Invest in security to secure investments
Top 10 most interesting SAP vulnerabilities and attacks
Alexander Polyakov
CTO at ERPScan
About ERPScan
• The only 360-degree SAP Security solution - ERPScan Security Monitoring Suite for SAP
• Leader by the number of acknowledgements from SAP (150+)
• 60+ presentations at key security conferences worldwide
• 25 awards and nominations
• Research team - 20 experts with experience in different areas of security
• Headquarters in Palo Alto (US) and Amsterdam (EU)
What is SAP?
Shut up And Pay
Really
• The most popular business application
• More than 120000 customers
• 74% of Forbes 500
Agenda
• Intro
• SAP security history
• SAP on the Internet
• Top 10 latest interesting attacks
• DEMOs
• Conclusion
3 areas of SAP Security
• 2010 – Application platform security: prevents unauthorized access by both insiders and remote attackers. Solution: Vulnerability Assessment and Monitoring
• 2008 – ABAP Code security: prevents attacks or mistakes made by developers. Solution: Code audit
• 2002 – Business logic security (SOD): prevents attacks or mistakes made. Solution: GRC
Talks about SAP security
[Chart: number of talks about SAP security per year, 2006–2012, on a scale of 0 to 35]
Most popular:
• BlackHat
• HITB
• Troopers
• RSA
• Source
• DeepSec
• etc.
SAP Security notes
[Chart: number of SAP Security notes per year, 2001–2012, on a scale of 0 to 900]
By April 26, 2012, a total of 2026 notes
SAP vulnerabilities by type
[Chart: number of vulnerabilities per type, on a scale of 0 to 350]
1 - Directory Traversal
2 - XSS/Unauthorised modification of stored content
3 - Missing Auth check
4 - Information Disclosure
5 - Unauthorized usage of application
6 - Hard-coded credentials
7 - Code injection vulnerability
8 - Verb tampering
9 - Remote Code Execution
10 - Denial of service
11 - BOF
12 - SQL Inj
Stats from:
• 1Q 2012
• 1Q 2010
• 4Q 2009
SAP on the Internet
• We have collected data about SAP systems on the web
• Have various stats by countries, applications, versions
• Information from Google, Shodan, Nmap scan
MYTH: attacks on SAP systems are available only to insiders
SAP on the Internet
About 5000 systems including Dispatcher, Message server, SapHostControl, web services
SAP on the Internet
[Chart: distribution of Internet-facing SAP systems]
Top 10 vulnerabilities 2011-2012
1. Authentication Bypass via Verb tampering
2. Authentication Bypass via the Invoker servlet
3. Buffer overflow in ABAP Kernel
4. Code execution via TH_GREP
5. MMC read SESSIONID
6. Remote portscan
7. Encryption in SAPGUI
8. BAPI XSS/SMBRELAY
9. XML Blowup DOS
10. GUI Scripting DOS
10 – GUI-Scripting DOS: Description
• SAP users can run scripts which automate their user functions
• A script has the same rights in SAP as the user who launched it
• The security message which is shown to the user can be turned off in the registry
• Almost any user can use SAP Messages (SM02 transaction)
• It is possible to run a DOS attack on any user using a simple script
New
Author: Dmitry Chastukhin (ERPScan)
10 – GUI-scripting: Other attacks
Script can be uploaded using:
– SAPGUI ActiveX vulnerability
– Teensy USB flash
– Any other method of client exploitation
Other attacks like changing banking accounts in LFBK are also possible
10 – GUI-scripting: Business risks
Sabotage – High
Ease of exploitation – Medium
Espionage – No
Fraud – No
10 – GUI-scripting: Prevention
• SAP GUI Scripting Security Guide
• sapgui/user_scripting = FALSE
• Block registry modification on workstations
9 – XML Blowup DOS: Description
• The WEBRFC interface can be used to run RFC functions
• By default any user can have access
• Even without S_RFC auth
• SAP NetWeaver is vulnerable to malformed XML packets
• It is possible to run a DOS attack on the server using a simple script
• It is possible to run it over the Internet!
New
Author: Alexey Tyurin (ERPScan)
9 – XML Blowup DOS: Demo
9 – XML Blowup DOS: Business risks
Ease of exploitation – Medium
Espionage – No
Fraud – No
Sabotage – Critical
9 – XML Blowup DOS: Prevention
• Disable WEBRFC
• Prevent unauthorized access to WEBRFC using S_ICF
• Install SAP notes 1543318 and 1469549
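The two prevention items above keep unauthorized callers away from WEBRFC. The following Python is an added example, not SAP's or ERPScan's code, of the complementary parser-side control for the entity-expansion form of an XML blowup: refuse every entity declaration before anything can be expanded, and cap document size and nesting depth so a malformed packet fails fast instead of exhausting the work process. The request bodies are constructed for the example and the element names in them are assumptions.

```python
import xml.parsers.expat


class UnsafeXml(ValueError):
    """Raised when a document uses a construct we refuse to expand."""


# Constructed samples (not from the slides): a benign request body, a scaled-down
# entity-expansion ("blowup") body, and an over-deep body.
BENIGN = "<rfc><function>RFC_PING</function></rfc>"
BLOWUP = ('<!DOCTYPE rfc [<!ENTITY a "aaaaaaaaaa">'
          '<!ENTITY b "&a;&a;&a;&a;&a;&a;&a;&a;&a;&a;">]>'
          "<rfc><function>&b;</function></rfc>")
TOO_DEEP = "<a>" * 200 + "</a>" * 200


def parse_without_entities(data, max_bytes=1_000_000, max_depth=64):
    """Parse with expat while refusing every entity declaration (internal or
    external) before anything is expanded, and capping size and nesting depth.
    Returns {element name: text} for elements that carry character data."""
    if len(data) > max_bytes:
        raise UnsafeXml("document larger than %d bytes" % max_bytes)
    parser = xml.parsers.expat.ParserCreate()
    texts, stack = {}, []

    def entity_decl(name, is_parameter, value, base, system_id, public_id, notation):
        # Fires at the declaration, i.e. before any expansion work is done.
        raise UnsafeXml("entity declaration %r rejected" % name)

    def external_ref(context, base, system_id, public_id):
        raise UnsafeXml("external entity reference rejected")

    def start(name, attrs):
        stack.append(name)
        if len(stack) > max_depth:
            raise UnsafeXml("nesting deeper than %d" % max_depth)

    def end(name):
        stack.pop()

    def chars(text):
        if stack:
            texts[stack[-1]] = texts.get(stack[-1], "") + text

    parser.EntityDeclHandler = entity_decl
    parser.ExternalEntityRefHandler = external_ref
    parser.StartElementHandler = start
    parser.EndElementHandler = end
    parser.CharacterDataHandler = chars
    parser.Parse(data, True)
    return texts


def check_request(data):
    """Gatekeeper form: (True, parsed) for acceptable input, (False, reason) otherwise."""
    try:
        return True, parse_without_entities(data)
    except (UnsafeXml, xml.parsers.expat.ExpatError) as exc:
        return False, str(exc)
```

An exception raised inside an expat handler aborts the parse, so the entity body is never expanded; the size cap is checked before the parser is even created, because the cheapest way to refuse a large packet is to never parse it.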
  
8 – BAPI script injection/hash stealing: Description
• The SAP BAPI transaction fails to properly sanitize input
• Possible to inject JavaScript code or a link to a fake SMB server
• SAP GUI clients use Windows, so their credentials will be transferred to the attacker's host.
Author: Dmitry Chastukhin (ERPScan)
8 – BAPI script injection/hash stealing: Demo
New
8 – BAPI script injection/hash stealing: Business risks
Ease of exploitation – Low
Sabotage – High
Espionage – High
Fraud – High
7 – SAP GUI bad encryption: Description
• SAP FrontEnd can save encrypted passwords in shortcuts
• Shortcuts are stored in .sap files
• This password uses a byte-XOR algorithm with a "secret" key
• The key has the same value for every installation of SAP GUI
• Any password can be decrypted in 1 second
Author: Alexey Sintsov (ERPScan)
New
7 – SAP GUI bad encryption: Business risks
Sabotage – Medium
Fraud – High
Espionage – High
Ease of exploitation – Medium
7 – SAP GUI bad encryption: Prevention
• Disable password storage in GUI
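To make concrete why the only real prevention is the one on the slide (do not store the password at all), here is an added Python illustration, not ERPScan's tool and not SAP's code, of the cryptographic weakness behind byte-XOR with a key that is identical on every installation: a single shortcut whose password is already known (for instance one you created yourself) hands back the key bytes, and every other password stored the same way then decrypts with a second XOR. The key below is a constructed demo value; the real SAP GUI key is deliberately not reproduced.

```python
# Constructed demo key: the real SAP GUI key is deliberately not reproduced here.
DEMO_KEY = bytes.fromhex("a3f17c5e92d04b6881ce3f5ad7")


def xor_with_key(data, key):
    """Byte-XOR `data` with `key`, repeating the key as needed."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def store_shortcut_password(password, key=DEMO_KEY):
    """What the slide calls 'encryption': XOR with a key shared by every install,
    stored as hex the way a text shortcut file would carry it."""
    return xor_with_key(password.encode("utf-8"), key).hex()


def recover_key_stream(known_password, stored_hex):
    """Given ONE shortcut whose password is known, XOR of stored form and plaintext
    gives the key bytes for every position the known password covers."""
    return xor_with_key(bytes.fromhex(stored_hex), known_password.encode("utf-8"))


def decrypt_with_recovered(stored_hex, key_stream):
    """Decrypt any other stored password no longer than the recovered stream."""
    ciphertext = bytes.fromhex(stored_hex)
    if len(ciphertext) > len(key_stream):
        raise ValueError("recovered key stream too short; use a longer known password")
    return xor_with_key(ciphertext, key_stream).decode("utf-8")


def demo():
    """End-to-end: my own shortcut exposes the key, someone else's password follows."""
    mine = store_shortcut_password("Welcome1")        # constructed: a shortcut I created
    stream = recover_key_stream("Welcome1", mine)
    other = store_shortcut_password("Pass1234")       # constructed: another user's shortcut
    return decrypt_with_recovered(other, stream)
```

The point for a defender is that no amount of key secrecy helps once the key is the same everywhere and a known plaintext is always available; a stored credential either needs a per-user secret that the attacker does not hold, or, as the slide says, should not be stored.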
  
6 – Remote port scan via JSP: Description
• It is possible to scan the internal network from the Internet
• Authentication is not required
• SAP NetWeaver J2EE engine is vulnerable
• /ipcpricing/ui/BufferOverview.jsp?server=172.16.0.13&port=31337&password=&dispatcher=&targetClient=&view=
Author: Alexander Polyakov (ERPScan)
6 – Remote port scan via JSP: Demo
[Screenshots: Port closed / HTTP port / SAP port]
6 – Remote port scan via JSP: Business risks
Espionage – Medium
Fraud – No
Ease of exploitation – High
Sabotage – Low
6 – Remote port scan via JSP: Prevention
• Install SAP notes: 1548548, 1545883, 1503856, 948851, 1545883
• Disable unnecessary applications
  
5 – MMC JSESSIONID stealing: Description
• Remote management of the SAP platform
• By default, many commands go without auth
• Exploits implemented in Metasploit (by ChrisJohnRiley)
• Most of the bugs are information disclosure
• It is possible to find information about JSESSIONID
• Only if trace is ON
Can be authenticated as an existing user remotely
1) Original bug by ChrisJohnRiley
2) JSESSIONID by Alexey Sintsov and Alexey Tyurin (ERPScan)
New
5 – MMC JSESSIONID stealing: Business risks
Espionage – Critical
Sabotage – Medium
Fraud – High
Ease of exploitation – Medium
5 – MMC JSESSIONID stealing: Prevention
• The JSESSIONID by default will not be logged in the log file
• Don't use TRACE_LEVEL = 3 on production systems, or delete traces after use
• Other info: http://help.sap.com/saphelp_nwpi71/helpdata/en/d6/49543b1e49bc1fe10000000a114084/frameset.htm
4 – Remote command execution in TH_GREP: Description
• RCE vulnerability in RFC module TH_GREP
• Found by Joris van de Vis
• SAP was not properly patched (1433101)
• We have discovered that the patch can be bypassed in Windows
Original bug by Joris van de Vis (erp-sec)
Bypass by Alexey Tyurin (ERPScan)
4 – RCE in TH_GREP: Details

  elseif opsys = 'Windows NT'.
    " Windows branch: the pattern is placed inside /c:"..." without any escaping
    concatenate '/c:"' string '"' filename into grep_params in character mode.
  else.
    " Linux branch (the patched one): single quotes in the pattern are escaped
    " ('''' is one quote character, '''"''"''' is the sequence '"'"' )
    replace all occurrences of '''' in local_string with '''"''"'''.
    concatenate '''' local_string '''' filename into grep_params
      in character mode.
  endif.
4 – RCE in TH_GREP: Demo #1
4 - RCE in TH_GREP: More details
4 ways to execute the vulnerable program
• Using transaction "SE37"
• Using transaction "SM51" (thanks to Felix Granados)
• Using remote RFC call "TH_GREP"
• Using SOAP RFC call "TH_GREP" via web
4 – RCE in TH_GREP: Demo #2
4 – RCE in TH_GREP: Business risks
Sabotage – Medium
Fraud – High
Espionage – High
Ease of exploitation – Medium
4 – RCE in TH_GREP: Prevention
• Install SAP notes 1580017, 1433101
• Prevent access to critical transactions and RFC functions
• Check the ABAP code of your Z-transactions for similar vulnerabilities
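The last prevention item, checking your own Z-code for the same pattern, is easier with a concrete picture of what "the same pattern" is. The following Python is an added illustration, not the ABAP from the details slide and not SAP's code: build_grep_params_as_shipped mirrors the quoting logic shown there (spacing simplified), so the per-OS asymmetry is visible, and hardened_grep_argv shows the shape of a fix that holds on every OS: allowlist-validate both inputs and hand the program an argument vector, so no shell quoting rules have to be right per platform. The allowlists are assumptions about what a trace-grep pattern and file name legitimately contain.

```python
import re

# Assumed allowlists: what a trace-grep pattern and a trace file name may contain.
SAFE_PATTERN = re.compile(r"[A-Za-z0-9_ .:*\-\[\]]+")
SAFE_FILENAME = re.compile(r"[A-Za-z0-9_./\\:\-]+")


def build_grep_params_as_shipped(opsys, pattern, filename):
    """Mirror of the slide's ABAP (spacing simplified). Only the Linux branch escapes
    the single quote; Windows NT wraps the raw pattern in /c:"..." unchanged, which is
    the gap the slide describes."""
    if opsys == "Windows NT":
        return '/c:"' + pattern + '" ' + filename
    escaped = pattern.replace("'", "'\"'\"'")      # ABAP: '''"''"''' i.e. '"'"'
    return "'" + escaped + "' " + filename


def shipped_escapes_on(opsys, pattern):
    """True if the as-shipped builder altered the pattern at all on this OS."""
    return pattern not in build_grep_params_as_shipped(opsys, pattern, "f")


def hardened_grep_argv(pattern, filename):
    """Hardened shape: validate both inputs on every OS and return an argument vector
    (no shell string is ever built, so no platform-specific quoting can be wrong)."""
    if not SAFE_PATTERN.fullmatch(pattern):
        raise ValueError("pattern contains characters outside the allowlist")
    if not SAFE_FILENAME.fullmatch(filename) or ".." in filename:
        raise ValueError("filename contains characters outside the allowlist")
    # '--' stops option parsing so a pattern starting with '-' cannot become a flag.
    return ["grep", "--", pattern, filename]


def hardened_rejects(pattern, filename="dev_w0"):
    """Convenience predicate for review scripts: does the hardened builder refuse this input?"""
    try:
        hardened_grep_argv(pattern, filename)
    except ValueError:
        return True
    return False
```

When reviewing Z-code, the question to ask of every place that assembles an OS command is the one this example makes visible: is the untrusted part validated the same way on every branch, or only on the branch the developer tested?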
  
3 - ABAP Kernel BOF: Description
• Presented by Andreas Wiegenstein at BlackHat EU 2011
• Buffer overflow in SAP kernel function C_SAPGPARAM
• When the NAME field is more than 108 chars
• Can be exploited by calling an FM which uses C_SAPGPARAM
• Example of a report – RSPO_R_SAPGPARAM
Author: (VirtualForge)
3 – ABAP Kernel BOF: Business risks
Espionage – Critical
Ease of exploitation – Medium
Fraud – Critical
Sabotage – Critical
3 – ABAP Kernel BOF: Prevention
• Install SAP notes:
  - 1493516 – Correcting buffer overflow in ABAP system call
  - 1487330 – Potential remote code execution in SAP Kernel
• Prevent access to critical transactions and RFC functions
• Check the ABAP code of your Z-transactions for critical calls
2 – Invoker Servlet: Description
• Rapidly calls servlets by their class name
• Published by SAP in their security guides
• Possible to call any servlet from the application
• Even if it is not declared in WEB.XML
Can be used for auth bypass
2 - Invoker Servlet: Details

  <servlet>
    <servlet-name>CriticalAction</servlet-name>
    <servlet-class>com.sap.admin.Critical.Action</servlet-class>
  </servlet>
  <servlet-mapping>
    <servlet-name>CriticalAction</servlet-name>
    <url-pattern>/admin/critical</url-pattern>
  </servlet-mapping>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Restrictedaccess</web-resource-name>
      <url-pattern>/admin/*</url-pattern>
      <http-method>GET</http-method>
    </web-resource-collection>
    <auth-constraint>
      <role-name>admin</role-name>
    </auth-constraint>
  </security-constraint>

Author: Dmitry Chastukhin (ERPScan)
What if we call /servlet/com.sap.admin.Critical.Action?
2 – Invoker servlet: Business risks
Ease of use – Very easy!
Espionage – High
Sabotage – High
Fraud – High
2 - Invoker servlet: Prevention
• Update to the latest patch: 1467771, 1445998
• The "EnableInvokerServletGlobally" property of the servlet_jsp service must be "false"
If you can't install patches for some reason, you can check all WEB.XML files using the ERPScan web.xml scanner or manually.
1 – VERB Tampering
1st Place – Verb Tampering

  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Restrictedaccess</web-resource-name>
      <url-pattern>/admin/*</url-pattern>
      <http-method>GET</http-method>
    </web-resource-collection>
    <auth-constraint>
      <role-name>admin</role-name>
    </auth-constraint>
  </security-constraint>

What if we use HEAD instead of GET?
Author: Alexander Polyakov (ERPScan)
1 – Verb tampering: Details
Remotely without authentication!
• CTC – secret interface for managing the J2EE engine
• Can be accessed remotely
• Can run user management actions:
  – Add users
  – Add to groups
  – Run OS commands
  – Start/Stop J2EE

1 – Verb tampering: Demo
1 – Verb tampering: More details
If patched, can be bypassed by the Invoker servlet!
1 – Verb tampering: Business risks
Espionage – Critical
Sabotage – Critical
Fraud – Critical
Ease of use – Very easy!
1st Place – Verb tampering: Prevention
Prevention:
• Install SAP notes 1503579, 1616259
• Install other SAP notes about Verb Tampering (about 18)
• Scan applications using the ERPScan WEB.XML check tool or manually
• Secure WEB.XML by deleting all <http-method> elements
• Disable the applications that are not necessary
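Both this slide and the Invoker servlet prevention slide point at WEB.XML checks, by tool or by hand. The following Python script is an added example, not ERPScan's WEB.XML check tool, that performs both checks against the descriptor fragments shown on the two details slides: it models the servlet-spec rule that a constraint listing http-methods covers only those verbs, flags such constraints (verb tampering), flags servlet classes whose invoker path falls outside every constraint (invoker servlet), and produces a hardened descriptor by deleting every http-method element, which is this slide's own advice. The sample descriptor is constructed from the two slides; the /servlet/ prefix is the invoker path used on the invoker slide.

```python
import xml.etree.ElementTree as ET

# Constructed sample descriptor reproducing the two slides' web.xml fragments.
SAMPLE_WEB_XML = """<web-app>
  <servlet>
    <servlet-name>CriticalAction</servlet-name>
    <servlet-class>com.sap.admin.Critical.Action</servlet-class>
  </servlet>
  <servlet-mapping>
    <servlet-name>CriticalAction</servlet-name>
    <url-pattern>/admin/critical</url-pattern>
  </servlet-mapping>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Restrictedaccess</web-resource-name>
      <url-pattern>/admin/*</url-pattern>
      <http-method>GET</http-method>
    </web-resource-collection>
    <auth-constraint>
      <role-name>admin</role-name>
    </auth-constraint>
  </security-constraint>
</web-app>
"""

INVOKER_PREFIX = "/servlet/"   # invoker-servlet path used on the slides


def _parse(web_xml):
    """Parse and strip namespaces so tag names compare plainly (real descriptors
    declare a default J2EE namespace)."""
    root = ET.fromstring(web_xml)
    for el in root.iter():
        if "}" in el.tag:
            el.tag = el.tag.split("}", 1)[1]
    return root


def _text(el, path):
    return [(x.text or "").strip() for x in el.findall(path)]


def _url_matches(pattern, path):
    """Servlet-spec matching: exact, path prefix (/x/*), extension (*.ext), default (/)."""
    if pattern == path or pattern == "/":
        return True
    if pattern.endswith("/*"):
        prefix = pattern[:-2]
        return path == prefix or path.startswith(prefix + "/")
    if pattern.startswith("*."):
        return path.endswith(pattern[1:])
    return False


def parse_constraints(web_xml):
    """Return [{patterns, methods, roles}] for every security-constraint."""
    out = []
    for sc in _parse(web_xml).iter("security-constraint"):
        patterns, methods = [], []
        for wrc in sc.findall("web-resource-collection"):
            patterns += _text(wrc, "url-pattern")
            methods += [m.upper() for m in _text(wrc, "http-method")]
        out.append({"patterns": patterns, "methods": methods,
                    "roles": _text(sc, "auth-constraint/role-name")})
    return out


def is_protected(constraints, method, path):
    """True if some auth-constraint applies to (method, path). A constraint that
    lists http-methods covers only those verbs; one with none covers all verbs."""
    for c in constraints:
        if not c["roles"]:
            continue
        if any(_url_matches(p, path) for p in c["patterns"]):
            if not c["methods"] or method.upper() in c["methods"]:
                return True
    return False


def audit(web_xml):
    """Findings for the two weaknesses on the slides: verb tampering and invoker servlet."""
    constraints = parse_constraints(web_xml)
    findings = []
    for c in constraints:
        if c["methods"] and c["roles"]:
            findings.append("verb-tampering: constraint on %s covers only %s; "
                            "other verbs reach the resource unauthenticated"
                            % (c["patterns"], c["methods"]))
    for cls in _text(_parse(web_xml), "servlet/servlet-class"):
        path = INVOKER_PREFIX + cls
        if cls and not is_protected(constraints, "GET", path):
            findings.append("invoker-servlet: %s is outside every auth-constraint" % path)
    return findings


def harden(web_xml):
    """Delete every <http-method> so each constraint covers all verbs (the slide's advice)."""
    root = _parse(web_xml)
    for wrc in root.iter("web-resource-collection"):
        for m in wrc.findall("http-method"):
            wrc.remove(m)
    return ET.tostring(root, encoding="unicode")
```

Deleting http-method closes the verb hole, but the invoker finding remains in the hardened output on purpose: that path is served by the engine regardless of web.xml, so only the EnableInvokerServletGlobally = false setting from the invoker slide removes it. Note that harden() emits the descriptor without its namespace declaration, so for a real file re-add the xmlns attribute or apply the deletion in an editor.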
  
Conclusion
It is possible to be protected from almost all those kinds of issues, and we are working hard with SAP to make it secure
SAP Guides
It's all in your hands
Regular security assessments
ABAP code review
Monitoring technical security
Segregation of Duties
Future work
Many of the researched things cannot be disclosed now because of our good relationship with SAP Security Response Team, whom I would like to thank for cooperation. However, if you want to see new demos and 0-days, follow us at @erpscan and attend the future presentations:
• PHDays in May (Moscow)
• Just4Meeting in July (Portugal)
• BlackHat USA in July (Las Vegas)
Greetz to our crew who helped: Dmitriy Evdokimov, Alexey Sintsov, Alexey Tyurin, Pavel Kuzmin, Evgeniy Neelov.
web: www.erpscan.com
e-mail: info@erpscan.com, sales@erpscan.com
Twitter: @erpscan, @sh2kerr
 
StealthWatch & Point-of-Sale (POS) Malware
StealthWatch & Point-of-Sale (POS) Malware StealthWatch & Point-of-Sale (POS) Malware
StealthWatch & Point-of-Sale (POS) Malware Lancope, Inc.
 
Onapsis SAP Forensics: Detecting White-Collar Cyber Crime with SAP Forensics
Onapsis SAP Forensics: Detecting White-Collar Cyber Crime with SAP ForensicsOnapsis SAP Forensics: Detecting White-Collar Cyber Crime with SAP Forensics
Onapsis SAP Forensics: Detecting White-Collar Cyber Crime with SAP ForensicsOnapsis Inc.
 
Introduction to Industrial Control Systems : Pentesting PLCs 101 (BlackHat Eu...
Introduction to Industrial Control Systems : Pentesting PLCs 101 (BlackHat Eu...Introduction to Industrial Control Systems : Pentesting PLCs 101 (BlackHat Eu...
Introduction to Industrial Control Systems : Pentesting PLCs 101 (BlackHat Eu...arnaudsoullie
 
Demystify Information Security & Threats for Data-Driven Platforms With Cheta...
Demystify Information Security & Threats for Data-Driven Platforms With Cheta...Demystify Information Security & Threats for Data-Driven Platforms With Cheta...
Demystify Information Security & Threats for Data-Driven Platforms With Cheta...Chetan Khatri
 

Ähnlich wie Top 10 most interesting vulnerabilities and attacks in SAP (18)

SAP security in figures
SAP security in figuresSAP security in figures
SAP security in figures
 
Architecture vulnerabilities in SAP platforms
Architecture vulnerabilities in SAP platformsArchitecture vulnerabilities in SAP platforms
Architecture vulnerabilities in SAP platforms
 
SAP (in)security: New and best
SAP (in)security: New and bestSAP (in)security: New and best
SAP (in)security: New and best
 
Assess and monitor SAP security
Assess and monitor SAP securityAssess and monitor SAP security
Assess and monitor SAP security
 
EAS-SEC Project
EAS-SEC ProjectEAS-SEC Project
EAS-SEC Project
 
Injecting evil code in your SAP J2EE systems. Security of SAP Software Deploy...
Injecting evil code in your SAP J2EE systems. Security of SAP Software Deploy...Injecting evil code in your SAP J2EE systems. Security of SAP Software Deploy...
Injecting evil code in your SAP J2EE systems. Security of SAP Software Deploy...
 
Attacks on SAP Mobile
Attacks on SAP MobileAttacks on SAP Mobile
Attacks on SAP Mobile
 
ERP Security. Myths, Problems, Solutions
ERP Security. Myths, Problems, SolutionsERP Security. Myths, Problems, Solutions
ERP Security. Myths, Problems, Solutions
 
MySQL Day Paris 2018 - MySQL & GDPR; Privacy and Security requirements
MySQL Day Paris 2018 - MySQL & GDPR; Privacy and Security requirementsMySQL Day Paris 2018 - MySQL & GDPR; Privacy and Security requirements
MySQL Day Paris 2018 - MySQL & GDPR; Privacy and Security requirements
 
Top 5 Encryption Myths for IBM i Users
Top 5 Encryption Myths for IBM i UsersTop 5 Encryption Myths for IBM i Users
Top 5 Encryption Myths for IBM i Users
 
SSRF vs. Business-critical applications. XXE tunneling in SAP
SSRF vs. Business-critical applications. XXE tunneling in SAPSSRF vs. Business-critical applications. XXE tunneling in SAP
SSRF vs. Business-critical applications. XXE tunneling in SAP
 
I got 99 trends and a # is all of them
I got 99 trends and a # is all of themI got 99 trends and a # is all of them
I got 99 trends and a # is all of them
 
Monitor OpenStack Environments from the bottom up and front to back
Monitor OpenStack Environments from the bottom up and front to backMonitor OpenStack Environments from the bottom up and front to back
Monitor OpenStack Environments from the bottom up and front to back
 
The Hacking Games - A Road to Post Exploitation Meetup - 20240222.pptx
The Hacking Games - A Road to Post Exploitation Meetup - 20240222.pptxThe Hacking Games - A Road to Post Exploitation Meetup - 20240222.pptx
The Hacking Games - A Road to Post Exploitation Meetup - 20240222.pptx
 
StealthWatch & Point-of-Sale (POS) Malware
StealthWatch & Point-of-Sale (POS) Malware StealthWatch & Point-of-Sale (POS) Malware
StealthWatch & Point-of-Sale (POS) Malware
 
Onapsis SAP Forensics: Detecting White-Collar Cyber Crime with SAP Forensics
Onapsis SAP Forensics: Detecting White-Collar Cyber Crime with SAP ForensicsOnapsis SAP Forensics: Detecting White-Collar Cyber Crime with SAP Forensics
Onapsis SAP Forensics: Detecting White-Collar Cyber Crime with SAP Forensics
 
Introduction to Industrial Control Systems : Pentesting PLCs 101 (BlackHat Eu...
Introduction to Industrial Control Systems : Pentesting PLCs 101 (BlackHat Eu...Introduction to Industrial Control Systems : Pentesting PLCs 101 (BlackHat Eu...
Introduction to Industrial Control Systems : Pentesting PLCs 101 (BlackHat Eu...
 
Demystify Information Security & Threats for Data-Driven Platforms With Cheta...
Demystify Information Security & Threats for Data-Driven Platforms With Cheta...Demystify Information Security & Threats for Data-Driven Platforms With Cheta...
Demystify Information Security & Threats for Data-Driven Platforms With Cheta...
 

Kürzlich hochgeladen

why an Opensea Clone Script might be your perfect match.pdf
why an Opensea Clone Script might be your perfect match.pdfwhy an Opensea Clone Script might be your perfect match.pdf
why an Opensea Clone Script might be your perfect match.pdfjoe51371421
 
Salesforce Certified Field Service Consultant
Salesforce Certified Field Service ConsultantSalesforce Certified Field Service Consultant
Salesforce Certified Field Service ConsultantAxelRicardoTrocheRiq
 
Software Quality Assurance Interview Questions
Software Quality Assurance Interview QuestionsSoftware Quality Assurance Interview Questions
Software Quality Assurance Interview QuestionsArshad QA
 
TECUNIQUE: Success Stories: IT Service provider
TECUNIQUE: Success Stories: IT Service providerTECUNIQUE: Success Stories: IT Service provider
TECUNIQUE: Success Stories: IT Service providermohitmore19
 
Hand gesture recognition PROJECT PPT.pptx
Hand gesture recognition PROJECT PPT.pptxHand gesture recognition PROJECT PPT.pptx
Hand gesture recognition PROJECT PPT.pptxbodapatigopi8531
 
Active Directory Penetration Testing, cionsystems.com.pdf
Active Directory Penetration Testing, cionsystems.com.pdfActive Directory Penetration Testing, cionsystems.com.pdf
Active Directory Penetration Testing, cionsystems.com.pdfCionsystems
 
Optimizing AI for immediate response in Smart CCTV
Optimizing AI for immediate response in Smart CCTVOptimizing AI for immediate response in Smart CCTV
Optimizing AI for immediate response in Smart CCTVshikhaohhpro
 
HR Software Buyers Guide in 2024 - HRSoftware.com
HR Software Buyers Guide in 2024 - HRSoftware.comHR Software Buyers Guide in 2024 - HRSoftware.com
HR Software Buyers Guide in 2024 - HRSoftware.comFatema Valibhai
 
Right Money Management App For Your Financial Goals
Right Money Management App For Your Financial GoalsRight Money Management App For Your Financial Goals
Right Money Management App For Your Financial GoalsJhone kinadey
 
(Genuine) Escort Service Lucknow | Starting ₹,5K To @25k with A/C 🧑🏽‍❤️‍🧑🏻 89...
(Genuine) Escort Service Lucknow | Starting ₹,5K To @25k with A/C 🧑🏽‍❤️‍🧑🏻 89...(Genuine) Escort Service Lucknow | Starting ₹,5K To @25k with A/C 🧑🏽‍❤️‍🧑🏻 89...
(Genuine) Escort Service Lucknow | Starting ₹,5K To @25k with A/C 🧑🏽‍❤️‍🧑🏻 89...gurkirankumar98700
 
Unlocking the Future of AI Agents with Large Language Models
Unlocking the Future of AI Agents with Large Language ModelsUnlocking the Future of AI Agents with Large Language Models
Unlocking the Future of AI Agents with Large Language Modelsaagamshah0812
 
DNT_Corporate presentation know about us
DNT_Corporate presentation know about usDNT_Corporate presentation know about us
DNT_Corporate presentation know about usDynamic Netsoft
 
Unveiling the Tech Salsa of LAMs with Janus in Real-Time Applications
Unveiling the Tech Salsa of LAMs with Janus in Real-Time ApplicationsUnveiling the Tech Salsa of LAMs with Janus in Real-Time Applications
Unveiling the Tech Salsa of LAMs with Janus in Real-Time ApplicationsAlberto González Trastoy
 
Steps To Getting Up And Running Quickly With MyTimeClock Employee Scheduling ...
Steps To Getting Up And Running Quickly With MyTimeClock Employee Scheduling ...Steps To Getting Up And Running Quickly With MyTimeClock Employee Scheduling ...
Steps To Getting Up And Running Quickly With MyTimeClock Employee Scheduling ...MyIntelliSource, Inc.
 
W01_panagenda_Navigating-the-Future-with-The-Hitchhikers-Guide-to-Notes-and-D...
W01_panagenda_Navigating-the-Future-with-The-Hitchhikers-Guide-to-Notes-and-D...W01_panagenda_Navigating-the-Future-with-The-Hitchhikers-Guide-to-Notes-and-D...
W01_panagenda_Navigating-the-Future-with-The-Hitchhikers-Guide-to-Notes-and-D...panagenda
 
Advancing Engineering with AI through the Next Generation of Strategic Projec...
Advancing Engineering with AI through the Next Generation of Strategic Projec...Advancing Engineering with AI through the Next Generation of Strategic Projec...
Advancing Engineering with AI through the Next Generation of Strategic Projec...OnePlan Solutions
 
Shapes for Sharing between Graph Data Spaces - and Epistemic Querying of RDF-...
Shapes for Sharing between Graph Data Spaces - and Epistemic Querying of RDF-...Shapes for Sharing between Graph Data Spaces - and Epistemic Querying of RDF-...
Shapes for Sharing between Graph Data Spaces - and Epistemic Querying of RDF-...Steffen Staab
 
Learn the Fundamentals of XCUITest Framework_ A Beginner's Guide.pdf
Learn the Fundamentals of XCUITest Framework_ A Beginner's Guide.pdfLearn the Fundamentals of XCUITest Framework_ A Beginner's Guide.pdf
Learn the Fundamentals of XCUITest Framework_ A Beginner's Guide.pdfkalichargn70th171
 
call girls in Vaishali (Ghaziabad) 🔝 >༒8448380779 🔝 genuine Escort Service 🔝✔️✔️
call girls in Vaishali (Ghaziabad) 🔝 >༒8448380779 🔝 genuine Escort Service 🔝✔️✔️call girls in Vaishali (Ghaziabad) 🔝 >༒8448380779 🔝 genuine Escort Service 🔝✔️✔️
call girls in Vaishali (Ghaziabad) 🔝 >༒8448380779 🔝 genuine Escort Service 🔝✔️✔️Delhi Call girls
 

Kürzlich hochgeladen (20)

why an Opensea Clone Script might be your perfect match.pdf
why an Opensea Clone Script might be your perfect match.pdfwhy an Opensea Clone Script might be your perfect match.pdf
why an Opensea Clone Script might be your perfect match.pdf
 
Salesforce Certified Field Service Consultant
Salesforce Certified Field Service ConsultantSalesforce Certified Field Service Consultant
Salesforce Certified Field Service Consultant
 
Software Quality Assurance Interview Questions
Software Quality Assurance Interview QuestionsSoftware Quality Assurance Interview Questions
Software Quality Assurance Interview Questions
 
TECUNIQUE: Success Stories: IT Service provider
TECUNIQUE: Success Stories: IT Service providerTECUNIQUE: Success Stories: IT Service provider
TECUNIQUE: Success Stories: IT Service provider
 
Hand gesture recognition PROJECT PPT.pptx
Hand gesture recognition PROJECT PPT.pptxHand gesture recognition PROJECT PPT.pptx
Hand gesture recognition PROJECT PPT.pptx
 
Active Directory Penetration Testing, cionsystems.com.pdf
Active Directory Penetration Testing, cionsystems.com.pdfActive Directory Penetration Testing, cionsystems.com.pdf
Active Directory Penetration Testing, cionsystems.com.pdf
 
Optimizing AI for immediate response in Smart CCTV
Optimizing AI for immediate response in Smart CCTVOptimizing AI for immediate response in Smart CCTV
Optimizing AI for immediate response in Smart CCTV
 
HR Software Buyers Guide in 2024 - HRSoftware.com
HR Software Buyers Guide in 2024 - HRSoftware.comHR Software Buyers Guide in 2024 - HRSoftware.com
HR Software Buyers Guide in 2024 - HRSoftware.com
 
Right Money Management App For Your Financial Goals
Right Money Management App For Your Financial GoalsRight Money Management App For Your Financial Goals
Right Money Management App For Your Financial Goals
 
(Genuine) Escort Service Lucknow | Starting ₹,5K To @25k with A/C 🧑🏽‍❤️‍🧑🏻 89...
(Genuine) Escort Service Lucknow | Starting ₹,5K To @25k with A/C 🧑🏽‍❤️‍🧑🏻 89...(Genuine) Escort Service Lucknow | Starting ₹,5K To @25k with A/C 🧑🏽‍❤️‍🧑🏻 89...
(Genuine) Escort Service Lucknow | Starting ₹,5K To @25k with A/C 🧑🏽‍❤️‍🧑🏻 89...
 
Unlocking the Future of AI Agents with Large Language Models
Unlocking the Future of AI Agents with Large Language ModelsUnlocking the Future of AI Agents with Large Language Models
Unlocking the Future of AI Agents with Large Language Models
 
DNT_Corporate presentation know about us
DNT_Corporate presentation know about usDNT_Corporate presentation know about us
DNT_Corporate presentation know about us
 
Unveiling the Tech Salsa of LAMs with Janus in Real-Time Applications
Unveiling the Tech Salsa of LAMs with Janus in Real-Time ApplicationsUnveiling the Tech Salsa of LAMs with Janus in Real-Time Applications
Unveiling the Tech Salsa of LAMs with Janus in Real-Time Applications
 
Steps To Getting Up And Running Quickly With MyTimeClock Employee Scheduling ...
Steps To Getting Up And Running Quickly With MyTimeClock Employee Scheduling ...Steps To Getting Up And Running Quickly With MyTimeClock Employee Scheduling ...
Steps To Getting Up And Running Quickly With MyTimeClock Employee Scheduling ...
 
Microsoft AI Transformation Partner Playbook.pdf
Microsoft AI Transformation Partner Playbook.pdfMicrosoft AI Transformation Partner Playbook.pdf
Microsoft AI Transformation Partner Playbook.pdf
 
W01_panagenda_Navigating-the-Future-with-The-Hitchhikers-Guide-to-Notes-and-D...
W01_panagenda_Navigating-the-Future-with-The-Hitchhikers-Guide-to-Notes-and-D...W01_panagenda_Navigating-the-Future-with-The-Hitchhikers-Guide-to-Notes-and-D...
W01_panagenda_Navigating-the-Future-with-The-Hitchhikers-Guide-to-Notes-and-D...
 
Advancing Engineering with AI through the Next Generation of Strategic Projec...
Advancing Engineering with AI through the Next Generation of Strategic Projec...Advancing Engineering with AI through the Next Generation of Strategic Projec...
Advancing Engineering with AI through the Next Generation of Strategic Projec...
 
Shapes for Sharing between Graph Data Spaces - and Epistemic Querying of RDF-...
Shapes for Sharing between Graph Data Spaces - and Epistemic Querying of RDF-...Shapes for Sharing between Graph Data Spaces - and Epistemic Querying of RDF-...
Shapes for Sharing between Graph Data Spaces - and Epistemic Querying of RDF-...
 
Learn the Fundamentals of XCUITest Framework_ A Beginner's Guide.pdf
Learn the Fundamentals of XCUITest Framework_ A Beginner's Guide.pdfLearn the Fundamentals of XCUITest Framework_ A Beginner's Guide.pdf
Learn the Fundamentals of XCUITest Framework_ A Beginner's Guide.pdf
 
call girls in Vaishali (Ghaziabad) 🔝 >༒8448380779 🔝 genuine Escort Service 🔝✔️✔️
call girls in Vaishali (Ghaziabad) 🔝 >༒8448380779 🔝 genuine Escort Service 🔝✔️✔️call girls in Vaishali (Ghaziabad) 🔝 >༒8448380779 🔝 genuine Escort Service 🔝✔️✔️
call girls in Vaishali (Ghaziabad) 🔝 >༒8448380779 🔝 genuine Escort Service 🔝✔️✔️
 

Top 10 most interesting vulnerabilities and attacks in SAP

• 1. Invest in security to secure investments
Top 10 most interesting SAP vulnerabilities and attacks
Alexander Polyakov, CTO at ERPScan

• 2. About ERPScan
• The only 360-degree SAP security solution: ERPScan Security Monitoring Suite for SAP
• Leader by the number of acknowledgements from SAP (150+)
• 60+ presentations at key security conferences worldwide
• 25 awards and nominations
• Research team: 20 experts with experience in different areas of security
• Headquarters in Palo Alto (US) and Amsterdam (EU)

• 3. What is SAP?
Shut up And Pay

• 4. Really
• The most popular business application
• More than 120,000 customers
• 74% of Forbes 500

• 5. Agenda
• Intro
• SAP security history
• SAP on the Internet
• Top 10 latest interesting attacks
• DEMOs
• Conclusion

• 6. 3 areas of SAP security
2010: Application platform security. Prevents unauthorized access by both insiders and remote attackers. Solution: vulnerability assessment and monitoring
2008: ABAP code security. Prevents attacks or mistakes made by developers. Solution: code audit
2002: Business logic security (SoD). Prevents attacks or mistakes made. Solution: GRC

• 7. Talks about SAP security
[Chart: number of talks about SAP security per year, 2006 to 2012]
Most popular: BlackHat, HITB, Troopers, RSA, Source, DeepSec, etc.

• 8. SAP Security Notes
[Chart: number of SAP Security Notes per year, 2001 to 2012]
By April 26, 2012, a total of 2026 notes

• 9. SAP vulnerabilities by type
[Chart: number of SAP vulnerabilities per type]
1. Directory traversal
2. XSS / unauthorised modification of stored content
3. Missing authorization check
4. Information disclosure
5. Unauthorized usage of application
6. Hard-coded credentials
7. Code injection vulnerability
8. Verb tampering
9. Remote code execution
10. Denial of service
11. Buffer overflow (BOF)
12. SQL injection
Stats from: 1Q 2012, 1Q 2010, 4Q 2009

• 10. SAP on the Internet
• We have collected data about SAP systems on the web
• Have various stats by countries, applications, versions
• Information from Google, Shodan, Nmap scans
MYTH: attacks on SAP systems are available only to insiders

• 11. SAP on the Internet
About 5000 systems, including Dispatcher, Message Server, SAPHostControl, web services

• 12. SAP on the Internet
[Chart: SAP systems found on the Internet]

• 13. Top 10 vulnerabilities 2011-2012
1. Authentication bypass via verb tampering
2. Authentication bypass via the Invoker servlet
3. Buffer overflow in ABAP kernel
4. Code execution via TH_GREP
5. MMC read SESSIONID
6. Remote portscan
7. Encryption in SAPGUI
8. BAPI XSS / SMBRELAY
9. XML blowup DoS
10. GUI scripting DoS

• 14. 10 – GUI scripting DoS: Description
• SAP users can run scripts which automate their user functions
• A script has the same rights in SAP as the user who launched it
• The security message shown to the user can be turned off in the registry
• Almost any user can use SAP Messages (transaction SM02)
• It is possible to run a DoS attack on any user using a simple script
New. Author: Dmitry Chastukhin (ERPScan)

• 15. 10 – GUI scripting: Other attacks
Script can be uploaded using:
– SAPGUI ActiveX vulnerability
– Teensy USB flash
– Any other method of client exploitation
Other attacks, like changing bank accounts in LFBK, are also possible

• 16. 10 – GUI scripting: Business risks
Sabotage – High
Ease of exploitation – Medium
Espionage – No
Fraud – No

• 17. 10 – GUI scripting: Prevention
• SAP GUI Scripting Security Guide
• sapgui/user_scripting = FALSE
• Block registry modification on workstations

• 18. 9 – XML blowup DoS: Description
• The WEBRFC interface can be used to run RFC functions
• By default any user can have access
• Even without S_RFC authorization
• SAP NetWeaver is vulnerable to malformed XML packets
• It is possible to run a DoS attack on the server using a simple script
• It is possible to run it over the Internet!
New. Author: Alexey Tyurin (ERPScan)

• 19. 9 – XML blowup DoS: Demo

• 20. 9 – XML blowup DoS: Business risks
Ease of exploitation – Medium
Espionage – No
Fraud – No
Sabotage – Critical

• 21. 9 – XML blowup DoS: Prevention
• Disable WEBRFC
• Prevent unauthorized access to WEBRFC using S_ICF
• Install SAP notes 1543318 and 1469549
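The slides name the attack class (entity expansion, the "XML blowup") without showing the mechanics. The following is an added example, not code from the deck and not ERPScan's script: it builds a constructed entity-expansion document and then shows the check an XML endpoint such as WEBRFC should run before parsing. The `xml_bomb` generator, the `lolN` entity names, the 1 MB limit and the use of Python's ElementTree stand in for the real NetWeaver packet and parser, which are not reproduced here.

```python
import re
import xml.etree.ElementTree as ET

# Internal-subset declarations of the form <!ENTITY name "value"> and references &name;
ENTITY_DECL = re.compile(r'<!ENTITY\s+(\w+)\s+"([^"]*)"\s*>')
ENTITY_REF = re.compile(r'&(\w+);')


def xml_bomb(depth, fanout, payload="lol"):
    """Constructed attacker document: entity lolN references lolN-1 `fanout` times,
    so a request of a few hundred bytes expands to len(payload) * fanout**depth."""
    decls = ['<!ENTITY lol0 "%s">' % payload]
    for level in range(1, depth + 1):
        decls.append('<!ENTITY lol%d "%s">' % (level, ("&lol%d;" % (level - 1)) * fanout))
    return ('<?xml version="1.0"?>\n<!DOCTYPE root [\n%s\n]>\n<root>&lol%d;</root>'
            % ("\n".join(decls), depth))


def internal_entities(xml_text):
    """Name -> replacement text for every double-quoted internal entity declaration."""
    return dict(ENTITY_DECL.findall(xml_text))


def expanded_length(name, entities, memo=None, _stack=()):
    """Length of &name; after full expansion, computed arithmetically: the expansion
    is never materialised and each entity is measured once (memo), so a 10^9-byte
    bomb is priced in microseconds. Self-referencing entities raise."""
    memo = {} if memo is None else memo
    if name in memo:
        return memo[name]
    if name in _stack:
        raise ValueError("recursive entity reference: &%s;" % name)
    value = entities.get(name)
    if value is None:
        return len("&%s;" % name)  # predefined/unknown entity: count it literally
    total, last = 0, 0
    for m in ENTITY_REF.finditer(value):
        total += m.start() - last
        total += expanded_length(m.group(1), entities, memo, _stack + (name,))
        last = m.end()
    memo[name] = total + len(value) - last
    return memo[name]


def estimated_body_size(xml_text):
    """Bytes the document body (everything after the DOCTYPE) occupies once expanded."""
    body = xml_text[xml_text.rfind("]>") + 2:] if "]>" in xml_text else xml_text
    entities = internal_entities(xml_text)
    memo = {}
    total, last = 0, 0
    for m in ENTITY_REF.finditer(body):
        total += m.start() - last
        total += expanded_length(m.group(1), entities, memo)
        last = m.end()
    return total + len(body) - last


def safe_parse(xml_text, limit=1_000_000):
    """Price the expansion first and refuse anything above `limit` bytes.
    ElementTree's expat parser expands internal entities, so parsing a bomb
    without this check is exactly the resource exhaustion the slide describes."""
    size = estimated_body_size(xml_text)
    if size > limit:
        raise ValueError("entity expansion would produce %d bytes (limit %d)" % (size, limit))
    return ET.fromstring(xml_text)


if __name__ == "__main__":
    small, big = xml_bomb(2, 10), xml_bomb(9, 10)
    print("small bomb: %d bytes on the wire -> %d expanded" % (len(small), estimated_body_size(small)))
    print("big bomb:   %d bytes on the wire -> %d expanded" % (len(big), estimated_body_size(big)))
    print("small parses to %d chars of text" % len(safe_parse(small).text))
    try:
        safe_parse(big)
    except ValueError as exc:
        print("big rejected:", exc)
```

The defender's advantage is that an entity reference can be priced without being paid for: the memoised walk over the internal subset is linear in the number of declarations, while the parser's work is linear in the expanded size. An interface that never needs a DTD should simply reject any DOCTYPE (and all external entities) rather than budget for it.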
• 22. 8 – BAPI script injection / hash stealing: Description
• The SAP BAPI transaction fails to properly sanitize input
• Possible to inject JavaScript code or a link to a fake SMB server
• SAP GUI clients run on Windows, so their credentials will be transferred to the attacker's host
Author: Dmitry Chastukhin (ERPScan)

• 23. 8 – BAPI script injection / hash stealing: Demo
New

• 24. 8 – BAPI script injection / hash stealing: Business risks
Ease of exploitation – Low
Sabotage – High
Espionage – High
Fraud – High

• 25. 7 – SAP GUI bad encryption: Description
• SAP FrontEnd can save encrypted passwords in shortcuts
• Shortcuts are stored in a .sap file
• The password uses a byte-XOR algorithm with a "secret" key
• The key has the same value for every installation of SAP GUI
• Any password can be decrypted in 1 second
New. Author: Alexey Sintsov (ERPScan)

• 26. 7 – SAP GUI bad encryption: Business risks
Sabotage – Medium
Fraud – High
Espionage – High
Ease of exploitation – Medium

• 27. 7 – SAP GUI bad encryption: Prevention
• Disable password storage in GUI
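The weakness on slide 25 is not XOR as such but the fixed key: a password the attacker already knows (for instance from a shortcut on their own workstation) reveals the keystream, and because every installation shares the key, that keystream decrypts everyone else's shortcuts. The following is an added illustration, not the SAP GUI shortcut format and not SAP's key: `HYPOTHETICAL_KEY`, the two shortcut blobs and the assumption of a plain repeating-key XOR over the password bytes are all constructed for this demonstration.

```python
# Placeholder key for the demonstration only; the real SAP GUI key is not reproduced here.
HYPOTHETICAL_KEY = bytes.fromhex("3a7fc2e1954d08b6")


def xor_with_key(data, key):
    """Repeating-key byte XOR. Encryption and decryption are the same function."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def recover_keystream(ciphertext, known_plaintext):
    """Known-plaintext attack: C xor P gives back the keystream bytes that were used."""
    n = min(len(ciphertext), len(known_plaintext))
    return bytes(ciphertext[i] ^ known_plaintext[i] for i in range(n))


def keystream_period(keystream):
    """Smallest period of a byte string, i.e. the length of the repeating key.
    Returns None when the sample is too short to show one full repetition."""
    for period in range(1, len(keystream) // 2 + 1):
        if all(keystream[i] == keystream[i + period] for i in range(len(keystream) - period)):
            return period
    return None


def recover_key(ciphertext, known_plaintext):
    """Full repeating key from one (ciphertext, plaintext) pair at least twice as long
    as the key; None if the pair is too short to be sure of the key length."""
    keystream = recover_keystream(ciphertext, known_plaintext)
    period = keystream_period(keystream)
    return None if period is None else keystream[:period]


def decrypt_shortcuts(shortcuts, key):
    """Once the shared key is known, every stored password falls at once."""
    return {name: xor_with_key(blob, key).decode("latin-1") for name, blob in shortcuts.items()}


# Constructed password blobs: the attacker owns attacker.sap and knows its password; cfo.sap is the target.
SHORTCUT_BLOBS = {
    "attacker.sap": xor_with_key(b"MyOwnPassw0rd2012", HYPOTHETICAL_KEY),
    "cfo.sap": xor_with_key(b"S3cretCFOpw!", HYPOTHETICAL_KEY),
}


def demo():
    """Recover the key from the attacker's own shortcut, then decrypt all of them."""
    key = recover_key(SHORTCUT_BLOBS["attacker.sap"], b"MyOwnPassw0rd2012")
    return key, decrypt_shortcuts(SHORTCUT_BLOBS, key)


if __name__ == "__main__":
    key, passwords = demo()
    print("recovered key:", key.hex())
    for name, password in passwords.items():
        print("%-13s -> %s" % (name, password))
```

Nothing in the attack depends on how "secret" the key is: a single known plaintext of twice the key length is enough, and a password shorter than the key still leaks that many key bytes. The only fix the design allows is the one on slide 27, not storing the password at all.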
• 28. 6 – Remote port scan via JSP: Description
• It is possible to scan the internal network from the Internet
• Authentication is not required
• SAP NetWeaver J2EE engine is vulnerable
/ipcpricing/ui/BufferOverview.jsp?server=172.16.0.13&port=31337&password=&dispatcher=&targetClient=&view=
Author: Alexander Polyakov (ERPScan)

• 29. 6 – Remote port scan via JSP: Demo
The response differs for a closed port, an HTTP port and a SAP port

• 30. 6 – Remote port scan via JSP: Business risks
Espionage – Medium
Fraud – No
Ease of exploitation – High
Sabotage – Low

• 31. 6 – Remote port scan via JSP: Prevention
• Install SAP notes 1548548, 1545883, 1503856, 948851
• Disable unnecessary applications

• 32. 5 – MMC JSESSIONID stealing: Description
• Remote management of the SAP platform
• By default, many commands go without authentication
• Exploits implemented in Metasploit (by ChrisJohnRiley)
• Most of the bugs are information disclosure
• It is possible to find information about the JSESSIONID
• Only if trace is ON
Can be authenticated as an existing user remotely
1) Original bug by ChrisJohnRiley
2) JSESSIONID by Alexey Sintsov and Alexey Tyurin (ERPScan)
New

• 33. 5 – MMC JSESSIONID stealing: Business risks
Espionage – Critical
Sabotage – Medium
Fraud – High
Ease of exploitation – Medium

• 34. 5 – MMC JSESSIONID stealing: Prevention
• The JSESSIONID is not logged in the log file by default
• Don't use TRACE_LEVEL = 3 on production systems, or delete traces after use
• Other info: http://help.sap.com/saphelp_nwpi71/helpdata/en/d6/49543b1e49bc1fe10000000a114084/frameset.htm

• 35. 4 – Remote command execution in TH_GREP: Description
• RCE vulnerability in RFC module TH_GREP
• Found by Joris van de Vis
• SAP was not properly patched (note 1433101)
• We have discovered that the patch can be bypassed on Windows
Original bug by Joris van de Vis (erp-sec)
Bypass by Alexey Tyurin (ERPScan)

• 36. 4 – RCE in TH_GREP: Details
    elseif opsys = 'Windows NT'.
      " Windows branch: the caller-supplied pattern is placed between double quotes unescaped
      concatenate '/c:"' string '"' filename into grep_params in character mode.
    else.
      " Linux branch: single quotes in the pattern are escaped, then the pattern is single-quoted
      replace all occurrences of '''' in local_string with '''"''"'''.
      concatenate '''' local_string '''' filename into grep_params
        in character mode.
    endif.

• 37. 4 – RCE in TH_GREP: Demo #1

• 38. 4 – RCE in TH_GREP: More details
4 ways to execute the vulnerable program:
• Using transaction SE37
• Using transaction SM51 (thanks to Felix Granados)
• Using remote RFC call TH_GREP
• Using SOAP RFC call TH_GREP via web

• 39. 4 – RCE in TH_GREP: Demo #2

• 40. 4 – RCE in TH_GREP: Business risks
Sabotage – Medium
Fraud – High
Espionage – High
Ease of exploitation – Medium

• 41. 4 – RCE in TH_GREP: Prevention
• Install SAP notes 1580017, 1433101
• Prevent access to critical transactions and RFC functions
• Check the ABAP code of your Z-transactions for similar vulnerabilities
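Slide 36 shows why the patch held on Linux and failed on Windows: only one branch escapes the quote character the pattern will later be wrapped in. The following is an added example, not code from the deck and not SAP's kernel or ABAP: it re-implements the two concatenations in Python, runs a simplified quote tracker over the result to show which shell metacharacters survive outside quotes, and ends with the hardened form a Z-program should use instead (a whitelisted pattern passed as an argument vector, so no shell parses it). The quote tracker is a deliberately small model of cmd.exe and POSIX sh quoting, the `grep -c` argument vector is an assumption about what the caller wants, and the file names are invented.

```python
import re

# Characters that cmd.exe (Windows NT branch) and a POSIX shell treat as separators or redirection
CMD_METACHARS = set("&|<>")
SH_METACHARS = set(";&|<>`$")


def grep_params_windows(pattern, filename):
    """Windows NT branch of the patched TH_GREP as shown on slide 36: the pattern is
    dropped unchanged between double quotes. (ABAP CONCATENATE adds no separator;
    the space before the file name is added here for readability.)"""
    return '/c:"' + pattern + '" ' + filename


def grep_params_unix(pattern, filename):
    """Linux branch: every ' in the pattern becomes '\"'\"' and the result is single-quoted."""
    escaped = pattern.replace("'", "'\"'\"'")
    return "'" + escaped + "' " + filename


def unquoted_metachars(params, windows):
    """Simplified quote tracker: returns the metacharacters the shell would see outside
    quotes. cmd.exe only knows double quotes; a POSIX shell nests ' and " in each other."""
    found = []
    in_single = in_double = False
    for ch in params:
        if ch == '"' and not in_single:
            in_double = not in_double
        elif ch == "'" and not windows and not in_double:
            in_single = not in_single
        elif not (in_single or in_double) and ch in (CMD_METACHARS if windows else SH_METACHARS):
            found.append(ch)
    return found


# Hardened form: whitelist the pattern and pass an argument vector, so no shell ever parses it.
SAFE_PATTERN = re.compile(r"^[A-Za-z0-9_./\\: -]+$")


def grep_argv(pattern, filename):
    """Argument vector for subprocess.run(..., shell=False); rejects quotes and metacharacters."""
    if not SAFE_PATTERN.match(pattern):
        raise ValueError("pattern contains characters outside the allowed set: %r" % pattern)
    return ["grep", "-c", pattern, filename]


if __name__ == "__main__":
    win_file, unix_file = r"C:\usr\sap\trace.log", "/usr/sap/trace.log"
    injected = 'x" & whoami & "'
    params = grep_params_windows(injected, win_file)
    print(params, "->", unquoted_metachars(params, windows=True))
    params = grep_params_unix("x' ; whoami ; '", unix_file)
    print(params, "->", unquoted_metachars(params, windows=False))
    print(grep_argv("ERROR", unix_file))
    try:
        grep_argv(injected, unix_file)
    except ValueError as exc:
        print("rejected:", exc)
```

The tracker also shows that the Linux fix is a real fix only for the quoting it was written for: feed it the pre-patch, unescaped form and the `;` separators land outside the quotes again. Escaping per shell dialect is fragile; the argument-vector form removes the shell from the path entirely, which is the check to apply when reviewing your own Z-code as slide 41 advises.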
• 42. 3 – ABAP Kernel BOF: Description
• Presented by Andreas Wiegenstein at BlackHat EU 2011
• Buffer overflow in SAP kernel function C_SAPGPARAM
• Triggered when the NAME field is more than 108 chars
• Can be exploited by calling an FM which uses C_SAPGPARAM
• Example report: RSPO_R_SAPGPARAM
Author: (Virtual Forge)

• 43. 3 – ABAP Kernel BOF: Business risks
Espionage – Critical
Ease of exploitation – Medium
Fraud – Critical
Sabotage – Critical

• 44. 3 – ABAP Kernel BOF: Prevention
• Install SAP notes:
– 1493516 – Correcting buffer overflow in ABAP system call
– 1487330 – Potential remote code execution in SAP Kernel
• Prevent access to critical transactions and RFC functions
• Check the ABAP code of your Z-transactions for critical calls

• 45. 2 – Invoker servlet: Description
• Rapidly calls servlets by their class name
• Published by SAP in their security guides
• Possible to call any servlet from the application
• Even if it is not declared in web.xml
Can be used for auth bypass

• 46. 2 – Invoker servlet: Details
    <servlet>
      <servlet-name>CriticalAction</servlet-name>
      <servlet-class>com.sap.admin.Critical.Action</servlet-class>
    </servlet>
    <servlet-mapping>
      <servlet-name>CriticalAction</servlet-name>
      <url-pattern>/admin/critical</url-pattern>
    </servlet-mapping>
    <security-constraint>
      <web-resource-collection>
        <web-resource-name>Restrictedaccess</web-resource-name>
        <url-pattern>/admin/*</url-pattern>
        <http-method>GET</http-method>
      </web-resource-collection>
      <auth-constraint>
        <role-name>admin</role-name>
      </auth-constraint>
    </security-constraint>
What if we call /servlet/com.sap.admin.Critical.Action?
Author: Dmitry Chastukhin (ERPScan)

• 47. 2 – Invoker servlet: Business risks
Ease of use – Very easy!
Espionage – High
Sabotage – High
Fraud – High

• 48. 2 – Invoker servlet: Prevention
• Update to the latest patch: SAP notes 1467771, 1445998
• The "EnableInvokerServletGlobally" property of the servlet_jsp service must be "false"
If you can't install patches for some reason, you can check all web.xml files using the ERPScan web.xml scanner or manually.

• 49. 1 – Verb tampering

• 50. 1st place – Verb tampering
    <security-constraint>
      <web-resource-collection>
        <web-resource-name>Restrictedaccess</web-resource-name>
        <url-pattern>/admin/*</url-pattern>
        <http-method>GET</http-method>
      </web-resource-collection>
      <auth-constraint>
        <role-name>admin</role-name>
      </auth-constraint>
    </security-constraint>
What if we use HEAD instead of GET?
Author: Alexander Polyakov (ERPScan)

• 51. 1 – Verb tampering: Details
Remotely, without authentication!
• CTC – secret interface for managing the J2EE engine
• Can be accessed remotely
• Can run user management actions:
– Add users
– Add to groups
– Run OS commands
– Start/stop J2EE

• 52. 1 – Verb tampering: Demo

• 53. 1 – Verb tampering: More details
If patched, can be bypassed by the Invoker servlet!

• 54. 1 – Verb tampering: Business risks
Espionage – Critical
Sabotage – Critical
Fraud – Critical
Ease of use – Very easy!

• 55. 1st place – Verb tampering: Prevention
• Install SAP notes 1503579, 1616259
• Install other SAP notes about verb tampering (about 18)
• Scan applications using the ERPScan web.xml check tool or manually
• Secure web.xml by deleting all <http-method> entries
• Disable the applications that are not necessary
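Slides 46 and 50 put the two descriptor mistakes side by side: an `<http-method>` list that protects GET and nothing else, and a class-name route (`/servlet/<class>`) that no URL-pattern constraint covers. Slides 48 and 55 both say to check every web.xml for them. The following is an added example of that check, not the ERPScan web.xml scanner and not SAP's code: `audit_web_xml` parses a descriptor and reports both findings, and `remove_http_method_restrictions` produces the hardened descriptor slide 55 asks for. The sample descriptor is constructed from the fragment on the slides, and the invoker finding assumes the engine's invoker servlet is enabled (the `EnableInvokerServletGlobally` setting is not read from the descriptor, it lives in the engine configuration).

```python
import xml.etree.ElementTree as ET

# Constructed deployment descriptor modelled on the fragment shown on slides 46 and 50.
SAMPLE_WEB_XML = """<web-app>
  <servlet>
    <servlet-name>CriticalAction</servlet-name>
    <servlet-class>com.sap.admin.Critical.Action</servlet-class>
  </servlet>
  <servlet-mapping>
    <servlet-name>CriticalAction</servlet-name>
    <url-pattern>/admin/critical</url-pattern>
  </servlet-mapping>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Restrictedaccess</web-resource-name>
      <url-pattern>/admin/*</url-pattern>
      <http-method>GET</http-method>
    </web-resource-collection>
    <auth-constraint>
      <role-name>admin</role-name>
    </auth-constraint>
  </security-constraint>
</web-app>
"""


def _local(tag):
    """Tag name without namespace ('{http://...}servlet' -> 'servlet')."""
    return tag.rsplit("}", 1)[-1]


def _children(elem, name):
    return [c for c in elem if _local(c.tag) == name]


def _texts(elem, name):
    return [(c.text or "").strip() for c in _children(elem, name)]


def _covered(path, pattern):
    """Servlet-spec matching: '/admin/*' is a path prefix, anything else is exact."""
    if pattern.endswith("/*"):
        return path == pattern[:-2] or path.startswith(pattern[:-1])
    return path == pattern


def audit_web_xml(xml_text):
    """verb_tampering: constraints listing <http-method>, so every other verb (HEAD, POST, ...)
    reaches the same URL pattern unauthenticated.
    invoker_reachable: servlets whose mapped URL is protected but whose class could be
    called as /servlet/<class>, a path no constraint covers (needs the invoker enabled)."""
    root = ET.fromstring(xml_text)
    classes, mappings, protected = {}, {}, []
    for s in _children(root, "servlet"):
        name, cls = _texts(s, "servlet-name"), _texts(s, "servlet-class")
        if name and cls:
            classes[name[0]] = cls[0]
    for m in _children(root, "servlet-mapping"):
        name = _texts(m, "servlet-name")
        if name:
            mappings.setdefault(name[0], []).extend(_texts(m, "url-pattern"))
    verb_tampering = []
    for sc in _children(root, "security-constraint"):
        if not _children(sc, "auth-constraint"):
            continue  # no auth-constraint: nothing is protected here anyway
        for wrc in _children(sc, "web-resource-collection"):
            patterns, methods = _texts(wrc, "url-pattern"), _texts(wrc, "http-method")
            protected.extend(patterns)
            if methods:
                for p in patterns:
                    verb_tampering.append({"url_pattern": p, "protected_methods": methods})
    invoker_reachable = []
    for name, cls in classes.items():
        invoker_path = "/servlet/" + cls
        for p in mappings.get(name, []):
            if (any(_covered(p, prot) for prot in protected)
                    and not any(_covered(invoker_path, prot) for prot in protected)):
                invoker_reachable.append({"servlet_class": cls, "protected_mapping": p,
                                          "invoker_path": invoker_path})
    return {"verb_tampering": verb_tampering, "invoker_reachable": invoker_reachable}


def remove_http_method_restrictions(xml_text):
    """Hardened descriptor (slide 55): drop every <http-method> so the auth-constraint
    applies to all verbs. Returns the rewritten XML text."""
    root = ET.fromstring(xml_text)
    collections = [e for e in root.iter() if _local(e.tag) == "web-resource-collection"]
    for wrc in collections:
        for hm in _children(wrc, "http-method"):
            wrc.remove(hm)
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    print("original:", audit_web_xml(SAMPLE_WEB_XML))
    print("hardened:", audit_web_xml(remove_http_method_restrictions(SAMPLE_WEB_XML)))
```

Running the audit on the hardened output still reports the invoker path: removing `<http-method>` closes the verb-tampering hole, but the class-name route is only closed by the engine setting on slide 48, which is exactly the chain slide 53 describes (patch one, get bypassed by the other).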
• 56. Conclusion
It is possible to be protected from almost all of these kinds of issues, and we are working hard with SAP to make it secure.
• SAP Guides
• It's all in your hands
• Regular security assessments
• ABAP code review
• Monitoring technical security
• Segregation of Duties

• 57. Future work
Many of the researched things cannot be disclosed now because of our good relationship with the SAP Security Response Team, whom I would like to thank for cooperation. However, if you want to see new demos and 0-days, follow us at @erpscan and attend the future presentations:
• PHDays in May (Moscow)
• Just4Meeting in July (Portugal)
• BlackHat USA in July (Las Vegas)

• 58. Greetz to our crew who helped: Dmitriy Evdokimov, Alexey Sintsov, Alexey Tyurin, Pavel Kuzmin, Evgeniy Neelov.
web: www.erpscan.com
e-mail: info@erpscan.com, sales@erpscan.com
Twitter: @erpscan, @sh2kerr