SAP Pentest Playbook

Exposed SOAP Services

Description

Connectivity from a BTP subaccount to other systems is configured through destinations, which applications consume via API. The connection type can be on-premise, which connects an application to an on-premise backend system through the Cloud Connector. A destination can also point to an external REST or SOAP service on the Internet, or use PrivateLink, which establishes a private connection to selected services in specific IaaS (Infrastructure as a Service) provider accounts. Each destination can carry several properties that help secure the communication, such as an authentication type that requires a password.

Risk

An attacker who gains access to a BTP application or service instance could use SOAP destinations configured without authentication to gain unauthorized access to backend data or to execute privileged operations (breach of confidentiality and integrity).

Options

  • SOAP destinations can be configured with:
    • NoAuthentication (no credentials required)
    • BasicAuthentication (username/password)
    • OAuth2SAMLBearerAssertion, OAuth2ClientCredentials, or other token-based methods
  • If the Cloud Connector is not properly scoped, some SOAP services are reachable through it without any additional network restrictions
  • WSDLs can be openly exposed, allowing attackers to enumerate the available operations

Mitigation

  • Enforce strong authentication on all SOAP destinations (e.g., OAuth2SAMLBearerAssertion or OAuth2ClientCredentials)
  • Never use NoAuthentication for productive SOAP services
  • Apply the principle of least privilege to destination credentials (technical users with minimal roles)
  • Restrict Cloud Connector access to only required hosts and ports
  • Require authentication for WSDL downloads and disable them in production if possible
  • Monitor destination usage with BTP Audit Logs and restrict which applications can consume each destination
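The checks above can be run as a configuration audit rather than by hand. The following is an added example, not part of the playbook or of any SAP tooling: it reads a constructed export shaped like the destinationConfiguration objects returned by the BTP Destination service (the Name, Type, URL, Authentication and ProxyType keys are the standard property names; hosts and destination names are made up), and flags SOAP destinations that use NoAuthentication or BasicAuthentication, or that point at a WSDL. The SOAP detection by URL path is a heuristic assumption, since BTP has no distinct SOAP destination type.

```python
import json

# Constructed sample shaped like the destinationConfiguration objects the BTP
# Destination service returns (Name, Type, URL, Authentication, ProxyType are
# the standard property keys; hosts and destination names are made up).
SAMPLE_EXPORT = json.dumps([
    {"Name": "ERP_SOAP_PROD", "Type": "HTTP", "ProxyType": "OnPremise",
     "URL": "http://erp.example.internal:8000/sap/bc/srt/rfc/sap/zorder/100/zorder/zorder",
     "Authentication": "NoAuthentication"},
    {"Name": "HR_SOAP", "Type": "HTTP", "ProxyType": "Internet",
     "URL": "https://hr.example.com/services/Employee?wsdl",
     "Authentication": "BasicAuthentication", "User": "svc_hr"},
    {"Name": "CRM_SOAP", "Type": "HTTP", "ProxyType": "OnPremise",
     "URL": "http://crm.example.internal:8000/sap/bc/srt/xip/sap/zcrm",
     "Authentication": "OAuth2SAMLBearerAssertion"},
    {"Name": "PUBLIC_API", "Type": "HTTP", "ProxyType": "Internet",
     "URL": "https://api.example.com/v1/", "Authentication": "NoAuthentication"},
])


def is_soap(dest):
    # Heuristic (assumption): treat the destination as SOAP when its URL hits
    # the SAP Web Service Runtime path (/sap/bc/srt/) or names a WSDL.
    url = dest.get("URL", "").lower()
    return dest.get("Type") == "HTTP" and ("/sap/bc/srt/" in url or "wsdl" in url)


def audit_destinations(export_json):
    """Return (name, severity, reason) for each weak setting on a SOAP destination."""
    findings = []
    for dest in json.loads(export_json):
        if not is_soap(dest):
            continue  # non-SOAP destinations are outside this check's scope
        name = dest.get("Name", "?")
        auth = dest.get("Authentication", "")
        via = "Cloud Connector" if dest.get("ProxyType") == "OnPremise" else "Internet"
        if auth in ("", "NoAuthentication"):  # unset is treated as unauthenticated
            findings.append((name, "HIGH",
                             f"no authentication on SOAP backend reached via {via}"))
        elif auth == "BasicAuthentication":
            findings.append((name, "MEDIUM",
                             f"static password for user {dest.get('User', '?')}; prefer a token-based type"))
        if "wsdl" in dest.get("URL", "").lower():
            findings.append((name, "LOW",
                             "destination targets a WSDL; confirm WSDL download requires authentication"))
    return findings


if __name__ == "__main__":
    for name, sev, reason in audit_destinations(SAMPLE_EXPORT):
        print(f"[{sev}] {name}: {reason}")
```

Feed it the real export of a subaccount's destinations (for example, the JSON returned by the Destination service REST API) to get a first list of destinations that violate the mitigations above.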
