
© 2014 Virtual Forge GmbH | www.virtualforge.com | All rights reserved.

Dr. Markus Schumacher

March 18, 2014, Heidelberg

SAP Security 2014 – Protecting Your SAP Systems Against Hackers And Industrial Espionage

Ten golden rules for coding authorization checks in ABAP

Andreas Wiegenstein


Andreas Wiegenstein (Twitter: @codeprofiler)

Founder of Virtual Forge (Heidelberg), responsible for R&D

SAP Security Researcher, active since 2003

Received Credits from SAP for 66 reported 0-day Vulnerabilities

Speaker at international Conferences

SAP TechEd (USA & Europe), DSAG (Europe)

BlackHat (Europe), Hack in the Box (Europe)

Troopers (Europe), IT Defense (Europe), RSA (USA)

Co-Author of "Sichere ABAP Programmierung" (SAP Press, 2009)

Co-Author of "ABAP Best Practices Guideline" (DSAG, 2013/2014)

Created training class WDESA3 (ABAP Security) @ SAP University

My car, my house, my boat, …


Authorizations in Custom Code

Ongoing survey, results as of March 12, 2014


Golden Rule #1

Perform authority checks

General advice

Check with your business department whether (and which) authorizations are required in order to execute the business logic you provide.

As a fallback, analyze code that is similar to your business process for authorization checks.

If authority checks are required for your custom business logic, add them to your code.

On average there are 866 missing authority checks in custom code.


Golden Rule #1

Perform authority checks (cont’d)

Specific advice

Don't rely on S_RFC authorizations. They only determine *whether* a function module can be invoked remotely. They are by no means related to the specific business logic of your custom code. You don't want users with S_RFC * authorizations to be able to issue purchase orders or to raise someone's salary. Auditors don't like this either...

Don't rely on authorization groups assigned to reports. They are usually coarse-grained, as the same authorization group is used for multiple programs. And they are not necessarily related to the specific business logic of your custom code.

Always check start authorizations when using CALL TRANSACTION, as no implicit start authorization check is performed by the kernel.

Function module AUTHORITY_CHECK_TCODE

Since 740: CALL TRANSACTION … WITH AUTHORITY-CHECK


Golden Rule #2

Perform authority checks according to SAP standard functionality

General advice

Always use functionality based on the ABAP command AUTHORITY-CHECK in order to perform authorization checks.

(A common bad practice is to base authorizations on usernames.)

On average there are 187 hard-coded username checks in custom code.


Golden Rule #3

Check the result of an authority check

General advice

Always check the result of sy-subrc after you perform an AUTHORITY-CHECK. A sy-subrc value of zero means the authorization is sufficient.

Since other ABAP commands also change sy-subrc, make sure to perform the sy-subrc check *immediately* after the AUTHORITY-CHECK.

On average there are 13 broken authority checks in custom code.


Golden Rule #4

Perform authority checks for the user that is actually logged on

General advice

Only check the authorization of the currently logged on user (by avoiding the optional parameter FOR USER).

On average there are 2 ‘alias’ authority checks in custom code.
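The pitfalls of rules #2, #3 and #4 side by side with the corrected check, as an added example that is not taken from the slides. The report name, the company code, the user name, the message class ZFI and the use of the SAP standard object F_BKPF_BUK are assumptions made for this example.

```abap
REPORT zvf_rules_2_3_4_demo.   " constructed report name

DATA: lv_bukrs TYPE bukrs VALUE '1000',          " constructed company code
      lt_bkpf  TYPE STANDARD TABLE OF bkpf.

" ---- Weak form: what rules #2, #3 and #4 warn against ----
" Rule #2: a user name is not an authorization. Administrators can change
" roles; a hard-coded name bypasses the role concept entirely.
IF sy-uname = 'ZFI_ADMIN'.                        " constructed user name
  " ... privileged logic ...
ENDIF.

" Rule #3: the SELECT below overwrites sy-subrc, so the IF tests the
" query result and the outcome of the authority check is silently lost.
AUTHORITY-CHECK OBJECT 'F_BKPF_BUK'
  ID 'BUKRS' FIELD lv_bukrs
  ID 'ACTVT' FIELD '03'.
SELECT * FROM bkpf INTO TABLE lt_bkpf WHERE bukrs = lv_bukrs.
IF sy-subrc = 0.
  " ... display documents ...
ENDIF.

" Rule #4: FOR USER evaluates another user's authorizations instead of
" those of the person who is actually logged on.
AUTHORITY-CHECK OBJECT 'F_BKPF_BUK' FOR USER 'ZFI_ADMIN'
  ID 'BUKRS' FIELD lv_bukrs
  ID 'ACTVT' FIELD '03'.

" ---- Corrected form ----
" Check the logged-on user, evaluate sy-subrc right away, and only then
" read the data.
AUTHORITY-CHECK OBJECT 'F_BKPF_BUK'
  ID 'BUKRS' FIELD lv_bukrs
  ID 'ACTVT' FIELD '03'.
IF sy-subrc <> 0.
  MESSAGE e001(zfi) WITH lv_bukrs.               " constructed message class
ENDIF.
SELECT * FROM bkpf INTO TABLE lt_bkpf WHERE bukrs = lv_bukrs.
```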


Golden Rule #5

Always use APIs instead of AUTHORITY-CHECK, if they exist

General advice

Always use specialized API functions for authorization checks instead of AUTHORITY-CHECK.

Specific advice

Use AUTHORITY_CHECK_TCODE instead of S_TCODE

Use AUTHORITY_CHECK_DATASET instead of S_DATASET / S_PATH

On average there are 92 insufficient authority checks in custom code.
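The start-authorization check that rule #1 demands before CALL TRANSACTION, done through the API that rule #5 recommends, as an added example not taken from the slides. The report name, the transaction code and the message class ZFI are assumptions.

```abap
REPORT zvf_calltrans_demo.   " constructed report name

DATA lv_tcode TYPE sy-tcode VALUE 'ZFI_POST'.   " constructed transaction code

" Rules #1 and #5: CALL TRANSACTION performs no start-authorization check
" of its own, so let the SAP API check S_TCODE before the call instead of
" coding the AUTHORITY-CHECK on S_TCODE by hand.
CALL FUNCTION 'AUTHORITY_CHECK_TCODE'
  EXPORTING
    tcode  = lv_tcode
  EXCEPTIONS
    ok     = 0
    not_ok = 1
    OTHERS = 2.
IF sy-subrc <> 0.                       " rule #3: evaluated immediately
  MESSAGE e002(zfi) WITH lv_tcode.      " constructed message
ENDIF.

CALL TRANSACTION lv_tcode.              " reached only by authorized users

" From release 740 the same check can be delegated to the kernel:
"   CALL TRANSACTION lv_tcode WITH AUTHORITY-CHECK.
" A missing start authorization then raises CX_SY_AUTHORIZATION_ERROR,
" which the calling program has to handle.
```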


Golden Rule #6

Declare all fields of the authorization object

General advice

Always use specialized API functions for authorization checks instead of AUTHORITY-CHECK.

Specific advice

Always make sure to specify all fields of the authorization object you check. If there are fields you don't want to check, mark them as DUMMY in order to make your intentions explicit.

No meaningful statistical information available at this time.


Golden Rule #7

Don't use DUMMY values in important fields

General advice

Do not use DUMMY values in important authorization fields like 'ACTVT'.

On average there are 8 DUMMY authority checks (ACTVT) in custom code.


Golden Rule #8

Don't program privileging authorization checks

AUTHORITY-CHECK OBJECT 'S_DEVELOP'
  ID 'DEVCLASS' FIELD '*'
  ID 'OBJTYPE'  FIELD 'PROG'
  ID 'OBJNAME'  FIELD lv_prog
  ID 'P_GROUP'  DUMMY " Field not required in this context
  ID 'ACTVT'    FIELD '03'.
IF sy-subrc = 0.
  READ REPORT lv_prog INTO lt_code.
ENDIF.

General advice

Avoid "*" values in authorization fields, as they force administrators to grant unnecessarily high privileges to users.

On average there are 2 privileging authority checks (ACTVT) in custom code.
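The S_DEVELOP check from the slide above rewritten so that it follows rules #6, #7 and #8 at once, as an added example not taken from the slides: the package is looked up in TADIR instead of being wildcarded, every field is named, and only the genuinely irrelevant one is DUMMY. The report name, the program name and the message class ZFI are assumptions.

```abap
REPORT zvf_sdevelop_demo.   " constructed report name

DATA: lv_prog     TYPE progname VALUE 'ZFI_REPORT',   " constructed program name
      lv_devclass TYPE devclass,
      lt_code     TYPE STANDARD TABLE OF string.

" Rule #8: no '*' for DEVCLASS. Look up the package the program really
" belongs to (TADIR) and check exactly that, so administrators can grant
" S_DEVELOP for one package instead of for all of them.
SELECT SINGLE devclass FROM tadir INTO lv_devclass
  WHERE pgmid    = 'R3TR'
    AND object   = 'PROG'
    AND obj_name = lv_prog.
IF sy-subrc <> 0.
  MESSAGE e003(zfi) WITH lv_prog.   " constructed message: program unknown
ENDIF.

" Rules #6 and #7: every field of S_DEVELOP is named. P_GROUP is
" deliberately DUMMY (not needed here); ACTVT carries the real activity
" (03 = display) rather than a DUMMY.
AUTHORITY-CHECK OBJECT 'S_DEVELOP'
  ID 'DEVCLASS' FIELD lv_devclass
  ID 'OBJTYPE'  FIELD 'PROG'
  ID 'OBJNAME'  FIELD lv_prog
  ID 'P_GROUP'  DUMMY
  ID 'ACTVT'    FIELD '03'.
IF sy-subrc <> 0.                     " rule #3: evaluated immediately
  MESSAGE e004(zfi) WITH lv_prog.
ENDIF.

READ REPORT lv_prog INTO lt_code.     " reached only with sufficient rights
```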


Golden Rule #9

Make authorization checks early in your business logic

General advice

If an authorization check is required for a given business logic, it should be checked as early as possible.

No meaningful statistical information available at this time.


Golden Rule #10

Perform authorization checks in order to avoid dumps

Specific advice

Always make sure to test for S_DATASET and S_PATH authorizations before you open a server-side file.

No meaningful statistical information available at this time.
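Rule #10 (and rule #9's "check early") in practice, as an added example not taken from the slides: the S_DATASET / S_PATH check goes through AUTHORITY_CHECK_DATASET, the API rule #5 names, before OPEN DATASET is reached, so a user without the authorization gets a message instead of a runtime error. The report name, the file path and the message class ZFI are constructed for this example.

```abap
REPORT zvf_dataset_demo.   " constructed report name

TYPE-POOLS sabc.           " activity constants for AUTHORITY_CHECK_DATASET

" constructed server-side path
DATA: lv_file TYPE rlgrap-filename VALUE '/usr/sap/trans/data/zfi_import.txt',
      lv_line TYPE string.

" Rule #10 (and rule #9: check early): let the SAP API test S_DATASET and
" S_PATH for a read before OPEN DATASET is ever reached. A user without
" the authorization gets a message instead of a short dump.
CALL FUNCTION 'AUTHORITY_CHECK_DATASET'
  EXPORTING
    program          = sy-repid
    activity         = sabc_act_read
    filename         = lv_file
  EXCEPTIONS
    no_authority     = 1
    activity_unknown = 2
    OTHERS           = 3.
IF sy-subrc <> 0.                      " rule #3: evaluated immediately
  MESSAGE e005(zfi) WITH lv_file.      " constructed message
ENDIF.

OPEN DATASET lv_file FOR INPUT IN TEXT MODE ENCODING DEFAULT.
IF sy-subrc <> 0.
  MESSAGE e006(zfi) WITH lv_file.      " constructed message: cannot open
ENDIF.
DO.
  READ DATASET lv_file INTO lv_line.
  IF sy-subrc <> 0.
    EXIT.                              " end of file
  ENDIF.
  " ... process lv_line ...
ENDDO.
CLOSE DATASET lv_file.
```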


Further Information

Blog Post “Ten golden rules for ABAP authorization checks”

https://www.virtualforge.com/en/blog/post/ten_golden_rules_authorizations_en.html


Twitter: @codeprofiler


Thank you for your attention

Andreas Wiegenstein

CTO


Disclaimer

SAP, R/3, ABAP, SAP GUI, SAP NetWeaver and other SAP products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of SAP AG in Germany and other countries. All other product and service names mentioned are the trademarks of their respective companies. Data contained in this document serves informational purposes only.

The authors assume no responsibility for errors or omissions in this document. The authors do not warrant the accuracy or completeness of the information, text, graphics, links, or other items contained within this material. This document is provided without a warranty of any kind, either express or implied, including but not limited to the implied warranties of merchantability, fitness for a particular purpose, or non-infringement. The authors shall have no liability for damages of any kind including without limitation direct, special, indirect, or consequential damages that may result from the use of this document.

No part of this document may be reproduced without the prior written permission of Virtual Forge GmbH.

© 2014 Virtual Forge GmbH.