On December 3, Rapid7 security researcher Juan Vazquez hosted a panel of experts for a tweet chat to discuss SAP system hacking. The #pwnSAP chat was a great discussion – here are some highlights.
Juan's first question was, “Can you start by telling us a bit about how SAP system hacking has changed lately?” @todb called this research paper, SAP Penetration Testing Using Metasploit – How to Protect Sensitive ERP Data, “the most complete survey on the state of the art on SAP assessment today.” Panelist @ChrisJohnRiley added, “The available tools for probing and testing SAP security have really increased in recent years” and explained that the general complexity of SAP systems means that reconfiguration/patching can be a nightmare – resulting in companies either being constantly behind the current patch level, or just ignoring it as a lost cause.
So why is it important to pentest an SAP system? Panelist @nmonkee spoke about the devastating consequences that can follow from a compromised SAP system. Even a denial-of-service (DoS) attack can be very costly, he added, and urged people to “disprove the myths.”
Why is SAP so vulnerable to attack? @todb explained that taking your ERP offline to patch takes tons of planning, and every site has different concerns so it's hard to generalize security advice. Lastly, all too often stakeholders don't know how their SAP infrastructure works, because it was installed by contractors.
What are some SAP vulnerabilities that attackers look for? @morrisson replied, “Speaking from a tester's perspective, easiest way in is default creds…there are also a number of auth bypass vulns that can be used to obtain info or access, quite easily. Take for instance the several SOAP unauthenticated requests, and the verb tampering vuln.”
We'll be tweeting again – stay tuned to find out when our next chat will be!