SAP products are very widespread in the corporate world. Many enterprises run SAP software for a whole variety of purposes. Since enterprises feature many levels of interconnection, a great deal of these systems ends up being exposed, usually by means of portals. The term "portal" is a trigger for penetration testers, because portals are the gateways to curiosity, and probably to compromises. A portal may give an attacker access to the systems that store all information about your company and process all of your critical business transactions. You now have compelling reasons to attend DeepSec 2012, for we have a collection of SAP security talks and a workshop for you.
Alexander Polyakov talks about how to attack SAP Portal. It is usually connected to the Internet. In turn, the Internet is connected to your friendly penetration testing teams and, of course, to the attackers. The presentation will walk you through the security architecture of the Portal itself and of selected applications. In times of "cyberwar" 0-days are all the fashion, so Mr Polyakov will discuss how to obtain full control over SAP Portal and the systems connected to it without leaving any traces, by employing a number of 0-day vulnerabilities. Statistics from the open project www.sapscan.com (which is focused on scanning the Internet for SAP systems using various methodologies) will also be presented to show the real state of current SAP Portal security. If your opponents know where to attack, so should you.
This talk is recommended for anyone responsible for the security of the infrastructure SAP (Portal) lives on, for developers, for penetration testers, for security researchers, and for administrators who get blamed for security breaches.