Skip to content
sql injection vulnerability

SQL Injection vulnerability in ABAP/4

Ivan Mans
CTO
February 8, 2023
4 min read
Chapters

Share Article

One sort of security flaw known as SQL Injection is present in many software programs, including those created in ABAP/4. This article is part of a series that aims to explain individual vulnerability types commonly addressed by SAP Security Notes.  

Today’s topic, however, is the SQL Injection vulnerability. This is one of the most frequent issues that SAP security experts encounter, and it is essential to understand the underlying mechanisms and ways to prevent such attacks. In this article, we will describe SQL Injection, how it works, and what measures can help prevent it. 

What is SQL Injection?

SQL Injection is an attack type that exploits vulnerabilities in the application layer targeting to reach information hosted in the database. The attacker injects malicious code into the SQL statements in the application, i.e., via the SAP GUI selection screen or any Fiori application, which the database executes. The malicious code can alter the application’s intended behavior, allowing unauthorized access to sensitive data or modifying the database itself.

How does SQL Injection work?

SQL Injection exploits the vulnerabilities in the application’s handling of user-supplied data. For example, an application that takes user input and uses it in an SQL statement without properly sanitizing it could be vulnerable to SQL Injection. The attacker could then supply malicious input executed by the database as part of the SQL statement.

Here is an example:

Imagine a simple ABAP/4 program that allows an end-user to search for customer records based on their last name. The program takes the user input, connects it with the SQL statement, and executes the query.

data: lv_last_name type string,
lt_customers type table of customers.

* get user input for last name
lv_last_name = request->get_form_field( ‘last_name’ ).

* build the SQL statement
select * from customers into table lt_customers
where last_name = lv_last_name.

* execute the query
execute.

However, the program does not properly validate or sanitize the user input, and it is possible for an attacker to inject malicious code into the SQL statement. For example, an attacker could supply the following input for the last name:

‘ OR ‘1’=’1

This would modify the SQL statement to the following:

select * from customers into table lt_customers

where last_name = ” OR ‘1’=’1′.

This modified statement would return all the records in the customer’s table, allowing the attacker to access sensitive information.

To avoid such an attack, the program must validate and sanitize user input before using it in the SQL statement. Additionally, using prepared statements and parameter binding can further reduce the risk of a successful attack.

How to prevent SQL Injection vulnerabilities?

To prevent SQL Injection, you can take several measures. Besides the pure prevention measures, it is crucial to outline that finding all vulnerable coding snippets may be the biggest challenge for SAP customers. The SAP standard does come with the so-called ABAP Test Cockpit (ATC), which supports ABAP/4 code scan. However, it lacks the functionality to scan for SQL Injection vulnerabilities along with other security flaws in the code. 

Once identified, correcting it is simple as it includes proper input validation, sanitization, the use of prepared statements, and database-level access controls implementation. When it comes to the SAP standard codebase, it is for the manufacturer to correct. Here it is essential to keep SAP software and SAP security patches up to date to address known vulnerabilities. 

Which products can help?

The SAP ATC delivered by default cannot detect security-related code vulnerabilities. SAP offers the SAP Code Vulnerability Scan, a commercial product, to address this issue. However, it operates as a standalone solution without integration with threat detection or vulnerability and risk assessment tools. On the other hand, the SecurityBridge Platform offers an advanced Code Vulnerability Scanner that extends the coverage of the ATC test by incorporating desired security checks. The SecurityBridge Platform provides all capabilities for a holistic cybersecurity strategy for SAP.

Conclusion

SQL Injection is a critical issue that can lead to significant security breaches in ABAP/4 applications. We’d like to help you better understand how it works and take the necessary measures to prevent it. Organizations can reduce the risk of a successful attack and protect their sensitive data only if they understand their risk situation. A recommendation to read is our recent article explaining the Cyber Risk Appetite. It is essential to stay vigilant and keep up-to-date with security best practices to ensure your critical assets are protected.