Monday, 06 August 2018 07:49

SAP identity theft

At Cyber Security for SAP customers Las Vegas (2017) and Prague (2018) I touched upon the point of identity theft. Especially when one has legitimate access to one single box within a large SAP enterprise landscape it may not be a major challenge for a fraudulent mind to steal an identity and gain access to classified data.

You do not need to be a genius to compromise a SAP system.
You need to be a mastermind to do so without leaving any breadcrumbs


Knowledge as a crucial ingredient

SAP expert knowledge is scarce, at or least demand is high. Me writing and you reading this blog post surely does not make us unique in the SAP space. Globally there are more than 15.000 SAP partner firms! This combined with a vast and global user community means there are sufficient people on planet Earth which have the skill-set required the compromise a SAP system with the target to extract critical data.

Knowledge as a crucial ingredient

And, you do not necessarily need to be a seasoned SAP expert. You will find plenty of how-to manuals using your favorite search engine. Since +70% of the worlds transaction revenue runs through a SAP powered system the risk can no longer be underestimated.

A textbook example

It is surely not my intention to run a blog on how to penetrate a SAP system nor to document attack patterns using identify theft as a crucial ingredient. For this reason we shall review a textbook example, which may not (read should not) work within your environment at all. If it does, please report the same to your basis administrator with reference to this article and the SAP security guide.

We will thus not talk about user injection, password hash extraction, password brute forcing, hash overwrites via SQL-injection, modifying logon tokens, ... instead we trigger an identity theft in its most basic form, using SAP standard function module BAPI_USER_CHANGE.

Identity theft may be a crucial incredient for a more sophisticated SAP attack. 

Using function module BAPI_USER_CHANGE one can easily reset a user password. Since the function is RFC enabled it can be called externally. Especially within non-productive environments the authorization setup, preventing unauthorized access, may not be waterproof. Below we execute a password reset using the test workbench (transaction SE37).


Once a password reset has been executed you have all required credentials to login using a -now compromised- identity. It is very unlikely the legitimate identity owner would report his user-ID as stolen. When password logons are used the user may only wonder why the known password no longer works, but only at the time of the very first fresh logon. Instead of triggering a root-cause-analysis the user may simply use the companies password self-service process to trigger yet another reset.

The SAP Security Audit Log

SAP (audit) logging has improved tremendously over the last few years. It is therefore nearly impossible to operate in true stealth mode. Going back to our password reset example following log entries are generated. Unless an active investigation is triggered these log records would never call for attention.

SAL Alerts

Monitor identity usage

Within our firm usage of identities, across all systems, is monitored on a continuous base. As a SAP add-on partner we naturally walk the talk and use the software we develop.

Involve your SAP user community in protecting their identities. 

Going by the example above the user "My_Boss" would have instantly received following email alert:

IP Email Alert

In case account usage is suspicious this can be reported through one single click, which may trigger actions that reduce impact and mitigate the risk for major system breaches or data theft. When account usage would have been legitimate we go by the concept of explicit trust, not a single action is required from your SAP user community.

Real-time Intrusion detection

By running an intrusion detection system (IDS) a guard can be put on duty which continuously monitors & correlates audit logs, system events and user behavior.

Small organizations not bound to strict audit requirements, like ourselves, cannot afford the efforts nor costs required to regularly run security audits that also have a reliable and proven intelligence to identify identity fraud and data theft. Nonetheless our data assets are equally important, the impact of a data leak or hack would have severe impact.

We therefore build and run an IDS that does the job for us. Out-of-the box intelligence that will call for our attention whenever required.

For larger enterprises deploying an IDS not only provides an answer to many audit requirements, it especially proofs to be an extremely valuable enabler to trigger constant security awareness among your SAP user community.

In an earlier blog post I wrote about a false sense of security, ABAP Code vulnerabilities.

SecurityBridge, a native SAP intrusion detection system

Looking at our IDS following alerts are visible, which got generated while hijacking an identity. SecurityBridge almost instantly identified I used various SAP user accounts via my local terminal.

SAL Timeline

When the genuine identity owner reported a potential abuse of his account I would be caught red handed:

IP Alert

Get an insight into what is really happening within your SAP landscape. Out-of-the-box security intelligence, no lengthy project, no new hardware. Plug and play connect SAP with your SIEM. Experience yourself and request a free test drive.

Probably world's best intrusion detection system. 

SB Fiori Launchpad

Additional Info

  • Language:: English
Ivan Mans

Ivan Mans

Passionate about SAP.

Email This email address is being protected from spambots. You need JavaScript enabled to view it.