Penetration Testing SAP Applications: Your Questions Answered
Sep 2, '20 by Joerg Schneider-Simon
When is the last time you invited a stranger to attack your network and penetrate your SAP applications?
This is not a trick question.
If you care about the security of your SAP applications, you should care about penetration testing. Penetration testing reveals security risks in your networks, machines, software and more.
Here are answers to the top questions that organizations ask about penetration testing SAP applications.
What is penetration testing?
Penetration testing is the practice of checking computer networks, machines and applications for security vulnerabilities. Also called pen testing and ethical hacking, penetration testing employs tactics that are indistinguishable from real-world cyberattacks. The only difference is that pen testing does no harm.
Individuals who conduct penetration testing are commonly called pen testers or white-hat hackers.
Pen testing is usually done manually: individuals or teams try one technique after another (phishing, denial-of-service attacks, drive-by downloads and more) to gain access to networks, often aided by software tools designed to run multiple tests automatically.
The main objective of pen testing is to identify security weaknesses. But it is also used to test other links in the security chain such as:
- security policies
- adherence to compliance requirements
- employee security awareness
- the ability to identify security threats and respond to security incidents
Why is pen testing critical for protecting SAP applications?
Businesses use SAP to manage their most sensitive business processes, from enterprise resource planning to procurement, from engineering to human resources management.
But while SAP helps businesses operate more efficiently through streamlined business processes, its complexity means it presents a significant attack surface for hackers. Plus, traditional security practices don't extend to securing SAP.
As more businesses migrate systems to the cloud (with SAP S/4HANA Cloud or SAP HANA Enterprise Cloud (HEC), for example), they must be aware of current and potential vulnerabilities so they can protect vital business information and system data.
SAP pen testing is one way to discover how well an organization is prepared to withstand attacks on its SAP applications. It simulates the actions attackers perform to gain access to critical SAP data. It also tests the reliability of current security measures.
What are the steps to pen testing SAP applications?
SAP pen testing is time consuming and resource intensive. You need sufficient resources and specific knowledge to conduct successful SAP pen tests.
Here is how to pen test SAP applications:
- Hire an experienced tester
- Identify your most critical SAP vulnerabilities
- Identify entry points
- Attempt to break in
- Document your findings
- Take remedial action
Let’s look at these steps in more detail.
Step 1: Hire an experienced tester
Finding a specialist to do your penetration test is step one. A general penetration tester won’t have the extensive knowledge of SAP systems that you need. You need an SAP specialist who speaks fluent SAP. Reputable companies offering SAP-specific penetration testing services are Layer Seven Security, ERPScan, ERNW, and Onapsis. Also, an increasing number of audit companies offer SAP pen testing as part of their SAP audits, further emphasizing the business risk of an SAP system that is not properly secured against cyberattacks.
SAP specialists know the various environments and vulnerabilities that are unique to SAP applications. They know what security architecture to cover, and they understand what the optimal project scope for your organization is.
Step 2: Identify your most critical SAP vulnerabilities
Next, check your systems against the most common SAP vulnerabilities. These include:
- standard users who are still using default passwords
- missing SAP security patches
- unsecured SAP message servers
- unencrypted SAP communications
- dangerous SAP web applications
- unsecured SAP gateways
- insecure SAP RFC interfaces
- insecure IoT devices
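Three items on this list (unsecured gateways, unencrypted communications, weak password storage) can be checked from configuration alone. The following is an added example, not code from the original post: it audits an SAP instance profile and the gateway's secinfo/reginfo ACL files for the weak settings and flags permit rules that apply to any host. The sample files are constructed, and the recommended values in `BASELINE` are assumed hardening targets, not settings stated on the page.

```python
# Added example, not code from the original post: flag the Step 2 weaknesses
# (unsecured gateway, unencrypted communications, legacy password hashes) in
# an SAP instance profile and its secinfo/reginfo gateway ACL files.
# All sample data is constructed; the baseline values are assumed targets.
PROFILE = """\
gw/acl_mode = 0
snc/enable = 0
login/password_downwards_compatibility = 1
"""
SECINFO = """\
#VERSION=2
P TP=* USER=* USER-HOST=* HOST=*
"""
REGINFO = """\
#VERSION=2
P TP=* HOST=*
"""
# parameter -> (recommended value, finding text)
BASELINE = {
    "gw/acl_mode": ("1", "gateway falls back to a permissive default ACL"),
    "snc/enable": ("1", "SNC disabled: RFC/DIAG traffic is unencrypted"),
    "login/password_downwards_compatibility": ("0", "legacy password hashes kept"),
}

def parse_profile(text):
    """Parse 'key = value' profile lines into a dict, ignoring '#' comments."""
    pairs = (ln.split("#", 1)[0].partition("=") for ln in text.splitlines())
    return {k.strip(): v.strip() for k, sep, v in pairs if sep}

def parse_acl(text):
    """Parse #VERSION=2 secinfo/reginfo rules into (action, {key: value}) tuples."""
    rows = (ln.split() for ln in text.splitlines() if ln.strip() and not ln.lstrip().startswith("#"))
    return [(f[0], dict(x.split("=", 1) for x in f[1:])) for f in rows]

def audit(profile, secinfo, reginfo):
    """Return finding strings for weak settings; an empty list means clean."""
    findings = []
    params = parse_profile(profile)
    for key, (good, why) in BASELINE.items():
        if params.get(key) != good:
            findings.append(f"{key}={params.get(key, '<unset>')}: {why}")
    for action, rule in parse_acl(secinfo):
        # P with HOST=* and USER-HOST=* (missing keys count as *) lets any client start the program.
        if action == "P" and rule.get("HOST", "*") == rule.get("USER-HOST", "*") == "*":
            findings.append(f"secinfo: TP={rule.get('TP', '*')} startable from any host")
    for action, rule in parse_acl(reginfo):
        # P with HOST=* lets any host register an external server program at the gateway.
        if action == "P" and rule.get("HOST", "*") == "*":
            findings.append(f"reginfo: TP={rule.get('TP', '*')} registrable from any host")
    return findings
```

Running `audit(PROFILE, SECINFO, REGINFO)` on the constructed sample returns five findings; a profile and ACL pair restricted to `internal` hosts returns none.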
Step 3: Identify entry points
Once you understand where you are vulnerable, you must identify how hackers are likely to attack your SAP systems. Common attack vectors include:
- SQL injection (attackers interfere with the queries that an SAP application makes to its database)
- Infected email attachments (active content embedded in Microsoft Office files, trojans, viruses, ransomware, keyloggers and other malware)
- Malicious links in emails (which take victims to web pages where they inadvertently download trojans, viruses, ransomware, keyloggers and other malware)
- Pivoting (attackers execute remote function modules on a critical system from lower-tier systems)
- Portal attacks (attackers exploit vulnerabilities in the SAP J2EE User Management Engine to create backdoors)
- OS command injection (attackers execute operating system commands under the privileges of a user and exploit vulnerabilities in the SAP RFC Gateway)
Step 4: Attempt to break in
Manually or using automated tools, try to exploit the vulnerabilities you’ve documented. Try following these steps for each vulnerability you’ve identified:
- Gain access to connected systems via RFC links and other trusted connections.
- Decrypt user passwords and test them on other systems.
- Use your successful techniques to break into connected systems.
- Gain access to business-critical data.
There are many penetration testing tools that can be used for SAP pen testing. Some we recommend are:
- pysap – pysap is an open-source Python library that provides modules for crafting and sending packets using SAP's NI, Diag, Enqueue, Router, MS, SNC, IGS, RFC and HDB protocols.
- Bizploit – Although no longer supported and maintained, Bizploit is still very useful for pen testing SAP systems.
- Metasploit – The world’s most used penetration testing framework also has a few SAP-specific modules as described in this article.
- PowerSAP – PowerSAP is a PowerShell re-implementation of popular and effective attack modules from other publicly available tools, and can only run from Windows PowerShell.
- ERPScan SAP – This is freeware that pen testers can use without needing the commercial ERPScan Security Scanner product.
- hashcat – Now supports SAP's B-, F- and H-type password hashing algorithms for running dictionary and brute-force attacks on SAP password hashes.
- Wireshark plugin – For reverse-engineering, there's a powerful SAP dissector plugin to decode proprietary SAP protocols.
Step 5: Document your findings
Make a comprehensive list of all the vulnerabilities you successfully exploited. List the attack vectors you employed and describe how you exploited each SAP system. Document the business risks you face for each exploited vulnerability.
Step 6: Take remedial action
The final step in effective SAP penetration testing is taking measures to fix the vulnerabilities you find. These steps will include:
- Installing SAP security patches
- Installing anti-virus software designed for SAP applications
- Training staff on how to recognize and avoid phishing attacks
- Making changes to system configurations
- Installing software to protect your SAP systems against content-based attacks (cross-site scripting, SQL injections, directory traversals)
- Revising security policies
Companies around the globe are connecting their SAP systems to the internet to monitor production, manage data, improve processes, collaborate in teams, recruit talent and work with suppliers. But in doing so, these companies are exposing themselves to cybersecurity threats that can take down their entire enterprise.
One way to protect your enterprise from cyberattacks is to do penetration testing on your SAP systems. If you hire an experienced tester, identify your most critical SAP vulnerabilities, identify entry points, test your systems and document your findings, you will be in the best position to remediate your vulnerabilities.