What is SAP?
SAP (Systems, Applications and Products in Data Processing is a German company specialised in the development of business applications.
2. According to the information obtained from the first step, the PenTesters recognise database type, SAP version, and particular SAP modules. Finding the known vulnerabilities relevant to the target. Exploit the vulnerabilities to gain access.
3. Escalate Privileges to gain administrative access to control the whole SAP systems.Vulnerabilities in SAP xMII are particularly hazardous as it is a bridge between ERP (Enterprise Resource Planning), other enterprise applications and plant floor as well as OT (Operational Technology) devices. Any vulnerability affecting SAP xMII may be utilised as an initial point of a multi-stage adversary targetting to control over plant devices and manufacturing systems.
Analysing Risks for the target organisation
The information security risk assessment practitioner visualises the current stance of business processes of a typical target organisation, classifies the mission-critical assets and associated cyber and business risks. The gathered information aids a penetration tester to decide the level, complexity, scope and the time required to perform penetration testing.
Classify the the vital assets in SAP target organisation
A usual manufacturing company’s infrastructure comprises of numerous business-critical apps and industry-specific modules. Some of the list of the applications which common for the majority of manufacturing enterprises:
• Enterprise Resource Planning (ERP)
• Manufacturing Execution System (MES)
• Asset Lifecycle Management (ALM)
• Manufacturing Integration (xMII)
• Other standard systems: HR, CRM, PLM, SRM, BI/BW, SCM
Some of these systems such as xMII or ALM can be connected with Industrial Control Systems (ICS/SCADA) or plant floor, so a single vulnerability in them may raise a business risk for the entire organisation.
Revealing SAP Platforms for the mission-critical infrastructure
SAP systems can be based on different platforms: ABAP, Java, or HANA.
The main SAP platform is SAP NetWeaver, the enabling foundation for SAP and non-SAP applications.
The significant parts of SAP NetWeaver are SAP NetWeaver Application Server (AS). SAP NetWeaver AS includes the application server ABAP and Java. The primary programming language for SAP NetWeaver Application Server platform is ABAP and Java respectively.
The most common vulnerabilities in the SAP xMII component (e.g., Reflected XSS vulnerability, directory traversal vulnerability).
Benefits of Pen Testing
Minimise the following risk
Compliance violation (Such as pollution)
Safety violation (Death or injury)
Product Quality (Quality degradation)