sap.encodeJS(sValue) URL jQuery.sap.encodeURL(sValue) CSS jQuery.sap.encodeCSS(sValue) : , : Global_app_config/session_config/sessionTimeout = 900. - , . SystemCookiesDataProtection = true. HttpOnly , - , , . HTTPOnly, Logon tickets XSS-. ume.logon.httponlycookie= True. Logon tickets , Single Sign-On J2EE Engine. “True” , HTTP document.cookie ( XSS-) . SessionIPProtectionEnabled = True. , IP . True, HTTP- IP. IP, . , , - XSS-, - -, . LogCLF = TRUE http.properties logging CEF. ArchiveOldLogFiles = ON. Log Configurator . . , . , . . HttpTrace= Enable. HTTP- , ConfigTool. HTTP Provider Service, , HttpTrace. SAP HANA XS , XSS- – SAP HANA. SAP HANA SAPUI5. - SAPUI5 , . , int int, sap.ui.core . – , HTML: , : sessiontimeout = 900. - , . HttpOnly . , , - XSS-, - -, . HTTP (S) , SAP HANA, -. - HTTP (S) , icm/http/logging _ 0: global _ auditing _ state = true. global.ini, . , , XSS-. SAP HANA Administration Console –> Security HDB –> Auditing Status menu. - , XSS. , , - SAP . XSS- – SAP. SAP XSS-. XSS SAP. , ( chipik ) . Logging additional information ABAP protection SAP Encoding Functions for AS ABAP Java protection SAP Encoding Functions for AS Java and JavaScript Prevention of Cross-site Scripting SAP HANA protection Protecting SAP® Applications Based on Java and ABAP™ Against Common Attacks
<%@page language="abap" forceEncode="html"%> <% data: inputvalue type string. inputvalue = request->get_form_field( 'x' ). %> </html> . , ( ): <%html=...%>: HTML <%url=...%>: URL URL <%javascript=...%>: JavaScript <%css=…%> : CSS <%raw=...%> ( , , , ) BSP BSP HTMLB forceEncode <htmlb:content> ENABLED , ( ). ENABLED , , :<htmlb:content forceEncode="ENABLED|BACKWARDS_COMPATIBLE"> ENABLED: . , ; BACKWARDS_COMPATIBLE: . , . , htmlb:content , . : CLASSIC, DESIGN2002, DESIGN2003, DESIGN2008, , (+). CLASSIC DESIGN2002 (, ) . <htmlb:content forceEncode="ENABLED" design="DESIGN2003+DESIGN2008"> , design=CLASSIC. . Mixed BSP- HTML HTMLB forceEncode BSP page forceEncode HTMLB . , – HTMLB. , , HTML BSP, Internet Transaction Server (ITS) HTML Business Internet Transaction Server (ITS) HTML Business, : xss_url_escape() xss_html_escape() xss_wml_escape() xss_css_escape() xss_js_escape() HTML Business , HTML-: , (`) , : ~auto_html_escaping=1: , ~new_xss_functions=1: XSS. ~html_escaping_off=1/0, . , , SAP_BASIS: ITS ( <= 6.40), Internet Service SE80. ITS ( >= 6.40), GUI SICF : 7.20, ~new_xss_functions, XSS- . , , , . ~html_escaping_off=”X”, . , . SAP Security Note 1488500. Business HTML (BHTML) HTMLBusiness Template Library (, SAP_TemplateNonEditableField()) . , . SAP Security Note 916255. , . , . , XSS-: http/security_session_timeout = 900; - , . icf/set_HTTPonly_flag_on_cookies = 0; HttpOnly , - , , . HTTPOnly, Logon tickets XSS-. , RZ10, ( Profile) (, DEFAULT.PFL, SAP-). , , , Extended maintenance . , Copy. , , - , - -, : icm/HTTP/logging_0 icm/security_log , SAP NetWeaver J2EE SAP NetWeaver J2EE AS Java tc_sec_csi.jar. , HTML/XML, JavaScript, CSS URL. StringUtils (com.sap.security.core.server.csi.util.StringUtils): . Securing SAP from XSS vulnerabilities escapeScriptEndTag(String pStr) - , javascript ; escapeToHTML(String input) – (. 1) escapeToJS(String input) – JS declaration ( . 5) escapeToURL(String input) – , URL ( 3). , 'disableScriptSignatures'. escapeToURL(StringBuffer sb, String input, int maxLength) - , URL ( 3). , 'disableScriptSignatures'. escapeToURL(String input, int maxLength) - , URL (. 3). , 'disableScriptSignatures'. urlEncode(String s) – URLEncoder.encode , . 1 ( ) [CASE1] Username [CASE1] 2 ( , – URL) Click here 3 ( - URL) 4 ( SCRIPT', – ) 5 ( – declaration ) XSSEncoder. - XSSEncoder ( : com.sap.security.core.server.csi.XSSEncoder). : HTML / XML out = XSSEncoder.encodeHTML( in ) and XSSEncoder.encodeXML( val ); JavaScript out = XSSEncoder.encodeJavaScript( val ); URL out = XSSEncoder.encodeURL( val ); CSS out = XSSEncoder.encodeCSS( val ); , . SAP Security Note 1590008. WebDynpro Java WebDynpro Java, XSS. . SAP UI Development Kit for HTML5 SAP UI Development Kit HTML5, jQuery /_core/src/main/js/jquery.sap.encoder.js. : HTML / XML jQuery.sap.encodeHTML(sValue) and jQuery.sap.encodeXML(sValue) JavaScript jQuery.sap.encodeJS(sValue) URL jQuery.sap.encodeURL(sValue) CSS jQuery.sap.encodeCSS(sValue) : , : Global_app_config/session_config/sessionTimeout = 900. - , . SystemCookiesDataProtection = true. HttpOnly , - , , . HTTPOnly, Logon tickets XSS-. ume.logon.httponlycookie= True. Logon tickets , Single Sign-On J2EE Engine. “True” , HTTP document.cookie ( XSS-) . SessionIPProtectionEnabled = True. , IP . True, HTTP- IP. IP, . , , - XSS-, - -, . LogCLF = TRUE http.properties logging CEF. ArchiveOldLogFiles = ON. Log Configurator . . , . , . . HttpTrace= Enable. HTTP- , ConfigTool. HTTP Provider Service, , HttpTrace. SAP HANA XS , XSS- – SAP HANA. SAP HANA SAPUI5. - SAPUI5 , . , int int, sap.ui.core . – , HTML: , : sessiontimeout = 900. - , . HttpOnly . , , - XSS-, - -, . HTTP (S) , SAP HANA, -. - HTTP (S) , icm/http/logging _ 0: global _ auditing _ state = true. global.ini, . , , XSS-. SAP HANA Administration Console –> Security HDB –> Auditing Status menu. - , XSS. , , - SAP . XSS- – SAP. SAP XSS-. XSS SAP. , ( chipik ) . Logging additional information ABAP protection SAP Encoding Functions for AS ABAP Java protection SAP Encoding Functions for AS Java and JavaScript Prevention of Cross-site Scripting SAP HANA protection Protecting SAP® Applications Based on Java and ABAP™ Against Common Attacks
<%@page language="abap" forceEncode="html"%> <% data: inputvalue type string. inputvalue = request->get_form_field( 'x' ). %> </html> . , ( ): <%html=...%>: HTML <%url=...%>: URL URL <%javascript=...%>: JavaScript <%css=…%> : CSS <%raw=...%> ( , , , ) BSP BSP HTMLB forceEncode <htmlb:content> ENABLED , ( ). ENABLED , , :<htmlb:content forceEncode="ENABLED|BACKWARDS_COMPATIBLE"> ENABLED: . , ; BACKWARDS_COMPATIBLE: . , . , htmlb:content , . : CLASSIC, DESIGN2002, DESIGN2003, DESIGN2008, , (+). CLASSIC DESIGN2002 (, ) . <htmlb:content forceEncode="ENABLED" design="DESIGN2003+DESIGN2008"> , design=CLASSIC. . Mixed BSP- HTML HTMLB forceEncode BSP page forceEncode HTMLB . , – HTMLB. , , HTML BSP, Internet Transaction Server (ITS) HTML Business Internet Transaction Server (ITS) HTML Business, : xss_url_escape() xss_html_escape() xss_wml_escape() xss_css_escape() xss_js_escape() HTML Business , HTML-: , (`) , : ~auto_html_escaping=1: , ~new_xss_functions=1: XSS. ~html_escaping_off=1/0, . , , SAP_BASIS: ITS ( <= 6.40), Internet Service SE80. ITS ( >= 6.40), GUI SICF : 7.20, ~new_xss_functions, XSS- . , , , . ~html_escaping_off=”X”, . , . SAP Security Note 1488500. Business HTML (BHTML) HTMLBusiness Template Library (, SAP_TemplateNonEditableField()) . , . SAP Security Note 916255. , . , . , XSS-: http/security_session_timeout = 900; - , . icf/set_HTTPonly_flag_on_cookies = 0; HttpOnly , - , , . HTTPOnly, Logon tickets XSS-. , RZ10, ( Profile) (, DEFAULT.PFL, SAP-). , , , Extended maintenance . , Copy. , , - , - -, : icm/HTTP/logging_0 icm/security_log , SAP NetWeaver J2EE SAP NetWeaver J2EE AS Java tc_sec_csi.jar. , HTML/XML, JavaScript, CSS URL. StringUtils (com.sap.security.core.server.csi.util.StringUtils): . Securing SAP from XSS vulnerabilities escapeScriptEndTag(String pStr) - , javascript ; escapeToHTML(String input) – (. 1) escapeToJS(String input) – JS declaration ( . 5) escapeToURL(String input) – , URL ( 3). , 'disableScriptSignatures'. escapeToURL(StringBuffer sb, String input, int maxLength) - , URL ( 3). , 'disableScriptSignatures'. escapeToURL(String input, int maxLength) - , URL (. 3). , 'disableScriptSignatures'. urlEncode(String s) – URLEncoder.encode , . 1 ( ) [CASE1] Username [CASE1] 2 ( , – URL) Click here 3 ( - URL) 4 ( SCRIPT', – ) 5 ( – declaration ) XSSEncoder. - XSSEncoder ( : com.sap.security.core.server.csi.XSSEncoder). : HTML / XML out = XSSEncoder.encodeHTML( in ) and XSSEncoder.encodeXML( val ); JavaScript out = XSSEncoder.encodeJavaScript( val ); URL out = XSSEncoder.encodeURL( val ); CSS out = XSSEncoder.encodeCSS( val ); , . SAP Security Note 1590008. WebDynpro Java WebDynpro Java, XSS. . SAP UI Development Kit for HTML5 SAP UI Development Kit HTML5, jQuery /_core/src/main/js/jquery.sap.encoder.js. : HTML / XML jQuery.sap.encodeHTML(sValue) and jQuery.sap.encodeXML(sValue) JavaScript jQuery.sap.encodeJS(sValue) URL jQuery.sap.encodeURL(sValue) CSS jQuery.sap.encodeCSS(sValue) : , : Global_app_config/session_config/sessionTimeout = 900. - , . SystemCookiesDataProtection = true. HttpOnly , - , , . HTTPOnly, Logon tickets XSS-. ume.logon.httponlycookie= True. Logon tickets , Single Sign-On J2EE Engine. “True” , HTTP document.cookie ( XSS-) . SessionIPProtectionEnabled = True. , IP . True, HTTP- IP. IP, . , , - XSS-, - -, . LogCLF = TRUE http.properties logging CEF. ArchiveOldLogFiles = ON. Log Configurator . . , . , . . HttpTrace= Enable. HTTP- , ConfigTool. HTTP Provider Service, , HttpTrace. SAP HANA XS , XSS- – SAP HANA. SAP HANA SAPUI5. - SAPUI5 , . , int int, sap.ui.core . – , HTML: , : sessiontimeout = 900. - , . HttpOnly . , , - XSS-, - -, . HTTP (S) , SAP HANA, -. - HTTP (S) , icm/http/logging _ 0: global _ auditing _ state = true. global.ini, . , , XSS-. SAP HANA Administration Console –> Security HDB –> Auditing Status menu. - , XSS. , , - SAP . XSS- – SAP. SAP XSS-. XSS SAP. , ( chipik ) . Logging additional information ABAP protection SAP Encoding Functions for AS ABAP Java protection SAP Encoding Functions for AS Java and JavaScript Prevention of Cross-site Scripting SAP HANA protection Protecting SAP® Applications Based on Java and ABAP™ Against Common Attacks

<%@page language="abap" forceEncode="html"%>
<% data: inputvalue type string.
inputvalue = request->get_form_field( 'x' ).
%>
</html>


. , ( ):

<%html=...%>: HTML <%url=...%>: URL URL <%javascript=...%>: JavaScript <%css=…%> : CSS <%raw=...%> ( , , , )

BSP

BSP HTMLB forceEncode <htmlb:content> ENABLED , ( ). ENABLED , , :<htmlb:content forceEncode="ENABLED|BACKWARDS_COMPATIBLE">

ENABLED: . , ; BACKWARDS_COMPATIBLE: . , .

, htmlb:content , . : CLASSIC, DESIGN2002, DESIGN2003, DESIGN2008, , (+). CLASSIC DESIGN2002 (, ) .

<htmlb:content forceEncode="ENABLED" design="DESIGN2003+DESIGN2008">


, design=CLASSIC. .

Mixed BSP- HTML HTMLB

forceEncode BSP page forceEncode HTMLB . , – HTMLB. , , HTML BSP,

Internet Transaction Server (ITS) HTML Business

Internet Transaction Server (ITS) HTML Business, :

xss_url_escape() xss_html_escape() xss_wml_escape() xss_css_escape() xss_js_escape()
HTML Business

, HTML-: , (`) , :
~auto_html_escaping=1: , ~new_xss_functions=1: XSS.
~html_escaping_off=1/0, .
, , SAP_BASIS:
ITS ( <= 6.40), Internet Service SE80. ITS ( >= 6.40), GUI SICF :

7.20, ~new_xss_functions, XSS- .

, , , . ~html_escaping_off=”X”, . , . SAP Security Note 1488500.

Business HTML (BHTML)

HTMLBusiness Template Library (, SAP_TemplateNonEditableField()) . , . SAP Security Note 916255.



, . , .



, XSS-:

http/security_session_timeout = 900; - , . icf/set_HTTPonly_flag_on_cookies = 0; HttpOnly , - , , . HTTPOnly, Logon tickets XSS-.

, RZ10, ( Profile) (, DEFAULT.PFL, SAP-). , , , Extended maintenance . , Copy.



, , - , - -, :
icm/HTTP/logging_0 icm/security_log ,

SAP NetWeaver J2EE

SAP NetWeaver J2EE



AS Java tc_sec_csi.jar. , HTML/XML, JavaScript, CSS URL. StringUtils (com.sap.security.core.server.csi.util.StringUtils):

. Securing SAP from XSS vulnerabilities
escapeScriptEndTag(String pStr) - , javascript ; escapeToHTML(String input) – (. 1) escapeToJS(String input) – JS declaration ( . 5) escapeToURL(String input) – , URL ( 3). , 'disableScriptSignatures'. escapeToURL(StringBuffer sb, String input, int maxLength) - , URL ( 3). , 'disableScriptSignatures'. escapeToURL(String input, int maxLength) - , URL (. 3). , 'disableScriptSignatures'. urlEncode(String s) – URLEncoder.encode

, .

1 ( )

[CASE1]

Username [CASE1]



2 ( , – URL)


Click here


3 ( - URL)




4 ( SCRIPT', – )



5 ( – declaration )



XSSEncoder.
- XSSEncoder ( : com.sap.security.core.server.csi.XSSEncoder).

:
HTML / XML out = XSSEncoder.encodeHTML( in ) and XSSEncoder.encodeXML( val ); JavaScript out = XSSEncoder.encodeJavaScript( val ); URL out = XSSEncoder.encodeURL( val ); CSS out = XSSEncoder.encodeCSS( val );

, . SAP Security Note 1590008.
WebDynpro Java
WebDynpro Java, XSS. .
SAP UI Development Kit for HTML5
SAP UI Development Kit HTML5, jQuery /_core/src/main/js/jquery.sap.encoder.js.
:
HTML / XML jQuery.sap.encodeHTML(sValue) and jQuery.sap.encodeXML(sValue) JavaScript jQuery.sap.encodeJS(sValue) URL jQuery.sap.encodeURL(sValue) CSS jQuery.sap.encodeCSS(sValue)
:

, :
Global_app_config/session_config/sessionTimeout = 900. - , . SystemCookiesDataProtection = true. HttpOnly , - , , . HTTPOnly, Logon tickets XSS-. ume.logon.httponlycookie= True. Logon tickets , Single Sign-On J2EE Engine. “True” , HTTP document.cookie ( XSS-) . SessionIPProtectionEnabled = True. , IP . True, HTTP- IP. IP, .


, , - XSS-, - -, .
LogCLF = TRUE http.properties logging CEF. ArchiveOldLogFiles = ON. Log Configurator . . , . , . . HttpTrace= Enable. HTTP- , ConfigTool. HTTP Provider Service, , HttpTrace.
SAP HANA XS

, XSS- – SAP HANA.


SAP HANA SAPUI5.
- SAPUI5 , . , int int, sap.ui.core . – , HTML:

, :
sessiontimeout = 900. - , . HttpOnly .



, , - XSS-, - -, .

HTTP (S) , SAP HANA, -. - HTTP (S) , icm/http/logging _ 0: global _ auditing _ state = true. global.ini, . , , XSS-. SAP HANA Administration Console –> Security HDB –> Auditing Status menu.



- , XSS. , , - SAP . XSS- – SAP. SAP XSS-. XSS SAP.

, ( chipik ) .


Logging additional information ABAP protection SAP Encoding Functions for AS ABAP Java protection SAP Encoding Functions for AS Java and JavaScript Prevention of Cross-site Scripting SAP HANA protection Protecting SAP® Applications Based on Java and ABAP™ Against Common Attacks

<%@page language="abap" forceEncode="html"%> <% data: inputvalue type string. inputvalue = request->get_form_field( 'x' ). %> </html> . , ( ): <%html=...%>: HTML <%url=...%>: URL URL <%javascript=...%>: JavaScript <%css=…%> : CSS <%raw=...%> ( , , , ) BSP BSP HTMLB forceEncode <htmlb:content> ENABLED , ( ). ENABLED , , :<htmlb:content forceEncode="ENABLED|BACKWARDS_COMPATIBLE"> ENABLED: . , ; BACKWARDS_COMPATIBLE: . , . , htmlb:content , . : CLASSIC, DESIGN2002, DESIGN2003, DESIGN2008, , (+). CLASSIC DESIGN2002 (, ) . <htmlb:content forceEncode="ENABLED" design="DESIGN2003+DESIGN2008"> , design=CLASSIC. . Mixed BSP- HTML HTMLB forceEncode BSP page forceEncode HTMLB . , – HTMLB. , , HTML BSP, Internet Transaction Server (ITS) HTML Business Internet Transaction Server (ITS) HTML Business, : xss_url_escape() xss_html_escape() xss_wml_escape() xss_css_escape() xss_js_escape() HTML Business , HTML-: , (`) , : ~auto_html_escaping=1: , ~new_xss_functions=1: XSS. ~html_escaping_off=1/0, . , , SAP_BASIS: ITS ( <= 6.40), Internet Service SE80. ITS ( >= 6.40), GUI SICF : 7.20, ~new_xss_functions, XSS- . , , , . ~html_escaping_off=”X”, . , . SAP Security Note 1488500. Business HTML (BHTML) HTMLBusiness Template Library (, SAP_TemplateNonEditableField()) . , . SAP Security Note 916255. , . , . , XSS-: http/security_session_timeout = 900; - , . icf/set_HTTPonly_flag_on_cookies = 0; HttpOnly , - , , . HTTPOnly, Logon tickets XSS-. , RZ10, ( Profile) (, DEFAULT.PFL, SAP-). , , , Extended maintenance . , Copy. , , - , - -, : icm/HTTP/logging_0 icm/security_log , SAP NetWeaver J2EE SAP NetWeaver J2EE AS Java tc_sec_csi.jar. , HTML/XML, JavaScript, CSS URL. StringUtils (com.sap.security.core.server.csi.util.StringUtils): . Securing SAP from XSS vulnerabilities escapeScriptEndTag(String pStr) - , javascript ; escapeToHTML(String input) – (. 1) escapeToJS(String input) – JS declaration ( . 5) escapeToURL(String input) – , URL ( 3). , 'disableScriptSignatures'. escapeToURL(StringBuffer sb, String input, int maxLength) - , URL ( 3). , 'disableScriptSignatures'. escapeToURL(String input, int maxLength) - , URL (. 3). , 'disableScriptSignatures'. urlEncode(String s) – URLEncoder.encode , . 1 ( ) [CASE1] Username [CASE1] 2 ( , – URL) Click here 3 ( - URL) 4 ( SCRIPT', – ) 5 ( – declaration ) XSSEncoder. - XSSEncoder ( : com.sap.security.core.server.csi.XSSEncoder). : HTML / XML out = XSSEncoder.encodeHTML( in ) and XSSEncoder.encodeXML( val ); JavaScript out = XSSEncoder.encodeJavaScript( val ); URL out = XSSEncoder.encodeURL( val ); CSS out = XSSEncoder.encodeCSS( val ); , . SAP Security Note 1590008. WebDynpro Java WebDynpro Java, XSS. . SAP UI Development Kit for HTML5 SAP UI Development Kit HTML5, jQuery /_core/src/main/js/jquery.sap.encoder.js. : HTML / XML jQuery.sap.encodeHTML(sValue) and jQuery.sap.encodeXML(sValue) JavaScript jQuery.sap.encodeJS(sValue) URL jQuery.sap.encodeURL(sValue) CSS jQuery.sap.encodeCSS(sValue) : , : Global_app_config/session_config/sessionTimeout = 900. - , . SystemCookiesDataProtection = true. HttpOnly , - , , . HTTPOnly, Logon tickets XSS-. ume.logon.httponlycookie= True. Logon tickets , Single Sign-On J2EE Engine. “True” , HTTP document.cookie ( XSS-) . SessionIPProtectionEnabled = True. , IP . True, HTTP- IP. IP, . , , - XSS-, - -, . LogCLF = TRUE http.properties logging CEF. ArchiveOldLogFiles = ON. Log Configurator . . , . , . . HttpTrace= Enable. HTTP- , ConfigTool. HTTP Provider Service, , HttpTrace. SAP HANA XS , XSS- – SAP HANA. SAP HANA SAPUI5. - SAPUI5 , . , int int, sap.ui.core . – , HTML: , : sessiontimeout = 900. - , . HttpOnly . , , - XSS-, - -, . HTTP (S) , SAP HANA, -. - HTTP (S) , icm/http/logging _ 0: global _ auditing _ state = true. global.ini, . , , XSS-. SAP HANA Administration Console –> Security HDB –> Auditing Status menu. - , XSS. , , - SAP . XSS- – SAP. SAP XSS-. XSS SAP. , ( chipik ) . Logging additional information ABAP protection SAP Encoding Functions for AS ABAP Java protection SAP Encoding Functions for AS Java and JavaScript Prevention of Cross-site Scripting SAP HANA protection Protecting SAP® Applications Based on Java and ABAP™ Against Common Attacks

<%@page language="abap" forceEncode="html"%>
<% data: inputvalue type string.
inputvalue = request->get_form_field( 'x' ).
%>
</html>


. , ( ):

<%html=...%>: HTML <%url=...%>: URL URL <%javascript=...%>: JavaScript <%css=…%> : CSS <%raw=...%> ( , , , )

BSP

BSP HTMLB forceEncode <htmlb:content> ENABLED , ( ). ENABLED , , :<htmlb:content forceEncode="ENABLED|BACKWARDS_COMPATIBLE">

ENABLED: . , ; BACKWARDS_COMPATIBLE: . , .

, htmlb:content , . : CLASSIC, DESIGN2002, DESIGN2003, DESIGN2008, , (+). CLASSIC DESIGN2002 (, ) .

<htmlb:content forceEncode="ENABLED" design="DESIGN2003+DESIGN2008">


, design=CLASSIC. .

Mixed BSP- HTML HTMLB

forceEncode BSP page forceEncode HTMLB . , – HTMLB. , , HTML BSP,

Internet Transaction Server (ITS) HTML Business

Internet Transaction Server (ITS) HTML Business, :

xss_url_escape() xss_html_escape() xss_wml_escape() xss_css_escape() xss_js_escape()
HTML Business

, HTML-: , (`) , :
~auto_html_escaping=1: , ~new_xss_functions=1: XSS.
~html_escaping_off=1/0, .
, , SAP_BASIS:
ITS ( <= 6.40), Internet Service SE80. ITS ( >= 6.40), GUI SICF :

7.20, ~new_xss_functions, XSS- .

, , , . ~html_escaping_off=”X”, . , . SAP Security Note 1488500.

Business HTML (BHTML)

HTMLBusiness Template Library (, SAP_TemplateNonEditableField()) . , . SAP Security Note 916255.



, . , .



, XSS-:

http/security_session_timeout = 900; - , . icf/set_HTTPonly_flag_on_cookies = 0; HttpOnly , - , , . HTTPOnly, Logon tickets XSS-.

