Free Security Tools

ERPScan SAP Pentesting Tool

ERPScan SAP Pentesting Tool is NOT a demo or a part of professional products such as ERPScan Security Scanner or ERPScan Security Monitoring Suite. it is just a set of perl scripts for penetration testers. If you want to test our professional product, please proceed by the following link.

ERPScan SAP Pentesting Tool Overview

ERPScan SAP Pentesting Tool is a freeware intended for pentesters and security professionals. With the help of it you can conduct penetration testing and vulnerability assessment of SAP systems using Black Box testing methodologies. You do not need to have any information or credentials of the target system. All the necessary data will be collected by SAP Pentesting tool.

How this tool can help you

    Using ERPScan's SAP Pentesting Tool you can:

  • Obtain information using 20+ disclosure vulnerabilities;
  • Exploit 30+ potential vulnerabilities including Verb Tampering and more;
  • Get access to business critical data or collect the data for simulating other attacks.

ERPScan webxml checker

ERPScan WEBXML checker is a freeware tool intended for checking security configuration of SAP J2EE applications by scanning WEB.XML file for different vulnerabilities and misconfigurations like Verb Tampering, Invoker servlet bypass and others. Detailed information about these vulnerabilities can be found in “Architecture and program vulnerabilities in SAP’s J2EE engine” whitepaper presented at the BlackHat 2011 conference.

How ERPScan webxml checker can help you

    This tool can check the likelihood of attacks on J2EE application:
  • Information disclosure through error code;
  • Auth bypass by verb tampering;
  • Intercept critical data through lack of SSL encryption for data transfer;
  • Cookie theft through lack of SSL for an authorization;
  • Cookie theft through XSS. Checking for Httponly=true;
  • Session theft when JSESSIONID are not in Cookie;
  • Increased CSRF or XSS probability with session timeout;
  • Unauthorized actions by locally enabled invoker servlets;
  • Invoker servlet bypass by checking for /* and /servlet/* in security-constraint.

TokenChpocken Peoplesoft SSO cracker

TockenChpoken v0.5 beta // Oracle PS_TOKEN cracker

TokenChpoken is a special toolkit (written in Python) for attacking Oracle PeopleSoft SSO technology. It gives you the opportunity to perform the TockenChpoken attack on a PeopleSoft application. For more information, read our blog post.

With the toolkit we can parse a PS_TOKEN cookie, perform a dictionary-based attack on a node password, and then create a new PS_TOKEN with any values (any username, nodename, date&time). The toolkit consists of three python scripts:,,