“Forgotten World: Corporate Business Application Systems” from BlackHat DC 2011


Presentation from the annual BlackHat DC conference, held in the USA on 16-19 January. Alexander Polyakov, CTO of ERPScan, together with Val Smith from AttackResearch, gives the talk «Forgotten World: Corporate Business Application Systems».

Author: Alexander Polyakov

Agenda: «Do you know where all the critical company data is stored? Do you know how easily you can be attacked by cybercriminals targeting this data? How can an attacker sabotage or commit espionage against your company having access just to one system? This paper will describe some basic and advanced threats and attacks on Enterprise Business Applications — the core of many companies».

The talk will be about enterprise business applications and the way attackers can gain access to critical business data, steal money or disable industrial control networks such as SCADA, using vulnerabilities and misconfigurations in the architecture of business applications. We will show examples of various business applications, including custom ones as well as the more popular ones like SAP and JD Edwards, together with previously unknown vulnerabilities and attack methods that can be exploited not just for popping a shell, but to gain unauthorized access to business-critical data. These attack methods can also be useful in penetration tests against ERP systems. Many of the problems that will be shown cannot be easily patched, because they are design flaws or business logic problems that require a re-design of the system.

Whitepaper (PDF): Forgotten World — Corporate Business Application Systems (Polyakov, Smith at BlackHat DC)