Five things about SAP hybris you probably didn’t know

Invisible Number Sign

If you type a hash sign (#) into any input field while the XSS filter is enabled, the server receives a truncated value: the hash sign is silently removed before the request reaches the controller.


The cause is the default XSS filter rule set in project.properties:

yacceleratorstorefront.xss.filter.rule.javascript2=(?i)\\u0023
yacceleratorstorefront.xss.filter.rule.braces=(?i)<(.*?)>

The second rule strips the shortest span between a “<” and a “>”, so “please ensure that it is <2 and >3” becomes “please ensure that it is 3” once it is applied. That rule is also on by default.

This filtering applies to all kinds of fields, password fields included. So if your password is “abc_123”, the following strings are also accepted at login: “ab#c_123”, “abc_####123”, “abc#####_123” and so on. It also means a hash sign can never really be part of a password: whatever is typed at registration reaches the server with every “#” already gone.
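To see the two rules at work, here is an added example (my own code, not the hybris XSS filter): the patterns are copied verbatim from the properties above and applied with Python's re, which reads both patterns the same way Java does. The function names and the sample passwords are my own.

```python
import re

# Default storefront XSS filter rules from project.properties (quoted above).
# Both are plain Java regexes that Python's re accepts unchanged:
# \u0023 is the hash sign, (?i) is the case-insensitive flag.
XSS_FILTER_RULES = {
    "javascript2": r"(?i)\u0023",
    "braces": r"(?i)<(.*?)>",
}


def apply_xss_filter(value, rules=XSS_FILTER_RULES):
    """Delete every match of every rule from a request parameter value.

    For these two rules the order does not matter: removing '#' never creates
    or destroys a '<' or '>', so the result is the same either way.
    """
    for pattern in rules.values():
        value = re.sub(pattern, "", value)
    return value


def colliding_passwords(real_password, candidates, rules=XSS_FILTER_RULES):
    """Return the candidates the filter reduces to the same string as the real
    password. Each of them is accepted at login, because the comparison on the
    server only ever sees the filtered value."""
    target = apply_xss_filter(real_password, rules)
    return [c for c in candidates if apply_xss_filter(c, rules) == target]


if __name__ == "__main__":
    # Constructed inputs, reproducing the two cases described in the text.
    print(apply_xss_filter("please ensure that it is <2 and >3"))
    print(colliding_passwords("abc_123", ["ab#c_123", "abc_####123", "abc####123", "xyz"]))
```

The second call shows the other side of the coin: a candidate such as “abc####123” is not accepted for the password “abc_123”, because the underscore survives the filter while the hash signs do not.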

To put a literal hash sign into a configuration file, escape it with backslashes:

property.value=hybris\\#value

Salt with pepper

Hybris uses the string “hybris blue pepper can be used to prepare delicious noodle meals” as the default salt for MD5 password hashing. Because that salt is fixed and public, every installation that keeps the default hashes identical passwords to identical values, so it offers no protection against tables precomputed for that one salt.


How Ronald Reagan becomes the President of Russia in Hybris tests

In de.hybris.platform.directpersistence.audit.impl.SaveAuditRecordsTest, a user named Ronald Reagan, described as the President of the United States, becomes the President of Russia, and is removed after the transaction has been committed three times, which is what makes the test pass. In the same class, a user named Margaret Thatcher comes into play as well.


HAC Easter Egg

I waited months for this year’s Easter to write about this. If you use HAC intensively you are probably aware of it, but you likely don’t know how to turn it off once it has been triggered.

If you press “J” and “ESC” in any order, your HAC will go crazy:

If you haven’t saved the script in the form and want to keep the data, reloading the page is not an option. There is a way to fix it without reloading: open the browser’s web console and run the following, which deletes the transform rules from the page’s first stylesheet:

var sheet = document.styleSheets[0]; // walk backwards: deleteRule() shifts later indices, so a forward loop would skip the rule after each deletion
for (var i = sheet.cssRules.length - 1; i >= 0; i--) { if (sheet.cssRules[i].cssText.indexOf("transform") >= 0) { sheet.deleteRule(i); } }

That should restore the page. In the latest version this easter egg has been removed.

Is the website built with Hybris?

To find out whether a website is built with SAP hybris, open http://DOMAIN/CONTEXT/view/NavigationBarComponentController. The context is usually empty (as it is for the majority of hybris websites). For example,

https://www.hybris.com/en/view/NavigationBarComponentController

[Screenshot: the response returned for the URL above]

Actually, any existing controller name will do, but this one is out of the box and should be present in every hybris project.

If that URL returns a response that differs from the site’s normal 404 page, the storefront is built on SAP hybris. The converse does not hold: a hybris installation can be hidden deep enough behind customization that this check reveals nothing. It does work for the majority of sites, though.
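The check above, scripted, as an added example that is not part of the original post: it requests the out-of-the-box controller path and, for comparison, a random path that cannot exist, then reports whether the two responses differ. The controller path is the one from the page; the function names, the baseline-path trick and the comparison heuristic are my own, and the live check needs network access.

```python
import random
import string
import urllib.error
import urllib.request

# Out-of-the-box storefront controller path from the page.
OOTB_CONTROLLER_PATH = "view/NavigationBarComponentController"


def build_probe_urls(domain, context="", scheme="https", rng=random):
    """Return (probe_url, baseline_url, junk_token).

    probe_url hits the OOTB controller; baseline_url hits a random path that
    cannot exist, so its response shows what the site's ordinary 404 looks like.
    """
    base = "%s://%s/" % (scheme, domain)
    if context:
        base += context.strip("/") + "/"
    junk = "".join(rng.choice(string.ascii_lowercase) for _ in range(16))
    return base + OOTB_CONTROLLER_PATH, base + junk, junk


def fetch(url, timeout=10):
    """Return (status, body) for url; HTTP error responses are returned, not raised."""
    req = urllib.request.Request(url, headers={"User-Agent": "Mozilla/5.0"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status, resp.read()
    except urllib.error.HTTPError as err:
        return err.code, err.read()


def _normalize(body, path):
    """Drop whitespace and any echo of the requested path, so a 404 page that
    prints the URL it could not find does not look 'different' for every URL."""
    for token in (path, path.rsplit("/", 1)[-1]):
        if token:
            body = body.replace(token.encode(), b"")
    return b"".join(body.split())


def looks_like_hybris(probe, baseline, probe_path=OOTB_CONTROLLER_PATH, baseline_path=""):
    """The page's heuristic: the controller path answers differently from the
    normal 404. probe and baseline are (status, body) tuples. A different status
    code counts as a hit; with equal statuses the normalized bodies must differ."""
    probe_status, probe_body = probe
    base_status, base_body = baseline
    if probe_status != base_status:
        return True
    return _normalize(probe_body, probe_path) != _normalize(base_body, baseline_path)


def check_site(domain, context=""):
    """Live check (needs network). True when the site looks like hybris."""
    probe_url, baseline_url, junk = build_probe_urls(domain, context)
    return looks_like_hybris(fetch(probe_url), fetch(baseline_url), OOTB_CONTROLLER_PATH, junk)


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else "www.hybris.com"
    print(target, "looks like hybris:", check_site(target))
```

The body comparison is deliberately coarse. A WAF or CDN that serves one generic error page for everything produces a false negative, and a 404 page with per-request content beyond the echoed path (a timestamp, a request id) produces a false positive, so look at the two responses yourself before drawing a conclusion.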
