
Authentication not enforced in HANA XS application

This HANA XS application does not enforce authentication on the requests it handles.

Overview

SAP HANA XS applications are invoked via HTTP requests and operate on the connected HANA database, so it is critical to authenticate the sender of each request. Failing to do so allows attackers to impersonate users and gain access to the underlying systems and data.

Recommendation

Use the built-in SAP HANA XS authentication mechanism and session management (cookies).

  • If XS Advanced is used, authentication is enabled by default, and the authenticationMethod property indicates which authentication will be applied. However, avoid setting the property to none, as doing so turns off all authentication on all routes.
  • If XS Classic is used, authentication is not enabled by default, so the authentication property in the application's .xsaccess file should be set to enable authentication. Set the value of the property according to the method you want to implement (LogonTicket, Form, or Basic).

Example

The following fragment from an xs-app.json file shows the application in question with its authentication explicitly disabled.

{
  "welcomeFile": "index.html",
  "authenticationMethod": "none",
  ...
}
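As an added example (not part of the original query help), the following check audits both descriptor types described above: an XS Advanced xs-app.json, where only an explicit "none" disables authentication, and an XS Classic .xsaccess, where the authentication property must be present and name one of LogonTicket, Form, or Basic. The {"method": ...} shape of the .xsaccess property and the "route" value for authenticationMethod are assumptions about the file formats, not statements from the page; the sample descriptors are constructed.

```python
import json

# Methods the page lists for the XS Classic .xsaccess "authentication" property.
CLASSIC_METHODS = {"LogonTicket", "Form", "Basic"}


def check_xs_app(config: dict) -> list:
    """XS Advanced xs-app.json: authentication is on by default, so only an
    explicit "authenticationMethod": "none" turns it off for every route."""
    method = config.get("authenticationMethod")
    if isinstance(method, str) and method.lower() == "none":
        return ['xs-app.json: "authenticationMethod" is "none"; no route is authenticated']
    return []


def check_xsaccess(config: dict) -> list:
    """XS Classic .xsaccess: authentication is off by default, so the
    "authentication" property must exist and name a supported method.
    The {"method": ...} shape (object or list) is assumed, not taken from the page."""
    auth = config.get("authentication")
    if auth is None:  # property missing or explicitly null
        return ['.xsaccess: "authentication" missing or null; authentication not enabled']
    findings = []
    for entry in auth if isinstance(auth, list) else [auth]:
        method = entry.get("method") if isinstance(entry, dict) else None
        if method not in CLASSIC_METHODS:
            findings.append(f'.xsaccess: unsupported authentication method {method!r}')
    return findings


def audit(filename: str, text: str) -> list:
    """Parse one descriptor and return findings (an empty list means it passes)."""
    config = json.loads(text)
    if filename.endswith("xs-app.json"):
        return check_xs_app(config)
    if filename.endswith(".xsaccess"):
        return check_xsaccess(config)
    return [f"{filename}: not an XS application descriptor"]


# Constructed sample descriptors: the weak setting beside its corrected form.
WEAK_XS_APP = '{"welcomeFile": "index.html", "authenticationMethod": "none"}'
FIXED_XS_APP = '{"welcomeFile": "index.html", "authenticationMethod": "route"}'
WEAK_XSACCESS = '{"exposed": true}'
FIXED_XSACCESS = '{"exposed": true, "authentication": {"method": "Form"}}'

if __name__ == "__main__":
    for name, text in [("xs-app.json", WEAK_XS_APP), ("xs-app.json", FIXED_XS_APP),
                       (".xsaccess", WEAK_XSACCESS), (".xsaccess", FIXED_XSACCESS)]:
        print(name, audit(name, text) or ["OK"])
```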

References