ABAP Dynamic Code constructs are subjects to code injection attacks, for instance, when dynamic code generated could be affected by external inputs.

Such dynamic code constructs cannot be fully tested, and don’t have traces, cause code exists in memory (it is generated at runtime). It could be used to code a backdoor that may pass security audits.

The following dynamic programming features will be cause for concern:

Extract code to internal table: READ REPORT prog INTO itab.
Generate program from internal table: INSERT REPORT prog FROM itab.
Removing a program: DELETE REPORT prog.
Loading a program: LOAD REPORT prog PART part INTO itab.
Edit the program: EDITOR-CALL FOR REPORT prog.
Generate (temporary) subroutines from internal table: GENERATE SUBROUTINE POOL itab NAME prog.
Generate program (internal use): GENERATE REPORT prog.
Generate screen/dynpro (internal use): GENERATE DYNPRO h f e m ID dynpro_id.
Exporting dynpro: EXPORT DYNPRO h f e m ID dynpro_id.
Importing dynpro: IMPORT DYNPRO h f e m ID dynpro_id.
Performing table contents syntax check: SYNTAX-CHECK FOR itab MESSAGE msg LINE | WORD w PROGRAM prog.
Performing dynpro syntax check: SYNTAX CHECK FOR DYNPRO h f e m.
Tokenize code and store it into the repository: SCAN ABAP-SOURCE itab1 TOKENS INTO itab2.
Inserting textpool into repository: INSERT TEXTPOOL prog FROM itab LANGUAGE lang.
Reading textpool from repository: READ TEXTPOOL prog INTO itab LANGUAGE lang.
Removing textpool from repository: DELETE TEXTPOOL prog LANGUAGE lang.
SYNTAX-CHECK FOR DYNPRO.

The generated ABAP code may be invoked later (via SUBMIT or PERFORM).

Note: GENERATE REPORT / GENERATE DYNPRO are intended for internal use only.

ABAP : Command injection

DerScanner Severity Score

Do you want to fix ABAP : Command injection in your application?

See also