Full Disclosure mailing list archives

[Onapsis Research Labs] New SAP Security In-Depth issue - The Invoker Servlet: A Dangerous Detour into SAP Java Solutions


From: Onapsis Research Labs <research () onapsis com>
Date: Wed, 27 Jul 2011 23:13:39 -0700

Dear colleague,

We are happy to announce the fourth issue of the Onapsis SAP Security In-Depth publication.

Onapsis' SAP Security In-Depth is a free technical publication led by the Onapsis Research Labs with the purpose of providing specialized information about the current and future risks in the SAP security field, allowing all the different actors (financial managers, information security managers, SAP administrators, auditors, consultants and the general professional community) to better understand the involved risks and the techniques and tools available to assess and mitigate them.

In this edition: "The Invoker Servlet: A Dangerous Detour into SAP Java Solutions", by Mariano Nuñez Di Croce and Jordan Santarsieri.

"SAP Application Servers Java, supported by the J2EE Engine, serve as the base framework for running critical solutions such as the SAP Enterprise Portal, SAP Exchange Infrastructure (XI), SAP Process Integration (PI) and SAP Mobile Infrastructure (MI). Furthermore, customers can also deploy their own custom Java applications over these platforms.

In December 2010, SAP released an important white-paper describing how to protect against common attacks to these applications. Among the security concepts detailed, there was one that was particularly critical: the Invoker Servlet. This functionality introduces several threats to SAP platforms, such as the possibility of completely bypassing the authentication and authorization mechanisms.

This publication analyzes the Invoker Servlet Detour attack, identifying the root cause of this threat, how to verify whether your platform is exposed and how to mitigate it, effectively protecting your business-critical information against cyber attacks."

The full publication can be downloaded from http://www.onapsis.com/resources/get.php?resid=ssid04

We hope you enjoy this new issue!

Kindest regards,

P.S.: We are sponsoring BlackHat USA this year, so don't hesitate to come and chat with us at our Booth #706!

-- 
--------------------------------------------
The Onapsis Research Labs Team

Onapsis S.R.L
Email: research () onapsis com
Web: www.onapsis.com
PGP: http://www.onapsis.com/pgp/research.asc
--------------------------------------------

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
