How to search for SAP error codes and messages?

Companies that have implemented SAP products have spent a large amount of resources on client refinement of solutions. However, do these developments introduce additional risks into your business processes? SAP guarantees the quality of the code in its applications through manual audits of the supplied code and the use of the most modern mechanisms for statistical and dynamic analysis of its products for various vulnerabilities.

A study was carried out at the University of Saarbrücken (Germany), the purpose of which was to analyze the SAP product codes (e-commerce solutions) with the most modern statistical analysis tools. The conclusions were as follows - the quality of the code is quite high.

SAP software code undergoes manual and automated analysis, thousands of special test cases. Client code often cannot be fully analyzed, especially in the face of tight project deadlines. It's worth considering the quality of the client code on your systems.

The  SAP system   simplifies doing business at the system level, as well as conducting analysis and analytics of activities. But if there are SAP errors in the company's program code, then they must be corrected immediately for the correct operation of the program and, accordingly, the business.

It is important to understand that checking user authorization (a synonym for SAP security for many enterprises) will not help prevent the use of this kind of errors, since the user using errors in the code is beyond the authority defined by the system administrator.

Let's consider the errors that may be present in the client code.

Code injection

Reserved code injection is one of the most common and most dangerous vulnerabilities according to the OWASP classification. Most of the well-known vulnerabilities, including OpenSSL Heartbleed and the Ebay hack, are related to the inadvertently left injecting user input into a program.

The danger of such errors lies in the practically unpredictable results of the execution of vulnerable programs. The result of an injection of SQL code can be both a leak of passwords and the complete removal of all system data.

An additional problem with such vulnerabilities is the difficulty of finding them with automated tools. Search based on rules and patterns will not give a positive result due to the large number of mistakenly formulated assumptions.

The only truly effective way to find errors can be static analysis of the data stream entering the program. Static analysis of the data flow allows you to trace what data is going to potentially dangerous points of assumption about the presence or absence of a code injection vulnerability.

Directory traversal

Another dangerous programming error is inadvertently leaving input spoofing, which allows directory traversal.

An attacker who exploits this vulnerability gains the ability to read or write data outside the predefined directory. Thus, critical system settings can be read or configuration files overwritten, which can disable the system for a fairly long period of time.

There are quite specific options for using this error. For example, a call to the OPEN DATASET dset FILTER iv_filter statement, which opens a file for reading, on a Unix system supplies data from the file being read to a predefined process that can perform unexpected actions at the operating system level.

Thus, incorrect OS configuration and vulnerable code that do not have errors separately can lead to critical consequences when working together.

Authorization errors

Are your programmers guided by the concept of authority when developing their applications? According to this concept, access to any function block of a program should be denied until otherwise specified.

Unfortunately, on many projects, access control occurs at the transaction level, which makes it possible to combine various existing permissions in order to access prohibited information. For example, using the CALL TRANSACTION statement (which is widely used by developers) on projects with transactional access control is unsafe. Without WITH AUTHORITY-CHECK, the CALL TRANSACTION statement allows you to branch through any other transaction.

It is also possible that there is an authorization check, but it was done incorrectly. Such cases also need to be found and corrected.

Backdoors

Before that, we looked at some cases of vulnerabilities, when programmers made unintentional mistakes, as a result of which the code became vulnerable. However, there are also cases when the programmer deliberately changes the program execution flow for certain users (undocumented features), or does not leave the so-called backdoor at all, which allows you to bypass all checks set by the system.

A developer can create a backdoor without malicious purposes, such as obtaining SAP_ALL authority to work more efficiently on an implementation project. Obviously, this does not detract from the risks that the presence of backdoors introduces.

There are many examples of such backdoors on the web that can be easily copied and transferred to a production system. It is very difficult to catch the presence of undocumented features and backdoors, firstly, because of the huge amount of client code, and secondly, because of the peculiarities of the SAP programming language. ABAP allows you to execute code on the fly and is stored in the DBMS, that is, it can be hidden very, very deep.

How to find SAP errors?

There are several different ways to find vulnerabilities in code, the most advanced of which is static data flow analysis.

SAP Netweaver AS has a module that analyzes the data flow for the presence or absence of vulnerabilities (Code Vulnerability Analysis). There are certified partner solutions that allow you to scan application code for vulnerabilities.

SAP Code Vulnerability Analysis (CVA) is based on the Code Inspector tool, which has been able to check client code for potentially dangerous constructs for many years, but unlike Code Inspector, it uses data flow analysis in its work. It is most expedient to use CVA from the very first stage of the project - one hundred development stage (before the development is transferred further along the landscape), since making corrections later (for example, during productive operation) is more complicated and costly.

The introduction of CVA implies not only finding and fixing errors, but also changing the very approach to development standards in the enterprise.

The introduction of any new development into a production system must be authorized by an expert who is guided in his work by the most modern development analysis tools.

One of the ways to find errors is such a tool. Not everyone is aware that SAP contains over one million error messages. You can use this simple and most importantly free tool to quickly find any error code and SAP message.

A SAP error code such as AA729 or a keyword such as asset must be entered into the dedicated window to find all related SAP error messages.

Frequently Asked Questions

What does Directory traversal mean?

This is a programming error SAP about inadvertently leaving input spoofed to allow directory traversal. This can read critical system settings or overwrite configuration files, which can bring the system down for quite a long period of time.

What are effective methods for troubleshooting SAP error codes and messages?

Troubleshooting SAP error codes and messages effectively involves using SAP support portals, consulting SAP documentation, and engaging with SAP user communities for insights and solutions.