1 of 415
Download to read offline
Recommended
EAS-SEC Project
EAS-SEC ProjectERPScan
油
This document discusses securing enterprise business applications. It notes that major companies rely on applications like SAP, Oracle, and Microsoft Dynamics for critical functions. However, these applications are often vulnerable to attacks like espionage, sabotage, and fraud due to issues like outdated versions, poor patching processes, and internet accessibility. The document argues that securing these widely implemented but vulnerable applications is essential for protecting companies and their sensitive data, operations, and financials.Isteeab02
Isteeab02nour1969
油
悋悋愕惠惺悋惡 惺惘悸 悋悖惶忰悋惡 惠悋惡 惠惘悴悸 悋惶忰悋惡悸 悖 悋忰悋惴 悋惡 惺惡惆 悋惡惘 (368-463) 惺惠惡惘 悋惠悋惡 悖悋悧 悋惠惡 悋惠 悖惠 悋惶忰悋惡悸 悋 悴 悋悗 惠悋惡 悖 悋 悵惘 悋惶忰悋惡 惘 惺 愆悧悋 惘 惺 惘愕 悋 惡惺惷 悖惘 惠惠惺 惡 悋惠 惺惘.With big data comes big responsibility
With big data comes big responsibilityERPScan
油
This document discusses OLAP and MDX injection attacks. It provides an overview of OLAP and how MDX is used to query multidimensional data cubes. The document then explains how MDX injections can be used to expose sensitive data by manipulating MDX queries. Specific techniques are described, such as injecting into the WITH or SELECT clauses of an MDX query to conduct partial data retrieval or blind injections.Oracle PeopleSoft applications are under attack (HITB AMS)
Oracle PeopleSoft applications are under attack (HITB AMS)ERPScan
油
Oracle is the second largest vendor on the ERP market, and its PeopleSoft is used in more than 7000 companies including about 50 % of Fortune 100. PeopleSoft applications are widespread over the world with more than 72% of customers in the USA.
On May 28, Alexey Tyurin, Head of Oracle Security Department at ERPScan, presented this talk at the Hack In The Box security conference.
The presentation describes PeopleSoft Architecture and provides several internal and external attack vectors. Lets look at the most dangerous one. PeopleSoft systems are often accessible from the Internet. And some parts of the system have to be available before registration, for example, job application forms or Forgot your password? forms. For this purpose, there is a special user with minimal rights in PeopleSoft systems. When you enter, the system automatically authenticates you as this user. It is an opportunity to perform a privilege escalation attack by bruteforcing the authentication cookie called TokenID. TokenID is generated based on SHA1 hashing algorithm, and according to the latest information, 8-characters alpha-numeric password can be decrypted within one day on latest GPUs that cost about $ 500.SSRF vs. Business-critical applications. XXE tunneling in SAP
SSRF vs. Business-critical applications. XXE tunneling in SAPERPScan
油
Any information an attacker might want is stored in a companys ERP. This information can include financial, customer or public relations, intellectual property, personally identifiable information and more. Industrial espionage, sabotage and fraud or insider embezzlement may be very effective if targeted at the victims ERP system and cause significant damage to the business.
The presentation describes the history of SSRF attack, or Server Side Request Forgery, its types and different kinds of attacks on SAP.
A crushing blow at the heart of SAPs J2EE Engine. 
A crushing blow at the heart of SAPs J2EE Engine. ERPScan
油
Automation of business processes like ERP, PLM, CRM, SRM based on ABAP.
There are the following integration, collaboration and management based on J2EE engine:
- SAP Portal
- SAP PI
- SAP XI
- SAP Mobile Infrastructure
- SAP Solution Manager.
Administrators, developers, pentesters, and researchers mostly focus on ABAP stack. Hackers know about it, so they will find easier ways to control your business.
The presentation describes SAP J2EE Platform Architecture and provides examples of internal and external attacks and ways of its prevention.Architecture vulnerabilities in油SAP油platforms
Architecture vulnerabilities in油SAP油platformsERPScan
油
SAP security becomes a hot theme nowadays. Attacks on SAP can put a business at risk of Espionage, Sabotage and Fraud.
