Leading SAP SE partner in discovering and solving security vulnerabilities

ERPScan WEBXML Checker


ERPScan WEBXML Checker is a freeware tool for checking the security configuration of SAP J2EE applications by scanning their WEB.XML deployment descriptors. It inspects a WEB.XML file for vulnerabilities and misconfigurations such as verb tampering, invoker servlet bypass and other weak settings. Detailed information about these vulnerabilities can be found in the whitepaper "Architecture and program vulnerabilities in SAP's J2EE engine" presented at the BlackHat conference.


The tool checks whether the following attacks are possible against a J2EE application:

  1. Information disclosure through error codes (no custom error pages, so container defaults leak details)
  2. Authentication bypass through verb tampering (security constraints that list specific HTTP methods leave all other verbs unprotected)
  3. Interception of critical data through lack of SSL encryption for data transfer (no CONFIDENTIAL transport guarantee)
  4. Cookie stealing through lack of SSL for authentication (login traffic sent in the clear)
  5. Cookie stealing through XSS: checks that session cookies are set with HttpOnly=true
  6. Session stealing when the JSESSIONID is not confined to a cookie (e.g. URL-based session tracking)
  7. Increased CSRF or XSS exposure due to a large session timeout
  8. Unauthorized actions through locally enabled invoker servlets
  9. Invoker servlet bypass: checks whether /* and /servlet/* are covered by a security-constraint
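
The script below is an added illustration of how such a WEB.XML review can be automated; it is not ERPScan's code and does not reproduce the tool's logic. It parses two constructed deployment descriptors (one deliberately weak, one hardened) with the Python standard library and reports findings corresponding to checks 1, 2, 3, 5, 6, 7, 8 and 9 above. The sample XML, the finding names, the assumed servlet name `invoker`, and the 30-minute threshold used for "large session timeout" are assumptions made for this example; check 4 (SSL for the login exchange) is not modelled.

```python
"""Added example: a minimal WEB.XML misconfiguration checker (not ERPScan's code)."""
import xml.etree.ElementTree as ET

# Constructed sample (not from any real SAP system): a deliberately weak descriptor.
WEAK_WEB_XML = """<?xml version="1.0" encoding="UTF-8"?>
<web-app xmlns="http://java.sun.com/xml/ns/javaee" version="3.0">
  <servlet-mapping>
    <servlet-name>invoker</servlet-name>
    <url-pattern>/servlet/*</url-pattern>
  </servlet-mapping>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>admin</web-resource-name>
      <url-pattern>/admin/*</url-pattern>
      <http-method>GET</http-method>
      <http-method>POST</http-method>
    </web-resource-collection>
    <auth-constraint><role-name>administrator</role-name></auth-constraint>
  </security-constraint>
  <session-config>
    <session-timeout>1440</session-timeout>
    <cookie-config><http-only>false</http-only></cookie-config>
    <tracking-mode>URL</tracking-mode>
  </session-config>
</web-app>
"""

# Constructed sample: the same application with the weaknesses corrected.
HARDENED_WEB_XML = """<?xml version="1.0" encoding="UTF-8"?>
<web-app xmlns="http://java.sun.com/xml/ns/javaee" version="3.0">
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>all</web-resource-name>
      <url-pattern>/*</url-pattern>
    </web-resource-collection>
    <auth-constraint><role-name>administrator</role-name></auth-constraint>
    <user-data-constraint><transport-guarantee>CONFIDENTIAL</transport-guarantee></user-data-constraint>
  </security-constraint>
  <error-page><error-code>500</error-code><location>/error.jsp</location></error-page>
  <session-config>
    <session-timeout>15</session-timeout>
    <cookie-config><http-only>true</http-only></cookie-config>
    <tracking-mode>COOKIE</tracking-mode>
  </session-config>
</web-app>
"""

NS = {"j": "http://java.sun.com/xml/ns/javaee"}
MAX_TIMEOUT_MINUTES = 30  # assumed threshold; the page does not state the tool's own value


def _text(elem, path):
    """Return stripped text of the first child matching an XPath-like path, or None."""
    node = elem.find(path, NS)
    return node.text.strip() if node is not None and node.text else None


def check_web_xml(xml_text):
    """Return a list of (finding, detail) tuples for one web.xml document."""
    root = ET.fromstring(xml_text)
    findings = []
    protected = set()  # url-patterns that appear in some security-constraint

    for sc in root.findall("j:security-constraint", NS):
        patterns, methods = [], []
        for wrc in sc.findall("j:web-resource-collection", NS):
            patterns += [p.text.strip() for p in wrc.findall("j:url-pattern", NS)]
            methods += [m.text.strip() for m in wrc.findall("j:http-method", NS)]
        protected.update(patterns)
        # Check 2: listing http-method restricts the constraint to those verbs only;
        # any other verb (HEAD, or an arbitrary one) reaches the resource unauthenticated.
        if methods and sc.find("j:auth-constraint", NS) is not None:
            findings.append(("verb-tampering", f"{patterns} protected only for {methods}"))
        # Check 3: without transport-guarantee CONFIDENTIAL the data travels in clear text.
        if _text(sc, "j:user-data-constraint/j:transport-guarantee") != "CONFIDENTIAL":
            findings.append(("no-ssl-transport", f"{patterns} lacks CONFIDENTIAL"))

    # Checks 8 and 9: invoker servlet mapped, and neither /* nor /servlet/* constrained.
    for sm in root.findall("j:servlet-mapping", NS):
        pattern = _text(sm, "j:url-pattern")
        if _text(sm, "j:servlet-name") == "invoker" or pattern == "/servlet/*":
            findings.append(("invoker-servlet-enabled", pattern))
            if not ({"/*", "/servlet/*"} & protected):
                findings.append(("invoker-servlet-bypass", "no constraint on /* or /servlet/*"))

    # Check 1: with no error-page mapping the container's default error page is shown.
    if root.find("j:error-page", NS) is None:
        findings.append(("error-disclosure", "no error-page defined"))

    # Checks 5, 6 and 7 use the Servlet 3.0 session-config elements.
    sess = root.find("j:session-config", NS)
    if sess is not None:
        if _text(sess, "j:cookie-config/j:http-only") != "true":
            findings.append(("cookie-not-httponly", "cookie-config/http-only is not true"))
        modes = [m.text.strip() for m in sess.findall("j:tracking-mode", NS)]
        # An absent tracking-mode falls back to the container default and is flagged too.
        if "URL" in modes or "COOKIE" not in modes:
            findings.append(("session-in-url", f"tracking-mode={modes or 'default'}"))
        timeout = int(_text(sess, "j:session-timeout") or 0)
        if timeout <= 0 or timeout > MAX_TIMEOUT_MINUTES:  # 0 or negative means never expire
            findings.append(("long-session-timeout", f"{timeout} minutes"))
    return findings


if __name__ == "__main__":
    for name, xml in (("weak", WEAK_WEB_XML), ("hardened", HARDENED_WEB_XML)):
        print(name, check_web_xml(xml))
```

Run stand-alone, the script lists eight findings for the weak descriptor and none for the hardened one. The hardened variant shows the corresponding fixes side by side: a constraint on `/*` with no `http-method` list and a CONFIDENTIAL transport guarantee, an explicit error page, HttpOnly cookies, cookie-only tracking and a short timeout.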
Terms of use

Because public availability of this tool would carry a high risk of misuse, access is granted only to SAP customers and consulting companies upon request through the request form.
