Your crown jewels online: Further Attacks to SAP Web Applications presented at DeepSec 2011

by Mariano Croce

Tags: Security

Summary: "SAP platforms are only accessible internally." You may have heard that several times. While that was true in many organizations more than a decade ago, the current situation is completely different: driven by modern business requirements, SAP systems are getting more and more connected to the Internet. This scenario drastically increases the universe of possible attackers, as remote malicious parties can try to compromise the organization's SAP platform in order to perform espionage, sabotage and fraud attacks.
SAP provides different Web interfaces, such as the Enterprise Portal, the Internet Communication Manager (ICM) and the Internet Transaction Server (ITS). These components feature their own security models and technical infrastructures, which may be prone to specific security vulnerabilities. If exploited, your business crown jewels can end up in the hands of cyber criminals.
Through many live demos, this talk will explain how remote attackers may compromise the security of different SAP Web components and what you can do to avoid it. In particular, an authentication-bypass vulnerability affecting "hardened" SAP Enterprise Portal implementations will be detailed.
Update: New attacks not presented in previous conferences will also be demonstrated. You will see how the content of your SAP Enterprise Portal may be accessed by anonymous attackers from the Internet, abusing weak default configurations. We'll also talk about a misconfiguration in default SAP Java Application Servers that may allow access to sensitive features, bypassing authentication and authorization capabilities. As usual, you will learn which protection measures you need to implement before your business crown jewels are gone.