
SQL Injection in ABAP


SAP ABAP Open SQL is a set of ABAP statements that perform operations on the database independently of the underlying database system. Open SQL also allows parts of a statement (the field list, the table name or the WHERE condition) to be supplied at runtime as character strings in parentheses. When such a string is assembled from untrusted input, the statement becomes vulnerable to SQL Injection.

Vulnerable example

The following snippet builds the WHERE condition of an Open SQL query from a value entered on the selection screen (table1, fieldlist and field are placeholders for a real database table, its column list and one of its columns):

PARAMETERS input TYPE c LENGTH 40.              " user-supplied value (string is not allowed for PARAMETERS)

DATA result TYPE STANDARD TABLE OF table1.      " TABLE1: placeholder for a real database table

" The WHERE condition is assembled by concatenating the raw input into the SQL text (vulnerable)
DATA(sql_cond) = `field = '` && input && `'`.

SELECT fieldlist
  FROM table1
  INTO CORRESPONDING FIELDS OF TABLE @result
  WHERE (sql_cond).

Because the condition is built by concatenating the user-provided input into the query text, an attacker can alter the logic of the query, for example to return all records of the table.

For example, by injecting ' OR 1=1 in the input parameter, the query becomes:

SELECT fieldlist FROM table1 WHERE field = '' OR 1=1

The manipulated query matches every row whose field is empty or for which 1 equals 1; since the second condition always holds, every record in the table is returned. More complex attacks can be mounted in the same way, such as reading other tables through a UNION clause.

Prevention

The following controls help prevent SQL injection in Open SQL:

  • Refactor your code to avoid dynamically generated statements: use static Open SQL and pass user input through host variables (for example WHERE field = @input), so the value is bound as data rather than parsed as part of the SQL text.
  • If dynamic tokens are unavoidable, allow only a restricted set of characters in names (e.g., letters, digits and underscore) and quote every dynamic value with the QUOTE or QUOTE_STR method of class CL_ABAP_DYN_PRG, which encloses the value in single quotes and doubles any single quote it contains.
  • Configure error reporting so that database errors and the failing statement are logged internally but never shown to the user.
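The two approaches above, written out as an added example (this is not code from the original page or from SAP). TABLE1 and FIELD are placeholders for a real database table and one of its columns; the input validation uses CL_ABAP_DYN_PRG=>CHECK_WHITELIST_STR, which is assumed here to raise CX_ABAP_NOT_IN_WHITELIST when the value contains a character outside the allowed set.

```abap
REPORT zsqli_prevention.

" Added example, not from the original page. TABLE1 / FIELD are placeholders
" for a real database table and column; replace them in your own system.
PARAMETERS p_input TYPE c LENGTH 40.   " value supplied by the user
PARAMETERS p_col   TYPE c LENGTH 30.   " column name chosen by the user

DATA result TYPE STANDARD TABLE OF table1.

" 1. Preferred fix: a static statement with a host variable. The input is
"    bound as data by the database interface and is never parsed as SQL text,
"    so  ' OR 1=1  simply compares FIELD with that literal value.
SELECT * FROM table1
  INTO TABLE @result
  WHERE field = @p_input.

" 2. Genuinely dynamic condition (the column is chosen at runtime). Every
"    dynamic part is either validated against an allowlist or quoted;
"    nothing from the user is concatenated raw.
DATA(column) = to_upper( CONV string( p_col ) ).

TRY.
    " Assumption: CHECK_WHITELIST_STR raises CX_ABAP_NOT_IN_WHITELIST when VAL
    " contains a character that does not occur in WHITELIST.
    cl_abap_dyn_prg=>check_whitelist_str(
      val       = column
      whitelist = `ABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789_` ).

    " QUOTE_STR encloses the value in single quotes and doubles every quote
    " inside it, so  ' OR 1=1  becomes the harmless literal  ''' OR 1=1'.
    DATA(sql_cond) = column && ` = `
                  && cl_abap_dyn_prg=>quote_str( val = CONV string( p_input ) ).

    SELECT * FROM table1
      INTO TABLE @result
      WHERE (sql_cond).

  CATCH cx_abap_not_in_whitelist.
    " Reject the request; do not echo any database error text to the user.
    MESSAGE 'Invalid column name' TYPE 'E'.
ENDTRY.
```

The character allowlist only guarantees that the column token cannot carry SQL syntax; if the set of columns a user may filter on is known, comparing the name against that exact list is stricter and also prevents querying columns the user should not see.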

References

CWE - CWE-89: Improper Neutralization of Special Elements used in an SQL Command

OWASP - SQL Injection

OWASP - SQL Injection Prevention Cheat Sheet

SAP Secure Programming - SQL Injection