Prasanna Kanagasabai, profile picture
Uploaded byPrasanna Kanagasabai
PPT, PDF1,431 views

IronSAP

This document introduces IronSAP, an open source SAP security scanner being developed to automate testing SAP systems for vulnerabilities. It describes several vulnerabilities IronSAP aims to detect, such as revealing sensitive information from error messages, discovering and testing ICF services, bypassing authentication via HTTP header tampering, and remotely managing users without authentication on the SAP management console. The goal is for IronSAP to simplify security testing of SAP systems for penetration testers unfamiliar with SAP.

Embed presentation

Downloaded 29 times
IronSAP
Who Am i Prasanna Kanagasabai Work @ MNC in Bangalore India Pen tester in the DAY, Programmer by NIGHT @prasannain
Scenario My BOSS wants me to test our internal SAP servers and report findings… PROBLEM I have never seen a SAP system I have no knowledge of SAP vulnerabilities Were is the documents available People who deploy and maintain SAP have poor knowledge of security
Solution Download documents on SAP from various sites. Understand the architecture Understand SAP security vulnerabilities Test each vulnerabilities manually Try some of the Open Source SAP testing tools: 1. Bizsploit (http://www.onapsis.com/research-free-solutions.php) 2. Metasploit Modules (http://labs.mwrinfosecurity.com/blog/2012/04/27/mwr-sap-metasploit- modules/) 3. ERPScan's SAP Pentesting Tool (http://erpscan.com/products/erpscan-pentesting-tool/) Buy and run a commercial SAP security scanner
This was case till today
Fortunately it changes tomorrow Introducing "IronSAP" Open Source SAP Security Scanner
Identification via banner Server Header could provide information what the underlying infrastructure is hosted on “Server: SAP J2EE Engine/7.00” Sap systems are no different IronWASP has a passive plug-in that automatically picks these and raises it as a finding
Error Messages SAP Error messages could revel a big deal of critical information. “Errorcode: ICF-NF-http-XXXX_EAZ_00-…………” XXXX -- > Hostname EAZ -- > SAPSID 00 -- > System Number IronSAP can detect this information, it will raise a finding with the pages and critical information found
ICF There are 1500 ICF services that are shipped They behave like any normal server side pages do. They receive web input, process, and output the results Services are divided into Public Services Private Services
ICF Public services are responded without any authentication Private services can request authentication as configured… Most services require authentication
ICF & IronSAP IronSAP can find all the services that respond to a request. (200 OK) If the response was 200 it continues to check If it is a login page or has some interesting content If login is Basic authentication it launches a brute force attack. Automatically checks all HTTP(s) ports and finds interesting pages.
ICF - Info Service A dangerous Public ICF service Found @ /sap/public/info Returns SAP internal information as a XML ironSAP: Icf Finger printer scans and finds the info service and raises a finding in the system.
ICF 2 – SOAP RFC RFC is a protocol to call ABAP programs Not available on the internet ICF service allows access to the underlying RFC If enabled the malicious user can run RFC programs as present in the local network IronSAP: fingerprint finds presence of this ICF service and raises the finding.
Admin Pages SAP has web administration page that has in store real time information on SAP infrastructure. Can be found without authentication IronSAP: fingerprint finds presence of this ICF service and raises the finding
Verb Tampering Web.xml defines if a request should challenge a with a authentication for a given HTTP method A faulty implementation can allow a user to bypass the authentication. IronSAP: attempts to access the resource using “HEAD” for all requests that challenged with a request, records positive outcome.
REMOTE_USER SAP EP can use web access manger for authentication The user contacts the WAM with his credentials The WAM verifies his identity The WAM forwards the user to the SAP EP with a HTTP header with the username of the successful logged in user EP checks its database if the user exists EP sets the SSO logged in cookie
REMOTE_USER The problem is if a request is sent to the SAP EP with the correct header a user could be logged in without having credentials. IronSAP: on finding a portal login it would try to login to the system with different users in REMOTE_USER header.
SAP Start Service SAP management Console found on the SAP system on port 5<instance id>13/14 Installed by Default Remote management of users Information Disclosure No or basic Authentication IronSAP: Queries this web service and retrieves the information from the SAP system and raises the finding
Next For IronSAP Database Security RFC SAP Client attacks SAP Transactions Passwords ABAP
Thank You IronSAP automates the process discovery of the SAP attacks found by the following researchers: Mariano Nuñez DiCroce Chris John Riley Alexander Polyakov Dave Hartley I would also like to thank: Lavakumar (Author of IronWASP) Pavan Kumar (I bugged him nearly every night for information on SAP) Garrage4Hackers (I got a lot of resources from here)
Prasanna Kanagasabai Prasanna.in@gmail.com @prasannain

