Presentation from the annual BlackHat DC conference, held in the USA on 16-19 January. Alexander Polyakov, CTO of ERPScan, together with Val Smith from AttackResearch, gives a talk titled «Forgotten World: Corporate Business Application Systems».
Author: Alexander Polyakov
The talk is about enterprise business applications and the ways attackers can gain access to critical business data, steal money, or disable corporate technological networks such as SCADA by using vulnerabilities and misconfigurations in the architecture of business applications. We will show examples from various business applications, including custom ones as well as more popular ones like SAP and JD Edwards, along with previously unknown vulnerabilities and attack methods that can be exploited not just for popping a shell, but to gain unauthorized access to business-critical data. These attack methods can also be useful in penetration tests against ERP systems. Many of the problems that will be shown cannot be easily patched because they are design flaws or business logic problems that require re-design of a system.

Forgotten-World-Security-of-Enterprise-Business-Application-Systems-Whitepaper
Forgotten World — Corporate Business Application Systems (Polyakov, Smith at BlackHat DC).pdf