
Presentation "Forgotten World: Corporate Business Application Systems" from BlackHat DC 2011

Presentation from the annual BlackHat DC conference, held in Virginia, USA, 16-19 January. Alexander Polyakov, CTO of Digital Security and Head of DSecRG, together with Val Smith from AttackResearch, give the talk "Forgotten World: Corporate Business Application Systems".

Author: Alexander Polyakov

Agenda: “Do you know where all the critical company data is stored? Do you know how easily you can be attacked by cybercriminals targeting this data? How can an attacker sabotage or commit espionage against your company having access just to one system? This paper will describe some basic and advanced threats and attacks on Enterprise Business Applications – the core of many companies.”

The talk covers enterprise business applications and the ways attackers can gain access to critical business data, steal money, or disable corporate technological networks such as SCADA by using vulnerabilities and misconfigurations in the architecture of business applications. We will show examples from various business applications, both custom ones and popular ones such as SAP and JD Edwards, along with previously unknown vulnerabilities and attack methods that can be exploited not just for popping a shell, but to gain unauthorized access to business-critical data. These attack methods can also be useful in penetration tests against ERP systems. Many of the problems shown cannot be easily patched, because they are design flaws or business logic problems that require a re-design of the system.

The whitepaper can be downloaded here:

Forgotten World - Corporate Business Application Systems (Polyakov,Smith at BlackHat DC).pdf, 1602 KB

© 2002—2014, ERPScan