Recently I started a new project called Offline Security. Offline Security is new IT Security Project like no other. It is a client-server application for analyzing the security of SAP systems. You collect all the information necessary for generating...
Here's another magic lesson. Today we will focus on the SAP_ALL profile. This profile contains all SAP authorizations (in ABAP systems), meaning that a user with the SAP_ALL profile can perform any action in the system. That’s why SAP doesn’t recomme...
I continue my posts regarding secret knowledge of SAP Consulters to bypass your security. And today I will tell you about calling SAP transactions without authorizations for them. It is known that to invoke transaction codes users need the S_TCODE au...
As you may know there are some basic rules in SAP Security. One of them is to prohibit direct modifications in production systems. All changes in SAP system have to be first implemented in the development system and then could be promoted through the...
There are some user authentication mechanisms in SAP (ABAP systems). One of them – using classical user passwords. Yes, there are modern technics using certificates, tokens, SSO and so on. All of these methods are more complicated and requires additi...
No, you can transport the malicious code to production from other system in the same landscape. Or the developer key can be removed immediately after code modifications. The RSUSR100N report tracks only classical changes in SU01 or PFCG. The way ment...
