SAP Penetration Testing
& Defense In-Depth
Mariano Nuñez Di Croce
mnunez@cybsec.com
October 2-3, 2008
Ekoparty, Buenos Aires - Argentina
© Copyright 2008 CYBSEC. All rights reserved.
sap security, sap pentest, sap pentesting, sap pt, sap security assessment, sap vulnerability assessment, sap insecurity, sap vulnerabilities, sap vulnerability, sap defense, hardening sap, sap hardening, protecting sap
2
© 2008
Who is CYBSEC ?
� Provides Information Security services since 1996.
� More than 300 customers, located in LatinAmerica, USA and Europe.
� Wide range of services: Strategic Management, Operation Management,
Control Management, Incident Management, PCI Services, SAP Security.
SAP & CYBSEC
� Member of the SAP Global Security Alliance (GSA).
� Has been working with SAP (Walldorf) since 2005.
� Provides specific SAP security services (Penetration Testing, Secure
Architecture Design, Secure Configuration, …)
3
© 2008
Who am I?
� Senior Security Researcher at CYBSEC.
� Devoted to Penetration Testing and Vulnerability Research.
� Discovered vulnerabilities in Microsoft, Oracle, SAP, Watchfire, …
� Speaker/Trainer at Blackhat, Sec-T, Hack.lu, DeepSec, Ekoparty, CIBSI, …
SAP & Me
� Started researching in 2005.
� SAP Pentesting projects (customers).
� Discovered more than 40 vulnerabilities in SAP software.
� Published “Attacking the Giants: Exploiting SAP Internals”.
� Developed sapyto, the first SAP Penetration Testing Framework.
� CYBSEC’s “SAP (In)Security ” Training instructor.
4
© 2008
Agenda
Agenda
� Introduction to the SAP World
� Why SAP Penetration Testing?
� PenTest Setup
� SAP PenTesting
� Discovery Phase
� Exploration Phase
� Vulnerability Assessment Phase
� Exploitation Phase
� Case Study: SAProuter Security Assessment
� Conclusions
5
© 2008
Introduction to
the SAP World
Basic concepts for deep knowledge
6
© 2008
So… what is SAP?
Introduction to the SAP World
SAP (Systems, Applications and Products in Data Processing) is a
german company devoted to the development of business solutions.
� More than 41