SAP lock out all users

Mar 24, 2017 at 08:30 PM


I was wondering, if someone wrote a simple script that attempted to connect to SAP 4 times for each user in the system, would they then be able to lock out every user in the system?

I thought of this, because I am writing a webservice, and obviously the first step is connecting with the proper credentials.

The immediate remedy is clear: Basis would have to reset all users. I was just wondering if there would possibly be a way to block this. It seems like a really simple way for a nefarious person to take down the system. Perhaps the IP could be locked from connecting after too many attempts?
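The scenario in the question, replayed against constructed audit records, as an added example that is not from the thread or from SAP: per-user lock counters see only a handful of failures per account, so the script described above locks every account without any single counter looking abnormal. A detector keyed on the source (many distinct users failing from one address in a short window) does see it, and the per-IP throttle the question proposes caps how much of the lockout budget one address can spend. The log format, the 4-failure lock threshold, the window and limit values, and all function names are assumptions chosen for illustration.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed audit lines in an assumed "key=value" format (not SAP's real
# Security Audit Log layout). One source hits six accounts four times each;
# a legitimate user mistypes twice from another address and then logs in.
ATTACKED_USERS = ["ALICE", "BOB", "CAROL", "DAVE", "ERIN", "FRANK"]
SAMPLE_LOG = []
_t = datetime(2017, 3, 24, 20, 30, 0)
for _user in ATTACKED_USERS:
    for _ in range(4):
        _t += timedelta(seconds=1)
        SAMPLE_LOG.append(f"{_t.isoformat()} src=10.0.0.5 user={_user} result=FAIL")
SAMPLE_LOG += [
    "2017-03-24T20:31:00 src=10.0.0.9 user=GRACE result=FAIL",
    "2017-03-24T20:31:05 src=10.0.0.9 user=GRACE result=FAIL",
    "2017-03-24T20:31:10 src=10.0.0.9 user=GRACE result=OK",
]

LOCK_AFTER_FAILURES = 4        # the "4 attempts" figure from the question (assumed lock threshold)
WINDOW = timedelta(minutes=5)  # constructed detection / throttle window
DISTINCT_USER_LIMIT = 5        # constructed: >= 5 different users failing from one source
SOURCE_FAILURE_LIMIT = 10      # constructed: reject a source after 10 failures in WINDOW


def parse_event(line):
    """Parse one constructed audit line into a dict; 'ts' becomes a datetime."""
    ts, *fields = line.split()
    event = dict(f.split("=", 1) for f in fields)
    event["ts"] = datetime.fromisoformat(ts)
    return event


def detect_mass_lockout(lines, window=WINDOW, limit=DISTINCT_USER_LIMIT):
    """Return {source: users} for sources whose failed logins inside any
    `window` span touch at least `limit` distinct users."""
    per_source = defaultdict(list)
    for ev in map(parse_event, lines):
        if ev["result"] == "FAIL":
            per_source[ev["src"]].append((ev["ts"], ev["user"]))
    flagged = {}
    for src, failures in per_source.items():
        failures.sort()
        recent = deque()               # failures still inside the sliding window
        in_window = defaultdict(int)   # user -> failures currently in the window
        for ts, user in failures:
            recent.append((ts, user))
            in_window[user] += 1
            while recent and ts - recent[0][0] > window:
                _, old_user = recent.popleft()
                in_window[old_user] -= 1
                if in_window[old_user] == 0:
                    del in_window[old_user]
            if len(in_window) >= limit:
                flagged.setdefault(src, set()).update(in_window)
    return flagged


class SourceThrottle:
    """Per-source failure budget: the mitigation the question suggests.
    Rejecting a source after too many failures stops one address from
    consuming every account's lockout allowance."""

    def __init__(self, limit=SOURCE_FAILURE_LIMIT, window=WINDOW):
        self.limit, self.window = limit, window
        self.failures = defaultdict(deque)

    def allowed(self, src, now):
        q = self.failures[src]
        while q and now - q[0] > self.window:
            q.popleft()
        return len(q) < self.limit

    def record_failure(self, src, now):
        self.failures[src].append(now)


def simulate_lockouts(lines, throttle=None):
    """Replay the log against a per-user lock counter and return the users
    that end up locked. With a SourceThrottle, attempts from a throttled
    source are rejected before they count against the user."""
    failures = defaultdict(int)
    locked = set()
    for ev in map(parse_event, lines):
        src, user, ts = ev["src"], ev["user"], ev["ts"]
        if throttle is not None and not throttle.allowed(src, ts):
            continue  # rejected at the perimeter; the user's counter is untouched
        if ev["result"] == "FAIL":
            failures[user] += 1
            if throttle is not None:
                throttle.record_failure(src, ts)
            if failures[user] >= LOCK_AFTER_FAILURES:
                locked.add(user)
    return locked


if __name__ == "__main__":
    print("flagged sources:", detect_mass_lockout(SAMPLE_LOG))
    print("locked, no throttle:", sorted(simulate_lockouts(SAMPLE_LOG)))
    print("locked, with throttle:", sorted(simulate_lockouts(SAMPLE_LOG, SourceThrottle())))
```

Without the throttle all six targeted accounts are locked; with a 10-failure per-source budget only the first two are, and the detector flags 10.0.0.5 while the legitimate user on 10.0.0.9 is never mentioned. The throttle is keyed on source address, so it does not help against an attacker who spreads attempts across many addresses; the distinct-user detector still sees each address's share only if it crosses the threshold, which is why the two controls are shown together rather than as alternatives.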


1 Answer

Best Answer
Isaias Freitas
Mar 27, 2017 at 06:08 PM

Hello Jacob,

Wouldn't you need a list of valid users first? Otherwise, you would have to guess the usernames, which would decrease the success rate of such an attack considerably.

Cheers!

Isaías


Isaias,

User names are 12 characters I believe. Therefore a brute force attack would need... 4 (connection attempts) * 36 (character possibilities) ^ 12 (possible length) = way too many attempts for this to be feasible.

Another consideration is that for larger organizations, sometimes the usernames are standardized (for instance, first 4 characters of last name + department number). Such a standardization would mean the attack could be more dictionary based, and have higher chances of success.

Anyways, I do not have a real requirement here. I was just curious as this seems like a security flaw.

Thanks,

Jacob


Hello Jacob,

This is an interesting question.

I am not aware of a protection mechanism that would tackle such an attack...

Maybe someone else on the community can comment on this.

I'll also update this question if I find something.

Cheers!

Isaías
