SAP: Session (Fixation) Attacks and Protections - Black Hat

More documents

Recommendations

Info

#3 Discovery and Exploitation (1)• Large penetration test (net, web-app, wi-fi)• Some of the target servers were the Intranetwebsite and the SAP systems– Critical business processes and activities• This website contained a link (used byemployees) to the SAP Portal (HTTP)– http(s)://intranet.example.com (NTLM auth)– http://portal.example.com (SAP NW Portal)• SAP Portal redirects to HTTPS versionCopyright © 2011 Taddong S.L. www.taddong.com54
#3 Discovery and Exploitation (2)• HTTP 307: “Temporary Redirect”– https://portal.example.com/irj/portal• The common & “innocent” HTTP redirectiondiscloses all the session cookies: (network traffic)– saplb_*, PortalAlias & JSESSIONID• Even if the reference is HTTPS, the lack of the“secure” attribute makes possible to MitM it andrelay fictitious HTTP to HTTPS (e.g. SSLstrip)• Target SAP Portal supported client-based digitalcertificates (smart card ID) or user/password authCopyright © 2011 Taddong S.L. www.taddong.com55
Page 1 and 2:
UPDATEDwww.taddong.comSAP: Session
Page 3 and 4: Sessions in Web Applications• A w
Page 5 and 6: OWASP Top 10 2010• The Top 10 Mos
Page 7 and 8: WASC Threat Clasification v2.0• W
Page 9 and 10: What Session Fixation Should Be?Obs
Page 11 and 12: Session ID Exchange (1)• Multiple
Page 13 and 14: Session ID ExchangeUsed vs. Accepte
Page 15 and 16: The Attacker is After the…http://
Page 17 and 18: Session Fixation Attackshttp://www.
Page 19 and 20: Attack Vectors (2)• Web traffic i
Page 21 and 22: Attack Vectors (4)• Cross-Site Sc
Page 23 and 24: Session Fixation ExploitationSummar
Page 25 and 26: Three Case Studies• From real-wor
Page 27 and 28: Case Study #1Joomla! Open-Source CM
Page 29 and 30: #1 Discovery and Exploitation• Ta
Page 31 and 32: #1 Vulnerability Disclosure Timelin
Page 33 and 34: Case Study #2Commercial Web Applica
Page 35 and 36: #2 Discovery and Exploitation (1)
Page 39 and 40: #2 Impact• Three possible scenari
Page 41 and 42: WebLogic HTTPS Enforcement (2)• H
Page 45 and 46: #2 Protections (2)HTTPS Secure Cook
Page 47 and 48: #2 Protections (4)WebLogic Session
Page 49 and 50: #2 Protections (6)Summary• Too ma
Page 51 and 52: #2 Protections (8)Industry standard
Page 53: #3 Summary• Session fixation in t
Page 57 and 58: #3 Discovery and Exploitation (4)Co
Page 61 and 62: #3 Impact (1)• Hijack any SAP use
Page 63 and 64: #3 Impact (2)• Direct impact of s
Page 67 and 68: SAP Disclosure Guidelines (1)• SA
Page 69 and 70: #3 Protections (1)• Monthly Patch
Page 71 and 72: #3 Protections (3)• Use HTTPS-onl
Page 73 and 74: ConclusionsCopyright © 2011 Taddon
Page 75 and 76: Conclusions (1)• Session fixation
Page 77 and 78: Conclusions (3)• Impact on the we
Page 79 and 80: Questions? Copyright © 2011 Taddon
show all

SAP: Session (Fixation) Attacks and Protections - Black Hat

Create successful ePaper yourself

Delete template?

Save as template?