One of the ways to interact with a database in SAP systems is Native Structured Query Language (SQL). It lets developers use database-specific statements directly in their ABAP programs. In this section, we discuss a few critical statements that relate to Native SQL.
Potential Backdoor using CLIENT SPECIFIED statement
The CLIENT SPECIFIED addition of the SELECT statement turns automatic client handling off and gives access to clients other than the one you are currently logged on to.
- With this construction, an attacker who can assign a value to sy-mandt (or otherwise control the variable compared with the client field) obtains the data of any client.
- A programmer can leave similar code in place intentionally to collect data without being detected.
SELECT SINGLE ... FROM dbtab CLIENT SPECIFIED WHERE mandt = @sy-mandt AND ... INTO …
SELECT * FROM pa0001 CLIENT SPECIFIED INTO TABLE hr_contents WHERE mandt = '007'. " the client column of PA0001 is MANDT
The CLIENT SPECIFIED option lets a malicious person implement a backdoor that reads the production client from a different client. Attackers can collect data about the client and use it in further attacks, or they can gain access to business-related information.
The only way to avoid the danger related to the CLIENT SPECIFIED addition is not to use this construction at all, since SAP provides client data separation automatically.
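To make the difference concrete, here is an added example that is not code from the original post: a selection-screen parameter stands in for any user-controlled value, and the same selection on PA0001 is written once with CLIENT SPECIFIED and once relying on automatic client handling. The report name, the parameter and the table variables are assumptions.

```abap
REPORT zcheck_client_specified.

" Constructed input: a selection-screen parameter stands in for any value an
" end user, an RFC caller or a manipulated sy-mandt could supply.
PARAMETERS p_client TYPE sy-mandt DEFAULT sy-mandt.

DATA lt_any_client TYPE STANDARD TABLE OF pa0001 WITH EMPTY KEY.
DATA lt_own_client TYPE STANDARD TABLE OF pa0001 WITH EMPTY KEY.

" Unsafe: CLIENT SPECIFIED switches automatic client handling off, so the
" client filter is whatever the program puts in the WHERE clause. Here the
" caller chooses it, which is the backdoor pattern described in the text.
SELECT * FROM pa0001 CLIENT SPECIFIED
  WHERE mandt = @p_client
  INTO TABLE @lt_any_client.

" Safe: without CLIENT SPECIFIED the Open SQL interface adds the condition
" mandt = sy-mandt itself, and no parameter can change which client is read.
SELECT * FROM pa0001
  INTO TABLE @lt_own_client.

WRITE: / |Rows read from the current client: { lines( lt_own_client ) }|.
```

Statements with CLIENT SPECIFIED are easy to find in a code review or an ATC run by searching for the keyword; any hit whose client condition comes from a variable rather than a literal for a documented cross-client purpose deserves a closer look.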
Use of ABAP Managed Database Procedures (AMDP)
ABAP Managed Database Procedures (AMDP) allow Native SQL code to be written in the methods of an ABAP class; these methods can then be called from ABAP programs. When an AMDP method is invoked for the first time, the stored procedure is created on the database server. Currently, AMDP supports only the HANA database. Example:
CLASS cl_dyn_amdp IMPLEMENTATION.
  METHOD increase_seatsocc BY DATABASE PROCEDURE FOR HDB LANGUAGE SQLSCRIPT
    USING sflight.
    -- :seats is concatenated straight into the statement text, so a caller
    -- who controls it controls the SQL that HANA executes.
    EXEC 'UPDATE sflight SET seatsocc = seatsocc + ' || :seats;
  ENDMETHOD.
ENDCLASS.
The presence of this statement in a program is a potential security hole: if a parameter controlled by the user (here :seats) reaches the dynamically built SQL string, the result is SQL injection.
SAP recommends using AMDP only in cases specific to the HANA database, or when there is too much data to transfer between the DBMS and the application server. In all remaining cases, use Open SQL.
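The following added example (not code from the original post or from SAP) puts the dynamic EXEC pattern next to the static SQLScript form that avoids it. The class name zcl_flight_amdp, the method names and the parameter names are assumptions; the table and column (sflight, seatsocc) are the ones used above. Because AMDP performs no implicit client handling, the client is passed in explicitly as iv_mandt.

```abap
CLASS zcl_flight_amdp DEFINITION PUBLIC FINAL CREATE PUBLIC.
  PUBLIC SECTION.
    INTERFACES if_amdp_marker_hdb.
    " Unsafe: the caller-supplied string becomes part of a dynamic statement.
    METHODS increase_seatsocc_unsafe
      IMPORTING VALUE(iv_mandt) TYPE mandt
                VALUE(iv_seats) TYPE string.
    " Safe: static SQLScript, the values are bound, never parsed as SQL.
    METHODS increase_seatsocc_safe
      IMPORTING VALUE(iv_mandt)  TYPE mandt
                VALUE(iv_carrid) TYPE s_carr_id
                VALUE(iv_seats)  TYPE i.
ENDCLASS.

CLASS zcl_flight_amdp IMPLEMENTATION.
  METHOD increase_seatsocc_unsafe BY DATABASE PROCEDURE FOR HDB LANGUAGE SQLSCRIPT
    USING sflight.
    -- Same pattern as the example in the text: string concatenation into EXEC.
    -- Whatever :iv_seats contains is executed as SQL, and the WHERE clause
    -- is only as trustworthy as the concatenated pieces.
    EXEC 'UPDATE sflight SET seatsocc = seatsocc + ' || :iv_seats
         || ' WHERE mandt = ''' || :iv_mandt || '''';
  ENDMETHOD.

  METHOD increase_seatsocc_safe BY DATABASE PROCEDURE FOR HDB LANGUAGE SQLSCRIPT
    USING sflight.
    -- Static statement: the procedure parameters are typed values in the
    -- plan, so no input can change the structure of the UPDATE.
    UPDATE sflight SET seatsocc = seatsocc + :iv_seats
      WHERE mandt = :iv_mandt AND carrid = :iv_carrid;
  ENDMETHOD.
ENDCLASS.
```

A caller in an ABAP program would invoke the safe variant as `NEW zcl_flight_amdp( )->increase_seatsocc_safe( iv_mandt = sy-mandt iv_carrid = 'LH' iv_seats = 2 )`. Two things make the safe form robust: the statement text is fixed at design time, and the ABAP parameter types (s_carr_id is three characters, iv_seats is an integer) already reject most malformed input before the procedure is reached. In a review, any EXEC or EXECUTE IMMEDIATE whose string is built with `||` from method parameters is the line to inspect.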
Use of critical ADBC call
According to SAP documentation, ADBC (ABAP Database Connectivity) is an API for the Native SQL interface of the AS ABAP that is based on ABAP Objects. The ADBC methods pass Native SQL statements to the database interface. ADBC supports
- sending database-specific SQL commands to a database system and processing the result;
- establishing and administering database connections.
In ADBC, queries are executed using the instance methods of the CL_SQL_STATEMENT class.
Every function or method that executes a SQL query can be a source of security risk, for example when the statement contains user input. Such a statement opens up attacks of different types, ranging from espionage to sabotage.
If you use these statements in your application, make sure that no user-controlled parameters reach the SQL query, or that they are filtered properly.
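As an added example that is not part of the original post, the report below contrasts an ADBC query whose text is assembled from a selection-screen parameter with the same query using the parameter markers (`?`) and SET_PARAM of CL_SQL_STATEMENT, which are the ADBC counterpart of Open SQL host variables. The report name, the local class, its method names and the column selection on SFLIGHT are assumptions; the ADBC methods used (EXECUTE_QUERY, SET_PARAM, SET_PARAM_TABLE, NEXT_PACKAGE, CLOSE) are the standard ones. Note that Native SQL adds no client condition by itself, so the client is part of the statement in both variants.

```abap
REPORT zadbc_param_demo.

" Constructed input: a selection-screen parameter stands in for user input.
PARAMETERS p_carrid TYPE s_carr_id DEFAULT 'LH'.

CLASS lcl_adbc_demo DEFINITION.
  PUBLIC SECTION.
    TYPES: BEGIN OF ty_flight,
             carrid   TYPE s_carr_id,
             connid   TYPE s_conn_id,
             seatsocc TYPE s_seatsocc,
           END OF ty_flight,
           tt_flight TYPE STANDARD TABLE OF ty_flight WITH EMPTY KEY.
    " Unsafe: the input is pasted into the statement text.
    CLASS-METHODS select_unsafe
      IMPORTING iv_carrid         TYPE s_carr_id
      RETURNING VALUE(rt_flights) TYPE tt_flight
      RAISING   cx_sql_exception.
    " Safe: the statement text is constant, the input travels as a bound value.
    CLASS-METHODS select_safe
      IMPORTING iv_carrid         TYPE s_carr_id
      RETURNING VALUE(rt_flights) TYPE tt_flight
      RAISING   cx_sql_exception.
ENDCLASS.

CLASS lcl_adbc_demo IMPLEMENTATION.
  METHOD select_unsafe.
    DATA(lo_stmt) = NEW cl_sql_statement( ).
    " Whatever iv_carrid contains becomes part of the SQL text: the injection
    " pattern the text warns about.
    DATA(lv_sql) = |SELECT carrid, connid, seatsocc FROM sflight | &&
                   |WHERE mandt = '{ sy-mandt }' AND carrid = '{ iv_carrid }'|.
    DATA(lo_result) = lo_stmt->execute_query( lv_sql ).
    lo_result->set_param_table( REF #( rt_flights ) ).
    lo_result->next_package( ).
    lo_result->close( ).
  ENDMETHOD.

  METHOD select_safe.
    DATA(lo_stmt)   = NEW cl_sql_statement( ).
    DATA(lv_mandt)  = sy-mandt.
    DATA(lv_carrid) = iv_carrid.
    " Bind one value per ? marker, in order. The database receives the
    " statement text and the values separately, so the values are never
    " parsed as SQL, and s_carr_id limits the input to three characters.
    lo_stmt->set_param( REF #( lv_mandt ) ).
    lo_stmt->set_param( REF #( lv_carrid ) ).
    DATA(lo_result) = lo_stmt->execute_query(
      `SELECT carrid, connid, seatsocc FROM sflight WHERE mandt = ? AND carrid = ?` ).
    lo_result->set_param_table( REF #( rt_flights ) ).
    lo_result->next_package( ).
    lo_result->close( ).
  ENDMETHOD.
ENDCLASS.

START-OF-SELECTION.
  TRY.
      DATA(lt_flights) = lcl_adbc_demo=>select_safe( p_carrid ).
      LOOP AT lt_flights INTO DATA(ls_flight).
        WRITE: / ls_flight-carrid, ls_flight-connid, ls_flight-seatsocc.
      ENDLOOP.
    CATCH cx_sql_exception INTO DATA(lx_sql).
      WRITE: / lx_sql->get_text( ).
  ENDTRY.
```

When reviewing ADBC code, the question to ask of every EXECUTE_QUERY, EXECUTE_UPDATE or EXECUTE_DDL call is whether the string passed to it was built at runtime from anything a user, a caller or a configuration table can influence; if so, the fix is to move those pieces into bound parameters as in select_safe, not to add string filtering.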
That’s it for Native SQL. The next ‘Critical Calls’ entry of the Secure ABAP Development Guide section will cover SAP Technology Development Statements.