🕠 🏫 ✒️ SAPのXSS保護について知りたいこと 👖 🎥 🚕

はじめに

昔、SAPについては何も公開していませんでしたが、今日は、古いR / 3から最新のHANAまでのSAPソリューションに影響を与える脆弱性を検討します。この脆弱性の名前は、クロスサイトスクリプティング（XSS）です。この記事は、脆弱性の検索と悪用に関する私たちの通常の話に反して、主にこの脆弱性からの保護に専念します。

Crossiteスクリプトは、一般的に、特にSAP製品で最も一般的な脆弱性の1つです。そのため、12年にわたって、628のXSS脆弱性がSAPで発見されました。これは、SAPのすべての脆弱性の22％です。 SAPで52のXSS脆弱性を発見したのはERPScanの研究者のみです。これは、脆弱性を直接探すよりもアドバイザリーおよび官僚的な問題を書くのに時間がかかったためです。すべての脆弱性に関するより詳細な情報は、「 SAPの3000の脆弱性の分析」という調査で調査できます。次に、主要部分に進みます。

SAP製品のトップ10の脆弱性

攻撃の説明

クロスサイトスクリプティングの危険性は、この脆弱性により、攻撃者がユーザーセッション内で任意のJavaScriptコードを実行できることです。このコードは、ブラウザに保存されているCookie、セッショントークン、その他の重要な情報へのアクセスに役立ちます。攻撃者はユーザーセッションにアクセスして重要なビジネス情報を取得し、最悪の場合はシステムを完全に制御できます。 XSSを使用すると、サイトに表示されているデータを違法に置き換えて、フィッシング攻撃などを行うこともできます。すでにXSSについて多くのことを知っていると思いますが、紹介なしではできません。
XSSは通常、次の場合に可能です。

サーバーは、ユーザーが入力した特殊文字をエスケープしません-'"＆<>;
サーバーでは、危険なパラメーターを値として送信できます。これにより、他のソースからJavaScriptコードを実行できます。

従来、次のタイプのクロスサイトスクリプティングは区別されています。

クロスサイトスクリプティングの保存

このタイプでは、悪意のあるコードをサーバーに保存する必要があります。たとえば、攻撃者はサーバー上のオブジェクトの名前（たとえば、ワークフローシステム内のファイルの名前）を変更することでコードを挿入できます。攻撃が成功した場合、正当なユーザーがファイルのリストに関する情報を要求すると、ブラウザーは攻撃者がダウンロードした悪意のあるコードを起動します。

むかしむかし、SAPセキュリティの分析作業中に同様の攻撃を行いました。この組織では、入札にSAP SRMが使用されたため、各ベンダーはサービスと価格に関する情報を記載したドキュメントを投稿できました。システムは保存されたクロスサイトスクリプティングに対して脆弱であったため、ファイル名フィールドにJavaScriptコードを埋め込むことができました。調達部門の会社の従業員が、最近アップロードされたドキュメントを見るためにファイルのリストを含むフォルダーを開くと、悪意のあるコードが自動的に起動され、攻撃者は従業員のアカウントにアクセスしました。このアカウントを使用して、彼は競合他社の入札書類にアクセスし、彼らのサービスと価格に関する情報を取得することができました。この脆弱性はSAPによって解決されました（SAPセキュリティノート1284360）。

SAPに保存されているクロスサイトスクリプティングの別の例は、非常に興味深い悪用方法を使用したSAP AfariaシステムのセンセーショナルなXSS脆弱性です。格納されたクロスサイトスクリプティングなどの脆弱性は非常に危険であり、簡単に操作できますが、以下に説明する反映されたクロスサイトスクリプティングほど一般的ではありません。

反映されたクロスサイトスクリプティング

このタイプの脆弱性はより一般的です。この場合、悪意のあるコードはサーバーに保存されませんが、ユーザーが次のようなリンクを開いたときに実行されます。

example.com/search.php?q=

この脆弱性を悪用するには、ユーザーにリンクを送信する必要があります。このタイプのXSSは、ユーザーの操作を必要とするためそれほど強力ではありませんが、保存されたクロスサイトスクリプティングよりも人気があり、そのような脆弱性の例は数百あります。

極めて危険な攻撃の例として、JavaScriptコードを埋め込み、Cookieに保存されているユーザーセッション情報を盗むだけでなく、被害者のコンピューターにインストールされているActiveXコンポーネントを悪用することもできます。したがって、ActiveXの脆弱性の1つを介して彼のコンピューターに完全にアクセスすることが可能になります。その結果、企業の内部ネットワークにアクセスし、すべての企業データを含むSAPサーバーに一歩近づきます。

DOM-XSS

この場合、攻撃者はブラウザページのDOM（ドキュメントオブジェクトモデル）環境を変更して、ページ上のスクリプトの1つが悪意のあるJavaScriptコードを実行するようにします。

SAPセキュリティノート1788080でクローズされた脆弱性の例を使用して、このタイプをより詳細に検討してください。

クロスサイトスクリプティングの脆弱性の例

ご覧のとおり、変数 'id'の値は変更せずにユーザーに表示されるため（行28）、攻撃者は変数 'id'を使用してコードを挿入できます（行15）。
この脆弱性の悪用は次のとおりです。

example1234567.com/dir/start/error_msg.jsp?id=1111 ">

一般的な保護対策

このような脆弱性を回避するには、ユーザー入力を保護/フィルタリングすることが常に必要です。 XSS DOMの例では、変数「ID」は「URLEncoder.encode（）」メソッドで再設定する必要があります。これは、その値がHTTPリクエストパラメーターとして使用されるためです。

脆弱性を閉じるために必要なアクション

その結果、開発段階でクロスサイトスクリプティングを防ぐ方法に関するいくつかのヒントを紹介します。

未検証のソース（ユーザー入力を含む）からのデータをHTMLページに入力しないでください。
HTML要素コンテンツに埋め込む前に、信頼できないソースからHTMLスニペットをエスケープします。
HTML要素コンテンツに埋め込む前に、信頼できないソースのHTML属性を選別します
JavaScriptデータ値を埋め込む前に、信頼できないソースからのJavaScriptコードを選別します。
JSONをHTML要素コンテンツに埋め込む前またはJSON.parseで使用する前に、信頼できないソースからJSONをエスケープします。
HTMLスタイルプロパティ値に埋め込む前に、信頼できないソースからCSSスニペットをエスケープします。
HTML URLパラメーター値に埋め込む前に、信頼できないソースからURLをエスケープします。
DOM XSSからシステムを保護します。

ブラウザには、XSS攻撃のリスクを大幅に削減できるメカニズムもいくつかあります。

Cookieに「HTTPOnly」フラグを使用します-このセキュリティ対策は、JavaScriptを介したCookieからのユーザーセッションデータの受信を防ぎます。
コンテンツセキュリティポリシーを設定する-このセキュリティ対策は、ドメイン内でのJavaScriptの使用を禁止します。
HTTPS Cookie保護-HTTPSプロトコルを使用する場合、Cookieを保護します。

次に、開発者、管理者、およびインシデント調査者によるXSS攻撃からさまざまなSAPプラットフォームを保護する方法を詳しく見てみましょう。

SAP NetWeaver ABAPセキュリティ

開発者の観点から

パラメーターの入力が許可されているすべてのWebアプリケーションでは、ICFプロセッサーが提供するエンコード方式を使用する必要があります。実装は、2つのバージョンのAPIとして利用可能です。

ABAP ESCAPEの組み込み関数（SAP_BASIS> = 731で利用可能）;
CL_ABAP_DYN_PRGの展開クラス。

SAP NetWeaverバージョン7.0拡張パッケージ3以降（SAP_BASIS> = 731）では、組み込みのABAP関数ESCAPE（）を使用します。詳細については、ESCAPE（）関数のABAPキーワード文書を参照してください。

HTML / XML	out = escape（val = val format = cl_abap_format => e_xss_ml）
Javascript	out = escape（val = val format = cl_abap_format => e_xss_js）
URL	out = escape（val = val format = cl_abap_format => e_xss_url）
CSS	out = escape（val = val format = cl_abap_format => e_xss_css）

バージョンSAP_BASIS 702、720以前の場合、クラスCL_ABAP_DYN_PRGにABAP OO実装があります。

コンテキスト	方法
HTML / XML	out = CL_ABAP_DYN_PRG => ESCAPE_XSS_XML_HTML（val）
Javascript	out = CL_ABAP_DYN_PRG => ESCAPE_XSS_JAVASCRIPT（val）
URL	out = CL_ABAP_DYN_PRG => ESCAPE_XSS_URL（val）
CSS	out = CL_ABAP_DYN_PRG => ESCAPE_XSS_CSS（val）

これらの拡張機能の詳細については、SAPセキュリティノート1582870を参照してください。次に、特定のSAPテクノロジーを使用したXSS保護の機能について検討します。

WebDynpro ABAPの場合

WebDynproの場合、ABAPはクロスサイトスクリプティング保護について心配する必要はありません。セキュリティはプラットフォーム自体によって提供されます。

ビジネスサーバーページ（BSP）

BSPの場合、ページディレクティブを使用する必要があります。詳細については、SAPセキュリティノート1600317およびSAPセキュリティノート1638779を参照してください。これらのBSPページ属性の利点は、BSPアーキテクチャにより、最も安全なバージョンのエンコードが使用されることです。

BSPの場合は、ページディレクティブを使用する必要があります。<％ page language = "abap" forceEncode = "html | url | javascript | css"％>
SAP Security Note 1600317のインストール後、既存のページディレクティブは、ページに入力されたすべての式のHTMLエンコーディングをサポートする更新されたBSPコンパイラも使用します。

次の例では、すべての入力式がHTMLエンコードを使用しています。 BSPページの型付き式にのみ影響し、タグパラメーターには何も影響しません。

例：

<%@page language="abap" forceEncode="html"%>
<% data: inputvalue type string.
inputvalue = request->get_form_field( 'x' ).
%>
</html>


. , ( ):

<%html=...%>: HTML <%url=...%>: URL URL <%javascript=...%>: JavaScript <%css=…%> : CSS <%raw=...%> ( , , , )

BSP

BSP HTMLB forceEncode <htmlb:content> ENABLED , ( ). ENABLED , , :<htmlb:content forceEncode="ENABLED|BACKWARDS_COMPATIBLE">

ENABLED: . , ; BACKWARDS_COMPATIBLE: . , .

, htmlb:content , . : CLASSIC, DESIGN2002, DESIGN2003, DESIGN2008, , (+). CLASSIC DESIGN2002 (, ) .

<htmlb:content forceEncode="ENABLED" design="DESIGN2003+DESIGN2008">


, design=CLASSIC. .

Mixed BSP- HTML HTMLB

forceEncode BSP page forceEncode HTMLB . , – HTMLB. , , HTML BSP,

Internet Transaction Server (ITS) HTML Business

Internet Transaction Server (ITS) HTML Business, :

xss_url_escape() xss_html_escape() xss_wml_escape() xss_css_escape() xss_js_escape()
HTML Business

, HTML-: , (`) , :
~auto_html_escaping=1: , ~new_xss_functions=1: XSS.
~html_escaping_off=1/0, .
, , SAP_BASIS:
ITS ( <= 6.40), Internet Service SE80. ITS ( >= 6.40), GUI SICF :

7.20, ~new_xss_functions, XSS- .

, , , . ~html_escaping_off=”X”, . , . SAP Security Note 1488500.

Business HTML (BHTML)

HTMLBusiness Template Library (, SAP_TemplateNonEditableField()) . , . SAP Security Note 916255.



, . , .



, XSS-:

http/security_session_timeout = 900; - , . icf/set_HTTPonly_flag_on_cookies = 0; HttpOnly , - , , . HTTPOnly, Logon tickets XSS-.

, RZ10, ( Profile) (, DEFAULT.PFL, SAP-). , , , Extended maintenance . , Copy.



, , - , - -, :
icm/HTTP/logging_0 icm/security_log ,

SAP NetWeaver J2EE

SAP NetWeaver J2EE



AS Java tc_sec_csi.jar. , HTML/XML, JavaScript, CSS URL. StringUtils (com.sap.security.core.server.csi.util.StringUtils):

. Securing SAP from XSS vulnerabilities
escapeScriptEndTag(String pStr) - , javascript ; escapeToHTML(String input) – (. 1) escapeToJS(String input) – JS declaration ( . 5) escapeToURL(String input) – , URL ( 3). , 'disableScriptSignatures'. escapeToURL(StringBuffer sb, String input, int maxLength) - , URL ( 3). , 'disableScriptSignatures'. escapeToURL(String input, int maxLength) - , URL (. 3). , 'disableScriptSignatures'. urlEncode(String s) – URLEncoder.encode

, .

1 ( )

[CASE1]

Username [CASE1]



2 ( , – URL)


Click here


3 ( - URL)




4 ( SCRIPT', – )



5 ( – declaration )



XSSEncoder.
- XSSEncoder ( : com.sap.security.core.server.csi.XSSEncoder).

:
HTML / XML out = XSSEncoder.encodeHTML( in ) and XSSEncoder.encodeXML( val ); JavaScript out = XSSEncoder.encodeJavaScript( val ); URL out = XSSEncoder.encodeURL( val ); CSS out = XSSEncoder.encodeCSS( val );

, . SAP Security Note 1590008.
WebDynpro Java
WebDynpro Java, XSS. .
SAP UI Development Kit for HTML5
SAP UI Development Kit HTML5, jQuery /_core/src/main/js/jquery.sap.encoder.js.
:
HTML / XML jQuery.sap.encodeHTML(sValue) and jQuery.sap.encodeXML(sValue) JavaScript jQuery.sap.encodeJS(sValue) URL jQuery.sap.encodeURL(sValue) CSS jQuery.sap.encodeCSS(sValue)
:

, :
Global_app_config/session_config/sessionTimeout = 900. - , . SystemCookiesDataProtection = true. HttpOnly , - , , . HTTPOnly, Logon tickets XSS-. ume.logon.httponlycookie= True. Logon tickets , Single Sign-On J2EE Engine. “True” , HTTP document.cookie ( XSS-) . SessionIPProtectionEnabled = True. , IP . True, HTTP- IP. IP, .


, , - XSS-, - -, .
LogCLF = TRUE http.properties logging CEF. ArchiveOldLogFiles = ON. Log Configurator . . , . , . . HttpTrace= Enable. HTTP- , ConfigTool. HTTP Provider Service, , HttpTrace.
SAP HANA XS

, XSS- – SAP HANA.


SAP HANA SAPUI5.
- SAPUI5 , . , int int, sap.ui.core . – , HTML:

, :
sessiontimeout = 900. - , . HttpOnly .



, , - XSS-, - -, .

HTTP (S) , SAP HANA, -. - HTTP (S) , icm/http/logging _ 0: global _ auditing _ state = true. global.ini, . , , XSS-. SAP HANA Administration Console –> Security HDB –> Auditing Status menu.



- , XSS. , , - SAP . XSS- – SAP. SAP XSS-. XSS SAP.

, ( chipik ) .


Logging additional information ABAP protection SAP Encoding Functions for AS ABAP Java protection SAP Encoding Functions for AS Java and JavaScript Prevention of Cross-site Scripting SAP HANA protection Protecting SAP® Applications Based on Java and ABAP™ Against Common Attacks

<%@page language="abap" forceEncode="html"%> <% data: inputvalue type string. inputvalue = request->get_form_field( 'x' ). %> </html> . , ( ): <%html=...%>: HTML <%url=...%>: URL URL <%javascript=...%>: JavaScript <%css=…%> : CSS <%raw=...%> ( , , , ) BSP BSP HTMLB forceEncode <htmlb:content> ENABLED , ( ). ENABLED , , :<htmlb:content forceEncode="ENABLED|BACKWARDS_COMPATIBLE"> ENABLED: . , ; BACKWARDS_COMPATIBLE: . , . , htmlb:content , . : CLASSIC, DESIGN2002, DESIGN2003, DESIGN2008, , (+). CLASSIC DESIGN2002 (, ) . <htmlb:content forceEncode="ENABLED" design="DESIGN2003+DESIGN2008"> , design=CLASSIC. . Mixed BSP- HTML HTMLB forceEncode BSP page forceEncode HTMLB . , – HTMLB. , , HTML BSP, Internet Transaction Server (ITS) HTML Business Internet Transaction Server (ITS) HTML Business, : xss_url_escape() xss_html_escape() xss_wml_escape() xss_css_escape() xss_js_escape() HTML Business , HTML-: , (`) , : ~auto_html_escaping=1: , ~new_xss_functions=1: XSS. ~html_escaping_off=1/0, . , , SAP_BASIS: ITS ( <= 6.40), Internet Service SE80. ITS ( >= 6.40), GUI SICF : 7.20, ~new_xss_functions, XSS- . , , , . ~html_escaping_off=”X”, . , . SAP Security Note 1488500. Business HTML (BHTML) HTMLBusiness Template Library (, SAP_TemplateNonEditableField()) . , . SAP Security Note 916255. , . , . , XSS-: http/security_session_timeout = 900; - , . icf/set_HTTPonly_flag_on_cookies = 0; HttpOnly , - , , . HTTPOnly, Logon tickets XSS-. , RZ10, ( Profile) (, DEFAULT.PFL, SAP-). , , , Extended maintenance . , Copy. , , - , - -, : icm/HTTP/logging_0 icm/security_log , SAP NetWeaver J2EE SAP NetWeaver J2EE AS Java tc_sec_csi.jar. , HTML/XML, JavaScript, CSS URL. StringUtils (com.sap.security.core.server.csi.util.StringUtils): . Securing SAP from XSS vulnerabilities escapeScriptEndTag(String pStr) - , javascript ; escapeToHTML(String input) – (. 1) escapeToJS(String input) – JS declaration ( . 5) escapeToURL(String input) – , URL ( 3). , 'disableScriptSignatures'. escapeToURL(StringBuffer sb, String input, int maxLength) - , URL ( 3). , 'disableScriptSignatures'. escapeToURL(String input, int maxLength) - , URL (. 3). , 'disableScriptSignatures'. urlEncode(String s) – URLEncoder.encode , . 1 ( ) [CASE1] Username [CASE1] 2 ( , – URL) Click here 3 ( - URL) 4 ( SCRIPT', – ) 5 ( – declaration ) XSSEncoder. - XSSEncoder ( : com.sap.security.core.server.csi.XSSEncoder). : HTML / XML out = XSSEncoder.encodeHTML( in ) and XSSEncoder.encodeXML( val ); JavaScript out = XSSEncoder.encodeJavaScript( val ); URL out = XSSEncoder.encodeURL( val ); CSS out = XSSEncoder.encodeCSS( val ); , . SAP Security Note 1590008. WebDynpro Java WebDynpro Java, XSS. . SAP UI Development Kit for HTML5 SAP UI Development Kit HTML5, jQuery /_core/src/main/js/jquery.sap.encoder.js. : HTML / XML jQuery.sap.encodeHTML(sValue) and jQuery.sap.encodeXML(sValue) JavaScript jQuery.sap.encodeJS(sValue) URL jQuery.sap.encodeURL(sValue) CSS jQuery.sap.encodeCSS(sValue) : , : Global_app_config/session_config/sessionTimeout = 900. - , . SystemCookiesDataProtection = true. HttpOnly , - , , . HTTPOnly, Logon tickets XSS-. ume.logon.httponlycookie= True. Logon tickets , Single Sign-On J2EE Engine. “True” , HTTP document.cookie ( XSS-) . SessionIPProtectionEnabled = True. , IP . True, HTTP- IP. IP, . , , - XSS-, - -, . LogCLF = TRUE http.properties logging CEF. ArchiveOldLogFiles = ON. Log Configurator . . , . , . . HttpTrace= Enable. HTTP- , ConfigTool. HTTP Provider Service, , HttpTrace. SAP HANA XS , XSS- – SAP HANA. SAP HANA SAPUI5. - SAPUI5 , . , int int, sap.ui.core . – , HTML: , : sessiontimeout = 900. - , . HttpOnly . , , - XSS-, - -, . HTTP (S) , SAP HANA, -. - HTTP (S) , icm/http/logging _ 0: global _ auditing _ state = true. global.ini, . , , XSS-. SAP HANA Administration Console –> Security HDB –> Auditing Status menu. - , XSS. , , - SAP . XSS- – SAP. SAP XSS-. XSS SAP. , ( chipik ) . Logging additional information ABAP protection SAP Encoding Functions for AS ABAP Java protection SAP Encoding Functions for AS Java and JavaScript Prevention of Cross-site Scripting SAP HANA protection Protecting SAP® Applications Based on Java and ABAP™ Against Common Attacks
<%@page language="abap" forceEncode="html"%> <% data: inputvalue type string. inputvalue = request->get_form_field( 'x' ). %> </html> . , ( ): <%html=...%>: HTML <%url=...%>: URL URL <%javascript=...%>: JavaScript <%css=…%> : CSS <%raw=...%> ( , , , ) BSP BSP HTMLB forceEncode <htmlb:content> ENABLED , ( ). ENABLED , , :<htmlb:content forceEncode="ENABLED|BACKWARDS_COMPATIBLE"> ENABLED: . , ; BACKWARDS_COMPATIBLE: . , . , htmlb:content , . : CLASSIC, DESIGN2002, DESIGN2003, DESIGN2008, , (+). CLASSIC DESIGN2002 (, ) . <htmlb:content forceEncode="ENABLED" design="DESIGN2003+DESIGN2008"> , design=CLASSIC. . Mixed BSP- HTML HTMLB forceEncode BSP page forceEncode HTMLB . , – HTMLB. , , HTML BSP, Internet Transaction Server (ITS) HTML Business Internet Transaction Server (ITS) HTML Business, : xss_url_escape() xss_html_escape() xss_wml_escape() xss_css_escape() xss_js_escape() HTML Business , HTML-: , (`) , : ~auto_html_escaping=1: , ~new_xss_functions=1: XSS. ~html_escaping_off=1/0, . , , SAP_BASIS: ITS ( <= 6.40), Internet Service SE80. ITS ( >= 6.40), GUI SICF : 7.20, ~new_xss_functions, XSS- . , , , . ~html_escaping_off=”X”, . , . SAP Security Note 1488500. Business HTML (BHTML) HTMLBusiness Template Library (, SAP_TemplateNonEditableField()) . , . SAP Security Note 916255. , . , . , XSS-: http/security_session_timeout = 900; - , . icf/set_HTTPonly_flag_on_cookies = 0; HttpOnly , - , , . HTTPOnly, Logon tickets XSS-. , RZ10, ( Profile) (, DEFAULT.PFL, SAP-). , , , Extended maintenance . , Copy. , , - , - -, : icm/HTTP/logging_0 icm/security_log , SAP NetWeaver J2EE SAP NetWeaver J2EE AS Java tc_sec_csi.jar. , HTML/XML, JavaScript, CSS URL. StringUtils (com.sap.security.core.server.csi.util.StringUtils): . Securing SAP from XSS vulnerabilities escapeScriptEndTag(String pStr) - , javascript ; escapeToHTML(String input) – (. 1) escapeToJS(String input) – JS declaration ( . 5) escapeToURL(String input) – , URL ( 3). , 'disableScriptSignatures'. escapeToURL(StringBuffer sb, String input, int maxLength) - , URL ( 3). , 'disableScriptSignatures'. escapeToURL(String input, int maxLength) - , URL (. 3). , 'disableScriptSignatures'. urlEncode(String s) – URLEncoder.encode , . 1 ( ) [CASE1] Username [CASE1] 2 ( , – URL) Click here 3 ( - URL) 4 ( SCRIPT', – ) 5 ( – declaration ) XSSEncoder. - XSSEncoder ( : com.sap.security.core.server.csi.XSSEncoder). : HTML / XML out = XSSEncoder.encodeHTML( in ) and XSSEncoder.encodeXML( val ); JavaScript out = XSSEncoder.encodeJavaScript( val ); URL out = XSSEncoder.encodeURL( val ); CSS out = XSSEncoder.encodeCSS( val ); , . SAP Security Note 1590008. WebDynpro Java WebDynpro Java, XSS. . SAP UI Development Kit for HTML5 SAP UI Development Kit HTML5, jQuery /_core/src/main/js/jquery.sap.encoder.js. : HTML / XML jQuery.sap.encodeHTML(sValue) and jQuery.sap.encodeXML(sValue) JavaScript jQuery.sap.encodeJS(sValue) URL jQuery.sap.encodeURL(sValue) CSS jQuery.sap.encodeCSS(sValue) : , : Global_app_config/session_config/sessionTimeout = 900. - , . SystemCookiesDataProtection = true. HttpOnly , - , , . HTTPOnly, Logon tickets XSS-. ume.logon.httponlycookie= True. Logon tickets , Single Sign-On J2EE Engine. “True” , HTTP document.cookie ( XSS-) . SessionIPProtectionEnabled = True. , IP . True, HTTP- IP. IP, . , , - XSS-, - -, . LogCLF = TRUE http.properties logging CEF. ArchiveOldLogFiles = ON. Log Configurator . . , . , . . HttpTrace= Enable. HTTP- , ConfigTool. HTTP Provider Service, , HttpTrace. SAP HANA XS , XSS- – SAP HANA. SAP HANA SAPUI5. - SAPUI5 , . , int int, sap.ui.core . – , HTML: , : sessiontimeout = 900. - , . HttpOnly . , , - XSS-, - -, . HTTP (S) , SAP HANA, -. - HTTP (S) , icm/http/logging _ 0: global _ auditing _ state = true. global.ini, . , , XSS-. SAP HANA Administration Console –> Security HDB –> Auditing Status menu. - , XSS. , , - SAP . XSS- – SAP. SAP XSS-. XSS SAP. , ( chipik ) . Logging additional information ABAP protection SAP Encoding Functions for AS ABAP Java protection SAP Encoding Functions for AS Java and JavaScript Prevention of Cross-site Scripting SAP HANA protection Protecting SAP® Applications Based on Java and ABAP™ Against Common Attacks
<%@page language="abap" forceEncode="html"%> <% data: inputvalue type string. inputvalue = request->get_form_field( 'x' ). %> </html> . , ( ): <%html=...%>: HTML <%url=...%>: URL URL <%javascript=...%>: JavaScript <%css=…%> : CSS <%raw=...%> ( , , , ) BSP BSP HTMLB forceEncode <htmlb:content> ENABLED , ( ). ENABLED , , :<htmlb:content forceEncode="ENABLED|BACKWARDS_COMPATIBLE"> ENABLED: . , ; BACKWARDS_COMPATIBLE: . , . , htmlb:content , . : CLASSIC, DESIGN2002, DESIGN2003, DESIGN2008, , (+). CLASSIC DESIGN2002 (, ) . <htmlb:content forceEncode="ENABLED" design="DESIGN2003+DESIGN2008"> , design=CLASSIC. . Mixed BSP- HTML HTMLB forceEncode BSP page forceEncode HTMLB . , – HTMLB. , , HTML BSP, Internet Transaction Server (ITS) HTML Business Internet Transaction Server (ITS) HTML Business, : xss_url_escape() xss_html_escape() xss_wml_escape() xss_css_escape() xss_js_escape() HTML Business , HTML-: , (`) , : ~auto_html_escaping=1: , ~new_xss_functions=1: XSS. ~html_escaping_off=1/0, . , , SAP_BASIS: ITS ( <= 6.40), Internet Service SE80. ITS ( >= 6.40), GUI SICF : 7.20, ~new_xss_functions, XSS- . , , , . ~html_escaping_off=”X”, . , . SAP Security Note 1488500. Business HTML (BHTML) HTMLBusiness Template Library (, SAP_TemplateNonEditableField()) . , . SAP Security Note 916255. , . , . , XSS-: http/security_session_timeout = 900; - , . icf/set_HTTPonly_flag_on_cookies = 0; HttpOnly , - , , . HTTPOnly, Logon tickets XSS-. , RZ10, ( Profile) (, DEFAULT.PFL, SAP-). , , , Extended maintenance . , Copy. , , - , - -, : icm/HTTP/logging_0 icm/security_log , SAP NetWeaver J2EE SAP NetWeaver J2EE AS Java tc_sec_csi.jar. , HTML/XML, JavaScript, CSS URL. StringUtils (com.sap.security.core.server.csi.util.StringUtils): . Securing SAP from XSS vulnerabilities escapeScriptEndTag(String pStr) - , javascript ; escapeToHTML(String input) – (. 1) escapeToJS(String input) – JS declaration ( . 5) escapeToURL(String input) – , URL ( 3). , 'disableScriptSignatures'. escapeToURL(StringBuffer sb, String input, int maxLength) - , URL ( 3). , 'disableScriptSignatures'. escapeToURL(String input, int maxLength) - , URL (. 3). , 'disableScriptSignatures'. urlEncode(String s) – URLEncoder.encode , . 1 ( ) [CASE1] Username [CASE1] 2 ( , – URL) Click here 3 ( - URL) 4 ( SCRIPT', – ) 5 ( – declaration ) XSSEncoder. - XSSEncoder ( : com.sap.security.core.server.csi.XSSEncoder). : HTML / XML out = XSSEncoder.encodeHTML( in ) and XSSEncoder.encodeXML( val ); JavaScript out = XSSEncoder.encodeJavaScript( val ); URL out = XSSEncoder.encodeURL( val ); CSS out = XSSEncoder.encodeCSS( val ); , . SAP Security Note 1590008. WebDynpro Java WebDynpro Java, XSS. . SAP UI Development Kit for HTML5 SAP UI Development Kit HTML5, jQuery /_core/src/main/js/jquery.sap.encoder.js. : HTML / XML jQuery.sap.encodeHTML(sValue) and jQuery.sap.encodeXML(sValue) JavaScript jQuery.sap.encodeJS(sValue) URL jQuery.sap.encodeURL(sValue) CSS jQuery.sap.encodeCSS(sValue) : , : Global_app_config/session_config/sessionTimeout = 900. - , . SystemCookiesDataProtection = true. HttpOnly , - , , . HTTPOnly, Logon tickets XSS-. ume.logon.httponlycookie= True. Logon tickets , Single Sign-On J2EE Engine. “True” , HTTP document.cookie ( XSS-) . SessionIPProtectionEnabled = True. , IP . True, HTTP- IP. IP, . , , - XSS-, - -, . LogCLF = TRUE http.properties logging CEF. ArchiveOldLogFiles = ON. Log Configurator . . , . , . . HttpTrace= Enable. HTTP- , ConfigTool. HTTP Provider Service, , HttpTrace. SAP HANA XS , XSS- – SAP HANA. SAP HANA SAPUI5. - SAPUI5 , . , int int, sap.ui.core . – , HTML: , : sessiontimeout = 900. - , . HttpOnly . , , - XSS-, - -, . HTTP (S) , SAP HANA, -. - HTTP (S) , icm/http/logging _ 0: global _ auditing _ state = true. global.ini, . , , XSS-. SAP HANA Administration Console –> Security HDB –> Auditing Status menu. - , XSS. , , - SAP . XSS- – SAP. SAP XSS-. XSS SAP. , ( chipik ) . Logging additional information ABAP protection SAP Encoding Functions for AS ABAP Java protection SAP Encoding Functions for AS Java and JavaScript Prevention of Cross-site Scripting SAP HANA protection Protecting SAP® Applications Based on Java and ABAP™ Against Common Attacks
<%@page language="abap" forceEncode="html"%> <% data: inputvalue type string. inputvalue = request->get_form_field( 'x' ). %> </html> . , ( ): <%html=...%>: HTML <%url=...%>: URL URL <%javascript=...%>: JavaScript <%css=…%> : CSS <%raw=...%> ( , , , ) BSP BSP HTMLB forceEncode <htmlb:content> ENABLED , ( ). ENABLED , , :<htmlb:content forceEncode="ENABLED|BACKWARDS_COMPATIBLE"> ENABLED: . , ; BACKWARDS_COMPATIBLE: . , . , htmlb:content , . : CLASSIC, DESIGN2002, DESIGN2003, DESIGN2008, , (+). CLASSIC DESIGN2002 (, ) . <htmlb:content forceEncode="ENABLED" design="DESIGN2003+DESIGN2008"> , design=CLASSIC. . Mixed BSP- HTML HTMLB forceEncode BSP page forceEncode HTMLB . , – HTMLB. , , HTML BSP, Internet Transaction Server (ITS) HTML Business Internet Transaction Server (ITS) HTML Business, : xss_url_escape() xss_html_escape() xss_wml_escape() xss_css_escape() xss_js_escape() HTML Business , HTML-: , (`) , : ~auto_html_escaping=1: , ~new_xss_functions=1: XSS. ~html_escaping_off=1/0, . , , SAP_BASIS: ITS ( <= 6.40), Internet Service SE80. ITS ( >= 6.40), GUI SICF : 7.20, ~new_xss_functions, XSS- . , , , . ~html_escaping_off=”X”, . , . SAP Security Note 1488500. Business HTML (BHTML) HTMLBusiness Template Library (, SAP_TemplateNonEditableField()) . , . SAP Security Note 916255. , . , . , XSS-: http/security_session_timeout = 900; - , . icf/set_HTTPonly_flag_on_cookies = 0; HttpOnly , - , , . HTTPOnly, Logon tickets XSS-. , RZ10, ( Profile) (, DEFAULT.PFL, SAP-). , , , Extended maintenance . , Copy. , , - , - -, : icm/HTTP/logging_0 icm/security_log , SAP NetWeaver J2EE SAP NetWeaver J2EE AS Java tc_sec_csi.jar. , HTML/XML, JavaScript, CSS URL. StringUtils (com.sap.security.core.server.csi.util.StringUtils): . Securing SAP from XSS vulnerabilities escapeScriptEndTag(String pStr) - , javascript ; escapeToHTML(String input) – (. 1) escapeToJS(String input) – JS declaration ( . 5) escapeToURL(String input) – , URL ( 3). , 'disableScriptSignatures'. escapeToURL(StringBuffer sb, String input, int maxLength) - , URL ( 3). , 'disableScriptSignatures'. escapeToURL(String input, int maxLength) - , URL (. 3). , 'disableScriptSignatures'. urlEncode(String s) – URLEncoder.encode , . 1 ( ) [CASE1] Username [CASE1] 2 ( , – URL) Click here 3 ( - URL) 4 ( SCRIPT', – ) 5 ( – declaration ) XSSEncoder. - XSSEncoder ( : com.sap.security.core.server.csi.XSSEncoder). : HTML / XML out = XSSEncoder.encodeHTML( in ) and XSSEncoder.encodeXML( val ); JavaScript out = XSSEncoder.encodeJavaScript( val ); URL out = XSSEncoder.encodeURL( val ); CSS out = XSSEncoder.encodeCSS( val ); , . SAP Security Note 1590008. WebDynpro Java WebDynpro Java, XSS. . SAP UI Development Kit for HTML5 SAP UI Development Kit HTML5, jQuery /_core/src/main/js/jquery.sap.encoder.js. : HTML / XML jQuery.sap.encodeHTML(sValue) and jQuery.sap.encodeXML(sValue) JavaScript jQuery.sap.encodeJS(sValue) URL jQuery.sap.encodeURL(sValue) CSS jQuery.sap.encodeCSS(sValue) : , : Global_app_config/session_config/sessionTimeout = 900. - , . SystemCookiesDataProtection = true. HttpOnly , - , , . HTTPOnly, Logon tickets XSS-. ume.logon.httponlycookie= True. Logon tickets , Single Sign-On J2EE Engine. “True” , HTTP document.cookie ( XSS-) . SessionIPProtectionEnabled = True. , IP . True, HTTP- IP. IP, . , , - XSS-, - -, . LogCLF = TRUE http.properties logging CEF. ArchiveOldLogFiles = ON. Log Configurator . . , . , . . HttpTrace= Enable. HTTP- , ConfigTool. HTTP Provider Service, , HttpTrace. SAP HANA XS , XSS- – SAP HANA. SAP HANA SAPUI5. - SAPUI5 , . , int int, sap.ui.core . – , HTML: , : sessiontimeout = 900. - , . HttpOnly . , , - XSS-, - -, . HTTP (S) , SAP HANA, -. - HTTP (S) , icm/http/logging _ 0: global _ auditing _ state = true. global.ini, . , , XSS-. SAP HANA Administration Console –> Security HDB –> Auditing Status menu. - , XSS. , , - SAP . XSS- – SAP. SAP XSS-. XSS SAP. , ( chipik ) . Logging additional information ABAP protection SAP Encoding Functions for AS ABAP Java protection SAP Encoding Functions for AS Java and JavaScript Prevention of Cross-site Scripting SAP HANA protection Protecting SAP® Applications Based on Java and ABAP™ Against Common Attacks
<%@page language="abap" forceEncode="html"%> <% data: inputvalue type string. inputvalue = request->get_form_field( 'x' ). %> </html> . , ( ): <%html=...%>: HTML <%url=...%>: URL URL <%javascript=...%>: JavaScript <%css=…%> : CSS <%raw=...%> ( , , , ) BSP BSP HTMLB forceEncode <htmlb:content> ENABLED , ( ). ENABLED , , :<htmlb:content forceEncode="ENABLED|BACKWARDS_COMPATIBLE"> ENABLED: . , ; BACKWARDS_COMPATIBLE: . , . , htmlb:content , . : CLASSIC, DESIGN2002, DESIGN2003, DESIGN2008, , (+). CLASSIC DESIGN2002 (, ) . <htmlb:content forceEncode="ENABLED" design="DESIGN2003+DESIGN2008"> , design=CLASSIC. . Mixed BSP- HTML HTMLB forceEncode BSP page forceEncode HTMLB . , – HTMLB. , , HTML BSP, Internet Transaction Server (ITS) HTML Business Internet Transaction Server (ITS) HTML Business, : xss_url_escape() xss_html_escape() xss_wml_escape() xss_css_escape() xss_js_escape() HTML Business , HTML-: , (`) , : ~auto_html_escaping=1: , ~new_xss_functions=1: XSS. ~html_escaping_off=1/0, . , , SAP_BASIS: ITS ( <= 6.40), Internet Service SE80. ITS ( >= 6.40), GUI SICF : 7.20, ~new_xss_functions, XSS- . , , , . ~html_escaping_off=”X”, . , . SAP Security Note 1488500. Business HTML (BHTML) HTMLBusiness Template Library (, SAP_TemplateNonEditableField()) . , . SAP Security Note 916255. , . , . , XSS-: http/security_session_timeout = 900; - , . icf/set_HTTPonly_flag_on_cookies = 0; HttpOnly , - , , . HTTPOnly, Logon tickets XSS-. , RZ10, ( Profile) (, DEFAULT.PFL, SAP-). , , , Extended maintenance . , Copy. , , - , - -, : icm/HTTP/logging_0 icm/security_log , SAP NetWeaver J2EE SAP NetWeaver J2EE AS Java tc_sec_csi.jar. , HTML/XML, JavaScript, CSS URL. StringUtils (com.sap.security.core.server.csi.util.StringUtils): . Securing SAP from XSS vulnerabilities escapeScriptEndTag(String pStr) - , javascript ; escapeToHTML(String input) – (. 1) escapeToJS(String input) – JS declaration ( . 5) escapeToURL(String input) – , URL ( 3). , 'disableScriptSignatures'. escapeToURL(StringBuffer sb, String input, int maxLength) - , URL ( 3). , 'disableScriptSignatures'. escapeToURL(String input, int maxLength) - , URL (. 3). , 'disableScriptSignatures'. urlEncode(String s) – URLEncoder.encode , . 1 ( ) [CASE1] Username [CASE1] 2 ( , – URL) Click here 3 ( - URL) 4 ( SCRIPT', – ) 5 ( – declaration ) XSSEncoder. - XSSEncoder ( : com.sap.security.core.server.csi.XSSEncoder). : HTML / XML out = XSSEncoder.encodeHTML( in ) and XSSEncoder.encodeXML( val ); JavaScript out = XSSEncoder.encodeJavaScript( val ); URL out = XSSEncoder.encodeURL( val ); CSS out = XSSEncoder.encodeCSS( val ); , . SAP Security Note 1590008. WebDynpro Java WebDynpro Java, XSS. . SAP UI Development Kit for HTML5 SAP UI Development Kit HTML5, jQuery /_core/src/main/js/jquery.sap.encoder.js. : HTML / XML jQuery.sap.encodeHTML(sValue) and jQuery.sap.encodeXML(sValue) JavaScript jQuery.sap.encodeJS(sValue) URL jQuery.sap.encodeURL(sValue) CSS jQuery.sap.encodeCSS(sValue) : , : Global_app_config/session_config/sessionTimeout = 900. - , . SystemCookiesDataProtection = true. HttpOnly , - , , . HTTPOnly, Logon tickets XSS-. ume.logon.httponlycookie= True. Logon tickets , Single Sign-On J2EE Engine. “True” , HTTP document.cookie ( XSS-) . SessionIPProtectionEnabled = True. , IP . True, HTTP- IP. IP, . , , - XSS-, - -, . LogCLF = TRUE http.properties logging CEF. ArchiveOldLogFiles = ON. Log Configurator . . , . , . . HttpTrace= Enable. HTTP- , ConfigTool. HTTP Provider Service, , HttpTrace. SAP HANA XS , XSS- – SAP HANA. SAP HANA SAPUI5. - SAPUI5 , . , int int, sap.ui.core . – , HTML: , : sessiontimeout = 900. - , . HttpOnly . , , - XSS-, - -, . HTTP (S) , SAP HANA, -. - HTTP (S) , icm/http/logging _ 0: global _ auditing _ state = true. global.ini, . , , XSS-. SAP HANA Administration Console –> Security HDB –> Auditing Status menu. - , XSS. , , - SAP . XSS- – SAP. SAP XSS-. XSS SAP. , ( chipik ) . Logging additional information ABAP protection SAP Encoding Functions for AS ABAP Java protection SAP Encoding Functions for AS Java and JavaScript Prevention of Cross-site Scripting SAP HANA protection Protecting SAP® Applications Based on Java and ABAP™ Against Common Attacks

<%@page language="abap" forceEncode="html"%>
<% data: inputvalue type string.
inputvalue = request->get_form_field( 'x' ).
%>
</html>


. , ( ):

<%html=...%>: HTML <%url=...%>: URL URL <%javascript=...%>: JavaScript <%css=…%> : CSS <%raw=...%> ( , , , )

BSP

BSP HTMLB forceEncode <htmlb:content> ENABLED , ( ). ENABLED , , :<htmlb:content forceEncode="ENABLED|BACKWARDS_COMPATIBLE">

ENABLED: . , ; BACKWARDS_COMPATIBLE: . , .

, htmlb:content , . : CLASSIC, DESIGN2002, DESIGN2003, DESIGN2008, , (+). CLASSIC DESIGN2002 (, ) .

<htmlb:content forceEncode="ENABLED" design="DESIGN2003+DESIGN2008">


, design=CLASSIC. .

Mixed BSP- HTML HTMLB

forceEncode BSP page forceEncode HTMLB . , – HTMLB. , , HTML BSP,

Internet Transaction Server (ITS) HTML Business

Internet Transaction Server (ITS) HTML Business, :

xss_url_escape() xss_html_escape() xss_wml_escape() xss_css_escape() xss_js_escape()
HTML Business

, HTML-: , (`) , :
~auto_html_escaping=1: , ~new_xss_functions=1: XSS.
~html_escaping_off=1/0, .
, , SAP_BASIS:
ITS ( <= 6.40), Internet Service SE80. ITS ( >= 6.40), GUI SICF :

7.20, ~new_xss_functions, XSS- .

, , , . ~html_escaping_off=”X”, . , . SAP Security Note 1488500.

Business HTML (BHTML)

HTMLBusiness Template Library (, SAP_TemplateNonEditableField()) . , . SAP Security Note 916255.



, . , .



, XSS-:

http/security_session_timeout = 900; - , . icf/set_HTTPonly_flag_on_cookies = 0; HttpOnly , - , , . HTTPOnly, Logon tickets XSS-.

, RZ10, ( Profile) (, DEFAULT.PFL, SAP-). , , , Extended maintenance . , Copy.



, , - , - -, :
icm/HTTP/logging_0 icm/security_log ,

SAP NetWeaver J2EE

SAP NetWeaver J2EE



AS Java tc_sec_csi.jar. , HTML/XML, JavaScript, CSS URL. StringUtils (com.sap.security.core.server.csi.util.StringUtils):

. Securing SAP from XSS vulnerabilities
escapeScriptEndTag(String pStr) - , javascript ; escapeToHTML(String input) – (. 1) escapeToJS(String input) – JS declaration ( . 5) escapeToURL(String input) – , URL ( 3). , 'disableScriptSignatures'. escapeToURL(StringBuffer sb, String input, int maxLength) - , URL ( 3). , 'disableScriptSignatures'. escapeToURL(String input, int maxLength) - , URL (. 3). , 'disableScriptSignatures'. urlEncode(String s) – URLEncoder.encode

, .

1 ( )

[CASE1]

Username [CASE1]



2 ( , – URL)


Click here


3 ( - URL)




4 ( SCRIPT', – )



5 ( – declaration )



XSSEncoder.
- XSSEncoder ( : com.sap.security.core.server.csi.XSSEncoder).

:
HTML / XML out = XSSEncoder.encodeHTML( in ) and XSSEncoder.encodeXML( val ); JavaScript out = XSSEncoder.encodeJavaScript( val ); URL out = XSSEncoder.encodeURL( val ); CSS out = XSSEncoder.encodeCSS( val );

, . SAP Security Note 1590008.
WebDynpro Java
WebDynpro Java, XSS. .
SAP UI Development Kit for HTML5
SAP UI Development Kit HTML5, jQuery /_core/src/main/js/jquery.sap.encoder.js.
:
HTML / XML jQuery.sap.encodeHTML(sValue) and jQuery.sap.encodeXML(sValue) JavaScript jQuery.sap.encodeJS(sValue) URL jQuery.sap.encodeURL(sValue) CSS jQuery.sap.encodeCSS(sValue)
:

, :
Global_app_config/session_config/sessionTimeout = 900. - , . SystemCookiesDataProtection = true. HttpOnly , - , , . HTTPOnly, Logon tickets XSS-. ume.logon.httponlycookie= True. Logon tickets , Single Sign-On J2EE Engine. “True” , HTTP document.cookie ( XSS-) . SessionIPProtectionEnabled = True. , IP . True, HTTP- IP. IP, .


, , - XSS-, - -, .
LogCLF = TRUE http.properties logging CEF. ArchiveOldLogFiles = ON. Log Configurator . . , . , . . HttpTrace= Enable. HTTP- , ConfigTool. HTTP Provider Service, , HttpTrace.
SAP HANA XS

, XSS- – SAP HANA.


SAP HANA SAPUI5.
- SAPUI5 , . , int int, sap.ui.core . – , HTML:

, :
sessiontimeout = 900. - , . HttpOnly .



, , - XSS-, - -, .

HTTP (S) , SAP HANA, -. - HTTP (S) , icm/http/logging _ 0: global _ auditing _ state = true. global.ini, . , , XSS-. SAP HANA Administration Console –> Security HDB –> Auditing Status menu.



- , XSS. , , - SAP . XSS- – SAP. SAP XSS-. XSS SAP.

, ( chipik ) .


Logging additional information ABAP protection SAP Encoding Functions for AS ABAP Java protection SAP Encoding Functions for AS Java and JavaScript Prevention of Cross-site Scripting SAP HANA protection Protecting SAP® Applications Based on Java and ABAP™ Against Common Attacks

<%@page language="abap" forceEncode="html"%> <% data: inputvalue type string. inputvalue = request->get_form_field( 'x' ). %> </html> . , ( ): <%html=...%>: HTML <%url=...%>: URL URL <%javascript=...%>: JavaScript <%css=…%> : CSS <%raw=...%> ( , , , ) BSP BSP HTMLB forceEncode <htmlb:content> ENABLED , ( ). ENABLED , , :<htmlb:content forceEncode="ENABLED|BACKWARDS_COMPATIBLE"> ENABLED: . , ; BACKWARDS_COMPATIBLE: . , . , htmlb:content , . : CLASSIC, DESIGN2002, DESIGN2003, DESIGN2008, , (+). CLASSIC DESIGN2002 (, ) . <htmlb:content forceEncode="ENABLED" design="DESIGN2003+DESIGN2008"> , design=CLASSIC. . Mixed BSP- HTML HTMLB forceEncode BSP page forceEncode HTMLB . , – HTMLB. , , HTML BSP, Internet Transaction Server (ITS) HTML Business Internet Transaction Server (ITS) HTML Business, : xss_url_escape() xss_html_escape() xss_wml_escape() xss_css_escape() xss_js_escape() HTML Business , HTML-: , (`) , : ~auto_html_escaping=1: , ~new_xss_functions=1: XSS. ~html_escaping_off=1/0, . , , SAP_BASIS: ITS ( <= 6.40), Internet Service SE80. ITS ( >= 6.40), GUI SICF : 7.20, ~new_xss_functions, XSS- . , , , . ~html_escaping_off=”X”, . , . SAP Security Note 1488500. Business HTML (BHTML) HTMLBusiness Template Library (, SAP_TemplateNonEditableField()) . , . SAP Security Note 916255. , . , . , XSS-: http/security_session_timeout = 900; - , . icf/set_HTTPonly_flag_on_cookies = 0; HttpOnly , - , , . HTTPOnly, Logon tickets XSS-. , RZ10, ( Profile) (, DEFAULT.PFL, SAP-). , , , Extended maintenance . , Copy. , , - , - -, : icm/HTTP/logging_0 icm/security_log , SAP NetWeaver J2EE SAP NetWeaver J2EE AS Java tc_sec_csi.jar. , HTML/XML, JavaScript, CSS URL. StringUtils (com.sap.security.core.server.csi.util.StringUtils): . Securing SAP from XSS vulnerabilities escapeScriptEndTag(String pStr) - , javascript ; escapeToHTML(String input) – (. 1) escapeToJS(String input) – JS declaration ( . 5) escapeToURL(String input) – , URL ( 3). , 'disableScriptSignatures'. escapeToURL(StringBuffer sb, String input, int maxLength) - , URL ( 3). , 'disableScriptSignatures'. escapeToURL(String input, int maxLength) - , URL (. 3). , 'disableScriptSignatures'. urlEncode(String s) – URLEncoder.encode , . 1 ( ) [CASE1] Username [CASE1] 2 ( , – URL) Click here 3 ( - URL) 4 ( SCRIPT', – ) 5 ( – declaration ) XSSEncoder. - XSSEncoder ( : com.sap.security.core.server.csi.XSSEncoder). : HTML / XML out = XSSEncoder.encodeHTML( in ) and XSSEncoder.encodeXML( val ); JavaScript out = XSSEncoder.encodeJavaScript( val ); URL out = XSSEncoder.encodeURL( val ); CSS out = XSSEncoder.encodeCSS( val ); , . SAP Security Note 1590008. WebDynpro Java WebDynpro Java, XSS. . SAP UI Development Kit for HTML5 SAP UI Development Kit HTML5, jQuery /_core/src/main/js/jquery.sap.encoder.js. : HTML / XML jQuery.sap.encodeHTML(sValue) and jQuery.sap.encodeXML(sValue) JavaScript jQuery.sap.encodeJS(sValue) URL jQuery.sap.encodeURL(sValue) CSS jQuery.sap.encodeCSS(sValue) : , : Global_app_config/session_config/sessionTimeout = 900. - , . SystemCookiesDataProtection = true. HttpOnly , - , , . HTTPOnly, Logon tickets XSS-. ume.logon.httponlycookie= True. Logon tickets , Single Sign-On J2EE Engine. “True” , HTTP document.cookie ( XSS-) . SessionIPProtectionEnabled = True. , IP . True, HTTP- IP. IP, . , , - XSS-, - -, . LogCLF = TRUE http.properties logging CEF. ArchiveOldLogFiles = ON. Log Configurator . . , . , . . HttpTrace= Enable. HTTP- , ConfigTool. HTTP Provider Service, , HttpTrace. SAP HANA XS , XSS- – SAP HANA. SAP HANA SAPUI5. - SAPUI5 , . , int int, sap.ui.core . – , HTML: , : sessiontimeout = 900. - , . HttpOnly . , , - XSS-, - -, . HTTP (S) , SAP HANA, -. - HTTP (S) , icm/http/logging _ 0: global _ auditing _ state = true. global.ini, . , , XSS-. SAP HANA Administration Console –> Security HDB –> Auditing Status menu. - , XSS. , , - SAP . XSS- – SAP. SAP XSS-. XSS SAP. , ( chipik ) . Logging additional information ABAP protection SAP Encoding Functions for AS ABAP Java protection SAP Encoding Functions for AS Java and JavaScript Prevention of Cross-site Scripting SAP HANA protection Protecting SAP® Applications Based on Java and ABAP™ Against Common Attacks

<%@page language="abap" forceEncode="html"%>
<% data: inputvalue type string.
inputvalue = request->get_form_field( 'x' ).
%>
</html>


. , ( ):

<%html=...%>: HTML <%url=...%>: URL URL <%javascript=...%>: JavaScript <%css=…%> : CSS <%raw=...%> ( , , , )

BSP

BSP HTMLB forceEncode <htmlb:content> ENABLED , ( ). ENABLED , , :<htmlb:content forceEncode="ENABLED|BACKWARDS_COMPATIBLE">

ENABLED: . , ; BACKWARDS_COMPATIBLE: . , .

, htmlb:content , . : CLASSIC, DESIGN2002, DESIGN2003, DESIGN2008, , (+). CLASSIC DESIGN2002 (, ) .

<htmlb:content forceEncode="ENABLED" design="DESIGN2003+DESIGN2008">


, design=CLASSIC. .

Mixed BSP- HTML HTMLB

forceEncode BSP page forceEncode HTMLB . , – HTMLB. , , HTML BSP,

Internet Transaction Server (ITS) HTML Business

Internet Transaction Server (ITS) HTML Business, :

xss_url_escape() xss_html_escape() xss_wml_escape() xss_css_escape() xss_js_escape()
HTML Business

, HTML-: , (`) , :
~auto_html_escaping=1: , ~new_xss_functions=1: XSS.
~html_escaping_off=1/0, .
, , SAP_BASIS:
ITS ( <= 6.40), Internet Service SE80. ITS ( >= 6.40), GUI SICF :

7.20, ~new_xss_functions, XSS- .

, , , . ~html_escaping_off=”X”, . , . SAP Security Note 1488500.

Business HTML (BHTML)

HTMLBusiness Template Library (, SAP_TemplateNonEditableField()) . , . SAP Security Note 916255.



, . , .



, XSS-:

http/security_session_timeout = 900; - , . icf/set_HTTPonly_flag_on_cookies = 0; HttpOnly , - , , . HTTPOnly, Logon tickets XSS-.

, RZ10, ( Profile) (, DEFAULT.PFL, SAP-). , , , Extended maintenance . , Copy.



, , - , - -, :
icm/HTTP/logging_0 icm/security_log ,

SAP NetWeaver J2EE

SAP NetWeaver J2EE



AS Java tc_sec_csi.jar. , HTML/XML, JavaScript, CSS URL. StringUtils (com.sap.security.core.server.csi.util.StringUtils):

. Securing SAP from XSS vulnerabilities
escapeScriptEndTag(String pStr) - , javascript ; escapeToHTML(String input) – (. 1) escapeToJS(String input) – JS declaration ( . 5) escapeToURL(String input) – , URL ( 3). , 'disableScriptSignatures'. escapeToURL(StringBuffer sb, String input, int maxLength) - , URL ( 3). , 'disableScriptSignatures'. escapeToURL(String input, int maxLength) - , URL (. 3). , 'disableScriptSignatures'. urlEncode(String s) – URLEncoder.encode

, .

1 ( )

[CASE1]

Username [CASE1]



2 ( , – URL)


Click here


3 ( - URL)




4 ( SCRIPT', – )



5 ( – declaration )



XSSEncoder.
- XSSEncoder ( : com.sap.security.core.server.csi.XSSEncoder).

:
HTML / XML out = XSSEncoder.encodeHTML( in ) and XSSEncoder.encodeXML( val ); JavaScript out = XSSEncoder.encodeJavaScript( val ); URL out = XSSEncoder.encodeURL( val ); CSS out = XSSEncoder.encodeCSS( val );

, . SAP Security Note 1590008.
WebDynpro Java
WebDynpro Java, XSS. .
SAP UI Development Kit for HTML5
SAP UI Development Kit HTML5, jQuery /_core/src/main/js/jquery.sap.encoder.js.
:
HTML / XML jQuery.sap.encodeHTML(sValue) and jQuery.sap.encodeXML(sValue) JavaScript jQuery.sap.encodeJS(sValue) URL jQuery.sap.encodeURL(sValue) CSS jQuery.sap.encodeCSS(sValue)
:

, :
Global_app_config/session_config/sessionTimeout = 900. - , . SystemCookiesDataProtection = true. HttpOnly , - , , . HTTPOnly, Logon tickets XSS-. ume.logon.httponlycookie= True. Logon tickets , Single Sign-On J2EE Engine. “True” , HTTP document.cookie ( XSS-) . SessionIPProtectionEnabled = True. , IP . True, HTTP- IP. IP, .


, , - XSS-, - -, .
LogCLF = TRUE http.properties logging CEF. ArchiveOldLogFiles = ON. Log Configurator . . , . , . . HttpTrace= Enable. HTTP- , ConfigTool. HTTP Provider Service, , HttpTrace.
SAP HANA XS

, XSS- – SAP HANA.


SAP HANA SAPUI5.
- SAPUI5 , . , int int, sap.ui.core . – , HTML:

, :
sessiontimeout = 900. - , . HttpOnly .



, , - XSS-, - -, .

HTTP (S) , SAP HANA, -. - HTTP (S) , icm/http/logging _ 0: global _ auditing _ state = true. global.ini, . , , XSS-. SAP HANA Administration Console –> Security HDB –> Auditing Status menu.



- , XSS. , , - SAP . XSS- – SAP. SAP XSS-. XSS SAP.

, ( chipik ) .


Logging additional information ABAP protection SAP Encoding Functions for AS ABAP Java protection SAP Encoding Functions for AS Java and JavaScript Prevention of Cross-site Scripting SAP HANA protection Protecting SAP® Applications Based on Java and ABAP™ Against Common Attacks

<%@page language="abap" forceEncode="html"%> <% data: inputvalue type string. inputvalue = request->get_form_field( 'x' ). %> </html> . , ( ): <%html=...%>: HTML <%url=...%>: URL URL <%javascript=...%>: JavaScript <%css=…%> : CSS <%raw=...%> ( , , , ) BSP BSP HTMLB forceEncode <htmlb:content> ENABLED , ( ). ENABLED , , :<htmlb:content forceEncode="ENABLED|BACKWARDS_COMPATIBLE"> ENABLED: . , ; BACKWARDS_COMPATIBLE: . , . , htmlb:content , . : CLASSIC, DESIGN2002, DESIGN2003, DESIGN2008, , (+). CLASSIC DESIGN2002 (, ) . <htmlb:content forceEncode="ENABLED" design="DESIGN2003+DESIGN2008"> , design=CLASSIC. . Mixed BSP- HTML HTMLB forceEncode BSP page forceEncode HTMLB . , – HTMLB. , , HTML BSP, Internet Transaction Server (ITS) HTML Business Internet Transaction Server (ITS) HTML Business, : xss_url_escape() xss_html_escape() xss_wml_escape() xss_css_escape() xss_js_escape() HTML Business , HTML-: , (`) , : ~auto_html_escaping=1: , ~new_xss_functions=1: XSS. ~html_escaping_off=1/0, . , , SAP_BASIS: ITS ( <= 6.40), Internet Service SE80. ITS ( >= 6.40), GUI SICF : 7.20, ~new_xss_functions, XSS- . , , , . ~html_escaping_off=”X”, . , . SAP Security Note 1488500. Business HTML (BHTML) HTMLBusiness Template Library (, SAP_TemplateNonEditableField()) . , . SAP Security Note 916255. , . , . , XSS-: http/security_session_timeout = 900; - , . icf/set_HTTPonly_flag_on_cookies = 0; HttpOnly , - , , . HTTPOnly, Logon tickets XSS-. , RZ10, ( Profile) (, DEFAULT.PFL, SAP-). , , , Extended maintenance . , Copy. , , - , - -, : icm/HTTP/logging_0 icm/security_log , SAP NetWeaver J2EE SAP NetWeaver J2EE AS Java tc_sec_csi.jar. , HTML/XML, JavaScript, CSS URL. StringUtils (com.sap.security.core.server.csi.util.StringUtils): . Securing SAP from XSS vulnerabilities escapeScriptEndTag(String pStr) - , javascript ; escapeToHTML(String input) – (. 1) escapeToJS(String input) – JS declaration ( . 5) escapeToURL(String input) – , URL ( 3). , 'disableScriptSignatures'. escapeToURL(StringBuffer sb, String input, int maxLength) - , URL ( 3). , 'disableScriptSignatures'. escapeToURL(String input, int maxLength) - , URL (. 3). , 'disableScriptSignatures'. urlEncode(String s) – URLEncoder.encode , . 1 ( ) [CASE1] Username [CASE1] 2 ( , – URL) Click here 3 ( - URL) 4 ( SCRIPT', – ) 5 ( – declaration ) XSSEncoder. - XSSEncoder ( : com.sap.security.core.server.csi.XSSEncoder). : HTML / XML out = XSSEncoder.encodeHTML( in ) and XSSEncoder.encodeXML( val ); JavaScript out = XSSEncoder.encodeJavaScript( val ); URL out = XSSEncoder.encodeURL( val ); CSS out = XSSEncoder.encodeCSS( val ); , . SAP Security Note 1590008. WebDynpro Java WebDynpro Java, XSS. . SAP UI Development Kit for HTML5 SAP UI Development Kit HTML5, jQuery /_core/src/main/js/jquery.sap.encoder.js. : HTML / XML jQuery.sap.encodeHTML(sValue) and jQuery.sap.encodeXML(sValue) JavaScript jQuery.sap.encodeJS(sValue) URL jQuery.sap.encodeURL(sValue) CSS jQuery.sap.encodeCSS(sValue) : , : Global_app_config/session_config/sessionTimeout = 900. - , . SystemCookiesDataProtection = true. HttpOnly , - , , . HTTPOnly, Logon tickets XSS-. ume.logon.httponlycookie= True. Logon tickets , Single Sign-On J2EE Engine. “True” , HTTP document.cookie ( XSS-) . SessionIPProtectionEnabled = True. , IP . True, HTTP- IP. IP, . , , - XSS-, - -, . LogCLF = TRUE http.properties logging CEF. ArchiveOldLogFiles = ON. Log Configurator . . , . , . . HttpTrace= Enable. HTTP- , ConfigTool. HTTP Provider Service, , HttpTrace. SAP HANA XS , XSS- – SAP HANA. SAP HANA SAPUI5. - SAPUI5 , . , int int, sap.ui.core . – , HTML: , : sessiontimeout = 900. - , . HttpOnly . , , - XSS-, - -, . HTTP (S) , SAP HANA, -. - HTTP (S) , icm/http/logging _ 0: global _ auditing _ state = true. global.ini, . , , XSS-. SAP HANA Administration Console –> Security HDB –> Auditing Status menu. - , XSS. , , - SAP . XSS- – SAP. SAP XSS-. XSS SAP. , ( chipik ) . Logging additional information ABAP protection SAP Encoding Functions for AS ABAP Java protection SAP Encoding Functions for AS Java and JavaScript Prevention of Cross-site Scripting SAP HANA protection Protecting SAP® Applications Based on Java and ABAP™ Against Common Attacks
<%@page language="abap" forceEncode="html"%> <% data: inputvalue type string. inputvalue = request->get_form_field( 'x' ). %> </html> . , ( ): <%html=...%>: HTML <%url=...%>: URL URL <%javascript=...%>: JavaScript <%css=…%> : CSS <%raw=...%> ( , , , ) BSP BSP HTMLB forceEncode <htmlb:content> ENABLED , ( ). ENABLED , , :<htmlb:content forceEncode="ENABLED|BACKWARDS_COMPATIBLE"> ENABLED: . , ; BACKWARDS_COMPATIBLE: . , . , htmlb:content , . : CLASSIC, DESIGN2002, DESIGN2003, DESIGN2008, , (+). CLASSIC DESIGN2002 (, ) . <htmlb:content forceEncode="ENABLED" design="DESIGN2003+DESIGN2008"> , design=CLASSIC. . Mixed BSP- HTML HTMLB forceEncode BSP page forceEncode HTMLB . , – HTMLB. , , HTML BSP, Internet Transaction Server (ITS) HTML Business Internet Transaction Server (ITS) HTML Business, : xss_url_escape() xss_html_escape() xss_wml_escape() xss_css_escape() xss_js_escape() HTML Business , HTML-: , (`) , : ~auto_html_escaping=1: , ~new_xss_functions=1: XSS. ~html_escaping_off=1/0, . , , SAP_BASIS: ITS ( <= 6.40), Internet Service SE80. ITS ( >= 6.40), GUI SICF : 7.20, ~new_xss_functions, XSS- . , , , . ~html_escaping_off=”X”, . , . SAP Security Note 1488500. Business HTML (BHTML) HTMLBusiness Template Library (, SAP_TemplateNonEditableField()) . , . SAP Security Note 916255. , . , . , XSS-: http/security_session_timeout = 900; - , . icf/set_HTTPonly_flag_on_cookies = 0; HttpOnly , - , , . HTTPOnly, Logon tickets XSS-. , RZ10, ( Profile) (, DEFAULT.PFL, SAP-). , , , Extended maintenance . , Copy. , , - , - -, : icm/HTTP/logging_0 icm/security_log , SAP NetWeaver J2EE SAP NetWeaver J2EE AS Java tc_sec_csi.jar. , HTML/XML, JavaScript, CSS URL. StringUtils (com.sap.security.core.server.csi.util.StringUtils): . Securing SAP from XSS vulnerabilities escapeScriptEndTag(String pStr) - , javascript ; escapeToHTML(String input) – (. 1) escapeToJS(String input) – JS declaration ( . 5) escapeToURL(String input) – , URL ( 3). , 'disableScriptSignatures'. escapeToURL(StringBuffer sb, String input, int maxLength) - , URL ( 3). , 'disableScriptSignatures'. escapeToURL(String input, int maxLength) - , URL (. 3). , 'disableScriptSignatures'. urlEncode(String s) – URLEncoder.encode , . 1 ( ) [CASE1] Username [CASE1] 2 ( , – URL) Click here 3 ( - URL) 4 ( SCRIPT', – ) 5 ( – declaration ) XSSEncoder. - XSSEncoder ( : com.sap.security.core.server.csi.XSSEncoder). : HTML / XML out = XSSEncoder.encodeHTML( in ) and XSSEncoder.encodeXML( val ); JavaScript out = XSSEncoder.encodeJavaScript( val ); URL out = XSSEncoder.encodeURL( val ); CSS out = XSSEncoder.encodeCSS( val ); , . SAP Security Note 1590008. WebDynpro Java WebDynpro Java, XSS. . SAP UI Development Kit for HTML5 SAP UI Development Kit HTML5, jQuery /_core/src/main/js/jquery.sap.encoder.js. : HTML / XML jQuery.sap.encodeHTML(sValue) and jQuery.sap.encodeXML(sValue) JavaScript jQuery.sap.encodeJS(sValue) URL jQuery.sap.encodeURL(sValue) CSS jQuery.sap.encodeCSS(sValue) : , : Global_app_config/session_config/sessionTimeout = 900. - , . SystemCookiesDataProtection = true. HttpOnly , - , , . HTTPOnly, Logon tickets XSS-. ume.logon.httponlycookie= True. Logon tickets , Single Sign-On J2EE Engine. “True” , HTTP document.cookie ( XSS-) . SessionIPProtectionEnabled = True. , IP . True, HTTP- IP. IP, . , , - XSS-, - -, . LogCLF = TRUE http.properties logging CEF. ArchiveOldLogFiles = ON. Log Configurator . . , . , . . HttpTrace= Enable. HTTP- , ConfigTool. HTTP Provider Service, , HttpTrace. SAP HANA XS , XSS- – SAP HANA. SAP HANA SAPUI5. - SAPUI5 , . , int int, sap.ui.core . – , HTML: , : sessiontimeout = 900. - , . HttpOnly . , , - XSS-, - -, . HTTP (S) , SAP HANA, -. - HTTP (S) , icm/http/logging _ 0: global _ auditing _ state = true. global.ini, . , , XSS-. SAP HANA Administration Console –> Security HDB –> Auditing Status menu. - , XSS. , , - SAP . XSS- – SAP. SAP XSS-. XSS SAP. , ( chipik ) . Logging additional information ABAP protection SAP Encoding Functions for AS ABAP Java protection SAP Encoding Functions for AS Java and JavaScript Prevention of Cross-site Scripting SAP HANA protection Protecting SAP® Applications Based on Java and ABAP™ Against Common Attacks

<%@page language="abap" forceEncode="html"%>
<% data: inputvalue type string.
inputvalue = request->get_form_field( 'x' ).
%>
</html>


. , ( ):

<%html=...%>: HTML <%url=...%>: URL URL <%javascript=...%>: JavaScript <%css=…%> : CSS <%raw=...%> ( , , , )

BSP

BSP HTMLB forceEncode <htmlb:content> ENABLED , ( ). ENABLED , , :<htmlb:content forceEncode="ENABLED|BACKWARDS_COMPATIBLE">

ENABLED: . , ; BACKWARDS_COMPATIBLE: . , .

, htmlb:content , . : CLASSIC, DESIGN2002, DESIGN2003, DESIGN2008, , (+). CLASSIC DESIGN2002 (, ) .

<htmlb:content forceEncode="ENABLED" design="DESIGN2003+DESIGN2008">


, design=CLASSIC. .

Mixed BSP- HTML HTMLB

forceEncode BSP page forceEncode HTMLB . , – HTMLB. , , HTML BSP,

Internet Transaction Server (ITS) HTML Business

Internet Transaction Server (ITS) HTML Business, :

xss_url_escape() xss_html_escape() xss_wml_escape() xss_css_escape() xss_js_escape()
HTML Business

, HTML-: , (`) , :
~auto_html_escaping=1: , ~new_xss_functions=1: XSS.
~html_escaping_off=1/0, .
, , SAP_BASIS:
ITS ( <= 6.40), Internet Service SE80. ITS ( >= 6.40), GUI SICF :

7.20, ~new_xss_functions, XSS- .

, , , . ~html_escaping_off=”X”, . , . SAP Security Note 1488500.

Business HTML (BHTML)

HTMLBusiness Template Library (, SAP_TemplateNonEditableField()) . , . SAP Security Note 916255.



, . , .



, XSS-:

http/security_session_timeout = 900; - , . icf/set_HTTPonly_flag_on_cookies = 0; HttpOnly , - , , . HTTPOnly, Logon tickets XSS-.

, RZ10, ( Profile) (, DEFAULT.PFL, SAP-). , , , Extended maintenance . , Copy.



, , - , - -, :
icm/HTTP/logging_0 icm/security_log ,

SAP NetWeaver J2EE

SAP NetWeaver J2EE



AS Java tc_sec_csi.jar. , HTML/XML, JavaScript, CSS URL. StringUtils (com.sap.security.core.server.csi.util.StringUtils):

. Securing SAP from XSS vulnerabilities
escapeScriptEndTag(String pStr) - , javascript ; escapeToHTML(String input) – (. 1) escapeToJS(String input) – JS declaration ( . 5) escapeToURL(String input) – , URL ( 3). , 'disableScriptSignatures'. escapeToURL(StringBuffer sb, String input, int maxLength) - , URL ( 3). , 'disableScriptSignatures'. escapeToURL(String input, int maxLength) - , URL (. 3). , 'disableScriptSignatures'. urlEncode(String s) – URLEncoder.encode

, .

1 ( )

[CASE1]

Username [CASE1]



2 ( , – URL)


Click here


3 ( - URL)




4 ( SCRIPT', – )



5 ( – declaration )



XSSEncoder.
- XSSEncoder ( : com.sap.security.core.server.csi.XSSEncoder).

:
HTML / XML out = XSSEncoder.encodeHTML( in ) and XSSEncoder.encodeXML( val ); JavaScript out = XSSEncoder.encodeJavaScript( val ); URL out = XSSEncoder.encodeURL( val ); CSS out = XSSEncoder.encodeCSS( val );

, . SAP Security Note 1590008.
WebDynpro Java
WebDynpro Java, XSS. .
SAP UI Development Kit for HTML5
SAP UI Development Kit HTML5, jQuery /_core/src/main/js/jquery.sap.encoder.js.
:
HTML / XML jQuery.sap.encodeHTML(sValue) and jQuery.sap.encodeXML(sValue) JavaScript jQuery.sap.encodeJS(sValue) URL jQuery.sap.encodeURL(sValue) CSS jQuery.sap.encodeCSS(sValue)
:

, :
Global_app_config/session_config/sessionTimeout = 900. - , . SystemCookiesDataProtection = true. HttpOnly , - , , . HTTPOnly, Logon tickets XSS-. ume.logon.httponlycookie= True. Logon tickets , Single Sign-On J2EE Engine. “True” , HTTP document.cookie ( XSS-) . SessionIPProtectionEnabled = True. , IP . True, HTTP- IP. IP, .


, , - XSS-, - -, .
LogCLF = TRUE http.properties logging CEF. ArchiveOldLogFiles = ON. Log Configurator . . , . , . . HttpTrace= Enable. HTTP- , ConfigTool. HTTP Provider Service, , HttpTrace.
SAP HANA XS

, XSS- – SAP HANA.


SAP HANA SAPUI5.
- SAPUI5 , . , int int, sap.ui.core . – , HTML:

, :
sessiontimeout = 900. - , . HttpOnly .



, , - XSS-, - -, .

HTTP (S) , SAP HANA, -. - HTTP (S) , icm/http/logging _ 0: global _ auditing _ state = true. global.ini, . , , XSS-. SAP HANA Administration Console –> Security HDB –> Auditing Status menu.



- , XSS. , , - SAP . XSS- – SAP. SAP XSS-. XSS SAP.

, ( chipik ) .


Logging additional information ABAP protection SAP Encoding Functions for AS ABAP Java protection SAP Encoding Functions for AS Java and JavaScript Prevention of Cross-site Scripting SAP HANA protection Protecting SAP® Applications Based on Java and ABAP™ Against Common Attacks

<%@page language="abap" forceEncode="html"%> <% data: inputvalue type string. inputvalue = request->get_form_field( 'x' ). %> </html> . , ( ): <%html=...%>: HTML <%url=...%>: URL URL <%javascript=...%>: JavaScript <%css=…%> : CSS <%raw=...%> ( , , , ) BSP BSP HTMLB forceEncode <htmlb:content> ENABLED , ( ). ENABLED , , :<htmlb:content forceEncode="ENABLED|BACKWARDS_COMPATIBLE"> ENABLED: . , ; BACKWARDS_COMPATIBLE: . , . , htmlb:content , . : CLASSIC, DESIGN2002, DESIGN2003, DESIGN2008, , (+). CLASSIC DESIGN2002 (, ) . <htmlb:content forceEncode="ENABLED" design="DESIGN2003+DESIGN2008"> , design=CLASSIC. . Mixed BSP- HTML HTMLB forceEncode BSP page forceEncode HTMLB . , – HTMLB. , , HTML BSP, Internet Transaction Server (ITS) HTML Business Internet Transaction Server (ITS) HTML Business, : xss_url_escape() xss_html_escape() xss_wml_escape() xss_css_escape() xss_js_escape() HTML Business , HTML-: , (`) , : ~auto_html_escaping=1: , ~new_xss_functions=1: XSS. ~html_escaping_off=1/0, . , , SAP_BASIS: ITS ( <= 6.40), Internet Service SE80. ITS ( >= 6.40), GUI SICF : 7.20, ~new_xss_functions, XSS- . , , , . ~html_escaping_off=”X”, . , . SAP Security Note 1488500. Business HTML (BHTML) HTMLBusiness Template Library (, SAP_TemplateNonEditableField()) . , . SAP Security Note 916255. , . , . , XSS-: http/security_session_timeout = 900; - , . icf/set_HTTPonly_flag_on_cookies = 0; HttpOnly , - , , . HTTPOnly, Logon tickets XSS-. , RZ10, ( Profile) (, DEFAULT.PFL, SAP-). , , , Extended maintenance . , Copy. , , - , - -, : icm/HTTP/logging_0 icm/security_log , SAP NetWeaver J2EE SAP NetWeaver J2EE AS Java tc_sec_csi.jar. , HTML/XML, JavaScript, CSS URL. StringUtils (com.sap.security.core.server.csi.util.StringUtils): . Securing SAP from XSS vulnerabilities escapeScriptEndTag(String pStr) - , javascript ; escapeToHTML(String input) – (. 1) escapeToJS(String input) – JS declaration ( . 5) escapeToURL(String input) – , URL ( 3). , 'disableScriptSignatures'. escapeToURL(StringBuffer sb, String input, int maxLength) - , URL ( 3). , 'disableScriptSignatures'. escapeToURL(String input, int maxLength) - , URL (. 3). , 'disableScriptSignatures'. urlEncode(String s) – URLEncoder.encode , . 1 ( ) [CASE1] Username [CASE1] 2 ( , – URL) Click here 3 ( - URL) 4 ( SCRIPT', – ) 5 ( – declaration ) XSSEncoder. - XSSEncoder ( : com.sap.security.core.server.csi.XSSEncoder). : HTML / XML out = XSSEncoder.encodeHTML( in ) and XSSEncoder.encodeXML( val ); JavaScript out = XSSEncoder.encodeJavaScript( val ); URL out = XSSEncoder.encodeURL( val ); CSS out = XSSEncoder.encodeCSS( val ); , . SAP Security Note 1590008. WebDynpro Java WebDynpro Java, XSS. . SAP UI Development Kit for HTML5 SAP UI Development Kit HTML5, jQuery /_core/src/main/js/jquery.sap.encoder.js. : HTML / XML jQuery.sap.encodeHTML(sValue) and jQuery.sap.encodeXML(sValue) JavaScript jQuery.sap.encodeJS(sValue) URL jQuery.sap.encodeURL(sValue) CSS jQuery.sap.encodeCSS(sValue) : , : Global_app_config/session_config/sessionTimeout = 900. - , . SystemCookiesDataProtection = true. HttpOnly , - , , . HTTPOnly, Logon tickets XSS-. ume.logon.httponlycookie= True. Logon tickets , Single Sign-On J2EE Engine. “True” , HTTP document.cookie ( XSS-) . SessionIPProtectionEnabled = True. , IP . True, HTTP- IP. IP, . , , - XSS-, - -, . LogCLF = TRUE http.properties logging CEF. ArchiveOldLogFiles = ON. Log Configurator . . , . , . . HttpTrace= Enable. HTTP- , ConfigTool. HTTP Provider Service, , HttpTrace. SAP HANA XS , XSS- – SAP HANA. SAP HANA SAPUI5. - SAPUI5 , . , int int, sap.ui.core . – , HTML: , : sessiontimeout = 900. - , . HttpOnly . , , - XSS-, - -, . HTTP (S) , SAP HANA, -. - HTTP (S) , icm/http/logging _ 0: global _ auditing _ state = true. global.ini, . , , XSS-. SAP HANA Administration Console –> Security HDB –> Auditing Status menu. - , XSS. , , - SAP . XSS- – SAP. SAP XSS-. XSS SAP. , ( chipik ) . Logging additional information ABAP protection SAP Encoding Functions for AS ABAP Java protection SAP Encoding Functions for AS Java and JavaScript Prevention of Cross-site Scripting SAP HANA protection Protecting SAP® Applications Based on Java and ABAP™ Against Common Attacks

<%@page language="abap" forceEncode="html"%>
<% data: inputvalue type string.
inputvalue = request->get_form_field( 'x' ).
%>
</html>


. , ( ):

<%html=...%>: HTML <%url=...%>: URL URL <%javascript=...%>: JavaScript <%css=…%> : CSS <%raw=...%> ( , , , )

BSP

BSP HTMLB forceEncode <htmlb:content> ENABLED , ( ). ENABLED , , :<htmlb:content forceEncode="ENABLED|BACKWARDS_COMPATIBLE">

ENABLED: . , ; BACKWARDS_COMPATIBLE: . , .

, htmlb:content , . : CLASSIC, DESIGN2002, DESIGN2003, DESIGN2008, , (+). CLASSIC DESIGN2002 (, ) .

<htmlb:content forceEncode="ENABLED" design="DESIGN2003+DESIGN2008">


, design=CLASSIC. .

Mixed BSP- HTML HTMLB

forceEncode BSP page forceEncode HTMLB . , – HTMLB. , , HTML BSP,

Internet Transaction Server (ITS) HTML Business

Internet Transaction Server (ITS) HTML Business, :

xss_url_escape() xss_html_escape() xss_wml_escape() xss_css_escape() xss_js_escape()
HTML Business

, HTML-: , (`) , :
~auto_html_escaping=1: , ~new_xss_functions=1: XSS.
~html_escaping_off=1/0, .
, , SAP_BASIS:
ITS ( <= 6.40), Internet Service SE80. ITS ( >= 6.40), GUI SICF :

7.20, ~new_xss_functions, XSS- .

, , , . ~html_escaping_off=”X”, . , . SAP Security Note 1488500.

Business HTML (BHTML)

HTMLBusiness Template Library (, SAP_TemplateNonEditableField()) . , . SAP Security Note 916255.



, . , .



, XSS-:

http/security_session_timeout = 900; - , . icf/set_HTTPonly_flag_on_cookies = 0; HttpOnly , - , , . HTTPOnly, Logon tickets XSS-.

, RZ10, ( Profile) (, DEFAULT.PFL, SAP-). , , , Extended maintenance . , Copy.



