SAP application penetration testing.

Dear All,
Does anyone have information on penetration testing of SAP application? I am looking for the following:
- Tools
- Methodology including any reference material
phenoelit has some resources/vulns for SAP.
http://www.phenoelit.de/whatSAP/index.html
and also:
http://www.it-audit.de/html/ian_sp_sap_sp.html
Thanks in advance,
Elad Shapira, CISSP

Elad,
SAP Security Testing is at the complex end of Application Testing. It's easy to test individual components (e.g. EP or ITS apps can be tested to some extent by more or less any outfit with Web App experience). We've been 'doing' SAP Security Testing for most modules, WAS, EP and ITS for a while now and it's a very strange beast indeed.
The bad news: There aren't any tools (beyond ABAP Workbench and Access/TOAD).
Generally in an SAP test you're looking for the following:
- Assurance that underlying infrastructure and databases are secure (so, classic Vulnerability Assessment and Database testing)
- Assurance that the SAP instances themselves are sufficiently secured (Authorizations, audit focused points, source code review for Z* and Y* transactions, Interfaces, User Exits etc.)
- Assurance that the documentation and procedures are up to scratch (normally a fairly swift policy review, usually highlights the areas that are different).
Please feel free to send me a message offline if there's any specifics you'd like to discuss.
Steve

Similar Messages

  • New version of sapyto - SAP Penetration Testing Framework

    Hello list,
    I'm glad to let you know that a new version of sapyto, the SAP Penetration Testing Framework, is available.
    You can download it by accessing the following link: http://www.cybsec.com/EN/research/sapyto.php
    News in this version:
    This version is mainly a complete re-design of sapyto's core and architecture to support future releases. Some of the new features now available are:
    . Target configuration is now based on "connectors", which represent different ways to communicate with SAP services and components. This makes the framework extensible to handle new types of connections to SAP platforms.
    . Plugins are now divided in three categories:
         . Discovery: Try to discover new targets from the configured/already-discovered ones.
         . Audit: Perform some kind of vulnerability check over configured targets.
         . Exploit: Are used as proofs of concept for discovered vulnerabilities.
    . Exploit plugins now generate shells and/or sapytoAgent objects.
    . New plugins!: User account bruteforcing, client enumeration, SAProuter assessment, and more...
    . Plugin-developer interface drastically simplified and improved.
    . New command switches to allow the configuration of targets/scripts/output independently.
    . Installation process and general documentation improved.
    . Many (many) bugs fixed. :P
    Enjoy!
    Cheers,
    Mariano

    Hi Mariano,
    Thanks for the update.
    We implemented secinfo restrictions 5 years ago, but used a rather complicated approach. We did some tests today (the "local" setting works okay so far) and will continue tomorrow.
    We now use the HOST and USER-HOST set to "local" and let the application security deal with who-can-do-what and this works quite well; though we have encountered some external 3rd party server programs in some cases. It seems to be popular amongst the business folks and some of the products use the gateway monitor to communicate with the SAP system to find out when it has completed processing.
    I think this is a design error, but they of course think otherwise.
    What was interesting to note was that we locked ourselves out of an unprotected system. We changed the gw/monitor from 2 to 1 in a test. This worked. But then the gwmon cannot be used to change it back to 2! So we tried RZ11, and experienced the same. So we changed it to 0 in a test, and then 1 was blocked as well. This appears to be implemented in the kernel, as even hobbling the application coding does not help. The parameter is only dynamic when decreasing the value and increasing the security.
    We had to restart the whole system for the instance profile to take effect again. Rather noisy, and a few developers could take an additional 10 minute coffee break as a result.
    We are testing this on 3 different releases with different config:
    - 4.6C (46D)
    - 6.40
    - 7.00
    The different config relates to:
    - gw/sec_info
    - gw/monitor
    - auth/rfc_authority_check
    Our intention behind this is to improve baseline security and harden some special systems further.
    Cheers,
    Julius
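    A small offline checker, added here as an example (not code from the thread, from sapyto, or from SAP), for the three profile parameters Julius lists (gw/sec_info, gw/monitor, auth/rfc_authority_check) and the secinfo HOST/USER-HOST entries he hardened to "local"; it is also the kind of baseline check behind the "SAP instances sufficiently secured" item in Steve's answer above. The profile and secinfo contents are constructed samples, and the meaning assigned to each parameter value is stated as an assumption in the comments.

```python
"""Offline checker for SAP gateway hardening settings (added example).

Assumed value semantics (see SAP parameter documentation for your release):
  gw/monitor: 0 = no gateway monitoring, 1 = local monitoring only,
              2 = remote monitoring allowed (the weak setting)
  auth/rfc_authority_check: 0 = S_RFC authorization check switched off
  secinfo (version 2 syntax): 'P'/'D' TP=... USER=... USER-HOST=... HOST=...
"""

# Constructed instance profile fragment showing the weak settings.
WEAK_PROFILE = """\
SAPSYSTEMNAME = TST
INSTANCE_NAME = DVEBMGS00
gw/sec_info = $(DIR_DATA)/secinfo
gw/monitor = 2
auth/rfc_authority_check = 0
"""

# Constructed hardened profile: local monitoring only, S_RFC check on.
HARDENED_PROFILE = """\
SAPSYSTEMNAME = TST
INSTANCE_NAME = DVEBMGS00
gw/sec_info = $(DIR_DATA)/secinfo
gw/monitor = 1
auth/rfc_authority_check = 1
"""

# Constructed secinfo files. The first permits any host to start any program;
# the second is the HOST=local / USER-HOST=local approach Julius describes.
WEAK_SECINFO = """\
#VERSION=2
P TP=* USER=* USER-HOST=* HOST=*
P TP=sapxpg USER=* USER-HOST=local HOST=local
D TP=* USER=* USER-HOST=* HOST=*
"""
HARDENED_SECINFO = """\
#VERSION=2
P TP=* USER=* USER-HOST=local HOST=local
D TP=* USER=* USER-HOST=* HOST=*
"""


def parse_profile(text):
    """Return {parameter: value} from 'key = value' profile lines."""
    params = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, val = line.partition("=")
        if sep:
            params[key.strip()] = val.strip()
    return params


def parse_secinfo(text):
    """Return one dict per rule line: action (P/D), fields and file line number."""
    rules = []
    for lineno, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        action, _, rest = line.partition(" ")
        fields = dict(f.split("=", 1) for f in rest.split() if "=" in f)
        rules.append({"line": lineno, "action": action.upper(), **fields})
    return rules


def check_gateway(profile_text, secinfo_text):
    """Return a list of findings; an empty list means nothing was flagged."""
    findings = []
    p = parse_profile(profile_text)
    if p.get("gw/monitor") == "2":
        # Note from the thread: lowering this value is dynamic, raising it
        # again needs a restart, so change it in a maintenance window.
        findings.append("gw/monitor=2: remote gateway monitoring is allowed")
    if "gw/sec_info" not in p:
        findings.append("gw/sec_info not set: default secinfo location applies")
    if p.get("auth/rfc_authority_check") == "0":
        findings.append("auth/rfc_authority_check=0: S_RFC check is switched off")
    for r in parse_secinfo(secinfo_text):
        if r["action"] != "P":
            continue  # deny rules never widen access
        wild = [k for k in ("HOST", "USER-HOST") if r.get(k, "*") == "*"]
        if wild:
            findings.append("secinfo line %d: permit rule TP=%s accepts any %s"
                            % (r["line"], r.get("TP", "*"), ",".join(wild)))
    return findings


if __name__ == "__main__":
    for f in check_gateway(WEAK_PROFILE, WEAK_SECINFO):
        print("FINDING:", f)
    print("hardened:", check_gateway(HARDENED_PROFILE, HARDENED_SECINFO))
```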

  • Create directory on SAP application server with blanks

    Hi,
    Is it possible, and if so how, to create within ABAP a directory on a Linux-based SAP application server whose name contains blanks?
    We've tested with SXPG_COMMAND_EXECUTE but didn't succeed.
    A working code snippet would be great.
    Thanks and kind regards
    Florian

    Hi
    Try with Tcodes SM49/SM69.
    Thanks,
    Sreeram

  • Exception in SAP Application Integrator occured: Unable to process templat

    Hi,
    We are trying to execute a BI report in portal through BEx web and we are getting the below error
    [EXCEPTION]
    com.sapportals.portal.prt.runtime.PortalRuntimeException: Exception in SAP Application Integrator occured: Unable to process template '<System.Access.WAS.protocol>://<System.Access.WAS.hostname><BWLauncherComponent[PORTAL_URL]>;jsessionid=<Request.JSessionID>?sap-ext-sid=<ESID[url_ENCODE]>&Language=<Request.Language>&theme=<LAF.Theme[url_ENCODE]>&sap-lafversions=<LAF.AllVersions[url_ENCODE]>&<Authentication>&<Report>&<BusinessParameters>', because 'Report' is an invalid terminal property of the Root context.
    I have tested the connection in the system and also checked the WebAS name and host details in the system. They look fine.
    Please help me with your inputs.
    Thanks.
    Kind Regards,
    Priyanka.

    This could be the problem. In your portal, copy the PCD path of a folder under which you would like to place this report and paste it in the BEx Analyzer while publishing (PCD link), and see if this helps. A few more points.
    1) You can also publish these queries as reports in portal using BEx Query Designer - there will be an option to publish in portal. You will see it depending upon the version of the designer. If you are able to see that option, selecting the PCD location would require you to have the content admin role in portal.
    2) Manually create iViews in portal (BI Reports) using the query string given to you by your BI folks. You can create either BEx 3.x or 7.0 depending upon the query string.
    Regards
    Mayank

  • How to use non sap application in sap.......?

    hi,
    Does anyone have any idea how to use a non-SAP application, like a Java class, in SAP through ABAP programming? Please let me know.
    thanks in advance.
    saurin shah.

    Hi,
    DATA: COMMAND   TYPE STRING VALUE 'C:\j2sdk1.4.2_08\bin\java',
          DIR       TYPE STRING VALUE 'D:\eclipse\workspace',
          PARAMETER TYPE STRING VALUE 'Helloworld'. "here the name of your Java program
    "EXECUTE starts the program on the frontend PC running SAP GUI, not on the application server
    CALL METHOD CL_GUI_FRONTEND_SERVICES=>EXECUTE
      EXPORTING
        APPLICATION            = COMMAND
        PARAMETER              = PARAMETER
        DEFAULT_DIRECTORY      = DIR
        MINIMIZED              = 'X' "If you need the DOS window to be minimized
      EXCEPTIONS
        CNTL_ERROR             = 1
        ERROR_NO_GUI           = 2
        BAD_PARAMETER          = 3
        FILE_NOT_FOUND         = 4
        PATH_NOT_FOUND         = 5
        FILE_EXTENSION_UNKNOWN = 6
        ERROR_EXECUTE_FAILED   = 7
        OTHERS                 = 8.
    "Always check SY-SUBRC: a failed start otherwise goes unnoticed
    IF SY-SUBRC <> 0.
      MESSAGE 'Could not start the Java program on the frontend' TYPE 'E'.
    ENDIF.
    check this link
    /people/gregor.wolf3/blog/2004/08/26/setup-and-test-sap-java-connector-outbound-connection
    Regards,
    Satish

  • About integration between SAP and non-SAP applications via javaidoc classes

    Hi,All
    We are now implementing an SAP Retail project and have encountered a problem with integration between SAP and non-SAP applications (POS). We want to set up inbound/outbound between SAP and the POS applications in real time; the POS can connect to the SAP system via VPN. Can it be implemented?
    I plan to implement it with the SAP Java Connector IDoc class, but I don't know whether it is the best solution. If not, please give some other proposal.
    I have downloaded the classes from the SAP website and tried them with the samples provided by SAP (JCoIDocSample1.java/JCoIDocSample3.java). In my testing, inbound succeeds, but in SAP Retail IS the standard outbound message type is defined via a file port. Someone told me that the SAP Java Connector IDoc class can only receive IDocs from a tRFC port. Is that true? If not, please tell me how to deploy in SAP so the Java program can receive IDocs from a file port.

    We too are interested in finding information on integration between SAP and Intergraph. Were you able to obtain information, and I was wondering if you could share this with us.
    Thanks,
    Sue
    City of Edmonton

  • SAP Application Development Lead (ABAP) Needed in Fort Worth, Texas

    Hi SAP Community,
    A client of mine in the Aerospace and Defense industry is looking for an SAP Application Development Lead in Fort Worth, Texas for an 11 month contract. Below is the description, if you are interested please email me your resume at <removed> or give me a call at <removed>
    SAP Application Development Lead – ABAP
    Fort Worth, Texas
    Contract - 11 months
    Responsibilities:
    • Lead the development of the technical integration strategy for the SAP environment including approved tools, usage criteria, development standards, and monitoring techniques.
    • Ensure optimization of SAP technical performance in the infrastructure environment, including network, database, and application server performance.
    • Provide oversight to individual project technical development activities to ensure appropriate use of integration tools and standards.
    • Establish an internal staff development plan to train and develop internal expertise in use of SAP technical tools and techniques and testing tools.
    • Participate in SAP issue and change management processes to ensure alignment with business objectives, and appropriate prioritization and assignment of integration related change requests.
    Skills:
    • 7-10 years of experience in ABAP toolsets.
    • Comprehensive knowledge of problem analysis, and design and application development programming techniques.
    • Minimum of 5 years experience in developing and supporting SAP in a complex, multi-organization, multi-landscape environment.
    • Minimum of 5 years experience with SAP’s native integration tools (BAPI, IDOCS, etc).
    • Minimum of 3 years experience with IBM’s WBI (Websphere).
    • Superior organizational skills and excellent communication skills.
    • Strong analytical and problem solving skills.
    • Good customer service skills.
    • Solid project management skills and team-oriented interpersonal skills.
    • Ability to work in a matrix organization.
    Education:
    Bachelor's degree in Computer Science, Engineering, or related discipline with an IT focus is required.
    • This position requires use of information which is subject to the International Traffic in Arms Regulations (ITAR). All applicants must be U.S. persons within the meaning of ITAR. ITAR defines a U.S. person as a U.S. Citizen, U.S. Permanent Resident (i.e. 'Green Card Holder').
    Message was edited by: Rich Heilman

    This is not a recruitment site.  Thanks for NOT posting such threads.
    Regards,
    Rich Heilman

  • How to determine size of a particular client in SAP application server

    R/S all,
    Kindly guide me for "How to determine size (hard disk space) of a particular client in SAP Application Server".

    Hi,
    Have a look at SAP Note 118823 - CC-ADMIN: Size of a client (https://websmp130.sap-ag.de/sap(bD1lbiZjPTAwMQ==)/bc/bsp/spn/sapnotes/index2.htm?numm=118823).
    You can use the report RSSPACECHECK to check the size of an SAP client. You can also use the test run option in client copy to determine the size of a client.
    Hope this helps.
    Regards,
    Varadharajan M

  • How to install SAPGUI Patches(Silently) while SAP application is running.

    Hello All,
    We have SAPGUI 7.10 installed in our environment. We would like to update the SAPGUI patch from 10 to 12. However, we would like this to be installed on all the PCs silently while the SAP application is open.
    We want this to happen because most of the users will be accessing SAP and we want the patch to be pushed silently without user interactions. Please let us know your inputs on this.
    Thanks
    Sarin

    Hello Subash,
    Thanks for the reply. I have gone through the blog. Here is a quote from the blog you sent me…
    "When we made tests with the installation package we noticed that there is a problem when SAPGui/SAPLogon is still running. Is there a possibility to kill any GUI/Logon Process on start of the installation?"
    It appears that it is saying there are issues when the SAP GUI is running. I believe they are saying that the package should kill the SAP GUI prior to installing the patch. Am I reading it correctly?
    If that is the case we could get in trouble if we just kill someone's SAP connection. Please advise...

  • BI SAP Query Connector test fails!

    BI SAP Query Connector test is failing in Portal 7.0 SP6
    Successfully tested the BI SAP Query connector using the URL: http://<myhost>:51200/TSapq/servlet/TestSapq
    But when I try to test from the portal it's failing.
    The connection properties are defined both in the Connection Connector in Visual Admin as well as in the Portal as follows, and user mapping is done as follows.
    Application Server  myhost.xxx.net
    Client  : 010
    Message Server  : myhost.xxx.net
    Query Area  : x
    System Number : 12
    System Name : BWT_SAPQ
    Master Language : en
    User Management
    Logon Method : SAPLOGONTICKET
    User Mapping : Admin, User
    In User Administration I have mapped the BWT_SAPQ system and provided user id and password.
    Below is test result
    Test Connection with Connector
    Test Details:
    The test consists of the following steps:
    1. Retrieve the default alias of the system
    2. Check the connection to the backend application using the connector defined in this system object
    Results
    Retrieval of default alias successful
    Connection failed. Make sure user mapping is set correctly and all connection properties are correct.
    Would really appreciate your help on this.
    Thanks,
    Srinivas

    Hi Aamod,
    It seems like you already have your BI SAP Query system working properly, if you can use it in the BI Integration Wizard. What's the problem you're seeing in VC?
    Systems created with the BI SAP Query Connector are relational systems and therefore expose tables and fields in VC. Via the BI Connector, these systems are 'lent' BI functionality and you can use these tables in the BI Integration Wizard, as you've seen. You might therefore call these "relational BI systems" (just like systems created with the BI JDBC Connector are).
    If you have consulted the System Landscape documentation on configuring properties for a BI SAP Query System (here: http://help.sap.com/saphelp_nw04s/helpdata/en/4b/9afe3323d14005a283dee9101c66fc/frameset.htm) and you're still having problems connecting with the BI SAP Query Connector, I'd suggest you write up a CSS message.
    Hope it helps,
    -m

  • How sap application connect oracle database

    The gurus,
    I just want to know how the SAP application connects to the Oracle database. Where or what are the configuration files at SAP level and Oracle level?
    Thank you
    Edited by: Muzaidi Marjuki on Apr 28, 2011 8:58 AM

    existing database to other database that also running on oracle ( right now we testing for recovery server) in case the existing server going down or have a problem that cannot been restore
    Its similar to DR setup, then why don't you install application at time of initial installation of DR?
    Explain in detail with a clear query.
    Regards,
    Nick Loy

  • How to deploy the application into Test system in NWDI

    Hi ,all
    I have some problems about NWDI. Could you help me?
    I have defined the test system in the runtime system of NWDI.
    As a general rule, the application must be deployed into the test system for testing before transporting the CR, is that right?
    If so, how can I deploy the application into the test system before assembly?
    regards.

    Hi Zhijun,
    Thank you for your reply.
    You are welcome
    After assembly, can I deploy the application into the test system by CMS? I mean, can it be done not through a CR?
    Yes, you import the changes on the "Test" tab of the transport studio of the CMS webui. This will deploy the changes to Test (to the system you have specified in the runtime system configuration for this track)
    And what is the benefit of the Dev system and the Cons system?
    See the guide: http://help.sap.com/saphelp_nw70/helpdata/en/b6/e6b9fc9ec00f4ca4a0d3e0645e87b5/frameset.htm
    Best Regards,
    Ervin

  • SAP Application forms

    Hi, Experts,
    This is Kiran. I am working on SAP Application Forms in the IS-U module. This form has one page, but while running the form it goes to a short dump. The message is "Output is continuous or contains too many pages (>2)". Why did it happen? Actually my application form has one page.
    The error message is: "The termination occurred in ABAP program "SAPLEFGP" in EFG-PRINT"; the main program was "EFG-TEST-PRINT".
    The termination occurred in line 590 of the source code of the include program "LEFGPU01":
    MAC_MAG_SY-OUT 'X'  here the system indicates the error. Please help me with a solution for this; what do I have to do?

    Hello, thanks for your answer.
    I can't use the first option from you, because of the necessity to use SAP Logon Tickets.
    If I understand everything right, it is possible to implement the SAP Logon Ticket library in the integrated application. With Oracle Forms this is not possible, because it is a framework application. The authentication to the Oracle Forms application is transferred over the Oracle Application Server. There is also no possibility to implement the library in the application server.
    Today I talked to Oracle Support and they said that one solution is to use Oracle Access Management as middleware between SAP EP and Oracle Application Server.
    What do you think about this solution? Is it really not possible to integrate Oracle Forms in SAP EP with SAP Logon Tickets without extra software?
    Thanks in advance,

  • SAP provides Load testing/Performance testing tool

    Kindly suggest any Load testing tool which is provided by SAP itself.
    Note to author of this question: I have taken the liberty of moving this to the proper thread.
    cheers, Marilyn

    Hi Swapan,
    I would be glad to know if you can give me a step by step screenshot document for a load test on an SAP application (any module).
    Why I am asking you all this: well, downloading and installing LoadRunner on a desktop/standalone machine is very simple, but when it comes to a network environment where you have the Controller installed on one machine and Load Generators on another machine, and Diagnostics installed on (I don't know where it will be installed) a user/server machine, it is really difficult to imagine/picture the whole scenario by taking x as an example.
    I would be really glad and thankful if someone can let us know how to quick start a project.
    I have gone through the documentation "How to Perform SAP EP Load Testing", good enough to understand, but it would be better if someone had articulated it with interactive screenshots.
    Ok fine, now my next question is, how do we go with the SAP GUI protocol?
    Can someone give me an example with some interactive screenshots?
    If someone is working in SAP, then you may please contribute your knowledge by all means, like https://www.sdn.sap.com/irj/sdn/go/portal/prtroot/docs/webcontent/uuid/ba95531a-0e01-0010-5e9b-891fc040a66c [original link is broken]
    This is a very beautiful video example on SAP BEx reports, with video and voice.
    Recorded by using Camtasia Studio software, which will record your desktop as you work while you explain in voice.
    Hope someone comes up with a nice video presentation on SAP LoadRunner.
    Can you please show me/upload any document with some interactive screenshots on configuring LoadRunner with SAP and testing with the SAP GUI protocol, on any one module of SAP, be it SD, MM, or APO?
    In fact, as of now, I am in urgent need of a sample scenario of a load test using Mercury LoadRunner (SAP GUI protocol) on any SAP module with some interactive screenshots.
    I appreciate your quick response.
    Will award maximum points.
    Please help me by mailing any document with some sample scenarios step by step to my mail id: [email protected].
    Thanks
    Vinni..

  • Sharing support on SAP Application

    Hello experts,
    I'm in charge of finding an approach (theoretically) to ensure that one SAP application related to buildings management will be maintained by two teams without problems. The two teams are in two different countries in Europe.
    My task is to write a guide that clearly outlines the maintenance procedures that will be used by both teams without impacting performance and generating conflicts.
    Support will include: ABAP, authorisations, customizing.
    Thanks in advance

    Bassydiallo,
    You mention a building management application; is that application Strategy Management or SSM being used integrated with other applications? If you are only looking for best practices for creating documentation, this might not be the best forum to get an answer for this question.
    I do have a couple of suggestions. Documentation alone is not going to be a total solution for what you want to accomplish. You also have to plan for some sort of ongoing communication between the two groups so that efforts aren't duplicated and problems aren't created because one group is not keeping the other informed.
    I'd recommend you look at StreamWork http://www.sapstreamwork.com/ which is a collaboration tool SAP offers. Both teams would be able to use the area for your documentation as well as updates on maintenance or customization. It allows you to send email notifications and updates, which you will need to keep the team in sync.
    SAP Solution Manager is part of NetWeaver that has tools for implementing and upgrading SAP solutions, a solution documentation assistant, test management, monitoring business process operations, real-time system monitoring, change control, root cause analysis and service or issue management. You could use this in conjunction with a collaboration tool for shared administration.
    Regards,
    Bob
