
List:       full-disclosure
Subject:    [Full-disclosure] [Onapsis Research Labs] New SAP Security In-Depth
From:       Onapsis Research Labs <research () onapsis ! com>
Date:       2011-07-28 6:13:39
Message-ID: 4E30FE13.8010508 () onapsis ! com

Dear colleague,

We are happy to announce the fourth issue of the Onapsis SAP Security In-Depth publication.

Onapsis' SAP Security In-Depth is a free technical publication led by the Onapsis Research
Labs with the purpose of providing specialized information about the current and future risks
in the SAP security field, allowing all the different actors (financial managers, information
security managers, SAP administrators, auditors, consultants and the general professional
community) to better understand the involved risks and the techniques and tools available to
assess and mitigate them.

In this edition: "The Invoker Servlet: A Dangerous Detour into SAP Java Solutions", by Mariano
Nuñez Di Croce and Jordan Santarsieri.

"SAP Application Servers Java, supported by the J2EE Engine, serve as the base framework for
running critical solutions such as the SAP Enterprise Portal, SAP Exchange Infrastructure (XI),
SAP Process Integration (PI) and SAP Mobile Infrastructure (MI). Furthermore, customers can
also deploy their own custom Java applications over these platforms.

In December 2010, SAP released an important white paper describing how to protect against
common attacks on these applications. Among the security concepts detailed, there was one that
was particularly critical: the Invoker Servlet. This functionality introduces several threats
to SAP platforms, such as the possibility of completely bypassing the authentication and
authorization mechanisms.

This publication analyzes the Invoker Servlet Detour attack, identifying the root cause of this
threat, how to verify whether your platform is exposed and how to mitigate it, effectively
protecting your business-critical information against cyber attacks."

The full publication can be downloaded from
http://www.onapsis.com/resources/get.php?resid=ssid04

We hope you enjoy this new issue!

Kindest regards,

P.S: We are sponsoring BlackHat USA this year, so don't hesitate to come and chat with us at
our Booth #706!

-- 
--------------------------------------------
The Onapsis Research Labs Team

Onapsis S.R.L
Email: research@onapsis.com
Web: www.onapsis.com
PGP: http://www.onapsis.com/pgp/research.asc
--------------------------------------------

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
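The root cause behind the "detour" named in the announcement above, illustrated with an added example that is not part of the original message and is not Onapsis' or SAP's code: a J2EE web application's security constraints are declared in web.xml against URL patterns, while an invoker servlet serves any servlet class directly by name under its own prefix. A constraint on /admin/* therefore never sees a request for /servlet/com.example.admin.AdminServlet, so the container dispatches to the same class with no authentication or authorization check. The script below parses a constructed web.xml, computes for every declared servlet whether its mapped path is protected and whether its invoker path is, and reports the bypass; it then re-runs the check with the invoker servlet disabled and with a catch-all constraint added on /servlet/*. The /servlet/ prefix and the class and package names are assumptions for this example; confirm the prefix your engine actually uses before relying on the check.

```python
"""Added example (not Onapsis' or SAP's code): why an invoker servlet lets a
request detour around web.xml security constraints, and a check to run over a
deployment descriptor. The web.xml content below is constructed for illustration."""
import xml.etree.ElementTree as ET

# Assumption: the invoker servlet serves any servlet class under this prefix,
# e.g. /servlet/com.example.admin.AdminServlet. Verify the prefix on your engine.
INVOKER_PREFIX = "/servlet/"

# Constructed descriptor: the admin servlet is protected only through the URL
# pattern it is mapped to, which is exactly what the detour sidesteps.
WEB_XML = """<web-app>
  <servlet>
    <servlet-name>AdminServlet</servlet-name>
    <servlet-class>com.example.admin.AdminServlet</servlet-class>
  </servlet>
  <servlet>
    <servlet-name>Public</servlet-name>
    <servlet-class>com.example.PublicServlet</servlet-class>
  </servlet>
  <servlet-mapping>
    <servlet-name>AdminServlet</servlet-name>
    <url-pattern>/admin/*</url-pattern>
  </servlet-mapping>
  <servlet-mapping>
    <servlet-name>Public</servlet-name>
    <url-pattern>/public/*</url-pattern>
  </servlet-mapping>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>admin</web-resource-name>
      <url-pattern>/admin/*</url-pattern>
    </web-resource-collection>
    <auth-constraint><role-name>administrator</role-name></auth-constraint>
  </security-constraint>
</web-app>"""

# Same descriptor with a deny-all constraint on the invoker prefix (defence in depth;
# an empty <auth-constraint/> means no role is allowed through).
HARDENED_WEB_XML = WEB_XML.replace("</web-app>", """  <security-constraint>
    <web-resource-collection>
      <web-resource-name>invoker</web-resource-name>
      <url-pattern>/servlet/*</url-pattern>
    </web-resource-collection>
    <auth-constraint/>
  </security-constraint>
</web-app>""")


def pattern_matches(pattern, path):
    """Servlet-spec URL matching: default ("/"), path prefix ("/x/*"), extension ("*.y"), exact."""
    if pattern == "/":
        return True
    if pattern.endswith("/*"):
        base = pattern[:-2]
        return path == base or path.startswith(base + "/")
    if pattern.startswith("*."):
        return path.endswith(pattern[1:])
    return pattern == path


def sample_request(pattern):
    """A concrete request path that the given servlet-mapping pattern would serve."""
    if pattern.endswith("/*"):
        return pattern[:-2] + "/"
    if pattern.startswith("*."):
        return "/x" + pattern[1:]
    return pattern


def protected_patterns(root):
    """URL patterns covered by a constraint that carries an <auth-constraint>."""
    pats = []
    for sc in root.findall("security-constraint"):
        if sc.find("auth-constraint") is None:
            continue  # a constraint without auth-constraint imposes no login requirement
        pats.extend(p.text.strip() for p in sc.findall("web-resource-collection/url-pattern"))
    return pats


def audit(web_xml, invoker_enabled=True):
    """Per servlet class: declared path, whether it is protected, the invoker path,
    and whether the invoker servlet therefore yields an authentication bypass."""
    root = ET.fromstring(web_xml)
    pats = protected_patterns(root)
    classes = {s.findtext("servlet-name").strip(): s.findtext("servlet-class").strip()
               for s in root.findall("servlet")}
    mappings = {m.findtext("servlet-name").strip(): m.findtext("url-pattern").strip()
                for m in root.findall("servlet-mapping")}
    report = {}
    for name, cls in classes.items():
        declared = mappings.get(name)
        declared_protected = declared is not None and any(
            pattern_matches(p, sample_request(declared)) for p in pats)
        invoker_path = INVOKER_PREFIX + cls
        invoker_protected = any(pattern_matches(p, invoker_path) for p in pats)
        report[cls] = {
            "declared_path": declared,
            "declared_protected": declared_protected,
            "invoker_path": invoker_path if invoker_enabled else None,
            "bypass": invoker_enabled and declared_protected and not invoker_protected,
        }
    return report


if __name__ == "__main__":
    for label, xml, enabled in (("as deployed", WEB_XML, True),
                                ("invoker servlet disabled", WEB_XML, False),
                                ("deny-all constraint on /servlet/*", HARDENED_WEB_XML, True)):
        print(label)
        for cls, r in audit(xml, enabled).items():
            print("  %-35s bypass=%s via %s" % (cls, r["bypass"], r["invoker_path"]))
```

The check is static and deliberately conservative: it only flags a class whose mapped path is protected while its invoker path is not, which is the combination that turns an information-disclosure nuisance into a full authentication bypass. Disabling the invoker servlet on the engine, as the SAP white paper referenced above recommends, removes the detour for every application at once; the /servlet/* constraint shown in HARDENED_WEB_XML is a per-application fallback for descriptors you control, not a substitute for that setting.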


