Application Development Discussions
SAP lock out all users

Former Member

I was wondering, if someone wrote a simple script that attempted to connect to SAP 4 times for each user in the system, would they then be able to lock out every user in the system?

I thought of this, because I am writing a webservice, and obviously the first step is connecting with the proper credentials.

The immediate remedy is clear: Basis would have to reset all users. I was just wondering if there would possibly be a way to block this. It seems like a really simple way for a nefarious person to take down the system. Perhaps the IP could be locked from connecting after too many attempts?

1 ACCEPTED SOLUTION

isaias_freitas
Advisor

Hello Jacob,

Wouldn't you need a list of valid users first? Otherwise, you would have to guess the usernames, which would decrease the success rate of such an attack considerably.

Cheers!

Isaías

3 REPLIES


Isaias,

User names are 12 characters, I believe. Therefore a brute-force attack would need... 4 (connection attempts) * 36 (character possibilities) ^ 12 (possible length) = way too many attempts for this to be feasible.

Another consideration is that for larger organizations, sometimes the usernames are standardized (for instance, first 4 characters of last name + department number). Such a standardization would mean the attack could be more dictionary-based, and have higher chances of success.

Anyways, I do not have a real requirement here. I was just curious as this seems like a security flaw.

Thanks,

Jacob


Hello Jacob,

This is an interesting question.

I am not aware of a protection mechanism that would tackle such an attack...

Maybe someone else on the community can comment on this.

I'll also update this question if I find something.

Cheers!

Isaías
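The scenario Jacob describes, one source driving many accounts to the failed-logon limit, leaves a distinctive trace even when no built-in rate limit stops it: failed logons against many distinct user names from one client within a short window. The Python below is an added example, not code from this thread or from SAP, that runs that check over constructed log lines. The line format, the lock threshold of 4 and the 2-minute window are assumptions; the hypothetical lines stand in for whatever logon-failure records the system actually produces.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records (not real SAP audit-log output):
# timestamp, client address, user name, outcome.
# One client hammers three accounts to the limit; another is a user mistyping twice.
SAMPLE_LOG = """\
2024-03-01T09:00:01 10.0.0.5 JSMITH FAIL
2024-03-01T09:00:02 10.0.0.5 JSMITH FAIL
2024-03-01T09:00:03 10.0.0.5 JSMITH FAIL
2024-03-01T09:00:04 10.0.0.5 JSMITH FAIL
2024-03-01T09:00:05 10.0.0.5 ADOE FAIL
2024-03-01T09:00:06 10.0.0.5 ADOE FAIL
2024-03-01T09:00:07 10.0.0.5 ADOE FAIL
2024-03-01T09:00:08 10.0.0.5 ADOE FAIL
2024-03-01T09:00:09 10.0.0.5 BLEE FAIL
2024-03-01T09:00:10 10.0.0.5 BLEE FAIL
2024-03-01T09:00:11 10.0.0.5 BLEE FAIL
2024-03-01T09:00:12 10.0.0.5 BLEE FAIL
2024-03-01T09:05:00 10.0.0.9 CWONG FAIL
2024-03-01T09:05:20 10.0.0.9 CWONG OK
"""

LOCK_THRESHOLD = 4             # assumed failed logons before a user is locked
WINDOW = timedelta(minutes=2)  # assumed detection window
MIN_DISTINCT_USERS = 3         # assumed: this many distinct users failing from one client is a sweep


def parse_log(text):
    """Turn the whitespace-separated records into (time, client, user, failed) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, client, user, outcome = line.split()
        events.append((datetime.fromisoformat(ts), client, user, outcome == "FAIL"))
    return events


def locked_users(events, threshold=LOCK_THRESHOLD):
    """Users whose failed-logon count reached the lock threshold, whatever the source.
    This is the list Basis would have to unlock after a sweep."""
    fails = defaultdict(int)
    for _, _, user, failed in events:
        if failed:
            fails[user] += 1
    return sorted(user for user, count in fails.items() if count >= threshold)


def detect_lockout_sweeps(events, window=WINDOW, min_users=MIN_DISTINCT_USERS):
    """Flag each client that produced failed logons against at least `min_users`
    distinct user names inside any `window`-long span.
    Returns {client: sorted list of user names it failed against}."""
    by_client = defaultdict(list)
    for ts, client, user, failed in events:
        if failed:
            by_client[client].append((ts, user))

    alerts = {}
    for client, fails in by_client.items():
        fails.sort()
        start = 0
        for end in range(len(fails)):
            # Slide the window start forward until the span fits in `window`.
            while fails[end][0] - fails[start][0] > window:
                start += 1
            users = {user for _, user in fails[start:end + 1]}
            if len(users) >= min_users:
                alerts[client] = sorted(set(alerts.get(client, [])) | users)
    return alerts


if __name__ == "__main__":
    events = parse_log(SAMPLE_LOG)
    print("users at lock threshold:", locked_users(events))
    for client, users in detect_lockout_sweeps(events).items():
        print(f"sweep from {client}: {len(users)} distinct users hit -> {users}")
```

The "many distinct users, one client" test separates a lockout sweep from an ordinary user who fumbles a password a few times, which is why the 10.0.0.9 client above is not flagged. Alerting on it early lets Basis unlock the affected accounts and cut off the source before the sweep reaches the whole user base. Note also that a lock caused by failed logons can be configured to clear automatically after a set time (SAP's login/failed_user_auto_unlock profile parameter), which bounds how long such a sweep keeps users out.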