on 08-19-2021 3:30 PM
My security team flagged my Fiori logoff service because they are able to add a redirect to the end of the URL. They didn't use the Fiori app; they just googled to get the logoff string and entered the URL into the browser. So how do I prevent this?
https://<yadayada./sap/public/bc/icf/logoff?redirecturl=https://example.com
Hi Mary Jane
What a coincidence. We also had a similar security concern raised against malicious use of the SAP standard redirecturl parameter on any genuine public Internet service (ICF) logoff redirected to a dubious site.
E.g. https://example.com/sap/public/bc/icf/logoff?redirecturl=https://www.FakeLogonSite.com
In the logoff class method it makes use of a URL whitelist for ICF logoff services (if the whitelist is maintained). For each SAP ABAP system this is maintained in the table HTTP_WHITELIST by adding allowed whitelist redirection entries:
ENTRY_TYPE: 21 (Redirect URL for ICF Logoff)
PROTOCOL: * (all protocols or particular protocols)
HOST: example.com (allowed host names to redirect to)
PORT: 0 (all ports or particular ports only)
URL: * (all allowed URL paths or particular URL masks).
Whitelisted redirect URLs are recommended to secure your SAP system, as you may only want to redirect to the same SAP system or another single sign-on system to re-authenticate, and nothing else, after logoff.
Kind Regards
David
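As an added illustration for this thread (not SAP's code and not something David posted): the allow-list check he describes, approximated in Python so you can see what an ENTRY_TYPE 21 row does and does not let through. The first row mirrors the HTTP_WHITELIST columns and values listed above; the second row, the matching rules (case-insensitive whole-host comparison, `*` treated as a glob, PORT 0 as "any port"), the rejection of userinfo and scheme-relative URLs, and the candidate URLs are all assumptions constructed for this example, not a transcript of the ABAP logoff class.

```python
"""Added example: vetting a logoff redirecturl against an HTTP_WHITELIST-style
allow-list. Illustration only; the matching rules are an assumption about how
such a list should behave, not SAP's implementation."""
from fnmatch import fnmatchcase
from urllib.parse import urlsplit

# Constructed sample rows, modelled on the HTTP_WHITELIST columns.
# Row 1 is the example from the answer above (PROTOCOL '*' = any scheme,
# PORT 0 = any port, URL '*' = any path). Row 2 is a constructed, tighter
# entry for an SSO endpoint, pinned to https, port 443 and a path mask.
WHITELIST = [
    {"ENTRY_TYPE": 21, "PROTOCOL": "*", "HOST": "example.com", "PORT": 0, "URL": "*"},
    {"ENTRY_TYPE": 21, "PROTOCOL": "https", "HOST": "sso.example.com", "PORT": 443, "URL": "/saml2/*"},
]

DEFAULT_PORTS = {"http": 80, "https": 443}


def _port_of(parts):
    """Effective port: explicit port if present, else the scheme default.
    Returns None when the port is not a valid integer (treat as reject)."""
    try:
        explicit = parts.port
    except ValueError:  # e.g. https://example.com:notaport/
        return None
    return explicit or DEFAULT_PORTS.get(parts.scheme.lower())


def redirect_allowed(url, whitelist=WHITELIST):
    """True only if url matches one ENTRY_TYPE 21 row on every column."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    host = (parts.hostname or "").lower()

    # Only absolute http(s) targets qualify. This also blocks scheme-relative
    # "//evil.com/" (no scheme) and things like "javascript:" URLs.
    if scheme not in DEFAULT_PORTS or not host:
        return False
    # Reject userinfo tricks such as https://example.com@evil.com/
    if parts.username is not None or parts.password is not None:
        return False
    port = _port_of(parts)
    if port is None:
        return False
    path = parts.path or "/"

    for row in whitelist:
        if row["ENTRY_TYPE"] != 21:
            continue
        if row["PROTOCOL"] != "*" and row["PROTOCOL"].lower() != scheme:
            continue
        # Whole-host comparison: example.com.evil.com must NOT match example.com.
        if not fnmatchcase(host, row["HOST"].lower()):
            continue
        if row["PORT"] != 0 and row["PORT"] != port:
            continue
        if not fnmatchcase(path, row["URL"]):
            continue
        return True
    return False


# Constructed candidates, mixing legitimate targets with the usual
# open-redirect bypass attempts.
CANDIDATES = [
    "https://example.com/",                        # allowed by row 1
    "https://example.com/sap/bc/ui2/flp",          # allowed, any path
    "http://example.com/",                         # allowed: PROTOCOL '*' passes plain http too
    "https://sso.example.com/saml2/sso",           # allowed by row 2
    "https://sso.example.com/admin",               # blocked: path mask
    "https://example.com.evil.com/",               # blocked: host suffix trick
    "https://evil.com/?next=https://example.com",  # blocked: allowed host only in query
    "https://example.com@evil.com/",               # blocked: userinfo trick
    "//evil.com/",                                 # blocked: scheme-relative
    "https://www.FakeLogonSite.com",               # blocked: the case from the answer
]


def check_all(candidates=CANDIDATES):
    """Map each candidate redirect target to its allow/block verdict."""
    return {u: redirect_allowed(u) for u in candidates}


if __name__ == "__main__":
    for url, ok in check_all().items():
        print("ALLOW" if ok else "BLOCK", url)
```

Two things the run makes visible: a row with PROTOCOL `*` also admits a plain-http redirect to the allowed host, so pin PROTOCOL to `https` unless you really need the downgrade; and the HOST column has to be compared as a whole host name, otherwise `example.com.evil.com` and `https://example.com@evil.com/` walk straight through. After maintaining the table on the real system, retest by calling the logoff URL with a disallowed `redirecturl` and confirming the system no longer sends you there.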
Excellent. Thanks for the info. I knew there had to be a way.