Hello,
*** Default Header ***
With the intention to show why SAPUI5 developers (as most of them came from the ABAP world) need to upskill with “safe programming” knowledge and skills, i’ve decided to create the #SafeSAPUI5.
What is #SafeSAPUI5?
- A series of episodes with examples (of course with responsible disclosure, not showing names, servers, etc.) of security breaches that were exposed on SAPUI5 apps. The idea here is not to point fingers, but to educate as a “learned mistake” that someone made, to all. I think this is the first series that the creator “hopes” that it has fewer possible episodes
. - Encourage developers to also use the hashtag #SafeSAPUI5 around the web on interesting articles, courses (why not?), ebooks or even self made materials, that will help SAPUI5 developers to upskill their knowledge, specially for the security part, also bringing examples that some may had not thought about it.
I try to keep everything as short as possible here, but this researches, analyses, testing, contacting the customers, reporting and getting the bugs fixed takes a long time (not really described here).
SAP has an official bug bounty program, please read more on this link. If you would like to report an SAP vulnerability found, please use the official link here.
*** Default Header ***
Also keeping all the important topics on the matter here: safesapui5.web.app
Ok… So now for the Episode 6 
we have: “Beware of phishing attacks…“ 
:
This episode is not related on a real customers breach, but to demonstrate a sample attack that you could be receiving (and how to look out for them). Today we’re gonna talk about Phishing.
Phishing
Basically with phishing (read more about it here), scammers are always trying to get your sensitive information through many forms. As we’re talking about SAPUI5, today i’m going to simulate a phishing attack to obtain your FIORI login credentials, so with that the scammers could get sensitive customer information and warm the environment in many ways, as you can imagine.
If we think about the FIORI Launchpad, that is the URL used to enter the FIORI server, we would see URLs like this:
Launchpad URLs
Or based on Netweaver version:
NW Versions
Ok, so now let me play the scammers role… Let’s say that there is a company called My Company (not a real company!), that uses SAP FIORI and i want to steal their credentials to get sensitive data about the business. For that, i’m going to implement a phishing attack… how?
First, by creating a fake FIORI Launchpad (yes, this one is real and used in presentations):
Fake FIORI Launchpad – Kids don’t try this at home…
That captures the credentials inserted and store them on a cloud database (for POC purposes only, as you can image i’m not gonna disclose the full URL). As you can see, the remaining of the URL is the same one as a real NW 7.4: https://<SERVER>/sap/bc/ui5_ui5/ui2/ushell/shells/abap/Fiorilaunchpad.html (did this to look more realistic).
So now let’s say that, for the My Company customer, their actual FIORI Launchpad URL is:
https://mycompany.com.br/sap/bc/ui5_ui5/ui2/ushell/shells/abap/Fiorilaunchpad.html (again, this URL/Company does not exists in real life…).
Ok, so to make the users use my fake launchpad page instead of the actual one, i could send emails like the ones below:
Sample email phishing
Notice that the text of URL is describing the actual FIORI launchpad, but when you click it it’s not the actual URL. How is it possible? By creating hyperlinks, you could create any texts to point to any URL. So when the users click on the email link, it’s going to open my fake page, and not the “mycompany.com.br….” actual one… got it?
Example: Click here: google.com, you will see that the text says google but when you click it, goes to https://www.bing.com.
Now let me play the role of a “innocent user”, that received the email and open the URL to try to login:
Login
Or on my phone:
Mobile Login
The fake page never goes beyond the login screen, but when you select log on, already got what i wanted (your credentials).
Now switching back to the scammers role, went to my API Monitor to see the current list of users/passwords:
Monitoring API (Fake Users and Password) – Got you!
And as simples as that, got the credentials…
*** Again, i played both the scammers and users role, for POC purposes only ***
Ok, so what can be learned from this episode (and in general as well)?
- When you receive suspicious emails, always check the actual email ID (as most scammers send from their gmail accounts, not actual company email IDs).
- Always beware of links on email (as we saw here), social media, messaging apps, etc. And if you “have” to click it, always check that the full URL on your browser is the actual correct one. If you got any questions, contact your IT support to confirm URLs.
- Never provide password or any kind of sensitive data on non official channels, like on a telephone call, email, etc…Banks in general will never call you to ask for you password for example…
- Always beware on where you store you credit cards details, if it’s a trusted e-commerce site/app, etc.
- Always use 2 step verification, when available.
- If you want to see real life scammers in action, please follow this Youtube channel (Jim Browning).
PS: Please check episode 05, if you haven’t already.
Thanks.
#SafeSAPUI5
