DeepSec2017 Workshop: SAP CTF Pentest : From Outside To Company Salaries Tampering – Yvan Genuer

Sanna/ October 10, 2017/ Conference, Training

The SAP business suite is widespread among enterprises. It is the heart of the operation, at least in terms of business logic, administration, accounting, and many other cornerstones of big companies. SAP itself was founded in 1972. Its software has now grown up and lives with the Internet and cloud platforms next door. Due to the SAP software being a platform itself, it is quite unwieldy for hackers to handle. If you believe this, then we recommend the SAP CTF Pentest training at DeepSec 2017! Yvan Genuer has something to show to you:

SAP is boring, too big or too complicated? What about learning SAP Security during a fun CTF workshop? Additionally we’ll provide you with a pre-configured attacker VM with all tools required to perform workshop activities. Attendees learn how to work against different SAP Systems targets with different configuration issues in  a ‘realistic’ environment. Few slides, lots of practice – that’s the leitmotiv of this guided SAP pentest workshop.

SAP is no longer an unknown black box for security community and SAP product appears more and more often in audit requests. This training is focused on SAP Netweaver. Because we can’t cover seriously all SAP software in two days, we decided to work on the most frequent vulnerabilities we faced during our pentests. We’ll provide different SAP Systems with different configuration issues in an ‘realistic’ environment, and also a pre-configured attacker VM with all tools required to perform training activities. SAP knowledge is not required.

General knowledge on pentesting.SAP knowledges is NOT required.

Target audience:
Pentesters or security professional. Anyone interested in to learn about SAP Security.

Material to bring by attendees:
A laptop capable of running virtual machine, with 10G free disk space and 1GB Ram for VM.

The course will teach you SAP Netweaver and the SAP platform from inside to outside and vice versa. Technical components such as SAProuter, interactions, the basics of SAP security, the attack surface, risks, the SAP Gui, and many more. If you do penetration testing in an enterprise environment, you cannot do without this knowledge!

Update: Unfortunately the trainer has cancelled the training. We will try to offer SAP related workshops for DeepSec 2018. However you can hack and pen-test enterprise systems/platforms with the knowledge of other trainings and the conference presentations as well.



Yvan has nearly 15 years of experience in SAP. Starting out as a SAP basis administrator for various well-known French companies, since 5 years, he focuses on SAP Security and is now the head of SAP assessment and pentesting at Devoteam security team. Although being a very discreet person, he received official acknowledgements from SAP AG for vulnerabilities he’s reported. Furthermore, he is a longtime member of the Grehack conference organization committee and has conducted a SAP pentest workshop at Clusir 2017, as well as a full training at Hack In Paris 2017.

Share this Post