Andreas Wiegenstein (Team Lead, CodeProfiler Research Labs, Virtual Forge)

Presentation Title: SQL Injection with ABAP – Ascending from Open SQL Injection to ADBC Injection
Presentation Abstract

ABAP is the most widely used business programming language today, but little is known about security defects in ABAP code. This session analyzes SQL Injection, one of the most common application security defects, in an ABAP context.

ABAP provides three major techniques to access the SAP database: Open SQL, Native SQL and ADBC. All three have their specific security risks. This session gives detailed technical insights into ABAP-based SQL access methods, their weaknesses and related exploiting techniques. It starts with Open SQL, which was believed to be immune to SQL Injection for many years and has only limited damage potential, and ascends to ADBC SQL Injections, which have devastating effects on an SAP system.

The first part of the presentation introduces the three database access technologies in order to give the audience a basic technical understanding of ABAP SQL access. ADBC (ABAP DataBase Connectivity) in particular is an SQL access mechanism that surprises even the most seasoned ABAP developers. We then continue with a discussion of the relevant security risks and demonstrate exploits, including a very dangerous real-world ADBC vulnerability. Finally, mitigation functions of the SAP standard are discussed.

Witness a demonstration of the first remote-exploitable ADBC SQL Injection!
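The contrast the abstract draws, shown as an added example that is not from the talk or from Virtual Forge: the same lookup written as an ADBC statement built by string concatenation, as an ADBC statement with bound parameters, and as dynamic Open SQL using the SAP standard escaping helper. It assumes the SAP demo table SFLIGHT and a caller-supplied airline code iv_carrid (both assumptions).

```abap
" Added example, not from the talk. Assumes the demo table SFLIGHT (field CARRID)
" and an untrusted input iv_carrid; lcl_flight_lookup is a hypothetical name.
CLASS lcl_flight_lookup DEFINITION.
  PUBLIC SECTION.
    TYPES ty_flights TYPE STANDARD TABLE OF sflight WITH EMPTY KEY.
    " ADBC with string concatenation: the injection sink the talk warns about.
    METHODS adbc_unsafe  IMPORTING iv_carrid TYPE string
                         RETURNING VALUE(rt_flights) TYPE ty_flights
                         RAISING cx_sql_exception.
    " ADBC with parameter markers: input is bound, never parsed as SQL.
    METHODS adbc_safe    IMPORTING iv_carrid TYPE string
                         RETURNING VALUE(rt_flights) TYPE ty_flights
                         RAISING cx_sql_exception.
    " Dynamic Open SQL with cl_abap_dyn_prg=>quote( ) from the SAP standard.
    METHODS opensql_safe IMPORTING iv_carrid TYPE string
                         RETURNING VALUE(rt_flights) TYPE ty_flights.
ENDCLASS.

CLASS lcl_flight_lookup IMPLEMENTATION.
  METHOD adbc_unsafe.
    " A quote character inside iv_carrid ends the literal and the rest of the
    " input is parsed as SQL. Native SQL also bypasses automatic client handling,
    " so the client has to be supplied explicitly.
    DATA(lv_sql) = |SELECT * FROM SFLIGHT WHERE MANDT = '{ sy-mandt }'| &&
                   | AND CARRID = '{ iv_carrid }'|.
    DATA(lo_result) = NEW cl_sql_statement( )->execute_query( lv_sql ).
    lo_result->set_param_table( REF #( rt_flights ) ).
    lo_result->next_package( ).
    lo_result->close( ).
  ENDMETHOD.

  METHOD adbc_safe.
    DATA(lo_stmt) = NEW cl_sql_statement( ).
    " Values are bound to the '?' markers in order; quotes in iv_carrid stay data.
    lo_stmt->set_param( REF #( sy-mandt ) ).
    lo_stmt->set_param( REF #( iv_carrid ) ).
    DATA(lo_result) = lo_stmt->execute_query(
      `SELECT * FROM SFLIGHT WHERE MANDT = ? AND CARRID = ?` ).
    lo_result->set_param_table( REF #( rt_flights ) ).
    lo_result->next_package( ).
    lo_result->close( ).
  ENDMETHOD.

  METHOD opensql_safe.
    " quote( ) wraps the value in quotes and doubles embedded ones, so the
    " dynamic WHERE fragment cannot be broken out of. Open SQL adds the client.
    DATA(lv_where) = |CARRID = { cl_abap_dyn_prg=>quote( iv_carrid ) }|.
    SELECT * FROM sflight INTO TABLE @rt_flights WHERE (lv_where).
  ENDMETHOD.
ENDCLASS.
```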

About Andreas Wiegenstein

Andreas Wiegenstein has been working as a professional SAP security consultant for 8 years. He has performed countless SAP code audits and has been researching security defects specific to SAP / ABAP applications.

He leads the CodeProfiler Research Labs at Virtual Forge, a team focusing on SAP/ABAP-specific vulnerabilities and countermeasures. At the CodeProfiler Labs, he works on ABAP security guidelines, ABAP security trainings and an ABAP security scanner, as well as white papers and publications.

Andreas has trained large companies and defense organizations on ABAP security and has spoken at SAP TechEd on several occasions as well as security conferences such as BlackHat and Troopers. He is co-author of the first book on ABAP security (SAP Press 2009). He is also a founding member of BIZEC.org, the Business Security community.