Vahagn Vardanian

Co-founder and CTO of RedRays

[PoC] SAP PING PONG – XSS and URL Redirection Vulnerabilities

Recently, SAP released a security update for SAP NetWeaver AS for ABAP and ABAP Platform, addressing multiple vulnerabilities related to cross-site scripting (XSS) and URL redirection. One of the affected components is the demo application “SAP Ping Pong,” which uses ABAP Push Channels.

These vulnerabilities could allow attackers to craft malicious links that, when clicked by users, could compromise system security, granting access to sensitive information or redirecting users to malicious websites. Although these programs are intended for demonstration purposes and are not meant for productive environments, they can still serve as entry points for attacks if not properly addressed.

Description of Vulnerabilities

  1. Cross-Site Scripting (XSS), CVE-2023-23859: an attacker can craft links that execute script in the user's browser. Such script can be used to steal session information or other confidential data. CVSS score: 6.1.

  2. URL Redirection, CVE-2023-23860: an attacker can craft links that redirect users to fake websites, enabling phishing or data exposure. CVSS score: 6.1.

Proof of Concept for URL Redirection (PoC)

The following URL demonstrates the URL redirection vulnerability (%your_sap.com% stands for the hostname of the affected system):

http://%your_sap.com%/sap/bc/apc_test/sohbat?redirect=https://redrays.io/sap-security-platform-for-penetration-testers/?poc&tcode=1&fcode=1&command=1

A user who clicks this link is redirected to whatever site is named in the redirect parameter, which could host malicious content and lead to information disclosure or other attacks.
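The root cause described here is that the value of the redirect parameter is honoured without validation. As an added illustration (not code from SAP or from RedRays), the following Python places the unsafe pattern next to a hardened check that accepts only site-relative paths or allow-listed hosts. The allow-listed host sap.example.com and the fallback path are assumptions, and POC_URL is the advisory's PoC URL with the %your_sap.com% placeholder replaced by that constructed host. The logic is shown in Python for readability; the same rules belong in the ABAP handler.

```python
from typing import Optional
from urllib.parse import urlsplit, parse_qs

# Hypothetical allow-list of hosts the application may redirect to. A real
# deployment would keep this in configuration, not in code.
ALLOWED_HOSTS = frozenset({"sap.example.com"})
DEFAULT_TARGET = "/sap/bc/apc_test/"

# The advisory's PoC URL with the %your_sap.com% placeholder replaced by a
# constructed hostname; only the query string matters to the checks below.
POC_URL = ("http://sap.example.com/sap/bc/apc_test/sohbat"
           "?redirect=https://redrays.io/sap-security-platform-for-penetration-testers/?poc"
           "&tcode=1&fcode=1&command=1")


def _redirect_param(request_url: str) -> Optional[str]:
    """Return the first 'redirect' query parameter of a request URL, or None."""
    values = parse_qs(urlsplit(request_url).query).get("redirect")
    return values[0] if values else None


def unsafe_redirect_target(request_url: str) -> Optional[str]:
    """The open-redirect pattern: the parameter is copied into the Location
    header unchanged, so any caller-chosen absolute URL is honoured."""
    return _redirect_param(request_url)


def safe_redirect_target(request_url: str) -> str:
    """Hardened variant: honour only rooted site-relative paths or absolute
    http(s) URLs whose host is allow-listed; anything else falls back to
    DEFAULT_TARGET."""
    value = _redirect_param(request_url)
    if value is None:
        return DEFAULT_TARGET
    # Browsers treat a backslash like a slash in this position, so "/\evil"
    # would otherwise slip through the relative-path check below.
    target = value.strip().replace("\\", "/")
    parts = urlsplit(target)
    if not parts.scheme and not parts.netloc:
        # Site-relative path: must be rooted and must not begin with "//",
        # which browsers read as scheme-relative even where urlsplit does not
        # (for "///evil.example" urlsplit reports an empty netloc).
        if target.startswith("/") and not target.startswith("//"):
            return target
        return DEFAULT_TARGET
    if parts.scheme in ("http", "https") and parts.hostname in ALLOWED_HOSTS:
        return target
    return DEFAULT_TARGET
```

Run against POC_URL, the unsafe variant returns the external redrays.io URL while the hardened one falls back to the default path; scheme-relative (`//host`), backslash and `javascript:` forms are likewise rejected.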

Impact and Risks

Both vulnerabilities are due to improper input validation in demo programs like SAP Ping Pong and Sohbat. Even though these programs are not intended for use in productive environments, they can still be targeted if not deactivated.

In systems where these services are active, attackers could exploit these vulnerabilities to execute cross-site scripting or redirect users to malicious websites. This could result in data leakage, session hijacking, and other security compromises.

Recommendations for Mitigating the Vulnerabilities

  1. Apply the fixes: SAP has released patches for the affected components, including the ABAP Push Channels demo programs. Ensure that these patches are applied as soon as possible.

  2. Deactivate unnecessary services: demo services such as /sap/bc/apc_test/ping_pong/game, /sap/bc/apc_test/ping_pong/player, and others under the APC and Sohbat frameworks should be deactivated through the SICF transaction. This will help prevent attacks on these vulnerable services.

  3. Review your SAP landscape: conduct a full audit of your system to ensure that any unused services, particularly demo programs, are disabled. This will minimize the attack surface and reduce the risk of exploitation.
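One way to verify the audit in step 3 is to check that nothing under the /sap/bc/apc_test/ tree is still being served. Here is an added example (not from the advisory, SAP or RedRays tooling) that scans web access-log lines for served requests to that demo tree and escalates any that also carry a redirect parameter pointing to a host other than the system's own. The log lines, the hostname sap.example.com and the Common Log Format are constructed assumptions; ICM or reverse-proxy logs may use a different layout and would need a different regular expression.

```python
import re
from typing import Dict, List
from urllib.parse import urlsplit, parse_qs

# Demo service tree named in the advisory; after SICF deactivation no request
# under it should be answered with a 2xx or 3xx status.
DEMO_PREFIX = "/sap/bc/apc_test/"

# Hostnames the SAP system itself answers on (hypothetical); a redirect to any
# other host is treated as suspicious.
OWN_HOSTS = frozenset({"sap.example.com"})

# Constructed access-log lines in Common Log Format; not real traffic.
SAMPLE_LOG = """\
10.0.0.5 - - [12/Mar/2024:10:01:02 +0000] "GET /sap/bc/webdynpro/sap/zstart HTTP/1.1" 200 5120
10.0.0.7 - - [12/Mar/2024:10:01:09 +0000] "GET /sap/bc/apc_test/ping_pong/game HTTP/1.1" 200 2048
10.0.0.9 - - [12/Mar/2024:10:01:15 +0000] "GET /sap/bc/apc_test/sohbat?redirect=https://attacker.example/login HTTP/1.1" 302 0
10.0.0.9 - - [12/Mar/2024:10:01:21 +0000] "GET /sap/bc/apc_test/sohbat?redirect=/sap/bc/apc_test/ping_pong/player HTTP/1.1" 302 0
10.0.0.7 - - [12/Mar/2024:10:01:30 +0000] "GET /sap/bc/apc_test/ping_pong/player HTTP/1.1" 404 0
"""

LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)


def external_redirect_host(target: str) -> str:
    """Return the foreign host named in a 'redirect' parameter, or '' when the
    parameter is absent, site-relative, or points at one of OWN_HOSTS."""
    for value in parse_qs(urlsplit(target).query).get("redirect", []):
        v = value.replace("\\", "/")
        if v.startswith("//"):
            # Scheme-relative form; browsers collapse extra slashes, urlsplit
            # does not, so normalise before parsing.
            v = "http://" + v.lstrip("/")
        parts = urlsplit(v)
        if parts.netloc and parts.hostname not in OWN_HOSTS:
            return parts.hostname or parts.netloc
    return ""


def scan_log(text: str) -> List[Dict[str, str]]:
    """Flag every served request under the demo tree (medium); escalate to
    high when the request also redirects to an external host."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        target = m.group("target")
        path = urlsplit(target).path
        if not path.startswith(DEMO_PREFIX):
            continue
        if m.group("status").startswith("4"):
            continue  # 403/404 means the service is already unreachable
        foreign = external_redirect_host(target)
        findings.append({
            "src": m.group("src"),
            "path": path,
            "status": m.group("status"),
            "severity": "high" if foreign else "medium",
            "reason": (f"redirect to external host {foreign}" if foreign
                       else "demo APC service still served"),
        })
    return findings


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"{f['severity']:6} {f['src']:10} {f['path']}  {f['reason']}")
```

On the constructed sample this yields three findings: two medium (the demo services still answering) and one high (a 302 to attacker.example); the 404 line is ignored because it shows the service already deactivated. Any medium finding after patching means the SICF deactivation in step 2 has not been completed.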

Conclusion

SAP Ping Pong and other ABAP Push Channels demo programs provide attackers with potential entry points through XSS and URL redirection vulnerabilities. While these programs are not intended for productive environments, it is important to deactivate them to safeguard your system.

It is highly recommended to apply the SAP-provided patches as soon as possible and deactivate the demo services. This will significantly reduce the likelihood of attacks related to these vulnerabilities.

For more information on these vulnerabilities or assistance in securing your SAP environment, contact us at RedRays. We offer comprehensive solutions to protect SAP systems from vulnerabilities and cyberattacks.
