Versions Compared

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

...

Table of Contents
minLevel1
maxLevel7

Supported Versions

  • ABAP - from 4.6C to 7.58

  • SAP S/4 HANA from 1511 to 2005

  • SAP NetWeaver from 7.0 to 7.5

SAP Mass Extractor

You do not have to download your ABAP custom code manually; Security Reviewer will help you with Mass Extractor tool, a program that recursively searches for code, metadata, documentation and data dictionary objects and then downloads them in either text (.abap) or HTML format. Mass Extractor program can download customer code at the push of a button to your local workstation or your system’s NFS. You don’t even need to provide the exact name of the program or object you want to download as you are able to filter objects by author as well.

...

  •       Dead Code (defined fields never referenced, code never executed, subroutine never called)

  •       Deprecated, Unsupported or Obsolete Functions

  •       SQL Abuse (SQL Injection, SQL bad commands, System Variables manipulation, etc.)

  • Insecure Randomness   

  •       HTTP Abuse (Header, Session or Cookies manipulation)

  • HTTP Response Splitting/Tampering, URL Redirect, File Upload, File Download, etc.)

  •       Information Leak, Privacy Violation, Password management/hardened mistakes

  •       Authentication/hardened Credential mistakes

  •       Code Injection, Command Injection, Resource Injection LDAP Injection, XPath Injection

  • XML Injection, File Injection, Mail Injection, PDF Injection, Cross-Site Scripting

  •       Invalid Process Control, Kernel Calls, Dangerous ABAP commands

  •       Denial Of Service (Connection-exceptions, Flood, XML, Shutdown, Lock, Sleep, SQL DoS, etc.)

  •       Buffer Overflow

  •       Log Forging

  •       Path Manipulation, Directory Traversal

  •       Database Access and Authorization mistakes

  •       Unsecure Communications (missed SSL, Outgoing FTP, Phishing, etc.)

  •       CSRF (Cross-Site Request Forgery)

  •       Misconfiguration Mistakes

  •       Insecure Cryptography, Invalid key Management

  •       Poor Error handling/Logging, Poor Input Validation

  •       Dynamic Code, Native Code/Library, Usrer-controlled dynamic calls/transactions

  • Test code/BREAK-POINT found in production

  • Abuse of System calls

Each vulnerability detected will be classified using OWASP Top 10 2021, OWASP Top 10 API 20192023, WASC, CVSS 3.1, PCI-DSS 4.0 and 3.2.1, BITEC and CWE 4.9 compliance standards. A graphical user interface provides navigation through detected vulnerabilities:

Security

Once the analysis is terminated, you can view and manage the results. You can mark some vulnerabilities as False Positive, Suppress Vulnerabilities, and you can add Notes or change the Vulnerability’ Status.

...

Dead Code, Best Practices and Possible Bugs

...