, , - , - -, :
icm/HTTP/logging_0 icm/security_log ,

SAP NetWeaver J2EE

SAP NetWeaver J2EE



AS Java tc_sec_csi.jar. , HTML/XML, JavaScript, CSS URL. StringUtils (com.sap.security.core.server.csi.util.StringUtils):

. Securing SAP from XSS vulnerabilities
escapeScriptEndTag(String pStr) - , javascript ; escapeToHTML(String input) – (. 1) escapeToJS(String input) – JS declaration ( . 5) escapeToURL(String input) – , URL ( 3). , 'disableScriptSignatures'. escapeToURL(StringBuffer sb, String input, int maxLength) - , URL ( 3). , 'disableScriptSignatures'. escapeToURL(String input, int maxLength) - , URL (. 3). , 'disableScriptSignatures'. urlEncode(String s) – URLEncoder.encode

, .

1 ( )

[CASE1]

Username [CASE1]



2 ( , – URL)


Click here


3 ( - URL)




4 ( SCRIPT', – )



5 ( – declaration )



XSSEncoder.
- XSSEncoder ( : com.sap.security.core.server.csi.XSSEncoder).

:
HTML / XML out = XSSEncoder.encodeHTML( in ) and XSSEncoder.encodeXML( val ); JavaScript out = XSSEncoder.encodeJavaScript( val ); URL out = XSSEncoder.encodeURL( val ); CSS out = XSSEncoder.encodeCSS( val );

, . SAP Security Note 1590008.
WebDynpro Java
WebDynpro Java, XSS. .
SAP UI Development Kit for HTML5
SAP UI Development Kit HTML5, jQuery /_core/src/main/js/jquery.sap.encoder.js.
:
HTML / XML jQuery.sap.encodeHTML(sValue) and jQuery.sap.encodeXML(sValue) JavaScript jQuery.sap.encodeJS(sValue) URL jQuery.sap.encodeURL(sValue) CSS jQuery.sap.encodeCSS(sValue)
:

, :
Global_app_config/session_config/sessionTimeout = 900. - , . SystemCookiesDataProtection = true. HttpOnly , - , , . HTTPOnly, Logon tickets XSS-. ume.logon.httponlycookie= True. Logon tickets , Single Sign-On J2EE Engine. “True” , HTTP document.cookie ( XSS-) . SessionIPProtectionEnabled = True. , IP . True, HTTP- IP. IP, .


, , - XSS-, - -, .
LogCLF = TRUE http.properties logging CEF. ArchiveOldLogFiles = ON. Log Configurator . . , . , . . HttpTrace= Enable. HTTP- , ConfigTool. HTTP Provider Service, , HttpTrace.
SAP HANA XS

, XSS- – SAP HANA.


SAP HANA SAPUI5.
- SAPUI5 , . , int int, sap.ui.core . – , HTML:

, :
sessiontimeout = 900. - , . HttpOnly .



, , - XSS-, - -, .

HTTP (S) , SAP HANA, -. - HTTP (S) , icm/http/logging _ 0: global _ auditing _ state = true. global.ini, . , , XSS-. SAP HANA Administration Console –> Security HDB –> Auditing Status menu.



- , XSS. , , - SAP . XSS- – SAP. SAP XSS-. XSS SAP.

, ( chipik ) .


Logging additional information ABAP protection SAP Encoding Functions for AS ABAP Java protection SAP Encoding Functions for AS Java and JavaScript Prevention of Cross-site Scripting SAP HANA protection Protecting SAP® Applications Based on Java and ABAP™ Against Common Attacks

<%@page language="abap" forceEncode="html"%> <% data: inputvalue type string. inputvalue = request->get_form_field( 'x' ). %> </html> . , ( ): <%html=...%>: HTML <%url=...%>: URL URL <%javascript=...%>: JavaScript <%css=…%> : CSS <%raw=...%> ( , , , ) BSP BSP HTMLB forceEncode <htmlb:content> ENABLED , ( ). ENABLED , , :<htmlb:content forceEncode="ENABLED|BACKWARDS_COMPATIBLE"> ENABLED: . , ; BACKWARDS_COMPATIBLE: . , . , htmlb:content , . : CLASSIC, DESIGN2002, DESIGN2003, DESIGN2008, , (+). CLASSIC DESIGN2002 (, ) . <htmlb:content forceEncode="ENABLED" design="DESIGN2003+DESIGN2008"> , design=CLASSIC. . Mixed BSP- HTML HTMLB forceEncode BSP page forceEncode HTMLB . , – HTMLB. , , HTML BSP, Internet Transaction Server (ITS) HTML Business Internet Transaction Server (ITS) HTML Business, : xss_url_escape() xss_html_escape() xss_wml_escape() xss_css_escape() xss_js_escape() HTML Business , HTML-: , (`) , : ~auto_html_escaping=1: , ~new_xss_functions=1: XSS. ~html_escaping_off=1/0, . , , SAP_BASIS: ITS ( <= 6.40), Internet Service SE80. ITS ( >= 6.40), GUI SICF : 7.20, ~new_xss_functions, XSS- . , , , . ~html_escaping_off=”X”, . , . SAP Security Note 1488500. Business HTML (BHTML) HTMLBusiness Template Library (, SAP_TemplateNonEditableField()) . , . SAP Security Note 916255. , . , . , XSS-: http/security_session_timeout = 900; - , . icf/set_HTTPonly_flag_on_cookies = 0; HttpOnly , - , , . HTTPOnly, Logon tickets XSS-. , RZ10, ( Profile) (, DEFAULT.PFL, SAP-). , , , Extended maintenance . , Copy. , , - , - -, : icm/HTTP/logging_0 icm/security_log , SAP NetWeaver J2EE SAP NetWeaver J2EE AS Java tc_sec_csi.jar. , HTML/XML, JavaScript, CSS URL. StringUtils (com.sap.security.core.server.csi.util.StringUtils): . Securing SAP from XSS vulnerabilities escapeScriptEndTag(String pStr) - , javascript ; escapeToHTML(String input) – (. 1) escapeToJS(String input) – JS declaration ( . 5) escapeToURL(String input) – , URL ( 3). , 'disableScriptSignatures'. escapeToURL(StringBuffer sb, String input, int maxLength) - , URL ( 3). , 'disableScriptSignatures'. escapeToURL(String input, int maxLength) - , URL (. 3). , 'disableScriptSignatures'. urlEncode(String s) – URLEncoder.encode , . 1 ( ) [CASE1] Username [CASE1] 2 ( , – URL) Click here 3 ( - URL) 4 ( SCRIPT', – ) 5 ( – declaration ) XSSEncoder. - XSSEncoder ( : com.sap.security.core.server.csi.XSSEncoder). : HTML / XML out = XSSEncoder.encodeHTML( in ) and XSSEncoder.encodeXML( val ); JavaScript out = XSSEncoder.encodeJavaScript( val ); URL out = XSSEncoder.encodeURL( val ); CSS out = XSSEncoder.encodeCSS( val ); , . SAP Security Note 1590008. WebDynpro Java WebDynpro Java, XSS. . SAP UI Development Kit for HTML5 SAP UI Development Kit HTML5, jQuery /_core/src/main/js/jquery.sap.encoder.js. : HTML / XML jQuery.sap.encodeHTML(sValue) and jQuery.sap.encodeXML(sValue) JavaScript jQuery.sap.encodeJS(sValue) URL jQuery.sap.encodeURL(sValue) CSS jQuery.sap.encodeCSS(sValue) : , : Global_app_config/session_config/sessionTimeout = 900. - , . SystemCookiesDataProtection = true. HttpOnly , - , , . HTTPOnly, Logon tickets XSS-. ume.logon.httponlycookie= True. Logon tickets , Single Sign-On J2EE Engine. “True” , HTTP document.cookie ( XSS-) . SessionIPProtectionEnabled = True. , IP . True, HTTP- IP. IP, . , , - XSS-, - -, . LogCLF = TRUE http.properties logging CEF. ArchiveOldLogFiles = ON. Log Configurator . . , . , . . HttpTrace= Enable. HTTP- , ConfigTool. HTTP Provider Service, , HttpTrace. SAP HANA XS , XSS- – SAP HANA. SAP HANA SAPUI5. - SAPUI5 , . , int int, sap.ui.core . – , HTML: , : sessiontimeout = 900. - , . HttpOnly . , , - XSS-, - -, . HTTP (S) , SAP HANA, -. - HTTP (S) , icm/http/logging _ 0: global _ auditing _ state = true. global.ini, . , , XSS-. SAP HANA Administration Console –> Security HDB –> Auditing Status menu. - , XSS. , , - SAP . XSS- – SAP. SAP XSS-. XSS SAP. , ( chipik ) . Logging additional information ABAP protection SAP Encoding Functions for AS ABAP Java protection SAP Encoding Functions for AS Java and JavaScript Prevention of Cross-site Scripting SAP HANA protection Protecting SAP® Applications Based on Java and ABAP™ Against Common Attacks

<%@page language="abap" forceEncode="html"%>
<% data: inputvalue type string.
inputvalue = request->get_form_field( 'x' ).
%>
</html>


. , ( ):

<%html=...%>: HTML <%url=...%>: URL URL <%javascript=...%>: JavaScript <%css=…%> : CSS <%raw=...%> ( , , , )

BSP

BSP HTMLB forceEncode <htmlb:content> ENABLED , ( ). ENABLED , , :<htmlb:content forceEncode="ENABLED|BACKWARDS_COMPATIBLE">

ENABLED: . , ; BACKWARDS_COMPATIBLE: . , .

, htmlb:content , . : CLASSIC, DESIGN2002, DESIGN2003, DESIGN2008, , (+). CLASSIC DESIGN2002 (, ) .

<htmlb:content forceEncode="ENABLED" design="DESIGN2003+DESIGN2008">


, design=CLASSIC. .

Mixed BSP- HTML HTMLB

forceEncode BSP page forceEncode HTMLB . , – HTMLB. , , HTML BSP,

Internet Transaction Server (ITS) HTML Business

Internet Transaction Server (ITS) HTML Business, :

xss_url_escape() xss_html_escape() xss_wml_escape() xss_css_escape() xss_js_escape()
HTML Business

, HTML-: , (`) , :
~auto_html_escaping=1: , ~new_xss_functions=1: XSS.
~html_escaping_off=1/0, .
, , SAP_BASIS:
ITS ( <= 6.40), Internet Service SE80. ITS ( >= 6.40), GUI SICF :

7.20, ~new_xss_functions, XSS- .

, , , . ~html_escaping_off=”X”, . , . SAP Security Note 1488500.

Business HTML (BHTML)

HTMLBusiness Template Library (, SAP_TemplateNonEditableField()) . , . SAP Security Note 916255.



, . , .



, XSS-:

http/security_session_timeout = 900; - , . icf/set_HTTPonly_flag_on_cookies = 0; HttpOnly , - , , . HTTPOnly, Logon tickets XSS-.

, RZ10, ( Profile) (, DEFAULT.PFL, SAP-). , , , Extended maintenance . , Copy.



, , - , - -, :
icm/HTTP/logging_0 icm/security_log ,

SAP NetWeaver J2EE

SAP NetWeaver J2EE



AS Java tc_sec_csi.jar. , HTML/XML, JavaScript, CSS URL. StringUtils (com.sap.security.core.server.csi.util.StringUtils):

. Securing SAP from XSS vulnerabilities
escapeScriptEndTag(String pStr) - , javascript ; escapeToHTML(String input) – (. 1) escapeToJS(String input) – JS declaration ( . 5) escapeToURL(String input) – , URL ( 3). , 'disableScriptSignatures'. escapeToURL(StringBuffer sb, String input, int maxLength) - , URL ( 3). , 'disableScriptSignatures'. escapeToURL(String input, int maxLength) - , URL (. 3). , 'disableScriptSignatures'. urlEncode(String s) – URLEncoder.encode

, .

1 ( )

[CASE1]

Username [CASE1]



2 ( , – URL)


Click here


3 ( - URL)




4 ( SCRIPT', – )



5 ( – declaration )



XSSEncoder.
- XSSEncoder ( : com.sap.security.core.server.csi.XSSEncoder).

:
HTML / XML out = XSSEncoder.encodeHTML( in ) and XSSEncoder.encodeXML( val ); JavaScript out = XSSEncoder.encodeJavaScript( val ); URL out = XSSEncoder.encodeURL( val ); CSS out = XSSEncoder.encodeCSS( val );

, . SAP Security Note 1590008.
WebDynpro Java
WebDynpro Java, XSS. .
SAP UI Development Kit for HTML5
SAP UI Development Kit HTML5, jQuery /_core/src/main/js/jquery.sap.encoder.js.
:
HTML / XML jQuery.sap.encodeHTML(sValue) and jQuery.sap.encodeXML(sValue) JavaScript jQuery.sap.encodeJS(sValue) URL jQuery.sap.encodeURL(sValue) CSS jQuery.sap.encodeCSS(sValue)
:

, :
Global_app_config/session_config/sessionTimeout = 900. - , . SystemCookiesDataProtection = true. HttpOnly , - , , . HTTPOnly, Logon tickets XSS-. ume.logon.httponlycookie= True. Logon tickets , Single Sign-On J2EE Engine. “True” , HTTP document.cookie ( XSS-) . SessionIPProtectionEnabled = True. , IP . True, HTTP- IP. IP, .


, , - XSS-, - -, .
LogCLF = TRUE http.properties logging CEF. ArchiveOldLogFiles = ON. Log Configurator . . , . , . . HttpTrace= Enable. HTTP- , ConfigTool. HTTP Provider Service, , HttpTrace.
SAP HANA XS

, XSS- – SAP HANA.


SAP HANA SAPUI5.
- SAPUI5 , . , int int, sap.ui.core . – , HTML:

, :
sessiontimeout = 900. - , . HttpOnly .



, , - XSS-, - -, .

HTTP (S) , SAP HANA, -. - HTTP (S) , icm/http/logging _ 0: global _ auditing _ state = true. global.ini, . , , XSS-. SAP HANA Administration Console –> Security HDB –> Auditing Status menu.



- , XSS. , , - SAP . XSS- – SAP. SAP XSS-. XSS SAP.

, ( chipik ) .


Logging additional information ABAP protection SAP Encoding Functions for AS ABAP Java protection SAP Encoding Functions for AS Java and JavaScript Prevention of Cross-site Scripting SAP HANA protection Protecting SAP® Applications Based on Java and ABAP™ Against Common Attacks

<%@page language="abap" forceEncode="html"%> <% data: inputvalue type string. inputvalue = request->get_form_field( 'x' ). %> </html> . , ( ): <%html=...%>: HTML <%url=...%>: URL URL <%javascript=...%>: JavaScript <%css=…%> : CSS <%raw=...%> ( , , , ) BSP BSP HTMLB forceEncode <htmlb:content> ENABLED , ( ). ENABLED , , :<htmlb:content forceEncode="ENABLED|BACKWARDS_COMPATIBLE"> ENABLED: . , ; BACKWARDS_COMPATIBLE: . , . , htmlb:content , . : CLASSIC, DESIGN2002, DESIGN2003, DESIGN2008, , (+). CLASSIC DESIGN2002 (, ) . <htmlb:content forceEncode="ENABLED" design="DESIGN2003+DESIGN2008"> , design=CLASSIC. . Mixed BSP- HTML HTMLB forceEncode BSP page forceEncode HTMLB . , – HTMLB. , , HTML BSP, Internet Transaction Server (ITS) HTML Business Internet Transaction Server (ITS) HTML Business, : xss_url_escape() xss_html_escape() xss_wml_escape() xss_css_escape() xss_js_escape() HTML Business , HTML-: , (`) , : ~auto_html_escaping=1: , ~new_xss_functions=1: XSS. ~html_escaping_off=1/0, . , , SAP_BASIS: ITS ( <= 6.40), Internet Service SE80. ITS ( >= 6.40), GUI SICF : 7.20, ~new_xss_functions, XSS- . , , , . ~html_escaping_off=”X”, . , . SAP Security Note 1488500. Business HTML (BHTML) HTMLBusiness Template Library (, SAP_TemplateNonEditableField()) . , . SAP Security Note 916255. , . , . , XSS-: http/security_session_timeout = 900; - , . icf/set_HTTPonly_flag_on_cookies = 0; HttpOnly , - , , . HTTPOnly, Logon tickets XSS-. , RZ10, ( Profile) (, DEFAULT.PFL, SAP-). , , , Extended maintenance . , Copy. , , - , - -, : icm/HTTP/logging_0 icm/security_log , SAP NetWeaver J2EE SAP NetWeaver J2EE AS Java tc_sec_csi.jar. , HTML/XML, JavaScript, CSS URL. StringUtils (com.sap.security.core.server.csi.util.StringUtils): . Securing SAP from XSS vulnerabilities escapeScriptEndTag(String pStr) - , javascript ; escapeToHTML(String input) – (. 1) escapeToJS(String input) – JS declaration ( . 5) escapeToURL(String input) – , URL ( 3). , 'disableScriptSignatures'. escapeToURL(StringBuffer sb, String input, int maxLength) - , URL ( 3). , 'disableScriptSignatures'. escapeToURL(String input, int maxLength) - , URL (. 3). , 'disableScriptSignatures'. urlEncode(String s) – URLEncoder.encode , . 1 ( ) [CASE1] Username [CASE1] 2 ( , – URL) Click here 3 ( - URL) 4 ( SCRIPT', – ) 5 ( – declaration ) XSSEncoder. - XSSEncoder ( : com.sap.security.core.server.csi.XSSEncoder). : HTML / XML out = XSSEncoder.encodeHTML( in ) and XSSEncoder.encodeXML( val ); JavaScript out = XSSEncoder.encodeJavaScript( val ); URL out = XSSEncoder.encodeURL( val ); CSS out = XSSEncoder.encodeCSS( val ); , . SAP Security Note 1590008. WebDynpro Java WebDynpro Java, XSS. . SAP UI Development Kit for HTML5 SAP UI Development Kit HTML5, jQuery /_core/src/main/js/jquery.sap.encoder.js. : HTML / XML jQuery.sap.encodeHTML(sValue) and jQuery.sap.encodeXML(sValue) JavaScript jQuery.sap.encodeJS(sValue) URL jQuery.sap.encodeURL(sValue) CSS jQuery.sap.encodeCSS(sValue) : , : Global_app_config/session_config/sessionTimeout = 900. - , . SystemCookiesDataProtection = true. HttpOnly , - , , . HTTPOnly, Logon tickets XSS-. ume.logon.httponlycookie= True. Logon tickets , Single Sign-On J2EE Engine. “True” , HTTP document.cookie ( XSS-) . SessionIPProtectionEnabled = True. , IP . True, HTTP- IP. IP, . , , - XSS-, - -, . LogCLF = TRUE http.properties logging CEF. ArchiveOldLogFiles = ON. Log Configurator . . , . , . . HttpTrace= Enable. HTTP- , ConfigTool. HTTP Provider Service, , HttpTrace. SAP HANA XS , XSS- – SAP HANA. SAP HANA SAPUI5. - SAPUI5 , . , int int, sap.ui.core . – , HTML: , : sessiontimeout = 900. - , . HttpOnly . , , - XSS-, - -, . HTTP (S) , SAP HANA, -. - HTTP (S) , icm/http/logging _ 0: global _ auditing _ state = true. global.ini, . , , XSS-. SAP HANA Administration Console –> Security HDB –> Auditing Status menu. - , XSS. , , - SAP . XSS- – SAP. SAP XSS-. XSS SAP. , ( chipik ) . Logging additional information ABAP protection SAP Encoding Functions for AS ABAP Java protection SAP Encoding Functions for AS Java and JavaScript Prevention of Cross-site Scripting SAP HANA protection Protecting SAP® Applications Based on Java and ABAP™ Against Common Attacks
<%@page language="abap" forceEncode="html"%> <% data: inputvalue type string. inputvalue = request->get_form_field( 'x' ). %> </html> . , ( ): <%html=...%>: HTML <%url=...%>: URL URL <%javascript=...%>: JavaScript <%css=…%> : CSS <%raw=...%> ( , , , ) BSP BSP HTMLB forceEncode <htmlb:content> ENABLED , ( ). ENABLED , , :<htmlb:content forceEncode="ENABLED|BACKWARDS_COMPATIBLE"> ENABLED: . , ; BACKWARDS_COMPATIBLE: . , . , htmlb:content , . : CLASSIC, DESIGN2002, DESIGN2003, DESIGN2008, , (+). CLASSIC DESIGN2002 (, ) . <htmlb:content forceEncode="ENABLED" design="DESIGN2003+DESIGN2008"> , design=CLASSIC. . Mixed BSP- HTML HTMLB forceEncode BSP page forceEncode HTMLB . , – HTMLB. , , HTML BSP, Internet Transaction Server (ITS) HTML Business Internet Transaction Server (ITS) HTML Business, : xss_url_escape() xss_html_escape() xss_wml_escape() xss_css_escape() xss_js_escape() HTML Business , HTML-: , (`) , : ~auto_html_escaping=1: , ~new_xss_functions=1: XSS. ~html_escaping_off=1/0, . , , SAP_BASIS: ITS ( <= 6.40), Internet Service SE80. ITS ( >= 6.40), GUI SICF : 7.20, ~new_xss_functions, XSS- . , , , . ~html_escaping_off=”X”, . , . SAP Security Note 1488500. Business HTML (BHTML) HTMLBusiness Template Library (, SAP_TemplateNonEditableField()) . , . SAP Security Note 916255. , . , . , XSS-: http/security_session_timeout = 900; - , . icf/set_HTTPonly_flag_on_cookies = 0; HttpOnly , - , , . HTTPOnly, Logon tickets XSS-. , RZ10, ( Profile) (, DEFAULT.PFL, SAP-). , , , Extended maintenance . , Copy. , , - , - -, : icm/HTTP/logging_0 icm/security_log , SAP NetWeaver J2EE SAP NetWeaver J2EE AS Java tc_sec_csi.jar. , HTML/XML, JavaScript, CSS URL. StringUtils (com.sap.security.core.server.csi.util.StringUtils): . Securing SAP from XSS vulnerabilities escapeScriptEndTag(String pStr) - , javascript ; escapeToHTML(String input) – (. 1) escapeToJS(String input) – JS declaration ( . 5) escapeToURL(String input) – , URL ( 3). , 'disableScriptSignatures'. escapeToURL(StringBuffer sb, String input, int maxLength) - , URL ( 3). , 'disableScriptSignatures'. escapeToURL(String input, int maxLength) - , URL (. 3). , 'disableScriptSignatures'. urlEncode(String s) – URLEncoder.encode , . 1 ( ) [CASE1] Username [CASE1] 2 ( , – URL) Click here 3 ( - URL) 4 ( SCRIPT', – ) 5 ( – declaration ) XSSEncoder. - XSSEncoder ( : com.sap.security.core.server.csi.XSSEncoder). : HTML / XML out = XSSEncoder.encodeHTML( in ) and XSSEncoder.encodeXML( val ); JavaScript out = XSSEncoder.encodeJavaScript( val ); URL out = XSSEncoder.encodeURL( val ); CSS out = XSSEncoder.encodeCSS( val ); , . SAP Security Note 1590008. WebDynpro Java WebDynpro Java, XSS. . SAP UI Development Kit for HTML5 SAP UI Development Kit HTML5, jQuery /_core/src/main/js/jquery.sap.encoder.js. : HTML / XML jQuery.sap.encodeHTML(sValue) and jQuery.sap.encodeXML(sValue) JavaScript jQuery.sap.encodeJS(sValue) URL jQuery.sap.encodeURL(sValue) CSS jQuery.sap.encodeCSS(sValue) : , : Global_app_config/session_config/sessionTimeout = 900. - , . SystemCookiesDataProtection = true. HttpOnly , - , , . HTTPOnly, Logon tickets XSS-. ume.logon.httponlycookie= True. Logon tickets , Single Sign-On J2EE Engine. “True” , HTTP document.cookie ( XSS-) . SessionIPProtectionEnabled = True. , IP . True, HTTP- IP. IP, . , , - XSS-, - -, . LogCLF = TRUE http.properties logging CEF. ArchiveOldLogFiles = ON. Log Configurator . . , . , . . HttpTrace= Enable. HTTP- , ConfigTool. HTTP Provider Service, , HttpTrace. SAP HANA XS , XSS- – SAP HANA. SAP HANA SAPUI5. - SAPUI5 , . , int int, sap.ui.core . – , HTML: , : sessiontimeout = 900. - , . HttpOnly . , , - XSS-, - -, . HTTP (S) , SAP HANA, -. - HTTP (S) , icm/http/logging _ 0: global _ auditing _ state = true. global.ini, . , , XSS-. SAP HANA Administration Console –> Security HDB –> Auditing Status menu. - , XSS. , , - SAP . XSS- – SAP. SAP XSS-. XSS SAP. , ( chipik ) . Logging additional information ABAP protection SAP Encoding Functions for AS ABAP Java protection SAP Encoding Functions for AS Java and JavaScript Prevention of Cross-site Scripting SAP HANA protection Protecting SAP® Applications Based on Java and ABAP™ Against Common Attacks
<%@page language="abap" forceEncode="html"%> <% data: inputvalue type string. inputvalue = request->get_form_field( 'x' ). %> </html> . , ( ): <%html=...%>: HTML <%url=...%>: URL URL <%javascript=...%>: JavaScript <%css=…%> : CSS <%raw=...%> ( , , , ) BSP BSP HTMLB forceEncode <htmlb:content> ENABLED , ( ). ENABLED , , :<htmlb:content forceEncode="ENABLED|BACKWARDS_COMPATIBLE"> ENABLED: . , ; BACKWARDS_COMPATIBLE: . , . , htmlb:content , . : CLASSIC, DESIGN2002, DESIGN2003, DESIGN2008, , (+). CLASSIC DESIGN2002 (, ) . <htmlb:content forceEncode="ENABLED" design="DESIGN2003+DESIGN2008"> , design=CLASSIC. . Mixed BSP- HTML HTMLB forceEncode BSP page forceEncode HTMLB . , – HTMLB. , , HTML BSP, Internet Transaction Server (ITS) HTML Business Internet Transaction Server (ITS) HTML Business, : xss_url_escape() xss_html_escape() xss_wml_escape() xss_css_escape() xss_js_escape() HTML Business , HTML-: , (`) , : ~auto_html_escaping=1: , ~new_xss_functions=1: XSS. ~html_escaping_off=1/0, . , , SAP_BASIS: ITS ( <= 6.40), Internet Service SE80. ITS ( >= 6.40), GUI SICF : 7.20, ~new_xss_functions, XSS- . , , , . ~html_escaping_off=”X”, . , . SAP Security Note 1488500. Business HTML (BHTML) HTMLBusiness Template Library (, SAP_TemplateNonEditableField()) . , . SAP Security Note 916255. , . , . , XSS-: http/security_session_timeout = 900; - , . icf/set_HTTPonly_flag_on_cookies = 0; HttpOnly , - , , . HTTPOnly, Logon tickets XSS-. , RZ10, ( Profile) (, DEFAULT.PFL, SAP-). , , , Extended maintenance . , Copy. , , - , - -, : icm/HTTP/logging_0 icm/security_log , SAP NetWeaver J2EE SAP NetWeaver J2EE AS Java tc_sec_csi.jar. , HTML/XML, JavaScript, CSS URL. StringUtils (com.sap.security.core.server.csi.util.StringUtils): . Securing SAP from XSS vulnerabilities escapeScriptEndTag(String pStr) - , javascript ; escapeToHTML(String input) – (. 1) escapeToJS(String input) – JS declaration ( . 5) escapeToURL(String input) – , URL ( 3). , 'disableScriptSignatures'. escapeToURL(StringBuffer sb, String input, int maxLength) - , URL ( 3). , 'disableScriptSignatures'. escapeToURL(String input, int maxLength) - , URL (. 3). , 'disableScriptSignatures'. urlEncode(String s) – URLEncoder.encode , . 1 ( ) [CASE1] Username [CASE1] 2 ( , – URL) Click here 3 ( - URL) 4 ( SCRIPT', – ) 5 ( – declaration ) XSSEncoder. - XSSEncoder ( : com.sap.security.core.server.csi.XSSEncoder). : HTML / XML out = XSSEncoder.encodeHTML( in ) and XSSEncoder.encodeXML( val ); JavaScript out = XSSEncoder.encodeJavaScript( val ); URL out = XSSEncoder.encodeURL( val ); CSS out = XSSEncoder.encodeCSS( val ); , . SAP Security Note 1590008. WebDynpro Java WebDynpro Java, XSS. . SAP UI Development Kit for HTML5 SAP UI Development Kit HTML5, jQuery /_core/src/main/js/jquery.sap.encoder.js. : HTML / XML jQuery.sap.encodeHTML(sValue) and jQuery.sap.encodeXML(sValue) JavaScript jQuery.sap.encodeJS(sValue) URL jQuery.sap.encodeURL(sValue) CSS jQuery.sap.encodeCSS(sValue) : , : Global_app_config/session_config/sessionTimeout = 900. - , . SystemCookiesDataProtection = true. HttpOnly , - , , . HTTPOnly, Logon tickets XSS-. ume.logon.httponlycookie= True. Logon tickets , Single Sign-On J2EE Engine. “True” , HTTP document.cookie ( XSS-) . SessionIPProtectionEnabled = True. , IP . True, HTTP- IP. IP, . , , - XSS-, - -, . LogCLF = TRUE http.properties logging CEF. ArchiveOldLogFiles = ON. Log Configurator . . , . , . . HttpTrace= Enable. HTTP- , ConfigTool. HTTP Provider Service, , HttpTrace. SAP HANA XS , XSS- – SAP HANA. SAP HANA SAPUI5. - SAPUI5 , . , int int, sap.ui.core . – , HTML: , : sessiontimeout = 900. - , . HttpOnly . , , - XSS-, - -, . HTTP (S) , SAP HANA, -. - HTTP (S) , icm/http/logging _ 0: global _ auditing _ state = true. global.ini, . , , XSS-. SAP HANA Administration Console –> Security HDB –> Auditing Status menu. - , XSS. , , - SAP . XSS- – SAP. SAP XSS-. XSS SAP. , ( chipik ) . Logging additional information ABAP protection SAP Encoding Functions for AS ABAP Java protection SAP Encoding Functions for AS Java and JavaScript Prevention of Cross-site Scripting SAP HANA protection Protecting SAP® Applications Based on Java and ABAP™ Against Common Attacks
<%@page language="abap" forceEncode="html"%> <% data: inputvalue type string. inputvalue = request->get_form_field( 'x' ). %> </html> . , ( ): <%html=...%>: HTML <%url=...%>: URL URL <%javascript=...%>: JavaScript <%css=…%> : CSS <%raw=...%> ( , , , ) BSP BSP HTMLB forceEncode <htmlb:content> ENABLED , ( ). ENABLED , , :<htmlb:content forceEncode="ENABLED|BACKWARDS_COMPATIBLE"> ENABLED: . , ; BACKWARDS_COMPATIBLE: . , . , htmlb:content , . : CLASSIC, DESIGN2002, DESIGN2003, DESIGN2008, , (+). CLASSIC DESIGN2002 (, ) . <htmlb:content forceEncode="ENABLED" design="DESIGN2003+DESIGN2008"> , design=CLASSIC. . Mixed BSP- HTML HTMLB forceEncode BSP page forceEncode HTMLB . , – HTMLB. , , HTML BSP, Internet Transaction Server (ITS) HTML Business Internet Transaction Server (ITS) HTML Business, : xss_url_escape() xss_html_escape() xss_wml_escape() xss_css_escape() xss_js_escape() HTML Business , HTML-: , (`) , : ~auto_html_escaping=1: , ~new_xss_functions=1: XSS. ~html_escaping_off=1/0, . , , SAP_BASIS: ITS ( <= 6.40), Internet Service SE80. ITS ( >= 6.40), GUI SICF : 7.20, ~new_xss_functions, XSS- . , , , . ~html_escaping_off=”X”, . , . SAP Security Note 1488500. Business HTML (BHTML) HTMLBusiness Template Library (, SAP_TemplateNonEditableField()) . , . SAP Security Note 916255. , . , . , XSS-: http/security_session_timeout = 900; - , . icf/set_HTTPonly_flag_on_cookies = 0; HttpOnly , - , , . HTTPOnly, Logon tickets XSS-. , RZ10, ( Profile) (, DEFAULT.PFL, SAP-). , , , Extended maintenance . , Copy. , , - , - -, : icm/HTTP/logging_0 icm/security_log , SAP NetWeaver J2EE SAP NetWeaver J2EE AS Java tc_sec_csi.jar. , HTML/XML, JavaScript, CSS URL. StringUtils (com.sap.security.core.server.csi.util.StringUtils): . Securing SAP from XSS vulnerabilities escapeScriptEndTag(String pStr) - , javascript ; escapeToHTML(String input) – (. 1) escapeToJS(String input) – JS declaration ( . 5) escapeToURL(String input) – , URL ( 3). , 'disableScriptSignatures'. escapeToURL(StringBuffer sb, String input, int maxLength) - , URL ( 3). , 'disableScriptSignatures'. escapeToURL(String input, int maxLength) - , URL (. 3). , 'disableScriptSignatures'. urlEncode(String s) – URLEncoder.encode , . 1 ( ) [CASE1] Username [CASE1] 2 ( , – URL) Click here 3 ( - URL) 4 ( SCRIPT', – ) 5 ( – declaration ) XSSEncoder. - XSSEncoder ( : com.sap.security.core.server.csi.XSSEncoder). : HTML / XML out = XSSEncoder.encodeHTML( in ) and XSSEncoder.encodeXML( val ); JavaScript out = XSSEncoder.encodeJavaScript( val ); URL out = XSSEncoder.encodeURL( val ); CSS out = XSSEncoder.encodeCSS( val ); , . SAP Security Note 1590008. WebDynpro Java WebDynpro Java, XSS. . SAP UI Development Kit for HTML5 SAP UI Development Kit HTML5, jQuery /_core/src/main/js/jquery.sap.encoder.js. : HTML / XML jQuery.sap.encodeHTML(sValue) and jQuery.sap.encodeXML(sValue) JavaScript jQuery.sap.encodeJS(sValue) URL jQuery.sap.encodeURL(sValue) CSS jQuery.sap.encodeCSS(sValue) : , : Global_app_config/session_config/sessionTimeout = 900. - , . SystemCookiesDataProtection = true. HttpOnly , - , , . HTTPOnly, Logon tickets XSS-. ume.logon.httponlycookie= True. Logon tickets , Single Sign-On J2EE Engine. “True” , HTTP document.cookie ( XSS-) . SessionIPProtectionEnabled = True. , IP . True, HTTP- IP. IP, . , , - XSS-, - -, . LogCLF = TRUE http.properties logging CEF. ArchiveOldLogFiles = ON. Log Configurator . . , . , . . HttpTrace= Enable. HTTP- , ConfigTool. HTTP Provider Service, , HttpTrace. SAP HANA XS , XSS- – SAP HANA. SAP HANA SAPUI5. - SAPUI5 , . , int int, sap.ui.core . – , HTML: , : sessiontimeout = 900. - , . HttpOnly . , , - XSS-, - -, . HTTP (S) , SAP HANA, -. - HTTP (S) , icm/http/logging _ 0: global _ auditing _ state = true. global.ini, . , , XSS-. SAP HANA Administration Console –> Security HDB –> Auditing Status menu. - , XSS. , , - SAP . XSS- – SAP. SAP XSS-. XSS SAP. , ( chipik ) . Logging additional information ABAP protection SAP Encoding Functions for AS ABAP Java protection SAP Encoding Functions for AS Java and JavaScript Prevention of Cross-site Scripting SAP HANA protection Protecting SAP® Applications Based on Java and ABAP™ Against Common Attacks
<%@page language="abap" forceEncode="html"%> <% data: inputvalue type string. inputvalue = request->get_form_field( 'x' ). %> </html> . , ( ): <%html=...%>: HTML <%url=...%>: URL URL <%javascript=...%>: JavaScript <%css=…%> : CSS <%raw=...%> ( , , , ) BSP BSP HTMLB forceEncode <htmlb:content> ENABLED , ( ). ENABLED , , :<htmlb:content forceEncode="ENABLED|BACKWARDS_COMPATIBLE"> ENABLED: . , ; BACKWARDS_COMPATIBLE: . , . , htmlb:content , . : CLASSIC, DESIGN2002, DESIGN2003, DESIGN2008, , (+). CLASSIC DESIGN2002 (, ) . <htmlb:content forceEncode="ENABLED" design="DESIGN2003+DESIGN2008"> , design=CLASSIC. . Mixed BSP- HTML HTMLB forceEncode BSP page forceEncode HTMLB . , – HTMLB. , , HTML BSP, Internet Transaction Server (ITS) HTML Business Internet Transaction Server (ITS) HTML Business, : xss_url_escape() xss_html_escape() xss_wml_escape() xss_css_escape() xss_js_escape() HTML Business , HTML-: , (`) , : ~auto_html_escaping=1: , ~new_xss_functions=1: XSS. ~html_escaping_off=1/0, . , , SAP_BASIS: ITS ( <= 6.40), Internet Service SE80. ITS ( >= 6.40), GUI SICF : 7.20, ~new_xss_functions, XSS- . , , , . ~html_escaping_off=”X”, . , . SAP Security Note 1488500. Business HTML (BHTML) HTMLBusiness Template Library (, SAP_TemplateNonEditableField()) . , . SAP Security Note 916255. , . , . , XSS-: http/security_session_timeout = 900; - , . icf/set_HTTPonly_flag_on_cookies = 0; HttpOnly , - , , . HTTPOnly, Logon tickets XSS-. , RZ10, ( Profile) (, DEFAULT.PFL, SAP-). , , , Extended maintenance . , Copy. , , - , - -, : icm/HTTP/logging_0 icm/security_log , SAP NetWeaver J2EE SAP NetWeaver J2EE AS Java tc_sec_csi.jar. , HTML/XML, JavaScript, CSS URL. StringUtils (com.sap.security.core.server.csi.util.StringUtils): . Securing SAP from XSS vulnerabilities escapeScriptEndTag(String pStr) - , javascript ; escapeToHTML(String input) – (. 1) escapeToJS(String input) – JS declaration ( . 5) escapeToURL(String input) – , URL ( 3). , 'disableScriptSignatures'. escapeToURL(StringBuffer sb, String input, int maxLength) - , URL ( 3). , 'disableScriptSignatures'. escapeToURL(String input, int maxLength) - , URL (. 3). , 'disableScriptSignatures'. urlEncode(String s) – URLEncoder.encode , . 1 ( ) [CASE1] Username [CASE1] 2 ( , – URL) Click here 3 ( - URL) 4 ( SCRIPT', – ) 5 ( – declaration ) XSSEncoder. - XSSEncoder ( : com.sap.security.core.server.csi.XSSEncoder). : HTML / XML out = XSSEncoder.encodeHTML( in ) and XSSEncoder.encodeXML( val ); JavaScript out = XSSEncoder.encodeJavaScript( val ); URL out = XSSEncoder.encodeURL( val ); CSS out = XSSEncoder.encodeCSS( val ); , . SAP Security Note 1590008. WebDynpro Java WebDynpro Java, XSS. . SAP UI Development Kit for HTML5 SAP UI Development Kit HTML5, jQuery /_core/src/main/js/jquery.sap.encoder.js. : HTML / XML jQuery.sap.encodeHTML(sValue) and jQuery.sap.encodeXML(sValue) JavaScript jQuery.sap.encodeJS(sValue) URL jQuery.sap.encodeURL(sValue) CSS jQuery.sap.encodeCSS(sValue) : , : Global_app_config/session_config/sessionTimeout = 900. - , . SystemCookiesDataProtection = true. HttpOnly , - , , . HTTPOnly, Logon tickets XSS-. ume.logon.httponlycookie= True. Logon tickets , Single Sign-On J2EE Engine. “True” , HTTP document.cookie ( XSS-) . SessionIPProtectionEnabled = True. , IP . True, HTTP- IP. IP, . , , - XSS-, - -, . LogCLF = TRUE http.properties logging CEF. ArchiveOldLogFiles = ON. Log Configurator . . , . , . . HttpTrace= Enable. HTTP- , ConfigTool. HTTP Provider Service, , HttpTrace. SAP HANA XS , XSS- – SAP HANA. SAP HANA SAPUI5. - SAPUI5 , . , int int, sap.ui.core . – , HTML: , : sessiontimeout = 900. - , . HttpOnly . , , - XSS-, - -, . HTTP (S) , SAP HANA, -. - HTTP (S) , icm/http/logging _ 0: global _ auditing _ state = true. global.ini, . , , XSS-. SAP HANA Administration Console –> Security HDB –> Auditing Status menu. - , XSS. , , - SAP . XSS- – SAP. SAP XSS-. XSS SAP. , ( chipik ) . Logging additional information ABAP protection SAP Encoding Functions for AS ABAP Java protection SAP Encoding Functions for AS Java and JavaScript Prevention of Cross-site Scripting SAP HANA protection Protecting SAP® Applications Based on Java and ABAP™ Against Common Attacks

<%@page language="abap" forceEncode="html"%>
<% data: inputvalue type string.
inputvalue = request->get_form_field( 'x' ).
%>
</html>


. , ( ):

<%html=...%>: HTML <%url=...%>: URL URL <%javascript=...%>: JavaScript <%css=…%> : CSS <%raw=...%> ( , , , )

BSP

BSP HTMLB forceEncode <htmlb:content> ENABLED , ( ). ENABLED , , :<htmlb:content forceEncode="ENABLED|BACKWARDS_COMPATIBLE">

ENABLED: . , ; BACKWARDS_COMPATIBLE: . , .

, htmlb:content , . : CLASSIC, DESIGN2002, DESIGN2003, DESIGN2008, , (+). CLASSIC DESIGN2002 (, ) .

<htmlb:content forceEncode="ENABLED" design="DESIGN2003+DESIGN2008">


, design=CLASSIC. .

Mixed BSP- HTML HTMLB

forceEncode BSP page forceEncode HTMLB . , – HTMLB. , , HTML BSP,

Internet Transaction Server (ITS) HTML Business

Internet Transaction Server (ITS) HTML Business, :

xss_url_escape() xss_html_escape() xss_wml_escape() xss_css_escape() xss_js_escape()
HTML Business

, HTML-: , (`) , :
~auto_html_escaping=1: , ~new_xss_functions=1: XSS.
~html_escaping_off=1/0, .
, , SAP_BASIS:
ITS ( <= 6.40), Internet Service SE80. ITS ( >= 6.40), GUI SICF :

7.20, ~new_xss_functions, XSS- .

, , , . ~html_escaping_off=”X”, . , . SAP Security Note 1488500.

Business HTML (BHTML)

HTMLBusiness Template Library (, SAP_TemplateNonEditableField()) . , . SAP Security Note 916255.



, . , .



, XSS-:

http/security_session_timeout = 900; - , . icf/set_HTTPonly_flag_on_cookies = 0; HttpOnly , - , , . HTTPOnly, Logon tickets XSS-.

, RZ10, ( Profile) (, DEFAULT.PFL, SAP-). , , , Extended maintenance . , Copy.



, , - , - -, :
icm/HTTP/logging_0 icm/security_log ,

SAP NetWeaver J2EE

SAP NetWeaver J2EE



AS Java tc_sec_csi.jar. , HTML/XML, JavaScript, CSS URL. StringUtils (com.sap.security.core.server.csi.util.StringUtils):

. Securing SAP from XSS vulnerabilities
escapeScriptEndTag(String pStr) - , javascript ; escapeToHTML(String input) – (. 1) escapeToJS(String input) – JS declaration ( . 5) escapeToURL(String input) – , URL ( 3). , 'disableScriptSignatures'. escapeToURL(StringBuffer sb, String input, int maxLength) - , URL ( 3). , 'disableScriptSignatures'. escapeToURL(String input, int maxLength) - , URL (. 3). , 'disableScriptSignatures'. urlEncode(String s) – URLEncoder.encode

, .

1 ( )

[CASE1]

Username [CASE1]



2 ( , – URL)


Click here


3 ( - URL)




4 ( SCRIPT', – )



5 ( – declaration )



XSSEncoder.
- XSSEncoder ( : com.sap.security.core.server.csi.XSSEncoder).

:
HTML / XML out = XSSEncoder.encodeHTML( in ) and XSSEncoder.encodeXML( val ); JavaScript out = XSSEncoder.encodeJavaScript( val ); URL out = XSSEncoder.encodeURL( val ); CSS out = XSSEncoder.encodeCSS( val );

, . SAP Security Note 1590008.
WebDynpro Java
WebDynpro Java, XSS. .
SAP UI Development Kit for HTML5
SAP UI Development Kit HTML5, jQuery /_core/src/main/js/jquery.sap.encoder.js.
:
HTML / XML jQuery.sap.encodeHTML(sValue) and jQuery.sap.encodeXML(sValue) JavaScript jQuery.sap.encodeJS(sValue) URL jQuery.sap.encodeURL(sValue) CSS jQuery.sap.encodeCSS(sValue)
:

, :
Global_app_config/session_config/sessionTimeout = 900. - , . SystemCookiesDataProtection = true. HttpOnly , - , , . HTTPOnly, Logon tickets XSS-. ume.logon.httponlycookie= True. Logon tickets , Single Sign-On J2EE Engine. “True” , HTTP document.cookie ( XSS-) . SessionIPProtectionEnabled = True. , IP . True, HTTP- IP. IP, .


, , - XSS-, - -, .
LogCLF = TRUE http.properties logging CEF. ArchiveOldLogFiles = ON. Log Configurator . . , . , . . HttpTrace= Enable. HTTP- , ConfigTool. HTTP Provider Service, , HttpTrace.
SAP HANA XS

, XSS- – SAP HANA.


SAP HANA SAPUI5.
- SAPUI5 , . , int int, sap.ui.core . – , HTML:

, :
sessiontimeout = 900. - , . HttpOnly .



, , - XSS-, - -, .

HTTP (S) , SAP HANA, -. - HTTP (S) , icm/http/logging _ 0: global _ auditing _ state = true. global.ini, . , , XSS-. SAP HANA Administration Console –> Security HDB –> Auditing Status menu.



- , XSS. , , - SAP . XSS- – SAP. SAP XSS-. XSS SAP.

, ( chipik ) .


Logging additional information ABAP protection SAP Encoding Functions for AS ABAP Java protection SAP Encoding Functions for AS Java and JavaScript Prevention of Cross-site Scripting SAP HANA protection Protecting SAP® Applications Based on Java and ABAP™ Against Common Attacks

<%@page language="abap" forceEncode="html"%> <% data: inputvalue type string. inputvalue = request->get_form_field( 'x' ). %> </html> . , ( ): <%html=...%>: HTML <%url=...%>: URL URL <%javascript=...%>: JavaScript <%css=…%> : CSS <%raw=...%> ( , , , ) BSP BSP HTMLB forceEncode <htmlb:content> ENABLED , ( ). ENABLED , , :<htmlb:content forceEncode="ENABLED|BACKWARDS_COMPATIBLE"> ENABLED: . , ; BACKWARDS_COMPATIBLE: . , . , htmlb:content , . : CLASSIC, DESIGN2002, DESIGN2003, DESIGN2008, , (+). CLASSIC DESIGN2002 (, ) . <htmlb:content forceEncode="ENABLED" design="DESIGN2003+DESIGN2008"> , design=CLASSIC. . Mixed BSP- HTML HTMLB forceEncode BSP page forceEncode HTMLB . , – HTMLB. , , HTML BSP, Internet Transaction Server (ITS) HTML Business Internet Transaction Server (ITS) HTML Business, : xss_url_escape() xss_html_escape() xss_wml_escape() xss_css_escape() xss_js_escape() HTML Business , HTML-: , (`) , : ~auto_html_escaping=1: , ~new_xss_functions=1: XSS. ~html_escaping_off=1/0, . , , SAP_BASIS: ITS ( <= 6.40), Internet Service SE80. ITS ( >= 6.40), GUI SICF : 7.20, ~new_xss_functions, XSS- . , , , . ~html_escaping_off=”X”, . , . SAP Security Note 1488500. Business HTML (BHTML) HTMLBusiness Template Library (, SAP_TemplateNonEditableField()) . , . SAP Security Note 916255. , . , . , XSS-: http/security_session_timeout = 900; - , . icf/set_HTTPonly_flag_on_cookies = 0; HttpOnly , - , , . HTTPOnly, Logon tickets XSS-. , RZ10, ( Profile) (, DEFAULT.PFL, SAP-). , , , Extended maintenance . , Copy. , , - , - -, : icm/HTTP/logging_0 icm/security_log , SAP NetWeaver J2EE SAP NetWeaver J2EE AS Java tc_sec_csi.jar. , HTML/XML, JavaScript, CSS URL. StringUtils (com.sap.security.core.server.csi.util.StringUtils): . Securing SAP from XSS vulnerabilities escapeScriptEndTag(String pStr) - , javascript ; escapeToHTML(String input) – (. 1) escapeToJS(String input) – JS declaration ( . 5) escapeToURL(String input) – , URL ( 3). , 'disableScriptSignatures'. escapeToURL(StringBuffer sb, String input, int maxLength) - , URL ( 3). , 'disableScriptSignatures'. escapeToURL(String input, int maxLength) - , URL (. 3). , 'disableScriptSignatures'. urlEncode(String s) – URLEncoder.encode , . 1 ( ) [CASE1] Username [CASE1] 2 ( , – URL) Click here 3 ( - URL) 4 ( SCRIPT', – ) 5 ( – declaration ) XSSEncoder. - XSSEncoder ( : com.sap.security.core.server.csi.XSSEncoder). : HTML / XML out = XSSEncoder.encodeHTML( in ) and XSSEncoder.encodeXML( val ); JavaScript out = XSSEncoder.encodeJavaScript( val ); URL out = XSSEncoder.encodeURL( val ); CSS out = XSSEncoder.encodeCSS( val ); , . SAP Security Note 1590008. WebDynpro Java WebDynpro Java, XSS. . SAP UI Development Kit for HTML5 SAP UI Development Kit HTML5, jQuery /_core/src/main/js/jquery.sap.encoder.js. : HTML / XML jQuery.sap.encodeHTML(sValue) and jQuery.sap.encodeXML(sValue) JavaScript jQuery.sap.encodeJS(sValue) URL jQuery.sap.encodeURL(sValue) CSS jQuery.sap.encodeCSS(sValue) : , : Global_app_config/session_config/sessionTimeout = 900. - , . SystemCookiesDataProtection = true. HttpOnly , - , , . HTTPOnly, Logon tickets XSS-. ume.logon.httponlycookie= True. Logon tickets , Single Sign-On J2EE Engine. “True” , HTTP document.cookie ( XSS-) . SessionIPProtectionEnabled = True. , IP . True, HTTP- IP. IP, . , , - XSS-, - -, . LogCLF = TRUE http.properties logging CEF. ArchiveOldLogFiles = ON. Log Configurator . . , . , . . HttpTrace= Enable. HTTP- , ConfigTool. HTTP Provider Service, , HttpTrace. SAP HANA XS , XSS- – SAP HANA. SAP HANA SAPUI5. - SAPUI5 , . , int int, sap.ui.core . – , HTML: , : sessiontimeout = 900. - , . HttpOnly . , , - XSS-, - -, . HTTP (S) , SAP HANA, -. - HTTP (S) , icm/http/logging _ 0: global _ auditing _ state = true. global.ini, . , , XSS-. SAP HANA Administration Console –> Security HDB –> Auditing Status menu. - , XSS. , , - SAP . XSS- – SAP. SAP XSS-. XSS SAP. , ( chipik ) . Logging additional information ABAP protection SAP Encoding Functions for AS ABAP Java protection SAP Encoding Functions for AS Java and JavaScript Prevention of Cross-site Scripting SAP HANA protection Protecting SAP® Applications Based on Java and ABAP™ Against Common Attacks

<%@page language="abap" forceEncode="html"%>
<% data: inputvalue type string.
inputvalue = request->get_form_field( 'x' ).
%>
</html>


. , ( ):

<%html=...%>: HTML <%url=...%>: URL URL <%javascript=...%>: JavaScript <%css=…%> : CSS <%raw=...%> ( , , , )

BSP

BSP HTMLB forceEncode <htmlb:content> ENABLED , ( ). ENABLED , , :<htmlb:content forceEncode="ENABLED|BACKWARDS_COMPATIBLE">

ENABLED: . , ; BACKWARDS_COMPATIBLE: . , .

, htmlb:content , . : CLASSIC, DESIGN2002, DESIGN2003, DESIGN2008, , (+). CLASSIC DESIGN2002 (, ) .

<htmlb:content forceEncode="ENABLED" design="DESIGN2003+DESIGN2008">


, design=CLASSIC. .

Mixed BSP- HTML HTMLB

forceEncode BSP page forceEncode HTMLB . , – HTMLB. , , HTML BSP,

Internet Transaction Server (ITS) HTML Business

Internet Transaction Server (ITS) HTML Business, :

xss_url_escape() xss_html_escape() xss_wml_escape() xss_css_escape() xss_js_escape()
HTML Business

, HTML-: , (`) , :
~auto_html_escaping=1: , ~new_xss_functions=1: XSS.
~html_escaping_off=1/0, .
, , SAP_BASIS:
ITS ( <= 6.40), Internet Service SE80. ITS ( >= 6.40), GUI SICF :

7.20, ~new_xss_functions, XSS- .

, , , . ~html_escaping_off=”X”, . , . SAP Security Note 1488500.

Business HTML (BHTML)

HTMLBusiness Template Library (, SAP_TemplateNonEditableField()) . , . SAP Security Note 916255.



, . , .



, XSS-:

http/security_session_timeout = 900; - , . icf/set_HTTPonly_flag_on_cookies = 0; HttpOnly , - , , . HTTPOnly, Logon tickets XSS-.

, RZ10, ( Profile) (, DEFAULT.PFL, SAP-). , , , Extended maintenance . , Copy.



, , - , - -, :
icm/HTTP/logging_0 icm/security_log ,

SAP NetWeaver J2EE

SAP NetWeaver J2EE



AS Java tc_sec_csi.jar. , HTML/XML, JavaScript, CSS URL. StringUtils (com.sap.security.core.server.csi.util.StringUtils):

. Securing SAP from XSS vulnerabilities
escapeScriptEndTag(String pStr) - , javascript ; escapeToHTML(String input) – (. 1) escapeToJS(String input) – JS declaration ( . 5) escapeToURL(String input) – , URL ( 3). , 'disableScriptSignatures'. escapeToURL(StringBuffer sb, String input, int maxLength) - , URL ( 3). , 'disableScriptSignatures'. escapeToURL(String input, int maxLength) - , URL (. 3). , 'disableScriptSignatures'. urlEncode(String s) – URLEncoder.encode

, .

1 ( )

[CASE1]

Username [CASE1]



2 ( , – URL)


Click here


3 ( - URL)




4 ( SCRIPT', – )



5 ( – declaration )



XSSEncoder.
- XSSEncoder ( : com.sap.security.core.server.csi.XSSEncoder).

:
HTML / XML out = XSSEncoder.encodeHTML( in ) and XSSEncoder.encodeXML( val ); JavaScript out = XSSEncoder.encodeJavaScript( val ); URL out = XSSEncoder.encodeURL( val ); CSS out = XSSEncoder.encodeCSS( val );

, . SAP Security Note 1590008.
WebDynpro Java
WebDynpro Java, XSS. .
SAP UI Development Kit for HTML5
SAP UI Development Kit HTML5, jQuery /_core/src/main/js/jquery.sap.encoder.js.
:
HTML / XML jQuery.sap.encodeHTML(sValue) and jQuery.sap.encodeXML(sValue) JavaScript jQuery.sap.encodeJS(sValue) URL jQuery.sap.encodeURL(sValue) CSS jQuery.sap.encodeCSS(sValue)
:

, :
Global_app_config/session_config/sessionTimeout = 900. - , . SystemCookiesDataProtection = true. HttpOnly , - , , . HTTPOnly, Logon tickets XSS-. ume.logon.httponlycookie= True. Logon tickets , Single Sign-On J2EE Engine. “True” , HTTP document.cookie ( XSS-) . SessionIPProtectionEnabled = True. , IP . True, HTTP- IP. IP, .


, , - XSS-, - -, .
LogCLF = TRUE http.properties logging CEF. ArchiveOldLogFiles = ON. Log Configurator . . , . , . . HttpTrace= Enable. HTTP- , ConfigTool. HTTP Provider Service, , HttpTrace.
SAP HANA XS

, XSS- – SAP HANA.


SAP HANA SAPUI5.
- SAPUI5 , . , int int, sap.ui.core . – , HTML:

, :
sessiontimeout = 900. - , . HttpOnly .



, , - XSS-, - -, .

HTTP (S) , SAP HANA, -. - HTTP (S) , icm/http/logging _ 0: global _ auditing _ state = true. global.ini, . , , XSS-. SAP HANA Administration Console –> Security HDB –> Auditing Status menu.



- , XSS. , , - SAP . XSS- – SAP. SAP XSS-. XSS SAP.

, ( chipik ) .


Logging additional information ABAP protection SAP Encoding Functions for AS ABAP Java protection SAP Encoding Functions for AS Java and JavaScript Prevention of Cross-site Scripting SAP HANA protection Protecting SAP® Applications Based on Java and ABAP™ Against Common Attacks

<%@page language="abap" forceEncode="html"%> <% data: inputvalue type string. inputvalue = request->get_form_field( 'x' ). %> </html> . , ( ): <%html=...%>: HTML <%url=...%>: URL URL <%javascript=...%>: JavaScript <%css=…%> : CSS <%raw=...%> ( , , , ) BSP BSP HTMLB forceEncode <htmlb:content> ENABLED , ( ). ENABLED , , :<htmlb:content forceEncode="ENABLED|BACKWARDS_COMPATIBLE"> ENABLED: . , ; BACKWARDS_COMPATIBLE: . , . , htmlb:content , . : CLASSIC, DESIGN2002, DESIGN2003, DESIGN2008, , (+). CLASSIC DESIGN2002 (, ) . <htmlb:content forceEncode="ENABLED" design="DESIGN2003+DESIGN2008"> , design=CLASSIC. . Mixed BSP- HTML HTMLB forceEncode BSP page forceEncode HTMLB . , – HTMLB. , , HTML BSP, Internet Transaction Server (ITS) HTML Business Internet Transaction Server (ITS) HTML Business, : xss_url_escape() xss_html_escape() xss_wml_escape() xss_css_escape() xss_js_escape() HTML Business , HTML-: , (`) , : ~auto_html_escaping=1: , ~new_xss_functions=1: XSS. ~html_escaping_off=1/0, . , , SAP_BASIS: ITS ( <= 6.40), Internet Service SE80. ITS ( >= 6.40), GUI SICF : 7.20, ~new_xss_functions, XSS- . , , , . ~html_escaping_off=”X”, . , . SAP Security Note 1488500. Business HTML (BHTML) HTMLBusiness Template Library (, SAP_TemplateNonEditableField()) . , . SAP Security Note 916255. , . , . , XSS-: http/security_session_timeout = 900; - , . icf/set_HTTPonly_flag_on_cookies = 0; HttpOnly , - , , . HTTPOnly, Logon tickets XSS-. , RZ10, ( Profile) (, DEFAULT.PFL, SAP-). , , , Extended maintenance . , Copy. , , - , - -, : icm/HTTP/logging_0 icm/security_log , SAP NetWeaver J2EE SAP NetWeaver J2EE AS Java tc_sec_csi.jar. , HTML/XML, JavaScript, CSS URL. StringUtils (com.sap.security.core.server.csi.util.StringUtils): . Securing SAP from XSS vulnerabilities escapeScriptEndTag(String pStr) - , javascript ; escapeToHTML(String input) – (. 1) escapeToJS(String input) – JS declaration ( . 5) escapeToURL(String input) – , URL ( 3). , 'disableScriptSignatures'. escapeToURL(StringBuffer sb, String input, int maxLength) - , URL ( 3). , 'disableScriptSignatures'. escapeToURL(String input, int maxLength) - , URL (. 3). , 'disableScriptSignatures'. urlEncode(String s) – URLEncoder.encode , . 1 ( ) [CASE1] Username [CASE1] 2 ( , – URL) Click here 3 ( - URL) 4 ( SCRIPT', – ) 5 ( – declaration ) XSSEncoder. - XSSEncoder ( : com.sap.security.core.server.csi.XSSEncoder). : HTML / XML out = XSSEncoder.encodeHTML( in ) and XSSEncoder.encodeXML( val ); JavaScript out = XSSEncoder.encodeJavaScript( val ); URL out = XSSEncoder.encodeURL( val ); CSS out = XSSEncoder.encodeCSS( val ); , . SAP Security Note 1590008. WebDynpro Java WebDynpro Java, XSS. . SAP UI Development Kit for HTML5 SAP UI Development Kit HTML5, jQuery /_core/src/main/js/jquery.sap.encoder.js. : HTML / XML jQuery.sap.encodeHTML(sValue) and jQuery.sap.encodeXML(sValue) JavaScript jQuery.sap.encodeJS(sValue) URL jQuery.sap.encodeURL(sValue) CSS jQuery.sap.encodeCSS(sValue) : , : Global_app_config/session_config/sessionTimeout = 900. - , . SystemCookiesDataProtection = true. HttpOnly , - , , . HTTPOnly, Logon tickets XSS-. ume.logon.httponlycookie= True. Logon tickets , Single Sign-On J2EE Engine. “True” , HTTP document.cookie ( XSS-) . SessionIPProtectionEnabled = True. , IP . True, HTTP- IP. IP, . , , - XSS-, - -, . LogCLF = TRUE http.properties logging CEF. ArchiveOldLogFiles = ON. Log Configurator . . , . , . . HttpTrace= Enable. HTTP- , ConfigTool. HTTP Provider Service, , HttpTrace. SAP HANA XS , XSS- – SAP HANA. SAP HANA SAPUI5. - SAPUI5 , . , int int, sap.ui.core . – , HTML: , : sessiontimeout = 900. - , . HttpOnly . , , - XSS-, - -, . HTTP (S) , SAP HANA, -. - HTTP (S) , icm/http/logging _ 0: global _ auditing _ state = true. global.ini, . , , XSS-. SAP HANA Administration Console –> Security HDB –> Auditing Status menu. - , XSS. , , - SAP . XSS- – SAP. SAP XSS-. XSS SAP. , ( chipik ) . Logging additional information ABAP protection SAP Encoding Functions for AS ABAP Java protection SAP Encoding Functions for AS Java and JavaScript Prevention of Cross-site Scripting SAP HANA protection Protecting SAP® Applications Based on Java and ABAP™ Against Common Attacks
<%@page language="abap" forceEncode="html"%> <% data: inputvalue type string. inputvalue = request->get_form_field( 'x' ). %> </html> . , ( ): <%html=...%>: HTML <%url=...%>: URL URL <%javascript=...%>: JavaScript <%css=…%> : CSS <%raw=...%> ( , , , ) BSP BSP HTMLB forceEncode <htmlb:content> ENABLED , ( ). ENABLED , , :<htmlb:content forceEncode="ENABLED|BACKWARDS_COMPATIBLE"> ENABLED: . , ; BACKWARDS_COMPATIBLE: . , . , htmlb:content , . : CLASSIC, DESIGN2002, DESIGN2003, DESIGN2008, , (+). CLASSIC DESIGN2002 (, ) . <htmlb:content forceEncode="ENABLED" design="DESIGN2003+DESIGN2008"> , design=CLASSIC. . Mixed BSP- HTML HTMLB forceEncode BSP page forceEncode HTMLB . , – HTMLB. , , HTML BSP, Internet Transaction Server (ITS) HTML Business Internet Transaction Server (ITS) HTML Business, : xss_url_escape() xss_html_escape() xss_wml_escape() xss_css_escape() xss_js_escape() HTML Business , HTML-: , (`) , : ~auto_html_escaping=1: , ~new_xss_functions=1: XSS. ~html_escaping_off=1/0, . , , SAP_BASIS: ITS ( <= 6.40), Internet Service SE80. ITS ( >= 6.40), GUI SICF : 7.20, ~new_xss_functions, XSS- . , , , . ~html_escaping_off=”X”, . , . SAP Security Note 1488500. Business HTML (BHTML) HTMLBusiness Template Library (, SAP_TemplateNonEditableField()) . , . SAP Security Note 916255. , . , . , XSS-: http/security_session_timeout = 900; - , . icf/set_HTTPonly_flag_on_cookies = 0; HttpOnly , - , , . HTTPOnly, Logon tickets XSS-. , RZ10, ( Profile) (, DEFAULT.PFL, SAP-). , , , Extended maintenance . , Copy. , , - , - -, : icm/HTTP/logging_0 icm/security_log , SAP NetWeaver J2EE SAP NetWeaver J2EE AS Java tc_sec_csi.jar. , HTML/XML, JavaScript, CSS URL. StringUtils (com.sap.security.core.server.csi.util.StringUtils): . Securing SAP from XSS vulnerabilities escapeScriptEndTag(String pStr) - , javascript ; escapeToHTML(String input) – (. 1) escapeToJS(String input) – JS declaration ( . 5) escapeToURL(String input) – , URL ( 3). , 'disableScriptSignatures'. escapeToURL(StringBuffer sb, String input, int maxLength) - , URL ( 3). , 'disableScriptSignatures'. escapeToURL(String input, int maxLength) - , URL (. 3). , 'disableScriptSignatures'. urlEncode(String s) – URLEncoder.encode , . 1 ( ) [CASE1] Username [CASE1] 2 ( , – URL) Click here 3 ( - URL) 4 ( SCRIPT', – ) 5 ( – declaration ) XSSEncoder. - XSSEncoder ( : com.sap.security.core.server.csi.XSSEncoder). : HTML / XML out = XSSEncoder.encodeHTML( in ) and XSSEncoder.encodeXML( val ); JavaScript out = XSSEncoder.encodeJavaScript( val ); URL out = XSSEncoder.encodeURL( val ); CSS out = XSSEncoder.encodeCSS( val ); , . SAP Security Note 1590008. WebDynpro Java WebDynpro Java, XSS. . SAP UI Development Kit for HTML5 SAP UI Development Kit HTML5, jQuery /_core/src/main/js/jquery.sap.encoder.js. : HTML / XML jQuery.sap.encodeHTML(sValue) and jQuery.sap.encodeXML(sValue) JavaScript jQuery.sap.encodeJS(sValue) URL jQuery.sap.encodeURL(sValue) CSS jQuery.sap.encodeCSS(sValue) : , : Global_app_config/session_config/sessionTimeout = 900. - , . SystemCookiesDataProtection = true. HttpOnly , - , , . HTTPOnly, Logon tickets XSS-. ume.logon.httponlycookie= True. Logon tickets , Single Sign-On J2EE Engine. “True” , HTTP document.cookie ( XSS-) . SessionIPProtectionEnabled = True. , IP . True, HTTP- IP. IP, . , , - XSS-, - -, . LogCLF = TRUE http.properties logging CEF. ArchiveOldLogFiles = ON. Log Configurator . . , . , . . HttpTrace= Enable. HTTP- , ConfigTool. HTTP Provider Service, , HttpTrace. SAP HANA XS , XSS- – SAP HANA. SAP HANA SAPUI5. - SAPUI5 , . , int int, sap.ui.core . – , HTML: , : sessiontimeout = 900. - , . HttpOnly . , , - XSS-, - -, . HTTP (S) , SAP HANA, -. - HTTP (S) , icm/http/logging _ 0: global _ auditing _ state = true. global.ini, . , , XSS-. SAP HANA Administration Console –> Security HDB –> Auditing Status menu. - , XSS. , , - SAP . XSS- – SAP. SAP XSS-. XSS SAP. , ( chipik ) . Logging additional information ABAP protection SAP Encoding Functions for AS ABAP Java protection SAP Encoding Functions for AS Java and JavaScript Prevention of Cross-site Scripting SAP HANA protection Protecting SAP® Applications Based on Java and ABAP™ Against Common Attacks

<%@page language="abap" forceEncode="html"%>
<% data: inputvalue type string.
inputvalue = request->get_form_field( 'x' ).
%>
</html>


. , ( ):

<%html=...%>: HTML <%url=...%>: URL URL <%javascript=...%>: JavaScript <%css=…%> : CSS <%raw=...%> ( , , , )

BSP

BSP HTMLB forceEncode <htmlb:content> ENABLED , ( ). ENABLED , , :<htmlb:content forceEncode="ENABLED|BACKWARDS_COMPATIBLE">

ENABLED: . , ; BACKWARDS_COMPATIBLE: . , .

, htmlb:content , . : CLASSIC, DESIGN2002, DESIGN2003, DESIGN2008, , (+). CLASSIC DESIGN2002 (, ) .

<htmlb:content forceEncode="ENABLED" design="DESIGN2003+DESIGN2008">


, design=CLASSIC. .

Mixed BSP- HTML HTMLB

forceEncode BSP page forceEncode HTMLB . , – HTMLB. , , HTML BSP,

Internet Transaction Server (ITS) HTML Business

Internet Transaction Server (ITS) HTML Business, :

xss_url_escape() xss_html_escape() xss_wml_escape() xss_css_escape() xss_js_escape()
HTML Business

, HTML-: , (`) , :
~auto_html_escaping=1: , ~new_xss_functions=1: XSS.
~html_escaping_off=1/0, .
, , SAP_BASIS:
ITS ( <= 6.40), Internet Service SE80. ITS ( >= 6.40), GUI SICF :

7.20, ~new_xss_functions, XSS- .

, , , . ~html_escaping_off=”X”, . , . SAP Security Note 1488500.

Business HTML (BHTML)

HTMLBusiness Template Library (, SAP_TemplateNonEditableField()) . , . SAP Security Note 916255.



, . , .



, XSS-:

http/security_session_timeout = 900; - , . icf/set_HTTPonly_flag_on_cookies = 0; HttpOnly , - , , . HTTPOnly, Logon tickets XSS-.

, RZ10, ( Profile) (, DEFAULT.PFL, SAP-). , , , Extended maintenance . , Copy.



, , - , - -, :
icm/HTTP/logging_0 icm/security_log ,

SAP NetWeaver J2EE

SAP NetWeaver J2EE



AS Java tc_sec_csi.jar. , HTML/XML, JavaScript, CSS URL. StringUtils (com.sap.security.core.server.csi.util.StringUtils):

. Securing SAP from XSS vulnerabilities
escapeScriptEndTag(String pStr) - , javascript ; escapeToHTML(String input) – (. 1) escapeToJS(String input) – JS declaration ( . 5) escapeToURL(String input) – , URL ( 3). , 'disableScriptSignatures'. escapeToURL(StringBuffer sb, String input, int maxLength) - , URL ( 3). , 'disableScriptSignatures'. escapeToURL(String input, int maxLength) - , URL (. 3). , 'disableScriptSignatures'. urlEncode(String s) – URLEncoder.encode

, .

1 ( )

[CASE1]

Username [CASE1]



2 ( , – URL)


Click here


3 ( - URL)




4 ( SCRIPT', – )



5 ( – declaration )



XSSEncoder.
- XSSEncoder ( : com.sap.security.core.server.csi.XSSEncoder).

:
HTML / XML out = XSSEncoder.encodeHTML( in ) and XSSEncoder.encodeXML( val ); JavaScript out = XSSEncoder.encodeJavaScript( val ); URL out = XSSEncoder.encodeURL( val ); CSS out = XSSEncoder.encodeCSS( val );

, . SAP Security Note 1590008.
WebDynpro Java
WebDynpro Java, XSS. .
SAP UI Development Kit for HTML5
SAP UI Development Kit HTML5, jQuery /_core/src/main/js/jquery.sap.encoder.js.
:
HTML / XML jQuery.sap.encodeHTML(sValue) and jQuery.sap.encodeXML(sValue) JavaScript jQuery.sap.encodeJS(sValue) URL jQuery.sap.encodeURL(sValue) CSS jQuery.sap.encodeCSS(sValue)
:

, :
Global_app_config/session_config/sessionTimeout = 900. - , . SystemCookiesDataProtection = true. HttpOnly , - , , . HTTPOnly, Logon tickets XSS-. ume.logon.httponlycookie= True. Logon tickets , Single Sign-On J2EE Engine. “True” , HTTP document.cookie ( XSS-) . SessionIPProtectionEnabled = True. , IP . True, HTTP- IP. IP, .


, , - XSS-, - -, .
LogCLF = TRUE http.properties logging CEF. ArchiveOldLogFiles = ON. Log Configurator . . , . , . . HttpTrace= Enable. HTTP- , ConfigTool. HTTP Provider Service, , HttpTrace.
SAP HANA XS

, XSS- – SAP HANA.


SAP HANA SAPUI5.
- SAPUI5 , . , int int, sap.ui.core . – , HTML:

, :
sessiontimeout = 900. - , . HttpOnly .



, , - XSS-, - -, .

HTTP (S) , SAP HANA, -. - HTTP (S) , icm/http/logging _ 0: global _ auditing _ state = true. global.ini, . , , XSS-. SAP HANA Administration Console –> Security HDB –> Auditing Status menu.



- , XSS. , , - SAP . XSS- – SAP. SAP XSS-. XSS SAP.

, ( chipik ) .


Logging additional information ABAP protection SAP Encoding Functions for AS ABAP Java protection SAP Encoding Functions for AS Java and JavaScript Prevention of Cross-site Scripting SAP HANA protection Protecting SAP® Applications Based on Java and ABAP™ Against Common Attacks

<%@page language="abap" forceEncode="html"%> <% data: inputvalue type string. inputvalue = request->get_form_field( 'x' ). %> </html> . , ( ): <%html=...%>: HTML <%url=...%>: URL URL <%javascript=...%>: JavaScript <%css=…%> : CSS <%raw=...%> ( , , , ) BSP BSP HTMLB forceEncode <htmlb:content> ENABLED , ( ). ENABLED , , :<htmlb:content forceEncode="ENABLED|BACKWARDS_COMPATIBLE"> ENABLED: . , ; BACKWARDS_COMPATIBLE: . , . , htmlb:content , . : CLASSIC, DESIGN2002, DESIGN2003, DESIGN2008, , (+). CLASSIC DESIGN2002 (, ) . <htmlb:content forceEncode="ENABLED" design="DESIGN2003+DESIGN2008"> , design=CLASSIC. . Mixed BSP- HTML HTMLB forceEncode BSP page forceEncode HTMLB . , – HTMLB. , , HTML BSP, Internet Transaction Server (ITS) HTML Business Internet Transaction Server (ITS) HTML Business, : xss_url_escape() xss_html_escape() xss_wml_escape() xss_css_escape() xss_js_escape() HTML Business , HTML-: , (`) , : ~auto_html_escaping=1: , ~new_xss_functions=1: XSS. ~html_escaping_off=1/0, . , , SAP_BASIS: ITS ( <= 6.40), Internet Service SE80. ITS ( >= 6.40), GUI SICF : 7.20, ~new_xss_functions, XSS- . , , , . ~html_escaping_off=”X”, . , . SAP Security Note 1488500. Business HTML (BHTML) HTMLBusiness Template Library (, SAP_TemplateNonEditableField()) . , . SAP Security Note 916255. , . , . , XSS-: http/security_session_timeout = 900; - , . icf/set_HTTPonly_flag_on_cookies = 0; HttpOnly , - , , . HTTPOnly, Logon tickets XSS-. , RZ10, ( Profile) (, DEFAULT.PFL, SAP-). , , , Extended maintenance . , Copy. , , - , - -, : icm/HTTP/logging_0 icm/security_log , SAP NetWeaver J2EE SAP NetWeaver J2EE AS Java tc_sec_csi.jar. , HTML/XML, JavaScript, CSS URL. StringUtils (com.sap.security.core.server.csi.util.StringUtils): . Securing SAP from XSS vulnerabilities escapeScriptEndTag(String pStr) - , javascript ; escapeToHTML(String input) – (. 1) escapeToJS(String input) – JS declaration ( . 5) escapeToURL(String input) – , URL ( 3). , 'disableScriptSignatures'. escapeToURL(StringBuffer sb, String input, int maxLength) - , URL ( 3). , 'disableScriptSignatures'. escapeToURL(String input, int maxLength) - , URL (. 3). , 'disableScriptSignatures'. urlEncode(String s) – URLEncoder.encode , . 1 ( ) [CASE1] Username [CASE1] 2 ( , – URL) Click here 3 ( - URL) 4 ( SCRIPT', – ) 5 ( – declaration ) XSSEncoder. - XSSEncoder ( : com.sap.security.core.server.csi.XSSEncoder). : HTML / XML out = XSSEncoder.encodeHTML( in ) and XSSEncoder.encodeXML( val ); JavaScript out = XSSEncoder.encodeJavaScript( val ); URL out = XSSEncoder.encodeURL( val ); CSS out = XSSEncoder.encodeCSS( val ); , . SAP Security Note 1590008. WebDynpro Java WebDynpro Java, XSS. . SAP UI Development Kit for HTML5 SAP UI Development Kit HTML5, jQuery /_core/src/main/js/jquery.sap.encoder.js. : HTML / XML jQuery.sap.encodeHTML(sValue) and jQuery.sap.encodeXML(sValue) JavaScript jQuery.sap.encodeJS(sValue) URL jQuery.sap.encodeURL(sValue) CSS jQuery.sap.encodeCSS(sValue) : , : Global_app_config/session_config/sessionTimeout = 900. - , . SystemCookiesDataProtection = true. HttpOnly , - , , . HTTPOnly, Logon tickets XSS-. ume.logon.httponlycookie= True. Logon tickets , Single Sign-On J2EE Engine. “True” , HTTP document.cookie ( XSS-) . SessionIPProtectionEnabled = True. , IP . True, HTTP- IP. IP, . , , - XSS-, - -, . LogCLF = TRUE http.properties logging CEF. ArchiveOldLogFiles = ON. Log Configurator . . , . , . . HttpTrace= Enable. HTTP- , ConfigTool. HTTP Provider Service, , HttpTrace. SAP HANA XS , XSS- – SAP HANA. SAP HANA SAPUI5. - SAPUI5 , . , int int, sap.ui.core . – , HTML: , : sessiontimeout = 900. - , . HttpOnly . , , - XSS-, - -, . HTTP (S) , SAP HANA, -. - HTTP (S) , icm/http/logging _ 0: global _ auditing _ state = true. global.ini, . , , XSS-. SAP HANA Administration Console –> Security HDB –> Auditing Status menu. - , XSS. , , - SAP . XSS- – SAP. SAP XSS-. XSS SAP. , ( chipik ) . Logging additional information ABAP protection SAP Encoding Functions for AS ABAP Java protection SAP Encoding Functions for AS Java and JavaScript Prevention of Cross-site Scripting SAP HANA protection Protecting SAP® Applications Based on Java and ABAP™ Against Common Attacks
<%@page language="abap" forceEncode="html"%> <% data: inputvalue type string. inputvalue = request->get_form_field( 'x' ). %> </html> . , ( ): <%html=...%>: HTML <%url=...%>: URL URL <%javascript=...%>: JavaScript <%css=…%> : CSS <%raw=...%> ( , , , ) BSP BSP HTMLB forceEncode <htmlb:content> ENABLED , ( ). ENABLED , , :<htmlb:content forceEncode="ENABLED|BACKWARDS_COMPATIBLE"> ENABLED: . , ; BACKWARDS_COMPATIBLE: . , . , htmlb:content , . : CLASSIC, DESIGN2002, DESIGN2003, DESIGN2008, , (+). CLASSIC DESIGN2002 (, ) . <htmlb:content forceEncode="ENABLED" design="DESIGN2003+DESIGN2008"> , design=CLASSIC. . Mixed BSP- HTML HTMLB forceEncode BSP page forceEncode HTMLB . , – HTMLB. , , HTML BSP, Internet Transaction Server (ITS) HTML Business Internet Transaction Server (ITS) HTML Business, : xss_url_escape() xss_html_escape() xss_wml_escape() xss_css_escape() xss_js_escape() HTML Business , HTML-: , (`) , : ~auto_html_escaping=1: , ~new_xss_functions=1: XSS. ~html_escaping_off=1/0, . , , SAP_BASIS: ITS ( <= 6.40), Internet Service SE80. ITS ( >= 6.40), GUI SICF : 7.20, ~new_xss_functions, XSS- . , , , . ~html_escaping_off=”X”, . , . SAP Security Note 1488500. Business HTML (BHTML) HTMLBusiness Template Library (, SAP_TemplateNonEditableField()) . , . SAP Security Note 916255. , . , . , XSS-: http/security_session_timeout = 900; - , . icf/set_HTTPonly_flag_on_cookies = 0; HttpOnly , - , , . HTTPOnly, Logon tickets XSS-. , RZ10, ( Profile) (, DEFAULT.PFL, SAP-). , , , Extended maintenance . , Copy. , , - , - -, : icm/HTTP/logging_0 icm/security_log , SAP NetWeaver J2EE SAP NetWeaver J2EE AS Java tc_sec_csi.jar. , HTML/XML, JavaScript, CSS URL. StringUtils (com.sap.security.core.server.csi.util.StringUtils): . Securing SAP from XSS vulnerabilities escapeScriptEndTag(String pStr) - , javascript ; escapeToHTML(String input) – (. 1) escapeToJS(String input) – JS declaration ( . 5) escapeToURL(String input) – , URL ( 3). , 'disableScriptSignatures'. escapeToURL(StringBuffer sb, String input, int maxLength) - , URL ( 3). , 'disableScriptSignatures'. escapeToURL(String input, int maxLength) - , URL (. 3). , 'disableScriptSignatures'. urlEncode(String s) – URLEncoder.encode , . 1 ( ) [CASE1] Username [CASE1] 2 ( , – URL) Click here 3 ( - URL) 4 ( SCRIPT', – ) 5 ( – declaration ) XSSEncoder. - XSSEncoder ( : com.sap.security.core.server.csi.XSSEncoder). : HTML / XML out = XSSEncoder.encodeHTML( in ) and XSSEncoder.encodeXML( val ); JavaScript out = XSSEncoder.encodeJavaScript( val ); URL out = XSSEncoder.encodeURL( val ); CSS out = XSSEncoder.encodeCSS( val ); , . SAP Security Note 1590008. WebDynpro Java WebDynpro Java, XSS. . SAP UI Development Kit for HTML5 SAP UI Development Kit HTML5, jQuery /_core/src/main/js/jquery.sap.encoder.js. : HTML / XML jQuery.sap.encodeHTML(sValue) and jQuery.sap.encodeXML(sValue) JavaScript jQuery.sap.encodeJS(sValue) URL jQuery.sap.encodeURL(sValue) CSS jQuery.sap.encodeCSS(sValue) : , : Global_app_config/session_config/sessionTimeout = 900. - , . SystemCookiesDataProtection = true. HttpOnly , - , , . HTTPOnly, Logon tickets XSS-. ume.logon.httponlycookie= True. Logon tickets , Single Sign-On J2EE Engine. “True” , HTTP document.cookie ( XSS-) . SessionIPProtectionEnabled = True. , IP . True, HTTP- IP. IP, . , , - XSS-, - -, . LogCLF = TRUE http.properties logging CEF. ArchiveOldLogFiles = ON. Log Configurator . . , . , . . HttpTrace= Enable. HTTP- , ConfigTool. HTTP Provider Service, , HttpTrace. SAP HANA XS , XSS- – SAP HANA. SAP HANA SAPUI5. - SAPUI5 , . , int int, sap.ui.core . – , HTML: , : sessiontimeout = 900. - , . HttpOnly . , , - XSS-, - -, . HTTP (S) , SAP HANA, -. - HTTP (S) , icm/http/logging _ 0: global _ auditing _ state = true. global.ini, . , , XSS-. SAP HANA Administration Console –> Security HDB –> Auditing Status menu. - , XSS. , , - SAP . XSS- – SAP. SAP XSS-. XSS SAP. , ( chipik ) . Logging additional information ABAP protection SAP Encoding Functions for AS ABAP Java protection SAP Encoding Functions for AS Java and JavaScript Prevention of Cross-site Scripting SAP HANA protection Protecting SAP® Applications Based on Java and ABAP™ Against Common Attacks

<%@page language="abap" forceEncode="html"%>
<% data: inputvalue type string.
inputvalue = request->get_form_field( 'x' ).
%>
</html>


. , ( ):

<%html=...%>: HTML <%url=...%>: URL URL <%javascript=...%>: JavaScript <%css=…%> : CSS <%raw=...%> ( , , , )

BSP

BSP HTMLB forceEncode <htmlb:content> ENABLED , ( ). ENABLED , , :<htmlb:content forceEncode="ENABLED|BACKWARDS_COMPATIBLE">

ENABLED: . , ; BACKWARDS_COMPATIBLE: . , .

