ABAP Keyword Documentation → ABAP - Security Notes → Further Security Risks
Obscuring ABAP Source Code
ABAP source code is obscured if tasks that could be performed directly are instead performed by detours that disguise their real purpose. One common form of obscured code is found when information that could be specified statically is specified using dynamic programming techniques instead. Code can be obscured for one of the following reasons:
- One form of obscured code (which is not directly malicious) is often used to bypass static checks, for example to hide code that would otherwise produce false positives.
- Code is obscured for malicious purposes to disguise back doors and other forms of attacks using injections.
In general, any type of obscured code presents a security risk. Instead of bypassing static checks by using obscured code, false positives should be handled using other methods, such as exemptions. Obscured code can often only be detected using a two-man rule (code inspections).
Example
Maliciously obscured code in a user-dependent program flow. The literal `SY-UNAME` is resolved only at runtime, so a static check does not see the dependency on the current user; this can generally only be detected using code inspections.
DATA(field) = `SY-UNAME`.
ASSIGN (field) TO FIELD-SYMBOL(<field>).
...
IF <field> = `...`.
...
ENDIF.
Example
Code obscured without malicious intent. In an HTTP request handler, an HTML file is created by calling a method in which potential cross site scripting (XSS) has already been prevented. A static security check that ignores the called method can nevertheless classify this as a security risk and demand that the HTML be masked again. The dynamic assignment of the HTML to a field symbol is used to bypass the false positive raised by the security check.
METHOD if_http_extension~handle_request.
  "Handler method of the HTTP extension interface (method header added for completeness)
  DATA(html) = cl_demo_html_provider=>get( ).
  "XSS is prevented in cl_demo_html_provider
  "Dynamic ASSIGN through a literal name only hides the data flow from the check
  DATA(html_name) = `HTML`.
  ASSIGN (html_name) TO FIELD-SYMBOL(<html>).
  server->response->set_cdata( data = <html> ).
ENDMETHOD.
The correct form of the HTTP request handler would be:
METHOD if_http_extension~handle_request.
  "Handler method of the HTTP extension interface (method header added for completeness)
  DATA(html) = cl_demo_html_provider=>get( ).
  "XSS is prevented in cl_demo_html_provider
  server->response->set_cdata( data = html ).
ENDMETHOD.
If the security check raises a false positive, either an exemption or an improvement to the check should be requested.
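Both examples above share one detectable pattern: a field name that is a constant string literal is nevertheless resolved dynamically with ASSIGN (var). The following Python script is an added illustration of how a simple static check for that pattern could look; it is not part of the ABAP documentation or of SAP's own checks, and the ABAP source it scans is constructed for the example (including a genuinely dynamic case that must not be flagged).

```python
import re

# Constructed sample ABAP source (not from SAP) combining the page's two
# patterns plus one genuinely dynamic case that should not be flagged.
SAMPLE_ABAP = """\
DATA(field) = `SY-UNAME`.
ASSIGN (field) TO FIELD-SYMBOL(<field>).
IF <field> = `SOMEUSER`.
ENDIF.
DATA(html) = cl_demo_html_provider=>get( ).
" XSS is prevented in cl_demo_html_provider
DATA(html_name) = `HTML`.
ASSIGN (html_name) TO FIELD-SYMBOL(<html>).
server->response->set_cdata( data = <html> ).
DATA(name) = read_field_name_from_customizing( ).
ASSIGN (name) TO FIELD-SYMBOL(<dyn>).
"""

# DATA(var) = `literal`.  or  DATA(var) = 'literal'.
LITERAL_DECL = re.compile(r"^\s*DATA\((\w+)\)\s*=\s*[`'](.*?)[`']\s*\.", re.I)
# var = <expression>.  (a later reassignment changes what var holds)
REASSIGN = re.compile(r"^\s*(\w+)\s*=\s*(.*)\.\s*$", re.I)
# ASSIGN (var) TO ... : dynamic access through a name held in var
DYNAMIC_ASSIGN = re.compile(r"^\s*ASSIGN\s*\((\w+)\)\s*TO\b", re.I)


def find_obscured_assigns(source):
    """Flag ASSIGN (var) statements where var only ever held a string literal,
    i.e. the access could have been written statically and is obscured.
    Returns a list of dicts; user_dependent marks names in the SY- area."""
    literals = {}   # variable name -> literal it currently holds
    findings = []
    for no, line in enumerate(source.splitlines(), 1):
        if line.lstrip().startswith(('"', '*')):   # ABAP comment line
            continue
        m = LITERAL_DECL.match(line)
        if m:
            literals[m.group(1).lower()] = m.group(2)
            continue
        m = DYNAMIC_ASSIGN.match(line)
        if m:
            var = m.group(1).lower()
            if var in literals:
                target = literals[var]
                findings.append({"line": no, "variable": var, "target": target,
                                 "user_dependent": target.upper().startswith("SY-")})
            continue
        m = REASSIGN.match(line)
        if m:
            lit = re.fullmatch(r"[`'](.*?)[`']", m.group(2).strip())
            if lit:
                literals[m.group(1).lower()] = lit.group(1)
            else:
                literals.pop(m.group(1).lower(), None)   # now truly dynamic
    return findings
```

A finding with user_dependent set deserves the closer look the text recommends, since a constant name in the SY- area is the signature of the first example.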