
Vahagn Vardanian

Co-founder and CTO of RedRays

SECURITY CHALLENGE · MAY 30 – 31, 2026

RedRays ABAP Security Challenge 2026

Write valid ABAP code with a real, exploitable vulnerability that our scanner fails to detect. Prove the exploit on SAP, submit, and win.

$500 prize pool plus merch

How It Works

Get access to a sandboxed SAP system, write your ABAP code, prove the exploit works, submit it for scanner judgement.

1. Register

Sign up with email and nickname. Receive SAP credentials for our sandbox CAL system by email.

2. Write ABAP

Connect to SAP via SAP GUI or ADT. Create Z_YOURNAME_* programs targeting one of the 6 categories.

3. Prove Exploit

Execute the program in SAP. Capture proof (screenshot or short video) showing the exploit works.

4. Submit

Enter the program name on the contest portal. Our backend reads the code and runs the scanner. If the scanner misses the vulnerability, you score points.

The 6 Categories In Scope

Only bypasses against these categories count toward the leaderboard.

SQL Injection

Dynamic WHERE clauses, Native SQL (EXEC SQL), string concatenation into ABAP Open SQL where user input controls the query.

Dynamic Table Access

SELECT, UPDATE, INSERT, DELETE on a table name resolved at runtime from user input. Includes access to sensitive tables (USR02, T000, etc.).

Path Traversal

OPEN DATASET, file operations or path manipulation where user input controls the file path, allowing access outside the intended directory.

Missing Authorization Check

Sensitive operations (CALL TRANSACTION, RFC-enabled FMs, financial table updates) executed without AUTHORITY-CHECK or with weak access control.

Remote Code Execution

CALL 'SYSTEM', SXPG_COMMAND_EXECUTE or similar mechanisms running operating-system commands controlled by attacker input.

ABAP Code Injection

GENERATE SUBROUTINE POOL, INSERT REPORT, dynamic CALL FUNCTION/METHOD/PERFORM/SUBMIT with identifiers from user input that execute attacker code on the application server.

Prizes

Top three contestants by total points get cash. Positions four through ten get RedRays merch.

  • 🥇 1st place: $250, plus merch and credit in the scanner release notes
  • 🥈 2nd place: $150, plus merch and release notes credit
  • 🥉 3rd place: $100, plus merch and release notes credit
  • 🎁 4th to 10th: merch (T-shirts, stickers, swag)

The Rules

Short version. Full terms published on the portal at registration.

You earn points when

  • You target one of the 6 listed categories
  • The exploit's input comes from a real attacker-controlled source (selection screen, RFC, ICF handler, OData, dynpro, etc.)
  • The exploit fires on SAP, proven by screenshot or video
  • Your program name follows the convention Z_YOURNICK_*
  • Our scanner runs successfully and does not flag the targeted category

You are disqualified when

  • The vulnerable line is commented out (* in column 1)
  • Dead code (LEAVE PROGRAM executed before the exploit)
  • Submitting another contestant's program
  • Vulnerability category is outside the 6 listed
  • Attacks against the CAL system, portal, or judging team
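The following Python sketch is an added example, not the contest scanner or any RedRays code. It shows the kind of pattern-level static check a scanner applies to the six categories listed above, and why the rules exclude commented-out lines: an asterisk in column 1 removes the line from what a scanner sees, so a "vulnerability" there produces no finding at all. The sample ABAP report, the regular expressions, the program-name check and all helper names are constructed for this illustration and are assumptions about how such a check could be built.

```python
"""Minimal ABAP pattern scanner for the six contest categories (added example)."""
import re
from dataclasses import dataclass

# Constructed sample report (hypothetical, not from the contest page).
SAMPLE_REPORT = """\
REPORT z_demo_example.
PARAMETERS: p_where TYPE string, p_tab TYPE tabname, p_file TYPE string, p_cmd TYPE string.
* SELECT * FROM usr02 INTO TABLE lt_usr.           " commented out: ignored by the scanner
SELECT * FROM (p_tab) INTO TABLE @DATA(lt_rows).
SELECT * FROM sflight INTO TABLE @DATA(lt_fl) WHERE (p_where).
EXEC SQL.
  DELETE FROM T000 WHERE MANDT = :p_mandt
ENDEXEC.
OPEN DATASET p_file FOR INPUT IN TEXT MODE ENCODING DEFAULT.
CALL 'SYSTEM' ID 'COMMAND' FIELD p_cmd.
CALL TRANSACTION 'SU01'.
GENERATE SUBROUTINE POOL lt_code NAME DATA(lv_prog).
"""

# One rule set per category; patterns run against upper-cased, comment-stripped code.
CATEGORIES = {
    "SQL Injection": [
        r"\bEXEC\s+SQL\b",                                   # native SQL block
        r"\bWHERE\s+\(\s*\w+\s*\)",                          # WHERE clause taken from a variable
    ],
    "Dynamic Table Access": [
        r"\b(FROM|INTO|UPDATE|INSERT|MODIFY|DELETE)\s+\(\s*\w+\s*\)",   # table name from a variable
        r"\b(SELECT|UPDATE|INSERT|DELETE|MODIFY)\b.*\b(USR02|T000)\b",  # sensitive tables named on the page
    ],
    "Path Traversal": [
        r"\bOPEN\s+DATASET\s+(?!')\w+",                      # file name is a variable, not a literal
    ],
    "Remote Code Execution": [
        r"\bCALL\s+'SYSTEM'",
        r"\bSXPG_COMMAND_EXECUTE\b",
    ],
    "ABAP Code Injection": [
        r"\bGENERATE\s+SUBROUTINE\s+POOL\b",
        r"\bINSERT\s+REPORT\b",
        r"\b(CALL\s+FUNCTION|PERFORM|SUBMIT)\s+\(\s*\w+\s*\)",  # routine/report name from a variable
        r"\bCALL\s+FUNCTION\s+(?!')\w+",                     # function module name not a literal
    ],
}

# Operations that need an AUTHORITY-CHECK somewhere in the unit (program-level rule).
SENSITIVE_OPS = [r"\bCALL\s+TRANSACTION\b", r"^\s*(UPDATE|DELETE\s+FROM|MODIFY)\s+\w+"]


@dataclass
class Finding:
    line: int
    category: str
    code: str


def strip_comment(line: str) -> str:
    """Return the code part of one ABAP line, or '' for a full-line comment.
    '*' in column 1 comments out the whole line; '"' starts an inline comment
    unless it sits inside a single-quoted literal."""
    if line.startswith("*"):
        return ""
    in_literal = False
    for i, ch in enumerate(line):
        if ch == "'":
            in_literal = not in_literal
        elif ch == '"' and not in_literal:
            return line[:i]
    return line


def scan(source: str) -> list:
    """Run every category rule over each code line and return the findings in order."""
    code_lines = [(n, strip_comment(raw).upper()) for n, raw in enumerate(source.splitlines(), 1)]
    has_auth_check = any("AUTHORITY-CHECK" in code for _, code in code_lines)
    findings = []
    for n, code in code_lines:
        if not code.strip():
            continue
        for category, patterns in CATEGORIES.items():
            if any(re.search(p, code) for p in patterns):
                findings.append(Finding(n, category, code.strip()))
        if not has_auth_check and any(re.search(p, code) for p in SENSITIVE_OPS):
            findings.append(Finding(n, "Missing Authorization Check", code.strip()))
    return findings


def categories_hit(source: str) -> set:
    """Set of category names the scanner flags for this source."""
    return {f.category for f in scan(source)}


def program_name_ok(program: str, nick: str) -> bool:
    """Contest naming convention Z_YOURNICK_* (hypothetical check, case-insensitive)."""
    return re.fullmatch(rf"Z_{re.escape(nick.upper())}_\w+", program.upper()) is not None


if __name__ == "__main__":
    for f in scan(SAMPLE_REPORT):
        print(f"line {f.line:2}: {f.category:27} {f.code}")
    # Adding an authorization check before the sensitive call clears that category.
    hardened = SAMPLE_REPORT.replace(
        "CALL TRANSACTION", "AUTHORITY-CHECK OBJECT 'S_TCODE' ID 'TCD' FIELD 'SU01'.\nCALL TRANSACTION")
    print("after hardening:", sorted(categories_hit(hardened)))
```

Note how line 3 of the sample, the commented-out SELECT on USR02, produces nothing: that is exactly why the rules disqualify a vulnerable line with an asterisk in column 1. The authorization rule is deliberately program-level (any AUTHORITY-CHECK in the unit silences it), which is the kind of coarse heuristic a real scanner would refine with data-flow analysis.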

Join the Competition

Contest runs May 30 – 31, 2026. Registration closes May 28, 23:59 UTC. Slots on the CAL sandbox are limited.
