Skip links


🔥🔥🔥 Join us for our upcoming training session at Black Hat MEA: "Securing SAP Systems: Expert Insights and Penetration Testing Techniques" 🛡️🔍

What is SAP?

SAP is a German company that specializes in creating business applications and stands for Systems, Applications and Products in Data Processing.


SAP Penetration Testing (SAP Pentest) is a type of black-box/white-box/gray-box testing where testers scan SAP systems to uncover system information. They then identify the database type, SAP version, and specific modules to find known vulnerabilities relevant to the target. 

Once vulnerabilities are found, the testers exploit them to gain access and escalate privileges to gain administrative control over the entire SAP system. 

Vulnerabilities in SAP are particularly dangerous as they could be used as a starting point for multi-stage attacks targeting plant devices and manufacturing systems, as it serves as a bridge between ERP, enterprise applications, and business processes.

When it comes to protecting a company's valuable assets, it's important to assess all potential risks. That's why an expert in information security risk assessment takes a deep dive into a target organization's business processes, identifying any mission-critical assets and the potential cyber and business risks associated with them. 

All of this information is then used to help a penetration tester determine the best approach to testing - including the level of complexity, scope, and time required to get the job done right.

When safeguarding a company's assets, it is crucial to conduct a comprehensive evaluation of all possible risks. This is precisely why a specialist in information security risk assessment conducts a thorough analysis of a target organization's business processes, identifying any assets that are of paramount importance and the potential cyber threats and business risks that are associated with them.

The resulting information becomes instrumental in aiding a penetration tester to determine the most optimal approach to testing, which takes into account the level of complexity, scope, and time required to conduct the testing accurately and efficiently.

When it comes to SAP systems, there are different platforms to choose from, including ABAP, Java, HANA, S/4HANA, Business Objects, Business One. However, the main platform that serves as the foundation for both SAP and non-SAP applications is SAP NetWeaver.

Within SAP NetWeaver, the SAP NetWeaver Application Server (AS) plays a crucial role. This server includes both ABAP and Java application servers and uses ABAP and Java as its primary programming languages, respectively.

While SAP systems are generally reliable and secure, it's important to note that vulnerabilities can still arise. For example, the SAP ME components may be susceptible to common vulnerabilities like Parth traversal CVE-2022-39802 which RedRays R&D. has identified It's important to remain vigilant and take necessary precautions to ensure the safety and security of these mission-critical systems.

SAP Penetration Testing Steps

Step 1
Scope Definition and Preparation

During the initial request for SAP Penetration Testing, we engage in the following critical steps:

  1. Scope Discussion: We thoroughly discuss the scope of the penetration test, ensuring we understand your specific needs and objectives.
  2. NDA Signing: To protect your sensitive information, we sign a Non-Disclosure Agreement (NDA) before proceeding further.
  3. Contract Finalization: We prepare and sign the necessary contracts, clearly outlining the agreed-upon scope, timeline, and deliverables.

This preparatory phase ensures that both parties have a clear understanding of the project parameters and legal protections are in place before the technical work begins.

Step 2
Discovery & Reconnaissance

We begin by thoroughly mapping your SAP landscape, uncovering systems, IP addresses, and versions of operating systems, databases, and SAP services. This reconnaissance phase involves gathering crucial information such as:

  • SAP system configurations
  • Available services (ICM, WebDynpro)
  • Profile parameters
  • Logs and trace files
  • Instance properties
  • Clients and connected servers
  • RFC details

This detailed blueprint of your SAP ecosystem forms the foundation for subsequent testing phases.

Step 3
Architectural Evaluation

We review your high-level and low-level architecture design documents, ensuring alignment with SAP and industry best practices. Our analysis focuses on:

  • Data flows within the SAP environment and external interfaces
  • Overall integration of SAP components (core solutions, supporting components, data flows, protocols, ports, IP addresses, network structure, RBAC roles)
  • Disaster recovery implementation (if applicable)

This evaluation identifies potential security weaknesses stemming from architectural design choices.

