“A crushing blow at the heart of SAP J2EE Engine version 1.1” from Brucon 2011
This is an updated version of the BlackHat presentation; it includes 2 new information disclosure vulnerabilities in the J2EE engine.
Today, SAP NetWeaver is the most widespread platform for developing enterprise business applications. This presentation focuses on one of its black holes, the SAP J2EE engine.
Some critical SAP products, such as SAP Portal, SAP Mobile, SAP XI and many other applications, are built on the J2EE engine, which, unlike the ABAP engine, is rarely discussed but is just as critical. The presentation explains the architecture of SAP's J2EE engine and its internals. It also discusses a number of previously unknown architectural and program vulnerabilities in the J2EE platform: authentication bypasses, SMB relays, internal scans, information disclosures, invoker servlet bypasses, insecure encryption algorithms and cross-system vulnerabilities.
A demonstration of a critical authentication bypass flaw is included!