A Bad Cup of Java: Why Active Content Can Threaten SAP With XSS Attack

Oct 11, '17 by Joerg Schneider-Simon

Technology security professionals see a staggering variety of cyberattacks and are constantly on guard for new threats on the horizon. But even the most weathered IT pro feels a rise in blood pressure when they hear this phrase: cross-site scripting.

Cross-site scripting (or XSS) is one of the top cybersecurity issues plaguing any company that uses web-facing applications. Because of the sophistication of some XSS attacks, they can be difficult to detect, and because they’re such a common headache in the cybersecurity world, scores of tools and techniques exist to help prevent these attacks from launching.

However, there’s a gap. A big one. And it’s in SAP.

How XSS Attacks Target SAP via Active Content

JavaScript is the usual vehicle for XSS attacks. When a web browser renders user input that the web application has not sanitized, an attacker can insert additional JavaScript into the page markup to do whatever dirty work they want: embed malicious links, steal credentials, deface sites, or set up spoofed login or payment pages that harvest confidential financial information.

So, what does this have to do with SAP?

As it turns out, XSS is the single most common security vulnerability in SAP applications, accounting for roughly 25% of all SAP Security Notes (read: “security patches”) ever published by SAP.

XSS attacks usually fall into one of three categories:

The first is the reflected XSS attack, delivered through forms on web pages. Many SAP NetWeaver applications allow vendors, partners, job applicants and others to complete online forms. In many cases the submitted data is reflected back to the user (e.g. a series of text input boxes in which the previous input dictates what questions come next).

With reflected XSS attacks, the malicious code is never permanently stored in the SAP database. Instead, victims are sent a legitimate-looking link to the SAP application (often with some social engineering). That link already contains the malicious JavaScript, which the vulnerable application then “reflects” back into the user's browser in order to deface the site, steal credentials, redirect pages, or insert malware.

The second type of XSS attack is a “stored” XSS attack. A classic example is a site’s guestbook, where the attacker can insert malicious code, which is then stored in the SAP database and sent to every user accessing the application.
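The reflected flow described above, as an added example that is not part of the original post: a crafted link carries markup in a query parameter, a vulnerable handler reflects it unchanged, and the hardened handler applies output encoding for the HTML context it writes into. The link, the parameter name `search`, and the tiny page templates are assumptions made for the demonstration.

```python
import html
from urllib.parse import parse_qs, urlsplit

# Constructed link of the kind the post describes: the "search" parameter
# carries markup instead of a plain search term (assumed host and path).
CONSTRUCTED_LINK = (
    "https://careers.example/sap/recruiting?search="
    "%3Cscript%3Ealert(1)%3C%2Fscript%3E"
)


def get_param(url: str, name: str) -> str:
    """Pull one query parameter out of a URL, percent-decoded, the way the
    application's request handling would hand it to the page."""
    return parse_qs(urlsplit(url).query).get(name, [""])[0]


def render_vulnerable(term: str) -> str:
    """The bug: user input is reflected into the HTML body unchanged, so any
    markup in the link becomes part of the page and runs in the victim's
    browser."""
    return f"<p>Results for: {term}</p>"


def render_encoded(term: str) -> str:
    """The fix for HTML-body context: encode <, >, & and quotes so the input
    is displayed as text rather than parsed as markup."""
    return f"<p>Results for: {html.escape(term, quote=True)}</p>"


def render_attribute_encoded(term: str) -> str:
    """The same input echoed into a quoted attribute (the "previous input
    dictates the next question" pattern).  Here the dangerous character is
    the quote, which html.escape(quote=True) also encodes."""
    return f'<input type="text" name="search" value="{html.escape(term, quote=True)}">'


def carries_markup(rendered: str, needle: str = "<script") -> bool:
    """Demonstration-only check: does the rendered HTML still contain a raw
    tag?  Real detection belongs in an HTML parser or a browser-side CSP,
    not in a substring test."""
    return needle in rendered.lower()


if __name__ == "__main__":
    term = get_param(CONSTRUCTED_LINK, "search")
    print("vulnerable:", render_vulnerable(term))
    print("encoded:   ", render_encoded(term))
    print("attribute: ", render_attribute_encoded('Jane "JD" Doe'))
```

Encoding has to match the context the value lands in: the body and attribute cases above are both covered by HTML entity encoding, but a value written into a script block or a URL needs JavaScript or URL encoding instead, which is why template engines with automatic contextual escaping are preferable to hand-written concatenation.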

A third way in which XSS attacks can happen is with content uploads. Some SAP applications allow external parties to not only fill out forms, but also to upload content like resumes, specs, purchase orders and other types of documents.

This may be convenient, but the active content creates an enormous vulnerability. We recently performed security tests on 120 randomly chosen SAP E-Recruiting installations. In our tests, 31% of the portals allowed the uploading of plain JavaScript files. And 89% allowed the uploading of PDF files with embedded JavaScript, making it alarmingly easy to hide devastating XSS attack code in an innocent-looking resume or purchase order.
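As an added example (not bowbridge's product code and not anything SAP ships), here is the kind of upload inspection that would catch both cases measured above: plain JavaScript files and PDFs carrying embedded JavaScript. The allow-list, the function names and the sample files are assumptions constructed for the demonstration.

```python
import re
from dataclasses import dataclass

# Assumed policy for a recruiting portal: only these extensions are accepted.
ALLOWED_EXTENSIONS = {"pdf", "txt"}

# PDF name objects that introduce active content.  /JavaScript and /JS carry
# script; /OpenAction, /AA and /Launch are the usual triggers for it.
PDF_ACTIVE_NAMES = re.compile(rb"/(JavaScript|JS|OpenAction|AA|Launch)\b")

# Tokens that make a text upload look like script regardless of its name.
JS_HINTS = re.compile(rb"<script|\bfunction\s*\w*\s*\(|\bdocument\.|\bwindow\.|=>")


@dataclass
class Verdict:
    accepted: bool
    reason: str


def normalize_pdf_names(data: bytes) -> bytes:
    """PDF syntax allows #xx hex escapes inside name objects, so /JavaScript
    may legitimately be written /J#61vaScript.  Undo the escapes before
    matching; doing so inside strings as well is harmless for detection."""
    return re.sub(rb"#([0-9A-Fa-f]{2})",
                  lambda m: bytes([int(m.group(1), 16)]), data)


def inspect_upload(filename: str, data: bytes) -> Verdict:
    """Decide whether an upload may be stored.  Checks, in order: the
    extension is allowed, the content matches what the extension claims,
    and the content carries no active code."""
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    if ext not in ALLOWED_EXTENSIONS:
        return Verdict(False, f"extension '.{ext}' is not on the allow-list")

    if ext == "pdf":
        if not data.startswith(b"%PDF-"):
            return Verdict(False, "named .pdf but has no %PDF- header")
        hit = PDF_ACTIVE_NAMES.search(normalize_pdf_names(data))
        if hit:
            return Verdict(False, f"PDF contains active content: /{hit.group(1).decode()}")
        return Verdict(True, "PDF with no active-content names")

    # Plain-text formats: refuse anything that sniffs as script.
    if JS_HINTS.search(data):
        return Verdict(False, "text content looks like JavaScript")
    return Verdict(True, "plain text")


# Constructed sample uploads (not real files).
SAMPLE_CLEAN_PDF = (b"%PDF-1.4\n1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj\n"
                    b"trailer << /Root 1 0 R >>\n%%EOF\n")
SAMPLE_JS_PDF = (b"%PDF-1.4\n1 0 obj << /Type /Catalog "
                 b"/OpenAction << /S /JavaScript /JS (sample-not-executed) >> >> endobj\n%%EOF\n")
SAMPLE_ESCAPED_PDF = b"%PDF-1.4\n1 0 obj << /Names << /J#61vaScript 3 0 R >> >> endobj\n"
SAMPLE_PLAIN_JS = b"function probe() { return document.title; }\n"
SAMPLE_RESUME_TXT = b"Jane Doe - SAP Basis administrator, 8 years of experience\n"

if __name__ == "__main__":
    for name, blob in [("cv.pdf", SAMPLE_CLEAN_PDF), ("cv.pdf", SAMPLE_JS_PDF),
                       ("cv.pdf", SAMPLE_ESCAPED_PDF), ("cv.js", SAMPLE_PLAIN_JS),
                       ("cv.txt", SAMPLE_PLAIN_JS), ("cv.txt", SAMPLE_RESUME_TXT)]:
        v = inspect_upload(name, blob)
        print(f"{name:8} {'ACCEPT' if v.accepted else 'REJECT'}  {v.reason}")
```

Two caveats a practitioner should keep in mind. First, this is a byte-level search: PDF objects packed into compressed object streams are not visible to it, so a production scanner has to inflate those streams or use a full PDF parser before applying the same name check. Second, as the post explains below, an upload into an SAP application never touches the operating system's disk, so a check like this only helps if it is reachable from the application itself, which is exactly the gap the NW-VSI interface exists to fill.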

The repercussions of these attacks could be ruinous: According to the 2017 ERP Cybersecurity Survey, the average ERP cybersecurity breach causes five million USD in damages. And a third of the companies surveyed would stand to lose between $10 million and $50 million if their SAP system were breached and fraud resulted.

The bad news? Standard anti-malware programs can’t protect SAP applications.

Why Is SAP So Vulnerable?

In addition to the vulnerabilities created by outside user input, SAP is in a unique position when it comes to cybersecurity: It can’t be protected by standard operating system anti-malware programs.

A major reason is that uploads to SAP applications are usually transferred over SSL-encrypted connections and never written to OS disk volumes. Because of how they are transmitted and stored, a deployed anti-malware program never gets the opportunity to “read” them.

SAP has long recognized its own vulnerabilities and in 2004 added the NW-VSI Virus Scan Interface, allowing anti-malware programs to plug in and scan for threats. The problem, however, is that standard anti-malware programs cannot connect to the interface. Instead, the interface requires content security solutions, like those provided by bowbridge, that are designed and certified for it.

Cross-site scripting attacks can create huge headaches, but with the right SAP cybersecurity solutions, you won’t have to worry about them slipping in without you even knowing.

Learn more about how to protect your SAP applications from cyberattacks by downloading our free white paper. 


Can SAP E-Recruiting Expose Your Company to Risk?