More Related Content

PDF
APISecurity_OWASP_MitigationGuide
byIsabelle Mauny
 
PDF
API Security - OWASP top 10 for APIs + tips for pentesters
byInon Shkedy
 
PDF
WEBINAR: OWASP API Security Top 10
by42Crunch
 
PDF
AutoBLG by Sun Bo
bymori_tatsuya
 
PDF
Checkmarx meetup API Security - API Security top 10 - Erez Yalon
byAdar Weidman
 
PDF
OWASP API Security Top 10 Examples
by42Crunch
 
PPTX
Vices & Devices - How IoT & Insecure APIs Became the New Cyber Battlefront
byOry Segal
 
PDF
REST API Security by Design with Azure Pipelines
by42Crunch
 
APISecurity_OWASP_MitigationGuide
byIsabelle Mauny
 
API Security - OWASP top 10 for APIs + tips for pentesters
byInon Shkedy
 
WEBINAR: OWASP API Security Top 10
by42Crunch
 
AutoBLG by Sun Bo
bymori_tatsuya
 
Checkmarx meetup API Security - API Security top 10 - Erez Yalon
byAdar Weidman
 
OWASP API Security Top 10 Examples
by42Crunch
 
Vices & Devices - How IoT & Insecure APIs Became the New Cyber Battlefront
byOry Segal
 
REST API Security by Design with Azure Pipelines
by42Crunch
 

What's hot

PDF
OWASP API Security Top 10 - Austin DevSecOps Days
by42Crunch
 
PDF
Sleep better by automating monitoring for your app (CakeFest 2013)
byJuan Basso
 
PPTX
A7 Missing Function Level Access Control
bystevil1224
 
PDF
Restful api design
byMizan Riqzia
 
PPTX
OWASP A7 and A8
byPavan M
 
PDF
The Dev, Sec and Ops of API Security - API World
by42Crunch
 
PDF
WEBINAR: Positive Security for APIs: What it is and why you need it!
by42Crunch
 
PPTX
Best Practices You Must Apply to Secure Your APIs - Scott Morrison, SVP & Dis...
byCA API Management
 
PDF
The Dev, Sec and Ops of API Security - NordicAPIs
by42Crunch
 
PDF
Owasp Top 10-2013
byn|u - The Open Security Community
 
PPTX
Burp intruder
bypenetration Tester
 
DOCX
It and ej
byHarihar Kalia
 
PDF
Beyond OWASP Top 10 - TASK October 2017
byAaron Hnatiw
 
PPTX
Webhooks
byPriyank Thada
 
PPTX
Owasp top 10 security threats
byVishal Kumar
 
PDF
SalesForce WebServices part 2
byMindfire Solutions
 
PDF
Riviera Jug - 20/03/2018 - Kafka streams
byFlorent Ramiere
 
PDF
Are You Properly Using JWTs?
by42Crunch
 
PDF
OISC 2019 - The OWASP Top 10 & AppSec Primer
byThreatReel Podcast
 
PPTX
Hacking mobile apps
bykunwaratul hax0r
 
OWASP API Security Top 10 - Austin DevSecOps Days
by42Crunch
 
Sleep better by automating monitoring for your app (CakeFest 2013)
byJuan Basso
 
A7 Missing Function Level Access Control
bystevil1224
 
Restful api design
byMizan Riqzia
 
OWASP A7 and A8
byPavan M
 
The Dev, Sec and Ops of API Security - API World
by42Crunch
 
WEBINAR: Positive Security for APIs: What it is and why you need it!
by42Crunch
 
Best Practices You Must Apply to Secure Your APIs - Scott Morrison, SVP & Dis...
byCA API Management
 
The Dev, Sec and Ops of API Security - NordicAPIs
by42Crunch
 
Owasp Top 10-2013
byn|u - The Open Security Community
 
Burp intruder
bypenetration Tester
 
It and ej
byHarihar Kalia
 
Beyond OWASP Top 10 - TASK October 2017
byAaron Hnatiw
 
Webhooks
byPriyank Thada
 
Owasp top 10 security threats
byVishal Kumar
 
SalesForce WebServices part 2
byMindfire Solutions
 
Riviera Jug - 20/03/2018 - Kafka streams
byFlorent Ramiere
 
Are You Properly Using JWTs?
by42Crunch
 
OISC 2019 - The OWASP Top 10 & AppSec Primer
byThreatReel Podcast
 
Hacking mobile apps
bykunwaratul hax0r
 

Viewers also liked

PPTX
Javascript Testing
byPrasanna Kanagasabai
 
PPTX
Selenium Conference 2014 -- Bangalore
byPrasanna Kanagasabai
 
PPTX
Automated tests to a REST API
byLuís Barros Nóbrega
 
PDF
PHPSpec & Behat: Two Testing Tools That Write Code For You (#phptek edition)
byJoshua Warren
 
