Security Testing Checklist - SAP Platform

My personal pentesting checklist for SAP. Use this when you run into one of these things.

Pre-Assessment Phase

1. Information Gathering

2. Vulnerability Research

Unauthenticated Testing

1. Default Credentials

2. Publicly Exposed Services

Service Enumeration
- Check for exposed RFC interfaces (port 3300)
- Check for exposed ICM (port 8000, 44300)
- Check for exposed Web Dispatcher (port 50000, 50013)
- Check for exposed Message Server (port 3600)

3. Unsecured Interfaces

RFC Interface Testing
- Test for unauthorized RFC access
- Check for exposed function modules
- Test for data extraction via RFC
ICM/Web Dispatcher Testing
- Test for path traversal
- Check for information disclosure
- Test for authentication bypass

4. File Upload Vulnerabilities

CVE-2025-31324 Testing
- Test for unauthenticated file upload
- Try to upload webshells
- Test for path traversal in upload

5. Information Disclosure

Error Messages
- Check for verbose error messages
- Look for system information in errors
- Check for stack traces
System Information
- Check for version information
- Look for system configuration details
- Check for user information

Authenticated Testing

1. Authentication Mechanisms

Login Functionality
- Test for SQL injection in login forms
- Check for auth bypass vulnerabilities
- Test for brute force protection
- Verify password complexity requirements

2. Session Management

Session Security
- Test for session fixation vulnerabilities
- Check session timeout configuration
- Verify session invalidation on logout
- Test for concurrent session handling

3. Access Control Testing

Role-Based Access Control
- Test for privilege escalation
- Check for horizontal privilege escalation
- Verify role assignment controls
- Test for role manipulation
CVE-2025-0070 Testing
- Test for authentication bypass
- Check for privilege escalation
- Verify proper authorization checks

4. Custom Code Review

ABAP Code Analysis
- Test for SQL injection in custom ABAP
- Check for authorization bypass
- Test for input validation flaws
- Check for business logic flaws
Java Code Analysis
- Test for deserialization vulnerabilities
- Check for injection vulnerabilities
- Test for authorization bypass

5. Business Logic Testing

API Security Testing

1. REST API Testing

2. SOAP API Testing

SOAP Security
- Test for SOAP injection
- Check for XML external entity (XXE) attacks
- Test for SOAP action manipulation
- Verify SOAP authentication

Database Security Testing

1. Database Access

Direct Database Access
- Test for direct database connections
- Check for database user permissions
- Test for privilege escalation
- Verify database access controls

2. SQL Injection

ABAP SQL Injection
- Test for SQL injection in custom ABAP
- Check for parameterized query usage
- Test for blind SQL injection
- Verify input validation

Configuration Testing

1. Security Misconfigurations

2. Network Configuration

Firewall Configuration
- Check for unnecessary open ports
- Verify network segmentation
- Test for internal network access
- Check for DMZ configuration

Patch Management Testing

1. Security Notes

2. Version Analysis

Version Detection
- Identify SAP version and build
- Check for end-of-life versions
- Verify version-specific vulnerabilities
- Check for unsupported versions

Logging and Monitoring

1. Security Logging

2. Monitoring

Post-Exploitation Testing

1. Privilege Escalation

2. Data Access

3. Persistence

Backdoor Installation
- Test for user account creation
- Check for service installation
- Test for scheduled task creation
- Verify persistence mechanisms

HOW TO Guides

1. How to Identify SAP Instance Type

Check if it's ABAP or Java
- Method 1: Port Analysis
  - ABAP: Usually ports 8000, 8001, 8002 (ICM)
  - Java: Usually ports 50000+ (Web Dispatcher)
- Method 2: HTTP Headers
  - Check for "SAP NetWeaver" in headers
  - Look for "X-SAP-System" header
- Method 3: URL Patterns
  - ABAP: /sap/bc/ui2/nwbc/ or /sap/bc/gui/sap/its/webgui
  - Java: /sap/bc/ui5_ui5/ or /sap/bc/webdynpro/
- Method 4: Error Messages
  - ABAP errors mention "ABAP" or "SAP NetWeaver AS ABAP"
  - Java errors mention "Java" or "SAP NetWeaver AS Java"

2. How to Determine On-Prem vs Cloud

Check for Cloud Indicators
- URL Analysis
  - Cloud: *.sapbydesign.com, *.s4hana.cloud.sap.com
  - On-prem: Internal domains, IP addresses
- HTTP Headers
  - Look for "X-SAP-System" with cloud indicators
  - Check for "X-SAP-Cloud" headers
- Error Messages
  - Cloud: References to "SAP Cloud Platform"
  - On-prem: Local system names, internal paths
- Port Analysis
  - Cloud: Usually only 443/80 exposed
  - On-prem: Multiple SAP ports (3200, 3300, 3600, 8000, etc.)

3. How to Connect to RFC

RFC Connection Methods
- Method 1: SAP GUI
  - Install SAP GUI
  - Use transaction SM59 to configure RFC connections
  - Test connection with transaction SMGW
- Method 2: Python Scripts
  - Use pyrfc library
  - Connect to port 3300 (Gateway)
- Method 3: Java/JCo
  - Use SAP Java Connector (JCo)
  - Connect to port 3300
- Method 4: .NET Connector
  - Use SAP .NET Connector
  - Connect to port 3300

4. How to Test RFC Security

RFC Security Testing
- Check RFC Permissions
  - Use transaction SM59
  - Check for "Trusted RFC" connections
  - Verify RFC user permissions
- Test RFC Function Modules
  - Use transaction SE37
  - Test for unauthorized function calls
  - Check for data extraction possibilities
- Network Testing
  - Port scan for 3300 (Gateway)
  - Test for exposed RFC interfaces
  - Check for RFC over HTTP

5. How to Identify SAP Version

Version Detection Methods
- Method 1: HTTP Headers
  - Look for "Server" header
  - Check "X-SAP-System" header
- Method 2: Error Pages
  - Trigger errors to see version info
  - Check stack traces
- Method 3: URL Patterns
  - Different versions use different URL patterns
  - Check for version-specific endpoints
- Method 4: File System
  - Check for version files (if accessible)
  - Look for installation directories

6. How to Test File Upload Vulnerabilities

File Upload Testing
- CVE-2025-31324 Testing
  - Target: /sap/bc/ui2/nwbc/visualcomposer/metadata
  - Upload JSP webshell
  - Test for path traversal
- General File Upload Testing
  - Test various file types
  - Check for file type validation
  - Test for size limits
  - Look for path traversal

7. How to Test Authentication Bypass

Auth Bypass Testing
- CVE-2025-0070 Testing
  - Test for auth bypass in NetWeaver AS ABAP
  - Check for privilege escalation
- CVE-2024-41730 Testing
  - Target BusinessObjects BI Platform
  - Test for missing auth checks
  - Try to get login tokens

8. How to Test Custom ABAP Code

ABAP Code Testing
- Transaction SE80
  - Use SE80 to browse custom code
  - Look for SQL injection points
  - Check for authorization bypass
- Transaction SE37
  - Test function modules
  - Check for input validation
  - Test for business logic flaws
- Transaction SE38
  - Browse ABAP programs
  - Look for security issues
  - Check for hardcoded credentials

Tools and Resources

1. Automated Testing Tools

2. SAP-specific Tools

3. Custom Scripts

Reporting & Documentation

1. Vulnerability Documentation

2. Risk Assessment

3. Remediation Recommendations

Disclaimer: This checklist is for authorized security testing only. Always ensure you have proper authorization before testing any systems.