, htmlb:content , . : CLASSIC, DESIGN2002, DESIGN2003, DESIGN2008, , (+). CLASSIC DESIGN2002 (, ) .

<htmlb:content forceEncode="ENABLED" design="DESIGN2003+DESIGN2008">


, design=CLASSIC. .

Mixed BSP- HTML HTMLB

forceEncode BSP page forceEncode HTMLB . , – HTMLB. , , HTML BSP,

Internet Transaction Server (ITS) HTML Business

Internet Transaction Server (ITS) HTML Business, :

xss_url_escape() xss_html_escape() xss_wml_escape() xss_css_escape() xss_js_escape()
HTML Business

, HTML-: , (`) , :
~auto_html_escaping=1: , ~new_xss_functions=1: XSS.
~html_escaping_off=1/0, .
, , SAP_BASIS:
ITS ( <= 6.40), Internet Service SE80. ITS ( >= 6.40), GUI SICF :

7.20, ~new_xss_functions, XSS- .

, , , . ~html_escaping_off=”X”, . , . SAP Security Note 1488500.

Business HTML (BHTML)

HTMLBusiness Template Library (, SAP_TemplateNonEditableField()) . , . SAP Security Note 916255.



, . , .



, XSS-:

http/security_session_timeout = 900; - , . icf/set_HTTPonly_flag_on_cookies = 0; HttpOnly , - , , . HTTPOnly, Logon tickets XSS-.

, RZ10, ( Profile) (, DEFAULT.PFL, SAP-). , , , Extended maintenance . , Copy.



, , - , - -, :
icm/HTTP/logging_0 icm/security_log ,

SAP NetWeaver J2EE

SAP NetWeaver J2EE



AS Java tc_sec_csi.jar. , HTML/XML, JavaScript, CSS URL. StringUtils (com.sap.security.core.server.csi.util.StringUtils):

. Securing SAP from XSS vulnerabilities
escapeScriptEndTag(String pStr) - , javascript ; escapeToHTML(String input) – (. 1) escapeToJS(String input) – JS declaration ( . 5) escapeToURL(String input) – , URL ( 3). , 'disableScriptSignatures'. escapeToURL(StringBuffer sb, String input, int maxLength) - , URL ( 3). , 'disableScriptSignatures'. escapeToURL(String input, int maxLength) - , URL (. 3). , 'disableScriptSignatures'. urlEncode(String s) – URLEncoder.encode

, .

1 ( )

[CASE1]

Username [CASE1]



2 ( , – URL)


Click here


3 ( - URL)




4 ( SCRIPT', – )



5 ( – declaration )



XSSEncoder.
- XSSEncoder ( : com.sap.security.core.server.csi.XSSEncoder).

:
HTML / XML out = XSSEncoder.encodeHTML( in ) and XSSEncoder.encodeXML( val ); JavaScript out = XSSEncoder.encodeJavaScript( val ); URL out = XSSEncoder.encodeURL( val ); CSS out = XSSEncoder.encodeCSS( val );

, . SAP Security Note 1590008.
WebDynpro Java
WebDynpro Java, XSS. .
SAP UI Development Kit for HTML5
SAP UI Development Kit HTML5, jQuery /_core/src/main/js/jquery.sap.encoder.js.
:
HTML / XML jQuery.sap.encodeHTML(sValue) and jQuery.sap.encodeXML(sValue) JavaScript jQuery.sap.encodeJS(sValue) URL jQuery.sap.encodeURL(sValue) CSS jQuery.sap.encodeCSS(sValue)
:

, :
Global_app_config/session_config/sessionTimeout = 900. - , . SystemCookiesDataProtection = true. HttpOnly , - , , . HTTPOnly, Logon tickets XSS-. ume.logon.httponlycookie= True. Logon tickets , Single Sign-On J2EE Engine. “True” , HTTP document.cookie ( XSS-) . SessionIPProtectionEnabled = True. , IP . True, HTTP- IP. IP, .


, , - XSS-, - -, .
LogCLF = TRUE http.properties logging CEF. ArchiveOldLogFiles = ON. Log Configurator . . , . , . . HttpTrace= Enable. HTTP- , ConfigTool. HTTP Provider Service, , HttpTrace.
SAP HANA XS

, XSS- – SAP HANA.


SAP HANA SAPUI5.
- SAPUI5 , . , int int, sap.ui.core . – , HTML:

, :
sessiontimeout = 900. - , . HttpOnly .



, , - XSS-, - -, .

HTTP (S) , SAP HANA, -. - HTTP (S) , icm/http/logging _ 0: global _ auditing _ state = true. global.ini, . , , XSS-. SAP HANA Administration Console –> Security HDB –> Auditing Status menu.



- , XSS. , , - SAP . XSS- – SAP. SAP XSS-. XSS SAP.

, ( chipik ) .


Logging additional information ABAP protection SAP Encoding Functions for AS ABAP Java protection SAP Encoding Functions for AS Java and JavaScript Prevention of Cross-site Scripting SAP HANA protection Protecting SAP® Applications Based on Java and ABAP™ Against Common Attacks

<%@page language="abap" forceEncode="html"%> <% data: inputvalue type string. inputvalue = request->get_form_field( 'x' ). %> </html> . , ( ): <%html=...%>: HTML <%url=...%>: URL URL <%javascript=...%>: JavaScript <%css=…%> : CSS <%raw=...%> ( , , , ) BSP BSP HTMLB forceEncode <htmlb:content> ENABLED , ( ). ENABLED , , :<htmlb:content forceEncode="ENABLED|BACKWARDS_COMPATIBLE"> ENABLED: . , ; BACKWARDS_COMPATIBLE: . , . , htmlb:content , . : CLASSIC, DESIGN2002, DESIGN2003, DESIGN2008, , (+). CLASSIC DESIGN2002 (, ) . <htmlb:content forceEncode="ENABLED" design="DESIGN2003+DESIGN2008"> , design=CLASSIC. . Mixed BSP- HTML HTMLB forceEncode BSP page forceEncode HTMLB . , – HTMLB. , , HTML BSP, Internet Transaction Server (ITS) HTML Business Internet Transaction Server (ITS) HTML Business, : xss_url_escape() xss_html_escape() xss_wml_escape() xss_css_escape() xss_js_escape() HTML Business , HTML-: , (`) , : ~auto_html_escaping=1: , ~new_xss_functions=1: XSS. ~html_escaping_off=1/0, . , , SAP_BASIS: ITS ( <= 6.40), Internet Service SE80. ITS ( >= 6.40), GUI SICF : 7.20, ~new_xss_functions, XSS- . , , , . ~html_escaping_off=”X”, . , . SAP Security Note 1488500. Business HTML (BHTML) HTMLBusiness Template Library (, SAP_TemplateNonEditableField()) . , . SAP Security Note 916255. , . , . , XSS-: http/security_session_timeout = 900; - , . icf/set_HTTPonly_flag_on_cookies = 0; HttpOnly , - , , . HTTPOnly, Logon tickets XSS-. , RZ10, ( Profile) (, DEFAULT.PFL, SAP-). , , , Extended maintenance . , Copy. , , - , - -, : icm/HTTP/logging_0 icm/security_log , SAP NetWeaver J2EE SAP NetWeaver J2EE AS Java tc_sec_csi.jar. , HTML/XML, JavaScript, CSS URL. StringUtils (com.sap.security.core.server.csi.util.StringUtils): . Securing SAP from XSS vulnerabilities escapeScriptEndTag(String pStr) - , javascript ; escapeToHTML(String input) – (. 1) escapeToJS(String input) – JS declaration ( . 5) escapeToURL(String input) – , URL ( 3). , 'disableScriptSignatures'. escapeToURL(StringBuffer sb, String input, int maxLength) - , URL ( 3). , 'disableScriptSignatures'. escapeToURL(String input, int maxLength) - , URL (. 3). , 'disableScriptSignatures'. urlEncode(String s) – URLEncoder.encode , . 1 ( ) [CASE1] Username [CASE1] 2 ( , – URL) Click here 3 ( - URL) 4 ( SCRIPT', – ) 5 ( – declaration ) XSSEncoder. - XSSEncoder ( : com.sap.security.core.server.csi.XSSEncoder). : HTML / XML out = XSSEncoder.encodeHTML( in ) and XSSEncoder.encodeXML( val ); JavaScript out = XSSEncoder.encodeJavaScript( val ); URL out = XSSEncoder.encodeURL( val ); CSS out = XSSEncoder.encodeCSS( val ); , . SAP Security Note 1590008. WebDynpro Java WebDynpro Java, XSS. . SAP UI Development Kit for HTML5 SAP UI Development Kit HTML5, jQuery /_core/src/main/js/jquery.sap.encoder.js. : HTML / XML jQuery.sap.encodeHTML(sValue) and jQuery.sap.encodeXML(sValue) JavaScript jQuery.sap.encodeJS(sValue) URL jQuery.sap.encodeURL(sValue) CSS jQuery.sap.encodeCSS(sValue) : , : Global_app_config/session_config/sessionTimeout = 900. - , . SystemCookiesDataProtection = true. HttpOnly , - , , . HTTPOnly, Logon tickets XSS-. ume.logon.httponlycookie= True. Logon tickets , Single Sign-On J2EE Engine. “True” , HTTP document.cookie ( XSS-) . SessionIPProtectionEnabled = True. , IP . True, HTTP- IP. IP, . , , - XSS-, - -, . LogCLF = TRUE http.properties logging CEF. ArchiveOldLogFiles = ON. Log Configurator . . , . , . . HttpTrace= Enable. HTTP- , ConfigTool. HTTP Provider Service, , HttpTrace. SAP HANA XS , XSS- – SAP HANA. SAP HANA SAPUI5. - SAPUI5 , . , int int, sap.ui.core . – , HTML: , : sessiontimeout = 900. - , . HttpOnly . , , - XSS-, - -, . HTTP (S) , SAP HANA, -. - HTTP (S) , icm/http/logging _ 0: global _ auditing _ state = true. global.ini, . , , XSS-. SAP HANA Administration Console –> Security HDB –> Auditing Status menu. - , XSS. , , - SAP . XSS- – SAP. SAP XSS-. XSS SAP. , ( chipik ) . Logging additional information ABAP protection SAP Encoding Functions for AS ABAP Java protection SAP Encoding Functions for AS Java and JavaScript Prevention of Cross-site Scripting SAP HANA protection Protecting SAP® Applications Based on Java and ABAP™ Against Common Attacks

<%@page language="abap" forceEncode="html"%>
<% data: inputvalue type string.
inputvalue = request->get_form_field( 'x' ).
%>
</html>


. , ( ):

<%html=...%>: HTML <%url=...%>: URL URL <%javascript=...%>: JavaScript <%css=…%> : CSS <%raw=...%> ( , , , )

BSP

BSP HTMLB forceEncode <htmlb:content> ENABLED , ( ). ENABLED , , :<htmlb:content forceEncode="ENABLED|BACKWARDS_COMPATIBLE">

ENABLED: . , ; BACKWARDS_COMPATIBLE: . , .

, htmlb:content , . : CLASSIC, DESIGN2002, DESIGN2003, DESIGN2008, , (+). CLASSIC DESIGN2002 (, ) .

<htmlb:content forceEncode="ENABLED" design="DESIGN2003+DESIGN2008">


, design=CLASSIC. .

Mixed BSP- HTML HTMLB

forceEncode BSP page forceEncode HTMLB . , – HTMLB. , , HTML BSP,

Internet Transaction Server (ITS) HTML Business

Internet Transaction Server (ITS) HTML Business, :

xss_url_escape() xss_html_escape() xss_wml_escape() xss_css_escape() xss_js_escape()
HTML Business

, HTML-: , (`) , :
~auto_html_escaping=1: , ~new_xss_functions=1: XSS.
~html_escaping_off=1/0, .
, , SAP_BASIS:
ITS ( <= 6.40), Internet Service SE80. ITS ( >= 6.40), GUI SICF :

7.20, ~new_xss_functions, XSS- .

, , , . ~html_escaping_off=”X”, . , . SAP Security Note 1488500.

Business HTML (BHTML)

HTMLBusiness Template Library (, SAP_TemplateNonEditableField()) . , . SAP Security Note 916255.



, . , .



, XSS-:

http/security_session_timeout = 900; - , . icf/set_HTTPonly_flag_on_cookies = 0; HttpOnly , - , , . HTTPOnly, Logon tickets XSS-.

, RZ10, ( Profile) (, DEFAULT.PFL, SAP-). , , , Extended maintenance . , Copy.



, , - , - -, :
icm/HTTP/logging_0 icm/security_log ,

SAP NetWeaver J2EE

SAP NetWeaver J2EE



AS Java tc_sec_csi.jar. , HTML/XML, JavaScript, CSS URL. StringUtils (com.sap.security.core.server.csi.util.StringUtils):

. Securing SAP from XSS vulnerabilities
escapeScriptEndTag(String pStr) - , javascript ; escapeToHTML(String input) – (. 1) escapeToJS(String input) – JS declaration ( . 5) escapeToURL(String input) – , URL ( 3). , 'disableScriptSignatures'. escapeToURL(StringBuffer sb, String input, int maxLength) - , URL ( 3). , 'disableScriptSignatures'. escapeToURL(String input, int maxLength) - , URL (. 3). , 'disableScriptSignatures'. urlEncode(String s) – URLEncoder.encode

, .

1 ( )

[CASE1]

Username [CASE1]



2 ( , – URL)


Click here


3 ( - URL)




4 ( SCRIPT', – )



5 ( – declaration )



XSSEncoder.
- XSSEncoder ( : com.sap.security.core.server.csi.XSSEncoder).

:
HTML / XML out = XSSEncoder.encodeHTML( in ) and XSSEncoder.encodeXML( val ); JavaScript out = XSSEncoder.encodeJavaScript( val ); URL out = XSSEncoder.encodeURL( val ); CSS out = XSSEncoder.encodeCSS( val );

, . SAP Security Note 1590008.
WebDynpro Java
WebDynpro Java, XSS. .
SAP UI Development Kit for HTML5
SAP UI Development Kit HTML5, jQuery /_core/src/main/js/jquery.sap.encoder.js.
:
HTML / XML jQuery.sap.encodeHTML(sValue) and jQuery.sap.encodeXML(sValue) JavaScript jQuery.sap.encodeJS(sValue) URL jQuery.sap.encodeURL(sValue) CSS jQuery.sap.encodeCSS(sValue)
:

, :
Global_app_config/session_config/sessionTimeout = 900. - , . SystemCookiesDataProtection = true. HttpOnly , - , , . HTTPOnly, Logon tickets XSS-. ume.logon.httponlycookie= True. Logon tickets , Single Sign-On J2EE Engine. “True” , HTTP document.cookie ( XSS-) . SessionIPProtectionEnabled = True. , IP . True, HTTP- IP. IP, .


, , - XSS-, - -, .
LogCLF = TRUE http.properties logging CEF. ArchiveOldLogFiles = ON. Log Configurator . . , . , . . HttpTrace= Enable. HTTP- , ConfigTool. HTTP Provider Service, , HttpTrace.
SAP HANA XS

, XSS- – SAP HANA.


SAP HANA SAPUI5.
- SAPUI5 , . , int int, sap.ui.core . – , HTML:

, :
sessiontimeout = 900. - , . HttpOnly .



, , - XSS-, - -, .

HTTP (S) , SAP HANA, -. - HTTP (S) , icm/http/logging _ 0: global _ auditing _ state = true. global.ini, . , , XSS-. SAP HANA Administration Console –> Security HDB –> Auditing Status menu.



- , XSS. , , - SAP . XSS- – SAP. SAP XSS-. XSS SAP.

, ( chipik ) .


Logging additional information ABAP protection SAP Encoding Functions for AS ABAP Java protection SAP Encoding Functions for AS Java and JavaScript Prevention of Cross-site Scripting SAP HANA protection Protecting SAP® Applications Based on Java and ABAP™ Against Common Attacks

<%@page language="abap" forceEncode="html"%> <% data: inputvalue type string. inputvalue = request->get_form_field( 'x' ). %> </html> . , ( ): <%html=...%>: HTML <%url=...%>: URL URL <%javascript=...%>: JavaScript <%css=…%> : CSS <%raw=...%> ( , , , ) BSP BSP HTMLB forceEncode <htmlb:content> ENABLED , ( ). ENABLED , , :<htmlb:content forceEncode="ENABLED|BACKWARDS_COMPATIBLE"> ENABLED: . , ; BACKWARDS_COMPATIBLE: . , . , htmlb:content , . : CLASSIC, DESIGN2002, DESIGN2003, DESIGN2008, , (+). CLASSIC DESIGN2002 (, ) . <htmlb:content forceEncode="ENABLED" design="DESIGN2003+DESIGN2008"> , design=CLASSIC. . Mixed BSP- HTML HTMLB forceEncode BSP page forceEncode HTMLB . , – HTMLB. , , HTML BSP, Internet Transaction Server (ITS) HTML Business Internet Transaction Server (ITS) HTML Business, : xss_url_escape() xss_html_escape() xss_wml_escape() xss_css_escape() xss_js_escape() HTML Business , HTML-: , (`) , : ~auto_html_escaping=1: , ~new_xss_functions=1: XSS. ~html_escaping_off=1/0, . , , SAP_BASIS: ITS ( <= 6.40), Internet Service SE80. ITS ( >= 6.40), GUI SICF : 7.20, ~new_xss_functions, XSS- . , , , . ~html_escaping_off=”X”, . , . SAP Security Note 1488500. Business HTML (BHTML) HTMLBusiness Template Library (, SAP_TemplateNonEditableField()) . , . SAP Security Note 916255. , . , . , XSS-: http/security_session_timeout = 900; - , . icf/set_HTTPonly_flag_on_cookies = 0; HttpOnly , - , , . HTTPOnly, Logon tickets XSS-. , RZ10, ( Profile) (, DEFAULT.PFL, SAP-). , , , Extended maintenance . , Copy. , , - , - -, : icm/HTTP/logging_0 icm/security_log , SAP NetWeaver J2EE SAP NetWeaver J2EE AS Java tc_sec_csi.jar. , HTML/XML, JavaScript, CSS URL. StringUtils (com.sap.security.core.server.csi.util.StringUtils): . Securing SAP from XSS vulnerabilities escapeScriptEndTag(String pStr) - , javascript ; escapeToHTML(String input) – (. 1) escapeToJS(String input) – JS declaration ( . 5) escapeToURL(String input) – , URL ( 3). , 'disableScriptSignatures'. escapeToURL(StringBuffer sb, String input, int maxLength) - , URL ( 3). , 'disableScriptSignatures'. escapeToURL(String input, int maxLength) - , URL (. 3). , 'disableScriptSignatures'. urlEncode(String s) – URLEncoder.encode , . 1 ( ) [CASE1] Username [CASE1] 2 ( , – URL) Click here 3 ( - URL) 4 ( SCRIPT', – ) 5 ( – declaration ) XSSEncoder. - XSSEncoder ( : com.sap.security.core.server.csi.XSSEncoder). : HTML / XML out = XSSEncoder.encodeHTML( in ) and XSSEncoder.encodeXML( val ); JavaScript out = XSSEncoder.encodeJavaScript( val ); URL out = XSSEncoder.encodeURL( val ); CSS out = XSSEncoder.encodeCSS( val ); , . SAP Security Note 1590008. WebDynpro Java WebDynpro Java, XSS. . SAP UI Development Kit for HTML5 SAP UI Development Kit HTML5, jQuery /_core/src/main/js/jquery.sap.encoder.js. : HTML / XML jQuery.sap.encodeHTML(sValue) and jQuery.sap.encodeXML(sValue) JavaScript jQuery.sap.encodeJS(sValue) URL jQuery.sap.encodeURL(sValue) CSS jQuery.sap.encodeCSS(sValue) : , : Global_app_config/session_config/sessionTimeout = 900. - , . SystemCookiesDataProtection = true. HttpOnly , - , , . HTTPOnly, Logon tickets XSS-. ume.logon.httponlycookie= True. Logon tickets , Single Sign-On J2EE Engine. “True” , HTTP document.cookie ( XSS-) . SessionIPProtectionEnabled = True. , IP . True, HTTP- IP. IP, . , , - XSS-, - -, . LogCLF = TRUE http.properties logging CEF. ArchiveOldLogFiles = ON. Log Configurator . . , . , . . HttpTrace= Enable. HTTP- , ConfigTool. HTTP Provider Service, , HttpTrace. SAP HANA XS , XSS- – SAP HANA. SAP HANA SAPUI5. - SAPUI5 , . , int int, sap.ui.core . – , HTML: , : sessiontimeout = 900. - , . HttpOnly . , , - XSS-, - -, . HTTP (S) , SAP HANA, -. - HTTP (S) , icm/http/logging _ 0: global _ auditing _ state = true. global.ini, . , , XSS-. SAP HANA Administration Console –> Security HDB –> Auditing Status menu. - , XSS. , , - SAP . XSS- – SAP. SAP XSS-. XSS SAP. , ( chipik ) . Logging additional information ABAP protection SAP Encoding Functions for AS ABAP Java protection SAP Encoding Functions for AS Java and JavaScript Prevention of Cross-site Scripting SAP HANA protection Protecting SAP® Applications Based on Java and ABAP™ Against Common Attacks

<%@page language="abap" forceEncode="html"%>
<% data: inputvalue type string.
inputvalue = request->get_form_field( 'x' ).
%>
</html>


. , ( ):

<%html=...%>: HTML <%url=...%>: URL URL <%javascript=...%>: JavaScript <%css=…%> : CSS <%raw=...%> ( , , , )

BSP

BSP HTMLB forceEncode <htmlb:content> ENABLED , ( ). ENABLED , , :<htmlb:content forceEncode="ENABLED|BACKWARDS_COMPATIBLE">

ENABLED: . , ; BACKWARDS_COMPATIBLE: . , .

, htmlb:content , . : CLASSIC, DESIGN2002, DESIGN2003, DESIGN2008, , (+). CLASSIC DESIGN2002 (, ) .

<htmlb:content forceEncode="ENABLED" design="DESIGN2003+DESIGN2008">


, design=CLASSIC. .

Mixed BSP- HTML HTMLB

forceEncode BSP page forceEncode HTMLB . , – HTMLB. , , HTML BSP,

Internet Transaction Server (ITS) HTML Business

Internet Transaction Server (ITS) HTML Business, :

xss_url_escape() xss_html_escape() xss_wml_escape() xss_css_escape() xss_js_escape()
HTML Business

, HTML-: , (`) , :
~auto_html_escaping=1: , ~new_xss_functions=1: XSS.
~html_escaping_off=1/0, .
, , SAP_BASIS:
ITS ( <= 6.40), Internet Service SE80. ITS ( >= 6.40), GUI SICF :

7.20, ~new_xss_functions, XSS- .

, , , . ~html_escaping_off=”X”, . , . SAP Security Note 1488500.

Business HTML (BHTML)

HTMLBusiness Template Library (, SAP_TemplateNonEditableField()) . , . SAP Security Note 916255.



, . , .



, XSS-:

http/security_session_timeout = 900; - , . icf/set_HTTPonly_flag_on_cookies = 0; HttpOnly , - , , . HTTPOnly, Logon tickets XSS-.

, RZ10, ( Profile) (, DEFAULT.PFL, SAP-). , , , Extended maintenance . , Copy.



, , - , - -, :
icm/HTTP/logging_0 icm/security_log ,

SAP NetWeaver J2EE

SAP NetWeaver J2EE



AS Java tc_sec_csi.jar. , HTML/XML, JavaScript, CSS URL. StringUtils (com.sap.security.core.server.csi.util.StringUtils):

. Securing SAP from XSS vulnerabilities
escapeScriptEndTag(String pStr) - , javascript ; escapeToHTML(String input) – (. 1) escapeToJS(String input) – JS declaration ( . 5) escapeToURL(String input) – , URL ( 3). , 'disableScriptSignatures'. escapeToURL(StringBuffer sb, String input, int maxLength) - , URL ( 3). , 'disableScriptSignatures'. escapeToURL(String input, int maxLength) - , URL (. 3). , 'disableScriptSignatures'. urlEncode(String s) – URLEncoder.encode

, .

1 ( )

[CASE1]

Username [CASE1]



2 ( , – URL)


Click here


3 ( - URL)




4 ( SCRIPT', – )



5 ( – declaration )



XSSEncoder.
- XSSEncoder ( : com.sap.security.core.server.csi.XSSEncoder).

:
HTML / XML out = XSSEncoder.encodeHTML( in ) and XSSEncoder.encodeXML( val ); JavaScript out = XSSEncoder.encodeJavaScript( val ); URL out = XSSEncoder.encodeURL( val ); CSS out = XSSEncoder.encodeCSS( val );

, . SAP Security Note 1590008.
WebDynpro Java
WebDynpro Java, XSS. .
SAP UI Development Kit for HTML5
SAP UI Development Kit HTML5, jQuery /_core/src/main/js/jquery.sap.encoder.js.
:
HTML / XML jQuery.sap.encodeHTML(sValue) and jQuery.sap.encodeXML(sValue) JavaScript jQuery.sap.encodeJS(sValue) URL jQuery.sap.encodeURL(sValue) CSS jQuery.sap.encodeCSS(sValue)
:

, :
Global_app_config/session_config/sessionTimeout = 900. - , . SystemCookiesDataProtection = true. HttpOnly , - , , . HTTPOnly, Logon tickets XSS-. ume.logon.httponlycookie= True. Logon tickets , Single Sign-On J2EE Engine. “True” , HTTP document.cookie ( XSS-) . SessionIPProtectionEnabled = True. , IP . True, HTTP- IP. IP, .


, , - XSS-, - -, .
LogCLF = TRUE http.properties logging CEF. ArchiveOldLogFiles = ON. Log Configurator . . , . , . . HttpTrace= Enable. HTTP- , ConfigTool. HTTP Provider Service, , HttpTrace.
SAP HANA XS

, XSS- – SAP HANA.


SAP HANA SAPUI5.
- SAPUI5 , . , int int, sap.ui.core . – , HTML:

, :
sessiontimeout = 900. - , . HttpOnly .



, , - XSS-, - -, .

HTTP (S) , SAP HANA, -. - HTTP (S) , icm/http/logging _ 0: global _ auditing _ state = true. global.ini, . , , XSS-. SAP HANA Administration Console –> Security HDB –> Auditing Status menu.



- , XSS. , , - SAP . XSS- – SAP. SAP XSS-. XSS SAP.

, ( chipik ) .


Logging additional information ABAP protection SAP Encoding Functions for AS ABAP Java protection SAP Encoding Functions for AS Java and JavaScript Prevention of Cross-site Scripting SAP HANA protection Protecting SAP® Applications Based on Java and ABAP™ Against Common Attacks

<%@page language="abap" forceEncode="html"%> <% data: inputvalue type string. inputvalue = request->get_form_field( 'x' ). %> </html> . , ( ): <%html=...%>: HTML <%url=...%>: URL URL <%javascript=...%>: JavaScript <%css=…%> : CSS <%raw=...%> ( , , , ) BSP BSP HTMLB forceEncode <htmlb:content> ENABLED , ( ). ENABLED , , :<htmlb:content forceEncode="ENABLED|BACKWARDS_COMPATIBLE"> ENABLED: . , ; BACKWARDS_COMPATIBLE: . , . , htmlb:content , . : CLASSIC, DESIGN2002, DESIGN2003, DESIGN2008, , (+). CLASSIC DESIGN2002 (, ) . <htmlb:content forceEncode="ENABLED" design="DESIGN2003+DESIGN2008"> , design=CLASSIC. . Mixed BSP- HTML HTMLB forceEncode BSP page forceEncode HTMLB . , – HTMLB. , , HTML BSP, Internet Transaction Server (ITS) HTML Business Internet Transaction Server (ITS) HTML Business, : xss_url_escape() xss_html_escape() xss_wml_escape() xss_css_escape() xss_js_escape() HTML Business , HTML-: , (`) , : ~auto_html_escaping=1: , ~new_xss_functions=1: XSS. ~html_escaping_off=1/0, . , , SAP_BASIS: ITS ( <= 6.40), Internet Service SE80. ITS ( >= 6.40), GUI SICF : 7.20, ~new_xss_functions, XSS- . , , , . ~html_escaping_off=”X”, . , . SAP Security Note 1488500. Business HTML (BHTML) HTMLBusiness Template Library (, SAP_TemplateNonEditableField()) . , . SAP Security Note 916255. , . , . , XSS-: http/security_session_timeout = 900; - , . icf/set_HTTPonly_flag_on_cookies = 0; HttpOnly , - , , . HTTPOnly, Logon tickets XSS-. , RZ10, ( Profile) (, DEFAULT.PFL, SAP-). , , , Extended maintenance . , Copy. , , - , - -, : icm/HTTP/logging_0 icm/security_log , SAP NetWeaver J2EE SAP NetWeaver J2EE AS Java tc_sec_csi.jar. , HTML/XML, JavaScript, CSS URL. StringUtils (com.sap.security.core.server.csi.util.StringUtils): . Securing SAP from XSS vulnerabilities escapeScriptEndTag(String pStr) - , javascript ; escapeToHTML(String input) – (. 1) escapeToJS(String input) – JS declaration ( . 5) escapeToURL(String input) – , URL ( 3). , 'disableScriptSignatures'. escapeToURL(StringBuffer sb, String input, int maxLength) - , URL ( 3). , 'disableScriptSignatures'. escapeToURL(String input, int maxLength) - , URL (. 3). , 'disableScriptSignatures'. urlEncode(String s) – URLEncoder.encode , . 1 ( ) [CASE1] Username [CASE1] 2 ( , – URL) Click here 3 ( - URL) 4 ( SCRIPT', – ) 5 ( – declaration ) XSSEncoder. - XSSEncoder ( : com.sap.security.core.server.csi.XSSEncoder). : HTML / XML out = XSSEncoder.encodeHTML( in ) and XSSEncoder.encodeXML( val ); JavaScript out = XSSEncoder.encodeJavaScript( val ); URL out = XSSEncoder.encodeURL( val ); CSS out = XSSEncoder.encodeCSS( val ); , . SAP Security Note 1590008. WebDynpro Java WebDynpro Java, XSS. . SAP UI Development Kit for HTML5 SAP UI Development Kit HTML5, jQuery /_core/src/main/js/jquery.sap.encoder.js. : HTML / XML jQuery.sap.encodeHTML(sValue) and jQuery.sap.encodeXML(sValue) JavaScript jQuery.sap.encodeJS(sValue) URL jQuery.sap.encodeURL(sValue) CSS jQuery.sap.encodeCSS(sValue) : , : Global_app_config/session_config/sessionTimeout = 900. - , . SystemCookiesDataProtection = true. HttpOnly , - , , . HTTPOnly, Logon tickets XSS-. ume.logon.httponlycookie= True. Logon tickets , Single Sign-On J2EE Engine. “True” , HTTP document.cookie ( XSS-) . SessionIPProtectionEnabled = True. , IP . True, HTTP- IP. IP, . , , - XSS-, - -, . LogCLF = TRUE http.properties logging CEF. ArchiveOldLogFiles = ON. Log Configurator . . , . , . . HttpTrace= Enable. HTTP- , ConfigTool. HTTP Provider Service, , HttpTrace. SAP HANA XS , XSS- – SAP HANA. SAP HANA SAPUI5. - SAPUI5 , . , int int, sap.ui.core . – , HTML: , : sessiontimeout = 900. - , . HttpOnly . , , - XSS-, - -, . HTTP (S) , SAP HANA, -. - HTTP (S) , icm/http/logging _ 0: global _ auditing _ state = true. global.ini, . , , XSS-. SAP HANA Administration Console –> Security HDB –> Auditing Status menu. - , XSS. , , - SAP . XSS- – SAP. SAP XSS-. XSS SAP. , ( chipik ) . Logging additional information ABAP protection SAP Encoding Functions for AS ABAP Java protection SAP Encoding Functions for AS Java and JavaScript Prevention of Cross-site Scripting SAP HANA protection Protecting SAP® Applications Based on Java and ABAP™ Against Common Attacks
<%@page language="abap" forceEncode="html"%> <% data: inputvalue type string. inputvalue = request->get_form_field( 'x' ). %> </html> . , ( ): <%html=...%>: HTML <%url=...%>: URL URL <%javascript=...%>: JavaScript <%css=…%> : CSS <%raw=...%> ( , , , ) BSP BSP HTMLB forceEncode <htmlb:content> ENABLED , ( ). ENABLED , , :<htmlb:content forceEncode="ENABLED|BACKWARDS_COMPATIBLE"> ENABLED: . , ; BACKWARDS_COMPATIBLE: . , . , htmlb:content , . : CLASSIC, DESIGN2002, DESIGN2003, DESIGN2008, , (+). CLASSIC DESIGN2002 (, ) . <htmlb:content forceEncode="ENABLED" design="DESIGN2003+DESIGN2008"> , design=CLASSIC. . Mixed BSP- HTML HTMLB forceEncode BSP page forceEncode HTMLB . , – HTMLB. , , HTML BSP, Internet Transaction Server (ITS) HTML Business Internet Transaction Server (ITS) HTML Business, : xss_url_escape() xss_html_escape() xss_wml_escape() xss_css_escape() xss_js_escape() HTML Business , HTML-: , (`) , : ~auto_html_escaping=1: , ~new_xss_functions=1: XSS. ~html_escaping_off=1/0, . , , SAP_BASIS: ITS ( <= 6.40), Internet Service SE80. ITS ( >= 6.40), GUI SICF : 7.20, ~new_xss_functions, XSS- . , , , . ~html_escaping_off=”X”, . , . SAP Security Note 1488500. Business HTML (BHTML) HTMLBusiness Template Library (, SAP_TemplateNonEditableField()) . , . SAP Security Note 916255. , . , . , XSS-: http/security_session_timeout = 900; - , . icf/set_HTTPonly_flag_on_cookies = 0; HttpOnly , - , , . HTTPOnly, Logon tickets XSS-. , RZ10, ( Profile) (, DEFAULT.PFL, SAP-). , , , Extended maintenance . , Copy. , , - , - -, : icm/HTTP/logging_0 icm/security_log , SAP NetWeaver J2EE SAP NetWeaver J2EE AS Java tc_sec_csi.jar. , HTML/XML, JavaScript, CSS URL. StringUtils (com.sap.security.core.server.csi.util.StringUtils): . Securing SAP from XSS vulnerabilities escapeScriptEndTag(String pStr) - , javascript ; escapeToHTML(String input) – (. 1) escapeToJS(String input) – JS declaration ( . 5) escapeToURL(String input) – , URL ( 3). , 'disableScriptSignatures'. escapeToURL(StringBuffer sb, String input, int maxLength) - , URL ( 3). , 'disableScriptSignatures'. escapeToURL(String input, int maxLength) - , URL (. 3). , 'disableScriptSignatures'. urlEncode(String s) – URLEncoder.encode , . 1 ( ) [CASE1] Username [CASE1] 2 ( , – URL) Click here 3 ( - URL) 4 ( SCRIPT', – ) 5 ( – declaration ) XSSEncoder. - XSSEncoder ( : com.sap.security.core.server.csi.XSSEncoder). : HTML / XML out = XSSEncoder.encodeHTML( in ) and XSSEncoder.encodeXML( val ); JavaScript out = XSSEncoder.encodeJavaScript( val ); URL out = XSSEncoder.encodeURL( val ); CSS out = XSSEncoder.encodeCSS( val ); , . SAP Security Note 1590008. WebDynpro Java WebDynpro Java, XSS. . SAP UI Development Kit for HTML5 SAP UI Development Kit HTML5, jQuery /_core/src/main/js/jquery.sap.encoder.js. : HTML / XML jQuery.sap.encodeHTML(sValue) and jQuery.sap.encodeXML(sValue) JavaScript jQuery.sap.encodeJS(sValue) URL jQuery.sap.encodeURL(sValue) CSS jQuery.sap.encodeCSS(sValue) : , : Global_app_config/session_config/sessionTimeout = 900. - , . SystemCookiesDataProtection = true. HttpOnly , - , , . HTTPOnly, Logon tickets XSS-. ume.logon.httponlycookie= True. Logon tickets , Single Sign-On J2EE Engine. “True” , HTTP document.cookie ( XSS-) . SessionIPProtectionEnabled = True. , IP . True, HTTP- IP. IP, . , , - XSS-, - -, . LogCLF = TRUE http.properties logging CEF. ArchiveOldLogFiles = ON. Log Configurator . . , . , . . HttpTrace= Enable. HTTP- , ConfigTool. HTTP Provider Service, , HttpTrace. SAP HANA XS , XSS- – SAP HANA. SAP HANA SAPUI5. - SAPUI5 , . , int int, sap.ui.core . – , HTML: , : sessiontimeout = 900. - , . HttpOnly . , , - XSS-, - -, . HTTP (S) , SAP HANA, -. - HTTP (S) , icm/http/logging _ 0: global _ auditing _ state = true. global.ini, . , , XSS-. SAP HANA Administration Console –> Security HDB –> Auditing Status menu. - , XSS. , , - SAP . XSS- – SAP. SAP XSS-. XSS SAP. , ( chipik ) . Logging additional information ABAP protection SAP Encoding Functions for AS ABAP Java protection SAP Encoding Functions for AS Java and JavaScript Prevention of Cross-site Scripting SAP HANA protection Protecting SAP® Applications Based on Java and ABAP™ Against Common Attacks

<%@page language="abap" forceEncode="html"%>
<% data: inputvalue type string.
inputvalue = request->get_form_field( 'x' ).
%>
</html>


. , ( ):

<%html=...%>: HTML <%url=...%>: URL URL <%javascript=...%>: JavaScript <%css=…%> : CSS <%raw=...%> ( , , , )

BSP

BSP HTMLB forceEncode <htmlb:content> ENABLED , ( ). ENABLED , , :<htmlb:content forceEncode="ENABLED|BACKWARDS_COMPATIBLE">

ENABLED: . , ; BACKWARDS_COMPATIBLE: . , .

, htmlb:content , . : CLASSIC, DESIGN2002, DESIGN2003, DESIGN2008, , (+). CLASSIC DESIGN2002 (, ) .

<htmlb:content forceEncode="ENABLED" design="DESIGN2003+DESIGN2008">


, design=CLASSIC. .

Mixed BSP- HTML HTMLB

forceEncode BSP page forceEncode HTMLB . , – HTMLB. , , HTML BSP,

Internet Transaction Server (ITS) HTML Business

Internet Transaction Server (ITS) HTML Business, :

xss_url_escape() xss_html_escape() xss_wml_escape() xss_css_escape() xss_js_escape()
HTML Business

, HTML-: , (`) , :
~auto_html_escaping=1: , ~new_xss_functions=1: XSS.
~html_escaping_off=1/0, .
, , SAP_BASIS:
ITS ( <= 6.40), Internet Service SE80. ITS ( >= 6.40), GUI SICF :

7.20, ~new_xss_functions, XSS- .

, , , . ~html_escaping_off=”X”, . , . SAP Security Note 1488500.

Business HTML (BHTML)

HTMLBusiness Template Library (, SAP_TemplateNonEditableField()) . , . SAP Security Note 916255.



, . , .



, XSS-:

http/security_session_timeout = 900; - , . icf/set_HTTPonly_flag_on_cookies = 0; HttpOnly , - , , . HTTPOnly, Logon tickets XSS-.

, RZ10, ( Profile) (, DEFAULT.PFL, SAP-). , , , Extended maintenance . , Copy.



, , - , - -, :
icm/HTTP/logging_0 icm/security_log ,

SAP NetWeaver J2EE

SAP NetWeaver J2EE



AS Java tc_sec_csi.jar. , HTML/XML, JavaScript, CSS URL. StringUtils (com.sap.security.core.server.csi.util.StringUtils):

. Securing SAP from XSS vulnerabilities
escapeScriptEndTag(String pStr) - , javascript ; escapeToHTML(String input) – (. 1) escapeToJS(String input) – JS declaration ( . 5) escapeToURL(String input) – , URL ( 3). , 'disableScriptSignatures'. escapeToURL(StringBuffer sb, String input, int maxLength) - , URL ( 3). , 'disableScriptSignatures'. escapeToURL(String input, int maxLength) - , URL (. 3). , 'disableScriptSignatures'. urlEncode(String s) – URLEncoder.encode

, .

1 ( )

[CASE1]

Username [CASE1]



2 ( , – URL)


Click here


3 ( - URL)




4 ( SCRIPT', – )



5 ( – declaration )



XSSEncoder.
- XSSEncoder ( : com.sap.security.core.server.csi.XSSEncoder).

:
HTML / XML out = XSSEncoder.encodeHTML( in ) and XSSEncoder.encodeXML( val ); JavaScript out = XSSEncoder.encodeJavaScript( val ); URL out = XSSEncoder.encodeURL( val ); CSS out = XSSEncoder.encodeCSS( val );

, . SAP Security Note 1590008.
WebDynpro Java
WebDynpro Java, XSS. .
SAP UI Development Kit for HTML5
SAP UI Development Kit HTML5, jQuery /_core/src/main/js/jquery.sap.encoder.js.
:
HTML / XML jQuery.sap.encodeHTML(sValue) and jQuery.sap.encodeXML(sValue) JavaScript jQuery.sap.encodeJS(sValue) URL jQuery.sap.encodeURL(sValue) CSS jQuery.sap.encodeCSS(sValue)
:

, :
Global_app_config/session_config/sessionTimeout = 900. - , . SystemCookiesDataProtection = true. HttpOnly , - , , . HTTPOnly, Logon tickets XSS-. ume.logon.httponlycookie= True. Logon tickets , Single Sign-On J2EE Engine. “True” , HTTP document.cookie ( XSS-) . SessionIPProtectionEnabled = True. , IP . True, HTTP- IP. IP, .


, , - XSS-, - -, .
LogCLF = TRUE http.properties logging CEF. ArchiveOldLogFiles = ON. Log Configurator . . , . , . . HttpTrace= Enable. HTTP- , ConfigTool. HTTP Provider Service, , HttpTrace.
SAP HANA XS

, XSS- – SAP HANA.


SAP HANA SAPUI5.
- SAPUI5 , . , int int, sap.ui.core . – , HTML:

, :
sessiontimeout = 900. - , . HttpOnly .



, , - XSS-, - -, .

HTTP (S) , SAP HANA, -. - HTTP (S) , icm/http/logging _ 0: global _ auditing _ state = true. global.ini, . , , XSS-. SAP HANA Administration Console –> Security HDB –> Auditing Status menu.



- , XSS. , , - SAP . XSS- – SAP. SAP XSS-. XSS SAP.

, ( chipik ) .


Logging additional information ABAP protection SAP Encoding Functions for AS ABAP Java protection SAP Encoding Functions for AS Java and JavaScript Prevention of Cross-site Scripting SAP HANA protection Protecting SAP® Applications Based on Java and ABAP™ Against Common Attacks

<%@page language="abap" forceEncode="html"%> <% data: inputvalue type string. inputvalue = request->get_form_field( 'x' ). %> </html> . , ( ): <%html=...%>: HTML <%url=...%>: URL URL <%javascript=...%>: JavaScript <%css=…%> : CSS <%raw=...%> ( , , , ) BSP BSP HTMLB forceEncode <htmlb:content> ENABLED , ( ). ENABLED , , :<htmlb:content forceEncode="ENABLED|BACKWARDS_COMPATIBLE"> ENABLED: . , ; BACKWARDS_COMPATIBLE: . , . , htmlb:content , . : CLASSIC, DESIGN2002, DESIGN2003, DESIGN2008, , (+). CLASSIC DESIGN2002 (, ) . <htmlb:content forceEncode="ENABLED" design="DESIGN2003+DESIGN2008"> , design=CLASSIC. . Mixed BSP- HTML HTMLB forceEncode BSP page forceEncode HTMLB . , – HTMLB. , , HTML BSP, Internet Transaction Server (ITS) HTML Business Internet Transaction Server (ITS) HTML Business, : xss_url_escape() xss_html_escape() xss_wml_escape() xss_css_escape() xss_js_escape() HTML Business , HTML-: , (`) , : ~auto_html_escaping=1: , ~new_xss_functions=1: XSS. ~html_escaping_off=1/0, . , , SAP_BASIS: ITS ( <= 6.40), Internet Service SE80. ITS ( >= 6.40), GUI SICF : 7.20, ~new_xss_functions, XSS- . , , , . ~html_escaping_off=”X”, . , . SAP Security Note 1488500. Business HTML (BHTML) HTMLBusiness Template Library (, SAP_TemplateNonEditableField()) . , . SAP Security Note 916255. , . , . , XSS-: http/security_session_timeout = 900; - , . icf/set_HTTPonly_flag_on_cookies = 0; HttpOnly , - , , . HTTPOnly, Logon tickets XSS-. , RZ10, ( Profile) (, DEFAULT.PFL, SAP-). , , , Extended maintenance . , Copy. , , - , - -, : icm/HTTP/logging_0 icm/security_log , SAP NetWeaver J2EE SAP NetWeaver J2EE AS Java tc_sec_csi.jar. , HTML/XML, JavaScript, CSS URL. StringUtils (com.sap.security.core.server.csi.util.StringUtils): . Securing SAP from XSS vulnerabilities escapeScriptEndTag(String pStr) - , javascript ; escapeToHTML(String input) – (. 1) escapeToJS(String input) – JS declaration ( . 5) escapeToURL(String input) – , URL ( 3). , 'disableScriptSignatures'. escapeToURL(StringBuffer sb, String input, int maxLength) - , URL ( 3). , 'disableScriptSignatures'. escapeToURL(String input, int maxLength) - , URL (. 3). , 'disableScriptSignatures'. urlEncode(String s) – URLEncoder.encode , . 1 ( ) [CASE1] Username [CASE1] 2 ( , – URL) Click here 3 ( - URL) 4 ( SCRIPT', – ) 5 ( – declaration ) XSSEncoder. - XSSEncoder ( : com.sap.security.core.server.csi.XSSEncoder). : HTML / XML out = XSSEncoder.encodeHTML( in ) and XSSEncoder.encodeXML( val ); JavaScript out = XSSEncoder.encodeJavaScript( val ); URL out = XSSEncoder.encodeURL( val ); CSS out = XSSEncoder.encodeCSS( val ); , . SAP Security Note 1590008. WebDynpro Java WebDynpro Java, XSS. . SAP UI Development Kit for HTML5 SAP UI Development Kit HTML5, jQuery /_core/src/main/js/jquery.sap.encoder.js. : HTML / XML jQuery.sap.encodeHTML(sValue) and jQuery.sap.encodeXML(sValue) JavaScript jQuery.sap.encodeJS(sValue) URL jQuery.sap.encodeURL(sValue) CSS jQuery.sap.encodeCSS(sValue) : , : Global_app_config/session_config/sessionTimeout = 900. - , . SystemCookiesDataProtection = true. HttpOnly , - , , . HTTPOnly, Logon tickets XSS-. ume.logon.httponlycookie= True. Logon tickets , Single Sign-On J2EE Engine. “True” , HTTP document.cookie ( XSS-) . SessionIPProtectionEnabled = True. , IP . True, HTTP- IP. IP, . , , - XSS-, - -, . LogCLF = TRUE http.properties logging CEF. ArchiveOldLogFiles = ON. Log Configurator . . , . , . . HttpTrace= Enable. HTTP- , ConfigTool. HTTP Provider Service, , HttpTrace. SAP HANA XS , XSS- – SAP HANA. SAP HANA SAPUI5. - SAPUI5 , . , int int, sap.ui.core . – , HTML: , : sessiontimeout = 900. - , . HttpOnly . , , - XSS-, - -, . HTTP (S) , SAP HANA, -. - HTTP (S) , icm/http/logging _ 0: global _ auditing _ state = true. global.ini, . , , XSS-. SAP HANA Administration Console –> Security HDB –> Auditing Status menu. - , XSS. , , - SAP . XSS- – SAP. SAP XSS-. XSS SAP. , ( chipik ) . Logging additional information ABAP protection SAP Encoding Functions for AS ABAP Java protection SAP Encoding Functions for AS Java and JavaScript Prevention of Cross-site Scripting SAP HANA protection Protecting SAP® Applications Based on Java and ABAP™ Against Common Attacks

<%@page language="abap" forceEncode="html"%>
<% data: inputvalue type string.
inputvalue = request->get_form_field( 'x' ).
%>
</html>


. , ( ):

<%html=...%>: HTML <%url=...%>: URL URL <%javascript=...%>: JavaScript <%css=…%> : CSS <%raw=...%> ( , , , )

BSP

BSP HTMLB forceEncode <htmlb:content> ENABLED , ( ). ENABLED , , :<htmlb:content forceEncode="ENABLED|BACKWARDS_COMPATIBLE">

ENABLED: . , ; BACKWARDS_COMPATIBLE: . , .

, htmlb:content , . : CLASSIC, DESIGN2002, DESIGN2003, DESIGN2008, , (+). CLASSIC DESIGN2002 (, ) .

<htmlb:content forceEncode="ENABLED" design="DESIGN2003+DESIGN2008">


, design=CLASSIC. .

Mixed BSP- HTML HTMLB

forceEncode BSP page forceEncode HTMLB . , – HTMLB. , , HTML BSP,

Internet Transaction Server (ITS) HTML Business

Internet Transaction Server (ITS) HTML Business, :

xss_url_escape() xss_html_escape() xss_wml_escape() xss_css_escape() xss_js_escape()
HTML Business

, HTML-: , (`) , :
~auto_html_escaping=1: , ~new_xss_functions=1: XSS.
~html_escaping_off=1/0, .
, , SAP_BASIS:
ITS ( <= 6.40), Internet Service SE80. ITS ( >= 6.40), GUI SICF :

7.20, ~new_xss_functions, XSS- .

, , , . ~html_escaping_off=”X”, . , . SAP Security Note 1488500.

Business HTML (BHTML)

HTMLBusiness Template Library (, SAP_TemplateNonEditableField()) . , . SAP Security Note 916255.



, . , .



, XSS-:

http/security_session_timeout = 900; - , . icf/set_HTTPonly_flag_on_cookies = 0; HttpOnly , - , , . HTTPOnly, Logon tickets XSS-.

, RZ10, ( Profile) (, DEFAULT.PFL, SAP-). , , , Extended maintenance . , Copy.



, , - , - -, :
icm/HTTP/logging_0 icm/security_log ,

SAP NetWeaver J2EE

SAP NetWeaver J2EE



AS Java tc_sec_csi.jar. , HTML/XML, JavaScript, CSS URL. StringUtils (com.sap.security.core.server.csi.util.StringUtils):

. Securing SAP from XSS vulnerabilities
escapeScriptEndTag(String pStr) - , javascript ; escapeToHTML(String input) – (. 1) escapeToJS(String input) – JS declaration ( . 5) escapeToURL(String input) – , URL ( 3). , 'disableScriptSignatures'. escapeToURL(StringBuffer sb, String input, int maxLength) - , URL ( 3). , 'disableScriptSignatures'. escapeToURL(String input, int maxLength) - , URL (. 3). , 'disableScriptSignatures'. urlEncode(String s) – URLEncoder.encode

, .

1 ( )

[CASE1]

Username [CASE1]



2 ( , – URL)


Click here


3 ( - URL)




4 ( SCRIPT', – )



5 ( – declaration )



XSSEncoder.
- XSSEncoder ( : com.sap.security.core.server.csi.XSSEncoder).

:
HTML / XML out = XSSEncoder.encodeHTML( in ) and XSSEncoder.encodeXML( val ); JavaScript out = XSSEncoder.encodeJavaScript( val ); URL out = XSSEncoder.encodeURL( val ); CSS out = XSSEncoder.encodeCSS( val );

, . SAP Security Note 1590008.
WebDynpro Java
WebDynpro Java, XSS. .
SAP UI Development Kit for HTML5
SAP UI Development Kit HTML5, jQuery /_core/src/main/js/jquery.sap.encoder.js.
:
HTML / XML jQuery.sap.encodeHTML(sValue) and jQuery.sap.encodeXML(sValue) JavaScript jQuery.sap.encodeJS(sValue) URL jQuery.sap.encodeURL(sValue) CSS jQuery.sap.encodeCSS(sValue)
:

, :
Global_app_config/session_config/sessionTimeout = 900. - , . SystemCookiesDataProtection = true. HttpOnly , - , , . HTTPOnly, Logon tickets XSS-. ume.logon.httponlycookie= True. Logon tickets , Single Sign-On J2EE Engine. “True” , HTTP document.cookie ( XSS-) . SessionIPProtectionEnabled = True. , IP . True, HTTP- IP. IP, .


, , - XSS-, - -, .
LogCLF = TRUE http.properties logging CEF. ArchiveOldLogFiles = ON. Log Configurator . . , . , . . HttpTrace= Enable. HTTP- , ConfigTool. HTTP Provider Service, , HttpTrace.
SAP HANA XS

, XSS- – SAP HANA.


SAP HANA SAPUI5.
- SAPUI5 , . , int int, sap.ui.core . – , HTML:

, :
sessiontimeout = 900. - , . HttpOnly .



, , - XSS-, - -, .

HTTP (S) , SAP HANA, -. - HTTP (S) , icm/http/logging _ 0: global _ auditing _ state = true. global.ini, . , , XSS-. SAP HANA Administration Console –> Security HDB –> Auditing Status menu.



- , XSS. , , - SAP . XSS- – SAP. SAP XSS-. XSS SAP.

, ( chipik ) .


Logging additional information ABAP protection SAP Encoding Functions for AS ABAP Java protection SAP Encoding Functions for AS Java and JavaScript Prevention of Cross-site Scripting SAP HANA protection Protecting SAP® Applications Based on Java and ABAP™ Against Common Attacks

<%@page language="abap" forceEncode="html"%> <% data: inputvalue type string. inputvalue = request->get_form_field( 'x' ). %> </html> . , ( ): <%html=...%>: HTML <%url=...%>: URL URL <%javascript=...%>: JavaScript <%css=…%> : CSS <%raw=...%> ( , , , ) BSP BSP HTMLB forceEncode <htmlb:content> ENABLED , ( ). ENABLED , , :<htmlb:content forceEncode="ENABLED|BACKWARDS_COMPATIBLE"> ENABLED: . , ; BACKWARDS_COMPATIBLE: . , . , htmlb:content , . : CLASSIC, DESIGN2002, DESIGN2003, DESIGN2008, , (+). CLASSIC DESIGN2002 (, ) . <htmlb:content forceEncode="ENABLED" design="DESIGN2003+DESIGN2008"> , design=CLASSIC. . Mixed BSP- HTML HTMLB forceEncode BSP page forceEncode HTMLB . , – HTMLB. , , HTML BSP, Internet Transaction Server (ITS) HTML Business Internet Transaction Server (ITS) HTML Business, : xss_url_escape() xss_html_escape() xss_wml_escape() xss_css_escape() xss_js_escape() HTML Business , HTML-: , (`) , : ~auto_html_escaping=1: , ~new_xss_functions=1: XSS. ~html_escaping_off=1/0, . , , SAP_BASIS: ITS ( <= 6.40), Internet Service SE80. ITS ( >= 6.40), GUI SICF : 7.20, ~new_xss_functions, XSS- . , , , . ~html_escaping_off=”X”, . , . SAP Security Note 1488500. Business HTML (BHTML) HTMLBusiness Template Library (, SAP_TemplateNonEditableField()) . , . SAP Security Note 916255. , . , . , XSS-: http/security_session_timeout = 900; - , . icf/set_HTTPonly_flag_on_cookies = 0; HttpOnly , - , , . HTTPOnly, Logon tickets XSS-. , RZ10, ( Profile) (, DEFAULT.PFL, SAP-). , , , Extended maintenance . , Copy. , , - , - -, : icm/HTTP/logging_0 icm/security_log , SAP NetWeaver J2EE SAP NetWeaver J2EE AS Java tc_sec_csi.jar. , HTML/XML, JavaScript, CSS URL. StringUtils (com.sap.security.core.server.csi.util.StringUtils): . Securing SAP from XSS vulnerabilities escapeScriptEndTag(String pStr) - , javascript ; escapeToHTML(String input) – (. 1) escapeToJS(String input) – JS declaration ( . 5) escapeToURL(String input) – , URL ( 3). , 'disableScriptSignatures'. escapeToURL(StringBuffer sb, String input, int maxLength) - , URL ( 3). , 'disableScriptSignatures'. escapeToURL(String input, int maxLength) - , URL (. 3). , 'disableScriptSignatures'. urlEncode(String s) – URLEncoder.encode , . 1 ( ) [CASE1] Username [CASE1] 2 ( , – URL) Click here 3 ( - URL) 4 ( SCRIPT', – ) 5 ( – declaration ) XSSEncoder. - XSSEncoder ( : com.sap.security.core.server.csi.XSSEncoder). : HTML / XML out = XSSEncoder.encodeHTML( in ) and XSSEncoder.encodeXML( val ); JavaScript out = XSSEncoder.encodeJavaScript( val ); URL out = XSSEncoder.encodeURL( val ); CSS out = XSSEncoder.encodeCSS( val ); , . SAP Security Note 1590008. WebDynpro Java WebDynpro Java, XSS. . SAP UI Development Kit for HTML5 SAP UI Development Kit HTML5, jQuery /_core/src/main/js/jquery.sap.encoder.js. : HTML / XML jQuery.sap.encodeHTML(sValue) and jQuery.sap.encodeXML(sValue) JavaScript jQuery.sap.encodeJS(sValue) URL jQuery.sap.encodeURL(sValue) CSS jQuery.sap.encodeCSS(sValue) : , : Global_app_config/session_config/sessionTimeout = 900. - , . SystemCookiesDataProtection = true. HttpOnly , - , , . HTTPOnly, Logon tickets XSS-. ume.logon.httponlycookie= True. Logon tickets , Single Sign-On J2EE Engine. “True” , HTTP document.cookie ( XSS-) . SessionIPProtectionEnabled = True. , IP . True, HTTP- IP. IP, . , , - XSS-, - -, . LogCLF = TRUE http.properties logging CEF. ArchiveOldLogFiles = ON. Log Configurator . . , . , . . HttpTrace= Enable. HTTP- , ConfigTool. HTTP Provider Service, , HttpTrace. SAP HANA XS , XSS- – SAP HANA. SAP HANA SAPUI5. - SAPUI5 , . , int int, sap.ui.core . – , HTML: , : sessiontimeout = 900. - , . HttpOnly . , , - XSS-, - -, . HTTP (S) , SAP HANA, -. - HTTP (S) , icm/http/logging _ 0: global _ auditing _ state = true. global.ini, . , , XSS-. SAP HANA Administration Console –> Security HDB –> Auditing Status menu. - , XSS. , , - SAP . XSS- – SAP. SAP XSS-. XSS SAP. , ( chipik ) . Logging additional information ABAP protection SAP Encoding Functions for AS ABAP Java protection SAP Encoding Functions for AS Java and JavaScript Prevention of Cross-site Scripting SAP HANA protection Protecting SAP® Applications Based on Java and ABAP™ Against Common Attacks
<%@page language="abap" forceEncode="html"%> <% data: inputvalue type string. inputvalue = request->get_form_field( 'x' ). %> </html> . , ( ): <%html=...%>: HTML <%url=...%>: URL URL <%javascript=...%>: JavaScript <%css=…%> : CSS <%raw=...%> ( , , , ) BSP BSP HTMLB forceEncode <htmlb:content> ENABLED , ( ). ENABLED , , :<htmlb:content forceEncode="ENABLED|BACKWARDS_COMPATIBLE"> ENABLED: . , ; BACKWARDS_COMPATIBLE: . , . , htmlb:content , . : CLASSIC, DESIGN2002, DESIGN2003, DESIGN2008, , (+). CLASSIC DESIGN2002 (, ) . <htmlb:content forceEncode="ENABLED" design="DESIGN2003+DESIGN2008"> , design=CLASSIC. . Mixed BSP- HTML HTMLB forceEncode BSP page forceEncode HTMLB . , – HTMLB. , , HTML BSP, Internet Transaction Server (ITS) HTML Business Internet Transaction Server (ITS) HTML Business, : xss_url_escape() xss_html_escape() xss_wml_escape() xss_css_escape() xss_js_escape() HTML Business , HTML-: , (`) , : ~auto_html_escaping=1: , ~new_xss_functions=1: XSS. ~html_escaping_off=1/0, . , , SAP_BASIS: ITS ( <= 6.40), Internet Service SE80. ITS ( >= 6.40), GUI SICF : 7.20, ~new_xss_functions, XSS- . , , , . ~html_escaping_off=”X”, . , . SAP Security Note 1488500. Business HTML (BHTML) HTMLBusiness Template Library (, SAP_TemplateNonEditableField()) . , . SAP Security Note 916255. , . , . , XSS-: http/security_session_timeout = 900; - , . icf/set_HTTPonly_flag_on_cookies = 0; HttpOnly , - , , . HTTPOnly, Logon tickets XSS-. , RZ10, ( Profile) (, DEFAULT.PFL, SAP-). , , , Extended maintenance . , Copy. , , - , - -, : icm/HTTP/logging_0 icm/security_log , SAP NetWeaver J2EE SAP NetWeaver J2EE AS Java tc_sec_csi.jar. , HTML/XML, JavaScript, CSS URL. StringUtils (com.sap.security.core.server.csi.util.StringUtils): . Securing SAP from XSS vulnerabilities escapeScriptEndTag(String pStr) - , javascript ; escapeToHTML(String input) – (. 1) escapeToJS(String input) – JS declaration ( . 5) escapeToURL(String input) – , URL ( 3). , 'disableScriptSignatures'. escapeToURL(StringBuffer sb, String input, int maxLength) - , URL ( 3). , 'disableScriptSignatures'. escapeToURL(String input, int maxLength) - , URL (. 3). , 'disableScriptSignatures'. urlEncode(String s) – URLEncoder.encode , . 1 ( ) [CASE1] Username [CASE1] 2 ( , – URL) Click here 3 ( - URL) 4 ( SCRIPT', – ) 5 ( – declaration ) XSSEncoder. - XSSEncoder ( : com.sap.security.core.server.csi.XSSEncoder). : HTML / XML out = XSSEncoder.encodeHTML( in ) and XSSEncoder.encodeXML( val ); JavaScript out = XSSEncoder.encodeJavaScript( val ); URL out = XSSEncoder.encodeURL( val ); CSS out = XSSEncoder.encodeCSS( val ); , . SAP Security Note 1590008. WebDynpro Java WebDynpro Java, XSS. . SAP UI Development Kit for HTML5 SAP UI Development Kit HTML5, jQuery /_core/src/main/js/jquery.sap.encoder.js. : HTML / XML jQuery.sap.encodeHTML(sValue) and jQuery.sap.encodeXML(sValue) JavaScript jQuery.sap.encodeJS(sValue) URL jQuery.sap.encodeURL(sValue) CSS jQuery.sap.encodeCSS(sValue) : , : Global_app_config/session_config/sessionTimeout = 900. - , . SystemCookiesDataProtection = true. HttpOnly , - , , . HTTPOnly, Logon tickets XSS-. ume.logon.httponlycookie= True. Logon tickets , Single Sign-On J2EE Engine. “True” , HTTP document.cookie ( XSS-) . SessionIPProtectionEnabled = True. , IP . True, HTTP- IP. IP, . , , - XSS-, - -, . LogCLF = TRUE http.properties logging CEF. ArchiveOldLogFiles = ON. Log Configurator . . , . , . . HttpTrace= Enable. HTTP- , ConfigTool. HTTP Provider Service, , HttpTrace. SAP HANA XS , XSS- – SAP HANA. SAP HANA SAPUI5. - SAPUI5 , . , int int, sap.ui.core . – , HTML: , : sessiontimeout = 900. - , . HttpOnly . , , - XSS-, - -, . HTTP (S) , SAP HANA, -. - HTTP (S) , icm/http/logging _ 0: global _ auditing _ state = true. global.ini, . , , XSS-. SAP HANA Administration Console –> Security HDB –> Auditing Status menu. - , XSS. , , - SAP . XSS- – SAP. SAP XSS-. XSS SAP. , ( chipik ) . Logging additional information ABAP protection SAP Encoding Functions for AS ABAP Java protection SAP Encoding Functions for AS Java and JavaScript Prevention of Cross-site Scripting SAP HANA protection Protecting SAP® Applications Based on Java and ABAP™ Against Common Attacks

<%@page language="abap" forceEncode="html"%>
<% data: inputvalue type string.
inputvalue = request->get_form_field( 'x' ).
%>
</html>


. , ( ):

<%html=...%>: HTML <%url=...%>: URL URL <%javascript=...%>: JavaScript <%css=…%> : CSS <%raw=...%> ( , , , )

BSP

BSP HTMLB forceEncode <htmlb:content> ENABLED , ( ). ENABLED , , :<htmlb:content forceEncode="ENABLED|BACKWARDS_COMPATIBLE">

ENABLED: . , ; BACKWARDS_COMPATIBLE: . , .

, htmlb:content , . : CLASSIC, DESIGN2002, DESIGN2003, DESIGN2008, , (+). CLASSIC DESIGN2002 (, ) .

<htmlb:content forceEncode="ENABLED" design="DESIGN2003+DESIGN2008">


, design=CLASSIC. .

Mixed BSP- HTML HTMLB

forceEncode BSP page forceEncode HTMLB . , – HTMLB. , , HTML BSP,

Internet Transaction Server (ITS) HTML Business

Internet Transaction Server (ITS) HTML Business, :

xss_url_escape() xss_html_escape() xss_wml_escape() xss_css_escape() xss_js_escape()
HTML Business

, HTML-: , (`) , :
~auto_html_escaping=1: , ~new_xss_functions=1: XSS.
~html_escaping_off=1/0, .
, , SAP_BASIS:
ITS ( <= 6.40), Internet Service SE80. ITS ( >= 6.40), GUI SICF :

7.20, ~new_xss_functions, XSS- .

, , , . ~html_escaping_off=”X”, . , . SAP Security Note 1488500.

Business HTML (BHTML)

HTMLBusiness Template Library (, SAP_TemplateNonEditableField()) . , . SAP Security Note 916255.



, . , .



, XSS-:

http/security_session_timeout = 900; - , . icf/set_HTTPonly_flag_on_cookies = 0; HttpOnly , - , , . HTTPOnly, Logon tickets XSS-.

, RZ10, ( Profile) (, DEFAULT.PFL, SAP-). , , , Extended maintenance . , Copy.



, , - , - -, :
icm/HTTP/logging_0 icm/security_log ,

SAP NetWeaver J2EE

SAP NetWeaver J2EE



AS Java tc_sec_csi.jar. , HTML/XML, JavaScript, CSS URL. StringUtils (com.sap.security.core.server.csi.util.StringUtils):

. Securing SAP from XSS vulnerabilities
escapeScriptEndTag(String pStr) - , javascript ; escapeToHTML(String input) – (. 1) escapeToJS(String input) – JS declaration ( . 5) escapeToURL(String input) – , URL ( 3). , 'disableScriptSignatures'. escapeToURL(StringBuffer sb, String input, int maxLength) - , URL ( 3). , 'disableScriptSignatures'. escapeToURL(String input, int maxLength) - , URL (. 3). , 'disableScriptSignatures'. urlEncode(String s) – URLEncoder.encode

, .

1 ( )

[CASE1]

Username [CASE1]



2 ( , – URL)


Click here


3 ( - URL)




4 ( SCRIPT', – )



5 ( – declaration )



XSSEncoder.
- XSSEncoder ( : com.sap.security.core.server.csi.XSSEncoder).

:
HTML / XML out = XSSEncoder.encodeHTML( in ) and XSSEncoder.encodeXML( val ); JavaScript out = XSSEncoder.encodeJavaScript( val ); URL out = XSSEncoder.encodeURL( val ); CSS out = XSSEncoder.encodeCSS( val );

, . SAP Security Note 1590008.
WebDynpro Java
WebDynpro Java, XSS. .
SAP UI Development Kit for HTML5
SAP UI Development Kit HTML5, jQuery /_core/src/main/js/jquery.sap.encoder.js.
:
HTML / XML jQuery.sap.encodeHTML(sValue) and jQuery.sap.encodeXML(sValue) JavaScript jQuery.sap.encodeJS(sValue) URL jQuery.sap.encodeURL(sValue) CSS jQuery.sap.encodeCSS(sValue)
:

, :
Global_app_config/session_config/sessionTimeout = 900. - , . SystemCookiesDataProtection = true. HttpOnly , - , , . HTTPOnly, Logon tickets XSS-. ume.logon.httponlycookie= True. Logon tickets , Single Sign-On J2EE Engine. “True” , HTTP document.cookie ( XSS-) . SessionIPProtectionEnabled = True. , IP . True, HTTP- IP. IP, .


, , - XSS-, - -, .
LogCLF = TRUE http.properties logging CEF. ArchiveOldLogFiles = ON. Log Configurator . . , . , . . HttpTrace= Enable. HTTP- , ConfigTool. HTTP Provider Service, , HttpTrace.
SAP HANA XS

, XSS- – SAP HANA.


SAP HANA SAPUI5.
- SAPUI5 , . , int int, sap.ui.core . – , HTML:

, :
sessiontimeout = 900. - , . HttpOnly .



, , - XSS-, - -, .

HTTP (S) , SAP HANA, -. - HTTP (S) , icm/http/logging _ 0: global _ auditing _ state = true. global.ini, . , , XSS-. SAP HANA Administration Console –> Security HDB –> Auditing Status menu.



- , XSS. , , - SAP . XSS- – SAP. SAP XSS-. XSS SAP.

, ( chipik ) .


Logging additional information ABAP protection SAP Encoding Functions for AS ABAP Java protection SAP Encoding Functions for AS Java and JavaScript Prevention of Cross-site Scripting SAP HANA protection Protecting SAP® Applications Based on Java and ABAP™ Against Common Attacks

<%@page language="abap" forceEncode="html"%> <% data: inputvalue type string. inputvalue = request->get_form_field( 'x' ). %> </html> . , ( ): <%html=...%>: HTML <%url=...%>: URL URL <%javascript=...%>: JavaScript <%css=…%> : CSS <%raw=...%> ( , , , ) BSP BSP HTMLB forceEncode <htmlb:content> ENABLED , ( ). ENABLED , , :<htmlb:content forceEncode="ENABLED|BACKWARDS_COMPATIBLE"> ENABLED: . , ; BACKWARDS_COMPATIBLE: . , . , htmlb:content , . : CLASSIC, DESIGN2002, DESIGN2003, DESIGN2008, , (+). CLASSIC DESIGN2002 (, ) . <htmlb:content forceEncode="ENABLED" design="DESIGN2003+DESIGN2008"> , design=CLASSIC. . Mixed BSP- HTML HTMLB forceEncode BSP page forceEncode HTMLB . , – HTMLB. , , HTML BSP, Internet Transaction Server (ITS) HTML Business Internet Transaction Server (ITS) HTML Business, : xss_url_escape() xss_html_escape() xss_wml_escape() xss_css_escape() xss_js_escape() HTML Business , HTML-: , (`) , : ~auto_html_escaping=1: , ~new_xss_functions=1: XSS. ~html_escaping_off=1/0, . , , SAP_BASIS: ITS ( <= 6.40), Internet Service SE80. ITS ( >= 6.40), GUI SICF : 7.20, ~new_xss_functions, XSS- . , , , . ~html_escaping_off=”X”, . , . SAP Security Note 1488500. Business HTML (BHTML) HTMLBusiness Template Library (, SAP_TemplateNonEditableField()) . , . SAP Security Note 916255. , . , . , XSS-: http/security_session_timeout = 900; - , . icf/set_HTTPonly_flag_on_cookies = 0; HttpOnly , - , , . HTTPOnly, Logon tickets XSS-. , RZ10, ( Profile) (, DEFAULT.PFL, SAP-). , , , Extended maintenance . , Copy. , , - , - -, : icm/HTTP/logging_0 icm/security_log , SAP NetWeaver J2EE SAP NetWeaver J2EE AS Java tc_sec_csi.jar. , HTML/XML, JavaScript, CSS URL. StringUtils (com.sap.security.core.server.csi.util.StringUtils): . Securing SAP from XSS vulnerabilities escapeScriptEndTag(String pStr) - , javascript ; escapeToHTML(String input) – (. 1) escapeToJS(String input) – JS declaration ( . 5) escapeToURL(String input) – , URL ( 3). , 'disableScriptSignatures'. escapeToURL(StringBuffer sb, String input, int maxLength) - , URL ( 3). , 'disableScriptSignatures'. escapeToURL(String input, int maxLength) - , URL (. 3). , 'disableScriptSignatures'. urlEncode(String s) – URLEncoder.encode , . 1 ( ) [CASE1] Username [CASE1] 2 ( , – URL) Click here 3 ( - URL) 4 ( SCRIPT', – ) 5 ( – declaration ) XSSEncoder. - XSSEncoder ( : com.sap.security.core.server.csi.XSSEncoder). : HTML / XML out = XSSEncoder.encodeHTML( in ) and XSSEncoder.encodeXML( val ); JavaScript out = XSSEncoder.encodeJavaScript( val ); URL out = XSSEncoder.encodeURL( val ); CSS out = XSSEncoder.encodeCSS( val ); , . SAP Security Note 1590008. WebDynpro Java WebDynpro Java, XSS. . SAP UI Development Kit for HTML5 SAP UI Development Kit HTML5, jQuery /_core/src/main/js/jquery.sap.encoder.js. : HTML / XML jQuery.sap.encodeHTML(sValue) and jQuery.sap.encodeXML(sValue) JavaScript jQuery.sap.encodeJS(sValue) URL jQuery.sap.encodeURL(sValue) CSS jQuery.sap.encodeCSS(sValue) : , : Global_app_config/session_config/sessionTimeout = 900. - , . SystemCookiesDataProtection = true. HttpOnly , - , , . HTTPOnly, Logon tickets XSS-. ume.logon.httponlycookie= True. Logon tickets , Single Sign-On J2EE Engine. “True” , HTTP document.cookie ( XSS-) . SessionIPProtectionEnabled = True. , IP . True, HTTP- IP. IP, . , , - XSS-, - -, . LogCLF = TRUE http.properties logging CEF. ArchiveOldLogFiles = ON. Log Configurator . . , . , . . HttpTrace= Enable. HTTP- , ConfigTool. HTTP Provider Service, , HttpTrace. SAP HANA XS , XSS- – SAP HANA. SAP HANA SAPUI5. - SAPUI5 , . , int int, sap.ui.core . – , HTML: , : sessiontimeout = 900. - , . HttpOnly . , , - XSS-, - -, . HTTP (S) , SAP HANA, -. - HTTP (S) , icm/http/logging _ 0: global _ auditing _ state = true. global.ini, . , , XSS-. SAP HANA Administration Console –> Security HDB –> Auditing Status menu. - , XSS. , , - SAP . XSS- – SAP. SAP XSS-. XSS SAP. , ( chipik ) . Logging additional information ABAP protection SAP Encoding Functions for AS ABAP Java protection SAP Encoding Functions for AS Java and JavaScript Prevention of Cross-site Scripting SAP HANA protection Protecting SAP® Applications Based on Java and ABAP™ Against Common Attacks

<%@page language="abap" forceEncode="html"%>
<% data: inputvalue type string.
inputvalue = request->get_form_field( 'x' ).
%>
</html>


. , ( ):

<%html=...%>: HTML <%url=...%>: URL URL <%javascript=...%>: JavaScript <%css=…%> : CSS <%raw=...%> ( , , , )

BSP

BSP HTMLB forceEncode <htmlb:content> ENABLED , ( ). ENABLED , , :<htmlb:content forceEncode="ENABLED|BACKWARDS_COMPATIBLE">

ENABLED: . , ; BACKWARDS_COMPATIBLE: . , .

, htmlb:content , . : CLASSIC, DESIGN2002, DESIGN2003, DESIGN2008, , (+). CLASSIC DESIGN2002 (, ) .

<htmlb:content forceEncode="ENABLED" design="DESIGN2003+DESIGN2008">


, design=CLASSIC. .

Mixed BSP- HTML HTMLB

forceEncode BSP page forceEncode HTMLB . , – HTMLB. , , HTML BSP,

Internet Transaction Server (ITS) HTML Business

Internet Transaction Server (ITS) HTML Business, :

xss_url_escape() xss_html_escape() xss_wml_escape() xss_css_escape() xss_js_escape()
HTML Business

, HTML-: , (`) , :
~auto_html_escaping=1: , ~new_xss_functions=1: XSS.
~html_escaping_off=1/0, .
, , SAP_BASIS:
ITS ( <= 6.40), Internet Service SE80. ITS ( >= 6.40), GUI SICF :

7.20, ~new_xss_functions, XSS- .

, , , . ~html_escaping_off=”X”, . , . SAP Security Note 1488500.

Business HTML (BHTML)

HTMLBusiness Template Library (, SAP_TemplateNonEditableField()) . , . SAP Security Note 916255.



, . , .



, XSS-:

http/security_session_timeout = 900; - , . icf/set_HTTPonly_flag_on_cookies = 0; HttpOnly , - , , . HTTPOnly, Logon tickets XSS-.

, RZ10, ( Profile) (, DEFAULT.PFL, SAP-). , , , Extended maintenance . , Copy.



, , - , - -, :
icm/HTTP/logging_0 icm/security_log ,

SAP NetWeaver J2EE

SAP NetWeaver J2EE



AS Java tc_sec_csi.jar. , HTML/XML, JavaScript, CSS URL. StringUtils (com.sap.security.core.server.csi.util.StringUtils):

. Securing SAP from XSS vulnerabilities
escapeScriptEndTag(String pStr) - , javascript ; escapeToHTML(String input) – (. 1) escapeToJS(String input) – JS declaration ( . 5) escapeToURL(String input) – , URL ( 3). , 'disableScriptSignatures'. escapeToURL(StringBuffer sb, String input, int maxLength) - , URL ( 3). , 'disableScriptSignatures'. escapeToURL(String input, int maxLength) - , URL (. 3). , 'disableScriptSignatures'. urlEncode(String s) – URLEncoder.encode

, .

1 ( )

[CASE1]

Username [CASE1]



2 ( , – URL)


Click here


3 ( - URL)




4 ( SCRIPT', – )



5 ( – declaration )



XSSEncoder.
- XSSEncoder ( : com.sap.security.core.server.csi.XSSEncoder).

:
HTML / XML out = XSSEncoder.encodeHTML( in ) and XSSEncoder.encodeXML( val ); JavaScript out = XSSEncoder.encodeJavaScript( val ); URL out = XSSEncoder.encodeURL( val ); CSS out = XSSEncoder.encodeCSS( val );

, . SAP Security Note 1590008.
WebDynpro Java
WebDynpro Java, XSS. .
SAP UI Development Kit for HTML5
SAP UI Development Kit HTML5, jQuery /_core/src/main/js/jquery.sap.encoder.js.
:
HTML / XML jQuery.sap.encodeHTML(sValue) and jQuery.sap.encodeXML(sValue) JavaScript jQuery.sap.encodeJS(sValue) URL jQuery.sap.encodeURL(sValue) CSS jQuery.sap.encodeCSS(sValue)
:

, :
Global_app_config/session_config/sessionTimeout = 900. - , . SystemCookiesDataProtection = true. HttpOnly , - , , . HTTPOnly, Logon tickets XSS-. ume.logon.httponlycookie= True. Logon tickets , Single Sign-On J2EE Engine. “True” , HTTP document.cookie ( XSS-) . SessionIPProtectionEnabled = True. , IP . True, HTTP- IP. IP, .