PPTX
BDD for APIs
byJason Harmon
 
PDF
Intro to IronWASP
byn|u - The Open Security Community
 
PDF
Null HYD Playing with shodan null
byRaghunath G
 
PDF
How to Automate API Testing
byBruno Pedro
 
DOCX
FARMACOLOGÍA - MEDICAMENTOS BÁSICOS EN ODONTOLOGÍA
bydedy jhan carlos
 
Javascript Testing
byPrasanna Kanagasabai
 
Selenium Conference 2014 -- Bangalore
byPrasanna Kanagasabai
 
Automated tests to a REST API
byLuís Barros Nóbrega
 
PHPSpec & Behat: Two Testing Tools That Write Code For You (#phptek edition)
byJoshua Warren
 
BDD for APIs
byJason Harmon
 
Intro to IronWASP
byn|u - The Open Security Community
 
Null HYD Playing with shodan null
byRaghunath G
 
How to Automate API Testing
byBruno Pedro
 
FARMACOLOGÍA - MEDICAMENTOS BÁSICOS EN ODONTOLOGÍA
bydedy jhan carlos
 

Similar to IronSAP

PDF
Securing SAP in 5 steps
byERPScan
 
PDF
[CB19] Spyware, Ransomware and Worms. How to prevent the next SAP tragedy by ...
byCODE BLUE
 
PDF
Top 10 most interesting vulnerabilities and attacks in SAP
byERPScan
 
PDF
Assess and monitor SAP security
byERPScan
 
PDF
SAP portal: breaking and forensicating
byERPScan
 
PDF
Your Crown Jewels Online: Further Attacks to SAP Web Applications (RSAConfe...
byOnapsis Inc.
 
PDF
SAP Forensics Detecting White Collar Cyber-crime
byOnapsis Inc.
 
PDF
SAP security in figures
byERPScan
 
PDF
Breaking, forensicating and anti-forensicating SAP Portal and J2EE Engine
byERPScan
 
PDF
Onapsis SAP Forensics: Detecting White-Collar Cyber Crime with SAP Forensics
byOnapsis Inc.
 
PPTX
SAP (In)Security: New and Best
byPositive Hack Days
 
PDF
Attacks to SAP Web Applications: Your crown jewels online (BlackHat DC)
byOnapsis Inc.
 
PDF
CONFidence 2014: Dimitriy Chastuhin: All your sap p@$$w0яd z belong to us
byPROIDEA
 
PDF
Injecting evil code in your SAP J2EE systems. Security of SAP Software Deploy...
byERPScan
 
PDF
Assessing and Securing SAP Solutions
byERPScan
 
PDF
EAS-SEC: Framework for securing business applications
byERPScan
 
PDF
SAP (in)security: New and best
byERPScan
 
PPTX
SAP (in)security: Scrubbing SAP clean with SOAP
byChris John Riley
 
PDF
Architecture vulnerabilities in SAP platforms
byERPScan
 
PPTX
SecZone 2011: Scrubbing SAP clean with SOAP
byChris John Riley
 
Securing SAP in 5 steps
byERPScan
 
[CB19] Spyware, Ransomware and Worms. How to prevent the next SAP tragedy by ...
byCODE BLUE
 
Top 10 most interesting vulnerabilities and attacks in SAP
byERPScan
 
Assess and monitor SAP security
byERPScan
 
SAP portal: breaking and forensicating
byERPScan
 
Your Crown Jewels Online: Further Attacks to SAP Web Applications (RSAConfe...
byOnapsis Inc.
 
SAP Forensics Detecting White Collar Cyber-crime
byOnapsis Inc.
 
SAP security in figures
byERPScan
 
Breaking, forensicating and anti-forensicating SAP Portal and J2EE Engine
byERPScan
 
Onapsis SAP Forensics: Detecting White-Collar Cyber Crime with SAP Forensics
byOnapsis Inc.
 
SAP (In)Security: New and Best
byPositive Hack Days
 
Attacks to SAP Web Applications: Your crown jewels online (BlackHat DC)
byOnapsis Inc.
 
