SAP Pentest Playbook

How to perform code review in an on-premise ABAP environment

Description

This process describes how to perform an ABAP code review as part of a white box security assessment.

Prerequisites

  • Researcher:

    • You should be familiar with ABAP, e.g. understand the content of SAP courses BC400/BC402
  • Authorizations:

    • Developer read authorizations (S_DEVELOP with display activity, etc.) with access to the development tools, for example SE80, ADT (ABAP Development Tools in Eclipse), SCI, SLIN and the ABAP Test Cockpit (ATC)
    • If available: access to existing static code analysis results such as SAP CVA, SCI or ATC findings

Options

  • Use report RS_ABAP_SOURCE_SCAN
    • This report scans ABAP artifacts for a search pattern, much like the search function of a text editor. It does not perform any data flow analysis, so every pattern in the list below will produce a large number of false positives. Nevertheless, in systems with a significant amount of custom code this report will often reveal critical vulnerabilities within a very short time frame. We recommend focusing on customer and third-party namespaces unless you want to perform 0-day research against SAP standard code.

    • How to: define the code scanning scope. Select all custom and third-party namespaces. Customer namespaces are Y* and Z*; you may add the local package $TMP, /0CUST/ and your own namespace such as /<your_company_name>/ if available. There are also many old customer namespaces like MP9* or DMP9* that you may consider for the scope. Available namespaces are defined in table TRNSPACE (their descriptions in the text table TRNSPACET). Review the list and preferably remove SAP and generated namespaces. Use the selected namespaces to fill out the input fields of report RS_ABAP_SOURCE_SCAN (package, function groups, classes, reports, etc.). Optionally, restrict the scan to individual repository object types to reduce the run time. Then increase the number of lines shown before and after each hit from 2 to 5, or whatever you prefer, so that the surrounding statements are visible without opening each object. Afterwards enter your search string.

    • Pattern examples to search for (search string): use the following table to identify interesting positions in ABAP code related to critical vulnerabilities. The list is a starting point and is not exhaustive; there are many more patterns. If the client has a secure coding guideline that covers more requirements than "just implement authorization checks", expand your pattern list accordingly.

      When you search for patterns, naming conventions can speed up the review: a critical statement using a variable named p_tabname is a good indicator that p_tabname is a selection-screen parameter and therefore user controlled, while gc_string is likely a constant. However, the devil is in the detail ;) and you will see things you never expected.

      Also note that the presence of "#EC CI_* pseudo comments is an indicator that the Code Inspector and/or ATC have been used by a developer; this pseudo comment suppresses findings. Heavy usage of those comments suggests that in some cases a finding was suppressed because the developer lacked the required security background, or because a tight go-live deadline was creatively met by suppressing last-minute findings of the secure software development lifecycle. Such suppressed lines deserve a manual look rather than less attention.

| Vulnerability class | Search pattern | Comment |
|---|---|---|
| ABAP Command Injection 1 | INSERT REPORT | See minimal example coding below |
| ABAP Command Injection 2 | GENERATE SUBROUTINE POOL | |
| System Command Injection 1 | CALL 'SYSTEM' | |
| System Command Injection 2 | SXPG_ | Covers usage of the SXPG_ function modules such as SXPG_COMMAND_EXECUTE |
| Generic Table Reader 1 | SELECT ( | |
| Generic Table Reader 2 | SELECT * FROM ( | |
| Generic Table Reader 3 | SELECT FROM ( | |
| Generic Table Writer 1 | INSERT INTO | |
| Generic Table Writer 2 | FROM ( | |
| Generic Table Writer 3 | FROM TABLE ( | |
| Generic Table Deletion | DELETE FROM ( | |
| Directory Traversal 1 (r+w) | OPEN DATASET | |
| Directory Traversal 2 (w) | TRANSFER | |
| Directory Traversal 3 (r) | READ DATASET | |

Minimal example of a generic ABAP command injection: the name of the report to overwrite comes straight from the selection screen and no authorization check is performed.

REPORT Z_FW_ABAPCMDINJECTION.
" Source: the target report name is taken unchecked from the selection screen
PARAMETERS: report LIKE trdir-name.

TYPES text   TYPE c LENGTH 255.
DATA: tab TYPE TABLE OF text.

" Load the existing source and let the user edit it freely
READ REPORT report INTO tab.
EDITOR-CALL FOR tab.
IF sy-subrc EQ 0.
 " Sink: the edited source is written back, so arbitrary ABAP is created
 " in the named report without any AUTHORITY-CHECK
 INSERT REPORT report FROM tab.
ENDIF.
  • Use the SAP Code Inspector via transaction SCI; you have to define an inspection, an object set and a check variant
  • Use SLIN to run an extended program check
  • Use SAP CVA or a third-party ABAP code scanner; this requires an additional commercial license that must be present. SAP CVA can be used for free in the cloud, thus if a system is connected
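The pattern search described above can also be run offline against ABAP sources exported from the system (for example an abapGit repository) when no RS_ABAP_SOURCE_SCAN access is available. The following script is an added example for this page, not code from the playbook or from SAP: it applies the namespace scope, the search strings from the table, the context-line setting and the two review heuristics from the text (p_/s_ names as a hint for user-controlled input, "#EC CI_* as a hint for suppressed findings). The sample sources, object names and the "#EC CI_DYNTAB pseudo comment in them are constructed; the first sample is the page's own minimal example.

```python
"""Offline stand-in for RS_ABAP_SOURCE_SCAN: scan exported ABAP sources for the
sink patterns in the table above, limited to the selected namespaces, with
context lines and a flag for hits suppressed by a "#EC CI_* pseudo comment."""
import re
from dataclasses import dataclass

# Search strings from the table, grouped by vulnerability class.
PATTERNS = {
    "ABAP Command Injection": ["INSERT REPORT", "GENERATE SUBROUTINE POOL"],
    "System Command Injection": ["CALL 'SYSTEM'", "SXPG_"],
    "Generic Table Reader": ["SELECT (", "SELECT * FROM (", "SELECT FROM ("],
    "Generic Table Writer": ["INSERT INTO", "FROM (", "FROM TABLE ("],
    "Generic Table Deletion": ["DELETE FROM ("],
    "Directory Traversal": ["OPEN DATASET", "TRANSFER", "READ DATASET"],
}
# Naming-convention heuristic (assumption, not a guarantee): p_ (PARAMETERS)
# and s_ (SELECT-OPTIONS) names usually come straight from the selection screen.
USER_INPUT_NAME = re.compile(r"\b[ps]_\w+", re.IGNORECASE)


@dataclass
class Finding:
    obj: str            # repository object name (report, include, class pool)
    line: int           # 1-based line of the hit
    matches: list       # [(vulnerability class, search pattern), ...]
    suppressed: bool    # a "#EC CI_* pseudo comment is on the same line
    user_input: bool    # a p_/s_ name occurs on the same line
    context: list       # surrounding source lines, like the report's output


def in_scope(obj: str, scope_prefixes=("Y", "Z", "/0CUST/")) -> bool:
    """Namespace selection: scan only objects starting with a chosen prefix."""
    return obj.upper().startswith(tuple(p.upper() for p in scope_prefixes))


def code_part(line: str) -> str:
    """Drop * comment lines and trailing " comments, but keep "#EC pseudo
    comments so suppressed findings can still be recognised."""
    if line.startswith("*"):
        return ""
    q = line.find('"')
    if q >= 0 and not line[q:].upper().startswith('"#EC'):
        return line[:q]
    return line


def scan_source(obj: str, lines: list, context: int = 2) -> list:
    """One Finding per source line that contains any search pattern."""
    findings = []
    for idx, raw in enumerate(lines):
        code = code_part(raw).upper()   # ABAP keywords are case-insensitive
        matches = [(vc, pat) for vc, pats in PATTERNS.items()
                   for pat in pats if pat.upper() in code]
        if not matches:
            continue
        findings.append(Finding(
            obj=obj, line=idx + 1, matches=matches,
            suppressed='"#EC CI_' in code,
            user_input=bool(USER_INPUT_NAME.search(code)),
            context=lines[max(0, idx - context):idx + context + 1]))
    return findings


def scan_sources(sources: dict, scope_prefixes=("Y", "Z", "/0CUST/"),
                 context: int = 2) -> list:
    """Scan a {object name: [source lines]} map, honouring the namespace scope."""
    return [f for obj, lines in sources.items() if in_scope(obj, scope_prefixes)
            for f in scan_source(obj, lines, context)]


# Constructed sample sources; the first is the page's own minimal example.
SAMPLE_SOURCES = {
    "Z_FW_ABAPCMDINJECTION": [
        "REPORT z_fw_abapcmdinjection.",
        "PARAMETERS: report LIKE trdir-name.",
        "TYPES text TYPE c LENGTH 255.",
        "DATA: tab TYPE TABLE OF text.",
        "READ REPORT report INTO tab.",
        "EDITOR-CALL FOR tab.",
        "IF sy-subrc EQ 0.",
        "  INSERT REPORT report FROM tab.",
        "ENDIF.",
    ],
    "ZREP_TABLE_DUMP": [          # generic table reader, finding suppressed
        "REPORT zrep_table_dump.",
        "PARAMETERS: p_tabname TYPE tabname.",
        'SELECT * FROM (p_tabname) INTO TABLE <lt_data>. "#EC CI_DYNTAB',
    ],
    "YFILE_READ": [               # directory traversal; commented line ignored
        "REPORT yfile_read.",
        "PARAMETERS: p_file TYPE string.",
        "* READ DATASET p_file INTO lv_line.  (legacy, commented out)",
        "OPEN DATASET p_file FOR INPUT IN TEXT MODE ENCODING DEFAULT.",
        "CLOSE DATASET p_file.",
    ],
    "/SAPEXAMPLE/INCLUDE": [      # fictional SAP-namespace object: out of scope
        "CALL FUNCTION 'SXPG_COMMAND_EXECUTE' EXPORTING commandname = lv_cmd.",
    ],
}

if __name__ == "__main__":
    for f in scan_sources(SAMPLE_SOURCES):
        tags = [t for t, on in (("SUPPRESSED", f.suppressed),
                                ("USER-INPUT", f.user_input)) if on]
        print(f"{f.obj}:{f.line} {f.matches} {' '.join(tags)}")
        print("\n".join("    " + c for c in f.context))
```

Like the SAP report, this is a plain text search: the `FROM (` pattern also fires on every `SELECT * FROM (` hit, and the p_/s_ flag only says that a selection-screen name is on the line, so each hit still has to be traced by hand to decide whether the dynamic name is really user controlled and whether an AUTHORITY-CHECK guards it.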

Outcome

You should now have an idea of how to perform an ABAP code review. Please keep in mind that this list is just a starter; there are many more places where artefacts are stored that are beyond the scope of this quick guide, e.g. LSMW, macros (table TRMAC), and newer concepts such as authorization checks for CDS views.