Step 4
Infrastructure & Configuration Deep Dive

We conduct a thorough assessment of your SAP infrastructure and configuration, including:

  • Network Vulnerability Scanning & Benchmark Testing
  • Vulnerability Assessment & Penetration Testing (VAPT)
  • Hardening Reviews
  • Configuration Reviews
  • Specific Tests & Analysis (e.g., network-based spoofing attacks, SSL spoofing attacks, OS misconfigurations)
  • In-depth analysis of various SAP services for vulnerabilities and misconfigurations
  • Exploiting identified vulnerabilities to assess potential impact on business data
Step 5
Application Security Testing

Our application security testing focuses on uncovering vulnerabilities within your SAP applications:

  • Static Application Security Testing (SAST)
  • API & RFC Security Testing
  • Dynamic Application Security Testing (DAST)
  • Configuration Reviews
  • Vulnerable Software Component Identification

Focus Areas include OWASP Top 10 vulnerabilities, SAP J2EE engine security assessment, HTTP service vulnerability analysis, and exploiting various web application vulnerabilities.

Step 6
Privilege Escalation & Beyond

We attempt to escalate privileges within your SAP environment using various techniques, including:

  • User to DB, OS, and across SAP systems
  • DB to OS, connected DBs, and other SAP systems
  • OS to other OS
  • ABAP Code Security Review
  • Assessment of access and privileged user management
Step 7
Reporting & Remediation

We provide a comprehensive report and collaborate on remediation:

  • Detailed report of all identified vulnerabilities, including risk ratings, descriptions, and remediation recommendations
  • Prioritization of findings based on severity and potential business impact
  • Collaboration with your SAP team to develop and implement remediation plans
  • Recommendations for appropriate security controls and best practices to mitigate identified risks

SAP Penetration Testing Example

In November 2023, we presented a SAP Penetration Testing Example. The demonstration showcased our ability to compromise SAP systems by discovering six zero-day vulnerabilities. We were able to compromise SAP Cloud and SAP On-Premises landscape using Low Privileged User on the network.

Advantages of Conducting SAP Penetration Testing

There are several benefits to having SAP Penetration Testing:
  • Firstly, by conducting SAP Penetration Testing, you can minimize the risks of plant sabotage, equipment damage, production disruption, compliance violations, safety violations, product quality degradation, espionage, sabotage, and fraud. This helps to keep your operations safe and secure.

  • Secondly, SAP Penetration Testing helps to identify vulnerabilities and weaknesses in security controls, allowing you to strengthen them proactively. This helps to enhance your security and prevent potential problems before they occur.

  • Thirdly, SAP Penetration Testing can help you demonstrate compliance with industry regulations and standards. This is important to ensure that your operations are legal and ethical.

  • Fourthly, by demonstrating a proactive approach to security, SAP Penetration Testing can build trust with your customers. This can help to increase their confidence in your business and improve your reputation.

  • Fifthly, SAP Penetration Testing can help you prevent financial losses, legal liabilities, and reputational damage. By identifying potential security risks, you can take steps to mitigate them before they cause harm.

  • Finally, SAP Penetration Testing provides valuable feedback for enhancing security measures and staying ahead of evolving threats. This helps to ensure that your security remains strong and effective over time.

Difference of Penetration testing and Vulnerability Assessment

Penetration testing

  • Determines the scope of an attack
  • Tests sensitive data collection.
  • Gathers targeted information and/or inspect the system.
  • Cleans up the system and gives final report.
  • It is non-intrusive, documentation and environmental review and analysis.
  • It is ideal for physical environments and network architecture.
  • It is meant for critical real-time systems.
  • Makes a directory of assets and resources in a given system.
  • Discovers the potential threats to each resource.
  • Allocates quantifiable value and significance to the available resources.
  • Attempts to mitigate or eliminate the potential vulnerabilities of valuable resources.
  • Comprehensive analysis and through review of the target system and its environment.
  • It is ideal for lab environments.
  • It is meant for non-critical systems.
Service Request Form
Please enable JavaScript in your browser to complete this form.
What services are you looking for?