, RZ10, ( Profile) (, DEFAULT.PFL, SAP-). , , , Extended maintenance . , Copy.



, , - , - -, :
icm/HTTP/logging_0 icm/security_log ,

SAP NetWeaver J2EE

SAP NetWeaver J2EE



AS Java tc_sec_csi.jar. , HTML/XML, JavaScript, CSS URL. StringUtils (com.sap.security.core.server.csi.util.StringUtils):

. Securing SAP from XSS vulnerabilities
escapeScriptEndTag(String pStr) - , javascript ; escapeToHTML(String input) – (. 1) escapeToJS(String input) – JS declaration ( . 5) escapeToURL(String input) – , URL ( 3). , 'disableScriptSignatures'. escapeToURL(StringBuffer sb, String input, int maxLength) - , URL ( 3). , 'disableScriptSignatures'. escapeToURL(String input, int maxLength) - , URL (. 3). , 'disableScriptSignatures'. urlEncode(String s) – URLEncoder.encode

, .

1 ( )

[CASE1]

Username [CASE1]



2 ( , – URL)


Click here


3 ( - URL)




4 ( SCRIPT', – )



5 ( – declaration )



XSSEncoder.
- XSSEncoder ( : com.sap.security.core.server.csi.XSSEncoder).

:
HTML / XML out = XSSEncoder.encodeHTML( in ) and XSSEncoder.encodeXML( val ); JavaScript out = XSSEncoder.encodeJavaScript( val ); URL out = XSSEncoder.encodeURL( val ); CSS out = XSSEncoder.encodeCSS( val );

, . SAP Security Note 1590008.
WebDynpro Java
WebDynpro Java, XSS. .
SAP UI Development Kit for HTML5
SAP UI Development Kit HTML5, jQuery /_core/src/main/js/jquery.sap.encoder.js.
:
HTML / XML jQuery.sap.encodeHTML(sValue) and jQuery.sap.encodeXML(sValue) JavaScript jQuery.sap.encodeJS(sValue) URL jQuery.sap.encodeURL(sValue) CSS jQuery.sap.encodeCSS(sValue)
:

, :
Global_app_config/session_config/sessionTimeout = 900. - , . SystemCookiesDataProtection = true. HttpOnly , - , , . HTTPOnly, Logon tickets XSS-. ume.logon.httponlycookie= True. Logon tickets , Single Sign-On J2EE Engine. “True” , HTTP document.cookie ( XSS-) . SessionIPProtectionEnabled = True. , IP . True, HTTP- IP. IP, .


, , - XSS-, - -, .
LogCLF = TRUE http.properties logging CEF. ArchiveOldLogFiles = ON. Log Configurator . . , . , . . HttpTrace= Enable. HTTP- , ConfigTool. HTTP Provider Service, , HttpTrace.
SAP HANA XS

, XSS- – SAP HANA.


SAP HANA SAPUI5.
- SAPUI5 , . , int int, sap.ui.core . – , HTML:

, :
sessiontimeout = 900. - , . HttpOnly .



, , - XSS-, - -, .

HTTP (S) , SAP HANA, -. - HTTP (S) , icm/http/logging _ 0: global _ auditing _ state = true. global.ini, . , , XSS-. SAP HANA Administration Console –> Security HDB –> Auditing Status menu.



- , XSS. , , - SAP . XSS- – SAP. SAP XSS-. XSS SAP.

, ( chipik ) .


Logging additional information ABAP protection SAP Encoding Functions for AS ABAP Java protection SAP Encoding Functions for AS Java and JavaScript Prevention of Cross-site Scripting SAP HANA protection Protecting SAP® Applications Based on Java and ABAP™ Against Common Attacks

<%@page language="abap" forceEncode="html"%> <% data: inputvalue type string. inputvalue = request->get_form_field( 'x' ). %> </html> . , ( ): <%html=...%>: HTML <%url=...%>: URL URL <%javascript=...%>: JavaScript <%css=…%> : CSS <%raw=...%> ( , , , ) BSP BSP HTMLB forceEncode <htmlb:content> ENABLED , ( ). ENABLED , , :<htmlb:content forceEncode="ENABLED|BACKWARDS_COMPATIBLE"> ENABLED: . , ; BACKWARDS_COMPATIBLE: . , . , htmlb:content , . : CLASSIC, DESIGN2002, DESIGN2003, DESIGN2008, , (+). CLASSIC DESIGN2002 (, ) . <htmlb:content forceEncode="ENABLED" design="DESIGN2003+DESIGN2008"> , design=CLASSIC. . Mixed BSP- HTML HTMLB forceEncode BSP page forceEncode HTMLB . , – HTMLB. , , HTML BSP, Internet Transaction Server (ITS) HTML Business Internet Transaction Server (ITS) HTML Business, : xss_url_escape() xss_html_escape() xss_wml_escape() xss_css_escape() xss_js_escape() HTML Business , HTML-: , (`) , : ~auto_html_escaping=1: , ~new_xss_functions=1: XSS. ~html_escaping_off=1/0, . , , SAP_BASIS: ITS ( <= 6.40), Internet Service SE80. ITS ( >= 6.40), GUI SICF : 7.20, ~new_xss_functions, XSS- . , , , . ~html_escaping_off=”X”, . , . SAP Security Note 1488500. Business HTML (BHTML) HTMLBusiness Template Library (, SAP_TemplateNonEditableField()) . , . SAP Security Note 916255. , . , . , XSS-: http/security_session_timeout = 900; - , . icf/set_HTTPonly_flag_on_cookies = 0; HttpOnly , - , , . HTTPOnly, Logon tickets XSS-. , RZ10, ( Profile) (, DEFAULT.PFL, SAP-). , , , Extended maintenance . , Copy. , , - , - -, : icm/HTTP/logging_0 icm/security_log , SAP NetWeaver J2EE SAP NetWeaver J2EE AS Java tc_sec_csi.jar. , HTML/XML, JavaScript, CSS URL. StringUtils (com.sap.security.core.server.csi.util.StringUtils): . Securing SAP from XSS vulnerabilities escapeScriptEndTag(String pStr) - , javascript ; escapeToHTML(String input) – (. 1) escapeToJS(String input) – JS declaration ( . 5) escapeToURL(String input) – , URL ( 3). , 'disableScriptSignatures'. escapeToURL(StringBuffer sb, String input, int maxLength) - , URL ( 3). , 'disableScriptSignatures'. escapeToURL(String input, int maxLength) - , URL (. 3). , 'disableScriptSignatures'. urlEncode(String s) – URLEncoder.encode , . 1 ( ) [CASE1] Username [CASE1] 2 ( , – URL) Click here 3 ( - URL) 4 ( SCRIPT', – ) 5 ( – declaration ) XSSEncoder. - XSSEncoder ( : com.sap.security.core.server.csi.XSSEncoder). : HTML / XML out = XSSEncoder.encodeHTML( in ) and XSSEncoder.encodeXML( val ); JavaScript out = XSSEncoder.encodeJavaScript( val ); URL out = XSSEncoder.encodeURL( val ); CSS out = XSSEncoder.encodeCSS( val ); , . SAP Security Note 1590008. WebDynpro Java WebDynpro Java, XSS. . SAP UI Development Kit for HTML5 SAP UI Development Kit HTML5, jQuery /_core/src/main/js/jquery.sap.encoder.js. : HTML / XML jQuery.sap.encodeHTML(sValue) and jQuery.sap.encodeXML(sValue) JavaScript jQuery.sap.encodeJS(sValue) URL jQuery.sap.encodeURL(sValue) CSS jQuery.sap.encodeCSS(sValue) : , : Global_app_config/session_config/sessionTimeout = 900. - , . SystemCookiesDataProtection = true. HttpOnly , - , , . HTTPOnly, Logon tickets XSS-. ume.logon.httponlycookie= True. Logon tickets , Single Sign-On J2EE Engine. “True” , HTTP document.cookie ( XSS-) . SessionIPProtectionEnabled = True. , IP . True, HTTP- IP. IP, . , , - XSS-, - -, . LogCLF = TRUE http.properties logging CEF. ArchiveOldLogFiles = ON. Log Configurator . . , . , . . HttpTrace= Enable. HTTP- , ConfigTool. HTTP Provider Service, , HttpTrace. SAP HANA XS , XSS- – SAP HANA. SAP HANA SAPUI5. - SAPUI5 , . , int int, sap.ui.core . – , HTML: , : sessiontimeout = 900. - , . HttpOnly . , , - XSS-, - -, . HTTP (S) , SAP HANA, -. - HTTP (S) , icm/http/logging _ 0: global _ auditing _ state = true. global.ini, . , , XSS-. SAP HANA Administration Console –> Security HDB –> Auditing Status menu. - , XSS. , , - SAP . XSS- – SAP. SAP XSS-. XSS SAP. , ( chipik ) . Logging additional information ABAP protection SAP Encoding Functions for AS ABAP Java protection SAP Encoding Functions for AS Java and JavaScript Prevention of Cross-site Scripting SAP HANA protection Protecting SAP® Applications Based on Java and ABAP™ Against Common Attacks
<%@page language="abap" forceEncode="html"%> <% data: inputvalue type string. inputvalue = request->get_form_field( 'x' ). %> </html> . , ( ): <%html=...%>: HTML <%url=...%>: URL URL <%javascript=...%>: JavaScript <%css=…%> : CSS <%raw=...%> ( , , , ) BSP BSP HTMLB forceEncode <htmlb:content> ENABLED , ( ). ENABLED , , :<htmlb:content forceEncode="ENABLED|BACKWARDS_COMPATIBLE"> ENABLED: . , ; BACKWARDS_COMPATIBLE: . , . , htmlb:content , . : CLASSIC, DESIGN2002, DESIGN2003, DESIGN2008, , (+). CLASSIC DESIGN2002 (, ) . <htmlb:content forceEncode="ENABLED" design="DESIGN2003+DESIGN2008"> , design=CLASSIC. . Mixed BSP- HTML HTMLB forceEncode BSP page forceEncode HTMLB . , – HTMLB. , , HTML BSP, Internet Transaction Server (ITS) HTML Business Internet Transaction Server (ITS) HTML Business, : xss_url_escape() xss_html_escape() xss_wml_escape() xss_css_escape() xss_js_escape() HTML Business , HTML-: , (`) , : ~auto_html_escaping=1: , ~new_xss_functions=1: XSS. ~html_escaping_off=1/0, . , , SAP_BASIS: ITS ( <= 6.40), Internet Service SE80. ITS ( >= 6.40), GUI SICF : 7.20, ~new_xss_functions, XSS- . , , , . ~html_escaping_off=”X”, . , . SAP Security Note 1488500. Business HTML (BHTML) HTMLBusiness Template Library (, SAP_TemplateNonEditableField()) . , . SAP Security Note 916255. , . , . , XSS-: http/security_session_timeout = 900; - , . icf/set_HTTPonly_flag_on_cookies = 0; HttpOnly , - , , . HTTPOnly, Logon tickets XSS-. , RZ10, ( Profile) (, DEFAULT.PFL, SAP-). , , , Extended maintenance . , Copy. , , - , - -, : icm/HTTP/logging_0 icm/security_log , SAP NetWeaver J2EE SAP NetWeaver J2EE AS Java tc_sec_csi.jar. , HTML/XML, JavaScript, CSS URL. StringUtils (com.sap.security.core.server.csi.util.StringUtils): . Securing SAP from XSS vulnerabilities escapeScriptEndTag(String pStr) - , javascript ; escapeToHTML(String input) – (. 1) escapeToJS(String input) – JS declaration ( . 5) escapeToURL(String input) – , URL ( 3). , 'disableScriptSignatures'. escapeToURL(StringBuffer sb, String input, int maxLength) - , URL ( 3). , 'disableScriptSignatures'. escapeToURL(String input, int maxLength) - , URL (. 3). , 'disableScriptSignatures'. urlEncode(String s) – URLEncoder.encode , . 1 ( ) [CASE1] Username [CASE1] 2 ( , – URL) Click here 3 ( - URL) 4 ( SCRIPT', – ) 5 ( – declaration ) XSSEncoder. - XSSEncoder ( : com.sap.security.core.server.csi.XSSEncoder). : HTML / XML out = XSSEncoder.encodeHTML( in ) and XSSEncoder.encodeXML( val ); JavaScript out = XSSEncoder.encodeJavaScript( val ); URL out = XSSEncoder.encodeURL( val ); CSS out = XSSEncoder.encodeCSS( val ); , . SAP Security Note 1590008. WebDynpro Java WebDynpro Java, XSS. . SAP UI Development Kit for HTML5 SAP UI Development Kit HTML5, jQuery /_core/src/main/js/jquery.sap.encoder.js. : HTML / XML jQuery.sap.encodeHTML(sValue) and jQuery.sap.encodeXML(sValue) JavaScript jQuery.sap.encodeJS(sValue) URL jQuery.sap.encodeURL(sValue) CSS jQuery.sap.encodeCSS(sValue) : , : Global_app_config/session_config/sessionTimeout = 900. - , . SystemCookiesDataProtection = true. HttpOnly , - , , . HTTPOnly, Logon tickets XSS-. ume.logon.httponlycookie= True. Logon tickets , Single Sign-On J2EE Engine. “True” , HTTP document.cookie ( XSS-) . SessionIPProtectionEnabled = True. , IP . True, HTTP- IP. IP, . , , - XSS-, - -, . LogCLF = TRUE http.properties logging CEF. ArchiveOldLogFiles = ON. Log Configurator . . , . , . . HttpTrace= Enable. HTTP- , ConfigTool. HTTP Provider Service, , HttpTrace. SAP HANA XS , XSS- – SAP HANA. SAP HANA SAPUI5. - SAPUI5 , . , int int, sap.ui.core . – , HTML: , : sessiontimeout = 900. - , . HttpOnly . , , - XSS-, - -, . HTTP (S) , SAP HANA, -. - HTTP (S) , icm/http/logging _ 0: global _ auditing _ state = true. global.ini, . , , XSS-. SAP HANA Administration Console –> Security HDB –> Auditing Status menu. - , XSS. , , - SAP . XSS- – SAP. SAP XSS-. XSS SAP. , ( chipik ) . Logging additional information ABAP protection SAP Encoding Functions for AS ABAP Java protection SAP Encoding Functions for AS Java and JavaScript Prevention of Cross-site Scripting SAP HANA protection Protecting SAP® Applications Based on Java and ABAP™ Against Common Attacks
<%@page language="abap" forceEncode="html"%> <% data: inputvalue type string. inputvalue = request->get_form_field( 'x' ). %> </html> . , ( ): <%html=...%>: HTML <%url=...%>: URL URL <%javascript=...%>: JavaScript <%css=…%> : CSS <%raw=...%> ( , , , ) BSP BSP HTMLB forceEncode <htmlb:content> ENABLED , ( ). ENABLED , , :<htmlb:content forceEncode="ENABLED|BACKWARDS_COMPATIBLE"> ENABLED: . , ; BACKWARDS_COMPATIBLE: . , . , htmlb:content , . : CLASSIC, DESIGN2002, DESIGN2003, DESIGN2008, , (+). CLASSIC DESIGN2002 (, ) . <htmlb:content forceEncode="ENABLED" design="DESIGN2003+DESIGN2008"> , design=CLASSIC. . Mixed BSP- HTML HTMLB forceEncode BSP page forceEncode HTMLB . , – HTMLB. , , HTML BSP, Internet Transaction Server (ITS) HTML Business Internet Transaction Server (ITS) HTML Business, : xss_url_escape() xss_html_escape() xss_wml_escape() xss_css_escape() xss_js_escape() HTML Business , HTML-: , (`) , : ~auto_html_escaping=1: , ~new_xss_functions=1: XSS. ~html_escaping_off=1/0, . , , SAP_BASIS: ITS ( <= 6.40), Internet Service SE80. ITS ( >= 6.40), GUI SICF : 7.20, ~new_xss_functions, XSS- . , , , . ~html_escaping_off=”X”, . , . SAP Security Note 1488500. Business HTML (BHTML) HTMLBusiness Template Library (, SAP_TemplateNonEditableField()) . , . SAP Security Note 916255. , . , . , XSS-: http/security_session_timeout = 900; - , . icf/set_HTTPonly_flag_on_cookies = 0; HttpOnly , - , , . HTTPOnly, Logon tickets XSS-. , RZ10, ( Profile) (, DEFAULT.PFL, SAP-). , , , Extended maintenance . , Copy. , , - , - -, : icm/HTTP/logging_0 icm/security_log , SAP NetWeaver J2EE SAP NetWeaver J2EE AS Java tc_sec_csi.jar. , HTML/XML, JavaScript, CSS URL. StringUtils (com.sap.security.core.server.csi.util.StringUtils): . Securing SAP from XSS vulnerabilities escapeScriptEndTag(String pStr) - , javascript ; escapeToHTML(String input) – (. 1) escapeToJS(String input) – JS declaration ( . 5) escapeToURL(String input) – , URL ( 3). , 'disableScriptSignatures'. escapeToURL(StringBuffer sb, String input, int maxLength) - , URL ( 3). , 'disableScriptSignatures'. escapeToURL(String input, int maxLength) - , URL (. 3). , 'disableScriptSignatures'. urlEncode(String s) – URLEncoder.encode , . 1 ( ) [CASE1] Username [CASE1] 2 ( , – URL) Click here 3 ( - URL) 4 ( SCRIPT', – ) 5 ( – declaration ) XSSEncoder. - XSSEncoder ( : com.sap.security.core.server.csi.XSSEncoder). : HTML / XML out = XSSEncoder.encodeHTML( in ) and XSSEncoder.encodeXML( val ); JavaScript out = XSSEncoder.encodeJavaScript( val ); URL out = XSSEncoder.encodeURL( val ); CSS out = XSSEncoder.encodeCSS( val ); , . SAP Security Note 1590008. WebDynpro Java WebDynpro Java, XSS. . SAP UI Development Kit for HTML5 SAP UI Development Kit HTML5, jQuery /_core/src/main/js/jquery.sap.encoder.js. : HTML / XML jQuery.sap.encodeHTML(sValue) and jQuery.sap.encodeXML(sValue) JavaScript jQuery.sap.encodeJS(sValue) URL jQuery.sap.encodeURL(sValue) CSS jQuery.sap.encodeCSS(sValue) : , : Global_app_config/session_config/sessionTimeout = 900. - , . SystemCookiesDataProtection = true. HttpOnly , - , , . HTTPOnly, Logon tickets XSS-. ume.logon.httponlycookie= True. Logon tickets , Single Sign-On J2EE Engine. “True” , HTTP document.cookie ( XSS-) . SessionIPProtectionEnabled = True. , IP . True, HTTP- IP. IP, . , , - XSS-, - -, . LogCLF = TRUE http.properties logging CEF. ArchiveOldLogFiles = ON. Log Configurator . . , . , . . HttpTrace= Enable. HTTP- , ConfigTool. HTTP Provider Service, , HttpTrace. SAP HANA XS , XSS- – SAP HANA. SAP HANA SAPUI5. - SAPUI5 , . , int int, sap.ui.core . – , HTML: , : sessiontimeout = 900. - , . HttpOnly . , , - XSS-, - -, . HTTP (S) , SAP HANA, -. - HTTP (S) , icm/http/logging _ 0: global _ auditing _ state = true. global.ini, . , , XSS-. SAP HANA Administration Console –> Security HDB –> Auditing Status menu. - , XSS. , , - SAP . XSS- – SAP. SAP XSS-. XSS SAP. , ( chipik ) . Logging additional information ABAP protection SAP Encoding Functions for AS ABAP Java protection SAP Encoding Functions for AS Java and JavaScript Prevention of Cross-site Scripting SAP HANA protection Protecting SAP® Applications Based on Java and ABAP™ Against Common Attacks
<%@page language="abap" forceEncode="html"%> <% data: inputvalue type string. inputvalue = request->get_form_field( 'x' ). %> </html> . , ( ): <%html=...%>: HTML <%url=...%>: URL URL <%javascript=...%>: JavaScript <%css=…%> : CSS <%raw=...%> ( , , , ) BSP BSP HTMLB forceEncode <htmlb:content> ENABLED , ( ). ENABLED , , :<htmlb:content forceEncode="ENABLED|BACKWARDS_COMPATIBLE"> ENABLED: . , ; BACKWARDS_COMPATIBLE: . , . , htmlb:content , . : CLASSIC, DESIGN2002, DESIGN2003, DESIGN2008, , (+). CLASSIC DESIGN2002 (, ) . <htmlb:content forceEncode="ENABLED" design="DESIGN2003+DESIGN2008"> , design=CLASSIC. . Mixed BSP- HTML HTMLB forceEncode BSP page forceEncode HTMLB . , – HTMLB. , , HTML BSP, Internet Transaction Server (ITS) HTML Business Internet Transaction Server (ITS) HTML Business, : xss_url_escape() xss_html_escape() xss_wml_escape() xss_css_escape() xss_js_escape() HTML Business , HTML-: , (`) , : ~auto_html_escaping=1: , ~new_xss_functions=1: XSS. ~html_escaping_off=1/0, . , , SAP_BASIS: ITS ( <= 6.40), Internet Service SE80. ITS ( >= 6.40), GUI SICF : 7.20, ~new_xss_functions, XSS- . , , , . ~html_escaping_off=”X”, . , . SAP Security Note 1488500. Business HTML (BHTML) HTMLBusiness Template Library (, SAP_TemplateNonEditableField()) . , . SAP Security Note 916255. , . , . , XSS-: http/security_session_timeout = 900; - , . icf/set_HTTPonly_flag_on_cookies = 0; HttpOnly , - , , . HTTPOnly, Logon tickets XSS-. , RZ10, ( Profile) (, DEFAULT.PFL, SAP-). , , , Extended maintenance . , Copy. , , - , - -, : icm/HTTP/logging_0 icm/security_log , SAP NetWeaver J2EE SAP NetWeaver J2EE AS Java tc_sec_csi.jar. , HTML/XML, JavaScript, CSS URL. StringUtils (com.sap.security.core.server.csi.util.StringUtils): . Securing SAP from XSS vulnerabilities escapeScriptEndTag(String pStr) - , javascript ; escapeToHTML(String input) – (. 1) escapeToJS(String input) – JS declaration ( . 5) escapeToURL(String input) – , URL ( 3). , 'disableScriptSignatures'. escapeToURL(StringBuffer sb, String input, int maxLength) - , URL ( 3). , 'disableScriptSignatures'. escapeToURL(String input, int maxLength) - , URL (. 3). , 'disableScriptSignatures'. urlEncode(String s) – URLEncoder.encode , . 1 ( ) [CASE1] Username [CASE1] 2 ( , – URL) Click here 3 ( - URL) 4 ( SCRIPT', – ) 5 ( – declaration ) XSSEncoder. - XSSEncoder ( : com.sap.security.core.server.csi.XSSEncoder). : HTML / XML out = XSSEncoder.encodeHTML( in ) and XSSEncoder.encodeXML( val ); JavaScript out = XSSEncoder.encodeJavaScript( val ); URL out = XSSEncoder.encodeURL( val ); CSS out = XSSEncoder.encodeCSS( val ); , . SAP Security Note 1590008. WebDynpro Java WebDynpro Java, XSS. . SAP UI Development Kit for HTML5 SAP UI Development Kit HTML5, jQuery /_core/src/main/js/jquery.sap.encoder.js. : HTML / XML jQuery.sap.encodeHTML(sValue) and jQuery.sap.encodeXML(sValue) JavaScript jQuery.sap.encodeJS(sValue) URL jQuery.sap.encodeURL(sValue) CSS jQuery.sap.encodeCSS(sValue) : , : Global_app_config/session_config/sessionTimeout = 900. - , . SystemCookiesDataProtection = true. HttpOnly , - , , . HTTPOnly, Logon tickets XSS-. ume.logon.httponlycookie= True. Logon tickets , Single Sign-On J2EE Engine. “True” , HTTP document.cookie ( XSS-) . SessionIPProtectionEnabled = True. , IP . True, HTTP- IP. IP, . , , - XSS-, - -, . LogCLF = TRUE http.properties logging CEF. ArchiveOldLogFiles = ON. Log Configurator . . , . , . . HttpTrace= Enable. HTTP- , ConfigTool. HTTP Provider Service, , HttpTrace. SAP HANA XS , XSS- – SAP HANA. SAP HANA SAPUI5. - SAPUI5 , . , int int, sap.ui.core . – , HTML: , : sessiontimeout = 900. - , . HttpOnly . , , - XSS-, - -, . HTTP (S) , SAP HANA, -. - HTTP (S) , icm/http/logging _ 0: global _ auditing _ state = true. global.ini, . , , XSS-. SAP HANA Administration Console –> Security HDB –> Auditing Status menu. - , XSS. , , - SAP . XSS- – SAP. SAP XSS-. XSS SAP. , ( chipik ) . Logging additional information ABAP protection SAP Encoding Functions for AS ABAP Java protection SAP Encoding Functions for AS Java and JavaScript Prevention of Cross-site Scripting SAP HANA protection Protecting SAP® Applications Based on Java and ABAP™ Against Common Attacks

<%@page language="abap" forceEncode="html"%>
<% data: inputvalue type string.
inputvalue = request->get_form_field( 'x' ).
%>
</html>


. , ( ):

<%html=...%>: HTML <%url=...%>: URL URL <%javascript=...%>: JavaScript <%css=…%> : CSS <%raw=...%> ( , , , )

BSP

BSP HTMLB forceEncode <htmlb:content> ENABLED , ( ). ENABLED , , :<htmlb:content forceEncode="ENABLED|BACKWARDS_COMPATIBLE">

ENABLED: . , ; BACKWARDS_COMPATIBLE: . , .