, , - XSS-, - -, .
LogCLF = TRUE http.properties logging CEF. ArchiveOldLogFiles = ON. Log Configurator . . , . , . . HttpTrace= Enable. HTTP- , ConfigTool. HTTP Provider Service, , HttpTrace.
SAP HANA XS

, XSS- – SAP HANA.


SAP HANA SAPUI5.
- SAPUI5 , . , int int, sap.ui.core . – , HTML:

, :
sessiontimeout = 900. - , . HttpOnly .



, , - XSS-, - -, .

HTTP (S) , SAP HANA, -. - HTTP (S) , icm/http/logging _ 0: global _ auditing _ state = true. global.ini, . , , XSS-. SAP HANA Administration Console –> Security HDB –> Auditing Status menu.



- , XSS. , , - SAP . XSS- – SAP. SAP XSS-. XSS SAP.

, ( chipik ) .


Logging additional information ABAP protection SAP Encoding Functions for AS ABAP Java protection SAP Encoding Functions for AS Java and JavaScript Prevention of Cross-site Scripting SAP HANA protection Protecting SAP® Applications Based on Java and ABAP™ Against Common Attacks

<%@page language="abap" forceEncode="html"%> <% data: inputvalue type string. inputvalue = request->get_form_field( 'x' ). %> </html> . , ( ): <%html=...%>: HTML <%url=...%>: URL URL <%javascript=...%>: JavaScript <%css=…%> : CSS <%raw=...%> ( , , , ) BSP BSP HTMLB forceEncode <htmlb:content> ENABLED , ( ). ENABLED , , :<htmlb:content forceEncode="ENABLED|BACKWARDS_COMPATIBLE"> ENABLED: . , ; BACKWARDS_COMPATIBLE: . , . , htmlb:content , . : CLASSIC, DESIGN2002, DESIGN2003, DESIGN2008, , (+). CLASSIC DESIGN2002 (, ) . <htmlb:content forceEncode="ENABLED" design="DESIGN2003+DESIGN2008"> , design=CLASSIC. . Mixed BSP- HTML HTMLB forceEncode BSP page forceEncode HTMLB . , – HTMLB. , , HTML BSP, Internet Transaction Server (ITS) HTML Business Internet Transaction Server (ITS) HTML Business, : xss_url_escape() xss_html_escape() xss_wml_escape() xss_css_escape() xss_js_escape() HTML Business , HTML-: , (`) , : ~auto_html_escaping=1: , ~new_xss_functions=1: XSS. ~html_escaping_off=1/0, . , , SAP_BASIS: ITS ( <= 6.40), Internet Service SE80. ITS ( >= 6.40), GUI SICF : 7.20, ~new_xss_functions, XSS- . , , , . ~html_escaping_off=”X”, . , . SAP Security Note 1488500. Business HTML (BHTML) HTMLBusiness Template Library (, SAP_TemplateNonEditableField()) . , . SAP Security Note 916255. , . , . , XSS-: http/security_session_timeout = 900; - , . icf/set_HTTPonly_flag_on_cookies = 0; HttpOnly , - , , . HTTPOnly, Logon tickets XSS-. , RZ10, ( Profile) (, DEFAULT.PFL, SAP-). , , , Extended maintenance . , Copy. , , - , - -, : icm/HTTP/logging_0 icm/security_log , SAP NetWeaver J2EE SAP NetWeaver J2EE AS Java tc_sec_csi.jar. , HTML/XML, JavaScript, CSS URL. StringUtils (com.sap.security.core.server.csi.util.StringUtils): . Securing SAP from XSS vulnerabilities escapeScriptEndTag(String pStr) - , javascript ; escapeToHTML(String input) – (. 1) escapeToJS(String input) – JS declaration ( . 5) escapeToURL(String input) – , URL ( 3). , 'disableScriptSignatures'. escapeToURL(StringBuffer sb, String input, int maxLength) - , URL ( 3). , 'disableScriptSignatures'. escapeToURL(String input, int maxLength) - , URL (. 3). , 'disableScriptSignatures'. urlEncode(String s) – URLEncoder.encode , . 1 ( ) [CASE1] Username [CASE1] 2 ( , – URL) Click here 3 ( - URL) 4 ( SCRIPT', – ) 5 ( – declaration ) XSSEncoder. - XSSEncoder ( : com.sap.security.core.server.csi.XSSEncoder). : HTML / XML out = XSSEncoder.encodeHTML( in ) and XSSEncoder.encodeXML( val ); JavaScript out = XSSEncoder.encodeJavaScript( val ); URL out = XSSEncoder.encodeURL( val ); CSS out = XSSEncoder.encodeCSS( val ); , . SAP Security Note 1590008. WebDynpro Java WebDynpro Java, XSS. . SAP UI Development Kit for HTML5 SAP UI Development Kit HTML5, jQuery /_core/src/main/js/jquery.sap.encoder.js. : HTML / XML jQuery.sap.encodeHTML(sValue) and jQuery.sap.encodeXML(sValue) JavaScript jQuery.sap.encodeJS(sValue) URL jQuery.sap.encodeURL(sValue) CSS jQuery.sap.encodeCSS(sValue) : , : Global_app_config/session_config/sessionTimeout = 900. - , . SystemCookiesDataProtection = true. HttpOnly , - , , . HTTPOnly, Logon tickets XSS-. ume.logon.httponlycookie= True. Logon tickets , Single Sign-On J2EE Engine. “True” , HTTP document.cookie ( XSS-) . SessionIPProtectionEnabled = True. , IP . True, HTTP- IP. IP, . , , - XSS-, - -, . LogCLF = TRUE http.properties logging CEF. ArchiveOldLogFiles = ON. Log Configurator . . , . , . . HttpTrace= Enable. HTTP- , ConfigTool. HTTP Provider Service, , HttpTrace. SAP HANA XS , XSS- – SAP HANA. SAP HANA SAPUI5. - SAPUI5 , . , int int, sap.ui.core . – , HTML: , : sessiontimeout = 900. - , . HttpOnly . , , - XSS-, - -, . HTTP (S) , SAP HANA, -. - HTTP (S) , icm/http/logging _ 0: global _ auditing _ state = true. global.ini, . , , XSS-. SAP HANA Administration Console –> Security HDB –> Auditing Status menu. - , XSS. , , - SAP . XSS- – SAP. SAP XSS-. XSS SAP. , ( chipik ) . Logging additional information ABAP protection SAP Encoding Functions for AS ABAP Java protection SAP Encoding Functions for AS Java and JavaScript Prevention of Cross-site Scripting SAP HANA protection Protecting SAP® Applications Based on Java and ABAP™ Against Common Attacks

<%@page language="abap" forceEncode="html"%>
<% data: inputvalue type string.
inputvalue = request->get_form_field( 'x' ).
%>
</html>


. , ( ):

<%html=...%>: HTML <%url=...%>: URL URL <%javascript=...%>: JavaScript <%css=…%> : CSS <%raw=...%> ( , , , )

BSP

BSP HTMLB forceEncode <htmlb:content> ENABLED , ( ). ENABLED , , :<htmlb:content forceEncode="ENABLED|BACKWARDS_COMPATIBLE">

ENABLED: . , ; BACKWARDS_COMPATIBLE: . , .

, htmlb:content , . : CLASSIC, DESIGN2002, DESIGN2003, DESIGN2008, , (+). CLASSIC DESIGN2002 (, ) .

<htmlb:content forceEncode="ENABLED" design="DESIGN2003+DESIGN2008">


, design=CLASSIC. .

Mixed BSP- HTML HTMLB

forceEncode BSP page forceEncode HTMLB . , – HTMLB. , , HTML BSP,

Internet Transaction Server (ITS) HTML Business

Internet Transaction Server (ITS) HTML Business, :

xss_url_escape() xss_html_escape() xss_wml_escape() xss_css_escape() xss_js_escape()
HTML Business

, HTML-: , (`) , :
~auto_html_escaping=1: , ~new_xss_functions=1: XSS.
~html_escaping_off=1/0, .
, , SAP_BASIS:
ITS ( <= 6.40), Internet Service SE80. ITS ( >= 6.40), GUI SICF :

7.20, ~new_xss_functions, XSS- .

, , , . ~html_escaping_off=”X”, . , . SAP Security Note 1488500.

Business HTML (BHTML)

HTMLBusiness Template Library (, SAP_TemplateNonEditableField()) . , . SAP Security Note 916255.



, . , .



, XSS-:

http/security_session_timeout = 900; - , . icf/set_HTTPonly_flag_on_cookies = 0; HttpOnly , - , , . HTTPOnly, Logon tickets XSS-.

, RZ10, ( Profile) (, DEFAULT.PFL, SAP-). , , , Extended maintenance . , Copy.



, , - , - -, :
icm/HTTP/logging_0 icm/security_log ,

SAP NetWeaver J2EE

SAP NetWeaver J2EE



AS Java tc_sec_csi.jar. , HTML/XML, JavaScript, CSS URL. StringUtils (com.sap.security.core.server.csi.util.StringUtils):

. Securing SAP from XSS vulnerabilities
escapeScriptEndTag(String pStr) - , javascript ; escapeToHTML(String input) – (. 1) escapeToJS(String input) – JS declaration ( . 5) escapeToURL(String input) – , URL ( 3). , 'disableScriptSignatures'. escapeToURL(StringBuffer sb, String input, int maxLength) - , URL ( 3). , 'disableScriptSignatures'. escapeToURL(String input, int maxLength) - , URL (. 3). , 'disableScriptSignatures'. urlEncode(String s) – URLEncoder.encode

, .

1 ( )

[CASE1]

Username [CASE1]



2 ( , – URL)


Click here


3 ( - URL)




4 ( SCRIPT', – )



5 ( – declaration )



XSSEncoder.
- XSSEncoder ( : com.sap.security.core.server.csi.XSSEncoder).

:
HTML / XML out = XSSEncoder.encodeHTML( in ) and XSSEncoder.encodeXML( val ); JavaScript out = XSSEncoder.encodeJavaScript( val ); URL out = XSSEncoder.encodeURL( val ); CSS out = XSSEncoder.encodeCSS( val );

, . SAP Security Note 1590008.
WebDynpro Java
WebDynpro Java, XSS. .
SAP UI Development Kit for HTML5
SAP UI Development Kit HTML5, jQuery /_core/src/main/js/jquery.sap.encoder.js.
:
HTML / XML jQuery.sap.encodeHTML(sValue) and jQuery.sap.encodeXML(sValue) JavaScript jQuery.sap.encodeJS(sValue) URL jQuery.sap.encodeURL(sValue) CSS jQuery.sap.encodeCSS(sValue)
:

, :
Global_app_config/session_config/sessionTimeout = 900. - , . SystemCookiesDataProtection = true. HttpOnly , - , , . HTTPOnly, Logon tickets XSS-. ume.logon.httponlycookie= True. Logon tickets , Single Sign-On J2EE Engine. “True” , HTTP document.cookie ( XSS-) . SessionIPProtectionEnabled = True. , IP . True, HTTP- IP. IP, .


, , - XSS-, - -, .
LogCLF = TRUE http.properties logging CEF. ArchiveOldLogFiles = ON. Log Configurator . . , . , . . HttpTrace= Enable. HTTP- , ConfigTool. HTTP Provider Service, , HttpTrace.
SAP HANA XS

, XSS- – SAP HANA.


SAP HANA SAPUI5.
- SAPUI5 , . , int int, sap.ui.core . – , HTML:

, :
sessiontimeout = 900. - , . HttpOnly .



, , - XSS-, - -, .

HTTP (S) , SAP HANA, -. - HTTP (S) , icm/http/logging _ 0: global _ auditing _ state = true. global.ini, . , , XSS-. SAP HANA Administration Console –> Security HDB –> Auditing Status menu.



- , XSS. , , - SAP . XSS- – SAP. SAP XSS-. XSS SAP.

, ( chipik ) .


Logging additional information ABAP protection SAP Encoding Functions for AS ABAP Java protection SAP Encoding Functions for AS Java and JavaScript Prevention of Cross-site Scripting SAP HANA protection Protecting SAP® Applications Based on Java and ABAP™ Against Common Attacks

<%@page language="abap" forceEncode="html"%> <% data: inputvalue type string. inputvalue = request->get_form_field( 'x' ). %> </html> . , ( ): <%html=...%>: HTML <%url=...%>: URL URL <%javascript=...%>: JavaScript <%css=…%> : CSS <%raw=...%> ( , , , ) BSP BSP HTMLB forceEncode <htmlb:content> ENABLED , ( ). ENABLED , , :<htmlb:content forceEncode="ENABLED|BACKWARDS_COMPATIBLE"> ENABLED: . , ; BACKWARDS_COMPATIBLE: . , . , htmlb:content , . : CLASSIC, DESIGN2002, DESIGN2003, DESIGN2008, , (+). CLASSIC DESIGN2002 (, ) . <htmlb:content forceEncode="ENABLED" design="DESIGN2003+DESIGN2008"> , design=CLASSIC. . Mixed BSP- HTML HTMLB forceEncode BSP page forceEncode HTMLB . , – HTMLB. , , HTML BSP, Internet Transaction Server (ITS) HTML Business Internet Transaction Server (ITS) HTML Business, : xss_url_escape() xss_html_escape() xss_wml_escape() xss_css_escape() xss_js_escape() HTML Business , HTML-: , (`) , : ~auto_html_escaping=1: , ~new_xss_functions=1: XSS. ~html_escaping_off=1/0, . , , SAP_BASIS: ITS ( <= 6.40), Internet Service SE80. ITS ( >= 6.40), GUI SICF : 7.20, ~new_xss_functions, XSS- . , , , . ~html_escaping_off=”X”, . , . SAP Security Note 1488500. Business HTML (BHTML) HTMLBusiness Template Library (, SAP_TemplateNonEditableField()) . , . SAP Security Note 916255. , . , . , XSS-: http/security_session_timeout = 900; - , . icf/set_HTTPonly_flag_on_cookies = 0; HttpOnly , - , , . HTTPOnly, Logon tickets XSS-. , RZ10, ( Profile) (, DEFAULT.PFL, SAP-). , , , Extended maintenance . , Copy. , , - , - -, : icm/HTTP/logging_0 icm/security_log , SAP NetWeaver J2EE SAP NetWeaver J2EE AS Java tc_sec_csi.jar. , HTML/XML, JavaScript, CSS URL. StringUtils (com.sap.security.core.server.csi.util.StringUtils): . Securing SAP from XSS vulnerabilities escapeScriptEndTag(String pStr) - , javascript ; escapeToHTML(String input) – (. 1) escapeToJS(String input) – JS declaration ( . 5) escapeToURL(String input) – , URL ( 3). , 'disableScriptSignatures'. escapeToURL(StringBuffer sb, String input, int maxLength) - , URL ( 3). , 'disableScriptSignatures'. escapeToURL(String input, int maxLength) - , URL (. 3). , 'disableScriptSignatures'. urlEncode(String s) – URLEncoder.encode , . 1 ( ) [CASE1] Username [CASE1] 2 ( , – URL) Click here 3 ( - URL) 4 ( SCRIPT', – ) 5 ( – declaration ) XSSEncoder. - XSSEncoder ( : com.sap.security.core.server.csi.XSSEncoder). : HTML / XML out = XSSEncoder.encodeHTML( in ) and XSSEncoder.encodeXML( val ); JavaScript out = XSSEncoder.encodeJavaScript( val ); URL out = XSSEncoder.encodeURL( val ); CSS out = XSSEncoder.encodeCSS( val ); , . SAP Security Note 1590008. WebDynpro Java WebDynpro Java, XSS. . SAP UI Development Kit for HTML5 SAP UI Development Kit HTML5, jQuery /_core/src/main/js/jquery.sap.encoder.js. : HTML / XML jQuery.sap.encodeHTML(sValue) and jQuery.sap.encodeXML(sValue) JavaScript jQuery.sap.encodeJS(sValue) URL jQuery.sap.encodeURL(sValue) CSS jQuery.sap.encodeCSS(sValue) : , : Global_app_config/session_config/sessionTimeout = 900. - , . SystemCookiesDataProtection = true. HttpOnly , - , , . HTTPOnly, Logon tickets XSS-. ume.logon.httponlycookie= True. Logon tickets , Single Sign-On J2EE Engine. “True” , HTTP document.cookie ( XSS-) . SessionIPProtectionEnabled = True. , IP . True, HTTP- IP. IP, . , , - XSS-, - -, . LogCLF = TRUE http.properties logging CEF. ArchiveOldLogFiles = ON. Log Configurator . . , . , . . HttpTrace= Enable. HTTP- , ConfigTool. HTTP Provider Service, , HttpTrace. SAP HANA XS , XSS- – SAP HANA. SAP HANA SAPUI5. - SAPUI5 , . , int int, sap.ui.core . – , HTML: , : sessiontimeout = 900. - , . HttpOnly . , , - XSS-, - -, . HTTP (S) , SAP HANA, -. - HTTP (S) , icm/http/logging _ 0: global _ auditing _ state = true. global.ini, . , , XSS-. SAP HANA Administration Console –> Security HDB –> Auditing Status menu. - , XSS. , , - SAP . XSS- – SAP. SAP XSS-. XSS SAP. , ( chipik ) . Logging additional information ABAP protection SAP Encoding Functions for AS ABAP Java protection SAP Encoding Functions for AS Java and JavaScript Prevention of Cross-site Scripting SAP HANA protection Protecting SAP® Applications Based on Java and ABAP™ Against Common Attacks
<%@page language="abap" forceEncode="html"%> <% data: inputvalue type string. inputvalue = request->get_form_field( 'x' ). %> </html> . , ( ): <%html=...%>: HTML <%url=...%>: URL URL <%javascript=...%>: JavaScript <%css=…%> : CSS <%raw=...%> ( , , , ) BSP BSP HTMLB forceEncode <htmlb:content> ENABLED , ( ). ENABLED , , :<htmlb:content forceEncode="ENABLED|BACKWARDS_COMPATIBLE"> ENABLED: . , ; BACKWARDS_COMPATIBLE: . , . , htmlb:content , . : CLASSIC, DESIGN2002, DESIGN2003, DESIGN2008, , (+). CLASSIC DESIGN2002 (, ) . <htmlb:content forceEncode="ENABLED" design="DESIGN2003+DESIGN2008"> , design=CLASSIC. . Mixed BSP- HTML HTMLB forceEncode BSP page forceEncode HTMLB . , – HTMLB. , , HTML BSP, Internet Transaction Server (ITS) HTML Business Internet Transaction Server (ITS) HTML Business, : xss_url_escape() xss_html_escape() xss_wml_escape() xss_css_escape() xss_js_escape() HTML Business , HTML-: , (`) , : ~auto_html_escaping=1: , ~new_xss_functions=1: XSS. ~html_escaping_off=1/0, . , , SAP_BASIS: ITS ( <= 6.40), Internet Service SE80. ITS ( >= 6.40), GUI SICF : 7.20, ~new_xss_functions, XSS- . , , , . ~html_escaping_off=”X”, . , . SAP Security Note 1488500. Business HTML (BHTML) HTMLBusiness Template Library (, SAP_TemplateNonEditableField()) . , . SAP Security Note 916255. , . , . , XSS-: http/security_session_timeout = 900; - , . icf/set_HTTPonly_flag_on_cookies = 0; HttpOnly , - , , . HTTPOnly, Logon tickets XSS-. , RZ10, ( Profile) (, DEFAULT.PFL, SAP-). , , , Extended maintenance . , Copy. , , - , - -, : icm/HTTP/logging_0 icm/security_log , SAP NetWeaver J2EE SAP NetWeaver J2EE AS Java tc_sec_csi.jar. , HTML/XML, JavaScript, CSS URL. StringUtils (com.sap.security.core.server.csi.util.StringUtils): . Securing SAP from XSS vulnerabilities escapeScriptEndTag(String pStr) - , javascript ; escapeToHTML(String input) – (. 1) escapeToJS(String input) – JS declaration ( . 5) escapeToURL(String input) – , URL ( 3). , 'disableScriptSignatures'. escapeToURL(StringBuffer sb, String input, int maxLength) - , URL ( 3). , 'disableScriptSignatures'. escapeToURL(String input, int maxLength) - , URL (. 3). , 'disableScriptSignatures'. urlEncode(String s) – URLEncoder.encode , . 1 ( ) [CASE1] Username [CASE1] 2 ( , – URL) Click here 3 ( - URL) 4 ( SCRIPT', – ) 5 ( – declaration ) XSSEncoder. - XSSEncoder ( : com.sap.security.core.server.csi.XSSEncoder). : HTML / XML out = XSSEncoder.encodeHTML( in ) and XSSEncoder.encodeXML( val ); JavaScript out = XSSEncoder.encodeJavaScript( val ); URL out = XSSEncoder.encodeURL( val ); CSS out = XSSEncoder.encodeCSS( val ); , . SAP Security Note 1590008. WebDynpro Java WebDynpro Java, XSS. . SAP UI Development Kit for HTML5 SAP UI Development Kit HTML5, jQuery /_core/src/main/js/jquery.sap.encoder.js. : HTML / XML jQuery.sap.encodeHTML(sValue) and jQuery.sap.encodeXML(sValue) JavaScript jQuery.sap.encodeJS(sValue) URL jQuery.sap.encodeURL(sValue) CSS jQuery.sap.encodeCSS(sValue) : , : Global_app_config/session_config/sessionTimeout = 900. - , . SystemCookiesDataProtection = true. HttpOnly , - , , . HTTPOnly, Logon tickets XSS-. ume.logon.httponlycookie= True. Logon tickets , Single Sign-On J2EE Engine. “True” , HTTP document.cookie ( XSS-) . SessionIPProtectionEnabled = True. , IP . True, HTTP- IP. IP, . , , - XSS-, - -, . LogCLF = TRUE http.properties logging CEF. ArchiveOldLogFiles = ON. Log Configurator . . , . , . . HttpTrace= Enable. HTTP- , ConfigTool. HTTP Provider Service, , HttpTrace. SAP HANA XS , XSS- – SAP HANA. SAP HANA SAPUI5. - SAPUI5 , . , int int, sap.ui.core . – , HTML: , : sessiontimeout = 900. - , . HttpOnly . , , - XSS-, - -, . HTTP (S) , SAP HANA, -. - HTTP (S) , icm/http/logging _ 0: global _ auditing _ state = true. global.ini, . , , XSS-. SAP HANA Administration Console –> Security HDB –> Auditing Status menu. - , XSS. , , - SAP . XSS- – SAP. SAP XSS-. XSS SAP. , ( chipik ) . Logging additional information ABAP protection SAP Encoding Functions for AS ABAP Java protection SAP Encoding Functions for AS Java and JavaScript Prevention of Cross-site Scripting SAP HANA protection Protecting SAP® Applications Based on Java and ABAP™ Against Common Attacks
<%@page language="abap" forceEncode="html"%> <% data: inputvalue type string. inputvalue = request->get_form_field( 'x' ). %> </html> . , ( ): <%html=...%>: HTML <%url=...%>: URL URL <%javascript=...%>: JavaScript <%css=…%> : CSS <%raw=...%> ( , , , ) BSP BSP HTMLB forceEncode <htmlb:content> ENABLED , ( ). ENABLED , , :<htmlb:content forceEncode="ENABLED|BACKWARDS_COMPATIBLE"> ENABLED: . , ; BACKWARDS_COMPATIBLE: . , . , htmlb:content , . : CLASSIC, DESIGN2002, DESIGN2003, DESIGN2008, , (+). CLASSIC DESIGN2002 (, ) . <htmlb:content forceEncode="ENABLED" design="DESIGN2003+DESIGN2008"> , design=CLASSIC. . Mixed BSP- HTML HTMLB forceEncode BSP page forceEncode HTMLB . , – HTMLB. , , HTML BSP, Internet Transaction Server (ITS) HTML Business Internet Transaction Server (ITS) HTML Business, : xss_url_escape() xss_html_escape() xss_wml_escape() xss_css_escape() xss_js_escape() HTML Business , HTML-: , (`) , : ~auto_html_escaping=1: , ~new_xss_functions=1: XSS. ~html_escaping_off=1/0, . , , SAP_BASIS: ITS ( <= 6.40), Internet Service SE80. ITS ( >= 6.40), GUI SICF : 7.20, ~new_xss_functions, XSS- . , , , . ~html_escaping_off=”X”, . , . SAP Security Note 1488500. Business HTML (BHTML) HTMLBusiness Template Library (, SAP_TemplateNonEditableField()) . , . SAP Security Note 916255. , . , . , XSS-: http/security_session_timeout = 900; - , . icf/set_HTTPonly_flag_on_cookies = 0; HttpOnly , - , , . HTTPOnly, Logon tickets XSS-. , RZ10, ( Profile) (, DEFAULT.PFL, SAP-). , , , Extended maintenance . , Copy. , , - , - -, : icm/HTTP/logging_0 icm/security_log , SAP NetWeaver J2EE SAP NetWeaver J2EE AS Java tc_sec_csi.jar. , HTML/XML, JavaScript, CSS URL. StringUtils (com.sap.security.core.server.csi.util.StringUtils): . Securing SAP from XSS vulnerabilities escapeScriptEndTag(String pStr) - , javascript ; escapeToHTML(String input) – (. 1) escapeToJS(String input) – JS declaration ( . 5) escapeToURL(String input) – , URL ( 3). , 'disableScriptSignatures'. escapeToURL(StringBuffer sb, String input, int maxLength) - , URL ( 3). , 'disableScriptSignatures'. escapeToURL(String input, int maxLength) - , URL (. 3). , 'disableScriptSignatures'. urlEncode(String s) – URLEncoder.encode , . 1 ( ) [CASE1] Username [CASE1] 2 ( , – URL) Click here 3 ( - URL) 4 ( SCRIPT', – ) 5 ( – declaration ) XSSEncoder. - XSSEncoder ( : com.sap.security.core.server.csi.XSSEncoder). : HTML / XML out = XSSEncoder.encodeHTML( in ) and XSSEncoder.encodeXML( val ); JavaScript out = XSSEncoder.encodeJavaScript( val ); URL out = XSSEncoder.encodeURL( val ); CSS out = XSSEncoder.encodeCSS( val ); , . SAP Security Note 1590008. WebDynpro Java WebDynpro Java, XSS. . SAP UI Development Kit for HTML5 SAP UI Development Kit HTML5, jQuery /_core/src/main/js/jquery.sap.encoder.js. : HTML / XML jQuery.sap.encodeHTML(sValue) and jQuery.sap.encodeXML(sValue) JavaScript jQuery.sap.encodeJS(sValue) URL jQuery.sap.encodeURL(sValue) CSS jQuery.sap.encodeCSS(sValue) : , : Global_app_config/session_config/sessionTimeout = 900. - , . SystemCookiesDataProtection = true. HttpOnly , - , , . HTTPOnly, Logon tickets XSS-. ume.logon.httponlycookie= True. Logon tickets , Single Sign-On J2EE Engine. “True” , HTTP document.cookie ( XSS-) . SessionIPProtectionEnabled = True. , IP . True, HTTP- IP. IP, . , , - XSS-, - -, . LogCLF = TRUE http.properties logging CEF. ArchiveOldLogFiles = ON. Log Configurator . . , . , . . HttpTrace= Enable. HTTP- , ConfigTool. HTTP Provider Service, , HttpTrace. SAP HANA XS , XSS- – SAP HANA. SAP HANA SAPUI5. - SAPUI5 , . , int int, sap.ui.core . – , HTML: , : sessiontimeout = 900. - , . HttpOnly . , , - XSS-, - -, . HTTP (S) , SAP HANA, -. - HTTP (S) , icm/http/logging _ 0: global _ auditing _ state = true. global.ini, . , , XSS-. SAP HANA Administration Console –> Security HDB –> Auditing Status menu. - , XSS. , , - SAP . XSS- – SAP. SAP XSS-. XSS SAP. , ( chipik ) . Logging additional information ABAP protection SAP Encoding Functions for AS ABAP Java protection SAP Encoding Functions for AS Java and JavaScript Prevention of Cross-site Scripting SAP HANA protection Protecting SAP® Applications Based on Java and ABAP™ Against Common Attacks
<%@page language="abap" forceEncode="html"%> <% data: inputvalue type string. inputvalue = request->get_form_field( 'x' ). %> </html> . , ( ): <%html=...%>: HTML <%url=...%>: URL URL <%javascript=...%>: JavaScript <%css=…%> : CSS <%raw=...%> ( , , , ) BSP BSP HTMLB forceEncode <htmlb:content> ENABLED , ( ). ENABLED , , :<htmlb:content forceEncode="ENABLED|BACKWARDS_COMPATIBLE"> ENABLED: . , ; BACKWARDS_COMPATIBLE: . , . , htmlb:content , . : CLASSIC, DESIGN2002, DESIGN2003, DESIGN2008, , (+). CLASSIC DESIGN2002 (, ) . <htmlb:content forceEncode="ENABLED" design="DESIGN2003+DESIGN2008"> , design=CLASSIC. . Mixed BSP- HTML HTMLB forceEncode BSP page forceEncode HTMLB . , – HTMLB. , , HTML BSP, Internet Transaction Server (ITS) HTML Business Internet Transaction Server (ITS) HTML Business, : xss_url_escape() xss_html_escape() xss_wml_escape() xss_css_escape() xss_js_escape() HTML Business , HTML-: , (`) , : ~auto_html_escaping=1: , ~new_xss_functions=1: XSS. ~html_escaping_off=1/0, . , , SAP_BASIS: ITS ( <= 6.40), Internet Service SE80. ITS ( >= 6.40), GUI SICF : 7.20, ~new_xss_functions, XSS- . , , , . ~html_escaping_off=”X”, . , . SAP Security Note 1488500. Business HTML (BHTML) HTMLBusiness Template Library (, SAP_TemplateNonEditableField()) . , . SAP Security Note 916255. , . , . , XSS-: http/security_session_timeout = 900; - , . icf/set_HTTPonly_flag_on_cookies = 0; HttpOnly , - , , . HTTPOnly, Logon tickets XSS-. , RZ10, ( Profile) (, DEFAULT.PFL, SAP-). , , , Extended maintenance . , Copy. , , - , - -, : icm/HTTP/logging_0 icm/security_log , SAP NetWeaver J2EE SAP NetWeaver J2EE AS Java tc_sec_csi.jar. , HTML/XML, JavaScript, CSS URL. StringUtils (com.sap.security.core.server.csi.util.StringUtils): . Securing SAP from XSS vulnerabilities escapeScriptEndTag(String pStr) - , javascript ; escapeToHTML(String input) – (. 1) escapeToJS(String input) – JS declaration ( . 5) escapeToURL(String input) – , URL ( 3). , 'disableScriptSignatures'. escapeToURL(StringBuffer sb, String input, int maxLength) - , URL ( 3). , 'disableScriptSignatures'. escapeToURL(String input, int maxLength) - , URL (. 3). , 'disableScriptSignatures'. urlEncode(String s) – URLEncoder.encode , . 1 ( ) [CASE1] Username [CASE1] 2 ( , – URL) Click here 3 ( - URL) 4 ( SCRIPT', – ) 5 ( – declaration ) XSSEncoder. - XSSEncoder ( : com.sap.security.core.server.csi.XSSEncoder). : HTML / XML out = XSSEncoder.encodeHTML( in ) and XSSEncoder.encodeXML( val ); JavaScript out = XSSEncoder.encodeJavaScript( val ); URL out = XSSEncoder.encodeURL( val ); CSS out = XSSEncoder.encodeCSS( val ); , . SAP Security Note 1590008. WebDynpro Java WebDynpro Java, XSS. . SAP UI Development Kit for HTML5 SAP UI Development Kit HTML5, jQuery /_core/src/main/js/jquery.sap.encoder.js. : HTML / XML jQuery.sap.encodeHTML(sValue) and jQuery.sap.encodeXML(sValue) JavaScript jQuery.sap.encodeJS(sValue) URL jQuery.sap.encodeURL(sValue) CSS jQuery.sap.encodeCSS(sValue) : , : Global_app_config/session_config/sessionTimeout = 900. - , . SystemCookiesDataProtection = true. HttpOnly , - , , . HTTPOnly, Logon tickets XSS-. ume.logon.httponlycookie= True. Logon tickets , Single Sign-On J2EE Engine. “True” , HTTP document.cookie ( XSS-) . SessionIPProtectionEnabled = True. , IP . True, HTTP- IP. IP, . , , - XSS-, - -, . LogCLF = TRUE http.properties logging CEF. ArchiveOldLogFiles = ON. Log Configurator . . , . , . . HttpTrace= Enable. HTTP- , ConfigTool. HTTP Provider Service, , HttpTrace. SAP HANA XS , XSS- – SAP HANA. SAP HANA SAPUI5. - SAPUI5 , . , int int, sap.ui.core . – , HTML: , : sessiontimeout = 900. - , . HttpOnly . , , - XSS-, - -, . HTTP (S) , SAP HANA, -. - HTTP (S) , icm/http/logging _ 0: global _ auditing _ state = true. global.ini, . , , XSS-. SAP HANA Administration Console –> Security HDB –> Auditing Status menu. - , XSS. , , - SAP . XSS- – SAP. SAP XSS-. XSS SAP. , ( chipik ) . Logging additional information ABAP protection SAP Encoding Functions for AS ABAP Java protection SAP Encoding Functions for AS Java and JavaScript Prevention of Cross-site Scripting SAP HANA protection Protecting SAP® Applications Based on Java and ABAP™ Against Common Attacks
<%@page language="abap" forceEncode="html"%> <% data: inputvalue type string. inputvalue = request->get_form_field( 'x' ). %> </html> . , ( ): <%html=...%>: HTML <%url=...%>: URL URL <%javascript=...%>: JavaScript <%css=…%> : CSS <%raw=...%> ( , , , ) BSP BSP HTMLB forceEncode <htmlb:content> ENABLED , ( ). ENABLED , , :<htmlb:content forceEncode="ENABLED|BACKWARDS_COMPATIBLE"> ENABLED: . , ; BACKWARDS_COMPATIBLE: . , . , htmlb:content , . : CLASSIC, DESIGN2002, DESIGN2003, DESIGN2008, , (+). CLASSIC DESIGN2002 (, ) . <htmlb:content forceEncode="ENABLED" design="DESIGN2003+DESIGN2008"> , design=CLASSIC. . Mixed BSP- HTML HTMLB forceEncode BSP page forceEncode HTMLB . , – HTMLB. , , HTML BSP, Internet Transaction Server (ITS) HTML Business Internet Transaction Server (ITS) HTML Business, : xss_url_escape() xss_html_escape() xss_wml_escape() xss_css_escape() xss_js_escape() HTML Business , HTML-: , (`) , : ~auto_html_escaping=1: , ~new_xss_functions=1: XSS. ~html_escaping_off=1/0, . , , SAP_BASIS: ITS ( <= 6.40), Internet Service SE80. ITS ( >= 6.40), GUI SICF : 7.20, ~new_xss_functions, XSS- . , , , . ~html_escaping_off=”X”, . , . SAP Security Note 1488500. Business HTML (BHTML) HTMLBusiness Template Library (, SAP_TemplateNonEditableField()) . , . SAP Security Note 916255. , . , . , XSS-: http/security_session_timeout = 900; - , . icf/set_HTTPonly_flag_on_cookies = 0; HttpOnly , - , , . HTTPOnly, Logon tickets XSS-. , RZ10, ( Profile) (, DEFAULT.PFL, SAP-). , , , Extended maintenance . , Copy. , , - , - -, : icm/HTTP/logging_0 icm/security_log , SAP NetWeaver J2EE SAP NetWeaver J2EE AS Java tc_sec_csi.jar. , HTML/XML, JavaScript, CSS URL. StringUtils (com.sap.security.core.server.csi.util.StringUtils): . Securing SAP from XSS vulnerabilities escapeScriptEndTag(String pStr) - , javascript ; escapeToHTML(String input) – (. 1) escapeToJS(String input) – JS declaration ( . 5) escapeToURL(String input) – , URL ( 3). , 'disableScriptSignatures'. escapeToURL(StringBuffer sb, String input, int maxLength) - , URL ( 3). , 'disableScriptSignatures'. escapeToURL(String input, int maxLength) - , URL (. 3). , 'disableScriptSignatures'. urlEncode(String s) – URLEncoder.encode , . 1 ( ) [CASE1] Username [CASE1] 2 ( , – URL) Click here 3 ( - URL) 4 ( SCRIPT', – ) 5 ( – declaration ) XSSEncoder. - XSSEncoder ( : com.sap.security.core.server.csi.XSSEncoder). : HTML / XML out = XSSEncoder.encodeHTML( in ) and XSSEncoder.encodeXML( val ); JavaScript out = XSSEncoder.encodeJavaScript( val ); URL out = XSSEncoder.encodeURL( val ); CSS out = XSSEncoder.encodeCSS( val ); , . SAP Security Note 1590008. WebDynpro Java WebDynpro Java, XSS. . SAP UI Development Kit for HTML5 SAP UI Development Kit HTML5, jQuery /_core/src/main/js/jquery.sap.encoder.js. : HTML / XML jQuery.sap.encodeHTML(sValue) and jQuery.sap.encodeXML(sValue) JavaScript jQuery.sap.encodeJS(sValue) URL jQuery.sap.encodeURL(sValue) CSS jQuery.sap.encodeCSS(sValue) : , : Global_app_config/session_config/sessionTimeout = 900. - , . SystemCookiesDataProtection = true. HttpOnly , - , , . HTTPOnly, Logon tickets XSS-. ume.logon.httponlycookie= True. Logon tickets , Single Sign-On J2EE Engine. “True” , HTTP document.cookie ( XSS-) . SessionIPProtectionEnabled = True. , IP . True, HTTP- IP. IP, . , , - XSS-, - -, . LogCLF = TRUE http.properties logging CEF. ArchiveOldLogFiles = ON. Log Configurator . . , . , . . HttpTrace= Enable. HTTP- , ConfigTool. HTTP Provider Service, , HttpTrace. SAP HANA XS , XSS- – SAP HANA. SAP HANA SAPUI5. - SAPUI5 , . , int int, sap.ui.core . – , HTML: , : sessiontimeout = 900. - , . HttpOnly . , , - XSS-, - -, . HTTP (S) , SAP HANA, -. - HTTP (S) , icm/http/logging _ 0: global _ auditing _ state = true. global.ini, . , , XSS-. SAP HANA Administration Console –> Security HDB –> Auditing Status menu. - , XSS. , , - SAP . XSS- – SAP. SAP XSS-. XSS SAP. , ( chipik ) . Logging additional information ABAP protection SAP Encoding Functions for AS ABAP Java protection SAP Encoding Functions for AS Java and JavaScript Prevention of Cross-site Scripting SAP HANA protection Protecting SAP® Applications Based on Java and ABAP™ Against Common Attacks
<%@page language="abap" forceEncode="html"%> <% data: inputvalue type string. inputvalue = request->get_form_field( 'x' ). %> </html> . , ( ): <%html=...%>: HTML <%url=...%>: URL URL <%javascript=...%>: JavaScript <%css=…%> : CSS <%raw=...%> ( , , , ) BSP BSP HTMLB forceEncode <htmlb:content> ENABLED , ( ). ENABLED , , :<htmlb:content forceEncode="ENABLED|BACKWARDS_COMPATIBLE"> ENABLED: . , ; BACKWARDS_COMPATIBLE: . , . , htmlb:content , . : CLASSIC, DESIGN2002, DESIGN2003, DESIGN2008, , (+). CLASSIC DESIGN2002 (, ) . <htmlb:content forceEncode="ENABLED" design="DESIGN2003+DESIGN2008"> , design=CLASSIC. . Mixed BSP- HTML HTMLB forceEncode BSP page forceEncode HTMLB . , – HTMLB. , , HTML BSP, Internet Transaction Server (ITS) HTML Business Internet Transaction Server (ITS) HTML Business, : xss_url_escape() xss_html_escape() xss_wml_escape() xss_css_escape() xss_js_escape() HTML Business , HTML-: , (`) , : ~auto_html_escaping=1: , ~new_xss_functions=1: XSS. ~html_escaping_off=1/0, . , , SAP_BASIS: ITS ( <= 6.40), Internet Service SE80. ITS ( >= 6.40), GUI SICF : 7.20, ~new_xss_functions, XSS- . , , , . ~html_escaping_off=”X”, . , . SAP Security Note 1488500. Business HTML (BHTML) HTMLBusiness Template Library (, SAP_TemplateNonEditableField()) . , . SAP Security Note 916255. , . , . , XSS-: http/security_session_timeout = 900; - , . icf/set_HTTPonly_flag_on_cookies = 0; HttpOnly , - , , . HTTPOnly, Logon tickets XSS-. , RZ10, ( Profile) (, DEFAULT.PFL, SAP-). , , , Extended maintenance . , Copy. , , - , - -, : icm/HTTP/logging_0 icm/security_log , SAP NetWeaver J2EE SAP NetWeaver J2EE AS Java tc_sec_csi.jar. , HTML/XML, JavaScript, CSS URL. StringUtils (com.sap.security.core.server.csi.util.StringUtils): . Securing SAP from XSS vulnerabilities escapeScriptEndTag(String pStr) - , javascript ; escapeToHTML(String input) – (. 1) escapeToJS(String input) – JS declaration ( . 5) escapeToURL(String input) – , URL ( 3). , 'disableScriptSignatures'. escapeToURL(StringBuffer sb, String input, int maxLength) - , URL ( 3). , 'disableScriptSignatures'. escapeToURL(String input, int maxLength) - , URL (. 3). , 'disableScriptSignatures'. urlEncode(String s) – URLEncoder.encode , . 1 ( ) [CASE1] Username [CASE1] 2 ( , – URL) Click here 3 ( - URL) 4 ( SCRIPT', – ) 5 ( – declaration ) XSSEncoder. - XSSEncoder ( : com.sap.security.core.server.csi.XSSEncoder). : HTML / XML out = XSSEncoder.encodeHTML( in ) and XSSEncoder.encodeXML( val ); JavaScript out = XSSEncoder.encodeJavaScript( val ); URL out = XSSEncoder.encodeURL( val ); CSS out = XSSEncoder.encodeCSS( val ); , . SAP Security Note 1590008. WebDynpro Java WebDynpro Java, XSS. . SAP UI Development Kit for HTML5 SAP UI Development Kit HTML5, jQuery /_core/src/main/js/jquery.sap.encoder.js. : HTML / XML jQuery.sap.encodeHTML(sValue) and jQuery.sap.encodeXML(sValue) JavaScript jQuery.sap.encodeJS(sValue) URL jQuery.sap.encodeURL(sValue) CSS jQuery.sap.encodeCSS(sValue) : , : Global_app_config/session_config/sessionTimeout = 900. - , . SystemCookiesDataProtection = true. HttpOnly , - , , . HTTPOnly, Logon tickets XSS-. ume.logon.httponlycookie= True. Logon tickets , Single Sign-On J2EE Engine. “True” , HTTP document.cookie ( XSS-) . SessionIPProtectionEnabled = True. , IP . True, HTTP- IP. IP, . , , - XSS-, - -, . LogCLF = TRUE http.properties logging CEF. ArchiveOldLogFiles = ON. Log Configurator . . , . , . . HttpTrace= Enable. HTTP- , ConfigTool. HTTP Provider Service, , HttpTrace. SAP HANA XS , XSS- – SAP HANA. SAP HANA SAPUI5. - SAPUI5 , . , int int, sap.ui.core . – , HTML: , : sessiontimeout = 900. - , . HttpOnly . , , - XSS-, - -, . HTTP (S) , SAP HANA, -. - HTTP (S) , icm/http/logging _ 0: global _ auditing _ state = true. global.ini, . , , XSS-. SAP HANA Administration Console –> Security HDB –> Auditing Status menu. - , XSS. , , - SAP . XSS- – SAP. SAP XSS-. XSS SAP. , ( chipik ) . Logging additional information ABAP protection SAP Encoding Functions for AS ABAP Java protection SAP Encoding Functions for AS Java and JavaScript Prevention of Cross-site Scripting SAP HANA protection Protecting SAP® Applications Based on Java and ABAP™ Against Common Attacks
<%@page language="abap" forceEncode="html"%> <% data: inputvalue type string. inputvalue = request->get_form_field( 'x' ). %> </html> . , ( ): <%html=...%>: HTML <%url=...%>: URL URL <%javascript=...%>: JavaScript <%css=…%> : CSS <%raw=...%> ( , , , ) BSP BSP HTMLB forceEncode <htmlb:content> ENABLED , ( ). ENABLED , , :<htmlb:content forceEncode="ENABLED|BACKWARDS_COMPATIBLE"> ENABLED: . , ; BACKWARDS_COMPATIBLE: . , . , htmlb:content , . : CLASSIC, DESIGN2002, DESIGN2003, DESIGN2008, , (+). CLASSIC DESIGN2002 (, ) . <htmlb:content forceEncode="ENABLED" design="DESIGN2003+DESIGN2008"> , design=CLASSIC. . Mixed BSP- HTML HTMLB forceEncode BSP page forceEncode HTMLB . , – HTMLB. , , HTML BSP, Internet Transaction Server (ITS) HTML Business Internet Transaction Server (ITS) HTML Business, : xss_url_escape() xss_html_escape() xss_wml_escape() xss_css_escape() xss_js_escape() HTML Business , HTML-: , (`) , : ~auto_html_escaping=1: , ~new_xss_functions=1: XSS. ~html_escaping_off=1/0, . , , SAP_BASIS: ITS ( <= 6.40), Internet Service SE80. ITS ( >= 6.40), GUI SICF : 7.20, ~new_xss_functions, XSS- . , , , . ~html_escaping_off=”X”, . , . SAP Security Note 1488500. Business HTML (BHTML) HTMLBusiness Template Library (, SAP_TemplateNonEditableField()) . , . SAP Security Note 916255. , . , . , XSS-: http/security_session_timeout = 900; - , . icf/set_HTTPonly_flag_on_cookies = 0; HttpOnly , - , , . HTTPOnly, Logon tickets XSS-. , RZ10, ( Profile) (, DEFAULT.PFL, SAP-). , , , Extended maintenance . , Copy. , , - , - -, : icm/HTTP/logging_0 icm/security_log , SAP NetWeaver J2EE SAP NetWeaver J2EE AS Java tc_sec_csi.jar. , HTML/XML, JavaScript, CSS URL. StringUtils (com.sap.security.core.server.csi.util.StringUtils): . Securing SAP from XSS vulnerabilities escapeScriptEndTag(String pStr) - , javascript ; escapeToHTML(String input) – (. 1) escapeToJS(String input) – JS declaration ( . 5) escapeToURL(String input) – , URL ( 3). , 'disableScriptSignatures'. escapeToURL(StringBuffer sb, String input, int maxLength) - , URL ( 3). , 'disableScriptSignatures'. escapeToURL(String input, int maxLength) - , URL (. 3). , 'disableScriptSignatures'. urlEncode(String s) – URLEncoder.encode , . 1 ( ) [CASE1] Username [CASE1] 2 ( , – URL) Click here 3 ( - URL) 4 ( SCRIPT', – ) 5 ( – declaration ) XSSEncoder. - XSSEncoder ( : com.sap.security.core.server.csi.XSSEncoder). : HTML / XML out = XSSEncoder.encodeHTML( in ) and XSSEncoder.encodeXML( val ); JavaScript out = XSSEncoder.encodeJavaScript( val ); URL out = XSSEncoder.encodeURL( val ); CSS out = XSSEncoder.encodeCSS( val ); , . SAP Security Note 1590008. WebDynpro Java WebDynpro Java, XSS. . SAP UI Development Kit for HTML5 SAP UI Development Kit HTML5, jQuery /_core/src/main/js/jquery.sap.encoder.js. : HTML / XML jQuery.sap.encodeHTML(sValue) and jQuery.sap.encodeXML(sValue) JavaScript jQuery.sap.encodeJS(sValue) URL jQuery.sap.encodeURL(sValue) CSS jQuery.sap.encodeCSS(sValue) : , : Global_app_config/session_config/sessionTimeout = 900. - , . SystemCookiesDataProtection = true. HttpOnly , - , , . HTTPOnly, Logon tickets XSS-. ume.logon.httponlycookie= True. Logon tickets , Single Sign-On J2EE Engine. “True” , HTTP document.cookie ( XSS-) . SessionIPProtectionEnabled = True. , IP . True, HTTP- IP. IP, . , , - XSS-, - -, . LogCLF = TRUE http.properties logging CEF. ArchiveOldLogFiles = ON. Log Configurator . . , . , . . HttpTrace= Enable. HTTP- , ConfigTool. HTTP Provider Service, , HttpTrace. SAP HANA XS , XSS- – SAP HANA. SAP HANA SAPUI5. - SAPUI5 , . , int int, sap.ui.core . – , HTML: , : sessiontimeout = 900. - , . HttpOnly . , , - XSS-, - -, . HTTP (S) , SAP HANA, -. - HTTP (S) , icm/http/logging _ 0: global _ auditing _ state = true. global.ini, . , , XSS-. SAP HANA Administration Console –> Security HDB –> Auditing Status menu. - , XSS. , , - SAP . XSS- – SAP. SAP XSS-. XSS SAP. , ( chipik ) . Logging additional information ABAP protection SAP Encoding Functions for AS ABAP Java protection SAP Encoding Functions for AS Java and JavaScript Prevention of Cross-site Scripting SAP HANA protection Protecting SAP® Applications Based on Java and ABAP™ Against Common Attacks

<%@page language="abap" forceEncode="html"%>
<% data: inputvalue type string.
inputvalue = request->get_form_field( 'x' ).
%>
</html>


. , ( ):

<%html=...%>: HTML <%url=...%>: URL URL <%javascript=...%>: JavaScript <%css=…%> : CSS <%raw=...%> ( , , , )

BSP

BSP HTMLB forceEncode <htmlb:content> ENABLED , ( ). ENABLED , , :<htmlb:content forceEncode="ENABLED|BACKWARDS_COMPATIBLE">

ENABLED: . , ; BACKWARDS_COMPATIBLE: . , .

, htmlb:content , . : CLASSIC, DESIGN2002, DESIGN2003, DESIGN2008, , (+). CLASSIC DESIGN2002 (, ) .

<htmlb:content forceEncode="ENABLED" design="DESIGN2003+DESIGN2008">


, design=CLASSIC. .

Mixed BSP- HTML HTMLB

forceEncode BSP page forceEncode HTMLB . , – HTMLB. , , HTML BSP,

Internet Transaction Server (ITS) HTML Business

Internet Transaction Server (ITS) HTML Business, :

xss_url_escape() xss_html_escape() xss_wml_escape() xss_css_escape() xss_js_escape()
HTML Business

, HTML-: , (`) , :
~auto_html_escaping=1: , ~new_xss_functions=1: XSS.
~html_escaping_off=1/0, .
, , SAP_BASIS:
ITS ( <= 6.40), Internet Service SE80. ITS ( >= 6.40), GUI SICF :

7.20, ~new_xss_functions, XSS- .

, , , . ~html_escaping_off=”X”, . , . SAP Security Note 1488500.

Business HTML (BHTML)

HTMLBusiness Template Library (, SAP_TemplateNonEditableField()) . , . SAP Security Note 916255.



, . , .



, XSS-:

http/security_session_timeout = 900; - , . icf/set_HTTPonly_flag_on_cookies = 0; HttpOnly , - , , . HTTPOnly, Logon tickets XSS-.

, RZ10, ( Profile) (, DEFAULT.PFL, SAP-). , , , Extended maintenance . , Copy.



, , - , - -, :
icm/HTTP/logging_0 icm/security_log ,

SAP NetWeaver J2EE

SAP NetWeaver J2EE



AS Java tc_sec_csi.jar. , HTML/XML, JavaScript, CSS URL. StringUtils (com.sap.security.core.server.csi.util.StringUtils):

. Securing SAP from XSS vulnerabilities
escapeScriptEndTag(String pStr) - , javascript ; escapeToHTML(String input) – (. 1) escapeToJS(String input) – JS declaration ( . 5) escapeToURL(String input) – , URL ( 3). , 'disableScriptSignatures'. escapeToURL(StringBuffer sb, String input, int maxLength) - , URL ( 3). , 'disableScriptSignatures'. escapeToURL(String input, int maxLength) - , URL (. 3). , 'disableScriptSignatures'. urlEncode(String s) – URLEncoder.encode

, .

1 ( )

[CASE1]

Username [CASE1]



2 ( , – URL)


Click here


3 ( - URL)




4 ( SCRIPT', – )



5 ( – declaration )



XSSEncoder.
- XSSEncoder ( : com.sap.security.core.server.csi.XSSEncoder).

:
HTML / XML out = XSSEncoder.encodeHTML( in ) and XSSEncoder.encodeXML( val ); JavaScript out = XSSEncoder.encodeJavaScript( val ); URL out = XSSEncoder.encodeURL( val ); CSS out = XSSEncoder.encodeCSS( val );

, . SAP Security Note 1590008.
WebDynpro Java
WebDynpro Java, XSS. .
SAP UI Development Kit for HTML5
SAP UI Development Kit HTML5, jQuery /_core/src/main/js/jquery.sap.encoder.js.
:
HTML / XML jQuery.sap.encodeHTML(sValue) and jQuery.sap.encodeXML(sValue) JavaScript jQuery.sap.encodeJS(sValue) URL jQuery.sap.encodeURL(sValue) CSS jQuery.sap.encodeCSS(sValue)
:

, :
Global_app_config/session_config/sessionTimeout = 900. - , . SystemCookiesDataProtection = true. HttpOnly , - , , . HTTPOnly, Logon tickets XSS-. ume.logon.httponlycookie= True. Logon tickets , Single Sign-On J2EE Engine. “True” , HTTP document.cookie ( XSS-) . SessionIPProtectionEnabled = True. , IP . True, HTTP- IP. IP, .


, , - XSS-, - -, .
LogCLF = TRUE http.properties logging CEF. ArchiveOldLogFiles = ON. Log Configurator . . , . , . . HttpTrace= Enable. HTTP- , ConfigTool. HTTP Provider Service, , HttpTrace.
SAP HANA XS

, XSS- – SAP HANA.


SAP HANA SAPUI5.
- SAPUI5 , . , int int, sap.ui.core . – , HTML:

, :
sessiontimeout = 900. - , . HttpOnly .



, , - XSS-, - -, .

HTTP (S) , SAP HANA, -. - HTTP (S) , icm/http/logging _ 0: global _ auditing _ state = true. global.ini, . , , XSS-. SAP HANA Administration Console –> Security HDB –> Auditing Status menu.



- , XSS. , , - SAP . XSS- – SAP. SAP XSS-. XSS SAP.

, ( chipik ) .


Logging additional information ABAP protection SAP Encoding Functions for AS ABAP Java protection SAP Encoding Functions for AS Java and JavaScript Prevention of Cross-site Scripting SAP HANA protection Protecting SAP® Applications Based on Java and ABAP™ Against Common Attacks

<%@page language="abap" forceEncode="html"%> <% data: inputvalue type string. inputvalue = request->get_form_field( 'x' ). %> </html> . , ( ): <%html=...%>: HTML <%url=...%>: URL URL <%javascript=...%>: JavaScript <%css=…%> : CSS <%raw=...%> ( , , , ) BSP BSP HTMLB forceEncode <htmlb:content> ENABLED , ( ). ENABLED , , :<htmlb:content forceEncode="ENABLED|BACKWARDS_COMPATIBLE"> ENABLED: . , ; BACKWARDS_COMPATIBLE: . , . , htmlb:content , . : CLASSIC, DESIGN2002, DESIGN2003, DESIGN2008, , (+). CLASSIC DESIGN2002 (, ) . <htmlb:content forceEncode="ENABLED" design="DESIGN2003+DESIGN2008"> , design=CLASSIC. . Mixed BSP- HTML HTMLB forceEncode BSP page forceEncode HTMLB . , – HTMLB. , , HTML BSP, Internet Transaction Server (ITS) HTML Business Internet Transaction Server (ITS) HTML Business, : xss_url_escape() xss_html_escape() xss_wml_escape() xss_css_escape() xss_js_escape() HTML Business , HTML-: , (`) , : ~auto_html_escaping=1: , ~new_xss_functions=1: XSS. ~html_escaping_off=1/0, . , , SAP_BASIS: ITS ( <= 6.40), Internet Service SE80. ITS ( >= 6.40), GUI SICF : 7.20, ~new_xss_functions, XSS- . , , , . ~html_escaping_off=”X”, . , . SAP Security Note 1488500. Business HTML (BHTML) HTMLBusiness Template Library (, SAP_TemplateNonEditableField()) . , . SAP Security Note 916255. , . , . , XSS-: http/security_session_timeout = 900; - , . icf/set_HTTPonly_flag_on_cookies = 0; HttpOnly , - , , . HTTPOnly, Logon tickets XSS-. , RZ10, ( Profile) (, DEFAULT.PFL, SAP-). , , , Extended maintenance . , Copy. , , - , - -, : icm/HTTP/logging_0 icm/security_log , SAP NetWeaver J2EE SAP NetWeaver J2EE AS Java tc_sec_csi.jar. , HTML/XML, JavaScript, CSS URL. StringUtils (com.sap.security.core.server.csi.util.StringUtils): . Securing SAP from XSS vulnerabilities escapeScriptEndTag(String pStr) - , javascript ; escapeToHTML(String input) – (. 1) escapeToJS(String input) – JS declaration ( . 5) escapeToURL(String input) – , URL ( 3). , 'disableScriptSignatures'. escapeToURL(StringBuffer sb, String input, int maxLength) - , URL ( 3). , 'disableScriptSignatures'. escapeToURL(String input, int maxLength) - , URL (. 3). , 'disableScriptSignatures'. urlEncode(String s) – URLEncoder.encode , . 1 ( ) [CASE1] Username [CASE1] 2 ( , – URL) Click here 3 ( - URL) 4 ( SCRIPT', – ) 5 ( – declaration ) XSSEncoder. - XSSEncoder ( : com.sap.security.core.server.csi.XSSEncoder). : HTML / XML out = XSSEncoder.encodeHTML( in ) and XSSEncoder.encodeXML( val ); JavaScript out = XSSEncoder.encodeJavaScript( val ); URL out = XSSEncoder.encodeURL( val ); CSS out = XSSEncoder.encodeCSS( val ); , . SAP Security Note 1590008. WebDynpro Java WebDynpro Java, XSS. . SAP UI Development Kit for HTML5 SAP UI Development Kit HTML5, jQuery /_core/src/main/js/jquery.sap.encoder.js. : HTML / XML jQuery.sap.encodeHTML(sValue) and jQuery.sap.encodeXML(sValue) JavaScript jQuery.sap.encodeJS(sValue) URL jQuery.sap.encodeURL(sValue) CSS jQuery.sap.encodeCSS(sValue) : , : Global_app_config/session_config/sessionTimeout = 900. - , . SystemCookiesDataProtection = true. HttpOnly , - , , . HTTPOnly, Logon tickets XSS-. ume.logon.httponlycookie= True. Logon tickets , Single Sign-On J2EE Engine. “True” , HTTP document.cookie ( XSS-) . SessionIPProtectionEnabled = True. , IP . True, HTTP- IP. IP, . , , - XSS-, - -, . LogCLF = TRUE http.properties logging CEF. ArchiveOldLogFiles = ON. Log Configurator . . , . , . . HttpTrace= Enable. HTTP- , ConfigTool. HTTP Provider Service, , HttpTrace. SAP HANA XS , XSS- – SAP HANA. SAP HANA SAPUI5. - SAPUI5 , . , int int, sap.ui.core . – , HTML: , : sessiontimeout = 900. - , . HttpOnly . , , - XSS-, - -, . HTTP (S) , SAP HANA, -. - HTTP (S) , icm/http/logging _ 0: global _ auditing _ state = true. global.ini, . , , XSS-. SAP HANA Administration Console –> Security HDB –> Auditing Status menu. - , XSS. , , - SAP . XSS- – SAP. SAP XSS-. XSS SAP. , ( chipik ) . Logging additional information ABAP protection SAP Encoding Functions for AS ABAP Java protection SAP Encoding Functions for AS Java and JavaScript Prevention of Cross-site Scripting SAP HANA protection Protecting SAP® Applications Based on Java and ABAP™ Against Common Attacks <%@page language="abap" forceEncode="html"%> <% data: inputvalue type string. inputvalue = request->get_form_field( 'x' ). %> </html> . , ( ): <%html=...%>: HTML <%url=...%>: URL URL <%javascript=...%>: JavaScript <%css=…%> : CSS <%raw=...%> ( , , , ) BSP BSP HTMLB forceEncode <htmlb:content> ENABLED , ( ). ENABLED , , :<htmlb:content forceEncode="ENABLED|BACKWARDS_COMPATIBLE"> ENABLED: . , ; BACKWARDS_COMPATIBLE: . , . , htmlb:content , . : CLASSIC, DESIGN2002, DESIGN2003, DESIGN2008, , (+). CLASSIC DESIGN2002 (, ) . <htmlb:content forceEncode="ENABLED" design="DESIGN2003+DESIGN2008"> , design=CLASSIC. . Mixed BSP- HTML HTMLB forceEncode BSP page forceEncode HTMLB . , – HTMLB. , , HTML BSP, Internet Transaction Server (ITS) HTML Business Internet Transaction Server (ITS) HTML Business, : xss_url_escape() xss_html_escape() xss_wml_escape() xss_css_escape() xss_js_escape() HTML Business , HTML-: , (`) , : ~auto_html_escaping=1: , ~new_xss_functions=1: XSS. ~html_escaping_off=1/0, . , , SAP_BASIS: ITS ( <= 6.40), Internet Service SE80. ITS ( >= 6.40), GUI SICF : 7.20, ~new_xss_functions, XSS- . , , , . ~html_escaping_off=”X”, . , . SAP Security Note 1488500. Business HTML (BHTML) HTMLBusiness Template Library (, SAP_TemplateNonEditableField()) . , . SAP Security Note 916255. , . , . , XSS-: http/security_session_timeout = 900; - , . icf/set_HTTPonly_flag_on_cookies = 0; HttpOnly , - , , . HTTPOnly, Logon tickets XSS-. , RZ10, ( Profile) (, DEFAULT.PFL, SAP-). , , , Extended maintenance . , Copy. , , - , - -, : icm/HTTP/logging_0 icm/security_log , SAP NetWeaver J2EE SAP NetWeaver J2EE AS Java tc_sec_csi.jar. , HTML/XML, JavaScript, CSS URL. StringUtils (com.sap.security.core.server.csi.util.StringUtils): . Securing SAP from XSS vulnerabilities escapeScriptEndTag(String pStr) - , javascript ; escapeToHTML(String input) – (. 1) escapeToJS(String input) – JS declaration ( . 5) escapeToURL(String input) – , URL ( 3). , 'disableScriptSignatures'. escapeToURL(StringBuffer sb, String input, int maxLength) - , URL ( 3). , 'disableScriptSignatures'. escapeToURL(String input, int maxLength) - , URL (. 3). , 'disableScriptSignatures'. urlEncode(String s) – URLEncoder.encode , . 1 ( ) [CASE1] Username [CASE1] 2 ( , – URL) Click here 3 ( - URL) 4 ( SCRIPT', – ) 5 ( – declaration ) XSSEncoder. - XSSEncoder ( : com.sap.security.core.server.csi.XSSEncoder). : HTML / XML out = XSSEncoder.encodeHTML( in ) and XSSEncoder.encodeXML( val ); JavaScript out = XSSEncoder.encodeJavaScript( val ); URL out = XSSEncoder.encodeURL( val ); CSS out = XSSEncoder.encodeCSS( val ); , . SAP Security Note 1590008. WebDynpro Java WebDynpro Java, XSS. . SAP UI Development Kit for HTML5 SAP UI Development Kit HTML5, jQuery /_core/src/main/js/jquery.sap.encoder.js. : HTML / XML jQuery.sap.encodeHTML(sValue) and jQuery.sap.encodeXML(sValue) JavaScript jQuery.sap.encodeJS(sValue) URL jQuery.sap.encodeURL(sValue) CSS jQuery.sap.encodeCSS(sValue) : , : Global_app_config/session_config/sessionTimeout = 900. - , . SystemCookiesDataProtection = true. HttpOnly , - , , . HTTPOnly, Logon tickets XSS-. ume.logon.httponlycookie= True. Logon tickets , Single Sign-On J2EE Engine. “True” , HTTP document.cookie ( XSS-) . SessionIPProtectionEnabled = True. , IP . True, HTTP- IP. IP, . , , - XSS-, - -, . LogCLF = TRUE http.properties logging CEF. ArchiveOldLogFiles = ON. Log Configurator . . , . , . . HttpTrace= Enable. HTTP- , ConfigTool. HTTP Provider Service, , HttpTrace. SAP HANA XS , XSS- – SAP HANA. SAP HANA SAPUI5. - SAPUI5 , . , int int, sap.ui.core . – , HTML: , : sessiontimeout = 900. - , . HttpOnly . , , - XSS-, - -, . HTTP (S) , SAP HANA, -. - HTTP (S) , icm/http/logging _ 0: global _ auditing _ state = true. global.ini, . , , XSS-. SAP HANA Administration Console –> Security HDB –> Auditing Status menu. - , XSS. , , - SAP . XSS- – SAP. SAP XSS-. XSS SAP. , ( chipik ) . Logging additional information ABAP protection SAP Encoding Functions for AS ABAP Java protection SAP Encoding Functions for AS Java and JavaScript Prevention of Cross-site Scripting SAP HANA protection Protecting SAP® Applications Based on Java and ABAP™ Against Common Attacks

<%@page language="abap" forceEncode="html"%>
<% data: inputvalue type string.
inputvalue = request->get_form_field( 'x' ).
%>
</html>


. , ( ):

<%html=...%>: HTML <%url=...%>: URL URL <%javascript=...%>: JavaScript <%css=…%> : CSS <%raw=...%> ( , , , )

BSP

BSP HTMLB forceEncode <htmlb:content> ENABLED , ( ). ENABLED , , :<htmlb:content forceEncode="ENABLED|BACKWARDS_COMPATIBLE">

ENABLED: . , ; BACKWARDS_COMPATIBLE: . , .

, htmlb:content , . : CLASSIC, DESIGN2002, DESIGN2003, DESIGN2008, , (+). CLASSIC DESIGN2002 (, ) .

<htmlb:content forceEncode="ENABLED" design="DESIGN2003+DESIGN2008">


, design=CLASSIC. .

Mixed BSP- HTML HTMLB

forceEncode BSP page forceEncode HTMLB . , – HTMLB. , , HTML BSP,

Internet Transaction Server (ITS) HTML Business

Internet Transaction Server (ITS) HTML Business, :

xss_url_escape() xss_html_escape() xss_wml_escape() xss_css_escape() xss_js_escape()
HTML Business

, HTML-: , (`) , :
~auto_html_escaping=1: , ~new_xss_functions=1: XSS.
~html_escaping_off=1/0, .
, , SAP_BASIS:
ITS ( <= 6.40), Internet Service SE80. ITS ( >= 6.40), GUI SICF :

7.20, ~new_xss_functions, XSS- .

, , , . ~html_escaping_off=”X”, . , . SAP Security Note 1488500.

Business HTML (BHTML)

HTMLBusiness Template Library (, SAP_TemplateNonEditableField()) . , . SAP Security Note 916255.



, . , .



, XSS-:

http/security_session_timeout = 900; - , . icf/set_HTTPonly_flag_on_cookies = 0; HttpOnly , - , , . HTTPOnly, Logon tickets XSS-.

, RZ10, ( Profile) (, DEFAULT.PFL, SAP-). , , , Extended maintenance . , Copy.



, , - , - -, :
icm/HTTP/logging_0 icm/security_log ,

SAP NetWeaver J2EE

SAP NetWeaver J2EE



AS Java tc_sec_csi.jar. , HTML/XML, JavaScript, CSS URL. StringUtils (com.sap.security.core.server.csi.util.StringUtils):

. Securing SAP from XSS vulnerabilities
escapeScriptEndTag(String pStr) - , javascript ; escapeToHTML(String input) – (. 1) escapeToJS(String input) – JS declaration ( . 5) escapeToURL(String input) – , URL ( 3). , 'disableScriptSignatures'. escapeToURL(StringBuffer sb, String input, int maxLength) - , URL ( 3). , 'disableScriptSignatures'. escapeToURL(String input, int maxLength) - , URL (. 3). , 'disableScriptSignatures'. urlEncode(String s) – URLEncoder.encode

, .

1 ( )

[CASE1]

Username [CASE1]



2 ( , – URL)


Click here


3 ( - URL)




4 ( SCRIPT', – )



5 ( – declaration )



XSSEncoder.
- XSSEncoder ( : com.sap.security.core.server.csi.XSSEncoder).

:
HTML / XML out = XSSEncoder.encodeHTML( in ) and XSSEncoder.encodeXML( val ); JavaScript out = XSSEncoder.encodeJavaScript( val ); URL out = XSSEncoder.encodeURL( val ); CSS out = XSSEncoder.encodeCSS( val );

, . SAP Security Note 1590008.
WebDynpro Java
WebDynpro Java, XSS. .
SAP UI Development Kit for HTML5
SAP UI Development Kit HTML5, jQuery /_core/src/main/js/jquery.sap.encoder.js.
:
HTML / XML jQuery.sap.encodeHTML(sValue) and jQuery.sap.encodeXML(sValue) JavaScript jQuery.sap.encodeJS(sValue) URL jQuery.sap.encodeURL(sValue) CSS jQuery.sap.encodeCSS(sValue)
:

, :
Global_app_config/session_config/sessionTimeout = 900. - , . SystemCookiesDataProtection = true. HttpOnly , - , , . HTTPOnly, Logon tickets XSS-. ume.logon.httponlycookie= True. Logon tickets , Single Sign-On J2EE Engine. “True” , HTTP document.cookie ( XSS-) . SessionIPProtectionEnabled = True. , IP . True, HTTP- IP. IP, .


, , - XSS-, - -, .
LogCLF = TRUE http.properties logging CEF. ArchiveOldLogFiles = ON. Log Configurator . . , . , . . HttpTrace= Enable. HTTP- , ConfigTool. HTTP Provider Service, , HttpTrace.
SAP HANA XS

, XSS- – SAP HANA.


SAP HANA SAPUI5.
- SAPUI5 , . , int int, sap.ui.core . – , HTML:

, :
sessiontimeout = 900. - , . HttpOnly .



, , - XSS-, - -, .

HTTP (S) , SAP HANA, -. - HTTP (S) , icm/http/logging _ 0: global _ auditing _ state = true. global.ini, . , , XSS-. SAP HANA Administration Console –> Security HDB –> Auditing Status menu.



- , XSS. , , - SAP . XSS- – SAP. SAP XSS-. XSS SAP.

, ( chipik ) .


