SAP Internet Research
Make sure you have the appropriate permissions to actively scan and test applications. Without doing so, you might face legal implications.
The SAP Internet Research project aims to help organizations and security professionals identify and discover open SAP services facing the internet. This allows individuals to further test these services for any potential threat that might affect SAP applications in their organizations.
Objectives:
- To allow security professionals to identify and discover SAP internet-facing applications being used by their organization
- To be able to demonstrate to organizations the risk that can exist from SAP applications facing the internet
- Aligning the results of the research to a single organization to demonstrate SAP technology risk
- To allow contribution to the SAP Internet Research project
WIIFM (What's In It For Me)
Below is a list of how you can benefit from the different research areas of the project:
- Using different port scanners to discover your organization's open SAP services that are published to the internet; the services included in the project are:
  - SAPRouter
  - SAP Gateway
  - SAP Internet Graphics Server
  - SAP Message Server Internal Port
  - HANA Database
- Conducting further analysis on the discovered services
- Aligning discovery with the Core Business Application Security (CBAS) – Security Aptitude Assessment.
- Monitoring services within your organization's IP block that might get published due to misconfiguration
OWASP CBAS project:
Three areas within the NO MONKEY Security Matrix can benefit from the SAP Internet Research project:
- Identify – NIST Security Functions
- Detect - NIST Security Functions
- Integration – IPAC Model
Identify | Integration
When applied to a single organization, the results from the SAP Internet Research project can help organizations focus their efforts on the IDENTIFY and INTEGRATION quadrant of the NO MONKEY Security Matrix.
Detect | Integration
Another potential area of benefit is the DETECT and INTEGRATION quadrant: this would allow organizations to automate their monitoring of SAP applications published to the internet. If publishing these applications is not a requirement and was done due to misconfiguration, the organization would be able to detect it properly.
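The monitoring use case above (the WIIFM item on watching your own IP block for accidentally published services, and the DETECT | INTEGRATION quadrant) can be automated as a small allow-list check over the output of a port scan of your own address ranges. The following is an added example, not code from the SAP Internet Research project. It assumes the default SAP port layout (SAPRouter on 3299, Gateway on 33NN, Message Server internal port on 39NN, Internet Graphics Server on 40NN, HANA SQL on 3NN13/3NN15, where NN is the instance number) with no custom port mapping; the scan lines, hosts and approved-publication set are constructed for the example.

```python
"""Flag SAP services exposed on your own IP block that were never approved
for internet publication. Added example; not part of the SAP Internet
Research project. Port patterns follow SAP defaults (assumption)."""
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional, Set, Tuple

# NN is the two-digit SAP instance number (00..99). These are the default
# SAP port conventions; a landscape with custom ports needs its own table.
SAP_PORT_PATTERNS = [
    (re.compile(r"3299"), "SAPRouter"),
    (re.compile(r"33(\d\d)"), "SAP Gateway"),
    (re.compile(r"39(\d\d)"), "SAP Message Server (internal)"),
    (re.compile(r"40(\d\d)"), "SAP Internet Graphics Server"),
    (re.compile(r"3(\d\d)13"), "SAP HANA SQL (system DB)"),
    (re.compile(r"3(\d\d)15"), "SAP HANA SQL (tenant)"),
]

# Constructed scanner output in a simple grepable form: "<host> <port>/tcp open".
# The 198.51.100.0/24 range is documentation space, used here as the
# organization's own IP block.
SAMPLE_SCAN = """\
198.51.100.10 3299/tcp open
198.51.100.10 443/tcp open
198.51.100.11 3300/tcp open
198.51.100.11 3900/tcp open
198.51.100.12 30015/tcp open
198.51.100.13 4000/tcp open
"""

# Services the organization intentionally publishes (constructed allow-list).
APPROVED: Set[Tuple[str, int]] = {("198.51.100.10", 3299)}


@dataclass(frozen=True)
class Exposure:
    host: str
    port: int
    service: str
    instance: Optional[str]  # SAP instance number, None where not encoded in the port


def classify_port(port: int) -> Optional[Tuple[str, Optional[str]]]:
    """Map a TCP port to (SAP service, instance number), or None if it is not an SAP default port."""
    text = str(port)
    for pattern, name in SAP_PORT_PATTERNS:
        match = pattern.fullmatch(text)
        if match:
            instance = match.group(1) if match.groups() else None
            return name, instance
    return None


def parse_scan_lines(lines: Iterable[str]) -> List[Tuple[str, int]]:
    """Extract (host, port) pairs for open TCP ports from grepable scan lines."""
    line_re = re.compile(r"^(\S+)\s+(\d+)/tcp\s+open\b")
    found = []
    for line in lines:
        match = line_re.match(line.strip())
        if match:
            found.append((match.group(1), int(match.group(2))))
    return found


def find_sap_exposures(observed: Iterable[Tuple[str, int]]) -> List[Exposure]:
    """Keep only the observed open ports that look like SAP services."""
    exposures = []
    for host, port in observed:
        hit = classify_port(port)
        if hit:
            exposures.append(Exposure(host, port, hit[0], hit[1]))
    return exposures


def unapproved(exposures: Iterable[Exposure], approved: Set[Tuple[str, int]]) -> List[Exposure]:
    """Return SAP exposures that are not on the approved-publication list (the alerts)."""
    return [e for e in exposures if (e.host, e.port) not in approved]


if __name__ == "__main__":
    exposures = find_sap_exposures(parse_scan_lines(SAMPLE_SCAN.splitlines()))
    for alert in unapproved(exposures, APPROVED):
        inst = f" instance {alert.instance}" if alert.instance else ""
        print(f"ALERT unapproved SAP exposure: {alert.host}:{alert.port} {alert.service}{inst}")
```

Feeding this a fresh scan of your own ranges on a schedule, and treating anything not on the approved set as an incident to review, turns the project's discovery results into the automated detection the DETECT | INTEGRATION quadrant describes; port 443 in the sample is deliberately ignored because a bare port number says nothing about whether an SAP application sits behind it.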