, htmlb:content , . : CLASSIC, DESIGN2002, DESIGN2003, DESIGN2008, , (+). CLASSIC DESIGN2002 (, ) .

<htmlb:content forceEncode="ENABLED" design="DESIGN2003+DESIGN2008">


, design=CLASSIC. .

Mixed BSP- HTML HTMLB

forceEncode BSP page forceEncode HTMLB . , – HTMLB. , , HTML BSP,

Internet Transaction Server (ITS) HTML Business

Internet Transaction Server (ITS) HTML Business, :

xss_url_escape() xss_html_escape() xss_wml_escape() xss_css_escape() xss_js_escape()
HTML Business

, HTML-: , (`) , :
~auto_html_escaping=1: , ~new_xss_functions=1: XSS.
~html_escaping_off=1/0, .
, , SAP_BASIS:
ITS ( <= 6.40), Internet Service SE80. ITS ( >= 6.40), GUI SICF :

7.20, ~new_xss_functions, XSS- .

, , , . ~html_escaping_off=”X”, . , . SAP Security Note 1488500.

Business HTML (BHTML)

HTMLBusiness Template Library (, SAP_TemplateNonEditableField()) . , . SAP Security Note 916255.



, . , .



, XSS-:

http/security_session_timeout = 900; - , . icf/set_HTTPonly_flag_on_cookies = 0; HttpOnly , - , , . HTTPOnly, Logon tickets XSS-.

, RZ10, ( Profile) (, DEFAULT.PFL, SAP-). , , , Extended maintenance . , Copy.



, , - , - -, :
icm/HTTP/logging_0 icm/security_log ,

SAP NetWeaver J2EE

SAP NetWeaver J2EE



AS Java tc_sec_csi.jar. , HTML/XML, JavaScript, CSS URL. StringUtils (com.sap.security.core.server.csi.util.StringUtils):

. Securing SAP from XSS vulnerabilities
escapeScriptEndTag(String pStr) - , javascript ; escapeToHTML(String input) – (. 1) escapeToJS(String input) – JS declaration ( . 5) escapeToURL(String input) – , URL ( 3). , 'disableScriptSignatures'. escapeToURL(StringBuffer sb, String input, int maxLength) - , URL ( 3). , 'disableScriptSignatures'. escapeToURL(String input, int maxLength) - , URL (. 3). , 'disableScriptSignatures'. urlEncode(String s) – URLEncoder.encode

, .

1 ( )

[CASE1]

Username [CASE1]



2 ( , – URL)


Click here


3 ( - URL)




4 ( SCRIPT', – )



5 ( – declaration )



XSSEncoder.
- XSSEncoder ( : com.sap.security.core.server.csi.XSSEncoder).

:
HTML / XML out = XSSEncoder.encodeHTML( in ) and XSSEncoder.encodeXML( val ); JavaScript out = XSSEncoder.encodeJavaScript( val ); URL out = XSSEncoder.encodeURL( val ); CSS out = XSSEncoder.encodeCSS( val );

, . SAP Security Note 1590008.
WebDynpro Java
WebDynpro Java, XSS. .
SAP UI Development Kit for HTML5
SAP UI Development Kit HTML5, jQuery /_core/src/main/js/jquery.sap.encoder.js.
:
HTML / XML jQuery.sap.encodeHTML(sValue) and jQuery.sap.encodeXML(sValue) JavaScript jQuery.sap.encodeJS(sValue) URL jQuery.sap.encodeURL(sValue) CSS jQuery.sap.encodeCSS(sValue)
:

, :
Global_app_config/session_config/sessionTimeout = 900. - , . SystemCookiesDataProtection = true. HttpOnly , - , , . HTTPOnly, Logon tickets XSS-. ume.logon.httponlycookie= True. Logon tickets , Single Sign-On J2EE Engine. “True” , HTTP document.cookie ( XSS-) . SessionIPProtectionEnabled = True. , IP . True, HTTP- IP. IP, .


, , - XSS-, - -, .
LogCLF = TRUE http.properties logging CEF. ArchiveOldLogFiles = ON. Log Configurator . . , . , . . HttpTrace= Enable. HTTP- , ConfigTool. HTTP Provider Service, , HttpTrace.
SAP HANA XS

, XSS- – SAP HANA.


SAP HANA SAPUI5.
- SAPUI5 , . , int int, sap.ui.core . – , HTML:

, :
sessiontimeout = 900. - , . HttpOnly .



, , - XSS-, - -, .

HTTP (S) , SAP HANA, -. - HTTP (S) , icm/http/logging _ 0: global _ auditing _ state = true. global.ini, . , , XSS-. SAP HANA Administration Console –> Security HDB –> Auditing Status menu.



- , XSS. , , - SAP . XSS- – SAP. SAP XSS-. XSS SAP.

, ( chipik ) .


Logging additional information ABAP protection SAP Encoding Functions for AS ABAP Java protection SAP Encoding Functions for AS Java and JavaScript Prevention of Cross-site Scripting SAP HANA protection Protecting SAP® Applications Based on Java and ABAP™ Against Common Attacks

<%@page language="abap" forceEncode="html"%> <% data: inputvalue type string. inputvalue = request->get_form_field( 'x' ). %> </html> . , ( ): <%html=...%>: HTML <%url=...%>: URL URL <%javascript=...%>: JavaScript <%css=…%> : CSS <%raw=...%> ( , , , ) BSP BSP HTMLB forceEncode <htmlb:content> ENABLED , ( ). ENABLED , , :<htmlb:content forceEncode="ENABLED|BACKWARDS_COMPATIBLE"> ENABLED: . , ; BACKWARDS_COMPATIBLE: . , . , htmlb:content , . : CLASSIC, DESIGN2002, DESIGN2003, DESIGN2008, , (+). CLASSIC DESIGN2002 (, ) . <htmlb:content forceEncode="ENABLED" design="DESIGN2003+DESIGN2008"> , design=CLASSIC. . Mixed BSP- HTML HTMLB forceEncode BSP page forceEncode HTMLB . , – HTMLB. , , HTML BSP, Internet Transaction Server (ITS) HTML Business Internet Transaction Server (ITS) HTML Business, : xss_url_escape() xss_html_escape() xss_wml_escape() xss_css_escape() xss_js_escape() HTML Business , HTML-: , (`) , : ~auto_html_escaping=1: , ~new_xss_functions=1: XSS. ~html_escaping_off=1/0, . , , SAP_BASIS: ITS ( <= 6.40), Internet Service SE80. ITS ( >= 6.40), GUI SICF : 7.20, ~new_xss_functions, XSS- . , , , . ~html_escaping_off=”X”, . , . SAP Security Note 1488500. Business HTML (BHTML) HTMLBusiness Template Library (, SAP_TemplateNonEditableField()) . , . SAP Security Note 916255. , . , . , XSS-: http/security_session_timeout = 900; - , . icf/set_HTTPonly_flag_on_cookies = 0; HttpOnly , - , , . HTTPOnly, Logon tickets XSS-. , RZ10, ( Profile) (, DEFAULT.PFL, SAP-). , , , Extended maintenance . , Copy. , , - , - -, : icm/HTTP/logging_0 icm/security_log , SAP NetWeaver J2EE SAP NetWeaver J2EE AS Java tc_sec_csi.jar. , HTML/XML, JavaScript, CSS URL. StringUtils (com.sap.security.core.server.csi.util.StringUtils): . Securing SAP from XSS vulnerabilities escapeScriptEndTag(String pStr) - , javascript ; escapeToHTML(String input) – (. 1) escapeToJS(String input) – JS declaration ( . 5) escapeToURL(String input) – , URL ( 3). , 'disableScriptSignatures'. escapeToURL(StringBuffer sb, String input, int maxLength) - , URL ( 3). , 'disableScriptSignatures'. escapeToURL(String input, int maxLength) - , URL (. 3). , 'disableScriptSignatures'. urlEncode(String s) – URLEncoder.encode , . 1 ( ) [CASE1] Username [CASE1] 2 ( , – URL) Click here 3 ( - URL) 4 ( SCRIPT', – ) 5 ( – declaration ) XSSEncoder. - XSSEncoder ( : com.sap.security.core.server.csi.XSSEncoder). : HTML / XML out = XSSEncoder.encodeHTML( in ) and XSSEncoder.encodeXML( val ); JavaScript out = XSSEncoder.encodeJavaScript( val ); URL out = XSSEncoder.encodeURL( val ); CSS out = XSSEncoder.encodeCSS( val ); , . SAP Security Note 1590008. WebDynpro Java WebDynpro Java, XSS. . SAP UI Development Kit for HTML5 SAP UI Development Kit HTML5, jQuery /_core/src/main/js/jquery.sap.encoder.js. : HTML / XML jQuery.sap.encodeHTML(sValue) and jQuery.sap.encodeXML(sValue) JavaScript jQuery.sap.encodeJS(sValue) URL jQuery.sap.encodeURL(sValue) CSS jQuery.sap.encodeCSS(sValue) : , : Global_app_config/session_config/sessionTimeout = 900. - , . SystemCookiesDataProtection = true. HttpOnly , - , , . HTTPOnly, Logon tickets XSS-. ume.logon.httponlycookie= True. Logon tickets , Single Sign-On J2EE Engine. “True” , HTTP document.cookie ( XSS-) . SessionIPProtectionEnabled = True. , IP . True, HTTP- IP. IP, . , , - XSS-, - -, . LogCLF = TRUE http.properties logging CEF. ArchiveOldLogFiles = ON. Log Configurator . . , . , . . HttpTrace= Enable. HTTP- , ConfigTool. HTTP Provider Service, , HttpTrace. SAP HANA XS , XSS- – SAP HANA. SAP HANA SAPUI5. - SAPUI5 , . , int int, sap.ui.core . – , HTML: , : sessiontimeout = 900. - , . HttpOnly . , , - XSS-, - -, . HTTP (S) , SAP HANA, -. - HTTP (S) , icm/http/logging _ 0: global _ auditing _ state = true. global.ini, . , , XSS-. SAP HANA Administration Console –> Security HDB –> Auditing Status menu. - , XSS. , , - SAP . XSS- – SAP. SAP XSS-. XSS SAP. , ( chipik ) . Logging additional information ABAP protection SAP Encoding Functions for AS ABAP Java protection SAP Encoding Functions for AS Java and JavaScript Prevention of Cross-site Scripting SAP HANA protection Protecting SAP® Applications Based on Java and ABAP™ Against Common Attacks

<%@page language="abap" forceEncode="html"%>
<% data: inputvalue type string.
inputvalue = request->get_form_field( 'x' ).
%>
</html>


. , ( ):

<%html=...%>: HTML <%url=...%>: URL URL <%javascript=...%>: JavaScript <%css=…%> : CSS <%raw=...%> ( , , , )

BSP

BSP HTMLB forceEncode <htmlb:content> ENABLED , ( ). ENABLED , , :<htmlb:content forceEncode="ENABLED|BACKWARDS_COMPATIBLE">

ENABLED: . , ; BACKWARDS_COMPATIBLE: . , .

, htmlb:content , . : CLASSIC, DESIGN2002, DESIGN2003, DESIGN2008, , (+). CLASSIC DESIGN2002 (, ) .

<htmlb:content forceEncode="ENABLED" design="DESIGN2003+DESIGN2008">


, design=CLASSIC. .

Mixed BSP- HTML HTMLB

forceEncode BSP page forceEncode HTMLB . , – HTMLB. , , HTML BSP,

Internet Transaction Server (ITS) HTML Business

Internet Transaction Server (ITS) HTML Business, :

xss_url_escape() xss_html_escape() xss_wml_escape() xss_css_escape() xss_js_escape()
HTML Business

, HTML-: , (`) , :
~auto_html_escaping=1: , ~new_xss_functions=1: XSS.
~html_escaping_off=1/0, .
, , SAP_BASIS:
ITS ( <= 6.40), Internet Service SE80. ITS ( >= 6.40), GUI SICF :

7.20, ~new_xss_functions, XSS- .

, , , . ~html_escaping_off=”X”, . , . SAP Security Note 1488500.

Business HTML (BHTML)

HTMLBusiness Template Library (, SAP_TemplateNonEditableField()) . , . SAP Security Note 916255.



, . , .



, XSS-:

http/security_session_timeout = 900; - , . icf/set_HTTPonly_flag_on_cookies = 0; HttpOnly , - , , . HTTPOnly, Logon tickets XSS-.

, RZ10, ( Profile) (, DEFAULT.PFL, SAP-). , , , Extended maintenance . , Copy.



, , - , - -, :
icm/HTTP/logging_0 icm/security_log ,

SAP NetWeaver J2EE

SAP NetWeaver J2EE



AS Java tc_sec_csi.jar. , HTML/XML, JavaScript, CSS URL. StringUtils (com.sap.security.core.server.csi.util.StringUtils):

. Securing SAP from XSS vulnerabilities
escapeScriptEndTag(String pStr) - , javascript ; escapeToHTML(String input) – (. 1) escapeToJS(String input) – JS declaration ( . 5) escapeToURL(String input) – , URL ( 3). , 'disableScriptSignatures'. escapeToURL(StringBuffer sb, String input, int maxLength) - , URL ( 3). , 'disableScriptSignatures'. escapeToURL(String input, int maxLength) - , URL (. 3). , 'disableScriptSignatures'. urlEncode(String s) – URLEncoder.encode

, .

1 ( )

[CASE1]

Username [CASE1]



2 ( , – URL)


Click here


3 ( - URL)




4 ( SCRIPT', – )



5 ( – declaration )



XSSEncoder.
- XSSEncoder ( : com.sap.security.core.server.csi.XSSEncoder).

:
HTML / XML out = XSSEncoder.encodeHTML( in ) and XSSEncoder.encodeXML( val ); JavaScript out = XSSEncoder.encodeJavaScript( val ); URL out = XSSEncoder.encodeURL( val ); CSS out = XSSEncoder.encodeCSS( val );

, . SAP Security Note 1590008.
WebDynpro Java
WebDynpro Java, XSS. .
SAP UI Development Kit for HTML5
SAP UI Development Kit HTML5, jQuery /_core/src/main/js/jquery.sap.encoder.js.
:
HTML / XML jQuery.sap.encodeHTML(sValue) and jQuery.sap.encodeXML(sValue) JavaScript jQuery.sap.encodeJS(sValue) URL jQuery.sap.encodeURL(sValue) CSS jQuery.sap.encodeCSS(sValue)
:

, :
Global_app_config/session_config/sessionTimeout = 900. - , . SystemCookiesDataProtection = true. HttpOnly , - , , . HTTPOnly, Logon tickets XSS-. ume.logon.httponlycookie= True. Logon tickets , Single Sign-On J2EE Engine. “True” , HTTP document.cookie ( XSS-) . SessionIPProtectionEnabled = True. , IP . True, HTTP- IP. IP, .


, , - XSS-, - -, .
LogCLF = TRUE http.properties logging CEF. ArchiveOldLogFiles = ON. Log Configurator . . , . , . . HttpTrace= Enable. HTTP- , ConfigTool. HTTP Provider Service, , HttpTrace.
SAP HANA XS

, XSS- – SAP HANA.


SAP HANA SAPUI5.
- SAPUI5 , . , int int, sap.ui.core . – , HTML:

, :
sessiontimeout = 900. - , . HttpOnly .



, , - XSS-, - -, .

HTTP (S) , SAP HANA, -. - HTTP (S) , icm/http/logging _ 0: global _ auditing _ state = true. global.ini, . , , XSS-. SAP HANA Administration Console –> Security HDB –> Auditing Status menu.



- , XSS. , , - SAP . XSS- – SAP. SAP XSS-. XSS SAP.

, ( chipik ) .


Logging additional information ABAP protection SAP Encoding Functions for AS ABAP Java protection SAP Encoding Functions for AS Java and JavaScript Prevention of Cross-site Scripting SAP HANA protection Protecting SAP® Applications Based on Java and ABAP™ Against Common Attacks

<%@page language="abap" forceEncode="html"%> <% data: inputvalue type string. inputvalue = request->get_form_field( 'x' ). %> </html> . , ( ): <%html=...%>: HTML <%url=...%>: URL URL <%javascript=...%>: JavaScript <%css=…%> : CSS <%raw=...%> ( , , , ) BSP BSP HTMLB forceEncode <htmlb:content> ENABLED , ( ). ENABLED , , :<htmlb:content forceEncode="ENABLED|BACKWARDS_COMPATIBLE"> ENABLED: . , ; BACKWARDS_COMPATIBLE: . , . , htmlb:content , . : CLASSIC, DESIGN2002, DESIGN2003, DESIGN2008, , (+). CLASSIC DESIGN2002 (, ) . <htmlb:content forceEncode="ENABLED" design="DESIGN2003+DESIGN2008"> , design=CLASSIC. . Mixed BSP- HTML HTMLB forceEncode BSP page forceEncode HTMLB . , – HTMLB. , , HTML BSP, Internet Transaction Server (ITS) HTML Business Internet Transaction Server (ITS) HTML Business, : xss_url_escape() xss_html_escape() xss_wml_escape() xss_css_escape() xss_js_escape() HTML Business , HTML-: , (`) , : ~auto_html_escaping=1: , ~new_xss_functions=1: XSS. ~html_escaping_off=1/0, . , , SAP_BASIS: ITS ( <= 6.40), Internet Service SE80. ITS ( >= 6.40), GUI SICF : 7.20, ~new_xss_functions, XSS- . , , , . ~html_escaping_off=”X”, . , . SAP Security Note 1488500. Business HTML (BHTML) HTMLBusiness Template Library (, SAP_TemplateNonEditableField()) . , . SAP Security Note 916255. , . , . , XSS-: http/security_session_timeout = 900; - , . icf/set_HTTPonly_flag_on_cookies = 0; HttpOnly , - , , . HTTPOnly, Logon tickets XSS-. , RZ10, ( Profile) (, DEFAULT.PFL, SAP-). , , , Extended maintenance . , Copy. , , - , - -, : icm/HTTP/logging_0 icm/security_log , SAP NetWeaver J2EE SAP NetWeaver J2EE AS Java tc_sec_csi.jar. , HTML/XML, JavaScript, CSS URL. StringUtils (com.sap.security.core.server.csi.util.StringUtils): . Securing SAP from XSS vulnerabilities escapeScriptEndTag(String pStr) - , javascript ; escapeToHTML(String input) – (. 1) escapeToJS(String input) – JS declaration ( . 5) escapeToURL(String input) – , URL ( 3). , 'disableScriptSignatures'. escapeToURL(StringBuffer sb, String input, int maxLength) - , URL ( 3). , 'disableScriptSignatures'. escapeToURL(String input, int maxLength) - , URL (. 3). , 'disableScriptSignatures'. urlEncode(String s) – URLEncoder.encode , . 1 ( ) [CASE1] Username [CASE1] 2 ( , – URL) Click here 3 ( - URL) 4 ( SCRIPT', – ) 5 ( – declaration ) XSSEncoder. - XSSEncoder ( : com.sap.security.core.server.csi.XSSEncoder). : HTML / XML out = XSSEncoder.encodeHTML( in ) and XSSEncoder.encodeXML( val ); JavaScript out = XSSEncoder.encodeJavaScript( val ); URL out = XSSEncoder.encodeURL( val ); CSS out = XSSEncoder.encodeCSS( val ); , . SAP Security Note 1590008. WebDynpro Java WebDynpro Java, XSS. . SAP UI Development Kit for HTML5 SAP UI Development Kit HTML5, jQuery /_core/src/main/js/jquery.sap.encoder.js. : HTML / XML jQuery.sap.encodeHTML(sValue) and jQuery.sap.encodeXML(sValue) JavaScript jQuery.sap.encodeJS(sValue) URL jQuery.sap.encodeURL(sValue) CSS jQuery.sap.encodeCSS(sValue) : , : Global_app_config/session_config/sessionTimeout = 900. - , . SystemCookiesDataProtection = true. HttpOnly , - , , . HTTPOnly, Logon tickets XSS-. ume.logon.httponlycookie= True. Logon tickets , Single Sign-On J2EE Engine. “True” , HTTP document.cookie ( XSS-) . SessionIPProtectionEnabled = True. , IP . True, HTTP- IP. IP, . , , - XSS-, - -, . LogCLF = TRUE http.properties logging CEF. ArchiveOldLogFiles = ON. Log Configurator . . , . , . . HttpTrace= Enable. HTTP- , ConfigTool. HTTP Provider Service, , HttpTrace. SAP HANA XS , XSS- – SAP HANA. SAP HANA SAPUI5. - SAPUI5 , . , int int, sap.ui.core . – , HTML: , : sessiontimeout = 900. - , . HttpOnly . , , - XSS-, - -, . HTTP (S) , SAP HANA, -. - HTTP (S) , icm/http/logging _ 0: global _ auditing _ state = true. global.ini, . , , XSS-. SAP HANA Administration Console –> Security HDB –> Auditing Status menu. - , XSS. , , - SAP . XSS- – SAP. SAP XSS-. XSS SAP. , ( chipik ) . Logging additional information ABAP protection SAP Encoding Functions for AS ABAP Java protection SAP Encoding Functions for AS Java and JavaScript Prevention of Cross-site Scripting SAP HANA protection Protecting SAP® Applications Based on Java and ABAP™ Against Common Attacks

<%@page language="abap" forceEncode="html"%>
<% data: inputvalue type string.
inputvalue = request->get_form_field( 'x' ).
%>
</html>


. , ( ):

<%html=...%>: HTML <%url=...%>: URL URL <%javascript=...%>: JavaScript <%css=…%> : CSS <%raw=...%> ( , , , )

BSP

BSP HTMLB forceEncode <htmlb:content> ENABLED , ( ). ENABLED , , :<htmlb:content forceEncode="ENABLED|BACKWARDS_COMPATIBLE">

ENABLED: . , ; BACKWARDS_COMPATIBLE: . , .

, htmlb:content , . : CLASSIC, DESIGN2002, DESIGN2003, DESIGN2008, , (+). CLASSIC DESIGN2002 (, ) .

<htmlb:content forceEncode="ENABLED" design="DESIGN2003+DESIGN2008">


, design=CLASSIC. .

Mixed BSP- HTML HTMLB

forceEncode BSP page forceEncode HTMLB . , – HTMLB. , , HTML BSP,

Internet Transaction Server (ITS) HTML Business

Internet Transaction Server (ITS) HTML Business, :

xss_url_escape() xss_html_escape() xss_wml_escape() xss_css_escape() xss_js_escape()
HTML Business

, HTML-: , (`) , :
~auto_html_escaping=1: , ~new_xss_functions=1: XSS.
~html_escaping_off=1/0, .
, , SAP_BASIS:
ITS ( <= 6.40), Internet Service SE80. ITS ( >= 6.40), GUI SICF :

7.20, ~new_xss_functions, XSS- .

, , , . ~html_escaping_off=”X”, . , . SAP Security Note 1488500.

Business HTML (BHTML)

HTMLBusiness Template Library (, SAP_TemplateNonEditableField()) . , . SAP Security Note 916255.



, . , .



, XSS-:

http/security_session_timeout = 900; - , . icf/set_HTTPonly_flag_on_cookies = 0; HttpOnly , - , , . HTTPOnly, Logon tickets XSS-.

, RZ10, ( Profile) (, DEFAULT.PFL, SAP-). , , , Extended maintenance . , Copy.



, , - , - -, :
icm/HTTP/logging_0 icm/security_log ,

SAP NetWeaver J2EE

SAP NetWeaver J2EE



AS Java tc_sec_csi.jar. , HTML/XML, JavaScript, CSS URL. StringUtils (com.sap.security.core.server.csi.util.StringUtils):

. Securing SAP from XSS vulnerabilities
escapeScriptEndTag(String pStr) - , javascript ; escapeToHTML(String input) – (. 1) escapeToJS(String input) – JS declaration ( . 5) escapeToURL(String input) – , URL ( 3). , 'disableScriptSignatures'. escapeToURL(StringBuffer sb, String input, int maxLength) - , URL ( 3). , 'disableScriptSignatures'. escapeToURL(String input, int maxLength) - , URL (. 3). , 'disableScriptSignatures'. urlEncode(String s) – URLEncoder.encode

, .

1 ( )

[CASE1]

Username [CASE1]



2 ( , – URL)


Click here


3 ( - URL)




4 ( SCRIPT', – )



5 ( – declaration )



XSSEncoder.
- XSSEncoder ( : com.sap.security.core.server.csi.XSSEncoder).