The presentation covers the following architecture and unusual issues:
Authentication Bypass
1. Verb tampering
2. Invoker servlet
Encryption
3. Storage SAPGUI
4. Authentication P4
5. Transfer RFC, Diag
SSRF
6. Port Scan
7. Command execution
8. Security bypass
Also, the presentation gives advice for developers and describes future trends in SAP Security area.Business breakdown vulnerabilities in ERP via ICS and ICS via ERP
Business breakdown vulnerabilities in ERP via ICS and ICS via ERPERPScan
油
This document discusses vulnerabilities in connecting ERP and ICS systems. It notes that while ERP, ICS, and other business systems need to be connected to share information, these connections can be exploited by attackers to infiltrate corporate networks. The document outlines several ways that vulnerabilities in ERP systems, misconfigurations, unnecessary privileges, and system interconnectivity can be leveraged to access sensitive business data or disrupt operations. It emphasizes that securing these connections and monitoring for security issues is critical for business security and continuity.SAP SDM Hacking
SAP SDM HackingERPScan
油
SAP is the most popular business application with more than two hundred forty thousand installations all over the world. But people spend enormous amounts of money to install it and then forget about security. However, in ERP systems, all business processes are performed, all critical information is stored like finances, HR, clients. Not to care about the security of this data is not very sensible.
SAP NetWeaver Development Infrastructure is a complex item. It combines the characteristics and advantages of local development environments with a server-based development landscape. All this stuff centrally provides opportunities to support the software, implement new features, manage lifecycle of a product, etc. So, the main aim is to control deployment of components in the system landscape in a standardized manner.
The key component in DI scheme is Software Deployment Manager (SDM). It is directly related to the production systems, that is why it is so critical.
The presentation describes special features of SDM and provides several SDM attack scenarios along with the ways to prevent them.
Breaking SAP portal (DeepSec)
Breaking SAP portal (DeepSec)ERPScan
油
Dmitry Chastukhin, Director of security consulting at ERPScan, speaks at Deepsec Conference 2012 on SAP Security.
SAP is the most popular business application. There are more than one hundred eighty thousand installations all over the world. But people spend enormous amounts of money to install it and then forget about security. In ERP systems, all business processes are performed, all critical information is stored.
The presentation describes how SAP Portal works and kinds of attacks it can be exposed to.Practical SAP pentesting (B-Sides San Paulo)
Practical SAP pentesting (B-Sides San Paulo)ERPScan
油
All business processes are generally contained in ERP systems. Any information an attacker might want is stored in a companys ERP. This information can include financial, customer or public relations, intellectual property, personally identifiable information and more. And SAP is the most popular business application vendor with more than 250000 customers worldwide.
The workshop conducted by Alexander Polyakov, CTO of ERPScan, at B-Sides Conference 2014 (San Paulo) is a practical SAP pentesting guide.SAP security in figures
SAP security in figuresERPScan
油
The interest in SAP security is growing exponentially, and not only among whitehats. Unfortunately, SAP users still pay little attention to SAP security.
Obtained findings were presented at RSA APAC Conference 2013.
This research focuses on statistics of SAP Vulnerabilities, threats from the Internet, known incidents and future trends.SAP security landscape. How to protect(hack) your(their) big business
SAP security landscape. How to protect(hack) your(their) big businessERPScan
油
This document discusses security risks related to SAP applications. It describes ERPScan, a company that provides SAP security monitoring. It then discusses two specific risks: 1) Credit card data theft, where attackers could access encrypted credit card data stored in SAP tables. 2) Competitive intelligence risks, where attackers could access bidding information in SAP SRM to unfairly underbid competitors. The document emphasizes that SAP systems are complex, customized, and rarely updated, making them vulnerable to attacks.What CISOs should know about SAP security
What CISOs should know about SAP securityERPScan
油
The interest in SAP security has been growing exponentially, and not only among whitehats. SAP invests money and resources in security, provides guidelines, and arranges conferences, but, unfortunately, SAP users still pay little attention to SAP security
There are most important takeaways for CISOs to provide SAP Security for Enterprises. The presentation destroys the SAP Security myths, includes statistics obtained by ERPScan Research Group, and future trends in SAP Security.Assess and monitor SAP security
Assess and monitor SAP securityERPScan
油
This document discusses security threats related to SAP systems. It notes that SAP is one of the most widely used business applications, with over 250,000 customers worldwide. However, SAP systems also contain a wealth of sensitive information and are targets for espionage, sabotage, and fraud. The document outlines how a single compromised SAP system could provide access to critical corporate data and processes. It emphasizes that many SAP instances have not been updated in years and contain thousands of known vulnerabilities. Additionally, SAP systems are highly interconnected both within and between companies, allowing threats to spread widely. Strong security is needed to protect SAP environments and the organizations that rely on them.More Related Content
Viewers also liked (7)
SAP SDM Hacking
SAP SDM HackingERPScan
油
SAP is the most popular business application with more than two hundred forty thousand installations all over the world. But people spend enormous amounts of money to install it and then forget about security. However, in ERP systems, all business processes are performed, all critical information is stored like finances, HR, clients. Not to care about the security of this data is not very sensible.