Logging additional information ABAP protection SAP Encoding Functions for AS ABAP Java protection SAP Encoding Functions for AS Java and JavaScript Prevention of Cross-site Scripting SAP HANA protection Protecting SAP® Applications Based on Java and ABAP™ Against Common Attacks

<%@page language="abap" forceEncode="html"%> <% data: inputvalue type string. inputvalue = request->get_form_field( 'x' ). %> </html> . , ( ): <%html=...%>: HTML <%url=...%>: URL URL <%javascript=...%>: JavaScript <%css=…%> : CSS <%raw=...%> ( , , , ) BSP BSP HTMLB forceEncode <htmlb:content> ENABLED , ( ). ENABLED , , :<htmlb:content forceEncode="ENABLED\|BACKWARDS_COMPATIBLE"> ENABLED: . , ; BACKWARDS_COMPATIBLE: . , . , htmlb:content , . : CLASSIC, DESIGN2002, DESIGN2003, DESIGN2008, , (+). CLASSIC DESIGN2002 (, ) . <htmlb:content forceEncode="ENABLED" design="DESIGN2003+DESIGN2008"> , design=CLASSIC. . Mixed BSP- HTML HTMLB forceEncode BSP page forceEncode HTMLB . , – HTMLB. , , HTML BSP, Internet Transaction Server (ITS) HTML Business Internet Transaction Server (ITS) HTML Business, : xss_url_escape() xss_html_escape() xss_wml_escape() xss_css_escape() xss_js_escape() HTML Business , HTML-: , (`) , : ~auto_html_escaping=1: , ~new_xss_functions=1: XSS. ~html_escaping_off=1/0, . , , SAP_BASIS: ITS ( <= 6.40), Internet Service SE80. ITS ( >= 6.40), GUI SICF : 7.20, ~new_xss_functions, XSS- . , , , . ~html_escaping_off=”X”, . , . SAP Security Note 1488500. Business HTML (BHTML) HTMLBusiness Template Library (, SAP_TemplateNonEditableField()) . , . SAP Security Note 916255. , . , . , XSS-: http/security_session_timeout = 900; - , . icf/set_HTTPonly_flag_on_cookies = 0; HttpOnly , - , , . HTTPOnly, Logon tickets XSS-. , RZ10, ( Profile) (, DEFAULT.PFL, SAP-). , , , Extended maintenance . , Copy. , , - , - -, : icm/HTTP/logging_0 icm/security_log , SAP NetWeaver J2EE SAP NetWeaver J2EE AS Java tc_sec_csi.jar. , HTML/XML, JavaScript, CSS URL. StringUtils (com.sap.security.core.server.csi.util.StringUtils): . Securing SAP from XSS vulnerabilities escapeScriptEndTag(String pStr) - , javascript ; escapeToHTML(String input) – (. 1) escapeToJS(String input) – JS declaration ( . 5) escapeToURL(String input) – , URL ( 3). , 'disableScriptSignatures'. escapeToURL(StringBuffer sb, String input, int maxLength) - , URL ( 3). , 'disableScriptSignatures'. escapeToURL(String input, int maxLength) - , URL (. 3). , 'disableScriptSignatures'. urlEncode(String s) – URLEncoder.encode , . 1 ( ) [CASE1] Username [CASE1] 2 ( , – URL) Click here 3 ( - URL) 4 ( SCRIPT', – ) 5 ( – declaration ) XSSEncoder. - XSSEncoder ( : com.sap.security.core.server.csi.XSSEncoder). : HTML / XML out = XSSEncoder.encodeHTML( in ) and XSSEncoder.encodeXML( val ); JavaScript out = XSSEncoder.encodeJavaScript( val ); URL out = XSSEncoder.encodeURL( val ); CSS out = XSSEncoder.encodeCSS( val ); , . SAP Security Note 1590008. WebDynpro Java WebDynpro Java, XSS. . SAP UI Development Kit for HTML5 SAP UI Development Kit HTML5, jQuery /_core/src/main/js/jquery.sap.encoder.js. : HTML / XML jQuery.sap.encodeHTML(sValue) and jQuery.sap.encodeXML(sValue) JavaScript jQuery.sap.encodeJS(sValue) URL jQuery.sap.encodeURL(sValue) CSS jQuery.sap.encodeCSS(sValue) : , : Global_app_config/session_config/sessionTimeout = 900. - , . SystemCookiesDataProtection = true. HttpOnly , - , , . HTTPOnly, Logon tickets XSS-. ume.logon.httponlycookie= True. Logon tickets , Single Sign-On J2EE Engine. “True” , HTTP document.cookie ( XSS-) . SessionIPProtectionEnabled = True. , IP . True, HTTP- IP. IP, . , , - XSS-, - -, . LogCLF = TRUE http.properties logging CEF. ArchiveOldLogFiles = ON. Log Configurator . . , . , . . HttpTrace= Enable. HTTP- , ConfigTool. HTTP Provider Service, , HttpTrace. SAP HANA XS , XSS- – SAP HANA. SAP HANA SAPUI5. - SAPUI5 , . , int int, sap.ui.core . – , HTML: , : sessiontimeout = 900. - , . HttpOnly . , , - XSS-, - -, . HTTP (S) , SAP HANA, -. - HTTP (S) , icm/http/logging _ 0: global _ auditing _ state = true. global.ini, . , , XSS-. SAP HANA Administration Console –> Security HDB –> Auditing Status menu. - , XSS. , , - SAP . XSS- – SAP. SAP XSS-. XSS SAP. , ( chipik ) . Logging additional information ABAP protection SAP Encoding Functions for AS ABAP Java protection SAP Encoding Functions for AS Java and JavaScript Prevention of Cross-site Scripting SAP HANA protection Protecting SAP® Applications Based on Java and ABAP™ Against Common Attacks	<%@page language="abap" forceEncode="html"%> <% data: inputvalue type string. inputvalue = request->get_form_field( 'x' ). %> </html> . , ( ): <%html=...%>: HTML <%url=...%>: URL URL <%javascript=...%>: JavaScript <%css=…%> : CSS <%raw=...%> ( , , , ) BSP BSP HTMLB forceEncode <htmlb:content> ENABLED , ( ). ENABLED , , :<htmlb:content forceEncode="ENABLED\|BACKWARDS_COMPATIBLE"> ENABLED: . , ; BACKWARDS_COMPATIBLE: . , . , htmlb:content , . : CLASSIC, DESIGN2002, DESIGN2003, DESIGN2008, , (+). CLASSIC DESIGN2002 (, ) . <htmlb:content forceEncode="ENABLED" design="DESIGN2003+DESIGN2008"> , design=CLASSIC. . Mixed BSP- HTML HTMLB forceEncode BSP page forceEncode HTMLB . , – HTMLB. , , HTML BSP, Internet Transaction Server (ITS) HTML Business Internet Transaction Server (ITS) HTML Business, : xss_url_escape() xss_html_escape() xss_wml_escape() xss_css_escape() xss_js_escape() HTML Business , HTML-: , (`) , : ~auto_html_escaping=1: , ~new_xss_functions=1: XSS. ~html_escaping_off=1/0, . , , SAP_BASIS: ITS ( <= 6.40), Internet Service SE80. ITS ( >= 6.40), GUI SICF : 7.20, ~new_xss_functions, XSS- . , , , . ~html_escaping_off=”X”, . , . SAP Security Note 1488500. Business HTML (BHTML) HTMLBusiness Template Library (, SAP_TemplateNonEditableField()) . , . SAP Security Note 916255. , . , . , XSS-: http/security_session_timeout = 900; - , . icf/set_HTTPonly_flag_on_cookies = 0; HttpOnly , - , , . HTTPOnly, Logon tickets XSS-. , RZ10, ( Profile) (, DEFAULT.PFL, SAP-). , , , Extended maintenance . , Copy. , , - , - -, : icm/HTTP/logging_0 icm/security_log , SAP NetWeaver J2EE SAP NetWeaver J2EE AS Java tc_sec_csi.jar. , HTML/XML, JavaScript, CSS URL. StringUtils (com.sap.security.core.server.csi.util.StringUtils): . Securing SAP from XSS vulnerabilities escapeScriptEndTag(String pStr) - , javascript ; escapeToHTML(String input) – (. 1) escapeToJS(String input) – JS declaration ( . 5) escapeToURL(String input) – , URL ( 3). , 'disableScriptSignatures'. escapeToURL(StringBuffer sb, String input, int maxLength) - , URL ( 3). , 'disableScriptSignatures'. escapeToURL(String input, int maxLength) - , URL (. 3). , 'disableScriptSignatures'. urlEncode(String s) – URLEncoder.encode , . 1 ( ) [CASE1] Username [CASE1] 2 ( , – URL) Click here 3 ( - URL) 4 ( SCRIPT', – ) 5 ( – declaration ) XSSEncoder. - XSSEncoder ( : com.sap.security.core.server.csi.XSSEncoder). : HTML / XML out = XSSEncoder.encodeHTML( in ) and XSSEncoder.encodeXML( val ); JavaScript out = XSSEncoder.encodeJavaScript( val ); URL out = XSSEncoder.encodeURL( val ); CSS out = XSSEncoder.encodeCSS( val ); , . SAP Security Note 1590008. WebDynpro Java WebDynpro Java, XSS. . SAP UI Development Kit for HTML5 SAP UI Development Kit HTML5, jQuery /_core/src/main/js/jquery.sap.encoder.js. : HTML / XML jQuery.sap.encodeHTML(sValue) and jQuery.sap.encodeXML(sValue) JavaScript jQuery.sap.encodeJS(sValue) URL jQuery.sap.encodeURL(sValue) CSS jQuery.sap.encodeCSS(sValue) : , : Global_app_config/session_config/sessionTimeout = 900. - , . SystemCookiesDataProtection = true. HttpOnly , - , , . HTTPOnly, Logon tickets XSS-. ume.logon.httponlycookie= True. Logon tickets , Single Sign-On J2EE Engine. “True” , HTTP document.cookie ( XSS-) . SessionIPProtectionEnabled = True. , IP . True, HTTP- IP. IP, . , , - XSS-, - -, . LogCLF = TRUE http.properties logging CEF. ArchiveOldLogFiles = ON. Log Configurator . . , . , . . HttpTrace= Enable. HTTP- , ConfigTool. HTTP Provider Service, , HttpTrace. SAP HANA XS , XSS- – SAP HANA. SAP HANA SAPUI5. - SAPUI5 , . , int int, sap.ui.core . – , HTML: , : sessiontimeout = 900. - , . HttpOnly . , , - XSS-, - -, . HTTP (S) , SAP HANA, -. - HTTP (S) , icm/http/logging _ 0: global _ auditing _ state = true. global.ini, . , , XSS-. SAP HANA Administration Console –> Security HDB –> Auditing Status menu. - , XSS. , , - SAP . XSS- – SAP. SAP XSS-. XSS SAP. , ( chipik ) . Logging additional information ABAP protection SAP Encoding Functions for AS ABAP Java protection SAP Encoding Functions for AS Java and JavaScript Prevention of Cross-site Scripting SAP HANA protection Protecting SAP® Applications Based on Java and ABAP™ Against Common Attacks
<%@page language="abap" forceEncode="html"%> <% data: inputvalue type string. inputvalue = request->get_form_field( 'x' ). %> </html> . , ( ): <%html=...%>: HTML <%url=...%>: URL URL <%javascript=...%>: JavaScript <%css=…%> : CSS <%raw=...%> ( , , , ) BSP BSP HTMLB forceEncode <htmlb:content> ENABLED , ( ). ENABLED , , :<htmlb:content forceEncode="ENABLED\|BACKWARDS_COMPATIBLE"> ENABLED: . , ; BACKWARDS_COMPATIBLE: . , . , htmlb:content , . : CLASSIC, DESIGN2002, DESIGN2003, DESIGN2008, , (+). CLASSIC DESIGN2002 (, ) . <htmlb:content forceEncode="ENABLED" design="DESIGN2003+DESIGN2008"> , design=CLASSIC. . Mixed BSP- HTML HTMLB forceEncode BSP page forceEncode HTMLB . , – HTMLB. , , HTML BSP, Internet Transaction Server (ITS) HTML Business Internet Transaction Server (ITS) HTML Business, : xss_url_escape() xss_html_escape() xss_wml_escape() xss_css_escape() xss_js_escape() HTML Business , HTML-: , (`) , : ~auto_html_escaping=1: , ~new_xss_functions=1: XSS. ~html_escaping_off=1/0, . , , SAP_BASIS: ITS ( <= 6.40), Internet Service SE80. ITS ( >= 6.40), GUI SICF : 7.20, ~new_xss_functions, XSS- . , , , . ~html_escaping_off=”X”, . , . SAP Security Note 1488500. Business HTML (BHTML) HTMLBusiness Template Library (, SAP_TemplateNonEditableField()) . , . SAP Security Note 916255. , . , . , XSS-: http/security_session_timeout = 900; - , . icf/set_HTTPonly_flag_on_cookies = 0; HttpOnly , - , , . HTTPOnly, Logon tickets XSS-. , RZ10, ( Profile) (, DEFAULT.PFL, SAP-). , , , Extended maintenance . , Copy. , , - , - -, : icm/HTTP/logging_0 icm/security_log , SAP NetWeaver J2EE SAP NetWeaver J2EE AS Java tc_sec_csi.jar. , HTML/XML, JavaScript, CSS URL. StringUtils (com.sap.security.core.server.csi.util.StringUtils): . Securing SAP from XSS vulnerabilities escapeScriptEndTag(String pStr) - , javascript ; escapeToHTML(String input) – (. 1) escapeToJS(String input) – JS declaration ( . 5) escapeToURL(String input) – , URL ( 3). , 'disableScriptSignatures'. escapeToURL(StringBuffer sb, String input, int maxLength) - , URL ( 3). , 'disableScriptSignatures'. escapeToURL(String input, int maxLength) - , URL (. 3). , 'disableScriptSignatures'. urlEncode(String s) – URLEncoder.encode , . 1 ( ) [CASE1] Username [CASE1] 2 ( , – URL) Click here 3 ( - URL) 4 ( SCRIPT', – ) 5 ( – declaration ) XSSEncoder. - XSSEncoder ( : com.sap.security.core.server.csi.XSSEncoder). : HTML / XML out = XSSEncoder.encodeHTML( in ) and XSSEncoder.encodeXML( val ); JavaScript out = XSSEncoder.encodeJavaScript( val ); URL out = XSSEncoder.encodeURL( val ); CSS out = XSSEncoder.encodeCSS( val ); , . SAP Security Note 1590008. WebDynpro Java WebDynpro Java, XSS. . SAP UI Development Kit for HTML5 SAP UI Development Kit HTML5, jQuery /_core/src/main/js/jquery.sap.encoder.js. : HTML / XML jQuery.sap.encodeHTML(sValue) and jQuery.sap.encodeXML(sValue) JavaScript jQuery.sap.encodeJS(sValue) URL jQuery.sap.encodeURL(sValue) CSS jQuery.sap.encodeCSS(sValue) : , : Global_app_config/session_config/sessionTimeout = 900. - , . SystemCookiesDataProtection = true. HttpOnly , - , , . HTTPOnly, Logon tickets XSS-. ume.logon.httponlycookie= True. Logon tickets , Single Sign-On J2EE Engine. “True” , HTTP document.cookie ( XSS-) . SessionIPProtectionEnabled = True. , IP . True, HTTP- IP. IP, . , , - XSS-, - -, . LogCLF = TRUE http.properties logging CEF. ArchiveOldLogFiles = ON. Log Configurator . . , . , . . HttpTrace= Enable. HTTP- , ConfigTool. HTTP Provider Service, , HttpTrace. SAP HANA XS , XSS- – SAP HANA. SAP HANA SAPUI5. - SAPUI5 , . , int int, sap.ui.core . – , HTML: , : sessiontimeout = 900. - , . HttpOnly . , , - XSS-, - -, . HTTP (S) , SAP HANA, -. - HTTP (S) , icm/http/logging _ 0: global _ auditing _ state = true. global.ini, . , , XSS-. SAP HANA Administration Console –> Security HDB –> Auditing Status menu. - , XSS. , , - SAP . XSS- – SAP. SAP XSS-. XSS SAP. , ( chipik ) . Logging additional information ABAP protection SAP Encoding Functions for AS ABAP Java protection SAP Encoding Functions for AS Java and JavaScript Prevention of Cross-site Scripting SAP HANA protection Protecting SAP® Applications Based on Java and ABAP™ Against Common Attacks	<%@page language="abap" forceEncode="html"%> <% data: inputvalue type string. inputvalue = request->get_form_field( 'x' ). %> </html> . , ( ): <%html=...%>: HTML <%url=...%>: URL URL <%javascript=...%>: JavaScript <%css=…%> : CSS <%raw=...%> ( , , , ) BSP BSP HTMLB forceEncode <htmlb:content> ENABLED , ( ). ENABLED , , :<htmlb:content forceEncode="ENABLED\|BACKWARDS_COMPATIBLE"> ENABLED: . , ; BACKWARDS_COMPATIBLE: . , . , htmlb:content , . : CLASSIC, DESIGN2002, DESIGN2003, DESIGN2008, , (+). CLASSIC DESIGN2002 (, ) . <htmlb:content forceEncode="ENABLED" design="DESIGN2003+DESIGN2008"> , design=CLASSIC. . Mixed BSP- HTML HTMLB forceEncode BSP page forceEncode HTMLB . , – HTMLB. , , HTML BSP, Internet Transaction Server (ITS) HTML Business Internet Transaction Server (ITS) HTML Business, : xss_url_escape() xss_html_escape() xss_wml_escape() xss_css_escape() xss_js_escape() HTML Business , HTML-: , (`) , : ~auto_html_escaping=1: , ~new_xss_functions=1: XSS. ~html_escaping_off=1/0, . , , SAP_BASIS: ITS ( <= 6.40), Internet Service SE80. ITS ( >= 6.40), GUI SICF : 7.20, ~new_xss_functions, XSS- . , , , . ~html_escaping_off=”X”, . , . SAP Security Note 1488500. Business HTML (BHTML) HTMLBusiness Template Library (, SAP_TemplateNonEditableField()) . , . SAP Security Note 916255. , . , . , XSS-: http/security_session_timeout = 900; - , . icf/set_HTTPonly_flag_on_cookies = 0; HttpOnly , - , , . HTTPOnly, Logon tickets XSS-. , RZ10, ( Profile) (, DEFAULT.PFL, SAP-). , , , Extended maintenance . , Copy. , , - , - -, : icm/HTTP/logging_0 icm/security_log , SAP NetWeaver J2EE SAP NetWeaver J2EE AS Java tc_sec_csi.jar. , HTML/XML, JavaScript, CSS URL. StringUtils (com.sap.security.core.server.csi.util.StringUtils): . Securing SAP from XSS vulnerabilities escapeScriptEndTag(String pStr) - , javascript ; escapeToHTML(String input) – (. 1) escapeToJS(String input) – JS declaration ( . 5) escapeToURL(String input) – , URL ( 3). , 'disableScriptSignatures'. escapeToURL(StringBuffer sb, String input, int maxLength) - , URL ( 3). , 'disableScriptSignatures'. escapeToURL(String input, int maxLength) - , URL (. 3). , 'disableScriptSignatures'. urlEncode(String s) – URLEncoder.encode , . 1 ( ) [CASE1] Username [CASE1] 2 ( , – URL) Click here 3 ( - URL) 4 ( SCRIPT', – ) 5 ( – declaration ) XSSEncoder. - XSSEncoder ( : com.sap.security.core.server.csi.XSSEncoder). : HTML / XML out = XSSEncoder.encodeHTML( in ) and XSSEncoder.encodeXML( val ); JavaScript out = XSSEncoder.encodeJavaScript( val ); URL out = XSSEncoder.encodeURL( val ); CSS out = XSSEncoder.encodeCSS( val ); , . SAP Security Note 1590008. WebDynpro Java WebDynpro Java, XSS. . SAP UI Development Kit for HTML5 SAP UI Development Kit HTML5, jQuery /_core/src/main/js/jquery.sap.encoder.js. : HTML / XML jQuery.sap.encodeHTML(sValue) and jQuery.sap.encodeXML(sValue) JavaScript jQuery.sap.encodeJS(sValue) URL jQuery.sap.encodeURL(sValue) CSS jQuery.sap.encodeCSS(sValue) : , : Global_app_config/session_config/sessionTimeout = 900. - , . SystemCookiesDataProtection = true. HttpOnly , - , , . HTTPOnly, Logon tickets XSS-. ume.logon.httponlycookie= True. Logon tickets , Single Sign-On J2EE Engine. “True” , HTTP document.cookie ( XSS-) . SessionIPProtectionEnabled = True. , IP . True, HTTP- IP. IP, . , , - XSS-, - -, . LogCLF = TRUE http.properties logging CEF. ArchiveOldLogFiles = ON. Log Configurator . . , . , . . HttpTrace= Enable. HTTP- , ConfigTool. HTTP Provider Service, , HttpTrace. SAP HANA XS , XSS- – SAP HANA. SAP HANA SAPUI5. - SAPUI5 , . , int int, sap.ui.core . – , HTML: , : sessiontimeout = 900. - , . HttpOnly . , , - XSS-, - -, . HTTP (S) , SAP HANA, -. - HTTP (S) , icm/http/logging _ 0: global _ auditing _ state = true. global.ini, . , , XSS-. SAP HANA Administration Console –> Security HDB –> Auditing Status menu. - , XSS. , , - SAP . XSS- – SAP. SAP XSS-. XSS SAP. , ( chipik ) . Logging additional information ABAP protection SAP Encoding Functions for AS ABAP Java protection SAP Encoding Functions for AS Java and JavaScript Prevention of Cross-site Scripting SAP HANA protection Protecting SAP® Applications Based on Java and ABAP™ Against Common Attacks
<%@page language="abap" forceEncode="html"%> <% data: inputvalue type string. inputvalue = request->get_form_field( 'x' ). %> </html> . , ( ): <%html=...%>: HTML <%url=...%>: URL URL <%javascript=...%>: JavaScript <%css=…%> : CSS <%raw=...%> ( , , , ) BSP BSP HTMLB forceEncode <htmlb:content> ENABLED , ( ). ENABLED , , :<htmlb:content forceEncode="ENABLED\|BACKWARDS_COMPATIBLE"> ENABLED: . , ; BACKWARDS_COMPATIBLE: . , . , htmlb:content , . : CLASSIC, DESIGN2002, DESIGN2003, DESIGN2008, , (+). CLASSIC DESIGN2002 (, ) . <htmlb:content forceEncode="ENABLED" design="DESIGN2003+DESIGN2008"> , design=CLASSIC. . Mixed BSP- HTML HTMLB forceEncode BSP page forceEncode HTMLB . , – HTMLB. , , HTML BSP, Internet Transaction Server (ITS) HTML Business Internet Transaction Server (ITS) HTML Business, : xss_url_escape() xss_html_escape() xss_wml_escape() xss_css_escape() xss_js_escape() HTML Business , HTML-: , (`) , : ~auto_html_escaping=1: , ~new_xss_functions=1: XSS. ~html_escaping_off=1/0, . , , SAP_BASIS: ITS ( <= 6.40), Internet Service SE80. ITS ( >= 6.40), GUI SICF : 7.20, ~new_xss_functions, XSS- . , , , . ~html_escaping_off=”X”, . , . SAP Security Note 1488500. Business HTML (BHTML) HTMLBusiness Template Library (, SAP_TemplateNonEditableField()) . , . SAP Security Note 916255. , . , . , XSS-: http/security_session_timeout = 900; - , . icf/set_HTTPonly_flag_on_cookies = 0; HttpOnly , - , , . HTTPOnly, Logon tickets XSS-. , RZ10, ( Profile) (, DEFAULT.PFL, SAP-). , , , Extended maintenance . , Copy. , , - , - -, : icm/HTTP/logging_0 icm/security_log , SAP NetWeaver J2EE SAP NetWeaver J2EE AS Java tc_sec_csi.jar. , HTML/XML, JavaScript, CSS URL. StringUtils (com.sap.security.core.server.csi.util.StringUtils): . Securing SAP from XSS vulnerabilities escapeScriptEndTag(String pStr) - , javascript ; escapeToHTML(String input) – (. 1) escapeToJS(String input) – JS declaration ( . 5) escapeToURL(String input) – , URL ( 3). , 'disableScriptSignatures'. escapeToURL(StringBuffer sb, String input, int maxLength) - , URL ( 3). , 'disableScriptSignatures'. escapeToURL(String input, int maxLength) - , URL (. 3). , 'disableScriptSignatures'. urlEncode(String s) – URLEncoder.encode , . 1 ( ) [CASE1] Username [CASE1] 2 ( , – URL) Click here 3 ( - URL) 4 ( SCRIPT', – ) 5 ( – declaration ) XSSEncoder. - XSSEncoder ( : com.sap.security.core.server.csi.XSSEncoder). : HTML / XML out = XSSEncoder.encodeHTML( in ) and XSSEncoder.encodeXML( val ); JavaScript out = XSSEncoder.encodeJavaScript( val ); URL out = XSSEncoder.encodeURL( val ); CSS out = XSSEncoder.encodeCSS( val ); , . SAP Security Note 1590008. WebDynpro Java WebDynpro Java, XSS. . SAP UI Development Kit for HTML5 SAP UI Development Kit HTML5, jQuery /_core/src/main/js/jquery.sap.encoder.js. : HTML / XML jQuery.sap.encodeHTML(sValue) and jQuery.sap.encodeXML(sValue) JavaScript jQuery.sap.encodeJS(sValue) URL jQuery.sap.encodeURL(sValue) CSS jQuery.sap.encodeCSS(sValue) : , : Global_app_config/session_config/sessionTimeout = 900. - , . SystemCookiesDataProtection = true. HttpOnly , - , , . HTTPOnly, Logon tickets XSS-. ume.logon.httponlycookie= True. Logon tickets , Single Sign-On J2EE Engine. “True” , HTTP document.cookie ( XSS-) . SessionIPProtectionEnabled = True. , IP . True, HTTP- IP. IP, . , , - XSS-, - -, . LogCLF = TRUE http.properties logging CEF. ArchiveOldLogFiles = ON. Log Configurator . . , . , . . HttpTrace= Enable. HTTP- , ConfigTool. HTTP Provider Service, , HttpTrace. SAP HANA XS , XSS- – SAP HANA. SAP HANA SAPUI5. - SAPUI5 , . , int int, sap.ui.core . – , HTML: , : sessiontimeout = 900. - , . HttpOnly . , , - XSS-, - -, . HTTP (S) , SAP HANA, -. - HTTP (S) , icm/http/logging _ 0: global _ auditing _ state = true. global.ini, . , , XSS-. SAP HANA Administration Console –> Security HDB –> Auditing Status menu. - , XSS. , , - SAP . XSS- – SAP. SAP XSS-. XSS SAP. , ( chipik ) . Logging additional information ABAP protection SAP Encoding Functions for AS ABAP Java protection SAP Encoding Functions for AS Java and JavaScript Prevention of Cross-site Scripting SAP HANA protection Protecting SAP® Applications Based on Java and ABAP™ Against Common Attacks	<%@page language="abap" forceEncode="html"%> <% data: inputvalue type string. inputvalue = request->get_form_field( 'x' ). %> </html> . , ( ): <%html=...%>: HTML <%url=...%>: URL URL <%javascript=...%>: JavaScript <%css=…%> : CSS <%raw=...%> ( , , , ) BSP BSP HTMLB forceEncode <htmlb:content> ENABLED , ( ). ENABLED , , :<htmlb:content forceEncode="ENABLED\|BACKWARDS_COMPATIBLE"> ENABLED: . , ; BACKWARDS_COMPATIBLE: . , . , htmlb:content , . : CLASSIC, DESIGN2002, DESIGN2003, DESIGN2008, , (+). CLASSIC DESIGN2002 (, ) . <htmlb:content forceEncode="ENABLED" design="DESIGN2003+DESIGN2008"> , design=CLASSIC. . Mixed BSP- HTML HTMLB forceEncode BSP page forceEncode HTMLB . , – HTMLB. , , HTML BSP, Internet Transaction Server (ITS) HTML Business Internet Transaction Server (ITS) HTML Business, : xss_url_escape() xss_html_escape() xss_wml_escape() xss_css_escape() xss_js_escape() HTML Business , HTML-: , (`) , : ~auto_html_escaping=1: , ~new_xss_functions=1: XSS. ~html_escaping_off=1/0, . , , SAP_BASIS: ITS ( <= 6.40), Internet Service SE80. ITS ( >= 6.40), GUI SICF : 7.20, ~new_xss_functions, XSS- . , , , . ~html_escaping_off=”X”, . , . SAP Security Note 1488500. Business HTML (BHTML) HTMLBusiness Template Library (, SAP_TemplateNonEditableField()) . , . SAP Security Note 916255. , . , . , XSS-: http/security_session_timeout = 900; - , . icf/set_HTTPonly_flag_on_cookies = 0; HttpOnly , - , , . HTTPOnly, Logon tickets XSS-. , RZ10, ( Profile) (, DEFAULT.PFL, SAP-). , , , Extended maintenance . , Copy. , , - , - -, : icm/HTTP/logging_0 icm/security_log , SAP NetWeaver J2EE SAP NetWeaver J2EE AS Java tc_sec_csi.jar. , HTML/XML, JavaScript, CSS URL. StringUtils (com.sap.security.core.server.csi.util.StringUtils): . Securing SAP from XSS vulnerabilities escapeScriptEndTag(String pStr) - , javascript ; escapeToHTML(String input) – (. 1) escapeToJS(String input) – JS declaration ( . 5) escapeToURL(String input) – , URL ( 3). , 'disableScriptSignatures'. escapeToURL(StringBuffer sb, String input, int maxLength) - , URL ( 3). , 'disableScriptSignatures'. escapeToURL(String input, int maxLength) - , URL (. 3). , 'disableScriptSignatures'. urlEncode(String s) – URLEncoder.encode , . 1 ( ) [CASE1] Username [CASE1] 2 ( , – URL) Click here 3 ( - URL) 4 ( SCRIPT', – ) 5 ( – declaration ) XSSEncoder. - XSSEncoder ( : com.sap.security.core.server.csi.XSSEncoder). : HTML / XML out = XSSEncoder.encodeHTML( in ) and XSSEncoder.encodeXML( val ); JavaScript out = XSSEncoder.encodeJavaScript( val ); URL out = XSSEncoder.encodeURL( val ); CSS out = XSSEncoder.encodeCSS( val ); , . SAP Security Note 1590008. WebDynpro Java WebDynpro Java, XSS. . SAP UI Development Kit for HTML5 SAP UI Development Kit HTML5, jQuery /_core/src/main/js/jquery.sap.encoder.js. : HTML / XML jQuery.sap.encodeHTML(sValue) and jQuery.sap.encodeXML(sValue) JavaScript jQuery.sap.encodeJS(sValue) URL jQuery.sap.encodeURL(sValue) CSS jQuery.sap.encodeCSS(sValue) : , : Global_app_config/session_config/sessionTimeout = 900. - , . SystemCookiesDataProtection = true. HttpOnly , - , , . HTTPOnly, Logon tickets XSS-. ume.logon.httponlycookie= True. Logon tickets , Single Sign-On J2EE Engine. “True” , HTTP document.cookie ( XSS-) . SessionIPProtectionEnabled = True. , IP . True, HTTP- IP. IP, . , , - XSS-, - -, . LogCLF = TRUE http.properties logging CEF. ArchiveOldLogFiles = ON. Log Configurator . . , . , . . HttpTrace= Enable. HTTP- , ConfigTool. HTTP Provider Service, , HttpTrace. SAP HANA XS , XSS- – SAP HANA. SAP HANA SAPUI5. - SAPUI5 , . , int int, sap.ui.core . – , HTML: , : sessiontimeout = 900. - , . HttpOnly . , , - XSS-, - -, . HTTP (S) , SAP HANA, -. - HTTP (S) , icm/http/logging _ 0: global _ auditing _ state = true. global.ini, . , , XSS-. SAP HANA Administration Console –> Security HDB –> Auditing Status menu. - , XSS. , , - SAP . XSS- – SAP. SAP XSS-. XSS SAP. , ( chipik ) . Logging additional information ABAP protection SAP Encoding Functions for AS ABAP Java protection SAP Encoding Functions for AS Java and JavaScript Prevention of Cross-site Scripting SAP HANA protection Protecting SAP® Applications Based on Java and ABAP™ Against Common Attacks
<%@page language="abap" forceEncode="html"%> <% data: inputvalue type string. inputvalue = request->get_form_field( 'x' ). %> </html> . , ( ): <%html=...%>: HTML <%url=...%>: URL URL <%javascript=...%>: JavaScript <%css=…%> : CSS <%raw=...%> ( , , , ) BSP BSP HTMLB forceEncode <htmlb:content> ENABLED , ( ). ENABLED , , :<htmlb:content forceEncode="ENABLED\|BACKWARDS_COMPATIBLE"> ENABLED: . , ; BACKWARDS_COMPATIBLE: . , . , htmlb:content , . : CLASSIC, DESIGN2002, DESIGN2003, DESIGN2008, , (+). CLASSIC DESIGN2002 (, ) . <htmlb:content forceEncode="ENABLED" design="DESIGN2003+DESIGN2008"> , design=CLASSIC. . Mixed BSP- HTML HTMLB forceEncode BSP page forceEncode HTMLB . , – HTMLB. , , HTML BSP, Internet Transaction Server (ITS) HTML Business Internet Transaction Server (ITS) HTML Business, : xss_url_escape() xss_html_escape() xss_wml_escape() xss_css_escape() xss_js_escape() HTML Business , HTML-: , (`) , : ~auto_html_escaping=1: , ~new_xss_functions=1: XSS. ~html_escaping_off=1/0, . , , SAP_BASIS: ITS ( <= 6.40), Internet Service SE80. ITS ( >= 6.40), GUI SICF : 7.20, ~new_xss_functions, XSS- . , , , . ~html_escaping_off=”X”, . , . SAP Security Note 1488500. Business HTML (BHTML) HTMLBusiness Template Library (, SAP_TemplateNonEditableField()) . , . SAP Security Note 916255. , . , . , XSS-: http/security_session_timeout = 900; - , . icf/set_HTTPonly_flag_on_cookies = 0; HttpOnly , - , , . HTTPOnly, Logon tickets XSS-. , RZ10, ( Profile) (, DEFAULT.PFL, SAP-). , , , Extended maintenance . , Copy. , , - , - -, : icm/HTTP/logging_0 icm/security_log , SAP NetWeaver J2EE SAP NetWeaver J2EE AS Java tc_sec_csi.jar. , HTML/XML, JavaScript, CSS URL. StringUtils (com.sap.security.core.server.csi.util.StringUtils): . Securing SAP from XSS vulnerabilities escapeScriptEndTag(String pStr) - , javascript ; escapeToHTML(String input) – (. 1) escapeToJS(String input) – JS declaration ( . 5) escapeToURL(String input) – , URL ( 3). , 'disableScriptSignatures'. escapeToURL(StringBuffer sb, String input, int maxLength) - , URL ( 3). , 'disableScriptSignatures'. escapeToURL(String input, int maxLength) - , URL (. 3). , 'disableScriptSignatures'. urlEncode(String s) – URLEncoder.encode , . 1 ( ) [CASE1] Username [CASE1] 2 ( , – URL) Click here 3 ( - URL) 4 ( SCRIPT', – ) 5 ( – declaration ) XSSEncoder. - XSSEncoder ( : com.sap.security.core.server.csi.XSSEncoder). : HTML / XML out = XSSEncoder.encodeHTML( in ) and XSSEncoder.encodeXML( val ); JavaScript out = XSSEncoder.encodeJavaScript( val ); URL out = XSSEncoder.encodeURL( val ); CSS out = XSSEncoder.encodeCSS( val ); , . SAP Security Note 1590008. WebDynpro Java WebDynpro Java, XSS. . SAP UI Development Kit for HTML5 SAP UI Development Kit HTML5, jQuery /_core/src/main/js/jquery.sap.encoder.js. : HTML / XML jQuery.sap.encodeHTML(sValue) and jQuery.sap.encodeXML(sValue) JavaScript jQuery.sap.encodeJS(sValue) URL jQuery.sap.encodeURL(sValue) CSS jQuery.sap.encodeCSS(sValue) : , : Global_app_config/session_config/sessionTimeout = 900. - , . SystemCookiesDataProtection = true. HttpOnly , - , , . HTTPOnly, Logon tickets XSS-. ume.logon.httponlycookie= True. Logon tickets , Single Sign-On J2EE Engine. “True” , HTTP document.cookie ( XSS-) . SessionIPProtectionEnabled = True. , IP . True, HTTP- IP. IP, . , , - XSS-, - -, . LogCLF = TRUE http.properties logging CEF. ArchiveOldLogFiles = ON. Log Configurator . . , . , . . HttpTrace= Enable. HTTP- , ConfigTool. HTTP Provider Service, , HttpTrace. SAP HANA XS , XSS- – SAP HANA. SAP HANA SAPUI5. - SAPUI5 , . , int int, sap.ui.core . – , HTML: , : sessiontimeout = 900. - , . HttpOnly . , , - XSS-, - -, . HTTP (S) , SAP HANA, -. - HTTP (S) , icm/http/logging _ 0: global _ auditing _ state = true. global.ini, . , , XSS-. SAP HANA Administration Console –> Security HDB –> Auditing Status menu. - , XSS. , , - SAP . XSS- – SAP. SAP XSS-. XSS SAP. , ( chipik ) . Logging additional information ABAP protection SAP Encoding Functions for AS ABAP Java protection SAP Encoding Functions for AS Java and JavaScript Prevention of Cross-site Scripting SAP HANA protection Protecting SAP® Applications Based on Java and ABAP™ Against Common Attacks	<%@page language="abap" forceEncode="html"%> <% data: inputvalue type string. inputvalue = request->get_form_field( 'x' ). %> </html> . , ( ): <%html=...%>: HTML <%url=...%>: URL URL <%javascript=...%>: JavaScript <%css=…%> : CSS <%raw=...%> ( , , , ) BSP BSP HTMLB forceEncode <htmlb:content> ENABLED , ( ). ENABLED , , :<htmlb:content forceEncode="ENABLED\|BACKWARDS_COMPATIBLE"> ENABLED: . , ; BACKWARDS_COMPATIBLE: . , . , htmlb:content , . : CLASSIC, DESIGN2002, DESIGN2003, DESIGN2008, , (+). CLASSIC DESIGN2002 (, ) . <htmlb:content forceEncode="ENABLED" design="DESIGN2003+DESIGN2008"> , design=CLASSIC. . Mixed BSP- HTML HTMLB forceEncode BSP page forceEncode HTMLB . , – HTMLB. , , HTML BSP, Internet Transaction Server (ITS) HTML Business Internet Transaction Server (ITS) HTML Business, : xss_url_escape() xss_html_escape() xss_wml_escape() xss_css_escape() xss_js_escape() HTML Business , HTML-: , (`) , : ~auto_html_escaping=1: , ~new_xss_functions=1: XSS. ~html_escaping_off=1/0, . , , SAP_BASIS: ITS ( <= 6.40), Internet Service SE80. ITS ( >= 6.40), GUI SICF : 7.20, ~new_xss_functions, XSS- . , , , . ~html_escaping_off=”X”, . , . SAP Security Note 1488500. Business HTML (BHTML) HTMLBusiness Template Library (, SAP_TemplateNonEditableField()) . , . SAP Security Note 916255. , . , . , XSS-: http/security_session_timeout = 900; - , . icf/set_HTTPonly_flag_on_cookies = 0; HttpOnly , - , , . HTTPOnly, Logon tickets XSS-. , RZ10, ( Profile) (, DEFAULT.PFL, SAP-). , , , Extended maintenance . , Copy. , , - , - -, : icm/HTTP/logging_0 icm/security_log , SAP NetWeaver J2EE SAP NetWeaver J2EE AS Java tc_sec_csi.jar. , HTML/XML, JavaScript, CSS URL. StringUtils (com.sap.security.core.server.csi.util.StringUtils): . Securing SAP from XSS vulnerabilities escapeScriptEndTag(String pStr) - , javascript ; escapeToHTML(String input) – (. 1) escapeToJS(String input) – JS declaration ( . 5) escapeToURL(String input) – , URL ( 3). , 'disableScriptSignatures'. escapeToURL(StringBuffer sb, String input, int maxLength) - , URL ( 3). , 'disableScriptSignatures'. escapeToURL(String input, int maxLength) - , URL (. 3). , 'disableScriptSignatures'. urlEncode(String s) – URLEncoder.encode , . 1 ( ) [CASE1] Username [CASE1] 2 ( , – URL) Click here 3 ( - URL) 4 ( SCRIPT', – ) 5 ( – declaration ) XSSEncoder. - XSSEncoder ( : com.sap.security.core.server.csi.XSSEncoder). : HTML / XML out = XSSEncoder.encodeHTML( in ) and XSSEncoder.encodeXML( val ); JavaScript out = XSSEncoder.encodeJavaScript( val ); URL out = XSSEncoder.encodeURL( val ); CSS out = XSSEncoder.encodeCSS( val ); , . SAP Security Note 1590008. WebDynpro Java WebDynpro Java, XSS. . SAP UI Development Kit for HTML5 SAP UI Development Kit HTML5, jQuery /_core/src/main/js/jquery.sap.encoder.js. : HTML / XML jQuery.sap.encodeHTML(sValue) and jQuery.sap.encodeXML(sValue) JavaScript jQuery.sap.encodeJS(sValue) URL jQuery.sap.encodeURL(sValue) CSS jQuery.sap.encodeCSS(sValue) : , : Global_app_config/session_config/sessionTimeout = 900. - , . SystemCookiesDataProtection = true. HttpOnly , - , , . HTTPOnly, Logon tickets XSS-. ume.logon.httponlycookie= True. Logon tickets , Single Sign-On J2EE Engine. “True” , HTTP document.cookie ( XSS-) . SessionIPProtectionEnabled = True. , IP . True, HTTP- IP. IP, . , , - XSS-, - -, . LogCLF = TRUE http.properties logging CEF. ArchiveOldLogFiles = ON. Log Configurator . . , . , . . HttpTrace= Enable. HTTP- , ConfigTool. HTTP Provider Service, , HttpTrace. SAP HANA XS , XSS- – SAP HANA. SAP HANA SAPUI5. - SAPUI5 , . , int int, sap.ui.core . – , HTML: , : sessiontimeout = 900. - , . HttpOnly . , , - XSS-, - -, . HTTP (S) , SAP HANA, -. - HTTP (S) , icm/http/logging _ 0: global _ auditing _ state = true. global.ini, . , , XSS-. SAP HANA Administration Console –> Security HDB –> Auditing Status menu. - , XSS. , , - SAP . XSS- – SAP. SAP XSS-. XSS SAP. , ( chipik ) . Logging additional information ABAP protection SAP Encoding Functions for AS ABAP Java protection SAP Encoding Functions for AS Java and JavaScript Prevention of Cross-site Scripting SAP HANA protection Protecting SAP® Applications Based on Java and ABAP™ Against Common Attacks
<%@page language="abap" forceEncode="html"%> <% data: inputvalue type string. inputvalue = request->get_form_field( 'x' ). %> </html> . , ( ): <%html=...%>: HTML <%url=...%>: URL URL <%javascript=...%>: JavaScript <%css=…%> : CSS <%raw=...%> ( , , , ) BSP BSP HTMLB forceEncode <htmlb:content> ENABLED , ( ). ENABLED , , :<htmlb:content forceEncode="ENABLED\|BACKWARDS_COMPATIBLE"> ENABLED: . , ; BACKWARDS_COMPATIBLE: . , . , htmlb:content , . : CLASSIC, DESIGN2002, DESIGN2003, DESIGN2008, , (+). CLASSIC DESIGN2002 (, ) . <htmlb:content forceEncode="ENABLED" design="DESIGN2003+DESIGN2008"> , design=CLASSIC. . Mixed BSP- HTML HTMLB forceEncode BSP page forceEncode HTMLB . , – HTMLB. , , HTML BSP, Internet Transaction Server (ITS) HTML Business Internet Transaction Server (ITS) HTML Business, : xss_url_escape() xss_html_escape() xss_wml_escape() xss_css_escape() xss_js_escape() HTML Business , HTML-: , (`) , : ~auto_html_escaping=1: , ~new_xss_functions=1: XSS. ~html_escaping_off=1/0, . , , SAP_BASIS: ITS ( <= 6.40), Internet Service SE80. ITS ( >= 6.40), GUI SICF : 7.20, ~new_xss_functions, XSS- . , , , . ~html_escaping_off=”X”, . , . SAP Security Note 1488500. Business HTML (BHTML) HTMLBusiness Template Library (, SAP_TemplateNonEditableField()) . , . SAP Security Note 916255. , . , . , XSS-: http/security_session_timeout = 900; - , . icf/set_HTTPonly_flag_on_cookies = 0; HttpOnly , - , , . HTTPOnly, Logon tickets XSS-. , RZ10, ( Profile) (, DEFAULT.PFL, SAP-). , , , Extended maintenance . , Copy. , , - , - -, : icm/HTTP/logging_0 icm/security_log , SAP NetWeaver J2EE SAP NetWeaver J2EE AS Java tc_sec_csi.jar. , HTML/XML, JavaScript, CSS URL. StringUtils (com.sap.security.core.server.csi.util.StringUtils): . Securing SAP from XSS vulnerabilities escapeScriptEndTag(String pStr) - , javascript ; escapeToHTML(String input) – (. 1) escapeToJS(String input) – JS declaration ( . 5) escapeToURL(String input) – , URL ( 3). , 'disableScriptSignatures'. escapeToURL(StringBuffer sb, String input, int maxLength) - , URL ( 3). , 'disableScriptSignatures'. escapeToURL(String input, int maxLength) - , URL (. 3). , 'disableScriptSignatures'. urlEncode(String s) – URLEncoder.encode , . 1 ( ) [CASE1] Username [CASE1] 2 ( , – URL) Click here 3 ( - URL) 4 ( SCRIPT', – ) 5 ( – declaration ) XSSEncoder. - XSSEncoder ( : com.sap.security.core.server.csi.XSSEncoder). : HTML / XML out = XSSEncoder.encodeHTML( in ) and XSSEncoder.encodeXML( val ); JavaScript out = XSSEncoder.encodeJavaScript( val ); URL out = XSSEncoder.encodeURL( val ); CSS out = XSSEncoder.encodeCSS( val ); , . SAP Security Note 1590008. WebDynpro Java WebDynpro Java, XSS. . SAP UI Development Kit for HTML5 SAP UI Development Kit HTML5, jQuery /_core/src/main/js/jquery.sap.encoder.js. : HTML / XML jQuery.sap.encodeHTML(sValue) and jQuery.sap.encodeXML(sValue) JavaScript jQuery.sap.encodeJS(sValue) URL jQuery.sap.encodeURL(sValue) CSS jQuery.sap.encodeCSS(sValue) : , : Global_app_config/session_config/sessionTimeout = 900. - , . SystemCookiesDataProtection = true. HttpOnly , - , , . HTTPOnly, Logon tickets XSS-. ume.logon.httponlycookie= True. Logon tickets , Single Sign-On J2EE Engine. “True” , HTTP document.cookie ( XSS-) . SessionIPProtectionEnabled = True. , IP . True, HTTP- IP. IP, . , , - XSS-, - -, . LogCLF = TRUE http.properties logging CEF. ArchiveOldLogFiles = ON. Log Configurator . . , . , . . HttpTrace= Enable. HTTP- , ConfigTool. HTTP Provider Service, , HttpTrace. SAP HANA XS , XSS- – SAP HANA. SAP HANA SAPUI5. - SAPUI5 , . , int int, sap.ui.core . – , HTML: , : sessiontimeout = 900. - , . HttpOnly . , , - XSS-, - -, . HTTP (S) , SAP HANA, -. - HTTP (S) , icm/http/logging _ 0: global _ auditing _ state = true. global.ini, . , , XSS-. SAP HANA Administration Console –> Security HDB –> Auditing Status menu. - , XSS. , , - SAP . XSS- – SAP. SAP XSS-. XSS SAP. , ( chipik ) . Logging additional information ABAP protection SAP Encoding Functions for AS ABAP Java protection SAP Encoding Functions for AS Java and JavaScript Prevention of Cross-site Scripting SAP HANA protection Protecting SAP® Applications Based on Java and ABAP™ Against Common Attacks	<%@page language="abap" forceEncode="html"%> <% data: inputvalue type string. inputvalue = request->get_form_field( 'x' ). %> </html> . , ( ): <%html=...%>: HTML <%url=...%>: URL URL <%javascript=...%>: JavaScript <%css=…%> : CSS <%raw=...%> ( , , , ) BSP BSP HTMLB forceEncode <htmlb:content> ENABLED , ( ). ENABLED , , :<htmlb:content forceEncode="ENABLED\|BACKWARDS_COMPATIBLE"> ENABLED: . , ; BACKWARDS_COMPATIBLE: . , . , htmlb:content , . : CLASSIC, DESIGN2002, DESIGN2003, DESIGN2008, , (+). CLASSIC DESIGN2002 (, ) . <htmlb:content forceEncode="ENABLED" design="DESIGN2003+DESIGN2008"> , design=CLASSIC. . Mixed BSP- HTML HTMLB forceEncode BSP page forceEncode HTMLB . , – HTMLB. , , HTML BSP, Internet Transaction Server (ITS) HTML Business Internet Transaction Server (ITS) HTML Business, : xss_url_escape() xss_html_escape() xss_wml_escape() xss_css_escape() xss_js_escape() HTML Business , HTML-: , (`) , : ~auto_html_escaping=1: , ~new_xss_functions=1: XSS. ~html_escaping_off=1/0, . , , SAP_BASIS: ITS ( <= 6.40), Internet Service SE80. ITS ( >= 6.40), GUI SICF : 7.20, ~new_xss_functions, XSS- . , , , . ~html_escaping_off=”X”, . , . SAP Security Note 1488500. Business HTML (BHTML) HTMLBusiness Template Library (, SAP_TemplateNonEditableField()) . , . SAP Security Note 916255. , . , . , XSS-: http/security_session_timeout = 900; - , . icf/set_HTTPonly_flag_on_cookies = 0; HttpOnly , - , , . HTTPOnly, Logon tickets XSS-. , RZ10, ( Profile) (, DEFAULT.PFL, SAP-). , , , Extended maintenance . , Copy. , , - , - -, : icm/HTTP/logging_0 icm/security_log , SAP NetWeaver J2EE SAP NetWeaver J2EE AS Java tc_sec_csi.jar. , HTML/XML, JavaScript, CSS URL. StringUtils (com.sap.security.core.server.csi.util.StringUtils): . Securing SAP from XSS vulnerabilities escapeScriptEndTag(String pStr) - , javascript ; escapeToHTML(String input) – (. 1) escapeToJS(String input) – JS declaration ( . 5) escapeToURL(String input) – , URL ( 3). , 'disableScriptSignatures'. escapeToURL(StringBuffer sb, String input, int maxLength) - , URL ( 3). , 'disableScriptSignatures'. escapeToURL(String input, int maxLength) - , URL (. 3). , 'disableScriptSignatures'. urlEncode(String s) – URLEncoder.encode , . 1 ( ) [CASE1] Username [CASE1] 2 ( , – URL) Click here 3 ( - URL) 4 ( SCRIPT', – ) 5 ( – declaration ) XSSEncoder. - XSSEncoder ( : com.sap.security.core.server.csi.XSSEncoder). : HTML / XML out = XSSEncoder.encodeHTML( in ) and XSSEncoder.encodeXML( val ); JavaScript out = XSSEncoder.encodeJavaScript( val ); URL out = XSSEncoder.encodeURL( val ); CSS out = XSSEncoder.encodeCSS( val ); , . SAP Security Note 1590008. WebDynpro Java WebDynpro Java, XSS. . SAP UI Development Kit for HTML5 SAP UI Development Kit HTML5, jQuery /_core/src/main/js/jquery.sap.encoder.js. : HTML / XML jQuery.sap.encodeHTML(sValue) and jQuery.sap.encodeXML(sValue) JavaScript jQuery.sap.encodeJS(sValue) URL jQuery.sap.encodeURL(sValue) CSS jQuery.sap.encodeCSS(sValue) : , : Global_app_config/session_config/sessionTimeout = 900. - , . SystemCookiesDataProtection = true. HttpOnly , - , , . HTTPOnly, Logon tickets XSS-. ume.logon.httponlycookie= True. Logon tickets , Single Sign-On J2EE Engine. “True” , HTTP document.cookie ( XSS-) . SessionIPProtectionEnabled = True. , IP . True, HTTP- IP. IP, . , , - XSS-, - -, . LogCLF = TRUE http.properties logging CEF. ArchiveOldLogFiles = ON. Log Configurator . . , . , . . HttpTrace= Enable. HTTP- , ConfigTool. HTTP Provider Service, , HttpTrace. SAP HANA XS , XSS- – SAP HANA. SAP HANA SAPUI5. - SAPUI5 , . , int int, sap.ui.core . – , HTML: , : sessiontimeout = 900. - , . HttpOnly . , , - XSS-, - -, . HTTP (S) , SAP HANA, -. - HTTP (S) , icm/http/logging _ 0: global _ auditing _ state = true. global.ini, . , , XSS-. SAP HANA Administration Console –> Security HDB –> Auditing Status menu. - , XSS. , , - SAP . XSS- – SAP. SAP XSS-. XSS SAP. , ( chipik ) . Logging additional information ABAP protection SAP Encoding Functions for AS ABAP Java protection SAP Encoding Functions for AS Java and JavaScript Prevention of Cross-site Scripting SAP HANA protection Protecting SAP® Applications Based on Java and ABAP™ Against Common Attacks

<%@page language="abap" forceEncode="html"%>
<% data: inputvalue type string.
inputvalue = request->get_form_field( 'x' ).
%>
</html>


. , ( ):

<%html=...%>: HTML <%url=...%>: URL URL <%javascript=...%>: JavaScript <%css=…%> : CSS <%raw=...%> ( , , , )

BSP

BSP HTMLB forceEncode <htmlb:content> ENABLED , ( ). ENABLED , , :<htmlb:content forceEncode="ENABLED|BACKWARDS_COMPATIBLE">

ENABLED: . , ; BACKWARDS_COMPATIBLE: . , .

, htmlb:content , . : CLASSIC, DESIGN2002, DESIGN2003, DESIGN2008, , (+). CLASSIC DESIGN2002 (, ) .

<htmlb:content forceEncode="ENABLED" design="DESIGN2003+DESIGN2008">


, design=CLASSIC. .

Mixed BSP- HTML HTMLB

forceEncode BSP page forceEncode HTMLB . , – HTMLB. , , HTML BSP,

Internet Transaction Server (ITS) HTML Business

Internet Transaction Server (ITS) HTML Business, :

xss_url_escape() xss_html_escape() xss_wml_escape() xss_css_escape() xss_js_escape()
HTML Business

, HTML-: , (`) , :
~auto_html_escaping=1: , ~new_xss_functions=1: XSS.
~html_escaping_off=1/0, .
, , SAP_BASIS:
ITS ( <= 6.40), Internet Service SE80. ITS ( >= 6.40), GUI SICF :

7.20, ~new_xss_functions, XSS- .

, , , . ~html_escaping_off=”X”, . , . SAP Security Note 1488500.

Business HTML (BHTML)

HTMLBusiness Template Library (, SAP_TemplateNonEditableField()) . , . SAP Security Note 916255.



, . , .



, XSS-:

http/security_session_timeout = 900; - , . icf/set_HTTPonly_flag_on_cookies = 0; HttpOnly , - , , . HTTPOnly, Logon tickets XSS-.

, RZ10, ( Profile) (, DEFAULT.PFL, SAP-). , , , Extended maintenance . , Copy.



, , - , - -, :
icm/HTTP/logging_0 icm/security_log ,

SAP NetWeaver J2EE

SAP NetWeaver J2EE



AS Java tc_sec_csi.jar. , HTML/XML, JavaScript, CSS URL. StringUtils (com.sap.security.core.server.csi.util.StringUtils):

. Securing SAP from XSS vulnerabilities
escapeScriptEndTag(String pStr) - , javascript ; escapeToHTML(String input) – (. 1) escapeToJS(String input) – JS declaration ( . 5) escapeToURL(String input) – , URL ( 3). , 'disableScriptSignatures'. escapeToURL(StringBuffer sb, String input, int maxLength) - , URL ( 3). , 'disableScriptSignatures'. escapeToURL(String input, int maxLength) - , URL (. 3). , 'disableScriptSignatures'. urlEncode(String s) – URLEncoder.encode

, .

1 ( )

[CASE1]

Username [CASE1]



2 ( , – URL)


Click here


3 ( - URL)




4 ( SCRIPT', – )



5 ( – declaration )



XSSEncoder.
- XSSEncoder ( : com.sap.security.core.server.csi.XSSEncoder).

:
HTML / XML out = XSSEncoder.encodeHTML( in ) and XSSEncoder.encodeXML( val ); JavaScript out = XSSEncoder.encodeJavaScript( val ); URL out = XSSEncoder.encodeURL( val ); CSS out = XSSEncoder.encodeCSS( val );

, . SAP Security Note 1590008.
WebDynpro Java
WebDynpro Java, XSS. .
SAP UI Development Kit for HTML5
SAP UI Development Kit HTML5, jQuery /_core/src/main/js/jquery.sap.encoder.js.
:
HTML / XML jQuery.sap.encodeHTML(sValue) and jQuery.sap.encodeXML(sValue) JavaScript jQuery.sap.encodeJS(sValue) URL jQuery.sap.encodeURL(sValue) CSS jQuery.sap.encodeCSS(sValue)
:

, :
Global_app_config/session_config/sessionTimeout = 900. - , . SystemCookiesDataProtection = true. HttpOnly , - , , . HTTPOnly, Logon tickets XSS-. ume.logon.httponlycookie= True. Logon tickets , Single Sign-On J2EE Engine. “True” , HTTP document.cookie ( XSS-) . SessionIPProtectionEnabled = True. , IP . True, HTTP- IP. IP, .


, , - XSS-, - -, .
LogCLF = TRUE http.properties logging CEF. ArchiveOldLogFiles = ON. Log Configurator . . , . , . . HttpTrace= Enable. HTTP- , ConfigTool. HTTP Provider Service, , HttpTrace.
SAP HANA XS

, XSS- – SAP HANA.


SAP HANA SAPUI5.
- SAPUI5 , . , int int, sap.ui.core . – , HTML:

, :
sessiontimeout = 900. - , . HttpOnly .



, , - XSS-, - -, .

HTTP (S) , SAP HANA, -. - HTTP (S) , icm/http/logging _ 0: global _ auditing _ state = true. global.ini, . , , XSS-. SAP HANA Administration Console –> Security HDB –> Auditing Status menu.



- , XSS. , , - SAP . XSS- – SAP. SAP XSS-. XSS SAP.

, ( chipik ) .


Logging additional information ABAP protection SAP Encoding Functions for AS ABAP Java protection SAP Encoding Functions for AS Java and JavaScript Prevention of Cross-site Scripting SAP HANA protection Protecting SAP® Applications Based on Java and ABAP™ Against Common Attacks

<%@page language="abap" forceEncode="html"%> <% data: inputvalue type string. inputvalue = request->get_form_field( 'x' ). %> </html> . , ( ): <%html=...%>: HTML <%url=...%>: URL URL <%javascript=...%>: JavaScript <%css=…%> : CSS <%raw=...%> ( , , , ) BSP BSP HTMLB forceEncode <htmlb:content> ENABLED , ( ). ENABLED , , :<htmlb:content forceEncode="ENABLED\|BACKWARDS_COMPATIBLE"> ENABLED: . , ; BACKWARDS_COMPATIBLE: . , . , htmlb:content , . : CLASSIC, DESIGN2002, DESIGN2003, DESIGN2008, , (+). CLASSIC DESIGN2002 (, ) . <htmlb:content forceEncode="ENABLED" design="DESIGN2003+DESIGN2008"> , design=CLASSIC. . Mixed BSP- HTML HTMLB forceEncode BSP page forceEncode HTMLB . , – HTMLB. , , HTML BSP, Internet Transaction Server (ITS) HTML Business Internet Transaction Server (ITS) HTML Business, : xss_url_escape() xss_html_escape() xss_wml_escape() xss_css_escape() xss_js_escape() HTML Business , HTML-: , (`) , : ~auto_html_escaping=1: , ~new_xss_functions=1: XSS. ~html_escaping_off=1/0, . , , SAP_BASIS: ITS ( <= 6.40), Internet Service SE80. ITS ( >= 6.40), GUI SICF : 7.20, ~new_xss_functions, XSS- . , , , . ~html_escaping_off=”X”, . , . SAP Security Note 1488500. Business HTML (BHTML) HTMLBusiness Template Library (, SAP_TemplateNonEditableField()) . , . SAP Security Note 916255. , . , . , XSS-: http/security_session_timeout = 900; - , . icf/set_HTTPonly_flag_on_cookies = 0; HttpOnly , - , , . HTTPOnly, Logon tickets XSS-. , RZ10, ( Profile) (, DEFAULT.PFL, SAP-). , , , Extended maintenance . , Copy. , , - , - -, : icm/HTTP/logging_0 icm/security_log , SAP NetWeaver J2EE SAP NetWeaver J2EE AS Java tc_sec_csi.jar. , HTML/XML, JavaScript, CSS URL. StringUtils (com.sap.security.core.server.csi.util.StringUtils): . Securing SAP from XSS vulnerabilities escapeScriptEndTag(String pStr) - , javascript ; escapeToHTML(String input) – (. 1) escapeToJS(String input) – JS declaration ( . 5) escapeToURL(String input) – , URL ( 3). , 'disableScriptSignatures'. escapeToURL(StringBuffer sb, String input, int maxLength) - , URL ( 3). , 'disableScriptSignatures'. escapeToURL(String input, int maxLength) - , URL (. 3). , 'disableScriptSignatures'. urlEncode(String s) – URLEncoder.encode , . 1 ( ) [CASE1] Username [CASE1] 2 ( , – URL) Click here 3 ( - URL) 4 ( SCRIPT', – ) 5 ( – declaration ) XSSEncoder. - XSSEncoder ( : com.sap.security.core.server.csi.XSSEncoder). : HTML / XML out = XSSEncoder.encodeHTML( in ) and XSSEncoder.encodeXML( val ); JavaScript out = XSSEncoder.encodeJavaScript( val ); URL out = XSSEncoder.encodeURL( val ); CSS out = XSSEncoder.encodeCSS( val ); , . SAP Security Note 1590008. WebDynpro Java WebDynpro Java, XSS. . SAP UI Development Kit for HTML5 SAP UI Development Kit HTML5, jQuery /_core/src/main/js/jquery.sap.encoder.js. : HTML / XML jQuery.sap.encodeHTML(sValue) and jQuery.sap.encodeXML(sValue) JavaScript jQuery.sap.encodeJS(sValue) URL jQuery.sap.encodeURL(sValue) CSS jQuery.sap.encodeCSS(sValue) : , : Global_app_config/session_config/sessionTimeout = 900. - , . SystemCookiesDataProtection = true. HttpOnly , - , , . HTTPOnly, Logon tickets XSS-. ume.logon.httponlycookie= True. Logon tickets , Single Sign-On J2EE Engine. “True” , HTTP document.cookie ( XSS-) . SessionIPProtectionEnabled = True. , IP . True, HTTP- IP. IP, . , , - XSS-, - -, . LogCLF = TRUE http.properties logging CEF. ArchiveOldLogFiles = ON. Log Configurator . . , . , . . HttpTrace= Enable. HTTP- , ConfigTool. HTTP Provider Service, , HttpTrace. SAP HANA XS , XSS- – SAP HANA. SAP HANA SAPUI5. - SAPUI5 , . , int int, sap.ui.core . – , HTML: , : sessiontimeout = 900. - , . HttpOnly . , , - XSS-, - -, . HTTP (S) , SAP HANA, -. - HTTP (S) , icm/http/logging _ 0: global _ auditing _ state = true. global.ini, . , , XSS-. SAP HANA Administration Console –> Security HDB –> Auditing Status menu. - , XSS. , , - SAP . XSS- – SAP. SAP XSS-. XSS SAP. , ( chipik ) . Logging additional information ABAP protection SAP Encoding Functions for AS ABAP Java protection SAP Encoding Functions for AS Java and JavaScript Prevention of Cross-site Scripting SAP HANA protection Protecting SAP® Applications Based on Java and ABAP™ Against Common Attacks	<%@page language="abap" forceEncode="html"%> <% data: inputvalue type string. inputvalue = request->get_form_field( 'x' ). %> </html> . , ( ): <%html=...%>: HTML <%url=...%>: URL URL <%javascript=...%>: JavaScript <%css=…%> : CSS <%raw=...%> ( , , , ) BSP BSP HTMLB forceEncode <htmlb:content> ENABLED , ( ). ENABLED , , :<htmlb:content forceEncode="ENABLED\|BACKWARDS_COMPATIBLE"> ENABLED: . , ; BACKWARDS_COMPATIBLE: . , . , htmlb:content , . : CLASSIC, DESIGN2002, DESIGN2003, DESIGN2008, , (+). CLASSIC DESIGN2002 (, ) . <htmlb:content forceEncode="ENABLED" design="DESIGN2003+DESIGN2008"> , design=CLASSIC. . Mixed BSP- HTML HTMLB forceEncode BSP page forceEncode HTMLB . , – HTMLB. , , HTML BSP, Internet Transaction Server (ITS) HTML Business Internet Transaction Server (ITS) HTML Business, : xss_url_escape() xss_html_escape() xss_wml_escape() xss_css_escape() xss_js_escape() HTML Business , HTML-: , (`) , : ~auto_html_escaping=1: , ~new_xss_functions=1: XSS. ~html_escaping_off=1/0, . , , SAP_BASIS: ITS ( <= 6.40), Internet Service SE80. ITS ( >= 6.40), GUI SICF : 7.20, ~new_xss_functions, XSS- . , , , . ~html_escaping_off=”X”, . , . SAP Security Note 1488500. Business HTML (BHTML) HTMLBusiness Template Library (, SAP_TemplateNonEditableField()) . , . SAP Security Note 916255. , . , . , XSS-: http/security_session_timeout = 900; - , . icf/set_HTTPonly_flag_on_cookies = 0; HttpOnly , - , , . HTTPOnly, Logon tickets XSS-. , RZ10, ( Profile) (, DEFAULT.PFL, SAP-). , , , Extended maintenance . , Copy. , , - , - -, : icm/HTTP/logging_0 icm/security_log , SAP NetWeaver J2EE SAP NetWeaver J2EE AS Java tc_sec_csi.jar. , HTML/XML, JavaScript, CSS URL. StringUtils (com.sap.security.core.server.csi.util.StringUtils): . Securing SAP from XSS vulnerabilities escapeScriptEndTag(String pStr) - , javascript ; escapeToHTML(String input) – (. 1) escapeToJS(String input) – JS declaration ( . 5) escapeToURL(String input) – , URL ( 3). , 'disableScriptSignatures'. escapeToURL(StringBuffer sb, String input, int maxLength) - , URL ( 3). , 'disableScriptSignatures'. escapeToURL(String input, int maxLength) - , URL (. 3). , 'disableScriptSignatures'. urlEncode(String s) – URLEncoder.encode , . 1 ( ) [CASE1] Username [CASE1] 2 ( , – URL) Click here 3 ( - URL) 4 ( SCRIPT', – ) 5 ( – declaration ) XSSEncoder. - XSSEncoder ( : com.sap.security.core.server.csi.XSSEncoder). : HTML / XML out = XSSEncoder.encodeHTML( in ) and XSSEncoder.encodeXML( val ); JavaScript out = XSSEncoder.encodeJavaScript( val ); URL out = XSSEncoder.encodeURL( val ); CSS out = XSSEncoder.encodeCSS( val ); , . SAP Security Note 1590008. WebDynpro Java WebDynpro Java, XSS. . SAP UI Development Kit for HTML5 SAP UI Development Kit HTML5, jQuery /_core/src/main/js/jquery.sap.encoder.js. : HTML / XML jQuery.sap.encodeHTML(sValue) and jQuery.sap.encodeXML(sValue) JavaScript jQuery.sap.encodeJS(sValue) URL jQuery.sap.encodeURL(sValue) CSS jQuery.sap.encodeCSS(sValue) : , : Global_app_config/session_config/sessionTimeout = 900. - , . SystemCookiesDataProtection = true. HttpOnly , - , , . HTTPOnly, Logon tickets XSS-. ume.logon.httponlycookie= True. Logon tickets , Single Sign-On J2EE Engine. “True” , HTTP document.cookie ( XSS-) . SessionIPProtectionEnabled = True. , IP . True, HTTP- IP. IP, . , , - XSS-, - -, . LogCLF = TRUE http.properties logging CEF. ArchiveOldLogFiles = ON. Log Configurator . . , . , . . HttpTrace= Enable. HTTP- , ConfigTool. HTTP Provider Service, , HttpTrace. SAP HANA XS , XSS- – SAP HANA. SAP HANA SAPUI5. - SAPUI5 , . , int int, sap.ui.core . – , HTML: , : sessiontimeout = 900. - , . HttpOnly . , , - XSS-, - -, . HTTP (S) , SAP HANA, -. - HTTP (S) , icm/http/logging _ 0: global _ auditing _ state = true. global.ini, . , , XSS-. SAP HANA Administration Console –> Security HDB –> Auditing Status menu. - , XSS. , , - SAP . XSS- – SAP. SAP XSS-. XSS SAP. , ( chipik ) . Logging additional information ABAP protection SAP Encoding Functions for AS ABAP Java protection SAP Encoding Functions for AS Java and JavaScript Prevention of Cross-site Scripting SAP HANA protection Protecting SAP® Applications Based on Java and ABAP™ Against Common Attacks
<%@page language="abap" forceEncode="html"%> <% data: inputvalue type string. inputvalue = request->get_form_field( 'x' ). %> </html> . , ( ): <%html=...%>: HTML <%url=...%>: URL URL <%javascript=...%>: JavaScript <%css=…%> : CSS <%raw=...%> ( , , , ) BSP BSP HTMLB forceEncode <htmlb:content> ENABLED , ( ). ENABLED , , :<htmlb:content forceEncode="ENABLED\|BACKWARDS_COMPATIBLE"> ENABLED: . , ; BACKWARDS_COMPATIBLE: . , . , htmlb:content , . : CLASSIC, DESIGN2002, DESIGN2003, DESIGN2008, , (+). CLASSIC DESIGN2002 (, ) . <htmlb:content forceEncode="ENABLED" design="DESIGN2003+DESIGN2008"> , design=CLASSIC. . Mixed BSP- HTML HTMLB forceEncode BSP page forceEncode HTMLB . , – HTMLB. , , HTML BSP, Internet Transaction Server (ITS) HTML Business Internet Transaction Server (ITS) HTML Business, : xss_url_escape() xss_html_escape() xss_wml_escape() xss_css_escape() xss_js_escape() HTML Business , HTML-: , (`) , : ~auto_html_escaping=1: , ~new_xss_functions=1: XSS. ~html_escaping_off=1/0, . , , SAP_BASIS: ITS ( <= 6.40), Internet Service SE80. ITS ( >= 6.40), GUI SICF : 7.20, ~new_xss_functions, XSS- . , , , . ~html_escaping_off=”X”, . , . SAP Security Note 1488500. Business HTML (BHTML) HTMLBusiness Template Library (, SAP_TemplateNonEditableField()) . , . SAP Security Note 916255. , . , . , XSS-: http/security_session_timeout = 900; - , . icf/set_HTTPonly_flag_on_cookies = 0; HttpOnly , - , , . HTTPOnly, Logon tickets XSS-. , RZ10, ( Profile) (, DEFAULT.PFL, SAP-). , , , Extended maintenance . , Copy. , , - , - -, : icm/HTTP/logging_0 icm/security_log , SAP NetWeaver J2EE SAP NetWeaver J2EE AS Java tc_sec_csi.jar. , HTML/XML, JavaScript, CSS URL. StringUtils (com.sap.security.core.server.csi.util.StringUtils): . Securing SAP from XSS vulnerabilities escapeScriptEndTag(String pStr) - , javascript ; escapeToHTML(String input) – (. 1) escapeToJS(String input) – JS declaration ( . 5) escapeToURL(String input) – , URL ( 3). , 'disableScriptSignatures'. escapeToURL(StringBuffer sb, String input, int maxLength) - , URL ( 3). , 'disableScriptSignatures'. escapeToURL(String input, int maxLength) - , URL (. 3). , 'disableScriptSignatures'. urlEncode(String s) – URLEncoder.encode , . 1 ( ) [CASE1] Username [CASE1] 2 ( , – URL) Click here 3 ( - URL) 4 ( SCRIPT', – ) 5 ( – declaration ) XSSEncoder. - XSSEncoder ( : com.sap.security.core.server.csi.XSSEncoder). : HTML / XML out = XSSEncoder.encodeHTML( in ) and XSSEncoder.encodeXML( val ); JavaScript out = XSSEncoder.encodeJavaScript( val ); URL out = XSSEncoder.encodeURL( val ); CSS out = XSSEncoder.encodeCSS( val ); , . SAP Security Note 1590008. WebDynpro Java WebDynpro Java, XSS. . SAP UI Development Kit for HTML5 SAP UI Development Kit HTML5, jQuery /_core/src/main/js/jquery.sap.encoder.js. : HTML / XML jQuery.sap.encodeHTML(sValue) and jQuery.sap.encodeXML(sValue) JavaScript jQuery.sap.encodeJS(sValue) URL jQuery.sap.encodeURL(sValue) CSS jQuery.sap.encodeCSS(sValue) : , : Global_app_config/session_config/sessionTimeout = 900. - , . SystemCookiesDataProtection = true. HttpOnly , - , , . HTTPOnly, Logon tickets XSS-. ume.logon.httponlycookie= True. Logon tickets , Single Sign-On J2EE Engine. “True” , HTTP document.cookie ( XSS-) . SessionIPProtectionEnabled = True. , IP . True, HTTP- IP. IP, . , , - XSS-, - -, . LogCLF = TRUE http.properties logging CEF. ArchiveOldLogFiles = ON. Log Configurator . . , . , . . HttpTrace= Enable. HTTP- , ConfigTool. HTTP Provider Service, , HttpTrace. SAP HANA XS , XSS- – SAP HANA. SAP HANA SAPUI5. - SAPUI5 , . , int int, sap.ui.core . – , HTML: , : sessiontimeout = 900. - , . HttpOnly . , , - XSS-, - -, . HTTP (S) , SAP HANA, -. - HTTP (S) , icm/http/logging _ 0: global _ auditing _ state = true. global.ini, . , , XSS-. SAP HANA Administration Console –> Security HDB –> Auditing Status menu. - , XSS. , , - SAP . XSS- – SAP. SAP XSS-. XSS SAP. , ( chipik ) . Logging additional information ABAP protection SAP Encoding Functions for AS ABAP Java protection SAP Encoding Functions for AS Java and JavaScript Prevention of Cross-site Scripting SAP HANA protection Protecting SAP® Applications Based on Java and ABAP™ Against Common Attacks	<%@page language="abap" forceEncode="html"%> <% data: inputvalue type string. inputvalue = request->get_form_field( 'x' ). %> </html> . , ( ): <%html=...%>: HTML <%url=...%>: URL URL <%javascript=...%>: JavaScript <%css=…%> : CSS <%raw=...%> ( , , , ) BSP BSP HTMLB forceEncode <htmlb:content> ENABLED , ( ). ENABLED , , :<htmlb:content forceEncode="ENABLED\|BACKWARDS_COMPATIBLE"> ENABLED: . , ; BACKWARDS_COMPATIBLE: . , . , htmlb:content , . : CLASSIC, DESIGN2002, DESIGN2003, DESIGN2008, , (+). CLASSIC DESIGN2002 (, ) . <htmlb:content forceEncode="ENABLED" design="DESIGN2003+DESIGN2008"> , design=CLASSIC. . Mixed BSP- HTML HTMLB forceEncode BSP page forceEncode HTMLB . , – HTMLB. , , HTML BSP, Internet Transaction Server (ITS) HTML Business Internet Transaction Server (ITS) HTML Business, : xss_url_escape() xss_html_escape() xss_wml_escape() xss_css_escape() xss_js_escape() HTML Business , HTML-: , (`) , : ~auto_html_escaping=1: , ~new_xss_functions=1: XSS. ~html_escaping_off=1/0, . , , SAP_BASIS: ITS ( <= 6.40), Internet Service SE80. ITS ( >= 6.40), GUI SICF : 7.20, ~new_xss_functions, XSS- . , , , . ~html_escaping_off=”X”, . , . SAP Security Note 1488500. Business HTML (BHTML) HTMLBusiness Template Library (, SAP_TemplateNonEditableField()) . , . SAP Security Note 916255. , . , . , XSS-: http/security_session_timeout = 900; - , . icf/set_HTTPonly_flag_on_cookies = 0; HttpOnly , - , , . HTTPOnly, Logon tickets XSS-. , RZ10, ( Profile) (, DEFAULT.PFL, SAP-). , , , Extended maintenance . , Copy. , , - , - -, : icm/HTTP/logging_0 icm/security_log , SAP NetWeaver J2EE SAP NetWeaver J2EE AS Java tc_sec_csi.jar. , HTML/XML, JavaScript, CSS URL. StringUtils (com.sap.security.core.server.csi.util.StringUtils): . Securing SAP from XSS vulnerabilities escapeScriptEndTag(String pStr) - , javascript ; escapeToHTML(String input) – (. 1) escapeToJS(String input) – JS declaration ( . 5) escapeToURL(String input) – , URL ( 3). , 'disableScriptSignatures'. escapeToURL(StringBuffer sb, String input, int maxLength) - , URL ( 3). , 'disableScriptSignatures'. escapeToURL(String input, int maxLength) - , URL (. 3). , 'disableScriptSignatures'. urlEncode(String s) – URLEncoder.encode , . 1 ( ) [CASE1] Username [CASE1] 2 ( , – URL) Click here 3 ( - URL) 4 ( SCRIPT', – ) 5 ( – declaration ) XSSEncoder. - XSSEncoder ( : com.sap.security.core.server.csi.XSSEncoder). : HTML / XML out = XSSEncoder.encodeHTML( in ) and XSSEncoder.encodeXML( val ); JavaScript out = XSSEncoder.encodeJavaScript( val ); URL out = XSSEncoder.encodeURL( val ); CSS out = XSSEncoder.encodeCSS( val ); , . SAP Security Note 1590008. WebDynpro Java WebDynpro Java, XSS. . SAP UI Development Kit for HTML5 SAP UI Development Kit HTML5, jQuery /_core/src/main/js/jquery.sap.encoder.js. : HTML / XML jQuery.sap.encodeHTML(sValue) and jQuery.sap.encodeXML(sValue) JavaScript jQuery.sap.encodeJS(sValue) URL jQuery.sap.encodeURL(sValue) CSS jQuery.sap.encodeCSS(sValue) : , : Global_app_config/session_config/sessionTimeout = 900. - , . SystemCookiesDataProtection = true. HttpOnly , - , , . HTTPOnly, Logon tickets XSS-. ume.logon.httponlycookie= True. Logon tickets , Single Sign-On J2EE Engine. “True” , HTTP document.cookie ( XSS-) . SessionIPProtectionEnabled = True. , IP . True, HTTP- IP. IP, . , , - XSS-, - -, . LogCLF = TRUE http.properties logging CEF. ArchiveOldLogFiles = ON. Log Configurator . . , . , . . HttpTrace= Enable. HTTP- , ConfigTool. HTTP Provider Service, , HttpTrace. SAP HANA XS , XSS- – SAP HANA. SAP HANA SAPUI5. - SAPUI5 , . , int int, sap.ui.core . – , HTML: , : sessiontimeout = 900. - , . HttpOnly . , , - XSS-, - -, . HTTP (S) , SAP HANA, -. - HTTP (S) , icm/http/logging _ 0: global _ auditing _ state = true. global.ini, . , , XSS-. SAP HANA Administration Console –> Security HDB –> Auditing Status menu. - , XSS. , , - SAP . XSS- – SAP. SAP XSS-. XSS SAP. , ( chipik ) . Logging additional information ABAP protection SAP Encoding Functions for AS ABAP Java protection SAP Encoding Functions for AS Java and JavaScript Prevention of Cross-site Scripting SAP HANA protection Protecting SAP® Applications Based on Java and ABAP™ Against Common Attacks
<%@page language="abap" forceEncode="html"%> <% data: inputvalue type string. inputvalue = request->get_form_field( 'x' ). %> </html> . , ( ): <%html=...%>: HTML <%url=...%>: URL URL <%javascript=...%>: JavaScript <%css=…%> : CSS <%raw=...%> ( , , , ) BSP BSP HTMLB forceEncode <htmlb:content> ENABLED , ( ). ENABLED , , :<htmlb:content forceEncode="ENABLED\|BACKWARDS_COMPATIBLE"> ENABLED: . , ; BACKWARDS_COMPATIBLE: . , . , htmlb:content , . : CLASSIC, DESIGN2002, DESIGN2003, DESIGN2008, , (+). CLASSIC DESIGN2002 (, ) . <htmlb:content forceEncode="ENABLED" design="DESIGN2003+DESIGN2008"> , design=CLASSIC. . Mixed BSP- HTML HTMLB forceEncode BSP page forceEncode HTMLB . , – HTMLB. , , HTML BSP, Internet Transaction Server (ITS) HTML Business Internet Transaction Server (ITS) HTML Business, : xss_url_escape() xss_html_escape() xss_wml_escape() xss_css_escape() xss_js_escape() HTML Business , HTML-: , (`) , : ~auto_html_escaping=1: , ~new_xss_functions=1: XSS. ~html_escaping_off=1/0, . , , SAP_BASIS: ITS ( <= 6.40), Internet Service SE80. ITS ( >= 6.40), GUI SICF : 7.20, ~new_xss_functions, XSS- . , , , . ~html_escaping_off=”X”, . , . SAP Security Note 1488500. Business HTML (BHTML) HTMLBusiness Template Library (, SAP_TemplateNonEditableField()) . , . SAP Security Note 916255. , . , . , XSS-: http/security_session_timeout = 900; - , . icf/set_HTTPonly_flag_on_cookies = 0; HttpOnly , - , , . HTTPOnly, Logon tickets XSS-. , RZ10, ( Profile) (, DEFAULT.PFL, SAP-). , , , Extended maintenance . , Copy. , , - , - -, : icm/HTTP/logging_0 icm/security_log , SAP NetWeaver J2EE SAP NetWeaver J2EE AS Java tc_sec_csi.jar. , HTML/XML, JavaScript, CSS URL. StringUtils (com.sap.security.core.server.csi.util.StringUtils): . Securing SAP from XSS vulnerabilities escapeScriptEndTag(String pStr) - , javascript ; escapeToHTML(String input) – (. 1) escapeToJS(String input) – JS declaration ( . 5) escapeToURL(String input) – , URL ( 3). , 'disableScriptSignatures'. escapeToURL(StringBuffer sb, String input, int maxLength) - , URL ( 3). , 'disableScriptSignatures'. escapeToURL(String input, int maxLength) - , URL (. 3). , 'disableScriptSignatures'. urlEncode(String s) – URLEncoder.encode , . 1 ( ) [CASE1] Username [CASE1] 2 ( , – URL) Click here 3 ( - URL) 4 ( SCRIPT', – ) 5 ( – declaration ) XSSEncoder. - XSSEncoder ( : com.sap.security.core.server.csi.XSSEncoder). : HTML / XML out = XSSEncoder.encodeHTML( in ) and XSSEncoder.encodeXML( val ); JavaScript out = XSSEncoder.encodeJavaScript( val ); URL out = XSSEncoder.encodeURL( val ); CSS out = XSSEncoder.encodeCSS( val ); , . SAP Security Note 1590008. WebDynpro Java WebDynpro Java, XSS. . SAP UI Development Kit for HTML5 SAP UI Development Kit HTML5, jQuery /_core/src/main/js/jquery.sap.encoder.js. : HTML / XML jQuery.sap.encodeHTML(sValue) and jQuery.sap.encodeXML(sValue) JavaScript jQuery.sap.encodeJS(sValue) URL jQuery.sap.encodeURL(sValue) CSS jQuery.sap.encodeCSS(sValue) : , : Global_app_config/session_config/sessionTimeout = 900. - , . SystemCookiesDataProtection = true. HttpOnly , - , , . HTTPOnly, Logon tickets XSS-. ume.logon.httponlycookie= True. Logon tickets , Single Sign-On J2EE Engine. “True” , HTTP document.cookie ( XSS-) . SessionIPProtectionEnabled = True. , IP . True, HTTP- IP. IP, . , , - XSS-, - -, . LogCLF = TRUE http.properties logging CEF. ArchiveOldLogFiles = ON. Log Configurator . . , . , . . HttpTrace= Enable. HTTP- , ConfigTool. HTTP Provider Service, , HttpTrace. SAP HANA XS , XSS- – SAP HANA. SAP HANA SAPUI5. - SAPUI5 , . , int int, sap.ui.core . – , HTML: , : sessiontimeout = 900. - , . HttpOnly . , , - XSS-, - -, . HTTP (S) , SAP HANA, -. - HTTP (S) , icm/http/logging _ 0: global _ auditing _ state = true. global.ini, . , , XSS-. SAP HANA Administration Console –> Security HDB –> Auditing Status menu. - , XSS. , , - SAP . XSS- – SAP. SAP XSS-. XSS SAP. , ( chipik ) . Logging additional information ABAP protection SAP Encoding Functions for AS ABAP Java protection SAP Encoding Functions for AS Java and JavaScript Prevention of Cross-site Scripting SAP HANA protection Protecting SAP® Applications Based on Java and ABAP™ Against Common Attacks	<%@page language="abap" forceEncode="html"%> <% data: inputvalue type string. inputvalue = request->get_form_field( 'x' ). %> </html> . , ( ): <%html=...%>: HTML <%url=...%>: URL URL <%javascript=...%>: JavaScript <%css=…%> : CSS <%raw=...%> ( , , , ) BSP BSP HTMLB forceEncode <htmlb:content> ENABLED , ( ). ENABLED , , :<htmlb:content forceEncode="ENABLED\|BACKWARDS_COMPATIBLE"> ENABLED: . , ; BACKWARDS_COMPATIBLE: . , . , htmlb:content , . : CLASSIC, DESIGN2002, DESIGN2003, DESIGN2008, , (+). CLASSIC DESIGN2002 (, ) . <htmlb:content forceEncode="ENABLED" design="DESIGN2003+DESIGN2008"> , design=CLASSIC. . Mixed BSP- HTML HTMLB forceEncode BSP page forceEncode HTMLB . , – HTMLB. , , HTML BSP, Internet Transaction Server (ITS) HTML Business Internet Transaction Server (ITS) HTML Business, : xss_url_escape() xss_html_escape() xss_wml_escape() xss_css_escape() xss_js_escape() HTML Business , HTML-: , (`) , : ~auto_html_escaping=1: , ~new_xss_functions=1: XSS. ~html_escaping_off=1/0, . , , SAP_BASIS: ITS ( <= 6.40), Internet Service SE80. ITS ( >= 6.40), GUI SICF : 7.20, ~new_xss_functions, XSS- . , , , . ~html_escaping_off=”X”, . , . SAP Security Note 1488500. Business HTML (BHTML) HTMLBusiness Template Library (, SAP_TemplateNonEditableField()) . , . SAP Security Note 916255. , . , . , XSS-: http/security_session_timeout = 900; - , . icf/set_HTTPonly_flag_on_cookies = 0; HttpOnly , - , , . HTTPOnly, Logon tickets XSS-. , RZ10, ( Profile) (, DEFAULT.PFL, SAP-). , , , Extended maintenance . , Copy. , , - , - -, : icm/HTTP/logging_0 icm/security_log , SAP NetWeaver J2EE SAP NetWeaver J2EE AS Java tc_sec_csi.jar. , HTML/XML, JavaScript, CSS URL. StringUtils (com.sap.security.core.server.csi.util.StringUtils): . Securing SAP from XSS vulnerabilities escapeScriptEndTag(String pStr) - , javascript ; escapeToHTML(String input) – (. 1) escapeToJS(String input) – JS declaration ( . 5) escapeToURL(String input) – , URL ( 3). , 'disableScriptSignatures'. escapeToURL(StringBuffer sb, String input, int maxLength) - , URL ( 3). , 'disableScriptSignatures'. escapeToURL(String input, int maxLength) - , URL (. 3). , 'disableScriptSignatures'. urlEncode(String s) – URLEncoder.encode , . 1 ( ) [CASE1] Username [CASE1] 2 ( , – URL) Click here 3 ( - URL) 4 ( SCRIPT', – ) 5 ( – declaration ) XSSEncoder. - XSSEncoder ( : com.sap.security.core.server.csi.XSSEncoder). : HTML / XML out = XSSEncoder.encodeHTML( in ) and XSSEncoder.encodeXML( val ); JavaScript out = XSSEncoder.encodeJavaScript( val ); URL out = XSSEncoder.encodeURL( val ); CSS out = XSSEncoder.encodeCSS( val ); , . SAP Security Note 1590008. WebDynpro Java WebDynpro Java, XSS. . SAP UI Development Kit for HTML5 SAP UI Development Kit HTML5, jQuery /_core/src/main/js/jquery.sap.encoder.js. : HTML / XML jQuery.sap.encodeHTML(sValue) and jQuery.sap.encodeXML(sValue) JavaScript jQuery.sap.encodeJS(sValue) URL jQuery.sap.encodeURL(sValue) CSS jQuery.sap.encodeCSS(sValue) : , : Global_app_config/session_config/sessionTimeout = 900. - , . SystemCookiesDataProtection = true. HttpOnly , - , , . HTTPOnly, Logon tickets XSS-. ume.logon.httponlycookie= True. Logon tickets , Single Sign-On J2EE Engine. “True” , HTTP document.cookie ( XSS-) . SessionIPProtectionEnabled = True. , IP . True, HTTP- IP. IP, . , , - XSS-, - -, . LogCLF = TRUE http.properties logging CEF. ArchiveOldLogFiles = ON. Log Configurator . . , . , . . HttpTrace= Enable. HTTP- , ConfigTool. HTTP Provider Service, , HttpTrace. SAP HANA XS , XSS- – SAP HANA. SAP HANA SAPUI5. - SAPUI5 , . , int int, sap.ui.core . – , HTML: , : sessiontimeout = 900. - , . HttpOnly . , , - XSS-, - -, . HTTP (S) , SAP HANA, -. - HTTP (S) , icm/http/logging _ 0: global _ auditing _ state = true. global.ini, . , , XSS-. SAP HANA Administration Console –> Security HDB –> Auditing Status menu. - , XSS. , , - SAP . XSS- – SAP. SAP XSS-. XSS SAP. , ( chipik ) . Logging additional information ABAP protection SAP Encoding Functions for AS ABAP Java protection SAP Encoding Functions for AS Java and JavaScript Prevention of Cross-site Scripting SAP HANA protection Protecting SAP® Applications Based on Java and ABAP™ Against Common Attacks
<%@page language="abap" forceEncode="html"%> <% data: inputvalue type string. inputvalue = request->get_form_field( 'x' ). %> </html> . , ( ): <%html=...%>: HTML <%url=...%>: URL URL <%javascript=...%>: JavaScript <%css=…%> : CSS <%raw=...%> ( , , , ) BSP BSP HTMLB forceEncode <htmlb:content> ENABLED , ( ). ENABLED , , :<htmlb:content forceEncode="ENABLED\|BACKWARDS_COMPATIBLE"> ENABLED: . , ; BACKWARDS_COMPATIBLE: . , . , htmlb:content , . : CLASSIC, DESIGN2002, DESIGN2003, DESIGN2008, , (+). CLASSIC DESIGN2002 (, ) . <htmlb:content forceEncode="ENABLED" design="DESIGN2003+DESIGN2008"> , design=CLASSIC. . Mixed BSP- HTML HTMLB forceEncode BSP page forceEncode HTMLB . , – HTMLB. , , HTML BSP, Internet Transaction Server (ITS) HTML Business Internet Transaction Server (ITS) HTML Business, : xss_url_escape() xss_html_escape() xss_wml_escape() xss_css_escape() xss_js_escape() HTML Business , HTML-: , (`) , : ~auto_html_escaping=1: , ~new_xss_functions=1: XSS. ~html_escaping_off=1/0, . , , SAP_BASIS: ITS ( <= 6.40), Internet Service SE80. ITS ( >= 6.40), GUI SICF : 7.20, ~new_xss_functions, XSS- . , , , . ~html_escaping_off=”X”, . , . SAP Security Note 1488500. Business HTML (BHTML) HTMLBusiness Template Library (, SAP_TemplateNonEditableField()) . , . SAP Security Note 916255. , . , . , XSS-: http/security_session_timeout = 900; - , . icf/set_HTTPonly_flag_on_cookies = 0; HttpOnly , - , , . HTTPOnly, Logon tickets XSS-. , RZ10, ( Profile) (, DEFAULT.PFL, SAP-). , , , Extended maintenance . , Copy. , , - , - -, : icm/HTTP/logging_0 icm/security_log , SAP NetWeaver J2EE SAP NetWeaver J2EE AS Java tc_sec_csi.jar. , HTML/XML, JavaScript, CSS URL. StringUtils (com.sap.security.core.server.csi.util.StringUtils): . Securing SAP from XSS vulnerabilities escapeScriptEndTag(String pStr) - , javascript ; escapeToHTML(String input) – (. 1) escapeToJS(String input) – JS declaration ( . 5) escapeToURL(String input) – , URL ( 3). , 'disableScriptSignatures'. escapeToURL(StringBuffer sb, String input, int maxLength) - , URL ( 3). , 'disableScriptSignatures'. escapeToURL(String input, int maxLength) - , URL (. 3). , 'disableScriptSignatures'. urlEncode(String s) – URLEncoder.encode , . 1 ( ) [CASE1] Username [CASE1] 2 ( , – URL) Click here 3 ( - URL) 4 ( SCRIPT', – ) 5 ( – declaration ) XSSEncoder. - XSSEncoder ( : com.sap.security.core.server.csi.XSSEncoder). : HTML / XML out = XSSEncoder.encodeHTML( in ) and XSSEncoder.encodeXML( val ); JavaScript out = XSSEncoder.encodeJavaScript( val ); URL out = XSSEncoder.encodeURL( val ); CSS out = XSSEncoder.encodeCSS( val ); , . SAP Security Note 1590008. WebDynpro Java WebDynpro Java, XSS. . SAP UI Development Kit for HTML5 SAP UI Development Kit HTML5, jQuery /_core/src/main/js/jquery.sap.encoder.js. : HTML / XML jQuery.sap.encodeHTML(sValue) and jQuery.sap.encodeXML(sValue) JavaScript jQuery.sap.encodeJS(sValue) URL jQuery.sap.encodeURL(sValue) CSS jQuery.sap.encodeCSS(sValue) : , : Global_app_config/session_config/sessionTimeout = 900. - , . SystemCookiesDataProtection = true. HttpOnly , - , , . HTTPOnly, Logon tickets XSS-. ume.logon.httponlycookie= True. Logon tickets , Single Sign-On J2EE Engine. “True” , HTTP document.cookie ( XSS-) . SessionIPProtectionEnabled = True. , IP . True, HTTP- IP. IP, . , , - XSS-, - -, . LogCLF = TRUE http.properties logging CEF. ArchiveOldLogFiles = ON. Log Configurator . . , . , . . HttpTrace= Enable. HTTP- , ConfigTool. HTTP Provider Service, , HttpTrace. SAP HANA XS , XSS- – SAP HANA. SAP HANA SAPUI5. - SAPUI5 , . , int int, sap.ui.core . – , HTML: , : sessiontimeout = 900. - , . HttpOnly . , , - XSS-, - -, . HTTP (S) , SAP HANA, -. - HTTP (S) , icm/http/logging _ 0: global _ auditing _ state = true. global.ini, . , , XSS-. SAP HANA Administration Console –> Security HDB –> Auditing Status menu. - , XSS. , , - SAP . XSS- – SAP. SAP XSS-. XSS SAP. , ( chipik ) . Logging additional information ABAP protection SAP Encoding Functions for AS ABAP Java protection SAP Encoding Functions for AS Java and JavaScript Prevention of Cross-site Scripting SAP HANA protection Protecting SAP® Applications Based on Java and ABAP™ Against Common Attacks	<%@page language="abap" forceEncode="html"%> <% data: inputvalue type string. inputvalue = request->get_form_field( 'x' ). %> </html> . , ( ): <%html=...%>: HTML <%url=...%>: URL URL <%javascript=...%>: JavaScript <%css=…%> : CSS <%raw=...%> ( , , , ) BSP BSP HTMLB forceEncode <htmlb:content> ENABLED , ( ). ENABLED , , :<htmlb:content forceEncode="ENABLED\|BACKWARDS_COMPATIBLE"> ENABLED: . , ; BACKWARDS_COMPATIBLE: . , . , htmlb:content , . : CLASSIC, DESIGN2002, DESIGN2003, DESIGN2008, , (+). CLASSIC DESIGN2002 (, ) . <htmlb:content forceEncode="ENABLED" design="DESIGN2003+DESIGN2008"> , design=CLASSIC. . Mixed BSP- HTML HTMLB forceEncode BSP page forceEncode HTMLB . , – HTMLB. , , HTML BSP, Internet Transaction Server (ITS) HTML Business Internet Transaction Server (ITS) HTML Business, : xss_url_escape() xss_html_escape() xss_wml_escape() xss_css_escape() xss_js_escape() HTML Business , HTML-: , (`) , : ~auto_html_escaping=1: , ~new_xss_functions=1: XSS. ~html_escaping_off=1/0, . , , SAP_BASIS: ITS ( <= 6.40), Internet Service SE80. ITS ( >= 6.40), GUI SICF : 7.20, ~new_xss_functions, XSS- . , , , . ~html_escaping_off=”X”, . , . SAP Security Note 1488500. Business HTML (BHTML) HTMLBusiness Template Library (, SAP_TemplateNonEditableField()) . , . SAP Security Note 916255. , . , . , XSS-: http/security_session_timeout = 900; - , . icf/set_HTTPonly_flag_on_cookies = 0; HttpOnly , - , , . HTTPOnly, Logon tickets XSS-. , RZ10, ( Profile) (, DEFAULT.PFL, SAP-). , , , Extended maintenance . , Copy. , , - , - -, : icm/HTTP/logging_0 icm/security_log , SAP NetWeaver J2EE SAP NetWeaver J2EE AS Java tc_sec_csi.jar. , HTML/XML, JavaScript, CSS URL. StringUtils (com.sap.security.core.server.csi.util.StringUtils): . Securing SAP from XSS vulnerabilities escapeScriptEndTag(String pStr) - , javascript ; escapeToHTML(String input) – (. 1) escapeToJS(String input) – JS declaration ( . 5) escapeToURL(String input) – , URL ( 3). , 'disableScriptSignatures'. escapeToURL(StringBuffer sb, String input, int maxLength) - , URL ( 3). , 'disableScriptSignatures'. escapeToURL(String input, int maxLength) - , URL (. 3). , 'disableScriptSignatures'. urlEncode(String s) – URLEncoder.encode , . 1 ( ) [CASE1] Username [CASE1] 2 ( , – URL) Click here 3 ( - URL) 4 ( SCRIPT', – ) 5 ( – declaration ) XSSEncoder. - XSSEncoder ( : com.sap.security.core.server.csi.XSSEncoder). : HTML / XML out = XSSEncoder.encodeHTML( in ) and XSSEncoder.encodeXML( val ); JavaScript out = XSSEncoder.encodeJavaScript( val ); URL out = XSSEncoder.encodeURL( val ); CSS out = XSSEncoder.encodeCSS( val ); , . SAP Security Note 1590008. WebDynpro Java WebDynpro Java, XSS. . SAP UI Development Kit for HTML5 SAP UI Development Kit HTML5, jQuery /_core/src/main/js/jquery.sap.encoder.js. : HTML / XML jQuery.sap.encodeHTML(sValue) and jQuery.sap.encodeXML(sValue) JavaScript jQuery.sap.encodeJS(sValue) URL jQuery.sap.encodeURL(sValue) CSS jQuery.sap.encodeCSS(sValue) : , : Global_app_config/session_config/sessionTimeout = 900. - , . SystemCookiesDataProtection = true. HttpOnly , - , , . HTTPOnly, Logon tickets XSS-. ume.logon.httponlycookie= True. Logon tickets , Single Sign-On J2EE Engine. “True” , HTTP document.cookie ( XSS-) . SessionIPProtectionEnabled = True. , IP . True, HTTP- IP. IP, . , , - XSS-, - -, . LogCLF = TRUE http.properties logging CEF. ArchiveOldLogFiles = ON. Log Configurator . . , . , . . HttpTrace= Enable. HTTP- , ConfigTool. HTTP Provider Service, , HttpTrace. SAP HANA XS , XSS- – SAP HANA. SAP HANA SAPUI5. - SAPUI5 , . , int int, sap.ui.core . – , HTML: , : sessiontimeout = 900. - , . HttpOnly . , , - XSS-, - -, . HTTP (S) , SAP HANA, -. - HTTP (S) , icm/http/logging _ 0: global _ auditing _ state = true. global.ini, . , , XSS-. SAP HANA Administration Console –> Security HDB –> Auditing Status menu. - , XSS. , , - SAP . XSS- – SAP. SAP XSS-. XSS SAP. , ( chipik ) . Logging additional information ABAP protection SAP Encoding Functions for AS ABAP Java protection SAP Encoding Functions for AS Java and JavaScript Prevention of Cross-site Scripting SAP HANA protection Protecting SAP® Applications Based on Java and ABAP™ Against Common Attacks
<%@page language="abap" forceEncode="html"%> <% data: inputvalue type string. inputvalue = request->get_form_field( 'x' ). %> </html> . , ( ): <%html=...%>: HTML <%url=...%>: URL URL <%javascript=...%>: JavaScript <%css=…%> : CSS <%raw=...%> ( , , , ) BSP BSP HTMLB forceEncode <htmlb:content> ENABLED , ( ). ENABLED , , :<htmlb:content forceEncode="ENABLED\|BACKWARDS_COMPATIBLE"> ENABLED: . , ; BACKWARDS_COMPATIBLE: . , . , htmlb:content , . : CLASSIC, DESIGN2002, DESIGN2003, DESIGN2008, , (+). CLASSIC DESIGN2002 (, ) . <htmlb:content forceEncode="ENABLED" design="DESIGN2003+DESIGN2008"> , design=CLASSIC. . Mixed BSP- HTML HTMLB forceEncode BSP page forceEncode HTMLB . , – HTMLB. , , HTML BSP, Internet Transaction Server (ITS) HTML Business Internet Transaction Server (ITS) HTML Business, : xss_url_escape() xss_html_escape() xss_wml_escape() xss_css_escape() xss_js_escape() HTML Business , HTML-: , (`) , : ~auto_html_escaping=1: , ~new_xss_functions=1: XSS. ~html_escaping_off=1/0, . , , SAP_BASIS: ITS ( <= 6.40), Internet Service SE80. ITS ( >= 6.40), GUI SICF : 7.20, ~new_xss_functions, XSS- . , , , . ~html_escaping_off=”X”, . , . SAP Security Note 1488500. Business HTML (BHTML) HTMLBusiness Template Library (, SAP_TemplateNonEditableField()) . , . SAP Security Note 916255. , . , . , XSS-: http/security_session_timeout = 900; - , . icf/set_HTTPonly_flag_on_cookies = 0; HttpOnly , - , , . HTTPOnly, Logon tickets XSS-. , RZ10, ( Profile) (, DEFAULT.PFL, SAP-). , , , Extended maintenance . , Copy. , , - , - -, : icm/HTTP/logging_0 icm/security_log , SAP NetWeaver J2EE SAP NetWeaver J2EE AS Java tc_sec_csi.jar. , HTML/XML, JavaScript, CSS URL. StringUtils (com.sap.security.core.server.csi.util.StringUtils): . Securing SAP from XSS vulnerabilities escapeScriptEndTag(String pStr) - , javascript ; escapeToHTML(String input) – (. 1) escapeToJS(String input) – JS declaration ( . 5) escapeToURL(String input) – , URL ( 3). , 'disableScriptSignatures'. escapeToURL(StringBuffer sb, String input, int maxLength) - , URL ( 3). , 'disableScriptSignatures'. escapeToURL(String input, int maxLength) - , URL (. 3). , 'disableScriptSignatures'. urlEncode(String s) – URLEncoder.encode , . 1 ( ) [CASE1] Username [CASE1] 2 ( , – URL) Click here 3 ( - URL) 4 ( SCRIPT', – ) 5 ( – declaration ) XSSEncoder. - XSSEncoder ( : com.sap.security.core.server.csi.XSSEncoder). : HTML / XML out = XSSEncoder.encodeHTML( in ) and XSSEncoder.encodeXML( val ); JavaScript out = XSSEncoder.encodeJavaScript( val ); URL out = XSSEncoder.encodeURL( val ); CSS out = XSSEncoder.encodeCSS( val ); , . SAP Security Note 1590008. WebDynpro Java WebDynpro Java, XSS. . SAP UI Development Kit for HTML5 SAP UI Development Kit HTML5, jQuery /_core/src/main/js/jquery.sap.encoder.js. : HTML / XML jQuery.sap.encodeHTML(sValue) and jQuery.sap.encodeXML(sValue) JavaScript jQuery.sap.encodeJS(sValue) URL jQuery.sap.encodeURL(sValue) CSS jQuery.sap.encodeCSS(sValue) : , : Global_app_config/session_config/sessionTimeout = 900. - , . SystemCookiesDataProtection = true. HttpOnly , - , , . HTTPOnly, Logon tickets XSS-. ume.logon.httponlycookie= True. Logon tickets , Single Sign-On J2EE Engine. “True” , HTTP document.cookie ( XSS-) . SessionIPProtectionEnabled = True. , IP . True, HTTP- IP. IP, . , , - XSS-, - -, . LogCLF = TRUE http.properties logging CEF. ArchiveOldLogFiles = ON. Log Configurator . . , . , . . HttpTrace= Enable. HTTP- , ConfigTool. HTTP Provider Service, , HttpTrace. SAP HANA XS , XSS- – SAP HANA. SAP HANA SAPUI5. - SAPUI5 , . , int int, sap.ui.core . – , HTML: , : sessiontimeout = 900. - , . HttpOnly . , , - XSS-, - -, . HTTP (S) , SAP HANA, -. - HTTP (S) , icm/http/logging _ 0: global _ auditing _ state = true. global.ini, . , , XSS-. SAP HANA Administration Console –> Security HDB –> Auditing Status menu. - , XSS. , , - SAP . XSS- – SAP. SAP XSS-. XSS SAP. , ( chipik ) . Logging additional information ABAP protection SAP Encoding Functions for AS ABAP Java protection SAP Encoding Functions for AS Java and JavaScript Prevention of Cross-site Scripting SAP HANA protection Protecting SAP® Applications Based on Java and ABAP™ Against Common Attacks	<%@page language="abap" forceEncode="html"%> <% data: inputvalue type string. inputvalue = request->get_form_field( 'x' ). %> </html> . , ( ): <%html=...%>: HTML <%url=...%>: URL URL <%javascript=...%>: JavaScript <%css=…%> : CSS <%raw=...%> ( , , , ) BSP BSP HTMLB forceEncode <htmlb:content> ENABLED , ( ). ENABLED , , :<htmlb:content forceEncode="ENABLED\|BACKWARDS_COMPATIBLE"> ENABLED: . , ; BACKWARDS_COMPATIBLE: . , . , htmlb:content , . : CLASSIC, DESIGN2002, DESIGN2003, DESIGN2008, , (+). CLASSIC DESIGN2002 (, ) . <htmlb:content forceEncode="ENABLED" design="DESIGN2003+DESIGN2008"> , design=CLASSIC. . Mixed BSP- HTML HTMLB forceEncode BSP page forceEncode HTMLB . , – HTMLB. , , HTML BSP, Internet Transaction Server (ITS) HTML Business Internet Transaction Server (ITS) HTML Business, : xss_url_escape() xss_html_escape() xss_wml_escape() xss_css_escape() xss_js_escape() HTML Business , HTML-: , (`) , : ~auto_html_escaping=1: , ~new_xss_functions=1: XSS. ~html_escaping_off=1/0, . , , SAP_BASIS: ITS ( <= 6.40), Internet Service SE80. ITS ( >= 6.40), GUI SICF : 7.20, ~new_xss_functions, XSS- . , , , . ~html_escaping_off=”X”, . , . SAP Security Note 1488500. Business HTML (BHTML) HTMLBusiness Template Library (, SAP_TemplateNonEditableField()) . , . SAP Security Note 916255. , . , . , XSS-: http/security_session_timeout = 900; - , . icf/set_HTTPonly_flag_on_cookies = 0; HttpOnly , - , , . HTTPOnly, Logon tickets XSS-. , RZ10, ( Profile) (, DEFAULT.PFL, SAP-). , , , Extended maintenance . , Copy. , , - , - -, : icm/HTTP/logging_0 icm/security_log , SAP NetWeaver J2EE SAP NetWeaver J2EE AS Java tc_sec_csi.jar. , HTML/XML, JavaScript, CSS URL. StringUtils (com.sap.security.core.server.csi.util.StringUtils): . Securing SAP from XSS vulnerabilities escapeScriptEndTag(String pStr) - , javascript ; escapeToHTML(String input) – (. 1) escapeToJS(String input) – JS declaration ( . 5) escapeToURL(String input) – , URL ( 3). , 'disableScriptSignatures'. escapeToURL(StringBuffer sb, String input, int maxLength) - , URL ( 3). , 'disableScriptSignatures'. escapeToURL(String input, int maxLength) - , URL (. 3). , 'disableScriptSignatures'. urlEncode(String s) – URLEncoder.encode , . 1 ( ) [CASE1] Username [CASE1] 2 ( , – URL) Click here 3 ( - URL) 4 ( SCRIPT', – ) 5 ( – declaration ) XSSEncoder. - XSSEncoder ( : com.sap.security.core.server.csi.XSSEncoder). : HTML / XML out = XSSEncoder.encodeHTML( in ) and XSSEncoder.encodeXML( val ); JavaScript out = XSSEncoder.encodeJavaScript( val ); URL out = XSSEncoder.encodeURL( val ); CSS out = XSSEncoder.encodeCSS( val ); , . SAP Security Note 1590008. WebDynpro Java WebDynpro Java, XSS. . SAP UI Development Kit for HTML5 SAP UI Development Kit HTML5, jQuery /_core/src/main/js/jquery.sap.encoder.js. : HTML / XML jQuery.sap.encodeHTML(sValue) and jQuery.sap.encodeXML(sValue) JavaScript jQuery.sap.encodeJS(sValue) URL jQuery.sap.encodeURL(sValue) CSS jQuery.sap.encodeCSS(sValue) : , : Global_app_config/session_config/sessionTimeout = 900. - , . SystemCookiesDataProtection = true. HttpOnly , - , , . HTTPOnly, Logon tickets XSS-. ume.logon.httponlycookie= True. Logon tickets , Single Sign-On J2EE Engine. “True” , HTTP document.cookie ( XSS-) . SessionIPProtectionEnabled = True. , IP . True, HTTP- IP. IP, . , , - XSS-, - -, . LogCLF = TRUE http.properties logging CEF. ArchiveOldLogFiles = ON. Log Configurator . . , . , . . HttpTrace= Enable. HTTP- , ConfigTool. HTTP Provider Service, , HttpTrace. SAP HANA XS , XSS- – SAP HANA. SAP HANA SAPUI5. - SAPUI5 , . , int int, sap.ui.core . – , HTML: , : sessiontimeout = 900. - , . HttpOnly . , , - XSS-, - -, . HTTP (S) , SAP HANA, -. - HTTP (S) , icm/http/logging _ 0: global _ auditing _ state = true. global.ini, . , , XSS-. SAP HANA Administration Console –> Security HDB –> Auditing Status menu. - , XSS. , , - SAP . XSS- – SAP. SAP XSS-. XSS SAP. , ( chipik ) . Logging additional information ABAP protection SAP Encoding Functions for AS ABAP Java protection SAP Encoding Functions for AS Java and JavaScript Prevention of Cross-site Scripting SAP HANA protection Protecting SAP® Applications Based on Java and ABAP™ Against Common Attacks