:
HTML / XML out = XSSEncoder.encodeHTML( in ) and XSSEncoder.encodeXML( val ); JavaScript out = XSSEncoder.encodeJavaScript( val ); URL out = XSSEncoder.encodeURL( val ); CSS out = XSSEncoder.encodeCSS( val );

, . SAP Security Note 1590008.
WebDynpro Java
WebDynpro Java, XSS. .
SAP UI Development Kit for HTML5
SAP UI Development Kit HTML5, jQuery /_core/src/main/js/jquery.sap.encoder.js.
:
HTML / XML jQuery.sap.encodeHTML(sValue) and jQuery.sap.encodeXML(sValue) JavaScript jQuery.sap.encodeJS(sValue) URL jQuery.sap.encodeURL(sValue) CSS jQuery.sap.encodeCSS(sValue)
:

, :
Global_app_config/session_config/sessionTimeout = 900. - , . SystemCookiesDataProtection = true. HttpOnly , - , , . HTTPOnly, Logon tickets XSS-. ume.logon.httponlycookie= True. Logon tickets , Single Sign-On J2EE Engine. “True” , HTTP document.cookie ( XSS-) . SessionIPProtectionEnabled = True. , IP . True, HTTP- IP. IP, .


, , - XSS-, - -, .
LogCLF = TRUE http.properties logging CEF. ArchiveOldLogFiles = ON. Log Configurator . . , . , . . HttpTrace= Enable. HTTP- , ConfigTool. HTTP Provider Service, , HttpTrace.
SAP HANA XS

, XSS- – SAP HANA.


SAP HANA SAPUI5.
- SAPUI5 , . , int int, sap.ui.core . – , HTML:

, :
sessiontimeout = 900. - , . HttpOnly .



, , - XSS-, - -, .

HTTP (S) , SAP HANA, -. - HTTP (S) , icm/http/logging _ 0: global _ auditing _ state = true. global.ini, . , , XSS-. SAP HANA Administration Console –> Security HDB –> Auditing Status menu.



- , XSS. , , - SAP . XSS- – SAP. SAP XSS-. XSS SAP.

, ( chipik ) .


Logging additional information ABAP protection SAP Encoding Functions for AS ABAP Java protection SAP Encoding Functions for AS Java and JavaScript Prevention of Cross-site Scripting SAP HANA protection Protecting SAP® Applications Based on Java and ABAP™ Against Common Attacks

<%@page language="abap" forceEncode="html"%> <% data: inputvalue type string. inputvalue = request->get_form_field( 'x' ). %> </html> . , ( ): <%html=...%>: HTML <%url=...%>: URL URL <%javascript=...%>: JavaScript <%css=…%> : CSS <%raw=...%> ( , , , ) BSP BSP HTMLB forceEncode <htmlb:content> ENABLED , ( ). ENABLED , , :<htmlb:content forceEncode="ENABLED|BACKWARDS_COMPATIBLE"> ENABLED: . , ; BACKWARDS_COMPATIBLE: . , . , htmlb:content , . : CLASSIC, DESIGN2002, DESIGN2003, DESIGN2008, , (+). CLASSIC DESIGN2002 (, ) . <htmlb:content forceEncode="ENABLED" design="DESIGN2003+DESIGN2008"> , design=CLASSIC. . Mixed BSP- HTML HTMLB forceEncode BSP page forceEncode HTMLB . , – HTMLB. , , HTML BSP, Internet Transaction Server (ITS) HTML Business Internet Transaction Server (ITS) HTML Business, : xss_url_escape() xss_html_escape() xss_wml_escape() xss_css_escape() xss_js_escape() HTML Business , HTML-: , (`) , : ~auto_html_escaping=1: , ~new_xss_functions=1: XSS. ~html_escaping_off=1/0, . , , SAP_BASIS: ITS ( <= 6.40), Internet Service SE80. ITS ( >= 6.40), GUI SICF : 7.20, ~new_xss_functions, XSS- . , , , . ~html_escaping_off=”X”, . , . SAP Security Note 1488500. Business HTML (BHTML) HTMLBusiness Template Library (, SAP_TemplateNonEditableField()) . , . SAP Security Note 916255. , . , . , XSS-: http/security_session_timeout = 900; - , . icf/set_HTTPonly_flag_on_cookies = 0; HttpOnly , - , , . HTTPOnly, Logon tickets XSS-. , RZ10, ( Profile) (, DEFAULT.PFL, SAP-). , , , Extended maintenance . , Copy. , , - , - -, : icm/HTTP/logging_0 icm/security_log , SAP NetWeaver J2EE SAP NetWeaver J2EE AS Java tc_sec_csi.jar. , HTML/XML, JavaScript, CSS URL. StringUtils (com.sap.security.core.server.csi.util.StringUtils): . Securing SAP from XSS vulnerabilities escapeScriptEndTag(String pStr) - , javascript ; escapeToHTML(String input) – (. 1) escapeToJS(String input) – JS declaration ( . 5) escapeToURL(String input) – , URL ( 3). , 'disableScriptSignatures'. escapeToURL(StringBuffer sb, String input, int maxLength) - , URL ( 3). , 'disableScriptSignatures'. escapeToURL(String input, int maxLength) - , URL (. 3). , 'disableScriptSignatures'. urlEncode(String s) – URLEncoder.encode , . 1 ( ) [CASE1] Username [CASE1] 2 ( , – URL) Click here 3 ( - URL) 4 ( SCRIPT', – ) 5 ( – declaration ) XSSEncoder. - XSSEncoder ( : com.sap.security.core.server.csi.XSSEncoder). : HTML / XML out = XSSEncoder.encodeHTML( in ) and XSSEncoder.encodeXML( val ); JavaScript out = XSSEncoder.encodeJavaScript( val ); URL out = XSSEncoder.encodeURL( val ); CSS out = XSSEncoder.encodeCSS( val ); , . SAP Security Note 1590008. WebDynpro Java WebDynpro Java, XSS. . SAP UI Development Kit for HTML5 SAP UI Development Kit HTML5, jQuery /_core/src/main/js/jquery.sap.encoder.js. : HTML / XML jQuery.sap.encodeHTML(sValue) and jQuery.sap.encodeXML(sValue) JavaScript jQuery.sap.encodeJS(sValue) URL jQuery.sap.encodeURL(sValue) CSS jQuery.sap.encodeCSS(sValue) : , : Global_app_config/session_config/sessionTimeout = 900. - , . SystemCookiesDataProtection = true. HttpOnly , - , , . HTTPOnly, Logon tickets XSS-. ume.logon.httponlycookie= True. Logon tickets , Single Sign-On J2EE Engine. “True” , HTTP document.cookie ( XSS-) . SessionIPProtectionEnabled = True. , IP . True, HTTP- IP. IP, . , , - XSS-, - -, . LogCLF = TRUE http.properties logging CEF. ArchiveOldLogFiles = ON. Log Configurator . . , . , . . HttpTrace= Enable. HTTP- , ConfigTool. HTTP Provider Service, , HttpTrace. SAP HANA XS , XSS- – SAP HANA. SAP HANA SAPUI5. - SAPUI5 , . , int int, sap.ui.core . – , HTML: , : sessiontimeout = 900. - , . HttpOnly . , , - XSS-, - -, . HTTP (S) , SAP HANA, -. - HTTP (S) , icm/http/logging _ 0: global _ auditing _ state = true. global.ini, . , , XSS-. SAP HANA Administration Console –> Security HDB –> Auditing Status menu. - , XSS. , , - SAP . XSS- – SAP. SAP XSS-. XSS SAP. , ( chipik ) . Logging additional information ABAP protection SAP Encoding Functions for AS ABAP Java protection SAP Encoding Functions for AS Java and JavaScript Prevention of Cross-site Scripting SAP HANA protection Protecting SAP® Applications Based on Java and ABAP™ Against Common Attacks
<%@page language="abap" forceEncode="html"%> <% data: inputvalue type string. inputvalue = request->get_form_field( 'x' ). %> </html> . , ( ): <%html=...%>: HTML <%url=...%>: URL URL <%javascript=...%>: JavaScript <%css=…%> : CSS <%raw=...%> ( , , , ) BSP BSP HTMLB forceEncode <htmlb:content> ENABLED , ( ). ENABLED , , :<htmlb:content forceEncode="ENABLED|BACKWARDS_COMPATIBLE"> ENABLED: . , ; BACKWARDS_COMPATIBLE: . , . , htmlb:content , . : CLASSIC, DESIGN2002, DESIGN2003, DESIGN2008, , (+). CLASSIC DESIGN2002 (, ) . <htmlb:content forceEncode="ENABLED" design="DESIGN2003+DESIGN2008"> , design=CLASSIC. . Mixed BSP- HTML HTMLB forceEncode BSP page forceEncode HTMLB . , – HTMLB. , , HTML BSP, Internet Transaction Server (ITS) HTML Business Internet Transaction Server (ITS) HTML Business, : xss_url_escape() xss_html_escape() xss_wml_escape() xss_css_escape() xss_js_escape() HTML Business , HTML-: , (`) , : ~auto_html_escaping=1: , ~new_xss_functions=1: XSS. ~html_escaping_off=1/0, . , , SAP_BASIS: ITS ( <= 6.40), Internet Service SE80. ITS ( >= 6.40), GUI SICF : 7.20, ~new_xss_functions, XSS- . , , , . ~html_escaping_off=”X”, . , . SAP Security Note 1488500. Business HTML (BHTML) HTMLBusiness Template Library (, SAP_TemplateNonEditableField()) . , . SAP Security Note 916255. , . , . , XSS-: http/security_session_timeout = 900; - , . icf/set_HTTPonly_flag_on_cookies = 0; HttpOnly , - , , . HTTPOnly, Logon tickets XSS-. , RZ10, ( Profile) (, DEFAULT.PFL, SAP-). , , , Extended maintenance . , Copy. , , - , - -, : icm/HTTP/logging_0 icm/security_log , SAP NetWeaver J2EE SAP NetWeaver J2EE AS Java tc_sec_csi.jar. , HTML/XML, JavaScript, CSS URL. StringUtils (com.sap.security.core.server.csi.util.StringUtils): . Securing SAP from XSS vulnerabilities escapeScriptEndTag(String pStr) - , javascript ; escapeToHTML(String input) – (. 1) escapeToJS(String input) – JS declaration ( . 5) escapeToURL(String input) – , URL ( 3). , 'disableScriptSignatures'. escapeToURL(StringBuffer sb, String input, int maxLength) - , URL ( 3). , 'disableScriptSignatures'. escapeToURL(String input, int maxLength) - , URL (. 3). , 'disableScriptSignatures'. urlEncode(String s) – URLEncoder.encode , . 1 ( ) [CASE1] Username [CASE1] 2 ( , – URL) Click here 3 ( - URL) 4 ( SCRIPT', – ) 5 ( – declaration ) XSSEncoder. - XSSEncoder ( : com.sap.security.core.server.csi.XSSEncoder). : HTML / XML out = XSSEncoder.encodeHTML( in ) and XSSEncoder.encodeXML( val ); JavaScript out = XSSEncoder.encodeJavaScript( val ); URL out = XSSEncoder.encodeURL( val ); CSS out = XSSEncoder.encodeCSS( val ); , . SAP Security Note 1590008. WebDynpro Java WebDynpro Java, XSS. . SAP UI Development Kit for HTML5 SAP UI Development Kit HTML5, jQuery /_core/src/main/js/jquery.sap.encoder.js. : HTML / XML jQuery.sap.encodeHTML(sValue) and jQuery.sap.encodeXML(sValue) JavaScript jQuery.sap.encodeJS(sValue) URL jQuery.sap.encodeURL(sValue) CSS jQuery.sap.encodeCSS(sValue) : , : Global_app_config/session_config/sessionTimeout = 900. - , . SystemCookiesDataProtection = true. HttpOnly , - , , . HTTPOnly, Logon tickets XSS-. ume.logon.httponlycookie= True. Logon tickets , Single Sign-On J2EE Engine. “True” , HTTP document.cookie ( XSS-) . SessionIPProtectionEnabled = True. , IP . True, HTTP- IP. IP, . , , - XSS-, - -, . LogCLF = TRUE http.properties logging CEF. ArchiveOldLogFiles = ON. Log Configurator . . , . , . . HttpTrace= Enable. HTTP- , ConfigTool. HTTP Provider Service, , HttpTrace. SAP HANA XS , XSS- – SAP HANA. SAP HANA SAPUI5. - SAPUI5 , . , int int, sap.ui.core . – , HTML: , : sessiontimeout = 900. - , . HttpOnly . , , - XSS-, - -, . HTTP (S) , SAP HANA, -. - HTTP (S) , icm/http/logging _ 0: global _ auditing _ state = true. global.ini, . , , XSS-. SAP HANA Administration Console –> Security HDB –> Auditing Status menu. - , XSS. , , - SAP . XSS- – SAP. SAP XSS-. XSS SAP. , ( chipik ) . Logging additional information ABAP protection SAP Encoding Functions for AS ABAP Java protection SAP Encoding Functions for AS Java and JavaScript Prevention of Cross-site Scripting SAP HANA protection Protecting SAP® Applications Based on Java and ABAP™ Against Common Attacks

<%@page language="abap" forceEncode="html"%>
<% data: inputvalue type string.
inputvalue = request->get_form_field( 'x' ).
%>
</html>


. , ( ):

<%html=...%>: HTML <%url=...%>: URL URL <%javascript=...%>: JavaScript <%css=…%> : CSS <%raw=...%> ( , , , )

BSP

BSP HTMLB forceEncode <htmlb:content> ENABLED , ( ). ENABLED , , :<htmlb:content forceEncode="ENABLED|BACKWARDS_COMPATIBLE">

ENABLED: . , ; BACKWARDS_COMPATIBLE: . , .

, htmlb:content , . : CLASSIC, DESIGN2002, DESIGN2003, DESIGN2008, , (+). CLASSIC DESIGN2002 (, ) .

<htmlb:content forceEncode="ENABLED" design="DESIGN2003+DESIGN2008">


, design=CLASSIC. .

Mixed BSP- HTML HTMLB

forceEncode BSP page forceEncode HTMLB . , – HTMLB. , , HTML BSP,

Internet Transaction Server (ITS) HTML Business

Internet Transaction Server (ITS) HTML Business, :

xss_url_escape() xss_html_escape() xss_wml_escape() xss_css_escape() xss_js_escape()
HTML Business

, HTML-: , (`) , :
~auto_html_escaping=1: , ~new_xss_functions=1: XSS.
~html_escaping_off=1/0, .
, , SAP_BASIS:
ITS ( <= 6.40), Internet Service SE80. ITS ( >= 6.40), GUI SICF :

7.20, ~new_xss_functions, XSS- .

, , , . ~html_escaping_off=”X”, . , . SAP Security Note 1488500.

Business HTML (BHTML)

HTMLBusiness Template Library (, SAP_TemplateNonEditableField()) . , . SAP Security Note 916255.



, . , .



, XSS-:

http/security_session_timeout = 900; - , . icf/set_HTTPonly_flag_on_cookies = 0; HttpOnly , - , , . HTTPOnly, Logon tickets XSS-.

, RZ10, ( Profile) (, DEFAULT.PFL, SAP-). , , , Extended maintenance . , Copy.



, , - , - -, :
icm/HTTP/logging_0 icm/security_log ,

SAP NetWeaver J2EE

SAP NetWeaver J2EE



AS Java tc_sec_csi.jar. , HTML/XML, JavaScript, CSS URL. StringUtils (com.sap.security.core.server.csi.util.StringUtils):

. Securing SAP from XSS vulnerabilities
escapeScriptEndTag(String pStr) - , javascript ; escapeToHTML(String input) – (. 1) escapeToJS(String input) – JS declaration ( . 5) escapeToURL(String input) – , URL ( 3). , 'disableScriptSignatures'. escapeToURL(StringBuffer sb, String input, int maxLength) - , URL ( 3). , 'disableScriptSignatures'. escapeToURL(String input, int maxLength) - , URL (. 3). , 'disableScriptSignatures'. urlEncode(String s) – URLEncoder.encode

, .

1 ( )

[CASE1]

Username [CASE1]



2 ( , – URL)


Click here


3 ( - URL)




4 ( SCRIPT', – )



5 ( – declaration )



XSSEncoder.
- XSSEncoder ( : com.sap.security.core.server.csi.XSSEncoder).

:
HTML / XML out = XSSEncoder.encodeHTML( in ) and XSSEncoder.encodeXML( val ); JavaScript out = XSSEncoder.encodeJavaScript( val ); URL out = XSSEncoder.encodeURL( val ); CSS out = XSSEncoder.encodeCSS( val );

, . SAP Security Note 1590008.
WebDynpro Java
WebDynpro Java, XSS. .
SAP UI Development Kit for HTML5
SAP UI Development Kit HTML5, jQuery /_core/src/main/js/jquery.sap.encoder.js.
:
HTML / XML jQuery.sap.encodeHTML(sValue) and jQuery.sap.encodeXML(sValue) JavaScript jQuery.sap.encodeJS(sValue) URL jQuery.sap.encodeURL(sValue) CSS jQuery.sap.encodeCSS(sValue)
:

, :
Global_app_config/session_config/sessionTimeout = 900. - , . SystemCookiesDataProtection = true. HttpOnly , - , , . HTTPOnly, Logon tickets XSS-. ume.logon.httponlycookie= True. Logon tickets , Single Sign-On J2EE Engine. “True” , HTTP document.cookie ( XSS-) . SessionIPProtectionEnabled = True. , IP . True, HTTP- IP. IP, .


, , - XSS-, - -, .
LogCLF = TRUE http.properties logging CEF. ArchiveOldLogFiles = ON. Log Configurator . . , . , . . HttpTrace= Enable. HTTP- , ConfigTool. HTTP Provider Service, , HttpTrace.
SAP HANA XS

, XSS- – SAP HANA.


SAP HANA SAPUI5.
- SAPUI5 , . , int int, sap.ui.core . – , HTML:

, :
sessiontimeout = 900. - , . HttpOnly .



, , - XSS-, - -, .

HTTP (S) , SAP HANA, -. - HTTP (S) , icm/http/logging _ 0: global _ auditing _ state = true. global.ini, . , , XSS-. SAP HANA Administration Console –> Security HDB –> Auditing Status menu.



- , XSS. , , - SAP . XSS- – SAP. SAP XSS-. XSS SAP.

, ( chipik ) .


Logging additional information ABAP protection SAP Encoding Functions for AS ABAP Java protection SAP Encoding Functions for AS Java and JavaScript Prevention of Cross-site Scripting SAP HANA protection Protecting SAP® Applications Based on Java and ABAP™ Against Common Attacks

<%@page language="abap" forceEncode="html"%> <% data: inputvalue type string. inputvalue = request->get_form_field( 'x' ). %> </html> . , ( ): <%html=...%>: HTML <%url=...%>: URL URL <%javascript=...%>: JavaScript <%css=…%> : CSS <%raw=...%> ( , , , ) BSP BSP HTMLB forceEncode <htmlb:content> ENABLED , ( ). ENABLED , , :<htmlb:content forceEncode="ENABLED|BACKWARDS_COMPATIBLE"> ENABLED: . , ; BACKWARDS_COMPATIBLE: . , . , htmlb:content , . : CLASSIC, DESIGN2002, DESIGN2003, DESIGN2008, , (+). CLASSIC DESIGN2002 (, ) . <htmlb:content forceEncode="ENABLED" design="DESIGN2003+DESIGN2008"> , design=CLASSIC. . Mixed BSP- HTML HTMLB forceEncode BSP page forceEncode HTMLB . , – HTMLB. , , HTML BSP, Internet Transaction Server (ITS) HTML Business Internet Transaction Server (ITS) HTML Business, : xss_url_escape() xss_html_escape() xss_wml_escape() xss_css_escape() xss_js_escape() HTML Business , HTML-: , (`) , : ~auto_html_escaping=1: , ~new_xss_functions=1: XSS. ~html_escaping_off=1/0, . , , SAP_BASIS: ITS ( <= 6.40), Internet Service SE80. ITS ( >= 6.40), GUI SICF : 7.20, ~new_xss_functions, XSS- . , , , . ~html_escaping_off=”X”, . , . SAP Security Note 1488500. Business HTML (BHTML) HTMLBusiness Template Library (, SAP_TemplateNonEditableField()) . , . SAP Security Note 916255. , . , . , XSS-: http/security_session_timeout = 900; - , . icf/set_HTTPonly_flag_on_cookies = 0; HttpOnly , - , , . HTTPOnly, Logon tickets XSS-. , RZ10, ( Profile) (, DEFAULT.PFL, SAP-). , , , Extended maintenance . , Copy. , , - , - -, : icm/HTTP/logging_0 icm/security_log , SAP NetWeaver J2EE SAP NetWeaver J2EE AS Java tc_sec_csi.jar. , HTML/XML, JavaScript, CSS URL. StringUtils (com.sap.security.core.server.csi.util.StringUtils): . Securing SAP from XSS vulnerabilities escapeScriptEndTag(String pStr) - , javascript ; escapeToHTML(String input) – (. 1) escapeToJS(String input) – JS declaration ( . 5) escapeToURL(String input) – , URL ( 3). , 'disableScriptSignatures'. escapeToURL(StringBuffer sb, String input, int maxLength) - , URL ( 3). , 'disableScriptSignatures'. escapeToURL(String input, int maxLength) - , URL (. 3). , 'disableScriptSignatures'. urlEncode(String s) – URLEncoder.encode , . 1 ( ) [CASE1] Username [CASE1] 2 ( , – URL) Click here 3 ( - URL) 4 ( SCRIPT', – ) 5 ( – declaration ) XSSEncoder. - XSSEncoder ( : com.sap.security.core.server.csi.XSSEncoder). : HTML / XML out = XSSEncoder.encodeHTML( in ) and XSSEncoder.encodeXML( val ); JavaScript out = XSSEncoder.encodeJavaScript( val ); URL out = XSSEncoder.encodeURL( val ); CSS out = XSSEncoder.encodeCSS( val ); , . SAP Security Note 1590008. WebDynpro Java WebDynpro Java, XSS. . SAP UI Development Kit for HTML5 SAP UI Development Kit HTML5, jQuery /_core/src/main/js/jquery.sap.encoder.js. : HTML / XML jQuery.sap.encodeHTML(sValue) and jQuery.sap.encodeXML(sValue) JavaScript jQuery.sap.encodeJS(sValue) URL jQuery.sap.encodeURL(sValue) CSS jQuery.sap.encodeCSS(sValue) : , : Global_app_config/session_config/sessionTimeout = 900. - , . SystemCookiesDataProtection = true. HttpOnly , - , , . HTTPOnly, Logon tickets XSS-. ume.logon.httponlycookie= True. Logon tickets , Single Sign-On J2EE Engine. “True” , HTTP document.cookie ( XSS-) . SessionIPProtectionEnabled = True. , IP . True, HTTP- IP. IP, . , , - XSS-, - -, . LogCLF = TRUE http.properties logging CEF. ArchiveOldLogFiles = ON. Log Configurator . . , . , . . HttpTrace= Enable. HTTP- , ConfigTool. HTTP Provider Service, , HttpTrace. SAP HANA XS , XSS- – SAP HANA. SAP HANA SAPUI5. - SAPUI5 , . , int int, sap.ui.core . – , HTML: , : sessiontimeout = 900. - , . HttpOnly . , , - XSS-, - -, . HTTP (S) , SAP HANA, -. - HTTP (S) , icm/http/logging _ 0: global _ auditing _ state = true. global.ini, . , , XSS-. SAP HANA Administration Console –> Security HDB –> Auditing Status menu. - , XSS. , , - SAP . XSS- – SAP. SAP XSS-. XSS SAP. , ( chipik ) . Logging additional information ABAP protection SAP Encoding Functions for AS ABAP Java protection SAP Encoding Functions for AS Java and JavaScript Prevention of Cross-site Scripting SAP HANA protection Protecting SAP® Applications Based on Java and ABAP™ Against Common Attacks

<%@page language="abap" forceEncode="html"%>
<% data: inputvalue type string.
inputvalue = request->get_form_field( 'x' ).
%>
</html>


. , ( ):

<%html=...%>: HTML <%url=...%>: URL URL <%javascript=...%>: JavaScript <%css=…%> : CSS <%raw=...%> ( , , , )

BSP

BSP HTMLB forceEncode <htmlb:content> ENABLED , ( ). ENABLED , , :<htmlb:content forceEncode="ENABLED|BACKWARDS_COMPATIBLE">

ENABLED: . , ; BACKWARDS_COMPATIBLE: . , .

, htmlb:content , . : CLASSIC, DESIGN2002, DESIGN2003, DESIGN2008, , (+). CLASSIC DESIGN2002 (, ) .

<htmlb:content forceEncode="ENABLED" design="DESIGN2003+DESIGN2008">


, design=CLASSIC. .

Mixed BSP- HTML HTMLB

forceEncode BSP page forceEncode HTMLB . , – HTMLB. , , HTML BSP,

Internet Transaction Server (ITS) HTML Business

Internet Transaction Server (ITS) HTML Business, :

xss_url_escape() xss_html_escape() xss_wml_escape() xss_css_escape() xss_js_escape()
HTML Business

, HTML-: , (`) , :
~auto_html_escaping=1: , ~new_xss_functions=1: XSS.
~html_escaping_off=1/0, .
, , SAP_BASIS:
ITS ( <= 6.40), Internet Service SE80. ITS ( >= 6.40), GUI SICF :

7.20, ~new_xss_functions, XSS- .

, , , . ~html_escaping_off=”X”, . , . SAP Security Note 1488500.

Business HTML (BHTML)

HTMLBusiness Template Library (, SAP_TemplateNonEditableField()) . , . SAP Security Note 916255.



, . , .



, XSS-:

http/security_session_timeout = 900; - , . icf/set_HTTPonly_flag_on_cookies = 0; HttpOnly , - , , . HTTPOnly, Logon tickets XSS-.

