XSS in SAP based web applications

When you think about SAP, most of you surely think of a GUI-client-based black box. But SAP is moving more and more of its applications to browser-based web applications.

There are several of these by now: Web Dynpro, which was introduced with SAP NetWeaver, SAP Solution Manager and others.

All of them have regular patch cycles and are maintained by SAP, but issues remain. For example, I discovered that the Solution Manager IT Service Management application does not properly sanitize SVG attachments that can be added to tickets there.

An SVG containing more JavaScript than just the graphical part, uploaded to an SAP Solution Manager incident or service request, can be used for XSS from there. Other portal solutions strip malicious parts from an SVG during upload; SAP SolMan does not. SAP accepted my report and assigned CVE-2018-2405.
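To illustrate the upload-time check that is missing here, an added example (not SAP's or this author's code): a minimal server-side filter that parses an SVG attachment and reports the constructs that turn an image into an XSS vector. The two sample SVGs are constructed for the demonstration, and the helper names are assumptions.

```python
# Added example, not SAP's code: upload-time check for SVG attachments.
# Parses the SVG with a namespace-aware XML parser and reports the
# constructs that make an image executable: script and foreignObject
# elements, on* event-handler attributes and javascript: URLs.
# For untrusted input in production, parse with defusedxml instead.
import xml.etree.ElementTree as ET

ACTIVE_ELEMENTS = {"script", "foreignObject"}
URL_ATTRS = {"href", "src"}  # matches plain href and {xlink-ns}href


def _local(name: str) -> str:
    """Strip the {namespace} prefix ElementTree puts on tags and attributes."""
    return name.rsplit("}", 1)[-1]


def find_active_content(svg_bytes: bytes) -> list[str]:
    """Return one finding per active construct; an empty list means passive."""
    try:
        root = ET.fromstring(svg_bytes)
    except ET.ParseError as exc:
        return [f"not well-formed XML: {exc}"]
    findings = []
    for elem in root.iter():
        tag = _local(elem.tag)
        if tag in ACTIVE_ELEMENTS:
            findings.append(f"<{tag}> element")
        for attr, value in elem.attrib.items():
            name = _local(attr)
            # Entities are already decoded by the parser; drop whitespace so
            # split-up schemes do not slip past the prefix check.
            url = "".join(value.split()).lower()
            if name.lower().startswith("on"):
                findings.append(f"event handler {name} on <{tag}>")
            elif name in URL_ATTRS and url.startswith("javascript:"):
                findings.append(f"javascript: URL in {name} on <{tag}>")
    return findings


def is_safe_svg(svg_bytes: bytes) -> bool:
    """Accept the attachment only if no active content was found."""
    return not find_active_content(svg_bytes)


# Constructed samples: a plain icon, and one carrying script in three places.
BENIGN_SVG = (b'<svg xmlns="http://www.w3.org/2000/svg" width="10" height="10">'
              b'<circle cx="5" cy="5" r="4" fill="red"/></svg>')
ACTIVE_SVG = (b'<svg xmlns="http://www.w3.org/2000/svg" '
              b'xmlns:xlink="http://www.w3.org/1999/xlink" onload="run()">'
              b'<script>run()</script>'
              b'<a xlink:href="javascript:run()"><text>x</text></a></svg>')

if __name__ == "__main__":
    for label, blob in (("benign", BENIGN_SVG), ("active", ACTIVE_SVG)):
        print(label, "OK" if is_safe_svg(blob) else find_active_content(blob))
```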

On the other hand, there are so-called “Z” transactions in SAP, which are custom or customized applications. These applications can usually be identified as such by their prefix.

Example: https://somepage.some/sap/bc/bsp/sap/z_somename/somesite.htm

You can easily search for such transactions by googling for “inurl:bc/bsp/sap/z”, for example, and check them for vulnerabilities.

In reports OBB-533355 and OBB-533359 I found two “Z” transactions vulnerable to XSS, but there are surely many more out in the wild.