OWASP Core Business Application Security
OWASP CBAS Project Structure
Introduction
As SAP systems manage the most sensitive and mission-critical data for organizations worldwide, they present an appealing target for threat actors. Traditional defenses often overlook the unique challenges in SAP landscapes, such as complex authorization models, a broad attack surface, and proprietary protocols.
The OWASP Core Business Application Security project is dedicated to providing a comprehensive approach to SAP security by focusing on critical aspects of proactive defense and resilience in SAP landscapes. This initiative brings together innovative techniques and tools to address major topics of cybersecurity such as deception, adversary simulations, detection engineering, attack surface management, security posture validation & baseline controls, and technical assessments tailored specifically for SAP environments.
Projects
Deception and Adversary Simulation
We create tools that emulate advanced threat tactics, techniques, and procedures (TTPs) in SAP systems, helping teams to stay one step ahead by visualizing attack patterns and preparing adaptive responses.
- HoneySAP: SAP low-interaction honeypot
- pysap - Python library for crafting SAP’s network protocols packets
- SAPKiln
Attack Surface Management
Understanding your SAP attack surface enables you to better prioritize and apply security controls that help mature your SAP security posture. The tools below are designed to identify the possible threats and attack vectors that your SAP environment might possess.
Security Posture Validation & Baseline Controls
Validating and enforcing secure configurations and controls in SAP, we offer frameworks for continuous monitoring of system integrity against best practices.
Leaders
News and Updates Channels
Anyone interested in supporting, contributing or giving feedback join us in our discord channel.
License
This work is licensed under a Creative Commons Attribution-ShareAlike 4.0 International License.
Deception & Adversary Simulation
HoneySAP: SAP Low-interaction honeypot
Version 0.1.2.dev0 (XXX 2022)
Overview
HoneySAP is a low-interaction, research-focused honeypot specific to SAP services. It is aimed at learning the techniques and motivations behind attacks against SAP systems.
Features
- Low-interaction honeypot for SAP services
- YAML and JSON-based configuration
- Pluggable datastore backend
- Modular services system
- Modular feeds system
- Console logging
pysap - Python library for crafting SAP’s network protocols packets
Version 0.1.20.dev0 (XXX 2022)
Overview
SAP NetWeaver and SAP HANA are technology platforms for building and integrating SAP business applications. Communication between components uses different network protocols, and some services and tools make use of custom file formats as well. While some of these are standard and well-known protocols, others are proprietary and public information about them is generally not available.
pysap is an open source Python 2 library that provides modules for crafting and sending packets using SAP’s NI, Diag, Enqueue, Router, MS, SNC, IGS, RFC and HDB protocols. In addition, support for creating and parsing different proprietary file formats is included. The modules are built on top of Scapy and are based on information acquired at researching the different protocols, file formats and services.
Features
- Dissection and crafting of the following network protocols:
  - SAP Network Interface (NI)
  - SAP Diag
  - SAP Enqueue
  - SAP Router
  - SAP Message Server (MS)
  - SAP Secure Network Connection (SNC)
  - SAP Internet Graphic Server (IGS)
  - SAP Remote Function Call (RFC)
  - SAP HANA SQL Command Network (HDB)
- Client interfaces for handling the following file formats:
  - SAP SAR archive files
  - SAP Personal Security Environment (PSE) files
  - SAP SSO Credential (Credv2) files
  - SAP Secure Storage in File System (SSFS) files
- Library implementing SAP’s LZH and LZC compression algorithms.
- Automatic compression/decompression of payloads with SAP’s algorithms.
- Client, proxy and server classes implemented for some of the protocols.
- Example scripts to illustrate the use of the different modules and protocols.
SAPKiln
The world :earth_americas: of SAP is very vast and unique. SAP has multiple products to tackle various problems as well as multiple technology platforms such as NetWeaver. SAPKiln is an open-source GUI tool :computer: designed to empower security researchers in conducting efficient auditing and penetration testing of SAP systems through SAP Logon/GUI (desktop application). It caters to both experienced SAP professionals and those unfamiliar with the SAP environment, as it streamlines the process of performing security checks with a user-friendly interface :sparkles:.
Powered :battery: by saplogon.exe and SAP scripting in its backend, SAPKiln executes automated checks in the SAP system. The current version (v1.0) offers over 70 checks :exclamation: divided into 10 modules. Beyond its built-in checks, SAPKiln provides flexibility with dynamic checks, accommodating custom user inputs. By automating security assessments, SAPKiln effectively bridges the knowledge gap between security researchers :cop: and SAP domain experts :eyeglasses:.
Modules Included
- Attempt Login with Default SAP Credentials
- Enumerate for Accessible T-Codes
- Enumerate for Accessible Tables
- Enumerate for Usage of SAP_ALL Profile
- Enumerate Password Policies
- Enumerate Weak Password Hashes (Users)
- Enumerate Weak Password Hashes (Hashes)
- OS Commands Execution - RSBDCOS0
- OS Commands Execution - SAPXPG
- Enumerate Instances for Lateral Movement
Attack Surface Management
SAP Attack Surface Discovery
The project aims to help organizations and security professionals identify and discover exposed SAP services through the use of different network scanning techniques. This allows them to further test these services for any potential threat that might affect the SAP applications in their organizations.
SAP Attack Surface Discovery Project Page
sncscan
Tool for analyzing SAP Secure Network Communications (SNC).
How to use?
In its current state, sncscan can be used to read the SNC configuration of SAP Router and DIAG (SAP GUI) connections. Support for the SAP RFC protocol is currently in development.
