PaulDotCom mailing list archives

Re: Anyone do an assessment on SAP Desktop?

From: "Butturini, Russell" <Russell.Butturini () Healthways com>
Date: Tue, 21 Jun 2011 11:59:03 -0500

There are some fantastically effective modules for SAP inside Metasploit. Used them many times with a great deal of 
success.

From: Dimitrios Kapsalis [mailto:dimitrios () gmail com]
Sent: Tuesday, June 21, 2011 10:42 AM
To: PaulDotCom Security Weekly Mailing List <pauldotcom () mail pauldotcom com>
Subject: Re: [Pauldotcom] Anyone do an assessment on SAP Desktop?

Thus far I've found several XSS vulnerabilities.
The story has been:
1. No input validation was done. We identified the vulnerability and only client-side validation was added.
2. Identified that no server-side validation is present. This is now fixed.

Was more curious if there are any more sophisticated to look at than just input validation. The SAP Desktop Portal is 
an interface to many different transactions in SAP. Many of them require the SAPGUI tool in order to be performed.

On Tue, Jun 21, 2011 at 10:19 AM, Brian Erdelyi <brian_erdelyi () yahoo com<mailto:brian_erdelyi () yahoo com>> wrote:
I recall it is a web based app.  When I did testing a few years back I recall finding several XSS vulns.  So, check 
input and out validation.

On Jun 21, 2011, at 11:33 AM, Dimitrios Kapsalis <dimitrios () gmail com<mailto:dimitrios () gmail com>> wrote:

Hi All,

I'll be doing an assessment of SAP Desktop in the coming days. Anything thing that is specific to SAP that I should 
keep an eye out for? Currently I've treated it as a web application and started preparing my assessment as a regular 
web application.

Thanks,
Jim
_______________________________________________
Pauldotcom mailing list
Pauldotcom () mail pauldotcom com<mailto:Pauldotcom () mail pauldotcom com>
http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom
Main Web Site: http://pauldotcom.com

_______________________________________________
Pauldotcom mailing list
Pauldotcom () mail pauldotcom com<mailto:Pauldotcom () mail pauldotcom com>
http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom
Main Web Site: http://pauldotcom.com


******************************************************************************
This email contains confidential and proprietary information and is not to be used or disclosed to anyone other than 
the named recipient of this email, 
and is to be used only for the intended purpose of this communication.
******************************************************************************

_______________________________________________
Pauldotcom mailing list
Pauldotcom () mail pauldotcom com
http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom
Main Web Site: http://pauldotcom.com

Current thread:

Anyone do an assessment on SAP Desktop? Dimitrios Kapsalis (Jun 21)
- Re: Anyone do an assessment on SAP Desktop? Brian Erdelyi (Jun 21)
  - Re: Anyone do an assessment on SAP Desktop? Dimitrios Kapsalis (Jun 21)
    - Re: Anyone do an assessment on SAP Desktop? Brian Erdelyi (Jun 21)
    - Re: Anyone do an assessment on SAP Desktop? Butturini, Russell (Jun 21)
    - Re: Anyone do an assessment on SAP Desktop? Dimitrios Kapsalis (Jun 21)