Cross-Site Scripting (XSS) Vulnerability Check for Logon Module

Former Member

Hi Experts,

Please let me know, and suggest with an example, if any of you have applied and solved the XSS vulnerability check on the login page of the SAP EP Portal.

The example below is for a customized portal application.

https://scn.sap.com/community/enterprise-portal/blog/2014/10/07/an-approach-to-web-security-issues-o...

I am checking the login page of the portal, i.e. passing this type of JavaScript value in the parameters

https://<host>:<port>/irj/portal?j_username=Test&"onmouseover="location.href='https://www.google.com'"

should not work, even when "Enable XSS Filter" is set to "Disable" in the Internet Explorer (IE) browser settings under the Security tab.


Answers (2)


former_member193577
Active Contributor

Hi,

XSS happens when unvalidated input from the user comes back in the response without proper encoding.

Basically, you should not be able to reproduce this issue with the standard login page, since it should be protected against that (also with the IE XSS Filter).

The recommended component for such output encoding (whether HTML or JavaScript encoding) is com.sap.security.core.server.csi.XSSEncoder.

Best regards,

Tal

Former Member

Hi,

We have modified the login page with branding customization and are able to cross-check the issue with the URL

https://<host>:<port>/irj/portal?j_username=Test&"onmouseover="location.href='https://www.google.com'"

which doesn't allow the user to enter a password.

1. Should encoding be applied to all request parameters or only to a few parameters on the login page?

2. Is decoding required again? If so, how and where should it be done?

Please let me know how com.sap.security.core.server.csi.XSSEncoder can be used for the customized login page, with any samples.

former_member193577
Active Contributor

Hi Ravi,

Basically, for any response that you write (output) that includes request parameters, you should check.

Any parameter that is passed in the request and comes back to the user in the response without proper encoding / validation is XSS vulnerable.

So, to your question, all parameters that you output back to the response should be encoded using the XSSEncoder.

No decoding is needed, since the browser does that already.

Thanks,

Tal
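Tal's two answers above state the rule: every request parameter that is reflected into the response must be output-encoded for the context it lands in, and no decoding step is needed because the browser undoes the encoding when it parses the page. The following Python script is an added example, not code from this thread or from SAP. It models the login-page `value="..."` attribute with a `j_username` value shaped like the one in the URL quoted in the question (the `attacker.invalid` host is a constructed placeholder), and it uses Python's `html.escape` and `json.dumps` as stand-ins for `XSSEncoder.encodeHTML` and `XSSEncoder.encodeJavaScript` (those XSSEncoder method names are an assumption, not confirmed by the thread). Python's `html.parser` stands in for the browser, so the script shows both sides: the unencoded reflection gains an `onmouseover` attribute, while the encoded reflection parses back to exactly the original string, which is why Tal says nothing needs decoding.

```python
import html
import json
from html.parser import HTMLParser

# Constructed sample: a j_username value shaped like the one in the URL quoted in
# the thread. Reflected unencoded into value="...", the text after the first quote
# becomes a new attribute (an event handler) on the <input> element.
TAINTED_USERNAME = 'Test" onmouseover="location.href=\'https://attacker.invalid\''


def render_vulnerable(username: str) -> str:
    """Reflects the request parameter straight into the HTML attribute (no encoding)."""
    return f'<input type="text" name="j_username" value="{username}">'


def encode_html(value: str) -> str:
    """Stand-in for XSSEncoder.encodeHTML (assumed method name): escape & < > " and '
    so the value can neither close the attribute nor open a new tag."""
    return html.escape(value, quote=True)


def encode_javascript(value: str) -> str:
    """Stand-in for XSSEncoder.encodeJavaScript (assumed method name): emit a JS string
    literal, with < > & hex-escaped so it cannot terminate an inline <script> block."""
    literal = json.dumps(value)
    return literal.replace("<", "\\u003c").replace(">", "\\u003e").replace("&", "\\u0026")


def render_hardened(username: str) -> str:
    """Same markup, but the reflected parameter is encoded for the HTML attribute context."""
    return f'<input type="text" name="j_username" value="{encode_html(username)}">'


class InputAttrs(HTMLParser):
    """Minimal stand-in for the browser's parser: records the attributes of <input>.
    Like a browser, html.parser decodes &quot; and friends in attribute values."""

    def __init__(self) -> None:
        super().__init__()
        self.attrs: dict = {}

    def handle_starttag(self, tag, attrs):
        if tag == "input":
            self.attrs = dict(attrs)


def parse_input_attrs(markup: str) -> dict:
    parser = InputAttrs()
    parser.feed(markup)
    return parser.attrs


if __name__ == "__main__":
    # Unencoded: value is truncated to "Test" and an onmouseover handler appears.
    print("vulnerable:", parse_input_attrs(render_vulnerable(TAINTED_USERNAME)))
    # Encoded: a single value attribute holding the original string, no handler.
    print("hardened:  ", parse_input_attrs(render_hardened(TAINTED_USERNAME)))
    print("js literal:", encode_javascript(TAINTED_USERNAME))
```

The check to carry over to a customized JSP login page is the one the hardened branch applies: every occurrence of a request parameter in the generated markup goes through the encoder for its context (HTML body or attribute, JavaScript string, URL), and the encoding is never reversed on the server.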

hemanth2
Product and Topic Expert

Dear Ravi,

Hope you are doing good.

You can find the list of all SOS checks in our media library at <https://service.sap.com/sos> -> Media Library. Look there for the files "Security Optimization Service - ABAP Checks" and "Security Optimization Service - JAVA Checks". This has all the information that you need in such scenarios. Also do have a look at the guide in note 1450166: to protect applications from XSRF attacks they need to be adapted to the XSRF Protection Framework, as described in the attached guide.

Hope this helps.

_ _ _ _ _ _ _ _ _

Kind Regards,

Hemanth
SAP Active Global Support

_ _ _ _ _ _ _ _ _