/support/notes/service/sap_logo.png){kind=logo}
SAP Knowledge Base Article - PreviewSymptom
You are running Enterprise Portal (EP) or NetWeaver Java system (AS Java) and notice it is possible to track sensitive data such as username/password with client side tool. For example: browser development tool or 3rd party tool.
With 3rd party tool, by changing request method from POST to GET, you notice hidden form data containing sensitive data such as username/password get appended to request URL as plain text and AS Java server accepts such GET request and process it normally.
You want to know if there is any way to encrypt such sensitive data thus they can't be tracked as plain text at client side. Also want to know if there is any way to configure AS Java to reject the GET request that contains sensitive data.
Example - Browser development tool:
Read more...
Environment
- SAP NetWeaver Java - AS Java
- SAP Enterprise Portal - EP
Product
Keywords
plain txt, protect, disclosure, expose, security vulnerability, security scan, get, post, http, https, discover, irj/portal, java engine, java server, j_username, j_password, risk, , KBA , BC-JAS-SEC , Security, User Management , EP-PIN-PRT , Portal Runtime , BC-JAS-SEC-LGN , Logon, SSO , Problem
About this page
This is a preview of a SAP Knowledge Base Article. Click more to access the full version on SAP for Me (Login required).Search for additional results
Visit SAP Support Portal's SAP Notes and KBA Search.
/support/notes/service/facebook.svg)
/support/notes/service/twitter.svg)
/support/notes/service/youtube.svg)
/support/notes/service/linkedin.svg)
/support/notes/service/instagram2.svg)