Sergio Abraham

Security Researcher Innovation Lead

As one of the first members of the Onapsis Research Labs, he is responsible for researching diverse scenarios and configurations of SAP applications, and for developing and delivering blog posts, SAP Security In-Depth publications, papers and webcasts, as well as talks and trainings at security conferences.

As a result of his experience and work, Sergio has discovered and published several SAP security vulnerabilities affecting diverse SAP components, and has been invited to lecture and deliver trainings at conferences such as Ekoparty, Troopers, HubCon, ASUG and SANS, among others.

Sergio was also the main developer of Onapsis Bizploit (the first open-source SAP penetration testing framework) and the architect of Onapsis X1 (the ERP Security Suite), creating new and innovative security checks for both products.

In terms of consultancy, Sergio has been involved in many kinds of projects across the SAP security ecosystem, such as auditing SAP implementations, defining and implementing SoD rules, performing SAP security assessments and SAP penetration tests, and assisting SAP customers during incident response.

Chinese hackers most likely using one of the top three most common SAP exploits, as identified by Onapsis, to compromise US agencies

The Hill reported on November 3, 2014 that Chinese hackers roamed around unnoticed for months inside the network of USIS, the biggest commercial provider of background investigations to the U.S. federal government.[1] In fact, two of the company's biggest customers were the Department of Homeland Security (DHS) and the Office of Personnel Management (OPM).

IP filtering bypass in SAP Gateway?

Hi! Today I wanted to share some insight on the behavior of SAP Gateway with its ACL files. In particular, I'll focus on the ACL that restricts direct RFC connections to the Gateway (gw/acl_file). Briefly, this ACL does not replace sec_info or reg_info (those restrict external servers); acl_file controls direct RFC connections from external clients or other SAP systems, which is actually the most common kind of RFC connection. Check this document describing the ACL syntax.

Using SAP Gateway as a proxy

Hi! In this post I want to summarize for you another little-known behavior of SAP Gateway: its ability to act as a proxy. Basically, when we want to perform an RFC connection, two parameters are specified: the IP of the gateway and the IP of the application server. But wait... isn't the gateway always located on the same host as the application server? Yes, usually... but there are some specific cases where you need to use these parameters with different values.

Assessing the security of SAP ecosystems: Access from the SAP Application Layer to the Database

In previous posts we performed security assessments on the Management Console.

For the upcoming assessments we will need a tool to connect to the underlying databases. SQL*Plus is an Oracle utility with a basic command-line interface that allows us to connect to Oracle databases and execute queries in a simple fashion.

SAP ecosystem security: understanding our arena

We are used to talking about SAP and its components, but in the following post we will put ourselves in the role of an SAP user faced with the environment we need to protect. This post can be considered an introduction to SAP security and the components we are interested in protecting.

SAP stands for Systems, Applications and Products in Data Processing. It is a Germany-based company which for the last 42 years has been developing the most widely adopted ERP (Enterprise Resource Planning) systems, used by the biggest companies in the world.