Authentication Vulnerability Enables Attackers to Access SAP Systems, Says Expert

HTTP Request with Modified Header Makes SAP Login Screen Disappear, Researcher Says

SAP environments are often home to an organization’s most important business data, making protecting them paramount for enterprise security.

Oftentimes, however, securing these environments is considered synonymous with segregation of duties controls, creating for some a false sense of security – one that Onapsis CEO Mariano Nuñez Di Croce is hoping to change. To illustrate his point, the CEO will lay bare details of an authentication bypass vulnerability at the Ekoparty conference today in Buenos Aires.

The vulnerability is the result of a combination of two problems, he explained. First, there is an insecure authentication scheme by design, where the SAP system trusts that connections always come from legitimate authentication proxies. Second, customers fail to properly implement the best-practice security settings detailed by SAP, namely proper network filtering and trust relationships.

“The vulnerability resides in the SAP Application Server Java – which is the base framework for critical components such as SAP Enterprise Portal, SAP Process Integration and SAP Mobile Infrastructure – so all these solutions are affected,” he said.

The vulnerability is trivial to exploit, Nuñez Di Croce explained, noting it only takes one HTTP request with a specially modified header to make the login screen disappear.

“After discovering this vulnerability, I even found out that there was some vague documentation about its root causes publicly available since 2006,” he said. “Therefore, as for somebody with basic knowledge of SAP and Web security performing this attack is so trivial, I won’t be surprised at all to find out that real-world attacks have been performed in the wild during these years.”

Using the vulnerability, an attacker can log in as the user of his or her choice without specifying a password, allowing them to fully compromise the business information and processes of the target SAP system in the name of fraud or corporate espionage, he said.

“If you think about it, for an attacker to exploit a SoD (segregation of duties) vulnerability, he first needs a user account in the system,” he added. “In the kind of vulnerabilities we are discussing, attacks can be performed remotely and anonymously, completely bypassing any existing SoD controls. The risk is by far much higher.”

An SAP spokesperson told SecurityWeek that the company works closely with security researchers to identify vulnerabilities and works independently to improve security in its products.

“A trend that we did observe over the last months is the fact that our customers take security more seriously and that our proactive information outreach to our customers is fruitful,” the spokesperson said. “Security is a topic in more and more customer conversations and our security guidelines and recommendations, security services and fixes get more attention than before. This is a very positive trend as it helps to increase the security of our customers.”

According to Nuñez Di Croce, businesses need to find out whether they are exposed to this risk, and then react quickly by applying proper SAP security configurations and reviewing network firewalls to make sure attackers can’t bypass the deployed authentication proxies and access the back-end SAP systems directly.
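A defender-side check that models the remediation just described, added here as an example that is not from the article, Onapsis or SAP: it assumes the backend accepts a user identity asserted by an upstream authentication proxy in an HTTP header (the article names no header, so `X-Proxy-Asserted-User` is a hypothetical placeholder), a constructed allow-list of proxy networks, and a constructed access-log format.

```python
import ipaddress
import re

# Placeholder header name: the article does not name SAP's real header, so this is
# a hypothetical stand-in, not an actual SAP identifier.
IDENTITY_HEADER = "x-proxy-asserted-user"
# Constructed allow-list of the networks the authentication proxies sit on.
TRUSTED_PROXY_NETS = [ipaddress.ip_network("10.10.5.0/24")]

def from_trusted_proxy(src_ip: str) -> bool:
    addr = ipaddress.ip_address(src_ip)
    return any(addr in net for net in TRUSTED_PROXY_NETS)

def screen(src_ip: str, headers: dict) -> str:
    """'forward': request came from a proxy, so its asserted identity may be trusted.
    'bypass': non-proxy source asserting an identity, the bypass pattern; reject and alert.
    'reject': non-proxy source without the header; still reject, the backend must only
    be reachable through the proxies."""
    if from_trusted_proxy(src_ip):
        return "forward"
    if any(k.lower() == IDENTITY_HEADER for k in headers):
        return "bypass"
    return "reject"

# Constructed log format: src=<ip> path=<path> hdrs=<Name=value;Name=value>
LOG_RE = re.compile(r"src=(\S+) path=(\S+) hdrs=(\S*)")

def parse_line(line: str):
    m = LOG_RE.search(line)
    if not m:
        return None
    src, path, raw = m.groups()
    return src, path, dict(h.split("=", 1) for h in raw.split(";") if "=" in h)

def audit(lines):
    """Return (src_ip, path, verdict) for every request that is not a clean forward."""
    findings = []
    for parsed in filter(None, map(parse_line, lines)):
        src, path, headers = parsed
        verdict = screen(src, headers)
        if verdict != "forward":
            findings.append((src, path, verdict))
    return findings

SAMPLE_LOG = [  # constructed sample, not real traffic
    "src=10.10.5.7 path=/app hdrs=X-Proxy-Asserted-User=alice;Host=sap.example",
    "src=203.0.113.9 path=/app hdrs=X-PROXY-ASSERTED-USER=bob;Host=sap.example",
    "src=203.0.113.9 path=/app hdrs=Host=sap.example",
]
```

Header matching is case-insensitive on purpose: a check that only looks for one spelling of the header is the kind of naive filter the network-filtering advice above is meant to replace.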

“These vulnerabilities reside in the base technological frameworks of the SAP systems, whose security configuration has traditionally been disregarded,” he said. “Lately, SAP has issued several security notes and guidelines focused exclusively on securing these components. Now customers have to catch up, but that’s definitely not an easy task if they have dozens or hundreds of SAP servers.”

Onapsis released a white paper at Black Hat DC that touches on SAP application security issues.
