HTTP Header Injection

Injections are vulnerabilities that occur when an application performs no validation of user input, or validates it badly. An attacker can inject malicious data and so perform unintended actions in a system. Such a vulnerability may result in the major SAP risks (Espionage, Sabotage, and Fraud).

We continue considering Injections from the list that we discussed in our Introduction to Secure ABAP Development Guide.

Earlier we spotlighted the following subtypes of Injections:

  1. SAP SQL Injections
  2. SAP OS Command Injection
  3. ABAP Code Injection

Now it’s HTTP Header Injection’s turn.

HTTP Header Injection is a vulnerability that appears when Hypertext Transfer Protocol (HTTP) headers are dynamically generated from user input. For example, in ABAP the ‘set_cookie’ method of the ‘IF_HTTP_ENTITY’ interface is used to set a cookie in the browser. If data from an untrusted source reaches the cookie in the response, an attacker can manipulate the user’s cookie.

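 " Vulnerable: the redirect target is taken unchanged from the request.
 DATA: url TYPE string.
 url = request->get_form_field( 'url' ).
 IF url IS NOT INITIAL.
   response->redirect( url ).
   navigation->response_complete( ).
 ENDIF.

 " Vulnerable: the cookie value is taken unchanged from the request.
 DATA: author TYPE string.
 author = request->get_form_field( 'author' ).
 response->set_cookie( name = 'author' value = author ).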

In this case, the data specified by the user passes from the request directly to the ‘set_cookie’ method without filtering. The attacker will be able to take over the user’s session and perform actions on the user’s behalf or gain access to sensitive information. This may lead to serious business risks, including espionage or fraud.

Remediation

The best remediation for this vulnerability is to avoid storing any confidential data in a cookie. System IDs, host names, and non-public IP addresses of target servers can become a target of an attack. If your system must store such information in a cookie, use a hash procedure for one-way encryption. In addition, to improve the general security level of the system, set the icm/HTTP/logging_0 parameter to LOGFILE=path_to_file to log HTTP requests.
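
The two snippets above can also be hardened by checking request data against an allow-list before it reaches a response header. The following is an added example, not code from the original post; it assumes the same BSP handler context (request, response, navigation), and the character class, length limit and page names are hypothetical.

```abap
DATA: author TYPE string,
      url    TYPE string.

author = request->get_form_field( 'author' ).
IF author IS NOT INITIAL.
  " Accept only a short run of harmless characters (hypothetical policy).
  " CR and LF are not in the class, so the value cannot end the
  " Set-Cookie header line and start a header of the sender's choosing.
  IF matches( val = author regex = '^[A-Za-z0-9_.-]{1,64}$' ).
    response->set_cookie( name = 'author' value = author ).
  ELSE.
    " Reject instead of trying to repair the value.
    response->set_status( code = 400 reason = 'Bad Request' ).
  ENDIF.
ENDIF.

url = request->get_form_field( 'url' ).
IF url IS NOT INITIAL.
  " Redirect only to targets the application itself defines
  " (hypothetical page names), never to the raw request value.
  CASE url.
    WHEN 'home.htm' OR 'orders.htm'.
      response->redirect( url ).
    WHEN OTHERS.
      response->set_status( code = 400 reason = 'Bad Request' ).
  ENDCASE.
  navigation->response_complete( ).
ENDIF.
```

Rejected values are worth reviewing in the HTTP log enabled through icm/HTTP/logging_0, since repeated 400 responses on these fields indicate probing.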

Further Steps

Use authority checks to increase the security of your code. They do not guarantee complete safety from injections, but they can sometimes prevent attacks. For example, check the user’s access rights before the execution of INSERT REPORT. For this purpose, use the AUTHORITY-CHECK command:

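" Check that the user may change the program before it is written.
AUTHORITY-CHECK OBJECT 'S_DEVELOP'
    ID 'ACTVT' FIELD '02'
    ID 'DEVCLASS' FIELD devclss
    ID 'OBJNAME' FIELD objname
    ID 'OBJTYPE' FIELD 'PROG'
    ID 'P_GROUP' DUMMY. " DUMMY: this field is not evaluated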

IF sy-subrc <> 0.
    LEAVE PROGRAM.
ENDIF.

APPEND u_input TO src.
INSERT REPORT prg_name FROM src.

'ACTVT' is for operations that a user is allowed to execute. Value '02' means that a user has rights to change the program.

This is all for today and we hope the article has clarified all your questions concerning HTTP Header Injection.

The post HTTP Header Injection appeared first on ERPScan.



This is a Security Bloggers Network syndicated blog post authored by Research Team. Read the original post at: Blog – ERPScan