SAP BTP and Cloud Penetration Testing

What is SAP Cloud Penetration Testing?

SAP Cloud Penetration Testing is a targeted security assessment of an organization’s SAP cloud footprint — S/4HANA (Public / Private Cloud or HANA Enterprise Cloud), SAP Business Technology Platform (BTP), SAP Build Work Zone, SAP Cloud Identity Services (IAS / CIS), and SAP Cloud Connector — designed to identify exploitable vulnerabilities before attackers do.

Unlike on-premise SAP environments, SAP Cloud landscapes mix multiple trust zones: a cloud control plane (BTP), an identity provider (IAS) federated with the corporate IdP, an externally exposed launchpad (Build Work Zone), and a bridge back to on-premise systems (Cloud Connector). A misconfiguration in any of these can give an attacker a path from the public internet straight into the ERP backend.

RedRays’ grey-box methodology covers all four attacker models (external without credentials, external with credentials, internal without credentials, internal with credentials) and all privilege levels (anonymous, standard user, power user, administrator).

Cloud Systems We Test

SAP S/4HANA (Cloud)

ABAP stack, Gateway, Message Server, ICM, Web Dispatcher, HANA 2.0 database security and authorization model — including FFID and debug-access populations.

SAP BTP

Our SAP BTP penetration testing covers the global account, subaccounts, Entitlements, Destinations, Role Collections, XSUAA, trust setup with IAS, and the Cloud Foundry / Kyma / ABAP environments.

SAP Build Work Zone

External Fiori Launchpad: sites, roles, content providers, tile visibility, trust with S/4HANA content provider, custom extensions.

SAP IAS / CIS

Identity Authentication Service: authentication policies, SAML / OIDC trust, shadow users, JIT provisioning, token validation and session lifecycle.

SAP Cloud Connector

OS-layer host pentest, Secure Storage (SSFS), system mappings, resource rules, trust store, Admin UI exposure, LPE and NTLM relay scenarios.

SAP CPI & Integrations

Per-iFlow review, sender / receiver adapters, Security Material, principal propagation, RFC / REST / SOAP / OData interfaces, SAP Router.

Our SAP Penetration Testing Example

In November 2023, we presented an SAP Penetration Testing Example. The demonstration showcased our ability to compromise SAP systems by discovering six zero-day vulnerabilities. We were able to compromise the SAP Cloud and SAP On-Premises landscape using a low-privileged user on the network.

Our SAP Cloud Pentest Methodology

A structured engagement across eleven technical phases, executed by senior SAP security consultants:

1. Discovery & Reconnaissance

Environment mapping across S/4HANA application servers, all BTP subaccounts, BWZ and IAS tenants, and Cloud Connector. Service / version detection, profile parameters, ICM services, destination and entitlement enumeration, client / mandant discovery.

2. SAP S/4HANA Core Services Assessment

Web Dispatcher, Gateway (RFC execution, fake RFC registration, reginfo / version disclosure), Message Server (fake application server registration), and ICM / ICF (brute-forcing public services, SOAPRFC and dangerous service abuse).

3. Supporting Services Assessment

SAP Router (SAP Support connectivity), IGS, SAPHostControl and Enqueue service vulnerabilities and misconfigurations.

4. Application & Integration Testing

API & RFC security on all integration points, DAST across application components, OWASP Top 10 and SAP-specific frameworks, REST / SOAP / OData web service security, EOL / vulnerable component identification.

5. SAP CPI Deep iFlow Review

Tenant-level config audit (roles, Role Collections, IdP trust, API exposure), per-iFlow review (sender / receiver adapters, routing, content modifier, message mapping), Security Material (User Credentials, OAuth2, JKS), Cloud Connector integration and principal propagation correctness.

6. Standard Fiori Authorization Review

Fiori app catalog and group review, tile-level and target-mapping authorization checks, Launchpad role assignments (embedded on S/4HANA + Build Work Zone), OData service exposure (mass assignment, function import abuse, broken object-level authorization, $expand chains).

7. SAP BTP Penetration Testing - Configuration & Lateral Movement

Global account audit (Entitlements, members, security settings), per-subaccount review (roles, Role Collections, Destinations auth methods and ProxyType, space-level privileges), XSUAA scopes and JWT signature validation, IdP trust, subaccount-takeover and BTP-to-on-premise lateral movement scenarios.

8. SAP CIS Penetration Testing (IAS Identity Provider)

Authentication policies and conditional access rules, SAML / OIDC trust with S/4HANA, BTP and BWZ, token validation (signature algorithms, audience binding, replay protection), session and lifecycle review, principal propagation certificate and key handling.

9. SAP Cloud Connector Deep Test (incl. OS-layer)

Local OS / installation hardening, LPE, NTLM relay (Windows), SAP Host Control interaction, Secure Storage (SSFS) configuration and key extraction, system mappings, resource rules (URL / RFC allowlists), trust store / CA validation, Admin UI access control, version-specific known CVEs.

10. SAP Build Work Zone & HANA + OS-layer

BWZ tenant audit (sites, roles, content providers, trust with content provider, external exposure, custom tile / extension security). HANA 2.0 instance security, user and role assignment review, SQL trace / audit logs, OS-layer SAP-specific configuration (file permissions on /usr/sap, sapadm restrictions, transport directory).

11. Privilege Escalation Testing

User → DB (via SAP functions), User → OS (via SAP functions), cross-system escalation via trusted RFC, password / key decryption, DB → OS and trusted-link pivots, and cross-stack escalation (BTP → Cloud Connector → S/4HANA). Particular focus on FFID and debug-access populations.

What You Get

Technical Report

  • Executive summary with key findings
  • Per-system findings (Critical / High / Medium / Low)
  • PoCs and step-by-step exploitation
  • CVSS scoring & business impact
  • Remediation with SAP Notes, T-Codes, profile parameters
  • Cross-system attack path analysis (BTP → CC → S/4HANA)

Business Report

  • Technical findings translated to business risk
  • Espionage, sabotage, and fraud attack scenarios
  • Strategic recommendations

Executive Presentation

  • Board-level PowerPoint deck
  • Security posture overview per system
  • Prioritized action plan
  • Investment justification for remediation

Free Retest

  • Unlimited retest cycles within 6 months
  • All findings re-verified (Fixed / Partial / Not Fixed)
  • Automatic trigger after go-live
  • Retest report addendum included

Difference between Penetration Testing and Vulnerability Assessment

Penetration Testing

  • Determines the scope of an attack
  • Tests sensitive data collection
  • Gathers targeted information and/or inspects the system
  • Cleans up the system and gives a final report
  • It is non-intrusive, documentation and environmental review and analysis
  • It is ideal for physical environments and network architecture
  • It is meant for critical real-time systems

Vulnerability Assessment

  • Makes a directory of assets and resources in a given system
  • Discovers the potential threats to each resource
  • Allocates quantifiable value and significance to the available resources
  • Attempts to mitigate or eliminate the potential vulnerabilities of valuable resources
  • Comprehensive analysis and thorough review of the target system and its environment
  • It is ideal for lab environments
  • It is meant for non-critical systems