
Session hijacking in SAP Web Channel on SAP NetWeaver 7.3

Mar 10, 2017 at 09:41 AM


Hi Experts,

We have found that SAP Web Channel 3.0 is vulnerable to session hijacking.

In order to mitigate the issue, we have implemented the SAP parameter

SessionIPProtectionEnabled set to true

https://help.sap.com/saphelp_nw73/helpdata/en/44/691ccdce2a3675e10000000a114a6b/frameset.htm

The parameter protects the application when it is accessed through the IP or host name.

But when the application is accessed through SAP Web Dispatcher, session hijacking by cookie stealing is possible.

We request you to please help us mitigate the vulnerability when the application is accessed through SAP Web Dispatcher.

Let me know if more details are required from my side.

Regards

Ravi Pandey
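
An added example, not part of the original post and not SAP code: a minimal Python model of IP-bound session checking, showing why such a check can stop distinguishing clients behind a reverse proxy and how honouring a forwarded-address header only from a trusted proxy restores it. It assumes (the post does not state this) that the application server sees the proxy's address as the TCP peer for every client; `SessionStore`, `effective_client_ip` and all addresses are hypothetical.

```python
import ipaddress

# Constructed address of the reverse proxy in front of the application server.
TRUSTED_PROXIES = {ipaddress.ip_address("10.0.0.5")}

def effective_client_ip(peer_ip, headers):
    """Address to bind a session to, given the TCP peer and request headers."""
    peer = ipaddress.ip_address(peer_ip)
    if peer not in TRUSTED_PROXIES:
        return peer  # direct connection: ignore any client-supplied header
    hops = [h.strip() for h in headers.get("X-Forwarded-For", "").split(",") if h.strip()]
    try:
        # Assumption: one trusted proxy that appends the peer it saw as the last hop.
        return ipaddress.ip_address(hops[-1]) if hops else peer
    except ValueError:
        return peer  # malformed header: fall back to the TCP peer

class SessionStore:
    """Binds each session id to the client address seen at login."""
    def __init__(self, use_forwarded):
        self.use_forwarded = use_forwarded
        self.bound = {}

    def _ip(self, peer_ip, headers):
        if self.use_forwarded:
            return effective_client_ip(peer_ip, headers)
        return ipaddress.ip_address(peer_ip)

    def login(self, sid, peer_ip, headers):
        self.bound[sid] = self._ip(peer_ip, headers)

    def accept(self, sid, peer_ip, headers):
        return self.bound.get(sid) == self._ip(peer_ip, headers)

def demo():
    """Same cookie presented from a second client (constructed sample requests)."""
    owner = ("10.0.0.5", {"X-Forwarded-For": "198.51.100.7"})
    other = ("10.0.0.5", {"X-Forwarded-For": "203.0.113.9"})
    direct_spoof = ("203.0.113.9", {"X-Forwarded-For": "198.51.100.7"})
    results = {}
    for name, store in (("peer_only", SessionStore(False)), ("forwarded", SessionStore(True))):
        store.login("sid-1", *owner)
        results[name] = (store.accept("sid-1", *owner), store.accept("sid-1", *other),
                         store.accept("sid-1", *direct_spoof))
    return results

if __name__ == "__main__":
    print(demo())
```

Address binding is only a partial control: clients behind the same NAT share one address, so it complements rather than replaces protection of the session cookie itself.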


0 Answers