XSRF Protection in Portal Applications

Hi All,

We have SAP Enterprise Portal 7.3 and 7.5 versions with custom Portal applications running on them. We tried to implement XSRF protection for our custom PDK applications based on SAP Note 1544240 - Unauthorized use of application functions in SAP NW Portal. We would like to know: is it essential to implement XSRF protection for HTMLB form controls as well, or are they protected by default?

Kindly provide your comments/suggestions in this regard.

Regards,

Venkatesh K
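For readers arriving at this thread, the following is an added, self-contained Java example (not code from the original post, and not SAP's PDK or HTMLB API) of the synchronizer-token pattern that SAP Note 1544240 style XSRF protection for custom HTML forms relies on: a random per-session token is rendered into every state-changing form as a hidden field and compared on submit with a constant-time check. The class name `XsrfTokenDemo`, the parameter name `xsrf_token`, the session id string and the in-memory session map are all constructed assumptions standing in for the real servlet session; in a PDK application the token would live in the user's session and the check would run before any action handler.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.Base64;
import java.util.HashMap;
import java.util.Map;

// Synchronizer-token pattern for form-based XSRF protection.
// All names here are hypothetical; this is not the SAP PDK or HTMLB API.
public class XsrfTokenDemo {

    // Hypothetical name of the hidden form parameter carrying the token.
    static final String TOKEN_PARAM = "xsrf_token";
    private static final SecureRandom RNG = new SecureRandom();

    // Stand-in for the servlet session store: session id -> token.
    private final Map<String, String> sessionTokens = new HashMap<>();

    // Issue the token bound to this session, or reuse the existing one.
    public String tokenFor(String sessionId) {
        return sessionTokens.computeIfAbsent(sessionId, id -> {
            byte[] raw = new byte[32]; // 256 bits from a CSPRNG
            RNG.nextBytes(raw);
            // URL-safe base64 contains no characters that need HTML escaping.
            return Base64.getUrlEncoder().withoutPadding().encodeToString(raw);
        });
    }

    // Render the hidden field that every state-changing form must include.
    public String hiddenField(String sessionId) {
        return "<input type=\"hidden\" name=\"" + TOKEN_PARAM + "\" value=\""
             + tokenFor(sessionId) + "\"/>";
    }

    // Validate a submitted token: reject unknown sessions and missing tokens,
    // and compare in constant time so the check leaks nothing via timing.
    public boolean isValid(String sessionId, String submitted) {
        String expected = sessionTokens.get(sessionId);
        if (expected == null || submitted == null) {
            return false;
        }
        return MessageDigest.isEqual(expected.getBytes(StandardCharsets.UTF_8),
                                     submitted.getBytes(StandardCharsets.UTF_8));
    }

    public static void main(String[] args) {
        XsrfTokenDemo guard = new XsrfTokenDemo();
        String session = "constructed-session-id-1"; // constructed sample value

        // The application renders the form and embeds the session's token.
        System.out.println(guard.hiddenField(session));

        // Legitimate submit: the browser posts back the token it was given.
        String token = guard.tokenFor(session);
        System.out.println("own form accepted: " + guard.isValid(session, token));

        // Cross-site submit: a third-party page cannot read the victim's token,
        // so whatever it sends (or omits) fails validation.
        System.out.println("forged form accepted: " + guard.isValid(session, "guessed-value"));
        System.out.println("missing token accepted: " + guard.isValid(session, null));
        System.out.println("unknown session accepted: " + guard.isValid("other-session", token));
    }
}
```

The design choice that matters is the binding of the token to the session on the server side: the token is only as protective as the server's refusal to execute an action whose request does not carry it, which is why the check must sit in front of every handler that changes state rather than only in the forms that happen to be hand-written.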

Hi Folks,

Kindly provide your comments on the above query.

Regards,
Venkatesh K

Accepted Solutions (0)

Answers (1)

former_member21160
Participant
Hi Venkatesh,

If you have ClickJacking on your systems, then it would be necessary to have.
Clickjacking note for both AS ABAP and AS Java:
2319727 - Clickjacking protection framework in SAP Netweaver AS ABAP and AS Java
The note above covers a lot of details in terms of clickjacking.

In terms of HTMLB, it mentions a note that needs to be applied:
2263656 - Whitelist based Clickjacking Framing Protection in HTMLB Java

Note 1544240 is quite old but there is another one as well that might be of help:
1669901 - Unauthorized use of application functions in personalization

Let me know if you have any other queries and I hope this was helpful.

Best Regards,
Jinnyre

Hi Jinnyre,

Thanks for your response. We haven't enabled ClickJacking on our AS Java System.

Also, as I mentioned, we have PDK applications using HTML and hbj controls. We have implemented XSRF protection for the HTML forms. Our only concern is whether it is mandatory to do the XSRF protection for HTMLB controls as well. Are HTMLB controls vulnerable to XSRF attacks? Kindly provide your inputs.

Regards,

Venkatesh K