
ABAP Keyword Documentation →  ABAP - Security Notes →  Further Security Risks 

Obscuring ABAP Source Code

ABAP source code is obscured when a task that could be performed directly is instead routed through detours that hide its real purpose. One common form of obscured code is the use of dynamic programming techniques to specify information that could have been specified statically, for example naming a field by a string literal and accessing it through a dynamic ASSIGN. Code is obscured for one of the following reasons:

  • Obscured code that is not malicious in itself is often used to bypass static checks, for example to suppress false positives.
  • Code is obscured with malicious intent to disguise back doors and other attacks based on injections.

In general, any type of obscured code presents a security risk, because it hides from both reviewers and tools what the program actually does. Instead of bypassing static checks with obscured code, false positives should be handled by other means, such as exemptions. Obscured code can often only be detected by a code inspection under the four-eyes principle (dual control).



Example

Maliciously obscured code that makes the program flow depend on the current user. The name of the system field sy-uname appears only as a string literal and is resolved at runtime by a dynamic ASSIGN, so a static scan for comparisons with sy-uname does not see the dependency; such code can generally only be detected using code inspections.

" The sensitive system field is named only by a string literal
DATA(field)  = `SY-UNAME`.
" The dynamic ASSIGN resolves the name at runtime; the field symbol
" now points to sy-uname without sy-uname appearing in a comparison
ASSIGN (field) TO FIELD-SYMBOL(<field>).
...
" Branch that is taken only for a particular user name
IF <field> = `...`.
  ...
ENDIF.
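The following scanner is an added example, not part of the SAP documentation, that shows concretely why the pattern above defeats a simple static check. It runs over two constructed ABAP snippets modelled on the example: a grep-style check that looks for sy-uname in condition statements finds the direct form but not the obscured one, while a check that additionally tracks string literals fed into dynamic ASSIGN statements resolves the field symbol back to sy-uname. Both snippets and the regular expressions are simplifications written for this illustration and do not parse general ABAP.

```python
"""Toy static checks for user-dependent control flow in ABAP source.

Added example, not SAP code: illustrates how a dynamic ASSIGN with a
literal field name hides a sy-uname comparison from a naive scan, and
what a scan must do to recover it. The sample sources are constructed.
"""
import re

# Constructed sample: the direct, easily greppable form.
DIRECT_SOURCE = """
IF sy-uname = 'SOMEUSER'.
  PERFORM hidden_logic.
ENDIF.
""".strip()

# Constructed sample: the obscured form from the documentation, plus an
# unrelated dynamic ASSIGN (sy-datum) that must not be flagged.
OBSCURED_SOURCE = """
DATA(field) = `SY-UNAME`.
ASSIGN (field) TO FIELD-SYMBOL(<field>).
DATA(other) = `SY-DATUM`.
ASSIGN (other) TO FIELD-SYMBOL(<other>).
IF <field> = 'SOMEUSER'.
  PERFORM hidden_logic.
ENDIF.
IF <other> = '20240101'.
  PERFORM daily_job.
ENDIF.
""".strip()

# Names whose use in a condition makes the program flow user dependent.
SENSITIVE = {"sy-uname"}

CONDITION = re.compile(r"^\s*(IF|ELSEIF|CHECK|WHILE|CASE)\b", re.I)
# DATA(name) = `literal`.  or  name = 'literal'.
LITERAL_ASSIGNMENT = re.compile(
    r"^\s*(?:DATA\((\w+)\)|(\w+))\s*=\s*[`'](.+?)[`']\s*\.", re.I)
# ASSIGN (name) TO FIELD-SYMBOL(<fs>).  or  ASSIGN (name) TO <fs>.
DYNAMIC_ASSIGN = re.compile(
    r"^\s*ASSIGN\s+\((\w+)\)\s+TO\s+(?:FIELD-SYMBOL\()?(<\w+>)\)?", re.I)
TOKEN = re.compile(r"<\w+>|[\w-]+")


def naive_findings(source):
    """Flag condition statements that mention sy-uname literally.

    Returns a list of (line number, resolved field name).
    """
    hits = []
    for no, line in enumerate(source.splitlines(), 1):
        if CONDITION.match(line) and re.search(r"\bsy-uname\b", line, re.I):
            hits.append((no, "sy-uname"))
    return hits


def resolved_findings(source):
    """Flag conditions on sy-uname even when reached via a dynamic ASSIGN.

    Tracks string literals assigned to variables and, when such a variable
    is used as the name in ASSIGN (var) TO <fs>, records <fs> as an alias
    of the named field. Only literal names are resolved: a name assembled
    at runtime is out of reach of this (and of most static) analysis.
    """
    literals = {}   # variable name -> literal string assigned to it
    aliases = {}    # field symbol -> field it was dynamically assigned to
    hits = []
    for no, line in enumerate(source.splitlines(), 1):
        m = LITERAL_ASSIGNMENT.match(line)
        if m:
            name = (m.group(1) or m.group(2)).lower()
            literals[name] = m.group(3).lower()
            continue
        m = DYNAMIC_ASSIGN.match(line)
        if m:
            target = literals.get(m.group(1).lower())
            if target is not None:
                aliases[m.group(2).lower()] = target
            continue
        if CONDITION.match(line):
            for tok in TOKEN.findall(line):
                resolved = aliases.get(tok.lower(), tok.lower())
                if resolved in SENSITIVE:
                    hits.append((no, resolved))
    return hits


if __name__ == "__main__":
    for label, src in (("direct", DIRECT_SOURCE), ("obscured", OBSCURED_SOURCE)):
        print(label, "naive:", naive_findings(src),
              "resolved:", resolved_findings(src))
```

The resolving check catches the exact form shown on this page because the field name is a compile-time literal. As soon as the name is concatenated at runtime, read from a database table or passed in as a parameter, neither check sees the dependency any more, which is why the documentation treats code inspection as the only generally reliable detection method.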


Example

Code obscured without malicious intent. In an HTTP request handler, an HTML document is created by calling a method in which potential cross site scripting (XSS) has already been prevented. A static security check that does not look into the called method can nevertheless classify the output as a security risk and demand that the HTML be escaped again. The dynamic assignment of the HTML to a field symbol is used only to bypass this false positive: the check loses track of the data flow and no longer reports it, while the data itself is unchanged.

METHOD if_http_extension~handle_request.
  DATA(html) = cl_demo_html_provider=>get( ).
  "XSS is prevented in cl_demo_html_provider
  " Detour: the local variable is accessed through a dynamic ASSIGN so
  " that the static check no longer sees it reaching the response
  DATA(html_name) = `HTML`.
  ASSIGN (html_name) TO FIELD-SYMBOL(<html>).
  server->response->set_cdata( data = <html> ).
ENDMETHOD.

The correct form of the HTTP request handler passes the HTML directly:

METHOD if_http_extension~handle_request.
  DATA(html) = cl_demo_html_provider=>get( ).
  "XSS is prevented in cl_demo_html_provider
  server->response->set_cdata( data = html ).
ENDMETHOD.

If the security check raises a false positive, either an exemption for the finding or an improvement to the check should be requested, rather than rewriting the code to hide the data flow from the check.