SAP NetWeaver Development Infrastructure is a complex item. It combines the characteristics and advantages of local development environments with a server-based development landscape. All this stuff centrally provides opportunities to support the software, implement new features, manage lifecycle of a product, etc. So, the main aim is to control deployment of components in the system landscape in a standardized manner.
The key component in DI scheme is Software Deployment Manager (SDM). It is directly related to the production systems, that is why it is so critical.
The presentation describes special features of SDM and provides several SDM attack scenarios along with the ways to prevent them.
Breaking SAP portal (DeepSec)
Breaking SAP portal (DeepSec)ERPScan
油
Dmitry Chastukhin, Director of security consulting at ERPScan, speaks at Deepsec Conference 2012 on SAP Security.
SAP is the most popular business application. There are more than one hundred eighty thousand installations all over the world. But people spend enormous amounts of money to install it and then forget about security. In ERP systems, all business processes are performed, all critical information is stored.
The presentation describes how SAP Portal works and kinds of attacks it can be exposed to.Practical SAP pentesting (B-Sides San Paulo)
Practical SAP pentesting (B-Sides San Paulo)ERPScan
油
All business processes are generally contained in ERP systems. Any information an attacker might want is stored in a companys ERP. This information can include financial, customer or public relations, intellectual property, personally identifiable information and more. And SAP is the most popular business application vendor with more than 250000 customers worldwide.
The workshop conducted by Alexander Polyakov, CTO of ERPScan, at B-Sides Conference 2014 (San Paulo) is a practical SAP pentesting guide.SAP security in figures
SAP security in figuresERPScan
油
The interest in SAP security is growing exponentially, and not only among whitehats. Unfortunately, SAP users still pay little attention to SAP security.
Obtained findings were presented at RSA APAC Conference 2013.
This research focuses on statistics of SAP Vulnerabilities, threats from the Internet, known incidents and future trends.SAP security landscape. How to protect(hack) your(their) big business
SAP security landscape. How to protect(hack) your(their) big businessERPScan
油
This document discusses security risks related to SAP applications. It describes ERPScan, a company that provides SAP security monitoring. It then discusses two specific risks: 1) Credit card data theft, where attackers could access encrypted credit card data stored in SAP tables. 2) Competitive intelligence risks, where attackers could access bidding information in SAP SRM to unfairly underbid competitors. The document emphasizes that SAP systems are complex, customized, and rarely updated, making them vulnerable to attacks.What CISOs should know about SAP security
What CISOs should know about SAP securityERPScan
油
The interest in SAP security has been growing exponentially, and not only among whitehats. SAP invests money and resources in security, provides guidelines, and arranges conferences, but, unfortunately, SAP users still pay little attention to SAP security
There are most important takeaways for CISOs to provide SAP Security for Enterprises. The presentation destroys the SAP Security myths, includes statistics obtained by ERPScan Research Group, and future trends in SAP Security.Assess and monitor SAP security
Assess and monitor SAP securityERPScan
油
This document discusses security threats related to SAP systems. It notes that SAP is one of the most widely used business applications, with over 250,000 customers worldwide. However, SAP systems also contain a wealth of sensitive information and are targets for espionage, sabotage, and fraud. The document outlines how a single compromised SAP system could provide access to critical corporate data and processes. It emphasizes that many SAP instances have not been updated in years and contain thousands of known vulnerabilities. Additionally, SAP systems are highly interconnected both within and between companies, allowing threats to spread widely. Strong security is needed to protect SAP environments and the organizations that rely on them.