Penetration Testing mailing list archives
RE: Pen-Testing SAP
From: Renaud Bidou <rbidou () denyall com>
Date: Tue, 6 Jan 2009 08:51:50 +0100
Has anybody already tested SAPyto? http://www.cybsec.com/EN/research/sapyto.php

Renaud Bidou
R&D Manager
Deny All

-----Original Message-----
From: listbounce () securityfocus com [mailto:listbounce () securityfocus com] On Behalf Of Mike Duncan
Sent: Monday, 5 January 2009 15:02
To: Andrew Johns
Cc: 'mahendra_yn () yahoo com'; 'pen-test () securityfocus com'
Subject: Re: Pen-Testing SAP

Additionally, for SAP, I have found in the past a lot of authentication/authorization issues with RFCs. These can allow someone to execute function calls or BAPIs within SAP without proper controls. You should look to the SAP RFC library for more information.

Mike Duncan
ISSO, Application Security Specialist
Government Contractor with STG, Inc.
NOAA :: National Climatic Data Center

Andrew Johns wrote:
> From experience it pays to examine the db config well - it used to be the case that, e.g., JD Edwards installed Oracle silently during the install with a known password - ChangeOnInstall - for the sysdba a/c, thereby leaving the db wide open to abuse... All too many sites do not have qualified Oracle DBAs and so the password is never/rarely changed. YMMV
>
> ----- Original Message -----
> From: listbounce () securityfocus com <listbounce () securityfocus com>
> To: pen-test () securityfocus com <pen-test () securityfocus com>
> Sent: Wed Dec 31 18:09:17 2008
> Subject: Pen-Testing SAP
>
> Hi,
>
> Let me wish the members of this list a "Happy New Year" for 2009.
>
> I was wondering about the security of packaged solutions like SAP, Siebel & PeopleSoft with regards to pentesting them. Are there any specific tests for these packages, apart from the generic set of pentests which we do on normal web applications? Please let me know if there is any information in line with the above request.
>
> Cheers
> Mahendra.
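The default-password check Andrew Johns recommends, as an added example that is not part of the thread and not anything either poster wrote. It assumes Oracle 11g or later, where the data-dictionary view DBA_USERS_WITH_DEFPWD lists accounts whose password still matches the hash Oracle shipped; DBA_USERS, DBA_ROLE_PRIVS and V$PWFILE_USERS are standard views in those releases. Run it as a DBA:

```sql
-- Added audit query (not from the thread). Lists every account whose password
-- still matches the Oracle-shipped default, with its status and privilege level,
-- so that open, privileged accounts (the SYS / "change_on_install" case above)
-- sort to the top of the report.
-- Assumes Oracle 11g+; DBA_USERS_WITH_DEFPWD does not exist on older releases,
-- where the check has to be made against the vendor's published default list.
SELECT d.username,
       u.account_status,
       u.profile,
       u.created,
       CASE
         WHEN s.grantee IS NOT NULL THEN 'SYSDBA/SYSOPER'   -- in the password file
         WHEN r.grantee IS NOT NULL THEN 'DBA ROLE'         -- granted the DBA role
         ELSE 'ordinary'
       END AS privilege_level
FROM   dba_users_with_defpwd d
JOIN   dba_users u
       ON u.username = d.username
LEFT JOIN (SELECT DISTINCT grantee
           FROM   dba_role_privs
           WHERE  granted_role = 'DBA') r
       ON r.grantee = d.username
LEFT JOIN (SELECT DISTINCT username AS grantee
           FROM   v$pwfile_users) s
       ON s.grantee = d.username
-- open accounts first, then locked/expired ones, then by name
ORDER  BY CASE u.account_status WHEN 'OPEN' THEN 0 ELSE 1 END,
          d.username;
```

Two caveats a reviewer would want noted. First, the view only knows the accounts Oracle itself ships (SYS, SYSTEM, the sample schemas and so on), so an application-created schema such as the one JD Edwards installs is not covered and must be checked against the application vendor's documented defaults. Second, an empty result only says the passwords differ from the shipped hashes; it says nothing about whether the replacements are strong, so pair it with the password-verify function on the account's profile. Any row with ACCOUNT_STATUS = 'OPEN' and a privileged level is the condition the thread warns about and should be fixed by changing the password and locking the account if it is not needed.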
Current thread:
- Re: Pen-Testing SAP Ulises Retamal (Jan 03)
- <Possible follow-ups>
- Re: Pen-Testing SAP Andrew Johns (Jan 03)
- Re: Pen-Testing SAP Mike Duncan (Jan 05)
- RE: Pen-Testing SAP Renaud Bidou (Jan 05)
- Re: Pen-Testing SAP Mike Duncan (Jan 05)
- Re: Pen-Testing SAP Jon Kibler (Jan 05)