03-24-2017 8:30 PM
I was wondering, if someone wrote a simple script that attempted to connect to SAP 4 times for each user in the system, would they then be able to lock out every user in the system?
I thought of this, because I am writing a webservice, and obviously the first step is connecting with the proper credentials.
The immediate remedy is clear: Basis would have to reset all users. I was just wondering if there would possibly be a way to block this. It seems like a really simple way for a nefarious person to take down the system. Perhaps the IP could be locked from connecting after too many attempts?
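One way to act on the per-source throttling idea raised in this post, as an added example that is not code from the thread: a small Python script that scans constructed failed-logon records (the record layout and field names are assumptions for the example, not SAP's actual audit log format) and flags any source address that fails against many distinct users within a short window, which is the signature of a lockout sweep rather than one user mistyping a password.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records: (timestamp, source_ip, user, outcome).
# The layout is an assumption for this example, not SAP's audit log format.
SAMPLE_EVENTS = [
    ("2017-03-24 20:30:01", "10.0.0.5", "JSMITH", "FAIL"),
    ("2017-03-24 20:30:02", "10.0.0.5", "JSMITH", "OK"),
    ("2017-03-24 20:31:00", "10.0.0.9", "ADOE", "FAIL"),
    ("2017-03-24 20:31:01", "10.0.0.9", "BLEE", "FAIL"),
    ("2017-03-24 20:31:02", "10.0.0.9", "CKIM", "FAIL"),
    ("2017-03-24 20:31:03", "10.0.0.9", "DNGO", "FAIL"),
    ("2017-03-24 20:31:04", "10.0.0.9", "ERAY", "FAIL"),
    ("2017-03-24 20:45:00", "10.0.0.9", "FWU", "FAIL"),  # outside the window
]


def parse(ts):
    return datetime.strptime(ts, "%Y-%m-%d %H:%M:%S")


def find_lockout_sweeps(events, window=timedelta(minutes=5), min_users=3):
    """Return {source_ip: set(users)} for sources whose failed logons hit
    at least `min_users` distinct accounts inside any sliding `window`.

    Counting distinct users per source, not failures per user, is what
    separates a lockout sweep from ordinary password typos."""
    per_source = defaultdict(list)
    for ts, ip, user, outcome in events:
        if outcome == "FAIL":
            per_source[ip].append((parse(ts), user))

    flagged = {}
    for ip, fails in per_source.items():
        fails.sort()
        start = 0
        for end in range(len(fails)):
            # Advance the window start until the span fits within `window`.
            while fails[end][0] - fails[start][0] > window:
                start += 1
            users = {u for _, u in fails[start:end + 1]}
            if len(users) >= min_users:
                flagged[ip] = flagged.get(ip, set()) | users
    return flagged


if __name__ == "__main__":
    for ip, users in find_lockout_sweeps(SAMPLE_EVENTS).items():
        print(f"{ip}: {len(users)} distinct users failed -> throttle this source")
```

A source flagged this way can be throttled or blocked at the network or gateway layer without locking the targeted user accounts themselves.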
03-27-2017 7:08 PM
Hello Jacob,
Wouldn't you need a list of valid users first? Otherwise, you would have to guess the usernames, which would decrease the success rate of such an attack considerably.
Cheers!
Isaías
03-29-2017 9:46 PM
Isaias,
User names are 12 characters, I believe. Therefore a brute force attack would need... 4 (connection attempts) * 36 (character possibilities) ^ 12 (possible length) = way too many attempts for this to be feasible.
Another consideration is that for larger organizations, sometimes the usernames are standardized (for instance, first 4 characters of last name + department number). Such a standardization would mean the attack could be more dictionary based, and have higher chances of success.
Anyways, I do not have a real requirement here. I was just curious as this seems like a security flaw.
Thanks,
Jacob
03-30-2017 12:59 AM
Hello Jacob,
This is an interesting question.
I am not aware of a protection mechanism that would tackle such an attack...
Maybe someone else on the community can comment on this.
I'll also update this question if I find something.
Cheers!
Isaías