Offensive SAP Security
The SAP Penetration Test by SERPENTEQ is a targeted, manually executed attack on your SAP infrastructure — carried out by aggressive security specialists with deep SAP expertise. No automated scan, no generic report: We simulate real attackers and show you exactly how far a targeted attack on your systems goes — and why.
Test variants
- Black Box - Simulates an external attacker
- Grey Box - Simulates compromised users
- White Box - Maximum testing depth
Technical scope
Reconnaissance & Enumeration
- Active enumeration of all SAP services: message server, dispatcher, ICM, RFC gateway, web dispatcher
- Identify exposed ICF services and open HTTP endpoints
- Fingerprinting of SAP releases, patch levels, and installed add-ons
- OSINT-based preliminary research on exposed SAP assets and credentials
Network & Infrastructure Attacks
- Exploitation of known SAP CVEs against unpatched systems
- Message server attacks — Unauthorized registration of application servers, information extraction without authentication
- RFC Gateway Exploitation — Misconfigured ACLs, external RFC server registration, remote command execution
- SAProuter attacks — route string misuse, information leakage, tunneling via SAProuter
- SNC/SSL downgrade — Forcing insecure communication channels
Authentication & Session Attacks
- Brute force and credential stuffing against SAP login and web services
- Password hash extraction — Analysis and offline cracking of BCODE/PASSCODE hashes
- SSO abuse — Attacks on Kerberos delegation, stolen logon tickets (SAP SSO/SNC)
- ICM-level session hijacking and insecure HTTP connections
- Analysis of standard and technical users with known default credentials
Authorization & Privilege Escalation
- Systematic use of SoD conflicts for privilege escalation
- Debug & Replace — Manipulating program logic to evade authorization checks
- Misuse of critical authorization objects: S_DEVELOP, S_TCODE, S_RFC, S_DATASET
- Cross-client attacks via Trusted RFC connections
- Privilege escalation from dialog user to SAP_ALL / Basis administrator
ABAP Code Exploitation
- Manual analysis of exposed RFC-enabled function modules without AUTHORITY-CHECK
- Injection attacks on customer ABAP code: SQL injection (Open SQL/Native SQL), OS command injection via CALL 'SYSTEM'
- Exploitation of unsafe file operations (OPEN DATASET) for read/write access at operating system level
- Attacks on insecure BAPIs and OData services (Fiori/UI5)
- XSS & CSRF in BSP applications and Web Dynpro interfaces
Post-Exploitation & Lateral Movement
- Extraction of sensitive data from tables (credentials, configurations, business data)
- OS-level access via SAP vulnerabilities: remote shell, file system access
- Pivot into connected systems via RFC trust relationships and interface users
- Persistence mechanisms at ABAP level: hidden backdoors in function modules and reports
Deliverables
- Executive Summary — Compact risk assessment for management and CISO, without technical overhead
- Technical Report — Complete documentation of every vulnerability including CVSS v3.1 score, attack path and proof of concept
- Attack chain visualization — Graphical presentation of the complete attack path from initial compromise to complete system control
- Remediation plan — Specific, prioritized remediation measures at code, configuration, and architecture levels
- Final presentation — Personal discussion of results with your technical team