
Initiating SAP Penetration Testing

►   Pentest, short for penetration testing, refers to a set of processes that simulate an attacker’s actions to identify security vulnerabilities. Companies usually hire third-party security experts to conduct penetration testing and provide them with the address(es) of the server(s) they should examine. There are two types of pentests – white-box pentest and black-box pentest.

White-box pentests are conducted when experts are given background information about the system. On the other hand, black-box pentests are executed when experts do not have access to the background system information.

The black-box pentesting process, in which pentesters start outside the internal network with no privileges, includes the following steps:

  • Acquiring information about the company, its systems, and users.
  • Exploiting vulnerabilities to access the system with minimal user privileges.
  • Exploiting vulnerabilities and escalating privileges to access the database and critical business information.
  • Acquiring administrative access to the operating system.

During a white-box pentest, the client company provides the pentester with infrastructure information and a network diagram, explains the specifics of the protection mechanisms in place, and sometimes grants access to the source code.

Both types of pentests combine manual and automated work. For example, examining source code for vulnerabilities is simplified by using ready-made pentesting tools available on the Internet or custom tools the testers write themselves. Numerous tools can come in handy during pentesting, such as those that automate system analysis and the exploitation of SQL injection, XSS, or RCE vulnerabilities.

However, a successful penetration test cannot be conducted with automated tools alone, because every company has its own specifics, and pentesters have to adapt their tools to each individual client.

►   SAP Penetration Testing is a process that aims to identify vulnerabilities in an SAP system in order to protect it from potential attacks. An SAP system contains critical information and business processes, making it an attractive target for hackers. Additionally, if a particular SAP module controls industrial technologies, such as oil exploitation or transportation, it is crucial to ensure that the system is secure and not vulnerable to interference.

A typical black-box SAP penetration test starts with scanning the SAP system to obtain as much information as possible. From this information, the testers identify the database, the SAP version, and the specific SAP modules in use, and search for vulnerabilities that this version is susceptible to. By exploiting these vulnerabilities, the testers gain minimal access rights to the system, such as a guest user. They then escalate their privileges and gain administrative access to the system.

It is important to note that SAP software has unique features, and these must be taken into account during SAP penetration testing. For example, the administrator, database, and connection-schema passwords are stored encrypted in the SecStore.properties file, while the decryption key is stored in the SecStore.key file. If a system is configured poorly, it is possible to read these files from the server by exploiting a vulnerability such as directory traversal or XXE.
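A defender's counterpart to the point above is to verify that the secure store files are not readable by anyone other than the SAP administrator account, since a file-read primitive such as directory traversal only yields the secrets if the OS-level permissions allow the server process to read them. The following audit script is an added example written for this article, not code from the original page or from SAP. It assumes the usual AS Java layout (/usr/sap/<SID>/SYS/global/security/data/ is the conventional location, but any root directory can be passed) and builds a constructed throwaway directory tree so it runs offline.

```python
"""Audit the permissions of SAP NetWeaver AS Java secure store files.

Added example for this article, not from SAP. The AS Java path below is an
assumption about the default layout; the audit accepts any root directory.
"""
import os
import stat
import tempfile
from dataclasses import dataclass
from typing import List, Optional

# File names the article names; the walk matches on exact basename.
SECSTORE_FILES = ("SecStore.properties", "SecStore.key")


@dataclass
class Finding:
    path: str
    mode: str      # octal permission bits, e.g. "0o644"
    problem: str


def audit_secstore(root: str, allowed_owner_uid: Optional[int] = None) -> List[Finding]:
    """Walk `root`, locate secure store files and flag permissive settings.

    A file is flagged when any group/other bit is set (anything looser than
    0600 lets other OS users, including a compromised web process running as
    a different account, read the encrypted store or its key), and, if
    `allowed_owner_uid` is given, when the owner is a different uid.
    """
    findings: List[Finding] = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name not in SECSTORE_FILES:
                continue
            path = os.path.join(dirpath, name)
            st = os.stat(path)
            mode = stat.S_IMODE(st.st_mode)
            mode_str = oct(mode)
            if mode & (stat.S_IRWXG | stat.S_IRWXO):
                findings.append(Finding(path, mode_str,
                                        "readable or writable by group/other; expected 0600"))
            if allowed_owner_uid is not None and st.st_uid != allowed_owner_uid:
                findings.append(Finding(path, mode_str,
                                        f"owned by uid {st.st_uid}, expected {allowed_owner_uid}"))
    return findings


def current_uid() -> int:
    """Uid of the account running the audit (used as the expected owner in the demo)."""
    return os.getuid()


def build_demo_tree() -> str:
    """Construct a throwaway tree mimicking the AS Java layout (constructed sample data).

    SecStore.properties is set to 0600 (correct); SecStore.key is deliberately
    left world-readable (0644) so the audit has something to flag.
    """
    root = tempfile.mkdtemp(prefix="secstore-audit-")
    data_dir = os.path.join(root, "usr", "sap", "XXX", "SYS", "global", "security", "data")
    os.makedirs(data_dir)
    props = os.path.join(data_dir, "SecStore.properties")
    key = os.path.join(data_dir, "SecStore.key")
    with open(props, "w") as fh:
        fh.write("# constructed sample, contains no real secrets\n")
    with open(key, "w") as fh:
        fh.write("constructed-sample-key-material\n")
    os.chmod(props, 0o600)   # correctly restricted
    os.chmod(key, 0o644)     # misconfigured: anyone on the host can read the key
    return root


if __name__ == "__main__":
    demo_root = build_demo_tree()
    for f in audit_secstore(demo_root, allowed_owner_uid=current_uid()):
        print(f"{f.path}: mode {f.mode}: {f.problem}")
```

Run against a real host as the SAP administrator account with the system's actual global directory as `root`; a clean result means the store and key are only readable by their owner, which is the precondition for the file-read scenario in the article to fail even when a traversal bug is present.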

Today, SAP security is a focus for many organizations’ security teams, and the vendor has implemented new protective mechanisms in its products. As a result, compromising an entire SAP system by exploiting a single vulnerability is unlikely. A pentester must exploit a chain of security issues to achieve the desired results. 

SAP Pentest vs. SAP Security Audit:

When it comes to assessing the security of an SAP system, there are two main options: SAP Pentest and SAP Security Audit.

During a Pentest, a security expert tries to hack into the system within a specific period of time. If the expert fails to do so, it doesn’t guarantee that the system is secure. This is because if hackers have more time, they may succeed in breaking into the system.

On the other hand, a Security Audit involves a group of experts who are given full access to the system, source code, and internal network. They analyze the system’s security thoroughly and discover vulnerabilities that may not be detected during a Pentest.

Threat Modelling:

Threat Modelling is a crucial step in conducting a successful penetration test. During this stage, a cybersecurity expert gets an overview of the business processes of a typical company and identifies the most critical assets and associated risks.

Manufacturing companies are attractive targets for cybercriminals due to their significant contribution to a country’s economy. Any interference in their work can lead to revenue loss.

►   To identify the most important risks for the manufacturing industry, a cybersecurity expert must analyze the potential consequences of a cyberattack such as plant sabotage/shutdown, equipment damage, production disruption, quality degradation, compliance violation, and safety violation.

SAP systems are widely used in the manufacturing industry, and cyberattacks on these systems can lead to espionage, sabotage, or fraud. Because of the trust connections between the SAP systems responsible for asset management and the technology networks, cyberattacks can be more lethal for the manufacturing industry than for other industries.

Manufacturing companies typically use various business applications and industry-specific modules. Some of the most common applications used by the majority of manufacturing enterprises include Enterprise Resource Planning (ERP), Manufacturing Execution System (MES), Asset Lifecycle Management (ALM), Manufacturing Integration (xMII), and other standard systems such as HR, CRM, PLM, SRM, BI/BW, SCM.

Some of these systems, such as xMII or ALM, can be connected with Industrial Control Systems or plant floors. A single vulnerability in these systems may pose a risk for the entire company.

SAP systems can be based on different platforms, such as ABAP, Java, S/4HANA or cloud solutions. The main SAP platform is SAP NetWeaver, which is the foundation for SAP and non-SAP applications.

SAP NetWeaver Application Server (AS) comes in two variants, AS ABAP and AS Java. The main programming language is ABAP for SAP NetWeaver AS ABAP and, correspondingly, Java for SAP NetWeaver AS Java.

SAP xMII is a critical application linked to the production network, based on the Java platform. It is often used in industrial enterprises to manage and automate their processes. This module extends the functionality of SAP NetWeaver AS Java to use it in production. SAP xMII provides a direct connection between shop-floor systems and business operations, ensuring that all data related to manufacturing is visible in real-time. SAP customers can also link their enterprise processes and master data to manufacturing processes to run their business based on a single version.

Vulnerabilities in SAP xMII are particularly hazardous because this solution is a bridge between ERP, other enterprise applications, plant floor, and OT devices. Any vulnerability affecting SAP xMII can be used as a starting point of a multi-stage attack aiming to gain control over plant devices and manufacturing systems.

A brief look at public sources shows a number of notable vulnerability classes reported for the SAP xMII component, such as reflected XSS, directory traversal and RCE.

Now that we know what the risks are and which systems are the most important, we need to analyze the platform itself in terms of security. The final preparation step is to find out the most important vulnerabilities in this platform, how common they are, and which versions are the most widespread. These factors influence the chances of successfully performing a penetration test. Such an analysis shows whether we need to add resources to the team, such as researchers who will look for 0-day vulnerabilities in the platform in case no vulnerability information is available for those SAP systems.
