Alexander Polyakov's Blog (25)

SAP Afaria: how to wipe mobile devices clean with one text message

In the previous blog entry, we described how to exploit an XSS vulnerability in SAP Afaria. Today’s post is dedicated to another security issue affecting Afaria.

( Read More: Checklist On Skillset Required For An Incident Management Person )

Control…

Continue

Added by Alexander Polyakov on February 15, 2016 at 1:30am — No Comments

SAP Security for CISO’s. Part two: Beginner’s introduction to SAP

This time we will speak about SAP in particular. So, what is SAP? First of all, SAP is a German company that develops and sells business software. SAP is famous for its ERP system - the most widespread business application. However, SAP provides much more than just an ERP. In 2005, it introduced its SAP Business Suite – a number of integrated business applications such as ERP, CRM, PLM, SCM, and SRM. These business applications consist of different components. For example, ERP includes…

Continue

Added by Alexander Polyakov on February 15, 2016 at 1:30am — No Comments

SAP Afaria Stored XSS vulnerability - detailed review

Today we will show how SAP Afaria, an MDM solution from a world-famous software vendor, works and how cybercriminals can attack it in different ways.

In a nutshell, MDM is a set of services that help an administrator of a large company to control the mobile devices (smartphones, tablets, phablets and so on and so forth) of employees, thus establishing the security measures of corporate data stored and processed on those devices. A special application called MDM client is installed on…

Continue

Added by Alexander Polyakov on November 25, 2015 at 8:32pm — No Comments

PeopleSoft Security Part 3: PeopleSoft SSO & TokenChpoken Attack

In the third part of the PeopleSoft Security series,we will describe on how to log-in any account and gain full access to the PeopleSoft system.

What is PeopleSoft SSO and how does it work?

Like many other enterprise business applications, PeopleSoft supports various Single Sign-On technologies. SSO enables authentication into several systems by a single action: a user logs into one system manually and into others automatically.

PeopleSoft supports its own…

Continue

Added by Alexander Polyakov on October 1, 2015 at 8:30pm — No Comments

PeopleSoft Security Part 2: “Decrypting” AccessID

Now that we have covered PeopleSoft Architecture, it is time to continue with PeopleSoft security and describe some attack vectors against PeopleSoft system discovered by ERPScan researchers. The first one is an attack on back-end systems.

First, we should clarify some essential terms:

  • User ID – a PeopleSoft user account.
  • Connect ID – a special account with minimal DBMS privileges.
  • Access ID – a special account with a high level of DBMS…
Continue

Added by Alexander Polyakov on October 1, 2015 at 8:00pm — No Comments

Securing SAP Systems from XSS vulnerabilities Part 4: Defense for SAP HANA XS

Today’s post is the last in the series of articles about XSS vulnerabilities in SAP systems. The previous parts describe how to prevent XSS in SAP NetWeaver ABAP and SAP NetWeaver J2EE.

XSS is one of the most popular vulnerabilities and its effect can range from a petty nuisance to a significant security risk, depending on the sensitivity of the data. In SAP products, 628 XSS vulnerabilities were discovered that is almost 22%…

Continue

Added by Alexander Polyakov on August 25, 2015 at 5:48pm — No Comments

Securing SAP Systems from XSS vulnerabilities Part 3: Defense for SAP NetWeaver J2EE

From the developer’s perspective

For AS Java, the encoding is available as tc_sec_csi.jar. There is a static class and an interface which provides the encodings for HTML/XML, JavaScript, CSS and URL. Also it is available to use methods of public class StringUtils (com.sap.security.core.server.csi.util.StringUtils):

  • escapeScriptEndTag(String pStr) - Prepare a string to be used for a javascript…
Continue

Added by Alexander Polyakov on August 25, 2015 at 5:47pm — No Comments

Securing SAP Systems from XSS vulnerabilities Part 2: Defense for SAP NetWeaver ABAP

We continue our series of posts giving a review of one of the most frequent vulnerability which affects a lot of SAP modules: cross-site scripting, or XSS. Today's post describes how to protect SAP NetWeaver ABAP from XSS.

From the developer’s perspective

For all generic Web applications where you accept input parameters, you must use encoding methods provided by the ICF handler. The implementation of the encoding is…

Continue

Added by Alexander Polyakov on August 25, 2015 at 5:46pm — No Comments

PeopleSoft Security Part 1: Overview of architecture

Oracle PeopleSoft applications are quite complex and consist of many components, so does their security. While there is almost no research on PS security, successful attacks against such systems happen from time to time. That’s why we decided to start a series of articles about some aspects of PS security.

These applications are designed to address the most complex business requirements. They…

Continue

Added by Alexander Polyakov on August 24, 2015 at 6:44pm — No Comments

Oracle Security: Researchers' response to the post by Oracle CSO Mary Ann Davidson

Hello, dear readers! Today I would like to talk about Oracle Security.

