Web Dynpro ABAP Security Guide

It is important to consider security issues when you create Web applications using the Web Dynpro ABAP programming model. Security functions are provided for when you create Web applications as well as for when you operate them.

Security in AS-ABAP

For information about security issues for creating Web Dynpro applications in AS-ABAP systems, see:

Network Infrastructure
Security in AS-ABAP
Note in particular the Configuration for SSL Support.
Furthermore, a function is provided for increasing performance in the case of multiple logons, namely the Logon Ticket Cache.
Certain Virus Scan Profiles are delivered by SAP in the standard system. A virus scan is provided for HTTP upload.
For more information, see: Virus Scan Interface).
If problems occur with missing certificates for Web Dynpro ABAP applications, follow the recommendations for building trust relationships for server-side authentication.
For more information, see: SSL -Scenario 1: Trust Relationship for Server-Side Authentication.

Caution Caution

In a productive system the following HTTP service nodes (transaction SICF) are not active for the Configuration, since a configuration always represents a development.

/sap/bc/webdynpro/sap/CONFIGURE_APPLICATION
/sap/bc/webdynpro/sap/CONFIGURE_COMPONENT
/sap/bc/webdynpro/sap/WD_ANALYZE_CONFIG_APPL
/sap/bc/webdynpro/sap/WD_ANALYZE_CONFIG_COMP
/sap/bc/webdynpro/sap/WD_ANALYZE_CONFIG_USER

For more information about active service nodes in the HTTP service tree, see Active Services in the SICF.

End of the caution.

Security Issues When Developing Web Dynpro Applications

Data Security in Web Applications
Permissibility of Database Changes
Security of View Context Data
Security Notes for FileUpload UI Elements
Security for UI Element Events
In an SSR client only those events can be triggered by a JavaScript attack that can also be triggered by a user interaction. The UI element associated with each event arriving on the server is checked to ensure it is visible and enabled. Certain events are also restricted by the attribute readOnly of the UI element when it is executed. In such cases this is also checked.
Security of URL Parameters
An application can define its own URL parameters. The content of these parameters should be checked by the application to avoid any attacks occurring this way. URL Parameters provided by Web Dynpro are automatically checked by the Web Dynpro runtime.

User Administration

Logging on to Web Applications
To access a Web application, AS ABAP uses the HTTP framework from the Internet Communication Manager (ICF), which provides functions for Logging On to AS ABAP.

Caution

Refer in particular to Activating and Deactivating Services. For security reasons, the only services that should be active in the HTTP service tree are those services that you really need. If, however, you activate nodes at a higher level, this means that the whole part of the service tree below this level is completely open and is therefore not secure if an anonymous user is defined, for example.

End of the caution.

A simple procedure is available for developing and configuring the system Logon with Web applications. The security functions are integrated in this procedure.
Authorizations
- General authorization checks for services and application are available in the ICF.
  For more information, see: Authorizations). If required, special authorization checks for Web Dynpro Applications are made by the respective application.
- There is a separate Authorization Check for launching Web Dynpro ABAP applications.
- An authorization check is provided by Web Dynpro ABAP, (see Authorizations for Personalization and Customizing). It checks the administration authorization for personalizing UI elements.
Application Logoff Page
You can use your own logoff page for your Web Dynpro application: Application Logoff Page
SAP Trust Center Service
Customers can use the SAP Trust Service Center to have SAP passports issued. Here the customer ABAP system acts as the registration authority (RA) and SAP as the certification authority (CA).

Note
For this, note that the users first have to log on (once) to the browser-based ABAP system using the password at the customer-side so that they can then request the SAP passports. Once these have been requested, they can be used from the browser - provided that an HTTP URL is used. In this case, the browser-based logon takes place completely automatically (using the SAP passport or X.509 certificates), irrespective of whether you call the browser directly, click on an HTTP URL in a mail, or the BEx Analyzer triggers the URL.

End of the note.

For more information on SAP Trust Center Services for SAP Passports, see http://service.sap.com/~form/sapnet?_SHORTKEY=01100035870000437021&SCENARIO=01100035870000000202&.

Web Applications Without Domain Relaxing

Before SAP NetWeaver 7.0 SP6 a Web Dynpro application could not be run isolated in an environment (for instance, in SAP NetWeaver portal), since it always relaxed the domain in its environment. However, for applications where security is critical this opens up a gateway for attack. Attackers could run their own application in a different IFrame, relax their domain too, and access sensitive data from the original application.

To ensure this does not happen, application parameter WDPROTECTEDAPPLICATION can be set for an application on the server, regardless of whether the application relaxes its domain or not.

The standard setting is where the domain remains relaxed. The parameter is used to deactivate this standard setting for applications where security is critical.

Check for which of your applications security is critical and set the indicator in the Web Dynpro application accordingly. To do this select the Web Dynpro application in SE80 and go to the tab page Parameters. Using F4 help on the parameter you can select the entry WDPROTECTEDAPPLICATION and set its value to X.

Web Dynpro Console

If parameter sap-wd-ssrconsole=true is set to true, the Web Dynpro console is displayed. This contains various information, such as the build number of the rendering, the version in use and other information to support error handling. No data can be input.

Application Error Pages

You can suppress the standard error page generated by the ICF and define your own error page instead: Application Error Page

Security Risk List

A white list infrastructure in the HTTP framework fends off XSS attacks: Security Risk List

The white list is also relevant for the Web Dynpro ABAP portal integration; for a WDA view, the portal stylesheet URL is passed to Web Dynpro ABAP by means of the URL parameter. You must therefore enter the URL of the portal into the white list if using the portal integration.

For security reasons, a white list is required to use the UI elements AcfExecute and AcfUpDownload. You can find further information in the documentation of these two UI elements and in the Implementation Guide (IMG) the in the system.

URL Generation

See URL Generation in an AS-ABAP - Web Dispatcher Configuration

Security for Portal Integration

For security reasons, we recommend that you use SAP logon tickets or X.509 certificates for portal integration. Other logon procedures are not fully supported.

Externe Stylesheet Information

The Enterprise Portal can use URL parameters to pass information to the Web Dynpro ABAP application about the stylesheet to be used. Stylesheets names as well as entire stylesheets can be passed in URL parameters to the application. For more information, see Security Risk List.

To prevent external stylesheet information being used, that is prevent external control, you can set Web Dynpro ABAP application parameter WDUSEEXTERNALSTYLESHEET to value OFF.

For more information, see Application Parameters and URL Parameters.

Notes

Relevant SAP notes

Note Number	Title
1088717	Active Services for Web Dynpro ABAP in Transaction SICF
510007	Setting Up SSL on the Web Application Server
420085	Logon Ticket Cache
853878	HTTP Whitelist Check (security)