PaulDotCom mailing list archives

Re: Anyone do an assessment on SAP Desktop?


From: Dimitrios Kapsalis <dimitrios () gmail com>
Date: Tue, 21 Jun 2011 10:42:20 -0500

Thus far I've found several XSS vulnerabilities.
The story has been:
1. No input validation was done. We identified the vulnerability and only
client-side validation was added.
2. Identified that no server-side validation is present. This is now fixed.

Was more curious if there is anything more sophisticated to look at than just
input validation. The SAP Desktop Portal is an interface to many different
transactions in SAP. Many of them require the SAPGUI tool in order to be
performed.



On Tue, Jun 21, 2011 at 10:19 AM, Brian Erdelyi <brian_erdelyi () yahoo com> wrote:

I recall it is a web based app. When I did testing a few years back I
recall finding several XSS vulns. So, check input and output validation.

On Jun 21, 2011, at 11:33 AM, Dimitrios Kapsalis <dimitrios () gmail com>
wrote:

Hi All,

I'll be doing an assessment of SAP Desktop in the coming days. Anything
that is specific to SAP that I should keep an eye out for? Currently
I've treated it as a web application and started preparing my assessment as
a regular web application.

Thanks,
Jim
_______________________________________________
Pauldotcom mailing list
Pauldotcom () mail pauldotcom com
http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom
Main Web Site: http://pauldotcom.com