Skip to Content
Technical Articles
Author's profile photo Jose Sequeira
Jose Sequeira
June 2, 2021 3 minute read

#SafeSAPUI5 – EP08

Hello,

*** Default Header ***

With the intention to show why SAPUI5 developers (as most of them came from the ABAP world) need toupskillwith “safe programming” knowledge and skills, i’ve decided to create the#SafeSAPUI5.

What is#SafeSAPUI5?

  1. A series of episodes with examples (of course with responsible disclosure, not showing names, servers, etc.) of security breaches that were exposed on SAPUI5 apps. The idea here is not to point fingers, but to educate as a “learned mistake” that someone made, to all. I think this is the first series that the creator “hopes” that it has fewer possible episodes ☺️.
  2. Encourage developers to also use the hashtag#SafeSAPUI5around the web on interesting articles, courses (why not?), ebooks or even self made materials, that will help SAPUI5 developers to upskill their knowledge, specially for the security part, also bringing examples that some may had not thought about it.

I try to keep everything as short as possible here, but this researches, analyses, testing, contacting the customers, reporting and getting the bugs fixed takes a long time (not really described here).

SAP has anofficialbug bounty program, please read more onthislink. If you would like to report an SAP vulnerability found, please use the official linkhere.

*** Default Header ***

也保持哑光的所有重要的话题r here:safesapui5.web.app

Ok…So now for theEpisode 8we have: “Don’t let the bots take your data…⚠️⚠️⚠️:

One customer with a custom SAPUI5 application (with internet access, not just inside the customers network), used his solution forSales Order creation and tracking. So far so good right? But by the metadata on the service, their user base could be accessed (and exploited).

User%20base%20count

User base count

With detail information about each user if needed (in other services):

User%20base%20details

User base details

So here, their user base could suffer multiplesocial engineeringattacks, like we saw on previous episodes…

Also, their sales order base was open for queries, without authentication:

Sales%20order%20header

Sales order header

And fulled detailed with prices, etc, etc…

Sales%20order%20items

Sales order items

Sales%20order%20creation%20details

Sales order creation details

As this OData services was open and didn’t require any authentication, their sales order base (alongside with user base) could bemonitored by BOTs and extracted everyday (and also other types of attacks), to keep a history of their sales somewhere else and try to obtain any advantage with this data… The sales order info was only openly displaying orders from the current date, that’s why if a BOT was reading and saving this data the overall sales/price history of the company could be monitored.

t后发生了什么hat? With a full and detailed vulnerability report, the customer is being able to understand this breach and go back to “safety” by correcting the data leaks, and the types of attack that they could suffer.

Ok, so what can be learned from this episode?

  1. Always validate filter on Odata entities, don’t do aSELECT *on your backend, specially for real sensitive data like Sales Order, users emails, etc. Sensitive data can never be available without standard login, from inside the environment only.
  2. On your custom applications, that can be accessed over the internet, all types ofresearchers(some good, some bad) will be analyzing your application, so please be extra careful with the information that could be found on your$metadata. Also, sensitive type of information cannot be exposed on this open Odata services on the internet, because your Odata services will be tested for possible leaks (like the one found on this episode).
  3. Again, always revise useraccess(backend) and audit the types of information that “traffics” on your environment’s OData services (all the other types of services as well, if possible).
  4. Prior to releasing custom SAPUI5 solutions (specially if could be accessed from the internet), conduct all types of testings and validations on all possible scenarios (not just business scenarios, alsosecurityscenarios).
  5. If your custom SAPUI5 solution is very big/complex, internet faced, and will “contain” all types of sensitive data, you should also consider to work with security researches (for security tests, like myself) or withBug赏金计划新万博买球to stop breaches before the bad guys can find them.

PS:Please checkepisode 07, if you haven’t already.

Thanks.

#SafeSAPUI5

Assigned Tags

      Be the first to leave a comment
      You must beLogged onto comment or reply to a post.