, RZ10, ( Profile) (, DEFAULT.PFL, SAP-). , , , Extended maintenance . , Copy.



, , - , - -, :
icm/HTTP/logging_0 icm/security_log ,

SAP NetWeaver J2EE

SAP NetWeaver J2EE



AS Java tc_sec_csi.jar. , HTML/XML, JavaScript, CSS URL. StringUtils (com.sap.security.core.server.csi.util.StringUtils):

. Securing SAP from XSS vulnerabilities
escapeScriptEndTag(String pStr) - , javascript ; escapeToHTML(String input) – (. 1) escapeToJS(String input) – JS declaration ( . 5) escapeToURL(String input) – , URL ( 3). , 'disableScriptSignatures'. escapeToURL(StringBuffer sb, String input, int maxLength) - , URL ( 3). , 'disableScriptSignatures'. escapeToURL(String input, int maxLength) - , URL (. 3). , 'disableScriptSignatures'. urlEncode(String s) – URLEncoder.encode

, .

1 ( )

[CASE1]

Username [CASE1]



2 ( , – URL)


Click here


3 ( - URL)




4 ( SCRIPT', – )



5 ( – declaration )



XSSEncoder.
- XSSEncoder ( : com.sap.security.core.server.csi.XSSEncoder).

:
HTML / XML out = XSSEncoder.encodeHTML( in ) and XSSEncoder.encodeXML( val ); JavaScript out = XSSEncoder.encodeJavaScript( val ); URL out = XSSEncoder.encodeURL( val ); CSS out = XSSEncoder.encodeCSS( val );

, . SAP Security Note 1590008.
WebDynpro Java
WebDynpro Java, XSS. .
SAP UI Development Kit for HTML5
SAP UI Development Kit HTML5, jQuery /_core/src/main/js/jquery.sap.encoder.js.
:
HTML / XML jQuery.sap.encodeHTML(sValue) and jQuery.sap.encodeXML(sValue) JavaScript jQuery.sap.encodeJS(sValue) URL jQuery.sap.encodeURL(sValue) CSS jQuery.sap.encodeCSS(sValue)
:

, :
Global_app_config/session_config/sessionTimeout = 900. - , . SystemCookiesDataProtection = true. HttpOnly , - , , . HTTPOnly, Logon tickets XSS-. ume.logon.httponlycookie= True. Logon tickets , Single Sign-On J2EE Engine. “True” , HTTP document.cookie ( XSS-) . SessionIPProtectionEnabled = True. , IP . True, HTTP- IP. IP, .


, , - XSS-, - -, .
LogCLF = TRUE http.properties logging CEF. ArchiveOldLogFiles = ON. Log Configurator . . , . , . . HttpTrace= Enable. HTTP- , ConfigTool. HTTP Provider Service, , HttpTrace.
SAP HANA XS

, XSS- – SAP HANA.


SAP HANA SAPUI5.
- SAPUI5 , . , int int, sap.ui.core . – , HTML:

, :
sessiontimeout = 900. - , . HttpOnly .



, , - XSS-, - -, .

HTTP (S) , SAP HANA, -. - HTTP (S) , icm/http/logging _ 0: global _ auditing _ state = true. global.ini, . , , XSS-. SAP HANA Administration Console –> Security HDB –> Auditing Status menu.



- , XSS. , , - SAP . XSS- – SAP. SAP XSS-. XSS SAP.

, ( chipik ) .


Logging additional information ABAP protection SAP Encoding Functions for AS ABAP Java protection SAP Encoding Functions for AS Java and JavaScript Prevention of Cross-site Scripting SAP HANA protection Protecting SAP® Applications Based on Java and ABAP™ Against Common Attacks

<%@page language="abap" forceEncode="html"%> <% data: inputvalue type string. inputvalue = request->get_form_field( 'x' ). %> </html> . , ( ): <%html=...%>: HTML <%url=...%>: URL URL <%javascript=...%>: JavaScript <%css=…%> : CSS <%raw=...%> ( , , , ) BSP BSP HTMLB forceEncode <htmlb:content> ENABLED , ( ). ENABLED , , :<htmlb:content forceEncode="ENABLED|BACKWARDS_COMPATIBLE"> ENABLED: . , ; BACKWARDS_COMPATIBLE: . , . , htmlb:content , . : CLASSIC, DESIGN2002, DESIGN2003, DESIGN2008, , (+). CLASSIC DESIGN2002 (, ) . <htmlb:content forceEncode="ENABLED" design="DESIGN2003+DESIGN2008"> , design=CLASSIC. . Mixed BSP- HTML HTMLB forceEncode BSP page forceEncode HTMLB . , – HTMLB. , , HTML BSP, Internet Transaction Server (ITS) HTML Business Internet Transaction Server (ITS) HTML Business, : xss_url_escape() xss_html_escape() xss_wml_escape() xss_css_escape() xss_js_escape() HTML Business , HTML-: , (`) , : ~auto_html_escaping=1: , ~new_xss_functions=1: XSS. ~html_escaping_off=1/0, . , , SAP_BASIS: ITS ( <= 6.40), Internet Service SE80. ITS ( >= 6.40), GUI SICF : 7.20, ~new_xss_functions, XSS- . , , , . ~html_escaping_off=”X”, . , . SAP Security Note 1488500. Business HTML (BHTML) HTMLBusiness Template Library (, SAP_TemplateNonEditableField()) . , . SAP Security Note 916255. , . , . , XSS-: http/security_session_timeout = 900; - , . icf/set_HTTPonly_flag_on_cookies = 0; HttpOnly , - , , . HTTPOnly, Logon tickets XSS-. , RZ10, ( Profile) (, DEFAULT.PFL, SAP-). , , , Extended maintenance . , Copy. , , - , - -, : icm/HTTP/logging_0 icm/security_log , SAP NetWeaver J2EE SAP NetWeaver J2EE AS Java tc_sec_csi.jar. , HTML/XML, JavaScript, CSS URL. StringUtils (com.sap.security.core.server.csi.util.StringUtils): . Securing SAP from XSS vulnerabilities escapeScriptEndTag(String pStr) - , javascript ; escapeToHTML(String input) – (. 1) escapeToJS(String input) – JS declaration ( . 5) escapeToURL(String input) – , URL ( 3). , 'disableScriptSignatures'. escapeToURL(StringBuffer sb, String input, int maxLength) - , URL ( 3). , 'disableScriptSignatures'. escapeToURL(String input, int maxLength) - , URL (. 3). , 'disableScriptSignatures'. urlEncode(String s) – URLEncoder.encode , . 1 ( ) [CASE1] Username [CASE1] 2 ( , – URL) Click here 3 ( - URL) 4 ( SCRIPT', – ) 5 ( – declaration ) XSSEncoder. - XSSEncoder ( : com.sap.security.core.server.csi.XSSEncoder). : HTML / XML out = XSSEncoder.encodeHTML( in ) and XSSEncoder.encodeXML( val ); JavaScript out = XSSEncoder.encodeJavaScript( val ); URL out = XSSEncoder.encodeURL( val ); CSS out = XSSEncoder.encodeCSS( val ); , . SAP Security Note 1590008. WebDynpro Java WebDynpro Java, XSS. . SAP UI Development Kit for HTML5 SAP UI Development Kit HTML5, jQuery /_core/src/main/js/jquery.sap.encoder.js. : HTML / XML jQuery.sap.encodeHTML(sValue) and jQuery.sap.encodeXML(sValue) JavaScript jQuery.sap.encodeJS(sValue) URL jQuery.sap.encodeURL(sValue) CSS jQuery.sap.encodeCSS(sValue) : , : Global_app_config/session_config/sessionTimeout = 900. - , . SystemCookiesDataProtection = true. HttpOnly , - , , . HTTPOnly, Logon tickets XSS-. ume.logon.httponlycookie= True. Logon tickets , Single Sign-On J2EE Engine. “True” , HTTP document.cookie ( XSS-) . SessionIPProtectionEnabled = True. , IP . True, HTTP- IP. IP, . , , - XSS-, - -, . LogCLF = TRUE http.properties logging CEF. ArchiveOldLogFiles = ON. Log Configurator . . , . , . . HttpTrace= Enable. HTTP- , ConfigTool. HTTP Provider Service, , HttpTrace. SAP HANA XS , XSS- – SAP HANA. SAP HANA SAPUI5. - SAPUI5 , . , int int, sap.ui.core . – , HTML: , : sessiontimeout = 900. - , . HttpOnly . , , - XSS-, - -, . HTTP (S) , SAP HANA, -. - HTTP (S) , icm/http/logging _ 0: global _ auditing _ state = true. global.ini, . , , XSS-. SAP HANA Administration Console –> Security HDB –> Auditing Status menu. - , XSS. , , - SAP . XSS- – SAP. SAP XSS-. XSS SAP. , ( chipik ) . Logging additional information ABAP protection SAP Encoding Functions for AS ABAP Java protection SAP Encoding Functions for AS Java and JavaScript Prevention of Cross-site Scripting SAP HANA protection Protecting SAP® Applications Based on Java and ABAP™ Against Common Attacks
<%@page language="abap" forceEncode="html"%> <% data: inputvalue type string. inputvalue = request->get_form_field( 'x' ). %> </html> . , ( ): <%html=...%>: HTML <%url=...%>: URL URL <%javascript=...%>: JavaScript <%css=…%> : CSS <%raw=...%> ( , , , ) BSP BSP HTMLB forceEncode <htmlb:content> ENABLED , ( ). ENABLED , , :<htmlb:content forceEncode="ENABLED|BACKWARDS_COMPATIBLE"> ENABLED: . , ; BACKWARDS_COMPATIBLE: . , . , htmlb:content , . : CLASSIC, DESIGN2002, DESIGN2003, DESIGN2008, , (+). CLASSIC DESIGN2002 (, ) . <htmlb:content forceEncode="ENABLED" design="DESIGN2003+DESIGN2008"> , design=CLASSIC. . Mixed BSP- HTML HTMLB forceEncode BSP page forceEncode HTMLB . , – HTMLB. , , HTML BSP, Internet Transaction Server (ITS) HTML Business Internet Transaction Server (ITS) HTML Business, : xss_url_escape() xss_html_escape() xss_wml_escape() xss_css_escape() xss_js_escape() HTML Business , HTML-: , (`) , : ~auto_html_escaping=1: , ~new_xss_functions=1: XSS. ~html_escaping_off=1/0, . , , SAP_BASIS: ITS ( <= 6.40), Internet Service SE80. ITS ( >= 6.40), GUI SICF : 7.20, ~new_xss_functions, XSS- . , , , . ~html_escaping_off=”X”, . , . SAP Security Note 1488500. Business HTML (BHTML) HTMLBusiness Template Library (, SAP_TemplateNonEditableField()) . , . SAP Security Note 916255. , . , . , XSS-: http/security_session_timeout = 900; - , . icf/set_HTTPonly_flag_on_cookies = 0; HttpOnly , - , , . HTTPOnly, Logon tickets XSS-. , RZ10, ( Profile) (, DEFAULT.PFL, SAP-). , , , Extended maintenance . , Copy. , , - , - -, : icm/HTTP/logging_0 icm/security_log , SAP NetWeaver J2EE SAP NetWeaver J2EE AS Java tc_sec_csi.jar. , HTML/XML, JavaScript, CSS URL. StringUtils (com.sap.security.core.server.csi.util.StringUtils): . Securing SAP from XSS vulnerabilities escapeScriptEndTag(String pStr) - , javascript ; escapeToHTML(String input) – (. 1) escapeToJS(String input) – JS declaration ( . 5) escapeToURL(String input) – , URL ( 3). , 'disableScriptSignatures'. escapeToURL(StringBuffer sb, String input, int maxLength) - , URL ( 3). , 'disableScriptSignatures'. escapeToURL(String input, int maxLength) - , URL (. 3). , 'disableScriptSignatures'. urlEncode(String s) – URLEncoder.encode , . 1 ( ) [CASE1] Username [CASE1] 2 ( , – URL) Click here 3 ( - URL) 4 ( SCRIPT', – ) 5 ( – declaration ) XSSEncoder. - XSSEncoder ( : com.sap.security.core.server.csi.XSSEncoder). : HTML / XML out = XSSEncoder.encodeHTML( in ) and XSSEncoder.encodeXML( val ); JavaScript out = XSSEncoder.encodeJavaScript( val ); URL out = XSSEncoder.encodeURL( val ); CSS out = XSSEncoder.encodeCSS( val ); , . SAP Security Note 1590008. WebDynpro Java WebDynpro Java, XSS. . SAP UI Development Kit for HTML5 SAP UI Development Kit HTML5, jQuery /_core/src/main/js/jquery.sap.encoder.js. : HTML / XML jQuery.sap.encodeHTML(sValue) and jQuery.sap.encodeXML(sValue) JavaScript jQuery.sap.encodeJS(sValue) URL jQuery.sap.encodeURL(sValue) CSS jQuery.sap.encodeCSS(sValue) : , : Global_app_config/session_config/sessionTimeout = 900. - , . SystemCookiesDataProtection = true. HttpOnly , - , , . HTTPOnly, Logon tickets XSS-. ume.logon.httponlycookie= True. Logon tickets , Single Sign-On J2EE Engine. “True” , HTTP document.cookie ( XSS-) . SessionIPProtectionEnabled = True. , IP . True, HTTP- IP. IP, . , , - XSS-, - -, . LogCLF = TRUE http.properties logging CEF. ArchiveOldLogFiles = ON. Log Configurator . . , . , . . HttpTrace= Enable. HTTP- , ConfigTool. HTTP Provider Service, , HttpTrace. SAP HANA XS , XSS- – SAP HANA. SAP HANA SAPUI5. - SAPUI5 , . , int int, sap.ui.core . – , HTML: , : sessiontimeout = 900. - , . HttpOnly . , , - XSS-, - -, . HTTP (S) , SAP HANA, -. - HTTP (S) , icm/http/logging _ 0: global _ auditing _ state = true. global.ini, . , , XSS-. SAP HANA Administration Console –> Security HDB –> Auditing Status menu. - , XSS. , , - SAP . XSS- – SAP. SAP XSS-. XSS SAP. , ( chipik ) . Logging additional information ABAP protection SAP Encoding Functions for AS ABAP Java protection SAP Encoding Functions for AS Java and JavaScript Prevention of Cross-site Scripting SAP HANA protection Protecting SAP® Applications Based on Java and ABAP™ Against Common Attacks

<%@page language="abap" forceEncode="html"%>
<% data: inputvalue type string.
inputvalue = request->get_form_field( 'x' ).
%>
</html>


. , ( ):

<%html=...%>: HTML <%url=...%>: URL URL <%javascript=...%>: JavaScript <%css=…%> : CSS <%raw=...%> ( , , , )

BSP

BSP HTMLB forceEncode <htmlb:content> ENABLED , ( ). ENABLED , , :<htmlb:content forceEncode="ENABLED|BACKWARDS_COMPATIBLE">

ENABLED: . , ; BACKWARDS_COMPATIBLE: . , .

, htmlb:content , . : CLASSIC, DESIGN2002, DESIGN2003, DESIGN2008, , (+). CLASSIC DESIGN2002 (, ) .

<htmlb:content forceEncode="ENABLED" design="DESIGN2003+DESIGN2008">


, design=CLASSIC. .

Mixed BSP- HTML HTMLB

forceEncode BSP page forceEncode HTMLB . , – HTMLB. , , HTML BSP,

Internet Transaction Server (ITS) HTML Business

Internet Transaction Server (ITS) HTML Business, :

xss_url_escape() xss_html_escape() xss_wml_escape() xss_css_escape() xss_js_escape()
HTML Business

, HTML-: , (`) , :
~auto_html_escaping=1: , ~new_xss_functions=1: XSS.
~html_escaping_off=1/0, .
, , SAP_BASIS:
ITS ( <= 6.40), Internet Service SE80. ITS ( >= 6.40), GUI SICF :

7.20, ~new_xss_functions, XSS- .

, , , . ~html_escaping_off=”X”, . , . SAP Security Note 1488500.

Business HTML (BHTML)

HTMLBusiness Template Library (, SAP_TemplateNonEditableField()) . , . SAP Security Note 916255.



, . , .



, XSS-:

http/security_session_timeout = 900; - , . icf/set_HTTPonly_flag_on_cookies = 0; HttpOnly , - , , . HTTPOnly, Logon tickets XSS-.

, RZ10, ( Profile) (, DEFAULT.PFL, SAP-). , , , Extended maintenance . , Copy.



, , - , - -, :
icm/HTTP/logging_0 icm/security_log ,

SAP NetWeaver J2EE

SAP NetWeaver J2EE



AS Java tc_sec_csi.jar. , HTML/XML, JavaScript, CSS URL. StringUtils (com.sap.security.core.server.csi.util.StringUtils):

. Securing SAP from XSS vulnerabilities
escapeScriptEndTag(String pStr) - , javascript ; escapeToHTML(String input) – (. 1) escapeToJS(String input) – JS declaration ( . 5) escapeToURL(String input) – , URL ( 3). , 'disableScriptSignatures'. escapeToURL(StringBuffer sb, String input, int maxLength) - , URL ( 3). , 'disableScriptSignatures'. escapeToURL(String input, int maxLength) - , URL (. 3). , 'disableScriptSignatures'. urlEncode(String s) – URLEncoder.encode

, .

1 ( )

[CASE1]

Username [CASE1]



2 ( , – URL)


Click here


3 ( - URL)




4 ( SCRIPT', – )



5 ( – declaration )



XSSEncoder.
- XSSEncoder ( : com.sap.security.core.server.csi.XSSEncoder).

:
HTML / XML out = XSSEncoder.encodeHTML( in ) and XSSEncoder.encodeXML( val ); JavaScript out = XSSEncoder.encodeJavaScript( val ); URL out = XSSEncoder.encodeURL( val ); CSS out = XSSEncoder.encodeCSS( val );

, . SAP Security Note 1590008.
WebDynpro Java
WebDynpro Java, XSS. .
SAP UI Development Kit for HTML5
SAP UI Development Kit HTML5, jQuery /_core/src/main/js/jquery.sap.encoder.js.
:
HTML / XML jQuery.sap.encodeHTML(sValue) and jQuery.sap.encodeXML(sValue) JavaScript jQuery.sap.encodeJS(sValue) URL jQuery.sap.encodeURL(sValue) CSS jQuery.sap.encodeCSS(sValue)
:

, :
Global_app_config/session_config/sessionTimeout = 900. - , . SystemCookiesDataProtection = true. HttpOnly , - , , . HTTPOnly, Logon tickets XSS-. ume.logon.httponlycookie= True. Logon tickets , Single Sign-On J2EE Engine. “True” , HTTP document.cookie ( XSS-) . SessionIPProtectionEnabled = True. , IP . True, HTTP- IP. IP, .


, , - XSS-, - -, .
LogCLF = TRUE http.properties logging CEF. ArchiveOldLogFiles = ON. Log Configurator . . , . , . . HttpTrace= Enable. HTTP- , ConfigTool. HTTP Provider Service, , HttpTrace.
SAP HANA XS

, XSS- – SAP HANA.


SAP HANA SAPUI5.
- SAPUI5 , . , int int, sap.ui.core . – , HTML:

, :
sessiontimeout = 900. - , . HttpOnly .



, , - XSS-, - -, .

HTTP (S) , SAP HANA, -. - HTTP (S) , icm/http/logging _ 0: global _ auditing _ state = true. global.ini, . , , XSS-. SAP HANA Administration Console –> Security HDB –> Auditing Status menu.



- , XSS. , , - SAP . XSS- – SAP. SAP XSS-. XSS SAP.

, ( chipik ) .


Logging additional information ABAP protection SAP Encoding Functions for AS ABAP Java protection SAP Encoding Functions for AS Java and JavaScript Prevention of Cross-site Scripting SAP HANA protection Protecting SAP® Applications Based on Java and ABAP™ Against Common Attacks

<%@page language="abap" forceEncode="html"%> <% data: inputvalue type string. inputvalue = request->get_form_field( 'x' ). %> </html> . , ( ): <%html=...%>: HTML <%url=...%>: URL URL <%javascript=...%>: JavaScript <%css=…%> : CSS <%raw=...%> ( , , , ) BSP BSP HTMLB forceEncode <htmlb:content> ENABLED , ( ). ENABLED , , :<htmlb:content forceEncode="ENABLED|BACKWARDS_COMPATIBLE"> ENABLED: . , ; BACKWARDS_COMPATIBLE: . , . , htmlb:content , . : CLASSIC, DESIGN2002, DESIGN2003, DESIGN2008, , (+). CLASSIC DESIGN2002 (, ) . <htmlb:content forceEncode="ENABLED" design="DESIGN2003+DESIGN2008"> , design=CLASSIC. . Mixed BSP- HTML HTMLB forceEncode BSP page forceEncode HTMLB . , – HTMLB. , , HTML BSP, Internet Transaction Server (ITS) HTML Business Internet Transaction Server (ITS) HTML Business, : xss_url_escape() xss_html_escape() xss_wml_escape() xss_css_escape() xss_js_escape() HTML Business , HTML-: , (`) , : ~auto_html_escaping=1: , ~new_xss_functions=1: XSS. ~html_escaping_off=1/0, . , , SAP_BASIS: ITS ( <= 6.40), Internet Service SE80. ITS ( >= 6.40), GUI SICF : 7.20, ~new_xss_functions, XSS- . , , , . ~html_escaping_off=”X”, . , . SAP Security Note 1488500. Business HTML (BHTML) HTMLBusiness Template Library (, SAP_TemplateNonEditableField()) . , . SAP Security Note 916255. , . , . , XSS-: http/security_session_timeout = 900; - , . icf/set_HTTPonly_flag_on_cookies = 0; HttpOnly , - , , . HTTPOnly, Logon tickets XSS-. , RZ10, ( Profile) (, DEFAULT.PFL, SAP-). , , , Extended maintenance . , Copy. , , - , - -, : icm/HTTP/logging_0 icm/security_log , SAP NetWeaver J2EE SAP NetWeaver J2EE AS Java tc_sec_csi.jar. , HTML/XML, JavaScript, CSS URL. StringUtils (com.sap.security.core.server.csi.util.StringUtils): . Securing SAP from XSS vulnerabilities escapeScriptEndTag(String pStr) - , javascript ; escapeToHTML(String input) – (. 1) escapeToJS(String input) – JS declaration ( . 5) escapeToURL(String input) – , URL ( 3). , 'disableScriptSignatures'. escapeToURL(StringBuffer sb, String input, int maxLength) - , URL ( 3). , 'disableScriptSignatures'. escapeToURL(String input, int maxLength) - , URL (. 3). , 'disableScriptSignatures'. urlEncode(String s) – URLEncoder.encode , . 1 ( ) [CASE1] Username [CASE1] 2 ( , – URL) Click here 3 ( - URL) 4 ( SCRIPT', – ) 5 ( – declaration ) XSSEncoder. - XSSEncoder ( : com.sap.security.core.server.csi.XSSEncoder). : HTML / XML out = XSSEncoder.encodeHTML( in ) and XSSEncoder.encodeXML( val ); JavaScript out = XSSEncoder.encodeJavaScript( val ); URL out = XSSEncoder.encodeURL( val ); CSS out = XSSEncoder.encodeCSS( val ); , . SAP Security Note 1590008. WebDynpro Java WebDynpro Java, XSS. . SAP UI Development Kit for HTML5 SAP UI Development Kit HTML5, jQuery /_core/src/main/js/jquery.sap.encoder.js. : HTML / XML jQuery.sap.encodeHTML(sValue) and jQuery.sap.encodeXML(sValue) JavaScript jQuery.sap.encodeJS(sValue) URL jQuery.sap.encodeURL(sValue) CSS jQuery.sap.encodeCSS(sValue) : , : Global_app_config/session_config/sessionTimeout = 900. - , . SystemCookiesDataProtection = true. HttpOnly , - , , . HTTPOnly, Logon tickets XSS-. ume.logon.httponlycookie= True. Logon tickets , Single Sign-On J2EE Engine. “True” , HTTP document.cookie ( XSS-) . SessionIPProtectionEnabled = True. , IP . True, HTTP- IP. IP, . , , - XSS-, - -, . LogCLF = TRUE http.properties logging CEF. ArchiveOldLogFiles = ON. Log Configurator . . , . , . . HttpTrace= Enable. HTTP- , ConfigTool. HTTP Provider Service, , HttpTrace. SAP HANA XS , XSS- – SAP HANA. SAP HANA SAPUI5. - SAPUI5 , . , int int, sap.ui.core . – , HTML: , : sessiontimeout = 900. - , . HttpOnly . , , - XSS-, - -, . HTTP (S) , SAP HANA, -. - HTTP (S) , icm/http/logging _ 0: global _ auditing _ state = true. global.ini, . , , XSS-. SAP HANA Administration Console –> Security HDB –> Auditing Status menu. - , XSS. , , - SAP . XSS- – SAP. SAP XSS-. XSS SAP. , ( chipik ) . Logging additional information ABAP protection SAP Encoding Functions for AS ABAP Java protection SAP Encoding Functions for AS Java and JavaScript Prevention of Cross-site Scripting SAP HANA protection Protecting SAP® Applications Based on Java and ABAP™ Against Common Attacks

<%@page language="abap" forceEncode="html"%>
<% data: inputvalue type string.
inputvalue = request->get_form_field( 'x' ).
%>
</html>


. , ( ):

<%html=...%>: HTML <%url=...%>: URL URL <%javascript=...%>: JavaScript <%css=…%> : CSS <%raw=...%> ( , , , )

BSP

BSP HTMLB forceEncode <htmlb:content> ENABLED , ( ). ENABLED , , :<htmlb:content forceEncode="ENABLED|BACKWARDS_COMPATIBLE">

ENABLED: . , ; BACKWARDS_COMPATIBLE: . , .

