There are some fantastically effective modules for SAP inside Metasploit. Used
them many times with a great deal of success.
From: Dimitrios Kapsalis [mailto:[email protected]]
Sent: Tuesday, June 21, 2011 10:42 AM
To: PaulDotCom Security Weekly Mailing List <[email protected]>
Subject: Re: [Pauldotcom] Anyone do an assessment on SAP Desktop?
Thus far I've found several XSS vulnerabilities.
The story has been:
1. No input validation was done. We identified the vulnerability and only
client-side validation was added.
2. Identified that no server-side validation is present. This is now fixed.
Was more curious if there are any more sophisticated to look at than just input
validation. The SAP Desktop Portal is an interface to many different
transactions in SAP. Many of them require the SAPGUI tool in order to be
performed.
On Tue, Jun 21, 2011 at 10:19 AM, Brian Erdelyi
<[email protected]<mailto:[email protected]>> wrote:
I recall it is a web based app. When I did testing a few years back I recall
finding several XSS vulns. So, check input and out validation.
On Jun 21, 2011, at 11:33 AM, Dimitrios Kapsalis
<[email protected]<mailto:[email protected]>> wrote:
> Hi All,
>
> I'll be doing an assessment of SAP Desktop in the coming days. Anything thing
> that is specific to SAP that I should keep an eye out for? Currently I've
> treated it as a web application and started preparing my assessment as a
> regular web application.
>
> Thanks,
> Jim
> _______________________________________________
> Pauldotcom mailing list
> [email protected]<mailto:[email protected]>
> http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom
> Main Web Site: http://pauldotcom.com
_______________________________________________
Pauldotcom mailing list
[email protected]<mailto:[email protected]>
http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom
Main Web Site: http://pauldotcom.com
******************************************************************************
This email contains confidential and proprietary information and is not to be
used or disclosed to anyone other than the named recipient of this email,
and is to be used only for the intended purpose of this communication.
******************************************************************************
_______________________________________________
Pauldotcom mailing list
[email protected]
http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom
Main Web Site: http://pauldotcom.com
