{"id":32008,"date":"2022-11-24T09:45:51","date_gmt":"2022-11-24T08:45:51","guid":{"rendered":"https:\/\/www.usd.de\/?page_id=32008"},"modified":"2025-04-01T17:44:32","modified_gmt":"2025-04-01T15:44:32","slug":"sap-pentest","status":"publish","type":"page","link":"https:\/\/www.usd.de\/en\/pentest\/sap-pentest\/","title":{"rendered":"SAP Pentest"},
"content":{"rendered":"<h1 class=\"x-text-content-text-primary\" style=\"text-align: center\">SAP Pentest<\/h1>\n<p style=\"text-align: center\">Protect Your Systems &amp; Applications<\/p>\n<p>The company's own SAP systems are often one of the most critical areas for the IT security organization of a company. It is not uncommon for sensitive and highly critical business processes to be consolidated here. Exploiting a vulnerability in such an environment can therefore have serious and sometimes substantial consequences.<\/p>\n<blockquote>\n<p><span style=\"font-size: 18px; font-weight: 300;\">SAP systems are often the backbone of a company and therefore an attractive target for cyber attacks. However, particularly critical, specific vulnerabilities are often not detected. Why? Because the pentest of SAP infrastructures differs significantly from that of any other system or application. It requires in-depth expertise and a fundamental understanding of SAP products. My colleagues and I have developed a methodology specifically tailored to this, supported by our \u201c<a href=\"https:\/\/github.com\/usdAG\/sncscan\" target=\"_blank\" rel=\"noopener\">sncscan<\/a>\u201d tool.<\/span><\/p>\n<p>Nicolas Schickert, usd Managing Security Analyst &amp; Expert for SAP Pentests<\/p>\n<\/blockquote>\n<h3>Common vulnerabilities include:<\/h3>\n<ul>\n<li>Lack of patches for published vulnerabilities in SAP software<\/li>\n<li>Misconfiguration of user permissions, RFC connections, system parameters, and encryption settings<\/li>\n<li>Use of outdated third-party software (e.g. for monitoring) with known vulnerabilities<\/li>\n<li>Security vulnerabilities in self-developed ABAP reports that allow privilege escalation or compromise of the system<\/li>\n<li>Insufficient separation between development, test and production systems<\/li>\n<\/ul>\n<h2>Our approach to SAP Pentests:<\/h2>\n<p>Our pentests are conducted according to a standardized <a href=\"https:\/\/www.usd.de\/en\/pentest\/pentest-approach\/\">approach<\/a>, which is enhanced by specific aspects for SAP Pentests. In our SAP pentest, our <a href=\"https:\/\/herolab.usd.de\/en\/our-experts\/\" target=\"_blank\" rel=\"noopener\">security analysts<\/a> comprehensively examine your SAP systems and FIORI web applications to identify potential gateways for attackers. We differentiate between the investigation of web-based SAP systems and the testing of SAP products at system level.<\/p>\n<h2>What checks are included in SAP Pentests?<\/h2>\n<p>These checks are included in pentests of SAP systems:<\/p>\n<ul>\n<li>Verification of standard services (SSH, SMB, NFS, management and monitoring software, etc.) as well as verification of SAP-specific services (such as Content Server, Message Server, Management Console, ICM, IGS, WebDispatcher, among others)<\/li>\n<li>Sample authorization check of a department user for unauthorized access to administrative transactions<\/li>\n<li>Verification of configured system parameters (such as, among others, standardized SAP hardening recommendations, the configuration of access control lists (ACLs), the reading of information from ICF web services, or encryption for specific SAP protocols such as DIAG)<\/li>\n<li>Customization of available exploits (for example from Security Focus, Metasploit, PySAP or Core Impact) to exploit identified SAP-specific vulnerabilities<\/li>\n<\/ul>\n<p>During pentests of FIORI web applications, we also perform the following checks:<\/p>\n<ul>\n<li>Input validation and processing verification<\/li>\n<li>Automated scanning of the web application using a state-of-the-art vulnerability scanner<\/li>\n<li>Attack scenarios based on the combination of several identified vulnerabilities<\/li>\n<li>Review of the authorization concept of the FIORI application, both in the web application directly and in the OData data model<\/li>\n<li>Automated and manual analysis of the OData data model<\/li>\n<\/ul>\n<h2>One step further with our SNC Scan<\/h2>\n<p>Our in-house developed tool \u201cSNC Scan\u201d enables us to analyze the SAP Secure Network Communication (SNC) protocol and detect any insecure configurations.<\/p>\n<p><a href=\"https:\/\/github.com\/usdAG\/sncscan\">More information<\/a><\/p>\n<h2>More information on SAP Pentests<\/h2>\n<h3>Identify the Gateways in your SAP Environment in Time<\/h3>\n<p><a href=\"https:\/\/www.usd.de\/en\/sap-pentest-identifies-gateways\/\">Learn more<\/a><\/p>\n","protected":false},
"excerpt":{"rendered":"<p>SAP Pentest Protect Your Systems &amp; ApplicationsThe company's own SAP systems are often one of the most critical areas for the IT security organization of a company. It is not uncommon for sensitive and highly critical business processes to be consolidated here. Exploiting a vulnerability in such an environment can therefore have serious and sometimes [&hellip;]<\/p>\n","protected":false},
"author":112,"featured_media":32063,"parent":40183,"menu_order":0,"comment_status":"closed","ping_status":"closed","template":"","meta":{"_et_pb_use_builder":"on","_et_pb_old_content":"","_et_gb_content_width":"","inline_featured_image":false,"footnotes":""},"class_list":["post-32008","page","type-page","status-publish","has-post-thumbnail","hentry"],
"_links":{"self":[{"href":"https:\/\/www.usd.de\/en\/wp-json\/wp\/v2\/pages\/32008","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.usd.de\/en\/wp-json\/wp\/v2\/pages"}],"about":[{"href":"https:\/\/www.usd.de\/en\/wp-json\/wp\/v2\/types\/page"}],"author":[{"embeddable":true,"href":"https:\/\/www.usd.de\/en\/wp-json\/wp\/v2\/users\/112"}],"replies":[{"embeddable":true,"href":"https:\/\/www.usd.de\/en\/wp-json\/wp\/v2\/comments?post=32008"}],"version-history":[{"count":5,"href":"https:\/\/www.usd.de\/en\/wp-json\/wp\/v2\/pages\/32008\/revisions"}],"predecessor-version":[{"id":57348,"href":"https:\/\/www.usd.de\/en\/wp-json\/wp\/v2\/pages\/32008\/revisions\/57348"}],"up":[{"embeddable":true,"href":"https:\/\/www.usd.de\/en\/wp-json\/wp\/v2\/pages\/40183"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.usd.de\/en\/wp-json\/wp\/v2\/media\/32063"}],"wp:attachment":[{"href":"https:\/\/www.usd.de\/en\/wp-json\/wp\/v2\/media?parent=32008"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}