<%@page language="abap" forceEncode="html"%>
<% data: inputvalue type string.
inputvalue = request->get_form_field( 'x' ).
%>
</html>


. , ( ):

<%html=...%>: HTML <%url=...%>: URL URL <%javascript=...%>: JavaScript <%css=…%> : CSS <%raw=...%> ( , , , )

BSP

BSP HTMLB forceEncode <htmlb:content> ENABLED , ( ). ENABLED , , :<htmlb:content forceEncode="ENABLED|BACKWARDS_COMPATIBLE">

ENABLED: . , ; BACKWARDS_COMPATIBLE: . , .

, htmlb:content , . : CLASSIC, DESIGN2002, DESIGN2003, DESIGN2008, , (+). CLASSIC DESIGN2002 (, ) .

<htmlb:content forceEncode="ENABLED" design="DESIGN2003+DESIGN2008">


, design=CLASSIC. .

Mixed BSP- HTML HTMLB

forceEncode BSP page forceEncode HTMLB . , – HTMLB. , , HTML BSP,

Internet Transaction Server (ITS) HTML Business

Internet Transaction Server (ITS) HTML Business, :

xss_url_escape() xss_html_escape() xss_wml_escape() xss_css_escape() xss_js_escape()
HTML Business

, HTML-: , (`) , :
~auto_html_escaping=1: , ~new_xss_functions=1: XSS.
~html_escaping_off=1/0, .
, , SAP_BASIS:
ITS ( <= 6.40), Internet Service SE80. ITS ( >= 6.40), GUI SICF :

7.20, ~new_xss_functions, XSS- .

, , , . ~html_escaping_off=”X”, . , . SAP Security Note 1488500.

Business HTML (BHTML)

HTMLBusiness Template Library (, SAP_TemplateNonEditableField()) . , . SAP Security Note 916255.



, . , .



, XSS-:

http/security_session_timeout = 900; - , . icf/set_HTTPonly_flag_on_cookies = 0; HttpOnly , - , , . HTTPOnly, Logon tickets XSS-.

, RZ10, ( Profile) (, DEFAULT.PFL, SAP-). , , , Extended maintenance . , Copy.



, , - , - -, :
icm/HTTP/logging_0 icm/security_log ,

SAP NetWeaver J2EE

SAP NetWeaver J2EE



AS Java tc_sec_csi.jar. , HTML/XML, JavaScript, CSS URL. StringUtils (com.sap.security.core.server.csi.util.StringUtils):

. Securing SAP from XSS vulnerabilities
escapeScriptEndTag(String pStr) - , javascript ; escapeToHTML(String input) – (. 1) escapeToJS(String input) – JS declaration ( . 5) escapeToURL(String input) – , URL ( 3). , 'disableScriptSignatures'. escapeToURL(StringBuffer sb, String input, int maxLength) - , URL ( 3). , 'disableScriptSignatures'. escapeToURL(String input, int maxLength) - , URL (. 3). , 'disableScriptSignatures'. urlEncode(String s) – URLEncoder.encode

, .

1 ( )

[CASE1]

Username [CASE1]



2 ( , – URL)


Click here


3 ( - URL)




4 ( SCRIPT', – )



5 ( – declaration )



XSSEncoder.
- XSSEncoder ( : com.sap.security.core.server.csi.XSSEncoder).

:
HTML / XML out = XSSEncoder.encodeHTML( in ) and XSSEncoder.encodeXML( val ); JavaScript out = XSSEncoder.encodeJavaScript( val ); URL out = XSSEncoder.encodeURL( val ); CSS out = XSSEncoder.encodeCSS( val );

, . SAP Security Note 1590008.
WebDynpro Java
WebDynpro Java, XSS. .
SAP UI Development Kit for HTML5
SAP UI Development Kit HTML5, jQuery /_core/src/main/js/jquery.sap.encoder.js.
:
HTML / XML jQuery.sap.encodeHTML(sValue) and jQuery.sap.encodeXML(sValue) JavaScript jQuery.sap.encodeJS(sValue) URL jQuery.sap.encodeURL(sValue) CSS jQuery.sap.encodeCSS(sValue)
:

, :
Global_app_config/session_config/sessionTimeout = 900. - , . SystemCookiesDataProtection = true. HttpOnly , - , , . HTTPOnly, Logon tickets XSS-. ume.logon.httponlycookie= True. Logon tickets , Single Sign-On J2EE Engine. “True” , HTTP document.cookie ( XSS-) . SessionIPProtectionEnabled = True. , IP . True, HTTP- IP. IP, .


, , - XSS-, - -, .
LogCLF = TRUE http.properties logging CEF. ArchiveOldLogFiles = ON. Log Configurator . . , . , . . HttpTrace= Enable. HTTP- , ConfigTool. HTTP Provider Service, , HttpTrace.
SAP HANA XS

, XSS- – SAP HANA.


SAP HANA SAPUI5.
- SAPUI5 , . , int int, sap.ui.core . – , HTML:

, :
sessiontimeout = 900. - , . HttpOnly .



, , - XSS-, - -, .

HTTP (S) , SAP HANA, -. - HTTP (S) , icm/http/logging _ 0: global _ auditing _ state = true. global.ini, . , , XSS-. SAP HANA Administration Console –> Security HDB –> Auditing Status menu.



- , XSS. , , - SAP . XSS- – SAP. SAP XSS-. XSS SAP.

, ( chipik ) .


Logging additional information ABAP protection SAP Encoding Functions for AS ABAP Java protection SAP Encoding Functions for AS Java and JavaScript Prevention of Cross-site Scripting SAP HANA protection Protecting SAP® Applications Based on Java and ABAP™ Against Common Attacks

<%@page language="abap" forceEncode="html"%> <% data: inputvalue type string. inputvalue = request->get_form_field( 'x' ). %> </html> . , ( ): <%html=...%>: HTML <%url=...%>: URL URL <%javascript=...%>: JavaScript <%css=…%> : CSS <%raw=...%> ( , , , ) BSP BSP HTMLB forceEncode <htmlb:content> ENABLED , ( ). ENABLED , , :<htmlb:content forceEncode="ENABLED|BACKWARDS_COMPATIBLE"> ENABLED: . , ; BACKWARDS_COMPATIBLE: . , . , htmlb:content , . : CLASSIC, DESIGN2002, DESIGN2003, DESIGN2008, , (+). CLASSIC DESIGN2002 (, ) . <htmlb:content forceEncode="ENABLED" design="DESIGN2003+DESIGN2008"> , design=CLASSIC. . Mixed BSP- HTML HTMLB forceEncode BSP page forceEncode HTMLB . , – HTMLB. , , HTML BSP, Internet Transaction Server (ITS) HTML Business Internet Transaction Server (ITS) HTML Business, : xss_url_escape() xss_html_escape() xss_wml_escape() xss_css_escape() xss_js_escape() HTML Business , HTML-: , (`) , : ~auto_html_escaping=1: , ~new_xss_functions=1: XSS. ~html_escaping_off=1/0, . , , SAP_BASIS: ITS ( <= 6.40), Internet Service SE80. ITS ( >= 6.40), GUI SICF : 7.20, ~new_xss_functions, XSS- . , , , . ~html_escaping_off=”X”, . , . SAP Security Note 1488500. Business HTML (BHTML) HTMLBusiness Template Library (, SAP_TemplateNonEditableField()) . , . SAP Security Note 916255. , . , . , XSS-: http/security_session_timeout = 900; - , . icf/set_HTTPonly_flag_on_cookies = 0; HttpOnly , - , , . HTTPOnly, Logon tickets XSS-. , RZ10, ( Profile) (, DEFAULT.PFL, SAP-). , , , Extended maintenance . , Copy. , , - , - -, : icm/HTTP/logging_0 icm/security_log , SAP NetWeaver J2EE SAP NetWeaver J2EE AS Java tc_sec_csi.jar. , HTML/XML, JavaScript, CSS URL. StringUtils (com.sap.security.core.server.csi.util.StringUtils): . Securing SAP from XSS vulnerabilities escapeScriptEndTag(String pStr) - , javascript ; escapeToHTML(String input) – (. 1) escapeToJS(String input) – JS declaration ( . 5) escapeToURL(String input) – , URL ( 3). , 'disableScriptSignatures'. escapeToURL(StringBuffer sb, String input, int maxLength) - , URL ( 3). , 'disableScriptSignatures'. escapeToURL(String input, int maxLength) - , URL (. 3). , 'disableScriptSignatures'. urlEncode(String s) – URLEncoder.encode , . 1 ( ) [CASE1] Username [CASE1] 2 ( , – URL) Click here 3 ( - URL) 4 ( SCRIPT', – ) 5 ( – declaration ) XSSEncoder. - XSSEncoder ( : com.sap.security.core.server.csi.XSSEncoder). : HTML / XML out = XSSEncoder.encodeHTML( in ) and XSSEncoder.encodeXML( val ); JavaScript out = XSSEncoder.encodeJavaScript( val ); URL out = XSSEncoder.encodeURL( val ); CSS out = XSSEncoder.encodeCSS( val ); , . SAP Security Note 1590008. WebDynpro Java WebDynpro Java, XSS. . SAP UI Development Kit for HTML5 SAP UI Development Kit HTML5, jQuery /_core/src/main/js/jquery.sap.encoder.js. : HTML / XML jQuery.sap.encodeHTML(sValue) and jQuery.sap.encodeXML(sValue) JavaScript jQuery.sap.encodeJS(sValue) URL jQuery.sap.encodeURL(sValue) CSS jQuery.sap.encodeCSS(sValue) : , : Global_app_config/session_config/sessionTimeout = 900. - , . SystemCookiesDataProtection = true. HttpOnly , - , , . HTTPOnly, Logon tickets XSS-. ume.logon.httponlycookie= True. Logon tickets , Single Sign-On J2EE Engine. “True” , HTTP document.cookie ( XSS-) . SessionIPProtectionEnabled = True. , IP . True, HTTP- IP. IP, . , , - XSS-, - -, . LogCLF = TRUE http.properties logging CEF. ArchiveOldLogFiles = ON. Log Configurator . . , . , . . HttpTrace= Enable. HTTP- , ConfigTool. HTTP Provider Service, , HttpTrace. SAP HANA XS , XSS- – SAP HANA. SAP HANA SAPUI5. - SAPUI5 , . , int int, sap.ui.core . – , HTML: , : sessiontimeout = 900. - , . HttpOnly . , , - XSS-, - -, . HTTP (S) , SAP HANA, -. - HTTP (S) , icm/http/logging _ 0: global _ auditing _ state = true. global.ini, . , , XSS-. SAP HANA Administration Console –> Security HDB –> Auditing Status menu. - , XSS. , , - SAP . XSS- – SAP. SAP XSS-. XSS SAP. , ( chipik ) . Logging additional information ABAP protection SAP Encoding Functions for AS ABAP Java protection SAP Encoding Functions for AS Java and JavaScript Prevention of Cross-site Scripting SAP HANA protection Protecting SAP® Applications Based on Java and ABAP™ Against Common Attacks

<%@page language="abap" forceEncode="html"%>
<% data: inputvalue type string.
inputvalue = request->get_form_field( 'x' ).
%>
</html>


. , ( ):

<%html=...%>: HTML <%url=...%>: URL URL <%javascript=...%>: JavaScript <%css=…%> : CSS <%raw=...%> ( , , , )

BSP

BSP HTMLB forceEncode <htmlb:content> ENABLED , ( ). ENABLED , , :<htmlb:content forceEncode="ENABLED|BACKWARDS_COMPATIBLE">

ENABLED: . , ; BACKWARDS_COMPATIBLE: . , .

, htmlb:content , . : CLASSIC, DESIGN2002, DESIGN2003, DESIGN2008, , (+). CLASSIC DESIGN2002 (, ) .

<htmlb:content forceEncode="ENABLED" design="DESIGN2003+DESIGN2008">


, design=CLASSIC. .

Mixed BSP- HTML HTMLB

forceEncode BSP page forceEncode HTMLB . , – HTMLB. , , HTML BSP,

Internet Transaction Server (ITS) HTML Business

Internet Transaction Server (ITS) HTML Business, :

xss_url_escape() xss_html_escape() xss_wml_escape() xss_css_escape() xss_js_escape()
HTML Business

, HTML-: , (`) , :
~auto_html_escaping=1: , ~new_xss_functions=1: XSS.
~html_escaping_off=1/0, .
, , SAP_BASIS:
ITS ( <= 6.40), Internet Service SE80. ITS ( >= 6.40), GUI SICF :

7.20, ~new_xss_functions, XSS- .

, , , . ~html_escaping_off=”X”, . , . SAP Security Note 1488500.

Business HTML (BHTML)

HTMLBusiness Template Library (, SAP_TemplateNonEditableField()) . , . SAP Security Note 916255.



, . , .



, XSS-:

http/security_session_timeout = 900; - , . icf/set_HTTPonly_flag_on_cookies = 0; HttpOnly , - , , . HTTPOnly, Logon tickets XSS-.

, RZ10, ( Profile) (, DEFAULT.PFL, SAP-). , , , Extended maintenance . , Copy.



, , - , - -, :
icm/HTTP/logging_0 icm/security_log ,

SAP NetWeaver J2EE

SAP NetWeaver J2EE



AS Java tc_sec_csi.jar. , HTML/XML, JavaScript, CSS URL. StringUtils (com.sap.security.core.server.csi.util.StringUtils):

. Securing SAP from XSS vulnerabilities
escapeScriptEndTag(String pStr) - , javascript ; escapeToHTML(String input) – (. 1) escapeToJS(String input) – JS declaration ( . 5) escapeToURL(String input) – , URL ( 3). , 'disableScriptSignatures'. escapeToURL(StringBuffer sb, String input, int maxLength) - , URL ( 3). , 'disableScriptSignatures'. escapeToURL(String input, int maxLength) - , URL (. 3). , 'disableScriptSignatures'. urlEncode(String s) – URLEncoder.encode

, .

1 ( )

[CASE1]

Username [CASE1]



2 ( , – URL)


Click here


3 ( - URL)




4 ( SCRIPT', – )



5 ( – declaration )



XSSEncoder.
- XSSEncoder ( : com.sap.security.core.server.csi.XSSEncoder).

:
HTML / XML out = XSSEncoder.encodeHTML( in ) and XSSEncoder.encodeXML( val ); JavaScript out = XSSEncoder.encodeJavaScript( val ); URL out = XSSEncoder.encodeURL( val ); CSS out = XSSEncoder.encodeCSS( val );

, . SAP Security Note 1590008.
WebDynpro Java
WebDynpro Java, XSS. .
SAP UI Development Kit for HTML5
SAP UI Development Kit HTML5, jQuery /_core/src/main/js/jquery.sap.encoder.js.
:
HTML / XML jQuery.sap.encodeHTML(sValue) and jQuery.sap.encodeXML(sValue) JavaScript jQuery.sap.encodeJS(sValue) URL jQuery.sap.encodeURL(sValue) CSS jQuery.sap.encodeCSS(sValue)
:

, :
Global_app_config/session_config/sessionTimeout = 900. - , . SystemCookiesDataProtection = true. HttpOnly , - , , . HTTPOnly, Logon tickets XSS-. ume.logon.httponlycookie= True. Logon tickets , Single Sign-On J2EE Engine. “True” , HTTP document.cookie ( XSS-) . SessionIPProtectionEnabled = True. , IP . True, HTTP- IP. IP, .


, , - XSS-, - -, .
LogCLF = TRUE http.properties logging CEF. ArchiveOldLogFiles = ON. Log Configurator . . , . , . . HttpTrace= Enable. HTTP- , ConfigTool. HTTP Provider Service, , HttpTrace.
SAP HANA XS

, XSS- – SAP HANA.


SAP HANA SAPUI5.
- SAPUI5 , . , int int, sap.ui.core . – , HTML:

, :
sessiontimeout = 900. - , . HttpOnly .



, , - XSS-, - -, .

HTTP (S) , SAP HANA, -. - HTTP (S) , icm/http/logging _ 0: global _ auditing _ state = true. global.ini, . , , XSS-. SAP HANA Administration Console –> Security HDB –> Auditing Status menu.



- , XSS. , , - SAP . XSS- – SAP. SAP XSS-. XSS SAP.

, ( chipik ) .


Logging additional information ABAP protection SAP Encoding Functions for AS ABAP Java protection SAP Encoding Functions for AS Java and JavaScript Prevention of Cross-site Scripting SAP HANA protection Protecting SAP® Applications Based on Java and ABAP™ Against Common Attacks

<%@page language="abap" forceEncode="html"%> <% data: inputvalue type string. inputvalue = request->get_form_field( 'x' ). %> </html> . , ( ): <%html=...%>: HTML <%url=...%>: URL URL <%javascript=...%>: JavaScript <%css=…%> : CSS <%raw=...%> ( , , , ) BSP BSP HTMLB forceEncode <htmlb:content> ENABLED , ( ). ENABLED , , :<htmlb:content forceEncode="ENABLED|BACKWARDS_COMPATIBLE"> ENABLED: . , ; BACKWARDS_COMPATIBLE: . , . , htmlb:content , . : CLASSIC, DESIGN2002, DESIGN2003, DESIGN2008, , (+). CLASSIC DESIGN2002 (, ) . <htmlb:content forceEncode="ENABLED" design="DESIGN2003+DESIGN2008"> , design=CLASSIC. . Mixed BSP- HTML HTMLB forceEncode BSP page forceEncode HTMLB . , – HTMLB. , , HTML BSP, Internet Transaction Server (ITS) HTML Business Internet Transaction Server (ITS) HTML Business, : xss_url_escape() xss_html_escape() xss_wml_escape() xss_css_escape() xss_js_escape() HTML Business , HTML-: , (`) , : ~auto_html_escaping=1: , ~new_xss_functions=1: XSS. ~html_escaping_off=1/0, . , , SAP_BASIS: ITS ( <= 6.40), Internet Service SE80. ITS ( >= 6.40), GUI SICF : 7.20, ~new_xss_functions, XSS- . , , , . ~html_escaping_off=”X”, . , . SAP Security Note 1488500. Business HTML (BHTML) HTMLBusiness Template Library (, SAP_TemplateNonEditableField()) . , . SAP Security Note 916255. , . , . , XSS-: http/security_session_timeout = 900; - , . icf/set_HTTPonly_flag_on_cookies = 0; HttpOnly , - , , . HTTPOnly, Logon tickets XSS-. , RZ10, ( Profile) (, DEFAULT.PFL, SAP-). , , , Extended maintenance . , Copy. , , - , - -, : icm/HTTP/logging_0 icm/security_log , SAP NetWeaver J2EE SAP NetWeaver J2EE AS Java tc_sec_csi.jar. , HTML/XML, JavaScript, CSS URL. StringUtils (com.sap.security.core.server.csi.util.StringUtils): . Securing SAP from XSS vulnerabilities escapeScriptEndTag(String pStr) - , javascript ; escapeToHTML(String input) – (. 1) escapeToJS(String input) – JS declaration ( . 5) escapeToURL(String input) – , URL ( 3). , 'disableScriptSignatures'. escapeToURL(StringBuffer sb, String input, int maxLength) - , URL ( 3). , 'disableScriptSignatures'. escapeToURL(String input, int maxLength) - , URL (. 3). , 'disableScriptSignatures'. urlEncode(String s) – URLEncoder.encode , . 1 ( ) [CASE1] Username [CASE1] 2 ( , – URL) Click here 3 ( - URL) 4 ( SCRIPT', – ) 5 ( – declaration ) XSSEncoder. - XSSEncoder ( : com.sap.security.core.server.csi.XSSEncoder). : HTML / XML out = XSSEncoder.encodeHTML( in ) and XSSEncoder.encodeXML( val ); JavaScript out = XSSEncoder.encodeJavaScript( val ); URL out = XSSEncoder.encodeURL( val ); CSS out = XSSEncoder.encodeCSS( val ); , . SAP Security Note 1590008. WebDynpro Java WebDynpro Java, XSS. . SAP UI Development Kit for HTML5 SAP UI Development Kit HTML5, jQuery /_core/src/main/js/jquery.sap.encoder.js. : HTML / XML jQuery.sap.encodeHTML(sValue) and jQuery.sap.encodeXML(sValue) JavaScript jQuery.sap.encodeJS(sValue) URL jQuery.sap.encodeURL(sValue) CSS jQuery.sap.encodeCSS(sValue) : , : Global_app_config/session_config/sessionTimeout = 900. - , . SystemCookiesDataProtection = true. HttpOnly , - , , . HTTPOnly, Logon tickets XSS-. ume.logon.httponlycookie= True. Logon tickets , Single Sign-On J2EE Engine. “True” , HTTP document.cookie ( XSS-) . SessionIPProtectionEnabled = True. , IP . True, HTTP- IP. IP, . , , - XSS-, - -, . LogCLF = TRUE http.properties logging CEF. ArchiveOldLogFiles = ON. Log Configurator . . , . , . . HttpTrace= Enable. HTTP- , ConfigTool. HTTP Provider Service, , HttpTrace. SAP HANA XS , XSS- – SAP HANA. SAP HANA SAPUI5. - SAPUI5 , . , int int, sap.ui.core . – , HTML: , : sessiontimeout = 900. - , . HttpOnly . , , - XSS-, - -, . HTTP (S) , SAP HANA, -. - HTTP (S) , icm/http/logging _ 0: global _ auditing _ state = true. global.ini, . , , XSS-. SAP HANA Administration Console –> Security HDB –> Auditing Status menu. - , XSS. , , - SAP . XSS- – SAP. SAP XSS-. XSS SAP. , ( chipik ) . Logging additional information ABAP protection SAP Encoding Functions for AS ABAP Java protection SAP Encoding Functions for AS Java and JavaScript Prevention of Cross-site Scripting SAP HANA protection Protecting SAP® Applications Based on Java and ABAP™ Against Common Attacks
<%@page language="abap" forceEncode="html"%> <% data: inputvalue type string. inputvalue = request->get_form_field( 'x' ). %> </html> . , ( ): <%html=...%>: HTML <%url=...%>: URL URL <%javascript=...%>: JavaScript <%css=…%> : CSS <%raw=...%> ( , , , ) BSP BSP HTMLB forceEncode <htmlb:content> ENABLED , ( ). ENABLED , , :<htmlb:content forceEncode="ENABLED|BACKWARDS_COMPATIBLE"> ENABLED: . , ; BACKWARDS_COMPATIBLE: . , . , htmlb:content , . : CLASSIC, DESIGN2002, DESIGN2003, DESIGN2008, , (+). CLASSIC DESIGN2002 (, ) . <htmlb:content forceEncode="ENABLED" design="DESIGN2003+DESIGN2008"> , design=CLASSIC. . Mixed BSP- HTML HTMLB forceEncode BSP page forceEncode HTMLB . , – HTMLB. , , HTML BSP, Internet Transaction Server (ITS) HTML Business Internet Transaction Server (ITS) HTML Business, : xss_url_escape() xss_html_escape() xss_wml_escape() xss_css_escape() xss_js_escape() HTML Business , HTML-: , (`) , : ~auto_html_escaping=1: , ~new_xss_functions=1: XSS. ~html_escaping_off=1/0, . , , SAP_BASIS: ITS ( <= 6.40), Internet Service SE80. ITS ( >= 6.40), GUI SICF : 7.20, ~new_xss_functions, XSS- . , , , . ~html_escaping_off=”X”, . , . SAP Security Note 1488500. Business HTML (BHTML) HTMLBusiness Template Library (, SAP_TemplateNonEditableField()) . , . SAP Security Note 916255. , . , . , XSS-: http/security_session_timeout = 900; - , . icf/set_HTTPonly_flag_on_cookies = 0; HttpOnly , - , , . HTTPOnly, Logon tickets XSS-. , RZ10, ( Profile) (, DEFAULT.PFL, SAP-). , , , Extended maintenance . , Copy. , , - , - -, : icm/HTTP/logging_0 icm/security_log , SAP NetWeaver J2EE SAP NetWeaver J2EE AS Java tc_sec_csi.jar. , HTML/XML, JavaScript, CSS URL. StringUtils (com.sap.security.core.server.csi.util.StringUtils): . Securing SAP from XSS vulnerabilities escapeScriptEndTag(String pStr) - , javascript ; escapeToHTML(String input) – (. 1) escapeToJS(String input) – JS declaration ( . 5) escapeToURL(String input) – , URL ( 3). , 'disableScriptSignatures'. escapeToURL(StringBuffer sb, String input, int maxLength) - , URL ( 3). , 'disableScriptSignatures'. escapeToURL(String input, int maxLength) - , URL (. 3). , 'disableScriptSignatures'. urlEncode(String s) – URLEncoder.encode , . 1 ( ) [CASE1] Username [CASE1] 2 ( , – URL) Click here 3 ( - URL) 4 ( SCRIPT', – ) 5 ( – declaration ) XSSEncoder. - XSSEncoder ( : com.sap.security.core.server.csi.XSSEncoder). : HTML / XML out = XSSEncoder.encodeHTML( in ) and XSSEncoder.encodeXML( val ); JavaScript out = XSSEncoder.encodeJavaScript( val ); URL out = XSSEncoder.encodeURL( val ); CSS out = XSSEncoder.encodeCSS( val ); , . SAP Security Note 1590008. WebDynpro Java WebDynpro Java, XSS. . SAP UI Development Kit for HTML5 SAP UI Development Kit HTML5, jQuery /_core/src/main/js/jquery.sap.encoder.js. : HTML / XML jQuery.sap.encodeHTML(sValue) and jQuery.sap.encodeXML(sValue) JavaScript jQuery.sap.encodeJS(sValue) URL jQuery.sap.encodeURL(sValue) CSS jQuery.sap.encodeCSS(sValue) : , : Global_app_config/session_config/sessionTimeout = 900. - , . SystemCookiesDataProtection = true. HttpOnly , - , , . HTTPOnly, Logon tickets XSS-. ume.logon.httponlycookie= True. Logon tickets , Single Sign-On J2EE Engine. “True” , HTTP document.cookie ( XSS-) . SessionIPProtectionEnabled = True. , IP . True, HTTP- IP. IP, . , , - XSS-, - -, . LogCLF = TRUE http.properties logging CEF. ArchiveOldLogFiles = ON. Log Configurator . . , . , . . HttpTrace= Enable. HTTP- , ConfigTool. HTTP Provider Service, , HttpTrace. SAP HANA XS , XSS- – SAP HANA. SAP HANA SAPUI5. - SAPUI5 , . , int int, sap.ui.core . – , HTML: , : sessiontimeout = 900. - , . HttpOnly . , , - XSS-, - -, . HTTP (S) , SAP HANA, -. - HTTP (S) , icm/http/logging _ 0: global _ auditing _ state = true. global.ini, . , , XSS-. SAP HANA Administration Console –> Security HDB –> Auditing Status menu. - , XSS. , , - SAP . XSS- – SAP. SAP XSS-. XSS SAP. , ( chipik ) . Logging additional information ABAP protection SAP Encoding Functions for AS ABAP Java protection SAP Encoding Functions for AS Java and JavaScript Prevention of Cross-site Scripting SAP HANA protection Protecting SAP® Applications Based on Java and ABAP™ Against Common Attacks
<%@page language="abap" forceEncode="html"%> <% data: inputvalue type string. inputvalue = request->get_form_field( 'x' ). %> </html> . , ( ): <%html=...%>: HTML <%url=...%>: URL URL <%javascript=...%>: JavaScript <%css=…%> : CSS <%raw=...%> ( , , , ) BSP BSP HTMLB forceEncode <htmlb:content> ENABLED , ( ). ENABLED , , :<htmlb:content forceEncode="ENABLED|BACKWARDS_COMPATIBLE"> ENABLED: . , ; BACKWARDS_COMPATIBLE: . , . , htmlb:content , . : CLASSIC, DESIGN2002, DESIGN2003, DESIGN2008, , (+). CLASSIC DESIGN2002 (, ) . <htmlb:content forceEncode="ENABLED" design="DESIGN2003+DESIGN2008"> , design=CLASSIC. . Mixed BSP- HTML HTMLB forceEncode BSP page forceEncode HTMLB . , – HTMLB. , , HTML BSP, Internet Transaction Server (ITS) HTML Business Internet Transaction Server (ITS) HTML Business, : xss_url_escape() xss_html_escape() xss_wml_escape() xss_css_escape() xss_js_escape() HTML Business , HTML-: , (`) , : ~auto_html_escaping=1: , ~new_xss_functions=1: XSS. ~html_escaping_off=1/0, . , , SAP_BASIS: ITS ( <= 6.40), Internet Service SE80. ITS ( >= 6.40), GUI SICF : 7.20, ~new_xss_functions, XSS- . , , , . ~html_escaping_off=”X”, . , . SAP Security Note 1488500. Business HTML (BHTML) HTMLBusiness Template Library (, SAP_TemplateNonEditableField()) . , . SAP Security Note 916255. , . , . , XSS-: http/security_session_timeout = 900; - , . icf/set_HTTPonly_flag_on_cookies = 0; HttpOnly , - , , . HTTPOnly, Logon tickets XSS-. , RZ10, ( Profile) (, DEFAULT.PFL, SAP-). , , , Extended maintenance . , Copy. , , - , - -, : icm/HTTP/logging_0 icm/security_log , SAP NetWeaver J2EE SAP NetWeaver J2EE AS Java tc_sec_csi.jar. , HTML/XML, JavaScript, CSS URL. StringUtils (com.sap.security.core.server.csi.util.StringUtils): . Securing SAP from XSS vulnerabilities escapeScriptEndTag(String pStr) - , javascript ; escapeToHTML(String input) – (. 1) escapeToJS(String input) – JS declaration ( . 5) escapeToURL(String input) – , URL ( 3). , 'disableScriptSignatures'. escapeToURL(StringBuffer sb, String input, int maxLength) - , URL ( 3). , 'disableScriptSignatures'. escapeToURL(String input, int maxLength) - , URL (. 3). , 'disableScriptSignatures'. urlEncode(String s) – URLEncoder.encode , . 1 ( ) [CASE1] Username [CASE1] 2 ( , – URL) Click here 3 ( - URL) 4 ( SCRIPT', – ) 5 ( – declaration ) XSSEncoder. - XSSEncoder ( : com.sap.security.core.server.csi.XSSEncoder). : HTML / XML out = XSSEncoder.encodeHTML( in ) and XSSEncoder.encodeXML( val ); JavaScript out = XSSEncoder.encodeJavaScript( val ); URL out = XSSEncoder.encodeURL( val ); CSS out = XSSEncoder.encodeCSS( val ); , . SAP Security Note 1590008. WebDynpro Java WebDynpro Java, XSS. . SAP UI Development Kit for HTML5 SAP UI Development Kit HTML5, jQuery /_core/src/main/js/jquery.sap.encoder.js. : HTML / XML jQuery.sap.encodeHTML(sValue) and jQuery.sap.encodeXML(sValue) JavaScript jQuery.sap.encodeJS(sValue) URL jQuery.sap.encodeURL(sValue) CSS jQuery.sap.encodeCSS(sValue) : , : Global_app_config/session_config/sessionTimeout = 900. - , . SystemCookiesDataProtection = true. HttpOnly , - , , . HTTPOnly, Logon tickets XSS-. ume.logon.httponlycookie= True. Logon tickets , Single Sign-On J2EE Engine. “True” , HTTP document.cookie ( XSS-) . SessionIPProtectionEnabled = True. , IP . True, HTTP- IP. IP, . , , - XSS-, - -, . LogCLF = TRUE http.properties logging CEF. ArchiveOldLogFiles = ON. Log Configurator . . , . , . . HttpTrace= Enable. HTTP- , ConfigTool. HTTP Provider Service, , HttpTrace. SAP HANA XS , XSS- – SAP HANA. SAP HANA SAPUI5. - SAPUI5 , . , int int, sap.ui.core . – , HTML: , : sessiontimeout = 900. - , . HttpOnly . , , - XSS-, - -, . HTTP (S) , SAP HANA, -. - HTTP (S) , icm/http/logging _ 0: global _ auditing _ state = true. global.ini, . , , XSS-. SAP HANA Administration Console –> Security HDB –> Auditing Status menu. - , XSS. , , - SAP . XSS- – SAP. SAP XSS-. XSS SAP. , ( chipik ) . Logging additional information ABAP protection SAP Encoding Functions for AS ABAP Java protection SAP Encoding Functions for AS Java and JavaScript Prevention of Cross-site Scripting SAP HANA protection Protecting SAP® Applications Based on Java and ABAP™ Against Common Attacks
<%@page language="abap" forceEncode="html"%> <% data: inputvalue type string. inputvalue = request->get_form_field( 'x' ). %> </html> . , ( ): <%html=...%>: HTML <%url=...%>: URL URL <%javascript=...%>: JavaScript <%css=…%> : CSS <%raw=...%> ( , , , ) BSP BSP HTMLB forceEncode <htmlb:content> ENABLED , ( ). ENABLED , , :<htmlb:content forceEncode="ENABLED|BACKWARDS_COMPATIBLE"> ENABLED: . , ; BACKWARDS_COMPATIBLE: . , . , htmlb:content , . : CLASSIC, DESIGN2002, DESIGN2003, DESIGN2008, , (+). CLASSIC DESIGN2002 (, ) . <htmlb:content forceEncode="ENABLED" design="DESIGN2003+DESIGN2008"> , design=CLASSIC. . Mixed BSP- HTML HTMLB forceEncode BSP page forceEncode HTMLB . , – HTMLB. , , HTML BSP, Internet Transaction Server (ITS) HTML Business Internet Transaction Server (ITS) HTML Business, : xss_url_escape() xss_html_escape() xss_wml_escape() xss_css_escape() xss_js_escape() HTML Business , HTML-: , (`) , : ~auto_html_escaping=1: , ~new_xss_functions=1: XSS. ~html_escaping_off=1/0, . , , SAP_BASIS: ITS ( <= 6.40), Internet Service SE80. ITS ( >= 6.40), GUI SICF : 7.20, ~new_xss_functions, XSS- . , , , . ~html_escaping_off=”X”, . , . SAP Security Note 1488500. Business HTML (BHTML) HTMLBusiness Template Library (, SAP_TemplateNonEditableField()) . , . SAP Security Note 916255. , . , . , XSS-: http/security_session_timeout = 900; - , . icf/set_HTTPonly_flag_on_cookies = 0; HttpOnly , - , , . HTTPOnly, Logon tickets XSS-. , RZ10, ( Profile) (, DEFAULT.PFL, SAP-). , , , Extended maintenance . , Copy. , , - , - -, : icm/HTTP/logging_0 icm/security_log , SAP NetWeaver J2EE SAP NetWeaver J2EE AS Java tc_sec_csi.jar. , HTML/XML, JavaScript, CSS URL. StringUtils (com.sap.security.core.server.csi.util.StringUtils): . Securing SAP from XSS vulnerabilities escapeScriptEndTag(String pStr) - , javascript ; escapeToHTML(String input) – (. 1) escapeToJS(String input) – JS declaration ( . 5) escapeToURL(String input) – , URL ( 3). , 'disableScriptSignatures'. escapeToURL(StringBuffer sb, String input, int maxLength) - , URL ( 3). , 'disableScriptSignatures'. escapeToURL(String input, int maxLength) - , URL (. 3). , 'disableScriptSignatures'. urlEncode(String s) – URLEncoder.encode , . 1 ( ) [CASE1] Username [CASE1] 2 ( , – URL) Click here 3 ( - URL) 4 ( SCRIPT', – ) 5 ( – declaration ) XSSEncoder. - XSSEncoder ( : com.sap.security.core.server.csi.XSSEncoder). : HTML / XML out = XSSEncoder.encodeHTML( in ) and XSSEncoder.encodeXML( val ); JavaScript out = XSSEncoder.encodeJavaScript( val ); URL out = XSSEncoder.encodeURL( val ); CSS out = XSSEncoder.encodeCSS( val ); , . SAP Security Note 1590008. WebDynpro Java WebDynpro Java, XSS. . SAP UI Development Kit for HTML5 SAP UI Development Kit HTML5, jQuery /_core/src/main/js/jquery.sap.encoder.js. : HTML / XML jQuery.sap.encodeHTML(sValue) and jQuery.sap.encodeXML(sValue) JavaScript jQuery.sap.encodeJS(sValue) URL jQuery.sap.encodeURL(sValue) CSS jQuery.sap.encodeCSS(sValue) : , : Global_app_config/session_config/sessionTimeout = 900. - , . SystemCookiesDataProtection = true. HttpOnly , - , , . HTTPOnly, Logon tickets XSS-. ume.logon.httponlycookie= True. Logon tickets , Single Sign-On J2EE Engine. “True” , HTTP document.cookie ( XSS-) . SessionIPProtectionEnabled = True. , IP . True, HTTP- IP. IP, . , , - XSS-, - -, . LogCLF = TRUE http.properties logging CEF. ArchiveOldLogFiles = ON. Log Configurator . . , . , . . HttpTrace= Enable. HTTP- , ConfigTool. HTTP Provider Service, , HttpTrace. SAP HANA XS , XSS- – SAP HANA. SAP HANA SAPUI5. - SAPUI5 , . , int int, sap.ui.core . – , HTML: , : sessiontimeout = 900. - , . HttpOnly . , , - XSS-, - -, . HTTP (S) , SAP HANA, -. - HTTP (S) , icm/http/logging _ 0: global _ auditing _ state = true. global.ini, . , , XSS-. SAP HANA Administration Console –> Security HDB –> Auditing Status menu. - , XSS. , , - SAP . XSS- – SAP. SAP XSS-. XSS SAP. , ( chipik ) . Logging additional information ABAP protection SAP Encoding Functions for AS ABAP Java protection SAP Encoding Functions for AS Java and JavaScript Prevention of Cross-site Scripting SAP HANA protection Protecting SAP® Applications Based on Java and ABAP™ Against Common Attacks

<%@page language="abap" forceEncode="html"%>
<% data: inputvalue type string.
inputvalue = request->get_form_field( 'x' ).
%>
</html>


. , ( ):

<%html=...%>: HTML <%url=...%>: URL URL <%javascript=...%>: JavaScript <%css=…%> : CSS <%raw=...%> ( , , , )

BSP

BSP HTMLB forceEncode <htmlb:content> ENABLED , ( ). ENABLED , , :<htmlb:content forceEncode="ENABLED|BACKWARDS_COMPATIBLE">

ENABLED: . , ; BACKWARDS_COMPATIBLE: . , .

, htmlb:content , . : CLASSIC, DESIGN2002, DESIGN2003, DESIGN2008, , (+). CLASSIC DESIGN2002 (, ) .

<htmlb:content forceEncode="ENABLED" design="DESIGN2003+DESIGN2008">


, design=CLASSIC. .

Mixed BSP- HTML HTMLB

forceEncode BSP page forceEncode HTMLB . , – HTMLB. , , HTML BSP,

Internet Transaction Server (ITS) HTML Business

Internet Transaction Server (ITS) HTML Business, :

xss_url_escape() xss_html_escape() xss_wml_escape() xss_css_escape() xss_js_escape()
HTML Business

, HTML-: , (`) , :
~auto_html_escaping=1: , ~new_xss_functions=1: XSS.
~html_escaping_off=1/0, .
, , SAP_BASIS:
ITS ( <= 6.40), Internet Service SE80. ITS ( >= 6.40), GUI SICF :

7.20, ~new_xss_functions, XSS- .

, , , . ~html_escaping_off=”X”, . , . SAP Security Note 1488500.

Business HTML (BHTML)

HTMLBusiness Template Library (, SAP_TemplateNonEditableField()) . , . SAP Security Note 916255.



, . , .



, XSS-:

http/security_session_timeout = 900; - , . icf/set_HTTPonly_flag_on_cookies = 0; HttpOnly , - , , . HTTPOnly, Logon tickets XSS-.

, RZ10, ( Profile) (, DEFAULT.PFL, SAP-). , , , Extended maintenance . , Copy.



, , - , - -, :
icm/HTTP/logging_0 icm/security_log ,

SAP NetWeaver J2EE

SAP NetWeaver J2EE



AS Java tc_sec_csi.jar. , HTML/XML, JavaScript, CSS URL. StringUtils (com.sap.security.core.server.csi.util.StringUtils):

. Securing SAP from XSS vulnerabilities
escapeScriptEndTag(String pStr) - , javascript ; escapeToHTML(String input) – (. 1) escapeToJS(String input) – JS declaration ( . 5) escapeToURL(String input) – , URL ( 3). , 'disableScriptSignatures'. escapeToURL(StringBuffer sb, String input, int maxLength) - , URL ( 3). , 'disableScriptSignatures'. escapeToURL(String input, int maxLength) - , URL (. 3). , 'disableScriptSignatures'. urlEncode(String s) – URLEncoder.encode

, .

1 ( )

[CASE1]

Username [CASE1]



2 ( , – URL)


Click here


3 ( - URL)




4 ( SCRIPT', – )



5 ( – declaration )



XSSEncoder.
- XSSEncoder ( : com.sap.security.core.server.csi.XSSEncoder).

:
HTML / XML out = XSSEncoder.encodeHTML( in ) and XSSEncoder.encodeXML( val ); JavaScript out = XSSEncoder.encodeJavaScript( val ); URL out = XSSEncoder.encodeURL( val ); CSS out = XSSEncoder.encodeCSS( val );

, . SAP Security Note 1590008.
WebDynpro Java
WebDynpro Java, XSS. .
SAP UI Development Kit for HTML5
SAP UI Development Kit HTML5, jQuery /_core/src/main/js/jquery.sap.encoder.js.
:
HTML / XML jQuery.sap.encodeHTML(sValue) and jQuery.sap.encodeXML(sValue) JavaScript jQuery.sap.encodeJS(sValue) URL jQuery.sap.encodeURL(sValue) CSS jQuery.sap.encodeCSS(sValue)
:

, :
Global_app_config/session_config/sessionTimeout = 900. - , . SystemCookiesDataProtection = true. HttpOnly , - , , . HTTPOnly, Logon tickets XSS-. ume.logon.httponlycookie= True. Logon tickets , Single Sign-On J2EE Engine. “True” , HTTP document.cookie ( XSS-) . SessionIPProtectionEnabled = True. , IP . True, HTTP- IP. IP, .


, , - XSS-, - -, .
LogCLF = TRUE http.properties logging CEF. ArchiveOldLogFiles = ON. Log Configurator . . , . , . . HttpTrace= Enable. HTTP- , ConfigTool. HTTP Provider Service, , HttpTrace.
SAP HANA XS

, XSS- – SAP HANA.


SAP HANA SAPUI5.
- SAPUI5 , . , int int, sap.ui.core . – , HTML:

, :
sessiontimeout = 900. - , . HttpOnly .



, , - XSS-, - -, .

HTTP (S) , SAP HANA, -. - HTTP (S) , icm/http/logging _ 0: global _ auditing _ state = true. global.ini, . , , XSS-. SAP HANA Administration Console –> Security HDB –> Auditing Status menu.



- , XSS. , , - SAP . XSS- – SAP. SAP XSS-. XSS SAP.

, ( chipik ) .


Logging additional information ABAP protection SAP Encoding Functions for AS ABAP Java protection SAP Encoding Functions for AS Java and JavaScript Prevention of Cross-site Scripting SAP HANA protection Protecting SAP® Applications Based on Java and ABAP™ Against Common Attacks

<%@page language="abap" forceEncode="html"%> <% data: inputvalue type string. inputvalue = request->get_form_field( 'x' ). %> </html> . , ( ): <%html=...%>: HTML <%url=...%>: URL URL <%javascript=...%>: JavaScript <%css=…%> : CSS <%raw=...%> ( , , , ) BSP BSP HTMLB forceEncode <htmlb:content> ENABLED , ( ). ENABLED , , :<htmlb:content forceEncode="ENABLED|BACKWARDS_COMPATIBLE"> ENABLED: . , ; BACKWARDS_COMPATIBLE: . , . , htmlb:content , . : CLASSIC, DESIGN2002, DESIGN2003, DESIGN2008, , (+). CLASSIC DESIGN2002 (, ) . <htmlb:content forceEncode="ENABLED" design="DESIGN2003+DESIGN2008"> , design=CLASSIC. . Mixed BSP- HTML HTMLB forceEncode BSP page forceEncode HTMLB . , – HTMLB. , , HTML BSP, Internet Transaction Server (ITS) HTML Business Internet Transaction Server (ITS) HTML Business, : xss_url_escape() xss_html_escape() xss_wml_escape() xss_css_escape() xss_js_escape() HTML Business , HTML-: , (`) , : ~auto_html_escaping=1: , ~new_xss_functions=1: XSS. ~html_escaping_off=1/0, . , , SAP_BASIS: ITS ( <= 6.40), Internet Service SE80. ITS ( >= 6.40), GUI SICF : 7.20, ~new_xss_functions, XSS- . , , , . ~html_escaping_off=”X”, . , . SAP Security Note 1488500. Business HTML (BHTML) HTMLBusiness Template Library (, SAP_TemplateNonEditableField()) . , . SAP Security Note 916255. , . , . , XSS-: http/security_session_timeout = 900; - , . icf/set_HTTPonly_flag_on_cookies = 0; HttpOnly , - , , . HTTPOnly, Logon tickets XSS-. , RZ10, ( Profile) (, DEFAULT.PFL, SAP-). , , , Extended maintenance . , Copy. , , - , - -, : icm/HTTP/logging_0 icm/security_log , SAP NetWeaver J2EE SAP NetWeaver J2EE AS Java tc_sec_csi.jar. , HTML/XML, JavaScript, CSS URL. StringUtils (com.sap.security.core.server.csi.util.StringUtils): . Securing SAP from XSS vulnerabilities escapeScriptEndTag(String pStr) - , javascript ; escapeToHTML(String input) – (. 1) escapeToJS(String input) – JS declaration ( . 5) escapeToURL(String input) – , URL ( 3). , 'disableScriptSignatures'. escapeToURL(StringBuffer sb, String input, int maxLength) - , URL ( 3). , 'disableScriptSignatures'. escapeToURL(String input, int maxLength) - , URL (. 3). , 'disableScriptSignatures'. urlEncode(String s) – URLEncoder.encode , . 1 ( ) [CASE1] Username [CASE1] 2 ( , – URL) Click here 3 ( - URL) 4 ( SCRIPT', – ) 5 ( – declaration ) XSSEncoder. - XSSEncoder ( : com.sap.security.core.server.csi.XSSEncoder). : HTML / XML out = XSSEncoder.encodeHTML( in ) and XSSEncoder.encodeXML( val ); JavaScript out = XSSEncoder.encodeJavaScript( val ); URL out = XSSEncoder.encodeURL( val ); CSS out = XSSEncoder.encodeCSS( val ); , . SAP Security Note 1590008. WebDynpro Java WebDynpro Java, XSS. . SAP UI Development Kit for HTML5 SAP UI Development Kit HTML5, jQuery /_core/src/main/js/jquery.sap.encoder.js. : HTML / XML jQuery.sap.encodeHTML(sValue) and jQuery.sap.encodeXML(sValue) JavaScript jQuery.sap.encodeJS(sValue) URL jQuery.sap.encodeURL(sValue) CSS jQuery.sap.encodeCSS(sValue) : , : Global_app_config/session_config/sessionTimeout = 900. - , . SystemCookiesDataProtection = true. HttpOnly , - , , . HTTPOnly, Logon tickets XSS-. ume.logon.httponlycookie= True. Logon tickets , Single Sign-On J2EE Engine. “True” , HTTP document.cookie ( XSS-) . SessionIPProtectionEnabled = True. , IP . True, HTTP- IP. IP, . , , - XSS-, - -, . LogCLF = TRUE http.properties logging CEF. ArchiveOldLogFiles = ON. Log Configurator . . , . , . . HttpTrace= Enable. HTTP- , ConfigTool. HTTP Provider Service, , HttpTrace. SAP HANA XS , XSS- – SAP HANA. SAP HANA SAPUI5. - SAPUI5 , . , int int, sap.ui.core . – , HTML: , : sessiontimeout = 900. - , . HttpOnly . , , - XSS-, - -, . HTTP (S) , SAP HANA, -. - HTTP (S) , icm/http/logging _ 0: global _ auditing _ state = true. global.ini, . , , XSS-. SAP HANA Administration Console –> Security HDB –> Auditing Status menu. - , XSS. , , - SAP . XSS- – SAP. SAP XSS-. XSS SAP. , ( chipik ) . Logging additional information ABAP protection SAP Encoding Functions for AS ABAP Java protection SAP Encoding Functions for AS Java and JavaScript Prevention of Cross-site Scripting SAP HANA protection Protecting SAP® Applications Based on Java and ABAP™ Against Common Attacks

<%@page language="abap" forceEncode="html"%>
<% data: inputvalue type string.
inputvalue = request->get_form_field( 'x' ).
%>
</html>


. , ( ):

<%html=...%>: HTML <%url=...%>: URL URL <%javascript=...%>: JavaScript <%css=…%> : CSS <%raw=...%> ( , , , )

BSP

BSP HTMLB forceEncode <htmlb:content> ENABLED , ( ). ENABLED , , :<htmlb:content forceEncode="ENABLED|BACKWARDS_COMPATIBLE">

ENABLED: . , ; BACKWARDS_COMPATIBLE: . , .

, htmlb:content , . : CLASSIC, DESIGN2002, DESIGN2003, DESIGN2008, , (+). CLASSIC DESIGN2002 (, ) .

<htmlb:content forceEncode="ENABLED" design="DESIGN2003+DESIGN2008">


, design=CLASSIC. .

Mixed BSP- HTML HTMLB

forceEncode BSP page forceEncode HTMLB . , – HTMLB. , , HTML BSP,

Internet Transaction Server (ITS) HTML Business

Internet Transaction Server (ITS) HTML Business, :

xss_url_escape() xss_html_escape() xss_wml_escape() xss_css_escape() xss_js_escape()
HTML Business

, HTML-: , (`) , :
~auto_html_escaping=1: , ~new_xss_functions=1: XSS.
~html_escaping_off=1/0, .
, , SAP_BASIS:
ITS ( <= 6.40), Internet Service SE80. ITS ( >= 6.40), GUI SICF :

7.20, ~new_xss_functions, XSS- .

, , , . ~html_escaping_off=”X”, . , . SAP Security Note 1488500.

Business HTML (BHTML)

HTMLBusiness Template Library (, SAP_TemplateNonEditableField()) . , . SAP Security Note 916255.



, . , .



, XSS-:

http/security_session_timeout = 900; - , . icf/set_HTTPonly_flag_on_cookies = 0; HttpOnly , - , , . HTTPOnly, Logon tickets XSS-.

, RZ10, ( Profile) (, DEFAULT.PFL, SAP-). , , , Extended maintenance . , Copy.



, , - , - -, :
icm/HTTP/logging_0 icm/security_log ,

SAP NetWeaver J2EE

SAP NetWeaver J2EE



AS Java tc_sec_csi.jar. , HTML/XML, JavaScript, CSS URL. StringUtils (com.sap.security.core.server.csi.util.StringUtils):

. Securing SAP from XSS vulnerabilities
escapeScriptEndTag(String pStr) - , javascript ; escapeToHTML(String input) – (. 1) escapeToJS(String input) – JS declaration ( . 5) escapeToURL(String input) – , URL ( 3). , 'disableScriptSignatures'. escapeToURL(StringBuffer sb, String input, int maxLength) - , URL ( 3). , 'disableScriptSignatures'. escapeToURL(String input, int maxLength) - , URL (. 3). , 'disableScriptSignatures'. urlEncode(String s) – URLEncoder.encode

, .

1 ( )

[CASE1]

Username [CASE1]



2 ( , – URL)


Click here


3 ( - URL)




4 ( SCRIPT', – )



5 ( – declaration )



XSSEncoder.
- XSSEncoder ( : com.sap.security.core.server.csi.XSSEncoder).

:
HTML / XML out = XSSEncoder.encodeHTML( in ) and XSSEncoder.encodeXML( val ); JavaScript out = XSSEncoder.encodeJavaScript( val ); URL out = XSSEncoder.encodeURL( val ); CSS out = XSSEncoder.encodeCSS( val );

, . SAP Security Note 1590008.
WebDynpro Java
WebDynpro Java, XSS. .
SAP UI Development Kit for HTML5
SAP UI Development Kit HTML5, jQuery /_core/src/main/js/jquery.sap.encoder.js.
:
HTML / XML jQuery.sap.encodeHTML(sValue) and jQuery.sap.encodeXML(sValue) JavaScript jQuery.sap.encodeJS(sValue) URL jQuery.sap.encodeURL(sValue) CSS jQuery.sap.encodeCSS(sValue)
:

, :
Global_app_config/session_config/sessionTimeout = 900. - , . SystemCookiesDataProtection = true. HttpOnly , - , , . HTTPOnly, Logon tickets XSS-. ume.logon.httponlycookie= True. Logon tickets , Single Sign-On J2EE Engine. “True” , HTTP document.cookie ( XSS-) . SessionIPProtectionEnabled = True. , IP . True, HTTP- IP. IP, .


, , - XSS-, - -, .
LogCLF = TRUE http.properties logging CEF. ArchiveOldLogFiles = ON. Log Configurator . . , . , . . HttpTrace= Enable. HTTP- , ConfigTool. HTTP Provider Service, , HttpTrace.
SAP HANA XS

, XSS- – SAP HANA.


SAP HANA SAPUI5.
- SAPUI5 , . , int int, sap.ui.core . – , HTML:

, :
sessiontimeout = 900. - , . HttpOnly .



, , - XSS-, - -, .

HTTP (S) , SAP HANA, -. - HTTP (S) , icm/http/logging _ 0: global _ auditing _ state = true. global.ini, . , , XSS-. SAP HANA Administration Console –> Security HDB –> Auditing Status menu.



- , XSS. , , - SAP . XSS- – SAP. SAP XSS-. XSS SAP.

, ( chipik ) .


