Vahagn Vardanian

Co-founder and CTO of RedRays

Cross Site Request Forgery Protection for ITS, SAP security note 1481392

Description

Cross Site Request Forgery is an attack that targets web applications. For details about this attack, see this Wikipedia article: http://en.wikipedia.org/wiki/XSRF.

This SAP note describes a generic protection scheme to protect ITS services against this kind of attack. Please note that in order to activate the XSRF protection for custom ITS Services not delivered by SAP, you have to configure each of your custom ITS services as described below.

This SAP note is only relevant for you if you are using ITS services provided by SAP or if you have developed your own custom ITS services. If this is not the case, you can ignore this SAP note.

***********************************************************************
*********************** W A R N I N G *********************************
***********************************************************************
SAP recommends applying the following support packages:
6.40 SAPKB64027 (*) (**)
7.00 SAPKB70023
7.01 SAPKB70108
7.02 SAPKB70206
7.10 SAPKB71012
7.11 SAPKB71107
7.20 SAPKB72004

The SAP kernel (dw-Patch) needs to be updated as well, to a patch level at least as high as the one mentioned in the SP patch level section of this note.

If you cannot apply the support packages recommended above, you can use the transport files attached to SAP note 1529098 for the releases 6.40, 7.00, 7.01, 7.10 and 7.11. Be aware that after importing the transports you will no longer be able to apply SNOTE corrections for objects you imported with one of these transports until you apply one of the support packages listed above.

Example:
You have a system with SAPKB70020 and you applied the transport. If you decide to upgrade the system to a higher SP level, you must apply SAPKB70021, SAPKB70022 and SAPKB70023. Otherwise, because of the transport, the objects that are part of the transport might remain in an inconsistent state.

The recommendation is therefore to apply the support package and not to use the transport files.

(*) Although the service pack section of this note mentions SAPKB64028 for release 6.40 (which is not yet available), SAPKB64027 contains the basic XSRF protection.
(**) If you are using a system with SAP_BASIS 6.20 plus SAP kernel 6.40, such as R/3 Enterprise, together with ITS 6.20, you will have to wait for an updated version of this SAP note. For ITS 6.20 the XSRF protection is not yet available.

***********************************************************************
***********************************************************************
***********************************************************************
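The support package recommendation and the transport caveat above can be checked across a system inventory with a short script. This is an added example, not part of the SAP note or of any RedRays tooling; it compares only the SAP_BASIS support package level (the kernel patch level is not checked), and it assumes the `SAPKB` + 3-digit release + 2-digit level naming seen in the package names on this page. The function names, status strings and inventory are constructed for illustration.

```python
import re

# Recommended SAP_BASIS support packages from the note's warning block: release -> SP level.
RECOMMENDED = {"640": 27, "700": 23, "701": 8, "702": 6, "710": 12, "711": 7, "720": 4}
# Releases for which the note says transport files (SAP note 1529098) exist.
TRANSPORT_RELEASES = {"640", "700", "701", "710", "711"}

# Assumption: names follow SAPKB + 3-digit release + 2-digit level, as in the names on this page.
_SP_NAME = re.compile(r"^SAPKB(\d{3})(\d{2})$")


def parse_sp(name):
    """Split 'SAPKB70020' into ('700', 20); reject anything else."""
    m = _SP_NAME.match(name.strip().upper())
    if not m:
        raise ValueError(f"not a SAP_BASIS support package name: {name!r}")
    return m.group(1), int(m.group(2))


def missing_packages(installed):
    """Support packages still to apply, in order, to reach the recommended level."""
    release, level = parse_sp(installed)
    if release not in RECOMMENDED:
        raise KeyError(f"release {release} has no recommendation in the note")
    return [f"SAPKB{release}{n:02d}" for n in range(level + 1, RECOMMENDED[release] + 1)]


def assess(installed, transport_imported=False):
    """Return (status, missing) for one system."""
    release, _ = parse_sp(installed)
    missing = missing_packages(installed)
    if transport_imported and release not in TRANSPORT_RELEASES:
        raise ValueError(f"the note lists no transport files for release {release}")
    if not missing:
        return "sp-level-met", missing
    # With the transport imported, every package up to the recommended one must
    # follow, or the transported objects may stay inconsistent.
    return ("transport-interim" if transport_imported else "below-recommended"), missing


if __name__ == "__main__":
    # Constructed inventory: (system id, highest SAP_BASIS SP, transport imported?)
    inventory = [("DEV", "SAPKB70020", True), ("QAS", "SAPKB70205", False),
                 ("PRD", "SAPKB72004", False)]
    for sid, sp, transport in inventory:
        status, missing = assess(sp, transport)
        print(f"{sid}: {sp} -> {status}; still to apply: {', '.join(missing) or 'none'}")
```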

Available fix and Supported packages

  • BC-FES-ITS | 620 | 620
  • SAP_BASIS | 620 | 640
  • SAP_BASIS | 700 | 702
  • SAP_BASIS | 710 | 730
  • SAP_BASIS 702 | SAPKB70205 |
  • SAP_BASIS 710 | SAPKB71011 |
  • SAP_BASIS 711 | SAPKB71106 |
  • SAP_BASIS 720 | SAPKB72004 |
  • SAP_BASIS 640 | SAPKB64027 |
  • SAP_BASIS 700 | SAPKB70023 |
  • SAP_BASIS 701 | SAPKB70108 |
  • SAP_BASIS 730 | SAPKB73001 |
  • SAP_BASIS 702 | SAPKB70206 |
  • SAP_BASIS 730 | SAPKB73002 |
  • SAP_BASIS 710 | SAPKB71012 |
  • SAP_BASIS 702 | SAPKB70207 |
  • SAP_BASIS 711 | SAPKB71107 |
  • SAP_BASIS 720 | SAPKB72005 |
  • SAP_BASIS 640 | SAPKB64028 |
  • SAP_BASIS 700 | SAPKB70024 |
  • SAP_BASIS 701 | SAPKB70109 |
  • SAP ITS 6.20 | SP038 | 000038
  • SAP ITS 6.20 | SP041 | 000041
  • SAP ITS 6.20 | SP042 | 000042
  • SAP KERNEL 6.40 32-BIT | SP351 | 000351
  • SAP KERNEL 6.40 32-BIT | SP352 | 000352
  • SAP KERNEL 6.40 32-BIT UNICODE | SP351 | 000351
  • SAP KERNEL 6.40 32-BIT UNICODE | SP352 | 000352
  • SAP KERNEL 6.40 64-BIT | SP351 | 000351
  • SAP KERNEL 6.40 64-BIT | SP352 | 000352
  • SAP KERNEL 6.40 64-BIT UNICODE | SP351 | 000351
  • SAP KERNEL 6.40 64-BIT UNICODE | SP352 | 000352
  • SAP KERNEL 6.40_EX2 32-BIT | SP351 | 000351
  • SAP KERNEL 6.40_EX2 32-BIT | SP352 | 000352
  • SAP KERNEL 6.40_EX2 32-BIT UC | SP351 | 000351
  • SAP KERNEL 6.40_EX2 32-BIT UC | SP352 | 000352
  • SAP KERNEL 6.40_EX2 64-BIT | SP351 | 000351
  • SAP KERNEL 6.40_EX2 64-BIT | SP352 | 000352
  • SAP KERNEL 6.40_EX2 64-BIT UC | SP351 | 000351
  • SAP KERNEL 6.40_EX2 64-BIT UC | SP352 | 000352
  • SAP KERNEL 7.00 32-BIT | SP267 | 000267

Affected component

    BC-FES-ITS
    SAP Internet Transaction Server

CVSS

Score: 0

PoC

Detailed vulnerability information added to RedRays Security Platform. Contact [email protected] for details.

URL

https://launchpad.support.sap.com/#/notes/1481392

TAGS

#XSRF
#Cross-Site-Request-Forgery
#Security
