SAP PENETRATION TESTING

What is SAP?

SAP is a German company that specializes in creating business applications; the name stands for Systems, Applications and Products in Data Processing.

 

SAP Penetration Testing (SAP Pentest) is a type of black-box/white-box/gray-box testing where testers scan SAP systems to uncover system information. They then identify the database type, SAP version, and specific modules to find known vulnerabilities relevant to the target. 

Once vulnerabilities are found, the testers exploit them to gain access and escalate privileges to gain administrative control over the entire SAP system. 

Vulnerabilities in SAP are particularly dangerous because SAP serves as a bridge between ERP, enterprise applications, and business processes, so they could be used as a starting point for multi-stage attacks targeting plant devices and manufacturing systems.

When it comes to protecting a company's valuable assets, it's important to assess all potential risks. That's why an expert in information security risk assessment takes a deep dive into a target organization's business processes, identifying any mission-critical assets and the potential cyber and business risks associated with them. 

All of this information is then used to help a penetration tester determine the best approach to testing - including the level of complexity, scope, and time required to get the job done right.

When safeguarding a company's assets, it is crucial to conduct a comprehensive evaluation of all possible risks. This is precisely why a specialist in information security risk assessment conducts a thorough analysis of a target organization's business processes, identifying any assets that are of paramount importance and the potential cyber threats and business risks that are associated with them.

The resulting information becomes instrumental in aiding a penetration tester to determine the most optimal approach to testing, which takes into account the level of complexity, scope, and time required to conduct the testing accurately and efficiently.

When it comes to SAP systems, there are different platforms to choose from, including ABAP, Java, HANA, S/4HANA, Business Objects, and Business One. However, the main platform that serves as the foundation for both SAP and non-SAP applications is SAP NetWeaver.

Within SAP NetWeaver, the SAP NetWeaver Application Server (AS) plays a crucial role. This server includes both ABAP and Java application servers and uses ABAP and Java as its primary programming languages, respectively.

While SAP systems are generally reliable and secure, vulnerabilities can still arise. For example, the SAP ME components may be susceptible to common vulnerabilities such as the path traversal CVE-2022-39802, which RedRays R&D has identified. It's important to remain vigilant and take necessary precautions to ensure the safety and security of these mission-critical systems.

Our SAP Penetration Testing Methodology

Comprehensive security evaluation of your SAP S/4HANA environment

1. SAP Discovery & Reconnaissance

Complete SAP environment mapping including system identification, service detection (DIAG, RFC, Gateway, Message Server), SAP profile parameters analysis, client enumeration, and RFC external server discovery.

2. SAP Core Services Security

  • Gateway Testing: RFC exploits, fake RFC registration, REGINFO disclosure
  • Message Server: Fake app server registration, remote exploits
  • ICM/ICF Services: SOAPRFC exploitation, ICF service vulnerabilities
  • Web Dispatcher: Default credentials, DIAG protocol exploits

3. ABAP Code Security Assessment

Static analysis of custom ABAP code including authorization checks (missing/insufficient authority checks, cross-client access), backdoors detection (hardcoded credentials, generic function calls), and vulnerability scanning (SQL/OS command injection, directory traversal, buffer overflow).

4. S/4HANA-Specific Testing

SAP HANA database security assessment, Fiori applications and Launchpad testing, integration component evaluation (PO/PI, CPI), Solution Manager connectivity analysis, and third-party application interface security.

5. SAP Privilege Escalation

Testing escalation paths from SAP user to database/OS via SAP functions, RFC trust exploitation, decryption of SAP user passwords and SecStore keys, database to OS escalation, and OS to SAP lateral movement through configuration file analysis.

Our SAP Penetration Testing Example

In November 2023, we presented an SAP Penetration Testing Example. The demonstration showcased our ability to compromise SAP systems by discovering six zero-day vulnerabilities. We were able to compromise the SAP Cloud and SAP On-Premises landscape using a low-privileged user on the network.

Advantages of Conducting SAP Penetration Testing

There are several benefits to having SAP Penetration Testing:
  • Firstly, by conducting SAP Penetration Testing, you can minimize the risks of plant sabotage, equipment damage, production disruption, compliance violations, safety violations, product quality degradation, espionage, sabotage, and fraud. This helps to keep your operations safe and secure.

  • Secondly, SAP Penetration Testing helps to identify vulnerabilities and weaknesses in security controls, allowing you to strengthen them proactively. This helps to enhance your security and prevent potential problems before they occur.

  • Thirdly, SAP Penetration Testing can help you demonstrate compliance with industry regulations and standards. This is important to ensure that your operations are legal and ethical.

  • Fourthly, by demonstrating a proactive approach to security, SAP Penetration Testing can build trust with your customers. This can help to increase their confidence in your business and improve your reputation.

  • Fifthly, SAP Penetration Testing can help you prevent financial losses, legal liabilities, and reputational damage. By identifying potential security risks, you can take steps to mitigate them before they cause harm.

  • Finally, SAP Penetration Testing provides valuable feedback for enhancing security measures and staying ahead of evolving threats. This helps to ensure that your security remains strong and effective over time.

Difference Between Penetration Testing and Vulnerability Assessment

Penetration Testing

  • Determines the scope of an attack.
  • Tests sensitive data collection.
  • Gathers targeted information and/or inspects the system.
  • Cleans up the system and gives a final report.
  • It is non-intrusive, documentation and environmental review and analysis.
  • It is ideal for physical environments and network architecture.
  • It is meant for critical real-time systems.

Vulnerability Assessment

  • Makes a directory of assets and resources in a given system.
  • Discovers the potential threats to each resource.
  • Allocates quantifiable value and significance to the available resources.
  • Attempts to mitigate or eliminate the potential vulnerabilities of valuable resources.
  • Comprehensive analysis and thorough review of the target system and its environment.
  • It is ideal for lab environments.
  • It is meant for non-critical systems.