software composition analysis
Product
SAST
Catch vulnerabilities as you develop DAST
Test live web applications like an attacker SCA
Secure open-source and supply chain MAST
Secure mobile apps from code to store Compliance
Align with standards while shipping secure code
Resources
Vulnerability database Healthy Package
Blog News
Documentation
Pricing Partners About Us Log In
software composition analysis

ABAP : Undocumented feature: special account

Classification

OWASP ASVS Malicious Code PCI DSS 4.0 6.5.6 CWE CWE-506 CWE-798 CWE-862 CWE/SANS Top 25 2011 CWE-798 CWE-862 CWE/SANS Top 25 2021 CWE-798 CWE-862

Overview

The application compares the value of the variable which stores the authentication data with a hardcoded value. This special account may be a part of a backdoor.

The application developer could have used a special account (possibly with elevated privileges) for debugging and he/she left the corresponding code sections in the final version, thus, retaining the access to the application functionality. An attacker can decompile the application, extract the hardcoded strings which specify the special account, and get access to the application.

Constant parameters (logins, passwords, keys) must not be stored in the source code of the application.

References

  1. CWE-798: Use of Hard-coded Credentials
  2. Hardcoded and Embedded Credentials - beyondtrust.com
  3. User-Dependent Program Flow
  4. AUTHORITY-CHECK
  5. CWE-506: Embedded Malicious Code

See also

ABAP : Hardcoded password
ABAP : Weak hashing algorithm
ABAP : Undocumented feature: network activity