Page 88 - Cyber Defense eMagazine April 2023

What is the SAP Debugger?

The SAP Debugger, also known as the Advanced Business Application Programming (ABAP) Debugger, is one of the most important development tools offered by SAP. An ABAP developer or a technical SAP consultant uses it to analyze problems or to simulate program flows. Usually, the debugger is simply used to understand a certain behavior in SAP ERP and to identify or understand customizing options. Provided that a user has the appropriate authorizations, the debugger can be called from all ABAP screen-based transactions using function code /h. The SAP ABAP Debugger can also be used in OData, WebDynpro for ABAP, etc.

What can I do in the SAP Debugger?

In addition to the generally known functions such as the step-by-step processing of source code and the analysis of values of program variables, there are still some hidden features not known by everyone.

Did you know that you can start a remote debug session with the SAP Debugger, where you can analyze - or influence - a user's SAP session? The feature is not new, by the way, as evidenced by this blog from 2013: Remote ABAP Debugging (https://blogs.sap.com/2013/04/29/remote-abap-debugging/)

Alternatively, you can let the cursor jump from one line to the next without executing the source code in between.

So-called breakpoints can also be set dynamically. Breakpoints stop the debugger, or to be more precise the cursor, at a certain point in the program flow.

In addition to the ability to view the values of a program variable, there is also the option to change values. SAP offers the possibility to authorize this function granularly. More about this in the section: How can I protect myself?

What risks arise from the SAP Debugger?

It was rightly pointed out by the speaker of the SAP webinar mentioned at the beginning of this article that the debugger can be used to compromise the system, provided that the attacker holds or acquires the authorizations to do so.

Some examples spotted in the wild:

• Bypassing authorization checks by resetting the return code (SY-SUBRC) or setting the cursor.
• Changing values in program variables to infiltrate or manipulate the database.
• Modifying the program flow to obtain an abort or a change of the end result.
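Every one of these examples presupposes the Debug & Change authorization, so the first defensive check is an inventory of who actually holds it. The script below is an added example, not code from the article or from SAP: it assumes authorization data exported into the simplified record layout shown (S_DEVELOP with OBJTYPE DEBUG and activity 02 is the real SAP combination behind Debug & Change), and it handles the two details that make a naive check wrong, wildcard or range values and the rule that only fields within the same authorization instance combine.

```python
# Added example, not from the article. S_DEVELOP, OBJTYPE=DEBUG and ACTVT=02 are
# real SAP names; the record layout is a constructed simplified export, not a SAP table.
from typing import NamedTuple


class AuthRecord(NamedTuple):
    user: str       # SAP user ID
    auth: str       # authorization instance; only fields of the same instance combine
    obj: str        # authorization object, e.g. S_DEVELOP
    field: str      # field of the object, e.g. OBJTYPE or ACTVT
    low: str        # single value, prefix ending in '*', or start of a range
    high: str = ""  # end of the range, empty for a single value


def value_covered(value, low, high):
    """SAP-style match: '*' covers everything, 'AB*' is a prefix, LOW..HIGH a range."""
    if low == "*":
        return True
    if high:
        return low <= value <= high
    if low.endswith("*"):
        return value.startswith(low[:-1])
    return value == low


def debug_change_users(records):
    """Users with an S_DEVELOP instance covering both OBJTYPE=DEBUG and ACTVT=02."""
    instances = {}
    for r in records:
        if r.obj == "S_DEVELOP":
            instances.setdefault((r.user, r.auth), []).append(r)
    flagged = set()
    for (user, _), fields in instances.items():
        debug = any(f.field == "OBJTYPE" and value_covered("DEBUG", f.low, f.high) for f in fields)
        change = any(f.field == "ACTVT" and value_covered("02", f.low, f.high) for f in fields)
        if debug and change:
            flagged.add(user)
    return sorted(flagged)


# Constructed sample: ALICE (explicit), CAROL (wildcards) and ERIN (range) hold Debug &
# Change; BOB is display-only; DAVE's DEBUG and 02 sit in different instances.
SAMPLE = [
    AuthRecord("ALICE", "T_DEV01", "S_DEVELOP", "OBJTYPE", "DEBUG"),
    AuthRecord("ALICE", "T_DEV01", "S_DEVELOP", "ACTVT", "02"),
    AuthRecord("BOB", "T_DEV02", "S_DEVELOP", "OBJTYPE", "DEBUG"),
    AuthRecord("BOB", "T_DEV02", "S_DEVELOP", "ACTVT", "03"),
    AuthRecord("CAROL", "T_ALL", "S_DEVELOP", "OBJTYPE", "*"),
    AuthRecord("CAROL", "T_ALL", "S_DEVELOP", "ACTVT", "*"),
    AuthRecord("DAVE", "T_S1", "S_DEVELOP", "OBJTYPE", "DEBUG"),
    AuthRecord("DAVE", "T_S1", "S_DEVELOP", "ACTVT", "03"),
    AuthRecord("DAVE", "T_S2", "S_DEVELOP", "OBJTYPE", "PROG"),
    AuthRecord("DAVE", "T_S2", "S_DEVELOP", "ACTVT", "02"),
    AuthRecord("ERIN", "T_RNG", "S_DEVELOP", "OBJTYPE", "DEBUG"),
    AuthRecord("ERIN", "T_RNG", "S_DEVELOP", "ACTVT", "01", "03"),
]
```

Running `debug_change_users(SAMPLE)` returns the three holders; in a real review the same logic would be fed from the system's authorization data rather than the constructed list.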


Now you must know that if an attacker accesses the coveted Debug & Change permission, he typically does not base the attack on the debugger only but uses it in the Reconnaissance phase or in the Gaining




