“Breaking SAP Portal” From HackerHalted 2012
Today, SAP NetWeaver is the most widespread platform for developing enterprise business applications. One of the most critical applications is SAP Portal. The point is that SAP Portal, unlike many other systems, is usually available from the Internet because it provides SSO access to other business critical systems from SAP and other vendors. If a malicious hacker can get unauthorized access to SAP Portal, he can get control over all the other systems located inside the company even if they are secured by firewalls. We have done numerous security assessments of SAP Portal and found that even critical infrastructure systems like SCADA sometimes connected to Portal. Also developers can make custom applications for Portal called IViews and those have their problems. In this talk, the security architecture of Portal itself and custom applications will be reviewed and a number of new issues will be presented that can give full control over SAP Portal.