When you think about SAP, most of you surely think of that kind of GUI-client-based black box. But SAP is increasingly moving its applications to browser-based web applications.
There are several by now: Web Dynpro, which was introduced with SAP NetWeaver, SAP Solution Manager, and others.
All of them have regular patch cycles and are maintained by SAP, but there are still issues within them. I've discovered, for example, that the Solution Manager IT Service Management application does not properly convert SVG attachments, which can be added to tickets there.
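SVG is XML and may carry script elements, event-handler attributes and script-bearing URLs, so an attachment handler that stores or renders it unchanged is a classic risk. The following is an added example written for this post, not SAP's code: a small pre-storage check that flags active content in an uploaded SVG. The element and attribute lists are assumptions chosen for this illustration, and the two sample files are constructed inline.

```python
"""Added example: flag SVG uploads that carry active content before they are
stored or rendered inline. Written for this article, not SAP's or any vendor's
code; the blocked element/attribute lists below are assumptions for the demo."""
import re
import xml.etree.ElementTree as ET

# Elements that execute or embed arbitrary content (assumed list for this example).
ACTIVE_TAGS = {"script", "foreignObject", "iframe", "embed", "object"}
# URL schemes that turn an href into code execution or an embedded payload.
DANGEROUS_SCHEMES = re.compile(r"^\s*(javascript|data|vbscript)\s*:", re.IGNORECASE)


def _local(tag: str) -> str:
    """Strip the namespace from an ElementTree name ('{ns}script' -> 'script')."""
    return tag.rsplit("}", 1)[-1]


def find_active_content(svg_bytes: bytes) -> list[str]:
    """Return a human-readable finding for each piece of active content in the SVG.

    An empty list means nothing suspicious was found. Unparseable input is
    reported as a finding too, so a malformed file is never treated as clean.
    """
    findings = []
    # Reject DOCTYPE declarations outright: entity-expansion tricks live there,
    # and a legitimate icon or diagram does not need one.
    if b"<!DOCTYPE" in svg_bytes.upper():
        findings.append("DOCTYPE declaration present")
    try:
        root = ET.fromstring(svg_bytes)
    except ET.ParseError as exc:
        return findings + [f"unparseable XML: {exc}"]

    for elem in root.iter():
        name = _local(elem.tag)
        if name in ACTIVE_TAGS:
            findings.append(f"active element <{name}>")
        for attr, value in elem.attrib.items():
            attr_name = _local(attr)
            # Event handlers: onload, onclick, onmouseover, ...
            if attr_name.lower().startswith("on"):
                findings.append(f"event handler {attr_name} on <{name}>")
            # href / xlink:href pointing at a script-bearing URL
            if attr_name == "href" and DANGEROUS_SCHEMES.match(value):
                findings.append(f"dangerous URL scheme in href on <{name}>")
    return findings


def is_safe_svg(svg_bytes: bytes) -> bool:
    """Accept the attachment only if no active content was found."""
    return not find_active_content(svg_bytes)


# Constructed samples: a plain rectangle and one with three kinds of active content.
CLEAN_SVG = (
    b'<svg xmlns="http://www.w3.org/2000/svg" width="10" height="10">'
    b'<rect width="10" height="10"/></svg>'
)
ACTIVE_SVG = (
    b'<svg xmlns="http://www.w3.org/2000/svg" onload="alert(1)">'
    b'<script>alert(1)</script>'
    b'<a xmlns:xlink="http://www.w3.org/1999/xlink" xlink:href="javascript:alert(1)">x</a>'
    b'</svg>'
)

if __name__ == "__main__":
    for label, sample in (("clean", CLEAN_SVG), ("active", ACTIVE_SVG)):
        print(label, "->", "accept" if is_safe_svg(sample) else find_active_content(sample))
```

A deny-list check like this is a gate, not a cleaner: the safer design for a ticketing system is to convert the upload to a raster format server-side or to serve it with a `Content-Disposition: attachment` header and a restrictive Content-Security-Policy, so that even an SVG that slips past the check never executes in a user's browser.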
On the other hand, there are so-called "Z" transactions in SAP, which are custom or customized applications. These applications can usually be identified as such by their prefix.
You can easily search for such transactions by googling for, e.g., "inurl:bc/bsp/sap/z" and checking them for vulnerabilities.