SAP Security for Beginners: How to Safely Upload Files into Your SAP System
Mar 16, '22 by Joerg Schneider-Simon
File uploads are a necessary part of doing business, particularly these days when so many employees are working remotely.
And SAP is no different. SAP applications used to manage suppliers, procurement, recruiting, finances, and dozens of other areas of business require users to upload files like bids, purchase orders, resumes, spreadsheets and more.
But that’s where the problem comes in, because file uploads are a popular threat vector for malicious actors.
Why Hackers Are So Attached to File Attachments
Cyberattacks that use files or user input to deliver their payloads are known as content-based attacks. There are two types of content: structured, and unstructured.
Structured content is anything a user enters into a form, whether it’s a Dynpro form, a WebDynpro, a BSP or a Fiori web-based application. The content is structured because the application understands what each input field is called, and the type of data it contains (the First_Name field, for example, contains the user’s first name). SAP applications extract and process such structured content.
Unstructured content is anything found in files that users upload to an SAP application. SAP applications do not extract this data from the files, and they do not process the content either. They simply treat the files as objects and store them somewhere.
Hackers love file-based attacks because SAP applications are often just the front door to a host of other applications behind them (the enterprise portal or the NetWeaver gateway, for example). Hackers know that a successful attack on an SAP application often gives access to data stored on backend systems (on-premise or further down into a corporate network).
File-based attacks typically take one of five forms.
1. Viruses and malware
When users upload a file that’s infected with a virus or malware, they threaten the receiving end of a business process. When the recipient opens this file or extracts it, they might be hit by the virus or the malware. The malware doesn’t affect the SAP application itself because the application doesn’t process the content.
2. File-type filter evasion
File-type filter evasion attacks target SAP applications by circumventing SAP's native file-type filters. Hackers typically do this simply by changing the file’s extension (the “file type”). They take an executable file (like notepad.exe for example), rename it “notepad.pdf,” and upload the file to an SAP application. SAP recognizes this file as a PDF file, not an .exe file, and next thing you know, you have executable content being uploaded into your SAP applications (and really ruining your day).
3. Active content
Active content is content that’s embedded in files and that triggers an action whenever the file is displayed or used. Macros are one example of active content. Although most users are now aware of the dangers associated with macros, hackers use clever social engineering techniques to entice recipients of the files to click the “Enable Content” button, which activates the macros stored in the document. Then, as seen in recent months, ransomware runs in the background and encrypts the content of the hard disk.
4. Chameleon files
Chameleon files, also called polyglot files, satisfy the identification criteria of two or more file types. Hackers, for example, can combine a GIF image with a Java archive. GIFs are benign. Java archives are not. These “GIFAR files” combine the GIF image and the Java archive in such a way that browsers display the files as images, but when invoked as an applet, or via an OBJECT or EMBED tag, execute the Java classes. Worse yet, the same applies if the file can be invoked on the server.
5. Archive attacks
The fifth and final type of file-based attack is the archive-based attack, for example (but not limited to) one that uses SAP’s proprietary SAR archive format. SAP administrators inherently trust SAP’s proprietary SAPCAR/SAR archive format. But their trust is misplaced because virus scanners cannot see into and analyze the content of those archives, making them a potent threat vector for malware and file-based directory traversal attacks.
SAP Security for Beginners: 9 Steps to Safer File Uploads
Step 1: Use a VSI-compliant virus scanner
Install and run a VSI-compliant virus scanner in your landscape. VSI is SAP’s Virus Scan Interface, used to integrate virus scanning capabilities with SAP applications. For standard file-transfer methods, SAP provides this integration out of the box. SAP S/4HANA, for example, invokes the Virus Scan Interface automatically during multiple stages of processing (upload, download and passage through the Gateway). You customize this interface using SAP’s virus scan profiles.
Step 2: Scan all file uploads
Scan for viruses and malware every time potentially infected data is imported through input channels into the SAP system. These channels include:
- File upload via SAP-GUI
- File upload via Web-enabled applications (Web-Dynpro, BSP, UI5/FIORI)
- Import from non-SAP applications via PI/PO, Web-Services, etc.
- Import/Processing from existing file repositories (DMS, Content Server, or even the file-system)
Step 3: Enable download file scanning if necessary
Some scan profiles take effect at download time. One benefit of scanning at download time is that a file whose virus signature was only published after the upload can still be caught at download time: a compromised file that slipped through at upload is discovered at download. However, download scanning can impact performance. That is because a file is uploaded only once, but it may be downloaded many times (Source: SAP).
Step 4: Use MIME-type checks to ensure SAP file format integrity
SAP’s built-in file-type filtering relies solely on the extension of the filename. But this check is bypassed simply by changing the file extension. Prevent malicious file uploads with a scanner (like our Anti-Virus for SAP Solutions) that uses MIME-type checks to ensure SAP file format integrity.
Step 5: Scan for active content in Microsoft 365 documents
Step 6: Use whitelists for common file types
Limit uploads to only those file types required by individual applications. This automatically blocks file types that you don’t normally use, reducing your risk. If one particular team in your organization needs a specific file type, then create an exception for those team members only.
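The following added example (not code from the article or from any SAP or vendor product) shows the content-based checks that Steps 4 and 6 call for, and how they catch the renamed executable (attack 2), the GIF/ZIP chameleon (attack 4) and an archive with directory-traversal entries (attack 5). It assumes a hypothetical scanner-side hook that receives the filename and raw bytes; the magic-byte table is constructed here, and ZIP stands in for SAP’s SAR format, whose layout the article does not show.

```python
import io
import zipfile

# Constructed magic-byte table for the types the article mentions; ZIP stands in
# for SAP's SAR archive format, whose on-disk layout is not shown on the page.
SIGNATURES = {"exe": [b"MZ"], "pdf": [b"%PDF-"],
              "gif": [b"GIF87a", b"GIF89a"], "zip": [b"PK\x03\x04"]}
ZIP_EOCD = b"PK\x05\x06"  # end-of-central-directory record every ZIP carries

def sniff_type(data):
    """Identify content by its leading bytes, ignoring the filename entirely."""
    for kind, magics in SIGNATURES.items():
        if any(data.startswith(m) for m in magics):
            return kind
    return None

def is_gif_zip_polyglot(data):
    """A GIF that also carries a ZIP central directory is a GIFAR-style chameleon."""
    return sniff_type(data) == "gif" and ZIP_EOCD in data

def unsafe_archive_entries(data):
    """Return member names that are absolute or contain a '..' component."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        names = zf.namelist()
    return [n for n in names
            if n.startswith(("/", "\\")) or ".." in n.replace("\\", "/").split("/")]

def check_upload(filename, data, allowed_exts):
    """Allowlist the extension (Step 6), then verify the bytes match it (Step 4)."""
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    if ext not in allowed_exts:
        return False, f"extension '{ext}' is not on the allowlist"
    actual = sniff_type(data)
    if actual != ext:
        return False, f"declared '{ext}' but content looks like '{actual or 'unknown'}'"
    if is_gif_zip_polyglot(data):
        return False, "GIF/ZIP polyglot (chameleon file)"
    if actual == "zip" and unsafe_archive_entries(data):
        return False, "archive contains path-traversal entries"
    return True, "ok"

def make_zip(entries):
    """Build an in-memory ZIP from {name: bytes}; used only to construct samples."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, content in entries.items():
            zf.writestr(name, content)
    return buf.getvalue()
```

A real deployment would pair this with the VSI scanner from Step 1; the point here is that the verdict comes from the bytes, not from the name the uploader chose.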
Step 7: Quarantine malicious files
Never simply delete malicious files. Quarantine them instead. Your organization must retain forensic evidence and give itself the ability to reconstruct data in the event of a false positive. Just make sure the quarantine is adequately protected with encryption and passwords so that no one can inadvertently access malicious files blocked by the security solution.
Step 8: Focus on recurrent training
The weakest link in your cybersecurity defenses is your people. Hackers know this, and they take advantage of it. They send your employees emails bearing irresistible subject lines. They send your staff email attachments that appear to come from trusted senders (a well-known supplier, for example).
The way to strengthen your human defenses is through ongoing cybersecurity awareness training. Never give up training your staff on how to recognize and avoid phishing attacks.
Step 9: Think beyond the desktop
When your staff think of file uploads, they likely think of uploading a file from their desktop PC or laptop to a corporate SAP application or server. But files reach SAP applications in many ways. Organizations need to consider vectors like email processing in the SAP system, Web-services and integrations with other applications.
Safer File Uploads and a Safer SAP System
Safely uploading files into your SAP systems is two parts technology and one part training.
If you have the right tools in place to scan your SAP systems for viruses and malware, if you deploy software to protect your SAP applications against content-based attacks, and if you keep your cybersecurity training fresh and frequent, you will protect your SAP systems and data from attacks—and the damage they cause.