Cybersecurity for SAP Managers: Injection Attacks
Apr 13, '17 by Joerg Schneider-Simon
External cybersecurity threats pose a very real risk to SAP systems of all sizes. One of the most common vehicles for hackers is the injection attack – both SQL injections and OS command injections. Preventing these attacks requires proactive strategies and a comprehensive SAP cybersecurity solution.
We’ve recently been publishing a series of posts to educate SAP Managers about these security threats, including denial of service (DoS) attacks and cross-site scripting (XSS). In this post, we’re investigating the threats behind SQL and OS command injections, along with best practices to protect your organization.
What Are Injection Attacks?
In an injection attack, a hacker manipulates an application by embedding code in the data sent to it. The application passes that data on to an interpreter (a database or an operating system shell) without distinguishing it from its own instructions, and the interpreter executes it. These attacks take advantage of flaws in the application's code, and they can expose SAP systems to serious risk.
Although malicious input can reach an application through many channels, injection attacks typically take one of two forms:
- Structured query language (SQL) injections
- Operating system (OS) command injections
SAP applications utilize SQL to retrieve or store records and may be vulnerable to injections of code that allow hackers to access, manipulate and even delete critical business data.
To carry out an attack, the hacker inserts partial or complete SQL fragments into an application's user-input fields, such as login fields, contact forms and site search fields. The input does not have to be used immediately to be dangerous: a malicious string can also be stored in a table or as metadata and do its damage later, when another program reads it back and builds a query from it (a second-order injection).
A classic SQL injection relies on two characters to subvert the statement the application intended to run:
- The single quote (') closes the string literal. Because the application embeds the input between single quotes in the SQL text, an input that begins with a single quote ends the literal early, and whatever follows is no longer treated as data but as SQL syntax. That alone lets the attacker append a condition such as OR '1'='1 and change what the query returns.
- The semicolon (;) is the standard separator between statements. Where the database interface accepts several statements in one call (so-called stacked queries), the attacker follows the closing quote with ; and any further valid SQL statement, such as an UPDATE or DELETE. Not every interface allows this, but even when it does not, the closed quote is enough to alter the original query.
In effect, the SQL interpreter has no way to tell the developer's SQL from the attacker's: both arrive in a single string. If the injected fragment is syntactically correct, it executes without any error, so the application itself usually notices nothing.
As a result, hackers may be able to:
- Run new commands on the database
- Bypass authentication requirements
- Access or modify sensitive data from the database
- Execute administration operations
- Add or modify administrator accounts
- Manipulate business data
Note that most SAP applications use what's called "Open SQL," a database-vendor-independent subset of SQL that ABAP translates for the underlying database. Limiting applications to Open SQL rules out certain operations altogether; for example, Open SQL has no DROP TABLE, so an injected statement cannot remove a table. However, Open SQL allows parts of a statement (the WHERE clause, the table name, the ORDER BY clause) to be supplied from variables at runtime, and if those variables are built from unchecked user input, injection is still possible. So while your tables can't be dropped, the rows they contain can still be read, changed or deleted, which is serious enough for concern. Further, some applications use Native SQL (EXEC SQL or ADBC) in addition to Open SQL, exposing them to the full range of SQL-based attacks, including vendor-specific commands.
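The Python script below is an added illustration, not code from the original post or from any SAP product. It reproduces the quote-and-semicolon mechanics described above against an in-memory SQLite database with a constructed users table; the login query, the payloads and the account names are all hypothetical. It also shows two points the text makes: the semicolon only helps the attacker where the database interface runs more than one statement per call, and a parameterised statement is immune to both tricks.

```python
import sqlite3


def setup_db():
    """Constructed sample data standing in for an application's user table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT, role TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)",
                     [("alice", "s3cret", "user"), ("admin", "hunter2", "admin")])
    conn.commit()
    return conn


def login_vulnerable(conn, username, password):
    """Builds the statement by string concatenation (the flaw). A quote in the
    input closes the literal early and everything after it becomes SQL syntax."""
    sql = ("SELECT username, role FROM users WHERE username = '" + username
           + "' AND password = '" + password + "'")
    return conn.execute(sql).fetchall()


def login_safe(conn, username, password):
    """Parameterised statement: the SQL text is fixed and the values are bound
    separately, so a quote in the input is only ever compared as data."""
    sql = "SELECT username, role FROM users WHERE username = ? AND password = ?"
    return conn.execute(sql, (username, password)).fetchall()


def stacked_vulnerable(conn, username):
    """Quote-close, ';', second statement. executescript() stands in for a
    database interface that accepts several statements per call."""
    sql = "UPDATE users SET role = 'user' WHERE username = '" + username + "'"
    conn.executescript(sql)
    return conn.execute("SELECT COUNT(*) FROM users").fetchone()[0]


def stacked_blocked(conn, username):
    """Same payload through execute(), which runs one statement per call.
    Returns True when the driver refuses it: the ';' trick fails here, but a
    single-statement injection through the quote alone still works."""
    sql = "UPDATE users SET role = 'user' WHERE username = '" + username + "'"
    try:
        conn.execute(sql)
    except (sqlite3.Warning, sqlite3.ProgrammingError):
        return True
    return False


# Constructed payloads. The first turns the password check into
#   ... AND password = '' OR username = 'admin'
# and returns the admin row without knowing the password. The second appends a
# DELETE behind ';' and balances the application's trailing quote with '1'='1.
BYPASS_PASSWORD = "' OR username = 'admin"
STACKED_USERNAME = "x'; DELETE FROM users WHERE '1'='1"

if __name__ == "__main__":
    db = setup_db()
    print("concatenated query  :", login_vulnerable(db, "anyone", BYPASS_PASSWORD))
    print("parameterised query :", login_safe(db, "anyone", BYPASS_PASSWORD))
    print("stacked, multi-statement API, rows left:",
          stacked_vulnerable(setup_db(), STACKED_USERNAME))
    print("stacked, single-statement API refused  :",
          stacked_blocked(setup_db(), STACKED_USERNAME))
```

The same pattern applies to ABAP: a dynamic WHERE clause assembled from user input behaves like login_vulnerable, while a static Open SQL statement with host variables behaves like login_safe.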
OS Command Injections
OS command injections, on the other hand, occur when an application passes attacker-controlled text into a command that it hands to the operating system shell, so that extra OS-level commands run alongside the one the application intended.
Although text fields are one point of entry, OS command injections can potentially come from any external input that hasn't been validated, for example hidden fields, parameter names and checkboxes.
Similar to a SQL injection, an OS command injection occurs when the hacker adds a shell metacharacter to an entry: ";" is the classic one, but "&&", "|", backticks and even a newline are treated by the shell as a boundary between commands. That allows the insertion of a second, malicious command, in this case executing at the operating-system level with the privileges of the OS user the SAP system runs as. This may include shutting down machines, stealing data, launching denial-of-service attacks or deleting files and directories. As a result, your entire system may be compromised, even though the hacker may not have touched your SAP data directly.
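As an added example, not code from the original post or from SAP, the Python script below reproduces the ";" trick with a hypothetical directory-listing feature on a POSIX system. It contrasts three ways of running the same command (through a shell with string concatenation, without a shell, and through a shell with the value quoted) and adds the allowlist check that the prevention section below recommends. The payload and the paths are constructed for the demonstration.

```python
import re
import shlex
import subprocess

# Constructed payload: a "path" that ends the intended command with ';' and
# starts a second one. Any of ; && | ` $( ) or a newline would serve as well.
PAYLOAD = "/nonexistent_dir; echo INJECTED"


def list_dir_vulnerable(path):
    """Builds a command line by concatenation and runs it through /bin/sh.
    The shell parses ';' as a command separator, so the attacker's command
    runs with the privileges of the OS user the application runs as."""
    result = subprocess.run("ls -ld " + path, shell=True,
                            capture_output=True, text=True)
    return result.stdout


def list_dir_safe(path):
    """No shell: program and arguments are passed as a list, so the whole
    string reaches ls as a single argument and is never parsed as commands."""
    result = subprocess.run(["ls", "-ld", path], capture_output=True, text=True)
    return result.stdout


def list_dir_quoted(path):
    """If a shell really is required, quote the value so metacharacters stay
    literal. Weaker than avoiding the shell, but it closes the ';' trick."""
    result = subprocess.run("ls -ld " + shlex.quote(path), shell=True,
                            capture_output=True, text=True)
    return result.stdout


# Allowlist for the one input this feature expects: a plain filesystem path.
_PATH_OK = re.compile(r"^[A-Za-z0-9_./-]+$")


def is_safe_path(path, max_len=255):
    """Validation by allowlist (length, character set, no parent traversal):
    reject anything outside the expected shape instead of trying to strip
    individual bad characters, which attackers routinely encode around."""
    return (0 < len(path) <= max_len
            and _PATH_OK.fullmatch(path) is not None
            and ".." not in path)


if __name__ == "__main__":
    print("shell + concatenation:", repr(list_dir_vulnerable(PAYLOAD)))
    print("argument list        :", repr(list_dir_safe(PAYLOAD)))
    print("shell + shlex.quote  :", repr(list_dir_quoted(PAYLOAD)))
    print("payload passes allowlist?", is_safe_path(PAYLOAD))
```

Only the first variant prints INJECTED; in the other two, ls simply reports that no such file exists. Validation and avoiding the shell are complementary: the allowlist rejects the payload before any command is built, and the argument-list form would be harmless even if the check were missing.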
How Common Are Injection Attacks?
Almost every SAP application accepts some form of user input, so the attack surface is wide. SQL injection is one of the most common attack types across the computing world; one frequently cited analysis attributed more than 80% of reported data breaches between 2005 and 2011 to it.
In one of the biggest SQL injection attacks on record, hackers in 2011 used a single SQL injection to steal personal information, including music codes, coupons and passwords, from the Sony Pictures database of nearly 1 million users. The attack cost Sony an estimated $171 million — a significant sum even for a company of this size and potentially devastating for a smaller company.
More recently, in December 2016, shortly after the U.S. presidential election, advertisements on the dark web offered for sale details of an unpatched SQL injection vulnerability in a system of the U.S. Election Assistance Commission, the federal body that certifies voting systems (the flaw was in the Commission's system, not in the voting machines themselves). The seller also included multiple credentials for the system, some with administrative privileges.
Preventing Injections from Compromising Your SAP System
Injection attacks are a critical security failure for businesses. And because a system can be working perfectly well and still be vulnerable, it's imperative to minimize the flaws an attacker can exploit.
Critically, all data in SAP systems resides in the database, so a single flaw in any of an application's components can put that data at risk. Attackers who gain a foothold will work toward SAP_ALL, the profile that grants every authorization in the system. With SAP_ALL they can remove roles and profiles from other users, create accounts and change any data, leaving your system completely exposed.
Although traditional SAP security focuses on internal controls such as roles and authorizations, injection attacks come from the outside, through the application's own input channels. Because the malicious input arrives over the same legitimate connections as normal traffic, network firewalls and traditional antivirus programs cannot easily block it either. Instead, SAP managers should be aware of the two primary ways to prevent these attacks:
- Write secure code that adheres to ABAP and Java best practices: use static statements with host variables or parameterized queries instead of building SQL from strings, escape any value that must go into a dynamic clause (in ABAP, with the CL_ABAP_DYN_PRG class), and validate user input against an allowlist before using it in a database or OS command. This is the best solution to prevent malicious commands from running. However, it's not always practical. Many organizations simply don't have the time and/or resources to review and fix every line of custom code. And unfortunately, all it takes is one vulnerability to expose the entire application.
- Employ a trusted solution that blocks standard SQL and OS command injections while allowing your specific application commands to execute as intended. Ideally, the solution will scan all data entered into your SAP application. If the data appears to be a SQL or OS command, the command will be blocked.
To further ensure the security of the SAP environment, SAP managers should:
- Understand all of an application’s components, functions and infrastructure.
- Validate user input for each field, checking type, length, format and range against what the field is expected to contain. Data that can't be validated should be rejected, not repaired.
- Encrypt sensitive data.
- Incorporate multiple layers of validation.
- Consider rejecting input that contains semicolons, single quotes and dashes. Treat this as a last line of defense, not a substitute for parameterized statements: legitimate values (names such as O'Brien) contain these characters, and attackers can often encode around such blocklists.
- Automatically review, with a static code scanner, all code that executes dynamic SQL (dynamic WHERE clauses, EXEC SQL, ADBC) or operating system commands.
- Use the platform's existing APIs for database access and command execution (prepared statements, parameterized queries) rather than assembling statements from strings.
- Execute only static statements, or statements in which user input is passed as a bound parameter rather than inserted into the statement text.
- Install any patches (SAP Security Notes) that address injection vulnerabilities.
By one survey, only one-third of companies have the in-house tools and resources needed to identify and prevent SQL injection attacks. Therefore, consider implementing an SAP-certified solution that protects your applications from structured content-based threats in form data.