­
Securing SAP Systems from XSS vulnerabilities Part 4: Defense for SAP HANA XS - All Articles - CISO Platform

Today’s post is the last in the series of articles about XSS vulnerabilities in SAP systems. The previous parts describe how to prevent XSS in SAP NetWeaver ABAP and SAP NetWeaver J2EE.

XSS is one of the most popular vulnerabilities and its effect can range from a petty nuisance to a significant security risk, depending on the sensitivity of the data. In SAP products, 628 XSS vulnerabilities were discovered that is almost 22% of all vulnerabilities found in SAP in 12 years.

From the developer’s perspective

There are several rules of protecting SAP HANA using SAP UI5 framework.

  • Validation of typed control properties - SAPUI5 core validates the value of properties set by the application against the type of the property. This guarantees that an int is always an int, and a sap.ui.core/CSSSize is a string representing a CSS size and does not contain a script tag. This also applies to enumerations and control IDs. The control renderer can rely on this check when writing the HTML.
  • Escaping - use helper methods to escape the value of a string property that is written to the HTML:
    • Use writeEscaped(oControl.getSomeStringProperty()) instead of just write(...) for writing plainly to the HTML.
    • Use writeAttributeEscaped(“someHtmlProperty”, oControl.getSomeStringProperty()) instead of just writeAttribute(...) for writing attributes.
    • Use jQuery.sap.escapeHTML(oControl.getSomeStringProperty()) for string properties where none of the other two options is possible to escape the string and then process it further.

From the administrator’s perspective

The administrator has to set the following parameters to improve security:

  • sessiontimeout = 900. Enable session timeout to minimize potential attack window.
  • HttpOnly cookie is enabled by Default.

From incident response perspective

To be able to identify the real attack happened because of the XSS vulnerability and also from some other web-based vulnerabilities, it is recommended to configure the following parameters.

  • To monitor all HTTP(s) requests processed in a SAP HANA system, you can set up the internal Web Dispatcher to write a standardized HTTP log for each request. To configure the Web Dispatcher to log all HTTP(s) requests, you add the property icm/http/logging _ 0:
    • set LOGFILE value to path_to_file Securing SAP Systems from XSS Vulnerabilities
    • Sеt PREFIX value to “/”. If URL prefix=”/” (root directory), or empty which means that all HTTP requests will be logged. If prefix value equal “/Directory”, the server will log only requests which call “/Directory” directory and subsequent.
    • Set FILEWRAP value to off. Old log files will be saved for future analysis.
  • global _ auditing _ state = true. The following configuration parameter for auditing is stored in global.ini, in the section auditing configuration. This can help you to log additional information such as logon’s logoffs and database requests which can be relevant for investigating XSS Attacks. You can find this configuration in SAP HANA Administration Console –> Security HDB –> Auditing Status menu.
Votes: 0
E-mail me when people leave their comments –

You need to be a member of CISO Platform to add comments!

Join CISO Platform

Join The Community Discussion

CISO Platform

A global community of 5K+ Senior IT Security executives and 40K+ subscribers with the vision of meaningful collaboration, knowledge, and intelligence sharing to fight the growing cyber security threats.

Join CISO Community Share Your Knowledge (Post A Blog)
 

 

 

CISO Platform Talks : Security FireSide Chat With A Top CISO or equivalent (Monthly)

  • Description:

    CISO Platform Talks: Security Fireside Chat With a Top CISO

    Join us for the CISOPlatform Fireside Chat, a power-packed 30-minute virtual conversation where we bring together some of the brightest minds in cybersecurity to share strategic insights, real-world experiences, and emerging trends. This exclusive monthly session is designed for senior cybersecurity leaders looking to stay ahead in an ever-evolving landscape.

    We’ve had the privilege of…

  • Created by: Biswajit Banerjee
  • Tags: ciso, fireside chat

CISO Talk (Chennai Chapter) - AI Code Generation Risks: Balancing Innovation and Security

  • Description:

    We’re excited to invite you to an exclusive CISO Talk (Chennai Chapter) on “AI Code Generation Risks: Balancing Innovation and Security” featuring Ramkumar Dilli (Chief Information Officer, Myridius).

    In this session, we’ll explore how security leaders can navigate the risks of AI-generated code, implement secure development guardrails, and strike the right balance between innovation and security. AI…

  • Created by: Biswajit Banerjee
  • Tags: ciso talk

CISO MeetUp: Executive Cocktail Reception @ Black Hat USA , Las Vegas 2025

  • Description:

    We are excited to invite you to the CISO MeetUp: Executive Cocktail Reception if you are there at the Black Hat Conference USA, Las Vegas 2025. This event is organized by EC-Council & FireCompass with CISOPlatform as proud community partner. 

    This evening is designed for Director-level and above cybersecurity professionals to connect, collaborate, and unwind in a relaxed setting. Enjoy…

  • Created by: Biswajit Banerjee
  • Tags: black hat 2025, ciso meetup, cocktail reception, usa events, cybersecurity events, ciso

6 City Playbook Round Table Series (Delhi, Mumbai, Bangalore, Pune, Chennai, Kolkata)

  • Description:

    Join us for an exclusive 6-city roundtable series across Delhi, Mumbai, Bangalore, Pune, Chennai, and Kolkata. Curated for top cybersecurity leaders, this series will spotlight proven strategies, real-world insights, and impactful playbooks from the industry’s best.

    Network with peers, exchange ideas, and contribute to shaping the Top 100 Security Playbooks of the year.

    Date : Sept 2025 - Oct 2025

    Venue: Delhi, Mumbai, Bangalore, Pune,…

  • Created by: Biswajit Banerjee