Application Development Discussions
Is the Goto Statement in Debugging a security risk?

JL23
Active Contributor

Hi,

In debugging ABAP code we have the option to jump to a certain statement via the GOTO STATEMENT from the menu.

Is there any security risk in doing this?

It is now controlled in the 02 Activity of the authorization object, which was formerly only used for changing values with the debugger.

1 ACCEPTED SOLUTION

Former Member

It is often misunderstood as forward and backward navigation instead of stepping in the debugger, and it has always checked actvt 02 - but in earlier releases it was not as obvious to find and did not write a system log message. You can now also right-click the location to GOTO.

But it is just as dangerous, if not more so, than changing a variable in the debugger, and more than just display. The reason is that between the current code line and the code line "jumped to", the code in between is not executed at all...

So you can jump over authority-checks instead of having to change the sy-subrc result. Changes can be made without the calls to change documents and logs being made. All other forms of validations or checks can be jumped over, including statements which were created not to be able to debug them (such as kernel calls); then you don't need to be able to change anything in the debugger if you can steer wide of it.

It is functionally equivalent to being able to create a program and execute it, regardless of your other authorizations, developer key or even if the system is closed for changes.

So... very naughty. Only for developers in development systems and even in emergency situations it should not really be used in production either.

Cheers,

Julius

3 REPLIES


I just want to add that even read only access to debugger can be an issue. It can leak some sensitive information.

Cheers


This is particularly critical when web services follow the urban legend that they should be equipped with authorizations for a technical user of type SERVICE. The GUI can be attached to them in the debugger and display access is enough to set an external breakpoint, switch to the system debugger and single-step the call into the RFC debugger.

You will then battle a bit with commands to open a new session, but you should not give up too easily if the debugging of the service user leg of the call is authorized for the debugger as well.

But the ABAP debugger is truly a wonderful tool for developers in development systems - that is undeniable.

Cheers,

Julius