Former Member

Session hijacking in SAP Web Channel on SAP NetWeaver 7.3

Hi Experts,

We have found that SAP Web Channel 3.0 is vulnerable to session hijacking.

In order to mitigate the issue, we have set the SAP parameter SessionIPProtectionEnabled to true:

https://help.sap.com/saphelp_nw73/helpdata/en/44/691ccdce2a3675e10000000a114a6b/frameset.htm

The parameter protects the application when it is accessed through the IP or host name.

But when the application is accessed through SAP Web Dispatcher, session hijacking by cookie stealing is possible.

We request you to please help us mitigate the vulnerability when the application is accessed through SAP Web Dispatcher.

Let me know if more details are required from my side.

Regards

Ravi Pandey


0 Answers