SAP PENETRATION TESTING

What is SAP?

SAP is a German company that specializes in creating business applications; the name stands for Systems, Applications and Products in Data Processing.

SAP Penetration Testing (SAP Pentest) is black-box, white-box or gray-box testing in which testers scan SAP systems to uncover system information. They then identify the database type, SAP version and installed modules in order to find known vulnerabilities relevant to the target.

Once vulnerabilities are found, the testers exploit them to gain access and escalate privileges to gain administrative control over the entire SAP system. 

Vulnerabilities in SAP are particularly dangerous because SAP serves as a bridge between ERP, enterprise applications and business processes, so they can be used as the starting point for multi-stage attacks that reach plant devices and manufacturing systems.

When it comes to protecting a company's valuable assets, it's important to assess all potential risks. That's why an expert in information security risk assessment takes a deep dive into a target organization's business processes, identifying any mission-critical assets and the potential cyber and business risks associated with them. 

All of this information is then used to help a penetration tester determine the best approach to testing - including the level of complexity, scope, and time required to get the job done right.

When it comes to SAP systems, there are different platforms to choose from, including ABAP, Java, HANA, S/4HANA, Business Objects and Business One. However, the main platform that serves as the foundation for both SAP and non-SAP applications is SAP NetWeaver.

Within SAP NetWeaver, the SAP NetWeaver Application Server (AS) plays a crucial role. This server includes both ABAP and Java application servers and uses ABAP and Java as its primary programming languages, respectively.

While SAP systems are generally reliable and secure, vulnerabilities can still arise. For example, the SAP ME components were susceptible to a common vulnerability class, path traversal (CVE-2022-39802), which RedRays R&D identified. It is important to remain vigilant and take the necessary precautions to ensure the safety and security of these mission-critical systems.

SAP Penetration Testing Methodology

Executive Summary

This page outlines our proposed methodology for conducting a comprehensive penetration test of your SAP environment. Our approach is designed to identify and assess vulnerabilities within your SAP systems, applications, and infrastructure, providing actionable insights to enhance your overall security posture.

Phase 1: Discovery & Reconnaissance

We begin by thoroughly mapping your SAP landscape, uncovering systems, IP addresses, and versions of operating systems, databases, and SAP services. This reconnaissance phase involves gathering crucial information such as:

  • SAP system configurations
  • Available services (ICM, WebDynpro)
  • Profile parameters
  • Logs and trace files
  • Instance properties
  • Clients and connected servers
  • RFC details

This detailed blueprint of your SAP ecosystem forms the foundation for subsequent testing phases.

Phase 2: Architectural Evaluation

We review your high-level and low-level architecture design documents, ensuring alignment with SAP and industry best practices. Our analysis focuses on:

  • Data flows within the SAP environment and external interfaces
  • Overall integration of SAP components (core solutions, supporting components, data flows, protocols, ports, IP addresses, network structure, RBAC roles)
  • Disaster recovery implementation (if applicable)

This evaluation identifies potential security weaknesses stemming from architectural design choices.

Phase 3: Infrastructure & Configuration Deep Dive

We conduct a thorough assessment of your SAP infrastructure and configuration, including:

  • Network Vulnerability Scanning & Benchmark Testing: Employing tools like Nessus or OpenVAS to identify network vulnerabilities and deviations from security benchmarks.
  • Vulnerability Assessment & Penetration Testing (VAPT): Performing comprehensive testing on all in-scope assets to uncover exploitable vulnerabilities.
  • Hardening Reviews: Evaluating infrastructure and network components against CIS and SAP best practices to ensure a hardened security posture.
  • Configuration Reviews: Scrutinizing network component configurations for adherence to security best practices.

Specific Tests & Analysis:

  • Network-based spoofing attacks (ARP poisoning, DNS spoofing)
  • SSL spoofing attacks
  • Unnecessary services and related vulnerabilities
  • OS misconfigurations related to SAP (e.g., open NFS shares)
  • Database security assessment (default passwords, misconfigurations)
  • SAP ABAP engine security assessment
  • In-depth analysis of various SAP services (Web Dispatcher, Gateway, Message Server, ICM, ITS, Enqueue, SAP Router, IGS, SAPHostControl) for vulnerabilities and misconfigurations.
  • Exploiting identified vulnerabilities to assess potential impact on business data.

Phase 4: Application Security Testing

Our application security testing focuses on uncovering vulnerabilities within your SAP applications:

  • Static Application Security Testing (SAST): Analyzing custom developed code (ABAP, HTML5, JavaScript, CSS etc.) for security flaws.
  • API & RFC Security Testing: Assessing the security of all integration points.
  • Dynamic Application Security Testing (DAST): Identifying vulnerabilities in running applications.
  • Configuration Reviews: Reviewing application configurations for alignment with security best practices.
  • Vulnerable Software Component Identification: Detecting the use of unsupported, expired/EOL, or vulnerable software components.

Focus Areas:

  • OWASP Top 10 vulnerabilities
  • SAP J2EE engine security assessment
  • HTTP service vulnerability analysis
  • Brute-forcing web services, Web Dynpro applications, and web applications
  • Exploiting various web application vulnerabilities (Verb Tampering, information disclosure, Invoker Servlet, XML services, SSRF)
  • Analyzing P4, SDM, SMD, LogViewer, and Telnet services for vulnerabilities and misconfigurations
  • Accessing business data through identified vulnerabilities

Phase 5: Privilege Escalation & Beyond

We attempt to escalate privileges within your SAP environment using various techniques, including:

  • User to DB, OS, and across SAP systems: Exploiting vulnerabilities to gain elevated access.
  • DB to OS, connected DBs, and other SAP systems: Leveraging database vulnerabilities for further privilege escalation.
  • OS to other OS: Analyzing potential pathways for privilege escalation across different operating systems.

ABAP Code Security:

  • Review ABAP code for insecure authorization checks, backdoors, and software vulnerabilities like command injection, buffer overflow, SQL injection, directory traversal, and insecure coding practices.
  • Assess access and privileged user management.
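
The three ABAP findings named above (an insecure or missing authorization check, SQL injection through a dynamic WHERE clause, and directory traversal via a caller-supplied file path) as they typically appear in a code review, each beside its corrected form. This is an added illustration written for this page; it is not RedRays' or SAP's code. The report name Z_REVIEW_DEMO, the selection-screen parameters and the logical file name Z_DEMO_INBOX are assumed for the example; the flight demo table SFLIGHT, the authorization object S_CARRID and the function module FILE_VALIDATE_NAME are standard SAP objects, and the interface of FILE_VALIDATE_NAME is given as the author understands it.

```abap
*&---------------------------------------------------------------------*
*& Added example, not RedRays' or SAP's code. Shows three patterns an
*& ABAP code review flags and the corrected form of each.
*& Assumed names: Z_REVIEW_DEMO, P_CARRID, P_FILE, Z_DEMO_INBOX.
*&---------------------------------------------------------------------*
REPORT z_review_demo.

PARAMETERS: p_carrid TYPE s_carr_id,   " airline carrier, caller-controlled
            p_file   TYPE string.      " file path, caller-controlled

DATA: lt_flights TYPE STANDARD TABLE OF sflight,
      lv_where   TYPE string,
      lv_line    TYPE string,
      lv_path    TYPE string.

*--- Finding 1: missing authorization check ---------------------------
* Reviewers expect an AUTHORITY-CHECK before business data is read and
* expect sy-subrc to be evaluated; a check whose result is ignored is a
* finding in itself. S_CARRID is the authorization object shipped with
* the SAP flight demo model (ACTVT '03' = display).
AUTHORITY-CHECK OBJECT 'S_CARRID'
  ID 'CARRID' FIELD p_carrid
  ID 'ACTVT'  FIELD '03'.
IF sy-subrc <> 0.
  MESSAGE 'No authorization to display this carrier' TYPE 'E'.
ENDIF.

*--- Finding 2: SQL injection through a dynamic WHERE clause ---------
* Flagged pattern (kept as a comment so this report stays safe): the
* clause is concatenated from caller input, so a value such as
*   X' OR '1' = '1
* changes the meaning of the query instead of being treated as data.
*   lv_where = |CARRID = '{ p_carrid }'|.
*   SELECT * FROM sflight INTO TABLE @lt_flights WHERE (lv_where).
*
* Correction: pass the value as a host variable so Open SQL binds it as
* data. Where a dynamic clause is unavoidable, escape the value with
* cl_abap_dyn_prg=>escape_quotes( ) before embedding it.
SELECT * FROM sflight INTO TABLE @lt_flights WHERE carrid = @p_carrid.

*--- Finding 3: directory traversal via OPEN DATASET -----------------
* Flagged pattern: OPEN DATASET p_file ... lets "../" segments in the
* caller-supplied path leave the intended directory.
* Correction: validate the physical path against a logical file name
* (assumed here to be Z_DEMO_INBOX, maintained in transaction FILE) so
* that only files inside the configured directory are accepted.
lv_path = p_file.
CALL FUNCTION 'FILE_VALIDATE_NAME'
  EXPORTING
    logical_filename           = 'Z_DEMO_INBOX'
  CHANGING
    physical_filename          = lv_path
  EXCEPTIONS
    logical_filename_not_found = 1
    validation_failed          = 2
    OTHERS                     = 3.
IF sy-subrc <> 0.
  MESSAGE 'File name rejected by logical file name validation' TYPE 'E'.
ENDIF.

OPEN DATASET lv_path FOR INPUT IN TEXT MODE ENCODING DEFAULT.
IF sy-subrc = 0.
  READ DATASET lv_path INTO lv_line.
  CLOSE DATASET lv_path.
ENDIF.
```

In a review, the value of each correction lies in where it sits: the authorization check must precede the data access and its sy-subrc must be tested, the SELECT must receive input only through host variables (or a properly escaped value in an unavoidable dynamic clause), and the file name must be validated before OPEN DATASET rather than after. Static analysis finds the flagged patterns cheaply; confirming that the corrected pattern is actually reached on every code path is what the manual review adds.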

Phase 6: Reporting & Remediation

We provide a comprehensive report detailing all identified vulnerabilities, including risk ratings, descriptions, and remediation recommendations. Our report prioritizes findings based on severity and potential business impact.

We collaborate with your SAP team to develop and implement remediation plans, recommending appropriate security controls and best practices to mitigate identified risks.

SAP Penetration Testing Example

In November 2023, we presented an SAP Penetration Testing Example. The demonstration showcased our ability to compromise SAP systems by discovering six zero-day vulnerabilities. We were able to compromise an SAP Cloud and SAP On-Premises landscape using a low-privileged user on the network.

Advantages of Conducting SAP Penetration Testing

There are several benefits to having SAP Penetration Testing:
  • Firstly, by conducting SAP Penetration Testing, you can minimize the risks of plant sabotage, equipment damage, production disruption, compliance violations, safety violations, product quality degradation, espionage, sabotage, and fraud. This helps to keep your operations safe and secure.

  • Secondly, SAP Penetration Testing helps to identify vulnerabilities and weaknesses in security controls, allowing you to strengthen them proactively. This helps to enhance your security and prevent potential problems before they occur.

  • Thirdly, SAP Penetration Testing can help you demonstrate compliance with industry regulations and standards. This is important to ensure that your operations are legal and ethical.

  • Fourthly, by demonstrating a proactive approach to security, SAP Penetration Testing can build trust with your customers. This can help to increase their confidence in your business and improve your reputation.

  • Fifthly, SAP Penetration Testing can help you prevent financial losses, legal liabilities, and reputational damage. By identifying potential security risks, you can take steps to mitigate them before they cause harm.

  • Finally, SAP Penetration Testing provides valuable feedback for enhancing security measures and staying ahead of evolving threats. This helps to ensure that your security remains strong and effective over time.

Differences between Penetration Testing and Vulnerability Assessment

Penetration testing

  • Determines the scope of an attack.
  • Tests sensitive data collection.
  • Gathers targeted information and/or inspects the system.
  • Cleans up the system and gives a final report.
  • It is non-intrusive, documentation and environmental review and analysis.
  • It is ideal for physical environments and network architecture.
  • It is meant for critical real-time systems.

Vulnerability assessment

  • Makes a directory of assets and resources in a given system.
  • Discovers the potential threats to each resource.
  • Allocates quantifiable value and significance to the available resources.
  • Attempts to mitigate or eliminate the potential vulnerabilities of valuable resources.
  • Comprehensive analysis and thorough review of the target system and its environment.
  • It is ideal for lab environments.
  • It is meant for non-critical systems.