Krakow, Poland - May 29, 2013 One of the most critical SAP applications is SAP Portal based on J2EE engine because it is usually available from the Internet and provides access and connections to other internal SAP and legacy systems. It is necessary to increase awareness in this area, especially after the Anonymous attack on Greece Government where an SAP 0-day vulnerability probably was used.
If we talk about SCADA attacks, they are mostly focused on sabotage, which is easy to recognize; attacks on financial systems like banking are focused on money stealing; but if we talk about SAP, the most critical attack is probably espionage, and it is hard to detect if there was espionage because there is no direct evidence of compromise except logs.
In this talk, the security architecture of Portal itself and custom applications like iViews were reviewed, and we demonstrated how SAP Portal can be attacked. But the main area of the talk will be focused on forensics and finding attack patterns in logs traces and other places to understand if it is possible to completely reverse complex attack patterns. At the end of presentation, we showed how an attacker can try to hide their attacks and how to deal with it.