In this small two article series I’ll show how “easy” it can be to discover information and apps not intended for your eyes. Easy is a relative term here. It still means to look out for information, understand what it means, how to combine it and be able to interpret it to come to a conclusion.

Internal apps are the once that you should not be able to access, maybe not even know that they exist. As internal information and apps is for an internal audience, don’t expect that the access is made public for everyone. To find these apps, to access them, you must first find an error, a mistake made by a responsible person or team that gives you a hint that there is something. These mistakes do not have to be huge, something obvious. The people that are responsible for the mistake don’t do these intentionally. These information leakages happen by accident and most of the time are simply overlooked as the focus is on other things. One single mistake normally also not so bad that you get directly access to protected information. But several small mistakes sum up and with a little luck help to gain access to the protected information. This is what makes this complicated to teams and companies. The one mistake that seems negligible, together with several other negligible mistakes sums up to a severe problem. If the errors occur across teams and orgs, rest assured, for them it is harder to get the big picture and talk to each other than for the person that looks at these from the outside. The outside person is able to connect the dots across areas, simply for not knowing that there are internal boundaries.

I’ll share here now how I came across an SAP internal app by finding several small errors and combining them. Don’t worry, nothing big is going to be exposed, no data leakage, just a walkthrough how to get access to an app. And it is already reported to SAP weeks ago.

Part I – SAP Help status page

Let’s follow me in my journey finding a hidden app. Following my journey in your very own browser won’t work. As already stated,: I reported my findings and the information pieces I found are removed. Nevertheless, once it worked, and this is a summary of what I did.

It all started with the SAP Help Portal page. One of the main entry points to SAP related information is the SAP Help Portal. It’s the place to find product documentation.

Normally I enter it via Google search, but you might also access it directly. Yes, this is one of the SAP sites where I am surprised to find out that there is an official entry / home page. Accessed through Google the SAP Help page might have a different layout, depending on the link saved in the search index.

Google search result for “SAP Fiori launchpad extension”.

SAP Help site

If you compare this with the entry page, the design is different, and there is no footer. Going to the official home page of SAP Help, the footer will appear.

It is a nice footer with a lot of information (ignore the link titled Cookie-Präferenzen that for whatever reason is shown in German, while all other texts are in English). What surprised me was the link System Status. Did you know that there is a system status site for SAP Help available?

I did not and of course, I clicked the link 😊

The system status page for the SAP Help Portal opened. I was automatically logged in. I thought this was strange and unexpected. Why have a publicly accessible link that demands authentication, yet not making this clear? The page for the system status opened and it got my attention. The little fact that the page title was not only system status, but System Status (Internal) might have helped in getting my attention.

Obviously, something went wrong here. Either the page is for internal usage only, and access to external users was given by error, or the whole branding is wrong. What surprises most (jaw dropping, facepalm, what the … level of astonishment) is that nobody noticed that. The link to the status page is not hidden. It is on the main site. Start page level. Visible to every single person with internet access. And no one from SAP noticed that something was not OK? Judging from my findings over the last month, I am convinced that too many SAP employees are not aware what internal and external is. And I mean governance is failing drastically, continuously.

Let’s continue at the technical side. I looked a little bit closer at the site. User name is not set, despite being logged on.

That’s because the user name is (was) hard coded in the HTML source code.

The box for Email Notifications contained a link to an internal server.

And the footer wasn’t updated since a while. It contained several old and obsolete images, even one to Google Plus.

This seemed to be a working yet forgotten site and service. OK, it was accessible to everyone as the link was published in the SAP Help footer. Authentication was needed (P/S/D/I/x), but the audience was clearly everyone. The source code gave more hints that some budget ran out a long time ago.

The site loaded Angular in a rather outdated version: 1.4.8

And jQuery in version 1.11.3

The latest hype around the SAP custom font 72 had not reached the site, it was using a different font.

That’s all nice, but honestly, that is how a real world website works. If it works, don’t touch it, and who is constantly updating the libraries and source code? What is more interesting is how the site is working. Its purpose is after all to report the status of the SAP Help portal. This is done by polling the system status.

https://saphelp.hana.ondemand.com/system-status/health

The poll is run in a certain interval and can be traced in the network tab of the browser.

Taking a closer look at the call reveals that several cookies are set by the service. Cookies that define who you are and what your role is.

Seeing that a maybe (?) internal site is exposed externally I added SAP security. On 28.06.2022 I found and reported the above “issues”. SAP worked on it and solved the reported problem. Well, partially. The website got an update: no logon, no internal, no username, no links to internal systems:

As you can see, the website was updated, compared to the current version it looks different. So, what happened? I clicked a mail-to link and things escalated a little bit.

More about this in part 2.