, htmlb:content , . : CLASSIC, DESIGN2002, DESIGN2003, DESIGN2008, , (+). CLASSIC DESIGN2002 (, ) .

<htmlb:content forceEncode="ENABLED" design="DESIGN2003+DESIGN2008">


, design=CLASSIC. .

Mixed BSP- HTML HTMLB

forceEncode BSP page forceEncode HTMLB . , – HTMLB. , , HTML BSP,

Internet Transaction Server (ITS) HTML Business

Internet Transaction Server (ITS) HTML Business, :

xss_url_escape() xss_html_escape() xss_wml_escape() xss_css_escape() xss_js_escape()
HTML Business

, HTML-: , (`) , :
~auto_html_escaping=1: , ~new_xss_functions=1: XSS.
~html_escaping_off=1/0, .
, , SAP_BASIS:
ITS ( <= 6.40), Internet Service SE80. ITS ( >= 6.40), GUI SICF :

7.20, ~new_xss_functions, XSS- .

, , , . ~html_escaping_off=”X”, . , . SAP Security Note 1488500.

Business HTML (BHTML)

HTMLBusiness Template Library (, SAP_TemplateNonEditableField()) . , . SAP Security Note 916255.



, . , .



, XSS-:

http/security_session_timeout = 900; - , . icf/set_HTTPonly_flag_on_cookies = 0; HttpOnly , - , , . HTTPOnly, Logon tickets XSS-.

, RZ10, ( Profile) (, DEFAULT.PFL, SAP-). , , , Extended maintenance . , Copy.



, , - , - -, :
icm/HTTP/logging_0 icm/security_log ,

SAP NetWeaver J2EE

SAP NetWeaver J2EE



AS Java tc_sec_csi.jar. , HTML/XML, JavaScript, CSS URL. StringUtils (com.sap.security.core.server.csi.util.StringUtils):

. Securing SAP from XSS vulnerabilities
escapeScriptEndTag(String pStr) - , javascript ; escapeToHTML(String input) – (. 1) escapeToJS(String input) – JS declaration ( . 5) escapeToURL(String input) – , URL ( 3). , 'disableScriptSignatures'. escapeToURL(StringBuffer sb, String input, int maxLength) - , URL ( 3). , 'disableScriptSignatures'. escapeToURL(String input, int maxLength) - , URL (. 3). , 'disableScriptSignatures'. urlEncode(String s) – URLEncoder.encode

, .

1 ( )

[CASE1]

Username [CASE1]



2 ( , – URL)


Click here


3 ( - URL)




4 ( SCRIPT', – )



5 ( – declaration )



XSSEncoder.
- XSSEncoder ( : com.sap.security.core.server.csi.XSSEncoder).

:
HTML / XML out = XSSEncoder.encodeHTML( in ) and XSSEncoder.encodeXML( val ); JavaScript out = XSSEncoder.encodeJavaScript( val ); URL out = XSSEncoder.encodeURL( val ); CSS out = XSSEncoder.encodeCSS( val );

, . SAP Security Note 1590008.
WebDynpro Java
WebDynpro Java, XSS. .
SAP UI Development Kit for HTML5
SAP UI Development Kit HTML5, jQuery /_core/src/main/js/jquery.sap.encoder.js.
:
HTML / XML jQuery.sap.encodeHTML(sValue) and jQuery.sap.encodeXML(sValue) JavaScript jQuery.sap.encodeJS(sValue) URL jQuery.sap.encodeURL(sValue) CSS jQuery.sap.encodeCSS(sValue)
:

, :
Global_app_config/session_config/sessionTimeout = 900. - , . SystemCookiesDataProtection = true. HttpOnly , - , , . HTTPOnly, Logon tickets XSS-. ume.logon.httponlycookie= True. Logon tickets , Single Sign-On J2EE Engine. “True” , HTTP document.cookie ( XSS-) . SessionIPProtectionEnabled = True. , IP . True, HTTP- IP. IP, .


, , - XSS-, - -, .
LogCLF = TRUE http.properties logging CEF. ArchiveOldLogFiles = ON. Log Configurator . . , . , . . HttpTrace= Enable. HTTP- , ConfigTool. HTTP Provider Service, , HttpTrace.
SAP HANA XS

, XSS- – SAP HANA.


SAP HANA SAPUI5.
- SAPUI5 , . , int int, sap.ui.core . – , HTML:

, :
sessiontimeout = 900. - , . HttpOnly .



, , - XSS-, - -, .

HTTP (S) , SAP HANA, -. - HTTP (S) , icm/http/logging _ 0: global _ auditing _ state = true. global.ini, . , , XSS-. SAP HANA Administration Console –> Security HDB –> Auditing Status menu.



- , XSS. , , - SAP . XSS- – SAP. SAP XSS-. XSS SAP.

, ( chipik ) .


Logging additional information ABAP protection SAP Encoding Functions for AS ABAP Java protection SAP Encoding Functions for AS Java and JavaScript Prevention of Cross-site Scripting SAP HANA protection Protecting SAP® Applications Based on Java and ABAP™ Against Common Attacks

<%@page language="abap" forceEncode="html"%> <% data: inputvalue type string. inputvalue = request->get_form_field( 'x' ). %> </html> . , ( ): <%html=...%>: HTML <%url=...%>: URL URL <%javascript=...%>: JavaScript <%css=…%> : CSS <%raw=...%> ( , , , ) BSP BSP HTMLB forceEncode <htmlb:content> ENABLED , ( ). ENABLED , , :<htmlb:content forceEncode="ENABLED|BACKWARDS_COMPATIBLE"> ENABLED: . , ; BACKWARDS_COMPATIBLE: . , . , htmlb:content , . : CLASSIC, DESIGN2002, DESIGN2003, DESIGN2008, , (+). CLASSIC DESIGN2002 (, ) . <htmlb:content forceEncode="ENABLED" design="DESIGN2003+DESIGN2008"> , design=CLASSIC. . Mixed BSP- HTML HTMLB forceEncode BSP page forceEncode HTMLB . , – HTMLB. , , HTML BSP, Internet Transaction Server (ITS) HTML Business Internet Transaction Server (ITS) HTML Business, : xss_url_escape() xss_html_escape() xss_wml_escape() xss_css_escape() xss_js_escape() HTML Business , HTML-: , (`) , : ~auto_html_escaping=1: , ~new_xss_functions=1: XSS. ~html_escaping_off=1/0, . , , SAP_BASIS: ITS ( <= 6.40), Internet Service SE80. ITS ( >= 6.40), GUI SICF : 7.20, ~new_xss_functions, XSS- . , , , . ~html_escaping_off=”X”, . , . SAP Security Note 1488500. Business HTML (BHTML) HTMLBusiness Template Library (, SAP_TemplateNonEditableField()) . , . SAP Security Note 916255. , . , . , XSS-: http/security_session_timeout = 900; - , . icf/set_HTTPonly_flag_on_cookies = 0; HttpOnly , - , , . HTTPOnly, Logon tickets XSS-. , RZ10, ( Profile) (, DEFAULT.PFL, SAP-). , , , Extended maintenance . , Copy. , , - , - -, : icm/HTTP/logging_0 icm/security_log , SAP NetWeaver J2EE SAP NetWeaver J2EE AS Java tc_sec_csi.jar. , HTML/XML, JavaScript, CSS URL. StringUtils (com.sap.security.core.server.csi.util.StringUtils): . Securing SAP from XSS vulnerabilities escapeScriptEndTag(String pStr) - , javascript ; escapeToHTML(String input) – (. 1) escapeToJS(String input) – JS declaration ( . 5) escapeToURL(String input) – , URL ( 3). , 'disableScriptSignatures'. escapeToURL(StringBuffer sb, String input, int maxLength) - , URL ( 3). , 'disableScriptSignatures'. escapeToURL(String input, int maxLength) - , URL (. 3). , 'disableScriptSignatures'. urlEncode(String s) – URLEncoder.encode , . 1 ( ) [CASE1] Username [CASE1] 2 ( , – URL) Click here 3 ( - URL) 4 ( SCRIPT', – ) 5 ( – declaration ) XSSEncoder. - XSSEncoder ( : com.sap.security.core.server.csi.XSSEncoder). : HTML / XML out = XSSEncoder.encodeHTML( in ) and XSSEncoder.encodeXML( val ); JavaScript out = XSSEncoder.encodeJavaScript( val ); URL out = XSSEncoder.encodeURL( val ); CSS out = XSSEncoder.encodeCSS( val ); , . SAP Security Note 1590008. WebDynpro Java WebDynpro Java, XSS. . SAP UI Development Kit for HTML5 SAP UI Development Kit HTML5, jQuery /_core/src/main/js/jquery.sap.encoder.js. : HTML / XML jQuery.sap.encodeHTML(sValue) and jQuery.sap.encodeXML(sValue) JavaScript jQuery.sap.encodeJS(sValue) URL jQuery.sap.encodeURL(sValue) CSS jQuery.sap.encodeCSS(sValue) : , : Global_app_config/session_config/sessionTimeout = 900. - , . SystemCookiesDataProtection = true. HttpOnly , - , , . HTTPOnly, Logon tickets XSS-. ume.logon.httponlycookie= True. Logon tickets , Single Sign-On J2EE Engine. “True” , HTTP document.cookie ( XSS-) . SessionIPProtectionEnabled = True. , IP . True, HTTP- IP. IP, . , , - XSS-, - -, . LogCLF = TRUE http.properties logging CEF. ArchiveOldLogFiles = ON. Log Configurator . . , . , . . HttpTrace= Enable. HTTP- , ConfigTool. HTTP Provider Service, , HttpTrace. SAP HANA XS , XSS- – SAP HANA. SAP HANA SAPUI5. - SAPUI5 , . , int int, sap.ui.core . – , HTML: , : sessiontimeout = 900. - , . HttpOnly . , , - XSS-, - -, . HTTP (S) , SAP HANA, -. - HTTP (S) , icm/http/logging _ 0: global _ auditing _ state = true. global.ini, . , , XSS-. SAP HANA Administration Console –> Security HDB –> Auditing Status menu. - , XSS. , , - SAP . XSS- – SAP. SAP XSS-. XSS SAP. , ( chipik ) . Logging additional information ABAP protection SAP Encoding Functions for AS ABAP Java protection SAP Encoding Functions for AS Java and JavaScript Prevention of Cross-site Scripting SAP HANA protection Protecting SAP® Applications Based on Java and ABAP™ Against Common Attacks
<%@page language="abap" forceEncode="html"%> <% data: inputvalue type string. inputvalue = request->get_form_field( 'x' ). %> </html> . , ( ): <%html=...%>: HTML <%url=...%>: URL URL <%javascript=...%>: JavaScript <%css=…%> : CSS <%raw=...%> ( , , , ) BSP BSP HTMLB forceEncode <htmlb:content> ENABLED , ( ). ENABLED , , :<htmlb:content forceEncode="ENABLED|BACKWARDS_COMPATIBLE"> ENABLED: . , ; BACKWARDS_COMPATIBLE: . , . , htmlb:content , . : CLASSIC, DESIGN2002, DESIGN2003, DESIGN2008, , (+). CLASSIC DESIGN2002 (, ) . <htmlb:content forceEncode="ENABLED" design="DESIGN2003+DESIGN2008"> , design=CLASSIC. . Mixed BSP- HTML HTMLB forceEncode BSP page forceEncode HTMLB . , – HTMLB. , , HTML BSP, Internet Transaction Server (ITS) HTML Business Internet Transaction Server (ITS) HTML Business, : xss_url_escape() xss_html_escape() xss_wml_escape() xss_css_escape() xss_js_escape() HTML Business , HTML-: , (`) , : ~auto_html_escaping=1: , ~new_xss_functions=1: XSS. ~html_escaping_off=1/0, . , , SAP_BASIS: ITS ( <= 6.40), Internet Service SE80. ITS ( >= 6.40), GUI SICF : 7.20, ~new_xss_functions, XSS- . , , , . ~html_escaping_off=”X”, . , . SAP Security Note 1488500. Business HTML (BHTML) HTMLBusiness Template Library (, SAP_TemplateNonEditableField()) . , . SAP Security Note 916255. , . , . , XSS-: http/security_session_timeout = 900; - , . icf/set_HTTPonly_flag_on_cookies = 0; HttpOnly , - , , . HTTPOnly, Logon tickets XSS-. , RZ10, ( Profile) (, DEFAULT.PFL, SAP-). , , , Extended maintenance . , Copy. , , - , - -, : icm/HTTP/logging_0 icm/security_log , SAP NetWeaver J2EE SAP NetWeaver J2EE AS Java tc_sec_csi.jar. , HTML/XML, JavaScript, CSS URL. StringUtils (com.sap.security.core.server.csi.util.StringUtils): . Securing SAP from XSS vulnerabilities escapeScriptEndTag(String pStr) - , javascript ; escapeToHTML(String input) – (. 1) escapeToJS(String input) – JS declaration ( . 5) escapeToURL(String input) – , URL ( 3). , 'disableScriptSignatures'. escapeToURL(StringBuffer sb, String input, int maxLength) - , URL ( 3). , 'disableScriptSignatures'. escapeToURL(String input, int maxLength) - , URL (. 3). , 'disableScriptSignatures'. urlEncode(String s) – URLEncoder.encode , . 1 ( ) [CASE1] Username [CASE1] 2 ( , – URL) Click here 3 ( - URL) 4 ( SCRIPT', – ) 5 ( – declaration ) XSSEncoder. - XSSEncoder ( : com.sap.security.core.server.csi.XSSEncoder). : HTML / XML out = XSSEncoder.encodeHTML( in ) and XSSEncoder.encodeXML( val ); JavaScript out = XSSEncoder.encodeJavaScript( val ); URL out = XSSEncoder.encodeURL( val ); CSS out = XSSEncoder.encodeCSS( val ); , . SAP Security Note 1590008. WebDynpro Java WebDynpro Java, XSS. . SAP UI Development Kit for HTML5 SAP UI Development Kit HTML5, jQuery /_core/src/main/js/jquery.sap.encoder.js. : HTML / XML jQuery.sap.encodeHTML(sValue) and jQuery.sap.encodeXML(sValue) JavaScript jQuery.sap.encodeJS(sValue) URL jQuery.sap.encodeURL(sValue) CSS jQuery.sap.encodeCSS(sValue) : , : Global_app_config/session_config/sessionTimeout = 900. - , . SystemCookiesDataProtection = true. HttpOnly , - , , . HTTPOnly, Logon tickets XSS-. ume.logon.httponlycookie= True. Logon tickets , Single Sign-On J2EE Engine. “True” , HTTP document.cookie ( XSS-) . SessionIPProtectionEnabled = True. , IP . True, HTTP- IP. IP, . , , - XSS-, - -, . LogCLF = TRUE http.properties logging CEF. ArchiveOldLogFiles = ON. Log Configurator . . , . , . . HttpTrace= Enable. HTTP- , ConfigTool. HTTP Provider Service, , HttpTrace. SAP HANA XS , XSS- – SAP HANA. SAP HANA SAPUI5. - SAPUI5 , . , int int, sap.ui.core . – , HTML: , : sessiontimeout = 900. - , . HttpOnly . , , - XSS-, - -, . HTTP (S) , SAP HANA, -. - HTTP (S) , icm/http/logging _ 0: global _ auditing _ state = true. global.ini, . , , XSS-. SAP HANA Administration Console –> Security HDB –> Auditing Status menu. - , XSS. , , - SAP . XSS- – SAP. SAP XSS-. XSS SAP. , ( chipik ) . Logging additional information ABAP protection SAP Encoding Functions for AS ABAP Java protection SAP Encoding Functions for AS Java and JavaScript Prevention of Cross-site Scripting SAP HANA protection Protecting SAP® Applications Based on Java and ABAP™ Against Common Attacks

<%@page language="abap" forceEncode="html"%>
<% data: inputvalue type string.
inputvalue = request->get_form_field( 'x' ).
%>
</html>


. , ( ):

<%html=...%>: HTML <%url=...%>: URL URL <%javascript=...%>: JavaScript <%css=…%> : CSS <%raw=...%> ( , , , )

BSP

BSP HTMLB forceEncode <htmlb:content> ENABLED , ( ). ENABLED , , :<htmlb:content forceEncode="ENABLED|BACKWARDS_COMPATIBLE">

ENABLED: . , ; BACKWARDS_COMPATIBLE: . , .

, htmlb:content , . : CLASSIC, DESIGN2002, DESIGN2003, DESIGN2008, , (+). CLASSIC DESIGN2002 (, ) .

<htmlb:content forceEncode="ENABLED" design="DESIGN2003+DESIGN2008">


, design=CLASSIC. .

Mixed BSP- HTML HTMLB

forceEncode BSP page forceEncode HTMLB . , – HTMLB. , , HTML BSP,

Internet Transaction Server (ITS) HTML Business

Internet Transaction Server (ITS) HTML Business, :

xss_url_escape() xss_html_escape() xss_wml_escape() xss_css_escape() xss_js_escape()
HTML Business

, HTML-: , (`) , :
~auto_html_escaping=1: , ~new_xss_functions=1: XSS.
~html_escaping_off=1/0, .
, , SAP_BASIS:
ITS ( <= 6.40), Internet Service SE80. ITS ( >= 6.40), GUI SICF :

7.20, ~new_xss_functions, XSS- .

, , , . ~html_escaping_off=”X”, . , . SAP Security Note 1488500.

Business HTML (BHTML)

HTMLBusiness Template Library (, SAP_TemplateNonEditableField()) . , . SAP Security Note 916255.



, . , .



, XSS-:

http/security_session_timeout = 900; - , . icf/set_HTTPonly_flag_on_cookies = 0; HttpOnly , - , , . HTTPOnly, Logon tickets XSS-.

, RZ10, ( Profile) (, DEFAULT.PFL, SAP-). , , , Extended maintenance . , Copy.



, , - , - -, :
icm/HTTP/logging_0 icm/security_log ,

SAP NetWeaver J2EE

SAP NetWeaver J2EE



AS Java tc_sec_csi.jar. , HTML/XML, JavaScript, CSS URL. StringUtils (com.sap.security.core.server.csi.util.StringUtils):

. Securing SAP from XSS vulnerabilities
escapeScriptEndTag(String pStr) - , javascript ; escapeToHTML(String input) – (. 1) escapeToJS(String input) – JS declaration ( . 5) escapeToURL(String input) – , URL ( 3). , 'disableScriptSignatures'. escapeToURL(StringBuffer sb, String input, int maxLength) - , URL ( 3). , 'disableScriptSignatures'. escapeToURL(String input, int maxLength) - , URL (. 3). , 'disableScriptSignatures'. urlEncode(String s) – URLEncoder.encode

, .

1 ( )

[CASE1]

Username [CASE1]



2 ( , – URL)


Click here


3 ( - URL)




4 ( SCRIPT', – )



5 ( – declaration )



XSSEncoder.
- XSSEncoder ( : com.sap.security.core.server.csi.XSSEncoder).

:
HTML / XML out = XSSEncoder.encodeHTML( in ) and XSSEncoder.encodeXML( val ); JavaScript out = XSSEncoder.encodeJavaScript( val ); URL out = XSSEncoder.encodeURL( val ); CSS out = XSSEncoder.encodeCSS( val );

, . SAP Security Note 1590008.
WebDynpro Java
WebDynpro Java, XSS. .
SAP UI Development Kit for HTML5
SAP UI Development Kit HTML5, jQuery /_core/src/main/js/jquery.sap.encoder.js.
:
HTML / XML jQuery.sap.encodeHTML(sValue) and jQuery.sap.encodeXML(sValue) JavaScript jQuery.sap.encodeJS(sValue) URL jQuery.sap.encodeURL(sValue) CSS jQuery.sap.encodeCSS(sValue)
:

, :
Global_app_config/session_config/sessionTimeout = 900. - , . SystemCookiesDataProtection = true. HttpOnly , - , , . HTTPOnly, Logon tickets XSS-. ume.logon.httponlycookie= True. Logon tickets , Single Sign-On J2EE Engine. “True” , HTTP document.cookie ( XSS-) . SessionIPProtectionEnabled = True. , IP . True, HTTP- IP. IP, .


, , - XSS-, - -, .
LogCLF = TRUE http.properties logging CEF. ArchiveOldLogFiles = ON. Log Configurator . . , . , . . HttpTrace= Enable. HTTP- , ConfigTool. HTTP Provider Service, , HttpTrace.
SAP HANA XS

, XSS- – SAP HANA.


SAP HANA SAPUI5.
- SAPUI5 , . , int int, sap.ui.core . – , HTML:

, :
sessiontimeout = 900. - , . HttpOnly .



, , - XSS-, - -, .

HTTP (S) , SAP HANA, -. - HTTP (S) , icm/http/logging _ 0: global _ auditing _ state = true. global.ini, . , , XSS-. SAP HANA Administration Console –> Security HDB –> Auditing Status menu.



- , XSS. , , - SAP . XSS- – SAP. SAP XSS-. XSS SAP.

, ( chipik ) .


Logging additional information ABAP protection SAP Encoding Functions for AS ABAP Java protection SAP Encoding Functions for AS Java and JavaScript Prevention of Cross-site Scripting SAP HANA protection Protecting SAP® Applications Based on Java and ABAP™ Against Common Attacks

<%@page language="abap" forceEncode="html"%> <% data: inputvalue type string. inputvalue = request->get_form_field( 'x' ). %> </html> . , ( ): <%html=...%>: HTML <%url=...%>: URL URL <%javascript=...%>: JavaScript <%css=…%> : CSS <%raw=...%> ( , , , ) BSP BSP HTMLB forceEncode <htmlb:content> ENABLED , ( ). ENABLED , , :<htmlb:content forceEncode="ENABLED|BACKWARDS_COMPATIBLE"> ENABLED: . , ; BACKWARDS_COMPATIBLE: . , . , htmlb:content , . : CLASSIC, DESIGN2002, DESIGN2003, DESIGN2008, , (+). CLASSIC DESIGN2002 (, ) . <htmlb:content forceEncode="ENABLED" design="DESIGN2003+DESIGN2008"> , design=CLASSIC. . Mixed BSP- HTML HTMLB forceEncode BSP page forceEncode HTMLB . , – HTMLB. , , HTML BSP, Internet Transaction Server (ITS) HTML Business Internet Transaction Server (ITS) HTML Business, : xss_url_escape() xss_html_escape() xss_wml_escape() xss_css_escape() xss_js_escape() HTML Business , HTML-: , (`) , : ~auto_html_escaping=1: , ~new_xss_functions=1: XSS. ~html_escaping_off=1/0, . , , SAP_BASIS: ITS ( <= 6.40), Internet Service SE80. ITS ( >= 6.40), GUI SICF : 7.20, ~new_xss_functions, XSS- . , , , . ~html_escaping_off=”X”, . , . SAP Security Note 1488500. Business HTML (BHTML) HTMLBusiness Template Library (, SAP_TemplateNonEditableField()) . , . SAP Security Note 916255. , . , . , XSS-: http/security_session_timeout = 900; - , . icf/set_HTTPonly_flag_on_cookies = 0; HttpOnly , - , , . HTTPOnly, Logon tickets XSS-. , RZ10, ( Profile) (, DEFAULT.PFL, SAP-). , , , Extended maintenance . , Copy. , , - , - -, : icm/HTTP/logging_0 icm/security_log , SAP NetWeaver J2EE SAP NetWeaver J2EE AS Java tc_sec_csi.jar. , HTML/XML, JavaScript, CSS URL. StringUtils (com.sap.security.core.server.csi.util.StringUtils): . Securing SAP from XSS vulnerabilities escapeScriptEndTag(String pStr) - , javascript ; escapeToHTML(String input) – (. 1) escapeToJS(String input) – JS declaration ( . 5) escapeToURL(String input) – , URL ( 3). , 'disableScriptSignatures'. escapeToURL(StringBuffer sb, String input, int maxLength) - , URL ( 3). , 'disableScriptSignatures'. escapeToURL(String input, int maxLength) - , URL (. 3). , 'disableScriptSignatures'. urlEncode(String s) – URLEncoder.encode , . 1 ( ) [CASE1] Username [CASE1] 2 ( , – URL) Click here 3 ( - URL) 4 ( SCRIPT', – ) 5 ( – declaration ) XSSEncoder. - XSSEncoder ( : com.sap.security.core.server.csi.XSSEncoder). : HTML / XML out = XSSEncoder.encodeHTML( in ) and XSSEncoder.encodeXML( val ); JavaScript out = XSSEncoder.encodeJavaScript( val ); URL out = XSSEncoder.encodeURL( val ); CSS out = XSSEncoder.encodeCSS( val ); , . SAP Security Note 1590008. WebDynpro Java WebDynpro Java, XSS. . SAP UI Development Kit for HTML5 SAP UI Development Kit HTML5, jQuery /_core/src/main/js/jquery.sap.encoder.js. : HTML / XML jQuery.sap.encodeHTML(sValue) and jQuery.sap.encodeXML(sValue) JavaScript jQuery.sap.encodeJS(sValue) URL jQuery.sap.encodeURL(sValue) CSS jQuery.sap.encodeCSS(sValue) : , : Global_app_config/session_config/sessionTimeout = 900. - , . SystemCookiesDataProtection = true. HttpOnly , - , , . HTTPOnly, Logon tickets XSS-. ume.logon.httponlycookie= True. Logon tickets , Single Sign-On J2EE Engine. “True” , HTTP document.cookie ( XSS-) . SessionIPProtectionEnabled = True. , IP . True, HTTP- IP. IP, . , , - XSS-, - -, . LogCLF = TRUE http.properties logging CEF. ArchiveOldLogFiles = ON. Log Configurator . . , . , . . HttpTrace= Enable. HTTP- , ConfigTool. HTTP Provider Service, , HttpTrace. SAP HANA XS , XSS- – SAP HANA. SAP HANA SAPUI5. - SAPUI5 , . , int int, sap.ui.core . – , HTML: , : sessiontimeout = 900. - , . HttpOnly . , , - XSS-, - -, . HTTP (S) , SAP HANA, -. - HTTP (S) , icm/http/logging _ 0: global _ auditing _ state = true. global.ini, . , , XSS-. SAP HANA Administration Console –> Security HDB –> Auditing Status menu. - , XSS. , , - SAP . XSS- – SAP. SAP XSS-. XSS SAP. , ( chipik ) . Logging additional information ABAP protection SAP Encoding Functions for AS ABAP Java protection SAP Encoding Functions for AS Java and JavaScript Prevention of Cross-site Scripting SAP HANA protection Protecting SAP® Applications Based on Java and ABAP™ Against Common Attacks

<%@page language="abap" forceEncode="html"%>
<% data: inputvalue type string.
inputvalue = request->get_form_field( 'x' ).
%>
</html>


. , ( ):

<%html=...%>: HTML <%url=...%>: URL URL <%javascript=...%>: JavaScript <%css=…%> : CSS <%raw=...%> ( , , , )

BSP

BSP HTMLB forceEncode <htmlb:content> ENABLED , ( ). ENABLED , , :<htmlb:content forceEncode="ENABLED|BACKWARDS_COMPATIBLE">

ENABLED: . , ; BACKWARDS_COMPATIBLE: . , .

