SAP Knowledge Base Article - Preview

3232109 - Sensitive data such as password can be tracked via client side tool for AS Java

Symptom

You are running Enterprise Portal (EP) or a NetWeaver Java system (AS Java) and notice that sensitive data such as username/password can be observed with a client-side tool, for example a browser developer tool or a third-party tool.

With a third-party tool, after changing the request method from POST to GET, you notice that the hidden form data containing sensitive data such as username/password is appended to the request URL as plain text, and that the AS Java server accepts such a GET request and processes it normally.

You want to know whether such sensitive data can be encrypted so that it cannot be observed as plain text on the client side. You also want to know whether AS Java can be configured to reject GET requests that contain sensitive data.
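The practical consequence of the POST-to-GET change described above is that credentials land in the URL, and therefore in web server access logs, proxy logs and browser history, where a POST body would not. The following is an added illustration, not SAP code and not the KBA's resolution: it scans constructed access-log lines for GET requests whose query string carries the logon parameters named in this article's keywords (j_username, j_password), reports them with the values redacted, and shows the decision a server-side check would make to refuse credentials arriving via GET. The log format and parameter list are assumptions for the example.

```python
"""Detect logon credentials leaked into GET query strings (added example, not SAP code).

Assumes access-log lines in a Common Log Format-like layout (constructed below)
and treats j_username / j_password as the sensitive parameter names.
"""
import re
from urllib.parse import parse_qsl, urlsplit

# Parameter names considered sensitive (assumption: the AS Java logon field names).
SENSITIVE_PARAMS = frozenset({"j_username", "j_password"})

# Matches the request line '"METHOD /path?query HTTP/1.x"' of a typical access-log entry.
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')

# Constructed sample log lines; no real hosts, users or passwords.
SAMPLE_LOG = """\
192.0.2.10 - - [01/Jan/2024:10:00:00 +0000] "POST /irj/portal HTTP/1.1" 200 512
192.0.2.11 - - [01/Jan/2024:10:00:01 +0000] "GET /irj/portal?j_username=alice&j_password=Secret123 HTTP/1.1" 200 512
192.0.2.12 - - [01/Jan/2024:10:00:02 +0000] "GET /irj/portal?lang=en HTTP/1.1" 200 512
192.0.2.13 - - [01/Jan/2024:10:00:03 +0000] "GET /irj/portal?lang=en&j_password=Hunter2 HTTP/1.1" 302 0
"""


def sensitive_query_params(target):
    """Return the sorted sensitive parameter names present in the target's query string."""
    query = urlsplit(target).query
    names = {name for name, _ in parse_qsl(query, keep_blank_values=True)}
    return sorted(names & SENSITIVE_PARAMS)


def should_reject(method, target):
    """Decision a server-side filter would make: refuse credentials submitted via GET.

    POST submissions are left to the normal logon handling; only GET requests
    whose query string carries a sensitive parameter are rejected.
    """
    return method.upper() == "GET" and bool(sensitive_query_params(target))


def redact(target):
    """Replace the values of sensitive parameters so findings can be reported safely."""
    parts = urlsplit(target)
    pairs = parse_qsl(parts.query, keep_blank_values=True)
    redacted = "&".join(
        f"{k}={'[REDACTED]' if k in SENSITIVE_PARAMS else v}" for k, v in pairs
    )
    return parts.path + ("?" + redacted if redacted else "")


def scan_log(text):
    """Return (line_no, client_ip, redacted_target) for each GET request carrying credentials."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), 1):
        match = REQUEST_RE.search(line)
        if match is None:
            continue  # not a request line we understand; skip rather than guess
        if should_reject(match["method"], match["target"]):
            client_ip = line.split(" ", 1)[0]
            findings.append((line_no, client_ip, redact(match["target"])))
    return findings


if __name__ == "__main__":
    for line_no, client_ip, target in scan_log(SAMPLE_LOG):
        print(f"line {line_no}: {client_ip} sent credentials via GET: {target}")
```

Two points worth keeping in mind when reading the output: a browser's developer tools see the request before TLS is applied, so transport encryption (HTTPS) does not hide form fields from the user's own client; and the redaction step matters because the detection report itself would otherwise become another copy of the leaked password.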

Example - Browser development tool:

browser_developer_tool.png


Environment

  • SAP NetWeaver Java - AS Java
  • SAP Enterprise Portal - EP

Product

SAP NetWeaver all versions

Keywords

plain txt, protect, disclosure, expose, security vulnerability, security scan, get, post, http, https, discover, irj/portal, java engine, java server, j_username, j_password, risk, KBA, BC-JAS-SEC, Security, User Management, EP-PIN-PRT, Portal Runtime, BC-JAS-SEC-LGN, Logon, SSO, Problem

About this page

This is a preview of an SAP Knowledge Base Article; the full version is available on SAP for Me (login required).