CONFidence 2014: Dimitriy Chastuhin: All your sap p@$$w0яd z belong to us
byPROIDEA
 
Injecting evil code in your SAP J2EE systems. Security of SAP Software Deploy...
byERPScan
 
Assessing and Securing SAP Solutions
byERPScan
 
EAS-SEC: Framework for securing business applications
byERPScan
 
SAP (in)security: New and best
byERPScan
 
SAP (in)security: Scrubbing SAP clean with SOAP
byChris John Riley
 
Architecture vulnerabilities in SAP platforms
byERPScan
 
SecZone 2011: Scrubbing SAP clean with SOAP
byChris John Riley
 

Recently uploaded

PDF
UiPath Coded Agents - A Developer Driven Agentic Automation Era
byUiPathCommunity
 
PDF
Intro to CrafterQ - AI Agent Platform for the Enterprise.pdf
byCrafterQ
 
PPTX
Becoming Frontier for Dynamics 365 Finance PPT
byjonbravetti
 
PDF
Mercury Computer Systems & The Cell Broadband Engine
bySlide_N
 
PDF
Zniber Partners. Audience Foresight for Confident Decisions
bySamuel Zniber
 
PDF
2006 IEEE International Solid-State Circuits Conference
bySlide_N
 
PDF
Presentation of Cybersecurity and data protection
bytarikaityahya2
 
PDF
A paper in the leading academic journal Telecommunication Policy cited Scott ...
byScott M. Graffius
 
PPTX
The Abomination of AI – keynote at ICoSCI 2026
byAlan Dix
 
PPTX
Robot Vacuums are Cleaning Up. The global robot vacuum segment has high marke...
byRobert March
 
PDF
TopMate ES11 3-Wheel Electric Scooter: Comfort, Stability, and Independence f...
byTopmate
 
PDF
TrustArc Webinar - Unpacking India’s DPDP Act: What You Should Know
byTrustArc
 
PDF
Why Enterprises Are Moving to Dedicated Servers in the Netherlands
byAtal Networks
 
PDF
Unlocking Gen AI Capabilities Within UiPath Document Understanding
byDianaGray10
 
PDF
Profiting from Technological Innovation: Managing Intellectual Property to Bu...
byDavid Teece
 
PDF
Philippine Agricultural Engineering Standard_Hand Tractor .pdf
by6xfrnmdp4b
 
PPTX
UNIT 1- Introduction to Basic of Computer Fundamentals
bypawarbhaktiit
 
PDF
January Patch Tuesday
byIvanti
 
PDF
Top 5 Best Dedicated Server Providers in Los Angeles (Updated Edition)
byAtal Networks
 
PPTX
Storage-and-HCI-Positioning-update-sales.pptx
byhungungphu123
 
UiPath Coded Agents - A Developer Driven Agentic Automation Era
byUiPathCommunity
 
Intro to CrafterQ - AI Agent Platform for the Enterprise.pdf
byCrafterQ
 
Becoming Frontier for Dynamics 365 Finance PPT
byjonbravetti
 
Mercury Computer Systems & The Cell Broadband Engine
bySlide_N
 
Zniber Partners. Audience Foresight for Confident Decisions
bySamuel Zniber
 
2006 IEEE International Solid-State Circuits Conference
bySlide_N
 
Presentation of Cybersecurity and data protection
bytarikaityahya2
 
A paper in the leading academic journal Telecommunication Policy cited Scott ...
byScott M. Graffius
 
The Abomination of AI – keynote at ICoSCI 2026
byAlan Dix
 
Robot Vacuums are Cleaning Up. The global robot vacuum segment has high marke...
byRobert March
 
TopMate ES11 3-Wheel Electric Scooter: Comfort, Stability, and Independence f...
byTopmate
 
TrustArc Webinar - Unpacking India’s DPDP Act: What You Should Know
byTrustArc
 
Why Enterprises Are Moving to Dedicated Servers in the Netherlands
byAtal Networks
 
Unlocking Gen AI Capabilities Within UiPath Document Understanding
byDianaGray10
 
Profiting from Technological Innovation: Managing Intellectual Property to Bu...
byDavid Teece
 
Philippine Agricultural Engineering Standard_Hand Tractor .pdf
by6xfrnmdp4b
 
UNIT 1- Introduction to Basic of Computer Fundamentals
bypawarbhaktiit
 
January Patch Tuesday
byIvanti
 
Top 5 Best Dedicated Server Providers in Los Angeles (Updated Edition)
byAtal Networks
 