On August 11, Mary Ann – Oracle's CSO - published an incredibly shocking post about security researchers which was promptly deleted (either by herself or somebody else). The post was discussed by multiple resources such as…

Continue

Added by Alexander Polyakov on August 24, 2015 at 6:38pm — No Comments

Car recalls and sabotage attacks against MES systems

No doubt you had heard about Chrysler’s recall of affected cars as it appeared in all the top media. You’ll be even more surprised if you see how many recalls happened because of technical issues in recent months. But there is something that we may miss beyond the headlines, some important potential sabotage vectors may happen or are even happening now to increase these…

Continue

Added by Alexander Polyakov on August 4, 2015 at 4:31pm — No Comments

Universities are at risk of data breaches: is it possible to protect them?

Last Wednesday Harvard University announced that on June 19 an intrusion on Faculty of Arts and Sciences and Central Administration information technology networks was discovered. According to the announcement on Harvard website, this breach affected eight different schools and thought to have exposed students’ log-in credentials. University IT staff denied that any personal data or information from internal…

Continue

Added by Alexander Polyakov on July 14, 2015 at 4:58pm — No Comments

SAP vulnerabilities highlighted in many Cyber Security Reports

Recently, HP published their yearly Cyber Risk Report 2015. Having many typical things spotlighted in this report such as growing number of ATM and IOT Security events, we have found some parts that are relevant to business application security, which we are honored to share with our readers, customers and partners.

According to their report, HP Zero Day Initiative were busy coordinating the disclosure and remediation of over…

Continue

Added by Alexander Polyakov on June 25, 2015 at 7:41pm — No Comments

Chinese attack on USIS using SAP vulnerability - Detailed review and comments

Intro

On 11th of May, a security headline broke out in the news, it was about an attack on USIS (U.S. Investigations Services) conducted potentially by Chinese state-sponsored hackers via a vulnerability in SAP Software. Hackers broke into third-party software in 2013 to open personal records of federal employees and contractors with access to classified intelligence, according to the government's largest private employee investigation…

Continue

Added by Alexander Polyakov on June 25, 2015 at 6:30pm — No Comments

SAP Passwords part 2: SAP HANA Secure Storage. How it works

In our previous article we’ve already covered how SAP ABAP Security Storage works. Today’s post is dedicated to SAP HANA Security Storage.

SAP HANA is a recent key product of SAP. It is a software solution based on the in-memory technology, that reduces the time of the data processing significantly.

This product has obviously caused an excitement among large enterprises interested in…

Continue

Added by Alexander Polyakov on June 24, 2015 at 4:00pm — No Comments

Securing SAP Systems from XSS vulnerabilities Part 1: Introduction

With this article we are starting new series of posts giving a review of one of the most frequent vulnerability which affects a lot of SAP modules: cross-site scripting, or XSS. XSS is by far one of the most popular vulnerability indeed in all products and a most popular vulnerability in SAP products with total number of 628 vulnerabilities that is almost 22% of all vulnerabilities ever found in SAP during 12 years. You can find this in our latest research…

Continue

Added by Alexander Polyakov on June 17, 2015 at 3:45pm — No Comments

ERPScan warns SAP Clients about serious vulnerabilities in Microsoft affecting Afaria and other products

April 17, 2015 – As a part of monthly updates Microsoft released security update MS15-034 which closes vulnerability in driver HTTP.sys which enables an attacker to execute arbitrary code on OS remotely.

This update has a critical status as almost every modern version of Microsoft operating systems (Windows 7, Windows Server 2008 R2, Windows 8, Windows Server 2012, Windows 8.1, and Windows Server 2012 R2) is vulnerable.

We…

Continue

Added by Alexander Polyakov on June 17, 2015 at 12:49pm — No Comments

SAP Mobile Platform Security: Introduction

Mobile devices are actively integrated into business processes. Companies have more and more business applications and mobile devices. Employees increasingly bring their own equipment to the workplace (BYOD policy – Bring Your Own Device) and gain access to critical corporate information.

SAP Mobile Platform (or SMP, formerly called Sybase Unwired Platform, or SUP) is a MEAP (Mobile Enterprise Application Platform) solution. SMP is used for monitoring…

Continue

Added by Alexander Polyakov on June 17, 2015 at 12:48pm — No Comments

SAP NetWeaver ABAP Security Configuration Part 5: Insecure Settings

Each application has several security settings that do not fit into any of the critical issues groups mentioned in our series of articles.Among such settings there are both standard settings (such as password length or the number of attempts given to enter invalid password) and the specific to the system, individual settings. In this article we are going to use as an example the SAP Gateway service access settings.

[EASAI-NA-15] Minimal…

Continue

Added by Alexander Polyakov on April 2, 2015 at 8:00pm — No Comments

SAP NetWeaver ABAP Security Configuration Part 4: Open remote management interfaces

Today we are going on with our series of articles where we describe the 33 steps to security. The subject is of great significance not only to a small group of SAP infosec specialists, but to all those people who work with ERP systems as recent years have witnessed an increased awareness of business data protection problems. Not to go into details, let us get right to the topic. 

The SAP NetWeaver platform includes not only the Dispatcher service…

Continue

Added by Alexander Polyakov on March 26, 2015 at 3:00pm — No Comments

© 2020   Created by CISO Platform.   Powered by

Badges  |  Report an Issue  |  Privacy Policy  |  Terms of Service