2. SAPUI5 framework
3. Security vulnerabilities in SAPUI5 framework
4. Vulnerable SAPUI5 frontend application
App.view.xml contains elements that will be visible on the web page. In this case we have input textbox and submit button.
App.controller.js is a main application controller which will contain the program code and the application logic.
index.html file where the content will be displayed.
When we run our vulnerable SAPUI5 application, the web visitor will be presented with the following web page. As we can see, the vulnerable application is asking a user to input his username in the input box and click on submit button ‘Say Hello’ to process it.
When we enter DefenseCode as a user input we will get a response shown below.
5. Security vulnerabilities present in our vulnerable SAPUI5 application
Our vulnerable SAPUI5 application consists of two common security vulnerabilities, DOM Based Cross Site Scripting and Code Injection vulnerabilities. Let’s take a brief look into these security vulnerabilities.
- DOM Based Cross Site Scripting security vulnerability as described on OWASP web page: “DOM Based XSS (or as it is called in some texts, “type-0 XSS”) is an XSS attack wherein the attack payload is executed as a result of modifying the DOM “environment” in the victim’s browser used by the original client side script, so that the client side code runs in an “unexpected” manner. That is, the page itself (the HTTP response that is) does not change, but the client side code contained in the page executes differently due to the malicious modifications that have occurred in the DOM environment.” Basically, an attacker is able to modify DOM structure, so he is able to modify the look of web page or even execute arbitrary code within its context.
- Code Injection security vulnerability as described on OWASP web page: “Code Injection is the general term for attack types which consist of injecting code that is then interpreted/executed by the application. This type of attack exploits poor handling of untrusted data. These types of attacks are usually made possible due to a lack of proper input/output data validation“.
To identify security vulnerabilities in our SAPUI5 vulnerable application we will demonstrate the usage of DefenseCode ThunderScan® SAST solution in order to identify security vulnerabilities and their details. First, we need to login into the DefenseCode ThunderScan® SAST main interface.
Once we are logged in with valid credentials, we will initiate a new scan on our vulnerable SAPUI5 application. To select a source code target, we have multiple options, we can upload the source code in a ZIP archive, alternatively select GIT, SVN, TFVC or S3 repository where the source code is located, or select the local directory on the hard drive (which is disabled in ThunderScan configuration by default but can be changed). For this demonstration we will upload the source code as a ZIP archive.
6. DOM Based Cross Site Scripting Vulnerability
Let’s first examine the details of the previously discovered DOM Based Cross Site Scripting vulnerability. On the picture below we can see the details of DOM Based Cross Site Scripting under the CWE entry 79. We can see a vulnerable document.write() sink method that reflects user input directly in the web page DOM structure from the user input textbox retrieved from getValue() method from our vulnerable SAPUI5 application.
If we scroll down the right part of the window we can see the details about vulnerable project file and details about the specific vulnerability along with the vulnerability description, security compliance standards violation and mitigation recommendations.
We can further inspect the vulnerability in the ThunderScan® user interface down to the vulnerable source code line in the file app.controller.js. As we can see, highlighted line 8 contains vulnerable document.write() method sink where user input from the textbox is reflected directly on the web page.
We can further examine the user input and functions data flow to identify related variables and functions involved in the manifestation of the DOM Based Cross Site Scripting vulnerability, as presented on the picture below. As we can see on the screenshot, user input flow is starting from textbox getValue() method, gets copied into the variable user and later passed as an argument to the vulnerable document.write() sink method.
We can now try to exploit our SAPUI5 application vulnerable to the now verified DOM Based Cross Site Scripting by injecting some test HTML code into it.
To prevent DOM Based Cross Site Scripting vulnerability in the previously presented vulnerable application, user input should be escaped with (for example) jQuery.sap.escapeHTML() method. In that case, secure version of embedding the user input in the DOM would be: document.write (“User name is: ” + jQuery.sap.escapeHTML(user));
Another very common way to introduce a DOM Based Cross Site Scripting vulnerability in the source code is through SAPUI5 rendering controls. Screenshot presented below is demonstrating another vulnerability discovered by DefenseCode ThunderScan SAST when a developer is using user input for dynamically constructing an <A HREF> link using sap.ui.core.RenderManager write() method. To prevent DOM Based Cross Site Scripting in the code below, developer should sanitize the user input with writeEscaped() or writeAttributeEscaped() SAPUI5 methods.
There are of course numerous ways to introduce DOM Based Cross Site Scripting vulnerabilities in SAPUI5 framework code. Two methods that should be used carefully on HTML elements are sap.ui.getCore.byId.setContent() and sap.ui.getCore.byId.setDOMContent().
7. Code Injection Vulnerability
One of the most dangerous and often a hackers favorite include Code Injection vulnerabilities. Code Injection vulnerability occurs when program code is evaluated (usually) in real-time and consisting of some user input embedded into the evaluated code, without a proper sanitization of user input. Our SAPUI5 vulnerable application has one Code Injection vulnerability by CWE 94 as identified by DefenseCode ThunderScan® SAST and presented below.
User input gets copied into user variable on program line 7 as presented on the data flow snippet below.
Later on, the very security failure of the developer of this application is appending the user input into the userhello variable where the user input is just stacked as the parameter of document.write() method that will be evaluated dynamically, as presented in the screenshot below on the line 9.
In the end, document.write() dynamically evaluated user-controlled code stored in userhello variable, on the line 10 of file app.controller.js as presented on the screenshot below.
As we can see, when our input is concatenated to the userhello variable, it will actually become like this:
var userhello = 'document.write("<br><br>Hello user " + alert("DefenseCode Code Injection") + "");
It is very important not to include parts of the user input from URL, Input boxes, HTTP Headers or any other source that an attacker can tamper with into the portion of the code that will be dynamically evaluated on the web page.