Web services play a key role on the SAP NetWeaver platform in enabling application components to be offered as services. The flexibility and richness that Web services bring to integrating disparate applications, SAP or non-SAP, also increase the potential for security breaches and information leaks. An integral part of rolling out and managing a SAP NetWeaver-based Web service is understanding the risk posture of the exposed service, and it is through vulnerability assessment of Web services that such a risk posture assessment can be made. This vulnerability evaluation has become an essential task for SAP Security Managers.
Before investigating what it means to perform vulnerability assessment on SAP Web services, we need to understand the SAP NetWeaver technology platform and its Web services offering. SAP NetWeaver is a technology platform that drives the Enterprise Services Architecture (ESA), a blueprint for how applications are offered as services. SAP NetWeaver is a comprehensive integration and application platform and is the foundation for all SAP solutions. The two key layers that are Web services-aware in the SAP NetWeaver stack are the application platform and the process integration. The other layers are also Web services aware, but the application platform and process integration play the most significant role in facilitating the SAP application integration based on Web services.
The Web services-aware SAP Web Application Server (SAP Web AS), based on the Java 2 platform Enterprise Edition (J2EE), drives the application platform layer. ABAP developers can develop ABAP (Advanced Business Application Programming) code and wrap custom business functionality in a BAPI call (Business Application Programming Interface). BAPI calls, both custom and pre-canned, are then readily exposed as Web services from the application platform layer. This flexibility provides rapid integration of core SAP functionality with other applications and external trading partner systems.
The process integration layer is the SAP NetWeaver Exchange Infrastructure (SAP NetWeaver XI), an integration broker based on open standards such as Extensible Markup Language (XML) that enables various SAP applications or components to be stitched together. SAP NetWeaver XI can be used to make SAP applications Web services-aware: even if an SAP application lacks native Web services capability, SAP XI can act as a proxy in front of the legacy application. Clients of the legacy application invoke a Web service call against the SAP NetWeaver XI proxy, which in turn makes a native call to the SAP application through a native adapter.
Detecting security flaws
Now that we understand some of the SAP components that harness Web services, it is necessary to understand what it means to perform vulnerability assessment on Web services. Web services security vulnerabilities can be categorized into vendor vulnerabilities and customer vulnerabilities.
Vendor vulnerabilities relate to security flaws in a specific vendor's component exposed as a Web service. An XML parser, used to parse SOAP/XML (Simple Object Access Protocol / Extensible Markup Language) messages, is a prime example of such a component: it can be susceptible to a buffer overflow attack, causing an XML denial of service or simply a disruption of the Web service.
Customer application vulnerabilities are security flaws that appear in Web service applications because of programming flaws in the business logic. Loosely defined XSD (XML Schema Definition) schemas that expose the structure of Web service applications contain a wealth of information about how a service will consume an incoming request. Malformed inputs directed specifically at the data formats and input parameters can expose application vulnerabilities, and such exposures can lead to disruption of Web services or leakage of sensitive data. Weak access control and non-standards-based authentication schemes are further areas of exposure that can result in application vulnerabilities.
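A defender's first check against the loosely defined schemas described above is to find the elements that place no bound on what a client may send. The following is an added example, not from the article and not SAP tooling: it scans a constructed XSD (assumed here, not a real SAP service schema) with the Python standard library and reports elements typed as a bare string, restrictions without a length or pattern facet, and unbounded repetition.

```python
import xml.etree.ElementTree as ET

XS = "{http://www.w3.org/2001/XMLSchema}"

# Constructed sample schema (not from any real SAP service). CustomerId and
# Comment are loosely typed; CountryCode carries explicit length and pattern facets.
SAMPLE_XSD = """<?xml version="1.0"?>
<xs:schema xmlns:xs="http://www.w3.org/2001/XMLSchema">
  <xs:element name="GetCustomerRequest">
    <xs:complexType>
      <xs:sequence>
        <xs:element name="CustomerId" type="xs:string"/>
        <xs:element name="Comment" type="xs:string" maxOccurs="unbounded"/>
        <xs:element name="CountryCode">
          <xs:simpleType>
            <xs:restriction base="xs:string">
              <xs:maxLength value="2"/>
              <xs:pattern value="[A-Z]{2}"/>
            </xs:restriction>
          </xs:simpleType>
        </xs:element>
      </xs:sequence>
    </xs:complexType>
  </xs:element>
</xs:schema>"""

BOUNDING_FACETS = {"maxLength", "length", "pattern", "enumeration"}

def find_loose_elements(xsd_text):
    """Return (element name, reason) pairs for elements with no bound on their input."""
    root = ET.fromstring(xsd_text)
    findings = []
    for el in root.iter(XS + "element"):
        name = el.get("name")
        if name is None:          # <xs:element ref="..."/> carries no definition here
            continue
        reasons = []
        type_attr = el.get("type") or ""
        if type_attr.endswith(":string"):   # prefix-agnostic: xs:string, xsd:string
            reasons.append("bare string type without restriction")
        # only this element's own anonymous restriction, not those of nested elements
        restriction = el.find(f"{XS}simpleType/{XS}restriction")
        if restriction is not None:
            facets = {child.tag.replace(XS, "") for child in restriction}
            if not facets & BOUNDING_FACETS:
                reasons.append("restriction carries no length/pattern facet")
        if el.get("maxOccurs") == "unbounded":
            reasons.append("maxOccurs=unbounded allows unlimited repetition")
        findings.extend((name, r) for r in reasons)
    return findings
```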
The threat of Web services in the SAP NetWeaver environment being disrupted by malicious client applications is highly unlikely for several reasons.
- In the SAP NetWeaver environment Web services are tightly coupled with identity management solutions that mitigate the risk of a rogue application trying to disrupt services in a B2B environment.
- Web services based on SAP NetWeaver are running on a J2EE platform that further mitigates the risk of Buffer Overflow type attacks since Java Virtual Machines (JVMs) have tight memory bounds checking to prevent these types of security flaws.
- The notion of a malicious user or hacker in a B2B environment trying to disrupt a Web service is more myth than reality. In today's competitive economic environment, a user will not disrupt a Web service for notoriety but rather make an effort to steal sensitive information via a Web service.
Strong access control is essential
So where, then, is the threat to Web services-enabled applications in the SAP NetWeaver environment? The threat primarily emanates from trading partners or consumers of Web services in the form of privileged path exploitation. A consumer of a Web service can be a trusted application with strong credentials, such as a Secure Sockets Layer (SSL) client certificate or SAP Logon Tickets, yet through that consumer application it is possible to abuse those credentials to access resources it is not authorized to access. Such exposures are a consequence of weak access control and can result in leakage of sensitive data from an improperly protected Web service's WSDL (Web Services Definition Language). This problem becomes acute when the SAP NetWeaver platform integrates disparate applications within a large enterprise and with its external trading partners.
As Web services become the mainstay of SAP NetWeaver, it is imperative for the SAP Security Manager to mitigate the risk of exploitation in Web services-enabled applications by performing automated vulnerability assessment. One important goal of the vulnerability assessment should be to ensure that all access control policies are thoroughly tested for each published SAP NetWeaver-based Web service operation. This requires the SAP Security Manager to test all the WSDLs produced by the SAP NetWeaver, SAP NetWeaver XI, J2EE, or ABAP components, iterating through each WSDL operation to ensure proper controls are in place.
Web services support numerous identities, and an SAP Security Manager can suffer from identity fatigue if there is no automated plan to test the various identities across the SAP NetWeaver platform. The Security Manager should focus on both positive and negative testing of identities: confirming that authorized identities succeed and that unauthorized ones are rejected.
Comprehensive security testing needs automated processes
Another goal of the vulnerability assessment is testing all facets of the XML schema published to clients. This requires the SAP Security Manager to auto-generate comprehensive attack vectors derived from the XML schema. Such tests provide visibility into leakage of sensitive data from mishandled error conditions at the application layer. Analysing the response data from multiple SAP NetWeaver XI, Web services, J2EE, or ABAP components requires an automatic filtering process to reduce false positives and false negatives.
Finally, a vulnerability assessment should include risk assessment and risk remediation. This involves producing summary reports that indicate the various forms of vulnerabilities discovered during the testing period and categorizing them by severity level. The summary report should recommend fixes and risk remediation steps, and identify where the Web services operations are exploitable. Such comprehensive testing across complex SAP deployments cannot be achieved manually; only through automated processes and tools is a detailed and accurate security assessment of an enterprise SAP deployment possible.
A responsible SAP Security Manager must deploy comprehensive testing of the various SAP NetWeaver-based Web services to ensure the reliability and robustness of the SAP applications in a large enterprise.