our crown jewels online: Attacks to SAP Web Applications
"SAP platforms are only accessible internally". You may have heard that several times. While that was true in many organizations more than a decade ago, the current situation is completely different: driven by modern business requirements, SAP systems are getting more and more connected to the Internet. This scenario drastically increases the universe of possible attackers, as remote malicious parties can try to compromise the organization's SAP platform in order to perform espionage, sabotage and fraud attacks.
SAP provides different Web interfaces, such as the Enterprise Portal, the Internet Communication Manager (ICM) and the Internet Transaction Server (ITS). These components feature their own security models and technical infrastructures, which may be prone to specific security vulnerabilities. If exploited, your business crown jewels can end up in the hands of cyber criminals. This talk will explain how remote attackers may compromise the security of different SAP Web components and what you can do to avoid it. In particular, an authentication-bypass vulnerability affecting "hardened" SAP Enterprise Portal implementations will be detailed. You will understand the real business implications of the exploitation of these technical weaknesses.
We will present several LIVE demos, from remote command execution shells through Web interfaces up to unauthorized access to sensitive business information such as credit card transactions and financial data.
About Mariano Nuñez Di Croce
Mariano Nunez Di Croce is the CEO at Onapsis. Mariano is a renowned researcher in the ERP & SAP Security field, being the first to present on real-world security attacks to SAP platforms. Since then, he has been invited to lecture in some of the most important security conferences in the world, such as BlackHat DC/USA/EU, HITB Dubai/EU, DeepSec, Troopers, Ekoparty, Sec-T, Hack.lu and Seacure.it, as well as in Fortune-100 companies and military organizations. Mariano has discovered more than 50 vulnerabilities in SAP, Microsoft, Oracle and IBM applications. He leads the strategic development of Onapsis X1, and has been the lead developer of the first open-source SAP & ERP Penetration Testing Frameworks and lead author of the "SAP Security In-Depth" publication. Mariano is also a founding member of BIZEC, the Business Security Community. Because of his research work, he has been interviewed and featured in mainstream media such as Reuters, IDG, New York Times, eWeek, PCWorld, Darkreading and others.