Simple SAP Security Breach
TOPICS: Authorization, Data Theft, Hacking, SAP Security
POSTED BY: SAP YARD, AUGUST 18, 2015
It is nearly impossible to prevent a developer from accessing any t-code. We saw an example in our other post titled “Can you really restrict any developer from executing any t-code?”. For almost a decade I (and I am sure, all ABAPers) have been happily using the loopholes in SAP security to access the forbidden transactions, with no malicious intention though, only for speedy analysis and ethical debugging.

But today I am wondering, is it really a loophole or has
I do have authorization to the basic t-code SE11 (Display Table). You might have access to some other common t-codes (you can use those). SE11 is my secret window to all the forbidden t-codes.
Check how?
I am in SE11. Click the Other Object icon (Shift + F5) -> Enhanced Options radio button. Click on the corner square icon for Program or Function Group, or click ‘More’ to get the other areas.

Similarly you can view function modules, services, proxies, web dynpros and what not.
As an ABAPer, I am happy to figure out this alternative way to navigate through the t-codes. This process is especially handy when you want to check something really quick or want to do some comparison during issue mitigation.

If you go via the right path, i.e. –> ask your manager for approval –> raise a ticket for the security team –> wait for approval again –> wait for the security team to provide you the right access, it takes a while. Sometimes you do not have the liberty of waiting and watching for that long. So, ABAPers quickly use this trick, especially in quality and pre-production (where you have the restriction).
Question to Security Guys. Are the developers supposed to access the t-code via this alternate route? Did you guys knowingly provide this alternative? If you know and it is OK to access this way, then we are good.
But, if Security Guys are not aware of this loophole, then there are chances of a bigger security breach. SAP Security folks can end up giving the same alternative in the Production environment too. If this happens, then there can be serious implications and data theft (and I know of clients where you can use this alternative in the Production environment as well).

We would like to hear comments from Security experts. Please provide your opinion on this topic. Should the Security team not close this alternative if the user’s role does not allow him/her to access certain transactions?
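As an added example (not code from the SAP Yard post), a small Python model of why the SE11 detour described above works and what a role that closes it looks like, so the question to the security team can be answered against the role itself. It assumes, from general SAP knowledge rather than from this post, that starting a transaction is checked against the authorization object S_TCODE, while opening a workbench object through the SE11 Other Object dialog is checked against S_DEVELOP (simplified here to the fields OBJTYPE, OBJNAME and ACTVT; the real object has more fields); the role contents, object names and the object-type-to-transaction map are constructed sample data.

```python
from dataclasses import dataclass, field
from fnmatch import fnmatchcase

ACTVT_DISPLAY = "03"
# Natural display transaction for a few workbench object types (constructed map).
TCODE_FOR_OBJTYPE = {"PROG": "SE38", "FUGR": "SE37", "TABL": "SE11", "CLAS": "SE24"}


@dataclass
class Role:
    name: str
    tcodes: set                                   # S_TCODE, field TCD (wildcards allowed)
    develop: list = field(default_factory=list)   # S_DEVELOP entries: OBJTYPE, OBJNAME, ACTVT


def can_start_tcode(role, tcode):
    """S_TCODE check: made when the user types the transaction directly."""
    return any(fnmatchcase(tcode, p) for p in role.tcodes)


def can_display_via_workbench(role, objtype, objname):
    """S_DEVELOP check (simplified): made when SE11 'Other Object' opens a workbench
    object, regardless of whether the user holds that object's own transaction."""
    return any(fnmatchcase(objtype, a["OBJTYPE"]) and fnmatchcase(objname, a["OBJNAME"])
               and ACTVT_DISPLAY in a["ACTVT"] for a in role.develop)


def find_tcode_gaps(role, sample_name="ZANY"):
    """Audit helper: object types the role can open through the SE11 detour although
    the matching transaction is missing from S_TCODE (the situation the post describes)."""
    return sorted(t for t, tc in TCODE_FOR_OBJTYPE.items()
                  if can_display_via_workbench(role, t, sample_name)
                  and not can_start_tcode(role, tc))


# Constructed sample roles.
# Weak: SE37/SE38 were removed from S_TCODE, but S_DEVELOP display was left wide open.
WEAK_ROLE = Role("Z_ABAP_QA_WEAK", {"SE11", "SE16"},
                 [{"OBJTYPE": "*", "OBJNAME": "*", "ACTVT": {"03"}}])
# Hardened: S_DEVELOP display limited to dictionary objects, so the detour finds nothing.
HARDENED_ROLE = Role("Z_ABAP_QA_HARD", {"SE11", "SE16"},
                     [{"OBJTYPE": "TABL", "OBJNAME": "*", "ACTVT": {"03"}},
                      {"OBJTYPE": "DTEL", "OBJNAME": "*", "ACTVT": {"03"}}])

if __name__ == "__main__":
    for role in (WEAK_ROLE, HARDENED_ROLE):
        print(role.name, "| SE37 direct:", can_start_tcode(role, "SE37"),
              "| FUGR via SE11:", can_display_via_workbench(role, "FUGR", "ZFI_PAY"),
              "| gaps:", find_tcode_gaps(role))
```

The point the model makes is that removing a t-code from S_TCODE changes nothing about what the workbench will display; the object-level authorization is what the security team has to narrow.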
ABAPers, please forgive me if your doors get closed. But I am sure no ABAPer wants his/her system and data to be visible to unwanted crooks. It’s our duty to make our environment as robust as possible and protect it from any unforeseen spy or data thief.

Moreover, ABAPers would figure out some other way if this one is closed. ABAPers rock!!!!
Do you have anything more to add to it? Do you have any story to share on this topic? Please feel free to email us at [email protected] or leave it in our comment section.

If you want to get updates about our new tweaks and tricks, please subscribe.

If you liked it, please share it. Thank you very much for your time!!