Storage-and-HCI-Positioning-update-sales.pptx
byhungungphu123
 

IronSAP

  • 1.
  • 2.
    Who Am i PrasannaKanagasabai Work @ MNC in Bangalore India Pen tester in the DAY, Programmer by NIGHT @prasannain
  • 3.
    Scenario My BOSS wantsme to test our internal SAP servers and report findings… PROBLEM I have never seen a SAP system I have no knowledge of SAP vulnerabilities Were is the documents available People who deploy and maintain SAP have poor knowledge of security
  • 4.
    Solution Download documents onSAP from various sites. Understand the architecture Understand SAP security vulnerabilities Test each vulnerabilities manually Try some of the Open Source SAP testing tools: 1. Bizsploit (http://www.onapsis.com/research-free-solutions.php) 2. Metasploit Modules (http://labs.mwrinfosecurity.com/blog/2012/04/27/mwr-sap-metasploit- modules/) 3. ERPScan's SAP Pentesting Tool (http://erpscan.com/products/erpscan-pentesting-tool/) Buy and run a commercial SAP security scanner
  • 5.
    This was casetill today
  • 6.
    Fortunately it changestomorrow Introducing "IronSAP" Open Source SAP Security Scanner
  • 7.
    Identification via banner ServerHeader could provide information what the underlying infrastructure is hosted on “Server: SAP J2EE Engine/7.00” Sap systems are no different IronWASP has a passive plug-in that automatically picks these and raises it as a finding
  • 8.
    Error Messages SAP Errormessages could revel a big deal of critical information. “Errorcode: ICF-NF-http-XXXX_EAZ_00-…………” XXXX -- > Hostname EAZ -- > SAPSID 00 -- > System Number IronSAP can detect this information, it will raise a finding with the pages and critical information found
  • 9.
    ICF There are 1500ICF services that are shipped They behave like any normal server side pages do. They receive web input, process, and output the results Services are divided into Public Services Private Services
  • 10.
    ICF Public services areresponded without any authentication Private services can request authentication as configured… Most services require authentication
  • 11.
    ICF & IronSAP IronSAPcan find all the services that respond to a request. (200 OK) If the response was 200 it continues to check If it is a login page or has some interesting content If login is Basic authentication it launches a brute force attack. Automatically checks all HTTP(s) ports and finds interesting pages.
  • 12.
    ICF - InfoService A dangerous Public ICF service Found @ /sap/public/info Returns SAP internal information as a XML ironSAP: Icf Finger printer scans and finds the info service and raises a finding in the system.
  • 13.
    ICF 2 –SOAP RFC RFC is a protocol to call ABAP programs Not available on the internet ICF service allows access to the underlying RFC If enabled the malicious user can run RFC programs as present in the local network IronSAP: fingerprint finds presence of this ICF service and raises the finding.
  • 14.
    Admin Pages SAP hasweb administration page that has in store real time information on SAP infrastructure. Can be found without authentication IronSAP: fingerprint finds presence of this ICF service and raises the finding
  • 15.
    Verb Tampering Web.xml definesif a request should challenge a with a authentication for a given HTTP method A faulty implementation can allow a user to bypass the authentication. IronSAP: attempts to access the resource using “HEAD” for all requests that challenged with a request, records positive outcome.
  • 16.
    REMOTE_USER SAP EP canuse web access manger for authentication The user contacts the WAM with his credentials The WAM verifies his identity The WAM forwards the user to the SAP EP with a HTTP header with the username of the successful logged in user EP checks its database if the user exists EP sets the SSO logged in cookie
  • 17.
    REMOTE_USER The problem isif a request is sent to the SAP EP with the correct header a user could be logged in without having credentials. IronSAP: on finding a portal login it would try to login to the system with different users in REMOTE_USER header.
  • 18.
    SAP Start Service SAPmanagement Console found on the SAP system on port 5<instance id>13/14 Installed by Default Remote management of users Information Disclosure No or basic Authentication IronSAP: Queries this web service and retrieves the information from the SAP system and raises the finding
  • 19.
    Next For IronSAP DatabaseSecurity RFC SAP Client attacks SAP Transactions Passwords ABAP
  • 20.
    Thank You IronSAP automatesthe process discovery of the SAP attacks found by the following researchers: Mariano Nuñez DiCroce Chris John Riley Alexander Polyakov Dave Hartley I would also like to thank: Lavakumar (Author of IronWASP) Pavan Kumar (I bugged him nearly every night for information on SAP) Garrage4Hackers (I got a lot of resources from here)
  • 22.