Breaking SAP Portal - Proidea
Investigation
• Most actions have icons
• The icons have to be loaded from the server
• Usually, legitimate users already have them all in the browser cache
• Attackers usually don’t have them cached, so their requests for the icons reach the server
• That is how we can identify potentially malicious actions
• But the icon requests should be correlated with a real user’s activity before raising an alert
• False positives are possible:
  • New legitimate user
  • Old user clears the cache
  • Other
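The heuristic on this slide, turned into detection logic over access-log lines. This is an added example, not code from the talk or from SAP: the log line format, the icon directory, the action-to-icon mapping and the thresholds are all assumptions, and the log lines are constructed. A session that downloads (HTTP 200, not a cached 304) the icon of an action shortly before performing that action is flagged; the two false-positive cases from the slide, a user first seen recently and a session that re-downloads many icons at once (cache cleared), are kept but downgraded to low severity.

```python
"""Flag portal sessions whose action requests are preceded by fresh icon downloads.

Assumed log format (one request per line):
    <ISO time> user=<name> sid=<session id> <METHOD> <path> <status>
Icon directory, action paths and thresholds below are example assumptions.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) sid=(?P<sid>\S+) "
    r"(?P<method>[A-Z]+) (?P<path>\S+) (?P<status>\d{3})$"
)

ICON_DIR = "/irj/portalapps/icons/"           # assumed location of the action icons
ACTION_ICONS = {                              # hypothetical action path -> its icon
    "/irj/portal/admin/delete_user": "delete_user.gif",
    "/irj/portal/admin/assign_role": "assign_role.gif",
    "/irj/portal/admin/export_users": "export_users.gif",
}
ICON_WINDOW = timedelta(seconds=30)   # icon must have been downloaded this long before the action
NEW_USER_GRACE = timedelta(days=1)    # account first seen within this span counts as "new user"
CACHE_CLEAR_BURST = 5                 # this many fresh icons in one session looks like a cleared cache


def parse(lines):
    """Parse log lines into dicts sorted by time; lines in another format are skipped."""
    events = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        e = m.groupdict()
        e["ts"] = datetime.fromisoformat(e["ts"])
        e["status"] = int(e["status"])
        events.append(e)
    events.sort(key=lambda e: e["ts"])
    return events


def analyze(lines):
    """Return one finding per action that was preceded by a fresh download of its icon."""
    events = parse(lines)

    first_seen = {}                                   # user -> first timestamp in the log
    fresh_icons = defaultdict(lambda: defaultdict(list))   # sid -> icon -> [download times]
    for e in events:
        first_seen.setdefault(e["user"], e["ts"])
        if e["path"].startswith(ICON_DIR) and e["status"] == 200:   # 304 means it was cached
            fresh_icons[e["sid"]][e["path"][len(ICON_DIR):]].append(e["ts"])

    findings = []
    for e in events:
        icon = ACTION_ICONS.get(e["path"])
        if icon is None:
            continue
        recent = [t for t in fresh_icons[e["sid"]].get(icon, [])
                  if timedelta(0) <= e["ts"] - t <= ICON_WINDOW]
        if not recent:
            continue   # icon came from cache: the normal case for an established user

        # Correlate with the user's history before calling it malicious.
        if e["ts"] - first_seen[e["user"]] <= NEW_USER_GRACE:
            severity, reason = "low", "new user"
        elif len(fresh_icons[e["sid"]]) >= CACHE_CLEAR_BURST:
            severity, reason = "low", "possible cache clear"
        else:
            severity, reason = "high", "established user downloaded the action icon fresh"
        findings.append({"ts": e["ts"].isoformat(), "user": e["user"], "sid": e["sid"],
                         "action": e["path"], "severity": severity, "reason": reason})
    return findings


# Constructed sample log: alice (old account, single fresh icon), bob (icon served from
# cache), carol (brand-new account), dave (old account, re-downloads every icon).
SAMPLE_LOG = [
    "2024-03-01T08:00:00 user=alice sid=S-alice-1 GET /irj/portal 200",
    "2024-02-01T09:00:00 user=dave sid=S-dave-0 GET /irj/portal 200",
    "2024-02-01T09:00:00 user=bob sid=S-bob-0 GET /irj/portal 200",
    "2024-03-05T10:00:05 user=alice sid=S-alice-2 GET /irj/portalapps/icons/delete_user.gif 200",
    "2024-03-05T10:00:10 user=alice sid=S-alice-2 POST /irj/portal/admin/delete_user 200",
    "2024-03-05T11:00:00 user=bob sid=S-bob-1 GET /irj/portalapps/icons/assign_role.gif 304",
    "2024-03-05T11:00:05 user=bob sid=S-bob-1 POST /irj/portal/admin/assign_role 200",
    "2024-03-05T12:00:00 user=carol sid=S-carol-1 GET /irj/portal 200",
    "2024-03-05T12:00:03 user=carol sid=S-carol-1 GET /irj/portalapps/icons/assign_role.gif 200",
    "2024-03-05T12:00:08 user=carol sid=S-carol-1 POST /irj/portal/admin/assign_role 200",
    "2024-03-05T13:00:00 user=dave sid=S-dave-1 GET /irj/portalapps/icons/home.gif 200",
    "2024-03-05T13:00:01 user=dave sid=S-dave-1 GET /irj/portalapps/icons/logout.gif 200",
    "2024-03-05T13:00:02 user=dave sid=S-dave-1 GET /irj/portalapps/icons/delete_user.gif 200",
    "2024-03-05T13:00:03 user=dave sid=S-dave-1 GET /irj/portalapps/icons/assign_role.gif 200",
    "2024-03-05T13:00:04 user=dave sid=S-dave-1 GET /irj/portalapps/icons/export_users.gif 200",
    "2024-03-05T13:00:10 user=dave sid=S-dave-1 POST /irj/portal/admin/export_users 200",
    "this line is not in the expected format and is skipped",
]

if __name__ == "__main__":
    for f in analyze(SAMPLE_LOG):
        print(f"{f['ts']} {f['severity']:4} {f['user']:6} {f['action']}  ({f['reason']})")
```

Only alice ends up as a high-severity finding: bob's browser answered the icon request from its cache, carol is a new account and dave's session looks like a cleared cache. In a real deployment the first-seen date would come from the user store rather than from the log window being analysed, and the action-to-icon mapping would be built from the portal's own content.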