Logging additional information ABAP protection SAP Encoding Functions for AS ABAP Java protection SAP Encoding Functions for AS Java and JavaScript Prevention of Cross-site Scripting SAP HANA protection Protecting SAP® Applications Based on Java and ABAP™ Against Common Attacks

<%@page language="abap" forceEncode="html"%> <% data: inputvalue type string. inputvalue = request->get_form_field( 'x' ). %> </html> . , ( ): <%html=...%>: HTML <%url=...%>: URL URL <%javascript=...%>: JavaScript <%css=…%> : CSS <%raw=...%> ( , , , ) BSP BSP HTMLB forceEncode <htmlb:content> ENABLED , ( ). ENABLED , , :<htmlb:content forceEncode="ENABLED|BACKWARDS_COMPATIBLE"> ENABLED: . , ; BACKWARDS_COMPATIBLE: . , . , htmlb:content , . : CLASSIC, DESIGN2002, DESIGN2003, DESIGN2008, , (+). CLASSIC DESIGN2002 (, ) . <htmlb:content forceEncode="ENABLED" design="DESIGN2003+DESIGN2008"> , design=CLASSIC. . Mixed BSP- HTML HTMLB forceEncode BSP page forceEncode HTMLB . , – HTMLB. , , HTML BSP, Internet Transaction Server (ITS) HTML Business Internet Transaction Server (ITS) HTML Business, : xss_url_escape() xss_html_escape() xss_wml_escape() xss_css_escape() xss_js_escape() HTML Business , HTML-: , (`) , : ~auto_html_escaping=1: , ~new_xss_functions=1: XSS. ~html_escaping_off=1/0, . , , SAP_BASIS: ITS ( <= 6.40), Internet Service SE80. ITS ( >= 6.40), GUI SICF : 7.20, ~new_xss_functions, XSS- . , , , . ~html_escaping_off=”X”, . , . SAP Security Note 1488500. Business HTML (BHTML) HTMLBusiness Template Library (, SAP_TemplateNonEditableField()) . , . SAP Security Note 916255. , . , . , XSS-: http/security_session_timeout = 900; - , . icf/set_HTTPonly_flag_on_cookies = 0; HttpOnly , - , , . HTTPOnly, Logon tickets XSS-. , RZ10, ( Profile) (, DEFAULT.PFL, SAP-). , , , Extended maintenance . , Copy. , , - , - -, : icm/HTTP/logging_0 icm/security_log , SAP NetWeaver J2EE SAP NetWeaver J2EE AS Java tc_sec_csi.jar. , HTML/XML, JavaScript, CSS URL. StringUtils (com.sap.security.core.server.csi.util.StringUtils): . Securing SAP from XSS vulnerabilities escapeScriptEndTag(String pStr) - , javascript ; escapeToHTML(String input) – (. 1) escapeToJS(String input) – JS declaration ( . 5) escapeToURL(String input) – , URL ( 3). , 'disableScriptSignatures'. escapeToURL(StringBuffer sb, String input, int maxLength) - , URL ( 3). , 'disableScriptSignatures'. escapeToURL(String input, int maxLength) - , URL (. 3). , 'disableScriptSignatures'. urlEncode(String s) – URLEncoder.encode , . 1 ( ) [CASE1] Username [CASE1] 2 ( , – URL) Click here 3 ( - URL) 4 ( SCRIPT', – ) 5 ( – declaration ) XSSEncoder. - XSSEncoder ( : com.sap.security.core.server.csi.XSSEncoder). : HTML / XML out = XSSEncoder.encodeHTML( in ) and XSSEncoder.encodeXML( val ); JavaScript out = XSSEncoder.encodeJavaScript( val ); URL out = XSSEncoder.encodeURL( val ); CSS out = XSSEncoder.encodeCSS( val ); , . SAP Security Note 1590008. WebDynpro Java WebDynpro Java, XSS. . SAP UI Development Kit for HTML5 SAP UI Development Kit HTML5, jQuery /_core/src/main/js/jquery.sap.encoder.js. : HTML / XML jQuery.sap.encodeHTML(sValue) and jQuery.sap.encodeXML(sValue) JavaScript jQuery.sap.encodeJS(sValue) URL jQuery.sap.encodeURL(sValue) CSS jQuery.sap.encodeCSS(sValue) : , : Global_app_config/session_config/sessionTimeout = 900. - , . SystemCookiesDataProtection = true. HttpOnly , - , , . HTTPOnly, Logon tickets XSS-. ume.logon.httponlycookie= True. Logon tickets , Single Sign-On J2EE Engine. “True” , HTTP document.cookie ( XSS-) . SessionIPProtectionEnabled = True. , IP . True, HTTP- IP. IP, . , , - XSS-, - -, . LogCLF = TRUE http.properties logging CEF. ArchiveOldLogFiles = ON. Log Configurator . . , . , . . HttpTrace= Enable. HTTP- , ConfigTool. HTTP Provider Service, , HttpTrace. SAP HANA XS , XSS- – SAP HANA. SAP HANA SAPUI5. - SAPUI5 , . , int int, sap.ui.core . – , HTML: , : sessiontimeout = 900. - , . HttpOnly . , , - XSS-, - -, . HTTP (S) , SAP HANA, -. - HTTP (S) , icm/http/logging _ 0: global _ auditing _ state = true. global.ini, . , , XSS-. SAP HANA Administration Console –> Security HDB –> Auditing Status menu. - , XSS. , , - SAP . XSS- – SAP. SAP XSS-. XSS SAP. , ( chipik ) . Logging additional information ABAP protection SAP Encoding Functions for AS ABAP Java protection SAP Encoding Functions for AS Java and JavaScript Prevention of Cross-site Scripting SAP HANA protection Protecting SAP® Applications Based on Java and ABAP™ Against Common Attacks
<%@page language="abap" forceEncode="html"%> <% data: inputvalue type string. inputvalue = request->get_form_field( 'x' ). %> </html> . , ( ): <%html=...%>: HTML <%url=...%>: URL URL <%javascript=...%>: JavaScript <%css=…%> : CSS <%raw=...%> ( , , , ) BSP BSP HTMLB forceEncode <htmlb:content> ENABLED , ( ). ENABLED , , :<htmlb:content forceEncode="ENABLED|BACKWARDS_COMPATIBLE"> ENABLED: . , ; BACKWARDS_COMPATIBLE: . , . , htmlb:content , . : CLASSIC, DESIGN2002, DESIGN2003, DESIGN2008, , (+). CLASSIC DESIGN2002 (, ) . <htmlb:content forceEncode="ENABLED" design="DESIGN2003+DESIGN2008"> , design=CLASSIC. . Mixed BSP- HTML HTMLB forceEncode BSP page forceEncode HTMLB . , – HTMLB. , , HTML BSP, Internet Transaction Server (ITS) HTML Business Internet Transaction Server (ITS) HTML Business, : xss_url_escape() xss_html_escape() xss_wml_escape() xss_css_escape() xss_js_escape() HTML Business , HTML-: , (`) , : ~auto_html_escaping=1: , ~new_xss_functions=1: XSS. ~html_escaping_off=1/0, . , , SAP_BASIS: ITS ( <= 6.40), Internet Service SE80. ITS ( >= 6.40), GUI SICF : 7.20, ~new_xss_functions, XSS- . , , , . ~html_escaping_off=”X”, . , . SAP Security Note 1488500. Business HTML (BHTML) HTMLBusiness Template Library (, SAP_TemplateNonEditableField()) . , . SAP Security Note 916255. , . , . , XSS-: http/security_session_timeout = 900; - , . icf/set_HTTPonly_flag_on_cookies = 0; HttpOnly , - , , . HTTPOnly, Logon tickets XSS-. , RZ10, ( Profile) (, DEFAULT.PFL, SAP-). , , , Extended maintenance . , Copy. , , - , - -, : icm/HTTP/logging_0 icm/security_log , SAP NetWeaver J2EE SAP NetWeaver J2EE AS Java tc_sec_csi.jar. , HTML/XML, JavaScript, CSS URL. StringUtils (com.sap.security.core.server.csi.util.StringUtils): . Securing SAP from XSS vulnerabilities escapeScriptEndTag(String pStr) - , javascript ; escapeToHTML(String input) – (. 1) escapeToJS(String input) – JS declaration ( . 5) escapeToURL(String input) – , URL ( 3). , 'disableScriptSignatures'. escapeToURL(StringBuffer sb, String input, int maxLength) - , URL ( 3). , 'disableScriptSignatures'. escapeToURL(String input, int maxLength) - , URL (. 3). , 'disableScriptSignatures'. urlEncode(String s) – URLEncoder.encode , . 1 ( ) [CASE1] Username [CASE1] 2 ( , – URL) Click here 3 ( - URL) 4 ( SCRIPT', – ) 5 ( – declaration ) XSSEncoder. - XSSEncoder ( : com.sap.security.core.server.csi.XSSEncoder). : HTML / XML out = XSSEncoder.encodeHTML( in ) and XSSEncoder.encodeXML( val ); JavaScript out = XSSEncoder.encodeJavaScript( val ); URL out = XSSEncoder.encodeURL( val ); CSS out = XSSEncoder.encodeCSS( val ); , . SAP Security Note 1590008. WebDynpro Java WebDynpro Java, XSS. . SAP UI Development Kit for HTML5 SAP UI Development Kit HTML5, jQuery /_core/src/main/js/jquery.sap.encoder.js. : HTML / XML jQuery.sap.encodeHTML(sValue) and jQuery.sap.encodeXML(sValue) JavaScript jQuery.sap.encodeJS(sValue) URL jQuery.sap.encodeURL(sValue) CSS jQuery.sap.encodeCSS(sValue) : , : Global_app_config/session_config/sessionTimeout = 900. - , . SystemCookiesDataProtection = true. HttpOnly , - , , . HTTPOnly, Logon tickets XSS-. ume.logon.httponlycookie= True. Logon tickets , Single Sign-On J2EE Engine. “True” , HTTP document.cookie ( XSS-) . SessionIPProtectionEnabled = True. , IP . True, HTTP- IP. IP, . , , - XSS-, - -, . LogCLF = TRUE http.properties logging CEF. ArchiveOldLogFiles = ON. Log Configurator . . , . , . . HttpTrace= Enable. HTTP- , ConfigTool. HTTP Provider Service, , HttpTrace. SAP HANA XS , XSS- – SAP HANA. SAP HANA SAPUI5. - SAPUI5 , . , int int, sap.ui.core . – , HTML: , : sessiontimeout = 900. - , . HttpOnly . , , - XSS-, - -, . HTTP (S) , SAP HANA, -. - HTTP (S) , icm/http/logging _ 0: global _ auditing _ state = true. global.ini, . , , XSS-. SAP HANA Administration Console –> Security HDB –> Auditing Status menu. - , XSS. , , - SAP . XSS- – SAP. SAP XSS-. XSS SAP. , ( chipik ) . Logging additional information ABAP protection SAP Encoding Functions for AS ABAP Java protection SAP Encoding Functions for AS Java and JavaScript Prevention of Cross-site Scripting SAP HANA protection Protecting SAP® Applications Based on Java and ABAP™ Against Common Attacks
<%@page language="abap" forceEncode="html"%> <% data: inputvalue type string. inputvalue = request->get_form_field( 'x' ). %> </html> . , ( ): <%html=...%>: HTML <%url=...%>: URL URL <%javascript=...%>: JavaScript <%css=…%> : CSS <%raw=...%> ( , , , ) BSP BSP HTMLB forceEncode <htmlb:content> ENABLED , ( ). ENABLED , , :<htmlb:content forceEncode="ENABLED|BACKWARDS_COMPATIBLE"> ENABLED: . , ; BACKWARDS_COMPATIBLE: . , . , htmlb:content , . : CLASSIC, DESIGN2002, DESIGN2003, DESIGN2008, , (+). CLASSIC DESIGN2002 (, ) . <htmlb:content forceEncode="ENABLED" design="DESIGN2003+DESIGN2008"> , design=CLASSIC. . Mixed BSP- HTML HTMLB forceEncode BSP page forceEncode HTMLB . , – HTMLB. , , HTML BSP, Internet Transaction Server (ITS) HTML Business Internet Transaction Server (ITS) HTML Business, : xss_url_escape() xss_html_escape() xss_wml_escape() xss_css_escape() xss_js_escape() HTML Business , HTML-: , (`) , : ~auto_html_escaping=1: , ~new_xss_functions=1: XSS. ~html_escaping_off=1/0, . , , SAP_BASIS: ITS ( <= 6.40), Internet Service SE80. ITS ( >= 6.40), GUI SICF : 7.20, ~new_xss_functions, XSS- . , , , . ~html_escaping_off=”X”, . , . SAP Security Note 1488500. Business HTML (BHTML) HTMLBusiness Template Library (, SAP_TemplateNonEditableField()) . , . SAP Security Note 916255. , . , . , XSS-: http/security_session_timeout = 900; - , . icf/set_HTTPonly_flag_on_cookies = 0; HttpOnly , - , , . HTTPOnly, Logon tickets XSS-. , RZ10, ( Profile) (, DEFAULT.PFL, SAP-). , , , Extended maintenance . , Copy. , , - , - -, : icm/HTTP/logging_0 icm/security_log , SAP NetWeaver J2EE SAP NetWeaver J2EE AS Java tc_sec_csi.jar. , HTML/XML, JavaScript, CSS URL. StringUtils (com.sap.security.core.server.csi.util.StringUtils): . Securing SAP from XSS vulnerabilities escapeScriptEndTag(String pStr) - , javascript ; escapeToHTML(String input) – (. 1) escapeToJS(String input) – JS declaration ( . 5) escapeToURL(String input) – , URL ( 3). , 'disableScriptSignatures'. escapeToURL(StringBuffer sb, String input, int maxLength) - , URL ( 3). , 'disableScriptSignatures'. escapeToURL(String input, int maxLength) - , URL (. 3). , 'disableScriptSignatures'. urlEncode(String s) – URLEncoder.encode , . 1 ( ) [CASE1] Username [CASE1] 2 ( , – URL) Click here 3 ( - URL) 4 ( SCRIPT', – ) 5 ( – declaration ) XSSEncoder. - XSSEncoder ( : com.sap.security.core.server.csi.XSSEncoder). : HTML / XML out = XSSEncoder.encodeHTML( in ) and XSSEncoder.encodeXML( val ); JavaScript out = XSSEncoder.encodeJavaScript( val ); URL out = XSSEncoder.encodeURL( val ); CSS out = XSSEncoder.encodeCSS( val ); , . SAP Security Note 1590008. WebDynpro Java WebDynpro Java, XSS. . SAP UI Development Kit for HTML5 SAP UI Development Kit HTML5, jQuery /_core/src/main/js/jquery.sap.encoder.js. : HTML / XML jQuery.sap.encodeHTML(sValue) and jQuery.sap.encodeXML(sValue) JavaScript jQuery.sap.encodeJS(sValue) URL jQuery.sap.encodeURL(sValue) CSS jQuery.sap.encodeCSS(sValue) : , : Global_app_config/session_config/sessionTimeout = 900. - , . SystemCookiesDataProtection = true. HttpOnly , - , , . HTTPOnly, Logon tickets XSS-. ume.logon.httponlycookie= True. Logon tickets , Single Sign-On J2EE Engine. “True” , HTTP document.cookie ( XSS-) . SessionIPProtectionEnabled = True. , IP . True, HTTP- IP. IP, . , , - XSS-, - -, . LogCLF = TRUE http.properties logging CEF. ArchiveOldLogFiles = ON. Log Configurator . . , . , . . HttpTrace= Enable. HTTP- , ConfigTool. HTTP Provider Service, , HttpTrace. SAP HANA XS , XSS- – SAP HANA. SAP HANA SAPUI5. - SAPUI5 , . , int int, sap.ui.core . – , HTML: , : sessiontimeout = 900. - , . HttpOnly . , , - XSS-, - -, . HTTP (S) , SAP HANA, -. - HTTP (S) , icm/http/logging _ 0: global _ auditing _ state = true. global.ini, . , , XSS-. SAP HANA Administration Console –> Security HDB –> Auditing Status menu. - , XSS. , , - SAP . XSS- – SAP. SAP XSS-. XSS SAP. , ( chipik ) . Logging additional information ABAP protection SAP Encoding Functions for AS ABAP Java protection SAP Encoding Functions for AS Java and JavaScript Prevention of Cross-site Scripting SAP HANA protection Protecting SAP® Applications Based on Java and ABAP™ Against Common Attacks
<%@page language="abap" forceEncode="html"%> <% data: inputvalue type string. inputvalue = request->get_form_field( 'x' ). %> </html> . , ( ): <%html=...%>: HTML <%url=...%>: URL URL <%javascript=...%>: JavaScript <%css=…%> : CSS <%raw=...%> ( , , , ) BSP BSP HTMLB forceEncode <htmlb:content> ENABLED , ( ). ENABLED , , :<htmlb:content forceEncode="ENABLED|BACKWARDS_COMPATIBLE"> ENABLED: . , ; BACKWARDS_COMPATIBLE: . , . , htmlb:content , . : CLASSIC, DESIGN2002, DESIGN2003, DESIGN2008, , (+). CLASSIC DESIGN2002 (, ) . <htmlb:content forceEncode="ENABLED" design="DESIGN2003+DESIGN2008"> , design=CLASSIC. . Mixed BSP- HTML HTMLB forceEncode BSP page forceEncode HTMLB . , – HTMLB. , , HTML BSP, Internet Transaction Server (ITS) HTML Business Internet Transaction Server (ITS) HTML Business, : xss_url_escape() xss_html_escape() xss_wml_escape() xss_css_escape() xss_js_escape() HTML Business , HTML-: , (`) , : ~auto_html_escaping=1: , ~new_xss_functions=1: XSS. ~html_escaping_off=1/0, . , , SAP_BASIS: ITS ( <= 6.40), Internet Service SE80. ITS ( >= 6.40), GUI SICF : 7.20, ~new_xss_functions, XSS- . , , , . ~html_escaping_off=”X”, . , . SAP Security Note 1488500. Business HTML (BHTML) HTMLBusiness Template Library (, SAP_TemplateNonEditableField()) . , . SAP Security Note 916255. , . , . , XSS-: http/security_session_timeout = 900; - , . icf/set_HTTPonly_flag_on_cookies = 0; HttpOnly , - , , . HTTPOnly, Logon tickets XSS-. , RZ10, ( Profile) (, DEFAULT.PFL, SAP-). , , , Extended maintenance . , Copy. , , - , - -, : icm/HTTP/logging_0 icm/security_log , SAP NetWeaver J2EE SAP NetWeaver J2EE AS Java tc_sec_csi.jar. , HTML/XML, JavaScript, CSS URL. StringUtils (com.sap.security.core.server.csi.util.StringUtils): . Securing SAP from XSS vulnerabilities escapeScriptEndTag(String pStr) - , javascript ; escapeToHTML(String input) – (. 1) escapeToJS(String input) – JS declaration ( . 5) escapeToURL(String input) – , URL ( 3). , 'disableScriptSignatures'. escapeToURL(StringBuffer sb, String input, int maxLength) - , URL ( 3). , 'disableScriptSignatures'. escapeToURL(String input, int maxLength) - , URL (. 3). , 'disableScriptSignatures'. urlEncode(String s) – URLEncoder.encode , . 1 ( ) [CASE1] Username [CASE1] 2 ( , – URL) Click here 3 ( - URL) 4 ( SCRIPT', – ) 5 ( – declaration ) XSSEncoder. - XSSEncoder ( : com.sap.security.core.server.csi.XSSEncoder). : HTML / XML out = XSSEncoder.encodeHTML( in ) and XSSEncoder.encodeXML( val ); JavaScript out = XSSEncoder.encodeJavaScript( val ); URL out = XSSEncoder.encodeURL( val ); CSS out = XSSEncoder.encodeCSS( val ); , . SAP Security Note 1590008. WebDynpro Java WebDynpro Java, XSS. . SAP UI Development Kit for HTML5 SAP UI Development Kit HTML5, jQuery /_core/src/main/js/jquery.sap.encoder.js. : HTML / XML jQuery.sap.encodeHTML(sValue) and jQuery.sap.encodeXML(sValue) JavaScript jQuery.sap.encodeJS(sValue) URL jQuery.sap.encodeURL(sValue) CSS jQuery.sap.encodeCSS(sValue) : , : Global_app_config/session_config/sessionTimeout = 900. - , . SystemCookiesDataProtection = true. HttpOnly , - , , . HTTPOnly, Logon tickets XSS-. ume.logon.httponlycookie= True. Logon tickets , Single Sign-On J2EE Engine. “True” , HTTP document.cookie ( XSS-) . SessionIPProtectionEnabled = True. , IP . True, HTTP- IP. IP, . , , - XSS-, - -, . LogCLF = TRUE http.properties logging CEF. ArchiveOldLogFiles = ON. Log Configurator . . , . , . . HttpTrace= Enable. HTTP- , ConfigTool. HTTP Provider Service, , HttpTrace. SAP HANA XS , XSS- – SAP HANA. SAP HANA SAPUI5. - SAPUI5 , . , int int, sap.ui.core . – , HTML: , : sessiontimeout = 900. - , . HttpOnly . , , - XSS-, - -, . HTTP (S) , SAP HANA, -. - HTTP (S) , icm/http/logging _ 0: global _ auditing _ state = true. global.ini, . , , XSS-. SAP HANA Administration Console –> Security HDB –> Auditing Status menu. - , XSS. , , - SAP . XSS- – SAP. SAP XSS-. XSS SAP. , ( chipik ) . Logging additional information ABAP protection SAP Encoding Functions for AS ABAP Java protection SAP Encoding Functions for AS Java and JavaScript Prevention of Cross-site Scripting SAP HANA protection Protecting SAP® Applications Based on Java and ABAP™ Against Common Attacks

<%@page language="abap" forceEncode="html"%>
<% data: inputvalue type string.
inputvalue = request->get_form_field( 'x' ).
%>
</html>


. , ( ):

<%html=...%>: HTML <%url=...%>: URL URL <%javascript=...%>: JavaScript <%css=…%> : CSS <%raw=...%> ( , , , )

BSP

BSP HTMLB forceEncode <htmlb:content> ENABLED , ( ). ENABLED , , :<htmlb:content forceEncode="ENABLED|BACKWARDS_COMPATIBLE">

ENABLED: . , ; BACKWARDS_COMPATIBLE: . , .

, htmlb:content , . : CLASSIC, DESIGN2002, DESIGN2003, DESIGN2008, , (+). CLASSIC DESIGN2002 (, ) .

<htmlb:content forceEncode="ENABLED" design="DESIGN2003+DESIGN2008">


, design=CLASSIC. .

Mixed BSP- HTML HTMLB

forceEncode BSP page forceEncode HTMLB . , – HTMLB. , , HTML BSP,

Internet Transaction Server (ITS) HTML Business

Internet Transaction Server (ITS) HTML Business, :

xss_url_escape() xss_html_escape() xss_wml_escape() xss_css_escape() xss_js_escape()
HTML Business

, HTML-: , (`) , :
~auto_html_escaping=1: , ~new_xss_functions=1: XSS.
~html_escaping_off=1/0, .
, , SAP_BASIS:
ITS ( <= 6.40), Internet Service SE80. ITS ( >= 6.40), GUI SICF :

7.20, ~new_xss_functions, XSS- .

, , , . ~html_escaping_off=”X”, . , . SAP Security Note 1488500.

Business HTML (BHTML)

HTMLBusiness Template Library (, SAP_TemplateNonEditableField()) . , . SAP Security Note 916255.



, . , .



, XSS-:

http/security_session_timeout = 900; - , . icf/set_HTTPonly_flag_on_cookies = 0; HttpOnly , - , , . HTTPOnly, Logon tickets XSS-.

, RZ10, ( Profile) (, DEFAULT.PFL, SAP-). , , , Extended maintenance . , Copy.



, , - , - -, :
icm/HTTP/logging_0 icm/security_log ,

SAP NetWeaver J2EE

SAP NetWeaver J2EE



AS Java tc_sec_csi.jar. , HTML/XML, JavaScript, CSS URL. StringUtils (com.sap.security.core.server.csi.util.StringUtils):

. Securing SAP from XSS vulnerabilities
escapeScriptEndTag(String pStr) - , javascript ; escapeToHTML(String input) – (. 1) escapeToJS(String input) – JS declaration ( . 5) escapeToURL(String input) – , URL ( 3). , 'disableScriptSignatures'. escapeToURL(StringBuffer sb, String input, int maxLength) - , URL ( 3). , 'disableScriptSignatures'. escapeToURL(String input, int maxLength) - , URL (. 3). , 'disableScriptSignatures'. urlEncode(String s) – URLEncoder.encode

, .

1 ( )

[CASE1]

Username [CASE1]



2 ( , – URL)


Click here


3 ( - URL)




4 ( SCRIPT', – )



5 ( – declaration )



XSSEncoder.
- XSSEncoder ( : com.sap.security.core.server.csi.XSSEncoder).

:
HTML / XML out = XSSEncoder.encodeHTML( in ) and XSSEncoder.encodeXML( val ); JavaScript out = XSSEncoder.encodeJavaScript( val ); URL out = XSSEncoder.encodeURL( val ); CSS out = XSSEncoder.encodeCSS( val );

, . SAP Security Note 1590008.
WebDynpro Java
WebDynpro Java, XSS. .
SAP UI Development Kit for HTML5
SAP UI Development Kit HTML5, jQuery /_core/src/main/js/jquery.sap.encoder.js.
:
HTML / XML jQuery.sap.encodeHTML(sValue) and jQuery.sap.encodeXML(sValue) JavaScript jQuery.sap.encodeJS(sValue) URL jQuery.sap.encodeURL(sValue) CSS jQuery.sap.encodeCSS(sValue)
:

, :
Global_app_config/session_config/sessionTimeout = 900. - , . SystemCookiesDataProtection = true. HttpOnly , - , , . HTTPOnly, Logon tickets XSS-. ume.logon.httponlycookie= True. Logon tickets , Single Sign-On J2EE Engine. “True” , HTTP document.cookie ( XSS-) . SessionIPProtectionEnabled = True. , IP . True, HTTP- IP. IP, .


, , - XSS-, - -, .
LogCLF = TRUE http.properties logging CEF. ArchiveOldLogFiles = ON. Log Configurator . . , . , . . HttpTrace= Enable. HTTP- , ConfigTool. HTTP Provider Service, , HttpTrace.
SAP HANA XS

, XSS- – SAP HANA.


SAP HANA SAPUI5.
- SAPUI5 , . , int int, sap.ui.core . – , HTML:

, :
sessiontimeout = 900. - , . HttpOnly .



, , - XSS-, - -, .

HTTP (S) , SAP HANA, -. - HTTP (S) , icm/http/logging _ 0: global _ auditing _ state = true. global.ini, . , , XSS-. SAP HANA Administration Console –> Security HDB –> Auditing Status menu.



- , XSS. , , - SAP . XSS- – SAP. SAP XSS-. XSS SAP.

, ( chipik ) .


Logging additional information ABAP protection SAP Encoding Functions for AS ABAP Java protection SAP Encoding Functions for AS Java and JavaScript Prevention of Cross-site Scripting SAP HANA protection Protecting SAP® Applications Based on Java and ABAP™ Against Common Attacks

<%@page language="abap" forceEncode="html"%> <% data: inputvalue type string. inputvalue = request->get_form_field( 'x' ). %> </html> . , ( ): <%html=...%>: HTML <%url=...%>: URL URL <%javascript=...%>: JavaScript <%css=…%> : CSS <%raw=...%> ( , , , ) BSP BSP HTMLB forceEncode <htmlb:content> ENABLED , ( ). ENABLED , , :<htmlb:content forceEncode="ENABLED|BACKWARDS_COMPATIBLE"> ENABLED: . , ; BACKWARDS_COMPATIBLE: . , . , htmlb:content , . : CLASSIC, DESIGN2002, DESIGN2003, DESIGN2008, , (+). CLASSIC DESIGN2002 (, ) . <htmlb:content forceEncode="ENABLED" design="DESIGN2003+DESIGN2008"> , design=CLASSIC. . Mixed BSP- HTML HTMLB forceEncode BSP page forceEncode HTMLB . , – HTMLB. , , HTML BSP, Internet Transaction Server (ITS) HTML Business Internet Transaction Server (ITS) HTML Business, : xss_url_escape() xss_html_escape() xss_wml_escape() xss_css_escape() xss_js_escape() HTML Business , HTML-: , (`) , : ~auto_html_escaping=1: , ~new_xss_functions=1: XSS. ~html_escaping_off=1/0, . , , SAP_BASIS: ITS ( <= 6.40), Internet Service SE80. ITS ( >= 6.40), GUI SICF : 7.20, ~new_xss_functions, XSS- . , , , . ~html_escaping_off=”X”, . , . SAP Security Note 1488500. Business HTML (BHTML) HTMLBusiness Template Library (, SAP_TemplateNonEditableField()) . , . SAP Security Note 916255. , . , . , XSS-: http/security_session_timeout = 900; - , . icf/set_HTTPonly_flag_on_cookies = 0; HttpOnly , - , , . HTTPOnly, Logon tickets XSS-. , RZ10, ( Profile) (, DEFAULT.PFL, SAP-). , , , Extended maintenance . , Copy. , , - , - -, : icm/HTTP/logging_0 icm/security_log , SAP NetWeaver J2EE SAP NetWeaver J2EE AS Java tc_sec_csi.jar. , HTML/XML, JavaScript, CSS URL. StringUtils (com.sap.security.core.server.csi.util.StringUtils): . Securing SAP from XSS vulnerabilities escapeScriptEndTag(String pStr) - , javascript ; escapeToHTML(String input) – (. 1) escapeToJS(String input) – JS declaration ( . 5) escapeToURL(String input) – , URL ( 3). , 'disableScriptSignatures'. escapeToURL(StringBuffer sb, String input, int maxLength) - , URL ( 3). , 'disableScriptSignatures'. escapeToURL(String input, int maxLength) - , URL (. 3). , 'disableScriptSignatures'. urlEncode(String s) – URLEncoder.encode , . 1 ( ) [CASE1] Username [CASE1] 2 ( , – URL) Click here 3 ( - URL) 4 ( SCRIPT', – ) 5 ( – declaration ) XSSEncoder. - XSSEncoder ( : com.sap.security.core.server.csi.XSSEncoder). : HTML / XML out = XSSEncoder.encodeHTML( in ) and XSSEncoder.encodeXML( val ); JavaScript out = XSSEncoder.encodeJavaScript( val ); URL out = XSSEncoder.encodeURL( val ); CSS out = XSSEncoder.encodeCSS( val ); , . SAP Security Note 1590008. WebDynpro Java WebDynpro Java, XSS. . SAP UI Development Kit for HTML5 SAP UI Development Kit HTML5, jQuery /_core/src/main/js/jquery.sap.encoder.js. : HTML / XML jQuery.sap.encodeHTML(sValue) and jQuery.sap.encodeXML(sValue) JavaScript jQuery.sap.encodeJS(sValue) URL jQuery.sap.encodeURL(sValue) CSS jQuery.sap.encodeCSS(sValue) : , : Global_app_config/session_config/sessionTimeout = 900. - , . SystemCookiesDataProtection = true. HttpOnly , - , , . HTTPOnly, Logon tickets XSS-. ume.logon.httponlycookie= True. Logon tickets , Single Sign-On J2EE Engine. “True” , HTTP document.cookie ( XSS-) . SessionIPProtectionEnabled = True. , IP . True, HTTP- IP. IP, . , , - XSS-, - -, . LogCLF = TRUE http.properties logging CEF. ArchiveOldLogFiles = ON. Log Configurator . . , . , . . HttpTrace= Enable. HTTP- , ConfigTool. HTTP Provider Service, , HttpTrace. SAP HANA XS , XSS- – SAP HANA. SAP HANA SAPUI5. - SAPUI5 , . , int int, sap.ui.core . – , HTML: , : sessiontimeout = 900. - , . HttpOnly . , , - XSS-, - -, . HTTP (S) , SAP HANA, -. - HTTP (S) , icm/http/logging _ 0: global _ auditing _ state = true. global.ini, . , , XSS-. SAP HANA Administration Console –> Security HDB –> Auditing Status menu. - , XSS. , , - SAP . XSS- – SAP. SAP XSS-. XSS SAP. , ( chipik ) . Logging additional information ABAP protection SAP Encoding Functions for AS ABAP Java protection SAP Encoding Functions for AS Java and JavaScript Prevention of Cross-site Scripting SAP HANA protection Protecting SAP® Applications Based on Java and ABAP™ Against Common Attacks

<%@page language="abap" forceEncode="html"%>
<% data: inputvalue type string.
inputvalue = request->get_form_field( 'x' ).
%>
</html>


. , ( ):

<%html=...%>: HTML <%url=...%>: URL URL <%javascript=...%>: JavaScript <%css=…%> : CSS <%raw=...%> ( , , , )

BSP

BSP HTMLB forceEncode <htmlb:content> ENABLED , ( ). ENABLED , , :<htmlb:content forceEncode="ENABLED|BACKWARDS_COMPATIBLE">

ENABLED: . , ; BACKWARDS_COMPATIBLE: . , .

, htmlb:content , . : CLASSIC, DESIGN2002, DESIGN2003, DESIGN2008, , (+). CLASSIC DESIGN2002 (, ) .

<htmlb:content forceEncode="ENABLED" design="DESIGN2003+DESIGN2008">


, design=CLASSIC. .

Mixed BSP- HTML HTMLB

forceEncode BSP page forceEncode HTMLB . , – HTMLB. , , HTML BSP,

Internet Transaction Server (ITS) HTML Business

Internet Transaction Server (ITS) HTML Business, :

xss_url_escape() xss_html_escape() xss_wml_escape() xss_css_escape() xss_js_escape()
HTML Business

, HTML-: , (`) , :
~auto_html_escaping=1: , ~new_xss_functions=1: XSS.
~html_escaping_off=1/0, .
, , SAP_BASIS:
ITS ( <= 6.40), Internet Service SE80. ITS ( >= 6.40), GUI SICF :

7.20, ~new_xss_functions, XSS- .

, , , . ~html_escaping_off=”X”, . , . SAP Security Note 1488500.

Business HTML (BHTML)

HTMLBusiness Template Library (, SAP_TemplateNonEditableField()) . , . SAP Security Note 916255.



, . , .



, XSS-:

http/security_session_timeout = 900; - , . icf/set_HTTPonly_flag_on_cookies = 0; HttpOnly , - , , . HTTPOnly, Logon tickets XSS-.

, RZ10, ( Profile) (, DEFAULT.PFL, SAP-). , , , Extended maintenance . , Copy.



, , - , - -, :
icm/HTTP/logging_0 icm/security_log ,

SAP NetWeaver J2EE

SAP NetWeaver J2EE



AS Java tc_sec_csi.jar. , HTML/XML, JavaScript, CSS URL. StringUtils (com.sap.security.core.server.csi.util.StringUtils):

. Securing SAP from XSS vulnerabilities
escapeScriptEndTag(String pStr) - , javascript ; escapeToHTML(String input) – (. 1) escapeToJS(String input) – JS declaration ( . 5) escapeToURL(String input) – , URL ( 3). , 'disableScriptSignatures'. escapeToURL(StringBuffer sb, String input, int maxLength) - , URL ( 3). , 'disableScriptSignatures'. escapeToURL(String input, int maxLength) - , URL (. 3). , 'disableScriptSignatures'. urlEncode(String s) – URLEncoder.encode

, .

1 ( )

[CASE1]

Username [CASE1]



2 ( , – URL)


Click here


3 ( - URL)




4 ( SCRIPT', – )



5 ( – declaration )



XSSEncoder.
- XSSEncoder ( : com.sap.security.core.server.csi.XSSEncoder).

:
HTML / XML out = XSSEncoder.encodeHTML( in ) and XSSEncoder.encodeXML( val ); JavaScript out = XSSEncoder.encodeJavaScript( val ); URL out = XSSEncoder.encodeURL( val ); CSS out = XSSEncoder.encodeCSS( val );

, . SAP Security Note 1590008.
WebDynpro Java
WebDynpro Java, XSS. .
SAP UI Development Kit for HTML5
SAP UI Development Kit HTML5, jQuery /_core/src/main/js/jquery.sap.encoder.js.
:
HTML / XML jQuery.sap.encodeHTML(sValue) and jQuery.sap.encodeXML(sValue) JavaScript jQuery.sap.encodeJS(sValue) URL jQuery.sap.encodeURL(sValue) CSS jQuery.sap.encodeCSS(sValue)
:

, :
Global_app_config/session_config/sessionTimeout = 900. - , . SystemCookiesDataProtection = true. HttpOnly , - , , . HTTPOnly, Logon tickets XSS-. ume.logon.httponlycookie= True. Logon tickets , Single Sign-On J2EE Engine. “True” , HTTP document.cookie ( XSS-) . SessionIPProtectionEnabled = True. , IP . True, HTTP- IP. IP, .


, , - XSS-, - -, .
LogCLF = TRUE http.properties logging CEF. ArchiveOldLogFiles = ON. Log Configurator . . , . , . . HttpTrace= Enable. HTTP- , ConfigTool. HTTP Provider Service, , HttpTrace.
SAP HANA XS

, XSS- – SAP HANA.


SAP HANA SAPUI5.
- SAPUI5 , . , int int, sap.ui.core . – , HTML:

, :
sessiontimeout = 900. - , . HttpOnly .



, , - XSS-, - -, .

HTTP (S) , SAP HANA, -. - HTTP (S) , icm/http/logging _ 0: global _ auditing _ state = true. global.ini, . , , XSS-. SAP HANA Administration Console –> Security HDB –> Auditing Status menu.



- , XSS. , , - SAP . XSS- – SAP. SAP XSS-. XSS SAP.

, ( chipik ) .


Logging additional information ABAP protection SAP Encoding Functions for AS ABAP Java protection SAP Encoding Functions for AS Java and JavaScript Prevention of Cross-site Scripting SAP HANA protection Protecting SAP® Applications Based on Java and ABAP™ Against Common Attacks

<%@page language="abap" forceEncode="html"%> <% data: inputvalue type string. inputvalue = request->get_form_field( 'x' ). %> </html> . , ( ): <%html=...%>: HTML <%url=...%>: URL URL <%javascript=...%>: JavaScript <%css=…%> : CSS <%raw=...%> ( , , , ) BSP BSP HTMLB forceEncode <htmlb:content> ENABLED , ( ). ENABLED , , :<htmlb:content forceEncode="ENABLED|BACKWARDS_COMPATIBLE"> ENABLED: . , ; BACKWARDS_COMPATIBLE: . , . , htmlb:content , . : CLASSIC, DESIGN2002, DESIGN2003, DESIGN2008, , (+). CLASSIC DESIGN2002 (, ) . <htmlb:content forceEncode="ENABLED" design="DESIGN2003+DESIGN2008"> , design=CLASSIC. . Mixed BSP- HTML HTMLB forceEncode BSP page forceEncode HTMLB . , – HTMLB. , , HTML BSP, Internet Transaction Server (ITS) HTML Business Internet Transaction Server (ITS) HTML Business, : xss_url_escape() xss_html_escape() xss_wml_escape() xss_css_escape() xss_js_escape() HTML Business , HTML-: , (`) , : ~auto_html_escaping=1: , ~new_xss_functions=1: XSS. ~html_escaping_off=1/0, . , , SAP_BASIS: ITS ( <= 6.40), Internet Service SE80. ITS ( >= 6.40), GUI SICF : 7.20, ~new_xss_functions, XSS- . , , , . ~html_escaping_off=”X”, . , . SAP Security Note 1488500. Business HTML (BHTML) HTMLBusiness Template Library (, SAP_TemplateNonEditableField()) . , . SAP Security Note 916255. , . , . , XSS-: http/security_session_timeout = 900; - , . icf/set_HTTPonly_flag_on_cookies = 0; HttpOnly , - , , . HTTPOnly, Logon tickets XSS-. , RZ10, ( Profile) (, DEFAULT.PFL, SAP-). , , , Extended maintenance . , Copy. , , - , - -, : icm/HTTP/logging_0 icm/security_log , SAP NetWeaver J2EE SAP NetWeaver J2EE AS Java tc_sec_csi.jar. , HTML/XML, JavaScript, CSS URL. StringUtils (com.sap.security.core.server.csi.util.StringUtils): . Securing SAP from XSS vulnerabilities escapeScriptEndTag(String pStr) - , javascript ; escapeToHTML(String input) – (. 1) escapeToJS(String input) – JS declaration ( . 5) escapeToURL(String input) – , URL ( 3). , 'disableScriptSignatures'. escapeToURL(StringBuffer sb, String input, int maxLength) - , URL ( 3). , 'disableScriptSignatures'. escapeToURL(String input, int maxLength) - , URL (. 3). , 'disableScriptSignatures'. urlEncode(String s) – URLEncoder.encode , . 1 ( ) [CASE1] Username [CASE1] 2 ( , – URL) Click here 3 ( - URL) 4 ( SCRIPT', – ) 5 ( – declaration ) XSSEncoder. - XSSEncoder ( : com.sap.security.core.server.csi.XSSEncoder). : HTML / XML out = XSSEncoder.encodeHTML( in ) and XSSEncoder.encodeXML( val ); JavaScript out = XSSEncoder.encodeJavaScript( val ); URL out = XSSEncoder.encodeURL( val ); CSS out = XSSEncoder.encodeCSS( val ); , . SAP Security Note 1590008. WebDynpro Java WebDynpro Java, XSS. . SAP UI Development Kit for HTML5 SAP UI Development Kit HTML5, jQuery /_core/src/main/js/jquery.sap.encoder.js. : HTML / XML jQuery.sap.encodeHTML(sValue) and jQuery.sap.encodeXML(sValue) JavaScript jQuery.sap.encodeJS(sValue) URL jQuery.sap.encodeURL(sValue) CSS jQuery.sap.encodeCSS(sValue) : , : Global_app_config/session_config/sessionTimeout = 900. - , . SystemCookiesDataProtection = true. HttpOnly , - , , . HTTPOnly, Logon tickets XSS-. ume.logon.httponlycookie= True. Logon tickets , Single Sign-On J2EE Engine. “True” , HTTP document.cookie ( XSS-) . SessionIPProtectionEnabled = True. , IP . True, HTTP- IP. IP, . , , - XSS-, - -, . LogCLF = TRUE http.properties logging CEF. ArchiveOldLogFiles = ON. Log Configurator . . , . , . . HttpTrace= Enable. HTTP- , ConfigTool. HTTP Provider Service, , HttpTrace. SAP HANA XS , XSS- – SAP HANA. SAP HANA SAPUI5. - SAPUI5 , . , int int, sap.ui.core . – , HTML: , : sessiontimeout = 900. - , . HttpOnly . , , - XSS-, - -, . HTTP (S) , SAP HANA, -. - HTTP (S) , icm/http/logging _ 0: global _ auditing _ state = true. global.ini, . , , XSS-. SAP HANA Administration Console –> Security HDB –> Auditing Status menu. - , XSS. , , - SAP . XSS- – SAP. SAP XSS-. XSS SAP. , ( chipik ) . Logging additional information ABAP protection SAP Encoding Functions for AS ABAP Java protection SAP Encoding Functions for AS Java and JavaScript Prevention of Cross-site Scripting SAP HANA protection Protecting SAP® Applications Based on Java and ABAP™ Against Common Attacks

<%@page language="abap" forceEncode="html"%>
<% data: inputvalue type string.
inputvalue = request->get_form_field( 'x' ).
%>
</html>


. , ( ):

<%html=...%>: HTML <%url=...%>: URL URL <%javascript=...%>: JavaScript <%css=…%> : CSS <%raw=...%> ( , , , )

BSP

BSP HTMLB forceEncode <htmlb:content> ENABLED , ( ). ENABLED , , :<htmlb:content forceEncode="ENABLED|BACKWARDS_COMPATIBLE">

ENABLED: . , ; BACKWARDS_COMPATIBLE: . , .

, htmlb:content , . : CLASSIC, DESIGN2002, DESIGN2003, DESIGN2008, , (+). CLASSIC DESIGN2002 (, ) .

<htmlb:content forceEncode="ENABLED" design="DESIGN2003+DESIGN2008">


, design=CLASSIC. .

Mixed BSP- HTML HTMLB

forceEncode BSP page forceEncode HTMLB . , – HTMLB. , , HTML BSP,

Internet Transaction Server (ITS) HTML Business

Internet Transaction Server (ITS) HTML Business, :

xss_url_escape() xss_html_escape() xss_wml_escape() xss_css_escape() xss_js_escape()
HTML Business

, HTML-: , (`) , :
~auto_html_escaping=1: , ~new_xss_functions=1: XSS.
~html_escaping_off=1/0, .
, , SAP_BASIS:
ITS ( <= 6.40), Internet Service SE80. ITS ( >= 6.40), GUI SICF :

7.20, ~new_xss_functions, XSS- .

, , , . ~html_escaping_off=”X”, . , . SAP Security Note 1488500.

Business HTML (BHTML)

HTMLBusiness Template Library (, SAP_TemplateNonEditableField()) . , . SAP Security Note 916255.



, . , .



, XSS-:

http/security_session_timeout = 900; - , . icf/set_HTTPonly_flag_on_cookies = 0; HttpOnly , - , , . HTTPOnly, Logon tickets XSS-.

, RZ10, ( Profile) (, DEFAULT.PFL, SAP-). , , , Extended maintenance . , Copy.



, , - , - -, :
icm/HTTP/logging_0 icm/security_log ,

SAP NetWeaver J2EE

SAP NetWeaver J2EE



AS Java tc_sec_csi.jar. , HTML/XML, JavaScript, CSS URL. StringUtils (com.sap.security.core.server.csi.util.StringUtils):

. Securing SAP from XSS vulnerabilities
escapeScriptEndTag(String pStr) - , javascript ; escapeToHTML(String input) – (. 1) escapeToJS(String input) – JS declaration ( . 5) escapeToURL(String input) – , URL ( 3). , 'disableScriptSignatures'. escapeToURL(StringBuffer sb, String input, int maxLength) - , URL ( 3). , 'disableScriptSignatures'. escapeToURL(String input, int maxLength) - , URL (. 3). , 'disableScriptSignatures'. urlEncode(String s) – URLEncoder.encode

, .

1 ( )

[CASE1]

Username [CASE1]



2 ( , – URL)


Click here


3 ( - URL)




4 ( SCRIPT', – )



5 ( – declaration )



XSSEncoder.
- XSSEncoder ( : com.sap.security.core.server.csi.XSSEncoder).

:
HTML / XML out = XSSEncoder.encodeHTML( in ) and XSSEncoder.encodeXML( val ); JavaScript out = XSSEncoder.encodeJavaScript( val ); URL out = XSSEncoder.encodeURL( val ); CSS out = XSSEncoder.encodeCSS( val );

, . SAP Security Note 1590008.
WebDynpro Java
WebDynpro Java, XSS. .
SAP UI Development Kit for HTML5
SAP UI Development Kit HTML5, jQuery /_core/src/main/js/jquery.sap.encoder.js.
:
HTML / XML jQuery.sap.encodeHTML(sValue) and jQuery.sap.encodeXML(sValue) JavaScript jQuery.sap.encodeJS(sValue) URL jQuery.sap.encodeURL(sValue) CSS jQuery.sap.encodeCSS(sValue)
:

, :
Global_app_config/session_config/sessionTimeout = 900. - , . SystemCookiesDataProtection = true. HttpOnly , - , , . HTTPOnly, Logon tickets XSS-. ume.logon.httponlycookie= True. Logon tickets , Single Sign-On J2EE Engine. “True” , HTTP document.cookie ( XSS-) . SessionIPProtectionEnabled = True. , IP . True, HTTP- IP. IP, .


, , - XSS-, - -, .
LogCLF = TRUE http.properties logging CEF. ArchiveOldLogFiles = ON. Log Configurator . . , . , . . HttpTrace= Enable. HTTP- , ConfigTool. HTTP Provider Service, , HttpTrace.
SAP HANA XS

, XSS- – SAP HANA.


SAP HANA SAPUI5.
- SAPUI5 , . , int int, sap.ui.core . – , HTML:

, :
sessiontimeout = 900. - , . HttpOnly .



, , - XSS-, - -, .

HTTP (S) , SAP HANA, -. - HTTP (S) , icm/http/logging _ 0: global _ auditing _ state = true. global.ini, . , , XSS-. SAP HANA Administration Console –> Security HDB –> Auditing Status menu.



- , XSS. , , - SAP . XSS- – SAP. SAP XSS-. XSS SAP.

, ( chipik ) .


Logging additional information ABAP protection SAP Encoding Functions for AS ABAP Java protection SAP Encoding Functions for AS Java and JavaScript Prevention of Cross-site Scripting SAP HANA protection Protecting SAP® Applications Based on Java and ABAP™ Against Common Attacks

<%@page language="abap" forceEncode="html"%> <% data: inputvalue type string. inputvalue = request->get_form_field( 'x' ). %> </html> . , ( ): <%html=...%>: HTML <%url=...%>: URL URL <%javascript=...%>: JavaScript <%css=…%> : CSS <%raw=...%> ( , , , ) BSP BSP HTMLB forceEncode <htmlb:content> ENABLED , ( ). ENABLED , , :<htmlb:content forceEncode="ENABLED|BACKWARDS_COMPATIBLE"> ENABLED: . , ; BACKWARDS_COMPATIBLE: . , . , htmlb:content , . : CLASSIC, DESIGN2002, DESIGN2003, DESIGN2008, , (+). CLASSIC DESIGN2002 (, ) . <htmlb:content forceEncode="ENABLED" design="DESIGN2003+DESIGN2008"> , design=CLASSIC. . Mixed BSP- HTML HTMLB forceEncode BSP page forceEncode HTMLB . , – HTMLB. , , HTML BSP, Internet Transaction Server (ITS) HTML Business Internet Transaction Server (ITS) HTML Business, : xss_url_escape() xss_html_escape() xss_wml_escape() xss_css_escape() xss_js_escape() HTML Business , HTML-: , (`) , : ~auto_html_escaping=1: , ~new_xss_functions=1: XSS. ~html_escaping_off=1/0, . , , SAP_BASIS: ITS ( <= 6.40), Internet Service SE80. ITS ( >= 6.40), GUI SICF : 7.20, ~new_xss_functions, XSS- . , , , . ~html_escaping_off=”X”, . , . SAP Security Note 1488500. Business HTML (BHTML) HTMLBusiness Template Library (, SAP_TemplateNonEditableField()) . , . SAP Security Note 916255. , . , . , XSS-: http/security_session_timeout = 900; - , . icf/set_HTTPonly_flag_on_cookies = 0; HttpOnly , - , , . HTTPOnly, Logon tickets XSS-. , RZ10, ( Profile) (, DEFAULT.PFL, SAP-). , , , Extended maintenance . , Copy. , , - , - -, : icm/HTTP/logging_0 icm/security_log , SAP NetWeaver J2EE SAP NetWeaver J2EE AS Java tc_sec_csi.jar. , HTML/XML, JavaScript, CSS URL. StringUtils (com.sap.security.core.server.csi.util.StringUtils): . Securing SAP from XSS vulnerabilities escapeScriptEndTag(String pStr) - , javascript ; escapeToHTML(String input) – (. 1) escapeToJS(String input) – JS declaration ( . 5) escapeToURL(String input) – , URL ( 3). , 'disableScriptSignatures'. escapeToURL(StringBuffer sb, String input, int maxLength) - , URL ( 3). , 'disableScriptSignatures'. escapeToURL(String input, int maxLength) - , URL (. 3). , 'disableScriptSignatures'. urlEncode(String s) – URLEncoder.encode , . 1 ( ) [CASE1] Username [CASE1] 2 ( , – URL) Click here 3 ( - URL) 4 ( SCRIPT', – ) 5 ( – declaration ) XSSEncoder. - XSSEncoder ( : com.sap.security.core.server.csi.XSSEncoder). : HTML / XML out = XSSEncoder.encodeHTML( in ) and XSSEncoder.encodeXML( val ); JavaScript out = XSSEncoder.encodeJavaScript( val ); URL out = XSSEncoder.encodeURL( val ); CSS out = XSSEncoder.encodeCSS( val ); , . SAP Security Note 1590008. WebDynpro Java WebDynpro Java, XSS. . SAP UI Development Kit for HTML5 SAP UI Development Kit HTML5, jQuery /_core/src/main/js/jquery.sap.encoder.js. : HTML / XML jQuery.sap.encodeHTML(sValue) and jQuery.sap.encodeXML(sValue) JavaScript jQuery.sap.encodeJS(sValue) URL jQuery.sap.encodeURL(sValue) CSS jQuery.sap.encodeCSS(sValue) : , : Global_app_config/session_config/sessionTimeout = 900. - , . SystemCookiesDataProtection = true. HttpOnly , - , , . HTTPOnly, Logon tickets XSS-. ume.logon.httponlycookie= True. Logon tickets , Single Sign-On J2EE Engine. “True” , HTTP document.cookie ( XSS-) . SessionIPProtectionEnabled = True. , IP . True, HTTP- IP. IP, . , , - XSS-, - -, . LogCLF = TRUE http.properties logging CEF. ArchiveOldLogFiles = ON. Log Configurator . . , . , . . HttpTrace= Enable. HTTP- , ConfigTool. HTTP Provider Service, , HttpTrace. SAP HANA XS , XSS- – SAP HANA. SAP HANA SAPUI5. - SAPUI5 , . , int int, sap.ui.core . – , HTML: , : sessiontimeout = 900. - , . HttpOnly . , , - XSS-, - -, . HTTP (S) , SAP HANA, -. - HTTP (S) , icm/http/logging _ 0: global _ auditing _ state = true. global.ini, . , , XSS-. SAP HANA Administration Console –> Security HDB –> Auditing Status menu. - , XSS. , , - SAP . XSS- – SAP. SAP XSS-. XSS SAP. , ( chipik ) . Logging additional information ABAP protection SAP Encoding Functions for AS ABAP Java protection SAP Encoding Functions for AS Java and JavaScript Prevention of Cross-site Scripting SAP HANA protection Protecting SAP® Applications Based on Java and ABAP™ Against Common Attacks
<%@page language="abap" forceEncode="html"%> <% data: inputvalue type string. inputvalue = request->get_form_field( 'x' ). %> </html> . , ( ): <%html=...%>: HTML <%url=...%>: URL URL <%javascript=...%>: JavaScript <%css=…%> : CSS <%raw=...%> ( , , , ) BSP BSP HTMLB forceEncode <htmlb:content> ENABLED , ( ). ENABLED , , :<htmlb:content forceEncode="ENABLED|BACKWARDS_COMPATIBLE"> ENABLED: . , ; BACKWARDS_COMPATIBLE: . , . , htmlb:content , . : CLASSIC, DESIGN2002, DESIGN2003, DESIGN2008, , (+). CLASSIC DESIGN2002 (, ) . <htmlb:content forceEncode="ENABLED" design="DESIGN2003+DESIGN2008"> , design=CLASSIC. . Mixed BSP- HTML HTMLB forceEncode BSP page forceEncode HTMLB . , – HTMLB. , , HTML BSP, Internet Transaction Server (ITS) HTML Business Internet Transaction Server (ITS) HTML Business, : xss_url_escape() xss_html_escape() xss_wml_escape() xss_css_escape() xss_js_escape() HTML Business , HTML-: , (`) , : ~auto_html_escaping=1: , ~new_xss_functions=1: XSS. ~html_escaping_off=1/0, . , , SAP_BASIS: ITS ( <= 6.40), Internet Service SE80. ITS ( >= 6.40), GUI SICF : 7.20, ~new_xss_functions, XSS- . , , , . ~html_escaping_off=”X”, . , . SAP Security Note 1488500. Business HTML (BHTML) HTMLBusiness Template Library (, SAP_TemplateNonEditableField()) . , . SAP Security Note 916255. , . , . , XSS-: http/security_session_timeout = 900; - , . icf/set_HTTPonly_flag_on_cookies = 0; HttpOnly , - , , . HTTPOnly, Logon tickets XSS-. , RZ10, ( Profile) (, DEFAULT.PFL, SAP-). , , , Extended maintenance . , Copy. , , - , - -, : icm/HTTP/logging_0 icm/security_log , SAP NetWeaver J2EE SAP NetWeaver J2EE AS Java tc_sec_csi.jar. , HTML/XML, JavaScript, CSS URL. StringUtils (com.sap.security.core.server.csi.util.StringUtils): . Securing SAP from XSS vulnerabilities escapeScriptEndTag(String pStr) - , javascript ; escapeToHTML(String input) – (. 1) escapeToJS(String input) – JS declaration ( . 5) escapeToURL(String input) – , URL ( 3). , 'disableScriptSignatures'. escapeToURL(StringBuffer sb, String input, int maxLength) - , URL ( 3). , 'disableScriptSignatures'. escapeToURL(String input, int maxLength) - , URL (. 3). , 'disableScriptSignatures'. urlEncode(String s) – URLEncoder.encode , . 1 ( ) [CASE1] Username [CASE1] 2 ( , – URL) Click here 3 ( - URL) 4 ( SCRIPT', – ) 5 ( – declaration ) XSSEncoder. - XSSEncoder ( : com.sap.security.core.server.csi.XSSEncoder). : HTML / XML out = XSSEncoder.encodeHTML( in ) and XSSEncoder.encodeXML( val ); JavaScript out = XSSEncoder.encodeJavaScript( val ); URL out = XSSEncoder.encodeURL( val ); CSS out = XSSEncoder.encodeCSS( val ); , . SAP Security Note 1590008. WebDynpro Java WebDynpro Java, XSS. . SAP UI Development Kit for HTML5 SAP UI Development Kit HTML5, jQuery /_core/src/main/js/jquery.sap.encoder.js. : HTML / XML jQuery.sap.encodeHTML(sValue) and jQuery.sap.encodeXML(sValue) JavaScript jQuery.sap.encodeJS(sValue) URL jQuery.sap.encodeURL(sValue) CSS jQuery.sap.encodeCSS(sValue) : , : Global_app_config/session_config/sessionTimeout = 900. - , . SystemCookiesDataProtection = true. HttpOnly , - , , . HTTPOnly, Logon tickets XSS-. ume.logon.httponlycookie= True. Logon tickets , Single Sign-On J2EE Engine. “True” , HTTP document.cookie ( XSS-) . SessionIPProtectionEnabled = True. , IP . True, HTTP- IP. IP, . , , - XSS-, - -, . LogCLF = TRUE http.properties logging CEF. ArchiveOldLogFiles = ON. Log Configurator . . , . , . . HttpTrace= Enable. HTTP- , ConfigTool. HTTP Provider Service, , HttpTrace. SAP HANA XS , XSS- – SAP HANA. SAP HANA SAPUI5. - SAPUI5 , . , int int, sap.ui.core . – , HTML: , : sessiontimeout = 900. - , . HttpOnly . , , - XSS-, - -, . HTTP (S) , SAP HANA, -. - HTTP (S) , icm/http/logging _ 0: global _ auditing _ state = true. global.ini, . , , XSS-. SAP HANA Administration Console –> Security HDB –> Auditing Status menu. - , XSS. , , - SAP . XSS- – SAP. SAP XSS-. XSS SAP. , ( chipik ) . Logging additional information ABAP protection SAP Encoding Functions for AS ABAP Java protection SAP Encoding Functions for AS Java and JavaScript Prevention of Cross-site Scripting SAP HANA protection Protecting SAP® Applications Based on Java and ABAP™ Against Common Attacks

<%@page language="abap" forceEncode="html"%>
<% data: inputvalue type string.
inputvalue = request->get_form_field( 'x' ).
%>
</html>


. , ( ):

<%html=...%>: HTML <%url=...%>: URL URL <%javascript=...%>: JavaScript <%css=…%> : CSS <%raw=...%> ( , , , )

BSP

BSP HTMLB forceEncode <htmlb:content> ENABLED , ( ). ENABLED , , :<htmlb:content forceEncode="ENABLED|BACKWARDS_COMPATIBLE">

ENABLED: . , ; BACKWARDS_COMPATIBLE: . , .

, htmlb:content , . : CLASSIC, DESIGN2002, DESIGN2003, DESIGN2008, , (+). CLASSIC DESIGN2002 (, ) .

<htmlb:content forceEncode="ENABLED" design="DESIGN2003+DESIGN2008">


, design=CLASSIC. .

Mixed BSP- HTML HTMLB

forceEncode BSP page forceEncode HTMLB . , – HTMLB. , , HTML BSP,

Internet Transaction Server (ITS) HTML Business

Internet Transaction Server (ITS) HTML Business, :

xss_url_escape() xss_html_escape() xss_wml_escape() xss_css_escape() xss_js_escape()
HTML Business

, HTML-: , (`) , :
~auto_html_escaping=1: , ~new_xss_functions=1: XSS.
~html_escaping_off=1/0, .
, , SAP_BASIS:
ITS ( <= 6.40), Internet Service SE80. ITS ( >= 6.40), GUI SICF :

7.20, ~new_xss_functions, XSS- .

, , , . ~html_escaping_off=”X”, . , . SAP Security Note 1488500.

Business HTML (BHTML)

HTMLBusiness Template Library (, SAP_TemplateNonEditableField()) . , . SAP Security Note 916255.



, . , .



, XSS-:

http/security_session_timeout = 900; - , . icf/set_HTTPonly_flag_on_cookies = 0; HttpOnly , - , , . HTTPOnly, Logon tickets XSS-.

, RZ10, ( Profile) (, DEFAULT.PFL, SAP-). , , , Extended maintenance . , Copy.



, , - , - -, :
icm/HTTP/logging_0 icm/security_log ,

SAP NetWeaver J2EE

SAP NetWeaver J2EE



AS Java tc_sec_csi.jar. , HTML/XML, JavaScript, CSS URL. StringUtils (com.sap.security.core.server.csi.util.StringUtils):

. Securing SAP from XSS vulnerabilities
escapeScriptEndTag(String pStr) - , javascript ; escapeToHTML(String input) – (. 1) escapeToJS(String input) – JS declaration ( . 5) escapeToURL(String input) – , URL ( 3). , 'disableScriptSignatures'. escapeToURL(StringBuffer sb, String input, int maxLength) - , URL ( 3). , 'disableScriptSignatures'. escapeToURL(String input, int maxLength) - , URL (. 3). , 'disableScriptSignatures'. urlEncode(String s) – URLEncoder.encode

, .

1 ( )

[CASE1]

Username [CASE1]



2 ( , – URL)


Click here


3 ( - URL)




4 ( SCRIPT', – )



5 ( – declaration )



XSSEncoder.
- XSSEncoder ( : com.sap.security.core.server.csi.XSSEncoder).

:
HTML / XML out = XSSEncoder.encodeHTML( in ) and XSSEncoder.encodeXML( val ); JavaScript out = XSSEncoder.encodeJavaScript( val ); URL out = XSSEncoder.encodeURL( val ); CSS out = XSSEncoder.encodeCSS( val );

, . SAP Security Note 1590008.
WebDynpro Java
WebDynpro Java, XSS. .
SAP UI Development Kit for HTML5
SAP UI Development Kit HTML5, jQuery /_core/src/main/js/jquery.sap.encoder.js.
:
HTML / XML jQuery.sap.encodeHTML(sValue) and jQuery.sap.encodeXML(sValue) JavaScript jQuery.sap.encodeJS(sValue) URL jQuery.sap.encodeURL(sValue) CSS jQuery.sap.encodeCSS(sValue)
:

, :
Global_app_config/session_config/sessionTimeout = 900. - , . SystemCookiesDataProtection = true. HttpOnly , - , , . HTTPOnly, Logon tickets XSS-. ume.logon.httponlycookie= True. Logon tickets , Single Sign-On J2EE Engine. “True” , HTTP document.cookie ( XSS-) . SessionIPProtectionEnabled = True. , IP . True, HTTP- IP. IP, .


, , - XSS-, - -, .
LogCLF = TRUE http.properties logging CEF. ArchiveOldLogFiles = ON. Log Configurator . . , . , . . HttpTrace= Enable. HTTP- , ConfigTool. HTTP Provider Service, , HttpTrace.
SAP HANA XS

, XSS- – SAP HANA.


SAP HANA SAPUI5.
- SAPUI5 , . , int int, sap.ui.core . – , HTML:

, :
sessiontimeout = 900. - , . HttpOnly .



, , - XSS-, - -, .

HTTP (S) , SAP HANA, -. - HTTP (S) , icm/http/logging _ 0: global _ auditing _ state = true. global.ini, . , , XSS-. SAP HANA Administration Console –> Security HDB –> Auditing Status menu.



- , XSS. , , - SAP . XSS- – SAP. SAP XSS-. XSS SAP.

, ( chipik ) .


Logging additional information ABAP protection SAP Encoding Functions for AS ABAP Java protection SAP Encoding Functions for AS Java and JavaScript Prevention of Cross-site Scripting SAP HANA protection Protecting SAP® Applications Based on Java and ABAP™ Against Common Attacks

<%@page language="abap" forceEncode="html"%> <% data: inputvalue type string. inputvalue = request->get_form_field( 'x' ). %> </html> . , ( ): <%html=...%>: HTML <%url=...%>: URL URL <%javascript=...%>: JavaScript <%css=…%> : CSS <%raw=...%> ( , , , ) BSP BSP HTMLB forceEncode <htmlb:content> ENABLED , ( ). ENABLED , , :<htmlb:content forceEncode="ENABLED|BACKWARDS_COMPATIBLE"> ENABLED: . , ; BACKWARDS_COMPATIBLE: . , . , htmlb:content , . : CLASSIC, DESIGN2002, DESIGN2003, DESIGN2008, , (+). CLASSIC DESIGN2002 (, ) . <htmlb:content forceEncode="ENABLED" design="DESIGN2003+DESIGN2008"> , design=CLASSIC. . Mixed BSP- HTML HTMLB forceEncode BSP page forceEncode HTMLB . , – HTMLB. , , HTML BSP, Internet Transaction Server (ITS) HTML Business Internet Transaction Server (ITS) HTML Business, : xss_url_escape() xss_html_escape() xss_wml_escape() xss_css_escape() xss_js_escape() HTML Business , HTML-: , (`) , : ~auto_html_escaping=1: , ~new_xss_functions=1: XSS. ~html_escaping_off=1/0, . , , SAP_BASIS: ITS ( <= 6.40), Internet Service SE80. ITS ( >= 6.40), GUI SICF : 7.20, ~new_xss_functions, XSS- . , , , . ~html_escaping_off=”X”, . , . SAP Security Note 1488500. Business HTML (BHTML) HTMLBusiness Template Library (, SAP_TemplateNonEditableField()) . , . SAP Security Note 916255. , . , . , XSS-: http/security_session_timeout = 900; - , . icf/set_HTTPonly_flag_on_cookies = 0; HttpOnly , - , , . HTTPOnly, Logon tickets XSS-. , RZ10, ( Profile) (, DEFAULT.PFL, SAP-). , , , Extended maintenance . , Copy. , , - , - -, : icm/HTTP/logging_0 icm/security_log , SAP NetWeaver J2EE SAP NetWeaver J2EE AS Java tc_sec_csi.jar. , HTML/XML, JavaScript, CSS URL. StringUtils (com.sap.security.core.server.csi.util.StringUtils): . Securing SAP from XSS vulnerabilities escapeScriptEndTag(String pStr) - , javascript ; escapeToHTML(String input) – (. 1) escapeToJS(String input) – JS declaration ( . 5) escapeToURL(String input) – , URL ( 3). , 'disableScriptSignatures'. escapeToURL(StringBuffer sb, String input, int maxLength) - , URL ( 3). , 'disableScriptSignatures'. escapeToURL(String input, int maxLength) - , URL (. 3). , 'disableScriptSignatures'. urlEncode(String s) – URLEncoder.encode , . 1 ( ) [CASE1] Username [CASE1] 2 ( , – URL) Click here 3 ( - URL) 4 ( SCRIPT', – ) 5 ( – declaration ) XSSEncoder. - XSSEncoder ( : com.sap.security.core.server.csi.XSSEncoder). : HTML / XML out = XSSEncoder.encodeHTML( in ) and XSSEncoder.encodeXML( val ); JavaScript out = XSSEncoder.encodeJavaScript( val ); URL out = XSSEncoder.encodeURL( val ); CSS out = XSSEncoder.encodeCSS( val ); , . SAP Security Note 1590008. WebDynpro Java WebDynpro Java, XSS. . SAP UI Development Kit for HTML5 SAP UI Development Kit HTML5, jQuery /_core/src/main/js/jquery.sap.encoder.js. : HTML / XML jQuery.sap.encodeHTML(sValue) and jQuery.sap.encodeXML(sValue) JavaScript jQuery.sap.encodeJS(sValue) URL jQuery.sap.encodeURL(sValue) CSS jQuery.sap.encodeCSS(sValue) : , : Global_app_config/session_config/sessionTimeout = 900. - , . SystemCookiesDataProtection = true. HttpOnly , - , , . HTTPOnly, Logon tickets XSS-. ume.logon.httponlycookie= True. Logon tickets , Single Sign-On J2EE Engine. “True” , HTTP document.cookie ( XSS-) . SessionIPProtectionEnabled = True. , IP . True, HTTP- IP. IP, . , , - XSS-, - -, . LogCLF = TRUE http.properties logging CEF. ArchiveOldLogFiles = ON. Log Configurator . . , . , . . HttpTrace= Enable. HTTP- , ConfigTool. HTTP Provider Service, , HttpTrace. SAP HANA XS , XSS- – SAP HANA. SAP HANA SAPUI5. - SAPUI5 , . , int int, sap.ui.core . – , HTML: , : sessiontimeout = 900. - , . HttpOnly . , , - XSS-, - -, . HTTP (S) , SAP HANA, -. - HTTP (S) , icm/http/logging _ 0: global _ auditing _ state = true. global.ini, . , , XSS-. SAP HANA Administration Console –> Security HDB –> Auditing Status menu. - , XSS. , , - SAP . XSS- – SAP. SAP XSS-. XSS SAP. , ( chipik ) . Logging additional information ABAP protection SAP Encoding Functions for AS ABAP Java protection SAP Encoding Functions for AS Java and JavaScript Prevention of Cross-site Scripting SAP HANA protection Protecting SAP® Applications Based on Java and ABAP™ Against Common Attacks

<%@page language="abap" forceEncode="html"%>
<% data: inputvalue type string.
inputvalue = request->get_form_field( 'x' ).
%>
</html>


. , ( ):

<%html=...%>: HTML <%url=...%>: URL URL <%javascript=...%>: JavaScript <%css=…%> : CSS <%raw=...%> ( , , , )

BSP

BSP HTMLB forceEncode <htmlb:content> ENABLED , ( ). ENABLED , , :<htmlb:content forceEncode="ENABLED|BACKWARDS_COMPATIBLE">

ENABLED: . , ; BACKWARDS_COMPATIBLE: . , .

, htmlb:content , . : CLASSIC, DESIGN2002, DESIGN2003, DESIGN2008, , (+). CLASSIC DESIGN2002 (, ) .

<htmlb:content forceEncode="ENABLED" design="DESIGN2003+DESIGN2008">


, design=CLASSIC. .

Mixed BSP- HTML HTMLB

forceEncode BSP page forceEncode HTMLB . , – HTMLB. , , HTML BSP,

Internet Transaction Server (ITS) HTML Business

Internet Transaction Server (ITS) HTML Business, :

xss_url_escape() xss_html_escape() xss_wml_escape() xss_css_escape() xss_js_escape()
HTML Business

, HTML-: , (`) , :
~auto_html_escaping=1: , ~new_xss_functions=1: XSS.
~html_escaping_off=1/0, .
, , SAP_BASIS:
ITS ( <= 6.40), Internet Service SE80. ITS ( >= 6.40), GUI SICF :

7.20, ~new_xss_functions, XSS- .

, , , . ~html_escaping_off=”X”, . , . SAP Security Note 1488500.

Business HTML (BHTML)

HTMLBusiness Template Library (, SAP_TemplateNonEditableField()) . , . SAP Security Note 916255.



, . , .



, XSS-:

http/security_session_timeout = 900; - , . icf/set_HTTPonly_flag_on_cookies = 0; HttpOnly , - , , . HTTPOnly, Logon tickets XSS-.

, RZ10, ( Profile) (, DEFAULT.PFL, SAP-). , , , Extended maintenance . , Copy.



, , - , - -, :
icm/HTTP/logging_0 icm/security_log ,

SAP NetWeaver J2EE

SAP NetWeaver J2EE



AS Java tc_sec_csi.jar. , HTML/XML, JavaScript, CSS URL. StringUtils (com.sap.security.core.server.csi.util.StringUtils):

. Securing SAP from XSS vulnerabilities
escapeScriptEndTag(String pStr) - , javascript ; escapeToHTML(String input) – (. 1) escapeToJS(String input) – JS declaration ( . 5) escapeToURL(String input) – , URL ( 3). , 'disableScriptSignatures'. escapeToURL(StringBuffer sb, String input, int maxLength) - , URL ( 3). , 'disableScriptSignatures'. escapeToURL(String input, int maxLength) - , URL (. 3). , 'disableScriptSignatures'. urlEncode(String s) – URLEncoder.encode

, .

1 ( )

[CASE1]

Username [CASE1]



2 ( , – URL)


Click here


3 ( - URL)




4 ( SCRIPT', – )



5 ( – declaration )



XSSEncoder.
- XSSEncoder ( : com.sap.security.core.server.csi.XSSEncoder).

:
HTML / XML out = XSSEncoder.encodeHTML( in ) and XSSEncoder.encodeXML( val ); JavaScript out = XSSEncoder.encodeJavaScript( val ); URL out = XSSEncoder.encodeURL( val ); CSS out = XSSEncoder.encodeCSS( val );

, . SAP Security Note 1590008.
WebDynpro Java
WebDynpro Java, XSS. .
SAP UI Development Kit for HTML5
SAP UI Development Kit HTML5, jQuery /_core/src/main/js/jquery.sap.encoder.js.
:
HTML / XML jQuery.sap.encodeHTML(sValue) and jQuery.sap.encodeXML(sValue) JavaScript jQuery.sap.encodeJS(sValue) URL jQuery.sap.encodeURL(sValue) CSS jQuery.sap.encodeCSS(sValue)
:

, :
Global_app_config/session_config/sessionTimeout = 900. - , . SystemCookiesDataProtection = true. HttpOnly , - , , . HTTPOnly, Logon tickets XSS-. ume.logon.httponlycookie= True. Logon tickets , Single Sign-On J2EE Engine. “True” , HTTP document.cookie ( XSS-) . SessionIPProtectionEnabled = True. , IP . True, HTTP- IP. IP, .


, , - XSS-, - -, .
LogCLF = TRUE http.properties logging CEF. ArchiveOldLogFiles = ON. Log Configurator . . , . , . . HttpTrace= Enable. HTTP- , ConfigTool. HTTP Provider Service, , HttpTrace.
SAP HANA XS

, XSS- – SAP HANA.


SAP HANA SAPUI5.
- SAPUI5 , . , int int, sap.ui.core . – , HTML:

, :
sessiontimeout = 900. - , . HttpOnly .



, , - XSS-, - -, .

HTTP (S) , SAP HANA, -. - HTTP (S) , icm/http/logging _ 0: global _ auditing _ state = true. global.ini, . , , XSS-. SAP HANA Administration Console –> Security HDB –> Auditing Status menu.



- , XSS. , , - SAP . XSS- – SAP. SAP XSS-. XSS SAP.

, ( chipik ) .


Logging additional information ABAP protection SAP Encoding Functions for AS ABAP Java protection SAP Encoding Functions for AS Java and JavaScript Prevention of Cross-site Scripting SAP HANA protection Protecting SAP® Applications Based on Java and ABAP™ Against Common Attacks

<%@page language="abap" forceEncode="html"%> <% data: inputvalue type string. inputvalue = request->get_form_field( 'x' ). %> </html> . , ( ): <%html=...%>: HTML <%url=...%>: URL URL <%javascript=...%>: JavaScript <%css=…%> : CSS <%raw=...%> ( , , , ) BSP BSP HTMLB forceEncode <htmlb:content> ENABLED , ( ). ENABLED , , :<htmlb:content forceEncode="ENABLED|BACKWARDS_COMPATIBLE"> ENABLED: . , ; BACKWARDS_COMPATIBLE: . , . , htmlb:content , . : CLASSIC, DESIGN2002, DESIGN2003, DESIGN2008, , (+). CLASSIC DESIGN2002 (, ) . <htmlb:content forceEncode="ENABLED" design="DESIGN2003+DESIGN2008"> , design=CLASSIC. . Mixed BSP- HTML HTMLB forceEncode BSP page forceEncode HTMLB . , – HTMLB. , , HTML BSP, Internet Transaction Server (ITS) HTML Business Internet Transaction Server (ITS) HTML Business, : xss_url_escape() xss_html_escape() xss_wml_escape() xss_css_escape() xss_js_escape() HTML Business , HTML-: , (`) , : ~auto_html_escaping=1: , ~new_xss_functions=1: XSS. ~html_escaping_off=1/0, . , , SAP_BASIS: ITS ( <= 6.40), Internet Service SE80. ITS ( >= 6.40), GUI SICF : 7.20, ~new_xss_functions, XSS- . , , , . ~html_escaping_off=”X”, . , . SAP Security Note 1488500. Business HTML (BHTML) HTMLBusiness Template Library (, SAP_TemplateNonEditableField()) . , . SAP Security Note 916255. , . , . , XSS-: http/security_session_timeout = 900; - , . icf/set_HTTPonly_flag_on_cookies = 0; HttpOnly , - , , . HTTPOnly, Logon tickets XSS-. , RZ10, ( Profile) (, DEFAULT.PFL, SAP-). , , , Extended maintenance . , Copy. , , - , - -, : icm/HTTP/logging_0 icm/security_log , SAP NetWeaver J2EE SAP NetWeaver J2EE AS Java tc_sec_csi.jar. , HTML/XML, JavaScript, CSS URL. StringUtils (com.sap.security.core.server.csi.util.StringUtils): . Securing SAP from XSS vulnerabilities escapeScriptEndTag(String pStr) - , javascript ; escapeToHTML(String input) – (. 1) escapeToJS(String input) – JS declaration ( . 5) escapeToURL(String input) – , URL ( 3). , 'disableScriptSignatures'. escapeToURL(StringBuffer sb, String input, int maxLength) - , URL ( 3). , 'disableScriptSignatures'. escapeToURL(String input, int maxLength) - , URL (. 3). , 'disableScriptSignatures'. urlEncode(String s) – URLEncoder.encode , . 1 ( ) [CASE1] Username [CASE1] 2 ( , – URL) Click here 3 ( - URL) 4 ( SCRIPT', – ) 5 ( – declaration ) XSSEncoder. - XSSEncoder ( : com.sap.security.core.server.csi.XSSEncoder). : HTML / XML out = XSSEncoder.encodeHTML( in ) and XSSEncoder.encodeXML( val ); JavaScript out = XSSEncoder.encodeJavaScript( val ); URL out = XSSEncoder.encodeURL( val ); CSS out = XSSEncoder.encodeCSS( val ); , . SAP Security Note 1590008. WebDynpro Java WebDynpro Java, XSS. . SAP UI Development Kit for HTML5 SAP UI Development Kit HTML5, jQuery /_core/src/main/js/jquery.sap.encoder.js. : HTML / XML jQuery.sap.encodeHTML(sValue) and jQuery.sap.encodeXML(sValue) JavaScript jQuery.sap.encodeJS(sValue) URL jQuery.sap.encodeURL(sValue) CSS jQuery.sap.encodeCSS(sValue) : , : Global_app_config/session_config/sessionTimeout = 900. - , . SystemCookiesDataProtection = true. HttpOnly , - , , . HTTPOnly, Logon tickets XSS-. ume.logon.httponlycookie= True. Logon tickets , Single Sign-On J2EE Engine. “True” , HTTP document.cookie ( XSS-) . SessionIPProtectionEnabled = True. , IP . True, HTTP- IP. IP, . , , - XSS-, - -, . LogCLF = TRUE http.properties logging CEF. ArchiveOldLogFiles = ON. Log Configurator . . , . , . . HttpTrace= Enable. HTTP- , ConfigTool. HTTP Provider Service, , HttpTrace. SAP HANA XS , XSS- – SAP HANA. SAP HANA SAPUI5. - SAPUI5 , . , int int, sap.ui.core . – , HTML: , : sessiontimeout = 900. - , . HttpOnly . , , - XSS-, - -, . HTTP (S) , SAP HANA, -. - HTTP (S) , icm/http/logging _ 0: global _ auditing _ state = true. global.ini, . , , XSS-. SAP HANA Administration Console –> Security HDB –> Auditing Status menu. - , XSS. , , - SAP . XSS- – SAP. SAP XSS-. XSS SAP. , ( chipik ) . Logging additional information ABAP protection SAP Encoding Functions for AS ABAP Java protection SAP Encoding Functions for AS Java and JavaScript Prevention of Cross-site Scripting SAP HANA protection Protecting SAP® Applications Based on Java and ABAP™ Against Common Attacks
<%@page language="abap" forceEncode="html"%> <% data: inputvalue type string. inputvalue = request->get_form_field( 'x' ). %> </html> . , ( ): <%html=...%>: HTML <%url=...%>: URL URL <%javascript=...%>: JavaScript <%css=…%> : CSS <%raw=...%> ( , , , ) BSP BSP HTMLB forceEncode <htmlb:content> ENABLED , ( ). ENABLED , , :<htmlb:content forceEncode="ENABLED|BACKWARDS_COMPATIBLE"> ENABLED: . , ; BACKWARDS_COMPATIBLE: . , . , htmlb:content , . : CLASSIC, DESIGN2002, DESIGN2003, DESIGN2008, , (+). CLASSIC DESIGN2002 (, ) . <htmlb:content forceEncode="ENABLED" design="DESIGN2003+DESIGN2008"> , design=CLASSIC. . Mixed BSP- HTML HTMLB forceEncode BSP page forceEncode HTMLB . , – HTMLB. , , HTML BSP, Internet Transaction Server (ITS) HTML Business Internet Transaction Server (ITS) HTML Business, : xss_url_escape() xss_html_escape() xss_wml_escape() xss_css_escape() xss_js_escape() HTML Business , HTML-: , (`) , : ~auto_html_escaping=1: , ~new_xss_functions=1: XSS. ~html_escaping_off=1/0, . , , SAP_BASIS: ITS ( <= 6.40), Internet Service SE80. ITS ( >= 6.40), GUI SICF : 7.20, ~new_xss_functions, XSS- . , , , . ~html_escaping_off=”X”, . , . SAP Security Note 1488500. Business HTML (BHTML) HTMLBusiness Template Library (, SAP_TemplateNonEditableField()) . , . SAP Security Note 916255. , . , . , XSS-: http/security_session_timeout = 900; - , . icf/set_HTTPonly_flag_on_cookies = 0; HttpOnly , - , , . HTTPOnly, Logon tickets XSS-. , RZ10, ( Profile) (, DEFAULT.PFL, SAP-). , , , Extended maintenance . , Copy. , , - , - -, : icm/HTTP/logging_0 icm/security_log , SAP NetWeaver J2EE SAP NetWeaver J2EE AS Java tc_sec_csi.jar. , HTML/XML, JavaScript, CSS URL. StringUtils (com.sap.security.core.server.csi.util.StringUtils): . Securing SAP from XSS vulnerabilities escapeScriptEndTag(String pStr) - , javascript ; escapeToHTML(String input) – (. 1) escapeToJS(String input) – JS declaration ( . 5) escapeToURL(String input) – , URL ( 3). , 'disableScriptSignatures'. escapeToURL(StringBuffer sb, String input, int maxLength) - , URL ( 3). , 'disableScriptSignatures'. escapeToURL(String input, int maxLength) - , URL (. 3). , 'disableScriptSignatures'. urlEncode(String s) – URLEncoder.encode , . 1 ( ) [CASE1] Username [CASE1] 2 ( , – URL) Click here 3 ( - URL) 4 ( SCRIPT', – ) 5 ( – declaration ) XSSEncoder. - XSSEncoder ( : com.sap.security.core.server.csi.XSSEncoder). : HTML / XML out = XSSEncoder.encodeHTML( in ) and XSSEncoder.encodeXML( val ); JavaScript out = XSSEncoder.encodeJavaScript( val ); URL out = XSSEncoder.encodeURL( val ); CSS out = XSSEncoder.encodeCSS( val ); , . SAP Security Note 1590008. WebDynpro Java WebDynpro Java, XSS. . SAP UI Development Kit for HTML5 SAP UI Development Kit HTML5, jQuery /_core/src/main/js/jquery.sap.encoder.js. : HTML / XML jQuery.sap.encodeHTML(sValue) and jQuery.sap.encodeXML(sValue) JavaScript jQuery.sap.encodeJS(sValue) URL jQuery.sap.encodeURL(sValue) CSS jQuery.sap.encodeCSS(sValue) : , : Global_app_config/session_config/sessionTimeout = 900. - , . SystemCookiesDataProtection = true. HttpOnly , - , , . HTTPOnly, Logon tickets XSS-. ume.logon.httponlycookie= True. Logon tickets , Single Sign-On J2EE Engine. “True” , HTTP document.cookie ( XSS-) . SessionIPProtectionEnabled = True. , IP . True, HTTP- IP. IP, . , , - XSS-, - -, . LogCLF = TRUE http.properties logging CEF. ArchiveOldLogFiles = ON. Log Configurator . . , . , . . HttpTrace= Enable. HTTP- , ConfigTool. HTTP Provider Service, , HttpTrace. SAP HANA XS , XSS- – SAP HANA. SAP HANA SAPUI5. - SAPUI5 , . , int int, sap.ui.core . – , HTML: , : sessiontimeout = 900. - , . HttpOnly . , , - XSS-, - -, . HTTP (S) , SAP HANA, -. - HTTP (S) , icm/http/logging _ 0: global _ auditing _ state = true. global.ini, . , , XSS-. SAP HANA Administration Console –> Security HDB –> Auditing Status menu. - , XSS. , , - SAP . XSS- – SAP. SAP XSS-. XSS SAP. , ( chipik ) . Logging additional information ABAP protection SAP Encoding Functions for AS ABAP Java protection SAP Encoding Functions for AS Java and JavaScript Prevention of Cross-site Scripting SAP HANA protection Protecting SAP® Applications Based on Java and ABAP™ Against Common Attacks

<%@page language="abap" forceEncode="html"%>
<% data: inputvalue type string.
inputvalue = request->get_form_field( 'x' ).
%>
</html>


. , ( ):

<%html=...%>: HTML <%url=...%>: URL URL <%javascript=...%>: JavaScript <%css=…%> : CSS <%raw=...%> ( , , , )

BSP

BSP HTMLB forceEncode <htmlb:content> ENABLED , ( ). ENABLED , , :<htmlb:content forceEncode="ENABLED|BACKWARDS_COMPATIBLE">

ENABLED: . , ; BACKWARDS_COMPATIBLE: . , .

, htmlb:content , . : CLASSIC, DESIGN2002, DESIGN2003, DESIGN2008, , (+). CLASSIC DESIGN2002 (, ) .

<htmlb:content forceEncode="ENABLED" design="DESIGN2003+DESIGN2008">


, design=CLASSIC. .

Mixed BSP- HTML HTMLB

forceEncode BSP page forceEncode HTMLB . , – HTMLB. , , HTML BSP,

Internet Transaction Server (ITS) HTML Business

Internet Transaction Server (ITS) HTML Business, :

xss_url_escape() xss_html_escape() xss_wml_escape() xss_css_escape() xss_js_escape()
HTML Business

, HTML-: , (`) , :
~auto_html_escaping=1: , ~new_xss_functions=1: XSS.
~html_escaping_off=1/0, .
, , SAP_BASIS:
ITS ( <= 6.40), Internet Service SE80. ITS ( >= 6.40), GUI SICF :

7.20, ~new_xss_functions, XSS- .

, , , . ~html_escaping_off=”X”, . , . SAP Security Note 1488500.

Business HTML (BHTML)

HTMLBusiness Template Library (, SAP_TemplateNonEditableField()) . , . SAP Security Note 916255.



, . , .



, XSS-:

http/security_session_timeout = 900; - , . icf/set_HTTPonly_flag_on_cookies = 0; HttpOnly , - , , . HTTPOnly, Logon tickets XSS-.

, RZ10, ( Profile) (, DEFAULT.PFL, SAP-). , , , Extended maintenance . , Copy.



, , - , - -, :
icm/HTTP/logging_0 icm/security_log ,

SAP NetWeaver J2EE

SAP NetWeaver J2EE



AS Java tc_sec_csi.jar. , HTML/XML, JavaScript, CSS URL. StringUtils (com.sap.security.core.server.csi.util.StringUtils):

. Securing SAP from XSS vulnerabilities
escapeScriptEndTag(String pStr) - , javascript ; escapeToHTML(String input) – (. 1) escapeToJS(String input) – JS declaration ( . 5) escapeToURL(String input) – , URL ( 3). , 'disableScriptSignatures'. escapeToURL(StringBuffer sb, String input, int maxLength) - , URL ( 3). , 'disableScriptSignatures'. escapeToURL(String input, int maxLength) - , URL (. 3). , 'disableScriptSignatures'. urlEncode(String s) – URLEncoder.encode

, .

1 ( )

[CASE1]

Username [CASE1]



2 ( , – URL)


Click here


3 ( - URL)




4 ( SCRIPT', – )



5 ( – declaration )



XSSEncoder.
- XSSEncoder ( : com.sap.security.core.server.csi.XSSEncoder).

:
HTML / XML out = XSSEncoder.encodeHTML( in ) and XSSEncoder.encodeXML( val ); JavaScript out = XSSEncoder.encodeJavaScript( val ); URL out = XSSEncoder.encodeURL( val ); CSS out = XSSEncoder.encodeCSS( val );

, . SAP Security Note 1590008.
WebDynpro Java
WebDynpro Java, XSS. .
SAP UI Development Kit for HTML5
SAP UI Development Kit HTML5, jQuery /_core/src/main/js/jquery.sap.encoder.js.
:
HTML / XML jQuery.sap.encodeHTML(sValue) and jQuery.sap.encodeXML(sValue) JavaScript jQuery.sap.encodeJS(sValue) URL jQuery.sap.encodeURL(sValue) CSS jQuery.sap.encodeCSS(sValue)
:

, :
Global_app_config/session_config/sessionTimeout = 900. - , . SystemCookiesDataProtection = true. HttpOnly , - , , . HTTPOnly, Logon tickets XSS-. ume.logon.httponlycookie= True. Logon tickets , Single Sign-On J2EE Engine. “True” , HTTP document.cookie ( XSS-) . SessionIPProtectionEnabled = True. , IP . True, HTTP- IP. IP, .


