Code Security Vulnerabilities – ABAP Injection

ABAP injection allows malicious ABAP code to be injected into vulnerable programs installed on SAP ABAP systems. An attacker who can inject ABAP code may take complete control of the SAP ABAP stack. Therefore, ABAP injection is rated as critical by the BIZEC APP/11 standard.

The injection is typically done by exploiting programs that use GENERATE SUBROUTINE POOL or INSERT REPORT statements to generate and execute dynamic code.

In the following case, if the contents of PP_CTX can be manipulated, malicious code may be executed:

GENERATE SUBROUTINE POOL PP_CTX NAME IX_CONTEXT.
PERFORM MAIN IN PROGRAM (IX_CONTEXT) TABLES PP_CTX.

The main difference between GENERATE SUBROUTINE POOL and INSERT REPORT is that GENERATE SUBROUTINE POOL creates dynamic code in memory, whereas INSERT REPORT is used for manipulating programs actually installed on the SAP system, or for installing new ones. Both are equally dangerous. The same result can be accomplished with INSERT REPORT, as in the following example:

INSERT REPORT IX_CONTEXT FROM PP_CTX.
GENERATE REPORT IX_CONTEXT.
SUBMIT (IX_CONTEXT).

How can ABAP injection be prevented?

We recommend avoiding dynamic code or applying proper input filtering to prevent ABAP injection vulnerabilities.
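To act on this recommendation, a code review first has to locate every place where dynamic code is generated. The following Python scanner is an added example, not code from the original page: it finds the two statements named above in ABAP source text and reports the internal table that supplies the generated code. It assumes statements are not chained with a colon and does not handle backquoted string literals; the function names and the sample are constructed for illustration.

```python
import re

# The two statements this page names as ABAP injection sinks; group 1 is the
# internal table that supplies the generated source code.
SINKS = [
    ("GENERATE SUBROUTINE POOL", re.compile(r"GENERATE\s+SUBROUTINE\s+POOL\s+(\S+)", re.I)),
    ("INSERT REPORT", re.compile(r"INSERT\s+REPORT\s+\S+\s+FROM\s+(\S+)", re.I)),
]

def strip_comments(line):
    """Drop ABAP comments: '*' in column 1, or '"' outside a '...' literal."""
    if line.startswith("*"):
        return ""
    out, in_literal = [], False
    for ch in line:
        if ch == "'":
            in_literal = not in_literal
        elif ch == '"' and not in_literal:
            break
        out.append(ch)
    return "".join(out)

def statements(source):
    """Yield (first_line, text) per statement; a statement ends with a period."""
    buf, start = [], None
    for no, raw in enumerate(source.splitlines(), 1):
        code = strip_comments(raw).strip()
        if not code:
            continue
        start = start or no
        buf.append(code)
        if code.endswith("."):
            yield start, " ".join(buf)
            buf, start = [], None

def find_sinks(source):
    """Return (line, statement, source table) for every sink statement."""
    return [(line, kind, m.group(1).rstrip(".").upper())
            for line, stmt in statements(source)
            for kind, rx in SINKS
            if (m := rx.match(stmt))]

# Constructed sample built from the snippets on this page.
SAMPLE = """\
* GENERATE SUBROUTINE POOL OLD_TAB NAME OLD_NAME.
WRITE 'INSERT REPORT X FROM Y.'.
generate subroutine pool PP_CTX
  name IX_CONTEXT. "dynamic code
INSERT REPORT IX_CONTEXT FROM PP_CTX.
"""
```

Each hit names the table to trace back through the program: if any of its rows can be influenced by user input, the statement needs to be removed or the input filtered.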