Slide 3) Lecturer
By now, everyone should have successfully created a Gateway service that can perform the read-only operations QUERY and READ.
Slides 5-13) Lecturer
The process described by these slides is self-explanatory, but the important thing here is that you show the students the steps in the ABAP editor, not just in PowerPoint.
Slide 15)
This slide introduces the concept that trust relationships that exist between browsers and web servers can be exploited.
Simply using a modern browser blocks an XSS attack – it is not SAP’s responsibility to prevent this type of attack since it is an exploitation of the trust a browser (or user) places in a web server.
However, a CSRF attack exploits the trust a web server places in a supposedly authenticated user.
The vendor of the server-side software must protect against this type of attack. Therefore SAP provides such a protection mechanism.
Slide 16)
Lecturer
An explanation of the Cross-Site Scripting (XSS) attack is presented for completeness.
This type of attack cannot be prevented by any software written by SAP. It is the browser vendor’s responsibility to detect and prevent this type of attack.
Slide 17)
Lecturer
This type of attack cannot be prevented by any software written by SAP. It is the browser vendor’s responsibility to detect and prevent this type of attack.
Slide 18)
A Cross-Site Request Forgery (CSRF) presents both Web users and service providers with a potentially serious exploitation possibility.
Once a user has provided a website with valid authentication credentials, that server considers the user to be authenticated and trusts all subsequent communication from the authenticated browser session.
Slide 19)
Lecturer
A CSRF attack exploits the trust a server places in an authenticated browser session.
If the user can be convinced to click on a web address that directs him to the hacker’s website, the attack can potentially be launched.
Slide 20)
Lecturer
Prevention of a CSRF attack is easy enough to achieve. The server side software must generate a random token that provides additional authentication that, combined with the session cookie, can distinguish the genuinely authenticated user from a user trying to exploit the authentication.
Slide 21)
Lecturer
Both XSS and CSRF attacks are real threats to the security of Web based business applications, but both can be defeated by a combination of modern browsers together with the X-CSRF-Token protection mechanism provided by the SAP NetWeaver Gateway server.
The SAP NetWeaver Gateway system prevents CSRF attacks by issuing a token value to the browser that must be returned whenever an operation is performed that alters a server-side resource (e.g. UPDATE, CREATE or DELETE).
The token value itself is simply a string of random characters, but the important point is that such a string cannot be guessed by a third party attacker, since the attacker’s fraudulent URL is generated on a server that knows nothing of the token value.
Slides 23-27)
These slides are self-explanatory.
Slide 28)
Lecturer
In SP3, the OData software that underlies the Gateway software layer was completely replaced with a fully compliant layer that implemented the full OData standard.
The only problem here is that now all XML elements for properties of data type Edm.String are no longer allowed to be null. In other words, an element such as <d:bank_group/> is no longer valid.
Instead, the parameter m:null='true' must be added.
If you do not use the m:null='true' parameter, and SAP Note 1690310 has not been applied to a Gateway 2.0 SP3 system, you will get a “Malformed URI syntax” error.
The problem here is that when you perform a READ operation, the XML you receive will contain null XML elements for any properties that have no value. Therefore, in order for this XML to form the valid input to a subsequent UPDATE or CREATE operation, it must be checked and adjusted to ensure that no properties of type Edm.String are left implicitly null.
The problem for OData SDKs here is that the actual XML needs to be edited before it becomes valid.
SAP Note 1690310 implements a relaxation of this requirement for fields of type Edm.String.
SAP strongly recommends that this note be applied in all Gateway 2.0 SP3 systems. This relaxation is standard in SP4.
Fields of data types other than Edm.String may not be left null. Instead, a suitable initial value must be supplied.
SAP Note 1690310 has been applied to the GW100 training system, so the use of this extra parameter is not needed during the exercises.
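The adjustment described above, as an added example that is not part of the course material or SAP's code: it takes the Atom XML returned by a READ, marks every empty element for a property declared Edm.String with m:null='true', and fills empty non-string properties from a caller-supplied map of initial values. The sample payload, the property names and the Edm types assigned to them are constructed for the example; the namespace URIs are the standard OData v2 ones.

```python
import xml.etree.ElementTree as ET

# OData v2 Atom namespaces used in Gateway entry payloads
NS_D = "http://schemas.microsoft.com/ado/2007/08/dataservices"
NS_M = "http://schemas.microsoft.com/ado/2007/08/dataservices/metadata"
ET.register_namespace("d", NS_D)
ET.register_namespace("m", NS_M)

# Constructed sample of the <m:properties> block a READ might return:
# bank_group and zip_code (Edm.String) and bank_number (not a string) are empty.
SAMPLE_READ_XML = (
    '<m:properties xmlns:m="http://schemas.microsoft.com/ado/2007/08/dataservices/metadata"'
    ' xmlns:d="http://schemas.microsoft.com/ado/2007/08/dataservices">'
    '<d:bank_ctry>DE</d:bank_ctry>'
    '<d:bank_group/>'
    '<d:bank_id>10010010</d:bank_id>'
    '<d:zip_code></d:zip_code>'
    '<d:bank_number/>'
    '</m:properties>'
)

def mark_empty_strings_null(xml_text, string_props, initial_values=None):
    """Return the XML with empty Edm.String elements carrying m:null='true'.

    string_props:   names of the properties declared Edm.String in $metadata
    initial_values: property -> initial value for empty non-string properties,
                    which must not be left null (assumed caller-supplied)
    """
    initial_values = initial_values or {}
    root = ET.fromstring(xml_text)
    for el in root.iter():
        if not el.tag.startswith("{%s}" % NS_D):
            continue                      # only d:* property elements matter
        name = el.tag[len(NS_D) + 2:]
        is_empty = not el.text and len(el) == 0
        if not is_empty or el.get("{%s}null" % NS_M) == "true":
            continue                      # has a value or is already explicit
        if name in string_props:
            el.set("{%s}null" % NS_M, "true")
        elif name in initial_values:
            el.text = initial_values[name]
        else:
            raise ValueError("non-string property %s left empty" % name)
    return ET.tostring(root, encoding="unicode")

def null_marked(xml_text):
    """Names of properties that carry m:null='true' (for checking the result)."""
    root = ET.fromstring(xml_text)
    return {el.tag[len(NS_D) + 2:] for el in root.iter()
            if el.get("{%s}null" % NS_M) == "true"}
```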
Slide 29)
This slide is self-explanatory.
Slide 30)
Lecturer
For the initial READ operation, the HTTP header field X-CSRF-Token must be set to Fetch. Once the CSRF token has been returned to the client, this value must be returned to the SAP NetWeaver Gateway server on all subsequent requests that could change the state of a server-side resource.
The RESTClient does not allow copy and paste from its display areas, so in order to access this value, a query string parameter must be added to the request.
Alternatively, if you have performed the READ operation with Firebug running, then you will be able to copy the value from the Header response section of the Net tab.
Slide 31)
Lecturer
There are several important points you should emphasise concerning the sap-ds-debug=true query string parameter:
1. It will have no effect if added to the URL of a Gateway service built using either:
a. Gateway 2.0 SP2
b. Generic Channel runtime framework
2. It should only be used on READ operations.
3. Using this query string parameter on UPDATE or CREATE operations will result in an error.
Slides 32 & 33)
These slides are self-explanatory.
Slide 34)
Lecturer
It is very important that the students do not interpret an “HTTP 200” status code (seen after a successful GET request) to mean that the PUT request (UPDATE operation) was successful.
Somewhat counter-intuitively, for an OData UPDATE or CREATE operation, an HTTP status code of 200 means “Nope, something went wrong”.
The correct response to look for is HTTP 204 “No Content”.
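The token exchange from slides 20, 21 and 30 and the status-code point from slide 34, as an added example that is not part of the course material or SAP's code: a small in-memory stand-in for the Gateway server issues a random token bound to the session cookie when a GET carries X-CSRF-Token: Fetch, rejects modifying requests that lack the matching token, and answers a successful UPDATE with 204. The cookie name, the resource path and the 401/403/405 codes are assumptions of the simulation.

```python
import secrets

class GatewayServerSim:
    """Stand-in for the Gateway CSRF check (simulation, not SAP's implementation)."""
    MODIFYING = {"PUT", "POST", "DELETE"}      # UPDATE, CREATE, DELETE

    def __init__(self):
        self.tokens = {}                        # session cookie -> issued token
        self.resources = {"BankSet('10010010')": {"bank_group": ""}}  # constructed

    def handle(self, method, path, headers, body=None):
        """Return (status, response headers, body) for one request."""
        session = headers.get("Cookie")
        if session is None:
            return 401, {}, None                # no authenticated session
        resp = {}
        if method == "GET":
            if headers.get("X-CSRF-Token") == "Fetch":
                token = secrets.token_urlsafe(24)   # unguessable random value
                self.tokens[session] = token        # bound to this session only
                resp["X-CSRF-Token"] = token
            return 200, resp, self.resources.get(path)
        if method in self.MODIFYING:
            # The browser attaches the cookie automatically on a cross-site
            # request, but a page on another origin never saw the token.
            sent = headers.get("X-CSRF-Token")
            if sent is None or sent != self.tokens.get(session):
                return 403, resp, "CSRF token validation failed"
            self.resources[path] = body
            return 204, resp, None              # success for UPDATE is 204, not 200
        return 405, resp, None

def update_with_token(server, path, new_body, cookie="SAP_SESSIONID=abc"):
    """Client side: READ with X-CSRF-Token: Fetch, then PUT with the token."""
    _, hdrs, _ = server.handle("GET", path,
                               {"Cookie": cookie, "X-CSRF-Token": "Fetch"})
    token = hdrs["X-CSRF-Token"]
    status, _, _ = server.handle("PUT", path,
                                 {"Cookie": cookie, "X-CSRF-Token": token}, new_body)
    return status

def update_without_token(server, path, new_body, cookie="SAP_SESSIONID=abc"):
    """What a cross-site request looks like to the server: cookie, no token."""
    status, _, _ = server.handle("PUT", path, {"Cookie": cookie}, new_body)
    return status
```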
Slides 35, 37-41)
These slides are self-explanatory.