A curated collection of findings, PoCs, and tools for advancing SAP Security
Warning
All PoCs and tools are provided for educational and research purposes only. You are solely responsible for ensuring you have appropriate authorization before testing against any system.
Never test on production SAP systems without proper approval.
This repository is maintained by the OWASP Core Business Application Security (CBAS) project and serves as a public archive of research efforts focused on SAP Security.
Here we collect:
- Research Papers & Whitepapers: novel attack vectors, analysis of SAP technologies, and deep-dives into misconfigurations or overlooked weaknesses.
- Proof-of-Concept Exploits (PoCs): demonstrative code snippets and reproducible environments for responsible testing and education.
- Detection & Hardening Tools: scripts and techniques that help defenders identify vulnerable components and misconfigurations and implement mitigations.
All contributions are intended to educate, empower, and protect the global SAP ecosystem in line with OWASP’s mission.
SAP-Security-Research/
├── papers/ # Research documents and presentations
├── CVE-20XX-XXXX/ # One directory per CVE: proof-of-concept exploits, test scripts and a README describing the CVE
└── README.md
To add your own contribution, fork the repo, create your feature branch, and open a pull request — we review all contributions related to SAP vulnerability research, PoCs, and detection techniques.
Anyone interested in supporting, contributing or giving feedback is welcome to join us in our Discord channel.