Canonicalization describes the mechanisms for reducing the different polymorphic representations of a value to a single canonical form. For example, within the context of a search engine, the data file Hello World.doc may be accessible by any one of the following polymorphic links:
The canonical representation ensures that 'strange' but allowed forms of an expression (for example, URL encoding or Unicode) do not slip past any filter mechanisms. A polymorphic representation of data is not necessarily an attack in itself, but it helps to smuggle malicious data past a filter by "disguising" it.
The following figure clarifies what you, as a developer, have to do:
Example of the original file, which one is allowed to access:
c:\sap\file\test.txt
The following are examples of potentially malicious code.
Example Code 1
c:\sap\file\test.asp
Access to the file is denied by the filter of the process, due to the extension .asp. Such a filter does not accept any .asp or .jsp extensions.
Example Code 2
c:\sap\file\test.asp::$data
The file name ends with data (the NTFS default data stream suffix ::$data), which the process filter does not interpret as a malicious ending such as .asp or .jsp. Therefore, the file is accessed by the interpreter.
Example Code 3
c:\sap\file\test.asp%00de.doc
The file name ends with doc, which the process filter does not interpret as a malicious ending such as .asp or .jsp. The file is opened anyway, because the interpreter ignores everything that follows the NULL byte (%00), so it actually opens test.asp.
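The three examples above all defeat a filter that inspects the request string as it arrives. The added Python example below (not part of the original page or of any SAP library) puts the naive deny-list check next to a canonicalizing check: the request is percent-decoded until stable, NUL bytes and stream/drive separators are rejected, the path is normalized, and only then is the extension compared against an allow list. The base directory /srv/sap/file, the allow list and the request strings are constructed for the example.

```python
import posixpath
from urllib.parse import unquote

# Constructed policy for this example (not SAP's configuration): files are served from
# BASE_DIR and only these document types may be accessed.
BASE_DIR = "/srv/sap/file"
ALLOWED_EXTENSIONS = {".txt", ".doc"}
BLOCKED_EXTENSIONS = {".asp", ".jsp"}


def naive_filter(name: str) -> bool:
    """The deny-list check from the examples above: inspect only the literal ending of
    the request string. Returns True when the request passes the filter."""
    return not name.lower().endswith(tuple(BLOCKED_EXTENSIONS))


def canonicalize(name: str) -> str:
    """Reduce a client-supplied file name to one canonical relative path.

    Raises ValueError for representations that have no single safe meaning.
    """
    # Undo percent-encoding until the result is stable, so a doubly encoded %2500
    # collapses to a NUL byte just like %00 does.
    decoded, previous = name, None
    while decoded != previous:
        previous, decoded = decoded, unquote(decoded)
    # A NUL byte makes the name mean different things to the filter and to the C-style
    # open() call that stops reading at the NUL (Example Code 3).
    if "\x00" in decoded:
        raise ValueError("NUL byte in file name")
    # NTFS stream syntax (Example Code 2) and drive letters both use ':'. Neither belongs
    # in a client-supplied name, so reject the separator instead of trying to strip it.
    if ":" in decoded:
        raise ValueError("stream or drive separator in file name")
    # Windows and POSIX separators are equivalent to the file system; use one form.
    normalised = posixpath.normpath(decoded.replace("\\", "/"))
    if normalised.startswith("/") or normalised == ".." or normalised.startswith("../"):
        raise ValueError("path escapes the base directory")
    return normalised


def check_access(name: str) -> tuple[bool, str]:
    """Canonicalize first, then apply the extension policy to the canonical form.
    Returns (allowed, canonical absolute path or rejection reason)."""
    try:
        canonical = canonicalize(name)
    except ValueError as exc:
        return False, str(exc)
    ext = posixpath.splitext(canonical)[1].lower()
    if ext not in ALLOWED_EXTENSIONS:
        return False, f"extension {ext!r} not in allow list"
    full = posixpath.join(BASE_DIR, canonical)
    # Defence in depth: the joined path must still lie inside BASE_DIR.
    if posixpath.commonpath([BASE_DIR, full]) != BASE_DIR:
        return False, "path escapes the base directory"
    return True, full


if __name__ == "__main__":
    # Constructed requests: the original file plus the three examples from the page.
    for request in ["test.txt", "test.asp", "test.asp::$data", "test.asp%00de.doc",
                    "..\\..\\etc\\passwd"]:
        print(f"{request!r:24} naive={naive_filter(request)!s:5} "
              f"canonical={check_access(request)}")
```

Two design points: the allow list is applied to the canonical name, never to the raw request, and inputs that cannot be canonicalized safely (NUL, stream separators, traversal) are rejected outright rather than "repaired", because every repair rule is another representation an attacker can target.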
For Web Dynpro ABAP and for BSP Applications
The method CL_HTTP_UTILITY=>IF_HTTP_UTILITY~CHECK_HTTP_WHITELIST is available in the SAP NetWeaver Application Server to check URL-like parameters against a white list of patterns in table HTTP_WHITELIST. Maintain the table in transaction SE16. This check verifies that a URL received from an external source can be accepted.
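A white list only holds if the URL is canonicalized before it is matched, otherwise upper-case host names, explicit default ports, percent-encoded path segments or dot segments all produce a "different" URL that the patterns do not cover. The added Python example below (not SAP's implementation of CHECK_HTTP_WHITELIST) shows that shape: a constructed list of entries whose PROTOCOL, HOST, PORT and URL columns are modelled on the HTTP_WHITELIST table (an assumption for this example), a canonical form of the incoming URL, and a wildcard match of the canonical form against each entry. The host names are made up.

```python
import posixpath
from fnmatch import fnmatchcase
from urllib.parse import unquote, urlsplit

# Constructed white list standing in for rows of HTTP_WHITELIST; '*' is a wildcard.
WHITELIST = [
    {"PROTOCOL": "https", "HOST": "portal.example.com", "PORT": "443", "URL": "/sap/bc/*"},
    {"PROTOCOL": "https", "HOST": "*.example.com", "PORT": "443", "URL": "/public/*"},
]
DEFAULT_PORTS = {"http": "80", "https": "443"}
COLUMNS = ("PROTOCOL", "HOST", "PORT", "URL")


def canonical_url(url: str) -> dict:
    """Reduce an absolute URL to the canonical fields the white list is matched on.
    Raises ValueError for URLs that have no single safe meaning."""
    parts = urlsplit(url.strip())
    if parts.scheme == "" or not parts.hostname:
        raise ValueError("relative or malformed URL")
    # 'https://trusted@evil' has host 'evil'; reject userinfo rather than let a
    # human-looking prefix suggest a different host.
    if parts.username is not None or parts.password is not None:
        raise ValueError("userinfo in URL")
    scheme = parts.scheme.lower()
    host = parts.hostname.lower().rstrip(".")          # hostnames are case-insensitive
    port = str(parts.port) if parts.port is not None else DEFAULT_PORTS.get(scheme, "")
    # Percent-decode until stable and treat backslashes as slashes before matching.
    path, previous = parts.path.replace("\\", "/"), None
    while path != previous:
        previous, path = path, unquote(path)
    if "\x00" in path:
        raise ValueError("NUL byte in path")
    path = posixpath.normpath(path or "/")             # resolves '.' and '..' segments
    if not path.startswith("/"):
        path = "/" + path
    return {"PROTOCOL": scheme, "HOST": host, "PORT": port, "URL": path}


def check_http_whitelist(url: str) -> bool:
    """True when the canonical form of the URL matches every column of some entry."""
    try:
        canonical = canonical_url(url)
    except ValueError:
        return False
    return any(all(fnmatchcase(canonical[col], entry[col]) for col in COLUMNS)
               for entry in WHITELIST)


if __name__ == "__main__":
    # Constructed inputs: allowed forms in disguise and attempts to leave the white list.
    for candidate in ["https://portal.example.com/sap/bc/webdynpro/start",
                      "HTTPS://Portal.Example.COM:443/sap/%62c/start",
                      "https://portal.example.com/sap/bc/../../etc/passwd",
                      "https://portal.example.com@evil.example.net/sap/bc/start",
                      "http://portal.example.com/sap/bc/start"]:
        print(f"{check_http_whitelist(candidate)!s:5} {candidate}")
```

Note that the canonical form is also what lets legitimate but oddly encoded URLs through: the second candidate, with upper-case scheme and host, an explicit default port and a percent-encoded path character, is accepted because it canonicalizes to the same value as the first.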
For HTML Interpreters
The SAP NetWeaver platform offers several output encoding functions to prevent cross-site scripting (XSS) attacks.
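Output encoding is the canonicalization problem seen from the other side: the data is written in exactly one representation that the interpreter cannot mistake for markup, and the representation depends on where in the document the data lands. The added Python example below is not an SAP encoding function; it uses the standard library to encode one constructed untrusted value for an HTML text node, a quoted attribute and a JavaScript string literal, and shows why the JavaScript encoder has to do more than the JSON grammar requires.

```python
import html
import json

# Constructed untrusted input that tries to close the surrounding context.
UNTRUSTED = "\"><script>alert('x')</script>"


def encode_html(value: str) -> str:
    """Encode for an HTML text node or a quoted attribute value: '&', '<', '>', '"'
    and the single quote all become character references."""
    return html.escape(value, quote=True)


def encode_js_string(value: str) -> str:
    """Encode for the inside of a JavaScript string literal in an inline <script>.
    json.dumps escapes quotes, backslashes and non-ASCII characters, but the HTML parser
    ends a script element at '</script' before JavaScript ever runs, so '<', '>' and '&'
    are additionally written as \\u escapes."""
    literal = json.dumps(value)
    for char, escape in (("<", "\\u003c"), (">", "\\u003e"), ("&", "\\u0026")):
        literal = literal.replace(char, escape)
    return literal


def render(value: str) -> str:
    """Place the same value in three contexts, each with its own encoder."""
    return (f"<p>{encode_html(value)}</p>\n"
            f'<input value="{encode_html(value)}">\n'
            f"<script>var name = {encode_js_string(value)};</script>")


def context_intact(document: str) -> bool:
    """Check that the untrusted value did not introduce a second script element or
    close the input tag early; the rendered document must contain exactly one of each."""
    return (document.count("<script>") == 1
            and document.count("</script>") == 1
            and document.count("<input") == 1)


if __name__ == "__main__":
    page = render(UNTRUSTED)
    print(page)
    print("contexts intact:", context_intact(page))
```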