How to hack SAP with OutSystems

...and how to avoid being hacked!

Keeping SAP as the back end and OutSystems for the front end and mobile or tablet apps is an approach that can radically speed up your digital transformation. Any kind of mobile or web application can be integrated with SAP, complementing your SAP environment into a modern and future-proof system.


A number of reasons lead our customers to choose a low-code platform like OutSystems on top of their SAP landscape, such as:
- Short delivery time for mobile and web applications
- Overall reduction of IT costs
- New business model opportunities
- Increased efficiency of business processes
- Customer-friendly solutions
- Better developer experience

Does this sound too good to be true? Well, it isn’t! Nevertheless, there are some issues that should be carefully considered. One of them is how to deal with security in an SAP-OutSystems integration scenario, which is what these pages are about.

It almost sounds too good to be true: connect, search and use SAP services in OutSystems. Is it really that simple? Of course, nothing is ever that simple in the IT world. From a technical perspective, using a BAPI (Business Application Programming Interface) is easy enough. But when you do, apart from technical and functional SAP know-how, there are some subjects that need thorough attention. One of them is SAP-OutSystems security.

SAP, as most OutSystems developers know by now, comes packed with functions to create or update its business objects, such as sales orders, purchase orders, plant maintenance orders, etc. B-Synergy and OutSystems implemented, in close collaboration, the functionality in OutSystems to consume those functions. Since these functions can be called from outside SAP they are called RFCs (Remote Function Calls). The more complex ones are called BAPIs (Business Application Programming Interfaces) or contact
How to hack SAP with OutSystems
"If you're in a business that's worth being in, there's someone out there who will find your information valuable"
This is a lesson that more and more corporations are learning.

"Although attacks by outside hackers -- people who illegally access electronic systems to obtain secret information or steal money -- generally receive more publicity, insiders pose a far greater threat to computer security," according to The Lipman Report, a monthly management newsletter published by security consulting firm Guardsmark Inc.
OutSystems comes with functionality to get data out of SAP ECC or S/4HANA very easily by using RFCs. Most companies that want to benefit from this SAP-OutSystems synergy are not aware of this and have not implemented security measures that keep their SAP systems from prying eyes. This is a serious security risk and, from a legal perspective, could be seen as negligence in court cases where private data was stolen.
How easy is it actually to breach an SAP system with OutSystems? When you use a technical SAP user to integrate with OutSystems, a junior developer can make ALL of your SAP system publicly available for querying.

It is therefore very worrying that, of all the customers B-Synergy has encountered in almost 10 years of SAP-OutSystems experience, only one had a security layer implemented. Without naming true identities: a big Dutch brewery, an orange rental company, a large chemical plant, a large bakery and a major retailer are all at serious risk!
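As an added example (not B-Synergy's security layer nor OutSystems code) of what such a layer does: a small Python policy that allowlists, per OutSystems application, which RFC function modules the shared technical user may call, plus a check that replays constructed integration log lines against that policy to flag calls that slipped through. The application names and log format are assumptions; the function module names are standard SAP ones used for illustration.

```python
"""Allowlist enforcement for RFC calls issued through a shared technical SAP user.
Added example, not B-Synergy's or OutSystems' code. It assumes the integration
layer can see the calling OutSystems application and the requested function
module before the RFC is sent, and logs one line per call (constructed format)."""
import re
from dataclasses import dataclass

# Policy: each OutSystems app may call only the function modules it needs.
# Without such a layer the technical user exposes every RFC-enabled module.
POLICY = {
    "SalesPortal": {"BAPI_SALESORDER_GETLIST", "BAPI_SALESORDER_CREATEFROMDAT2"},
    "PlantMaintenanceApp": {"BAPI_ALM_ORDER_GET_DETAIL"},
}
# Generic table readers must stay unreachable from any front-end app.
GENERIC_READERS = {"RFC_READ_TABLE"}

@dataclass
class Decision:
    app: str
    function_module: str
    allowed: bool
    reason: str

def authorize(app, function_module):
    """Decide whether an app may invoke a function module through the technical user."""
    fm = function_module.upper()
    if fm in GENERIC_READERS:
        return Decision(app, fm, False, "generic table reader blocked")
    if fm not in POLICY.get(app, set()):
        return Decision(app, fm, False, "not in app allowlist")
    return Decision(app, fm, True, "allowlisted")

# Constructed integration-layer log format: "<timestamp> app=<name> fm=<module>"
LOG_RE = re.compile(r"app=(?P<app>\S+)\s+fm=(?P<fm>\S+)")

def audit(log_lines):
    """Replay logged calls against the policy and return every violation."""
    violations = []
    for line in log_lines:
        m = LOG_RE.search(line)
        if m:
            d = authorize(m["app"], m["fm"])
            if not d.allowed:
                violations.append(d)
    return violations

SAMPLE_LOG = [  # constructed sample lines
    "2024-01-10T09:00:01Z app=SalesPortal fm=BAPI_SALESORDER_GETLIST",
    "2024-01-10T09:00:05Z app=SalesPortal fm=RFC_READ_TABLE",
    "2024-01-10T09:01:12Z app=Prototype fm=BAPI_USER_GET_DETAIL",
]
```

Running `audit(SAMPLE_LOG)` reports the generic table read and the unregistered prototype app; the same `authorize` check belongs in the call path itself, not only in a log review.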

B-Synergy can audit your SAP-OutSystems integration in one day to help you avoid intentional or unintentional SAP-OutSystems security breaches. When we find threats, you can implement security measures yourself or implement the security layer provided by B-Synergy.

If you are an SAP or OutSystems partner, B-Synergy is more than willing to help secure your customers, your customers' employees and your customers' customers. Another good contact in this regard is Craig Terblanche, Chief Transformation Advisor at ExoSystems.
SAP-OutSystems Login Ticket
SAP Logon Tickets are native to SAP and are issued only in exchange for valid credentials (during logon / inbound communication).

- typically transmitted as a (non-persistent) browser cookie
- transmitted whenever the browser sends an HTTP request to a server (domain constraints apply)
- designed to be used for cross-system SSO (Portal scenario)

SAP Logon Ticket creation is not supported by OutSystems as a standard function in its SAP utilities.
Difference between BAPI and RFC

1. BAPI stands for Business Application Programming Interface. It is a library of functions that are released to the public as an interface into an existing SAP system from an external system. RFC is the protocol used to call functions in an R/3 system by a caller external to R/3, or to call programs external to R/3 from an R/3 system.

2. Functions can only be called via RFC if they are tagged as RFC functions in the SAP development workbench. They are then called RFC function modules. BAPIs are complete sets of (BAPI) function modules that model a business application. If you are familiar with web development: RFC can be compared to HTTP, and BAPIs to CGI applications. In other words, a BAPI function is a function module that can be called remotely using the RFC technology.

3. An RFC (Remote Function Call) describes an external interface to a system function module available in SAP. For example, getting the system parameters is a system function available via RFC.

A BAPI (Business Application Programming Interface) is an RFC-enabled function module that provides external access to an SAP business application, such as creating a sales order.

In effect, all BAPIs are RFCs, but there is a superset of RFCs that are not considered BAPIs. Really, two sides of the same coin.

4. BAPIs are RFC-enabled function modules. The difference between RFC and BAPI lies in business objects. You create business objects, which are then registered in your BOR (Business Object Repository) and can be accessed from outside the SAP system by other (non-SAP) applications written in, for example, VB or Java. In this case you only specify the business object and its method from the external system; with a BAPI there is no direct system call, while an RFC is a direct system call. Some BAPIs provide basic functions and can be used for most SAP business object types. These BAPIs should be implemented the same way for all business object types. Standardized BAPIs are easier to use and prevent users from having to deal with a number of different BAPIs. Whenever possible, a standardized BAPI must be used in preference to an individual BAPI.
SAP OutSystems ODATA Integration

By exposing SAP Business Suite functionality as REST-based OData (Open Data Protocol) services, SAP Gateway enables SAP applications to share data with a wide range of devices, technologies, and platforms in a way that is easy to understand and consume.

Using REST services provides the following advantages:

- Obtain human-readable results; you can use your browser to see what data you will get.
- Use stateless applications.
- Receive related pieces of information, one leading to another.
- Use standard GET, PUT, POST, DELETE, and QUERY. If you know where to GET data, you know where to PUT it, and you can use the same format.

OData is a Web protocol for querying and updating data, applying and building on Web technologies such as HTTP, Atom Publishing Protocol (AtomPub), and RSS (Really Simple Syndication) to provide access to information from a variety of applications. It is easy to understand and extensible, and provides consumers with a predictable interface for querying a variety of data sources.

AtomPub is the standard for treating groups of similar information snippets as it is simple, extensible, and allows anything textual in its content. However, as so much textual enterprise data is structured, there is also a requirement to express what structure to expect in a certain kind of information snippet. As these snippets can come in large quantities, they must be trimmed down to manageable chunks, sorted according to ad-hoc user preferences, and the result set must be stepped through page by page.

OData provides all of the above as well as additional features, such as feed customization that allows mapping part of the structured content into the standard Atom elements, and the ability to link data entities within an OData service (via "…related…" links) and beyond (via media link entries). This facilitates support of a wide range of clients with different capabilities:

- Purely Atom, simply paging through data.
- Hypermedia-driven, navigating through the data web.
- Aware of query options, tailoring the OData services to their needs.

OData is also extensible, like the underlying AtomPub, and thereby allows the addition of features that are required when building easy-to-use applications, both mobile and browser-based. SAP Gateway uses OData for SAP Products, which contains SAP-specific metadata that helps the developer to consume SAP business data, such as descriptions of fields that can be retrieved from the SAP ABAP Dictionary. The following are examples of OData for SAP applications:

- Human-readable, language-dependent labels for all properties (required for building user interfaces).
- Free-text search, within collections of similar entities, and across collections using OpenSearch. OpenSearch can use the Atom Syndication Format for its search results, so the OData entities that are returned by the search fit in, and OpenSearch can be integrated into AtomPub service documents via links with rel="search", per collection as well as on the top level. The OpenSearch description specifies the URL template to use for searching, and for collections it simply points to the OData entity set, using a custom query option with the name of "search".
- Semantic annotations, which are required for applications running on mobile devices to provide seamless integration into contacts, calendar, and telephony. The client needs to know which OData properties contain a phone number, a part of a name or address, or something related to a calendar event.

Not all entities and entity sets will support the full spectrum of possible interactions defined by the uniform interface, so capability discovery will help clients avoiding requests that the server cannot fulfill. The metadata document will tell whether an entity set is searchable, which properties may be used in filter expressions, and which properties of an entity will always be managed by the server.

Most of the applications for "light-weight consumption" follow an interaction pattern called "view-inspect-act", "alert-analyze-act", or "explore & act", meaning that you somehow navigate (or are led) to an entity that interests you, and then you have to choose what to do. The chosen action eventually results in changes to this entity, or entities related to it, but it may be tricky to express it in terms of an Update operation, so the available actions are advertised to the client as special atom links (with an optional embedded simplified "form" in case the action needs parameters) and the action is triggered by POSTing to the target URI of the link.
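As an added example (not SAP's or OutSystems' code) of the capability discovery described above: this Python reads the sap: annotations from a constructed $metadata document and checks a planned request against them, so a client never sends a search or filter the server cannot fulfil. The annotation names (sap:searchable, sap:filterable, sap:creatable, sap:updatable) are SAP's; the service, entity set and property names are constructed.

```python
"""Capability discovery from an SAP Gateway OData V2 $metadata document.
Added example, not SAP's or OutSystems' code; the EDMX is a constructed sample.
It reads the sap: annotations and checks a planned request against them."""
import xml.etree.ElementTree as ET

EDM = "{http://schemas.microsoft.com/ado/2008/09/edm}"
SAP = "{http://www.sap.com/Protocols/SAPData}"

METADATA = """<edmx:Edmx Version="1.0" xmlns:edmx="http://schemas.microsoft.com/ado/2007/06/edmx"
 xmlns:sap="http://www.sap.com/Protocols/SAPData"><edmx:DataServices>
 <Schema Namespace="ZSALES" xmlns="http://schemas.microsoft.com/ado/2008/09/edm">
  <EntityType Name="SalesOrder"><Key><PropertyRef Name="OrderId"/></Key>
   <Property Name="OrderId" Type="Edm.String" sap:creatable="false" sap:updatable="false"/>
   <Property Name="Customer" Type="Edm.String" sap:label="Customer"/>
   <Property Name="Notes" Type="Edm.String" sap:filterable="false"/>
  </EntityType>
  <EntityContainer Name="ZSALES_Entities">
   <EntitySet Name="SalesOrders" EntityType="ZSALES.SalesOrder" sap:searchable="true"/>
   <EntitySet Name="Archive" EntityType="ZSALES.SalesOrder"/>
  </EntityContainer>
 </Schema></edmx:DataServices></edmx:Edmx>"""

def _flag(el, name, default):
    """Read a boolean sap: annotation, applying the SAP default when it is absent."""
    return el.get(SAP + name, default) == "true"

def discover(edmx):
    """Map each entity set to: searchable, filterable properties, server-managed properties."""
    root = ET.fromstring(edmx)
    types = {}
    for et in root.iter(EDM + "EntityType"):
        props = et.findall(EDM + "Property")
        types[et.get("Name")] = {
            "filterable": {p.get("Name") for p in props if _flag(p, "filterable", "true")},
            # neither creatable nor updatable by the client: the server always sets it
            "server_managed": {p.get("Name") for p in props
                               if not _flag(p, "creatable", "true") and not _flag(p, "updatable", "true")},
        }
    caps = {}
    for es in root.iter(EDM + "EntitySet"):
        t = types[es.get("EntityType").split(".")[-1]]
        caps[es.get("Name")] = {"searchable": _flag(es, "searchable", "false"), **t}
    return caps

def check_request(caps, entity_set, search=None, filter_props=()):
    """Return reasons the server could not fulfil a planned request ([] means OK)."""
    c = caps.get(entity_set)
    if c is None:
        return ["unknown entity set " + entity_set]
    problems = ["search not supported on " + entity_set] if search and not c["searchable"] else []
    problems += [p + " is not filterable" for p in filter_props if p not in c["filterable"]]
    return problems
```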
SAP-OutSystems Security protocols
The key is to remember that the CIO is accountable for the overall security and compliance of the enterprise. At this level there is little room for distinction between general IT security, such as email, firewalls and Web servers, and SAP-OutSystems security, which includes controlling how people access the system, the data they process, and the functionality they execute. Effective IT departments adopt a similar philosophy by viewing the IT security picture in its entirety across the whole organization, thereby reducing the risk of breaches of any kind.
B-Synergy delivers a one-day SAP-OutSystems security audit that can help the CIO responsible for SAP-OutSystems integrations decide on the SAP-OutSystems measures to take and the architectures to follow.
Secure SAP-OutSystems Architecture
IDoc, short for Intermediate Document, is an SAP document format for business transaction data transfers.[1] Non-SAP systems can use IDocs as a standard interface for data transfer.[2] IDoc is similar to XML in purpose, but differs in syntax. Both serve the purpose of data exchange and automation in computer systems, but IDoc technology takes a different approach.

While XML allows some metadata about the document itself, an IDoc is obliged to carry information in its header such as its creator, creation time, etc. While XML has a tag-like tree structure containing data and metadata, IDocs use a table with the data and metadata. IDocs also have a status section that records all the processing steps the document has passed or will pass, allowing one to debug and trace the status of the document.

Different IDoc types are available to handle different types of messages. For example, the IDoc format ORDERS01 may be used for both purchase orders and order confirmations.

IDoc technology offers many tools for automation, monitoring and error handling. For example, if the IDocs are customised that way on a particular server, then when a user of an SAP R/3 system creates a purchase order, it is automatically sent via an IDoc and a sales order is immediately created on the vendor's system.

When this order cannot be created because of an application error (for example, the price per piece is lower than allowed for this material), the administrator on the vendor's system sees this IDoc among the erroneous ones and can resolve the situation. If the error is in the master data on the vendor's system, the administrator can correct it and order the IDoc to be processed again.

Because of the flexibility and transparency of IDoc technology, some non-SAP technologies use them as well.