0-day XSS vulnerability on SAP website put customers’ data at risk of theft by hackers

May 2015 by ERPScan

ERPScan’s Security Research and Threat Intelligence division has identified the public disclosure of a highly critical 0-day vulnerability affecting SAP.com.

On the 4th of May 2015, security researcher v0raz reported on the xssposed.org website a 0-day XSS (Cross-Site Scripting) vulnerability on sap.com (the site has 4 vulnerabilities reported by security researchers). The vulnerability remained unpatched for at least 3 days, putting sap.com users, visitors and administrators at risk of being compromised by malicious hackers.

The XSS vulnerability on the SAP website put customers’ data at risk of being stolen by hackers. Theft of information such as cookies, personal data, authentication credentials and browser history is probably the least dangerous consequence of an XSS attack. In the worst case, an XSS attack can give an attacker full control of a website, along with the ability to intrude into corporate networks and all mission-critical assets.

Customers’ security is of primary concern to us. Our Security Research and Intelligence team continuously analyses all public resources for any data leakage related to mission-critical systems such as SAP or Oracle ERP systems and business applications. We alerted the SAP Security Response Team immediately and they are working on it. We would also like to alert all customers and strongly recommend to them, and to the users of SAP websites, not to open any seemingly malicious links from untrusted sources while they are logged into the SAP website until this vulnerability is patched.

- adds Taran Kambo, VP of Customer Success at ERPScan.

XSS attacks are becoming more and more sophisticated these days and are being used in combination with spear phishing, social engineering and drive-by attacks.

One of the most important angles of SAP Security, apart from vulnerabilities in SAP platforms, is the security of custom programs. Companies develop custom programs on top of their systems, as SAP is more like a framework on which organizations build their own systems using different languages and platforms such as ABAP, JAVA and XSJS or the UI5 framework. These customizations mean that every SAP system in an organization is unique. Apart from major platform vulnerabilities and configuration issues (such as password policies, default users, encryption, unnecessary services, Verb Tampering vulnerabilities, RFC connections and SAP Gateway attacks) that exist in almost every SAP installation, companies may have issues in custom programs which are of the same importance as SAP platform security. Usually about 50% of an SAP implementation's code base is actually custom programs which extend or modify SAP functionality.

Eventually one needs to be sure that all 3 layers of SAP Security, namely Platform Security, Custom Code Security and Segregation of Duties, are covered together to have clear visibility of the holistic picture.

- adds Alexander Polyakov, CTO ERPScan

These custom programs usually have vulnerabilities such as XSS, Missing Authorization Checks and Directory Traversal (the top 3 most rampant vulnerabilities according to our "Analysis of 3000 vulnerabilities in SAP" report published by ERPScan 6 months ago). This top 3 list remains relevant to date with slight changes, and these 3 issues cover 66% of all the most frequent vulnerabilities in the source code of SAP systems.

XSS is actually the most common of these, and as part of our job in helping companies to be secure, we continuously publish guidelines for securing SAP from different angles. ERPScan’s aim is to alert SAP and our clients to every event regarding SAP Security and to help companies in dealing with them.

We were able to react swiftly to this incident, combining the existing knowledge base provided in our solutions and the efforts of our Research and Intelligence team. On the 6th of May we published a guideline on how to improve SAP NetWeaver ABAP, JAVA and SAP HANA security by protecting the listed solutions from XSS attacks.

- adds Alexander Polyakov, ERPScan’s CTO.

The latest guideline is a 27-page report with comprehensive details on how to secure SAP systems from all types of XSS attacks for every type of development platform that can be used in an SAP infrastructure.

Apart from general information about XSS vulnerabilities, this report provides comprehensive information on how to:

Prevent issues on the source code level during development;
Minimize attack possibility by securely configuring application during implementation;
Maximize visibility by securely configuring logs to identify cyberattacks or an attack attempt if it were to happen.

For the detailed guide please follow this link, and follow our blog, where we will keep you posted on our latest research; and don’t forget to implement the latest SAP Security Notes every month. Identifying a problem is easy, but providing a working solution is often easier said than done, and resolving such tough challenges is what ERPScan is all about.
