

Whitepaper "Architecture and program vulnerabilities in SAP's J2EE engine" from BlackHat USA 2011

Whitepaper on which the presentation "A crushing blow at the heart of SAP J2EE Engine" from BlackHat USA 2011 was based.

Author: Alexander Polyakov

Today, SAP NetWeaver is the most widespread platform for developing enterprise business applications. This talk will focus on one of its black holes: the SAP J2EE engine. Some critical SAP products, such as SAP Portal, SAP Mobile, SAP XI and many other applications, rely on the J2EE engine, which is less discussed than the ABAP engine but also critical. We will explain the architecture of SAP's J2EE engine and give a complete tour of its internals. Thereafter, we will show a number of previously unknown architecture and program vulnerabilities, from auth bypasses, SMB relays, internal scans and XML/SOAP attacks to insecure encryption algorithms and cross-system vulnerabilities in the J2EE platform. Finally, a chained attack that uses multiple logic vulnerabilities and gives full control over SAP's J2EE Engine will be demoed. A free tool will also be presented to automatically scan custom applications against this attack.

A crushing blow at the heart SAP J2EE engine_whitepaper.pdf, 1920 KB

12.08.2011
Whitepaper "Architecture and program vulnerabilities in SAP's J2EE engine" from BlackHat USA 2011


