PaulDotCom mailing list archives
Re: Anyone do an assessment on SAP Desktop?
From: "Butturini, Russell" <Russell.Butturini () Healthways com>
Date: Tue, 21 Jun 2011 11:59:03 -0500
There are some fantastically effective modules for SAP inside Metasploit. Used them many times with a great deal of success.

From: Dimitrios Kapsalis [mailto:dimitrios () gmail com]
Sent: Tuesday, June 21, 2011 10:42 AM
To: PaulDotCom Security Weekly Mailing List <pauldotcom () mail pauldotcom com>
Subject: Re: [Pauldotcom] Anyone do an assessment on SAP Desktop?

Thus far I've found several XSS vulnerabilities. The story has been:

1. No input validation was done. We identified the vulnerability and only client-side validation was added.
2. Identified that no server-side validation is present. This is now fixed.

Was more curious if there is anything more sophisticated to look at than just input validation. The SAP Desktop Portal is an interface to many different transactions in SAP. Many of them require the SAPGUI tool in order to be performed.

On Tue, Jun 21, 2011 at 10:19 AM, Brian Erdelyi <brian_erdelyi () yahoo com> wrote:

I recall it is a web based app. When I did testing a few years back I recall finding several XSS vulns. So, check input and output validation.

On Jun 21, 2011, at 11:33 AM, Dimitrios Kapsalis <dimitrios () gmail com> wrote:
Hi All,

I'll be doing an assessment of SAP Desktop in the coming days. Anything that is specific to SAP that I should keep an eye out for? Currently I've treated it as a web application and started preparing my assessment as a regular web application.

Thanks,
Jim

_______________________________________________
Pauldotcom mailing list
Pauldotcom () mail pauldotcom com
http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom
Main Web Site: http://pauldotcom.com
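The remediation story in Dimitrios's message above (no validation, then client-side validation only, then server-side validation) is the usual fix sequence for reflected XSS. The Python sketch below is an added example, not code from the thread, from SAP, or from the SAP Desktop Portal; it assumes a hypothetical portal "display name" field rendered into a greeting, uses constructed sample inputs, and shows why a browser-side check changes nothing for the server, and why server-side validation is paired with output encoding rather than relied on alone.

```python
import html
import re

# Constructed sample values for a hypothetical "display name" form field.
# The first two are legitimate names; the last two are the kind of input
# a client-side check would have stopped in the browser but not on the wire.
SAMPLE_INPUTS = [
    "Dimitrios",
    "O'Brien",
    "<script>alert(1)</script>",
    'x" onmouseover="alert(1)',
]

# Server-side allow-list for the hypothetical field: letters, digits, space,
# dot, hyphen and apostrophe, 1 to 64 characters. An allow-list is checked on
# the server for every request, regardless of what JavaScript did in the browser.
NAME_RE = re.compile(r"^[A-Za-z0-9 .'\-]{1,64}$")


def render_greeting_unvalidated(name: str) -> str:
    """Stage 1 of the thread: the server trusts the browser-side check and
    reflects the submitted value verbatim into the HTML response."""
    return f"<p>Welcome, {name}</p>"


def validate_name(name: str) -> bool:
    """Server-side allow-list check. Returns True only for values that match
    the expected shape of a display name."""
    return NAME_RE.match(name) is not None


def render_greeting_hardened(name: str) -> tuple[bool, str]:
    """Stage 2: validate on the server, then HTML-encode on output anyway.

    Returns (accepted, html). Rejected input produces a fixed error fragment
    rather than echoing the value back. Encoding is kept even for accepted
    values because an allow-listed character such as the apostrophe in
    O'Brien is still meaningful inside an HTML attribute."""
    if not validate_name(name):
        return False, "<p>Invalid display name.</p>"
    return True, f"<p>Welcome, {html.escape(name, quote=True)}</p>"


def is_reflected_unencoded(value: str, page: str) -> bool:
    """Detection helper: does the raw submitted value appear in the response
    byte-for-byte? True means the page reflects input without encoding."""
    return value in page


def evaluate_samples() -> dict[str, dict[str, object]]:
    """Run every constructed sample through both renderers and summarise."""
    results = {}
    for value in SAMPLE_INPUTS:
        naive = render_greeting_unvalidated(value)
        accepted, hardened = render_greeting_hardened(value)
        results[value] = {
            "naive_reflects_raw": is_reflected_unencoded(value, naive),
            "accepted_by_server": accepted,
            "hardened_reflects_raw": is_reflected_unencoded(value, hardened),
        }
    return results


if __name__ == "__main__":
    for value, outcome in evaluate_samples().items():
        print(repr(value), outcome)
```

Running the block shows the two stages side by side: the unvalidated renderer reflects every sample verbatim, while the hardened renderer rejects the two hostile samples at the allow-list and encodes the accepted ones, so even O'Brien no longer appears byte-for-byte in the response. The `is_reflected_unencoded` helper is the same check a tester applies by hand when a submitted marker string comes back unchanged in the page.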
Current thread:
- Anyone do an assessment on SAP Desktop? Dimitrios Kapsalis (Jun 21)
- Re: Anyone do an assessment on SAP Desktop? Brian Erdelyi (Jun 21)
- Re: Anyone do an assessment on SAP Desktop? Dimitrios Kapsalis (Jun 21)
- Re: Anyone do an assessment on SAP Desktop? Brian Erdelyi (Jun 21)
- Re: Anyone do an assessment on SAP Desktop? Butturini, Russell (Jun 21)
- Re: Anyone do an assessment on SAP Desktop? Dimitrios Kapsalis (Jun 21)
- Re: Anyone do an assessment on SAP Desktop? Dimitrios Kapsalis (Jun 21)
- Re: Anyone do an assessment on SAP Desktop? Brian Erdelyi (Jun 21)