8/18/2015 Simple SAP Security Breach | SAP Yard
http://www.sapyard.com/simple-sap-security-breach/
Simple SAP Security Breach
TOPICS: Authorization Data Theft Hacking
SAP Security
POSTED BY: SAP YARD AUGUST 18, 2015
It is nearly impossible to prevent a developer from accessing any t-code. We saw an example in our other post titled “Can you really restrict any developer from executing any t-code?”. For almost a decade I (and, I am sure, all ABAPers) have been happily using the loopholes in SAP security to access the forbidden transactions, with no malicious intention though, only for speedy analysis and ethical debugging.

But today I am wondering: is it really a loophole, or has SAP provided these small windows to the developers knowingly?
SAP Security Guys!! Hope you are reading this.

Check: I do not have access to t-code SE38 (ABAP Editor) in my Pre-Production system. I also do not have access to t-code SE80 (Object Navigator / ABAP Workbench), SE37 (Function Module), etc. in the same system.
I do have authorization to the basic t-code SE11 (Display Table). You might have access to some other common t-code (you can use that). SE11 is my secret window to all the forbidden t-codes.

Check how?

I am in SE11. Click the Other Object icon (Shift + F5) -> Enhanced Options radio button. Click the corner square icon for Program or Function Group, or click ‘More’ to get the other areas.
For the demo, I chose Program. Provide the program name you want to view, and here you are in the ABAP editor. You can see the code.
Similarly you can view function modules, services, proxies, Web Dynpros and what not.

As an ABAPer, I am happy to have figured out this alternative way to navigate through the t-codes. This process is especially handy when you want to check something really quickly or want to do some comparison during issue mitigation.

The right path is: ask your manager for approval -> raise a ticket for the security team -> wait for approval again -> wait for the security team to provide you the right access. Sometimes you do not have the liberty of waiting and watching for that long. So ABAPers quickly use this trick, especially in quality and pre-production (where you have the restriction).
Question to Security Guys:

Are the developers supposed to access the t-codes via this alternate route? Did you guys knowingly provide this alternative? If you know and it is OK to access this way, then we are good.
But if the Security Guys are not aware of this loophole, then there are chances of a bigger security breach. SAP Security folks can end up giving the same alternative in the Production environment too. If this happens, there can be serious implications and data theft (and I know of clients where you can use this alternative in the Production environment as well).
We would like to hear comments from Security experts. Please provide your opinion on this topic. Should the Security team not close this alternative if the user’s role does not allow him/her to access certain transactions?
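One way the security team can check for this, as an added example that is not from the original post: the ABAP Workbench checks the authorization object S_DEVELOP (ACTVT 03 for display, OBJTYPE PROG for programs) when a program is opened, whichever transaction the user came in through, so withholding SE38/SE80/SE37 in S_TCODE alone does not hide source code. The script below scans constructed role rows modelled on the AGR_1251 layout (role, object, field, low, high) and flags roles where the editor t-codes are withheld while S_DEVELOP still permits program display; it merges all authorization instances of a role into one (an over-approximation) and ignores composite roles and user assignments.

```python
"""Detect roles that hide the ABAP editor t-codes in S_TCODE but still grant
S_DEVELOP display on programs, i.e. the restriction the post describes as a
"loophole" is only a transaction-level one.

The rows below are constructed sample data in the AGR_1251 column layout
(AGR_NAME, OBJECT, FIELD, LOW, HIGH); they are not a real role export."""
from collections import defaultdict

SAMPLE_AGR_1251 = [
    # Pre-prod developer role: SE11 only, but S_DEVELOP display on everything.
    ("Z_ABAP_PREPROD", "S_TCODE",   "TCD",      "SE11", ""),
    ("Z_ABAP_PREPROD", "S_TCODE",   "TCD",      "SM37", ""),
    ("Z_ABAP_PREPROD", "S_DEVELOP", "ACTVT",    "03",   ""),
    ("Z_ABAP_PREPROD", "S_DEVELOP", "OBJTYPE",  "*",    ""),
    ("Z_ABAP_PREPROD", "S_DEVELOP", "OBJNAME",  "*",    ""),
    ("Z_ABAP_PREPROD", "S_DEVELOP", "DEVCLASS", "*",    ""),
    ("Z_ABAP_PREPROD", "S_DEVELOP", "P_GROUP",  "*",    ""),
    # Development-system role: the editors are explicitly allowed via a range.
    ("Z_ABAP_DEV",     "S_TCODE",   "TCD",      "SE11", "SE99"),
    ("Z_ABAP_DEV",     "S_DEVELOP", "ACTVT",    "*",    ""),
    ("Z_ABAP_DEV",     "S_DEVELOP", "OBJTYPE",  "*",    ""),
    # Hardened display role: SE11 only AND S_DEVELOP limited to DDIC tables,
    # so opening a program through "Other Object" fails the object-level check.
    ("Z_DISPLAY_ONLY", "S_TCODE",   "TCD",      "SE11", ""),
    ("Z_DISPLAY_ONLY", "S_DEVELOP", "ACTVT",    "03",   ""),
    ("Z_DISPLAY_ONLY", "S_DEVELOP", "OBJTYPE",  "TABL", ""),
]

# The editor transactions named in the post.
EDITOR_TCODES = ("SE38", "SE80", "SE37")


def value_matches(low, high, value):
    """Simplified SAP authorization value semantics: a non-empty HIGH makes a
    LOW..HIGH range, a lone '*' matches everything, a trailing '*' is a prefix
    wildcard, anything else is an exact single value."""
    if high:
        return low <= value <= high
    if low == "*":
        return True
    if low.endswith("*"):
        return value.startswith(low[:-1])
    return low == value


def load_roles(rows):
    """Group rows as role -> object -> field -> [(low, high), ...].
    All authorization instances of a role are merged, which over-approximates
    what a single instance grants; good enough for a first-pass detector."""
    roles = defaultdict(lambda: defaultdict(lambda: defaultdict(list)))
    for agr_name, obj, field, low, high in rows:
        roles[agr_name][obj][field].append((low, high))
    return roles


def field_allows(role, obj, field, value):
    """True if any value interval maintained for obj/field covers value."""
    return any(value_matches(low, high, value)
               for low, high in role.get(obj, {}).get(field, []))


def editors_blocked(role):
    """Editor t-codes the role does NOT grant through S_TCODE field TCD."""
    return [tcd for tcd in EDITOR_TCODES
            if not field_allows(role, "S_TCODE", "TCD", tcd)]


def program_display_allowed(role):
    """The workbench's own check when a program is displayed: S_DEVELOP with
    ACTVT 03 on OBJTYPE PROG. This is evaluated regardless of whether the user
    arrived via SE38 or via SE11 -> Other Object."""
    return (field_allows(role, "S_DEVELOP", "ACTVT", "03")
            and field_allows(role, "S_DEVELOP", "OBJTYPE", "PROG"))


def find_false_restrictions(rows):
    """Roles where the editor t-codes are withheld but program source remains
    readable through S_DEVELOP. Returns {role_name: [blocked t-codes]}."""
    findings = {}
    for name, role in load_roles(rows).items():
        blocked = editors_blocked(role)
        if blocked and program_display_allowed(role):
            findings[name] = blocked
    return findings


if __name__ == "__main__":
    for role_name, blocked in find_false_restrictions(SAMPLE_AGR_1251).items():
        print(f"{role_name}: S_TCODE withholds {', '.join(blocked)} but "
              "S_DEVELOP ACTVT 03 / OBJTYPE PROG still allows source display")
```

On a real system the same rows come from table AGR_1251 (for example via SE16 or an authorization export); the remediation the detector points at is narrowing S_DEVELOP OBJTYPE/ACTVT in the role, not removing more t-codes.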
ABAPers, please forgive me if your doors get closed. But I am sure no ABAPer wants his/her system and data to be visible to unwanted crooks. It’s our duty to make our environment as robust as possible and protect it from any unforeseen spy or data thief.

Moreover, ABAPers would figure out some other way if this one is closed. ABAPers rock!!!!
Do you have anything more to add to it? Do you have any story to share on this topic? Please feel free to email us at mailsapyard@gmail.com or leave it in our comment section.

If you want to get updates about our new tweaks and tricks, please subscribe.

If you liked it, please share it. Thank you very much for your time!!
Image source : www.theregister.co.uk
COPYRIGHT 2015 | SAPYARD BY WWW.SAPYARD.COM
ALL PRODUCT NAMES ARE TRADEMARKS OF THEIR RESPECTIVE COMPANIES. SAPYARD.COM IS NOT AFFILIATED TO SAP AG.