SAP Pentest Playbook

BTP Destinations

Description

In SAP Business Technology Platform (BTP), destinations are central configuration objects that define connectivity settings to remote systems or services. They store essential details such as the target URL, authentication method (e.g. BasicAuth, OAuth2, SAML, Principal Propagation), proxy type (Internet, OnPremise), and additional properties. Destinations are managed in the SAP BTP Cockpit and are consumed at runtime by applications, SAP Integration Suite, CAP-based services, or SAP Launchpad to access external APIs and backend systems.

Risk

Misconfigured or overly permissive destinations can expose sensitive backend systems (e.g. SAP S/4HANA, SuccessFactors, or third-party APIs). Examples of risks include:

  • Unauthorized access to business-critical data (HR, finance, logistics).
  • Leakage of stored credentials in the destination configuration.
  • Abuse of OAuth2 flows to impersonate users.
  • Exploitation of OnPremise destinations via Cloud Connector to reach internal systems.
  • Destinations pointing to non-HTTPS endpoints, leading to potential man-in-the-middle attacks.

In the worst case, an attacker can pivot from the cloud into on-premise systems through an insecure destination setup.

Options

Destinations can be defined and accessed in different ways:

  • SAP BTP Cockpit → Connectivity → Destinations
  • Environment variables via a Destination Service binding in Cloud Foundry or Kyma
  • SAP Business Application Studio → consumption in CAP / UI5 apps
  • Cloud Connector → linking on-premise systems as OnPremise destinations
  • SAP Integration Suite → configuring adapters that access external APIs
  • Programmatic access via the Destination Service API (OAuth2 client credentials flow)
  • btp CLI via a shell
  • cf CLI
  • kubectl via the Kyma environment
  • Kyma services

Mitigation

  • Enforce least privilege on destination authentication (e.g., service accounts with limited roles).
  • Use OAuth2 / Principal Propagation instead of hardcoded BasicAuth.
  • Always configure HTTPS endpoints; avoid plain HTTP.
  • Protect and restrict access to the Cloud Connector to avoid lateral movement.
  • Audit destination definitions regularly for exposed credentials or unused entries.
  • Apply role-based access control (RBAC) in BTP to limit who can create or modify destinations.
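The audit step above can be partly automated. The following Python script is an added example, not part of the playbook: it scans a JSON list of destination definitions for the weak settings this page names (plain HTTP, BasicAuth with stored credentials, unauthenticated OnPremise destinations). It assumes the property names used by the destination configuration format (Name, URL, ProxyType, Authentication, User, Password); the sample entries are constructed.

```python
import json
from typing import Dict, List
from urllib.parse import urlparse

# Constructed sample of destination definitions. Assumption: the JSON keys
# (Name, Type, URL, ProxyType, Authentication, User, Password) follow the
# destination configuration property names; the values are made up.
SAMPLE_DESTINATIONS = json.dumps([
    {"Name": "S4_PROD", "Type": "HTTP", "URL": "http://s4host.corp.example:8000",
     "ProxyType": "OnPremise", "Authentication": "BasicAuthentication",
     "User": "RFC_USER", "Password": "changeme"},
    {"Name": "SFSF_API", "Type": "HTTP", "URL": "https://api.sf.example/odata/v2",
     "ProxyType": "Internet", "Authentication": "OAuth2SAMLBearerAssertion"},
    {"Name": "LEGACY_HR", "Type": "HTTP", "URL": "https://hr.corp.example",
     "ProxyType": "OnPremise", "Authentication": "NoAuthentication"},
])


def audit_destination(dest: dict) -> List[str]:
    """Return the findings for one destination definition (empty list = clean)."""
    findings = []
    scheme = urlparse(dest.get("URL", "")).scheme.lower()
    auth = dest.get("Authentication", "NoAuthentication")
    on_prem = dest.get("ProxyType") == "OnPremise"
    if scheme == "http":
        findings.append("plain HTTP endpoint; traffic can be intercepted or altered")
    if auth == "BasicAuthentication":
        findings.append("BasicAuthentication; prefer OAuth2 or Principal Propagation")
        if dest.get("Password"):
            findings.append("password stored in the destination definition")
    if auth == "NoAuthentication" and on_prem:
        findings.append("unauthenticated OnPremise destination reachable via Cloud Connector")
    return findings


def audit_destinations(raw_json: str) -> Dict[str, List[str]]:
    """Audit a JSON array of destinations; map each flagged Name to its findings."""
    report = {}
    for dest in json.loads(raw_json):
        findings = audit_destination(dest)
        if findings:
            report[dest.get("Name", "<unnamed>")] = findings
    return report


if __name__ == "__main__":
    for name, findings in audit_destinations(SAMPLE_DESTINATIONS).items():
        print(name)
        for finding in findings:
            print("  -", finding)
```

Feed it the JSON array returned by the Destination Service or exported from the Cockpit to get a per-destination list of issues to fix.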

References