Penetration Testing mailing list archives

SAP Pen-testing - complexity - first ideas
From: Petr.Kazil () eap nl
Date: Tue, 13 Mar 2007 16:52:40 +0100

Since my previous SAP post I've read a bit more and talked with colleagues 
and played with some SAP transactions.
I will write a more structured post in the coming days, but here is some 
nice info:

A very good article on SAP password attacks:
http://www.openwall.com/lists/john-users/2005/12/13/1

A concise introduction to SAP Security, in German, but there may be an 
English version too on the same site:
http://www.bsi.bund.de/gshb/deutsch/baust/b05013.htm

Two alerts that sound ominous, but I've not found more details yet:
http://skiifwrald.com/pipermail/alertmailinglist_skiifwrald.com/2006-February/000119.html
http://skiifwrald.com/pipermail/alertmailinglist_skiifwrald.com/2005-November/000081.html

A list of potential Web insecurities in SAP, just all the common web 
risks:
http://searchsap.techtarget.com/originalContent/0,289142,sid21_gci1215841,00.html

Attempt to reverse engineer SAP protocol:
www.ccc.de/congress/2004/fahrplan/files/157-sap-slides.pdf

My feeling at the moment (but that may change):

- risks in underlying operating system (Unix/Windows) and database system 
(Oracle/SQLServer) are relatively easy to handle if you don't misconfigure 
anything, there are just a handful of tricky accounts and these need to be 
secured well

- as long as SAP is on an internal network without web-portal 
functionality risks seem to be acceptable, encryption of network data can 
be strengthened, but most organizations simply don't bother

- biggest risks in SAP web presence might be detectable by running a good 
web scanner like Appscan / Webinspect

- the biggest security risk comes from SAP itself, where there exist 
transactions to manipulate the database itself and the underlying 
operating system, and there are so many transactions and so complex access 
rights to transactions, that a SAP-admin or often even a SAP-user (I'm 
told) can run dangerous code

So to make progress with SAP pentest you need to play around with SAP 
itself and not with the underlying network-, database- and OS- building 
blocks. (but this idea may change still)

I'm very curious about your opinions and any more interesting links. After 
all I'm still a SAP beginner ...

Sincerely yours, Petr Kazil
