Session Security Protection
There are many types of session-based attacks, such as, impersonation, where a malicious user attempts to access another user's session by posing as that user.
These types of attacks require that, the malicious user obtains a valid session identifier, as this is the minimum amount of information required for identification.
Activating secure session management in the SAP Gateway host protects and prevents access to SAP logon ticket and security session cookies (SAP_SESSIONID_<sid>...<client>), through Javascript and plug-ins.
Within a secure session, users can start applications that require a user logon without logging on again. When a security session ends, the system also ends all applications that are linked to this security session.
Also, use Secure Session Management (transaction SICF_SESSIONS) together with other authentication methods you choose to implement in the SAP Gateway host, for example, SAML.
For protection of session cookies, use HTTPS transport.
Cross Site Scripting Protection
Cross site scripting (XSS) describes all vulnerabilities that allow an attacker to inject HTML markup or JavaScript into a Web application's front-end.
XSS can occur whenever the application dynamically creates its HTML/JavaScript/CSS content which is passed to the user's Web browser and an attacker-controlled values are used in this process.
SAP Gateway is compliant with RFC 4287 which states the following:
If the value of "type" is "html", the content of atom:content MUST NOT contain child elements and SHOULD be suitable for handling as HTML [HTML]. The HTML markup MUST be escaped; for example, " " as "<br>".
The HTML markup SHOULD be such that it could validly appear directly within an HTML element. Atom Processors that display the content MAY use the markup to aid in displaying it.
For more information, see https://tools.ietf.org/html/rfc4287#section-4.1.3.3
In addition, all modifying requests through SAP Gateway is protected using tokens for Cross-Site Request Forgery (CSRF).