ABENXSS_SCRTY - XSS SCRTY

This documentation is copyright by SAP AG.

Cross Site Scripting

Cross site scripting (XSS) is a way of attacking a Web server through a Web application, for example by means of a manipulated HTML page displayed in a browser. Cross site scripting is a wide-ranging topic that cannot be covered in full here, and ABAP application developers are not usually concerned with creating Web pages directly. These pages are normally wrapped in frameworks such as SAPUI5, Web Dynpro or Web Services, and these frameworks are responsible for the necessary security.

An ABAP program is itself responsible for security only in the very rare cases where it is not part of one of these frameworks and generates HTML pages itself, for example directly through the Internet Communication Framework (transaction SICF). In these cases, the built-in function escape is the usual means of escaping output. Other escape methods, such as those of the classes CL_HTTP_UTILITY, CL_HTTP_SERVER, and CL_HTTP_CLIENT, are obsolete and should no longer be used.

Note

Business Server Pages (BSP) are an exception to the rule above: when creating Business Server Pages, ABAP application developers can also be faced with HTML pages and must take the appropriate security precautions. More specifically, the attribute <htmlb:content forceEncode="ENABLED"> must be set in the HTMLB Library, and obsolete values such as CLASSIC or DESIGN2002 can no longer be specified in the attribute design.

  • The example String Functions, escape for XSS demonstrates the simple cross site scripting that becomes possible when unescaped input is used on a generated HTML page.
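As an added illustration, not part of SAP's documentation or of the example program referenced above, the following ICF handler class generates an HTML page itself and uses the built-in function escape with a separate format for each output context; the class name zcl_xss_demo_handler and the query parameter name are assumptions.

```abap
" Assumed class name; registered as the handler of an ICF node (transaction SICF).
CLASS zcl_xss_demo_handler DEFINITION PUBLIC FINAL CREATE PUBLIC.
  PUBLIC SECTION.
    INTERFACES if_http_extension.
ENDCLASS.

CLASS zcl_xss_demo_handler IMPLEMENTATION.
  METHOD if_http_extension~handle_request.
    " Untrusted input: a query parameter (assumed name) chosen by the caller.
    DATA(lv_name) = server->request->get_form_field( 'name' ).

    " Vulnerable form: the raw value flows straight into the page.
    " DATA(lv_html) = |<p>Hello, { lv_name }</p>|.

    " Hardened form: escape once per target context, since HTML text,
    " HTML attributes and JavaScript literals each need different escaping.
    DATA(lv_text) = escape( val = lv_name format = cl_abap_format=>e_html_text ).
    DATA(lv_attr) = escape( val = lv_name format = cl_abap_format=>e_html_attr ).
    DATA(lv_js)   = escape( val = lv_name format = cl_abap_format=>e_html_js ).

    DATA(lv_html) = |<!DOCTYPE html><html><body>|
      && |<p>Hello, { lv_text }</p>|                    " element content
      && |<input type="text" value="{ lv_attr }">|      " attribute value
      && |<script>var user = '{ lv_js }';</script>|     " JavaScript string literal
      && |</body></html>|.

    " Declare the charset explicitly so the browser cannot reinterpret the bytes.
    server->response->set_header_field( name  = 'Content-Type'
                                        value = 'text/html; charset=utf-8' ).
    server->response->set_cdata( data = lv_html ).
  ENDMETHOD.
ENDCLASS.
```

Using one format for all three positions would leave at least one of them unprotected, which is why the escaped value is computed per context rather than once.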
