By running a few lines of script, a determined hacker can pass straight through a company firewall and trick a Web application into handing over sensitive information. Web-based SAP applications are at particular risk because firewalls and intrusion detection systems give a false sense of security, according to Andreas Wiegenstein, chief technology officer of Germany-based application security firm Virtual Forge.
"With applications, it's all about the side effects that you don't think about," Wiegenstein said.
In a presentation at the SAP TechEd 2006 conference, Wiegenstein highlighted the top five application security threats and how NetWeaver developers can avoid them.
An attacker can execute arbitrary SQL commands remotely against applications that assemble SQL statements from user input and execute them directly, Wiegenstein said. By manipulating the request, a hacker can change the content of a database table. Depending on how the database is configured, the same vulnerability can let a hacker execute a shell command on the server and leak potentially sensitive data, Wiegenstein said.
Prepared statements should be used as a countermeasure wherever possible. A prepared statement uses placeholders for data input, so user-supplied values reach the database as data rather than as part of the SQL text, which lets an application better protect itself, Wiegenstein said.
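The difference between the two approaches, as an added example that is not from the talk or from Virtual Forge: a lookup written by string concatenation next to the same lookup as a prepared statement. It uses Python's built-in sqlite3 module rather than SAP's Open SQL, and the customer table, its rows and the search-by-name feature are constructed for illustration.

```python
import sqlite3

# Constructed sample table: three customer rows (not real data).
CUSTOMERS = [(1, "Alice", 5000), (2, "Bob", 2500), (3, "Carol", 9000)]


def build_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE customers (id INTEGER, name TEXT, credit_limit INTEGER)")
    conn.executemany("INSERT INTO customers VALUES (?, ?, ?)", CUSTOMERS)
    return conn


def find_customer_vulnerable(conn: sqlite3.Connection, name: str) -> list:
    """Builds the statement by concatenation: whatever the user typed becomes SQL."""
    sql = "SELECT id, name, credit_limit FROM customers WHERE name = '" + name + "'"
    return conn.execute(sql).fetchall()


def find_customer_prepared(conn: sqlite3.Connection, name: str) -> list:
    """Prepared statement: '?' is a placeholder and the value is bound as data,
    so quotes inside it can never terminate the string literal."""
    sql = "SELECT id, name, credit_limit FROM customers WHERE name = ?"
    return conn.execute(sql, (name,)).fetchall()


# Tautology payload: closes the quoted string and appends an always-true clause,
# turning "WHERE name = 'x' OR '1'='1'" into a filter that matches every row.
PAYLOAD = "x' OR '1'='1"

if __name__ == "__main__":
    db = build_db()
    print("legitimate:", find_customer_prepared(db, "Bob"))
    print("vulnerable:", find_customer_vulnerable(db, PAYLOAD))  # every row leaks
    print("prepared:  ", find_customer_prepared(db, PAYLOAD))    # no customer has that name
```

The vulnerable function returns the whole table for the payload; the prepared one returns nothing, because the database looks for a customer literally named `x' OR '1'='1`. The same rule applies to any dynamically built clause: if part of the SQL text comes from the client, it must be bound as a parameter, not concatenated.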
Any application that generates an HTML GUI from user-controlled data is exposed to cross-site scripting, Wiegenstein said. In this type of attack the hacker's script runs in a legitimate user's browser, so the server cannot tell the hacker's actions from the user's own.
To avoid cross-site scripting, HTML should be rendered through Web Dynpro, SAP's programming model for user interfaces, so that developers do not hand-assemble HTML from untrusted values. Wiegenstein suggests that companies concerned about this issue consult a security expert.
"This is a very difficult problem to solve," he said. "No company has succeeded in solving this problem themselves."
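What a UI framework such as Web Dynpro does on the developer's behalf, reduced to one rendering function, as an added example that is not from the talk: a hand-written page that pastes a user's name into HTML next to the same page with the value encoded for the context it lands in. The page template, the payloads and the crude `contains_active_markup` check are constructed for this illustration.

```python
from html import escape


def render_unsafe(name: str) -> str:
    """Untrusted input pasted straight into HTML: the browser runs any markup in it."""
    return f'<p>Hello, {name}</p><input name="q" value="{name}">'


def render_safe(name: str) -> str:
    """escape(quote=True) encodes & < > " and ', so the value stays text both in
    the element body and inside the double-quoted attribute."""
    enc = escape(name, quote=True)
    return f'<p>Hello, {enc}</p><input name="q" value="{enc}">'


# Constructed payloads: one injects a tag into the element body, the other
# breaks out of the value="" attribute and adds an event handler.
SCRIPT_PAYLOAD = "<script>alert(document.cookie)</script>"
ATTR_PAYLOAD = '" onmouseover="alert(document.cookie)'


def contains_active_markup(html: str) -> bool:
    """Demonstration-only check: does the rendered page still carry a live
    script tag or a live event-handler attribute from the payload?"""
    return "<script>" in html or ' onmouseover="' in html


if __name__ == "__main__":
    for payload in (SCRIPT_PAYLOAD, ATTR_PAYLOAD):
        print("unsafe:", render_unsafe(payload))
        print("safe:  ", render_safe(payload))
```

Note that encoding is context-specific: `html.escape` is correct for element text and quoted attribute values, but a value dropped into a JavaScript block, a URL or a CSS rule needs the encoding for that context instead, which is exactly the detail a generated UI keeps out of application code.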
Developers often assume, wrongly, that cookies can't be manipulated, Wiegenstein said; a capable hacker can trick the application logic simply by changing a cookie value.
SAP customers should avoid storing important information, such as an item price, in a cookie, since the browser and not the server controls what comes back, he said. Using Web Dynpro also helps alleviate this problem, he said.
Because an attacker need not use a browser at all, or can use a modified client or proxy tool, applications that rely on client-side validation are at high risk, Wiegenstein said. A hacker can trick the application logic by altering a value after the browser has validated it, he said.
Companies should not rely on client-side validation alone to avoid this problem, he said. Every validation must be repeated on the server.
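Both problems above, a price carried in a cookie and a quantity checked only in the browser, come down to the same mistake, so here is one checkout handler that makes it, next to a version that keeps the cart on the server and re-validates everything. This is an added example, not code from the talk or from SAP; the catalogue, the session store, the `MAX_QTY` limit and the request shapes (a cookie dict and a form dict) are constructed for illustration.

```python
import secrets

# Constructed server-side data: prices in cents, and the same quantity limit
# that the page's JavaScript is assumed to enforce in the browser.
CATALOGUE = {"SKU-100": 4900, "SKU-200": 19900}
MAX_QTY = 10
SESSIONS: dict = {}


def checkout_trusting_client(cookies: dict, form: dict) -> tuple:
    """Vulnerable: the price is read back from a cookie and the quantity is
    whatever the form sent, on the assumption that the browser already checked it."""
    total = int(cookies["price"]) * int(form["qty"])
    return (200, total)


def start_session(sku: str) -> str:
    """Keep the cart on the server; the browser only receives an opaque random id."""
    sid = secrets.token_hex(16)
    SESSIONS[sid] = {"sku": sku}
    return sid


def checkout_server_side(cookies: dict, form: dict) -> tuple:
    """Hardened: no client-supplied value is used without a server-side check,
    and the price comes from the catalogue, never from the request."""
    cart = SESSIONS.get(cookies.get("session", ""))
    if cart is None:
        return (403, "unknown session")
    try:
        qty = int(form.get("qty", ""))
    except ValueError:
        return (400, "quantity must be an integer")
    if not 1 <= qty <= MAX_QTY:
        return (400, "quantity out of range")
    return (200, CATALOGUE[cart["sku"]] * qty)


if __name__ == "__main__":
    sid = start_session("SKU-100")
    honest = ({"session": sid, "price": "4900"}, {"qty": "2"})
    forged = ({"session": sid, "price": "1"}, {"qty": "9999"})  # edited cookie, skipped JS check
    print("trusting client:", checkout_trusting_client(*honest), checkout_trusting_client(*forged))
    print("server side:    ", checkout_server_side(*honest), checkout_server_side(*forged))
```

With the forged request the naive handler happily charges 9999 cents for 9999 items, while the hardened one rejects the quantity and would have ignored the price cookie anyway. An unknown or tampered session id is simply refused, because the id carries no data of its own.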
With forceful browsing, a hacker tricks the application logic by directly requesting buttons or other resources that the application menu does not offer that user, Wiegenstein said. In a demonstration, Wiegenstein showed how an attacker could invoke an edit function on a bill of sale that should be available only to an administrator.
"An attacker can cause a server to skip the same validations," he said.
Using Web Dynpro and performing an authority check on the server for every action that originates from a client will alleviate the vulnerability, Wiegenstein said.
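The forceful-browsing demonstration above, as an added example that is not code from the talk: a request handler that assumes a request can only arrive from a button the menu showed, next to one that re-checks the user's roles on every action (in ABAP the corresponding server-side step is an AUTHORITY-CHECK statement). The users, roles, actions and bills of sale are constructed for illustration.

```python
from typing import Optional

# Constructed users, roles and bills of sale; role names are illustrative.
USERS = {"alice": {"admin"}, "bob": {"clerk"}}
ALLOWED_ROLES = {"view": {"admin", "clerk"}, "edit": {"admin"}, "delete": {"admin"}}
BILLS = {42: {"customer": "ACME", "amount": 1000}, 43: {"customer": "Globex", "amount": 750}}


def menu_for(user: str) -> list:
    """What the UI shows: only the actions the user's roles permit.
    This is a usability feature, not a security control."""
    return [action for action, roles in ALLOWED_ROLES.items() if USERS[user] & roles]


def _perform(action: str, bill_id: int, data: Optional[dict]) -> tuple:
    """Business logic shared by both handlers; returns an HTTP-like (status, body)."""
    bill = BILLS.get(bill_id)
    if bill is None:
        return (404, "no such bill")
    if action == "view":
        return (200, dict(bill))
    if action == "edit":
        bill.update(data or {})
        return (200, dict(bill))
    if action == "delete":
        del BILLS[bill_id]
        return (200, None)
    return (404, "no such action")


def handle_menu_only(user: str, action: str, bill_id: int, data: Optional[dict] = None) -> tuple:
    """Vulnerable: trusts that a hidden button cannot be invoked. A hand-crafted
    request naming action='edit' goes straight through."""
    return _perform(action, bill_id, data)


def handle_with_authority_check(user: str, action: str, bill_id: int,
                                data: Optional[dict] = None) -> tuple:
    """Hardened: the server checks authorization for the requested action on
    every request, regardless of what the menu offered."""
    roles = ALLOWED_ROLES.get(action)
    if roles is None:
        return (404, "no such action")
    if not USERS[user] & roles:
        return (403, "not authorized")
    return _perform(action, bill_id, data)


if __name__ == "__main__":
    print("bob's menu:", menu_for("bob"))                                     # ['view']
    print("menu only:  ", handle_menu_only("bob", "edit", 42, {"amount": 1}))  # edit succeeds
    print("with check: ", handle_with_authority_check("bob", "edit", 43, {"amount": 1}))
```

The check lives in the dispatcher, so it cannot be skipped by any path the client chooses; the menu merely reflects the same role table for convenience.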
The most important countermeasure for all five attacks is for a company to be proactive about security, Wiegenstein said. Start by setting a security policy, get help from experts and hold security training to avoid the most common mistakes among employees, he said.
"Many companies fail to build in security when developing an application," Wiegenstein said. "You can't just build something and add on security like it's glue. That doesn't work."