Penetration Testing mailing list archives

RE: Pen-Testing SAP


From: Renaud Bidou <rbidou () denyall com>
Date: Tue, 6 Jan 2009 08:51:50 +0100

Has anybody already tested SAPyto?
http://www.cybsec.com/EN/research/sapyto.php

Renaud Bidou
R&D Manager
Deny All

-----Original Message-----
From: listbounce () securityfocus com [mailto:listbounce () securityfocus com] On Behalf Of Mike Duncan
Sent: Monday 5 January 2009 15:02
To: Andrew Johns
Cc: 'mahendra_yn () yahoo com'; 'pen-test () securityfocus com'
Subject: Re: Pen-Testing SAP



Additionally, for SAP, I have found in the past a lot of authentication/authorization issues with RFCs. These can allow someone to execute function calls or BAPIs within SAP without proper controls.

You should look to the SAP RFC library for more information.

Mike Duncan
ISSO, Application Security Specialist
Government Contractor with STG, Inc.
NOAA :: National Climatic Data Center
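An added illustration, not code from this thread, of the application-level control whose absence Mike describes: a remote-enabled ABAP function module that performs its own AUTHORITY-CHECK before returning any data, instead of relying on the kernel's S_RFC check alone. The function name Z_EXAMPLE_RFC, its parameters and the authorization object Z_MYOBJ are assumed placeholders.

```abap
FUNCTION z_example_rfc.
*" Remote-enabled function module (RFC flag set in the Function Builder).
*" Importing:  iv_key   TYPE char10  - record key requested by the caller
*" Exporting:  ev_data  TYPE string  - data returned to the caller
*" Exceptions: not_authorized
*" Z_MYOBJ is a hypothetical customer authorization object with the
*" fields ACTVT (activity) and KEYRNG (key range); substitute the real
*" object that protects the data this function exposes.

  " Explicit business-level check. The kernel's S_RFC check only decides
  " whether the caller may invoke the module at all; it says nothing about
  " which records the caller may see, so every RFC entry point must check.
  AUTHORITY-CHECK OBJECT 'Z_MYOBJ'
    ID 'ACTVT'  FIELD '03'      " 03 = display
    ID 'KEYRNG' FIELD iv_key.
  IF sy-subrc <> 0.
    " Fail closed: the caller gets an exception, never partial data.
    RAISE not_authorized.
  ENDIF.

  " Reached only by a caller authorized for this key.
  ev_data = |Record { iv_key }|.

ENDFUNCTION.
```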


Andrew Johns wrote:
From experience it pays to examine the DB config well - it used to be the case that, e.g., JD Edwards installed Oracle silently during the install with a known password - ChangeOnInstall - for the sysdba a/c. Thereby leaving the DB wide open to abuse...

All too many sites do not have qualified Oracle DBAs and so the password is never/rarely changed. YMMV



--------------------------
Sent using BlackBerry


----- Original Message -----
From: listbounce () securityfocus com <listbounce () securityfocus com>
To: pen-test () securityfocus com <pen-test () securityfocus com>
Sent: Wed Dec 31 18:09:17 2008
Subject: Pen-Testing SAP

Hi,

Let me wish the members of this list a "Happy New Year" for 2009.

I was wondering about the security of packaged solutions like SAP, Siebel & PeopleSoft with regards to pentesting them.
Are there any specific tests for these packages, apart from the generic set of pentests which we do on normal web applications?

Please let me know if there is any information in line with the above request.

Cheers
Mahendra.



