SAP security assessment

Find what an SoD matrix can't see.

NetWeaver · ABAP · HANA · Fiori · SAProuter, tested by hand for RFC gateway abuse, authority-object chaining, segregation-of-duties violations that move money, ICMAD-class memory corruption, RECON-class unauthenticated user creation, and custom-ABAP injection. Every finding lands with a working proof-of-exploit, code-level fix guidance, and a re-test.

See the SAP attack paths
Four SAP surfaces, NetWeaver/ABAP, HANA, Fiori, SAProuter, converging on one central proof-of-exploit; the NetWeaver tile is highlighted as the exploited finding.

Four SAP surfaces

NetWeaver/ABAP · HANA · Fiori · SAProuter, one method, four control points.

Evidence

Working proof-of-exploit and ABAP-level fix guidance on every finding.

Re-test included

We verify your fixes at no extra cost. One engagement, closed loop.

Why now

The default RFC-Gateway open since '07 still hands attackers SAP_ALL.

Trusted by security teams across Fintech, SaaS & Education, Enterprise & Telecom, Security & Critical Infrastructure

Airbase
Quiltt
Pacvue
Imagine Learning

On record

Accredited testers, audited handling.

CREST is the standard for offensive security execution. CERT-In, SOC 2 Type II, and ISO/IEC 27001 cover how SecureLayer7 handles your SAP landscape, your transport requests, and your engagement record.

  • CREST accredited
    CREST
    Accredited company & testers
  • CERT-In empanelled auditor
    CERT-In
    Empanelled auditor
  • AICPA SOC 2 Type II
    SOC 2 Type II
    Independently audited
  • ISO/IEC 27001
    ISO/IEC 27001
    Information Security Management

Why a role review isn't a pentest

An SoD matrix that passes is not a chain that holds.

GRC tooling and SoD matrices report what your SAP landscape looks like on paper, which authorization objects each user holds, which transactions sit inside which role. A pentest reports what an attacker can actually do with that landscape. SecureLayer7's operators chain those passing rows, S_TCODE for MM02, S_TCODE for FB01, an open RFC trust to the production system, into the proof-of-exploit your basis team can fix and your auditor will accept.

Two columns side by side, what an SAP role / SoD audit reports on the left, and the chained authorization-object exploit each becomes in a manual pentest on the right, terminating in one orange node.
Two columns side by side, what an SAP role / SoD audit reports on the left, and the chained authorization-object exploit each becomes in a manual pentest on the right, terminating in one orange node.

IN SCOPE.

Where we look inside your SAP estate.

ROLES + SOD
Chained authorisations

SAP_ALL leakage, transaction-code combinations the SoD matrix passes, S_RFC + S_TCODE chains.

RFC + GATEWAY
External interfaces

Gateway ACL gaps, registered RFC servers, ABAP-to-Java trust, SOAP / OData endpoints exposed.

CUSTOM ABAP
Code-injection paths

Open SQL injection, directory traversal in custom Z* programs, OS-command via CALL SYSTEM.

BTP + INTEGRATIONS
Cloud + middleware

BTP destinations, Cloud Connector trust, S/4HANA Cloud APIs, IDP federation across landscapes.

What we test —

Six SAP surfaces. One engagement.

Every layer of the SAP landscape gets a manual, threat-modelled review against its real attack surface — kernel, database, presentation, transport, custom code, and authorization. Intensity tunes per scope.

NetWeaver / ABAP kernel

RECON-class unauth user creation (CVE-2020-6287 family), ICMAD memory corruption (CVE-2022-22536 family), authority-object bypass against S_TCODE / S_DEVELOP / S_RFC, ABAP code injection in dynamic CALL TRANSACTION and EXECUTE IMMEDIATELY, transport-request abuse, message server unauthenticated registration.

SAP HANA

SQL injection in custom procedures, SYSTEM privilege escalation, cross-schema access via shared CDS views, _SYS_REPO mis-grants, encryption-at-rest verification, audit-policy gaps, XSA tenant boundary bypass, replication-route abuse on system replication.

S/4HANA & ECC business logic

Segregation-of-duties chains that move money — vendor master maintenance + invoice posting + payment release in one user; F110 payment program abuse via spoofed bank master; MIRO three-way-match bypass; goods-receipt reversal-and-repost flows that paper over inventory shrink.

