
Session hijacking in SAP Web Channel on SAP NetWeaver 7.3

Former Member
0 Kudos

Hi Experts,

We have found an issue: SAP Web Channel 3.0 is vulnerable to session hijacking.

In order to mitigate the issue, we have set the SAP parameter

SessionIPProtectionEnabled to true

https://help.sap.com/saphelp_nw73/helpdata/en/44/691ccdce2a3675e10000000a114a6b/frameset.htm

The parameter protects the application when it is accessed through the IP or host name.

But when the application is accessed through SAP Web Dispatcher, session hijacking by cookie stealing is possible.

We request you to please help us mitigate the vulnerability when the application is accessed through SAP Web Dispatcher.

Let me know if more details are required from my side.

Regards

Ravi Pandey
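
An added illustration, not part of the original post and not SAP code: a toy session store that binds a cookie to the client IP, showing how such a check can pass a replayed cookie when every request reaches the server from the reverse proxy's address, and how resolving the client address from a trusted proxy's header restores it. It assumes the check compares the TCP peer address and that the proxy appends the client address to X-Forwarded-For; all addresses and function names are constructed.

```python
import ipaddress

# Constructed addresses (documentation ranges), not taken from the original post.
DISPATCHER_IP = "192.0.2.10"   # reverse proxy in front of the application server
VICTIM_IP = "198.51.100.20"    # client that logged in
OTHER_IP = "203.0.113.30"      # different client presenting the same cookie
TRUSTED_PROXIES = {DISPATCHER_IP}

def peer_only_ip(peer_ip, headers):
    """Naive binding: use the TCP peer address, whatever it is."""
    return peer_ip

def proxy_aware_ip(peer_ip, headers):
    """Use the forwarded address only when the peer is a trusted proxy."""
    if peer_ip not in TRUSTED_PROXIES:
        return peer_ip  # direct access: the header is client-controlled, ignore it
    # Assumption: the proxy appends the address it saw, so the right-most
    # entry is the one the proxy vouches for.
    last_hop = headers.get("X-Forwarded-For", "").split(",")[-1].strip()
    try:
        return str(ipaddress.ip_address(last_hop))
    except ValueError:
        return peer_ip  # missing or malformed header: fall back to the peer

class SessionStore:
    """Binds each session cookie to the client address seen at login."""

    def __init__(self, resolve_ip):
        self.resolve_ip = resolve_ip
        self.bound_ip = {}

    def login(self, cookie, peer_ip, headers=None):
        self.bound_ip[cookie] = self.resolve_ip(peer_ip, headers or {})

    def is_valid(self, cookie, peer_ip, headers=None):
        seen = self.resolve_ip(peer_ip, headers or {})
        return self.bound_ip.get(cookie) == seen

def replay_accepted(resolve_ip, via_proxy):
    """Victim logs in, then the same cookie arrives from OTHER_IP."""
    store = SessionStore(resolve_ip)
    if via_proxy:
        store.login("c1", DISPATCHER_IP, {"X-Forwarded-For": VICTIM_IP})
        return store.is_valid("c1", DISPATCHER_IP, {"X-Forwarded-For": OTHER_IP})
    store.login("c1", VICTIM_IP)
    return store.is_valid("c1", OTHER_IP)
```

IP binding is a secondary control in either form: clients behind the same NAT or egress proxy share an address, so the Secure and HttpOnly cookie attributes and TLS on every hop remain the primary protection against cookie theft.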

Accepted Solutions (0)

Answers (0)