Social Network For Security Executives: Network, Learn & Collaborate
In the previous blog entry, we described how to exploit an XSS vulnerability in SAP Afaria. Today’s post is dedicated to another security issue affecting Afaria.
Added by Alexander Polyakov on February 15, 2016 at 1:30am
This time we will speak about SAP in particular. So, what is SAP? First of all, SAP is a German company that develops and sells business software. SAP is best known for its ERP system, one of the most widely deployed business applications. However, SAP provides much more than just an ERP. In 2005, it introduced SAP Business Suite, a set of integrated business applications such as ERP, CRM, PLM, SCM, and SRM. These applications are made up of different components. For example, ERP includes…
Added by Alexander Polyakov on February 15, 2016 at 1:30am
Today we will show how SAP Afaria, an MDM solution from a world-famous software vendor, works and how cybercriminals can attack it in different ways.
In a nutshell, MDM is a set of services that helps the administrators of a large company control employees' mobile devices (smartphones, tablets, phablets and the like) and enforce security measures for the corporate data stored and processed on those devices. A special application called an MDM client is installed on…
Added by Alexander Polyakov on November 25, 2015 at 8:32pm
In the third part of the PeopleSoft Security series, we will describe how to log in as any account and gain full access to the PeopleSoft system.
Like many other enterprise business applications, PeopleSoft supports various Single Sign-On technologies. SSO enables authentication to several systems with a single action: a user logs into one system manually and is logged into the others automatically.
PeopleSoft supports its own…
Added by Alexander Polyakov on October 1, 2015 at 8:30pm
Now that we have covered PeopleSoft Architecture, it is time to continue with PeopleSoft security and describe some attack vectors against PeopleSoft systems discovered by ERPScan researchers. The first one is an attack on back-end systems.
First, we should clarify some essential terms:
Added by Alexander Polyakov on October 1, 2015 at 8:00pm
Today’s post is the last in the series of articles about XSS vulnerabilities in SAP systems. The previous parts describe how to prevent XSS in SAP NetWeaver ABAP and SAP NetWeaver J2EE.
XSS is one of the most common vulnerabilities, and its impact ranges from a petty nuisance to a significant security risk, depending on the sensitivity of the data. In SAP products, 628 XSS vulnerabilities have been discovered, which is almost 22%…
Added by Alexander Polyakov on August 25, 2015 at 5:48pm
Added by Alexander Polyakov on August 25, 2015 at 5:47pm
We continue our series of posts reviewing one of the most frequent vulnerabilities affecting many SAP modules: cross-site scripting, or XSS. Today's post describes how to protect SAP NetWeaver ABAP from XSS.
For all generic Web applications that accept input parameters, you must use the encoding methods provided by the ICF handler. The implementation of the encoding is…
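Added example, not code from the original post or from SAP: a minimal ICF handler that reflects a request parameter into an HTML page, with the unencoded (vulnerable) line kept as a comment next to the encoded version. The class name zcl_demo_xss_handler and the parameter name "name" are assumptions; IF_HTTP_EXTENSION, the ESCAPE built-in and CL_ABAP_FORMAT are standard NetWeaver ABAP (7.40 or later for the inline DATA(...) declarations), but the teaser above does not name them.

```abap
" Added example (not from the original post). Class and parameter names are
" assumptions; the handler is registered on a service node in transaction SICF.
CLASS zcl_demo_xss_handler DEFINITION PUBLIC CREATE PUBLIC.
  PUBLIC SECTION.
    INTERFACES if_http_extension.
ENDCLASS.

CLASS zcl_demo_xss_handler IMPLEMENTATION.
  METHOD if_http_extension~handle_request.
    " Untrusted input: ?name=... from the query string or the form body.
    DATA(lv_name) = server->request->get_form_field( name = 'name' ).

    " VULNERABLE (kept as a comment): the raw parameter lands in the HTML body,
    " so ?name=<script>alert(document.cookie)</script> runs in the victim's
    " browser inside the SAP session.
    " DATA(lv_body) = |<html><body>Hello { lv_name }</body></html>|.

    " HARDENED: encode for the exact context the value is written into.
    " e_html_text for HTML text, e_html_attr inside an attribute value,
    " e_js inside a <script> block, e_url inside a URL. The encoder has to
    " match the context; one generic "sanitize" call is not enough.
    DATA(lv_safe) = escape( val    = lv_name
                            format = cl_abap_format=>e_html_text ).
    DATA(lv_body) = |<html><body>Hello { lv_safe }</body></html>|.

    server->response->set_header_field( name  = 'Content-Type'
                                        value = 'text/html; charset=utf-8' ).
    server->response->set_cdata( data = lv_body ).
    server->response->set_status( code = 200 reason = 'OK' ).
  ENDMETHOD.
ENDCLASS.
```

Setting an explicit Content-Type with a charset matters as well: without it the browser guesses the encoding, and an encoder that is correct for UTF-8 can be bypassed under a different charset. On releases older than 7.02 that lack ESCAPE, cl_http_utility=>escape_html covers the HTML-text case.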
Added by Alexander Polyakov on August 25, 2015 at 5:46pm
Oracle PeopleSoft applications are quite complex and consist of many components, and so does their security. While there is almost no public research on PS security, successful attacks against such systems happen from time to time. That is why we decided to start a series of articles on some aspects of PS security.
These applications are designed to address the most complex business requirements. They…
Added by Alexander Polyakov on August 24, 2015 at 6:44pm
Hello, dear readers! Today I would like to talk about Oracle Security.
On August 11, Mary Ann Davidson, Oracle's CSO, published an incredibly shocking post about security researchers, which was promptly deleted (either by herself or by somebody else). The post was discussed by multiple outlets such as…
Added by Alexander Polyakov on August 24, 2015 at 6:38pm
No doubt you have heard about Chrysler's recall of affected cars, as it appeared in all the top media. You may be even more surprised to see how many recalls have happened because of technical issues in recent months. But there is something we may miss beyond the headlines: some important potential sabotage vectors may happen, or are even happening now, to increase these…
Added by Alexander Polyakov on August 4, 2015 at 4:31pm
Last Wednesday Harvard University announced that on June 19 an intrusion into the Faculty of Arts and Sciences and Central Administration IT networks was discovered. According to the announcement on the Harvard website, the breach affected eight different schools and is thought to have exposed students' log-in credentials. University IT staff denied that any personal data or information from internal…
Added by Alexander Polyakov on July 14, 2015 at 4:58pm
Recently, HP published its yearly Cyber Risk Report 2015. Alongside the typical things spotlighted in this report, such as the growing number of ATM and IoT security events, we found some parts that are relevant to business application security, which we are honored to share with our readers, customers and partners.
According to the report, HP's Zero Day Initiative was busy coordinating the disclosure and remediation of over…
Added by Alexander Polyakov on June 25, 2015 at 7:41pm
On May 11, a security headline broke in the news about an attack on USIS (U.S. Investigations Services), potentially conducted by Chinese state-sponsored hackers via a vulnerability in SAP software. Hackers broke into third-party software in 2013 to open personal records of federal employees and contractors with access to classified intelligence, according to the government's largest private employee investigation…
Added by Alexander Polyakov on June 25, 2015 at 6:30pm
In our previous article we already covered how SAP ABAP Security Storage works. Today's post is dedicated to SAP HANA Security Storage.
SAP HANA is a recent key product of SAP. It is a software solution based on in-memory technology that reduces data processing time significantly.
This product has obviously caused excitement among large enterprises interested in…
Added by Alexander Polyakov on June 24, 2015 at 4:00pm
With this article we are starting a new series of posts reviewing one of the most frequent vulnerabilities affecting many SAP modules: cross-site scripting, or XSS. XSS is by far one of the most common vulnerabilities in all products, and the most common vulnerability in SAP products, with a total of 628 vulnerabilities, almost 22% of all vulnerabilities ever found in SAP over 12 years. You can find this in our latest research…
Added by Alexander Polyakov on June 17, 2015 at 3:45pm
April 17, 2015: As part of its monthly updates, Microsoft released security update MS15-034, which closes a vulnerability in the HTTP.sys driver that enables an attacker to execute arbitrary code on the OS remotely.
This update is rated critical, as almost every modern version of Microsoft's operating systems (Windows 7, Windows Server 2008 R2, Windows 8, Windows Server 2012, Windows 8.1, and Windows Server 2012 R2) is vulnerable.
Added by Alexander Polyakov on June 17, 2015 at 12:49pm
Mobile devices are being actively integrated into business processes. Companies have more and more business applications and mobile devices. Employees increasingly bring their own equipment to the workplace (the BYOD policy, Bring Your Own Device) and gain access to critical corporate information.
SAP Mobile Platform (SMP, formerly Sybase Unwired Platform, or SUP) is a Mobile Enterprise Application Platform (MEAP) solution. SMP is used for monitoring…
Added by Alexander Polyakov on June 17, 2015 at 12:48pm
Each application has several security settings that do not fit into any of the groups of critical issues mentioned in our series of articles. Among such settings there are both standard ones (such as password length or the number of invalid password attempts allowed) and settings specific to the individual system. In this article we use the SAP Gateway service access settings as an example.
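Added example, not from the original post: the two SAP Gateway access-control files, secinfo (who may start external programs) and reginfo (who may register external RFC servers), in their version-2 syntax, with a permissive setting next to a restricted one. The host names, program names and parameter values are illustrative assumptions; the file format, keywords and profile parameters are those of the NetWeaver gateway as far as I know them, and the teaser above does not list them.

```text
# Added example (not from the original post). Instance profile parameters that
# point the gateway at its ACL files; paths are assumptions.
gw/sec_info = $(DIR_DATA)$(DIR_SEP)secinfo
gw/reg_info = $(DIR_DATA)$(DIR_SEP)reginfo
gw/acl_mode = 1    # 1: restrictive defaults when an ACL file is missing

# secinfo, WEAK: any user on any host may start any external program
#VERSION=2
P TP=* USER=* HOST=* USER-HOST=*

# secinfo, RESTRICTED: only the local host may start sapxpg, everything
# else is denied. Rules are matched top to bottom, first hit wins, so the
# final D line is the default.
#VERSION=2
P TP=sapxpg USER=* HOST=local USER-HOST=local
D TP=* USER=* HOST=* USER-HOST=*

# reginfo, WEAK: any host may register any program name, which lets an
# attacker pose as a registered RFC server and receive its traffic
#VERSION=2
P TP=* HOST=*

# reginfo, RESTRICTED: one named host registers one named program, the
# instance's own application servers may register, everything else denied
#VERSION=2
P TP=SAPSLDAPI HOST=sldhost.example.com ACCESS=internal CANCEL=internal
P TP=* HOST=internal ACCESS=internal CANCEL=internal
D TP=* HOST=*
```

After editing the files, reload them from transaction SMGW (Goto, Expert Functions, External Security) rather than restarting, and check the gateway log for rejected registrations and program starts before tightening further; a rule that is too narrow breaks legitimate RFC servers rather than failing safe.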
Added by Alexander Polyakov on April 2, 2015 at 8:00pm
Today we go on with our series of articles describing the 33 steps to security. The subject is of great significance not only to a small group of SAP infosec specialists but to everyone who works with ERP systems, as recent years have seen increased awareness of business data protection problems. Without going into details, let us get right to the topic.
The SAP NetWeaver platform includes not only the Dispatcher service…
Added by Alexander Polyakov on March 26, 2015 at 3:00pm