SAP Pentest
Protect Your Systems & Applications
What are entry points for attackers?
A company's own SAP systems are often among the most critical areas for its IT security organization, since sensitive and highly critical business processes are frequently consolidated there. Exploiting a vulnerability in such an environment can therefore have serious and sometimes far-reaching consequences. Particularly critical, SAP-specific vulnerabilities often go undetected because pentesting an SAP infrastructure differs significantly in its test procedure from pentesting a generic system or application.
During our SAP pentest, our consultants comprehensively examine your SAP systems and FIORI web applications to identify potential entry points for attackers.
Common vulnerabilities include:
- Lack of patches for published vulnerabilities in SAP software
- Misconfiguration of user permissions, RFC connections, system parameters, and encryption settings
- Use of outdated third-party software (e.g. for monitoring) with known vulnerabilities
- Security vulnerabilities in self-developed ABAP reports that allow privilege escalation or compromise of the system
- Insufficient separation between development, test and production systems
Our approach to SAP Pentests:
Our pentests follow a standardized approach, supplemented by SAP-specific aspects:
Pentesting SAP infrastructures requires in-depth expertise and fundamental understanding of SAP products. When analyzing SAP products, we distinguish between the examination of web-based SAP systems and the testing of SAP products at the system level.
What checks are included in SAP Pentests?
These checks are included in pentests of SAP systems:
- Verification of standard services (SSH, SMB, NFS, management and monitoring software, etc.) as well as verification of SAP-specific services (such as Content Server, Message Server, Management Console, ICM, IGS, WebDispatcher, among others)
- Exemplary authorization check of a department user for unauthorized access to administrative transactions
- Verification of configured system parameters (including, among others, compliance with standard SAP hardening recommendations, the configuration of ACLs, the disclosure of information via ICF web services, and encryption for specific SAP protocols such as DIAG)
- Adaptation of publicly available exploits (for example from Security Focus, Metasploit, PySAP or Core Impact) to demonstrate identified SAP-specific vulnerabilities
- Input validation and processing verification
- Automated scanning of the web application using a state-of-the-art vulnerability scanner
- Attack scenarios based on the combination of several identified vulnerabilities
- Review of the authorization concept of the FIORI application, both in the web application directly and in the OData data model
- Automated and manual analysis of the OData data model
An increasing number of attacks on SAP systems can be traced back to security vulnerabilities in custom-developed ABAP code. The patterns used in "classic" code analysis, e.g. for buffer overflow or code injection vulnerabilities, are not directly applicable to an ABAP-based program. With our ABAP Quick Check, we therefore offer you an optional check of up to 100,000 ABAP reports for conspicuous or dangerous patterns.
Are your systems protected against attackers?
We would be happy to advise you on your options for having your SAP infrastructure checked by our security analysts. Just get in touch with us.