, htmlb:content , . : CLASSIC, DESIGN2002, DESIGN2003, DESIGN2008, , (+). CLASSIC DESIGN2002 (, ) .

<htmlb:content forceEncode="ENABLED" design="DESIGN2003+DESIGN2008">


, design=CLASSIC. .

Mixed BSP- HTML HTMLB

forceEncode BSP page forceEncode HTMLB . , – HTMLB. , , HTML BSP,

Internet Transaction Server (ITS) HTML Business

Internet Transaction Server (ITS) HTML Business, :

xss_url_escape() xss_html_escape() xss_wml_escape() xss_css_escape() xss_js_escape()
HTML Business

, HTML-: , (`) , :
~auto_html_escaping=1: , ~new_xss_functions=1: XSS.
~html_escaping_off=1/0, .
, , SAP_BASIS:
ITS ( <= 6.40), Internet Service SE80. ITS ( >= 6.40), GUI SICF :

7.20, ~new_xss_functions, XSS- .

, , , . ~html_escaping_off=”X”, . , . SAP Security Note 1488500.

Business HTML (BHTML)

HTMLBusiness Template Library (, SAP_TemplateNonEditableField()) . , . SAP Security Note 916255.



, . , .



, XSS-:

http/security_session_timeout = 900; - , . icf/set_HTTPonly_flag_on_cookies = 0; HttpOnly , - , , . HTTPOnly, Logon tickets XSS-.

, RZ10, ( Profile) (, DEFAULT.PFL, SAP-). , , , Extended maintenance . , Copy.



, , - , - -, :
icm/HTTP/logging_0 icm/security_log ,

SAP NetWeaver J2EE

SAP NetWeaver J2EE



AS Java tc_sec_csi.jar. , HTML/XML, JavaScript, CSS URL. StringUtils (com.sap.security.core.server.csi.util.StringUtils):

. Securing SAP from XSS vulnerabilities
escapeScriptEndTag(String pStr) - , javascript ; escapeToHTML(String input) – (. 1) escapeToJS(String input) – JS declaration ( . 5) escapeToURL(String input) – , URL ( 3). , 'disableScriptSignatures'. escapeToURL(StringBuffer sb, String input, int maxLength) - , URL ( 3). , 'disableScriptSignatures'. escapeToURL(String input, int maxLength) - , URL (. 3). , 'disableScriptSignatures'. urlEncode(String s) – URLEncoder.encode

, .

1 ( )

[CASE1]

Username [CASE1]



2 ( , – URL)


Click here


3 ( - URL)




4 ( SCRIPT', – )



5 ( – declaration )



XSSEncoder.
- XSSEncoder ( : com.sap.security.core.server.csi.XSSEncoder).

:
HTML / XML out = XSSEncoder.encodeHTML( in ) and XSSEncoder.encodeXML( val ); JavaScript out = XSSEncoder.encodeJavaScript( val ); URL out = XSSEncoder.encodeURL( val ); CSS out = XSSEncoder.encodeCSS( val );

, . SAP Security Note 1590008.
WebDynpro Java
WebDynpro Java, XSS. .
SAP UI Development Kit for HTML5
SAP UI Development Kit HTML5, jQuery /_core/src/main/js/jquery.sap.encoder.js.
:
HTML / XML jQuery.sap.encodeHTML(sValue) and jQuery.sap.encodeXML(sValue) JavaScript jQuery.sap.encodeJS(sValue) URL jQuery.sap.encodeURL(sValue) CSS jQuery.sap.encodeCSS(sValue)
:

, :
Global_app_config/session_config/sessionTimeout = 900. - , . SystemCookiesDataProtection = true. HttpOnly , - , , . HTTPOnly, Logon tickets XSS-. ume.logon.httponlycookie= True. Logon tickets , Single Sign-On J2EE Engine. “True” , HTTP document.cookie ( XSS-) . SessionIPProtectionEnabled = True. , IP . True, HTTP- IP. IP, .


, , - XSS-, - -, .
LogCLF = TRUE http.properties logging CEF. ArchiveOldLogFiles = ON. Log Configurator . . , . , . . HttpTrace= Enable. HTTP- , ConfigTool. HTTP Provider Service, , HttpTrace.
SAP HANA XS

, XSS- – SAP HANA.


SAP HANA SAPUI5.
- SAPUI5 , . , int int, sap.ui.core . – , HTML:

, :
sessiontimeout = 900. - , . HttpOnly .



, , - XSS-, - -, .

HTTP (S) , SAP HANA, -. - HTTP (S) , icm/http/logging _ 0: global _ auditing _ state = true. global.ini, . , , XSS-. SAP HANA Administration Console –> Security HDB –> Auditing Status menu.



- , XSS. , , - SAP . XSS- – SAP. SAP XSS-. XSS SAP.

, ( chipik ) .


Logging additional information ABAP protection SAP Encoding Functions for AS ABAP Java protection SAP Encoding Functions for AS Java and JavaScript Prevention of Cross-site Scripting SAP HANA protection Protecting SAP® Applications Based on Java and ABAP™ Against Common Attacks

<%@page language="abap" forceEncode="html"%> <% data: inputvalue type string. inputvalue = request->get_form_field( 'x' ). %> </html> . , ( ): <%html=...%>: HTML <%url=...%>: URL URL <%javascript=...%>: JavaScript <%css=…%> : CSS <%raw=...%> ( , , , ) BSP BSP HTMLB forceEncode <htmlb:content> ENABLED , ( ). ENABLED , , :<htmlb:content forceEncode="ENABLED|BACKWARDS_COMPATIBLE"> ENABLED: . , ; BACKWARDS_COMPATIBLE: . , . , htmlb:content , . : CLASSIC, DESIGN2002, DESIGN2003, DESIGN2008, , (+). CLASSIC DESIGN2002 (, ) . <htmlb:content forceEncode="ENABLED" design="DESIGN2003+DESIGN2008"> , design=CLASSIC. . Mixed BSP- HTML HTMLB forceEncode BSP page forceEncode HTMLB . , – HTMLB. , , HTML BSP, Internet Transaction Server (ITS) HTML Business Internet Transaction Server (ITS) HTML Business, : xss_url_escape() xss_html_escape() xss_wml_escape() xss_css_escape() xss_js_escape() HTML Business , HTML-: , (`) , : ~auto_html_escaping=1: , ~new_xss_functions=1: XSS. ~html_escaping_off=1/0, . , , SAP_BASIS: ITS ( <= 6.40), Internet Service SE80. ITS ( >= 6.40), GUI SICF : 7.20, ~new_xss_functions, XSS- . , , , . ~html_escaping_off=”X”, . , . SAP Security Note 1488500. Business HTML (BHTML) HTMLBusiness Template Library (, SAP_TemplateNonEditableField()) . , . SAP Security Note 916255. , . , . , XSS-: http/security_session_timeout = 900; - , . icf/set_HTTPonly_flag_on_cookies = 0; HttpOnly , - , , . HTTPOnly, Logon tickets XSS-. , RZ10, ( Profile) (, DEFAULT.PFL, SAP-). , , , Extended maintenance . , Copy. , , - , - -, : icm/HTTP/logging_0 icm/security_log , SAP NetWeaver J2EE SAP NetWeaver J2EE AS Java tc_sec_csi.jar. , HTML/XML, JavaScript, CSS URL. StringUtils (com.sap.security.core.server.csi.util.StringUtils): . Securing SAP from XSS vulnerabilities escapeScriptEndTag(String pStr) - , javascript ; escapeToHTML(String input) – (. 1) escapeToJS(String input) – JS declaration ( . 5) escapeToURL(String input) – , URL ( 3). , 'disableScriptSignatures'. escapeToURL(StringBuffer sb, String input, int maxLength) - , URL ( 3). , 'disableScriptSignatures'. escapeToURL(String input, int maxLength) - , URL (. 3). , 'disableScriptSignatures'. urlEncode(String s) – URLEncoder.encode , . 1 ( ) [CASE1] Username [CASE1] 2 ( , – URL) Click here 3 ( - URL) 4 ( SCRIPT', – ) 5 ( – declaration ) XSSEncoder. - XSSEncoder ( : com.sap.security.core.server.csi.XSSEncoder). : HTML / XML out = XSSEncoder.encodeHTML( in ) and XSSEncoder.encodeXML( val ); JavaScript out = XSSEncoder.encodeJavaScript( val ); URL out = XSSEncoder.encodeURL( val ); CSS out = XSSEncoder.encodeCSS( val ); , . SAP Security Note 1590008. WebDynpro Java WebDynpro Java, XSS. . SAP UI Development Kit for HTML5 SAP UI Development Kit HTML5, jQuery /_core/src/main/js/jquery.sap.encoder.js. : HTML / XML jQuery.sap.encodeHTML(sValue) and jQuery.sap.encodeXML(sValue) JavaScript jQuery.sap.encodeJS(sValue) URL jQuery.sap.encodeURL(sValue) CSS jQuery.sap.encodeCSS(sValue) : , : Global_app_config/session_config/sessionTimeout = 900. - , . SystemCookiesDataProtection = true. HttpOnly , - , , . HTTPOnly, Logon tickets XSS-. ume.logon.httponlycookie= True. Logon tickets , Single Sign-On J2EE Engine. “True” , HTTP document.cookie ( XSS-) . SessionIPProtectionEnabled = True. , IP . True, HTTP- IP. IP, . , , - XSS-, - -, . LogCLF = TRUE http.properties logging CEF. ArchiveOldLogFiles = ON. Log Configurator . . , . , . . HttpTrace= Enable. HTTP- , ConfigTool. HTTP Provider Service, , HttpTrace. SAP HANA XS , XSS- – SAP HANA. SAP HANA SAPUI5. - SAPUI5 , . , int int, sap.ui.core . – , HTML: , : sessiontimeout = 900. - , . HttpOnly . , , - XSS-, - -, . HTTP (S) , SAP HANA, -. - HTTP (S) , icm/http/logging _ 0: global _ auditing _ state = true. global.ini, . , , XSS-. SAP HANA Administration Console –> Security HDB –> Auditing Status menu. - , XSS. , , - SAP . XSS- – SAP. SAP XSS-. XSS SAP. , ( chipik ) . Logging additional information ABAP protection SAP Encoding Functions for AS ABAP Java protection SAP Encoding Functions for AS Java and JavaScript Prevention of Cross-site Scripting SAP HANA protection Protecting SAP® Applications Based on Java and ABAP™ Against Common Attacks

<%@page language="abap" forceEncode="html"%>
<% data: inputvalue type string.
inputvalue = request->get_form_field( 'x' ).
%>
</html>


. , ( ):

<%html=...%>: HTML <%url=...%>: URL URL <%javascript=...%>: JavaScript <%css=…%> : CSS <%raw=...%> ( , , , )

BSP

BSP HTMLB forceEncode <htmlb:content> ENABLED , ( ). ENABLED , , :<htmlb:content forceEncode="ENABLED|BACKWARDS_COMPATIBLE">

ENABLED: . , ; BACKWARDS_COMPATIBLE: . , .

, htmlb:content , . : CLASSIC, DESIGN2002, DESIGN2003, DESIGN2008, , (+). CLASSIC DESIGN2002 (, ) .

<htmlb:content forceEncode="ENABLED" design="DESIGN2003+DESIGN2008">


, design=CLASSIC. .

Mixed BSP- HTML HTMLB

forceEncode BSP page forceEncode HTMLB . , – HTMLB. , , HTML BSP,

Internet Transaction Server (ITS) HTML Business

Internet Transaction Server (ITS) HTML Business, :

xss_url_escape() xss_html_escape() xss_wml_escape() xss_css_escape() xss_js_escape()
HTML Business

, HTML-: , (`) , :
~auto_html_escaping=1: , ~new_xss_functions=1: XSS.
~html_escaping_off=1/0, .
, , SAP_BASIS:
ITS ( <= 6.40), Internet Service SE80. ITS ( >= 6.40), GUI SICF :

7.20, ~new_xss_functions, XSS- .

, , , . ~html_escaping_off=”X”, . , . SAP Security Note 1488500.

Business HTML (BHTML)

HTMLBusiness Template Library (, SAP_TemplateNonEditableField()) . , . SAP Security Note 916255.



, . , .



, XSS-:

http/security_session_timeout = 900; - , . icf/set_HTTPonly_flag_on_cookies = 0; HttpOnly , - , , . HTTPOnly, Logon tickets XSS-.

, RZ10, ( Profile) (, DEFAULT.PFL, SAP-). , , , Extended maintenance . , Copy.



, , - , - -, :
icm/HTTP/logging_0 icm/security_log ,

SAP NetWeaver J2EE

SAP NetWeaver J2EE



AS Java tc_sec_csi.jar. , HTML/XML, JavaScript, CSS URL. StringUtils (com.sap.security.core.server.csi.util.StringUtils):

. Securing SAP from XSS vulnerabilities
escapeScriptEndTag(String pStr) - , javascript ; escapeToHTML(String input) – (. 1) escapeToJS(String input) – JS declaration ( . 5) escapeToURL(String input) – , URL ( 3). , 'disableScriptSignatures'. escapeToURL(StringBuffer sb, String input, int maxLength) - , URL ( 3). , 'disableScriptSignatures'. escapeToURL(String input, int maxLength) - , URL (. 3). , 'disableScriptSignatures'. urlEncode(String s) – URLEncoder.encode

, .

1 ( )

[CASE1]

Username [CASE1]



2 ( , – URL)


Click here


3 ( - URL)




4 ( SCRIPT', – )



5 ( – declaration )



XSSEncoder.
- XSSEncoder ( : com.sap.security.core.server.csi.XSSEncoder).

:
HTML / XML out = XSSEncoder.encodeHTML( in ) and XSSEncoder.encodeXML( val ); JavaScript out = XSSEncoder.encodeJavaScript( val ); URL out = XSSEncoder.encodeURL( val ); CSS out = XSSEncoder.encodeCSS( val );

, . SAP Security Note 1590008.
WebDynpro Java
WebDynpro Java, XSS. .
SAP UI Development Kit for HTML5
SAP UI Development Kit HTML5, jQuery /_core/src/main/js/jquery.sap.encoder.js.
:
HTML / XML jQuery.sap.encodeHTML(sValue) and jQuery.sap.encodeXML(sValue) JavaScript jQuery.sap.encodeJS(sValue) URL jQuery.sap.encodeURL(sValue) CSS jQuery.sap.encodeCSS(sValue)
:

, :
Global_app_config/session_config/sessionTimeout = 900. - , . SystemCookiesDataProtection = true. HttpOnly , - , , . HTTPOnly, Logon tickets XSS-. ume.logon.httponlycookie= True. Logon tickets , Single Sign-On J2EE Engine. “True” , HTTP document.cookie ( XSS-) . SessionIPProtectionEnabled = True. , IP . True, HTTP- IP. IP, .


, , - XSS-, - -, .
LogCLF = TRUE http.properties logging CEF. ArchiveOldLogFiles = ON. Log Configurator . . , . , . . HttpTrace= Enable. HTTP- , ConfigTool. HTTP Provider Service, , HttpTrace.
SAP HANA XS

, XSS- – SAP HANA.


SAP HANA SAPUI5.
- SAPUI5 , . , int int, sap.ui.core . – , HTML:

, :
sessiontimeout = 900. - , . HttpOnly .



, , - XSS-, - -, .

HTTP (S) , SAP HANA, -. - HTTP (S) , icm/http/logging _ 0: global _ auditing _ state = true. global.ini, . , , XSS-. SAP HANA Administration Console –> Security HDB –> Auditing Status menu.



- , XSS. , , - SAP . XSS- – SAP. SAP XSS-. XSS SAP.

, ( chipik ) .


Logging additional information ABAP protection SAP Encoding Functions for AS ABAP Java protection SAP Encoding Functions for AS Java and JavaScript Prevention of Cross-site Scripting SAP HANA protection Protecting SAP® Applications Based on Java and ABAP™ Against Common Attacks

