What is SAP?
SAP (Systems, Applications and Products in Data Processing) is a German company specialised in the development of business applications.
2. Using the information obtained in the first step, the pen testers identify the database type, the SAP version and the particular SAP modules in use, find the known vulnerabilities relevant to the target, and exploit those vulnerabilities to gain access.
3. Escalate privileges to gain administrative access and control the whole SAP system.
Vulnerabilities in SAP xMII are particularly hazardous because it is a bridge between ERP (Enterprise Resource Planning), other enterprise applications, and the plant floor and OT (Operational Technology) devices. Any vulnerability affecting SAP xMII may be used as the initial point of a multi-stage attack aimed at gaining control over plant devices and manufacturing systems.
Analysing Risks for the target organisation
The information security risk assessment practitioner visualises the current state of the business processes of a typical target organisation and classifies the mission-critical assets and the associated cyber and business risks. The gathered information helps a penetration tester decide the level, complexity, scope and time required to perform penetration testing.
Classify the vital assets in the SAP target organisation
A typical manufacturing company's infrastructure comprises numerous business-critical applications and industry-specific modules. Applications common to the majority of manufacturing enterprises include:
• Enterprise Resource Planning (ERP)
• Manufacturing Execution System (MES)
• Asset Lifecycle Management (ALM)
• Manufacturing Integration (xMII)
• Other standard systems: HR, CRM, PLM, SRM, BI/BW, SCM
Some of these systems, such as xMII or ALM, can be connected to Industrial Control Systems (ICS/SCADA) or the plant floor, so a single vulnerability in them may raise a business risk for the entire organisation.
Revealing SAP Platforms for the mission-critical infrastructure
SAP systems can be based on different platforms: ABAP, Java, or HANA.
The main SAP platform is SAP NetWeaver, the enabling foundation for SAP and non-SAP applications.
The significant part of SAP NetWeaver is the SAP NetWeaver Application Server (AS), which includes the ABAP and Java application servers. The primary programming languages for these application servers are ABAP and Java respectively.
The most common vulnerabilities in the SAP xMII component include reflected XSS and directory traversal.
Benefits of Pen Testing SAP
Minimise the following risks:
• Plant sabotage/shutdown
• Equipment damage
• Production disruption
• Compliance violation (such as pollution)
• Safety violation (death or injury)
• Product quality (quality degradation)
• Espionage
• Sabotage
• Fraud