OWASP Core Business Application Security


We are happy to announce that a new project has been added to support the CBAS project. With the contribution of Joris van de Vis, the SAP Internet Research project aims to help organizations and security professionals identify and discover open SAP services facing the internet. This allows individuals to further test these services for any potential threats that might affect their SAP applications.



Introduction

The Core Business Application Security (CBAS) project allows organizations using enterprise business applications to determine an achievable, tailored approach that defines actionable targets and measurable results, with the capability to scale by strengthening people, leveraging processes, and enhancing the use of tools. The project is designed to combine different industry standards and expertise from various security professionals to provide a comprehensive framework that aligns the measures for enterprise application security with the organization’s security strategy. As a result, a framework is created to improve the security governance of the use of enterprise application technology.

Background

Core business applications or enterprise business applications are beneficial to organizations in several ways. Some of these benefits include

  • Combining different business processes under one solution
  • Improving business performance
  • Higher productivity by eliminating redundant processes
  • Flexibility and mobility
  • Easier collaboration between different organizational teams
  • Centralized data

Even though these solutions bring numerous benefits, the security threats against them have not decreased. Maintaining, implementing, and deploying security controls and/or information security standards around such solutions still faces challenges. Some of these challenges include

  • Little to no understanding of the solutions in place
  • Security professionals not involved in the initial phases of deploying and implementing such solutions
  • Security controls being built after the solution is operational and functional, causing blowback from business units

NO MONKEY Security Matrix

The NO MONKEY Security Matrix combines elements of the security operational functions defined by NIST and the IPAC model, created by NO MONKEY and explained below, into a functional graph. The Security Matrix serves as a starting point to

  • Visually show what areas within an organization can be improved
  • Identify responsibility and knowledge gaps that are aligned to the areas of the Security Matrix

IPAC model

NO MONKEY has defined these four security areas to focus the security topics on a core business application. The areas are

  • Integration: focus on different integration scenarios within systems themselves, as well as third-party tools integrating with a core business application environment, including proprietary as well as non-proprietary communication protocols and interfaces. Topics include secure architecture, security design, and general security operation concepts.
  • Platform: consideration of the vulnerabilities, hardening, and configuration of the core business applications. Includes the review of security features and weaknesses in the software’s operations, setup, and security management.
  • Access: consideration of access control and user authorizations measures and methodologies of core business applications.
  • Customization: consideration of the customization of core business applications - including change management, custom code, business customizing, legacy interfaces, and add-ons.

Objectives

While there are many enterprise solutions out there, SAP has been proven to dominate the ERP market. With that in mind, the initial CBAS project release focuses on SAP solutions (CBAS-SAP).

The CBAS-SAP objectives and goals are defined in the Objectives page.

Getting Started

The below video illustrates how you can get started with the Security Aptitude Assessment and Analysis, which serves as the first part of the CBAS project.

[Video: Getting Started]

The HOW-TO page or the Getting Started page also gives an overview of how to start with your assessment and analysis.

Contribution

See the CONTRIBUTING section for more information.


“The more the survey takers are, the better the results and analysis become to understand the gap areas within your organization”

The below video illustrates how you can get started with the Security Aptitude Assessment and Analysis.

Getting Started

To get started, download a copy of the “Security_Aptitude_Analysis”, “SAA_Assessment” and “Survey” documents from the Analysis folder or the Downloads tab.

Assessment requirements:

  • Each assessment must be uniquely identified by an ID number (e.g. 1, 2, 3…)

  • The “Data” sheet inside the assessment should be exported to the generic file “Survey.xlsx”.

  • Once you have copied or exported the data to the “Survey.xlsx” file, edit the data source path in the “Security_Aptitude_Analysis” file to point it to your preferred location.

  • When you open the “Security_Aptitude_Analysis” file, it will prompt you to update the data source (this depends on the Excel version you are running).

  • To manually update the data source, navigate to Data > Edit Links.

  • Then change the source to your preferred path.

  • After changing the data source, whenever you export or copy new data to the “Survey” file, refresh the “Security_Aptitude_Analysis” file to pick up the recent changes: navigate to Data > Refresh All.

CBAS Projects RoadMap

Objectives and goals are defined in the Objectives document. All tasks that enable the success of a project are first raised under the Projects section, and then separated through five different areas:

  • Plan
  • Development
  • Design
  • Research and Development

In order to assure the success of achieving the objectives of the CBAS project, the roadmap is designed with a set of goals to achieve each objective.

All tasks that are created to achieve a specific goal are defined in the Projects section. Once a task has been identified as a priority, it is converted to an ISSUE and placed in the “To Do” column of the Projects section.

While converting tasks to issues, they should be labeled with their respective labels in order to be identified properly.

Example:

  • The below task is associated with one of the goals for achieving the first objective, so it is labeled with the OBJ01 and G01 labels.

On every minor or major release of different aspects of the project we conduct a simple yet effective testing mechanism:

  • Test
  • Adjust
  • Implement

Tag Legend

OBJ: Objective
G: Goals

Objectives

Version | Date | Author
V1.0 | 01/06/2020 | Waseem Ajrab

The success criteria of each objective are identified by the completion of the goals associated with that objective.

Objectives and goals can increase and get adjusted or modified as further requirements arise.

Objective 1

To provide an assessment methodology for security professionals to assess and evaluate SAP security against different platforms, products, integrations, and security areas within their organization

Goals

  • Creating an assessment that identifies gaps against the NO MONKEY Security Matrix
  • Tuning and improving the assessment analysis
  • Identifying and mapping technology and process areas to be included in the assessment

Objective 2

To help and assist organizations with enabling and adopting a personalized SAP security assessment methodology based on a framework that promotes people, processes, and the use of technologies

Goals

  • Automating the assessment methodology

Objective 3

To bring awareness to security professionals of the threats and risks that SAP solutions can present within an organization


The below documents provide organizations and individuals with the necessary information to conduct the Security Aptitude Analysis (SAA) and perform the required analysis to determine the operational gaps within the NO MONKEY Security Matrix.

Required documents:

The How-To page or the Getting Started page will help you with getting started with the analysis and assessment.


Areas of Contribution

We have different areas that we would love for you to help us with. You don’t need to be a security expert to help us out. If you enjoy developing new tools, designing pages, creating documentation, or even translating, we want you!

We are adopting an agile methodology while creating the projects’ roadmap and developing the CBAS project. The Roadmap page will give you a clear idea of how we plan to develop our first area of concentration, CBAS-SAP, and the Project map might also help you decide.

If you still want to help but are not sure how, contact us and we will be happy to discuss it.


SAP Internet Research

Make sure you have the appropriate permissions to actively scan and test applications. Without them, you might face legal implications.

The SAP Internet Research project aims to help organizations and security professionals identify and discover open SAP services facing the internet. This allows individuals to further test these services for any potential threat that might affect SAP applications in their organizations.

Objectives:

  • To allow security professionals to identify and discover SAP internet-facing applications being used by their organization
  • To be able to demonstrate to organizations the risk that can exist from SAP applications facing the internet
  • Aligning the results of the research to a single organization to demonstrate SAP technology risk
  • To allow contribution to the SAP Internet Research project

WIIFM (What’s In It For Me)

Below is a list of how you can benefit from the different research areas of the project:

  • Using different port scanners to discover your organization’s open SAP services that are published to the internet. The services included in the project are:
    • SAPRouter
    • SAP Gateway
    • SAP Internet Graphic Server
    • SAP Message Server Internal Port
    • HANA Database
  • Conducting further analysis on the discovered services
  • Aligning discovery with the Core Business Application Security (CBAS) – Security Aptitude Assessment.
  • Monitoring services within your organization’s IP block that might get published due to misconfiguration

OWASP CBAS project:

Three areas within the NO MONKEY Security Matrix can benefit from the SAP Internet Research project:

  1. Identify – NIST Security Functions
  2. Detect – NIST Security Functions
  3. Integration – IPAC Model

Identify | Integration

When applied to a single organization, the results from the SAP Internet Research project can help organizations concentrate their efforts in the IDENTIFY and INTEGRATION quadrant of the NO MONKEY Security Matrix.

Detect | Integration

Another potential area of benefit is the DETECT and INTEGRATION quadrant: the project allows organizations to automate their monitoring capabilities when it comes to publishing SAP applications to the internet. If publishing these applications is not a requirement and has happened due to misconfiguration, the organization is able to detect it properly.



Requirements

We have conducted our tests using Ubuntu 20.04 and Windows OS, where necessary, but the tools can be installed on any Linux distribution or Windows OS (installation steps on Windows are not mentioned).

Tool Name | Installation | Additional Notes
NMAP | $ sudo apt install nmap | Scan tool. Good for smaller subnets
NMAP ERPSCAN | $ git clone git://github.com/gelim/nmap-erpscan | Improves nmap capabilities when detecting SAP services
ZMAP | $ sudo apt install zmap | Scan tool. Was used for the full 0.0.0.0/8 range
Masscan | $ sudo apt install masscan | Scan tool. Used for large-scale analysis
IFSTAT | $ sudo apt install ifstat | Tool used to check bandwidth
SAPROUTER Utilities | SAP Download Manager | Need an S-User to download the utilities
GIT | $ sudo apt install git | Content tracker
Python | $ sudo apt install python | Can be used for automating detection mechanisms

Initial steps

After installing the appropriate tools, we start by detecting SAP services that can present a risk to your organization if misused or misconfigured.

Use the NMAP-ERPSCAN service probes to find open SAP services for your organization. (External and internal testing is recommended.)

$ git clone git://github.com/gelim/nmap-erpscan

$ cd nmap-erpscan

$ nmap -n --open --datadir . -sV -p $(./sap_ports.py) $TARGET

Changing the data directory (--datadir) helps to better identify SAP services, as their probes are not included in the default data directory of NMAP.

SAPRouter

SAProuter is a reverse proxy for the SAP proprietary RFC protocol. An insecurely configured SAProuter can allow an attacker to discover SAP installations behind the reverse proxy and to force unencrypted communication. Unpatched versions are known to be vulnerable to denial of service attacks and configuration compromise, with published CVEs.

Port | Used Tools | Additional Notes
3299 | NMAP, SAPRouter Utilities |

If the initial scan has not identified any open ports for the SAPRouter, you can try the below command, specifying the SAPRouter port if it is not the default one.

$ nmap -sV -n -p 3299 -Pn $TARGET -oX output_nmap_3299.txt

Identifying the SAPRouter (marked with a red circle in the image below).


In order to further test the SAPRouter and determine whether access is allowed or denied, you will need to download the SAPRouter utilities from the SAP Download Manager using your S-USER. (The S-USER is given to organizations that have deployed or are currently implementing any SAP applications.)

In order to determine whether the access is allowed or not, use the below command.

$ saprouter -L -H $TARGET

Access denied


Access allowed


The above reply shows the SAProuter connection list. This information can be very critical, as it may allow routing from the internet to the internal local network; it is usually defined in, and can be retrieved from, the SAPROUTTAB file.

To automate the process for better detection, you can use the Python script inforequest_saprouter_WIN.py found here.

To run the script use the below syntax:

$ python inforequest_saprouter_WIN.py $filename_with_ip_addresses

SAP RFC Gateway

SAP RFC Gateway is a gateway service which, standalone or as part of an SAP ABAP system, provides the service for the proprietary RFC protocol. Unpatched or misconfigured installations can lead to full system compromise, up to unauthenticated remote code execution vulnerabilities. By default the RFC protocol is not encrypted; communication encryption has to be set up by using SNC.

Port | Used Tools | Additional Notes
3300 | NMAP, NMAP erpscan |

If the initial scan has not identified any open ports for the SAP Gateway, you can try the below command, specifying the SAP Gateway port if it is not the default one.

$ nmap -sV -R -p 3300 -Pn $TARGET

To automate the process for better detection, you can use the files in the 3300 zip file found here. Using the Python script in the files, read the SAP info where possible (run it from a Windows machine, and adjust sysnr=XX in the script to the correct system number):

$ py.exe SAPinfo_WIN_v2.py $filename_with_ip_addresses

To check whether the gateway is vulnerable, use the Gateway_Scanner_RESEARCH_V0.1.py file found here.

$ py.exe Gateway_Scanner_RESEARCH_V0.1.py $filename_with_ip_addresses

SAP Internet Graphic Server

SAP Internet Graphic Server (IGS) provides services to generate web graphics. It can run standalone or integrated in an SAP system. When certain patches are missing, the IGS can be vulnerable to various attacks, leading for example to arbitrary remote file manipulation or denial of service.

Port | Used Tools | Additional Notes
40080 | NMAP, NMAP erpscan |

If the initial scan has not identified any open ports for the SAP Internet Graphic Server, you can try the below command, specifying the SAP Internet Graphic Server port if it is not the default one.

$ nmap -sV -R -p 40080 -Pn $TARGET

SAP Message Server Internal Port

The SAP Message Server Internal Port provides cluster management services between the application servers of an SAP system cluster. When exposed to malicious actors, it can be misused to bypass the protection configuration of the SAP RFC Gateway and allow full system compromise even when the gateway is properly configured.

Port | Used Tools | Additional Notes
3900 | NMAP, NMAP erpscan |

If the initial scan has not identified any open ports for the SAP Message Server Internal Port, you can try the below command, specifying the SAP Message Server Internal port if it is not the default one.

$ nmap -sV -R -p 3900 -Pn $TARGET

HANA Database

The HANA Database SQL client port of the system’s index server provides access to the SQL/MDX functionality of the database via JDBC/ODBC. Database clients for administration and development need access to this service. Encrypted communication can be configured using TLS. Wide exposure of administrative database services comes with inherent risks. Specifically, weak passwords and insufficient TLS configuration, hardening, and patching of the HANA system can expose an attack surface for various exploit scenarios.

Port | Used Tools | Additional Notes
30015 | NMAP, NMAP erpscan |

If the initial scan has not identified any open ports for the HANA Database, you can try the below command, specifying the HANA Database port if it is not the default one.

$ nmap -sV -R -p 30015 -Pn $TARGET
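As an added example for the DETECT | INTEGRATION use case described above (this is not one of the SAP Internet Research project's own scripts), the following Python script reads the XML produced by the nmap scans in the sections above (-oX), keeps only the SAP default ports listed there, and reports any that are not on an allowlist of intentionally published services. The sample XML, the TEST-NET addresses and the names `unexpected_sap_exposure` and `APPROVED` are constructed for this example.

```python
# Added example: flag SAP default ports exposed outside an allowlist, from nmap -oX output
# (not part of the CBAS / SAP Internet Research tooling). Input comes from the scans above, e.g.
#   nmap -sV -n -Pn -p 3299,3300,3900,30015,40080 <your IP block> -oX scan.xml
import xml.etree.ElementTree as ET

# Default SAP service ports from the sections above (instance number 00).
SAP_PORTS = {
    3299: "SAPRouter",
    3300: "SAP RFC Gateway",
    3900: "SAP Message Server Internal Port",
    30015: "HANA Database SQL port",
    40080: "SAP Internet Graphic Server",
}

def parse_open_ports(nmap_xml):
    """Return (ip, port, service_name, product) for every open TCP port in the XML."""
    findings = []
    for host in ET.fromstring(nmap_xml).iter("host"):
        addr = host.find("address[@addrtype='ipv4']")
        if addr is None:
            continue
        for port in host.iter("port"):
            state = port.find("state")
            if port.get("protocol") != "tcp" or state is None or state.get("state") != "open":
                continue
            svc = port.find("service")
            name = svc.get("name", "") if svc is not None else ""
            product = svc.get("product", "") if svc is not None else ""
            findings.append((addr.get("addr"), int(port.get("portid")), name, product))
    return findings

def unexpected_sap_exposure(nmap_xml, allowlist):
    """Open SAP ports whose (ip, port) is not in allowlist: candidates for misconfiguration."""
    return [
        {"ip": ip, "port": p, "service": SAP_PORTS[p], "banner": f"{name} {product}".strip()}
        for ip, p, name, product in parse_open_ports(nmap_xml)
        if p in SAP_PORTS and (ip, p) not in allowlist
    ]

# Constructed nmap XML standing in for real scan output (TEST-NET addresses, made-up banners).
SAMPLE_XML = """<?xml version="1.0"?><nmaprun>
<host><address addr="203.0.113.10" addrtype="ipv4"/><ports>
<port protocol="tcp" portid="3299"><state state="open"/><service name="saprouter" product="SAProuter"/></port>
<port protocol="tcp" portid="3300"><state state="filtered"/></port></ports></host>
<host><address addr="203.0.113.11" addrtype="ipv4"/><ports>
<port protocol="tcp" portid="3900"><state state="open"/><service name="sap-msgserver"/></port>
<port protocol="tcp" portid="443"><state state="open"/><service name="https"/></port></ports></host>
</nmaprun>"""

# The SAPRouter on .10 is intentionally published; the message server internal port on .11 is not.
APPROVED = {("203.0.113.10", 3299)}
if __name__ == "__main__":
    for f in unexpected_sap_exposure(SAMPLE_XML, APPROVED):
        print(f"UNEXPECTED {f['service']} on {f['ip']}:{f['port']} ({f['banner']})")
```

Running it on a scheduled scan of your own IP block and diffing the output against the allowlist gives the automated monitoring the DETECT quadrant asks for.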


Contributors

With the help and support from the security community, we are continuously adding projects and tools that support the CBAS project.

The projects and tools support the different areas addressed in the CBAS project. The structure for the CBAS project is as follows:

  • CBAS-SAP
    • SAP Security Aptitude Assessment
    • SAP Internet Research

Anyone is welcome to contribute their projects and tools to enhance the different areas of the CBAS project; contact us and tell us more.

Core Business Application Security Project

SAP Internet Research Project

The SAP Internet Research project aims to help organizations and security professionals identify and discover open SAP services facing the internet. This allows individuals to further test these services for any potential threat that might affect SAP applications in their organizations. (More on how to conduct the tests in your organization can be found here.)