Know These Hidden SAP Security Dangers before Uploading Files

Posted on by Christoph Nagy

Cybercriminals are breaching business systems with ease. According to Dark Reading, Businesses suffered 50% more cyberattack attempts per week in 2021.” Front-page vulnerabilities such as RECON and PAYDAY allow cybercriminals to compromise applications through the SAP application layer. Of course, the increase in cybersecurity attacks is not welcome news for 99 out of 100 of the largest companies worldwide using SAP ERP solutions.


The Gap

Hackers know there is an open door into SAP where they can exploit users and the application layer by introducing malicious files. Additionally, this attack vector is in the application’s critical path, as attaching supporting documents to transactions is a common requirement in business processes backed by SAP applications.


Many SAP customers presume the Endpoint Detection and Response (EDR) software deployed at the OS layer will protect the SAP applications, but the truth is that’s not the case. File uploads into SAP applications bypass these OS-layer security tools and present a significant threat to internal and external users. Such uploads also threaten the security and integrity of the SAP application and the mission-critical data stored and processed by it. They also entirely bypass any anti-malware or EDR solution installed at the OS Layer of the SAP system.


Malware is just one (smaller) part of the problem. It may be stored inside the content server attached to SAP and pass it on to internal and external users. In addition, other file-based threats can potentially compromise the SAP application.


  • File-Type Filter Evasion: SAP’s built-in file-type filters are limited and only consider the extension of a file. A (potentially malicious) executable renamed with a “.PDF” extension is processed as if it were a PDF. Hackers can use this limitation to place executables in/on the system.
  • Chameleon/Polyglot Files: These will ultimately satisfy the identification criteria of not one but two or more file types. For example, they could be identified as (benign) GIF images and, simultaneously, be valid Java archives containing the attacker’s malicious payload.
  • Active Content is usually embedded in files and triggers action whenever the file is displayed. These malicious actions include various script types, embedded executables, or macros, which have regained popularity as a prevalent way to propagate ransomware, such as Locky, WannaCry, Ryuk, etc. When downloaded from an SAP application, these potentially malicious active components even inherit the same access privileges to the SAP application as the user who downloaded the file.
  • SAPCAR-Based Attacks: In the SAP context, the proprietary SAPCAR archive format is inherently trusted by administrators. Virus scanners cannot analyze the content of SAPCAR archives, making them a potent threat vector.
  • File-Based Cross-Site Scripting: With a cross-site scripting (XSS) attack, hackers insert code, typically JavaScript, into the application markup rendered by the user’s browser.


What makes the matter worse is that none of these threats are identified or blocked by a standard anti-malware solution because—by definition—they are not malware. Instead, they are legitimate features—but extremely dangerous in the context of a mission-critical application.


Minding the Gap

Because standard anti-virus solutions cannot protect against malware or active content within SAP applications, SAP created NW-VSI, a virus-scanning and content-security interface embedded directly in the application infrastructure. When combined with an SAP-certified anti-malware and content-security solution, it protects against malware and SAP-specific file-based threats. In addition, SAP administrators can define granular policies to control what types of files they want to accept into the SAP application. File transfers violating these policies are blocked, and detailed logs are created in SAP’s Security Audit Log.


Finding the Gap

SAP deployments are inherently complex. With a mix of standard code delivered by SAP and custom code, modifications, or add-ons introduced by the customers, it is often challenging to detect file uploads and alert administrators that those pose a threat.


However, cybersecurity experts have found a solution, available as new event classes in SAP’s Security Audit Log. Whenever a file is uploaded and is not subject to a security scan, a warning message is generated. Top security providers can process these messages and proactively alert administrators of this potential security bypass in real time.


Conclusion: Closing the Gap

Cybercriminals are targeting SAP because its applications store a wealth of business intelligence. The door is wide open, from financial payment information to employee names and social security numbers, due to a need for more processes for monitoring uploaded files.


The solution to the SAP file vulnerability challenge is implementing a real-time threat monitoring solution with anomaly detection. Identifying and highlighting file-upload vulnerabilities points administrators to the systems where SAP-certified anti-malware solutions should be deployed. With this level of cybersecurity in place, no matter how often hackers change their attack vectors, the anomaly is detected, reported, and triaged.


With real-time alerts and reports, SAP administrators will be able to understand specific vulnerabilities to content-based attacks and prevent users from unknowingly executing viruses that unleash devastation deep into mission-critical business systems. 

Christoph Nagy

CEO, Security Bridge

DevSecOps & Application Security

application security endpoint detection visibility & response access control

Blogs posted to the website are intended for educational purposes only and do not replace independent professional judgment. Statements of fact and opinions expressed are those of the blog author individually and, unless expressly stated to the contrary, are not the opinion or position of RSA Conference™, or any other co-sponsors. RSA Conference does not endorse or approve, and assumes no responsibility for, the content, accuracy or completeness of the information presented in this blog.

Share With Your Community

Related Blogs