
Virtual Forge Blog

For over 10 years we have helped companies around the world optimize the security and stability of their SAP landscapes. On the Virtual Forge Blog, our experts provide relevant content to help you better understand and mitigate your IT risks.


Thomas Fritsch, Virtual Forge GmbH


Recent Posts

Dangers in SAP® Transport Management Part 5: Logical File Names and Operating System Commands

January 8, 2018, by Thomas Fritsch, Virtual Forge GmbH

So that developers do not have to worry about the specifics of the underlying operating system when accessing files or executing OS commands, SAP® uses the concept of logical file names and logical OS commands. For this purpose, a logical file name (and logical file path) is defined for each physical file name (file path) in question. Analogously, the platform-specific physical commands are assigned to one collective logical command.


Dangers in SAP® Transport Management Part 4: Automated Code Execution while Importing

December 7, 2017, by Thomas Fritsch, Virtual Forge GmbH

Almost every SAP® Basis administrator knows how dangerous XPRA entries in transport requests can be (R3TR XPRA <report name>). In principle, any report that does not require specific parameters can be executed immediately after it has been imported. If the desired report is not yet available in the target system, it can either be imported with the same request or with an earlier transport request. The latter method is better suited to covering up an attack, as the direct connection between planting the code and executing it is not as easy to detect.


Dangers in SAP® Transport Management Part 3: Manipulation of Job Management

November 23, 2017, by Thomas Fritsch, Virtual Forge GmbH

Job Management in SAP® presents a large attack surface for external manipulation. The possibilities range from abusing vulnerabilities in certain SAP standard jobs, through changing critical job attributes, to defining complete jobs and including them via transport request.


Dangers in SAP® Transport Management Part 2: Circumventing AUTHORITY CHECKS transaction-specifically

November 2, 2017, by Thomas Fritsch, Virtual Forge GmbH

The first article of this series discussed the global deactivation of authorization checks for individual authorization objects by means of a transport. A similar risk arises from the possibility of deactivating authorization checks for specific transactions. An attack using this method is even more difficult to detect, as its impact can be limited to a single transaction.


Dangers in SAP Transport Management Part 1: Circumventing AUTHORITY CHECKS

October 11, 2017, by Thomas Fritsch, Virtual Forge GmbH

Opinions on the SAP® authorization concept diverge widely. Certainly, a degree of complexity and the related maintenance effort cannot be denied. Yet the most important requirement, complete protection of all read and write accesses within a program, can be achieved quite well – at least in theory. In practice, there are several ways to circumvent authorization checks.
