...
Table of Contents | ||||
---|---|---|---|---|
|
Supported Versions
ABAP - from 4.6C to 7.58
SAP S/4 HANA from 1511 to 2005
SAP NetWeaver from 7.0 to 7.5
SAP Mass Extractor
You do not have to download your ABAP custom code manually; Security Reviewer will help you with Mass Extractor tool, a program that recursively searches for code, metadata, documentation and data dictionary objects and then downloads them in either text (.abap) or HTML format. Mass Extractor program can download customer code at the push of a button to your local workstation or your system’s NFS. You don’t even need to provide the exact name of the program or object you want to download as you are able to filter objects by author as well.
...
Dead Code (defined fields never referenced, code never executed, subroutine never called)
Deprecated, Unsupported or Obsolete Functions
SQL Abuse (SQL Injection, SQL bad commands, System Variables manipulation, etc.)
Insecure Randomness
HTTP Abuse (Header, Session or Cookies manipulation)
HTTP Response Splitting/Tampering, URL Redirect, File Upload, File Download, etc.)
Information Leak, Privacy Violation, Password management/hardened mistakes
Authentication/hardened Credential mistakes
Code Injection, Command Injection, Resource Injection LDAP Injection, XPath Injection
XML Injection, File Injection, Mail Injection, PDF Injection, Cross-Site Scripting
Invalid Process Control, Kernel Calls, Dangerous ABAP commands
Denial Of Service (Connection-exceptions, Flood, XML, Shutdown, Lock, Sleep, SQL DoS, etc.)
Buffer Overflow
Log Forging
Path Manipulation, Directory Traversal
Database Access and Authorization mistakes
Unsecure Communications (missed SSL, Outgoing FTP, Phishing, etc.)
CSRF (Cross-Site Request Forgery)
Misconfiguration Mistakes
Insecure Cryptography, Invalid key Management
Poor Error handling/Logging, Poor Input Validation
Dynamic Code, Native Code/Library, Usrer-controlled dynamic calls/transactions
Test code/BREAK-POINT found in production
Abuse of System calls
Each vulnerability detected will be classified using OWASP Top 10 2021, OWASP Top 10 API 20192023, WASC, CVSS 3.1, PCI-DSS 4.0 and 3.2.1, BITEC and CWE 4.9 compliance standards. A graphical user interface provides navigation through detected vulnerabilities:
Security
Once the analysis is terminated, you can view and manage the results. You can mark some vulnerabilities as False Positive, Suppress Vulnerabilities, and you can add Notes or change the Vulnerability’ Status.
...
Dead Code, Best Practices and Possible Bugs
...