, , - XSS-, - -, .
LogCLF = TRUE http.properties logging CEF. ArchiveOldLogFiles = ON. Log Configurator . . , . , . . HttpTrace= Enable. HTTP- , ConfigTool. HTTP Provider Service, , HttpTrace.
SAP HANA XS

, XSS- – SAP HANA.


SAP HANA SAPUI5.
- SAPUI5 , . , int int, sap.ui.core . – , HTML:

, :
sessiontimeout = 900. - , . HttpOnly .



, , - XSS-, - -, .

HTTP (S) , SAP HANA, -. - HTTP (S) , icm/http/logging _ 0: global _ auditing _ state = true. global.ini, . , , XSS-. SAP HANA Administration Console –> Security HDB –> Auditing Status menu.



- , XSS. , , - SAP . XSS- – SAP. SAP XSS-. XSS SAP.

, ( chipik ) .


Logging additional information ABAP protection SAP Encoding Functions for AS ABAP Java protection SAP Encoding Functions for AS Java and JavaScript Prevention of Cross-site Scripting SAP HANA protection Protecting SAP® Applications Based on Java and ABAP™ Against Common Attacks

<%@page language="abap" forceEncode="html"%> <% data: inputvalue type string. inputvalue = request->get_form_field( 'x' ). %> </html> . , ( ): <%html=...%>: HTML <%url=...%>: URL URL <%javascript=...%>: JavaScript <%css=…%> : CSS <%raw=...%> ( , , , ) BSP BSP HTMLB forceEncode <htmlb:content> ENABLED , ( ). ENABLED , , :<htmlb:content forceEncode="ENABLED|BACKWARDS_COMPATIBLE"> ENABLED: . , ; BACKWARDS_COMPATIBLE: . , . , htmlb:content , . : CLASSIC, DESIGN2002, DESIGN2003, DESIGN2008, , (+). CLASSIC DESIGN2002 (, ) . <htmlb:content forceEncode="ENABLED" design="DESIGN2003+DESIGN2008"> , design=CLASSIC. . Mixed BSP- HTML HTMLB forceEncode BSP page forceEncode HTMLB . , – HTMLB. , , HTML BSP, Internet Transaction Server (ITS) HTML Business Internet Transaction Server (ITS) HTML Business, : xss_url_escape() xss_html_escape() xss_wml_escape() xss_css_escape() xss_js_escape() HTML Business , HTML-: , (`) , : ~auto_html_escaping=1: , ~new_xss_functions=1: XSS. ~html_escaping_off=1/0, . , , SAP_BASIS: ITS ( <= 6.40), Internet Service SE80. ITS ( >= 6.40), GUI SICF : 7.20, ~new_xss_functions, XSS- . , , , . ~html_escaping_off=”X”, . , . SAP Security Note 1488500. Business HTML (BHTML) HTMLBusiness Template Library (, SAP_TemplateNonEditableField()) . , . SAP Security Note 916255. , . , . , XSS-: http/security_session_timeout = 900; - , . icf/set_HTTPonly_flag_on_cookies = 0; HttpOnly , - , , . HTTPOnly, Logon tickets XSS-. , RZ10, ( Profile) (, DEFAULT.PFL, SAP-). , , , Extended maintenance . , Copy. , , - , - -, : icm/HTTP/logging_0 icm/security_log , SAP NetWeaver J2EE SAP NetWeaver J2EE AS Java tc_sec_csi.jar. , HTML/XML, JavaScript, CSS URL. StringUtils (com.sap.security.core.server.csi.util.StringUtils): . Securing SAP from XSS vulnerabilities escapeScriptEndTag(String pStr) - , javascript ; escapeToHTML(String input) – (. 1) escapeToJS(String input) – JS declaration ( . 5) escapeToURL(String input) – , URL ( 3). , 'disableScriptSignatures'. escapeToURL(StringBuffer sb, String input, int maxLength) - , URL ( 3). , 'disableScriptSignatures'. escapeToURL(String input, int maxLength) - , URL (. 3). , 'disableScriptSignatures'. urlEncode(String s) – URLEncoder.encode , . 1 ( ) [CASE1] Username [CASE1] 2 ( , – URL) Click here 3 ( - URL) 4 ( SCRIPT', – ) 5 ( – declaration ) XSSEncoder. - XSSEncoder ( : com.sap.security.core.server.csi.XSSEncoder). : HTML / XML out = XSSEncoder.encodeHTML( in ) and XSSEncoder.encodeXML( val ); JavaScript out = XSSEncoder.encodeJavaScript( val ); URL out = XSSEncoder.encodeURL( val ); CSS out = XSSEncoder.encodeCSS( val ); , . SAP Security Note 1590008. WebDynpro Java WebDynpro Java, XSS. . SAP UI Development Kit for HTML5 SAP UI Development Kit HTML5, jQuery /_core/src/main/js/jquery.sap.encoder.js. : HTML / XML jQuery.sap.encodeHTML(sValue) and jQuery.sap.encodeXML(sValue) JavaScript jQuery.sap.encodeJS(sValue) URL jQuery.sap.encodeURL(sValue) CSS jQuery.sap.encodeCSS(sValue) : , : Global_app_config/session_config/sessionTimeout = 900. - , . SystemCookiesDataProtection = true. HttpOnly , - , , . HTTPOnly, Logon tickets XSS-. ume.logon.httponlycookie= True. Logon tickets , Single Sign-On J2EE Engine. “True” , HTTP document.cookie ( XSS-) . SessionIPProtectionEnabled = True. , IP . True, HTTP- IP. IP, . , , - XSS-, - -, . LogCLF = TRUE http.properties logging CEF. ArchiveOldLogFiles = ON. Log Configurator . . , . , . . HttpTrace= Enable. HTTP- , ConfigTool. HTTP Provider Service, , HttpTrace. SAP HANA XS , XSS- – SAP HANA. SAP HANA SAPUI5. - SAPUI5 , . , int int, sap.ui.core . – , HTML: , : sessiontimeout = 900. - , . HttpOnly . , , - XSS-, - -, . HTTP (S) , SAP HANA, -. - HTTP (S) , icm/http/logging _ 0: global _ auditing _ state = true. global.ini, . , , XSS-. SAP HANA Administration Console –> Security HDB –> Auditing Status menu. - , XSS. , , - SAP . XSS- – SAP. SAP XSS-. XSS SAP. , ( chipik ) . Logging additional information ABAP protection SAP Encoding Functions for AS ABAP Java protection SAP Encoding Functions for AS Java and JavaScript Prevention of Cross-site Scripting SAP HANA protection Protecting SAP® Applications Based on Java and ABAP™ Against Common Attacks

<%@page language="abap" forceEncode="html"%>
<% data: inputvalue type string.
inputvalue = request->get_form_field( 'x' ).
%>
</html>


. , ( ):

<%html=...%>: HTML <%url=...%>: URL URL <%javascript=...%>: JavaScript <%css=…%> : CSS <%raw=...%> ( , , , )

BSP

BSP HTMLB forceEncode <htmlb:content> ENABLED , ( ). ENABLED , , :<htmlb:content forceEncode="ENABLED|BACKWARDS_COMPATIBLE">

ENABLED: . , ; BACKWARDS_COMPATIBLE: . , .

, htmlb:content , . : CLASSIC, DESIGN2002, DESIGN2003, DESIGN2008, , (+). CLASSIC DESIGN2002 (, ) .

<htmlb:content forceEncode="ENABLED" design="DESIGN2003+DESIGN2008">


, design=CLASSIC. .

Mixed BSP- HTML HTMLB

forceEncode BSP page forceEncode HTMLB . , – HTMLB. , , HTML BSP,

Internet Transaction Server (ITS) HTML Business

Internet Transaction Server (ITS) HTML Business, :

xss_url_escape() xss_html_escape() xss_wml_escape() xss_css_escape() xss_js_escape()
HTML Business

, HTML-: , (`) , :
~auto_html_escaping=1: , ~new_xss_functions=1: XSS.
~html_escaping_off=1/0, .
, , SAP_BASIS:
ITS ( <= 6.40), Internet Service SE80. ITS ( >= 6.40), GUI SICF :

7.20, ~new_xss_functions, XSS- .

, , , . ~html_escaping_off=”X”, . , . SAP Security Note 1488500.

Business HTML (BHTML)

HTMLBusiness Template Library (, SAP_TemplateNonEditableField()) . , . SAP Security Note 916255.



, . , .



, XSS-:

http/security_session_timeout = 900; - , . icf/set_HTTPonly_flag_on_cookies = 0; HttpOnly , - , , . HTTPOnly, Logon tickets XSS-.

, RZ10, ( Profile) (, DEFAULT.PFL, SAP-). , , , Extended maintenance . , Copy.



, , - , - -, :
icm/HTTP/logging_0 icm/security_log ,

SAP NetWeaver J2EE

SAP NetWeaver J2EE



AS Java tc_sec_csi.jar. , HTML/XML, JavaScript, CSS URL. StringUtils (com.sap.security.core.server.csi.util.StringUtils):

. Securing SAP from XSS vulnerabilities
escapeScriptEndTag(String pStr) - , javascript ; escapeToHTML(String input) – (. 1) escapeToJS(String input) – JS declaration ( . 5) escapeToURL(String input) – , URL ( 3). , 'disableScriptSignatures'. escapeToURL(StringBuffer sb, String input, int maxLength) - , URL ( 3). , 'disableScriptSignatures'. escapeToURL(String input, int maxLength) - , URL (. 3). , 'disableScriptSignatures'. urlEncode(String s) – URLEncoder.encode

, .

1 ( )

[CASE1]

Username [CASE1]



2 ( , – URL)


Click here


3 ( - URL)




4 ( SCRIPT', – )



5 ( – declaration )



XSSEncoder.
- XSSEncoder ( : com.sap.security.core.server.csi.XSSEncoder).

:
HTML / XML out = XSSEncoder.encodeHTML( in ) and XSSEncoder.encodeXML( val ); JavaScript out = XSSEncoder.encodeJavaScript( val ); URL out = XSSEncoder.encodeURL( val ); CSS out = XSSEncoder.encodeCSS( val );

, . SAP Security Note 1590008.
WebDynpro Java
WebDynpro Java, XSS. .
SAP UI Development Kit for HTML5
SAP UI Development Kit HTML5, jQuery /_core/src/main/js/jquery.sap.encoder.js.
:
HTML / XML jQuery.sap.encodeHTML(sValue) and jQuery.sap.encodeXML(sValue) JavaScript jQuery.sap.encodeJS(sValue) URL jQuery.sap.encodeURL(sValue) CSS jQuery.sap.encodeCSS(sValue)
:

, :
Global_app_config/session_config/sessionTimeout = 900. - , . SystemCookiesDataProtection = true. HttpOnly , - , , . HTTPOnly, Logon tickets XSS-. ume.logon.httponlycookie= True. Logon tickets , Single Sign-On J2EE Engine. “True” , HTTP document.cookie ( XSS-) . SessionIPProtectionEnabled = True. , IP . True, HTTP- IP. IP, .


, , - XSS-, - -, .
LogCLF = TRUE http.properties logging CEF. ArchiveOldLogFiles = ON. Log Configurator . . , . , . . HttpTrace= Enable. HTTP- , ConfigTool. HTTP Provider Service, , HttpTrace.
SAP HANA XS

, XSS- – SAP HANA.


SAP HANA SAPUI5.
- SAPUI5 , . , int int, sap.ui.core . – , HTML:

, :
sessiontimeout = 900. - , . HttpOnly .



, , - XSS-, - -, .

HTTP (S) , SAP HANA, -. - HTTP (S) , icm/http/logging _ 0: global _ auditing _ state = true. global.ini, . , , XSS-. SAP HANA Administration Console –> Security HDB –> Auditing Status menu.



- , XSS. , , - SAP . XSS- – SAP. SAP XSS-. XSS SAP.

, ( chipik ) .


Logging additional information ABAP protection SAP Encoding Functions for AS ABAP Java protection SAP Encoding Functions for AS Java and JavaScript Prevention of Cross-site Scripting SAP HANA protection Protecting SAP® Applications Based on Java and ABAP™ Against Common Attacks

<%@page language="abap" forceEncode="html"%> <% data: inputvalue type string. inputvalue = request->get_form_field( 'x' ). %> </html> . , ( ): <%html=...%>: HTML <%url=...%>: URL URL <%javascript=...%>: JavaScript <%css=…%> : CSS <%raw=...%> ( , , , ) BSP BSP HTMLB forceEncode <htmlb:content> ENABLED , ( ). ENABLED , , :<htmlb:content forceEncode="ENABLED|BACKWARDS_COMPATIBLE"> ENABLED: . , ; BACKWARDS_COMPATIBLE: . , . , htmlb:content , . : CLASSIC, DESIGN2002, DESIGN2003, DESIGN2008, , (+). CLASSIC DESIGN2002 (, ) . <htmlb:content forceEncode="ENABLED" design="DESIGN2003+DESIGN2008"> , design=CLASSIC. . Mixed BSP- HTML HTMLB forceEncode BSP page forceEncode HTMLB . , – HTMLB. , , HTML BSP, Internet Transaction Server (ITS) HTML Business Internet Transaction Server (ITS) HTML Business, : xss_url_escape() xss_html_escape() xss_wml_escape() xss_css_escape() xss_js_escape() HTML Business , HTML-: , (`) , : ~auto_html_escaping=1: , ~new_xss_functions=1: XSS. ~html_escaping_off=1/0, . , , SAP_BASIS: ITS ( <= 6.40), Internet Service SE80. ITS ( >= 6.40), GUI SICF : 7.20, ~new_xss_functions, XSS- . , , , . ~html_escaping_off=”X”, . , . SAP Security Note 1488500. Business HTML (BHTML) HTMLBusiness Template Library (, SAP_TemplateNonEditableField()) . , . SAP Security Note 916255. , . , . , XSS-: http/security_session_timeout = 900; - , . icf/set_HTTPonly_flag_on_cookies = 0; HttpOnly , - , , . HTTPOnly, Logon tickets XSS-. , RZ10, ( Profile) (, DEFAULT.PFL, SAP-). , , , Extended maintenance . , Copy. , , - , - -, : icm/HTTP/logging_0 icm/security_log , SAP NetWeaver J2EE SAP NetWeaver J2EE AS Java tc_sec_csi.jar. , HTML/XML, JavaScript, CSS URL. StringUtils (com.sap.security.core.server.csi.util.StringUtils): . Securing SAP from XSS vulnerabilities escapeScriptEndTag(String pStr) - , javascript ; escapeToHTML(String input) – (. 1) escapeToJS(String input) – JS declaration ( . 5) escapeToURL(String input) – , URL ( 3). , 'disableScriptSignatures'. escapeToURL(StringBuffer sb, String input, int maxLength) - , URL ( 3). , 'disableScriptSignatures'. escapeToURL(String input, int maxLength) - , URL (. 3). , 'disableScriptSignatures'. urlEncode(String s) – URLEncoder.encode , . 1 ( ) [CASE1] Username [CASE1] 2 ( , – URL) Click here 3 ( - URL) 4 ( SCRIPT', – ) 5 ( – declaration ) XSSEncoder. - XSSEncoder ( : com.sap.security.core.server.csi.XSSEncoder). : HTML / XML out = XSSEncoder.encodeHTML( in ) and XSSEncoder.encodeXML( val ); JavaScript out = XSSEncoder.encodeJavaScript( val ); URL out = XSSEncoder.encodeURL( val ); CSS out = XSSEncoder.encodeCSS( val ); , . SAP Security Note 1590008. WebDynpro Java WebDynpro Java, XSS. . SAP UI Development Kit for HTML5 SAP UI Development Kit HTML5, jQuery /_core/src/main/js/jquery.sap.encoder.js. : HTML / XML jQuery.sap.encodeHTML(sValue) and jQuery.sap.encodeXML(sValue) JavaScript jQuery.sap.encodeJS(sValue) URL jQuery.sap.encodeURL(sValue) CSS jQuery.sap.encodeCSS(sValue) : , : Global_app_config/session_config/sessionTimeout = 900. - , . SystemCookiesDataProtection = true. HttpOnly , - , , . HTTPOnly, Logon tickets XSS-. ume.logon.httponlycookie= True. Logon tickets , Single Sign-On J2EE Engine. “True” , HTTP document.cookie ( XSS-) . SessionIPProtectionEnabled = True. , IP . True, HTTP- IP. IP, . , , - XSS-, - -, . LogCLF = TRUE http.properties logging CEF. ArchiveOldLogFiles = ON. Log Configurator . . , . , . . HttpTrace= Enable. HTTP- , ConfigTool. HTTP Provider Service, , HttpTrace. SAP HANA XS , XSS- – SAP HANA. SAP HANA SAPUI5. - SAPUI5 , . , int int, sap.ui.core . – , HTML: , : sessiontimeout = 900. - , . HttpOnly . , , - XSS-, - -, . HTTP (S) , SAP HANA, -. - HTTP (S) , icm/http/logging _ 0: global _ auditing _ state = true. global.ini, . , , XSS-. SAP HANA Administration Console –> Security HDB –> Auditing Status menu. - , XSS. , , - SAP . XSS- – SAP. SAP XSS-. XSS SAP. , ( chipik ) . Logging additional information ABAP protection SAP Encoding Functions for AS ABAP Java protection SAP Encoding Functions for AS Java and JavaScript Prevention of Cross-site Scripting SAP HANA protection Protecting SAP® Applications Based on Java and ABAP™ Against Common Attacks
<%@page language="abap" forceEncode="html"%> <% data: inputvalue type string. inputvalue = request->get_form_field( 'x' ). %> </html> . , ( ): <%html=...%>: HTML <%url=...%>: URL URL <%javascript=...%>: JavaScript <%css=…%> : CSS <%raw=...%> ( , , , ) BSP BSP HTMLB forceEncode <htmlb:content> ENABLED , ( ). ENABLED , , :<htmlb:content forceEncode="ENABLED|BACKWARDS_COMPATIBLE"> ENABLED: . , ; BACKWARDS_COMPATIBLE: . , . , htmlb:content , . : CLASSIC, DESIGN2002, DESIGN2003, DESIGN2008, , (+). CLASSIC DESIGN2002 (, ) . <htmlb:content forceEncode="ENABLED" design="DESIGN2003+DESIGN2008"> , design=CLASSIC. . Mixed BSP- HTML HTMLB forceEncode BSP page forceEncode HTMLB . , – HTMLB. , , HTML BSP, Internet Transaction Server (ITS) HTML Business Internet Transaction Server (ITS) HTML Business, : xss_url_escape() xss_html_escape() xss_wml_escape() xss_css_escape() xss_js_escape() HTML Business , HTML-: , (`) , : ~auto_html_escaping=1: , ~new_xss_functions=1: XSS. ~html_escaping_off=1/0, . , , SAP_BASIS: ITS ( <= 6.40), Internet Service SE80. ITS ( >= 6.40), GUI SICF : 7.20, ~new_xss_functions, XSS- . , , , . ~html_escaping_off=”X”, . , . SAP Security Note 1488500. Business HTML (BHTML) HTMLBusiness Template Library (, SAP_TemplateNonEditableField()) . , . SAP Security Note 916255. , . , . , XSS-: http/security_session_timeout = 900; - , . icf/set_HTTPonly_flag_on_cookies = 0; HttpOnly , - , , . HTTPOnly, Logon tickets XSS-. , RZ10, ( Profile) (, DEFAULT.PFL, SAP-). , , , Extended maintenance . , Copy. , , - , - -, : icm/HTTP/logging_0 icm/security_log , SAP NetWeaver J2EE SAP NetWeaver J2EE AS Java tc_sec_csi.jar. , HTML/XML, JavaScript, CSS URL. StringUtils (com.sap.security.core.server.csi.util.StringUtils): . Securing SAP from XSS vulnerabilities escapeScriptEndTag(String pStr) - , javascript ; escapeToHTML(String input) – (. 1) escapeToJS(String input) – JS declaration ( . 5) escapeToURL(String input) – , URL ( 3). , 'disableScriptSignatures'. escapeToURL(StringBuffer sb, String input, int maxLength) - , URL ( 3). , 'disableScriptSignatures'. escapeToURL(String input, int maxLength) - , URL (. 3). , 'disableScriptSignatures'. urlEncode(String s) – URLEncoder.encode , . 1 ( ) [CASE1] Username [CASE1] 2 ( , – URL) Click here 3 ( - URL) 4 ( SCRIPT', – ) 5 ( – declaration ) XSSEncoder. - XSSEncoder ( : com.sap.security.core.server.csi.XSSEncoder). : HTML / XML out = XSSEncoder.encodeHTML( in ) and XSSEncoder.encodeXML( val ); JavaScript out = XSSEncoder.encodeJavaScript( val ); URL out = XSSEncoder.encodeURL( val ); CSS out = XSSEncoder.encodeCSS( val ); , . SAP Security Note 1590008. WebDynpro Java WebDynpro Java, XSS. . SAP UI Development Kit for HTML5 SAP UI Development Kit HTML5, jQuery /_core/src/main/js/jquery.sap.encoder.js. : HTML / XML jQuery.sap.encodeHTML(sValue) and jQuery.sap.encodeXML(sValue) JavaScript jQuery.sap.encodeJS(sValue) URL jQuery.sap.encodeURL(sValue) CSS jQuery.sap.encodeCSS(sValue) : , : Global_app_config/session_config/sessionTimeout = 900. - , . SystemCookiesDataProtection = true. HttpOnly , - , , . HTTPOnly, Logon tickets XSS-. ume.logon.httponlycookie= True. Logon tickets , Single Sign-On J2EE Engine. “True” , HTTP document.cookie ( XSS-) . SessionIPProtectionEnabled = True. , IP . True, HTTP- IP. IP, . , , - XSS-, - -, . LogCLF = TRUE http.properties logging CEF. ArchiveOldLogFiles = ON. Log Configurator . . , . , . . HttpTrace= Enable. HTTP- , ConfigTool. HTTP Provider Service, , HttpTrace. SAP HANA XS , XSS- – SAP HANA. SAP HANA SAPUI5. - SAPUI5 , . , int int, sap.ui.core . – , HTML: , : sessiontimeout = 900. - , . HttpOnly . , , - XSS-, - -, . HTTP (S) , SAP HANA, -. - HTTP (S) , icm/http/logging _ 0: global _ auditing _ state = true. global.ini, . , , XSS-. SAP HANA Administration Console –> Security HDB –> Auditing Status menu. - , XSS. , , - SAP . XSS- – SAP. SAP XSS-. XSS SAP. , ( chipik ) . Logging additional information ABAP protection SAP Encoding Functions for AS ABAP Java protection SAP Encoding Functions for AS Java and JavaScript Prevention of Cross-site Scripting SAP HANA protection Protecting SAP® Applications Based on Java and ABAP™ Against Common Attacks

<%@page language="abap" forceEncode="html"%>
<% data: inputvalue type string.
inputvalue = request->get_form_field( 'x' ).
%>
</html>


. , ( ):

<%html=...%>: HTML <%url=...%>: URL URL <%javascript=...%>: JavaScript <%css=…%> : CSS <%raw=...%> ( , , , )

BSP

BSP HTMLB forceEncode <htmlb:content> ENABLED , ( ). ENABLED , , :<htmlb:content forceEncode="ENABLED|BACKWARDS_COMPATIBLE">

ENABLED: . , ; BACKWARDS_COMPATIBLE: . , .

, htmlb:content , . : CLASSIC, DESIGN2002, DESIGN2003, DESIGN2008, , (+). CLASSIC DESIGN2002 (, ) .

<htmlb:content forceEncode="ENABLED" design="DESIGN2003+DESIGN2008">


, design=CLASSIC. .

Mixed BSP- HTML HTMLB

forceEncode BSP page forceEncode HTMLB . , – HTMLB. , , HTML BSP,

Internet Transaction Server (ITS) HTML Business

Internet Transaction Server (ITS) HTML Business, :

xss_url_escape() xss_html_escape() xss_wml_escape() xss_css_escape() xss_js_escape()
HTML Business

, HTML-: , (`) , :
~auto_html_escaping=1: , ~new_xss_functions=1: XSS.
~html_escaping_off=1/0, .
, , SAP_BASIS:
ITS ( <= 6.40), Internet Service SE80. ITS ( >= 6.40), GUI SICF :

7.20, ~new_xss_functions, XSS- .

, , , . ~html_escaping_off=”X”, . , . SAP Security Note 1488500.

Business HTML (BHTML)

HTMLBusiness Template Library (, SAP_TemplateNonEditableField()) . , . SAP Security Note 916255.



, . , .



, XSS-:

http/security_session_timeout = 900; - , . icf/set_HTTPonly_flag_on_cookies = 0; HttpOnly , - , , . HTTPOnly, Logon tickets XSS-.

, RZ10, ( Profile) (, DEFAULT.PFL, SAP-). , , , Extended maintenance . , Copy.



, , - , - -, :
icm/HTTP/logging_0 icm/security_log ,

SAP NetWeaver J2EE

SAP NetWeaver J2EE



AS Java tc_sec_csi.jar. , HTML/XML, JavaScript, CSS URL. StringUtils (com.sap.security.core.server.csi.util.StringUtils):

. Securing SAP from XSS vulnerabilities
escapeScriptEndTag(String pStr) - , javascript ; escapeToHTML(String input) – (. 1) escapeToJS(String input) – JS declaration ( . 5) escapeToURL(String input) – , URL ( 3). , 'disableScriptSignatures'. escapeToURL(StringBuffer sb, String input, int maxLength) - , URL ( 3). , 'disableScriptSignatures'. escapeToURL(String input, int maxLength) - , URL (. 3). , 'disableScriptSignatures'. urlEncode(String s) – URLEncoder.encode

, .

1 ( )

[CASE1]

Username [CASE1]



2 ( , – URL)


Click here


3 ( - URL)




4 ( SCRIPT', – )



5 ( – declaration )



XSSEncoder.
- XSSEncoder ( : com.sap.security.core.server.csi.XSSEncoder).

:
HTML / XML out = XSSEncoder.encodeHTML( in ) and XSSEncoder.encodeXML( val ); JavaScript out = XSSEncoder.encodeJavaScript( val ); URL out = XSSEncoder.encodeURL( val ); CSS out = XSSEncoder.encodeCSS( val );

, . SAP Security Note 1590008.
WebDynpro Java
WebDynpro Java, XSS. .
SAP UI Development Kit for HTML5
SAP UI Development Kit HTML5, jQuery /_core/src/main/js/jquery.sap.encoder.js.
:
HTML / XML jQuery.sap.encodeHTML(sValue) and jQuery.sap.encodeXML(sValue) JavaScript jQuery.sap.encodeJS(sValue) URL jQuery.sap.encodeURL(sValue) CSS jQuery.sap.encodeCSS(sValue)
:

, :
Global_app_config/session_config/sessionTimeout = 900. - , . SystemCookiesDataProtection = true. HttpOnly , - , , . HTTPOnly, Logon tickets XSS-. ume.logon.httponlycookie= True. Logon tickets , Single Sign-On J2EE Engine. “True” , HTTP document.cookie ( XSS-) . SessionIPProtectionEnabled = True. , IP . True, HTTP- IP. IP, .


, , - XSS-, - -, .
LogCLF = TRUE http.properties logging CEF. ArchiveOldLogFiles = ON. Log Configurator . . , . , . . HttpTrace= Enable. HTTP- , ConfigTool. HTTP Provider Service, , HttpTrace.
SAP HANA XS

, XSS- – SAP HANA.


SAP HANA SAPUI5.
- SAPUI5 , . , int int, sap.ui.core . – , HTML:

, :
sessiontimeout = 900. - , . HttpOnly .



, , - XSS-, - -, .

HTTP (S) , SAP HANA, -. - HTTP (S) , icm/http/logging _ 0: global _ auditing _ state = true. global.ini, . , , XSS-. SAP HANA Administration Console –> Security HDB –> Auditing Status menu.



- , XSS. , , - SAP . XSS- – SAP. SAP XSS-. XSS SAP.

, ( chipik ) .


Logging additional information ABAP protection SAP Encoding Functions for AS ABAP Java protection SAP Encoding Functions for AS Java and JavaScript Prevention of Cross-site Scripting SAP HANA protection Protecting SAP® Applications Based on Java and ABAP™ Against Common Attacks

<%@page language="abap" forceEncode="html"%> <% data: inputvalue type string. inputvalue = request->get_form_field( 'x' ). %> </html> . , ( ): <%html=...%>: HTML <%url=...%>: URL URL <%javascript=...%>: JavaScript <%css=…%> : CSS <%raw=...%> ( , , , ) BSP BSP HTMLB forceEncode <htmlb:content> ENABLED , ( ). ENABLED , , :<htmlb:content forceEncode="ENABLED|BACKWARDS_COMPATIBLE"> ENABLED: . , ; BACKWARDS_COMPATIBLE: . , . , htmlb:content , . : CLASSIC, DESIGN2002, DESIGN2003, DESIGN2008, , (+). CLASSIC DESIGN2002 (, ) . <htmlb:content forceEncode="ENABLED" design="DESIGN2003+DESIGN2008"> , design=CLASSIC. . Mixed BSP- HTML HTMLB forceEncode BSP page forceEncode HTMLB . , – HTMLB. , , HTML BSP, Internet Transaction Server (ITS) HTML Business Internet Transaction Server (ITS) HTML Business, : xss_url_escape() xss_html_escape() xss_wml_escape() xss_css_escape() xss_js_escape() HTML Business , HTML-: , (`) , : ~auto_html_escaping=1: , ~new_xss_functions=1: XSS. ~html_escaping_off=1/0, . , , SAP_BASIS: ITS ( <= 6.40), Internet Service SE80. ITS ( >= 6.40), GUI SICF : 7.20, ~new_xss_functions, XSS- . , , , . ~html_escaping_off=”X”, . , . SAP Security Note 1488500. Business HTML (BHTML) HTMLBusiness Template Library (, SAP_TemplateNonEditableField()) . , . SAP Security Note 916255. , . , . , XSS-: http/security_session_timeout = 900; - , . icf/set_HTTPonly_flag_on_cookies = 0; HttpOnly , - , , . HTTPOnly, Logon tickets XSS-. , RZ10, ( Profile) (, DEFAULT.PFL, SAP-). , , , Extended maintenance . , Copy. , , - , - -, : icm/HTTP/logging_0 icm/security_log , SAP NetWeaver J2EE SAP NetWeaver J2EE AS Java tc_sec_csi.jar. , HTML/XML, JavaScript, CSS URL. StringUtils (com.sap.security.core.server.csi.util.StringUtils): . Securing SAP from XSS vulnerabilities escapeScriptEndTag(String pStr) - , javascript ; escapeToHTML(String input) – (. 1) escapeToJS(String input) – JS declaration ( . 5) escapeToURL(String input) – , URL ( 3). , 'disableScriptSignatures'. escapeToURL(StringBuffer sb, String input, int maxLength) - , URL ( 3). , 'disableScriptSignatures'. escapeToURL(String input, int maxLength) - , URL (. 3). , 'disableScriptSignatures'. urlEncode(String s) – URLEncoder.encode , . 1 ( ) [CASE1] Username [CASE1] 2 ( , – URL) Click here 3 ( - URL) 4 ( SCRIPT', – ) 5 ( – declaration ) XSSEncoder. - XSSEncoder ( : com.sap.security.core.server.csi.XSSEncoder). : HTML / XML out = XSSEncoder.encodeHTML( in ) and XSSEncoder.encodeXML( val ); JavaScript out = XSSEncoder.encodeJavaScript( val ); URL out = XSSEncoder.encodeURL( val ); CSS out = XSSEncoder.encodeCSS( val ); , . SAP Security Note 1590008. WebDynpro Java WebDynpro Java, XSS. . SAP UI Development Kit for HTML5 SAP UI Development Kit HTML5, jQuery /_core/src/main/js/jquery.sap.encoder.js. : HTML / XML jQuery.sap.encodeHTML(sValue) and jQuery.sap.encodeXML(sValue) JavaScript jQuery.sap.encodeJS(sValue) URL jQuery.sap.encodeURL(sValue) CSS jQuery.sap.encodeCSS(sValue) : , : Global_app_config/session_config/sessionTimeout = 900. - , . SystemCookiesDataProtection = true. HttpOnly , - , , . HTTPOnly, Logon tickets XSS-. ume.logon.httponlycookie= True. Logon tickets , Single Sign-On J2EE Engine. “True” , HTTP document.cookie ( XSS-) . SessionIPProtectionEnabled = True. , IP . True, HTTP- IP. IP, . , , - XSS-, - -, . LogCLF = TRUE http.properties logging CEF. ArchiveOldLogFiles = ON. Log Configurator . . , . , . . HttpTrace= Enable. HTTP- , ConfigTool. HTTP Provider Service, , HttpTrace. SAP HANA XS , XSS- – SAP HANA. SAP HANA SAPUI5. - SAPUI5 , . , int int, sap.ui.core . – , HTML: , : sessiontimeout = 900. - , . HttpOnly . , , - XSS-, - -, . HTTP (S) , SAP HANA, -. - HTTP (S) , icm/http/logging _ 0: global _ auditing _ state = true. global.ini, . , , XSS-. SAP HANA Administration Console –> Security HDB –> Auditing Status menu. - , XSS. , , - SAP . XSS- – SAP. SAP XSS-. XSS SAP. , ( chipik ) . Logging additional information ABAP protection SAP Encoding Functions for AS ABAP Java protection SAP Encoding Functions for AS Java and JavaScript Prevention of Cross-site Scripting SAP HANA protection Protecting SAP® Applications Based on Java and ABAP™ Against Common Attacks

<%@page language="abap" forceEncode="html"%>
<% data: inputvalue type string.
inputvalue = request->get_form_field( 'x' ).
%>
</html>


. , ( ):

<%html=...%>: HTML <%url=...%>: URL URL <%javascript=...%>: JavaScript <%css=…%> : CSS <%raw=...%> ( , , , )

BSP

BSP HTMLB forceEncode <htmlb:content> ENABLED , ( ). ENABLED , , :<htmlb:content forceEncode="ENABLED|BACKWARDS_COMPATIBLE">

ENABLED: . , ; BACKWARDS_COMPATIBLE: . , .

, htmlb:content , . : CLASSIC, DESIGN2002, DESIGN2003, DESIGN2008, , (+). CLASSIC DESIGN2002 (, ) .

<htmlb:content forceEncode="ENABLED" design="DESIGN2003+DESIGN2008">


, design=CLASSIC. .

Mixed BSP- HTML HTMLB

forceEncode BSP page forceEncode HTMLB . , – HTMLB. , , HTML BSP,

Internet Transaction Server (ITS) HTML Business

Internet Transaction Server (ITS) HTML Business, :

xss_url_escape() xss_html_escape() xss_wml_escape() xss_css_escape() xss_js_escape()
HTML Business

, HTML-: , (`) , :
~auto_html_escaping=1: , ~new_xss_functions=1: XSS.
~html_escaping_off=1/0, .
, , SAP_BASIS:
ITS ( <= 6.40), Internet Service SE80. ITS ( >= 6.40), GUI SICF :

7.20, ~new_xss_functions, XSS- .

, , , . ~html_escaping_off=”X”, . , . SAP Security Note 1488500.

Business HTML (BHTML)

HTMLBusiness Template Library (, SAP_TemplateNonEditableField()) . , . SAP Security Note 916255.



, . , .



, XSS-:

http/security_session_timeout = 900; - , . icf/set_HTTPonly_flag_on_cookies = 0; HttpOnly , - , , . HTTPOnly, Logon tickets XSS-.

, RZ10, ( Profile) (, DEFAULT.PFL, SAP-). , , , Extended maintenance . , Copy.



, , - , - -, :
icm/HTTP/logging_0 icm/security_log ,

SAP NetWeaver J2EE

SAP NetWeaver J2EE



AS Java tc_sec_csi.jar. , HTML/XML, JavaScript, CSS URL. StringUtils (com.sap.security.core.server.csi.util.StringUtils):

. Securing SAP from XSS vulnerabilities
escapeScriptEndTag(String pStr) - , javascript ; escapeToHTML(String input) – (. 1) escapeToJS(String input) – JS declaration ( . 5) escapeToURL(String input) – , URL ( 3). , 'disableScriptSignatures'. escapeToURL(StringBuffer sb, String input, int maxLength) - , URL ( 3). , 'disableScriptSignatures'. escapeToURL(String input, int maxLength) - , URL (. 3). , 'disableScriptSignatures'. urlEncode(String s) – URLEncoder.encode

, .

1 ( )

[CASE1]

Username [CASE1]



2 ( , – URL)


Click here


3 ( - URL)




4 ( SCRIPT', – )



5 ( – declaration )



XSSEncoder.
- XSSEncoder ( : com.sap.security.core.server.csi.XSSEncoder).

:
HTML / XML out = XSSEncoder.encodeHTML( in ) and XSSEncoder.encodeXML( val ); JavaScript out = XSSEncoder.encodeJavaScript( val ); URL out = XSSEncoder.encodeURL( val ); CSS out = XSSEncoder.encodeCSS( val );

, . SAP Security Note 1590008.
WebDynpro Java
WebDynpro Java, XSS. .
SAP UI Development Kit for HTML5
SAP UI Development Kit HTML5, jQuery /_core/src/main/js/jquery.sap.encoder.js.
:
HTML / XML jQuery.sap.encodeHTML(sValue) and jQuery.sap.encodeXML(sValue) JavaScript jQuery.sap.encodeJS(sValue) URL jQuery.sap.encodeURL(sValue) CSS jQuery.sap.encodeCSS(sValue)
:

, :
Global_app_config/session_config/sessionTimeout = 900. - , . SystemCookiesDataProtection = true. HttpOnly , - , , . HTTPOnly, Logon tickets XSS-. ume.logon.httponlycookie= True. Logon tickets , Single Sign-On J2EE Engine. “True” , HTTP document.cookie ( XSS-) . SessionIPProtectionEnabled = True. , IP . True, HTTP- IP. IP, .


, , - XSS-, - -, .
LogCLF = TRUE http.properties logging CEF. ArchiveOldLogFiles = ON. Log Configurator . . , . , . . HttpTrace= Enable. HTTP- , ConfigTool. HTTP Provider Service, , HttpTrace.
SAP HANA XS

, XSS- – SAP HANA.


SAP HANA SAPUI5.
- SAPUI5 , . , int int, sap.ui.core . – , HTML:

, :
sessiontimeout = 900. - , . HttpOnly .



, , - XSS-, - -, .

HTTP (S) , SAP HANA, -. - HTTP (S) , icm/http/logging _ 0: global _ auditing _ state = true. global.ini, . , , XSS-. SAP HANA Administration Console –> Security HDB –> Auditing Status menu.



- , XSS. , , - SAP . XSS- – SAP. SAP XSS-. XSS SAP.

, ( chipik ) .


Logging additional information ABAP protection SAP Encoding Functions for AS ABAP Java protection SAP Encoding Functions for AS Java and JavaScript Prevention of Cross-site Scripting SAP HANA protection Protecting SAP® Applications Based on Java and ABAP™ Against Common Attacks

<%@page language="abap" forceEncode="html"%> <% data: inputvalue type string. inputvalue = request->get_form_field( 'x' ). %> </html> . , ( ): <%html=...%>: HTML <%url=...%>: URL URL <%javascript=...%>: JavaScript <%css=…%> : CSS <%raw=...%> ( , , , ) BSP BSP HTMLB forceEncode <htmlb:content> ENABLED , ( ). ENABLED , , :<htmlb:content forceEncode="ENABLED|BACKWARDS_COMPATIBLE"> ENABLED: . , ; BACKWARDS_COMPATIBLE: . , . , htmlb:content , . : CLASSIC, DESIGN2002, DESIGN2003, DESIGN2008, , (+). CLASSIC DESIGN2002 (, ) . <htmlb:content forceEncode="ENABLED" design="DESIGN2003+DESIGN2008"> , design=CLASSIC. . Mixed BSP- HTML HTMLB forceEncode BSP page forceEncode HTMLB . , – HTMLB. , , HTML BSP, Internet Transaction Server (ITS) HTML Business Internet Transaction Server (ITS) HTML Business, : xss_url_escape() xss_html_escape() xss_wml_escape() xss_css_escape() xss_js_escape() HTML Business , HTML-: , (`) , : ~auto_html_escaping=1: , ~new_xss_functions=1: XSS. ~html_escaping_off=1/0, . , , SAP_BASIS: ITS ( <= 6.40), Internet Service SE80. ITS ( >= 6.40), GUI SICF : 7.20, ~new_xss_functions, XSS- . , , , . ~html_escaping_off=”X”, . , . SAP Security Note 1488500. Business HTML (BHTML) HTMLBusiness Template Library (, SAP_TemplateNonEditableField()) . , . SAP Security Note 916255. , . , . , XSS-: http/security_session_timeout = 900; - , . icf/set_HTTPonly_flag_on_cookies = 0; HttpOnly , - , , . HTTPOnly, Logon tickets XSS-. , RZ10, ( Profile) (, DEFAULT.PFL, SAP-). , , , Extended maintenance . , Copy. , , - , - -, : icm/HTTP/logging_0 icm/security_log , SAP NetWeaver J2EE SAP NetWeaver J2EE AS Java tc_sec_csi.jar. , HTML/XML, JavaScript, CSS URL. StringUtils (com.sap.security.core.server.csi.util.StringUtils): . Securing SAP from XSS vulnerabilities escapeScriptEndTag(String pStr) - , javascript ; escapeToHTML(String input) – (. 1) escapeToJS(String input) – JS declaration ( . 5) escapeToURL(String input) – , URL ( 3). , 'disableScriptSignatures'. escapeToURL(StringBuffer sb, String input, int maxLength) - , URL ( 3). , 'disableScriptSignatures'. escapeToURL(String input, int maxLength) - , URL (. 3). , 'disableScriptSignatures'. urlEncode(String s) – URLEncoder.encode , . 1 ( ) [CASE1] Username [CASE1] 2 ( , – URL) Click here 3 ( - URL) 4 ( SCRIPT', – ) 5 ( – declaration ) XSSEncoder. - XSSEncoder ( : com.sap.security.core.server.csi.XSSEncoder). : HTML / XML out = XSSEncoder.encodeHTML( in ) and XSSEncoder.encodeXML( val ); JavaScript out = XSSEncoder.encodeJavaScript( val ); URL out = XSSEncoder.encodeURL( val ); CSS out = XSSEncoder.encodeCSS( val ); , . SAP Security Note 1590008. WebDynpro Java WebDynpro Java, XSS. . SAP UI Development Kit for HTML5 SAP UI Development Kit HTML5, jQuery /_core/src/main/js/jquery.sap.encoder.js. : HTML / XML jQuery.sap.encodeHTML(sValue) and jQuery.sap.encodeXML(sValue) JavaScript jQuery.sap.encodeJS(sValue) URL jQuery.sap.encodeURL(sValue) CSS jQuery.sap.encodeCSS(sValue) : , : Global_app_config/session_config/sessionTimeout = 900. - , . SystemCookiesDataProtection = true. HttpOnly , - , , . HTTPOnly, Logon tickets XSS-. ume.logon.httponlycookie= True. Logon tickets , Single Sign-On J2EE Engine. “True” , HTTP document.cookie ( XSS-) . SessionIPProtectionEnabled = True. , IP . True, HTTP- IP. IP, . , , - XSS-, - -, . LogCLF = TRUE http.properties logging CEF. ArchiveOldLogFiles = ON. Log Configurator . . , . , . . HttpTrace= Enable. HTTP- , ConfigTool. HTTP Provider Service, , HttpTrace. SAP HANA XS , XSS- – SAP HANA. SAP HANA SAPUI5. - SAPUI5 , . , int int, sap.ui.core . – , HTML: , : sessiontimeout = 900. - , . HttpOnly . , , - XSS-, - -, . HTTP (S) , SAP HANA, -. - HTTP (S) , icm/http/logging _ 0: global _ auditing _ state = true. global.ini, . , , XSS-. SAP HANA Administration Console –> Security HDB –> Auditing Status menu. - , XSS. , , - SAP . XSS- – SAP. SAP XSS-. XSS SAP. , ( chipik ) . Logging additional information ABAP protection SAP Encoding Functions for AS ABAP Java protection SAP Encoding Functions for AS Java and JavaScript Prevention of Cross-site Scripting SAP HANA protection Protecting SAP® Applications Based on Java and ABAP™ Against Common Attacks

<%@page language="abap" forceEncode="html"%>
<% data: inputvalue type string.
inputvalue = request->get_form_field( 'x' ).
%>
</html>


. , ( ):

<%html=...%>: HTML <%url=...%>: URL URL <%javascript=...%>: JavaScript <%css=…%> : CSS <%raw=...%> ( , , , )

BSP

BSP HTMLB forceEncode <htmlb:content> ENABLED , ( ). ENABLED , , :<htmlb:content forceEncode="ENABLED|BACKWARDS_COMPATIBLE">

ENABLED: . , ; BACKWARDS_COMPATIBLE: . , .

, htmlb:content , . : CLASSIC, DESIGN2002, DESIGN2003, DESIGN2008, , (+). CLASSIC DESIGN2002 (, ) .

<htmlb:content forceEncode="ENABLED" design="DESIGN2003+DESIGN2008">


, design=CLASSIC. .

Mixed BSP- HTML HTMLB

forceEncode BSP page forceEncode HTMLB . , – HTMLB. , , HTML BSP,

Internet Transaction Server (ITS) HTML Business

Internet Transaction Server (ITS) HTML Business, :

xss_url_escape() xss_html_escape() xss_wml_escape() xss_css_escape() xss_js_escape()
HTML Business

, HTML-: , (`) , :
~auto_html_escaping=1: , ~new_xss_functions=1: XSS.
~html_escaping_off=1/0, .
, , SAP_BASIS:
ITS ( <= 6.40), Internet Service SE80. ITS ( >= 6.40), GUI SICF :

7.20, ~new_xss_functions, XSS- .

, , , . ~html_escaping_off=”X”, . , . SAP Security Note 1488500.

Business HTML (BHTML)

HTMLBusiness Template Library (, SAP_TemplateNonEditableField()) . , . SAP Security Note 916255.



, . , .



, XSS-:

http/security_session_timeout = 900; - , . icf/set_HTTPonly_flag_on_cookies = 0; HttpOnly , - , , . HTTPOnly, Logon tickets XSS-.

, RZ10, ( Profile) (, DEFAULT.PFL, SAP-). , , , Extended maintenance . , Copy.



, , - , - -, :
icm/HTTP/logging_0 icm/security_log ,

SAP NetWeaver J2EE

SAP NetWeaver J2EE



AS Java tc_sec_csi.jar. , HTML/XML, JavaScript, CSS URL. StringUtils (com.sap.security.core.server.csi.util.StringUtils):

. Securing SAP from XSS vulnerabilities
escapeScriptEndTag(String pStr) - , javascript ; escapeToHTML(String input) – (. 1) escapeToJS(String input) – JS declaration ( . 5) escapeToURL(String input) – , URL ( 3). , 'disableScriptSignatures'. escapeToURL(StringBuffer sb, String input, int maxLength) - , URL ( 3). , 'disableScriptSignatures'. escapeToURL(String input, int maxLength) - , URL (. 3). , 'disableScriptSignatures'. urlEncode(String s) – URLEncoder.encode

, .

1 ( )

[CASE1]

Username [CASE1]



2 ( , – URL)


Click here


3 ( - URL)




4 ( SCRIPT', – )



5 ( – declaration )



XSSEncoder.
- XSSEncoder ( : com.sap.security.core.server.csi.XSSEncoder).

:
HTML / XML out = XSSEncoder.encodeHTML( in ) and XSSEncoder.encodeXML( val ); JavaScript out = XSSEncoder.encodeJavaScript( val ); URL out = XSSEncoder.encodeURL( val ); CSS out = XSSEncoder.encodeCSS( val );

, . SAP Security Note 1590008.
WebDynpro Java
WebDynpro Java, XSS. .
SAP UI Development Kit for HTML5
SAP UI Development Kit HTML5, jQuery /_core/src/main/js/jquery.sap.encoder.js.
:
HTML / XML jQuery.sap.encodeHTML(sValue) and jQuery.sap.encodeXML(sValue) JavaScript jQuery.sap.encodeJS(sValue) URL jQuery.sap.encodeURL(sValue) CSS jQuery.sap.encodeCSS(sValue)
:

, :
Global_app_config/session_config/sessionTimeout = 900. - , . SystemCookiesDataProtection = true. HttpOnly , - , , . HTTPOnly, Logon tickets XSS-. ume.logon.httponlycookie= True. Logon tickets , Single Sign-On J2EE Engine. “True” , HTTP document.cookie ( XSS-) . SessionIPProtectionEnabled = True. , IP . True, HTTP- IP. IP, .


, , - XSS-, - -, .
LogCLF = TRUE http.properties logging CEF. ArchiveOldLogFiles = ON. Log Configurator . . , . , . . HttpTrace= Enable. HTTP- , ConfigTool. HTTP Provider Service, , HttpTrace.
SAP HANA XS

, XSS- – SAP HANA.


SAP HANA SAPUI5.
- SAPUI5 , . , int int, sap.ui.core . – , HTML:

, :
sessiontimeout = 900. - , . HttpOnly .



, , - XSS-, - -, .

HTTP (S) , SAP HANA, -. - HTTP (S) , icm/http/logging _ 0: global _ auditing _ state = true. global.ini, . , , XSS-. SAP HANA Administration Console –> Security HDB –> Auditing Status menu.



- , XSS. , , - SAP . XSS- – SAP. SAP XSS-. XSS SAP.

, ( chipik ) .


Logging additional information ABAP protection SAP Encoding Functions for AS ABAP Java protection SAP Encoding Functions for AS Java and JavaScript Prevention of Cross-site Scripting SAP HANA protection Protecting SAP® Applications Based on Java and ABAP™ Against Common Attacks

<%@page language="abap" forceEncode="html"%> <% data: inputvalue type string. inputvalue = request->get_form_field( 'x' ). %> </html> . , ( ): <%html=...%>: HTML <%url=...%>: URL URL <%javascript=...%>: JavaScript <%css=…%> : CSS <%raw=...%> ( , , , ) BSP BSP HTMLB forceEncode <htmlb:content> ENABLED , ( ). ENABLED , , :<htmlb:content forceEncode="ENABLED|BACKWARDS_COMPATIBLE"> ENABLED: . , ; BACKWARDS_COMPATIBLE: . , . , htmlb:content , . : CLASSIC, DESIGN2002, DESIGN2003, DESIGN2008, , (+). CLASSIC DESIGN2002 (, ) . <htmlb:content forceEncode="ENABLED" design="DESIGN2003+DESIGN2008"> , design=CLASSIC. . Mixed BSP- HTML HTMLB forceEncode BSP page forceEncode HTMLB . , – HTMLB. , , HTML BSP, Internet Transaction Server (ITS) HTML Business Internet Transaction Server (ITS) HTML Business, : xss_url_escape() xss_html_escape() xss_wml_escape() xss_css_escape() xss_js_escape() HTML Business , HTML-: , (`) , : ~auto_html_escaping=1: , ~new_xss_functions=1: XSS. ~html_escaping_off=1/0, . , , SAP_BASIS: ITS ( <= 6.40), Internet Service SE80. ITS ( >= 6.40), GUI SICF : 7.20, ~new_xss_functions, XSS- . , , , . ~html_escaping_off=”X”, . , . SAP Security Note 1488500. Business HTML (BHTML) HTMLBusiness Template Library (, SAP_TemplateNonEditableField()) . , . SAP Security Note 916255. , . , . , XSS-: http/security_session_timeout = 900; - , . icf/set_HTTPonly_flag_on_cookies = 0; HttpOnly , - , , . HTTPOnly, Logon tickets XSS-. , RZ10, ( Profile) (, DEFAULT.PFL, SAP-). , , , Extended maintenance . , Copy. , , - , - -, : icm/HTTP/logging_0 icm/security_log , SAP NetWeaver J2EE SAP NetWeaver J2EE AS Java tc_sec_csi.jar. , HTML/XML, JavaScript, CSS URL. StringUtils (com.sap.security.core.server.csi.util.StringUtils): . Securing SAP from XSS vulnerabilities escapeScriptEndTag(String pStr) - , javascript ; escapeToHTML(String input) – (. 1) escapeToJS(String input) – JS declaration ( . 5) escapeToURL(String input) – , URL ( 3). , 'disableScriptSignatures'. escapeToURL(StringBuffer sb, String input, int maxLength) - , URL ( 3). , 'disableScriptSignatures'. escapeToURL(String input, int maxLength) - , URL (. 3). , 'disableScriptSignatures'. urlEncode(String s) – URLEncoder.encode , . 1 ( ) [CASE1] Username [CASE1] 2 ( , – URL) Click here 3 ( - URL) 4 ( SCRIPT', – ) 5 ( – declaration ) XSSEncoder. - XSSEncoder ( : com.sap.security.core.server.csi.XSSEncoder). : HTML / XML out = XSSEncoder.encodeHTML( in ) and XSSEncoder.encodeXML( val ); JavaScript out = XSSEncoder.encodeJavaScript( val ); URL out = XSSEncoder.encodeURL( val ); CSS out = XSSEncoder.encodeCSS( val ); , . SAP Security Note 1590008. WebDynpro Java WebDynpro Java, XSS. . SAP UI Development Kit for HTML5 SAP UI Development Kit HTML5, jQuery /_core/src/main/js/jquery.sap.encoder.js. : HTML / XML jQuery.sap.encodeHTML(sValue) and jQuery.sap.encodeXML(sValue) JavaScript jQuery.sap.encodeJS(sValue) URL jQuery.sap.encodeURL(sValue) CSS jQuery.sap.encodeCSS(sValue) : , : Global_app_config/session_config/sessionTimeout = 900. - , . SystemCookiesDataProtection = true. HttpOnly , - , , . HTTPOnly, Logon tickets XSS-. ume.logon.httponlycookie= True. Logon tickets , Single Sign-On J2EE Engine. “True” , HTTP document.cookie ( XSS-) . SessionIPProtectionEnabled = True. , IP . True, HTTP- IP. IP, . , , - XSS-, - -, . LogCLF = TRUE http.properties logging CEF. ArchiveOldLogFiles = ON. Log Configurator . . , . , . . HttpTrace= Enable. HTTP- , ConfigTool. HTTP Provider Service, , HttpTrace. SAP HANA XS , XSS- – SAP HANA. SAP HANA SAPUI5. - SAPUI5 , . , int int, sap.ui.core . – , HTML: , : sessiontimeout = 900. - , . HttpOnly . , , - XSS-, - -, . HTTP (S) , SAP HANA, -. - HTTP (S) , icm/http/logging _ 0: global _ auditing _ state = true. global.ini, . , , XSS-. SAP HANA Administration Console –> Security HDB –> Auditing Status menu. - , XSS. , , - SAP . XSS- – SAP. SAP XSS-. XSS SAP. , ( chipik ) . Logging additional information ABAP protection SAP Encoding Functions for AS ABAP Java protection SAP Encoding Functions for AS Java and JavaScript Prevention of Cross-site Scripting SAP HANA protection Protecting SAP® Applications Based on Java and ABAP™ Against Common Attacks
<%@page language="abap" forceEncode="html"%> <% data: inputvalue type string. inputvalue = request->get_form_field( 'x' ). %> </html> . , ( ): <%html=...%>: HTML <%url=...%>: URL URL <%javascript=...%>: JavaScript <%css=…%> : CSS <%raw=...%> ( , , , ) BSP BSP HTMLB forceEncode <htmlb:content> ENABLED , ( ). ENABLED , , :<htmlb:content forceEncode="ENABLED|BACKWARDS_COMPATIBLE"> ENABLED: . , ; BACKWARDS_COMPATIBLE: . , . , htmlb:content , . : CLASSIC, DESIGN2002, DESIGN2003, DESIGN2008, , (+). CLASSIC DESIGN2002 (, ) . <htmlb:content forceEncode="ENABLED" design="DESIGN2003+DESIGN2008"> , design=CLASSIC. . Mixed BSP- HTML HTMLB forceEncode BSP page forceEncode HTMLB . , – HTMLB. , , HTML BSP, Internet Transaction Server (ITS) HTML Business Internet Transaction Server (ITS) HTML Business, : xss_url_escape() xss_html_escape() xss_wml_escape() xss_css_escape() xss_js_escape() HTML Business , HTML-: , (`) , : ~auto_html_escaping=1: , ~new_xss_functions=1: XSS. ~html_escaping_off=1/0, . , , SAP_BASIS: ITS ( <= 6.40), Internet Service SE80. ITS ( >= 6.40), GUI SICF : 7.20, ~new_xss_functions, XSS- . , , , . ~html_escaping_off=”X”, . , . SAP Security Note 1488500. Business HTML (BHTML) HTMLBusiness Template Library (, SAP_TemplateNonEditableField()) . , . SAP Security Note 916255. , . , . , XSS-: http/security_session_timeout = 900; - , . icf/set_HTTPonly_flag_on_cookies = 0; HttpOnly , - , , . HTTPOnly, Logon tickets XSS-. , RZ10, ( Profile) (, DEFAULT.PFL, SAP-). , , , Extended maintenance . , Copy. , , - , - -, : icm/HTTP/logging_0 icm/security_log , SAP NetWeaver J2EE SAP NetWeaver J2EE AS Java tc_sec_csi.jar. , HTML/XML, JavaScript, CSS URL. StringUtils (com.sap.security.core.server.csi.util.StringUtils): . Securing SAP from XSS vulnerabilities escapeScriptEndTag(String pStr) - , javascript ; escapeToHTML(String input) – (. 1) escapeToJS(String input) – JS declaration ( . 5) escapeToURL(String input) – , URL ( 3). , 'disableScriptSignatures'. escapeToURL(StringBuffer sb, String input, int maxLength) - , URL ( 3). , 'disableScriptSignatures'. escapeToURL(String input, int maxLength) - , URL (. 3). , 'disableScriptSignatures'. urlEncode(String s) – URLEncoder.encode , . 1 ( ) [CASE1] Username [CASE1] 2 ( , – URL) Click here 3 ( - URL) 4 ( SCRIPT', – ) 5 ( – declaration ) XSSEncoder. - XSSEncoder ( : com.sap.security.core.server.csi.XSSEncoder). : HTML / XML out = XSSEncoder.encodeHTML( in ) and XSSEncoder.encodeXML( val ); JavaScript out = XSSEncoder.encodeJavaScript( val ); URL out = XSSEncoder.encodeURL( val ); CSS out = XSSEncoder.encodeCSS( val ); , . SAP Security Note 1590008. WebDynpro Java WebDynpro Java, XSS. . SAP UI Development Kit for HTML5 SAP UI Development Kit HTML5, jQuery /_core/src/main/js/jquery.sap.encoder.js. : HTML / XML jQuery.sap.encodeHTML(sValue) and jQuery.sap.encodeXML(sValue) JavaScript jQuery.sap.encodeJS(sValue) URL jQuery.sap.encodeURL(sValue) CSS jQuery.sap.encodeCSS(sValue) : , : Global_app_config/session_config/sessionTimeout = 900. - , . SystemCookiesDataProtection = true. HttpOnly , - , , . HTTPOnly, Logon tickets XSS-. ume.logon.httponlycookie= True. Logon tickets , Single Sign-On J2EE Engine. “True” , HTTP document.cookie ( XSS-) . SessionIPProtectionEnabled = True. , IP . True, HTTP- IP. IP, . , , - XSS-, - -, . LogCLF = TRUE http.properties logging CEF. ArchiveOldLogFiles = ON. Log Configurator . . , . , . . HttpTrace= Enable. HTTP- , ConfigTool. HTTP Provider Service, , HttpTrace. SAP HANA XS , XSS- – SAP HANA. SAP HANA SAPUI5. - SAPUI5 , . , int int, sap.ui.core . – , HTML: , : sessiontimeout = 900. - , . HttpOnly . , , - XSS-, - -, . HTTP (S) , SAP HANA, -. - HTTP (S) , icm/http/logging _ 0: global _ auditing _ state = true. global.ini, . , , XSS-. SAP HANA Administration Console –> Security HDB –> Auditing Status menu. - , XSS. , , - SAP . XSS- – SAP. SAP XSS-. XSS SAP. , ( chipik ) . Logging additional information ABAP protection SAP Encoding Functions for AS ABAP Java protection SAP Encoding Functions for AS Java and JavaScript Prevention of Cross-site Scripting SAP HANA protection Protecting SAP® Applications Based on Java and ABAP™ Against Common Attacks
<%@page language="abap" forceEncode="html"%> <% data: inputvalue type string. inputvalue = request->get_form_field( 'x' ). %> </html> . , ( ): <%html=...%>: HTML <%url=...%>: URL URL <%javascript=...%>: JavaScript <%css=…%> : CSS <%raw=...%> ( , , , ) BSP BSP HTMLB forceEncode <htmlb:content> ENABLED , ( ). ENABLED , , :<htmlb:content forceEncode="ENABLED|BACKWARDS_COMPATIBLE"> ENABLED: . , ; BACKWARDS_COMPATIBLE: . , . , htmlb:content , . : CLASSIC, DESIGN2002, DESIGN2003, DESIGN2008, , (+). CLASSIC DESIGN2002 (, ) . <htmlb:content forceEncode="ENABLED" design="DESIGN2003+DESIGN2008"> , design=CLASSIC. . Mixed BSP- HTML HTMLB forceEncode BSP page forceEncode HTMLB . , – HTMLB. , , HTML BSP, Internet Transaction Server (ITS) HTML Business Internet Transaction Server (ITS) HTML Business, : xss_url_escape() xss_html_escape() xss_wml_escape() xss_css_escape() xss_js_escape() HTML Business , HTML-: , (`) , : ~auto_html_escaping=1: , ~new_xss_functions=1: XSS. ~html_escaping_off=1/0, . , , SAP_BASIS: ITS ( <= 6.40), Internet Service SE80. ITS ( >= 6.40), GUI SICF : 7.20, ~new_xss_functions, XSS- . , , , . ~html_escaping_off=”X”, . , . SAP Security Note 1488500. Business HTML (BHTML) HTMLBusiness Template Library (, SAP_TemplateNonEditableField()) . , . SAP Security Note 916255. , . , . , XSS-: http/security_session_timeout = 900; - , . icf/set_HTTPonly_flag_on_cookies = 0; HttpOnly , - , , . HTTPOnly, Logon tickets XSS-. , RZ10, ( Profile) (, DEFAULT.PFL, SAP-). , , , Extended maintenance . , Copy. , , - , - -, : icm/HTTP/logging_0 icm/security_log , SAP NetWeaver J2EE SAP NetWeaver J2EE AS Java tc_sec_csi.jar. , HTML/XML, JavaScript, CSS URL. StringUtils (com.sap.security.core.server.csi.util.StringUtils): . Securing SAP from XSS vulnerabilities escapeScriptEndTag(String pStr) - , javascript ; escapeToHTML(String input) – (. 1) escapeToJS(String input) – JS declaration ( . 5) escapeToURL(String input) – , URL ( 3). , 'disableScriptSignatures'. escapeToURL(StringBuffer sb, String input, int maxLength) - , URL ( 3). , 'disableScriptSignatures'. escapeToURL(String input, int maxLength) - , URL (. 3). , 'disableScriptSignatures'. urlEncode(String s) – URLEncoder.encode , . 1 ( ) [CASE1] Username [CASE1] 2 ( , – URL) Click here 3 ( - URL) 4 ( SCRIPT', – ) 5 ( – declaration ) XSSEncoder. - XSSEncoder ( : com.sap.security.core.server.csi.XSSEncoder). : HTML / XML out = XSSEncoder.encodeHTML( in ) and XSSEncoder.encodeXML( val ); JavaScript out = XSSEncoder.encodeJavaScript( val ); URL out = XSSEncoder.encodeURL( val ); CSS out = XSSEncoder.encodeCSS( val ); , . SAP Security Note 1590008. WebDynpro Java WebDynpro Java, XSS. . SAP UI Development Kit for HTML5 SAP UI Development Kit HTML5, jQuery /_core/src/main/js/jquery.sap.encoder.js. : HTML / XML jQuery.sap.encodeHTML(sValue) and jQuery.sap.encodeXML(sValue) JavaScript jQuery.sap.encodeJS(sValue) URL jQuery.sap.encodeURL(sValue) CSS jQuery.sap.encodeCSS(sValue) : , : Global_app_config/session_config/sessionTimeout = 900. - , . SystemCookiesDataProtection = true. HttpOnly , - , , . HTTPOnly, Logon tickets XSS-. ume.logon.httponlycookie= True. Logon tickets , Single Sign-On J2EE Engine. “True” , HTTP document.cookie ( XSS-) . SessionIPProtectionEnabled = True. , IP . True, HTTP- IP. IP, . , , - XSS-, - -, . LogCLF = TRUE http.properties logging CEF. ArchiveOldLogFiles = ON. Log Configurator . . , . , . . HttpTrace= Enable. HTTP- , ConfigTool. HTTP Provider Service, , HttpTrace. SAP HANA XS , XSS- – SAP HANA. SAP HANA SAPUI5. - SAPUI5 , . , int int, sap.ui.core . – , HTML: , : sessiontimeout = 900. - , . HttpOnly . , , - XSS-, - -, . HTTP (S) , SAP HANA, -. - HTTP (S) , icm/http/logging _ 0: global _ auditing _ state = true. global.ini, . , , XSS-. SAP HANA Administration Console –> Security HDB –> Auditing Status menu. - , XSS. , , - SAP . XSS- – SAP. SAP XSS-. XSS SAP. , ( chipik ) . Logging additional information ABAP protection SAP Encoding Functions for AS ABAP Java protection SAP Encoding Functions for AS Java and JavaScript Prevention of Cross-site Scripting SAP HANA protection Protecting SAP® Applications Based on Java and ABAP™ Against Common Attacks
<%@page language="abap" forceEncode="html"%> <% data: inputvalue type string. inputvalue = request->get_form_field( 'x' ). %> </html> . , ( ): <%html=...%>: HTML <%url=...%>: URL URL <%javascript=...%>: JavaScript <%css=…%> : CSS <%raw=...%> ( , , , ) BSP BSP HTMLB forceEncode <htmlb:content> ENABLED , ( ). ENABLED , , :<htmlb:content forceEncode="ENABLED|BACKWARDS_COMPATIBLE"> ENABLED: . , ; BACKWARDS_COMPATIBLE: . , . , htmlb:content , . : CLASSIC, DESIGN2002, DESIGN2003, DESIGN2008, , (+). CLASSIC DESIGN2002 (, ) . <htmlb:content forceEncode="ENABLED" design="DESIGN2003+DESIGN2008"> , design=CLASSIC. . Mixed BSP- HTML HTMLB forceEncode BSP page forceEncode HTMLB . , – HTMLB. , , HTML BSP, Internet Transaction Server (ITS) HTML Business Internet Transaction Server (ITS) HTML Business, : xss_url_escape() xss_html_escape() xss_wml_escape() xss_css_escape() xss_js_escape() HTML Business , HTML-: , (`) , : ~auto_html_escaping=1: , ~new_xss_functions=1: XSS. ~html_escaping_off=1/0, . , , SAP_BASIS: ITS ( <= 6.40), Internet Service SE80. ITS ( >= 6.40), GUI SICF : 7.20, ~new_xss_functions, XSS- . , , , . ~html_escaping_off=”X”, . , . SAP Security Note 1488500. Business HTML (BHTML) HTMLBusiness Template Library (, SAP_TemplateNonEditableField()) . , . SAP Security Note 916255. , . , . , XSS-: http/security_session_timeout = 900; - , . icf/set_HTTPonly_flag_on_cookies = 0; HttpOnly , - , , . HTTPOnly, Logon tickets XSS-. , RZ10, ( Profile) (, DEFAULT.PFL, SAP-). , , , Extended maintenance . , Copy. , , - , - -, : icm/HTTP/logging_0 icm/security_log , SAP NetWeaver J2EE SAP NetWeaver J2EE AS Java tc_sec_csi.jar. , HTML/XML, JavaScript, CSS URL. StringUtils (com.sap.security.core.server.csi.util.StringUtils): . Securing SAP from XSS vulnerabilities escapeScriptEndTag(String pStr) - , javascript ; escapeToHTML(String input) – (. 1) escapeToJS(String input) – JS declaration ( . 5) escapeToURL(String input) – , URL ( 3). , 'disableScriptSignatures'. escapeToURL(StringBuffer sb, String input, int maxLength) - , URL ( 3). , 'disableScriptSignatures'. escapeToURL(String input, int maxLength) - , URL (. 3). , 'disableScriptSignatures'. urlEncode(String s) – URLEncoder.encode , . 1 ( ) [CASE1] Username [CASE1] 2 ( , – URL) Click here 3 ( - URL) 4 ( SCRIPT', – ) 5 ( – declaration ) XSSEncoder. - XSSEncoder ( : com.sap.security.core.server.csi.XSSEncoder). : HTML / XML out = XSSEncoder.encodeHTML( in ) and XSSEncoder.encodeXML( val ); JavaScript out = XSSEncoder.encodeJavaScript( val ); URL out = XSSEncoder.encodeURL( val ); CSS out = XSSEncoder.encodeCSS( val ); , . SAP Security Note 1590008. WebDynpro Java WebDynpro Java, XSS. . SAP UI Development Kit for HTML5 SAP UI Development Kit HTML5, jQuery /_core/src/main/js/jquery.sap.encoder.js. : HTML / XML jQuery.sap.encodeHTML(sValue) and jQuery.sap.encodeXML(sValue) JavaScript jQuery.sap.encodeJS(sValue) URL jQuery.sap.encodeURL(sValue) CSS jQuery.sap.encodeCSS(sValue) : , : Global_app_config/session_config/sessionTimeout = 900. - , . SystemCookiesDataProtection = true. HttpOnly , - , , . HTTPOnly, Logon tickets XSS-. ume.logon.httponlycookie= True. Logon tickets , Single Sign-On J2EE Engine. “True” , HTTP document.cookie ( XSS-) . SessionIPProtectionEnabled = True. , IP . True, HTTP- IP. IP, . , , - XSS-, - -, . LogCLF = TRUE http.properties logging CEF. ArchiveOldLogFiles = ON. Log Configurator . . , . , . . HttpTrace= Enable. HTTP- , ConfigTool. HTTP Provider Service, , HttpTrace. SAP HANA XS , XSS- – SAP HANA. SAP HANA SAPUI5. - SAPUI5 , . , int int, sap.ui.core . – , HTML: , : sessiontimeout = 900. - , . HttpOnly . , , - XSS-, - -, . HTTP (S) , SAP HANA, -. - HTTP (S) , icm/http/logging _ 0: global _ auditing _ state = true. global.ini, . , , XSS-. SAP HANA Administration Console –> Security HDB –> Auditing Status menu. - , XSS. , , - SAP . XSS- – SAP. SAP XSS-. XSS SAP. , ( chipik ) . Logging additional information ABAP protection SAP Encoding Functions for AS ABAP Java protection SAP Encoding Functions for AS Java and JavaScript Prevention of Cross-site Scripting SAP HANA protection Protecting SAP® Applications Based on Java and ABAP™ Against Common Attacks
<%@page language="abap" forceEncode="html"%> <% data: inputvalue type string. inputvalue = request->get_form_field( 'x' ). %> </html> . , ( ): <%html=...%>: HTML <%url=...%>: URL URL <%javascript=...%>: JavaScript <%css=…%> : CSS <%raw=...%> ( , , , ) BSP BSP HTMLB forceEncode <htmlb:content> ENABLED , ( ). ENABLED , , :<htmlb:content forceEncode="ENABLED|BACKWARDS_COMPATIBLE"> ENABLED: . , ; BACKWARDS_COMPATIBLE: . , . , htmlb:content , . : CLASSIC, DESIGN2002, DESIGN2003, DESIGN2008, , (+). CLASSIC DESIGN2002 (, ) . <htmlb:content forceEncode="ENABLED" design="DESIGN2003+DESIGN2008"> , design=CLASSIC. . Mixed BSP- HTML HTMLB forceEncode BSP page forceEncode HTMLB . , – HTMLB. , , HTML BSP, Internet Transaction Server (ITS) HTML Business Internet Transaction Server (ITS) HTML Business, : xss_url_escape() xss_html_escape() xss_wml_escape() xss_css_escape() xss_js_escape() HTML Business , HTML-: , (`) , : ~auto_html_escaping=1: , ~new_xss_functions=1: XSS. ~html_escaping_off=1/0, . , , SAP_BASIS: ITS ( <= 6.40), Internet Service SE80. ITS ( >= 6.40), GUI SICF : 7.20, ~new_xss_functions, XSS- . , , , . ~html_escaping_off=”X”, . , . SAP Security Note 1488500. Business HTML (BHTML) HTMLBusiness Template Library (, SAP_TemplateNonEditableField()) . , . SAP Security Note 916255. , . , . , XSS-: http/security_session_timeout = 900; - , . icf/set_HTTPonly_flag_on_cookies = 0; HttpOnly , - , , . HTTPOnly, Logon tickets XSS-. , RZ10, ( Profile) (, DEFAULT.PFL, SAP-). , , , Extended maintenance . , Copy. , , - , - -, : icm/HTTP/logging_0 icm/security_log , SAP NetWeaver J2EE SAP NetWeaver J2EE AS Java tc_sec_csi.jar. , HTML/XML, JavaScript, CSS URL. StringUtils (com.sap.security.core.server.csi.util.StringUtils): . Securing SAP from XSS vulnerabilities escapeScriptEndTag(String pStr) - , javascript ; escapeToHTML(String input) – (. 1) escapeToJS(String input) – JS declaration ( . 5) escapeToURL(String input) – , URL ( 3). , 'disableScriptSignatures'. escapeToURL(StringBuffer sb, String input, int maxLength) - , URL ( 3). , 'disableScriptSignatures'. escapeToURL(String input, int maxLength) - , URL (. 3). , 'disableScriptSignatures'. urlEncode(String s) – URLEncoder.encode , . 1 ( ) [CASE1] Username [CASE1] 2 ( , – URL) Click here 3 ( - URL) 4 ( SCRIPT', – ) 5 ( – declaration ) XSSEncoder. - XSSEncoder ( : com.sap.security.core.server.csi.XSSEncoder). : HTML / XML out = XSSEncoder.encodeHTML( in ) and XSSEncoder.encodeXML( val ); JavaScript out = XSSEncoder.encodeJavaScript( val ); URL out = XSSEncoder.encodeURL( val ); CSS out = XSSEncoder.encodeCSS( val ); , . SAP Security Note 1590008. WebDynpro Java WebDynpro Java, XSS. . SAP UI Development Kit for HTML5 SAP UI Development Kit HTML5, jQuery /_core/src/main/js/jquery.sap.encoder.js. : HTML / XML jQuery.sap.encodeHTML(sValue) and jQuery.sap.encodeXML(sValue) JavaScript jQuery.sap.encodeJS(sValue) URL jQuery.sap.encodeURL(sValue) CSS jQuery.sap.encodeCSS(sValue) : , : Global_app_config/session_config/sessionTimeout = 900. - , . SystemCookiesDataProtection = true. HttpOnly , - , , . HTTPOnly, Logon tickets XSS-. ume.logon.httponlycookie= True. Logon tickets , Single Sign-On J2EE Engine. “True” , HTTP document.cookie ( XSS-) . SessionIPProtectionEnabled = True. , IP . True, HTTP- IP. IP, . , , - XSS-, - -, . LogCLF = TRUE http.properties logging CEF. ArchiveOldLogFiles = ON. Log Configurator . . , . , . . HttpTrace= Enable. HTTP- , ConfigTool. HTTP Provider Service, , HttpTrace. SAP HANA XS , XSS- – SAP HANA. SAP HANA SAPUI5. - SAPUI5 , . , int int, sap.ui.core . – , HTML: , : sessiontimeout = 900. - , . HttpOnly . , , - XSS-, - -, . HTTP (S) , SAP HANA, -. - HTTP (S) , icm/http/logging _ 0: global _ auditing _ state = true. global.ini, . , , XSS-. SAP HANA Administration Console –> Security HDB –> Auditing Status menu. - , XSS. , , - SAP . XSS- – SAP. SAP XSS-. XSS SAP. , ( chipik ) . Logging additional information ABAP protection SAP Encoding Functions for AS ABAP Java protection SAP Encoding Functions for AS Java and JavaScript Prevention of Cross-site Scripting SAP HANA protection Protecting SAP® Applications Based on Java and ABAP™ Against Common Attacks
<%@page language="abap" forceEncode="html"%> <% data: inputvalue type string. inputvalue = request->get_form_field( 'x' ). %> </html> . , ( ): <%html=...%>: HTML <%url=...%>: URL URL <%javascript=...%>: JavaScript <%css=…%> : CSS <%raw=...%> ( , , , ) BSP BSP HTMLB forceEncode <htmlb:content> ENABLED , ( ). ENABLED , , :<htmlb:content forceEncode="ENABLED|BACKWARDS_COMPATIBLE"> ENABLED: . , ; BACKWARDS_COMPATIBLE: . , . , htmlb:content , . : CLASSIC, DESIGN2002, DESIGN2003, DESIGN2008, , (+). CLASSIC DESIGN2002 (, ) . <htmlb:content forceEncode="ENABLED" design="DESIGN2003+DESIGN2008"> , design=CLASSIC. . Mixed BSP- HTML HTMLB forceEncode BSP page forceEncode HTMLB . , – HTMLB. , , HTML BSP, Internet Transaction Server (ITS) HTML Business Internet Transaction Server (ITS) HTML Business, : xss_url_escape() xss_html_escape() xss_wml_escape() xss_css_escape() xss_js_escape() HTML Business , HTML-: , (`) , : ~auto_html_escaping=1: , ~new_xss_functions=1: XSS. ~html_escaping_off=1/0, . , , SAP_BASIS: ITS ( <= 6.40), Internet Service SE80. ITS ( >= 6.40), GUI SICF : 7.20, ~new_xss_functions, XSS- . , , , . ~html_escaping_off=”X”, . , . SAP Security Note 1488500. Business HTML (BHTML) HTMLBusiness Template Library (, SAP_TemplateNonEditableField()) . , . SAP Security Note 916255. , . , . , XSS-: http/security_session_timeout = 900; - , . icf/set_HTTPonly_flag_on_cookies = 0; HttpOnly , - , , . HTTPOnly, Logon tickets XSS-. , RZ10, ( Profile) (, DEFAULT.PFL, SAP-). , , , Extended maintenance . , Copy. , , - , - -, : icm/HTTP/logging_0 icm/security_log , SAP NetWeaver J2EE SAP NetWeaver J2EE AS Java tc_sec_csi.jar. , HTML/XML, JavaScript, CSS URL. StringUtils (com.sap.security.core.server.csi.util.StringUtils): . Securing SAP from XSS vulnerabilities escapeScriptEndTag(String pStr) - , javascript ; escapeToHTML(String input) – (. 1) escapeToJS(String input) – JS declaration ( . 5) escapeToURL(String input) – , URL ( 3). , 'disableScriptSignatures'. escapeToURL(StringBuffer sb, String input, int maxLength) - , URL ( 3). , 'disableScriptSignatures'. escapeToURL(String input, int maxLength) - , URL (. 3). , 'disableScriptSignatures'. urlEncode(String s) – URLEncoder.encode , . 1 ( ) [CASE1] Username [CASE1] 2 ( , – URL) Click here 3 ( - URL) 4 ( SCRIPT', – ) 5 ( – declaration ) XSSEncoder. - XSSEncoder ( : com.sap.security.core.server.csi.XSSEncoder). : HTML / XML out = XSSEncoder.encodeHTML( in ) and XSSEncoder.encodeXML( val ); JavaScript out = XSSEncoder.encodeJavaScript( val ); URL out = XSSEncoder.encodeURL( val ); CSS out = XSSEncoder.encodeCSS( val ); , . SAP Security Note 1590008. WebDynpro Java WebDynpro Java, XSS. . SAP UI Development Kit for HTML5 SAP UI Development Kit HTML5, jQuery /_core/src/main/js/jquery.sap.encoder.js. : HTML / XML jQuery.sap.encodeHTML(sValue) and jQuery.sap.encodeXML(sValue) JavaScript jQuery.sap.encodeJS(sValue) URL jQuery.sap.encodeURL(sValue) CSS jQuery.sap.encodeCSS(sValue) : , : Global_app_config/session_config/sessionTimeout = 900. - , . SystemCookiesDataProtection = true. HttpOnly , - , , . HTTPOnly, Logon tickets XSS-. ume.logon.httponlycookie= True. Logon tickets , Single Sign-On J2EE Engine. “True” , HTTP document.cookie ( XSS-) . SessionIPProtectionEnabled = True. , IP . True, HTTP- IP. IP, . , , - XSS-, - -, . LogCLF = TRUE http.properties logging CEF. ArchiveOldLogFiles = ON. Log Configurator . . , . , . . HttpTrace= Enable. HTTP- , ConfigTool. HTTP Provider Service, , HttpTrace. SAP HANA XS , XSS- – SAP HANA. SAP HANA SAPUI5. - SAPUI5 , . , int int, sap.ui.core . – , HTML: , : sessiontimeout = 900. - , . HttpOnly . , , - XSS-, - -, . HTTP (S) , SAP HANA, -. - HTTP (S) , icm/http/logging _ 0: global _ auditing _ state = true. global.ini, . , , XSS-. SAP HANA Administration Console –> Security HDB –> Auditing Status menu. - , XSS. , , - SAP . XSS- – SAP. SAP XSS-. XSS SAP. , ( chipik ) . Logging additional information ABAP protection SAP Encoding Functions for AS ABAP Java protection SAP Encoding Functions for AS Java and JavaScript Prevention of Cross-site Scripting SAP HANA protection Protecting SAP® Applications Based on Java and ABAP™ Against Common Attacks

SAPのXSS保護について知りたいこと