This XS application is not protected against CSRF (cross-site request forgery) because it either disables the protection or fails to enable the protection explicitly.
A web server that accepts a state-changing request from a client without verifying that the user intended to send it may be vulnerable to Cross-Site Request Forgery (CSRF). Because the browser attaches the victim's session cookies automatically, an attacker who tricks a logged-in client into issuing a request (via a crafted URL, an image load, a form submission, an XMLHttpRequest, and so on) gets that request treated as authentic. The result can be exposure or modification of data, or unintended code execution.
SAP’s recommendation is to use CSRF protection for any request that could be processed by a browser client by normal users.
- If XS Advanced is used, CSRF protection is configured per route with the "csrfProtection" property in xs-app.json. It is enabled by default and should not be disabled; every route that sets it to false needs to be reviewed.
- If XS Classic is used, CSRF protection is configured with the "prevent_xsrf" property of .xsaccess. It is disabled by default and must be enabled explicitly; a missing property means the protection is off.
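The two rules above lend themselves to a mechanical check. The following JavaScript is an added example, not code from the original page or from SAP: it audits a parsed xs-app.json object and a parsed .xsaccess object for the insecure settings, and resolves the effective protection of a request path in XS Advanced. The sample configurations are constructed for the example; the helper csrfProtectedForPath assumes approuter's first-matching-route-wins behaviour and treats "source" as a regular expression anchored at the start of the path, which are assumptions of this example rather than statements from the page.

```javascript
// Added example, not part of the original page or of SAP's tooling.
// Sample configuration objects below are constructed for illustration.

// XS Advanced: "csrfProtection" is a per-route property that defaults to true,
// so only routes that set it to false explicitly are exposed.
function unprotectedXsaRoutes(xsApp) {
  const routes = Array.isArray(xsApp.routes) ? xsApp.routes : [];
  return routes
    .filter((route) => route.csrfProtection === false)
    .map((route) => route.source);
}

// XS Classic: "prevent_xsrf" defaults to false, so the file is only safe when
// it sets the property to true explicitly (a missing property means disabled).
function xsaccessCsrfEnabled(xsaccess) {
  return xsaccess.prevent_xsrf === true;
}

// Effective protection for one request path in XS Advanced.
// Assumption of this example: the first matching route wins and "source" is a
// regular expression anchored at the start of the path. Verify against the
// approuter version in use before relying on this in a gate.
function csrfProtectedForPath(xsApp, path) {
  const routes = Array.isArray(xsApp.routes) ? xsApp.routes : [];
  const route = routes.find((r) => new RegExp("^" + r.source).test(path));
  if (!route) return null; // no matching route: nothing is forwarded
  return route.csrfProtection !== false;
}

// Constructed xs-app.json: one route disables protection, one keeps the default.
const badXsApp = {
  routes: [
    { source: "/bad/(.*)", destination: "srv_api", csrfProtection: false },
    { source: "/api/(.*)", destination: "srv_api" },
  ],
};

// Corrected form: the explicit false is gone. Writing true is equivalent to
// omitting the property, but documents the intent.
const goodXsApp = {
  routes: [
    { source: "/bad/(.*)", destination: "srv_api", csrfProtection: true },
    { source: "/api/(.*)", destination: "srv_api" },
  ],
};

// Constructed .xsaccess files: the first silently relies on the insecure default.
const badXsaccess = { exposed: true, authentication: [{ method: "Form" }] };
const goodXsaccess = {
  exposed: true,
  authentication: [{ method: "Form" }],
  prevent_xsrf: true,
};

// Collect findings for whichever configuration files an application ships
// (an XS Advanced app has xs-app.json, an XS Classic app has .xsaccess).
function auditCsrf({ xsApp, xsaccess }) {
  const findings = [];
  if (xsApp) {
    for (const source of unprotectedXsaRoutes(xsApp)) {
      findings.push(`xs-app.json route "${source}" sets csrfProtection: false`);
    }
  }
  if (xsaccess && !xsaccessCsrfEnabled(xsaccess)) {
    findings.push(".xsaccess does not set prevent_xsrf: true");
  }
  return findings;
}

console.log(auditCsrf({ xsApp: badXsApp, xsaccess: badXsaccess }));
console.log(auditCsrf({ xsApp: goodXsApp, xsaccess: goodXsaccess }));
```

Turning the setting on is only half of the fix: with protection enabled, clients must first obtain a token with a GET request carrying the header X-CSRF-Token: Fetch and send that token back on modifying requests, otherwise those requests are rejected. An audit like the one above therefore belongs next to a functional test of the UI, not in place of one.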
The following xs-app.json fragment disables CSRF protection of the application it configures.
    "routes": [
        {
            "source": "/bad/(.*)",
            "destination": "srv_api",
            "csrfProtection": false,
            ...
        },
        ...
    ]

- SAP: XS Advanced Application Router Configuration Syntax, relevant to XS Advanced applications.
- SAP: Application-Access File Keyword Options, prevent_xsrf, relevant to XS Classic applications.
- SAP: Server-Side JavaScript Security Considerations.
- Common Weakness Enumeration: CWE-352.
- OWASP: Cross-Site Request Forgery (CSRF).