[TALK] 🇫🇷 There Is No Place To Run : Assessing SAP Focused Run Security
SAP Focused Run is the brand new product in the SAP world. Introduced in 2020, it is the replacement for the well-known SAP Solution Manager. It is a dedicated type of SAP system used to manage all the others in the company landscape. In other words, this new product will be the technical backbone of many business applications for companies in years to come.

The first part of this talk will describe the research process we used to understand how this new product works, and how we discovered several vulnerabilities. Attendees will learn how weaknesses in connected systems can be leveraged to compromise SAP Focused Run and then the rest of the landscape.

In the second part of the talk, five different vulnerabilities found by Onapsis Research Lab in different SAP products will be shared and presented, along with a complete attack scenario affecting SAP Focused Run. We will speak about vulnerabilities such as Insecure Deserialization, XSLT Injection, Code Injection and Missing Authentication.

Finally, we will provide recommendations and mitigation strategies for all the issues covered in this talk.

About Yvan Genuer
- Yvan Genuer is a Sr. Security Researcher at Onapsis. He has over 17 years of SAP experience. He has been delivering consultancy services around SAP security as well as researching vulnerabilities in SAP products, and has received official acknowledgements from SAP AG for several vulnerabilities he originally reported. He has also given both trainings and talks on this topic at conferences.