Application Development Discussions
Join the discussions or start your own on all things application development, including tools and APIs, programming models, and keeping your skills sharp.
Showing results for 
Search instead for 
Did you mean: 

SAP application penetration testing.

Former Member
0 Kudos

Dear All,

Does anyone have information on penetration testing of SAP application? I am looking for the following:

· Tools

· Methodology including any reference material

phenoelit has some resources/vulns for SAP.

and also:

Thanks in advance,

Elad Shapira, CISSP


Former Member
0 Kudos


SAP Security Testing is at the complex end of Application Testing. It's easy to test individual components (e.g. EP or ITS apps can be tested to some extent by more or less any outfit with Web App experience). We've been 'doing' SAP Security Testing for most modules, WAS, EP and ITS for a while now and it's a very strange beast indeed.

The bad news: There aren't any tools (beyond ABAP Workbench and Access/TOAD).

Generally in an SAP test you're looking for the following:

Assurance that underlying infrastructure and databases are secure (So, classic Vulnerability Assessment and Database testing)

Assurance that the SAP instances themselves are sufficiently secured (Authorizations, audit focused points, source code review for Z* and Y* transactions, Interfaces, User Exits etc.)

Assurance that the documentation and procedures are up to scratch (normally a fairly swift policy review, usually highlights the areas that are different).

Please feel free to send me a message offline if there's any specifics you'd like to discuss.