[Onapsis Research Labs] New SAP Security In-Depth issue - The Invoker Servlet: A Dangerous Detour into SAP Java Solutions

Dear colleague,

We are happy to announce the fourth issue of the Onapsis SAP Security In-Depth publication.

Onapsis' SAP Security In-Depth is a free technical publication leaded by the Onapsis Research Labs with the purpose of providing specialized
information about the current and future risks in the SAP security field, allowing all the different actors (financial managers, information security
managers, SAP administrators, auditors, consultants and the general professional community) to better understand the involved risks and the
techniques and tools available to assess and mitigate them.

In this edition: "The Invoker Servlet: A Dangerous Detour into SAP Java Solutions", by Mariano Nuñez Di Croce and Jordan Santarsieri.

"SAP Application Servers Java, supported by the J2EE Engine, serve as the base framework for running critical solutions such as the SAP Enterprise
Portal, SAP Exchange Infrastructure (XI), SAP Process Integration (PI) and SAP Mobile Infrastructure (MI). Furthermore, customers can also deploy
their own custom Java applications over these platforms.

On December 2010, SAP released an important white-paper describing how to protect against common attacks to these applications. Among the security
concepts detailed, there was one that was particularly critical: the Invoker Servlet. This functionality introduces several threats to SAP platforms,
such as the possibility of completely bypassing the authentication and authorization mechanisms.

This publication analyzes the Invoker Servlet Detour attack, identifying the root cause of this threat, how to verify whether your platform is exposed
and how to mitigate it, effectively protecting your business-critical information against cyber attacks."

The full publication can be downloaded from http://www.onapsis.com/resources/get.php?resid=ssid04

We hope you enjoy this new issue!

Kindest regards,

P.S: We are sponsoring BlackHat USA this year, so don't hesitate to come and chat with us at our Booth #706!

The Onapsis Research Labs Team

Onapsis S.R.L
Email: research@xxxxxxxxxxx
Web: www.onapsis.com
PGP: http://www.onapsis.com/pgp/research.asc

Securing Apache Web Server with thawte Digital Certificate
In this guide we examine the importance of Apache-SSL and who needs an SSL certificate. We look at how SSL works, how it benefits your company and how your customers can tell if a site is secure. You will find out how to test, purchase, install and use a thawte Digital Certificate on your Apache web server. Throughout, best practices for set-up are highlighted to help you ensure efficient ongoing management of your encryption keys and digital certificates.


Relevant Pages