Security Experts:

Connect with us

Hi, what are you looking for?


Application Security

Authentication Vulnerability Enables Attackers to Access SAP Systems, Says Expert

HTTP Request with Modified Header Makes SAP Login Screen Disappear, Researcher Says

SAP environments are often home to an organization’s most important business data, making protecting them paramount for enterprise security.

HTTP Request with Modified Header Makes SAP Login Screen Disappear, Researcher Says

SAP environments are often home to an organization’s most important business data, making protecting them paramount for enterprise security.

Oftentimes however, securing these environments is considered synonymous with segregation of duties controls, creating for some a false sense of security – one that Onapsis CEO Mariano Nuñez Di Croce is hoping to change. To illustrate his point, the CEO will lay bare details of an authentication bypass vulnerability at the Ekoparty conference today in Buenos Aires.

SAP Authentication VulnerabilityThe vulnerability is the result of a combination of two problems, he explained. First, there is an insecure authentication scheme by design, where the SAP system trusts that connections always come from legitimate authentication proxies. Second, customers failing to properly implement best-practices security settings detailed by SAP, by applying proper network filtering and trust relationships.

“The vulnerability resides in the SAP Application Server Java – which is the base framework for critical components such as SAP Enterprise Portal, SAP Process Integration and SAP Mobile Infrastructure – so all these solutions are affected,” he said.

The vulnerability is trivial to exploit, Nuñez Di Croce explained, noting it only takes on HTTP request with a specially-modified header to make the login screen disappear.

“After discovering this vulnerability, I even found out that there was some vague documentation about its root causes publicly available since 2006,” he said. “Therefore, as for somebody with basic knowledge of SAP and Web security performing this attack is so trivial, I won’t be surprised at all to find out that real-world attacks have been performed in the wild during these years.”

Using the vulnerability, an attacker can log-in as the user of his or her choice without specifying a password, allowing them to fully compromise the business information and processes of the target SAP system in the name of fraud or corporate espionage, he said.

“If you think about it, for an attacker to exploit a SoD (segregation of duties) vulnerability, he first needs a user account in the system,” he added. “In the kind of vulnerabilities we are discussing about, attacks can be performed remotely and anonymously, completely bypassing any existing SoD controls. The risk is by far much higher.”

A SAP spokesperson told SecurityWeek that the company works closely with security researchers to identify vulnerabilities and works independently to improve security in their products.

“A trend that we did observe over the last months is the fact that our customers take security more seriously and that our proactive information outreach to our customers is fruitful,” the spokesperson said. “Security is a topic in more and more customer conversations and our security guidelines and recommendations, security services and fixes get more attention than before. This is a very positive trend as it helps to increase the security of our customers.”

According to Nuñez Di Croce, businesses need to find out whether they are exposed to this risk, and then react quickly by applying proper SAP security configurations and reviewing network firewalls to make sure attackers can’t bypass the deployed authentication proxies and access the back-end SAP systems directly.

“These vulnerabilities reside in the base technological frameworks of the SAP systems, which security configuration has been traditionally disregarded,” he said. “Lately, SAP has issued several security notes and guidelines focused exclusively in securing these components. Now customers have to catch-up, but that’s definitely not an easy task if they have dozens or hundreds of SAP servers.”

Onapsis released a white paper at Black Hat DC that touches on SAP application security issues.

Releated Resource: Vulnerability Management Buyer’s Checklist: Key Questions to Ask

Written By

Click to comment

Expert Insights

Related Content

Application Security

Cycode, a startup that provides solutions for protecting software source code, emerged from stealth mode on Tuesday with $4.6 million in seed funding.

Mobile & Wireless

Technical details published for an Arm Mali GPU flaw leading to arbitrary kernel code execution and root on Pixel 6.

Mobile & Wireless

Apple rolled out iOS 16.3 and macOS Ventura 13.2 to cover serious security vulnerabilities.

Cloud Security

VMware vRealize Log Insight vulnerability allows an unauthenticated attacker to take full control of a target system.

Mobile & Wireless

Apple’s iOS 12.5.7 update patches CVE-2022-42856, an actively exploited vulnerability, in old iPhones and iPads.

Identity & Access

Hackers rarely hack in anymore. They log in using stolen, weak, default, or otherwise compromised credentials. That’s why it’s so critical to break the...


Security researchers have observed an uptick in attacks targeting CVE-2021-35394, an RCE vulnerability in Realtek Jungle SDK.

Mobile & Wireless

Two vulnerabilities in Samsung’s Galaxy Store that could be exploited to install applications or execute JavaScript code by launching a web page.