RE: SAP Pen-Test

["Rob Shein" <shoten () starpower net>]

Phenoelit has done some interesting research on this, including the release
of a few exploits for SAP ITS.  I can't say I've seen very much else
covering SAP, however.  You also might find it interesting to read the
chapter of "Stealing the Network: How to Own a Continent" that was written
by FX; in it, he describes a progressive (albeit extremely skilled) attack
against an SAP system.

> -----Original Message-----
> From: Sven Tambler [mailto:tambler.20.tam () spamgourmet com] 
> Sent: Friday, October 29, 2004 4:42 AM
> To: pen-test () securityfocus com
> Subject: SAP Pen-Test
>
>
> Hello everyone,
>
> I want to test a SAP Enterprise Portal. Do you know a tool for 
> pen-testing a SAP portal? Of course, there are a lot of tools and 
> techniques for apache or IIS and you can use them in a similar way. 
> Otherwise there are a lot of SAP originalities and 
> specialities you have 
> to keep in mind. I don´t search for a tool like "nessus for 
> SAP" - such 
> a thing doesn´t exist - but some advices or plug-ins could be very 
> useful. Could you by any chance be able to help?
>
> Thanks - Sven