Description: Slides: https://deepsec.net/docs/Slides/Deepsec_2011_Mariano_Nunez_Di_Croce_-_Your%20crown%20jewels%20online_-_Further_Attacks_to_SAP_Web_Applications.pdf
"SAP platforms are only accessible internally." You may have heard that several times. While that was true in many organizations more than a decade ago, the current situation is completely different: driven by modern business requirements, SAP systems are getting more and more connected to the Internet. This drastically widens the pool of possible attackers, since remote malicious parties can now try to compromise the organization's SAP platform in order to carry out espionage, sabotage and fraud.
SAP provides several Web interfaces, such as the Enterprise Portal, the Internet Communication Manager (ICM) and the Internet Transaction Server (ITS). Each of these components has its own security model and technical infrastructure, and each may be prone to its own specific vulnerabilities. If those are exploited, your business crown jewels can end up in the hands of cyber criminals.
Through many live demos, this talk will explain how remote attackers may compromise the security of different SAP Web components and what you can do to avoid it. In particular, an authentication-bypass vulnerability affecting "hardened" SAP Enterprise Portal implementations will be detailed.
Update: New attacks not presented at previous conferences will also be demonstrated. You will see how the content of your SAP Enterprise Portal may be accessed by anonymous attackers from the Internet by abusing weak default configurations. We'll also talk about a misconfiguration in default SAP Java Application Servers that may allow access to sensitive features, bypassing authentication and authorization. As usual, you will learn which protection measures you need to implement before your business crown jewels are gone.
This talk was held at the DeepSec 2011 conference.
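The abstract names three SAP web entry points (ICM, Enterprise Portal, ITS) and warns that weak default configurations can leave them reachable to anonymous Internet users. A first check a defender wants is simply: which of our documented SAP entry points answer an unauthenticated request from outside? The script below is an added example, not code from the talk or its slides. The three paths are SAP's documented defaults (the ICM public info service, the Enterprise Portal entry URL and the ITS/WebGUI handler); the host name, the fetch helper and the verdict rules are assumptions for illustration, and a 200 from a path proves only that the component answers without a session, not that a specific vulnerability is present.

```python
"""Added example: report which well-known SAP web entry points answer an
unauthenticated HTTP request.  Not the talk's own tooling."""
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple
import urllib.error
import urllib.request

# Documented default entry points of the components named in the abstract.
# Reachability without a session is the thing to verify; it is not, by itself,
# proof of a vulnerability.
SAP_ENTRY_POINTS: Dict[str, str] = {
    "/sap/public/info": "ICM public info service (system details)",
    "/irj/portal": "Enterprise Portal entry URL",
    "/sap/bc/gui/sap/its/webgui": "ITS / SAP GUI for HTML",
}

# A fetcher returns (HTTP status, response headers); 0 means no answer at all.
Fetcher = Callable[[str], Tuple[int, Dict[str, str]]]


@dataclass
class Finding:
    path: str
    status: int
    description: str
    verdict: str


def urllib_fetch(url: str) -> Tuple[int, Dict[str, str]]:
    """Real fetcher: one GET without credentials, redirects not followed."""
    class NoRedirect(urllib.request.HTTPRedirectHandler):
        def redirect_request(self, req, fp, code, msg, headers, newurl):
            return None  # surface 3xx as an HTTPError instead of following it

    opener = urllib.request.build_opener(NoRedirect)
    req = urllib.request.Request(url, headers={"User-Agent": "sap-exposure-check"})
    try:
        with opener.open(req, timeout=5) as resp:
            return resp.status, dict(resp.headers)
    except urllib.error.HTTPError as e:
        return e.code, dict(e.headers)
    except (urllib.error.URLError, OSError):
        return 0, {}


def verdict_for(status: int, headers: Dict[str, str]) -> str:
    """Assumed classification rules: map a raw answer to a short verdict."""
    location = next((v for k, v in headers.items() if k.lower() == "location"), "")
    if status == 0:
        return "unreachable"
    if status == 401 or (status in (301, 302, 303, 307) and "logon" in location.lower()):
        return "auth-required"          # challenged or bounced to a logon page
    if status == 200:
        return "anonymous-access"       # served content with no session at all
    if status in (403, 404):
        return "denied-or-absent"       # ICF node inactive, filtered, or missing
    return "other"


def check_host(base_url: str, fetch: Fetcher = urllib_fetch) -> List[Finding]:
    """Probe every documented entry point on one host and classify the answers."""
    base = base_url.rstrip("/")
    findings = []
    for path, description in SAP_ENTRY_POINTS.items():
        status, headers = fetch(base + path)
        findings.append(Finding(path, status, description, verdict_for(status, headers)))
    return findings


def exposed_paths(findings: List[Finding]) -> List[str]:
    """Paths that answered anonymously: the ones to review against policy."""
    return [f.path for f in findings if f.verdict == "anonymous-access"]


if __name__ == "__main__":
    # Hypothetical host; replace with the external name of your own system.
    for f in check_host("https://sap.example.com"):
        print(f"{f.status:>3}  {f.verdict:<16} {f.path}  ({f.description})")
```

Run it from a network position that represents an Internet user, not from inside the SAP landscape, since the whole point is the external view; a fake fetcher (a dict of canned answers) is enough to exercise the classification offline.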
Tags: securitytube, Confidence, hacking, hackers, information security, convention, computer security, deepsec-11, deepsec-2011
Disclaimer: We are an infosec video aggregator and this video is linked from an external website. The original author may be different from the user re-posting/linking it here. Please do not assume the authors to be the same without verifying.