I was looking at an employee self service portal. I was able to demonstrate how I could send a specially crafted URL to my manager. It sent me the session ID and I was able to hijack the session and approve my own expenses.

Depending on the modules involved you could demonstrate the impact of unauthorized access.

.b

On Jun 21, 2011, at 12:42 PM, Dimitrios Kapsalis <[email protected]> wrote:

> Thus far I've found several XSS vulnerabilities.
> The story has been:
> 1. No input validation was done. We identified the vulnerability and only client-side validation was added.
> 2. Identified that no server-side validation is present. This is now fixed.
>
> Was more curious if there is anything more sophisticated to look at than just input validation. The SAP Desktop Portal is an interface to many different transactions in SAP. Many of them require the SAPGUI tool in order to be performed.
>
> On Tue, Jun 21, 2011 at 10:19 AM, Brian Erdelyi <[email protected]> wrote:
>
>> I recall it is a web-based app. When I did testing a few years back I recall finding several XSS vulns. So, check input and output validation.
>>
>> On Jun 21, 2011, at 11:33 AM, Dimitrios Kapsalis <[email protected]> wrote:
>>
>>> Hi All,
>>>
>>> I'll be doing an assessment of SAP Desktop in the coming days. Anything that is specific to SAP that I should keep an eye out for? Currently I've treated it as a web application and started preparing my assessment as a regular web application.
>>>
>>> Thanks,
>>> Jim
>>> _______________________________________________
>>> Pauldotcom mailing list
>>> [email protected]
>>> http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom
>>> Main Web Site: http://pauldotcom.com
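The thread's two findings (client-side-only validation that had to be redone server-side, and a reflected parameter that leaked a session ID to an attacker-controlled page) map to three server-side controls: an allowlist check that runs on the server, HTML output encoding, and session cookies the browser will not expose to script. The following Python is an added illustration written for this page, not code from the thread or from SAP; the handler names, the `expense_id` format and the sample URL are all constructed for the example.

```python
"""Added example: server-side validation, output encoding and cookie flags.
All names, formats and sample inputs here are constructed for illustration."""
import html
import re
from urllib.parse import parse_qs, urlsplit

# Constructed sample: a crafted link with a script tag in a reflected parameter.
SAMPLE_URL = "https://portal.example.invalid/search?q=%3Cscript%3Eprobe()%3C/script%3E"


def _query_param(url: str, name: str) -> str:
    """Return the first value of a query parameter, or '' if absent."""
    return parse_qs(urlsplit(url).query).get(name, [""])[0]


def reflect_vulnerable(url: str) -> str:
    """Naive search handler: echoes 'q' straight into the page markup.
    A client-side check on the form does nothing here, because the request
    can be sent without the form; this is the reflected-XSS pattern."""
    return f"<p>Results for: {_query_param(url, 'q')}</p>"


def reflect_hardened(url: str) -> str:
    """Same handler with output encoding: free-text search cannot be
    allowlisted, so every character significant to HTML is escaped."""
    return f"<p>Results for: {html.escape(_query_param(url, 'q'), quote=True)}</p>"


def validate_expense_id(value: str) -> bool:
    """Server-side allowlist validation for a field with a strict format
    (constructed rule: 4-8 digits). Anything else is rejected before use."""
    return re.fullmatch(r"[0-9]{4,8}", value) is not None


def approve_expense(url: str) -> dict:
    """Approval endpoint: validate on the server, never trust the client."""
    expense_id = _query_param(url, "expense_id")
    if not validate_expense_id(expense_id):
        return {"status": 400, "error": "invalid expense_id"}
    return {"status": 200, "approved": expense_id}


def session_cookie_header(session_id: str) -> str:
    """Set-Cookie value for a session: HttpOnly keeps document.cookie from
    reading it, Secure keeps it off cleartext HTTP, SameSite limits
    cross-site sending. This limits what a reflected script can exfiltrate."""
    return f"SESSIONID={session_id}; Path=/; Secure; HttpOnly; SameSite=Strict"


def missing_cookie_flags(set_cookie: str) -> list:
    """Audit helper: list which protective attributes a Set-Cookie value lacks.
    Attribute names are matched case-insensitively, as browsers do."""
    attrs = {part.strip().split("=", 1)[0].lower() for part in set_cookie.split(";")[1:]}
    return [flag for flag in ("Secure", "HttpOnly", "SameSite") if flag.lower() not in attrs]


if __name__ == "__main__":
    print("vulnerable:", reflect_vulnerable(SAMPLE_URL))
    print("hardened:  ", reflect_hardened(SAMPLE_URL))
    print(approve_expense("https://portal.example.invalid/approve?expense_id=12345"))
    print(approve_expense("https://portal.example.invalid/approve?expense_id=12345%3Cb%3E"))
    print("weak cookie lacks:", missing_cookie_flags("SESSIONID=abc; Path=/"))
    print("hardened cookie lacks:", missing_cookie_flags(session_cookie_header("abc")))
```

The point of keeping `reflect_vulnerable` beside `reflect_hardened` is that the only difference is where the data is treated: encoding happens at the point the value is written into HTML, on the server, regardless of what the browser-side form did. `missing_cookie_flags` is the kind of check worth running against every `Set-Cookie` header seen during an assessment like the one in the thread.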