Security Posture Validation & Baseline Controls
SAP Security Verification Standard (SSVS)
The CBAS - SAP Security Verification Standard (SSVS) project allows organizations to determine their SAP security posture based on a set of controls that define a standard security baseline which organizations can adopt and maintain. This enables organizations to plan and enhance the security mechanisms that protect their SAP resources.
SAP Security Verification Standard Project Page
NO MONKEY Security Matrix
The NO MONKEY Security Matrix combines elements of the security operational functions defined by NIST with the IPAC model, created by NO MONKEY and explained below, into a functional graph.
OWASP CBAS - SAP Security Research
A curated collection of findings, PoCs, and tools for advancing SAP Security
OWASP CBAS - SAP Security Research Project Page
[!Warning] All PoCs and tools are provided for educational and research purposes only. You are solely responsible for ensuring you have appropriate authorization before testing against any system.
Never test on production SAP systems without proper approval.
About This Repository
This repository is maintained by the OWASP Core Business Application Security (CBAS) project and serves as a public archive of research efforts focused on SAP Security.
Here we collect:
- Research Papers & Whitepapers: novel attack vectors, analysis of SAP technologies, and deep-dives into misconfigurations or overlooked weaknesses.
- Proof-of-Concept Exploits (PoCs): demonstrative code snippets and reproducible environments for responsible testing and education.
- Detection & Hardening Tools: scripts and techniques to aid defenders in identifying vulnerable components and misconfigurations, and in implementing mitigations.
All contributions are intended to educate, empower, and protect the global SAP ecosystem in line with OWASP’s mission.
News
- [October 2024] usd AG has contributed sncscan to the OWASP CBAS
- [October 2023] Jonathan Stross has joined as contributor
- [October 2024] Nicolas Schickert has joined as contributor and author of sncscan
- [October 2023] Gaurav Singh has joined as contributor to the SAP Security Verification Standard Project
- [September 2023] The SAP Internet Research project undergoes a complete update and is now called the SAP Attack Surface Discovery
- [September 2023] The OWASP CBAS Roadmap is created to provide a clear view and direction of the different improvements and security areas that will be covered
- [August 2023] The OWASP SAPKiln project, led by Alex Devassy, is added under the umbrella of the OWASP CBAS
- [August 2023] Alex Devassy joins the OWASP CBAS team
- [July 2023] Julian Petersohn contributes and takes lead on the SAP Internet Research project
- [July 2023] Julian Petersohn joins the OWASP CBAS team
- [October 2022] SecureAuth’s Innovation Labs donates the HoneySAP and Pysap projects to the OWASP CBAS
- [October 2022] Martin Gallo joins the leadership team
- [September 2020] Joris Van De Vis (@jvis) donates the SAP Internet Research project to the OWASP CBAS
- [June 2020] NO MONKEY donates the SAP Security Matrix to the OWASP CBAS
- [June 2020] OWASP CBAS created by Waseem Ajrab and Marco Hammel to provide a central location to address areas for SAP security
Events
- [November 2024] Talk at German OWASP Day - SAP from an Attacker’s Perspective – Common Vulnerabilities and Pitfalls
- [November 2024] OWASP Frankfurt Chapter Meeting #69 - Presentation of the OWASP CBAS project
- [September 2024] Talk at BSides Frankfurt - Identify, Exploit, & Defend SAP Environments - Showcasing the True Power of Open-Source
Roadmap
- [pysap] migration to Python 3
- [HoneySAP] migration to Python 3
- [HoneySAP] advance the project with regard to detection engineering
- [SAP Attack Surface Discovery] add missing SAP services (SAP HANA, SAP NetWeaver Java, etc.)
- [SAP Attack Surface Discovery] increase usability by adding a web interface
CBAS Supporters and Contributors
We are grateful for all our supporters and contributors who have spent significant time working on the OWASP Core Business Application Security project.
We are continuously updating and improving the different parts of the project. All contributions are welcome. Get in touch with us to know more!
Supporters (Time and Donation) - Organizations
Organizations that have allowed contributors to participate and/or donated significant time and material to work on the different projects within the OWASP Core Business Application Security. Supporters contributing time and material will be evaluated at the sole discretion of the project leaders.
Supporters (Time and Donation) - Individuals
- Joris van de Vis - SecurityBridge - SAP Internet Research Project
Contributors
A live update of contributors can be found under each area of the OWASP Core Business Application Security project.
- SAP Security Verification Standard
- pySAP
- HoneySAP
- SAP Attack Surface Discovery
- SAPKiln
- SAP Security Aptitude assessment
CBAS Contribution Guidelines
We are grateful for all our supporters and contributors who are willing to spend time and effort working on the OWASP Core Business Application Security projects.
Participate in Discussions
We’re using Discussions as a place to connect with other members of our community. We hope that you:
- Ask questions you’re wondering about
- Share ideas
- Engage with other community members
- Welcome others and are open-minded. Remember that this is a community we build together
Join our OWASP CBAS Discord or Slack Channel to stay up-to-date with any updates or news.
Contribution Steps
1. Create Issues
First create issues before opening any pull requests. Issues will be discussed for any missing requirements, content, duplications, or bugs.
Assignment will be done by project leaders.
2. Opening Pull Requests
Once you have opened a Pull Request, a reviewer will make sure all requirements are met before it is submitted for a merge (refer to the Review page to learn more).
Becoming a Reviewer
COMING SOON