SAP Pen-testing - complexity - first ideas

From: Petr.Kazil@eap.nl
Date: Tue Mar 13 2007 - 10:52:40 EST


Since my previous SAP post I've read a bit more and talked with colleagues
and played with some SAP transactions.
I will write a more structured post in the coming days, but here is some
nice info:

A very good article on SAP password attacks:
http://www.openwall.com/lists/john-users/2005/12/13/1

A concise introduction into SAP Security, in German, but there may be an
English version too on the same site:
http://www.bsi.bund.de/gshb/deutsch/baust/b05013.htm

Two alerts that sound ominous, but I've not found more details yet:
http://skiifwrald.com/pipermail/alertmailinglist_skiifwrald.com/2006-February/000119.html
http://skiifwrald.com/pipermail/alertmailinglist_skiifwrald.com/2005-November/000081.html

A list of potential Web insecurities in SAP, just all the common web
risks:
http://searchsap.techtarget.com/originalContent/0,289142,sid21_gci1215841,00.html

Attempt to reverse engineer SAP protocol:
www.ccc.de/congress/2004/fahrplan/files/157-sap-slides.pdf

My feeling at the moment (but that may change):

- risks in underlying operating system (Unix/Windows) and database system
(Oracle/SQLServer) are relatively easy to handle if you don't misconfigure
anything, there are just a handful of tricky accounts and these need to be
secured well

- as long as SAP is on an internal network without web-portal
functionality risks seem to be acceptable, encryption of network data can
be strengthened, but most organizations simply don't bother

- biggest risks in SAP web presence might be detectable by running a good
web scanner like Appscan / Webinspect

- the biggest security risk comes from SAP itself, where there exist
transactions to manipulate the database itself and the underlying
operating system, and there are so many transactions and so complex access
rights to transactions, that a SAP-admin or often even a SAP-user (I'm
told) can run dangerous code

So to make progress with SAP pentest you need to play around with SAP
itself and not with the underlying network-, database- and OS- building
blocks. (but this idea may change still)

I'm very curious about your opinions and any more interesting links. After
all I'm still a SAP beginner ...

Sincerely yours, Petr Kazil




This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:57:39 EDT