Great, guys. Thanks! I'll check those out.
On Tue, Jun 21, 2011 at 11:59 AM, Butturini, Russell <[email protected]> wrote:

> There are some fantastically effective modules for SAP inside Metasploit.
> Used them many times with a great deal of success.
>
> *From*: Dimitrios Kapsalis [mailto:[email protected]]
> *Sent*: Tuesday, June 21, 2011 10:42 AM
> *To*: PaulDotCom Security Weekly Mailing List <[email protected]>
> *Subject*: Re: [Pauldotcom] Anyone do an assessment on SAP Desktop?
>
> Thus far I've found several XSS vulnerabilities.
> The story has been:
> 1. No input validation was done. We identified the vulnerability and only client-side validation was added.
> 2. Identified that no server-side validation is present. This is now fixed.
>
> Was more curious if there is anything more sophisticated to look at than just input validation. The SAP Desktop Portal is an interface to many different transactions in SAP. Many of them require the SAPGUI tool in order to be performed.
>
> On Tue, Jun 21, 2011 at 10:19 AM, Brian Erdelyi <[email protected]> wrote:
>
>> I recall it is a web-based app. When I did testing a few years back I recall finding several XSS vulns. So, check input and output validation.
>>
>> On Jun 21, 2011, at 11:33 AM, Dimitrios Kapsalis <[email protected]> wrote:
>>
>>> Hi All,
>>>
>>> I'll be doing an assessment of SAP Desktop in the coming days. Anything that is specific to SAP that I should keep an eye out for? Currently I've treated it as a web application and started preparing my assessment as a regular web application.
>>>
>>> Thanks,
>>> Jim
>>> _______________________________________________
>>> Pauldotcom mailing list
>>> [email protected]
>>> http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom
>>> Main Web Site: http://pauldotcom.com
