SAP Pentest & Offensive Security

Penetration test – the simulated attack on an SAP system

A so-called SAP Penetration Test, better described as “Simulated Attack on an SAP System”, is a controlled review of the security state of your SAP system. Using a hacker's tools of the trade, controlled attack scenarios are run against a selected SAP system to determine how vulnerable it is.

In recent years, this type of security review of an SAP system has become established, often as a supplement to or preparation for an SAP audit, but also as a requirement of the auditors themselves to determine the security status of an SAP system.

The SAP area is perhaps the most critical area for IT security. As a rule, all business processes or all critical business processes converge here. Without many years of knowledge and a profound understanding of SAP environments, security reviews such as a pen test with conventional tools will miss the point. A pen tester is not a hero of Internet technologies who breaks everything and then celebrates. On the contrary, a pen test in the SAP environment requires that the mission-critical vulnerabilities are identified and uncovered together with the customer. This can only be done in partnership with the customer or the customer's network specialist.

Ideally, the pen test is preceded by a risk assessment that defines risk clusters. In the financial industry, with its emphasis on payments, threat vectors are completely different from those of an industrial firm with a lot of design expertise that is exposed to espionage. A specific threat in a given risk context can be extremely serious for one customer, whereas it does not matter in another industry context.


Variations of a Pen test

There are three variations of a pen test:

(1) Black Box Test

The pen tester gets no information up front. He must be able to penetrate completely from the outside without any help. However, he may exploit all possibilities such as phishing (fake emails), waterholing (targeted attacks on specialist groups such as SysAdmins in a company) or smuggling in USB sticks. This must be documented in legal terms and, where applicable, agreed with the business areas involved, such as corporate communication (simulated phishing email to all employees). Such black box tests are very expensive and often take several months. This approach is mostly used for cloud attacks.

(2) Grey Box & White Box Test

The normal, common understanding when performing an SAP penetration test is a gray or white box test on site: the pen tester brings a laptop and registers its MAC address. The laptop has a virus scanner, defined hacker software and an SAP scanner installed, all of which are documented and create appropriate records. The attacker attempts to hack the SAP systems through the internal infrastructure that is accessible. This scenario corresponds to an intruder coming from the inside (SysAdmin etc.) who has no access to the SAP system itself.

In addition, the Pen Tester gets access and an administration user on the system, mostly by means of a so-called SAP scanner, which is available in various forms on the market. This scanner is used for qualified control and analysis of the system. Qualified considerations of individual configurations can also be done this way. The “white box test” is usually done as follow-up and verification after a “black box” or “gray box” test. An up-to-date SAP scanner checks the system for approximately 1500 known vulnerabilities and provides a complete, static image of the security state of an SAP system. This scan must be accompanied by an active, customer-specific single check, since a standardized scan often does not sufficiently take into account the customer’s own environment.

(3) Offensive Pen Test

In this variant, tools and attack vectors from real hacker attacks are used. These attacks aim to take over the target and sometimes also use destructive techniques. This variant is the acid test, because the simulation is carried out with the attacker's own weapons. This includes denial-of-service attacks, but also exploit attacks that crash a system or server in order to take advantage of that moment.


The pen tests for SAP usually take place only at the infrastructure level. This means that the network view and the external view of the database, application server and message server as well as services such as SAP Gateway, etc. are the targets of attack. In addition to a manual analysis of the customer-specific details of the network and the basic server, the testing of the infrastructure also includes the use of standardized system scanners, analogous to the white box test of the SAP environment.


Every profession has its own toolbox. It’s the same with hacking and penetration testing. The set of personal tools that a security expert uses is an expression of their own work style and their own experience. The tools described in this chapter have proved suitable in practice. Which of them finds its way into your own personal toolkit is a question of your own workflow and your own style.
Our tools offer everything needed to carry out a complete pen test in just a few hours. The toolset can be installed on any desktop or laptop, or comes completely pre-installed on the laptops of our consultants.


SAP Application

Conventional attack methods, as used against web applications, are completely meaningless in the area of SAP because SAP as the runtime environment never falls into an unsecured state. Therefore, such a procedure cannot work either. This is exclusively about source code analysis. For this purpose, tools such as the SAP Code Inspector are available in SAP. This is usually not part of a classic penetration test.


A serious penetration tester will always document all steps and provide all additional information such as log files. All results are documented, and for each attack point that is found there is also a guide to rectification (“mitigation”).

Final Presentation

There are several sessions taking place. First, the results are discussed with the SAP base group of the IT center. Above all, it is important to evaluate here against a baseline to be defined, which must be determined jointly.
At the same time, security aspects of the optional SAP Code Scan have to be discussed with application programming.

The results must then be translated by the pen tester into a general assessment and completion report that is agreed with all parties involved. It is important here that critical assessments in particular are discussed with the company, to determine whether “critical” also applies in the respective security context.

SAP Pen Test Package

Within the framework of the SAP Pen Test Package of log (2) oHG, the customer receives the following services:
  • Preparation and contractual setup of the SAP pentest in the company, coordination of the prerequisites and documents to be fulfilled (GDPR-compliant)
  • Conducting a pen test on site in the customer’s infrastructure
  • Processing of the results
  • Agreement and final presentation on site
  • Hand-out: presentation and conclusion study with recommendations for action

Log (2) offers a pen test at a fixed price, which can be done by a customer. This includes a complete analysis of the SAP system from the security point of view and that of a hacker.

The test refers to exactly one SAP system (one SAP SID). The package includes all costs without travel expenses as well as the necessary use of the tools.

Request a quote by sending us a contact request.
