SAP NetWeaver AS ABAP Release 740, ©Copyright 2014 SAP AG. All rights reserved.
Obscuring ABAP Source Code
ABAP source code is obscured if tasks that could be performed directly are instead performed by way of detours that disguise their real purpose. One common form of obscured code arises when information that could be specified statically is specified using dynamic programming techniques instead. Code can be obscured for one of the following reasons:
In general, any type of obscured code presents a security risk. Instead of using obscured code to bypass static checks, false positives should be handled by other means, such as exemptions. Obscured code can often only be detected using a two-man rule (code inspections).
Example
Maliciously obscured code in a user-dependent program flow, which in general can only be detected using code inspections.
Example
Code obscured without malicious intent. In an HTTP request handler, an HTML file is created by calling a method in which potential cross-site scripting (XSS) has already been prevented. A static security check that does not inspect the called method can nevertheless classify this as a security risk and demand that the HTML is masked (escaped) again. The dynamic assignment of the HTML to a field symbol is used to bypass the false positive raised by the security check.
The correct form of the HTTP request handler would be:
If the security check raises a false positive, either an exemption or an improvement to the check should be requested.
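The following is an added illustration of the second example above, not the documentation's own code: one handler class contains both the obscured form (HTML routed through a dynamically assigned field symbol) and the direct form. The class name, the helper method CREATE_SAFE_HTML and the form field name are assumptions; IF_HTTP_EXTENSION, IF_HTTP_SERVER and the built-in escape function are standard.

```abap
" Added example, not from the SAP documentation. LCL_HANDLER, CREATE_SAFE_HTML
" and the form field 'name' are assumed names.
CLASS lcl_handler DEFINITION.
  PUBLIC SECTION.
    INTERFACES if_http_extension.
    " Same signature as HANDLE_REQUEST; exists only to show the obscured form.
    METHODS handle_request_obscured
      IMPORTING server TYPE REF TO if_http_server.
  PRIVATE SECTION.
    METHODS create_safe_html
      IMPORTING iv_name        TYPE string
      RETURNING VALUE(rv_html) TYPE string.
ENDCLASS.

CLASS lcl_handler IMPLEMENTATION.
  METHOD create_safe_html.
    " Output encoding happens here, so the returned HTML is safe to send.
    DATA(lv_safe) = escape( val = iv_name format = cl_abap_format=>e_html_text ).
    rv_html = |<html><body>Hello { lv_safe }</body></html>|.
  ENDMETHOD.

  METHOD handle_request_obscured.
    " Obscured form: the already-encoded HTML is routed through a dynamically
    " assigned field symbol. A static check that does not look into
    " CREATE_SAFE_HTML loses the data flow and stops reporting; the
    " indirection itself is what a code inspection should flag.
    DATA lv_html TYPE string.
    FIELD-SYMBOLS <fs_html> TYPE string.
    lv_html = create_safe_html( server->request->get_form_field( 'name' ) ).
    ASSIGN ('LV_HTML') TO <fs_html>.
    server->response->set_cdata( <fs_html> ).
  ENDMETHOD.

  METHOD if_http_extension~handle_request.
    " Direct form: pass the already-encoded HTML straight to the response.
    " If the static check still reports XSS here, request an exemption or an
    " improvement of the check instead of hiding the data flow.
    server->response->set_cdata(
      create_safe_html( server->request->get_form_field( 'name' ) ) ).
  ENDMETHOD.
ENDCLASS.
```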