Breaking SAP Portal

Alexander Polyakov

Tue, 29th January 2013

Speaker Bio 1:
Alexander is a multi-talented information security professional, and we are delighted to have him on the Hacker Hotshots show.

Organizer of the ZeroNights deep-technical security conference. His expertise covers the security of enterprise business-critical software such as ERP, CRM, SRM, banking and payment-processing software. He is the manager of OWASP-EAS (an OWASP subproject) and a well-known expert in the security of enterprise applications from vendors such as SAP and Oracle, having published a significant number of the vulnerabilities found in those vendors' products, with acknowledgements from SAP. He is the author of multiple whitepapers and surveys on SAP security research, such as "SAP Security in figures". Alexander has been invited to speak and train at international conferences such as BlackHat, RSA, HITB and 30 others around the globe, as well as at internal workshops for SAP and Fortune 500 companies.

Questions and answers

Max, Concise Courses:
What is the latest on SSRF (Server Side Request Forgery) and what is the growth potential? Could SSRF mutate into other types of attacks?

Alexander Polyakov:
After our research, many other companies started their own SSRF attack research, and we found that the Gopher protocol allows sending any kind of TCP packet. Fortunately, Oracle closed this vulnerability in the Java stack. Many people update the Java stack on their laptops but not on their servers. Other security researchers have found ways to attack by sending UDP packets to reconstruct the TCP packets using other protocols, not only the Gopher protocol. It is necessary to have a wide range of attacks for future [enhanced security development].

Max, Concise Courses:
We have had several web shows in the past, with for example Marcia Hofmann from the Electronic Frontier Foundation and Eric Filiol, Director of the European Institute for Computer Antivirus Research. They agreed that not enough is being done by vendors to work with hackers to patch holes from backdoors and firm up code. Your relationship, however, with the SAP Product Security Response Team seems very good. Would you agree that close assistance is generally rare and should be made more accessible? In other words, should vendors welcome ethical hackers?

Alexander Polyakov:
Of course I am sure that this is a great idea, but it is not an easy project. It is very easy for us to find vulnerabilities but not so easy to close them [patch problems], especially if we are talking about the SAP system. [Patching is not just about disabling] the external entity of all the XML interfaces, because they work in different banks etc., so if you disable it then all the economics can stop. So, it is very hard to find a good way to patch the system. This is the main problem of this co-operation, because a lot of security researchers send vulnerability information and that's it; then after one month they can ask, "so, what's happened, did you patch the problem? If not, I will publish the information."