<%@page language="abap" forceEncode="html"%> <% data: inputvalue type string. inputvalue = request->get_form_field( 'x' ). %> </html> . , ( ): <%html=...%>: HTML <%url=...%>: URL URL <%javascript=...%>: JavaScript <%css=…%> : CSS <%raw=...%> ( , , , ) BSP BSP HTMLB forceEncode <htmlb:content> ENABLED , ( ). ENABLED , , :<htmlb:content forceEncode="ENABLED|BACKWARDS_COMPATIBLE"> ENABLED: . , ; BACKWARDS_COMPATIBLE: . , . , htmlb:content , . : CLASSIC, DESIGN2002, DESIGN2003, DESIGN2008, , (+). CLASSIC DESIGN2002 (, ) . <htmlb:content forceEncode="ENABLED" design="DESIGN2003+DESIGN2008"> , design=CLASSIC. . Mixed BSP- HTML HTMLB forceEncode BSP page forceEncode HTMLB . , – HTMLB. , , HTML BSP, Internet Transaction Server (ITS) HTML Business Internet Transaction Server (ITS) HTML Business, : xss_url_escape() xss_html_escape() xss_wml_escape() xss_css_escape() xss_js_escape() HTML Business , HTML-: , (`) , : ~auto_html_escaping=1: , ~new_xss_functions=1: XSS. ~html_escaping_off=1/0, . , , SAP_BASIS: ITS ( <= 6.40), Internet Service SE80. ITS ( >= 6.40), GUI SICF : 7.20, ~new_xss_functions, XSS- . , , , . ~html_escaping_off=”X”, . , . SAP Security Note 1488500. Business HTML (BHTML) HTMLBusiness Template Library (, SAP_TemplateNonEditableField()) . , . SAP Security Note 916255. , . , . , XSS-: http/security_session_timeout = 900; - , . icf/set_HTTPonly_flag_on_cookies = 0; HttpOnly , - , , . HTTPOnly, Logon tickets XSS-. , RZ10, ( Profile) (, DEFAULT.PFL, SAP-). , , , Extended maintenance . , Copy. , , - , - -, : icm/HTTP/logging_0 icm/security_log , SAP NetWeaver J2EE SAP NetWeaver J2EE AS Java tc_sec_csi.jar. , HTML/XML, JavaScript, CSS URL. StringUtils (com.sap.security.core.server.csi.util.StringUtils): . Securing SAP from XSS vulnerabilities escapeScriptEndTag(String pStr) - , javascript ; escapeToHTML(String input) – (. 1) escapeToJS(String input) – JS declaration ( . 5) escapeToURL(String input) – , URL ( 3). , 'disableScriptSignatures'. escapeToURL(StringBuffer sb, String input, int maxLength) - , URL ( 3). , 'disableScriptSignatures'. escapeToURL(String input, int maxLength) - , URL (. 3). , 'disableScriptSignatures'. urlEncode(String s) – URLEncoder.encode , . 1 ( ) [CASE1] Username [CASE1] 2 ( , – URL) Click here 3 ( - URL) 4 ( SCRIPT', – ) 5 ( – declaration ) XSSEncoder. - XSSEncoder ( : com.sap.security.core.server.csi.XSSEncoder). : HTML / XML out = XSSEncoder.encodeHTML( in ) and XSSEncoder.encodeXML( val ); JavaScript out = XSSEncoder.encodeJavaScript( val ); URL out = XSSEncoder.encodeURL( val ); CSS out = XSSEncoder.encodeCSS( val ); , . SAP Security Note 1590008. WebDynpro Java WebDynpro Java, XSS. . SAP UI Development Kit for HTML5 SAP UI Development Kit HTML5, jQuery /_core/src/main/js/jquery.sap.encoder.js. : HTML / XML jQuery.sap.encodeHTML(sValue) and jQuery.sap.encodeXML(sValue) JavaScript jQuery.sap.encodeJS(sValue) URL jQuery.sap.encodeURL(sValue) CSS jQuery.sap.encodeCSS(sValue) : , : Global_app_config/session_config/sessionTimeout = 900. - , . SystemCookiesDataProtection = true. HttpOnly , - , , . HTTPOnly, Logon tickets XSS-. ume.logon.httponlycookie= True. Logon tickets , Single Sign-On J2EE Engine. “True” , HTTP document.cookie ( XSS-) . SessionIPProtectionEnabled = True. , IP . True, HTTP- IP. IP, . , , - XSS-, - -, . LogCLF = TRUE http.properties logging CEF. ArchiveOldLogFiles = ON. Log Configurator . . , . , . . HttpTrace= Enable. HTTP- , ConfigTool. HTTP Provider Service, , HttpTrace. SAP HANA XS , XSS- – SAP HANA. SAP HANA SAPUI5. - SAPUI5 , . , int int, sap.ui.core . – , HTML: , : sessiontimeout = 900. - , . HttpOnly . , , - XSS-, - -, . HTTP (S) , SAP HANA, -. - HTTP (S) , icm/http/logging _ 0: global _ auditing _ state = true. global.ini, . , , XSS-. SAP HANA Administration Console –> Security HDB –> Auditing Status menu. - , XSS. , , - SAP . XSS- – SAP. SAP XSS-. XSS SAP. , ( chipik ) . Logging additional information ABAP protection SAP Encoding Functions for AS ABAP Java protection SAP Encoding Functions for AS Java and JavaScript Prevention of Cross-site Scripting SAP HANA protection Protecting SAP® Applications Based on Java and ABAP™ Against Common Attacks
<%@page language="abap" forceEncode="html"%> <% data: inputvalue type string. inputvalue = request->get_form_field( 'x' ). %> </html> . , ( ): <%html=...%>: HTML <%url=...%>: URL URL <%javascript=...%>: JavaScript <%css=…%> : CSS <%raw=...%> ( , , , ) BSP BSP HTMLB forceEncode <htmlb:content> ENABLED , ( ). ENABLED , , :<htmlb:content forceEncode="ENABLED|BACKWARDS_COMPATIBLE"> ENABLED: . , ; BACKWARDS_COMPATIBLE: . , . , htmlb:content , . : CLASSIC, DESIGN2002, DESIGN2003, DESIGN2008, , (+). CLASSIC DESIGN2002 (, ) . <htmlb:content forceEncode="ENABLED" design="DESIGN2003+DESIGN2008"> , design=CLASSIC. . Mixed BSP- HTML HTMLB forceEncode BSP page forceEncode HTMLB . , – HTMLB. , , HTML BSP, Internet Transaction Server (ITS) HTML Business Internet Transaction Server (ITS) HTML Business, : xss_url_escape() xss_html_escape() xss_wml_escape() xss_css_escape() xss_js_escape() HTML Business , HTML-: , (`) , : ~auto_html_escaping=1: , ~new_xss_functions=1: XSS. ~html_escaping_off=1/0, . , , SAP_BASIS: ITS ( <= 6.40), Internet Service SE80. ITS ( >= 6.40), GUI SICF : 7.20, ~new_xss_functions, XSS- . , , , . ~html_escaping_off=”X”, . , . SAP Security Note 1488500. Business HTML (BHTML) HTMLBusiness Template Library (, SAP_TemplateNonEditableField()) . , . SAP Security Note 916255. , . , . , XSS-: http/security_session_timeout = 900; - , . icf/set_HTTPonly_flag_on_cookies = 0; HttpOnly , - , , . HTTPOnly, Logon tickets XSS-. , RZ10, ( Profile) (, DEFAULT.PFL, SAP-). , , , Extended maintenance . , Copy. , , - , - -, : icm/HTTP/logging_0 icm/security_log , SAP NetWeaver J2EE SAP NetWeaver J2EE AS Java tc_sec_csi.jar. , HTML/XML, JavaScript, CSS URL. StringUtils (com.sap.security.core.server.csi.util.StringUtils): . Securing SAP from XSS vulnerabilities escapeScriptEndTag(String pStr) - , javascript ; escapeToHTML(String input) – (. 1) escapeToJS(String input) – JS declaration ( . 5) escapeToURL(String input) – , URL ( 3). , 'disableScriptSignatures'. escapeToURL(StringBuffer sb, String input, int maxLength) - , URL ( 3). , 'disableScriptSignatures'. escapeToURL(String input, int maxLength) - , URL (. 3). , 'disableScriptSignatures'. urlEncode(String s) – URLEncoder.encode , . 1 ( ) [CASE1] Username [CASE1] 2 ( , – URL) Click here 3 ( - URL) 4 ( SCRIPT', – ) 5 ( – declaration ) XSSEncoder. - XSSEncoder ( : com.sap.security.core.server.csi.XSSEncoder). : HTML / XML out = XSSEncoder.encodeHTML( in ) and XSSEncoder.encodeXML( val ); JavaScript out = XSSEncoder.encodeJavaScript( val ); URL out = XSSEncoder.encodeURL( val ); CSS out = XSSEncoder.encodeCSS( val ); , . SAP Security Note 1590008. WebDynpro Java WebDynpro Java, XSS. . SAP UI Development Kit for HTML5 SAP UI Development Kit HTML5, jQuery /_core/src/main/js/jquery.sap.encoder.js. : HTML / XML jQuery.sap.encodeHTML(sValue) and jQuery.sap.encodeXML(sValue) JavaScript jQuery.sap.encodeJS(sValue) URL jQuery.sap.encodeURL(sValue) CSS jQuery.sap.encodeCSS(sValue) : , : Global_app_config/session_config/sessionTimeout = 900. - , . SystemCookiesDataProtection = true. HttpOnly , - , , . HTTPOnly, Logon tickets XSS-. ume.logon.httponlycookie= True. Logon tickets , Single Sign-On J2EE Engine. “True” , HTTP document.cookie ( XSS-) . SessionIPProtectionEnabled = True. , IP . True, HTTP- IP. IP, . , , - XSS-, - -, . LogCLF = TRUE http.properties logging CEF. ArchiveOldLogFiles = ON. Log Configurator . . , . , . . HttpTrace= Enable. HTTP- , ConfigTool. HTTP Provider Service, , HttpTrace. SAP HANA XS , XSS- – SAP HANA. SAP HANA SAPUI5. - SAPUI5 , . , int int, sap.ui.core . – , HTML: , : sessiontimeout = 900. - , . HttpOnly . , , - XSS-, - -, . HTTP (S) , SAP HANA, -. - HTTP (S) , icm/http/logging _ 0: global _ auditing _ state = true. global.ini, . , , XSS-. SAP HANA Administration Console –> Security HDB –> Auditing Status menu. - , XSS. , , - SAP . XSS- – SAP. SAP XSS-. XSS SAP. , ( chipik ) . Logging additional information ABAP protection SAP Encoding Functions for AS ABAP Java protection SAP Encoding Functions for AS Java and JavaScript Prevention of Cross-site Scripting SAP HANA protection Protecting SAP® Applications Based on Java and ABAP™ Against Common Attacks
<%@page language="abap" forceEncode="html"%> <% data: inputvalue type string. inputvalue = request->get_form_field( 'x' ). %> </html> . , ( ): <%html=...%>: HTML <%url=...%>: URL URL <%javascript=...%>: JavaScript <%css=…%> : CSS <%raw=...%> ( , , , ) BSP BSP HTMLB forceEncode <htmlb:content> ENABLED , ( ). ENABLED , , :<htmlb:content forceEncode="ENABLED|BACKWARDS_COMPATIBLE"> ENABLED: . , ; BACKWARDS_COMPATIBLE: . , . , htmlb:content , . : CLASSIC, DESIGN2002, DESIGN2003, DESIGN2008, , (+). CLASSIC DESIGN2002 (, ) . <htmlb:content forceEncode="ENABLED" design="DESIGN2003+DESIGN2008"> , design=CLASSIC. . Mixed BSP- HTML HTMLB forceEncode BSP page forceEncode HTMLB . , – HTMLB. , , HTML BSP, Internet Transaction Server (ITS) HTML Business Internet Transaction Server (ITS) HTML Business, : xss_url_escape() xss_html_escape() xss_wml_escape() xss_css_escape() xss_js_escape() HTML Business , HTML-: , (`) , : ~auto_html_escaping=1: , ~new_xss_functions=1: XSS. ~html_escaping_off=1/0, . , , SAP_BASIS: ITS ( <= 6.40), Internet Service SE80. ITS ( >= 6.40), GUI SICF : 7.20, ~new_xss_functions, XSS- . , , , . ~html_escaping_off=”X”, . , . SAP Security Note 1488500. Business HTML (BHTML) HTMLBusiness Template Library (, SAP_TemplateNonEditableField()) . , . SAP Security Note 916255. , . , . , XSS-: http/security_session_timeout = 900; - , . icf/set_HTTPonly_flag_on_cookies = 0; HttpOnly , - , , . HTTPOnly, Logon tickets XSS-. , RZ10, ( Profile) (, DEFAULT.PFL, SAP-). , , , Extended maintenance . , Copy. , , - , - -, : icm/HTTP/logging_0 icm/security_log , SAP NetWeaver J2EE SAP NetWeaver J2EE AS Java tc_sec_csi.jar. , HTML/XML, JavaScript, CSS URL. StringUtils (com.sap.security.core.server.csi.util.StringUtils): . Securing SAP from XSS vulnerabilities escapeScriptEndTag(String pStr) - , javascript ; escapeToHTML(String input) – (. 1) escapeToJS(String input) – JS declaration ( . 5) escapeToURL(String input) – , URL ( 3). , 'disableScriptSignatures'. escapeToURL(StringBuffer sb, String input, int maxLength) - , URL ( 3). , 'disableScriptSignatures'. escapeToURL(String input, int maxLength) - , URL (. 3). , 'disableScriptSignatures'. urlEncode(String s) – URLEncoder.encode , . 1 ( ) [CASE1] Username [CASE1] 2 ( , – URL) Click here 3 ( - URL) 4 ( SCRIPT', – ) 5 ( – declaration ) XSSEncoder. - XSSEncoder ( : com.sap.security.core.server.csi.XSSEncoder). : HTML / XML out = XSSEncoder.encodeHTML( in ) and XSSEncoder.encodeXML( val ); JavaScript out = XSSEncoder.encodeJavaScript( val ); URL out = XSSEncoder.encodeURL( val ); CSS out = XSSEncoder.encodeCSS( val ); , . SAP Security Note 1590008. WebDynpro Java WebDynpro Java, XSS. . SAP UI Development Kit for HTML5 SAP UI Development Kit HTML5, jQuery /_core/src/main/js/jquery.sap.encoder.js. : HTML / XML jQuery.sap.encodeHTML(sValue) and jQuery.sap.encodeXML(sValue) JavaScript jQuery.sap.encodeJS(sValue) URL jQuery.sap.encodeURL(sValue) CSS jQuery.sap.encodeCSS(sValue) : , : Global_app_config/session_config/sessionTimeout = 900. - , . SystemCookiesDataProtection = true. HttpOnly , - , , . HTTPOnly, Logon tickets XSS-. ume.logon.httponlycookie= True. Logon tickets , Single Sign-On J2EE Engine. “True” , HTTP document.cookie ( XSS-) . SessionIPProtectionEnabled = True. , IP . True, HTTP- IP. IP, . , , - XSS-, - -, . LogCLF = TRUE http.properties logging CEF. ArchiveOldLogFiles = ON. Log Configurator . . , . , . . HttpTrace= Enable. HTTP- , ConfigTool. HTTP Provider Service, , HttpTrace. SAP HANA XS , XSS- – SAP HANA. SAP HANA SAPUI5. - SAPUI5 , . , int int, sap.ui.core . – , HTML: , : sessiontimeout = 900. - , . HttpOnly . , , - XSS-, - -, . HTTP (S) , SAP HANA, -. - HTTP (S) , icm/http/logging _ 0: global _ auditing _ state = true. global.ini, . , , XSS-. SAP HANA Administration Console –> Security HDB –> Auditing Status menu. - , XSS. , , - SAP . XSS- – SAP. SAP XSS-. XSS SAP. , ( chipik ) . Logging additional information ABAP protection SAP Encoding Functions for AS ABAP Java protection SAP Encoding Functions for AS Java and JavaScript Prevention of Cross-site Scripting SAP HANA protection Protecting SAP® Applications Based on Java and ABAP™ Against Common Attacks
<%@page language="abap" forceEncode="html"%> <% data: inputvalue type string. inputvalue = request->get_form_field( 'x' ). %> </html> . , ( ): <%html=...%>: HTML <%url=...%>: URL URL <%javascript=...%>: JavaScript <%css=…%> : CSS <%raw=...%> ( , , , ) BSP BSP HTMLB forceEncode <htmlb:content> ENABLED , ( ). ENABLED , , :<htmlb:content forceEncode="ENABLED|BACKWARDS_COMPATIBLE"> ENABLED: . , ; BACKWARDS_COMPATIBLE: . , . , htmlb:content , . : CLASSIC, DESIGN2002, DESIGN2003, DESIGN2008, , (+). CLASSIC DESIGN2002 (, ) . <htmlb:content forceEncode="ENABLED" design="DESIGN2003+DESIGN2008"> , design=CLASSIC. . Mixed BSP- HTML HTMLB forceEncode BSP page forceEncode HTMLB . , – HTMLB. , , HTML BSP, Internet Transaction Server (ITS) HTML Business Internet Transaction Server (ITS) HTML Business, : xss_url_escape() xss_html_escape() xss_wml_escape() xss_css_escape() xss_js_escape() HTML Business , HTML-: , (`) , : ~auto_html_escaping=1: , ~new_xss_functions=1: XSS. ~html_escaping_off=1/0, . , , SAP_BASIS: ITS ( <= 6.40), Internet Service SE80. ITS ( >= 6.40), GUI SICF : 7.20, ~new_xss_functions, XSS- . , , , . ~html_escaping_off=”X”, . , . SAP Security Note 1488500. Business HTML (BHTML) HTMLBusiness Template Library (, SAP_TemplateNonEditableField()) . , . SAP Security Note 916255. , . , . , XSS-: http/security_session_timeout = 900; - , . icf/set_HTTPonly_flag_on_cookies = 0; HttpOnly , - , , . HTTPOnly, Logon tickets XSS-. , RZ10, ( Profile) (, DEFAULT.PFL, SAP-). , , , Extended maintenance . , Copy. , , - , - -, : icm/HTTP/logging_0 icm/security_log , SAP NetWeaver J2EE SAP NetWeaver J2EE AS Java tc_sec_csi.jar. , HTML/XML, JavaScript, CSS URL. StringUtils (com.sap.security.core.server.csi.util.StringUtils): . Securing SAP from XSS vulnerabilities escapeScriptEndTag(String pStr) - , javascript ; escapeToHTML(String input) – (. 1) escapeToJS(String input) – JS declaration ( . 5) escapeToURL(String input) – , URL ( 3). , 'disableScriptSignatures'. escapeToURL(StringBuffer sb, String input, int maxLength) - , URL ( 3). , 'disableScriptSignatures'. escapeToURL(String input, int maxLength) - , URL (. 3). , 'disableScriptSignatures'. urlEncode(String s) – URLEncoder.encode , . 1 ( ) [CASE1] Username [CASE1] 2 ( , – URL) Click here 3 ( - URL) 4 ( SCRIPT', – ) 5 ( – declaration ) XSSEncoder. - XSSEncoder ( : com.sap.security.core.server.csi.XSSEncoder). : HTML / XML out = XSSEncoder.encodeHTML( in ) and XSSEncoder.encodeXML( val ); JavaScript out = XSSEncoder.encodeJavaScript( val ); URL out = XSSEncoder.encodeURL( val ); CSS out = XSSEncoder.encodeCSS( val ); , . SAP Security Note 1590008. WebDynpro Java WebDynpro Java, XSS. . SAP UI Development Kit for HTML5 SAP UI Development Kit HTML5, jQuery /_core/src/main/js/jquery.sap.encoder.js. : HTML / XML jQuery.sap.encodeHTML(sValue) and jQuery.sap.encodeXML(sValue) JavaScript jQuery.sap.encodeJS(sValue) URL jQuery.sap.encodeURL(sValue) CSS jQuery.sap.encodeCSS(sValue) : , : Global_app_config/session_config/sessionTimeout = 900. - , . SystemCookiesDataProtection = true. HttpOnly , - , , . HTTPOnly, Logon tickets XSS-. ume.logon.httponlycookie= True. Logon tickets , Single Sign-On J2EE Engine. “True” , HTTP document.cookie ( XSS-) . SessionIPProtectionEnabled = True. , IP . True, HTTP- IP. IP, . , , - XSS-, - -, . LogCLF = TRUE http.properties logging CEF. ArchiveOldLogFiles = ON. Log Configurator . . , . , . . HttpTrace= Enable. HTTP- , ConfigTool. HTTP Provider Service, , HttpTrace. SAP HANA XS , XSS- – SAP HANA. SAP HANA SAPUI5. - SAPUI5 , . , int int, sap.ui.core . – , HTML: , : sessiontimeout = 900. - , . HttpOnly . , , - XSS-, - -, . HTTP (S) , SAP HANA, -. - HTTP (S) , icm/http/logging _ 0: global _ auditing _ state = true. global.ini, . , , XSS-. SAP HANA Administration Console –> Security HDB –> Auditing Status menu. - , XSS. , , - SAP . XSS- – SAP. SAP XSS-. XSS SAP. , ( chipik ) . Logging additional information ABAP protection SAP Encoding Functions for AS ABAP Java protection SAP Encoding Functions for AS Java and JavaScript Prevention of Cross-site Scripting SAP HANA protection Protecting SAP® Applications Based on Java and ABAP™ Against Common Attacks
<%@page language="abap" forceEncode="html"%> <% data: inputvalue type string. inputvalue = request->get_form_field( 'x' ). %> </html> . , ( ): <%html=...%>: HTML <%url=...%>: URL URL <%javascript=...%>: JavaScript <%css=…%> : CSS <%raw=...%> ( , , , ) BSP BSP HTMLB forceEncode <htmlb:content> ENABLED , ( ). ENABLED , , :<htmlb:content forceEncode="ENABLED|BACKWARDS_COMPATIBLE"> ENABLED: . , ; BACKWARDS_COMPATIBLE: . , . , htmlb:content , . : CLASSIC, DESIGN2002, DESIGN2003, DESIGN2008, , (+). CLASSIC DESIGN2002 (, ) . <htmlb:content forceEncode="ENABLED" design="DESIGN2003+DESIGN2008"> , design=CLASSIC. . Mixed BSP- HTML HTMLB forceEncode BSP page forceEncode HTMLB . , – HTMLB. , , HTML BSP, Internet Transaction Server (ITS) HTML Business Internet Transaction Server (ITS) HTML Business, : xss_url_escape() xss_html_escape() xss_wml_escape() xss_css_escape() xss_js_escape() HTML Business , HTML-: , (`) , : ~auto_html_escaping=1: , ~new_xss_functions=1: XSS. ~html_escaping_off=1/0, . , , SAP_BASIS: ITS ( <= 6.40), Internet Service SE80. ITS ( >= 6.40), GUI SICF : 7.20, ~new_xss_functions, XSS- . , , , . ~html_escaping_off=”X”, . , . SAP Security Note 1488500. Business HTML (BHTML) HTMLBusiness Template Library (, SAP_TemplateNonEditableField()) . , . SAP Security Note 916255. , . , . , XSS-: http/security_session_timeout = 900; - , . icf/set_HTTPonly_flag_on_cookies = 0; HttpOnly , - , , . HTTPOnly, Logon tickets XSS-. , RZ10, ( Profile) (, DEFAULT.PFL, SAP-). , , , Extended maintenance . , Copy. , , - , - -, : icm/HTTP/logging_0 icm/security_log , SAP NetWeaver J2EE SAP NetWeaver J2EE AS Java tc_sec_csi.jar. , HTML/XML, JavaScript, CSS URL. StringUtils (com.sap.security.core.server.csi.util.StringUtils): . Securing SAP from XSS vulnerabilities escapeScriptEndTag(String pStr) - , javascript ; escapeToHTML(String input) – (. 1) escapeToJS(String input) – JS declaration ( . 5) escapeToURL(String input) – , URL ( 3). , 'disableScriptSignatures'. escapeToURL(StringBuffer sb, String input, int maxLength) - , URL ( 3). , 'disableScriptSignatures'. escapeToURL(String input, int maxLength) - , URL (. 3). , 'disableScriptSignatures'. urlEncode(String s) – URLEncoder.encode , . 1 ( ) [CASE1] Username [CASE1] 2 ( , – URL) Click here 3 ( - URL) 4 ( SCRIPT', – ) 5 ( – declaration ) XSSEncoder. - XSSEncoder ( : com.sap.security.core.server.csi.XSSEncoder). : HTML / XML out = XSSEncoder.encodeHTML( in ) and XSSEncoder.encodeXML( val ); JavaScript out = XSSEncoder.encodeJavaScript( val ); URL out = XSSEncoder.encodeURL( val ); CSS out = XSSEncoder.encodeCSS( val ); , . SAP Security Note 1590008. WebDynpro Java WebDynpro Java, XSS. . SAP UI Development Kit for HTML5 SAP UI Development Kit HTML5, jQuery /_core/src/main/js/jquery.sap.encoder.js. : HTML / XML jQuery.sap.encodeHTML(sValue) and jQuery.sap.encodeXML(sValue) JavaScript jQuery.sap.encodeJS(sValue) URL jQuery.sap.encodeURL(sValue) CSS jQuery.sap.encodeCSS(sValue) : , : Global_app_config/session_config/sessionTimeout = 900. - , . SystemCookiesDataProtection = true. HttpOnly , - , , . HTTPOnly, Logon tickets XSS-. ume.logon.httponlycookie= True. Logon tickets , Single Sign-On J2EE Engine. “True” , HTTP document.cookie ( XSS-) . SessionIPProtectionEnabled = True. , IP . True, HTTP- IP. IP, . , , - XSS-, - -, . LogCLF = TRUE http.properties logging CEF. ArchiveOldLogFiles = ON. Log Configurator . . , . , . . HttpTrace= Enable. HTTP- , ConfigTool. HTTP Provider Service, , HttpTrace. SAP HANA XS , XSS- – SAP HANA. SAP HANA SAPUI5. - SAPUI5 , . , int int, sap.ui.core . – , HTML: , : sessiontimeout = 900. - , . HttpOnly . , , - XSS-, - -, . HTTP (S) , SAP HANA, -. - HTTP (S) , icm/http/logging _ 0: global _ auditing _ state = true. global.ini, . , , XSS-. SAP HANA Administration Console –> Security HDB –> Auditing Status menu. - , XSS. , , - SAP . XSS- – SAP. SAP XSS-. XSS SAP. , ( chipik ) . Logging additional information ABAP protection SAP Encoding Functions for AS ABAP Java protection SAP Encoding Functions for AS Java and JavaScript Prevention of Cross-site Scripting SAP HANA protection Protecting SAP® Applications Based on Java and ABAP™ Against Common Attacks
<%@page language="abap" forceEncode="html"%> <% data: inputvalue type string. inputvalue = request->get_form_field( 'x' ). %> </html> . , ( ): <%html=...%>: HTML <%url=...%>: URL URL <%javascript=...%>: JavaScript <%css=…%> : CSS <%raw=...%> ( , , , ) BSP BSP HTMLB forceEncode <htmlb:content> ENABLED , ( ). ENABLED , , :<htmlb:content forceEncode="ENABLED|BACKWARDS_COMPATIBLE"> ENABLED: . , ; BACKWARDS_COMPATIBLE: . , . , htmlb:content , . : CLASSIC, DESIGN2002, DESIGN2003, DESIGN2008, , (+). CLASSIC DESIGN2002 (, ) . <htmlb:content forceEncode="ENABLED" design="DESIGN2003+DESIGN2008"> , design=CLASSIC. . Mixed BSP- HTML HTMLB forceEncode BSP page forceEncode HTMLB . , – HTMLB. , , HTML BSP, Internet Transaction Server (ITS) HTML Business Internet Transaction Server (ITS) HTML Business, : xss_url_escape() xss_html_escape() xss_wml_escape() xss_css_escape() xss_js_escape() HTML Business , HTML-: , (`) , : ~auto_html_escaping=1: , ~new_xss_functions=1: XSS. ~html_escaping_off=1/0, . , , SAP_BASIS: ITS ( <= 6.40), Internet Service SE80. ITS ( >= 6.40), GUI SICF : 7.20, ~new_xss_functions, XSS- . , , , . ~html_escaping_off=”X”, . , . SAP Security Note 1488500. Business HTML (BHTML) HTMLBusiness Template Library (, SAP_TemplateNonEditableField()) . , . SAP Security Note 916255. , . , . , XSS-: http/security_session_timeout = 900; - , . icf/set_HTTPonly_flag_on_cookies = 0; HttpOnly , - , , . HTTPOnly, Logon tickets XSS-. , RZ10, ( Profile) (, DEFAULT.PFL, SAP-). , , , Extended maintenance . , Copy. , , - , - -, : icm/HTTP/logging_0 icm/security_log , SAP NetWeaver J2EE SAP NetWeaver J2EE AS Java tc_sec_csi.jar. , HTML/XML, JavaScript, CSS URL. StringUtils (com.sap.security.core.server.csi.util.StringUtils): . Securing SAP from XSS vulnerabilities escapeScriptEndTag(String pStr) - , javascript ; escapeToHTML(String input) – (. 1) escapeToJS(String input) – JS declaration ( . 5) escapeToURL(String input) – , URL ( 3). , 'disableScriptSignatures'. escapeToURL(StringBuffer sb, String input, int maxLength) - , URL ( 3). , 'disableScriptSignatures'. escapeToURL(String input, int maxLength) - , URL (. 3). , 'disableScriptSignatures'. urlEncode(String s) – URLEncoder.encode , . 1 ( ) [CASE1] Username [CASE1] 2 ( , – URL) Click here 3 ( - URL) 4 ( SCRIPT', – ) 5 ( – declaration ) XSSEncoder. - XSSEncoder ( : com.sap.security.core.server.csi.XSSEncoder). : HTML / XML out = XSSEncoder.encodeHTML( in ) and XSSEncoder.encodeXML( val ); JavaScript out = XSSEncoder.encodeJavaScript( val ); URL out = XSSEncoder.encodeURL( val ); CSS out = XSSEncoder.encodeCSS( val ); , . SAP Security Note 1590008. WebDynpro Java WebDynpro Java, XSS. . SAP UI Development Kit for HTML5 SAP UI Development Kit HTML5, jQuery /_core/src/main/js/jquery.sap.encoder.js. : HTML / XML jQuery.sap.encodeHTML(sValue) and jQuery.sap.encodeXML(sValue) JavaScript jQuery.sap.encodeJS(sValue) URL jQuery.sap.encodeURL(sValue) CSS jQuery.sap.encodeCSS(sValue) : , : Global_app_config/session_config/sessionTimeout = 900. - , . SystemCookiesDataProtection = true. HttpOnly , - , , . HTTPOnly, Logon tickets XSS-. ume.logon.httponlycookie= True. Logon tickets , Single Sign-On J2EE Engine. “True” , HTTP document.cookie ( XSS-) . SessionIPProtectionEnabled = True. , IP . True, HTTP- IP. IP, . , , - XSS-, - -, . LogCLF = TRUE http.properties logging CEF. ArchiveOldLogFiles = ON. Log Configurator . . , . , . . HttpTrace= Enable. HTTP- , ConfigTool. HTTP Provider Service, , HttpTrace. SAP HANA XS , XSS- – SAP HANA. SAP HANA SAPUI5. - SAPUI5 , . , int int, sap.ui.core . – , HTML: , : sessiontimeout = 900. - , . HttpOnly . , , - XSS-, - -, . HTTP (S) , SAP HANA, -. - HTTP (S) , icm/http/logging _ 0: global _ auditing _ state = true. global.ini, . , , XSS-. SAP HANA Administration Console –> Security HDB –> Auditing Status menu. - , XSS. , , - SAP . XSS- – SAP. SAP XSS-. XSS SAP. , ( chipik ) . Logging additional information ABAP protection SAP Encoding Functions for AS ABAP Java protection SAP Encoding Functions for AS Java and JavaScript Prevention of Cross-site Scripting SAP HANA protection Protecting SAP® Applications Based on Java and ABAP™ Against Common Attacks

Source: https://habr.com/ru/post/275719/

All Articles