Fiori / UI5 frontend

OData service authorisation gaps, CSRF token reuse across sessions, UI5 mock-data leakage, Launchpad role-hiding bypass, Gateway service /sap/opu/odata/ exposure, web-dispatcher header-rewrite abuse, BSP application chained-XSS to ABAP RFC.

SAProuter & RFC Gateway

Gateway ACL bypass (reginfo / secinfo gaps), unauthenticated RFC server registration, message-server SXM access, SAProuter route-permission leakage, DIAG / RFC protocol replay where TLS isn't terminated, exposure of internal load-balancer behind public listener.

Custom Z* code & roles

Z-program authority-check omissions, hardcoded SAP* / DDIC credentials in customer transports, ABAP open-SQL injection in customer namespaces, role/profile drift between DEV and PROD landscapes, derived-role inheritance abuse, GRC mitigations that whitelist the chain rather than break it.

SAP METHODOLOGY.

Eight phases. Landscape to transaction.

Threat-modelled to your SAP landscape (clients, RFC trust, custom Z* footprint, GRC mitigations). Not a generic SAP checklist we run against every customer.

  1. 01

    Scope & threat-model

    Landscape topology, client boundaries, RFC trust graph, GRC and SoD-ruleset baseline mapped before any traffic.

  2. 02

    Recon & enumeration

    External exposure of SAProuter, Web Dispatcher, Fiori Launchpad, ICM ports. Internal enumeration of message servers, gateway listeners, attached HANA tenants, RFC destinations.

  3. 03

    Authorization review

    GRC, SoD, and authority-object snapshots collected as leads to chase, not findings to ship. Drift between role design and effective authorisation highlighted.

  4. 04

    Authority exploitation

    Authority-object chaining across S_TCODE, S_DEVELOP, S_RFC; derived-role inheritance abuse; GRC mitigation bypass; default SAP*, DDIC, and EARLYWATCH paths exercised to credential or transaction takeover.

  5. 05

    Kernel & RFC exploitation

    RECON-class auth bypass, ICMAD-class memory corruption, RFC gateway ACL bypass, message-server registration abuse, HANA SYSTEM-privilege escalation, cross-schema CDS pivots, XSA tenant boundary tests.

  6. 06

    Vulnerability analysis

    Findings correlated, chained into business-impact paths (vendor payout, payroll spoof, inventory shrink, SoX-bypass) and scored with SAP-aware blast-radius rather than CVSS in isolation.

  7. 07

    Remediation guidance

    ABAP patch notes, SAP Note IDs, role-redesign diffs, GRC ruleset corrections, transport-request templates, SAProuter and gateway ACL deltas. Written for basis and security architects, not auditors.

  8. 08

    Patch verification

    Every finding re-tested after your team ships the SAP Note or role change, at no extra cost. Written confirmation each path is closed.

Insights

SAP & ERP security Resources.

SAP-side audit notes: RFC abuse, transport drift, and the ABAP/Fiori findings our reviewers file across S/4HANA estates.

Meet our expert

Meet our expert

Nivedita Singh

Security Advisor & Engagement Lead

10+

Years in offensive security

300+

Engagements led

99.7%

On-time delivery rate

Nivedita scopes SAP-pentest engagements against your landscape topology, RFC trust graph, custom Z* footprint, and GRC ruleset. She guides the pod from kick-off through final report and remediation review with your basis and audit teams.

  • Scopes NetWeaver, S/4HANA, ECC, and HANA engagements against your real risk model.
  • Owns kick-off, mid-engagement check-ins, and live walkthrough with basis and audit.
  • Drives remediation review and re-test until every chained authorization path is closed.
SL7 Lab. Published CVE research.
Nivedita Singh, Security Advisor & Engagement Lead at SecureLayer7

Ready to scope an SAP pentest? Book 30 minutes with Nivedita to walk through your landscape, RFC trust, and timeline.

Tested by industry.

The bug classes named below come from real engagements in each sector. Pick the closest fit.

FinTech

SAP for banking treasury, S/4HANA financial close, custody adjacency.

See FinTech pentest

Retail

SAP retail merchandising, vendor master, store-replenishment data flows.

See Retail pentest

Tech SaaS

SAP for SaaS finance & ops, BTP integrations, identity sync to AD/Entra.

See Tech SaaS pentest
Sample SAP pentest report, kill-chain · evidence · remediation

Sample engagement report

See what arrives in your inbox.

A pre-vetted sample report: full vulnerability narrative, working PoC against an SAP authority-object chain, ABAP-level fix guidance, and SAP Note references. Sent on request after a 5-minute scoping call.