Tuesday, 08 June 2021 12:45

#SafeSAPUI5 – EP10

Written by Jose Sequeira
Rate this item
(0 votes)
Source https://blogs.sap.com/2021/06/09/safesapui5-ep10/
“© 2020. SAP SE or an SAP affiliate company. All rights reserved.” “Used with permission of SAP SE”


*** Default Header ***

With the intention to show why SAPUI5 developers (as most of them came from the ABAP world) need to upskill with “safe programming” knowledge and skills, i’ve decided to create the #SafeSAPUI5.

What is #SafeSAPUI5?

  1. A series of episodes with examples (of course with responsible disclosure, not showing names, servers, etc.) of security breaches that were exposed on SAPUI5 apps. The idea here is not to point fingers, but to educate as a “learned mistake” that someone made, to all. I think this is the first series that the creator “hopes” that it has fewer possible episodes ☺️.
  2. Encourage developers to also use the hashtag #SafeSAPUI5 around the web on interesting articles, courses (why not?), ebooks or even self made materials, that will help SAPUI5 developers to upskill their knowledge, specially for the security part, also bringing examples that some may had not thought about it.

I try to keep everything as short as possible here, but this researches, analyses, testing, contacting the customers, reporting and getting the bugs fixed takes a long time (not really described here).

SAP has an official bug bounty program, please read more on this link. If you would like to report an SAP vulnerability found, please use the official link here.

*** Default Header ***

Also keeping all the important topics on the matter here: safesapui5.web.app

Ok… So now for the Episode 10 ? we have: “Work hard, test hard… ⚠️⚠️⚠️:


In previous episodes i’ve mentioned the Dos/DDos attack, but never went “deeper” on it. I’m not going to perform a real attack on someone just to prove a point or to create an episode, but we can use some tools to “simulate” something similar and demonstrate the impact.

Ok, so now i’ve a HUB FIORI IDES environment to be used on this simulation, just to remember what a HUB FIORI implementation looks like:

Standalone (Central Hub) Deployment of SAP Fiori Front-End Server - SAP Help Portal

So to get a little more technical, i’ve an OData services that exposes a backend RFC (that selects sample data).

So basically a Dos (Denial of Service) attack is someone trying to stop regular users of being able to use your application/server (by taking the server down, use all of it’s memory, etc). And DDos (Distributed Denial of Service) would be the same thing but from multiple sources…

In order to “simulate” multiple connection attempts (like

Continue reading here
Read 49 times

Leave a comment

Make sure you enter all the required information, indicated by an asterisk (*). HTML code is not allowed.