Full Disclosure mailing list archives
[Onapsis Research Labs] New SAP Security In-Depth issue - The Invoker Servlet: A Dangerous Detour into SAP Java Solutions
From: Onapsis Research Labs <research () onapsis com>
Date: Wed, 27 Jul 2011 23:13:39 -0700
Dear colleague,

We are happy to announce the fourth issue of the Onapsis SAP Security In-Depth publication.

Onapsis' SAP Security In-Depth is a free technical publication led by the Onapsis Research Labs with the purpose of providing specialized information about the current and future risks in the SAP security field, allowing all the different actors (financial managers, information security managers, SAP administrators, auditors, consultants and the general professional community) to better understand the involved risks and the techniques and tools available to assess and mitigate them.

In this edition: "The Invoker Servlet: A Dangerous Detour into SAP Java Solutions", by Mariano Nuñez Di Croce and Jordan Santarsieri.

"SAP Application Servers Java, supported by the J2EE Engine, serve as the base framework for running critical solutions such as the SAP Enterprise Portal, SAP Exchange Infrastructure (XI), SAP Process Integration (PI) and SAP Mobile Infrastructure (MI). Furthermore, customers can also deploy their own custom Java applications over these platforms.

In December 2010, SAP released an important white paper describing how to protect against common attacks against these applications. Among the security concepts detailed, there was one that was particularly critical: the Invoker Servlet. This functionality introduces several threats to SAP platforms, such as the possibility of completely bypassing the authentication and authorization mechanisms.

This publication analyzes the Invoker Servlet Detour attack, identifying the root cause of this threat, how to verify whether your platform is exposed and how to mitigate it, effectively protecting your business-critical information against cyber attacks."

The full publication can be downloaded from http://www.onapsis.com/resources/get.php?resid=ssid04

We hope you enjoy this new issue!

Kindest regards,

P.S.: We are sponsoring BlackHat USA this year, so don't hesitate to come and chat with us at our Booth #706!
--
--------------------------------------------
The Onapsis Research Labs Team
Onapsis S.R.L
Email: research () onapsis com
Web: www.onapsis.com
PGP: http://www.onapsis.com/pgp/research.asc
--------------------------------------------

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/