Security Note: Session Forwarding by URL
[forwarding] [ip forwarding] [port forwarding] [Riding] [Security] [session] [url forwarding] [vulnerability]
Symptom
A URL, received for example by e-mail, enables a user to connect to the SAP system.
Other terms
Security vulnerability, Session Riding
Reason and Prerequisites
The system is not configured for the HTTP Security Session (see transaction SICF_SESSIONS).
The application that is reached uses stateful HTTP communication, meaning that the session with the backend is kept [...]